Trend Micro Malware Blog

    Archive for October, 2010




    Zero-Day Vulnerability

This week is turning out to be a busy one for zero-day exploits. Days after such a bug was found in Firefox, it’s Adobe’s turn to have its products under the gun.

According to the official Adobe security advisory, both the Flash Player and Acrobat/Reader product lines are confirmed vulnerable to this latest problem. All current Flash Player versions are affected, regardless of platform. Acrobat and Reader are affected in all released 9.x versions; the older 8.x versions are not, and neither is Reader for Android. Adobe states that attacks against Acrobat and Reader have been seen in the wild, but that no exploits have (so far) been found targeting Flash Player directly.

If exploited, the vulnerability can crash the affected application and potentially allows arbitrary code execution. Details of this flaw have not yet been released, but it appears very similar to the June zero-day. As in June, the vulnerable component lies in Flash; Acrobat and Reader are affected because they ship what is, in effect, an embedded Flash Player in the file authplay.dll.

For Acrobat and Reader, Adobe’s official advice is to remove the vulnerable component, authplay.dll; instructions are on the Adobe page linked above. Bear in mind that once the file is removed, Flash content embedded in PDF files will no longer play. For Flash Player in the browser, mitigation is currently practical only in Firefox, where extensions such as Flashblock and NoScript let users choose which Flash files to load, protecting them from this flaw.

    Official fixes are due by November 9 for Flash and by November 15 for Acrobat and Reader.

    Update as of October 29, 2010 7:21 PM UTC

    Trend Micro offers protection for this flaw for enterprise users of Deep Security and OfficeScan via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule number 1004113.

    Update as of November 1, 2010 12:48 PM UTC

    Trend Micro detects the zero-day exploit as TROJ_PIDIEF.SMQA.

TROJ_PIDIEF.SMQA drops a file detected as TROJ_WISP.SMA, which in turn connects to certain URLs to download more malicious files. These URLs are, however, inaccessible as of this writing.

     



Last September, several individuals were arrested for using information-stealing Trojans created with the well-known ZeuS toolkit. Following this, security researchers anticipated the inevitable “upgrade” to the toolkit and its Trojans that would let cybercriminals continue their money-making ploy. Soon enough, we received reports on a ZeuS Trojan, detected by Trend Micro as TSPY_ZBOT.BYZ, with the following new features:

1. Infecting .EXE files (turning them into PE_LICAT.A) to keep the malware updated and make it more difficult to remove
2. Contacting pseudorandomly generated domains, à la DOWNAD/Conficker, to avoid easy takedown

    Over the past few weeks, we have been working on completing a comprehensive report on this new ZeuS upgrade. This includes an analysis of its runtime decompression/deobfuscation stub, a decryption of the configuration file it used for its information-stealing payload, an identification of the command-and-control (C&C) servers it used, and an in-depth study of the above-mentioned file infection and domain generation algorithm (DGA).
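To make the second feature concrete, here is a small, generic date-seeded domain generation algorithm together with the two things a defender does with one once it has been recovered from a sample: precomputing the names the bot will try over a coming window, and matching hostnames seen in DNS or proxy logs against that list. This is an added example written for this post; it is not the LICAT/ZBOT algorithm described in the report, and its seed, label lengths, TLD list and count per day are invented for illustration.

```python
import hashlib
from datetime import date, timedelta

# Illustrative parameters, invented for this example; the real LICAT values
# are in the Trend Micro report, not here.
SEED = b"example-dga-seed"
TLDS = ("com", "net", "biz", "org")
DOMAINS_PER_DAY = 32

# Two sample days used by the demo below (constructed, not from a sample).
DEMO_DAY = date(2010, 10, 29)
DEMO_NEXT_DAY = date(2010, 10, 30)


def generate_domains(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Derive the candidate C&C domain list for one calendar day.

    The only inputs are the date, a fixed seed and a counter, so every bot
    computes the same list without contacting any server, and so does anyone
    who has recovered the seed and algorithm from a sample. Taking down the
    domain in use today does nothing about tomorrow's list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 8                      # 8..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_window(start, days, count=DOMAINS_PER_DAY, seed=SEED):
    """Pre-compute every domain the bot could try over the next `days` days.

    This is the defender's side of a recovered DGA: sinkhole or block the
    future names before the operator registers them.
    """
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset), count, seed))
    return sorted(names)


def matches_dga(hostname, day, grace_days=1, count=DOMAINS_PER_DAY, seed=SEED):
    """True if a hostname from DNS/proxy logs is on the list for `day` or the
    surrounding `grace_days` (infected hosts do not all agree on the date)."""
    start = day - timedelta(days=grace_days)
    window = blocklist_for_window(start, 2 * grace_days + 1, count, seed)
    return hostname.lower() in window


if __name__ == "__main__":
    todays = generate_domains(DEMO_DAY)
    print("first three candidates for", DEMO_DAY, todays[:3])
    print(len(blocklist_for_window(DEMO_DAY, 7)), "names to block this week")
    print(matches_dga(todays[5], DEMO_DAY), matches_dga("www.trendmicro.com", DEMO_DAY))
```

The grace window in matches_dga matters in practice: bots on machines with a skewed clock will query yesterday's or tomorrow's names, and a blocklist built for a single day will miss them.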

    Earlier this week, reports on the supposed SpyEye and ZeuS toolkit merger came out. The result of this merger may be a hybrid toolkit that uses the best features of both SpyEye and ZeuS.

    The full analysis in the report, “File-Patching ZBOT Variants: ZeuS 2.0 Levels Up,” is the result of the collaborative effort of TrendLabs engineers/researchers Alvin Bacani, Mark Anthony Balanza, Feike Hacquebord, Marco Dela Vega, Julius Dizon, Patrick Estavillo, Jasper Manuel, Loucif Kharouni, David Sancho, Ben April, Kevin Stevens, Ryan Flores, Ivan Macalintal, and Robert McArdle.

    We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:

     



    During a recent analysis of a particular malware sample, we came across the author’s online nickname. After some digging, we found a link to the location where the author advertised his malware and allowed others to freely download its source code.


    The blurbs in the said site promote some of the malware’s features such as the fact that it works in Windows XP, Vista, and 7 and that it can capture screenshots. It also lists the banks and browsers from which the malware can steal information.

    Eight days after we saw the page, the same person came out with a new version of his malware, which he called Version 2.0. To this, he added a new target (a credit score firm) and the ability to terminate two security programs.


     



    Zero-Day Vulnerability

A major website that has been compromised and is serving malware is bad news in itself. When the attack also uses a previously unknown and unpatched zero-day vulnerability, the problem is worse.

The official website of the Nobel Peace Prize was compromised and used to serve an exploit for a zero-day vulnerability in Mozilla Firefox. On its blog, Mozilla has acknowledged the vulnerability and said it will issue a patch as soon as the fix has been tested. The exploit results in a drive-by download: a malicious file is downloaded and run without any prompt to the user.

The Nobel Peace Prize site appears to have been compromised with a malicious script that Trend Micro detects as JS_NINDYA.A. However, for one reason or another, the cybercriminal behind this attack chose to limit the exploit’s reach: using the request headers sent by the browser, the exploit checks both the Firefox version and the operating system before firing.

According to Mozilla, the underlying flaw is present in both Firefox 3.5 and 3.6, but JS_NINDYA.A only targeted recent 3.6 builds. Likewise, on newer versions of Windows (Vista, Windows 7, Server 2008, and Server 2008 R2) the exploit is not triggered. Note that being outside this attack’s target set is not the same as being safe: other sites serving the same exploit need not apply these checks.

The exploit downloads a backdoor Trend Micro detects as BKDR_NINDYA.A onto infected systems. The backdoor connects to a remote server from which the cybercriminal sends commands to infected systems, including shutting the system down and deleting all of its files. Saying this may cause problems would be an understatement.
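The version and OS gating described above is worth reproducing on the defender’s side, both to fetch the landing page from a sandbox with a User-Agent the gate accepts and to sort the User-Agents in proxy logs into clients the exploit would have fired on, clients that are vulnerable but were skipped by this particular gate, and clients that are not vulnerable at all. The following is an added example written for this post, not the attacker’s script or Trend Micro code; the User-Agent strings are constructed, and since the post does not give the minimum 3.6 patch level that was targeted, the example treats every 3.6.x build as targeted (an assumption).

```python
import re

# User-Agent strings constructed for this example (not captured from the
# Nobel Peace Prize attack), one per client configuration of interest.
SAMPLE_USER_AGENTS = {
    "xp_ff36":    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11",
    "win7_ff36":  "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11",
    "xp_ff35":    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.14) Gecko/20100914 Firefox/3.5.14",
    "xp_ff4beta": "Mozilla/5.0 (Windows NT 5.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7",
    "linux_ff36": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101013 Firefox/3.6.11",
}

FIREFOX_RE = re.compile(r"Firefox/(\d+)\.(\d+)(?:\.(\d+))?")
WINDOWS_RE = re.compile(r"Windows NT (\d+)\.(\d+)")

# Vista and Server 2008 identify as "Windows NT 6.0", Windows 7 and Server
# 2008 R2 as "Windows NT 6.1"; anything below 6.0 is XP, Server 2003 or older.
FIRST_SKIPPED_WINDOWS = (6, 0)


def parse_user_agent(ua):
    """Return (firefox_version, windows_nt_version) tuples; None when absent."""
    ff = FIREFOX_RE.search(ua)
    win = WINDOWS_RE.search(ua)
    firefox = tuple(int(x) for x in ff.groups(default="0")) if ff else None
    windows = tuple(int(x) for x in win.groups()) if win else None
    return firefox, windows


def is_vulnerable_firefox(firefox):
    """Per Mozilla, the flaw is present in the 3.5 and 3.6 series."""
    return firefox is not None and firefox[:2] in ((3, 5), (3, 6))


def classify(ua):
    """Classify a client the way the landing page's gate would.

    'targeted'               : the gate lets the exploit run
    'vulnerable-but-skipped' : Firefox is exploitable, but this gate does not fire
    'not-vulnerable'         : not a 3.5/3.6 Firefox build
    """
    firefox, windows = parse_user_agent(ua)
    if not is_vulnerable_firefox(firefox):
        return "not-vulnerable"
    # Assumption: every 3.6.x build counts as "recent"; the post gives no
    # minimum patch level.
    on_old_windows = windows is not None and windows < FIRST_SKIPPED_WINDOWS
    if firefox[:2] == (3, 6) and on_old_windows:
        return "targeted"
    return "vulnerable-but-skipped"


def exposure_report(user_agents):
    """Count clients per class, e.g. over User-Agents pulled from proxy logs."""
    counts = {"targeted": 0, "vulnerable-but-skipped": 0, "not-vulnerable": 0}
    for ua in user_agents:
        counts[classify(ua)] += 1
    return counts


if __name__ == "__main__":
    for name, ua in SAMPLE_USER_AGENTS.items():
        print(f"{name:11s} {classify(ua)}")
    print(exposure_report(SAMPLE_USER_AGENTS.values()))
```

The "vulnerable-but-skipped" bucket is the one to act on: those clients were spared by this operator’s choice, not by any protection, and the same exploit served from another site without the gate would hit them.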

    We detect both the script and the payload used in these attacks, as noted above. We also block the URLs that the backdoor uses in case this attack is used on other sites. As for the Firefox vulnerability, the latest Firefox 4 beta versions have been confirmed to be safe from this attack. Mozilla also recommends that users install the NoScript extension to mitigate future attacks until a patch has been issued.

    Update as of October 27, 2010, 3:56 p.m. (UTC)

    Upon checking, we found out that the Nobel Peace Prize site has been cleaned.

     



    Previously, we discussed the “Here You Have” mail attack and the associated malware, WORM_MEYLME.B. Today, let’s look into the backdoor payload, BKDR_BIFROSE.SMU.

The “Here You Have” Payload: A Powerful Backdoor

Not all backdoor applications are created equal, and the cybercriminals behind WORM_MEYLME.B appear to have chosen a BIFROSE backdoor deliberately. In our simulated environment, we saw that an attacker can use a BIFROSE variant to transfer files to and from an infected system, delete files, terminate processes, and steal sensitive information such as the computer name; lists of active users, processes, and windows; and serial keys, among others. It can also read and modify the registry, log and retrieve keystrokes, open a remote shell and run any command the infected user’s shell offers, and routinely capture and retrieve screenshots of the affected user’s desktop.

BIFROSE commands (screenshot)

The WORM_MEYLME authors used the downloaded backdoor to do most of the dirty work. Upon execution, the backdoor connects to its command-and-control (C&C) server at {BLOCKED}inziad.no-up.biz. Once connected, the attackers can retrieve the passwords stolen earlier. That is only for starters, however: with the full BIFROSE feature set at hand, an attacker can cause serious damage.

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice