This post reports on the vendor announcements and the mitigations available in Trend Micro products for viruses and attack code observed in December 2007 that exploited application vulnerabilities.
In the first part, we analyzed the correlation between the number of reported virus infections and the number of Microsoft security updates (hereafter "patches") released.
We concluded that the number of patches released does not necessarily affect the number of virus infections.
Even after seeing the analysis showing that the correlation with infection counts is weakening, many readers of the first part probably feel that web media and other reports frequently confirm the circulation of viruses that exploit vulnerabilities.
In the second part, based on the advisories TrendLabs issued this year, we analyze what kinds of vulnerabilities tend to be exploited by viruses.
On November 16, Media Create Co., Ltd. announced that domestic sell-through of the Nintendo DS handheld game console, sold by Nintendo Co., Ltd., had surpassed 20 million units.
The Nintendo DS was released in 2004, three years ago. It is still increasing its sales and holds the number-one position by units sold in the handheld game console market.
Around the same time, at the security conference POC (Power Of Community) 2007 in neighboring Seoul, Korea (held November 15 to 16), i3eat gave a talk titled "Hacking with Nintendo DS".
The strong-selling Nintendo DS appears at a security conference. What security threats could it pose?
In the United States, Apple's first mobile phone, the iPhone, went on sale on June 29 local time and has attracted a lot of attention; amid the excitement, a virus riding on the hype has already appeared. Trend Micro detects it as TROJ_AYFONE.A.
A new worm has been found on MySpace (a social networking website) that takes advantage of the HREF Track feature of Apple QuickTime movies and an XSS vulnerability in MySpace to propagate and execute its malicious actions. The malware author also intends to steal other MySpace users' logins by setting up a phishing site whose URL is advertised by the worm.
The menace starts when a MySpace user views a malicious embedded QuickTime movie file (.mov). Yes, a movie file… but we are not talking about a vulnerability in QuickTime, but rather about a special feature built into QuickTime movie files called HREF Track.
An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or load QuickTime Player. They can also specify JavaScript functions or web pages that load in a specific browser frame or window.
…
The URLs in an HREF track can be interactive or automatic. An interactive URL loads when you click anywhere in the movie’s display area. An automatic URL loads as a movie is playing at the exact frame specified by a text descriptor timestamp in the HREF track. With automatic URLs, you can create a narrated tour of a website, use web pages as slides in a presentation, activate a JavaScript command, or do anything else that requires loading movies or web pages in a predetermined sequence.
The movie file loads a malicious JavaScript file, which modifies the user's profile page by replacing its navigational links with fake ones (pointing to the MySpace phish on the same domain) through CSS and HTML. This is possible because of MySpace's XSS vulnerability. Then comes the "wormy" part of the malicious JavaScript: it adds the malicious QuickTime movie file to the user's "Interests" section, propagating both the worm and the phishing attack. Any MySpace user who visits an infected user's profile also gets trojanized navigational menus.
What is also notable about this worm is its capability to send a random message to users with IDs from 80000000 to 105000000. The worm selects one of the six subjects below and sends it to a random user every 6 seconds.
- what else is there to do on a Sunday.?…….
- You better not forget about this..
- Hehe that was so funny..
- better see this one last time lol..
- omg did you see this last nite..
- whos coming to the party tonight.?..
The body of the message is supposed to be a file named 'youtubedt7rf2.jpg', but unfortunately I wasn't able to get a copy because the source URL is no longer available.
Trend Micro has given the detection name JS_QSPACE.A to the malicious JavaScript.
For years, the Metasploit project has churned out more than a handful of exploit codes. These exploit codes are based on vulnerability research from the open-source community. Initially, software vendors are the most affected by these exploit codes, which force Microsoft, Apple or Mozilla to issue urgent patches for the discovered vulnerabilities.
On the other side of the coin, malware authors are quick to abuse these vulnerabilities, using the exploit codes to gain access to unpatched software. This is where security vendors come into play: through pattern updates and heuristic detection, anti-virus companies race to detect known exploit codes in order to protect their customer base.
However, with the release of VoMM (eVade-o-Matic Module), the challenge is now shifting from the software vendor to the security company. VoMM is an automated module developed in part by Metasploit (with LMH from Info-pull.com and Aviv Raff) that aims to make exploit codes undetectable by anti-virus vendors. VoMM is initially designed for JavaScript-based exploits in general, but I think it will only be a matter of time before Metasploit extends VoMM to other non-binary exploits.
In order to make exploits generated by VoMM undetectable, VoMM employs the following techniques:
- White-space randomization
- String obfuscation and encoding
- Random comments; placement and manipulation of existing ones
- Block randomization
- Variables and function names randomization
- Integer and miscellaneous variables obfuscation
- Function pointer reassignment
In general, the techniques mentioned above are already being used by malware authors. What VoMM does is make it easier for script kiddies to employ them. This will definitely raise the bar for the anti-virus community to build stronger scan engines, since filtering out white-space and comments, and the ability to de-obfuscate and trace randomized variables, will become commodity requirements.
I’ve always believed that adversity is needed for something to evolve. The cheetah became the fastest land animal chasing the gazelle, the second fastest. It is through challenges posed by the environment that we become better at what we do. VoMM is one such challenge.
Yes, especially if you got one of Apple's Video iPod machines manufactured after September 12, according to a report from CNET.
Although the worm does not affect Macs or iPods, the worm included on the iPod units is a Windows-based worm that can propagate via mapped drives and has backdoor capabilities that can leave Windows systems compromised. Because of this propagation feature, it is possible that during production of the affected units the iPods were infected by a copy of the worm already present on an infected system when the iPods were hooked up or plugged in for testing purposes.
It's a good thing, though, that Trend Micro has detected this as WORM_SIWEOL.A since May 2006, and customers can be assured that this free worm in an iPod will not get in the way of their listening sprees.
More info here:
Ok, there haven't been many entries these past days, and I want to share some updates.
- There's another variant of W97M_DLOADER, detected as W97M_DLOADER.BVS, which arrives as a .doc file attached to spammed email. It drops a Trojan downloader, detected as TROJ_DLOADER.BVS.
- Mac OS X 10.4.7 Update
This update fixes multiple vulnerabilities found in version 10.4.6 and below.
AFP: (CVE-ID: CVE-2006-1468)
– File and folder names may be disclosed to unauthorized users
ClamAV: (CVE-ID: CVE-2006-1989)
– When virus scanning is configured to update automatically, a malicious database mirror may cause arbitrary code execution
ImageIO: (CVE-ID: CVE-2006-1469)
– Viewing a maliciously crafted TIFF image may result in an application crash or arbitrary code execution
Launchd: (CVE-ID: CVE-2006-1471)
– Local users may gain elevated privileges
OpenLDAP: (CVE-ID: CVE-2006-1470)
– Remote attackers may cause the Open Directory server to crash
You can get the updates from Apple's support page.
References:
- http://www.apple.com/support/downloads/
- http://docs.info.apple.com/article.html?artnum=303973
- http://www.securityfocus.com/bid/18686/info
- An IRC bot, to be detected as BKDR_IRCBOT.CR, targeting the irc.shadowfire.org IRC server, was submitted to the Service team for further analysis and detection.