McAfee Research Blog

Password-Stealing Trojan Spreads Through Zero-Day Vulnerability

October 24th, 2008

A critical security hole fixed by Microsoft in Security Bulletin MS08-067 is being actively exploited in the wild by a new password-stealing Trojan. In addition to gathering and stealing Windows Live, Protected Storage and Microsoft Outlook credentials, which are phoned home to China, the Trojan downloads an additional exploit component from the Internet. That component exploits the vulnerability mentioned above on attacked hosts; its shellcode downloads the very same Trojan from the Internet onto the victim's computer and immediately executes it in place. The newly infected system then downloads the exploit component again to infect other systems, and the whole worm-like process starts from scratch.

The screenshot above shows a disassembly of the shellcode that downloads and executes the Trojan. The hardcoded URL of the Trojan is simply appended to the payload, as can be seen in the screenshot below.

The Secure Anti-Malware Engine detects the malware, which may be installed on an affected system through successful exploitation of the vulnerability, as 'Trojan.Dldr.Agent.gcx' (as of update 7000.7081.1630), and the exploit component as 'Trojan.Agent.311296.12'.

Mitigation:
Deploy the patches provided by Microsoft as soon as possible. The attack could additionally be mitigated by a perimeter firewall. Attacks originating inside the network could be mitigated by deploying a desktop firewall and disabling file/printer sharing.
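The appended-URL layout described above gives a responder something concrete to carve out of a captured exploit payload, and the host it points to is what a perimeter firewall block or proxy alert would key on. The following is an added Python example, not McAfee's code: the payload bytes are constructed for illustration and are not taken from the real Trojan.

```python
import re
from urllib.parse import urlsplit

# Constructed sample payload (not the real shellcode): a few opaque
# shellcode-like bytes followed by the NUL-terminated download URL,
# in the "shellcode first, URL appended" layout the post describes.
SAMPLE_PAYLOAD = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
    b"http://malware.example/dl/update.exe\x00"
)

# A printable-ASCII URL using a scheme a downloader would fetch over.
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,}")


def extract_urls(payload):
    """Return (offset, url) for every printable URL embedded in the payload."""
    return [(m.start(), m.group().decode("ascii")) for m in URL_RE.finditer(payload)]


def trailing_url(payload):
    """Return the URL only if it is the final element of the payload: the last
    printable-ASCII run before any trailing NUL padding. A URL buried in the
    middle of the blob does not match the layout the post describes."""
    body = payload.rstrip(b"\x00")
    # Walk back from the end over printable bytes to find the run's start.
    start = len(body)
    while start > 0 and 0x21 <= body[start - 1] <= 0x7E:
        start -= 1
    m = URL_RE.search(body, start)
    # The URL must run right up to the end of the payload body.
    return m.group().decode("ascii") if m and m.end() == len(body) else None


def download_host(payload):
    """Host name to feed a perimeter block list or proxy alert, or None."""
    url = trailing_url(payload)
    return urlsplit(url).hostname if url else None


if __name__ == "__main__":
    print(extract_urls(SAMPLE_PAYLOAD))
    print(trailing_url(SAMPLE_PAYLOAD))
    print(download_host(SAMPLE_PAYLOAD))
```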

More technical details about MS08-067:
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx


Author: Anti-Malware Team
