October is known for the Halloween season and just as we’ve noted last September, at least one malware would capitalize on the holidays to leverage its propagation. In fact, we’ve got quite a handful of threats that made themselves infamous last month. It’s not only people who get to wear disguises during Halloween; even maliciously crafted files do. Let’s start off this month’s roundup with the Trojan that supposedly spoke for the Dalai Lama…
This Trojan made itself known amidst monk-led protests and demonstrations in Burma and took advantage of that newsworthy event. It arrives as an attachment in spammed email messages, which claimed to be a message of support to the Burmese monks from the Dalai Lama. Once executed, TROJ_MDROPPER installs a backdoor by exploiting a vulnerability in MS Word. This Trojan’s social engineering tactic is reminiscent of WORM_NUWAR’s own tactic, which leverages on news events to facilitate its propagation.
This particular variant of Nuwar plays on the unsuspecting user’s penchant for cute little cuddly things. Similar to its brethren, it disguises itself as an eCard that can be downloaded from a web page where an image of a laughing kitten greets the user. Once executed on the user’s system, it propagates through email and installs a rootkit to hide its malicious activities.
This information-stealing spyware illicitly obtains eBay account information by disguising itself as an eBay Web page to trick users. When installed, the spyware acts as a Web server, hosting spoofed eBay Web pages. Not only that, it further hosts bogus replicas of external validation sites in an effort to spoof an entire eBay transaction, all for the goal of getting the user’s eBay account information.
CAPTCHA is a system for validating the presence of a human user behind a Web transaction, usually implemented as a form of input, wherein the user would have to enter a series of alphanumeric characters based on a distorted (but still readable by humans) image. It seems that someone with a lot of creativity and imagination has come up with a Trojan for defeating this system. How does it do this? When executed, TROJ_CAPTCHAR.A displays a CAPTCHA image and entices the user to identify the characters presented. For each entry, the user is treated to an image of a woman stripping herself. By doing this, the malware created an incentive for the user to correctly input the characters. What the user doesn’t know is that (s)he is possibly aiding future spammers and information stealers in the process.
It seems that the Storm worm (aka Nuwar) doesn’t want to be left behind the Halloween festivities. It’s expected that this malware would capitalize on Halloween and it just did. A “Dancing Skeleton” website lures unsuspecting users into downloading Halloween.exe, which is a variant of the Storm worm.
CISRT Web Site Compromised
The Web site of the Chinese Internet Security Response Team (CISRT) was compromised in early October. Inspection of the site’s HTML code revealed that an IFRAME tag was used to redirect the browser to another site with malicious content. The malicious Web site executes a script that downloads a Trojan onto the affected system. This incident is similar to what happened with the NEFCC last June.
Arizona Government Site Hacked
An Arizona government university website was hacked early last October. When the HTML code of the website is inspected, it reveals multiple links leading to a website where a codec could be downloaded. This codec turns out to be none other than a copy of TROJ_ZLOB.DZW.
Safari 3.0.03 Web Browser Flaw
A security flaw in the beta version of Safari was discovered last October and it’s likely to be exploited in the future for malicious purposes. The vulnerability allows a file referenced in an IFRAME tag to be automatically downloaded onto the system. What makes this dangerous is that no notifications are displayed by Safari when the file is about to be downloaded. In contrast, IE and Firefox prompt the user with a message that a file is about to be downloaded.
PDF File Links Exploit
A proof of concept exploit regarding Adobe Acrobat was recently disclosed. This exploit takes advantage of the vulnerability present on how Acrobat parses URIs (Uniform Resource Identifiers) or links within a PDF document. It turns out that this vulnerability, which is caused by a flaw in parameter passing to a particular API, can be employed by malware to automatically download malicious files.
An exploit for a RealPlayer vulnerability has been discovered. Working in tandem with IE, this exploit enables malware to be automatically downloaded onto the affected system. The exploit works by hosting a maliciously crafted RealPlayer ActiveX code in a Web site which the user is lured to visit. Visiting the Web site would trigger the ActiveX code and connect to another URL, possibly where a malware can be downloaded.
That’s it for now. As always, Nuwar is once again present in our roundup and it’s very likely that this malware would still be present by the time Thanksgiving rolls around.