
Windows Vista ASLR

  • Posted on: June 7, 2006
  • Author: Virus analyst

You may have heard of ASLR if you have frequented websites heralding Microsoft’s newest OS, Windows Vista. ASLR stands for Address Space Layout Randomization, a new security mechanism built into the OS. As its name implies, ASLR loads the code that runs the system into different memory locations rather than at the same fixed addresses every time.

How does this make things more secure? Most exploits call system functions in order to operate. In current OS architectures (Windows-based ones, at least) these system functions are loaded at fixed memory locations. “Fixed” means “predictable”, and “predictable” means easily compromised. Since ASLR loads the system functions at different memory locations, it becomes more difficult for a particular exploit to locate and call them.


So is this the end of exploits? Not quite.


ASLR makes things more difficult for an exploit, but not impossible. A proof of concept has yet to appear that defeats the new security measures introduced in Windows Vista.


By the way, there are other security mechanisms aside from ASLR built into Windows Vista’s architecture, but I’ll discuss those in another blog post.
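To see the property the post describes, here is an added example (not from the post or from Trend Micro) that launches several fresh processes and records where the C runtime’s malloc is loaded in each one; under ASLR the addresses differ from run to run, whereas a fixed layout returns the same address every time. It goes beyond the post by working on any OS Python runs on, not only Windows, and assumes nothing beyond the interpreter and its C runtime.

```python
# Added example (not from the original post): check whether the OS randomizes
# where a C runtime function lands across process launches, which is the
# property Vista's ASLR introduces for system code. Runs on any OS Python
# supports, so it generalizes the post's Windows-only description.
import subprocess
import sys

# Snippet run in each fresh child process: resolve the C runtime's malloc and
# print its address. On Windows the CRT is msvcrt; elsewhere it is libc.
CHILD_SCRIPT = r"""
import ctypes, ctypes.util, sys
if sys.platform == "win32":
    lib = ctypes.cdll.msvcrt
else:
    lib = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6")
print(ctypes.cast(lib.malloc, ctypes.c_void_p).value)
"""


def sample_addresses(runs=5):
    """Launch `runs` child interpreters and collect malloc's address from each.

    Each child is a brand-new process, so each gets its own address-space
    layout; that is what makes the comparison meaningful."""
    addrs = []
    for _ in range(runs):
        result = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            capture_output=True, text=True, check=True,
        )
        addrs.append(int(result.stdout.strip()))
    return addrs


def is_randomized(addrs):
    """True if the same function was found at more than one address, i.e. the
    layout is not fixed and an exploit could not hard-code the address."""
    return len(set(addrs)) > 1


if __name__ == "__main__":
    samples = sample_addresses()
    for a in samples:
        print(f"malloc at {a:#x}")
    print("ASLR appears", "active" if is_randomized(samples) else "inactive")
```

On Linux the outcome tracks /proc/sys/kernel/randomize_va_space: with it set to 0 every child reports the same address, which is exactly the “fixed means predictable” situation the post warns about.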


Nasty doc file being spammed in Russia.

  • Posted on: June 7, 2006
  • Author: Virus analyst

We recently received reports of a .doc file containing a very nasty macro that is being spammed in Russia.

Once opened, the doc file installs another trojan. This trojan is a downloader, which then downloads and installs ransomware. We are currently looking into this and the appropriate solution is being prepared.

Rest assured that Trend Micro is doing everything possible to speed up the process for our Russian friends, as usual.

I will update you on any developments regarding this matter.



Update (Obet, 07 June 2006 18:01:35)


Once downloaded and executed, the ransomware encrypts files with certain extensions, rendering them unreadable. It then drops the file readme.txt in the folder of the hijacked files as its ransom note. The note reads:

Some files are coded by RSA method.
To buy decoder mail: dfk82356@mail.ru
with subject: REPLY


Trend Micro detects the .doc file that arrives with the spammed email as W2KM_TORED.A; the other trojan dropped by the doc file is detected as TROJ_SMALL.AIT, and the ransomware downloaded by that trojan is detected as TROJ_PGPCODER.D.

The aforementioned malware is detected using Control Pattern 3.484.02. To be protected from it, update your Trend products to the said pattern file version now, especially if you are among our Russian friends who are targeted by this attack.



More Rechnung on the go…

  • Posted on: June 2, 2006
  • Author: Virus analyst

We are seeing another round of Rechnung spam; the messages may carry the subject “Re-Nr.20700011470” in their email details.


The MD5 of the attached file is “c8c53b6a45ccf82c2f140a5b351904c7”.

The file has been submitted to our service team for a corresponding solution. We will update you on the detection name for this malware, and more details will be posted as soon as there are further developments.


Update (Obet, 02 June 2006 18:58:08)


The detection for the mentioned malware is TSPY_AGENT.CFV.



Update for FireFox and Thunderbird now available

  • Posted on: June 2, 2006
  • Author: Virus analyst

Mozilla has released an update for both Firefox and Thunderbird. Version 1.5.0.4 is now available; according to the release notes, the lists below are the known vulnerabilities it fixes.

For Firefox

  • MFSA 2006-43 Privilege escalation using addSelectionListener
  • MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
  • MFSA 2006-41 File stealing by changing input type (variant)
  • MFSA 2006-39 “View Image” local resource linking (Windows)
  • MFSA 2006-38 Buffer overflow in crypto.signText()
  • MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
  • MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
  • MFSA 2006-35 Privilege escalation through XUL persist
  • MFSA 2006-34 XSS viewing javascript: frames or images from context menu
  • MFSA 2006-33 HTTP response smuggling
  • MFSA 2006-32 Fixes for crashes with potential memory corruption
  • MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

For Thunderbird

  • MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
  • MFSA 2006-40 Double-free on malformed VCard
  • MFSA 2006-38 Buffer overflow in crypto.signText()
  • MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
  • MFSA 2006-35 Privilege escalation through XUL persist
  • MFSA 2006-33 HTTP response smuggling
  • MFSA 2006-32 Fixes for crashes with potential memory corruption
  • MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

So update your Firefox and Thunderbird installations now…



It’s another one of ‘em…

  • Posted on: June 1, 2006
  • Author: Virus analyst

We’ve just received a strange email (supposedly coming from
Microsoft) claiming that a new worm is spreading around and further
instructing the user to install the “patch” that came attached with
the email.

Sounds suspicious?

Of course it is… Clearly this is another social engineering attempt by a malware author. This isn’t the first time it has happened, though. A few years back, another malware by the name of WORM_KLEZ did the same thing, disguising itself as a “removal tool” for the worm, while the email to which it was attached carried almost the same message as this one. The only difference is that this email message came with the familiar white-lettering-on-blue-background Microsoft logo, obviously a means of lending credibility to the message.

Just some points on why the email can’t be genuine:

ONE: It references an old malware that is spreading
(Beagle.Worm.D)

TWO: It “pleads” not to take this advisory as a joke (which is
quite unprofessional for a company such as Microsoft)

THREE: It threatens the user in such a way that (s)he will be
liable for a lawsuit if the patch is not installed.

Whatever the technique used, the objective is still the same:
trick the user into opening/executing the attachment.

Again (I think we’ve mentioned it before somewhere, as well as
being mentioned in LOTS of other sites), Microsoft does not send
updates via email.

**By the way, the attachment does not properly execute (yep, damaged) and, based on an initial analysis, it is *supposed* to drop various other files but fails to do so. Which is a good thing.**


Ebay-Rechnung Making Rounds

  • Posted on: June 1, 2006
  • Author: Virus analyst

We are receiving copies of an email that claims to be a legitimate mail from eBay. The content of the email (in German) talks about calculations of payments to eBay. It tells the user to check the calculation of their eBay payments in the attached file, which is claimed to be a PDF but is actually an executable. The executable file is to be detected as TROJ_YABE.K.

Below is a preview of the spammed email.


And of course some translations with the aid of Babelfish. =)

Good day,

here a summary of the account activities is since your last
calculation

In the settled pdf file you find the exact listing of their
calculation

Payment method

They are announced for the lastschriftverfahren. The invoice amount
is deducted within the next five to seven days by your bank
account. (the amount of deduction can deviate from your invoice
amount, if you made payments in the period between the account
creation and the deduction date or received credit notes.)

Reference

Default fees: If your eBay account is overdue results a default
fee. In order to experience details to this topic, you go please to
calculations and payments.

(http://pages.ebay.de/help/account/payfees.html)


More about eBay fees

(http://pages.ebay.de/help/sell/fees.html)


Reports

Note: eBay never asks by E-Mail for confidential or personal data
(e.g. password, credit card, account number).


Helpful one link

For the answer of your questions to your eBay account you use
please the following link:

http://pages.ebay.de/help/account/selling-account-overview.html

In order to update your member data, you use please the following
link:

http://cgi4.ebay.de/aw-cgi/eBayISAPI.dll?ChangeRegistrationShow


In order to contact eBay, you use please the following link:

http://pages.ebay.de/help/contact_inline/index.html


Yours sincerely

eBay internationally AG


Additional reports

the achievements specified above exclusively refer to your
registration under www.ebay.de.

Users are advised not to open and execute attachments from unsolicited emails. Network administrators may also want to block emails like the one shown above to prevent their users from receiving a copy, and thus lessen the chance that the malware is executed. Lastly, keep your pattern files updated for protection from new malware threats.


  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.