The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.

HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code. Notice the highlighted parts where it calls the MIDI and JavaScript components:

Meanwhile, as the routines stated above happens in the background, the affected users remains unsuspecting and sees the following:

Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here. It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.

On the other hand, Trend Micro customers are already protected from this by the Trend Micro™ Smart Protection Network™, which blocks the related malicious files and URLs.

We will update this blog entry once more information is available.

Update as of January 26, 2012, 7:50 a.m. (PST)

Trend Micro Deep Security shields this vulnerability using the specified rules. For more information on the Deep Security rules, users can visit our vulnerability page here.

Trend Micro Deep Security customers are protected by the rule 1004899 – Microsoft Windows Media Player MIDI Remote Code Execution Vulnerability (CVE-2012-0003). This rule prevents download of MIDI files, containing bad records, which could allow an attacker to execute arbitrary code if the user opens a link to a midi file or visits a page with embedded MIDI file.

Update as of January 27, 2012, 2:55 a.m. (PST)

Upon further processing, we found that TROJ_DLOAD.QYUA uses two other components for its routines. It drops RTKT_MDIEXP.QYUA for its rootkit capabilities, and connects to a certain URL to download its main payload — BKDR_EAYLA.QYUA. Currently, we are analyzing this threat and we will update this blog post once analysis is complete.

Update as of January 27, 2012, 8:15 p.m. (PST)

Further analysis of BKDR_EAYLA.QYUA revealed that it is not a backdoor, but an info stealer which we now detect as TSPY_ONLING.KREA. This particular malware steals credentials related to certain Korean online game sites. Once credentials are captured, they are sent to the attacker’s C&C.

Update as of January 30, 2012, 12:30 a.m. (PST)

Below is a behavior diagram on how this particular threat works.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Leveraging MIDI Remote Code Execution Vulnerability Found

As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

Targeted attacks are typically organized into campaigns. Such a campaign commences as a series of attacks against a variety of targets over time – and not isolated “smash and grab” attacks. While information about any particular incident may be less than complete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) to gain a broader understanding of a campaign.

The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.

A similar attack occurred in September 2011 that used a government medical benefits document as lure. This attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.

Another attack was reported in September 2009 that leveraged CVE-2009-3957 using information about a defense conference and the identity of a well-known think-tank as lure. In August 2009, there was another attack targeting government employees leveraging the theme of emergency management and the identity of the Federal Emergency Management Agency (FEMA) as lure. The same command and control (C&C) server used in this attack was also used in a 2008 attack.

Finally, an attack was reported in February 2007 that used malicious Microsoft Excel files (CVE-2007-0671) to drop malware that is functionally similar and most likely the predecessor of BKDR_SYKIPOT.B. The C&C server used in this attack was used in attacks dating back to 2006.

While the malware remained functionally similar over the years, there were also some changes. For example, early versions of the malware communicated with the C&C server in plaintext (HTTP), while the network traffic of later versions is encrypted (HTTPS).

We analyzed the DLL dropped by the 2007 and the 2011 version of the malware and they are similar. In addition to having the same URL format for communication with the C&C server the two DLLs also use the exact same encryption key. The 2008 samples contain some differences as the attackers added then later dropped some commands such as “findpass2000″ and “port2000″ that only work on Windows 2000.

All of the samples over the years contain a backdoor functionality that allows the attackers to have a remote shell on the compromised computers. While the old versions execute shell commands via cmd.exe, the new ones execute via the winexec API. This provides the attackers with full remote control of the victim.

The Sykipot campaign remains a high priority threat.

* With analysis from Jonell Baltazar.

Post from: TrendLabs | Malware Blog - by Trend Micro

The Sykipot Campaign

This .PDF exploit technique is similar to other commonly-used exploits. It contains a malicious JavaScript which executes a shellcode that decrypts and installs an embedded binary in the PDF. Below is the embedded binary, which is detected by Trend Micro as BKDR_SYKIPOT.B.

Trend Micro protects its customers from this attack via the Trend Micro™ Smart Protection Network™ infrastructure by blocking all related files and URLs.

Threat Discovery Appliance (TDA) is also able to detect traffic related to the malicious sites through TDA Rule 18 NCCP – 1.11525.00, while Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in provides protection through the following rules:

• 1004871 – Adobe Acrobat Reader U3D Component Memory Corruption Vulnerability (CVE-2011-2462)
• 1004873 – Adobe Acrobat Reader U3D Component Memory Corruption (CVE-2011-2462)

Users can remain informed by taking a look at the Adobe security advisories page for more information on this zero-day vulnerability.

Post from: TrendLabs | Malware Blog - by Trend Micro

Adobe Zero-day Vulnerability Installs Backdoor – Another Targeted Attack?

