May’s series of Web site compromises gave way to scam and spoofed sites in June. Users were also served a bigger helping of spam with a malware aftertaste, as many of the malware that emerged this month were distributed through links in spammed mail.
TROJ_PIDIEF.AC, which could be downloaded from a malicious URL, was found to exploit a previously unknown vulnerability in Adobe Acrobat. When the exploit succeeds, Acrobat downloads another malware from the same malicious URL and executes it. What makes TROJ_PIDIEF.AC notable is that it displays a fake BSOD (Blue Screen of Death) to deceive the user into thinking the system has crashed.
When Nuwar first appeared, it used the threat of a nuclear war to lure users into reading the spammed mail and executing the malware from the download location. It seems that it has reverted to its old tactics once again. This particular variant of Nuwar informs the user of a “new” earthquake that has struck China. The claim is of course a fake one, meant to entice users to click on the link and download a copy of the worm.
TROJ_ZLOB.CCS and TROJ_ZLOB.CCT
These new variants of Zlob were first reported during the second week of June. Unlike their brethren, which pose as video codecs but are actually malware in disguise, TROJ_ZLOB.CCS and TROJ_ZLOB.CCT target routers in order to redirect URL requests to malicious URLs. They do this by accessing the web page used to configure the router and trying a predefined list of login names and passwords to get into the configuration. If successful, the Trojan modifies the system’s DNS settings so that requests for legitimate URLs resolve to malicious ones.
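Because the router hands its DNS server setting to every client via DHCP, a DNS change of the kind described above shows up on the clients as an unexpected resolver. The following is an added defensive check, not code from the original post or from Trend Micro: it parses resolv.conf-style text and flags any nameserver outside an allowlist of expected resolver ranges. The sample configurations, the allowlist prefixes, and the 203.0.113.44 “rogue” resolver are constructed values for illustration.

```python
import ipaddress

# Constructed sample resolver configurations (not taken from the original page).
CLEAN_RESOLV_CONF = """\
# Generated by DHCP from the home router
nameserver 192.168.1.1
search home.lan
"""

HIJACKED_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 203.0.113.44
"""

# Assumed allowlist: the LAN gateway ranges plus a hypothetical set of
# deliberately chosen public resolvers. 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges, used here only as stand-ins.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),   # typical home/SOHO gateways
    ipaddress.ip_network("10.0.0.0/8"),       # private LAN gateways
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical corporate resolvers
]


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def unexpected_resolvers(nameservers, allowed=EXPECTED_RESOLVERS) -> list:
    """Return every nameserver that falls outside the allowlisted ranges."""
    flagged = []
    for ns in nameservers:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            flagged.append(ns)  # a malformed entry is itself worth a look
            continue
        if not any(addr in net for net in allowed):
            flagged.append(ns)
    return flagged


def audit(resolv_conf: str) -> dict:
    """Summarise a resolver configuration and whether a DNS hijack is suspected."""
    servers = parse_nameservers(resolv_conf)
    bad = unexpected_resolvers(servers)
    return {"nameservers": servers, "unexpected": bad, "hijack_suspected": bool(bad)}


if __name__ == "__main__":
    for label, conf in [("clean", CLEAN_RESOLV_CONF), ("hijacked", HIJACKED_RESOLV_CONF)]:
        print(label, audit(conf))
```

On a real network the allowlist should contain only the resolvers the administrator actually configured; a resolver that appears outside those ranges is the client-side symptom of the router-level change described above, and the router’s own DNS setting should then be checked directly.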
An incident involving ransomware some time ago made use of a 660-bit algorithm to encrypt an unwitting user’s files and hold them for “ransom”. Another version of this kind of threat has come out recently, in the form of TROJ_GPCODE.AD, which uses a 1024-bit key, making the files even more difficult to decrypt.
Exploits and Vulnerabilities
BKDR_HOVDY.A is known to exploit a vulnerability in Apple’s Remote Desktop feature. This backdoor elevates its privilege level to root and, having done so, can perform a variety of backdoor functions that include adding a hidden admin user, opening ports in the firewall and enabling personal web sharing. Once compromised this way, the system is left more vulnerable to future attacks and can possibly be used for malware distribution.
Firefox 3.0 Vulnerability
A vulnerability has been disclosed in Mozilla Firefox 3.0. When exploited, it could allow malicious code to be executed, although exploitation requires user interaction. As of now, Mozilla has yet to issue a patch for this vulnerability.
For June, there were fewer reported incidents of Web sites being compromised. Instead, a lot of scam and spoofed sites emerged. Furthermore, a lot of malware relied on spammed mail carrying links to malicious URLs as its distribution tactic.