Archive for August 16th, 2006


Aug16

At the recently concluded Defcon held in Las Vegas, one of the speakers, Jesse “x30n” D’Aguanno, introduced an interesting way to utilize the immensely popular Blackberry technology.

For those people who haven’t heard of Blackberry, it’s a handheld device pretty much like a cellphone but with a lot more features. It was developed by Research in Motion (RIM) and it basically delivers information over the wireless data networks of cellular telephone companies. If I’m not mistaken, the number of Blackberry users has grown to a whopping 5 million since its introduction in 1999. They have become extremely popular in the United States, especially with large corporations, where they are primarily used to provide email delivery to roaming employees. Blackberries, simply put, are computers with a constant connection to the corporate LAN.

Well, I’m guessing you guys can already see the major potential risk related to the exploitation of this sort of technology, and the guys over at Defcon were given a pretty little demonstration of how this was possible. The attack toolkit was recently made available on the author’s site and we were able to secure a copy.

Successfully exploiting these devices can basically allow the attacker several options such as:

  • talk to hosts behind the corporate firewall
  • attack them
  • undermine Intrusion Detection Systems (IDS) or data logging
  • do it using a trojan
  • sign the trojan anonymously and use all APIs

We are still currently determining what solutions we can provide our customers with to protect them against this exploit.

Posted in Uncategorized | Comments Off

Aug16
by Jonell Baltazar (Advanced Threats Researcher)

We just received two malware samples exploiting the MS06-040 vulnerability (Vulnerability in Server Service Could Allow Remote Code Execution). Joey discussed the MS06-040 public exploits in an earlier blog entry, “Public exploits for MS06-040”. The malware samples have different MD5 hashes; however, they share a common characteristic: they point to the same command-and-control servers. These malware samples are discussed in the following URLs:



Update (JoneZ, Sun, 13 Aug 2006 11:27:53 AM)


The samples will be detected by Trend as WORM_IRCBOT.JK and WORM_IRCBOT.JL. 


Update (JoneZ, Sun, 13 Aug 2006 05:28:42 PM)


The complete virus report for the malware can be viewed in our Virus Encyclopedia.



Please update your pattern files to the latest Official Pattern Release 3.651.00. This includes the detection for the malware described above. Kindly follow the link below for the Trend Micro official pattern download site.



 

 

