Archive for June, 2006

First malware for StarOffice

We have seen the first attempt to create a macro virus affecting StarOffice. The code does not contain any damaging payload. It only tries to open an image hosted on the Internet. The image is currently unreachable.
VirusScan currently detects this threat as StartOffice/StarDust.intd. The intd suffix means we are quite convinced that the author intended to create a virus, but failed.

Macro viruses were in the news from 1995 to 2001. They generally affected the Microsoft Office environment. Macro viruses have fallen out of favor and have been insignificant over the past 5 years.

The code is signed with a pseudonym. In 2001, a person using the same pseudonym indicated online that he lived in Germany.

More information can be found on
http://vil.nai.com/vil/content/v_139638.htm

666 = 0

Looks like the days of Virus-Writing-For-Glory may truly be past.

6/6/06 came and went without anything of note in the malware world; it was all business as usual. There were no prognostications of doom in the preceding days about a potential onslaught of 666-themed viruses, and in the end nothing happened that was worth worrying about. (At least not any more than usual!)
It seems there's no financial motivation in making a big deal of dates that can't be used for phishing or to sell products through spam.

Can I trust myself?

Another year, and another journalist proposes that the security industry discusses threats purely to sell products (http://www.newsforge.com/article.pl?sid=06/06/06/1832223). This is usually followed closely by the conspiracy theory that we actually write the viruses that we protect against. I find it interesting that this argument has cropped up every few years since the nineties.

I often wonder why this argument is so frequently recurring and apparently popular. I suppose, on the one hand, that it fits so neatly into our collective understanding about how free market capitalism works: if you can artificially create demand, you can increase your sales. But why does this same argument not crop up more often for others in security or service fields, like firemen, policemen, doctors, nurses, people who make home security alarms, airbag manufacturers, etc.?

Particularly when there are (very rare) documented cases of people in some of these fields actually harming the people they are meant to help? It seems to me that in all of these cases we have:

  • good, independent statistics from organizations designed to track those phenomena, so we know what the actual risk is (or it’s at least harder to lie and get away with it).
  • they usually catch the bad guy, so everyone knows that the frequency with which someone is playing a scam is very low or non-existent.

But in our world, antivirus companies are the only ones who have good first-hand data about the prevalence of threats, and the attackers are almost always anonymous. How then, could we prove that these accusations aren’t true?

Unfortunately, we probably cannot. There are barely any national law enforcement or governmental agencies, never mind global organizations, capable of tracking the problem on the massive scale at which it actually occurs. We routinely see millions of attacks on hundreds of thousands of computers occur on a 24-hour basis, and this represents only the fraction of our customer base that has opted in to anonymous reporting. And McAfee represents only a portion of the AV market share. And computers with antivirus protection represent only a portion of all computers.

The internet is a remarkable tool for anonymity, even if it weren’t true that in some parts of the globe, there is no authority who will even try to help you track down a virus writer. Add privacy-minded tools like Tor to the mix, and the task quickly becomes mind-boggling.

So here’s some truth, from someone in the trenches: You don’t NEED an antivirus product. As long as:

  • you use a good NAT hardware firewall/router
  • you practice good, safe surfing habits all the time
  • everyone else who uses your computer does the same, and has limited privileges
  • you keep the operating system and applications patched on a daily basis
  • you have complete control over who can exist on or connect to your computer or network (especially with wireless networks and Bluetooth)
  • you keep current with existing malware trends
  • you can recognize and recover from a 0-day attack that does get through
  • you have no data worth anything on your computer

Most people either can’t, or don’t want to, expend this kind of effort or maintain this kind of draconian control over their computers. Frankly, most of us wouldn’t use computers or the internet nearly as much if they weren’t as open and flexible as they are. So the value of data and processing power in computers is so massive and growing so fast that there will always be LOTS of people trying to steal or exploit it. Imagine trying to protect a transparent bank from invisible attackers who could see every camera and security mechanism in the building. You would block many attacks, but sooner or later somebody will get through. Which means we’ll have a job for a long time.

So why do we talk about threats to Linux, or Mac, or Windows, or any other platform? Mostly to educate consumers and enterprises about the possible threats, so that people apply an appropriate amount of effort to preventing those threats. Naturally, we have to walk a fine line between creating a false sense of security, and crying wolf too often. The former means people will leave themselves exposed; the latter, that they will ignore real threats that will harm them.

In my position, we are frequently asked to be psychic about impending threats. If we do not start preparing solutions a year or more before the threat appears, we may be unable to protect our customers down the line. If we move too soon, we might expend a lot of effort writing code that isn’t needed. Sometimes we talk about those threats when we think they have relevance for our customers. Recently we’ve taken a lot of flak for bringing up Mac OS X viruses, largely from Mac zealots, just as Kaspersky takes flak in the article above (from a Linux site) for talking about Linux threats.

Are we right or wrong about our predictions? It’s too soon to tell. I do believe that if these platforms make serious inroads into Windows market share, their value will go up, and the attackers will follow. But whether that happens depends on far more factors than any threat report by any security vendor. What I am sure of is that the capacity for malware to be effective on these platforms is ample, and that pretending this is not the case increases the risk for those doing the pretending.

Here’s an earlier example. In June of 2002, we did a press release about a (poorly-written) proof-of-concept threat that was appended to JPEG files called W32/Perrun. Despite the fact that “pure” data files like images (as opposed to files containing macros or scripts like Word docs or HTML) were commonly thought of as immune to infection, or uninteresting as a vector of malware, we took a lambasting in the press (see http://www.infoworld.com/articles/hn/xml/02/06/21/020621hnjpegvirus.html).

Fast-forward to today. There are threats for WMF, MP3, JPG, BMP, ANI, SWF, PNG and a variety of other data file formats. In fact, the most common dropper for malware today is Exploit-WMF (see http://us.mcafee.com/virusInfo/default.asp?id=regional&continent_k=0&track_by=2&period_id=3). So before you blast us for this year’s predictions, wait a few years. Whether you believe our information or not, we’re working on solutions so that you can be protected when the threat materializes.

Likewise, many of us in the AV space weren’t out there earlier this year making a lot of fuss about W32/MyWife.d (or the Kama Sutra or Blackmal worm, as it was commonly known). We knew that the prevalence was grossly over-estimated and that world meltdown was not going to occur on February 3rd. And it didn’t.

In my position, I have the privilege of working with over a hundred of the most hard-working and well-respected experts in the security field. And right now (Thursday evening US time) many of them are in the 50th or 60th hour of their work week. They are not having dinner with their families or playing with their kids. They will be working this weekend while you go to the beach. They (and their spouses) will be woken up in the middle of the night sometime soon to respond to a threat.

I’m not naive enough to think that everyone does this job out of a sense of altruism. Certainly, many researchers get a charge from the technical challenge. Some may even be completely mercenary about it, though I have yet to meet one, at McAfee, or any other antivirus vendor. If they exist, they are not too bright, because most of us could be making as much or more working fewer hours writing code for other kinds of applications. The fact is, most of us do it because we feel good about helping people. And you can’t get that from the company balance sheet.

Joe Telafici

Director of Operations, McAfee Avert Labs

The price of freedom is eternal vigilance
- Thomas Jefferson

Data protection is cheaper than a data breach

In May 2006, millions of U.S. military veterans were worried about risks for identity theft after their electronic records were stolen from the home of an agency employee. Data was saved on a laptop and the laptop was stolen. It contained names, Social Security numbers and birthdays of some 26.8 million veterans.

Speaking about this incident, the Gartner analyst Avivah Litan explained in a research note that data protection is cheaper than a data breach.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Ms. Litan said. "This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."

Ransomware: Show me the money!

"Name and Fame" were once the driving factor for writing viruses, but that's not what malware authors of today are driven by.

Money talks, and today's generation of malware authors are finding newer ways to indulge in cyber crime. From selling time on botnets, to spam and phishing, to extortion via DDoS attacks, cyber criminals are now targeting home consumers via the re-emergence of a threat called "Ransomware".

Ransomware dates back to 1989, when the "PC CYBORG / AIDS Information Trojan", purporting to provide information about the AIDS virus, became the first malware to be classified as ransomware.

This type of malware encrypts important files on the victim's computer, holding them for ransom until the victim agrees to the attacker's demands. A typical ransom demand could be anything from transferring money online to an attacker's account to purchasing pharmaceutical drugs from an affiliate website.

After a lull, the past couple of months have seen a rash of ransomware variants, including GPCoder, CryZip and MayArchive, that attempt to extort money from their victims by encrypting their document files.

Users typically get infected when visiting pornographic, questionable or unsafe sites, but in a recent incident a specially crafted Microsoft Word document was mass-spammed that then attempted to download and install ransomware. With cyber criminals improving their distribution techniques with every new variant, it is more important than ever that users not trust seemingly familiar or safe files, particularly when received via P2P clients, IRC, email or other media.

We strongly recommend that users who have fallen victim to ransomware not give in to the demands of the malware authors as this will further fuel the money trail.
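The variants above share one observable behaviour: many documents in a folder are rewritten in a single pass so that their recognisable headers vanish and their content becomes near-random, often under a new extension. The following detector, an added example written for this post (it is not the detection logic of VirusScan or of any other product), compares a baseline snapshot of a document tree with a later one and flags that pattern. The snapshots, the expected-magic table and the thresholds are all constructed assumptions; the two dicts stand in for two directory walks so the script runs offline.

```python
"""Heuristic detector for bulk file encryption (constructed example)."""
import math
import random
from collections import Counter

# Magic bytes a document with this extension is expected to start with
# (short constructed selection: OLE2 compound document, PDF, JPEG).
EXPECTED_MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data):
    """Bits per byte: ~4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def file_looks_encrypted(path, data, threshold=7.5):
    """True when the header no longer matches the extension AND the body is near-random."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    magic = EXPECTED_MAGIC.get(ext)
    header_ok = magic is not None and data.startswith(magic)
    return (not header_ok) and shannon_entropy(data) > threshold

def detect_mass_encryption(before, after, ratio=0.5, min_files=5):
    """Compare two {path: bytes} snapshots.

    Returns (hit, suspicious) where suspicious lists (original_path, current_path)
    for every baseline file that was overwritten in place or renamed (e.g. an
    extension appended) and now looks encrypted. `hit` is True only when enough
    files changed at once: one edited file is normal, most of a folder is not.
    """
    suspicious = []
    for path, old in before.items():
        if path in after:
            if after[path] != old and file_looks_encrypted(path, after[path]):
                suspicious.append((path, path))
            continue
        # File vanished: look for it under a new name derived from the old one.
        for cand in after:
            if cand.startswith(path) and cand not in before and file_looks_encrypted(path, after[cand]):
                suspicious.append((path, cand))
                break
    hit = len(suspicious) >= min_files and len(suspicious) / max(len(before), 1) >= ratio
    return hit, suspicious

# --- constructed snapshots (not data from any real incident) ----------------------
def _doc(header, n=600):
    """A low-entropy 'document' with a valid header."""
    return header + (b"quarterly figures and meeting notes " * 40)[:n]

def _random_bytes(n, seed):
    """Deterministic stand-in for an encrypted file body."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

BEFORE = {f"docs/report{i}.doc": _doc(b"\xd0\xcf\x11\xe0") for i in range(6)}
BEFORE.update({"docs/invoice.pdf": _doc(b"%PDF-1.4\n"), "photos/cat.jpg": _doc(b"\xff\xd8\xff\xe0")})

# Benign change: the user edited one PDF; header and low entropy remain.
AFTER_BENIGN = dict(BEFORE)
AFTER_BENIGN["docs/invoice.pdf"] = _doc(b"%PDF-1.4\n", 700)

# Attack: six files replaced by random bodies under a new extension, two untouched, plus a note.
AFTER_ATTACKED = {p: d for p, d in BEFORE.items() if p.endswith(".jpg") or p == "docs/report5.doc"}
for _p in BEFORE:
    if _p not in AFTER_ATTACKED:
        AFTER_ATTACKED[_p + ".locked"] = _random_bytes(2048, _p)
AFTER_ATTACKED["docs/HOW_TO_DECRYPT.txt"] = b"constructed ransom note"

if __name__ == "__main__":
    print("benign:", detect_mass_encryption(BEFORE, AFTER_BENIGN))
    print("attack:", detect_mass_encryption(BEFORE, AFTER_ATTACKED))
```

The two conditions in `file_looks_encrypted` are deliberately combined: a compressed archive or a photo is high-entropy but keeps its header, and a corrupted file loses its header but stays low-entropy, so either signal alone produces noise. The ratio and minimum-count thresholds keep a single edited document from raising an alert; what the detector reacts to is the bulk rewrite that no user workflow produces.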

0-day attack targets Yahoo! Mail client

A zero-day Yahoo! Mail vulnerability that results in the execution of arbitrary code was exploited today. The vulnerability lies within Yahoo's onload event handling, allowing an attacker to craft an email message that results in script execution when users read their Yahoo! Mail. In today's attack, a virus author used this exploit to run JavaScript that spams @yahoo.com and @yahoogroups.com recipients with a new virus (JS/Yamanner@MM - http://vil.mcafeesecurity.com/vil/content/v_139913.htm). Yahoo is reportedly working on a fix and blocking these messages.
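The defensive side of this bug is an old one: a webmail client must never hand an untrusted message body to the browser with event-handler attributes still in it. The sanitizer below is an added example written for this post, not Yahoo's fix and not McAfee code. It is built on an allowlist rather than a blocklist: only named tags and attributes survive, every `on*` attribute is dropped regardless of spelling, `<script>`/`<style>` bodies are removed, and URL attributes must begin with an explicitly permitted scheme. The allowlist, the scheme list and the sample message are constructed assumptions; the standard-library `HTMLParser` does the tokenising.

```python
"""Allowlist HTML sanitizer for untrusted e-mail bodies (constructed example)."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")   # cid: for inline attachments
DROP_CONTENT_TAGS = {"script", "style"}                      # body is discarded, not escaped
VOID_TAGS = {"br", "img"}

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []        # (tag, attr-or-None) removed; useful as a detection signal
        self._skip_depth = 0     # > 0 while inside <script>/<style>

    @staticmethod
    def _safe_url(value):
        # Allowlisting the scheme means obfuscated "javascript:" variants fail
        # simply by not matching, so no decoding of tricks is attempted here.
        return value.strip().lower().replace("\x00", "").startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.dropped.append((tag, None))
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:              # HTMLParser already lower-cases names
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name in URL_ATTRS and not self._safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, declarations and processing instructions fall through to the
    # base class, which ignores them: they never reach the output.

def sanitize_email_html(body):
    """Return (clean_html, dropped) for an untrusted message body."""
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample: ordinary markup mixed with the kinds of active content
# a sanitizer must remove. Not a message from the incident.
SAMPLE_MESSAGE = (
    '<p>Hi <b>there</b></p>'
    '<img src="http://example.invalid/a.png" onload="alert(1)">'
    '<a href="javascript:alert(2)" title="x">click</a>'
    '<script>document.location="http://example.invalid/";</script>'
    '<div style="x" onmouseover="alert(3)">text</div>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_MESSAGE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is as useful as the cleaned markup: a mail pipeline can count `on*` attributes removed per sender or per hour, and a sudden spike is exactly what a self-propagating message like the one described above looks like from the server side.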

Application Denied (An update on Yamanner)

Here’s an excerpt from an email that was sent to McAfee today:

Subject: I have written JS/Yamanner@MM Worm

Hello

I have written JS/Yamanner@MM Worm that has been discovered 12 June 2006. I found that in Yahoo! mail and use it to execute scripts ( collecting yahoo addresses from someone mail, sending this email using Ajax technology to them and then redirecting them into a sample site).
Finally I should mention that I don’t like to disturb anyone. Since I live in Iran and taking a job in good computer companies is very hard (because getting a visa from the US is very hard) I just want to prove that I have some abilities in web programming. And I like to work with a professional team like you if there is any way to do that.
Regards
(name intentionally withheld so as not to give props to the author)

While I can’t confirm that this was indeed sent by the virus author, I can say that neither McAfee nor any other reputable Anti-Virus software vendor will be recruiting the Yamanner author anytime soon, or any other known virus author for that matter (see Joe’s blog Can I trust myself?). And speaking of denying applications, Yahoo has made a statement about Yamanner.
According to the Associated Press:
Yahoo Inc. said Tuesday it has contained a malicious program aimed at the millions of people who use its e-mail service, which ranks as the world’s largest.
“We have taken steps to resolve the issue and protect our users from further attacks of this worm,” Yahoo spokeswoman Kelley Podboy said. “The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user.”

Vulnerability Growth to Model That of Malware?

Over the past few years we have seen a shift in the primary motivations behind the creation of viruses and trojans.  Personal challenge, peer praise, and prank value used to be main driving factors in the creation of malware.  Today, it's money.

So are we seeing the start of a similar trend in vulnerability land?

Yesterday, Microsoft released 12 patches to cover 21 vulnerabilities. Brian Krebs blogged that iDefense paid out the advertised $10k to the hacker who discovered one of the critical vulnerabilities. He also notes that "software flaws identified or purchased by TippingPoint and iDefense made up 6 of the 21 flaws". Both iDefense and TippingPoint have publicized vulnerability research incentive programs.

In the past, there has been a perception among some vulnerability researchers that iDefense and other companies will not pony up the promised prize for their work.  Now that this is happening in a public way (see below), others may be more encouraged to try and cash in on the opportunity.  It's a little early to say that this is the start of a vulnerability growth trend, driven by money, but the ingredients are there.

iDefense Vulnerability Contributor Program awards paid:

Deloitte 2006 Global Security Survey

The 2006 Global Security Survey of the financial services industry, conducted by Deloitte Touche Tohmatsu (DTT), was just released. This survey of the world's 100 biggest financial services organizations reports a surge in digital attacks over the past year.

The world's largest financial institutions experienced a surge in the number of digital attacks over the past year, specifically from external sources. More than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization, and almost half (49%, up from 35% in 2005) experienced at least one internal breach.

Among the key points of this survey: the sophistication of attacks and the proliferation of vulnerabilities dominate attention. When asked to rate the intensity of perceived threats over the next twelve months, 53% of respondents chose phishing and pharming, while 51% chose viruses, spyware, Trojans and worms. While internal threats continue to rise over previous years, organizations appear to be more concerned with threats from the outside, since, in their minds, these bring a higher degree of publicity and potential damage to their reputations.

The study suggests that financially motivated, targeted attacks are increasing and that the criminal profile is shifting from script kiddies and disorganized hackers to well-funded organized crime rings, whose around-the-clock, across-the-globe attacks are yielding a big financial payback. This trend clearly shows that random acts of vandalism (such as the web page defacements experienced by 4% of respondents) have been replaced by purposeful, targeted acts of criminal activity (such as the successful phishing attacks experienced by 51% of respondents).

In the survey, identity theft is called the "Crime of the 21st Century". Along with account fraud, these are two priorities that financial institutions will likely be focusing on this year.

To end this note, I am surprised by the classification of external breaches experienced by the companies, quoted on page 26:

  • Viruses/worms: 63%
  • Phishing/pharming: 51%
  • Spyware/malware: 48%

A bit of clarification may be needed on the Deloitte malware definition in order to understand why viruses, worms (pages 26 and 27) and Trojan horses (page 29) are not classified in this category. By their definition, malware is only a malicious program "deployed to extort some form of monetary gain", as explained in this press release document.

This interesting survey is available at:
http://www.deloitte.com/dtt/research/0,1015,sid=1000&cid=121102,00.html

Trojan Frog on the Loose

Here's a trick the traffall.biz (aka iframecash.biz) gang has been using for at least a few weeks. In addition to their usual Internet Explorer exploitation to install downloading downloader trojans (downloading downloading downloaders in many cases), they've been obfuscating some of the traffic by hiding exe files within JPG files. A network administrator would see HTTP GET requests to traffall.biz/pic/[filename].jpg, which would appear normal (unless you were up-to-date on your bad domain list). And if you were to download the '.jpg' files, they would indeed at first appear to be just an image of a goofy frog:

Trojan Frog

Here's a Hex dump of the start of the JPG file:

Hex View of JPG file

In the middle of the file, we can see the encrypted executable (the cursor is at the start):

Hex view of encrypted EXE file

Once the file has been downloaded, the trojan that fetched the file in the first place strips off the image, decrypts the exe, and launches it (and as you may have guessed, the 'it' in this case is yet another downloader). Ironically, the trojans that employ this tactic usually download other files that do not use it, so it's less effective at hiding a compromised machine from a network admin. So why else do it? The main reason may be an attempt to slip past anti-virus and anti-spyware researchers and automated analysis tools. Basic file-type tools will likely see the files as valid JPEGs, which could lead to early dismissal during analysis.
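A file-type tool that stops at the SOI magic bytes is exactly what this trick is built to pass. The triage script below is an added example written for this post, not the gang's tooling and not McAfee's detection; it walks the JPEG marker segments instead of trusting the header and reports the three things a photo from a camera does not have: a large, high-entropy metadata segment (APPn or COM, where payload can be parked and still parse), bytes after the end-of-image marker, and an MZ header whose e_lfanew field really points at a PE signature. The thresholds and the two sample files are constructed assumptions. Because the payload in the post is encrypted, the MZ/PE check will not fire on it; the segment and trailing-data checks are the ones that do.

```python
"""Structural triage of a JPEG that may carry a hidden executable (constructed example)."""
import hashlib
import math
from collections import Counter

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
NO_LENGTH = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # markers that carry no length field

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def walk_segments(buf):
    """Yield (marker, offset, payload) for each segment up to and including SOS."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = buf[pos + 1]
        if marker in NO_LENGTH:
            yield marker, pos, b""
            pos += 2
            continue
        length = int.from_bytes(buf[pos + 2:pos + 4], "big")   # length includes its own 2 bytes
        yield marker, pos, buf[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:          # entropy-coded scan data follows; the caller handles it
            return

def find_pe_headers(buf):
    """Offsets of every 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits, idx = [], buf.find(b"MZ")
    while idx >= 0:
        if idx + 0x40 <= len(buf):
            e_lfanew = int.from_bytes(buf[idx + 0x3C:idx + 0x40], "little")
            if buf[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(idx)
        idx = buf.find(b"MZ", idx + 1)
    return hits

def inspect_jpeg(buf, meta_min_size=1024, entropy_threshold=7.0):
    """Return a list of (kind, detail) findings; an empty list means nothing odd was seen."""
    findings, scan_start = [], None
    for marker, off, payload in walk_segments(buf):
        if (0xE0 <= marker <= 0xEF or marker == COM) and len(payload) >= meta_min_size:
            ent = shannon_entropy(payload)
            if ent > entropy_threshold:
                findings.append(("metadata", f"segment 0x{marker:02X} at {off}: {len(payload)} bytes, entropy {ent:.2f}"))
        if marker == SOS:
            scan_start = off + 4 + len(payload)
    if scan_start is None:
        findings.append(("no_scan", "no SOS segment: file cannot be a decodable image"))
        return findings
    # Inside scan data 0xFF is always followed by 0x00 or an RSTn marker, so the first
    # FF D9 after SOS is the EOI (simplification: progressive JPEGs with later segments are not handled).
    eoi = buf.find(b"\xff\xd9", scan_start)
    if eoi < 0:
        findings.append(("no_eoi", "no EOI marker after scan data"))
    else:
        trailing = buf[eoi + 2:]
        if trailing:
            findings.append(("trailing", f"{len(trailing)} bytes after EOI, entropy {shannon_entropy(trailing):.2f}"))
    for idx in find_pe_headers(buf):
        findings.append(("pe", f"MZ/PE header at offset {idx}"))
    return findings

# --- constructed samples (not files from the campaign) -------------------------------
def _pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

def build_sample(comment, trailing=b""):
    """Minimal JPEG skeleton: SOI, APP0, COM, SOS, a dummy scan, EOI, then `trailing`."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\x12\x34\x56\x78" * 16                       # contains no 0xFF, so no false markers
    return (b"\xff\xd8" + seg(0xE0, jfif) + seg(COM, comment)
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + scan + b"\xff\xd9" + trailing)

CLEAN_SAMPLE = build_sample(b"constructed: an ordinary comment")
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + _pseudo_random(128)
SUSPICIOUS_SAMPLE = build_sample(_pseudo_random(2048), trailing=FAKE_PE)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, inspect_jpeg(sample) or "no findings")
```

The metadata check is a triage signal rather than a verdict: an Exif APP1 segment legitimately holds a compressed thumbnail, which is also high-entropy, so a hit there means "look closer", whereas data after EOI or a valid PE header needs no second opinion. A JPEG that raises any of these is worth a minute of analyst time before it is dismissed as a picture of a frog.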

The group behind this remains one of the most active spyware creators out there.