6/30/2008 5:17:00 PM

Hundreds of hacked websites recruited to serve a new variant of the Gozi Trojan

by Oren Medini

eSafe CSRT has recently discovered a massive new Web attack in which a malicious iframe pointing to a remote exploit is planted on compromised legitimate websites. The iframe points to an MPack exploit kit, detected by eSafe as JS.Agent.hdd, hosted on a Chinese server. The exploit kit in turn downloads a new, improved version of the Russian Trojan horse known as Gozi, which is detected by eSafe as Win32.Agent.gjs.

The Gozi Trojan is designed to steal sensitive information and send it to a predefined address. We have observed that this new version transfers the stolen data to an IP address located in Malaysia.

The following TCP stream shows the Gozi Trojan in action:

More than 600 legitimate websites have fallen victim to this attack. The list includes a popular pro-Israel website and a private banking service website located in the Cayman Islands. Visiting the bank’s main page, or any of the compromised websites, triggers the exploit and ends with the Gozi Trojan being downloaded onto the victim’s system.

Hackers | Web-based Trojans

6/12/2008 1:43:00 PM

Microsoft Security Bulletin Summary for June 2008

by Oren Medini

Microsoft has released its monthly security bulletin for June 2008 to address nine vulnerabilities in Windows and Internet Explorer, five of them critical. We strongly suggest applying the patches provided by Microsoft for these vulnerabilities.

Following is a summary of the security updates released by Microsoft:

Critical

Microsoft Windows Bluetooth Stack Remote Code Execution

A vulnerability has been discovered in the Bluetooth stack in Windows that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Internet Explorer HTML Objects Memory Corruption Vulnerability

A remote code execution vulnerability exists in the way Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects. An attacker could exploit the vulnerability by constructing a specially crafted Web page.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Internet Explorer Request Header Cross-Domain Information Disclosure Vulnerability

An information disclosure vulnerability exists in the way Internet Explorer handles certain request headers. An attacker could exploit the vulnerability by constructing a specially crafted Web page.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

DirectX MJPEG Decoder Vulnerability

A remote code execution vulnerability exists in the way that the Windows MJPEG Codec handles MJPEG streams in AVI or ASF files. A user would have to preview or play a specially crafted MJPEG file for the vulnerability to be exploited.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

SAMI Format Parsing Vulnerability

A remote code execution vulnerability exists in the way DirectX handles supported format files. This vulnerability could allow remote code execution if a user opened a specially crafted file.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Important

WINS Elevation of Privilege

A vulnerability has been discovered in the Windows Internet Name Service (WINS) that could allow elevation of privilege. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Active Directory Denial of Service

A denial of service vulnerability exists in Active Directory. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Pragmatic General Multicast (PGM) Denial of Service

A denial of service vulnerability exists in implementations of the Pragmatic General Multicast (PGM) protocol on Microsoft Windows XP and Windows Server 2003. The vulnerability is due to improper validation of specially crafted PGM packets. An attacker who successfully exploited this vulnerability could cause the computer to become non-responsive and require a restart to restore functionality.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

PGM Malformed Fragment Vulnerability

A denial of service vulnerability exists in implementations of the Pragmatic General Multicast (PGM) protocol on Microsoft Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The protocol's parsing code does not properly validate specially crafted PGM fragments and will cause the affected system to become non-responsive until the attack has ceased.

Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

References:

• June 2008 Monthly Release
• Microsoft Security Bulletin Summary for June 2008


3/17/2008 4:36:00 PM

Trend Micro Falls Victim to Malicious Hack

by Oren Medini

According to numerous media sources, security firm Trend Micro has confirmed that a number of webpages on its Japanese and English-language websites were compromised by hackers on Sunday, March 9. This attack was part of a widespread web attack launched on websites across the world.

The attackers planted an invisible malicious IFrame tag into the compromised webpages in order to redirect the users, using JavaScript, to a website located in China that served up malware.

Trend Micro discovered the problem on Wednesday, 12 March, and replaced the affected pages with a message that says: “This page is temporarily shut down for emergency maintenance”.

It has not yet been revealed how the webpages on Trend Micro’s website were hacked; however, all of the affected pages appear to use Microsoft's Active Server Pages (ASP) technology. The attackers probably exploited a vulnerability or software bug in ASP to compromise the pages.

Trend Micro reported on its website that web surfers could be infected by the malware, which they named JS_DLOADER.TZE, either by accessing one of the infected webpages or clicking a URL link embedded in the malware’s name. They have recommended that visitors to their site check that their computers are not infected.


Hackers

3/12/2008 6:27:00 PM

Aladdin eSafe receives 5 stars from SC Magazine

by Oren Medini

A perfect 5 star award was granted to eSafe by SC Magazine, the leading industry magazine for IT security professionals. The March 2008 issue of SC Magazine’s Product Review described eSafe as “A solid anti-malware gateway with good value”. eSafe won 5 out of 5 stars in each of the following evaluation criteria: features, ease of use, performance, documentation, support, value for money, and overall rating.

More information about SC Magazine’s product review of eSafe is available here. For the full review, visit http://www.scmagazineus.com/eSafe/Review/2356/.


Press Coverage

2/11/2008 7:29:00 PM

Google Blog Alert Investigated by Aladdin Content Security Response Team (CSRT)

by Oren Medini

In light of scammers' new trend of using blogs to spread malware, a specially crafted security-themed blog hosted at blogger.com has turned up loaded with Trojans, backdoors, rogue security applications, and more. The story began when a dubious Google blog alert, noting a new blog entry that mentioned various security products, aroused our suspicion here at the Aladdin Content Security Response Team (CSRT). The blog on which the entry was posted was investigated extensively, and the findings revealed what appears to be an increasingly used new method of delivering malware.

More information about this incident is available here.


Web-based Trojans