Well, when it rains it pours, and today it seems it has been raining malware. Although I can't say I'm sad, since I enjoy playing with malware so much. We have been busy doing analysis on three different pieces of malware that had been submitted to us. Due to space constraints, I'm only going to post information on the one that was the most interesting. We also looked at malware that appeared to be a more targeted attack on a group, and the latest RINBOT/DELBOT or whatever you want to call that bot variant.
The first thing I'd like to highlight is the recent news media attention that has been generated over the latest version of RINBOT/DELBOT/SDBOT (depending on the AV folks you're talking to). I only bring this up since we've had many people writing in and wanting to know if we were going to post a diary on this. I'm only going to post a few thoughts and then move on. We already covered this malware in a previous diary entry. The only thing that seems to have changed is maybe an update to the vulnerabilities it can use to spread and the latest rant at whoever the author is mad at now. In this case, Symantec seems to be the target. With that in mind, it's surprising that it's getting so much publicity when it's just another bot variant. It is sad, but bots are very commonplace on the internet today.

Now, on to some other interesting pieces of malware that are new. We received an email from a reader named Chris who had a user report that their system attempted to connect to a remote network. The firewall alerted the user to the outbound traffic. The file that requested the outbound traffic was a file called ~.exe. A few of us looked at the file, but saw nothing malicious about the file itself. It opened a message box with a title of OK. No outbound traffic occurred. After a few more email exchanges, we got some more critical information:

"The user states that their Firewall (COMODO Firewall Pro) alerted to it after visiting hxxp://www.owned.com/Owned_Pictures - they checked the site again and NOD32

Nice, now we have a good starting point. Several of us did some analysis on how the site was doing the exploit. I would like to post the results from fellow handler Bojan Zdrnja, who did an outstanding job with this, especially the de-obfuscation of the JavaScript. For those wanting to try their hand at it, Bojan used the SpiderMonkey technique described here.

Now for his analysis of what was found: The initial infection site is definitely http:// www [dot] So, check your logs. And remember, it's not a very nice site if you decide to play :>)
Lorna, ISC Handler, Mar 2nd 2007