TrendLabs Security Intelligence Blog

    Author Archive - Jovi Umawing (Technical Communications)




Since the beginning of the year, Adobe and Microsoft have been in a bad light, since most of the recent notable attacks exploited vulnerabilities in the two companies' software. Adobe Reader and Acrobat, in particular, are currently cybercriminals' favorite targets. When news broke that Adobe would release an out-of-band security update to close an exploitable hole in certain versions of Reader and Acrobat, some raised their eyebrows while others rolled their eyes and declared that this was the last straw.

According to Adobe's latest security bulletin, the critical vulnerability, reported by Microsoft and by Michael Yong Park, affects Adobe Reader 9.3 for Macintosh, Windows, and Unix; Adobe Acrobat 9.3 for Macintosh and Windows; and Adobe Reader and Acrobat 8.2 for Macintosh and Windows. If cybercriminals exploited it, they could make unauthorized cross-domain requests or, worse, take control of affected systems, similar to the effects of a flaw in Adobe Flash and Adobe AIR that Park also spotted days earlier.

According to ZDNet, Adobe insisted that there were no active exploits in the wild targeting this vulnerability. TrendLabs engineers, on the other hand, have documented a number of noteworthy incidents in which cybercriminals exploited Adobe Acrobat and Reader vulnerabilities, specifically in the way this software handles JavaScript:

    Users of affected versions of Adobe Reader and Acrobat are strongly advised to download the updates in this security bulletin.

Trend Micro™ Smart Protection Network™ protects users from these kinds of attacks by blocking user access to malicious sites and domains via the Web reputation service, by preventing spammed messages containing links to malicious sites from even reaching their inboxes via the email reputation service, and by detecting and consequently deleting malicious exploits from their systems via the file reputation service.

Smart Protection Network™ also protects Trend Micro product users via Trend Micro Smart Surfing for Mac and Trend Micro Security for Mac.



Following its usual monthly patch cycle, Microsoft issued its first release of the year yesterday: a single security bulletin addressing a vulnerability in the way the Embedded OpenType (EOT) Font Engine renders a specially crafted EOT font file in several Microsoft applications, such as Internet Explorer (IE), PowerPoint, and Word.

An EOT font is an OpenType font packaged for embedding, carried in a file with the .eot extension. Microsoft created EOT so that fonts could be embedded in Web pages while discouraging the copying (and eventual reuse) of copyrighted fonts online, which is otherwise almost always possible.

According to the official Microsoft bulletin, once the EOT engine renders a malformed .EOT file, attackers could use the vulnerability to take complete control of the system. They would then be able to perform tasks on the affected machine, such as installing programs, deleting important files, or creating new accounts, all without the user's knowledge. Microsoft has given MS10-001 an Exploitability Index rating of "2," meaning that functioning exploit code is likely to appear but would work inconsistently. Note, however, that this rating applies only to systems running Windows 2000; on later versions, Microsoft considers exploitation unlikely.

    In the same vein, Adobe also released a security update detailing new patches for Reader and Acrobat. The patches address vulnerabilities we found and wrote about last month and last week.

Below is a list of other updates regarding vulnerabilities and patches:



    Earlier today, Senior Threat Researcher Joseph Reyes spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:

    • JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
    • JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
    • JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.

    Initial analysis done by Threat Analyst Jessa De La Torre shows that the scripts above may be unknowingly downloaded through either Firefox or Internet Explorer.

According to Mozilla, a Firefox user reported a crash that developers determined could result in exploitable memory corruption: in certain cases, after a return from a native function, the just-in-time (JIT) compiler could be left in a corrupt state, which an attacker could exploit to run arbitrary code. This vulnerability does not affect earlier versions of Firefox, which lack the JIT feature.

    Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog. This workaround is, however, unnecessary for Firefox 3.5.1 users.

On the other hand, the vulnerability in the Microsoft Video ActiveX Control allows remote code execution if a user views, with Internet Explorer, a specially crafted web page that instantiates the ActiveX control. Users whose accounts are configured with fewer rights on the system would be less affected than those who operate with administrative rights.

Microsoft is aware of attacks attempting to exploit these vulnerabilities and advises its customers to prevent the OWC from running, whether manually or automatically, using the solution found in Microsoft Knowledge Base Article 973472.

    Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:

Trend Micro advises users to download the latest scan engine to protect themselves against the above-mentioned exploits.



Following the sudden and shocking death of the King of Pop, Senior Threat Researcher Loucif Kharouni reports that a slew of malicious links purporting to show Michael Jackson's last moments in the hospital before his death are being spread in the wild via the instant messaging (IM) application MSN. Below is a sample screenshot of an MSN IM window containing several templates of the malicious links:

    Screenshot

When recipients of such messages click on any of these links, they are prompted to save a file named PIC-IMG029-www.hi5.com.exe (MD5 checksum 031429fc14151f94c8651a3fb110c19b) instead of being taken to an image site or gallery. Initial analysis shows that the file is a variant of the SDBOT family.

    More updates shortly. Stay tuned.

    Update as of 27 June 2009

The bot is reported to receive the templated messages over an IRC channel and then spam them from the infected client. Below is a sample screenshot of the botnet's activity:

The malware responsible for this is detected as WORM_IRCBOT.GAT. It opens a certain port on the affected system and then listens for remote commands. Kharouni reports that commands to download certain files are received and executed by the affected system, ultimately leading to the download of a PUSHDO variant. PUSHDO is a botnet responsible for a huge amount of spam activity. More information on PUSHDO can be found here:

A whitepaper presenting the findings of Trend Micro analysts' research on PUSHDO/CUTWAIL is also available and can be downloaded here.

Trend Micro customers can rest assured that all the URLs involved are already blocked through the Smart Protection Network.



A new development in the rogue antivirus campaign was recently discovered: the latest version of these rogue programs has a new face. The current buzz is that this application is the latest rogue anti-spyware program victimizing unwitting users, extorting money from them by feeding on their worries about (non-existent) system infections. Unfortunate are those who fall prey to these old yet sophisticated scams.

This new version goes by the name Virus Remover 2008. It was first spotted in the wild in early July of this year, just ten days after its predecessor, Antivirus 2009, was spotted. That is not much of a surprise, since it is common cybercriminal behavior to change tactics, or to retouch old ones, while leaving the application functioning essentially the same way.

Antivirus 2009 and Virus Remover 2008 have fairly similar routines. Figure 1 below is a simple yet comprehensive comparison of the two programs' scanning windows:


    Figure 1. Comparison between two rogue AV

There are, however, several notable differences between the two:

• Virus Remover 2008, unlike its predecessor, now comes with a EULA that mentions what it can and will do to systems once installed. System slowdown and the termination of several programs due to incompatibilities are just some of the effects users may encounter.
• Virus Remover 2008 already caters to a multinational audience, as shown by pages built and written for specific languages and countries, which may indicate either (a) an attempt to widen its reach or (b) an attempt to target victims in specific regions and geographies.


    Figure 2. Fake EULA

Virus Remover 2008 also seems to have distanced itself from the Windows-like interface: it no longer uses the logo that closely resembles the Windows Security Center's. This was possibly done because the old Antivirus 2009 interface is already too familiar to users and might give away the fact that it is a fake antivirus program.


    Figure 3. A new, unfamiliar interface

The Trend Micro Smart Protection Network already identifies Virus Remover 2008 as TROJ_FAKEVIR.AN. It also blocks the website powerfulvirusremover2008(dot)com, thus preventing users from accessing the malicious site.

© Copyright 2013 Trend Micro Inc. All rights reserved.