Wednesday, February 29, 2012

Real-time File Extractor by Solera Networks


Real-Time File Extractor: Real-time Malware Extraction and Analysis by Solera Networks

To counter today's targeted attacks, which use low-profile, multi-vector malware, Solera Networks has announced Real-Time File Extractor as part of its DeepSea platform. The company claims it can identify zero-day exploits.

Some of the advertised features:
- Real-time malware file extraction based on deep packet inspection attributes such as transport protocol, file extension or MIME type
- Policy-based automated analysis of common threat vectors: PE (portable executable) files, PDFs, JavaScript, Java JAR files, Flash and Microsoft OLE documents

The focus is on 'files on the wire'.
http://www.net-security.org/malware_news.php?id=2020
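The two advertised features above amount to identifying files pulled off the wire and applying an analysis policy to them. The following added example (my own illustration, not Solera Networks code) sniffs the actual file type from magic bytes, compares it with what the extension or MIME type on the wire claimed, and routes the threat-vector types named in the announcement to analysis. The sample records are constructed; the signature table covers only the formats the post lists, and the JAR check is a simplification (it inspects the first ZIP entry name only).

```python
import struct

# Magic-byte signatures for the file types the announcement names as common
# threat vectors. JavaScript has no magic and is handled separately below.
SIGNATURES = [
    ("pe",  b"MZ"),                                   # Portable Executable (DOS stub)
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),                           # JAR files are ZIP containers
    ("swf", b"FWS"),                                  # Flash, uncompressed
    ("swf", b"CWS"),                                  # Flash, zlib-compressed
    ("swf", b"ZWS"),                                  # Flash, LZMA-compressed
    ("ole", bytes.fromhex("D0CF11E0A1B11AE1")),       # Microsoft OLE2 (legacy Office)
]

# What the extension or MIME type observed on the wire claims the file to be.
EXTENSION_TYPES = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf", "jar": "jar",
                   "swf": "swf", "doc": "ole", "xls": "ole", "ppt": "ole",
                   "js": "js", "txt": "txt", "jpg": "image", "png": "image"}
MIME_TYPES = {"application/x-msdownload": "pe", "application/pdf": "pdf",
              "application/java-archive": "jar", "application/x-shockwave-flash": "swf",
              "application/msword": "ole", "application/javascript": "js",
              "text/javascript": "js", "text/plain": "txt", "image/jpeg": "image"}

# Types that policy always sends to automated analysis.
ANALYZE_TYPES = {"pe", "pdf", "jar", "swf", "ole"}


def _first_zip_entry_name(data: bytes) -> str:
    """Name of the first entry in a ZIP local file header (name length at offset 26, name at 30)."""
    if len(data) < 30:
        return ""
    name_len = struct.unpack_from("<H", data, 26)[0]
    return data[30:30 + name_len].decode("utf-8", "replace")


def sniff_type(data: bytes) -> str:
    """Identify the file type from its content, ignoring what the wire claimed."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            if name == "zip":
                # Simplification: treat a ZIP whose first entry is under META-INF/ as a JAR.
                return "jar" if _first_zip_entry_name(data).startswith("META-INF/") else "zip"
            return name
    # No magic matched: printable payloads may be script or plain text.
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "unknown"


def claimed_type(filename: str, mime: str) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSION_TYPES.get(ext) or MIME_TYPES.get(mime.lower(), "unknown")


def triage(record: dict) -> dict:
    """Decide whether an extracted file goes to analysis. A mismatch between the
    claimed and the actual type is treated as suspicious in its own right."""
    sniffed = sniff_type(record["data"])
    expected = claimed_type(record["filename"], record["mime"])
    consistent = sniffed == expected or (sniffed == "text" and expected in ("js", "txt"))
    mismatch = expected != "unknown" and not consistent
    analyze = sniffed in ANALYZE_TYPES or (expected == "js" and sniffed == "text") or mismatch
    return {"filename": record["filename"], "sniffed": sniffed, "expected": expected,
            "mismatch": mismatch, "action": "analyze" if analyze else "ignore"}


def triage_all(records) -> list:
    return [triage(r) for r in records]


def _zip_stub(entry_name: bytes) -> bytes:
    """Constructed minimal ZIP local file header with a single empty entry."""
    return (b"PK\x03\x04" + b"\x14\x00" + b"\x00\x00" + b"\x00\x00" + b"\x00" * 4
            + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4
            + struct.pack("<HH", len(entry_name), 0) + entry_name)


# Constructed sample "files on the wire" (protocol, claimed name/MIME, payload).
SAMPLE_FILES = [
    {"protocol": "http", "filename": "invite.pdf", "mime": "application/pdf",
     "data": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript >> >>\n"},
    {"protocol": "http", "filename": "photo.jpg", "mime": "image/jpeg",
     "data": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56},      # executable claiming to be an image
    {"protocol": "smtp", "filename": "card.jar", "mime": "application/java-archive",
     "data": _zip_stub(b"META-INF/MANIFEST.MF")},
    {"protocol": "http", "filename": "notes.txt", "mime": "text/plain",
     "data": b"meeting moved to 3pm\n"},
    {"protocol": "http", "filename": "lib.js", "mime": "application/javascript",
     "data": b"function go(){location='//cards.example/';}\n"},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_FILES):
        print(result)
```

The second sample is the case such a tool exists for: the wire says JPEG, the bytes say PE, and the mismatch alone is enough to route the file to analysis even before any signature matches.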

Solera Networks' alert on attack trends for 2012 is also worth noting:
http://www.net-security.org/secworld.php?id=12213

-Joseph Ponnoly

Thursday, February 9, 2012

Happy Valentine's Day: Beware of eGreeting Cards


Spammers and phishers have a heyday during the Valentine's Day season, as they do during Christmas and New Year.

Panda Security has listed some of the social engineering techniques phishers employ through the medium of greeting cards, along with some of the worms and Trojans spread this way in the recent past. Details are reproduced below from Pandasecurity.com:

Waledac.C: This worm spread by email trying to pass itself off as a greeting card. The email message included a link to download the card. However, if the user clicked the link and accepted the subsequent file download they were actually letting the Waledac.C worm into their computer. Once it infected the computer, the worm used the affected user’s email to send out spam.

I Love.exe you: This was a RAT (Remote Access Trojan) that gave attackers access to the victim’s computer and all their personal information. The Trojan allowed the virus creator to access target computers remotely, steal passwords and manage files.

Nuwar.OL: This worm spread in email messages with subjects like “I love You So Much”, “Inside My Heart” or “You in My Dreams”. The text of the email included a link to a website that downloaded the malicious code. The page was very simple and looked like a romantic greeting card with a large pink heart. Once it infected a computer, the worm sent out a large amount of emails, creating a heavy load on networks and slowing down computers.
Image available at: http://prensa.pandasecurity.com/wp-content/uploads/2012/02/NuwarOL.jpg

Valentin.E: This worm spread by email in messages with subjects like “Searching for True Love” or “True Love” and an attached file called “friends4u”. If the targeted user opened the file, a copy of the worm was downloaded. Then, the worm sent out emails with copies of itself from the infected computer to spread and infect more users.
Image available at: http://prensa.pandasecurity.com/wp-content/uploads/2012/02/Valentin.E.jpg

Storm Worm: This worm spread via email by employing a number of lures, one of them exploiting Valentine’s Day. If the targeted user clicked the link in the email, a Web page was displayed while the worm was downloaded in the background.
(Image caption: Web page displayed by Storm Worm.)

For Panda Security's anti-malware technologies:
http://press.pandasecurity.com/panda-technologies/

Saturday, February 4, 2012

DMARC standard to fight domain spoofing in phishing mails

Recognizing the rising threat of phishing mails, the major email providers and Facebook, as well as PayPal and Bank of America and others, are teaming up to fight phishing:
http://searchenginewatch.com/article/2143128/Google-Microsoft-Facebook-Teaming-Up-to-Fight-Phishing

They are focusing on implementing the DMARC Internet standard (Domain-based Message Authentication, Reporting and Conformance):
http://nakedsecurity.sophos.com/2012/02/02/dmarc-microsoft-facebook-google-unite-to-fight-phishing/

As a first step, this requires implementing the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) standards. The question is: will this put a brake on domain spoofing?
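To make concrete how DMARC sits on top of SPF and DKIM, here is an added example of my own (not code from any of the sites linked above). It parses a domain's DMARC TXT record, checks whether the SPF and DKIM results on a message align with the visible From: domain under the record's strict or relaxed alignment modes, and returns the disposition the receiver should apply. The messages, domains and record are constructed; the organizational-domain function is a simplification (real implementations use the Public Suffix List), and subdomain policy (sp=) and sampling (pct=) are not modelled.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; aspf=s'."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match with the From:
    domain, relaxed ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(msg: dict, record_txt: str):
    """Return (passed, disposition) for one message.

    msg keys: from_domain (the RFC5322.From domain the user sees), spf_result and
    spf_domain (the MAIL FROM domain SPF was checked against), dkim_result and
    dkim_domain (the d= tag of the verified signature, or None).
    """
    policy = parse_dmarc_record(record_txt)
    spf_ok = msg["spf_result"] == "pass" and aligned(
        msg["from_domain"], msg.get("spf_domain"), policy.get("aspf", "r"))
    dkim_ok = msg["dkim_result"] == "pass" and aligned(
        msg["from_domain"], msg.get("dkim_domain"), policy.get("adkim", "r"))
    # DMARC passes if either authenticated identifier aligns; otherwise the
    # published policy decides what the receiver does with the message.
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy["p"]


# Constructed record and messages for a hypothetical domain bank.example.
BANK_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@bank.example"

SAMPLE_MESSAGES = {
    # Sent by the bank's own servers: SPF and DKIM both pass and align.
    "legitimate": {"from_domain": "bank.example", "spf_result": "pass",
                   "spf_domain": "bank.example", "dkim_result": "pass",
                   "dkim_domain": "bank.example"},
    # From: header spoofed as the bank but relayed by an unrelated server. SPF and
    # DKIM "pass" for that server's own domain, yet neither aligns with bank.example.
    "spoofed": {"from_domain": "bank.example", "spf_result": "pass",
                "spf_domain": "mailer.example", "dkim_result": "pass",
                "dkim_domain": "mailer.example"},
    # Bank bulk mail sent from a subdomain with no DKIM signature; relaxed SPF
    # alignment (aspf=r) still lets it pass.
    "subdomain": {"from_domain": "bank.example", "spf_result": "pass",
                  "spf_domain": "mail.bank.example", "dkim_result": "none",
                  "dkim_domain": None},
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, evaluate_dmarc(msg, BANK_RECORD))
```

The answer to the post's question falls out of the second sample: a message that merely claims to come from bank.example is rejected, but only because bank.example publishes a policy. DMARC says nothing about mail from a lookalike domain the phisher registers himself, which is the gap receivers still have to cover with other controls.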

Friday, February 3, 2012

Spear Phishing Attack Plants Trojans

Source: SANS NewsBites Vol. 14 Num. 010

The SANS report is copied below:
"--Spear Phishing Attack Plants Trojan on Targeted Computers (February 1, 2012) A recently detected, sophisticated spear phishing attack disguises itself as conference invitations. The attack exploits unpatched flaws in Adobe Reader to place Trojans on vulnerable computers. The malware, once on the computer, manages to disguise itself as a Windows Update utility. The attack has been named MSUpdate Trojan. Researchers have evidence of similar attacks from what appears to be the same group of attackers, dating back to 2009. The Trojan steals information and sends it back to the command and control server, but the traffic is disguised as Windows Update traffic."

Tuesday, January 31, 2012

Trend Micro Crimeware Report 2Q 2011


Here is the Trend Micro Crimeware Report for 2Q 2011:
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_2q2011-crimeware.pdf

Major highlights:

*Crimeware toolkits Zeus and SpyEye continued to evolve. The Zeus-SpyEye merger has resulted in new and improved ZBOT variants.
*Banking Trojans are on the rise, with MAL_BANKER topping the list, followed by BKDR_QAKBOT.SMG and BKDR_PAPRAS.SME.QAKBOT.
*Stolen user information and banking credentials were hot commodities in the cyber underground.
*CARBERP variants, which targeted government offices, schools, universities and financial institutions, hook network APIs in WININET.DLL, enabling them to monitor users' browsing activity, download configuration files and receive malicious commands from remote servers.
*SpyEye 1.3.4.x enhancements include a MySQL database that stores the files uploaded by users as blobs (binary large objects).

In April 2011, the CoreFlood botnet was taken down by the FBI with help from security researchers.

-jp