Archive for March, 2007


Mar20
by Jessie Paz (Advanced Threats Researcher)

There is a huge volume of unsolicited email running through the veins and arteries of the Internet every single second of the day, and this particular phish is just one of them.


TrendLabs has received a report of a spam run that appears to be seeded from Germany. The phish claims to be a confirmation email from the Apple Store and entices the user to follow the embedded link, which leads to a page where another link to a malicious binary is offered. The spammed email is in German; an English variant is believed to exist as well, with both pointing to the same malicious binary.

Here is the sample email scam in German (Thanks to Rainer Link for providing the sample).




The binary is currently being analyzed and will be included soon in the Trend Micro pattern files. The offending domain that hosts the binary has also been included in the RS Pattern that will be released on March 20, 2007 at 8:00 PM (PH Time). Updates on the detection name of the malicious binary will be posted shortly.


Mar19
by Carolyn Guevarra (Technical Communications)

http://www.myspace.com/mamasaidtheband

Yet another malware has recently been discovered lurking in the pages of MySpace, a popular social networking Web site that has become a favorite target of malware authors today. This malware is a JavaScript Trojan that uses QuickTime movies as its infection vector. The malicious script is embedded in the MySpace page of a French rock band. The page contains an EMBED tag that instructs a user’s browser to play a movie when the HTML page is opened. However, the movie’s attribute is set to “hidden”, so it is invisible to the profile viewer. The QuickTime movie is downloaded from the server profileawareness.com.



QuickTime has a feature that allows URLs or JavaScript code to be embedded in a movie. This malware takes advantage of this feature by embedding a malicious JavaScript program within the movie. Thus, when the movie is played, the JavaScript is automatically downloaded and executed. This JavaScript is spyware that collects data about the MySpace users who visit the page. The stolen information is then uploaded to the profileawareness server.


Trend Micro detects the malicious JavaScript as JS_SPACESTALK.A and the QuickTime movie as TROJ_DLOADER.JHV.


External sources have confirmed that the said vulnerability exists in version 7.1.3 of the QuickTime software for Windows, and possibly in earlier versions as well. This issue has already been addressed by Apple in their latest QuickTime release. More information on how to update QuickTime can be found here.

Sometimes when you try to update your QuickTime player using the “Update Existing Software” option under the program’s Help menu, it tells the user that the software is already up to date even when it isn’t. To be safe, you may have to manually re-install the software using the latest installation package available at the Apple Web site.



Mar17
by Jonell Baltazar (Advanced Threats Researcher)

Reading through some security forums, I came across a post talking about MS07-012 (Vulnerability in Microsoft MFC Could Allow Remote Code Execution). The researcher claimed that the security fix did not solve all of the problems found in the MFC library MFC42u.dll. Thus, the workstation is still vulnerable even if the security fix was applied.


[Start Quote]


The original MS07-012 patch was released to fix an issue in the MFC library MFC42u.dll. The issue was the result of MS not taking into account that a TCHAR string is actually twice as big as its CHAR counterparts. To fix this, the patch readjusted the nMaxCount variable to half of its original value in the GetMenuStringW(…) call. Unfortunately, GetMenuStringW will null terminate a long string at the end adding two additional characters to the string. This gives a returned string of (nMaxCount*2) + 2 bytes in size.

[End Quote]


The researcher said that exploitation of the said vulnerability is not trivial; however, a successful exploit is possible. Also, Microsoft mentioned in their Security Bulletin that remote code execution is possible for MS07-012. Thus, it is likely that this vulnerability will be used by malicious attackers. As of this time, we don’t have reports of active exploitation in the wild for MS07-012 (and hopefully there will be none in the future).
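As an added illustration (not from the original post, the quoted researcher, or Microsoft), the following C model reproduces the sizing arithmetic described in the quote: it assumes a 2-byte WCHAR and that the call copies up to nMaxCount characters and then appends a null terminator, and it compares the unpatched, the MS07-012 and a terminator-aware nMaxCount for one constructed buffer size and two constructed menu lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t WCHAR16;   /* Windows WCHAR is 2 bytes (assumed in this model) */

/* Bytes a GetMenuStringW-style call writes for a given nMaxCount, under the
 * behaviour quoted above: up to nMaxCount characters are copied, then a
 * null WCHAR is appended. This models that description; it is not Win32. */
size_t bytes_written(size_t menu_len, size_t nMaxCount) {
    size_t copied = menu_len < nMaxCount ? menu_len : nMaxCount;
    return copied * sizeof(WCHAR16) + sizeof(WCHAR16);
}

/* Three ways of deriving nMaxCount from a caller buffer of buf_bytes bytes. */
size_t nmax_unpatched(size_t buf_bytes) {   /* byte count passed as a character count */
    return buf_bytes;
}
size_t nmax_ms07_012(size_t buf_bytes) {    /* halved, as the quoted patch does */
    return buf_bytes / 2;
}
size_t nmax_correct(size_t buf_bytes) {     /* halved, minus room for the terminator */
    return buf_bytes / sizeof(WCHAR16) - 1;
}

/* 1 if the call would write past the end of the buffer, 0 otherwise. */
int overflows(size_t buf_bytes, size_t nMaxCount, size_t menu_len) {
    return bytes_written(menu_len, nMaxCount) > buf_bytes ? 1 : 0;
}

int main(void) {
    const size_t buf_bytes = 256;             /* constructed caller buffer, in bytes */
    const size_t lens[] = { 10, 256 };        /* constructed: short and oversized menu text */
    for (size_t i = 0; i < 2; i++) {
        size_t n = lens[i];
        size_t a = nmax_unpatched(buf_bytes), b = nmax_ms07_012(buf_bytes), c = nmax_correct(buf_bytes);
        printf("menu_len=%3zu  unpatched: %3zu bytes (%s)  ms07-012: %3zu bytes (%s)  correct: %3zu bytes (%s)\n",
               n,
               bytes_written(n, a), overflows(buf_bytes, a, n) ? "overflow" : "ok",
               bytes_written(n, b), overflows(buf_bytes, b, n) ? "overflow" : "ok",
               bytes_written(n, c), overflows(buf_bytes, c, n) ? "overflow" : "ok");
    }
    return 0;
}
```

With a short menu string all three sizings fit, which is why the defect goes unnoticed; with an oversized string the halved nMaxCount still writes two bytes past the buffer, exactly the (nMaxCount*2) + 2 the quote describes.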


Mar14
by Jasper Pimentel (Advanced Threats Researcher)

This is one of those things that go unnoticed until someone comes up with a deviously crafted malware to demonstrate its potential. If you’re on a Windows system, try hitting the SHIFT key five times and you’ll see a dialog box similar to the one below.



The resulting dialog box is an interface to enable the use of StickyKeys, which is a Windows feature to aid handicapped users. There is nothing really wrong with the use of this feature. The only problem is how it is implemented.

You see, when you hit the SHIFT key 5 times, a file called sethc.exe is executed from within the Windows folder. This program is the one responsible for the dialog box that you just saw earlier. Regardless of the content of sethc.exe, Windows would still execute it if the SHIFT key were pressed 5 times. If the original contents of the file were overwritten with malicious code, then the malicious content would be executed once the SHIFT key is pressed 5 times. This feature provides malware authors with a potential attack vector.

To mitigate this, you can disable the shortcut for StickyKeys. You can do this by opening the Control Panel and modifying the settings for StickyKeys in the Accessibility Options dialog. Click on the Settings button and uncheck the option for using the keyboard shortcut.



Once this setting has been put into effect, hitting the SHIFT key 5 times will no longer activate the StickyKeys interface.


Mar14
by Kathryn Cheng (Technical Communications)

Similar to SYMBOS_MREX.A, the recently discovered Symbian malware SYMBOS_FEAKS.A also affects devices that run on the UIQ platform.


UIQ is a software platform and GUI based on Symbian OS. Like S60, the other Symbian platform, it provides additional components on top of the core operating system, enabling compatible mobile devices to run third-party applications.


Currently, only a limited number of devices support UIQ. Targeting those devices clearly suggests that the malware author is trying to prove a point rather than aiming to actually spread the Symbian malware and cause an outbreak.


SYMBOS_FEAKS.A attempts to spread by sending the following SMS message to the affected mobile phone’s contacts:



hey check this link out bye
http://www.{BLOCKED}.ucsb.edu/%7efeakk/feakk.zip


Although currently inaccessible, the URL mentioned above supposedly contains a copy of the Symbian malware.


To avoid infection, refrain from receiving and installing unsolicited files from other mobile devices. If you have received the SMS message specified above, delete it and do not visit the URL. In addition, download and install Trend Micro Mobile Security and keep your patterns updated.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice