Win32/Conficker.A is a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files. Please note that this is a preliminary analysis.
Kaspersky detection: Trojan-Downloader.Win32.Agent.aqfw
Good references and reading on the recent OS X trojans:
CA Blog: New Trojans Strike OS X
ArborNetworks: New OS X Malcode: Not Just a DNSChanger
There are slight changes to the DMG (as shown graphically below), depending on the remote IP address it tries to access.
The preinstall/preupgrade script now looks like this:
The previous variants contained code or a sequence of strings as follows:
Before, the installer name was “MacVideo” or “Porn4Mac”; today it is “MacAccess”.
Most of the known IPs and nodes for this threat are currently active and serving this variant.
Stay safe and report dodgy websites!
Working on Mac OS X is now my pastime, so I noticed that there’s a new DNSChanger variant.
For the past few days, I’ve been receiving this malicious spam email. Unfortunately, my ISP wasn’t able to block it as it continues to proliferate – specifically in Australia?!? Tracing the source of the spam … perhaps another infected machine.
When you think it’s safe and execute it, it creates several HTTP connections in the background, which include its spamming activity and the installation of further malware.
There’s a constant or recurring wave of attacks on PDF (others say trojanized PDFs), specifically exploiting the “Collab.collectEmailInfo()” function and misusing the “mailto” URI [further reading]. Although Adobe has already released a patch and security researchers have raised awareness, it seems there’s much higher value in continuing to serve these threats.
I immediately took a look at the PoC and verified how this BoF (buffer overflow) works, ‘coz I’m thinking this is something to watch for … possibly one of these days we’ll see another exploited PDF in the wild.
Today it’s confirmed … I just verified an exploited PDF attacking this latest vulnerability and carrying a malicious payload.
Make sure to apply proper security measures to avoid infection. [Refer to the Adobe Security Update]
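A static triage scanner for the PDF abuse described above, added here as an example and not code from the original post or from Adobe: it inflates FlateDecode streams, undoes #xx name escapes, and looks for Collab.collectEmailInfo, mailto: URIs, JavaScript actions and %u-encoded unescape() heap-spray strings. The sample PDF, the indicator names and the regular expressions are my own constructions, and the scanner goes slightly beyond the post in also catching escaped /JS names.

```python
"""Static triage of a PDF for Collab.collectEmailInfo() / mailto: abuse.

Added example, not code from the original post.  The sample PDF built by
build_sample_pdf() is constructed demo data (no xref table, which the scanner
does not need), not a real malicious file.
"""
import re
import zlib

# Indicator names and patterns are assumptions for this example, not from the post.
INDICATORS = {
    "collectEmailInfo": re.compile(rb"Collab\s*\.\s*collectEmailInfo", re.I),
    "mailto_uri": re.compile(rb"mailto:", re.I),
    "javascript_action": re.compile(rb"/(?:JS|JavaScript)\b"),
    "unescape_heap_spray": re.compile(rb"unescape\s*\(\s*['\"]%u", re.I),
}
OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\nendstream", re.S)


def decode_names(data):
    """Undo PDF name escapes such as /J#53 -> /JS, a common way to hide /JS from naive scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(pdf):
    """Yield each stream body, inflated when its dictionary declares /FlateDecode."""
    for obj in OBJ_RE.findall(pdf):
        for dict_, body in STREAM_RE.findall(obj):
            if b"/FlateDecode" in decode_names(dict_):
                try:
                    body = zlib.decompress(body)
                except zlib.error:
                    pass  # damaged or truncated stream: fall back to scanning the raw bytes
            yield body


def scan_pdf(pdf):
    """Return the sorted indicator names found in the raw file or in any inflated stream."""
    views = [pdf] + list(stream_bodies(pdf))
    found = {name for view in views
             for name, rx in INDICATORS.items() if rx.search(decode_names(view))}
    return sorted(found)


def build_sample_pdf(js, uri="mailto:victim@example.com?subject=hi"):
    """Constructed minimal PDF: OpenAction runs `js` from a FlateDecode stream; one link carries `uri`."""
    js_stream = zlib.compress(js.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>",
        b"<< /S /JavaScript /JS 6 0 R >>",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri.encode() + b") >> >>",
        b"<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(js_stream) + js_stream + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf("var s = unescape('%u9090%u9090'); Collab.collectEmailInfo({msg: s});")
    print(scan_pdf(sample))  # ['collectEmailInfo', 'javascript_action', 'mailto_uri', 'unescape_heap_spray']
```

The raw-file view catches indicators in uncompressed dictionaries (the /URI and the action), the inflated view catches the script body; a file that only trips javascript_action is worth a manual look rather than an alert, since benign forms use JavaScript too.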
I was reading TheAge.com security article today titled “Russian scammers cash in on pop-up menace” and it started with this phrase…
“Cyber criminals are earning up to $US150,000 a week selling fake anti-virus software to naive internet users.. ”
Obviously, we have all encountered these fake alerts (they were just SWFs) saying that you are infected, but really, it’s just for show. Behind this deceiving and tricky sales approach, these rogues are earning good enough money ..
“For instance, if a hacker controls a botnet of 20,000 computers, they could earn up to $US225,000 just by tricking 5000 victims into buying the fake anti-virus software for $US49.95 each.”
Recently, Bakasoftware’s database was obtained by a hacker known as NeoN, and the earnings details of the top 10 affiliates were published on various online hacking forums. The data revealed that the most successful affiliate earned $US158,000 in a week and that even small-time hackers could earn hundreds of thousands of dollars a year.
A few days ago, I had too many questions: I was wondering if MS08-067 was just for show, or should I say an isolated attack, or maybe real blackhat VXers were working on a bigger one. Today I have answers, and unfortunately this wormable vulnerability seems to be going in the wild.
As seen today, a file “67.exe” contains malcode exploiting MS08-067, a vulnerability in the handling of the RPC request “NetPathCanonicalize()” found in netapi32.dll.
The code snippet shows that it is capable of connecting and binding to a remote pipe, after which it sends its payload: another file named “6767.exe”, a Chinese malware named “KernelBot” known as a DDoS bot.
This bot then downloads its C&C (command and control) configuration file “cmd.txt” from a remote server, which defines its DDoS attack.
The configuration file “cmd.txt” also includes URLs from which it can download further files: “webcc.exe”, “Loader.exe”, and “67.exe”.
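For the bind-to-pipe-then-send-request sequence described above (and the Conficker/MS08-067 note at the top of the page), here is a wire-level heuristic detector, added as an example and not code from the original post or from the malware. Since the post does not state them, it assumes that the targeted interface is srvsvc (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188), that NetprPathCanonicalize is opnum 31 on that interface, and that a \..\..\ traversal in the path argument is the trigger pattern; the DCERPC PDUs are constructed inline rather than read from the network.

```python
"""Heuristic detector for MS08-067-style NetprPathCanonicalize requests.

Added example, not code from the original post.  It models the bind-then-request
sequence as connection-oriented DCERPC PDUs (as carried over an SMB named pipe)
and flags the combination a sensor rule would look for.  The interface UUID,
opnum and trigger pattern below are assumptions not stated on the page.
"""
import struct
import uuid

SRVSVC = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # assumption: srvsvc interface
NETPR_PATH_CANONICALIZE = 31                                # assumption: opnum on srvsvc
TRAVERSAL = "\\..\\..\\".encode("utf-16-le")                # assumption: trigger pattern (WCHAR path)
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")   # standard NDR transfer syntax
PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_OBJECT_UUID = 0x80


def parse_header(pdu):
    """Parse the 16-byte DCERPC common header; return (ptype, flags, frag_len, call_id)."""
    if len(pdu) < 16:
        raise ValueError("short PDU")
    ver, _minor, ptype, flags, drep, frag_len, _auth_len, call_id = struct.unpack("<BBBB4sHHI", pdu[:16])
    if ver != 5 or not (drep[0] & 0x10):
        raise ValueError("only DCERPC v5 with little-endian NDR is handled")
    if frag_len > len(pdu):
        raise ValueError("truncated fragment")
    return ptype, flags, frag_len, call_id


def bind_contexts(pdu):
    """Map presentation context id -> abstract interface UUID from a bind PDU."""
    off = 16
    _max_xmit, _max_recv, _assoc, n_ctx = struct.unpack_from("<HHIB", pdu, off)
    off += 12                                   # 9 bytes of fields + 3 bytes padding
    ctxs = {}
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
        off += 4                                # ctx_id(2) n_transfer_syntaxes(1) pad(1)
        ctxs[ctx_id] = uuid.UUID(bytes_le=pdu[off:off + 16])
        off += 20 + 20 * n_ts                   # abstract syntax (uuid+version) + transfer syntaxes
    return ctxs


class PipeSession:
    """Tracks one pipe connection so a request's ctx_id can be resolved to an interface."""

    def __init__(self):
        self.ctx = {}

    def feed(self, pdu):
        """Consume one PDU; return an alert string for a suspicious request, else None."""
        ptype, flags, frag_len, call_id = parse_header(pdu)
        pdu = pdu[:frag_len]
        if ptype == PTYPE_BIND:
            self.ctx.update(bind_contexts(pdu))
            return None
        if ptype != PTYPE_REQUEST:
            return None
        _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
        stub_off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)   # optional object UUID precedes the stub
        stub = pdu[stub_off:]
        if self.ctx.get(ctx_id) == SRVSVC and opnum == NETPR_PATH_CANONICALIZE and TRAVERSAL in stub:
            return f"call_id={call_id}: srvsvc opnum {opnum} with path traversal in stub (MS08-067 pattern)"
        return None


# --- constructed PDUs for the demo (not captured traffic) ---------------------

def make_pdu(ptype, call_id, body):
    """Wrap `body` in a DCERPC v5 header: first+last fragment, little-endian data representation."""
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body


def build_bind(ctx_id, iface):
    """Bind PDU presenting one context: `iface` v3.0 over NDR32 v2."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1)
    body += struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", 3)
    body += NDR32.bytes_le + struct.pack("<I", 2)
    return make_pdu(PTYPE_BIND, 1, body)


def build_request(ctx_id, opnum, path):
    """Request PDU whose stub carries `path` as an NDR conformant/varying WCHAR string (simplified)."""
    wpath = (path + "\0").encode("utf-16-le")
    n = len(wpath) // 2
    stub = struct.pack("<III", n, 0, n) + wpath
    return make_pdu(PTYPE_REQUEST, 2, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub)


if __name__ == "__main__":
    session = PipeSession()
    for pdu in (build_bind(0, SRVSVC),
                build_request(0, NETPR_PATH_CANONICALIZE, "\\..\\..\\" + "A" * 40),
                build_request(0, NETPR_PATH_CANONICALIZE, "\\server\\share\\file.txt")):
        print(session.feed(pdu))
```

Resolving the context id through the bind is what keeps the rule from firing on opnum 31 of some unrelated interface, and requiring the traversal bytes in the stub keeps ordinary NetprPathCanonicalize calls from alerting; a sensor that only sees the request fragment (no bind) cannot make the first distinction, which is the usual cause of false positives in single-packet signatures for this bug.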