Bagle.IB includes rootkit functions. These functions allow it to hide files, Windows registry entries or processes. In order to go unnoticed on the compromised system, it tries to disable no fewer than 495 different processes, all of them related to security solutions such as antivirus programs and firewalls.

Bagle.HZ uses almost exactly the same system as the IB variant, but disables a total of 525 processes.

Both variants of Bagle use a file called M_HOOK.SYS, which is in fact the rootkit component. Thanks to this component, the Bagle processes remain hidden from searches carried out on the system.

This technique used by rootkits represents a serious problem, as the hidden processes could be performing dangerous actions such as capturing passwords or stealing user data, without symptoms that can be detected by certain security tools.

Finally, we look at the code created specifically to exploit the "createTextRange()" vulnerability in Internet Explorer running on Windows 2003/XP/2000/Me/98.

Due to this vulnerability, if Internet Explorer tries to display a web page containing an unexpected "createTextRange()" method call on HTML objects, system memory can be corrupted, allowing arbitrary code to be run on the vulnerable computer.

A TextRange object represents text in an HTML document and is used to recover and modify text, to find specific text strings and to run commands that affect the appearance of the text.

To exploit this vulnerability, hackers host malicious code on a web page and then try to convince users to visit it. It can also be exploited by sending messages with links to a malicious web page.