
    Archive for January, 2007




    Trend Micro has again discovered flaws related to Windows Mobile. Both of the newly found vulnerabilities are flaws in applications that ship by default with Microsoft’s mobile device OS.


One of the said applications is Pictures and Videos, which causes a mobile device to hang for 10-15 minutes when it tries to process a malformed JPEG file. The other flaw is found in Windows Mobile's Internet Explorer (IE); when exploited, it terminates IE and leaves the affected mobile device unstable.


    Both vulnerabilities affect devices running Windows Mobile 5.0 and Windows Mobile 2003/2003SE for Smartphones and PocketPC. As of this writing, Microsoft has already been informed of these flaws but no patches are available as of yet.

     



The photos that we capture using our digital cameras come in different naming conventions: CIMG{numbers} for Casio, IMG_{numbers} for Canon, DSC{numbers} for Sony, and so on. Thus, receiving a file that follows the format below may puzzle some digital camera hobbyists, but it is usually not going to bother the majority of users, who will likely open the said file without a second thought:


DC{number} (Without comments).JPG_____________________________________________________________.exe


Trend Micro detects this malicious file as TROJ_DLOADER.FYX. Similar to TROJ_DLOADER.EXI, which connects to http://www.{BLOCKED}en21.net/images/r_title08.jpg to download spyware, it connects to the same Web site to download a file detected by Trend Micro as TSPY_BZUB.HN.


    This Trojan arrives via spammed email.
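As an added example (not code from the original post), a Python check that separates a camera-style photo name from the padded double-extension trick shown above; the extension lists and sample names are constructed for the demonstration:

```python
import re

# Extensions Windows launches on double-click (constructed list, not from the post).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Decoy extensions a recipient expecting camera photos would trust.
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}
# Naming conventions the post lists: CIMG#### (Casio), IMG_#### (Canon), DSC#### (Sony).
CAMERA_NAME = re.compile(r"^(CIMG|IMG_|DSC)\d+$", re.IGNORECASE)
# "<ext>" followed by any run of filler characters at the end of the stem.
DECOY_TAIL = re.compile(r"\.([A-Za-z0-9]+)([ _\-.]*)$")

def analyze_attachment_name(name: str) -> dict:
    """Describe how an attachment name would mislead a user who trusts the visible extension."""
    stem, _, final_ext = name.strip().rpartition(".")
    final_ext = final_ext.lower()
    result = {"name": name, "final_ext": final_ext, "decoy_ext": None,
              "padding": 0, "camera_style": False, "verdict": "clean"}
    m = DECOY_TAIL.search(stem)
    if m and m.group(1).lower() in IMAGE_EXTS:
        result["decoy_ext"] = m.group(1).lower()   # the extension the user is meant to see
        result["padding"] = len(m.group(2))        # filler that pushes the real one out of view
        stem = stem[:m.start()]                    # what is left is the "photo" name
    result["camera_style"] = bool(CAMERA_NAME.match(stem))
    if final_ext in EXECUTABLE_EXTS:
        result["verdict"] = "deceptive-double-extension" if result["decoy_ext"] else "executable"
    return result

def flag_attachments(names):
    """Return the names that should be quarantined before they reach a mailbox."""
    return [n for n in names if analyze_attachment_name(n)["verdict"] != "clean"]

# Constructed sample names; the first mimics the pattern shown in the post.
SAMPLE_NAMES = [
    "DC12345 (Without comments).JPG" + "_" * 60 + ".exe",
    "IMG_0042.jpg",
    "DSC00017.JPG",
    "holiday.jpg.exe",
]
```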

     



After the persistent queries of IT journalist Davey Winder, the makers of the satellite navigation device TomTom GO 910 have confirmed reports that two Trojans are embedded in units produced from September to November last year. This is reminiscent of the incident in Japan just last October, when the local McDonald's gave away prize MP3 players that contained WORM_QQPASS.ADH, prompting the food chain to do a mass recall and issue a public apology.


Because the TomTom is Linux-based, the Trojans, which are designed to run on Windows, do not directly affect the device. However, the real problem for the user begins when he or she connects the device to a Windows platform via USB.


    Interestingly, the Trojans are pretty old. One of them, TROJ_PERLOVGA.A, has been detected by Trend Micro as early as June last year. The other Trojan is caught by the generic pattern TROJ_GENERIC. Users with updated antivirus products are thus protected from the threat.


    Users can derive two lessons from this incident. First, nowadays, even fresh-off-the-shelf products are not completely safe from threats, so precaution is key. Any storage device can be inhabited by threats, so users are advised to scan removable devices before use. Which brings us to the second lesson.


This incident brings to light the importance of having antivirus products that provide timely updates. Even with safe computing practices, unexpected cases like this still bring threats. In fact, the makers of TomTom did not do a recall, advising their customers instead to get rid of the Trojans by using antivirus products.


    It is not clear how the Trojans got into the products, but the company insisted that it was an isolated case. Customers without an antivirus product were advised to install one.


    Davey Winder’s complete documentation of the incident, as well as the full statement from the company, can be found here: http://www.daniweb.com/blogs/entry1276.html.

     



    TrendLabs has just discovered a new MDROPPER variant circulating in the wild and taking advantage of a newly discovered vulnerability in Microsoft Word 2000.


    Detected as TROJ_MDROPPER.EQ, this Trojan is a specially crafted .DOC file that may arrive on systems as an attachment to spammed email messages, or dropped/downloaded by other malware. When executed, it then exploits the mentioned flaw in order to drop and execute an embedded — and possibly malicious — file.


    Microsoft has already released a Security Advisory regarding the said vulnerability and the “limited ‘zero-day’ attacks” exploiting it. Since a security patch is yet to be released, users are advised not to open .DOC files from untrusted or unexpected sources.

     



This is just another obfuscated script, but it attempts to exploit Windows versions from 2003 down to Windows 95, and possibly earlier versions as well, as you will see later. It uses browser exploits to download and execute a malicious file from the Internet right onto your box. But you don't have to worry if your system is fully patched, because it targets known vulnerabilities for which the vendors have already provided patches.


The URL, when accessed, is a bit deceiving because it looks like you have landed on a non-existent resource on the server. Unknown to the visitor, the malicious script embedded on the page is meanwhile gathering system information to decide which exploits it may serve... very rude!



The image above shows the source code of the malicious website, and it is quite heavily obfuscated. There is also a special page for Netscape browser users. After a three-step de-obfuscation process, the author's intention and what will most likely happen to your system become pretty clear. I have summarized the exploits that the attacker will use to compromise the system in a table, set against the version of Windows that the victim is using.


    The exploit names I’ve used are based on the function names that the author has used in his program.


    Function Description:


    RDS
This function exploits the MS06-014 vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe as C:\NTDETECT.EXE.


    MDAC
This function exploits the MS06-014 vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe as Uninstall.exe, Uninstall0.exe, or a randomly generated filename in the following locations.



    • $AllUsersStartupFolder\Uninstall.exe

    • or $StartupFolder\\Uninstall0.exe

    • or C:\\Documents and Settings\\All Users\\Menu Inicio\\Programas\\Inicio\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Menuen Start\\Programmer\\Start\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Menu Start\\Programma\\’s\\Opstarten\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Menu Start\\Programy\\Autostart\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Menu Avvio\\Programmi\\Esecuzioneautomatica\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Kaynnista-valikko\\Ohjelmat\\Kaynnistys\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Start Menu\\Programlar\\BASLANGIC\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Start-meny\\Programmer\\Oppstart\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Start-menyn\\Program\\Autostart\\Uninstall.exe

    • or C:\\Documents and Settings\\All Users\\Menu Iniciar\\Programas\\Iniciar\\Uninstall.exe

    • or C:\\Dokumente und Einstellungen\\All Users\\Startmenu\\Programme\\Autostart\\Uninstall.exe

    AND



• $TEMPDIR\Math.round(Math.random()*(1000000-1)+10000)+".exe"

• or $HOMEDRIVE\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Uninstall.exe

• or C:\\RECYCLER\\"+Math.round(Math.random()*(1000000-1)+10000)+".exe"

• or "\\sys"+Math.round(Math.random()*(1000000-1)+10000)+".exe"

    WVF
This function exploits the MS06-057 vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe.


    JAVA
This function exploits the MS02-069 (JVM CODEBASE) vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe.


    XML
This function also attempts to download and execute http://66.xxx.xxx.67/bin/win.exe by exploiting either the MS06-071 (XMLHTTP) or the MS04-025 (ADODB.Stream) vulnerability.


On the other hand, if the victim is using the Netscape web browser, an MS06-006 (Media Player Plugin EMBED) exploit is triggered, but it seems to be broken.


Whew! That's a lot of exploits, huh! It also targets a number of language platforms and uses fail-safe copying of the malicious file to the affected system, as you can see in its MDAC function and in the rest of the code.
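As an added example (not the script's code or Trend Micro's), a Python classifier that flags file writes to the MDAC function's localized startup folders, the RECYCLER and temp random-name drops, and the RDS branch's C:\NTDETECT.EXE; the event-line format and sample events are constructed assumptions:

```python
import re

# Localized "Startup" folder names, taken from the drop paths the MDAC function cycles through.
STARTUP_FOLDERS = {"startup", "inicio", "start", "opstarten", "autostart",
                   "esecuzioneautomatica", "kaynnistys", "baslangic", "oppstart", "iniciar"}
DROPPED_NAMES = {"uninstall.exe", "uninstall0.exe"}
# Math.round(Math.random()*(1000000-1)+10000) yields an integer in 10000..1009999.
RANDOM_EXE = re.compile(r"^(sys)?(\d+)\.exe$")

def _random_name(name: str) -> bool:
    m = RANDOM_EXE.match(name)
    return bool(m) and 10000 <= int(m.group(2)) <= 1009999

def classify_drop(path: str) -> str:
    """Label a file-write path with the kit branch it resembles, or 'benign'."""
    # Collapse JS-escaped backslashes, unify separators, lower-case and split the path.
    p = path.strip().replace("\\\\", "\\").replace("/", "\\").lower()
    parts = [c for c in p.split("\\") if c]
    name, folders = (parts[-1], parts[:-1]) if parts else ("", [])
    if folders == ["c:"] and name == "ntdetect.exe":
        return "boot-file-masquerade"        # RDS branch: reuses the name of a real boot file
    if "all users" in folders and folders[-1] in STARTUP_FOLDERS and name in DROPPED_NAMES:
        return "all-users-startup"           # MDAC branch, whichever locale the folder uses
    if folders and folders[-1] == "recycler" and _random_name(name):
        return "recycler-random"
    if name.startswith("sys") and _random_name(name):
        return "sys-random"
    if folders and ("temp" in folders[-1] or folders[-1] == "$tempdir") and _random_name(name):
        return "temp-random"
    return "benign"

def scan_events(lines):
    """Run the classifier over '<pid> <action> <path>' lines; return (path, label) for hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=2)
        if len(fields) == 3 and fields[1] == "CreateFile":
            label = classify_drop(fields[2])
            if label != "benign":
                hits.append((fields[2], label))
    return hits

# Constructed sample events (not from the post), as a sandbox might log them for iexplore.exe.
SAMPLE_EVENTS = [
    "1234 CreateFile C:\\NTDETECT.EXE",
    "1234 CreateFile C:\\Documents and Settings\\All Users\\Menu Inicio\\Programas\\Inicio\\Uninstall.exe",
    "1234 CreateFile C:\\RECYCLER\\482913.exe",
    "1234 CreateFile C:\\Documents and Settings\\user\\My Documents\\report.doc",
]
```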


The good news is that the vulnerabilities being targeted were already patched by the vendor; the bad news is that not all users apply these patches. Incidents like this teach us the importance of keeping product patches and antivirus patterns up to date.


Note:
The malicious script, the downloaded file, and the URL were all submitted to the respective teams for integration into Trend Micro solutions.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice