It has been confirmed that the newly emerged WORM_STRATION (Stration) family of worms includes worm activity that makes use of Skype.
SAP is the largest business application and Enterprise Resource Planning (ERP) solution software provider in terms of revenue.
CYBSEC Security Systems has discovered a vulnerability in SAP IGS which, when exploited, can result in remote code execution with LocalSystem privileges on Windows and with the SAP system administrator account on UNIX systems.
For more information about the vulnerability, read here.
SAP has already released a solution for this and customers that are affected should apply the patch as soon as possible. For more information about the patch read SAP Note 968423.
We’ve seen the spamming of TROJ_SMALL.EDW and TROJ_STRAT.CJ; now here comes another spammed Trojan with the attachment name “Rechnung.zip”. This incident is similar to an earlier blog post, Bogus 1&1 Bill from Germany.
The executable file in the zip archive has the following properties:
- MD5: 0B9BC464379180B6A813B85D94D21E9D
- File Size: 16,896 bytes
Here are some sample email details:
Trend Micro will soon detect this malware as TROJ_YABE.AV.
Microsoft Help Workshop is vulnerable to a remote code execution exploit while processing malformed .cnt files.
A proof of concept (PoC) by porkythepig has already been released and can be found on numerous sites such as milw0rm.com.
Microsoft Help Workshop is not included in the default installation of Microsoft Windows; it is, however, a standard component of MS Visual Studio v6 and 2003 (.NET). If .cnt files are already associated with Help Workshop, all that’s needed is for the user to double-click the file, so please still be on the lookout for malware exploiting this vulnerability.
Still, the best approach here is user alertness: be wary of email attachments with the .cnt extension, and indeed of ALL email attachments, especially if you’re not expecting any.
I noticed that in the past two days there has been suspicious activity on port 80 (HTTP). Our smallpot system captured packets sent to this port and, after some rough analysis, it is clear that the packets are exploiting the ASN.1 vulnerability (MS04-007), so machines not patched against MS04-007 are affected. Below, I show part of the packet while it is still Base64 encoded, and the payload part of the packet after decoding.
Still base64 encoded:
After decoding:
This incident is not as widespread as what we saw back in 2005. It does mean that there are still users with machines unpatched against known vulnerabilities. On the bright side, the fact that the count of packets received is low suggests that users are becoming educated about security threats and are applying security patches to their machines.
Again, users are advised to apply the security patches provided by the software vendor to be protected from attacks exploiting known, old vulnerabilities. Always keep your antivirus pattern files updated. This is important if your business relies on connecting to the open Internet, as it lowers the chance of infection by malicious software.
Did you know that in Germany, you have to pay to watch television?
I’m not talking about cable subscription or even the staggering electric bill one has to pay for the hours spent staring at the TV screen. In Germany, you literally have to pay for the mere act of watching a little bit of telly.
Yep, as regulated by law, those living in Germany have to get a license for their television sets (and radio, too). This is because the costs of public radio and television broadcasting are paid with fees, which are collected by GEZ (Gebühreneinzugszentrale). According to this article, the cost is EUR5.52 a month for a radio and EUR17.03 for a television, which includes the radio fee. And like I said, the fee does not include fees for cable television…
Sounds complicated? Well, adding to the complication is TROJ_AGENT.JAW, yet another one of those Rechnung malware, which TrendLabs has discovered being spammed in an email message supposedly coming from GEZ. According to the message, the recipient has unpaid bills amounting to EUR445.99. The attached “PDF” file (which is a copy of the Trojan) supposedly has more details about the bill. Of course, when an unsuspecting user executes the attached Trojan, it downloads spyware detected as TSPY_BZUB.CJ.
An interesting piece of social engineering, isn’t it? GEZ has been around for a long time, yet this seems to be the first time it has become entangled with the malicious world of computer threats. What does a TV and radio permit have to do with malware anyway?
Pretty much everything, actually, because just this new year GEZ started requiring Internet-capable computers to be licensed, too. Thus, computer users who have been using the Web to watch TV or listen to the radio may need to pay up.
And that’s what this Trojan is all about — preying on guilty Internet users.
Trend Micro detects this Trojan and its downloaded spyware with the latest pattern file. However, users are still advised not to open email attachments that come from untrusted or unexpected sources. Of course, honesty is still the best policy…
Apparently, social engineering techniques always come in handy when staging what has become more popular these days: profit-driven, focused attacks.
Being today’s largest Web hosting company, the German provider 1&1 easily became an attractive target for malware authors; hence the release of TROJ_YABE.AS. This Trojan arrives via spammed email. It uses the following details to lure users into thinking that the attachment is legitimate:
Subject: Internet AG – Your calculation 4930290
Email body:
Very more honored 1&1 customers,
enclosed you receive your invoice from the 31.12.2006. The total sum for your bill in the December amounts: 89.99 euros.
According to the given direct-debit authorization we will draw the amount during the next days of your account.
You will find attached the calculation in the PDF-EXE format. For reading and printing you need no additional program!
Our 1&1 team answers your questions to your invoice under 0180 5 201 026 (12 ct/Min.)
By the way: We have extended our service times for you and now are available from Monday – Saturday 08:00 – 20:00 o’clock.
Yours sincerely,
1&1 WebHosting team
[This is automatically generated news, please you do not answer to this sender. If you have questions to 1&1 Support, use please the contact form under www.{BLOCKED}nd1.de/cc]
Yes, sending spam with a touch of treachery may be old news but according to Alice Decker, Senior Researcher of Trend Micro EMEA, the words used in the spammed email message are persuasive. In addition, Decker points out that “The smart part of the social engineering in the email body is the reference to the attached file type (EXE-PDF)”.
On its first day of release (January 9, 2007), there were already several cases related to TROJ_YABE.AS originating from Europe, as well as one from Asia. Trend Micro already detects the said malware in OPR version 4.171.00.
Well, within the past few months there have been several browser-related vulnerabilities. This time around, a concern has been raised regarding the Adobe Reader PDF plugin.
One of the features the PDF plugin offers is the use of what Adobe refers to as “Open Parameters”. These parameters can be specified in the URL fragment. Take for example the SEARCH parameter:
http://www.somesite.org/somefolder/somefile.pdf#search=”keyword”
Taking this into consideration, one can simply supply a custom parameter to have the plugin execute a script, using the following format:
http://[URL]/[FILENAME].pdf#something=javascript:alert(123);
This merely executes a JavaScript snippet that shows an alert message, but we all know that malware authors can think up more creative ways of exploiting this vulnerability. (hmm.. another AJAX worm perhaps?)
The attack is made possible by the security flaw that exists in the PDF plugin for browsers. Normally, most XSS attacks can be mitigated by fixing and patching the vulnerable scripts or browser, or by adding security checks on the server side. In this case, however, the flaw is in the plugin itself, and the browser never sends the URL fragment to the server, so server-side checks cannot see the injected parameter. The issue has already been fixed in the latest version of Adobe Reader (version 8), so it would be best to update your software ASAP to avoid any further problems.
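The following is an added example, not code from the original post or from Adobe: a small link check in the spirit of the fix discussed above, which flags URLs that point at a PDF and carry an open parameter whose value is a `javascript:` URI. The function names (`parseOpenParameters`, `isSuspiciousPdfUrl`, `flagPdfLinks`) and the host names and paths in the sample links are assumptions constructed for this example.

```javascript
// Added example (not from the original post or from Adobe). It flags URLs
// that target a .pdf and carry an Adobe Reader "open parameter" in the URL
// fragment whose value is a javascript: URI, the pattern the post describes.
// Host names and paths below are constructed placeholders.

// Split the fragment ("#a=b&c=d") into a name -> value map and report
// whether the path looks like a PDF.
function parseOpenParameters(urlString) {
  const url = new URL(urlString); // throws on malformed input
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const params = {};
  for (const part of fragment.split('&')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = eq === -1 ? part : part.slice(0, eq);
    const value = eq === -1 ? '' : part.slice(eq + 1);
    params[name.trim().toLowerCase()] = value;
  }
  return { isPdf: url.pathname.toLowerCase().endsWith('.pdf'), params };
}

// Percent-decode a value, leaving it unchanged if the encoding is malformed.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch {
    return value;
  }
}

// True when the URL targets a .pdf and any open parameter value is a
// javascript: URI, compared case-insensitively after stripping whitespace
// and percent-encoding so trivial obfuscation does not slip through.
function isSuspiciousPdfUrl(urlString) {
  let parsed;
  try {
    parsed = parseOpenParameters(urlString);
  } catch {
    return false; // not a parseable URL, nothing to flag
  }
  if (!parsed.isPdf) return false;
  return Object.values(parsed.params).some((value) => {
    const normalized = safeDecode(value).replace(/\s+/g, '').toLowerCase();
    return normalized.startsWith('javascript:');
  });
}

// Return the subset of links that should be blocked or quarantined.
function flagPdfLinks(links) {
  return links.filter(isSuspiciousPdfUrl);
}

// Constructed sample links mirroring the two URL shapes shown in the post,
// plus an encoded variant and a non-PDF link that must not be flagged.
const SAMPLE_LINKS = [
  'http://docs.example.invalid/reports/annual.pdf#search="keyword"',
  'http://docs.example.invalid/reports/annual.pdf#something=javascript:alert(123);',
  'http://docs.example.invalid/reports/annual.pdf#page=3&x=JavaScript%3Aalert(1)',
  'http://www.example.invalid/index.html#x=javascript:alert(1)',
];

console.log(flagPdfLinks(SAMPLE_LINKS));
```

Because the browser never sends the fragment to the web server, a check like this only helps where the full link text is visible, for example in a mail gateway or link scanner inspecting message bodies, or in the page that renders the links. It is a detection aid, not a substitute for updating Reader.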
On January 9, 2007, Microsoft will be having its first Patch Tuesday of 2007. They plan to release 8 updates for the said event, with Critical as the maximum severity rating.
- Three Microsoft Security Bulletins affecting Microsoft Windows.
- One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Visual Studio.
- One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Office.
- Three Microsoft Security Bulletins affecting Microsoft Office.
We hope that MS will patch the Word zero-days discovered last December, since they were left out of last month’s patch. More information to come on January 9.
The last month of 2006 proved to be as eventful as the holidays. For December, we’ve seen various zero-days, unique malware techniques, and of course, ingenious social engineering that takes advantage of the joyous season.
December was greeted by new findings regarding WORM_NUWAR. After a few days of intensive analysis, it was found that WORM_NUWAR “reads” CNN.COM to determine the “Most Popular News”. The headlines it finds can then be used as e-mail subjects for WORM_NUWAR-generated mails. Talk about being up to date!
But NUWAR does not stop there. In an effort to infect sensitive institutions, NUWAR sends e-mails to addresses containing “Microsoft”, “mil”, and “gov” as substrings.
Why it can get worse:
A polymorphic e-mail subject that is sensible and timely is a great, great, great social engineering technique.
Another interesting piece of malware technology encountered last December is the PHP malware PHP_PBOT.A. PHP_PBOT.A looks like SDBOT source code translated to PHP. As such, this malware behaves like bot malware: it is capable of joining an IRC channel and performing routines triggered by a remote malicious user.
Why it can get worse:
Though the routines of PHP_PBOT.A are limited to performing DoS attacks and file downloads, it is highly possible that worm-like propagation techniques and exploits will be incorporated into this PHP malware.
Social Networking Sites
Social networking sites are slowly becoming the favorite infection vector for malware authors. With tens of thousands of registered users connected to each other by only several degrees of separation, using a social networking site as an infection vector assures the malware author a large target user base, with the added benefit of riding on a legitimate site.
A malware that exploits a vulnerability in MySpace and a worm that uses a Yahoo! 360 blog as an accomplice were both found last December.
Why it can get worse:
Because social networking site users are mostly teens and 20-somethings who are computer literate, have access to the Internet, spend a great deal of time surfing, and constitute the majority of Internet users, they become the perfect prey for malware authors.
Word Exploits
For December, there were two reports of zero-day Word exploits in the wild. Trend Micro was not able to acquire a sample for the first zero-day (due to non-disclosure clauses), while the second zero-day is already detected as TROJ_MDROPPER.EB.
As if the first two weren’t enough, another proof-of-concept (PoC) Word exploit was released by the vulnerability research group Milw0rm.
Why it can get worse:
December 12 (MS Patch Tuesday) came and went, but not a single fix for Word was included.
First MS Vista Vulnerability
Two days before Christmas, Microsoft Security Response Center confirmed the existence of a vulnerability that works on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and… Windows Vista!
Why it can get worse:
Microsoft’s statement regarding Vista’s “hardened kernel” is true, but it surely doesn’t mean Vista is invulnerable. Guess it’s only a matter of time before we witness a new wave of malware that is Vista “compliant”.
Christmas Season
Of course, no malware author in his right mind would pass up the opportunity to use the holidays as a social engineering trick.
TROJ_STRAT.IG was reported to be spammed anew with Christmas-themed e-mail subjects. The same goes for TROJ_PPDROPPER, which was spammed as an attachment with the filename Christmas+Blessing-4.ppt. WORM_NUWAR then followed suit by greeting us “Happy New Year!”
Why it can get worse:
Well, thank goodness the Christmas season is over! But then, Valentine’s Day is just around the corner.
Other notables
Of course, no month would be complete without the discovery of another ZLOB variant hosted on a fake site, a malware posing as a video, another malware posing as an MP3 plug-in, and most of all, another round of STRATION attacks.