In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.

DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.

A variety of methods of monetizing the DNS Changer botnet is being used by criminals, including replacing advertisements on websites that are loaded by victims, hijacking of search results and pushing additional malware.

We at Trend Micro knew what party was most likely behind the DNS Changer botnet since 2006. We decided to hold certain data and knowledge we had from publication in order to allow the law enforcement agencies to take proper legal action against the cybercriminals behind it.

Now that the main perpetrators have been arrested and the botnet has been taken down, we can share some of the detailed intelligence we gathered in the last 5 years.

Rove Digital

The cybercrime group that was controlling every step from infection with Trojans to monetizing the infected bots was an Estonian company known as Rove Digital. Rove Digital is the mother company of many other companies like Esthost, Estdomains, Cernel, UkrTelegroup and many less well known shell companies.

Rove Digital is a seemingly legitimate IT company based in Tartu with an office where people work every morning. In reality, the Tartu office is steering millions of compromised hosts all over the world and making millions in ill-gained profits from the bots every year.

Esthost, a reseller of webhosting services, was in the news in the fall of 2008 when it went offline at the time its provider Atrivo in San Francisco was forced to go offline by actions of private parties. Around the same time a domain registrar company of Rove Digital, called Estdomains, lost its accreditation from ICANN because the owner, Vladimir Tsastsin, was convicted of credit card fraud in his home country, Estonia.

In 2008, it was widely known that Esthost had many criminal customers. Not publicly known was that Esthost and Rove Digital were heavily involved in committing cybercrime.

Trend Micro knew that Rove Digital was not only hosting Trojans, but was controlling C&C servers and the rogue DNS servers, as well as the infrastructure that monetized fraudulent clicks made by the DNS Changer botnet. Besides DNS Changers, Esthost and Rove Digital were also spreading FAKEAV and Trojan clickers, and it was involved in selling questionable pharmaceuticals and other cybercrimes we will not discuss in this blog posting.

The evidence we collected in the past years leaves no doubt of Esthost and Rove Digital’s direct involvement in cybercrime and fraud. Our suspicion started with simple but strong indications.

Cybercrime Activity Indicators

First, in 2006 we noticed that several C&C servers of the DNS Changer network were on subdomains of Esthost.com. (For example the foreign rogue DNS servers whose IP addresses were hardcoded in DNS Changer Trojans were hosted on dns1.esthost.com – dns52.esthost.com (52 domain names)).

A backend server that could update all rogue DNS servers at once was on dns-repos.esthost.com. A backend server for fake codec Trojans was on codecsys.esthost.com. Unless the esthost.com domain was hacked, only Esthost can add these very suggestive sub domains to their domain name. When the esthost.com domain went down, the C&C servers of Rove Digital started to use private domain names ending on .intra. We were able to download the complete zone file of .intra from one of the servers of Rove Digital in the US.

In 2009 we obtained a copy of the hard drives of two C&C servers that replaced advertisements on websites when loaded by DNS Changer victims. On the hard drives we found public SSH keys of several Rove Digital employees. These keys allowed the Rove Digital employees to log in on the C&C servers without password, but with their private key. From log files on the servers we were able to conclude that the C&C servers were controlled from Rove Digital’s office in Tartu.

Rove Digital had also been running a FAKEAV / rogue DNS affiliate program called Nelicash. We were able to download a schema of the infrastructure for the FAKEAV part. From a Nelicash C&C server we discovered data on victims who bought fake AV software.

 

From the same Nelicash C&C server we were also able to download a detailed planning of the deployment of new rogue DNS servers in 2010 and 2011. Every day, Rove Digital spread a new malware sample that changed systems’ DNS settings to a unique pair of foreign servers. We checked DNS Changer Trojans for a couple of days and we learned that these Trojans changed DNS settings of victims exactly according to their plan.

With that, we are very happy to report that a close collaboration between the FBI, Estonian police, Trend Micro and other industry partners resulted in a successful takedown of a dangerous botnet. Such a collaboration also led to the arrest of the bad actors responsible for the botnet, despite the fact that the takedown of Rove Digital was complicated and took a lot of effort.

Trend Micro successfully identified the C&C infrastructure of Rove Digital and backend infrastructure at an early stage and continued to monitor the C&C until November 8, 2011. Other industry partners did a tremendous job by making sure that the takedown of the botnet happened in a controlled way, with minimal inconvenience for the infected customers.

The following links relate to this entry:

• Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks
• Making a Million, Part Two—The Scale of the Threat
• A Cybercrime Hub

For more information, Rik Ferguson posted an entry on his CounterMeasures blog on ways to check if you’re a victim of the “Operation Ghost Click” criminal activity.

