Nov 20, 2010
In an earlier blog entry, we wrote about the trend of faking Facebook support emails to spread malware. Bkav’s Honeypot system still regularly receives such emails. The technique is old, but the emails’ contents and the malicious attachments are constantly refreshed.

Figure 1: One of the counterfeit Facebook emails
Why have attackers used this old technique for such a long time? Because it is still very effective. Let’s analyze the nature of the problem. First, it’s not hard to see that Facebook is still the biggest social networking site, which means it has a huge number of users. Second, the popularity of Facebook helps these fake emails bypass spam filters much more easily.
So, what should you do when you receive such an email? The answer is simply to configure your system to show the extension of the attached file before opening it.

Figure 2: Be careful with the icons
Besides, you should not immediately trust the file’s icon, but carefully examine its extension. It’s advisable not to open the file when its extension is “.exe”, “.bat”, “.pif” or “.scr”. More importantly, you need to update your antivirus program on a regular basis to keep your computer fully protected.
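The advice above (look at the real extension, not the icon) can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not Bkav’s code: it parses a message with Python’s standard email library and flags attachments whose last extension is one of the four the post names. The sample message, its addresses and the attachment contents are constructed placeholders.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the post warns about. The list is deliberately the post's own;
# extend it with other executable types as your environment requires.
DANGEROUS_EXTENSIONS = {".exe", ".bat", ".pif", ".scr"}


def risky_extension(filename):
    """Return the dangerous extension a filename really ends with, or None.

    Windows decides how to open a file by its *last* extension, so a name such
    as 'Facebook_details.jpg.exe' is an executable even though the icon and the
    visible part of the name suggest an image. Case and trailing whitespace are
    normalised before the check.
    """
    name = filename.strip().lower()
    ext = os.path.splitext(name)[1]
    return ext if ext in DANGEROUS_EXTENSIONS else None


def scan_message(raw_message):
    """Parse an RFC 822 message and list (filename, extension) for risky attachments."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename is None:
            continue
        ext = risky_extension(filename)
        if ext is not None:
            findings.append((filename, ext))
    return findings


def build_sample_message():
    """Constructed sample: a fake 'Facebook' notice carrying a double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "Facebook <notification@facebook.example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been changed. Details are attached.")
    # Payload bytes are a placeholder, not a real binary.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="Facebook_details.jpg.exe")
    msg.add_attachment("harmless notes", subtype="plain", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for name, ext in scan_message(build_sample_message()):
        print(f"suspicious attachment: {name!r} (real extension {ext})")
```

The check deliberately ignores the declared MIME type and the icon embedded in the file: both are under the sender’s control, while the final extension is what the recipient’s Windows shell will act on.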
Nguyen Cong Cuong
Senior Malware Researcher
Nov 12, 2010
Recently, we have obtained samples of a new variant of Sality. Analyzing these samples, we found some MMX (MultiMedia eXtension) instructions in their metamorphic code that have never been seen in the previous variants.

Sality with MMX instruction
Previous Sality variants only used pure x86 instructions in their metamorphic code. Nowadays, x86 code can be emulated by almost all antivirus emulators, so these variants could be detected without much difficulty. However, the new variant has adopted one more instruction type: MMX instructions. By using MMX instructions, Sality can defeat antivirus emulators that do not support them and avoid detection.

Generating MOVD mm, r/m32 instruction
Only a few MMX instructions are used in this variant. However, judging from the innovation trend of the previous variants, it’s likely that new variants will come up with more complex MMX instructions in the future.
Furthermore, the new Sality variant replaces its characteristic instructions with pieces of code that do the same work.
Example:
R1 = [R2]
(R1 and R2 are 32-bit registers; [] denotes the memory addressed by the register inside the brackets)
can be turned into:
R1 = 0
R1 = R1 xor [R2]
or
R1 = 0
R1 = R1 or [R2]
or
R1 = 0
R1 = R1 + [R2]
It is difficult to tell which instructions are used to decrypt the virus body and which are only junk code, or which registers contain useful values and which do not. Antivirus programs must work more sophisticatedly to collect enough parameters to decrypt and clean the virus from infected files.
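The three rewrites above are all exact equivalents of the load, because zeroing a register makes xor, or and add each act as a plain copy. An analyst normalising metamorphic code wants two things: a peephole rule that collapses such sequences back to the canonical load, and a cheap differential check that a proposed rule really is semantics-preserving. The following is an added example for this page, not Bkav’s analysis tooling: it parses the post’s own pseudo-assembly notation, runs it on a tiny register/memory model, and applies the rule. The notation parser and the 32-bit model are assumptions of the example.

```python
import random
import re

MASK32 = 0xFFFFFFFF

# The three shapes that appear in the post's notation: a plain load,
# a register zeroing, and a combine with a memory operand.
_LOAD = re.compile(r"^(\w+)\s*=\s*\[(\w+)\]$")
_ZERO = re.compile(r"^(\w+)\s*=\s*0$")
_COMBINE = re.compile(r"^(\w+)\s*=\s*(\w+)\s*(xor|or|\+)\s*\[(\w+)\]$")


def parse(line):
    """Turn one line of the post's pseudo-assembly into a tuple."""
    line = line.strip()
    m = _LOAD.match(line)
    if m:
        return ("load", m.group(1), m.group(2))
    m = _ZERO.match(line)
    if m:
        return ("zero", m.group(1))
    m = _COMBINE.match(line)
    if m and m.group(1) == m.group(2):
        return ("combine", m.group(1), m.group(3), m.group(4))
    raise ValueError("unsupported instruction: " + line)


def execute(program, regs, mem):
    """Run a parsed program over 32-bit registers and an {address: value} memory."""
    regs = dict(regs)
    for ins in program:
        if ins[0] == "load":
            regs[ins[1]] = mem[regs[ins[2]]]
        elif ins[0] == "zero":
            regs[ins[1]] = 0
        else:
            _, dst, op, ptr = ins
            val = mem[regs[ptr]]
            if op == "xor":
                regs[dst] ^= val
            elif op == "or":
                regs[dst] |= val
            else:  # "+"
                regs[dst] = (regs[dst] + val) & MASK32
    return regs


def canonicalize(program):
    """Peephole rule: 'R = 0; R = R op [M]' with op in {xor, or, +} is exactly 'R = [M]'."""
    out, i = [], 0
    while i < len(program):
        ins = program[i]
        nxt = program[i + 1] if i + 1 < len(program) else None
        if ins[0] == "zero" and nxt is not None and nxt[0] == "combine" and nxt[1] == ins[1]:
            out.append(("load", nxt[1], nxt[3]))
            i += 2
        else:
            out.append(ins)
            i += 1
    return out


def equivalent(prog_a, prog_b, trials=256, seed=2010):
    """Differential check: identical final registers on random inputs.
    Not a proof, but it rejects a wrong rewrite rule almost immediately."""
    rng = random.Random(seed)
    for _ in range(trials):
        addr = rng.randrange(0x1000, 0x2000, 4)
        regs = {"R1": rng.getrandbits(32), "R2": addr}
        mem = {addr: rng.getrandbits(32)}
        if execute(prog_a, regs, mem) != execute(prog_b, regs, mem):
            return False
    return True


def render(ins):
    """Render a parsed instruction back into the post's notation."""
    if ins[0] == "load":
        return f"{ins[1]} = [{ins[2]}]"
    if ins[0] == "zero":
        return f"{ins[1]} = 0"
    return f"{ins[1]} = {ins[1]} {ins[2]} [{ins[3]}]"


def canonical_text(lines):
    """Parse, canonicalize and re-render a list of pseudo-assembly lines."""
    return [render(ins) for ins in canonicalize([parse(line) for line in lines])]


if __name__ == "__main__":
    for variant in (["R1 = 0", "R1 = R1 xor [R2]"],
                    ["R1 = 0", "R1 = R1 or [R2]"],
                    ["R1 = 0", "R1 = R1 + [R2]"]):
        print(variant, "->", canonical_text(variant),
              "equivalent:", equivalent([parse(l) for l in variant], [parse("R1 = [R2]")]))
```

The differential check matters as much as the rule: the same combine instruction without the preceding zeroing is not a load (the old register value leaks into the result), and the checker reports that immediately. Real metamorphic engines interleave junk between the two halves, so a production normaliser has to track register liveness rather than look only at adjacent pairs.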
This variant of Sality is detected by Bkav as W32.SalityVM.PE.
Nguyen Ngoc Dzung
Malware Analyst
Nov 08, 2010
General Information
Libxml2 is an open source software library for parsing XML documents. In October 2010, the vulnerability research team at Bkis found a high-severity vulnerability in libxml2. This library is used by many popular applications, browsers and operating systems, for example Google Chrome, Apple Safari and Linux. Thus, these applications, particularly browsers, are vulnerable to attack. Bkis has reported the vulnerability to the related vendors.
Details

Bkis Advisory: Bkis-05-2010
CVE reference: CVE-2010-4008
Initial vendor notification: 11-10-2010
Release Date: 05-10-2010
Update Date: 05-10-2010
Discovered by: Bui Quang Minh – Bkis
Attack Type: Invalid Memory Access
Security Rating: High
Impact: Remote Attack
Affected Software:
    Libxml2 < 2.7.8
    Google Chrome < 7.0.517.44
    Apple Safari <= 5.0.2
Technical Description
XPath is a language for querying content in XML documents. The vulnerability lies in the module that processes this query language: libxml2 does not correctly handle a malformed XPath expression, which causes a crash.
To exploit this vulnerability, an attacker may send the user a link containing a malicious XPath expression. When the user opens this link, the malicious code is executed, attacking the user’s system.
Solution
The Google team has issued a patch for this vulnerability in libxml2-2.7.8. Google has also updated Chrome 7.0.517.44 to the latest libxml2. Apple Safari and some other popular software vendors that use libxml2 are in the process of updating but have not issued an official patch yet.
Rating this vulnerability as high severity, Bkis recommends that users, particularly browser users, update to the latest version of their software. Since Apple has not issued an official patch for Safari yet, users should keep track of the vendor’s information and update their software as soon as the patch is released.
In addition, teams that use libxml2 in their software should also update to the latest version of libxml2 immediately.
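The affected-version table in this advisory mixes two kinds of bound: libxml2 and Chrome have a fixed release, so the test is a strict “less than”, while Safari’s “<=” only records the versions confirmed affected at publication, since no Apple patch existed. The following is an added example for this page, not Bkis tooling: an inventory check that encodes exactly those bounds from the table above and compares dotted version strings component by component. The inventory it runs on is a constructed sample.

```python
def parse_version(text):
    """'7.0.517.44' -> (7, 0, 517, 44). A component such as '8b' keeps its leading
    digits; parsing stops at the first component that has no digits at all."""
    parts = []
    for component in text.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


# Affected ranges as stated in the advisory's table. The operators differ on
# purpose: libxml2 and Chrome have a fixed version (strict '<'); Safari's '<='
# is the upper bound confirmed at publication, so a later Safari build is not
# automatically safe until Apple ships its patch.
AFFECTED = {
    "libxml2": ("<", "2.7.8"),
    "Google Chrome": ("<", "7.0.517.44"),
    "Apple Safari": ("<=", "5.0.2"),
}


def is_affected(product, version):
    """True/False for products the advisory covers, None for anything else."""
    if product not in AFFECTED:
        return None
    op, bound = AFFECTED[product]
    have, limit = parse_version(version), parse_version(bound)
    return have < limit if op == "<" else have <= limit


def check_inventory(inventory):
    """Map {product: installed version} to {product: affected?} for one host."""
    return {product: is_affected(product, version)
            for product, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration, not data from a real host.
    sample = {"libxml2": "2.7.7", "Google Chrome": "7.0.517.44",
              "Apple Safari": "5.0.2", "Firefox": "3.6"}
    for product, affected in check_inventory(sample).items():
        state = {True: "AFFECTED", False: "not affected", None: "not covered"}[affected]
        print(f"{product}: {state}")
```

Tuple comparison gives the usual lexicographic ordering, so a short version such as 2.7 is treated as older than 2.7.8, which is the conservative result for patch decisions.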
Bkis
Nov 05, 2010
On November 3rd, Microsoft issued a warning about a new unpatched vulnerability in all versions of Internet Explorer (IE) that is being exploited to spread viruses.
Because IE does not correctly process certain CSS tags, it can access an object that has already been freed, causing memory corruption (use-after-free). This corrupts the program’s instruction pointer (EIP), causing a crash and even allowing remote code execution.
Exploit demonstration on XP SP3

Exploit code demo

Call 0x0D7DC9C9 ?
According to the above figure, the program calls 0x0d7dc9c9. This is a heap address, and normally the program would crash because it has not initialised this memory. However, the attacker uses the heap spray technique to fill a large heap region (including the above address) with prepared data, which allows arbitrary code execution.
This attack vector is blocked by Data Execution Prevention (DEP), which is turned on by default in IE 8 on all OS versions from Windows XP SP3 onwards.
Microsoft is currently monitoring the threat to decide whether or not to issue an out-of-band patch. It’s likely that this vulnerability will be fixed in the monthly security bulletin.
Until Microsoft issues the patch, users are advised to be careful not to click links from unknown sources.
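The tell-tale sign in the figure is that the faulting call targets an address in the heap rather than in any loaded module, and DEP matters precisely because it makes such a non-image target non-executable. The following is an added example for this page, not Bkav’s tooling: a small crash-triage helper that classifies a call target against a process module map and reports whether DEP would have stopped execution there. The module map, stack range and base addresses are constructed placeholders; only the call target 0x0D7DC9C9 comes from the post.

```python
from collections import namedtuple

Module = namedtuple("Module", "name base size")

# Constructed module map for a 32-bit browser process. The module names are
# real IE components, but the base addresses and sizes are illustrative
# placeholders, not values from the post's crash.
SAMPLE_MODULES = [
    Module("iexplore.exe", 0x00400000, 0x00080000),
    Module("mshtml.dll", 0x3E1D0000, 0x00600000),
    Module("ntdll.dll", 0x7C900000, 0x000B0000),
]

# Thread stack range for the same constructed process (placeholder).
SAMPLE_STACK = (0x00120000, 0x00220000)

# The call target shown in the post's figure.
POST_CALL_TARGET = 0x0D7DC9C9


def module_for(addr, modules):
    """Return the module whose mapped range contains addr, or None."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def classify_call_target(addr, modules, stack):
    """Classify where a faulting indirect call is about to transfer control.

    ('image', name) : inside a loaded module, i.e. ordinary code
    ('stack', None) : inside the thread stack
    ('heap', None)  : neither; for a virtual call this means the object was
                      freed and its memory reused, the use-after-free symptom
                      the post describes
    """
    m = module_for(addr, modules)
    if m is not None:
        return ("image", m.name)
    if stack[0] <= addr < stack[1]:
        return ("stack", None)
    return ("heap", None)


def triage(addr, modules, stack, dep_enabled):
    """Summarise a crash: where the call lands and whether DEP stops the
    attacker's next step (running sprayed data) at that address."""
    region, name = classify_call_target(addr, modules, stack)
    return {
        "target": f"0x{addr:08x}",
        "region": region,
        "module": name,
        # A control transfer outside every module is not how normal code behaves.
        "likely_exploit_attempt": region != "image",
        # DEP marks heap and stack pages non-executable, so sprayed data cannot run.
        "blocked_by_dep": region != "image" and dep_enabled,
    }


if __name__ == "__main__":
    print(triage(POST_CALL_TARGET, SAMPLE_MODULES, SAMPLE_STACK, dep_enabled=True))
```

In a real investigation the module list and stack range come from the crash dump (for example a debugger’s module listing), and an “image” result with a plausible return address is the ordinary crash; a “heap” result like the one in the post is what should escalate the case from bug to active exploitation.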
Le Manh Tung
Senior Security Researcher