Miscreants have begun creating malware that overwrites software update applications from Adobe and others.
Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse.
Vietnam-based anti-virus firm Bkis said the tactic is a logical follow-on from earlier approaches where viruses replace system-files and startup-program files.
Nguyen Minh Duc, director of Bkis Security, writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package.
Variants of the malware also pose as updaters for Java and other software applications.
Duc explains: "From analysis, we found that malware is written in Visual Basic, faking such popular programs as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands."
Source: theregister.co.uk
Friday, April 2, 2010
Sunday, February 7, 2010
Kaspersky Lab and BitDefender websites hit by hackers
The websites of two major providers of security products have been hit by hackers.
The website of Russian IT security provider Kaspersky Lab was hit at the weekend by a Romanian ‘white-hat’ hacker.
A group calling itself ‘the Romanian Security Team’ claimed that the hackers achieved full access to the database supporting the websites, which includes customer data, by simply altering a parameter in the URLs. They could also perform SQL injections to remotely introduce harmful code into the database.
The group also claimed to have hit the Portuguese site of US anti-virus provider BitDefender, with the personal details of thousands of users viewed. The hackers said that they alerted the two companies of the security flaw and did not expose any of the data they found.
Kaspersky Lab said in a statement: “On Saturday February 7 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site.
“The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”
Gunter Ollmann, chief security strategist at IBM’s Internet Security Systems, said: “I hope that Kaspersky administrators fix this vulnerability rather quickly as they no doubt have a large customer base, and it would appear that all those customers are now exposed
“On top of that, this type of critical flaw can probably be used to usurp legitimate purchases and renewals of their products - which could include the linking to malicious and backdoored versions of their software - thereby infecting those very same customers that were seeking protection from malware in the first place.”
Wednesday, December 16, 2009
Powershell vs Conficker
Earlier in the week I found a few PCs that were infected with the Conficker malware. After looking at the infected PCs I noted that the infected file that was detected always had the following characteristics:
- Always a dll file in the Windows\system32 directory
- Always exactly the same size (155858 bytes)
- Always has ReadOnly, System, Archive and Hidden attributes set
Out of curiosity I wrote the following script to pull from AD a list of servers, ping them and then search through the System32 directory on servers that were up for dll files with those attributes set.
I found 3 servers that had dodgy AV signatures and infected dll files... PowerShell wins!!
# Get the server list from AD (Get-QADComputer is the Quest AD cmdlet)
$ServerList = @(Get-QADComputer -OSName "Windows Server*")
$Servers = $ServerList | ForEach-Object { $_.Name }
Write-Host "These Servers will be checked" -ForegroundColor Green
$Servers

# Ping a server and, if it answers, look in its System32 for dll files
# carrying the ReadOnly, Hidden, System and Archive attributes
function Find-Infection {
    param($Serv)
    $ping = Get-WmiObject -Query "SELECT * FROM Win32_PingStatus WHERE Address = '$Serv'"
    if ($ping.StatusCode -eq 0) {
        Write-Host "Checking $Serv Now" -ForegroundColor Yellow
        # Check for file
        Get-ChildItem -Path \\$Serv\c$\windows\system32 -Filter *.dll -Force |
            Where-Object { $_.Attributes -eq "ReadOnly, Hidden, System, Archive" }
    }
    else {
        Write-Host "$Serv is not responding" -ForegroundColor Red
    }
}

foreach ($serv in $Servers) {
    Find-Infection $serv | Select-Object Length, Mode, FullName | Format-Table -AutoSize
}
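As an added example (not part of the original post), the check below combines all three characteristics listed above, the fixed size and the attribute set, and tests the attribute flags bitwise rather than by exact string equality, so a file that also carries an extra flag such as NotContentIndexed is still reported. The sample files and the temporary directory are constructed here for demonstration; the size and attribute values are the ones given in the post.

```powershell
# Indicator values taken from the post above
$ConfickerSize = 155858
$RequiredAttrs = [System.IO.FileAttributes]'ReadOnly, Hidden, System, Archive'

function Test-ConfickerIndicators {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    # Only .dll files of exactly the observed size are candidates
    if ($File.Extension -ne '.dll' -or $File.Length -ne $ConfickerSize) { return $false }
    # Every required flag must be present; additional flags do not hide the file
    return (($File.Attributes -band $RequiredAttrs) -eq $RequiredAttrs)
}

function Find-ConfickerCandidates {
    param([Parameter(Mandatory)][string]$Path)
    # -Force is needed so hidden/system files are returned at all
    Get-ChildItem -Path $Path -Filter *.dll -Force -File |
        Where-Object { Test-ConfickerIndicators $_ } |
        Select-Object Length, Attributes, FullName
}

# --- constructed sample data in a throwaway temporary directory (hypothetical) ---
$TestDir = Join-Path ([System.IO.Path]::GetTempPath()) ('conficker-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $TestDir | Out-Null

function New-SampleFile($Name, $Size, $Attrs) {
    $p = Join-Path $TestDir $Name
    [System.IO.File]::WriteAllBytes($p, (New-Object byte[] $Size))
    (Get-Item $p -Force).Attributes = $Attrs
}
New-SampleFile 'hit.dll'       $ConfickerSize 'ReadOnly, Hidden, System, Archive'                    # reported
New-SampleFile 'hit2.dll'      $ConfickerSize 'ReadOnly, Hidden, System, Archive, NotContentIndexed' # reported (extra flag)
New-SampleFile 'wrongsize.dll' 4096           'ReadOnly, Hidden, System, Archive'                    # attributes only, not reported
New-SampleFile 'benign.dll'    $ConfickerSize 'Archive'                                              # size only, not reported

Find-ConfickerCandidates -Path $TestDir | Format-Table -AutoSize
Remove-Item -Path $TestDir -Recurse -Force
```

Point Find-ConfickerCandidates at \\server\c$\windows\system32 (as the post's script does) to run it against a real host; the size and attribute match is an indicator of this particular sample, not a general Conficker test.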