Microsoft has not confirmed independent reports. A spokesman said the company was still investigating the issue. Enterprise users are protected by Trend Micro products such as Deep Security and Intrusion Defense Firewall. Trend Micro has issued a security advisory with some more technical details on this vulnerability.

Other users are advised to block the ports used by the SMB protocol and await the official Microsoft response.

Update as of 11:01 P.M. While Microsoft has not confirmed these reports as of this writing, we have verified that Windows 7 is vulnerable.

Update as of November 14, 6:20 A.M. Microsoft has released a security advisory for this vulnerability. Accordingly, the said vulnerability can’t be used to install malicious files and to take control of one’s system. Although the exploit code has been published already, Microsoft said that it hasn’t received any reports of known attacks in the wild. As a workaround, Microsoft advises users to block TCP ports 139 and 445 at the firewall.

Post from: TrendLabs | Malware Blog - by Trend Micro

New SMB Zero-Day Exploit?

MS09-067 deals with eight security holes plaguing Microsoft Excel that when successfully exploited can allow remote code execution when users open a specially crafted .XLS file. Users are thus strongly advised to update their systems as soon as possible, as these vulnerabilities (especially those rated “critical”) can be used by cybercriminals to execute worms and drive-by download malware attacks on their systems.

Apart from Microsoft, Adobe also addressed a vulnerability found in Adobe Photoshop Elements 8.0 and 7.0. The said vulnerability can allow cybercriminals to execute commands on the affected system. Though no solution has yet been provided, Adobe issued a workaround that users must apply to avoid infection.

Apple also joined the patch bandwagon as it released its own set of patches to address 58 vulnerabilities affecting Mac OS X. When exploited, some of these security holes can give a malicious user full access to a system. The fixes deal with issues in opening downloaded files and problems with administrator authentication.

Everyone is vulnerable to threats lurking in the Web today. With that in mind, users are encouraged to apply these patches immediately.

Post from: TrendLabs | Malware Blog - by Trend Micro

November Patch Tuesday Addresses 15 Vulnerabilities

A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

In January of this year, a few security websites and media outlets reported a wave of detections of another DOWNAD variant.

This variant first sent exploit packets for a Microsoft Server Service Vulnerability to every machine on the network and to several randomly selected targets over the Internet. It then dropped a copy of itself in the Recycler folder of all available removable and network drives and created an obfuscated autorun.inf file on these drives so it can execute every time a user browsed a network folder or removable drive without actually clicking on the file. It then enumerated the available servers on the network and, using this information, gathered a list of user accounts on the machines.

Afterward, it ran a dictionary attack against these accounts using a predefined password list. If it succeeds, it dropped a copy of itself on the systems and used a scheduled task to execute the worm.

Improved Domain Generation Functionality

In March, the most hyped DOWNAD variant reared its ugly head. WORM_DOWNAD.KK’s additional features included an increased number of generated domains, from the 250 generated by earlier variants to 50,000.

While it only attempted to connect to around 500 randomly selected domains at a time, this modification was seen as an effort to increase the botnet’s chances of survival until it was set to unleash its enigmatic payload on April Fools’ Day.

DOWNAD Uses P2P

April 1 came and went. No signs of the DOWNAD worm were seen until a week after. Threat researchers keeping an eye out for new DOWNAD-related activities saw a new file—the newest worm variant—in infected systems’ Windows Temp folder created exactly on April 7, 2009 at 07:41:21. What was odd about this was that no HTTP download took place around that time though a huge encrypted TCP response from a known DOWNAD/Conficker peer-to-peer (P2P) IP node, which was hosted somewhere in Korea, was found.

This variant was set to stop running on May 3, 2009; ran using random file and service names; deleted dropped components afterward; propagated via an exploit to external IP addresses if the system had Internet access or to local IP addresses if it did not; opened port 5114 and served as an HTTP server by broadcasting via an SSDP request; and connected to sites such as MySpace, MSN, and eBay.

Infection Peaks

In a span of just four months (November 2008–February 2009), the DOWNAD infection count peaked, from initially infecting around 500,000 PCs to 9 million PCs. It certainly wreaked a lot of damage, taking advantage of exploits to spread malicious code as a social engineering ploy. DOWNAD was used to create a botnet that can be utilized for the usual range of threats that lurk in the Web—spamming, distributed denial of service (DDoS) attacks, and spreading FAKEAV. According to Trend Micro Advanced Threats Researcher Ryan Flores, “DOWNAD/Conficker opened the IT security industry’s eyes by exposing several truths and areas that IT professionals commonly overlook.”

