    Archive for May, 2010




    A new exploit has been found targeting the Japanese word processor Ichitaro. JP-RTL engineers have received a sample Ichitaro document that exploits a previously unknown vulnerability, which Japan Vulnerability Notes has published as JVNDB-2010-000024. If exploited, arbitrary code could be run on users’ systems.

    The file that exploits this new vulnerability has been detected as TROJ_TARODROP.XZ. This malicious Ichitaro document actually contains two files, which are both dropped and opened on the affected system—a malicious executable file detected as TROJ_TARO.XZ and a nonmalicious document.

    TROJ_TARO.XZ primarily serves as a means for malicious users to download malicious files onto the affected system. At this time, the downloaded file does not execute on user systems. However, this file could easily be replaced by a working malicious file at a later date.

    JustSystems, Ichitaro’s publisher, has released a patch to remedy this flaw. (An English-language version of the patch page can be found here.) Until users can patch their systems, Trend Micro advises them to be cautious in opening Ichitaro documents, especially those that come from unknown or untrustworthy sources. More TROJ_TARODROP variants are expected to be seen in the coming days, as cybercriminals rush to exploit this flaw.

    Trend Micro product users, however, need not fret as Smart Protection Network™ already protects them from this threat by detecting TROJ_TARODROP.XZ and TROJ_TARO.XZ as well as by preventing the files’ execution on their systems.




    Today is the last day of May and, for some people, the last day their Facebook accounts will be available online. Recent changes to Facebook’s privacy settings have been regarded as confusing and not readily apparent to users. Not even the latest update Facebook made on May 26, which attempted to address its long-running user privacy issues, was enough to reassure critics. The discontent—and even outrage for some users—eventually spurred a group of individuals to declare May 31 “Quit Facebook Day.”

    Privacy Issue: Facebook’s Privacy Policy Versus User Behavior

    Facebook is one of the newer and most active social networks today. Its openness to third-party development and widget features from the get-go was one of its major innovations, and it shaped how people view social networking today—a more fun and interactive online community. It took some of the best ideas from various existing sites and seamlessly integrated them.

    However, to become the widely connected social network that it is today, Facebook had to compromise the privacy of a lot of the data that users post and share on the site. While this may provide a good way for users to be more “social” on the site, it is also the major issue that is pushing a large number of users to cancel their accounts.

    Perhaps the question is not limited to “Should users quit Facebook?” but “Should users quit social networking altogether?” Compared with the social networks that came before it, Facebook has done a whole lot better than most of those pioneer sites. In terms of the data they exposed, those sites were even less protected then than they are now.

    Another aspect of this privacy issue is how users tend to behave online. With or without Facebook, unenlightened users will make a mistake and divulge private information no matter what social network you drop them into.

    As senior threat researcher Alice Decker puts it, “There is no reason to assume that people don’t know what they are doing. I have never heard anybody say that they actually don’t want to share their private information.”

    Antivirus engineer Joseph Cepe adds, “Users who sign up for an account have every intention to connect and reach out to others. Setting up a secure account is probably the least of a new user’s priorities.”

    If you don’t want it out there, don’t share it.

    TrendLabsSM research engineer Jayronn Bucu notes that creating an account on a social networking site comes with the intention of sharing information via the Internet. “Facebook carries the vision of creating a more open place. If there are no threats… then we could freely connect and share. However, that’s not how things roll.”

    As we all know, the proliferation of online threats such as the KOOBFACE malware is another well-known Facebook issue that threatens the privacy of user information within the network. The TrendLabs Malware Blog has discussed this threat in the following posts:

    At the end of the day, keeping personal information private is still the user’s responsibility. If you don’t want it out there, don’t share it. Your real friends online should also be aware of your decision and respect it, otherwise they aren’t your friends after all. Perhaps the better question one should consider is, “Is it time to de-friend your social network’s weakest link?”




    Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

    TrendLabsSM engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which was previously associated more with spamming but has now become a social engineering tactic.


    This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains an .XLS file. Upon extraction to the desktop, the supposed .XLS file looks like an authentic MS Excel document. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which allows threads to be injected into the legitimate svchost.exe process.

    While the file may appear at first to be an Excel worksheet, it possesses a Win32 binary header, which only executable files have. Its real file name (minus the Chinese characters) is phone&mail).[U+202E]slx.scr, wherein U+202E is the Unicode control character that tells the system to render the succeeding characters from right to left. Thus, to the user, the file will appear to be named phone&mail).xls.scr. This could lead them to believe that the file is indeed an Excel file and thus “safe” to open, when in reality it is an executable .SCR file.

    This technique also uses other file names for the same purpose, such as BACKS[U+202E]FWS.BAT and I-LOVE-YOU-XOX[U+202E]TXT.EXE, which are rendered as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT instead. In the former case, a batch file is disguised as an Adobe Flash file; in the latter, an executable file is disguised as a text file.
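    The following Python script is an added example (not code from the original post or from Trend Micro) that shows how a defender can flag file names carrying the RLO trick described above: it approximates how a file manager would render the name, recovers the extension the OS will actually honor, and reports any mismatch. It only handles the Latin-only names used in the post; the rendering function is a simplification of the Unicode bidi algorithm, and the sample names are constructed from the ones the post describes.

```python
# Unicode bidirectional control characters that can disguise a file name.
# U+202E (RLO) is the one the SASFIS samples use; the others are included
# because they can be abused the same way.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}


def displayed_name(name: str) -> str:
    """Approximate how a file manager renders NAME: text after an RLO
    (U+202E) is shown right-to-left until a PDF (U+202C) or end of string.
    Simplified bidi handling, adequate for Latin-only names."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = name.find("\u202c", i + 1)
            j = len(name) if j == -1 else j
            out.append(name[i + 1:j][::-1])   # overridden run appears reversed
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1                            # invisible, never drawn
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name: str) -> str:
    """Extension the OS actually uses: controls stripped, case folded."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def inspect_name(name: str) -> dict:
    """Flag a name containing bidi controls and compare shown vs. real extension."""
    shown = displayed_name(name)
    shown_ext = shown[shown.rfind("."):].lower() if "." in shown else ""
    return {
        "suspicious": any(ch in BIDI_CONTROLS for ch in name),
        "displayed": shown,
        "real_ext": real_extension(name),
        "extension_mismatch": shown_ext != real_extension(name),
    }


if __name__ == "__main__":
    # Constructed samples modelled on the names described in the post.
    for n in ("BACKS\u202eFWS.BAT", "I-LOVE-YOU-XOX\u202eTXT.EXE", "report.xls"):
        print(inspect_name(n))
```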


    Users can, however, prevent this attack from affecting their systems by employing the usual best practices—not opening suspicious-looking email messages and not downloading and executing attachments.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching their inboxes via the email reputation service. Trend Micro products also detect and delete the malicious files TROJ_SASFIS.HBC and BKDR_SASFIS.AC from affected systems via the file reputation service.

    Update as of June 2, 2010, 12:30 a.m. (GMT – 7:00)

    In related news, JPCERT/CC has issued an alert warning users in Japan that spam messages with a malicious attachment are now using this very tactic. (A translation of the alert into English can be found here.) Trend Micro detects this malicious attachment as TROJ_UNDEF.QC.




    TrendLabsSM handled a client case last March wherein two peculiar malware leveraged a Windows service—Windows Management Instrumentation (WMI)—to execute their malicious routines.

    WMI lets users access and retrieve information about their operating systems. It is particularly useful for administrators, especially in enterprise environments, as it allows applications on networked systems to be managed from scripts written in any of several languages. It can be considered a database that contains information on anything and everything related to a system’s OS and its users.


    As WMI holds a huge amount of data, cybercriminals find it an attractive target for their malicious creations. They can, for instance, introduce specialized pragma statements into the service to make affected systems do their bidding, such as:

    • Mine sensitive information that can only be accessed by the said service
    • Elevate a malicious user’s system privilege to spy on and probe the affected system and other systems connected to the same network
    • Embed malicious scripts into target services

    In this particular attack, TROJ_WMIGHOST.A, a WMI script, arrives on a system bundled with BKDR_HTTBOT.EA, a DLL malware. The malicious script opens two Internet browser windows. The first window allows BKDR_HTTBOT.EA to execute via ActiveX content. The second window allows the backdoor to post Office files (e.g., Word, PowerPoint, or Excel) to a remote site and to execute other malicious scripts from the Ghost IP. These backdoor routines put users at risk of losing pertinent data.

    This is, however, not the first time WMI has been used for malicious purposes. At “Kiwicon 2008,” a security consultant introduced “The Moth,” a proof-of-concept (POC) Trojan that uses the service to deploy malicious code capable of performing the following routines:

    • Dropping and executing other potentially malicious files onto the host system or onto removable drives
    • Hiding malicious codes
    • Relaunching an existing rootkit after having been found and removed

    Users need not worry, however, about being victimized by such an attack, as downloading this tool rids affected systems of TROJ_WMIGHOST.A. Trend Micro products, via the Smart Protection Network™, also rid affected systems of BKDR_HTTBOT.EA.

    Update as of July 23, 2010 3:20 a.m. UTC

    Read more information about this malware technique through our research paper, Understanding WMI Malware.




    The upcoming “2010 FIFA World Cup” in South Africa is one of the most highly anticipated events in sports history today. As expected, cybercriminals have been using this event as another means for their endless string of profiteering schemes.

    TrendLabsSM engineers discovered two separate spam runs leveraging the said event. The first spam sample (see Figure 1) had a .DOC file attachment that informs recipients of a supposed new contest called “Final Draw” organized in part by the FIFA Organizing Committee. It also tells the recipient of a US$550,000 prize. To claim this, however, the “winner” must immediately coordinate with the releasing agent via the contact information indicated in the email. The email also asks the recipient to give out personal information.


    Another sample (see Figure 2) related to this scam is a poorly written email with an equally poorly worded letter attachment in PDF. This asks recipients to divulge specific information in relation to a fund transfer transaction amounting to a whopping US$10.5 million. Upon agreeing to the proposal, the recipient should supposedly get 30 percent of the said amount.

    Note that this tactic is reminiscent of the infamous 419 or Nigerian scam, which persuades users to send cash by promising them a large amount of money in return for their cooperation.


    A typical 419 or Nigerian scam is a type of fraud wherein victims are promised a sum of money such as lottery prizes, inheritances, etc. in exchange for something minor like giving out information or a small donation via spam (see Figure 3). The letter starts off by (1) introducing the sender from a supposedly reputable organization. It then implores help from the email recipient. The FIFA-themed spam we obtained (see Figure 4) uses the same technique—(2) promising the recipient a sum of money.

    Neither scam directly asks for cash. Instead, they request information or ask the recipients to (3) coordinate with a fake contact, accompanied by a (4) call to action to send in their contact details. Simply put, the cybercriminals behind these scams are malicious users that use the Internet to commit crimes such as identity theft, spamming, phishing, and other types of fraud. In fact, FIFA sternly warned fans of similar online scams such as those featured in the following blog posts:

    Trend Micro is committed to always being a step ahead of internal and external threats to digital information and reputation. As such, Trend Micro™ Smart Protection Network™ protects product users from this kind of attack by blocking the spammed messages even before they reach inboxes via the email reputation service.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice