Welcome to WinForumz.com!
spexta trojan installs to protected folder
shawn modersohn
(Msg. 1) Posted: Thu Mar 29, 2007 6:26 pm
Post subject: spexta trojan installs to protected folder
Archived from groups: microsoft.public.windowsxp.security_admin

Running XP SP2,

I have just seen a curious virus identified by Symantec Corporate 10.1.
The virus is called trojan.spexta and is a mass mailing worm. The
computer is locked down. Users are only given limited accounts. I am
the only user who logs in as Admin and I assure you I am careful in this
account. The issue I am having and according to the logs, is that this
particular virus somehow manages to write directly to c: and
c:\windows\system32 with a file called eventmgr.exe. I have seen this
process eat 100% of the system resources. I think that it might be
getting in through a users web mail of choice. This system is fully
patched so how is this possible? As far as I can fathom, this virus
must be using some exploit that overrides folder security.

David H. Lipman
(Msg. 2) Posted: Thu Mar 29, 2007 10:07 pm
Post subject: Re: spexta trojan installs to protected folder
Archived from groups: per prev. post

From: "shawn modersohn" <smmodersohn.DeleteThis@hotmail.com>

| Running XP SP2,
|
| I have just seen a curious virus identified by Symantec Corporate 10.1.
| The virus is called trojan.spexta and is a mass mailing worm. The
| computer is locked down. Users are only given limited accounts. I am
| the only user who logs in as Admin and I assure you I am careful in this
| account. The issue I am having and according to the logs, is that this
| particular virus somehow manages to write directly to c: and
| c:\windows\system32 with a file called eventmgr.exe. I have seen this
| process eat 100% of the system resources. I think that it might be
| getting in through a users web mail of choice. This system is fully
| patched so how is this possible? As far as I can fathom, this virus
| must be using some exploit that overrides folder security.

It is a spam Trojan and NOT a virus. It does NOT self replicate.
http://www.symantec.com/security_response/writeup.jsp?docid=2005-07101...940-99&

There are also anti-virus newsgroups for this kind of subject matter. In the Microsoft.*
hierarchy there is: news://msnews.microsoft.com/microsoft.public.security.virus

What most people fail to realize is that vulnerabilities may be exploited and there are so
many of them. Many vulnerabilities exist in buffer overflow conditions where the result is an
elevation of privileges. It is this "elevation of privileges" that people miss. That
means even on a limited account, if an exploitation is successfully accomplished, the
exploitation will be able to take advantage of the OS and install any kind of malware at its
pleasure.

Since this is a Trojan, not a virus, it requires assistance to get installed, and
exploitations are often used. It could be a simple social engineering method or a complex
PHP or HTML web page. There is a lot of software that can be exploited to install this spam
Trojan. Vulnerabilities in: Sun Java, IE, Apple QuickTime, Adobe/Macromedia Flash, etc.

What is *most* important is this is a spamming tool and the PC in question MUST be taken off
the Internet prior to it being cleaned.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

shawn modersohn
(Msg. 3) Posted: Fri Mar 30, 2007 11:03 am
Post subject: Re: spexta trojan installs to protected folder
Archived from groups: per prev. post

David H. Lipman wrote:
> From: "shawn modersohn" <smmodersohn DeleteThis @hotmail.com>
>
> | Running XP SP2,
> |
> | I have just seen a curious virus identified by Symantec Corporate 10.1.
> | The virus is called trojan.spexta and is a mass mailing worm. The
> | computer is locked down. Users are only given limited accounts. I am
> | the only user who logs in as Admin and I assure you I am careful in this
> | account. The issue I am having and according to the logs, is that this
> | particular virus somehow manages to write directly to c: and
> | c:\windows\system32 with a file called eventmgr.exe. I have seen this
> | process eat 100% of the system resources. I think that it might be
> | getting in through a users web mail of choice. This system is fully
> | patched so how is this possible? As far as I can fathom, this virus
> | must be using some exploit that overrides folder security.
>
> It is a spam Trojan and NOT a virus. It does NOT self replicate.
> http://www.symantec.com/security_response/writeup.jsp?docid=2005-07101...940-99&
>
> There are also anti-virus newsgroups for this kind of subject matter. In the Microsoft.*
> hierarchy there is: news://msnews.microsoft.com/microsoft.public.security.virus
>
> What most people fail to realize is that vulnerabilities may be exploited and there are so
> many of them. Many vulnerabilities exist in buffer overflow conditions where the result is an
> elevation of privileges. It is this "elevation of privileges" that people miss. That
> means even on a limited account, if an exploitation is successfully accomplished, the
> exploitation will be able to take advantage of the OS and install any kind of malware at its
> pleasure.
>
> Since this is a Trojan, not a virus, it requires assistance to get installed, and
> exploitations are often used. It could be a simple social engineering method or a complex
> PHP or HTML web page. There is a lot of software that can be exploited to install this spam
> Trojan. Vulnerabilities in: Sun Java, IE, Apple QuickTime, Adobe/Macromedia Flash, etc.
>
> What is *most* important is this is a spamming tool and the PC in question MUST be taken off
> the Internet prior to it being cleaned.
>
>

Thanks for your input and echoing my suspicions. Also a good point that
the exploit might not be solely Windows' fault. As you mentioned in
your examples, this exploit could be manipulated through any number of
software packages: Adobe Reader, Flash, QuickTime, etc. At least on
the desktop level, I still maintain that it is the operating system's
responsibility to protect system files and folders from writing despite
any flaw in any said software. Doesn't this mean there is a patch that
windowsupdate.com owes us?
David H. Lipman
(Msg. 4) Posted: Fri Mar 30, 2007 4:17 pm
Post subject: Re: spexta trojan installs to protected folder
Archived from groups: per prev. post

From: "shawn modersohn" <smmodersohn RemoveThis @hotmail.com>

| Thanks for your input and echoing my suspicions. Also a good point that
| the exploit might not be solely Windows' fault. As you mentioned in
| your examples, this exploit could be manipulated through any number of
| software packages: Adobe Reader, Flash, QuickTime, etc. At least on
| the desktop level, I still maintain that it is the operating system's
| responsibility to protect system files and folders from writing despite
| any flaw in any said software. Doesn't this mean there is a patch that
| windowsupdate.com owes us?

What was the point of exploitation?

Use the Secunia Software Inspector to find any/all known vulnerabilities.
http://secunia.com/software_inspector

Then you can mitigate the threats.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
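Dave's point in Msg 2 (code that gets in through a limited session runs with whatever privilege the exploited process already has, and a privilege-escalation bug takes it the rest of the way) and his question in Msg 4 ("What was the point of exploitation?") can both be narrowed down from evidence that is already on the disk: who owns the dropped file, whether the folder ACL let a limited user write there in the first place, and whether the persistence lives in a per-user or a machine-wide location. The triage script below is an added example written for this thread, not code from any of the posters. It assumes PowerShell is installed on the XP SP2 machine (a separate download for XP at the time) and is run from the Admin account. The file name and folders are the ones named in Msg 1; the group names and Run keys it checks are my assumptions about where to look, not documented behaviour of this particular Trojan.

```powershell
# Added triage example for the thread above; not from the original posts.
# Assumes PowerShell on XP SP2, run as Admin. Folders and file name from Msg 1.
# Group list and Run-key locations are assumptions about where to look.

$protectedDirs = @('C:\', 'C:\Windows\system32')
$suspectName   = 'eventmgr.exe'
$lowPrivGroups = @('BUILTIN\Users', 'Everyone',
                   'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# 1. Could a limited account have written into these folders without any exploit?
#    Any Allow ACE for a low-privilege group that carries a write-type right is reported.
foreach ($dir in $protectedDirs) {
    $acl = Get-Acl -Path $dir
    foreach ($ace in $acl.Access) {
        $rights      = $ace.FileSystemRights.ToString()
        $grantsWrite = ($rights -match 'Write|Modify|FullControl|CreateFiles|AppendData')
        $lowPriv     = ($lowPrivGroups -contains $ace.IdentityReference.Value)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and $lowPriv) {
            Write-Output ("WEAK ACL  {0}: {1} has {2}" -f $dir, $ace.IdentityReference.Value, $rights)
        }
    }
}

# 2. Who created the dropped file? NTFS records the creating account as the owner,
#    so a limited-user owner and a SYSTEM/Administrators owner tell different stories.
foreach ($dir in $protectedDirs) {
    $path = Join-Path $dir $suspectName
    if (Test-Path $path) {
        $item  = Get-Item $path -Force
        $owner = (Get-Acl $path).Owner
        Write-Output ("FOUND {0}  owner={1}  created={2}  size={3}" -f `
                      $path, $owner, $item.CreationTime, $item.Length)
    }
}

# 3. Is it running now, and under which account? (Msg 1 saw it pegging the CPU.)
Get-Process -Name 'eventmgr' -ErrorAction SilentlyContinue | ForEach-Object {
    $o = (Get-WmiObject Win32_Process -Filter "ProcessId=$($_.Id)").GetOwner()
    Write-Output ("RUNNING pid={0} path={1} user={2}\{3}" -f $_.Id, $_.Path, $o.Domain, $o.User)
}

# 4. Persistence: an HKLM Run entry needs admin rights to create, an HKCU one does not.
#    Checking only the two ordinary Run keys is an assumption, not a trait of this Trojan.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'eventmgr') {
                Write-Output ("AUTORUN {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
            }
        }
    }
}
```

Reading the output: a WEAK ACL line means a limited user could have dropped the file directly and no exploit was needed (the stock XP ACLs on the drive root are not as tight as many people assume, so check rather than guess). A FOUND line whose owner is a limited account points the same way. An owner of SYSTEM or BUILTIN\Administrators means something that was already running with high privilege wrote it: a service, a process that was exploited and escalated, or the Admin session itself, which is exactly the elevation-of-privilege case Dave describes. An AUTORUN hit under HKLM likewise implies admin rights at install time, while HKCU does not. Per Msg 2, run this on a machine that has already been unplugged from the network.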
Ian61
(Msg. 5) Posted: Sun Apr 01, 2007 1:18 pm
Post subject: Re: spexta trojan installs to protected folder
Archived from groups: per prev. post

"shawn modersohn" wrote:

> I still maintain that it is the operating system's
> responsibility to protect system files and folders from writing despite
> any flaw in any said software.

Should it do so even when the user has TOLD it to go ahead and install the
software, though? That is the question.

It's very easy to craft an Internet Explorer window that looks like a
message from Adobe or Real to the effect that your player needs updating...
only it does nothing of the sort, but installs a Trojan instead. I think it's
reasonable to assume that Vista's user-elevation mechanism offers no
protection in such cases either, because the user will be _expecting_ to see
an admin-access prompt, and will respond Yes.

IMHO it would be better if these products didn't pop automatic-update
prompts; if they instead simply stated that they need updating to show this
particular content, that would be much more secure.

It's also true that a lot of websites create unnecessary problems by
including Flash/Real/Acrobat code that triggers an auto-update prompt even
when the user's player is adequate for the content, so users are constantly
pestered by update-requests for no good reason, and the habit of hitting
Yes...Yes... Yes... -without looking or thinking- gets ingrained as a result.
Again it would be much better from a security point of view if this practice
was avoided.