Drive-by

Gozi – a perfect example of an “older” trojan re-inventing itself

Executive Summary

Gozi is a well known Trojan that has been around for a number of years now.

DNSChanger Trojans & Modems

Quick note: we're still occasionally getting reports of DNSChanger trojan variants altering the DNS information on both the infected system and on certain ADSL modems. It's an old, unsophisticated problem, but more awareness of it can't hurt.

There are a couple of twists on the basic strategy — the trojan may modify the modem's settings to use a rogue DNS server (that serves tainted information), or it can install a DHCP driver on the modem. Either way, it redirects users to a malicious site doing drive-by downloads.

Protection Against Office Web Components Vulnerability

Yesterday a new vulnerability was announced in Microsoft Office Web Components and, as with all new exploits that can be used in drive-by downloads, we tried it with F-Secure ISTP and ExploitShield. Yet again ExploitShield protected the user without the need for any updates.


Updated Browser, Old-school Attack

So Firefox 3.5 is available and it has quickly become a hot download item, with almost 24 million downloads worldwide so far. The browser itself is touted as faster, safer and just better — but that's no reason not to be cautious.

F-Secure ISTP and the 0-day Vulnerability in MSVIDCTL.DLL

As mentioned in the previous post, there's a new 0-day vulnerability in Microsoft's ActiveX Video Controls, more specifically in the file msvidctl.dll. Microsoft has now published an advisory about the vulnerability, in which they recommend that you set the killbit to disable the vulnerable CLSIDs, all 45 of them.

As this vulnerability is actively being used in drive-by downloads it's a good idea to do this.

0-Day Vulnerability in DirectShow

A 0-Day vulnerability that's being used to exploit Microsoft DirectShow has been discovered in the wild.

Drive-by attacks using thousands of compromised websites are reportedly involved.

SANS Internet Storm Center has details (including a killbit) in their Handler's Diary. There is not yet a Microsoft Advisory.

We detect the exploit as Exploit:W32/Agent.LBV.

The exploit targets Microsoft Internet Explorer… so one workaround is kind of obvious.

Malware Whac-a-Mole: Gumblar is down, Martuz is up. Next?!

The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address.

Viral Web Infections using Malware? Gumblar is, Unfortunately, Just Another Day on the Web

Symantec Security Response has been monitoring a recent spate of Web-based attacks and drive-by downloads from compromised websites that are infecting end-users’ computers. This latest round of attacks has a payload that maliciously alters Web search engine results on the compromised machines. There have also been some recent blog posts and articles written about compromised websites rendering drive-by downloads, including malware, with obfuscated attacks coming from a malicious Gumblar domain in China.

Torpig Botnet Academics

A handful of academic researchers recently completed another thorough and fascinating report about Torpig: "Taking over the Torpig Botnet". Torpig is an especially evil little piece of Crimeware. Over the past couple of years, ThreatFire has been preventing fairly high numbers of Torpig/Sinowal/Anserin infections all over the world, keeping this bank account and credit card number snorting nastiness penned up.

New Mebroot/Sinowal/MBR/Torpig variant in the wild – virtually undetected and more dangerous than ever

Mebroot/Sinowal/MBR/Torpig has been active since the end of 2007 and is one of the most sophisticated and also one of the most successful trojans of our time (see Wikipedia – http://en.wikipedia.org/wiki/Mebroot).
