Archive for September 9th, 2006


Sep9
by Jessie Paz (Advanced Threats Researcher)

We just got a report from an external source about a particular url that exhibits some strange behavior…


So I grabbed the URL and investigated what may have caused the 'strange behavior'. As soon as I had a copy of the file pointed to by the URL, http://{blocked}.org/xpl/index.php, I checked its contents and found out that it uses an iframe tag (HTML tag) to redirect the browser to another page that hosts another strange-looking script.


I verified the contents of the script to see if it has anything to do with the 'strange behavior' and I was surprised because it did look pretty strange… Looking closely, I found some interesting keywords prodding me to continue my analysis and my interest to unravel the mystery behind the 'strange behavior'. The script is obfuscated but still gives out some clues on what it might do. See below for the part of the obfuscated script, especially the words enclosed in a box.



Now, my intuition led me to the conclusion that this obfuscated code has an embedded shellcode (because of the 'unescape' keyword followed by unicode characters) that will download and execute a possibly malicious file on the affected system, as pointed to by the URL included in the script. Since there is a shellcode (a code snippet that must be injected into an intended process space to execute successfully), there should also be a particular process/application that this shellcode will be applied to. Then, I noticed the ".wmv" string, which is associated with Windows Media Player by default when executed. To prove my little theory I executed the script on my infected machine, and there I saw a Windows Media Player object on the page being rendered in the browser.


Then, at the bottom part of the obfuscated script is a readable piece of JavaScript code that seems to be helpful in cleaning up (de-obfuscating) the obfuscated code shown above. I modified the code a bit so that it will stop executing as soon as I have the de-obfuscated code, as shown below.



There it is! — It just told half of the story, but this is sort of misleading because the shellcode is already embedded in the script, which the "spray" variable holds. The exact URL to be accessed by the malicious shellcode is now clear as well. In the lower part of the de-obfuscated script I noticed an HTML tag that was given a very strange-looking value.



So, I googled every keyword from the image above that seemed likely to help and, not surprisingly, I was directed to a popular web site that posts exploits for particular vulnerabilities, where I found similarities with one of the published exploits. Based on the behavior I have seen in my testing and the sample exploit posted on the site, I have confirmed that the 'strange behavior' was caused by a vulnerability exploited by the Windows Media Player Plugin EMBED Exploit (MS06-006).


Even though this is not a new vulnerability, there are still malicious people trying to take advantage of this bug, as evidenced by this incident. This only shows the importance of up-to-date patching of systems AND applications to protect our systems from malicious attacks like this.


More information on MS06-006 can be found in the Microsoft website.


All malicious samples, together with the URLs related to this incident, are already being processed for inclusion in Trend solutions.


Sep9
by Roberto Tayag (Threats Analyst)

Well, Microsoft has recently released its advance notification for its monthly security patches, and if things go well it might actually be a very light Tuesday. Microsoft is set to release 3 security updates: 2 updates for Windows with the highest severity rating of Important, and 1 Office update which they say is Critical; hopefully it will be related to the recent zero-day Word 2000 vulnerability. So even though they are set to release only a few bulletins, it is still best to update your machines as soon as possible.


Sep9
by Roberto Tayag (Threats Analyst)

According to wikipedia.org, a wiki is a type of website that allows visitors to easily add, remove, or otherwise edit and change some available content, sometimes without the need for registration; it is an editable website that does not require users to know HTML.


Reports on the SANS Internet Storm Center tell us of botnets being created through the use of software bugs in the Pmwiki and Tikiwiki applications. According to them, the Pmwiki exploit is hitting versions 2.1.19 and below, and the Tikiwiki exploit versions 1.9 and below.


The Pmwiki bug can only be exploited if you have register_globals set to "On" in your PHP installation. The Tikiwiki bug, however, can be exploited regardless of whether that setting is On or Off.


Tikiwiki has published some information regarding this matter here, and Pmwiki is said to have updated their code. Check the release notes for more details.


Sep9
by Roberto Tayag (Threats Analyst)

TROJ_MDROPPER.BO is a .doc file. It exploits a zero-day vulnerability in Microsoft Word 2000; no specific details on this vulnerability are available yet. This specially crafted doc file executes shellcode that drops and executes an embedded exe file. TROJ_MDROPPER.BO executes a backdoor that is detected by Trend Micro as BKDR_PCCLIENT.PX. To protect your system from this threat, please update your pattern file to 3.735.00.


You can manually download the pattern file here.


For more details on this threat, click here.



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice