Microsoft releases five security bulletins for June 2013, which is relatively light compared to previous ones. Despite this, users must update their systems immediately, to avoid possible web threats leveraging software vulnerabilities.

This roster of security fixes include updates for vulnerabilities found in Windows and Internet Explorer, which were rated Critical. This means that IT administrators and users should prioritize and apply the solutions immediately to avoid greatest risk. By exploiting these vulnerabilities, an attacker can execute a malware onto the vulnerable systems, which can lead to information theft and security compromise among others.

Other security bulletins for this month are rated Important, providing resolution to vulnerabilities in Windows and MS Office. If these fixes are not applied immediately, users systems can be vulnerable to threats such as unwanted data disclosure, malware execution, and denial-of-service (DoS) attack.

For its part, Adobe releases their fix for vulnerabilities found in certain Adobe Flash Player versions. Users are advised to apply this too, as a successful exploitation may lead to a vulnerable system being infected with a malware.

Some users may take this few bulletins lightly and delay updating their systems with these fixes. However, now is not the right time to be lax security-wise (there’s actually no ‘right’ time to be lax when it comes to security). Anonymous has recently announced their #OpPetrol cyber attack campaign, which is reportedly targeting oil companies in a dozen of countries (which include the United States, United Kingdom, Canada among others). Such attacks usually exploit vulnerabilities to penetrate their targets’ networks, usually to get more information which they can use to further harm their victims.

Every little vulnerability can be taken against you, thus it is important to guard your systems from attacks. Users are advised to implement these bulletins as soon as possible. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.

Update as of June 13, 12:16 PDT

Microsoft has noted an ongoing attack against specific targets that exploits CVE-2013-1331, which is one of the vulnerabilities resolved for this month. Trend Micro Deep Security already protects users from this threat via DPI rule 1005546 – Microsoft Office Buffer Overflow Vulnerability (CVE-2013-1331).

In our monitoring of the GAMARUE malware family, we found a variant that used the online code repository SourceForge to host malicious files. This finding is the latest development we’ve seen since the increase in infection counts observed last month.

SourceForge is a leading code repository for many open-source projects, which gives developers a free site that allows them to host and manage their projects online. It is currently home to more than 324,000 projects and serves more than 4 million downloads a day. Its popularity among programmers and users is the perfect venue to make these malware available to users.

GAMARUE malware poses a serious risk to users; attackers are able to gain complete control of a system and use it to launch attacks on other systems, as well as stealing information. Among the most common ways it reaches user systems are: infected removable drives, or the user has visited sites compromised with the Blackhole Exploit Kit.

This attack is made up of four files. The first is a shortcut, which appears to be a shortcut to an external drive.  (This is detected as LNK_GAMARUE.RMA.) Instead of a drive, however, it points to a .COM file (detected as TROJ_GAMARUE.LMG).

The .COM file runs another executable file, which has been disguised as a desktop.ini file. This third file (detected as TROJ_GAMARUE.RMA) decrypts the main GAMARUE file, which has been disguised as a thumbs.db file. The main GAMARUE file (detected at WORM_GAMARUE.LJG) is decrypted and saved in a folder under the Windows directory.

Figure 1. GAMARUE Infection Chain

Once the executable file is decrypted, it downloads updates to itself, as well as malicious files from a SourceForge project. In effect, it uses SourceForge to unwittingly host malicious files.

SourceForge User Serves More Gamarue Variants

The malicious files in the above example were hosted under the tradingfiles project. The same user created two more projects that were also used to host malicious GAMARUE files: ldjfdkladf and stanteam. New files were uploaded in these projects from June 1 onwards.

As we noted in our 2013 predictions, legitimate cloud providers are likely to come under attack this year. A site like SourceForge is a perfect target to be abused by cybercriminals.

Trend Micro protects users from this by detecting and deleting these GAMARUE variants. We’ve contacted SourceForge so these files can be removed from their servers as soon as possible.

With analysis from Threat Response Engineer Lenart Bermejo