Zeus 188.8.131.52 6 - Cracked
Compatible Windows 7 - Vista - XP - 2000 ...
F-Secure Lab just found a new, and it’s spreading in the wild. The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven’t seen before: RDP (Remote Desktop Protocol). Windows has built-in support for this protocol via Windows
Once you enable a computer for remote use, you can use any other computer to access it.
When you connect to another computer with this tool, you can remotely use the computer, just like you’d use a local computer.
enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.
When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:
Once you are connected to a remote system, you can access the drives of that server via Windows shares such as \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Morto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.
Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service.
Attackers could poison DNS, present their site with the fake cert and bingo, they have the user’s credentials.
Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked.
It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.
Given their ties to the government and financial sectors it’s extremely important to find out the scope of the breach as quickly as possible. The situation was reminiscent of a breach last March, when a hacker obtained certificates for some of the Web’s biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.
Then, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern
Initially, Comodo argued that
A new social networking worm in the vein of Koobface is currently doing the rounds.
Unlike the majority of Facebook scams, this one actively infects your computer with malware instead of simply tricking you into taking surveys and passing on messages to other users.
The link in his Facebook chat from a friend pointed to an app.facebook.com/CENSORED link. Typically when you go to a Facebook app page it prompts you to add the application and grant it permission to post on your behalf or read your profile data. The scary part about this one is that it immediately prompts you to download a “FacebookPhotos#####.exe” file with no prompting or clicking required.
The screen reads “Photo has been moved. This photo has been moved to other location. To view this photo click View Photo.” If your computer has not already downloaded the malware, the “View Photo” button will download the virus for you.
It is really unfortunate that Facebook scams are moving back towards spreading malware. Fortunately, users of Sophos Anti-Virus had proactive protection from this threat with both our HIPS and suspicious file detection technologies; this particular strain is now identified by Sophos as W32/Palevo-BB.
The good news is that, Facebook removed the malicious application from its service. But there are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message.
Quatrini discovered that two vulnerable pages – /_/sharebox/linkpreview/ and gadgets/proxy? – can be used to request any file type, which Google+ will download and show – even if the attacker isn’t logged into Google+.
By making many such request simultaneously – which he managed to do by using a shell script he’s written – he practically used Google’s bandwidth to orchestrate a small DDoS attack against a server he owns.
He points out that his home bandwidth can’t exceed 6Mbps, and that the use of Google’s server resulted in an output bandwidth of at least 91Mbps.
“The advantage of using Google and make requests through their servers, is to be even more anonymous when you attack some site (TOR+This method); The funny thing is that apache will log Google IPs,” says Quatrini. “But beware: igadgets/proxy? will send your IP in apache log, if you want to attack, you’ll need to use /_/sharebox/linkpreview/.”