[Dshield] Meanwhile...

Joe Stewart jstewart at lurhq.com
Thu Jun 16 17:18:46 GMT 2005


On Thursday 16 June 2005 12:46 pm, TheGesus wrote:
> I hate to tear you folks away from obsessing about your reports, but
> does anyone have any information on this...
>
> http://www.niscc.gov.uk/niscc/index-en.html

Yes. Some of these attacks involve embedding a trojan in a malicious .doc 
file, which will install upon opening the document in MS Word, using an 
exploit for the MS03-050 vulnerability:

http://www.microsoft.com/technet/security/bulletin/MS03-050.mspx

Most antivirus engines can detect the exploit itself, regardless of 
whether the trojan is packed to evade detection. They still require 
user interaction to infect; however a user is more likely to click on 
a .doc file than an .exe file, as it seems macro viruses are all but a 
thing of the past.

The ones that are directly mailed as an executable attachment and rely 
on social-engineering are the most threatening if you are relying 
solely on AV scanning to stop the threat. If you value your company's 
intellectual property, you should block executable attachments outright 
at the gateway, even if they are zipped. Better yet, consider 
outsourcing your mail scanning to a company that can detect these kinds 
of threats across multiple destinations (e.g. MessageLabs).

I'm also surprised they didn't mention W32.Myfip in the bulletin. It's a 
little worse than the others, acting as a network worm once it makes 
its way into a network. It steals PDFs, DOCs and MDBs as well as 
several types of CAD/CAM formats including electronic schematics, 
circuit board layouts and the like. It also has a Chinese nexus, and 
has been out since last August (last known variant .AB was seen this 
April).

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
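A gateway check along the lines Joe describes above (block executable attachments outright, even when they arrive inside a zip), written here as an added Python example; it is not part of the original mail, and the extension list, the MZ-header check and the sample message are constructed for illustration.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy: extensions treated as executable content at the gateway.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MZ_MAGIC = b"MZ"  # header of a Windows PE/DOS executable, catches renamed files

def is_executable(name, data):
    """Flag by extension or by MZ header, so a renamed .exe is still caught."""
    return os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS or data[:2] == MZ_MAGIC

def executables_in_attachment(name, data):
    """Names of executables found in one attachment; zip members are inspected too."""
    hits = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    member = zf.read(info)
                except RuntimeError:  # encrypted member: cannot inspect, so block it
                    hits.append(info.filename + " (encrypted, unscannable)")
                    continue
                if is_executable(info.filename, member):
                    hits.append(info.filename)
    elif is_executable(name, data):
        hits.append(name)
    return hits

def scan_message(raw):
    """Return (attachment, offending file) pairs the gateway should block."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "unnamed", hit)
            for part in msg.iter_attachments()
            for hit in executables_in_attachment(part.get_filename() or "unnamed",
                                                 part.get_payload(decode=True) or b"")]

def build_sample():
    """Constructed message: a .doc plus a zip hiding a renamed executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 harmless text")
        zf.writestr("update.txt", b"MZ\x90\x00" + b"\x00" * 60)  # PE header, renamed
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "docs"
    msg.set_content("See attached.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 fake doc", maintype="application",
                       subtype="msword", filename="brief.doc")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg.as_bytes()
```

The .doc is left for the AV engine, as the mail notes it detects the exploit itself; the zip is blocked because its renamed member carries an MZ header.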


