April 2005 VECTORBLOG
April 30, 2005 can't beat 'em, join 'em In February, we published the quasi-homage to the simple Netsky mass mailer on its first anniversary. The focus of the report was how successful this seemingly common worm continues to be, asking how it could be that Netsky.P continues to be on the "top threats" chart at every major AV vendor. This mass mailer continues to show up in Inboxes - nearly a year later, during a time most analysts say that mass mailers are dying off. So, if you have been toiling for a year yourself with your own delivery mechanism to compromise machines and haven't found the degree of success you had hoped for, maybe consider repackaging your specific Trojan/backdoor with the Netsky wrapper. Exactly. Netsky.AI (Symantec's name) has the feel of classic Netsky iterations with the functionality of a MyDoom release - this version pulls down a copy of Nemog, the Trojan used by the MyDoom author(s). There is currently no way of knowing for sure whether this is the MyDoom author using the Netsky code or an unconnected malware writer altogether; however, the continued use of such hybrid tactics would again signal a base of developers using methodical, professional practices to deliver viruses.
April 29, 2005 another day The release of the Sasser worm occurred one year ago today, 3 weeks after MS04-011. This event helped shape the configuration management efforts of many enterprises, probably yours. If you're still looking for direction for your CM program, see emergency preparedness and some of the great sites on the web, such as:
Carnegie Mellon Software Engineering Institute (SEI)
April 28, 2005 venus flytrap An interesting trend in malware so far this year has been the prevalence of what we're calling "passive malware" - code lying in wait for a victim (drive-by web infections, executables mailed to users waiting for a double-click, links/files sent via IM, etc.). This is distinct from the Blaster and Sasser worms that pushed a great number of companies to evaluate and purchase patch management systems as the infrastructure for their CM efforts. Those worms created a lot of fear because the time from Microsoft's vulnerability release to working exploit/malware was relatively short, scaring many configuration managers and IA folks. That idea is examined through the lens of 2005 malware in the first of three reports, Just In Time: Microsoft's Time to Exploit, January - April 2005 (and PDF).
April 27, 2005 letter from the future This month marks the release of MS05-023, which describes a couple of buffer overruns in MS Word. The significance? Not a lot so far, except that two years ago the 2003 worm Torvil made a reference to the patch "MS05-023" in the message body of the email it sent out:
Hello, You should apply this fix which solves the newest Internet Explorer Vulnerability described in MS05-023. It's important that you apply the fix now since we estimate the Buffer Overflow is at a Critical Level. Sincerely Yours The Security Team
That's it. Just an interesting aside on an otherwise uneventful day.
April 26, 2005 aim for the top Interesting review of the Beagle zombie nets that exist. Yury Mashevsky put together a great article called "The Bagle Botnet" which examines the family of Beagle/Mitglieder code - one great stat from the report: based on the number of unique samples Kaspersky has collected, the Beagle author(s) are putting out a new piece of malware every 2 days on average. The whole thing is available at: http://www.viruslist.com/en/analysis?pubid=162656090
And don't forget infectionvectors.com's own trilogy on the Beagle worm: http://downloads.securityfocus.com/library/Beagle_Lessons.pdf http://www.securityfocus.com/data/library/beagle_lessons_2.pdf http://www.infectionvectors.com/vectors/year_of_the_beagle.htm
While on the topic of mass mailers, a worm named Kedebe is out and mentions Beagle/MyDoom in its infection routine. There's a Malagent report for it: Kedebe Alert.
April 24, 2005 trying to help The latest article on spy/ad-ware hits infectionvectors today, a look at the business side of the annoyances. Two familiar pieces of code are used as the backdrop for this report. Check it out, May I Help You: The Search Assistants, and the PDF.
April 21, 2005 and lower One more makes the vectorblog, subject: "You have won a lottery." Feel the excitement? Ready to pay a nominal processing fee?
April 19, 2005 hi and low Just published is Viruslist.com's report on the first quarter of 2005, written by Senior Virus Analyst Alexander Gostev. Although they offer a view of this year's mass mailers that competes with infectionvectors.com's, the report is still a great read. In all seriousness, the report is comprehensive but not overly detailed, an especially well-written review of the year in malware from all angles. Check it out here:
http://www.viruslist.com/en/analysis?pubid=162454316
The idea that phishers are getting lazy, after we saw some very well-crafted samples earlier, just strikes the vectorblog the wrong way. After all, the whole scam is not especially time or resource intensive; at least put some effort into the con. Today we received a sample with the "From:" field of simply "Bank." Nice work. Got a sample you think needs a mention? Send it to the vectorblog.
April 15, 2005 alluring The following email arrived, the first that we have received using Amazon.com as the bait for recipients. Other than that, it's a pretty standard phishing attempt:
002-1636631-0825622?opt=oa&page=recs/sign-in-secure.html&response=tg/recs/ recs-post-login-dispatch/-/recs/ref=pd_rw_gw_r/ref=amb __192930_2/002-1636631-0825622= name=REDIRECT_URL> <INPUT type=hidden value=aici_vin@yahoo.com name=to><INPUT type=hidden value=oa name=opt><INPUT type=hidden value=recs/sign-in-secure.html name=page><INPUT type=hidden value=tg/recs/recs-post-login-dispatch/-/recs/ref=pd_rw_gw_r/ref=amb__192930 _2/002-1636631-0825622 name=response>
April 14, 2005 tie your own Phishing is a fairly low-investment business: a web server, someone else's style sheets, access to spam tools and you are on your way to owning your own franchise. The tricks of the con artist are the same across the board - improve the sleight-of-hand and you may find yourself becoming very successful at fraud. As seems to be traditional, the latest Phishing Trip report has been followed up with another phishing article, this time one that looks at Blinder again and the high-volume world of email-based cons. Check out "Phishing Lures" and the PDF.
April 13, 2005 april showers Eight advisories and the related patches have been released for April by Microsoft. The bulletins cover everything from a few widely reported TCP/IP "flaws" through the MS Word products. Five are stamped Critical, the other three are Important. Of these there is already working exploit code for the IE problems (MS05-020). The TCP flaws are reminiscent of last year's hype over sequence number guessing and BGP connections. The IETF paper concerning the possibilities for an attack (well-written by Fernando Gont) is here:
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt. In a nutshell, the idea is to send an ICMP error notification (a "hard" error, i.e. port/protocol unreachable or fragmentation required with the don't-fragment bit set) that requires (that is, is required by the protocol standards) a device to dump an existing connection when the error is received. The Microsoft patch adjusts the validation method for ICMP traffic. In addition, MS05-019 changes the validation of TCP requests (an unrelated additional patch) and floors the accepted MTU value at 576 bytes (to mitigate the Path MTU ICMP problem). The XLS version and the CSV versions of the monthly roll-up are available as always.
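To make the ICMP validation discussed above concrete, here is an added example (not code from the page, Microsoft or the Gont draft) that models a receiving TCP stack's handling of one ICMP type 3 error in two modes: the pre-patch behaviour, where a matching 4-tuple is enough for a hard error to abort the connection and any advertised MTU is accepted, and a hardened mode that also requires the quoted sequence number to be one actually in flight, treats hard errors as soft on established connections, and floors the path MTU at 576. The connection table, addresses and ports are constructed for the demonstration.

```python
from dataclasses import dataclass

# ICMP type 3 codes the page calls "hard" errors; a classic stack aborted the
# connection on receipt: 2 = protocol unreachable, 3 = port unreachable,
# 4 = fragmentation needed and DF set (this one carries a next-hop MTU).
PROTO_UNREACH, PORT_UNREACH, FRAG_NEEDED = 2, 3, 4
MIN_PMTU = 576  # floor the page attributes to MS05-019

@dataclass
class TcpConn:
    src: str; sport: int; dst: str; dport: int
    snd_una: int      # oldest unacknowledged sequence number
    snd_nxt: int      # next sequence number to send
    pmtu: int = 1500

@dataclass
class IcmpError:
    """ICMP type 3 message plus the fields quoted from the offending segment."""
    code: int
    next_hop_mtu: int  # only meaningful for code 4
    inner_src: str; inner_sport: int; inner_dst: str; inner_dport: int
    inner_seq: int     # sequence number quoted from the embedded TCP header

def seq_in_flight(conn, seq):
    """True iff snd_una <= seq < snd_nxt, with 32-bit wrap-around."""
    span = (conn.snd_nxt - conn.snd_una) % 2**32
    return (seq - conn.snd_una) % 2**32 < span

def handle_icmp_error(conns, err, hardened=True):
    """Decide what a receiving stack does with one ICMP error.
    Returns ('drop' | 'ignore' | 'pmtu', detail); 'drop' aborts the connection.
    hardened=False models the pre-patch behaviour the page describes."""
    # A quoted header that matches no connection is noise in either mode.
    match = next((c for c in conns if (c.src, c.sport, c.dst, c.dport) ==
                  (err.inner_src, err.inner_sport, err.inner_dst, err.inner_dport)), None)
    if match is None:
        return "ignore", "no matching connection"
    if hardened and not seq_in_flight(match, err.inner_seq):
        # An off-path sender must quote a sequence number we actually have in
        # flight; this is the extra ICMP validation the patch adds.
        return "ignore", "quoted sequence number not in flight"
    if err.code == FRAG_NEEDED:
        mtu = err.next_hop_mtu if not hardened else max(err.next_hop_mtu, MIN_PMTU)
        match.pmtu = min(match.pmtu, mtu)
        return "pmtu", match.pmtu
    if err.code in (PROTO_UNREACH, PORT_UNREACH):
        if not hardened:
            return "drop", "hard error aborts the connection"
        return "ignore", "hard error treated as soft on an established connection"
    return "ignore", f"unhandled code {err.code}"
```

Run the same forged error through both modes to see that only the legacy path returns "drop", and that a tiny advertised MTU is clamped to 576 only when hardened.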
April 12, 2005 liable to end badly How much trust do you place in an email? How about one stamped urgent, with a subject line that indicates your bank needs your help with a security matter, from the service department at said bank? Right. Email has been corrupted and ruined as a means of doing legitimate business with consumers. Is the web next? With the use of phony sites, real SSL certs, DNS poisoning, etc., the web is continuously becoming a crummier place to do business. Where is the breaking point? Will the Internet fold under the rising costs imposed on companies trying to provide web services?
The latest in the popular "Phishing Trip" series is out today: Phishing Trip 3: Liability examines the issues of responsibility when a consumer is a victim of fraud and how the rising costs are affecting web commerce. Check it out here, the PDF here, and send feedback here.
April 11, 2005 what's myne is yours Check out the "top ten" or "recent threats" portion at your favorite anti-virus vendor's site (or all of them if you are a virus research devotee, as is likely if you are reading this) - the recent versions of Mytob dominate. Trend's 10 recent threats are all Mytob variants. This by no means is an indication of success; anyone can repack a worm and release it - it only shows the level of effort placed into the malware. Someone has the
April 7, 2005 29 on The number of Mytob variants continues to grow, making it one of the biggest virus stories of the year so far. Will this represent a turning point for "hybrid" vehicles? The continued use of IRC bots to control the victims of popular worms like MyDoom certainly looms on the horizon. Thoughts - send them to the vectorblog.
April 4, 2005 all in perspective A new version of Cabir (known as Mabir) was introduced today, still in zoo classification, apparently written by the same author. Mytob continues to roll out in new models. The number one growth area, however, continues to be profit-motivated malware. AllocUp, a piece of malware that downloads a list of spyware/Trojan sites to retrieve code from, hit the streets today. Not only does it keep trying to stick additional applications on the local machine, it opens a backdoor for any use the controller can imagine. The Internet continues to be profitable for criminals, and more cumbersome for legitimate users.
April 1, 2005 out like a lamb After a blitz of Mytob variants and a month filled with new iterations of worms for wireless devices, March leaves without a significant outbreak. The continued development of malware for mobile phones still shows signs that this is a "niche" area of code - the varied platforms make finding one virus that will infect a large number of phones difficult.
Phishing samples continue to pour in; just when it seems that everything has been covered by the scammers, new banks, charities, and online businesses are the targets of fraud. Phishing Trip III is due for release this month, after great feedback on parts I and II. Any interesting samples or stories are always welcome - send to the vectorblog.
Copyright © 2005 infectionvectors.com. All rights reserved.