
RE: First WMF mass mailer ItW (phishing Trojan) - think singularities



Are we missing the point? Hope this isn't too long, but here goes .....

Worms and viruses spread and get found out, but there's a large class of
Trojans that don't want to be found out.

The propagation vector matters a lot if we can use it as a means of finding
malware and capturing signatures. Worms, spam and viruses that have broad
propagation schemes get found out pretty fast - that's the good part of their
efforts to spread, but not all malware wants to spread so recklessly.

Sometimes it's more important to remain undiscovered, which is more likely
the case in the world of Trojans.

Last year IP3 focused a great deal of analysis on what we called
Singularities - non-signatured exploits due to their low volume presence.
This goes way beyond day zero since some reported Trojans hit day 1,000
without being discovered!

Spam, defacement or propagation proof-of-concept worms all have been
reasonably controlled because of their expansive propagation, which leads to
their discovery.

Most economic exploits, including DDoS zombie nets or identity theft
campaigns, could easily continue to use these same kinds of exploits, like
WMF, and are not likely to show up unless they're reckless in distributing
phishing emails or eventually launching a worm that propagates into a
discovery zone.

The same root problems that gave rise to WMF will persist in many
server-side applications for years to come.

The point is that we may spend way too much time looking at the mass mailer
variants and not enough time looking at the targeted and purposeful
exploits.

Remember, these exposures existed across our Microsoft platforms for over a
decade. The exposure didn't begin with its public disclosure or patch
release.

Because gaming and pornography continue to be major revenue streams for
online providers and because they get very little protection through law
enforcement, even when legal enterprises, we've allowed a very lucrative
extortion industry to thrive with individuals well paid to find these
vulnerabilities. It's hard to believe the potential disparity in good-guy vs
bad-guy spending on exploring for openings. 

We've cataloged hundreds of buffer overflow patches over the last year alone
that prove that virtually all enterprises have been widely exposed and have
little or no way of knowing if anything other than a widely propagating (and
therefore signatured) exploit has occurred.

Signature filters do not fix the WMF exposure, but they've done a great job
stopping most of the propagations; it's not the whole story, though.

-----Original Message-----
From: Lance James [mailto:bugtraq@xxxxxxxxxxxxxxxxx] 
Sent: Friday, February 17, 2006 2:03 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: First WMF mass mailer ItW (phishing Trojan)

Gadi Evron wrote:
> The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in
> Australia.
>   
Respectfully speaking:

There are a few corrections to this that need to be expressed.

The language you're using describing it as a mass-mailing worm is coming
off as confusing to some. The WMF exploit is actually seeded on a website,
and the mass-mailing is used to get people to go to that site. Stating
that it's a worm is similar to saying that phishing emails and spam are
worms. I have seen some actual phishing worms, and this is definitely
not it.

A correction also needs to be made on this comment:

"Abusing websites is mostly how WMF is
exploited, but no much in the way of emails before today."


This is grossly incorrect - here are the dates we started seeing this
activity:

January 3rd -  WMF exploit distributing identified phishing trojan
January 9/10th -  WMF exploit distributing identified phishing trojan
Jan 18th/19th - WMF exploit distributing identified phishing trojan
Jan 22nd-25th - WMF exploit distributing identified phishing trojan
Jan 24th - WMF exploit distributing identified phishing trojan


I can go into February but we get the point.

This same phishing group works in regions, so it's not surprising that
they are now targeting Australia. They are also targeting Europe in
February.

Summary:
WMF Mass-Mailing phishing has not been uncommon, just in small
distributions, so it may have not been seen on the radar. Since the
public discovery of the WMF exploit, there have been a few mass-mailings
taking users to a site that distributed WMF exploits to date.


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/