For those of you who have read last month’s malware roundup, Fidel Castro is still alive. Thanks to some malware authors, a spammed email message spread in the early weeks of March, claiming that the old Cuban leader had already passed away. As expected, the link present in the spammed email led to a malicious Web site and resulted in the download of TROJ_AGENT.LAM.
A lot of Web sites also got compromised last March, most of them belonging to educational institutions. Moreover, we saw the usual handful of reported malware, some of which had significant impact, such as the ones behind the mass Web site compromises.
JS_DLOADER.TZE, TROJ_AGENT.KAQ, TROJ_AGENT.TM
These three were responsible for a mass compromise of certain Web sites. Sometime during March 12, malicious scripts were inserted into certain legitimate Web sites. The malicious script was responsible for downloading JS_DLOADER.TZE, which in turn downloaded TROJ_AGENT.KAQ and TROJ_AGENT.TM. The attack took advantage of a vulnerability in RealPlayer. The purpose of the attack was to obtain online gaming information, since several variants of notorious online game stealers were found at the end of the download chain.
Early last March, a malware targeting Windows Mobile PocketPC was reported. Detected as WINCE_INFOJACK.A, this worm specifically runs in the Windows Mobile environment, leaves the mobile phone open to other malware and installs unsigned applications without the user’s consent. It also steals information such as the device’s IMEI or serial number, OS version, model, platform and host name, among others, and sends it back to the malware author(s). Aside from this, WINCE_INFOJACK.A also changes the security settings of the phone.
Exploits and Vulnerabilities
Towards the end of March, targeted attacks involving an unpatched security flaw in Microsoft’s Jet Database Engine were reported. The vulnerability is exploited through a specially crafted Microsoft Word document, detected by Trend Micro as TROJ_EMBED.AA. Once the document is opened, the Word file launches a Microsoft Database (MDB) file, detected as TROJ_MSJET.C, which serves as a mail-merge file. At this point the vulnerability is exploited, allowing the Word document to drop a malicious .EXE file on the affected system.
Trojanized Excel Files
Early last March, there were reports of Trojanized MS-Excel files being sent as email attachments. This was an attempt to compromise computers that had not yet received a security patch for a still unpatched Microsoft Excel vulnerability, reported under CVE-2008-0081. The Trojanized Excel files are known to be capable of dropping and executing Windows binary executables on target machines.
CA Software Vulnerability
A zero-day exploit has been discovered, this time targeting an unpatched ActiveX vulnerability in the CA BrightStor ARCserve Backup product. Reportedly, this exploit code can be used to launch code execution attacks on notebook and desktop computers in businesses. The author has posted the exploit code for this vulnerability online. This discovery goes to show that even security products can be compromised, and ever more vigilance is needed across all users.
For March, more than 10 Web threat incidents were reported. Almost all of the reported incidents involved legitimate Web sites that had been compromised to distribute malware. With respect to Web site category, 28% of the reported incidents were related to education Web sites.
That’s all for today. Yesterday we received some spammed email messages regarding April Fool’s Day. A simple prank or something sinister? More on this in next month’s malware roundup.