November 6, 2009, 7:48 am
Last week already, Opera released version 10.01 of its web browser. It closes several security holes; at least one of them can be abused to inject code (for example to infect the computer with a Trojan). Users are advised to install the new version quickly.
Meanwhile, the Mozilla Foundation has updated Firefox to version 3.5.5. The developers only mention stability fixes, so this release doesn’t seem to fix security issues. Nevertheless it is a good idea to install the update.
There was another security update for Sun Java: Version 6 Update 17 fixes a large number of security vulnerabilities. Since those flaws may lead to remote code execution, updating immediately is recommended.
What else? Adobe has released Shockwave Player 11.5.1.602, which also closes security holes that allow for remote malware injection. Users of the Shockwave Player (which is different from Adobe Flash Player) should also update their software immediately.
Today Google also released an update for its Chrome browser. It fixes two security problems that put users at risk.
Dirk Knop
Technical Editor
September 22, 2009, 6:57 am
Over the last weekend a package appeared on a popular BitTorrent site that allegedly contains Avira AntiVir Premium and a so-called keygen. A keygen is a tiny piece of software that calculates a license number for commercial software, for free.
When the supposed keygen is started, instead of providing the user with a serial number, it infects the system. It drops three files on the hard disk:
<%AllUsers Profile%>\Local Settings\Application Data\scvhost.exe
C:\Sys.exe
C:\autorun.inf
The dropped scvhost.exe is also added to the autorun registry keys so that it gets executed after every reboot. The autorun.inf and Sys.exe aren’t only created on the system hard disk, but also on all removable drives. This seems to be the spreading mechanism of the worm.
If you take a closer look at the malware, one thing surely catches attention. At the end you find the string “VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1”. This hints that the Vaqxination toolkit was used. The construction kit has some features interesting for cybercriminals:

Fig. 2: The Malware Toolkit used to create the worm.
Further features of the toolkit according to the advertisement by the toolkit’s programmer:
- Vista UAC Bypass
- Run-as-admin Bypass
- Fully stealth
- “Legit” Windows Process
- Stronger output encryption
- Only 15 US-$ for the Toolkit.
That string seems to be the configuration the malware creator used with the Malware Construction Kit. The features seem to work as described; for example, the malware is undetectable by the Anubis sandbox system:

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.
The Vaqxination Malware Construction Toolkit currently steals passwords from Firefox and Steam and also logs all keystrokes. Those log files are sent to the email account the creator chose before building the malware.
Avira detects the bogus key generator as Worm/Autorun.sxa with VDF version 7.01.06.18. Keygens have been a simple way for malware authors to infect user PCs for a long time already. If an antivirus solution warns about malware within such a keygen, this is nearly always a correct detection; the probability of a false positive is extremely low. Also, the websites where such keygens are usually offered often try to infect PCs via drive-by downloads. So be very careful when searching for software like this!
Dirk Knop
Technical Editor
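As an added example (not code from this post or from Avira), a small Python triage helper for the worm described above: it pulls the key=value build configuration that follows the “VaQxiNe-” marker out of a sample and flags a drive root carrying the autorun.inf plus Sys.exe pair. The sample bytes and file names are constructed for the demonstration.

```python
import re
from pathlib import Path

# Marker that precedes the embedded build configuration in the sample
# described in the post (string quoted from the post).
CONFIG_MARKER = b"VaQxiNe-"
# The configuration is a run of key=digit pairs with no separators,
# e.g. "steam=1firefox=1cookies=1". Keys are lowercase letters.
_RUN = re.compile(rb"(?:[a-z]+=\d)+")
_PAIR = re.compile(rb"([a-z]+)=(\d)")

def extract_config(blob: bytes) -> dict:
    """Return the key=value flags that follow the last marker, or {} if absent."""
    idx = blob.rfind(CONFIG_MARKER)
    if idx < 0:
        return {}
    tail = blob[idx + len(CONFIG_MARKER):]
    # Stop at the first byte that cannot be part of a key=digit pair
    # (typically the NUL padding after the string).
    m = _RUN.match(tail)
    if not m:
        return {}
    return {k.decode(): int(v) for k, v in _PAIR.findall(m.group(0))}

def enabled_features(blob: bytes) -> list:
    """Names of the features switched on (value 1) in the embedded config."""
    return sorted(k for k, v in extract_config(blob).items() if v == 1)

def drive_looks_infected(filenames) -> bool:
    """True if the root of a drive carries the autorun.inf + Sys.exe pair the worm drops."""
    names = {n.lower() for n in filenames}
    return "autorun.inf" in names and "sys.exe" in names

def scan_drive_root(root: Path) -> bool:
    """Apply drive_looks_infected to the files directly in a drive root."""
    return drive_looks_infected(p.name for p in root.iterdir() if p.is_file())

# Constructed sample: a fake PE header, padding, then the config string.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"VaQxiNe-steam=1firefox=1cookies=0sandboxie=1anubis=1\x00\x00"

if __name__ == "__main__":
    print(extract_config(SAMPLE))
    print(enabled_features(SAMPLE))
    print(drive_looks_infected(["autorun.inf", "Sys.exe", "readme.txt"]))
```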
VAQXINATION v6.0
September 2, 2009, 7:08 am
There is a severe security hole in Microsoft’s Internet Information Services (IIS) versions 5 and 6. “0-day” exploit code is publicly available on the net. The error is within the FTP component. Microsoft therefore recommends as a workaround to disable (anonymous) FTP on IIS, or to revoke anonymous users’ rights to create directories. A security advisory was already available but currently leads to a Bing search page; there you can at least see the advisory as a “cached page”.
Opera released the final version 10 of its web browser. It fixes some security issues and has some new and improved features, which are listed in the changelog.
The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in the processing of Word documents which can lead to system compromise. Users of OpenOffice.org should download the new version and update immediately.
Dirk Knop
Technical Editor
August 3, 2009, 1:08 pm
If you are a German user and receive an email from “Virenwarndienst” with the email address <Virenwarndienst@<Abzock-Webseite>.info>, do not register there to download the software. This site is a price trap: users who register there are entering into a contract for 2 years in which they have to pay 8 euro per month.
The text of the email is:
“Attention – Important virus warning:
According to reports from the Bundesamt für Sicherheit in der Informationstechnik (BSI, the German Federal Office for Information Security), a particularly dangerous virus/Trojan is currently circulating.
Your PC is unprotected and thus potentially at risk. In your own interest, please make sure to download a current virus scanner.
You can get the latest version directly here:
http://www.<Abzock-Webseite>.info/
Kind regards
Your Virenwarndienst”
It says that the German government authority for IT security has issued a warning because a dangerous virus/Trojan is in the wild. It then advises all users to download a security solution (note: Avira AntiVir isn’t mentioned there) in order not to endanger their computer. After following the link in the mail and trying to download the software, unsuspecting users are forced to register:

Fig. 1: The fraudsters need the address data in order to send bills for downloading the free software.
Almost nobody reads the AGB (EULA), which specify somewhere that you are signing a two-year contract at 8 euro per month.
Users who want to obtain the free version of Avira AntiVir, called Avira AntiVir Personal, can visit the website www.free-av.com and download the software for free.
Sorin Mustaca
Manager International Software Development
July 31, 2009, 6:37 am
As announced, Adobe has already released the first updates for the critical security vulnerabilities in its products. The first update is for Adobe Flash Player: the new version 10.0.32.18 is supposed to close the security hole in the software. You can get it via Adobe’s web site.
During the day, Adobe wants to release further patches for Adobe Reader and Acrobat. A new version of the Shockwave Player is also already available. Please install the updated versions as soon as possible.
Let me thank all the hardworking administrators out there, especially the Avira admins. They have to roll out all these updates today and already had a busy week due to Microsoft’s out-of-band updates on Tuesday. Don’t forget, it’s System Administrator Appreciation Day!
Dirk Knop
Technical Editor
July 25, 2009, 3:52 pm
Microsoft has announced extraordinary, out-of-band updates for Internet Explorer and for Visual Studio for this coming Tuesday. While the company rates the security issue in Visual Studio only as moderate, the IE flaws, which also affect IE8, are considered critical and allow for remote code execution.
Prepare for those updates: when Microsoft decides on an out-of-band release, they are really critical and necessary. Install them as soon as they are available.
Dirk Knop
Technical Editor
July 23, 2009, 12:37 pm
There are security flaws in Adobe Reader and Acrobat and in the Adobe Flash Player which are currently being actively exploited on the net. The company has published a security advisory announcing that it is currently investigating the problem and plans an update for the 30th of July.
Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the malware dropped by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. Nevertheless it is a good idea to take additional security measures until Adobe provides an update.
Adobe recommends deleting or renaming the file authplay.dll that ships with Reader and with Acrobat. According to Adobe, enabling Data Execution Prevention (DEP) and activating User Account Control (UAC) in Windows Vista also mitigate the risk.
Another solution is to use a different PDF reader and to disable the Adobe PDF and Flash plug-ins in the web browser via its add-ons manager. The NoScript extension for Firefox also helps to prevent Flash applications from running in the browser; drive-by downloads via malicious Flash applications embedded in web sites may well turn up soon.
Dirk Knop
Technical Editor
July 17, 2009, 9:06 am
The Mozilla Foundation released Firefox 3.5.1 today. The new version fixes an issue that could be abused by web sites to inject malicious code into a victim’s computer. The vulnerability was in the Just-In-Time compiler for JavaScript, a new feature in Firefox 3.5. Please update your Firefox to the most recent version now by clicking on “Help” and selecting “Search for updates”.
Dirk Knop
Technical Editor
July 14, 2009, 6:54 am
Microsoft has warned about yet another security hole that is already being actively exploited on the net. Affected are installations of Microsoft’s Office XP and 2003, ISA Server 2004 and 2006, and Office Small Business Accounting 2006.
It is unclear whether the updates to be released later today will already fix the error, but it seems unlikely. Microsoft has a “Fix it” tool ready that disables the ActiveX component within Internet Explorer to help mitigate the risk. Please use it as soon as possible!
Dirk Knop
Technical Editor
July 10, 2009, 6:38 am
According to Microsoft’s announcement of the next Black Tuesday, the company plans to release six security bulletins. Three of those deal with security holes deemed critical by Microsoft, while the other three are only rated “important”.
Among those three critical vulnerabilities there is one in DirectX. It seems that the Redmond company is plugging the holes that are currently being attacked in the wild. We generically detect all currently known versions of the JavaScript used to exploit the vulnerability as “HTML/Shellcode.Gen”. Halvar Flake has a nice write-up in his blog with details of the flaw, showing “how deep the rabbit hole really goes”.
While it remains unclear what the other two Windows vulnerabilities are, there will be updates that fix the important security flaws in Publisher from Microsoft’s Office suite, in Virtual PC and Virtual Server, and in ISA Server. Two of the updates will require a restart, so prepare for some downtime next Tuesday!
Dirk Knop
Technical Editor