Updated Patches Still Key

It has been a year since DOWNAD/Conficker first infected PCs. If we have learned anything from this experience, it should be that most worms spread by exploiting network-based vulnerabilities. That is why it is very important to secure connected devices, and keep them up-to-date with the latest patches.

Of course, this would be hard to do if you use pirated software. So using legitimate software copies is also key to keeping data and even your identity secure, especially in today’s worsening threat landscape.

Post from: TrendLabs | Malware Blog - by Trend Micro

DOWNAD/Conficker Turns 1yr

• Weather Report for Halloween: High Chances of a Storm
• “Halloween Costumes” Bring More Fright Than Expected

But just how scary is the Web 2.0 environment nowadays? Let us run down a list of the scariest threats thus far:

• 2009 saw the emergence or resurfacing of three of the most notorious botnets in relation to information, financial, and identity theft—Koobface, ZeuS, and Ilomo. Botnets control more compromised machines than previously believed. Only a handful of cybercriminals have more than 100 million computers under their control. This means they have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90% of all email worldwide is now spam.

Koobface is most known for preying on social networking and micro-blogging site users. It has transcended from its original design of taking over accounts to spread malicious links using the affected users’ credentials to spreading a FAKEAV or its variant to users who just happen to visit a compromised site or to click anywhere on a malicious page where a copy of the malware is hosted.ZeuS/ZBOT

The ZeuS botnet, on the other hand, is best known for ebanking attacks targeting small businesses that do not have full-time IT staff and only 1–2 payroll personnel. It was first introduced by Rock Phishers this April, paving the way for the rise of easy-to-use kits that yielded professional-looking phishing pages. Its latest components, also known as “ZBOT variants,” now come compressed in more and more complex packers.

Ilomo, the third most dangerous botnet, Ilomo, also known as “CLAMPI” or “LOMOL,” is known for injecting code into an affected user’s browser to wait for him/her to connect to one of over 4,000 banking, financial, or Web mail sites so it can steal his/her credentials. It can, however, also “piggyback” on the user’s session to transfer funds from his/her account to a remote one while making a mockery of the bank’s secure login system. The botnet also sells “anonymity as a service” as every infected machine can act as a proxy, allowing cybercriminals to route their illegal activities through different networks and countries, thereby evading detection.

• Tricking users into downloading FAKEAV has been an age-old cybercriminal tactic that apparently has not stopped working. Hence the continuous rise in the number of FAKEAV pushed to unwitting scam victims up to this day. Trend Micro estimates that more than 100,000 users receive messages saying they have been infected by malware while visiting malicious sites and that there are more than 48,000 FAKEAV offerings per month.Apart from its ability to rake in a lot of dough, it is also hard to detect due to its numerous domains and redirectors, giving security experts a hard time tracking all related activities down. FAKEAV will thus continue to plague users for a long time because its ploy works.

• In June 2009, Microsoft broke its December 2008 record of releasing patches for 28 vulnerabilities with the release of 10 security advisories to address 31 vulnerabilities in its OSs and other software.
  Unpatched vulnerabilities can allow cybercriminals to exploit users’ systems. For instance, unpatched vulnerabilities in a system’s browser can allow cybercriminals to run arbitrary code if the user happens to browse through a malicious website, leaving him/her at the mercy of online predators.Microsoft was not alone in this predicament though. Adobe and Firefox have had their share of exploited vulnerabilities as well.

Why do more and more people join the cybercriminal bandwagon? The answer is plain and simple, because there is a lot of money to be made in infecting users. FAKEAV, for instance, sell for an average price of US$50 each. Just imagine how much money cybercriminals can make even if they just sell to a fraction of their target user base!  Our threat research papers provide detailed information of such cybercrime activity, if you’re interested, you can read them here.

And if that isn’t scary enough, Trend Micro’s threat researchers found that the going rates for stolen data (credit card information and user credentials) and for infecting users’ systems continue to rise each year. Cybercriminals never seem to run out of tricks to spread threats to users throughout the Web. No wonder U.S. President Obama officially announced October as the “National Cyber Security Awareness Month!”

Post from: TrendLabs | Malware Blog - by Trend Micro

Trick or Threat?

