
Out-of-Band Patch Today! – MS06-055

  • Posted: September 27, 2006
  • Author: Virus Analyst

Microsoft will be releasing an out-of-band patch in response to the rising number of incidents involving the VML vulnerability (MS06-055). Microsoft has dubbed it Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486). They rated this vulnerability as Critical, the highest severity rating given to a vulnerability, because it is easily reproduced and can result in Remote Code Execution (RCE).


Moreover, Microsoft will also re-release Microsoft Security Bulletin MS06-049 (Vulnerability in Windows Kernel Could Result in Elevation of Privilege) to fix the problem that arises when the previous release of the MS06-049 patch is applied to systems using NTFS file system compression.


Microsoft has announced that the update will be available on September 26, 2006 at around 10:00am PST. So you had better get ready to patch your systems!


MS06-055 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)


online game + online trade = Trojan Spy

  • Posted: September 26, 2006
  • Author: Virus Analyst

For the past few weeks TMIRT has been conducting an investigation of sorts into how TSPY_LINEAGE and TSPY_WOW arrive on users’ systems. Sure, they are Trojan spyware with no capability to replicate, but then why are there so many infection reports?


Since they are Trojan spyware designed to steal user accounts for the online games Lineage and World of Warcraft (WoW), it is only logical that they target those who actually play the games. So, for more than a week, we scoured the Internet searching for hacks, key generators and cheats for both online games. But alas, our search did not yield a single malicious file.


Then, just this morning, I bumped into an old article by the Honeyclient Project reporting several compromised World of Warcraft accounts. The compromised accounts were caused by a Trojan spyware (most probably TSPY_WOW) that was installed on a gamer’s machine when he visited an ad on Allakhazam, a site where World of Warcraft players trade, sell, or auction virtual items that can be used in the online game.


As a previous blog entry reports, compromised accounts can be used by the malware author to steal virtual items and then sell them on sites like Allakhazam.


So there, now we have a clearer idea of how company networks become infected. An employee uses company resources to play online games, browses items that can boost the skill level of his character in the game, gets infected by a Trojan spyware and its accomplice (ever heard of PE_LOOKED?), and the infection then spreads across the company network.


Moral of the story?


  1. Do not allow online games
  2. Block ports used by online games
  3. Block sites related to these online games
  4. Educate your users


Simple enough isn’t it?


Worm Station Bomb Part II

  • Posted: September 26, 2006
  • Author: Virus Analyst

Today, our email honeypots are receiving emails carrying WORM_STRATION malware. Unlike the other day, when we received 10 different MD5 hashes, we now have 25 different MD5 hashes.

Here is a look at some of the emails sent by the worm, with the binary file as a ZIP file attachment.

As for the MD5 hashes, here’s the list (for system admins):

  • 0675f71a67dd8dd3716e484855ee2627
  • 1d4583ba2c3ebdc6c027cb49db92158c
  • 261cec1464be928427ec14b121ea5665
  • 299f76fdbf585e5f17941074498349c8
  • 37753fdb5de5414a73caa1cc1a36876e
  • 3d08becc3329cf3b5d9e10369fc8958d
  • 750f38d4e38a6d60051306b8a25fb52d
  • 767ac4882e799f5464cb18552c95d257
  • 76a347170e155630a059522e424873ed
  • 7b5e061f4ad607cf00c10d92b538c4a2
  • 89ec4062507593e1e287966fb1acd734
  • 9ee6203674f4d770240ae3dc31d90358
  • b044c6051d0f7da8aee9e1f9a1f425ab
  • b06155140861e86c97bf9cb1abed44c1
  • b06155140861e86c97bf9cb1abed44c1
  • babf9bdc89ed24522188976ce66be3e1
  • cc6a14bcef5ac3227e50ba29f11c6c27
  • cf1cf557f045400d4532bd72b3bd6020
  • d6e211e97d7799b1792a3cdfbbed78da
  • d77bb7178999486d505a8114a12573a3
  • d77bb7178999486d505a8114a12573a3
  • f973acf2896214400bbcfd5064a8fca8
  • fe3a0d18413d9a3a9cfea9fa99264823
  • 6938575d2dba7c7f3dbdff97e1cd0617
  • 7108695e31b1e029c70392954a197e33

Again, all of these samples are detected by IntelliTrap technology as PAK_GENERIC.001. These samples will be included in the detection for WORM_STRATION in the upcoming Official Pattern Release.
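For admins who want to act on the list above, here is an added example (not part of the original post) that sweeps a directory tree for files whose MD5 matches one of these hashes, using PowerShell’s Get-FileHash (Windows PowerShell 5.1 or later). The two hashes that appear twice in the list are included once; the path swept is whatever you pass in, the current user’s temp folder below being only a sample call.

```powershell
# Added example, not part of the original post: sweep a directory tree for files whose MD5
# matches one of the WORM_STRATION sample hashes published in the post (duplicates removed).
$StrationMd5 = @(
    '0675f71a67dd8dd3716e484855ee2627', '1d4583ba2c3ebdc6c027cb49db92158c',
    '261cec1464be928427ec14b121ea5665', '299f76fdbf585e5f17941074498349c8',
    '37753fdb5de5414a73caa1cc1a36876e', '3d08becc3329cf3b5d9e10369fc8958d',
    '750f38d4e38a6d60051306b8a25fb52d', '767ac4882e799f5464cb18552c95d257',
    '76a347170e155630a059522e424873ed', '7b5e061f4ad607cf00c10d92b538c4a2',
    '89ec4062507593e1e287966fb1acd734', '9ee6203674f4d770240ae3dc31d90358',
    'b044c6051d0f7da8aee9e1f9a1f425ab', 'b06155140861e86c97bf9cb1abed44c1',
    'babf9bdc89ed24522188976ce66be3e1', 'cc6a14bcef5ac3227e50ba29f11c6c27',
    'cf1cf557f045400d4532bd72b3bd6020', 'd6e211e97d7799b1792a3cdfbbed78da',
    'd77bb7178999486d505a8114a12573a3', 'f973acf2896214400bbcfd5064a8fca8',
    'fe3a0d18413d9a3a9cfea9fa99264823', '6938575d2dba7c7f3dbdff97e1cd0617',
    '7108695e31b1e029c70392954a197e33'
)

# Case-insensitive lookup: Get-FileHash returns upper-case hex, the published list is lower-case.
$Lookup = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($h in $StrationMd5) { [void]$Lookup.Add($h) }

function Find-StrationSamples {
    param(
        [Parameter(Mandatory)][string]$Path,
        # The worm arrives as a small ZIP attachment; skipping large files keeps the sweep fast.
        [long]$MaxBytes = 10MB
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxBytes } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($hash -and $Lookup.Contains($hash.Hash)) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    MD5       = $hash.Hash.ToLowerInvariant()
                    Bytes     = $_.Length
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

# Sample call: sweep the current user's temp folder (mail clients often unpack attachments there).
Find-StrationSamples -Path $env:TEMP | Format-Table -AutoSize
```

Point it at mail spool directories, attachment caches or file shares as needed; an empty table means no file under that path matched any of the published hashes.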


Fake yahoo eCard employs VML exploit

  • Posted: September 26, 2006
  • Author: Virus Analyst

There have been several VML exploits found in the wild these past few weeks, so I guess most of you are wondering what makes this one different.

Well, to begin with, it tries to lure users to sites containing the exploit code by claiming that they’ve received a Yahoo! eCard. Once the user visits the site, it downloads and installs several executable files, one of which is already detected by Trend Micro Inc. as TROJ_BZUB.AW. The other files have already been submitted to the service team for processing. Hang on for updates on this.

In the meantime, you may read up on previous articles we’ve written regarding this exploit for tips, workarounds and other useful information about this vulnerability.

  • New IE Zero Day Seen in the wild
  • IE Zero Day + Web Attacker Kit
  • Update on VML Exploit – IE 0-day
  • Web-Attacker + IE 0-Day Stats!

Update (Sheryll Tiauzon, Tue, 26 Sep 2006 07:00:22 AM)

We’ve just received an update from the service team: the files will be detected as HTML_VMLFILL.C and BKDR_SMALL.DYZ.


Kylie is Dead (Trojan Says)

  • Posted: September 25, 2006
  • Author: Virus Analyst

We received a new sample of a Trojan downloader attached to a spammed email. The spammed email used the pop star Kylie Minogue for its social engineering, claiming that the artist had died of cancer. Below is an example of the spammed email.


We can see that there’s a hyperlink in the email body that points to http://xxx.xxx.xxx.133/sp/kylie.htm. Upon visiting the said URL, we see the following page:


Yeah, there’s another hyperlink that points to a binary file. The binary file is an exact copy of the Trojan downloader attached to the spammed email. This is probably intended as another way to get the malware executed in case the affected user opted not to open the attachment in the spammed email. The story of this malware does not end here, as the said URL contains an iframe that points to another page containing obfuscated code.



The page made me curious whether it could be related to TROJ_LINKOPTIM, so I decided to de-obfuscate it. Here’s a snippet of the code after the first pass of de-obfuscation.



Then, to my surprise, it also used the “arguments.callee.toString()” function, which is also used in the TROJ_LINKOPTIM obfuscated pages. So I continued, and after three more layers of de-obfuscation I arrived at another iframe which opens yet another page (whew!!!).



This new page will again download and execute a copy of the Trojan downloader; at this point, we can say that this cannot be related to the Link Optimizer thingie. Note that the downloader was designed to have three ways of being executed on an affected system.



The author used the “msxml2.XMLHTTP” and “adodb.stream” objects to download and execute the binary file on the affected user’s system.


The Trojan downloader will be detected as TROJ_DLOADR.ANR and the downloaded component as BKDR_AGENT.FBB. Disabling ActiveX in your web browser is recommended to protect against attacks that use ActiveX objects. You can also disable the “adodb.stream” object by following the procedures described here.
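As an added illustration (not from the original post), the following PowerShell audits whether Internet Explorer’s kill bit is set for ADODB.Stream, which is the mechanism Microsoft’s procedure for disabling an ActiveX control relies on: a Compatibility Flags DWORD containing 0x400 under the ActiveX Compatibility key for the control’s CLSID. The CLSID is resolved from the ProgID in the registry at run time rather than typed in; the -Apply switch is this script’s own addition and needs an elevated prompt.

```powershell
# Added example, not from the original post: check (and optionally set) the Internet Explorer
# "kill bit" for the ADODB.Stream control. Default is audit only; -Apply writes the bit.
param([switch]$Apply)

$ProgId  = 'ADODB.Stream'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate a control carrying this flag

function Get-ActiveXKillBitState {
    param([Parameter(Mandatory)][string]$ProgId)
    # ProgID -> CLSID via the default value of HKCR\<ProgID>\CLSID; fails loudly if the ProgID is absent.
    $clsid = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction Stop).'(default)'
    # On 64-bit Windows the 32-bit IE process also honours the Wow6432Node copy of this key.
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
    $flags = 0
    $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($item) { $flags = [int]$item.'Compatibility Flags' }
    [pscustomobject]@{
        ProgId     = $ProgId
        CLSID      = $clsid
        Key        = $key
        RawFlags   = $flags
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
    }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Key, [int]$CurrentFlags)
    # Preserve any other compatibility flags already present; only OR in the kill bit.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value ($CurrentFlags -bor $KillBit) -Type DWord
}

$state = Get-ActiveXKillBitState -ProgId $ProgId
$state | Format-List ProgId, CLSID, Key, Flags, KillBitSet

if ($Apply -and -not $state.KillBitSet) {
    Set-ActiveXKillBit -Key $state.Key -CurrentFlags $state.RawFlags
    Write-Host "Kill bit set for $ProgId; restart Internet Explorer for it to take effect."
}
```

Run it without switches on a fleet to find machines where the control is still loadable; the same two functions work for any other ProgID you want to audit.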


Worm Targets Boxing Fans

  • Posted: September 21, 2006
  • Author: Virus Analyst

November 18, 2006 will be a significant day for boxing enthusiasts everywhere, especially Filipinos and Mexicans, as it marks the third time their respective boxing champs, Manny Pacquiao and Erik Morales, will face each other to show the world who’s the best in the ring. Like any popular international event, this spectacle will be the focus of many product endorsements, advertising campaigns, media hype and the like. Of course, just like the Miss World event that was the topic of one of my blog entries these past few days, this event can also be used by malware in its social engineering ploys.


WORM_SILLYFDC.AO is a malware that targets Pacquiao and Morales fans. Although this worm does nothing at all aside from propagating through network shares, it does have a high potential for spreading since it poses as a text file on the affected system (Morales_vs_Pacquiao.txt…exe). The double extension is a dead giveaway that the file is not what it seems to be, but loyal Pacquiao and Morales followers would click on the file anyway, possibly in the hope of reading something interesting about the upcoming match. Once executed, the worm drops copies of itself on all available removable storage media (yes, floppy disks included) and mapped network drives. It also creates a registry entry so that it is executed at system startup.


This is nothing new. This worm may use a simple and unsophisticated propagation technique, but the way it takes advantage of a popular event to trick the user into opening it gives it a chance of wide-scale propagation. Fortunately, a solution is already in the works for this new threat. We’ll update you once a detection pattern has been deployed.


Web-Attacker + IE 0-Day Stats!

  • Posted: September 21, 2006
  • Author: Virus Analyst

Just a couple of hours after the reported 0-day VML exploit, there were also reports that it had been implemented in the Web-Attacker kit, as described in this post.


Then, earlier this morning, a Web-Attacker exploit penetration statistics website was reported by an external source. The URL points to a statistics page that shows the total hosts infected by the Web-Attacker kit. The website even has a breakdown of each infection by browser exploit, host operating system (OS), and the Internet browser used by the affected system. The browser statistics section is even broken down by specific version or service pack.



However, this particular site does not show statistics for 0-day infected systems, only for the not-so-old browser exploits. So, given that URL, I played with it a little with the help of my friend Google, and found 49 URLs all pointing to different Web-Attacker control panels. I tried every URL one after another, and there I saw a convincingly up-to-date exploit penetration statistics page that includes a column of data on 0-day infected hosts.



Since we recently had two (2) browser-related 0-day vulnerabilities, the 0-Day column shown above may or may not be for the VML vulnerability alone.





Now, you know who are the most likely to be hit by the recent 0-days.


I have also listed below the rest of the Internet browsers that are being monitored/affected by Web-Attacker. I was supposed to capture it as an image as well, but I dare not; it’s pretty long, as you will see. :(



  • Firefox 0.10 13
  • Firefox 0.10.1
  • Firefox 0.10.1
  • Firefox 0.8
  • Firefox 0.8 (ax)
  • Firefox 0.9
  • Firefox 0.9.1
  • Firefox 0.9.2
  • Firefox 0.9.2 (ax)
  • Firefox 0.9.3
  • Firefox 0.9.5.1
  • Firefox 1.0 392
  • Firefox 1.0 (Debian package 1.0+dfsg.1-6)
  • Firefox 1.0 (Ubuntu package 1.0.2)
  • Firefox 1.0 (ax)
  • Firefox 1.0 Red Hat/1.0-12.EL4
  • Firefox 1.0+
  • Firefox 1.0.1
  • Firefox 1.0.1 (ax)
  • Firefox 1.0.1 StumbleUpon/1.9993
  • Firefox 1.0.2
  • Firefox 1.0.2 (MOOX M3)
  • Firefox 1.0.2 (ax)
  • Firefox 1.0.3
  • Firefox 1.0.3 (Debian package 1.0.3-2)
  • Firefox 1.0.3 (ax)
  • Firefox 1.0.3 StumbleUpon/1.9995
  • Firefox 1.0.4
  • Firefox 1.0.4 (Debian package 1.0.4-2)
  • Firefox 1.0.4 (Debian package 1.0.4-2sarge4)
  • Firefox 1.0.4 (ax)
  • Firefox 1.0.4 (ax) Firefox/1.5.0.2
  • Firefox 1.0.4 StumbleUpon/1.9995
  • Firefox 1.0.5
  • Firefox 1.0.5 (ax)
  • Firefox 1.0.6
  • Firefox 1.0.6 (ax)
  • Firefox 1.0.6 SUSE/1.0.6-4.1
  • Firefox 1.0.7
  • Firefox 1.0.7 (CK-IBM)
  • Firefox 1.0.7 (Debian package 1.x.1.0.7-8)
  • Firefox 1.0.7 (Ubuntu package 1.0.7)
  • Firefox 1.0.7 (ax)
  • Firefox 1.0.7 Firefox/1.5
  • Firefox 1.0.7 NLD/1.0.7-0.2
  • Firefox 1.0.7 SUSE/1.0.7-0.1
  • Firefox 1.0.7 SUSE/1.0.7-0.2
  • Firefox 1.0.7 StumbleUpon/1.9993
  • Firefox 1.0.8
  • Firefox 1.0.8 (Ubuntu package 1.0.8)
  • Firefox 1.0.8 SUSE/1.0.8-0.2
  • Firefox 1.0RC2
  • Firefox 1.4 16
  • Firefox 1.4.1
  • Firefox 1.5 133
  • Firefox 1.5.0.1
  • Firefox 1.5.0.1 pango-text
  • Firefox 1.5.0.2
  • Firefox 1.5.0.2 pango-text
  • Firefox 1.5.0.3
  • Firefox 1.5.0.3 (Debian-1.5.dfsg+1.5.0.3-2)
  • Firefox 1.5.0.3 Creative ZENcast v1.00.12
  • Firefox 1.5.0.3 RTSE/1.0.6
  • Firefox 1.5.0.4
  • Firefox 1.5.0.4 (Debian-1.5.dfsg+1.5.0.4-1)
  • Firefox 1.5.0.4 Creative ZENcast v1.00.12
  • Firefox 1.5.0.4 Flock/0.7.1
  • Firefox 1.5.0.4 RTSE/1.0.6
  • Firefox 1.5.0.4 pango-text
  • Firefox 1.5.0.6
  • Firefox 1.5.0.7
  • Firefox 2.0a1 8
  • Firefox 2.0b1 3
  • Firefox 3.0a1 2
  • MSIE 5.0
  • MSIE 5.0 SP2
  • MSIE 5.01
  • MSIE 5.01 SP1
  • MSIE 5.01 SP2
  • MSIE 5.01 SP3
  • MSIE 5.01 SP4
  • MSIE 5.5
  • MSIE 5.5 SP1
  • MSIE 5.5 SP2
  • MSIE 5.5 SP4
  • MSIE 6.0
  • MSIE 6.0 SP1
  • MSIE 6.0 SP1a
  • MSIE 6.0 SP2
  • MSIE 6.0 SP4
  • MSIE unknown
  • MSIE unknown SP2
  • Netscape
  • Opera
  • Unknown


Update on VML Exploit – IE 0-day

  • Posted: September 21, 2006
  • Author: Virus Analyst

Two new variations of the Proof-of-Concept (PoC) exploit targeting the 0-day VML vulnerability have been publicly posted on two sources on the web. They both target the same vulnerability as EXPL_EXECOD.A does, but with some modifications in the way it is exploited (the value passed to the fill method inside the rect tag). The PoC posted at XSec can cause Remote Code Execution, while the PoC posted at Milw0rm can cause Denial of Service, as they described.


If you recall, this was first discovered in the wild by Sunbelt, and a number of sites have also been found using the exploit to infect unsuspecting users. Microsoft has been aware of this security bug since Sunbelt posted an entry about it, and on September 19 Microsoft published Security Advisory (925568), which addresses this issue. Microsoft has dubbed the vulnerability Vulnerability in Vector Markup Language Could Allow Remote Code Execution. Microsoft has also suggested four (4) possible workarounds to protect us from this bug while they work on the official patch, which will be released on October 10, 2006, hopefully.


One of the workarounds that Microsoft has suggested is to unregister Vgx.dll, which is the affected component.

Follow these steps to unregister the DLL.

1. Click Start, click Run, type regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll", and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

However, applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps, replacing the command in Step 1 with regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll".
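The same workaround in script form, added here as an example and not taken from the post or from Microsoft’s advisory: it builds the vgx.dll path from %ProgramFiles%, runs regsvr32 to unregister or re-register it, and then verifies the outcome by scanning HKCR\CLSID for InprocServer32 entries that still point at vgx.dll, so no CLSID has to be hard-coded. The Action parameter and function names are this script’s own.

```powershell
# Added example, not from the original post: audit whether vgx.dll is registered as a COM
# server, and apply or undo the "unregister Vgx.dll" workaround with regsvr32.
# Audit needs no privileges; Unregister/Reregister must run from an elevated prompt.
param(
    [ValidateSet('Audit', 'Unregister', 'Reregister')]
    [string]$Action = 'Audit'
)

$VgxPath = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

function Get-VgxComRegistrations {
    # Walk every CLSID and keep those whose InprocServer32 default value names vgx.dll.
    # The registry is the source of truth here, so the result reflects what regsvr32 actually did.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')
                $sub.Close()
                if ($server -match 'vgx\.dll') {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Invoke-Regsvr32 {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # /s suppresses the confirmation dialog the manual steps mention; exit code 0 means success.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

if (-not (Test-Path -LiteralPath $VgxPath)) {
    Write-Warning "vgx.dll not found at $VgxPath; nothing to do."
    return
}

switch ($Action) {
    'Unregister' {
        $rc = Invoke-Regsvr32 -Arguments @('/s', '-u', "`"$VgxPath`"")
        Write-Host "regsvr32 -u exit code: $rc"
    }
    'Reregister' {
        $rc = Invoke-Regsvr32 -Arguments @('/s', "`"$VgxPath`"")
        Write-Host "regsvr32 exit code: $rc"
    }
}

# Always finish with the audit so the operator sees the resulting state, not just an exit code.
$regs = @(Get-VgxComRegistrations)
if ($regs.Count -eq 0) {
    Write-Host 'vgx.dll is NOT registered as a COM server (workaround in effect; VML will not render).'
} else {
    Write-Host "vgx.dll is registered via $($regs.Count) CLSID(s):"
    $regs | Format-Table -AutoSize
}
```

Running it with -Action Audit across a fleet tells you which machines still have the workaround applied once the official patch has shipped, which is when the Reregister action becomes the relevant one.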



Related Posts:
IE Zero Day + Web Attacker Kit
New IE Zero Day Seen in the wild


A Beauty Pageant, Instant Messaging and a Malware

  • Posted: September 20, 2006
  • Author: Virus Analyst

The Miss World 2006 beauty pageant will be held in Poland on September 30. Unlike other popular international beauty pageants, the Miss World beauty pageant has an interactive way of selecting the winner. Using SMS, people from around the world can vote for the contestant whom they consider to be the one worthy of the beauty title.


A new threat has taken advantage of the event’s unique way of choosing the winner. In another bout of social engineering, it uses instant messaging applications as the distribution vector for the malware. Instant messenger users who are often online may have received the following message recently:


Let’s vote for Miss Vietnam – Mai Phuong Thuy – for the upcoming Miss World championship…


The message is followed by a URL that the unsuspecting user may expect to lead him to a site or webpage where he can vote for the candidate. Obviously, this does not happen at all. When the URL is accessed, the user is redirected to another website offering credit card debt consolidation, which has absolutely nothing to do with voting for the next Miss World. Here’s what the user didn’t know: when the link was accessed, it redirected to another site that downloaded a Trojan onto the system. To cover up the download, it then redirected to the site featuring the credit card scheme. That way, the user wouldn’t notice anything.


Unless he tried to open the task manager or the registry editor.


Initial analysis shows that this Trojan disables the task manager and the registry editor. Furthermore, Internet Explorer’s startup page is modified so instead of the user’s default web page being loaded when the browser is opened, the site where the malware originates is accessed instead.


Disabling these system applications is a common technique that most malware use to hide from computer-savvy users. Moreover, it prevents knowledgeable users from verifying whether a malware is present on the system. Modifying the startup page in IE ensures that even if the malware is deleted or cleaned from the system, it still has a chance of reinstalling itself.
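To check a machine for the symptoms described above, here is an added PowerShell audit (not part of the original entry). It reads the standard per-user policy values DisableTaskMgr and DisableRegistryTools and Internet Explorer’s Start Page value; the expected start page is a constructed placeholder, and an organisation that legitimately sets these restrictions by Group Policy will see them reported as findings too, so compare against your baseline.

```powershell
# Added example, not from the original post: report the three tampering symptoms described
# in the entry for the current user. Registry locations are the standard Windows policy and
# IE values; $ExpectedStartPage is a constructed placeholder, replace it with your own baseline.
$ExpectedStartPage = 'https://intranet.example/'

function Get-PolicyTamperReport {
    param([string]$ExpectedStartPage)
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

    # Each policy value is a DWORD; 1 blocks the tool. A missing value means no restriction.
    # Note: legitimate GPO lockdowns set the same values, so read this against your baseline.
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $taskMgrDisabled = ($p -and $p.DisableTaskMgr -eq 1)
    $regeditDisabled = ($p -and $p.DisableRegistryTools -eq 1)

    $m = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    $startPage = if ($m) { $m.'Start Page' } else { $null }

    $findings = @()
    if ($taskMgrDisabled) { $findings += 'DisableTaskMgr=1 (Task Manager blocked)' }
    if ($regeditDisabled) { $findings += 'DisableRegistryTools=1 (Registry Editor blocked)' }
    if ($startPage -and $ExpectedStartPage -and $startPage -ne $ExpectedStartPage) {
        $findings += "IE Start Page changed to $startPage"
    }

    [pscustomobject]@{
        TaskManagerDisabled = [bool]$taskMgrDisabled
        RegeditDisabled     = [bool]$regeditDisabled
        IEStartPage         = $startPage
        Suspicious          = ($findings.Count -gt 0)
        Findings            = $findings
    }
}

Get-PolicyTamperReport -ExpectedStartPage $ExpectedStartPage | Format-List
```

A start page pointing at an unfamiliar host together with both tools disabled is the combination the post describes; the Findings list gives the exact values to revert after the malware itself has been removed.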


Fortunately, a solution is currently in the works for this threat. Trend will be detecting this malware as TROJ_AGENT.EVJ. We’ll update you once the detection pattern for this Trojan has been released.


Update (Jasper, Wed, 20 Sep 2006 09:55:05 AM)

The detection pattern for this threat has already been deployed in CPR 3.764.01.


TROJ_CLAGGE.B spams

  • Posted: September 19, 2006
  • Author: Virus Analyst

As of this writing, we have already received a total of 1,335 samples in a couple of hours. Trend Micro already detects this threat as TROJ_CLAGGE.B using OPR 3.759.00.


The malware comes as an attachment to emails with the filename Rechnung.zip or Rakningen.zip (7,028 bytes). Please be wary of emails you receive with those attachments, and do not attempt to open them. If you want more information on what the malware is capable of, check our Virus Encyclopedia here.


We are still looking into the details of this spammed malware; for now, please be very careful of attachments with the aforementioned filenames in your inbox.



  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.