Archive for July, 2009

The sudden death of Michael Jackson caused not only an outpouring of emotions from his family, friends, and fans, but also a wave of spam mails that took advantage of this tragic event. Even after his memorial service on July 7, 2009, spammers are clearly not resting as they try to spread other malicious spam messages.

We recently acquired a Portuguese spam mail that lures recipients by claiming to have pictures from the memorial service of Michael Jackson. Below is a screenshot of the mail:

[Screenshot of the spam mail; image not available]

However, once you click either seu grandes album de fotos (great album for your photos), fotos do astro (photos of the star), or the picture in the mail, you are redirected to a blank site with a dialog that asks you to save an .exe file named foto.exe:

[Screenshot of the save-file prompt for foto.exe; image not available]

This file clearly does not contain the pictures, since pictures do not need an .exe file in order to be viewed.

    All aspects of the Smart Protection Network work together to help neutralize this threat. The spam messages and malicious website involved are all blocked, and the file foto.exe is detected as TROJ_DLOADER.ZRC.




Amid the growing concern over numerous vulnerabilities, just this afternoon Trend Micro Research Project Manager Ivan Macalintal stumbled on a somewhat regional fallout of this SQL injection in India, threading through numerous compromised government, tourism, popular media, and other sites. We have identified the following new URLs leading to more malware that made it onto unknowing users’ systems while they visited sites where the malicious script injection was found and identified:

    • http://lsg.kerala.gov.in
    • http://www.lsg.kerala.gov.in
    • http://www.bangaloremirror.com
    • http://www.mumbaimirror.com
    • http://www.kolkatamirror.com
    • http://www.mumbaipluses.com
    • http://education.indiatimes.com
    • http://www.kolhapurbusiness.com
    • http://www.bizxchange.in
    • http://timesascent.in
    • http://www.studio3india.com
    • http://www.timesascent.co.in
    • http://www.mumbaibusinessdirectory.in
    • http://www.tourindianow.org
    • http://www.maharashtradirectory.com

Based on Trend Micro threat analyst Joseph Pacamarra’s initial findings, the Trojan detected as TROJ_AGENT.HOZZ has so far been seen on only two domains, jatrja.com and js.tongji.linezing.com. Figure 1 below shows how users can get infected.

[Figure 1: infection chain; image not available]

Trend Micro product users need not fret, as the Smart Protection Network already protects them from these threats, but they should still be wary of the sites they visit, since the final malware payload appears to be a new type of information stealer.

    Update as of 17 July 2009, 16:00

    Trend Micro threat analyst Joseph Pacamarra confirms that the number of websites compromised in this attack is 6,810 and rising.
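The post describes a mass compromise in which a malicious script reference was injected into thousands of legitimate pages, with the payload served from the two domains named above. A site owner or incident responder checking their own pages for this kind of injection can enumerate every external `<script src>` and flag those that point at the named payload hosts or at any third-party host that is not on an allow list. The example below is added here and is not Trend Micro's code; the `KNOWN_BAD_HOSTS` set contains only the two domains the post names, and the page host, allow list, and sample HTML are constructed for illustration.

```python
"""Flag injected <script> references in HTML (added example, not Trend Micro code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two payload domains named in the post; everything else here is an assumption.
KNOWN_BAD_HOSTS = {"jatrja.com", "js.tongji.linezing.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def host_of(url):
    """Return the lowercase host of an absolute or protocol-relative URL, else None."""
    if url.startswith("//"):
        url = "http:" + url
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def find_suspicious_scripts(html, page_host, allowed_hosts=()):
    """Return (src, reason) pairs for script references that merit investigation.

    Relative paths are served by the page's own host and are skipped; absolute
    references are matched against the known payload hosts (including their
    subdomains) and then against the site's allow list of script providers.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    findings = []
    for src in collector.sources:
        host = host_of(src)
        if host is None:
            continue
        if host in KNOWN_BAD_HOSTS or any(host.endswith("." + b) for b in KNOWN_BAD_HOSTS):
            findings.append((src, "known malicious host"))
        elif host not in allowed:
            findings.append((src, "third-party script host not in allow list"))
    return findings


# Constructed sample page modelled on a compromised site: the last <script> tag
# is the injected one. Hostnames ending in .test are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://ajax.example-cdn.test/lib.js"></script>
</head><body><p>Tourism portal</p>
<script src="http://js.tongji.linezing.com/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_suspicious_scripts(
        SAMPLE_HTML, "www.example.test", ["ajax.example-cdn.test"]
    ):
        print(f"{reason}: {src}")
```

Running the block against a crawl of your own site reports each external script reference once; a script host appearing on pages that never legitimately embed third-party code is the signature of the injection described in the post.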




Microsoft released six security bulletins for July, one of which covers one of the two vulnerabilities exploited by cybercriminals in the last two weeks.

The Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution was used in a zero-day attack last week that involved around 967 compromised Chinese websites. A script that triggered the exploit was inserted into those websites; when successfully executed, it drops WORM_KILLAV.AI onto the affected system. The security advisory MS09-032 already addresses the vulnerability used in this attack.

    Here is the full list of security advisories issued for this month:

The Office Web Components ActiveX vulnerability is the other vulnerability used in a malware attack this month. As in the zero-day attack, a script that triggers the exploit was inserted into compromised websites. This placed any visitor to the compromised websites who hasn’t updated their system at risk of infection by TROJ_DLOADR.DOF, which drops a rootkit component detected as TROJ_ROOTKIT.DOF and downloads TROJ_DLOADR.UIG and TROJ_INJECT.AKI. A patch for the said vulnerability hasn’t been issued, but Microsoft has provided a workaround to protect users while an update is being developed.

    Meanwhile, users are advised to update their systems as soon as possible.




Conventional wisdom has it that mobile platforms like PDAs and mobile phones are safer from malware attacks, one reason being the relatively closed nature of such platforms. On some platforms, such as newer versions of the Symbian OS, this is enforced in part by mandatory code signing, which requires that applications be signed by a third party, ensuring (in theory) that they are not malicious. (Currently, this process is carried out by Symbian Signed, now part of the Symbian Foundation.)

    Assuming that the third party is trustworthy, this system should be foolproof, shouldn’t it?

    Not always.

In the past few days, Trend Micro has encountered a new threat for Symbian devices, detected as SYMBOS_YXES.B. According to Marianne Mallen, Escalation Engineer in TrendLabs, it poses as the legitimate application ACSServer.exe and calls itself Sexy Space. It steals the user’s subscriber, phone, and network information and connects to a website in order to send that information. In addition, it can send spammed SMS messages to the user’s contacts. (The content of those messages is acquired from the website it connected to earlier.)

In short, it appears to be a botnet for mobile phones. All this would be worrying enough, but there’s an even bigger issue at play here. Both SYMBOS_YXES.B and an earlier variant, SYMBOS_YXES.A, are signed programs. The signing process—undertaken by the Symbian Foundation itself—is supposed to ferret out instances like this, but somehow this slipped through. It may well be a coincidence, but it does not reinforce confidence in the signing system.

    Whatever the case, this particular threat is already detected by the Smart Protection Network.




Barely a few days after the last Microsoft zero-day exploit, out comes another, this time attacking vulnerabilities in the OS’s Office Web Components Spreadsheet ActiveX control (OWC 10 and OWC 11). As if on cue for the next round of Patch Tuesday releases, the cybercriminals also released their own “updates” with this attack.

    “This vulnerability could be used for remote code execution in a ‘browse and get owned’ scenario,” says Microsoft, “but requires user interaction since a user needs to go to a malicious website that hosts the exploit to become infected.” Users need not fear, however, as Microsoft has released an advisory containing further information on this exploit. It also released information on how users can tell if their systems are vulnerable to this attack in a blog post.

Trend Micro Research Manager Ivan Macalintal says that the exploit appears to use script fragmentation—the same tactic used in a previous zero-day mass Web compromise. He adds that the individual parts of the malicious script may not be malicious per se. However, when combined, the outcome—a full working exploit—can prove disastrous.

Users who visit malicious sites using vulnerable Internet Explorer browsers run the risk of automatic infection. The JavaScript detected as JS_SHELLCODE.BH runs automatically on vulnerable browsers unless the ActiveX control is disabled. Once executed, says Trend Micro Threat Analyst Jessa De La Torre, the script enables the download of TROJ_DLOADR.DOF, which drops a rootkit (TROJ_ROOTKIT.DOF) and then downloads the Trojans TROJ_DLOADR.UIG and TROJ_INJECT.AKI. TROJ_DLOADR.UIG downloads roughly a hundred files from a certain URL, exposing the system to infection by a lot more malware.


The attack affects common Microsoft applications, most notably Microsoft Office XP Service Pack 3 and Microsoft Office 2003 Service Pack 3.

To protect users from this threat, Microsoft has published a workaround to use until the next Patch Tuesday release. The page also contains a link so users can apply the workaround automatically.

Trend Micro threat analysts have received reports of this vulnerability exploit and are currently analyzing the samples. Trend Micro product users need not fret, however, as this threat is already blocked by the Smart Protection Network.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice