Exploit Prevention Labs

New blog

noreply@blogger.com (tcsl) — Mon, 01 Sep 2008 13:45:00 +0000

Hi folks,

please visit and bookmark my new blog at http://thompson.blog.avg.com/

Cheers

Roger

Riddle us this, Batman

noreply@blogger.com (tcsl) — Tue, 27 May 2008 18:59:00 +0000

Hi folks,

Normally, we provide answers here, but today we have a question.

If you whois xpantivirus2008.com, it shows that the registrar is ESTDOMAINS (the actual owner is hidden, as usual).

If you look up the IP address of xpantivirus2008.com, it shows as 72.14.207.99.

If you whois 72.14.207.99, _that_ shows as GOOGLE!

The question is .... why? All we can think of is that they have a sense of humor.

Cheers

Roger

Here's a whoopsie to start the day

noreply@blogger.com (tcsl) — Fri, 16 May 2008 11:44:00 +0000

Hi folks,

One of the rolling headlines on AOL.com this morning is this ...

"Disgraced 'Oprah' Author Is Back",

and if you click on the link, you're taken to this page...

Attentive readers of this blog will immediately recognize that as being a probable fake codec, but not everyone is an attentive reader of this blog, and if you click the link, you're rewarded with this screen...

Folks, the rule is this ... if ever you have to install a codec to watch a vid, DON'T!!!. It's just not worth the risk. Btw, these guys frequently target MAC users too. It's increasingly common for them to look at your OS platform and offer up a MAC binary instead of Windows.

Btw, I know that AOL takes security seriously, so if they can get caught, anyone can get caught with this trick.

And shout-outs to Bruce for noticing this one.

Keep safe folks!

Roger

Well, there goes the Montana option

noreply@blogger.com (tcsl) — Mon, 31 Mar 2008 19:32:00 +0000

or at least the Idaho variant.

Hi folks,

One of our in-house jokes is that the only real way to be safe on the Internet is to sell all your computers and move to Montana.

Regretably, today we noticed that the innocent and bucolic sounding boise.com was showing up as carrying a link to a known exploit site.

Thinking it couldn't possibly be so, we went to look at the website thusly...

Looks innocent enough, but a view of the source reveals a chunk of escaped javascript ...

Aha! That looks suspicious.... And a look at our debug tool shows a call out to a gpack exploit site...

The web cams are actually pretty interesting, but we can't find any way to contact the site owner to tell him, so we thought we'd post it here.

Cheers

Roger

This might be the ultimate irony

noreply@blogger.com (tcsl) — Mon, 31 Mar 2008 01:30:00 +0000

Hi folks,

Today we found what might be the ultimate irony... a spyware product where the home page has been hacked, and is installing someone else's rootkit!

The product is one of those spy-on-your-spouse/kids/employees things that says it's stealthy (in other words, _it's_ supposed to be a rootkit itself), and the home page has a chunk of escaped javascript

that calls out to a Neosploit site that's installing a rootkit.

And it's the new Neosploit too.

We're trying to contact the site owner to tell them, but the "contact me" page crashes.

Oh well... we'll keep trying.

Cheers

Roger

GPack

noreply@blogger.com (tcsl) — Fri, 28 Mar 2008 22:25:00 +0000

Correction: Sorry folks... there's so much happening at the moment, I've merged a couple of kits in my mind. It's not a mix of vbscript and javascript. It's just javascript, and thus far, we've only seen one exploit come out of it ... a mouldy, old MS06-014, although we expect there are more than that. The rest of the write-up is reasonably accurate, and we'll continue to correct things as we find more.

Hi folks,

A new exploit framework, called Gpack, has been popping up on our radar for a while now. We couldn't find much information on it, so we thought we'd better write some.

The first interesting thing about it is that the external, obfuscated wrapping script is a mix of vbscript and javascript. In other words, some of it is interpretted by the vbscript engine, and then the result of that is used to interpret the javascript portion. The idea here is to make it hard to decrypt and hard for av engines to follow it. To some extent they're successful with this, as the un-obfuscated code is seriously ugly and hard to follow.

