Zyxel Threat Intelligence (Release Date: 2022-03-01)

zyxel_Lin

ZyWALLs latest virus/malware signature update protects you against more malware and threats. See how ZyWALL defends against these threats.

Part 1 – Virus/Malware Spotlight

Part 2 – Intrusion Detection Highlight

Part 3 – Application Patrol Highlight

This article focuses on TeslaCrypt. Part 2 and 3 will be included in the March Monthly Threat Report covering Intrusion Detection and Application Patrol update. You can view more about their details, history, and signature information in Zyxel Encyclopedia.
]

Part 1 Virus/Malware Spotlight
(Number of updated Virus/Malware signatures:51,126)

Zyxel keeps malware detection up-to-date. Currently, Zyxel detects and removes the threats including  Gen.Variant.TeslaCrypt and  Backdoor/Aimbot.

Name: Gen.Variant.TeslaCrypt

What is TeslaCrypt?

TeslaCrypt ransomware is a copycat of the CryptoLocker, encrypting files with the AES-256 encryption algorithm. Unlike other types of ransomware, TeslaCrypt has a special focus on popular games like Minecraft, World of Warcraft, and Steam. Demands for a ransom of $250 to $1000 to get the decryption key to access the affected files.

How it works

TeslaCrypt ransomware uses website drive-by download and e-mail to transmit. When a victim is infected, the pop-up window shows the warning indicating the computer’s files have been encrypted. They are provided with several methods to access the TeslaCrypt website with instructions on how to pay the ransom. They often require the payment in bitcoin because it is less traceable than other form of payments.

How can I protect myself?

Individuals and small businesses should create copies of all your important files on a regular basis, update your software and firmware to the latest version especially with web browsers and their plugins.

Name: Backdoor/Aimbot

Backdoor/Aimbot is a backdoor that exploits Kazaa sharing and mIRC propagation. The "Aimbot" spreads to users' computers that have been infected with backdoors. Create a shared folder under Kazaa, naming as same as common software to deceive others to download it.

Connect to the specified IRC server and follow hacker commands to upload or download specific files. Additionally, it terminates some of the processes in anti-virus software and conduct DoS attacks on specified targets, etc.

Search for characters related to “online banking” and “online payment” in the browser window. Once found, it starts recording keystrokes and stealing user’s account passwords. Prohibits users from conducting online transactions through legitimate accounts.

Part 2 Intrusion Detection 
(Updated: 2/Cover Total: 5510)

Highlight

CVE-2003-0715  CRITICAL

Microsoft RPCSS DCERPC DCOM Object Activation Packet Length Heap Corruption Vulnerability

Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. (Source: NIST)

Wordpress Massimo Theme Full Path Disclosure Vulnerability

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path. From PHP error messages information, the attacker may learn the file system structure from the web server. The attackers may abuse the knowledge to conduct further attacks.

Part 3 Application Patrol
(Added Application:12/ All Application: 3854)

To make your life easier in managing your licenses for your devices, the Marketplace has been opened to buy licenses conveniently and securely.

These are the three major benefits for you as a customer when using the Marketplace:

•Get immediate license renewal

•Avoid incorrect license(s) purchased with our filtered product listing

•Review your device and license status online