December Malware Round Up

The last month of 2006 proved as eventful as the holidays themselves. In December we saw several zero-days, some novel malware techniques and, of course, ingenious social engineering that trades on the joyous season.


WORM_NUWAR


December opened with new findings on WORM_NUWAR. After several days of hard analysis, it turned out that WORM_NUWAR “reads” CNN.COM to pull the site’s “Most Popular News” headlines; the harvested headlines are then used as subject lines for the e-mails WORM_NUWAR generates. Talk about being up to date!


But NUWAR does not stop there. In an effort to reach sensitive institutions, NUWAR also sends e-mails to addresses that contain “Microsoft”, “mil” or “gov” as substrings.


Why it can get worse:
A subject line that changes with the day’s news, and therefore reads as plausible and timely, is a very, very effective social engineering technique: it lowers the recipient’s guard and sidesteps filters keyed on a fixed subject string.


PHP_PBOT.A


Another interesting piece of malware technology encountered in December is PHP_PBOT.A, a bot written in PHP. PHP_PBOT.A looks like SDBOT source code translated to PHP, and it behaves like a bot accordingly: it joins an IRC channel and performs routines triggered by commands from a remote malicious user.


Why it can get worse:
Though the routines of PHP_PBOT.A are limited to DoS attacks and file download, it is entirely possible to add worm-like propagation techniques and exploit code to this PHP malware; being PHP, it runs under whatever account the hosting web server executes scripts as.
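

For a practitioner the useful question is how to spot such a bot sitting on a web host. The scanner below is an added example, not code from the original post or from Trend Micro: it scores PHP source on the traits the text describes (a raw outbound socket, IRC protocol verbs, command dispatch, and download or flood primitives). The indicator weights, the threshold and both PHP samples are constructed assumptions; the bot-like fragment is a deliberately non-functional mock-up of that shape, not PHP_PBOT.A’s code.

```python
"""Heuristic scanner for PHP source that behaves like an IRC bot (added example).

Constructed indicators, not a signature for PHP_PBOT.A: a raw outbound socket,
IRC protocol verbs inside string literals, '!command' dispatch strings, and the
download/exec/flood primitives a bot's routines need.
"""
import re

SOCKET_CONNECT = re.compile(
    r"\b(fsockopen|pfsockopen|socket_create|stream_socket_client)\s*\(", re.I)
IRC_VERB = re.compile(r"""["'](NICK|USER|JOIN|PRIVMSG|NOTICE|PONG)\b""")
BANG_COMMAND = re.compile(r"""["']![a-z]+""", re.I)
PAYLOAD_FUNC = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|eval|file_get_contents|curl_exec|copy)\s*\(",
    re.I)
UDP_TARGET = re.compile(r"udp://", re.I)

# Weights and threshold are assumptions chosen for illustration.
BOT_THRESHOLD = 5


def scan_php(source):
    """Score one PHP file; returns a dict with score, matched indicators and verdict."""
    score = 0
    indicators = []

    if SOCKET_CONNECT.search(source):
        score += 2
        indicators.append("raw socket connect")

    verbs = sorted({m.group(1) for m in IRC_VERB.finditer(source)})
    if len(verbs) >= 3:  # one verb shows up in ordinary chat code; three reads like a bot
        score += 3
        indicators.append("IRC verbs in string literals: " + ", ".join(verbs))

    if BANG_COMMAND.search(source):
        score += 2
        indicators.append("'!command' dispatch strings")

    funcs = sorted({m.group(1).lower() for m in PAYLOAD_FUNC.finditer(source)})
    if funcs:
        score += 1
        indicators.append("download/exec primitives: " + ", ".join(funcs))

    if UDP_TARGET.search(source):
        score += 1
        indicators.append("udp:// target (flood routine)")

    verdict = "likely IRC bot" if score >= BOT_THRESHOLD else "not flagged"
    return {"score": score, "indicators": indicators, "verdict": verdict}


# Constructed, non-functional fragment that mimics the shape of a PHP IRC bot
# (invalid host, undefined variables). It is NOT PHP_PBOT.A's code.
BOT_SAMPLE = r"""<?php
set_time_limit(0);
$sock = fsockopen("irc.example.invalid", 6667);
fwrite($sock, "NICK phpbot\r\n");
fwrite($sock, "USER phpbot 8 * :php\r\n");
fwrite($sock, "JOIN #control\r\n");
while ($line = fgets($sock)) {
    if (preg_match('/^PING :(.*)/', $line, $m)) fwrite($sock, "PONG :$m[1]\r\n");
    if (strpos($line, 'PRIVMSG') !== false && strpos($line, '!download') !== false)
        $data = file_get_contents($url);
    if (strpos($line, '!udpflood') !== false)
        $u = fsockopen("udp://" . $target, 80);
}
"""

# Constructed benign script: shares one library call with the bot and nothing else.
BENIGN_SAMPLE = r"""<?php
$config = file_get_contents(__DIR__ . '/config.json');
echo json_decode($config, true)['title'];
"""

if __name__ == "__main__":
    for name, src in (("bot", BOT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_php(src)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for ind in result["indicators"]:
            print("  -", ind)
```

Run it over the document root of a suspect host (for example with `find . -name '*.php'` feeding each file to `scan_php`) and review anything that crosses the threshold. No single indicator is damning, which is why the benign sample, which also calls `file_get_contents`, stays unflagged; it is the combination of a raw socket, several IRC verbs and a command dispatcher that marks a bot.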


Social Networking Sites


Social networking sites are slowly becoming the infection vector of choice for malware authors. With tens of thousands of registered users connected to each other by only a few degrees of separation, using a social networking site as an infection vector gives the malware author a large target user base, with the added benefit of operating from a legitimate site.


A piece of malware that exploits a vulnerability in MySpace and a worm that uses a Yahoo! 360 blog as an accomplice were both found in December.


Why it can get worse:
Because social networking site users are largely teens and 20-somethings who are computer literate, have Internet access, spend a great deal of time online and make up the majority of Internet users, they are perfect prey for malware authors.


Word Exploits


In December there were two reports of zero-day Word exploits in the wild. Trend Micro was unable to obtain a sample of the first zero-day (because of non-disclosure clauses), while the second is already detected as TROJ_MDROPPER.EB.


As if the first two weren’t enough, another proof-of-concept (PoC) Word exploit was released by the vulnerability research group Milw0rm.


Why it can get worse:
December 12 (Microsoft’s Patch Tuesday) came and went without a single fix for Word, which leaves every Word user exposed until a patch ships; in the meantime the only real defence is not opening Word documents from untrusted sources.


First MS Vista Vulnerability


Two days before Christmas, the Microsoft Security Response Center confirmed the existence of a vulnerability that affects Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and… Windows Vista!


Why it can get worse:
Microsoft’s statement about Vista’s “hardened kernel” is true, but a hardened kernel certainly does not make Vista invulnerable. It is only a matter of time before we see a new wave of malware that is Vista “compliant”.


Christmas Season


Of course, no malware author in his right mind would pass up the opportunity to use the holidays as a social engineering trick.


TROJ_STRAT.IG was reported to be spammed anew with Christmas-themed e-mail subjects. The same goes for TROJ_PPDROPPER, which was spammed as an attachment with the filename Christmas+Blessing-4.ppt. WORM_NUWAR then followed suit by greeting us with “Happy New Year!”


Why it can get worse:
Well, thank goodness the Christmas season is over! But Valentine’s Day is just around the corner.


Other notables


Of course, no month would be complete without another ZLOB variant hosted on a fake site, another piece of malware posing as a video, another posing as an MP3 plug-in and, most of all, another round of STRATION attacks.