Trend Micro has been documenting a number of threats that employ old-school methods since September 2007, and the trend clearly suggests that malware authors are looking up old tricks and exploiting old but still unpatched flaws to their advantage.
Take for example the exploit for the Zenturi ProgramChecker vulnerability. Dating back to May 2007, as reported by Exploit Prevention Labs’ Roger Thompson in his blog, the exploit is a buffer overflow that can be triggered using a specially crafted HTML document to enable a remote attacker to execute arbitrary code on vulnerable systems. Despite having been discovered almost a year ago, the flaw has not yet received a patch. More information and a workaround can be found in this advisory from US-CERT.
Trend Micro Security Researcher Joey Costoya reports that the exploit is available on the Web through an updated version of the exploit toolkit Neosploit. It is currently being sold by its author, who goes by the alias grabarz, for $1,500, as seen in this post in an underground forum:
“Neosploit is the exploit toolkit. Think of it as a delivery platform: the downloaded files are the payload, the delivered goods. The downloaded files are therefore decided by whoever sets up the exploit toolkit,” Costoya explains.
Investigations have revealed that the following sites in China are housing the exploit:
Trend Micro detects the files downloaded from these sites as the following:
- count.php-1 (13,242 Bytes) – JS_AGENT.IGF
- 1.exe-1 (28,672 Bytes) – TROJ_BUZUS.BD
- getexe.exe-2 (48,640 Bytes) – TROJ_AGENT.MUZ
- get.exe-1 (48,653 Bytes) – copy of getexe.exe-2 with code errors
The aforementioned Web sites are now blocked by Trend Micro’s URL Filtering Service.
Although users’ negligence in updating their systems is usually blamed in situations like this, it is also important to point out the developers’ responsibility for making patches available in a timely manner. Many attacks in the past have been made possible by old, known vulnerabilities that were left unpatched.