
Archive for May 15th, 2008


May15
by JM Hipolito (Technical Communications)

May’s Patch Tuesday came earlier this week, addressing six vulnerabilities. The latest batch of Microsoft Security Bulletins consisted of four security updates, three rated as critical and one as moderate.

This batch includes a security update on the vulnerability found in Microsoft Jet Database Engine that was initially reported late March.

Here is the set of security advisories for May:

Risk Rating: Critical

Risk Rating: Moderate

All users are strongly encouraged to download the mentioned patches from Microsoft immediately.

Posted in Vulnerabilities

May15
by Macky Cruz (Technical Communications)

When security researchers encounter a piece of code, they often have little idea about its ultimate objective. Analysts have to play online gumshoe when it comes to tracing the relationship of a single file to what is very often a multi-component attack.

Storm has been at the forefront for quite some time as a primary example of how rampant (and undetected) zombified computers have become. Whenever analysts want to talk about the Internet’s propensity to help administer organized crime, the Storm botnet always comes to mind. Several reports in the past few months point to Storm’s various nefarious activities:

Now we are beginning to see Zango-related code being passed around and distributed among known Storm proxies.

One of these files, now detected as TROJ_MUTANT.BN, is an AdPack kit that contains a file named zango.php. This file contains CLSIDs similar to those modified by Zango or Hotbar routines.

The other PHP files, detected as either JS_AGENT.BB or PHP_MPHAK.AL, seem to be products of signature detection’s arch-enemy: server-side polymorphism. This technique lets malware writers produce a slightly different version of a file (technically a new variant) each time a request is made to the remote malicious server (typically by an infected computer).
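The reason server-side polymorphism defeats exact-match signatures is that a hash covers every byte, so a rotated comment, variable name or string literal yields a brand-new file. The following is an added illustration (not code from the post, and not a description of Trend Micro’s own detection) of the gap between an exact hash and a structural fingerprint. The two script variants are constructed, harmless stand-ins for per-request variants; the token normaliser and the list of host-object names it preserves are assumptions made for this example.

```python
import hashlib
import re

# Two constructed variants of the same harmless script, standing in for the
# per-request variants a server-side polymorphic host would emit. They differ
# only in comments, whitespace, identifier names and literal values.
VARIANT_A = """
// build a redirect target
var host = "example.test";
var path = "/a014.js";
function go(h, p) { return "http://" + h + p; }
document.write(go(host, path));
"""

VARIANT_B = """
/* rotated on each request */
var q7 = "example.test";
var z2 = "/x91.js";   function f(u,v){return "http://"+u+v;}
document.write(f(q7,z2));
"""

JS_KEYWORDS = {"var", "function", "return", "if", "else", "for", "while",
               "new", "this", "true", "false", "null"}
# Host-object names the script calls; these carry meaning for a detection
# engineer and are kept as-is rather than canonicalised (assumed list).
KEEP_IDENTS = {"document", "write", "eval", "unescape", "String", "fromCharCode"}

TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)                  # line and block comments
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')  # string literals
  | (?P<number>\d+(?:\.\d+)?)                        # numeric literals
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)              # identifiers and keywords
  | (?P<punct>[^\sA-Za-z0-9_$"'])                    # operators, brackets, etc.
  | (?P<ws>\s+)                                      # whitespace
""", re.VERBOSE | re.DOTALL)


def exact_hash(text: str) -> str:
    """What a byte-exact signature sees: any change in the file changes this."""
    return hashlib.sha256(text.encode()).hexdigest()


def normalize(text: str) -> str:
    """Reduce a script to its shape: drop comments and whitespace, replace
    literals with placeholders, and rename identifiers in order of first use."""
    out = []
    names = {}
    for m in TOKEN_RE.finditer(text):
        kind, tok = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident":
            if tok in JS_KEYWORDS or tok in KEEP_IDENTS:
                out.append(tok)
            else:
                out.append(names.setdefault(tok, f"ID{len(names)}"))
        else:
            out.append(tok)
    return " ".join(out)


def structural_fingerprint(text: str) -> str:
    """Hash of the normalised shape; stable across superficial rotation."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


if __name__ == "__main__":
    print("exact hashes equal:     ", exact_hash(VARIANT_A) == exact_hash(VARIANT_B))
    print("structural prints equal:", structural_fingerprint(VARIANT_A) == structural_fingerprint(VARIANT_B))
    print(normalize(VARIANT_A))
```

The structural fingerprint is deliberately coarse: it trades some false-positive risk (two genuinely different scripts with the same shape) for resilience against the cheap rotation a polymorphic server performs on every request, which is the trade-off behavioural and heuristic detection makes in general.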

At this time, we have no explicit knowledge on why Storm (or a portion therein) may be pushing Zango adware, nor whether Zango explicitly knew about this situation or authorized it. Zango (also ePIPO, 180solutions, HotBar) is an adware company that has a history of distributing software that runs on startup, displays advertisements, and comes bundled with other software.

Trend Micro and Zango are in contact and expect to work together to more fully understand the situation.

Users with computers under the control of a botnet often have little idea that their machines are involved in any of the activities the botnet is performing. It therefore becomes a big responsibility for users to make sure not only that they are not infected by these botnet agents (by using adequate and updated Web Threat Protection technology) but also that they are not aiding in carrying out online theft and fraud.

Update — 17 May 2008 23:34 PDT: After further review it appears the ‘AdPack’ exploit toolkit and the Storm authors are specifically targeting systems with Zango-related software installed.

We apologize for the confusion.

Updated by Paul Ferguson, Advanced Threats Research


May15
by JM Hipolito (Technical Communications)

Trend Micro threat researchers were recently alerted to yet another Web threat being perpetrated on a very popular e-commerce Web site, but with a new twist: this threat had all the markings of a Chinese-related, cyber-underground maneuver.

Research Project Manager Ivan Macalintal reported that almost 300 pages on the said site had been injected with malicious code that redirects to a number of URLs, which eventually lead to a .TXT file full of links to yet more malware. Most of the infected pages were found to be ViewItem pages of gold-plated jewelry like the one below.

Below is an image of the infection chain:

The first three redirections lead the victim to URLs all detected by Trend Micro as JS_ADODB.FP.

The third redirection connects the victim to various exploit codes detected as the following:

  • hxxp://www.mvoe.cn/all/a014.js - HTML_ADODB.EP
  • hxxp://www.mvoe.cn/all/arl.js - TROJ_REPL.CE
  • hxxp://www.mvoe.cn/all/abf.js - HTML_SHELLCOD.DE
  • hxxp://www.mvoe.cn/all/alz.htm - TROJ_IFRAMEBO.BD
  • hxxp://www.mvoe.cn/all/anrl.htm - TROJ_EXPLOIT.FP

All the aforementioned pages then connect to hxxp://w.117b.cn/net/are.exe, which is detected as PE_CAOLYWA.E-O. Upon connection, a config file is accessed, located at hxxp://w.117b.cn/config.txt. This file contains the bulk of the malicious code, which connects to 30 URLs to download TROJ_DLOADER and TSPY_ONLINEG variants.

That is obviously not good.

That is what could have happened, had the code worked successfully. Further research by threat analysts reveals that this “bouncing Web threat” never got its bounce to begin with; a missing tag prevented the infection chain from actually ever taking place.

Researchers also found a related link indicating that more malicious files may be stored on the same domain: hxxp://w.117b.cn/net/new.htm is detected as JS_ADODB.FP and connects to the same exploit code used in the foiled attack against the popular e-commerce company.

A close call indeed, but Trend Micro isn’t taking any chances. This same attack may have been used in other sites than just this popular e-commerce site and may have unfortunately worked like a charm. Trend Micro customers are already protected from this threat. All involved malicious URLs are now blocked by WTP (Web Threat Protection). Trend Micro advises users to keep the URL Filtering feature enabled in their product.
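The URL filtering advice above comes down to matching the hosts of the infection chain against outbound requests. The example below is added here and is not Trend Micro’s WTP code: it runs a small host-based blocklist over constructed proxy log lines (not real traffic from the incident), using the two domains named in the chain, and flags which clients reached the final executable stage. Matching is done on host labels so that a lookalike such as www.notmvoe.cn or a blocked domain appearing only in a URL path does not produce a false hit; the log format is an assumption for this example.

```python
from urllib.parse import urlsplit

# Domains from the infection chain described in the post (written defanged as
# hxxp there; the matcher compares host names only, so the scheme is irrelevant).
BLOCKED_DOMAINS = {"mvoe.cn", "117b.cn"}

# Constructed proxy log lines in a simplified "timestamp client method url status"
# form. These are sample data for the example, not records from the incident.
SAMPLE_LOG = """\
2008-05-15T10:01:02 10.0.0.7 GET http://www.mvoe.cn/all/a014.js 200
2008-05-15T10:01:03 10.0.0.7 GET http://W.117B.CN:80/net/are.exe 200
2008-05-15T10:01:04 10.0.0.7 GET http://w.117b.cn/config.txt 200
2008-05-15T10:02:10 10.0.0.9 GET http://www.notmvoe.cn/index.html 200
2008-05-15T10:02:11 10.0.0.9 GET http://example.com/117b.cn/page.html 200
2008-05-15T10:02:12 10.0.0.9 GET http://shop.example.com/ViewItem?id=1 200
"""


def host_of(url: str) -> str:
    """Host name of a URL, lower-cased and without any port."""
    return urlsplit(url).hostname or ""


def is_blocked_host(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True for a blocked domain or any subdomain of it. A bare suffix test
    would also match lookalikes such as notmvoe.cn, so compare on label
    boundaries (exact match, or a '.' immediately before the blocked domain)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def parse_line(line: str) -> dict:
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def filter_log(log_text: str, blocked=BLOCKED_DOMAINS) -> list:
    """Return (client, url) pairs whose request host is on the blocklist."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_blocked_host(host_of(rec["url"]), blocked):
            hits.append((rec["client"], rec["url"]))
    return hits


def clients_with_payload_fetch(hits: list) -> list:
    """Clients whose blocked requests include an executable download, i.e. the
    last step of the chain (the .exe fetched after the script stages)."""
    return sorted({c for c, u in hits if urlsplit(u).path.lower().endswith(".exe")})


if __name__ == "__main__":
    hits = filter_log(SAMPLE_LOG)
    for client, url in hits:
        print(f"BLOCKED {client} -> {url}")
    print("reached payload stage:", clients_with_payload_fetch(hits))
```

In practice the blocklist would be fed from threat intelligence rather than a literal set, and the chain detection would key on the sequence (script stage, then executable, then config fetch) within a client session; the label-boundary check is the part most often done wrong in home-grown filters.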

At the time of writing, Trend Micro has advised the concerned site of the attempted attack in order that any affected pages can be cleaned up.

Posted in Security


© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice