MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

28.6.09

ElFiesta. Zombie recruitment through multiple threats

ElFiesta is another member of the family of web applications created by Russian developers and made available to cyber-criminals. It not only lets them monitor and manage each of the infected computers that make up the botnet (zombies), but also launches attacks over the web through various techniques that involve the exploitation of vulnerabilities.

One of ElFiesta's modules targets precisely this: spreading the infection through PDF (Portable Document Format) files that exploit vulnerabilities in certain versions of Adobe Acrobat Reader.


In this case the downloaded file is called 4573.pdf (MD5: b7b7d52a205e950adf4795c14c7f7178); the name is randomly generated. Its detection rate is just under 50%, meaning roughly half of the antivirus engines miss it, which gives it a very significant infection potential at the moment.

As mentioned above, it exploits a vulnerability, CVE-2007-5659 (multiple buffer overflows in Adobe Reader), through a specially crafted PDF in which malicious JavaScript is embedded. The script downloads and executes a binary called load.exe (MD5: 5ee26f43139a2cdb3a79a835574285a0) from /load.php?id=1118&spl=3.


Another ElFiesta module adds a script-based attack method whose code is protected with an obfuscation technique.
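The two modules described above (JavaScript embedded in a PDF that abuses CVE-2007-5659 and then fetches load.exe, and script payloads hidden behind obfuscation) share the same static fingerprints: a PDF-level trigger such as /OpenAction, a /JavaScript action, the Collab.collectEmailInfo method that CVE-2007-5659 exploits overflow, obfuscation primitives like unescape(), and a download URL inside the decoded script. The following triage script is an added example written for this page; it is not part of the original post nor ElFiesta's own code. The indicator lists, their weights, the dropper host (dropper.example.invalid) and the sample PDF it builds are all constructed for illustration; only the /load.php?id=1118&spl=3 path and the API name come from the case described above.

```python
import re
import zlib

# Indicators (this example's own choice, drawn from the case above):
PDF_TRIGGERS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS"]
# Collab.collectEmailInfo is the Reader method abused by CVE-2007-5659 exploits;
# the other two are common companions in exploit kits of this era.
EXPLOIT_APIS = [b"Collab.collectEmailInfo", b"Collab.getIcon", b"util.printf"]
OBFUSCATION = [b"unescape(", b"eval(", b"String.fromCharCode", b"replace("]
URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w.\-?=&%/]*)?")

# "N G obj << dict >> stream ... endstream"; the tempered dot keeps the
# dictionary match from running across object boundaries.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.S,
)


def decode_streams(pdf: bytes) -> list:
    """Return (object number, dictionary, decoded body) per stream object.
    Only /FlateDecode is handled; other filters (or corrupt data) stay raw."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        objnum, _, dic, body = m.groups()
        if b"/FlateDecode" in dic:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # malformed stream: keep raw bytes so string hits still work
        out.append((int(objnum), dic, body))
    return out


def triage_pdf(pdf: bytes) -> dict:
    """Static triage: which indicators occur, URLs in decoded scripts, a score."""
    corpus = [pdf] + [body for _, _, body in decode_streams(pdf)]

    def hits(needles):
        return sorted({n.decode() for blob in corpus for n in needles if n in blob})

    report = {
        "triggers": hits(PDF_TRIGGERS),
        "exploit_apis": hits(EXPLOIT_APIS),
        "obfuscation": hits(OBFUSCATION),
        "urls": sorted({u.decode() for blob in corpus for u in URL_RE.findall(blob)}),
    }
    # Weights are arbitrary: an exploit API name is worth more than a mere trigger.
    score = (len(report["triggers"]) + 3 * len(report["exploit_apis"])
             + len(report["obfuscation"]))
    report["score"] = score
    report["verdict"] = "suspicious" if score >= 4 else "benign-looking"
    return report


def build_sample_pdf() -> bytes:
    """Constructed sample mimicking the 4573.pdf pattern: an /OpenAction that
    runs a Flate-compressed JavaScript action. Host and buffer sizes are
    placeholders, not taken from the real file; nothing here is executed."""
    js = (b"var u='http://dropper.example.invalid/load.php?id=1118&spl=3';"
          b"var p=unescape('%u9090%u9090');"
          b"while(p.length<0x10000)p+=p;"
          b"Collab.collectEmailInfo({subj:'',msg:p});")
    stream = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + stream + b"\nendstream",
    ]
    body = b"%PDF-1.4\n" + b"".join(
        b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs)
    )
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Running it on the constructed sample reports the three triggers, Collab.collectEmailInfo, unescape( and the dropper URL, and rates the file suspicious; a plain catalog-only PDF scores zero. Decompressing the streams is the step that matters: the obfuscated module's string indicators, like the URL here, are invisible in the raw file and only appear once the /FlateDecode body is inflated.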

Going deeper into the case, we found a newly deployed ElFiesta installation. The following screen shows statistical information that matches our data.


These methods are common to most crimeware applications of this kind, but a more interesting detail stands out: the domain used belongs to a known scareware, XP Police Antivirus.

Consequently, the first question that comes to mind is: is XP Police Antivirus working together with ElFiesta to recruit zombies?

Related information on this blog
Fusion. A concept adopted by today's crimeware
Aggressive infection strategy of XP Police Antivirus
XP Police Antivirus propagation campaign through Visual Social Engineering

Jorge Mieres