Update: Check out our recently released infographic comparing this and other recent takedowns to get an impression of just how big the impact of this development is. The large version may be found here.

With additional text by Paul Ferguson

Post from: TrendLabs | Malware Blog - by Trend Micro

Esthost Taken Down – Biggest Cybercriminal Takedown in History

The Microsoft Security Bulletin Summary for November 2011 tackles and addresses multiple vulnerabilities in Microsoft Windows. According to the notice, one of the bulletins is rated “critical”, while two are rated “important” and remaining one is rated “moderate.”

Majority of the bulletins apply to newer versions of Windows and require a reboot. The critical bulletin only affects Windows Vista, Windows 7, and Windows 2008 Server R2.

This Patch Tuesday gave a break to many IT administrators, however the real question on everyone’s mind is zero-day vulnerability related to DUQU. The vulnerability is exploited through a malicious Microsoft Word document. When opened, a zero-day kernel vulnerability is taken advantage of to execute malicious code. Microsoft did not release a patch in this cycle but has already issued a temporary fix for the exploit found here. The advisory provides a workaround by disabling the rendering of embedded TrueType fonts.

Additionally, Microsoft also raised their concern on the exploitability of MS11-083, giving it an Exploitability Index of “2″. They gave several scenarios wherein the vulnerability is exploited, and eventually used to achieve remote code execution.

Users are advised to immediately download and apply these patches as soon as possible. For more information regarding this month’s Patch Tuesday release, visit the Trend Micro security advisory page.

Post from: TrendLabs | Malware Blog - by Trend Micro

Light Patch Tuesday for November 2011

Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.

Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.

This new information allows us to have more educated theories of how the DUQU attack took place. Considering the usage of a Microsoft Word document, it is likely that this was initially deployed through email messages sent to employees in the targeted organization.This further verifies our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from targeted entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:

• DUQU Uses STUXNET-Like Techniques to Conduct Information Theft
• Anatomy of a Data Breach

We have created the proactive detections of TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. Also, the Threat Discovery Appliance (TDA) protects enterprise networks by detecting network activity and the malwares’ connection to the C&C server through the rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU, and 529 HTTP_Request_DUQU2.

Update as of November 3, 2011, 8:30 PM PST

Microsoft released a security advisory regarding the vulnerability used by DUQU.

The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.

We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible.

Post from: TrendLabs | Malware Blog - by Trend Micro

Zero-Day Exploit Used for DUQU

This is a technical analysis of a recently discovered vulnerability in one of the most-used web browser: Mozilla Firefox.

This Mozilla Firefox vulnerability was discussed by Charis Rohlf and Yan Lvnitskiy during their presentation, Attacking Clientside JIT Compilers at the Black Hat Conference in Las Vegas earlier this year.

This vulnerability, identified as CVE-2011-2371, lies in the Js3250.dll library and Js3250!array_reduceRight function in Mozilla Firefox, and affects versions earlier than 3.6.18, as well as versions 4.0 through 4.0.1. Two proofs-of-concept for this vulnerability were already disclosed publicly earlier this month by Matteo Memelli and metasploit.

We performed some analysis through reverse engineering and tested with the published proof of concept. Through this, we were successfully able to execute arbitrary remote code on Firefox 3.6.16.

Vulnerability Analysis

The following is a sample exploit code:

If the JavaScript shown above is loaded through the JIT engine by Firefox, the js3250!array_reduceRight function will be executed. It will call the js3250!array_extra function after setting ArrayExtraMode as 2.

Whenever any vulnerability is found, the first thing that always comes to mind is what we can do to protect users from threats that will make use of that vulnerability. For users, to default call for action during such circumstances is to check if they are affected by the vulnerability, and to patch their system.

However, security updates are not always available immediately. Also, for network administrators, patch management is at times difficult since it requires testing processes to make sure it won’t affect the network in an unfavorable way.

Using a security product that shields networks and systems from threats that leverage on vulnerabilities can help the networks and systems protected before the vulnerabilities are patched. For example, if a network administrator uses Trend Micro Deep Security, then he or she does not need to hurry to apply patch and save times until patch test has been finished.

For this specific vulnerability, users are advised to upgrade their Mozilla Firefox browser to the latest version, and to refrain from accessing untrusted links or opening emails from untrusted senders. Network administrators are also advised to maintain minimal system privilege for users.

Enterprises already using the Trend Micro Deep Security and IDF are already protected from exploits leveraging on this vulnerability, provided that they’ve applied virtual patch that includes the rule 1004722-Mozilla Firefox ‘Array.reduceRight()’ Remote Code Execution, which was released in July 2011.

Post from: TrendLabs | Malware Blog - by Trend Micro

Technical Analysis for Mozilla Firefox Array.reduceRight() Vulnerability

In this post, we will reorient readers on the infection chain of such an attack to help them understand why basic mitigation practices are still effective and can help them protect themselves from today’s threats.

In a typical spam campaign that involves malware, cybercriminals lure users through social engineering to perform several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.

Spam campaigns that use exploit kits, however, are a bit more dangerous since these only need to lure the users into clicking a malicious link for the rest of the infection to take place.

Below is an example of this type of spam supposedly from the National Automated Clearing House Association (NACHA). NACHA manages the ACH network, which facilitates bulk payment transactions involving businesses, governments, and consumers. Users who are more likely to receive email from NACHA conduct transactions related to payroll, government benefits, tax refunds, and others.

In the spam screenshot above, we can see that the link points to a dubious-looking domain that is not related to NACHA. A blank page is displayed when users click the link. This blank page is actually a gateway page that contains the following obfuscated JavaScript:

When decrypted, we can see that the script attempts to embed an iframe pointing to another malicious site, which uses the BlackHole Exploit Kit:

Once the iframe is loaded, content is also loaded from the BlackHole Exploit Kit site, which again contains a highly obfuscated script. Upon decoding the code, we can now see the actual code that searches for vulnerable software and uses the appropriate exploits.

The BlackHole Exploit Kit exploits vulnerabilities both in third-party applications like Adobe Acrobat and Flash Player and Java as well as in Windows components like Microsoft Data Access Components (MDAC) and Help and Support Center (HCP).

Multilayer Mitigation

As a reminder to users, here are some ways to prevent this kind of threat from affecting their systems:

• Be aware of social engineering attacks. The majority of online attacks today utilize social engineering before the malware can exhibit technical infection payloads. By being wary of what you do online, infections can already be mitigated from the onset. Simple common sense like not entertaining unsolicited email can go a long way in keeping your personal information safe online.
• Always check for malicious links. Check what URLs point to. It is also a good practice to copy and paste a URL onto your browser’s address bar instead of directly clicking links.
• Consider disabling JavaScript in your browser. As mentioned earlier, the gateway and the BlackHole Exploit Kit pages both used JavaScript. The same is true for a lot of threats today that use browsers to execute malicious payloads. As such, it is a good idea to consider disabling JavaScript in your browser and only allow it to do so in your trusted sites, if necessary.
• Always remember to patch. The BlackHole Exploit Kit utilizes exploits that affect old, unpatched versions of software. The persistence of such tools means that old exploits are still able to infect many users. No matter how inconvenient it may be, regularly patching your software is still an important mitigation step.

The state of the threat landscape and the overwhelming reliance of the general public on the Internet demand that users should stay aware of the kinds of threats found online as well as of ways to protect themselves by following advice. Knowing how attacks such as these work, users can gain advantage over attackers and be able to stop threats before these even reach their systems. A little self-education can ultimately make the Internet a better and safer place to be in.

More information on how cybercriminals utilize spam in malicious schemes can be found in our recently released security focus report, “Spam in Today’s Business World.”

Post from: TrendLabs | Malware Blog - by Trend Micro

A Refresher on Spam and Exploits

We were able to find spam that contain the text, “Steve Jobs Alive” or “Steve Jobs Not Dead.”

Subject: Creator of Steve Jobs of Apple’s Mac, iPod and iPad dies
Steve Jobs, died of cancer aged 56
The death of Steve Jobs left an orphan of most of his creations, the Apple, a company shaped in accordance with their technological dreams and now faces the challenge of surviving in the absence of its visionary leader.
More news portal in direct U.S. in Portuguese
[LINK]

All of the said messages came with a link that when clicked redirects users to a blank site. We were unable to continue our analysis at this point. In cases like this, however, a blank page is rarely ever truly blank and is often a sign that something else is happening in the background, away from the user’s view. For this particular attack, we found reports suggesting that the said site previously contained a script that loads the BlackHole Exploit kit.

We are currently monitoring all of the sites for any further development. Trend Micro product users are already protected from this threat, as the spam and the URLs are already being blocked with the aid of the Trend Micro™ Smart Protection Network™.

Based on Smart Protection Network spam data for the first half of 2011, the volume of traditional spam has been decreasing though these are still being regularly used for malicious schemes. Attacks that involve spam heavily rely on social engineering techniques as well as more advanced methods that render IP blacklisting and content filtering insufficient. For more information on the state of spam and how Trend Micro protects product users from this type of threat, please check out our security focus report, “Spam in Today’s Business World.”

Post from: TrendLabs | Malware Blog - by Trend Micro

Steve Jobs Proclaimed Alive by Spam