Nov28
10:50 am (UTC-7)   |   by JM Hipolito (Technical Communications)

SANS Internet Storm Center reports that an exploit code that takes advantage of a buffer flow vulnerability in WinRAR archiving software is making rounds in the wild. The said exploit code affects WinRAR versions 3.50 and earlier.

Further analysis by TrendLabs researchers reveal that the said exploit (detected as TROJ_RDROPPER.A) arrives as a malicious .RAR file. Once the said file successfully exploits the WinRAR flaw, it proceeds to drop the file %User Temp%WINRAR.EXE, which is detected by Trend Micro as BKDR_DARKMOON.AH. The dropped backdoor, in turn, opens a random port and allows remote code execution by a malicious user.

This is not the first time a bug was discovered in earlier versions of WinRAR. As early as 2005, Threat Researchers Jonell Baltazar and Joey Costoya were able to procure of an exploit code that also takes advantage of a buffer overflow vulnerability. At that time, however, they concluded that the said exploit could not be used for malicious purposes.

Trend Micro strongly recommends WinRAR users that they upgrade to the latest version of the program (3.61) to avoid possible infection. Users of Trend Micro products are also advised to update their patterns.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Wednesday, November 28th, 2007 at 10:50 am and is filed under Exploits, Malware . Responses are closed, but you can trackback from your own site.



Comments are closed.


More Muck Against Mac
QuickTime Player Gets Exploited via RTSP


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice