Safari 0day? Looks like...
Greetings from CanSecWest ! Ok, I am not there but I have some friends that are actually there :). The interesting news that they sent from there is regarding a 0-day exploit for the Apple's Safari web browser. According one post of the hacking contest, one fully patched OSX machine was owned due a exploitable flaw on Safari, triggered when visiting a malicious website. The bad thing is that there not a single word on the latest Apple Patch Release of any Safari related flaw. So, if you use Safari, stay tuned for more informations!
-----------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
-----------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
Keywords:
0 comment(s)
Trojan posing as Codecs
One of readers (Gary) has come across a forum with posting on free porn movies links:
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to 85.255.119.210)
However, clicking on the link will open to another site in an iFrame:
http : //www. x-ratedclips.com/bdsm/dp/s5g2/movie1.php?bgcolor=000000&border=3C4553&id=1651
(Resolves to 81.0.250.226)
The x-ratedclips.com page has HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, it will display a page to tell the viewer that the movie cannot be played and to download a "missing Video ActiveX Object".
The "activex object" link is
http: // www. amultimediasource.com/download.php?id=1651
(Resolves to 85.255.113.222)
Note: 85.255.112.0 - 85.255.127.0 is a known source of evil (http://isc.sans.org/diary.html?storyid=1811)
Not surprising, the downloaded file is actually a Trojan. Positive scan result from VirusTotal:
AntiVir 7.3.1.53 04.20.2007 DR/Zlob.Gen
AVG 7.5.0.464 04.20.2007 Downloader.Zlob.GG
BitDefender 7.2 04.21.2007 Trojan.Downloader.Zlob.RX
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
Fortinet 2.85.0.0 04.21.2007 W32/Zlob.BRI!tr.dldr
Ikarus T3.1.1.5 04.20.2007 Trojan-Downloader.Win32.Zlob.bpg
Kaspersky 4.0.2.24 04.21.2007 Trojan-Downloader.Win32.Zlob.bqt
McAfee 5014 04.20.2007 New Malware.as
Sophos 4.16.0 04.20.2007 Troj/Zlob-Gen
TheHacker 6.1.6.095 04.15.2007 Trojan/Downloader.Zlob.bpl
Webwasher-Gateway 6.0.1 04.21.2007 Trojan.Zlob.Gen
http :// free-bdsm-movies. info/movies/1270174.avi
(Resolves to 85.255.119.210)
However, clicking on the link will open to another site in an iFrame:
http : //www. x-ratedclips.com/bdsm/dp/s5g2/movie1.php?bgcolor=000000&border=3C4553&id=1651
(Resolves to 81.0.250.226)
The x-ratedclips.com page has HTML code that checks for the presence of a Trojan (Zlob.Trojan). If it is not found, it will display a page to tell the viewer that the movie cannot be played and to download a "missing Video ActiveX Object".
The "activex object" link is
http: // www. amultimediasource.com/download.php?id=1651
(Resolves to 85.255.113.222)
Note: 85.255.112.0 - 85.255.127.0 is a known source of evil (http://isc.sans.org/diary.html?storyid=1811)
Not surprising, the downloaded file is actually a Trojan. Positive scan result from VirusTotal:
AntiVir 7.3.1.53 04.20.2007 DR/Zlob.Gen
AVG 7.5.0.464 04.20.2007 Downloader.Zlob.GG
BitDefender 7.2 04.21.2007 Trojan.Downloader.Zlob.RX
eSafe 7.0.15.0 04.19.2007 suspicious Trojan/Worm
Fortinet 2.85.0.0 04.21.2007 W32/Zlob.BRI!tr.dldr
Ikarus T3.1.1.5 04.20.2007 Trojan-Downloader.Win32.Zlob.bpg
Kaspersky 4.0.2.24 04.21.2007 Trojan-Downloader.Win32.Zlob.bqt
McAfee 5014 04.20.2007 New Malware.as
Sophos 4.16.0 04.20.2007 Troj/Zlob-Gen
TheHacker 6.1.6.095 04.15.2007 Trojan/Downloader.Zlob.bpl
Webwasher-Gateway 6.0.1 04.21.2007 Trojan.Zlob.Gen
Keywords:
0 comment(s)
×
Diary Archives
Comments