TrendLabs Malware Blog - Trend Micro
    As July winds down, infection counts for PE_EXPIRO have been trending downwards. This file infector can infect Windows files on both 32-bit (detected as PE_EXPIRO.JX) and 64-bit (detected as PE64_EXPIRO.JX) systems. At its peak we saw thousands of infections, but the count eventually dropped (as seen in our Smart Protection Network feedback).

    [Figure: Smart Protection Network feedback showing PE_EXPIRO infection counts over time]

    Because of the threat’s interesting blend of routines (file infector with info theft routines and exploit kit connection), we think that this is a good opportunity to discuss the various solutions that are available to help users. For more information about the threat, users can read our previous entry here.

    Utilizing Trend Micro Solutions To Stamp Out EXPIRO

    First of all, URLs associated with this attack are already blocked to avoid further damage, re-infection, or information leakage. Here’s an example in which Trend Micro’s OfficeScan Web Reputation Service (WRS) blocked a URL associated with the EXPIRO malware:

    WRS blocks the C&C URLs associated with the EXPIRO malware.

    The above screenshot was taken from OfficeScan 10.6 Service Pack 2 with the Custom Defense Pack. This enhanced version of OfficeScan allows administrators to visualize high-profile attacks; it uses the Trend Micro Smart Protection Network Global Intelligence list to inform administrators of the activities of any C&C servers and points out which hosts may need immediate remediation.

    More detailed information is available if Deep Discovery Inspector is in use. It allows the administrator to watch the network for such events – even if there is no security software installed on the endpoint. For very large networks, it makes it even easier for administrators to determine which endpoint violated a certain policy, as they are able to view information – including the MAC address – of the offending endpoint.

    The following screenshots show what Deep Discovery Inspector can provide about connections to malicious C&C servers, ranging from DNS queries:

    Deep Discovery Inspector’s detection if a connection to a malicious C&C server has been requested (1 of 2)

    To information about the connection:

    Deep Discovery Inspector’s detection if a connection to a malicious C&C server has been requested (2 of 2)

    Files copied to the affected machine:

    Deep Discovery Inspector’s detection via CIFS/SMB (2 of 2)

    And information about the EXPIRO malware itself:

    DDA giving more information about an EXPIRO-infected file (1 of 2)
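    The screenshots above are all views of one idea: a network-side sensor that ties a suspicious DNS query, the connection that follows it, and any subsequent file copies over CIFS/SMB back to the endpoint (IP and MAC address) that needs remediation. The following script is an added illustration of that correlation logic; it is not Trend Micro code and not how Deep Discovery Inspector is implemented. The log line formats, the C&C domain list, and every address in the sample export are constructed for the example, using documentation address ranges rather than real indicators.

```python
import re
from dataclasses import dataclass

# Constructed threat-intel list standing in for a vendor C&C feed (assumption,
# not real indicators).
CNC_DOMAINS = {"c2-update.example", "stat-collector.example"}
CNC_IPS = {"203.0.113.10"}  # TEST-NET-3 documentation address, constructed

# Assumed (constructed) line formats for a network sensor's export:
#   dns  <src_ip> <src_mac> <qname> <answer_ip>
#   conn <src_ip> <src_mac> <dst_ip> <dst_port>
#   smb  <src_ip> <src_mac> <dst_ip> <path>
DNS_RE = re.compile(r"^dns\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
CONN_RE = re.compile(r"^conn\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
SMB_RE = re.compile(r"^smb\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PE_SUFFIXES = (".exe", ".dll", ".scr")


@dataclass(frozen=True)
class Alert:
    kind: str      # "dns_query", "cnc_connection" or "smb_pe_copy"
    host_ip: str   # endpoint that triggered the event
    host_mac: str  # MAC address, so the endpoint can be located without an agent
    detail: str


def analyze(lines):
    """Walk sensor lines in order and return the alerts they raise."""
    alerts = []
    cnc_ips = set(CNC_IPS)   # grows as C&C names resolve to new addresses
    flagged_hosts = set()    # hosts already seen talking to C&C
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = DNS_RE.match(line)
        if m:
            ip, mac, qname, answer = m.groups()
            if qname.lower().rstrip(".") in CNC_DOMAINS:
                alerts.append(Alert("dns_query", ip, mac, qname))
                cnc_ips.add(answer)   # the answer is now a C&C address too
                flagged_hosts.add(ip)
            continue
        m = CONN_RE.match(line)
        if m:
            ip, mac, dst, port = m.groups()
            if dst in cnc_ips:
                alerts.append(Alert("cnc_connection", ip, mac, f"{dst}:{port}"))
                flagged_hosts.add(ip)
            continue
        m = SMB_RE.match(line)
        if m:
            ip, mac, dst, path = m.groups()
            # A host already talking to C&C that then writes a PE file to
            # another machine over SMB is the "files copied" event above.
            if ip in flagged_hosts and path.lower().endswith(PE_SUFFIXES):
                alerts.append(Alert("smb_pe_copy", ip, mac, f"{path} -> {dst}"))
            continue
        # Unrecognised lines are ignored rather than aborting the analysis.
    return alerts


def hosts_needing_remediation(alerts):
    """Distinct (ip, mac) pairs with at least one alert, sorted for reporting."""
    return sorted({(a.host_ip, a.host_mac) for a in alerts})


# Constructed sample export: one infected workstation, one clean one.
SAMPLE_LOG = """
# type src_ip src_mac ... (constructed)
dns  192.0.2.15 00:11:22:33:44:55 c2-update.example 198.51.100.7
conn 192.0.2.15 00:11:22:33:44:55 198.51.100.7 80
conn 192.0.2.15 00:11:22:33:44:55 203.0.113.10 443
smb  192.0.2.15 00:11:22:33:44:55 192.0.2.20 \\\\192.0.2.20\\ADMIN$\\svchost.exe
dns  192.0.2.30 66:77:88:99:aa:bb www.example.com 198.51.100.20
conn 192.0.2.30 66:77:88:99:aa:bb 198.51.100.20 443
smb  192.0.2.30 66:77:88:99:aa:bb 192.0.2.20 \\\\192.0.2.20\\share\\report.pdf
""".splitlines()

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.kind:15} {a.host_ip:12} {a.host_mac}  {a.detail}")
    print("remediate:", hosts_needing_remediation(found))
```

    The point of carrying the DNS answer forward into the connection check is that a static list of C&C addresses is never complete; the name the malware asked for is the stable indicator, and the address it resolved to at that moment is what the later connection will show. The clean workstation in the sample produces no alerts even though it also copies a file over SMB, because it was never seen contacting C&C.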

    Preventing similar infections in the future

    This unusual attack used several noteworthy methods, with both Java and PDF exploits delivering the file infectors to potentially vulnerable systems. Given this, there are two things that will help minimize similar attacks in the future:

    • Have effective patch management, even for third party software such as Java and Adobe Acrobat
    • Block unknown or unverified web sites. Web sites that are unknown or unverified may contain malicious files. A web filtering solution – either at the gateway or the endpoint itself – may be useful.

    If third-party software patch management is not in use, “virtual patching” may be useful. Deep Security or OfficeScan’s Intrusion Detection Firewall plug-ins can block attempts to exploit these vulnerabilities, preventing these threats from reaching user systems. For more information on the related Deep Security solution, you may read our previous blog entry here.

    Conclusion

    One weakness in the network is all that is needed for this threat to re-occur. EXPIRO is indeed a traditional file infector (with an added twist of data stealing), and cleaning systems that have been infected with this malware is fairly straightforward. The various Trend Micro solutions at the disposal of system administrators allow them to effectively fix, and prevent, these threats in the enterprise environment.

    With additional inputs from Jay Yaneza and Rhena Inocencio.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice