Cross-platform virus spreading as Microsoft expands MAPP program

As security vendors report a nasty new modification to an old virus, one that lets it infect both 32-bit and 64-bit executables, Microsoft beefs up and expands its MAPP program.

ESET Research warned that an old virus, dubbed Expiro, has learned new cross-platform infection tricks. "Cross-platform" here means across binary architectures, not operating systems: the variant is "able to infect 32-bit and 64-bit files (also, 64-bit files can be infected by an infected 32-bit file)," making "the range of potential victims almost universal," so a hunt scoped to one architecture will miss part of the infection. Expiro, sometimes also called Xpiro, aims to:

maximize profit and infects executable files on local, removable and network drives. As for the payload, this malware installs extensions for the Google Chrome and Mozilla Firefox browsers. The malware also steals stored certificates and passwords from Internet Explorer, Microsoft Outlook, and from the FTP client FileZilla. Browser extensions are used to redirect the user to a malicious URL, as well as to hijack confidential information, such as account credentials or information about online banking. The virus disables some services on the compromised computer, including Windows Defender and Security Center (Windows Security Center), and can also terminate processes.

The Firefox extension is hidden, but on Chrome it's named "Google Chrome 1.0," which allows it to pass as a clean extension, explained Symantec. Trend Micro, which first spotted the variant in the wild, said, "70% of total infections are within the United States. It is possible that this attack was intended to steal information from organizations or to compromise websites, as the specific targeting of FTP credentials suggests either was possible. The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools."
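The indicators in the vendor descriptions above (a Chrome extension named "Google Chrome 1.0", Windows Defender and Security Center stopped, and infected executables of either bitness) translate directly into a host triage check. The script below is an added example and is not code from the article or from ESET, Symantec or Trend Micro. The service short names WinDefend and wscsvc, the Chrome extension directory layout, and the sample manifests, `sc query` output and PE header stubs are assumptions constructed for the demonstration; run `load_manifests` against a real profile and feed real `sc query` output to use it on a host.

```python
import json
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Indicator from the article: the Expiro Chrome extension calls itself "Google Chrome 1.0".
SUSPICIOUS_EXTENSION_NAMES = {"google chrome 1.0"}
# The article says the virus disables Windows Defender and Security Center.
# These short service names are the standard Windows ones (assumption, not from the page).
EXPECTED_SERVICES = {"WinDefend": "RUNNING", "wscsvc": "RUNNING"}


def load_manifests(extensions_dir: Path) -> Dict[str, dict]:
    """Read <extensions_dir>/<id>/<version>/manifest.json for every installed extension.

    Assumed layout: %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions.
    """
    found = {}
    for manifest in extensions_dir.glob("*/*/manifest.json"):
        try:
            found[manifest.parent.parent.name] = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
    return found


def extension_findings(manifests: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Flag extensions by manifest name: exact indicator match, or a browser-impersonating name."""
    hits = []
    for ext_id, manifest in sorted(manifests.items()):
        name = str(manifest.get("name", "")).strip()
        if name.lower() in SUSPICIOUS_EXTENSION_NAMES:
            hits.append((ext_id, "name matches article indicator"))
        elif re.fullmatch(r"(?i)google chrome[\s\d.]*", name):
            hits.append((ext_id, "name impersonates the browser (heuristic)"))
    return hits


def parse_sc_query(text: str) -> Dict[str, str]:
    """Map service short name -> STATE word from `sc query` output (e.g. RUNNING, STOPPED)."""
    states: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and current:
            # "STATE              : 4  RUNNING" -> "RUNNING"
            states[current] = line.split(":", 1)[1].split()[-1]
    return states


def service_findings(states: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (service, observed state) for every expected service that is not in its expected state."""
    return [(svc, states.get(svc, "MISSING"))
            for svc, want in EXPECTED_SERVICES.items() if states.get(svc) != want]


def pe_machine(data: bytes) -> str:
    """Classify a PE file as x86 or x64 from the COFF Machine field, so a sweep covers both."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    off = int.from_bytes(data[0x3C:0x40], "little")      # e_lfanew
    if off + 6 > len(data) or data[off:off + 4] != b"PE\0\0":
        return "not-pe"
    machine = int.from_bytes(data[off + 4:off + 6], "little")
    return {0x14C: "x86", 0x8664: "x64"}.get(machine, f"other-0x{machine:x}")


def _fake_pe(machine: int) -> bytes:
    """Constructed minimal DOS+PE header stub for testing; not a real executable."""
    hdr = bytearray(b"MZ" + b"\0" * 62)                # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> PE signature at 0x40
    hdr += b"PE\0\0" + machine.to_bytes(2, "little") + b"\0" * 18
    return bytes(hdr)


# Constructed sample input: two benign-looking extensions and one using the article's name.
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {"name": "Google Chrome 1.0", "version": "1.0",
                                         "permissions": ["tabs", "<all_urls>"]},
    "bbbbccccddddeeeeffffgggghhhhiiii": {"name": "uBlock Origin", "version": "1.0"},
    "ccccddddeeeeffffgggghhhhiiiijjjj": {"name": "Google Chrome 2.1", "version": "2.1"},
}

# Constructed `sc query` excerpt: Defender stopped, Security Center still running.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""

if __name__ == "__main__":
    for ext_id, why in extension_findings(SAMPLE_MANIFESTS):
        print(f"extension {ext_id}: {why}")
    for svc, state in service_findings(parse_sc_query(SAMPLE_SC_OUTPUT)):
        print(f"service {svc}: {state} (expected {EXPECTED_SERVICES[svc]})")
    for label, blob in (("x86 stub", _fake_pe(0x14C)), ("x64 stub", _fake_pe(0x8664))):
        print(f"{label}: {pe_machine(blob)}")
```

The name check is only an indicator, not proof: an attacker can rename the extension, so treat a hit as a reason to pull the extension's JavaScript and check for the redirect and credential-capture behaviour the vendors describe. The service check is the cheaper signal, since a Windows Defender service that is stopped without an administrator having done it is worth a look regardless of which malware family caused it.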

Microsoft expands MAPP program

The threat landscape continues to evolve, so Microsoft announced changes to its Microsoft Active Protections Program (MAPP), which had remained largely unchanged since it began in 2008, when "Update Tuesday, exploit Wednesday" was a common phrase.

Previously, anti-malware, antivirus and intrusion detection system vendors were given access to the patch data 24 hours before release, which gave them time to build, test and deploy signatures. That program has been renamed MAPP for Security Vendors, and MAPP as a whole has been expanded to include MAPP for Responders and MAPP Scanner.

MAPP for Security Vendors

Microsoft's Trustworthy Computing group manager Dustin Childs wrote that "trusted" MAPP for Security Vendors partners will receive the patch data three business days before Patch Tuesday "to help them create better quality solutions for our common customers." On the BlueHat blog, Senior Security Strategist Jerry Bryant added that the stringent criteria to be considered "trusted" includes those with a "two-year track record of completing the reporting requirements of the program," as well as those that "demonstrated willingness to partner back with us as they find new issues in the wild that we need to respond to quickly."

This program will also include MAPP Validate, so that members of the MAPP community can review Microsoft's detection guidance and give feedback on it before it is shared with the rest of the MAPP community.

MAPP for Responders

The new MAPP for Responders program will give incident responders (IR), such as CERTs, enterprises, government entities, and private IR organizations, a way to exchange threat information. Regarding the new MAPP for Responders program, Childs wrote:

MAPP for Responders is a new way to share technical information and threat indicators to organizations focused on incident response and intrusion prevention. Getting this information into the hands of those closest to the events can be invaluable in detecting and disrupting attacks. Many attackers share information amongst themselves, and defenders should share knowledge to help prevent and contain issues as they occur. MAPP for Responders will work to build a community for information exchange to counter the activities of those who wish to do harm.

MAPP Scanner

Lastly, Microsoft added a closed pilot program called MAPP Scanner -- "a cloud-based service that can be used to scan Office documents, PDF files, Flash movies, and suspect URLs, to determine if they are attempting to exploit a vulnerability." Bryant wrote, "Making this technology available to partners who are likely to be subjected to targeted attacks and those who work with them to investigate and remediate security incidents increases the likelihood of new attacks and attack vectors being discovered."

MAPP Scanner performs both static and active analysis to decide whether a file is trying to exploit a vulnerability. For the active part it spins up virtual machines for every supported version of Windows and opens the content in the supported versions of the appropriate application, so an exploit that only fires on one platform or application build still gets a chance to trigger. When it recognises a known vulnerability it returns the CVEs and affected platforms; suspicious behaviour that does not map to a known vulnerability is flagged for deeper analysis. The claim is that this makes MAPP Scanner effective at surfacing previously unknown vulnerabilities while making responders' investigations faster. The usual caveat for any detonation service applies: it only observes what actually executes in those VM configurations, so a sample that checks for a specific target environment before exploiting may show nothing.

Childs added, "These new programs, along with the bounty programs we launched last month, are part of a broader end-to-end strategy to help protect customers. The goal is to eliminate entire classes of attacks by working closely with partners to build up defenses, making it increasingly difficult to target Microsoft's platform."

As of July 17, Microsoft's three-part bug bounty program had received 19 submissions.

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.
