The authors of the Sality family added a new executable component, which we detect as Troj/Sallink-A, that enumerates network resources, dropping two files where it can. The first of these is a DLL file, detected as Troj/Salload-D, the other a LNK shortcut file, detected as Exp/Cplink-A. Simply browsing to the folder containing the LNK file will automatically execute the DLL file – that’s the nature of the CVE-2010-2568 vulnerability.

Different variants of Troj/Sallink-A format their payload in slightly different ways. Most drop the DLL using a filename consisting of random letters and numbers (usually ‘a’ to ‘f’, and ‘0′ to ‘9′), with earlier variants using <random>.dll and later ones using ~<random>.tmp or w<random>.tmp. For the shortcut file, earlier variants used the simple <random>.lnk, while later variants moved to using a wide variety of click-enticing names – for a full list, see the “More Information” tab of Troj/Sallink-A, but filenames include “My Photos.lnk”, “Gallery photos.lnk”, “XXX.lnk”, “Britney Spears XXX.lnk”, “Barrett Jackson nude photos.lnk”, and “Miss America Porno.lnk”.

I’m not quite sure why they’ve gone out of their way to give these the sort of filename that get people to click them, since the whole point of this vulnerability is that you don’t have to click the shortcut – in fact I’d say most of these names are far more likely to arouse suspicion on a network. But then, that’s what you get if you just steal a list of names from other malware – most of the names are recognisable as having been used by the Bagle family of malware more than 4 years ago.

For good measure, Troj/Sallink-A also tries to drop the LNK file to all subdirectories of the network share, maximising the chance that someone will browse there and trigger the DLL-executing exploit. When run, the DLL tries to contact a remote URL, and to drop a file to %lt;temp>\<random>.exe – this is the main Sality component, which goes on to infect files, and to spread to all available drives (including USBs) and network shares. We detect this component as Mal/Sality-D.

In fact before the authors had even sent out the first dll-dropping exe or exe-dropping dll, we detected all of these files as Mal/Sality-D – we’re now using the names Troj/Sallink-A and Troj/Salload-D to help differentiate components of the chain, but we’ve always protected against them all.

It’s a bit surprising to see a malware family that concentrates on a rather old-school file infection keeping on top of new vulnerabilities, but clearly someone in their gang is reading the news – earlier in the month they sent exploited PDF spam, so (ab)using exploited LNK files is an obvious next step. It’s a shame the authors don’t spend more time on the actual virus itself, since it still has a nasty habit of corrupting files during infection.

Even once Microsoft releases a patch for the vulnerability, history has shown that lots of people won’t apply it with any due expediency, so it’s a safe bet that we’ll see more malware exploiting this in the future. We’ll continue to update our main shortcut exploit page as we get more information, and you might also want to download our Windows Shortcut Exploit Protection Tool to help keep you safe until the vulnerability has been patched.

Though some sessions I attended were a bit of a hit and miss, mostly because of the less than ideal presentation skills of the presenters, not the technical content of the sessions I can say that I thoroughly enjoyed seeing the enthusiasm which exuded from every single presenter who gave their best to show their work.

The highlight of the day one was the presentation by Barnaby Jack which successfully showed that ATMs are just computers, like any other and that by learning about their functionality it is possible to remotely compromise their operation. This can become quite a serious problem, especially if the attackers find an easy way to modify software running on the system. Big crowds attending the session had every right to be impressed by the show. Several good videos of Barnaby Jackpotting ATMs on the stage have been posted on Youtube.

I was particularly interested to attend sessions concerning malware analysis and reverse engineering techniques, and see if we can get new ideas and tools to use in Sophoslabs. Some interesting tools, such as Berkley University BitBlaze are already available and some others such as excellent VMM based debugger Virt-ICE are in relatively early stages of development showing good potential for future usage for malware analysis.

For me, another interesting area was the increased attention to smartphone platforms, primarily Android based devices and iPhones. We often discuss the protection techniques for smartphones and question the need to develop an anti-malware software for them and conclude that there are relatively few threats to warrant fully functional anti-malware protection, especially in a corporate, managed environment.

Kevin Mahaffey and John Hering from Lookout security have conducted an interesting research into functionality of all free applications available through Android Market and Apple App Store and found out a significant number of applications, developed by few developers which are developed with a clear intention to steal data available on the device and send the data to a central server managed by the developers. Malware? Maybe. Spyware? Certainly. Unfortunately, both Google and Apple are currently in the stage of threat denial and do not provide documented programming interfaces which would allow security vendors to create reliable protection for the platforms. Let us hope they are right and that they will be able to make sure that all applications published through their respective Application stores will always be free from malicious intent. I am a bit of skeptic on that front, but that may just be me.

On the corporate front, it is obvious that Microsoft is making a better job of handling vulnerabilities discovered in Windows, despite the recently discovered feature/bug in Windows handling of shorcuts to control panel extensions couple of weeks ago. Great news is that Adobe has decided to jump on the bandwagon and coordinate the incident response with Microsoft. Members of MAPP, including SophosLabs should be pleased to learn that technical information about issues in Adobe software will be distributed to all members through the channel already used to distribute information related to vulnerabilities in Microsoft’s products.

I am off now to the positive madness of Defcon and will make sure to let you know about the sessions I particularly enjoyed.

Many Facebook accounts are currently posting messages saying:

OMG! Shocking Real Crimes caught live on Google Streets. This is SO Unbelievable and you have got to see it! hxxp:/tiny.cc/urztb

At first glance you may believe that your friend is genuinely thinks you will be interesting in viewing what’s at the end of that link, but the fact of the matter is that it wasn’t your Facebook friend who posted that message – but a rogue Facebook application called Earth Finder.

If you do fall for the social engineering trick and click on the link you are taken to a Facebook page which says:

Google Street View

Big Brother is constantly watching us and does so all the time. These Crooks thought that they were above the LAW and could get away with anything. Unfortunately for them, Google Streets caught them red handed and on FILM!

See the world's most EMBARRASSING and SHOCKING CRIME photos that were caught live on Google Streets.

[Click Here to See The CRIMES]

By now you’re hooked, and quite possibly desperate to find out what embarrassing and shocking photographs of criminals you might be about to be shown (remember, it was your friend’s Facebook account which has recommended this content after all).

But going any further takes you to a page which tells you you need to give permission to a Facebook application called “Earth Finder” first.

And that’s where things really begin to go wrong. Because now you’ve given the green light for “Earth Finder” to post messages from your Facebook profile, advertising it to all of your friends.

And once again (like the recent “Teacher Nearly Killed This Boy” application which I caught on video) you will be making money for the scammers by being redirected to a series of surveys and online questionnaires.

If you’ve fallen for a scam like this, spreading virally across Facebook, make sure you clean up your Facebook account – remove the references to it from your status updates and news feeds, and ensure that you have zapped it from your list of applications.

Please take care when you’re online, and consider joining the Sophos page on Facebook to be kept informed of the latest security threats.

And be sure to warn your friends who passed the link onto you as well – clearly they’re not taking enough care about their computer security if they’re granting permission for apps like this to have access to their Facebook profile.

Threat Research Engineer Benson Sy encountered two .MOV files (001 Dvdrip Salt.mov, salt dvdrpi .mov) that both used the recent movie, Salt of Angelina Jolie. It looks suspicious enough because of its relatively small size compared to regular movie files.

When the movie files are loaded to Quicktime player, it doesn’t show any live action scenes but leads users to download malware pretending to be either an update codec or another player installation. It is still under investigation whether the malware is using vulnerability or a known functionality to download the malware.

The first.MOV file connects to hxxp://{BLOCKED}.{BLOCKED}.53.196/stat1/pix1.php which redirects to hxxp://{BLOCKED}.{BLOCKED}.8.120/cms/976/1/QuickTime_Update_KB640110.exe. It then asks the user to save/run the file. Trend Micro detects this as TROJ_TRACUR.SMDI.

On the other hand, the second .MOV file connects to hxxp://play.{BLOCKED}nstaller.com/0.c which points to hxxp://player.{BLOCKED}nstaller.com/d77.php. It then downloads the file, music_installer.exe. Similarly, it asks the users to save/run the file.

Trend Micro users are protected from this attack via the Trend MicroTM Smart Protection NetworkTM that blocks the malicious URLs to prevent the download of malicious files onto the system.

Post from: TrendLabs | Malware Blog – by Trend Micro

QuickTime Player Allows Movie Files to Trigger Malware Download