Symantec Blogs: Security Response

Hon Lau | July 16th, 2009

Web browsers have been having a torrid time of late; it seems the only people paying them any great attention these days are those looking for new 0-day vulnerabilities. Two weeks ago we blogged about the Microsoft Video Streaming ActiveX control vulnerability (Microsoft Windows 'MPEG2TuneRequest' ActiveX Control Remote Code Execution Vulnerability – BID 35558), which can be exploited mostly through the older but still widely used versions of Internet Explorer, 6 and 7. That vulnerability was quite widely used by malware in the attack involving a Trojan named Downloader.Fostrem. The Trojan in turn downloads various other bits and pieces of malware that we detect as Backdoor.Trojan and...

Hon Lau | June 19th, 2008

Most people are well aware of the potential problem posed by software vulnerabilities that are publicly announced, but many of these vulnerabilities can remain unpatched by the relevant vendors. Dealing effectively with security problems posed by software vulnerabilities is a two-way street. You count on your software vendors to quickly bring out reliable patches and once they are available, your end of the bargain is to apply them as quickly as possible. Many software vendors are attempting to address their share of the issues in relation to patch development and distribution. The problem is, many users are still slow to apply new software patches, for various reasons. It is this gap between the availability of patches and their application that is creating a window of opportunity for would-be attackers.

To add fuel to the fire, an interesting research report was recently published...

Hon Lau | February 9th, 2008

There has been a recent report from SANS about PDF files (1.pdf and b.pdf) containing a newly patched Adobe Reader/Acrobat exploit being widely distributed. The PDF files in question, which we detect as Trojan.Pidief.C, are believed to be spreading new variants of Trojan.Zonebac by downloading from the IP address 85.17.221.2 (at the time of writing the address is no longer reachable). Trojan.Zonebac is an old Trojan family that was discovered back in 2006; the Trojan attempts to disable security software and backs up certain executable files before replacing them with a copy of the Trojan as...

Hon Lau | December 13th, 2007

In the world of IT, many vendors publish software sprinkled with bugs and potential security holes. It is very difficult (some would argue next to impossible) and extremely costly to create totally bug- and vulnerability-free software. So software vendors usually aim for a balance between acceptable quality and cost. Of course that means some software contains bugs and vulnerabilities just waiting to be uncovered. In the majority of cases, the vendors and their software never come to the attention of malware creators, either because nobody bothered to look or because a "trailblazer" vulnerability has yet to be discovered.

For a few unlucky vendors who have had exploitable vulnerabilities exposed, they begin to appear on the radar of malware creators who, like vultures to a wounded desert animal, dive in on the software, attacking it from all angles, frantically trying to sink their claws into more tasty vulnerabilities.

Such is the case with JustSystems' Ichitaro, a Japanese...

Hon Lau | November 23rd, 2007

Symantec Security Response has observed web-based exploit attacks using a previously unknown vulnerability in the Xunlei Thunder PPlayer ActiveX control. This is a component of the Chinese download accelerator and file-sharing application, Xunlei Thunder 5.7.4 401.

The attack originates from a server on the 522love.cn domain. If a user navigates to the site, a Web page hosted on the site employs a client detection technique to determine the appropriate exploit code that should be sent back to the requesting client in order to successfully exploit it. This technique is similar to the techniques used by the MPack attack kit that is already widely used. We have seen a whole range of vulnerabilities, both new and old, used by this site, including the following:

•...

Hon Lau | October 22nd, 2007

Some months ago I reported on a cross site scripting vulnerability relating to PDF files and browser handling of them. As it turned out, the vulnerability was not used in the wild much at all. Fast forward to October 2007, where we now have a new Adobe PDF vulnerability on our hands. First disclosed on September 20, 2007 by “pdp” on the Gnucitizen Web site, it was subsequently patched by Adobe yesterday.

One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

...

Hon Lau | May 26th, 2007

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader. This malware is yet another malware distribution and attack kit in the same vein as other kits, such as WebAttacker. This kit, called MPack, is a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend. It is sold by a Russian gang and comes ready to install on a PHP server, and it also comes complete with a collection of exploit modules to be used out of the box.

How it infects computers

Once the server is installed and running, all the owner has to do is to start generating some web browser traffic to it. They can do this by various...

Hon Lau | April 11th, 2007

Just in time to coincide with Microsoft Tuesday Patches, another new vulnerability is released to the world. This time the vulnerability was found in Windows Help (.hlp) files. This flaw enables an attacker to make use of a heap overflow in order to achieve arbitrary code execution.

Symantec Security Response has analyzed a sample of the proof-of-concept code and has released the Bloodhound.Exploit.135 detection to proactively detect potential threats that utilize the vulnerability.

At this point we have not seen this vulnerability actively exploited in the wild, but since there is no vendor-supplied patch available, we would urge users to remain vigilant, keep their security products up to date, follow safe computing guidelines and refrain...

Hon Lau | January 25th, 2007

We’ve seen many threats using vulnerabilities based on Microsoft Office documents over the last year, so it’s no surprise that we have recently observed new samples of a threat that follows the same theme. This threat, named Trojan.Mdropper.W, uses the new Microsoft Word 2000 Unspecified Code Execution Vulnerability (BID 22225) to drop threats onto a compromised computer. When the infected Word document is opened, it uses an exploit to drop some files onto the computer. These files are back door Trojans that enable an attacker to gain remote access to your computer.

This vulnerability comes on the back of three other recent and unpatched Microsoft Word vulnerabilities, which are:

BID21518 (CVE-2006-6456)
...

Hon Lau | January 3rd, 2007

We have received reports of a significant problem relating to Adobe Acrobat files and Cross Site Scripting (XSS). A weakness was discovered in the way that the Adobe Reader browser plugin can be made to execute JavaScript code on the client side. This stems from the “Open Parameters” feature in Adobe Reader, which allows for parameters to be sent to the program when opening a .pdf file. Like most things in life, this was a feature designed for benign usage, but unfortunately somebody has discovered that it can also be used for malicious purposes.

This development is significant for a number of reasons:
• The ease with which this weakness can be exploited is breathtaking. Use of this “feature” requires no exploitation of vulnerabilities on the server side.
• Any Web site that hosts a .pdf file can be used to conduct this attack. All the attacker has to do is find out who is hosting a .pdf file on their Web server and then piggyback on it to mount an attack....

Hon Lau | September 27th, 2006

This year will probably go down in history as the year of Microsoft Office vulnerabilities. Never before have we seen such a high level of activity around the discovery and exploitation of vulnerabilities in the Microsoft Office application suite. Ever since the uncovering of a series of vulnerabilities across the range of Microsoft Office applications in early March of this year, we have seen a considerable pickup in activity. We have been receiving a steady stream of new malicious code that uses zero-day exploits for one or more of the applications that make up this suite. Just to reinforce this point, on September 27, 2006, we received samples of new malware that uses yet another Microsoft PowerPoint zero-day vulnerability. We have added detection for this new Trojan as Trojan.PPDropper.F.

“Why the sudden interest in Office applications?” some...

Hon Lau | September 2nd, 2006

In recent months there has been a lot of activity around the discovery and exploitation of vulnerabilities in the Microsoft Office 2003 suite of applications. This activity led to the discovery of a large number of vulnerabilities in Microsoft Word, PowerPoint, and Excel, many of which were incorporated into new Trojans, such as the Trojan.PPDropper and Trojan.MDropper families. As a result, Microsoft has spent a fair amount of time and effort in patching security vulnerabilities in its Office 2003 suite.

In the past couple of days, we have seen samples of a Trojan that exploits a previously unknown vulnerability in Microsoft's Office applications. This time, it is in Microsoft Word 2000 running on Windows 2000. This Trojan (detected by Symantec products as Trojan.MDropper.Q) takes advantage of the vulnerability to drop another file onto the target...