Fake Microsoft Security Bulletin -> Malicious Browser Add-On

Published: 2007-06-08
Last Updated: 2007-06-11 21:19:42 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
Dave Edwards let us know about an email message that claims to be a Microsoft Security Bulletin:
Microsoft Security Bulletin MS06-4
Cumulative Security Update for Internet Explorer (113742734)
Published: June 3, 2007
Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.
Of course, the proper format for the bulletin number would be "MS06-004", not "MS06-4". Second, the number of a bulletin released in 2007 would start with "MS07", not "MS06".

The scheme is what you would expect: the message includes a link to what, it claims, is a patch that is supposed to address the issue. The file, hosted on a remote server, is called "updatems06.exe". It is a UPX-packed executable that is recognized as being malicious by half of the anti-virus engines available to VirusTotal.

The executable installs a malicious browser add-on (BHO)  "down.dll" on the victim's system in C:\WINDOWS\system32. Anti-virus engines that recognize the BHO as malware identify it as Agent.avk. This seems to be a downloader that is also may be capable of spying on the user's interactions with certain sites.

Update 1:

After analyzing down.dll, Symantec Security Response let us know that the program attempts contacting 3 servers via URLs that look like:
http://[server_name]/command.php?userid[REMOVED]
The remote command.php script seems to assist the program in creating a local configuration file that gets saved in %System%\commands.xml. The program uses the XML file to determine how to download and execute other programs from remote locations, saving them as %System%\file.exe.

None of the 3 servers where the program attempts to download the XML file are available at the moment. I find it interesting that 2 of the servers are expected to reside in domains that have not even been registered yet. It is possible that the attacker is still in the process of setting up his or her attack network. The other server is part of a domain that has been registered for a while; however, the server is not currently accessible. Google cache suggests that when the server was up, it was being used to record user passwords, probably as part of another attack campaign.

Update 2:

Please keep in mind that Microsoft never sends out updates as attachments (Thanks, Zot!) They have a page to explain the issue:
http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx

Update 3:

Upon our request, the ISP controlling the system that was distributing updatems06.exe removed the offending file from the server.


-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com
Keywords:
0 comment(s)

Possible FAA computer glitches?

Published: 2007-06-08
Last Updated: 2007-06-08 20:42:33 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
We are are hearing about potential FAA computer glitches on the US east coast. The FAA map shows some flight delays, but the reasons are unclear. We will update this diary as we get additional information.

Update 1: According to CBS, the FAA "experienced computer problems in departure planning early this afternoon, forcing numerous departure delays at airports nationwide. Officials said normal operations began returning between 1 p.m. and 2 p.m."

Update 2 (from Marc): According to the FAA, an FAA aeronautical database that regulates flight departures/arrivals crashed earlier today. The database consists of two systems, one in Atlanta and the other in Salt Lake City. The Atlanta system crashed at 0657 EDT and the Salt Lake City system, which runs off of Atlanta's, crashed quickly thereafter. The systems were back online by 1230 EDT and the current flight delays are a result of the air traffic catching up to the system being down for over five hours. The FAA advised that they have no preliminary information on the cause of the system crash and that it is still under investigation.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC
www.zeltser.com
Keywords:
0 comment(s)

2 Yahoo! Messenger vulnerabilities (with PoCs)

Published: 2007-06-08
Last Updated: 2007-06-08 15:47:58 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
Two brand new vulnerabilities for Yahoo! Messenger have been published on couple of security mailing lists. Both vulnerabilities are boundary errors in two ActiveX controls that come with Yahoo! Messenger: Webcam Upload (ywcupl.dll) and Webcam Viewer (ywcvwr.dll).

PoC exploits for vulnerabilities have been published as well and they allow execution of arbitrary code. Published PoCs just run Windows calculator (calc.exe), but it is trivial to change the shellcode so we can expect some attacks soon.

At the moment, the best mitigation is to set the kill bits for affected ActiveX controls: DCE2F8B1-A520-11D4-8FD0-00D0B7730277 and 9D39223E-AE8E-11D4-8FD3-00D0B7730277.

Thanks to Joshua G. and roseman for alerting us about this.

Update: Yahoo released a patched version of version of Yahoo! Messenger that addresses these vulnerabilities. For additional information and update instruction, please see http://messenger.yahoo.com/security_update.php?id=060707.
Keywords:
0 comment(s)

Comments


Diary Archives