• 0 Comments

La red social internética MySpace se encuentra pasando por un momento complicado en cuanto a la cantidad de virus informáticos que circulan por sus servicios. En general, se trata de virus troyanos, es decir de código maligno que viene …

• 0 Comments

This worm spreads by e-mail as an attachment or as a hyperlink in ICQ message. On the infected computer virus harvests e-mail addresses or ICQ contacts to which it sends its copies. Virus can download and install other unwanted programs from the Internet. More information can be found in the Virus Encyclopedia.

• 0 Comments

Many people have said that the lack of attacks upon Apple’s operating systems and devices can be attributed to a lower market share than Microsoft Windows-based PCs. With the shift towards malicious code being written for financial gain, it makes more economic sense. (I know that there are other arguments to be made, but bear with me.) Why write a Trojan that only runs on about 10% of computers when you can write one that is capable of affecting closer to 90% of them? Far more bang for the buck.

At the same time, there haven’t been many attacks on cellular phones and mobile devices. There have been several proof of concept Trojans, worms, and viruses for Symbian Smart Phones as well as a few for the Windows Mobile platform. Some of these have even resulted in small, localized outbreaks. Again, the lack of attacks on these devices has been attributed to a smaller user base.

On June 29th, however, these two platforms will converge when Apple’s iPhone is released in the US. The release will potentially make writing malicious code for both an Apple product and a mobile device irresistible to some attackers. The iPhone will represent a robust mobile device platform based on OS X that allows users to send and receive HTML email and surf the Net with the Safari Web browser.

Projections made by various analysts suggest that iPhone adoption will be quite high. This allows attackers to target a larger audience with malicious code designed to run on the devices. The Safari browser and HTML email capabilities of the device could present an ideal attack vector. As recently demonstrated, Safari can be affected by vulnerabilities just as easily as other browsers on the market. While Apple may patch these holes on both the desktop and mobile platforms, the question is will users who have to pay for data transfers be willing to download large security updates on a regular basis?

I doubt that anyone will read this and decide against their iPhone purchase (in fact I’ll probably look into getting one myself). Just remember to keep the same best security practices you would use on any other computer in mind.

• 0 Comments

Recently, a DeepSight honeypot was compromised by a rogue website that served a variety of malicious scripts to users. From the dozens of Web sites that we investigate everyday, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesis Module (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE ) and DirectSpeechRecognition Module (XListen.dll, 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines. In this case, the exploit passes a maliciously crafted argument (ModeName) to the DirectSS.FindEngine function. The overflowed buffer is then populated with attacker-supplied shellcode over-writing the Structured Exception Handler, thus resulting in the execution of arbitrary code. This exploit is being detected as Bloodhound Exploit.150 by Norton AntiVirus.

Upon further investigation we found that this Web site was also serving an exploit that leveraged an unpatched vulnerability in a very popular Chinese peer-to-peer file sharing application called Xunlei (Thunderbolt in English). Xunlei has an estimated user base of around 80 million, which makes it a very lucrative target to exploit. The vulnerability lies in the Xunlei WebThunder, which can be used as a Web-based alternative for the original application accessible through browsers like the Microsoft Internet Explorer. However, the COM control ‘ThunderServer.webThunder.1’ (03507A1A-E0C5-4404-AA26-205385C0892D) fails to properly validate the supplied user-input. The attackers abused a certain sequence of routines supplied by this COM control in order to download arbitrary files on the user’s system. This exploit is being detected as Downloader by Norton AntiVirus.

Both of these client side exploits deliver the same malicious payload, which is being detected as W32.Looked.BK.

Another interesting aspect of this attack is the clever JavaScript obfuscation techniques that are used to hide these attacks. At first glance, what appeared to be a garbled Web page turns out to be an obfuscated JavaScript exploit using up to six levels of obfuscation (see image). This is primarily used to evade security products like Web applications that implement on-the-fly script parsers. This is how the exploit is obfuscated:

1. For the original exploit, all the variable names are randomized and the string values are replaced by their hexadecimal counterparts.
2. It is then encoded using a wrapper function which performs mathematical substitution operations on the code.
3. The wrapper function is further encoded using the JavaScript escape() function.
4. All the new-line characters in the resulting code are then escaped.
5. It is then packed with a routine which performs another set of substitution operations on the code.

Client-side attacks have become the most prominent vector in the ever-evolving threat landscape. With their increased reach, ease, and effectiveness, such attacks have become the bread and butter of cyber-criminals. Almost every other day we hear of anothe legitimate Web site being compromised to enable such attacks, with innocuous users bearing the brunt of them. We anticipate that the frequency and the complexity of such attacks will increase in the near future. To avoid falling victim to such an attack, users should patch their system regularly, update their antivirus definitions, and browse only trusted Web sites.

• 0 Comments

May brought a few surprises, with old email worms climbing to the top of the rankings, and a warning of more to come. This month’s Top Twenty also features two classic file viruses.

• 0 Comments

It’s interesting that the virus writers who are creating Trojan downloaders are actively varying the type of files downloaded, ranging from obviously malicious programs to adware.

• 0 Comments