SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-27


Word macro trojan dropper and (another) downloader

Published: 2006-06-27
Last Updated: 2006-06-27 22:41:08 UTC
by Bojan Zdrnja (Version: 1)

We've seen a lot of new malware being spammed in the last couple of hours.

The first piece of malware exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros regardless of the macro security setting the user has chosen in Microsoft Word. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. If you are running any newer version of Microsoft Word, macro security is set to High by default, so only macros signed by trusted sources are executed; all other macros are disabled. A user would have to change this setting to Medium (so they get prompted) or Low in order to run this macro. The Word document comes in a ZIP file and, once opened, installs a Trojan. Detection on the Word document is pretty good at the moment.
The document pretends to list computer prices:



The other piece of malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick the user into opening the archive. Besides the e-mail telling the user there's a nice photo in the attachment, the executable name will be something like DC0019.JPG__[lots of _]__JPG.exe.
The executable always seems to be in a ZIP archive, but sometimes the archive is encrypted (in which case the password is in the e-mail body) and sometimes it is not.
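The naming trick above (a decoy image extension followed by a long run of underscores that pushes the real .exe out of view in most mail clients and file dialogs) is easy to catch on a mail gateway or in a triage script. The following is an added example written for this diary, not code from the handlers; the sample attachment names are constructed to mimic the described pattern, and the extension lists are an assumption chosen for illustration.

```python
import re

# Constructed sample attachment names modelled on the pattern the diary describes:
# a JPG "extension", a long underscore pad, and the real executable extension at the end.
SAMPLE_NAMES = [
    "DC0019.JPG______________________________________________JPG.exe",
    "holiday.jpg",
    "report.pdf",
    "photo.JPG___.scr",
    "setup.exe",
    "archive.zip",
]

# Assumed lists: extensions Windows will execute, and extensions commonly used as decoys.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "doc"}


def real_extension(name: str) -> str:
    """Return the true (last) extension, lower-cased, or '' if there is none."""
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def is_disguised_executable(name: str) -> bool:
    """Flag names whose last extension is executable but which also carry an
    earlier decoy extension, possibly padded with underscores, spaces or dashes."""
    if real_extension(name) not in EXECUTABLE_EXTS:
        return False
    stem = name.rsplit(".", 1)[0]
    # A ".jpg"-style token earlier in the name, followed by padding or the end of the stem.
    pattern = r"\.(" + "|".join(DECOY_EXTS) + r")(?:[_\s.-]+|$)"
    return re.search(pattern, stem, re.IGNORECASE) is not None


def padding_length(name: str) -> int:
    """Length of the longest run of underscores/spaces; long runs are suspicious on their own."""
    runs = re.findall(r"[_ ]+", name)
    return max((len(r) for r in runs), default=0)


def triage(names, pad_threshold: int = 20):
    """Return the names worth quarantining: disguised executables or heavily padded names."""
    return [n for n in names if is_disguised_executable(n) or padding_length(n) >= pad_threshold]


if __name__ == "__main__":
    for suspect in triage(SAMPLE_NAMES):
        print("suspicious attachment:", suspect)
```

Note that plain `setup.exe` is not flagged: the heuristic targets the decoy-plus-executable combination, not every executable attachment, so it can be layered under whatever attachment policy a site already applies.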

Once executed, the downloader will install on the system and try to download two files:

http:// 206.204.52.54  /img/util/logo_nav.jpg

which is a Symantec logo (more social engineering) and

http:// 218.239.223.224 /flash/menu.swf

This is a site in Korea, and the last time we checked the file was not there.

AV detection is pretty low at the moment and only a couple of AV products detected this: Symantec, NOD32, Norman, Trend Micro, Sophos. They either detect it as a downloader or generically (Bloodhound.W32.EP in Symantec's case).



New Mambo, Joomla releases fix security vulnerabilities

Published: 2006-06-27
Last Updated: 2006-06-27 10:09:50 UTC
by Bojan Zdrnja (Version: 1)

Various security vulnerabilities have been identified in the two most popular open source CMS (Content Management System) packages.

All versions of Mambo prior to 4.6RC1 are vulnerable to a SQL injection attack in the weblinks.php file. You can patch this manually, as only two variables need to be escaped, or you can download patches from the Mambo web site, http://www.mamboserver.com.
We've also received reports that some vulnerabilities in previous versions of Mambo (older than 4.5.3) are being actively exploited, so be sure that you are running the latest version, with the security patch installed. If we get more information about attacks we'll post an update.

The new release of Joomla, 1.0.10, also fixes a couple of security vulnerabilities. Joomla is also vulnerable to SQL injection attacks, of which 3 rated critical were fixed in the latest release. As the latest version fixes other security vulnerabilities and numerous bugs, users are urged to upgrade. You can find more information on the Joomla web site, http://www.joomla.org.
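Both the Mambo and the Joomla issues above are of the same class: a request parameter pasted into a SQL string. The following is an added example, not code from either project, showing the vulnerable form beside the hardened one on a hypothetical links table (the table, column and function names are assumptions; it uses Python's sqlite3 module rather than PHP/MySQL so it runs stand-alone).

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a CMS 'weblinks' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE weblinks (id INTEGER, catid INTEGER, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO weblinks VALUES (?, ?, ?, ?)", [
        (1, 10, "Public link", 1),
        (2, 10, "Unpublished draft", 0),
        (3, 20, "Other category", 1),
    ])
    conn.commit()
    return conn


def links_vulnerable(conn, catid):
    """Hypothetical 'before' form: the category id from the request is interpolated
    straight into the statement, so the input can change the query's logic."""
    sql = "SELECT title FROM weblinks WHERE catid = %s AND published = 1" % catid
    return [row[0] for row in conn.execute(sql)]


def links_hardened(conn, catid):
    """Hardened form: validate the type first (the 'escape the variable' fix for a
    numeric field), then bind it as a parameter so the driver never treats it as SQL."""
    try:
        catid = int(catid)
    except (TypeError, ValueError):
        return []  # reject rather than guess; the caller can log this as a probe
    sql = "SELECT title FROM weblinks WHERE catid = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (catid,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", links_vulnerable(db, "10"))
    print("hardened, normal input:  ", links_hardened(db, "10"))
    print("hardened, malformed input:", links_hardened(db, "10 OR 1=1"))
```

The `int()` conversion is the whole fix for a numeric parameter; for string fields the same principle applies, but the escaping is left to parameter binding rather than done by hand.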


Reminder about MS06-025

Published: 2006-06-27
Last Updated: 2006-06-27 03:25:32 UTC
by Kevin Liston (Version: 5)

The original patch from Microsoft caused issues with dial-up. A revised patch was discussed by Microsoft. Exploit code is available that leverages this issue. This allows an authenticated attacker to execute arbitrary code on unpatched Windows 2000, Windows 2003 and XP SP2 systems. On versions that still allow anonymous connections/null sessions, an attacker could execute arbitrary code without authentication.


UPDATE: Microsoft has released an official comment at http://www.microsoft.com/technet/security/advisory/921923.mspx

The gist:
MS06-025 works to protect against the published exploit.
Un-patched Windows 2000 systems are primarily at risk from this vulnerability.
Windows XP SP2, Windows Server 2003, and Windows Server 2003 SP1 require the attacker to have a valid login.
Windows 98, 98SE and ME are not affected by this vulnerability.

UPDATE 2

To clarify things a bit with some extra information we received in the meantime:

Windows 2000 Service Pack 4 and Windows XP Service Pack 1 systems are primarily at risk as this vulnerability can be exploited by an anonymous user that needs to deliver a specially crafted message to the vulnerable system. If you are running any of these install the patch as soon as possible.

On Windows XP Service Pack 2 and Windows 2003 systems, a user has to be authenticated (has to have valid credentials) to the system to exploit the vulnerability.

--
Bojan Zdrnja <bzdrnja at isc dot sans dot org>

