Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us

    A couple of days ago, my colleagues reported an attack that appears to be targeted and that involves email messages sent through a Webmail service. Upon further investigation, we were able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

    The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user’s personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines.

    The script connects to http://www.{BLOCKED}eofpublic.com/Microsoft.MSN.hotmail/mail/rdm/rdm.asp?a={user account name}{number} to download yet another script.

    The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables—{user account name}, which is the target user’s Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we’ve found that the information theft routines are only executed when certain numbers are in the {number} field.

    The URL leads to another script detected by Trend Micro as JS_AGENT.SMJ. The script triggers a request that is sent to the Hotmail server. The said request sends all of the affected user’s email messages to certain email addresses. The email message forwarding, however, will only work during the session wherein the script was executed and will stop once the user logs off.

    The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail (CVE-2011-1252). Microsoft has already taken action and has updated Hotmail to fix the said bug.

    We analyzed the embedded crafted code before the actual email message’s content and discovered that once Hotmail’s filtering mechanism works on the code, it ironically helps inject a character into the CSS parameters to convert the script into two separate lines for further rendering in the Web browser’s CSS engine. This allows the cybercriminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail login session.

    The malicious scripts and the URL related to this attack are all already being detected and blocked by the Trend Micro™ Smart Protection Network™ file and Web reputation technologies. Microsoft has already acknowledged the presence of the vulnerability and has released a security update to address the issue.

    As Microsoft’s senior response communications manager Bryan Nairn mentioned, this illustrates Microsoft and Trend Micro’s continuous effort and shared commitment to protect customers via coordinated vulnerability disclosure.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice