Messages from Malware authors in Malware

During our analysis of the different malware families we sometimes stumble upon some messages inside the viruses placed there by their authors. For example, the TDSS Trojan family is known to contain random strings from “Hamlet” and from the Bible. Also there is the Koobface family which contains random sentences – mostly taken from Wikipedia articles, like in the last variant we discovered, about the Tower of London. TDSS: ...

October 2, 2010 · 1 min · 189 words · Omid Farhang

Stuxnet in the news

The Stuxnet Trojan is very well covered in the media as more and more details about its sophisticated code become public. It abuses four previously unknown security vulnerabilities in Windows to enter the system and specializes in attacking Siemens process control systems. One interesting piece of information that hasn’t received much attention yet comes from heise Security: the nuclear plant in Busheer isn’t really the target of the worm, as rumours say, because the attacked systems aren’t approved for use in nuclear plants. ...

September 30, 2010 · 1 min · 81 words · Omid Farhang

More Spam with JavaScript redirectors

We received new spam emails which contain a JavaScript redirector in the form of an HTML attachment. The emails we received have the subject “Consultation Appointment”. The decrypted JavaScript consists of new JavaScript code. This JavaScript redirector loads yet another JavaScript file from the internet. The domain hosting the malicious .js is registered to someone from Malaga. Domain tools show that this person has registered about 2,400 other domains. ...

September 23, 2010 · 1 min · 96 words · Omid Farhang

Security issues on Android

One unique security feature of Android is the permission check when installing third-party apps. The system lists all permissions that an app requires and asks the user to confirm that this is acceptable. Such permissions include access to your location, sending or receiving text messages, internet access, phone calls and many more. The user can be sure that the app is not doing any of these activities without the appropriate permission. If the developer forgets to add a particular permission, the operating system will simply block the corresponding function, which leads to a “Force Close”, meaning the app will be terminated. ...

September 20, 2010 · 4 min · 670 words · Omid Farhang

“Here you have” worm linked to cyber jihadists

A worm collectively dubbed by the security industry as the “Here you have worm” has been making its way onto corporate networks over the past 24 hours. The worm arrives via e-mail using the subject line “Here you have” or “Just For you“ along with an executable disguised as a PDF file. It first appeared last month sending spam e-mails from [email protected]. The worm creates the following files: (Note: See the full report in our sandbox -> http://x.maldb.com/?p=44309#more-44309) ...

September 11, 2010 · 2 min · 307 words · Omid Farhang

Malicious warez site offers Firefox 4.0 beta download scam

Like a lot of seedy stuff, this started with a Twitter post. The current working version of Mozilla’s Firefox browser is 3.6.8. Version 4 is in beta testing. You get them FREE from Mozilla. Why would you need a crack (a program with its password protection broken) or a keygen (an application that generates a password for a password-protected program) for something that is FREE? ...

August 29, 2010 · 1 min · 176 words · Omid Farhang

The bad guys are going after the Pirates

File-sharing organization Pirate Bay has been controversial for a long time, like maybe the length of its entire existence. It’s been in the news recently because a number of governments are trying to shut it down. That’s a situation ripe for social engineering. We found this scheme this morning: a number of typo-squatting sites carrying the following. (Note: the REAL Pirate Bay site is thepiratebay.org.) What would lead a victim to this? The phony site piratebay.com (below) comes up as the third result on a Google search for “piratebay” or fourth for “pirate bay.” ...

August 29, 2010 · 1 min · 189 words · Omid Farhang

DLL Hijacking Evolved

Back in November 2007, I’ve seen this technique used by one of the variants of a worm called W32/Drom. The technique was not used to execute the malicious file or component of the worm but to prevent the antivirus program from running. The worm queries the following antivirus registry entries to get the installation path; once acquired, it creates a folder named “ws2_32.dll” with Hidden and System attributes in that location. ...

August 27, 2010 · 1 min · 199 words · Omid Farhang

Brand new 0-day Exploit. The world is going to end! Yet again

Sigh.
The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well-documented feature of Windows. It has actually been around since the DOS days. In the old days we used to call these Companion viruses. It worked by using a different file extension that would be executed before the real executable. For example, if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path, and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect. ...

August 27, 2010 · 3 min · 440 words · Omid Farhang

My “friend” has invited me “to Twitter!”

“What are you doing?” “To join or to see who invited you, check the attachment.” Hmmm. That looked interesting. After I clicked on it (in a virtual environment), Yahoo renamed the attachment from “Invitation+Card.zip” to “Neutral.gif” and gave a warning: Nice work, Yahoo.

August 14, 2010 · 1 min · 42 words · Omid Farhang