[unisog] Significant Rogue DNS Activity To 85.255.112.0/22 (thanks to the "FreeVideo Player" Trojan)

Paul FM paulfm at me.umn.edu
Sat Nov 18 17:22:27 GMT 2006


Good security of the machines is a defense against these sorts of threats.

(broken record time)

Obviously it is hard to enforce this on personal machines - but on machines 
you maintain, the administration account should be separate from the standard 
user (who should not have any capability of getting elevated privileges). One 
of the best things about MAC-OS and Linux/Unix is it makes this very easy for 
anyone to set up (mainly because software developers have to work on a secure 
system from the start).  You should enforce this on yourself (at work and at 
home) so you learn how to make the environment more friendly to your users 
(and for your own security).


Watch out for remote execution servers for software (the type that is a 
service that does the work for the user, as they tend to run as system - I am 
even sceptical about the security of the iTunes helper services that come 
with QuickTime).  Not that these are trojans, but they may leave a gaping 
hole in the security of your system.



John Ladwig wrote:
> On Fri, Nov 17, 2006 at 03:32:22PM -0600, Brian Eckman wrote:
>> Warning: long, somewhat detailed analysis below.
> 
> Nice work.
> 
> 
> As you stated, bogus codecs are (and have been) a growth area for
> malware installation.  The Sunbelt software blog regularly warns about
> specific sites, including some very professional looking websites and
> installers. 
> 
> SANS-ISC had a "Follow the bouncing malware" piece over a year ago on
> a codec-installer trojan with EULA.  With the rapid mutation of
> modular droppers/installers, it's pretty hard to rely on antivirus
> signatures to defend against this sort of threat. 
> 
>    -jml
> 
> 
> http://sunbeltblog.blogspot.com/2006/11/supercodec-latest-fake-codec.html
> Thursday, November 16, 2006
> SuperCodec -- latest fake codec
> 
> As always, do not download these fake codecs, as they are a hotbed of
> malware. 
> 
> IP: 69.50.188.99    
> supercodec.com           
> 
>  [ ... ]
> 
> 
> http://www.f-secure.com/weblog/archives/archive-112006.html#00001021
> Tuesday, November 14, 2006
> Codec No. 107  Posted by Kamil @ 14:31 GMT
> 
> While browsing the Internet for movies... *cough* pr0n... people often
> end up downloading some DRM protected material, bundled with a license
> that uses social engineering tactics to push the victim into
> downloading a "codec". These supposed codecs are downloading and
> installing malware known as Zlob. 
> 
> [ ... ]
> 
> 
> http://sunbeltblog.blogspot.com/2006/11/more-fake-codecssecurity-scam-hijack.html
> Friday, November 10, 2006
> More fake codecs/security scam hijack sites
> 
> IP: 216.255.187.70 
> lightcodec(dot)com 
> 
> IP: 69.50.188.104   
> elitecodec(dot)com 
> 
> IP: 85.255.118.243 
> eupdatepage(dot)com          
> 
> [ ... ]
> 
> 
> http://www.techworld.com/security/news/index.cfm?newsid=6781
> 04 September 2006
> zCodec promises video, delivers nasties
> 
> By Matthew Broersma, Techworld
> 
> Users looking for the latest and greatest video software may not just
> be in danger from media lawyers. Security firm Panda Software last
> week warned that zCodec, which claims to offer "up to 40 percent
> better (video) quality," is in fact an adware program that can install
> Trojans, rootkits and other malicious software. 
> 
> zCodec is freely available online and, as of Monday afternoon, was
> easy enough to find, offering downloads from its own website -
> zcodec.com. The site uses images from the films Sin City and Pulp
> Fiction, and claims zCodec will boost audio as well as video quality. 
> 
>  [ ... ]
> 
> 
> http://isc.sans.org/diary.php?date=2005-07-13
> Published: 2005-07-13,
> Last Updated: 2005-07-14 03:33:23 UTC by Tom Liston (Version: 1)
>   [...]
> The Big Con
> 
> The file that Joe downloaded was "vc3_05b.exe," a 16,373 byte long
> executable. On the VCodec site, there is also a file called
> "vc1_05a.exe" (9341 bytes) which is what you get if you follow the
> main "download" link on the VCodec site. Also, like an extra surprise,
> hidden on the vcodec.com index page is some JavaScript that attempts,
> in several ways, to download the file "vc105a.htm" which is simply a
> copy of vc1_05a.exe. Both files are packed with the executable
> compressor FSG, and while they are superficially different, running
> either of them has the same result: version 3.5 just has a
> dog-and-pony show to go along with it. 
> 
> Perhaps by now, you've gotten the idea that we're not dealing with a
> plain old video codec here. After all, this *is* another installment
> of "Follow the Bouncing Malware." Well, no, it isn't just a codec. 
> 
> In fact, it isn't a codec at all.
> 
> [ ... ]
> 
> 
> Plenty other reports out there.
> 
>    -jml
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
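The thread subject names the rogue resolver range 85.255.112.0/22 that the fake-codec trojan points victims at. The following is an added defender-side check, not code from the original post or from any of the quoted sources: it flags hosts whose port-53 traffic or configured resolvers fall inside that range. The flow records and resolver list are constructed sample data.

```python
"""Flag hosts whose DNS traffic or configured resolvers point into the
rogue 85.255.112.0/22 range named in the thread subject.

Flow records and resolver lists below are constructed sample data, not
logs from the original post."""
import ipaddress
from typing import List, Tuple

ROGUE_DNS_NET = ipaddress.ip_network("85.255.112.0/22")

# Constructed flow records: "src_ip dst_ip dst_port proto", one per line.
SAMPLE_FLOWS = """\
10.1.2.15 85.255.112.37 53 udp
10.1.2.15 10.1.0.1 53 udp
10.1.2.99 85.255.115.200 53 udp
10.1.2.99 85.255.112.37 80 tcp
10.1.3.7 85.255.118.243 53 udp
10.1.3.8 8.8.8.8 53 udp
"""

def parse_flow(line: str) -> Tuple[str, ipaddress.IPv4Address, int, str]:
    """Split one record into (src, dst, dport, proto); raises ValueError on bad input."""
    src, dst, dport, proto = line.split()
    return src, ipaddress.ip_address(dst), int(dport), proto.lower()

def find_rogue_dns(flows: str, rogue_net=ROGUE_DNS_NET) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs for DNS (port 53) traffic into rogue_net.
    Malformed lines are skipped so one bad record does not abort the scan."""
    hits = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        try:
            src, dst, dport, _proto = parse_flow(line)
        except ValueError:
            continue
        if dport == 53 and dst in rogue_net:
            hits.append((src, str(dst)))
    return hits

def rogue_resolvers(resolvers: List[str], rogue_net=ROGUE_DNS_NET) -> List[str]:
    """Return configured resolver addresses inside rogue_net; run this over a
    host's resolv.conf or interface DNS settings after a suspected codec install."""
    return [r for r in resolvers if ipaddress.ip_address(r) in rogue_net]

if __name__ == "__main__":
    for src, dst in find_rogue_dns(SAMPLE_FLOWS):
        print(f"host {src} sent DNS queries to rogue resolver {dst}")
    print(rogue_resolvers(["10.1.0.1", "85.255.113.9"]))
```

Note that 85.255.118.243 (the eupdatepage host quoted above) lies outside the /22 and is correctly not flagged; widen the network only if your own flow data justifies it.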

