WEEKLY REVIEW

BitDefender weekly review

Sina.Dloader, does it ring any bells? It should, because this week's highlight is something very similar. Baofeng Storm Player, which happens to be one of the more popular Chinese media players, is affected by several buffer overflow vulnerabilities.

Although the fix for these vulnerabilities was released on 14th Nov. 2007, attackers still exploit these flaws to spread malware without the user's consent.

Trojan.Buzus.CV

After execution, the Trojan starts a new process with the same name as its own file. It injects an executable into that process's memory and also drops it to disk as a file called netmon.exe. It creates registry keys to ensure that the dropped executable is started on each boot.

The injected netmon.exe drops a driver into %system%\drivers\sysdrv32.sys and registers it as a service.

In order to spread, it creates copies of itself on every detected removable drive and uses an autorun.inf file to execute them.

To protect itself, it hides from user mode. Because of this, tools running inside the infected system may not list netmon.exe or sysdrv32.sys at all; a negative result from such a scan is not proof of absence, and the disk should be checked from a clean boot environment.
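The removable-drive spreading mechanism relies on Windows honouring the launch keys in autorun.inf. The following Python script, added here as an example and not code from BitDefender or from the Trojan, parses an autorun.inf and reports every entry that would execute a program on insert or double-click. The two sample files, the path RECYCLER\setup.exe and the drive-scanning helper are constructed for illustration and are not taken from the Trojan.Buzus.CV sample.

```python
import os
import re
from typing import Dict, List, Optional

# Constructed sample of a worm-style autorun.inf: every launch key points at an
# executable stored on the removable drive itself. Illustrative text, not a
# file captured from Trojan.Buzus.CV; the path RECYCLER\setup.exe is invented.
WORM_AUTORUN = """[autorun]
open=RECYCLER\\setup.exe
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\Command=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign autorun.inf: only sets the drive icon and label.
BENIGN_AUTORUN = """[autorun]
icon=logo.ico
label=Holiday photos
"""

# Keys Explorer honours to run a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"shell\\[^\\]+\\command")  # shell\<verb>\command


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value entries of the [autorun] section, keys lowercased.

    Comment lines (';') and lines outside the [autorun] section are ignored,
    so an unrelated section later in the file cannot hide a launch key.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(text: str) -> List[str]:
    """List every entry that would execute something, as 'key=value' strings."""
    return [
        f"{key}={value}"
        for key, value in parse_autorun(text).items()
        if key in LAUNCH_KEYS or VERB_COMMAND.fullmatch(key)
    ]


def scan_drive_root(root: str) -> Optional[List[str]]:
    """Read <root>/autorun.inf if present and return its launch commands.

    Returns None when the drive has no autorun.inf at all. A rootkit-protected
    infection may hide the file from user-mode tools, so an empty result from
    inside the infected OS is not proof of absence.
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return launch_commands(fh.read())


if __name__ == "__main__":
    for name, text in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, launch_commands(text))
```

Run scan_drive_root("E:\\") (or the mount point on another platform) against a drive that has been in an infected machine; any non-empty result deserves a look at the referenced file. The check is deliberately independent of the file name the worm uses, since that varies between variants.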


Exploit.Baofeng.A

Baofeng Storm Player is a popular Chinese media player. It comes bundled with an ActiveX control used for media playback on websites. However, certain versions of it are prone to multiple buffer overflow vulnerabilities which allow attackers to execute arbitrary code on the affected system.

The methods “advancedOpen()”, “isDVDPath()” and “rawParse()” and the properties “backImage”, “titleImage” and “URL”, which reside inside “sparser.dll” and “mps.dll”, fail to validate user-supplied input and allow the attacker to gain control over the system within the security context of the running process. All versions below 2.08 are vulnerable.

Currently only the “rawParse()” method has been seen exploited in the wild. Specially crafted websites make use of this method to spread other malware. The exploit downloads executable files from URLs like http://[removed]de.com/bf.css and http://[removed]p.cn:6135/qwer/bf.css, saves them inside the system32 folder under the name “a.exe” and executes them with the privileges of the browser.
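A detail worth catching at a proxy or in a download monitor: the payload is a Windows executable delivered under a stylesheet extension (bf.css). The following Python check, added here as an example and not BitDefender's tooling, inspects a URL and its response body and flags a PE image served under a passive content extension. The header bytes, the stylesheet body and the host example.invalid are constructed stand-ins; the article's real hosts are redacted and are not reproduced here.

```python
import struct
from typing import Optional

# Extensions a browser treats as passive content; a PE image served under one
# of them matches the download pattern described above (bf.css -> a.exe).
PASSIVE_EXTENSIONS = (".css", ".js", ".gif", ".jpg", ".jpeg", ".png",
                      ".txt", ".htm", ".html")

# Constructed minimal PE header: 'MZ' DOS stub, e_lfanew at offset 0x3C
# pointing at a 'PE\0\0' signature at 0x40. Enough for the check; it is not
# a real executable.
FAKE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2)
    + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + b"\x00" * 16
)

# Constructed genuine stylesheet body for comparison.
REAL_CSS = b"body { margin: 0; background: #fff; }"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew reaches a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end yields a short bytes object, so no IndexError here.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def url_extension(url: str) -> str:
    """Lowercased extension of the URL path, '' when the last segment has none."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    return "." + last.rsplit(".", 1)[-1].lower() if "." in last else ""


def flag_masquerade(url: str, body: bytes) -> Optional[str]:
    """Return an alert string when a passive-looking URL delivers a PE image."""
    ext = url_extension(url)
    if ext in PASSIVE_EXTENSIONS and looks_like_pe(body):
        return f"PE image served as {ext} from {url}"
    return None


if __name__ == "__main__":
    # example.invalid stands in for the redacted hosts in the article.
    print(flag_masquerade("http://example.invalid:6135/qwer/bf.css", FAKE_PE))
    print(flag_masquerade("http://example.invalid/site.css", REAL_CSS))
```

The check keys on the body, not on the Content-Type header, because the server in this campaign is attacker-controlled and can send whatever header it likes. It will not catch a payload that is packed or encoded before transfer; for that, the drop of a.exe into system32 by a browser process is the better host-side indicator.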

BitDefender recommends an immediate upgrade to the latest version of the player, since that version has fixed these vulnerabilities.


Information in this article is available courtesy of BitDefender virus researchers: Marius Barat and Balazs Biro