NEWS FROM THE LAB - Wednesday, April 21, 2010

Finding Remote Vulnerabilities in a Trojan

Posted by Mikko @ 10:40 GMT

Many of our readers are familiar with Poison Ivy, a Remote Access Trojan that is often used in various attacks — especially in targeted espionage attacks. More information on such RAT applications can be found in this blog post.

Poison Ivy RAT is developed by a Swedish coder called "Shapeless".


Now, we just learned about a new research paper by Andrzej Dereszowski of Signal11.


Andrzej was investigating a targeted attack case and discovered that Poison Ivy was used to steal data from the target. This got him thinking about the fact that lots of researchers do fuzzing and try to find vulnerabilities in Internet Explorer or Adobe PDF Reader — why not try to find vulnerabilities in Poison Ivy?

And then he did exactly this, uncovering a remote code execution vulnerability in Poison Ivy, making it possible for the victim to attack back at his attacker.


Nice work!

The full paper is available here.