Thursday, September 15, 2005
WORM_ZOTOB.N
This memory-resident worm propagates by exploiting the Windows Plug and Play vulnerability. For more information, please refer to the Microsoft Security Bulletin MS05-039 page. It is dropped by other malware as UPDATE.EXE in the Windows system folder. Upon execution, it downloads and executes certain files from a certain Web site. It is capable of launching a SYN flood type of denial of service attack that consumes system resources.
Shadow Software Attack
During the last years we could see how shadow server[3] attacks were a serious problem for many companies. It's true that, for a security "expert", a shadow server attack can be considered obsolete and a "stupid" attack, but in a security context there is no banal problem, especially if it is still feasible.
The shadow software[1] attack discussed in this paper is, in essence, very similar to the shadow server attack.
Usually, the user does not require authentication of the server, and the exchange of information begins by trusting the look-and-feel of the server[3]. This is very dangerous, since we do not know whether the server we are connected to is the real one.
The shadow software attack is based on the idea that an attacker could imitate the look-and-feel of a piece of software launched by the victim, in order to steal the victim's or other people's information.
For More: neworder
Saturday, September 10, 2005
TROJ_BAGLE.CR
Upon execution, this memory-resident Trojan opens the Notepad application, possibly to hide its malicious routines from unsuspecting users. In the background, however, it drops copies of itself as WINSHOST.EXE in the Windows system folder and as CJECTOR.EXE in the Windows folder. It also drops its dynamic link library (DLL) component using the file name WIWSHOST.EXE. The dropped DLL carries this Trojan's malicious routines.
This Trojan modifies the system's HOSTS file to contain only the following entry:
127.0.0.1 localhost
By default, most systems have only this line in their HOSTS file, so this routine does not really have any adverse effect on the system. However, it may overwrite the HOSTS file of users who customize it for filtering purposes.
This Trojan disables antivirus applications by deleting specific keys from the system registry. It also modifies the registry to disable Windows automatic updates, the Windows XP SP2 Firewall, and the system's administrative alerts. Furthermore, it stops services, terminates processes, and renames several files that are mostly related to security, antivirus, and firewall applications. These routines may make it difficult for affected users to detect and remove this Trojan from the system. This may also pose an additional threat to the affected system by leaving it vulnerable to further attacks from other malware programs. Notably, this Trojan specifically disables Trend Micro antivirus by modifying a certain registry entry.
This Trojan downloads a file from a list of URLs. The downloaded file is saved as _RE_FILE.EXE. As of this writing, the said URLs are inaccessible.
source: trendmicro.com
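The HOSTS overwrite described above is easy to miss precisely because the result looks like a default file. The following is an added example (not Trend Micro's or this blog's code) of a baseline check that reports entries removed, added or remapped relative to a known-good copy; the file contents and the .invalid hostnames are constructed for illustration.

```python
"""Added example (not Trend Micro's or the blog's code): compare a HOSTS file
against a known-good baseline and report what was removed, added or remapped.
Sample contents below are constructed for illustration."""
from typing import Dict, Set, Tuple

HostMap = Dict[str, Set[str]]

def parse_hosts(text: str) -> HostMap:
    """Map each hostname (lower-cased) to the set of addresses it resolves to.
    Handles blank lines, whole-line and trailing '#' comments, and lines that
    list several hostnames after one address."""
    mapping: HostMap = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:  # blank, comment-only or malformed line
            continue
        for name in parts[1:]:
            mapping.setdefault(name.lower(), set()).add(parts[0])
    return mapping

def diff_hosts(baseline: str, current: str) -> Tuple[HostMap, HostMap, HostMap]:
    """Return (removed, added, remapped) relative to the baseline. 'remapped'
    holds hosts present in both but now pointing elsewhere, the shape a hijack
    takes (e.g. an update server's name pointed at 127.0.0.1)."""
    base, cur = parse_hosts(baseline), parse_hosts(current)
    removed = {h: ips for h, ips in base.items() if h not in cur}
    added = {h: ips for h, ips in cur.items() if h not in base}
    remapped = {h: cur[h] for h in base if h in cur and cur[h] != base[h]}
    return removed, added, remapped

# Constructed baseline: an admin who uses HOSTS for filtering, as in the text.
BASELINE = """\
127.0.0.1 localhost
0.0.0.0 ads.example.invalid tracker.example.invalid   # ad filtering
10.0.0.5 intranet.example.invalid
"""
# Constructed 'after' state: only the default line survived the overwrite.
AFTER_OVERWRITE = "127.0.0.1 localhost\n"

def main() -> None:
    removed, added, remapped = diff_hosts(BASELINE, AFTER_OVERWRITE)
    for label, group in (("REMOVED", removed), ("ADDED", added), ("REMAPPED", remapped)):
        for host in sorted(group):
            print(f"{label:8} {host} -> {', '.join(sorted(group[host]))}")
    if removed or added or remapped:
        print("HOSTS file differs from baseline: investigate")

if __name__ == "__main__":
    main()
```

On a real system the baseline would be a signed or otherwise protected copy taken when the machine was known to be clean, and the current file read from the live HOSTS path.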
WORM_LEWOR.D
This worm propagates via MSN Instant Messenger. It sends messages containing a link that points to a copy of itself to the available contacts in the MSN Instant Messenger of the affected user. The following are some of the URLs from which this worm is downloaded:
Upon execution, it drops a copy of itself in the Windows folder. It also drops two copies of itself in the Windows system folder. For its autostart technique, it modifies the registry depending on the platform of the affected system. It also modifies specific registry entries so that it is started whenever a .TXT file is opened. It creates a registry entry to disable the affected system's Task Manager, so the affected user has to use a third-party process explorer in order to terminate this worm. It also sets the home page and search page of Internet Explorer on the affected system to http://www.joyiex.com by creating several registry entries, and it creates a registry entry to prevent the affected user from restoring the default home page settings from within Internet Explorer. This worm creates mutexes to ensure that only one instance of itself is running on a system.
source: trendmicro.com