PCZONE 版規 帳號無法發言? 註冊 個人設定 悄悄話 搜尋文章 最新文章 今日所有文章 會員登出 | | |
| PCZONE 版規 帳號無法發言? | |
| 首頁 註冊 個人設定 悄悄話 搜尋文章 最新文章 今日所有文章 會員登出 | |
2007-03-30, 02:11 PM
| #1 | ||
| 會員  註冊日期: 2006-03-29 住址: 12MB
文章: 248
 |
在最近分析的樣本中,有幾個樣本非常詭異,昨天晚上稍微檢查他們的檔案格式,發現是 Animated Cursor (*.ani) (但卻取名為 *.jpg),今天早上有個朋友通知我,微軟公佈一個安全漏洞 (Vulnerability in Windows Animated Cursor Handling),才恍然大悟,原來是零時差攻擊 (Zero-Day Attack)。 到目前為止,下面的防毒軟體可以偵測這些惡意檔案: ANI_attack-all/1.jpg: [ Kaspersky ], “Trojan-Downloader.Win32.Ani.g” [ McAfee ], “Exploit-ANIfile.c” ANI_attack-all/2.jpg: [ Kaspersky ], “Trojan-Downloader.Win32.Ani.g” [ McAfee ], “Exploit-ANIfile.c” ANI_attack-all/7888p.jpg: [ Kaspersky ], “Trojan-Downloader.Win32.Ani.g” [ McAfee ], “Exploit-ANIfile.c” ANI_attack-all/9197p.jpg: [ Kaspersky ], “Trojan-Downloader.Win32.Ani.g” [ McAfee ], “Exploit-ANIfile.c” ANI_attack-all/da.jpg: [ Kaspersky ], “Trojan-Downloader.Win32.Ani.g” [ McAfee ], “Exploit-ANIfile.c” 詳細的資訊,請參考「台灣出現零時差攻擊 (Zero-Day Attack)」。  | ||
|  |
|
2007-03-31, 12:39 AM
| #5 | ||
| 會員  註冊日期: 2006-11-22 住址: ADSL 2M
文章: 62
|
mcafee在3/28號已經公佈Exploit-ANIfile.c定義,詳細資訊參考 http://tw.mcafee.com/virusInfo/defau...virus_k=141860 Kaspersky在3/30號公佈Trojan-Downloader.Win32.Ani.g定義,目前尚無詳細資訊 http://www.viruslist.com/en/find?sea....Ani.g&x=0&y=0 symantec(norton)在3/30號公佈Bloodhound.Exploit.131定義,詳細資訊參考 http://www.symantec.com/enterprise/s...300308-3019-99 樣本一virustotal測試  | ||
|
| |
|
2007-03-31, 10:21 AM
| #6 | ||
| 會員  註冊日期: 2006-05-24 住址: CABLE
文章: 533
|
TrendMicro詳細說明:http://www.trendmicro.com/vinfo/zh-t...5FANICMOO%2EAX --------------------------------------------------------------------------------------------以下資訊擷取自"趨勢科技網路安全百科(台灣)" 惡意程式類別: Trojan 別名: No Alias Found 廣泛傳播: 是 破壞性的: 不 語言: English 平台: Windows XP 加密的: 不 整體的風險程度: 低度 -------------------------------------------------------------------------------- 回報的感染案例: 低度 損害可能性: 中度 散佈可能性: 低度 -------------------------------------------------------------------------------- 描述: To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below. Malware Overview This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may be downloaded by on a system via a specially crafted HTML email message. It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page: Security Advisory 935423 It uses the said vulnerability to download and execute files from several URLs. One of the downloaded files is detected by Trend Micro as TROJ_SMALL.DRF. As a result, routines of the downloaded Trojan may also be exhibited on the affected system. 掃描引擎版本最低需求: 8.000 需要的病毒碼: 4.375.00 病毒碼發佈日期: Mar 28, 2007 -------------------------------------------------------------------------------- 解決方案: Important Windows XP Cleaning Instructions Users running Windows XP must disable System Restore to allow full scanning of infected computers. Users running other Windows versions can proceed with the succeeding solution set(s). Running Trend Micro Antivirus If you are currently running in safe mode, please restart your computer normally before performing the following solution. Scan your computer with Trend Micro antivirus and delete files detected as TROJ_ANICMOO.AX and TROJ_SMALL.DRF. