Cisco Blogs


Cisco Blog > Security

Old and Persistent Malware

TRAC logo
Malware can find its way into the most unexpected of places. Certainly, no website can be assumed to be always completely free of malware. Typically, there are many ways that websites can be compromised to serve malware:

  • DNS record compromise – a user is redirected to a malicious site.
  • Malicious adverts – advertising services on the website include malicious adverts.
  • Server compromise – attackers gain access to the webserver and upload malware to the website.
  • Website management system compromise – attackers gain access to the management interface and upload malware to the website.
  • User error – a user includes malware on the website.

User error is the best reason to explain why Excel spreadsheets infected with the Laroux macro virus have been published on the China Securities Regulatory Commission website (csrc.gov.cn). The commission regulates China’s financial markets and provides an online law library on their website where visitors can download various files and texts. Two of the files available in the library contain the MSEXcel.Laroux virus.

hxxp://www.csrc.gov.cn/pub/zjhpublic/G00306202/201407/P020140704528725003322.xls
MD5 = eb3c6a3f231062d6beb0e62f181f6be6
SHA256 = 023c1070a2b42d6628f33dba1b3138edbde287ff121a6f25ee2da51f359d48c2

hxxp://www.csrc.gov.cn/pub/zjhpublic/G00306202/201407/P020140704528724842661.xls
MD5 = 822e59b1675137b585841946028bf484
SHA256 = e5a7460c063411f5a94bfab7f0e1c3edb3e48f4a372bca07651ca6c38c315e41

The Laroux virus writes an infected file within the Excel startup directory that alters subsequently opened Excel workbook files to infect them with the virus. Older viruses may still be circulating in the wild and can spread through incidents such as this.

We do not know how this piece of malware found its way to this official website. However, it is easy to imagine a scenario where a freelancer, who is not subject to corporate security policies, is contracted to create a file and upload it to a website. If the third party is not running adequate anti-virus protection and becomes infected, the malware can spread through files created by freelancer and onto the corporate website.

Organisations need to ensure that the third parties with whom they do business enforce adequate security protection so that security issues cannot spread between businesses in this way. Additionally, organisations should consider antivirus scanning their own websites to detect and remove malicious files before they affect visitors.

Even the most reputable and official websites can host malware. Although sophisticated targeted attacks tend to make the news, malware can find its way on to websites through simple user error. Organisations need to ensure that their users are protected from this kind of threat not only by considering the enforcement of an acceptable use policy limiting browsing to business related websites, but by scanning all web traffic for the presence of malware. Users browsing the Internet without adequate security protection will almost certainly be exposed to malware. With inadequate protection, malware can all too easily spread from your organisation to your suppliers and customers.

Protect Users Against These Types of Threats.

 Product   Protection 
WSA  Tick
CWS  Tick
Network Security  Tick
AMP  Tick
ESA

Scanning web activity to prevent the download of threats either in the cloud with CWS or with a WSA appliance is the easiest way of protecting users from these types of threats.

The Network Security protection of IPS and NGFW will detect and block attempts at downloading threats and stop threats spreading.

Advanced malware protection (AMP) will certainly detect and protect against such malware, but is not necessary to detect older unsophisticated threats such as these.

This particular threat is not spread by email, so ESA is not applicable in this case.

Emmanuel Tacheau contributed to this blog.

References.

Cisco Malicious Code Alert Laroux Virus

We have notified CSRC of the presence of the malware.

Tags: , , , , ,

Comments Are Closed