
Archive for June 13th, 2007


Jun13
by Ryan Flores (Advanced Threats Researcher)

May was a relatively quiet month. Except for the slew of TROJ_ARTIEF targeted attacks in the last week of May, no other notable malware was discovered. For this round-up, we’ll recap the malware that managed to capture our attention, even if only for a while.



Regional Attacks


While there wasn’t much region-specific malware caught in the wild, one IM worm was found to send Spanish text to YM contacts, advertising a dance video of President Bush. This may be targeted at the fairly large Hispanic American population, or may be riding on the popularity of “So You Think You Can Dance”, or both.



Malwares that hit it big


WORM_SOBER.AX was probably the malware with the largest infection count last May. Although the worm propagated slowly, the fact that it was able to continuously infect computers over a period of a couple of weeks may usher in a new model for future worms.



With all security vendors trained to spot fast-spreading worms and to update their signatures within a few hours, worms that fly just under that radar may have more success in the wild than those that replicate like bunnies.




Web-based Threats


One of the most interesting aspects of web-based threats is the ingenious use of social engineering by malware authors. As expected, the social aspect of malware threats found last May did not disappoint.



For one, we discovered a phishing Trojan pretending to be Microsoft’s Security Center console.



A recent JS_FEEBS run made use of an associated Russian site to host additional malware.



And while searching for additional malware, we saw Google’s site rating and blocking at work, automatically blocking several TROJ_ANI-related sites on its results page. Of course, known TROJ_ANI-related sites are also automatically blocked by Trend Micro’s Web Blocking services.



Lastly, a concrete connection between typo-squatting and malware hosting was established with the help of Sunbelt. Their list of Italian typo-squatters was found to be associated, in a variety of ways, with TROJ_ZLOB hosting sites.




Vulnerabilities and Exploits

Though no new exploits were discovered in the wild last May, we’ve seen several pieces of malware creatively use application functionality for malicious purposes.



One example of this is VBS_BADBUN. This malware is capable of infecting multiple operating systems running StarOffice by using its macro functionality (much like MS Office’s macros), thereby raising the risk of malware infection for operating systems previously deemed “safe”, such as Mac and Linux. This is only the second malware to use StarOffice as a platform, the first being XML_DUSTAR.A, discovered last year.



In what seems to be a highly targeted attack (it is reported that only top-level executives were targeted), TROJ_ARTIEF arrives embedded inside a Word RTF file. This method improves its social engineering trick of pretending to be a valid e-mail from the BBB or the IRS.



*The two examples mentioned above are not vulnerabilities or exploits per se, since they are not the result of bad programming practices. Rather, the methods mentioned above are the result of insecure software design (or design oversight) that allows such functionality to be used for malicious purposes.


Jun13
by Roberto Tayag (Threats Analyst)

Good day, dear readers. It’s Patch Tuesday once again, and here is this month’s round of MS security bulletins:

4 Critical bulletins

MS07-031
Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)

MS07-033
Cumulative Security Update for Internet Explorer (933566)

MS07-034
Cumulative Security Update for Outlook Express and Windows Mail (929123)

MS07-035
Vulnerability in Win32 API Could Allow Remote Code Execution (935839)

1 Important

MS07-030
Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)

1 Moderate

MS07-032
Vulnerability in Windows Vista Could Allow Information Disclosure (931213)

There’s a cumulative update for Internet Explorer and for Outlook Express and Windows Mail. Some of the vulnerabilities addressed by these updates can lead to information disclosure as well as remote code execution, so be sure to patch things up, especially if you frequent the web using IE. ;)

You can update your machines here.


Jun13
by Jasper Pimentel (Advanced Threats Researcher)

The Nigerian Economic and Financial Crime Commission (NEFCC) is a law enforcement agency that investigates terrorism, cybercrime, scams and financial fraud within its region. This is their website:

[Image: efccnigeria.jpg]


Recently, we received a report that this legitimate website had been compromised. We decided to verify the report and check the site out for ourselves. Sure enough, when we viewed the HTML source of the NEFCC’s website, something suspicious came up:

[Image: efcc-source.jpg]


This is an IFRAME tag, which loads another HTML document into the one currently loaded in the browser. In this case, the IFRAME tag references an obfuscated URL outside the NEFCC’s domain. That URL redirects to a couple of URLs that display a fake error page but actually contain malicious JavaScript routines. This malicious JavaScript is detected by Trend as JS_PSYME.AOO and JS_PSYME.ANT. Both scripts attempt to download malicious executable files, which are detected as TROJ_WOPLA.DS, TROJ_NIDIS.OF, and TROJ_NURECH.BE.

[Image: efcc-flowchart.jpg]


This is a classic case of a script-based Trojan downloader triggered simply by viewing a webpage. In this case, however, the webpage doesn’t offer fake codec downloads or free stuff; it is a legitimate site, compromised only by a malicious IFRAME tag inserted into its HTML source. It is quite ironic that an organization dedicated to fighting cybercrime has been targeted by malware perpetrators. This just shows that even those directly involved in security can become targets.
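One defensive check suggested by this case, as an added example that is not part of the original post: scan a page’s own HTML source for IFRAME tags that point off the site’s domain, are hidden, or use an obfuscated URL. The sample page, hostnames and IP address below are constructed placeholders.

```python
"""Flag injected IFRAME tags in a page's HTML source. Added example, not the
post's own code; the sample HTML, hostnames and IP below are constructed. A
frame is suspicious when it points off the page's domain, is hidden, or its
URL looks obfuscated (percent-encoded, raw IP host, unusual port)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True for the zero/1px or display:none frames typical of injections."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip() in {"0", "0px", "1", "1px"}
            or attrs.get("height", "").strip() in {"0", "0px", "1", "1px"}
            or "display:none" in style or "visibility:hidden" in style)

def suspicious_iframes(html, page_host):
    """Yield (src, [reasons]) for every iframe that warrants a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    for attrs in parser.iframes:
        raw_src = attrs.get("src", "")
        url = urlparse(unquote(raw_src))  # decode %xx before judging the host
        host = (url.hostname or "").lower()
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append("external host " + host)
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if "%" in raw_src:
            reasons.append("percent-encoded src")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP host")
        if url.port not in (None, 80, 443):
            reasons.append("unusual port %d" % url.port)
        if reasons:
            yield raw_src, reasons

# Constructed sample: one legitimate same-site frame and two injected ones.
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="/news/frame.html" width="600" height="400"></iframe>
<iframe src="http://%65xample-bad.test/x.php" width="0" height="0" style="display:none"></iframe>
<iframe src="http://203.0.113.5:8080/in.cgi?3" width="1" height="1"></iframe></body></html>"""
```

Run `list(suspicious_iframes(SAMPLE_HTML, "legit-site.test"))` to see the two injected frames reported with their reasons while the same-site frame is ignored.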


Jun13
by Dianne Lagrimas (Technical Communications)

Vulnerability researchers are having a grand time with the release of Apple’s Web browser Safari 3 Beta for Mac and Windows. Hours after its release on June 12, independent security researcher Thor Larholm found a zero-day vulnerability relating to the URL protocol handler in the Windows version. The vulnerability specifically cites the “lack of input validation for the command line arguments handed to the various URL protocol handlers” on a Windows system. Larholm also cooked up a proof-of-concept exploit for this vulnerability.


Another independent security researcher, David Maynor of Errata Security, found six other vulnerabilities in the Windows version: four of them could allow denial of service (DoS) attacks, while the other two could allow remote code execution on the affected system.

Citing vendor unresponsiveness and the use of marketing tactics to sugarcoat these kinds of security woes, both researchers decided to publish their findings on their own Web sites. Both also state that they are not selling, and have no plans to sell, their research to any individual or corporation.

Vulnerability disclosure is an ongoing debate among researchers, security experts, and software makers. Conflicts arise because of a lack of standard procedures to follow in vulnerability reporting, as well as in vulnerability hunting.

Safari is the third most popular Web browser, holding almost 5% of market share as of May 2007, according to NetApplications.com. As of this writing, no workarounds are available for the vulnerabilities cited. Since Safari 3 is still in its beta stage, users are advised to assess the possible effects on their machines before installing it.



© Copyright 2008 Trend Micro Inc. All rights reserved.