
Websense Security Labs(tm) Has Received Reports Of New Malicious Websites Designed To Install Trojan Horse



#1 fozzie

    aut viam inveniam aut faciam

  • Members
  • 3,516 posts
  • Gender:Male
  • Location:Ossendrecht/The Netherlands

Posted 21 February 2007 - 02:04 PM

Websense Security Labs™ has received reports of new malicious websites designed to install Trojan Horse bots that allow attackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites.

The websites are hosted in Germany, England, and Estonia, and appear to be using round robin DNS, resolving to five unique IP addresses that revolve on each lookup. Each site hosts the same exploit code. This code attempts to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

When end-users visit the site, they are directed to one of the five servers. If the end-user machine is vulnerable, a file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is temporarily busy and suggests that the user shut down any firewall and antivirus software. The "iexplorer.exe" file downloads and installs five additional files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll


Here is the whole article from Websense
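The advisory quoted above gives two things a defender can act on: hostnames that rotate across five addresses on successive lookups, and a fixed list of dropped file names. As an added example, not part of the post or the Websense advisory, the Python script below applies both defensively over log data: it flags hostnames whose A answers rotate across several distinct addresses within a short window, and matches file-creation events against the listed file names using an exact base-name comparison (so the legitimate iexplore.exe is not confused with the dropper's iexplorer.exe). Every log line, hostname and address in it is constructed for the example; the thresholds are assumptions to tune for your own resolver.

```python
"""Added example (not from the BleepingComputer post or the Websense advisory).

Two defender-side checks drawn from the advisory's description:
  1. Rotating (round-robin style) DNS: one hostname answering with several
     different IP addresses across successive lookups in a short window.
  2. Dropped-file indicators: file-creation events whose base name matches
     one of the file names listed in the advisory.

All log lines, hostnames and addresses below are constructed.
"""
from collections import defaultdict

# File names taken from the advisory text quoted in the post (lower-cased).
DROPPED_FILE_IOCS = {
    "iexplorer.exe",
    "iemod.dll",
    "iegrabber.dll",
    "iefaker.dll",
    "certgrabber.dll",
    "psgrabber.dll",
}

# Constructed resolver log: "<epoch_seconds> <client> <qname> A <answer_ip>"
DNS_LOG = """\
1172000000 10.0.0.5 example-lure.invalid A 192.0.2.10
1172000003 10.0.0.7 example-lure.invalid A 192.0.2.11
1172000004 10.0.0.5 example-lure.invalid A 192.0.2.12
1172000009 10.0.0.9 example-lure.invalid A 192.0.2.13
1172000012 10.0.0.5 example-lure.invalid A 192.0.2.14
1172000015 10.0.0.5 cdn.example.invalid A 198.51.100.1
1172000016 10.0.0.7 cdn.example.invalid A 198.51.100.2
1172000020 10.0.0.5 intranet.example.invalid A 10.1.1.1
"""

# Constructed endpoint file-creation events: "<epoch_seconds> <host> <path>"
FILE_LOG = """\
1172000030 WKS-01 C:\\Windows\\Temp\\iexplorer.exe
1172000031 WKS-01 C:\\Windows\\System32\\IEGrabber.dll
1172000032 WKS-02 C:\\Program Files\\Internet Explorer\\iexplore.exe
1172000033 WKS-01 C:\\Windows\\System32\\CertGrabber.dll
"""


def rotating_dns_hosts(log_text, window_seconds=60, min_distinct_ips=3):
    """Return {qname: sorted distinct answer IPs} for every name that answered
    with at least `min_distinct_ips` different addresses inside any
    `window_seconds`-wide window. Thresholds are assumed values for the example."""
    answers = defaultdict(list)  # qname -> [(timestamp, ip)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue  # skip malformed lines and non-A records
        ts, _client, qname, _rtype, ip = parts
        answers[qname.lower()].append((int(ts), ip))

    flagged = {}
    for qname, recs in answers.items():
        recs.sort()  # order answers by time for the sliding window
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it fits window_seconds
            while recs[end][0] - recs[start][0] > window_seconds:
                start += 1
            distinct = {ip for _, ip in recs[start:end + 1]}
            if len(distinct) >= min_distinct_ips:
                flagged[qname] = sorted({ip for _, ip in recs})
                break
    return flagged


def dropped_file_hits(log_text, iocs=DROPPED_FILE_IOCS):
    """Return [(host, path)] for file-creation events whose base name exactly
    matches one of the indicator file names (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)  # the path may contain spaces
        if len(parts) != 3:
            continue
        _ts, host, path = parts
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in iocs:
            hits.append((host, path))
    return hits


if __name__ == "__main__":
    for name, ips in rotating_dns_hosts(DNS_LOG).items():
        print(f"rotating DNS: {name} -> {', '.join(ips)}")
    for host, path in dropped_file_hits(FILE_LOG):
        print(f"dropped-file indicator on {host}: {path}")
```

Run against the constructed logs, only example-lure.invalid is reported for rotating answers (cdn.example.invalid has just two addresses, a normal CDN pattern), and only the three WKS-01 events match; the WKS-02 launch of the real iexplore.exe does not, which is why the base-name comparison is exact rather than a substring search.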


#2 lucent

  • Members
  • 172 posts
  • Gender:Male

Posted 22 February 2007 - 12:25 AM

Thanks for the heads up fozzie. Here is some more info on the bot from the briefly mentioned Australian Prime Minister incident review from Symantec.

See here:
http://www.symantec.com/enterprise/securit..._in_action.html

Cheers, Lucent.



