Friday, June 02, 2006

More On The iexplore.exe Trojan

PandaLabs has detected a data theft scam using the new I variant of the Briz Trojan. According to data obtained by PandaLabs from the page the attackers used to control the network, some 2,700 computers spread across more than 120 countries were infected.
The creator -or creators- of this newly uncovered network have been distributing Briz.I from certain web pages, mostly related with illegal or pornographic content. PandaLabs is working alongside other security companies to identify and close down each of the websites related to this network and prevent the threat from spreading.

The emergence of Briz.I could be the consequence of the scam for creating and selling customized versions of Briz, recently discovered by PandaLabs.

According to Luis Corrons, director of PandaLabs: "It is possible that the creator of the original Trojan has decided to profit directly using the same Trojans that were sold before, alternatively, Briz.I could be a new version of one of the examples that was sold while the previous scam was still in operation ".

Briz.I infiltrates infected systems under the name "iexplore.exe", simulating an Internet Explorer process. Once on the system, it downloads a file that sends information -including the IP address or country of the infected computer- to the attacker's website.

Another of its components integrates in Internet Explorer capturing all information entered by users in online forms, such as e-mail passwords or details for entering online banking services.

This malware allows the computer to be used as a gateway for connecting to other pages and masking the identity of the attacker, who can also remotely access files on the local computer.

Briz.I is specifically designed to go unnoticed by both users and security companies. It does this by covering its tracks once each of the components has carried out the task. It also modifies the "hosts" file in Windows to prevent users from accessing web pages of security companies and it disables the Windows firewall.

rel="tag">Computer Security Threats

"The current objective of malware developers is to profit from their creations, and so they are concentrating on introducing malware surreptitiously, and, as in this case, trying to capture data and login details in order to commit fraud ", explains Luis Corrons.

"Traditional signature-based detection technologies are proving to be insufficient to combat these threats. To prevent this silent epidemic, they need to be complemented with proactive technologies such as TruPreventTM which can detect malware without having previously identified it."

In order to check if a computer is free from all types of threats, including Briz.I, Panda ActiveScanTM is available to users free of charge (http://www.activescan.com)

Thursday, June 01, 2006

Three New IE6 Vulnerabilities

Several new vulnerabilities have been announced in Internet Explorer 6, which could cause the popular Microsoft browser to crash.

The first of these problems concerns a vulnerability on trying to obtain the value pointed to by a null pointer causing the browser to crash.

When creating an empty applet tag prior to any other HTML tag without closing it, Internet Explorer will have a Null Pointer result and, without closing the tag, will crash.

A second problem has been announced, which occurs when trying to enter an infinite loop. This causes Internet Explorer to close and display an "unknown software exception".

Finally, a denial of service problem has been announced when a frame with certain conditions is created and the user clicks on the frame.

Tuesday, May 30, 2006

AW Stats Vulnerability

Once more, we are confronted with the fact that any point in a system can become a weak point if not managed properly. This time, danger stems from a tool seemingly as harmless, but also as essential, as a log file analyzer and web statistics generator.

The vulnerable product is AWStats 6.5 (and prior versions), a well-known log file analyzer for generation of web, streaming, ftp or mail server access statistics, graphically.

This vulnerability could be used by an attacker to bypass security restrictions and run commands on the affected system.

The flaw is caused by incorrect input validation in the "awstats.pl"script, which cannot validate parameters "configdir" and "config" before being used to load a configuration file.

This could be exploited by an attacker to upload an arbitrary file to inject and run arbitrary shellc ommands through the "LogFile" configuration directive.

More information about this flaw is available at: http://www.frsirt.com/english/advisories/2006/1998