Very recently, one of our colleagues, Menard Oseña, who attended the “RSA Conference” discussed how important it is for organizations to have a strong security mindset when it comes to dealing with social media and company information. In the report, he highlighted how organizations should always make sure that they protect themselves from both internal and external threats through proper user awareness, security policies, and security technologies.
I want to further stress the second point and show how it applies not only to dealing with social media but to every company’s entire computing infrastructure.
WORM_FLASHY.VRX: Three-in-One Malware
We’ve recently been encountering a rather interesting kind of infection in certain networks—one that involves multiple malware working together and “accidentally” coming up with one nasty piece of malicious code.
In one instance, we found a worm and two file infectors—WORM_FLASHY.AA, PE_CHIR.B, and PE_VIRUX.AA—all affecting a single network and combining their routines, which resulted in heightened propagation and further disruption of the network’s usability. The following sequence describes how this infection ensued:
- WORM_FLASHY.AA infects the system by dropping copies of itself into the System folder, shared drives, and removable drives.
- PE_CHIR.B infects the system and checks the WORM_FLASHY.AA executable file for an infection marker. If it does not find one, PE_CHIR.B infects WORM_FLASHY.AA and leaves an infection marker.
- PE_VIRUX.AA infects the system and checks the already infected WORM_FLASHY.AA for an infection marker. If it does not find one, it then also infects WORM_FLASHY.AA.
- When WORM_FLASHY.AA re-executes, what it propagates is no longer the original copy of itself but rather an infected version that performs the routines of both PE_CHIR.B and PE_VIRUX.AA. This version is detected as WORM_FLASHY.VRX.
One of the notable qualities of this attack is the method that WORM_FLASHY.AA uses to infect systems. It does not simply drop a predefined copy of itself. It instead checks for the exact state of its code then drops an exact copy of it. After WORM_FLASHY.AA has been infected by both PE_CHIR.B and PE_VIRUX.AA, what propagates to other systems is WORM_FLASHY.VRX—the merged version of the three malware.
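Because the worm propagates whatever its on-disk image currently is, the first observable sign of the file infectors joining in is that an executable already sitting on a share or removable drive changes content, or a new executable appears where none should. The following PowerShell script is an added example written for this post, not code from Trend Micro or from the malware analysis above: it baselines SHA-256 hashes of executables on a share and, on later runs, reports anything new or modified. The share path `\\fileserver\public` and the baseline file location are placeholder assumptions; replace them with your own.

```powershell
# Added example (not from the original post): baseline executables on a share, then flag
# new or modified ones on subsequent runs. Assumes you have read access to $SharePath
# and write access to the folder holding $BaselineFile.
param(
    [string]$SharePath   = '\\fileserver\public',                 # placeholder share path
    [string]$BaselineFile = "$env:ProgramData\exe-baseline.csv"   # placeholder baseline location
)

# Hash every executable-type file below the share (adjust the extension list as needed).
$current = Get-ChildItem -Path $SharePath -Recurse -File -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileHash -Path $_.FullName -Algorithm SHA256 } |
    Select-Object Path, Hash

# First run: write the baseline and stop.
if (-not (Test-Path $BaselineFile)) {
    $current | Export-Csv -Path $BaselineFile -NoTypeInformation
    Write-Output "Baseline written with $($current.Count) executables to $BaselineFile"
    return
}

# Later runs: compare against the stored baseline.
$baseline = @{}
Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Hash }

foreach ($file in $current) {
    if (-not $baseline.ContainsKey($file.Path)) {
        # A worm dropping copies of itself shows up here.
        Write-Warning "NEW executable on share: $($file.Path)"
    }
    elseif ($baseline[$file.Path] -ne $file.Hash) {
        # A file infector rewriting an existing executable (the worm's copy included) shows up here.
        Write-Warning "MODIFIED executable on share: $($file.Path)"
    }
}

# Files present in the baseline but gone from the share are also worth a look.
foreach ($path in $baseline.Keys) {
    if (-not ($current.Path -contains $path)) { Write-Warning "REMOVED executable: $path" }
}
```

Run it once to establish the baseline, then schedule it; a "MODIFIED" hit on a file that nobody deployed is exactly the pattern described above, where an infector rewrites a dropped worm copy before it spreads again. Rotate the baseline only after the flagged change has been explained.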
WORM_FLASHY.VRX delivers a whole lot of malicious routines, as it combines the propagation routines, infection routines, and other malicious payloads of the three aforementioned malware.
Prevention Is Always Better Than Cure
As complicated as the attack itself is, it can easily be prevented by following certain security practices for a network setting:
- Configure work machines to disable Autoplay.
- Set users’ permission for shared drives and folders to Read only.
- Keep machines updated with all available security patches.
- Block executable email attachments.
- Monitor the network for any suspicious connection/activity.
- Make sure security software is installed on all machines and real-time scan features are enabled.
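The first, second and last items in that list can be applied and audited directly from an elevated PowerShell session. The script below is an added example for this post, not Trend Micro code; it assumes a Windows 10 / Server 2016 or later host with the built-in SmbShare and Defender cmdlets available, and it uses the standard `NoDriveTypeAutoRun` Explorer policy value (0xFF disables AutoRun for every drive type).

```powershell
# Added example (not from the original post): apply and audit three of the listed mitigations.
# Assumes an elevated session on Windows 10 / Server 2016+ with the SmbShare and Defender modules.

# 1. Disable Autoplay/AutoRun for all drive types via the Explorer policy key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
Set-ItemProperty -Path $policyKey -Name 'NoAutorun'          -Value 1    -Type DWord
Write-Output "AutoRun policy: NoDriveTypeAutoRun = $((Get-ItemProperty $policyKey).NoDriveTypeAutoRun)"

# 2. Report non-administrative shares that grant more than Read access.
#    A worm that drops copies into shared drives needs exactly this kind of write access.
$writable = Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' }
} | Select-Object Name, AccountName, AccessRight

if ($writable) {
    Write-Warning "Shares granting Change/Full access (consider reducing to Read):"
    $writable | Format-Table -AutoSize
} else {
    Write-Output "All non-administrative shares are Read only."
}

# 3. Confirm real-time protection is on; re-enable it if it was switched off.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection was disabled; re-enabling."
    Set-MpPreference -DisableRealtimeMonitoring $false
}
Write-Output "Real-time protection enabled: $((Get-MpComputerStatus).RealTimeProtectionEnabled)"

# 4. Show the most recent installed update as a quick patch-level sanity check.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 HotFixID, InstalledOn
```

The share audit only reports; tightening a share's access (for example with `Revoke-SmbShareAccess` / `Grant-SmbShareAccess -AccessRight Read`) is deliberately left as a manual step, since which accounts legitimately need write access is a business decision. Blocking executable mail attachments and network monitoring live on the mail gateway and the network sensors rather than on the endpoint, so they are outside this script.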
Like Menard said, often, lack of effort to secure company-related networks—social and/or system—makes it easier for cybercriminals to conduct malicious attacks.
In this case, enforcing safeguards on both the technology and the policy side could have stopped the merger of existing malware in the network and prevented the development of a much bigger threat. Organizations should fully realize that even if security technologies like the Trend Micro™ Smart Protection Network™ already provide protection, proper user education and security policies are still important.