
More Details on EXPIRO File Infectors

  • Posted on: July 19, 2013 at 3:00 am
  • Posted in: Malware, Vulnerabilities
  • Author: Trend Micro

We recently reported on an unusual attack involving exploit kits and file infectors. What makes the attack even more notable is that the file infectors used also have information theft routines, a behavior uncommon among file infectors. These file infectors are part of the PE_EXPIRO family, which was first spotted in 2010. It’s possible that this specific attack was intended to steal information from organizations or to compromise websites.

Further analysis shows that the attack used Styx as its exploit kit. Styx has gotten much press over its role in delivering malware onto systems. The use of Styx in this particular attack may be due to differences between Styx and other exploit kits, namely:

  • Multiple Exploit Pages – Styx distributes the malicious script across multiple pages, which are linked by HTTP redirects
  • Cross-IFRAME Data Access – Styx accesses data across IFRAMEs via JavaScript

Distributing malicious script across multiple pages is quite unusual, given that most exploit kits use only one page. Additionally, while exploit kits commonly store data in an HTML tag and access it via JavaScript, Styx does this differently: other exploit kits store the data in the same HTML page, whereas Styx puts the tags in another IFRAME. Both techniques can be seen as methods of avoiding detection.
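The two traits described above can be turned into a simple triage heuristic. The following Python scanner is an added example and not part of the original post or of any Trend Micro product: it parses a page with the standard-library HTMLParser and flags a redirect to a further page (meta refresh or JavaScript `location` change) and inline script that reads from another frame (`frames[...].document`, `contentWindow`, `contentDocument`). The regexes and the sample pages are assumptions constructed for this example, not real kit content.

```python
import re
from html.parser import HTMLParser

# Heuristic patterns for the two traits (assumed here, not from the post).
CROSS_FRAME_JS = re.compile(
    r"contentWindow|contentDocument|parent\.document|frames\[[^\]]+\]\.document")
JS_REDIRECT = re.compile(r"location\.(?:href|replace|assign)")


class _PageParser(HTMLParser):
    """Collects iframe targets, meta-refresh headers and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.iframes, self.meta_refresh, self.scripts = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data  # script bodies arrive as CDATA chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def analyse_page(html):
    """Return the Styx-style traits found in one HTML page, sorted."""
    p = _PageParser()
    p.feed(html)
    findings = set()
    if p.meta_refresh or any(JS_REDIRECT.search(s) for s in p.scripts):
        findings.add("redirect-to-next-page")
    if p.iframes and any(CROSS_FRAME_JS.search(s) for s in p.scripts):
        findings.add("cross-iframe-data-access")
    return sorted(findings)


# Constructed sample pages (not real exploit-kit content).
LANDING = '<html><head><meta http-equiv="refresh" content="0;url=step2.html"></head></html>'
EXPLOIT = ('<html><body><iframe src="data.html"></iframe><script>'
           'var d = frames[0].document.getElementById("blob").innerHTML;'
           '</script></body></html>')
BENIGN = '<html><body><script>document.title = "hello";</script></body></html>'

if __name__ == "__main__":
    for name, page in (("landing", LANDING), ("exploit", EXPLOIT), ("benign", BENIGN)):
        print(name, analyse_page(page))
```

A page that shows either trait is only a candidate for closer inspection; legitimate sites also redirect and use frames, so this is a triage filter rather than a verdict.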

The initial report mentioned several vulnerabilities exploited by this attack. Continued analysis showed that TROJ_PIDIEF.XJM used an old vulnerability, CVE-2010-0188, which affects specific versions of Adobe Reader and Acrobat. The use of an old vulnerability, together with the enhancement of the PE_EXPIRO malware, is further proof that older threats, refined over time, are still present in today’s landscape.

Regularly updating systems can help prevent infections from attacks such as these. Trend Micro blocks all URLs related to this attack. Trend Micro Deep Security blocks the associated Java and PDF files using the following rules:

  • 1005598 – Identified Malicious Java JAR Files – 3
  • 1005599 – Identified Malicious PDF Document – 10
  • 1005410 – Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2013-1493)

[Figure: Screenshot of Deep Security log]

Additional analysis by Kai Yu, Mark Tang, Michael Du, Pavithra Hanchagaiah, and Manoj Subramanya

Tags: EXPIRO, file infector
