November Malware Round Up

Good day blog readers!


As part of our efforts to keep you updated with the latest happenings on the malware scene, we’ve decided to write a monthly round up report, like this one, using data gathered from our honeypot systems, actual infection reports, and news within the industry.


Anyway, enough with the formalities and let’s get it on!


King Stration


For e-mail-borne malware, TROJ_STRAT is the undisputed king for November. Aggressively spammed and targeted at known e-mail addresses, not a week passed without at least three waves of STRATION spam. No other e-mail-borne malware came close to the volume of e-mail traffic TROJ_STRAT generated this November. With 31 new STRATION incarnations, each seeding choked our honeypots, with 90% of malicious e-mails belonging to STRATION alone.


Why it can get worse:
STRATION has slowly evolved from a single-file mass-mailing worm into a two-component Trojan-worm partnership. The malware authors have also changed the timing of STRATION’s release into the wild: from releasing it after MS Patch Tuesday, STRATION is now released every other day. These not-so-subtle changes in STRATION’s patterns and behavior may indicate that its authors are constantly monitoring how their malware performs. And I’m quite sure the tweaking of STRATION’s characteristics is aimed at infecting more and more users.


Busy ZLOBs


European malware writers had a busy November – registering new domains, creating new websites, and making TROJ_ZLOB variants available for download… as pseudo-video codecs!


For November, we’ve seen at least 10 domains hosting TROJ_ZLOB where you can download anywhere from 1 – 1000 unique binaries. The ZLOB sites are carefully laid out to look legitimate and professional, which says a lot about the malware authors’ efforts, and their monetary returns.


Why it can get worse:
With all the digital video formats out there, your favorite video player is bound NOT to have the codec you need in order to watch, say, a freshly downloaded porn clip. So you Google for codecs and your search leads you to a site that promises an all-in-one codec complete with amazingly sharp resolution and unbelievable picture quality. Convinced, you download and install. Then a message box appears saying the codec cannot be installed. Well, you’ve just been Punk’d… err, I mean… infected.

See, this method of infection is different in that it waits for the victim to download the file. Unlike a targeted attack, where a hunter tracks his prey and then fires with accuracy, ZLOB’s method is: present a lure, then wait for the prey to take the bait.
For as long as there is a need for codec updates, people will surely be lured by fake Trojan codecs.


Malicious Messages


Messenger worms are having a small revival after being almost invisible for the first two quarters of this year. This time WORM_SOHANAD is leading the charge.


Why it can get worse:
This is one area where malware social engineering can get better. Why give links pointing to unknown sites when you can hack a social networking site to make the link more believable? Oops… did I say that out loud?


WORM_BLASTER Wikipedia Entry Gets Real!!!


Websites that allow users to insert HTML code or links on their pages present themselves as possible hosts for malicious code, exploits, or links.


Why it can get worse:
User customization is the “in” thing when it comes to forums and social networking sites, and so they allow HTML code modification and linking to other sites. Expect other malware writers to pull off this trick on other sites that still offer the user a great amount of HTML freedom.


Month of Kernel Bugs


November was declared the Month of Kernel Bugs by Info-pull.


Why it can get worse:
Thankfully this did NOT get worse!!! 30 kernel bugs were discovered, but not one was translated into actual malicious code (thank you, responsible disclosure). Otherwise, it would’ve been a very, very, very busy month for AV.


WORM_NUWAR and WORM_MEDBOT


These two malware families serve as downloaders that bring other malware onto the infected machine, elaborately designed to turn the infected into spam zombies sending out Viagra and pump-and-dump stock spam.


Why it can get worse:
Actually, it is getting worse. WORM_NUWAR and WORM_MEDBOT are constantly updating their downloaded components. WORM_NUWAR has updated its spammer component at least 99 times, its downloader component at least 200 times, and itself at least 475 times. WORM_MEDBOT, on the other hand, has updated its spammer component at least 131 times, and itself at least 103 times.

The constant updating of files may mean that the two worms either 1. have a large install base, 2. are currently infecting more machines, 3. or both! The constant updating of component files shows that those components are still being downloaded onto new machines or onto machines that are already infected.


PE_LOOKED is stealing from you


PE_LOOKED is known for downloading Trojan spyware that targets the online games Lineage and World of Warcraft. Towards the end of the month, at least 26 new variants of PE_LOOKED were released in the wild. A few days later, the new variants’ download sites were making TSPY_LINEAGE, TSPY_WOWSTEAL, and even TSPY_QQPASS variants available for download.


Why it can get worse:
We recently discovered a PE_LOOKED-inspired virus named PE_PARDONA.