Trend Micro Malware Blog

    Archive for September, 2006



    Sep 20, 2006, 9:27 am (UTC-7)

    We have just received reports of several sites using the new IE zero-day exploit in conjunction with a Web Attacker kit. Previously, Web Attacker kits were more commonly paired with known browser vulnerabilities, many of which Microsoft had already patched, so a fully patched machine was safe from them. Now that the kit is being used with the new IE zero-day there is no patch to apply, and a lot more users may be vulnerable to this sort of attack.


    For those who have never heard of Web Attacker kits: they gained quite a bit of media attention earlier this year. A Web Attacker kit is basically a user-friendly, do-it-yourself hacking kit. That particular kit was sold to the public via a Russian-based website for a sinfully low price of 15 to 20 US dollars. Any script kiddie could purchase the kit off the Internet, plant the code it provides on a website, and infect the computers of visitors; all that is left to do is spam out messages containing a link to that site.


    This serves as another heads-up. We are still gathering more information and will post it as it becomes available. Stay tuned for updates!

     
    Posted in Uncategorized | Comments Off



    Sunbelt has just discovered a new IE zero-day being exploited in the wild. The exploit takes advantage of a vulnerability in Internet Explorer's handling of Vector Markup Language (VML) to overflow a buffer and run attacker-supplied shellcode.


    I will update this post as research on the subject is still ongoing.


    Update (Jovs, Tue, 19 Sep 2006 10:37:07 PM)


    For those who don't know, the vulnerable DLL exploited by this zero-day is VGX.DLL, the component Internet Explorer uses to render Vector Markup Language (VML).


    Sunbelt has proposed disabling JavaScript in IE to mitigate the exploit. Note that this only helps for as long as the exploit pages depend on script to deliver their payload; it does not fix the underlying VML bug. Microsoft's security advisory for this vulnerability also describes unregistering the vulnerable DLL (regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll") as a workaround, which disables VML rendering entirely. Or you can just use an alternative browser such as Firefox for the time being.


    Microsoft has already been informed about the vulnerability. So far there is no patch available, but give them time; it is a zero-day after all.


    This post will be updated with the malware name assigned to the exploit code.



    Update (Chachi, Wed, 20 Sep 2006 03:08:05 AM)


    The exploit code is now detected as EXPL_EXECOD.A, and the executable payloads are detected as TROJ_AGENT.FAC, TROJ_DELF.DBC and TROJ_DLOADER.EES.


    These are now detected using Controlled Pattern Release (CPR) 3.764.02.
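The post above does not describe the malformed VML that triggers the overflow, and the detection it mentions is signature-based. As an added example (my code, not Trend Micro's and not the exploit), the following scanner flags the generic shape of a browser memory-corruption exploit page: VML markup combined with an abnormally long attribute value, or with a long %u-escaped string handed to unescape() (the usual way shellcode and heap sprays are embedded). The function name scan_html, the two thresholds and the two sample pages are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Heuristic thresholds; assumptions for this example, not values from the post.
LONG_ATTR_CHARS = 512        # legitimate VML attribute values are short
MIN_UNESCAPE_UNITS = 32      # this many %uXXXX units in one string looks like shellcode

VML_NAMESPACE = "urn:schemas-microsoft-com:vml"
# <v:tag attr="..."> elements; VML markup is conventionally bound to the "v" prefix.
VML_TAG_RE = re.compile(r"<v:([a-z]+)\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.DOTALL)
# unescape("%u9090%u9090...") with at least MIN_UNESCAPE_UNITS units in a row
UNESCAPE_RE = re.compile(
    r"""unescape\s*\(\s*["'](?:%u[0-9a-fA-F]{4}){""" + str(MIN_UNESCAPE_UNITS) + r",}",
    re.IGNORECASE,
)


def scan_html(html: str) -> Dict[str, object]:
    """Return whether the page uses VML, a list of findings, and a verdict.

    A page is called suspicious only when VML markup is present together with
    at least one of: an oversized attribute on a <v:...> element, or a long
    %u-escaped string passed to unescape()."""
    findings: List[str] = []
    uses_vml = VML_NAMESPACE in html.lower() or bool(VML_TAG_RE.search(html))
    for tag_match in VML_TAG_RE.finditer(html):
        tag, attrs = tag_match.group(1).lower(), tag_match.group(2)
        for attr_match in ATTR_RE.finditer(attrs):
            name = attr_match.group(1)
            value = attr_match.group(2) or attr_match.group(3) or attr_match.group(4) or ""
            if len(value) >= LONG_ATTR_CHARS:
                findings.append(f"oversized attribute v:{tag}@{name} ({len(value)} chars)")
    if UNESCAPE_RE.search(html):
        findings.append("long %u-escaped string passed to unescape() (shellcode/heap-spray shape)")
    return {"uses_vml": uses_vml, "findings": findings,
            "suspicious": uses_vml and bool(findings)}


# Constructed sample inputs (not captured pages). The benign page is ordinary
# VML; the suspect page pads one attribute and carries a %u-encoded string.
BENIGN_PAGE = r"""<html xmlns:v="urn:schemas-microsoft-com:vml"><head>
<style>v\:* { behavior: url(#default#VML); }</style></head>
<body><v:rect style="width:120px;height:60px"><v:fill color="#ff0000"/></v:rect></body></html>"""

SUSPECT_PAGE = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>'
    '<script>var sc = unescape("' + "%u9090" * 64 + '");</script>'
    '<v:rect style="width:120px;height:60px">'
    '<v:fill method="' + "A" * 2000 + '"/></v:rect></body></html>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(label, scan_html(page))
```

This is a triage heuristic, not a signature: it will miss exploit pages that keep the overflow string out of the attribute text (for example, building it from script at runtime), and it will flag legitimate pages that happen to inline large VML data, so treat a hit as a reason to detonate the page in a sandbox rather than as a verdict.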


     


    Sep 19, 2006, 11:52 am (UTC-7)

    As of this writing, we have received a total of 1,335 samples in a couple of hours. Trend Micro already detects this threat as TROJ_CLAGGE.B using OPR (Official Pattern Release) 3.759.00.


    The malware arrives as an email attachment named Rechnung.zip or Rakningen.zip (7,028 bytes). "Rechnung" is German for "invoice" and "Rakningen" is Swedish for "the invoice", so the lure is a localized fake bill. Be wary of emails carrying those attachments and do not attempt to open them. For more information on what the malware is capable of, see our Virus Encyclopedia entry.


    We are still looking into the details of this spammed malware; for now, please be very careful with attachments bearing the aforementioned filenames in your inbox.
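A mail-gateway check for the indicators in this post, added here as an example (my code, not Trend Micro's). It walks every MIME part of a raw message, reports attachments whose name matches either lure, and records the decoded size, a SHA-256 for sample tracking, and whether the file actually starts with a ZIP signature. The function names inspect_message and build_sample, the sender and recipient addresses, and the placeholder payload are all constructed for this example; the payload is a ZIP header padded to the reported 7,028 bytes, not the malware.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Indicators from the post: the two lure filenames and the reported sample size.
SUSPECT_NAMES = {"rechnung.zip", "rakningen.zip"}
REPORTED_SIZE = 7028
ZIP_MAGIC = b"PK\x03\x04"


def inspect_message(raw: bytes) -> List[Dict[str, object]]:
    """Return a record for each attachment whose filename matches the lure.

    Filenames are compared case-insensitively; the payload is base64/QP
    decoded before sizing and hashing so the numbers match the file on disk."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[Dict[str, object]] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                      # containers carry no payload themselves
        name = part.get_filename()
        if not name or name.lower() not in SUSPECT_NAMES:
            continue
        data = part.get_payload(decode=True) or b""
        hits.append({
            "filename": name,
            "size": len(data),
            "size_matches_report": len(data) == REPORTED_SIZE,
            "is_zip": data.startswith(ZIP_MAGIC),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return hits


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a test message carrying `payload` as an attachment.

    Example input only: the addresses are placeholders and the body text is a
    generic German 'invoice attached' line in the style of the lure."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Rechnung"
    msg.set_content("Anbei Ihre Rechnung.")
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


# Placeholder attachment: a ZIP signature padded to the reported size. It is
# not the malware, only a stand-in with the same name and size.
SAMPLE_PAYLOAD = ZIP_MAGIC + b"\x00" * (REPORTED_SIZE - len(ZIP_MAGIC))

if __name__ == "__main__":
    for hit in inspect_message(build_sample("Rechnung.zip", SAMPLE_PAYLOAD)):
        print(hit)
```

Matching on the filename alone is brittle (the spammer only has to rename the file), which is why the record also carries the hash and the ZIP check: once a confirmed sample hash is known, the same loop can block on sha256 regardless of the name the next run uses.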

     



    For the past few days, the AV team has been analyzing a set of files and URLs related to a certain Linkoptimizer Trojan.


    Earlier today, Jovs posted about the site js.gbeb.cc, which uses an unusual way of obfuscating its code. When accessed, this site connects on to other sites, namely:



    • http://js.pcweb.cc
    • http://xearl.com
    • http://cvoesdjd.com
    • http://lah3bum9.com
    • http://gromozon.com
    • http://td8eau9td.com
    • http://mioctad.com

    These sites in turn download TROJ_RKDICE.H with its rootkit component TROJ_LINKOPTIM.G.


    TROJ_LINKOPTIM.G is a Browser Helper Object (BHO) that connects to these sites:



    • http://www.flashkin.net/sl.php
    • http://www.flashkin.net/common/template.php
    • http://www.flashkin.net/sh.php
    • http://www.flashkin.net/bs.php
    • http://www.flashkin.net/wl.php
    • http://www.flashkin.net/wlink.php
    • http://www.flashkin.net/ws.php
    • http://www.flashkin.net/gc.php
    • http://washerner.com/
    • http://chongchua.com/
    • http://livingcert.com/
    • http://fogcu.com/

    For now, the sites listed above serve blank pages (our URL blocking nevertheless blocks them).


    The point of this entry is to emphasize that the infection cycle of this Trojan is an example of how malware uses multiple components for propagation, obfuscation and detection avoidance.

     


    Sep 18, 2006, 9:37 am (UTC-7)

    Trend Micro recently released an urgent OPR (Official Pattern Release) due to the increase in PE_LOOKED infections reported by Trend Micro's business units. A notification was also sent out recommending that the following IP addresses be blocked:



    • 218.83.155.72
    • 218.85.132.212
    • 220.247.158.178
    • 221.231.138.85
    • 221.231.140.223
    • 59.34.197.251
    • 60.190.222.233
    • 61.152.116.22
    • 61.162.230.130

    These are the download addresses found in the PE_LOOKED variants. A simple Whois query shows that these addresses belong mostly to ISPs in China and Taiwan, which leads us to conclude, tentatively, that they are zombie machines in China and Taiwan compromised by malicious hackers, probably operating from China.
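Both this post and the Linkoptimizer post above end with a list of hosts to block, and the practical question is how to turn those lists into a check you can run over proxy logs. The following is an added example (my code, not Trend Micro's) that does exactly that for the indicators on this page: the Linkoptimizer domains (js.gbeb.cc, the sites it chains to, and the flashkin.net hosts the BHO contacts) and the PE_LOOKED download addresses. Domains match on the host and any parent domain, so www.flashkin.net hits flashkin.net, while a look-alike such as gromozon.com.example.org does not; IP literals are compared as addresses. The log layout, the function names host_matches and find_hits, and the sample lines are all constructed for this example.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the two posts: Linkoptimizer hosts and the
# PE_LOOKED download addresses.
BLOCKED_DOMAINS = {
    "js.gbeb.cc", "js.pcweb.cc", "xearl.com", "cvoesdjd.com", "lah3bum9.com",
    "gromozon.com", "td8eau9td.com", "mioctad.com", "flashkin.net",
    "washerner.com", "chongchua.com", "livingcert.com", "fogcu.com",
}
BLOCKED_IPS = {
    ipaddress.ip_address(a) for a in (
        "218.83.155.72", "218.85.132.212", "220.247.158.178", "221.231.138.85",
        "221.231.140.223", "59.34.197.251", "60.190.222.233", "61.152.116.22",
        "61.162.230.130",
    )
}


def host_matches(host: str) -> Optional[str]:
    """Return the blocked indicator that covers `host`, or None.

    Domains match on themselves and on every parent domain (but never on the
    bare TLD); IP literals are parsed and compared as addresses, not strings."""
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return str(addr) if addr in BLOCKED_IPS else None
    labels = host.split(".")
    for i in range(len(labels) - 1):       # walk up: host, parent, ... (stop before the TLD)
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def find_hits(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan proxy log lines of the form '<ts> <client> <method> <url> <status>'
    (a constructed layout for this example) and return (client, url, indicator)
    for every request to a blocked host."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue                        # skip malformed lines rather than crash
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname
        if not host:
            continue
        indicator = host_matches(host)
        if indicator:
            hits.append((client, url, indicator))
    return hits


# Constructed sample log lines (not real traffic); paths are placeholders.
LOG_LINES = """\
1158691200.001 192.168.1.10 GET http://www.flashkin.net/sl.php 200
1158691201.114 192.168.1.10 GET http://js.gbeb.cc/ 200
1158691202.330 192.168.1.22 GET http://www.trendmicro.com/ 200
1158691203.502 192.168.1.22 GET http://218.83.155.72/update.exe 200
1158691204.777 192.168.1.30 GET http://gromozon.com.example.org/ 200
""".splitlines()

if __name__ == "__main__":
    for client, url, indicator in find_hits(LOG_LINES):
        print(f"{client} -> {url} (blocked: {indicator})")
```

The parent-domain walk is what makes a domain blocklist useful against this kind of multi-stage chain: the BHO contacts www.flashkin.net under several paths, and the operators can add hosts under a domain they control at will, so blocking the registered domain rather than individual URLs catches the variants you have not seen yet. The same loop applied to historical logs gives you the list of clients that already fetched a download address, which is the starting point for cleanup.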


    It is also notable that the PE_LOOKED file infector downloads spyware Trojans that steal user credentials for the online game Lineage. The stolen credentials let the attacker log in to the compromised user's game account and do whatever he wants. In my opinion, though, taking over someone else's game is not the main objective of this spyware. In this game there are items and other things that make a character strong, and these are the real target: the attacker can profit by selling what he has looted to other Lineage players. Yes, it all boils down to money. :) Below is a snippet of a website that offers Lineage items, accounts and more for a price.




    PE_LOOKED is thus not just a file infector but also a means of making a profit. More generally, it is now evident that malware authors are after money these days, compared with the old malware that was written for fame or for fun.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice