Week of
01/06/08
General-
Be careful of connecting any new USB devices that you
may have purchased for yourself or received as a gift
for the holidays. It seems that a number of digital
photo frames (mostly ones made/assembled in China) as
well as other USB devices recently produced come
pre-loaded with malware of one sort or another. I
recommend a complete scan of your system with your
security software immediately after installation of any
new device. This includes external hard drives and GPS
devices as well.
Vista –
Today, 1/8/08, Microsoft released two security bulletins
to update and patch all currently supported versions of
Windows, as well as a new version of the Malicious
Software Removal Tool. Vista users only have one update
bulletin, and for once none of the updates involve
Internet Explorer.
The first bulletin, MS08-001 (KB941644), is rated
critical.
This critical security update resolves two privately
reported vulnerabilities in Transmission Control
Protocol/Internet Protocol (TCP/IP) processing. An
attacker who successfully exploited this vulnerability
could take complete control of an affected system. An
attacker could then install programs; view, change, or
delete data; or create new accounts with full user
rights.
IE 7 –
Microsoft -- Internet Explorer
DivX -- DivX Player
A certain ActiveX control in npUpload.dll in DivX Player
6.6.0 allows remote attackers to cause a denial of
service (Internet Explorer 7 crash) via a long argument
to the SetPassword method.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0090
Other Software-
This section contains information on other Vista
compatible software including Microsoft Office and other
software that may have come bundled with your new Vista
computer, or that you may have added.
Adobe -- Flash Player Plugin
Adobe -- Flash Player
Multiple cross-site scripting (XSS) vulnerabilities in
Adobe Flash Player allow remote attackers to inject
arbitrary web script or HTML via a crafted SWF file,
related to "pre-generated SWF files" and Adobe
Dreamweaver CS3 or Adobe Acrobat Connect. NOTE: the
asfunction: vector is already covered by CVE-2007-6244.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6637
CRITICAL: Real Networks RealPlayer and Helix Server
Undisclosed Remote Code Execution
Affected: Versions 11 and prior
Description: Real Networks RealPlayer, a popular streaming
media player, and Helix Server, a popular streaming media
server, contain an undisclosed remote code execution
vulnerability. A specially crafted RealPlayer datastream
or Real Time Streaming Protocol (RTSP) request could
trigger one of these vulnerabilities and allow an attacker
to execute arbitrary code with the privileges of the
vulnerable process. RealPlayer content is generally
displayed by default, without first prompting the user,
and Helix Server generally accepts arbitrary requests. No
further technical details are publicly available for this
vulnerability, but a proof-of-concept is available for
members of the Immunity Security Partners' Program. It is
believed that RealPlayer on all supported platforms is
vulnerable.
Status: Real Networks has not confirmed, no updates
available.
References:
Videos Demonstrating Purported Proofs-of-Concept
http://gleg.net/realplayer11.html
http://gleg.net/realserver.html
Posting by Evgeny Legerov
http://lists.immunitysec.com/pipermail/dailydave/2008-January/004811.html
Proof-of-Concept (live link, will exploit vulnerable
browsers)
http://c.uc8010.com/111.htm
Real Networks Home Page
http://www.real.com/
SecurityFocus BIDs
http://www.securityfocus.com/bid/27091
http://www.securityfocus.com/bid/27122
Sun has released a new version of Java. The updated
version contains over 370 bug fixes. Users are
encouraged to update to v 1.6.0_04 as soon as possible.
You will be able to obtain the latest version from
www.Java.com in the near future; it is not on the public
website as of yet but should be available within the next
week. The newest version on the public site at this time
is still v 1.6.0_03.
Remember to go to Control Panel | Add or Remove Programs
to uninstall the older version of Java, as the Java
installer will not do that for you. Leaving the older
version(s) of Java installed on your computer will leave
you vulnerable to attacks that the newer version is
patched against.
New Viruses-
This section lists the new viruses, worms, Trojans etc.
released into the wild during the past week. The
discoveries come from Sophos (UK), recognized as a world
leader in computer security products, software and
appliances.
1. W32/AutoRun-AG is a worm for the Windows platform.
2. Troj/Pushu-E is a Trojan for the Windows platform.
When Troj/Pushu-E is installed it creates the file
<System>\drivers\runtime.sys.
The file runtime.sys is detected as Troj/Pushu-Gen.
The file runtime.sys is registered as a new system
driver service named "runtime".
The Trojan also replaces <System>\drivers\secdrv.sys
with its own copy. This file is detected as Troj/Pushu-Gen.
Drops more malware
Downloads code from the internet
Installs itself in the Registry
3. W32/Tilebot-KR is a worm with IRC backdoor
functionality for the Windows platform.
W32/Tilebot-KR runs continuously in the background,
providing a backdoor server which allows a remote
intruder to gain access and control over the computer
via IRC channels.
