CA Security Advisor Research Blog

Trends in Malware for 2006: Exploitation of new and not-so-new vulnerabilities

We continued to see a raft of new vulnerabilities being exploited by malware in 2006. Some of the vulnerabilities targeted included:

  • MS06-005 - Microsoft Windows Media Player bitmap file buffer overflow vulnerability
  • MS06-006 - Microsoft Windows Media Player Plugin EMBED buffer overflow vulnerability
  • MS06-013 - Microsoft Internet Explorer createTextRange() handling vulnerability
  • MS06-014 - Microsoft Windows MDAC RDS.Dataspace ActiveX control vulnerability
  • MS06-040 - Microsoft Windows Server service buffer overflow vulnerability
  • MS06-055 - Vulnerability in Vector Markup Language
  • MS06-057 - Microsoft Windows Shell remote code execution vulnerability (JavaScript)

These last two vulnerabilities were exploited by the Win32/Duiskbot family, amongst others.

There is also evidence that old vulnerabilities are still being used by malware authors, which suggests that, regardless of repeated warnings, many machines remain unpatched and vulnerable to exploitation. The Java/ByteVerify!exploit description in our Virus Encyclopedia continues to be one of the most visited pages; the vulnerability it exploits is MS03-011.
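The bulletins listed above, together with the older MS03-011 and MS01-034 that this post notes are still being exploited, make a natural watch list for a patch-coverage audit. The following is an added example (not CA's code): it takes a per-host inventory of installed bulletins and reports which watched bulletins each host is missing, flagging the pre-2006 ones separately since those indicate machines that have been unpatched for years. The hostnames and the inventory are constructed sample data; in practice the inventory would come from your patch-management system.

```python
"""Patch-coverage audit against the bulletins named in this post (added example)."""

# Bulletins the post reports as exploited by malware in 2006.
EXPLOITED_2006 = {
    "MS06-005": "Windows Media Player bitmap file buffer overflow",
    "MS06-006": "Windows Media Player plugin EMBED buffer overflow",
    "MS06-013": "Internet Explorer createTextRange() handling",
    "MS06-014": "MDAC RDS.Dataspace ActiveX control",
    "MS06-040": "Windows Server service buffer overflow",
    "MS06-055": "Vector Markup Language",
    "MS06-057": "Windows Shell remote code execution",
}

# Older bulletins the post says are still being exploited in the wild.
STILL_EXPLOITED_OLD = {
    "MS03-011": "Microsoft VM ByteVerify (Java/ByteVerify!exploit)",
    "MS01-034": "Word macro security bypass (W97M/Kukudro)",
}

WATCHLIST = {**EXPLOITED_2006, **STILL_EXPLOITED_OLD}

# Constructed sample inventory: host -> set of bulletins reported as installed.
SAMPLE_INVENTORY = {
    "ws-001": set(WATCHLIST),                                   # fully patched
    "ws-002": {"MS06-005", "MS06-006", "MS06-013", "MS06-014",  # missing the two
               "MS06-040", "MS03-011", "MS01-034"},             # Duiskbot bulletins
    "ws-003": {"MS06-040"},                                     # only the wormable one
}


def bulletin_year(bulletin_id):
    """Map 'MSyy-nnn' to a four-digit year (two-digit years >= 98 are 1990s)."""
    yy = int(bulletin_id[2:4])
    return 1900 + yy if yy >= 98 else 2000 + yy


def missing_bulletins(installed, watchlist=WATCHLIST):
    """Watched bulletins not present in a host's installed set, sorted."""
    return sorted(b for b in watchlist if b not in installed)


def exposure_report(inventory, watchlist=WATCHLIST):
    """Per host: all missing watched bulletins, and the pre-2006 ('stale') subset.

    A non-empty 'stale' list means the host has gone unpatched for years, which is
    exactly the population the post says malware authors still rely on.
    """
    report = {}
    for host, installed in inventory.items():
        missing = missing_bulletins(installed, watchlist)
        report[host] = {
            "missing": missing,
            "stale": [b for b in missing if bulletin_year(b) < 2006],
        }
    return report


def hosts_by_exposure(report):
    """Hosts ordered most-exposed first: (host, missing count)."""
    return sorted(((h, len(r["missing"])) for h, r in report.items()),
                  key=lambda hr: (-hr[1], hr[0]))


if __name__ == "__main__":
    rep = exposure_report(SAMPLE_INVENTORY)
    for host, count in hosts_by_exposure(rep):
        print(f"{host}: {count} missing, stale={rep[host]['stale']}")
        for b in rep[host]["missing"]:
            print(f"    {b}  {WATCHLIST[b]}")
```

The report ranks hosts by how many watched bulletins they lack; the `stale` field is the one worth alerting on, since a machine missing MS01-034 or MS03-011 in 2007 is unlikely to be receiving updates at all.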

The other trend that featured last year was a number of exploits targeting vulnerabilities in Microsoft Office. CA received reports that several had been utilized in the wild by particular droppers to compromise targets. Several Office platforms were affected and some were targeted very specifically - they only worked on systems with particular service packs applied. Some examples include:

All of these bulletins refer to vulnerabilities in Microsoft Office allowing remote code execution.

Strangely enough for MS Office applications, no macros were involved. That is not to say, though, that macro malware is dead. We saw a new family of Word macro trojans in 2006 that attempted to exploit an old vulnerability in Microsoft Word (MS01-034). The exploit uses a document or template containing macros to execute malicious code, irrespective of how high Word's macro virus protection is set.

The family is W97M/Kukudro, and CA received reports that it had been actively spammed out to users in mid-2006. The payload for this trojan involves dropping another trojan (Win32/Kukudro), which in turn attempts to download and execute arbitrary files. In the wild, we observed that Win32/Kukudro downloaded variants of the Win32/Sality family, a polymorphic virus that infects Win32 PE executable files. Sality in turn has many and varied payloads: it may steal system information, download and execute arbitrary files, delete files, terminate processes, log keystrokes, change firewall settings, run an HTTP proxy, and/or harvest email addresses.

Up next... Anti-detection mechanisms: server-side polymorphism