Archive for December, 2006

Microsoft patches 133 Critical and Important Vulnerabilities in 2006

This Patch Tuesday, Microsoft patched 11 vulnerabilities. Among them are two that can be exploited remotely by an anonymous user: MS06-074 (SNMP Buffer Overflow Vulnerability) and MS06-077 (Remote Installation Service Vulnerability). Neither the Windows SNMP Service nor the Remote Installation Service is installed by default, which greatly reduces the attack surface.

The vulnerability in Visual Studio, exploited in the wild, has been addressed in this month’s patch cycle.

An update of last month’s graphs is found below. The top graph shows that Microsoft came close to one hundred critical vulnerabilities for 2006. The year is not over, and Microsoft may provide out-of-cycle patches for the current 0-day Word vulnerabilities.

Chart: Critical Vulnerabilities addressed by Microsoft
Chart: Important and Critical Vulnerabilities addressed by Microsoft

So, how does one write mobile spyware?

Some helpful soul has decided there isn’t enough Symbian spyware in the world. A Russian malware author has released a prototype of SMS forwarding spyware, SymbOS/Htool-SMSSender.A.intd. He’s included the source code to aid in modification.

The author, let’s call him Scripty, says that SymbOS/Htool-SMSSender.A.intd can:

  • Hide from the user
  • Load on startup
  • Copy the text of the last SMS you received
  • Send that text in a new SMS to the author

SymbOS/Htool-SMSSender.A.intd performs the first three steps well, but it fails to do the last. Looking at the source code, it appears Scripty didn’t write the SMS sending code. Scripty, though apparently unskilled, believes the source code will be useful to other malware authors for constructing their own SMS spyware.

Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware.

MS Word Zero-Day Trio

In the week leading up to 12 December 2006, two new Microsoft Word zero-day vulnerabilities became public (Word I, Word II). Microsoft’s December Patch Tuesday fell on December 12, but this cocktail of Microsoft’s patches did not include fixes for the two new Word flaws. To make matters worse, on December 12, a third zero-day Word flaw was released (Word III).

Although one could argue that the December 12 release of a new Microsoft flaw was only a coincidence, it fits the trend of the disclosure of Microsoft vulnerabilities on or just after a Patch Tuesday. November’s trend-fitter, a vulnerability in Microsoft Active Directory, did not include a public proof-of-concept; this month’s trend-fitter, however, does have a public proof-of-concept.

So the Word zero-day trio has a window of exposure of at least a month. Please stay secure as we continue to protect our customers against such attacks.

PassWord Stealer for the virtual world

Within the Trojan family, password stealers (PWS) are dedicated to monitoring some of your keystrokes. They collect confidential information such as Internet logins. Depending on the data collected, an attacker is then able to access your bank, e-commerce, game or social networking account for fraud or other criminal activities.

McAfee Avert Labs recently added detection for a newcomer distributed over the Skype VoIP network. Named PWS-JO, it captures all keystrokes, saves them to a local file and sends them to a remote website (hopefully no longer accessible). This example illustrates a new kind of attack vector (here a VoIP client): distribution is no longer limited to viruses, spammed email or malicious webpages.

This new alert should also remind us that password stealers are increasingly numerous and are not limited to immediate financial offenses. Although 62% of them target financial institutions, it is important to note that Massively Multiplayer Online Role-Playing Games (MMORPG) are the second most targeted sector (approx. 18%).

At McAfee the main PWS families are the following:

  • Banks and e-commerce (62%): PWS-Banker, PWS-Goldun, etc.
  • Games (MMORPG) (18%): PWS-Lineage, PWS-Legmir, PWS-WoW, PWS-Gamania, etc.
  • ICQ, instant messaging, social networking (10%): PWS-LDPinch, PWS-QQPass, etc.
  • Others (10%)

In one year the number of PWS families grew by 240% (from 5000 to 12000). Users must stay vigilant so as not to lose their “cyber-money”, or their uber dragon sabre!!!

IMs, VoIP and Spam

Technologies advance with time, and so it is with instant messengers. Not long ago, people were happy sending text messages. Then VoIP came along and changed the scene, and IM vendors soon embraced it: many IM clients are now VoIP enabled. As VoIP moved deeper into the mainstream, security researchers warned of related issues. One was abuse for spam, usually referred to as SPIT (spam over Internet telephony). Wikipedia describes SPIT as an “as-yet-nonexistent problem”. As VoIP grows more popular the scenario is changing fast, and this “as-yet-nonexistent problem” is slowly but surely emerging. The following image shows real-world VoIP spam over Skype.

Real-Case Skype SPIT

The image shows a typical spam approach: the spammer starts a conference call with some random users and plays the spam message. This process is most likely not manual but automated with bots.

Use and abuse are two sides of the same coin, and this technology is no exception. All major IM providers are giving away SDKs to develop add-ons. However, these SDKs also lower the bar for spammers to develop bots. We have witnessed the same with the ongoing development around Skype malware.

The image below shows the assembly code for the loop used by Skype malware to search for users. Note the “SEARCH USERS” Skype API calls:

Assembly loop showing the Skype SEARCH USERS API in use by Skype malware

The malware actually uses more of these; the image below highlights them:

More Skype APIs in use by Skype Malware

These APIs are part of the Skype SDK and are documented by Skype. It is just a matter of time before we start seeing bots in the wild built on top of the IM SDKs provided by the vendors. We advise users to be aware of this developing attack vector. McAfee Avert Labs is prepared for this battle!!

Christmas “fun” with malware

As of late, a weekend is just not complete without a new W32/Stration variant spamming, and this weekend was no exception. Of course, this variant added a Christmas twist to the message body. To add to the Christmas “fun”, we also saw two other nasties taking advantage of people hoping for a little holiday cheer in their inbox.

Here’s hoping you all missed this excitement because you were having a wonderful holiday with friends and family instead. Or perhaps basking in the glow of a TV, enjoying a new video game console. (Speaking of which, the Wii just got an internet browser which is capable of playing Flash games. Hmmm… Very cool that they went with Opera, though!)

SPAM : Death by a thousand cuts!!

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet, turning them into spam relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spam to online pharmaceuticals or the usual penis enlargement. Each zombie is capable of sending hundreds of spam emails per minute, depending on the available bandwidth. Examples: Spam-Maxy, Spam-Loot.

With more machines on broadband and ADSL connections, this provides a fertile breeding ground for the unholy alliance of malware authors and spammers.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

Captured Email Content

Only 11% were executable attachments. 2% were mails containing infection notifications or captured cached passwords meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spam was image spam and ASCII art, techniques that spammers have used effectively to subvert traditional detection by anti-spam vendors.
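A triage script for the kind of honeypot sample described above, as an added example and not Avert Labs’ own tooling: it sorts captured messages into the executable, notification and spam buckets and flags image spam and ASCII art, the two evasion techniques mentioned. The notification marker phrases and the ASCII-art threshold are assumptions, and the five messages are constructed inline.

```python
import email.message, email.policy, re

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
NOTIFY_RE = re.compile(r"(?i)\b(cached passwords?|infected host|keylog)\b")  # assumed markers

def classify(raw: bytes) -> str:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text_parts, has_image = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Executable by extension, or a renamed PE binary caught by its "MZ" magic.
        if fname.endswith(EXEC_EXT) or (fname and payload[:2] == b"MZ"):
            return "executable"
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True
        elif ctype == "text/plain":
            text_parts.append(payload.decode("utf-8", "replace"))
    body = "\n".join(text_parts)
    if NOTIFY_RE.search(body):                # report meant for the trojan author
        return "notification"
    if has_image and len(body.strip()) < 40:  # the pitch is inside the picture
        return "spam:image"
    glyphs = [c for c in body if not c.isspace()]
    if glyphs and sum(not c.isalnum() for c in glyphs) / len(glyphs) > 0.35:  # assumed threshold
        return "spam:ascii-art"               # mostly punctuation: ASCII art
    return "spam"

def summarize(mailbox: list[bytes]) -> dict[str, float]:  # percent per bucket, as in the chart
    labels = [classify(m) for m in mailbox]
    return {k: round(100 * labels.count(k) / len(labels), 1) for k in set(labels)}

def build(subject: str, text: str = "", attach=()) -> bytes:  # constructed test message
    m = email.message.EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(text)
    for data, main, sub, name in attach:  # (bytes, maintype, subtype, filename)
        m.add_attachment(data, maintype=main, subtype=sub, filename=name)
    return m.as_bytes()

SAMPLE = [  # one constructed message per bucket
    build("Xmas card", "Open the card!", [(b"MZ\x90\x00", "application", "octet-stream", "card.exe")]),
    build("Report", "Infected host 10.0.0.5\ncached passwords: admin:hunter2"),
    build("Hot stock", attach=[(b"\x89PNG\r\n", "image", "png", "stock.png")]),
    build("Deal", "__/\\__ |__| /\\/\\ (__) @@@ ### !!! *** ///"),
    build("Meds", "Cheapest meds online, visit our store today"),
]
```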

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication of today’s W32/Stration and Spam-DComServ trojans demonstrate the alarming advances made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.

I am not against virtual postcards, but…

As we see every year, the Christmas season is a great opportunity for a new virus to spread by email, using “Christmas” as a reason to read the email. We just had a post here on the Avert Labs blog about one a few days ago. If it were just the spammers, we could understand, since they live to do that, but today I got an email from my bank stating that I could start to send Christmas and New Year’s virtual cards through their website! I immediately thought that it was a phishing scam, so I decided to check the link. It was indeed a new URL created by the bank, something like www.christmascards[insert Bank Name here].com.br, where you could select up to 4 different Christmas / New Year’s cards and send them to your friends… This just happened hours ago… I bet that I will start to receive some Xmas virtual cards, and I also bet that those will not be from my friends :). So, don’t get me wrong, I like virtual postcards, but this strange marketing campaign will make things real easy for the bad guys, since the real bank sent a mass mail to all customers telling them that they can send those cards from their website. Now, what do you think will happen when the bank customers start to receive fake virtual postcards on behalf of the bank, with attached malware??

Do Exploit Writers Ever Go on Vacation?

Apparently not! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service.

Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable.

Keep reading for more on exploits released this holiday season. Happy holidays!