
Thu, 30 Jul 09
Greetings from Las Vegas
http://pandalabs.pandasecurity.com/archive/Greetings-from-Las-Vegas.aspx


 

Today, Sean-Paul and I are at the Black Hat conference to discuss our latest research on the rogueware economy. We have been meeting with many people over the last few days, and most recently we spoke at the Security BSides conference.

We published the full study "The Business of Rogueware" this morning. You can access it here.

If you are in town and would like to meet with us, just send us a message on Twitter and we would be glad to meet you.

 Luis: @Luis_Corrons
 Sean-Paul: @lithium

Tue, 28 Jul 09
3rd Panda Challenge solution & winners
http://pandalabs.pandasecurity.com/archive/3rd-Panda-Challenge-solution-_2600_-winner.aspx


 

The 3rd and final Panda Challenge has ended. You had to find some hidden text, which was the following:

"Panda Cloud Antivirus provide Advanced Protection against new and uNknown viruses. cloudAntivirus "

And the winner of the Amazon Gift Card and the AV license, who sent the right answer in less than 4 hours, is:

Simon Elén

And the winners of the AV license:

Andrey Belenko
Lose Myself
William Whistler
Vladimir Gneushev


Thank you all for participating.


Tue, 21 Jul 09
2nd Panda Challenge solution & winners
http://pandalabs.pandasecurity.com/archive/2nd-Panda-Challenge-Solution-_2600_-Winners.aspx


 

As I promised, this challenge was quite a bit more difficult. Here is the solution:

The file we created is a program that reads data from standard input and writes data to standard output. It generates random 50x50 labyrinths, and to solve the challenge you have to write a program that, by communicating with it, automatically finds the way out of the labyrinth; obviously, the labyrinth itself is not visible.

Players can move north, south, east and west, as well as diagonally (northeast, southeast, etc.), and can ask for their position. The reversers have to work out which commands move the player in each direction and which command asks for the current position.

By the way, the labyrinth generator is deliberately "imperfect": a labyrinth may or may not have a solution. However, once you understand the protocol, you can calculate your exact position in the labyrinth and ask for a new labyrinth if you think the one you are in has no exit.

Additionally, it has some other catches:

1.- If the players make 6 consecutive mistakes, the game is over.
2.- If the players enter a wrong character, the game is over.
3.- From a certain row on, random "fire" can appear. If the players do not change their position, that is, if the move they made is invalid, they "burn" and, obviously, the game is over.
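
The protocol described above, simulated and solved blind as an added example (this is not the challenge binary's code, nor PandaLabs'): a stand-in labyrinth oracle that enforces the 6-consecutive-mistake and wrong-character rules, and a depth-first solver that works only from position queries and move replies, makes a known-safe round trip whenever one more wall bump would end the game, and returns None when the reachable maze has no exit, which is the point at which you would ask for a new labyrinth. The command letters (N/S/E/W plus A-D for the diagonals), the '?' query, the reply strings and the "exit is any cell on the last row" rule are assumptions; the fire rule is left out.

```python
# Command letters, the '?' query, reply strings and "exit = any cell on the last row" are
# assumptions for this simulation, not the real challenge binary's protocol.
MOVES = {'N': (-1, 0), 'S': (1, 0), 'E': (0, 1), 'W': (0, -1),
         'A': (-1, 1), 'B': (1, 1), 'C': (1, -1), 'D': (-1, -1)}  # A..D = NE, SE, SW, NW
OPPOSITE = {'N': 'S', 'S': 'N', 'E': 'W', 'W': 'E', 'A': 'C', 'C': 'A', 'B': 'D', 'D': 'B'}
MAX_MISTAKES = 6                                       # rule 1 from the post

class Labyrinth:                                       # stand-in for the hidden program
    def __init__(self, rows, start=(0, 0)):            # rows: '#' is wall, '.' is open floor
        self.grid, self.pos, self.mistakes, self.over = rows, start, 0, False
    def command(self, c):
        if self.over:
            return 'GAME OVER'
        if c == '?':                                   # position query
            return '%d,%d' % self.pos
        if c not in MOVES:                             # rule 2: any wrong character ends the game
            self.over = True
            return 'GAME OVER'
        r, k = self.pos[0] + MOVES[c][0], self.pos[1] + MOVES[c][1]
        if 0 <= r < len(self.grid) and 0 <= k < len(self.grid[r]) and self.grid[r][k] == '.':
            self.pos, self.mistakes = (r, k), 0        # a valid move resets the mistake count
            return 'OK'
        self.mistakes += 1                             # walking into a wall is a mistake
        self.over = self.mistakes >= MAX_MISTAKES
        return 'GAME OVER' if self.over else 'WALL'

def solve(lab, height, width):
    """Blind depth-first search driven only by the oracle's replies. Returns the commands
    that reach the last row, or None if the reachable part has no exit (ask for a new one)."""
    r, k = map(int, lab.command('?').split(','))
    path, visited, frontier, streak = [], {(r, k)}, [iter(MOVES)], 0
    while frontier and not lab.over:
        if r == height - 1:
            return path
        if streak == MAX_MISTAKES - 1 and path:        # one more bump would end the game:
            lab.command(OPPOSITE[path[-1]])            # make a known-safe round trip to reset it
            lab.command(path[-1]); streak = 0
        try:
            c = next(frontier[-1])
        except StopIteration:                          # dead end: step back the way we came
            frontier.pop()
            if path:
                back = OPPOSITE[path.pop()]
                lab.command(back)
                r, k, streak = r + MOVES[back][0], k + MOVES[back][1], 0
            continue
        nr, nk = r + MOVES[c][0], k + MOVES[c][1]
        if not (0 <= nr < height and 0 <= nk < width) or (nr, nk) in visited:
            continue                                   # the size is known, so never bump the border
        if lab.command(c) == 'OK':
            r, k, streak = nr, nk, 0
            visited.add((r, k)); path.append(c); frontier.append(iter(MOVES))
        else:
            streak += 1
    return None
```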

Well, this time we received only 22 answers, and the winner of the 250€ Amazon gift card, who was the first to solve the challenge correctly, is:

Kaspars Osis

And the winners of the AV license:

William Whistler
Matthew Hinson
Vladimir Gneushev
bbuc

Thank you all for participating. Tomorrow I will publish the last challenge, with which you can win another Amazon gift card, this time worth 450€.




Tue, 14 Jul 09
1st Panda Challenge solution & winners
http://pandalabs.pandasecurity.com/archive/1st-Panda-Challenge-solution-_2600_-winners.aspx






First of all, let me thank you all for participating in this challenge. The solution is described below:

The binary was packed with UPX, and we renamed one section to .reloc to make it "uncomfortable" to work with in IDA. Renaming the section back to its original name (UPX0) overcomes this obstacle.

Next, we have the unpacked PE file. When run, nothing happens unless you pass a parameter; a basic analysis with a debugger will tell you that. You could then try to brute-force the parameter, but there is a smarter way: the file carries another file attached as a resource, a JPEG XORed with a single-byte 0xFF mask. The file is named Acrostic.JPG, and once decoded it shows the following text:

To solve
almost each
known challenge you could
easily find
a solution.
Look carefully
on each word,
on each sentence, because
knowledge is hidden.
At this time you'd probably
take into account that this is not
more than garbage or
encrypted text...


Taking a look at it, you will notice the hidden message in the first letter of each line:

[T]o solve
[a]lmost each
[k]nown challenge you could
[e]asily find
[a] solution.
[L]ook carefully
[o]n each word,
[o]n each sentence, because
[k]nowledge is hidden.
[A]t this time you'd probably
[t]ake into account that this is not
[m]ore than garbage or
[e]ncrypted text...

Read downwards, the initials spell TAKE A LOOK AT ME.

Once you take a look inside the file, the following message can be seen:

>>> USE easy_challenge as pwd!!!! (STAGE 1/2)<<<

Running the file with easy_challenge as the parameter, the following message box appears:



Oric Atmos is the name of an old 8-bit microcomputer.

The program takes the name of the file and calculates its CRC32, which yields a 32-bit value. With this value, a new hidden message is decoded. In this case the result is not shown on screen but stored in an internal variable (just to make things a little awkward). You have to pay attention to notice that the text is there (it is something you see straight away when analyzing the disassembled code).

And the final hidden message is:

Congratulations!!
You reached the end of this crackme. 
The secret message is "There is no place like 8 bit world!"
Panda Security AMR Team 2009
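
Two of the steps above, the masked JPEG resource and the acrostic, worked through in Python as an added example (not the challenge's or PandaLabs' own code): rather than assuming the 0xFF mask, the recovery routine tries every single-byte XOR key against the JPEG start-of-image marker, which is how you would approach a resource that merely looks like noise, and the acrostic reader pulls the initials out of the decoded text. The sample resource bytes are constructed; the mask value and the acrostic text come from the post.

```python
JPEG_SOI = b'\xff\xd8\xff'                    # start-of-image marker every JPEG begins with

# Constructed sample: the first bytes of a JPEG header under the 0xFF mask used in the challenge.
SAMPLE_RESOURCE = bytes(b ^ 0xFF for b in b'\xff\xd8\xff\xe0\x00\x10JFIF\x00')

# The text recovered from Acrostic.JPG, as quoted in the post.
ACROSTIC_TEXT = """To solve
almost each
known challenge you could
easily find
a solution.
Look carefully
on each word,
on each sentence, because
knowledge is hidden.
At this time you'd probably
take into account that this is not
more than garbage or
encrypted text..."""

def xor_single_byte(data, key):
    """Apply a one-byte XOR mask; XOR is its own inverse, so this both masks and unmasks."""
    return bytes(b ^ key for b in data)

def recover_masked_jpeg(blob):
    """Try all 256 single-byte keys against the SOI marker, the way an analyst would when a
    resource looks like noise. Returns (key, unmasked bytes), or None if no key yields a JPEG."""
    for key in range(256):
        if xor_single_byte(blob[:len(JPEG_SOI)], key) == JPEG_SOI:
            return key, xor_single_byte(blob, key)
    return None

def acrostic(text):
    """Hidden message: the first letter of every non-empty line, as the resource name hints."""
    return ''.join(line.lstrip()[0] for line in text.splitlines() if line.strip()).upper()
```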


As you can see, it was not that hard, was it? In fact, we received more than 100 answers in the first hours, 44 of them correct. The winner of the Amazon Gift Card and the AV license, who sent the right answer in just 24 minutes, is:

Bbuc

And the winners of the AV license:

Kaspars Osis
Vyacheslav Rusakov
kokezaru
김지환 DB분석팀

Thank you all for participating. Tomorrow I will publish the second challenge, which I promise is going to be much harder ;-)




Sat, 11 Jul 09
Koobface.DU returns to Twitter
http://pandalabs.pandasecurity.com/archive/Koobface.DU-returns-to-Twitter.aspx


A few days ago the Koobface worm started to appear on Twitter. Today it returns, hijacking several Twitter user accounts to help propagate the worm. The malicious tweets start with the text "My Home Video :)" followed by a link to one of 20 or so malicious sites.

Koobface.DU.worm | Twitter Search

Once on the malicious site, the victim is presented with a fake Flash update. After downloading two additional executables from a domain hosted in Belgium, the infection immediately starts communicating with Facebook and Twitter.

Koobface.DU.worm | Flash Check

Fake codec site:

Koobface.DU.worm Download



Connections:

Koobface.DU.worm Connections

After attempting to spread the infection on Facebook and Twitter, W32/Koobface.DU.worm further capitalizes on its efforts by installing the Adware/InternetAntivirusPro rogue antivirus.

Koobface.DU.worm | Rogueware

Twitter has responded to the threat quickly and has already begun removing the malicious tweets. At the time of writing, we detected around 100 malicious tweets still active.

Visual representation of malicious tweets:

Koobface.DU.worm | Visual Twitter Representation

Wed, 8 Jul 09
Panda Challenge - "All that glitters is not gold"
http://pandalabs.pandasecurity.com/archive/Panda-Challenge-_2D00_-_2200_All-that-glitters-is-not-gold_2200_.aspx




Arrizen is the creator of this challenge. I have the full explanation, and even though he says it's really easy, I'm not so sure :-)

This is everything Arrizen wants you to know before starting:

“All that glitters is not gold”

The file can be downloaded here. Enjoy yourselves, and don't forget to send the challenge solution and the explanation of how you got it to pandachallenge at pandasecurity dot com.

I will be publishing updates on Twitter, and next Monday I'll let you know the final results.


The terms and conditions of the competition can be downloaded from here.






Tue, 7 Jul 09
Quarterly Report April-June 2009
http://pandalabs.pandasecurity.com/archive/Quarterly-Report-April_2D00_June-2009.aspx


We've just published our latest quarterly report. Apart from the figures for Q2, you'll find some interesting articles on topics such as:

- Waledac
- BlackHat SEO
- Twitter Trends
- Malware seeding via spam

It makes good reading while you wait for the 1st Panda Challenge ;-)

English:

Spanish:

Enjoy!

Tue, 7 Jul 09
New Storm Worm: Waledacs
http://pandalabs.pandasecurity.com/archive/New-Storm-Worm_3A00_-Waledacs.aspx


After several months of calm, a new Waledac campaign has just started. This time a significant date is used as the social engineering hook: Independence Day, celebrated on the 4th of July.

Nearly 30 domains are being used to spread this malware using the following interface:

Waledacs

After clicking the video, a message prompts the user to download an executable file. The names it uses are the following: fireworks.exe, video.exe, install.exe, patch.exe, setup.exe and run.exe.

The affected computer sends spam messages like this:

 

Fri, 3 Jul 09
Panda Challenge
http://pandalabs.pandasecurity.com/archive/Panda-Challenge.aspx




It's summer time, the days are longer and we have some extra spare time to enjoy a bit of reversing, don't you think? Some weeks ago we launched a reversing challenge in Spain, and even though we received more than 800 answers, no one was able to solve all 3 challenges.

Now we have decided to create 3 new challenges so that we can see what you are capable of. I will publish the first and easiest one on July 7th, the medium one on July 14th and the hardest on July 21st.

Even though I know you guys do this just for fun, we'll give you some incentives; we will reward the first one to solve each challenge with an Amazon Gift Card:

- Easy challenge: 150€ Amazon Gift Card
- Medium challenge: 250€ Amazon Gift Card
- Hard challenge: 450€ Amazon Gift Card


For each level we'll also give an AV license to the first 5 winners. That's it! The solution, as well as the explanation of how you got it, should be sent to pandachallenge at pandasecurity dot com.

I will be publishing updates on the blog and also on Twitter.


The terms and conditions of the competition can be downloaded from here.
 