Wednesday, March 31, 2010

FW: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

-------------------------------------------
From: Jamz Yaneza (RD-US)
Sent: Wednesday, March 31, 2010 4:56:12 PM
To: Paul Ferguson (RD-US); Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture
Auto forwarded by a Rule

Looks like we have all but 2 of these.
4 are already in pattern,
another 4 pending detection.

Here's the SMS report just now:
35f5478e190cc6614a6a5d4f1f380855 Undetected
663267d3ed4af3582ea57ba03fb0da92 Undetected
18bc32bb8a8d5a85cdafad5a4ecc4c73 SPYW_PERFLOG
7231b6c5ca6addd905db7677200833e2 Undetected
80ee23ede41504b1a83654334148306f No Sample
994ffae187f4e567c6efee378af66ad0 SPYW_PERFECT.AN
5e289e10a2f3fe6b3080825f5dbf588f Undetected
bae0fb25bcf05a5da7fde8dce759ee0d SPYW_PERFECT.AS
4cf8307cac714fe4f2cbc5d46f5cf243 SPYW_PCSPYKEYLOG
3f4ad41f10ec18a7f27f2339ee500dda No Sample


Cheers,
Jamz

From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 11:35 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

Second correction:

We also detect: bae0fb25bcf05a5da7fde8dce759ee0d

Trend Micro          SPYW_PERFECT.AS
Trend Micro (Cons.)  SPYW_PERFECT.AS
Trend Micro (CPR)    SPYW_PERFECT.AS

Trend Micro          lpt961.zip     2010-03-31  03:00
Trend Micro (Cons.)  cvsapi959.zip  2010-03-30  03:15
Trend Micro (CPR)    lpt960.zip     2010-03-30  22:45


I think that's it, though.

FYI,

-ferg


From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 11:22 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

Correction:

We already detect: 18bc32bb8a8d5a85cdafad5a4ecc4c73

...as:

Trend Micro          TSPY_Keylog
Trend Micro (Cons.)  TSPY_Keylog
Trend Micro (CPR)    TSPY_Keylog

Trend Micro          lpt961.zip     2010-03-31  03:00
Trend Micro (Cons.)  cvsapi959.zip  2010-03-30  03:15
Trend Micro (CPR)    lpt960.zip     2010-03-30  22:45

-ferg


From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 11:19 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

Unfortunately, this is very bad - we detect nothing, even though some have been out there for over a year:

35f5478e190cc6614a6a5d4f1f380855  Undetected
663267d3ed4af3582ea57ba03fb0da92  Undetected
18bc32bb8a8d5a85cdafad5a4ecc4c73  Undetected
7231b6c5ca6addd905db7677200833e2  Undetected
80ee23ede41504b1a83654334148306f  Cannot Obtain Sample
994ffae187f4e567c6efee378af66ad0  Undetected
5e289e10a2f3fe6b3080825f5dbf588f  Undetected
bae0fb25bcf05a5da7fde8dce759ee0d  Undetected
4cf8307cac714fe4f2cbc5d46f5cf243  Undetected
3f4ad41f10ec18a7f27f2339ee500dda  Cannot Obtain Sample

I am forwarding all obtained samples to AV_Query for processing now, and also trying to obtain the missing samples.

-ferg

From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 10:51 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

Checking...

-ferg

--
"Fergie", a.k.a. Paul Ferguson
 Threat Research,
 CoreTech Engineering
 Trend Micro, Inc., Cupertino, California USA

From: Juan Castro (SAL-LA)
Sent: Tuesday, March 30, 2010 10:48 PM
To: Newsbank
Subject: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

Hi All,

Do we have detections for the binaries mentioned in the Visa security alert?

http://usa.visa.com/download/merchants/key-logger-key-stroke-and-screen-capture.pdf?Mar292010

Filename       Size       MD5
bpkhk.dll      489,984    35f5478e190cc6614a6a5d4f1f380855
bpk.exe        1,090,560  663267d3ed4af3582ea57ba03fb0da92
bpk.exe        401,408    18bc32bb8a8d5a85cdafad5a4ecc4c73
bpkr.exe       747,520    7231b6c5ca6addd905db7677200833e2
fstsmtp.exe    1,560,661  80ee23ede41504b1a83654334148306f
xxx.exe        Unknown    994ffae187f4e567c6efee378af66ad0
SMTPListener   Unknown    5e289e10a2f3fe6b3080825f5dbf588f
dll32.exe      438,272    bae0fb25bcf05a5da7fde8dce759ee0d
ToolKeylogger  2,007,040  4cf8307cac714fe4f2cbc5d46f5cf243
ToolKeylogger  6,432      3f4ad41f10ec18a7f27f2339ee500dda

Regards

Juan


 
Juan Pablo Castro | xSP, Latin America Region
Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico
Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437
