Tag Archives: Gimmiv.A

19 Dec, 2008

Cybercriminals finding new ways to spread malware on corporate networks

For most malware authors, deriving profit from cybercrime is a simple numbers game. The more machines infected with malware that join a botnet, steal data via keyloggers or send spam, the more profitable the operation.

As a result, malware authors are always looking for new vectors for infecting victims. Although today’s vector of choice remains web browser exploits via compromised sites, this is self-limiting in the sense that the pool of people willing or able to visit a compromised site is somewhat small. When you consider that many malware-infected machines sit on a network with other machines close by, compromising the local network is another way to quickly spread the infection. This behavior isn’t new – it goes back to the Morris Worm in 1988 and continued with Code Red and others in more recent times. New malware seen in 2008, such as Conficker, Gimmiv and Agent.BTZ, looks for local hosts or network shares that can be compromised.

One of the original drivers behind network access control was the need to stop the spread of this type of network-aware worm. The recent malware Trojan.Flush.M is an example that expands upon the network-based attacks seen with a trojan like Conficker or Gimmiv to potentially compromise an entire network. Trojan.Flush.M does this by using a rogue DHCP server as a mechanism to change local domain name settings, a new spin on what is traditionally known as a pharming attack.

Read the full article…

9 Dec, 2008

Are we losing the war against malware?

2008 has been a malware roller coaster ride, and as the end of the year approaches, the bad guys appear to be picking up speed. Microsoft released six critical patches this morning, fixing remote code execution flaws in Windows, Word, Excel, Internet Explorer and Visual Basic. No news yet of exploits in the wild, but they usually aren’t far behind.

These latest fixes come on the heels of a New York Times article which claims that malicious software is spreading faster than ever and that the industry cannot get ahead of the onslaught; many folks are saying we are losing the war.

Read the full article…

4 Dec, 2008

Conficker spreads to 500,000 host botnet – users still unpatched

As a follow-up to my post on the Conficker worm in the wild, Trend Micro reported on Sunday that they have now seen over 500,000 infected hosts with this malware (which Trend calls WORM_DOWNAD.A and which is also known as Net-Worm.Win32.Kido.l). That’s a pretty incredible growth trajectory for the Windows RPC exploit, which only became widely known on October 23rd. At this rate we could be seeing the birth of a rival to established botnets like Storm.

Read the full article…

26 Nov, 2008

Conficker Worm Cashes in on MS08-067 on Corporate Networks

Interesting post this morning from Dancho Danchev over on the ZDNet Zero Day blog. As I posted last month, in late October, Microsoft rushed out a security patch to fix MS08-067, which revealed a previously unknown way to inject code into remote Windows systems due to a flaw in the RPC server. Within hours of the Microsoft bulletin, news of a trojan called Gimmiv.A exploiting this flaw in the wild arrived, and I predicted at the time that more would be on the way. Now the pace has picked up dramatically with a new Conficker worm using this exploit to infect other machines across the network, as well as a bot called Backdoor:Win32/IRCbot.BH.

From Microsoft’s Security Response Center:
Read the full article…

24 Oct, 2008

Cybercriminals exploiting new Windows flaw. Are you protected?

As Jeff and I were talking about the evolution of security beyond the firewall in our webinar yesterday, along came an out-of-cycle critical patch from Microsoft that proved our point nicely. Security bulletin MS08-067 reveals a previously unknown way to inject code into remote Windows systems due to a flaw in the RPC server. Within hours of the Microsoft bulletin, news of a trojan exploiting this flaw in the wild arrived.

This ranks as one of the most serious Windows flaws disclosed recently and affects almost every flavor of Windows. The Microsoft patch is rated critical for eleven variations of Windows XP, Windows 2000 and 2003. For Vista and Windows Server 2008, it was considered only ‘important’ due to the improved ability of those operating systems to defeat remote code execution attacks. What makes this particular issue even more insidious is that the RPC server can be exposed to attack when a desktop firewall is running, simply by turning on file or printer sharing.

A network vulnerability like this lends itself to worms like Zotob, which wreaked havoc a few years ago and took down several networks. I speculated this morning that exploits would be stealthier this time around and aimed at monetizing security breaches. Sure enough, the Gimmiv.A trojan reported yesterday is a network-aware trojan that attempts to exploit this flaw against PCs on the local network. If it succeeds, it quietly steals passwords from the Windows and Outlook password cache and posts them to a Web site.

Traveling back to Seattle yesterday, I used the free Wi-Fi at San Jose airport. This morning when I came into the office, my laptop hadn’t received the Windows update and the Napera N24 immediately notified me. I was given a one hour deadline in which to install, which I promptly did.

That led me to wonder what the situation would be like if our network were unprotected. If I had neglected to install this Windows update and gone traveling again tomorrow, it is likely my laptop would be exposed to this trojan. If I were running XP and had file or printer sharing enabled, the laptop would likely be compromised. On an unprotected network, I could have easily waltzed past the corporate firewall, plugged in my compromised laptop and started infecting other PCs.

Microsoft’s quick response is admirable, but the question IT managers need to ask themselves today is simple: how confident are you that users walking into your office today have installed this patch before they connect? Plenty of industry studies show that at least half of corporate PCs won’t update in a timely fashion. Given that at least one exploit is already in the wild, and more are undoubtedly on the way, that’s a universe of opportunity for the bad guys in the coming weeks.
