

Published Friday 20th August 2004 15:26 GMT

A Download.Ject-style worm which spreads through instant messages is spreading across the Net, according to intrusion prevention firm PivX. The as-yet unnamed worm arrives as an innocuous-looking instant message on AIM or ICQ which says: "My personal home page ". This link takes users to one of a number of sites hosted in Uruguay, Russia and the US, from which a Trojan horse program is downloaded. These websites contain exploit code designed to infect surfers by taking advantage of a variety of well-known IE exploits (such as Object Data, Ibiza CHM and MHTML Redirect).

Infection will modify a user's home page to a site called TargetSearch. The settings of an infected user's browser will also be changed to open several browser windows displaying adult advertisements and referral links every time IE is loaded, according to preliminary analysis of the worm. The scope of the worm's spread is unclear, but early analysis hasn't revealed any of the key-logging features that made the original Download.Ject worm such a menace. PivX Labs has notified anti-virus vendors so that they can create signatures to defend against the latest threat, which is nowhere near as serious as the original Download.Ject worm.

On 24 June many websites running IIS 5 were infected with malicious JavaScript code called Download.Ject. Websites running the latest versions of Microsoft IIS were unaffected. Users visiting a website contaminated with Download.Ject activated a script that downloaded a Trojan horse (called Berbew) from a website in Russia. Acting with law enforcement authorities, Microsoft was able to rapidly shut down the Russian website, but the affair still highlighted security concerns with IE. Security clearing house US-CERT took the extraordinary step of advising users to ditch IE in favour of alternative browsers. Microsoft has since fixed the underlying flaw that Download.Ject exploited.

Anti-virus experts are watching a new worm that spreads through Microsoft Corp.'s MSN Messenger client. The worm is not harmful to infected machines and has infected only a few PCs at this point, according to an analysis by Trend Micro Inc.

Anti-virus software vendor F-Secure is warning of a piece of malware by the name of Morto, which spreads using Windows' Remote Desktop Server (RDP server). It does not exploit a Windows security vulnerability; instead, it scans IP address ranges for RDP port 3389 and then tries to log in as an administrator to any computers which respond, using a list of common passwords. Because it guesses credentials rather than exploiting a flaw, fully patched systems are just as exposed as unpatched ones. The worm primarily infects Windows servers, where RDP is frequently activated and accessible via the web to allow remote maintenance. On non-server versions of Windows, the RDP server is only included in higher-priced editions (Professional and up, under Windows 7) and is deactivated by default. In such a case the port is only accessible from the web if port forwarding has been specifically set up for this port on the router; if port forwarding is not set up, a system will only be accessible from other infected computers on the network.

To infiltrate a system permanently, the worm creates an A:\ drive, which can then be addressed as a network share via RDP. It then saves a file, a.dll, to the network share; this file then initiates the infection. The worm then goes on to create more files, including \windows\system32\sens32.dll and \windows\offline web pages\cache.txt. Once installed on a newly infected computer, the worm sets about spreading further, as a result of which the Internet Storm Center has observed a huge spike in RDP port traffic. The malware is also able to perform standard bot functions: it contacts a series of domains to obtain new commands and components.

Morto was first spotted in the middle of last week. Microsoft's Technet forum saw a cluster of reports of fully patched systems generating unusually high levels of traffic on port 3389. At that point, Morto was not yet detected by any anti-virus software packages. Morto is now detected by Microsoft and F-Secure products, with other major vendors likely to follow suit. Microsoft has published a detailed analysis of Morto.
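The Morto description above boils down to two network behaviours an operator can look for in logs: repeated failed RDP logons against an administrative account from one source address (the common-password guessing), and a single host opening connections to port 3389 on many different addresses (an infected machine scanning IP ranges, which is what produced the traffic spike the Internet Storm Center observed). The Python script below is an added example, not code from the article or from any vendor's analysis, and runs both checks over constructed log lines. The text layout of the log lines, the thresholds, the time window and the list of administrative account names are assumptions made for the example; the Windows event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. a Remote Desktop session) are the real identifiers such a detection would key on.

```python
"""
Detect the two network behaviours attributed to Morto from log lines:
 1. RDP password guessing: many failed logons (Windows Security event 4625,
    logon type 10 = RemoteInteractive) for an administrative account from one
    source address inside a short window, optionally followed by a success.
 2. Outbound RDP fan-out: one host connecting to tcp/3389 on many distinct
    destinations, i.e. an infected machine scanning address ranges.
Both log formats below are constructed for this example (assumption), not
real product output; adapt the two regexes to whatever your exports look like.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_PORT = 3389
REMOTE_INTERACTIVE = 10          # Windows logon type used by Remote Desktop sessions
EVENT_LOGON_FAILED = 4625
EVENT_LOGON_OK = 4624
ADMIN_ACCOUNTS = {"administrator", "admin"}   # assumption: accounts worth alerting on

# Constructed sample of a flattened Windows Security log export (assumption).
SECURITY_LOG = """\
2011-08-28T10:00:01 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:00:03 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:00:04 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:00:06 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:00:08 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:00:09 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:00:11 EventID=4624 LogonType=10 Account=Administrator Source=203.0.113.45
2011-08-28T10:04:00 EventID=4625 LogonType=10 Account=jsmith Source=192.0.2.10
2011-08-28T10:04:30 EventID=4625 LogonType=2 Account=Administrator Source=127.0.0.1
2011-08-28T10:05:00 EventID=4625 LogonType=10 Account=Administrator Source=192.0.2.77
"""

# Constructed sample of a firewall connection log (assumption): one internal host
# fans out to twelve addresses on 3389, one admin makes a single legitimate RDP
# connection, and one unrelated HTTPS connection is included as noise.
FIREWALL_LOG = "\n".join(
    [f"2011-08-28T10:1{i // 10}:{i % 10:02d} ALLOW TCP 10.0.0.5:{49200 + i} -> 198.51.100.{i + 1}:3389"
     for i in range(12)]
    + ["2011-08-28T10:20:00 ALLOW TCP 10.0.0.2:50001 -> 10.0.0.9:3389",
       "2011-08-28T10:21:00 ALLOW TCP 10.0.0.5:50002 -> 198.51.100.50:443"]
)

SEC_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
                    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_security_log(text):
    """Parse the constructed security-log format into sorted event dicts."""
    events = []
    for line in text.splitlines():
        m = SEC_RE.match(line.strip())
        if not m:
            continue                      # blank or malformed line: skip, don't crash
        events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                       "ltype": int(m["ltype"]), "acct": m["acct"].lower(), "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: {"failures": n, "logged_in": bool}} for sources whose failed
    Remote Desktop logons against an admin account reach `threshold` inside `window`.
    `logged_in` flips to True if the same source later succeeds (password was in the list)."""
    recent = defaultdict(deque)           # src -> failure timestamps still inside the window
    total = defaultdict(int)              # src -> all failures seen so far
    hits = {}
    for e in events:
        if e["ltype"] != REMOTE_INTERACTIVE or e["acct"] not in ADMIN_ACCOUNTS:
            continue                      # console logons and ordinary users are out of scope
        src = e["src"]
        if e["eid"] == EVENT_LOGON_FAILED:
            total[src] += 1
            q = recent[src]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold or src in hits:
                hit = hits.setdefault(src, {"failures": 0, "logged_in": False})
                hit["failures"] = total[src]
        elif e["eid"] == EVENT_LOGON_OK and src in hits:
            hits[src]["logged_in"] = True  # success after a guessing burst: treat as compromise
    return hits


def parse_firewall_log(text):
    """Parse the constructed firewall format into connection dicts."""
    conns = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            conns.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                          "dst": m["dst"], "dport": int(m["dport"])})
    return conns


def detect_rdp_fanout(conns, threshold=8):
    """Return {source_ip: distinct_destinations} for hosts that reached (or tried to
    reach) tcp/3389 on at least `threshold` distinct addresses: the scanning signature."""
    targets = defaultdict(set)
    for c in conns:
        if c["dport"] == RDP_PORT:
            targets[c["src"]].add(c["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, info in detect_rdp_guessing(parse_security_log(SECURITY_LOG)).items():
        state = "and then LOGGED IN" if info["logged_in"] else "so far without success"
        print(f"RDP password guessing from {src}: {info['failures']} failures, {state}")
    for src, n in detect_rdp_fanout(parse_firewall_log(FIREWALL_LOG)).items():
        print(f"Outbound RDP fan-out from {src}: {n} distinct hosts on tcp/{RDP_PORT}")
```

Run the file directly to print both findings. Tune `threshold` and `window` to the site's normal administrative activity, and remember that the fan-out check works on any firewall or flow export once the parser is adapted, since it only needs source, destination and destination port; a host that trips it is the one to pull off the network, because by the article's account it is already infected and spreading.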
