Symantec Blogs: Security Response

Amado Hidalgo | August 16th, 2007

Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, Monster.com. It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low-profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.

Interestingly, only connections to the hiring.monster.com and recruiter.monster.com subdomains were being made. These subdomains belong to the employers-only “Monster for employers” site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view...

Amado Hidalgo | June 20th, 2007

In the past few days, much has been written about MPack and the mass hacking of legitimate web sites by inserting hidden iframes. These iframes had the purpose of redirecting web surfers to malicious sites, which served exploits and eventually infected the computers of unsuspecting visitors.

We have created a little movie to help you understand the whole process. So without further ado, Symantec Security Response presents… MPack, The...

Amado Hidalgo | June 18th, 2007

You always thought that by staying clear of the dark alleys of the Internet and visiting only “reputable” websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here and here) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits.

As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.

...
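The two MPack posts above describe the injected, hidden iframe without showing what to look for in a page. The following scanner is an added example (not code from the original posts or from Symantec): it parses an HTML document with the standard library and flags iframes that are sized to be invisible (zero or one pixel), hidden with CSS, or pointing off-site; the `site_hosts` parameter, the `scan_html` name and the sample HTML (including the iframes appended after `</html>`, a placement these injections often used) are constructed for the example, and the hostnames are placeholders.

```python
"""Flag hidden <iframe> tags of the kind injected into compromised sites.
Added example with constructed sample HTML; host names are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_VISIBLE_PX = 1  # an iframe of 0 or 1 pixel is not meant to be seen
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Parse '0', ' 1', '1px' into an int; None when absent or non-numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeScanner(HTMLParser):
    """Collect iframes that look hidden or that load third-party content."""

    def __init__(self, site_hosts=()):
        super().__init__()
        self.site_hosts = tuple(h.lower() for h in site_hosts)  # the site's own domains
        self.findings = []

    def _is_own_host(self, host):
        return any(host == h or host.endswith("." + h) for h in self.site_hosts)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and w <= MAX_VISIBLE_PX:
            reasons.append(f"width={w}")
        if h is not None and h <= MAX_VISIBLE_PX:
            reasons.append(f"height={h}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if self.site_hosts and host and not self._is_own_host(host):
            reasons.append(f"src points off-site to {host}")
        if reasons:
            # getpos() gives the 1-based line of the tag being handled
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def scan_html(html, site_hosts=()):
    """Return a list of findings, one per suspicious iframe, in page order."""
    scanner = IframeScanner(site_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate iframe, then two injected after </html>.
SAMPLE_HTML = """<html><body>
<p>Benvenuti</p>
<iframe src="http://www.example.com/widget" width="600" height="400"></iframe>
</body></html>
<iframe src="http://bad.example.net/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://bad.example.org/" width=0 height=0></iframe>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, site_hosts=("example.com",)):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```

Run it over a site's pages after a suspected compromise; the legitimate 600x400 iframe on example.com is not reported, while both appended iframes are, each with the reasons that triggered it. Because the scanner keeps parsing past `</html>`, it also catches injections appended to the end of a file.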

Amado Hidalgo | March 31st, 2007

I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.

Symantec Security Response has detected a new worm in the wild: W32.Fubalca. It infects executables and HTML-type files, inserting links to malicious Animated Cursor files, and exploits the currently unpatched Microsoft Windows Cursor And Icon ANI Format Handling Remote Buffer Overflow Vulnerability (BID 23194) to download further copies of the worm.

The worm infects executables on all drives (including removable drives), except for the drive that Windows is installed on (e.g. C:\). As well as exploiting the vulnerability, the worm appears to spread through removable drives and already-mapped network shares.

The malicious Animated...
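The post above says the worm links to malicious Animated Cursor files but is cut off before describing them. As an added example (not Symantec's detection and not part of the original post), the following parser walks the RIFF chunk tree of an .ani file and flags `anih` header chunks whose declared length is not the 36 bytes of the ANIHEADER structure, chunks that claim more data than the file holds, and files with more than one `anih` chunk. The 36-byte header length and the relevance of an oversized `anih` chunk come from the public description of the ANI flaw, not from the post; the sample files are constructed in code.

```python
"""Added example: sanity-check the chunk layout of an Animated Cursor file.
Sample files are constructed below; nothing here is taken from a real worm."""
import struct

# ANIHEADER: cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIHEADER_LEN = 36


def iter_chunks(buf, start, stop):
    """Yield (fourcc, data_offset, declared_size) for each chunk in buf[start:stop]."""
    pos = start
    while pos + 8 <= stop:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        yield fourcc, pos + 8, size
        pos = pos + 8 + size + (size & 1)  # chunk data is padded to an even length


def check_ani(buf):
    """Return a list of findings; an empty list means the layout looks sane."""
    findings = []
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    if 8 + riff_size > len(buf):
        findings.append(f"RIFF size field {riff_size} exceeds file length {len(buf)}")
    stop = min(len(buf), 8 + riff_size)
    anih_seen = 0

    def walk(start, end):
        nonlocal anih_seen
        for fourcc, data, size in iter_chunks(buf, start, end):
            if data + size > end:
                findings.append(f"{fourcc.decode('latin-1')} chunk at offset {data - 8} "
                                f"declares {size} bytes but only {end - data} remain")
                return  # the layout past this point cannot be trusted
            if fourcc == b"LIST":
                walk(data + 4, data + size)  # skip the 4-byte list type (e.g. 'fram')
            elif fourcc == b"anih":
                anih_seen += 1
                if size != ANIHEADER_LEN:
                    findings.append(f"anih chunk #{anih_seen} at offset {data - 8} declares "
                                    f"{size} bytes, expected {ANIHEADER_LEN}")

    walk(12, stop)
    if anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks present; a well-formed file has exactly one")
    return findings


# --- constructed sample files -------------------------------------------------
def chunk(fourcc, data):
    """Encode one RIFF chunk: fourcc, little-endian size, data, pad byte if odd."""
    return fourcc + struct.pack("<I", len(data)) + data + (b"\0" if len(data) & 1 else b"")


def ani_file(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


GOOD_ANIH = struct.pack("<9I", ANIHEADER_LEN, 1, 1, 0, 0, 0, 0, 6, 1)
BENIGN = ani_file(chunk(b"anih", GOOD_ANIH),
                  chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 16)))
# A second anih chunk far larger than the 36-byte header.
OVERSIZED = ani_file(chunk(b"anih", GOOD_ANIH), chunk(b"anih", b"A" * 200))
# A chunk whose declared size runs past the end of the file.
TRUNCATED = ani_file(chunk(b"anih", GOOD_ANIH),
                     b"anih" + struct.pack("<I", 0x1000) + b"B" * 8)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        print(name, check_ani(sample) or "ok")
```

The check is deliberately structural: it trusts nothing in the chunk sizes until they have been compared with the bytes actually present, which is the same validation a loader needs before copying a chunk into a fixed-size buffer. Point it at files referenced by `cursor:` CSS rules or `.ani` links found in suspect HTML to triage them offline.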

Amado Hidalgo | February 7th, 2007

Last week, Microsoft published Security Advisory 932553 to warn Windows users of a new vulnerability in Microsoft Office. Security Response has analysed a sample of a malicious Microsoft Excel file that appears to be exploiting the vulnerability that is hinted at in that Advisory. Fully patched versions of Office 2000, XP, and 2003 appear to be vulnerable to this exploit.

When the malicious Microsoft Excel document, which Symantec now detects as Trojan.Mdropper.Y, is opened, it uses the exploit referenced by CVE-2007-0671 (BID 22383) to drop a Trojan horse program. It proceeds to drop a back door Trojan onto the compromised computer, and then attempts to contact a remote...

Amado Hidalgo | December 14th, 2006

I’d like to try and clarify the confusion that has surrounded the publishing and reporting of three Microsoft Word vulnerabilities in the last few days. The bad news is that there are actually three different vulnerabilities in the wild. In chronological order, this is the breakdown of these three vulnerabilities.

Vulnerability #1
BID 21451: Microsoft Word Unspecified Remote Code Execution Vulnerability (CVE-2006-5994).
This vulnerability was first reported by Microsoft on December 6 via their Security Advisory 929433. Symantec Security Response created a heuristic detection (Bloodhound.Exploit.106) for this vulnerability that yielded some interesting...

Amado Hidalgo | December 13th, 2006

MS Word is under scrutiny again this month. We have some new and interesting details about the vulnerability reported by Microsoft on December 5 (referenced by CVE-2006-5994). The story shows how the road from a simple bug to a working exploit is short and sometimes unpredictable.

This morning we analyzed some new samples that had been detected as Bloodhound.Exploit.106, which is a new heuristic detection released yesterday for the Microsoft Word zero-day vulnerability (described in Microsoft Security Advisory 929433). Among the submissions received from our customers we found a Word file that turned out to be a little gem.

We found a malicious Word document that was written in Portuguese and added detection for it as...

Amado Hidalgo | September 19th, 2006

The trend of new exploits being released immediately after Microsoft's Patch Tuesday is continuing (we are starting to call it "exploit week"). Symantec Security Response has confirmed a new Internet Explorer zero-day vulnerability today. It was first reported by Sunbelt Software. Security Response is rating it as critical because an exploit for this vulnerability is already in the wild.

We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, an XML-based language used to produce vector graphics) to overflow a buffer and inject shellcode. The exploit then downloads and installs multiple security risks, such as spyware, on the compromised machine.

An interesting feature of the Web sites hosting the malicious...