Re: First WMF mass mailer ItW (phishing Trojan) - think singularities

[Lance James <bugtraq () securescience net>]

I don't disagree with you one bit - I was simply making a similar point,
they are fly below the radar, with that intent.

But there are ways to make pre-emptive signatures based on tracking
certain phishing/spam/porn rings and noting their serial pattern. This
is how you detect "below the radar" attacks. This isn't for prevention,
but detection only. I don't agree with signatures as a reactive response
to most problems, rather I believe in problem response as a whole.

These class of attacks have been definitely observed since the
Korgo/Padonock days and have been going nice and steady for these rings
quite frequently. The time to discovery by AV vendors that we have
observed has been from 2 weeks, all the way to 9 months. Low
distribution, low detection and it allows for rapid deployment. And
slight modifications in variants at such rapid deployment tends to cause
problems for AV vendors in general.


I think to sum it up, we're on the same page - the snort sigs that were
avail were designed to look at trojans such as these in a general
problem response by examing the way they are packed, rather than just
the specific malware.

-Lance James


Ken Kousky wrote:
> Are we missing the point. Hope this isn't too long but here goes .....
>
> Worms and viruses spread and get found out but there's a large class of
> Trojan who don't want to be found out. 
>
> The propagation vector matters a lot if we can use it as a means of finding
> malware and capturing signatures. Worms, Spam and viruses that have broad
> propagation scheme get found out pretty fast - that's the good part of their
> efforts to spread but not all malware wants to spread so recklessly. 
>
> Sometimes it's more important to remain undiscovered which is more likely
> the case in the world of Trojans.
>
> Last year IP3 focused a great deal of analysis on what we called
> Singularities - non-signatured exploits due to their low volume presence.
> This goes way beyond day zero since some reported Trojans hit day 1,000
> without being discovered!
>
>  Spam, defacement or propagation proof-of-concept worms all have been
> reasonably controlled because of their expansive propagation which leads to
> their discovery.
>
> Most economic exploits including ddos zombie nets or identity theft
> campaigns could easily continue to use these same kind of exploits, like WMF
> and are not likely to show up unless they're reckless in distributing
> phishing emails or eventually launching a worm that propagates into a
> discovery zone.
>
> The same root problems that gave rise to WMF will persist in many
> server-side applications for years to come.
>
> The point is that we may spend way to much time looking at the mass mailer
> variants and not enough time looking at the targeted and purposeful
> exploits.
>
> Remember, these exposures existed across our Microsoft platforms for over a
> decade. The exposure didn't begin with it's public disclosure or patch
> release. 
>
> Because gaming and pornography continue to be major revenue streams for
> online providers and because they get very little protection through law
> enforcement, even when legal enterprises, we've allowed a very lucrative
> extortion industry to thrive with individuals well paid to find these
> vulnerabilities. It's hard to believe the potential disparity in good-guy vs
> bad-guy spending on exploring for openings. 
>
> We've cataloged hundreds of buffer overflow patches over the last year alone
> that prove that virtually all enterprises have been widely exposed and have
> little or no way of knowing if anything other than a widely propagating (and
> therefore signatured) exploit has occurred.
>
> Signatures filters do not fix the WMF exposure but they've done a great job
> stopping most of the propagations but it's not the whole story.
>
> -----Original Message-----
> From: Lance James [mailto:bugtraq () securescience net] 
> Sent: Friday, February 17, 2006 2:03 PM
> To: bugtraq () securityfocus com
> Cc: full-disclosure () lists grok org uk
> Subject: Re: First WMF mass mailer ItW (phishing Trojan)
>
> Gadi Evron wrote:
>   
> > The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in
> > Australia.
> >   
> >     
> Respectfully speaking:
>
> There are a few corrections to this that need to be expressed.
>
> The language you're using describing it as a mass-mailing worm is coming
> off confusing to some. The WMF exploit is actually seeded on a website,
> and the mass-mailing is used to get people to go to that site. Stating
> that it's a worm is similar to saying that phishing emails and spam are
> worms. I have seen some actual phishing worms, and this is definitely
> not it.
>
> A correction also needs to be made on this comment
>
> "Abusing websites is mostly how WMF is
> exploited, but no much in the way of emails before today."
>
>
> This is grossly incorrect - here are the dates we started seeing this
> activity:
>
> January 3rd -  WMF exploit distributing identified phishing trojan
> January 9/10th -  WMF exploit distributing identified phishing trojan
> Jan 18th/19th - WMF exploit distributing identified phishing trojan
> Jan 22nd-25th - WMF exploit distributing identified phishing trojan
> Jan 24th - WMF exploit distributing identified phishing trojan
>
>
> I can go into February but we get the point.
>
> This same phishing group works in regions, so it's not surprising that
> they are now targeting Australia. They are also targeting Europe as well
> in February.
>
> Summary:
> WMF Mass-Mailing phishing has not been uncommon, just in small
> distributions, so it may have not been seen on the radar. Since the
> public discovery of the WMF exploit, there have been a few mass-mailings
> taking users to a site that distributed WMF exploits to date.
>
>
>