In April 2008, the following security alerts were issued by CERT-IN:
Issue Date: 8 April, 2008
Security Alert: BANCORKUT WORM
Description:
Bancorkut is a mass-mailing worm. It spreads when a user clicks a malicious link embedded in the body of an email message. The worm collects confidential information such as usernames and passwords from the infected system and from some websites, and sends the collected information to a remote server under the attacker's control. These credentials are then used to perform illegal banking activities.
Typical e-mail contents are as follows:
Upon execution, the Worm:
Issue Date: 15 April, 2008
Security Alert: GOLDUN TROJAN
Description:
An information-stealing Trojan called Goldun is spreading via email. It arrives as an email attachment or as a malicious link inside the email body, in a message that purports to come from the E-Gold online bank or from Yahoo Shopping. The subject line of the email entices users to open the attachment or visit the malicious link, which installs the Trojan on their system. Upon successful installation the Trojan opens a backdoor and steals confidential information, such as usernames and passwords for financial accounts, from the infected system and sends it to a remote server under the attacker's control. These stolen credentials are used to perform illegal online banking activities. The Trojan also downloads additional malware onto the infected system. Variants of this Trojan have been observed spreading widely. The variant contains a hidden process that steals personal information for financial accounts and sends this data to a remote server.
Typical e-mail contents are as follows:
From: E-gold "IPod For Your" ipod4your@yahoo.com
Subject: Attention! E-gold service pack MS Windows/Critical Error Track your order
Body: Dear User, Please read the following message carefully. We notify that your order was approved and shipped to you via FedEx 2Day. Service, track 792531968828. The amount of $479.95 USD was recieved from your e-gold account. The details of transaction and specification of chosen product we send you in self-extracting compressed-zip file. Read it carefully to make sure that there's no mistakes in characteristics of chosen product. We appreciate your choice! According to the rules, refund must be based on your original method of payment. Any requests to refund using e-gold are not accepted, if the payment method was credit card. IPod For Your, Yahoo Shopping.
Attachment: setup.zip (contains the file setup.exe), MsWindowsUpdate.rar (contains the file MsWindowsUpdate.exe), OrderInfo69.exe
Upon execution, the Trojan variant:
Issue Date: 25 April, 2008
Security Alert: VUNDO TROJAN
Description:
Vundo is dropped onto the user's system by a dropper as a DLL component. It installs itself as a browser helper object (BHO) and is injected into explorer.exe. After successful installation it generates pop-up ads for rogue antispyware on the infected system, which may appear in a visible or a hidden window. The Trojan further downloads and executes malicious files by contacting the malicious domain www DOT virtumonde DOT com. It also opens a backdoor on the infected system and listens for commands from a remote attacker.
Upon execution, the Trojan:
* Copies itself to the Windows system folder using a random filename generated from random alphabetical characters.
* Drops several non-malicious data files to the Windows system folder. These files are named with the dropped DLL's filename reversed and one of the following extensions: .ini, .bak1, .bak2, .ini2, .tmp
* The executable filenames mentioned above are randomly generated by joining some of the following strings and appending .exe to the end: abr, ac, acc, ad, anti, ap, as, av, bak, bas, bin, c, cab, cat, cmd, com, cr, db, disk, dll, dns, doc, dos, drv, dvd, eula, exp, fax, font, ftp, hard, iis, img, inet, info, ip, java, kb, key, lib, log, main, mc, mfc, mp3, ms, msvc, net, nut, odbc, ole, pc, play, ps, ras, reg, run, s, srv, svc, svr, sys, api, task, tcp, un, url, util, vb, vga, vss, w, wave, web, win, wms, xml
* Stores in the file a list of URLs for which no pop-ups are shown when they are visited. This list contains popular search engines and the domain names of ad servers, such as:
  1) yahoo.com
  2) search.ebay.com
  3) web.ask.com
  4) www2.yesadvertising.com
  5) banners.pennyweb.com
  6) ads2.revenue.net
SOLUTIONS:
1. BANCORKUT WORM
Advice to users:
* Do not click links provided in untrusted email messages.
* Block access to the malicious domains mentioned above at the gateway.
* Search for the malicious files and processes created/initiated by the Bancorkut worm and delete them.
* Search for the registry entries made by the Bancorkut worm, as mentioned, and delete them.
* Enforce a password policy that makes it difficult to crack password files on compromised computers.
* Keep patches and fixes for the operating system and application software up to date.
* Keep Antivirus and Antispyware signatures up to date.
2. GOLDUN TROJAN
Advice to users:
3. VUNDO TROJAN
Advice to users:
* Search for the malicious files and processes created/initiated by the Trojan and delete them.
* Search for the registry entries mentioned above made by the Trojan and delete them.
* Remain cautious while visiting trusted and untrusted websites.
* Exercise caution while opening e-mail attachments received from unknown sources.
* Block access to the malicious domain mentioned above at the gateway.
* Keep patches and fixes for the operating system and application software up to date.
* Keep Antivirus and Antispyware signatures up to date.
References:
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.K
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.gen!D
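The Vundo description above gives two file-naming patterns (an executable name built by concatenating fragments from the string list, and companion data files named with the DLL name reversed), and the countermeasure "search for the malicious files" needs a way to spot them. The script below is an added example, not CERT-IN's or Microsoft's tooling: it scans a folder for those two patterns and runs against a constructed sample directory rather than a real system folder. It assumes the companion file name is the DLL's stem reversed (the alert does not say whether the extension is included), and it treats the fragment match as a weak signal, since legitimate names such as wininet.dll also decompose into fragments from the list.

```python
import os
import tempfile
from pathlib import Path

# String fragments reproduced from the CERT-IN Vundo alert above.
VUNDO_TOKENS = (
    "abr ac acc ad anti ap as av bak bas bin c cab cat cmd com cr db disk dll dns doc dos drv dvd "
    "eula exp fax font ftp hard iis img inet info ip java kb key lib log main mc mfc mp3 ms msvc "
    "net nut odbc ole pc play ps ras reg run s srv svc svr sys api task tcp un url util vb vga "
    "vss w wave web win wms xml"
).split()
COMPANION_EXTS = (".ini", ".bak1", ".bak2", ".ini2", ".tmp")  # dropped data-file extensions


def splits_into_tokens(stem):
    """True if the lower-case stem is wholly a concatenation of VUNDO_TOKENS (dynamic programming)."""
    reachable = [True] + [False] * len(stem)
    for i in range(len(stem)):
        if reachable[i]:
            for tok in VUNDO_TOKENS:
                if stem.startswith(tok, i):
                    reachable[i + len(tok)] = True
    return len(stem) > 0 and reachable[-1]


def scan_system_folder(folder):
    """Return {filename: [reasons]} for .dll/.exe files showing the naming patterns in the alert.
    Assumption: the companion file name is the DLL's stem reversed, keeping its own extension."""
    names = {p.name.lower() for p in Path(folder).iterdir() if p.is_file()}
    findings = {}
    for name in sorted(names):
        stem, ext = os.path.splitext(name)
        if ext not in (".dll", ".exe"):
            continue
        reasons = []
        companions = [stem[::-1] + e for e in COMPANION_EXTS if stem[::-1] + e in names]
        if companions:  # the discriminating indicator; a fragment match alone is noisy
            reasons.append("reversed-name companion file(s): " + ", ".join(companions))
        if splits_into_tokens(stem):  # weak on its own: legitimate names like wininet.dll also match
            reasons.append("name is a concatenation of Vundo string fragments")
        if reasons:
            findings[name] = reasons
    return findings


def demo_folder():
    """Constructed sample folder (not a real infected system) so the scan can run offline."""
    d = tempfile.mkdtemp()
    for n in ("winimg.dll", "gminiw.ini", "gminiw.bak1", "wininet.dll", "kernel32.dll", "notes.txt"):
        Path(d, n).touch()
    return d
```

On a real host, point scan_system_folder at the Windows system folder and treat only entries with a reversed-name companion as worth isolating and hashing; fragment-only hits need a second look before deletion.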