The second interesting point is that there is nothing new in it. They've gone to a lot of trouble to obfuscate some really old and common exploits.

The third interesting thing is the number of innocent websites that have been hacked by someone pointing back at this kit. There are lots and lots of them... mostly mom and pop shops, but _lots_. We haven't figured out what the common thread between them is so far, but there clearly is one, for so many to be hacked.

The fourth interesting thing is that while there is clearly more than one set of Bad Guys involved, most of them seem to being hosted by the same ISP, because the exploit IPs are similar.

By the way, the exploit set seems to be:

MDAC/ MS06-014
MDAC variant - MS06-042
QuickTime
SetSlice
WinZip
VML

These are very common, and we can assume the author simply lifted them from the public domain, and put most of his effort into the obfuscation.

Nothing new here folks, except that it's being quite widely adopted.

Cheers

Roger

New Exploit Targets Corporate Users of CA Apps

noreply@blogger.com (tcsl) — Fri, 28 Mar 2008 16:59:00 +0000

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as frsirt started talking about a vulnerability in dll/ ocx used in various CA products. See here http://www.frsirt.com/english/advisories/2008/0902 , for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.

Secondly, the vulnerability is likely to be quite widespread, simply because of CA's size and spread within the corporate market.

Thirdly, the exploit will likely soon also be quite widespread, simply because it is Neo, and Neo is quite popular as an exploit package.

Fourthly, corporate clients should probably be pretty nervous, because their firewall is unlikely to protect them against this. Remember, web traffic is usually permitted to go right thru the firewall, because it _starts_ from a trusted place ... _inside_ the firewall.

Another contributing factor to corporate nervousness is that they rarely allow automatic patching. This is an example where they probably should.

The current list of exploits is therefore:-

Mdac/ MS06-014
SuperBuddy
CaListCtrl
NctAudio
GomWebCtrl
SetSlice
DaxCtle

In other words, they've added the CaListCtrl exploit, and dropped the Yahoo Jukebox and Microsoft xVoice exploits, presuambly because they were not productive.

Folks, this appears to be one for the corporates rather than consumers, but it highlights that the Bad Guys are still thinking hard and probing hard.

Natuarally, LinkScanner and AVG 8 users have little to fear, as we detect it and block it just fine (which is how we noticed it in the first place)

Cheers

Roger

Arthur C Clark dies, and Space.com gets hacked!

noreply@blogger.com (tcsl) — Mon, 24 Mar 2008 01:24:00 +0000

Can't you see the pattern emerging??

Seriously though, uplink.space.com (careful) has had an iframe injected into it, and it's reaching out to another seemingly hacked site (www.forvideo.at - careful),

and launching a encrypted javascript

that turns out to be a simple and venerable MS06-014 exploit.

It's not an exploit pack, so it's just a single exploit, and it's tracking IPs, so it'll only come once, but it's there.

And the exploit is only an MS06-014, but the point is that if the website is vulnerable enough to have a mouldie old exploit injected, it could have something much newer and fiercer. Space.com needs to fix their website, and we've sent them an email about it. Hopefully they will, because they get an awful lot of visitors each month.

Cheers

Roger

Something new tonight

noreply@blogger.com (tcsl) — Fri, 21 Mar 2008 00:17:00 +0000

Hi folks,

Tonight we found something new in an exploit pack coming from a site in China. Well, the exploit is actually from May 2007, but this is the first time we've seen it in use. This indicates two things... the first is that the Bad Guys are apparently combing older exploit announcements looking for appropriate samples. When you think about it, any exploit that allows remote code execution, and for which there is no forced or automatic upgrade of the vulnerable program is useful to them. Remember, they don't _want_ to catch everybody. They couldn't manage 100k victims. They don't want to cut down the apple tree, but rather just shake it, and pick up the fruit that falls off. What this means is that old exploits are still valuable when there is no automatic patch mechanism.

