There has been a noticeable change in the number of security updates that Microsoft will be releasing on January 9, as seen on its ‘Advance Notification’ website. Instead of the original eight (8) updates, the count has been reduced to four (4). The reason was not announced, but this might have been due to some QA process problems, just maybe…
Being a Microsoft ally may spell profits, but it also spells malicious users out to find cracks in your armor. Trend Micro discovered such a crack this week in a third-party application commonly used on Windows Mobile, a compact version of Windows designed for mobile devices such as Pocket PCs and smartphones.
This flaw involves a specially-crafted PNG file causing a buffer overflow when opened in Resco Photo Viewer. It affects mobile devices running Windows Mobile 5.0, 2003, and 2003SE. Note that buffer overflows open up the affected system to malicious code injection and execution.
Trend Micro ascertains that Resco Photo Viewer v4.11 and v6.01 are affected. However, versions in between the two mentioned may also be vulnerable.
Users are advised not to open files using the said photo viewer until its manufacturers release an appropriate patch.
As digital and streaming media steadily gain momentum, computers are no longer just machines for processing data — they are now full-fledged media centers. Unfortunately, along with the increasing popularity of video download and video streaming comes malware attempting to ride on and take advantage of it. One such malware is the ZLOB family of Trojans. Read a comprehensive article about ZLOB here: The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats.
Well, within the past few months there have been several browser-related vulnerabilities. This time around, a concern has been raised regarding the Adobe Reader PDF plugin.
One of the features the PDF plugin offers is the use of what Adobe refers to as “Open Parameters”. These parameters are specified in the URL, after the # sign. Take for example the search parameter:
http://www.somesite.org/somefolder/somefile.pdf#search=”keyword”
Taking this into consideration, a script can be executed simply by specifying a parameter of one's own, using the following format:
http://[URL]/[FILENAME].pdf#something=javascript:alert(123);
This merely executes a piece of JavaScript that shows an alert message, but we all know that malware authors can think up more creative ways of exploiting this vulnerability (hmm… another AJAX worm, perhaps?).
The attack is made possible by a security flaw in the PDF plugin for browsers. Normally, most XSS attacks can be alleviated by fixing and patching the vulnerable scripts or browser, or by adding security checks on the server side. In this case, however, the issue has already been fixed in the latest version of Adobe Reader (version 8), so it would be best to update your software as soon as possible to avoid any further problems.
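As an added, defensive illustration (not code from the original post), here is a small Python filter for link sanitizers or proxy logs that parses the open-parameter fragment of a PDF URL and rejects anything beyond a conservative allow-list of parameter names and value shapes; the allow-list and the value patterns are assumptions of this example, not Adobe's full specification.

```python
import re
from urllib.parse import urlsplit, unquote

# Conservative allow-list of Adobe Reader open parameters and the value
# shapes this filter accepts (an assumption of this example, not a full list).
ALLOWED = {
    "page": re.compile(r"^\d{1,5}$"),
    "zoom": re.compile(r"^\d{1,4}(,\d{1,5},\d{1,5})?$"),
    "nameddest": re.compile(r"^[A-Za-z0-9_.-]{1,64}$"),
    "search": re.compile(r'^"?[\w .-]{1,128}"?$'),
    "view": re.compile(r"^(Fit|FitH|FitV|FitB|FitBH|FitBV)(,\d{1,5})?$"),
    "toolbar": re.compile(r"^[01]$"),
    "navpanes": re.compile(r"^[01]$"),
}

# Any URL scheme that would hand control to script rather than to the viewer.
SCRIPT_SCHEME = re.compile(r"(?i)(javascript|vbscript|data)\s*:")


def check_pdf_open_params(url: str):
    """Return (safe, reasons) for a link; non-PDF links are left alone.

    The fragment after '#' is where Reader's open parameters live, and it is
    also where the attack described above places a 'javascript:' value, so
    that is the only part of the URL inspected here.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".pdf"):
        return True, []
    fragment = unquote(parts.fragment)   # decode %xx so encoded schemes are seen
    if not fragment:
        return True, []
    reasons = []
    for pair in fragment.split("&"):
        name, _, value = pair.partition("=")
        name, value = name.strip().lower(), value.strip()
        if SCRIPT_SCHEME.search(value):
            reasons.append(f"script scheme in '{name}'")
            continue
        pattern = ALLOWED.get(name)
        if pattern is None:
            reasons.append(f"unknown parameter '{name}'")
        elif not pattern.fullmatch(value):
            reasons.append(f"unexpected value for '{name}'")
    return not reasons, reasons
```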
On January 9, 2007, Microsoft will have its first Patch Tuesday of 2007. It plans to release eight updates for the event, with Critical as the maximum severity rating:
- Three Microsoft Security Bulletins affecting Microsoft Windows.
- One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Visual Studio.
- One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Office.
- Three Microsoft Security Bulletins affecting Microsoft Office.
We hope that MS will patch the Word zero-days discovered last December, since they were left out of last month’s patch. More information to come on January 9.
The last month of 2006 proved to be as eventful as the holidays. For December, we’ve seen various zero-days, unique malware techniques, and of course, ingenious social engineering that takes advantage of the joyous season.
December was greeted by new findings regarding WORM_NUWAR. After a few days of hardcore analysis, it was found that WORM_NUWAR “reads” CNN.COM to determine the “Most Popular News”. The headlines it finds can then be used as e-mail subjects for WORM_NUWAR-generated mails. Talk about being up to date!
But NUWAR does not stop there. In an effort to infect sensitive institutions, NUWAR sends e-mails to addresses with “Microsoft”, “mil”, and “gov” as sub-strings.
Why it can get worse:
A polymorphic e-mail subject that is sensible and timely is a great, great, great social engineering technique.
Another interesting piece of malware technology encountered last December is the PHP malware PHP_PBOT.A. PHP_PBOT.A looks like SDBOT source code translated to PHP. As such, this malware behaves like a bot – capable of joining an IRC channel and performing routines triggered by a remote malicious user.
Why it can get worse:
Though the routines of PHP_PBOT.A are limited to performing DoS attacks and file download, it is highly possible to incorporate worm-like propagation techniques and exploits into this PHP malware.
Social Networking Sites
Social networking sites are slowly becoming the favorite infection vector for malware authors. With tens of thousands of registered users connected to each other by only a few degrees of separation, using a social networking site as an infection vector assures the malware author a large target user base, with the added benefit of using a legitimate site.
A malware that exploits a vulnerability in MySpace and a worm that uses a Yahoo! 360 blog as an accomplice were both found last December.
Why it can get worse:
Because social networking site users are mostly teens and 20-somethings who are computer literate, have access to the Internet, spend a great deal of time surfing, and constitute the majority of Internet users, they become the perfect prey for malware authors.
Word Exploits
For December, there were two reports of zero-day Word exploits in the wild. Trend Micro was not able to acquire a sample for the first zero-day (due to non-disclosure clauses), while the second zero-day is already detected as TROJ_MDROPPER.EB.
As if the first two weren’t enough, another proof-of-concept (PoC) Word exploit was released by the vulnerability research group Milw0rm.
Why it can get worse:
December 12 (MS Patch Tuesday) came and went, but not a single fix for Word was included.
First MS Vista Vulnerability
Two days before Christmas, Microsoft Security Response Center confirmed the existence of a vulnerability that works on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and… Windows Vista!
Why it can get worse:
Microsoft’s statement regarding Vista’s “hardened kernel” is true, but that surely does not make Vista invulnerable. Guess it’s only a matter of time before we witness a new wave of malware that is Vista “compliant”.
Christmas Season
Of course, no malware author in his right mind would pass up the opportunity to use the holidays as a social engineering trick.
TROJ_STRAT.IG was reported to be spammed anew with Christmas-themed e-mail subjects. The same goes for TROJ_PPDROPPER, which was spammed as an attachment with the filename Christmas+Blessing-4.ppt. WORM_NUWAR then followed suit by greeting us “Happy New Year!”
Why it can get worse:
Well, thank goodness the Christmas season is over! But then, Valentine’s Day is just around the corner.
Other notables
Of course, no month would be complete without another ZLOB variant hosted on a fake site, another malware posing as a video, another posing as an MP3 plug-in, and most of all – another round of STRATION attacks.
The holidays have come and gone, but malware hitching a ride on holiday cheer still persists. Trend Micro recently detected TROJ_DLOADER.IAR arriving as an attachment to spammed e-mail messages. It arrives as a ZIP archive that contains the file FLASH_HAPPY_NEW_YEAR.EXE.
This Trojan modifies the HOSTS file and downloads other possibly malicious files onto affected computers. As of this writing, however, its download URLs are unavailable.
When Julius Caesar arrogantly proclaimed “Veni. Vidi. Vici.” (I came. I saw. I conquered.) to describe his swift and total victory in the Battle of Zela, he must have been sitting atop his horse and looking over his spoils, contemplating the lethal brilliance of his planning. Sitting atop its Trojan spyware, one of this year’s most prevalent file infectors, PE_LOOKED, can lay claim to that same arrogance. To know why, read an in-depth article about PE_LOOKED’s routines and payloads here: PE Came, LOOKED, and Conquered.
On December 20, Trend Micro detected the 879th TSPY_QQPASS variant in the wild. This variant joins the almost 1,200 members of the ever-growing QQPASS family, which includes spyware, worms, backdoors, Trojans, and even scripts. In recent months, QQPASS has consistently been one of the most prevalent Trojan spyware (TSPY) families around, based on actual customer submissions.
This information-stealing threat family targets Tencent QQ, an instant messaging application hugely popular in Mainland China and South Africa. It hooks an infected computer’s keyboard and mouse to steal QQ login information.
Proof of its notoriety is the news-grabbing event it stirred in Japan last October. One of QQPASS’ worm variants was found to be infecting more than 10,000 MP3 players given away by McDonald’s Japan as prizes. The event prompted a public apology and a mass recall operation from the fast-food chain.
In an article, Miray Lozada, Associate Engineer at Trend Micro, documents QQPASS’s behavior and describes how stolen information can be used by the malware author. The writer further infers that monetary reward is the motive pushing this threat family to stay in the wild for so long and evolve with the changing threat landscape.
Read the article here: QQ Me… But TC :(.
This Christmas, malware authors still seem to be pretty busy spreading malicious code instead of holiday cheer.
Trend Micro discovered today a new virus that infects 64-bit Windows operating systems (AMD64). Detected as W64_ABUL.A, this virus infects 64-bit systems by injecting its code into all executable (.EXE) files in drive C and its subfolders.
To date, W64_ABUL.A is probably the third known file infector to target 64-bit systems, and the second to target the AMD64 platform. The first was W64_RUGRAT.A, discovered in May 2004, followed by W64_SHRUGGLE.A, which came out in August 2004. Both of these viruses were considered proof-of-concept viruses created by an author (who calls himself “roy g biv”) to prove that new systems are penetrable by virus attacks.
Well, that much is true nowadays, and we all know that the current trend is to attack new and different platforms as much as possible for profit.
With W64_ABUL.A, however, it seems the authors of this virus are just out to taunt the AV industry, as is plain from the malware code. This file infector creates the following mutex to mark its presence on a system:
64_absolute by tM & SH,a nice gift for all the AV
community, Marry X.mas to all the AV
Since this file infector targets 64-bit systems, it is not able to infect 32-bit files. It also cannot run on 32-bit processors without software that enables these processors to support 64-bit programs. Clearly, there is no intention to make this virus widespread.
A warning or just pure mockery, whatever is behind this “holiday greeting”, it shows that malware authors can and will always try to use all available means to spread their malicious code.