Archive for March, 2009

Testing the new zero day vulnerability in Excel

March 6, 2009

During the last few weeks there has been a great deal of talk about a new zero-day vulnerability in Microsoft Office, specifically in the Excel application. The vulnerability allows arbitrary code to be executed remotely on the affected system. It seems that the vulnerability is being used to install Trojans in Asian companies and government agencies.


At PandaLabs we have been analyzing this new "zero day" and have tested several xls files that are in the wild. These files contain the exploit that Microsoft names Exploit:Win32/Evenex.gen.

The tests were done with Office 2007 Service Pack 1 on Windows XP Service Pack 2. The main aim of our analysis was to test the TruPrevent Technologies included in our products against this new 0-day. These technologies are not signature-based: they detect the malicious behaviour of malware, in order to be proactive against unknown vulnerabilities.

We can conclude from the tests we have done that a system without an antivirus installed gets compromised, as we expected. The exploit creates a file in the temporary folder of the user who opened the xls file, and the computer is compromised.

1. When the Excel file is opened, the following file is created:

    C:\Documents and Settings\<username>\Local Settings\temp\AdobeUpdater.exe

2. The file AdobeUpdater.exe creates the file:

    C:\Documents and Settings\<username>\Local Settings\temp\AcroRD32.exe

3. AcroRD32.exe connects to the Internet.

4. The file AdobeUpdater.exe is deleted.

5. The system is compromised.
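The five steps above describe a behaviour chain rather than a signature, which is what a behaviour-based engine keys on. The following Python, an added example that is not PandaLabs' code, runs over constructed file, network and delete events (process name, path, destination are assumed fields, not a real sensor format) and raises alerts when an Office process writes an executable into the user's temp folder and the dropped file then drops, connects or cleans up:

```python
import re
from typing import Dict, List

# Constructed sample events (not captured from the original test), in the
# order the post describes: Excel writes an executable into the user's temp
# folder, that executable drops a second one, which connects out and then
# deletes the first stage.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "EXCEL.EXE",
     "path": r"C:\Documents and Settings\alice\Local Settings\temp\AdobeUpdater.exe"},
    {"type": "file_create", "process": "AdobeUpdater.exe",
     "path": r"C:\Documents and Settings\alice\Local Settings\temp\AcroRD32.exe"},
    {"type": "network", "process": "AcroRD32.exe", "dest": "203.0.113.10:80"},
    {"type": "file_delete", "process": "AcroRD32.exe",
     "path": r"C:\Documents and Settings\alice\Local Settings\temp\AdobeUpdater.exe"},
]

# Office binaries that have no business writing executables to a temp folder.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# An .exe directly under "...\Local Settings\temp\" (Windows XP layout).
TEMP_EXE = re.compile(r"\\local settings\\temp\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_office_dropper_chain(events: List[Dict]) -> List[str]:
    """Return one alert per suspicious step, following the dropped files.

    Stage 1: an Office process creates an .exe under the user's temp folder.
    Stage 2+: anything a dropped .exe creates, connects to or deletes is reported,
    and executables it drops are tracked in turn.
    """
    dropped = set()  # basenames of executables written by Office or by a dropped exe
    alerts = []
    for ev in events:
        proc = ev["process"].lower()
        if ev["type"] == "file_create" and TEMP_EXE.search(ev["path"]):
            name = basename(ev["path"])
            if proc in OFFICE_PROCESSES:
                alerts.append(f"{ev['process']} wrote executable to temp: {name}")
                dropped.add(name)
            elif proc in dropped:
                alerts.append(f"dropped file {proc} wrote second stage: {name}")
                dropped.add(name)
        elif ev["type"] == "network" and proc in dropped:
            alerts.append(f"dropped file {proc} connected to {ev['dest']}")
        elif ev["type"] == "file_delete" and proc in dropped:
            alerts.append(f"dropped file {proc} deleted {basename(ev['path'])}")
    return alerts
```

Blocking at the first alert is what stops the chain at step 1, which is the outcome the post reports for the protected system.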


However, in tests using Panda Global Protection 2009, the exploits we tested could not even create the first file (C:\Documents and Settings\<username>\Local Settings\temp\AdobeUpdater.exe). TruPrevent Technologies blocked the exploit because they detected malicious behavior in the Excel application.

Although Microsoft has not yet published a patch for this severe vulnerability, our TruPrevent Technologies were already protecting our clients before the exploit appeared. Thanks to behavior analysis, our antivirus is ready to face this type of unknown vulnerability.

Thanks to David Sanchez Lavado for the information.

Metatags in malware websites: part II

March 5, 2009

A couple of days ago we mentioned how some creators of websites that host malware add metatags to them, so that they are not indexed by the search robots.

Today we are going to mention the opposite case. Let's take the following URL as an example: http://malwa<blocked>.com

The following tag can be found in the source code of the website:

 Adware/MalwareDoctor

The FOLLOW value allows the links included in the website to be followed by the robots.

The ALL value allows the whole page to be indexed and followed without restriction.

The INDEX value allows the search engines to index the website.

Generally the creators of this type of website want the malware to spread widely and as soon as possible. That is why they either add no robots metatags at all, or add ones that let the indexing robots index the site and follow its links easily. This way, when users make queries in the search engines, they are likely to reach a malicious website, and their computers get infected with the malware hosted there.

Metatags in malware websites

March 3, 2009

An indexing robot is a program which crawls websites, storing their content in databases and following the links which point to other websites.

Rogue antimalware creators don't usually add tags to the code of their websites, or they add them so that the websites are indexed by the search engine robots. This way the sites are more accessible and the malware can spread widely.

Lately we have found several cases that prove quite the opposite: tags are added to go unnoticed.

Let’s take the following URL as an example:
http://<blocked>akedpics.blogspot.com

When clicking the video to view it, we are redirected to the following URL, http://<blocked>pomp.com/index.php?q=Adrienne-Bailon-Naked-Pics, which in turn redirects us to http://crack-<blocked>.com (*) and finally to http://fast<blocked>.com/xplays.php?id=40004, from which we download the file viewtubesoftware.40004.exe, detected as Adware/MSAntiSpyware2009.

Adware/MSAntispyware2009

(*) This URL redirects us to different malware hosting websites randomly, depending on the time.

If we look at the source code of the URL http://fast<blocked>.com/xplays.php?id=40004, we can find the following tag: <META content=noindex,nofollow,noarchive name=robots>

1. The noindex tag doesn’t allow the search engines to index a website.
2. The nofollow tag doesn’t allow the search engines to scan the links of the document.
3. The noarchive tag prevents the website from being cached.
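Both metatag posts (the INDEX/FOLLOW/ALL case above and the noindex/nofollow/noarchive case here) come down to reading one robots meta tag out of a page's source. The following Python, an added example rather than PandaLabs' tooling, extracts the directives with the standard library's html.parser (which accepts the unquoted, comma-separated form shown in the post) and classifies the page as hiding from or inviting search robots; the sample pages are constructed, not captured from the sites mentioned:

```python
from html.parser import HTMLParser
from typing import Set

# Directives the posts explain: the first set hides a page from search robots,
# the second asks for it to be indexed and its links followed.
HIDING = {"noindex", "nofollow", "noarchive"}
EXPOSING = {"index", "follow", "all"}


class RobotsMetaParser(HTMLParser):
    """Collect directives from every <meta name=robots content=...> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.directives: Set[str] = set()

    def handle_starttag(self, tag: str, attrs) -> None:
        # html.parser already lower-cases tag and attribute names; values
        # may be unquoted (as in the post) or quoted, and any case.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "robots":
            for item in a.get("content", "").split(","):
                item = item.strip().lower()
                if item:
                    self.directives.add(item)


def robots_directives(html: str) -> Set[str]:
    """Return the set of robots directives declared in the page source."""
    p = RobotsMetaParser()
    p.feed(html)
    p.close()
    return p.directives


def classify(html: str) -> str:
    """Summarise whether the page hides from or invites search engine robots."""
    d = robots_directives(html)
    if d & HIDING:
        return "hiding from search robots: " + ",".join(sorted(d & HIDING))
    if d & EXPOSING:
        return "asking to be indexed: " + ",".join(sorted(d & EXPOSING))
    return "no robots directive (indexed by default)"


# Constructed sample pages (not captured from the sites in the posts).
HIDING_PAGE = "<html><head><META content=noindex,nofollow,noarchive name=robots></head></html>"
EXPOSING_PAGE = '<html><head><meta name="ROBOTS" content="INDEX, FOLLOW, ALL"></head></html>'
PLAIN_PAGE = "<html><head><title>x</title></head></html>"
```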

It seems that these techniques are aimed at making the job of malware analysts and antivirus companies more difficult. They are also used to hinder proactive protection, in the sense of preventing infection through techniques such as URL blocking, which consists of querying the search engines for specific parameters.