<![CDATA[[SecurityRatty] tag: russiannews]]> http://securityratty.com/tag/russiannews Sun, 23 Dec 2007 18:01:52 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Pinch Variant Embedded Within RussianNews.ru]]> http://securityratty.com/article/5c1543c93dcbfb2efe5750392b281e1c http://securityratty.com/article/5c1543c93dcbfb2efe5750392b281e1c This is a perfect and currently live example demonstrating how a once compromised site can also be used as a web dropper compared to the default infection vector mentality we've been witnessing on pretty much each and every related case of malware embedded sites during 2007. The URL at a popular news portal for Russian/Iranian related news at : russiannews.ru/arabic/data/news/upload/exp is serving a Pinch variant thought an MDAC ActiveX code execution exploit - CVE-2006-0003, the type of virtual Keep it Simple Stupid strategy of using outdated vulnerabilities I discussed before. Deobfuscation leads us to : russiannews.ru/arabic/data/news/upload/exp/exe.php

Trojan-PSW.Win32.LdPinch.dzr
File Size: 22016 bytes
MD5 : cb0a480fd845632b9c4df0400f512bb3
SHA1 : 83bb4132d1df8a42603977bd2b1f9c4de07463ab

What's important to point out in this case, is that the main index and the pages within the site are clean, so instead of trying to infect the visitors, the malicious parties are basically using it as a web dropper. Moreover, in the wake of Pinch-ing the Pinch authors, this variant generated on the fly courtesy of their tool fully confirms the simple logic that once released in the wild, DIY malware builders and open source malware greatly extend their lifecycles and possibility for added innovation on behalf of the community behind them.
]]> Sun, 23 Dec 2007 18:01:52 +0000 variant pinch variant diy malware builders russiannews malware popular news portal web dropper news simple stupid strategy Pinch Variant Embedded Within RussianNews.ru