CA Security Advisor Research Blog

Find out what our research team is saying about the latest security threats in the CA Security Advisor blog

Be aware of fake Microsoft Updates

by Rossano Ferraris

 

The other day spammers spread two interesting emails to users throughout the Internet and attempted to make users believe these emails originated from Microsoft. The emails contained an alert that advised users of an undiscovered vulnerability in the Kodak Image Viewer and a new 0-day vulnerability affecting machines running Microsoft Word 2007. The message contained real information about the security bulletin called MS07-055. However, the links included in the email led to a different website.

Below is an extract of the first email:

Microsoft Security Bulletin MS07-055 - Critical

Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)

Published: October 9, 2007 | Updated: October 17, 2007

Version: 1.1

General Information

Executive Summary

This critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in the way that the Kodak Image Viewer, formerly known as Wang Image Viewer, handles specially crafted images files. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This vulnerability exists only on systems running Windows 2000. However, systems running supported 32-bit editions of Windows XP and Windows Server 2003 may also be affected if upgraded from Windows 2000. This is a critical security update for Windows 2000 Service Pack 4, 32-bit editions of Windows XP Service Pack 2, and supported 32-bit editions of Windows Server 2003. For more information, see the subsection, Affected Software, in this section. This security update addresses the vulnerability by deprecating file types that are no longer supported as well as by improving the way that the Kodak image viewer handles specially crafted file types. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately following the links below coresponding to your system.

 

Affected Software

The software listed here has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

 

Affected Software

Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update
Microsoft Windows 2000 Service Pack 4 | Remote Code Execution | Critical |
Windows XP Service Pack 2 | Remote Code Execution | Critical |
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Remote Code Execution | Critical |

© 2007 Microsoft Corporation. All rights reserved.

 

The second email is similar and below is an extract of it:

 

From: "Microsoft Corp." <windowsupdate@microsoft.com>

 

You are receiving this message because you are using Genuine Microsoft Software and your e-mail address has been subscribed to the Microsoft Windows Update mailing list.

 

 A new 0-day vulnerability has appeared in the wild and was reported for the first time Monday, November 12. The vulnerability affects machines running MICROSOFT WORD and allows an attacker to take full control of the vulnerable computer if the exploitation process is succesfull.

Since then, more than 180,000 machines have been reported as exploited and used to promote spammy pharmacy products such as viagra and cialis.

...

 

Both emails encourage the recipient to download and install a supposed update which in truth is a trojan. The CA Security Advisor team learned that the "bad guys" set up a proxy, "PHProxy 0.5b2", that forwards to the original Microsoft patch site. Additionally, we discovered that the authors of both traps seem to be the same "bad guys", since all the links in these fake emails redirect the user's browser to http://postform[dot]maxiesub[dot]com/securityupdate/index[dot]php?q=aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL2Rvd25sb2Fkcy9kZXRhaWxzLmFzcHg%2FRmFtaWx5SWQ9YmU1MmY3NDAtZTljOS00MjI4LTk1YzAtMDA5OTUyMTNiYmQwJmRpc3BsYXlsYW5nPWVu&hl=1ed.
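To see what a link like this actually fetches behind the scenes, the following added example (my analysis helper, not the CA team's tooling) pulls the proxied destination out of the q= parameter of the link quoted above and compares it with the host shown in the address bar. It assumes the PHProxy convention of carrying the destination URL base64-encoded in q=, which the post does not spell out; the link is kept defanged exactly as printed.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote

# The link quoted in the post, kept defanged with "[dot]" exactly as printed there.
FAKE_UPDATE_LINK = (
    "http://postform[dot]maxiesub[dot]com/securityupdate/index[dot]php"
    "?q=aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL2Rvd25sb2Fkcy9kZXRhaWxzLmFzcHg%2F"
    "RmFtaWx5SWQ9YmU1MmY3NDAtZTljOS00MjI4LTk1YzAtMDA5OTUyMTNiYmQwJmRpc3BsYXlsYW5nPWVu"
    "&hl=1ed"
)

def refang(url):
    return url.replace("[dot]", ".")   # defanged notation back into a parseable URL

def query_param(query, name):
    """First value of `name` in a raw query string, %-decoded with unquote rather than
    parse_qs: parse_qs would turn '+' into a space, and '+' is a base64 character."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None

def phproxy_target(link):
    """URL a PHProxy-style link forwards to, or None if q= is missing or does not
    decode to an http(s) URL. Assumption (not stated on the page): q= carries the
    destination base64-encoded, which is how PHProxy builds its links."""
    q = query_param(urlsplit(refang(link)).query, "q")
    if not q:
        return None
    q += "=" * (-len(q) % 4)             # restore any padding stripped from the link
    try:
        target = base64.b64decode(q).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return target if urlsplit(target).scheme in ("http", "https") else None

def hides_other_site(link):
    """True when the host shown in the address bar differs from the host the proxy fetches."""
    target = phproxy_target(link)
    if target is None:
        return False
    return urlsplit(refang(link)).hostname != urlsplit(target).hostname

if __name__ == "__main__":
    print("visible host:", urlsplit(refang(FAKE_UPDATE_LINK)).hostname)
    print("proxied to  :", phproxy_target(FAKE_UPDATE_LINK))
    print("mismatch    :", hides_other_site(FAKE_UPDATE_LINK))
```

For the quoted link the decoded q= value is the genuine microsoft.com download page for KB923810, which is exactly why the proxied page looked legitimate while the address bar still showed maxiesub.com.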

 

 

As you can see, the website does a good job of fooling the unsuspecting user into believing it is the legitimate Microsoft download site. At the time of publishing, the executable available from this fake site is a trojan named WindowsXP-KB923810-x86-ENU.exe, detected by CA Anti-Virus as Win32/Afnb.A and by CA Anti-Spyware as Afnb A.

 

The trojan drops a number of malicious files on the affected computer and alters or creates a number of registry entries. These files and registry entries are already detected by CA Anti-Spyware as Banbot S.

The following describes what is dropped on the file system and what registry modifications are made.

 

Installation of the trojan

When executed, WindowsXP-KB923810-x86-ENU.exe creates a malicious file named KB923810.exe in the %AppData% folder.

Note: %AppData% is a variable location and refers to the location of the common folder that stores application specific data. The malware determines the location of the current AppData folder by querying the operating system. A typical location for this folder is C:\Documents and Settings\<username>\Application Data.

WindowsXP-KB923810-x86-ENU.exe then launches KB923810.exe.

KB923810.exe makes the following registry changes:

 

HKCU\Software\Microsoft\Windows\CurrentVersion "ofk" = 1

HKCU\Software\Microsoft\Windows\CurrentVersion "eos" = 1|30|

HKCU\Software\Microsoft\Windows\CurrentVersion\Run "KB923810" = %AppData%\KB923810.exe

HKCU\SOFTWARE\Microsoft "zasucks" = yo

HKCU\Software\Microsoft\Windows\CurrentVersion "bnhide", "228"|KB923810.exe|KB923810|1167|x|"

 

KB923810.exe opens a backdoor on TCP port 1167 and attempts to connect to one of the following hosts, giving the attacker unauthorized access to the affected machine:

 

  • bndk.prout.be (located in Romania)
  • yeosucity.com (located in the Republic of Korea)

 

Tips to prevent future Microsoft fake updates

 

To prevent similar issues, the CA Security Advisor team suggests that all users verify that an update really comes from Microsoft. As is well known, Microsoft releases new security updates on the second Tuesday of each month and publishes a bulletin announcing and describing the details of those updates.

Occasionally Microsoft releases additional updates which are published here:

http://www.microsoft.com/technet/security/current.aspx

Users should watch for browser redirections by checking what is displayed in the address bar. In this case, for example, an attentive user could see from the address bar that the source was not Microsoft.

 

 

Finally, it is always important to maintain and update your own anti-virus and anti-spyware products in order to reduce your exposure to these kinds of risks.


Comments

Windows Vista News said:

Interesting: community.ca.com

November 30, 2007 2:00 PM


About Rossano Ferraris

Rossano Ferraris is located in Italy where he lives and works for the CA Anti-Spyware Research Team as a research engineer. He was one of the first employees of PestPatrol and has been working for CA since its acquisition.

 

At CA he has taken the worldwide responsibility for supporting the CA Anti-Spyware product family as a senior specialist engineer, where he has trained the CA Threat Support Team on spyware issues. His main interests include spyware research, phishing, exploits and potentially unwanted software falling within CA Anti-Spyware’s scope of detection.

 

Rossano is an active member of various well-known security forums and a member of the ISSA association. He is the author of many articles on security matters for Italian newspapers and magazines and is also the author of a book on the spyware phenomenon published in Italy. He holds a degree in Computer Science and is GREM certified.