Trend Micro

Just when you think old-school network bots are dead, a group of
cybercriminals revives them from them grave in the name of Chuck
Norris. Dubbed the “Chuck Norris botnet,” based on the Italian
comment in its source code, in nome di Chuck Norris
(translation: “in the name of Chuck Norris”), this botnet infects
vulnerable DSL modems and routers to
spread a worm Trend Micro detects as WORM_IRCBOT.ABJ.

This worm tries to gain access to a target router by guessing the
router’s configuration password using brute force. It may also spread
via shared networks by exploiting a known Microsoft vulnerability, MS03-039
Buffer Overrun in RPCSS Service. The worm’s routines make
users who are connected to the same network or router at risk of being
infected.

Following the
shutdown of the Mariposa botnet recently, three
alleged members of the group behind the said botnet were finally
arrested last week by the Spanish Police, although they are
still pursuing another suspect that may still be at large somewhere
in South America.

The Mariposa botnet was one of the largest botnets to date. It was
reportedly responsible for attacking millions of businesses around the
world, including Fortune 1000 companies, in a mission to steal online
banking, business, and personal information from compromised systems.

The changing threat landscape has brought about more sophisticated
Web threats, and left the online population clamoring for better
security features in the systems and applications that they use. This
has pushed Microsoft to develop security mechanisms
within its applications like Windows’ Data Execution
Protection (DEP) and Address Space Layout
Randomization (ASLR).

Both DEP and ASLR are security mechanisms that
Microsoft included in its latest Windows releases starting with XP SP2
and Vista, respectively, which should ideally protect systems from being
attacked by exploit codes. DEP prevents the
execution of code (including malicious shellcode) from certain regions
of computer memory (nonexecutable). ASLR, on the other hand,
randomizes the layout of regions (data areas) in memory to make guessing
the exact location more difficult. But what if these security
mechanisms are not so secure after all?

Within days of Adobe’s release of out-of-band
security updates for both Acrobat and Reader, word now
comes from security researcher Aviv Raff, of another new vulnerability in an Adobe
product.

The flaw was found in Adobe Download Manager (DLM),
an application Adobe uses to deliver common applications (e.g., Flash
and Reader) to users’ systems. Normally, it cannot be used to
download non-Adobe files onto users’ systems. However, according to
Raff, a vulnerability in DLM that allows third parties to
download and install files onto users’ systems, in effect, making it
vulnerable for use as a malware downloader.

It seems that a recent Windows “patch” has been the
cause of a series of blue screen crashes after users install a so-called
Microsoft security update. The said patch, MS10-015,
is said to be linked to this system malfunction, which leaves user
systems with blue-screen-of-death (BSoD) errors.

According to an
entry in the official Microsoft Blog, the distribution of
the said Windows Update has since been suspended.  However the
company also issued a statement that the cause of the BSoD error may be malware
related.

There is a new bot in town and it seems that it has set out to rival
the notorious ZBOT
botnet. Trend Micro threat researchers recently came across a
new spyware detected as TSPY_EYEBOT.A.
Certain EYEBOT behaviors cause us to believe that this
could lead to a new bot war similar to the worm wars we saw years
back between NETSKY
and MYDOOM.

EYEBOT is still just a “newbie,” but should the ZBOT
criminal minds choose to respond, there is some potential for a Bot war
to ensue.  However, at this stage, we cannot be certain what if any
response, the ZBOT criminals are likely to make. On the
other hand, both EYEBOT and ZBOT use
rootkit technology even though the former behaves more like a
“backdoor.”