Archives for June 2006

Windows Live Messenger Contact List Vulnerability

  • Posted: June 30, 2006
  • Author: Virus analyst

A vulnerability in Windows Live Messenger has been reported by
JAAScois. The vulnerability is exploited by loading a specially
crafted contact list (*.ctt) file which causes an overflow allowing
arbitrary code to be executed.

From an attacker's point of view, it is enough to send the specially
crafted .ctt file by e-mail and social-engineer the target user into
loading the contact list into Windows Live Messenger, which
compromises the target user's system.

More information can be found here.


What’s Up?

  • Posted: June 30, 2006
  • Author: Virus analyst

OK, there have not been many entries these past few days, so I want to share some updates.



  • There’s another variant of W97M_DLOADER, detected as W97M_DLOADER.BVS, which arrives as a .doc file attached to spammed email. It drops a Trojan downloader, which is detected as TROJ_DLOADER.BVS.


  • Mac OS X 10.4.7 Update

    This update fixes multiple vulnerabilities found in version 10.4.6 and below.

    AFP (CVE-2006-1468)
    – File and folder names may be disclosed to unauthorized users

    ClamAV (CVE-2006-1989)
    – When virus scanning is configured to update automatically, a malicious database mirror may cause arbitrary code execution

    ImageIO (CVE-2006-1469)
    – Viewing a maliciously crafted TIFF image may result in an application crash or arbitrary code execution

    launchd (CVE-2006-1471)
    – Local users may gain elevated privileges

    OpenLDAP (CVE-2006-1470)
    – Remote attackers may cause the Open Directory server to crash

    You can get the update from Apple’s support page.

    References:

    • http://www.apple.com/support/downloads/
    • http://docs.info.apple.com/article.html?artnum=303973
    • http://www.securityfocus.com/bid/18686/info


  • An IRC bot targeting the irc.shadowfire.org IRC server, to be detected as BKDR_IRCBOT.CR, was submitted to the Service team for further analysis and detection.


MS06-25 PoC

  • Posted: June 26, 2006
  • Author: Virus analyst

The Metasploit Framework has just released a PoC for the
MS06-25 vulnerability. The code is also posted on the Milw0rm.com website.

For more information on the vulnerability and its suggested
workarounds, please see the Microsoft site.


Malware Exploits Horde Vulnerability

  • Posted: June 23, 2006
  • Author: Virus analyst

We intercepted a malware sample being propagated by exploiting
the Horde Help Viewer Remote Code Execution Vulnerability. Note
that the malware executed through this vulnerability does not itself
contain the code that exploits Horde; it is probable that another
program performs the exploit. The malware is written in Perl.

Details about the packet:

File size: 540 bytes
Smallpot node: SP-EMEA01
Target port: 80

More on the Horde exploit at The Horde Project.

March 28th, 2006. The Horde Team has released a
critical security fix for the Horde Application Framework versions
3.0 and above. Version 2.x and earlier releases are not affected.
The fixed Horde versions 3.0.10 and 3.1.1 are available. We
strongly encourage every user to update to the new versions
immediately.

There are exploits in the wild for this
vulnerability. They can only exploit the user the webserver runs
as, but are still serious. Please upgrade now.

Don’t forget to patch if you have a vulnerable Horde version, and
keep your antivirus pattern files updated.


Update(JoneZ, 23 June 2006 09:43:14)

The malware sample will be detected as PERL_SHELLBOT.AV.


Update(JoneZ, 24 June 2006 09:24:28)

More details about the malware in Trend’s VINFO page.

It uses the Google search engine to search for servers with the
phpBB Remote URLDecode Input Validation vulnerability, using the
search string viewtopic.php:. Once it finds a server, it attempts to
upload and execute itself on the vulnerable system.

Users of vulnerable phpBB software should upgrade to the latest
release. You may download the latest version of phpBB here.


Bagle, Making A Comeback

  • Posted: June 22, 2006
  • Author: Virus analyst

The Bagle worm is currently making a comeback after being dormant for months.


It is reusing an old trick that Bagle worms became famous for: its email attachments are password protected, and the password is included in the e-mail as a GIF image.


This serves two purposes: one is to slip past network security, since a scanner at the gateway cannot open the encrypted archive, and the other is to social-engineer a potential victim into trusting the attachment because it is password protected.


Here is a sample email.



Please be more alert and security conscious. The worm can easily be spotted. Here are some indicators of the worm that should raise your level of alertness if seen.



  • The password is contained in a GIF file.
  • The password is a random number.
  • Email subjects and passwords are names like Wynefreed, Sidney and Mychaell.


YAEE

  • Posted: June 21, 2006
  • Author: Virus analyst

Or ‘Yet Another Excel Exploit’. A post was made yesterday to
Full-Disclosure on a(nother) 0-day for Excel. And yes, code
execution is possible. This time, a user needs to open the file and
click on a (specially crafted, a buzzword nowadays) link specified
inside the file to trigger the exploit. The same safety precautions
apply whenever a 0-day is out:

Do not open Microsoft Excel files that you
receive from un-trusted sources.


This vulnerability could be exploited when a user opens an Excel
file and clicks on a specially-crafted link inside the file. Excel
files from trusted sources or Excel files that are known to be
trusted can continue to be used.


*slightly modified Suggested Action from Microsoft.

Trendlabs is currently in the process of creating a generic
pattern for this exploit.


Another .NET Malware

  • Posted: June 21, 2006
  • Author: Virus analyst

Browsing some internet forums, my eyes caught an entry talking
about a malware running in the .NET Framework. Well, I got the
sample, tested whether it was malicious, and then submitted it to the
Service team for detection and further analysis. Trend will be
detecting this malware as WORM_NETSAD.A.

This malware will not work if your machine does not have the
.NET Framework installed (for my testing, I used .NET Framework
version 2.0). As an overview, this malware can propagate via
peer-to-peer shares by dropping a copy of itself in the shared
folders of popular peer-to-peer programs, and it can also propagate
via email. It may copy itself to the %system% directory (i.e.
“c:\windows\system32”) as notepad.exe, so that running notepad from
the “RUN” command executes the malware instead of the normal notepad
program. It also kills running processes related to antivirus and
firewall programs. The complete virus report will be posted soon on
the Trend Micro Virus Info page; stay tuned.

Internet surfing can be exciting but just be cautious and be
aware of the security threats it brings. Don’t just trust anything
you click. If you receive a file from an untrusted source, try to
have it scanned by your antivirus. Lastly, please keep your
antivirus pattern files updated regularly.


Bagle on the loose!

  • Posted: June 20, 2006
  • Author: Virus analyst

A new Bagle variant is on the loose. Trend Micro detects this
Bagle variant as WORM_BAGLE.FN. This worm sends out copies of
itself in a password-protected ZIP file. The password to decrypt
this worm can be found in the body of its email: a five-digit number
decrypts it. The filenames of these attachments are all sorts of
people’s names, from Anna to Grace to Martha and many more. The
attached ZIP file contains two files: a randomly named EXE file and
a randomly named DLL file that sits inside a folder with the same
name.

More updates will come your way as soon as there are any.


Update(Obet, 21 June 2006 03:36:15)

A sample email of the malware can be found below.
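The indicators in the two Bagle posts above (a password-protected ZIP attachment, the password delivered as a GIF image or as a five-digit number in the body, and an EXE plus a DLL inside a same-named folder in the archive) can be checked at the mail gateway without opening the encrypted archive, because ZIP entry names and flag bits are stored unencrypted. The following Python script is an added example, not code from the original posts or from Trend Micro; the file names, the password 48213 and the message it builds are constructed test data.

```python
import email, io, re, zipfile
from email.message import EmailMessage

def zip_indicators(data: bytes) -> dict:
    """List an archive's entries without extracting: names and flag bits are stored in the clear."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    names = [i.filename.lower() for i in infos]
    has_exe = any(n.endswith(".exe") and "/" not in n for n in names)
    # a DLL sitting inside a folder that carries the DLL's own base name
    dll_in_named_dir = any(
        n.endswith(".dll") and "/" in n and n.rsplit("/", 1)[0] == n.rsplit("/", 1)[1][:-4]
        for n in names)
    return {"encrypted": any(i.flag_bits & 0x1 for i in infos),  # bit 0 = PKZIP encryption
            "exe_plus_dll": has_exe and dll_in_named_dir}

def score_message(raw: bytes) -> list:
    """Return the Bagle-style indicators present in one RFC 822 message."""
    msg, hits, body = email.message_from_bytes(raw), [], ""
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body += payload.decode("utf-8", "replace")
        elif payload.startswith(b"GIF8"):
            hits.append("gif attachment")
        elif payload.startswith(b"PK\x03\x04"):
            z = zip_indicators(payload)
            hits += [k for k in ("encrypted", "exe_plus_dll") if z[k]]
    if re.search(r"\b\d{5}\b", body):
        hits.append("five-digit password in body")
    return hits

def build_sample() -> bytes:
    """Constructed test mail (not a real Bagle message) carrying every indicator above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("lqhmz.exe", b"MZ placeholder, not a real binary")
        zf.writestr("wgtpr/wgtpr.dll", b"MZ placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set flag bit 0 by hand in every
    # local header (flags at offset 6) and central-directory header (offset 8)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        for hit in re.finditer(re.escape(sig), bytes(data)):
            data[hit.start() + off] |= 0x01
    m = EmailMessage()
    m.set_content("The password for the archive is 48213")
    m.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image", subtype="gif", filename="pass.gif")
    m.add_attachment(bytes(data), maintype="application", subtype="zip", filename="anna.zip")
    return m.as_bytes()
```

A real gateway rule would treat any two of these hits as grounds to quarantine the message; a single hit (a GIF alone) is common in legitimate mail.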


New Vulnerability in Excel – Microsoft Security Advisory (921365)

  • Posted: June 20, 2006
  • Author: Virus analyst

Microsoft posted a security bulletin addressing the currently
unpatched Excel vulnerability, which was used in a targeted attack.
This vulnerability, which affects Excel 2000, 2003 and 2004 (for
Mac), can allow remote code execution, although its detailed
implementation may differ from one Excel version to another. An
attacker can exploit this vulnerability by sending a maliciously
crafted Excel file to an unsuspecting user. Security is compromised
when the user opens the Excel file.

At the moment, it is advisable for users not to open Excel
files coming from a suspicious or unknown source. Several
workarounds to counter this vulnerability have been provided in
this security advisory from Microsoft.

More information about this vulnerability can be found here.


  • http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
  • http://isc.sans.org/diary.php?storyid=1420


New virus from the newbies

  • Posted: June 20, 2006
  • Author: Virus analyst

A new group of malware authors called the doomriderz has emerged,
and they’ve just released their first virus. Well, I assume it is
their first, because it’s the only virus posted on their website.

The virus is written in C# and needs the .NET Framework in order
to run. Upon infection, the virus creates a screensaver that tells
the user that they have been infected with the virus. This
screensaver executes at startup; however, it does not terminate on
any mouse movement or keyboard input (talk about the ultimate
screensaver). As for the infection, I have yet to see it. It is
supposed to infect EXE files in the current directory, but it didn’t
work in my testing so far.

By the way, below is a screenshot of the screensaver I was talking
about. The text moves around the screen in a random manner.

Update(Obet, 19 June 2006 09:44:10)

The infection routine works, and it is verified to be a polymorphic virus. It infects executable files in the current directory. Trend Micro detects this virus as PE_IKOL.A-O; you can see more information regarding this virus here.
