Trend Micro has acquired samples of an exploit targeting the recent zero-day vulnerability affecting Windows XP and Server 2003. This is an elevation of privilege vulnerability, which may allow an attacker to gain privileges that would enable him to do various activities, including deleting or viewing data, installing programs, or creating accounts with administrative privileges.

We acquired this sample from a targeted attack. In this incident, a malicious PDF (detected as TROJ_PIDEF.GUD) exploits an Adobe vulnerability (CVE-2013-3346) referenced in APSB13-15, which was released in May of this year. This vulnerability is used in tandem with the Windows zero-day vulnerability  (CVE-2013-5065), resulting in a backdoor being dropped into the system. The backdoor, detected as BKDR_TAVDIG.GUD, performs several routines including downloading and executing files and posting system information to its command-and-control server.

This incident also serves as a reminder to users of the importance of shifting to the newer versions of Windows. Last April, Microsoft announced that they will discontinue its support of Windows XP by April 2014. For users, this may mean that they will no longer receive security updates provided by the software vendor. Those who are using Windows XP will be vulnerable to attacks using exploits targeting the OS version.

Users with systems running on later versions of Windows are not affected by this threat. Trend Micro protects users from this threat by detecting and deleting all related malware. We will provide further information about this vulnerability at a later time.

Update as of 9:00 AM, PST November 29, 2013

Trend Micro Deep Security protects users from threats exploiting the vulnerabilities cited in this entry via the following rules:

• 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065)
• 1005798 – Adobe Acrobat And Reader ToolButton Remote Code Execution Vulnerability (CVE-2013-3346)

Microsoft announced yesterday that an unpatched vulnerability was reportedly being exploited and used in targeted attacks in certain countries. The said exploit is designed to take advantage of a previously unknown vulnerability in Microsoft Office 2003, 2007 and 2010 and Windows XP and Server 2003.

The said vulnerability stems from how older versions of Office and Windows graphic components process TIFF images (CVE-2013-3906). A common way that this is being exploited is embedding a DOC file with a malicious TIFF file. Using clever social engineering tactics, an attacker can persuade users to open an email with a malicious attachment or visit a site hosting the exploit. Once done, an attacker gains the same user account privileges as the logged-in user. Fortunately, those user accounts configured with limited rights are not as affected.

There are two important points that need to be considered. First, this zero-day attack was initially seen in certain regions particularly the Middle East and South Asia. However, it’s only a matter of time before the attack reaches other countries. It is important for users and organizations to understand the basics of social engineering and how threat actors can incorporate this in their attacks. Organizations can always benefit from well-conceived employee social engineering training program, which includes “social” penetration testing. For more information on how companies can protect their infrastructure from targeted attacks, you may refer here.

Second, only older versions of the software are affected by this threat. This is not the first instance that older software versions were susceptible to such attacks, for example the Java 6 zero-day incident last August. Fortunately, in this case, patches will still be made available, but in the long run it is a potential risk. Users and system administrators should consider the security benefits of keeping their software up to date.

Microsoft has released a Fix-it Tool to temporarily address the issue. Trend Micro Deep Security also protects users from this threat via the following rules:

• 1005764 – Microsoft Graphics Component Remote Code Execution Vulnerability (CVE-2013-3906)
• 1005765 – Identified Microsoft Office File With Embedded TIFF File

We have blocked several websites related to this attack and obtained several samples of this exploit. We detect these as TROJ_ACTIFF.A and TROJ_ACTIFF.B. We are actively monitoring this threat and will update this post with further information as necessary.

Internet Explorer (IE), Office, Silverlight, .NET Framework are just some of the applications patched in this month’s Microsoft Patch Tuesday. Perhaps the most important vulnerability fixed this month was a zero-day vulnerability in Internet Explorer (CVE-2013-3893) which was exploited in certain targeted attacks.

Among the eight bulletins released October 2013 Patch Tuesday, four were rated Critical while the rest were Important. One of these four Critical bulletins covers the recent  Internet Explorer zero-day, which was used in attacks aimed at organizations in the Asia Pacific region and three other targeted attack campaigns.

This zero-day surfaced a week after last month’s Patch Tuesday and as an immediate solution, Microsoft released a “Fix It” workaround tool. This security bulletin offers a permanent solution to the said vulnerability as well as nine other privately disclosed bugs.

Trend Micro Deep Security and Intrusion Defense Firewall (IDF) have already been protecting customers from this threat via the following DPI rule:

• 1005689 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893)

The other bulletins tagged as Critical address vulnerabilities in Microsoft Windows and the .NET Framework. These may allow malicious actors to execute malware that may steal information or enable attackers to control the vulnerable system.

Though not as immediate in terms of priority, the remaining four Important bulletins offer solutions to serious vulnerabilities in Microsoft Office and Silverlight. If not addressed, malicious threat actors may use this to gain access to valuable information or to a certain extent, allow them to execute malicious files (given certain conditions).

Users are advised to apply these security updates as soon as possible, as well as visiting the Trend Micro Threat Encyclopedia page to know more about our Deep Security solution.

Note:

Some of the apps discussed in this blog entry were developed with an older adware SDK that did not contain opt-in provisions, particularly regarding the ability to collect information and display ads outside of the original app. The adware SDK has since been updated to this capability to comply with Google’s developer policies; apps that use this newer version are no longer considered high-risk.

More details about this change can be found in our December 2012 Monthly Mobile Review: The Hidden Risk Behind Mobile Ad Networks.

With three months to spare before the year ends, our prediction that mobile threats, specifically malware and high-risk apps reaching the 1 million mark has finally come true.

In our 2Q Security Roundup for the year, we noted that more than 700 thousand malicious and risky apps were found in the wild. This impressive number plus the continuous popularity of the platform among users lead us to predict that 2013 would be the year when Android malware reaches 1 million.

Figure 1. Growth in malicious/risky Android apps

Our Mobile App Reputation data indicates that there are now 1 million mobile malware (such as premium service abusers) and high-risk apps (apps that aggressively serve ads that lead to dubious sites). Among the 1 million questionable apps we found, 75% perform outright malicious routines, while 25% exhibits dubious routines, which include adware.

Premium Service Abusers, Adware Among Top Mobile Threats

Malware families such as FAKEINST (34%) and OPFAKE (30%) were the top mobile malware. FAKEINST malware are typically disguised as legitimate apps. They are also premium service abusers, which sends unauthorized text messages to certain numbers and register users to costly services. One high-profile incident involving FAKEINST is the fake Bad Piggies versions, which we found right after the game’s release.

Figure 2. Top Mobile Malware Family

The OPFAKE malware is similar to FAKEINST, particularly in mimicking legitimate apps. However, a variant (ANDROIDOS_OPFAKE.CTD) showed a different side of the malware, as it was found to open an .HTML file that asks users to download a possibly malicious file. Aside from sending messages to certain numbers and registering users to costly services, premium service abusers pose other risks to users. Our recent infographic shows the other dangers of installing this type of mobile malware.

On the high-risk apps front, ARPUSH and LEADBLT lead the pack, gathering 33% and 27% of the total number, respectively. Both are known adware and infostealers, collecting device-related data such as OS information, GPS location, IMEI etc.

Figure 3. Top High-risk Apps Family

The threat to mobile devices, however, is not limited rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions, with the likes of FAKEBANK and FAKETOKEN malware threatening users. Details about these malware can be found in our recent report A Look At Mobile Banking Threats.

To keep your devices safe, it is important to treat your devices like your PC counterparts specially when it comes to security. Be wary of downloading apps and make sure to read the comments section and developer details. Trend Micro protects users from mobile malware and high-risk apps via Trend Micro Mobile Security App. Our Mobile Threat Hub also provides helpful information about mobile threats  and security tips for your smartphones, tablets and other gadgets.

With analysis from Trend Micro Mobile Response Team

Microsoft Outlook, Internet Explorer are two of the four Critical bulletins (plus ten bulletins rated as Important) in today’s Microsoft Patch Tuesday. Particularly troublesome is the Outlook vulnerability, which is exploitable via preview pane. By not applying these updates, vulnerable systems are at risk of malware infection and unwanted data disclosure among others.

The four critical bulletins all pose serious risks to users and organizations. If not addressed, the vulnerability in Microsoft Outlook can lead to malware execution once users preview a maliciously crafted email message using Outlook. Applying this patch should be a priority, particularly for organizations who are under the constant threat of targeted attacks by way of spear-phishing.

For the past months or so, Microsoft has consistenly released Critical security bulletins for Internet Explorer. This month is no different, with security patches for ten privately vulnerabilities affecting several IE 6, including a privately reported IE 10 flaw on Windows 8 and RT. Similar to the Outlook vulnerability, an attacker can exploit this to execute a malware.

What is interesting is the inclusion of security patches for Windows XP, which Microsoft will stop supporting by April next year. For users and organizations still using the platform, it is important to start or at least seriously consider migrating to later versions of Windows to avoid threats similar to the Java 6 zero-day exploit seen two weeks ago, in which no consumer security updates are available for users as Oracle has already halted its support for that version.

Security updates for SharePoint, which resolved ten vulnerabilities in the software, rounds up the Critical issues for this month. Those bulletins rated Important include vulnerabilities in MS Office, Excel, FrontPage and Windows, that can lead to varied threats, including an attacker gaining administrative access and risk of information leak among others.

Users are advised to apply these security updates immediately. For IT administrators, applying certain security updates such as the SharePoint might be tricky, as these might need to be tested for any adverse impact on business operations. You may also visit our Trend Micro Threat Encyclopedia page to know more about how Deep Security solution.