When first run W32/Tilebot-KR copies itself to <System>\spoolvc.exe.
The file spoolvc.exe is registered as a new system
driver service named "Task Restore Service" with a
startup type of automatic.
Allows others to access the computer
Downloads code from the internet
Reduces system security
Installs itself in the Registry
4. W32/Nugache-I is a worm with backdoor functionality
for the Windows platform.
W32/Nugache-I runs continuously in the background,
providing a backdoor server which allows a remote
intruder to gain access and control over the computer.
When first run W32/Nugache-I copies itself to <System>\mstc.exe.
Allows others to access the computer
Installs itself in the Registry
5. W32/Idas-A is a virus for the Windows platform.
When run, the virus will attempt to find and infect other
executable files on the computer and then display a
small dialog with the text 'Infecte' and an OK button.
6. Troj/Phish-B is a Trojan for the Windows platform.
7. Troj/KillFile-I is a Trojan for the Windows
platform.
The Trojan attempts to delete the following files:
<windows>/regedit.exe
<windows>/system32/command.com
<windows>/system32/hal.dll
<windows>/system32/keyboard.drv
<windows>/system32/keyboard.sys
<windows>/system32/mouse.drv
<windows>/system32/msvideo.dll
<windows>/system32/shell.dll
<windows>/system32/system.drv
<windows>/system32/taskkill.exe
<windows>/system32/tasklist.exe
<windows>/system32/taskmgr.exe
<windows>/system32/win.com
<windows>/system/system.drv
<windows>/system/system.mdw
<windows>/taskman.exe
Troj/KillFile-I also deletes all the links in the quick
launch bar of the infected computer.
The absence of the deleted files may not allow Windows
to boot up correctly upon restart.
8. Troj/CashGrab-T is a Trojan for the Windows platform.
When Troj/CashGrab-T is first run it creates the file
<Root>\xp2008.dat, also detected as Troj/CashGrab-T.
The file xpdata2008.dat is registered as a COM object
and Browser Helper Object (BHO) for Microsoft Internet
Explorer
Installs itself in the Registry
Monitors browser activity
Installs a browser helper object
9. Troj/AgentM-Fam is a family of Trojans for the
Windows platform.
Troj/AgentM-Fam may appear to be a new version of
Macromedia Flash.
Troj/AgentM-Fam includes functionality to access the
internet and communicate with a remote server via HTTP.
When Troj/AgentM-Fam is installed the following files
are created:
<Temp>\_check32.bat
<Windows>\s32.txt
<System>\aspimgr.exe
<Windows>\ws386.ini
The file aspimgr.exe is registered as a new system
driver service named "aspimgr", with a display name of
"Microsoft ASPI Manager" and a startup type of
automatic, so that it is started automatically during
system startup.
10. Troj/Agent-GLF is a Trojan for the Windows platform.
11. Troj/Pushu-E is a Trojan for the Windows platform.
When Troj/Pushu-E is installed it creates the file
<System>\drivers\runtime.sys.
The file runtime.sys is detected as Troj/Pushu-Gen.
The file runtime.sys is registered as a new system
driver service named "runtime".
12. Troj/Pushu-F is a Trojan for the Windows platform.
Drops more malware
Downloads code from the internet
Installs itself in the Registry
13. Troj/Trinity-C is a Trojan for the Windows platform.
When first run Troj/Trinity-C copies itself to
<Windows>\wmssvc.exe.
The file wmssvc.exe is registered as a new system driver
service named "NET Service", with a display name of "NET
Service" and a startup type of automatic, so that it is
started automatically during system startup.
14. Troj/KillDis-L is a Trojan for the Windows platform.
15. Troj/Dropper-SZ is a Trojan for the Windows
platform.
16. Troj/Mbroot-A is a Trojan that infects Master Boot
Record code in a fashion similar to DOS boot sector
viruses.
The code installed in the MBR is used to install a
rootkit in an early stage of the bootup process. The
rootkit hides the presence of malware on the system.
Troj/Mbroot-A includes functionality to access the
internet and communicate with a remote server via HTTP.
When Troj/Mbroot-A is installed it creates the file
<Temp>\cln2.tmp. The file cln2.tmp is detected as Mal/Sinowa-A.
Allows others to access the computer
Downloads code from the internet
17. W32/Sality-AA is a virus that also acts as a
keylogger.
The virus logs keystrokes to certain windows, as well as
information about the infected computer. This logged
data is periodically submitted to a remote website.
W32/Sality-AA has been seen spreading itself via email
by piggy-backing on W32/Netsky-T.
18. Troj/Dloadr-BEQ is a Trojan for the Windows
platform.
Troj/Dloadr-BEQ includes functionality to download,
install and run new software.