Btw, the exploit in question is a buffer overflow in something called Zenturi ProgramChecker, and is described nicely here ... http://www.kb.cert.org/vuls/id/603529.

The second interesting thing is that it is obviously Yet Another Exploit Pack. It has all the common ones that we've come to love and expect with Mpack/IcePack/Neosploit, and the obfuscation scheme is very similar to the one in use with Mpack/ IcePack, so this probably means that someone has bought or stolen a copy of Mpack/ IcePack, and has modified it with the addition of the Zenturi exploit, and is now selling it as their own work.

GASP... no, there's no honor among thieves, and Copyright means when you copy it, it'll be right, and all that stuff.

The full list of exploits is ...

Zenturi ProgramChecker
MDAC/MS06-014
VML/MS07-004
Yahoo Webcam Image Uploader
Yahoo Webcam Viewer
Winzip
QuickTime
and
MSXML/MS06-067

By the way, the exploit site is in China (no surprise there), but the lure site is in the USA, and is quite interesting. We might write about that tomorrow.

Cheers

Roger

Unfortunate hack at tax time

noreply@blogger.com (tcsl) — Thu, 13 Mar 2008 20:50:00 +0000

Hi folks,

We noticed a couple of Alabama county websites have been hacked, with a Neosploit call out to a website in Germany.

The two websites are...

hxxp://www.co.blount.al.us/ and
hxxp://www.blountrevenue.com/

(The actual exploit server in Germany seems to be 404 at the moment, but you should still be careful)

The second one is more interesting, particularly given the time of year. The front page looks like this ...

Looks pretty innocent, doesn't it? If you're good at html, and you make a point of looking at page source, you might notice something weird at the top of the page ...

but you probably won't, because no one looks at source much anyway. ;-)

If you have a Really Useful Tool (tm) like our Browser Helper Object, you'll probably notice that it's reaching out to a funny looking site ...

That's because the funny looking javascript s actually a Neosploit obfuscation that decrypts to a call to an attack script at 78.47.147.188. This site is currently 404, but it might come back to life at any time, so be careful.

We've told the very nice folks at the revenue website, so it should be cleaned up soon. It's just a particularly unfortunate website to be hacked at tax time.

Cheers

Roger

Something interesting

noreply@blogger.com (tcsl) — Sun, 02 Mar 2008 19:20:00 +0000

Hi folks,

hat-tip to Ståle Fagerland of Norman for noticing this article...

http://joongangdaily.joins.com/article/view.asp?aid=2886846

To save you _having_ to read it, the story is about a CEO of a Korean software company being arrested for foisting fake anti-spy software on unsuspecting victims. (entering sarcasm mode) Gosh, who`d have thought it? (leaving sarcasm mode) Apparently, not only would the software lie about detecting problems on the system, and try really hard to get victims to pony up a payment to register the software, sometimes it made the victims re-buy the software every month!

Now, arresting theses guys is not a bad idea in itself, but that`s not the most interesting aspect of the story. In fact,if the article is correct, there are two stunning revelations.

The first is that they made $10m doing this over two or three years!!! Another couple of years at that rate, and before you know it, you`re talking real money. No wonder we see so much of this stuff!

The second astonishing thing is that, according to the article, there are over 200 anti virus companies in Korea! If that is correct, that is simply amazing for an industry that`s 20 years old!

That would seem to indicate...

(1) that the US and European companies have not dominated and rationalized the market there, and
(2) none of the local companies have managed to dominate either.

It must also mean that there`s an awful lot of av guys not making much money, so it`s not entirely surprising that people are tempted to initiate frauds like this.

And if there are that many in Korea, how many must there be in China!?

Cheers

Roger

google defames saints ... bolts of lightning fall

noreply@blogger.com (tcsl) — Mon, 25 Feb 2008 22:09:00 +0000

I'm kidding, I'm kidding!!!!!!!

