New malware research posted on Resources at InfoSec Institute

Discussion in 'malware problems & news' started by lotuseclat79, Apr 21, 2011.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,087
    New malware research posted on Resources at InfoSec Institute.

    -- Tom
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Thanks for posting :thumb:

    They never stop finding ways in, but then I don't expect them to!

     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the article:

    That is the remote code execution method. I wondered if there is anything new, so I checked around:

    TDL4 exploits Windows Task Scheduler flaw
    Dec. 12th, 2010
    http://www.prevx.com/blog/164/TDL-exploits-Windows-Task-Scheduler-flaw.html

    BITS and PC's - News From the Trenches!
    http://secure-computer-solutions.com/blog/2010/10/why_you_should_backup_your_mbr.html

    So, the same two tried and proven methods!

    I've not seen statistics showing which attack vector is the more successful:

    • remote code execution (drive-by on the internet via exploit kit; infected USB drive), or

    • social engineering attack

    That might be difficult to determine...

    -rich
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    I thought you might be interested in the article ;)

    That would be a revealing piece of info, I'm surprised it hasn't been done, or if it has we haven't seen it!

    Quote From the article

    I imagine these days it's more likely that the above type of social engineering trick is more common?
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    (My bolding)
    Not just these days -- this is from 3-1/2 years ago

    http://isc.sans.edu/diary.html?storyid=3595
    The user is then prompted to install the package and during this process
    he will have to supply the administrator credentials. Yep, it’s game over
    from this point in time (and the attack is exactly the same as on Windows –
    keep in mind that these users *will* willingly supply these credentials.


    Several years ago, Marco of Prevx wrote in his blog:

    http://www.prevx.com/blog/109/The-goal-of-antimalware-products.html
    Posted by: Marco Giuliani
    -rich
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    When I wrote,

    My thoughts were, more common than remote code execution.

    Your following MG quote,

    Answers our question :thumb: And as you showed, it's not just Windows that it can apply to!
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For me, not exactly -- others have made similar observations but don't provide statistics showing whether or not a TDSS infection on a given system, for example, intruded by one attack vector or the other, which would probably be difficult to do, in the manner that researchers break down exploits by type, country, etc.

    regards,

    -rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    Yes I agree, seeing a nice list of statistics would be good :thumb:
     