
Saturday, April 18, 2009

Trojan.Bankpatch.D

Risk Level 2: Low

Discovered: April 12, 2009
Updated: April 12, 2009 10:50:33 AM
Type: Trojan
Infection Length: 28,880 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Trojan.Bankpatch.D is a Trojan horse that modifies system files and attempts to steal information from the compromised computer.

Protection

* Initial Rapid Release version April 12, 2009 revision 033
* Latest Rapid Release version April 12, 2009 revision 033
* Initial Daily Certified version April 12, 2009 revision 033
* Latest Daily Certified version April 12, 2009 revision 033
* Initial Weekly Certified release date April 15, 2009

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium
* Payload: Modifies system files and steals information from the compromised computer.

Distribution

* Distribution Level: Low

Monday, March 2, 2009

SecurityOrb.com Security Advisory

New malware is popping up all the time, here is another one titled "Trojan.Neprodoor!inf". Information on it can be found below:

Trojan.Neprodoor!inf
Risk Level 1: Very Low

Discovered: March 2, 2009
Updated: March 2, 2009 8:02:14 PM
Type: Trojan
Infection Length: 213,120 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.Neprodoor!inf is a detection for infected ndis.sys driver files.

Protection

* Initial Rapid Release version March 2, 2009 revision 032
* Latest Rapid Release version March 2, 2009 revision 032
* Initial Daily Certified version March 2, 2009 revision 035
* Latest Daily Certified version March 2, 2009 revision 035
* Initial Weekly Certified release date March 4, 2009

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low

Distribution

* Distribution Level: Low

Once the infected driver file executes, it injects a malicious thread into the services.exe process.

The injected malicious thread then creates the following mutex so only one instance of the back door is running:
CTR.[16 HEXADECIMAL DIGITS]

Then the infected driver file may modify the following registry entries:

* HKEY_LOCAL_MACHINE\Software\AGProtect\"Cfg" = "[BINARY DATA]"
* HKEY_CURRENT_USER\Software\AGProtect\"Cfg" = "[BINARY DATA]"

Next, it will attempt to establish a TCP connection with one of the following hosts using port 80:

* 208.43.137.123
* 218.61.7.9
* 218.61.33.117
* 221.12.89.137
* 222.138.109.32
* 222.186.12.227

It uses an encrypted custom protocol to communicate with the remote servers to perform any of the following actions:

* Provide confidential information about the compromised computer.
* Download and execute binary files sent by the remote attacker.
* May act as a TCP proxy.

The infected driver file includes functionality to protect the infected ndis.sys from being overwritten. It also presents a non-infected image of ndis.sys to applications that attempt to read the infected file.
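The indicators in this write-up (the six hosts contacted on TCP port 80, the CTR. mutex pattern, and the AGProtect registry values) can be turned into a simple triage check. The following Python script is an added example, not part of the advisory: it runs those indicators over constructed firewall log lines (the space-separated key=value log format is an assumption), a constructed list of mutex names, and a constructed list of registry paths, and reports what matches. Accepting an optional Global\ or Local\ namespace prefix on the mutex name is also an assumption, since the advisory gives only the bare name.

```python
"""Indicator checks for the Trojan.Neprodoor!inf write-up.

Added example, not part of the advisory. The indicators (six hosts on
TCP port 80, the CTR.<16 hex digits> mutex, the AGProtect registry
value) are taken from the advisory text; every log line, mutex name and
registry path below is constructed sample data.
"""
import re

# Command-and-control hosts listed in the advisory, contacted on TCP/80.
C2_HOSTS = frozenset({
    "208.43.137.123", "218.61.7.9", "218.61.33.117",
    "221.12.89.137", "222.138.109.32", "222.186.12.227",
})
C2_PORT = 80

# Mutex: "CTR." followed by exactly 16 hex digits. Accepting an optional
# Global\ or Local\ namespace prefix is an assumption, not advisory text.
MUTEX_RE = re.compile(r"^(?:Global\\|Local\\)?CTR\.[0-9A-Fa-f]{16}$")

# Registry value the infected driver may write under HKLM and HKCU.
REGISTRY_RE = re.compile(
    r"^(?:HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\AGProtect\\Cfg$",
    re.IGNORECASE,
)

# Constructed firewall log format (assumption): space-separated key=value.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'src=10.0.0.1 dst=... dport=80' into a dict of fields."""
    return dict(KV_RE.findall(line))


def outbound_c2_hits(log_lines):
    """Return (src, dst) pairs for TCP/80 connections to a listed C2 host."""
    hits = []
    for line in log_lines:
        fields = parse_kv(line)
        try:
            dport = int(fields.get("dport", -1))
        except ValueError:
            continue  # malformed port field: skip the line rather than crash
        if (fields.get("proto", "").lower() == "tcp"
                and dport == C2_PORT
                and fields.get("dst") in C2_HOSTS):
            hits.append((fields.get("src"), fields["dst"]))
    return hits


def suspicious_mutexes(names):
    """Mutex names (e.g. from a handle listing) matching the CTR. pattern."""
    return [n for n in names if MUTEX_RE.match(n)]


def suspicious_registry(paths):
    """Registry value paths matching the AGProtect\\Cfg indicator."""
    return [p for p in paths if REGISTRY_RE.match(p)]


# Constructed sample data (not from the advisory).
SAMPLE_FIREWALL_LOG = [
    "ts=2009-03-02T20:02:14 src=10.0.0.15 dst=218.61.7.9 proto=TCP dport=80 action=allow",
    "ts=2009-03-02T20:02:15 src=10.0.0.15 dst=192.0.2.10 proto=TCP dport=80 action=allow",
    "ts=2009-03-02T20:02:16 src=10.0.0.22 dst=222.186.12.227 proto=UDP dport=80 action=allow",
    "ts=2009-03-02T20:02:17 src=10.0.0.22 dst=222.186.12.227 proto=TCP dport=443 action=allow",
    "ts=2009-03-02T20:02:18 src=10.0.0.31 dst=208.43.137.123 proto=TCP dport=80 action=allow",
    "ts=2009-03-02T20:02:19 src=10.0.0.31 dst=208.43.137.123 proto=TCP dport=abc action=allow",
]
SAMPLE_MUTEXES = [
    "CTR.0123456789ABCDEF",          # matches the advisory pattern
    "CTR.0123",                      # too short, not a match
    "Global\\CTR.fedcba9876543210",  # matches (namespace prefix assumed)
    "MSCTF.Shared.MUTEX.ABC",        # unrelated system mutex
]
SAMPLE_REGISTRY = [
    "HKEY_LOCAL_MACHINE\\Software\\AGProtect\\Cfg",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

if __name__ == "__main__":
    for src, dst in outbound_c2_hits(SAMPLE_FIREWALL_LOG):
        print(f"C2 connection: {src} -> {dst}:{C2_PORT}")
    for name in suspicious_mutexes(SAMPLE_MUTEXES):
        print(f"Neprodoor-style mutex: {name}")
    for path in suspicious_registry(SAMPLE_REGISTRY):
        print(f"AGProtect registry value: {path}")
```

Note that the write-up says the infected driver presents a clean image of ndis.sys to anything reading the file on the live system, so a hash of ndis.sys taken from within the running OS cannot be trusted; compare the file from offline boot media instead, and treat the network and mutex indicators above as the more reliable live-system signals.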

Tuesday, February 24, 2009

Crimeware

Crimeware is malicious software used to initiate a crime that is typically Internet-based. During the past two years, crimeware attacks have increased at a far greater rate than the normal virus. International gangs of virus writers, hackers and spammers are joining forces to steal information and collect huge profits illegally.

A classic example of crimeware is a backdoor keylogger trojan that collects keystroke information and transmits it back to an attacker.

For example, a bank login ID and password may be collected and sent back to an attacker. The attacker typically will use this information in order to collect illegal profits.

Ransomware is another form of crimeware. In this case, a malicious Trojan encrypts files on an unsuspecting user's hard drive. Once the files are encrypted the Trojan then displays a message, or leaves behind a ransom note demanding money from the user for the decryption key.

Given the newness of this threat type, and the potential of how it might evolve in the future, further clarification and dissection of the definition of crimeware will likely be required.

Monday, February 23, 2009

SecurityOrb.com Security Bulletin: Adobe Reader PDF Vulnerability

A recently discovered vulnerability in Adobe Reader allows an attacker to compromise the system with the privileges of the user running Reader. The vulnerability occurs because of the way Reader parses PDF files. Opening a malicious PDF file may trigger the bug, causing exploitation.

Attacks using this vulnerability have been seen in the wild. There are reports that adversaries are actively targeting a number of users, for exploitation.

The only known workaround to date is to disable Acrobat JavaScript. Any user can disable Adobe JavaScript by following these simple steps:

1. Start Adobe Reader.

2. Select Edit, then Preferences from the menu. The Preferences dialog box opens.

3. Select JavaScript from the list of Categories to the left.

4. Click to uncheck the option “Enable Acrobat JavaScript.”

5. Click OK.
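The steps above change one preference through the GUI on one machine. The following PowerShell script is an added example, not part of the original bulletin, that audits the same setting from the registry for every Adobe Reader version present in the current user's hive and, when run with -Enforce, turns JavaScript off. It assumes the preference is stored as the DWORD value bEnableJS under HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs (0 = disabled, 1 = enabled), and that an absent key or value means the default, enabled, state.

```powershell
# Added example, not part of the original bulletin: audit or enforce the
# "Enable Acrobat JavaScript" preference from the registry.
#
# Assumptions: the per-user preference lives under
#   HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs
# as the DWORD bEnableJS (0 = disabled, 1 = enabled); a missing key or
# value is treated as the default, enabled, state.
param(
    [switch]$Enforce   # when set, write bEnableJS = 0 for every version found
)

$base = 'HKCU:\Software\Adobe\Acrobat Reader'

if (-not (Test-Path $base)) {
    Write-Output "No Adobe Reader per-user settings found under $base"
    exit 0
}

Get-ChildItem -Path $base | ForEach-Object {
    $version = $_.PSChildName
    $jsPrefs = Join-Path $_.PSPath 'JSPrefs'
    $enabled = $true
    $state   = 'default (enabled)'

    if (Test-Path $jsPrefs) {
        $value = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS -ErrorAction SilentlyContinue).bEnableJS
        if ($null -ne $value) {
            if ($value -eq 0) { $enabled = $false; $state = 'disabled' }
            else              { $enabled = $true;  $state = 'enabled' }
        }
    }

    Write-Output ("Reader {0}: Acrobat JavaScript {1}" -f $version, $state)

    if ($Enforce -and $enabled) {
        if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
        Set-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -Type DWord
        Write-Output ("Reader {0}: bEnableJS set to 0" -f $version)
    }
}
```

Run it without switches to report the current state, and with -Enforce to disable JavaScript. Because the value sits in HKCU it is per user, so on a managed fleet the same value would be pushed through Group Policy rather than by running the script interactively on each account.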

For more details about this vulnerability and a video demonstration of the steps to disable Adobe JavaScript, please visit the following posting on SecurityOrb.com: http://www.securityorb.com/


Monday, February 16, 2009

Microsoft puts $250,000 bounty on Conficker authors

Microsoft 'Posse' puts $250,000 bounty on Conficker authors - Creators of Conficker/Downadup worm now carry a price on their heads


Source: Darkreading.com

Thursday, February 12, 2009

Valentine's Day Malware Attack

Valentine's Day is not just for lovers; it's for malware writers, too. At the center of the recent surge in spam related to Valentine's Day is the Waledac botnet, successor to the Storm botnet, but other botnets have joined the fray as well, security researchers warn.

Source: eweek.com

Friday, December 5, 2008

Firefox Malware - Trojan.PWS.ChromeInject.A

Firefox users are targeted by a new malware named Trojan.PWS.ChromeInject.A, which collects passwords from banking sites.

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A", sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Users could be infected with the Trojan either from a drive-by download.

Tuesday, December 2, 2008

US Department of Defense's decision to ban the use of USB drives and other removable data storage devices

Classified US Systems Breached: Attacks on US War Zone Computers Prompts Security Crackdown

The Los Angeles Times is reporting that the US Department of Defense's decision to ban the use of USB drives and other removable data storage devices was prompted by a significant attack on combat zone computers and the US Central Command that oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.

http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story

Removable media causes security concerns

The proliferation of portable media devices is increasing companies' security risks exponentially. In fact, endpoint security for laptops, PDAs and removable media is one of the most critical security issues facing companies today. USB drives, in particular, hold a tremendous amount of private corporate content. To deal with the growing problems, CIOs must set up strict policies for how data on removable media is handled and where it can and cannot be taken. Employees should also be monitored to some extent, ensuring that they use removable media only for company-sponsored endeavors. It's also critical to make sure that the USB drives used by your company have appropriate encryption, which is not standard on all USB drives. The same type of diligence should be applied to other mobile devices such as laptops.

Source: http://www.fiercecio.com/story/removable-media-causes-security-concerns/2007-03-19


Some interesting information pertaining to the security issues with removable drives:

The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.

Thanks to their large capacities, portability, and simplicity, removable media have become one of the most popular types of storage devices around today. You've only to go down to one of the big computer shows to be offered a free memory stick as a stand giveaway. If you take part in an IT training course, you might be given one with all your course notes stored on it. They are so cheap that they are the obvious way to store information: business proposals, accounts, clients' details, marketing plans, etc.

The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, its competitors have simply created large USB stores with some built-in music software. An increasing number of people now view the MP3 player as both a data and an entertainment tool. The danger here is that as an entertainment device it falls below the radar, and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.

http://www.gcn.com/online/vol1_no1/47646-1.html/?s=dailyNL

Pentagon spokesman Brian Whitman confirmed that the Defense Department is battling an ongoing malware attack within DOD's networks. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Whitman said in an official statement Nov. 21.

Last week, Strategic Command mandated that users of the Global Information Grid not use removable media, to prevent further spreading of a virus. Wired Magazine's Danger Room blog reported that an Army e-mail alert had been sent out relaying the instructions from STRATCOM, banning the use of removable media (thumb drives, external disks, CDs and DVDs) effective immediately. The e-mail indicated that a worm called Agent.btz was the cause of the move by STRATCOM and Joint Task Force-Global Network Operations.


http://www.gcn.com/online/vol1_no1/47657-1.html/?s=dailyNL

NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.

New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.

The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.

Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”

The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.

Thursday, September 4, 2008

Computer Malware and Preventive Recommendations

It’s often what we don’t know that can hurt us the most…

That is the case when it comes to the effects of malware such as computer viruses, worms and Trojans.

Botnets are one of the fastest growing and most dangerous threats on the Internet today. “Bot” stands for robot, a piece of software with some intelligence to perform a task, and the “net” stands for network, the collection of these individual bots under one controlling person called a bot herder.

The interesting thing is that not all bots are bad: for example, the intelligent software agents used in Microsoft Word or those used by search engine sites like Google are there to help the end user, whereas bots such as the Storm and Kraken botnet collections are there to disrupt end user activities.

The bots are small executable files that are very easy to spread. They can be spread through spam, music files located on file sharing systems, various unpatched Microsoft vulnerabilities, and hosting on a web site that pushes them to visitors in a technique called a “drive-by download” (very nasty and stealthy).

The thing that makes these bots so dangerous is their exponential growth factor. As more systems are infected, they also begin to scan for vulnerable systems. Since the additional computer systems use their resources to recruit other systems, the growth can be enormous in a short period of time.

My recommendations are:

* Use a Mac OS X based system or even a Linux-based system if possible; if not:

1. Make sure you have security controls in place (e.g. firewall, anti-virus, anti-spyware and IDS).
2. Make sure they are licensed and updated regularly.
3. Make sure you run them frequently, or have them run at a time your computer will be on.
4. Do not download free miscellaneous software from the Internet (e.g. screensavers and games).
5. Do not open attachments if you do not know whom they are from or what the attachment is.
6. Just be smart.

For more information on botnets, their effects and detailed recommendation to prevent and remove malware, check out http://www.securityorb.com/

Monday, June 23, 2008

Mac OS X Trojan reported in the wild

By Jose Vilches, TechSpot.com
Published: June 20, 2008, 3:19 PM EST

We typically hear about malware makers taking aim at Windows systems – which makes sense given the large install base – but with the rise in popularity of Apple and its OS X operating system, more and more we’re seeing dangerous malware, viruses and Trojans now being targeted at the Mac, too.

A new Trojan reported by SecureMac is an example of that, with the security vendor saying that variants of the AppleScript.THT Trojan horse spotted in the wild could affect users of Mac OS X Tiger and Leopard. The Trojan exploits a vulnerability within the Apple Remote Desktop Agent enabling complete access to a user’s system. It can log keystrokes, take screen shots, take pictures with the iSight camera, and enable file sharing, all while avoiding detection by opening ports in the firewall and turning off system logging.

The vulnerability is rated critical, and in order to get infected a user must first download and install the malicious file, which is being distributed as either a compiled AppleScript or an application bundle. SecureMac of course took the opportunity to pitch its MacScan antispyware security software as a solution against this threat.

Wednesday, May 28, 2008

Malware Infected Windows PCs

Lately, there has been a rash of PC infestations. In the past week, I have personally worked on 4 Intel based PCs that had slowed down to a crawl or did not allow the user to be productive.

In reviewing their PCs, I noticed the “Trojan.Smitfraud” to be abundant on these systems amongst other malicious software.

I personally feel these compromised systems are lethal weapons that can allow hackers to attack our infrastructure, other businesses or commit crimes. Better software and usability measures need to be a priority.

I use Ultimate Boot CD for Windows to examine and repair these systems. I find that it works well and does not use the Windows based OS to do its analysis.

Information on Trojan.Smitfraud can be found below:

Trojan.Smitfraud

Type

Malware

Type Description

Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.

Category

Trojan

Category Description

Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.

Level

High

Level Description

High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

Advice Type

Remove

Description

Trojan.Smitfraud is a group of programs that are used to download rogue security products and change the user's desktop to display false warnings that the computer is infected with spyware.

Add. Description

Trojan.Smitfraud downloads and installs programs that purport to scan for adware and spyware and typically display false reports of spyware in order to frighten the user into paying for the program.

Release Date


Last updated on

May 9 2008

File Traces

* %SYSTEM%\adobepnl.dll
* %SYSTEM%\ccc3.dll
* %system%\cdromdrv32.dll
* %SYSTEM%\dcvwaah.dll
* %SYSTEM%\dpfwu.dll
* %SYSTEM%\ekvrlfzz.exe
* %SYSTEM%\fyhhxw.dll
* %SYSTEM%\gqagksr.dll
* %SYSTEM%\gtpbx.dll
* %system%\hjfjhigjxe.dll
* %SYSTEM%\ishost.exe
* %SYSTEM%\ismini.exe
* %SYSTEM%\ismon.exe
* %SYSTEM%\isnotify.exe
* %SYSTEM%\issearch.exe
* %SYSTEM%\ixt0.dll
* %SYSTEM%\okkmtv.dll
* %system%\olechs32.dll
* %SYSTEM%\oqabf.dll
* %SYSTEM%\sbnudh.dll
* %SYSTEM%\syycum.dll
* %SYSTEM%\titiau.dll
* %SYSTEM%\urroxtl.dll
* %SYSTEM%\users32.exe
* %SYSTEM%\veklo.dll
* %SYSTEM%\vwlummc.dll
* %SYSTEM%\wuwbxp.dll
* %SYSTEM%\xxfgmy.dll
* %SYSTEM%\zphnok.dll
* %windows%\dpvtporsdq.dll
* asgp32.dll
* flashwindow.exe
* loader.exe
* main.exe
* reger.exe
* wow.dll
* zloader3.exe
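The file-trace list above mixes placeholder paths (%SYSTEM%, %windows%) with bare file names that carry no directory, and the placeholder case is inconsistent, so a direct string comparison against a file listing from a suspect machine will miss hits. The following Python script is an added example, not part of the original listing: it normalises both sides (placeholder expansion to constructed Windows XP default directories, case folding) and matches bare names by basename anywhere on disk. The observed paths are constructed sample data; the directory values are assumptions and on a real host should come from the environment.

```python
"""File-trace sweep for the Trojan.Smitfraud listing.

Added example, not part of the original page. The trace names come from
the "File Traces" list; the observed paths below are constructed sample
data, and the placeholder directories are assumed Windows XP defaults.
"""
import ntpath

# Placeholder directories (assumption: Windows XP defaults).
PLACEHOLDERS = {
    "%system%": r"C:\WINDOWS\system32",
    "%windows%": r"C:\WINDOWS",
}

# Traces exactly as given in the listing (case preserved).
SMITFRAUD_TRACES = [
    r"%SYSTEM%\adobepnl.dll", r"%SYSTEM%\ccc3.dll", r"%system%\cdromdrv32.dll",
    r"%SYSTEM%\dcvwaah.dll", r"%SYSTEM%\dpfwu.dll", r"%SYSTEM%\ekvrlfzz.exe",
    r"%SYSTEM%\fyhhxw.dll", r"%SYSTEM%\gqagksr.dll", r"%SYSTEM%\gtpbx.dll",
    r"%system%\hjfjhigjxe.dll", r"%SYSTEM%\ishost.exe", r"%SYSTEM%\ismini.exe",
    r"%SYSTEM%\ismon.exe", r"%SYSTEM%\isnotify.exe", r"%SYSTEM%\issearch.exe",
    r"%SYSTEM%\ixt0.dll", r"%SYSTEM%\okkmtv.dll", r"%system%\olechs32.dll",
    r"%SYSTEM%\oqabf.dll", r"%SYSTEM%\sbnudh.dll", r"%SYSTEM%\syycum.dll",
    r"%SYSTEM%\titiau.dll", r"%SYSTEM%\urroxtl.dll", r"%SYSTEM%\users32.exe",
    r"%SYSTEM%\veklo.dll", r"%SYSTEM%\vwlummc.dll", r"%SYSTEM%\wuwbxp.dll",
    r"%SYSTEM%\xxfgmy.dll", r"%SYSTEM%\zphnok.dll", r"%windows%\dpvtporsdq.dll",
    "asgp32.dll", "flashwindow.exe", "loader.exe", "main.exe",
    "reger.exe", "wow.dll", "zloader3.exe",
]


def expand(trace):
    """Replace a leading %system%/%windows% placeholder and lower-case the path."""
    lowered = trace.lower()
    for marker, real in PLACEHOLDERS.items():
        if lowered.startswith(marker):
            rest = trace[len(marker):].lstrip("\\")
            return ntpath.join(real, rest).lower()
    return lowered


def build_index(traces):
    """Split traces into full-path indicators and directory-less names."""
    full, bare = {}, {}
    for trace in traces:
        if "\\" in trace:
            full[expand(trace)] = trace
        else:
            bare[trace.lower()] = trace
    return full, bare


def sweep(observed_paths, traces=SMITFRAUD_TRACES):
    """Return (observed_path, matching_trace) pairs, in observed order."""
    full, bare = build_index(traces)
    hits = []
    for path in observed_paths:
        norm = path.lower()
        name = ntpath.basename(norm)
        if norm in full:
            hits.append((path, full[norm]))
        elif name in bare:
            hits.append((path, bare[name]))
    return hits


# Constructed file listing from a hypothetical suspect machine.
SAMPLE_OBSERVED = [
    r"C:\WINDOWS\system32\ishost.exe",                                   # full-path trace
    r"C:\WINDOWS\System32\OLECHS32.DLL",                                 # case differs
    r"C:\WINDOWS\dpvtporsdq.dll",                                        # %windows% trace
    r"C:\Documents and Settings\bob\Local Settings\Temp\zloader3.exe",   # bare-name trace
    r"C:\WINDOWS\system32\kernel32.dll",                                 # benign
    r"C:\Program Files\Common Files\main.exe",                           # bare-name trace, generic name
]

if __name__ == "__main__":
    for path, trace in sweep(SAMPLE_OBSERVED):
        print(f"{path}  <-  {trace}")
```

Bare names such as main.exe or loader.exe are weak indicators on their own and will produce false positives from legitimate software; treat a bare-name hit as a prompt to check the file's hash and signature, while a full-path hit under the system directory is a much stronger signal.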