Archive for February, 2009
Tuesday, February 17th, 2009
The IE7 vulnerability recently patched by Microsoft in MS09-002 is being exploited in the wild. The ThreatFire community is not seeing much of the attack yet, but ThreatFire prevents exploitation of the memory corruption flaw (CVE-2009-0075) in Internet Explorer 7’s loaded mshtml.dll module just the same. We expect to see much more of this exploit code in the near future.
Security researcher Paul Ferguson speculated that the original targeted attack, in which a Word document was sent to a select group of individuals, was similar to previous attacks targeting pro-Tibetan groups: “Although Ferguson does not know who wrote the attack code, he said that it looks similar to software that was sent to pro-Tibetan groups about a year ago, apparently for the purpose of intelligence gathering…Whether this will lead to more widespread Internet Explorer attacks is unclear, Ferguson said.”
The exploit code itself is beginning to spread and has shown up on additional servers in the Pacific Rim. While the original attack may have been very targeted, the exploit code looks the same wherever it appears: even variable and function names are unchanged across the exploit pages we’ve seen. The shellcode and the delivered malware executables, by contrast, differ altogether from server to server. In one case the writers jumped through hoops to produce a stable download-and-execute shellcode; in another they added some unusual loops to download “menu.dat” to the user’s temp directory and execute it as “U.exe”. The original executable was not packed and dropped a DLL that phoned data over an encrypted session to a server hosted in China. The second, U.exe, is a downloader packed with a fairly common compressor known as nPack. So it appears that different groups are already using the exploit, which leads us to believe that this reliable and effective exploit code will continue to spread in the wild.
Be sure to update your Windows system if you have not done so already.
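As an added example (not code from the original post, and not anything taken from the exploit pages described above), here is a small Python script that turns the observation about reused names into a triage check: it strips string literals and comments from exploit landing pages, compares the remaining JavaScript identifiers across pages with Jaccard similarity, and separately pulls out the %u-escaped literals where unescape()-ed shellcode normally lives. The three sample pages are constructed stand-ins with no exploit logic, and the noise list and scoring are our own assumptions.

```python
"""Cluster exploit landing pages by shared identifier names.

Added example, not code from the original blog post. The post observes that
pages carrying the MS09-002 exploit kept the same variable and function names
while the shellcode literals and dropped executables changed from server to
server. This script turns that observation into a triage signal: strip string
literals (where %u-escaped shellcode lives) and comments, collect the remaining
JavaScript identifiers, and compare pages by Jaccard similarity of those sets.
The three sample pages are constructed stand-ins with no exploit logic.
"""
import itertools
import re

# Keywords and globals that appear in almost any script and carry no fingerprint value.
_NOISE = {
    "var", "function", "for", "if", "else", "while", "do", "return", "new", "this",
    "true", "false", "null", "undefined", "typeof", "in", "break", "continue",
    "switch", "case", "try", "catch", "finally", "throw", "void", "delete",
    "instanceof", "document", "window", "navigator", "location", "unescape",
    "escape", "Array", "String", "Math", "eval", "setTimeout",
}

# One pass over strings and comments so a quote inside a comment (or a // inside
# a URL string) does not confuse the other rule.
_LITERAL_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|//[^\n]*|/\*.*?\*/', re.S)
# Identifiers not preceded by '.', so DOM property names (innerHTML, style) are skipped.
_IDENT_RE = re.compile(r'(?<![.\w$])[A-Za-z_$][\w$]*')
# Runs of %uXXXX escapes: the usual shape of unescape()-ed shellcode.
_SHELLCODE_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){2,}')


def strip_literals(js):
    """Replace string literals with "" and drop comments, keeping code structure."""
    return _LITERAL_RE.sub(lambda m: '""' if m.group(0)[0] in "\"'" else " ", js)


def identifiers(js):
    """Return the set of fingerprint-worthy identifiers in a script."""
    names = set(_IDENT_RE.findall(strip_literals(js)))
    return {n for n in names if n not in _NOISE and len(n) > 1}


def shellcode_literals(js):
    """Return %u-escaped runs found in the script, in order of appearance."""
    return _SHELLCODE_RE.findall(js)


def jaccard(a, b):
    """Similarity of two sets; 1.0 means identical identifier vocabularies."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_pages(pages):
    """Pairwise identifier similarity for a {name: script} mapping."""
    fps = {name: identifiers(js) for name, js in pages.items()}
    return {(x, y): round(jaccard(fps[x], fps[y]), 3)
            for x, y in itertools.combinations(sorted(pages), 2)}


# Constructed samples. A and B share every name and differ only in their
# literals, mimicking the reuse the post describes; C is an unrelated script.
PAGE_A = """
var payload = unescape("%u4141%u4141%u4242%u4242");
var filler = unescape("%u0c0c%u0c0c");
var blocks = new Array();
function prepare(count) { for (var i = 0; i < count; i++) { blocks[i] = filler + payload; } }
function trigger() { document.getElementById("target").innerHTML = ""; }
prepare(16); trigger();
"""
PAGE_B = (PAGE_A.replace("%u4141%u4141%u4242%u4242", "%u9090%u9090%uc3c3%uc3c3")
                .replace("%u0c0c%u0c0c", "%u0d0d%u0d0d")
          + "// served from a second host\n")
PAGE_C = """
function showMenu(id) { var menu = document.getElementById(id); menu.style.display = "block"; }
function hideMenu(id) { var menu = document.getElementById(id); menu.style.display = "none"; }
showMenu("nav");
"""
SAMPLES = {"A": PAGE_A, "B": PAGE_B, "C": PAGE_C}

if __name__ == "__main__":
    for pair, score in compare_pages(SAMPLES).items():
        print(pair, score)
    print("A shellcode:", shellcode_literals(PAGE_A))
    print("B shellcode:", shellcode_literals(PAGE_B))
```

Pages A and B score 1.0 against each other while their shellcode literals differ, which is the pattern described above; the unrelated page C scores 0.0 against both. Identifier overlap is a coarse signal (a kit author who renames everything defeats it), so treat a high score as a reason to diff the pages, not as proof of a shared source.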
Posted in Exploit, Spyware, Trojan | No Comments »
Friday, February 13th, 2009
The Zeustracker site provides up-to-date information on the overall Zbot threat. It’s very well put together and a great source of information. The spyware is especially concerning, not because of sophisticated delivery techniques (the kit includes commodity exploits), but because of how effective the payload’s functionality is: “The trojan tries to steal credentials for online services (like ebanking accounts, facebook and other online services).” Unfortunately, we’ve seen hosted Zeus services that can be leased out, and for a while their revenues must have disappointed their owners. But with C&C servers distributed all over the world, we can surmise that the operations are sustaining themselves.
We’ve also seen the Zeus kit used to harvest banking information from users all over the globe, and the tracker site mirrors much of the activity prevented in the ThreatFire community. The C&C servers are distributed worldwide, and activity has been fairly high over the past six months.
Click on the Zbot label below for earlier posts and links to Dancho Danchev’s posts on Zeus.
Posted in Crimeware, Password stealing, ZBot | No Comments »
Friday, February 13th, 2009

With Valentine’s Day approaching, the Waledac group continues to spam out links to a new set of sites with some new themes and filenames to watch for, like “reader.exe” and “run.exe”. The pages do not yet seem to carry redirects to pages hosting exploits. Instead, the text directs the user to “Click here to view your card.” Do not download and run these executables. Instead, click on this post’s Waledac blog label below for previous posts about the ongoing threat.

And another…

Messages related to the image above include subjects like “A Valentine E-Card from ” and text like: “… has sent you a Valentine’s Day greeting card and wrote this to you: “Heaven is not heaven without U” Just click on the following link to see your E-card: hxxp://yolk .fun loveonline .com/?cardnum= For your convenience, the greeting card will be available for the next 30 days.” Do not click on the link or download the malware at that link.
Messages wishing you a “Happy Valentines Day!” contain text like:
“Flora just mailed an electronic Valentine greeting card and wrote this to you: “love u so much dear..”
To view this page please click here: hxxp:// ii. cherishpoems.com/?code=rand_num You can see your card at any time within 30 days.”
Leading to teddy bear malware:

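As an added example, not something from the original post or from the Waledac kit, the following Python check scores a mail message against the lure traits quoted above: e-card and greeting card phrasing, a “click here” call to action, the “30 days” expiry line, links whose query parameter is cardnum or code, and links that end in an executable such as reader.exe or run.exe. The indicator list is assembled from the quoted messages; the scoring threshold and the three sample messages (with example.test hosts) are constructed for the example.

```python
"""Score mail messages against the Valentine e-card lure traits quoted in the post.

Added example, not code from the original post or from the Waledac kit. The
indicator list is assembled from the quoted messages: e-card and greeting card
phrasing, a "click here" call to action, the "30 days" expiry line, links whose
query parameter is cardnum or code, and links that end in an executable such as
reader.exe or run.exe. The threshold and the sample messages (with example.test
hosts) are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Phrases taken from the quoted lures, chosen so no phrase contains another.
PHRASES = (
    "e-card",
    "greeting card",
    "sent you a valentine",
    "click on the following link",
    "please click here",
    "click here to view your card",
    "30 days",
)
CARD_PARAMS = {"cardnum", "code"}           # query parameters seen in the lure links
EXE_NAMES = {"reader.exe", "run.exe"}       # filenames the post tells readers to watch for
# Matches live URLs and the hxxp:// defanged form used in the post.
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s\"<>]+", re.I)


def extract_urls(text):
    """Return URLs in the text with trailing punctuation trimmed."""
    return [u.rstrip(".,;)\"'") for u in URL_RE.findall(text)]


def url_indicators(url):
    """Indicators for a single link: card-style query parameters and .exe paths."""
    parts = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I))
    params = set(parse_qs(parts.query, keep_blank_values=True)) & CARD_PARAMS
    hits = []
    if params:
        hits.append("card-param:" + ",".join(sorted(params)))
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name.endswith(".exe"):
        hits.append(("known-exe:" if name in EXE_NAMES else "exe:") + name)
    return hits


def indicators(subject, body):
    """All lure indicators found in a message: phrases first, then link traits."""
    text = (subject + "\n" + body).lower()
    hits = ["phrase:" + p for p in PHRASES if p in text]
    for url in extract_urls(body):
        hits.extend(url_indicators(url))
    return hits


def is_ecard_lure(subject, body, threshold=2):
    """Assumed rule: two or more indicators flag the message for review."""
    return len(indicators(subject, body)) >= threshold


# Constructed sample messages modelled on the quoted lures (not real spam).
LURE_CODE_LINK = (
    "A Valentine E-Card from Sam",
    "Sam just mailed an electronic Valentine greeting card and wrote this to you: "
    '"love u so much dear.." To view this page please click here: '
    "hxxp://cards.example.test/?code=5521 You can see your card at any time within 30 days.",
)
LURE_EXE_LINK = (
    "Happy Valentines Day!",
    "Somebody has sent you a Valentine's Day greeting card. Click here to view your card: "
    "hxxp://greetings.example.test/run.exe For your convenience, the greeting card "
    "will be available for the next 30 days.",
)
BENIGN = (
    "Team lunch on Friday",
    "Please RSVP by Thursday so I can book the table. Thanks!",
)

if __name__ == "__main__":
    for name, msg in (("code link", LURE_CODE_LINK), ("exe link", LURE_EXE_LINK), ("benign", BENIGN)):
        print(name, is_ecard_lure(*msg), indicators(*msg))
```

The two lure samples each collect five indicators and the benign message none. The phrase list is deliberately literal, so the check catches the current template rather than every future variant; the link checks (a bare domain with only a cardnum or code parameter, or a path ending in .exe) are the parts most likely to survive the next rewording of the lure text.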
Posted in Social Engineering, Spam, Storm, Waledac | No Comments »