Archive for November, 2007

Microsoft making IE client-side exploits easier once again

Tuesday, November 27th, 2007

In an interesting move, Microsoft is returning more drive-by exploitation functionality to their Internet Explorer browser:
“Back in April 2006, we made a change to how Internet Explorer handled embedded controls used on some webpages. Some sites required users to “click to activate” before they could interact with the control. Microsoft has now licensed the technologies from Eolas, removing the “click to activate” requirement in Internet Explorer. Because of this, we’re removing the “click to activate” behavior from Internet Explorer!”

Very exciting. This change means that drive-by exploits served by malicious web sites against ActiveX controls will once again run in Internet Explorer without any user interaction. The "click to activate" prompt was a patent workaround (hence the Eolas license) rather than a security control, so the per-control defense that remains is the kill bit: setting the DWORD "Compatibility Flags" to 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops IE from instantiating that control at all, click or no click.
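As an added example (my code, not the post's, Microsoft's or ThreatFire's), here is a small scanner for captured pages that pulls out every ActiveX instantiation, whether via an `<object classid="clsid:...">` tag or a scripted `new ActiveXObject("ProgID")`, and marks the ones on a deny list, which in practice is the set of CLSIDs you have kill-bitted. The sample page, the CLSID and the ProgID in it are constructed placeholders, not the QuickTime control's real identifiers; the registry key it prints is the real location of the kill bit.

```python
"""Flag ActiveX control instantiations in a captured web page.

Added example, not code from the original post or from Microsoft. The
sample page, the deny list and every CLSID/ProgID below are constructed
placeholders; substitute the CLSIDs you have actually kill-bitted.
"""
import re
from dataclasses import dataclass

# <object classid="clsid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" ...>
OBJECT_RE = re.compile(
    r'<object[^>]*\bclassid\s*=\s*["\']?clsid:([0-9a-f-]{36})', re.I)
# new ActiveXObject("Vendor.Control.1")
ACTIVEX_RE = re.compile(
    r'new\s+ActiveXObject\s*\(\s*["\']([\w.]+)["\']', re.I)

# Where IE reads the per-control kill bit (DWORD "Compatibility Flags" = 0x400).
KILL_BIT_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


@dataclass(frozen=True)
class Finding:
    kind: str     # "clsid" (from <object>) or "progid" (from ActiveXObject)
    value: str
    denied: bool  # True when the control is on the caller's deny list


def find_activex(html, denied_clsids=(), denied_progids=()):
    """Return every control instantiation in the page, in document order."""
    denied_clsids = {c.upper() for c in denied_clsids}
    denied_progids = set(denied_progids)
    hits = []
    for m in OBJECT_RE.finditer(html):
        clsid = m.group(1).upper()
        hits.append((m.start(), Finding("clsid", clsid, clsid in denied_clsids)))
    for m in ACTIVEX_RE.finditer(html):
        progid = m.group(1)
        hits.append((m.start(), Finding("progid", progid, progid in denied_progids)))
    hits.sort(key=lambda pair: pair[0])
    return [finding for _, finding in hits]


def kill_bit_path(clsid):
    """Registry key under which the kill bit for this CLSID would be set."""
    return KILL_BIT_KEY + "\\{" + clsid.upper() + "}"


# Constructed sample: a 1x1 <object> pointed at an rtsp:// source plus a
# scripted instantiation. Placeholder CLSID/ProgID, not a real control.
SAMPLE_PAGE = """
<html><body>
<object classid="clsid:11111111-2222-3333-4444-555555555555" width="1" height="1">
  <param name="src" value="rtsp://example.invalid/movie.mov">
</object>
<script>
  var ctl = new ActiveXObject("Example.Control.1");
</script>
</body></html>
"""

if __name__ == "__main__":
    denied = {"11111111-2222-3333-4444-555555555555"}
    for f in find_activex(SAMPLE_PAGE, denied_clsids=denied):
        flag = "DENIED" if f.denied else "allowed"
        print(f"{f.kind:6} {f.value:40} {flag}")
        if f.kind == "clsid":
            print("  kill bit key:", kill_bit_path(f.value))
```

Run it over saved pages from a proxy log or a honeyclient; a hit on a denied CLSID is a page that would have instantiated a control you have already decided is unsafe, and a hit on an unknown CLSID is a candidate for the deny list.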

The DailyDave mail list (run by Dave Aitel, whose CANVAS product is one of the driving forces in the penetration-testing industry) pointed this out last night, in the context of the recent RTSP QuickTime 0day discussion and how CANVAS attacks the vulnerability:
“Dave:
It’s not hard to make the exploit work against IE 7, but the user will have to click on the ActiveX (or hit the spacebar) to enable it.

Steve Shockley:
Fixed that for you”

ThreatFire blocks buffer overflow exploits like the QuickTime 0day. The same SEH overwrite technique used in Krystian Kloskowski’s recent 0day QuickTime exploit is described in a related writeup.

Bot on the loose — careful with images

Tuesday, November 20th, 2007

We continue to see lots of triggers from files whose names resemble image files. Be very careful with these sorts of files. Here is an example filename that is causing problems in the wild (ITW, i.e. on users’ systems); note that the “.JPEG” sits in the middle of the name and the real extension is “.COM”, which Windows executes:
PHOTO3.JPEG-WWW.IMGUPLOAD.COM.
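The check a practitioner actually wants here is to stop trusting the name and look at the bytes. The following is an added example (my code, not ThreatFire’s or the post’s) that classifies a file from its name and its first bytes: an MZ header means a PE executable no matter what the file is called, an executable extension hidden behind an image-looking decoy is quarantined outright, and a genuine image extension is only accepted when the magic bytes agree. The sample files are constructed byte strings, not the worm’s real contents.

```python
"""Tell a real image from an executable wearing an image-like name.

Added example, not code from the original post or from ThreatFire. The
sample files below are constructed byte strings, not the worm's real bytes.
"""
import os
import re

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
# Extensions Windows will execute when the file is opened.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Magic bytes at offset 0 for the image formats above.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".bmp": (b"BM",),
}
# An image extension buried in the middle of the name ("PHOTO3.JPEG-WWW...").
DECOY_RE = re.compile(r"\.(jpe?g|gif|png|bmp)(?=[^a-z0-9]|$)", re.I)


def classify(name, head):
    """Return (verdict, reason) for a file name and its first bytes.

    verdict is "quarantine", "suspicious" or "ok". Content wins over name:
    an MZ header is a PE executable no matter what the file is called.
    """
    ext = os.path.splitext(name)[1].lower()
    decoy = any(m.end() != len(name) for m in DECOY_RE.finditer(name))

    if head.startswith(b"MZ"):
        return "quarantine", f"PE executable header, named {name!r}"
    if ext in EXEC_EXTS:
        reason = f"executable extension {ext!r}"
        if decoy:
            reason += " behind image decoy in name"
        return "quarantine", reason
    if ext in IMAGE_EXTS:
        if head.startswith(IMAGE_MAGIC[ext]):
            return "ok", f"{ext} magic matches"
        return "suspicious", f"{ext} name but no {ext} magic"
    if decoy:
        return "suspicious", "image extension used as decoy in name"
    return "ok", "no image claim"


# Constructed samples: (file name, first bytes). None of these are real files.
SAMPLES = [
    ("PHOTO3.JPEG-WWW.IMGUPLOAD.COM", b"MZ\x90\x00\x03\x00\x00\x00"),  # PE behind decoy
    ("PHOTO3.JPEG-WWW.IMGUPLOAD.COM", b"\xe9\x00\x00"),                # raw .COM, no MZ
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),                  # genuine JPEG
    ("holiday.jpg", b"MZ\x90\x00"),                                    # renamed .exe
    ("cat.png", b"GIF89a"),                                            # wrong magic
]


def scan(samples):
    """Classify each (name, head) pair; returns (name, verdict, reason) triples."""
    return [(name, *classify(name, head)) for name, head in samples]


if __name__ == "__main__":
    for name, verdict, reason in scan(SAMPLES):
        print(f"{verdict:10} {name:32} {reason}")
```

Reading only the first 16 bytes is enough for every magic value in the table, so this is cheap to run on every file that lands in a messenger download directory, which is where these “images” turn up.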

It’s nice to see the AV vendors catching up with this worm:

File PUSHBHOST.EXE received on 11.21.2007 03:26:30 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.21.0 2007.11.20 -
AntiVir 7.6.0.34 2007.11.20 TR/Drop.IRC.TKB.15
Authentium 4.93.8 2007.11.21 -
Avast 4.7.1074.0 2007.11.20 Win32:Delf-GNA
AVG 7.5.0.503 2007.11.20 IRC/BackDoor.SdBot3.VOF
BitDefender 7.2 2007.11.21 Trojan.Dropper.IRC.TKB
CAT-QuickHeal 9.00 2007.11.20 Backdoor.SdBot.cib
ClamAV 0.91.2 2007.11.21 -
DrWeb 4.44.0.09170 2007.11.20 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.3.5312 2007.11.20 Win32/Pushbot.AT
Ewido 4.0 2007.11.20 -
FileAdvisor 1 2007.11.21 -
Fortinet 3.14.0.0 2007.11.21 W32/SDBot.CIB!tr.bdr
F-Prot 4.4.2.54 2007.11.21 W32/Sdbot.AEEP
F-Secure 6.70.13030.0 2007.11.21 Backdoor.Win32.SdBot.cib
Ikarus T3.1.1.12 2007.11.21 Backdoor.Win32.Agent.LA
Kaspersky 7.0.0.125 2007.11.21 Backdoor.Win32.SdBot.cib
McAfee 5167 2007.11.20 -
Microsoft 1.3007 2007.11.21 VirTool:Win32/DelfInject.gen!D
NOD32v2 2674 2007.11.21 Win32/IRCBot.AAU
Norman 5.80.02 2007.11.20 W32/Malware.BGLP
Panda 9.0.0.4 2007.11.21 W32/MSNWorm.BB.worm
Prevx1 V2 2007.11.21 MSNLive-Image:Worm-a
Rising 20.19.11.00 2007.11.21 -
Sophos 4.23.0 2007.11.21 -
Sunbelt 2.2.907.0 2007.11.21 -
Symantec 10 2007.11.21 -
TheHacker 6.2.9.135 2007.11.20 Backdoor/SdBot.cib
VBA32 3.12.2.5 2007.11.20 -
VirusBuster 4.3.26:9 2007.11.20 -
Webwasher-Gateway 6.0.1 2007.11.21 Trojan.Drop.IRC.TKB.15
Additional information
File size: 63488 bytes
MD5: 1dc5b5977ea11bc63a57c6c464021f3b
SHA1: fd86ab861f8e40943b4e4615d1fc581ae35c404f

You can always scan your files at our ThreatExpert site before opening them.

By the way, ThreatFire identifies some variants as Worm.MsnBot, and it blocks the outbound internet connection, the file copy, and the remote thread injection performed by this family.

Quarantine what you think are images acting in bizarre ways on your system.

Undetected bot activity

Friday, November 16th, 2007

We’re seeing a pretty dramatic uptick in bot activity today. With all the attention that botnet activity has been getting lately, I thought this stuff was going the way of Ruben Studdard. Anyway, unfortunately, we are also seeing a very low detection rate among the major AV players, with most of the detections from the scanners on VirusTotal coming from generic packer and heuristic signatures rather than a named family:

File V received on 11.16.2007 21:22:05 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 HEUR/Crypted
Authentium 4.93.8 2007.11.16 -
Avast 4.7.1074.0 2007.11.15 Win32:IRCBot-CFX
AVG 7.5.0.503 2007.11.16 Obfustat.VTU
BitDefender 7.2 2007.11.16 Packer.Krunchy.B
CAT-QuickHeal 9.00 2007.11.16 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.16 -
DrWeb 4.44.0.09170 2007.11.16 BackDoor.IRC.Sdbot.2056
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5300 2007.11.16 -
Ewido 4.0 2007.11.16 -
FileAdvisor 1 2007.11.16 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.16 -
Ikarus T3.1.1.12 2007.11.16 Virus.Win32.IRCBot.CFX
Kaspersky 7.0.0.125 2007.11.16 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.16 Backdoor:Win32/Poebot.V
NOD32v2 2664 2007.11.16 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.16 Suspicious file
Prevx1 V2 2007.11.16 -
Rising 20.18.40.00 2007.11.16 Trojan.Win32.Agent.vyl
Sophos 4.23.0 2007.11.16 Mal/EncPk-BP
Sunbelt 2.2.907.0 2007.11.16 -
Symantec 10 2007.11.16 -
TheHacker 6.2.9.132 2007.11.16 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 Packed/FRBR
Webwasher-Gateway 6.0.1 2007.11.16 Heuristic.Crypted

This low detection rate may be due to the use of the kkrunchy packer (note BitDefender’s Packer.Krunchy.B verdict above).
ThreatFire has been identifying it as “Trojan.CnomBot”.
The bots are all reporting back to a server in China. We’ll keep you updated.
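Both VirusTotal tables in this archive (the PUSHBHOST.EXE one above and this one) make the same argument: a raw detection count overstates coverage, because many “detections” are just a packer or heuristic signature. As an added example (my code, not VirusTotal’s or the post’s), here is a parser for that pasted table format that separates named-family verdicts from generic ones. The sample embedded below is a subset of the lines from the second table on this page; the keyword list that decides what counts as “heuristic” is my judgment call, not VirusTotal’s.

```python
"""Parse a pasted VirusTotal result table and split detections into named
signatures vs. generic/packer/heuristic hits.

Added example, not code from the original post or from VirusTotal. The
HEURISTIC_MARKERS list is my own classification, not VirusTotal's.
"""
import re
from dataclasses import dataclass

# "<vendor> <engine version> <signature date YYYY.MM.DD> <result...>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")
# Substrings that mark a generic/packer/heuristic verdict rather than a family name.
HEURISTIC_MARKERS = ("heur", "suspicious", "crypt", "pack", "obfustat", "encpk")


@dataclass(frozen=True)
class Scan:
    vendor: str
    version: str
    updated: str
    result: str  # "-" when the engine reported nothing

    @property
    def detected(self):
        return self.result != "-"

    @property
    def heuristic(self):
        r = self.result.lower()
        return self.detected and any(k in r for k in HEURISTIC_MARKERS)


def parse_vt_report(text):
    """Return one Scan per engine line; header and footer lines are skipped."""
    scans = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            scans.append(Scan(*m.groups()))
    return scans


def summarize(scans):
    """Counts of detected / named / heuristic verdicts plus the engines that missed."""
    detected = [s for s in scans if s.detected]
    heuristic = [s for s in detected if s.heuristic]
    return {
        "total": len(scans),
        "detected": len(detected),
        "named": len(detected) - len(heuristic),
        "heuristic": len(heuristic),
        "missed": [s.vendor for s in scans if not s.detected],
    }


# Subset of the second table on this page (the 11.16.2007 sample), copied as pasted.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 HEUR/Crypted
Avast 4.7.1074.0 2007.11.15 Win32:IRCBot-CFX
BitDefender 7.2 2007.11.16 Packer.Krunchy.B
CAT-QuickHeal 9.00 2007.11.16 (Suspicious) - DNAScan
DrWeb 4.44.0.09170 2007.11.16 BackDoor.IRC.Sdbot.2056
Kaspersky 7.0.0.125 2007.11.16 -
Microsoft 1.3007 2007.11.16 Backdoor:Win32/Poebot.V
Panda 9.0.0.4 2007.11.16 Suspicious file
Sophos 4.23.0 2007.11.16 Mal/EncPk-BP
Symantec 10 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.16 Packed/FRBR
"""

if __name__ == "__main__":
    stats = summarize(parse_vt_report(SAMPLE_REPORT))
    rate = stats["detected"] / stats["total"]
    print(f"{stats['detected']}/{stats['total']} engines flagged it ({rate:.0%}), "
          f"but only {stats['named']} named a family; "
          f"{stats['heuristic']} were packer/heuristic hits")
    print("missed:", ", ".join(stats["missed"]))
```

On the subset above, nine of twelve engines raise something, but only three of those nine name a bot family; the other six are reacting to the packer, which is exactly the point about kkrunchy. The same parser reads the PUSHBHOST.EXE table further up unchanged.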