Malware

 

Fri, 22 May 09
YouTube riddled with comments leading to Malware
http://pandalabs.pandasecurity.com/archive/YouTube-riddled-with-comments-leading-to-Malware.aspx


A few months ago, we talked about YouTube's Annotations feature being used as a tool by cyber criminals to spread their malicious rogueware campaigns. Today we have a similar case, but this time it is automated comment malspam (malware spam). My initial search turned up about 30,000 malspam comments, all pointing to a fake pornography website called "PornTube 2.0".



As last time, the cyber criminals are targeting people who search YouTube for pornography. In the comments, each malicious link is accompanied by a few search terms. Common keywords we have seen are Adalt (sic), Tit s, Latina, Kinky, Girl, Porn, Sex, and the names of various pornography stars.

Example comments:



By targeting these keywords the cyber criminals optimize their success rate, infecting those who are genuinely looking for pornographic material.

Note: all of the malicious links appear to have brackets inserted in the ".com" portion of the comment. It is unclear whether this is a temporary measure by the YouTube abuse team or whether the criminals are simply trying to evade detection.
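As an added example (not code from the PandaLabs post), the two signals described above, a bracket-obfuscated host such as example[.]com and the bait keywords, turned into a small comment filter. The sample comments are constructed for illustration.

```python
import re

# Bait keywords quoted in the post (the misspelled "adalt" and split "tit s" kept as seen).
BAIT_KEYWORDS = {"adalt", "tit s", "latina", "kinky", "girl", "porn", "sex"}

# A host whose final dot is wrapped in brackets, e.g. example[.]com, as the post describes.
DEFANGED_HOST = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*)\[\.\]([a-z]{2,})", re.I)


def normalize_host(comment: str):
    """Re-join the bracket-obfuscated host in a comment, or return None if there is none."""
    m = DEFANGED_HOST.search(comment)
    return f"{m.group(1)}.{m.group(2)}".lower() if m else None


def bait_hits(comment: str):
    """Bait keywords present in the comment (case-insensitive substring match)."""
    text = comment.lower()
    return sorted(k for k in BAIT_KEYWORDS if k in text)


def classify(comment: str) -> dict:
    """Flag a comment as malspam when it carries an obfuscated host AND bait keywords.

    Either signal alone is weak: a plain link is normal, and a keyword-only
    comment has nowhere to send the victim.
    """
    host = normalize_host(comment)
    hits = bait_hits(comment)
    return {"host": host, "keywords": hits, "malspam": host is not None and bool(hits)}


# Constructed comments in the style the post describes; not real YouTube data.
SAMPLE_COMMENTS = [
    "adalt latina kinky porn http://porntube-example[.]com/video",
    "Great video, thanks for uploading!",
    "tit s girl sex -> www.example-tube[.]com",
    "check my channel https://youtube.com/user/someone",
]

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(classify(c))
```

The normalized host is what you would feed to a blocklist or reputation lookup; the raw bracketed form would never match.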

Upon arriving at the website we see a page that looks like a legitimate video site labeled "PornTube 2.0", but it is actually the malware site.

Malware Site:




Clicking anything on the website prompts you to download a fake Adobe Flash plugin, which is the installer for Adware/PrivacyCenter.




Adware/PrivacyCenter Rogue (fake) Antivirus



Rogue antivirus is one of the most prolific malware families in today's threat landscape. PandaLabs received more rogue antivirus samples in Q1 2009 than in all of 2008, as the following illustration demonstrates.



In this case, the cyber criminals aim to profit from human weaknesses and natural curiosity.

Fri, 15 May 09
MS08-066 in the wild
http://pandalabs.pandasecurity.com/archive/MS08_2D00_066-in-the-wild.aspx

We always recommend not using an account with admin privileges as your default Windows user. Most malware relies on the fact that people run with highly privileged accounts, so when a sample is executed it can take control of the entire system.

It is highly advisable to use Windows with a regular user account, in order to block most malware actions that require admin rights (installing rootkits, modifying system files, the registry or services, and so on). However, it is equally important to keep the system updated. You should install Windows updates every month, because even if your default Windows user does not have admin privileges, you can still be in trouble if you execute a piece of malware.

Let me show you an example.

Several months ago I was analyzing a new piece of malware. Its code had several features (creation of files in system directories, service/driver installation, code injection, creation of new autorun registry entries) that require administrative privileges. If the malware is executed as a regular user, it tries to exploit the MS08-066 vulnerability to elevate its privileges. This way, if the system has not been patched with MS08-066, it gains control of the entire system and the malware runs with administrative rights.

Look at the following code:

UPX0:29A02A67                 push    offset aAdvpack_dll ; "advpack.dll"
UPX0:29A02A6C                 call    LoadLibraryA
UPX0:29A02A72                 test    eax, eax
UPX0:29A02A74                 jz      short loc_29A02A84
UPX0:29A02A76                 push    offset aIsntadmin ; "IsNTAdmin"
UPX0:29A02A7B                 push    eax             ; hModule
UPX0:29A02A7C                 call    GetProcAddress
UPX0:29A02A82                 jmp     short loc_29A02A88

First it checks whether the user has administrative privileges (via advpack.dll's IsNTAdmin). If not, it tries to exploit the MS08-066 vulnerability to elevate its privileges:

UPX0:29A02A96 ms08_066_Exploit:            ; CODE XREF: MalwareActions+5Aj
UPX0:29A02A96                 call    sub_29A013E0
UPX0:29A02A9B                 test    eax, eax
UPX0:29A02A9D                 jnz     short loc_29A02AAD
UPX0:29A02A9F                 call    sub_29A01520
UPX0:29A02AA4                 test    eax, eax
UPX0:29A02AA6                 jnz     short loc_29A02AAD

[…]

UPX0:29A01471                 call    WSAStartup
UPX0:29A01476                 push    offset aHaldispatchtab ; "HalDispatchTable"
UPX0:29A0147B                 call    MyGetProcAddress ; Func_GetProcAddress
UPX0:29A01480                 push    offset aPslookupproces ; "PsLookupProcessByProcessId"
UPX0:29A01485                 mov     Handle_HalDispatchTable, eax
UPX0:29A0148A                 call    MyGetProcAddress ; Func_GetProcAddress
UPX0:29A0148F                 cmp     Handle_HalDispatchTable, 0
UPX0:29A01496                 mov     Handle_PsLookupProcessByProcessId, eax
UPX0:29A0149B                 jz      short loc_29A014BD

With this piece of code, if the system has not been updated with the MS08-066 patch, the malware can do whatever it wants. So even if your Windows user does not have admin privileges, you should update your system every month. It's really important if you don't want to be owned.
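As an added example (not from the PandaLabs post), the indicator combination visible in the listing turned into a triage check: IsNTAdmin on its own is a normal installer call, but kernel symbol names being resolved from a user-mode image is the part that deserves attention. The segment name UPX0 shows the sample is UPX-packed, so a scan like this only works on the unpacked image or a memory dump; the inputs below are constructed stand-ins, not real samples.

```python
# Indicator strings copied from the disassembly listing in the post.
ADMIN_CHECK = [b"advpack.dll", b"IsNTAdmin"]
KERNEL_SYMBOLS = [b"HalDispatchTable", b"PsLookupProcessByProcessId"]


def find_strings(blob: bytes, needles):
    """Return the needles that occur in blob as NUL-terminated ASCII strings."""
    return [n for n in needles if n + b"\x00" in blob]


def assess(blob: bytes) -> dict:
    """Classify an UNPACKED user-mode image by the indicator combination it carries.

    IsNTAdmin alone is common in INF-based installers; the kernel symbol names
    only make sense in user mode if the code intends to tamper with the kernel,
    which is the pattern the post describes for the MS08-066 exploit.
    """
    admin = find_strings(blob, ADMIN_CHECK)
    kernel = find_strings(blob, KERNEL_SYMBOLS)
    if len(admin) == len(ADMIN_CHECK) and kernel:
        verdict = "lpe-pattern"        # admin gate followed by kernel symbol lookups
    elif kernel:
        verdict = "kernel-symbols"     # no admin gate seen, still worth a look
    elif admin:
        verdict = "admin-check-only"   # typical of legitimate setup programs
    else:
        verdict = "none"
    return {"admin_check": admin, "kernel_symbols": kernel, "verdict": verdict}


def build_sample(strings) -> bytes:
    """Constructed stand-in for an unpacked image's string area (not a real sample)."""
    return b"MZ" + b"\x90" * 16 + b"".join(s + b"\x00" for s in strings) + b"\xcc" * 8


# Constructed inputs: one mimicking the listing, one mimicking a plain installer.
SUSPECT = build_sample([b"advpack.dll", b"IsNTAdmin", b"WSAStartup",
                        b"HalDispatchTable", b"PsLookupProcessByProcessId"])
INSTALLER = build_sample([b"advpack.dll", b"IsNTAdmin", b"SetupMyApp"])  # SetupMyApp is made up

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("installer", INSTALLER)):
        print(name, assess(blob)["verdict"])
```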

Wed, 6 May 09
Swine flu and the Blackhat SEO techniques
http://pandalabs.pandasecurity.com/archive/Swin-flu-and-the-Blackhat-SEO-techniques.aspx


You should be careful when looking for information on the web. Not everything is what it seems, especially now that Blackhat SEO techniques, which push malicious websites up the search engine rankings, are used so frequently.

And why not apply these techniques to the swine flu topic? Cyber-crooks have started doing exactly that. Just look at what we found on Google: a search engine that offers information about swine flu.


When clicking on the results displayed by the search engine, we are redirected to porn sites where we can watch videos. However, to view a video we are required to install the latest version of a player.





Actually, the file is not a player but an adware program, detected as Adware/WebMediaPlayer.

UPDATE:

We’ve tried other searches with this malicious engine.



On the one hand, we tried words related to antivirus solutions, such as "Spyware remover", and different results were displayed:

 

 

When accessing some of them, we were redirected to a website that simulates a system scan and warns us that our computer is infected. The purpose is to sell us a solution, which is itself fake.



On the other hand, we tried other text strings, such as celebrities (Paris Hilton, Angelina Jolie...), mortgages and jobs, and we were redirected to porn websites like those mentioned above for the swine flu searches.

We will continue researching this and keep you informed if we find anything new.

Mon, 4 May 09
New Panda Cloud Antivirus
http://pandalabs.pandasecurity.com/archive/New-Panda-Cloud-Antivirus.aspx
Today we have launched Panda Cloud Antivirus, an exciting new product: light, secure, easy and free. Visit http://www.cloudantivirus.com/ and try it!

 

© amigura.co.uk All Rights Reserved.