
    Archive for January 21st, 2010




    Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC. After exploiting the said bug, they attempt to connect to a certain URL to download a file.


    Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent attacks targeting major organizations like Google and Adobe. However, instead of merely targeting such organizations, they are now fully in the wild and hitting ordinary users.

    In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released.

    Trend Micro™ Smart Protection Network™ protects users from this type of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

    Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

    Update as of January 21, 2010, 11:00 a.m. (GMT +8:00):

    The official Microsoft security bulletin and patch have been released. Users are strongly advised to apply this patch—either manually or automatically—to protect themselves against this threat.

    Update as of January 21, 2010, 9:58 p.m. (GMT +8:00):

    HTML_COMLE.CXC and another new exploit code downloading other component files before downloading HYDRAQ variants are now detected as JS_ELECOM.SMA. JS_ELECOM.SMA calls JS_ELECOM.SMB, its component file, which contains obfuscated data variables necessary for JS_ELECOM.SMA’s proper execution.




    The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in relation to spoofed messages supposedly from Facebook.

    SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from Zeus and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.


    In the course of conducting research on SASFIS-related activities in the past few months, I have come across the following infection numbers:

    Month/Year          Infected Systems
    September 2009      49
    October 2009        191
    November 2009       185
    December 2009       105
    January 20, 2010    99

    SASFIS variants are usually downloaded as a file named load.exe while visiting sites that have been compromised using the Eleonore Exploits Pack. Upon execution, they create temporary files and modify registry entries. They then send a GET request to a remote site to download another file, usually named max.exe, which in turn downloads a file named max_b.exe, a FAKEAV variant.

    SASFIS itself may be a simple Trojan downloader that fetches one or more files from a single domain via a GET request, but as with other malware, the several additional binaries it pulls onto a system turn a simple infection into something far more serious.
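    The staged download chain described above (load.exe, then max.exe, then max_b.exe, each fetched with a GET request) is a pattern a defender can look for in web-proxy logs. The script below is an added example, not code from the TrendLabs post: it parses a constructed, Squid-like log format (epoch seconds, client IP, method, URL, HTTP status), groups successful GETs per client, and reports every client that fetched the full chain in order within a time window. The filenames come from the post; the log lines, the log format and the 10-minute window are assumptions made for the example.

```python
"""Detect the staged download chain described above in web-proxy logs.

Added example, not code from the TrendLabs post. The filenames load.exe,
max.exe and max_b.exe come from the post; the log format and all log lines
are constructed for this example (fields: epoch-seconds client method url status).
"""
import re
from collections import defaultdict

# Stage order described in the post: load.exe -> max.exe -> max_b.exe
CHAIN = ["load.exe", "max.exe", "max_b.exe"]
WINDOW_SECONDS = 600  # assumption: the three fetches complete within 10 minutes

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log: one full chain (10.0.0.5), one client that only
# fetched the later stages (10.0.0.9), and one chain that timed out (10.0.0.7).
SAMPLE_LOG = """\
1263952000 10.0.0.5 GET http://compromised.example/blog/index.php 200
1263952003 10.0.0.5 GET http://dl.example.net/load.exe 200
1263952040 10.0.0.5 GET http://dl.example.net/max.exe?id=7 200
1263952095 10.0.0.5 GET http://dl.example.net/max_b.exe 200
1263952100 10.0.0.9 GET http://dl.example.net/max.exe 200
1263952110 10.0.0.9 GET http://dl.example.net/max_b.exe 200
1263952200 10.0.0.7 GET http://dl.example.net/load.exe 200
1263959999 10.0.0.7 GET http://dl.example.net/max.exe 200
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "client": m["client"],
        "method": m["method"],
        "url": m["url"],
        "status": int(m["status"]),
    }


def basename(url):
    """Lower-cased final path component of a URL, ignoring query and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.rsplit("/", 1)[-1].lower()


def find_chains(lines, window=WINDOW_SECONDS):
    """Return [(client, [(stage_name, ts, url), ...])] for every client whose
    successful GETs fetched the whole chain, in order, within `window` seconds."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        name = basename(rec["url"])
        if name in CHAIN:
            per_client[rec["client"]].append((name, rec["ts"], rec["url"]))

    hits = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e[1])
        stage, start, trail = 0, None, []
        for name, ts, url in events:
            if name == CHAIN[0]:
                # a new load.exe always starts (or restarts) a chain
                stage, start, trail = 1, ts, [(name, ts, url)]
                continue
            if stage == 0 or name != CHAIN[stage]:
                continue  # later stage seen out of order; ignore it
            if ts - start > window:
                stage, start, trail = 0, None, []  # chain took too long
                continue
            trail.append((name, ts, url))
            stage += 1
            if stage == len(CHAIN):
                hits.append((client, trail))
                stage, start, trail = 0, None, []
    return hits


if __name__ == "__main__":
    for client, trail in find_chains(SAMPLE_LOG):
        print(client, "->", " -> ".join(f"{n}@{int(t)}" for n, t, _ in trail))
```

    Matching on the whole ordered sequence rather than on any single filename keeps the rule from firing on every unrelated max.exe seen on the network, while the window prevents a stale load.exe from being paired with a fetch hours later.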

    SASFIS uses two primary business models. The first is pay-per-install (PPI), which has been discussed in more detail in “SDBOT IRC Botnet Continues to Make Waves.” In this model, the cybercriminals behind other malware families (e.g., ZBOT, KOOBFACE, etc.) pay those behind SASFIS a fee to install their own creations onto SASFIS-affected systems.

    The cybercriminals behind SASFIS also use the pay-per-access (PPA) business model, hardcoding a list of adult websites into some of the components their creations download and redirecting users to those sites, though their reason for doing so remains vague. They probably do this either to annoy users or to distract them and so conceal the infection.

    Though SASFIS has not been as notorious as other malware families, it still remains a threat. Users are advised to be wary of the sites they visit to avoid infection.

    Trend Micro™ Smart Protection Network™ protects users from all kinds of SASFIS-related threats.




    Trend Micro fraud analysts recently came across spammed messages targeting customers of the Fifth Third Bank. The messages urged recipients to log in to a temporary link, http://www.53.com.{BLOCKED}.com.pl/wpserver/cmportal/cblogin.php?session=667882698791972326077742654898739&email=p2t2all@tacobell.com, in order to download and install a digital certificate that would supposedly reinforce the bank’s security. Clicking the link, however, led users to a phishing page that prompts them to key in their user names and passwords. This, as you all probably know by now, is a typical tactic to trick users into giving out their personal credentials, which can then be used for further malicious activities or sold in underground forums.
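    The link in this campaign puts the bank's real domain, 53.com, in front of an unrelated registrable domain under .com.pl, so a quick glance at the address bar looks right. The script below is an added example, not code from the TrendLabs post: it splits a URL's hostname into its registrable domain and checks whether a trusted brand domain appears only as an embedded label sequence, which is the shape of this phishing link. The public-suffix table is a small constructed subset (a real deployment would use the full Public Suffix List), and the phishing host used in the sample replaces the post's {BLOCKED} label with the placeholder "phisher-placeholder".

```python
"""Flag URLs whose hostname embeds a trusted bank domain inside an unrelated
registrable domain, the construction used in the phishing link above
(www.53.com.{BLOCKED}.com.pl). Added example, not code from the TrendLabs post.
The public-suffix table is a constructed subset; a real deployment would use
the full Public Suffix List. The phishing host below replaces the post's
{BLOCKED} label with the placeholder "phisher-placeholder"."""
from urllib.parse import urlsplit

TRUSTED = {"53.com"}  # from the post: the bank's real domain
MULTI_LABEL_SUFFIXES = {"com.pl", "co.uk", "com.au"}  # assumption: small subset


def registrable_domain(host):
    """Registrable (owner-controlled) domain: last label plus one, or last two
    labels plus one when the suffix itself has two labels (e.g. com.pl)."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(n + 1):])


def classify_url(url):
    """Return (verdict, registrable_domain, matched_brand).

    verdict is "trusted" when the registrable domain is a trusted brand,
    "lookalike" when a brand appears only as a sub-label sequence of some
    other registrable domain, and "unrelated" otherwise."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return ("trusted", reg, reg)
    padded = "." + host + "."
    for brand in TRUSTED:
        if "." + brand + "." in padded:  # whole-label match only
            return ("lookalike", reg, brand)
    return ("unrelated", reg, None)


# Constructed URLs: the phish shape from the post, the bank's real site, and
# two unrelated hosts (one with the brand glued to another label, not a label).
SAMPLES = [
    "http://www.53.com.phisher-placeholder.com.pl/wpserver/cmportal/cblogin.php",
    "https://online.53.com/login",
    "https://www.example.com/",
    "https://evil-53.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify_url(u), u)
```

    The check deliberately matches whole labels only, so a hostname such as evil-53.com is reported as unrelated rather than as a lookalike; catching that variant needs a separate similarity check, which this example does not attempt.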


    After signing in, users are prompted to download the said digital certificate, certificate.exe, which is actually a malicious file Trend Micro detects as TSPY_ZBOT.SMAP. This malware steals personal credentials via keylogging; the stolen data, mostly banking-related information, are then sent to a couple of URLs via HTTP POST. It can also stop firewall-related processes to mask its malicious activities.


    Trend Micro™ Smart Protection Network™ already protects users from this attack by detecting and blocking the spammed messages, access to the malicious sites, and the download of the malicious file.

    As an additional precaution, however, users are advised to be wary of clicking links in suspicious-looking messages, particularly those that come from unknown senders.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice