JULY 26, 2013
Your regular source of security updates from TrendLabsSM
In This Issue

Security Spotlight
Old Malware, New Tricks: File Infector Steals FTP Credentials

Security for Home Users
Summer of Scams: Blockbusters Get Used as Bait

Security for Business
Proactive Security Awareness Programs: Turning Weakness into Strength



Security Spotlight

Old Malware, New Tricks: File Infector Steals FTP Credentials

Just like their biological counterparts, viruses or malware often reappear with new characteristics that cause different symptoms and complications. We recently spotted a sudden surge of infections involving a malware family previously discovered in 2010, PE_EXPIRO. The latest strain exhibits a unique behavior and has an unusual way of spreading.

PE_EXPIRO: Not Expired Yet

PE_EXPIRO is a file infector. Its earlier variants scour a computer’s drives for legitimate .EXE files and append their own code to every file they find, corrupting the files and rendering them unusable. The newly discovered strain can also steal information such as File Transfer Protocol (FTP) client login credentials, along with specific user and computer details. Losing this kind of data can lead to privacy violations, identity theft, and the compromise of any content the FTP client has access to.

Besides a new malicious routine, it also sports a different arrival method. To infect a computer, it uses a combination of threats and follows the typical infection scenario below:

  • The potential victim is lured to a malicious site hosting the Styx Exploit Kit, which lets cybercriminals target several vulnerabilities in a single attack. Styx exploits take advantage of old Java and Adobe Reader®/Acrobat® vulnerabilities; we detect one such exploit as JAVA_EXPLOIT.ZC.
  • The PE_EXPIRO mother file infector, detected as PE_EXPIRO.JX-O, is then dropped onto the compromised computer.
  • PE_EXPIRO.JX-O searches all available drives for legitimate .EXE files and infects them with malicious code; the infected files are detected as PE_EXPIRO.JX. Information theft also happens at this stage.
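As an added, defender-side illustration of the file-infector behavior described above (this is not code from the TrendLabs article and not an EXPIRO-specific signature), the following Python parses a PE file’s section table and flags generic signs of an appended-code infector: an entry point that sits in the last section, an entry section that is both writable and executable, and data trailing the last section. The two sample images are constructed inside the code; the field offsets used are those of the standard PE/COFF header layout.

```python
import struct
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE image's headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    entry = struct.unpack_from("<I", data, pe + 40)[0]            # optional header + 16
    secs = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                          # 40-byte section headers
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append(dict(name=data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"), vaddr=vaddr,
                         vsize=vsize, rptr=rptr, rsize=rsize, chars=struct.unpack_from("<I", data, off + 36)[0]))
    return entry, secs

def infector_signals(data):
    """Generic signals of appended-code infection; each alone also occurs in some benign files."""
    entry, secs = parse_pe(data)
    signals, last = [], max(secs, key=lambda s: s["rptr"])
    if len(data) > last["rptr"] + last["rsize"]:
        signals.append("data appended beyond the last section")   # also true of signed binaries
    ep = next((s for s in secs if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    if ep is None:
        signals.append("entry point outside every section")
    elif ep is last and len(secs) > 1:
        signals.append(f"entry point in last section {ep['name']}")
    if ep and ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        signals.append("entry section is writable and executable")
    return signals

def build_pe(sections, entry, overlay=b""):
    """Constructed minimal PE32 image for testing; sections = [(name, vaddr, size, chars)]."""
    opt_size, hdrs, body = 0x60, b"", b""
    raw = (88 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF     # first raw offset, 512-aligned
    for name, vaddr, size, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw + len(body), 0, 0, 0, 0, chars)
        body += bytes(size)
    img = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
           + struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry) + bytes(opt_size - 20) + hdrs)
    return img + bytes(raw - len(img)) + body + overlay

CODE, DATA = 0x60000020, 0xC0000040                                 # .text-like / .data-like flags
CLEAN = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA)], 0x1000)
# Constructed "infected" image: a writable+executable section appended and the entry point moved into it
INFECTED = build_pe([(b".text", 0x1000, 0x200, CODE), (b".data", 0x2000, 0x200, DATA),
                     (b".vir", 0x3000, 0x200, CODE | IMAGE_SCN_MEM_WRITE)], 0x3000, overlay=b"\x90" * 16)
```

In practice these heuristics belong beside a file-integrity baseline of known-good .EXE hashes, since an infector that rewrites every executable on every drive changes hashes wholesale while individual signals can also appear in legitimate packed or signed binaries.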

Who’s the Target?

This particular campaign has a specific user profile in mind. Since the new EXPIRO strain steals FTP client credentials, it’s safe to assume that the attack was designed to compromise websites. FTP clients are typically used to manage website content stored in file servers. If cybercriminals obtain access to website file servers through FTP clients, they can host malicious files on those sites. They can also deface the sites if they choose to.

The fact that the Styx Exploit Kit was used to deliver the threat to computers is notable, too. Cybercriminals commonly use exploit kits to target the computers of specific organizations.

Staying Safe

Protection against PE_EXPIRO is within reach. All you need to do is:

  • Update your software. PE_EXPIRO’s latest strain attacks Java and PDF vulnerabilities. Regularly updating your software ensures that security flaws and vulnerabilities like these are patched.
  • Install a security solution. Security solutions that block these attacks are essential to keep your computer and the data you keep in it safe. Users of Trend Micro security solutions are already protected against all of the threats involved in this attack.

Copyright ©2013 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com
