Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

As made public on June 6'2009, Microsoft's Video ActiveX has Remote Code Exploit threat, where using a malformed web-page Remote code execution could be enabled on the target machine. Cybercriminals are using the vulnerability to install a data stealing trojan on target machine affecting Microsoft Directshow.

If the target user is using IE, then attacker could get local user rights using exploits by without any user-intervention. So, the CyberCriminal just need to pursue victim to view it's malformed web-page and the victim's machine gets compromised.

Microsoft states it is aware of the vulnerability and suggests Kill-bit MPEG2TuneRequest ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) as the workaround to avoid the threat.
The defense it would provide is more than the minor side-effects it would cause.

To Avoid Threat
This kill-bit to avoid the threat can be automatically applied to your windows machine by "Microsoft Fix It" from online utility provided by Microsoft.com @ http://support.microsoft.com/kb/972890

Microsoft's Link : Enable The Fix || Workaround
Microsoft's Link : Disable The Fix || Workaround

Data 'bout Threat
Can be exploited via any kind of HTML document, a website or e-mail, etc. . This vulnerability is not a risk if you are using Windows Vista.

. 967 Chinese websites replorted to successive redirecting to finally download a JPG file containing the exploit, detected by Trend Micro as JS_DLOADER.BD., that downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Detailed Info from Microsoft Security Advisory

First Firefox Malware : Trojans Stealing Passwords Typed in Firefox using Firefox Add-on Disguise

First Firefox Malware : Trojans using Firefox Add-on Disguise
Roll your mouse over topics to expand them... :)
Information On Malware

Click Here [ Hide Me / Collapse ]

( Trojan-Spy:W32/Banker.IVX, Win32/Inject.NBT trojan, Troj/Bancos-BEX, TR/Drop.Small.abw )

Spreading:	very low
Damage:	very high
Size:	22kB
Discovered:	2008 Nov 28

Symptoms of Infection

Click Here [ Hide Me / Collapse ]

Presence of the:
"%ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll"
"%ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js"
files in the Mozilla Firefox's plugins and chrome folders.

List of Accounts mainly under attack

Click Here [ Hide Me / Collapse ]

It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials.

akbank.com
caixasabadell.net
credem.it
areasegura.banif.es
banca.cajaen.es
openbank.es
poste.it
banesto.es
carnet.cajarioja.es
gruposantander.es
intelvia.cajamurcia.es
net.kutxa.net
bancopastor.es
bancamarch.es
caixamanlleu.es
elmonte.es
ibercajadirecto.com
bancopopular.es
bancogallego.es
bancajaproximaempresas.com
caixa*.es
caja*.es
ccm.es
bancoherrero.com
bankoa.es
bbvanetoffice.com
bgnetplus.com
bv-i.bancodevalencia.es
clavenet.net
fibancmediolanum.es
sabadellatlantico.com
arquia.es
banking.*.de
westpac.com.au
adelaidebank.com.au
pncs.com.au
nationet.com
online.hbs.net.au
www.qccu.com.au
boq.com.au
banksa.com
anz.com
suncorpmetway.com.au
quiubi.it
cariparma.it
bancaintesa.it
popso.it
fmbcc.bcc.it
secservizi.it
bancamediolanum.it
csebanking.it
fineco.it
gbw2.it
gruppocarige.it
in-biz.it
isideonline.it
iwbank.it
bancaeuro.it
bancagenerali.it
bcp.it
unibanking.it
uno-e.com
unipolbanca.it
carifvg.com
cariparo.it
carisbo.it
islamic-bank.com
banking.first-direct.com
natwestibanking.com
itibank.co.uk
co-operativebank.co.uk
lloydstsb.co.uk
mybankoffshore.alil.co.im
abbeynational.co.uk
mybusinessbank.co.uk
barclays.com
online.co.uk
my.if.com
anbusiness.com
hsbc.co
anbusiness.com
co-operativebankonline.co.uk
halifax-online.co.uk
ibank.cahoot.com
smile.co.uk
caterallenonline.co.uk
tdcanadatrust.com
schwab.com
wachovia.com
bankofamerica
kfhonline.com
wamu.com
wellsfargo.com
procreditbank.bg
chase.com
53.com
citizensbankonline.com
e-gold.com
paypal.com
usbank.com
suntrust.com
banquepopulaire.fr
onlinebanking.nationalcity.com

What To Do If Infected

Click Here [ Hide Me / Collapse ]

Step1of2.
Close Your Firefox

Step2of2.
Install latest BitDefender (as they found it) and let it search and destroy the malware.

__________________________________________________
Bitdefender released information on this threat naming it as Trojan.PWS.ChromeInject.A, which spawns with the execution of Firefox and poses as a Plug-in to it, mainly works on Key Banking... can get access to all your passwords entered in the Password boxes opened in Firefox Browser.

The ChromeInject suffix refers to the Chrome component Firefox has. This malware infects your machine via drive-by download or download duping.
Once installed on the machine it registers itself as a fake 'GreaseMonkey' (a great firefox add-on for website customization using javascripts), and using javascript checks your machine for mainly banking passwords of more than 100 sites (like PayPal, etc.).
All this sensitive data collected by it is then transferred online to a server supposed to be located in Russia.

So, don't stop using Greasemonkey... but make sure you download it from Mozilla.com, so that you don't fall pray to malware.
__________________________________________________