Yesterday, our e-mail honeypot was flooded with TROJ_YABE.AF with more than 5,500 samples gathered in just 24 hours. Because of this, TrendLabs was forced to release urgent OPR 2.839.00.
TROJ_YABE.AF is a downloader Trojan that downloads TROJ_CIMUZ.AI, an anti anti-virus Trojan, and TROJ_BANKEM.B a Trojan spyware that attempts to spy online banking.
Today however, TROJ_YABE.AF is nowhere to be found on our e-mail honeypots. After a day of massive spamming, it seems like the seeding attempt has stopped.
There are two theories that we may be able to construct from this TROJ_YABE.AF incident, 1.Malware authors using a “spiked attack”– massive spamming in a short time frame (this means a smaller window of opportunity for honeypots to catch samples in the wild), and 2.“collaborative infection”– multiple malware infections that can be traced to a single malware, with each malware component designed to work together with the other malware components.
As we move forward in this age of “spiked attacks”, honeypot coverage becomes increasingly important for AV companies since seeding attempts are made in bursts. “Collaborative infection” on the other hand poses a greater challenge on cleaning already infected systems because of multiple components used by malwares.
For now, the threat of TROJ_YABE.AF is already controlled – thanks to TrendLabs’ honeypot system and the fast response time of our AV team. Though we are expecting to see more “spiked attacks” going into next year, this challenge is being embraced by Trend Micro’s AV team. After all, we can’t let the bad guys win can’t we?