Update number 2: Feb 26, 2008, 6:30am est

Dang, that was quick. Some of the sites, such as St Kilda, and the Geelong Cats sites, are now correctly marked as clean. They're not all correct though ... the Brisbane Lions site is still incorrectly marked as dangerous, for example, but that was still quick for the others, and we hope that all will shortly be corrected. Shout-outs to google for reacting quickly!

Update number 1:

Some of our team in the Australian office noticed that it wasn't just the Saints, but also the Victorian based clubs of North Melbourne Kangaroos, Carlton Blues, Geelong Cats, Hawthorn Hawks, Melbourne Demons and Richmond Tigers, plus Port Adelaide Power (South Australia), Sydney Swans (New South Wales) and Brisbane Lions (Queensland) all being blocked by Google the same way. Shout-outs to the guys down-unda!

-----------------------------------------------------------------

Hi folks,

What I'm really talking about is that if you search for "saints football club", the number 3 organic search result is the famous (to Australians) St Kilda Football club. The "defamation" bit is that google has one of its "This site may harm your computer" messages against it.

(If you look at the screen snapshot, you'll notice that LinkScanner assesses the site to be clean... the correct result)

This means that it is not possible for anyone to click thru a google search and get to the St Kilda website... you have to deliberately cut and paste the url back into your browser bar.

The reason that they're doing it is that, probably, at some point the website was hacked, and was infecting people, but ....GOOGLE-GUYS!!! IT'S CLEAN NOW!!! TAKE THE BLOCK OFF, PLEASE!!! (I feel like saying "Mr Google! Tear down this wall!", but I wouldn't be so bold.)

What this really underscores is the concept that a centralized database is useless at detecting web issues... the problem is simply too transient.

This happens quite a bit, and I must admit that I'm surprised that no one has accused google of damaging their brand. I'm sure regular readers of my blog will remember the case of k1-usa.net. They used to be the number one organic result when people searched for k1. They were hacked for about 10 days, and then cleaned, but in the mean time, they had earned the "This site maye harm your computer label", and over the next 12 months, before the label was removed, their rating slipped, and slipped, until finally it was nowhere on the first three pages.

I can't imagine St Kilda taking it lying down if their ratings start to slip, and I can't imagine google meaning that to happen. It just shows how difficult it is to keep up.

Cheers

Roger

Another gov site hacked

noreply@blogger.com (tcsl) — Fri, 22 Feb 2008 16:24:00 +0000

Hi folks,

Who can see what's wrong with this picture?

Looks pretty reasonable, doesn't it? Here's what you see if you have a suitable monitoring tool...

Enquiring Minds will wonder why a county government site is reaching out to pepato.org.

And here's what you see on a vulnerable pc, _if_ you're running another suitable monitoring tool...

And here's the offending code in the page source ...

Yes, it's hacked. Bit hard to tell without some tools, though, eh? We've told the county, so we expect it'll get cleaned up very quickly, but be careful in the mean time.

Cheers

Roger

This is kind of funny

noreply@blogger.com (tcsl) — Fri, 22 Feb 2008 03:55:00 +0000

Hi folks,

We've been following up on the new Neosploit that we reported last night. This was actually a pretty high-profile site, so we wanted to notify them. We couldn't find a contact point on the hacked domain, but we found another subdomain that had an online support chat option, and we gave it a try. The conversation was sufficiently funny that we grabbed a screen capture (anonymized to protect the innocent). You might have to double-click it to read it, but it's worthwhile...

:-)

Fwiw, we eventually found someone who understood, and we got it cleaned up.

Cheers

Roger

New Neo Now

noreply@blogger.com (tcsl) — Wed, 20 Feb 2008 16:46:00 +0000

(Sorry... the alliteration bug bit me)

Hi folks,

Last night, as the title suggests, we found a new version of Neosploit. It has two new exploits, one uses a clsid of EEE78591-FE22-11D0-8BEF-0060081841DE, which appears to be the ActiveVoice ActiveX dll from Microsoft, and the other clsid is 5F810AFC-BB5F-4416-BE63-E01DD117BD6C, which is the Music Jukebox control from Yahoo.

