
Archive for November, 2007


Nov28
by Rommel Garcia (Threats Analyst)

Three new exploits posted on the Web take advantage of a vulnerability in QuickTime Player v7.3 in the way it handles responses from a video/audio streaming server via the Real Time Streaming Protocol (RTSP). RTSP controls the delivery of audio and video data with real-time properties.

The exploits were designed to send a malformed RTSP response header that results in remote code execution on computers that use QuickTime Player.

Sample of a normal RTSP response:

[Image: Normal RTSP Response]

Sample of a malformed RTSP response:

[Image: Malformed RTSP Response]

Notice that the Content-Type field has a malformed type. Examples of valid values for this field are ‘Application’, ‘Text’, ‘Audio’, and ‘Image’.
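As an added example (not code from the original post or from the exploits it describes), the following Python script shows the check a monitoring proxy or IDS rule could apply to a server's RTSP response: parse the header block and report a Content-Type whose value is not a type/subtype token, uses a top-level type outside the valid set, or is longer than a sane header value. The two responses are constructed for the illustration, and the 256-byte length limit and the extra types video and multipart are assumptions, not values from the post.

```python
"""Added example (not from the original post): parse an RTSP response and
flag a malformed Content-Type header, the field the post singles out.
The two responses below are constructed for this illustration; they are
not captures of the exploits described in the post."""
from __future__ import annotations
import re

# Top-level media types a streaming server may legitimately send.  The post
# names Application, Text, Audio and Image; video and multipart are added
# here as an assumption about other registered types.
VALID_TOP_LEVEL_TYPES = {"application", "text", "audio", "image", "video", "multipart"}

# Assumed upper bound on a sane header value; longer values are reported.
MAX_HEADER_VALUE_LEN = 256

# media-type = type "/" subtype, both made of RFC 2045 token characters.
MEDIA_TYPE_RE = re.compile(r"^([A-Za-z0-9!#$&^_.+-]+)/([A-Za-z0-9!#$&^_.+-]+)$")


def parse_rtsp_response(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a response into (status line, headers); header names are
    lower-cased and the last occurrence of a repeated header wins."""
    head, _, _body = raw.decode("latin-1").partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                       # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_content_type(value: str) -> list[str]:
    """Return the reasons a Content-Type value looks malformed (empty = ok)."""
    problems: list[str] = []
    if len(value) > MAX_HEADER_VALUE_LEN:
        problems.append(f"value too long ({len(value)} bytes)")
    media_type = value.split(";", 1)[0].strip()   # drop parameters, e.g. charset=
    match = MEDIA_TYPE_RE.match(media_type)
    if match is None:
        problems.append(f"not a type/subtype token: {media_type[:40]!r}")
    elif match.group(1).lower() not in VALID_TOP_LEVEL_TYPES:
        problems.append(f"unknown top-level type {match.group(1)!r}")
    return problems


def inspect_response(raw: bytes) -> list[str]:
    """Apply the checks a monitoring proxy or IDS rule would apply to a
    server's RTSP response before the client gets to parse it."""
    status_line, headers = parse_rtsp_response(raw)
    problems: list[str] = []
    if not status_line.startswith("RTSP/1.0 "):
        problems.append(f"unexpected status line {status_line[:40]!r}")
    if "content-type" in headers:
        problems.extend(check_content_type(headers["content-type"]))
    return problems


# Constructed sample: a well-formed reply to a DESCRIBE request.
NORMAL_RESPONSE = b"\r\n".join([
    b"RTSP/1.0 200 OK",
    b"CSeq: 2",
    b"Content-Type: application/sdp",
    b"Content-Length: 0",
    b"", b"",
])

# Constructed sample: a Content-Type with no type/subtype structure and an
# over-long value, so it fails both checks.
MALFORMED_RESPONSE = b"\r\n".join([
    b"RTSP/1.0 200 OK",
    b"CSeq: 2",
    b"Content-Type: " + b"Z" * 300,
    b"Content-Length: 0",
    b"", b"",
])

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_RESPONSE), ("malformed", MALFORMED_RESPONSE)):
        print(label, "->", inspect_response(sample) or "ok")
```

The parser lower-cases header names and keeps the last value of a repeated header, which is the behaviour a client would most likely show; a stricter monitor could also treat repeated Content-Type headers as a finding.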

The following are the scenarios of how a machine can be attacked:

Attacker executes!

The attacker executes the exploit on his/her own computer, listening on port 554 (the default port for RTSP). The attacker's machine then waits for an RTSP request from its victim.

Attacker pings!

The attacker creates a Web site with the malicious RTSP link embedded (redirecting to the exploit) or sends a message with the exact media link location of the exploit to the victim's Messenger.

User enticed

The victim is then enticed to visit the malicious link or view the media, and opens the link using QuickTime Player.

The exploit listening on port 554 is triggered to send a response with a malformed RTSP header.

User victimized!

Voila! The shell code is executed on the victim's machine.

Another attack vector is visiting a Web site that has embedded scripts/objects that direct RTSP connections to a malicious remote server.

As of this writing, there is still no patch that addresses this vulnerability. To prevent these kinds of attacks, avoid visiting sites and/or opening links from unknown sources. It is also better to block connections through port 554 until a patch for this vulnerability becomes available.

Posted in Exploits, Vulnerabilities

Nov28
by JM Hipolito (Technical Communications)

TrendLabs recently received samples of a Trojan sent as an attachment to spammed mail bearing the subject Sexy Card from Hot Girl. The Trojan, detected by Trend Micro as TROJ_PUSHDO.AR, is disguised as an animated e-card with nude photos of a certain Monica T., supposedly sent via Adult Sex Finder. Below is a sample of the said message:

[Image: TROJ_PUSHDO.AR]

When the attachment is opened, this Trojan executes and installs itself on the affected system, registering itself as a service to ensure automatic execution. It then connects to the URL http://66.{BLOCKED}.252.215/s_60_3232297080?m… to download a file detected by Trend Micro as TROJ_PANDEX.AR.

Its social engineering tactic is old news, but what’s interesting is its use of the term Adult Sex Finder as the supposed company that put together the provocative e-card. “Adult Sex Finder” sounds so close to AdultFriendFinder, a Web site that claims to be the “world’s largest adult sex and swingers site”, that one can’t help but wonder whether there is some kind of connection there. AdultFriendFinder has been linked to malware attacks in the past.

Whether there is or there isn’t any connection, TROJ_PUSHDO.AR is out there in the wild finding propagation partners: users that are lured by its lurid bait. Don’t be that user. Trend Micro customers are encouraged to update to the latest pattern to be protected from this pesky spam attachment.

Posted in Malware

Nov27
by Ivan Macalintal (Advanced Threats Researcher)

You better watch out and you’ll probably cry as Web threats come to town with a bang. Yes, it’s that time of the year again when we search for Christmas goodies online. Sad to say, it’s also that time of year when cyber hooligans compromise innocent Web searches such as the simple phrase “christmas gift shopping” to serve up malicious URLs via search results such as this:

Lo and behold, one innocent search turns into a Web threat nightmare. Searching for the above phrase can lead you to the malicious URLs encircled in the image above. Clicking on these URLs then takes you to another site (http://{BLOCKED}ldgonit.com/search.php?gzapr=…) via JavaScript that eventually leads to the download and execution of malware. Good thing Trend Micro Web Threat Protection already prevents malicious downloads from these URLs, protecting users from possible infection.

The site mentioned above also has an IFRAME that allows for redirection and installation of more malware on the affected system from the URLs http://{BLOCKED}id.theoreon.com/setup.php?aff_id=6025 and http://{BLOCKED}aga.com/exe.php?pid=1008.
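As an added example (not code from the original post), the following Python script shows how a crawler or proxy can flag the kind of IFRAME described above: a frame that pulls content from a host other than the page being viewed, or that is hidden from the visitor by zero size or CSS. The HTML, the page host shop.example.test and the redirector hostname are constructed placeholders, not the sites in the post.

```python
"""Added example (not from the original post): flag IFRAMEs that pull
content from an off-site host or are hidden from view, the mechanism the
post describes for installing more malware on the affected system.  The
HTML and hostnames below are constructed placeholders."""
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value: str) -> int | None:
    """'0', '0px' or '1' -> integer; a value without digits -> None."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def is_hidden(attrs: dict[str, str]) -> bool:
    """True when the frame is styled away or sized to at most 1x1 pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width = _pixels(attrs.get("width", ""))
    height = _pixels(attrs.get("height", ""))
    return width is not None and height is not None and width <= 1 and height <= 1


def suspicious_iframes(html: str, page_host: str) -> list[dict]:
    """Return the iframes that point off-site or are hidden (or both)."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        # A relative src stays on the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        off_site = host != page_host.lower()
        hidden = is_hidden(frame)
        if off_site or hidden:
            hits.append({"src": src, "host": host, "off_site": off_site, "hidden": hidden})
    return hits


# Constructed page: one legitimate on-site frame, one hidden off-site frame.
SAMPLE_HTML = """
<html><body>
<h1>Holiday gift ideas</h1>
<iframe src="/widgets/cart.html" width="300" height="200"></iframe>
<iframe src="http://redirector.example-malicious.test/setup.php?aff_id=PLACEHOLDER"
        width="0" height="0" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "shop.example.test"):
        print(hit)
```

Both signals are reported separately: an off-site frame is normal on many legitimate pages (advertising, embedded video), so the hidden flag is what usually turns a hit into something worth blocking or investigating.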

We keep getting different binaries with every download, which suggests the files are being rehashed on the server side. Expect more new ones to come our way this Christmas.

Digging deeper, and extending Sunbelt's discovery of malicious URLs creeping into Christmas-related searches, the .CN domains above are also being rampantly advertised in Japanese forums, blogs, BBSes, and the like:

Other compromised Christmas-y Google searches:

  • christmas gift shopping
  • christmas holiday sale
  • holiday shopping fun

Note that there could be more variations to this theme of searches.

Moreover, the IFRAME mentioned above also uses the so-called 404 Web threat toolkit, probably a new version, in some of its infection URL vectors:

  • http://{BLOCKED}sliksuka.com/check/version.php?t=148
  • http://{BLOCKED}sliksuka.com/check/n14041.htm
  • http://{BLOCKED}sliksuka.com/check/n14042.htm
  • http://{BLOCKED}sliksuka.com/check/n14043.htm
  • http://{BLOCKED}sliksuka.com/check/n14044.htm
  • http://{BLOCKED}sliksuka.com/check/n14045.htm
  • http://{BLOCKED}sliksuka.com/check/n14046.htm
  • http://{BLOCKED}sliksuka.com/check/n14047.htm
  • http://{BLOCKED}sliksuka.com/check/n14048.htm
  • http://{BLOCKED}mndskj.com/check/vers2.php
  • http://{BLOCKED}mndskj.com/check/tpknlkk433.php
  • http://{BLOCKED}mndskj.com/check/tpktskk2.php

A graphical representation of this routine is as follows:

Here are some of the malware and grayware programs that are installed on the affected system from several other Web sites to which the user is redirected:

Ho, ho, ho, a malware-y Christmas to us all indeed. Malware is just a click away, but cautious and vigilant online shopping can keep your computer free of infection. Having solid Web threat protection like Trend Micro at your back wouldn't hurt either.


Nov25
by Jonathan San Jose (Threats Analyst)

TrendLabs has received samples of a file-infecting virus that, interestingly, logs its own behavior for affected users to see (if they look hard enough). Maybe it is taunting the said users? A closer look, after all, reveals that this malware is quite challenging to remove.

The virus is detected by Trend Micro as PE_MABEZAT.A-O. It searches for certain files, typically those related to MS Office and multimedia applications, which it encrypts before prepending its code onto theirs:

[Image: PE_MABEZAT.A-O Infection Diagram]

The infected files are detected as PE_MABEZAT.A. Given that the host files are encrypted, restoring them (which naturally includes ridding the malicious code) can be tough. TrendLabs has thus created a special fixtool for this.

Apart from its complex file infection routine, PE_MABEZAT.A-O monitors its own behavior by keeping a log file. The said file basically lists the files it infected or attempted to infect:

[Image: 1.txt Log File]

Finally, to ensure widespread infection, PE_MABEZAT.A-O also attempts to spread via fixed, networked, and removable drives. It does this by searching the affected system for drives C to Z, then dropping a copy of itself with an AUTORUN.INF to automatically execute once a drive is accessed. It even attempts to spread and infect via CD-ROMs by infecting files found in the CD burning “staging area”, usually located in C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning.
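As an added example (not code from the original post or from the fixtool it mentions), the following Python script audits the two spreading paths just described from a responder's side: it looks at each candidate drive root for an AUTORUN.INF whose [autorun] section launches a program, reports whether the launch target is actually present on that drive, and lists executables sitting in the CD burning staging folder, where a user would normally stage only documents and media. The directory tree is built with tempfile so the script runs anywhere; on a real Windows system you would pass the drive roots from windows_drive_roots() and the user's CD Burning folder instead. The file names and the set of executable extensions are constructed assumptions.

```python
"""Added example (not from the original post): audit drive roots for an
AUTORUN.INF that launches a program, and list executables waiting in the
CD-burning staging folder, the two spreading paths described for
PE_MABEZAT.A-O.  The directory tree is constructed with tempfile so the
script runs anywhere; on a real system pass the actual drive roots and the
user's CD Burning folder instead."""
from __future__ import annotations
import configparser
import string
import tempfile
from pathlib import Path

# [autorun] keys that make Windows run something when the drive is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# Extensions treated as executable content inside the staging area (assumed set).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as {key: value} with lower-cased keys."""
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error as exc:      # a deliberately broken file is a finding too
        return {"__parse_error__": str(exc)}
    for section in parser.sections():
        if section.lower() == "autorun":
            return {key: (value or "") for key, value in parser.items(section)}
    return {}


def launch_entries(entries: dict[str, str]) -> dict[str, str]:
    """Keep only keys that cause code execution: open=, shellexecute=, shell\\...\\command=."""
    return {k: v for k, v in entries.items()
            if k in LAUNCH_KEYS or k.startswith("shell\\") or k == "__parse_error__"}


def audit_drive_root(root: Path) -> dict | None:
    """Report an AUTORUN.INF at the root of a drive if it launches something."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return None
    launches = launch_entries(parse_autorun(inf.read_text(errors="replace")))
    if not launches:
        return None
    present = sorted({v for v in launches.values() if (root / v).exists()})
    return {"root": str(root), "autorun": str(inf), "launch": launches,
            "targets_present": present}


def scan_roots(roots: list[Path]) -> list[dict]:
    """Run audit_drive_root over each candidate root, skipping unreadable ones."""
    findings = []
    for root in roots:
        try:
            finding = audit_drive_root(root)
        except OSError:
            continue
        if finding:
            findings.append(finding)
    return findings


def windows_drive_roots() -> list[Path]:
    """C:\\ to Z:\\ that exist, the same range the virus walks (empty off Windows)."""
    return [Path(f"{letter}:\\") for letter in string.ascii_uppercase[2:]
            if Path(f"{letter}:\\").exists()]


def audit_staging_area(folder: Path) -> list[str]:
    """Executables sitting in the CD Burning staging area; a user normally stages
    documents and media there, so a PE file waiting to be burned is worth a look."""
    if not folder.is_dir():
        return []
    return sorted(p.name for p in folder.rglob("*") if p.suffix.lower() in EXECUTABLE_SUFFIXES)


def build_sample_tree() -> Path:
    """Constructed fixture: one 'drive' carrying a launching AUTORUN.INF and its
    dropped file, one clean 'drive', and a staging folder with a stray .exe."""
    base = Path(tempfile.mkdtemp(prefix="autorun_audit_"))
    infected = base / "drive_e"
    infected.mkdir()
    (infected / "AUTORUN.INF").write_text(
        "[AutoRun]\nopen=dropped.exe\nshellexecute=dropped.exe\nicon=dropped.exe,0\n")
    (infected / "dropped.exe").write_bytes(b"MZ placeholder, not a real executable")
    (base / "drive_f").mkdir()
    staging = base / "CD Burning"
    staging.mkdir()
    (staging / "photos.jpg").write_bytes(b"")
    (staging / "setup.exe").write_bytes(b"MZ placeholder, not a real executable")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for finding in scan_roots([base / "drive_e", base / "drive_f"]):
        print(finding)
    print("staging area executables:", audit_staging_area(base / "CD Burning"))
```

The audit only reports, it does not delete: an AUTORUN.INF that launches a file is also how some legitimate install media behave, so the finding should be paired with a scan of the launch target before anything is removed.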

Trend Micro products already detect this virus with the latest pattern file. Users are advised to update their patterns to avoid infection.

Posted in Malware

Nov23
by Irene Vicente (Technical Communications)

Users visiting the Lao Airlines Web site (laoairlines.com) are in for a surprise without knowing it. Sophos Australia (via iTnews) has reported that visiting the said site for online bookings or any other activity can lead to downloading malware.

Upon further analysis by Trend Micro threat analyst Ryan Flores, the compromised site automatically redirects unsuspecting users to cs.{BLOCKED}ick.cn, which is known to host several malware files, including the following:

Fortunately for Trend Micro users, the said site is already blocked by the Web Reputation Service. The malicious files are also detected as early as 2006.

Now that the holiday season has officially kicked off in most countries, this incident should serve as a reminder that malware authors are not only targeting online shoppers and online bankers (as is usually the case during this time of the year). Travel, and therefore online bookings, is also bound to increase. With the rise of Web-based attacks, computer users should have all bases covered.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice