Confirmed Security News 2012, Week 11

=> Citadel: the configuration file. 12/03/2012. «We recently took an interest in the latest arrival in the world of banking malware: Citadel. The release of the Zeus malware source code made it possible to build new banking malware, and Citadel is one of them (…).»
Source:
Related posts:
12/03/2012. Citadel: configuration file:

=> Manual for ZeuS & SpyEye trojan. 12/03/2012. «Manual for ZeuS & SpyEye trojan (…).»
Source: !/bartblaze/statuses/179550924333785088

=> Microsoft’s Guidance on CVE-2012-0002. 14/03/2012. «First: Microsoft’s Remote Desktop Protocol is disabled on Windows by default. So most computers are unaffected by issues highlighted as a result of the month’s ‘Patch Tuesday’. However: If you administer RDP enabled workstations — then you probably should read Microsoft’s Security Research & Defense post about CVE-2012-0002 (…).» From ‘Patch Tuesday’, I have singled out this part, which got people talking quite a bit.
Source:
Related posts:
13/03/2012. CVE-2012-0002: A closer look at MS12-020’s critical issue:
13/03/2012. MS12-020 BinaryDiff:
13/03/2012. Microsoft Security Bulletin MS12-020 – Critical:
13/03/2012. Patch Tuesday March 2012 – Remote Desktop Pre-Auth Ring0 Use-After-Free RCE!:
14/03/2012. RDP+RCE=Bad News (MS12-020):
15/03/2012. The Race for MS12-020:
15/03/2012. Hackers Offer Bounty for Windows RDP Exploit:
16/03/2012. MS12-020 RDP Code Leak Mystery Deepens As Microsoft Remains Silent:
16/03/2012. Another MS12-020 DOS PoC smaller than «chinese shit»: !/2gg/statuses/180586278725750785
16/03/2012. MS12-020 RDP Exploit Found, Researchers Say Code May Have Leaked From Security Vendor:
16/03/2012. Proof-of-concept RDP vulnerability code discovered. Patch Windows now:
16/03/2012. Update to this Month’s Patch Tuesday Post on MS12-020/CVE-2012-0002:
17/03/2012. Windows RDP flaw – MS12-020:
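The quoted guidance boils down to one question for an administrator: which of my Windows hosts actually expose RDP, and are they patched? The script below is an added example for this digest, not code from Microsoft or from any of the linked posts. It reads the registry keys that control RDP (fDenyTSConnections, the listening port and the Network Level Authentication flag) and checks for the two updates shipped under MS12-020. The KB numbers (KB2621440 for CVE-2012-0002, KB2667402 for the companion DoS fix) and the interpretation of UserAuthentication as "NLA required" are the assumptions this example makes.

```powershell
# Added example (not from the original digest): report the RDP exposure of this host.
# Run in an elevated PowerShell session on the Windows machine to be checked.
# Assumptions: MS12-020 shipped as KB2621440 (CVE-2012-0002) and KB2667402 (CVE-2012-0152).

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections: 1 = RDP connections refused (the Windows default), 0 = RDP enabled
$deny       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# UserAuthentication: 1 = Network Level Authentication required, so a client must
# authenticate before reaching the pre-authentication code path that CVE-2012-0002 hits
$ua          = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
$nlaRequired = ($ua -eq 1)

# Is anything actually listening on the RDP port? (3389 unless PortNumber was changed)
$port      = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$listening = [bool](netstat -ano | Select-String ":$port\s+.*LISTENING")

# Are the MS12-020 updates installed? Get-HotFix returns nothing for missing KBs.
$fixes = Get-HotFix -Id KB2621440, KB2667402 -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty HotFixID

# Summarise; "Exposed" is true when RDP is reachable and the critical fix is absent.
New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    RdpPort      = $port
    Listening    = $listening
    NlaRequired  = $nlaRequired
    MS12020Fixes = ($fixes -join ',')
    Exposed      = ($rdpEnabled -and $listening -and ($fixes -notcontains 'KB2621440'))
}
```

On a fleet, wrap the block in Invoke-Command against the workstation list and filter on Exposed; hosts with RdpEnabled true but NlaRequired false deserve attention even once patched, since NLA is the mitigation the Microsoft post recommends where the update cannot be applied immediately.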

=> 64-Bit System Driver Infected and Signed After UAC Bypassed. 14/03/2012. «What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor.Hackersdoor and its newer variant Backdoor.Conpee (…).»
Source:

=> Mediyes – the dropper with a valid signature. 15/03/2012. «In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Win64.Mediyes respectively (…).»
Source:
Related posts:
15/03/2012. Trojan Dropper Uses Valid Certificate Issued For Swiss Company:

=> It’s not the end of the world: DarkComet misses by a mile. 16/03/2012. «This blog post is the fourth installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families. Previous subjects have included Armageddon, Khan (now believed to be a very close “cousin” of Dirt Jumper version 5), and PonyDOS. Today we’ll be diving deep into the details of the DarkComet RAT’s crypto (…).»
Source:
Related posts:
13/03/2012. Reversing the DarkComet RAT’s crypto – 3/13/2012:
16/03/2012. DarkComet Analysis – Understanding the Trojan used in Syrian Uprising:

=> A unique ‘fileless’ bot attacks news site visitors. 16/03/2012. «In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive (…).»
Source:

Published by

Digital lame duck; just interested, just passionate.