Warns Microsoft

Jun 26, 2009 14:43 GMT  ·  By

It is nothing short of ironic that game password stealing malware is being associated with an exploit designed to target a vulnerability in DirectX. But Microsoft officially confirmed that malicious code designed to harvest account credentials for online games had been detected bundled with exploits targeting the DirectShow vulnerability impacting Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003.

The flaw is Critical, the company warned in May 2009, when it revealed that users executing malicious QuickTime media files were at risk of remote code execution.

“Users, upon visiting a specially constructed web page that invokes the vulnerable media plug-in, will encounter exploit shellcode, which further execute and download additional malware to the infected machines. Intending to bypass AntiMalware protection, malware binaries are encrypted in the download data stream. New dog, same old tricks. To wrap up the attack scene, under the cover of the new exploits are the old long-lived online-game password stealers: PWS:Win32/Wowsteal.AP (drops PWS:Win32/Wowsteal.AP.dll); TrojanDropper:Win32/Dozmot.C (drops PWS:Win32/Dozmot.C and VirTool:WinNT/Dozmot.A); and TrojanSpy:Win32/Lydra.AE,” revealed Microsoft's Lena Lin, Cristian Craioveanu, Josh Phillips and Patrick Nolan.

As early as May 2009, the software giant indicated that it was aware of limited attacks targeting the DirectX vulnerability. In the latest update on the security flaw, Microsoft explained that the telemetry data showed only a very low number of affected customers.

Exploit:Win32/CVE-2009-1537 is the generic detection that the Redmond-based company associated with malformed media content capable of exploiting the DirectX security vulnerability.

Malicious websites featuring the exploit are being detected as Exploit:JS/Mult.BM or Trojan:HTML/Redirector.I, the company noted. More information on the DirectX vulnerability, including workarounds, is available via the Microsoft Security Advisory (971778).