Analyze on Omid Farhang

Backdoor Uses Evernote as Command-and-Control Server

Fri, 29 Mar 2013 00:53:00 +0000

With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks.

We recently uncovered a malware that appears to be using Evernote as a communication and control (C&C) server. The malware attempts to connect to Evernote via https://evernote.com/intl/zh-cn, which is a legitimate URL.

The sample we gathered consists of an executable file, which drops a .DLL file and injects it into a legitimate process. The said .DLL file performs the actual backdoor routines.

Turkish FlashPlayer? no! It’s malware

Thu, 28 Mar 2013 17:37:00 +0000

I recently came across the file “FlashPlayer.exe” during the course of regular research.

The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:

Obviously, it’s disguised as an Adobe Flash Player 11 installer.

Here is more info about the file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


File Name: FlashPlayer.exe
MD5: e2856b1ad6c74c51767cab05bdedc5d1
SHA1: 1ac150ddb964722b6b7c96808763b3e4d0472daf
CRC32: a8464606
SHA-256: b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88
SHA-512: e2d1388bd5feec51227cfa10a5606f7d3bc58f12ea95d688acb5178ff31a156a1092f739e7dd276f4c5368d89c33ed6a15b08ff5df294b9c3647905c1083921d
SHA-384: 5d622afcf87e33334a446df5dfd2be7769cab596cc9a121bfd6269bc85ee980f75e1a2d1472f0eb379788845230d883b
File Size: 561,152
Version: 2.01
Source: hxxps://flash-player-download.com/FlashPlayer.exe

VirusTotal: Latest Report

Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Thu, 02 Aug 2012 14:21:00 +0000

Cross-posted from Surelist

The appearance of a new Android malware family is not that surprising at all today. Especially when we talk about SMS Trojans which are one of the most popular and oldest type of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago but we’ve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland.

A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

Fri, 25 May 2012 09:19:00 +0000

Microsoft Malware Protection Center wrote:

Recently, we’ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you’re using vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works and here are the interesting details we found during the investigation.

New CAPTCHA method or just another likejacking scam?

Mon, 13 Feb 2012 17:19:00 +0000

Sorin Mustaca wrote at Avira TechBlog:

In case you’ve seen this on Facebook, try to not click on it even if you understand French (it appears to be only in Franch) because it will take you on a road where you don’t want to be.

But, we like to live dangerous, so we analyzed this for you.

Continue Reading at Avira TechBlog: http://techblog.avira.com/2012/02/13/new-captcha-method-or-just-another-likejacking-scam/en/

New worm targeting weak passwords on Remote Desktop connections (port 3389)

Mon, 29 Aug 2011 14:13:00 +0000

Microsoft Malware Protection Center: We’ve had reports of a new worm in the wild and that generates increased RDP traffic for our users on port 3389. Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A.

Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process.

Analysis of TR/Spy.SpyEye

Wed, 30 Mar 2011 14:48:00 +0000

Avira TechBlog: SpyEye is a malware family which we are monitoring for some time. Today we are analyzing a sample which is detected as TR/Spy.SpyEye.flh by Avira products.

The Trojan is able to inject code in running processes and can perform the following functions:

Capture network traffic
Send and receive network packets in order to bypass application firewalls
Hide and prevent access to the startup registry entry
Hide and prevent access to the binary code
Hide the own process on injected processes
Steal information from Internet Explorer and Mozilla Firefox

A detailed analysis of this malware by Liviu Serban, Virus Researcher at Avira.