TrojanHunter 5.2 Released

August 27, 2009

TrojanHunter 5.2 has been released!

Download: http://www.misec.net/products/TrojanHunterSetup.exe

________________________________________________
TrojanHunter 5.2 Build 987 (Released 2009-08-27)

* Added detection of hidden Internet Explorer processes launched via COM automation
* Added trojan mutex detection
* Added bug reporting option if TrojanHunter crashes
* Added detection of suspicious svchost processes
* Added “This is a list of all the trojans TrojanHunter currently detects” label to Trojans page
* The Exit button is back
* Fixed bug with TrojanHunter Guard appearing at desktop center when using two monitors


Fake Adobe Flash Player Monitors Your Google Searches

August 25, 2009

We found a new one today that’s pretty interesting.

Detected by TrojanHunter as TrojanClicker.VB.395, this piece of malware purports to be an updater for your Adobe Flash installation. When run, it goes through the motions of updating the Flash player, and most users will think nothing of it. The installer for this seems to be spread via forum posts that use JavaScript to link to the malware.

Update: This is what the malicious pop-up looks like:

[Image: ExploitPopup]

Cheekily, the malware asks you to shut down Firefox if it’s running during the installation. The reason for this is that it installs a Firefox plugin. Upon restarting Firefox after the malware is installed you will see this:

[Image: Fake Firefox Extension]

This shows that a new Firefox extension has been installed, and it does look pretty legitimate, doesn’t it? The GUID of the extension is 191d3f14-ff4c-4895-bdea-db54526cb49a and the extension’s name and version number is “Adobe Flash Player 0.2”.

So what does this extension do? It, in conjunction with a trojan executable named smc.exe, monitors all your Google searches and sends them off to the server msjupdate.com where the keywords you search for will be stored in a database. The Firefox extension will inject ads into the web pages you view based on the keywords, but the bigger threat to privacy is of course that anything you search for will be recorded at a malicious server. Many users will Google their own name from time to time, which makes it possible to identify individual users along with their search queries.

So how do you know if you have this trojan on your system? Any of these signs indicate that you’re infected:

  • A running process named smc.exe (Edit: Sygate Firewall also uses this process name, so this is not a reliable indicator of infection.)
  • A Firefox plugin named “Adobe Flash Player 0.2”
  • Having recently installed a file called install_flash_player.exe or Install_Flash.exe from an unknown source

Of course, TrojanHunter detects this as well so you can use it to check for and clean out any infection.

Update: Further research has shown that this malware also monitors all URLs you visit in Internet Explorer and submits them to the malware creator’s server. So this is worse than we initially thought. If you have this on your system then you basically have no privacy left.


TrojanHunter 5.2 Coming Soon

August 17, 2009

Just a heads-up to let you know that TrojanHunter 5.2 will go into beta soon with a final version release hopefully before the end of August. Just to give you a taste of what’s changed, here’s an excerpt from WhatsNew.txt:

________________________________________________
TrojanHunter 5.2 Build 9xx (Released 2009-)

* Added detection of hidden Internet Explorer processes launched via COM automation
* Added trojan mutex detection
* Added bug reporting option if TrojanHunter crashes
* Added detection of suspicious svchost processes


“Image File Execution Options” is an Evil Registry Key

August 14, 2009

Came across a variant of Antivirus XP today that uses a particularly nasty way to ensure reinfection. It adds new subkeys to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. The subkeys are the names of common programs such as notepad.exe or zonealarm.exe. It then adds a debugger value for each file, like so:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\zonealarm.exe\Debugger = "svchost.exe"

This means that every time you try to launch ZoneAlarm.exe, svchost.exe will be launched instead – and in this case that is a trojan executable.

Thinking of adding TrojanHunter detection for any Image File Execution Options sub-key that has a Debugger value… it’s not that common on user systems.
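One way to run exactly that check yourself, as an added example that is not TrojanHunter code: export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and scan the export for sub-keys carrying a Debugger value. The sample export embedded below is constructed for the example, and the "bare file name means suspicious" heuristic is an assumption of mine (a real debugger is normally registered with its full path).

```python
import re
import sys

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of a .reg export (not taken from any real system).
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\zonealarm.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\iexplore.exe]
"DisableHeapLookaside"=dword:00000001
"""

_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_ifeo_debuggers(reg_export: str) -> list:
    """Return (image name, debugger) pairs for every IFEO sub-key with a Debugger string value."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # a new [KEY] section starts
            continue
        if not current_key or not current_key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue                          # only look inside IFEO sub-keys
        m = _STRING_VALUE.match(line)
        if m and m.group(1).lower() == "debugger":
            image = current_key.rsplit("\\", 1)[1]
            debugger = m.group(2).replace("\\\\", "\\")   # .reg files escape backslashes
            hits.append((image, debugger))
    return hits


def looks_suspicious(debugger: str) -> bool:
    """Assumed heuristic: a debugger given as a bare file name (no directory) is suspicious."""
    return "\\" not in debugger and "/" not in debugger


if __name__ == "__main__":
    # reg export writes UTF-16; pass a path to scan, or run without one to use the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for image, dbg in find_ifeo_debuggers(text):
        print(f"{image}: Debugger={dbg}" + ("  <-- SUSPICIOUS" if looks_suspicious(dbg) else ""))
```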


Hidden IExplore.exe Detection

August 12, 2009

Currently working on the next TrojanHunter version. It will feature detection of hidden Internet Explorer instances. Malware will often launch hidden IE instances via COM automation to download files or reload pages with ads to make a commission.


WordPress Password Reset Vulnerability

August 11, 2009

A vulnerability affects WordPress installations with a version number of 2.8.3 and below.

When you want to reset your admin password (because you have forgotten it), you get sent a link by WordPress that looks like the following: http://yoursite.com/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsiu

The key argument is there to ensure that only the person who received the email can reset the password. The exploit consists of sending a request string that looks like key[]=. This passes an array to the WordPress PHP script and thus bypasses the need for the key.

Technical details on the exploit are available over at seclists.org
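To make the type-confusion concrete, here is an added example (not WordPress code) that mimics how PHP turns a query string into $_GET, so that key[]= arrives as an array rather than a string, and a strict check that rejects anything but a plain alphanumeric key. The key format (alphanumeric, 1 to 64 characters) is an assumption for the example, not WordPress’s actual rule.

```python
import re
from urllib.parse import parse_qsl

# Assumed key format for this example: a non-empty alphanumeric string.
KEY_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def php_style_query(query: str) -> dict:
    """Mimic PHP's $_GET: a name ending in [] collects a list; other names keep a scalar."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.endswith("[]"):
            params.setdefault(name[:-2], []).append(value)
        else:
            params[name] = value
    return params


def reset_key_is_valid(params: dict) -> bool:
    """Only a string that matches KEY_RE may be looked up; arrays and missing keys are rejected."""
    key = params.get("key")
    if not isinstance(key, str):   # catches key[]= (a list) as well as a missing key
        return False
    return KEY_RE.fullmatch(key) is not None


if __name__ == "__main__":
    for q in ("action=rp&key=o7naCKN3OoeU2KJMMsiu", "action=rp&key[]="):
        print(q, "->", php_style_query(q), "valid:", reset_key_is_valid(php_style_query(q)))
```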


Interesting Research Video from Symantec

April 23, 2009


BitDefender Now Also Hacked

February 9, 2009

In a post on the same blog that revealed the Kaspersky SQL injection vulnerability, it is now revealed that the BitDefender site suffers from the same vulnerability. The post shows a successful SQL injection exploit against the BitDefender site, complete with screenshots of customer names, email addresses, postal addresses and phone numbers.

http://hackersblog.org/2009/02/09/hackedbitdefender-portugal-exposes-sensitive-customer-data/


Kaspersky Web Site Hacked

February 8, 2009

Looks like the US Kaspersky site has been hacked through an SQL injection vulnerability. The initial blog post describing this lists several hundred SQL tables associated with the Kaspersky database. It looks like some of the tables contain customer and sales information. There are also screenshots showing which part of the web site was exploited to gain access to the database – from the looks of it the hacker used the US help portal pages to gain access.

“I hope that Kaspersky administrators fix this vulnerability rather quickly as they no doubt have a large customer base, and it would appear that all those customers are now exposed”

– Gunter Ollmann, chief security strategist at IBM’s Internet Security Systems (from his blog post)

The Register has an article about this.


How to Monitor Your Web Sites using Alertra

February 6, 2009

If you have a web site with a reasonable amount of traffic and are concerned about it going down or becoming unavailable without you knowing about it, then this post is for you. Alertra allows you to monitor your web sites and get notified if they become unavailable. Alertra has numerous servers around the globe that the company uses to connect to your server. If it notices that one of your servers has gone down you can receive an email, text (SMS) message or an alert to a pager. You can even get an automated voice phone call if a service goes down. (Alertra allows you to monitor other services such as SMTP servers as well.)

And no, we’re not affiliated with the company in any way. We do however use their services to monitor www.misec.net and www.trojanhunter.com. So far this has worked flawlessly, and allows us to correct any problems with the web site very rapidly. The service is very reasonably priced, with the monthly charge depending on how often you want Alertra to check up on your servers. As an example, a twice-hourly check of your web server costs $1.95 per month with a charge of $0.19 for each text message sent out if your service goes down. Email alerts are free of charge. You can see the complete pricing here.