BitDefender weekly review

Bogdan BOTEZATU

April 24, 2009


Although the fix for these vulnerabilities has been released on 14th Nov. 2007, attackers still exploit these flaws to spread malware without the user's consent.

Trojan.Buzus.CV

After execution, the Trojan starts a new process with the same name as its filename. It injects an executable into that process' memory and then drops it as a system file called netmon.exe. It creates registry keys to ensure that the dropped executable is started on each boot.

The injected netmon.exe drops a driver into %system%\drivers\sysdrv32.sys and registers it as a service.

In order to spread, it creates copies of itself on every detected removable drive and uses an autorun.inf file to execute them.

To protect itself, it hides from user mode.
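The write-up above gives a defender two concrete things to look for: the autorun.inf propagation on removable drives and the two dropped files (netmon.exe and the sysdrv32.sys driver). The following script is an added example, not BitDefender's code: it parses an autorun.inf, lists which files on the drive it would launch, and checks a file listing for the dropped artifacts. The system directory `C:\Windows\System32`, the drive letter and all sample inputs are constructed assumptions; on a real host the file lists would come from a directory walk.

```python
import re

# Artifacts the write-up attributes to Trojan.Buzus.CV: the dropped netmon.exe
# and the sysdrv32.sys driver. The system directory is an assumption here; on a
# real host derive it from %SystemRoot%.
SYSTEM_DIR = r"C:\Windows\System32"  # assumption
KNOWN_DROPS = {
    (SYSTEM_DIR + r"\netmon.exe").lower(),
    (SYSTEM_DIR + r"\drivers\sysdrv32.sys").lower(),
}

# autorun.inf keys that make Windows launch a file from the drive
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser so that malformed or duplicated
    lines, common in worm-written files, do not abort the scan.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """List the files an autorun.inf would execute, in order, without repeats."""
    targets = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            # Only the program name matters; drop arguments and surrounding quotes.
            words = value.split()
            program = words[0].strip('"') if words else ""
            if program and program not in targets:
                targets.append(program)
    return targets


def assess_removable_drive(drive_letter, autorun_text, files_on_drive):
    """Report autorun launch targets that point at executables present on the drive."""
    present = {p.lower() for p in files_on_drive}
    findings = []
    for program in launch_targets(parse_autorun(autorun_text)):
        full_path = f"{drive_letter}:\\{program}".lower()
        if full_path.endswith(EXEC_EXTENSIONS) and full_path in present:
            findings.append(f"autorun.inf on {drive_letter}: launches {program}")
    return findings


def check_system_artifacts(paths):
    """Return the paths named in the Buzus write-up that are present in `paths`."""
    return sorted(p for p in paths if p.lower() in KNOWN_DROPS)


# Constructed sample input, modelled on the propagation described above.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample, not a captured file
open=recycler\setup.exe
shell\open\command=recycler\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""
SAMPLE_DRIVE_FILES = [r"E:\autorun.inf", r"E:\photos\img001.jpg", r"E:\recycler\setup.exe"]
SAMPLE_SYSTEM_FILES = [
    r"C:\Windows\System32\netmon.exe",
    r"C:\Windows\System32\drivers\sysdrv32.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
]

if __name__ == "__main__":
    for finding in assess_removable_drive("E", SAMPLE_AUTORUN, SAMPLE_DRIVE_FILES):
        print(finding)
    for path in check_system_artifacts(SAMPLE_SYSTEM_FILES):
        print("dropped file present:", path)
```

A launch target is only reported when the referenced executable actually exists on the drive, which keeps stale autorun.inf files from vendor CDs out of the report; the system-artifact check is deliberately exact-path, since the write-up names fixed filenames rather than a pattern.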


Exploit.Baofeng.A

Baofeng Storm Player is a popular Chinese media player. It comes bundled with an ActiveX control used for media playback on websites. However, certain versions of it are prone to multiple buffer overflow vulnerabilities which allow attackers to execute arbitrary code on the affected system.

The methods “advancedOpen()”, “isDVDPath()” and “rawParse()” and the properties “backImage”, “titleImage” and “URL”, which reside inside “sparser.dll” and “mps.dll”, fail to validate user-supplied input and allow the attacker to gain control over the system within the security context of the running process. Vulnerable versions are all below 2.08.

Currently only the method “rawParse()” has been seen in the wild, exploiting the above-mentioned vulnerabilities. Specially crafted websites make use of this method to spread other malware. The exploit downloads executable files from URLs like http://[removed]de.com/bf.css and http://[removed]p.cn:6135/qwer/bf.css, saves them inside the system32 folder under the name “a.exe” and executes them with the privileges of the browser.

BitDefender recommends an immediate upgrade to the latest version of the player, since that has fixed these vulnerabilities.
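Two checks follow directly from the advisory: whether an installed Storm Player version is below 2.08, and whether a page served to users scripts the vulnerable members of the control. The script below is an added example, not BitDefender's or Baofeng's code. It compares dotted version strings against the 2.08 threshold and scans HTML for calls to the three vulnerable methods and writes to the three vulnerable properties; property writes are only reported when the page also embeds an `<object>` or builds an `ActiveXObject`, because a name like `URL` is far too common to flag alone. The CLSID in the sample page is an all-zero placeholder and both sample pages are constructed.

```python
import re

# Vulnerable members named in the advisory; all live in the control's
# sparser.dll / mps.dll. Versions below 2.08 are affected.
VULNERABLE_METHODS = ("advancedOpen", "isDVDPath", "rawParse")
VULNERABLE_PROPERTIES = ("backImage", "titleImage", "URL")
FIXED_VERSION = (2, 8)

METHOD_CALL_RE = re.compile(r"\.(%s)\s*\(" % "|".join(VULNERABLE_METHODS))
# A single '=' (not '==') after the property name is a write, which is what matters.
PROPERTY_SET_RE = re.compile(r"\.(%s)\s*=(?!=)" % "|".join(VULNERABLE_PROPERTIES))
# Evidence that the page instantiates an ActiveX control at all
ACTIVEX_RE = re.compile(r"<object\b|new\s+ActiveXObject\s*\(", re.IGNORECASE)


def parse_version(text):
    """'2.07' -> (2, 7); a trailing build component such as '2.07.0' is kept."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        raise ValueError(f"not a dotted numeric version: {text!r}")


def is_vulnerable_version(text):
    """True for every Storm Player version below 2.08, per the advisory."""
    return parse_version(text) < FIXED_VERSION


def find_vulnerable_member_uses(html):
    """Return (line_no, member, kind) for each scripted use of a vulnerable member.

    Method calls are reported unconditionally; property writes only when the
    page shows signs of embedding an ActiveX control.
    """
    uses_activex = bool(ACTIVEX_RE.search(html))
    hits = []
    for line_no, line in enumerate(html.splitlines(), 1):
        for m in METHOD_CALL_RE.finditer(line):
            hits.append((line_no, m.group(1), "method"))
        if uses_activex:
            for m in PROPERTY_SET_RE.finditer(line):
                hits.append((line_no, m.group(1), "property"))
    return hits


# Constructed sample pages; the classid is a placeholder, not the real control's CLSID.
SUSPECT_PAGE = """<html><body>
<object id="player" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
  var p = document.getElementById("player");
  p.backImage = img;
  p.rawParse(src);
</script>
</body></html>
"""

BENIGN_PAGE = """<html><body>
<script>
  if (document.URL == "about:blank") { history.back(); }
  var meta = { URL: location.href };
</script>
</body></html>
"""

if __name__ == "__main__":
    for version in ("2.07", "2.08", "2.10"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "fixed")
    for line_no, member, kind in find_vulnerable_member_uses(SUSPECT_PAGE):
        print(f"line {line_no}: {kind} {member}")
    print("benign page hits:", find_vulnerable_member_uses(BENIGN_PAGE))
```

The version comparison uses tuples so that "2.10" correctly sorts above "2.08", which a naive string or float comparison gets wrong. The page scan is a triage aid for proxy logs or saved pages, not a proof of exploitation: a legitimate site can script `rawParse()`, so a hit means the browser would reach vulnerable code if the player is below 2.08, which is exactly the combination the upgrade advice removes.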


Information in this article is available courtesy of BitDefender virus researchers Marius Barat and Balazs Biro.
