hostile code
The scan function and the online scanner OnGuard don't
scan .sit and .dmg archives.
Impact:
It's possible to download malware from the internet or
to copy it from a USB stick without interruption from
iAntiVirus.
Malware in .sit archives is recognized by OnGuard during
manual decompression, but malware in .dmg disk images is
only recognized during a manual scan of the mounted image.
systems to prevent
> pretty much anything from being installed or modified. So every time you
> opened up a brand new session of IE and tried to access an external site
> you were prompted for your username/password. Somehow I doubt there's any
> malware around that is designed to survive in that type of an environment.
(This is far enough afield that I'm not cc'ing pdp or Thor or anyone else,
just the lists).
Affected products:
Client-side products
---------------------
These will not be patched; Trend's reason is that
malware will be detected upon extraction. While this is true for end-user
setups, this is not the case if you use such products to scan file servers,
database servers or any server where an end user does not actively extract
content. The detection is still completely bypassed. In other words, you
can no longer assume that RAR, ZIP, CAB (or any other archive) is safe/clean after
a Trend Micro scan with these products.
[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]
I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple. As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.
As Gadi mentioned, there are a number of known issues that Apple has
pull off, we can safely say the "future" you state below is here now.
Now, what is interesting is that any exploit requiring social
engineering to work has so far been less of a problem than the vast
majority of "remote buffer overflow" exploits like the Blaster and SQL
worms. Social engineering-required malware still works, and works well,
but not with the same success of remote buffer overflow malware. There
is very little we in the security space can point to as a success...but
the overall decrease in remote buffer overflows is one. Unfortunately,
the social engineering malware is getting better day-by-day. We can no
longer count on mispellings (sic) and bad grammar to be malware
> pull off, we can safely say the "future" you state below is here now.
>
> Now, what is interesting is that any exploit requiring social
> engineering to work has so far been less of a problem than the vast
> majority of "remote buffer overflow" exploits like the Blaster and SQL
> worms. Social engineering-required malware still works, and works well,
> but not with the same success of remote buffer overflow malware. There
> is very little we in the security space can point to as a success...but
> the overall decrease in remote buffer overflows is one.
Dear all,
I want to share with you this phenomenon.
Web malware has been heavily attacking big hosting providers over the last few days.
In particular, as far as I know, attacks were made against GoDaddy (USA) and Aruba (Italy). All index files were infected. If you are a customer of the above providers and your website was infected, it's enough to remove the malware script.
There are a couple of pieces of malware attacking Aruba at the moment. I just did some reverse engineering of the last one I found.
Twitter.com is being used to support the script execution.
Cheers,
Angelo Rosiello
'OS X is the new Windows 98.'
It's sensationalist and of no use, especially when posted to lists that
are supposedly populated with security experts. Everyone here is aware
of the consequences of malware and the manipulation of end users to
spread it. Of course it's interesting that a criminal group has taken
to spreading this, but hyping up the consequences of it does nobody any
good and just spreads FUD. To me it seems like the original
poster is trying to get a quote in some tech/security/computer
magazine.
I have run across a design issue in VMware's scripting automation API that
diminishes VM guest/host isolation in such a manner to facilitate privilege
escalation, spreading of malware, and compromise of guest operating systems.
VMware's scripting API allows a malicious script on the host machine to
execute programs, open URLs, and perform other privileged operations on any
guest operating system open at the console, without requiring any
credentials on the guest operating system. Furthermore, the script can
execute programs even if you lock the desktop of the guest OS.
those markers is parsed and interpreted. Furthermore, PDF files are read from
the bottom to the top.
Neither Adobe Acrobat nor FoxitReader cares too much about the data that
comes before the magic bytes; the Kaspersky engine does, and not only does
it care, it fails to detect the malware inside the PDF file.
I will spare you the details: a PDF file is basically a container that
starts with %PDF and ends with %%EOF.
What follows are the details of this evasion, note this one is generic
Hi Vladimir,
Please understand that I will not enter that discussion any longer.
Please note that :
V3D> is not malware/intrusion or malware in the form unused in-the-wild
V3D> is not vulnerability.
Is false. It is recognised malware, else the test wouldn't make sense -
obviously.
ABSTRACT
Nowadays most malware applications are either packed or protected.
These techniques are applied especially to evade signature-based detectors
and also to complicate the job of reverse engineers or security analysts.
