Next Page >>
Malicious Software
From http://support.microsoft.com/kb/890830
======
Reporting component
The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items: * The name of the malicious software that is detected
* The result of malicious software removal
* The operating system version
* The operating system locale
* The processor architecture
* The version number of the tool
The scan-function and the online-scanner OnGuard doesn't
scan .sit- and .dmg-archives.
Impact:
It's possible to download malware from the internet or
to copy it from an usb-stick without interruption from
iAntiVirus.
Malware in .sit-archives is recognized by OnGuard during
manuel decompression, but malware in .dmg-diskimages is
only recognized during a manual scan of the mounted image.
systems to prevent
> pretty much anything from being installed or modified. So everytime you
opened up a brand
> new session of ie and tried to access an external site you were prompted
for your
> username/password. Somehow I doubt there's any malware around that is
designed to survive
> in that type of an environment.
(This is far enough afield that I'm not cc'ing pdp or Thor or anyone else,
just the lists).
Affected products :
Client-side products
---------------------
These will not be patched, trends reason is that
malware will be detected up on extraction. While this is true for end-user
setups this is not the case if you use such products to scan Fileservers,
Database servers or any server where an enduser does not actively extract
content. The detection is still completely bypassed. In other words you
can no longer assume that RAR,ZIP,CAB (or any other archive) is safe/clean after
a Trendmicro scan with these products .
[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]
I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple. As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.
As Gadi mentioned, there are a number of known issues that Apple has
pull off, we can safely say the "future" you state below is here now.
Now, what is interesting is that any exploit requiring social
engineering to work has so far been less of a problem than the vast
majority of "remote buffer overflow" exploits like the Blaster and SQL
worms. Social engineering-required malware still works, and works well,
but not with the same success of remote buffer overflow malware. There
is very little we in the security space can point to as a success...but
the overall decrease in remote buffer overflows is one. Unfortunately,
the social engineering malware is getting better day-by-day. We can no
longer count on mispellings (sic) and bad grammar to be malware
> pull off, we can safely say the "future" you state below is here now.
>
> Now, what is interesting is that any exploit requiring social
> engineering to work has so far been less of a problem than the vast
> majority of "remote buffer overflow" exploits like the Blaster and SQL
> worms. Social engineering-required malware still works, and works
> well,
> but not with the same success of remote buffer overflow malware. There
> is very little we in the security space can point to as a
success...but
> the overall decrease in remote buffer overflows is one.
>
> Now, what is interesting is that any exploit requiring social
> engineering to work has so far been less of a problem than the vast
> majority of "remote buffer overflow" exploits like the Blaster and SQL
> worms. Social engineering-required malware still works, and works
> well, but not with the same success of remote buffer overflow malware.
> There is very little we in the security space can point to as a
success...but
> the overall decrease in remote buffer overflows is one.
Dear all,
I want to share with you this phenomenon.
Web malwares are heavily attacking big hosting providers during the last days.
In particular, as I know, attacks were moved against GoDaddy (USA) and Aruba (Italy). All index files were infected. If you are a customer of the above providers, it's enough to remove the malware script, if your website was infected.
There are a couple of malwares attacking Aruba, at the moment. I just did some reverse engingeering of the last one I found.
Twitter.com is being used to support the script execution.
Cheers,
Angelo Rosiello
the form of an installed program (e.g., Back Orifice), or could be a modification to an
existing program or hardware device.
According to an article on PC World: "The software vendor is giving law enforcers
access to a special tool that keeps tabs on botnets, using data compiled from the 450
million computer users who have installed the Malicious Software Removal tool that
ships with Windows."
Not a big deal until you keep reading: "Although Microsoft is reluctant to give out details
on its botnet buster - the company said that even revealing its name could give cyber
criminals a clue on how to thwart it"
'OS X is the new Windows 98.'
Its sensationalist and of no use, especially when posted to lists that
are supposedly populated with security experts. Everyone here is aware
of the consequences of malware and the manipulation of end users to
spread it. Of course its interesting that a criminal group has taken
to spreading this but hyping up the consequences of it do nobody any
good and is just spreading FUD. To me it seems like the original
poster is trying to get a quote in some tech/security/computer
magazine.
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
those markers is parsed and interpreted. Furthermore PDF files are read from
the bottom to the top.
Adobe Acrobat nor the FoxitReader care too much about the data that
comes prior the magic byte, the kaspersky engine does, not only does
it care, it fails to detect the malware inside the PDF file.
I will spare you the details, a PDF file is bascialy a container that
starts with %PDF and ends with %%EOF.
What follows are the details of this evasion, note this one is generic
The Cyclic Nature of Computer Security, or Must we always
go in circles?
11:00 Coffee Break
11:30 Session: Malicious Software
11:30 Embedded Malware - An Analysis of the Chuck Norris Botnet
Pavel Celeda, Radek Krejci, Jan Vykopal and Martin Drasa
12:00 Experiences and Observations from the NoAH Infrastructure
Classifications:
* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government
To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
Hi Vladimir,
Please understand that I will not enter that discussion any longer.