Trend Micro Senior Threat Researcher David Sancho had this to say about the new OS:

Microsoft has been improving the security of its OS that is why there are fewer network vulnerabilities every time. Having said that though, security cannot be taken for granted and there’s always room for improvement. The Web is today the biggest infection vector therefore hardening the OS needs to be complemented with strengthening the browser and applications used to visualize Web pages (such as Adobe Acrobat, Flash, etc.).

Now, users may wonder if their Trend Micro products will work with Windows 7. The answer is yes. Programs such as Trend Micro Internet Security will work just as well in Windows 7 as in previous versions like XP and Vista. Whether users upgrade or stick with their current OS, they can continue to rely on their existing Trend Micro software. Even HouseCall, our free online scanner, will run under Windows 7.

Post from: TrendLabs | Malware Blog - by Trend Micro

Windows 7? No Problem for Trend Micro Users

Well, sorry, obviously we are not going to give that sort of information out publicly—we’d need to be crazy to do something like that.

On the other hand, if you want a heads up on Microsoft’s upcoming Windows 8 and Windows 9 OSs (128-bit, apparently) just wander over to the LinkedIn social networking site.

PC Pro has published a short piece on how a certain key Microsoft employee’s LinkedIn profile described his job as:

Working in high-security department for research and development involving strategic planning for medium- and long-term projects. Research and development projects, including 128-bit architecture compatibility with the Windows 8 kernel and Windows 9 project plan. Forming relationships with major partners: Intel, AMD, HP, and IBM.

Ouch.

This is yet another example of very sensitive company data being accidently posted on a social networking site, an all-too-common occurence. Social networking sites are also invaluable as sources of reconnaissance for hackers targeting a specific company, whether it’s an IT administrator on LinkedIn mentioning “managing checkpoint firewalls” in his job description or an employee tweeting that he/she is on his/her way to a “merger meeting with company X”—employees are quite often unaware of the sensitive information they are publicly disclosing.

Don’t get me wrong, I like social networks. I even have a LinkedIn profile of my own but I don’t put any data there that people would not already know.

If you are worried about this sort of data leak occuring in your own company, I’d fully recommend reading my colleague, David Sancho’s, paper “A Security Guide to Social Networks.”.

Perhaps Microsoft might like to print out a copy for all of its own employees.

Post from: TrendLabs | Malware Blog - by Trend Micro

Even Smart People Make Mistakes

Microsoft’s monthly patch cycle for September has come out, and it’s something of a mixed bag for users. While there were only 5 advisories, all of them were rated as Critical by Microsoft, because if exploited all five could be used to execute arbitrary code on user systems.

The patches fix vulnerabilities in the JScript Scripting Engine (MS09-045), the DHTML Editing Component ActiveX control (MS09-46), the Windows Media Format runtime (MS09-47), the TCP/IP stack (MS09-48), and the Wireless LAN AutoConfig service (MS09-49). The following Microsoft operating systems are covered by at least one of the said bulletins: Windows 2000, Windows XP, Server 2003, Server 2008, and Vista. The final versions of Windows 7 and Server 2008 R2 are not affected by any of these vulnerabilities.

The MS09-45 and -46 vulnerabilities could affect users that visit malicious/compromised Web sites; MS09-47 affects users who open specially crafted media files. Meanwhile, MS09-48 and -49 affects users who are directly sent malicious data. Microsoft has rated MS09-45 and -47 as 1 on their Exploitability Index, which indicates that they believe that exploit code can be consistently produced for these vulnerabilities by cybercriminals in the future.

However, Windows users are not out of the woods just yet. A separate vulnerability has been found in both Vista and Server 2008’s implementation of the Server Message Block (SMB) protocol, which is largely used to share files and printers. According to the official Microsoft bulletin, the vulnerability could be used to take complete control over affected systems, although to date the proof-of-concept code encountered can only crash and restart affected systems. Like the vulnerabilities patched during Patch Tuesday, final versions of both Windows 7 and Server 2008 R2 are not affected. (The Windows 7 Release Candidate is, however, affected.)

Microsoft has so far not issued a patch to cover this latest security flaw; it is not known either if such a patch will be issued out-of-cycle, or be held until next month’s regular update schedule.

Users should run Windows Update and see if their systems have been patched to protect against these vulnerabilities. For most systems, this should have taken place automatically, but it’s still an excellent idea to double-check.

