Tag: malware

  • Exploits aplenty – IE / Excel (Firefox?)

    There are a number of vulnerabilities that are currently unpatched but have working, publicly known exploits: two for Excel and two for Internet Explorer. Proof-of-concept code has been released for both the Excel and the Internet Explorer vulnerabilities. With the code publicly available, it won’t be long before it is bundled into other malware delivery mechanisms. You might look at alternative browsers, BUT be forewarned that one of these vulnerabilities appears to work on a fully patched install of Mozilla Firefox. (According to SANS, the Secunia code doesn’t, but the Full-Disclosure exploit code does affect Firefox.) I’ve seen word of early 1.5.0.5 builds being available; I wonder if that will be modified to fix this issue?

  • New malware sightings

    Incidents.org had an entry in the last couple of days on a malware infestation that was interesting and showed a couple of things. 1) You can’t bet on antivirus to keep you safe: the initial installer was not detected by most AV vendors, and only one flagged it as suspicious. (If you think about it, this makes perfect sense: signature-based antivirus is reactive and needs to have seen a sample once before it can recognize it again.) 2) Malware, once on the system, brings all of its friends: the initial installer is just the first stage for whatever comes next.

  • The spammers win a round

    There is a company (well, unfortunately, WAS a company) called Blue Security. They had an innovative approach to stopping spam: a small download sent opt-out messages back to the REAL spam sender (clever concept, huh? bouncing to the person that REALLY sent the message). Of course, what was clever here was that they coordinated the responses of all their users, herding a “white hat” network of sorts. It was a successful concept: it looks as though 6 of the top 10 spammers agreed to clean up their mailing lists. Unfortunately, they then became the target of a massive DDoS. They managed to recover and come back, but the DDoS took out other sites as well, and there were threats of more, it seems.

  • Search engines to blame for malware spread?

    There are a couple of news stories about a McAfee SiteAdvisor report on the search engines’ responsibility for sites that distribute malware.

    McAfee said Friday that the epidemic of spyware and viruses could be linked to search engines. According to research from the company, even seemingly benign search terms could bring up sites loaded with nasty payloads.

    The study looked at the five major search engines — Google, Yahoo, MSN, AOL, and Ask — and covered a period from January through April. Researchers found that in every search engine, popular keywords returned sites that could be potentially dangerous.

    What’s worse, for popular keywords such as “free screensavers,” “digital music,” “popular software,” and “singers,” as much as 72 percent of the returned results contained some kind of risky link.

  • Makers of fake security software settle lawsuit

    Security Fix has some news today on some bogus security software makers (the wolves in sheep’s clothing, as I tend to think of them). They’re settling deceptive-trade-practice charges brought by the FTC. SpywareAssassin and Spykiller were facing a civil suit over ads that invariably found infestations on a user’s PC and offered to clean them up for ~$30 or so.

  • Big block of blank space in Add/Remove Programs

    This isn’t an earth-shattering issue, but as I was looking into some other problems on a Windows XP Pro system, I noticed a HUGE blank space in the Add/Remove Programs area of the Control Panel. It was something like this: there were several entries (10 maybe) and then a huge block of blank space, perhaps hundreds of “pages” long. I scrolled a bit with the mouse wheel and was not making quick progress, so I just grabbed the scroll bar and pulled down to see the next 30-40 entries.

  • Microsoft advisory on Sober “Awakening”

    Microsoft has posted a security advisory (912920) on the previously reported “awakening” of the Sober worm, expected January 6th.

    Systems that are infected with Win32/Sober.Z@mm may download and run malicious files from certain Web domains beginning on January 6, 2006

    Further, they give the following note….

  • More testing on the second WMF exploit

    After my Windows 98 tests, which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing at detecting this second exploit variation. I had set up and updated Metasploit so I could test my Windows 98 SE install against the latest version of the exploit, and with each connection to the locally hosted page I got a new random file. After I collected five of these, I ran them through virustotal.com to see how far detection had come in just 24 hours.

  • Cleaning up after the WMF exploit

    OK, I mentioned that I infested a virtual machine with the current WMF 0-day exploit. First I should probably clarify some terms. An exploit is the means of getting into a system; the payload is the software that gets installed once it’s in. In my case there was a long list of pests installed. Given that the exploit lets the attacker install any software at all, your experience may be different. That’s the first thing I want to make clear: depending on where and when you were affected, you may see vastly different malware.

  • WMF zero-day exploit first hand experience

    Well, I’ve just spent the better part of 6 hours (maybe a bit more) “sacrificing” a virtual machine to the zero-day Windows Metafile (WMF) exploit and all the malware that comes with it. I picked one site from the sunbeltblog list to infect the virtual machine with and can attest to it being quite nasty. I was able to get the virtual machine *mostly* clean. I still haven’t gone back over it to make sure, but I’ll be posting some details from the “fun” tomorrow.

    (more…)
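
    The three WMF posts above describe an exploit file that came out different on every download yet landed the same attack, with antivirus detection lagging behind it. What follows is an added example, not code from the original posts or from the Metasploit module: a small structural scanner for the condition the WMF 0-day (MS06-001) actually depends on, a META_ESCAPE record (0x0626) whose escape function is SETABORTPROC (0x0009), which lets a metafile hand gdi32 bytes to be called as an “abort procedure” while the file is played. The record identifiers and header layout are from the WMF format; the helper names, the sample files it builds and the filler bytes standing in for the randomized junk are constructed for this illustration, and the abort-proc data is inert filler, not a payload.

```python
# Added example: structural scan for the WMF SETABORTPROC trigger (MS06-001).
# WMF layout per the MS-WMF specification; samples and helper names are
# constructed for this illustration only.
import hashlib
import struct
from typing import Iterator, List, Optional, Tuple

META_EOF = 0x0000          # last record of every metafile
META_SETMAPMODE = 0x0103   # an ordinary, harmless drawing record
META_ESCAPE = 0x0626       # pass-through "escape" record
SETABORTPROC = 0x0009      # escape subfunction abused by the 0-day
PLACEABLE_MAGIC = 0x9AC6CDD7


def strip_placeable_header(data: bytes) -> bytes:
    """Drop the optional 22-byte Aldus placeable header if present."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[22:]
    return data


def iter_records(data: bytes) -> Iterator[Tuple[int, int, int, Optional[bytes]]]:
    """Yield (offset, function, size_in_words, params). Sizes are 16-bit words and
    include the 6-byte size+function prefix, so anything under 3 words is malformed;
    a parser that trusted such a size would loop forever or walk backwards."""
    body = strip_placeable_header(data)
    if len(body) < 18:
        raise ValueError("too short for a WMF header")
    mf_type, header_words, version = struct.unpack_from("<HHH", body, 0)
    if mf_type not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a WMF header")
    off = header_words * 2
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        if size_words < 3:
            yield off, func, size_words, None   # report it and stop walking
            return
        yield off, func, size_words, body[off + 6: off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2


def scan_wmf(data: bytes) -> List[str]:
    """One finding per suspicious record; [] means nothing structural was found."""
    findings = []
    for off, func, size_words, params in iter_records(data):
        if params is None:
            findings.append(f"malformed record at offset {off}: size {size_words} words")
            break
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {off}: "
                                f"{byte_count} bytes of abort-proc data")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample files (hypothetical helpers) ----------------------

def build_record(func: int, params: bytes) -> bytes:
    if len(params) % 2:            # records are word-aligned
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records: List[bytes]) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH",
                         1, 9, 0x0300,                       # memory metafile, 9-word header, v3
                         9 + len(body) // 2,                 # total size in words
                         0,                                  # objects in the handle table
                         max(len(r) // 2 for r in records),  # largest record, in words
                         0)
    return header + body


def build_benign_sample() -> bytes:
    return build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8)),  # MM_ANISOTROPIC
                      build_record(META_EOF, b"")])


def build_setabortproc_sample(filler: bytes) -> bytes:
    """Same trigger every time, different bytes every time: `filler` stands in for
    the randomized junk an exploit generator pads each download with (inert here)."""
    escape = struct.pack("<HH", SETABORTPROC, len(filler)) + filler
    return build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8)),
                      build_record(META_ESCAPE, escape),
                      build_record(META_EOF, b"")])


if __name__ == "__main__":
    import os
    a = build_setabortproc_sample(os.urandom(32))
    b = build_setabortproc_sample(os.urandom(32))
    print("benign  :", scan_wmf(build_benign_sample()))
    print("sample a:", sha256_hex(a)[:16], scan_wmf(a))   # hashes differ,
    print("sample b:", sha256_hex(b)[:16], scan_wmf(b))   # findings do not
```

    Run as-is, the two generated samples have different hashes, so a blocklist built from the first one misses the second, while the structural check flags both; that is the gap the VirusTotal results above were measuring. The scanner keys on the trigger, not on whatever payload the abort procedure drops, so it is the kind of rule a proxy or mail gateway could apply to WMF content; it is not a substitute for patching.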