The most recent ActiveVoice exploit seems to be from about June 2007, but the most recent JukeBox exploit is from Feb 2008, so that's kind of interesting.

We'll try to figure out over the next couple of days if these are the ones that indeed match up, but the bottom line is that the Neosploit developers are very active.

Cheers

Roger

Wow... this was quick

noreply@blogger.com (tcsl) — Sun, 17 Feb 2008 03:30:00 +0000

Hi folks,

I'm sure most people know about the horrific attack on the poor NYC psych. In the news tonight, we noticed that the police had arrested someone named David Tarloff for allegedly being the perp. With the web being what it is, we often find that if you look quickly, you can find personal pages about these people, often before the police get them taken down. Ok, it's a little morbid, but it's interesting at the same time.

So, when we googled for David Tarloff, here was the result...

Hmmm... an AOL journal account... that sounds plausible for a personal page... click...

Yep ... still looks plausible ... let's click the name ... click...

WAAAAIT A MINUTE!!!!! That ain't no Hank William's song! (Pop culture reference to Bob, of Bob's Country Bunker in the Blues Brothers, where Bob suddenly realizes that that the boys aren't really a country and western band, and that he's been had.)

Attentive readers will instantly notice that this is a Fake Codec, and will close the browser. Non-attentive readers will attempt to install the codec, and will be rewarded with a rootkit.

But how quick was that? We only noticed that the guy had been arrested and named today, and yet they not only managed to get their lure in place on AOL, but they also managed to get their site the Number One organic result on Google if you search for David Tarloff! And on the weekend at that! These boys are on the ball. We're grudgingly impressed.

Be careful folks, it's a tricky world out there.

Cheers

Roger

MalwareAlarm

noreply@blogger.com (tcsl) — Thu, 07 Feb 2008 22:35:00 +0000

Hi folks,

MalwareAlarm is so common now, we decided to give it it's own vid. Remember, it's not really scanning your pc, it's just pretending to, but it does a very good job of pretending. Enjoy...

Cheers

Roger

UK .gov site hacked

noreply@blogger.com (tcsl) — Wed, 06 Feb 2008 13:39:00 +0000

Note: One of our users, John Thomson (no relation as far as I know :-) ) noticed this first and brought it to our attention. His blog entry is here ...
http://www.roundtripsolutions.com/blog/2008/02/06/317/forth-road-bridge-website-hacked/

Sorry John! :-)

Hi folks,

Sometime between the 1st Feb 2008, and the 3rd of Feb 2008, the official website for the Forth Estuary Transport Authority was hacked an obfuscated iframe, using Neosploit encoding, was injected.

This decoded to an iframe that called to 88.255.90.130 (careful about going there, folks)...

This, in turn, loaded one of the current Neosploit exploit package (we have a full write-up on Neo a little further down this blog). If you're patched, or running LinkScanner, you're ok, but if not, you probably got a rootkit, so if you visited that website in the last couple of days, you might like to run an anti-root and an anti virus over your system. AVG has a free one here ... http://free.grisoft.com .

One of the most interesting aspects of this is that inside the full Neosploit download was an attempt to load bbc.com.uk , presuamably after the infection, presumably to hide what had happened a little bit. That's no big deal in itself, but a hacked uk gov website, pointing to the bbc afterwards makes us think it was not a random hack, but something more deliberate. Interesting times, folks.

Looks like they cleaned the site this morning, although the google cache is still infective, so be careful.

Cheers

Roger

Return of Innocent Searches

noreply@blogger.com (tcsl) — Sat, 02 Feb 2008 22:11:00 +0000

Hi folks,

I keep getting requests offline for more innocent searches, so here are some from the last couple of days. Enjoy...

coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac
carolina theater - mpack/ icepack

Stay safe folks,

Roger

A transient hack

noreply@blogger.com (tcsl) — Thu, 31 Jan 2008 03:06:00 +0000

Hi folks,

A few days ago, we were looking at a website that was being blogged about (on Jan 21st) as being hacked, but when we looked (on Jan 21st) it was already clean. What we normally do in such cases is go to the google cache, and that usually gets us a copy of the exploit, but in this case, it was clean in the cache as well, so... what gives???

