Monday, August 29, 2011

Aug 28 Morto / Tsclient - RDP worm with DDoS features

According to Microsoft, Morto is a worm that spreads by trying to compromise (lame) administrator passwords for Remote Desktop connections on a network. They also note it can perform Denial of Service attacks against attacker-specified targets.
I can add that it runs what looks like a quick DoS test against one Google IP. In addition, it creates a lot of traffic: RDP scans, downloads, receiving commands, and interesting DNS queries for command and control servers.
Judging by the domain owners of the CC servers (China) and their location (Hong Kong), I would say it is likely to be cybercrimeware originating in, erm... Asia. I don't know how difficult it is for a foreigner to register domains with Jiangsu Bangning Science & technology Co. China. One of the domains has existed for a few years and has moved between several Chinese registrars and hosting companies. As in Russia, DDoS attack crimes are very common in China (I don't have stats for other Asian countries, but I am guessing they are common there too :)
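As an added example (not code from the original post), here is the RDP password-guessing behaviour described above seen from the defender's side: a small Python script that flags a source with a burst of failed Remote Desktop logons (Windows Security event 4625, logon type 10) spread across several account names, and notes whether a successful logon (4624) from the same source followed. The log lines are constructed for the example, not captured from Morto; the simplified one-line format and the threshold are assumptions.

```python
"""Flag RDP password-guessing bursts from constructed Windows audit lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): time, event id, logon type, account, source IP.
SAMPLE_LOG = """\
2011-08-28T10:00:01 4625 LogonType=10 Account=administrator Source=10.0.0.7
2011-08-28T10:00:02 4625 LogonType=10 Account=admin Source=10.0.0.7
2011-08-28T10:00:02 4625 LogonType=10 Account=Administrator Source=10.0.0.7
2011-08-28T10:00:03 4625 LogonType=10 Account=root Source=10.0.0.7
2011-08-28T10:00:04 4625 LogonType=10 Account=administrator Source=10.0.0.7
2011-08-28T10:00:05 4624 LogonType=10 Account=administrator Source=10.0.0.7
2011-08-28T10:05:00 4625 LogonType=2 Account=alice Source=10.0.0.9
2011-08-28T10:09:00 4625 LogonType=10 Account=bob Source=10.0.0.9
"""

def parse_line(line):
    """Split one constructed audit line into its fields (account lower-cased)."""
    ts, event_id, logon, account, source = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event": int(event_id),
        "logon_type": int(logon.split("=")[1]),
        "account": account.split("=")[1].lower(),
        "source": source.split("=")[1],
    }

def find_rdp_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {source: details} for sources with >= threshold failed RDP logons
    inside one time window, noting whether a success from that source followed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["logon_type"] != 10:      # only RemoteInteractive (RDP) logons
            continue
        (failures if ev["event"] == 4625 else successes)[ev["source"]].append(ev)
    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs)):        # sliding window over sorted failures
            j = i
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = evs[j - 1]["time"]
                hits[src] = {"failures": j - i,
                             "accounts": sorted({e["account"] for e in evs[i:j]}),
                             "success_after": any(s["time"] >= last_fail
                                                  for s in successes.get(src, []))}
                break
    return hits
```

A source that fails against several administrator-style names and then succeeds is the pattern worth alerting on; the single failure from 10.0.0.9 stays below the threshold and is ignored.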

I want to thank and for the sample.

Thursday, August 11, 2011

Targeted attacks against personal Gmail accounts Part II - CNAS Report
I am posting this only to highlight the fact that once compromises happen and are covered in the news, they do not disappear and attackers don't give up or stop. They continue their business as usual. Here is a small update to the post dated Feb 17, 2011, Targeted attacks against personal accounts of military, government employees and associates. That post was mentioned a few times in the news thanks to Google's mention of it in their blog post in June 2011.

I received a phishing email sample indicating that the attackers described in the above post continue their efforts with very slight modifications to the original themes, and I must note that this incident is even simpler than the previous one. I don't know if any accounts were compromised this time; I hope the public disclosure of the previous attacks, along with Gmail's notifications about forwarding rules and two-factor authentication, helped prevent most if not all compromises.

P.S. Google is aware of this; there is not much they can do to prevent these from coming in, but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.

Wednesday, August 10, 2011

Microsoft and Adobe Flash patches vs corresponding document and web exploits (non PDF, CVE numbered)

Again, thanks to Malware Tracker for keeping an exploit timeline for Microsoft products (MS Office, HTML Help, Windows thumbnail), these are the patches you need to have installed for protection, or must *not* have installed if you want successful sandbox testing of these exploits.

Some of these, like Flash, were also used as web exploits. The table below includes only exploits used in documents.

There are too many Flash exploits to list with the links; however, the two lists below allow very easy correlation.

Tuesday, August 9, 2011

Adobe Reader versions vs corresponding exploits (CVE numbered) - Downloads for testing

Building a VM sandbox environment for testing malicious documents? I found that sometimes tracking down all the full versions and minor updates of Adobe Reader via Old Apps or  and the corresponding CVE numbers is more time consuming than the actual testing. Here are all the versions necessary for testing, available for download from Contagio. In some cases you need to install the base version and then apply all the incremental updates to get to the version you need.

Many thanks to Malware Tracker for making this easier; see their PDF threats timeline post here: Current PDF Threats

Or, download them all together from HERE