Simply Security - News, Views, and Opinions from Trend Micro

Best Practices Can Prevent Manifold Malware Infection

Posted on March 7th, 2011 in Current News, Cybercrime by TrendLabs

Very recently, one of our colleagues, Menard Oseña, who attended the RSA Conference, discussed the importance of organizations having a strong security mindset when dealing with social media and company information. In his report, he highlighted that organizations should always make sure they are protecting themselves from both internal and external threats through proper user awareness, security policies, and security technologies.

I want to stress the latter point further and show how it applies not only to social media but to every company’s entire computing infrastructure.

WORM_FLASHY.VRX: Three-in-one Malware

Recently we’ve been encountering a rather interesting kind of infection in certain networks: one in which multiple malware families combine and “accidentally” produce one nasty piece of malicious code.

In one instance, we found a worm and two file infectors, WORM_FLASHY.AA, PE_CHIR.B, and PE_VIRUX.AA, all affecting a single network and combining their routines, which resulted in heightened propagation and further disruption of the network’s usability. The following sequence describes how this infection came to be:

  1. WORM_FLASHY.AA infects the system, dropping copies of itself in the System folder, shared drives, and removable drives.
  2. PE_CHIR.B infects the system and checks the WORM_FLASHY.AA executable for its infection marker. If the marker is not found, PE_CHIR.B infects WORM_FLASHY.AA and leaves its marker.
  3. PE_VIRUX.AA infects the system and likewise checks the already-infected WORM_FLASHY.AA for its own infection marker. If the marker is not found, it too infects WORM_FLASHY.AA.
  4. When WORM_FLASHY.AA re-executes, what it propagates is no longer the original copy of itself but an infected version containing the routines of both PE_CHIR.B and PE_VIRUX.AA. This version is detected as WORM_FLASHY.VRX.

One of the key qualities of this attack is a method used by WORM_FLASHY.AA. The worm does not simply drop a pre-defined copy of itself; instead, it reads the current state of its own code and drops an exact copy of that. Thus, after WORM_FLASHY.AA has been infected by both PE_CHIR.B and PE_VIRUX.AA, what is propagated to other systems is WORM_FLASHY.VRX, the merged version of the three malware.
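To make the four-step sequence and the copy-current-image behaviour concrete, here is an added toy simulation. It is not Trend Micro’s code and contains nothing from the real samples: the byte strings, the marker values, the file paths and the host names are all constructed. What it models is only the mechanism described above, two file infectors that each check for their own marker before modifying a file, and a worm that drops whatever its own file currently contains rather than a pristine copy. It also shows the consequence a defender cares about: the dropped copy no longer hashes to the original worm, so a block list built only from the original sample’s hash will not match WORM_FLASHY.VRX, whereas a worm that dropped a pre-defined copy would keep producing the same hash.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy stand-ins for the executables involved; none of these bytes
# come from the real samples. The markers model the "infection marker" the post
# says PE_CHIR.B and PE_VIRUX.AA each look for before infecting a file.
WORM_ORIGINAL = b"FLASHY.AA-original-worm-image"
CHIR_MARKER = b"<CHIR.B>"
VIRUX_MARKER = b"<VIRUX.AA>"
WORM_PATH = "C:/Windows/System32/flashy.exe"   # constructed path on host A
DROPPED_PATH = "E:/flashy.exe"                 # constructed removable-drive path on host B


@dataclass
class Host:
    """A host is just a name and a path -> file-bytes map."""
    name: str
    files: dict


def make_infector(marker: bytes):
    """Model a file infector: append `marker` unless it is already present.
    Returns True if the file was modified, False if the marker was already there."""
    def infect(host: Host, path: str) -> bool:
        data = host.files[path]
        if marker in data:           # infection marker found: leave the file alone
            return False
        host.files[path] = data + marker
        return True
    return infect


def worm_propagate(src: Host, dst: Host, copy_current_image: bool) -> None:
    """Model WORM_FLASHY.AA dropping itself on another host.

    copy_current_image=True  -> drop whatever its own file currently contains
                                (the behaviour the post describes)
    copy_current_image=False -> drop a pre-defined pristine copy (the behaviour
                                the post contrasts it with)
    """
    payload = src.files[WORM_PATH] if copy_current_image else WORM_ORIGINAL
    dst.files[DROPPED_PATH] = payload


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Toy detection: name the sample from which routines it carries."""
    has_chir, has_virux = CHIR_MARKER in data, VIRUX_MARKER in data
    if has_chir and has_virux:
        return "WORM_FLASHY.VRX"
    if has_chir or has_virux:
        return "WORM_FLASHY.AA (partially infected)"
    return "WORM_FLASHY.AA"


def simulate(copy_current_image: bool) -> dict:
    """Run the four-step sequence from the post and report what reaches host B."""
    host_a = Host("A", {WORM_PATH: WORM_ORIGINAL})        # step 1: worm present on A
    infect_chir = make_infector(CHIR_MARKER)
    infect_virux = make_infector(VIRUX_MARKER)
    chir_first = infect_chir(host_a, WORM_PATH)           # step 2: CHIR infects the worm
    chir_again = infect_chir(host_a, WORM_PATH)           # marker check prevents re-infection
    virux_first = infect_virux(host_a, WORM_PATH)         # step 3: VIRUX infects it too
    host_b = Host("B", {})
    worm_propagate(host_a, host_b, copy_current_image)    # step 4: worm re-executes and drops
    dropped = host_b.files[DROPPED_PATH]
    return {
        "chir_infected": chir_first and not chir_again,
        "virux_infected": virux_first,
        "dropped_name": classify(dropped),
        "dropped_hash": sha256(dropped),
        "original_hash": sha256(WORM_ORIGINAL),
    }


def hash_blocklist_catches_dropped(copy_current_image: bool) -> bool:
    """Would a block list holding only the original worm's hash match the dropped file?"""
    result = simulate(copy_current_image)
    blocklist = {result["original_hash"]}
    return result["dropped_hash"] in blocklist


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(mode)
        print(f"copy_current_image={mode}: host B receives {r['dropped_name']}, "
              f"hash block list hit: {hash_blocklist_catches_dropped(mode)}")
```

Running it prints one line per mode: with a pre-defined copy, host B receives plain WORM_FLASHY.AA and the hash block list matches; with the copy-current-image behaviour, host B receives WORM_FLASHY.VRX and the block list misses it. The practical lesson matches the post’s advice: file-hash lists alone are brittle against this kind of merging, and real-time scanning that recognises each component’s routines, together with the network-level controls listed below, is what actually breaks the chain.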

WORM_FLASHY.VRX delivers a whole lot of malicious routines, as it combines the propagation routines, infection routines, and other malicious payloads of all three:

(Figure: malware routines combined in WORM_FLASHY.VRX)

Prevention is Always Better Than Cure

As complicated as the attack itself is, it could easily have been prevented by following certain security practices in a network setting:

  • Configure work machines to disable autoplay
  • Set users’ permissions for shared drives and shared folders to “read only”
  • Keep machines updated with all available security patches
  • Block executable email attachments
  • Monitor the network for any suspicious connections or activity
  • Make sure security software is installed on all machines and that real-time scan features are enabled

As Menard said, oftentimes the lack of effort to secure company-related networks, social and/or system, makes it easier for cybercriminals to conduct their malicious attacks.

In this case, implementing protection both technology- and policy-wise could have stopped the merging of existing threats in the network and prevented the development of a much bigger threat. Organizations should fully realize that even as security technologies such as the Trend Micro™ Smart Protection Network™ already aim to provide protection for users, proper user education and security policies are just as important.

Post from: TrendLabs | Malware Blog – by Trend Micro
