The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.

HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body. Below is a screenshot of HTML_EXPLT.QYUA’s code. Notice the highlighted parts where it calls the MIDI and JavaScript components:

Meanwhile, as the routines stated above happens in the background, the affected users remains unsuspecting and sees the following:

Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here. It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2. We’d like to reiterate that this is a publicly disclosed exploit. As such, we can expect similar attacks in the future.

On the other hand, Trend Micro customers are already protected from this by the Trend Micro™ Smart Protection Network™, which blocks the related malicious files and URLs.

We will update this blog entry once more information is available.

Update as of January 26, 2012, 7:50 a.m. (PST)

Trend Micro Deep Security shields this vulnerability using the specified rules. For more information on the Deep Security rules, users can visit our vulnerability page here.

Trend Micro Deep Security customers are protected by the rule 1004899 – Microsoft Windows Media Player MIDI Remote Code Execution Vulnerability (CVE-2012-0003). This rule prevents download of MIDI files, containing bad records, which could allow an attacker to execute arbitrary code if the user opens a link to a midi file or visits a page with embedded MIDI file.

Update as of January 27, 2012, 2:55 a.m. (PST)

Upon further processing, we found that TROJ_DLOAD.QYUA uses two other components for its routines. It drops RTKT_MDIEXP.QYUA for its rootkit capabilities, and connects to a certain URL to download its main payload — BKDR_EAYLA.QYUA. Currently, we are analyzing this threat and we will update this blog post once analysis is complete.

Update as of January 27, 2012, 8:15 p.m. (PST)

Further analysis of BKDR_EAYLA.QYUA revealed that it is not a backdoor, but an info stealer which we now detect as TSPY_ONLING.KREA. This particular malware steals credentials related to certain Korean online game sites. Once credentials are captured, they are sent to the attacker’s C&C.

Update as of January 30, 2012, 12:30 a.m. (PST)

Below is a behavior diagram on how this particular threat works.

Post from: TrendLabs | Malware Blog - by Trend Micro

Malware Leveraging MIDI Remote Code Execution Vulnerability Found

As we prepare for the year ahead, let us take a look at some of the Trend Micro 2011 predictions that came true and how we contributed to the security industry’s wins against the continuing war against cybercrime.

 

Though we didn’t foresee hacktivism coming to the fore in 2011, we witnessed a slew of mass compromises result from AntiSec and LulzSec attacks against various entities. Armed with politically charged agendas and disgruntled with varying issues, hacktivist groups continued to fling attacks at users.

2011, however, wasn’t all bad, as we also garnered some wins in our never-ending battle against cybercrime. In close collaboration with our industry partners and law enforcement authorities, Trend Micro was at the forefront in what has been dubbed the “Biggest Cybercriminal Ring Takedown”—Operation Ghost Click—to date. As individuals and organizations alike embark on the cloud journey, we at Trend Micro, along with our fellow cybercrimefighters in law enforcement and the security industry, will continue to serve our customers by providing data protection from, in, and for the cloud.

For more details on what 2011 was like, take a look at the 2011 security roundup report, A Look Back at 2011: Information Is Currency.

Post from: TrendLabs | Malware Blog - by Trend Micro

2011: The Year of Data Breaches

Microsoft starts the year right by addressing eight vulnerabilities in its January 2012 round of patches. This update includes fixes for one Critical bulletin, while the rest are rated Important.

This month’s update covers several vulnerabilities in Microsoft Windows, including those found in Windows Object Packager, Windows Media Player, and Windows Object Packager.

The only bulletin rated Critical was ‘Vulnerabilities in Windows Media Could Allow Remote Code Execution’. The vulnerabilities included in the said bulletin could allow remote code execution when users open a specially-crafted media file.

Also corrected in this patch Tuesday release is the way Media Player handles specially-crafted MIDI files and the way DirectShow parses media files. This update applies to all versions of Windows, including Windows 7.

