Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    October 2013
    S M T W T F S
    « Sep   Nov »
  • Email Subscription

  • About Us

    Archive for October 8th, 2013

    Patch-Tuesday_grayInternet Explorer (IE), Office, Silverlight, .NET Framework are just some of the applications patched in this month’s Microsoft Patch Tuesday. Perhaps the most important vulnerability fixed this month was a zero-day vulnerability in Internet Explorer (CVE-2013-3893) which was exploited in certain targeted attacks.

    Among the eight bulletins released October 2013 Patch Tuesday, four were rated Critical while the rest were Important. One of these four Critical bulletins covers the recent  Internet Explorer zero-day, which was used in attacks aimed at organizations in the Asia Pacific region and three other targeted attack campaigns.

    This zero-day surfaced a week after last month’s Patch Tuesday and as an immediate solution, Microsoft released a “Fix It” workaround tool. This security bulletin offers a permanent solution to the said vulnerability as well as nine other privately disclosed bugs.

    Trend Micro Deep Security and Intrusion Defense Firewall (IDF) have already been protecting customers from this threat via the following DPI rule:

    • 1005689 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893)

    The other bulletins tagged as Critical address vulnerabilities in Microsoft Windows and the .NET Framework. These may allow malicious actors to execute malware that may steal information or enable attackers to control the vulnerable system.

    Though not as immediate in terms of priority, the remaining four Important bulletins offer solutions to serious vulnerabilities in Microsoft Office and Silverlight. If not addressed, malicious threat actors may use this to gain access to valuable information or to a certain extent, allow them to execute malicious files (given certain conditions).

    Users are advised to apply these security updates as soon as possible, as well as visiting the Trend Micro Threat Encyclopedia page to know more about our Deep Security solution.

    Posted in Vulnerabilities | Comments Off on October Patch Tuesday Addresses IE Zero-Day Exploit

    Just a month after the G20 Summit in Russia, threat actors have found another high-profile political event to leverage their schemes. The APEC 2013 Summit – an annual meeting of 21 Pacific Rim countries – in Indonesia can be the perfect lure for their spoofed emails.

    The threat arrives as an email purportedly from “Media APEC Summit 2013” containing two attached Excel files. The sender, message and the recipients of the email lead us to believe that this threat is aimed at individuals who would be interested in the summit (both attendees and non-attendees).

    Figure 1. Screenshot of spoofed APEC email

    As mentioned, the email contains two attachments. Both are disguised as “APEC media list”, however only one of them (APEC Media List 2013 Part 1) was found malicious. The other, non-malicious file serves as a decoy document. Based on our analysis, the malware exploits an old Microsoft Office vulnerability (CVE-2012-0158), an old vulnerability that was also exploited in other targeted attacks, such as the “Safe” campaign.

    This malware then triggers a series of multiple malware dropping and connects to various command-and-control (C&C) servers. The exploit drops and executes the file dw20.t. The said file is a dropper, which drops another file in C:\Program Files\Internet Explorer\netidt.dll.

    This dropped file also communicates to specific C&C servers and sends/receives encrypted data containing system information and infection status. This allows netidt.dll to download the executable _dwr6093.exe. This malware is another dropper that drops and executes downlink.dll. This final dropper leads to the final payload (netui.dll and detected as BKDR_SEDNIT.SM) and responsible for its automatic execution (by creating autostart registry entries).

    BKDR_SEDNIT.SM steals information via logging keystrokes and executes commands from its C&C servers. The malicious actors behind this threat can then use the malware to gather and exfiltrate important data, leading to serious repercussions to the targeted parties.

    Trend Micro detects and deletes the malware cited here as BKDR_SEDNIT.AE, while Deep Discovery detects the malicious network communication of the malware. Users are also protected from the exploits targeting CVE-2012-0158 via Deep Security Rule 1004978 – MSCOMCTL.OCX RCE Vulnerability For Office Binary File (CVE-2012-0158). Furthermore, organizations can benefit from a good social engineering training among its members.

    News events like these are favored social engineering lures in targeted attacks, which are never easy to defend against. The losses of organizations due to data exfiltration can be significant.

    With additional analysis from Lenart Bermejo.

    Update as of Oct. 10, 2013

    The SHA1 hashes of the related samples are:

    • ac6b465a13370f87cf57929b7cfd1e45c3694585
    • 3814eec8c45fc4313a9c7f65ce882a7899cf0405
    • 2e5b2228f427001e250e2cc36339c7b2c12ffe42
    • e8b3aae37ef0ebbac71a5d40637374aeebdc4a6e
    • ade25a15b8cfa4586a8b4df3601c90bcf2e57032


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice