Archive
Another worm exploiting MS08-067
Win32/Conficker.A is a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files. Please note that this is a preliminary analysis.
ooOOoo
Symantec identified a new worm, “W32.Downadup,” exploiting the MS08-067 vulnerability, successful against unpatched Windows 2000 targets. [Read SecureComputing.net]
ooOOoo
Kaspersky detection: Trojan-Downloader.Win32.Agent.aqfw
About recent OSX Trojan
Good references and reading on the recent OSX trojans:
CA Blog: New Trojans Strike OS X
ArborNetworks: New OS X Malcode: Not Just a DNSChanger
There are slight changes in the DMG (shown graphically below), depending on the remote IP address it tries to access.
Begin 777 withLove by OSX DNSChanger
What’s new? Here’s a static analysis of this new variant. Notice the header: it seems the compression used was changed.
The preinstall/preupgrade script now looks like this:
Previous variants contained code or string sequences such as the following:
Before, the installer names were “MacVideo” and “Porn4Mac”; today it is “MacAccess”.
Most of the known IPs and nodes of this threat are currently active and serving this variant.
Stay safe and report dodgy websites!
OSX DNSChanger is Back!
Working in Mac OS X is now my pastime, so I noticed that there’s a new DNSChanger variant.
You’ve received A Hallmark E-Card!
For the past few days, I’ve been receiving this malicious spammed email. Unfortunately, my ISP wasn’t able to block it as it continuously proliferates around – specifically Australia?!? Tracing the source of the spam … Perhaps another infected machine.
When you think it’s safe and execute it, it creates several HTTP connections in the background, which include its spamming activity and the installation of further malware.
“util.printf()” Another Exploited PDF In-The-Wild?
There is a constant, recurring attack on PDF (others call it Trojanized PDF), specifically exploiting the “Collab.collectEmailInfo()” function and misusing the “mailto” URI [further reading]. Although Adobe has already released a patch and security researchers have raised awareness, it seems there is much higher value in continuing to serve these threats.
This time another strain joins the group: CoreSecurity disclosed on Nov 4 that PDFs are again vulnerable, due to the JavaScript “util.printf()” buffer overflow. A day later a PoC (proof-of-concept) was published and became available; there were 2 posts which, judging by the hits, gained immediate attention in the community (for sure, both black and white hats) [Refer milw0rm].
I immediately took a look at the PoC and verified how this BoF (buffer overflow) works, ’coz I’m thinking this is something to watch for … possibly one of these days we’ll see another exploited PDF in-the-wild.
Today it’s confirmed … I just verified an exploited PDF attacking this latest vulnerability and carrying a malicious payload.
Make sure to apply proper security measures to avoid infection. [Refer Adobe Security Update]
Rogues Earning $US150,000 a Week
I was reading TheAge.com security article today titled “Russian scammers cash in on pop-up menace” and it started with this phrase…
“Cyber criminals are earning up to $US150,000 a week selling fake anti-virus software to naive internet users.. ”
Obviously, we have all encountered these fake alerts (they were just SWF files) saying that you are infected, but really it’s just for show. Behind this deceiving and tricky sales approach, these rogues are earning good enough money ..
“For instance, if a hacker controls a botnet of 20,000 computers, they could earn up to $US225,000 just by tricking 5000 victims into buying the fake anti-virus software for $US49.95 each.”
Recently, Bakasoftware’s database was obtained by a hacker known as NeoN, and earnings details of the top 10 affiliates were published on various online hacking forums. The data revealed that the most successful affiliate earned $US158,000 in a week, and even small-time hackers could earn hundreds of thousands of dollars a year.
More Threats Exploiting MS08-067
A few days ago I had too many questions; I was wondering if MS08-067 was just for show, or should I say an isolated attack, or maybe real blackhat VXers working on a bigger one. Today I have answers, and unfortunately this wormable vulnerability seems to be going in-the-wild.
As seen today, a file “67.exe” contains malcode exploiting MS08-067, which is a vulnerability in the RPC request function “NetPathCanonicalize()” found in netapi32.dll.
The code snippet shows that it is capable of connecting and binding to a remote pipe, after which it sends its payload, another file named “6767.exe” – a Chinese malware named “KernelBot”, known as a DDoS bot.
From the “6767.exe” code, it is obvious that it is targeting several security sites by modifying the local hosts file.
This bot then downloads its C&C (command and control) configuration file “cmd.txt” from a remote server, which defines its DDoS attack.
[DDOS_ScriptFlood]
IsScriptFlood=0
CmdID=46
ScriptFloodUrl=http://zhang_231.blog.163.com
ScriptFloodDNS=blog.163.com
ScriptFloodPort=80
IsGetUrlFile=1
ThreadLoopTime=10000
ThreadCount=1
IsTimer=1
Timer=15
[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=9
UdpFloodDNS=222.130.21.3
ThreadCount=6
IsTimer=1
Timer=4
[DDOS_SynFlood]
IsSynFlood=0
CmdID=1
SynFloodDNS=www.bc248.com
SynFloodPort=80
ThreadCount=1
IsTimer=1
Timer=10
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=26
TcpFloodDNS=
TcpFloodPort=80
IsSendPacket=0
ThreadCount=1
IsTimer=1
Timer=6
The configuration file “cmd.txt” also includes URLs from which it can download further files: “webcc.exe”, “Loader.exe”, and “67.exe”.
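As an added example (not code from the original post or from the bot), here is a small parser for the INI-style cmd.txt tasking shown above, of the kind an analyst would use to pull targets out of a captured config for blocking or victim notification. It embeds two of the four sections quoted above as constructed test input; the Is<kind>/<kind>DNS/<kind>Port key naming is taken directly from that excerpt.

```python
"""Parse the DDoS tasking of a KernelBot-style cmd.txt into indicators (added example)."""
import configparser

# Two of the four sections quoted in the post, embedded as constructed test input.
SAMPLE_CMD_TXT = """\
[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=9
UdpFloodDNS=222.130.21.3
ThreadCount=6
IsTimer=1
Timer=4
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=26
TcpFloodDNS=
TcpFloodPort=80
IsSendPacket=0
ThreadCount=1
IsTimer=1
Timer=6
"""

def parse_cmd_txt(text: str) -> list[dict]:
    """Each [DDOS_<kind>] section becomes one task dict, following the Is<kind>/<kind>DNS key naming."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case so "CmdID" and "IsTimer" match exactly
    cp.read_string(text)
    tasks = []
    for section in cp.sections():
        if not section.startswith("DDOS_"):
            continue
        kind, s = section[len("DDOS_"):], cp[section]
        port, timer = s.get(f"{kind}Port"), s.get("Timer")
        tasks.append({
            "kind": kind,
            "enabled": s.get(f"Is{kind}") == "1",          # 0 = flood defined but idle
            "cmd_id": int(s.get("CmdID", "0")),
            "target": s.get(f"{kind}DNS", "").strip(),      # host/IP, empty if unset
            "port": int(port) if port else None,             # UdpFlood carries no port key
            "threads": int(s.get("ThreadCount", "1")),
            "timer": int(timer) if s.get("IsTimer") == "1" and timer else None,
        })
    return tasks

def target_indicators(tasks: list[dict]) -> list[str]:
    """Distinct non-empty targets, for blocking rules or victim notification."""
    return sorted({t["target"] for t in tasks if t["target"]})
```

Note that every flood in the captured config has its Is*Flood flag at 0, so the sample documents targets the operator had staged but not yet activated; a re-fetched cmd.txt should be diffed against this one.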