
Archive for July 9th, 2008


Jul9
by Mayee Corpin (Technical Communications)

While China is bracing for the 2008 Summer Olympics that it will be hosting in the capital of Beijing from August 8 to August 24, 2008, malware authors are now also busy mounting attacks that play on this quadrennial sporting event.

Reports have surfaced about a zero-day MS Word vulnerability affecting Microsoft Word 2002 Service Pack 3. It is said to affect even patched versions of the popular word-processing application on certain MS Office versions. When exploited, the unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system, or cause the application to crash.

TrendLabs experts confirm that there are malicious .DOC files spreading in the wild, adding the following observation: these use the imminent Olympics to get more users to click on them.

The samples that TrendLabs has come across are detected as TROJ_MDROPPER.ZT and have the following file names:

  • attachment .doc
  • appeal_letter_of_fttj.doc
  • attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijing.doc
  • lingotto_con_fiat.doc
  • tibetan_independence_vs_beijing_olympic.doc

Here are screenshots of two of these files:

These files are zero-day exploits under CVE-2008-2244.

Furthermore, TrendLabs has seen more than just Trojanized Word files; there are also Trojan samples of .PPT and .XLS circulating, all having to do with the Olympics and the Tibet conflict. The conflict is related to the Olympics as it has spurred pro-Tibetan parties to call for an Olympic boycott.

Here are screenshots of the PowerPoint samples:

And a screenshot of one Excel file:

Trend Micro detects the malicious Excel files as TROJ_MDROPPER.ZY, and the PowerPoint files as TROJ_PPDROP.M. It is important to note that these files are not yet confirmed to exploit zero-day vulnerabilities. Please stand by for updates.

With 10,500 athletes expected to compete in 28 sports, the Olympics is the most prestigious affair of its kind, and as such commands a worldwide audience. It is thus expected that it will be included in malicious users’ arsenal of social engineering techniques.

We have already seen it referred to in four separate incidents this year alone, as detailed in these posts:

The Trend Micro Smart Protection Network already has Trend Micro customers covered by blocking this threat. We urge non-Trend Micro users to beware of this particular attack and to use appropriate protection.

Updates as of July 10, 2008, 3:00 PM, PST

TROJ_MDROPPER.ZT

Upon successful exploitation, TROJ_MDROPPER.ZT executes shellcode that runs an embedded file. The embedded file may be any of the following:

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

The exploit involved is similar to a previously patched vulnerability that also allows remote code execution. More information on this vulnerability can be found on this Microsoft page.

TROJ_MDROPPER.ZY

Upon successful exploitation, TROJ_MDROPPER.ZY drops the following files:

(Note: %User Temp% is the current user’s Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

TROJ_PPDROP.M

Upon successful exploitation, TROJ_PPDROP.M drops the following files:

Neither TROJ_MDROPPER.ZY nor TROJ_PPDROP.M is a zero-day exploit.
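As an added illustration (not code from the original post or from Trend Micro), here is a small triage check for the dropper pattern described above: an OLE2 binary Office document that carries an embedded executable. It looks for a DOS "MZ" header whose e_lfanew field points at a valid PE signature; the sample document is constructed for the demonstration, and the heuristic only finds payloads stored in plain form, not ones a dropper has encoded or compressed.

```python
import struct

# Signature at the start of binary .DOC/.XLS/.PPT compound files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def is_ole2(data: bytes) -> bool:
    """True if the bytes carry the OLE2 compound-file signature,
    whatever the file extension claims."""
    return data[:8] == OLE2_MAGIC


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of embedded PE images: an 'MZ' DOS header whose
    e_lfanew (DWORD at +0x3C) points at a 'PE\\0\\0' signature in the buffer."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full 64-byte DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sane e_lfanew range and a real PE signature rule out stray "MZ" bytes.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_document(data: bytes) -> dict:
    """Flag an Office binary document that contains a plaintext embedded
    executable, the dropper behaviour described for the TROJ_MDROPPER samples."""
    pe_offsets = find_embedded_pe(data)
    return {
        "ole2": is_ole2(data),
        "embedded_pe_offsets": pe_offsets,
        "suspicious": is_ole2(data) and bool(pe_offsets),
    }


def build_sample() -> bytes:
    """Constructed test input: OLE2 header, padding, then a fake PE stub at 0x600."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew -> PE sig at +0x80
    stub = bytes(dos_header) + b"\x00" * 0x40 + b"PE\x00\x00" + b"\x00" * 0x20
    return OLE2_MAGIC + b"\x00" * (0x600 - 8) + stub


if __name__ == "__main__":
    print(triage_document(build_sample()))
```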

 

Jul9
by JM Hipolito (Technical Communications)


The increase in attacks targeting job hunters calls for more security measures from job recruitment site owners and job seekers alike, especially around the disclosure of, and access to, information posted by job seekers.

A service built around a tool that scours popular US job recruitment sites to harvest job seekers’ information straight from their curricula vitae (CVs) is currently being offered by the Russian gang Phreak, TheRegister reports.

The tool uses a predefined recruiter ID to sift through job recruitment sites such as the following:

  • Ajcjobs.com
  • AOL Jobs
  • Careerbuilder.com
  • Careermag.com
  • Computerjobs.com
  • Hotjobs.com
  • Jobcontrolcenter.com
  • Jobvertise.com
  • Militaryhire.com
  • Monster.com

Data acquired from the CVs is then returned as a Web form to the tool’s users, displaying information such as names, home addresses, and email addresses. Phreak reportedly charges $600 for the data, which will most likely be used for targeted phishing attacks.

Job hunters are fast becoming frequent targets of malware authors, with the popular job recruitment site Monster.com having been defaced and also frequently used for phishing attacks. More recently, a spam message posed as a CareerBuilder job offer to entice recipients into sending their CVs to a certain email address.

Threat Analyst Jasper Pimentel advises job seekers to limit the information on their CVs to what is necessary. It would also help to set up a separate throwaway email account for situations such as this, where email addresses may be disclosed publicly.


Jul9
by Bernadette Irinco (Technical Communications)

It’s Patch Tuesday once again and for this month, Microsoft released four important security bulletins to address nine vulnerabilities.

Microsoft Security Bulletin MS08-037
Vulnerabilities in DNS Could Allow Spoofing (953230)

Microsoft Security Bulletin MS08-038
Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)

Microsoft Security Bulletin MS08-039
Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)

Microsoft Security Bulletin MS08-040
Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)

Along with these security updates comes this month’s update for the Microsoft Malicious Software Removal Tool (MSRT). The update targets malware identified by Microsoft as Win32/Horst, a combined kit seen in peer-to-peer (P2P) networks. Trend Micro detects this malware as the following:

The MEDBOT and HORST families are known partners in crime that turn computers into spam-churning machines. A more detailed report on this malicious partnership can be found here.

MEDBOT has infected more than 700 systems so far this year, a big decline compared to last year, when it infected more than 5,000 computers in the first half alone. HORST, on the other hand, remains active, infecting almost 120,000 systems in 2007 and about 43,000 in the last six months.

These security updates stirred some attention because of reported conflicts on systems with ZoneAlarm products installed: users who applied the Microsoft updates lost their Internet connection. ZoneAlarm has since issued an update to resolve the connection loss. The solution, as well as identified workarounds, can be found here.

Users are strongly advised to update their PCs with the latest patches from Microsoft as soon as possible.


Jul9
by Robert McArdle (Threats Analyst)

Picture the scene: You wake up in the morning and make your way on autopilot to work at your job in Tehran, then switch on your work PC to check your email. One in particular stands out as being a bit different from the others. You read it once, and then just to be sure read it a second time, then run to look out the window. Seeing no tanks in the streets and a significant lack of mushroom clouds, you return to your desk and take another look…

Iran

Anxious to find out what’s going on, you download the video and run it to find out more information.

Wrong move.

Now, longtime readers of this blog (well, most people, to be honest) should look at that email and be immediately skeptical. They might even go and check a legitimate news site like CNN or the BBC. However, enough people will open their email inboxes this morning, download the video (hint: it’s not really a video, it’s just another Storm/Nuwar/Zhelatin/Peacomm variant, detected by Trend Micro as TROJ_NUWAR.AB) and proceed to help the Storm gang’s authors make even more money. The Storm network may have shrunk since its heyday, but its size still makes the approximately 20,000 soldiers seem small in comparison.

It’s a sad world we live in where we have to educate people to be careful of what they get in their email, to be suspicious of every site they visit, and to be constantly on the lookout for scams.

Needless to say, Trend Micro customers are protected from this threat, both with our latest pattern file, and in the cloud with our Smart Protection Network. For everyone else, think before you click.

Additional information: here are samples of spam pertaining to this attack:



Jul9
by Bernadette Irinco (Technical Communications)

Bebo (“Blog Early, Blog Often”), a social networking site widely used in the US and the UK, is being used by spammers as a new avenue to reach more users. Spammers create Bebo accounts and use their profile pages to advertise spam, Websense first reported. Trend Micro Content Security confirms that this is the first time this particular social networking site has been used in this manner in relation to spam.


Figure 1. Sample spam message containing Bebo links.


Figure 2. Bebo profile page advertising medication.

The risk here is that Bebo users might assume that the contents of the profile are legitimate since the link is under the Bebo domain. The risk for Bebo itself, however, has to do with maintaining credibility amongst the sea of other social networking sites. Rampant abuse of profile creation for spamming purposes may compromise Bebo’s reputation. The same is true for other social networking sites that suffer from the same issues of control; this has been a prevalent and currently unresolved problem for sites like MySpace and Facebook.

According to Antispam Engineer Florabel Baetiong, spammers are leveraging social networking sites since these are popular and are considered legitimate Web sites offering free services. Antispam outfits could easily take down an entire spamming operation via URL blocking if spammers used their own spam domains. Spammers instead point users to Bebo profiles in the hope of evading antispam filters and piggybacking on the site’s legitimacy.

Trend Micro Smart Protection Network recognizes and effectively blocks this threat from ever reaching our users’ inboxes. Non-Trend Micro customers should be aware of this particular mode of attack and should activate antispam filters, if available, in their email applications.



© Copyright 2008 Trend Micro Inc. All rights reserved.