Filed Under:
WEEKLY REVIEW

Recycling older exploits is cheaper than producing new ones

25 September 2008
Recycling is cheaper than producing. This fact seems to apply to the malware industry as well: engineering new exploits is time- and energy-consuming.

So today's cyber-criminals mostly recycle older exploits, repack them, and ship them out into the wide world of the web.

Exploit.JS.Agent.F

As the name says, this e-threat is an exploit for a vulnerability in the XMLHTTP ActiveX control within Microsoft XML Core Services. All users who have an unpatched MSXML 4.0 or 6.0 installed are prone to this exploit. Exploitation takes place when the user visits a specially crafted website. Upon execution, Exploit.JS.Agent.F downloads an executable file to the Content.IE5 folder (e.g. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5). It also launches that application, which is probably another piece of malware and will further compromise the user's machine.

Details: http://www.bitdefender.com/VIRUS-1000399-en--Exploit.JS.Agent.F.html

Trojan.Exploit.JS.RealPlr.S

This JavaScript is not an actual exploit but an exploit hider: it adds encryption layers on top of the existing Exploit.SinaDloader.B described in the previous weekly review. Fully decrypting the code takes three steps: the first is Base64 decoding, the second is the XXTEA encryption algorithm, and the third is a conversion from UTF-8 to UTF-16. The clear content is then served on the affected websites using the document.write JavaScript method.

Once this content executes, the script essentially runs Exploit.SinaDloader, which starts serving the 9 exploits in order to compromise vulnerable machines.
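To show what peeling those three layers looks like in an analyst's hands, the following is an added example written for this review; it is not code from BitDefender or from the malware itself. It implements XXTEA (Corrected Block TEA) from the published algorithm, decodes Base64 then XXTEA then UTF-8, and finally lists the string arguments passed to document.write in the recovered script. The 16-byte key, little-endian word order, zero padding to a multiple of four bytes, and the sample script are all constructed assumptions; the real hider's key and padding scheme are not given in the review. The encrypt routine exists only so that the sample blob can be built in the file and the decoder checked against it.

```python
import base64
import re
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(s, y, z, p, e, k):
    # XXTEA mixing function, evaluated modulo 2**32.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _btea(v, k, decrypt):
    # Corrected Block TEA over a list of n >= 2 uint32 words, modified in place.
    n = len(v)
    rounds = 6 + 52 // n
    if not decrypt:
        s = 0
        z = v[n - 1]
        for _ in range(rounds):
            s = (s + DELTA) & MASK
            e = (s >> 2) & 3
            for p in range(n - 1):
                y = v[p + 1]
                v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
                z = v[p]
            y = v[0]
            v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
            z = v[n - 1]
    else:
        s = (rounds * DELTA) & MASK
        y = v[0]
        for _ in range(rounds):
            e = (s >> 2) & 3
            for p in range(n - 1, 0, -1):
                z = v[p - 1]
                v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
                y = v[p]
            z = v[n - 1]
            v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
            y = v[0]
            s = (s - DELTA) & MASK
    return v


def _key_words(key):
    if len(key) != 16:
        raise ValueError("XXTEA needs a 128-bit key")
    return list(struct.unpack("<4I", key))


def xxtea_encrypt(data, key):
    # Assumption: zero-pad to a multiple of 4 bytes and to at least 8 bytes (2 words).
    padded = data + b"\x00" * ((-len(data)) % 4)
    padded += b"\x00" * max(0, 8 - len(padded))
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    return struct.pack("<%dI" % len(words), *_btea(words, _key_words(key), False))


def xxtea_decrypt(data, key):
    if len(data) % 4 or len(data) < 8:
        raise ValueError("ciphertext must be at least 8 bytes and a multiple of 4")
    words = list(struct.unpack("<%dI" % (len(data) // 4), data))
    plain = struct.pack("<%dI" % len(words), *_btea(words, _key_words(key), True))
    return plain.rstrip(b"\x00")   # strip the assumed zero padding


def unwrap_layers(blob_b64, key):
    # Layer 1: Base64 -> raw ciphertext; layer 2: XXTEA -> UTF-8 bytes;
    # layer 3: UTF-8 -> Unicode text (Python str, the UTF-16 analogue the hider produces).
    return xxtea_decrypt(base64.b64decode(blob_b64), key).decode("utf-8")


def document_write_payloads(script):
    # Return the string literals handed to document.write(...) in the recovered script.
    pattern = r"document\.write\(\s*(['\"])(.*?)\1\s*\)"
    return [body for _, body in re.findall(pattern, script, re.S)]


# Constructed sample: a placeholder loader tag, wrapped the way the review describes.
KEY = b"constructed-key!"
ORIGINAL_SCRIPT = 'document.write(\'<script src="https://example.invalid/loader.js"></script>\');'
SAMPLE_BLOB = base64.b64encode(xxtea_encrypt(ORIGINAL_SCRIPT.encode("utf-8"), KEY)).decode("ascii")

if __name__ == "__main__":
    recovered = unwrap_layers(SAMPLE_BLOB, KEY)
    print(recovered)
    print(document_write_payloads(recovered))
```

Running the file prints the recovered script and the single document.write argument. On a real sample, the key and the padding convention would have to be read out of the hider's own JavaScript first; only the decoding order (Base64, then XXTEA, then UTF-8) comes from the review.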

Details: http://www.bitdefender.com/VIRUS-1000395-en--Trojan.Exploit.JS.RealPlr.S.html


Trojan.Downloader.Wimad.D

We all remember Trojan.Downloader.WMA.Wimad.N, don't we? Yes, it was part of our very first review, published on the BitDefender forum. Well, a new version of this exploit has shown up.

It's called Trojan.Downloader.Wimad.D and brings some interesting new features with it. Unlike its predecessor Wimad.N, the media files that try to exploit this Windows Media Player flaw have actual playable content.

A browser window pops up only at the end of playback, pointing users at http://www.[hidden]sx.com. It stays on this website for about 3 seconds, allowing the victims to get the "new version" of the media file they just viewed. After this fixed amount of time has passed, they are redirected to an adult-rated website.

This e-threat is not able to spread by itself and relies on websites or file-sharing applications to do so. It exhibits adware-like behavior.

Details: http://www.bitdefender.com/VIRUS-1000400-en--Trojan.Downloader.Wimad.D.html

Information in this article is available courtesy of BitDefender virus researchers:

Daniel Chipiristeanu

Dana Stanut

Adrian Stefan Popescu
