Trick or Treat: Storm's Halloween

Wednesday, October 31. 2007
Tonight is Halloween. The Storm Worm has, as usual, changed its social engineering scheme to match the upcoming holiday.
The mails used for propagation now point to a website with a Halloween theme. The website shows a skeleton and exploits several browser vulnerabilities when the user-agent indicates an exploitable browser. The text "Click here for a spooky good time" takes on an interesting meaning in this context :-)

URI Handling Vulnerability and RBN

Thursday, October 25. 2007
The URL handling vulnerability in Windows XP and Windows Server 2003 is being actively exploited in the wild, according to a posting on the full-disclosure mailing list. The PDF file attached to that mail contains an exploit for this vulnerability, with shellcode that downloads a binary via FTP from 81.95.146.130. A whois lookup of this IP shows that it belongs to RBN, the Russian Business Network, which has been in the press quite often recently.

The downloaded binary injects itself into several Windows processes and collects various information from the infected machine. This data is then sent to http://81.95.147.107/cgi-bin/pstore.cgi, another IP address within the RBN network. A complete CWSandbox analysis of the binary is also available.