research the vector. watch the profits. close the door.         


VECTORBLOG ARCHIVE


 June 2005 VECTORBLOG

 

June 28, 2005

eyes peeled

The Beagle author has released a new round of the same Trojan we have seen and evaluated previously. The malware carries what appears to be a new set of servers from which it intends to retrieve more malware (as is the modus operandi, the code is not available yet), based on the list published by Trend Micro.

 

Also, CA bought Tiny - something that would be of interest to fans of the Tiny firewall product. Read more here.

 

June 27, 2005

done for

The "Washington Post" ran a story on the front page of this Sunday's (June 26) newspaper which pointed to Internet crime as a force that is ruining the web, to the point that only an overhaul (i.e., Internet2) will solve the ills. This was very interesting to see on the front of such a powerful journal, indicative of the breadth and depth of Internet crime. The report is available for two weeks free at their site. Changes that are singled out include the requirement for authentication, specifically for email, but needed for almost every type of online communication. The issues described here are also discussed in a few infectionvectors reports: Email Crime, Phishing Trip, and of course, the Beagle series.

 

Most on point to the issues described in the Post's feature is the third part of the "Phishing Trip" series, Liability. If the Internet is a cost-prohibitive venture, will there be a technology that can save it? If anonymity is what fuels the 'net now (both the good and the bad), would removing that hurt crime and legitimate business equally?

 

It is a topic that online vendors and bankers are facing individually; I don't know of any global organizations that complete such analysis from a cost/benefit perspective, but it is something that is urgently needed. If you are running an e-commerce site of any kind, we'd love to hear your views on the cost of Internet business. 

 

June 23, 2005

taken for granted

Looking for a quick way to gauge user awareness? A story on MSN (by Kim Komando) about the security issues everyone should know before being part of the Internet community is a good measure. Sure, if you are reading this blog you likely will know everything already. The article, however, is a concise and easy-to-read overview for everyone else you may care about (or just be responsible for). http://tech.msn.com/guides/955450.armx?GT1=6597

 

June 22, 2005

keep driving

A day after the release of the hard-fought IM feature is a much lighter read (and writing assignment) concerning the value of corporate data. This brief look at asset management asks whether one can look at the safeguards in place and determine the value of the information - and, if not, whether there is work to be done at the company in question. The paper, "Reverse Data Valuation," is available as a short HTML document and PDF.

 

Also, take a look at the Smitfraud alert. This is a strain of malware that has been around for a while, but based on the ramped up alerts (also seen on Panda Software's site), a report is now justified. 

 

June 21, 2005

instantly

The IM worm paper, "Shoot the Messenger: IM Worms," is up today. This was undoubtedly the slowest paper to research as it covers the broadest set of samples yet in one of the features. 

 

IM worms make an interesting study because of the way the family has developed; much of the history will look familiar to people who have watched the progression of mass mailers. Because IM worms are a relatively new threat to Internet-connected systems, many scanning and defense technologies do not effectively block these attacks the way they do other, more traditional malware. Yet IM worms, as a family, have successfully adopted the same attack technologies as their cousins. The paper asks security managers to consider how nimble their defense tactics are: do we learn and adapt to "new" attacks, and are we able to leverage the strategies of last year against threats from this year? Get the report HTML style and PDF.

 

June 20, 2005

overestimate

Beagle has popped up once more; Symantec is up to Beagle.BT for those of you keeping score. The mass mailer shoots out copies of Tooso, as you might have expected. What is really interesting to me (still) is the lack of social engineering required. Consider this iteration: it sends emails with a spoofed From: field, no subject, an attachment named something akin to 3.zip, and a message that consists of just a password for the archive. Hard to call that engineering. On the other hand, if that's all it takes to make a profit, it's hard to argue in favor of doing any more work. In either case, the business has to be respected - but you've heard that from me before.
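One way a mail gateway could match the lure just described (no subject, a body that is only the archive password, a single-digit ZIP attachment), as an added example that is not infectionvectors.com code; the message it inspects is constructed and its attachment is not a real archive:

```python
# Added example (not infectionvectors.com code): score an incoming message
# against the Beagle/Tooso lure described above: no Subject, a body that is
# only the archive password, and a ZIP named with a single digit.
# SAMPLE is a constructed message; the attachment is not a real archive.
import email
import re
from email import policy

SINGLE_DIGIT_ZIP = re.compile(r"^\d\.zip$", re.I)

def beagle_indicators(raw):
    """Return the list of matched indicators for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if not str(msg.get("Subject", "")).strip():
        hits.append("empty-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    # one short token and nothing else: the 'password only' body
    if text and len(text.split()) == 1 and len(text) <= 16:
        hits.append("password-only-body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if SINGLE_DIGIT_ZIP.match(name):
            hits.append("single-digit-zip:" + name.lower())
    return hits

def looks_like_beagle(raw):
    """All three indicators together is the pattern the entry describes."""
    hits = beagle_indicators(raw)
    return "empty-subject" in hits and "password-only-body" in hits and any(
        h.startswith("single-digit-zip:") for h in hits)

SAMPLE = b"""From: "Mail Service" <service@example.net>
To: user@example.org
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

78523
--b1
Content-Type: application/zip; name="3.zip"
Content-Disposition: attachment; filename="3.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```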

 

June 17, 2005

“involuntary protagonist”

The term above comes from a Panda Software story about the most-used celebrity names in malware. They compiled the names used to entice recipients to open worm/Trojan attachments, which is a really interesting study that I had not previously considered. The top three are Britney Spears, Bill Gates, and Jennifer Lopez. Check it out at the Panda website:

 

http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=6320&ver=21

 

June 16, 2005

bot out of hell

From June 13 through June 16 a number of new Mytob iterations were released. Trend Micro posted reports for 7 of the worms; Symantec counted and released alerts for 15 new versions. The new Mytobs carry an expanded list of processes to terminate and slightly modified email messages. The Mytob strategy continues to be one of brute force, changing the packing methods more frequently than the outer appearance of the worm. For more information, see the updated alert and the Mytob Infantry feature.

 

Dear INFECTIONVECTORS.COM Member,

 

We have temporarily suspended your email account VECTORBLOG@INFECTIONVECTORS.COM.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).

2. Submiting invalid information during the initial sign up process.

3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

See the details to reactivate your INFECTIONVECTORS.COM account.

 

Sincerely,The INFECTIONVECTORS.COM Support Team

 

+++ Attachment: No Virus (Clean) 

+++ INFECTIONVECTORS.COM Antivirus - www.infectionvectors.com

 

Imagine how bad I felt; I didn't even know we had subscriptions.

 

Interestingly, Trend Micro also cataloged one version (Mytob.GD) that does not spread via email, only unprotected/weakly protected file shares. This is not a variant infectionvectors.com has seen thus far, and would be an important shift in the release strategy of the Mytob authors.

 

June 15, 2005

top 10

This month brings 10 new security bulletins from Microsoft, although few are especially scary. Of the three “Critical” warnings, the first, MS05-025, appears to hold the most potential in terms of malware. Just as previous vulnerabilities like MS05-020 allowed for malicious email attachments and graphics files to be used as the foundation for Trojans, this one is likely to spur a few mail-borne worms. HTML Help is again targeted for a fix; if this is something you don’t need to use, it may be worth turning off (see the Microsoft bulletin for the quick method of removing the infotech protocol registration). The final Critical flaw is one that is not getting a lot of press currently, an SMB vulnerability potentially allowing remote code execution. As always, the XLS and CSV roll-ups are available for download; check out the June MS vulnerabilities page here and all the MS advisories for the year on the bulletins page.

 

June 14, 2005

blue ribbon

I add this to the vectorblog for your review: this is probably the nicest looking phishing attempt we have received at infectionvectors. If I'm way off, let me know, but I think this looks pretty good. The website it points to is fairly standard, good enough to fool anyone who follows the request. Below is the message; for the HTML that accompanies it and the site, click here.

Back in May, we published a scam that was much less polished: it didn't try to hide the URL of the phony site, had few graphics, poor grammar, etc. In response, the NCUA has placed a very good warning to users about the scamming on their home page, ncua.gov.

 

June 13, 2005

summer time

A surprisingly busy summer - not so much from a malware release perspective, more because of professional mandates and the lure of the good weather - has prevented a lot of entries. The work is feverish for a new report covering the history and impact of IM worms to be released this month. We are again looking for report topics that are of interest to fill the idle days during the summer - send ideas to the vectorblog.

 

June 7, 2005

middle card

A follow-up to the investigation/report mentioned June 2, 2005 - the Deutsche Bank-targeted scamming continues a few days later, but with a different forward and server when the victim clicks the emailed link.

The day after the initial email flood, the server was changed to: bvderkio.mail333.com/6/. It still opens the real bank site with a phony pop-up:

 

<HTML><HEAD>
<META HTTP-EQUIV="Refresh" CONTENT="0;
URL=http://www.deutsche-bank.de/index_e.htm">
<SCRIPT language=JavaScript>
// ensure top window
if (window != top)
{
top.location = window.location;
}
</SCRIPT>
<title></title></HEAD>
<BODY bgColor=#ffffff onload="window.open('welcome3.html', 'miqoo9',
'top=230,left=210,width=410,height=260,toolbar=no,location=no,scrollbars=no,resizable=no')">
</BODY></HTML>
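A defender-side check for the pattern in the page above (a meta refresh that sends the browser to the genuine bank site, a pop-up window opened from the body's onload, and a frame-busting script), written as an added example that is not infectionvectors.com code; the SAMPLE markup and the example.com host are constructed stand-ins for the captured page:

```python
# Added example (not infectionvectors.com code): flag landing pages that
# bounce the browser to a legitimate site and pop a window over it, as in
# the sample above. SAMPLE is a constructed stand-in for the captured page.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LandingPageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refresh_url, self.onload, self.script = None, "", []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # CONTENT is "0; URL=http://..."; the value may wrap across lines
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            self.refresh_url = m.group(1).strip("'\"") if m else None
        elif tag == "body":
            self.onload = a.get("onload", "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)

def analyze(html):
    """Indicators for one page; 'suspicious' needs both redirect and pop-up."""
    p = LandingPageScanner()
    p.feed(html)
    popup = re.search(r"window\.open\s*\(\s*['\"]([^'\"]*)", p.onload)
    host = urlparse(p.refresh_url).hostname if p.refresh_url else None
    return {
        "redirect_host": host,
        "popup_target": popup.group(1) if popup else None,
        "frame_busting": "top.location" in "".join(p.script),
        "suspicious": bool(host and popup),
    }

SAMPLE = """<HTML><HEAD><META HTTP-EQUIV="Refresh" CONTENT="0;
URL=http://example.com/index_e.htm">
<SCRIPT language=JavaScript>if (window != top) { top.location = window.location; }</SCRIPT>
</HEAD><BODY bgColor=#ffffff onload="window.open('welcome3.html', 'w',
'width=410,height=260,toolbar=no,location=no')"></BODY></HTML>"""
```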

 

And the current host, pochta.ru, has appeared in a few other phishing reports as well:

http://www.fraudwatchinternational.com/alerts/0503/pages/050305_7544_barclays.shtml

http://news.netcraft.com/archives/2005/03/07/phishers_use_wildcard_dns_to_build_convincing_bait_urls.html

 

June 4, 2005

reported

Mytob variants are making the rounds again, with the same process (various packers) and a similar look to the last round - where the look was actually altered quite a bit from the original few months' worth of worms. The last few versions have the feel of Beagle/Netsky mailers, in that the authors have constructed simple, yet "urgent" sounding messages. More info at the AV companies for this one; specifically, Trend Micro has good coverage: http://www.trendmicro.com/vinfo.

 

June 3, 2005

three card monte

Back to phishing issues for a moment - a short new piece on a scam directed at Deutsche Bank customers. This story is interesting because of the shell game the criminals play with the reader, even readers trying to investigate where the con is headed. There is a little refinement of the game played with researchers - check out the report, "Shell Game: Deutsche Bank Phishing Attempt." The PDF version contains the full HTML of the fake sites/forms, which are of possible interest to analysts. 

 

June 2, 2005

on schedule

Is it possible that the Beagle releases are actually scheduled so tightly that they can be expected during the first week of each month? Seeing new Mytobs again, maybe a continuation of the authors' strategy to overwhelm antivirus companies - this time using the additional cover of new Beagle iterations as leverage. That's it for today.

 

June 1, 2005

monthly visitor

The Beagle worm author is back, with a few new iterations of the Tooso Trojan that has come to signal a new wave of malware from this developer. The copies arrive as "09_05_2005.exe" inside a ZIP file with a single digit as its name (most of ours are 5.ZIP, some 7.ZIP, etc.). The initial blast seems to be fairly large. Although the malware is still being analyzed (mostly PeX-compressed, some ASPack), it appears to have very similar functionality to previous versions, with some new webservers hard-coded for the later release of new Beagle worm, Mitglieder, and Tooso code (and maybe a few new ones?). 


And for a little more on the PGPCoder stories around the world, I like to check out the Google news site, just to see what the general media has to say (see previous vectorblog entries).

 


Copyright © 2005 infectionvectors.com. All rights reserved.