27 Nov
Posted by CANAL INFORMACION CASTELLANO DOCTORINTERNET VIRUS as Uncategorized
Worm that modifies the configuration of the compromised system so that it runs every time an .EXE, .BAT, .PIF or .COM file is launched.
Restarts the compromised system when it detects certain Internet Explorer window titles.
Spreads to all physical, removable or mapped drives available on the compromised system.
27 Nov
Trojan that can reach the infected computer through a mass mailing containing a link to an Internet address from which a copy of the trojan is downloaded.
Captures information from the infected computer and later sends it out by e-mail.
27 Nov
Trojan capable of modifying '.dll' files and replacing their content with the text 'MVIIIAX ', making it necessary to reinstall the affected files to recover their functionality.
Leaves a file named 'gorgomelero.exe' in every subdirectory of the Windows installation directory.
26 Nov
Trojan that is downloaded onto the system when visiting malicious web pages.
Attempts to disable certain firewall applications.
26 Nov
Trojan that creates files on our system and then connects to a backdoor at an IP address.
26 Nov
Virus that prepends its code to executable files so that it runs every time its 'host' files are launched.
It is capable of stealing sensitive information from the affected computer (system data and passwords).
23 Nov
While the scale of the data loss by the UK's Revenue and Customs is indeed stunning, there is still no indication that the missing disks containing information from 25 million UK residents have actually fallen into unfriendly hands. However, this is now almost irrelevant as we in the security industry sit and wait for the first scam or phishing attack that plays on people's doubts and fears.
For those unaware of this issue, on November 20th Her Majesty's Revenue & Customs (HMRC - the UK's tax and excise agency) acknowledged that it had lost two computer disks containing large amounts of confidential information, including names, addresses, dates of birth, and in some cases bank account information. The missing disks, apparently lost while being transported, may include information on as many as 25 million individuals, including recipients of child benefits.
HMRC believe the disks are still within one of their sites, but after an exhaustive search, they have failed to materialize. So, imagine if you or your family receive an email purporting to be from the Child Benefit Helpline, asking you to visit a certain Web site to input your name, address, national insurance number, and even bank account details so that they can be checked against records to see if your details have been compromised. Or, just think if you receive an email asking you to call a helpline number for advice and guidance on how to protect your details, and this turns out to be a premium line which will rack up huge call charges.
Unfortunately these are just two of many scams and attacks we can expect to see in the coming days and months, just as happens every time there is a major breach of customer data security. Fraudsters and Internet criminals regularly employ social engineering methods to extort money while playing on people's genuine doubts and fears.
If you receive an email purporting to be from your bank, HMRC, or a similar organisation, do not be tempted to click on the link or call the number. No genuine communication would ever come to you this way; such a message is in all probability spam sent out through criminal gang-controlled botnets.
Our top-line advice to anyone concerned about identity fraud is:
1. Monitor your bank and credit card statements and alert your bank immediately if you see a transaction in your account that you did not authorize.
2. Reset your passwords if you chose a child's name or date of birth. Select complex passwords containing numbers, letters and symbols.
3. On the Internet, don't give away personal details or credit card details to unsecured sites. Always look for the padlock symbol in the bottom of your Internet browser screen and for https:// in the URL address of the Web site you are visiting.
4. Be careful how much personal information you disclose on Websites, especially social networking sites. Avoid giving out your email address, mobile phone number, or other sensitive information that cyber criminals could use to clone your identity online.
5. Do not click on URL links in emails or instant messages (IMs) from unknown or suspicious sources, especially not those requesting you to verify personal information to a bank or retailer. These are phishing attempts.
6. Install a solid Internet security software suite to protect you from hackers, viruses, and spyware. Always select a product that includes identity protection features to verify the Web sites you visit.
7. Watch out for unexpected emails, particularly those purporting to be from HMRC or government agencies requesting you verify personal details. These are phishing attempts.
23 Nov
Symantec Security Response has observed web based exploit attacks using a previously unknown vulnerability in the Xunlei Thunder PPlayer ActiveX control. This is a component of the Chinese download accelerator and file-sharing application, Xunlei Thunder 5.7.4 401.
The attack originates from a server on the 522love.cn domain. If a user navigates to the site, a Web page hosted on the site employs a client detection technique to determine the appropriate exploit code that should be sent back to the requesting client in order to successfully exploit it. This technique is similar to the techniques used by the MPack attack kit that is already widely used. We have seen a whole range of vulnerabilities both new and old used by this site, including the following:
• Xunlei Thunder PPLAYER.DLL_1_WORK ActiveX Control Buffer Overflow Vulnerability
• Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability
• SSReader Ultra Star Reader ActiveX Control Register Method Buffer Overflow Vulnerability
• BaoFeng Storm MPS.DLL ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities
• PPStream PowerPlayer.DLL ActiveX Control Buffer Overflow Vulnerability
• Xunlei Web Thunder ActiveX Control DownURL2 Method Remote Buffer Overflow Vulnerability
• Microsoft Windows Vector Markup Language Buffer Overrun Vulnerability
• Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability
Successful exploitation of the client results in code execution that may result in the download and installation of additional malicious files. These files are currently detected by Symantec as Downloader and Trojan.Maliframe!html.
Until a vendor patch is available, users can minimize their risk of exposure by avoiding unknown or untrusted URLs, such as those sent in spam emails and unsolicited instant messages, disabling JavaScript and ActiveX in their Web browser and ensuring that their antivirus software is up-to-date.
Update:
Upon further analysis we have discovered that the following vulnerabilities are also used on this Web server:
• Yahoo! Webcam ActiveX Control Buffer Overrun Vulnerability
• Baidu Soba Search Bar BaiduBar.DLL ActiveX Control Remote Code Execution Vulnerability
Clearly this piece of malware attempts to cover its bases pretty well in terms of market coverage. However, on closer inspection we have also found that the server appears to be misconfigured: the client detection and exploit selection code is appended to everything that the server serves up, HTML, data, and binary files included. As a result, clients receiving the content may behave unpredictably in many cases, causing browser crashes. Perhaps the quality control department had a bad day at the office in this operation.
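As an added illustration (not Symantec's code and not taken from the site discussed above), the following Python checker scans captured HTTP responses for the two things this post describes: a browser-fingerprinting script that instantiates ActiveX objects in an HTML page, and loader tags appended to non-HTML bodies such as images, which is the symptom of the misconfigured server. The sample responses and the CLSID value are constructed placeholders.

```python
import re

# Indicators of an injected loader: script/iframe/object tags, ActiveX
# classid references, and JavaScript that fingerprints the browser.
TAG_RE = re.compile(rb"<(script|iframe|object)\b[^>]*>", re.IGNORECASE)
CLASSID_RE = re.compile(rb"classid\s*=\s*[\"']?clsid:([0-9a-f-]{36})", re.IGNORECASE)
FINGERPRINT_RE = re.compile(rb"navigator\.(userAgent|appVersion|plugins)", re.IGNORECASE)
HTML_TYPES = ("text/html", "application/xhtml+xml")

def split_response(raw: bytes):
    """Split a raw HTTP response into (content_type, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    ctype = ""
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip().decode("latin-1").split(";")[0].lower()
    return ctype, body

def scan_response(raw: bytes) -> dict:
    """Flag a response whose body carries appended exploit-selection code.

    In an HTML page, script is only suspicious when it fingerprints the
    browser and references ActiveX classids; in a non-HTML body any such
    tag at all is a strong sign of the injector described in the post."""
    ctype, body = split_response(raw)
    tags = [m.group(1).lower().decode() for m in TAG_RE.finditer(body)]
    clsids = [m.group(1).lower().decode() for m in CLASSID_RE.finditer(body)]
    fingerprint = FINGERPRINT_RE.search(body) is not None
    is_html = ctype in HTML_TYPES
    suspicious = (not is_html and bool(tags)) or (fingerprint and bool(clsids))
    return {"content_type": ctype, "tags": tags, "clsids": clsids,
            "fingerprint": fingerprint, "suspicious": suspicious}

# Constructed sample responses (placeholder CLSID; not real captures).
SAMPLES = {
    "exploit_page.html": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=gb2312\r\n\r\n"
        b"<html><body>welcome</body></html>\n"
        b"<script>if(navigator.userAgent.indexOf('MSIE')>0){document.write("
        b"'<object classid=\"clsid:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\">"
        b"</object>');}</script>"),
    "logo.gif": (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
                 b"GIF89a\x01\x00\x01\x00\x80\x00\x00;\n<script src=\"x.js\"></script>"),
    "normal.html": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html><head><script>var x=1;</script></head><body>ok</body></html>"),
}

def scan_all(samples=SAMPLES) -> dict:
    """Map each sample name to whether it was flagged."""
    return {name: scan_response(raw)["suspicious"] for name, raw in samples.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_response(raw))
```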
Your hardware is well secured. You've got a good perimeter firewall in place that only allows communication on authorized ports, an IDS to scan for suspicious activity, WPA2 encryption set on wireless devices, and so on. Your software is secure as well. Patches up to date, good password policy enforcement, etc.
So where is the weak point in your network? I think there's a common expression used to describe it: the problem exists between keyboard and chair.
Lately, more attacks have relied upon social engineering to infect users rather than automated exploitation of vulnerabilities in network services. Social engineering is nothing new, but the sophistication of some of these attacks has been increasing. Three prime examples of this come to mind.
Earlier this year, there was a large-scale attack using the MPack kit in which a large number of legitimate Web sites were compromised to redirect visitors to a malicious server. Links to the compromised Web sites were spammed out to users to entice them into visiting them. Since some of these Web sites may have been trusted by the users (they might have visited them in the past or purchased services from them) they might not have thought twice about following the links, and were then compromised by MPack.
A couple of weeks ago the MySpace page for singer Alicia Keys was compromised and modified. The attackers changed it so that clicking almost anywhere on the page would direct the user to a Web site that attempted to sell them fake antivirus software. Similar to MPack, a Web site the user may have trusted was used to redirect them to malicious content. In this case the Web site recorded credit card information if the user chose to "purchase" the program.
And, in the first week of November, a Trojan program for Apple's OS X operating system was reported. Users who followed links to a Web site promising adult content were prompted to install a video codec in order to see what they came for. During the installation of the program, users were prompted for an administrator password to continue. Since most video codecs (and a large number of applications in general) require administrative privileges to install, this probably didn't seem too unusual. Rather than installing a video codec though, users were providing a Trojan with administrative privilege on their computers.
In all three of these examples, users were tricked by exploiting their trust or being presented with something they're used to seeing. Secure policies along with good endpoint and network security will protect users from most threats, but adding a good dose of knowledge and education is vital. If something seems suspicious there is probably good reason for it. While complete paranoia isn't the answer, neither is blind trust.
Win32/Rbot.IHP is an IRC controlled backdoor (or “bot”) that can be used to gain unauthorized access to a victim’s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants…