Explanation of Osama bin Laden RTF Exploit

A targeted attack has been spotted exploiting the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). An email carrying an attachment named Laden's Death.doc was sent individually to many recipients.

File information

File: Laden's Death.doc
File size: 163065 bytes
MD5: dad4f2a0f79db83f8976809a88d260c5
SHA1: d563029a2dfe3cfcddc7326b1b486213095e58e5
SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
File extension: .doc
Distribution method: email
VirusTotal detection rate: 16 of 41

The vulnerability exploited by this malware was patched last November in MS10-087.

According to VirusTotal 16 of 41 antiviruses recognize this file as a threat (http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304649567).

The email was sent from a Lotus Notes mail server (IP 220.228.120.6) which most likely was compromised.

Message headers and body

Tue, 03 May 2011 11:34:06 -0400 (EDT)
Source-IP: 220.228.120.62 
Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
From: XXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXX
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168


This is a multi-part message in MIME format.

------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: text/plain;
        format=flowed;
        charset="big5";
        reply-type=original
Content-Transfer-Encoding: 7bit

To whom it may concern.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX  Signature spoofed  XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: application/octet-stream;
        name="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Laden's Death.doc"

When the RTF file is opened, the exploit runs its shellcode, which then creates and executes the file C:/RECYCLER/server.exe. This file performs the following actions:

  • Creates a file named vmm2.tmp in the system's temporary folder
  • Renames vmm2.tmp to dhcpsrv.dll and moves it into c:\windows\system32\
  • Modifies the registry to run the hijacked DHCP service

File information on malicious c:\windows\system32\dhcpsrv.dll

File: dhcpsrv.dll
File size: 44504 bytes
MD5: 06ddf39bc4b5c7a8950f1e8d11c44446
SHA1: b8c11c68f3e92b60cc4b208bd5905c0365f28978
SHA256: bb854e8e5a3799d0c1dac65a4cc963265034a04007862aabf281e0f31dbc386a
File extension: .dll
Distribution method: dropped by Exploit:W32/Cve-2010-3333.G
VirusTotal detection rate: 13 of 42

After a successful start the Trojan tries to resolve the following domains:

Domain                      Port/Protocol
checkerror.ucparlnet.com    80/TCP
ssi.ucparlnet.com           80/TCP
www.dnswatch.info
picture.ucparlnet.com       443/TCP
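As an added triage example (not part of the original write-up), the following Python script does two things a responder would want after reading the analysis above: it inspects an email for the attachment traits seen in this campaign (an RTF body delivered under a .doc name as application/octet-stream, and a SHA256 match against the two hashes quoted above), and it scans DNS query log lines for the domains in the table. The hashes and domains are the ones from the write-up; the sample message, the RTF bytes, the log lines and the function names are constructed for this example.

```python
"""Indicator triage for the CVE-2010-3333 RTF campaign described above.

Added example, not part of the original write-up. Hashes and domains come
from the write-up; everything marked "constructed" is sample data.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from hashlib import sha256

# SHA256 values quoted in the write-up above.
KNOWN_BAD_SHA256 = {
    "4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342":
        "Laden's Death.doc (CVE-2010-3333 RTF exploit)",
    "bb854e8e5a3799d0c1dac65a4cc963265034a04007862aabf281e0f31dbc386a":
        "dhcpsrv.dll (dropped payload)",
}

# Domains the dropped DLL resolves, as listed in the write-up.
C2_DOMAINS = {
    "checkerror.ucparlnet.com",
    "ssi.ucparlnet.com",
    "www.dnswatch.info",
    "picture.ucparlnet.com",
}

# Constructed placeholder: an RTF header followed by harmless text, used only
# so the sample message carries RTF content under a .doc filename.
SAMPLE_RTF = b"{\\rtf1\\ansi Constructed placeholder body, not the real document}"


def build_sample_message() -> bytes:
    """Construct a MIME message shaped like the one in the write-up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed
    msg["To"] = "recipient@example.invalid"       # constructed
    msg["Subject"] = "FW: Courier who led U.S. to Osama bin Laden's hideout identified"
    msg.set_content("To whom it may concern.\n")
    msg.add_attachment(SAMPLE_RTF, maintype="application",
                       subtype="octet-stream", filename="Laden's Death.doc")
    return msg.as_bytes()


def suspicious_attachments(raw_message: bytes):
    """Return (filename, sha256_hex, reasons) for every attachment.

    An empty reasons list means nothing in the attachment matched the
    traits or hashes described in the write-up.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        digest = sha256(payload).hexdigest()
        reasons = []
        if digest in KNOWN_BAD_SHA256:
            reasons.append("known-bad hash: " + KNOWN_BAD_SHA256[digest])
        # The exploit document is RTF even though it is named .doc.
        if name.lower().endswith(".doc") and payload[:5] == b"{\\rtf":
            reasons.append("RTF content with .doc extension")
        # Office documents normally carry an Office MIME type, not a generic one.
        if (part.get_content_type() == "application/octet-stream"
                and name.lower().endswith((".doc", ".rtf"))):
            reasons.append("Office document sent as application/octet-stream")
        findings.append((name, digest, reasons))
    return findings


# Constructed DNS resolver log lines in a simple "key=value" layout.
SAMPLE_DNS_LOG = [
    "2011-05-03T15:40:01Z client=10.0.0.21 query=www.example.com. type=A",
    "2011-05-03T15:40:07Z client=10.0.0.21 query=checkerror.ucparlnet.com. type=A",
    "2011-05-03T15:40:08Z client=10.0.0.21 query=PICTURE.UCPARLNET.COM type=A",
    "2011-05-03T15:41:00Z client=10.0.0.30 query=www.dnswatch.info type=A",
]

QUERY_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")


def matching_dns_queries(log_lines):
    """Return (line_number, qname) for queries to the listed C2 domains.

    Names are lower-cased and the trailing dot of an FQDN is stripped so that
    'PICTURE.UCPARLNET.COM' and 'checkerror.ucparlnet.com.' both match.
    """
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = QUERY_RE.search(line)
        if not match:
            continue
        qname = match.group(1).rstrip(".").lower()
        if qname in C2_DOMAINS:
            hits.append((number, qname))
    return hits


if __name__ == "__main__":
    for name, digest, reasons in suspicious_attachments(build_sample_message()):
        print(name, digest, reasons)
    print(matching_dns_queries(SAMPLE_DNS_LOG))
```

The hash comparison only fires on the exact files analysed above, so the two structural checks (RTF magic under a .doc name, generic MIME type on a document) are what catch a re-packed variant of the same lure; a real deployment would feed `suspicious_attachments` with messages pulled from the mail gateway and `matching_dns_queries` with resolver logs in whatever format the site actually uses.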

We advise all users to install patches for MS10-087.

A description of the vulnerability, along with links to patches, can be found here: http://www.naked-security.com/nsa/198110.htm

(c) Naked Security

