
    Archive for September 21st, 2006




    November 18, 2006 will be a significant day for boxing enthusiasts everywhere, especially for Filipinos and Mexicans, as it marks the third time that their respective boxing champs, Manny Pacquiao and Erik Morales, will face each other to show the world who is the best in the ring. Just like any popular international event, this spectacle will be the focus of product endorsements, advertising campaigns, media hype and the like. And, just like the Miss World event that has been the topic of one of my blog entries these past few days, this event can also be used by malware in its social engineering ploys.


    WORM_SILLYFDC.AO is a malware that targets Pacquiao and Morales fans. Although this worm does nothing at all aside from propagating through network shares, it does have a high potential for spreading, since it poses as a text file on the affected system (Morales_vs_Pacquiao.txt…exe). The double extension is a dead giveaway that the file is not what it seems to be, but loyal Pacquiao and Morales followers would click on the file anyway, possibly in the hope of reading something interesting about the upcoming match. Once executed, the worm drops copies of itself on all available removable storage media (yes, floppy disks included) and mapped network drives. It also creates a registry entry so that it is executed upon system startup.


    This is not something new. This worm may use a simple and unsophisticated technique in propagation but the way it takes advantage of a popular event in an effort to trick the user into opening it can give it a chance of wide-scale propagation. Fortunately, a solution is already in the works for this new threat. We’ll update you once a detection pattern has been deployed.
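    The disguise described above (a decoy extension followed by the real executable one) can be checked for on a file listing of a removable drive or mapped share. The following is an added example, not the worm's code or Trend Micro's detection pattern; the decoy and executable extension lists, the padding characters and the sample listing are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Extensions an attacker would hide behind (decoys) and the ones that actually
# run when double-clicked. Both lists are this example's own assumptions.
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html", "zip"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

# stem . decoy [padding of spaces/dots] . real-extension
# Padding pushes the real extension out of view in narrow Explorer columns,
# so "file.txt      .exe" shows up as "file.txt".
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[a-z0-9]{1,5})(?P<pad>[ .]*)\.(?P<real>[a-z0-9]{1,4})$",
    re.IGNORECASE,
)


def disguised_extension(filename: str) -> Optional[str]:
    """Return the decoy extension when `filename` pretends to be a data file
    but ends in an executable extension; return None for ordinary names."""
    m = _DOUBLE_EXT.match(filename)
    if not m:
        return None
    decoy, real = m.group("decoy").lower(), m.group("real").lower()
    return decoy if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS else None


def scan_listing(names: List[str]) -> List[Tuple[str, str]]:
    """Apply the check to a directory listing and return
    (filename, decoy_extension) for each suspicious entry."""
    hits = []
    for name in names:
        decoy = disguised_extension(name)
        if decoy:
            hits.append((name, decoy))
    return hits


# Constructed listing resembling what the worm leaves on a removable drive.
SAMPLE_LISTING = [
    "Morales_vs_Pacquiao.txt      .exe",  # decoy name modelled on the post
    "fight_schedule.txt",
    "photos.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    for name, decoy in scan_listing(SAMPLE_LISTING):
        print(f"suspicious: {name!r} poses as .{decoy}")
```

    Windows hides known extensions by default, so the check is more useful on a listing than on what Explorer shows a user.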




    Just a couple of hours after the reported 0-day VML exploit, there were also reports that it had been incorporated into the Web-Attacker kit, as described in this post.


    Then, earlier this morning, a Web-Attacker exploit penetration statistics website was reported by an external source. The URL points to a statistics page that lists the total hosts infected by the Web-Attacker kit. The website even has a breakdown of each infection by browser exploit, host operating system (OS) and the Internet browser used by the affected system. The browser statistics section is further broken down by specific version or service pack.



    But this particular site does not show the statistics for 0-day-infected systems, only those for the not-so-old browser exploits. So, given that URL, I played with it a little with the help of my friend Google, and there I got 49 URLs all pointing to different Web-Attacker control panels. I tried every URL one after another, and there I saw a convincingly updated exploit penetration statistics page that includes a column of data on 0-day-infected hosts.



    Since we recently have two (2) browser-related 0-day vulnerabilities, the 0-Day column shown above may or may not be for the VML vulnerability alone.





    Now you know who is most likely to be hit by the recent 0-days.


    I have also listed below the rest of the Internet browsers that are being monitored/affected by the Web-Attacker. I was supposed to capture it as an image as well, but I dare not; it's pretty long, as you will see. :(



    • Firefox 0.10 13
    • Firefox 0.10.1
    • Firefox 0.10.1
    • Firefox 0.8
    • Firefox 0.8 (ax)
    • Firefox 0.9
    • Firefox 0.9.1
    • Firefox 0.9.2
    • Firefox 0.9.2 (ax)
    • Firefox 0.9.3
    • Firefox 0.9.5.1
    • Firefox 1.0 392
    • Firefox 1.0 (Debian package 1.0+dfsg.1-6)
    • Firefox 1.0 (Ubuntu package 1.0.2)
    • Firefox 1.0 (ax)
    • Firefox 1.0 Red Hat/1.0-12.EL4
    • Firefox 1.0+
    • Firefox 1.0.1
    • Firefox 1.0.1 (ax)
    • Firefox 1.0.1 StumbleUpon/1.9993
    • Firefox 1.0.2
    • Firefox 1.0.2 (MOOX M3)
    • Firefox 1.0.2 (ax)
    • Firefox 1.0.3
    • Firefox 1.0.3 (Debian package 1.0.3-2)
    • Firefox 1.0.3 (ax)
    • Firefox 1.0.3 StumbleUpon/1.9995
    • Firefox 1.0.4
    • Firefox 1.0.4 (Debian package 1.0.4-2)
    • Firefox 1.0.4 (Debian package 1.0.4-2sarge4)
    • Firefox 1.0.4 (ax)
    • Firefox 1.0.4 (ax) Firefox/1.5.0.2
    • Firefox 1.0.4 StumbleUpon/1.9995
    • Firefox 1.0.5
    • Firefox 1.0.5 (ax)
    • Firefox 1.0.6
    • Firefox 1.0.6 (ax)
    • Firefox 1.0.6 SUSE/1.0.6-4.1
    • Firefox 1.0.7
    • Firefox 1.0.7 (CK-IBM)
    • Firefox 1.0.7 (Debian package 1.x.1.0.7-8)
    • Firefox 1.0.7 (Ubuntu package 1.0.7)
    • Firefox 1.0.7 (ax)
    • Firefox 1.0.7 Firefox/1.5
    • Firefox 1.0.7 NLD/1.0.7-0.2
    • Firefox 1.0.7 SUSE/1.0.7-0.1
    • Firefox 1.0.7 SUSE/1.0.7-0.2
    • Firefox 1.0.7 StumbleUpon/1.9993
    • Firefox 1.0.8
    • Firefox 1.0.8 (Ubuntu package 1.0.8)
    • Firefox 1.0.8 SUSE/1.0.8-0.2
    • Firefox 1.0RC2
    • Firefox 1.4 16
    • Firefox 1.4.1
    • Firefox 1.5 133
    • Firefox 1.5.0.1
    • Firefox 1.5.0.1 pango-text
    • Firefox 1.5.0.2
    • Firefox 1.5.0.2 pango-text
    • Firefox 1.5.0.3
    • Firefox 1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)
    • Firefox 1.5.0.3 Creative ZENcast v1.00.12
    • Firefox 1.5.0.3 RTSE/1.0.6
    • Firefox 1.5.0.4
    • Firefox 1.5.0.4 (Debian-1.5.dfsg+1.5.0.4-1)
    • Firefox 1.5.0.4 Creative ZENcast v1.00.12
    • Firefox 1.5.0.4 Flock/0.7.1
    • Firefox 1.5.0.4 RTSE/1.0.6
    • Firefox 1.5.0.4 pango-text
    • Firefox 1.5.0.6
    • Firefox 1.5.0.7
    • Firefox 2.0a1 8
    • Firefox 2.0b1 3
    • Firefox 3.0a1 2
    • MSIE 5.0
    • MSIE 5.0 SP2
    • MSIE 5.01
    • MSIE 5.01 SP1
    • MSIE 5.01 SP2
    • MSIE 5.01 SP3
    • MSIE 5.01 SP4
    • MSIE 5.5
    • MSIE 5.5 SP1
    • MSIE 5.5 SP2
    • MSIE 5.5 SP4
    • MSIE 6.0
    • MSIE 6.0 SP1
    • MSIE 6.0 SP1a
    • MSIE 6.0 SP2
    • MSIE 6.0 SP4
    • MSIE unknown
    • MSIE unknown SP2
    • Netscape
    • Opera
    • Unknown




    Two new variations of the Proof-of-Concept (PoC) exploit targeting the 0-day VML vulnerability have been publicly posted on two sources on the web. They both target the same vulnerability as EXPL_EXECOD.A does, but with some modifications in the way it is exploited (the value passed to the fill method inside the rect tag). The PoC posted at XSec can cause Remote Code Execution, while the PoC posted at Milw0rm can cause Denial of Service, as they describe.
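    A content-inspection check in the spirit of the description above, added here as an example and not Trend Micro's detection pattern: it flags any VML fill element carrying an implausibly long attribute value, the trait the PoC variants share, and it looks at fill elements under any VML shape rather than only the rect tag. The 64-character threshold and the sample markup are assumptions.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Legitimate VML fill attributes (method, type, color, angle, ...) are short
# keywords or numbers; the threshold below is an assumption for this example.
MAX_ATTR_LEN = 64


class VmlFillInspector(HTMLParser):
    """Collect (attribute, length) for every VML <fill> element, whatever its
    namespace prefix (v:fill, fill), that carries an over-long attribute value."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, int]] = []

    def handle_starttag(self, tag, attrs):
        # html.parser keeps the prefix in the tag name, e.g. "v:fill"; strip it.
        if tag.rsplit(":", 1)[-1] != "fill":
            return
        for attr, value in attrs:
            if value is not None and len(value) > MAX_ATTR_LEN:
                self.findings.append((attr, len(value)))


def inspect_vml(markup: str) -> List[Tuple[str, int]]:
    """Return the over-long fill attributes found in `markup` (empty if none)."""
    parser = VmlFillInspector()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed samples: a normal VML rectangle and one whose fill "method" value
# is padded far beyond anything a real page needs.
BENIGN = ('<v:rect style="width:120pt;height:80pt" fillcolor="red">'
          '<v:fill method="linear"/></v:rect>')
OVERLONG = '<v:rect><v:fill method="' + "x" * 600 + '"/></v:rect>'

if __name__ == "__main__":
    print(inspect_vml(BENIGN))    # []
    print(inspect_vml(OVERLONG))  # [('method', 600)]
```

    A length sanity check of this kind is a coarse filter for mail and proxy scanning, not a substitute for unregistering the vulnerable component or applying the patch.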


    If you will recall, this was first discovered in the wild by Sunbelt, and a number of sites have also been found to be using the exploit to infect unsuspecting users. Microsoft has been aware of this security bug since Sunbelt posted an entry about it, and last September 19, Microsoft published Security Advisory (925568), which addresses this issue. Microsoft has dubbed the vulnerability "Vulnerability in Vector Markup Language Could Allow Remote Code Execution." Microsoft has also suggested four (4) possible workarounds to protect us from this bug while they work on the official patch, which will be released on October 10, 2006, hopefully.


    One of the workarounds that Microsoft has suggested is to unregister Vgx.dll, which is the affected component.

    Follow these steps to unregister the DLL.

    1. Click Start, click Run, type regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll", and then click OK.
    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    However, applications that render VML will no longer do so once Vgx.dll has been unregistered.

    To undo this change, re-register Vgx.dll by following the above steps, replacing the text in Step 1 with regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".



    Related Posts:
    IE Zero Day + Web Attacker Kit
    New IE Zero Day Seen in the wild



     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice