Sep 11, 10:20 am (UTC-7) | by

US singer Omarion's song "Ice Box" comes to mind with the discovery of a new version of the IcePack toolkit hosted on http://{BLOCKED}.{BLOCKED}.72.200, which also hosts a malicious JavaScript. The JavaScript, detected by Trend Micro as JS_MULEX.C, resolves the browser type and Windows operating system version of an affected system. This lets the script decide which vulnerability to exploit on that system.

Speaking of vulnerabilities, JS_MULEX.C can exploit a host of vulnerabilities in various applications and programs. It exploits the following vulnerabilities:

• Vector Markup Language vulnerability in Internet Explorer
• WebViewFolderIcon ActiveX integer overflow in Windows
• Windows Media Player Plug-in with Non-Microsoft Internet browsers vulnerability
• JavaScript navigator Object vulnerability in Firefox
• DXMedia SDK 6 ActiveX remote code execution vulnerability
• Yahoo! Messenger webcam ActiveX remote buffer overflow vulnerability
• Yahoo! Widgets getcomponentversion() remote overflow vulnerability
• Remote code execution vulnerability in Microsoft Management Console
• Remote code execution vulnerability in Microsoft Data Access Components (MDAC)

The vulnerabilities above are discussed in detail (and some of these pages also carry patches) at the following URLs, listed in the same order:

• http://www.microsoft.com/technet/security/Bulletin/MS07-004.mspx
• https://www.kb.cert.org/vuls/id/753044
• http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
• http://www.mozilla.org/security/announce/2006/mfsa2006-45.html
• http://securitytracker.com/alerts/2007/Aug/1018551.html
• http://messenger.yahoo.com/security_update.php?id=060707
• http://help.yahoo.com/l/us/yahoo/widgets/security/security-08.html
• http://www.microsoft.com/technet/security/Bulletin/MS06-044.mspx
• http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

Once JS_MULEX.C has determined which vulnerabilities apply to a system, it exploits one of them to download the file EXE.PHP onto the affected system. This file is detected by Trend Micro as TSPY_AGENT.AAWC.
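As an added illustration (not code from the original post or from Trend Micro), the following Python heuristic flags the pattern described above: a script that reads navigator fields, branches on the browser or Windows version, and then instantiates an ActiveX control or writes a plug-in tag. The two sample scripts and the ProgID in them are constructed placeholders, not the real JS_MULEX.C.

```python
import re

# Constructed sample of an exploit-kit-style landing script, written for this
# example; it is NOT the real JS_MULEX.C and contains no working exploit.
SUSPECT_JS = r"""
var ua = navigator.userAgent.toLowerCase();
var os = navigator.appVersion;
if (ua.indexOf("msie") != -1 && os.indexOf("windows nt 5.1") != -1) {
    var ctl = new ActiveXObject("Placeholder.Control");   // hypothetical ProgID
} else if (ua.indexOf("firefox") != -1) {
    document.write("<embed src='movie.wmv'></embed>");
}
"""

# Constructed benign script: fingerprints the browser only to pick a CSS class.
BENIGN_JS = r"""
var ua = navigator.userAgent;
if (ua.indexOf("Firefox") != -1) { document.body.className = "ff"; }
"""

INDICATORS = {
    # reads navigator.* to learn browser / OS, as JS_MULEX.C does
    "fingerprints_client": re.compile(r"navigator\.(userAgent|appVersion|appName|platform)", re.I),
    # compares the result against browser / Windows version strings
    "branches_on_platform": re.compile(r"(msie|firefox|windows\s*nt|win32|opera)", re.I),
    # instantiates a COM control (the ActiveX vectors in the list above)
    "instantiates_activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    # injects a plug-in object / embed tag (the WMP plug-in vector)
    "injects_plugin_object": re.compile(r"document\.write\s*\(\s*['\"]<(embed|object)", re.I),
}


def analyse_script(src: str) -> dict:
    """Return which indicators fired and whether the script looks like a
    browser-fingerprinting exploit chooser.  Heuristic: client fingerprinting
    plus platform branching plus at least one exploit-delivery primitive."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    delivery = hits["instantiates_activex"] or hits["injects_plugin_object"]
    hits["suspicious"] = hits["fingerprints_client"] and hits["branches_on_platform"] and delivery
    return hits


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_JS), ("benign", BENIGN_JS)):
        print(label, analyse_script(src))
```

Fingerprinting alone is not malicious (sites do it for layout), so the verdict only fires when it is combined with a delivery primitive; treat the result as a triage signal, not a final classification.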

Aside from keeping your pattern files updated, Trend Micro strongly recommends applying regular updates to programs and applications.

Thanks to Ryan Flores, Paul Ferguson, Rainer Link, and Roger Thompson of Exploit Prevention Labs for providing information.

© Copyright 2013 Trend Micro Inc. All rights reserved.