Proofpoint: Security, Compliance and the Cloud

September 22, 2010

Blended Threats Old (VBMania) and New (Malicious HTML Attachments, Twitter Worms) Cause for Concern: Tips for Defense and Remediation

As I note here on a regular basis, blended threats—malware attacks that combine (for example) both web and email vectors—continue to be one of the preferred methods of distributing new forms of malicious software. We've lately seen both old and new examples of blended threats and it's worth noting a few details of those attacks and some tips for staying safe from them.

Last week, we saw the return of a very "old school" type of mass mailing worm, the so-called VBMania or "Here You Have" worm (also dubbed VBMania@MM, Imsolk.B, Autorun-BHO, Visal.B, Trojan.Heur.rm0, or MEYLME.B), which used techniques similar to those of the "I Love You" worm that first struck more than 10 years ago.

VBMania spread quite quickly in North America on September 9th during the middle of the day. The email used social engineering techniques to get recipients to download a .SCR file (screensaver type Windows executable file) from a valid hosting service. A link appearing in the email looked to recipients like a PDF file and the subject contained the phrase "Here you have". The hosted malware file was quickly removed from the hosting service so users in Europe and in other time zones were not affected as heavily.

A few observations on minimizing the impact of such worms:

One of the reasons that worms like this cause major IT headaches is because, even once gateway defenses are protecting against the attack (and like most other gateway anti-spam and anti-virus vendors, Proofpoint systems were accurately detecting and blocking the attack and its variants very shortly after its introduction), any emails that have gotten through and get activated (by users clicking a malicious link) cause the worm to set off an internal spam storm, as the worm emails itself to everyone in the email recipient's address book.

Since those emails are not coming from the Internet, they are not screened by the gateway device and so can wind up in other inboxes on the affected organization's email system... And the cycle can repeat.

Analyst Mike Osterman has a very interesting and educational post at his blog—see "One Large Organization's Response to a Major Email Virus"—in which an unnamed organization (that uses Proofpoint, Websense and Sophos for different aspects of Internet security) details how it responded to the attack. The entire post is highly recommended reading, but one very clever bit is especially worth noting here. Says the poster:

The reason we were able to spot it [the VBMania infection] so quickly is a result of preplanning that we put in place shortly after we installed our Exchange 2007 system. We created a mailbox called ‘..Canary’. The two periods make sure that it is always at the top of the list in our address book. The Canary mailbox acts like a canary in a coal mine. We never use that mailbox for anything and it appears in no distribution lists. Our messaging team and our security team subscribe to that mailbox and are immediately notified whenever an email is delivered there. When the ‘Here You Have’ virus started its attack, it started walking down our address book sending to each user in turn.

The first message to hit Canary set off alarms. We watched it closely to see if it was just misdirected mail. However, by 2:30pm [ET] we had 10 messages from 10 different users and we knew that we were under attack.
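The canary-mailbox idea quoted above is easy to automate. The following is an added example (not code from this post or from the organization quoted) of the detection logic: a decoy mailbox that sits first in the address book should receive nothing, so a single delivery is treated as possibly misdirected mail, while several distinct internal senders hitting it inside a short window is the signature of a worm walking the address book. The log format, the canary address, the window and the threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Canary-mailbox detector (added example, not the post's own code).

Alarm when a never-used decoy mailbox receives mail from several distinct
internal senders within a short window, which is what an address-book
walking worm looks like from the inside of the mail system.
"""
from collections import OrderedDict
from datetime import datetime, timedelta

CANARY = "..canary@example.com"     # assumed address of the decoy mailbox
WINDOW = timedelta(minutes=30)      # assumed observation window
THRESHOLD = 3                       # distinct senders that trip the alarm

# Constructed delivery log (not real data): "<timestamp> <sender> -> <recipient>"
SAMPLE_LOG = """\
2010-09-09T13:55:10 alice@example.com -> bob@example.com
2010-09-09T14:02:41 carol@example.com -> ..canary@example.com
2010-09-09T14:10:05 dave@example.com -> erin@example.com
2010-09-09T14:15:30 dave@example.com -> ..canary@example.com
2010-09-09T14:18:12 carol@example.com -> ..canary@example.com
2010-09-09T14:29:59 frank@example.com -> ..canary@example.com
2010-09-09T16:00:00 grace@example.com -> ..canary@example.com
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, sender, recipient)."""
    ts, sender, _arrow, recipient = line.split()
    return datetime.fromisoformat(ts), sender.lower(), recipient.lower()


def canary_hits(log_text, canary=CANARY):
    """Return (timestamp, sender) for every delivery addressed to the canary."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt = parse_line(line)
        if rcpt == canary:
            hits.append((ts, sender))
    return hits


def detect_storm(log_text, canary=CANARY, window=WINDOW, threshold=THRESHOLD):
    """Slide a window over canary deliveries in time order.

    A lone hit never alarms (it may be misdirected mail). Once the number of
    distinct senders inside one window reaches the threshold, return
    (alarm_time, senders_in_order); otherwise return None.
    """
    hits = sorted(canary_hits(log_text, canary))
    for i, (start, _sender) in enumerate(hits):
        senders = OrderedDict()
        for ts, sender in hits[i:]:
            if ts - start > window:
                break
            senders[sender] = ts
            if len(senders) >= threshold:
                return ts, list(senders)
    return None


if __name__ == "__main__":
    verdict = detect_storm(SAMPLE_LOG)
    if verdict:
        when, who = verdict
        print(f"ALARM at {when.isoformat()}: canary hit by {len(who)} senders: {who}")
    else:
        print("no storm detected")
```

Run against the constructed log, the detector stays quiet on the first delivery and alarms at 14:29:59 when a third distinct sender reaches the canary within 30 minutes; the lone 16:00 delivery does not extend the alarm. In practice the same function would be fed from the mail server's delivery log or a journaling rule on the canary mailbox.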

Web security tools also play a role in preventing and remediating blended threats, of course, and as just one example, this organization used their Websense web filter/proxy to block any outbound traffic to the malicious URL (succeeding in doing so before the hosting provider had deactivated it).

Many organizations have had issues with infected machines on their network getting them into trouble with various RBLs (blacklist/blocklists) as those machines blast out spam and malware-infected emails. This has driven many organizations to adopt email security systems (like Proofpoint) that can apply anti-spam and anti-virus policies to the outbound email stream as well as to inbound email.

Proofpoint users are encouraged to turn on outbound spam and virus scanning (if they haven't already done so) to avoid having their IP addresses land on various blocklists and to help keep threats like these from propagating across the net with ease.

Newer blended threats

New blended threats are appearing all the time, and just today Proofpoint detected and blocked a new - and rather aggressive - malicious email attack that features highly randomized subject lines and comes with an HTML attachment. While this new attack is completely unrelated to VBMania, it's another interesting example of how blended threats continue to evolve.


The HTML attachment does not contain a direct URL link (a feature that anti-spam and anti-malware vendors very quickly "latch on" to and can block), but instead includes JavaScript code that, when executed, constructs and displays a URL for the user to click. That URL points to (you guessed it) a virus hosted on a compromised site.
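Because the link target never appears as a plain href, a scanner that only extracts URLs from the attachment sees nothing. The following is an added example (not Proofpoint code and not the attack sample) of a static triage check a mail gateway or analyst could run on HTML attachments: it collects static hrefs and script bodies, glues together the string literals inside each script, and flags the file when a complete URL emerges from the fragments that never appears whole in the attachment. The two HTML files, the heuristics and the placeholder domains are all constructed for the example.

```python
"""Static triage for HTML email attachments (added example, not the post's code).

Flags attachments in which script assembles a URL from string fragments so
that no plain link is visible to a URL-extracting scanner.
"""
import re
from html.parser import HTMLParser

# Constructed samples with placeholder domains (not real attachments).
BENIGN_HTML = """<html><body>
<p>Your statement is ready.</p>
<a href="https://billing.example.com/statements">View statement</a>
</body></html>"""

SUSPECT_HTML = """<html><body>
<p>Document scanned.</p>
<script>
var p = "ht" + "tp://";
var h = "files.example" + ".invalid/";
var f = "doc" + ".scr";
document.write('<a href="' + p + h + f + '">Open');
</script>
</body></html>"""

FULL_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
STRING_LITERAL = re.compile(r"""(["'])(.*?)\1""")
EMITTER = re.compile(
    r"document\.write|innerHTML|location\.(?:href|replace|assign)|window\.open", re.I)


class _Collector(HTMLParser):
    """Gather static anchor hrefs and the raw text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def triage_html(html_text):
    """Return a verdict dict for one attachment.

    'suspicious' is True when a script's string literals, concatenated in
    source order, spell out a full URL that is not present verbatim anywhere
    in the script, i.e. the link is only materialised at run time.
    """
    c = _Collector()
    c.feed(html_text)
    assembled, reasons = [], []
    for body in c.scripts:
        joined = "".join(m.group(2) for m in STRING_LITERAL.finditer(body))
        for url in FULL_URL.findall(joined):
            if url not in body:  # exists only once the fragments are glued together
                assembled.append(url)
        if EMITTER.search(body):
            reasons.append("script writes content or navigates at run time")
    if assembled:
        reasons.append("URL assembled from string fragments: " + ", ".join(assembled))
    if c.scripts and not c.hrefs:
        reasons.append("no static link in the HTML; any link comes from script")
    return {"suspicious": bool(assembled), "assembled_urls": assembled,
            "static_hrefs": c.hrefs, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        v = triage_html(sample)
        print(f"{name}: suspicious={v['suspicious']} reasons={v['reasons']}")
```

The joined-literal trick is deliberately cheap: it does not execute anything, so it is safe to run inline at the gateway, and the recovered URL can be handed to the same reputation and web-filter checks that would have caught a plain link. It will not see through encoding or arithmetic obfuscation, which is why the verdict is a triage signal to quarantine or sandbox rather than a final judgement.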

With attacks such as this where the email message contains no or very few clues as to its true nature, it takes a small amount of time for content-based scanning systems to detect and block the message and its variants.

So how do you protect against that "leading edge" of a new attack?

This is a case where having multi-layered defenses is extremely helpful. For example, in Proofpoint's case, our core spam detection technology (Proofpoint MLX) uses machine learning techniques to identify, predict and adapt to new threats based on many factors including the content of messages and their attachments. But this is supplemented by reputation-based and connection management techniques, which block email messages at the connection level based on sender reputation.

In the case of today's attack, many of the messages were blocked immediately by this type of connection-level protection. Proofpoint's connection management technology, Proofpoint Dynamic Reputation, is always enabled in our SaaS version and is bundled with our Proofpoint Enterprise Protection suite, but organizations that don't yet take advantage of this system are encouraged to do so.

In addition to anti-spam techniques, anti-virus techniques are also useful in detecting and blocking new threats and, again, other variants of this particular attack were stopped immediately by Proofpoint's zero-hour anti-virus technology (like Dynamic Reputation, this feature is always enabled in our SaaS email security solution and other Proofpoint users are encouraged to activate that feature).

Proofpoint is constantly developing new techniques for detecting, blocking and predicting new attacks with ever-increasing accuracy and speed. Proofpoint has always been at the forefront of combating new types of spam and that innovation continues on a daily basis. And while some techniques might seem more novel or noteworthy (such as techniques for combating attachment-based spam like image-, zip- and mp3-based spam), Proofpoint continually delivers new defenses to customers, multiple times per day, in automatic updates.

That work doesn't occur in a vacuum. We work continuously with security partners including F-Secure, McAfee, Commtouch, and Blue Coat Systems to design new methods for fighting blended threats.

Complex web threats

Similar to the issue of email-based blended threats, new web-based threats are constantly emerging, like today's cross-site scripting attack that allowed several worms to propagate across Twitter. The flaw that allowed these worms to propagate is reportedly fixed now (see Information Week, "Twitter Worm Fixed" for details).

Even so, our friends at F-Secure warn in their blog that, "it's perfectly possible that there will be more malicious attacks, possibly combining this technique with browser exploits."

The role of end-user education

While technology plays an important role in deflecting all of these new types of attacks, it'd be extremely out of character for me to close a long post like this without mentioning that individual email and Web users (both inside and outside the enterprise) are part of the security equation.

Rather than repeating my tips for "staying safe online" here, I'll simply link to them and note that it's important in today's environment for email users to understand that they should never click on links in email, and should instead type or paste a trusted address directly into their browser.

See my "Seven Simple Rules for Staying Safe Online" included in a previous blended threat sighting blog post. 


©2012 Proofpoint, Inc.