Archive for September, 2006


Sep25
by Jonell Baltazar (Advanced Threats Researcher)

We received a new sample of a trojan downloader attached to a spammed email. This spammed email used the pop star Kylie Minogue for its social engineering, claiming that the said artist had died of cancer. Below is an example of the spammed email.


We can see that there’s a hyperlink in the email body that points to http://xxx.xxx.xxx.133/sp/kylie.htm. Upon visiting the said URL, we’ll see the following page:


Yeah, there’s another hyperlink that points to a binary file. The binary file is an exact copy of the trojan downloader attached to the spammed email. This is probably intended as another way for the malware to be executed by the affected user if the user opted not to open the attachment in the spammed email. The story of this malware does not end here, as the said URL contains an iframe which points to another, obfuscated page.



The page made me curious whether it could be related to TROJ_LINKOPTIM, so I decided to un-obfuscate it. Here’s a snip of the code after the first layer of un-obfuscation.



Then, to my surprise, it also used the “arguments.callee.toString()” function, which is also used in the TROJ_LINKOPTIM obfuscated pages. So I continued, and after three more layers of un-obfuscation I arrived at another iframe which opens yet another page (whew!!!).



This new page will again download and execute a copy of the trojan downloader; at this point, we can say that this cannot be related to the Link Optimizer thingie. Note that the downloader was designed to have three ways of being executed on an affected system: the email attachment, the hyperlink on the first page, and this final page.



The author used the “msxml2.XMLHTTP” and “adodb.stream” ActiveX objects to download and execute the binary file on the affected user’s system.


The trojan downloader will be detected as TROJ_DLOADR.ANR and the downloaded component will be detected as BKDR_AGENT.FBB. Disabling ActiveX in your web browser is recommended to protect against attacks that use ActiveX objects. You can also disable the “adodb.stream” object by following the procedures described here.
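As an added example (not code from the original post), here is a small Python checker that flags, on a saved copy of a page, the indicators this post walks through: the self-checking “arguments.callee.toString()” obfuscation, the msxml2.XMLHTTP and adodb.stream object pair, eval-of-unescape unpacking, and iframes chaining to further pages. The sample HTML is constructed; treating a 0- or 1-pixel iframe as hidden and calling two findings “suspicious” are my own assumptions.

```python
import re
from html.parser import HTMLParser

# Added example, not code from the original post. The indicators are the ones the
# post describes; the indicator labels and the thresholds below are our own.
INDICATORS = {
    "self_checking_obfuscation": re.compile(r"arguments\s*\.\s*callee\s*\.\s*toString", re.I),
    "activex_http_download": re.compile(r"ActiveXObject\s*\(\s*['\"]msxml2\.xmlhttp['\"]", re.I),
    "activex_stream_write": re.compile(r"ActiveXObject\s*\(\s*['\"]adodb\.stream['\"]", re.I),
    "eval_of_unescape": re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
}

class IframeCollector(HTMLParser):
    """Collects iframe targets; a 0/1-pixel width or height is treated as hidden (assumption)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.iframes.append({"src": a.get("src", ""), "hidden": hidden})

def scan_page(html):
    """Return indicator hits with line numbers, iframe targets, and a verdict.
    Verdict (assumption): two or more findings, counting hidden iframes, is suspicious."""
    hits = [(name, lineno)
            for lineno, line in enumerate(html.splitlines(), 1)
            for name, rx in INDICATORS.items() if rx.search(line)]
    collector = IframeCollector()
    collector.feed(html)
    hidden_frames = sum(1 for f in collector.iframes if f["hidden"])
    return {"indicators": hits, "iframes": collector.iframes,
            "suspicious": len(hits) + hidden_frames >= 2}

# Constructed sample modelled on the chain the post describes (not the real page).
SAMPLE = """<html><body>
<a href="http://xxx.xxx.xxx.133/sp/kylie.htm">Kylie news</a>
<iframe src="ob1.htm" width="0" height="0"></iframe>
<script>
function d(s){var c=arguments.callee.toString();eval(unescape(s));}
var x=new ActiveXObject("msxml2.XMLHTTP");
var s=new ActiveXObject("adodb.stream");
</script></body></html>"""
```

Running scan_page(SAMPLE) reports all four indicators with their line numbers plus the zero-size iframe target, which is the hand-off point for the next layer of un-obfuscation.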

Posted in Uncategorized |

Sep21
by Jasper Pimentel (Advanced Threats Researcher)

November 18, 2006 will be a significant day for boxing enthusiasts everywhere, especially for Filipinos and Mexicans, as this day marks the third time that their respective boxing champs, Manny Pacquiao and Erik Morales, will face each other to show the world who’s the best in the ring. Just like any popular international event, this spectacle will be the focus of many product endorsements, advertising campaigns, media hype and the like. Of course, just like the Miss World event that has been the topic of one of my blog posts these past few days, this event can also be used by malware in its social engineering ploys.


WORM_SILLYFDC.AO is a malware that targets Pacquiao and Morales fans. Although this worm does nothing at all aside from propagating through network shares, it does have a high potential for spreading since it poses as a text file on the affected system (Morales_vs_Pacquiao.txt…exe). The double extension is a dead giveaway that the file is not what it seems to be, but loyal Pacquiao and Morales followers would click on the file anyway, possibly hoping to read something interesting about the upcoming match. Once executed, the worm drops copies of itself on all available removable storage media (yes, floppy disks included) and mapped network drives. It also creates a registry entry so that it will be executed upon system startup.


This is not something new. This worm may use a simple and unsophisticated propagation technique, but the way it takes advantage of a popular event to trick the user into opening it gives it a chance of wide-scale propagation. Fortunately, a solution is already in the works for this new threat. We’ll update you once a detection pattern has been deployed.


Sep21
by Jessie Paz (Advanced Threats Researcher)

Just a couple of hours after the reported 0-day VML exploit, there were also reports that it had been implemented in the Web-Attacker kit, as described in this post.


Then, earlier this morning, a Web-Attacker exploit penetration statistics website was reported by an external source. The URL points to a statistics page that shows the total number of hosts infected by the Web-Attacker kit. The website even has a breakdown of each infection by browser exploit, host operating system (OS), and the internet browser used by the affected system. The internet browser statistics section is even broken down by specific version or service pack.



But this particular site does not show the statistics for systems infected via the 0-day, only those infected by the not-so-old browser exploits. So, given that URL, I played with it a little with the help of my friend Google, and there I got 49 URLs all pointing to different Web-Attacker control panels. I tried every URL one after another, and there I saw a convincingly updated exploit penetration statistics page that includes a column of data on 0-day infected hosts.



Since we recently had two (2) browser-related 0-day vulnerabilities, the 0-Day column shown above may or may not be for the VML vulnerability alone.





Now you know who is most likely to be hit by the recent 0-days.


I have also listed below the rest of the internet browsers that are being monitored/affected by the Web-Attacker. I was supposed to capture it as an image as well, but I dare not; it’s pretty long, as you will see. :(



  • Firefox 0.10 13
  • Firefox 0.10.1
  • Firefox 0.10.1
  • Firefox 0.8
  • Firefox 0.8 (ax)
  • Firefox 0.9
  • Firefox 0.9.1
  • Firefox 0.9.2
  • Firefox 0.9.2 (ax)
  • Firefox 0.9.3
  • Firefox 0.9.5.1
  • Firefox 1.0 392
  • Firefox 1.0 (Debian package 1.0+dfsg.1-6)
  • Firefox 1.0 (Ubuntu package 1.0.2)
  • Firefox 1.0 (ax)
  • Firefox 1.0 Red Hat/1.0-12.EL4
  • Firefox 1.0+
  • Firefox 1.0.1
  • Firefox 1.0.1 (ax)
  • Firefox 1.0.1 StumbleUpon/1.9993
  • Firefox 1.0.2
  • Firefox 1.0.2 (MOOX M3)
  • Firefox 1.0.2 (ax)
  • Firefox 1.0.3
  • Firefox 1.0.3 (Debian package 1.0.3-2)
  • Firefox 1.0.3 (ax)
  • Firefox 1.0.3 StumbleUpon/1.9995
  • Firefox 1.0.4
  • Firefox 1.0.4 (Debian package 1.0.4-2)
  • Firefox 1.0.4 (Debian package 1.0.4-2sarge4)
  • Firefox 1.0.4 (ax)
  • Firefox 1.0.4 (ax) Firefox/1.5.0.2
  • Firefox 1.0.4 StumbleUpon/1.9995
  • Firefox 1.0.5
  • Firefox 1.0.5 (ax)
  • Firefox 1.0.6
  • Firefox 1.0.6 (ax)
  • Firefox 1.0.6 SUSE/1.0.6-4.1
  • Firefox 1.0.7
  • Firefox 1.0.7 (CK-IBM)
  • Firefox 1.0.7 (Debian package 1.x.1.0.7-8)
  • Firefox 1.0.7 (Ubuntu package 1.0.7)
  • Firefox 1.0.7 (ax)
  • Firefox 1.0.7 Firefox/1.5
  • Firefox 1.0.7 NLD/1.0.7-0.2
  • Firefox 1.0.7 SUSE/1.0.7-0.1
  • Firefox 1.0.7 SUSE/1.0.7-0.2
  • Firefox 1.0.7 StumbleUpon/1.9993
  • Firefox 1.0.8
  • Firefox 1.0.8 (Ubuntu package 1.0.8)
  • Firefox 1.0.8 SUSE/1.0.8-0.2
  • Firefox 1.0RC2
  • Firefox 1.4 16
  • Firefox 1.4.1
  • Firefox 1.5 133
  • Firefox 1.5.0.1
  • Firefox 1.5.0.1 pango-text
  • Firefox 1.5.0.2
  • Firefox 1.5.0.2 pango-text
  • Firefox 1.5.0.3
  • Firefox 1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)
  • Firefox 1.5.0.3 Creative ZENcast v1.00.12
  • Firefox 1.5.0.3 RTSE/1.0.6
  • Firefox 1.5.0.4
  • Firefox 1.5.0.4 (Debian-1.5.dfsg+1.5.0.4-1)
  • Firefox 1.5.0.4 Creative ZENcast v1.00.12
  • Firefox 1.5.0.4 Flock/0.7.1
  • Firefox 1.5.0.4 RTSE/1.0.6
  • Firefox 1.5.0.4 pango-text
  • Firefox 1.5.0.6
  • Firefox 1.5.0.7
  • Firefox 2.0a1 8
  • Firefox 2.0b1 3
  • Firefox 3.0a1 2
  • MSIE 5.0
  • MSIE 5.0 SP2
  • MSIE 5.01
  • MSIE 5.01 SP1
  • MSIE 5.01 SP2
  • MSIE 5.01 SP3
  • MSIE 5.01 SP4
  • MSIE 5.5
  • MSIE 5.5 SP1
  • MSIE 5.5 SP2
  • MSIE 5.5 SP4
  • MSIE 6.0
  • MSIE 6.0 SP1
  • MSIE 6.0 SP1a
  • MSIE 6.0 SP2
  • MSIE 6.0 SP4
  • MSIE unknown
  • MSIE unknown SP2
  • Netscape
  • Opera
  • Unknown


Sep21
by Jessie Paz (Advanced Threats Researcher)

Two new variations of a Proof-of-Concept (PoC) exploit targeting the 0-day VML vulnerability have been publicly posted on two sources on the web. They both target the same vulnerability as EXPL_EXECOD.A does, but with some modifications in the way it is exploited (the value passed to the fill method inside the rect tag). The PoC posted at XSec can cause Remote Code Execution, while the PoC posted at Milw0rm can cause Denial of Service, as their authors describe.


If you will recall, this was first discovered in the wild by Sunbelt, and a number of sites have also been found using the exploit to infect unsuspecting users. Microsoft has been aware of this security bug since Sunbelt posted an entry about it, and last September 19, Microsoft published Security Advisory (925568), which addresses this issue. Microsoft has dubbed the vulnerability “Vulnerability in Vector Markup Language Could Allow Remote Code Execution”. Microsoft has also suggested four (4) possible workarounds to protect us from this bug while they work on the official patch, which will hopefully be released on October 10, 2006.


One of the workarounds that Microsoft has suggested is to unregister Vgx.dll, which is the affected component.

Follow these steps to unregister the dll.

1. Click Start, click Run, type regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll", and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

However, applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".





Sep20
by Jasper Pimentel (Advanced Threats Researcher)

The Miss World 2006 beauty pageant will be held in Poland on September 30. Unlike other popular international beauty pageants, the Miss World beauty pageant has an interactive way of selecting the winner. Using SMS, people from around the world can vote for the contestant whom they consider to be the one worthy of the beauty title.


A new threat has taken advantage of the event’s unique way of choosing the winner. In another bout of social engineering, it employs the use of instant messaging applications as a distribution vector for the malware. Instant messenger users who are often online may have received the following message recently:


Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…


The message is followed by a URL that the unsuspecting user may expect to lead him to a site or webpage where he can vote for the candidate. Obviously, this does not happen at all. When the URL is accessed, the user is redirected to another website offering credit card debt consolidation, which has absolutely nothing to do with voting for the next Miss World. Here’s what the user didn’t know: when the link was accessed, it redirected to another site that downloaded a Trojan onto the system. To cover up the download, it then redirected to another site that featured the credit card scheme. That way, the user wouldn’t notice anything.


Unless he tried to open the task manager or the registry editor.


Initial analysis shows that this Trojan disables the task manager and the registry editor. Furthermore, Internet Explorer’s startup page is modified so instead of the user’s default web page being loaded when the browser is opened, the site where the malware originates is accessed instead.


Disabling these system applications is a common technique malware uses to hide itself from computer-savvy users. Moreover, it prevents knowledgeable users from verifying whether malware is present on the system. Modifying the startup page in IE ensures that even if the malware is deleted or cleaned from the system, it still has a chance of reinstalling itself.


Fortunately, a solution is currently in the works for this threat. Trend will be detecting this malware as TROJ_AGENT.EVJ. We’ll update you once the detection pattern for this Trojan has been released.


Update (Jasper, Wed, 20 Sep 2006 09:55:05 AM)

The detection pattern for this threat has already been deployed in CPR 3.764.01



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice