December is a festive month, so it is no surprise that much of the malware that surfaced last month wanted to be part of the holiday action. As expected, most of it leveraged the season to gain attention and improve its odds of distribution.
New Year Storm malware
The Storm worm wasted no time taking advantage of the New Year celebrations. Shortly before the new year, many users received spammed Storm emails containing a simple greeting and a link to a spoofed greeting-card site where an e-card supposedly awaits them. To view the card, the user is told to install a "player" for it, which is in fact a variant of the Storm malware.
Christmas PowerPoint Trojan
This Christmas Trojan is spammed by email as a PowerPoint slideshow with the filename Merry Christmas.pps. When the file is opened, it exploits a Microsoft Office vulnerability to extract and execute Merry Christmas.exe, detected as BKDR_AGENT.ADGS. The backdoor harvests email account credentials and other login information and sends them to a specific email address.
Blood pressure guide backdoor
It seems there is a matching piece of malware for every Christmas activity: shopping, traveling, exchanging gifts, and so on. This backdoor is distributed through a website offering a guide to lowering blood pressure, targeting health-conscious people who overindulge during the festivities. Once running, the backdoor connects to a remote server and listens for commands from a remote malicious user, who can then take control of the affected system.
Bhutto-Assassination Related Web Threats
The former prime minister of Pakistan, Benazir Bhutto, was assassinated during the last week of December. Several malicious websites quickly turned up in Google search results, using the incident as a lure for malware distribution. The sites that appear in the results carry an embedded script, JS_AGENT.AEVE, a downloader that installs a TROJ_SMALL variant on the affected system.
More ZLOB fake codecs
They are still the same ZLOB Trojans, trying to get past the ordinary user by posing as a legitimate video codec. The difference this time is that they use poisoned search results to reach the user faster than usual, and the poisoned results are tailored to holiday-specific activities, mostly traveling, shopping and gift giving. In addition, the fake codecs are hosted on blog sites rather than on the usual spoofed codec download sites.
RealPlayer vulnerability
A new vulnerability has been uncovered in RealPlayer that allows malicious files to be downloaded onto the system. It is a stack-based buffer overflow, triggered when a user with RealPlayer installed visits a website hosting the exploit code. The downloaded file is saved in the Windows system folder and is detected by Trend Micro as a variant of PE_MUMAWOW.
Google toolbar as malware vector
Last December a researcher released proof-of-concept code showing that the Google Toolbar can be used as a malware distribution vector. Because Google encourages third parties to build web tools on its well-documented APIs, its search platform can become a launching pad for malware attacks and distribution, and that is what this newly disclosed flaw enables. The proof of concept uses a specially crafted link that points to a custom button's XML file. Clicking the link displays a dialog box summarizing the details of the button to be installed, but those details can be spoofed, so instead of installing a toolbar button the system downloads malware.
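To make the spoofing concrete, here is an added Python example; it is not from the original article and not the researcher's proof-of-concept code. It parses a constructed custom-button XML file (element names are assumed from Google's public Toolbar custom-button schema; the hosts are hypothetical) and compares what the install dialog would display, the title and description, against the URLs the button would actually contact, flagging any target hosted somewhere other than the XML's own host and any target that is an executable rather than a web page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of Google Toolbar custom-button XML. Assumed from the public
# Toolbar custom-button documentation; the article itself gives no schema.
NS = {"cb": "http://toolbar.google.com/custombuttons/"}

# Constructed sample (hypothetical hosts): the displayed title/description
# and <site> name a bank, but <url> and <update> live on an unrelated host
# and <url> points straight at an executable.
SAMPLE_BUTTON_XML = """<custombuttons xmlns="http://toolbar.google.com/custombuttons/">
  <button>
    <site>http://www.example-bank.test/</site>
    <title>Example Bank Quick Login</title>
    <description>Official Example Bank toolbar button</description>
    <url>http://cdn.attacker.test/downloads/player_setup.exe</url>
    <update>http://cdn.attacker.test/buttons/bank.xml</update>
  </button>
</custombuttons>
"""

# File extensions that should never be a button's click target.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".com", ".pif")


def displayed_details(xml_text):
    """Return the text the install dialog shows: title and description."""
    root = ET.fromstring(xml_text)
    button = root.find("cb:button", NS)
    details = {}
    for tag in ("title", "description"):
        el = button.find(f"cb:{tag}", NS)
        details[tag] = el.text.strip() if el is not None and el.text else ""
    return details


def button_targets(xml_text):
    """Return the URLs the button will actually contact, keyed by element."""
    root = ET.fromstring(xml_text)
    targets = {}
    for button in root.findall("cb:button", NS):
        for tag in ("site", "url", "update", "icon"):
            el = button.find(f"cb:{tag}", NS)
            if el is not None and el.text:
                targets[tag] = el.text.strip()
    return targets


def button_mismatches(xml_text, xml_host):
    """Flag targets that leave the host the XML came from, and targets
    that are executables. Returns a list of (element, reason) tuples."""
    findings = []
    for tag, target in button_targets(xml_text).items():
        parsed = urlparse(target)
        host = parsed.hostname or ""
        if host != xml_host:
            findings.append((tag, f"points to {host}, XML served from {xml_host}"))
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append((tag, f"target is an executable: {target}"))
    return findings


if __name__ == "__main__":
    # The XML is assumed to have been fetched from the bank's own host.
    print("Dialog would show:", displayed_details(SAMPLE_BUTTON_XML))
    for element, reason in button_mismatches(SAMPLE_BUTTON_XML, "www.example-bank.test"):
        print(f"<{element}> {reason}")
```

The point of the check is that the dialog text is attacker-controlled metadata, so it cannot be used as the trust decision; only the resolved targets and their hosts can. Any mismatch between the XML's origin and a target's origin, or a target that is a binary rather than a page, is the condition a toolbar (or a proxy inspecting button installs) would need to refuse.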
New Ichitaro exploit
Another exploit for Ichitaro has turned up. Ichitaro is a well-known Japanese word processor and, like other word processors, has had its share of vulnerabilities and exploits. This exploit installs malware when a malicious JTD file is opened with the application. Initial analysis shows the affected platform to be the Japanese version of Windows XP SP2 with Ichitaro 2006.
HP Laptop software vulnerability
Most HP laptops ship with system software that gives access to system information and hardware configuration. A newly uncovered security flaw in that software can be used to achieve remote code execution and to manipulate the registry.