Trend Micro OfficeScan users with the Intrusion Defense Firewall plugin installed should apply the recent filter update (IDF09-027). This version contains protection from attacks exploiting the five patched vulnerabilities, as well as other potential security risks.

Post from: TrendLabs | Malware Blog - by Trend Micro

September Patch Tuesday Fixes 5 Vulnerabilities; Leaves One Open

Today’s Patch Tuesday from Microsoft comes with 9 security advisories, 5 of which are tagged as critical, 4 as important. Collectively, 19 flaws are addressed in these advisories, 15 of which are critical. This set of advisories also includes the bulletin that addresses the previously exploited Microsoft Office Web Components bug.

The critical advisories include patches for vulnerabilities in Microsoft Office Web Components (MS09-043), Remote Desktop Connection (MS09-044), Internet Name Service (MS09-039), Windows Media File Processing (MS09-038), and Active Template library (MS09-037).

The other advisories are for vulnerabilities in ASP.NET (MS09-036), Message Queuing (MS09-040), Workstation Service (MS09-041) and Telnet (MS09-042).

Details about these vulnerabilities can be found at our Security Advisory for the August 2009 Patch Tuesday at the Threat Encyclopedia. The Microsoft blog says that five of the six critical patches are rated “1″ in their Exploitability Index. They are thus expecting there to be some in-the-wild exploits targeting these within 30 days from now.

Again, this is a reminder to make sure that all your applications and operating systems are up to date with the latest patches. Software vendors issue these patches to prevent cybercriminals from exploiting these vulnerabilities. Update now.

Trend Micro OfficeScan users with Intrusion Defense Firewall plugin installed should apply today’s update for the latest filters (IDF09024). This version contains protection from attacks exploiting the above and other vulnerabilities.

Post from: TrendLabs | Malware Blog - by Trend Micro

August 2009 Patch Tuesday Addresses MS Vulnerabilities

Senior Security Analyst Rik Ferguson reports that spam messages arrive with text indicating that it has file attachments that are image files with the JPEG format. In truth however, the file names of attachments are actually links that connect to shortened URLs, which in turn connect to malicious URLs.

Connecting to the malicious URLs, which are now blocked, leads to the download of the malicious file fotos.com which is now detected as TROJ_DLOADR.AQJ. The said file, in turn, downloads a wide variety of information-stealing malware. The malicious URLs and files are all blocked through the Trend Micro Smart Protection Network.

Quite noteworthy is the fact that the links were crafted to, at first glance, look very similar to how file attachments are displayed in most emails. An envelope-shaped icon is even seen at the side of each of the links, which is typical for file attachments.

However, there are also noticeable differences between such spam email and a legitimate email message, which users must watch out for should they receive a suspicious email message.

Here are a few of the noticeable differences between the spam email and a legitimate one:

• The attachment details are indicated not in the message area, but above it, along with the other fields.
• The number of attached files are supposed to be stated right under the email address in the To: field.
• The size of the attached file is displayed beside the file name.
• The attached images are always displayed at the bottom of the message.

Hotmail users are advised not to click on any of the links contained in messages that do not display the abovementioned details.

Post from: TrendLabs | Malware Blog - by Trend Micro

Sly Spam Run Targets Hotmail Users

More information, as well as download links for the said patches, may be found below:

• Cumulative Security Update for Internet Explorer
• Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases Out-of-Cycle Patches For Exploits

• JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
• JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
• JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.

Initial analysis done by Threat Analyst Jessa De La Torre shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer.

According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature.

Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog. This workaround is, however, unnecessary for Firefox 3.5.1 users.

On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472.

Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:

• Firefox: Mozilla Foundation Security Advisory 2009-41
• OWC: Microsoft Security Advisory (973472)
• DirectShow: Microsoft Security Bulletin MS09-032

Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.

Post from: TrendLabs | Malware Blog - by Trend Micro

More Zero-Day Exploits for Firefox and IE Flaws

The Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution was used in a zero-day attack last week that involved around 967 compromised Chinese websites. A script that triggered the exploit was inserted in the said websites, which when successfully executed drops WORM_KILLAV.AI into the affected system. The security advisory MS09-032 already addresses the vulnerability used in this attack.

