News from: Virus

» Topic:  AIM attack the work of Middle East hackers

» Added by:  Matthew Broersma

» Date:  19.11.2005

The W32/Sdbot-ADD worm infecting some users of AOL Instant Messenger is more dangerous than previously thought, according to Facetime Security Labs, the researchers who originally discovered the worm last month.

The rootkit installed by the worm, lockx.exe, is allowing systems to be further compromised by a group of attackers based in the Middle East, Facetime said. The attackers are installing additional malicious code capable of stealing personal information, according to the group.

At least tens of thousands of systems appear to be infected, Facetime said. The company's president and chief executive, Kailash Ambwani, said that the network of infected machines could, like other large botnets, be used to carry out denial of service attacks against particular websites.

"We have delivered detailed research information to the US federal authorities and are fully cooperating with their efforts," Ambwani said in a statement.

The worm attacks via AIM, asking users to open a link, apparently at the request of one of the user's "buddies" or contacts. Clicking on this initiates the infection sequence, which starts with the dropping of a number of adware files and the rootkit software itself, lockx.exe.

Once on the PC, the malware attempts to shut down anti-virus software, install software that allows the PC to be remotely controlled by IRC, and open a backdoor for future attack. It also contains an SMTP engine with which to collect email addresses.

Facetime's newer research has found that lockx.exe is being actively used as a backdoor to install additional malware on systems. The additional malware can steal usernames, passwords and other information, and can be controlled via the IRC messaging system, Facetime said.

One of the files installed via lockx.exe, called ster.exe, specifically allows attackers to upload, download and monitor the infected PC, said Facetime. Other files allow theft of Outlook Express passwords, keystroke logging and launching additional attacks on Web sites or networks.

A group in the Middle East appears to be behind the additional malware, according to Facetime. The group has compromised servers in various countries around the world to distribute the new malware.

Facetime has published an online scanning tool that can detect and disable lockx.exe, the company said.

source: Techworld