In addition, MS12-006 fixes the BEAST vulnerability in SSL/TLS protocols, which potentially allowed a malicious user to conduct man-in-the-middle attacks on secure traffic.

Microsoft was not the only one to release fixes, as Adobe also published their own security updates to address vulnerabilities found in Adobe Reader and Acrobat. Most of the vulnerabilities addressed could lead to code execution when abused. Detailed information on the vulnerabilities can be found here.

To lean more about Microsoft support for the affected software, more details on the security bulletins for January 2012 can be found in their official bulletin summary. Users may also refer to our Trend Micro security advisory page.

Users of Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in can also find updates to their products that will protect them from threats exploiting the vulnerabilities made public today, in advance of IT administrators being able to roll out these patches.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases 7 Bulletins for First Patch Tuesday of 2012

The root cause of the problem lies in hash collisions. Most web applications use hashes to store user supplied inputs/form parameters. The inputs are supplied by users; hence attackers can control what values are eventually filled in the hashes. In this particular attack, the attacker sends too many key value pairs with colliding keys. If the hash implementation of the language is not randomized, it can result in numerous hash collisions, given that a lot of colliding entries are sent. The resolution of these collisions results in very high CPU usage.

An interesting aspect of this attack is that it doesn’t only affect Microsoft products. Several other web applications, such as Apache Tomcat, Apache Geronimo, Oracle web applications, PHP using python, ruby, Java are also vulnerable to this same issue. It’s not a specific vulnerability but a fundamental software flaw with the implementation of hash algorithms.

Trend Micro customers need not worry, as Deep Security provides protection with the rule 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414). For more details, user may refer to Trend Micro security advisory page in our Threat Encyclopedia.

Because of its severity, users are also advised to immediately update their systems before they usher in the new year.

Update as of January 9, 2012,11:00 PM PST

The Microsoft out of band update also addressed three other vulnerabilities:

CVE-2011-3415:

This vulnerability is a domain spoofing/open redirect vulnerability in Forms Authentication feature in the .Net Form Authentication. An attacker can use crafted URL to redirect the users to any website without the users’ knowledge. The attack vector can be a crafted link, which leads to a phishing attack to steal the sensitive information from the user like login credentials.

Websites with ASP.Net installed are at risk from this vulnerability. Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 are also vulnerable to this.

CVE-2011-3416:

This vulnerability is an authentication bypass flaw in ASP.Net. An attacker who successfully exploited this vulnerability can gain complete access to targeted users’ accounts and run any arbitrary commands with its privileges.

Trend Micro Deep Security provides zero day protection against such attacks using it’s heuristic based rule like ‘1000128 – HTTP Protocol Decoding‘.

CVE-2011-3417:

This vulnerability pertains to a specific configuration of ASP.Net. A system with sliding expiration enabled is only vulnerable to this. Once successfully exploited, an attacker can gain access to arbitrary user accounts on the system by sending specially crafted requests.

The following rules in Trend Micro Deep Security provide protection to Trend Micro customers:

• 1004886 – Microsoft ASP.NET Hashes Denial Of Service Vulnerability (CVE-2011-3414)
• 1004887—Microsoft ASP.NET Framework Forms Authentication URI Spoofing Vulnerability (CVE-2011-3415)
• 1000128—HTTP Protocol Decoding

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases Out of Band Update Before Year Ends

Microsoft released 13 bulletins today instead of 14, as announced in the Patch Tuesday announcement some days ago. In their final Patch Tuesday for the year, Microsoft addressed bugs in Windows, Internet Explorer, and Microsoft Office, while adding in a fix for DUQU in the bulletin MS11-087, which is also known as the DUQU zero-day remote code execution flaw. Attackers embedding specially crafted TrueType fonts in documents can exploit this vulnerability in the Windows kernel. MS11-087 was given a ‘Critical’ rating.

MS11-092 also deserves attention in this security bulletin as it affects Windows Media Player and also allows an attacker remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file. Microsoft also includes fixes for Active Directory, OLE and the Windows kernel.

