Sharing Security Developments, and Best Practices for corporate and home users
December 2006 - Posts
-
F-Secure creates Vista compatible version of Blacklight Rootkit detection tool
As a starting point, here's hoping that rootkit detection tools won't be needed for Vista, or that its improved security makes rootkit infection a rare event. F-Secure's BlackLight rootkit detection tool is a great free service for users who need help removing Windows-based rootkits that hook into the OS in a highly stealthy manner.
F-Secure creates Vista compatible version of Blacklight Rootkit detection tool http://www.f-secure.com/weblog/archives/archive-122006.html#00001062
QUOTE: The same BlackLight executable will work on all supported platforms. You may find it interesting that we're adding support for 64-bit operating systems, even though there are currently no rootkits for them! The reason is that while 32-bit rootkits do not work on 64-bit platforms it is not impossible to create a 64-bit compatible rootkit. It just requires extra effort.
For example, a user-mode rootkit would have to hook 64-bit processes with 64-bit code but also make sure everything is hidden from 32-bit applications running under WOW64 emulation. As the number of computers running 64-bit Windows has remained low, the rootkit authors have not had a reason to spend the extra effort to target those systems. When they do, we hope to be ready.
-
In my personal email, I've seen dramatic increases in SPAM and these articles document these trends as well:
Spam Rates Soar in 2006 due to Botnets http://www.eweek.com/article2/0,1759,2077665,00.asp
Microsoft sees Botnets as a top threat in 2007 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006818
QUOTE: E-mail security firm Commtouch says 85 percent of today's spam comes from remote-controlled "zombie" computers. A report on spam by e-mail security firm Commtouch Software dubs 2006 the "Year of the Zombies." The study found that "zombies," the name given computers remote-controlled by hackers, can number up to 8 million hosts globally on a given day.
As a result, spam volume increased by 30 percent in 2006, according to the report. "Spam outbreaks got bigger, faster and smarter during 2006," Amir Lev, president and chief technical officer for Commtouch, based in Netanya, Israel, said in a statement. "Innovative spammers quickly developed new techniques to bypass common anti-spam technologies and amassed huge zombie botnets. Outbreaks have become so fast, massive and sophisticated that most anti-spam solutions had great difficulty defending against them."
Some prior links:
Massive surge in spam hits the Internet http://blogs.techrepublic.com.com/Ou/?p=354
Bot nets likely behind jump in spam http://www.securityfocus.com/news/11420
Great site to bookmark for SPAM trends (under construction until 12/30/2006) http://tqmcube.com/tide.php
-
This new vulnerability is rated as low-risk and can only be exploited by local users.
Microsoft Windows Client Server Run-Time Subsystem Memory Disclosure Vulnerability http://www.frsirt.com/english/advisories/2006/5197 http://secunia.com/advisories/23491/
QUOTE: A Microsoft Windows vulnerability can be exploited by malicious local users to gain knowledge of sensitive information. The problem is that CSRSS.exe does not properly validate arguments passed via NtRaiseHardError and can be exploited to view the contents of CSRSS process memory. The vulnerability is confirmed on a fully-patched Windows XP SP2 system and reportedly affects Windows 2000 SP4 as well. Other versions may also be affected.
Solution: Allow only trusted users access to the system
-
F-Secure has published details of 3 new malware threats that use holiday themes to trick users into opening them:
Stration (Warezov) - Happy New Year http://www.f-secure.com/weblog/archives/archive-122006.html#00001059
QUOTE: A new Warezov spam run is underway, using a "Happy New Year" postcard as a disguise.
More Christmas-themed malware http://www.f-secure.com/weblog/archives/archive-122006.html#00001058
QUOTE: Now there's a backdoor called Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. We detect it as Trojan-Spy.Win32.Ardamax.e. As a decoy, this one shows a Christmas-themed jigsaw puzzle game on screen. And then there's a Powerpoint file called Christmas+Blessing-4.ppt. This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has been making rounds previously.
Christmas.EXE http://www.f-secure.com/weblog/archives/archive-122006.html#00001057
QUOTE: When run, this IRCBot variant will try to download various malicious executables from web servers. As a decoy, it shows this Christmas-themed image. Obviously, a gift that keeps on giving. To be avoided.
-
There is also a POC exploit published for this new vulnerability.
Windows Workstation Service - New unpatched vulnerability http://www.frsirt.com/english/advisories/2006/5142
QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service. This issue is due to an error in the Workstation Service that does not properly handle specially crafted "NetrWkstaUserEnum()" requests, which could be exploited by attackers to cause a vulnerable service to crash or exhaust all available memory resources, creating a denial of service condition.
Affected Products: Windows XP and 2000
Solution: Block ports 139 and 445 at the firewall.
-
This recent hacking incident illustrates the need to be fully protected and up-to-date while surfing the Internet. Kids or parents might land on this type of site while doing a general Internet search.
Santa Web Site Hacked and may download spyware http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006639
QUOTE: It turned out that Santa's Web site had been hacked. On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer with Exploit Prevention Labs Inc. It exploits a bug in Internet Explorer that Microsoft Corp. patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message. "The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."
-
Jim Allchin provided an EXCELLENT response on Windows Vista and its improved protection from malware, answering a recent analysis which seemed to imply that "Vista offers no more protection than XP". Technically, that article contained some factual information, but it did not tell "the rest of the story": users must almost purposefully want to infect their systems for these attacks to work.
At the end of November, Sophos commented on Vista being susceptible to 3 of the top 10 viruses circulating in the wild. However, for that to happen Vista users must lower the built-in defenses, run no AV protection at all, and then click on a clearly suspicious email attachment (one that most likely would be prefiltered as a suspicious document and classified as spam). No operating system's security controls can fully protect users from themselves.
I didn't have the opportunity to beta test Vista (as my home PCs are too underpowered to support it). However based on numerous articles and reviews, Vista will clearly offer superior security over Windows XP SP2. By enhancing Windows XP SP2 with IE 7, MP 11, and a good AV product, users can enjoy a secure environment there as well. I'm anxious to purchase a new family PC later in 2007 with Vista Ultimate installed for better protection and gain greater knowledge of this environment by actually using it.
-
The new version of Opera released today offers improvements to help prevent phishing attacks with its new Fraud Protection facility.
Opera 9.1 Download site http://www.opera.com/download/
Opera 9.1 introduces Fraud Protection http://www.opera.com/docs/fraudprotection/
Changelog for Opera 9.1 for Windows http://www.opera.com/docs/changelogs/windows/910/
Release Notes and Change Log
This release of Opera introduces Fraud Protection.
User interface
- Fixed handling of access keys on Web pages with frames.
Mail, messaging, and newsfeeds
- Fixed an instability connected with delayed entry of the Master password.
- Deleting of newsfeeds in the panel now both unsubscribes and deletes.
Display and scripting
- Improved performance for elements with both :focus and :hover.
- Fixed an issue with opacity on links that have images nested within them.
Security
- New Fraud Protection feature (a phishing filter).
- Changed Wand data to a new format. The upgrade to this new format is not reversible.
Miscellaneous
- Multiple stability issues solved, including crashes on Gmail and Google Maps.
- Changed the Mozilla User Agent string to include Firefox identification.
- Improved handling of Web site logins on slow connections.
- Cancellation of torrent downloads now functions as expected.
Windows-specific changes
- Multimedia keys now function as expected when Opera has focus.
- Enabled loading of Windows Media plugins when Java is turned off.
-
Both of these are rated as low-risk by FrSIRT:
Windows Media Player - New Denial of Service Vulnerability http://www.frsirt.com/english/advisories/2006/5039
QUOTE: A vulnerability has been identified in Microsoft Windows Media Player, which could be exploited by attackers to cause a denial of service. This issue is due to a division by zero error when handling a specially crafted MIDI file with a header chunk containing malformed fields (i.e. number of tracks and delta time), which could be exploited by attackers to crash a vulnerable application via a specially crafted file.
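The division-by-zero the advisory describes is the classic header-parsing mistake: a field read straight from the file is used as a divisor before anyone checks it. The following Python example is added here and is not code from the advisory or from Windows Media Player. It parses a Standard MIDI File MThd header chunk, shows the unsafe pattern (parse_header_unchecked) beside a hardened parser (parse_header) that rejects a zero track count or a zero time division instead of dividing by it, and handles the SMPTE form of the division field as well. The sample headers are constructed for this example, and the function names are ours.

```python
import struct

DEFAULT_TEMPO_US_PER_QUARTER = 500_000  # MIDI default tempo: 120 BPM

# Constructed sample headers (not taken from the advisory or any real file).
# Layout: "MThd", 32-bit chunk length (6), 16-bit format, 16-bit track count,
# 16-bit division (ticks per quarter note, or SMPTE if the high bit is set).
GOOD_HEADER = b"MThd" + struct.pack(">IHHH", 6, 1, 2, 96)
SMPTE_HEADER = b"MThd" + struct.pack(">IHHH", 6, 1, 2, (0xE8 << 8) | 4)  # -24 fps, 4 ticks/frame
ZERO_DIVISION_HEADER = b"MThd" + struct.pack(">IHHH", 6, 1, 2, 0)
ZERO_TRACKS_HEADER = b"MThd" + struct.pack(">IHHH", 6, 1, 0, 96)


def parse_header_unchecked(data):
    """Unsafe pattern: trusts the header and uses 'division' as a divisor."""
    _, _, fmt, ntrks, division = struct.unpack(">4sIHHH", data[:14])
    us_per_tick = DEFAULT_TEMPO_US_PER_QUARTER / division  # ZeroDivisionError when division == 0
    return {"format": fmt, "tracks": ntrks, "division": division, "us_per_tick": us_per_tick}


def parse_header(data):
    """Hardened pattern: validate every field before it reaches arithmetic."""
    if len(data) < 14:
        raise ValueError("truncated MThd chunk")
    chunk_id, length, fmt, ntrks, division = struct.unpack(">4sIHHH", data[:14])
    if chunk_id != b"MThd":
        raise ValueError("not a MIDI header chunk")
    if length < 6:
        raise ValueError("MThd length field too small")
    if fmt not in (0, 1, 2):
        raise ValueError("unknown MIDI format %d" % fmt)
    if ntrks == 0 or (fmt == 0 and ntrks != 1):
        raise ValueError("invalid track count %d for format %d" % (ntrks, fmt))
    if division & 0x8000:
        # SMPTE timing: high byte is a negative frame rate, low byte is ticks per frame.
        frames_per_sec = 256 - (division >> 8)
        ticks_per_frame = division & 0xFF
        if frames_per_sec not in (24, 25, 29, 30) or ticks_per_frame == 0:
            raise ValueError("invalid SMPTE division 0x%04x" % division)
        us_per_tick = 1_000_000 / (frames_per_sec * ticks_per_frame)
    else:
        # Metrical timing: ticks per quarter note; zero would divide by zero below.
        if division == 0:
            raise ValueError("ticks per quarter note must be non-zero")
        us_per_tick = DEFAULT_TEMPO_US_PER_QUARTER / division
    return {"format": fmt, "tracks": ntrks, "division": division, "us_per_tick": us_per_tick}


def rejects(parser, data, exc):
    """True if parser(data) raises exc; used to contrast the two parsers."""
    try:
        parser(data)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print(parse_header(GOOD_HEADER))
    print("unchecked parser crashes on zero division:",
          rejects(parse_header_unchecked, ZERO_DIVISION_HEADER, ZeroDivisionError))
    print("hardened parser rejects it cleanly:",
          rejects(parse_header, ZERO_DIVISION_HEADER, ValueError))
```

The point of the hardened version is that a crafted file never reaches the division: each field is range-checked against what the format allows, and a bad value becomes a clean parse error rather than an exception deep inside the player.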
Microsoft Project Server 2003 File Information Disclosure Vulnerability http://www.frsirt.com/english/advisories/2006/5038
QUOTE: A vulnerability has been identified in Microsoft Project Server 2003, which could be exploited by malicious users to gain knowledge of sensitive information. This issue is due to an error when handling HTTP POST requests passed to the "logon/pdsrequest.asp" script, which could be exploited by authenticated attackers to disclose the username and password of the "MSProjectUser" SQL account.
-
Since April 2005, this site has captured summary information on both technical and non-technical breaches where sensitive information has been exposed and possibly compromised. This is a great site to bookmark (and even share with your IT management so that security remains an important focal point).
Privacy Rights - Chronology of Data Breaches http://www.privacyrights.org/ar/ChronDataBreaches.htm http://www.incidents.org/diary.php?storyid=1942
QUOTE: Some major data breaches announced at UCLA and Boeing put the total number of privacy breaches at privacyrights.org since April 2005 to almost 100 million.
... and on a related note, looks like 3 million folks may need to be added from Russia 
Major data leak from Russian banks http://www.viruslist.com/en/weblog?calendar=2006-12 Note - Please see Dec 13th Weblog entry
-
This article provides an update on several forthcoming changes for next year, although not all of the work on SOX 404 is complete:
S.E.C. Eases Regulations on Business http://www.nytimes.com/2006/12/14/business/14secure.html
QUOTE: WASHINGTON, Dec. 13 — Responding to criticism that regulators had overreacted to years of major corporate scandals, the Securities and Exchange Commission on Wednesday issued a flurry of deregulatory orders and proposals intended to lower costs to public companies. It said the moves would not reduce investor protection.
SUMMARY OF DISCUSSIONS
APPROVED
1. Easier for foreign companies to withdraw their securities from American markets.
2. Increase the financial qualifications for investors in hedge funds, to a net worth of $2.5 million from the current standard of $1 million.
3. The S.E.C. adopted a rule that would save corporations the expense of mailing financial reports and proxy statements by enabling them to communicate with the vast majority of their investors through the Internet. (Investors can continue to receive paper copies of proxies and other material through the mail if they request them.)
And it proposed rules that would make it easier and less costly for banks to offer brokerage services.
IN THE WORKS
1. Under those new guidelines, prosecutors in the field will now have to obtain permission from senior officials before trying to get companies that are under investigation to waive their attorney-client privilege.
2. In weighing whether to seek the indictment of a company, the prosecutors will also no longer be permitted to consider whether the company is paying the legal fees of an employee involved in the inquiry.
3. The changes announced by the commission on Wednesday fell short of what some companies and groups had sought. In the case of the auditing rules, for instance, many businesses had sought an exemption from the requirements of Section 404 of the Sarbanes-Oxley Act.
4. Instead of a blanket exemption, officials said, the proposed guidance would give many small companies a powerful new tool in restricting their auditors from engaging in what the executives viewed as expensive and unnecessary audits of financial controls that had minimum impact on financial statements.
5. Under the guidance proposed by the S.E.C., executives would evaluate the design of only those financial controls that might carry the risk of having a material impact on financial statements. Commission officials emphasized that the guidance is being drafted to be less onerous on smaller or less intricate companies.
-
During the December updates, I almost "unselected" MS06-078, as it referenced an update for Media Player 6.4 in the title information, and at first I felt it might even impact my Media Player 11 environment. Still, I decided to install it, and when I saw the same reference to MP 6.4 when updating other PCs, I knew all was well.
This is actually documented in the FAQ. Apparently MP 6.4 "lives" on your PC for compatibility reasons even if you're on the latest and greatest version.
MS06-078 - Please see FAQ section http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
QUOTE:
I have installed Windows Media Player 11 on my computer. Why am I being offered the Windows Media Player 6.4 security update?
While Windows Media Player 11 is not vulnerable, Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition will still have Windows Media Player 6.4 installed on the system for backwards compatibility.
-
This is an interesting article and hopefully someone will eventually catch these guys.
The Rock Phish group may be responsible for half of all phishing attacks http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005958
QUOTE: The Rock Phish criminal organization is responsible for as many as one-half of all current phishing attacks. Problem is, no one's sure who they are, or even if it isn't just one person. It is estimated that the criminal organization's phishing schemes have cost banks more than $100 million to date.
Rock Phish is not known for targeting the two most popular phishing targets -- eBay and PayPal. Instead, it specializes in European and U.S. financial institutions. At last count, the group had spoofed 44 brands from businesses in nine countries, sending out e-mails that try to trick victims into visiting phony Web sites and entering information such as credit card numbers and passwords. Rock Phish sites have spoofed CitiBank, E*Trade, Barclays, and Deutsche Bank, among others.
-
Microsoft Security Bulletins - December 2006 http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx
As part of Microsoft's routine monthly security update cycle, the following updates have been released:
3 Critical:
MS06-072 - Cumulative Security Update for Internet Explorer (925454)
MS06-073 - Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
MS06-078 - Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)
4 Important:
MS06-074 - Vulnerability in SNMP Could Allow Remote Code Execution (926247)
MS06-075 - Vulnerability in Windows Could Allow Elevation of Privilege (926255)
MS06-076 - Cumulative Security Update for Outlook Express (923694)
MS06-077 - Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)
-
IE 7 and Firefox 2.0 are newer browsers offering improved functionality and security. The Firefox 3.0 alpha offers internal improvements, and so far no issues have been encountered in early testing.
Article: Firefox 3.0 Alpha Is for Developers Only http://www.eweek.com/article2/0,1895,2071031,00.asp
QUOTE: The Mozilla Foundation recently released the first alpha of Firefox 3.0, and when people refer to this release of the browser as a developer version, they aren't kidding. In fact, the only difference that a regular Firefox user will notice between this alpha and the current shipping version of Firefox 2.0 is that the top browser title bar and the About screens use the Firefox 3.0 code name Gran Paradiso instead of Firefox.
FIREFOX 3.0 - SUMMARY OF KEY CHANGES
1. Uses an alpha of Gecko 1.9, the forthcoming rendering engine for Mozilla browsers.
2. Uses the Cairo library for all vector graphics rendering.
3. Includes changes to improve page rendering and performance.
4. Uses the Mac OS X Cocoa application environment, making Mac versions easier to develop.
5. Will only run on Windows 2000 and later and on Mac OS X 10.3.9 or later.
DOWNLOAD - Home Page (Windows, Linux, Mac, etc) http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha1/
DOWNLOAD - Windows 2000 or Higher http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha1/win32/en-US/
-
This new threat is not circulating extensively yet and updating to the latest levels of AV (plus always being careful with suspicious attachments) will help mitigate this new exposure. 
Microsoft Word - Second new vulnerability and exploit http://www.incidents.org/diary.php?storyid=1925
QUOTE: We received notification from an ISC participant that McAfee has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006.".
McAfee information on Word Exploit II http://vil.nai.com/vil/content/v_vul27249.htm
QUOTE: A vulnerability exists in Microsoft Word that could allow for arbitrary code execution. This could be exploited successfully if a victim were to open a specially crafted Word document obtained via an email attachment or downloaded from a malicious website.
New Word Exploit II Protection - DAT 4915 http://vil.nai.com/vil/content/v_141056.htm
MSRC Commentary on New Word Exploit http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
QUOTE: We are investigating reports of another new vulnerability in Microsoft Word – initial investigation has shown that this is a different issue to that reported in Microsoft Security Advisory 929433. Our initial investigation has discovered that Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is NOT affected by the vulnerability.
Secunia http://secunia.com/advisories/23205/
FRSirt http://www.frsirt.com/english/advisories/2006/4920
-
I'm certain that as hackers circumvent anti-piracy controls, Microsoft will in turn fix these issues. Naturally, folks are going to experiment with new products; I had read recently of someone getting Linux to run on the new Zune player. In the case of Vista, software pirates are spoofing a corporate tool that's designed to make the technician's job easier when mass-installing Vista in an enterprise setting.
Hopefully, no one will use pirated copies and the associated activation hacks. They could save a few dollars now, but then when Vista stops working down the road later they may not be able to recover data easily or go through a lot of grief to get things corrected.
Beyond ethical considerations, it is a crime to knowingly install and use pirated software (at least in the countries where this can be prosecuted). Given the inexpensive nature of PCs when compared with the past, folks should always get the real versions of software.
Article: Pirates work around Vista's activation feature http://www.infoworld.com/article/06/12/08/HNpiratesworkaroundvista_1.html?source=NLC-TB2006-12-08
QUOTE: Windows Vista must be "activated," or authorized by Microsoft, before it will work on a particular machine. To simplify the task of activating many copies of Vista, Microsoft offers corporate users special tools, among them Key Management Service (KMS), which allows a company to run a Microsoft-supplied authorization server on its own network and activate Vista without contacting Microsoft for each copy.
-
nmap is an excellent network penetration testing tool that I've used in the past to evaluate security vulnerabilities. A new version release is noted in the link below with other links pointing to the download and informational site pages.
NMap 4.20 released http://www.incidents.org/diary.php?storyid=1923
QUOTE: Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source (license).
Nmap is ...
- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
- Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, and tutorials. Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by the community and we appreciate bug reports and patches. If you encounter a problem, please follow these instructions.
- Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
- Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
-
McAfee VirusScan Enterprise version 8 is our current AV standard at work, and version 8.5i was released during December. I received early copies and have been testing it on 4 PCs (3 XP SP2 and 1 Windows 2000 SP4). So far I've not encountered issues: it scans thoroughly, starts and stops properly, and does not impact system performance. I'm pleased with the new version, and it will also be the one supporting Windows Vista as it is introduced corporately.
McAfee - Corporate Enterprise Version 8.5i released http://www.mcafee.com/us/about/press/corporate/2006/20061204_192020_k.html http://phx.corporate-ir.net/phoenix.zhtml?c=104920&p=irol-newsArticle&ID=937398
McAfee - Corporate Enterprise Version 8.5i system requirements from RC1 http://www.mcafee.com/us/enterprise/downloads/beta/beta_mcafee/vse.html
QUOTE: SANTA CLARA, Calif., Dec. 4 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE: MFE) today announced the latest release of its Total Protection solution, McAfee(R) Total Protection for Enterprise 2.0. The release further strengthens the threat prevention side of McAfee's security risk management strategy while reducing the complexity, expense and headaches of multiple standalone products. The latest release updates key components including McAfee VirusScan(R) Enterprise, McAfee AntiSpyware(TM) Enterprise and McAfee Policy Enforcer network access control, and adds McAfee SiteAdvisor Enterprise to Total Protection for Enterprise Advanced.
McAfee VirusScan Enterprise 8.5i and McAfee AntiSpyware Enterprise 8.5 provide advanced, proactive protection from viruses, worms, spyware, adware, rootkits, hacker attacks, exploits and more, for desktops and servers. The new technology goes beyond simply offering protection from a database of signatures, using advanced behavioral technology protecting systems from both known and unknown threats.
The key new enhancements include:
* Enhanced behavioral-based protection to stop unknown and sophisticated attacks
* Advanced rootkit detection to stop attackers and spyware from hiding threats
* Improved self-protection to prevent malware or attackers from disabling protection
-
Some of the themes covered in this 4-page article include:
1. Two-factor authentication
2. Sandbox connections
3. Encryption and strong passwords
4. Special EMAIL and IM controls
5. External SharePoint sites
Article: How Microsoft fights off 100,000 attacks per month http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005756
QUOTE: Microsoft, of course, maintains valuable intellectual property on its internal network, including the source code to all its operating systems and applications. These are constant targets for hackers, and Microsoft tries to protect its most valuable assets with defenses in depth -- they are behind firewalls and on networks segmented with IPSec. In addition, the entire network is monitored for suspicious activity, scanned for malware and so on.
What do I mean by a constant target? Last year, Microsoft IT said it was the target of more than 100,000 intrusion attempts per month. Currently, Microsoft filters out about 9 million spam and virus e-mails a day out of a total 10 million received. Yes, that means that roughly 90% of incoming e-mails are spam.
-
While this new worm may not be widespread, it features some advanced designs. In particular, the polymorphic encryption feature could make this one difficult for AV vendors to detect.
Allaple.A Internet/LAN worm - Highly polymorphic with password attacks http://secunia.com/virus_information/34550/allaple.a/ http://www.f-secure.com/v-descs/allaple_a.shtml
QUOTE: Allaple is a powerful polymorphic LAN and Internet worm. It uses a number of exploits to spread and performs a dictionary attack on network share passwords. The worm copies itself multiple times to a hard drive and also affects HTML files. In addition the worm performs a DoS (Denial of Service) attack on a few websites.
The worm's file is polymorphically encrypted. It means that every copy of the worm is different from each other. The constant part is only the size of the worm's executable file - 57856 bytes. After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.
After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to bruteforce network share passwords by performing a dictionary attack on them. The following TCP ports are used during the DoS attack: 22, 80, 97, 443
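Both the Workstation Service advisory earlier on this page (solution: block ports 139 and 445 at the firewall) and Allaple (which scans exactly those ports for victims) come down to the same control, and the practical question is how to confirm from the outside that the block is really in place. The following Python example is added here and is not from either advisory. It distinguishes a port that is filtered (no reply, dropped by the firewall) from one that is merely closed (the host answers with a reset, so it is reachable and a worm can tell it is up) or open. The function names, the loopback helper used to exercise it offline, and the default port list taken from the advisory are all assumptions of this example.

```python
import errno
import socket

# Assumption taken from the advisories: the NetBIOS/SMB ports that should be
# filtered at the perimeter.
BLOCKED_PORTS = (139, 445)


def probe_tcp(host, port, timeout=1.0):
    """Classify host:port as 'open', 'closed' or 'filtered'.

    open     - the TCP handshake completed, so a service is reachable
    closed   - the host answered with RST: nothing listens, but the host is reachable
    filtered - no answer before the timeout (or unreachable): dropped, e.g. by a firewall
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def check_blocked(host, ports=BLOCKED_PORTS, timeout=1.0):
    """Probe each port; anything not 'filtered' means the block is not in place.

    A 'closed' result still tells a scanner the host is up, which is why the
    advisories ask for the ports to be blocked at the firewall rather than
    relying on there being no listener.
    """
    results = {p: probe_tcp(host, p, timeout) for p in ports}
    exposed = [p for p, state in results.items() if state != "filtered"]
    return results, exposed


def listen_on_loopback():
    """Start a throwaway listener on 127.0.0.1 so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results, exposed = check_blocked(host)
    for port, state in results.items():
        print("%s:%d %s" % (host, port, state))
    print("exposed:", exposed or "none")
```

Run it from the side of the firewall the rule is meant to protect against (the Internet side, not the LAN), against hosts you are authorized to test; the expected result after the mitigation is "filtered" for both ports. nmap's -sS or -sT scans report the same three states, so the same check can be done with "nmap -p 139,445 targethost".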