Virus Threats

This week's report looks at four new IT security threats: The LootSeek.AU and Briz.F Trojans, the CrazyFrog.A worm and the Matlab/Lagob virus.

LootSeek.AU is a Trojan which in turn downloads another Trojan - detected as Rizalof.BL - onto the compromised computer. It also uses an anonymous proxy server for mass-mailing new malware.

In addition, it finalizes several processes corresponding to security tools and Windows updates.

This Trojan, like many others, cannot spread automatically using its own means and therefore, needs an attacker to distribute it.

The Briz.F Trojan is designed to steal data related to online bank services. This new threat uses the lure of pornographic web pages to install itself on users' computers.

The emergence of Briz.F is a consequence of the scam for creating and selling customized versions of Briz, recently discovered and dismantled by authorities. The web pages hosting Briz.F are designed to automatically download the malicious code onto the computers of users visiting these pages by exploiting several software vulnerabilities.

The modus operandi of Briz.F is complex and elaborate. The attack begins with the installation of a file called iexplore.exe, which really serves to prepare the ground, detecting whether there is an Internet connection. If this is the case, it connects to a certain web page in order to download another file called ieschedule.exe.

Finally, iexplore.exe disables the Windows Security Center services and shared access to the Internet. Then, ieschedule.exe sends the information about the infected computer (name, IP address, location, etc.) to a predetermined address.

It also downloads other files, including one called smss.exe, which modifies the hosts file to prevent access to websites related with security products, and another called ieredir.exe, which redirects users to spoof web pages when they try to connect to certain online services, mainly those related to online banks.

CrazyFrog.A is a worm that spreads through the MSN instant messaging system and is designed to steal both access passwords to this application and bank details of the affected user.

It does this by monitoring network traffic and checking if the user accesses web pages with certain text strings - related to online banking services - in their address. If the user accesses one of these, Crazyfrog.A installs a banker Trojan which captures the bank details entered by the user.

Finally, Matlab/Lagob is a virus that can infect files with the M extension -corresponding to the popular Matlab application for resolving mathematical problems - directory as the virus is run. When it runs the virus adds its code to the beginning of the file.

Firefox Remote Attacker Vulnerability Reported

SecurityTracker has reported, at http://securitytracker.com/alerts/2006/Aug/1015981.html, a vulnerability in the increasingly popular Firefox browser which could allow a remote attacker to run arbitrary code.

A remote user could create HTML code which, when loaded by the victim's browser, would cause a buffer overflow with the possibility of crashing the browser or even remotely running code on the affected system.

The problem lies in the js320.dll and xpcom_core.dll due to the fact that the browser does not correctly handle the Javascript code included in the iframe.contentWindow.focus() function.

A demo exploit for this vulnerability has been published which means real world exploits are not far behind.

Cisco Advisories

Cisco has released two security advisoriesinforming of several vulnerabilities in systems with Cisco IOS XR and inCiscoWorks Wireless LAN Solution Engine (WLSE).

There are three vulnerabilities in Multiple Multi Protocol LabelSwitching (MPLS) in systems running Cisco IOS XR, which are only foundin CRS-1 and Cisco 12000 series routers.

Only systems running Cisco IOSXR and configured for MPLS are affected by these vulnerabilities. An attacker that successfully exploited any of these vulnerabilities could cause a denial of service in compromised systems.

Cisco has released the corresponding patches for these vulnerabilities, and it is advisable to refer to the advisory at:http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml.

On the other hand, two vulnerabilities have been confirmed in CiscoWorks Wireless LAN Solution Engine (WLSE).

The first of these refers to across-site scripting problem, while the second involves privilege escalation.

Cisco has published the updates for these vulnerabilities at: http://www.cisco.com/cgi-bin/tablebuild.pl/wlan-sol-eng.

The secondCisco warning is available at: http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml

Current Virus Threats

Here's our report on the most significant threats in the current malware panorama. This week's report includes two new codes that, although they have different functions and characteristics, share the same aim: steal user data.

A clear example of the new cyber-crime tendency is the Goldun.IL Trojan, which is a password stealer that tries to capture the e-gold payment details of the affected user.

To do this, it goes memory resident on computers without carry out any actions until it detects that the user has accessed the e-gold web page. When this happens, it captures the passwords typed and sends them to another computer.

The author of this code can collect the details from this computer and carry out operations with the user's account. Goldun.IL has been spread through spamming techniques. It has been mass-mailed in a file attached to an email message.

The message carrying the malicious file containing Goldun.IL encourages the user to install a Service Pack that supposedly blocks Trojans that try to steal e-gold details.

This week's report also refers to another Trojan called HarBag.A, whose basic mission is to collect email address to which to send the Bagle worm. To do this, it looks for 28 types of files and scans them for email addresses.

These file types are files that usually contain email addresses, such as the Windows Address Book, database, temporary Internet files, etc.After collecting the addresses, it sends them to a server where all the information is centralized.

A curious feature of HarBag.A is that it only runs once on each computer, so that the hacker that receives the email addresses collected does not receive the same addresses twice.

Finally, PandaLabs includes information about a false virus for blogs that is starting to generate confusion in the blogosphere. This is simply a joke created by a Dutch author which suggests inserting an animated graphic in blogs. The graphic is a picture of a virus that makes a series of comments, such as how it intends to infect blogs around the world.