Patch Tuesday has arrived, bringing with it the monthly crop of Microsoft security patches. September has a total of nine bulletins, fixing a total of 11 vulnerabilities, all but one of which affects Windows, two cover Microsoft Office, and one covers both Windows and Office.

In general for this Patch Tuesday, users of older Microsoft products are worse off. Not only are they covered by more bulletins, they are also subject to more critical security issues, as summarized in the table below.

For the two Microsoft Office bulletins, it is a similar story. Users of all versions—from Office XP to Office 2007—are affected though only users of Outlook 2002, a component of Office XP, face a critical vulnerability.

Enterprise users of Trend Micro products such as Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in can use these to protect themselves until Microsoft completes its rollout of this month’s updates. Home users  should visit the Windows Update site to download the patches as soon as possible.

ZeuS/ZBOT is best known for its information-stealing routines via the use of configuration files downloaded from their home sites. They are created using toolkits that allow remote control of the malware. Getting them to infect target systems is the tricky part. Cybercriminals have thus tried utilizing drive-by downloads, spammed messages, worm propagation, and many more ways. This time, they are trying out file infection.

The malware detected by Trend Micro as PE_ZBOT.A injects code into target files and modifies its entry point to redirect to its code. This allows the malware to run its code whenever the infected file is executed. It then attempts to connect to the remote sites from which it downloads and executes malicious files that allow it to steal information from an affected system. The downloaded files are detected as TROJ_KRAP.SMDA and TSPY_ZBOT.SMAP. Once it completes its routine, it returns control of the affected system to its host file.

This only shows that cybercriminals are continuously finding new ways to make sure they do not go out of business. The best way to protect one’s system is to be aware of the many techniques cybercriminals use and to keep security solutions and other pertinent applications patched and up-to-date.

A new threat targeting Borland Delphi Compilers is fast becoming a global concern, as we have been receiving reports of increased infection incidents. The file infector, detected by Trend Micro as PE_INDUC.A, tampers with Borland Delphi Compilers installed in targeted systems, causing all files compiled using the compromised Delphi compiler to be infected. Borland Delphi Compiler is a tool used to compile several popular enterprise database and desktop applications.

Upon execution, the malware checks if a Borland Delphi Compiler is installed on the system by checking a certain registry entry. Once the existence of the said compiler on the system is confirmed, it modifies the file SysConst.pas, by appending code. Through this routine, it compiles a new copy of the file SysConst.dcu which is detected by Trend Micro as TROJ_INDUC.AA. It then renames the original SysConst.dcu to SysConst.bak and deletes the modified SysConst.pas.

Once done, all files compiled using the affected Delphi compiler are also infected. This puts other users at risk of getting affected by the same malware: if they happen to run a Delphi program that was compiled using a tampered Borland Delphi Compiler, then their own Borland Delphi Compiler will be tampered with as well.

As of this time, there is no known payload for this malware except for infecting the compiled files.

Trend Micro Japan threat analysts have written an entry on this threat here. We will be updating this entry as more information comes in.