January 2005 VECTORBLOG
January 28, 2005 better late In an oversight of minuscule proportions, the Dipnet Malicious Agent was added today. In addition, an analysis of mass mailer strength was added. In the wake of bot net applications such as Dipnet and the mysql worm making their way around the Internet, the mass mailer has received a lot less press, much of the attention being theories of its demise. Infectionvectors does not believe the reports of the mass mailer's death; check out the report, Demise of the Mass Mailer, and decide for yourself. Send feedback to the site contact.
January 24, 2005 more the merrier Beagle fans already know of the powerful Trojans added to machines that find themselves infected with one of the many variants. Just ahead of the release of "Beagle History Part 3" (early February), a Malicious Agent report was added: Formglieder. We discovered this one on a server the Beagle author used in the fall 2004/winter 2005 to distribute the additional code; the report is an excerpt from the forthcoming feature.
January 18, 2005 last call So there's a little more to the Washington Mutual story. Received today is a new sample that impersonates the WaMu site. This one creeps into a slightly different world, actually taking the form directly from the real page. Here's yet another short chapter in this series.
January 14, 2005 pile on After the publication of "Phishing Trip I" we received a few additional examples of scam spam using Washington Mutual's logo. Part II will focus on a different facet of Phishing, so we'll just call this the Addendum.
January 13, 2005 castaway Has your enterprise been one of the many that noted a spike in TCP 11768 traffic since the last week in December? If the answer is yes, hopefully it has been coming from the outside and not the inside of the network. If the answer is no, hopefully your sensors/logging are accurate. In either case, the cause appears to be a stripped down cousin of the bot net variants, this time named Dipnet or Oddbob. The bot infects boxes via the LSASS overflow (from April of 2004), and supports only a few commands, one being the DoS routine responsible for the traffic spikes.
Dipnet makes a good argument for two things: 1) exploits are not as readily crafted and added to worms as one may expect; for all the infections in the last three weeks, keep in mind a box has to be missing a patch that is now 9 months old. 2) bot nets may be the enemy most feared by malware researchers, but they still require a transport, in this case the LSASS overflow used by other applications. Bot net is a payload, not a medium, not a type of worm. A remote exploit is no more capable of delivering a bot than a manual hack, a mass mailer, or any other means of injecting code.
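The inside-versus-outside check the entry describes, as an added example that is not from the original post: it runs over constructed firewall log lines in Python and separates connections to TCP 11768 by whether the source is an internal host. The log format and the 10.0.0.0/8 internal range are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (not from the original page), one per line:
# "<time> <src_ip> <dst_ip> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
2005-01-13T08:00:01 10.1.2.3 203.0.113.10 TCP 11768 allow
2005-01-13T08:00:02 198.51.100.7 10.1.2.9 TCP 11768 deny
2005-01-13T08:00:03 10.1.2.3 203.0.113.11 TCP 11768 allow
2005-01-13T08:00:04 10.1.4.8 203.0.113.12 TCP 11768 allow
2005-01-13T08:00:05 198.51.100.9 10.1.2.9 TCP 445 deny
2005-01-13T08:00:06 10.1.2.3 203.0.113.13 TCP 80 allow
this line is truncated
"""

DIPNET_PORT = 11768  # the port the entry ties to Dipnet/Oddbob DoS traffic

def classify_dipnet_traffic(log_text, internal_nets, port=DIPNET_PORT):
    """Split TCP connections to `port` into inbound (external source) and
    outbound (internal source). Outbound hits are the worrying case the entry
    describes: the source is a host inside the network, likely infected."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    inbound, outbound = 0, Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed or truncated lines
        _ts, src, _dst, proto, dport, _action = fields[:6]
        if proto != "TCP" or not dport.isdigit() or int(dport) != port:
            continue
        if is_internal(src):
            outbound[src] += 1  # count per suspect internal host
        else:
            inbound += 1
    return {"inbound": inbound, "outbound": sum(outbound.values()),
            "suspect_hosts": dict(outbound)}

if __name__ == "__main__":
    result = classify_dipnet_traffic(SAMPLE_LOG, ["10.0.0.0/8"])
    for host, hits in result["suspect_hosts"].items():
        print(f"internal host {host} opened {hits} connections to TCP {DIPNET_PORT}")
```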
January 11, 2005 baby new year The first Microsoft advisories for 2005 were released today, 2 Critical and 1 Important alert. The Criticals affect almost every modern release of Windows (no offense to 9x/NT shops still in business) and deserve some quick attention: both hold the possibility of web-delivered exploits that result in the dreaded "arbitrary code execution." Interested yet? Check the rundown here and then head to Microsoft's site to get the patches for your test machines. No time to read? How about the Excel or CSV breakdowns?
January 9, 2005 our own soup There is one persuasive, but unscientific, measure of a worm's success: the number of copies one gets attacking their personal machine. Whether that is an Internet worm bouncing against the firewall or a mass mailer arriving in the Inbox, seeing a worm enter one's own sphere is a good way to ensure it will be remembered. Often, this plays into the "voodoo," a belief that a worm requires a lot more attention than it deserves because it has made a personal connection with the user. Currently, I feel that way about Sober. The latest variant has appeared at least once every day for the last few weeks in a single mailbox here at infectionvectors.com. The rash of hits initially makes the alarm bells go off, which is OK, but it needs to be researched (against sources such as the virus monitors of the AV companies and reports like those available here). Follow a process and maintain sanity; it's important to remember even when researching virus defense methods every day.
January 7, 2005 hook line & sinker As a special Vector Space report, "Phishing Trip Part 1" was posted today. This paper examines the explosion in phishing and the scammers' attempts to convince users to turn over personal data. The focus is on samples directed at Washington Mutual account holders, but the lessons are valuable for phishing education and awareness training across the board. The HTML of each is included for those with more technical interests.
Phishing has become such a problem in the world of malware that it warrants a little attention of its own. This is just the beginning of this new series unfortunately.
January 5, 2005 hit counter Seems like a good year for viruses already, if you equate "high volume" with "good." The AV vendors are all flagging a high number of new samples, making it seem like a rough road is ahead for security administrators.
January 2, 2005 the end of the world The real sign of the end is not the horrible tsunami-caused devastation in Asia, but the appearance of scams using the relief effort as a phish-hook. We received what appears to be the first piece of spam hoping to cash in on the good intentions of recipients. An e-gold account is used to collect the funds (.02 g of Gold from each donor's e-gold account) to "help people in Asia". The crafters of this scam intend for the email to appear to be from e-gold itself; in fact from their "Emergence TEAM." However, the misspelling of "Emergence" in the subject field, the use of broken grammar, and multiple questionable lines in the HTML of the email itself make this a pretty dubious plea.
Examples from the message code that may strike you as suspicious:
- the e-gold logo is actually downloaded from "isp-crackers.com"
- the use of "Valued PayPal" in some of the unprinted text
- calling the yahoo mail login in unused portions of the HTML
- the eloquent plea "Asia Earthquake Need your help !!!"
Obviously, this is directed only at those with e-gold accounts to transfer from, but it makes for a great example of the things users need to be on the lookout for (and the depths some will sink to in order to lift a few dollars from unsuspecting people).
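An added example, not part of the original post, that checks an HTML message for the kinds of indicators listed above: image and form targets on hosts other than the claimed sender's domain, and unrelated brand names in hidden text. The sample message is constructed from the entry's indicators rather than taken from the real scam; the claimed domain e-gold.com and the simple hidden-element handling are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators the entry lists; not the actual scam message.
SAMPLE_HTML = """\
<html><body>
<img src="http://isp-crackers.com/images/egold_logo.gif" alt="e-gold">
<p>Asia Earthquake Need your help !!!</p>
<form action="http://login.yahoo.com/config/login">
</form>
<div style="display: none">Dear Valued PayPal customer</div>
</body></html>
"""

class PhishIndicatorParser(HTMLParser):
    """Collect hosts named by <img src> and <form action>, and text inside hidden elements."""
    def __init__(self):
        super().__init__()
        self.hosts = []          # (tag, hostname) pairs
        self.hidden_text = []
        self._hidden_tag = None  # assumption: hidden blocks do not nest same-named tags
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("action") if tag == "form" else None
        if url:
            self.hosts.append((tag, (urlparse(url).hostname or "").lower()))
        if "display:none" in (a.get("style") or "").replace(" ", "").lower():
            self._hidden_tag = tag
    def handle_endtag(self, tag):
        if tag == self._hidden_tag:
            self._hidden_tag = None
    def handle_data(self, data):
        if self._hidden_tag:
            self.hidden_text.append(data)

def phishing_indicators(html, claimed_domain, other_brands):
    # Returns human-readable findings; an empty list means none of these indicators fired.
    p = PhishIndicatorParser()
    p.feed(html)
    findings = []
    for tag, host in p.hosts:
        if host and host != claimed_domain and not host.endswith("." + claimed_domain):
            findings.append(f"<{tag}> points at off-brand host {host}")
    hidden = " ".join(p.hidden_text).lower()
    for brand in other_brands:
        if brand.lower() in hidden:
            findings.append(f"hidden text mentions unrelated brand '{brand}'")
    return findings

if __name__ == "__main__":
    for f in phishing_indicators(SAMPLE_HTML, "e-gold.com", ["PayPal"]):
        print("suspicious:", f)
```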
January 1, 2005 all over again No controversial (hopefully) predictions, no crazy prognostication. The new year brings more of the same that you're already used to (hopefully) dealing with everyday. Check out the first report of the new year, a light look at why surprises will dot a very familiar backdrop in 2005.
New virus code is popping up at a regular level for the holiday season, which is to say that we're seeing quite a bit. Nothing especially innovative as of yet; last week's Santy episode appears to be the last development of 2004. As always in the new year, if you have story ideas or just vectorblog info to share, feel free to rant to the contact address.
Happy New Year.
Copyright © 2005 infectionvectors.com. All rights reserved.