
malware

WordPress brute force attack via wp.getUsersBlogs
Now that the XML-RPC "pingback" DDoS problem in WordPress is increasingly under control, the crooks seem to be trying brute force password guessing attacks via the "wp.getUsersBlogs" method of xmlrpc.php. ISC reader Robert sent in some logs that show a massive distributed (> 3000 source IPs) attempt at guessing passwords on his WordPress installation. The requests look like the one shown below and a..
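As an added example (not code from the ISC diary or from WordPress), the following Python detector parses XML-RPC POST bodies the way xmlrpc.php receives them, extracts the (username, password) parameters of wp.getUsersBlogs, and flags any username being guessed from many distinct source IPs, the distributed pattern the diary describes. The request bodies, usernames and IP addresses are constructed for illustration; the `min_sources` threshold is an assumed tuning knob.

```python
"""Detect distributed password guessing via the XML-RPC wp.getUsersBlogs method.

Added example for this page; not code from the ISC diary or from WordPress.
It parses XML-RPC POST bodies the way xmlrpc.php receives them, pulls out the
(username, password) parameters of wp.getUsersBlogs, and flags usernames being
guessed from many distinct source IPs.  All request bodies and IP addresses
below are constructed for illustration.
"""
from collections import Counter, defaultdict
import xml.etree.ElementTree as ET

# wp.getUsersBlogs takes exactly (username, password); one guess costs one POST.
GUESSING_METHOD = "wp.getUsersBlogs"

# Constructed XML-RPC methodCall body carrying two string parameters.
XMLRPC_TEMPLATE = (
    "<methodCall><methodName>{method}</methodName><params>"
    "<param><value><string>{user}</string></value></param>"
    "<param><value><string>{password}</string></value></param>"
    "</params></methodCall>"
)


def make_request(method, user, password):
    """Build the POST body a guessing script would send to xmlrpc.php."""
    return XMLRPC_TEMPLATE.format(method=method, user=user, password=password)


def parse_methodcall(body):
    """Return (method_name, [string params]) for an XML-RPC methodCall body.

    Returns (None, []) for malformed XML or for a document whose root is not
    <methodCall>, so junk POSTs are skipped instead of crashing the detector.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, []
    if root.tag != "methodCall":
        return None, []
    method = root.findtext("methodName")
    params = [v.text or "" for v in root.findall("./params/param/value/string")]
    return method, params


def analyze(requests, min_sources=3):
    """Summarise wp.getUsersBlogs attempts per targeted username.

    requests: iterable of (source_ip, post_body).  A username is marked
    'distributed' when guesses arrive from at least min_sources distinct IPs
    (assumed threshold), the signature of a botnet-driven campaign.
    """
    attempts = Counter()
    sources = defaultdict(set)
    for src_ip, body in requests:
        method, params = parse_methodcall(body)
        if method != GUESSING_METHOD or len(params) < 2:
            continue  # not a credential-bearing wp.getUsersBlogs call
        attempts[params[0]] += 1
        sources[params[0]].add(src_ip)
    return {
        user: {
            "attempts": n,
            "distinct_sources": len(sources[user]),
            "distributed": len(sources[user]) >= min_sources,
        }
        for user, n in attempts.items()
    }


# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_REQUESTS = [
    ("198.51.100.10", make_request(GUESSING_METHOD, "admin", "admin123")),
    ("198.51.100.11", make_request(GUESSING_METHOD, "admin", "password")),
    ("203.0.113.5", make_request(GUESSING_METHOD, "admin", "letmein")),
    ("203.0.113.6", make_request(GUESSING_METHOD, "admin", "qwerty")),
    ("192.0.2.77", make_request(GUESSING_METHOD, "admin", "wordpress")),
    ("192.0.2.78", make_request(GUESSING_METHOD, "robert", "s3cret")),
    # Unauthenticated method that carries no credentials: ignored.
    ("192.0.2.78", "<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"),
    # Truncated/garbage POST: must not crash the parser.
    ("192.0.2.79", "<methodCall><methodName>"),
]

if __name__ == "__main__":
    for user, stats in analyze(SAMPLE_REQUESTS).items():
        flag = "DISTRIBUTED GUESSING" if stats["distributed"] else "ok"
        print(f"{user:10s} attempts={stats['attempts']} "
              f"sources={stats['distinct_sources']} {flag}")
```

In practice the (source_ip, body) pairs would come from a web server or WAF log that records POST bodies to xmlrpc.php; a username flagged as distributed is a cue to rate-limit or block xmlrpc.php access rather than individual IPs, since blocking per-IP does little against thousands of sources.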
Keeping the RATs out: the trap is sprung - Part 3
As we bring our three-part series on the RAT tools suffered upon our friends at Hazrat Supply to a close, we must visit the centerpiece of it all. The big dog in this fight is indeed the bybtt.cc3 file (Jake suspected this), Backdoor:Win32/Zegost.B. The file is unquestionably a PE DLL but renamed to .cc3 to hide on the system like a CueCards Professional database file. Based on the Trend Micro writeup on this family, ..
Is use-after-free exploitation dead? The new IE memory protector will tell you
The Isolated Heap for DOM objects included in the Microsoft Patch Tuesday for June 2014 was just a fire drill aimed at making the exploitation of use-after-free (UAF) vulnerabilities more difficult. The patch for July 2014, however, has been quite a shock to exploit developers! In this release, Microsoft showed some determination in fighting back against UAF bugs with this improvement - the intr..
Keeping the RATs out: **it happens - Part 2
As we learned in Part One of our exploration of Hazrat Supply's series of unfortunate events, our malicious miscreants favored multiple tools. We first discussed developing IOCs for HackTool:Win32/Zeloxat.A, which opens a convenient backdoor on a pwned host. One note on that front: during analysis I saw network calls to zeroplace.cn (no need to visit, just trust me) and therefore added matching U..
Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities
Spear phishing email is a major worry for any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits for already-patched vulnerabilities, delivered via spear phishing email, are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information. During the last month, M..
Beware BlackEnergy If Involved In Europe/Ukraine Diplomacy
The universe is full of "Black Energy" and so is cyberspace. Not so very long ago, we wrote about a sample of the BlackEnergy family discovered via VirusTotal. The family is allegedly the same malware used in the cyber-attack against Georgia in 2008. Last Friday, another fresh variant was submitted to VirusTotal. And this time it is more obvious how it was being distributed: a zip file contai..
"KIVARS" Used in Targeted Attacks: a New 64-bit Version Deployed
On June 3, 2014 (US time), Google announced the release of a 64-bit version of Google Chrome. According to Google, it decided to release a 64-bit version because the majority of Windows users now run a 64-bit operating system (OS). Adoption of 64-bit Windows has been somewhat slower than Microsoft originally expected, but it is clearly growing, as the support it now receives from software vendors makes plain. Unfortunately, Trend Micro has also confirmed that attackers are producing 64-bit versions of malware and that these are spreading. In this blog post, starting with the 64-bit version of the online banking fraud tool "ZBOT", ..
Isolated Heap for Internet Explorer Helps Mitigate UAF Exploits
In the recent Microsoft security bulletin for Internet Explorer, we found an interesting improvement for mitigating exploits of UAF (use-after-free) vulnerabilities. The improvement, which we will call "isolated heap", sets up a separate heap for many of the objects that frequently suffer from UAF vulnerabilities. Let's use Internet Explorer 11 as an example. Before it was patched, the funct..
RAT "PlugX" with a Set Start Time Abuses Dropbox to Download Its C&C Settings
Network traffic monitoring is one of the means by which IT administrators can determine whether a targeted attack is taking place inside their network. Remote Access Tools (RATs) are commonly used in targeted attack campaigns for command-and-control (C&C) communication. Among RAT network traffic, RATs such as "Gh0st", "PoisonIvy", "Hupigon" and "PlugX" are especially well known and are detected. Nevertheless, attackers still use these RATs effectively in targeted attacks. In May 2014, Trend Micro identified a targeted attack aimed at a Taiwanese government agency. In this attack, the attacker used the RAT "PlugX" and abused the online storage service "Dropbox" for its own..