Malware

Thu, 18 Jun 09
June's Crypto Challenge Results
http://pandalabs.pandasecurity.com/archive/June_2700_s-Crypto-Challenge-Results.aspx


June's Crypto Challenge has now come to a close, and I'm glad to report that several participants completed it successfully. I've posted the solution below for everyone to see, so click here if you want to try to solve the challenge without looking at the answer first.


Winners

1st - @apolkosnik 
2nd - @alecrwaters
3rd - @shftleft
4th - @RavenBlackthorn
5th - @schuetzdj
6th - @SecShoggoth
7th - @DuncanGilmore
8th - @thornmaker



Solution


Step 1: Decode Base64

NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg
NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg
NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg
NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA=

Step 2: Decode ROT13

68 74 74 70 73 63 6s 6p 6s 6r 73 6p 61 73 68 73 6p 61 73 68 64 6p 64 6s 74 67 65 74 64 72 6s 70 62 6s 78 64 6s 74 63 6s 6q 73 6p 61 73 68 75 73 6p 61 73 68 32 32 30 38 30 73 6p 61 73 68 68 69 6r 74 64 6s 74 68 74 6q 6p

Step 3: Decode Hex

68 74 74 70 73 63 6f 6c 6f 6e 73 6c 61 73 68 73 6c 61 73 68 64 6c 64 6f 74 67 65 74 64 72 6f 70 62 6f 78 64 6f 74 63 6f 6d 73 6c 61 73 68 75 73 6c 61 73 68 32 32 30 38 30 73 6c 61 73 68 68 69 6e 74 64 6f 74 68 74 6d 6c

Step 4: Form URL

httpscolonslashslashdldotgetdropboxdotcomslashuslash22080slashhintdothtml

Step 5: View URL

http://dl.getdropbox.com/u/22080/hint.html



Step 6: Decode the ASCII art using the link at the bottom of hint.html

Step 7: The ASCII art decodes to an image of a link (http://bit.ly/ciph3r). Access the link to retrieve the ancient alphabet.

Step 8: Revisit hint.html and decode the AES-encrypted string. The key and other hints are hidden in the CSS.





Decoded: httpscolonslashslashdldotgetdropboxdotcomslashuslash22080slashfiledotzip

Step 9: Fix URL

https://dl.getdropbox.com/u/22080/file.zip

Step 10: Download and unzip the file

Step 11: Use Spectrogram 16 (hint from CSS) to analyze the WAV file

Step 12: Decode the image from the spectral analysis with the legend found in Step 7

Step 13: Decode ROT13

graroebhf

Final Solution: Tenebrous (It was the word of the day) :)
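Steps 1 to 4 and the final ROT13 step are pure text transformations, so here they are as an added Python script. This is my own example, not the author's solver: the challenge string and the intermediate strings it produces are the ones given above, and the same punctuation substitution is applied to the decoded file.zip string from the later step as well. Note that the URL comes out as https, because the spelled-out form begins with "httpscolon".

```python
import base64
import codecs
import re

# The challenge string exactly as posted above (the four base64 lines joined).
CHALLENGE_B64 = (
    "NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg"
    "NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg"
    "NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg"
    "NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA="
)

# URL punctuation the challenge spells out as words (Step 4).
SPELLED_PUNCTUATION = {"colon": ":", "slash": "/", "dot": "."}
_SPELLED_RE = re.compile("|".join(SPELLED_PUNCTUATION))


def step1_base64(blob: str) -> str:
    """Step 1: base64 -> space-separated hex pairs whose letters are still ROT13'd."""
    return base64.b64decode(blob).decode("ascii")


def step2_rot13(text: str) -> str:
    """Step 2: ROT13 moves letters only, so the digits of each hex pair are
    untouched and the letters a-f come back from their shifted forms
    (s -> f, p -> c, r -> e, q -> d)."""
    return codecs.decode(text, "rot_13")


def step3_hex(text: str) -> str:
    """Step 3: hex pairs -> ASCII; bytes.fromhex ignores the separating spaces."""
    return bytes.fromhex(text).decode("ascii")


def step4_form_url(spelled: str) -> str:
    """Step 4: swap the spelled-out punctuation for the real characters."""
    return _SPELLED_RE.sub(lambda m: SPELLED_PUNCTUATION[m.group(0)], spelled)


def solve_text_steps(blob: str = CHALLENGE_B64) -> dict:
    """Run Steps 1-4 and return each intermediate so they can be compared
    with the strings shown in the solution."""
    rot13_hex = step1_base64(blob)
    hex_pairs = step2_rot13(rot13_hex)
    spelled = step3_hex(hex_pairs)
    return {
        "rot13_hex": rot13_hex,
        "hex": hex_pairs,
        "spelled": spelled,
        "url": step4_form_url(spelled),
    }


if __name__ == "__main__":
    for name, value in solve_text_steps().items():
        print(f"{name}: {value}")
    # The last step of the challenge is ROT13 again, this time on a plain word.
    print("final:", step2_rot13("graroebhf"))
```

The word-for-punctuation substitution is deliberately naive (a plain alternation of colon, slash and dot); it works here because none of the real path components contain those letter sequences, which is worth checking before reusing it on other spelled-out strings.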



I'm going to start working on the next challenge soon, so feel free to send me your suggestions and I will factor them into the next round.

Thu, 11 Jun 09
Visualizing the Twitter Trends Attack
http://pandalabs.pandasecurity.com/archive/Visualizing-the-Twitter-Trends-Attack.aspx



For the past week, cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) that combine trending-topic keywords with malicious URLs. If a URL is accessed, the victim arrives at a rogueware website designed to trick them into thinking their computer is infected, thereby justifying the purchase of the fake software on offer.

Since the initial discovery we have been keeping a close eye on this attack, but the malicious tweets continue. From June 2nd to 3rd we noticed over 3,000 of these malicious tweets (the real number is a lot higher than 3k, because we only tracked the main abuse site and excluded the shortened URLs from the initial search). On June 6th the main site was taken offline and the attack shifted from Adware/PrivacyCenter to Adware/FastScan.

Current targeted phrases:

Wordpress 2, Fallon, Top Chef, Tila Tequila Live, AT&T, Limp Bizkit, Sytycd, iPhone, Adam Lambert, Wipeout, Holocaust Museum, Miss California, Claim your Facebook, Squarespace, Lakers, NBA Finals, Zack Morris, addict, video, trailer.

Current Scareware site:

Adware/FastAntivirus Download Site

File: Setup_build6_27.exe (MD5: efe9ddbea8bd71fdfee44d44811e4695 )

Installer:

Adware/FastAntivirus Installer

Adware/FastAntivirus

Adware/FastAntivirus

At the moment we have identified over 20 accounts and 1200+ tweets still targeting the trending topics on Twitter. The criminals are using various URL shortening services, and although the Twitter staff is making an effort to suspend the accounts, as soon as they do, the cyber criminals create another account.

Here is what that data looks like visualized.

Update: As of 1:00 AM 6/11/09 we have identified an additional 21 active accounts spreading malicious links (new accounts not included in the visualization below).

Blue = Twitter Account
Purple = Malicious URL
Red = Tweet
Visualization of Twitter Trend Attack

Zoom in:

Visualization of Twitter Trend Attack

The ease of carrying out this type of attack leads us to believe that it will not go away anytime soon. We are all going to have to work together to take these threats down. The good news, in this case, is that I have already received a response from the abuse team at TinyURL, who have killed the redirections on their end. Now all we need is for everyone else to start working together and we'll be able to take these dangerous accounts down sooner!
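The visualization above is a graph with three kinds of nodes (accounts, tweets, URLs). As an added example of my own, not PandaLabs' tooling, the Python below builds that account-to-tweet-to-URL structure from a handful of constructed tweets and pulls out the two facts a defender wants from it: which links are shared by several accounts, and which accounts repeatedly pair a trending phrase with a link. The account names and link paths are invented placeholders, and the trending phrases are a subset of the ones listed in the post.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# A subset of the targeted phrases listed in the post, lower-cased for matching.
TRENDING_TERMS = ("iphone", "lakers", "nba finals", "adam lambert", "wipeout",
                  "squarespace", "video", "trailer")

URL_RE = re.compile(r"https?://\S+")

# Constructed sample data (account, tweet text). The account names and link
# paths are placeholders invented for this example, not data from the campaign.
SAMPLE_TWEETS = [
    ("spam_acct_01", "iphone lakers nba finals video http://tinyurl.com/placeholder-a"),
    ("spam_acct_01", "adam lambert wipeout trailer http://tinyurl.com/placeholder-a"),
    ("spam_acct_02", "lakers squarespace video http://bit.ly/placeholder-b"),
    ("spam_acct_02", "iphone trailer http://tinyurl.com/placeholder-a"),
    ("fan_acct", "Go Lakers! NBA finals tonight"),
    ("news_acct", "New iPhone review http://news.example/iphone-review"),
]


def matched_terms(text):
    """Trending phrases that appear in a tweet (case-insensitive substring match)."""
    low = text.lower()
    return [t for t in TRENDING_TERMS if t in low]


def build_graph(tweets):
    """The tripartite structure behind the visualization:
    account -> tweet index -> URLs. Returns (account_tweets, tweet_urls)."""
    account_tweets = defaultdict(list)
    tweet_urls = {}
    for i, (account, text) in enumerate(tweets):
        account_tweets[account].append(i)
        tweet_urls[i] = URL_RE.findall(text)
    return dict(account_tweets), tweet_urls


def url_accounts(tweets):
    """Invert the graph: each URL -> the set of accounts that posted it."""
    posted_by = defaultdict(set)
    for account, text in tweets:
        for url in URL_RE.findall(text):
            posted_by[url].add(account)
    return posted_by


def shared_urls(tweets, min_accounts=2):
    """URLs pushed by several accounts: the pivot that ties a cluster of
    throwaway accounts into one campaign."""
    return sorted(u for u, a in url_accounts(tweets).items() if len(a) >= min_accounts)


def suspicious_accounts(tweets, min_hits=2):
    """Accounts with at least min_hits tweets that pair a trending phrase
    with a link. The threshold keeps a single legitimate news tweet out."""
    hits = Counter()
    for account, text in tweets:
        if matched_terms(text) and URL_RE.search(text):
            hits[account] += 1
    return sorted(a for a, n in hits.items() if n >= min_hits)


def link_hosts(tweets):
    """Count link hosts; shortener domains dominating the list is the signal
    that the abuse report belongs with the shortening service as well."""
    return Counter(urlparse(u).netloc for _, text in tweets for u in URL_RE.findall(text))


if __name__ == "__main__":
    print("shared links:", shared_urls(SAMPLE_TWEETS))
    print("suspicious accounts:", suspicious_accounts(SAMPLE_TWEETS))
    print("link hosts:", dict(link_hosts(SAMPLE_TWEETS)))
```

The shared link is the useful pivot: suspending accounts one at a time loses to account creation, whereas reporting the link to the shortening service, as the post describes doing with TinyURL, disables every tweet that carries it, however many accounts posted it.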

Sat, 6 Jun 09
More rogueware campaigns on Twitter...
http://pandalabs.pandasecurity.com/archive/More-rogueware-campaigns-on-Twitter_2E002E002E00_-.aspx


Again cyber criminals are using the Trending Topics to spread rogueware. In this case the Trending Topic is David Carradine:

When you click on the links you go to this website:

Or this one:

Or many other similar ones. And at the end you will have installed Adware/PrivacyCenter:

Fri, 5 Jun 09
Cyber Criminals Exploit Drupal CMS to Distribute Malware
http://pandalabs.pandasecurity.com/archive/Cyber-Criminals-Exploit-Drupal-CMS-to-Distribute-Malware.aspx


In a previous post I stressed the importance of updating web applications frequently. Cyber criminals are always on the lookout for newly exploitable distribution methods and will go to great lengths to take advantage of any website. It may not be widely known, but web application vulnerabilities pop up just as frequently as software or operating system vulnerabilities do.

If you are using dynamic web applications, such as content management software, e-commerce or blogging software, then it's especially important to make sure those applications are always up to date with the latest security patches. If you don't, not only do you put your visitors at risk of SQL injection-related infections, but you also open yourself up to the possibility of a data breach, which can leak all kinds of sensitive data into the hands of cyber criminals.

Today, I came across a State University website which was running a vulnerable version of the popular Drupal CMS software. The site was exploited by cyber criminals and over 3600 links were injected and indexed by Google in less than 10 hours of exploitation.

Search Results:

Malicious Site:

Rogue Site

If any of the links are accessed, the user is put through a series of redirections to various Rogueware sites, where the user is told that their computer is infected and prompted to install a file called onlinescan.exe, which we detect as Adware/PrivacyCenter.

Adware/PrivacyCenter

Fri, 5 Jun 09
Two years of Collective Intelligence
http://pandalabs.pandasecurity.com/archive/Two-years-of-Collective-Intelligence.aspx


I still remember the very first meeting where we started talking about the cloud, three years ago. It was 2006, a sunny day, and a few of us were meeting in a room on the 7th floor of our old building. Mikel Urizarbarrena, our founder, started talking about the evolution of the Internet and how we could take advantage of it to improve our customers' protection level. Many buzzwords like Web 2.0 started floating around, and I was reminded of the first time we talked about TruPrevent, back in 2002... so it was going to be something big :-)

From the lab's point of view, we were already overwhelmed by an increasing, never-ending flood of malware at that time. Nothing new: the amount of malware was multiplying by a factor of two every year, and even though the cloud had some issues (and still has, because there is no perfect technology) it was a smart approach to solving the different problems we were facing at that time (adding a huge volume of detections, faster updates, etc.). Furthermore, we saw an early opportunity to use the cloud for some exciting stuff:

- Adding some self-developed technologies that could not otherwise be run on a user's computer.
- Detecting good files (aka goodware).
- Using new approaches to detect malware (contextual information, correlation of different behaviours).


At the time, one of our major concerns was that a lot of people were infected even though they were supposed to be protected, and even worse, they didn't know they were infected. So we started building what we now call Collective Intelligence 1.0, a database with all the knowledge we had about malware. At the same time we were developing a proof-of-concept in-the-cloud scanner (code name: Nanoscan) to validate that our feeling about infection rates was right, and to test the cloud technology and confirm it was worth the effort.

A few months later we released Nanoscan. It was light (~300kb), and it could scan the processes the computer was running at the same time as the scan. Collective Intelligence back then was not able to run all the technologies we had in the lab, but it was good enough to show us what was happening out there, and as far as we know it was able to detect more malware than any antivirus product (including Panda!), since no one else had this kind of technology integrated in an antivirus. Another nice feature of Nanoscan was that it queried the Windows Security Center, so we could know whether an antivirus was installed, which one it was and whether it was active and updated. We gathered data for a couple of months (a few million computers scanned) and the results were as bad as we had feared: 23 percent of the computers scanned that had an antivirus running and updated had malware loaded in memory. It didn't matter which antivirus it was; every vendor had many infected users: McAfee (24%), Panda (15%), Symantec (23%), Trend (17%), etc. We wrote a paper about this, which you can download here.

At that moment we decided that we had to move forward and develop Collective Intelligence. And we did. Later we launched the 2009 products, the same kind of products we had in the past but capable of connecting to the cloud when running an on-demand scan, as well as in the perimeter real-time protections. A few weeks ago we launched Panda Cloud Antivirus, a brand new product we created from scratch, which is basically the first antivirus thin client from the cloud.

So now it's the 2nd anniversary of Collective Intelligence, and I have been playing around with the numbers, which are huge:

- Over 26 million malware samples
- Over 900,000,000,000 records in the database
- Over 18 Tb of information (now you can see why we don't create a signature file with this ;-)

Some curiosities:

- Sending all the data through a regular DSL line would take 3 years.
- If we wrote all the data down on paper, it would be equivalent to 727,373 copies of the Encyclopaedia Britannica.
- If we put all those paper sheets one after another, we could walk to the moon and back... 12 times!


We have published a nice video about Collective Intelligence on YouTube.

Thu, 4 Jun 09
Rogueware campaign on Twitter continues...
http://pandalabs.pandasecurity.com/archive/Rogueware-campaign-on-Twitter-continues_2E002E002E00_.aspx

The Twitter Trends based attack we blogged about yesterday has expanded from just one trend to nearly all of them! Over the past 24 hours there have been several thousand tweets targeting trending topics on Twitter, and the numbers continue to rise.

@lithium

Example Tweets:

Malicious Tweets

As you can see from the example tweets, the cyber criminals are targeting Twitter trends in real time. I went ahead and captured every tweet up until about 8PM tonight and put together a tag cloud so that you can see which terms were targeted most frequently.

Tag Cloud

Clicking on any of the links will put you through a series of redirects, at which point you will arrive at a website prompting you to install a fake Adobe Flash plugin (flash_player_plugin.exe). If the so-called "plugin" is installed, the computer will be infected with Adware/PrivacyCenter.

Malicious Site

The emergence of this threat distribution method shows how cyber criminals are adapting to the newer services offered on the Internet. It's especially dangerous with sites like Twitter, which offer up-to-the-second updates (live tweets) of events as they unfold in real time. In the future, sites that promote an unfiltered and open dialog through a global hive of users will have to think twice about the potential threats exposed by the features or even the API services they offer.

Thu, 4 Jun 09
Cyber Criminals Target Air France, YouTube, E3, Microsoft, Project Natal, and more…
http://pandalabs.pandasecurity.com/archive/Cyber-Criminals-Target-Air-France_2C00_-YouTube_2C00_-E3_2C00_-Microsoft_2C00_-Project-Natal_2C00_-and-more_2620_.aspx


It seems like these days every other breaking news story is paralleled by a similar Blackhat SEO-fueled rogueware campaign. Today, Luis Corrons and I were talking about Microsoft's recently announced Project Natal when his Google search for a video of the technology in action turned up a malicious link at the very top of the search results.




Connection: (Google to Rogue)



Rogue Site:



Knowing that this link wouldn’t be the only one, we started researching the domains and keywords being targeted and here is what we found:

Keywords:

- 16,000 links targeting "YouTube"
- 10,500 links targeting "France" (Airline Crash)
- 8,930 links targeting "Microsoft" (Project Natal)
- 3,380 links targeting "E3"
- 2,900 links targeting "Eminem" (MTV Awards/Bruno Incident)
- 2,850 links targeting "Sony"



The sites are all hosted on Lycos Tripod, a free web host. This allows the cyber criminals to create thousands of free sites to exploit Blackhat SEO and then simply redirect those free sites to just a handful of their own servers.

Blackhat SEO is definitely one of the most prevalent threat distribution methods today. We expect to see several more examples of this type of attack throughout the year, so be especially careful when searching for breaking news stories. All of the links associated with this attack have already been blocked for Panda users.

Wed, 3 Jun 09
Rogueware Campaigns blending in with Twitter Trends
http://pandalabs.pandasecurity.com/archive/Rogueware-Campaigns-now-blending-into-Twitter-Trends.aspx


"PhishTube Broadcast" became a trending topic on Twitter today. The word “tube” is a big red flag to any Threat Researcher these days, so naturally I had to investigate it.

I clicked on the section inside the trending topics group and, ironically, the links in the tweets looked fishy.



I started to investigate further and found that while there was definitely legitimate tweet traffic for the band Phish, several zombie accounts were posting hundreds of strange and highly suspicious messages. Eventually the links led me through several redirections and finally to PornTube malware websites.





Connections/Redirects leaving Twitter:

Clicking on any element inside the PornTube page resulted in a run-of-the-mill Adware/PrivacyCenter infection, but the interesting part is that cyber criminals are starting to target social networking sites more than ever. In this case they took advantage of the open dialog on Twitter and essentially blended in with the trending topics in order to trick unsuspecting users into clicking malicious links. This technique is strikingly similar to the Blackhat SEO tricks criminals use on search engines to place their malicious links at the top of search results.

Tue, 2 Jun 09
Crypto Challenge
http://pandalabs.pandasecurity.com/archive/Crypto-Challenge.aspx


Those of you who already follow me on Twitter know that every once in a while I throw together a quick, geeky puzzle for everyone to solve. After my last challenge, a few people asked me to make the next puzzle a little bit harder to solve. This meant including a few more steps and throwing in some visual elements as well.

The Top 10 people to direct message the solution to me on Twitter win a prize.

I hope you all have as much fun cracking it as I did putting it together! :)


NjggNzQgNzQgNzAgNzMgNjMgNnMgNnAgNnMgNnIgNzMgNnAgNjEgNzMgNjggNzMgNnAgNjEgNzMg NjggNjQgNnAgNjQgNnMgNzQgNjcgNjUgNzQgNjQgNzIgNnMgNzAgNjIgNnMgNzggNjQgNnMgNzQg NjMgNnMgNnEgNzMgNnAgNjEgNzMgNjggNzUgNzMgNnAgNjEgNzMgNjggMzIgMzIgMzAgMzggMzAg NzMgNnAgNjEgNzMgNjggNjggNjkgNnIgNzQgNjQgNnMgNzQgNjggNzQgNnEgNnA=

© amigura.co.uk All Rights Reserved.