Here is yet another case of Patch Tuesday/Exploit Wednesday. While the bounty hunt for software vulnerabilities is still very much an active industry, malware authors have been seen to watch out for (and ultimately prey on) vulnerabilities disclosed by legitimate software vendors. This isn’t as irrational as it looks; malware authors are not looking for massive hits, just the many users who do not take enough care to download and install software patches.
A few days after the regular Patch Tuesday last April 8, our researchers were alerted to an exploit-backdoor tandem that specifically takes advantage of the vulnerability discussed in Microsoft Security Bulletin MS08-021 (classified as critical). This vulnerability lies in the Graphical Device Interface (GDI) of Windows operating systems, the component responsible for how the system handles graphical information. Exploitation of this vulnerability allows an attacker to take full control of a computer system.
A file named TOP.JPG has been found to successfully use this flaw. It was found hosted on websites, and arrives on a system as an executable which is now detected as EXPL_NEVAR.B. Its specific routine connects to a URL to download a file named WORD.GIF (which is also detected by Trend Micro, as BKDR_POISONIV.QI). Backdoors silently execute commands on the compromised computer without the user's knowledge.
Users should update applications and operating systems the moment patches are available.