Please note that :
V3D> is not malware/intrusion or malware in the form unused in-the-wild
V3D> is not vulnerability.
Is false. It is recognised malware, else the test woulnd't make sense -
obviously.
ABSTRACT
Nowadays most of the malware applications are either packed or protected.
This techniques are applied especially to evade signature based detectors
and also to complicate the job of reverse engineers or security analysts.
The time one must spend on unpacking or decrypting malware layers is often
very long and in fact remains the most complicated task in the overall
process of malware analysis. In this report author proposes MmmBop as a
relatively new concept of using dynamic binary instrumentation techniques
* In the US a small financial firm in Montana lost the information of all
its 226,000 customers
(http://www.webappsec.org/projects/whid/byid_id_2008-08.shtml)
But the incident I want to focus on this week is one I just added from late
last year: In India a large newspaper site was broken into and malware was
planted on it
(http://www.webappsec.org/projects/whid/byid_id_2007-85.shtml). Why is it
important? based on a recent report by WebSense, 51% of the sites hosing
malware are legitimate sites that have been broken into. This is a major
shift in web based threats. For end users, it is not sufficient anymore to
Classifications:
* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government
To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
> Classifications:
>
> * Attack Method: Unknown
> * Country: France
> * Country: Libya
> * Outcome: Planting of Malware
> * Vertical: Government
>
> To iframe or not to iframe, this is the question. As malware becomes more
> popular, the number of incidents, mostly insignificant, in which malware was
> planted on a hacked site is rising and WHID is not the right place to list
///////////////
Architecture of the vulnerable HP Info Center software gives an attacker few different
attack vector combinations:
- remote automated download and execute (e.g. malware instalation)
- remote registry arbitrary key access (e.g. attack preparation, remote system info gathering)
- remote registry data modification (e.g. sensitive data manipulation, malware instalation, DoS attacks)
- system disk data area manipulation and user documents alteration (e.g. system files manipulation,
sensitive user documents access, entire system crash DoS attacks)
Classifications:
* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government
To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
NOTE: Resending this was blocked last time.
Profit-driven malware has gotten very good at using Social Engineering
(backed up with Exploits) to spread itself. Zlob and it Codecs are one
particular example that has worked very well on Windows, even by
simply getting the user to install the software willingly. The
Storm/Zhelatin/Russian Business Network group however are by far the
best at this. They have shown time and time the power of simple Social
Engineering in order to infect victims machines. Zlob may have been
the first for profit malware to make the jump, but if it proves
WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================
ATTENTION ! Security Center has detected
malware on your computer !
Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
>
> WINDOWS REQUIRES IMMEDIATE ATTENTION
> =============================
>
> ATTENTION ! Security Center has detected
> malware on your computer !
>
> Affected Software:
>
> Microsoft Windows NT Workstation
> Microsoft Windows NT Server 4.0
Eric's talk seems to be a good start on risk analysis of gadgets generically.
The design of Vista gadgets seems particularly troubling since it seemed to
have several design flaws which were the subject of the paper.
> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> serious exploits yet. I guess the relatively low uptake of Vista (compared
> to the XP installed base) has meant that they're not a significant target
> for the malware industry just yet, since it's still more profitable to do a
> drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.
BLACK HAT WASHINGTON DC CFP NOW OPEN
Held February 16-19, 2009 at the Hyatt Regency Crystal City. Black Hat DC is
the leading security conference focused on the needs of government and
infrastructure security professionals, with tracks focused on Hardware and
Embedded Devices, Reverse Engineering and Malware, Client Wars and
Application Security, and Forensics and Network Protection. We hope to see
you there for another highly technical and refreshingly vendor-neutral
event.
Submitters will have until January 1 to get their papers into the Black Hat
The DeepSec In Depth Security Conference is happy to announce the planned
schedule for this year's event from November 11th to 14th in Vienna, Austria.
The schedule (which can be found at https://deepsec.net/schedule) covers a
range of topics including botnet analysis, web application security, malware
detection/analysis, legal and administrative issues, secure coding and code
review, hardware and firmware attacks, attacking/hardening databases, social
engineering, dealing with rich Internet applications (RIAs) and, of course,
the Digital Armageddon (coming soon to a server near you).
Network Forensics
Wireless and Mobile Security
Cryptography
Network Discovery and Mapping
Incident Response and Management
Malicious Software
Web Services Security
Legal and Ethical Issues
Important Dates
Jason Ostrom & Arjun Sambamoorthy
IP Video Attacks!
Ben Feinstein
Koobface: Malware for the Social Web
Rob Havelt
Death to Obscurity: The Frequency Hopping Spread Spectrum Story
K. Chen
Next Page>>
|
