Archive for November, 2008

Another worm exploiting MS08-067

Win32/Conficker.A is a worm that exploits the MS08-067 vulnerability in order to spread. It may also download and execute various files. Please note that this is a preliminary analysis.


Symantec identified a new worm, “W32.Downadup,” exploiting the MS08-067 vulnerability, successful against unpatched Windows 2000 targets. [Read]


Kaspersky detection: Trojan-Downloader.Win32.Agent.aqfw

About recent OSX Trojan

Good reference and reading for recent OSX trojans: 

CA Blog: New Trojans Strike OS X 

ArborNetworks: New OS X Malcode: Not Just a DNSChanger

There are slight changes to the DMG (as shown graphically below), depending on the remote IP address it is trying to access.


Begin 777 withLove by OSX DNSChanger

What’s new? Here’s a static analysis of this new variant. Notice the header; it seems the compression used was changed.


The preinstall/preupgrade script now looks like this: 


Previous variants contain code or a sequence of strings as follows:


Before, the installer names were “MacVideo” and “Porn4Mac”; today it’s “MacAccess”.

Most of the known IPs and nodes of this threat are currently active, serving this variant.
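The static analysis above turns on what the installer’s preinstall script carries: the post shows a “begin 777 withLove” header, which is the shape of a uuencoded file embedded in a shell script (that reading of the header is my assumption). Below is an added analyst helper, not code from the post or from the malware, that locates such blocks in a script and decodes them so the embedded content can be read without ever running the installer. The sample script and its placeholder payload are constructed here; a truncated or corrupt block yields whatever decoded cleanly rather than failing outright.

```python
import binascii

# Constructed stand-in for an installer preinstall script: a shell stub that carries
# a uuencoded file, echoing the "begin 777 withLove" header seen in the post.
# The embedded payload is a harmless placeholder, not the trojan's real content.
PAYLOAD = b"#!/bin/sh\necho placeholder payload, not the real script\n"


def uuencode(name, data, mode="777"):
    """uuencode `data` in standard 45-byte lines so the sample stays self-consistent."""
    lines = ["begin %s %s" % (mode, name)]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


SAMPLE_SCRIPT = (
    "#!/bin/sh\n"
    "# constructed preinstall stub\n"
    "cd /tmp\n"
    + uuencode("withLove", PAYLOAD)
    + "uudecode withLove\n"
)


def find_uuencoded_blobs(script):
    """Return [(mode, name, decoded_bytes)] for every uuencoded block in the script.
    A truncated block (no 'end' line, or a corrupt line) yields whatever decoded cleanly."""
    blobs = []
    lines = script.splitlines()
    i = 0
    while i < len(lines):
        head = lines[i].split()
        if not (len(head) == 3 and head[0].lower() == "begin" and head[1].isdigit()):
            i += 1
            continue
        mode, name = head[1], head[2]
        data = bytearray()
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            line = lines[i]
            if line and line != "`":          # '`' alone is the zero-length terminator
                try:
                    data += binascii.a2b_uu(line)
                except binascii.Error:
                    break                      # corrupt line: keep what decoded so far
            i += 1
        blobs.append((mode, name, bytes(data)))
        i += 1                                 # step past the 'end' (or corrupt) line
    return blobs


def summarize(blobs):
    """One line per blob: name, mode, size and the first line of decoded content."""
    return ["%s (mode %s, %d bytes): %s" % (name, mode, len(data),
                                            data.split(b"\n", 1)[0].decode("latin-1"))
            for mode, name, data in blobs]


if __name__ == "__main__":
    for line in summarize(find_uuencoded_blobs(SAMPLE_SCRIPT)):
        print(line)
```

Run it against a real preinstall script extracted from a suspicious .pkg (read the file as text and pass it to `find_uuencoded_blobs`) and the decoded bytes can then be inspected with `strings` or a text editor; the mode and file name in the header are often enough on their own to match an installer against the strings known from earlier variants.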

Stay safe and report dodgy websites!

OSX DNSChanger is Back!

Working in Mac OS X is now my pastime, so I noticed that there’s a new DNSChanger variant.

You’ve received A Hallmark E-Card!


For the past few days, I’ve been receiving this malicious spammed email. Unfortunately, my ISP wasn’t able to block it as it continuously proliferates around – specifically Australia?!? Tracing the source of the spam … perhaps another infected machine.


When you think it’s safe and execute it, it will create several HTTP connections in the background, which include its spamming activity and the installation of further malware.


“util.printf()” Another Exploited PDF In-The-Wild?

There is a constant, recurring attack on PDF (others say Trojanized PDF), specifically exploiting the “Collab.collectEmailInfo()” function and misusing the “mailto” URI [further reading]. Although Adobe has already released a patch and security researchers are creating awareness, it seems there’s much higher value in continuing to serve these threats.

This time another strain is joining the group: CoreSecurity disclosed last Nov 4 that PDFs are again vulnerable, due to a JavaScript “util.printf()” buffer overflow. A day after, a PoC (proof-of-concept) was immediately published and became available; there were 2 posts which, looking at the hits, gained immediate attention in the community (for sure, both black and white hats) [Refer milw0rm].

I immediately took a look at the PoC and verified how this BoF (buffer overflow) works, ‘coz I’m thinking this is something to watch for … possibly one of these days we’ll see another exploited PDF in-the-wild.

Today, it’s confirmed … I just verified an exploited PDF attacking this latest vulnerability and carrying a malicious payload.

Make sure to apply proper security measures to avoid infection. [Refer Adobe Security Update]
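Both abused calls named in this post, “Collab.collectEmailInfo()” and “util.printf()”, live in JavaScript embedded in the PDF, so a first-pass triage tool only needs to pull that JavaScript out and look for them. The scanner below is an added example, not code from the post, from Adobe or from CoreSecurity: it walks a PDF’s objects, reads inline /JS literal strings (with nested parentheses and backslash escapes), inflates FlateDecode streams, resolves PDF name escapes such as /J#53 so an obfuscated /JS key is not missed, and reports any region that references the two calls. The extra check for a printf-style field width of four or more digits is my own heuristic and an assumption about what is worth a second look; the sample document and its snippets are constructed and contain no working exploit.

```python
import re
import zlib

# Constructed JavaScript snippets standing in for what an analyst might find inside
# a PDF. None of these is a working exploit; the "suspect" one only carries the
# oversized-format-width shape that the post's util.printf() overflow is about.
PLAIN_JS = b'util.printf("%d apples", 3);'
SUSPECT_JS = b'var s = util.printf("%9999f", 1);'
COLLAB_JS = b'Collab.collectEmailInfo({msg: "test"});'


def stream_object(num, body, flate):
    """Build a minimal 'N 0 obj ... stream ... endstream endobj' block (constructed sample)."""
    data = zlib.compress(body) if flate else body
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), filt)
            + data + b"\nendstream\nendobj\n")


# Constructed sample document: one inline /JS string, one FlateDecode'd JavaScript
# stream, and one object whose /JS key is written with PDF hex escaping (/J#53).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Action /S /JavaScript /JS (" + PLAIN_JS + b") >>\nendobj\n"
    + stream_object(2, SUSPECT_JS, flate=True)
    + b"3 0 obj\n<< /Type /Action /S /JavaScript /J#53 (" + COLLAB_JS + b") >>\nendobj\n"
    + b"%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# The two calls the post names; any occurrence deserves an analyst's eyes.
INDICATORS = {
    b"util.printf": "util.printf() call (the buffer overflow discussed above)",
    b"Collab.collectEmailInfo": "Collab.collectEmailInfo() call",
}
# Assumption-based heuristic (mine, not from the post): an absurdly wide printf field.
WIDTH_RE = re.compile(rb"%\d{4,}")


def unescape_names(text):
    """Resolve PDF name escapes such as /J#53 -> /JS so obfuscated keys are not missed."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), text)


def literal_string_at(data, pos):
    """Return the content of the PDF literal string whose '(' sits at data[pos],
    honouring nested parentheses and backslash escapes (escape pairs are kept verbatim)."""
    depth, i, out = 0, pos, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    return bytes(out)                          # unterminated string: return what we have


def extract_javascript(pdf):
    """Return [(label, script_bytes)] for inline /JS strings and for stream bodies.
    A production scanner would honour /Length rather than regex-scanning for endstream."""
    regions = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        s = STREAM_RE.search(body)
        if s:
            dictionary, data = unescape_names(s.group(1)), s.group(2)
            if b"/FlateDecode" in dictionary:
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    continue                   # corrupt or unsupported stream: skip it
            regions.append(("obj %d stream" % num, data))
            continue
        body = unescape_names(body)
        for js in re.finditer(rb"/JS\s*\(", body):
            regions.append(("obj %d /JS string" % num, literal_string_at(body, js.end() - 1)))
    return regions


def scan_pdf(pdf):
    """Return (region, description) findings; an empty list means nothing was flagged."""
    findings = []
    for label, code in extract_javascript(pdf):
        for needle, description in INDICATORS.items():
            if needle in code:
                findings.append((label, description))
        if WIDTH_RE.search(code):
            findings.append((label, "printf-style field width of 4+ digits (heuristic)"))
    return findings


if __name__ == "__main__":
    for region, description in scan_pdf(SAMPLE_PDF):
        print("%-18s %s" % (region, description))
```

On the constructed sample the plain object is reported only for containing the call, while the inflated stream is reported twice (the call plus the width heuristic); that difference is the point of keeping a low-noise “name present” indicator separate from a heuristic that says the usage itself looks wrong. Feed it a real file with `scan_pdf(open(path, "rb").read())`.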

Rogues Earning $US150,000 a Week

I was reading a security article today titled “Russian scammers cash in on pop-up menace” and it started with this phrase…

“Cyber criminals are earning up to $US150,000 a week selling fake anti-virus software to naive internet users.. ”

Obviously, we have all encountered these fake alerts (those were just SWF) saying that you are infected, but really, it’s just for show. Behind this deceiving and tricky sales approach, these rogues are earning good enough money ..

“For instance, if a hacker controls a botnet of 20,000 computers, they could earn up to $US225,000 just by tricking 5000 victims into buying the fake anti-virus software for $US49.95 each.”

Recently, Bakasoftware’s database was obtained by a hacker known as NeoN and earning details of the top 10 affiliates were published on various online hacking forums. The data revealed the most successful affiliate earned $US158,000 in a week and even small-time hackers could earn hundreds of thousands of dollars a year.