Tuesday, August 08, 2006

Current Virus Threats

This week's report from Panda Software on viruses and intruders clearly reflects the new dynamic influencing malware creators. The three examples of malicious code detailed in the report are aimed at spying, hijacking computers and stealing bank details.

Firstly, RuSpy.A is a Trojan that obtains user names and passwords for a range of programs including ICQ, Internet Explorer, Mozilla, Outlook and The Bat!. This information is then sent to the creator in an email message.

To avoid detection, it tries to terminate several processes belonging to security tools (antivirus programs and files). This however is not effective against Panda Software's TruPrevent(tm) Technologies and the auto-protection systems of Panda solutions.

As well as sending out the information mentioned before, it tries to download the file XINCH.EXE from a web page and creates shortcuts to several websites (all with Russian "ru" domains), and alters the Internet home page on the infected system.

Another widespread fraud technique is to hijack computers. This is what the Tervserv.A backdoor Trojan does. It connects to a website in order to receive remote commands, such as instructions to download and run files that give the attacker complete control over the compromised computer.

Tervserv.A can also be instructed to send information about files on the computer as well as update or uninstall itself.

Finally, this week's report looks at Banker.DZO. This is a Trojan that monitors Internet traffic generated when a user accesses the web pages of Banco de Brasil, Bradesco, CEF, GERENCIADOR, Itau and Brad.Juridico.

When an infected user opens one of these pages, Banker.DZO displays a false login page in order to obtain the user name and password for accessing accounts. This information is then sent to the creator in an email message. The information compiled is quite extensive, ranging from the particular bank or branch of the user to the password or even the secret password reminder question.

Saturday, July 22, 2006

Fake Google Toolbar Download Page

Scammers have set up an exact copy of the download page for Google's Toolbar plug-in in an attempt to lure users to download a Trojan backdoor.

Reported by security outfit Surfcontrol, some versions of the scam even spoof the correct Google Toolbar web address for Internet Explorer, using Google's own redirection service in an attempt to hide the real, non-Google address.

The Trojan itself--W32.Ranky.FW--is designed to turn the PC into a bot zombie, and is spread using the conventional technique of asking recipients of a spam e-mail to follow an embedded link.

According to Surfcontrol, the version detected by the company fails because of poor programming of defective compilation, but it remains a proof-of-concept in how to attack users using a simple combination of convincing elements.

Clever Combination

Outwardly simple, the scam has a clever combination of tricks. Although using parts of established Web sites is standard in phishing scams, it is relatively unusual to go to the length of reproducing en entire page precisely, in combination with a convincingly-spoofed web address.

The fact that the spammed e-mail appears to come from Google could convince recipients to follow the link.

Assuming that a re-engineered version appears--highly likely--once infected, users will notice nothing untoward, although their PCs will have become part of a bot-controlled network.

Google has been attacked in similar way before. Last September, scammers faked the Google search page itself in order to aid the spread of a worm.

More recently, a Trojan attacked the company's adsense advertisements, replacing them, in-browser, with fake ones on any PC infected with the malware.

Wednesday, July 12, 2006

Microsoft Office Vulnerability

A vulnerability has been reported in Microsoft
Office, which could allow a remote attacker to run arbitrary code on the
target system.

According to http://www.frsirt.com/english/advisories/2006/2720 and
http://www.securitytracker.com/alerts/2006/Jul/1016453.html, a remote
user could create a specially crafted Word file which, when loaded by
the target user, could cause a memory access error in the LsCreateLine()
function in the mso.dll file, and allow arbitrary code to be run.

This could result in a denial of service situation, however, if the
attack is successfully carried out, the code will be run with the
privileges of the target user. Also, proof-of-concept code has been
published. Oxygen3 advises users to treat with caution possible
malicious files that could try to reproduce this attack, and not to open
Office files received from unreliable sources.

Current Virus Threats

The Oscarbot.IV, Peerbot.B and Netsad.B worms are the subject of this week's PandaLabs report.

Oscarbot.IV is a worm that opens several communication ports on infected computers, allowing attackers to access the system remotely. It also drops the Protestor.A Trojan on the system, which can capture screenshots and steal user data. Oscarbot.IV spreads via America On Line Instant Messenger, sending messages to all active user contacts. When run, it is installed on the system as a service called "Windows Genuine Advantage Validation Notification", trying to pass itself off as a Microsoft antipiracy service and ensuring it is run on every system startup.

