Oct15
5:44 am (UTC-7)   |    by Det Caraig (Technical Communications)

A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to be hosted by several Indian, Thai, and New Zealand websites.

The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list.

Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites; visiting the said sites then triggered redirections to various malicious URLs that ultimately led to the download of more malicious files.

The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity.

Users, as usual, are thus warned to refrain from opening suspicious-looking files. They are also strongly advised to patch their systems regularly to avoid becoming prey to vulnerability exploits.

Trend Micro Smart Protection Network™ protects users from this threat by blocking access to malicious URLs and preventing the download of malicious files. Mac users are also protected through Trend Micro Security for Mac and Smart Surfing for Mac.

Non-Trend Micro product users, on the other hand, can also stay protected with Housecall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

Important correction, posted October 16, 2009: TROJ_PIDIEF.ASP exploits vulnerabilities cited in CVE-2009-0927 and CVE-2007-5659, not the previously posted vulnerability discussed in the second paragraph above. We apologize for any confusion caused by this oversight. Adobe users should enable the auto-update feature in their product to receive patches that address these vulnerabilities.




Oct14
2:01 am (UTC-7)   |    by JM Hipolito (Technical Communications)

The solution for the vulnerability that was left unpatched during last month’s patch cycle was included in the recently released security advisory, along with a dozen other vulnerability reports.

Of the 13 security vulnerabilities fixed today, 8 were marked “critical” while the other 5 were marked “important.” This month’s release covered a wide range of vulnerabilities, each of which affects a long list of software. Listed among the software affected by several of the released security updates is the much-coveted Windows 7, which is slated to be released next week.

The update also included a security update for a vulnerability that was partly addressed in a previous patch release. More information on the security advisories can be found in this Trend Micro Security Advisory page.

Considering that many of the newly patched vulnerabilities enable remote code execution, it is all but necessary that users patch their systems as soon as possible.

Trend Micro OfficeScan users with Intrusion Defense Firewall plugin installed should apply today’s update for the latest filters (IDF9030). This version contains protection from attacks exploiting the above and other vulnerabilities.



Oct14
1:53 am (UTC-7)   |    by Christopher Talampas (Fraud Analyst)

Trend Micro threat analysts were recently alerted to a phishing attempt targeting random employees of several companies. The email posed as a notification from the company’s “system administrator,” reminding the employee to update his/her system’s software due to a recent server software upgrade. The spammed email contained a URL using several subdomains that resolved to the same IP address.


Trend Micro Advanced Threats Researcher Joey Costoya believes the subdomains are tailor-made, depending on the recipient’s email address. This makes the email seem legitimate, even if it is not, tricking unknowing users into clicking the URL.

As of this writing, the URLs are already inaccessible. Trend Micro analyzed the domains and subdomains used in this attack and found that they are already blacklisted. The domain was registered for only one year.

Trend Micro Smart Protection Network™ already detects the malicious files as TROJ_ZBOT.CYX and blocks the spammed emails. Non-Trend Micro product users are, on the other hand, advised to use HouseCall, Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.



Oct9
2:59 pm (UTC-7)   |    by JJ Reyes (Advanced Threats Researcher)

Trend Micro threat analysts were alerted to the discovery of a zero-day exploit that affects Adobe Reader and Acrobat 9.1.3 and earlier versions (CVE-2009-3459). Trend Micro detects this as TROJ_PIDIEF.UO. The .PDF file contains embedded JavaScript, which Trend Micro detects as JS_AGENTT.DT. This JavaScript is used to execute arbitrary code through a technique known as heap spraying. In addition, there is a possibility that a future variant may be created that does not use JavaScript to exploit the said vulnerability.

Based on our findings, the shellcode that was heap sprayed jumps to another shellcode inside the .PDF file. The said shellcode then extracts and executes a malicious file detected by Trend Micro as BKDR_PROTUX.BD. This backdoor is also embedded in the .PDF file rather than being the usual file downloaded from the Web. Protux variants are known for their ability to provide unrestricted user-level access to a malicious user. Earlier variants of the Protux backdoor were seen used as the payload in previous attacks exploiting vulnerabilities in Microsoft Office files.
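A defensive triage check for files of the kind described above, as an added example that is not Trend Micro’s code: it flags the PDF name objects that mark embedded JavaScript and auto-run actions, after decoding `#xx` name escapes and inflating FlateDecode streams, two standard PDF features that malicious files commonly use to keep such names out of a naive string search. The sample PDFs are constructed for the example and carry only a harmless `app.alert` call.

```python
import re
import zlib

# Constructed sample: a minimal PDF whose /OpenAction points at an embedded
# JavaScript action. /J#61vaScript is the PDF #xx name escape for /JavaScript.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert("hello")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same action hidden inside a FlateDecode stream.
_INNER = b"<< /S /JavaScript /JS (app.alert(1)) >>"
_DEFLATED = zlib.compress(_INNER)
COMPRESSED_PDF = (b"%PDF-1.4\n5 0 obj << /Filter /FlateDecode /Length "
                  + str(len(_DEFLATED)).encode() + b" >>\nstream\n"
                  + _DEFLATED + b"\nendstream\nendobj\n%%EOF\n")

# PDF name objects that mark active content and merit a closer look.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate stream so hidden names are scanned."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, or corrupt: skip it
    return data + b"\n" + b"\n".join(extra)


def find_indicators(data: bytes) -> dict:
    """Return {name: count} for each suspicious PDF name found in the file."""
    data = inflate_streams(data)
    # Decode #xx escapes so /J#61vaScript is compared as /JavaScript.
    data = _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    found = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at a delimiter, so /JS must not match a longer name.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", data))
        if hits:
            found[name.decode()] = hits
    return found
```

A hit is a reason to sandbox or block the file, not proof of malice, since many legitimate forms use JavaScript; a clean result says nothing about variants that exploit the bug without JavaScript.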


As of this writing, Adobe has indicated that it will include this vulnerability in its upcoming security update release. Meanwhile, users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:

  1. Run Acrobat or Adobe Reader.
  2. Go to Edit > Preferences.
  3. Select JavaScript under the Categories tab.
  4. Uncheck the “Enable Acrobat JavaScript” option.
  5. Click OK.

Users are also advised to patch their systems as soon as Adobe releases the security patch. Trend Micro protects users with the Smart Protection Network by detecting the said exploit.



Oct9
8:21 am (UTC-7)   |    by Robert McArdle (Senior Malware Researcher)

Anybody want to know Trend Micro’s top secret internal strategic plans for our upcoming projects? How about our financial returns for the next quarter?

Well, sorry, obviously we are not going to give that sort of information out publicly—we’d need to be crazy to do something like that.

On the other hand, if you want a heads up on Microsoft’s upcoming Windows 8 and Windows 9 OSs (128-bit, apparently) just wander over to the LinkedIn social networking site.

PC Pro has published a short piece on how a certain key Microsoft employee’s LinkedIn profile described his job as:

Working in high-security department for research and development involving strategic planning for medium- and long-term projects. Research and development projects, including 128-bit architecture compatibility with the Windows 8 kernel and Windows 9 project plan. Forming relationships with major partners: Intel, AMD, HP, and IBM.

Ouch.

This is yet another example of very sensitive company data being accidentally posted on a social networking site, an all-too-common occurrence. Social networking sites are also invaluable as sources of reconnaissance for hackers targeting a specific company, whether it’s an IT administrator on LinkedIn mentioning “managing checkpoint firewalls” in his job description or an employee tweeting that he/she is on his/her way to a “merger meeting with company X”—employees are quite often unaware of the sensitive information they are publicly disclosing.

Don’t get me wrong, I like social networks. I even have a LinkedIn profile of my own but I don’t put any data there that people would not already know.

If you are worried about this sort of data leak occurring in your own company, I’d fully recommend reading my colleague David Sancho’s paper, “A Security Guide to Social Networks.”

Perhaps Microsoft might like to print out a copy for all of its own employees.


