Archive for the ‘Worm’ Category
Tuesday, March 2nd, 2010
Spanish law enforcement nabbed three operators of the Mariposa botnet: “Authorities identified them by their Internet handles and their ages: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25.”
The massive infection rate described in the article is just one more reason why you need our quiet ThreatFire product protecting your workstation. Every week, thousands of up-to-date ThreatFire-protected systems were attacked by variants of these bots and protected by a feature we call “behavioral recognition”. It is far superior to AV file-scanner signatures and definitively identifies the behavior of malware families like the bots that were part of the Mariposa botnet. Problems with signature-based AV scanner recognition of various Mariposa variant bots were described in a technical paper here.

If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.
Posted in Bot, Crimeware, Evasion technique, IM Worm, Malware Counts, Obfuscation, Password stealing, Uncategorized, Worm | 1 Comment »
Wednesday, September 9th, 2009
Some hugely prevalent worm families just won’t wither away and disappear. They top vendors’ prevalence lists for years on end, even as the malcode fails to serve its original purpose. As the ThreatFire community grows its presence in Mexico and Brazil, it protects more users from a relentless worm originally distributed from Indonesia: Brontok.
Brontok is a mass-mailing worm that isn’t mentioned all that often anymore, being out-amplified by sensations like Conficker/Downadup/Kido, but its many variants continue to show up all over the world. For the past month, our ThreatFire users in Mexico and Brazil have been the ones most often protected from these Brontok variants, which are being run, and prevented by ThreatFire, on desktops in high numbers.
The compromised hosts used to be abused as DDoS bots, attacking sites around the world in what was never confirmed as either hacktivism or blackmail attempts. Now, however, the worm travels without a head in the sunniest tropics — the major provider that (unwittingly at the time) hosted Brontok’s configuration files long ago took down the command-and-control server accounts Brontok accessed.
Posted in Worm, cybercrime | No Comments »
Tuesday, September 1st, 2009
We’ve been waiting for some stats to come rolling in, but we haven’t seen a hint of a 0day worm, or any attacks for that matter, on the current Microsoft FTP module 0day.
Instead of the FTP 0day showing global activity, Spybot/Kolab is attempting to rip across the Russian Federation and Ukraine by attacking a several-year-old vulnerability in srvsvc.dll, the server service hosted within one of the several svchost.exe processes running on Windows systems. (Why rush development of a new stack overflow exploit when users don’t patch their systems, for various reasons, for years?) The worm itself attempts to exploit the aged vulnerability and deliver download-and-execute shellcode, which pulls down and runs more malware on the compromised host. Since August 2nd that shellcode has been downloading from a URL whose filename is incremented daily, on a server hosted in England. Today it is 94.76.194 .116/ 37.exe. Threatexpert report for the payload here.
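The daily-incremented filename is a pattern a defender can hunt for in outbound proxy logs. The following Python is an added example, not code from this blog or from ThreatFire; it assumes a simple constructed log format of `date client-ip url` and uses TEST-NET documentation addresses rather than the server named above.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed proxy log sample (date, client IP, URL); addresses come from the
# TEST-NET documentation ranges, not from any real infrastructure.
SAMPLE_LOG = """\
2009-08-30 10.0.0.12 http://203.0.113.7/35.exe
2009-08-30 10.0.0.19 http://203.0.113.7/35.exe
2009-08-31 10.0.0.12 http://203.0.113.7/36.exe
2009-09-01 10.0.0.12 http://203.0.113.7/37.exe
2009-09-01 10.0.0.44 http://example.com/setup.exe
2009-08-31 10.0.0.44 http://203.0.113.9/update.exe
"""

# Only URLs whose path is a bare number followed by ".exe" are of interest.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) https?://([^/\s]+)/(\d+)\.exe$")

def parse(log):
    """Yield (day, client, host, number) for lines with a numeric .exe filename."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield date.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_incrementing_hosts(log, min_days=3):
    """Return hosts whose numeric .exe filename rose by exactly one per calendar day.

    A host is flagged only when seen on at least min_days consecutive days, so
    one-off downloads and non-numeric filenames never qualify.
    """
    by_host_day = defaultdict(dict)   # host -> {day: number seen that day}
    clients = defaultdict(set)        # host -> internal clients that fetched from it
    for day, client, host, number in parse(log):
        by_host_day[host][day] = number
        clients[host].add(client)
    flagged = {}
    for host, by_day in by_host_day.items():
        days = sorted(by_day)
        if len(days) < min_days:
            continue
        steps = list(zip(days, days[1:]))
        if all((b - a).days == 1 and by_day[b] - by_day[a] == 1 for a, b in steps):
            flagged[host] = {
                "clients": sorted(clients[host]),
                "first_seen": days[0].isoformat(),
                "latest_file": f"{by_day[days[-1]]}.exe",
            }
    return flagged
```

The flagged clients are the hosts most likely to be running the worm and worth checking for the unpatched server service.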
Posted in 0day, Exploit, Worm | No Comments »