Original release date: May 20, 2013 | Last revised: May 21, 2013
[h=3]Systems Affected[/h]
- Microsoft Windows systems running Adobe Reader, Acrobat, or Oracle Java
[h=3]Description[/h] The compromised websites were modified to contain a hidden iframe referencing a JavaScript file hosted on a dynamic-DNS domain. The file returned from that host was identified as the Fiesta Exploit Kit. The exploit kit script attempts to exploit one of several known vulnerabilities in order to download and run an executable:
- CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat
- CVE-2010-0188: Unspecified vulnerability in Adobe Reader and Acrobat
- Multiple vulnerabilities in Oracle Java 7 before Update 11 (CVE reference link removed)
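The injection pattern described above (a hidden iframe whose src points to a JavaScript file on a dynamic-DNS host) can be hunted for in saved page content. The scanner below is an added example, not code from the alert or from US-CERT; the dynamic-DNS suffix list, the page hostname, the iframe host and the sample HTML are all constructed placeholders, not indicators from the alert.

```python
"""Scan HTML for hidden iframes that load content from a dynamic-DNS host.

Added example, not code from the US-CERT alert. The dynamic-DNS suffix
list, the page hostname and the sample HTML are constructed for
illustration; the iframe source host is a placeholder, not a real IOC.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short, illustrative list of dynamic-DNS provider suffixes.
# A real deployment would load a maintained list; this one is not exhaustive.
DYNAMIC_DNS_SUFFIXES = ("no-ip.org", "dyndns.org", "ddns.net", "hopto.org")

_STYLE_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _dimension(value):
    """Parse a width/height attribute ('0', '1px', '100%') to an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe's attributes make it invisible to the user."""
    style = attrs.get("style") or ""
    if _STYLE_HIDDEN.search(style):
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    # Injected iframes are typically 0x0 or 1x1.
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def is_dynamic_dns(host):
    """True if host is, or is a subdomain of, a listed dynamic-DNS suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that is hidden and off-site,
    or that loads from a dynamic-DNS host regardless of visibility."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host != page_host.lower():
            reasons.append("off-site")
            if is_dynamic_dns(host):
                reasons.append("dynamic-dns")
        if ("hidden" in reasons and "off-site" in reasons) or "dynamic-dns" in reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate iframe, one injected hidden iframe
# whose host is a placeholder on a dynamic-DNS suffix (not a real indicator).
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.example-radio.test/player" width="300" height="150"></iframe>
<div>Station schedule</div>
<iframe src="http://evil-placeholder.no-ip.org/js/x.js" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example-radio.test"):
        print(f"{src}: {', '.join(reasons)}")
```

The hidden test covers the usual tricks (display:none, visibility:hidden, 0x0 or 1x1 dimensions). Run the scanner over saved copies of the site's pages rather than scraping a live, possibly still-compromised server from an analyst workstation.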
[h=3]Impact[/h] Once the exploit kit succeeds, it delivers and executes a known variant of the ZeroAccess Trojan. According to an external analysis (link removed), the malware also downloads and installs a variant of the FakeAV/Kazy malware.
The ZeroAccess Trojan beacons to one of two hard-coded command-and-control addresses, 194[.]165[.]17[.]3 and 209[.]68[.]32[.]176, using an HTTP GET request with an Opera/10 user-agent string.
After beaconing, the malware downloads a custom Microsoft Cabinet file containing several lists of peer IP addresses and a fake Flash installer, and then uses UDP port 16464 to join the ZeroAccess peer-to-peer network.
[h=3]Solution[/h] Apply Updates
- Adobe has provided updates for the Reader and Acrobat vulnerabilities in Adobe Security Bulletins APSB09-04 and APSB10-07.
- Oracle has provided updates for the Java vulnerability in its advisory (link removed).
Monitor for traffic to the following IP addresses as a potential indicator of infection, where permitted and practical:
- 209.68.32.176
- 194.165.17.3
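The beacon and peer-to-peer behaviour described under Impact, together with the monitoring recommendation above, translate directly into a log check. The script below is an added example, not US-CERT's code; the tab-separated log layout and the sample records are constructed for illustration, while the two C2 addresses, the Opera/10 user-agent string and UDP/16464 are the indicators given in this alert.

```python
"""Flag ZeroAccess-style activity in connection/proxy logs.

Added example, not code from the US-CERT alert. The log format is a
constructed tab-separated layout (assumption); the C2 addresses, the
Opera/10 user-agent and UDP/16464 are the indicators from the alert.
"""
from collections import namedtuple

C2_ADDRESSES = {"194.165.17.3", "209.68.32.176"}   # from the alert
P2P_UDP_PORT = 16464                                # from the alert
BEACON_UA_PREFIX = "Opera/10"                       # from the alert

# Constructed field layout: ts, src_ip, dst_ip, proto, dst_port, method, user_agent
Record = namedtuple("Record", "ts src_ip dst_ip proto dst_port method user_agent")


def parse_line(line):
    """Parse one tab-separated record; '-' marks an absent field."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    ts, src, dst, proto, port, method, ua = parts
    return Record(ts, src, dst, proto.upper(), int(port),
                  None if method == "-" else method,
                  None if ua == "-" else ua)


def classify(rec):
    """Return the indicator names a record matches (empty list means clean)."""
    hits = []
    if rec.dst_ip in C2_ADDRESSES:
        hits.append("c2-address")
    # Beacon: HTTP GET with the Opera/10 user-agent. Match the prefix, not an
    # exact string, because the alert gives only "Opera/10".
    if (rec.proto == "TCP" and rec.method == "GET"
            and rec.user_agent and rec.user_agent.startswith(BEACON_UA_PREFIX)):
        hits.append("opera10-get")
    if rec.proto == "UDP" and rec.dst_port == P2P_UDP_PORT:
        hits.append("udp-16464-p2p")
    return hits


def scan(lines):
    """Return {src_ip: sorted indicator names} for every source with a hit."""
    infected = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        hits = classify(parse_line(line))
        if hits:
            infected.setdefault(parse_line(line).src_ip, set()).update(hits)
    return {ip: sorted(h) for ip, h in infected.items()}


# Constructed sample log (not real traffic). 10.0.0.7 shows the full chain:
# a GET beacon to a C2 address, then UDP/16464 peer traffic. 10.0.0.9 is
# ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
# ts\tsrc_ip\tdst_ip\tproto\tdst_port\tmethod\tuser_agent
2013-05-20T10:01:02\t10.0.0.9\t93.184.216.34\ttcp\t80\tGET\tMozilla/5.0 (Windows NT 6.1)
2013-05-20T10:01:05\t10.0.0.7\t194.165.17.3\ttcp\t80\tGET\tOpera/10
2013-05-20T10:01:09\t10.0.0.7\t198.51.100.23\tudp\t16464\t-\t-
2013-05-20T10:01:11\t10.0.0.9\t198.51.100.23\tudp\t53\t-\t-
""".splitlines()

if __name__ == "__main__":
    for src, hits in sorted(scan(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(hits)}")
```

Treat an Opera/10 GET on its own as a weak signal (a legitimate, if old, Opera browser produces the same prefix) and escalate when the same source also reaches a C2 address or UDP/16464; hits are collected per source host so the whole chain shows up on one line.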
[h=3]References[/h]
- Reference link removed in syndication
- Adobe Security Bulletin APSB09-04: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat
- Adobe Security Bulletin APSB10-07: Unspecified vulnerability in Adobe Reader and Acrobat
- Oracle advisory: Multiple vulnerabilities in Oracle Java 7 before Update 11 (link removed)
- Two further reference links removed in syndication
[h=3]Revision History[/h]
- May 20, 2013: Initial release
This product is provided subject to this Notification and this Privacy & Use policy (links removed).
Syndicated from the United States Computer Emergency Readiness Team (US-CERT). Link removed.