May Malware Roundup (TrendLabs Malware Blog) - PCZONE Forum

May Malware Roundup
June 13th, 2007 by Ryan Flores

May was a relatively quiet month. Except for the slew of TROJ_ARTIEF targeted attacks in the last week of May, no other notable malware was discovered. For this round-up, we'll recap the malware that was able to capture our attention, even for a while.



Regional Attacks


While there wasn't much region-specific malware caught in the wild, one IM worm was found to send Spanish text to YM contacts, advertising a dance video of President Bush. This may be targeted at the fairly large Hispanic American population, or may be riding on the popularity of "So You Think You Can Dance", or both?



Malwares that hit it big


WORM_SOBER.AX is probably the malware with the largest infection count last May. Although the worm propagated slowly, the fact that it was able to continuously infect several computers over a period that lasted a couple of weeks may usher in a new model for future worms.



With all security vendors trained to spot fast spreading worms and updating their signatures in a matter of a few hours, worms that fly just under that radar may have more success in the wild than those replicating like bunnies.




Web-based Threats


One of the most interesting aspects of web-based threats is the ingenious use of social engineering by malware authors. As expected, the social aspect of malware threats found last May did not disappoint.



For one, we discovered a phishing Trojan pretending to be Microsoft's Security Center console.



A recent JS_FEEBS run made use of an associated Russian site to host additional malware.



And while searching for additional malware, we saw Google's site rating and blocking at work, automatically blocking several TROJ_ANI-related sites on its results page. Of course, known TROJ_ANI-related sites are also automatically blocked by Trend Micro's Web Blocking services.



Lastly, a concrete connection between typo-squatting and malware hosting was established with the help of Sunbelt. Their list of Italian typo-squatters was found to be associated, in a variety of ways, with TROJ_ZLOB hosting sites.
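The typo-squatting connection above is something a defender can check for in their own DNS or proxy logs: generate the likely typo variants of a domain you care about and look for them among the hostnames actually observed. The block below is an added example, not the Sunbelt list and not Trend Micro code; the domain `example.it` and the observed hostnames are constructed for the example, and the keyboard-adjacency table is a plain QWERTY map.

```python
"""Generate typo-squat candidates for a domain and match them against observed hosts.

Added example. The domain and the observed-host list are constructed for the
example; the adjacency table is a simplified QWERTY layout.
"""

# Keys physically adjacent on a QWERTY keyboard: a fat-finger substitution
# model for "one key to the left/right/above/below".
KEYBOARD_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yijh", "i": "uokj", "o": "iplk", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_candidates(domain: str) -> set:
    """Return the set of single-edit typo variants of a registrable domain.

    Covers the four classic typo classes: omission, duplication, adjacent-key
    substitution and transposition. The TLD is left untouched (assumption: a
    single-label TLD such as .it; multi-label suffixes like .co.uk would need
    the public-suffix list instead of rsplit).
    """
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])          # omission: one char dropped
        variants.add(name[:i] + ch + name[i:])         # duplication: one char doubled
        for key in KEYBOARD_NEIGHBOURS.get(ch, ""):    # adjacent-key substitution
            variants.add(name[:i] + key + name[i + 1:])
        if i + 1 < len(name) and name[i] != name[i + 1]:   # transposition
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    variants.discard(name)
    # Drop results that are not valid DNS labels (empty, or leading/trailing hyphen).
    return {
        f"{v}.{tld}" for v in variants
        if v and not v.startswith("-") and not v.endswith("-")
    }


def find_squats(candidates: set, observed_hosts) -> list:
    """Return the observed hostnames that are typo-squats of the protected domain."""
    return sorted(set(h.lower() for h in observed_hosts) & candidates)


# Constructed stand-in for hostnames pulled from DNS or proxy logs.
OBSERVED_HOSTS = [
    "exmaple.it",        # transposition of "example.it": a hit
    "example.it",        # the real domain: never reported
    "examp1e.it",        # digit-for-letter swap: outside this model, not reported
    "mail.example.it",   # legitimate subdomain: not a squat
    "unrelated.it",
]

if __name__ == "__main__":
    squats = typo_candidates("example.it")
    print(f"{len(squats)} candidates generated")
    print("hits in observed hosts:", find_squats(squats, OBSERVED_HOSTS))
```

The model is deliberately narrow: it catches keyboard slips but not homoglyph or digit substitutions (`examp1e.it` above is not reported), nor added words or different TLDs, so treat a clean result as "no fat-finger squats seen", not as "no squats".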




Vulnerabilities and Exploits

Though there were no new exploits discovered in the wild last May, we've seen several pieces of malware creatively use application functionality for malicious purposes.



One example of this is VBS_BADBUN. This malware is capable of infecting multiple operating systems running StarOffice by using its macro functionality (much like MS Office's macros), thereby raising the infection risk for operating systems previously deemed "safe", such as Mac and Linux. This is only the second malware to use StarOffice as a platform, the first being XML_DUSTAR.A, discovered last year.



In what seems to be a highly targeted attack (it is reported that only top-level executives were targeted), TROJ_ARTIEF arrives embedded inside a Word RTF file, a method that improves its social-engineering trick of posing as a valid e-mail from the BBB or the IRS.



*The two examples mentioned above are not vulnerabilities or exploits per se, since they are not the result of bad programming practices. Rather, the methods mentioned above result from insecure software design (or design oversight) that allows such functionality to be used for malicious purposes.
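The TROJ_ARTIEF delivery described above, a Trojan embedded inside an RTF file, is the kind of thing a mail gateway or an incident responder wants to check for without opening the document in Word. The following is an added example, not code from the TrendLabs post or from Trend Micro. It assumes the object is carried in the standard RTF `\objdata` control word as a hex-encoded OLE 1.0 object (the way Word writes embedded objects into RTF; the post does not say which embedding mechanism TROJ_ARTIEF used), decodes it, and reports the object's class name and what its native data starts with. The sample document is constructed for the example.

```python
"""Scan an RTF document for embedded OLE objects and classify their payload.

Added example. Assumption: embedded objects are stored in {\\*\\objdata ...}
groups as hex-encoded OLE 1.0 data, which is how Word emits them into RTF.
"""
import re
import struct

# Constructed sample: a hand-built OLE 1.0 header for an OLE "Package" object
# whose native data begins with the "MZ" PE signature. Not a real sample.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\f0\fs24 Please review the attached complaint.\par"
    r"{\object\objemb\objw1440\objh1440{\*\objclass Package}"
    r"{\*\objdata 01050000 02000000 08000000 5061636b61676500"
    r" 00000000 00000000 04000000 4d5a9000 }}}"
)

# File signatures worth recognising at the start of an object's native data.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document"),
    (b"PK\x03\x04", "ZIP container (e.g. OOXML)"),
    (b"{\\rtf", "nested RTF"),
]


def extract_objdata(rtf: str) -> list:
    """Return the raw text inside every {\\*\\objdata ...} group, brace-balanced."""
    marker = r"\*\objdata"
    groups, pos = [], 0
    while (start := rtf.find(marker, pos)) != -1:
        depth, i = 1, start + len(marker)
        while i < len(rtf) and depth > 0:
            ch = rtf[i]
            if ch == "\\":          # skip escaped char so \{ and \} are not counted
                i += 2
                continue
            depth += (ch == "{") - (ch == "}")
            i += 1
        groups.append(rtf[start + len(marker):i - 1])
        pos = i
    return groups


def decode_objdata(text: str) -> bytes:
    """Hex-decode an \\objdata body, ignoring whitespace and line breaks."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    return bytes.fromhex(hexdigits[: len(hexdigits) // 2 * 2])


def _lp_string(blob: bytes, off: int):
    """Read an OLE 1.0 LengthPrefixedAnsiString; return (text, next offset)."""
    (length,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + length].rstrip(b"\0").decode("latin-1"), off + length


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader and, for embedded objects, the native data."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = _lp_string(blob, off)
    _topic, off = _lp_string(blob, off)
    _item, off = _lp_string(blob, off)
    data = b""
    if format_id == 2:  # FormatID 2 = embedded: NativeDataSize + NativeData follow
        (size,) = struct.unpack_from("<I", blob, off)
        data = blob[off + 4:off + 4 + size]
    return {"version": version, "class_name": class_name, "native_data": data}


def classify_payload(data: bytes) -> str:
    """Name the payload type from its leading bytes, or 'unknown'."""
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")


def scan_rtf(rtf: str) -> list:
    """Report every embedded object: class name, payload size and type, and a verdict.

    The 'suspicious' flag is a heuristic: an executable payload, or an OLE
    Packager object (class "Package"), which can wrap and launch any file.
    """
    report = []
    for body in extract_objdata(rtf):
        try:
            obj = parse_ole1(decode_objdata(body))
        except (struct.error, ValueError):
            report.append({"class_name": None, "size": 0, "kind": "unparseable", "suspicious": True})
            continue
        kind = classify_payload(obj["native_data"])
        report.append({
            "class_name": obj["class_name"],
            "size": len(obj["native_data"]),
            "kind": kind,
            "suspicious": kind == "PE executable" or obj["class_name"] == "Package",
        })
    return report


if __name__ == "__main__":
    for entry in scan_rtf(SAMPLE_RTF):
        print(entry)
```

Run it over a real document by reading the file as text (`open(path, encoding="latin-1").read()`). Objects stored with `\bin` binary runs rather than hex are not handled here, and a clean result only means no OLE 1.0 object was found, not that the file is safe.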
