Once again cybercriminals take advantage of the Holidays in what seem like a targeted attack against businesses and government organizations. We spotted samples that bore the filename, PROPOSED CHRISTMAS PARTY 2012.doc. Trend Micro detects this as TROJ_ARTIEF.RTN. When executed, this malware drops a file (temp.doc) that acts as decoy to trick recipients into thinking this is a legitimate document. In the document file we spotted, it looks like a supposedly invitation to a certain government office’s upcoming Christmas party.

Moreover, TROJ_ARTIEF.RTN takes advantage of (MS12-027) Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258) to drop a backdoor which we detect as BKDR_GAMFRIC.A. Once run on the infected system, BKDR_GAMFRIC.A connects to its C&C server, http://{BLOCKED}ws-google.net.  It also executes the following commands, which can compromise system security:

• Download and execute arbitrary files
• Get Network Information
• Get Username/Computername
• Get OS Information
• Get running process
• Get Installed Applications
• Perform Shell Command

Read the rest of this entry »

In the last month of the year, MySQL has been flooded by a set of zero-day exploits. This set was revealed by Kingcope and he has published proof-of-concept (POCs) for all these vulnerabilities.

The newly discovered set of 0-days affects MySQL in multiple ways, such as application crash/denial of service, privilege escalation, authentication bypass, remote root on Windows systems, and heap/stack overrun. These vulnerabilities have been acknowledged by the vendor and assigned to CVE ids CVE-2012-5611, CVE-2012-5612, CVE-2012-5613, CVE-2012-5614, and CVE-2012-5615 respectively.

Two of the critical security issues, ExploitDB: 23073 & 23083 in MySQL allow remote authenticated attackers to get the shell of a Windows system by sending specially crafted requests.

Below are the rest of the critical issues:

• (CVE-2012-5611). This is triggered by sending an overly long argument to GRANT FILE command, which in turn leads to stack buffer overflow. It permits remote attackers to execute arbitrary code or may even cause database crash. However, to exploit this vulnerability valid username and password are required.
• (CVE-2012-5612). A heap buffer overflow vulnerability caused by a series of crafted commands like USE, SHOW TABLES, DESCRIBE, CREATE TABLE, DROP TABLE, ALTER TABLE, DELETE FROM, UPDATE, SET PASSWORD, etc. If exploited, it allows a remote, authenticated attacker with low privileges to change a current user’s password to an undefined value.
• (CVE-2012-5614). This leads to a service crash via SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements. The successful exploitation of this vulnerability also needs to be authenticated by a valid username and password.
• (CVE-2012-5615). Enumeration vulnerability exists in MySQL which lets remote attackers to learn all valid usernames based on the error messages generated.
• (CVE-2012-5613). This is not considered as a security bug since it’s a result of misconfiguration, however, it can lead to remote authenticated users gaining administrator privileges. In this case, an attacker with ‘FILE’ privilege is leveraged to create a new user that has full access similar to the MySQL administrator.

Read the rest of this entry »