Network Security Bugtraq
Subject: Re: [security] Trojan downloader may be dropping FireFox and IE specific components
Date: Wed, 26 Jul 2006 15:09:52 -0700
Say it is so.... Malware is big business.

Opera just has a "month of browser bugs" posted up on Metasploit.

As long as we're running with admin rights... malware has easy pickin's.......

http://msmvps.com/blogs/harrywaldron/archive/2006/07/26/105854.aspx
http://browserfun.blogspot.com/2006/07/mobb-26-opera-css-background.html

Hayes, Bill wrote:

While reading a couple of recent entries in security blogs by McAfee and Symantec, I had one of those "say it isn't so" moments. A careful read of the descriptions by McAfee of the Trojan Downloader Downloader-AXM and McAfee's description of Formspy for Firefox and Symantec's description of Haxdoor for IE seems to indicate that Downloader-AXM is able to distinguish between system configurations and install malware specifically developed for either Firefox or IE boxes.

I haven't been able to find out any further info from other virus 
encyclopedias. Hopefully they should have entries soon.

Formspy was detected by McAfee today (July 25th) and Haxdoor-0 by Symantec yesterday (July 24th). Both are currently being spammed by an e-mail note purporting to be an order confirmation. McAfee does have the full text of the spam in its description of Downloader-AXM. According to McAfee, the downloader is present in an attachment called "wc2905036.exe".

Symantec says in its blog that Haxdoor is downloaded through an attachment it calls WC2905036.zip which yields WC2905036.exe, and in passing that the spammed note is a bogus order confirmation.

Symantec states that there have been two different versions of the e-mail 
message and two different attachments. They don't say if the file name remained 
the same. So, are we looking at backdoors that use two separate downloaders or 
one downloader for two different malware installations? This would also 
indicate that the same folks are behind both Formspy and Haxdoor-0. Symantec 
states that this version of Haxdoor may be of Russian origin.

References:

AvertLabs blog - http://www.avertlabs.com/research/blog/?p=62
FormSpy Downloader - http://vil.nai.com/vil/content/v_140257.htm
FormSpy - http://vil.nai.com/vil/content/v_140256.htm
Backdoor.Haxdoor-0 - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072413-3859-99
Symantec Security Response Weblog - http://www.symantec.com/enterprise/security_response/weblog/2006/07/there_they_go_again_1.html
      
_______________________________________________
Get your free port scan here: http://www.seifried.org/freescan2/

security mailing list
security@lists.seifried.org
https://lists.seifried.org/mailman/listinfo/security




--
Letting your vendors set your risk analysis these days? http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs
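The thread describes one lure delivered two ways: a bare executable attachment (wc2905036.exe) and a zip (WC2905036.zip) that unpacks to the same executable, both riding on a bogus "order confirmation". The script below is an added example of the gateway-side triage a practitioner would want for that pattern; it is not code from the list, from McAfee or from Symantec. It flags executable extensions, PE ("MZ") headers hiding behind other names, executables nested inside zip attachments (with a member-count and size guard so a zip bomb cannot stall the scanner), and raises the score when a lure subject is combined with executable content. The sample messages, addresses, subjects and body text are constructed here; the "executable" is a two-byte MZ stub with padding, not malware, and the real spam text quoted by McAfee is not reproduced.

```python
"""Triage e-mail attachments for the 'order confirmation' lure pattern:
an .exe attached directly, or an .exe wrapped in a .zip attachment."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
LURE_SUBJECT = re.compile(r"order\s+confirmation", re.IGNORECASE)
MAX_ZIP_MEMBERS = 100                 # refuse to walk absurdly large archives
MAX_UNCOMPRESSED = 50 * 1024 * 1024   # refuse to inflate zip bombs


def looks_like_pe(data: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header whatever they are named."""
    return data[:2] == b"MZ"


def has_exec_extension(name: str) -> bool:
    return name.lower().endswith(EXEC_EXTENSIONS)


def inspect_zip(data: bytes) -> list:
    """Return reasons found inside a zip attachment without extracting it to disk."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ZIP_MEMBERS:
                return ["zip has too many members to inspect"]
            if sum(i.file_size for i in infos) > MAX_UNCOMPRESSED:
                return ["zip uncompressed size exceeds limit"]
            for info in infos:
                if info.is_dir():
                    continue
                if has_exec_extension(info.filename):
                    reasons.append(f"executable inside zip: {info.filename}")
                    continue
                with zf.open(info) as member:   # read only the magic, never the whole member
                    head = member.read(2)
                if looks_like_pe(head):
                    reasons.append(f"PE header inside zip member: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("zip attachment is corrupt or not a zip")
    return reasons


def triage(raw: bytes) -> dict:
    """Parse one RFC 822 message and return a verdict with the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if has_exec_extension(name):
            reasons.append(f"executable attachment: {name}")
        elif looks_like_pe(data):
            reasons.append(f"PE header in attachment without exec extension: {name}")
        if name.lower().endswith(".zip") or data[:2] == b"PK":
            reasons.extend(inspect_zip(data))
    lure = bool(LURE_SUBJECT.search(msg.get("Subject", "")))
    if lure and reasons:
        reasons.append("lure subject combined with executable content")
    return {"suspicious": bool(reasons), "lure_subject": lure, "reasons": reasons}


# --- constructed samples (hypothetical addresses and bodies, not the real spam) ---
def build_message(subject: str, filename: str, payload: bytes, maintype: str, subtype: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please find your order confirmation attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def fake_pe() -> bytes:
    """An 'MZ' magic plus padding stands in for an executable; it contains no code."""
    return b"MZ" + b"\x00" * 62


def zip_wrapping(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


SAMPLE_EXE = build_message("Order Confirmation #2905036", "wc2905036.exe", fake_pe(),
                           "application", "octet-stream")
SAMPLE_ZIP = build_message("Your order confirmation", "WC2905036.zip",
                           zip_wrapping("WC2905036.exe", fake_pe()), "application", "zip")
SAMPLE_BENIGN = build_message("Order Confirmation #2905036", "invoice.pdf",
                              b"%PDF-1.4\n% constructed placeholder\n", "application", "pdf")

if __name__ == "__main__":
    for label, sample in (("exe", SAMPLE_EXE), ("zip", SAMPLE_ZIP), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The lure subject alone is deliberately not enough to flag a message (legitimate order confirmations exist); it only sharpens a verdict already earned by executable content. Extension checks are kept alongside the MZ magic check because the thread's attachment was renamed between a .zip and an .exe across two mailings, and a gateway should catch either naming.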
