September 2006 - Posts

I haven't seen this info anywhere else yet, but here you go....

Link below wasn’t live when I checked it either.

* VML Update Released (NEW)

Published: 2006-09-26,
Last Updated: 2006-09-26 17:53:13 UTC by Robert Danford (Version: 1)

Microsoft has just released an update to address the VML (VGX) issue.

The update can currently be found on Microsoft Update and is titled
Security Update for Windows XP (KB925486)

This URL should point to the right place: (not live as of 1:38PM EST)

It is recommended that the patch be applied immediately (after testing) unless a suitable mitigation strategy is in place.

Thanks to everyone that submitted analysis, news, samples, malicious website reports, etc.

More info:

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

MSN Worm Used to Download Adware Programs Posted by Elda @ 05:53 GMT

We have received reports from customers of suspicious pop-ups that were being spammed through MSN Messenger. Below is a sample message:

Licat.C Example

When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C. This is used to connect to [Removed].info and go.links4[Removed].biz

These websites contain a malicious IP address. Access to this address will again download other malware and adware from [Removed] and execute it on the infected machine.

One of the downloaded files is responsible for the pop-up messages that are being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.

Licat.C also attempts to overwrite the original MSN Messenger application client, msnmsgr.exe, with its own copy. So it is advised that you reinstall your MSN Messenger client after a Licat.C infection.

The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system - detected as The other is a Softomate adware installer - detected as Softomate toolbar.

Nowadays, instant messenger worms are being used to install adware programs. Be suspicious of unsolicited links in your IM client. Below is an illustration of the process:


F-Secure : News from the Lab - September of 2006.

Deja Vu - Request for W32.Pasobir Malware Sample (NEW)

Published: 2006-09-26,
Last Updated: 2006-09-26 12:29:30 UTC by Patrick Nolan (Version: 1)

If any ISC participants have a sample of W32.Pasobir we'd really appreciate a submission via our contact page.


"Periodically checks for both fixed and removable drives starting with drive D: that are attached to the system and copies itself as the following file:

[DRIVE LETTER]:\sxs.exe

Creates the following file containing instructions to start the worm when the drive is attached to the system:

[DRIVE LETTER]:\autorun.inf"

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Using ISA to help block VML exploit

Published: 2006-09-25,
Last Updated: 2006-09-25 23:11:25 UTC by Adrien de Beaupre (Version: 1)

For those of you that use MS ISA as a proxy, or even as a perimeter protective mechanism, Microsoft has posted an article on "Learn How Your ISA Server Helps Block VML Vulnerability Traffic (925568)".
This would be a highly recommended measure in a Microsoft centric environment, as one of the defence-in-depth layers of protection, not by itself. Please see the earlier diary entries on the VML vulnerability and its current exploitation here.

Adrien de Beaupré
Cinnabar Networks/BSSI

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Work faster Microsoft!!

VML vuln being actively exploited

Published: 2006-09-25,
Last Updated: 2006-09-25 23:41:46 UTC by Adrien de Beaupre (Version: 1)

Messagelabs has reported that E-cards are being used as an attack vector, exploiting the VML vulnerability in MS Internet Explorer to download malware. There has been an upswing of web sites hosting the exploit, and of course downloading malware.

A reader wrote in after having seen a VML exploit and reviewing his firewall logs. The following web site URLs are deliberately munged and obfuscated until the site owners respond to emails and phone calls advising them of the problem; do not click on them using any web browser on a Microsoft platform.
The first site is
http:// www .allied(snipped) parts .com
The bottom of that page contains an iframe which loads:
http:// www .traffl(snipped) .info/out.php?s_id=1
Which goes and gets:
http://www .webmasters(snipped) .com/s_test/test/ vml_sp2_gamer .htm

Which contains the VML exploit. The fun doesn't stop there!
By now this system is thoroughly owned, and more malware follows.

vml_sp2_gamer.html pulls gamer.exe off the same site, which in turn grabs gamer1.exe and counter.exe and also reports successful infection to another URL, raff  gamer1.exe is a password stealer that is even seen by Clamav: Trojan.Spy.Goldun-141

Many thanks to Daniel and Swa and the other ISC handlers.

Adrien de Beaupré
Cinnabar Networks/BSSI

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

We did the same thing here, and so far there have been no issues.

De-registering vgx.dll in an enterprise

Published: 2006-09-25,
Last Updated: 2006-09-26 00:08:34 UTC by Adrien de Beaupre (Version: 1)

The following is one experience in a global enterprise environment sent in by a reader.


The following post is my experience with de-registering vgx.dll in a large, corporate and R&D environment with sites around the globe.

The purpose is to present our actions and findings.  I make no promises, guarantees, etc. that this will work for others. So please be sure to do your own testing and risk analysis.

All of that said ... I hope that my point of view helps to possibly aid others in their efforts to find an effective mitigation strategy for this vulnerability.

Since the early whisperings of exploits for the vulnerability, and then 'suggested' work-arounds, de-registration of the vgx.dll has been at the top of our list of possible mitigations.

Starting (very) early on Friday morning, and going through an 11 hour day, our InterOp team tested the effects of the de-registration on as many different system configurations as they could.  In the end they found no issues and supported this recommendation for mitigation.  Early Friday evening we put our plan in place and commenced with the de-registration of vgx.dll from all of our ~38,000 corporate and ~8,000 R&D systems.  By late-evening 1/3 of our targets had the dll de-registered; there were no reported issues with business critical systems and applications, there were calls to the help desks and there were no issues from our R&D folks.

Two and a half days after putting the plan in place 98% of our systems have had the dll de-registered and things remain stable and quiet on all fronts.

There have been some reports of system slow-downs by employees but after investigation there were no clear linkages between the actions taken and the symptoms observed.  In most cases a simple reboot solved the problem.

We continue to monitor the situation as well as staying in contact with Microsoft to ensure that our environment remains stable and malware free.


Thanks for sharing Eric.

Adrien de Beaupré
Cinnabar Networks/BSSI
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Warezov.AT Posted by Sean @ 12:44 GMT

There have been several posts regarding Warezov this month and it remains busy. It reached variant AA on the 12th and we have now reached variant AT. Detections for Warezov.AT were added with database 2006-09-25_01.

We've received several submissions of Warezov, so we published a Radar 2 Alert about it today.

IS2007 Note: We tested Warezov.AT as we did with an earlier variant, and System Control continues to block it automatically.

F-Secure : News from the Lab - September of 2006.

VML Candid Camera

Sep 22 2006 11:00AM


Now that we are seeing VML exploits proliferate across the Internet, we thought it would be fun to grab a video capture of what happens when a workstation visits an infected site. We did a similar video when the WMF zero-day was released and our workstation was instantly flooded with Spyware applications and pop-ups galore. It was an impressive sight and obvious that you had just visited an infected site.

So, we fired up our trusty video capture tools and pointed a VMWare workstation at a random site where our miners had recently discovered an iframe containing a VML exploit.

But...what's this? Nothing happened, or so it seemed.

We were hoping to capture another onslaught of Spyware, but this malware author had something else in mind. Digging a little further, we discovered that this exploit is being used to install a new variant of a keylogger called Goldun. The attacker doesn't want you to be suspicious, so they have made certain that the infection process is as unobtrusive as possible. You are given no indication that there was anything wrong with the website you just visited.

After we visit the infected site, we log into a PayPal account to show you an example of the information that can be stolen. This keylogger operates by indiscriminately capturing the entire contents of EVERY web form on any page -- all data entered into your financial, webmail, and Intranet sites can be captured. We added some commentary to the end of the video to provide a brief explanation of what happens behind the scenes.


Visiting the website shown in this video can and will infect your computer - even if you have removed vgx.dll - it contains multiple exploits, including one for an older version of Firefox. Please DO NOT visit this site.

Note on our codec choice:
We chose WMV9 because we've found it to be the only widely installed codec that keeps desktop text readable while maintaining a web-friendly file size. Hint to our 'nix friends: apt-get install w32codecs

Websense® - Blog: VML Candid Camera.

Just as I predicted. The only real way to protect against this is to unregister the DLL until a patch is released by Microsoft.

VML exploits with OS version detection (NEW)

Published: 2006-09-24,
Last Updated: 2006-09-24 20:46:46 UTC by Daniel Wesemann (Version: 1)

We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect; some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late. The exploit versions seen so far usually pull and run an EXE file, but adding patterns for new EXE payloads is an arms race the AV vendors can't win. If you have the option, we suggest you use the work around of unregistering the DLL as indicated in our earlier diary entry.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Netcraft Report - HostGator servers exploited via cPanel, allowing redirection & VML exploitation (NEW)

Published: 2006-09-23,
Last Updated: 2006-09-23 23:05:27 UTC by Patrick Nolan (Version: 1)

Netcraft's Rich Miller is reporting on VML related exploitation, details at "HostGator: cPanel Security Hole Exploited in Mass Hack". The article also contains links to their earlier coverage.

"By early Saturday morning, HostGator managers were assuring users that the cause of the redirections had been isolated, and was due to a new exploit targeting cPanel."

The article details and references a fix that is at the cPanel site.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

MSN-Worms exploit MS pif filter vulnerability (NEW)

Published: 2006-09-23,
Last Updated: 2006-09-23 23:03:34 UTC by Patrick Nolan (Version: 1)

Kaspersky's blog, always a great read, is reporting that there are some "epidemic level" MSN-Worms (see Do you like photos?) that "spread using links to .PIF files". They go on to say:

"But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work."

While you're there also check out their excellent Kaspersky Security Bulletin, January - June 2006: Malware Evolution released 09/22.

Thanks for the heads up Kaspersky!

And readers please remember (sticking tongue firmly in cheek) Microsoft says "Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software. While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor. Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. Microsoft cannot provide similar assurance for independent third party security updates or mitigations."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
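As an added illustration, not code from the Kaspersky post or the ISC diary above, the following Python contrasts a case-sensitive substring block (the behaviour the quoted post describes) with a case-insensitive, extension-based check applied to every URL in a message; the sample messages and the example.invalid URLs are constructed.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample messages modelled on the ".PIF" case trick described in
# the quoted post; example.invalid is a reserved name, not a real worm site.
SAMPLE_MESSAGES = [
    "check this out http://example.invalid/photo942.pif",
    "do you like photos? http://example.invalid/photo942.PIF",
    "lol http://example.invalid/pics/Photo.Pif?x=1",
    "http://example.invalid/me.pIf#frag",
    "normal chat, nothing attached",
    "http://example.invalid/album/holiday.jpg",
]

# Extensions Windows will execute directly; compared in lower case only.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def naive_filter_blocks(message: str) -> bool:
    """Case-sensitive substring test: the weak filter the quoted post describes."""
    return ".pif" in message


def extension_of_url(url: str) -> str:
    """Lower-cased extension of the URL's last path segment; query and fragment ignored."""
    path = unquote(urlparse(url).path)
    name = path.rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces when resolving a file name, so do the same.
    name = name.rstrip(". ")
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def hardened_filter_blocks(message: str) -> bool:
    """Block if any URL in the message ends in a blocked extension, regardless of case."""
    return any(extension_of_url(u) in BLOCKED_EXTENSIONS for u in URL_RE.findall(message))


def compare(messages):
    """Return (message, naive verdict, hardened verdict) for each message."""
    return [(m, naive_filter_blocks(m), hardened_filter_blocks(m)) for m in messages]


if __name__ == "__main__":
    for m, naive, hard in compare(SAMPLE_MESSAGES):
        print(f"naive={naive!s:5} hardened={hard!s:5} {m}")
```

Only the all-lower-case ".pif" message trips the naive check; the hardened check catches every case variant while leaving the .jpg link and the plain chat line alone.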

Title: Microsoft Security Advisory Notification
Issued: September 22, 2006

Security Advisories Updated or Released Today

* Microsoft Security Advisory (925568)

  - Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution

  - Reason for Update: Advisory updated with third party security updates FAQ, un-register vgx.dll workaround updated, and ISA Server workaround added.



Title: Microsoft Security Advisory Notification
Issued: September 19, 2006

Security Advisories Updated or Released Today

* Microsoft Security Advisory (925568)
  - Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution
  - Revision Note: Advisory published


Mailbag Q&A concerning MS Desktop Search add-on vulnerabilities (NEW)

Published: 2006-09-23,
Last Updated: 2006-09-23 22:58:44 UTC by Patrick Nolan (Version: 1)

We received an inquiry from Ricardo Calina which asked if FolderShare (Diary item here) was "used on the new MSN Live Messenger?". After an inquiry to Microsoft about this and related questions (where else may it be, is it default enabled anywhere?) we received an answer that said "The one in MSN Messenger is different." and "FolderShare is not installed by default in any systems."

Thanks for the question Ricardo, and MS, thanks for the answer!

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Zeroday Emergency Response Team (ZERT) (NEW)

Published: 2006-09-22,
Last Updated: 2006-09-22 15:48:54 UTC by Ed Skoudis (Version: 1)

Several readers have written to us about the newly formed Zeroday Emergency Response Team (ZERT).  It looks like they will endeavor to create, test, and distribute patches (yes, we know about all the controversies of third-party patches... so please don't flood us with rants for or against them).  Still, we find the ZERT concept interesting, and thought you might want to read about it.  You can read more about ZERT and the people running it in an article by eWeek here.  Gadi Evron, operations manager for ZERT, points out that they have recently released a third-party patch for the VML vulnerability.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
