Very recently, one of our colleagues, Menard Oseña, who attended the RSA Conference, discussed how important it is for organizations to have a strong security mindset when it comes to dealing with social media and company information. In his report, he highlighted that organizations should always protect themselves from both internal and external threats through proper user awareness, security policies, and security technologies.
I want to further stress the second point and show how it applies not only to dealing with social media but to every company’s entire computing infrastructure.
WORM_FLASHY.VRX: Three-in-One Malware
We’ve recently been encountering a rather interesting kind of infection in certain networks—one that involves multiple malware working together and “accidentally” coming up with one nasty piece of malicious code.
In one instance, we found a worm and two file infectors—WORM_FLASHY.AA, PE_CHIR.B, and PE_VIRUX.AA—all affecting a single network and combining their routines, which resulted in heightened propagation and further disruption of the network’s usability. The following sequence describes how this infection ensued:
- WORM_FLASHY.AA infects the system by dropping copies of itself into the System folder, shared drives, and removable drives.
- PE_CHIR.B infects the system and checks the WORM_FLASHY.AA executable file for its own infection marker. If it does not find one, PE_CHIR.B infects WORM_FLASHY.AA and leaves its marker.
- PE_VIRUX.AA infects the system and checks the already infected WORM_FLASHY.AA for its own infection marker. Since it looks for its own marker, not PE_CHIR.B's, it does not find one and also infects WORM_FLASHY.AA.
- When WORM_FLASHY.AA executes again, what it propagates is no longer the original copy of itself but rather an infected version that performs the routines of both PE_CHIR.B and PE_VIRUX.AA. This version is detected as WORM_FLASHY.VRX.
One of the notable qualities of this attack is the method that WORM_FLASHY.AA uses to infect systems. It does not carry a predefined, clean copy of itself and drop that. Instead, it reads its own executable file in whatever state it currently is and drops an exact copy of that file, so any modification made to the worm's file on disk is inherited by every copy it drops afterwards. After WORM_FLASHY.AA has been infected by both PE_CHIR.B and PE_VIRUX.AA, what propagates to other systems is therefore WORM_FLASHY.VRX, the merged version of the three malware.
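The following toy model replays the four steps above to make the propagation mechanism concrete. It is an added illustration written for this post, not Trend Micro's analysis code and not the malware itself: "files" are byte strings in a dictionary, and the worm body, the infector payloads, the infection markers, and the file paths are invented stand-ins. Each file infector checks only for its own marker before appending itself, and the worm is run in two modes, copying its current on-disk image (as WORM_FLASHY.AA does) versus dropping a fixed embedded copy, so the effect of that one design choice on what reaches other machines is visible side by side.

```python
# Toy model of the chained infection described above. Added illustration for
# this post; not Trend Micro's code and not the malware. "Files" are byte
# strings in a dict; bodies, payloads, markers and paths are invented.

WORM_BODY = b"<WORM_FLASHY.AA>"   # stands in for the clean worm executable
CHIR_MARKER = b"[CHIR]"           # hypothetical marker left by PE_CHIR.B
VIRUX_MARKER = b"[VIRUX]"         # hypothetical marker left by PE_VIRUX.AA

WORM_PATH = "C:/WINDOWS/system/flashy.exe"   # hypothetical drop location


def worm_drop_self(fs, src, targets):
    """WORM_FLASHY.AA-style propagation: copy the worm's *current* on-disk
    image, in whatever state it is, to each target path."""
    image = fs[src]
    for t in targets:
        fs[t] = image


def worm_drop_embedded(fs, targets):
    """Contrast case: a worm that carries a fixed, clean copy of itself
    and drops that instead of its current image."""
    for t in targets:
        fs[t] = WORM_BODY


def infect(fs, path, marker, payload):
    """Generic file-infector step: if this infector's marker is already in
    the file, leave it alone; otherwise append payload and marker.
    Returns True if the file was modified."""
    data = fs[path]
    if marker in data:
        return False
    fs[path] = data + payload + marker
    return True


def routines(data):
    """Which malware routines a given file image carries."""
    found = []
    if data.startswith(WORM_BODY):
        found.append("WORM_FLASHY.AA")
    if CHIR_MARKER in data:
        found.append("PE_CHIR.B")
    if VIRUX_MARKER in data:
        found.append("PE_VIRUX.AA")
    return found


def classify(data):
    """Name the sample the way the post does: all three merged is .VRX."""
    r = routines(data)
    if r == ["WORM_FLASHY.AA", "PE_CHIR.B", "PE_VIRUX.AA"]:
        return "WORM_FLASHY.VRX"
    return " + ".join(r) if r else "clean"


def simulate(copies_current_image=True):
    """Replay the four steps from the post; return the resulting 'filesystem'."""
    fs = {WORM_PATH: WORM_BODY}
    # Step 1: the worm drops copies of itself (still clean at this point).
    worm_drop_self(fs, WORM_PATH, ["E:/flashy.exe"])
    # Step 2: PE_CHIR.B infects the worm's executable. A second pass is a
    # no-op because its marker is now present.
    infect(fs, WORM_PATH, CHIR_MARKER, b"<chir-code>")
    infect(fs, WORM_PATH, CHIR_MARKER, b"<chir-code>")
    # Step 3: PE_VIRUX.AA checks only for its *own* marker, so it infects too.
    infect(fs, WORM_PATH, VIRUX_MARKER, b"<virux-code>")
    # Step 4: the worm runs again and propagates.
    later = ["F:/flashy.exe", "//fileserver/share/flashy.exe"]
    if copies_current_image:
        worm_drop_self(fs, WORM_PATH, later)
    else:
        worm_drop_embedded(fs, later)
    return fs


if __name__ == "__main__":
    for mode in (True, False):
        print("worm copies its current image:", mode)
        for path, data in simulate(mode).items():
            print(f"  {path}: {classify(data)}")
```

The only difference between the two runs is step 4. In both, the worm's own executable on the first machine ends up as the merged WORM_FLASHY.VRX, but only the worm that copies its current image carries the two file infectors to the removable drive and the network share; the copy dropped before the infectors arrived stays plain WORM_FLASHY.AA, which is why a network can hold both detections at once.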