* The spam map was relaunched in September 2008. The new URL is http://itw.trendmicro.com/malware_spam_map.php.
There has been a lot of WORM_NUWAR movement this week. The controversial “storm malware”, TROJ_SMALL.EDW of P2P botnet fame was found to be an accomplice of the NUWAR network; dropped as it is by a variant detected by Trend Micro as WORM_NUWAR.CQ.
The weekend is upon us and yet another NUWAR makes it to the Trend Micro noteworthy list. Detected as WORM_NUWAR.EE, its spammed email carries belated New Year cheer and the usual Trojan hitchhiker (TROJ_TIBS.PE). Like the earlier variant, WORM_NUWAR.EE also uses the file name POSTCARD.EXE for its attachment. What is surprising about this new variant is its total lack of originality. WORM_NUWAR’s spammed messages have always used convincing social engineering tactics like the CNN ploy and, of course, the recent Storm email. WORM_NUWAR.EE, however, is just rehashing the “New Year” subject line and an old attachment file name. Based on this, it can be surmised that NUWAR’s code may have been made publicly available and somebody is trying it on for size.
As always, users are highly advised not to open attachments from suspicious email messages. The best protection is still caution and vigilance.
The smoke from the LINKOPTIM attack against the Italian computing population last month has not completely cleared, but already a new worm that uses email messages in Italian is making the rounds. Last weekend, the Incident Response Team at Trend Micro recorded that as much as 82% of all email messages received by their email honey pot were generated by this worm.
WORM_SPIAG.A sends copies of itself as attachment to email messages that promise photos of the recipient on a beach.
“In spiaggia,” the subject reads. “In the beach.”
The email message says:
A free online translator produced this (surely) loose translation:
The attachment file name sustains this picture on the beach scam: SPIAGGIAFOTO.ZIP. When a recipient opens this attachment, the worm executes on the system, and the system becomes a launch pad for further propagation.
“What’s up with this old-fashioned worm?” one might ask. It does not even try to cover its malicious acts by, say, dropping and opening an image file to further trick the user, the way some malware do. Instead, it proceeds with its payload right away: it dials premium-rate numbers, possibly long-distance numbers or pay-per-view sites. Also, as the Incident Response Team documents, this worm accesses a legitimate social networking Web site for adults, which raises questions as to the true goal of WORM_SPIAG.A.
It’s a worm that carries a dialer payload. Wait, that’s not quite right. Along with the major change in the malware threat landscape (from outbreaks to targeted attacks) is an inevitable shift in perspectives. WORM_SPIAG.A is a dialer with propagation capabilities. Now that’s more like it.
In any case, the affected user ends up being charged for calls or connections that he or she never intentionally made.
Well, let’s just say that’s the price of being a stubbornly unwise computer user at a time when complex, coordinated, targeted attacks are rampant, a time when user awareness and carefulness are more critical than ever.
During the past weeks, we’ve been seeing vulnerabilities in Microsoft Office being exploited by malware in order to compromise systems. Most of the vulnerabilities exploited by this malware, however, were in Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.
Right now, we have received a sample said to be exploiting a currently unknown vulnerability in Microsoft Access. We are still verifying whether the vulnerability being exploited is an old one, most probably MS04-014 (Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution, 837001), or a new vulnerability altogether.
Trend Micro detects this malicious MS Access file as TROJ_ACCDROP.A and the dropped file is detected as TROJ_AGENT.FNM.
Today is Microsoft patch day, and some of our readers may know about the trend of MS Office 0days showing up after every MS release…
It is also a good time to update our Microsoft software products, including MS Office. This helps protect our systems from malware exploiting old vulnerabilities, since malware authors use unpatched vulnerabilities on our systems as attack vectors. Let’s patch our machines and be cautious of unsolicited email messages containing MS Office documents or files that may have been altered and crafted to exploit and compromise your system.
Patching avoids this kind of exploit if the vulnerability in Access turns out to be an old one. If it is indeed a new vulnerability, users are advised to be cautious about opening or executing unsolicited MS Office documents, especially MS Access files. Always update your pattern files to be protected against malware (like this one) that tries to compromise your machine.
Update (Ivan Macalintal, Wed, 11 Oct 2006 03:32:39 AM)
The MDB file reported above may have been used in an attempted targeted attack on a high-profile customer (whom we’re not going to name here, for confidentiality).
Nevertheless, here is some more information regarding this threat:
Filesize: 161,796 bytes
TROJ_ACCDROP.A just drops and executes TROJ_AGENT.FNM. TROJ_AGENT.FNM creates the following files and registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Sell “C:\WINDOWS\system32\html.exe”
TROJ_AGENT.FNM also connects to a site, most probably acting as a trojan proxy.
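Persistence entries under the Winlogon key, like the one reported above, stand out when compared against a known-good baseline. The following is an added example (not code from the original post or from Trend Micro) that parses a `reg export`-style dump and flags Winlogon values whose name or data deviates from an assumed baseline; the baseline, the known value names and the sample dump are constructed assumptions, not a vendor signature.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: baseline of a default XP-era install; replace with values from your own golden image.
BASELINE = {"Shell": "explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,"}
# Other value names that legitimately appear under Winlogon (assumption; extend as needed).
KNOWN_NAMES = set(BASELINE) | {"DefaultUserName", "AutoRestartShell", "ReportBootOk"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # REG_SZ lines only: "name"="data"

def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ values in a reg-export dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # reg export doubles backslashes and escapes quotes; undo that.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def audit_winlogon(text):
    """List (name, data, reason) for Winlogon values that are not in the baseline."""
    findings = []
    for name, data in parse_reg_export(text).get(WINLOGON_KEY, {}).items():
        if name not in KNOWN_NAMES:
            findings.append((name, data, "unexpected value name under Winlogon"))
        elif name in BASELINE and data.lower() != BASELINE[name].lower():
            findings.append((name, data, "baseline value altered"))
    return findings

# Constructed sample dump containing the entry reported in the post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Sell"="C:\\WINDOWS\\system32\\html.exe"
'''

if __name__ == "__main__":
    for name, data, reason in audit_winlogon(SAMPLE_EXPORT):
        print(f"{reason}: {name} = {data}")
```

Only REG_SZ lines are parsed; binary or multi-string values would need additional handling.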
Microsoft has already been contacted regarding this issue, but so far there has been no reply, so do hold on for updates.
Update (Jessie Paz, Wed, 11 Oct 2006 02:13:30 PM)
The sample does not look similar to other MDB files that carry the MS04-014 exploit. However, when the sample was opened on an unpatched machine, MS Access crashed… but when the MS04-014 patch was installed, the crash did not happen…
This means that if you already have the MS04-014 security patch, you are well protected from this threat.
According to InformationWeek, that is.
No doubt these are noteworthy events, but distilling the “infamous moments” in security research down to just 10 tends to miss other significant ones. As some security blogs (OSVDB) point out, “initial discovery/disclosure of vulnerability classes (Overflow, XSS, SQL Injection) seem like they would big moments.” Moreover, the “list seems to be very centered around the last couple of years.”
Personally, I would like to add these.
These are off the top of my head. Of course, there are a lot of others that I’ve missed. But then again, adding more would make the list longer than 10, which defeats the point of the original article.
For the past weeks, we’ve had LOTS of little-ly (yes, there is such a word in my vocabulary) spammed Trojans. No massive email spamming, just email messages in small doses, and with small targets.
Take for example these hand-picked advisories from the Email Honeypot:
Short and sweet. And with a typo. And of course, an executable attachment.
This one is in… Portuguese?
“Talk for free with anyone you want, netphnoe, this service came to stay! Open the attached file and install now our product the first 500 minutes are for free!”
Now this one attempts to make the target believe that the original email is from the user. Confused? Hmm… Let me try again. This one tries to make the target think that the email is a reply to an original email… Wait, here’s an email sample:
There, see what I mean? The “you wrote” part? Yes?
Right in the middle of the holiday season, internet users and security experts alike received an unexpected gift which would start the New Year with a bang. It has only been a week since the release of the 0-day WMF exploit code but it has already caused much disarray and has spread like wildfire throughout the net.
In the Beginning…
On December 28, 2005, I still had a hangover from Christmas and was looking forward to New Year’s when Microsoft released an advisory regarding the said vulnerability. At the same time, exploit code for WMF (Windows Metafile) was also released by Metasploit as part of their Framework. And so began the spread of the WMF exploit.
Just a few days after the release of the exploit code, reports came in that the WMF exploit had spread throughout the net and was gaining the attention of security experts. SANS went to INFOCON Yellow, signaling the gravity of the situation.
The said exploit is very dangerous since, unlike EXE files, it does not need to be manually run to execute. The exploit can be triggered just by selecting the file, or by viewing the directory in Explorer with “Icon Size”. With this, malware can spread using the exploit through a number of different vectors: e-mail, instant messaging applications, and the most used of all, Web sites (through iframes and redirection).
Metasploit has now released 3 modules for the WMF exploit, and we have confirmed reports of the WMF vulnerability being spammed in email and of links to WMF files circulating through instant messaging applications.
We have a generic detection for the WMF vulnerability (TROJ_NASCENE.GEN). This generic pattern is continually being improved as new samples are created.
As of this moment we still expect more and more malware to use this vulnerability, and rest assured that we are taking every measure to defend against it. Furthermore, as always, everyone is advised to be more conscious and alert about unknown emails, links, and websites you visit; this is probably the best defense anyone can have, not just against this WMF vulnerability but against any malware.