The google bots went past three days earlier, so we wondered if there was a different result from the other search engine caches, and lo and behold, the yahoo cache was still infective. :-)

Now, yahoo doesn't show the date that they went by, but a quick email exchange with the blog author confirmed that it was definitely infective on the 21st.

What this means is that it was clean on the 18th, but hacked after that, and then cleaned on the 21st.

Just for fun, we made this vid about it...

Keep safe folks

Roger

Pigs fly... oh, and another 0-day ... ho hum

noreply@blogger.com (tcsl) — Mon, 14 Jan 2008 02:43:00 +0000

Hi folks,

In a previous entry I suggested that we'd probably never know how the uc8010.com mass hack occurred unless one of the website victims told us, and that the chances of that were about the same as flying pigs. Guess what ... it turns out that some people do have the right combination of nerve, public spirit, and willingness to share about security matters... so... pigs _can_ fly, and now we know how it happened. I _did_ promise it was off the record, so we can't share it further, but at least we know. Bravo to that person!

And why ho-hum about a 0-day? It only affects users of a product called QVOD Player, which seems to be a popular Chinese media player, but which is probably only on Chinese user's machines.

The exploit code is coming from a Chinese website, so that makes sense, and it is obfuscated by flipping all the high-order bits in the javascript, to make it harder to read and notice.

Fortunately, this appears unlikely to be taken up by the gangs targeting Western PCs and the kit developers, so it's probably not going to be a major problem.

The real message, of course, is that the Bad Guys are still thinking.

Cheers

Roger

So this is kind of interesting...

noreply@blogger.com (tcsl) — Sun, 06 Jan 2008 02:09:00 +0000

Hi folks,

This domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains.

So the first point is that this was a pretty good mass-hack, and it wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.

The second point is that some victims were pretty sophisticated in terms of security smarts, including, apparently, some Computer Associates pages. The exploit must have been pretty new. I wonder if any of the website operators will have the nerve to own up and tell us how they got nailed? Pigs might fly too.

The third point is how fast the victims are being cleaned up. If you google for uc8010(dot)com, you still get about 50k hits, but if you are running something like LinkScanner (something that can check out each of those sites in real time by crawling to them), you will see that although the google snapshot still shows them infected, LinkScanner shows that the majority of them are already clean. (Btw, what this means is that the cached copy is probably still infective, so don't go testing it out yourself unless you know what you're doing)

The fourth interesting point is that the only exploit we were able to coax out of them was the venerable MS06-014 (MDAC) patched in September 2006. What this means is that they went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a mouldy old client exploit. It's almost a dichotomy.

Stay safe folks!

Cheers

Roger
Chief Research Officer
AVG/ Grisoft

Neosploit January 2008

noreply@blogger.com (tcsl) — Thu, 03 Jan 2008 23:25:00 +0000

Hi folks,

Welcome to 2008. Let's hope it's a safer year than last.

Given that Neosploit seems to be gaining in popularity, and seems to be being modified fairly often, we thought it would be worthwhile to take a bit of a snapshot of it, for posterity's sake, if nothing else.

Here's what we're seeing in January 2008: (Props to Glenn Jordan of AVG/ Grisoft, and Nick FitzGerald for their Most Excellent help with decryption and analysis)

First there's a sort of pre-amble... typically there is a launcher script whose job it is to simply redirect to the exploit script. We say "simply" with our tongue firmly in our cheek because the launch scripts are typically encoded twice with Neosploit to make it hard for crawl-bots (but not a browser) to follow, and it appears that they might be encoded with the ip of victim, so that the exe is hard to get (except for a victim).

Then the exploit script itself is also double encoded, again with the Neo-algorithm, and contains the following exploits...

