Sharing Security Developments, and Best Practices for corporate and home users
July 2007 - Posts
-
Stock spammers are massively spamming PDF, XLS, GIF, and now ZIP based attachments to distribute stock spam. The senders are trying to circumvent attachment filtering controls that look for the earlier formats. I've received a number of these, and an analysis of one sample sent to VirusTotal is attached below. It's not malicious, but any untrusted attachment should not be opened.
FORMAT OF ZIP STOCK SPAM: As an example, the subject line might appear as "OFFER" or "DOC". There is no text in the message body (blank message). There is only a single attachment, usually named after the subject line (e.g., "OFFER.ZIP", "DOC.ZIP").
Stock Spammers - Now using ZIP files http://isc.sans.org/diary.html?storyid=3206
QUOTE: We have received numerous emails today regarding yet
another round of spam hitting the cyberwaves. This spam is nothing more than a
new twist on the pump and dump stock market emails. It appears that these
emails include a zip or RAR file for an attachment. Once opened, these contain
nothing more than the get rich quick stock market info. There appears to be
nothing malicious other than an attempt to sway the market.
VIRUS TOTAL RESULTS BELOW:
Complete scanning result of "doc.zip", processed in VirusTotal at 07/31/2007 19:59:03 (CET).
[ file data ]
* name: doc.zip
* size: 6833
* md5.: d45288a2ea0dcebf97d5b51d918bcb70
* sha1: f13217295155a214facce79bae4b503e11b45b23
[ scan result ]
AhnLab-V3 2007.7.31.1/20070731 found nothing
AntiVir 7.4.0.54/20070731 found nothing
Authentium 4.93.8/20070731 found nothing
Avast 4.7.1029.0/20070731 found nothing
AVG 7.5.0.476/20070730 found nothing
BitDefender 7.2/20070731 found nothing
CAT-QuickHeal 9.00/20070731 found nothing
ClamAV 0.91/20070731 found nothing
DrWeb 4.33/20070731 found nothing
eSafe 7.0.15.0/20070731 found nothing
eTrust-Vet 31.1.5019/20070731 found nothing
Ewido 4.0/20070731 found nothing
F-Prot 4.3.2.48/20070730 found nothing
F-Secure 6.70.13030.0/20070731 found nothing
FileAdvisor 1/20070731 found nothing
Fortinet 2.91.0.0/20070731 found nothing
Ikarus T3.1.1.8/20070731 found nothing
Kaspersky 4.0.2.24/20070731 found nothing
McAfee 5087/20070731 found nothing
Microsoft 1.2704/20070731 found nothing
NOD32v2 2430/20070731 found nothing
Norman 5.80.02/20070731 found nothing
Panda 9.0.0.4/20070731 found nothing
Prevx1 V2/20070731 found nothing
Rising 19.34.12.00/20070731 found nothing
Sophos 4.19.0/20070726 found nothing
Sunbelt 2.2.907.0/20070731 found nothing
Symantec 10/20070731 found nothing
TheHacker 6.1.7.159/20070731 found nothing
VBA32 3.12.2.2/20070730 found nothing
VirusBuster 4.3.26:9/20070731 found nothing
Webwasher-Gateway 6.0.1/20070731 found nothing
-
This new threat is easy to avoid and free games should only be downloaded from safe trusted sites.
Romario - Email worm disguised as Super Mario game http://vil.nai.com/vil/content/v_142851.htm http://www.theregister.co.uk/2007/07/30/mario_worm/ http://www.sophos.com/security/analyses/w32romarioa.html
QUOTE: W32/Romario@M is a worm that masquerades as a copy of the popular Super Mario Brothers game. It spreads by mailing itself using Outlook and also copies itself to removable devices and open shares on a network. Since the subject is from a previous mail, this technique is highly successful at tricking people into believing that the mail is genuine.
Romario-A is the latest in a series of malware packages that pose as computer games or that actually run real games to disguise the damage they inflict. The trick has been employed several times in the past by malware authors, notes anti-virus firm Sophos. Most notable are the Bagle-U worm, which attempts to start the Microsoft Hearts game, the Coconut-A virus, which urged infected users to throw coconuts at pictures of Sophos's Graham Cluley, and the Gonori-A Trojan, which plays Minesweeper when run.
-
Opera 9.22 is available with security fixes and improved Windows Vista support. Using it as a complementary browser alongside IE 7 and Firefox, I've encountered no issues so far.
Opera 9.22 for Windows is available for download.
Changes Since Opera 9.21
User Interface
- Fix to allow toolbars to use bold fonts again.
- Tabs can be dragged between windows using the Windows panel again.
- Info panel title now correctly displays Web page title and mail subjects that contain HTML.
Miscellaneous
- Scripting and display fixes for the Silverlight plug-in.
- Multiple stability fixes.
- Improved stability and performance of BitTorrent.
Security
- Fixed an issue that could occur when removing a specially prepared torrent transfer, as reported by iDefense. See the advisory.
- Prevented an issue where data URLs could be used to display the wrong address in the address bar. See the advisory.
- Improved the display of long domain names in authentication dialogs. Long domain names will now scroll instead of using ellipsis. See the advisory.
- Added Trustcenter class 3 G2 root certificate.
- Fixes for a problem with certificate import from PKCS #7 Signed and Netscape Multicert files.
Windows specific
- Fix for accessing certain Web sites using Windows Vista.
-
Below are results from a submission this morning of the AGENT.BRK trojan horse, from a copy received in my personal email. AV coverage is improving, and hopefully the vendors that were still missing it earlier today will add detection soon.
Complete scanning result of "fungame.zip", processed in VirusTotal at 07/30/2007 15:08:24 (CET).
[ file data ]
* name: fungame.zip
* size: 19363
* md5.: e32407039e10ab1be6e639e6fe4c9ee9
* sha1: 166733488b62628278ada4a8b29954c097f42af9
[ scan result ]
AhnLab-V3 2007.7.28.0/20070730 found nothing
AntiVir 7.4.0.50/20070730 found [Worm/Nuj.A.124]
Authentium 4.93.8/20070727 found [W32/Downldr2.AOUA]
Avast 4.7.997.0/20070730 found [Win32:Agent-JSL]
AVG 7.5.0.476/20070730 found [Downloader.Agent.OGE]
BitDefender 7.2/20070730 found [Trojan.Kobcka.A]
CAT-QuickHeal 9.00/20070728 found nothing
ClamAV 0.91/20070730 found [Trojan.Downloader-12017]
DrWeb 4.33/20070730 found [BackDoor.Bulknet]
eSafe 7.0.15.0/20070729 found [Win32.Agent.brk]
eTrust-Vet 31.1.5016/20070730 found [Win32/Cutwail.T]
Ewido 4.0/20070730 found nothing
F-Prot 4.3.2.48/20070727 found [W32/Downldr2.AOUA]
F-Secure 6.70.13030.0/20070730 found [Trojan-Downloader.Win32.Agent.brk]
FileAdvisor 1/20070730 found nothing
Fortinet 2.91.0.0/20070730 found [W32/Agent.AUH!tr]
Ikarus T3.1.1.8/20070730 found nothing
Kaspersky 4.0.2.24/20070730 found [Trojan-Downloader.Win32.Agent.brk]
McAfee 5085/20070727 found nothing
Microsoft 1.2704/20070730 found [Worm:Win32/Nuwar.JU]
NOD32v2 2429/20070730 found [Win32/TrojanDownloader.Agent.BRK]
Norman 5.80.02/20070730 found nothing
Panda 9.0.0.4/20070729 found nothing
Prevx1 V2/20070730 found nothing
Rising 19.34.02.00/20070730 found nothing
Sophos 4.19.0/20070726 found nothing
Sunbelt 2.2.907.0/20070728 found nothing
Symantec 10/20070730 found [Trojan.Pandex]
TheHacker 6.1.7.158/20070730 found [Trojan/Downloader.Agent.brk]
VBA32 3.12.2.1/20070730 found [Trojan.Win32.Agent.auh]
VirusBuster 4.3.26:9/20070730 found [Trojan.DL.Agent.Gen.8]
Webwasher-Gateway 6.0.1/20070730 found [Worm.Nuj.A.124]
-
McAfee has completed beta testing for its new Rootkit Detective tool. The RKD 1.0 product will be offered as a free standalone detection and cleaning tool. McAfee notes that over 7,325 new rootkit variants have emerged this year, and folks should always be careful with any web links or file attachments they encounter, as we have been in a period of high malicious activity recently. Note the usage caveat in McAfee's own description below: this is a tool for knowledgeable users, and misuse can damage the operating system.
McAfee offers free Rootkit Detective Cleaner
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027948
quote:
On July 26, McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations. The freeware program promises the ability to find and remove rootkits -- self-cloaking malware attacks that install themselves as kernel modules or drivers and are most often used to hide other types of threats such as keyword-logging programs -- and send data about the attacks that are discovered back to McAfee.
McAfee Rootkit Detective - Press Release http://www.mcafee.com/us/about/press/corporate/2007/20070726_182000_r.html
quote:
Cybercrooks use rootkits to hide other nefarious programs on compromised PCs. Last year the number of rootkits hit 3,284 and has already more than doubled in the first half this year to 7,325. Since the initial trial release of Rootkit Detective in January, the application has been downloaded over 110,000 times. "Rootkit Detective offers the most comprehensive rootkit detection capabilities available today," said Ahmed Sallam, lead research architect at McAfee®. "We have achieved extremely high levels of accuracy, using various techniques to find anything that hides itself on a computer."
McAfee Rootkit Detective 1.0 - Home Page http://vil.nai.com/vil/stinger/rkstinger.aspx
quote:
McAfee Rootkit Detective 1.0 is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system. McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.
-
An interesting article by AVERT where they "took the bait" and tracked developments as someone tried to scam them using the Nigerian 419 approach. Unfortunately, a few folks still want to believe that money sometimes falls from the sky (and that it would arrive by way of a random email message). These scams still represent some of the largest dollar losses per incident.
Nigerian 419 Scams - A fool and their money are soon parted http://www.avertlabs.com/research/blog/index.php/2007/07/26/a-fool-and-their-money-are-soon-parted/
QUOTE: The amazing thing is that thousands of people don’t. In 2006 the highest dollar loss per incident reported to the Internet Crime Complaint Center was the Nigerian Scam with a median loss of $5,100. I’m amazed that so many people can fall for this well known scam that has been around, in various forms for a long time.
Nigerian 419 Coalition Website http://home.rica.net/alphae/419coal/
QUOTE: A Five Billion US$ (as of 1996, much more now) worldwide Scam which has run since the early 1980's under Successive Governments of Nigeria. It is also referred to as "Advance Fee Fraud", "419 Fraud" (Four-One-Nine) after a formerly relevant section of the Criminal Code of Nigeria, and "The Nigerian Connection" (mostly in Europe). However, it is usually called plain old "419" even by the Nigerians themselves. In brief, 419 is a sub-classification of Advance Fee Fraud crime in which the perpetrators are West Africans, primarily Nigerians, operating globally from Nigeria and elsewhere.
Internet Crime Complaint Center http://www.ic3.gov/ http://www.ic3.gov/crimeschemes.aspx#item-13
QUOTE: Named for the violation of Section 419 of the Nigerian Criminal Code, the 419 scam combines the threat of impersonation fraud with a variation of an advance fee scheme in which a letter, email, or fax is received by the potential victim. The communication from individuals representing themselves as Nigerian or foreign government officials offers the recipient the "opportunity" to share in a percentage of millions of dollars, soliciting for help in placing large sums of money in overseas bank accounts. Payment of taxes, bribes to government officials, and legal fees are often described in great detail with the promise that all expenses will be reimbursed as soon as the funds are out of the country.
Wikipedia - Nigerian 419 Overview http://en.wikipedia.org/wiki/Nigerian_419
-
While I've never been a fan of toolbars of any kind, the critical security issue in the LinkedIn IE toolbar is now fixed.
LinkedIn IE Toolbar - Critical Security Update Available http://www.scmagazine.com/us/news/article/673669/linkedin-fixes-critical-bug/
QUOTE: "Business networking site LinkedIn has remedied a dangerous zero-day vulnerability in its Internet Explorer toolbar, one day after researchers went public with the exploit code. The mandatory fix "was pushed out to all of our users" on Wednesday, Mario Sundar, community evangelist at LinkedIn, told SCMagazine.com today. "The fix is required for users; otherwise the toolbar shuts down"..."
LinkedIn IE Toolbar - Critical Security Issue http://secunia.com/advisories/26181/
-
The Storm worm (aka Nuwar) is one of the worst threats out there, as it contains some of the latest advancements in malware techniques (including very realistic social engineering in its latest e-card versions). While most users don't run virtual machine environments, one variant checks whether it is running inside one, most likely to frustrate the sandbox analysis that AV researchers rely on, as the ISC diary below explains.
Latest Storm Worm - Is it a VMware or Virtual PC hopper? http://isc.sans.org/diary.html?storyid=3190
QUOTE: While the Storm worm hasn’t brought anything really new, the authors definitely went a step further – the Storm worm’s code looks much better than a lot of malware we’ve seen. And besides that, you have a custom packer that makes analysis and detection more difficult, rootkit capabilities so it’s completely hidden, P2P botnet control and so on.
While analyzing one sample I noticed that the Storm worm tries to detect if it’s running in a virtual environment. This became pretty popular with malware writers lately. The main reason they're doing this is (presumably) to make analysis more difficult. The first step in malware analysis today is typically to run it in an isolated environment and to monitor its behavior.
-
This one has been massively spammed and is out there, as I'm receiving copies in my in-box now.
Win32.Agent.brk Trojan - Avoid Funny.ZIP attachment http://www.f-secure.com/weblog/archives/archive-072007.html#00001234
QUOTE: There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.
Very few AV companies have coverage based on the sample sent to VirusTotal:
Complete scanning result of "funny.zip", processed in VirusTotal at 07/25/2007 15:10:16 (CET).
[ file data ]
* name: funny.zip
* size: 19250
* md5.: e370545d893c2e35bf1b41be3bda45fe
* sha1: f456d384504b9f04faf9f552bbb46ed77ceaa2fd
[ scan result ]
AhnLab-V3 2007.7.25.0/20070725 found nothing
AntiVir 7.4.0.44/20070725 found nothing
Authentium 4.93.8/20070725 found nothing
Avast 4.7.997.0/20070725 found nothing
AVG 7.5.0.476/20070725 found nothing
BitDefender 7.2/20070725 found [Trojan.Downloader.Agent.YJF]
CAT-QuickHeal 9.00/20070724 found nothing
ClamAV 0.91/20070725 found [Trojan.Downloader-11827]
DrWeb 4.33/20070725 found [Trojan.MulDrop.7173]
eSafe 7.0.15.0/20070724 found nothing
eTrust-Vet 31.1.5004/20070725 found nothing
Ewido 4.0/20070725 found nothing
F-Prot 4.3.2.48/20070725 found [W32/Downldr2.ANWJ]
F-Secure 6.70.13030.0/20070725 found [Trojan-Downloader.Win32.Agent.brk]
FileAdvisor 1/20070725 found nothing
Fortinet 2.91.0.0/20070725 found nothing
Ikarus T3.1.1.8/20070725 found [Trojan-Downloader.Win32.Agent.brk]
Kaspersky 4.0.2.24/20070725 found [Trojan-Downloader.Win32.Agent.brk]
McAfee 5081/20070724 found nothing
Microsoft 1.2704/20070725 found nothing
NOD32v2 2418/20070725 found [Win32/TrojanDownloader.Agent.NPW]
Norman 5.80.02/20070725 found nothing
Panda 9.0.0.4/20070724 found nothing
Sophos 4.19.0/20070717 found nothing
Sunbelt 2.2.907.0/20070725 found nothing
Symantec 10/20070725 found [Trojan.Pandex]
TheHacker 6.1.7.152/20070723 found nothing
VBA32 3.12.2.1/20070724 found nothing
VirusBuster 4.3.26:9/20070724 found nothing
Webwasher-Gateway 6.0.1/20070725 found nothing
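The two VirusTotal reports on this page (funny.zip from July 25 above, fungame.zip from July 30 further up) are the raw material behind the "coverage is improving" observation. As an added example, not part of the original posts, here is a Python parser for that report format that computes the detection ratio, lists the engines that missed, flags engines whose signature date lags the rest of the scan (a miss from week-old definitions says little), and reports which engines gained detection between two reports. The embedded data are seven-engine excerpts of the two reports as pasted here, including the F-Secure line that wrapped onto two lines in the July 25 paste.

```python
import re
from datetime import date

# Excerpts of the two VirusTotal reports quoted on this page, seven engines each.
# The wrapped F-Secure line reproduces how the July 25 report was pasted.
FUNNY_ZIP_0725 = """\
AntiVir 7.4.0.44/20070725 found nothing
BitDefender 7.2/20070725 found [Trojan.Downloader.Agent.YJF]
F-Secure 6.70.13030.0/20070725 found
[Trojan-Downloader.Win32.Agent.brk]
Kaspersky 4.0.2.24/20070725 found [Trojan-Downloader.Win32.Agent.brk]
McAfee 5081/20070724 found nothing
Sophos 4.19.0/20070717 found nothing
Symantec 10/20070725 found [Trojan.Pandex]
"""

FUNGAME_ZIP_0730 = """\
AntiVir 7.4.0.50/20070730 found [Worm/Nuj.A.124]
BitDefender 7.2/20070730 found [Trojan.Kobcka.A]
F-Secure 6.70.13030.0/20070730 found [Trojan-Downloader.Win32.Agent.brk]
Kaspersky 4.0.2.24/20070730 found [Trojan-Downloader.Win32.Agent.brk]
McAfee 5085/20070727 found nothing
Sophos 4.19.0/20070726 found nothing
Symantec 10/20070730 found [Trojan.Pandex]
"""

# "<engine> <version>/<yyyymmdd> found nothing" or "... found [<name>]"
VT_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:nothing|\[(?P<name>[^\]]*)\])$"
)


def _join_wrapped(lines):
    """Re-attach a detection name that wrapped onto its own line after 'found'."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and out and out[-1].endswith("found"):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def parse_vt_report(text):
    """One dict per engine line; 'name' is None when the engine found nothing."""
    results = []
    for line in _join_wrapped(text.splitlines()):
        m = VT_LINE.match(line)
        if not m:
            continue
        d = m["sigdate"]
        results.append({"engine": m["engine"], "version": m["version"],
                        "sigdate": date(int(d[:4]), int(d[4:6]), int(d[6:])),
                        "name": m["name"]})
    return results


def summarize_vt(results, stale_days=3):
    """Detection ratio, the engines that missed, and engines running old signatures."""
    newest = max(r["sigdate"] for r in results)
    hits = [r for r in results if r["name"]]
    return {
        "ratio": f"{len(hits)}/{len(results)}",
        "missed_by": [r["engine"] for r in results if not r["name"]],
        # Signatures more than stale_days behind the newest engine in the scan.
        "stale_signatures": [r["engine"] for r in results
                             if (newest - r["sigdate"]).days > stale_days],
    }


def newly_detecting(earlier, later):
    """Engines present in both reports that missed earlier but detect in the later one."""
    before = {r["engine"]: r["name"] for r in earlier}
    return sorted(r["engine"] for r in later
                  if r["engine"] in before and not before[r["engine"]] and r["name"])


if __name__ == "__main__":
    funny = parse_vt_report(FUNNY_ZIP_0725)
    fungame = parse_vt_report(FUNGAME_ZIP_0730)
    print("funny.zip  ", summarize_vt(funny))
    print("fungame.zip", summarize_vt(fungame))
    print("gained coverage:", newly_detecting(funny, fungame))
```

On the excerpts this yields 4/7 for funny.zip and 5/7 for fungame.zip, with AntiVir the engine that gained coverage in between; Sophos is flagged as stale in both because its signature date trails the scan by more than three days. The comparison is per family, not per file, since the two samples have different hashes.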
-
Daily, I'm continuing to receive several PDF based stock messages that are being massively spammed. Both the ISC and AVERT Labs are warning that Excel documents, a file type commonly used in business environments, are now being used as well. AVERT suggests that Word and other Office formats might also be used in the future to circumvent corporate attachment blocking rules.
Stock Spammers now sending Excel documents http://isc.sans.org/diary.html?storyid=3177 http://www.avertlabs.com/research/blog/index.php/2007/07/24/pdf-spammers-already-moving-on-to-other-filetypes-currently-xls/
QUOTE: PDF spam has continued to increase during the last 3 weeks and has moved from ‘pump and dump’ stocks to other types of spam such as pharmacy spam. The spammers responsible for the recent .PDF based ‘pump and dump’ stock spam have also started to send pump and dump spam containing Microsoft Excel .XLS documents
-
While Apple will most likely patch discovered security issues promptly, iPhone users should carefully monitor developments.
NY Times reports Serious iPhone security issue http://www.nytimes.com/2007/07/23/technology/23iphone.html
QUOTE: A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device. The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.
Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem.
-
Unfortunately, major tragedies can be used by the bad guys for social engineering purposes to scam folks in a fraudulent manner. Always be careful with email or websites, and always go directly to mainstream sites (e.g., the Red Cross) to ensure these worthwhile contributions are made safely and securely.
Hackers use Brazilian plane crash to push malware http://www.networkworld.com/news/2007/071807-hackers-use-brazilian-plane-crash.html http://www.websense.com/securitylabs/alerts/alert.php?AlertID=788
McAfee - PWS-Banker.gen.ac (DAT 5075) http://vil.nai.com/vil/content/v_139526.htm
QUOTE: Hackers haven't wasted any time exploiting the airplane crash in Sao Paulo, Brazil that claimed nearly 190 deaths Tuesday, a U.S. security company said Wednesday. An e-mail campaign is using the tragedy to lure readers to a malicious Web site, reported Websense in an alert. According to Websense, the e-mail, written in Portuguese, includes details of the TAM airlines flight that crashed after trying to land at the notoriously dangerous Congonhas Airport, which is located in the middle of Sao Paulo.
-
Code Red - Sixth Anniversary of Internet worm attacks
The Code Red attacks in July and August of 2001 represent one of the first completely automated major security attacks against Windows servers that were not up to date on security patches. Microsoft issued the critical MS01-033 patch on June 18, 2001, and the first Code Red worm surfaced about one month later, on July 13, 2001. It exploited the buffer overflow in the Index Server ISAPI extension (idq.dll, reached through .ida and .idq requests) on Windows NT 4.0 and Windows 2000 systems running IIS 4 and 5, with no user interaction required. The peak number of infections was around 359,000 hosts by July 19, 2001.
Code Red II was a much more potent attack launched on August 4, 2001. It was not just another variant of Code Red: it was a complete redesign and rewrite that exploited the same vulnerability. Code Red II chose target addresses more cleverly, favouring addresses in the same /8 and /16 as the infected host so that it spread quickly inside large networks, and it left a backdoor on the servers it infected.
The paradigm presented by both Code Red and Nimda got administrators into the mode of applying patches expeditiously, at least for servers. Still, more lessons were learned about workstation patching when the Blaster worm surfaced in August 2003. Hopefully, history will not repeat itself where you simply plug a PC or server into the Internet and get zapped. One of Microsoft's Trustworthy Computing (TWC) improvements helps here: the firewalls in Windows XP SP2 and Vista, enabled by default, drop the unsolicited inbound TCP/IP traffic that constantly probes exposed ports. A key lesson learned is to constantly monitor the changing landscape of security risks; something that's completely safe today may not be tomorrow. Finally, even after six years, I believe that Code Red I or II may still reside in limited circulation on some of the unpatched servers out there.
Wiki Links for Code Red I and II
http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29
http://en.wikipedia.org/wiki/Code_Red_II_%28computer_worm%29
http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms#2001
MS01-033 - The key security bulletin exploited by these attacks
http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
Microsoft MVP Steve Friedl's Excellent Analysis
http://www.unixwiz.net/techtips/CodeRedII.html
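If Code Red probes are indeed still circulating, the place they show up is the IIS log: the worm's HTTP request hits /default.ida with a query string padded with "N" (Code Red v1/v2) or "X" (Code Red II) followed by %u-encoded shellcode, as documented in the CERT advisories and Steve Friedl's analysis linked above. As an added example, not from the original post, here is a Python scanner for W3C extended IIS logs that uses the #Fields directive to locate the columns and classifies every .ida/.idq request. The log excerpt is constructed for the example (the addresses are documentation ranges and the shellcode portion is truncated), not a real capture.

```python
import re

# Constructed IIS 5.0 W3C extended log excerpt (not a real capture). The two .ida
# requests follow the documented shape of Code Red (query padded with "N") and
# Code Red II (padded with "X"); the %u-encoded payload is truncated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2007-07-19 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-07-19 00:01:02 192.0.2.10 GET /default.htm - 200
2007-07-19 00:01:07 198.51.100.23 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a 200
2007-07-19 00:01:09 198.51.100.77 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a 404
2007-07-19 00:02:15 192.0.2.10 GET /search.idq q=printers 200
2007-07-19 00:02:40 192.0.2.44 GET /products.asp id=42 200
"""

ISAPI_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)   # handled by idq.dll (MS01-033)
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")
OVERLONG = 200  # a genuine Code Red request is several hundred bytes long


def parse_w3c(text):
    """Yield one dict per request, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(entry):
    """Return a verdict for .ida/.idq requests, None for everything else."""
    if not ISAPI_EXT.search(entry.get("cs-uri-stem", "")):
        return None
    query = entry.get("cs-uri-query", "-")
    query = "" if query == "-" else query
    shellcode = bool(UNICODE_ESCAPE.search(query))
    if shellcode and re.match(r"N{8,}", query):
        verdict = "Code Red v1/v2 probe"
    elif shellcode and re.match(r"X{8,}", query):
        verdict = "Code Red II probe"
    elif shellcode or len(query) > OVERLONG:
        verdict = "other .ida/.idq overflow attempt"
    else:
        verdict = "ordinary Index Server request"
    return {"time": f'{entry["date"]} {entry["time"]}',
            "ip": entry.get("c-ip"),
            "status": entry.get("sc-status"),
            "verdict": verdict}


def scan(text):
    """All .ida/.idq requests in the log with their verdicts, in log order."""
    return [v for v in (classify(e) for e in parse_w3c(text)) if v]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is worth reading alongside the verdict: a 404 on the .ida request means the script mapping is gone (one of the workarounds Microsoft recommended at the time) and the probe failed, whereas a 200 means idq.dll actually processed the request and the server must be checked for compromise.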
-
This is installed on my work PCs and the update went well. During the update, an option to install the Google Toolbar was presented. Folks should carefully read EULAs and any bundled-software options presented as they update software.
Java Runtime Environment - Critical Security Patch http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102934-1 http://www.f-secure.com/weblog/archives/archive-072007.html#00001231
QUOTE: A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.
-
A new variant of the Bagle family has been discovered. McAfee users should move to DAT 5076.
New Bagle Downloader - Adobe Audition EXE http://vil.nai.com/vil/content/v_142713.htm
QUOTE: The trojan pretended to be a software crack for Adobe Audition 3.02 and came with the filename: ClickFix_for_Adobe_Audition_3.02.exe. Manually executing an infected binary will infect the local system, which will then be used to download other W32/Bagle viruses.
-
The 10 question quiz only takes a minute or two, and some of the questions are tricky (I missed a couple myself). I've always found these to be neat ways to promote security awareness, and the analysis of the answers afterwards is well done too.
McAfee SiteAdvisor - Phishing Quiz Available http://www.avertlabs.com/research/blog/index.php/2007/07/16/phish-or-fair-take-our-phishing-quiz-and-test-your-phish-iq/
McAfee SiteAdvisor - The actual Quiz of 10 Questions http://www.siteadvisor.com/quizzes/phishing_0707/
QUOTE: YOU ANSWERED 8 OF 10 QUESTIONS CORRECTLY Rating: Safety Guru -- Nice work! Your practically clairvoyant knowledge of the Web allows you to spot even the most realistic looking spoofed sites. We're impressed! But remember that even one misstep on a deceptive Web site can put your personal information at risk which could lead to identity theft or financial losses. Don't let scammers fool you! SiteAdvisor can help protect your identity by warning you before you visit a risky site.
-
For most users the Flash Player is an integral part of their browser environment (e.g., Internet Explorer, Mozilla Firefox, Opera, etc.). While no in-the-wild exploits have emerged, a serious security issue has been fixed and users should quickly move to the latest version. Since this update may not be part of Windows Update or the browsers' automatic updates, it is important to manually update the Flash Player, and to do so for each browser installed, since the ActiveX control used by IE and the plug-in used by Firefox and Opera are separate installations.
Flash Player Browser plug-in - Critical Update to v9.0.47 http://isc.sans.org/diary.html?storyid=3126 http://www.adobe.com/support/security/bulletins/apsb07-12.html http://www.f-secure.com/weblog/archives/archive-072007.html#00001231
QUOTE: An input validation error has been identified in Flash Player 9.0.45.0 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user’s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-3456). There are no reported in-the-wild exploits yet, but we might see some soon as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities
Flash Player Version 9.0.47 - Download Site http://www.adobe.com/go/getflash
Note - You may want to uncheck the installation of the Google Toolbar.
-
This family of malware encrypts documents, photos and other data files on the infected PC and, in the note it leaves behind, claims to have collected the victim's private information as well. The user is then blackmailed into paying $300, with the threat that the private information will be disclosed and the data lost.
As Kaspersky notes, the ransom should not be paid: AV companies work to decrypt the affected files, and one can never trust that the persons behind these malicious attacks will honor any payment. Regular backups remain the only reliable protection against this kind of threat.
GPcode.ai - New Ransomware threat http://www.viruslist.com/en/weblog?weblogid=208187396 http://www.viruslist.com/en/analysis?pubid=189678219
QUOTE: Some of our non-Russian users told us their documents, photos, archive files etc had turned into a bunch of junk data, and a file called read_me.txt had appeared on their systems. Sadly, the contents of this file were all too familiar: But in the meantime, we'd just like to remind you – if you've fallen victim to Gpcode or any other type of ransomware, you should never pay up under any circumstances. Always contact your antivirus provider and make sure you back up your data on a regular basis.
COPY OF RANSOMWARE INFORMATION
Hello, your files are encrypted with RSA-4096 algorithm
http://en.wikipedia.org/wiki/RSA
You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: [REMOVED] and provide us your personal code [REMOVED]. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.
If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
Glamorous team
-
AV coverage is present, and parasitic PE infectors have been around for years. The interesting development in this new virus is its activity log file: it writes to the log as it scans the system for executables and as it infects them.
PE infectors can spread rapidly to every EXE file reachable through network shares and folders that aren't locked down. These "network walkers" can infect dozens or even hundreds of files on a PC if shares were left publicly open and the virus was able to seed.
This virus could arrive as a trojan horse email attachment, a website EXE download, or any other path by which an EXE file is shared. I've not seen a virus that keeps such a detailed log of its own activity. Such a log could also be used by malicious individuals to learn which drives and shares were writable from the infected host.
W32/Kespo - Parasitic Infector keeps a detailed activity log http://vil.nai.com/vil/content/v_142549.htm http://secunia.com/virus_information/40145/kespo.a/
QUOTE: W32/Kespo infects windows executables parasitically, prepending its code to existing files. The DLL and EXE files are pure viral code. The DLL file is injected into the memory space of Explorer. The virus replicates by infecting executable files on local and shared/remote drives.
EXAMPLES OF LOG FILE MAINTAINED BY VIRUS: The non-executable files are data files or link files. The data files track what the virus has done, and can have content like the following:
3/30/2006 1:03:40 PM - Guardian process started
3/30/2006 1:05:12 PM - Virus service terminated, try to restore it
3/30/2006 1:05:12 PM - Restoring virus service file
3/30/2006 1:05:12 PM - Virus service file restored
3/30/2006 1:05:13 PM - Restarting virus service
or
3/30/2006 1:03:34 PM - K Print Spooler Service starting...
3/30/2006 1:03:35 PM - Scanner for drive C has been created and started
3/30/2006 1:03:35 PM - Scanner for drive D has been created and started
3/30/2006 1:03:35 PM - Mencari di folder D:\
3/30/2006 1:03:36 PM - Scanner for drive E has been created and started
3/30/2006 1:03:36 PM - Scanner for drive F has been created and started
3/30/2006 1:03:36 PM - Scanner for drive G has been created and started
3/30/2006 1:03:36 PM - K Print Spooler Service started
3/30/2006 1:03:38 PM - Mencari di folder D:\System Volume Information
3/30/2006 1:03:39 PM - Guardian process not exists, try create it
3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it
3/30/2006 1:03:39 PM - Mencari di folder D:\
3/30/2006 1:03:40 PM - Guardian process created
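The same log that makes this virus unusual also helps whoever has to clean up after it: it records which drives were scanned, which folders were walked, which Explorer window it injected into, and how many times its "guardian" restored the service. As an added example, not from the original post or McAfee's write-up, here is a Python parser that merges the two excerpts above into one chronological timeline and pulls out those facts for an incident report. The embedded text is the log as quoted on this page; "Mencari di folder" is Indonesian for "searching in folder", and the spooler-like service name is the virus's own choice of disguise.

```python
import re
from datetime import datetime

# The two log excerpts quoted above, one event per line (the virus's own wording).
KESPO_LOG = r"""
3/30/2006 1:03:40 PM - Guardian process started
3/30/2006 1:05:12 PM - Virus service terminated, try to restore it
3/30/2006 1:05:12 PM - Restoring virus service file
3/30/2006 1:05:12 PM - Virus service file restored
3/30/2006 1:05:13 PM - Restarting virus service
3/30/2006 1:03:34 PM - K Print Spooler Service starting...
3/30/2006 1:03:35 PM - Scanner for drive C has been created and started
3/30/2006 1:03:35 PM - Scanner for drive D has been created and started
3/30/2006 1:03:35 PM - Mencari di folder D:\
3/30/2006 1:03:36 PM - Scanner for drive E has been created and started
3/30/2006 1:03:36 PM - Scanner for drive F has been created and started
3/30/2006 1:03:36 PM - Scanner for drive G has been created and started
3/30/2006 1:03:36 PM - K Print Spooler Service started
3/30/2006 1:03:38 PM - Mencari di folder D:\System Volume Information
3/30/2006 1:03:39 PM - Guardian process not exists, try create it
3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it
3/30/2006 1:03:39 PM - Mencari di folder D:\
3/30/2006 1:03:40 PM - Guardian process created
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (?P<msg>.+)$"
)
DRIVE = re.compile(r"^Scanner for drive (\w) ")
FOLDER = re.compile(r"^Mencari di folder (.+)$")      # Indonesian: "searching in folder"
INJECT = re.compile(r"^Explorer found \(HWND: (\d+)\)")


def parse_kespo_log(text):
    """(timestamp, message) tuples in chronological order; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), m["msg"]))
    events.sort(key=lambda e: e[0])   # stable sort keeps same-second order as logged
    return events


def summarize_activity(events):
    """Facts an incident report needs: time span, drives and folders touched, injection target."""
    drives, folders, hwnds, restores = [], set(), [], 0
    for _, msg in events:
        d, f, i = DRIVE.match(msg), FOLDER.match(msg), INJECT.match(msg)
        if d:
            drives.append(d[1])
        elif f:
            folders.add(f[1])
        elif i:
            hwnds.append(int(i[1]))
        elif msg == "Virus service file restored":
            restores += 1   # the guardian re-created the service after it was stopped
    return {
        "span": (events[0][0].isoformat(sep=" "), events[-1][0].isoformat(sep=" ")),
        "drives": sorted(drives),
        "folders": sorted(folders),
        "injected_hwnd": hwnds,
        "service_restores": restores,
    }


if __name__ == "__main__":
    timeline = parse_kespo_log(KESPO_LOG)
    for ts, msg in timeline:
        print(ts.isoformat(sep=" "), msg)
    print(summarize_activity(timeline))
```

On the quoted excerpts the timeline runs from 13:03:34 to 13:05:13, drives C through G were scanned, the folders visited on D: are listed, Explorer window handle 65646 was injected, and the service was restored once after being stopped, which is the detail that tells the responder that killing the service alone will not remove the infection.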
-
This highly destructive trojan damages the Windows environment extensively, and infected users may need to rebuild their PC. It uses Microsoft Text-To-Speech (TTS) to repeatedly tell users their files are being deleted, which creates extra anxiety. Thankfully, this new trojan horse is not prevalent in the wild. Best practices and up-to-date AV protection will help ensure protection.
Botvoice Trojan - Computerworld Article http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026362
quote:
The program, called the BotVoice.A Trojan, was first spotted by security vendor Panda last week. It is a Trojan horse program, which the victim must download first. But once installed, it gets nasty. The Trojan soon sets to work trying to delete everything from the victim's hard drive, while at the same time endlessly repeating an audible message, apparently designed to taunt the victim. "You have been infected. I repeat, you have been infected, and your system files have been deleted. Sorry. Have a nice day and bye-bye," the Trojan says.
It does this by using a text-reading program that is part of the Windows operating system, Panda said. Users of Windows 2003, XP, 2000, NT, ME, 98 and 95 are all at risk. Unlike a virus, BotVoice.A does not jump from computer to computer on its own, but spreads via peer-to-peer networks or storage devices such as CD-ROMs or USB (Universal Serial Bus) memory drives. The Trojan is unusual because unlike most malware written these days, it appears to be designed to perform mindless vandalism
Additional Information on this new threat can be found in the links below:
McAfee Information (DAT 5067 or higher) http://vil.nai.com/vil/content/v_142617.htm
F-Secure Information http://www.f-secure.com/v-descs/trojan_w32_botvoice_a.shtml
Symantec Information http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-070902-1916-99
Trend Information http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FBOTVOICE%2EA
Trend Behavior Diagram http://www.trendmicro.com/vinfo/images/TROJ_BOTVOICE_A_BD4.gif
Register Article http://www.theregister.co.uk/2007/07/03/talking_trojan/
-
iPhone users should track developments closely, as hackers and crackers are actively exploring the device to discover weaknesses.
Hackers gain shell-level access on iPhone http://blogs.techrepublic.com.com/tech-news/?p=775 http://www.engadget.com/2007/07/06/iphone-hacked-for-shell-access
QUOTE: Well, that didn't take long -- the hacker crew of IRC channel #iPhone has managed to enable shell access to the iPhone just a week after its release. There's not a lot to the hack -- the iPhone's 30-pin dock connector features the same pinouts as the iPod, so creating a serial connection simply involved connecting up a resistor, ground, and RS-232 level converter and running a few commands from iphoneinterface. The resulting shell is pretty basic, but features a TFTP client -- meaning that we should see a flood of attempts to open the iPhone up in the coming weeks (as if we wouldn't anyway).