It seems the PDF URI handling vulnerability is being exploited in the wild, and guess who shows up in the whois lookup? From the honeyblog analysis:
The URL handling vulnerability in Windows XP and Windows Server 2003 is being actively exploited in the wild according to a posting to full-disclosure. The PDF file attached to that mail contains an exploit for this vulnerability, which contains shellcode to download a binary via FTP from 81.95.146.130. A whois lookup of this IP shows that it belongs to RBN, the Russian Business Network. RBN has been in the press quite often recently.
The downloaded binary injects itself into several Windows processes and collects various information from the infected machine. This data is then sent to http://81.95.147.107/cgi-bin/pstore.cgi, another IP address within the RBN network. A complete CWSandbox analysis of the binary is also available.
Shouldn't we be blocking the entire AS by now?
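One defensive way to act on the write-up is to check outbound connection logs against the two hosts it names and, as the question above suggests, against a whole provider prefix. This is an added example, not code from the honeyblog post or Security4all; the log format, the log lines and the `81.95.144.0/22` prefix are constructed placeholders (the page names only two hosts, so the real prefix list would come from whois/BGP data):

```python
import ipaddress
import re

# Host indicators quoted in the honeyblog text above.
IOC_HOSTS = {
    "81.95.146.130": "FTP download of the second-stage binary",
    "81.95.147.107": "upload of collected data to /cgi-bin/pstore.cgi",
}
# PLACEHOLDER prefix for "block the entire AS": the page names only two hosts,
# so fill this from whois/BGP data before use; chosen here to cover both.
BLOCKED_PREFIXES = [ipaddress.ip_network("81.95.144.0/22")]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
2007-10-25 10:01:02 src=10.0.0.5 dst=81.95.146.130 dport=21
2007-10-25 10:01:09 src=10.0.0.5 dst=81.95.147.107 dport=80
2007-10-25 10:02:00 src=10.0.0.7 dst=81.95.145.9 dport=443
2007-10-25 10:02:30 src=10.0.0.8 dst=192.0.2.10 dport=80
""".splitlines()


def classify(dst):
    """Return why a destination is suspect, or None if it is not."""
    if dst in IOC_HOSTS:
        return "known IoC: " + IOC_HOSTS[dst]
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # malformed field: do not crash the scan
        return None
    for net in BLOCKED_PREFIXES:
        if addr in net:
            return f"inside blocked prefix {net}"
    return None


def scan(lines):
    """Return (src, dst, dport, reason) for every flagged connection."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (reason := classify(m["dst"])):
            hits.append((m["src"], m["dst"], int(m["dport"]), reason))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the FTP fetch, the data upload and one connection that only the prefix rule catches, while the unrelated 192.0.2.10 line passes.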
Thursday
PDF URI exploitation and the RBN