Sep 11, 10:20 am (UTC-7) | by

US singer Omarion's song "Ice Box" comes to mind with the discovery of a new version of the IcePack toolkit hosted on http://{BLOCKED}.{BLOCKED}.72.200. The same host also serves a malicious JavaScript, detected by Trend Micro as JS_MULEX.C, which fingerprints the browser type and the Windows version of the visiting system. It uses that information to decide which vulnerability to exploit against that particular system.

JS_MULEX.C carries exploits for a range of vulnerabilities in Windows, Internet Explorer, Firefox, and several third-party applications. The vulnerabilities it exploits are listed below, each with the vendor advisory or bulletin that describes it (and, in several cases, provides the patch):

• Vector Markup Language (VML) vulnerability in Internet Explorer
  http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
• WebViewFolderIcon ActiveX integer overflow in Windows
  https://www.kb.cert.org/vuls/id/753044
• Windows Media Player plug-in with non-Microsoft Internet browsers vulnerability
  http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
• JavaScript navigator object vulnerability in Firefox
  http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
• DXMedia SDK 6 ActiveX remote code execution vulnerability
  http://securitytracker.com/alerts/2007/Aug/1018551.html
• Yahoo! Messenger webcam ActiveX remote buffer overflow vulnerability
  http://messenger.yahoo.com/security_update.php?id=060707
• Yahoo! Widgets getcomponentversion() remote overflow vulnerability
  http://help.yahoo.com/l/us/yahoo/widgets/security/security-08.html
• Remote code execution vulnerability in Microsoft Management Console (MMC)
  http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
• Remote code execution vulnerability in Microsoft Data Access Components (MDAC)
  http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

Once JS_MULEX.C has determined which of these vulnerabilities apply to the visiting system, it exploits one of them to download the file EXE.PHP onto the affected system. Trend Micro detects that file as TSPY_AGENT.AAWC.
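The selection step described above, as an added illustration written for this post rather than code taken from JS_MULEX.C or IcePack: a user-agent parser resolves the browser family, browser version and Windows version, and a table maps the vulnerabilities listed above to the browser that exposes each. The table, the browser assignments and the Firefox version threshold are assumptions made for the example; the sample user agents at the bottom are constructed.

```javascript
// Added example: user-agent fingerprinting and exploit selection of the kind
// the post describes. Illustrative code for this article, not JS_MULEX.C or
// IcePack. The exploit table is a constructed mapping of the vulnerabilities
// listed above to the browser family each is reachable from (assumption).
const EXPLOIT_TABLE = [
  { name: "VML (MS07-004)",                                    browser: "MSIE" },
  { name: "WebViewFolderIcon ActiveX (VU#753044)",             browser: "MSIE" },
  { name: "MMC remote code execution (MS06-044)",              browser: "MSIE" },
  { name: "MDAC remote code execution (MS06-014)",             browser: "MSIE" },
  { name: "DXMedia SDK 6 ActiveX",                             browser: "MSIE" },
  { name: "Yahoo! Messenger webcam ActiveX",                   browser: "MSIE" },
  { name: "Yahoo! Widgets getcomponentversion() overflow",     browser: "MSIE" },
  { name: "WMP plug-in for non-Microsoft browsers (MS06-006)", browser: "Firefox" },
  // fixedIn is the first Firefox release assumed to carry the MFSA 2006-45 fix;
  // the threshold is an assumption for the example, not data from the post.
  { name: "Firefox navigator object (MFSA 2006-45)",           browser: "Firefox",
    fixedIn: [1, 5, 0, 5] },
];

// Resolve browser family, dotted version and Windows NT version from a UA.
// "Windows NT 5.1" is XP, "5.0" is 2000, "6.0" is Vista; the kit only needs
// the token, not the marketing name.
function parseUserAgent(ua) {
  const fp = { browser: "other", version: [], windows: null };
  const nt = /Windows NT (\d+\.\d+)/.exec(ua);
  if (nt) fp.windows = nt[1];
  const ff = /Firefox\/(\d+(?:\.\d+)*)/.exec(ua);
  const ie = /MSIE (\d+(?:\.\d+)*)/.exec(ua);
  if (ff) {
    fp.browser = "Firefox";
    fp.version = ff[1].split(".").map(Number);
  } else if (ie) {
    fp.browser = "MSIE";
    fp.version = ie[1].split(".").map(Number);
  }
  return fp;
}

// Lexicographic compare of dotted versions; missing components count as 0,
// so [1,5] equals [1,5,0].
function versionLess(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return the names of the exploits worth trying against this user agent.
function selectExploits(ua) {
  const fp = parseUserAgent(ua);
  // The dropped payload (EXE.PHP) is a Windows executable, so a non-Windows
  // visitor gets nothing (assumption for the example).
  if (fp.windows === null) return [];
  return EXPLOIT_TABLE
    .filter((e) => e.browser === fp.browser)
    .filter((e) => !e.fixedIn || versionLess(fp.version, e.fixedIn))
    .map((e) => e.name);
}

// Constructed sample user agents for a stand-alone run.
const SAMPLE_AGENTS = [
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
  "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
  "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4",
];
for (const ua of SAMPLE_AGENTS) {
  console.log(ua, "->", selectExploits(ua));
}
```

Note the defensive reading of the same logic: everything the kit decides is driven by the User-Agent header and the version tokens in it, so a browser that is past the patched release for each entry, or that presents no Windows token at all, receives no exploit. That is exactly why the patch advice below matters more than any single detection.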

Aside from keeping your pattern files updated, Trend Micro strongly recommends applying vendor security updates to the operating system, browsers, and installed applications on a regular basis. JS_MULEX.C relies entirely on vulnerabilities for which advisories had already been published, so a system kept current with those updates removes the paths it depends on.

Thanks to Ryan Flores, Paul Ferguson, Rainer Link, and Roger Thompson of Exploit Prevention Labs for providing information.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice