Archive for April, 2009

A Recipe for Stolen Biscuits

Thursday, April 30th, 2009

As Koobface has proven, stealing biscuits can get malware distributors a long way.

Another technique and tool for abusing stolen biscuits, much like the Koobface worm, has just been posted, and it supports changing a wall without the password. The author claims to have just completed “FBController – The Ultimate Utility to Control Facebook accounts without the Password”.

Be aware that downloading and executing code from untrusted sources is always a problem, and please do not fall for the ongoing phony video codec or software update ploys.

Update – a CNET writer finds the techniques interesting.

PDF Reader 0day Published

Wednesday, April 29th, 2009

Another Acrobat Reader 0day PoC has been posted, this time targeting a boundary condition error (longhand for buffer overflow here) in the vulnerable ‘getAnnots()’ JavaScript function. We haven’t seen any ITW malcode targeting Windows versions of Reader, but based on past experience, exploits will arrive within a week or so, and ThreatFire will prevent them when they do.

Right now, the highest levels of Reader exploitation come from commodity LuckySploit exploit pack implementations, as we have mentioned and expected in previous posts. At the least, users should update their third-party software frequently, possibly consider an alternative reader for now, and install a behavior-based solution like ThreatFire for proactive protection.

LuckySploit Links Sent over Gaming Collaboration Clients

Tuesday, April 28th, 2009

Links to LuckySploit exploit pages are being sent over gaming collaboration tools with the end goal of installing rogueware/scareware Spyware Protect 2009, still being hosted at antiwareprotect.com:

Name: antiwareprotect.com
Address: 91.212.65.122

inetnum:         91.212.65.0 - 91.212.65.255
netname:         EUROHOST-NET
descr:           Eurohost LLC
descr:           Provider Local Registry
country:         UA
remarks:         ---------------------------------------------------------------------------------------------
remarks:         Trouble:Please report abuse incidents to abuse@eurohost.biz.ua
remarks:         Trouble:Messages sent to other contact addresses may not be acted upon.
remarks:         ---------------------------------------------------------------------------------------------
org:             ORG-EL76-RIPE
admin-c:         MI1858-RIPE
tech-c:          NOC114-RIPE

organisation:    ORG-EL76-RIPE
org-name:        Eurohost LLC
descr:           Eurohost LLC
address:         Evpatoria, Crimea, Ukraine
abuse-mailbox:   abuse@eurohost.biz.ua

role:            Network Operations Centre
address:         Evpatoria, Crimea, Ukraine
address:         Evpatoria, Crimea, Ukraine
nic-hdl:         MI1858-RIPE
mnt-by:          EUROHOST-MNT

The arrival of a link in text is somewhat out of the ordinary, because most of these gaming tools are voice chat clients. But players of MMORPG online games like Counter Strike and World of Warcraft should be aware that links are being sent out via popular chat clients that redirect to LuckySploit hosting sites. Typically, an invitation to check out a new game or mod is delivered. The end result usually is an “install.exe” file downloaded and executed due to successful exploitation of a vulnerable version of Adobe Acrobat Reader, which in turn installs “sysguard.exe”. Pop-ups from this rogueware pummel the screen with consistently poor English grammar, false detections and phony alerts like “Windows Security alert: Windows reports that computer is infected”.

Back in February, we posted on the Spyware Protect 2009 group’s hosts file abuse (with modifications to browser-security.microsoft.com, which is not a legitimate site), and then again in March, with hosts file modifications leading to phony AV reviews.
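The hosts file abuse mentioned above is easy to check for on a machine. The following is an added example (not code from the original post or from ThreatFire) that parses a hosts file and flags any entry overriding a watched vendor domain, whether it points the name at a remote address, as with the browser-security.microsoft.com entry, or at loopback to block updates; the hosts file contents and the watched domain list are constructed for the example.

```python
# Constructed sample of a Windows hosts file, modelled on the kind of edit the
# post describes: a vendor-looking hostname pinned to an address of the
# attacker's choosing. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      browser-security.microsoft.com   # constructed rogue entry
192.0.2.10      www.microsoft.com update.microsoft.com
127.0.0.1       www.example.test
"""

# Domains that a clean hosts file should never override (assumed list).
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com")


def suspicious_hosts_entries(text, suffixes=WATCHED_SUFFIXES):
    """Return (address, hostname) pairs for every hosts-file line that maps a
    watched domain or one of its subdomains, regardless of the address used.
    Comments, blank lines and extra whitespace are tolerated."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()                   # "<address> <name> [<name>...]"
        addr, names = parts[0], parts[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == s or host.endswith("." + s) for s in suffixes):
                findings.append((addr, host))
    return findings


if __name__ == "__main__":
    for addr, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {addr}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` into `text` instead of the constructed sample.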
It is also somewhat unusual to see such a site in this space (hxxp://v-state(dot)com/pool/ or 212.117.185.40):

Name: v-state.com
Address: 212.117.185.40

inetnum: 212.117.160.0 - 212.117.191.255
netname: LU-ROOT-20071108
descr: root eSolutions
country: LU
org: ORG-re8-RIPE
admin-c: AB99-RIPE
tech-c: RE655-RIPE
organisation: ORG-re8-RIPE
role: root eSolutions
address: Luxembourg
e-mail: info@root.lu

If you receive a malicious link to check out a new game while playing WoW or Counter Strike as a part of a larger team, please let us know. ThreatFire is preventing a fairly high number of related LuckySploit Acrobat Reader attacks in the community.