Botnets, Spam, and Malware
by Jose Nazario

I want to take a few minutes today and post a bit about the current “menace” on the mass-mailer front, Stration, and point to some external analysis of it. It’s nowhere near as popular as the old “favorites”, like Sober.X and the Blackworm, but it sure is gaining some ground fast. Sadly, I can’t share our internal analysis of it.
The latest enticement mails look something like this:
Mail server report. Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses.
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service

[ Part 2, Application/OCTET-STREAM (Name: “Update-KB7546-x86.zip”) ]
[ 17KB. ]
[ Cannot display this part. Press “V” then “S” to save in a file. ]
As you might have guessed, the attachment is the malware.
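As an added example that is not part of the original post, here is a small Python mail filter built around the two things the quoted lure gives a defender: the reused “Mail server report” wording and the fake-patch attachment name (Update-KB7546-x86.zip, sent as a generic application/octet-stream part). It walks the MIME structure with the standard library, scores both signals, and only blocks when they appear together. The sample messages are constructed here to mirror the quote; the attachment bytes are a harmless placeholder, and the phrase list and name pattern are assumptions about what stays stable across variants.

```python
"""Flag Stration-style mass-mailer lures by walking a MIME message.

Added example, not the post's own code. Sample messages are constructed
below; the attachment content is a placeholder, not a real archive.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Lure phrases lifted from the quoted "Mail server report" message.
# Assumption: the wording is reused across variants, as the post notes
# the message format often stays the same while the binary changes.
LURE_PHRASES = (
    "mail server report",
    "worm copies are being sent from your computer",
    "install updates for worm elimination",
)
# Fake patch names of the Update-KB<number>-x86.zip form used by the lure.
FAKE_UPDATE_NAME = re.compile(r"^update-kb\d+-x86\.(zip|exe|scr)$", re.IGNORECASE)
# Generic binary attachments with these suffixes are how the worm is delivered.
SUSPECT_SUFFIXES = (".zip", ".exe", ".scr", ".pif")


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return a verdict plus the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # 1. Lure text in the body (first text/plain or text/html part).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    lure_hits = [p for p in LURE_PHRASES if p in text]
    if lure_hits:
        reasons.append("lure text: " + "; ".join(lure_hits))

    # 2. Suspicious attachments: fake update names, or an opaque binary
    #    whose filename says it is an archive or executable.
    attach_hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if FAKE_UPDATE_NAME.match(name):
            attach_hits.append(f"fake Windows update name: {name}")
        elif (part.get_content_type() == "application/octet-stream"
              and name.lower().endswith(SUSPECT_SUFFIXES)):
            attach_hits.append(f"generic binary with executable-style name: {name}")
    reasons.extend(attach_hits)

    # Both signals together is the Stration pattern; one alone earns a second look.
    if lure_hits and attach_hits:
        verdict = "block"
    elif lure_hits or attach_hits:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


def build_lure_sample() -> bytes:
    """Constructed message mirroring the quoted lure (placeholder attachment)."""
    m = EmailMessage()
    m["From"] = "Customers support service <support@example.invalid>"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Mail server report."
    m.set_content(
        "Mail server report. Our firewall determined the e-mails\n"
        "containing worm copies are being sent from your computer.\n"
        "Please install updates for worm elimination and your computer restoring.\n"
        "Best regards,\nCustomers support service\n"
    )
    m.add_attachment(b"PK\x03\x04 placeholder, not a real archive",
                     maintype="application", subtype="octet-stream",
                     filename="Update-KB7546-x86.zip")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a text attachment, for contrast."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "Lunch on Friday?"
    m.set_content("Still on for Friday? The numbers are attached as plain text.\n")
    m.add_attachment("quarterly numbers go here\n", filename="report.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure_sample()), ("benign", build_benign_sample())):
        print(label, score_message(raw))
```

The two-signal rule is deliberate: a subject line alone would also match legitimate bounce notices, and a zip attachment alone is common in ordinary mail, but the combination of the reused lure text with an opaque binary named like a Windows hotfix is the shape of the message quoted above.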
What’s this guy up to? We’re not really sure, but he (or she, or the whole team) has been very busy: dozens of variants in the past few weeks and mainly on the weekends. The worm goes by a few names, including Warezov and Strat.
The folks at Fortinet have a brief writeup of the Stration worm and its prevalence. It’s still dwarfed by Netsky.P in the same timeframe, but we can see that with every burst of activity, more and more get out there. The messages often have the same format (gotta love it when someone keeps the same MO) as previous versions, but the malware comes in a rapid-fire pattern. What’s the plan? I’m not sure, but it could be building a spam network for someone by hijacking PCs.
Another spam-related Trojan got a great writeup by Joe Stewart, formerly of LURHQ and now at SecureWorks (who merged with LURHQ recently). The writeup, SpamThru Trojan Analysis, looks at how a sophisticated spam network operates. Joe’s talented and he’s been able to peer into the spam net, its templates, and the results.
We, as a community, keep our eyes on these folks for the simple reason that they’re out there to cause you pain, whether an infected PC, spam floods, or scam victimization. We used to think they were in it for pure theft, i.e. grab your credit card or your account. Now we’re wiser, or maybe the criminals are smarter. There’s good money for them to make in illegal business practices, and they want to use things like botnets to do it.
Update: The original post incorrectly said that SecureWorks bought LURHQ; Joe tells me it was a merger instead. I’ve updated the text above.