Saturday, January 24, 2009

Something interesting tonight (and, boy, we have a great community)

Hi folks,

One of our friends, a security guy at the IRS, noticed a new FastFlux botnet today serving up exploits, and Nick FitzGerald, a well-known anti-malware guy, investigated a bit further and found that the exploits were being fired based on which browser the visitor is using.

If you're using Internet Explorer, for example, it shoots a bunch of common IE exploits. Nothing too new here, so if you're patched, you're fine, but one interesting bit is that it looks to me like it's been lifted from a decrypted Neosploit, and tweaked a bit.

If you're using Firefox or Opera, it shoots a specific exploit for FF or Opera, and if you're using Chrome or Safari, it fires some generic PDF exploits at you.

The encryption technique is new, and a bit cute in the way that it is hooked into the HTML, presumably to try to avoid decryption emulators.

Oh, and if it succeeds, it installs a fairly new rootkit, which AVG detects as an Agent variant. Oh, and from Russia, too.

So the first interesting thing is that it shows that the Bad Guys are constantly thinking and innovating and probing, but the second, and more important thing is that it highlights how well the anti-malware community cooperates, mostly unnoticed and unappreciated, behind the scenes.

Shout-outs to our friend at the IRS and Nick.
