
MS05-053 Released

  • Posted: November 8, 2005
  • Author: Virus Analyst

A new vulnerability patch has just been released by Microsoft.

MS05-053 (Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)) is a cumulative update for 3 vulnerabilities that have recently been discovered.



  • Graphics Rendering Engine Vulnerability – CAN-2005-2123
  • Windows Metafile Vulnerability – CAN-2005-2124
  • Enhanced Metafile Vulnerability – CAN-2005-0803


More information can be found here.


Macromedia Flash Vulnerability

  • Posted: November 7, 2005
  • Author: Virus Analyst

Flash animations and other forms of interactivity in web pages are
viewed using the Flash Player provided by Macromedia. A vulnerability
has now been discovered in Flash which, when exploited, allows
execution of arbitrary code. The problem lies in an array boundary
check. An attacker can deliver a specially crafted SWF file (the Flash
file format) to exploit it. The affected versions are Flash 7 and
earlier, so if you have upgraded to Flash 8 you are not exposed. I know
how entertaining it can be to click on animations or videos, but be
very cautious with SWF files, because you might get more than just
entertainment.


So if you happen to be vulnerable at the moment, get an upgrade at Macromedia Flash Download. For more
information, you may visit the following:

Security Focus
ISS


Avoiding VMware

  • Posted: November 7, 2005
  • Author: Virus Analyst




Most malware uses anti-debugging techniques to avoid detection or to
make analysis harder. One example is calling the API
IsDebuggerPresent. This API seems to be the favorite choice of malware,
SEH tricks aside.


But I just found out about a new anti-debugging technique (at least new
in my book, as I'm still a beginner in the AV business… :p)


VMware, a popular multi-function virtualizer for Windows and Linux,
is one of the tools used in this line of work. Sadly, with just a few
lines of code, malware can identify whether it is running on a VMware
machine rather than on a real environment.


The malware simply checks for this registry key:


HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools


If the key exists, the malware creates a batch file to delete itself,
leaving no trace of it ever having run. So, for the Service Team:
don't always trust your VMware results.


Alternatively, you can rename the registry key, for example to


HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools1


After renaming this registry key, I tested the malware again and it
now executed as it would in a normal environment.


The malware that I'm talking about here has already been passed to
the service team and word is, it will be detected as
WORM_SDBOT.COQ.


Microsoft’s November security patch due on the 8th

  • Posted: November 7, 2005
  • Author: Virus Analyst

As part of its regular monthly release of
security updates, Microsoft recently announced that it will be
releasing a single patch for the month of November. This update has
been rated critical, the highest risk rating available.
The patch is due this coming November 8. The
advance notice did not say which component is affected, nor
how many flaws the patch fixes. All we can do is
wait and hope that it is a trouble-free patch, unlike some previous
releases. We will keep you posted on the update. Click this for the official news.


e-gold Scam

  • Posted: November 4, 2005
  • Author: Virus Analyst

We captured a spam mail in our honeypot
system earlier. It attempts to fool the targeted user into believing that e-gold
Ltd has come up with a ‘new security system’ that can be accessed
with just the click of a button. It also promises a number of safety
features that the said new system offers. But that is just part of
the scam!


It uses social engineering to convince the targeted user to do what
the scammers want.


It displays a dialog box (see below) when the attachment is
executed. But an average user will not notice that a malicious
program has already been installed on the system by the time he/she sees the
dialog box.




This malicious program monitors the internet activity of the
affected system. When the user visits one of the websites the
program watches for, its keylogging capability is triggered.
The combination of techniques in this malware, social engineering through spam
together with an unnoticed malicious program, can add up to more
cases of identity theft.


As always, security awareness is a major concern. We should not
trust emails whose origin or sender we are unsure of,
especially those with executable attachments. Be aware!


Additional details can be found here.


Sony BMG Rootkit Update

  • Posted: November 4, 2005
  • Author: Virus Analyst

Two days ago we blogged a report about Sony installing a rootkit with the purpose of protecting its digital property from piracy.

A concern was raised that this rootkit could be used by malware to hide itself from the system. That concern has now been confirmed to be a real threat…

According to analysis by a Sysinternals researcher, the concern lies in the device driver “aries.sys”, which was confirmed to patch several functions via the system call table; its cloaking code hides any file, directory, registry key or process whose name begins with “$sys$”, even if it is not part of the Sony software.

A malware author can now just drop the file aries.sys, load it on the system, and prefix the malware's filename with “$sys$”, and presto! Instant rootkit malware.

We have also just received a report that this is now being used by World of Warcraft hackers to hide their cheat programs from Warden (a controversial anti-cheating program from Blizzard Entertainment).
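The post describes the cloak purely by its name prefix: anything beginning with “$sys$” disappears from listings. That gives a defender a simple self-check, shown here as an added example that is not part of the original post or of any Sysinternals tooling. It creates a harmless probe file named with that prefix and compares "can I still reach it by name" with "does a directory listing show it"; a file that exists but is not listed is the signature of name-based cloaking. It also includes a helper for scanning names enumerated from a view the rootkit does not control (a disk mounted offline, for instance). The file names used are constructed, and the assumption that a cloaked file stays reachable by name is mine, not stated in the post.

```python
import os
import tempfile

# Prefix that the aries.sys cloak hides, as described in the post.
CLOAK_PREFIX = "$sys$"


def cloak_probe(directory=None):
    """Create a file whose name begins with "$sys$" and check whether it
    still appears in a directory listing.

    Returns a dict: `exists` is whether the file can be reached by name,
    `listed` is whether a listing of the directory shows it, and `cloaked`
    is the combination (exists but not listed). On a clean system both
    `exists` and `listed` are True and `cloaked` is False.
    """
    directory = directory or tempfile.gettempdir()
    name = f"{CLOAK_PREFIX}probe_{os.getpid()}.txt"  # constructed probe name
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("cloak probe\n")
    try:
        exists = os.path.exists(path)          # reachable by name?
        listed = name in os.listdir(directory)  # visible in enumeration?
    finally:
        os.remove(path)  # never leave the probe behind
    return {"exists": exists, "listed": listed, "cloaked": exists and not listed}


def find_cloaked_names(names):
    """Given file, directory or key names enumerated from a trusted view
    (e.g. the disk mounted offline), return those a live system running
    the cloak would have hidden."""
    return [n for n in names if n.startswith(CLOAK_PREFIX)]


if __name__ == "__main__":
    print("live probe:", cloak_probe())
    # Constructed offline listing; "$sys$evil.exe" is an invented name.
    print("offline scan:", find_cloaked_names(["aries.sys", "$sys$evil.exe", "notes.txt"]))
```

Run the probe on a machine you suspect; a `cloaked: True` result means something is filtering names with that prefix, whether it is the Sony driver or malware riding on it.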


PayPal Redirect

  • Posted: November 4, 2005
  • Author: Virus Analyst

There have been reports of emails being
spammed targeting PayPal users. The email provides a link from which the
user can download a ‘PayPal Security Tool’, when in fact the file
does not give your system any security at all. Instead,
it changes the DNS server of the workstation. So, instead
of reaching the legitimate PayPal site, the user
ends up logging in to a ‘phishing site’. This would not be
noticeable, since the address bar still shows ‘paypal.com’.
Screenshots of the legitimate PayPal site and the PayPal phishing
site are provided below.


PAYPAL SITE:




PAYPAL PHISHING SITE:




The file is detected as TROJ_DNSCHANGE.F. It may only be PayPal for now, but in
the future malware authors may target any other site the same way.


For more details, you may visit:

Websensesecuritylabs
ISC Sans


BOT That Scans for Vulnerable Cisco Routers

  • Posted: November 3, 2005
  • Author: Virus Analyst

A short write-up at the ISC
featured a bot worm reported to have the capability to scan
for vulnerable Cisco routers.


This bot was tagged by Symantec as
W32.Spybot.ZIF
on November 1, 2005, and the malware was
reported to “scan a specified network range for Cisco routers
that may have vulnerable Telnet or HTTP servers running and report
results back to IRC.”


A cursory glance at the binary dump shows:


0003E600 0043E600 0 cisco23
0003E60A 0043E60A 0 Cisco Telnet
0003E640 0043E640 0 cisco80
0003E64A 0043E64A 0 Cisco HTTP
0003E7DA 0043E7DA 0 YZqbgff
0003E840 0043E840 0 [SCAN]: Exploit Statistics:
0003E85C 0043E85C 0 %s: %d,
0003E868 0043E868 0 Total: %d in %s.
0003E87C 0043E87C 0 [SCAN]: Current IP: %s.
0003E894 0043E894 0 [SCAN]: Scan not active.



Hmmm…


Trend Micro discovered and detected this malware as
WORM_RBOT.CMR
as early as October 14, 2005. What’s more, we’ve
acquired new Upack-repacked samples of the same malware that will
be detected under the same name of WORM_RBOT.CMR.


Needless to say, let’s be sure that we patch those vulnerable Cisco
routers, ok?



Campus Halloween Trick (Without The Treat)

  • Posted: November 2, 2005
  • Author: Virus Analyst

TMIRT has received reports of email messages with a malicious attachment being spammed to educational institutions, asking users to ‘check out’ and approve the attachment ‘and reply’ before Tuesday, November 1 – yes, that’s right folks… the target day is today! Check out the email contents below:

Subject: Campus Life

Message Body:


Hello,

We have been thinking of including you in the new campus magazine in an article headed “Campus Life”. Can you approve the photo and article for us before we go to printing please.

If any details are wrong then we can amend before printing on Tuesday 1st November so please get back to us as soon as possible.

Many Thanks & Best Regards,

J Chuang
Editor


Possible Attachments:


  • Photo + Article.exe
  • Photo + Article.scr
  • Photo + Article.zip


NOTE: The .exe and .scr files usually come with the icon of a PDF file.



So far we’ve seen only a couple of infections, including at a university that posted an online warning for its academic community on the university website:



We’ve included some text here from the image above just in case the image is unclear:


IT Services has seen evidence of a new virus hitting university mailboxes on both campuses. This virus travels via email… Our Anti-virus vendors are currently working on virus definition files to identify (and remove) this new virus…

If you receive an email with the subject “Campus Life” and an attachment named “Photo + Article.zip” PLEASE do not open the attachment — just delete the message from your mailbox without opening it. DO NOT OPEN THE ATTACHMENT! There may be variations in the subject and attachment, so please exercise extra vigilance with any email messages that you may receive, especially those that have ZIP attachments…

Thank you for your patience while we resolve this problem…



Kinda like a nasty November 1 Halloween trick (leave the treat part out of it), because there is NO treat in what an infected user will experience once the malware is executed.

Using port 8080, the executed malware connects to Internet Relay Chat (IRC) servers and joins a channel, allowing a remote malicious user to issue the following commands that are locally executed on the affected system:



  • Download and execute remote files
  • Retrieve system information
  • Update itself


Good news for Trend Micro customers, though: this malware is detected by Trend as either BKDR_IRCBOT.BM, first seen and detected on Oct 26, 2005, or BKDR_BREPLIBOT.B, first seen and detected on Oct 29, 2005.

Other related malware that started propagating in the week just before November 1:

BKDR_BREPLIBOT.A – first seen on Oct 26, 2005

WORM_IRCBOT.AJ – first seen on Oct 27, 2005


This is definitely one more piece of evidence of the increasing proliferation of targeted attacks. The target in this case is most likely users in the academic community, and most probably students who may be tricked by the promise of their five minutes of fame, plus photo, plus article, published “in the new campus magazine in an article headed ‘Campus Life'”!

Considered targets in these kinds of attacks vary and may range from operating systems to frequently-used applications or computing peripherals, or from geographical locations to user and institutional groups such as the educational group mentioned above. Let us continue to be more vigilant regarding these attacks in the days to come…
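The lure in this post has two cheap, stable handles for a mail gateway: the subject line and the attachment extension. The block below is an added example, not code from the post or from Trend Micro, showing how a gateway-side check might parse a message with Python's standard `email` package and flag it. It blocks on the extensions seen in the campaign (.exe, .scr), flags .zip attachments for inspection because the bot also travelled inside one, and judges a name by its last extension so a double extension such as "Photo + Article.pdf.exe" is still caught. The sender and recipient addresses and the message bodies are constructed.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions seen in this campaign; .zip is flagged for inspection rather
# than blocked, since archives are also common in legitimate mail.
EXECUTABLE_EXTS = {".exe", ".scr"}
ARCHIVE_EXTS = {".zip"}
LURE_SUBJECTS = {"campus life"}


def assess_message(raw):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append(f"subject matches known lure: {msg['Subject']}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # splitext keeps only the last extension, so "Photo + Article.pdf.exe"
        # is judged by ".exe". The PDF icon the post mentions lives inside the
        # executable's resources and never shows up in the file name.
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
        elif ext in ARCHIVE_EXTS:
            findings.append(f"archive attachment needs inspection: {name}")
    return findings


def build_sample_lure():
    """Constructed copy of the lure (addresses invented), as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "editor@campus.example"
    msg["To"] = "student@campus.example"
    msg["Subject"] = "Campus Life"
    msg.set_content(
        "Hello,\n\nWe have been thinking of including you in the new campus "
        "magazine. Can you approve the photo and article before Tuesday?\n"
    )
    # A few placeholder bytes stand in for the attachment body.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Photo + Article.scr")
    return msg.as_bytes()


def build_sample_benign():
    """Constructed ordinary message with a PDF attachment, as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "library@campus.example"
    msg["To"] = "student@campus.example"
    msg["Subject"] = "Library hours"
    msg.set_content("Opening hours for November are attached.\n")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="hours.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("lure:  ", assess_message(build_sample_lure()))
    print("benign:", assess_message(build_sample_benign()))
```

The subject check is the brittle half (the university notice already warns of variations); the extension check is what keeps working when the wording changes, which is why the two are scored separately.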


HTML_MULTIEX.A

  • Posted: November 2, 2005
  • Author: Virus Analyst

We have received numerous links, more than a hundred in total, which aim to redirect the user to a specific URL. These malicious links follow the format:

http://{varies}.nl/info.html

All of these links have exactly the same content: an encrypted script which redirects those unlucky enough to click the malicious link to a malicious HTML file. This is now detected as HTML_MULTIEX.A.

It takes advantage of the following Microsoft vulnerabilities:

  • MS03-011
  • MS05-001
  • MS05-013

The HTML exploits the target PC depending on certain conditions, including the target's operating system, because exploits are usually OS-dependent.

So, what’s the moral of the story? Always update your computers with the latest patches; you never know whether the website you stumble onto is malicious or not. Better safe than sorry, eh?
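Patching is the fix on the endpoint; on the proxy, the URL shape the post gives (`http://{varies}.nl/info.html`) is enough for a retrospective hunt. The block below is an added example, not code from the post, that parses each URL rather than substring-matching the log line, so a port number, a query string or a mixed-case path does not let a request slip past, and a host like `evil.nl.example.com` is correctly not treated as a `.nl` host. The proxy log lines are constructed, and accepting `https` as well as `http` is my generalisation; the post only shows `http`.

```python
from urllib.parse import urlparse


def is_multiex_redirector(url):
    """True when `url` fits the redirector pattern from the post: any .nl
    host with the path /info.html. Parsing the URL means the check survives
    a port, a query string or a differently cased path."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    return (parts.scheme.lower() in ("http", "https")
            and host.endswith(".nl")
            and parts.path.lower() == "/info.html")


def find_redirector_hits(log_text):
    """Scan whitespace-separated proxy log lines (time, client, URL) and
    return (client, url) for every request that hit a redirector URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or malformed line
        client, url = fields[1], fields[2]
        if is_multiex_redirector(url):
            hits.append((client, url))
    return hits


# Constructed proxy log (epoch time, client IP, URL); not real traffic.
SAMPLE_PROXY_LOG = """\
1130918400 10.1.2.3 http://www.example.com/index.html
1130918401 10.1.2.3 http://foo.nl/info.html
1130918402 10.1.2.9 http://bar.nl/info.html?x=1
1130918403 10.1.2.9 http://safe.nl/about.html
1130918404 10.1.2.7 http://baz.example.nl:8080/INFO.HTML
1130918405 10.1.2.8 http://evil.nl.example.com/info.html
"""

if __name__ == "__main__":
    for client, url in find_redirector_hits(SAMPLE_PROXY_LOG):
        print(f"{client} requested {url}")
```

Each client in the output is a machine that reached the redirector and therefore may have been served the exploit page; those are the hosts to check for the patches listed above.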

  • Copyright © 2018 Trend Micro Incorporated. All rights reserved.