Recycling older exploits is cheaper than producing new ones

Recycling is cheaper than producing. This seems to hold for the malware industry as well: engineering new exploits costs time and energy.

So today's cyber-criminals mostly recycle older exploits, repack them, and ship them out into the wide world of the web.


As the name says, this e-threat is an exploit for a vulnerability in the XMLHTTP ActiveX control within Microsoft XML Core Services. All users with an unpatched MSXML 4.0 or 6.0 installed are exposed to this exploit. Exploitation takes place when the user visits a specially crafted website. Upon execution, Exploit.JS.Agent.F downloads an executable file to the Content.IE5 folder (e.g. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5). It then launches that executable, which is most likely another piece of malware that further compromises the user's machine.

Details: http://www.bitdefender.com/VIRUS-1000399-en–Exploit.JS.Agent.F.html



This JavaScript is not an actual exploit but an exploit hider. What it does is add further encryption layers on top of the existing Exploit.SinaDloader.B described in the previous weekly review. Fully decrypting the code takes three steps: the first layer is Base64 encoding, the second is the XXTEA encryption algorithm, and the third is a conversion from UTF-8 to UTF-16. The clean content is then served on the affected websites via the document.write JavaScript method.

Once this content is executed, the script essentially runs Exploit.SinaDloader, which starts serving its 9 exploits in order to compromise vulnerable machines.

Details: http://www.bitdefender.com/VIRUS-1000395-en–Trojan.Exploit.JS.RealPlr.S.html
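To show how an analyst peels the three layers described above without ever executing the hidden script, here is an added example (not code from the original post or from BitDefender) written for Node.js. The key, the byte/word conventions (little-endian words, zero padding to a multiple of 4 bytes) and the sample script are assumptions constructed for the demonstration; the packing function exists only to build that sample so the unpacker has something to run against.

```javascript
// Three-layer unpacker: Base64 -> XXTEA -> UTF-8 to UTF-16 (JS string).
// Added example; key, padding convention and sample payload are assumptions,
// not values taken from the malware.
const DELTA = 0x9e3779b9;

// Per-word mixing step of XXTEA (Wheeler & Needham's corrected block TEA).
function mx(sum, y, z, p, e, key) {
  return ((((z >>> 5) ^ (y << 2)) + ((y >>> 3) ^ (z << 4))) ^
          ((sum ^ y) + (key[(p & 3) ^ e] ^ z))) >>> 0;
}

// In-place XXTEA on a Uint32Array with a 4-word key; blocks of one word are left as-is.
function xxteaEncrypt(v, key) {
  const n = v.length;
  if (n < 2) return v;
  let rounds = 6 + Math.floor(52 / n);
  let sum = 0, z = v[n - 1], y;
  while (rounds-- > 0) {
    sum = (sum + DELTA) >>> 0;
    const e = (sum >>> 2) & 3;
    for (let p = 0; p < n - 1; p++) {
      y = v[p + 1];
      z = v[p] = (v[p] + mx(sum, y, z, p, e, key)) >>> 0;
    }
    y = v[0];
    z = v[n - 1] = (v[n - 1] + mx(sum, y, z, n - 1, e, key)) >>> 0;
  }
  return v;
}

function xxteaDecrypt(v, key) {
  const n = v.length;
  if (n < 2) return v;
  let rounds = 6 + Math.floor(52 / n);
  let sum = (rounds * DELTA) >>> 0, y = v[0], z;
  while (rounds-- > 0) {
    const e = (sum >>> 2) & 3;
    for (let p = n - 1; p > 0; p--) {
      z = v[p - 1];
      y = v[p] = (v[p] - mx(sum, y, z, p, e, key)) >>> 0;
    }
    z = v[n - 1];
    y = v[0] = (v[0] - mx(sum, y, z, 0, e, key)) >>> 0;
    sum = (sum - DELTA) >>> 0;
  }
  return v;
}

// Little-endian byte <-> word helpers; input is zero-padded to a multiple of 4 bytes
// (assumed convention: real samples may store the plaintext length instead).
function bytesToWords(bytes) {
  const padded = new Uint8Array(Math.ceil(bytes.length / 4) * 4);
  padded.set(bytes);
  const dv = new DataView(padded.buffer);
  const words = new Uint32Array(padded.length / 4);
  for (let i = 0; i < words.length; i++) words[i] = dv.getUint32(i * 4, true);
  return words;
}

function wordsToBytes(words) {
  const out = new Uint8Array(words.length * 4);
  const dv = new DataView(out.buffer);
  words.forEach((w, i) => dv.setUint32(i * 4, w, true));
  return out;
}

// 16-byte key string -> four 32-bit words (assumed key format).
function keyFromString(s) {
  const k = new Uint8Array(16);
  k.set(new TextEncoder().encode(s).subarray(0, 16));
  return bytesToWords(k);
}

// Forward direction, used here only to construct the sample payload.
function pack(script, keyStr) {
  const words = xxteaEncrypt(bytesToWords(new TextEncoder().encode(script)), keyFromString(keyStr));
  return Buffer.from(wordsToBytes(words)).toString('base64');
}

// Analyst's unpacker: peels all three layers and RETURNS the script for inspection
// instead of handing it to document.write.
function unpack(b64, keyStr) {
  const cipherWords = bytesToWords(new Uint8Array(Buffer.from(b64, 'base64')));
  const plain = wordsToBytes(xxteaDecrypt(cipherWords, keyFromString(keyStr)));
  let end = plain.length;
  while (end > 0 && plain[end - 1] === 0) end--;          // strip zero padding
  return new TextDecoder('utf-8').decode(plain.subarray(0, end)); // UTF-8 -> UTF-16 string
}

// Constructed sample: a harmless stand-in for the hidden document.write stage.
const SAMPLE_KEY = 'constructed-key!';
const SAMPLE_SCRIPT = 'document.write("<p>stage 2 \u20ac constructed</p>");';
const SAMPLE_PAYLOAD = pack(SAMPLE_SCRIPT, SAMPLE_KEY);

function demo() {
  return unpack(SAMPLE_PAYLOAD, SAMPLE_KEY);
}

console.log(demo());
```

The point of the design is that the decoded text is returned, not evaluated: the last layer of the real sample ends in document.write, so an unpacker that stops one step short lets you read (and hash, and signature) the stage that would otherwise load the SinaDloader exploits. The non-ASCII character in the sample is there to exercise the UTF-8 to UTF-16 step; a decoder that treats the decrypted bytes as Latin-1 would corrupt it.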


We all remember Trojan.Downloader.WMA.Wimad.N, don't we? Yes, it was part of our very first weekly review published on the BitDefender forum. Well, a new version of this exploit has shown up.

It's called Trojan.Downloader.Wimad.D and brings some interesting new features with it. Unlike its predecessor Wimad.N, the media files that try to exploit this Windows Media Player flaw have actual playable content.

A browser window pops up only at the end of playback, pointing users at http://www.[hidden]sx.com. It stays on this website for about 3 seconds, offering the victims the "new version" of the media file they just viewed. After this fixed amount of time has passed, they are redirected to an adult-rated website.

This e-threat is not able to spread by itself and relies on websites or file-sharing applications to do so. It has adware-like behavior.



Information in this article is available courtesy of BitDefender virus researchers:


Dana Stanut

Adrian Stefan Popescu