
Virtumonde - Let's be proactive!



PeteyPablowski
2008-12-23, 16:54
Virtumonde and SmitFraud look to be a VERY hot topic. I have fixed about 6 PCs that were infected with them.

I would like to be proactive in preventing this virus from taking over. First off, here's a definition of Vundo:

Vundo infects victims' computers by exploiting a vulnerability in Sun Java 1.5.0.7 (aka Version 5.0 release 7) and earlier versions.[1] Many of the popups advertise programs including (but not limited to) Sysprotect, Storage Protector, AntiSpywareMaster, and WinFixer. There are two main components to the Virtumonde.dll file. These are Browser Helper Objects and Class ID, each of which is in the Windows Registry under Local Machine, and the file names are dynamic. It attaches to the system using bogus Browser Helper Objects and DLL files attached to Winlogon and Explorer.exe. According to Spybot - Search & Destroy scans, there are two Virtumonde.prx files and one Virtumonde.dll file located in the Windows Registry as well as the system32 directory.[2]

(Courtesy of http://en.wikipedia.org/wiki/Vundo)


Reading that, there is an exploit in the BHOs that Internet Explorer uses. How does a BHO work?

The BHO API exposes hooks that allow the BHO to access the Document Object Model (DOM) of the current page and to control navigation. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of malware have also been created as BHOs. For example, the Download.ject exploit installed a BHO that would activate upon detecting a secure HTTP connection to a financial institution, record the user's keystrokes (intending to capture passwords) and transmit the information to a website used by Russian computer criminals. Other BHOs such as the MyWay Searchbar track users' browsing patterns and pass the information they record to third parties.

(Courtesy of http://en.wikipedia.org/wiki/Browser_Helper_Objects)


From the looks of things, this is not something a user is clicking on, but explicitly an exploit in IE using Java.

However, I had a user with Java 1.6.0_01 get infected, not completely, but the BHO still loaded enough in the registry and a dll file for it to be picked up by antivirus.

So how do we go about being proactive with these preventative measures?

Is IE's patch something that will seal the hole on this? I don't see it mention anything anywhere about a BHO vulnerability being fixed. Here's a link:

http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

The article that linked me to it:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9123758&intsrc=it_blogwatch


It was mentioned above: "vulnerability in Sun Java 1.5.0.7 (aka Version 5.0 release 7) and earlier versions". Uninstalling and re-installing the latest version of Sun Java... does that seal the hole? A link to the latest release:

http://java.sun.com/javase/6/webnotes/6u11.html

I am looking for serious responses only. Do not bother posting a response if you are only going to complain about your problem and how to fix it, or with your detailed scan log... please do not hijack this thread with ignorance.

-PeteyPablowski

Edit: Welcome to the Tavern, general chat unrelated to our software support (http://forums.spybot.info/showthread.php?t=187)
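As an added example (not from the original post, Spybot or Wikipedia), here is a small Python script that audits a regedit export offline for the two traits the post describes: a BHO whose COM server DLL sits in system32, and the same DLL also registered as a Winlogon notification package. A BHO is a COM object, so its DLL is looked up via the default value of HKCR\CLSID\{clsid}\InprocServer32; the .reg fragment, the CLSIDs, the vendor and the file names are all constructed for the example.

```python
from pathlib import PureWindowsPath
# Constructed sample of a regedit export (made-up CLSIDs, vendor and file names), not a real machine.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAA1111-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBB2222-0000-0000-0000-000000000002}]
[HKEY_CLASSES_ROOT\CLSID\{AAAA1111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\toolbar.dll"
[HKEY_CLASSES_ROOT\CLSID\{BBBB2222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\system32\\qwlkjhgf.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qwlkjhgf]
"DllName"="qwlkjhgf.dll"
"""
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
NOTIFY_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key (lower-cased): {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith('"'):  # REG_SZ: drop the quotes and undo .reg escaping
                raw = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            current[name.strip('"')] = raw  # the default value keeps the name "@"
    return keys

def audit_bhos(reg_text):
    """One finding per registered BHO; 'reasons' lists which Vundo traits from the post it shows."""
    reg = parse_reg(reg_text)
    notify = {PureWindowsPath(v["DllName"]).name.lower() for k, v in reg.items()
              if k.startswith(NOTIFY_KEY + "\\") and "DllName" in v}
    findings = []
    for key in reg:
        clsid = key[len(BHO_KEY) + 1:]
        if not key.startswith(BHO_KEY + "\\") or "\\" in clsid:
            continue  # not a direct child of the BHO key
        # A BHO is a COM object: its DLL is the default value of HKCR\CLSID\{clsid}\InprocServer32
        dll = reg.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {}).get("@")
        reasons = [] if dll else ["no InprocServer32 (dangling registration)"]
        if dll:
            path = PureWindowsPath(dll)
            if "system32" in (part.lower() for part in path.parts):
                reasons.append("DLL lives in system32")
            if path.name.lower() in notify:
                reasons.append("same DLL also hooked into Winlogon\\Notify")
        findings.append({"clsid": clsid.upper(), "dll": dll, "reasons": reasons})
    return findings
```

Run it against an export taken with `regedit /e` from the suspect machine; a BHO whose DLL has a legitimate vendor path and no Winlogon hook comes back with an empty reasons list.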