Backdoor Uses Evernote as Command-and-Control Server

With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks. We recently uncovered a malware that appears to be using Evernote as a communication and control (C&C) server. The malware attempts to connect to Evernote via, which is a legitimate URL. The sample we gathered consists of an executable file, which drops a ....

March 29, 2013 · 1 min · 98 words · Omid Farhang

Turkish FlashPlayer? no! It’s malware

I recently came across the file “FlashPlayer.exe” during the course of regular research. The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish: Obviously, it’s disguised as an Adobe Flash Player 11 installer. Here is more info about the file:

File Name: FlashPlayer.exe
MD5: e2856b1ad6c74c51767cab05bdedc5d1
SHA1: 1ac150ddb964722b6b7c96808763b3e4d0472daf
CRC32: a8464606
SHA-256: b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88
SHA-512: e2d1388bd5feec51227cfa10a5606f7d3bc58f12ea95d688acb5178ff31a156a1092f739e7dd276f4c5368d89c33ed6a15b08ff5df294b9c3647905c1083921d
SHA-384: 5d622afcf87e33334a446df5dfd2be7769cab596cc9a121bfd6269bc85ee980f75e1a2d1472f0eb379788845230d883b
File Size: 561,152
Version: 2....

March 28, 2013 · 1 min · 98 words · Omid Farhang

Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Cross-posted from Securelist. The appearance of a new Android malware family is not that surprising at all today, especially when we talk about SMS Trojans, which are one of the most popular and oldest types of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago, but we’ve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland....

August 2, 2012 · 6 min · 1112 words · Omid Farhang

A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

Microsoft Malware Protection Center wrote: Recently, we’ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player and earlier is vulnerable. If you’re using a vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works, and here are the interesting details we found during the investigation....

May 25, 2012 · 1 min · 96 words · Omid Farhang

New CAPTCHA method or just another likejacking scam?

Sorin Mustaca wrote at Avira TechBlog: In case you’ve seen this on Facebook, try not to click on it even if you understand French (it appears to be only in French), because it will take you on a road where you don’t want to be. But we like to live dangerously, so we analyzed this for you. Continue Reading at Avira TechBlog:

February 13, 2012 · 1 min · 63 words · Omid Farhang

New worm targeting weak passwords on Remote Desktop connections (port 3389)

Microsoft Malware Protection Center: We’ve had reports of a new worm in the wild that generates increased RDP traffic for our users on port 3389. Although the overall number of computers reporting detections is low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of at Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems by exploiting weak administrator passwords....

August 29, 2011 · 2 min · 327 words · Omid Farhang

Analysis of TR/Spy.SpyEye

Avira TechBlog: SpyEye is a malware family which we have been monitoring for some time. Today we are analyzing a sample which is detected as TR/Spy.SpyEye.flh by Avira products. The Trojan is able to inject code into running processes and can perform the following functions:

Capture network traffic
Send and receive network packets in order to bypass application firewalls
Hide and prevent access to the startup registry entry
Hide and prevent access to the binary code
Hide its own process from injected processes
Steal information from Internet Explorer and Mozilla Firefox

A detailed analysis of this malware by Liviu Serban, Virus Researcher at Avira....

March 30, 2011 · 1 min · 120 words · Omid Farhang