New Oficla trojan in emails with subject "Your facebook password has been changed"
Date: Sep 25th, 2010 5:59:53 am
A new trojan distribution campaign by email has been intercepted by Ax3soft. The subject of the email may be "Facebook password details changed!", "Facebook password has been changed!" or "Facebook Password Reset Confirmation!".
The email is sent from a spoofed address, for example: "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com", "firstname.lastname@example.org", "email@example.com" or "firstname.lastname@example.org".
The body of the email:
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
The attached ZIP file is named Facebook_document.zip and contains a 36 kB file, Facebook_document.exe.
The trojan is known as Win32/Oficla.II (NOD), Trojan.Win32.Oficla.lh (Kaspersky), Troj/Mdrop-CWY (Sophos), Win32:Trojan-gen (Avast).
It creates the following files:
It creates the following registry key:
The following registry key is modified:
1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
2. We have added new policies to Ax3soft Sax2 to detect this trojan; please update the Sax2 policy knowledge base promptly.
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
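A mail-gateway check for the indicators this post lists (the three subject lines, and a ZIP attachment carrying an .exe). This is an added example written for this page, not Ax3soft's or Sax2's code; the message it builds is constructed test data and the .exe member is inert filler, not the trojan.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Subjects used by the campaign described in the post (compared case-insensitively).
CAMPAIGN_SUBJECTS = {
    "facebook password details changed!",
    "facebook password has been changed!",
    "facebook password reset confirmation!",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")

def executables_in_zip(data: bytes) -> list:
    """Names of executable members inside a ZIP payload; empty if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []

def classify(raw: bytes) -> dict:
    """Check a raw RFC 5322 message against the campaign's indicators."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = (msg["subject"] or "").strip().lower()
    reasons = []
    if subject in CAMPAIGN_SUBJECTS:
        reasons.append("campaign subject: " + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        exes = executables_in_zip(payload)
        if exes:
            reasons.append("zip %s contains executable %s" % (name, ", ".join(exes)))
    return {"suspicious": bool(reasons), "reasons": reasons}

def build_sample(subject: str, attach_exe_zip: bool) -> bytes:
    """Constructed test message (not a real capture); the .exe member is inert filler."""
    msg = EmailMessage()
    msg["From"] = "service@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("Dear user of facebook, your password has been changed. See attachment.")
    if attach_exe_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Facebook_document.exe", b"placeholder, not executable code")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Facebook_document.zip")
    return bytes(msg)
```

Either indicator alone is enough to quarantine for review; a matching subject plus a ZIP-wrapped executable is the full pattern of this campaign.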
How to Detect Hacker Attack With Sax2
Date: Mar 22nd, 2009 2:59:20 am
Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack.
Because of this, detecting hacker attacks is not an easy task, especially for an inexperienced user, but Sax2 makes it much easier. Sax2 is a professional network intrusion detection and prevention system (NIDS) that provides a wealth of security policies. This article gives a few basic methods to help you figure out whether your machine is under attack or the security of your system has been compromised.
Diagnosis View is the most direct and effective place to detect a hacker attack and should be our first choice. Sax2 can detect most hacker attacks and generate intrusion events; if Sax2 confirms that the current attack is very dangerous, it will automatically block or interfere with the conversation. Picture 1 is an example of the detection of the "Erazer Lite" backdoor.
Check the E-mail log for suspicious mail: a trojan will usually send an E-mail message in order to steal your important information, such as bank accounts and passwords.
Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network traffic (especially when your computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant: it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet. For how to monitor network traffic, please visit http://www.ids-sax2.com/articles/MonitorNetworkTraffic.htm.
Quick Locate ARP Attack Source with Sax2
Date: Mar 22nd, 2009 2:58:50 am
Address Resolution Protocol (ARP), because of its simplicity, speed and effectiveness, is becoming increasingly popular among attackers, causing severe harm to the network environment.
ARP spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that indeed make use of ARP and not another method.
With Ax3soft Sax2, we can quickly and accurately locate the ARP attack source when an ARP attack occurs on the network, so as to ensure normal and reliable network operation.
Diagnosis View is the most direct and effective place to locate an ARP attack and should be our first choice. Its interface is displayed in picture 1.
Picture 1 clearly shows that there are two kinds of ARP attack events in the network, ARP Scan and ARP MAC address changed, and the attack source is clearly given at the bottom. Meanwhile, Sax2 provides the reasons for such ARP attacks and the corresponding solutions.
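The two event types named above (ARP Scan, and ARP MAC address changed) can be reproduced with a small stateful monitor over captured ARP frames, which also reports the source MAC the way the bottom of the Diagnosis View does. This is an added example written for this page, not Sax2's detection logic; the ArpFrame layout, the threshold of 20 distinct targets in 5 seconds, and the constructed sample traffic are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpFrame:
    ts: float        # capture time in seconds
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str

class ArpMonitor:
    """Flags the two event types from the post: ARP Scan and ARP MAC address changed."""
    def __init__(self, scan_threshold=20, scan_window=5.0):
        self.scan_threshold = scan_threshold   # distinct targets that count as a sweep
        self.scan_window = scan_window         # seconds of request history kept per MAC
        self.requests = defaultdict(list)      # sender_mac -> [(ts, target_ip)]
        self.ip_to_mac = {}                    # last hardware address seen claiming each IP
        self.reported_scanners = set()         # report each sweeping MAC once

    def feed(self, f: ArpFrame) -> list:
        events = []
        # MAC address changed: an IP we already know now appears with a different MAC.
        prev = self.ip_to_mac.get(f.sender_ip)
        if prev is not None and prev != f.sender_mac:
            events.append({"type": "ARP MAC address changed", "ip": f.sender_ip,
                           "old_mac": prev, "new_mac": f.sender_mac, "source": f.sender_mac})
        self.ip_to_mac[f.sender_ip] = f.sender_mac
        # ARP Scan: one sender asking for many distinct targets within the window.
        if f.opcode == 1:
            hist = self.requests[f.sender_mac]
            hist.append((f.ts, f.target_ip))
            hist[:] = [(t, ip) for t, ip in hist if f.ts - t <= self.scan_window]
            targets = {ip for _, ip in hist}
            if len(targets) >= self.scan_threshold and f.sender_mac not in self.reported_scanners:
                self.reported_scanners.add(f.sender_mac)
                events.append({"type": "ARP Scan", "source": f.sender_mac, "targets": len(targets)})
        return events

def sample_frames() -> list:
    """Constructed capture: one host sweeps 192.0.2.1-25, then two MACs claim 192.0.2.1."""
    frames = [ArpFrame(t * 0.05, 1, "aa:aa:aa:aa:aa:01", "192.0.2.50", "192.0.2.%d" % t)
              for t in range(1, 26)]
    frames.append(ArpFrame(2.0, 2, "bb:bb:bb:bb:bb:02", "192.0.2.1", "192.0.2.50"))  # gateway
    frames.append(ArpFrame(2.5, 2, "aa:aa:aa:aa:aa:01", "192.0.2.1", "192.0.2.50"))  # conflict
    return frames

def run(frames) -> list:
    """Feed frames through one monitor and collect every event in arrival order."""
    mon = ArpMonitor()
    return [e for f in frames for e in mon.feed(f)]
```

In a real deployment the sensor also has to know the legitimate gateway MAC, since the first claim for an IP is trusted blindly here.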
How to Monitor IM Activities with Sax2
Date: Mar 22nd, 2009 2:58:25 am
In the Logs Window, besides the three original logs (HTTP Requests, Email and FTP Transfers), we can monitor real-time activities and detailed messages of the MSN instant messenger. Picture 1 below is an example of MSN Activities.
1. Automatically save all messages for future reference
By default Sax2 will not save logs of IM activities; to enable this function, we have to make some log settings. Let's take the MSN log as an example:
Click the "Options" button on the menu bar and a dialog box will pop up as displayed in picture 2; then switch to the "MSN Analyzer" Settings page.
We can see that Log File(s) is disabled. To enable log files, we have to click "..." to open another dialog box where we can define the full path to the log file.
2. IM Activities Information
Date - date information of the activity;
Time - time information of the activity;
IP1 - IP address of the node that is conducting the IM activity;
Account - account that is conducting the IM activity;
Transactions - detailed message content;
All IM messages are listed in time sequence; Picture 3 is an example of MSN messages.
* No need to purchase another IM monitor;
* Monitor all IM activities in real time;
* Save all IM messages for future reference;
* Prevent business secrets from leaking out via IM activities;
* Learn how much time your employees spend in personal chatting during working hours.
How to Monitor Email Activity
Date: Mar 22nd, 2009 2:57:53 am
Step 1: Click "Tool \ Option" to open the options settings window, then switch to the "Email Analyzer" Settings page, as shown below; change the value of "Save Email" to "yes" and set up the "Save Path".
Step 2: Switch to the logs page, choose the Email log, and then double-click an entry to view the message body.
Content Copyrighted devidhuang at Aeonity Blog