[Warning] Zero-Day Attack Appears in Taiwan




sai7sai
2007-03-30, 02:11 PM
Among the samples analyzed recently, several were very strange. Last night I took a quick look at their file format and found they were Animated Cursor (*.ani) files (but named *.jpg). This morning a friend notified me that Microsoft had published a security advisory (Vulnerability in Windows Animated Cursor Handling), and it suddenly dawned on me: this is a zero-day attack.

So far, the following antivirus products detect these malicious files:

ANI_attack-all/1.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/2.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/7888p.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/9197p.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/da.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”

For details, see "Zero-Day Attack Appears in Taiwan (http://malware-test.com/blog/archives/2007/03/30/914)". :eek:


hn1271n
2007-03-30, 06:24 PM
Is Firefox also affected?

hertw
2007-03-30, 06:45 PM
Is Firefox also affected?

From the look of it, it was written in VBScript, so Firefox should not be affected.

hn1271n
2007-03-30, 07:24 PM
From the look of it, it was written in VBScript, so Firefox should not be affected.

Firefox doesn't seem to support the ani syntax either.

黑衣~魂
2007-03-31, 12:39 AM
McAfee already published the Exploit-ANIfile.c definition on 3/28; for details see
http://tw.mcafee.com/virusInfo/default.asp?id=description&virus_k=141860

Kaspersky published the Trojan-Downloader.Win32.Ani.g definition on 3/30; no detailed information yet
http://www.viruslist.com/en/find?search_mode=full&words=Trojan-Downloader.Win32.Ani.g&x=0&y=0

Symantec (Norton) published the Bloodhound.Exploit.131 definition on 3/30; for details see
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-300308-3019-99

VirusTotal test of sample one:
http://www.storage4all.com/uploads/fc6364f73e.jpg

harry_chang2003
2007-03-31, 10:21 AM
Trend Micro detailed description: http://www.trendmicro.com/vinfo/zh-tw/virusencyclo/default5.asp?VName=TROJ%5FANICMOO%2EAX

-------------------------------------------------------------------------------- The following information is excerpted from the "Trend Micro Virus Encyclopedia (Taiwan)"

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Destructive: No

Language: English

Platform: Windows XP

Encrypted: No

Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low

Damage potential: Medium

Distribution potential: Low



--------------------------------------------------------------------------------


Description:



To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.



Malware Overview

This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may also be downloaded onto a system via a specially crafted HTML email message.

It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page:

Security Advisory 935423
It uses the said vulnerability to download and execute files from several URLs. One of the downloaded files is detected by Trend Micro as TROJ_SMALL.DRF. As a result, routines of the downloaded Trojan may also be exhibited on the affected system.





Minimum scan engine version: 8.000

Pattern file required: 4.375.00

Pattern release date: Mar 28, 2007



--------------------------------------------------------------------------------

Solution:




Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_ANICMOO.AX and TROJ_SMALL.DRF. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Note: As of this writing, there is no available patch for the Windows vulnerability that this malware exploits. Trend Micro recommends checking the Microsoft Web site for the latest patches and updates.





Memory resident: No

Malware size: 794 Bytes

Initial sample received: Mar 28, 2007

Related: TROJ_SMALL.DRF


--------------------------------------------------------------------------------

Payload 1: Downloads files

--------------------------------------------------------------------------------

Details:



This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may also be downloaded onto a system via a specially crafted HTML email message.

It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page:

Security Advisory 935423
It uses the said vulnerability to download and execute files from the following URLs:

As a result, routines of the downloaded files may also be exhibited on the affected system.

This Trojan runs on Windows XP.

黑衣~魂
2007-03-31, 02:05 PM
Another VT test:
http://www.storage4all.com/uploads/b13bc8234e.jpg

jaker333
2007-03-31, 03:12 PM
Viruses really change by the day.
Impossible to guard against them all.

yuhsheng
2007-04-01, 09:20 PM
It's not VBScript, and it's not any special syntax either. The problematic HTML source I saw roughly contains:
<DIV style=3D"CURSOR: =url('http://xxxx.xxx.xxx.xxx/xxxx.jpg')">
<DIV=20 style=3D"CURSOR: =url('http://xxx.xxx.xxx.xxx/yyyy.jpg'')"></DIV></DIV>
Very scary: the Trojan gets in as soon as the mail is opened, with no need to click an attachment, and nothing looks wrong from the outside.
The antivirus vendors actually rate it as low risk; I think many compromised web pages will be modified to use this technique.
I just hope Microsoft releases a fix soon.
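As an added example (not code from this thread or from any vendor named in it), a small Python check for the disguise described in the first post and in the HTML snippet above: a file fetched under a .jpg name that is really a RIFF/ACON animated cursor. The anih length check reflects the flaw covered by Microsoft Security Advisory 935423, where Windows copied an anih chunk into a fixed 36-byte header using the chunk's declared length; the byte samples in the block are constructed, not taken from the reported files.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"       # every JPEG starts with SOI + marker
ANIH_HEADER_SIZE = 36              # size of the ANIHEADER structure

def parse_ani_chunks(data):
    """Walk the top-level RIFF chunks of an ACON file.
    Returns a list of (tag, declared_size), or None if data is not RIFF/ACON."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return None
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks.append((tag, size))
        pos += 8 + size + (size & 1)   # chunks are word-aligned
    return chunks

def classify(name, data):
    """Defender-side findings for a downloaded file, by name and content."""
    findings = []
    if name.lower().endswith(".jpg") and not data.startswith(JPEG_MAGIC):
        findings.append("extension/content mismatch: not a JPEG")
    chunks = parse_ani_chunks(data)
    if chunks is not None:
        findings.append("RIFF/ACON animated cursor")
        for tag, size in chunks:
            if tag == b"anih" and size != ANIH_HEADER_SIZE:
                findings.append(f"anih chunk declares {size} bytes, expected 36")
    return findings

# Helpers to build constructed samples (assumed layout, for the demo only).
def chunk(tag, payload):
    pad = b"\x00" if len(payload) % 2 else b""
    return tag + struct.pack("<I", len(payload)) + payload + pad

def build_ani(chunks):
    body = b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body) + 4) + b"ACON" + body

REAL_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 8                       # constructed
NORMAL_ANI_AS_JPG = build_ani([chunk(b"anih", b"\x24" + b"\x00" * 35)])  # constructed
OVERSIZED_ANIH = build_ani([chunk(b"anih", b"\x00" * 36),
                            chunk(b"anih", b"A" * 64)])              # constructed

if __name__ == "__main__":
    for name, blob in [("photo.jpg", REAL_JPEG), ("1.jpg", NORMAL_ANI_AS_JPG),
                       ("2.jpg", OVERSIZED_ANIH)]:
        print(name, classify(name, blob))
```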

huseinma
2007-04-02, 02:16 PM
On another site (360安全衛士, 360Safe) I saw that there is an update program, but it wasn't released by MS, so I don't know whether I should download and install it?