All roads lead to TROJ_SMALL.FXD

We’ve received reports of a web threat toolkit similar to WebAttacker and MPack being hosted at a particular domain. This new toolkit utilizes a variety of exploits to download TROJ_SMALL.FXD into the affected system. We’ve checked several obfuscated PHP files contained within a directory behind this domain and so far, here’s what we have on this new threat:

Through IFRAME tags, a file called INDEX.PHP loads other web pages located in the same directory: Z-CS-AN.HTM, Z-JAVA1.PHP, Z-014-2.PHP, Z-CREATE-O.PHP, Z-014-1.PHP, and Z-PNG-OV.PHP.

Z-CS-AN.HTM is an HTML file that loads FILE.JPG (also located in the same directory) as an animated cursor. Through FILE.JPG, it exploits the animated cursor vulnerability in Windows, similar to ANICMOO. FILE.JPG is already detected by Trend as EXPL_ANICMOO.GEN. Further inspection of the file reveals a download location, and the executable file retrieved from this location (FILE.EXE) is actually a Trojan downloader that is detected by Trend as TROJ_SMALL.FXD.

Z-JAVA1.PHP makes use of a .JAR file that contains malicious Java classes compiled as web page applets. These applets are detected by Trend as JAVA_BYTEVER. It exploits the ByteVerifier vulnerability in unpatched versions of the Microsoft (MS) Java Virtual Machine, which could allow a file to be downloaded and executed without the user’s knowledge. Through the use of this exploit, TROJ_SMALL.FXD is downloaded.

Z-014-2.PHP, Z-CREATE-O.PHP and Z-014-1.PHP contain obfuscated JavaScript and VBScript code. All of them have similar functionality, which is to download and execute TROJ_SMALL.FXD. These three PHP files differ in the method they use to download the malware and in how they rename its file once it is successfully downloaded onto the affected system.

Z-PNG-OV.PHP exploits the vulnerability described in MS06-024 using the PNG file residing in the same directory. This remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images. Through the use of this exploit, TROJ_SMALL.FXD is downloaded.
In summary, this particular web threat toolkit makes sure that TROJ_SMALL.FXD is downloaded regardless of the method or exploit used. Most of the vulnerabilities exploited are nothing new, so be sure to patch your systems as a security measure. These will be the respective detections for each file:

  • index.php as JS_PSYME.APS
  • z-014-1.php as JS_PSYME.AQR
  • z-014-2.php as JS_PSYME.AQD
  • z-create-o.php as JS_PSYME.AQM
  • z-cs-an.php as HTML_DLOADER.NHY
  • z-java1.php as JS_PSYME.AQN
  • z-png-ov.php as JS_AGENT.UNW
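As an added illustration (not code from this post or from Trend Micro), the Python below performs two checks a defender can run on a kit laid out like the one described: it lists the sibling resources an INDEX page pulls in through IFRAME tags, and it compares each fetched "image" file's extension against its real magic bytes, which is how a FILE.JPG that is actually an animated cursor (a RIFF container with form type ACON) stands out. The file names are taken from the post; the page and file contents are constructed stand-ins.

```python
from html.parser import HTMLParser

# Well-known magic bytes; identify a file by content, not by the name it was served under.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}

class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a page (HTMLParser lower-cases names)."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources += [v.strip() for k, v in attrs if k == "src" and v]

def iframe_sources(html):
    """Return the IFRAME targets of a page, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return parser.sources

def sniff_type(data):
    """Real container type from the leading bytes: 'ani', 'png', 'jpg' or 'unknown'."""
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":  # RIFF form type ACON = animated cursor
        return "ani"
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension_mismatches(files):
    """Flag files whose extension claims an image but whose content is something else."""
    findings = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in ("jpg", "jpeg", "png"):
            claimed = "png" if ext == "png" else "jpg"
            actual = sniff_type(data)
            if actual != claimed:
                findings.append((name, claimed, actual))
    return findings

# Constructed sample input (not captured from the toolkit): an index page pulling six sibling
# pages through 1x1 IFRAMEs, plus a "FILE.JPG" whose bytes are a RIFF/ACON cursor header.
PAGES = ["Z-CS-AN.HTM", "Z-JAVA1.PHP", "Z-014-2.PHP", "Z-CREATE-O.PHP", "Z-014-1.PHP", "Z-PNG-OV.PHP"]
SAMPLE_INDEX = "<html><body>" + "".join(f'<iframe src="{p}" width=1 height=1></iframe>' for p in PAGES) + "</body></html>"
SAMPLE_FILES = {
    "FILE.JPG": b"RIFF" + (40).to_bytes(4, "little") + b"ACONanih" + b"\x00" * 36,
    "real.png": MAGIC["png"] + b"\x00" * 16,
}
REPORT = {"iframes": iframe_sources(SAMPLE_INDEX), "mismatches": extension_mismatches(SAMPLE_FILES)}
```

REPORT lists the six IFRAME targets and flags FILE.JPG as claimed "jpg" but actually "ani"; real.png passes.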









    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice