Trend Micro Malware Blog

Archive for November 6th, 2006




Amidst a period when the antivirus and computer security industry is all agog over targeted Trojan attacks, Trojan downloaders and spyware, comes a threat that, on the surface, is reminiscent of the mass-mailers that plagued cyberspace in previous years, such as BAGLE, NETSKY, MYDOOM and MYTOB. Just as we thought mass-mailers were dying down, a new breed of mass-mailer known as STRATION (aka WAREZOV, STRAT) has arrived.


The first variant appeared in the latter days of the third quarter of 2006, specifically on August 16, 2006, and was given the detection name WORM_STRATION.A. In only two months Trend Micro has received well over 150 variants; the most recent, WORM_STRAT.EQ, was detected on October 25, 2006 by Official Pattern Release 883.


At first there was neither rhyme nor reason to the behavior of the STRATION worms. Yes, they exhibited features much like those of previous mass-mailers, but there were differences: bursts of spiked attacks or continuous massive spamming within short time frames; the use of many different top-level domains by STRATION's downloader components as infection vectors, which adds to the rising complexity of web threats; and, of course, the ultimate motive of the mass-mailer, unlike previous worms whose only purpose was to spread to as many computer systems as possible.


    NOTE: This is a research and investigative work in progress as the STRATION menace still continues up to this very minute…




Nothing is sacred anymore, and the recent malware attack on goody-goody Wikipedia brings this fact home more blatantly than a bad rabbi-priest joke. In spammed email messages, recipients were lured to download a Windows “security update” via a particular article page in Wikipedia. Not surprisingly, the article in question is about the infamous WORM_BLASTER.


Living up to its good name, Wikipedia acted with due haste and deleted the misleading warning text and link that had been added to the article. Its editors also cleaned Wikipedia’s archive to completely eradicate the threat. More information about the attack can be found at this link.




A remote code execution vulnerability has been confirmed in the Microsoft XML Core Services XMLHTTP ActiveX Control. According to a report by FrSIRT:


    This flaw is due to a memory corruption error in the XMLHTTP ActiveX Control when processing specially crafted arguments passed to a “setRequestHeader()” method, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by tricking a user into visiting a malicious Web page.


Microsoft has already released a security advisory for this issue and, as of this writing, is still investigating the public reports.


The advisory also lists workarounds to protect your systems while a patch remains unavailable.


    We will update this blog as more information about the vulnerability is acquired.
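The standard Microsoft workaround for a vulnerable ActiveX control is the Internet Explorer "kill bit", which stops IE from instantiating the control by its CLSID. The script below is an added example, not part of the original post or of Microsoft's advisory; the CLSID in it is a placeholder that must be replaced with the one given in the advisory, and the check-then-set logic and function names are this example's own.

```powershell
# Added example: check for, and set, the IE ActiveX kill bit for one CLSID.
# The CLSID below is a PLACEHOLDER; use the value listed in Microsoft's advisory.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-KillBit {
    param([string]$Path)
    # Read the existing Compatibility Flags value; a missing key means no kill bit.
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Path)
    # Create the per-CLSID key if needed (requires an elevated prompt).
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so any other flags already set are preserved.
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

if (Test-KillBit $KeyPath) {
    "Kill bit already set for $Clsid"
} else {
    Set-KillBit $KeyPath
    "Kill bit set for $Clsid; the control will no longer load in Internet Explorer"
}
```

Remove the bit again (or let the eventual patch's installer handle it) once a fixed version of the control is deployed, since the kill bit blocks legitimate pages that use that control as well.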


    Update (Jhoevine Capicio, Tue, 07 Nov 2006 03:28:16 AM)


The Sunbelt Blog has confirmed that this exploit is now being used in the wild.

