With the bad guys increasingly resorting to quieter, more targeted attacks, it's been a long time since we've seen headlines about the massive spread of a worm or Trojan horse. Most security experts agree the days of Sasser-like attacks are over.

So when the so-called Storm Trojan started gaining traction last week, antivirus vendors were jolted into overdrive. Symantec gave the malware a rare risk rating of three. The firm flags most malware with a rating of one or two. It also declared it the worst outbreak since 2005. F-Secure Corp. dedicated big blocks of space in its F-Secure blog to updates on the Trojan's spread. F-Secure even offered footage of its computerized world map so everyone could witness the malware's march across the globe.
But was this malware really worth the publicity it received? Opinions vary among security bloggers.
Mike Rothman, president and principal analyst of Security Incite in Atlanta, suggested in his Daily Incite blog that the malware got the big media headlines because of an otherwise slow news week. "Nothing seems novel about it. It's just social engineering on steroids. More zombies, more bots, more spam," he wrote.
Rothman shared the assessment of security blogger Dancho Danchev, who in his Mind Streams of Information Security Knowledge blog described the Storm coverage as a "frontal PR attack" among vendors.
"With all the buzz over the 'Storm worm' … it is almost unbelievable how hungry for a ground-breaking event the mainstream media is," he wrote. "Don't misunderstand me, protecting the end user from himself is a necessity, but over hyping this simple malware doesn't really impress anyone with a decent honeyfarm out there."
Besides, he noted, corporate email environments stopped allowing this type of incoming executable file through the gates a long time ago.
While that may be the case to a certain extent, other security experts -- including some of the vendors -- used their blogs to argue that all the attention is indeed justified.
The Symantec Security Response Center blog, for example, offered up a series of charts to document the malware's spread in the past week.
One graphic shows how the malware -- named Peacomm by Symantec -- has topped the charts and exceeded the spread of the "Happy New Year" [Mixor] worm despite getting a much later start. Symantec suggested there's a link between Mixor and Peacomm.
"While the first sample of Mixor.Q did not contain Peacomm, it did contain a simple downloader executable," Symantec said. "It is highly likely that there is a direct correlation between the number of Mixor infections and the later rise of Peacomm, considering that Mixor dropped Peacomm as a payload."
Allysa Myers of McAfee Avert Labs said in the organization's Avert Labs blog that she personally sees emails with outlandish claims as something to be deleted without further ado, especially if they include file attachments. "But for some reason this tactic is still proving successful," she wrote.
Danchev is correct to say most enterprises started blocking suspicious attachments at the gate a long time ago. That has certainly helped drive down to almost nothing the mass worm attacks that were common in the first half of this decade. But Myers also makes a valid point that a lot of people continue to fall for social engineering tactics that are more obvious to those of us with more security savvy.
When home users click on these malicious attachments, the bad guys take control of their PCs with bots and Trojans. Those machines can then be used to target enterprises with more sophisticated malware.

For that reason, IT professionals should take this Storm surge seriously, even if some of the media headlines appear hyperbolic.
Secunia reports an ActiveX flaw
Elsewhere, Danish vulnerability clearinghouse Secunia said in its Secunia blog that it has discovered a new ActiveX flaw that may affect audio and media applications from a variety of vendors.
"Secunia Research has discovered vulnerabilities in various audio and media applications caused due to an insecure ActiveX control," the blog said, adding that the vulnerable component, NCTAudioFile2.dll, was originally developed by NCT Company Ltd., now known as Online Media Technologies Ltd., and is known to be present in more than 70 products from 28 different software companies.
"This means that not only are certain NCTsoft products vulnerable, but most applications using the same component are vulnerable as well," Secunia said.
The problem is a boundary error in the NCTAudioFile2.AudioFile ActiveX control's handling of its "SetFormatLikeSample()" method: the argument is copied into a fixed-size buffer without its length being checked. "Passing an argument with length of about 4,124 bytes induces a stack-based buffer overflow, making it possible for the attacker to execute arbitrary code on the user's system," Secunia said.
The exploit could be housed on a malicious Web site that a user is tricked into visiting, Secunia said, adding that because the flaw involves an ActiveX component, successful exploitation requires that Internet Explorer be used to visit such a site.
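To show the bug class behind Secunia's description, here is a constructed C model (added here; not NCT's code, and the buffer size, function names and `probe_safe` helper are assumptions) of a method that copies a string argument into a fixed-size stack buffer, beside a hardened version that rejects anything the buffer cannot hold:

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the bug class Secunia describes (added illustration, not
 * NCT's code): a method copies a string argument into a fixed-size stack buffer.
 * The buffer size and the function names are assumptions. */
#define FORMAT_BUF_SIZE 256

/* Unsafe pattern: no length check, so an argument longer than the buffer
 * overwrites adjacent stack memory (the article's "boundary error").
 * Kept for contrast only; it must never receive untrusted input. */
int set_format_unsafe(const char *sample)
{
    char buf[FORMAT_BUF_SIZE];
    strcpy(buf, sample);   /* overflows once strlen(sample) >= FORMAT_BUF_SIZE */
    return (int)strlen(buf);
}

/* Hardened version: scan at most FORMAT_BUF_SIZE bytes for the terminator,
 * reject anything that does not fit, and only then copy.
 * Returns the accepted length or -1 on rejection. */
int set_format_safe(const char *sample)
{
    char buf[FORMAT_BUF_SIZE];
    if (sample == NULL)
        return -1;
    const char *nul = memchr(sample, '\0', FORMAT_BUF_SIZE); /* bounded, unlike strlen */
    if (nul == NULL)
        return -1;         /* no terminator inside the buffer bound: too long */
    size_t len = (size_t)(nul - sample);
    memcpy(buf, sample, len + 1);
    return (int)len;
}

/* Test helper: build an argument of `len` bytes of 'A' and pass it to the safe
 * method, so oversized inputs such as the ~4,124-byte case can be tried safely. */
int probe_safe(size_t len)
{
    static char arg[8192];
    if (len >= sizeof arg)
        return -2;         /* outside what this helper can construct */
    memset(arg, 'A', len);
    arg[len] = '\0';
    return set_format_safe(arg);
}

int main(void)
{
    printf("safe, short argument: %d\n", set_format_safe("pcm16"));
    printf("safe, 4124-byte argument: %d\n", probe_safe(4124));
    return 0;
}
```

The safe variant rejects the 4,124-byte argument outright instead of truncating it, which is the behaviour a patched control should exhibit.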
"While we are not aware of any publicly available exploit for this vulnerability, actually crafting one is pretty straight-forward," Secunia said. "So it's not too much to ask users to exercise caution when surfing the Internet, especially as IE6 automatically runs ActiveX controls."