Archive for May 2009

Microsoft warns of critical DirectX flaw

Microsoft has issued a warning about a security vulnerability in DirectX which is reportedly being actively exploited. The affected component, quartz.dll, was removed from Windows Vista and 2008 Server (and also from Windows 7), so Windows 2000, XP and 2003 Server are the vulnerable systems. On those operating systems, a user only needs to open a manipulated QuickTime file to infect her computer, regardless of the browser or software used.

From Microsoft’s Security Response Center: “The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.”

The company offers a solution in a knowledge base article: users can apply the fix by clicking the “Fix it” link in that article with Internet Explorer, although the fix is obviously undergoing maintenance at the moment. Microsoft writes that it wants to ship a patch as soon as it is production stable. It is unclear whether this means an out-of-band update or one that is ready for the June Black Tuesday.

Dirk Knop
Technical Editor

Malware and Phishing statistics for Germany

According to http://www.internetworldstats.com/eu/de.htm, 61.1% of Germany’s population had Internet access in 2007. Of these users, 56% are online every day or almost every day. With such widespread Internet usage, it is no surprise that there is quite a lot of activity in Germany’s Internet scene.

Our statistics show that 14.43% of the phishing URLs and 15.04% of the malware URLs (for which we have geo-IP information) are hosted on servers located in Germany. The number of malicious URLs advertised in Germany (not necessarily hosted there) cannot be computed, since nobody is able to count all the emails which contain the URLs.

Fig. 1: The countries where phishing URLs are hosted

What do we do to stop them?
The most common way of spreading the URLs is email. Avira actively fights these threats in two different ways:

Avira’s security products

  • detect the phishing emails and mark them as such.
  • block the access to the URLs which point to phishing and malware websites.

Fig. 2: The registrars which receive notifications to remove dangerous files

Our Labs collaborate with institutions and organizations which send warning information to the registrars and ISPs hosting the dangerous files.

We actively monitor the most phished institutions and issue alerts to the readers of this blog (Figure 3). Of course, not all the names on the list are relevant for German users, but since Avira reaches users all over the world, this information will be useful to many of them.

Fig. 3: Most phished institutions

Fig. 3: Most phished institutions

Sorin Mustaca
Manager International Software Development

Microsoft, Apple and Adobe ship Updates

Microsoft, Apple and Adobe have provided new updates to their users. Microsoft alone plugs 14 holes in its PowerPoint software, Apple fixes 67 security holes in its Mac OS X operating system and the Safari web browser, and Adobe closes the security holes in its PDF reader software.

The PowerPoint updates from Security Bulletin MS09-017 close the security hole which is already being actively exploited on the net, as well as other, so far undisclosed vulnerabilities. The patches for PowerPoint for Mac are still missing, though. Microsoft urges its users to install the update as soon as possible, as the company expects exploits for the other holes to surface soon.

Apple released Mac OS X 10.5.7 and Safari 3.2.3. Mac and Safari users should install those updates immediately, too, and the updates for Adobe Reader and Acrobat should be installed as soon as possible as well.

Dirk Knop
Technical Editor

File Patcher W32/Tobin

While refining and improving our detection of the W32/Tobin file patcher malware, we analysed its “infection” algorithm more closely. Upon execution, it drops a DLL (usually “nikitob.dll”) and modifies executable files on the system so that they load the dropped DLL when they are started. So far nothing new or unusual.

Fig. 1: The new import table

W32/Tobin adds a new section named “.lenna” at the end of the PE file. This section consists of an import table; such import tables are used by the Windows loader to dynamically load DLLs and make the corresponding functions from them available to the started program. The new import table references the dropped DLL “nikitob.dll”. At the same time, the import data directory entry in the PE header is modified to point to the newly attached import table. If the executable has a bound import table, W32/Tobin “removes” its entry from the data directory by setting its RVA and size to 0.

Fig. 2: Original data directory address

Fig. 3: Patched data directory address

The dropped DLL “nikitob.dll” exports just one function, “NikitaTob”. Calling it shows a message box with the text “NikitaTob”. The actual virus code is executed automatically when the DLL is loaded.

Fig. 4: The malware dll exports just one function

Fig. 4: The malware dll exports just one function

Among other things, the import address table is rebuilt to make the patched executable work. In our analysis we didn’t find any further malicious routines in the malware.

Fig. 5: Upon calling the exported function, W32/Tobin just shows a message

Fig. 5: W32/Tobin just shows a message

In one of the W32/Tobin samples we found a reference to “C:\NIKITA\Soft\black_soft\29a\nikitob\Release\nikitob.pdb”. A short search in our archives turned up an old magazine of the VX group 29A. The issue from January 2005 contains proof-of-concept code which infects files exactly the way W32/Tobin does. There the new section is called “.senna”, and the message box shows the text “PayLoad”. It looks like some malware writers used the proof-of-concept virus to learn new techniques.

Removing this kind of malware from an infected system isn’t as simple as it may look at first glance. Simply deleting the dropped DLL doesn’t work: the infected executables now depend on the DLL and won’t start anymore; most likely the whole system wouldn’t boot anymore. Since W32/Tobin stores the address of the original import table at the end of the executable, it is possible to restore that value and disinfect the system gracefully.
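As an added illustration of the PE changes described above (example code written for this post, not Avira’s own tooling), the following parser locates the import data directory, works out which section it points into, and flags an import table living in a section named “.lenna” or in an appended last section. The `build_sample` header is a constructed test fixture with no code or real import entries, and the check is a heuristic only: packers legitimately keep imports in a last section too, and the disinfection step is not attempted because the exact spot where the original address is stored is not given here.

```python
import struct
IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # data directory slot of the import table

def parse_pe(data):
    """Return (data_directories, sections) of a PE32/PE32+ image; sections are (name, rva, vsize)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    ndirs_off = 92 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 108  # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize))
    return dirs, sections

def section_for_rva(sections, rva):
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return None

def tobin_indicators(data):
    """Heuristic findings; a packer may legitimately keep its imports in the last section too."""
    dirs, sections = parse_pe(data)
    home = section_for_rva(sections, dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0])
    hits = []
    if home == ".lenna":
        hits.append("import directory points into a section named '.lenna'")
    if sections and home == sections[-1][0] and home not in (".idata", ".rdata"):
        hits.append("import directory sits in the last section (%s), as with an appended table" % home)
    return hits

def build_sample(sections, import_rva):
    """Constructed PE32 header (no code, no real import entries) used only to exercise the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (import_rva, 0x28)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                                0x1000, rva, 0x1000, 0, 0, 0, 0, 0, 0x60000020) for n, rva in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs
```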

Dirk Knop
Technical Editor

New documents from AMTSO

Once again the AMTSO, a large group of security professionals, testers and journalists, came together to work on further documents intended to help improve the quality of anti-malware reviews. This time the meeting took place in Budapest, Hungary, and was hosted by Virusbuster, a Hungarian anti-malware company.

In the two-day meeting we finalized new documents, among them:

  • Suggested methods for the validation of samples

A well-known problem of recent anti-malware tests is the use of damaged or non-working samples in test sets. This means that products are tested against files that are not able to run and therefore pose no real threat to users. As the number of malware samples increases from day to day, it becomes more difficult for testers to ensure that the samples they use for their tests really work and show malicious behaviour. The document explains different methods of how samples can be validated and so hopefully helps to reduce the number of less meaningful tests in the future.

  • Best Practices for testing In-the-Cloud security products

Testing products that use “in-the-cloud” technologies presents new difficulties to testers, since those technologies rely on online databases. Because those databases can change within minutes or even seconds, repeatability and reproducibility, an important criterion for any test, can be hard or even impossible to achieve. The document shows these difficulties and offers advice on how to avoid errors in such product tests.

Furthermore, the members agreed on a process for how AMTSO can review an existing test of anti-malware products, and started working on new documents.

Philipp Wolf
Viruslab

Microsoft to fix PowerPoint vulnerability

Microsoft has released the advance notification for the upcoming Patch Tuesday next week. So far only one security bulletin is planned, which is supposed to fix the critical vulnerability in PowerPoint that has been actively exploited for about a month now.

Once the patches become available, administrators are well advised to install them as soon as possible!

Dirk Knop
Technical Editor

Antispam: Improving detection of Japanese Emails

Recently, we received some false positives (good emails marked as spam) and false negatives (spam emails not detected) from our partners in Japan. It seems that our antispam engine did not cope well with some messages written in Japanese. Fortunately, the problems were minor and easy to fix.

A large part of the messages had a Message-Id header that had been rewritten by an intermediate mail server, which made the antispam engine think those messages were forged (i.e. pretending to be sent by Microsoft Outlook Express). In theory, the Message-Id header should uniquely identify an email message worldwide. To make it unique, Outlook Express generates Message-Id headers following a certain pattern. That is why, when we encountered a rewritten Message-Id header that did not look at all like one generated by Outlook Express, we concluded that the messages were forged, and thus spam.

A small percentage of the messages had a subject header that seemed strange to us, because it used the same encoding many times. It looked like Japanese(…) – Japanese(….) – Japanese(…) instead of simply Japanese(……….). Another variant is to double-encode the subject, like this: Japanese(… Japanese(….) …). After reviewing lots of legitimate messages written in foreign languages more closely, we concluded that this was not such abnormal behaviour, even though this pattern is often seen in spam.

Another problem was with messages that were sent base64-encoded without specifying the content type in the header. The content could even have been represented by 7-bit characters, so it did not need any encoding at all. Spammers often use this pattern in order to hide the message from antispam filters that cannot handle base64 encoding: instead of simply writing VIAGRA, they encode it in base64, the result being VklBR1JB. Normally, messages in foreign languages need to be base64-encoded, because their contents cannot be represented by ASCII characters and most foreign-language encodings need 8-bit data. But the Japanese messages did not need base64, because they use a special encoding, iso-2022-jp. This encoding can handle both normal (ASCII) characters and Japanese characters through escape sequences that switch between modes, so the encoded text stays within 7 bits. Apparently, the senders of the messages did not know that, so they base64-encoded the messages anyway.
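The two header patterns discussed above (the split or double-encoded Subject and the needless base64 body) as an added example written for this post, not code from the Avira antispam engine: `subject_pattern` classifies a raw Subject by its RFC 2047 encoded-words, and `needless_base64` reports a base64-transferred body that decodes to pure 7-bit bytes, which covers both the VklBR1JB trick and iso-2022-jp text. The sample messages are constructed with `build_message` (the sender address and bodies are made up), and the charsets are assumed to be ones Python’s codec registry knows.

```python
import base64
import quopri
import re
from email import message_from_bytes

# RFC 2047 encoded-word: =?charset?B|Q?payload?=  (captures charset, encoding, payload)
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")

def subject_pattern(subject):
    """Classify a raw Subject header as 'plain', 'single', 'split' or 'nested'.
    'split'  : several encoded-words, e.g. Japanese(...) Japanese(...) Japanese(...)
    'nested' : an encoded-word whose decoded text is itself an encoded-word (double encoding)"""
    words = ENCODED_WORD.findall(subject)
    if not words:
        return "plain"
    for charset, enc, payload in words:
        if enc in "Bb":
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' stands for a space, the rest is quoted-printable
            raw = quopri.decodestring(payload.replace("_", " ").encode("ascii"))
        if ENCODED_WORD.search(raw.decode(charset, "replace")):
            return "nested"
    return "split" if len(words) > 1 else "single"

def needless_base64(msg):
    """True when the body is base64-transferred although the decoded bytes are pure 7-bit.
    Catches 'VklBR1JB' (-> 'VIAGRA') as well as iso-2022-jp text, which already escapes
    Japanese to 7-bit on its own; real 8-bit content (utf-8, shift_jis) is not flagged."""
    if (msg.get("Content-Transfer-Encoding") or "").strip().lower() != "base64":
        return False
    raw = msg.get_payload(decode=True)  # the email package undoes the base64 for us
    return raw is not None and all(b < 0x80 for b in raw)

def encoded_word(text, charset="iso-2022-jp"):
    """Build one RFC 2047 B-encoded-word (used to construct sample Subjects)."""
    return "=?%s?B?%s?=" % (charset, base64.b64encode(text.encode(charset)).decode("ascii"))

def build_message(subject, body_text, charset="iso-2022-jp", base64_body=True, content_type=True):
    """Constructed sample mail, not a captured one; content_type=False mimics the
    senders who base64-encoded the body without declaring a Content-Type."""
    lines = ["From: sender@example.invalid", "Subject: " + subject]
    if content_type:
        lines.append("Content-Type: text/plain; charset=" + charset)
    lines.append("Content-Transfer-Encoding: " + ("base64" if base64_body else "7bit"))
    body = body_text.encode(charset)
    payload = base64.b64encode(body) if base64_body else body
    return message_from_bytes("\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + payload)
```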

An interesting fact about the spam emails written in Japanese is that they tend to be plain text (with charset=“iso-2022-jp”) while still providing rich content. These emails contain formatted text in the form of paragraphs, bulleted lists and ASCII art, as can be seen in the picture below.

Fig. 1: Japanese spam mails.

Fig. 1: Japanese spam mails.

Extrapolating from the spam we received, it seems that more than half of the spam received by Japanese users is written in their language. The rest is in English.

Vlad Dinulescu
Software Engineer

Sorin Mustaca
Manager International Software Development

Swine flu Spams are flooding the net

Since the end of last week we have seen an increasing volume of medicine spam containing references to the swine flu. The URLs seem to be randomly generated, and no redirect is visible.

Fig. 1: Example of the swine flu spam mails

Fig. 1: Example of the swine flu spam mails

When visiting the website, we see a classic meds website clone, selling Viagra and the other well-known meds:

Fig. 2: The spam mails link to med sites.

Fig. 2: The spam mails link to med sites.

There is a product search on the site which actually seems to work. When searching for “swine flu”, we see some meds, but none of them has anything to do with the swine flu.

Fig. 3: None of the offers helps against swine flu.

Fig. 3: None of the offers helps against swine flu.

According to Wikipedia, the only working medicines against the swine flu are Tamiflu and Relenza. The website doesn’t even offer these two products. In conclusion, it seems that the classic meds websites are just trying to get more attention by exploiting the media hype around the swine flu epidemic.

As usual, we strongly advise never to buy anything from websites advertised in spam. The products are usually fake and can endanger your life.

Sorin Mustaca
Manager International Software Development

Adobe Acrobat and Reader JavaScript Vulnerability

Adobe has issued a warning about a buffer overflow vulnerability in all recent versions of Adobe Reader and Adobe Acrobat. Attackers can execute malicious code on affected computers by means of specially prepared PDF documents.

Adobe has announced an update for the affected software for 12 May; until then, users of Adobe Reader and Acrobat should disable JavaScript support in their products. Adobe recommends the following procedure:

1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the ‘Enable Acrobat JavaScript’ option.
5. Click OK.

Dirk Knop
Technical Editor