SPAM frauds, fakes, and other MALWARE deliveries - archive

Amnesty Int'l site serving Java exploits...

FYI...

Amnesty Int'l site serving Java exploits...
- https://krebsonsecurity.com/2011/12/amnesty-international-site-serving-java-exploit/
December 22, 2011 - "Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers... The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw*... The site remains compromised..."

- http://www.barracudalabs.com/wordpr...-uses-human-rights-group-to-spy-on-activists/
Comment: Emerson Povey @ amnesty.org.uk - December 23, 2011 - "... we have been working with our hosting service to resolve the issue. They have cleaned our servers, rebooted the system and removed the script from the default page. At 2pm today they confirmed that the problem is now fixed."

- http://www.barracudalabs.com/wordpr...-uses-human-rights-group-to-spy-on-activists/
December 22, 2011 - "... compromised on or before Friday, December 16... Amnesty International UK has been notified... Java content (stolen from the Metasploit project), which targets CVE-2011-3544. If the exploit is successful, malware is installed on the visitor’s system..."
VirusTotal Detections for Exploit
... a more up-to-date report (24/43) for this file:
- https://www.virustotal.com/file-sca...7899333c4b1eaa81489c74e5c2fa17c3a8-1324550847
File name: 542b24f1da13f0b1d647f3865b09e026bf00d4ef.bin
Submission date: 2011-12-22 10:47:27 (UTC)
Current status: finished
Result: 24/43 (55.8%)
VirusTotal Detections for Exploit Payload
... a more up-to-date report (22/43) for this file:
- https://www.virustotal.com/file-sca...22a74ade95c5f3b7d9f74fad4f56d10023-1324397991
File name: f91dd927fd78a36176a68998304d70c8
Submission date: 2011-12-20 16:19:51 (UTC)
Result: 22/43 (51.2%)

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3544
Last revised: 11/24/2011
CVSS v2 Base Score: 10.0 (HIGH)

Current versions of Java here*:
* http://www.oracle.com/technetwork/java/javase/downloads/index.html

:mad::fear:
 
.nl.ai domains ...

FYI...

.nl.ai?
- https://isc.sans.edu/diary.html?storyid=12280
Last Updated: 2011-12-28 00:51:54 UTC - "Now .. where is nl.ai ?? Dot-ai is Anguilla, a speck of land in the Caribbean, to the east of Puerto Rico. And probably has nothing at all to do with what follows. Dot-nl-dot-ai, on the other hand, appears to be a free domain name registrar.
If you're into malware analysis, you've probably seen your fair share of .nl.ai domains recently. And not just these. Feeding "nl.ai" into RUS-CERTs Passive DNS collector http://www.bfk.de/bfk_dnslogger.html?query=ns1.cd.am#result gives us the name server for .nl.ai (one ns1.cd.am), which in turn shows a couple of other domains that are currently very familiar to the malware analyst. Like .c0m.li, and .cc.ai.
If you are blocking domains on your gateway or DNS server, blackholing these few:
.cc.ai
.nl.ai
.c0m.li
.cd.am
.coom.in
... might be a reasonable move, at least until someone in your business can show that they have a legitimate need to access one of the sub domains of these pseudo top level domains. Mind you, chances are that not all domains hosted there in fact are bad. But all the ones that I've seen in my logs so far: were."

:fear::mad:
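An added example, not part of the ISC diary or the post above, showing how a defender could apply the pseudo-TLD blackholing it suggests: suffix matching on DNS label boundaries (so `xnl.ai` is not caught by `nl.ai`), a scan over a constructed DNS query log, and a generated response policy zone. The log line layout and the `rpz.local` origin are assumptions.

```python
"""Blocklist helper for the pseudo-TLDs named in the ISC diary.

Added example; the log format and RPZ origin below are constructed
for illustration, not taken from the diary.
"""
from typing import Iterable, List, Optional, Tuple

# The five pseudo top-level domains listed in the diary.
PSEUDO_TLDS = ("cc.ai", "nl.ai", "c0m.li", "cd.am", "coom.in")


def normalize(hostname: str) -> str:
    """Lower-case a name and strip whitespace and any trailing root dot."""
    return hostname.strip().lower().rstrip(".")


def blocked_suffix(hostname: str,
                   suffixes: Iterable[str] = PSEUDO_TLDS) -> Optional[str]:
    """Return the pseudo-TLD that covers `hostname`, or None.

    Matching is done per DNS label: 'evil.nl.ai' and 'nl.ai' both match
    'nl.ai', but 'xnl.ai' does not. A plain str.endswith() check would
    wrongly block 'xnl.ai' and any other name that merely ends in the
    same characters.
    """
    labels = normalize(hostname).split(".")
    for suffix in suffixes:
        s_labels = normalize(suffix).split(".")
        if len(labels) >= len(s_labels) and labels[-len(s_labels):] == s_labels:
            return suffix
    return None


# Constructed query log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = [
    "2011-12-28T00:10:01Z 10.0.0.12 update.nl.ai",
    "2011-12-28T00:10:05Z 10.0.0.12 www.example.com",
    "2011-12-28T00:11:40Z 10.0.0.31 cdn.xnl.ai",
    "2011-12-28T00:12:02Z 10.0.0.31 img.c0m.li.",
    "malformed line",
]


def flag_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (queried_name, matching_pseudo_tld) for each hit in the log."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:          # skip lines that do not fit the layout
            continue
        qname = parts[2]
        suffix = blocked_suffix(qname)
        if suffix:
            hits.append((qname, suffix))
    return hits


def rpz_zone(suffixes: Iterable[str] = PSEUDO_TLDS,
             origin: str = "rpz.local") -> str:
    """Build a BIND-style response policy zone returning NXDOMAIN.

    In RPZ a 'CNAME .' rewrite means NXDOMAIN. One record covers the
    pseudo-TLD itself and a wildcard covers everything beneath it.
    """
    out = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        "@ IN SOA localhost. root.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for s in suffixes:
        s = normalize(s)
        out.append(f"{s} CNAME .")
        out.append(f"*.{s} CNAME .")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for qname, suffix in flag_dns_log(SAMPLE_LOG):
        print(f"blocked: {qname} (matched {suffix})")
    print(rpz_zone())
```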
 
QR code malware ...

FYI...

QR code malware ...
- http://www.darkreading.com/taxonomy/index/printarticle/id/232301147
Dec 29, 2011 - "... QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware... Just point your mobile device's camera on the code, scan it and the reading will take you to the website or mobile app download that its promoter promises to provide... There are a number of ways they are already using malicious codes to perpetrate their scams. On iOS devices, for example, hackers are re-purposing jail-break exploits to send users to websites that will jailbreak the device and install additional malicious malware... attackers are using QR codes to redirect users to fake websites for phishing..."
___

- http://community.websense.com/blogs.../2012/01/09/spam-emails-link-to-qr-codes.aspx
9 Jan 2012

:fear::mad:
 
Web hijacks w/AJAX

FYI...

Web hijacks with AJAX
- http://labs.m86security.com/2012/01/web-hijacks-with-ajax/
January 3, 2012 - "... a malicious site which loads parts of its attack using AJAX (Asynchronous JavaScript and XML), a method for client-side code to asynchronously exchange data with web servers. The following attack was observed on a currently running server located in China, which is serving malware... This code is very similar to code commonly used in so many web pages nowadays. The main difference is the extra parameters it accepts, which are used to “cut” certain parts from the accepted content, so it could be processed and executed as code later on... Using the exact same technique, this web page can load various browser or plugin exploit attempts. In this specific case, the page loads an SWF file exploiting CVE-2010-1297. Other pages on this server are exploiting CVE-2010-0806 and CVE-2010-0249. The main reason that malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded. This provides an advantage which is also very useful for evading AV detection, since tiny bits of the attack can be loaded one at a time, thus making it very difficult to provide a signature..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0249 - 9.3 (HIGH)
MS10-002 - IE "... as exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0806 - 9.3 (HIGH)
MS10-018 - IE "... as exploited in the wild..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297 - 9.3 (HIGH)
Adobe Flash Player, Reader, and Acrobat "... as exploited in the wild..."

Also: https://isc.sans.edu/diary.html?storyid=12313
Last Updated: 2012-01-03 09:37:04 UTC - "... very nasty JavaScript... potentially malicious JavaScript files..."

:fear::mad:
 
Fraud schemes erase evidence of account theft...

FYI...

Post Transaction fraud schemes erase evidence of account theft ...
- https://www.trusteer.com/blog/gift-...line-banking-fraud-during-2011-holiday-season
January 04, 2012 - "... During the final few weeks of 2011, we saw fraudsters take advantage of this trend with their latest fraud scheme... we’ve typically seen man-in-the-browser attacks take place at one of the three possible online banking phases... There is another, less discussed, form of man-in-the-browser attack – the post transaction attack... as the name implies, occur after the evil deed has already been done and the account holder has closed the online banking session. These are designed to conceal illegitimate activity for as long as possible to either allow money to transfer to its final destination – uninterrupted, or continue to control the account and perform further transactions... Just before the recent holiday season, we came across a SpyEye configuration which attacks banks in the USA and UK. Instead of intercepting, or diverting, email messages... the attack automatically manipulates the bank account transaction webpage the customer views... a post transaction attack is launched that hides fraudulent transactions from the victim..."
(More detail at the trusteer URL above.)

:mad:
 
Worm on Facebook steals 45,000 logins ...

FYI...

Worm on Facebook steals 45,000 logins ...
- http://blog.seculert.com/2012/01/ramnit-goes-social.html
January 5, 2012 - "... Seculert's research lab has discovered that Ramnit recently started targeting Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, mostly from people in the UK and France... Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users* in the United Kingdom and France...
* http://1.bp.blogspot.com/-F2YMFY8HB-o/TwWh91V2TFI/AAAAAAAAADw/FJHGPgCHcVY/s1600/ramnitbycountry.png
... We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks... With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms. As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands..."

:mad:
 
MS11-100 exploit released

FYI...

MS11-100 exploit released
- https://threatpost.com/en_us/blogs/exploit-code-released-aspnet-flaw-010912
Jan 9, 2012 - "A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability. The proof-of-concept exploit code was posted to the Full Disclosure mailing list... the code is designed to exploit a recently discovered vulnerability in ASP.NET that's related to the way that the software handles certain HTTP post requests... The problem isn't actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch* for the flaw on Dec. 29, recommending that users install it as quickly as possible... The base cause of the problem is that when ASP.NET comes across a form submission with some specific characteristics, it will need to perform a huge amount of computations that could consume all of the server's resources."
* https://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx

- https://isc.sans.edu/diary.html?storyid=12355
Last Updated: 2012-01-09 19:21:27 UTC

:fear::sad:
 
BBB SPAM leads to 'Blackhole' ...

FYI...

BBB SPAM leads to 'Blackhole'...
- https://blogs.technet.com/b/mmpc/ar...about-with-faux-bbb-spam.aspx?Redirected=true
12 Jan 2012 - "... BBB is aware of the spam and posted an alert on their site, and also offer the following suggestions:
'To verify the legitimacy of BBB complaints, contact Better Business Bureau locally. Consumers or businesses who have received the fraudulent emails are asked to report them to http://bbb.org/scam/report-a-scam ...'
The hyperlink in the message labeled "click here" pointed to an HTML page "index.html" on a compromised domain. I retrieved the index HTML page and its content was very minimal, yet suspicious, with links to a JavaScript file named "ajaxam.js"... The domains referenced in the script appear to have been compromised for this attack. Two of the links for the "ajaxam.js" script were dead but a third was not. That .JS file contained a simple one line document location instruction to yet another domain and server-side PHP script... This request results in the delivery of an obfuscated script file that, when run, attempts to exploit CVE-2010-1885. This particular vulnerability is also known as the "Help Center URL Validation Vulnerability", mitigated by Microsoft Security Bulletin MS10-042. On a vulnerable computer, this script exploit would have dropped and executed malware... This scheme of redirection and executing obfuscated script with these certain exploits was none other than the "Blackhole" exploit pack..."

:mad:
 
NY banks and Online Theft ...

FYI...

NY banks and Online Theft ...
- http://online.wsj.com/article/SB10001424052970203436904577151230598919896.html
Jan. 10, 2012 - "... initiatives are designed to encourage banks to work together to better protect against hackers, whose efforts to shut down electronic operations and steal money or customer data pose a growing concern for the industry... Online attacks have increased sharply over the past two years and financial institutions are among the most likely targets, according to a new survey by PricewaterhouseCoopers LLP, the consulting firm. Avivah Litan, an analyst with Gartner Research, expects financial companies to increase spending on fraud detection and customer authentication systems by as much as 12%, to $1 billion, over the next two years — a record... While many bank officials agree with the information-sharing in principle, some are concerned that doing so could provide rivals with too much insight into their operations... Sharing might be discouraged in other parts of banking, because of possible antitrust implications...
the chief technology officer of a large bank said "phishing" attacks used by cyber criminals to extract personal information were not a threat... 'If they are -not- a threat, why are you spending $2 million on software to protect against them?'... The executive's answer: "We don't want to talk about fraud in front of anyone."

Search: online bank frauds
- https://encrypted.google.com/
... about 109,000,000 results.

:mad: :sad:
 
IP's to block 2012.01.14...

FYI...

IP's to block...
- https://isc.sans.edu/diary.html?storyid=12400
Last Updated: 2012-01-14 21:40:30 UTC - "Antony Elmar owns quite a few domain names... lives in a lovely city called "Kansas, US"... with a phone number that is a tad odd for "Kansas, US" and has a dial prefix that looks more like Italy... Registrant Phone:+3.976639877...
His new domains currently point to 89.187.53.237, in Moldova... The IP used seems to change about once per week, until past Thursday, Antony's virtual HQ was at the neighboring IP, 89.187.53.238.
His latest new domains include:
cyberendbaj .in
cyberevorm .in
endbaj .in
endbajcomp .in
evorm .in
evormhost .in
evormcorp .in
... and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages..."

:mad:
 
Zbot spreads thru fake email...

FYI...

Zbot spreads thru fake email ...
- http://labs.m86security.com/2012/01...gh-fake-conedison-billing-notification-email/
January 13, 2012 - "... malicious SPAM campaign that is actively sent out by the Cutwail spam botnet. The suspicious email claims to be a bill summary from the New York-based energy company Con Edison, Inc. It may use the subject line “ConEdison Billing Summary as of <DATE>” and the attachment uses the filename format Billing-Summary-ConEdison-<random numbers>-<Date>.zip... The attached zip file contains an executable file, which unsurprisingly is a Zbot malware variant. When extracted, the malicious executable uses no disguise. It uses no fake icons of Adobe Reader or Microsoft Word, no double file extensions, or excessive use of space in the file name to hide the .EXE extension... bill notifications do -not- usually arrive with an executable file - so emails like this should be treated with extreme suspicion. When you see these obvious signs of malware, just stop and delete the email..."

:fear::mad:
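An added mail-filter example, not code from the M86 post, that flags the campaign described above on its observable traits: the lure subject line, the attachment filename pattern, and an executable inside the zip. It assumes the `<Date>` part is digits and hyphens, and builds its own constructed sample message with a harmless two-byte stub standing in for the executable.

```python
"""Flag mail matching the ConEdison billing-summary lure.

Added example. The sample message, the stub "executable" and the
assumed date layout are constructed for illustration only.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

# Subject and attachment patterns quoted in the M86 write-up; the
# <random numbers> and <Date> parts are assumed to be digits/hyphens.
SUBJECT_RE = re.compile(r"^ConEdison Billing Summary as of ", re.I)
ATTACH_RE = re.compile(r"^Billing-Summary-ConEdison-\d+-[\d-]+\.zip$", re.I)
# Extensions Windows will execute directly; the campaign used a bare .EXE.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def executables_in_zip(data: bytes) -> List[str]:
    """List member names in a zip that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes) -> List[str]:
    """Return the reasons a raw RFC 5322 message looks like this campaign.

    An empty list means none of the campaign traits were seen.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject matches ConEdison billing-summary lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            reasons.append(f"attachment name matches campaign pattern: {name}")
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            exes = executables_in_zip(payload)
            if exes:
                reasons.append("zip contains executable(s): " + ", ".join(exes))
    return reasons


def build_sample(inner_name: str = "Billing-Summary-ConEdison-482913-2012-01-13.exe") -> bytes:
    """Construct a lookalike message with a zip holding `inner_name`.

    The member content is a stub ("MZ" plus padding), not a real binary.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\0" * 64)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "ConEdison Billing Summary as of 2012-01-13"
    msg.set_content("Your billing summary is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Billing-Summary-ConEdison-482913-2012-01-13.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in inspect_message(build_sample()):
        print("FLAG:", reason)
```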
 
Zappos breach - 24M affected...

FYI...

Zappos breach - 24M affected...
- https://www.computerworld.com/s/art...in_dark_as_Zappos_cleans_up_after_data_breach
January 16, 2012 - "... Zappos.com is advising over 24 million customers to change their passwords following a data breach... Zappos employees received an email from CEO Tony Hsieh on Sunday*, alerting them about a security breach that involved the online shop's customer database... Even though he assured everyone that no credit card details had been compromised, Hsieh revealed that the attacker had accessed customer records including names; email, billing and shipping addresses; phone numbers, and the last four digits of their credit card numbers. The hacker also gained access to password hashes for the accounts registered on the website, prompting the company to reset everyone's access codes. Zappos is currently in the process of emailing its 24 million customers in order to notify them about the security breach and advise them to change their passwords..."
* http://blogs.zappos.com/securityemail

- https://isc.sans.edu/diary.html?storyid=12406
Last Updated: 2012-01-16 16:56:49 UTC

- http://www.reuters.com/article/2012/01/17/us-zappos-hacking-idUSTRE80F1BD20120117
Jan 17, 2012 - "... hackers had not been able to access servers that held customers critical credit card and other payment data... Zappos... was recommending that customers change their passwords including on any other website where they use the same or similar password..."

- http://blog.eset.com/2012/01/17/zappos-com-breach-lessons-learned
Jan 17, 2012 - "... Although the goal would be to never have a breach in the first place, if it happens, there is a crisis of confidence among the customers. Acting quickly and decisively can work wonders toward restoring that confidence, as customers sense they are receiving current, relevant, and honest communication about the incident..."
___

(Yet -another- hAcK...) T-Mobile USA hacked
- http://h-online.com/-1414307
17 January 2012

:fear::mad:
 
Zeus variant - Gameover...

FYI...

Zeus variant - Gameover...
- https://www.trusteer.com/blog/post-transaction-attacks-exposes-weaknesses-fraud-prevention-controls
January 17, 2012 - "A recent FBI warning* on the Zeus variant called Gameover reveals that high detection accuracy of fraudulent transactions is not enough to prevent cybercrime. This new attack is specifically designed to circumvent post transaction fraud prevention measures... Some Post-Transaction Attacks are not targeted at the bank but rather at the user. One example uses SpyEye to execute man in the browser (MitB) attacks that hide confirmation emails in web email services or fraudulent transactions on the online banking site... these attacks can bring the entire fraud assessment process to a grinding halt..."
(More detail at the trusteer URL above.)
* http://www.fbi.gov/denver/press-rel...tizens-to-be-aware-of-a-new-phishing-campaign
"... The SPAM campaign is pretending to be legitimate e-mails from the National Automated Clearing House Association (NACHA), advising the user there was problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication. After the accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to make them unable to reverse the transactions (if found)..."

:mad:
 
SOPA scams...

FYI...

SOPA scams...
- http://blog.eset.com/2012/01/17/beware-of-sopa-scams
Jan 17, 2012 - "... on January 18, 2012, dozens of popular websites covering a diverse range of subjects will be blacking out their home pages in protest of the U.S. Stop Online Piracy Act (SOPA). Some of these websites are well-known... While we cannot be certain exactly what sort of scams may appear, keep in mind that the websites listed above will resume normal activity around their announced times. It is unlikely they will resume much earlier, and some may even be slightly delayed in returning to normal activity. If you see any pronouncements about sites returning to operation early or an option to bypass the blackout by visiting a new web site, ignore them and wait for the site to return at its preannounced time: The “new” site being promoted may have far more malicious actions in mind than pictures of kittens, discussions about ents, bacon and narwhals or jokes about arrows to the knee..."

:sad:
 
Malicious SPAM - "Scan from a Xerox..."

FYI...

Malicious SPAM scam "Re: Scan from a Xerox..."
- http://community.websense.com/blogs...ro-xxxxxxx-quot-comes-back-in-a-new-face.aspx
18 Jan 2012 - "... malicious email scam with the subject "Re: Scan from a Xerox W. Pro #XXXXXXX" went wild. This scam has returned – this time, with a new face! Instead of making you attach a .zip file, as it did in the past, it now prompts you to click a download link - DON'T... This redirects the link to a malicious site that hosts a Blackhole exploit kit. Once the iframe is loaded, content from the Blackhole exploit kit (which contains a highly obfuscated script ) site is also loaded... Successful exploitation executes a shellcode that triggers the download and execution of malware... there is an administration option for this kit to use underground audio and video scanners for malware. This lets attackers tweak their malware samples to make them undetectable prior to launching their attack live... detected more than 3,000 messages in this campaign..."

:fear::mad:
 
SPAM / phish leads to malware...

FYI...

SPAM / phish leads to malware...
- https://blogs.technet.com/b/mmpc/ar...ication-leads-to-malware.aspx?Redirected=true
19 Jan 2012 - "Our partners at the City of Seattle sent us a warning* today about a phishing campaign which targets users very close to home - specifically, Seattle Washington. They're seeing spam mail circulating that claims to be from Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form... If the link is visited, the browser requests the page and loads an IFrame from yet another site, which was registered on January 16, 2012 and is hosted in the Ukraine at IP 93.190.44.171. This Ukrainian site contains an obfuscated JavaScript that attempts to exploit an issue in MDAC (Microsoft Security Bulletin MS06-014) that was mitigated by a Windows security update in 2006. If the exploit is successful, it will download and execute a file named "info.exe" from the domain “doofyonmycolg .ru”..." (!?)
* http://spdblotter.seattle.gov/2012/01/19/beware-phishy-email-titled-seattle-traffic-ticket/
"... The City of Seattle does not have its own Department of Motor Vehicles nor does the Seattle Police Department send email notifications of a traffic violations..."
___

Search for "QuickTime" Leads to Phishing Site...
- http://community.websense.com/blogs...rch-for-quicktime-leads-to-phishing-site.aspx
19 Jan 2012 - "... if you were to search for the term "QuickTime" today, the 31st resulting entry would lead to a typosquatted URL, which pulls content from a phishing URL... Clicking this Google search entry sends you to a fake QuickTime download site... The "Download Now" button doesn't take you to the download page for QuickTime software. It directs you to a phishing site instead. This alleged music download site phishes your credit card information on the membership fee payment page. Be aware of the risks of using your credit card on random websites to avoid such phishing attacks."

:mad:
 
Top 50 Bad Hosts 2011-Q4

FYI...

Top 50 Bad Hosts... Q4 2011
- http://hostexploit.com/blog/14-reports/3536-cybercrime-friendly-hosts-or-industry-victims.html
24 January 2012 - "There is one common denominator in cybercrime – it is hosted, served, or trafficked by some host or network operator somewhere. It could be assumed that such a succinct, yet true, statement should yield, in return, an equally concise solution. In fact, it provides only a place to start... The aim is to encourage service providers to "clean up" and to be proactive in stopping the cybercriminal activities found on their servers... Some things have changed since our early reports. There is now more cooperation between the security industry, law enforcement and service providers and some pleasing results against some of the worst activities found on the net. Sadly, some things have -not- changed. Cybercriminals are still too easily making financial gain from the lax procedures by service providers, security vulnerabilities of organizations large or small and Internet users’ lack of awareness. 2011 showcased some data breaches of truly epic proportions with the year ending in the same vein in which it began..."
(Full report links @ the hostexploit URL above.)

:fear:
 
Typosquatting back in use... 7,000+ sites

FYI...

Typosquatting back in use... 7,000+ sites
- http://community.websense.com/blogs...2/01/22/The-rise-of-a-typosquatting-army.aspx
22 Jan 2012 - "... Typosquatting of social web sites that lead visitors to spam survey sites with a high Alexa ranking. With our on-going research, we discovered that cyber-criminals are carrying out even more work, and the campaign is more widespread than we originally thought. Their targets are not limited to social web, but also include popular and frequently-visited registered typosquatting domains in all areas ranging from Google to Victoria's Secret, or Wikipedia to Craigslist; the list goes on. The attacker registers a network of typosquatting domains and redirects visitors of these mistyped sites to a spam survey site... discovered over 7,000 typosquatting sites within this single network... These typosquatting sites redirect visitors to a suspicious URL via a URL shortening service. From there, they take them to a spam survey site... After visitors complete the spam survey, they are then taken to spam advertisement distributed sites where spam advertisements are displayed... An example of such advertisement is a free movie downloader... Currently, these spam advertisements are not -spreading- maliciously..."

- http://community.websense.com/blogs...leads-to-compromised-chrome-plugin-forum.aspx
23 Jan 2012 - "... unofficial Google Chrome plugin forum Web page which is pulling in content from two malicious Web sites. We believe this Web page was compromised... The fake AdSense show_ads.js links to a typo-squatted URL where the whois record shows that it's clearly -not- a site owned by Google Inc... Notice the details*..."
* http://community.websense.com/cfs-f...bs/7838.20120123_5F00_typo.png_2D00_550x0.png

:fear::mad:
 
Top 10 web security threats...

FYI...

Top 10 web security threats...
- http://betanews.com/2012/01/25/the-top-10-web-security-threats-you-should-avoid/
2012.01.25 - "The compromised website is still the most effective attack vector for hackers to install malware on your computer with 47.6 percent of all malware installs occurring in that manner, says security firm AVG*. Another 10.6 percent are tricked into downloading exploit code - many times, without their knowledge - by clicking on links on pages to sites hosting malware. The Chelmsford, Mass. company announced its findings as part of a broader study of threats detected by its software... AVG warns that the security issues plaguing desktops are migrating to mobile devices..."
* http://aa-download.avg.com/filedir/press/AVG_Community_Powered_Threat_Report_Q4_2011.pdf

- http://betanews.com/wp-content/uploads/2012/01/10-security-threats-chart1-e1327515917633.jpg

- http://betanews.com/wp-content/uploads/2012/01/Top-q0-web-threats-q4-11.jpg

:fear::mad:
 
MS12-004 exploit in-the-wild

FYI...

MS12-004 exploit in-the-wild
- http://blog.trendmicro.com/malware-leveraging-midi-remote-code-execution-vulnerability-found/
Updated: Jan 30, 2012 - "... we encountered a malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003)*. The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code. In the attack that we found, the infection vector is a malicious HTML... This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA. HTML_EXPLT.QYUA calls TROJ_MDIEXP.QYUA to trigger the exploit, and uses JS_EXPLT.QYUA to decode the shellcode embedded in HTML_EXPLT.QYUA’s body... Microsoft has already issued an update to address this vulnerability during the last patch Tuesday, so our first advice to users is to patch their system with the Microsoft security update here**. It affects Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0003
Last revised: 02/01/2012
CVSS v2 Base Score: 9.3 (HIGH)

** https://technet.microsoft.com/en-us/security/bulletin/ms12-004
MS12-004 - Critical || Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
Updated: Wednesday, January 11, 2012
___

- http://www.securityfocus.com/bid/51292/info
Updated: Jan 27 2012
- http://www.securityfocus.com/bid/51292/exploit
"... Reports indicate this issue is actively being exploited in the wild."

- http://h-online.com/-1424576
30 January 2012

- http://labs.m86security.com/2012/01/midi-files-mid-way-to-infection/
Jan 31, 2012

:mad::fear:
 