BitDefender weekly review – Remember Sina.DLoader?
Although the fix for these vulnerabilities was released on 14th Nov. 2007, attackers still exploit these flaws to spread malware without the users' consent.
Trojan.Buzus.CV
After execution, the Trojan starts a new process with the same name as its own file name. It injects an executable into that process' memory and then drops the executable to disk as a system file called netmon.exe. It creates registry keys to ensure that the dropped executable file is started on each boot.
The injected netmon.exe drops a driver into %system%\drivers\sysdrv32.sys and registers it as a service.
In order to spread, it creates copies of itself on every removable drive it detects and uses an autorun.inf file to execute them.
To protect itself, it is hidden from user mode.
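As an added illustration of the autorun.inf propagation vector described above (this is example code, not code from the article or from BitDefender), a small Python triage routine that parses an autorun.inf taken from a removable drive and reports any launch entries that point at an executable; the executable-extension list, the sample file contents and the file names in them are constructed assumptions.

```python
import ntpath
import re

# Extensions Windows runs directly (assumed list, not taken from the article).
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Keys that launch a file: open, shellexecute, and any shell\<verb>\command.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(inf_text: str) -> dict:
    """Key->value pairs from the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):             # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):  # section header
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def first_token(value: str) -> str:
    """Program part of a command: the quoted path, else the first token."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value.split() else ""

def suspicious_targets(inf_text: str) -> list:
    """Executables the autorun.inf would launch, deduplicated, in file order."""
    found = []
    for key, value in parse_autorun(inf_text).items():
        target = first_token(value) if LAUNCH_KEY_RE.match(key) else ""
        if ntpath.splitext(target)[1].lower() in EXECUTABLE_EXT and target not in found:
            found.append(target)
    return found

# Constructed sample shaped like a worm-dropped autorun.inf; RECYCLER\copy.exe
# is an invented name, not from the article.
WORM_INF = """[autorun]
open=RECYCLER\\copy.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command="RECYCLER\\copy.exe" /autoplay
shell\\explore\\command=RECYCLER\\copy.exe
UseAutoPlay=1
"""
# Constructed benign autorun.inf: label and icon only, launches nothing.
BENIGN_INF = "[autorun]\nlabel=Driver CD\nicon=setup.ico\n"
```

Running `suspicious_targets(WORM_INF)` flags the single executable behind all three launch keys, while the benign file yields an empty list.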
Exploit.Baofeng.A
Baofeng Storm Player is a popular Chinese media player. It comes bundled with an ActiveX control used for media playback on websites. However, certain versions of it are prone to multiple buffer overflow vulnerabilities which allow attackers to execute arbitrary code on the affected system.
The methods "advancedOpen()", "isDVDPath()" and "rawParse()" and the properties "backImage", "titleImage" and "URL" which reside inside "sparser.dll" and "mps.dll" fail to validate user supplied input and allow the attacker to gain control over the system within the security context of the running process. Vulnerable versions are all below 2.08.
Currently only the method "rawParse()" has been seen exploited in the wild. Specially crafted websites use this method to spread other malware. The exploit downloads executable files from URLs like http://[removed]de.com/bf.css and http://[removed]p.cn:6135/qwer/bf.css, saves them inside the system32 folder under the name "a.exe" and executes them with the privileges of the browser.
BitDefender recommends an immediate upgrade to the latest version of the player, which fixes these vulnerabilities.
Information in this article is available courtesy of BitDefender virus researchers: Marius Barat and Balazs Biro