
Archive for July 22nd, 2008


Jul22
by Paul Ferguson (Advanced Threats Researcher)

While this is completely unrelated to any particular malware, there is a rather disconcerting DNS cache-poisoning vulnerability that has surfaced which deserves the attention of any and every organization on the planet that operates their own DNS servers.

Determining whether you are vulnerable, and getting the vulnerability fixed quickly, becomes more important with each passing day. This is due not only to the criticality of the vulnerability, but also to some of the “colorful” background in how some of the details surrounding the vulnerability itself have become available.

First, US-CERT published an advisory on this vulnerability on 8 July 2008, and they have a detailed reference of vendor products that are affected on their advisory page. Please visit their advisory page to determine if your DNS infrastructure is at risk.

As the US-CERT advisory states, the heart of this issue is that DNS caching nameservers can be poisoned by an “…attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.”

This is a very serious situation, and can possibly lead to widespread and targeted attacks that hijack sensitive information by redirecting legitimate traffic to fraudulent Web sites, due to incorrect (fraudulent) information being injected into the vulnerable caching nameserver(s).

Secondly, while the details of this vulnerability were originally discovered by Dan Kaminsky, and were originally to be revealed at the upcoming Black Hat conference in Las Vegas next month, some details regarding the vulnerability have been “leaked” to the public, which increases the importance of quickly patching any vulnerability in deployed DNS servers.

There are also some publicly available tools to determine if your DNS servers are affected.
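The defense that the vendor patches referenced above introduce is randomization of the UDP source port (on top of the 16-bit transaction ID) for outbound recursive queries, so the practical check for a resolver operator is whether those ports actually vary from query to query. The following is an added example, not code from the original post or from US-CERT: it scores a list of observed source ports taken from a packet capture of the resolver's outbound traffic. The port lists, the thresholds and the verdict labels are constructed assumptions of this example, not a published standard; the same function can be fed observed transaction IDs.

```python
import math
from collections import Counter

# Constructed samples (not from the post): source ports seen on 20 consecutive
# outbound queries from two hypothetical resolvers, as read from a packet capture.
SEQUENTIAL_PORTS = list(range(32768, 32788))   # incrementing, predictable pattern
RANDOM_PORTS = [51423, 3217, 60011, 17890, 42345, 9001, 58822, 24680,
                13579, 61234, 7777, 39210, 55555, 21987, 48120, 1025,
                63001, 30303, 12001, 45678]


def shannon_entropy(values):
    """Entropy (bits) of the observed value distribution; log2(n) for n distinct samples."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values, max_step=2):
    """True when every sample is within max_step above the previous one."""
    return all(0 <= b - a <= max_step for a, b in zip(values, values[1:]))


def assess_port_randomisation(ports):
    """Classify observed UDP source ports (or transaction IDs) as GOOD / POOR / FIXED.

    Heuristic assumed by this example: FIXED if a single value is reused for every
    query; POOR if the values increment predictably or sit in a narrow range
    (spread < 1024); GOOD otherwise. Returns (verdict, details).
    """
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    entropy = shannon_entropy(ports)
    if distinct == 1:
        verdict = "FIXED"
    elif is_sequential(ports) or spread < 1024:
        verdict = "POOR"
    else:
        verdict = "GOOD"
    return verdict, {"distinct": distinct, "spread": spread,
                     "entropy_bits": round(entropy, 2)}


if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL_PORTS), ("random", RANDOM_PORTS)):
        print(label, assess_port_randomisation(sample))
```

One caveat worth carrying into any such check: capture the traffic on the Internet-facing side of any NAT device in front of the resolver, because a NAT that rewrites source ports sequentially can undo the randomization the patch provides.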

This vulnerability is quite serious, so please — PATCH NOW.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

 

Jul22
by Macky Cruz (Technical Communications)

A few hours ago (22 July 2008, 03:41 a.m. PST), our EMEA threat analysts were able to catch the following UPS spam samples from our honeypots. Apparently, the spam run we saw last week (discussed in the blog entry Trojans Deliver) is just beginning to pick up.

Here are the fresh new UPS spam samples:

Banking perhaps on a previous observation from the earlier UPS post:

The B2C (business-to-consumer) parcel industry is set to be the next big thing in Europe, says market research company Datamonitor, according to M2 Presswire in this report. European users, especially those who routinely have purchases delivered to them, should be extra careful when receiving communications from their parcel delivery company of choice. It is recommended to challenge such messages when their format (content, sender address, attachment type) differs from the original ones. It might be best to track deliveries online or by phone instead.

Fortunately, the Trend Micro Smart Protection Network already detects these files as TSPY_ZBOT.PF. As we write this, more samples are being seen.

Updates as of 22 July 2008

TSPY_ZBOT.PF downloads an encrypted configuration file from a remote site. The said file contains banking-related URLs which the spyware monitors in Internet browser address bars. When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes. Gathered data is then saved in a file, then sent to a remote site through HTTP post. The URLs listed in the downloaded configuration file may change at any time.
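Because the configuration file is encrypted, the monitored URL list is not visible on the wire; what a network defender can key on is the behaviour the update describes, namely an HTTP POST of captured form data to a remote site shortly after the victim loads a banking page. The following is an added example, not code from the original post or from Trend Micro: it walks constructed proxy log lines (timestamp, client, method, URL, a format assumed for this example) and flags a POST from a client to a third-party host within a short window of that client visiting a monitored banking host. The banking host list, the 60-second window and the sample IPs are assumptions; a production version would also maintain an allowlist of legitimate third-party POST destinations (analytics, single sign-on) to keep false positives down.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (assumed format: ISO timestamp, client IP, method, URL).
LOG_LINES = """
2008-07-22T10:15:01 10.0.0.5 GET https://online.examplebank.test/login
2008-07-22T10:15:07 10.0.0.5 POST https://online.examplebank.test/login
2008-07-22T10:15:09 10.0.0.5 POST http://203.0.113.7/collect
2008-07-22T10:20:00 10.0.0.9 GET http://www.example.test/news
2008-07-22T10:20:03 10.0.0.9 POST http://www.example.test/comment
""".strip().splitlines()

# Hosts whose login pages we care about (assumed for this example).
BANKING_HOSTS = {"online.examplebank.test"}
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into (timestamp, client, method, url)."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method.upper(), url


def find_suspect_posts(lines, banking_hosts=BANKING_HOSTS, window=WINDOW):
    """Return (client, url) pairs for POSTs to a non-banking host made within
    `window` after the same client last requested a monitored banking host."""
    last_bank_visit = {}   # client IP -> time of most recent banking request
    alerts = []
    for ts, client, method, url in sorted(parse_line(l) for l in lines):
        host = urlsplit(url).hostname
        if host in banking_hosts:
            # Requests to the bank itself (including the real login POST) are expected.
            last_bank_visit[client] = ts
            continue
        seen = last_bank_visit.get(client)
        if method == "POST" and seen is not None and ts - seen <= window:
            alerts.append((client, url))
    return alerts


if __name__ == "__main__":
    for client, url in find_suspect_posts(LOG_LINES):
        print(f"suspect POST from {client} to {url}")
```

The heuristic deliberately ignores the POST to the bank's own login page, which is the legitimate submission the spyware is stealing; the alert is the second POST, from the same client, to an unrelated host a few seconds later.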

 

Jul22
by Joey Costoya (Advanced Threats Researcher)

We’ve seen malicious URLs ending in r.html, main.html, news.html, and about.html being spammed over the past several days. Now it’s changing to start.html and begin.html.

Visiting these start.html and begin.html Web sites redirects the browser to a site where WATCH.EXE is downloaded. From what I’ve seen so far, these sites are pushing the same binary. Trend Micro now detects it as TROJ_AGENT.AYZO.

What’s worrying about these *.html spam runs over the past several days is the increasing incidence of compromised Web sites used to host malicious content on a massive scale. These *.html pages and the .EXE payloads are all hosted on legitimate Web sites. It seems that malware distributors no longer have to register/buy domains and Web hosting services when they have this huge number of compromised Web sites to host their malware.

Shortly after this entry was posted, I was contacted by one Web hosting company’s network architect, who said that two of their customers’ Web sites were compromised and the files described in the blog post were found in the said site. He said that the hackers were able to use the right FTP user name and password, and there was no evidence of a brute force attempt. What’s left to consider is that the machine (or network) that the said customer is using to manage the Web site is infected, and has some sort of keylogging/sniffing malware (especially for FTP passwords).

This was the first clue I got regarding this proliferation of compromised Web sites. It is known that FTP accounts are traded in underground forums, and there exist tools to automate file uploads with the right FTP credentials (FTP-Toolz comes to mind). It forms a really neat malware ecosystem.

Updates as of 22 July 2008, 11:00 AM PST

Trend Micro Escalation Engineer Edgardo Diaz also found a number of URLs, this time ending with viewmovie.html, cennib.html and hot.html. Viewmovie.html redirects the user to a Web site that downloads codecinst.exe. Our engineers are currently analyzing the possibly malicious file. Meanwhile, the said malicious URLs are blocked to protect users from being infected.

Updates as of 26 July 2008, 10:23 AM PST
During the past few days the Advanced Threats Research team has found other malicious .HTMLs: live.html (which redirects browsers to install_flash_player_update.exe, which Trend now detects as TROJ_RENOS.ADF) and just recently, topnews.html.

 


© Copyright 2008 Trend Micro Inc. All rights reserved.