A new vulnerability patch has just been released by Microsoft.

MS05-053 (Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)) is a cummulative update for 3 vulnerabilities that have recently been discovered.

• Graphics Rendering Engine Vulnerability – CAN-2005-2123
  
• Windows Metafile Vulnerability – CAN-2005-2124
  
• Enhanced Metafile Vulnerability – CAN-2005-0803

More information can be found here.

Flash animations or any other forms of
interactivity in web pages can be viewed using Flash player
provided by Macromedia. Yet, a vulnerability for Flash was
discovered which when exploited would allow execution of arbitrary
codes. The problem exists in some array boundary condition. An
attacker can actually provide a specially-crafted SWF file (Flash
file format) for it’s malicious intent. The affected system is
Flash 7 and earlier versions. Thus, if you have upgraded to Flash
ver. 8, you are free from possible infection. I know how
entertaining it would be to click on some animations or videos
maybe, but be very cautious on those SWF files ‘coz you might get
more than just entertainment.


So if you happen to be vulnerable at the moment, get an upgrade atMacromedia Flash Download. And for more
information, you may visit the following:

Security Focus
ISS

Most malware uses anti-debugging techniques to avoid detection or
make analysis harder. One example of this is by using the api
IsDebuggerPresent. This Api seems to be the favorite choice of
malwares other than SEH.


But I just found out a new anti-debugging technique (at least new
in my book, as Im still beginning at the AV business… :p)


VMWare, a popular multi-function virtualizer for Windows and Linux
is one of the tools used in this kind of business. Sadly enough,
with just a few code, a malware can Identify if it is running on a
VMWARE machine and not on the actual environment.


The malware can just check this registry,


HKEY_LOCAL_MACHINESOFTWAREVMware, Inc.Vmware Tools


If existing, the malware automatically creates a batch file to
delete itself leaving no trace of it ever running. So for the
Service Team, don’t always trust your vmware results.


Or you can also just rename the registry to say


HKEY_LOCAL_MACHINESOFTWAREVMware, Inc.Vmware Tools1


After renaming this registry, I tested again the malware and it was
now executing like it would on a normal environment.


The malware that Im talking about here has already been passed to
the service team and word is, it would be detected as
WORM_SDBOT.COQ.

As part of its regular monthly release of
security updates, Microsoft announced recently that they will be
releasing a single patch for the month of November. This update has
been rated as critical the highest risk rating available.
The patch is said to be released this coming November 8. The
advance notice did not say which component would be dealt with nor
did it say how many flaws it is supposed to fix. All we can do is
hope and wait that it is a trouble-free patch unlike previous
releases. We will keep you posted with regards to the update. Clickthis for the official news.

We captured a spam mail in our honeypot
system earlier. It attempts to fool the targeted user that e-gold
Ltd has come up with a ‘new security system’ that can be accessed
just by a click of a button. It also promises a number of safety
features that the said new system offers. But, that is just part of
their scam!


It uses social engineering to convince the targeted user to do what
the greedy scammers want to.


It displays a dialog box (see below) when the attachment is
executed. But, an average user will not notice that a malicious
program has been installed on his system as soon as he/she sees the
dialog box.




This malicious program will monitor the internet activity of the
affected system. If the monitored websites have been sensed by the
malicious program, its keylogging capability will be triggered.
These techniques of this malware, social engineering thru spam
combined with unnoticed malicious program, can add up to increasing
cases of identity theft.


As always, security awareness is a major concern. We better not
trust emails that we are not sure of its origin or sender
especially those with executable attachments. Be aware!


Additional details can be found here.

Two days ago we blogged a report about Sony installing a rootkit with the purpose of protecting its digital property from piracy.

A concern was raised since this rootkit can be used by a malware to hide itself from the process. Now that concern has just been confirmed to be a real threat…

According to the analysis made by a Sysinternal Researcher, the concern lies in the device driver “aries.sys”, which was confirmed to patch several functions via the system call table and that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$” even if its not part of the Sony software.

A malware author can now just drop the file aries.sys load it in the system and add “$sys$” to the malwares filename and presto! instant rootkit malware.

Also we just received a report that this is now being used by World of Warcraft Hackers to hide their cheat programs from the warden (a controversial anti-cheating program from Blizzard Entertainment).

