Archive for September, 2006

E-Cards deliver Rootkits

Friday, September 22nd, 2006

Researchers at Exploit Prevention Labs have discovered a large Cyber Criminal gang operating out of Australia. Nearly every bank in Australia was found to have customers whose bank details had been used by the criminals. Users in Australia were sent what looked like an eCard from Yahoo. When the user clicked on the eCard they were brought to an Exploit server, which checked what vulnerabilities the user's browser had and used the hole it found to install a Keylogger and a Rootkit to hide the Keylogger. The Exploit Server was using the WebAttacker script, which is updated regularly and can be purchased very easily and cheaply.
The user would then be sent on to the Yahoo eCard site so as to make it look as if nothing untoward had happened.

Roger Thompson, Exploit Prevention Labs’ CTO, discovered the Australian eCard scam and has been tracking the evolving threat.
“The user receives an eCard in their email inbox,” said Thompson. “The card appears to come through one of the major eCard companies, so it is assumed to be safe, despite the user not recognizing the sender’s name on the card. The user clicks the link to view the card, which doesn’t tell you who it’s really from, so they just close it and continue with whatever they were doing before. Unfortunately, what’s actually happened is that a rootkit has been delivered to the user’s PC before they even pick up the card.”

“We started tracking MDAC back in June, shortly after WebAttacker was upgraded. Initially, it was just a tiny blip on the radar, registering 0.5% in our Exploit Prevalence Survey for that month. In July, it was up to 3.51%, and last month it reached 6.69%. If that pattern continues, we can expect to see both vendors and traditional anti-malware vendors experiencing significant problems in trying to keep up with the threat.”

This attack goes to show that unless users have all the latest security updates and patches on their computer, they stand a bigger chance of falling victim to such an attack. No amount of Anti-Virus or Anti-Spyware can thwart such an attack. Even a user with a fully patched computer can still be caught by what are called Zero Day attacks: attacks on program holes that the program maker is not yet aware of.

The best way to avoid Rootkits getting onto your PC is to run as an ordinary user and not to have any administrator rights.

Keep Safe

regards
Steo
www.antirootkit.com

New AOL IM Worm delivers Rootkit

Monday, September 18th, 2006

A new worm is propagating on the AOL Instant Messaging Network. The worm, called W32.pipeline, was found by Security Experts over at Facetime Security Labs today. The worm arrives as what looks like a picture file but is actually an executable. When executed the worm downloads a variety of other files, including a Rootkit to hide itself. The worm then tries to propagate via the infected user's Buddy List.

“Like many IM worms, W32.pipeline first appears as an instant message from a familiar contact, luring users into clicking on a link with a contextual phrase. The IM message “hey would it okay if i upload this picture of you to my blog?” downloads a command file called image18.com, which is disguised as a JPEG. Running the file results in csts.exe being created in the user’s system32 folder, part of the Windows operating system.”

Once installed, the worm's payload may include sending private information about the infected user back to the attacker, performing Distributed Denial Of Service attacks on websites, or sending out spam messages to millions of users worldwide.

Facetime says that the attack seems to be carried out by individuals who want to create a Botnet, a network of computers “owned” by the attacker. Once a member of the Botnet, the computer can carry out any operation that the attacker wants.
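The disguise described above, an executable passed off as a picture, is something a mail or IM gateway can check for. The following is an added example, not code from the post or from Facetime: it decides a file's real type from its leading bytes and from the extension Windows would actually act on, so a name such as image18.com, or a double extension like photo.jpg.com, is treated as executable regardless of what the lure says. The signature table and sample names are constructed for the example.

```python
import os
from typing import Optional

# Leading-byte signatures for a few common formats (constructed table).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pe_exe": b"MZ",  # DOS/PE header used by .exe, .dll, .scr and PE-built .com files
}

# What an image extension claims the content is.
IMAGE_EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Extensions Windows will execute whatever the bytes look like
# (.com files are raw code and need no header, hence the extension check).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def detect_type(data: bytes) -> Optional[str]:
    """Return the signature name matching the file's first bytes, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def classify(filename: str, data: bytes) -> str:
    """Classify an attachment by the extension Windows acts on and its real content.

    'executable'          - extension alone makes it runnable (e.g. image18.com)
    'mismatch-executable' - named as an image but carries a PE header
    'mismatch'            - named as one image type, content is something else
    'ok'                  - image name and image content agree
    'unknown'             - not an image name; no opinion
    """
    ext = os.path.splitext(filename.lower())[1]  # last extension only: photo.jpg.com -> .com
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable"
    claimed = IMAGE_EXTENSIONS.get(ext)
    if claimed is None:
        return "unknown"
    actual = detect_type(data)
    if actual == claimed:
        return "ok"
    if actual == "pe_exe":
        return "mismatch-executable"
    return "mismatch"


if __name__ == "__main__":
    # Constructed samples: the W32.pipeline-style name, and a PE file renamed to .jpg.
    for name, blob in [("image18.com", b"\xff\xd8\xff\xe0JFIF"), ("photo.jpg", b"MZ\x90\x00")]:
        print(name, "->", classify(name, blob))
```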

Keep Safe

regards
Steo
www.antirootkit.com

Trojan Exploits MS06-040 Windows Vulnerability, Drops Rootkit

Friday, September 15th, 2006

Another Instant Messaging worm is being used to spread malware that is hidden by dropping a Rootkit. Security Experts at MicroWorld Technologies have said that a Trojan Bot is exploiting multiple Windows vulnerabilities to spread in networks, whilst using a Rootkit component to hide its files and processes. Backdoor.Rbot.ayg is spread via AOL Instant Messaging and, once it has installed itself on your PC, it will go looking for other PCs to infect. This backdoor is hidden on the computer by using a Rootkit known as Win32.Rootkit.l.
One of the vulnerabilities that the malware targets is the recent Server Service Vulnerability, MS06-040, along with earlier flaws like MS03-049 in Microsoft Windows. PC users who do not have their computers updated with the latest patches can get the malware and rootkit.

From Microworld “Backdoor.Rbot.ayg uses ‘Win32.Rootkit.l’ to hide its files and processes. It communicates to the remote attacker via IRC channels and accepts and executes commands. The Bot can shutdown and restart the computer, log on to websites and download malicious code, log off current user, send files to the intruder, capture network user information and search disks for files.”

So once again the lesson for us all is to keep your system updated with the latest patches and always remember to use your PC with a non-administrative account.

Keep Safe

regards
Steo
www.antirootkit.com

The Gromozon rootkit is on 250000 PCs – Prevx releases Removal Tool

Friday, September 1st, 2006

Prevx Ltd, a UK Internet Security company, has released a long awaited removal tool for the Gromozon Rootkit. It said in a Press Release today that according to its estimates the Gromozon Rootkit is currently on about 250000 PCs in the US alone.

I blogged about the Gromozon Rootkit around a week ago here. It is a very hard rootkit to remove because of the various methods of stealth it uses. The Gromozon rootkit had been around for a short while before it was found. After maybe only a few weeks in existence, Prevx estimates the Gromozon rootkit is on about 250000 computers in the US alone. It was originally found to be very prevalent in Europe, especially Italy.

We received a large number of hits on the GROMOZON.COM – The strange case of Dr.Rootkit and Mr.Adware article. Most of these hits were from Google's Italian users who had Googled words like img.tif and FreeAccess.ocx, both components of the rootkit attack. This rootkit sure has got around in the days since its release. The method by which the rootkit spreads is aggressive and its stealth capability is great, so I am sure that we haven't heard the last of Gromozon. Indeed the whole Gromozon episode shows that attackers are coming up with more prolific and stealthy attacks on our computers. What will be the next big rootkit infestation?

The Gromozon Removal Tool is available from Prevx here: http://www.prevx.com/gromozon.asp

Keep Safe

regards
Steo
www.antirootkit.com