Archives for August 2006

Why Security Products Fail

  • Posted: August 31, 2006
  • By: Virus analyst

Experts in the industry would agree that there is no silver bullet for securing your network. No single security tool or product can ensure the total security of your network and the resources contained within it. It is a known reality that security products sometimes fail and may even leave systems unprotected, especially against zero-day attacks. What exactly are the reasons why security products fail? Some experts have just identified significant reasons behind such failures. Among them are:

  • Too many false alarms
  • Products are riddled with holes
  • Products don’t work well together
  • Users don’t understand the product’s capabilities
  • Users fail to install/deploy the product correctly
  • Users fail to update the product

Read more about this here


Trojan Spammed As Picture File

  • Posted: August 31, 2006
  • By: Virus analyst

A new piece of malware is being spammed to email inboxes once again. This Trojan poses as a picture file attachment with the filename KodacDC008.JPG……EXE. It uses a double extension and trailing characters to trick unsuspecting users into clicking the file. In some spammed emails the filename may vary (e.g. KodacDC004.JPG.EXE, KodacDC007.JPG.EXE). When executed, it downloads a file which is saved as KERNEL32.EXE on the affected machine. The file saved as KERNEL32.EXE is actually spyware that Trend detects as TSPY_GOLDUN.FM.

Trend detects this threat as TROJ_GOBRENA.V. Its detection pattern has been available since CPR 3.702.01.


Ernesto Domain Names

  • Posted: August 31, 2006
  • By: Virus analyst

Last year, in the wake of the destruction brought by Hurricane Katrina, many Katrina sites popped up asking for money.

Some of them were legitimate, but most were illegal sites robbing many good Samaritans of their money; some sites also came with spyware and malware to exploit systems.

See here for a previous blog posting about Katrina.

And now, as Hurricane Ernesto comes, SANS has noted a spike in domain registrations containing the term “ernesto”.

These are some of the domains they have disclosed.

  • cnnernesto(.com)|(.net)
  • ernestodamage(.com)|(.net)
  • ernestohurrican(.com)|(.net)
  • ernestoinsurance(.com)|(.net)
  • ernestomoney(.com)|(.net)
  • ernestonews(.com)|(.net)
  • ernestopipeline(.com)|(.net)
  • ernestovideo(.com)|(.net)
  • ernestoweather(.com)|(.net)
  • thehurricaneernesto.com

It would be good if we could keep track of these kinds of sites and verify their legitimacy before we have another Katrina on our hands.


New Cross Platform Malware

  • Posted: August 31, 2006
  • By: Virus analyst

Just a heads up: there’s a new piece of malware on the scene once again, one which has the capability to propagate across desktops and mobile devices. Dubbed “Mobler” by various security reports, this malware has a propagation vector that involves both the Windows and Symbian platforms. It does not actively spread, however. Instead of having a routine to propagate itself across both platforms, it simply drops an executable file on the mobile device’s memory card. When the files on the memory card are browsed using a PC, the dropped file is displayed as a system file, making it possible for an unsuspecting user to execute the malware and trigger the propagation.


As of now we have alerted the respective channels to provide us with samples of this malware for in-depth analysis, so stay tuned for updates.


Update (Jasper, Tue, 05 Sep 2006 01:42:16 PM)

Trend detects this threat as WORM_MOBLER.A. A detection pattern has already been deployed in CPR 3.708.01.


Era of Spammed Trojans

  • Posted: August 31, 2006
  • By: Virus analyst

For the past several months, a new trend has surfaced in email-borne malware. We’re seeing fewer mass-mailers; instead, we’re seeing more trojans arriving through email.

These trojans are not capable of mass-mailing themselves to a list of email addresses. They’re usually small programs (usually not more than 5 kB in size) that execute a secondary payload, which can download and execute a file or just set up a backdoor. This begs the obvious question: if these trojans don’t have mass-mailing capability, then how do these critters arrive in our inbox?

This, of course, means one thing: these malwares are deliberately spammed, in massive quantities. Massively spamming them, however, is not sustainable. A spammer cannot just continuously spam the same malware over a long period of time; it would be just plain expensive. Moreover, once AV firms have picked up a sample, systems running AV will be protected within the day.

As is often observed, spam runs of these downloaders last just a day, or at most two. This gives the spammer enough time to reach a multitude of inboxes, and just enough time before the majority of AV vendors can release signatures to detect the new critter. Of the spammed trojans captured over several months, let’s take a look at three.

TROJ_YABE.R was first intercepted late on July 4, 2006. The numbers kept piling up into the next day, after which TROJ_YABE.R was no longer seen being spammed.

Two weeks later, TROJ_DLOADER.DHX made its debut. A large number of samples were intercepted within the day, but, as with TROJ_YABE.R, TROJ_DLOADER.DHX was never seen again.

Just this week, another malware was heavily spammed: BKDR_HAXDOOR.IL. The spam run started very late on August 28 and peaked the next day. The day after, no more email samples carrying BKDR_HAXDOOR.IL were seen.

Spammed malware currently dominates the threat landscape. As the number of mass-mailers goes down, expect to see more and more spammed trojans.
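The one-to-two-day burst pattern described above is easy to measure from an interception log, and the same data shows how much of a run lands before a signature is out. The following Python is an added example written for this page, not Trend Micro code: the three detection names come from the post, but the interception timestamps and the pattern release times are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

FMT = "%Y-%m-%d %H:%M"

# Constructed interception log: (detection name, time the sample was seen in
# the mail feed). The names are the three runs discussed in the post; the
# timestamps are made up to mirror the one-to-two-day bursts it describes.
SAMPLES: List[Tuple[str, str]] = [
    ("TROJ_YABE.R", "2006-07-04 22:10"),
    ("TROJ_YABE.R", "2006-07-04 23:40"),
    ("TROJ_YABE.R", "2006-07-05 01:05"),
    ("TROJ_YABE.R", "2006-07-05 09:30"),
    ("TROJ_YABE.R", "2006-07-05 14:15"),
    ("TROJ_DLOADER.DHX", "2006-07-18 03:00"),
    ("TROJ_DLOADER.DHX", "2006-07-18 08:20"),
    ("TROJ_DLOADER.DHX", "2006-07-18 12:45"),
    ("TROJ_DLOADER.DHX", "2006-07-18 19:10"),
    ("BKDR_HAXDOOR.IL", "2006-08-28 23:50"),
    ("BKDR_HAXDOOR.IL", "2006-08-29 00:20"),
    ("BKDR_HAXDOOR.IL", "2006-08-29 10:00"),
    ("BKDR_HAXDOOR.IL", "2006-08-29 16:45"),
    ("BKDR_HAXDOOR.IL", "2006-08-29 21:30"),
]


def summarise_runs(samples=SAMPLES) -> Dict[str, dict]:
    """Per detection name: first/last sighting, peak day and calendar-day span."""
    by_name = defaultdict(list)
    for name, ts in samples:
        by_name[name].append(datetime.strptime(ts, FMT))
    summary = {}
    for name, times in by_name.items():
        times.sort()
        per_day = Counter(t.date() for t in times)
        # Highest daily count; ties go to the later day.
        peak_day, peak_count = max(per_day.items(), key=lambda kv: (kv[1], kv[0]))
        summary[name] = {
            "first_seen": times[0],
            "last_seen": times[-1],
            "total": len(times),
            "peak_day": peak_day,
            "peak_count": peak_count,
            "span_days": (times[-1].date() - times[0].date()).days + 1,
        }
    return summary


def short_lived_runs(samples=SAMPLES, max_span_days: int = 2) -> List[str]:
    """Detection names whose entire run fits inside max_span_days calendar days."""
    return sorted(n for n, s in summarise_runs(samples).items()
                  if s["span_days"] <= max_span_days)


def protection_gap(name: str, pattern_release: str, samples=SAMPLES) -> float:
    """Fraction of a run's samples that arrived before the pattern was released,
    i.e. the share of the spam run that signature-based AV could not have caught."""
    release = datetime.strptime(pattern_release, FMT)
    times = [datetime.strptime(ts, FMT) for n, ts in samples if n == name]
    if not times:
        return 0.0
    return sum(1 for t in times if t < release) / len(times)


if __name__ == "__main__":
    for name, s in summarise_runs().items():
        print(f"{name}: {s['total']} samples over {s['span_days']} day(s), "
              f"peak {s['peak_day']} ({s['peak_count']})")
    # Assumed pattern release times, not values from the posts.
    print("YABE gap:", protection_gap("TROJ_YABE.R", "2006-07-05 08:00"))
    print("HAXDOOR gap:", protection_gap("BKDR_HAXDOOR.IL", "2006-08-30 09:11"))
```

The `protection_gap` figure is the number to watch: with runs this short, a pattern that ships the morning after the run starts still misses most of the samples, which is why a gateway needs behavioural or attachment-structure checks alongside signatures.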


Ready to WOMBLE

  • Posted: August 30, 2006
  • By: Virus analyst

A new malware partnership was discovered earlier today. A worm, detected as WORM_WOMBLE.A, mass-mails a modified Windows Metafile (WMF) that takes advantage of a vulnerability in order to drop copies of the worm. A worm that uses a WMF to propagate? Or a malicious WMF that uses a worm to spread?


It doesn’t really matter. It only matters to computer and antivirus experts whose job is to analyze the files and provide a solution. To the greater, and arguably more important, population of average computer users, it is a single malware package that their system needs protection from.


It is not a new propagation technique, as far as malware history is concerned. One of the biggest malware attacks in history was a partnership a little over two years ago: WORM_NETSKY.P started mass-mailing copies of itself with the help of HTML_NETSKY.P, which exploited the Incorrect MIME Header Vulnerability to allow the automatic execution of the malicious attachment when the email was opened or even just previewed, fueling WORM_NETSKY.P to spread like fire and go on to infect almost a million computers* worldwide to date.


Later generations of the prominent BAGLE family mass-mailed Trojans that download copies of the worm onto recipients’ computers. The first time a WORM_BAGLE variant employed this technique, many computer experts were briefly taken aback: how could a Trojan downloader that has no propagation capabilities spread? Before long, the vicious cycle was busted. Still, the partnership proved disastrous or effective, depending on your point of view, as several of these partnerships went on to cause outbreaks.


Another prominent malware partnership involved WORM_FEEBS variants that mass-mailed malicious JavaScript files, whose payload includes downloading copies of the worm. The main component in this case seems to be the JavaScript, rather than the worm and this adds an interesting new twist. Worms have always been considered to be some of the most destructive malware, not only because they consume system and network resources, and can carry a myriad of payloads, but because they can bring their damage to a wide scale. But the FEEBS attacks relegated worms to mere tools for propagation; the JavaScript carries the payloads. And why not? Worms are easiest to detect. Let the user detect and remove the worm from the system all while the JavaScript does its job.


The new attack by WORM_WOMBLE.A is reminiscent of WORM_NETSKY.P, because half of the email messages it sends contain a specially crafted WMF that takes advantage of the Windows Graphics Rendering Engine Vulnerability, which allows it to automatically drop and execute a copy of the worm when the user so much as views the WMF using Windows Explorer. Half, because it may also attach a copy of itself, in which case it is a regular mass-mailer.


In a lot of ways, however, it is also like the BAGLE and FEEBS attacks, because it is an endless cycle of a worm mass-mailing a dropper that in turn drops a copy of the worm, which again mass-mails a dropper and so on. For this cycle to stop, both components should be removed from the system.


Which is why a holistic approach to malware removal is best for average computer users. They don’t differentiate between main component and sub-component. All they care about, and understandably so, is if their system is safe from malware attack: main component or not, partnership or not.


* Data from Trend Micro World Tracking Center.


Rechnung spams once again

  • Posted: August 29, 2006
  • By: Virus analyst

We are currently receiving samples of another Rechnung spam. As of this writing we have received 100+ samples of this trojan. The samples have been handed over for processing, solutions will be posted as soon as possible, and of course updates will follow.

Update (Obet, Wed, 30 Aug 2006 02:09:31 AM)


This is being spammed a lot. We have now received a couple of hundred samples of this malware, and Trend Micro is going to detect this threat as BKDR_HAXDOOR.IL. The pattern that will detect it is now under testing and will be released very soon.


Update (Obet, Wed, 30 Aug 2006 03:01:04 AM)


With this I will just remind everybody to watch out for mails with attachments named Rakningen.zip or Rechnung.zip; the file size of BKDR_HAXDOOR.IL is 52,693 bytes. Do not open the attachment; if you see a mail with this attachment, especially if the file size is the same, kindly disregard it.


Update (Obet, Wed, 30 Aug 2006 09:11:20 AM)


More updates. The Control Pattern Release 3.700.04 that will detect this current threat has been released and can be downloaded here. More information regarding this threat can be found here.


New worm spreading around

  • Posted: August 28, 2006
  • By: Virus analyst

A new worm is spreading, using email as its propagation vector. This worm arrives as an attachment to an email with various and ambiguous subjects (e.g. “Hello”, “Test”). The name of the attached file varies from one email to another, but all attachment names use double extensions. When executed, it drops the file rsmb.exe in the Windows folder and attempts to download a file, which may be malicious. Initial analysis reveals that the malware seems to target individual email addresses in a particular domain by concatenating a common first name (e.g. john, mary, ann) with a well-known domain name. Below is a sample email:


TO: smith@[domain-name].com
SUBJECT: hello
BODY: [none]
ATTACHMENT: text.dat.pif


Update (Jasper, Mon, 28 Aug 2006 05:00:16 PM)

This threat will be detected as WORM_STRATION.AP. Its detection pattern is available in CPR 3.694.01.
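The double-extension and trailing-character tricks described in the Trojan Spammed As Picture File post and in the worm above, together with the name-and-size advice from the Rechnung post, can be turned into a simple attachment triage check at the mail gateway. The following Python is an added example written for this page, not Trend Micro code: the attachment names and the 52,693-byte size are the only values taken from the posts; the extension lists, the other sample filenames and sizes are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Final extensions that Windows will run. Assumption: our own list, not one
# taken from the original posts.
EXEC_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}

# Harmless-looking extensions the spammed trojans on this page used as decoys
# (.JPG in KodacDC008.JPG……EXE, .dat in text.dat.pif). Assumed list.
DECOY_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "dat", "doc", "pdf", "htm"}

# (lower-case filename, size in bytes) pairs from the Rechnung post:
# Rechnung.zip / Rakningen.zip at 52,693 bytes.
KNOWN_BAD = {("rechnung.zip", 52693), ("rakningen.zip", 52693)}

# Dots, whitespace and the Unicode ellipsis count as extension separators; a
# run longer than one character is the "trailing characters" trick.
SEP_RE = re.compile(r"([.\s\u2026]+)")


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def triage_attachment(filename: str, size: Optional[int] = None) -> Verdict:
    """Flag an attachment name that matches the tricks described in the posts."""
    reasons: List[str] = []
    name = filename.strip()
    lower = name.lower()

    # 1. Known-bad name plus exact size (the Rechnung post's advice).
    if size is not None and (lower, size) in KNOWN_BAD:
        reasons.append(f"known bad attachment {lower} ({size} bytes)")

    # 2. Split into name tokens and separator runs, keeping both.
    tokens = [t for t in SEP_RE.split(lower) if t]
    names = [t for t in tokens if not SEP_RE.fullmatch(t)]
    seps = [t for t in tokens if SEP_RE.fullmatch(t)]

    final_ext = names[-1] if len(names) > 1 else ""
    if final_ext in EXEC_EXTS:
        decoys = [t for t in names[1:-1] if t in DECOY_EXTS]
        if decoys:
            reasons.append(f"double extension: .{decoys[-1]} hides .{final_ext}")
        if any(len(s) > 1 for s in seps):
            reasons.append("padding characters between extensions")

    return Verdict(name, bool(reasons), reasons)


# Constructed sample set (filename, size); the ellipsis characters reproduce
# the trailing characters in KodacDC008.JPG……EXE.
SAMPLES = [
    ("KodacDC008.JPG\u2026\u2026EXE", 12288),
    ("KodacDC004.JPG.EXE", 12288),
    ("text.dat.pif", 4096),
    ("Rechnung.zip", 52693),
    ("holiday.jpg", 81920),
    ("report.pdf", 33000),
]


def triage_samples(samples=SAMPLES):
    """Return {filename: reasons} for every sample judged suspicious."""
    result = {}
    for fn, sz in samples:
        verdict = triage_attachment(fn, sz)
        if verdict.suspicious:
            result[fn] = verdict.reasons
    return result


if __name__ == "__main__":
    for fn, reasons in triage_samples().items():
        print(f"{fn!r}: {'; '.join(reasons)}")
```

The check is deliberately structural rather than signature-based: a new filename in the next spam run still trips the double-extension or padding rule, while the name-and-size pair only catches the one run the Rechnung post warned about.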


2nd PoC for MS06-040 Released

  • Posted: August 28, 2006
  • By: Virus analyst

A 2nd PoC has been released by Milw0rm.com for MS06-040. It is an exploit for the MS Windows NetpIsRemote() overflow. The PoC has been tested on Windows XP SP1 and Windows 2000 SP4.


This code was released for educational purposes, which makes it accessible to researchers and malware authors alike.


With this information malware authors can now include the exploit in their code, but it also makes us, the malware researchers, better prepared for the incoming threat.


Botnet Master Sentenced

  • Posted: August 28, 2006
  • By: Virus analyst

Christopher Maxwell of Vacaville, California, was sentenced to 37 months plus three years of probation, as well as combined restitution of $250,000 to Northwest Hospital and the Department of Defense.


Maxwell pleaded guilty to launching a botnet attack which compromised computers at Seattle Northwest Hospital and several universities.


Check here for the rest of the story.


This just shows that people in high places are beginning to understand the damage that security breaches can bring and are now taking steps to send a message, especially to the botnet community. One point for the good guys!



  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.