There has been reports of emails being
spammed targetting PayPal users. It provides a link to where the
user can download a Paypal Security Tool, wherein fact the file
does not at all give your system security as what it should have
offered. It changes the DNS server of the workstation. So, instead
of being redirected to the legitimate PayPal site, the user will
end up logging in a ‘phishing site’. But, it would be not
noticeable since the address bar will still show you ‘paypal.com’.
Screenshots of the legitimate PayPal site and the PayPal phising
site is provided below.


PAYPAL SITE:




PAYPAL PHISHING SITE:




The file will be detected as TROJ_DNSCHANGE.F. It may only be PayPal for now but in
the future, malware authors may use all other sites.


For more details, you may visit:

Websensesecuritylabs
ISC Sans

A short write-up at the ISC
featured a bot worm that is reported to have the capability to scan
for vulnerable Cisco routers.


This bot was tagged by Symantec as
W32.Spybot.ZIF last November 1, 2005 and the malware was
reported to “scan a specified network range for Cisco routers
that may have vulnerable Telnet or HTTP servers running and report
results back to IRC.“


A cursory glance at the binary dump shows:


0003E600 0043E600 0 cisco23

0003E60A 0043E60A 0 Cisco Telnet

0003E640 0043E640 0 cisco80

0003E64A 0043E64A 0 Cisco HTTP

0003E7DA 0043E7DA 0 YZqbgff

0003E840 0043E840 0 [SCAN]: Exploit Statistics:

0003E85C 0043E85C 0 %s: %d,

0003E868 0043E868 0 Total: %d in %s.

0003E87C 0043E87C 0 [SCAN]: Current IP: %s.

0003E894 0043E894 0 [SCAN]: Scan not active.



Hmmm…


Trend Micro discovered and detected this malware as
WORM_RBOT.CMR as early as October 14, 2005. What’s more, we’ve
acquired new Upack-repacked samples of the same malware that will
be detected under the same name of WORM_RBOT.CMR.


Needless to say, let’s be sure that we patch those vulnerable Cisco
routers, ok?

TMIRT has received reports of email messsages with a malicious attachment being spammed in educational institutions targeting users to ‘check out’ and approve the attachment ‘and reply’ before November 1, Tuesday – yes that’s it folks… the target day should be today! Check out the email contents below:

Subject: Campus Life

Message Body:




Possible Attachments:

• Photo + Article.exe
  
• Photo + Article.scr
  
• Photo + Article.zip

NOTE: The .exe and .scr usually comes using the icon of a PDF file.



So far, we’ve seen only a couple of infections, including a university that put an online warning for the academe in their university website:



We’ve included some text here from the image above just in case the image is unclear:




Kinda like a nasty November 1 Halloween Trick (leave the Treat part out of it) because there is NO treat in what an infected user will experience once the malware is executed.

Using port 8080, the executed malware connects to Internet Relay Chat (IRC) servers and joins a channel, allowing a remote malicious user to issue the following commands that are locally executed on the affected system:

• Download and execute remote files
  
• Retrieve system information
  
• Update itself

Good news for Trend Micro customers though, this malware is detected by Trend as either BKDR_IRCBOT.BM, first seen and detected last Oct 26, 2005 or BKDR_BREPLIBOT.B , first seen and detected last Oct 29, 2005.

Other related malwares that started propagating the week just before this November 1 are:

BKDR_BREPLIBOT.A – first seen on Oct 26, 2005

WORM_IRCBOT.AJ – first seen on Oct 27, 2005


This is definitely one evidence of the increasing prolifiration of targeted attacks. The target entity in this case may most definitely be users among the academe and most probably be students who may be tricked into having their 5-minutes-of-fame-plus-photo-plus-article published “in the new campus magazine in an article headed ‘Campus Life'”!

Considered targets in these kinds of attacks vary and may range from operating systems to frequently-used applications or computing peripherals, or from geographical locations to user and institutional groups such as the educational group mentioned above. Let us continue to be more vigilant regarding these attacks in the days to come…

We have received numerous links, even resulting to more than a hundred, which aim to redirect the user to a specific URL. These malicious links may follow the following format:

http://{varies}.nl/info.html

All of these links have exactly the same contents, an encrypted script, which redirects those unlucky enough to click the malicious link to a malicious HTML file. This is now detected as HTML_MULTIEX.A

It takes advantage of the following Microsoft vulnerabilities:
MS03-011
MS05-001
MS05-013

The HTML exploits the target PC depending on certain conditions. Some of the conditions include the operating system of the target because exploits are usually OS-dependent.

So, what’s the moral lesson of the story? Always update your computers with the latest patches, you’ll never know if the website you stumbled into is malicious or not. Better safe than sorry eh?