Comments on Security Stories: The Scent of 1995
Blog author: UMACF24 (http://www.blogger.com/profile/02445329596237305760)
Comment feed last updated: 2013-04-16T17:43:29.735+00:00

Comment by TNT (https://www.blogger.com/profile/01252544602185283227), 2006-07-27T23:36:00.000+00:00:

What it would have installed. A trojan downloader, which in turn would have downloaded a dropper and installed a rootkit. By the way, I "discovered" these trojans about 5 weeks ago; they were run (or attempted to be) by several exploits on many web pages. And undetected by *ALL* the AV engines.

Three variants started getting detected when I manually submitted them to the AVs. Some had a fast inclusion response (Kaspersky, Ewido, BOClean), some decent (ClamAV), some godawful (F-Prot).

These trojans are loaded through a (very well done, I must say) javascript obfuscation which routinely loaded a "randomized" location on another remote site. The initial site was gromozon.com, now it's xearl.com. The javascript is on gbeb.cc.

These are all part of the notorious CWS crime ring.

Comment by TNT (https://www.blogger.com/profile/01252544602185283227), 2006-07-27T23:40:00.000+00:00:

Oh, and by the way, new variants are out, and ONCE AGAIN, they are currently undetected by *ALL* the antivirus engines (at least the ones on virustotal.com).