To lean more about Microsoft support for the affected software, more details on the security bulletins for December can be found in their official bulletin summary. Users may also refer to our Trend Micro security advisory page.

Users of Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in can also find updates to their products that will protect them from threats exploiting the vulnerabilities made public today, in advance of IT administrators being able to roll out these patches to their systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases 13 Bulletins to Close 2011

The Microsoft Security Bulletin Summary for November 2011 tackles and addresses multiple vulnerabilities in Microsoft Windows. According to the notice, one of the bulletins is rated “critical”, while two are rated “important” and remaining one is rated “moderate.”

Majority of the bulletins apply to newer versions of Windows and require a reboot. The critical bulletin only affects Windows Vista, Windows 7, and Windows 2008 Server R2.

This Patch Tuesday gave a break to many IT administrators, however the real question on everyone’s mind is zero-day vulnerability related to DUQU. The vulnerability is exploited through a malicious Microsoft Word document. When opened, a zero-day kernel vulnerability is taken advantage of to execute malicious code. Microsoft did not release a patch in this cycle but has already issued a temporary fix for the exploit found here. The advisory provides a workaround by disabling the rendering of embedded TrueType fonts.

Additionally, Microsoft also raised their concern on the exploitability of MS11-083, giving it an Exploitability Index of “2″. They gave several scenarios wherein the vulnerability is exploited, and eventually used to achieve remote code execution.

Users are advised to immediately download and apply these patches as soon as possible. For more information regarding this month’s Patch Tuesday release, visit the Trend Micro security advisory page.

Post from: TrendLabs | Malware Blog - by Trend Micro

Light Patch Tuesday for November 2011

Their report indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

The installer files are composed of a .SYS file detected as RTKT_DUQU.B, and a .DLL file detected as TROJ_DUQU.B. RTKT_DUQU.B loads TROJ_DUQU.B into the system. TROJ_DUQU.B, on the other hand, drops and decrypts the DUQU components, RTKT_DUQU.A, TROJ_DUQU.ENC, and TROJ_DUQU.CFG. Below is a simple behavior diagram of the threat.

Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon. As a member of the Microsoft Active Protections Program (MAPP), if Microsoft provides information on ways we can protect customers while a security patch is being developed, we will add these protections to our products as quickly as possible and update you with that information.

This new information allows us to have more educated theories of how the DUQU attack took place. Considering the usage of a Microsoft Word document, it is likely that this was initially deployed through email messages sent to employees in the targeted organization.This further verifies our earlier hypothesis that DUQU is part of a highly targeted attack aimed at exfiltrating information from targeted entities. For more information on DUQU and the nature of highly targeted attacks, please check the following reports:

• DUQU Uses STUXNET-Like Techniques to Conduct Information Theft
• Anatomy of a Data Breach

We have created the proactive detections of TROJ_DUQUCFG.SME and RTKT_DUQU.SME to address future variants of DUQU component files. Also, the Threat Discovery Appliance (TDA) protects enterprise networks by detecting network activity and the malwares’ connection to the C&C server through the rules 473 TCP_MALICIOUS_IP_CONN, 528 HTTP_Request_DUQU, and 529 HTTP_Request_DUQU2.

Update as of November 3, 2011, 8:30 PM PST

Microsoft released a security advisory regarding the vulnerability used by DUQU.

The vulnerability exists in the Win32k TrueType font parsing engine and allows elevation of privilege. According to the advisory, a successful exploitation can allow an attacker to run arbitrary code in kernel mode.

We are currently collecting more information about this, and will update this blog entry with our findings as soon as possible.

Post from: TrendLabs | Malware Blog - by Trend Micro

Zero-Day Exploit Used for DUQU

Microsoft issued a new batch of security bulletins for October with fixes for several vulnerabilities in software products used by millions of computer users worldwide. Eight security bulletins have been released, which include patches for 23 vulnerabilities for software such as Microsoft .NET Framework, Microsoft Silverlight, Internet Explorer, Microsoft Forefront United Access Gateway, and Microsoft Host Integration Server.

Six out of the eight bulletins are rated “important” while two are rated “critical.” Some of the patches indicated a required restart after updating the machine with the affected software. Users and administrators are advised to immediately address these security flaws.

Users may refer to our vulnerability page for more information.

With a plethora of devices now entering the work environment, consumerization proves to be an IT nightmare and an increasing security risk, especially in terms of making sure all devices connected to the network are updated accordingly. With that, a lack of strategy could prove devastating and user-liable devices can get infected simply by surfing the Web or by being used in an unsecure environment. It is critical for users who bring their personal devices to their workplace to make sure that they update their systems with the latest security updates as soon as these are made available.

To learn more about Microsoft support for the affected software, more details on the security bulletins for October can be found in the vendor’s official bulletin summary.

Post from: TrendLabs | Malware Blog - by Trend Micro

Microsoft Releases Eight Bulletins for October Patch Tuesday

Microsoft is keeping it light this September after releasing 13 security bulletins last August. The vendor released five security bulletins this month, all of which were rated “important.” These bulletins resolve 15 flaws found in several software. One of the bulletins addresses five vulnerabilities (MS11-072) in Microsoft Excel and affects even the newest and Mac versions of the program. To successfully exploit these, a potential attacker needs to create malicious Excel files and distribute these via different social engineering schemes. Microsoft also rated this as the top bulletin in deployment priority, thus users and administrators are advised to immediately address these security flaws.

This month’s security updates also include fixes for Windows Internet Naming Service (WINS) and SharePoint Server 2010.

Users are encouraged to immediately download and apply these patches. For more details regarding this month’s Patch Tuesday release, users may visit this Trend Micro security page.

In addition, Microsoft released another non-security update to add six cross-signed  DigiNotar root certificates as untrustworthy, following the theft of more than 500 digital certificates issued by DigiNotar. More details on this can be found in  Microsoft’s official corporate security response blog.

Post from: TrendLabs | Malware Blog - by Trend Micro

Five Important Bulletins for September Patch Tuesday

Detected as WORM_MORTO.SMA, this malware drops its component files, including a .DLL file, which is dropped onto the Windows folder. The said .DLL file, which bears the file name clb.dll, is detected as WORM_MORTO.SM. WORM_MORTO.SM acts as a loader for the malware and places its own clb.dll in the %Windows% folder to exploit the way by which Windows finds files. Windows typically loads the %Windows% folder before the %System% folder where the legitimate clb.dll file is located. By doing so, the malware’s .DLL file is loaded before the legitimate one whenever regedit.exe is executed.

When WORM_MORTO.SM loads, it decrypts a file that contains the malware’s payload. It searches for Remote Desktop Servers associated with the infected system and attempts to log in as an administrator using a predefined set of passwords. Once a successful connection is established, it drops a copy of WORM_MORTO.SM into a temporary directory in the system.

Note that dropping files is not the only action a cybercriminal will be able to do once it remotely accesses the system through RDP. It was designed so a user can remotely access an entire system, thus allowing a cybercriminal to obtain complete access to an infected system.

According to my colleague Karl Dominguez, it appears that this attack aims to indeed give an attacker full control of an infected system and of a whole network since the malware logs in using an administrator account. Anything can be done in the system at this point, including information theft, especially if the malware infiltrates servers.

Trend Micro customers are protected from this threat, as the malicious files are now detected as WORM_MORTO.SMA and WORM_MORTO.SM. In addition, the URLs this malware uses to accesses its servers are now blocked.

As a form of prevention against this threat, and against similar threats, users are advised to use strong passwords and to enable firewall settings. Network administrators are also encouraged to require a secure VPN connection before allowing users to use Remote Desktop Connection.

Post from: TrendLabs | Malware Blog - by Trend Micro

More MORTO Infections Found