Fri, 24 Apr 09
HAMLET. "Something is rotten in the state of Malware"
http://pandalabs.pandasecurity.com/archive/HAMLET.-_2200_Something-is-rotten-in-the-state-of-Malware_2200_.aspx
Written on behalf of José Julio Ruiz de Loizaga.
Today being the birthday of William Shakespeare, I felt the urge to write this post. When reversing files, one is prepared to find anything - well, almost anything. I was analyzing a dll and was surprised to find passages from Hamlet. At first I thought "My God, a trojan that promotes literacy, how odd." My surprise increased when the next files, two additional dlls, also contained fragments of The Bard's prose.
First dll.
It was clear that these three files were related. There were two possibilities: either the malware author was a fan of sixteenth-century Renaissance literature, or the text was being used to make detection more difficult.
This method has been seen before in phishing emails. Anti-phishing engines look for keywords in the body of a message, and the hits are weighted against the length of the message: a keyword carries more weight the more often it appears in a short message. That is why it is not unusual to find phishing emails padded with literary text rendered in white, so that it is invisible to the reader. The recipient does not see the extra words, but the anti-phishing engine counts them, and the padding dilutes the keyword score.
Second dll.
This technique isn't exactly the same, but it has the same goal: to trick the antivirus. In this case, the signature-based engine is the target. The additional text is inserted to change the file's signature and thereby avoid detection. The truth is that this is an interesting and educational way of doing so.
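The keyword-weighting logic described above for phishing filters, and the way invisible padding dilutes it, as an added Python example that is not PandaLabs' code or any real engine: it scores a constructed e-mail body with and without white-on-white padding, and shows the counter-measure of scoring only the text the recipient can see. The keyword list, the sample text and the white-colour heuristic are all assumptions.

```python
import re
from html.parser import HTMLParser

# Hypothetical keyword list; a real anti-phishing engine would use a much larger one.
KEYWORDS = frozenset(("account", "verify", "password", "suspended", "login"))
VOID_TAGS = frozenset(("br", "img", "hr", "input", "meta", "link"))


def keyword_density(text, keywords=KEYWORDS):
    """Keyword hits divided by word count: the weighting the post describes, where a hit
    counts for more in a short message. Padding raises the word count and lowers it."""
    words = re.findall(r"[a-z']+", text.lower())
    if not words:
        return 0.0
    return sum(1 for w in words if w in keywords) / len(words)


def all_text(html):
    """Naive engine input: every text node, including text the recipient cannot see."""
    return re.sub(r"<[^>]+>", " ", html)


class VisibleTextExtractor(HTMLParser):
    """Collects only text the recipient would see, dropping anything inside an element
    styled white, display:none or visibility:hidden (a deliberately simple heuristic:
    it does not evaluate stylesheets or background colours)."""
    HIDDEN_STYLE = re.compile(
        r"color\s*:\s*(#fff(fff)?|white)\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
    WHITE = frozenset(("white", "#fff", "#ffffff"))

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.hidden_depth = 0  # > 0 while inside a hidden element
        self.stack = []        # one flag per open tag: was it hidden?

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return  # never closed, so not tracked on the stack
        a = {k: (v or "") for k, v in attrs}
        hidden = (bool(self.HIDDEN_STYLE.search(a.get("style", "")))
                  or a.get("color", "").lower() in self.WHITE)
        self.stack.append(hidden)
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden_depth -= 1

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.chunks.append(data)


def visible_text(html):
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def score_both_ways(html):
    """(naive_density, visible_only_density) for one message body."""
    return keyword_density(all_text(html)), keyword_density(visible_text(html))


# Constructed sample: a short lure, then the same lure padded with invisible Hamlet.
PHISH = "<p>Your account has been suspended. Please verify your password at the login page.</p>"
PADDING = ('<p style="color:#ffffff">To be, or not to be, that is the question: whether tis nobler '
           'in the mind to suffer the slings and arrows of outrageous fortune, or to take arms '
           'against a sea of troubles and by opposing end them.</p>')
PADDED = PHISH + PADDING

if __name__ == "__main__":
    for label, body in (("plain", PHISH), ("padded", PADDED)):
        naive, visible = score_both_ways(body)
        print(f"{label:6s} naive={naive:.3f} visible-only={visible:.3f}")
```

The naive score of the padded message drops to roughly a quarter of the plain one, while the visible-only score is unchanged.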
Third dll.
P.S., I would have personally chosen "100 Years of Solitude", but well, "Hamlet" is not bad either.
Fri, 24 Apr 09
New Blackhat SEO attack exploits vulnerabilities in Wordpress to distribute rogue antivirus software
http://pandalabs.pandasecurity.com/archive/New-Blackhat-SEO-attack-exploits-vulnerabilities-in-Wordpress-to-distribute-rogue-antivirus-software.aspx
Over the past week we have seen a new Blackhat SEO technique emerge to exploit vulnerabilities in the popular Wordpress blog software. Two of the sites we identified were TheWorkBuzz.com, a website owned and operated by Career Builder (CareerBuilder.com), and The Center for International Media Assistance, an initiative of the National Endowment for Democracy (NED.org). Just like last week’s attack against Ford Motor, these scams work by misleading search engines to falsely promote malicious pages to the top of the search results. When a user visits one of the malicious sites, they are duped into downloading fake antivirus software.
You can check out a video demonstrating how this particular attack works below:
Both attacks involve a vulnerability in an older version of Wordpress, which allows the /wp-includes/ folder of the software to house thousands of malicious redirectors. Exact details of the specific vulnerability are not yet known, but we have contacted both site owners and the security team at Wordpress to get clarification.
In the first case involving the Center for International Media Assistance website, we uncovered over 13,330 words used in the Blackhat SEO attack. We took all the terms and threw them into a Tag Cloud generator to see how they were targeting the CIMA viewers. Here’s what we found:

Song - Appeared 1303 times
Software - Appeared 879 times
Free - Appeared 244 times
Lyrics - Appeared 210 times
Cyber-criminals have chosen rogue anti-malware as their primary way of getting paid because affiliate systems and attacks of this kind have made it easier for them to make money. It's no wonder we have seen more rogue detections in the first quarter of 2009 than in all of 2008. As you can see from the chart below, PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3.

Remember, it's just as important to update your web applications as it is to update your operating system. If you use Wordpress as the platform for your blog or website, I recommend reading the official hardening guide.
Tue, 21 Apr 09
Ransomware Reloaded
http://pandalabs.pandasecurity.com/archive/Ransomware-Reloaded.aspx
One of the latest examples of ransomware we have seen is Trj/SMSlock.A
The main aim of this malware is to make users pay a ransom to regain full use of their computer.
Until now, the ransomware functionality we had seen included encrypting certain documents or file types on the computer, or emptying the user's inbox and contact list, among others. Trj/SMSlock.A, however, locks access to the system (leaving the computer unusable) and displays a message in Russian on the screen with instructions for the user to send an SMS as ransom for their system:
Note: below is an English transcription of the message displayed on the screen.
To unlock you need to send an SMS with the text
4121800286
to the number
3649
Enter the resulting code:
Any attempt to reinstall the system may lead to loss of important information and computer damage
Fri, 17 Apr 09
New Waledac campaign
http://pandalabs.pandasecurity.com/archive/New-waledac_2700_s-campaign.aspx
Waledac family activity has increased during the last months. The malware creators have been using several social engineering techniques to spread these samples: important dates like Christmas and Valentine’s Day, important events such as the appointment of Barack Obama as president of the United States or fake news.
Currently, the technique is to offer a service that supposedly lets someone read the SMS messages received by a certain phone number. Obviously, it is a completely fake service, and one that could even be described as illegal and immoral. After the user visits the website and downloads and runs the software, the computer is infected and immediately starts hosting the infection website and the executable itself.
Visualization
Snapshot of the Waledac Network:
The main function of the Waledac family, besides its own propagation, is to send spam messages to the email accounts obtained from the infected computer. Additionally, it can carry out other malicious actions, such as downloading malware, opening ports in order to receive instructions (acting as a botnet) and stealing passwords which are then sent to remote URLs.
The following graph represents the evolution of the files detected as Waledac received in our inboxes during the last three months:
Taking into account the data regarding the first two weeks of April, there has been an increase of almost 200% comparing with February's figures.
What will be the next subject used by the malware creators to spread this worm? We'll know soon…
Thu, 16 Apr 09
Targeted Blackhat SEO Attack against Ford Motor Co. (Updated)
http://pandalabs.pandasecurity.com/archive/Targeted-Blackhat-SEO-Attack-against-Ford-Motor-Co_2E00_.aspx
Recently, we have talked about Blackhat SEO fueled Rogue Software Campaigns. Today, we have uncovered a similar campaign with over 1 Million links all targeting the Ford Motor Company.
These attacks work by misleading search engines to falsely promote malicious pages to the top of the search results. Once the user visits one of the malicious sites, they are prompted to download and install a malicious "codec", which then installs the MS AntiSpyware 2009 (softwarefortubeview.40030.exe) Rogue Security Software, which we detect as Adware/MSAntiSpyware2009.
This case is especially interesting because it’s one of the few SEO attacks that we have seen targeting a single, specific brand.
I have made a video demonstrating how the Blackhat SEO attacks work and you can see it below:
Partial List of Hijacked Search Terms:
*Update* The SEO attack is starting to switch from Ford to Nissan Motor Co.
Diagram Of A 1998 Nissan Pathfinder Blower Motor
1989 Nissan Pickup Voltage Regulator
2006 Nissan Skyline Gtr Vs 2005 Mustang Gt Cobra Youtube
Where Is The Horn Relay On A 2002 Nissan Sentra
1992 Rear Bumper Nissan Pickup Truck
17 Gold Rims Wheels Nissan Honda Ford Toyota Hyundai
Ford Dealership Car Dealership Beside Iee Nissan Wilson N.c.
We Love rocky ford kansas!
Mustang Gt Or Nissan 350z
Dash Cover Nissan Pickup
1992 Rear Bumper Nissan Pickup Truck
Bumper For 1993 Nissan Pickup
Relay Box On 1991 Nissan Pickup Truck
1997 Nissan Maxima Trunk Emblem
1993 Nissan Truck Door Panels
2007 Nissan Versa Gauges Glow
Nissan Sentra 2004 Horn Location
1994 Nissan Extended Cab Truck Seat
Pic Of 1983 Nissan Truck
1989 Nissan Pickup Truck Engine Check Light Troubleshooting
Fuel Tank Capacity On 1992 Sentra On 1992 Nissan Sentra
How To Install A 1991 Nissan Pathfinder Windshield
Auto Wheel Bearing Replace 1997 Nissan Sentra
Nissan Micra 1.3 Metallic Green
Dimensions And 1998 Nissan Pathfinder
2005 Nissan Frontier Modesto
87 Nissan Pathfinder Nuetral Starter Safety Switch
1990 Nissan Pickup 2400 Motor Recalls
Used Nissan Frontier 2006
Frontier Titan 2006
Ford Ranger
Parkway Ford
Ford Uk
Ford Finance
Mustang Ford
Evergreen Ford
Kayser Ford
Ford Anchorage
Walker Ford
2009 Ford
Rochester Ford
6 Ford Speed Transmission
Ford Scamatic
Sheehy Ford
Ford Commercial
Parr Ford
Ford F8tz3504abrm
1993 Ford Taurus
1993 Ford Tauru
Titan Ford
Luther Ford Fargo
Ford Freestar Problems
Ford Crate Engine
Ford Aftermarket Distributor
Ford Ranger 2008
Ford Falcon Sale
1941 Ford Truck
F150 Ford 2001
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
Ford Window Guards
1960 Ford Sunliner
1960 Ford Sunline
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Ford Taurus Repair
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Grappone Ford
Ford Radio Removal
Ford Expedition Diesel
Ford Parts Catalog
1940 Ford Coupe
1966 Ford Mustangs
Ford Door Lock
Ford Escape Hybrid
1930 Ford Coupe
Ford Parts Look Up
1968 Ford Trucks
1995 Ford F150 Lightning
Joe Machens Ford
1956 Ford Panel
Ford Global Terms
2000 Ford Explorer Overheating
1999 Ford F150 Engine
Ford 6 Cyl
Ford Ranger 4x4
Door 2005 Ford F150
Ford Falcon Futura Sprint
Ford Ranger Engine
Ford Escort Harrier
Ford F150 Used 4x4
1969 Custom Ford Ranger
Ford Truck F150 Forum
Only Ford Expedition Pics
Diesel Ford Ranger
Ford F150 Throttle Body
2001 Ford Escort Reviews
1998 Ford F150 Bumper
1989 Ford Mustang Wallpaper
1939 Ford For Sale
Ford Ranger Directional Rims
2009 Ford Mustang Reviews
Rowe Ford Hyundai
Remanufactured Ford V8 Engines
Ford Ranger 4x4 Automatic
Rogue Information:
File: softwarefortubeview.40030.exe
MD5: 3C146F57FE65BF03CAB8289F31B57618
Detected as: Adware/MSAntiSpyware2009
Registrar and Host Information:
| ICANN Registrar: | REGTIME LTD. |
| Created: | 2009-03-17 |
| Expires: | 2010-03-17 |
| Updated: | 2009-03-31 |
| Registrar Status: | ok |
| Name Server: | NS1.GLOBEXTUBES.COM |
| Name Server: | NS2.GLOBEXTUBES.COM |
| Whois Server: | whois.regtime.net |
Server Data
| Server Type: | Apache/1.3.39 (Unix) PHP/5.2.5 |
| IP Location | |
| Domain Status: | Registered And Active Website |
If you have any questions about the attack, you could always reach me on Twitter (@lithium)
Special thanks to Greg Feezel for the heads up on this one!
Thu, 16 Apr 09
New Zero-Day exploit for Microsoft PowerPoint: Exploit/PPT
http://pandalabs.pandasecurity.com/archive/New-exploit-for-Microsoft-PowerPoint_3A00_-Exploit_2F00_PPT.aspx
Yesterday Microsoft published a new advisory related to a vulnerability in Microsoft Office PowerPoint, which could allow remote code execution.
In the following image, you can see the versions affected by this vulnerability:
This vulnerability affects Windows and Mac Microsoft Office PowerPoint versions.
There is already a zero-day exploit for this vulnerability, which PandaLabs detects as Exploit/PPT.
The Zero-Day exploit is proactively detected by TruPrevent™ Technologies.
Thu, 16 Apr 09
Quarterly Report January-March 2009
http://pandalabs.pandasecurity.com/archive/Quarterly-Report-January_2D00_March-2009.aspx
We have just published the latest PandaLabs Quarterly Report. There you can find statistics and information about the current malware situation, as well as sections analyzing the most interesting events of the first quarter (such as the most active families, Waledac and Conficker).
You will also find an interesting article about the spam situation, vulnerabilities and other topics.
You can download it in English or in Spanish.
Enjoy it!
Thu, 16 Apr 09
Chapter 2. The Conficker countdown melodrama.
http://pandalabs.pandasecurity.com/archive/Chapter-2.-The-Conficker-countdown-melodrama_2E00_.aspx
The melodramatic Conficker countdown is starting to resemble one of those never-ending TV soap operas; everyone is talking about it, but it never draws to an end. Well, at last the countdown is in the final straight, because if not we could end up with mass hysteria.
So let's see what new information there is about Conficker. It would seem that some opportunists are taking advantage of the notoriety of Conficker, downloading malware onto computers from domains that are ranked highly in Google searches for the name of this virus. It’s not surprising, when you see how widely the news is being reported. Google Trends illustrates the point:
What is most interesting is the ranking of countries where this information is being most widely reported, and where most people are searching for this information. Bearing in mind the number of domains that are downloading malware by exploiting the interest in Conficker, without actually having any connection with it, it is likely that although people in these countries may escape the wrath of Conficker, there may still be users who have downloaded other Trojans simply by searching for news about Conficker… Ironic really. Perhaps on April 2 we will be talking about another epidemic in Indonesia or Austria…
What new information is there about Conficker? Absolutely none, other than that everyone is waiting with bated breath to see when the apocalypse starts. This all takes me back to when, in the laboratory, we had a calendar for marking the payload dates of notorious viruses such as Friday 13 or Barrotes. So does this mean we are returning to the days of epidemics with payloads and countdowns?
Paradoxically, while we are all waiting to see what happens tomorrow, who knows what is actually going on in the background, and how many people are lining their pockets thanks to Conficker. And to get back to soap operas, what are the odds on a happy ending to the Conficker saga?
Thu, 16 Apr 09
Don’t get taken in by the Conficker panic
http://pandalabs.pandasecurity.com/archive/Don_1920_t-get-taken-in-by-the-Conficker-panic.aspx
Lately it seems everybody is talking about Conficker and its variants, all the more so given the fear building up around the coming date of April 1st. It's been a while since we saw so much coverage in the general media, and I don't want to tell you to disregard it, because it does contribute to general awareness and makes users more conscious. But I also want to say that perhaps it does more harm than good. Let's go back over the issues that are flying around the world.
Regarding the damn date… will Conficker be activated on 1st April? No. But it will do something that day, won't it? Yes. Conficker is a piece of malware that creates random URLs every day, and infected PCs check them to see whether a new version is available for download. It does so 250 times a day. So what will happen on 1st April? The latest variant creates 50,000 new URLs. We can't know whether any of them will host an update of the malware; its author could host a new version or even some other type of malware. It checks the date on the Internet; we mention this in case somebody has thought of changing the system date of their computer ;-)
If any URL contains an update of the worm, which actions will the new variant carry out? In fact, no one has been able to guess the final aim of Conficker. What we remember from previous infections is that the author’s motive is to become famous, but we doubt very much if it all ends there. If we think about the different business models that there are currently behind malware (mentioned in this blog many times before), it is obvious that its author –or authors- will be looking to make money in some way. But, in which way? It can be by harnessing the infected PCs net to send spam, by installing on the infected PCs some type of rogue antimalware to warn users that their computer is infected enticing them to buy a fake antivirus, by downloading password stealer type Trojans… There are many speculations, but nothing for sure.
Another question posed is whether it's really more dangerous than other types of malware. The answer is no, it's not more dangerous, though its update functionality leaves a door open to new attacks that could be. Its success lies in having exploited a recent MS vulnerability to distribute itself, and that's why it has reached so many PCs. In this way, its author has been smart and has taken the model of classic viruses. An "intelligent" move by the author has been to use different means of infection, especially through USB keys, MP3 players, etc. What is true is that from version to version it has made detection more difficult by obfuscating its code. And although we can't talk about a polymorphic virus, it is heading in that direction.
What stands out from all this, as we said before, is the infection through USB devices in an attempt to reach the maximum number of PCs, and the way infected PCs can communicate with each other over P2P to update without needing to download a new version from a URL.
The infection level of the previous weeks has fallen to low levels. There is probably still malware infecting PCs, but not at the levels we were seeing in the previous months. In this situation, the author could take various actions:
a) Create a new variant which exploits another 0-day vulnerability; it takes no time to spread, and this was the plan all along for Conficker.
b) Keep the three variants that are being distributed alive, monitoring how much money they are making day by day, to the end.
c) Get bored and do something else…
We bet on option a). Not necessarily for April 1st, but it's on its way. It would be a shame to go to so much trouble without getting anything out of it. Because of this, we think that it won't go away so easily.
Above all, don't get taken in by the panic. What should users do on April 1st? If your PCs are protected by a good, updated antivirus, nothing. If you don't have one, we recommend you install one (you don't have to wait until April 1st…), and you can use Panda ActiveScan to make sure you are not infected. We also recommend installing the free tool we have created to prevent infection through USB keys.
Thu, 16 Apr 09
How To: Infect yourself with Malware
http://pandalabs.pandasecurity.com/archive/How-To_3A00_-Infect-yourself-with-Malware.aspx
Last time we talked about cyber criminals using YouTube's Video Annotations feature to guide victims to Malware ridden websites. Today we'll talk about yet another method being used within YouTube and other social media websites.
Malware distributors have been creating instructional "How to" videos to get victims to willingly visit malicious websites and infect their own computers.

Once on the site the victim is lured to install Adware/SystemSecurity rogue software.
The best way to avoid these types of scams is by researching the product prior to installing it on your computer. Sometimes a simple Google search can literally save you hundreds of dollars in repair costs.
Thu, 16 Apr 09
Blackhat SEO Fueled Rogue Security Campaign
http://pandalabs.pandasecurity.com/archive/Blackhat-SEO-Fueled-Rogue-Security-Campaign.aspx
Today we observed yet another Blackhat SEO campaign fueling the distribution of the System Security Rogue Anti-Malware from Pandora Software.
Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of other legitimate sites. You can learn more about it here.
(E.g. One of the hijacked searches)

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software.
Sample hijacked search terms [Full List]:
Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles
This post has been written by Sean-Paul Correll.
Thu, 16 Apr 09
MS09-008. Does the patch work?
http://pandalabs.pandasecurity.com/archive/MS09_2D00_008.-Does-the-patch-work_3F00_.aspx
The vulnerability MS09-008 affects the DNS server, more specifically the registration of WPAD (Web Proxy Auto-Discovery Protocol) entries. WPAD is a service that allows automatic configuration of the proxy settings of the computers within a network without user intervention.
This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.
As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, as you can see in the following screenshot:
Once these values have been created in the registry, an attempted "man-in-the-middle" attack will not succeed, as the system blocks queries for the WPAD entry, unless that entry already existed before the patch was applied.
Usually, if you are vulnerable to an attack and you patch the system you feel safe. For instance, all of you know about Conficker, which infects the system using the vulnerability MS08-067. Even if you have been previously infected, you can apply the patch and you won’t be infected anymore through this vulnerability.
However, the MS09-008 patch doesn't work in the same way: even if we have applied the patch, if we were already attacked through this vulnerability it doesn't solve the problem, and the "man-in-the-middle" attacks will continue. Why? Because in that case the data in the GlobalQueryBlockList value created when the patch is applied is "isatap" instead of "wpad isatap", so queries for WPAD are not blocked.
To sum up: if a successful attack had already taken place before the patch was applied, your traffic may already be redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there "sniffing" all your traffic.
To solve this, you only need to add the data wpad to the GlobalQueryBlockList value in the registry and restart the DNS service.
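A check for the condition described above, as an added Python example that is not PandaLabs' or Microsoft's code: it reads GlobalQueryBlockList from the registry key named in the post (Windows only, through the standard winreg module) and reports whether wpad is missing, which is the state left behind when the patch was applied after an attack. The audit function also accepts the space-separated form quoted in the post; the dnscmd command printed as remediation is Microsoft's documented way of setting the list and is assumed to be installed.

```python
import sys

# Key and value named in the post; the patch creates the value on a Windows DNS server.
DNS_PARAMS_KEY = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
VALUE_NAME = "GlobalQueryBlockList"
# Both names must be present; a value of just "isatap" leaves WPAD queries unblocked.
REQUIRED = ("wpad", "isatap")


def normalize_block_list(raw):
    """GlobalQueryBlockList is REG_MULTI_SZ, which winreg returns as a list of strings;
    the single-string form 'wpad isatap' used in the post is accepted as well."""
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = raw.split()
    return [entry.strip().lower() for entry in raw if entry and entry.strip()]


def audit_block_list(raw):
    """Return (ok, missing_names). ok is False in exactly the post's failure case."""
    present = set(normalize_block_list(raw))
    missing = [name for name in REQUIRED if name not in present]
    return (not missing, missing)


def read_block_list_from_registry():
    """Windows-only live read. Returns None off Windows, or when the DNS service key or
    the value does not exist (DNS role absent, or MS09-008 not applied)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, present only on Windows builds of Python
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DNS_PARAMS_KEY) as key:
            value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return None
    return value


def main():
    raw = read_block_list_from_registry()
    if raw is None:
        print(f"{VALUE_NAME} not readable here (not a Windows DNS server, or patch not applied)")
        return 2
    ok, missing = audit_block_list(raw)
    print(f"{VALUE_NAME} = {normalize_block_list(raw)}")
    if ok:
        print("OK: wpad and isatap are both blocked")
        return 0
    print(f"WARNING: missing {missing}; WPAD queries are still answered by this server")
    # Remediation from the post: add wpad to the value and restart the DNS service.
    # dnscmd is Microsoft's documented tool for this (assumption: it is installed).
    print("Fix (run as administrator):")
    print("  dnscmd /config /globalqueryblocklist wpad isatap")
    print("  net stop dns && net start dns")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```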
Microsoft guys have blogged about this, you can find more information here.
Kudos to David Sanchez for the research.
Thu, 16 Apr 09
Facebook Malware Refocusing on Bank of America
http://pandalabs.pandasecurity.com/archive/Facebook-Malware-Refocusing-on-Bank-of-America-.aspx
The perpetrators behind the recent Classmates and Facebook Malware incident are now refocusing their attack on Bank of America customers. The new website is designed to look like a Bank of America Help page and reads:
“You have not been permitted to access the Bank of America Direct® login page because your browser did not provide a valid digital certificate. In order to access Bank of America Direct, you must have a valid Digital Certificate installed on your PC. For help, please select from the help links below.”

The page includes a fake video which is labeled as an “Installation Demo” but points to a Malicious Executable named Adobeflashplayer.exe, which we detect as Trj/Spyforms.BZ.
Trj/Spyforms.BZ is primarily distributed through links in spam e-mails and the Trojan is designed to monitor network traffic and steal ftp, icq, pop3, and imap passwords. The stolen data is then sent back to a server located in Hong Kong.
Thu, 16 Apr 09
Malware Impersonates Classmates and Facebook Websites to Deliver Password Stealing Trojan
http://pandalabs.pandasecurity.com/archive/Malware-Impersonates-Classmates-and-Facebook-to-Deliver-Password-Stealing-Trojan.aspx
Websites designed to look like Classmates.com and Facebook are currently being used to distribute a password stealing Trojan, which we detect as Trj/Spyforms.BZ. Some of you may remember the Spyforms Malware family from a previous incident involving Barack Obama spam campaigns. In this most recent incident, the malicious web links are still primarily distributed via spam e-mails. Once clicked, the victim is presented with a realistic looking Classmates or Facebook website. The website contains a fake YouTube video, which prompts a dialog stating “Please Download correct Flash Movie Player! Installation: Double-click the downloaded installer. Follow the on-screen instructions!” and attempts to download a file named Adobemedia10.exe or Adobemedia11.exe.

Once installed, the Trojan intercepts network traffic in order to obtain ftp, icq, pop3, and imap passwords and then sends the data back to a server in a Hong Kong based ISP (HOSTFRESH). You may recall the last major Malware incident involving the Hong Kong based ISP, which was one of the providers involved in the malware distribution operation taking place inside of the Atrivo/Intercage network.