Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog



BBB=>IRS=>FTC=>Proforma | don't open that invoice!

Published: 2007-06-15
Last Updated: 2007-06-15 20:56:54 UTC
by donald smith (Version: 3)

BBB->IRS->FTC->Proforma_Invoice.doc
Several of our ever-vigilant readers have warned us of a new targeted Trojan “document” that is being sent out specifically to executives in corporations.
Thanks Dan, Andy and Joe!
The subject of the emails was of the form:

Proforma Invoice for "Company Name" (Attn: "Executive Name")

The body of the email included this text:

"Hello,

The Proforma Invoice is attached to this message. You can find the file
in the attachments area of your email software.

PS: The invoice also includes the cost for the services provided for the
second quarter of 2007.
Please read, evaluate and reply with any comments. Thanks."


It is another Word “document” with a malicious embedded object, similar to the BBB, IRS, FTC and other targeted Trojan “documents” we have seen lately.

The file sent is Proforma_Invoice.doc
The AV vendors on VirusTotal that detected it (vendor, engine version, signature date, detection name) were:

Authentium 4.93.8 06.15.2007 W32/Dropper.ESR
Fortinet 2.85.0.0 06.15.2007 W32/Nuclear!tr
Sophos 4.18.0 06.12.2007 Troj/BHO-BP
Symantec 10 06.15.2007 Downloader
Panda 9.0.0.4 06.15.2007 Suspicious file

The document itself contains an icon of a pair of books (blue and yellow) with a magnifying glass, and the text
“DOUBLE CLICK THE ICON ABOVE
TO VIEW THE DOCUMENT DETAILS”
The icon is the default one for a “Packaged Object”, i.e. a file embedded in the document that is handed to the shell to run when double-clicked.

Clicking the icon on XP SP2 resulted in a Windows popup box that stated:
“The publisher could not be verified. Are you sure you want to run this software?
Name: C_PROFOR~1.EXE
Publisher: Unknown Publisher
Type: Application”

The three copies we have seen so far were all the same, all were 689,152 bytes long and all had a md5 hash of 47fff5b9d3765b70571454146ea9f244.
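What the icon hides can be examined without double-clicking it. Word stores an inserted Packaged Object in an `\x01Ole10Native` stream inside the OLE compound document; the following is an added example (not code from the ISC diary or from Microsoft) that parses that stream layout and reports what a double-click would have launched. It assumes the stream has already been pulled out of the .doc with a tool such as oletools' oleobj, and the sample it runs on is a constructed stand-in (a fake MZ stub and a text file), not the Proforma_Invoice.doc payload:

```python
# Added example (not from the ISC diary, nor Microsoft's code): parse the
# \x01Ole10Native stream that Word writes for an inserted "Packaged Object"
# and triage the embedded file without running it. The samples below are
# constructed stand-ins, not the Proforma_Invoice.doc payload.
import hashlib
import struct

RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta")


def _cstr(buf, i):
    """Return (string, next offset) for the NUL-terminated ANSI string at buf[i:]."""
    end = buf.find(b"\x00", i)
    if end < 0:
        raise ValueError("unterminated string in Ole10Native stream")
    return buf[i:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse the Ole10Native layout used by Packaged Objects.

    Little-endian layout: DWORD total size, WORD flags, NUL-terminated label,
    NUL-terminated original path, two DWORDs, NUL-terminated temp path,
    DWORD payload size, payload bytes.
    """
    if len(stream) < 10:
        raise ValueError("stream too short")
    (declared,) = struct.unpack_from("<I", stream, 0)
    i = 6  # past total size (4) and the flags word (2)
    label, i = _cstr(stream, i)
    src_path, i = _cstr(stream, i)
    i += 8  # two DWORDs we do not need for triage
    temp_path, i = _cstr(stream, i)
    if i + 4 > len(stream):
        raise ValueError("truncated before payload size")
    (size,) = struct.unpack_from("<I", stream, i)
    i += 4
    payload = stream[i:i + size]
    if len(payload) != size:
        raise ValueError("payload truncated: header says %d, got %d" % (size, len(payload)))
    return {"declared_size": declared, "label": label, "src_path": src_path,
            "temp_path": temp_path, "payload": payload}


def triage_package(stream):
    """Describe what double-clicking the package icon would launch."""
    obj = parse_ole10native(stream)
    payload = obj["payload"]
    label = obj["label"]
    is_pe = payload[:2] == b"MZ"  # DOS/PE header: an "Application", as the XP prompt said
    risky = label.lower().endswith(RISKY_EXT)
    return {
        "label": label,
        "src_path": obj["src_path"],
        "size": len(payload),
        "md5": hashlib.md5(payload).hexdigest(),
        "is_pe": is_pe,
        "risky_extension": risky,
        # Flag on either signal: a renamed .exe still starts with MZ, and a
        # script extension is launched by its handler without any PE header.
        "suspicious": is_pe or risky,
    }


def build_ole10native(label, src_path, temp_path, payload):
    """Build a stream in the same layout (used here only to construct samples)."""
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00" + src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0, 0) + temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed samples: a fake PE stub (not a real executable) and a harmless text file.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n$"
SAMPLE_EXE_PACKAGE = build_ole10native(
    "Proforma_Invoice.exe", "C:\\Docs\\Proforma_Invoice.exe",
    "C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\PROFOR~1.EXE", FAKE_PE)
SAMPLE_TXT_PACKAGE = build_ole10native(
    "notes.txt", "C:\\Docs\\notes.txt", "C:\\Temp\\notes.txt", b"just text\r\n")

if __name__ == "__main__":
    for name, pkg in (("exe", SAMPLE_EXE_PACKAGE), ("txt", SAMPLE_TXT_PACKAGE)):
        v = triage_package(pkg)
        print(name, v["label"], v["size"], v["md5"], "SUSPICIOUS" if v["suspicious"] else "ok")
```

The MD5 of the extracted payload is what you compare against the hash above; the size check against the header catches streams that were cut short during extraction rather than silently hashing a partial file.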

A word of caution: do NOT open strange documents or run untrusted binaries on a machine you are not prepared to format and reinstall the OS on!
Most of us who do malware analysis have a machine we can reinstall a fresh, clean copy of the OS on if things go wrong, and the ability to watch the network for anything unexpected while the sample runs.

 

UPDATE

Several additional comments from readers on this malware:

"We have also seen this targeted executive malware infection.
I have observed multiple machines, once infected, attempting to connect over https to 216.7.80.5"

"Thank you for highlighting the evil malware going around today.
We have received two of them so far, addressed directly to
two Senior Execs at a prominent U.S. consumer electronics retailer."


"The executable is definitely a Trojan.
It creates an executable called microsoft.exe and adds it to the
normal HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
(and the user's profile \Run key) to ensure it gets started on system startup.

It looks like the executable is trying to contact three web domains:
hlplace.com, www.tanzatl.org, and aecv.ch."

hlplace.com -> 76.162.218.180
www.tanzatl.org -> 208.64.137.12
aecv.ch is not resolving from my location
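The reader reports above give two places to look on a suspect network: the Run keys (a value launching microsoft.exe) and outbound proxy traffic to the listed hosts and addresses. The following is an added example (not code from the ISC diary or its readers) that sweeps both. The registry export and the Squid-style access.log lines it runs over are constructed for illustration; only the indicator values come from the update:

```python
# Added example (not from the ISC diary): sweep a Run-key export and proxy
# log lines for the indicators readers reported. Both inputs below are
# constructed for illustration; the IOC values are the ones quoted above.
import re

IOC_IPS = {"216.7.80.5", "76.162.218.180", "208.64.137.12"}
IOC_HOSTS = {"hlplace.com", "www.tanzatl.org", "aecv.ch"}
IOC_FILENAMES = {"microsoft.exe"}
# Startup entries launched from these locations deserve a look even without an IOC match.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\")

# Shape of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output (constructed).
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
    microsoft    REG_SZ    C:\Documents and Settings\jdoe\Local Settings\Temp\microsoft.exe
"""

# Squid native access.log format (constructed; 203.0.113.0/24 is a documentation range).
SAMPLE_PROXY_LOG = """\
1181926803.114   1203 10.1.4.22 TCP_TUNNEL/200 4021 CONNECT 216.7.80.5:443 - DIRECT/216.7.80.5 -
1181926810.552    311 10.1.4.22 TCP_MISS/200 1533 GET http://hlplace.com/cgi-bin/get.php - DIRECT/76.162.218.180 text/html
1181926811.002    290 10.1.4.57 TCP_MISS/200 8822 GET http://intranet.example.com/ - DIRECT/203.0.113.10 text/html
"""

REG_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s+(.*)$")
IMAGE = re.compile(r'"?(.*?\.(?:exe|scr|com|pif|bat|cmd|vbs))(?:"|\s|$)', re.I)


def parse_reg_run(text):
    """Turn `reg query` output into name/type/value records (header line is skipped)."""
    return [{"name": m.group(1), "type": m.group(2), "value": m.group(3)}
            for m in (REG_LINE.match(l) for l in text.splitlines()) if m]


def image_path(value):
    """Pull the launched image out of a Run value, quoted or not, with or without arguments."""
    m = IMAGE.match(value.strip())
    return m.group(1) if m else value.strip()


def check_run_entries(text):
    hits = []
    for e in parse_reg_run(text):
        path = image_path(e["value"]).lower()
        base = path.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if base in IOC_FILENAMES:
            reasons.append("ioc filename")
        if any(tok in path for tok in USER_WRITABLE):
            reasons.append("user-writable location")
        if reasons:
            hits.append({"name": e["name"], "image": path, "reasons": reasons})
    return hits


def check_proxy_log(text):
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        client, url, hierarchy = f[2], f[6], f[8]
        m = re.match(r"(?:[a-z]+://)?([^/:]+)", url)
        host = m.group(1).lower() if m else ""  # CONNECT targets are host:port
        dest = hierarchy.split("/", 1)[-1]        # DIRECT/<ip> -> <ip>
        matched = sorted({host, dest} & (IOC_HOSTS | IOC_IPS))
        if matched:
            hits.append({"client": client, "url": url, "indicators": matched})
    return hits


def sweep(reg_text, proxy_text):
    return {"run_hits": check_run_entries(reg_text), "proxy_hits": check_proxy_log(proxy_text)}


if __name__ == "__main__":
    for kind, rows in sweep(SAMPLE_REG_EXPORT, SAMPLE_PROXY_LOG).items():
        for r in rows:
            print(kind, r)
```

Matching on both the URL host and the resolved destination address matters here: the https connection readers saw is a CONNECT to a bare IP with no hostname, while the domain-based traffic can resolve to addresses other than the ones listed (aecv.ch did not resolve at all), so neither field alone covers both cases.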


safari update

Published: 2007-06-15
Last Updated: 2007-06-15 17:03:04 UTC
by donald smith (Version: 1)

Apple has released a new version of the Safari browser public beta (3.0.1) to address the three vulnerabilities announced earlier this week.
It is available here: http://www.apple.com/safari/download/

From http://lists.apple.com/archives/Security-announce/2007/Jun/msg00000.html
"CVE-ID:  CVE-2007-3186
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to arbitrary code
execution
Description:  A command injection vulnerability exists in the Windows
version of Safari 3 Public Beta.  By enticing a user to visit a
maliciously crafted web page, an attacker can trigger the issue which
may lead to arbitrary code execution.  This update addresses the
issue by performing additional processing and validation of URLs.
This does not pose a security issue on Mac OS X systems, but could
lead to an unexpected termination of the Safari browser.

CVE-ID:  CVE-2007-3185
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description:  An out-of-bounds memory read issue in Safari 3 Public
Beta for Windows may lead to an unexpected application termination or
arbitrary code execution when visiting a malicious website.  This
issue does not affect Mac OS X systems.

CVE-ID:  CVE-2007-2391
Available for:  Windows XP or Vista
Impact:  Visiting a malicious website may allow cross-site scripting
Description:  A race condition in Safari 3 Public Beta for Windows
may allow cross site scripting.  Visiting a maliciously crafted web
page may allow access to JavaScript objects or the execution of
arbitrary JavaScript in the context of another web page.  This issue
does not affect Mac OS X systems."
