Archives for October 2006

How SOHANAD Became So Huge

  • Posted: October 26, 2006
  • Author: Virus analyst

In recent weeks, WORM_SOHANAD slowly but surely grew into a major malware family, a force to be reckoned with. Indeed, who would have thought that a malware family with such humble beginnings could single-handedly resurrect IM worms?


From the very start, SOHANAD has appeared to be a focused attack. As it developed, it took on characteristics reminiscent of the prominent coordinated, targeted attacks of late, chief among them LINKOPTIM.


To illustrate, I trace the development of SOHANAD and its relatives below:


September 13 – TROJ_AGENT.EVJ was discovered arriving through an instant message that reads, “Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…”.


October 3 – The very first SOHANAD worm was discovered in the wild. It propagated through Yahoo! Messenger. It looked like a continuation of the TROJ_AGENT.EVJ attack because, among other things, it used the message “the lastest picture of our upcoming Miss World 2006”, consistent with the fact that the beauty pageant had by then taken place. In fact, WORM_SOHANAD.A was very similar to TROJ_AGENT.EVJ in terms of payload. It changed the Internet Explorer home page and modified the registry to prevent the user from restoring the preferred home page. It also disabled Registry Editor and Task Manager, and changed Yahoo! Messenger settings so that affected users may unknowingly access a malicious Web site when running certain Yahoo! programs.
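The three lock-downs just described (a replaced Internet Explorer home page, a disabled Registry Editor and a disabled Task Manager) are cheap to audit from a registry export. The script below is an added example, not Trend Micro's tooling: it parses a .reg text export and reports those settings. The key paths and value names are the standard Windows locations for these settings (an assumption; the post does not quote them), the allowed home page list is a placeholder, and REG_TEXT is a constructed export.

```python
"""Audit a Windows registry export (.reg text) for SOHANAD-style lock-downs."""

# Assumed standard Windows locations for the settings the post describes.
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Placeholder allow-list of home pages an organisation considers legitimate.
ALLOWED_HOME_PAGES = {"about:blank", "https://intranet.example.invalid/"}

# Constructed export showing all three tampered settings.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://redirect.example.invalid/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"""


def decode_value(value):
    """Turn the textual .reg value into a Python int or str."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    return value


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip().strip('"')] = decode_value(value.strip())
    return keys


def audit(reg):
    """Return a list of human-readable findings for the three SOHANAD payloads."""
    findings = []
    home = reg.get(IE_MAIN, {}).get("Start Page")
    if home is not None and home.lower() not in ALLOWED_HOME_PAGES:
        findings.append(f"IE Start Page set to {home!r}")
    policies = reg.get(POLICIES, {})
    if policies.get("DisableRegistryTools") == 1:
        findings.append("Registry Editor disabled (DisableRegistryTools=1)")
    if policies.get("DisableTaskMgr") == 1:
        findings.append("Task Manager disabled (DisableTaskMgr=1)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(REG_TEXT)):
        print(finding)
```

On a live host the same checks would be run against the registry itself rather than an export; the export form is used here so the logic can be exercised anywhere.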


October 3 – An HTML script was discovered hosted on a certain Web site. When that Web site is accessed, the script, detected as HTML_SOHANAD.A, downloads a copy of WORM_SOHANAD.A.


October 4 – WORM_QUATIM.A was discovered propagating via Yahoo! Messenger using a rather long instant message in Vietnamese. Its payload is also similar to those of TROJ_AGENT.EVJ and WORM_SOHANAD.A.


October 4 – The first variant of SOHANAD was discovered. Like its predecessor, WORM_SOHANAD.B propagated via Yahoo! Messenger, but it also used other popular instant messaging applications, such as AOL Instant Messenger and Windows Live Messenger. It also used a larger set of instant messages, including the one used by TROJ_AGENT.EVJ.


October 5 – Another variant was discovered. WORM_SOHANAD.C used 23 different instant messages.


October 6-12 – Four more variants were discovered. Notably, WORM_SOHANAD.H used instant messages that promised links to the Web site of a popular male Vietnamese singer.


October 20 – The most complex variant to date was discovered. WORM_SOHANAD.I uses only a handful of instant messages, but carries more payloads. The first antivirus retaliation also appears with this variant (it terminates security-related processes). New samples discovered later would reveal a coordinated attack.


October 23 – Instant messages containing a link were mass-spammed via instant messaging. The link points to a Web site where a script was hosted. The script, detected as VBS_ADODB.AE, downloads a copy of WORM_SOHANAD.I onto systems. Another script, JS_WONKA.N, was also discovered hosted on another Web site. It, too, downloaded WORM_SOHANAD.I.


October 23 – New samples of WORM_SOHANAD.I were discovered. These samples exploited the Microsoft Data Access Components (MDAC) vulnerability to access a Web site where JS_WONKA.N was hosted. The JavaScript then downloads a copy of the worm onto the system, completing an infection cycle reminiscent of the WORM_BAGLE-TROJ_BAGLE and WORM_FEEBS-JS_FEEBS partnerships.


October 23 – The latest variant was discovered. WORM_SOHANAD.J downloads files, including a copy of itself and a Trojan downloader.


This quick look at the short history of SOHANAD thus far shows the fast pace with which the family has developed. From the first SOHANAD worm that seemed to be a common IM-propagating worm, it has grown to a family that enlists the help of other components, each playing a role that contributes to the whole attack.


The earlier variants unmistakably targeted the Vietnamese computing population. More recent variants, notably .I and .J, have lost that Vietnamese character in the instant messages they use, but they appear more and more coordinated in other respects.


The use of not one but two scripts to help spread WORM_SOHANAD.I makes it a carefully planned, coordinated strike, which is characteristic of targeted attacks. These attacks do not hope to hit it big the way malware of the outbreak era did; they purposely stage the attack to achieve a specific end. In this kind of attack, a multi-component approach is key.


WORM_SOHANAD.I takes it even further by bringing an exploit into the equation, making the infection more complex than ever.


The latest variant, WORM_SOHANAD.J, carries another payload that is at the heart of all targeted attacks: Trojan downloaders. In the outbreak era, worms reigned supreme, because they had the capability to infect whole networks and spread across geographic regions. In this age of targeted attacks, however, worms have receded into the periphery; with rapid advances in, and more proactive responses from, antivirus products, worms have become too easy to catch. They have given way to the true big shots of the day.


Trojan downloaders quietly sneak into systems. Today, mass-spamming has become a very important tool for attackers, because that is how they get Trojan downloaders onto systems. Once the mass-spamming is done, there is no way for antivirus products to tell that something malicious has transpired. In fact, unless a very alert customer notices the dubious file, there is no way for antivirus vendors to obtain a sample of the file for analysis. This is what the Incident Response Team at Trend Micro refers to as a spiked attack: it doesn’t spread; it runs its download routine, and then its job is done. Its part in the concerted strike has been achieved.


The downloaded files can be other threats that have other parts to play, all helping in a coordinated attack. Before long, the attack has become so complex that the user is caught in a sticky situation.


This is exactly how the LINKOPTIM incident in Italy got so huge. SOHANAD shares its defining characteristics: an unmistakable regional focus (the Vietnamese computing population, where LINKOPTIM targeted Italy), a coordinated strike (LINKOPTIM employed downloaders, rootkits, spammers, etc.), and the prominent use of downloaders. SOHANAD is not just a common IM worm anymore.


SOHANAD arguably has become the most prominent malware of the month. Still very young, with just nine variants and a handful of components to date, it is showing potential for becoming a full-blown concerted, focused attack. The only other thing that SOHANAD has to do to consummate its strike is achieve what all targeted attacks ultimately achieve: monetary gain. And with the great capacity for improvement that it has shown throughout its very short history, and with downloaders already in the equation, that’s not very hard to do.


Gear up, everyone. Looks like we ain’t seen nothing yet.


Internet Explorer 7 Popup Address Bar Spoofing

  • Posted: October 26, 2006
  • Author: Virus analyst

Secunia released an advisory discussing a spoofing weakness in IE 7’s popup address bar.


The URL in the address bar of the popup can be padded with special characters so that only a portion of the complete URL is shown, thereby misleading the user about the site they are on.


Secunia came up with a test page to check if your IE 7 is vulnerable. You may check out their test page here.


It is always advisable not to follow links from untrusted sources, to avoid being victimized by phishers and scammers.


This Halloween…Be Afraid And Be Careful…

  • Posted: October 25, 2006
  • Author: Virus analyst

Well, I’m not actually one to squirm or shiver when it comes to ghosts and ghouls and ‘the undead’ that they say rise from the underground and come out on the night of the 31st of October. It’s quite another thing that I’m pretty anxious about… and it’s really much more ghastly and hellish (from my point of view, that is).


What I’m talking about is malware, and the malware authors who use special events, such as the coming Halloween, as a social engineering ploy to fool unsuspecting users into, say, clicking on a Web site returned by a Google search they just made, allowing a bunch of exploits, malware and spyware to infiltrate the users’ systems, just like a whole gamut of evil spirits that will reside in and continually haunt your environment… And this is exactly what would have happened had we not discovered the Web site described below and promptly released solutions for this ghoulish scheme as early as possible.


The site in question is one of the top query results when you search for “Halloween Sites” in Google. Shown below is the top banner that users will see upon entering the site.


And when users click on this link, they find themselves redirected, via IFRAMEs placed at the bottom of the site, to other URLs. These URLs host malicious scripts that infect systems with a devilish Trojan downloader using the filename win32.exe. The malicious scripts exploit known vulnerabilities which include, but are not limited to:



  • COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-2127
  • Microsoft Windows MDAC Vulnerability – CVE-2006-0003
  • Cursor and Icon Format Handling Vulnerability – CAN-2004-1049
  • Graphics Rendering Engine Vulnerability – CVE-2005-4560 (aka the WMF vulnerability)

Shown below are snapshots of one of the sites in question, where the scripts are escaped and then finally decoded to reveal some of the exploits being used.




The win32.exe file, which can be classified as a variant of TROJ_GALAPOPER, downloads more ghoul code in the form of JPEG files, which are variants of TROJ_TIBS. These files are actually also downloader executables, embedded inside a .jpg file format. All of these files install themselves on the system, leaving the computer compromised by a remote hacker somewhere in Russia. And what’s more, AV detection rates are quite low for the Trojans described above. It’s a good thing, though, that Trend Micro detects this malware and also blocks the malicious URLs in its products.
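The post describes three things an analyst has to do by hand with a page like this: find the IFRAMEs that do the redirecting, decode the escaped script to see what it loads, and check whether the downloaded “JPEG” files are really executables. The script below is an added example of those three triage steps, not the post's own tooling and not the site's code. The HTML, the escaped script and the file contents are all constructed, and the hostnames are placeholders.

```python
"""Triage helpers: hidden IFRAMEs, JavaScript escape() decoding, JPEG-vs-PE check."""
import re

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# width=0 / height=0 (quoted or not) is the classic way to hide a frame
ZERO_SIZE_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0""", re.I)
UNESCAPE_CALL_RE = re.compile(r"""unescape\(\s*["']([^"']*)["']\s*\)""", re.I)
ESCAPE_SEQ_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

# Constructed page: one visible ad frame, one hidden frame in clear text, and
# one hidden frame written by an escape()-encoded document.write().
SAMPLE_HTML = """<html><body>
<h1>Halloween Sites</h1>
<iframe src="http://ad.example.invalid/banner" width="300" height="60"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.example.invalid%2Fx.htm%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"))</script>
<iframe src="http://exploit.example.invalid/y.htm" width=0 height=0></iframe>
</body></html>"""


def js_unescape(text):
    """Decode %uXXXX and %XX sequences the way JavaScript's unescape() does."""
    def repl(m):
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return ESCAPE_SEQ_RE.sub(repl, text)


def extract_escaped_strings(html):
    """Return the decoded form of every literal passed to unescape() in the page."""
    return [js_unescape(m.group(1)) for m in UNESCAPE_CALL_RE.finditer(html)]


def find_iframes(html):
    """Return (src, hidden) for each IFRAME; hidden means zero-sized or display:none."""
    frames = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        hidden = bool(ZERO_SIZE_RE.search(attrs)) or \
            "display:none" in attrs.replace(" ", "").lower()
        frames.append((src.group(1) if src else None, hidden))
    return frames


def triage(html):
    """Decode escaped script first, then look for frames in both layers."""
    decoded = extract_escaped_strings(html)
    frames = find_iframes(html + "\n" + "\n".join(decoded))
    return {
        "decoded_scripts": decoded,
        "iframes": frames,
        "hidden": [src for src, hidden in frames if hidden],
    }


def is_pe_masquerading_as_jpeg(filename, data):
    """True when the name says JPEG but the bytes start with the MZ executable header."""
    claims_jpeg = filename.lower().endswith((".jpg", ".jpeg"))
    return claims_jpeg and data[:2] == b"MZ"


if __name__ == "__main__":
    result = triage(SAMPLE_HTML)
    for src in result["hidden"]:
        print("hidden frame ->", src)
    # Constructed file contents: a fake PE and a real JPEG header.
    print(is_pe_masquerading_as_jpeg("1.jpg", b"MZ\x90\x00"))
    print(is_pe_masquerading_as_jpeg("2.jpg", b"\xff\xd8\xff\xe0"))
```

Decoding before searching matters: the clear-text frame is visible to any grep, but the one built by document.write(unescape(...)) only appears once the string is decoded, which is exactly the layering the snapshots in the post show.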


Sneaky?… Yes it is… But the term I prefer to use is Ssscary… Booooooo…


After all, it’s a Halloween site, right? And if you are afraid (not of ghosts or ghouls) but of exploits, malware and spyware that will hound your system, be careful when browsing unknown sites, this Halloween and every time, for that matter!


NOTE: The site is alive and hosting malcode up to the time of this writing and has been reported to the proper authorities for take down.


Come One! Come All! eVade-o-Matic has it all!!!

  • Posted: October 24, 2006
  • Author: Virus analyst

For years, the Metasploit project has churned out more than a handful of exploit codes. These exploit codes are based on vulnerability research from the open-source community. Initially, the software vendors are the most affected by these exploit codes, forcing Microsoft, Apple or Mozilla to issue urgent patches to address the discovered vulnerabilities.


On the other side of the coin, malware authors are quick to abuse these vulnerabilities. They make use of exploit codes to gain access to unpatched software. This is where security vendors come into play. Through pattern updates and heuristic detection, antivirus companies race to detect known exploit codes to protect their customer base.


However, with the release of VoMM (the eVade-o-Matic Module), the challenge is now shifting from the software vendor to the security company. VoMM is an automated module developed in part by Metasploit (with LMH from Info-pull.com and Aviv Raff) that aims to make exploit code undetectable by antivirus products. VoMM was initially designed for JavaScript-based exploits in general, but I think it will only be a matter of time before Metasploit extends VoMM to other non-binary exploits.


To make the exploits it generates undetectable, VoMM employs the following techniques:



  1. White-space randomization
  2. String obfuscation and encoding
  3. Random comments; placement and manipulation of existing ones
  4. Block randomization
  5. Variables and function names randomization
  6. Integer and miscellaneous variables obfuscation
  7. Function pointer reassignment

In general, the techniques mentioned above are already being used by malware authors. What VoMM does is make it easier for script kiddies to employ them. This scenario will definitely raise the bar for the antivirus community, calling for stronger scan engines, since the ability to filter out whitespace and comments, and to de-obfuscate scripts and trace randomized variables, will become a baseline requirement.
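To see why techniques 1, 3 and 5 from the list above defeat a byte-level signature, and what a scan engine has to do about it, here is an added example (my own, not VoMM's or Metasploit's code). It tokenizes a small JavaScript fragment, drops whitespace and comments, and then replaces locally declared names with a placeholder so that two variants of the same script hash to the same value. The three script variants are constructed; the payload string and function names in them are arbitrary.

```python
"""Normalize JavaScript so whitespace, comment and identifier randomization stop mattering."""
import hashlib
import re

# Minimal JavaScript tokenizer: comments and whitespace are separate classes so
# they can be dropped; strings, numbers and identifiers are kept as classes.
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<ws>\s+)
  | (?P<punct>[^\s\w])
""", re.S | re.X)

DECLARATORS = {"var", "let", "const", "function"}


def tokens(js):
    """Significant tokens only: (kind, text) with comments and whitespace removed."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(js)
            if m.lastgroup not in ("comment", "ws")]


def normalize(js):
    """Defeats whitespace and comment randomization (techniques 1 and 3)."""
    return " ".join(text for _, text in tokens(js))


def skeleton(js):
    """Additionally defeats renaming of declared names and string/number rewriting
    (techniques 2, 5 and 6): locally declared identifiers become ID, literals
    become STR/NUM, while built-ins such as eval and unescape stay visible."""
    toks = tokens(js)
    declared = {toks[i + 1][1] for i, (kind, text) in enumerate(toks[:-1])
                if kind == "ident" and text in DECLARATORS and toks[i + 1][0] == "ident"}
    out = []
    for kind, text in toks:
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident" and text in declared:
            out.append("ID")
        else:
            out.append(text)
    return " ".join(out)


def fingerprint(text):
    """SHA-256 of the given text; apply to raw, normalized or skeleton form."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed variants of one script: V2 adds random whitespace and comments,
# V3 additionally renames the declared variable and function.
V1 = 'var payload = "AAAA"; function run(){ eval(unescape(payload)); } run();'
V2 = '/* random */ var   payload="AAAA";\n\nfunction run( ){eval( unescape(payload) );} // x\nrun();'
V3 = 'var qzx91 = "AAAA"; function fjs3(){ eval(unescape(qzx91)); } fjs3();'

if __name__ == "__main__":
    print("raw hashes equal:      ", fingerprint(V1) == fingerprint(V2))
    print("normalized equal (V2): ", normalize(V1) == normalize(V2))
    print("normalized equal (V3): ", normalize(V1) == normalize(V3))
    print("skeleton equal (V3):   ", skeleton(V1) == skeleton(V3))
    print(skeleton(V3))
```

The skeleton still exposes the calls that matter for detection (eval, unescape) because only names the script itself declares are blanked out; block randomization and function pointer reassignment (techniques 4 and 7) change token order and would need an actual parse rather than this flat token stream.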


I’ve always believed that adversity is needed for something to evolve. The cheetah became the fastest land animal chasing the gazelle, the second fastest. It is through challenges posed by the environment that we become better at what we do. VoMM is one such challenge.


The STRATION frustration continues…

  • Posted: October 24, 2006
  • Author: Virus analyst

After the “success” of WORM_STRAT.DR yesterday, the inevitable twin brother was bound to show up sooner or later. Clearly, with the detection of WORM_STRAT.DX today, it is more “sooner” than “later”.


Similar to the .DR variant, this new STRATION worm arrives on a system as a file downloaded by its manually spammed Trojan clone (TROJ_STRAT.DX). And with the sudden surge of infection reports (mainly from Japan, Taiwan, and China) and email samples received, it seems that there is another attempt at a “spiked attack”. What differs between these two variants, however, is the domain from which they download additional components. Yesterday it was vedasetionderun.com for WORM_STRAT.DR. Since this is most probably already blocked by most security companies, WORM_STRAT.DX opted to use another domain: hertionkadesinpoion.com.


From the looks of things, there seems to be a new STRATION strategy in the works. Blame it on the recent cameo appearance of MYTOB, because here’s what I think: after all those comparisons between STRATION and MYTOB (i.e., STRATION is the new MYTOB), the sudden reappearance of the latter reminded us that MYTOB may be old, but it still packs a punch. Placed beside the “original”, STRATION looked like a pathetic copycat.


Uh-oh. Are we looking at another worm war? Let’s hope not.


STRATION breaks loose!

  • Posted: October 24, 2006
  • Author: Virus analyst

For a brief amount of time today, TMIRT honeypots were able to receive multiple samples of TROJ_STRAT.DR. In what seems to be another “spiked” attack, TROJ_STRAT.DR was aggressively spammed, recompiled, then spammed again. This methodology resulted in at least 10 variations of the said malware, each one with a different MD5, but with the same behavior.


TROJ_STRAT.DR is a Trojan downloader that copies heavily from its worm brother: the same timing (a few days after MS Patch Tuesday), the same e-mail details (pretending to be a patch from MS), and the same file attachment format (UPDATE-KBxxxx-x86).


This Trojan downloads WORM_STRAT.DR from the VEDASETIONDERUN.COM domain. Interestingly, the said domain was created only yesterday, October 18, 2006. It seems that the domain was created for the sole purpose of hosting downloadable STRAT variants.


OPR 855 was quickly released to protect Trend Micro customers from this malware.


Free Antivirus Installation… By A Trojan

  • Posted: October 24, 2006
  • Author: Virus analyst

No, there’s no typo in the title above… But I can understand your surprise! (Smirk!)


In our world of antivirus products cleaning infected systems of Trojans and viruses, what could be crazier (but also most ingenious, I might say) than having a Trojan install an antivirus on your system?!?


But yes! It is true… and Trend detects this Trojan as TROJ_AGENT.BGK.


This Trojan, whose main purpose is to send spam from the infected computer, installs an antivirus on the infected system by downloading a pirated copy of Kaspersky Antivirus. It then patches the KAV license signature check and lets the antivirus scan the system, skipping the Trojan itself and its components WHILE flagging and deleting other malware found. The Trojan obviously uses this technique against other potential rival Trojans that may also infect the system and take a share of the pickings… Apparently, for this greedily ingenious Trojan, two or more cannot play at this game… ;)


What a dilemma for Kaspersky though… Talk about a free marketing stunt from the bad guys!


More from Joe Stewart of SecureWorks.


IE 7 release and its first vulnerability

  • Posted: October 24, 2006
  • Author: Virus analyst

Microsoft has released its much-awaited (I’m not sure if this is true) Internet Explorer 7, and not more than 24 hours have passed and its first vulnerability has been posted. Secunia released information regarding this new IE7 vulnerability. According to them, an error in the handling of redirections for URLs with the “mhtml” URI handler causes this vulnerability. It can be exploited to access documents served from another web site.


The vulnerability, however, requires access to a server where you can write HTTP headers: you need to force a browser to go to a certain URL, which then redirects to another URL.

IE7 can be downloaded here.

Update (Roberto Tayag, Fri, 20 Oct 2006 07:55:16 AM)


Apparently, according to Microsoft, the vulnerability itself is in Outlook Express; IE7 is just a vector. This vulnerability is currently under investigation by Microsoft.


Something old… something new

  • Posted: October 24, 2006
  • Author: Virus analyst

The recent months have seen a lot of zero-day exploits targeting Microsoft Word, what with MDROPPER variants becoming a perennial mainstay on the Trend Micro Malware Advisories page (TROJ_MDROPPER.CT being the most recent detection).


It is a bit surprising, therefore, when new malware exploiting old vulnerabilities suddenly appears virtually out of nowhere. W97M_KUKUDRO.AB and W97M_LAFOOL.AO, detected almost two days apart, both take advantage of MS vulnerabilities dating as far back as 2001 and 2003, respectively. We all know that the threat landscape has changed dramatically since then. And using macros? That is sooo ancient.


And yet, they still proved effective, even almost getting detected as new exploit Trojans. Why? Because of the mere fact that they are ancient. Something old, yet something new. In a time when Microsoft (and perhaps even the antivirus industry) are chasing proof-of-concept and zero-day malware like cats after anything shiny, seemingly unassuming grandpa exploits may just slip in quietly. The same goes for computer users who may be scrambling for the latest security fixes… and forgetting the older patches in the process.


Perhaps malware authors are trying to check whether we have strained our necks forward for so long that we cannot look back anymore. Fortunately, we love to stretch our muscles once in a while.


A Burst of TROJ_DLOADER.GAF

  • Posted: October 24, 2006
  • Author: Virus analyst

As of this writing, we are getting a lot of samples of a malware that Trend Micro is going to detect as TROJ_DLOADER.GAF (the pattern has already been created and is now in the testing phase). The malware is currently being spammed as an attachment; the filenames and MD5 hashes of these files differ. Some of the filenames are:



  • doc.zip
  • test.zip
  • document.zip
  • body.zip
  • text.zip
  • Update-KB-x86.zip
  • file.zip
  • readme.zip
  • data.zip
  • message.zip
  • test.txt.pif
  • text.txt.pif

The extensions vary among zip, exe, pif, and cmd. The file size of these attachments also varies, from 12,430 to 12,758 bytes. Upon extraction, the file drops an executable that imitates a Notepad icon. Please think twice before opening emails with attachments having these filenames or, at least for today, attachments with these extensions.
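The filename list, the extension set and the size range above, together with the UPDATE-KBxxxx-x86 attachment naming from the STRATION post earlier on this page, are the kind of indicators a mail gateway can act on immediately while the detection pattern is still in testing. The following is an added example of such an attachment triage rule, not Trend Micro's tooling; the sample attachment names and sizes are constructed, and the KB digits in the fake patch name are a placeholder.

```python
"""Attachment triage from the indicators reported for TROJ_DLOADER.GAF and STRATION."""
import re

# Filenames quoted in the TROJ_DLOADER.GAF post (compared case-insensitively).
SPAMMED_NAMES = {
    "doc.zip", "test.zip", "document.zip", "body.zip", "text.zip",
    "update-kb-x86.zip", "file.zip", "readme.zip", "data.zip", "message.zip",
    "test.txt.pif", "text.txt.pif",
}
RISKY_EXTENSIONS = {".zip", ".exe", ".pif", ".cmd"}   # extensions the post reports
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".cmd"}
SIZE_RANGE = (12_430, 12_758)                        # bytes, as reported
# UPDATE-KBxxxx-x86 from the STRATION post; digits made optional so that the
# listed "Update-KB-x86.zip" matches as well.
FAKE_PATCH_RE = re.compile(r"^update-kb\d*-x86\b", re.I)


def triage_attachment(name, size):
    """Return every reason an attachment matches the reported campaign (empty = clean)."""
    lower = name.lower()
    ext = ("." + lower.rsplit(".", 1)[1]) if "." in lower else ""
    reasons = []
    if lower in SPAMMED_NAMES:
        reasons.append("filename on the spammed-attachment list")
    if FAKE_PATCH_RE.match(lower):
        reasons.append("fake Microsoft patch naming (UPDATE-KBxxxx-x86)")
    if lower.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension hiding an executable")
    if ext in RISKY_EXTENSIONS and SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
        reasons.append("size within the reported 12,430-12,758 byte range")
    return reasons


def should_quarantine(name, size):
    """Gateway decision: hold the message if any indicator matched."""
    return bool(triage_attachment(name, size))


# Constructed sample of attachments a gateway might see; KB000000 is a placeholder.
SAMPLE_ATTACHMENTS = [
    ("doc.zip", 12_500),
    ("test.txt.pif", 12_700),
    ("UPDATE-KB000000-x86.exe", 40_000),
    ("quarterly-report.pdf", 12_500),
    ("photos.zip", 200_000),
]

if __name__ == "__main__":
    for name, size in SAMPLE_ATTACHMENTS:
        print(f"{name:28} {size:>7}  ->", triage_attachment(name, size) or "clean")
```

The size rule is deliberately combined with the extension set: a 12,500-byte PDF is not flagged, while a 12,500-byte ZIP is, which mirrors the post's advice to be wary of those extensions specifically on that day.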