(1) first is the venerable MDAC (MS06-014). It's old, (worked up to Sep 2006), but it works like a charm if you're not patched.
(2) second is one of the many QuickTime exploits. It's not easy to determine which version it is, but it's probably one of last years.
(3) three is AOL's SuperBuddy, from April 2007
(4) is an NCTAudioFile2 overflow from January 2007
(5) is the GomWebCtrl from October 2007, and which has recently appeared in the Storm exploit pack as well (an idea that is Catching On (tm))
(6) is SetSlice, patched in October 2006 and
(7) is the ANI exploit from April 2007.

Interestingly the previously-popular WinZip exploit has been dropped.

The payload, or the exe that gets delivered, of course varies from website to website.

It will be interesting to see how long it takes to update it with the current RealPlayer exploit.

Keep safe folks!

Roger

Storm is b-a-a-a-a-ack

noreply@blogger.com (tcsl) — Mon, 24 Dec 2007 19:25:00 +0000

Hi folks,

As you've probably noticed, Storm is back for Christmas. There are only two noteworthy points about it.

The first is that they've added another fairly new exploit to it, and that is for something called GomPlayer, or the Gretech Online Movie Player, which is apparently very popular in South Korea.

The exploit is from October 2007, and is explained here, http://www.milw0rm.com/exploits/4579, but the key point is that if you're using GomPlayer, you're potentially vulnerable.

The second point is that 3rd party dlls continue to provide the attack points for new exploits. This is kind of interesting, and either means that Microsoft is patching faster than the exploits are coming out, or 3rd parties are not patching fast enough, or perhaps both.

Of course, this also highlights that the Bad Guys don't want or need a massive number of infections... they couldn't handle that... all they want is enough to make a profit. Folks, they're farming the Internet.

Cheers

Rog

In the news today... December 19, 2007

noreply@blogger.com (tcsl) — Thu, 20 Dec 2007 02:14:00 +0000

Hi folks,

Things have been quiet for a few weeks now, and we've been patiently waiting for the other shoe to drop, especially given that it's the run-up to Christmas, but four fairly notable things have happened today...

First is that the DollarRevenue guys have been fined $1m euros for dodgy practises, with the full story here.

Shout-outs to OPTA, although a bigger fine would have been even better.

(Props: Larry @ Spamhaus)

Second is that the authors of the popular Pinch trojan have been arrested in Russia, full story here.

(Props: Kaspersky Labs and Ferg)

Surely those two events will serve to make perpetrators think twice.

Third is that, seemingly overnight, there was a web worm on Orkut, which seemingly lived, infected 400k computers, and died again overnight due to google being quick to react (shout-outs to google for that). Basic story is that any place where 3rd parties can post to a website, such as scrapbook entries on Orkut, represent an issue. If the 3rd party can post javascript, there's a good chance they can do something malicious, so all such inputs are supposed to be sanitized against that, but in this case the perp found a way to disguise the javascript enough to get past the validation/ sanitization process, and voila .... a webworm. It's a wonder we don't see more of them. Fuller story here.

(Props: Ryan)

The fourth thing is that one of our goat machines we got a virus today from a website. A really, truly virus called Cekar! Cekar is not particularly new, having been around the early part of 2007, and its main function is to steal passwords from a Chinese chat program called QQ (according to McAfee ... http://vil.nai.com/vil/content/v_141463.htm), and this makes sense, because it came in from a Chinese exploit server. The exploit that delivered it was old too... an MDAC (MS06-014), but it was interesting to watch it infect the system. It was a fast infector too... instead of waiting for a program to execute before infecting, it hit the whole disk, and all visible network drives in one pass. Quite took us back to the Old Days of the early 90's when fast infectors were the problem du jour.

This really underscores two points... (1) it's way better to keep these things off your disk in the first place, because a fast infector messes you big time, and (2) we are _always_ going to need good antiviruses, just for the times when they manage to get in.

Cheers

Roger