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner. Note: As of this writing, there is no available patch for the Windows vulnerability that this malware exploits. Trend Micro recommends checking the Microsoft Web site for the latest patches and updates. 常駐記憶體: 不 惡意程式大小: 794 Bytes 最初收到的樣本: Mar 28, 2007 相關: TROJ_SMALL.DRF -------------------------------------------------------------------------------- 病毒發作情形 1: Downloads files -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- 細節: This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may be downloaded by on a system via a specially crafted HTML email message. It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page: Security Advisory 935423 It uses the said vulnerability to download and execute files from the following URLs: http://220.71.{BLOCKLED}.189/wincf.exe - detected as TROJ_SMALL.DRF http://{BLOCKED}yadsfdg.biz/adv/014/win32.exe http://{BLOCKED}yadsfdg.biz/adv/102/win32.exe http://{BLOCKED}yadsfdg.biz/adv/109/win32.exe http://{BLOCKED}yadsfdg.biz/adv/110/win32.exe http://{BLOCKED}yadsfdg.biz/adv/113/win32.exe http://{BLOCKED}yadsfdg.biz/adv/114/win32.exe http://{BLOCKED}yadsfdg.biz/adv/133/win32.exe http://{BLOCKED}yadsfdg.biz/adv/134/win32.exe http://{BLOCKED}yadsfdg.biz/adv/139/ http://{BLOCKED}yadsfdg.biz/adv/139/win32.exe http://{BLOCKED}yadsfdg.biz/adv/147/win32.exe http://{BLOCKED}yadsfdg.biz/adv/152/win32.exe http://{BLOCKED}yadsfdg.biz/adv/153/win32.exe http://{BLOCKED}yadsfdg.biz/adv/159/win32.exe http://{BLOCKED}yadsfdg.biz/adv/161/win32.exe http://{BLOCKED}yadsfdg.biz/adv/163/win32.exe http://{BLOCKED}yadsfdg.biz/adv/165/win32.exe http://{BLOCKED}yadsfdg.biz/adv/169/win32.exe http://{BLOCKED}yadsfdg.biz/adv/171/win32.exe http://{BLOCKED}yadsfdg.biz/adv/176/win32.exe http://{BLOCKED}yadsfdg.biz/adv/177/win32.exe http://{BLOCKED}yadsfdg.biz/adv/180/win32.exe http://{BLOCKED}yadsfdg.biz/adv/185/win32.exe http://{BLOCKED}yadsfdg.biz/adv/186/win32.exe http://{BLOCKED}yadsfdg.biz/adv/198/win32.exe http://www.{BLOCKED}vmtek.com/2/11.exe http://www.{BLOCKED}vmtek.com/2/11.exe http://www.{BLOCKED}crcmedia.net/exe/flash.exe http://www.{BLOCKED}crcmedia.net/exe/flash.exe http://www.{BLOCKED}softhelp.com/update.exe http://www.{BLOCKED}softhelp.com/update.exe As a result, routines of the downloaded files may also be exhibited on the affected system. This Trojan runs on Windows XP.
__________________  華碩電腦 | ||
|
| |
|
2007-04-01, 09:20 PM
| #9 | ||
| 會員 註冊日期: 2002-03-27
文章: 230
|
不是VB Script,也不是特殊的語法,我看過的問題Html原始碼大概是含: <DIV style=3D"CURSOR: =url('http://xxxx.xxx.xxx.xxx/xxxx.jpg')"> <DIV=20 style=3D"CURSOR: =url('http://xxx.xxx.xxx.xxx/yyyy.jpg'')"></DIV></DIV> 很可怕,郵件一開就中木馬了,也不用點附加檔案,外觀也看不出來. 防毒廠商竟認為是低風險,我想很多被入侵的網頁會被改成此手法. 只希望微軟快出修正程式. | ||
|
| |
