Description:
FIRST HUGE ATTACK OF THE YEAR
Barely three weeks into the new year, as the storm "Kyrill" raged over central Europe, another "storm" brewed: a deluge of spam email messages that promised information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe", among others.
The spam attack started just as the storm in Europe was at its strongest on January 18. Over the next few hours and into the next day, as hundreds of thousands of recipients interested in information about the storm opened their inboxes, the global computing community faced a huge threat attack.
FIRST STORM
The attachment of the spammed email messages bears the name "Full Clip.exe" or "Full Video.exe", among others. The attachment, as the file name extension gives away, is not a video file but a malicious program, a Trojan detected by Trend Micro as TROJ_SMALL.EDW. Once running on a system, this Trojan downloads numerous other malicious files from various URLs. TROJ_SMALL.EDW thus becomes the starting point of a bigger malicious attack.
TROJ_SMALL.EDW comes with a rootkit component that hides the Trojan's files and processes. The presence of a rootkit always signals that the threat aims to stay on a system undetected for as long as possible. In recent threat attacks, this has always meant that the malware is up to something other than its more obvious routines.
In TROJ_SMALL.EDW's case, the rootkit component also connects to a fixed list of IP addresses (hardcoded in the program) using specific UDP ports. This allows affected computers all over the world to converge and create a network.
What is interesting about the network that TROJ_SMALL.EDW-affected computers create is that it is not a traditional botnet. Analysis of the packet structure of TROJ_SMALL.EDW's connections reveals that they are based on a protocol used by a popular peer-to-peer (P2P) application. This is a new twist to botnets and C&C (command and control) in general.
Figure 1. TROJ_SMALL.EDW comes with a rootkit component, which hides the Trojan's files and processes to avoid immediate detection. Notably, the rootkit component also connects to specific IP addresses via UDP ports, which may suggest that the said addresses are access points to a network of zombie machines.
Traditional botnets use a number of servers to which zombie machines connect. These servers provide specific points where affected computers converge and where a malicious user can gain control over all of them. This creates an army of zombie machines, ready at a remote attacker's disposal.
However, it was found that TROJ_SMALL.EDW connects to the said IP addresses not to wait for commands from a remote attacker to execute on the affected system. Instead, the IP addresses point to computers running P2P applications that use the same protocol as TROJ_SMALL.EDW. These initial IP addresses serve only as launch peers, a way for newly affected computers to join the P2P network. Once connected to the network, TROJ_SMALL.EDW communicates with other connecting computers to update a list of compromised IP addresses. The result is a list of all affected IP addresses that is continually updated on each affected computer.
The use of P2P connections is not incidental. It is a shrewd choice, as it tweaks the traditional botnet structure, ensuring that a network of zombie machines carries on, even if one machine is cleaned of the threat (and therefore not part of the network anymore).
A P2P setup also allows a compromised machine to take the role of both server and client, granting flexibility to the botnet structure. In contrast, traditional botnets take on the relatively rigid master-slave configuration.
However, although TROJ_SMALL.EDW's network is different from a traditional botnet, ultimately it serves the same purpose. The network can be used to perform other malicious activities, such as spamming, or quite possibly to serve as a huge springboard for another attack in the future.
SECOND STORM
As if the mass-spamming did not reach enough systems, the attack escalated: one of TROJ_SMALL.EDW's downloaded files is a mass-mailer that drops the Trojan. This creates an endless loop of infection, wherein a TROJ_SMALL.EDW-affected computer becomes a springboard for the worm's propagation, which in turn drops the Trojan on the machines it affects.
Figure 2. Recent samples of TROJ_SMALL.EDW are found to be dropped by WORM_NUWAR.CQ. Because the NUWAR family is known to create zombie networks in order to send "pump-and-dump" spam, this development could imply that the Trojan is used to help NUWAR cast a wider net and thereby gain more profit.
The said mass-mailer, WORM_NUWAR.CQ, is a member of the NUWAR family, of nuclear-war fame (earlier NUWAR variants use war-laden email messages; second-generation variants query the "Most Popular" section of cnn.com, a widely read news site).
WORM_NUWAR.CQ, however, is a 180-degree turn from its family's signature social engineering scheme. As if in anticipation of Valentine's Day, WORM_NUWAR.CQ uses a very long list of email subjects, all of them about love. "The Miracle of Love", "My Perfect Love", and "A Bouquet of Love" are just some of the possible subject lines. Notably, like most recent NUWAR-sent email messages, the message body is blank.
Nevertheless, this change of subject line is not the first in the malware family. Just before the turn of the year, two NUWAR variants, .AY and .BH, surfaced, greeting recipients with "Happy New Year!". WORM_NUWAR.CQ's love-inspired email messages only suggest that the computing world may be seeing varying, albeit relatively predictable, subject lines from the family. Interestingly, the .AY, .BH, and .CQ variants use similar attachment file names: postcard.exe, greeting card.exe, etc.
SURVEYING THE DAMAGE
TROJ_SMALL.EDW is the first big threat of the year. The spamming was so massive and quick that this Trojan found its way into inboxes in just a few hours. At the height of this spamming, it accounted for a huge majority of email messages caught by Trend Micro email honeypots. The Trend Micro Service Team received over 60 case submissions from customers in 10 countries (including Japan, United States, and Italy) in the first three days of its onslaught.
Industry experts are pointing to TROJ_SMALL.EDW's clever social engineering scheme as the reason for its "success". As the storm was raging, the email messages containing TROJ_SMALL.EDW started to be spammed. This made the said email messages, supposedly containing information about the storm, available during – and right after – the storm, when information about it may have been in demand.
This is enhanced social engineering, of the same caliber as the NUWAR technique of parsing cnn.com's "Most Popular" section for email details. Both techniques further prove that threats have gotten smarter, composing email messages and deploying them where and when recipients may actually open them. Users therefore need to become just as smart, if not smarter, in order to detect malicious email messages that are aimed directly at them, rather than the blind hit-and-miss method that was popular in the outbreak era.
Its partnership with WORM_NUWAR.CQ, a member of the family that launched a huge attack last year, only indicates how large this attack is. Interestingly, the contents of the spammed email messages that carried TROJ_SMALL.EDW take on the character of email messages associated with earlier NUWAR variants: messages of war or of incredibly timely news. "President of Russia Putin dead" and "Russian missle shot down USA satellite" are just two more of the subject lines, apart from the storm plot. This indicates a collaborative attack.
In fact, TROJ_SMALL.EDW's other downloaded files have routines that support not only the Trojan but the whole TROJ_SMALL.EDW-WORM_NUWAR.CQ partnership. They are components that sustain, for instance, mailing capability or communication with other machines in the P2P network, in case either TROJ_SMALL.EDW or WORM_NUWAR.CQ is terminated.
NUWAR is known to create zombie networks for sending “pump-and-dump” spam. This is a source of profit for its authors, as they can create false demand for financial stocks that they hold. As the stock prices reach their peak, the scammers sell their stocks and stop creating the artificial demand, and the stock prices naturally drop even faster than they went up.
As more and more findings are gathered from continued analysis, there is more and more reason to conclude that TROJ_SMALL.EDW uses NUWAR to get a share in profits. As the NUWAR attack is ultimately profit-driven, so is TROJ_SMALL.EDW.
TREND MICRO SOLUTION
To control damage and protect its customers from further threats, Trend Micro has deployed comprehensive, layered protection.
As soon as the initial samples were caught by Trend Micro honeypots, VSAPI detections were created, released in control pattern release (CPR) version 4.194.01 in the wee hours of January 18, and included in official pattern release (OPR) version 4.195.00 later that same day. All new samples of both TROJ_SMALL.EDW and WORM_NUWAR.CQ are detected by the latest OPR.
TROJ_SMALL.EDW's rootkit runs even in safe mode. Rootkit Buster removes the rootkit to ensure successful cleanup. Rootkit Buster and GeneriClean also restore system changes, including registry modifications.
The URLs from which the Trojan downloads files are blocked by TMUFE. On the other hand, TMASE blocks email messages with executable attachments and an empty message body, stopping not only the email messages that TROJ_SMALL.EDW arrives in, but also the messages mass-mailed by WORM_NUWAR.CQ.
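The TMASE rule described above (executable attachment plus empty body) can be reproduced as a simple gateway heuristic. The following Python script is an added illustration, not Trend Micro's code; the executable extension list, the sample messages and the placeholder attachment bytes are all constructed here, and the third sample shows that a message with body text passes this particular rule, which is why the page pairs it with URL blocking and pattern detection.

```python
"""Heuristic mail filter modelled on the rule above: quarantine a message only
when it carries an executable attachment AND its body is empty."""
import email
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway list of attachment extensions treated as executable.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def has_executable_attachment(msg):
    """True if any attachment part has a file name ending in an executable extension."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTENSIONS):
            return True
    return False


def body_is_empty(msg):
    """True if the preferred text body is missing or contains only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or body.get_content().strip() == ""


def classify(raw_bytes):
    """Apply the two-condition rule to a raw RFC 5322 message; returns the verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if has_executable_attachment(msg) and body_is_empty(msg):
        return "quarantine"
    return "deliver"


def build_sample(subject, body_text, attachment_name=None):
    """Construct a sample message for testing (constructed data, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body_text)
    if attachment_name:
        # Placeholder bytes standing in for a binary attachment; not a real program.
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("230 dead as storm batters Europe", "", "Full Clip.exe")))
    print(classify(build_sample("Holiday photos", "See attached", "photo.jpg")))
    print(classify(build_sample("Installer", "Attached as discussed", "setup.exe")))
```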