The time one must spend on unpacking or decrypting malware layers is often
very long and in fact remains the most complicated task in the overall
process of malware analysis. In this report the author proposes MmmBop as a
relatively new concept of using dynamic binary instrumentation techniques
* In the US a small financial firm in Montana lost the information of all
its 226,000 customers
(http://www.webappsec.org/projects/whid/byid_id_2008-08.shtml)
But the incident I want to focus on this week is one I just added from late
last year: In India a large newspaper site was broken into and malware was
planted on it
(http://www.webappsec.org/projects/whid/byid_id_2007-85.shtml). Why is it
important? Based on a recent report by WebSense, 51% of the sites hosting
malware are legitimate sites that have been broken into. This is a major
shift in web based threats. For end users, it is not sufficient anymore to
Classifications:
* Attack Method: Unknown
* Country: France
* Country: Libya
* Outcome: Planting of Malware
* Vertical: Government
To iframe or not to iframe, this is the question. As malware becomes more
popular, the number of incidents, mostly insignificant, in which malware was
planted on a hacked site is rising and WHID is not the right place to list
The architecture of the vulnerable HP Info Center software gives an attacker a few different
attack vector combinations:
- remote automated download and execute (e.g. malware installation)
- remote registry arbitrary key access (e.g. attack preparation, remote system info gathering)
- remote registry data modification (e.g. sensitive data manipulation, malware installation, DoS attacks)
- system disk data area manipulation and user documents alteration (e.g. system files manipulation,
sensitive user documents access, entire system crash DoS attacks)
NOTE: Resending this was blocked last time.
Profit-driven malware has gotten very good at using Social Engineering
(backed up with Exploits) to spread itself. Zlob and its Codecs are one
particular example that has worked very well on Windows, even by
simply getting the user to install the software willingly. The
Storm/Zhelatin/Russian Business Network group however are by far the
best at this. They have shown time and again the power of simple Social
Engineering in order to infect victims' machines. Zlob may have been
the first for-profit malware to make the jump, but if it proves
WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================
ATTENTION ! Security Center has detected
malware on your computer !
Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Eric's talk seems to be a good start on risk analysis of gadgets generically.
The design of Vista gadgets seems particularly troubling since it seemed to
have several design flaws which were the subject of the paper.
> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> serious exploits yet. I guess the relatively low uptake of Vista (compared
> to the XP installed base) has meant that they're not a significant target
> for the malware industry just yet, since it's still more profitable to do a
> drive-by iframe exploit and hit all OSes than to mount a Vista-only attack.
data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
Vulnerable are Firefox 3.0.12 and Opera, but without access to cookies (the
same as in the case of refresh-header redirectors), because the code is not
executed in the context of the original site. It can be used for phishing and
for executing JavaScript code (for malware spreading).
The vulnerable version is Mozilla Firefox 3.0.12 and previous versions (and 3.5
should also be vulnerable).
Vulnerable version is Opera 9.52 and previous versions (and
10. About TELUS Security Labs
TELUS Security Labs, formerly Assurent Secure Technologies is the leading provider of security research. Our research services include:
* Vulnerability Research
* Malware Research
* Signature Development
* Shellcode Exploit Development
* Application Protocols
* Product Security Testing
* Security Content Development (parsers, reports, alerts)
31/08/2009 Initial vendor notification. Secure contacts requested.
31/08/2009 Vendor response
02/09/2009 Vulnerability details sent. Confirmation requested.
03/09/2009 Vendor accepted vulnerability for analysis
14/09/2009 Vendor response: "This issue is not a vulnerability. During program designing, Rising Virus Lab has known Rising program files could be modified by this way. However, few malware attacks Antivirus through the method. And, we have not detected any malware do this until now."
14/09/2009 I informed the vendor about the possible attack scenarios. No reply.
17/09/2009 Resend message
17/09/2009 Vendor accepted information for analysis
06/10/2009 Planned disclosure date has been sent to vendor
10/10/2009 Vendor notified me that vulnerability will be fixed only in 2010 edition of the vulnerable products
Michal, there is always something that bad guys can gain. And they can gain
benefits even from a data: URL without inheritance from the original site. Just
JavaScript execution (of evil code) alone is dangerous. Like I said to
Mozilla, cookie stealing (and such things as access to the DOM) is only one
vector; there are other attack vectors. As I mentioned in the advisory, it
can be used particularly for malware spreading.
> he could as well just redirect to his own site and run any potentially
> malicious JavaScript there.
First he needs to have his web site (with malicious JS code) and then he needs
> If it was possible to execute system() commands directly through the
> browser
It's possible to use this vulnerability for phishing and for spreading
malware. And after it runs on the user's computer, the malware can run system
commands :-). So attacks will be done directly through the browser.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
==========
Background
==========
"The IDA Pro Disassembler and Debugger is an interactive, programmable,
extendible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X.
IDA Pro has become the de-facto standard for the analysis of hostile code,
vulnerability research and COTS validation." [1]
========
Timeline
========