Malware

Malware has traditionally been easy to spot and classify, mainly because it was created to serve a specific nefarious purpose and nothing else. In the ongoing arms race between malware authors and the security industry, stealth and other ‘in plain sight‘ technologies are emerging as clear favorites. Case in point is a recent Craigslist phish, disguised as a phone update – nothing new about malware pretending to be something it isn’t, but that’s not where the story ends. Examining the executable shows that it is nothing more than a RAR self-extracting (SFX) archive – and thus not inherently malicious. ...

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last. Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions. The interesting thing is that when she plugged the phone to her PC via USB her Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into. ...

Hmmm. A new vector for malware: USB battery chargers. Wonderful. The U.S. Computer Emergency Response Team (CERT) is warning that Energizer DUO USB battery chargers have been found infected with a Trojan that loads backdoor malware on a victim PC along with its battery monitoring software. The charger copies a .dll file named UsbCharger.dll in the application’s directory and another named Arucer.dll in the Windows system32 directory. USBCharger sets a registry entry to autoexecute Arucer.dll when Windows starts. ...

There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it. We can’t say for definite, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel since it dumps you into #music IRC channels and makes sure you can accept various media files. Our tale begins with an Email, claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com: ...

Sources on a number of forums tell me that a certain application is going to be released into the wild in a few days, promoted heavily via sites such as Youtube to attract as many potential victims as possible. I thought it might be beneficial to get a head start on the bad guys and get word out before they hit their big green “Go” switch. What is it? I believe the following screenshot can answer that question: ...

We frequently read stories about spammers who can circumvent CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) authentication. Using bot-infected machines, they can create a vast number of random e-mail accounts for spamming purposes. This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendents later allegedly resold the tickets on Internet at much higher prices. ...

We all know Brazilian hackers have mastered the art of creating banking trojans. The Chinese are very fond of password stealers targeting online games. The bad guys do have preferences for what type of malware they are creating based on their geolocation. Well, I found this exploit source code from a domain named kuwait{removed}.com The exploit downloads a file named unek.exe, very well known to be an IRC bot. ...

Recently, We received some malicious files which appeared to be signed by “Adobe Systems Incorporated”. On closer inspection, however, it was seen that the signature was just a ruse used by the malware author to give an air of legitimacy to the files. Virus writers are getting smarter and going that extra mile to digitally sign their files. Using this technique the malware authors could, for example, penetrate an environment where only signed files are allowed but the authenticity of the signature is not checked. ...

Just when we thought SEO using Flash was as interesting as SEO poisoning can get, it seems it’s getting even sneakier… Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF. And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file. Three hours later… Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google’s cache. ...

As we have commented before when content served up from adservers is compromised, the effects can be far reaching, potentially exposing huge numbers of victims to the malicious code as they innocently browse legitimate sites. The problem is further complicated by the fact that legitimate ad content is often heavily obfuscated, in order to evade ad-blocking technology. During the latter half of this week we have seen a whole batch of compromised adservers injected with malicious JavaScript to silently load malicious content from a remote site. A significant number of popular sites that load ads content from these servers have therefore been affected by this attack. ...