Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    November 2012
    S M T W T F S
    « Oct   Dec »
  • Email Subscription

  • About Us

    Archive for November 13th, 2012

    This month, Microsoft releases six security bulletins, four of which are rated as critical. Included in this release is MS012-071 that addresses vulnerabilities in Internet Explorer. Accordingly, the said vulnerabilities could lead to remote code execution via a specially crafted website. As such, any remote attacker who exploits these can end up gaining user rights access thus compromising the security of the system.

    Microsoft also addressed vulnerabilities affecting the newly-release Windows 8 and Windows RT. Windows RT is the OS running on Windows tablets. Another notable security bulletin is MS12-076 that addressed the issue of vulnerabilities in Microsoft Excel and MS12-075 that could allow remote code execution in Kernel privileges.

    In other news, there were reports of a zero-day exploit targeting Adobe Reader. It is said that the exploit is being sold in the underground cybercrime and is used by the cybercriminals behind the Blackhole exploit kit. TrendLabs researchers are continually monitoring and investigating this for any developments.

    Trend Micro Deep Security and Office Scan with Intrusion Defense Firewall (IDF) plugin actively protects users against possible threats leveraging these vulnerabilities. For more information on the bulletins and their IDF rules, visit the Threat Encyclopedia page.

    Posted in Vulnerabilities | Comments Off on November 2012 Microsoft Bulletin Release Includes Fix for Internet Explorer Vulnerabilities

    Last month, we posted an entry about a planned massive fraud campaign targeting various US banks. This attack was expected to use the newly-developed Gozi-Prinimalka, a malware that exhibits Gozi-like behavior.

    There have been rumblings in the underground that this campaign has been shelved; however, we here at Trend Micro are still actively monitoring developments for this case. Rumor or not, it is best that customers and users out there should have the applicable solutions for the threat.

    Analysis on Gozi-Prinimalka

    To find out more about this Gozi-Prinimalka malware, we acquired samples and analyzed them to check the malware’s routines and notable behaviors. The first sample, detected as BKDR_URSNIF.B, monitors users’ browsing activities. It gathers information if it contains specific strings related to banking and financial institutions such as PayPal, Wells Fargo, and Wachovia among others.

    The second sample, which is detected as BKDR_URSNIF.DN checks the existence of the registry key, HKEY_CURRENT_USER\Software\Classes\FirefoxHTML\shell\open\command to locate firefox.exe. This is done to create a file that drops JS_URSNIF.DJ. Similar to BKDR_URSNIF.B, BKDR_URSNIF.DN is designed to monitor specific US banking and financial sites.

    If the said registry entry is not found, the malware will not perform its information stealing routines. However, it will still perform its other routines (backdoor communication etc.).

    To steal information, this backdoor injects JS_URNSIF.DJ into monitored sites. Once affected users encode their login credentials into these sites, the malicious JavaScript gathers this data and sends it to specific remote URLs via HTTP POST.

    Read the rest of this entry »



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice