Sep 11, 10:20 am (UTC-7)   |   by Dianne Lagrimas (Technical Communications)

US singer Omarion’s "Ice Box" makes a fitting soundtrack for the discovery of a new version of the IcePack toolkit, hosted on http://{BLOCKED}.{BLOCKED}.72.200 alongside a malicious JavaScript file. The script, detected by Trend Micro as JS_MULEX.C, resolves the browser type and the Windows operating system version of the visiting system, and uses that fingerprint to decide which vulnerability to exploit.

Speaking of vulnerabilities, JS_MULEX.C carries exploits for a range of flaws in several applications and programs. It exploits the following vulnerabilities:

  • Vector Markup Language vulnerability in Internet Explorer
  • WebViewFolderIcon ActiveX integer overflow in Windows
  • Windows Media Player Plug-in with Non-Microsoft Internet browsers vulnerability
  • JavaScript navigator object vulnerability in Firefox
  • DXMedia SDK 6 ActiveX remote code execution vulnerability
  • Yahoo! Messenger webcam ActiveX remote buffer overflow vulnerability
  • Yahoo! Widgets getcomponentversion() remote overflow vulnerability
  • Remote code execution vulnerability in Microsoft Management Console
  • Remote code execution vulnerability in Microsoft Data Access Components (MDAC)

The vulnerabilities above are discussed in detail at the following URLs, listed in the same order; several of the bulletins and advisories also carry the corresponding patches:

  • http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
  • https://www.kb.cert.org/vuls/id/753044
  • http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
  • http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
  • http://securitytracker.com/alerts/2007/Aug/1018551.html
  • http://messenger.yahoo.com/security_update.php?id=060707
  • http://help.yahoo.com/l/us/yahoo/widgets/security/security-08.html
  • http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
  • http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

Once JS_MULEX.C has determined which vulnerabilities apply to a system, it exploits one of them to download the file EXE.PHP onto the affected system. That file is detected by Trend Micro as TSPY_AGENT.AAWC.
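To make the fingerprint-then-select step concrete, here is an added example in JavaScript. It is not code from IcePack, JS_MULEX.C or Trend Micro; it models the behaviour described above on constructed user-agent strings and contains no exploit code, returning only the identifiers of the listed vulnerabilities a kit of this kind would try. The mapping of each vulnerability to a browser family is an assumption drawn from the vulnerability names (ActiveX and VML targets are reached from Internet Explorer, MFSA 2006-45 is Firefox-specific, MS06-006 concerns the Windows Media Player plug-in as loaded by non-Microsoft browsers), the Windows 2000 restriction on MS06-044 is an assumption taken from that bulletin's affected-software list, and the short labels for the three entries without a bulletin number are illustrative.

```javascript
// Added example, not code from IcePack, JS_MULEX.C or Trend Micro: a model of
// the fingerprint-then-select step of a browser exploit kit. Exploit bodies
// are deliberately absent; the output is only the list of vulnerability
// identifiers a kit would try against this visitor, in table order.

// Constructed user-agent strings used as sample input (not captured traffic).
const SAMPLE_UA = {
  ieOnXp: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  ieOn2000: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)',
  firefoxOnXp: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4',
  firefoxOnLinux: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0',
  operaOnXp: 'Opera/9.02 (Windows NT 5.1; U; en)',
};

// Windows NT kernel versions as they appear in user-agent strings.
const WINDOWS_NAMES = {
  '5.0': 'Windows 2000',
  '5.1': 'Windows XP',
  '5.2': 'Windows Server 2003',
  '6.0': 'Windows Vista',
};

// Step 1: resolve browser family/version and Windows version from the UA.
// In a real landing page this reads navigator.userAgent; here the string is
// a parameter so the logic runs offline under Node.
function parseUserAgent(ua) {
  const fp = { browser: 'other', browserVersion: null, windowsNT: null, windowsName: null };
  const ie = /MSIE (\d+(?:\.\d+)?)/.exec(ua);
  const firefox = /Firefox\/(\d+(?:\.\d+)*)/.exec(ua);
  if (ie) {
    fp.browser = 'ie';
    fp.browserVersion = ie[1];
  } else if (firefox) {
    fp.browser = 'firefox';
    fp.browserVersion = firefox[1];
  }
  const nt = /Windows NT (\d+\.\d+)/.exec(ua);
  if (nt) {
    fp.windowsNT = nt[1];
    fp.windowsName = WINDOWS_NAMES[nt[1]] || 'Windows (unknown version)';
  }
  return fp;
}

// Step 2: the vulnerabilities the post lists, keyed by the browser family they
// are reached from (assumed from the vulnerability names). windowsOnly marks
// entries that need a Windows host; windowsNT, when set, restricts the entry
// to specific Windows versions. The Windows 2000 restriction on MS06-044 is an
// assumption taken from that bulletin's affected-software list. The three
// labels without a bulletin number are illustrative short names.
const EXPLOITS = [
  { id: 'MS07-004',     browsers: ['ie'],      windowsOnly: true,  windowsNT: null },   // VML in IE
  { id: 'VU#753044',    browsers: ['ie'],      windowsOnly: true,  windowsNT: null },   // WebViewFolderIcon ActiveX
  { id: 'MS06-006',     browsers: ['firefox'], windowsOnly: true,  windowsNT: null },   // WMP plug-in, non-MS browsers
  { id: 'MFSA2006-45',  browsers: ['firefox'], windowsOnly: false, windowsNT: null },   // Firefox navigator object
  { id: 'DXMEDIA-SDK6', browsers: ['ie'],      windowsOnly: true,  windowsNT: null },   // DXMedia SDK 6 ActiveX
  { id: 'YMSGR-WEBCAM', browsers: ['ie'],      windowsOnly: true,  windowsNT: null },   // Yahoo! Messenger webcam ActiveX
  { id: 'YWIDGETS-GCV', browsers: ['ie'],      windowsOnly: true,  windowsNT: null },   // Yahoo! Widgets getcomponentversion()
  { id: 'MS06-044',     browsers: ['ie'],      windowsOnly: true,  windowsNT: ['5.0'] }, // MMC, Windows 2000 only (assumed)
  { id: 'MS06-014',     browsers: ['ie'],      windowsOnly: true,  windowsNT: null },   // MDAC
];

// Step 3: pick the candidates for one visitor. A kit would then try them in
// this order until one succeeds and the payload (EXE.PHP in the post) lands.
function selectCandidates(ua) {
  const fp = parseUserAgent(ua);
  return EXPLOITS
    .filter((e) => e.browsers.includes(fp.browser))
    .filter((e) => !e.windowsOnly || fp.windowsNT !== null)
    .filter((e) => e.windowsNT === null || e.windowsNT.includes(fp.windowsNT))
    .map((e) => e.id);
}

// Stand-alone run: show the fingerprint and the selection for each sample.
for (const [label, ua] of Object.entries(SAMPLE_UA)) {
  console.log(label, parseUserAgent(ua), selectCandidates(ua));
}
```

Two things follow from the model. A visitor who is not running Internet Explorer or Firefox gets an empty candidate list, so a kit of this design simply serves nothing to other browsers; and a fully patched host makes the selection irrelevant, since the selection only chooses which exploit to attempt, not whether it works.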

Aside from keeping your Trend Micro pattern files updated, Trend Micro strongly recommends applying regular updates to programs and applications: the bulletins and advisories linked above carry the fixes where they exist, and a patched system leaves JS_MULEX.C nothing to exploit.

Thanks to Ryan Flores, Paul Ferguson, Rainer Link, and Roger Thompson of Exploit Prevention Labs for providing information.
