Tuesday, July 7, 2009

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

Vulnerable Microsoft's Video ActiveX Control Allows Remote Access [ 0-day attacks]

As made public on June 6'2009, Microsoft's Video ActiveX has Remote Code Exploit threat, where using a malformed web-page Remote code execution could be enabled on the target machine. Cybercriminals are using the vulnerability to install a data stealing trojan on target machine affecting Microsoft Directshow.

If the target user is using IE, then attacker could get local user rights using exploits by without any user-intervention. So, the CyberCriminal just need to pursue victim to view it's malformed web-page and the victim's machine gets compromised.

Microsoft states it is aware of the vulnerability and suggests Kill-bit MPEG2TuneRequest ActiveX Control Object (CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF) as the workaround to avoid the threat.
The defense it would provide is more than the minor side-effects it would cause.

To Avoid Threat
This kill-bit to avoid the threat can be automatically applied to your windows machine by "Microsoft Fix It" from online utility provided by Microsoft.com @ http://support.microsoft.com/kb/972890

Microsoft's Link : Enable The Fix || Workaround
Microsoft's Link : Disable The Fix || Workaround

Data 'bout Threat
Can be exploited via any kind of HTML document, a website or e-mail, etc. . This vulnerability is not a risk if you are using Windows Vista.

. 967 Chinese websites replorted to successive redirecting to finally download a JPG file containing the exploit, detected by Trend Micro as JS_DLOADER.BD., that downloads another malware detected as WORM_KILLAV.AI. This malware disables and terminates AV processes, and drops other malware on the affected system.

Detailed Info from Microsoft
Security Advisory

Friday, July 3, 2009

First Firefox Malware : Trojans Stealing Passwords Typed in Firefox using Firefox Add-on Disguise

First Firefox Malware : Trojans using Firefox Add-on Disguise
Roll your mouse over topics to expand them... :)
Information On Malware

Symptoms of Infection

List of Accounts mainly under attack

What To Do If Infected
Bitdefender released information on this threat naming it as Trojan.PWS.ChromeInject.A, which spawns with the execution of Firefox and poses as a Plug-in to it, mainly works on Key Banking... can get access to all your passwords entered in the Password boxes opened in Firefox Browser.

The ChromeInject suffix refers to the Chrome component Firefox has. This malware infects your machine via drive-by download or download duping.
Once installed on the machine it registers itself as a fake 'GreaseMonkey' (a great firefox add-on for website customization using javascripts), and using javascript checks your machine for mainly banking passwords of more than 100 sites (like PayPal, etc.).
All this sensitive data collected by it is then transferred online to a server supposed to be located in Russia.

So, don't stop using Greasemonkey... but make sure you download it from Mozilla.com, so that you don't fall pray to malware.