oCERT Releases Advisory for Unpatched UnZip Vulnerability

Original release date: December 22, 2014

The Open Source Computer Security Incident Response Team (oCERT) has released an advisory addressing vulnerabilities in all versions of UnZip. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system if a user opens a specially crafted zip file.

US-CERT recommends that users and administrators review the oCERT Advisory for more details.


Slow File Infector Spies on Victims

In the middle of 2012 McAfee Labs observed the complex malware XDocCrypt infecting documents, Excel workbooks, and executable files. Recently we have seen a similar infection method that attacks PDF, MSI (Windows installer), and executables, though the current malware is not as complex as XDocCrypt.

W32/PDFCrypt is not complex. The coding standards, propagation methods, stealth mechanism, and the payload binaries clearly indicate that this author is a novice.

W32/PDFCrypt adds selective parasitic capabilities to infect PDF, MSI, and executable files (the last named setup.exe, all lowercase), as shown in the following screen capture, which names the file types that this malware can infect. Infections occur only through removable media and writable mapped network drives. We saw no infections on the local host. Nothing appeared to happen during the first 30 minutes, but then the malware started to work.


The hijacked original files are compressed using the aPLib compression library. Then the original file is replaced with the infected executable, and the compressed data (the original file) is added to the resource data directory as “RT_DATA 2AF8”.

Though coded to infect PDF, MSI, and setup.exe files, we saw active infections only on PDFs. This malware did not have the intelligence to check for the actual file type; rather it just read the file extension.

The malware decompresses the original file (pdf, msi, exe) and copies it to %temp% with a random name. It then executes the original file from %temp% along with the following files. The malware creates these files if they do not exist:

• %APPDATA%\SoftwareProtectionPlatform\sppc.exe
• %WINDIR%\SYSTEM32\wsauth.exe
• temp.exe

Wsauth.exe runs as a service and hides from Windows Explorer by hooking the function NtQueryDirectoryFile in ntdll.dll.

We saw temp.exe, which ensures the host becomes infected, only on removable media. It has the icon of a folder to lure users.

This malware does not ask for any ransom to decompress the original files, unlike the ransomware CryptoLocker. W32/PDFCrypt spies on its victims, collecting user data by hooking into browsers such as Internet Explorer, Firefox, and Chrome.

The malware gathers the following information from the compromised system:


After a delay of around 45 minutes, the malware downloaded an old Conficker worm, which McAfee has detected since January 2013.

The resource data directory contained the following DLLs and corresponding resource IDs:

DLL name            Resource ID
32-bit aplib.dll    6Ah
64-bit aplib.dll    6Bh
client.dll          65h
client64.dll        66h
miniresources.dll   69h

The files client.dll, on 32-bit machines, and client64.dll, on 64-bit machines, are the main infectors. Once in the memory of explorer.exe, this file carries out the complete infection cycle. Client*.dll uses the file *bit aplib.dll to compress the target files. It also runs the file wsauth.exe as a service component.
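As an added example (not code from the McAfee write-up), the following Python walks a PE .rsrc directory tree the way a triage script would, so the resource IDs listed above can be spotted in a suspect file without a PE library. The sample resource tree is constructed inline, and reading "RT_DATA" as the RCDATA type (10) with the listed IDs as resource name IDs is an assumption.

```python
import struct

RT_RCDATA = 10          # resource type the write-up's "RT_DATA" is assumed to mean
SUBDIR = 0x80000000     # high bit of OffsetToData: entry points to a subdirectory, not a leaf

# Resource IDs named in the write-up; reading them as RCDATA name IDs is an assumption.
WATCHLIST = {0x2AF8: "compressed original file", 0x65: "client.dll", 0x66: "client64.dll",
             0x69: "miniresources.dll", 0x6A: "32-bit aplib.dll", 0x6B: "64-bit aplib.dll"}

def walk_resources(rsrc, off=0, path=()):
    """Yield (ids, rva, size) for every leaf of a raw .rsrc section; off is relative to its start."""
    # IMAGE_RESOURCE_DIRECTORY is 16 bytes; entry counts sit at +12, entries (8 bytes) follow.
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        node = path + (name & 0x7FFFFFFF,)   # string names (high bit set) are not resolved here
        if data & SUBDIR:
            yield from walk_resources(rsrc, data & 0x7FFFFFFF, node)
        else:                                # IMAGE_RESOURCE_DATA_ENTRY: rva, size, codepage, reserved
            rva, size = struct.unpack_from("<II", rsrc, data)
            yield node, rva, size

def suspicious_entries(rsrc):
    """Return (id, label, size) for RCDATA leaves whose name ID is on the watchlist."""
    return [(ids[1], WATCHLIST[ids[1]], size)
            for ids, _rva, size in walk_resources(rsrc)
            if len(ids) == 3 and ids[0] == RT_RCDATA and ids[1] in WATCHLIST]

def _directory(entries):
    """Build one resource directory (ID entries only) for the constructed sample."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(entries))
    return header + b"".join(struct.pack("<II", i, o) for i, o in entries)

# Constructed .rsrc section: one ordinary icon plus two RCDATA entries like PDFCrypt's.
# Offsets are laid out by hand: root at 0, subdirectories at 32/56/88/112/136, data entries at 160+.
SAMPLE_RSRC = (
    _directory([(3, SUBDIR | 32), (RT_RCDATA, SUBDIR | 56)])      # root: RT_ICON, RT_RCDATA
    + _directory([(1, SUBDIR | 88)])                               # icon name 1
    + _directory([(0x2AF8, SUBDIR | 112), (0x6A, SUBDIR | 136)])   # RCDATA names
    + _directory([(0x409, 160)]) + _directory([(0x409, 176)]) + _directory([(0x409, 192)])
    + struct.pack("<IIII", 0x3000, 744, 0, 0)                      # icon data entry
    + struct.pack("<IIII", 0x3400, 51200, 0, 0)                    # aPLib-packed original file
    + struct.pack("<IIII", 0xF900, 12288, 0, 0)                    # 32-bit aplib.dll
)

if __name__ == "__main__":
    for rid, label, size in suspicious_entries(SAMPLE_RSRC):
        print(f"RCDATA {rid:#06x} ({label}): {size} bytes")
```

On a real sample, pass the bytes of the .rsrc section (its raw data, not the whole file) as rsrc; the directory offsets inside the tree are relative to that section.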

The miniresources.dll file hosts the icons for PDF and MSI files. The icon and resource information of the original executable is reused by the infected file. Miniresources.dll builds the resource information on the infected executable.

Like Conficker, this malware can generate domains using a domain generation algorithm and uses DNS to check the status of the remote host. Once connected to a live server, the malware downloads further payloads, in our case Conficker. W32/PDFCrypt can also connect to remote control servers.

This malware is not widespread at this point. We have seen it in very few places around the world. McAfee DATs detect the dropper component. Infected PDF and exe files can be restored using the latest beta DATs and the McAfee Stinger tool.


North Korea and cyberterrorists won big in Sony hack, researcher says

It looks like the great cyber-war with North Korea has begun, at least by proxy. The entirety of North Korea was knocked off-line today by a distributed denial of service attack—not a difficult feat, considering that all of North Korea is connected to the global Internet by a single connection. And while Americans are undoubtedly carrying out the attacks, it’s doubtful that they are taking direction from the government at this point (unless you think Anonymous and Lizard Squad are directed by the National Security Agency).

It’s an interesting dichotomy, because the evidence presented thus far by the US government that North Korea is indeed responsible for the attack is extremely weak. None of the Internet Protocol addresses embedded in the malware used in the attack were in North Korea, and most of them were exploited systems that could have been (and probably were) used by any number of cybercriminals and black hat hackers. All of the IP addresses were clearly acting as proxy servers, and some were used for spam and malware distribution.

Only the similarity to other attacks that were apparently launched by North Korea, the apparent motive, and Occam's Razor suggest that the Guardians of Peace were in the employ of the Democratic People’s Republic of Korea, rather than some random group of laid-off employees or supporters of Kim Dotcom. But if what was done to Sony Pictures Entertainment was in fact North Korean directed cyber-terrorism, it was extremely effective.


Cluster of Tor servers taken down in unexplained outage

On Friday, a warning of a possible effort to hijack significant portions of the anonymizing Tor network was leaked to the Tor Project. And over the weekend, a cluster of servers in a Netherlands data center that were used as Tor “exit nodes” and as mirrors for two Tor Project services were taken offline. However, it’s not clear who took the servers down or if law enforcement was involved.

Thomas White, an operator of a large cluster of servers providing an exit point for Tor traffic in the Netherlands, reported to a Tor news list that there was suspicious activity overnight on the servers. The servers, according to DNS data, were hosted in a data center in Rotterdam.

“I have now lost control of all servers under the ISP and my account has been suspended,” White wrote late on Sunday, December 21, in his first message on the takedown. “Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.”
