
Archive for September, 2007


Sep28
by Japan Regional TrendLabs

As everyone knows, the new Japanese Prime Minister, Mr. Yasuo Fukuda, has just been appointed, and already a suspicious email supposedly coming from the new PM is making the rounds.

The said email message comes with the attachment named MOFA.ZIP, which looks like the following when uncompressed. It uses the icon for MS Word but instead of using the normal .DOC extension, it uses .EXE:

{Mofa icon}

Once MOFA.EXE is executed, MOFA.DOC opens. Part of the new Japanese Prime Minister’s official Web site is saved in the said .DOC file. The said content uses a font called SimSun, which can display Chinese characters on a Japanese platform, or Japanese characters on a Chinese platform. On Windows XP systems, this font displays normally. However, on Windows 2000 platforms with MS Word 2000, the result is the following:

{SimSun on Windows 2000 with MS Word 2000}

When you check “Property”, you can see some Chinese characters in the name field:

{SimSun on Windows 2000 with MS Word 2000}

{SimSun on Windows 2000 with MS Word 2000}

It is most probable that the opening of this document is a trick to distract users. It is possible that while the document is open, malicious activity is started in the background. The said .EXE file is detected by Trend Micro as BKDR_DARKMOON.BG.
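The attachment described above combines three tells a mail gateway or analyst can check for mechanically: an executable extension behind a document icon, a PE header, and a decoy document carried inside the executable. The following is an added example, not Trend Micro's detection logic or the original sample; the archive it scans is constructed in the script, and the OLE and PE signatures and the extension lists are the example's own assumptions.

```python
import io
import zipfile

# Heuristic scanner for the disguised-attachment pattern: an archive member with an
# executable extension, a PE ("MZ") header, and an embedded OLE compound document
# (the decoy .DOC a dropper writes out). Signatures and lists are assumptions for
# this example, not vendor detection logic.

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".txt"}
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # header of legacy .doc/.xls/.ppt files


def ext_of(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_member(name, data):
    """Return a list of findings for one archive member (empty list means clean)."""
    findings = []
    ext = ext_of(name)
    is_pe = data.startswith(PE_MAGIC)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension")
    if is_pe and ext not in EXECUTABLE_EXTS:
        findings.append("PE header under non-executable extension")
    if is_pe and OLE_MAGIC in data[2:]:
        findings.append("PE embeds an OLE document (likely decoy dropper)")
    # Double extension such as report.doc.exe
    stem = name[: len(name) - len(ext)] if ext else name
    if ext in EXECUTABLE_EXTS and ext_of(stem) in DOCUMENT_EXTS:
        findings.append("document-looking double extension")
    return findings


def scan_zip(blob):
    """Scan every member of a ZIP given as bytes; returns {member name: [findings]}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = inspect_member(info.filename, zf.read(info))
    return report


def build_sample():
    """Constructed archive modelled on the described MOFA.ZIP (not the real file)."""
    fake_pe = (PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
               + OLE_MAGIC + b"decoy document bytes")
    benign_doc = OLE_MAGIC + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MOFA.EXE", fake_pe)
        zf.writestr("notes.doc", benign_doc)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample()).items():
        print(member, "->", findings or ["clean"])
```

The embedded-OLE check is the most useful of the three for this particular family of lures: an icon can be faked and a double extension avoided, but a dropper that must show the victim a convincing document usually carries that document in its own image.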

As of now, a warning has been issued regarding this suspicious email message. It may be found on the official Web site of the Japanese PM.

Users are advised not to open attachments that are unexpected or that come from suspicious senders.
Additional information from the Japan Regional TrendLabs

Posted in Spam

Sep26
by Brian Cortes (Threats Analyst)

Only a little more than a week after September Patch Tuesday, expect to download more software patches to keep your computer updated and protected from malware threats.

Update 1: Microsoft Office 2003 Service Pack 3
Microsoft recently released Service Pack 3 for Microsoft Office 2003, incorporating SP1, SP2, and other Office 2003 updates up to August 2007. The new service pack also incorporates other bug fixes that affect the user experience.
Related links: Download page, KB Entry

Update 2: Mozilla Firefox 2.0.0.7
Mozilla recently updated Firefox to version 2.0.0.7, preventing a vulnerability in the Apple QuickTime plug-in from being used for remote code execution.
Related Link: Download Page

Unpatched Vulnerability 1: Apple QuickTime version 7.2.0.240
The Firefox update above resolves the issue raised by Petko D. Petkov, who details how a simple QuickTime file can execute arbitrary code from the said browser. In his report, a QTL file, which serves as a wrapper for loading a real media file, can contain a qtnext field whose parameters lead to code execution through Firefox. So, users can just avoid a link from a Web site if the file in the link has a .QTL extension, right? Wrong. The file can be renamed as .MP3 or .MOV (or any file extension supported by QuickTime) and would still be processed as a QTL file. The exploit has been verified to work on Firefox 2.0.0.6 (thus necessitating the update) and the latest QuickTime version 7.2.0.240 (still unpatched).
Related Links: Mozilla Vulnerability Page, Petko D. Petkov’s Blog, CVE Entry
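The point of the renaming trick is that the extension says nothing about how QuickTime will treat the file, so any filter has to look at content. The script below is an added example, not part of the original post or of Mozilla's or Apple's code: it recognises a QTL media-link file by its XML markers whatever the filename says, flags the extension mismatch, and flags a qtnext (or src) value that is not a plain media URL. The markers follow Apple's published media-link format (an `<?quicktime type="application/x-quicktime-media-link"?>` processing instruction and an `<embed src=... qtnext=.../>` element); the allowed-scheme policy and both sample files are this example's own constructions.

```python
import re

# Content-based recognition of QuickTime media-link (QTL) files, independent of
# extension. Marker patterns follow Apple's QTL format; the scheme allowlist is a
# policy choice made for this example.

QTL_PI = re.compile(rb'<\?quicktime\s+type="application/x-quicktime-media-link"\s*\?>', re.I)
EMBED_ATTR = re.compile(rb'\b(src|qtnext)\s*=\s*"([^"]*)"', re.I)
ALLOWED_SCHEMES = ("http://", "https://", "rtsp://")


def looks_like_qtl(data):
    """True if the bytes carry QTL markers, whatever the filename claims."""
    head = data[:4096].lstrip()
    return head.startswith(b"<?xml") and bool(QTL_PI.search(head))


def assess(filename, data):
    """Return (is_qtl, reasons). Extension mismatch and non-URL link targets are flagged."""
    reasons = []
    if not looks_like_qtl(data):
        return False, reasons
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "qtl":
        reasons.append("QTL content under .%s extension" % (ext or "none"))
    for attr, value in EMBED_ATTR.findall(data):
        v = value.decode("latin-1").strip()
        if not v.lower().startswith(ALLOWED_SCHEMES):
            reasons.append("%s is not an allowed media URL: %r" % (attr.decode().lower(), v))
    return True, reasons


# Constructed samples (not from the advisory): a plain media link and a disguised one
# whose qtnext value is not a media URL at all.
BENIGN = (b'<?xml version="1.0"?>\n'
          b'<?quicktime type="application/x-quicktime-media-link"?>\n'
          b'<embed src="http://example.com/clip.mov" qtnext="http://example.com/next.mov" />\n')
DISGUISED = (b'<?xml version="1.0"?>\n'
             b'<?quicktime type="application/x-quicktime-media-link"?>\n'
             b'<embed src="http://example.com/clip.mov" qtnext="not-a-media-url --with flags" />\n')
REAL_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00"  # constructed ID3 header, not QTL


if __name__ == "__main__":
    for name, blob in (("clip.qtl", BENIGN), ("song.mp3", DISGUISED), ("song.mp3", REAL_MP3)):
        print(name, assess(name, blob))
```

In a proxy or mail filter this check belongs on the response body, not on the URL, since the page shows that the extension is exactly the thing an attacker controls.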

Unpatched Vulnerability 2: Microsoft MFC42 and MFC71 Heap Overflow Allows RCE
Jonathan Sarba from the GoodFellas Security Research Team recently disclosed that the FindFile implementation in the MFC42 and MFC71 libraries lacks a buffer check, allowing a heap overflow that can execute arbitrary code. Any application using CFileFind::FindFile from MFC42.DLL and MFC71.dll may be susceptible to this attack. If you remember, a previous MFC vulnerability was patched last June. Considering the possibilities, could there be an upcoming Month of MFC Bugs?
Related links: Jonathan Sarba’s Disclosure, MS07-12

Posted in Security

Sep26
by Robert McArdle (Threats Analyst)

Would you like to earn $50 per hour in a job that only takes 3-5 hours of your free time every day? If so, the Storm team wants people like YOU!

The latest version of Storm is aimed at people who want to make loads of money, for minimal effort, from the comfort of their own homes…so not a huge target audience then.

StormSLK2.JPG

Users that follow the link (which is blocked by Trend Micro Web Reputation) will be brought to a site hosting a bulletin board, and refreshingly, not hosting an entire arsenal of vulnerabilities, which makes for a nice change. The scammers waste no time in explaining how this wonderful scheme works. The helpful user (i.e., the mule) simply receives some funds (i.e., money stolen through phishing scams), takes 10% for themselves, and sends the rest back via Western Union.

Unfortunately for budding entrepreneurs in Europe and Asia, this fantastic offer is only available to people with a bank account registered in Canada, Australia, New Zealand or the United States.

Joking aside, this is what is known as a “money-mule” scheme. It is an essential part of the money-laundering side of the crimeware business, and is used to launder stolen money through unsuspecting users. Needless to say, it is a very bad idea to get involved in this type of business.

Interestingly, this forum has been active since December 2004 and at the time of writing has around 150 members. The fact that this is being spammed out now suggests that the Storm team is in need of more mules, either because of the increased amount of money that they need laundered, or because existing mules have stopped participating.

Let’s hope it’s the latter case.

Robert McArdle, EMEA Regional TrendLabs

Posted in Security

Sep26
by Jonell Baltazar (Advanced Threats Researcher)

This is to confirm a report from Websense about the compromise of the official website of the Syrian Embassy in London. Indeed, there are three obfuscated iframes found on the site.

The following is a sample obfuscated script found in the compromised page:

1.JPG

Deobfuscating the said scripts we get the following URLs:

  • hxxp://0ki.ru{blocked}/index.php
  • hxxp://sicil.info{blocked}/index.php
  • hxxp://x12345.or/{blocked}ounter.php?out=1189360677 (a zero-byte file)

Initial analysis of the first URL suggests that it accepts a country code as an argument, so country checking is most probably employed. This is already detected as JS_PSYME.ANT. The second URL contains another iframe which leads to a URL hosting the exploit kit (most probably IcePack). The exploit kit employs OS detection and web browser detection, and contains several exploits targeting web browsers and browser plug-ins. It will try to exploit several vulnerabilities to download and execute a file, detected as TROJ_SMALL.KYZ. The exploit kit itself is detected as JS_PSYME.ADQ.

2.JPG

3.bmp

The third URL just contains a zero-byte file. The malicious files are already being processed and the malicious URLs are submitted for blocking.
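Recovering the iframe targets from a compromised page, as the post does above, is mostly a matter of peeling off the string-building wrappers the injected script uses before the iframe text reaches `document.write`. The script below is an added example and not the embassy page's actual script or Trend Micro's analysis tooling: it undoes `unescape("%3C…")` percent-encoding, `String.fromCharCode(60,105,…)` sequences and HTML entities, repeatedly for nested layers, then lists every iframe `src` it can find. Which wrappers to handle is this example's own assumption about typical injections of the period; the sample page is constructed, and the example.* hosts in it are placeholders.

```python
import html
import re
from urllib.parse import unquote

# Pulls iframe targets out of HTML, including iframes hidden behind common
# string-obfuscation wrappers. The wrapper set is an assumption for this example;
# a real page may use others, so anything left undecoded is worth a manual look.

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.I)
UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc\s*=\s*(['\"]?)([^'\"\s>]+)\1", re.I)


def _charcodes_to_text(match):
    codes = match.group(1).replace(" ", "").split(",")
    return "".join(chr(int(n)) for n in codes if n)


def decode_layer(text):
    """Undo one layer of each wrapper; returns the text with decoded payloads inlined."""
    text = FROMCHARCODE.sub(_charcodes_to_text, text)
    text = UNESCAPE.sub(lambda m: unquote(m.group(2)), text)
    return html.unescape(text)


def deobfuscate(text, max_layers=5):
    """Repeat decoding until nothing changes (nested wrappers) or the layer cap is hit."""
    for _ in range(max_layers):
        new = decode_layer(text)
        if new == text:
            break
        text = new
    return text


def extract_iframe_urls(page):
    """Sorted, de-duplicated list of iframe src values found after deobfuscation."""
    decoded = deobfuscate(page)
    return sorted({m.group(2) for m in IFRAME_SRC.finditer(decoded)})


# Constructed sample page: one plain iframe, one percent-encoded, one built from
# character codes. Hosts are placeholders, not the URLs from the incident.
SAMPLE_PAGE = """
<html><body>
<iframe src="http://example.org/legit-widget" width="1" height="1"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.net%2Findex.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,101,120,97,109,112,108,101,46,99,111,109,47,99,111,117,110,116,101,114,46,112,104,112,34,62,60,47,105,102,114,97,109,101,62));</script>
</body></html>
"""


if __name__ == "__main__":
    for url in extract_iframe_urls(SAMPLE_PAGE):
        print(url)
```

Static decoding like this is safe to run on captured page source because nothing is executed; its limit is that it only knows the wrappers listed, so a page whose decoded output still contains script calls should go to a sandboxed browser rather than be declared clean.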


Sep26
by Dianne Lagrimas (Technical Communications)

Spammers are still trying to cash in on the popularity of YouTube. The Trend Micro Content Security team spotted the following message:

youtube_spam.gif

Clicking on the YouTube logo leads the user to a YouTube login page. When a user logs on to his/her YouTube account or creates a new account, the user is led to the following Web page:

spamsite.gif

This may be the spammer’s way of harvesting valid email addresses, when a user provides information such as an email address on the login page. Aside from being led to the above Web page, a user may also be redirected to the following Web page:

redirect.gif

Users are advised to be wary of spam messages such as this.

Posted in Security


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice