C2C Anyone?

For chatters who frequent Yahoo! Chat rooms, this is a common thing to say. C2C (Cam to Cam) chat has become very popular, from chatters who just want to see their chat mates to webcam shows for faraway loved ones; most of the time a webcam is used while chatting on Yahoo! Messenger.

Sad to say, Yahoo! Webcam did not escape the reality that almost all software has vulnerabilities. Two vulnerabilities in Yahoo! Messenger have been disclosed to the public. Both have been shown to allow arbitrary code execution, which means it may be only a matter of time before they are exploited by malicious users.

The first vulnerability is caused by a lack of boundary checking in ywcupl.dll (the Yahoo! Webcam Upload ActiveX control). A stack-based buffer overflow is triggered by assigning a very long string to the "Server" property and then calling the "Send()" method. The second vulnerability is caused by a lack of boundary checking in ywcvwr.dll (the Yahoo! Webcam Viewer ActiveX control). It works the same way as the first, but this time the overflow is triggered by calling the "Receive()" method instead of "Send()". Because both are scriptable ActiveX controls, a user does not have to be chatting to be hit: a web page that instantiates the control and sets the property from script is enough.

Not to worry though, because Yahoo! has already released an update that fixes this issue. Please go to this site to learn more about the vulnerability and how to update your Yahoo! Messenger.
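The bug class described above, as an added illustration that is not Yahoo!'s code and does not reproduce the real controls: a property setter that copies a script-supplied string into a fixed stack buffer without checking its length, next to a bounded setter and a Send() that refuses to run without a valid property. The 64-byte buffer, the struct and the function names are assumptions made for the demo.

```c
/* Added example (not Yahoo!'s code): an unchecked "Server" property copied
 * into a fixed stack buffer, and the hardened form that closes the hole.
 * SERVER_MAX, struct webcam_ctl and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define SERVER_MAX 64

/* Model of a scriptable control with a "Server" property. */
struct webcam_ctl {
    char server[SERVER_MAX];
    int  server_set;
};

/* Vulnerable pattern: whatever the script assigned is copied into a fixed
 * stack buffer with no bound. A value longer than SERVER_MAX - 1 bytes
 * overwrites the stack; it is shown here only for the shape of the bug and
 * is never called with an over-long value in this program. */
static void send_unchecked(const char *server_prop)
{
    char host[SERVER_MAX];
    strcpy(host, server_prop);               /* no length check: overflow */
    printf("connecting to %s\n", host);
}

/* Hardened setter: reject an over-long or empty value at assignment time,
 * so Send() can never see an oversized string. Returns 0 on success, -1 if
 * the value would not fit. */
int set_server(struct webcam_ctl *ctl, const char *value)
{
    size_t n = strlen(value);
    if (n == 0 || n >= SERVER_MAX) {
        ctl->server_set = 0;
        return -1;
    }
    memcpy(ctl->server, value, n + 1);       /* n + 1 includes the NUL */
    ctl->server_set = 1;
    return 0;
}

/* Hardened Send(): copies with an explicit bound and refuses to run when no
 * valid Server was set. Returns 0 on success, -1 otherwise. */
int send_checked(const struct webcam_ctl *ctl)
{
    char host[SERVER_MAX];
    if (!ctl->server_set)
        return -1;
    snprintf(host, sizeof host, "%s", ctl->server);
    printf("connecting to %s\n", host);
    return 0;
}

int main(void)
{
    struct webcam_ctl ctl = {0};
    char attacker[512];                      /* constructed over-long value */
    memset(attacker, 'A', sizeof attacker - 1);
    attacker[sizeof attacker - 1] = '\0';

    send_unchecked("webcam.example");        /* short input, so no crash here */
    /* send_unchecked(attacker); would smash 'host' on the stack */

    printf("over-long value accepted: %s\n",
           set_server(&ctl, attacker) == 0 ? "yes" : "no");
    printf("send with no server set: %d\n", send_checked(&ctl));
    set_server(&ctl, "webcam.example");
    printf("send with valid server:  %d\n", send_checked(&ctl));
    return 0;
}
```

The point of the hardened version is that the check happens where the untrusted value enters the object, not in every method that later reads it; the bounded copy in send_checked() is defence in depth, not the primary fix.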
Archive for June 11th, 2007
Days after the public posting of two Yahoo! Messenger vulnerabilities, malware authors have created malicious code exploiting them. The malware is detected as JS_DLOADER.NSP; it points to another component that also exploits one of the Yahoo! Messenger vulnerabilities (already detected as JS_AGENT.TEJ). The latter downloads and installs Trojans, detected by Trend Micro as TSPY_AGENT.TRI, TROJ_DELF.HYI, and TROJ_PCCLIENT.FS, on the affected system.
Here, it is evident that malware authors are trying to earn income from the installation of Trojan spyware. To install this malware on a target user's machine, they use the latest exploit code so that they have a higher chance of reaching their goal. Moreover, they deliver the payload over the web (HTTP), a channel that most firewalls allow outbound, in order to bypass them. In summary, malware authors use exploit code to download and install malware hosted on a website. Users should apply the latest software security updates provided by vendors and update antivirus signatures regularly.
TROJ_BANLOAD.CZE is banking on the stir caused by an animated sci-fi series, currently hosted on YouTube, to cover its virtual robbery scheme. Like TROJ_BANLOAD.CFU, it downloads TSPY_BANKER.JAT, a variant of a Trojan spyware family known for stealing online banking information. TROJ_BANLOAD.CZE opens an Internet Explorer window on an episode of the animated series AfterWorld so as to hide its download routine behind the video.
This latest TROJ_BANLOAD iteration may be downloaded from certain Web pages. Users are advised to exercise vigilance and caution when downloading files.
Patch Tuesday is just around the corner, and it is ironic that a piece of malware is using a fake MS Security Update notification to propagate. The SANS Internet Storm Center posted a report on this malware, which arrives on computers via spammed email messages carrying a link to a supposed patch for certain Windows vulnerabilities. To "dress up" this link, the email message purports to be the Microsoft Security Update advance notification for the June 2007 batch release. Trend Micro detects this Trojan as TROJ_AGENT.JPO.
While it is good practice to always be up to date with Microsoft patches, users should still be extra vigilant when receiving these kinds of notifications. Note that although Microsoft does send notifications for its security updates, the links in those alerts take users to the Microsoft Security Bulletin pages themselves, not to some server that directly installs the fixes on a computer. A simple check is therefore whether the link actually points at a microsoft.com host, bearing in mind that a host name merely containing "microsoft.com" is not the same thing. Users are advised to go directly to the Microsoft Update website to check for and download updates for their operating system.
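The host check suggested above, as an added example that is not code from Trend Micro, SANS or Microsoft: it extracts the host from an http(s) link and accepts it only when it is microsoft.com or a subdomain of it. The sample URLs are constructed for the demo and the function names are assumptions; it deliberately handles the lookalike tricks phishing links use (a userinfo prefix before "@", a fake subdomain such as microsoft.com.evil.example, and upper-case letters).

```c
/* Added example (not Trend Micro's, SANS's or Microsoft's code): decide
 * whether a link in an "update notification" really points at microsoft.com.
 * Function names and the sample URLs are assumptions made for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive "does s start with pfx". */
static int prefix_ci(const char *s, const char *pfx)
{
    for (; *pfx; s++, pfx++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx))
            return 0;
    return 1;
}

/* Copy the lower-cased host of an http(s) URL into out. Userinfo before
 * the last '@' is discarded (http://microsoft.com@evil.example/ is a link
 * to evil.example) and an explicit port is dropped. Returns 0 on success,
 * -1 if the URL is not http(s), has no host, or the host does not fit. */
int url_host(const char *url, char *out, size_t outsz)
{
    const char *p, *end, *at = NULL, *q;
    size_t n = 0, i;

    if (prefix_ci(url, "http://"))       p = url + 7;
    else if (prefix_ci(url, "https://")) p = url + 8;
    else return -1;

    end = p + strcspn(p, "/?#");            /* authority ends here */
    for (q = p; q < end; q++)
        if (*q == '@') at = q;              /* last '@' wins, as browsers do */
    if (at) p = at + 1;
    while (p + n < end && p[n] != ':') n++; /* stop at the port separator */
    if (n == 0 || n >= outsz) return -1;
    for (i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if the link's host is microsoft.com or ends in ".microsoft.com",
 * 0 otherwise. The match is anchored at the end of the host and at a dot, so
 * microsoft.com.evil.example and notmicrosoft.com are both rejected. */
int is_microsoft_link(const char *url)
{
    char host[256];
    const char *dom = "microsoft.com";
    size_t hl, dl = strlen(dom);

    if (url_host(url, host, sizeof host) != 0) return 0;
    hl = strlen(host);
    if (hl == dl) return strcmp(host, dom) == 0;
    return hl > dl && host[hl - dl - 1] == '.' &&
           strcmp(host + hl - dl, dom) == 0;
}

int main(void)
{
    /* Constructed sample links: one genuine-looking bulletin URL and three
     * of the shapes a spammed "patch" link typically takes. */
    const char *links[] = {
        "http://www.microsoft.com/technet/security/bulletin/",
        "http://update.microsoft.com.evil.example/KB-patch.exe",
        "http://microsoft.com@evil.example/patch.exe",
        "HTTPS://MICROSOFT.COM:443/",
    };
    size_t i;
    for (i = 0; i < sizeof links / sizeof links[0]; i++)
        printf("%-55s -> %s\n", links[i],
               is_microsoft_link(links[i]) ? "microsoft.com" : "NOT microsoft.com");
    return 0;
}
```

A passing check only says where the link goes; a genuine bulletin page still never hands you an executable to run, so a link to a .exe fails the advice in the post even when the host is right.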