Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    April 2014
    S M T W T F S
    « Mar    
     12345
    6789101112
    13141516171819
    20212223242526
    27282930  
    • About Us
    blog.trendmicro.com Sites > TrendLabs Security Intelligence Blog > Malware > More Details on EXPIRO File Infectors
    Jul19
    3:00 am (UTC-7)   |    by

    We recently reported on an unusual attack involving exploit kits and file infectors. What makes the attack even more notable is that the file infectors used also have information theft routines, a behavior uncommon among file infectors. These file infectors are part of the PE_EXPIRO family, which was first spotted in 2010. It’s possible that this specific attack was intended to steal information from organizations or to compromise websites.

    Further analysis shows that the attack used Styx as its exploit kit. Styx has gotten much press over its role in delivering malware onto systems. The use of Styx in this particular attack may be due to differences between Styx and other exploit kits, namely:

    • Multiple Exploit Pages – Styx distributes the malicious script in multiple pages, which are connected by HTTP redirecting
    • Across IFRAME Data Access – Styx accesses data across IFRAMES via JavaScript

    The act of distributing malicious script across multiple pages is quite unusual given that most exploit kits only use one page. Additionally, while exploit kits commonly store data in a HTML tag and access it via JavaScript, Styx does it differently. Other exploit kits store it in the same HTML page; Styx puts the tags in another IFRAME. These two techniques could be seen as methods of avoiding detection.

    The initial report mentioned several vulnerabilities exploited by this attack. Continuous analysis showed that TROJ_PIDIEF.XJM used an old vulnerability, CVE-2010-0188, which affects specific versions of Adobe Reader and Acrobat. The use of an old vulnerability and the enhancement of the PE_EXPIRO malware is further proof that older, though more refined, threats are still present in today’s landscape.

    Regularly updating systems can help prevent infections from attacks such as these. Trend Micro blocks all related URLs in this attack. Trend Micro Deep Security blocks the associated Java files using the following rules:

    • 1005598 – Identified Malicious Java JAR Files – 3
    • 1005599 – Identified Malicious PDF Document – 10
    • 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493)

    Expiro_JavaCVE2013-1493-small
    Screenshot of Deep Security log

    Additional analysis by Kai Yu, Mark Tang, Michael Du, Pavithra Hanchagaiah, and Manoj Subramanya

     





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Friday, July 19th, 2013 at 3:00 am and is filed under Malware, Vulnerabilities . Both comments and pings are currently closed.



    Comments are closed.



     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice