Security Information Week 14, 2006

Security Information

January 2006

January 1: MS06-001, Windows Metafile (WMF) vulnerability

The year started abruptly with a vulnerability in the Graphics Rendering Engine (GRE) of Windows. By crafting a malicious Windows Metafile (.wmf), an attacker can execute arbitrary code and take full control of the system. Because this engine is present in every version of Windows and is used whenever graphical content is rendered, every Windows machine was exposed. Malware exploiting the flaw was found on the day the details became public, which made this a true zero-day: working exploits were circulating before any patch existed.

Norman added detection for this vulnerability, and for future attempts to exploit it, to its Sandbox. In the days that followed, several more pieces of malware that tried to exploit the vulnerability were found, and all were stopped proactively by the Norman Sandbox.
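As an added illustration (not Norman's Sandbox technology, which the page does not describe), the following Python script walks the record list of a WMF file and flags the construct the public MS06-001 exploits relied on: a META_ESCAPE record carrying the SETABORTPROC escape, which GDI treated as a callback to be executed. The SETABORTPROC detail comes from the public vulnerability write-ups rather than from the text above; the two sample files are constructed inline and contain no working exploit, only inert filler where the exploit would carry its code.

```python
import struct

WMF_PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header, 22 bytes, precedes the standard header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009              # GDI escape abused by the MS06-001 exploits


def build_wmf(records):
    """Assemble a minimal standard-format WMF from (function, params) pairs.
    Only used here to construct the sample files; a META_EOF record is appended."""
    body = b""
    max_words = 0
    for func, params in list(records) + [(META_EOF, b"")]:
        assert len(params) % 2 == 0, "WMF parameters are 16-bit words"
        size_words = 3 + len(params) // 2              # 4-byte size + 2-byte function + params
        body += struct.pack("<IH", size_words, func) + params
        max_words = max(max_words, size_words)
    header_words = 9                                   # the standard header is 18 bytes
    total_words = header_words + len(body) // 2
    header = struct.pack("<HHHIHIH",
                         1,              # mtType: metafile in memory
                         header_words,   # mtHeaderSize (in words)
                         0x0300,         # mtVersion
                         total_words,    # mtSize (in words)
                         0,              # mtNoObjects
                         max_words,      # mtMaxRecord
                         0)              # mtNoParameters
    return header + body


def scan_wmf(data):
    """Walk the records of a WMF file and return a list of findings:
    'escape:SETABORTPROC' for the escape used by the MS06-001 exploits,
    'truncated' or 'bad-record-size' when the record chain is malformed."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_MAGIC:
        off = 22                                       # skip the placeable header
    if len(data) < off + 18:
        return ["truncated"]
    _mt_type, header_words = struct.unpack_from("<HH", data, off)
    off += header_words * 2
    while True:
        if off + 6 > len(data):
            findings.append("truncated")
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                             # a record is at least its own 6-byte header
            findings.append("bad-record-size")
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append("truncated")
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 4:
            escape_function = struct.unpack_from("<H", data, off + 6)[0]
            if escape_function == SETABORTPROC:
                findings.append("escape:SETABORTPROC")
        off = end
    return findings


# Constructed samples (not real malware): a plain metafile, and one carrying the
# escape record the exploits used. The escape data here is inert filler bytes.
BENIGN_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])
SUSPECT_WMF = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x90\x90\x90\x90"),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, scan_wmf(sample) or ["clean"])
```

The scanner deliberately refuses to trust the size fields beyond the bounds of the buffer, because the malformed record chains seen in the wild are themselves a useful signal; a production scanner would additionally apply the same walk to metafiles embedded in other containers (documents, EMF wrappers) rather than only to stand-alone .wmf files.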

January 5: The Sober ‘Attack’

The Sober attack that some experts had predicted for 5 January did not happen. Part of the reason lies in sloppy analysis: the comparison in the latest Sober variant is “ComparisonDay > 5 January”, which makes 6 January the earliest possible trigger date. Nothing happened on 6 January either, or on any of the days thereafter. The supposed link with the 87th anniversary of the founding of the Nazi party says more about the hype generated by the company that published that ‘fact’ than about a real event: why would the author celebrate that anniversary on every single day after 5 January?

January 10: MS06-002, Embedded Fonts vulnerability

While surfing the internet, people regularly end up on web pages they never intended to visit, often through a typo in the URL where someone else has registered the mistyped domain. MS06-002 made this more dangerous: a vulnerability was found in the way Windows handles embedded Web fonts. By luring the user to a specially constructed website, or by sending a specially constructed e-mail, an attacker could execute code and take full control of the system.

January 10: MS06-003, TNEF vulnerability

Users are at risk when they open a message containing a specially crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, or when such a message is processed by the Exchange Server Information Store. The attacker who sends the message may gain full control of the affected system.

January 17: W32/Small.KI is not smallish

It had been a while since a widely distributed virus carried a seriously destructive payload, but W32/Small.KI changed that. The virus is as hard to name as it is mysterious: almost every anti-virus vendor uses a different name for it, Nyxem, MyWife and KillAV being just a few. It has as many names as it has targets: on the 3rd of every month, starting on 3 February 2006, it corrupts data in Word documents, Excel spreadsheets, Access databases, PowerPoint presentations, Adobe PDF files, Zip and RAR archives, and more. The virus was assigned the Common Malware Enumeration identifier CME-24.

February 2006

February 3: W32/Small.KI, nothing happened

Despite the fact that this virus is widespread and should trigger its destructive payload on the 3rd of every month (3 February being the first occasion), there have been hardly any reports, if any at all, of people losing their data. With an external web counter that tallies the number of infections (or rather the number of connections to a specific web page) standing well past 15,000,000, the conclusion is that most users had taken their precautions by keeping their anti-virus programs up to date.

February 14: MS06-004, WMF vulnerability

Another vulnerability was found in the WMF image handler that could allow remote code execution through specially crafted images, loaded either by surfing to a website or by opening an e-mail containing such an image. Although it is also in the WMF handler, this vulnerability is different from the ones found earlier and fixed by MS05-053 and MS06-001.

February 14: MS06-005, Windows Media Player vulnerability

Windows Media Player can retrieve bitmaps, most often the covers of the albums being played. If such a cover is specially crafted, remote execution of malicious code is possible. The likelihood of being exposed is low, as exploiting the vulnerability takes quite a bit of user interaction. Also, since most covers are hosted on bona fide sites of the record industry, those sites would first have to be hacked and a cover replaced with a malicious one.

February 14: MS06-006, Windows Media Player Plug-In vulnerability

Staying with Windows Media Player, yet another vulnerability was found, this time in the plug-in for non-Microsoft Internet browsers, in the way the Windows Media Player plug-in handles <EMBED> elements. EMBED elements are HTML tags and are the most common way of adding sound to web pages. A specially crafted <EMBED> element on a website can cause remote code to be executed in a non-Microsoft browser when that website is visited.

February 14: MS06-007, Denial of Service vulnerability in TCP/IP (IGMP)

Specially crafted IGMP (Internet Group Management Protocol) packets can make an affected system stop responding, which makes this a genuine denial of service vulnerability. Note that IGMP is the multicast group management protocol, not the ICMP echo request used by ping; the two are easily confused. If systems are not properly protected and patched, entire networks could stop responding.

February 16: First Mac OSX malware: OSX/Leap.A

For years Windows users have been teased by Mac OS X users that their operating system is more secure and their environment friendlier. Now a small piece of malware has been found that targets OS X. It is more of a proof of concept: the malware, identified as OSX/Leap.A, executes on the recipient's system but does not manage to spread further. Still, it is the first somewhat successful piece of malware for OS X. More will very likely follow, and eventually a successfully spreading piece of malware for OS X will see the light of day.

February 17: Second Mac OSX malware: OSX/Ingtana.A

And indeed, it took only one day before the next piece of OS X malware was found, a worm named OSX/Inqtana.A. This one does spread itself over Bluetooth, but because it uses a time-limited demo version of a Bluetooth library it must again be regarded as a proof of concept. Compiled against a non-limited version of that library, it would have posed more danger. Apple has updates available that patch the system against CVE-2005-1333, the Bluetooth File and Object Exchange directory traversal vulnerability that this worm exploits.
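The vulnerability the worm above exploits is a directory traversal in the service that receives files over Bluetooth: a file name supplied by the remote device was used to place the file outside the intended download directory. As an added example, not Apple's code and not part of the original page, the Python function below shows the check a receiving side should apply to a remote-supplied name before writing anything; the inbox path and the sample names are constructed for the illustration, and the autostart directory in one of them is only there to show why traversal matters.

```python
import os


def resolve_obex_target(inbox_dir, remote_name):
    """Map a file name received from a remote device onto a path inside inbox_dir.

    Returns the absolute destination path, or None if the name must be refused.
    A pushed object carries a file name, not a path, so anything containing a
    separator, a parent reference or a NUL byte is rejected outright; a second,
    independent check then confirms the resolved path still lies inside the inbox."""
    inbox = os.path.realpath(inbox_dir)
    name = remote_name.replace("\\", "/")          # the sender chooses the separator, not us
    if not name or name in (".", "..") or "/" in name or "\x00" in name:
        return None
    candidate = os.path.realpath(os.path.join(inbox, name))
    # Defence in depth: even if the filter above had a gap, the final path must
    # be the inbox itself or something below it.
    if os.path.commonpath([inbox, candidate]) != inbox:
        return None
    return candidate


def triage(inbox_dir, names):
    """Classify a batch of remote-supplied names into accepted and refused."""
    accepted, refused = [], []
    for n in names:
        (accepted if resolve_obex_target(inbox_dir, n) else refused).append(n)
    return accepted, refused


# Constructed sample names, as a remote device might send them over Object Push.
SAMPLE_NAMES = [
    "photo.jpg",
    "../../Library/LaunchAgents/com.example.plist",   # traversal into an autostart directory
    "..\\..\\Library\\InputManagers\\x",              # the same with Windows separators
    "/etc/hosts",                                      # absolute path
    "..",
    "report.pdf\x00.jpg",                              # NUL byte truncation trick
]

if __name__ == "__main__":
    ok, bad = triage("/tmp/obex-inbox", SAMPLE_NAMES)
    print("accepted:", ok)
    print("refused:", bad)
```

Rejecting rather than silently stripping the offending components is deliberate: a name such as "../../x" is never something a legitimate phone sends, so it is better treated as an attack indicator than quietly saved as "x".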

March 2006

March 6: Proof of Concept virus found for InfoPath

A new proof-of-concept virus has been discovered that infects yet another application of the Microsoft Office suite, this time InfoPath. The virus in question is called W32/Icabdi.A. It is rather ‘interesting’ in that it relies on the presence of external applications as well as on write and execute permission for a specific location on the user's hard disk. Because this proof-of-concept virus carries no payload and depends on those external applications, the risk is so low that users need not be concerned. Of course, as with any proof-of-concept virus, we may now see a flood of viruses using the same technique.

March 10: Trojan uses Child Pornography to hide itself

A sad day, as Norman has identified a new Trojan. That in itself is not unusual for a security company, but this Trojan installs and plays a video clip containing child pornography. The Trojan with the video clip is distributed on the internet through various channels, file-sharing networks (Kazaa among others) and probably e-mail as well. The Trojan, which has been named W32/Agent.ULL, warns about the explicit content of the film, but uses the video clip as bait to get users to click on it.

Its primary function is not to show the movie but to install a number of other malicious programs that are automatically downloaded while the movie is playing; the movie is there to distract the user from what is happening in the background. The programs downloaded and installed are a whole family of harmful adware and spyware, complemented by an advertisement campaign for pornographic web sites.

A week later, Norman received a second Trojan that uses the same movie. Hopefully this will not become a trend. It does show, however, the lengths to which adware and spyware vendors will go to distribute their "baddies".

March 14: MS06-012, Remote code execution from MS Office

On affected systems an attacker could execute code of his choosing. If the user is logged on with administrator rights, the attacker thereby obtains full access to and control of the system; users whose accounts have fewer rights are less affected than those who work with administrative privileges. Microsoft rated this vulnerability critical, as it exists in every version of Office, including those for the Macintosh.

March 15: Proof of concept for an RFID virus

Researchers at the Vrije Universiteit Amsterdam in the Netherlands have succeeded in infecting an RFID (Radio Frequency Identification) chip with a computer virus. Until now the general belief was that the memory capacity of RFID chips was too limited for them to be infected; the researchers have proven that wrong. RFID chips are used in many ways: embedded in passports, in airline luggage tags and in electronic devices, and they can be implanted just under the skin of pets. Although there are several prerequisites before such a virus is possible (RFID writing equipment among them), publication of the code may speed up the appearance of the first real-world virus.

March 21: DRM software forces harsh reboot

StarForce is a company known for creating DRM (copy protection) software for the gaming industry. It was discovered that its implementation installs a driver at the highest privilege level of the system (ring 0). That driver is always loaded and running, whether or not you are playing a game protected by StarForce's DRM, and a driver at this level has complete control of the system. The moment the DRM software detects behaviour it considers suspicious, such as an attempt to copy the protected software, it reboots the system. It reportedly does this in the most destructive way possible: not a normal shutdown, in which unsaved work can still be stored, but an instant hard reboot in which all unsaved data is lost.

March 22: Worm goes rootkit

The author(s) of the Bagle worms have added a new layer to their latest creations. Starting with W32/Bagle.MD they have introduced rootkit technology, which makes the worm harder to detect and more difficult to remove once it is resident in memory. Rootkit technology is attractive to the authors of worms and viruses, since plenty of people are infected by spreading malware all the time and every infection that stays hidden stays profitable for longer.

March 23: New vulnerability in Internet Explorer (CVE-2006-1359)

The way Internet Explorer handles the createTextRange() call on a checkbox object can be dangerous: a specially crafted website can make Internet Explorer crash in such a way that arbitrary code is executed. Working proof-of-concept code has been found on at least 37 sites. Microsoft has yet to release a patch; other browsers are not affected. A workaround for Internet Explorer users is to disable Active Scripting and Scripting of Java Applets; http://support.microsoft.com/kb/q154036 describes how to do this for the different versions of Internet Explorer.

Norman has added generic detection to its products as JS/Exploit!CVE-2006-1359 and at the time of writing has successfully stopped all material downloaded from malicious sites through this exploit.
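To give an idea of what a generic, signature-style detection for this issue can look like (an added illustration, not Norman's JS/Exploit!CVE-2006-1359 signature, whose logic the page does not describe), the Python below flags script that calls createTextRange() on an element it has marked as a checkbox, the trigger the text above describes. It is a plain text heuristic with no JavaScript parsing, so obfuscated or dynamically built script evades it; the sample pages are constructed here and contain only the shape of the trigger, no payload.

```python
import re

# Ways a script can end up with a checkbox to call createTextRange() on.
TYPE_ASSIGN = re.compile(r"""\b(\w+)\s*\.\s*type\s*=\s*['"]checkbox['"]""", re.I)
SET_ATTRIBUTE = re.compile(
    r"""\b(\w+)\s*\.\s*setAttribute\s*\(\s*['"]type['"]\s*,\s*['"]checkbox['"]""", re.I)
INPUT_TAG = re.compile(r"<input\b([^>]*)>", re.I)
TYPE_ATTR = re.compile(r"""\btype\s*=\s*['"]?checkbox\b""", re.I)
ID_ATTR = re.compile(r"""\bid\s*=\s*['"]?([\w-]+)""", re.I)

# The two receiver shapes we look for in front of .createTextRange(.
VAR_CALL = re.compile(r"\b(\w+)\s*\.\s*createTextRange\s*\(")
BY_ID_CALL = re.compile(
    r"""document\s*\.\s*getElementById\s*\(\s*['"]([\w-]+)['"]\s*\)\s*\.\s*createTextRange\s*\(""")


def checkbox_names(page):
    """Variable names and element ids that the page marks as checkboxes."""
    names = set(TYPE_ASSIGN.findall(page)) | set(SET_ATTRIBUTE.findall(page))
    for attrs in INPUT_TAG.findall(page):
        if TYPE_ATTR.search(attrs):
            m = ID_ATTR.search(attrs)
            if m:
                names.add(m.group(1))
    return names


def suspicious_text_range_calls(page):
    """Return the sorted receivers of createTextRange() calls that target a checkbox.
    An empty list means nothing matched the trigger shape."""
    boxes = checkbox_names(page)
    hits = {v for v in VAR_CALL.findall(page) if v in boxes}
    hits |= {i for i in BY_ID_CALL.findall(page) if i in boxes}
    return sorted(hits)


# Constructed sample pages. The first is a legitimate IE-only use on a text control,
# which a naive "any createTextRange() call" rule would wrongly flag; the other two
# have the shape of the trigger described above, without any payload.
LEGIT_PAGE = """
<textarea id="msg"></textarea>
<script>
var t = document.getElementById("msg");
var r = t.createTextRange();
</script>
"""

TRIGGER_VIA_VARIABLE = """
<script>
var c = document.createElement("input");
c.type = "checkbox";
c.createTextRange();
</script>
"""

TRIGGER_VIA_ID = """
<input type=checkbox id="cb">
<script>document.getElementById("cb").createTextRange();</script>
"""

if __name__ == "__main__":
    for label, page in (("legit", LEGIT_PAGE), ("variable", TRIGGER_VIA_VARIABLE), ("id", TRIGGER_VIA_ID)):
        print(label, suspicious_text_range_calls(page) or "clean")
```

The point of tying the call to a checkbox rather than matching createTextRange() alone is precision: the method has legitimate uses on text controls in Internet Explorer, and a rule that blocks all of them generates the kind of false positives that get a generic signature disabled by users.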