lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20060223091148.98eaac22@mbox.edmaster.it>
Date: Thu Feb 23 09:12:00 2006
From: eflorio at edmaster.it (eflorio)
Subject: Detours and Trojans

It's not the first time that malwares are using detours techniques. 
In case your malware is "Trojan.Anserin"
(http://securityresponse.symantec.com/avcenter/venc/data/trojan.anserin.html)

It tries to hooks several APIs of the common browsers for keylogging/password stealing purposes (IEXPLORE, FIREFOX, MOZILLA, OPERA).
It tries to steal bank accounts and other confindential information.

Some variants try also to patch NSPR4.DLL (Netscape lib) altering
the following functions: PR_Connect(), PR_Read(), PR_Write(), PR_Close()

EF


----- Original Message -----
From: Tiago Halm
[mailto:thalm@...mail.com]
To: full-disclosure@...ts.grok.org.uk
Sent: Wed,
22 Feb 2006 22:47:40 +0100
Subject: [Full-disclosure] Detours and Trojans


> Detours is being used on trojans.
> Just got one *sighs* and detours was making sure the processes could not be
> killed.
> 
> the files were:
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
> (around 48k)
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll
> (around 48k)
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe -->
> this file was 2k
> c:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll
> (around 48k)
> 
> current user "Run" was mapped to ibm00003.exe above.
> 
> Unfortunatelly I deleted the files (in case anyone was interested), because
> google did not show much info on this and I didn't know much more of what to
> do.
> did some strings on the files above and showed http posts (uploads) of some
> local files.
> sorry I don't have any more information. don't remember.
> 
> anyone saw this already?
> 
> Tiago Halm
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