Here is the full list of security advisories issued for this month:

• (MS09-028) Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
• (MS09-029) Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
• (MS09-030) Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)
• (MS09-031) Vulnerabilities in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
• (MS09-032) Cumulative Security Update of ActiveX Kill Bits (973346)
• (MS09-033) Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)

The Office Web Components ActiveX vulnerability is the other vulnerability used in a malware attack this month. Similar to the zero-day attack, a script that triggers the exploit was inserted in compromised websites. This placed any visitor of the compromised websites who hasn’t updated their system at risk of being affected by TROJ_DLOADR.DOF, which drops a rootkit component detected as TROJ_ROOTKIT.DOF, and downloads TROJ_DLOADR.UIG and TROJ_INJECT.AKI. A patch for the said vulnerability hasn’t been issued, but Microsoft provided a workaround, to protect users while an update is being developed.

Meanwhile, users are advised to update their systems as soon as possible.

Post from: TrendLabs | Malware Blog - by Trend Micro

July 2009 Microsoft Security Updates

“This vulnerability could be used for remote code execution in a ‘browse and get owned’ scenario,” says Microsoft, “but requires user interaction since a user needs to go to a malicious website that hosts the exploit to become infected.” Users need not fear, however, as Microsoft has released an advisory containing further information on this exploit. It also released information on how users can tell if their systems are vulnerable to this attack in a blog post.

Trend Micro Research Manager, Ivan Macalintal, says that the exploit appears to be using script fragmentation—the same tactic used in a previous zero-day mass Web compromise. He adds that the parts of the whole malicious script may not necessarily be malicious per se. However, when combined, the outcome—a full working exploit—can prove disastrous.

Users who visit malicious sites using vulnerable Internet Explorer browsers run the risk of automatically getting infected. The JavaScript detected as JS_SHELLCODE.BH automatically runs on vulnerable browsers unless the ActiveX control is disabled. Once executed, says Trend Micro Threat Analyst, Jessa De La Torre, the script enables the download of TROJ_DLOADR.DOF, which drops a rootkit (TROJ_ROOTKIT.DOF), then downloads the Trojans TROJ_DLOADR.UIG and TROJ_INJECT.AKI. TROJ_DLOADR.UIG downloads roughly a hundred files from a certain URL, posing the risk of infection to a lot more malware.

The malware affects common Microsoft applications, most notably Microsoft Office XP Service Pack 3 and Microsoft Office 2003 Service Pack 3.

To protect users from this threat, Microsoft has come up with a workaround until the next Patch Tuesday releases. The page also contains a link so users can automatically apply the workaround.

Trend Micro threat analysts received reports of this vulnerability exploit and are currently analyzing the samples. Trend Micro product users need not fret, however, as this threat is already blocked by Smart Protection Network.

Post from: TrendLabs | Malware Blog - by Trend Micro

OWC ActiveX Exploit Follows MPEG2TuneRequest’s Lead

The shellcode of the exploit is XOR encrypted. Below is the screenshot of the decrypted shellcode:

Microsoft already released a security advisory regarding this vulnerability. More information can be found in the following page:

• Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution

Upon successful exploitation, the script downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates antivirus software processes, and drops other malware on the affected system.

As of this writing, all domains are blocked already by Smart Protection Network. Furthermore, OfficeScan users with Intrusion Defense Firewall plugin installed are protected from this threat if they have updated to the latest filters (IDF09021).

Post from: TrendLabs | Malware Blog - by Trend Micro

Zero-day MPEG2TuneRequest Exploit Leads to KILLAV

This doesn’t really look like a med spam, since everything is just plain text advertisement with no Buy Now or Click this link, but this is close to being a med spam, probably a failed attempt to create one on the Silverlight forum website. So I kept on looking and found other Silverlight forum members peddling other Cialis and other drugs, and this time, successfully creating a med spam site on the Silverlight site.

I found around fifty of these med spam pages hosted free by Silverlight, all of which are supposed to be profile pages of Silverlight Community members, but crafted by the “member” to advertise med spam.

More troubling is that this doesn’t end with med spam. Some spam profile leads to fake anti-virus programs. Several “RedTube” profiles (supposed to be porn video streaming) link to a site which needs you to “download the Tube Video player to play this video”.

The downloaded file install.exe is actually a fake AV detected as TROJ_FAKEAV.ODN.

We’ve alerted Microsoft of this abuse. We are hoping that the spam posts will be deleted as soon as possible. Meanwhile the Trend Micro Smart Protection Network provides users complete protection against this threat.

Post from: TrendLabs | Malware Blog - by Trend Micro

Med Spam Litters Silverlight Forums