|
Archive for the ‘Exploit’ Category
Tuesday, September 1st, 2009
We’ve been waiting for some stats to come rolling in, but we haven’t seen a hint of an 0day worm or any attacks for that matter on the current Microsoft Ftp module 0day.
Instead of the Ftp 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and the Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users don’t patch systems for various reasons for years?) The worm itself attempts to exploit the aged vulnerability and deliver download and execute shellcode, pulling down and running more malware on the compromised host. That shellcode has been downloading an incremented-daily URL from a server hosted in England since August 2nd. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.
Posted in 0day, Exploit, Worm | No Comments »
Thursday, July 30th, 2009
The banking password and information stealer Clampi recently was described as infecting anywhere from 100,000 and 1 million windows PC’s. Let’s take a closer look at this menace, and what interesting Clampi behaviors ThreatFire has been preventing in our community.
First, let’s talk about the distribution over the past year. Most of the Clampi executables appear to be unique, and appear to have been run on no more than one machine. The bulk of these executables are repacked and re-obfuscated to evade AV solutions, so only a quarter of the Clampi malware prevented in the ThreatFire community over the past year showed up on more than one system. Mostly all of the Clampi variants seen on multiple user desktops appear to have been delivered via an Adobe Acrobat client-side exploit. As posted previously about mainstream Windows pdf readers, be sure to update the software on your system, especially popular web browser third party plugins. A high number of these Clampi-delivering exploits successfully attacked Acrobat 7.0. Unfortunately, while the message may be getting out that third party plugins need to be updated on a regular basis, the advice does not seem to be followed reliably.
The trojan runs a new instance of Internet Explorer and injects it with executable code of its own, accesses the personal store of saved passwords, and phones the data off of the system to multiple web sites. It’s not a set of new malicious techniques, but highly problematic nonetheless. ThreatFire prevents these behaviors reliably, and PC Tools AV reliably detects the malware with one of several heuristic routines: Trojan.DL.Ilomo.Gen!Pac, Trojan.DR.Ilomo.Gen!Pac.2, Trojan.DL.Ilomo.Gen!Pac .
Symantec named this malware Trojan.Clampi, and it has been labelled inconsistently by other groups with a handful of other names, including Clomp, Downloader, Inject, Rscan, Small, Ilomo, Agent2, Agent, and often it is detected by its packer’s characteristics. Unfortunately, its packer changes and old signatures can become ineffective against this malware as it appears on systems around the world over time. PCTAV heuristics were effective over time, however.
Update: Please see post with a bit of technical information regarding Clampi variant’s injection technique.
Posted in Bot, Crimeware, Evasion technique, Exploit | No Comments »
Tuesday, July 28th, 2009
As out-of-band patches are released today, we are not yet seeing memory corruption attacks targeting these newly patched vulnerabilities that effect Internet Explorer 6,7, and 8. Nonetheless, be sure to visit the Microsoft updates site and patch your system soon.
Instead, ThreatFire continues to prevent prevalent attacks from malicious pages like those currently hosted on cxim-way. cn, where javascript identifies third party plugins on the system and attacks the user’s system accordingly. Pseudocode here:
while name = navigator.plugins[i].name
if((name.indexOf(”Adobe Acrobat”) != -1) || (name.indexOf(”Adobe PDF”) != -1))
then iframe src=”cache/readme.pdf
if(name.indexOf(”Foxit Reader”) != -1) then iframe src=”cache/update.pdf
if(name.indexOf(”Flash”) != -1) then iframe src=”cache/flash.swf
The resulting malicious payload is prevented by ThreatFire. “Load.exe” is pulled down from the site on a successfully compromised system, renamed to “pdfupd.exe”, and run. This malicious downloader/dropper currently evades most AV scanners. It drops a couple of drivers, and possibly may be a rustock bot variant, which we are looking further into: 
ThreatFire users are protected from multiple layers of the attacks. In addition to patching your system, install a behavioral-based layer of protection on your system.
Posted in Exploit, Undetected malware | No Comments »
|
|
|
|