Peerbot.B can open a backdoor to receive commands from an attacker via IRC. It can also steal data from SQL Server or Mysql databases on the computer, which it then sends out via email. When run, the worm creates several files on the system, such as Taskdrv.exe (a copy of the worm itself) and Libmysql.dll, a library belonging to the Mysql database. Peerbot.B can spread using email or P2P file-sharing programs. It creates numerous files in the shared folders in P2P programs under names that refer to cracks for well-known applications and games. When other users of the P2P program run a search, they could find the infected files of the initial victim among the results. To avoid detection, Peerbot.B terminates a long list of processes related mainly with security tools, firewalls or even other malware. It also modifies the hosts file to block access to web pages related with security products.

Netsad.B is a worm that spreads as an email attachment, using messages such as "sharing files is the essence of living". It also uses several P2P applications, including Kazaa or Emule, creating copies of itself in shared folders so that it can be downloaded by other users. Netsad.B can only operate if the computer has Microsoft .NET framework 2.0. When run, it creates a copy of itself called winservices.cab.bak.exe in the Windows system folder. It also creates copies of itself with a variety of names, including some related to antiviruses, in the other system drives. In order to remain hidden, the worm terminates a series of security-related processes, leaving the computer vulnerable to further attack.

Friday, June 30, 2006

Open Office Vulnerability

Open Office Vulnerability - The new version of OpenOffice.org 2.0.3 corrects
three vulnerabilities. Although no attacks have yet been detected that
exploit these vulnerabilities, users of this office suite are advised to
install it as soon as possible.

The first of these flaws could allow certain Java applets to break
through the "sandbox" and therefore have full access to system resources
with current user privileges. The malicious Applets could, among other
things, modify or destroy files and read or send private data.
The second problem corrected is the possibility to inject macro code
into documents which is executed transparently when opening the
document, without notifying or consulting the user. The security
consequences are similar to those of the first vulnerability.

Finally, a vulnerability has been corrected in the processing of XML
documents that could cause a buffer overflow. Exploiting this problem
could lead to the application blocking and, possibly, command execution
in the context of the current user.

All the vulnerabilities affect OpenOffice.org 1.1.5 and 2.0.x. In the
latter case, users are advised to update to OpenOffice 2.0.3, while
patches are due to be released shortly for version 1.1.5.

More information is available in the security bulletin at:

Current Virus & Trojan Threats

The Kelvir.EO worm, the virus Kukudro.A and the Downloader.JIH Trojan are the subject of this week's report.

Kelvir.EO is a worm with backdoor functions. It spreads by exploiting certain Windows vulnerabilities in the LSASS, RPC DCOM, Workstation Service and Plug and Play services, and then transfers a copy of itself using its own FTP server. Once it has infected a computer it installs a rootkit, detected as Ruffle.A, in order to disguise its actions. The worm connects to an IRC server which, in turn, connects to a certain channel in order to run commands that, among other things, can obtain passwords stored in Protected Storage, which contains the passwords for programs including Outlook and Internet Explorer. Kelvir.EO also allows attackers to terminate processes, get data about the infected system, and update or eliminate the worm's code.

Kukudro.A is a macro virus that drops the Downloader.JIH Trojan on infected computers, creating a file called 66INSE_1.EXE, a copy of the Trojan, in the hard disk root directory. It does this using an old vulnerability, described in bulletin MS01-34, to avoid the security warning about macros included in Word documents and run its own code automatically. Kukudro.A cannot propagate automatically by itself and therefore needs user interaction in order to spread. The virus spreads in emails with an attachment called My_notebook.doc. This file includes the specifications of a range of different laptop computers.

Finally, Downloader.JIH is a Trojan that downloads the Sality.S virus onto computers. This virus infects executable files and can terminate security processes and capture system information. Once the Trojan is run, it connects to a series of web pages to download an executable file which it then saves on the infected computer under a random name. Downloader.JIH cannot spread by itself, but has to be dropped by other malware, in this case Kukudro.A, or executed by users as an email attachment or a file downloaded from the Internet or P2P networks.