Network Security Vuln-Dev

Subject: Re: Trojan downloader may be dropping FireFox and IE specific components
Date: Fri, 28 Jul 2006 13:44:19 -0500
Computer Associates eTrust Spyware Encyclopedia now has an entry for Haxdoor.G 
that states this malware seems to have the same distribution as Formspy, which 
CA calls Ursnif.B. The CA entry Haxdoor.G states that its name is equivalent to 
Symantec's name of Haxdoor-0. 

At first glance, this seems to vindicate the notion that Downloader-AXM 
(McAfee) does indeed discriminate between browser installations and installs 
the appropriate malware -- either FormSpy for Firefox or Haxdoor-0 for IE. This 
would be much more efficient than sending out two sets of spam with identical 
wording and different attachments. It would also mean that we've turned a dark 
corner and that downloaders from this point on will become more sophisticated 
in determining what kind of malware to install. As Susan Bradley seemed to 
infer, that could mean that Opera-related exploits could also be installed from 
the same downloader that attacks IE and Firefox browsers.

However, it is possible that the folks behind Downloader-AXM did turn out two 
different mass-spam mailings -- one for Haxdoor-O and one for FormSpy. McAfee 
in its July 25th update of the Downloader-AXM page states that two 
Downloader-AXM mailings were detected on the 24th and the 25th of July. While 
the message had the identical content, McAfee claims that Downloader-AXM had 
been repackaged. I think it means that the attachment was first presented as 
wc2905036.exe and then on the second mailing put in a zip file called 
WC2905036.zip. 

Has anyone examined the attachments from these two mass-spammings? Are they 
indeed functionally identical? If so, can they download Formspy and Haxdoor-O?
 

References:

Downloader-AXM (McAfee) - http://vil.nai.com/vil/content/v_140257.htm
(Downloader-AXM) Win32/SillydI.AT0 (CA) - http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=57188
(Downloader-AXM) 29Down (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098985
(Downloader-AXM) Troj/Dloadr-AKL (Sophos) - http://www.sophos.com/virusinfo/analyses/trojdloadrakl.html
(Downloader-AXM) Downloader.Traus (Symantec) - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072610-0431-99
(Downloader-AXM) TROJ_DLOAD.AH (Trend) - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.AH
FormSpy (McAfee) - http://vil.nai.com/vil/content/v_140256.htm
(FormSpy) Ursnif.B (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098986
(FormSpy) SnifSteal.A (Panda) - http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=124440
(FormSpy) Troj/Firespy-A (Sophos) - http://www.sophos.com/security/analyses/trojfirespya.html
(FormSpy) InfoStealer.Snifula (Symantec) - http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072610-2145-99
(FormSpy) TSPY_SNIFSTEAL.A (Trend) - http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_SNIFSTEAL.A
Haxdoor-0 (Symantec) - http://www.symantec.com/security_response/writeup.jsp?docid=2006-072413-3859-99&tabid=1
(Haxdoor-0) Haxdoor.G (CA) - http://www3.ca.com/securityadvisor/pest/pest.aspx?ID=453098984
(Haxdoor-0) Haxdoor.CP (Sophos) - http://www.sophos.com/security/analyses/trojhaxdoorcp.html
(Haxdoor-0) BKDR_HAXDOOR.GP (Trend) - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.GP

Related References:

Win32/SillyDI Family (CA) - http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39574
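The post closes by asking whether the bare .exe from the first mailing and the .zip from the second carry a functionally identical downloader, and whether both can fetch the same payloads. A first-pass triage for that question, added here as an illustration and not part of the original thread or of any vendor write-up, is to unwrap the zip, compare payload hashes, and diff the URLs embedded in each sample. The code below is not the real Downloader-AXM attachments: the two "samples" are constructed stand-ins (a fake PE-looking blob with two embedded download URLs, and the same blob repackaged in a zip), and the file names, URLs and registry string are made up for the example.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-in for the first-mailing attachment (NOT a real sample):
# an MZ/PE-looking header followed by strings a downloader might carry.
FAKE_EXE = (
    b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00"   # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 20                # minimal PE signature area
    + b"http://dl.example.invalid/get.php?b=ie\x00"   # hypothetical IE payload URL
    + b"http://dl.example.invalid/get.php?b=ff\x00"   # hypothetical Firefox payload URL
    + b"SOFTWARE\\Mozilla\\Mozilla Firefox\x00"       # hypothetical browser-probe string
)


def repackage_as_zip(member_name, payload):
    """Build an in-memory zip holding `payload` under `member_name`
    (stands in for the second mailing's WC2905036.zip-style attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def unwrap(attachment):
    """Return [(name, bytes)] for the executable payload(s) of an attachment.
    A zip (PK\\x03\\x04 signature) yields every file member; anything else is
    treated as the payload itself."""
    if attachment[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    return [("<raw>", attachment)]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def embedded_urls(data):
    """Printable http(s) URLs found in the raw bytes (NUL-terminated strings)."""
    return sorted({m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]{4,}", data)})


def compare_attachments(a, b):
    """Compare two attachments: are the unwrapped payloads byte-identical,
    and which embedded URLs differ between them?"""
    pa, pb = unwrap(a), unwrap(b)
    hashes_a = {sha256(d) for _, d in pa}
    hashes_b = {sha256(d) for _, d in pb}
    urls_a = set().union(*(embedded_urls(d) for _, d in pa))
    urls_b = set().union(*(embedded_urls(d) for _, d in pb))
    return {
        "members_a": [n for n, _ in pa],
        "members_b": [n for n, _ in pb],
        "identical": hashes_a == hashes_b,
        "shared_urls": sorted(urls_a & urls_b),
        "urls_only_in_a": sorted(urls_a - urls_b),
        "urls_only_in_b": sorted(urls_b - urls_a),
    }


if __name__ == "__main__":
    # Case 1: same downloader, merely re-wrapped in a zip -> identical.
    zipped = repackage_as_zip("WC2905036.exe", FAKE_EXE)
    print(compare_attachments(FAKE_EXE, zipped))
    # Case 2: a rebuilt variant pointing one URL at a different payload
    # -> hashes differ, and the URL diff shows exactly what changed.
    variant = FAKE_EXE.replace(b"b=ff", b"b=op")
    print(compare_attachments(FAKE_EXE, variant))
```

If the payload hashes match, the second mailing really was only a repackaging and the two attachments cannot differ in what they download; if they do not match, the URL diff is the quickest pointer to whether the downloader's targets changed, before spending time in a debugger. On real samples, run this on a disconnected analysis host and never execute the attachments.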

