Zozzle (Microsoft’s Javascript-Malware Analysis Tool)

December 8, 2010
Zozzle in a sentence: Zozzle is a static web-page analyzer for detecting ‘Heap-Spray Exploits’. [Literal meaning] ‘a righteous observance of the law’. [3 things it is] + a product of Microsoft researchers’ hard work (by Benjamin Livshits and Benjamin Zorn of Microsoft Research, Christian Seifert of Microsoft and Charles Curtsinger of the University of [...]

Microsoft Help Center Zero-Day Exploits Loose

June 16, 2010

Heads-up for users still running Windows XP: The unpatched Help Center flaw revealed last week is now out in the wild and being used to launch malware attacks against target users.

This new zero-day exploit takes advantage of the vulnerability that exists in the Microsoft Windows Help Center, a default Microsoft application that allows users to access online documentation for Windows. This vulnerability could allow remote code execution if a user views a malicious website.

Based on the analysis of TrendLabsSM threat analyst Joseph Cepe, there are two ways in which a user can get infected as shown below.

The first method yields a prompt, which when clicked, redirects users to a compromised website that downloads a malicious JavaScript file. In this case, the compromised page is detected as TROJ_HCPEXP.A while the malicious script is detected as JS_HCPDL.A. This then downloads another file detected as TROJ_DROPPR.TEJ. This last malicious file drops multiple downloaders onto the affected system. In turn, these download a wide variety of malware onto affected systems (including, unsurprisingly, FAKEAV malware.)

The second method uses a stealthier approach wherein the malware performs the download automatically without prompting the user to click anything. It instead runs Windows Media Player and automatically downloads a malicious Advanced Stream Redirector (.ASX) file, simple.asx. This .ASX file contains a link that references another Web page. However, as of this writing, the URL it redirects to is inaccessible.

The disclosure of this vulnerability has been controversial to say the least. Microsoft learned about the flaw on June 5 from its discoverer, Tavis Ormandy. Ormandy released the full details to the public on the Exploits Database site five days later. Microsoft was not particularly happy with Ormandy, as its blog post confirming the vulnerability makes clear. Despite the fact that Ormandy works for Google, it should be noted that he was doing this as a personal project and not as a Google employee.

However one feels about Ormandy’s disclosure, the fact is that the vulnerability is out in the wild for cybercriminals to exploit and causing damage.

Microsoft updated its advisory earlier today saying that it is aware of the “limited, targeted active attacks that use the exploit” and is actively monitoring the situation. Microsoft also added via its Security Response team’s Twitter account that Server 2003 users are currently not at risk based on the attacks seen so far. (It would be a mistake, however, for Server 2003 users to assume that will always be the case.) It is not clear whether an out-of-band patch is forthcoming, although that cannot be ruled out.

Until a patch does arrive, however, users are left to apply workarounds for the issue. “The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution,” Cepe advises. Microsoft has provided an online tool to help users do this.
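The workaround quoted above is to unregister the hcp:// protocol handler. The PowerShell below is an added example (not code from the TrendLabs post or from Microsoft’s tool) that lets an administrator audit whether the handler is still registered and, with a registry backup taken first, remove it. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP and that the removal step runs from an elevated session; the `-WhatIf` call at the end only reports what would be removed.

```powershell
# Added example (not from the TrendLabs post): audit the hcp:// protocol handler
# and, if required, apply the unregister workaround the post describes.
# Assumptions: the handler lives under HKEY_CLASSES_ROOT\HCP, and removal runs
# from an elevated (administrator) PowerShell session.

function Get-HcpHandlerStatus {
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }
    # shell\open\command holds the program launched for hcp:// URLs
    $cmd = (Get-ItemProperty -Path "$key\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Registered = $true; Command = $cmd }
}

function Disable-HcpHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path $key)) {
        Write-Verbose 'hcp:// handler is already unregistered'
        return
    }
    # Export a backup first so the handler can be restored once the patch ships
    $backup = Join-Path $env:TEMP 'HCP-handler-backup.reg'
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $backup /y | Out-Null
    if ($PSCmdlet.ShouldProcess($key, 'Remove hcp:// protocol handler key')) {
        Remove-Item -Path $key -Recurse -Force
    }
}

Get-HcpHandlerStatus
Disable-HcpHandler -WhatIf   # drop -WhatIf to actually apply the workaround
```

Run `Get-HcpHandlerStatus` across a fleet to find hosts where the handler is still registered; a `Registered = $false` result means the attack chain the post describes cannot start from an hcp:// link on that host.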

Additional text by Jonathan Leopando. Thanks to Ivan Macalintal for giving the heads-up on the exploit.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Help Center Zero-Day Exploits Loose


Patch Now: 10 Updates for June Patch Tuesday

June 9, 2010

After a relatively quiet May with only two security bulletins, Microsoft comes out with 10 security bulletins in June’s Patch Tuesday release. Three of these were rated “critical,” which means these vulnerabilities could be exploited without the user having to take any action beyond visiting a malicious site. These bulletins cover a total of 34 different vulnerabilities.

Of the 10 security bulletins, seven cover flaws either in Windows itself or in Internet Explorer (IE) while the remaining three fix problems in Microsoft Office. Careful observers will also note that two high-profile vulnerabilities—one in SharePoint and another in IE found at the Black Hat Conference—will both be fixed today. (While the latter was not officially classified as “critical” by Microsoft, it could still be used by would-be attackers to read every file on an affected system.)

Home users should go ahead and run Windows Update from within their systems to download and apply the needed patches as soon as possible. Enterprise users should keep in mind that two of the bulletins note that the relevant patches will require a system restart.

Until then, users equipped with Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in are protected so long as they have updated to the latest rules.

Update as of June 8, 2010, 8:30 p.m. (GMT -8:00)

Microsoft wasn’t alone in fixing security holes this week. The new version of Apple’s Safari browser, Safari 5, also fixes numerous security flaws in the browser, many of which could also be used to execute random code. Windows users, as well as those with Leopard and Snow Leopard, will have to upgrade to Safari 5 to plug these holes. Tiger users can upgrade to Safari 4.1, which is Tiger-only.

Mac Sniffer Monitors IM Chats and RTMP Data Packets

June 4, 2010

TrendLabsSM engineers Alvin Bacani and Jayson Pryde recently analyzed a new spyware (detected by Trend Micro as OSX_OPINIONSPY.A) that came bundled with screensavers, according to Intego, in sites that host free applications and software updates like MacUpdate, Softpedia, and VersionTracker.

Interestingly, the same spyware was also found in the Apple Downloads site. Users browsing the legitimate site might have been exposed to this threat unknowingly. However, Apple’s swift takedown minimized the exposure time and prevented the continued spread of the said spyware.

The said screensavers were found to be nonmalicious but did download information-stealing spyware, which robbed users of their email addresses, iChat message headers and URLs, as well as other personal data like user names, passwords, credit card numbers, and Web browser bookmarks and histories. Once installed, the spyware connects to a certain site to send the data (e.g., campaign ID, OS version, OS type) it gathers from affected systems.

What makes OSX_OPINIONSPY.A more interesting, however, is its monitoring routine. It connects to a URL to download an upgraded copy of itself—another spyware that sniffs instant-messaging (IM) applications (i.e., AIM, GoogleTalk, MSN Messenger, and Yahoo! Messenger) as well as Real-Time Messaging Protocol (RTMP) data packets. This allows cybercriminals to acquire user names and passwords from both IM and RTMP streams. Sniffing packets from these applications may also expose information sent and received during conversations.

Based on our analysis, the spyware not only targets Macs but also affects Windows-based systems (detected as SPYW_RELEKNOW). The threat may also come in the form of another application and not just a screensaver. Threat Research Manager Ivan Macalintal describes the code used in this attack as “very persistent and sneaky,” as it is possible for the spyware infection to go unnoticed. “This is just another example that debunks the legend that MAC is secure and is malware-free. We will see more and more of cyber-criminals attacking the MAC platform as more and more people are converting from Windows to MAC,” Macalintal further adds.

TrendLabs has reported several other instances when Mac malware was distributed in the same manner—posing as legitimate applications—in the following entries:

Users, regardless of OS, can stay protected from this threat via the Trend Micro™ Smart Protection Network™. Trend Micro products prevent access to sites where the malicious files are hosted via the Web reputation service. They also prevent the download and execution of the malicious files—OSX_OPINIONSPY.A and SPYW_RELEKNOW—on user systems via the file reputation service.

Update as of June 6, 2010, 9:16 p.m. (GMT -8:00)

OSX_OPINIONSPY.A includes the ability to download updated copies of itself, and the cybercriminals behind this attack are now using that feature. These variants are now being detected as OSX_OPNIONSPY.SM.

Windows WMI Abused for Malware Operations

May 27, 2010

TrendLabsSM recently handled a client case last March wherein two peculiar malware leveraged a Windows service—Windows Management Instrumentation (WMI)—to execute their malicious routines.

WMI lets users access and retrieve information about their OSs. It is particularly useful for administrators, especially in enterprise environments, as it manages applications found on systems connected to a network using any one of various coding languages. It can be considered a database that contains information on anything and everything related to a system’s OS and its users.

As WMI holds such a large body of data, cybercriminals find it a very attractive target for their malicious creations. They can, for instance, introduce specialized scripts (pragmas) to the service to make affected systems do their bidding, such as:

  • Mine sensitive information that can only be accessed by the said service
  • Elevate a malicious user’s system privilege to spy on and probe the affected system and other systems connected to the same network
  • Embed malicious scripts into target services

In this particular attack, TROJ_WMIGHOST.A, a WMI script, arrives on a system bundled with BKDR_HTTBOT.EA, a DLL malware. The malicious script opens two Internet browser windows. The first window allows BKDR_HTTBOT.EA to execute via ActiveX content. The second window allows the backdoor to post Office files (e.g., Word, PowerPoint, or Excel) to a remote site and to execute other malicious scripts from the Ghost IP. These backdoor routines put users at risk of losing pertinent data.

This is, however, not the first time WMI has been used for malicious purposes. At “Kiwicon 2008,” a security consultant introduced “The Moth,” a proof-of-concept (POC) Trojan that uses the service to deploy malicious code capable of performing the following routines:

  • Dropping and executing other potentially malicious files onto the host system or onto removable drives
  • Hiding malicious code
  • Relaunching an existing rootkit after having been found and removed

Users need not worry, however, about being victimized by such an attack, as downloading this tool rids affected systems of TROJ_WMIGHOST.A. Trend Micro products, via the Smart Protection Network™, also rid affected systems of BKDR_HTTBOT.EA.
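The post describes WMI-resident scripts (TROJ_WMIGHOST.A and The Moth) but not how they are registered. The PowerShell below is an added example, not code from the post or from Trend Micro, that audits the WMI mechanism a defender would check first: permanent event subscriptions in the root\subscription namespace, which let a script or command line run whenever a WMI event fires, with nothing on disk. The assumption that the malware in question uses this mechanism is mine; the audit is useful regardless, because any ActiveScriptEventConsumer or CommandLineEventConsumer binding on a workstation deserves a look.

```powershell
# Added example (not from the TrendLabs post): list WMI permanent event
# subscriptions and flag those whose consumer runs script or a command line.
# Assumption: the post does not say how TROJ_WMIGHOST.A is registered; this
# audits root\subscription, the namespace permanent subscriptions live in.
# Uses Get-WmiObject so __RELPATH is available for matching bindings.

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding.Filter / Binding.Consumer are relative paths such as
        # __EventFilter.Name="x", which match the referenced object's __RELPATH
        $f = $filters   | Where-Object { $_.__RELPATH -eq $b.Filter }
        $c = $consumers | Where-Object { $_.__RELPATH -eq $b.Consumer }

        $consumerClass = if ($c) { $c.__CLASS } else { '<missing consumer>' }
        # Script consumers run VBScript/JScript inside the WMI provider host;
        # command-line consumers spawn an arbitrary process
        $isScript = $consumerClass -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'
        $payload  = if ($c -and $c.ScriptText) { $c.ScriptText }
                    elseif ($c -and $c.CommandLineTemplate) { $c.CommandLineTemplate }
                    else { $null }

        [pscustomobject]@{
            FilterName   = if ($f) { $f.Name }  else { '<missing filter>' }
            Query        = if ($f) { $f.Query } else { $null }
            ConsumerType = $consumerClass
            Payload      = $payload
            Suspicious   = $isScript
        }
    }
}

# Review every binding; script/command-line consumers on a workstation are rare
Get-WmiPersistence | Format-List

# Remove a confirmed-malicious binding and its filter/consumer with, for example:
#   Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#       Where-Object { $_.Filter -like '*Name="<FilterName>"*' } | Remove-WmiObject
```

Removing only the binding stops the consumer from firing; the orphaned filter and consumer objects should then be removed the same way so the entry is not silently rebound later. Legitimate software (some management agents and SCCM components) does register subscriptions, so compare findings against a known-good baseline before cleaning up.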

Microsoft and Adobe Release Fixes in May Patch Tuesday

May 12, 2010

Microsoft released two critical security advisories as part of its May Patch Tuesday. Following the advance notification it released last Thursday, Microsoft has addressed the vulnerabilities with this batch of patches.

MS10-030 deals with a privately reported vulnerability plaguing Outlook Express, Windows Mail, and Windows Live Mail, which can allow remote code execution if a user connects to a malicious email server. An exploit targeting this vulnerability has already been reported; details can be found on this page. This site also describes possible attack scenarios for the said vulnerability.

MS10-031, on the other hand, resolves a vulnerability in the Microsoft Visual Basic for Applications runtime.

Users are thus strongly advised to update their systems as soon as possible, as these vulnerabilities can be used by cybercriminals to create worms and to instigate drive-by download malware attacks on their systems.

Adobe also released fixes for Shockwave Player and vulnerable ColdFusion servers. The former is the more widespread of the two, with 18 separate vulnerabilities (most of which are “critical”). Though the vulnerabilities in the latter were not as critical, they have been noted to lead to cross-site scripting (XSS) and information disclosure. Users can download the latest Shockwave Player version from the Adobe Shockwave Player installation site, while ColdFusion customers can find updates on this Adobe security bulletin page.

Everyone is vulnerable to threats lurking in the Web today. As such, users are strongly encouraged to apply the said patches immediately.

Trend Micro Deep Security and OfficeScan, through the Intrusion Defense Firewall (IDF) plug-in, already protect enterprise users against these vulnerabilities if their systems are updated with the latest Deep Packet Inspection (DPI) and IDF rules, respectively, which were released yesterday (May 11).

Microsoft Released Early Notice for May Patch Tuesday

May 10, 2010

Coming May 11, Tuesday, Microsoft will be releasing its monthly patch updates, and last Thursday the company released an advance notification for the updates on its Microsoft TechNet site. Note that these advance notifications aim to allow Microsoft users to make deployment plans ahead of time. They commonly contain a summary of the security updates or patches, the software they affect, and the severity levels of the covered vulnerabilities for a particular month.

For the month of May, Microsoft informed its users that two security bulletins, with the maximum severity rating of Critical, will be released. Such a rating means that, once exploited, the vulnerabilities covered in the bulletins could enable the propagation of malware over the Internet without user involvement. Since Microsoft issues proper bulletin identifiers (in the familiar MSyy-xxx format) only with the Patch Tuesday release itself, let us simply call the bulletins Bulletin 1 and Bulletin 2.

Bulletin 1 affects the following Microsoft Windows operating systems:

  • Windows 2000
  • Windows XP
  • Windows Server 2003
  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2

On the other hand, Bulletin 2 affects Microsoft Office Suites and Microsoft Visual Basic for Applications.

Note, however, that the recently released advisory regarding a Microsoft SharePoint vulnerability will not be covered in the Tuesday release. Despite this, Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect business users against this particular vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule numbers 1000552 and 1004130. Note that the former rule was initially released in July 2006 and has been updated continuously since then, while the latter was set to be released on May 11.

Adobe and Microsoft Simultaneously Release Patches

April 13, 2010

Regular Release for Microsoft This April

April 13 is here and for Windows users, this means it is Patch Tuesday. According to the advance notification from Microsoft almost a week ago, the company will be releasing 11 bulletins to address 25 vulnerabilities, 11 of which have been dubbed “critical.” These vulnerabilities were found in Microsoft Office and Windows. Affected users could be exposed to remote code execution attacks if they leave their software unpatched.

Included in this Patch Tuesday release are patches for the following notable vulnerabilities:

Trend Micro has documented these vulnerabilities in the following respective posts:

Adobe Automates Updates

The same day Microsoft’s patches are released, Adobe will also issue a patch that addresses several high-risk vulnerabilities found in Adobe Reader and Acrobat. The patch will be deployed without the user having to download and install it manually. Adobe will release the patch alongside an automatic (silent) updater, which the company hopes will make downloading and patch deployment a breeze. The said updater can be used by Adobe Reader and Acrobat 9.3.2 and 8.2.2 users on both Windows and Mac OS X.

Windows users of the said software and versions can activate the silent updater by visiting the Preferences setting under the Updater category and choosing option 2: “Automatically download updates, but let me choose to install them.”

In 2009, ZDNet released an article about silent patching being the best solution to securing users’ Internet browsers. Please refer here for the complete article.

To Be Silent or Not to Be Silent

Security specialists, on the other hand, are not keen on advising silent patching as the best practice to adhere to for enterprise users. The need to have a scheduled patch release, for them, is still a must. “Patching in enterprises is a serious issue. Auto updates are generally not used by administrators because patching can make systems unstable, cause software to have compatibility and performance issues, and the like. They like to test updates first then patch systems in a phased manner,” says Trend Micro researcher Rajiv Motwani.

This is not to say that there are no positive points on silent updating. In fact, there are several. By simply letting the software quietly update itself once patches are available, users will not be disrupted from their work to do something they consider as tedious and time-consuming. Furthermore, auto updating also helps ensure that most users are secure at any time.

However, Motwani stresses that there is a downside to it. He explains, “If a flaw is discovered in patching mechanisms and a malicious patch is somehow issued, more customers will be affected. An example was the recent bug in Adobe Download Manager (ADM) wherein any user having ADM could be forced to install software from Adobe’s website because of a design flaw.” More on the story on ADM here.

A security specialist commented that it is imperative that software companies disclose information regarding security holes found in their software for the sake of their customers.

“I hope Adobe continues to release security notifications/advisories so that administrators who do not use auto updates can properly prioritize patches. Also, they should continue to disclose the CVEs of all vulnerabilities being patched and none should be silently patched,” Motwani concluded.

Update as of April 14, 2010, 5:13 a.m. (GMT +8:00):

Microsoft released the security update that resolves the 25 reported vulnerabilities. Users are advised to download the updates in this security bulletin.

Update as of April 28, 2010 3:00 p.m. [GMT+8:00]:

Microsoft has re-released MS10-025 to address a specific vulnerability found only on systems running Windows 2000 in a non-default configuration with Windows Media Services. This bulletin addresses a flaw allowing remote code execution once an attacker sends a specially crafted transport information packet. Microsoft advised users with the said configuration to install the re-released update.

Apple Fixes 88 Bugs as MS Prepares Out-of-Band Patch

March 30, 2010

Apple Fixes Several Bugs

Releasing one of its biggest Mac OS X security updates, Apple fixes 88 vulnerabilities with Security Update 2010-002 / Mac OS X v10.6.3. The update addresses critical issues that can lead to arbitrary code execution, information disclosure, and denial-of-service (DoS) attacks.

One of the critical fixes included is the solution for the AppKit issue, which can lead to unexpected application termination or arbitrary code execution when spell-checking maliciously crafted documents. The update likewise includes fixes for several critical ImageIO and QuickTime bugs. Mac OS X users are thus advised to download and install the security update immediately.

Microsoft Releases an Out-of-Band Patch

Microsoft, for its part, recognizes the immediate need to provide a solution for CVE-2010-0806 and has announced the impending release of an out-of-band patch via Security Bulletin MS10-018. The said release will primarily solve the issues surrounding the zero-day Internet Explorer (IE) vulnerability affecting IE 6 and 7.

Since it first became public, cybercriminals have exploited the zero-day vulnerability. These exploits have led to malware detections, including several malicious JavaScript files (JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_COSMU.A, and JS_SHELLCODE.YY). The final payloads are TSPY_GAMETI.WOW and TROJ_GAMETHI.FNZ, both of which lead to game-related information theft.

The advance notification also stated that the out-of-band patch will be a cumulative update for IE. Apart from the critical zero-day patch, the update will likewise address nine other vulnerabilities, some of which also affect IE 8.

The patch is slated for release on March 30, 2010 at approximately 10:00 a.m. PDT (UTC-8). The primary workaround for CVE-2010-0806 is to upgrade to IE 8, which remains unaffected by this particular zero-day vulnerability. However, the best practice is still applying the out-of-band patch as soon as it is released.

Trend Micro Solutions for Windows and Mac Users

Trend Micro Deep Security™ and OfficeScan™ continue to protect business users from this particular IE zero-day exploit via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

Trend Micro™ Smart Protection Network™ likewise protects product users from this threat by preventing users from accessing sites hosting JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_SHELLCODE.YY, and JS_COSMU.A. It also prevents the download and execution of malicious files such as TROJ_INJECT.JDT, TROJ_SASFIS.VR, TROJ_DLOADR.VR, TSPY_GAMETI.WOW, TROJ_DROPPR.FNZ, and TROJ_GAMETHI.FNZ via the file reputation service.

Update as of March 31, 2010, 11:30 A.M. (GMT +8)

Microsoft released the security update, which resolves nine reported vulnerabilities and one unreported vulnerability in Internet Explorer. The update also addresses the CVE-2010-0806 vulnerability. Affected users are advised to download the updates in this security bulletin.
