
Sunday 9 September 2012

Latest Java-generated Trojan vulnerability Rodricter





The company FireEye reported the discovery of a critical vulnerability in Java Runtime Environment version 1.7x, which received the designation CVE-2012-4681. Oracle released a security patch only on August 30, so the vulnerability remained unpatched for at least four days, and attackers were quick to exploit it. Specialists at Doctor Web found that this exploit was used to spread several malicious programs, among them the Trojan Trojan.Rodricter.

To spread the malware, the attackers used hacked web sites, on which they modified .htaccess files in particular. When a user visits a site containing the embedded malicious script, a chain of redirects is started, and the address of the final node depends on the operating system of the user's computer. Windows users are redirected to a web page containing calls to various exploits. Notably, the server addresses to which users are forwarded are generated dynamically and change every hour.

The web page loaded into the user's browser immediately exploited two vulnerabilities: CVE-2012-1723 and CVE-2012-4681. Which exploit the cybercriminals used depended on the Java Runtime version: for versions 7.05 and 7.06 the security bypass was performed through CVE-2012-4681. If exploitation succeeded, the Java applet decrypted a class file whose main purpose was to download and run an executable.

Trojan.Rodricter.21 uses rootkit technology and consists of several components. Once run on the infected computer, the malware's dropper checks the system for antivirus software and debuggers, then tries to escalate its privileges; for this it may, in particular, use OS vulnerabilities. On computers where User Account Control is enabled, the Trojan disables UAC. The further behaviour of Trojan.Rodricter.21 depends on the rights it has obtained in the infected system. The Trojan saves its main component to disk and, if it has sufficient privileges, infects one of the standard Windows drivers in order to hide the main module on the affected system.

Thus, Trojan.Rodricter.21 can fairly be classified as a rootkit Trojan. Among other things, the malware is able to change the settings of the Microsoft Internet Explorer and Mozilla Firefox browsers: in Firefox, for example, the Trojan installs an additional search plug-in in the \searchplugins\ folder and replaces the User-Agent and the default search engine settings. As a result, the user's search queries are sent to http://findgala.com/?&uid=%d&&q={search term}, where %d is the Trojan's unique identifier. Trojan.Rodricter.21 also modifies the contents of the hosts file, writing attacker-specified addresses for web sites.

The main module of Trojan.Rodricter.21 is saved as an executable file in the temporary folder; it is intended to intercept the user's traffic and inject arbitrary content into it.

Source: xakepy.cc
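Two host-side checks for the artifacts described above, as an added example that is not part of the original post or of Doctor Web's analysis: it flags proxy-log requests matching the findgala.com search-hijack URL pattern and lists hosts-file entries that point names at non-loopback addresses. The log format, the client addresses, the uid value and the hosts-file entries below are constructed sample data; only the findgala.com URL shape comes from the report.

```python
import re

# URL shape from the report: http://findgala.com/?&uid=<id>&&q=<term>
HIJACK_RE = re.compile(r"https?://findgala\.com/\?&uid=(\d+)&&q=(\S*)", re.I)

# Constructed proxy log: "<timestamp> <client> <url> <status>" per line.
SAMPLE_LOG = [
    "2012-09-09T10:00:01 10.0.0.5 http://www.example.com/ 200",
    "2012-09-09T10:00:02 10.0.0.5 http://findgala.com/?&uid=12345&&q=bank+login 200",
    "2012-09-09T10:00:03 10.0.0.9 http://findgala.com/about 200",
]

# Constructed hosts file; the last line imitates an attacker-written entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
203.0.113.7 www.example-bank.com   # constructed: attacker-controlled address
"""


def find_hijacked_queries(log_lines):
    """Return (client, uid, query) for each request matching the hijack URL."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        client, url = parts[1], parts[2]
        m = HIJACK_RE.match(url)
        if m:
            hits.append((client, m.group(1), m.group(2)))
    return hits


def suspicious_hosts_entries(hosts_text):
    """Return (address, name) pairs that map a name to a non-loopback address.

    Legitimate entries can exist (lab setups, internal names), so treat the
    output as a review list, not a verdict.
    """
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback mappings are the normal content of the file
        flagged.extend((addr, name) for name in names)
    return flagged


if __name__ == "__main__":
    print(find_hijacked_queries(SAMPLE_LOG))
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```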
