For September, Nuwar took advantage of the Labor day holidays and the start of the NFL football season to spread around. Sohanad came up on the radar once again, this time resorting to its old trick of spreading through YM. And if the usual Web threats and vulnerabilities weren’t enough, an ancient virus boot sector virus resurfaces in German laptops… Here’s our monthly roundup for September.
TROJ_AGENT.EGK: The malware with a plan for everything…
Here’s a malware that seems to have prepared for everything. TROJ_AGENT.EGK arrives in an archive (.ZIP file) through a spammed email, which is done possibly to avoid primitive email filters. The archive also contains an HTML file that attempts to trick the user into clicking on the malware’s executable file (cancel order.exe). In case the user did not click on the malicious executable, the HTML file contains a link that references the EXE file. Thus, when the unsuspecting user clicks on the link (thinking that it supposed to lead to a website somewhere), the malware is executed and in turn downloads a bot that reports system information to a remote server. Of course, this malware’s ploy wouldn’t work if the EXE file were not extracted from the archive. So I guess, TROJ_AGENT.EGK didn’t quite prepare for everything at all…
WORM_SOHANAD.DJ: Spreading through YM again
Last August a Sohanad variant used a fake Google page in order to spread. This time it seems that Sohanad is relying on its old tricks once more. WORM_SOHANAD became infamous for spamming YM messages, containing links from where it could be downloaded. During mid-September last month, a new Sohanad variant turned up again. This time, the YM message related to the malware contained a link that seemed to offer pictures of the war in Iraq. Of course, no pictures can be downloaded from the link. Instead, clicking on the link downloads WORM_SOHANAD.DJ onto the user’s system.
ANGELINA.A-B: Old boot sector virus found in German laptops
ANGELINA.A-B is an old, old boot sector virus, first discovered in 1994. Recently, it emerged once again on Medion laptops sold by a German retailer. The laptops ran on Windows Vista and although it had its own antivirus software, it failed to clean the virus, despite the fact that it did a good job in detecting it. No need to panic though, since this is an isolated incident and we haven’t received any reports since then of laptops being infected with boot sector viruses.
WORM_NUWAR.AQK (Labor day) and WORM_NUWAR.AQN (football)
For September, we’ve had 2 notable variants of Nuwar. The first one, WORM_NUWAR.AQK, initially appeared during the Labor Day holidays in the US, masquerading as a Labor Day e-card. The malicious site that the e-card redirects not only downloads Nuwar but also TROJ_TIBS.ANF. The second Nuwar variant is WORM_NUWAR.AQN, appearing several days later during the start of the NFL football season. It uses the same social engineering tactic as the previous variant but this time posing as an online game tracker, apparently targeted at football fans.
TROJ_ACDROPPER.K: Exploits Vulnerability In Access
Although macro viruses are a thing of the past, it doesn’t necessarily mean that Office applications won’t become threat vectors. The first week of September saw TROJ_ACDROPPER.K, a dropper Trojan that arrives as an MDB file, which is simply an Access database. The Trojan exploits a vulnerability in Access that allows it to drop a copy of another Trojan (TROJ_AGENT.PXT) on the affected system
London-based Syrian Embassy Website hacked.
Towards the end of September, Websense reported that the website of the Syrian embassy based in London was compromised. True enough, IFRAME tags with obfuscated content were found in the website’s HTML source, a clear indication that the website had been hacked. The IFRAMEs redirect the browser to a location with malicious script content, which in turn download a Trojan (TROJ_SMALL.KYZ) on the affected system.
Science Fiction Book Review Site Compromised.
Not only government websites are targeted by hacker attacks; even book review sites aren’t safe either. During mid-September, a science fiction book review site was hacked, compromised through the insertion of IFRAME tags that redirected to URLs with malicious content. Close inspection of the IFRAME tags revealed that a web threat toolkit was used for the hack, most likely related to the 404 toolkit that was uncovered months ago.
Botnet attacks eBay.
The early days of September saw eBay being attacked by a botnet in an attempt to steal both personal and financial information of eBay users. Through IFRAME tags redirecting to sites with malicious content, a spyware is downloaded (TSPY_EBBOT.A). It is the spyware that does the actual distributed brute force attack on eBay. In depth investigation has revealed that the spyware accesses several webpages containing compromised account login information. Furthermore, the spyware also utilizes an eBay API, allowing it to communicate directly with eBay’s database. The stolen information can be used by cyber-criminals for further illegal activities.
CSRF in Gmail.
CSRF stands for Cross Site Request Forgery, a technique that attackers use to get to unsuspecting users via trusted websites. Recently, towards the end of September, Gmail, Google’s popular web-based email service, was discovered to be vulnerable to this attack. The vulnerability in Gmail could be exploited by accessing a malicious webpage while Gmail users were logged on to the respective accounts. Once a user has browsed the malicious webpage, the attacker could gain access to his/her mailbox.
New YM Proof of Concept Exploit.
A proof of concept exploit for Yahoo Messenger came out last September, targeting a vulnerable DLL used by YM. When the DLL component is exploited, it can download files specified by a program or Web site. This makes it capable of becoming a distribution vector for malware. Unsuspecting YM users can be led to a malicious Web site, which can exploit the DLL via an ActiveX control. It seems that every month, Yahoo is getting its own share of vulnerabilities.
The biggest observation is that for the past few months, Nuwar and YM vulnerabilities have become common threats. Could there be a connection? Let’s see if they make it into next month’s malware roundup.