Wednesday, November 07, 2007

and the _other_ shoe drops

Hi folks,

There are two important things happening at the moment, and one shoe dropping. One is that we have the feeling that the Bad Guys are re-grouping... moving countries, and reorganizing.

The second is that the pre-packaged exploits like MPack and Icepack have largely disappeared...replaced by social engineering tricks which are being used _extensively_.

The other shoe that's dropped is that the Storm boyz have been relatively quiet for a while, which is never a good sign. Our respected colleague, Nick FitzGerald pointed out tonight that they've added two new exploits to their exploit package. One seems to be for AOL's SuperBuddy, and the other is the NCTAudioFile2 dll, used with lots of widely adopted packages, such as Movavi. CERT has a nice write-up here ... http://www.kb.cert.org/vuls/id/292713.

Now, we have to stress that neither of these is 0-day... SuperBuddy seems to be from March 2007, and NCTAudioFile2 seems to be from January, but these dlls are probably not part of a systematic upgrade, so there are likely to be enough unpatched systems around to make it worth their while. And it may not even be new for Storm, but we've only just noticed, so there's a good chance it is new for them. They keep using the same encryption/ obfuscation routines so it looks enough like Storm, that we've been detecting it anyway.

Anyway, I certainly feel that this is the _other_ shoe dropping for Storm, and explains why they've been quiet for a while.

Cheers

Roger

Labels:

1 Comments:

At 7:48 AM, Anonymous Anonymous said...

Roger, any chance you would tell us what types of social engineering tricks are being used? Is this a shift away from using the kinds of exploits that LinkScanner protects against?

 

Post a Comment

<< Home