
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-03-04



Malwares

Published: 2006-03-04
Last Updated: 2006-03-06 19:53:40 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
Some interesting malware has been reported that you may want to take note of. Currently none of it is reported to be prevalent, but it is worth the effort to understand the threat posed by this malware. Information theft will be one of the biggest threats caused by malware.

1) JS.Ffsniff
JS.Ffsniff is a JavaScript Trojan horse that logs information from HTML forms in Web pages and sends the information to a predefined email address. It can be included with a malicious Mozilla Firefox browser extension.
http://securityresponse.symantec.com/avcenter/venc/data/js.ffsniff.html

2) PWSteal.Rivarts
PWSteal.Rivarts is a Trojan horse that steals bank account and sensitive information and sends it to a remote server. It also gathers SSL web certificates and can hijack a browser connection.
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.rivarts.html

3) PE_ICABDI.A
Trend Micro has notified us of a proof-of-concept infector for Microsoft InfoPath. InfoPath is an application used to develop XML-based user forms.

The PoC attempts to infect InfoPath XSN files by:
- Creating a temp directory named "iCab".
- Copying a target xsn file to the directory.
- Extracting the contents of the XSN file.
- Opening the 'script.js' file of the original XSN.
- Inserting a malicious script inside the script.js file, most probably overwriting the Document:Onload function in the original script. *
- Recreating the original file using makecab.exe, with a specified directive file. *
- Deleting all temporary files and directories. *

However, the behavior marked with * was not replicated successfully. Trend Micro named it PE_ICABDI.A.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FICABDI%2EA&VSect=P
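Since the PoC works by rewriting an existing XSN template (altering script.js and repacking the cabinet with makecab.exe), the defender-side check that follows from the steps above is a hash baseline of the form templates: any template that is rewritten shows up as a changed line. The script below is an added example for this diary, not code from Trend Micro or from the ISC; it assumes a POSIX shell with sha256sum, find, sort, comm and mktemp, and the directory and baseline-file paths in the usage note are hypothetical.

```shell
#!/bin/sh
# Added example (not from the diary or Trend Micro): baseline the .xsn
# templates under a directory and later report any that changed or appeared.
# Assumes sha256sum/comm/mktemp are present (coreutils); paths are hypothetical.

# Emit one "hash  path" line per .xsn file under DIR, sorted as whole lines
# (comm below needs both inputs sorted with the same collation).
xsn_baseline() {
    dir="$1"
    find "$dir" -type f -name '*.xsn' -exec sha256sum {} \; | LC_ALL=C sort
}

# Compare the current state of DIR against a saved BASELINE file.
# Prints every "hash  path" line that is present now but absent from the
# baseline (a modified template gets a new hash, a new template a new path).
# Returns 0 when nothing changed, 1 when at least one line was printed.
xsn_check() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    xsn_baseline "$dir" > "$current"
    diffs=$(LC_ALL=C comm -13 "$baseline" "$current")
    rm -f "$current"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}
```

Usage: run `xsn_baseline /srv/forms > forms.sha256` once over a known-good set of templates and store the baseline read-only; then `xsn_check /srv/forms forms.sha256` from a scheduled job, treating a non-zero exit as a signal to pull the listed templates, unpack them (XSN files are cabinets) and compare script.js against the known-good copy. Deleted templates do not show up here by design; swap `comm -13` for `comm -3` if you also want those.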

4) UNIX_MARE.G
UNIX_MARE.G affects systems running Unix. Upon execution, it connects to some predefined websites via TCP port 8080 to download malware. It then opens the affected system to further malicious attacks. It deletes all files in the /tmp folder. It also creates a hidden subfolder named .sess_a4c1cb9ea15105441fb0366b06479082 inside that folder.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=UNIX%5FMARE%2EG&VSect=T
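The one host-level indicator the diary gives for UNIX_MARE.G is the hidden working directory under /tmp, so a quick triage check is to look for that naming pattern. The script below is an added example for this diary, not code from Trend Micro or from the ISC; the `.sess_` prefix and the 32-character hex suffix are taken from the directory name quoted above, and everything else (the function names, treating any 32-hex-digit suffix as a hit rather than only the one quoted) is an assumption, so treat a match as something to investigate, not as proof of infection.

```shell
#!/bin/sh
# Added example (not from the diary or Trend Micro): report hidden ".sess_<hex>"
# directories, the working-directory pattern the diary gives for UNIX_MARE.G.
# Only the name pattern comes from the diary; the rest is an assumption.

# True (exit 0) when NAME is ".sess_" followed by exactly 32 lowercase hex
# digits, the shape of the directory name quoted in the diary.
is_mare_dirname() {
    printf '%s\n' "$1" | grep -Eq '^\.sess_[0-9a-f]{32}$'
}

# Walk DIR (default /tmp) and print an "ls -ld" line (mode, owner, mtime, path)
# for every directory whose name matches is_mare_dirname.
# Returns 0 when nothing matched, 1 when at least one hit was printed.
mare_scan() {
    dir="${1:-/tmp}"
    hits=$(find "$dir" -type d -name '.sess_*' 2>/dev/null | while IFS= read -r d; do
        is_mare_dirname "$(basename "$d")" && ls -ld "$d"
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

Usage: `mare_scan` with no argument checks /tmp; pass another path to check a different scratch area. A hit is worth correlating with the other behaviour the diary lists, namely a freshly emptied /tmp and outbound connections from that host to TCP port 8080.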
