Archive for September 8th, 2006


Sep 8
by Jonell Baltazar (Advanced Threats Researcher)

We’ve received two new trojan droppers exploiting the much-discussed MS Word 2000 zero-day vulnerability. These trojans will be detected as TROJ_MDROPPER.BT and TROJ_MDROPPER.BS in the upcoming urgent Official Pattern Release. The discovery of this new trojan malware is alarming: it is very probable that new malware will keep exploiting the vulnerability until a security patch is released for it.

For now, users are advised to update their anti-virus pattern files regularly to be protected from new malware discovered in the wild.


Sep 8
by Jasper Pimentel (Advanced Threats Researcher)

The common assumption about DoS attacks is that they are caused by many sources using spoofed IP addresses. However, a study by the University of Michigan, Carnegie Mellon University and AT&T reports results that contradict this assumption. The study claims that most DoS attacks are generated by fewer than 50 sources and that IP spoofing is used in DoS attacks less often than previously surmised. It further shows that the network traffic in most DoS attacks lets the source be easily identified and blocked. Moreover, the attacks always originate from the same point, implying that the DoS problems encountered can be solved simply by blocking traffic coming from a known DoS attack source.

Take a closer look at the claims of this study here.

 

Sep 8
by Eric Avena (Technical Communications)

The hit TV series House had its much anticipated season premiere on Tuesday, September 5. Only a few hours after the show aired, copies of the episode were made available for download on the Internet.

To watch the House episode, which is most likely in AVI format, on your computer, you might need to install a codec so that your media player can play the file properly.

A codec, short for coder-decoder or compressor-decompressor, is a program that encodes and decodes a digital data stream or signal. Media files, being naturally large, are often compressed for easy transmission. If a media file is compressed using a certain codec, that codec must also be present on your system so that the file can be decompressed and your media player can play it.

Codecs are widely available on the Internet. If you don’t already have the necessary codec installed on your computer, it’s easy to find, download, and install one.

Just make sure it’s a legitimate codec installer you’re running and not the new Trojan posing as a codec installer.

The new Trojan, detected as TROJ_ZLOB.ALF, even displays a fake EULA, tricking users into thinking it is a normal installer, all while dropping a malicious file. The dropped malicious file modifies the registry to alter DNS settings.

DNS, which stands for domain name system, is the Internet service that, among other tasks, translates domain names to IP addresses. TROJ_ZLOB.ALF changes the registry so that the affected computer’s DNS settings point to a remote DNS server, which is likely controlled by a malicious user. With this setup, that malicious user can decide which IP address the affected system connects to whenever the user tries to access a domain name.

As of this writing, an affected user who accesses certain domain names may be redirected to adult-themed sites. Of course, the DNS server could be easily changed, so that connections are redirected to malicious sites instead.

If you were searching for a codec installer and came across this malicious file, then instead of being able to watch that House episode, you just got your DNS settings messed up, giving a remote malicious user some amount of control and opening the door to further damage.
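A defender-side check for the DNS hijack described above, added here as an example and not part of the original post: it compares each network interface's configured resolvers against a trusted set and reports any that do not belong. The registry location is the standard Windows TCP/IP interfaces key (an assumption, since the post names none); the sample interface data and the trusted-server set are constructed.

```python
import sys
# Where Windows keeps per-interface DNS settings (assumption: the standard
# TCP/IP parameters key; the post itself names no registry path).
IFACE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
DNS_VALUES = ("NameServer", "DhcpNameServer")

def parse_servers(value):
    """'1.2.3.4,5.6.7.8' or '1.2.3.4 5.6.7.8' -> ['1.2.3.4', '5.6.7.8']."""
    return value.replace(",", " ").split()

def find_rogue_dns(interfaces, trusted):
    """Map each interface to the DNS servers it uses that are not trusted."""
    rogue = {}
    for iface, values in interfaces.items():
        bad = []
        for name in DNS_VALUES:
            for server in parse_servers(values.get(name, "")):
                if server not in trusted and server not in bad:
                    bad.append(server)
        if bad:
            rogue[iface] = bad
    return rogue

def read_interfaces_from_registry():
    """Read the live per-interface values on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    result, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACE_KEY) as root:
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:          # no more interface subkeys
                return result
            i += 1
            with winreg.OpenKey(root, guid) as sub:
                result[guid] = {}
                for name in DNS_VALUES:
                    try:
                        result[guid][name] = winreg.QueryValueEx(sub, name)[0]
                    except OSError:  # value not set on this interface
                        pass

# Constructed sample: interface B has a second, unexpected resolver.
SAMPLE = {"{iface-A}": {"DhcpNameServer": "192.168.1.1 192.168.1.2"},
          "{iface-B}": {"NameServer": "192.168.1.1,203.0.113.9"}}
TRUSTED = {"192.168.1.1", "192.168.1.2"}

if __name__ == "__main__":
    print(find_rogue_dns(read_interfaces_from_registry() or SAMPLE, TRUSTED))
```

On a non-Windows host the script falls back to the constructed sample; on Windows it audits the live registry values.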

 

Sep 8
by Jasper Pimentel (Advanced Threats Researcher)

One of the malware samples processed here last week was a particular variant of WORM_SDBOT. Like its siblings, this WORM_SDBOT variant propagated through network shares and exploited unpatched vulnerabilities. Throw in a number of backdoor capabilities and an information-theft routine on the side, and you would think this was your average, run-of-the-mill WORM_SDBOT variant.

Not entirely.

You see, this particular variant, which Trend now detects as WORM_SDBOT.ADK, does something more interesting as compared to other SDBOT variants. In order to maximize its network connection, WORM_SDBOT.ADK attempts to overwrite several system files such as tcpip.sys, ftp.exe, etc. Being components of the operating system, these system files are protected by the Windows File Protection feature, a security mechanism that prevents other programs from altering such critical files. Ideally, when a program attempts to modify critical system files, the operating system would prevent it.

But WORM_SDBOT.ADK happens to have a way to work around this particular security measure. One of the files needed to implement Windows File Protection is SFC.DLL. Modifying or overwriting this file renders the WFP feature useless, and that is exactly what WORM_SDBOT.ADK does. By altering SFC.DLL for its own purposes, this WORM_SDBOT variant achieves its objective of bypassing security. The modified SFC.DLL acts as an “accomplice” malware, enabling the worm to accomplish its malicious activities on the affected system.

The detection pattern for WORM_SDBOT.ADK has been available since CPR 3.694.01 and CPR 3.731.00.
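Since the worm's first move is to tamper with the guard (SFC.DLL) before overwriting the files it protects, an out-of-band integrity baseline is one way to notice it. The following is an added example, not Trend Micro's code: it hashes the files the post names, records them on a known-clean system, and later reports which are modified or missing. The directory and file contents in the demo are constructed; a real deployment would baseline the actual system paths.

```python
import hashlib
import os
import tempfile

# Files the post names as WFP-protected targets, with the guard itself first
# so a disabled SFC.DLL is the first thing the report shows.
WATCHED = ["sfc.dll", "tcpip.sys", "ftp.exe"]

def sha256_file(path):
    """Stream the file through SHA-256 so large drivers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record the hash of every watched file under root (run on a known-clean box)."""
    return {name: sha256_file(os.path.join(root, name)) for name in WATCHED}

def verify_baseline(root, baseline):
    """Compare current hashes to the baseline: 'ok', 'modified' or 'missing' per file."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif sha256_file(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed scenario: clean baseline, then sfc.dll and tcpip.sys overwritten."""
    with tempfile.TemporaryDirectory() as root:
        for name in WATCHED:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original contents of " + name.encode())
        baseline = build_baseline(root)
        # Simulate the worm overwriting the guard and a network driver.
        for name in ("sfc.dll", "tcpip.sys"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"tampered")
        return verify_baseline(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the worm cannot rewrite, since on the affected system SFC.DLL itself can no longer be trusted to report tampering.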

 


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice