Trend Micro Malware Blog: Archive for July, 2009




    This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the "solar eclipse 2009 in America" SEO poisoning attack described in a recent blog post. This one, however, introduces yet another scare tactic (the newest ploy we had seen before this was the ransomware/FAKEAV combination that encrypts files on the infected computer and then offers a bogus fix tool for a price).

    This FAKEAV variant terminates any file with an .EXE extension that the user tries to run and displays a pop-up message claiming that the .EXE file is infected and cannot be executed.



    Users are thus left with no apparent choice but to "activate" the rogue antivirus product, since no other application will run. Trend Micro detects this Trojan as TROJ_FAKEAV.B. It deliberately avoids terminating critical system processes so that the system does not crash.

    Unfortunately, cybercriminals work hard at inventing new gimmicks, and we can only guess what FAKEAV will try next. Fortunately, the Trend Micro Smart Protection Network protects users from threats such as this one.


    Trend Micro researchers recently came across samples that exploited a new zero-day vulnerability in Adobe Reader 9.1.2 and Adobe Flash Player 9 and 10.

    The exploit arrives as a PDF file with embedded Flash objects and malicious binary files. The Flash object carries the shellcode and allocates a large number of memory blocks containing it.

    This technique is known as heap spraying: the heap is filled with so much attacker-controlled data that a corrupted pointer or return address is likely to land inside one of the sprayed blocks. Once a user opens the specially crafted PDF file, two binary executables are dropped and executed on his/her system. Trend Micro detects the .PDF file as TROJ_PIDIEF.ANQ or TROJ_PIDIEF.ANP, and the dropped files as BKDR_HAYDEN.K, BKDR_HAYDEN.L, TROJ_AGENT.AXWS, and TROJ_AGENT.IAAK.

    Since Adobe has not yet released patches for these vulnerabilities, users are advised to take extreme caution when opening .PDF files. Adobe has offered a workaround, but it disables all Flash objects embedded in PDF files, which may or may not be acceptable depending on one's usage. Patches from Adobe are not expected until the end of the month.
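    While waiting for the patch, a practitioner will want a quick way to tell whether a PDF even carries Flash before anyone opens it. The script below is an added example written for this page, not Trend Micro's code nor the detection logic of any product: it inflates FlateDecode streams and flags PDFs that contain embedded Flash (RichMedia annotations, Flash instances, SWF magic bytes) or other active content such as JavaScript and auto-run actions. The PDF and SWF names it looks for are real format constants; the two sample documents it builds are toy files constructed here for the demonstration and contain no exploit.

```python
import re
import zlib

# Added example: triage scanner for PDFs with embedded Flash / active content.
# Format names below are real PDF and SWF constants; the sample documents
# built by build_sample_pdf() are constructed for this example only.

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib- and LZMA-compressed SWF
MARKERS = [
    ("RichMedia annotation", rb"/RichMedia\b"),
    ("Flash RichMedia instance", rb"/Subtype\s*/Flash\b"),
    ("Flash MIME type", rb"application(?:/|#2F)x-shockwave-flash"),
    ("JavaScript", rb"/JavaScript\b|/JS\b"),
    ("auto-run action", rb"/OpenAction\b|/AA\b"),
    ("Launch action", rb"/Launch\b"),
    ("embedded file", rb"/EmbeddedFile\b"),
]
# "stream\n...\nendstream"; the lookbehind keeps "endstream" from matching as a start.
STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def iter_streams(pdf):
    """Yield (raw, inflated) for every stream object. inflated is None unless
    the stream dictionary names /FlateDecode and the data decompresses."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        obj_start = pdf.rfind(b" obj", 0, m.start())          # dictionary of this object
        dictionary = pdf[obj_start:m.start()] if obj_start != -1 else b""
        inflated = None
        if re.search(rb"/Filter\s*/FlateDecode\b", dictionary):
            try:
                # decompressobj returns what it can for truncated data; corrupt data raises
                inflated = zlib.decompressobj().decompress(raw)
            except zlib.error:
                inflated = None
        yield raw, inflated


def scan_pdf(pdf):
    """Return a sorted list of findings (empty list means nothing suspicious)."""
    findings = set()
    if not pdf.startswith(b"%PDF-"):
        findings.add("missing %PDF- header")
    regions = [("file", pdf)]
    for raw, inflated in iter_streams(pdf):
        if raw[:3] in SWF_MAGIC:
            findings.add(f"embedded SWF ({raw[:3].decode()}) in raw stream")
        if inflated is not None:
            regions.append(("inflated stream", inflated))
            if inflated[:3] in SWF_MAGIC:
                findings.add(f"embedded SWF ({inflated[:3].decode()}) in inflated stream")
    for where, body in regions:              # markers may hide inside compressed streams
        for label, pat in MARKERS:
            if re.search(pat, body):
                findings.add(f"{label} in {where}")
    return sorted(findings)


def build_sample_pdf(with_flash):
    """Construct a toy PDF. with_flash adds a RichMedia annotation whose embedded
    file is a Flate-compressed SWF header (header bytes only, no Flash bytecode)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    if with_flash:
        fake_swf = b"CWS\x09" + (64).to_bytes(4, "little") + b"\x00" * 56
        data = zlib.compress(fake_swf)
        objs += [
            b"<< /Type /Annot /Subtype /RichMedia /Rect [0 0 100 100] /RichMediaContent 5 0 R >>",
            b"<< /Type /RichMediaInstance /Subtype /Flash /Asset 6 0 R >>",
            b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream",
        ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for name, doc in (("benign", build_sample_pdf(False)), ("flash", build_sample_pdf(True))):
        print(name, scan_pdf(doc) or ["no findings"])
```

    Run it against a directory of incoming PDFs and quarantine anything with an "embedded SWF" or "Flash RichMedia instance" finding; a match is not proof of exploitation, but during an unpatched zero-day any Flash inside a PDF from an untrusted sender deserves a sandbox rather than Adobe Reader. The scanner only decodes FlateDecode, so streams using other filters (or object streams) still need a full PDF parser.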

    July has been an exceptionally busy month for zero-day exploits. Early in the month, an exploit involving ActiveX controls was used to spread FAKEAV malware; just days ago this was joined by an exploit affecting Mozilla Firefox.

    Trend Micro Smart Protection Network users are already protected from these threats.


    Yesterday's solar eclipse over parts of Asia was witnessed by millions of people, so it should come as no surprise that it has also attracted the attention of cybercriminals. They wasted no time in riding on the phenomenon, using SEO poisoning to redirect users to a site peddling rogue antivirus software (FAKEAV).


    According to Senior Threat Researcher Joey Costoya, who discovered the attack, when users search for the phrase "solar eclipse 2009 in America" in popular search engines, certain top-ranking results redirect them to a malicious site under the domain name antispyware-scannerv3, where the FAKEAV is hosted. Trend Micro detects this rogue antivirus variant as HTML_FAKEAV.FT.

    The following are screenshots of the rogue antivirus online scanning page and the scanning results:

    [Screenshots: rogue antivirus online scanning page; scanning results]

    The Smart Protection Network protects Trend Micro users from this threat by blocking access to the malicious sites, so that even curious users who click on the rigged search results do not end up on the rogue antivirus site. Trend Micro also already detects and cleans the rogue antivirus components related to this attack.

    This is not the first time an eclipse was used to bait users to download malware. Read more about that in the blog entry Dark Shadows Lurk after Lunar Eclipse.


    Early this week, the KOOBFACE command-and-control (C&C) servers issued a new command to the botnet's downloader component. The command carries a list of IP addresses that the downloader is to use as Web or relay proxies for retrieving subsequent commands and components.

    In the old KOOBFACE architecture (see Figure 1), the downloader connects directly to an available C&C server to receive commands. The new command seen this week changes the KOOBFACE botnet architecture to something more like Figure 2.

    [Figure 1: old KOOBFACE architecture; Figure 2: new KOOBFACE architecture]

    This new command adds a redundancy layer to the old architecture, probably in response to KOOBFACE domain takedowns. With the upgrade, the KOOBFACE botnet can survive even if all of its C&C domains are shut down, because the listed IP addresses (KOOBFACE zombies themselves) can also host updated KOOBFACE commands and components.

    KOOBFACE made waves on social networking sites by using infected users' profiles to infect other users and thereby propagate. We have chronicled its activities in the following blog posts:


    Earlier today, Senior Threat Researcher Joseph Reyes spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:

    • JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
    • JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
    • JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.

    Initial analysis by Threat Analyst Jessa De La Torre shows that the scripts above may be downloaded without the user's knowledge through either Firefox or Internet Explorer.

    According to Mozilla, a Firefox user reported a crash that developers determined could result in exploitable memory corruption: in certain cases, after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state, which an attacker could exploit to run arbitrary code. The vulnerability does not affect earlier versions of Firefox, which do not have the JIT feature.

    Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog (setting javascript.options.jit.content to false in about:config). This workaround is unnecessary for Firefox 3.5.1 users, since that release fixes the bug.

    The vulnerability in the Microsoft Video ActiveX Control, for its part, allows remote code execution if a user views a specially crafted web page with Internet Explorer that instantiates the control. Users whose accounts are configured with fewer user rights on the system are less affected than those who operate with administrative rights.

    Microsoft is aware of attacks attempting to exploit these vulnerabilities and advises its customers to prevent the Office Web Components (OWC) control from running, either manually or through the automated solution in Microsoft Knowledge Base Article 973472.
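    Microsoft's manual workaround for a vulnerable ActiveX control is the "kill bit": a Compatibility Flags value with bit 0x400 set under the control's CLSID in the ActiveX Compatibility registry key, which stops Internet Explorer from instantiating that control regardless of where the DLL lives. The Python script below is an added example, not Microsoft's Fix it and not Trend Micro code: it generates a .reg file that sets the kill bit for a list of CLSIDs (in both registry views, since 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view) and checks an exported .reg file for the bit. The CLSID it uses is a placeholder; the real CLSIDs for the Office Web Components and the Video ActiveX Control come from Microsoft's advisories and are not reproduced here.

```python
import re

# Added example: build and verify ActiveX kill-bit registry settings.
# Key paths and the 0x400 flag are the real Internet Explorer mechanism;
# SAMPLE_CLSID is a placeholder, not the CLSID of any real control.

ACTIVEX_COMPAT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit IE on 64-bit Windows reads the WOW64 view, so both are written.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
]
KILL_BIT = 0x400   # "Compatibility Flags" bit: never instantiate this control
SAMPLE_CLSID = "{12345678-1234-1234-1234-123456789ABC}"   # placeholder CLSID

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
SECTION_RE = re.compile(r"^\[(.+)\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def normalize_clsid(clsid):
    """Upper-case, brace-wrapped CLSID; rejects anything that is not a GUID."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids):
    """Return .reg file text that sets the kill bit for each CLSID in both views.
    Import on the affected host from an elevated prompt: reg import killbits.reg"""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in map(normalize_clsid, clsids):
        for base in ACTIVEX_COMPAT_KEYS:
            lines.append(f"[{base}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\r\n".join(lines)


def killbit_views(reg_text, clsid):
    """Parse .reg text (generated above, or exported with reg export) and return
    the sorted list of ActiveX Compatibility keys in which clsid has the kill bit.
    Flags are OR'd bits, so any value with 0x400 set counts, not only 0x400 itself."""
    clsid = normalize_clsid(clsid)
    wanted = {f"{base}\\{clsid}".upper(): base for base in ACTIVEX_COMPAT_KEYS}
    flags = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = FLAGS_RE.match(line)
        if m and current in wanted:
            flags[current] = int(m.group(1), 16)
    return sorted(wanted[k] for k, v in flags.items() if v & KILL_BIT)


if __name__ == "__main__":
    reg = killbit_reg([SAMPLE_CLSID])
    print(reg)
    print("kill bit set in:", killbit_views(reg, SAMPLE_CLSID))
```

    Because the kill bit is a registry value and not a file change, it survives reinstallation of the control and can be pushed by Group Policy; the verification half is for confirming, from a `reg export` of the key, that a rollout actually landed on both views.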

    Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:

    Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice