
MoKB: Broadcom Wireless Driver Probe Response SSID Overflow

  • Posted: November 13, 2006
  • Author: Virus analyst

The latest release of MoKB deals with a stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver. This leads to arbitrary kernel-mode code execution.


The Zeroday Emergency Response Team (ZERT) has released an FAQ discussing the vulnerability.


[snip]

Q: Why is this vulnerability dangerous? It’s local; it can not be used through the Internet.


A: Although it can not be exploited over the Internet, it can be used against your computer from a distance. If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop, or using your computer with the wireless card enabled in any public place, you are at risk. It is remote by means of RF transmissions; the distance is dependent on the attacker’s antenna and signal strength.


Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card’s background scan of available wireless networks triggers the flaw.


[snip]

Technical details about the vulnerability are located on the MoKB site, and the proof-of-concept code is included in the latest Metasploit module.


Two Stones One Bird?

  • Posted: November 13, 2006
  • Author: Virus analyst

It’s not the usual maximizing of resources to achieve as many goals as possible. It’s rather the opposite: using all resources, and all possible means, in order to achieve one big goal – and that is to amass a lot of money!


This is probably what the creators of the STRATION and MEDBOT malware families are doing. On one hand, there’s this comeback of mass-mailers whose main purpose is just to make zombies out of hundreds of thousands of computers to serve image spam. This is described in the paper, The Real Motive Behind Stration.


Meanwhile, there’s this fairly new strain of IRC bots that was released almost at the same time as the first variant of STRATION came out – and that was in August 2006. This is MEDBOT, an IRC bot that also attempts to infect computers with the goal of making them zombies to send out spam for the usual pharmaceutical line of ‘viagra’ and ‘cialis’. This is further described in the previous blog entry, WORM_MEDBOT.AI and SPAM.


Here are some snapshots of the spam mails we generated and that are being sent out from MEDBOT-infected machines to millions of target recipients:


What’s the connection you say?


Running WHOIS on the domains of the advertised ‘viagra’ sites from the MEDBOT spam emails gives us:


Domain Name:genrunkasderunkion.com
Registrant: Dima li
jungonglu1219hao
200093
Administrative Contact: Dima li


Whoa! Now doesn’t that name or alias sound familiar? Dima Li! But of course: this is one of the aliases, along with Wang Pang, used by the same registrants or admins of the domains being used by the STRATION worms. Coincidence?… Add to that the fact that both malware families appeared almost at the same time, and the assumption that these malware families may indeed be connected grows stronger. Coincidence again?… And the ultimate goal is the same – sending ‘viagra’ spam…


Take a look at the advertised site from MEDBOT:


And now take a look at the one advertised by STRATION:


Coincidence?…


And the plot thickens! Are they using more than one malware family to achieve their goal of spam? Are they using two, three or possibly more stones to hit the grand prize? More chances of winning, eh? More on this as we continue our investigations…


WORM_MEDBOT.AI and SPAM

  • Posted: November 13, 2006
  • Author: Virus analyst

Lately, TrendLabs has been receiving numerous reports of WORM_MEDBOT.AI infections – so TMIRT and our malware Escalation Team went on to investigate; this is what we’ve found…


To know more about WORM_MEDBOT.AI than what is already posted at our Virus Encyclopedia, we sniffed through WORM_MEDBOT.AI traffic and found out it connects to the IRC server reg.raxoper.com with the user nick jebr-1_(four digit random number)_(four digit random number).


Once a private session is established, the controller may issue several commands programmed into MEDBOT. For the session we monitored, the controller issued a download-and-execute command for four files (modul32e.m.exe, injs.n.exe, hdd.h.exe and ssd32.j.exe) located at http://up.medbod.com/up. On initial analysis, these files seem to be Trojan downloaders. The four files have already been submitted to the service team for detection.
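The nick format and the hosts named above are enough for a simple network-level detector. The following is an added example (not code from the original post or from TrendLabs) that parses raw IRC lines from a capture and raises alerts on a MEDBOT-style nick, a connection to reg.raxoper.com, or a private message that references up.medbod.com; the sample session is constructed, and since the post does not give the controller's command syntax, the message body in it is only a URL.

```python
import re

# Nick format the MEDBOT sample used: "jebr-1_" plus two four-digit numbers.
MEDBOT_NICK = re.compile(r"^jebr-1_\d{4}_\d{4}$")
# Hosts named in the post: the IRC C&C and the download location.
MEDBOT_C2 = "reg.raxoper.com"
MEDBOT_DOWNLOAD_HOST = "up.medbod.com"


def parse_irc_line(line: str):
    """Split one raw IRC line into (COMMAND, [params]).

    Handles an optional ":prefix" and a trailing ":text" parameter.
    """
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    head, _, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return "", []
    return parts[0].upper(), parts[1:] + ([trailing] if trailing else [])


def scan_session(dst_host: str, lines):
    """Return alert strings for one captured IRC session to dst_host."""
    alerts = []
    if dst_host.lower() == MEDBOT_C2:
        alerts.append(f"connection to known MEDBOT C&C {dst_host}")
    for line in lines:
        cmd, params = parse_irc_line(line)
        if cmd == "NICK" and params and MEDBOT_NICK.match(params[0]):
            alerts.append(f"MEDBOT-style nick {params[0]}")
        if cmd == "PRIVMSG" and len(params) > 1 and MEDBOT_DOWNLOAD_HOST in params[1].lower():
            alerts.append(f"message references {MEDBOT_DOWNLOAD_HOST}: {params[1]}")
    return alerts


# Constructed capture for illustration, not real traffic; the controller's
# command syntax is not known from the post, so the PRIVMSG body is just a URL.
SAMPLE_SESSION = [
    "NICK jebr-1_4821_0937",
    "USER u 0 * :u",
    ":ctl!c@h PRIVMSG jebr-1_4821_0937 :http://up.medbod.com/up/modul32e.m.exe",
    "PONG :reg.raxoper.com",
]
```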


Most notable of the four downloaded files is modul32e.m.exe, which accepts a URL as a parameter. Downloading the file from the URL parameter reveals that this file in turn contains a lot of URL links to other files. A brief summary of the listed files includes: an s3.2.txt file from the seeky.mootseek.com domain; a domain.cab file; fname.cab; lname.cab; pattern.txt from the up.medbod.com domain; and a lot of other files from the seek(1-2 digit number).mootseek.com domain.


Surprisingly, the s3.2.txt file contains an e-mail template that resembles spam. The domain.cab, fname.cab and lname.cab files contain the archived files domain, fname and lname respectively. The domain file contains a list of various domains, fname contains a list of common first names, while lname contains a list of last names. The file pattern.txt, on the other hand, contains phrases that can be used as e-mail subjects.


The various files from the seek(1-2 digit number).mootseek.com domain are text files containing lists of generated e-mail addresses not covered by the combinations of strings found in fname/lname@domain.


It is worth noting that all these files are constantly updated. The s3.2.txt file that serves as an e-mail template was updated twice during our session, with each template changing the URL link being advertised in the spam mail. The same goes for the numerous files from the seek(1-2 digit number).mootseek.com domain. The only files that remained constant are the domain, fname and lname files.


Summing up all these files reveals the real intention of WORM_MEDBOT, that is, to turn infected computers into spam machines. The MEDBOT infection is a case of an elaborate and collaborative attempt by malware writers to profit. The use of multiple component files and the collaboration across at least 3 domains all point to an organized group behind all of this, and for them to set up such a complicated system – the returns must be really, really good…


Patch Tuesday (Preview)

  • Posted: November 13, 2006
  • Author: Virus analyst

On the 14th of November, Microsoft will be releasing its monthly security bulletins. This month’s release includes one bulletin affecting Microsoft XML Core Services, for which the highest Maximum Severity rating is Critical. MS will also release five Microsoft Security Bulletins affecting Microsoft Windows; the highest Maximum Severity rating for these is also Critical.


A lot of zero-days have been coming out this month and hopefully Microsoft will include the fixes for them in this month’s upcoming bulletins. Be sure to patch your machines after the release. =)—A friendly reminder from your friendly neighborhood TMIRT. =)


Myspaace Gets Bought

  • Posted: November 10, 2006
  • Author: Virus analyst

Yes. And that is not a typo of “Myspace” in the title; although that is what it is actually meant to be – a typo. The domain myspaace.co.uk (with two a’s) was bought for 100 GBP just last October 25, 2006.


The said social networking site’s popularity is now at its peak, just like all domains that fall under the umbrella of Web 2.0, and with this kind of surge of activity from users, there’s almost always a dark side just a few feet away.


A couple of examples of the abuse of Myspace’s popularity include, but are not limited to, the Myspace worm last year; the bunch of adware that infected more than 100M users last July, 2006; or the just recently discovered 0-day Myspace vulnerability.


This write-up is not aimed at jumping the gun, so to speak…


But with the rising incidents of typo-squatting using popular sites such as Google and Trend Micro, it wouldn’t take long for malicious hacker groups to take advantage of the popularity of Myspace, and of the fact that users may just type in an extra letter such as the letter ‘a’ on their way to the Myspace site… and then WHAM! It could be another big malware infection incident – considering the number of Myspace users and would-be users around the globe!


With that said, let us take extra care and check what we have typed in our browser windows before hitting the Enter button. And rest assured too that the Trend Micro Incident Response Team will be monitoring any malicious use of this newly-bought domain, Myspaace, or any other typo-squatting incident for that matter.


Trojans downloading Trojans

  • Posted: November 10, 2006
  • Author: Virus analyst

Just an FYI, we are currently being spammed with emails containing a trojan as an attachment.


The attachment name is New_Folder_01NOV2006.rar; you can begin filtering this out on your systems for proactive protection.


I have to say, the social engineering tactics used by the malware author to fool users into executing the attachment are above standard, so customers will have to be extra careful to keep from being fooled.


The contents of New_Folder_01NOV2006.rar are shown below.


As you can see, there are two objects:



  • New Folder – an actual folder (nothing to it)
  • New Folder_01NOV2006(215 SPACES).exe – an exe file with a folder icon; the 215 spaces are there to fool users into thinking that it is not an exe file. This is the same logic used by worms like WORM_MYTOB.

I can only guess that the folder “New Folder” is inside the archive for more social engineering. As the user extracts the files from the archive, he clicks on “New Folder”, which opens as a folder, as it really is one, raising the chances of the user clicking New Folder_01NOV2006(215 SPACES).exe under the assumption that it is a folder too.
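The padding trick is easy to screen for at a mail gateway or archive scanner before a user ever sees a folder icon. The following is an added example (not code from the original post or from Trend Micro) that classifies attachment and archive-member names, flagging an executable extension hidden behind a long whitespace run, as in the sample above, and the related double-extension trick; the extension list and the archive listing are constructed for the example, not taken from the RAR described.

```python
import unicodedata

# Extensions Windows runs on double-click. Assumption: a representative list
# for this added example, not one from the original post; extend as needed.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# A few spaces before ".exe" is odd; dozens (the sample used 215) is deliberate.
MIN_SUSPICIOUS_PADDING = 8


def analyze_filename(name: str) -> dict:
    """Classify one attachment or archive-member name."""
    # NFKC folds Unicode space variants (e.g. U+3000) into plain spaces.
    norm = unicodedata.normalize("NFKC", name)
    stem, dot, ext = norm.rpartition(".")
    ext = ext.lower() if dot else ""
    executable = ext in EXECUTABLE_EXTENSIONS
    # Whitespace run between the visible name and the real extension.
    padding = len(stem) - len(stem.rstrip()) if executable else 0
    # Decoy extension in front of the padding: "photo.jpg<spaces>.exe".
    visible = stem.rstrip()
    decoy = visible.rpartition(".")[2].lower() if "." in visible else ""
    decoy = decoy if decoy.isalpha() else ""
    return {
        "name": name,
        "executable_ext": ext if executable else "",
        "padding": padding,
        "decoy_ext": decoy,
        "suspicious": executable and (padding >= MIN_SUSPICIOUS_PADDING or bool(decoy)),
    }


def screen_archive_members(names):
    """Return (name, reason) pairs a mail gateway should block."""
    blocked = []
    for n in names:
        r = analyze_filename(n)
        if not r["suspicious"]:
            continue
        if r["padding"] >= MIN_SUSPICIOUS_PADDING:
            reason = f"{r['padding']} whitespace chars before .{r['executable_ext']}"
        else:
            reason = f"double extension .{r['decoy_ext']}.{r['executable_ext']}"
        blocked.append((n, reason))
    return blocked


# Constructed archive listing modelled on the RAR described above.
SAMPLE_MEMBERS = ["New Folder/", "New Folder_01NOV2006" + " " * 215 + ".exe", "readme.txt"]
```

Plain executables such as setup.exe are reported as executable but not as suspicious; only the padding and decoy tricks trip the block list.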


The exe file has already been given to the service team for detection and has been given the name TROJ_DLOADER.HAP.


Again using good social engineering, TROJ_DLOADER.HAP downloads http://www.[blocked]nrg.org/tmp/about.html, making anyone watching the network think that the downloaded file is just an HTML file when it is actually an EXE file, which is saved as iexplore.exe in your C: directory.


The great thing is that this is already detected by Trend as TROJ_DLOADER.FUO.


From TROJ_DLOADER.FUO begins a stream of downloads ultimately ending in phishing attempts on several banks.


Here is a list of the files that were downloaded, beginning with TROJ_DLOADER.FUO; all files come from a single IP address.



  • http://[blocked]/ieschedule.exe (TROJ_DLOADER.FUX)
  • http://[blocked]/ib14.dll (TSPY_VB.BRF)
  • http://[blocked]/smss.exe (TROJ_DELF.DSJ)
  • http://[blocked]/iexplore.exe (TROJ_DLOADER.FUO)
  • http://[blocked]/ieserver.exe (TROJ_DELF.DSH)
  • http://[blocked]/dsrss.exe (TROJ_DELF.DSF)
  • http://[blocked]/preredir.exe (TROJ_DELF.DSI)
  • http://[blocked]/ieredir.exe (TROJ_DELF.DSG)

All files except for ib14.dll (TSPY_VB.BRF) have an Internet Explorer icon, another social engineering tactic that raises the chances of a user executing the file.


It is great to note that all the malware used by TROJ_DLOADER.HAP had already been detected by Trend Micro. The URLs of the files have also been given to the URL blocking team.


With all the social engineering tactics used by this malware, it is important for users to be more vigilant and make sure to only execute files that are known to be good.


More and more of these cases are showing up: different malware working together for profit, just like the case with TROJ_LINKOPTIM. We are continually seeing this trend in malware. No more fast-spreading worms, but trojans downloading trojans, ultimately leading to profit for the malware author.


Phishes Swim to New Depths

  • Posted: November 10, 2006
  • Author: Virus analyst

As security and AV companies scramble to put out protection against Internet fraud and spam, phishers take attacks deeper: targeting high-income Internet consumers.


Gartner Research, in its recent study on phishing attacks, found in a survey of 5000 adults residing in the US that high-income adults (earning over $100k/year) are targeted by phishing attacks.


Public service announcements (PSAs) online and through other media, as well as consumer education campaigns launched by government agencies, did not help curb consumers’ lack of awareness. Although high-income respondents tend to successfully avoid phishing attacks, once they are hit, their losses skyrocket.


Also featured in this research is the not-so-new way of survival for phishers: constant changing of URLs. Phishers host malicious URLs for a limited time only. And by the time cyber law enforcers get a lead on the URLs, the phishers have already dumped these URLs and moved on.


Read more here: http://asia.internet.com/news/article.php/3642971


Additionally, phishing is also a booming problem in the UK. Losses to online fraud not only tripled but grew “16-fold”, as measured by the UK’s Association of Payment Clearing Services based on the losses recorded by banks with online facilities.


Read more here: http://news.bbc.co.uk/1/hi/business/6122116.stm


Mirrored Wikipedia Breach

  • Posted: November 9, 2006
  • Author: Virus analyst

I never thought malware writers also create redundant systems for business continuity. A couple of days after a Wikipedia entry was found to contain links to TROJ_SMALL.DMR, another site was found – http://h(blocked)v.webhostingoutsourcing.com/ – that contains the exact content, text, links and all, from the malicious Wikipedia entry.


Which entry was posted first doesn’t matter much; what is alarming is the fact that malware writers are using multiple instances of a vector in order to create a more stable infection platform. Indeed, industry best practices can be used by security professionals and malware writers alike.


WMIObjectBroker 0-day

  • Posted: November 9, 2006
  • Author: Virus analyst

Heads up folks!!! There are reports of attack incidents exploiting a vulnerability found in the WMIObjectBroker ActiveX control, which is part of Visual Studio 2005.


“The WMIObjectBroker ActiveX component is part of Visual Studio 2005 and associated with the WmiScriptUtils.dll. So you are only vulnerable if you find WmiScriptUtil.dll on your system. Also, this ActiveX component is not activated by default. For more details about this vulnerability see http://www.microsoft.com/technet/security/advisory/927709.mspx”


Users with vulnerable machines are advised to apply the workaround provided by the software vendor until a security patch is released.


For more information regarding this report, you may visit the following:



  • www.microsoft.com
  • secunia.com
  • www.kb.cert.org
  • isc.sans.org
  • sunbeltblog.blogspot.com
  • www.cve.mitre.org


A Trojan Codec and Two New Rogue Anti-Spywares

  • Posted: November 9, 2006
  • Author: Virus analyst

Just today, Sunbelt discovered several scam sites. Most notable is qualitycodec.com, which is another one of those Trojan codec sites. This site in particular hosts TROJ_ZLOB.BCN.


Another notable site is iesecurepage.com, which contains links to several rogue anti-spyware programs. Two rogue anti-spyware programs are currently available and are detected as ADW_MWAREWIPE.E, ADW_BRAVESEN.D and ADW_BRAVESEN.E.
