The Statement of Fees malspam campaign continues today with additional messages containing new Trojans. This round is distributing the W32/Autorun.AFC.worm malware which connects and downloads a file called lspr.exe.
I have been writing now for eleven months in the Information Security Systems Association Journal (ISSA). These articles have been primarly focused along the lines of sharing information concerning the emerging threat-landscape and what we are seeing from a Panda Security perspective. Therefore; I thought I would share a little history with you by making these articles available for download.
Thoughts or comments?
Behavioral blocking (a.k.a kernel rules / system rules) can provide the first layer of defense against emerging threats exploiting 0-day vulnerabilities. Exploits commonly take advantage of mistakes made by programmers and thus good applications can turn bad in an instant.
Malformed documents have accounted for a good number of these attacks (PDF, MDB, DOC, etc) recently. Take for example the new vulnerability discovered in Microsoft Access reported by Ismael Briones from PandaLabs (http://pandalabs.pandasecurity.com/archive/New-MS-Access-exploit.aspx).
All in all a bit of clever social engineering can result in successful exploitation, thus, resulting in confidential information being stolen from a user’s system.
An effective use of behavioral blocking can mitigate the risks of a 0-day threat. This works by monitoring the behavior of applications and applying such rules as: “Adobe Acrobat shouldn’t spawn a command shell“, or “Internet Explorer should not inject threads into other processes.”
This way one can proactively block new exploits (including the one for MS Access) without the actual need to analyze the threat and produce detection for it. However; it is still crucial that other protection layers exist (behavioral analysis, system hardening, IPS firewall, etc) as behavioral blocking alone is not 100%.