How SOHANAD Became So Huge

In recent weeks, WORM_SOHANAD slowly but surely grew into a major malware family, a force to be reckoned with. Indeed, who would have thought that a malware family with such humble beginnings could single-handedly resurrect IM worms?


From the very start, SOHANAD has appeared to be a focused attack. As it developed, it has taken on characteristics reminiscent of the prominent coordinated, targeted attacks of late, chief among them LINKOPTIM.


To illustrate, I trace the development of SOHANAD and its relatives:


September 13 – TROJ_AGENT.EVJ was discovered to arrive through an instant message that reads, “Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…”.


October 3 – The very first SOHANAD worm was discovered in the wild. It propagated through Yahoo! Messenger. It looked like a continuation of the TROJ_AGENT.EVJ attack because, among other things, it used the message “the lastest picture of our upcoming Miss World 2006”, consistent with the fact that the beauty pageant had already taken place. In fact, WORM_SOHANAD.A was very similar to TROJ_AGENT.EVJ in terms of payload. It changed the Internet Explorer home page and modified the registry to prevent the user from reverting to the preferred home page. It also disabled Registry Editor and Task Manager, and changed Yahoo! Messenger settings such that affected users may mistakenly access a malicious Web site when executing targeted Yahoo! programs.


October 3 – An HTML script was discovered hosted on a certain Web site. When that Web site is accessed, the script, detected as HTML_SOHANAD.A, downloads a copy of WORM_SOHANAD.A.


October 4 – WORM_QUATIM.A was discovered propagating via Yahoo! Messenger using a rather long instant message in Vietnamese. Its payloads are also similar to both TROJ_AGENT.EVJ and WORM_SOHANAD.A.


October 4 – The first variant of SOHANAD was discovered. Like its predecessor, WORM_SOHANAD.B propagated via Yahoo! Messenger, but it also used other popular instant messaging applications, such as AOL Instant Messenger and Windows Live Messenger. It also used more instant messages, including the message used by TROJ_AGENT.EVJ.


October 5 – Another variant was discovered. WORM_SOHANAD.C used 23 different instant messages.


October 6–12 – Four more variants were discovered. Notably, WORM_SOHANAD.H used instant messages that promised links to the Web site of a popular male Vietnamese singer.


October 20 – The most complex variant to date was discovered. WORM_SOHANAD.I uses only a handful of instant messages but carries more payloads. It is also the first variant to retaliate against antivirus software (it terminates security-related processes). New samples would later be discovered that revealed a coordinated attack.


October 23 – Instant messages containing a link were mass-spammed via instant messaging. The link points to a Web site where a script was hosted. The script, detected as VBS_ADODB.AE, downloads a copy of WORM_SOHANAD.I onto systems. Another script, JS_WONKA.N, was also discovered hosted on another Web site. It, too, downloaded WORM_SOHANAD.I.


October 23 – New samples of WORM_SOHANAD.I were discovered. These samples exploited the Microsoft Data Access Components (MDAC) Function vulnerability to access a Web site where JS_WONKA.N was hosted. The JavaScript then downloads a copy of the worm onto the system, completing an infection cycle reminiscent of the WORM_BAGLE–TROJ_BAGLE and WORM_FEEBS–JS_FEEBS partnerships.


October 23 – The latest variant was discovered. WORM_SOHANAD.J downloads files, including a copy of itself and a Trojan downloader.


This quick look at the short history of SOHANAD thus far shows the fast pace at which the family has developed. From a first SOHANAD worm that seemed to be a common IM-propagating worm, it has grown into a family that enlists the help of other components, each playing a role that contributes to the whole attack.


The earlier variants unmistakably targeted the Vietnamese computing population. More recent variants, notably .I and .J, have lost that Vietnamese character in the instant messages they use, but they appear more and more coordinated in other respects.


The use of not one but two scripts to help spread WORM_SOHANAD.I makes it a carefully planned, coordinated strike, which is characteristic of targeted attacks. These attacks do not hope to hit it big the way malware in the outbreak era did; they instead purposely stage the attack to achieve their end. In these kinds of attacks, a multi-component approach is key.


WORM_SOHANAD.I takes it even further by bringing an exploit into the equation, making the infection more complex than ever.


The latest variant, WORM_SOHANAD.J, carries another payload that is at the heart of all targeted attacks: Trojan downloaders. In the outbreak era, worms reigned supreme because they had the capability to infect whole networks and spread across geographic regions. In this age of targeted attacks, however, worms have receded into the periphery; with the fast advancement of, and increased proactive action from, antivirus products, worms have become too easy to catch. They have given way to the true big shots of the day.


Trojan downloaders quietly sneak into systems. Today, mass-spamming has become a very important tool for malicious attackers, because that is how they get Trojan downloaders into systems. Once the mass-spamming is done, there is no way for antivirus products to discern that something malicious has transpired. In fact, unless a very alert customer notices the file of dubious nature, there is no way for antivirus outfits to get a sample of the file for analysis. This is what the Incident Response Team at Trend Micro refers to as a spiked attack. It doesn’t spread. Instead, it proceeds with its download routine, and then its job is done. Its part in the concerted strike has been achieved.


The downloaded files can be other threats that have other parts to play, all helping in a coordinated attack. Before long, the attack has become so complex that the user is caught in a sticky situation.


This is exactly how the LINKOPTIM incident in Italy got so huge. SOHANAD shares its defining characteristics: an unmistakable geographic focus (SOHANAD on the Vietnamese computing population, LINKOPTIM on Italy), a coordinated strike (LINKOPTIM employed downloaders, rootkits, spammers, etc.), and the prominent use of downloaders. SOHANAD is not just a common IM worm anymore.


SOHANAD has arguably become the most prominent malware of the month. Still very young, with just nine variants and a handful of components to date, it is showing potential for becoming a full-blown concerted, focused attack. The only other thing that SOHANAD has to do to consummate its strike is achieve what all targeted attacks ultimately achieve: monetary gain. And with the great capacity for improvement it has shown throughout its very short history, and with downloaders already in the equation, that’s not very hard to do.


Gear up, everyone. Looks like we ain’t seen nothing yet.