When Troj/Dloadr-BEQ is installed the following files
are created:
<User>\Application Data\Microsoft\Network\Downloader\qmgr0.dat
<User>\Application Data\Microsoft\Network\Downloader\qmgr1.dat
<System>\ldr3.tmp
19. Troj/KeybRant-A is a Trojan for the Windows
platform.
Troj/KeybRant-A creates the batch file:
<All Users Profile>\StartMenu\Programs\Startup\Update.exe.bat
The Update.exe.bat file attempts to disable the
keyboard when the user logs on. Update.exe.bat is also
detected as Troj/KeybRant-A.
Troj/KeybRant-A sends the following message to all
computers in the workgroup:
"The network is infected by poisonous worm by mr.loser
and my poisoned blood will fill the whole world"
20. Troj/Yasspy-B is a Trojan for the Windows platform.
21. Troj/Agent-GLN is a Trojan for the Windows platform.
Troj/Agent-GLN runs continuously in the background,
providing a backdoor server which allows a remote
intruder to gain access and control over the computer
via IRC channels.
When first run Troj/Agent-GLN copies itself to <System>\svcshost.exe
and creates the file <System>\svcshost.dll.
22. W32/Vora-A is a worm for the Windows platform.
When first run W32/Vora-A copies itself to <User>\svfhost.exe
and creates the following files:
<Program Files>\KaZaA\My Shared Folder\Aim.Hacker.zip
<Program Files>\KaZaA\My Shared Folder\Counterstrike.Source.aimbot.zip
<Program Files>\KaZaA\My Shared Folder\Hotmail.Hacker.zip
<Program Files>\KaZaA\My Shared Folder\MSN.Hacker.zip
<Program Files>\KaZaA\My Shared Folder\Universal-Keygen.zip
<Program Files>\KaZaA\My Shared Folder\Virtua.Girl.Serial.Pack.wih.10.Girls-TorrentZ.zip
<Program Files>\KaZaA\My Shared Folder\Windows.Activation.Crack.Final-ETH0.zip
<Program Files>\KaZaA\My Shared Folder\Windows.Live.Messenger.Beta.Serial.Generator-PARADOX.zip
<Program Files>\KaZaA\My Shared Folder\XXX.Passes.Juli.2007.zip
<Program Files>\KaZaA\My Shared Folder\Xbox.Live.Serial.Generator.zip
23. Troj/Inject-BX is a Trojan for the Windows platform.
24. W32/Eriv-A is a worm for the Windows platform.
When first run W32/Eriv-A copies itself to:
<CurrentFolder>\sample1.exe
<Root>\Scan.pif
<Windows>\Check.exe
<Windows>\Desktop.com
and creates the file <Temp>\~df1ac7.tmp.
25. W32/Ennumi-A is a virus for the Windows platform.
26. W32/Kolabc-A is a worm with IRC backdoor
functionality for the Windows platform.
27. Troj/Telemot-D is a backdoor Trojan for the Windows
platform.
28. Troj/Cimuz-CU is a Trojan for the Windows platform.
Troj/Cimuz-CU installs itself as a browser helper
object.
Troj/Cimuz-CU creates the file <system>\openfiles.dll
which is also detected as Troj/Cimuz-CU.
Troj/Cimuz-CU uploads information from the host computer
to a remote server.
29. Troj/Rootkit-BP is a Trojan for the Windows
platform.
Modifies data on the computer
Reduces system security
30. Troj/Qhost-F is a Trojan for the Windows platform.
Troj/Qhost-F runs continuously in the background,
providing a backdoor server which allows a remote
intruder to gain access and control over the computer
via IRC channels.
When first run Troj/Qhost-F copies itself to <Windows>\ntmngr.exe
and creates the file <Windows>\images.zip.
Allows others to access the computer
Installs itself in the Registry
31. Troj/Psyme-GW is a downloader Trojan for the Windows
platform.
Troj/Psyme-GW is a Visual Basic script which arrives by
browsing websites whose HTML pages contain the script or
a SRC= link to the script.
If the browser has ActiveX enabled or the user allows
the script to run when prompted, the script attempts to
exploit the ADODB stream vulnerability associated with
Microsoft Internet Explorer to download a remote file to
<temp>\commomds.exe and then execute this file.
Downloads code from the internet
Exploits system or software vulnerabilities
Phishing & Malicious Websites-
1. Websense(R) Security Labs(TM) has discovered a new
email attack that uses a spoofed email claiming to be
from the National Payroll Reporting Consortium (NPRC).
This is similar to previous attacks claiming to
originate from the IRS, Better Business Bureau, and
Department of Justice. We have been tracking all of
these attacks, and reporting them as they are
discovered.
The message claims that the recipient's company has made
numerous misrepresentations regarding worker
classification to lower compensation costs. The email
asks the recipient to fill in an attached form and fax
it to NPRC's fraud department in order to resolve the
issue.
The attachment is a Trojan downloader with some backdoor
capabilities. It is a malicious Windows executable file
with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d.