   So many 'nasties' - what's next?
Ian
So many 'nasties' - what's next?
« on: Mar 23rd, 2002, 1:41pm »

Hi all,
 
It seems that rulesets and other updates are being released more frequently, each containing more 'new' things to trap than a similar update say one year ago. (Any stats to back this up, Magnus?)
 
Are these all in response to new things being written, or just stuff that is pretty rare and only just coming to light? Do we have any information on the severity of the threats posed by the various Trojans in TH's lists? Just curious, that's all.
 
Mind you, a thought did cross my mind - if Eudora is prone to MS weaknesses, just because there are stray components of the MS engine kicking around in Windows, what's to stop something being written that can exploit this in other apps?
 
We've seen how ZA security can be clicked through by an app that wants permission to go out and play. The next step will be an email payload that works totally independently of the mail app - in other words, that doesn't need the email to be read or the attachment run by duping the user into actually selecting it. All it would need to do is activate the standard Windows components once it arrives on the system, rather like the script system that some Worms use to carry on down the line.
 
Am I just being silly? Could this be the next threat?
 
Ian
Magnus
Re: So many 'nasties' - what's next?
« Reply #1 on: Mar 25th, 2002, 12:13pm »

Sorry about the long reply time. I usually work weekends, but being totally knackered, I decided to take the better parts of Saturday and Sunday off.
 
Generally, the malware release count isn't diminishing by any means. Many trojans released are minor updates to existing ones, as well as files which have been disassembled and recompiled with slight modifications specifically to avoid detection by scanners. The "big boys" on the trojan scene haven't released anything for a while now, but the release of new versions of several of the major trojans is, I have recently learned, impending.
 
The Eudora vulnerability is possible mainly because Eudora receives attachment files and stores them in a predictable directory. If any other application that uses Microsoft's viewer does the same thing, it would probably have the same vulnerability. The vulnerability actually only requires that the e-mail is viewed, and any file can be executed within seconds, without the user seeing anything to indicate what's happening. I can't really see how something like this could be achieved without the e-mail being even previewed, but then, we've seen that Code Red used a Microsoft vulnerability in IIS to spread without user intervention. The basic problem is that Microsoft products are used everywhere, and as soon as a vulnerability is publicly released, there are millions of systems that are sitting ducks, ready to be exploited.
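The point made in the reply above, that a predictable attachment directory is what lets a viewed message reach the file, seen from the defending side. This is an added example, not code from the thread, from Eudora or from TrojanHunter; the function names, the `.quarantine` suffix and the sample bytes are assumptions chosen for illustration.

```python
import os
import re
import secrets
import tempfile

# Hypothetical helper names; this is not any mail client's real layout.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def predictable_path(attach_root, filename):
    """Weak pattern: fixed directory plus sender-chosen name.
    Anyone who knows attach_root can name the stored file in advance."""
    return os.path.join(attach_root, filename)


def sanitize(filename):
    """Strip path components and odd characters from a sender-supplied name."""
    base = os.path.basename(filename.replace("\\", "/"))
    cleaned = _UNSAFE.sub("_", base).lstrip(".")
    return cleaned or "attachment"


def store_attachment(attach_root, filename, data):
    """Hardened pattern: a fresh random directory per attachment, a neutral
    suffix so the stored name is not directly launchable, exclusive create."""
    subdir = os.path.join(attach_root, secrets.token_hex(16))  # 128 random bits
    os.mkdir(subdir, 0o700)  # raises if the directory already exists
    path = os.path.join(subdir, sanitize(filename) + ".quarantine")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)  # O_EXCL: never follow or reuse a planted file
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    sample = b"constructed sample bytes"  # constructed input, not real malware
    print("predictable:", predictable_path(root, "invoice.exe"))
    print("hardened:   ", store_attachment(root, "invoice.exe", sample))
    print("hardened:   ", store_attachment(root, "invoice.exe", sample))
```

The same attachment name stored twice lands at two different, unguessable paths, so content inside a message cannot reference the file by a known location.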
Ian
Re: So many 'nasties' - what's next?
« Reply #2 on: Mar 26th, 2002, 8:12pm »

'Turn off the Preview Pane in IE' - hey, there's another button to add to the maybe-app.
 
Thanks for the info about Trojan 'recycling', plus the warnings of impending bother. Any indications as to the source of these new attacks? I only ask because I've been getting loads of unusual traffic from the Western Pacific Rim (mostly Japan) that seems to be trying ports that are/maybe IIS related (TCP2323 and TCP3456).
 
Mind you, it's hard to spot with all the Knapster, Gnutella and Kazaa requests bouncing off my firewall. (Now, if someone would invent a tool to use against that lot, I'd be happier... oops - wrong forum)
Magnus
Re: So many 'nasties' - what's next?
« Reply #3 on: Mar 26th, 2002, 9:14pm »

I don't think those ports have anything to do with IIS. Sounds like they could be used by some sort of file sharing application, but then, unless you have a dynamic IP address, that wouldn't explain it.
Ian
Re: So many 'nasties' - what's next?
« Reply #4 on: Mar 27th, 2002, 11:39pm »

My IP is dynamic, but 'long-term' - ADSL doesn't drop the line unless I shut down the PC.
 
I did some digging re TCP3456 a while back, and unearthed something referring to 'VAT default data' - but there I drew a blank. Oh, and TerrorTrojan too. I found that info on IIS was basically telling me it could use many ports and protocols, if the connection had requested them, so not just 10, 53, 80, 110/111/121, 8080 etc.
 
I guess I pinned it all on IIS because so much has gone by that route before.