There is a new Yahoo phising site spotted located at
http://www.geocities.com/myphotos30021. It spoofs the Yahoo!Photos site.
Below is a snapshot of the site. Just click the picture for a fuller view.

The site has already been submitted to Web Blocking Team.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!

Microsoft will be releasing an out-of-band patch for the rising incidents of the VML vulnerability (MS06-055). Microsoft has dubbed this as Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486). They rated this vulnerability as Critical, which is the highest severity rating given for a vulnerability due to its easy replication that can result to Remote Code Execution (RCE).

Moreover, Microsoft will also re-release Microsoft Security Bulletin MS06-049 (Vulnerability in Windows Kernel Could Result in Elevation of Privilege) to fix the problem that arises when applying the previous release of MS06-049 patch on systems running NTFS file system compression.

Microsoft has announced that the update will be available on September 26, 2006 around 10:00am PST. So, you better get ready to patch up your systems!

MS06-055 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

For the past few weeks TMIRT is conducting a sort of investigation on how TSPY_LINEAGE and TSPY_WOW arrives on users’ systems. Sure they are Trojan Spywares that do not have the capability to replicate, but then, why are there so many infection reports?

Owing to the fact that they are Trojan Spywares aimed to steal user accounts for the online games Lineage and World of Warcraft (WoW), it is but logical to target those who actually play the game. So, for more than a week, we scoured the Internet searching for hacks, key generators and cheats for both online games. But alas, our search did not yield a malicious file.

Then, just this morning, I bumped into this old article by the Honeyclient Project, where they reported several compromised World of Warcraft accounts. The compromised accounts was caused by a Trojan Spyware (most probably TSPY_WOW) that was installed in gamer’s machine when he visited an ad in Allakzaham – a site where World of Warcraft players trade, sell, or auction virtual items that can be used in the online game.

As a previous blog entry reports, compromised accounts can be used by the malicious author to steal virtual items and then sell it on sites like Allakzaham.

So there, now we have a clearer idea on how company networks become infected. An employee uses company resources to play online games, browses items that can boost the skill level of his character in the online game, gets infected by a Trojan Spyware and it’s accomplice (ever heard about PE_LOOKED?), and then infection spreads in the company’s network.

Moral of the story?

• 1. Do not allow online games
  
• 2. Block ports used by online games
  
• 3. Block sites related to these online games
  
• 4. Educate your users

Simple enough isn’t it?

Today, our email honeypot are receiving emails from WORM_STRATION malware. Unlike the other day where we received 10 different MD5 hashes, now we have 25 different MD5 hashes.

Here is a look at some of the email sent by the worm having the binary file as a zip file attachment.

As for the MD5 hashes, here’s the list (for system admins):

• 0675f71a67dd8dd3716e484855ee2627
• 1d4583ba2c3ebdc6c027cb49db92158c
• 261cec1464be928427ec14b121ea5665
• 299f76fdbf585e5f17941074498349c8
• 37753fdb5de5414a73caa1cc1a36876e
• 3d08becc3329cf3b5d9e10369fc8958d
• 750f38d4e38a6d60051306b8a25fb52d
• 767ac4882e799f5464cb18552c95d257
• 76a347170e155630a059522e424873ed
• 7b5e061f4ad607cf00c10d92b538c4a2
• 89ec4062507593e1e287966fb1acd734
• 9ee6203674f4d770240ae3dc31d90358
• b044c6051d0f7da8aee9e1f9a1f425ab
• b06155140861e86c97bf9cb1abed44c1
• b06155140861e86c97bf9cb1abed44c1
• babf9bdc89ed24522188976ce66be3e1
• cc6a14bcef5ac3227e50ba29f11c6c27
• cf1cf557f045400d4532bd72b3bd6020
• d6e211e97d7799b1792a3cdfbbed78da
• d77bb7178999486d505a8114a12573a3
• d77bb7178999486d505a8114a12573a3
• f973acf2896214400bbcfd5064a8fca8
• fe3a0d18413d9a3a9cfea9fa99264823
• 6938575d2dba7c7f3dbdff97e1cd0617
• 7108695e31b1e029c70392954a197e33

Again, all of these samples are detected by using the Intellitrap technology as PAK_GENERIC.001. These samples will be included in the detection of WORM_STRATIO in the upcoming Official Pattern Release.

There have been several vml exploits found in the wild these past few weeks so I guess most of you are wondering what makes this one different.

Well, to begin with it tries to lure users to sites containing the exploit code by claiming that they’ve gotten a Yahoo! eCard. Once the user visits the site it downloads and installs several executable files one of which is already detected by Trend Micro Inc. as TROJ_BZUB.AW. The other files have already been submitted to the service team for processing. Hang on for updates on this.

In the meantime, you may read up on previous articles we’ve written regarding this exploit for tips, workarounds and other useful information about this vulnerability.

• New IE Zero Day Seen in the wild
• IE Zero Day + Web Attacker Kit
• Update on VML Exploit – IE 0-day
• Web-Attacker + IE 0-Day Stats!

Update (Sheryll Tiauzon, Tue, 26 Sep 2006 07:00:22 AM)

We’ve just received an update from the service team, the files will be detected as HTML_VMLFILL.C and BKDR_SMALL.DYZ.