SEARCH RESULTS

Showing 1-10 of 15 records

Pinch Variant Embedded Within RussianNews.ru

2007-12-23 21:01:52 by HASH0x89b2224 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...variant through an MDAC ActiveX code execution exploit - CVE-2006-0003, the type of virtual Keep it Simple Stupid strategy of using outdated vulnerabilities I discussed before. Deobfuscation leads us to : russiannews.ru/arabic/data/news/upload/exp/exe.php Trojan-PSW.Win32.LdPinch.dzr File Size : 22016 bytes MD5 :...

Storm keeps coming (4th variant)

2007-12-27 10:43:00 by Russ McRee in HolisticInfoSec.org
 
...variant we reviewed, but some changes are apparent 1) Hash: 1f362ad74d62262bff6bcb1d078cbf7d 2) Aside from yet again changing the domain and binary, the hidden files written upon execution are as follows Helios Rootkit Detector Scanning File System For Hidden Files Scanning Drive C 1 C:WINDOWSsystem32bldy.config Hidden From API 2...

More High Profile Sites IFRAME Injected

2008-03-12 09:49:36 by HASH0x8b74b5c in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...variant of Zlob is attempting to install through an ActiveX object. These are the high profile sites targeted by the same group within the past 48 hours, with number of locally cached and IFRAME injected pages within their search engines NCSU Libraries - lib.ncsu.edu - 372,000 pages FullDownloads.us - fulldownloads.us - 13,000 pages Central...

A Portfolio of Fake Video Codecs

2008-03-19 17:27:56 by HASH0x8b5b564 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...variant on each and every of the domains, thereby acting as a great example of what malicious economies of scale means? But of course. As I've pointed out in a previous post, on the tactical warfare front the output of a malicious IFRAME campaign is often neglected from the perspective of lacking the two/three layered IFRAME-ing and...

Storm Worm's St. Valentine Campaign

2008-01-15 21:01:01 by HASH0x8b48dc8 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...variant of Win32/Nuwar Prevx1 - Stormy:All Strains-All Variants Webwasher-Gateway - Win32.Malware.gen!88 (suspicious The binary drops burito.ini (MD5 - A65FA0C23B1078B0758B80B5C0FD37F3) and burito1205-67d5.sys (MD5 - C4B9DD12714666C0707F5A6E39156C11), and creates the following registry entries HKEY LOCAL...

Anti-Malware Vendor's Site Serving Malware

2008-02-12 20:31:18 by HASH0x8b333c4 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was boobytrapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs The IFRAME at the site used to point to...

Terror on the Internet - Conflict of Interest

2008-03-18 19:58:23 by HASH0x8471fd8 in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
...variant Shutting the communities down Before shutting them down you need to know where they are, their neighbourhood of supporters who will indirectly tip you on their latest location once they have their previous domain shut down. Personal experience and third party research indicates that over 90% of the cyber jihadist...

Storm-Bot stripshow analysis

2007-12-23 22:06:00 by Russ McRee in HolisticInfoSec.org
 
...variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to merrychristmasdude.com, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can...

New Years Storm deja vu

2007-12-25 10:36:00 by Russ McRee in HolisticInfoSec.org
 
...variant's been around for a few days AntiVir - Worm/Zhelatin.ob Authentium - W32/StormWorm.P BitDefender - Trojan.Peed.IRE CAT-QuickHeal - (Suspicious) - DNAScan DrWeb - Trojan.Packed.263 eSafe - Suspicious File eTrust-Vet - Win32/Sintun.AT F-Prot - W32/StormWorm.P F-Secure - Packed.Win32.Tibs.gu Kaspersky - Packed.Win32.Tibs.gu Microsoft -...