Security Response: Showing posts by Liam O Murchu

While analyzing W32.Zimuse recently I was surprised to find two different passwords used within the threat: one of these decrypts a Word document that contains information about some members of a Slovakian motorbike forum.

In order to spread via USB drives, W32.Zimuse copies the file zipsetup.exe to removable drives. If zipsetup.exe is run with no parameters it shows the following message box:

The zipsetup.exe dialog box

This is not a real WinZip dialog box, just a password box made to look like the WinZip message box. The user has 10 chances to enter the correct password, after which the application will close. Entering "2008_15_12" (without quotes) decrypts a Word document named zoznam.doc:

...

Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while.

Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice,...

In part one of this blog, I gave an overview of the exploitation flow for the recent DirectShow vulnerability. With no patch for this vulnerability available as of yet, the fact that we are seeing this exploit used more commonly in the wild is worrying. In this article I will discuss the exploit, how it works, and mitigation strategies to protect against it.

To get straight to the mitigation strategies jump to the bottom of the page. This vulnerability does not exist in Vista or Windows Server 2008.

The Vulnerability

To trigger this vulnerability, attackers are currently enticing users to visit a malicious page. Attackers have become quite adept at doing this by embedding iframe tags in legitimate pages, among other techniques.  This is the most likely attack vector. We have seen iframe tags pointing to this exploit inside phishing pages already and we do expect to see iframe tags added...

While investigating the worm W32.Waledac recently, we got a shock (and a few laughs) from what popped up on ours screens (yes, unfortunately this is what passes for kicks in the virus lab during the holiday season):

(to see how we received this – skip to “Arnold Surprise” below)

First, I’ll tell you a little bit about the worm. W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related, such as:

hxxp...

On Monday we saw that Trojan.Silentbanker had added rootkit functionality in order to hide its own files. Today we'll look at another change that the new version of the Trojan has introduced, namely, the new configuration file format that the Trojan uses.

Trojan.Silentbanker's configuration files have always been protected, ever since the first version of the Trojan that we encountered. The reason for this protection is to make it difficult to understand what the Trojan is doing, and in particular, to hide which sites the Trojan is targeting. The original version targeted over 400 banking pages. Although, the actual list of pages being targeted was only clearly visible after the protection had been removed from the configuration files.

In order to discover the list of sites being targeted by any version of the Trojan the protection needs to be...

The problem: You develop a software package that you want to sell in the underground community. However, your buyers are not the most reputable/trustworthy people. How do you prevent your product from being purchased once and then distributed freely afterwards? How do you enforce your “copyright”?

We have previously discussed Trojan.Bayrob without describing theentire attack from end to end. This article will show how the entirescam works from initial contact right through to the actual sale.Security experts at eBay are already well aware of it and working toprotect their customers.

Tip: It should be noted from the outset thatpotential buyers should read safety tips and follow preventativemeasures provided by their service provider.

To start with, take a look at this video for a walk-through of our analysis:

In order to attract potential victims the scammers first list carsfor sale on various auction sites. These auctions are not scams per se,but they are "legit" auctions that are used solely to attract potentialvictims—whoever asks a question or bids on these auctions becomes apotential victim. Once these auctions have expired the scammers get towork emailing each potential victim. These emails explain that thewinner of the...