
Archive for September, 2006


Sep27
by Jessie Paz (Advanced Threats Researcher)

Microsoft will be releasing an out-of-band patch in response to the rising number of incidents involving the VML vulnerability (MS06-055). Microsoft has titled the bulletin Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486). They rated this vulnerability as Critical, the highest severity rating given to a vulnerability, because the exploit is easy to replicate and can result in Remote Code Execution (RCE).


Moreover, Microsoft will also re-release Microsoft Security Bulletin MS06-049 (Vulnerability in Windows Kernel Could Result in Elevation of Privilege) to fix the problem that arises when the previous release of the MS06-049 patch is applied on systems using NTFS file system compression.


Microsoft has announced that the update will be available on September 26, 2006 at around 10:00am PST. So you had better get ready to patch your systems!


MS06-055 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
MS06-049 - Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)

 
Posted in Uncategorized |

Sep26
by Ryan Flores (Advanced Threats Researcher)

For the past few weeks TMIRT has been conducting an investigation into how TSPY_LINEAGE and TSPY_WOW arrive on users' systems. Sure, they are Trojan spyware that do not have the capability to replicate, but then why are there so many infection reports?


Since they are Trojan spyware aimed at stealing user accounts for the online games Lineage and World of Warcraft (WoW), it is only logical that they target those who actually play the games. So, for more than a week, we scoured the Internet searching for hacks, key generators and cheats for both online games. But alas, our search did not yield a single malicious file.


Then, just this morning, I bumped into this old article by the Honeyclient Project, where they reported several compromised World of Warcraft accounts. The compromised accounts were caused by a Trojan spyware (most probably TSPY_WOW) that was installed on the gamer's machine when he visited an ad on Allakzaham, a site where World of Warcraft players trade, sell, or auction virtual items that can be used in the online game.


As a previous blog entry reports, compromised accounts can be used by the malware author to steal virtual items and then sell them on sites like Allakzaham.


So there, now we have a clearer idea of how company networks become infected. An employee uses company resources to play online games, browses for items that can boost the skill level of his character in the online game, gets infected by a Trojan spyware and its accomplice (ever heard of PE_LOOKED?), and then the infection spreads across the company's network.


Moral of the story?


  1. Do not allow online games
  2. Block ports used by online games
  3. Block sites related to these online games
  4. Educate your users


Simple enough isn’t it?

 

Sep26
by Jonell Baltazar (Advanced Threats Researcher)

Today, our email honeypot is receiving emails from the WORM_STRATION malware. Unlike the other day, when we received 10 different MD5 hashes, we now have 25 different MD5 hashes.

Here is a look at some of the emails sent by the worm, which carry the binary file as a ZIP attachment.

As for the MD5 hashes, here’s the list (for system admins):

  • 0675f71a67dd8dd3716e484855ee2627
  • 1d4583ba2c3ebdc6c027cb49db92158c
  • 261cec1464be928427ec14b121ea5665
  • 299f76fdbf585e5f17941074498349c8
  • 37753fdb5de5414a73caa1cc1a36876e
  • 3d08becc3329cf3b5d9e10369fc8958d
  • 750f38d4e38a6d60051306b8a25fb52d
  • 767ac4882e799f5464cb18552c95d257
  • 76a347170e155630a059522e424873ed
  • 7b5e061f4ad607cf00c10d92b538c4a2
  • 89ec4062507593e1e287966fb1acd734
  • 9ee6203674f4d770240ae3dc31d90358
  • b044c6051d0f7da8aee9e1f9a1f425ab
  • b06155140861e86c97bf9cb1abed44c1
  • b06155140861e86c97bf9cb1abed44c1
  • babf9bdc89ed24522188976ce66be3e1
  • cc6a14bcef5ac3227e50ba29f11c6c27
  • cf1cf557f045400d4532bd72b3bd6020
  • d6e211e97d7799b1792a3cdfbbed78da
  • d77bb7178999486d505a8114a12573a3
  • d77bb7178999486d505a8114a12573a3
  • f973acf2896214400bbcfd5064a8fca8
  • fe3a0d18413d9a3a9cfea9fa99264823
  • 6938575d2dba7c7f3dbdff97e1cd0617
  • 7108695e31b1e029c70392954a197e33

Again, all of these samples are detected by the IntelliTrap technology as PAK_GENERIC.001. These samples will be included in the WORM_STRATION detection in the upcoming Official Pattern Release.
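A hash list like the one above is only useful if something actually checks it, and since this worm ships its executable inside a ZIP attachment, the archive's own MD5 will never match: the members have to be hashed individually. The following is an added example (my code, not Trend Micro's or the author's) that does exactly that, matching both the blob and each ZIP member against the published MD5s. The member name, the size guard and the sample attachment it builds are my assumptions; the sample payload is constructed and harmless.

```python
"""Match files, including members of ZIP attachments, against a list of
known-bad MD5 hashes.

Added example (not Trend Micro's code). The hash list is the one published
in the post, with its two repeated entries collapsed; the sample attachment
built in __main__ is constructed and is not malware."""
import hashlib
import io
import zipfile

# MD5s from the post (23 unique values; two lines in the post are repeats)
STRATION_MD5S = frozenset({
    "0675f71a67dd8dd3716e484855ee2627",
    "1d4583ba2c3ebdc6c027cb49db92158c",
    "261cec1464be928427ec14b121ea5665",
    "299f76fdbf585e5f17941074498349c8",
    "37753fdb5de5414a73caa1cc1a36876e",
    "3d08becc3329cf3b5d9e10369fc8958d",
    "750f38d4e38a6d60051306b8a25fb52d",
    "767ac4882e799f5464cb18552c95d257",
    "76a347170e155630a059522e424873ed",
    "7b5e061f4ad607cf00c10d92b538c4a2",
    "89ec4062507593e1e287966fb1acd734",
    "9ee6203674f4d770240ae3dc31d90358",
    "b044c6051d0f7da8aee9e1f9a1f425ab",
    "b06155140861e86c97bf9cb1abed44c1",
    "babf9bdc89ed24522188976ce66be3e1",
    "cc6a14bcef5ac3227e50ba29f11c6c27",
    "cf1cf557f045400d4532bd72b3bd6020",
    "d6e211e97d7799b1792a3cdfbbed78da",
    "d77bb7178999486d505a8114a12573a3",
    "f973acf2896214400bbcfd5064a8fca8",
    "fe3a0d18413d9a3a9cfea9fa99264823",
    "6938575d2dba7c7f3dbdff97e1cd0617",
    "7108695e31b1e029c70392954a197e33",
})

# Refuse to inflate absurdly large archive members (decompression-bomb guard);
# the limit is an assumption for this example.
MAX_MEMBER_BYTES = 32 * 1024 * 1024


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan_blob(name: str, data: bytes, iocs=STRATION_MD5S):
    """Return [(path, md5)] for every hash hit.

    The whole blob is hashed, and if it is a ZIP archive each member is also
    hashed individually, because the worm ships its executable inside a ZIP
    attachment and the archive's own hash is not what the IoC list describes.
    """
    hits = []
    digest = md5_hex(data)
    if digest in iocs:
        hits.append((name, digest))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member_digest = md5_hex(zf.read(info))
                if member_digest in iocs:
                    hits.append((f"{name}!{info.filename}", member_digest))
    return hits


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed, harmless payload standing in for a quarantined attachment
    payload = b"constructed sample bytes, not malware"
    attachment = build_sample_zip("Attachment.exe", payload)
    # Extend the published list with the constructed sample's hash to show a hit
    iocs = STRATION_MD5S | {md5_hex(payload)}
    for path, digest in scan_blob("mail-0001.zip", attachment, iocs):
        print(f"HIT {digest}  {path}")
```

MD5 is adequate for matching a published list of known samples, but it proves nothing about samples you have not seen: the post itself notes these files are packed (PAK_GENERIC.001), and every repack yields a new hash, which is why a generic detection in the pattern file matters more than the list.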

 

Sep26
by Sheryll Tiauzon (Advanced Threats Researcher)

There have been several VML exploits found in the wild these past few weeks, so I guess most of you are wondering what makes this one different.

Well, to begin with, it tries to lure users to sites containing the exploit code by claiming that they've received a Yahoo! eCard. Once the user visits the site, it downloads and installs several executable files, one of which is already detected by Trend Micro Inc. as TROJ_BZUB.AW. The other files have already been submitted to the service team for processing. Hang on for updates on this.

In the meantime, you may read up on previous articles we’ve written regarding this exploit for tips, workarounds and other useful information about this vulnerability.

Update (Sheryll Tiauzon, Tue, 26 Sep 2006 07:00:22 AM)

We’ve just received an update from the service team: the files will be detected as HTML_VMLFILL.C and BKDR_SMALL.DYZ.

 

Sep25
by Jonell Baltazar (Advanced Threats Researcher)

We received a new sample of a trojan downloader attached to a spammed email. This spammed email used the pop star Kylie Minogue for its social engineering, claiming that the said artist had died of cancer. Below is an example of the spammed email.


We can see that there’s a hyperlink in the email body that points to http://xxx.xxx.xxx.133/sp/kylie.htm. Upon visiting the said URL, we see the following page:


Yeah, there’s another hyperlink that points to a binary file. The binary file is an exact copy of the trojan downloader attached to the spammed email. This is probably intended as another way for the malware to be executed by the affected user if the user opted not to open the attachment in the spammed email. The story of this malware does not end here, as the said URL contains an iframe which points to another page containing obfuscated code.



The page triggered my curiosity as to whether it could be related to TROJ_LINKOPTIM, so I decided to de-obfuscate it. Here’s a snippet of the code after the first pass of de-obfuscation.



Then, to my surprise, it also used the “arguments.callee.toString()” function, which is also used in the TROJ_LINKOPTIM obfuscated pages. So I continued, and after three more layers of de-obfuscation I arrived at another iframe which opens another page (whew!!!).



This new page will again download and execute a copy of the trojan downloader; at this point, we can say that this cannot be related to the Link Optimizer thingie. Note that the downloader was designed to have three ways of being executed on an affected system.



The author used the “msxml2.XMLHTTP” and “adodb.stream” objects to download and execute the binary file on the affected user’s system.


The trojan downloader will be detected as TROJ_DLOADR.ANR and the downloaded component will be detected as BKDR_AGENT.FBB. Disabling ActiveX in your web browser is recommended as protection against attacks that use ActiveX objects. You can also disable the “adodb.stream” object by following the procedure described here.
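The three traits this walkthrough turned up (an iframe chaining to a further page, a decoder that reads its own source through arguments.callee.toString(), and the msxml2.XMLHTTP and adodb.stream ActiveX objects used to fetch and write the binary) are exactly what a gateway or analyst script can look for before anyone has a sample. The following is an added example (my code, not Trend Micro's or the author's) of such a static heuristic run over constructed sample pages. The indicator names, the verdict rule and the sample pages are my assumptions; the samples contain only object names and a self-inspecting function stub, not working download or exploit code.

```python
"""Heuristic scanner for web pages showing the traits described in the post:
an iframe that chains to another page, a decoder that reads its own source
via arguments.callee.toString(), and the msxml2.XMLHTTP / adodb.stream
ActiveX objects used to fetch and write a binary.

Added example (not Trend Micro's code). The indicator names, the verdict
rule and the sample pages are constructed for illustration."""
import re

# Obfuscated pages often split object names across concatenated string
# literals ("ado" + "db.stream"); joining adjacent literals first lets the
# simple patterns below see the whole name.
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")

INDICATORS = [
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("self_reading_decoder",
     re.compile(r"arguments\s*\.\s*callee\s*\.\s*toString\s*\(", re.I)),
    ("activex_xmlhttp", re.compile(r"msxml2\s*\.\s*xmlhttp", re.I)),
    ("activex_adodb_stream", re.compile(r"adodb\s*\.\s*stream", re.I)),
]


def normalise(html: str) -> str:
    """Join adjacent string literals so split names become contiguous."""
    return _CONCAT.sub("", html)


def score_page(html: str) -> dict:
    """Return the indicators present and a verdict.

    Verdict rule (an assumption for this example): the self-reading decoder
    alone, or the download object together with the file-writing object, is
    enough to call the page suspicious; any other single indicator only
    marks it for review.
    """
    text = normalise(html)
    found = [name for name, rx in INDICATORS if rx.search(text)]
    if ("self_reading_decoder" in found
            or {"activex_xmlhttp", "activex_adodb_stream"} <= set(found)):
        verdict = "suspicious"
    elif found:
        verdict = "review"
    else:
        verdict = "clean"
    return {"indicators": found, "verdict": verdict}


# Constructed sample pages (no working exploit or download code)
SAMPLE_CHAINED = """<html><body>
<iframe src="next.htm"></iframe>
<script>function d(s){var k=arguments.callee.toString().length;return s;}</script>
</body></html>"""

SAMPLE_DOWNLOADER = """<script>
var x = new ActiveXObject("msxml2.XMLHTTP");
var s = new ActiveXObject("ado" + "db.stream");
</script>"""

SAMPLE_CLEAN = """<html><body><p>Hello</p>
<script>document.title = "greeting";</script></body></html>"""


if __name__ == "__main__":
    for label, page in [("chained", SAMPLE_CHAINED),
                        ("downloader", SAMPLE_DOWNLOADER),
                        ("clean", SAMPLE_CLEAN)]:
        print(label, score_page(page))
```

The literal-joining step is the part worth keeping: the object names themselves are rarely written out in one piece in pages like this, while the self-reading decoder is the stronger signal, since legitimate scripts have little reason to hash their own source. Heuristics like these complement, rather than replace, the ActiveX and adodb.stream hardening the post recommends, which removes the capability the downloader depends on.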

 


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice