we're screwed
An interesting analysis by Secureworks of a trojan that freely spread in the wild, infecting without being detected by AV for quite sometime & use SSL as covert channel to send information... we're screwed :(
but there is hope, once again IE is the culprit, moral of the tale: dont use IE, better block outbound connection by IE.
http://www.secureworks.com/research/threats/gozi/
Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS.
<snip>
Based on the reportedly accurate system clock of the infected PC, one can assume that, by this point, the trojan has been in the wild and mostly undetected for about 54 days
<snip>
<snip>
When scanned by 30 leading anti-virus products, none of them detected malware specifically; however, several of them using heuristics detected it as a "suspicious" file or "generic" threat based on the fact that it was compressed by a common malware packer...
<snip>
<snip>
Seven vendors still only identified it as a suspicious file or generic threat, including Symantec ("Downloader"), Sophos ("Mal/Packer"), F-Prot ("generic"), and four smaller vendors.
Notably, five of the antivirus vendors reported no threat at all, not even the suspicious use of an executable packer.
<snip>
<snip>
Each time a form submission was POSTed to the bank's server, another HTTP POST request was made to the malware's home sever.
<snip>
but there is hope, once again IE is the culprit, moral of the tale: dont use IE, better block outbound connection by IE.
http://www.secureworks.com/research/threats/gozi/
Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS.
<snip>
Based on the reportedly accurate system clock of the infected PC, one can assume that, by this point, the trojan has been in the wild and mostly undetected for about 54 days
<snip>
<snip>
When scanned by 30 leading anti-virus products, none of them detected malware specifically; however, several of them using heuristics detected it as a "suspicious" file or "generic" threat based on the fact that it was compressed by a common malware packer...
<snip>
<snip>
Seven vendors still only identified it as a suspicious file or generic threat, including Symantec ("Downloader"), Sophos ("Mal/Packer"), F-Prot ("generic"), and four smaller vendors.
Notably, five of the antivirus vendors reported no threat at all, not even the suspicious use of an executable packer.
<snip>
<snip>
Each time a form submission was POSTed to the bank's server, another HTTP POST request was made to the malware's home sever.
<snip>
Labels: security
0 Comments:
Post a Comment
<< Home