Months-Old Skype Vulnerability Exploited in the Wild
June 17, 2010
Cybercriminals have once again turned to an old but still effective vector for their malware campaigns. Earlier today, ZDNet reported a "new" exploit targeting Skype users. The exploit abuses a vulnerability in a Skype component, the EasyBits Extras Manager. Although the flaw was found and fixed as early as October 2009, many users are still running older, vulnerable versions.
The vulnerability is being used to download malicious files, among them a ZBOT variant, TROJ_ZBOT.COC. As is typical of ZBOT variants, it steals personal information, particularly online banking credentials.
Trend Micro already detected these payloads months before cybercriminals began using the Skype vulnerability described above to deploy them.
Over the years, Skype has been targeted and used as an infection vector by several malware families, including STRAT, KOOBFACE, and, more recently, PALEVO, due to its growing user base.
Skype currently has more than 500 million registered users and is still adding 300,000 per day. Skype CEO Josh Silverman aims to have about 100 million PCs shipped with the VoIP software preloaded in 2011. This January, TeleGeography reported that Skype's traffic grew sharply over the past year while international phone traffic declined, indicating that more and more users prefer Skype for international voice calls.
Unfortunately, Skype vulnerabilities have been found and exploited in the past:
- New Skype Vulnerabilities
- Skype Releases Security Bulletin to Address CrossZone Scripting Vulnerability
- SkypeFind Still Flawed!
This attack highlights how important it is to keep applications updated. Many popular applications now have auto-update capabilities; users should enable them so that all commonly used applications, particularly those that run at system startup, are kept current.
On a similar note, the popularity of Skype is also now being used in spam campaigns. Trend Micro engineers received the following spam message targeting Skype users:
As expected, the link in the message does not lead to a legitimate Skype page; the site it points to is currently down.
All threats discussed in this post are already covered by Trend Micro products.
Additional text by Jonathan Leopando, Merianne Polintan and Threat Research Manager Ivan Macalintal. Thanks Ivan for the heads-up!
Post from: TrendLabs | Malware Blog - by Trend Micro
Microsoft Help Center Zero-Day Exploits Loose
June 16, 2010
Heads-up for users still running Windows XP: the unpatched Help Center flaw disclosed last week is now being exploited in the wild to deliver malware.
This zero-day exploit takes advantage of a vulnerability in the Microsoft Windows Help Center, a component that ships with Windows and lets users access Help documentation. The vulnerability can allow remote code execution if a user views a malicious web page.
Based on the analysis of TrendLabs threat analyst Joseph Cepe, there are two infection paths.
The first method shows the user a prompt; clicking it redirects to a compromised website that downloads a malicious JavaScript file. In this case the compromised page is detected as TROJ_HCPEXP.A and the malicious script as JS_HCPDL.A. The script then downloads another file, detected as TROJ_DROPPR.TEJ, which drops multiple downloaders onto the affected system. These in turn fetch a wide variety of malware (including, unsurprisingly, FAKEAV).
The second method is stealthier: no user interaction is required. The exploit launches Windows Media Player, which downloads a malicious Advanced Stream Redirector (.ASX) file, simple.asx. The .ASX file contains a link to another web page; as of this writing, that URL is inaccessible.
The disclosure of this vulnerability has been controversial, to say the least. Microsoft learned about the flaw on June 5 from its discoverer, Tavis Ormandy. Ormandy released full details to the public on the Exploits Database site five days later. Microsoft was not pleased with Ormandy, as its blog post confirming the vulnerability makes clear. Although Ormandy works for Google, he did this research as a personal project, not in his capacity as a Google employee.
However one feels about Ormandy's disclosure, the fact is that the exploit details are public, cybercriminals are using them, and damage is being done.
Microsoft updated its advisory earlier today to say that it is aware of "limited, targeted active attacks that use the exploit" and is monitoring the situation. Microsoft also stated via its Security Response team's Twitter account that Server 2003 users are not at risk from the attacks seen so far. (It would be a mistake, however, for Server 2003 users to assume that will always be the case.) It is not clear whether an out-of-band patch is forthcoming, although that cannot be ruled out.
Until a patch does arrive, however, users are left to apply workarounds for the issue. “The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution,” Cepe advises. Microsoft has provided an online tool to help users do this.
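One way to apply Cepe's workaround and undo it later, as an added PowerShell example that is not part of the original post and is not Microsoft's online tool: it assumes the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP (the key Microsoft's workaround targets; confirm against the advisory for your system), exports that key before deleting it, and verifies the result so the handler can be restored once the patch ships.

```powershell
# Added example, not from the TrendLabs post or Microsoft's Fix it tool.
# Assumption: the hcp:// protocol handler is registered under HKEY_CLASSES_ROOT\HCP.
# Run from an elevated PowerShell prompt on the affected Windows XP system.

$hcpKey    = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backupDir = Join-Path $env:USERPROFILE 'hcp-backup'
$backupReg = Join-Path $backupDir 'HCP.reg'

function Test-HcpHandler {
    # $true while the hcp:// handler is still registered, $false once it is gone.
    return (Test-Path -Path $hcpKey)
}

function Disable-HcpHandler {
    if (-not (Test-HcpHandler)) {
        Write-Host 'hcp:// handler is not registered; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    # Export the key first so the handler can be re-registered after patching.
    # (XP's reg.exe has no /y switch, so clear any stale backup by hand.)
    Remove-Item -Path $backupReg -ErrorAction SilentlyContinue
    & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $backupReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export of HKCR\HCP failed; leaving the key in place." }
    Remove-Item -Path $hcpKey -Recurse -Force
    Write-Host "hcp:// handler unregistered; backup written to $backupReg"
}

function Restore-HcpHandler {
    # Re-register the handler from the backup once the Microsoft patch is installed.
    if (-not (Test-Path -Path $backupReg)) { throw "No backup found at $backupReg" }
    & reg.exe import $backupReg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $backupReg failed." }
}

Disable-HcpHandler
if (Test-HcpHandler) {
    Write-Warning 'hcp:// handler is still registered; the workaround did not apply.'
} else {
    Write-Host 'Verified: hcp:// links will no longer be handled by Help Center.'
}
```

Deleting the key breaks every hcp:// link in Windows XP's own Help and Support Center until it is restored, so keep the exported .reg file and run Restore-HcpHandler after the patch is installed.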
Additional text by Jonathan Leopando. Thanks to Ivan Macalintal for giving the heads-up on the exploit.
Patch Now: 10 Updates for June Patch Tuesday
June 9, 2010
After a relatively quiet May with only two security bulletins, Microsoft has released 10 bulletins for June's Patch Tuesday. Three are rated "critical," Microsoft's highest severity, meaning the vulnerabilities could be exploited with no user action beyond visiting a malicious site. The bulletins cover a total of 34 vulnerabilities.
Of the 10 bulletins, seven cover flaws in Windows itself or in Internet Explorer (IE), while the remaining three fix problems in Microsoft Office. Careful observers will note that two high-profile vulnerabilities, one in SharePoint and one in IE that was presented at the Black Hat conference, are both fixed today. (Although Microsoft did not classify the IE flaw as "critical," it could still be used by attackers to read arbitrary files on an affected system.)
Home users should go ahead and run Windows Update from within their systems to download and apply the needed patches as soon as possible. Enterprise users should keep in mind that two of the bulletins note that the relevant patches will require a system restart.
In the meantime, users running Deep Security or OfficeScan with the Intrusion Defense Firewall (IDF) plug-in are protected as long as they have updated to the latest rules.
Update as of June 8, 2010, 8:30 p.m. (GMT -8:00)
Microsoft wasn't alone in fixing security holes this week. The new version of Apple's Safari browser, Safari 5, also fixes numerous security flaws, many of which could be used to execute arbitrary code. Windows users, as well as Leopard and Snow Leopard users, need to upgrade to Safari 5 to close these holes. Tiger users can upgrade to Safari 4.1, which is Tiger-only.
Zero-Day Flash/Acrobat Exploit Seen in the Wild
June 6, 2010
On Friday, Adobe released a security advisory for a critical vulnerability (CVE-2010-1297) in Adobe Flash Player that is being exploited in the wild. A successful exploit crashes the application and can be used to run arbitrary code, such as downloading or dropping malicious files onto the affected system.
All released 10.0.x and 9.0.x versions of Flash Player, including the current 10.0.45.2, are vulnerable. Because the vulnerable component (authplay.dll) is also shipped with Adobe's PDF products, Acrobat and Reader 9.3.2 and earlier in the 9.x line are affected as well. The older 8.x versions of Acrobat and Reader are not affected.
Malicious files exploiting this vulnerability have already been encountered by Trend Micro and are now detected as TROJ_PIDIEF.WX.
Adobe has not announced a date for a patch. It does offer two workarounds, one for Flash Player and one for Acrobat/Reader. For Flash Player, users can install the 10.1 Release Candidate, which is available for download but has not yet been officially released.
For Acrobat/Reader, users can delete or rename the vulnerable component (authplay.dll). Flash content embedded in PDF files will then fail to render, and users may see a crash or an error message, but the exploit will not trigger.
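The Acrobat/Reader workaround as an added PowerShell example, not from the original post or from Adobe's advisory: it locates every authplay.dll under the Adobe install roots, reads the version of the Reader or Acrobat executable beside it, and renames only the copies that fall in the affected range the post describes (9.x up to and including 9.3.2). The default Program Files roots and the AcroRd32.exe/Acrobat.exe file names are assumptions.

```powershell
# Added example, not from the TrendLabs post or Adobe's advisory.
# Assumptions: Reader/Acrobat live under the default Program Files roots and
# the affected range is 9.x up to and including 9.3.2, as the post states.
# Run from an elevated prompt. Renaming authplay.dll breaks Flash content in
# PDFs until the patch is installed and the file is renamed back.

$lastAffected = [version]'9.3.2'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -Path (Join-Path $_ 'Adobe')) } |
    ForEach-Object { Join-Path $_ 'Adobe' }

function Get-AuthplayStatus {
    # One record per authplay.dll found, with the version of the Reader/Acrobat
    # executable beside it and whether that build is in the affected range.
    foreach ($root in $roots) {
        $dlls = Get-ChildItem -Path $root -Recurse -Filter 'authplay.dll' -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $exe = Get-ChildItem -Path (Join-Path $dll.DirectoryName '*') `
                       -Include 'AcroRd32.exe', 'Acrobat.exe' -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            $ver = $null
            if ($exe) {
                try { $ver = [version]$exe.VersionInfo.ProductVersion } catch { $ver = $null }
            }
            New-Object PSObject -Property @{
                Path     = $dll.FullName
                Product  = $(if ($exe) { $exe.Name } else { 'unknown' })
                Version  = $ver
                # 8.x is not affected, so require a 9.x build at or below 9.3.2.
                Affected = ($null -ne $ver -and $ver.Major -eq 9 -and $ver -le $lastAffected)
            }
        }
    }
}

function Disable-Authplay {
    # Rename affected copies so the vulnerable component cannot be loaded.
    foreach ($item in Get-AuthplayStatus) {
        if (-not $item.Affected) {
            Write-Host "Skipping $($item.Path) ($($item.Product) $($item.Version))"
            continue
        }
        Rename-Item -Path $item.Path -NewName 'authplay.dll.disabled'
        Write-Host "Renamed $($item.Path) -> authplay.dll.disabled"
    }
}

Get-AuthplayStatus | Format-Table Product, Version, Affected, Path -AutoSize
Disable-Authplay
```

Once the fixed Reader/Acrobat build is installed, the installer ships a fresh authplay.dll; the renamed copy can then be deleted. Builds whose version cannot be read are reported as not affected and left alone, so check the table for "unknown" entries by hand.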
Trend Micro protects users via the Smart Protection Network™, which detects and deletes TROJ_PIDIEF.WX via the file reputation service.
Update as of June 8, 2010, 9:15 a.m. (UTC)
Attacks that use this vulnerability are now out in full force. TROJ_PIDIEF.WX downloads TROJ_SMALL.WJX; in turn BKDR_PDFKA.W is dropped onto affected systems. The latter can be used for pay-per-install schemes favored by cybercriminals.
Update as of June 10, 2010, 7:33 a.m. (UTC)
Adobe has released a product update to resolve the security issue found in Adobe Flash Player. Users are thus advised to immediately update their software. Meanwhile, updates for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX are expected to be released by June 29, 2010.
Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect business users against the Adobe Products authplay.dll Remote Code Execution Vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule number 1004202.
Another Vulnerability Discovered in Ichitaro
June 1, 2010
A previously unknown vulnerability in the Japanese word processor Ichitaro is being exploited. JP-RTL engineers received a sample Ichitaro document that triggers the flaw, which has since been published by Japan Vulnerability Notes as JVNDB-2010-000024. If exploited, arbitrary code can be run on the user's system.
The document exploiting this vulnerability is detected as TROJ_TARODROP.XZ. It embeds two files, both of which are dropped and opened on the affected system: a malicious executable detected as TROJ_TARO.XZ and a non-malicious document.
TROJ_TARO.XZ is a downloader. At the time of writing, the file it retrieves does not execute on affected systems, but it could easily be replaced with a working payload later.
JustSystems, Ichitaro’s publisher, has released a patch to remedy this flaw. (An English-language version of the patch page can be found here.) Until users can patch their systems, Trend Micro advises them to be cautious in opening Ichitaro documents, especially those that come from unknown or untrustworthy sources. More TROJ_TARODROP variants are expected to be seen in the coming days, as cybercriminals rush to exploit this flaw.
Trend Micro product users are already protected by the Smart Protection Network™, which detects TROJ_TARODROP.XZ and TROJ_TARO.XZ and blocks their execution.
Microsoft and Adobe Release Fixes in May Patch Tuesday
May 12, 2010
Microsoft released two critical security bulletins as part of its May Patch Tuesday, following the advance notification it published last Thursday.
MS10-030 addresses a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail that can allow remote code execution if a user connects to a malicious email server. An exploit targeting this vulnerability has already been reported; details and possible attack scenarios are described on this page.
MS10-031, on the other hand, resolves a vulnerability in the Microsoft Visual Basic for Applications runtime.
Users are strongly advised to update their systems as soon as possible, since vulnerabilities like these can be used by cybercriminals to build worms and to mount drive-by download attacks.
Adobe also released fixes for Shockwave Player and for ColdFusion servers. The Shockwave update is the larger of the two, fixing 18 separate vulnerabilities, most of them rated critical. The ColdFusion flaws are less severe but can lead to cross-site scripting (XSS) and information disclosure. Users can download the latest Shockwave Player from the Adobe Shockwave Player installation site; ColdFusion customers can find updates on this Adobe security bulletin page.
Users are strongly encouraged to apply these patches immediately.
Trend Micro Deep Security and OfficeScan, through the Intrusion Defense Firewall (IDF) plug-in, already protect enterprise users against these vulnerabilities if their systems are updated with the latest Deep Packet Inspection (DPI) and IDF rules, respectively, which were released yesterday (May 11).
New Vulnerabilities Found in Apple Safari and Opera
May 12, 2010
Vulnerabilities in Internet Explorer (IE) have been well documented, owing to the browser's popularity. The growing use of alternative browsers, particularly Apple Safari and Opera, is now leading to the discovery of vulnerabilities in those as well.
Trend Micro researcher Rajiv Motwani reports that there were a lot of exploits for all browsers last week. According to Motwani, this may be because exploit code is publicly available, which makes it harder for users to protect themselves since patches are not always available. "Also, the same code can sometimes be used to exploit several browsers," adds Motwani.
A vulnerability has been found in Apple Safari 4.0.5 for Windows that allows a window object to be deleted while references to it still exist (a use-after-free). Specially crafted JavaScript that touches the deleted object then operates on a dangling pointer, which a remote attacker may be able to control. An attacker could exploit this by persuading a user to open a crafted HTML document in Safari, and thereby run arbitrary code with that user's privileges. For further details, see Vulnerability Note VU#943165.
A similar flaw was also reported in Opera. It allows an attacker to make Opera access uninitialized memory, causing memory corruption that can lead to arbitrary code execution with the privileges of the logged-on user. Opera has already released a security patch for it.
The U.S. Computer Emergency Readiness Team (US-CERT) strongly advises users to disable JavaScript and to avoid clicking links in email messages, instant messages, web forums, or Internet Relay Chat (IRC) channels, among other possible workarounds.
Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect enterprise users against this particular threat via the Intrusion Defense Firewall (IDF) plug-in as long as their systems are updated with IDF rule numbers 1004147, 1004141, and 1004126.
Posted by Kumar
