Gladiator Research and Security

GSA Reference Number: AD100429-01

Simply Put: A new attack has been detected that attempts to spread data-stealing malicious code via an email with the subject “setting for your mailbox are changed.”  Users should not open this email or the attachment. The email includes an infected PDF attachment called “doc.pdf,” which, when opened, runs a set of scripts and executables on the recipient’s computer that infect or spoof various Windows programs and services.  The methods used do not require JavaScript in order to execute.  Once infected, the machine will then periodically contact malicious Web locations to download and update itself with any of the latest malicious and data-stealing viruses.

Now that the Internet has been around for some time, users are starting to become more adept at protecting themselves from Web-based threats.  Users have learned that certain parts of the Web or Web pages, like advertisements, can pose a security threat and, therefore, will avoid clicking on them.  Unfortunately, the malware writers have also noticed the trend and continue to come up with new ways of distributing their malicious applications.  The most popular method used for the past year is called Drive-by Downloads.  The term Drive-by Download means users become infected simply by surfing an exploited Web page and are completely unaware of the malicious file download occurring in the background.  Web browser exploits (such as IE, Firefox, Safari, etc.) and other third party application exploits (such as Adobe Reader, Microsoft Excel, etc.) can potentially allow remote code execution, which can lead to a malicious file download which is completely invisible to the user.  Fake pop-ups that look legitimate, often cleverly masqueraded as anti-virus solutions, are also a popular method of tricking a user into either clicking on the pop-up to close it or following the instructions on the pop-up, both of which result in malicious file downloads.

Happy Holidays!  This is just a reminder that the Holidays are always a very active time for the “bad guys.”  Malware writers and phishers prey on our cheery attitudes and overactive messaging habits to slip in malicious emails.  There are a few popular attacks that pop up like clockwork around the holidays each year, and so you should make your users aware of these attacks.

We’ve all noticed the trends lately which suggest that new malware is being written at an ever-increasing pace.  It seems like each day a new threat is discovered by security professionals.  However, anti-malware products seem unable to keep up with the pace set by the malware programmers.  So, what can be done to combat this discrepancy?  Have you heard of software “sandboxes”?  Read on and we’ll discuss some options available to help you fight in the war against malware.

Part 1 – Recognizing an Infection
Part 2 – Incident Response Plans and Procedures

Introduction

We’ve all been faced with the following situation at one time or another.  Imagine you’ve just walked in the door of your office, and one of your coworkers comes up to you complaining that his computer is running slowly.  You tell him that is normal in the morning, but then he says his web browser keeps popping up new windows and then crashing.  Of course, he forgets to mention that he was on a flash game website when it all started, until you get to his desk and discover this for yourself.  So, now what do you do?  You suspect this machine has a virus or some other type of malware, but you aren’t sure.  The computer has fully-updated virus definitions and a full system scan didn’t find any malware.  But is the machine safe?

In Part 1 of Malware Basics, we’re going to review some signs that a machine may have malware.  Then we will go over some useful tools for identifying suspicious files even if your antivirus suite does not detect anything.  Finally, we’ll talk about how to identify what type of malware you found.  Part 2 of this series will deal with Malware Incident Response.

CheckFree’s online bill payment service suffered a DNS Hijacking Tuesday morning, December 2nd.  This incident would have affected the bill-pay portion of any Internet banking application using CheckFree. Furthermore, users trying to visit CheckFree’s websites were redirected to a Ukranian IP address.  This IP was serving up malware to anyone visiting the website.  The exact nature of the malware is not known at this time, but could include Trojans, key loggers, bots or other drive-by downloads.  The exact domain names being redirected are also not known, but could include mycheckfree.com, checkfreecorp.com and ebillplace.com.

Happy Halloween, everybody!  This is a great holiday that brings out the kid in all of us.  Unfortunately, it also brings out the email forwards with games that could be more “trick” than “treat.”  Malware authors are quick to take advantage of any holiday to send us fun, new ways to spend our free time.  In this case, our free time may be spent cleaning up some new spyware or trojans.  CRN has a nice piece on Halloween malware from the past few years.  I suggest you check it out and let your employees know to beware of email forwards with Halloween subjects.

Related Links:

• CRN: 9 Scary Halloween Tricks (http://www.crn.com/security/211800350)