Multiple personality disorder?

Are malware authors and spammers suffering from the same affliction of “word salad”, or are they perhaps devoted students of Afringlish? Why else would one combine random words in an attempt to look legitimate? The reason is a simple one – not only are humans good at associating meaning to names, they are also exceptionally good at filling in the blanks, while machines are not. Thus, by carefully selecting particular names for insertion into the version information of malware samples, such as those of reputable software houses, the authors attempt to exploit this human condition. Presumably, they also hope to bypass security scanners which approve files based on such superficial attributes. ...

March 1, 2010 · 1 min · 182 words · Omid Farhang

Analyzing PDF Files

We’ve been seeing a gradual shift in malicious PDF file coding (no surprise there, we know malware authors can and do adapt their techniques). For a long time, we saw malicious PDF files that were simple enough to allow us to readily decipher the intent of the malicious code — shell code, download/execute, drop and load, et cetera. Now we’re seeing more and more complex obfuscation being used, which requires us to break down the PDF file. This can make an Analyst’s daily life more miserable or interesting, especially as the obfuscation can bypass automated analysis tools and even AV detectors. ...

March 1, 2010 · 1 min · 166 words · Omid Farhang

Massive Earthquake in Chile Leads to a Surge of Rogue Antivirus

A massive earthquake struck near the Chilean city of Concepcion in the early hours of the morning of February 27th, 2010. The quake, measuring 8.8 on the Richter scale, was considerably stronger than the one that recently caused widespread destruction on the island of Haiti. Fortunately, despite the size of this latest quake, so far there have been few reported casualties. The quake occurred near the coast and tsunami warnings were issued for many countries bordering on the Pacific Ocean. Unfortunately, as with any major news event, miscreants are not slow to pounce when such opportunities arise to further their aims. ...

March 1, 2010 · 2 min · 243 words · Omid Farhang

SEO poisoning not in well, but it’s aiming for the water heater

People looking to take advantage of the savings from the government during these harder financial times are being hit with other financial burdens (Rogue AV software). Our (environmentally conscious) researcher Adam Thomas heard about a “green” hot water heater that might be a good addition to his Earth-friendly home. So he did a Web search for “GE geo spring water heater.” What he found wasn’t Earth or anything else-friendly! SEO poisoning galore: ...

February 26, 2010 · 1 min · 112 words · Omid Farhang

Insight into fake AV SEO

In this post I want to highlight how SEO attacks are working: pages using server-side kits to fool search engine bots into ranking them high in results are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, links to these pages appear high up in the search engine results. In the example below, the malicious SEO page was the 2nd item in the search results (highlighted in blue). When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below). There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org to the .in site (purple). Finally, the user will be redirected to the fake AV distribution site (red). This is where the user receives the usual visual trickery, in order to fool them into installing the rogue application. ...

February 26, 2010 · 2 min · 419 words · Omid Farhang

Troj/IFrame-DY: Old websites don’t die they just get infected

Earlier this week Sophos informed a UK Local Police Authority (Hertfordshire) that a website they owned was infected with Troj/IFrame-DY. It turns out that the Police Authority has a new site, and the infected site is an old one that just leads the user to the new site. Unfortunately, the old site also contains a malicious script, appended after the closing /HTML tag. ...

February 26, 2010 · 1 min · 138 words · Omid Farhang

Do I Know You?

Imagine that you’re sitting at home catching up on your email backlog. In comes an email from your ISP, FooBarBazCo (some creativity required here, I know). The email seems to be from Technical Support – ‘From: FooBarBazCo.com Team’ – and states that you need to update your email settings as a result of a recent security upgrade. Can you trust it? Today we observed an increase in spam messages containing links to a particular malicious URL. The messages masquerade as having come from mail administrators, with the ‘from’ address spoofed so that they appear to have come from the same network domain as the address to which the mails are sent (the ‘from’ and ‘to’ addresses are actually identical, although this will not be visible in most email programs). ...

February 26, 2010 · 2 min · 247 words · Omid Farhang

Zeus botnet continues: 2,500 victims estimated

Herndon, Va., forensics firm NetWitness has said that the Zeus botnet has breached the networks of nearly 2,500 organizations in nearly 200 countries, including 10 U.S. federal agencies. NetWitness researchers said many victims are Fortune 500 companies in energy, finance and high tech sectors. NetWitness based its conclusions on information from a 75-gigabyte collection of data that they intercepted. It was information the botnet had stolen in one month. ...

February 21, 2010 · 1 min · 141 words · Omid Farhang

Exploit for zero-day vuln in Firefox is for sale

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available though, since he’s put it in a module to the automated exploitation system he sells (reportedly at a considerable price.) Legerov has not provided information on the vulnerability to Mozilla. The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.” ...

February 21, 2010 · 1 min · 179 words · Omid Farhang

Antivirus NOT

“Dammed thieves. Stole our logo. I suppose we should be flattered, though.” — A.E. Old rogue, new package: AntivirusProtectionCenter. av2009.exe: crc6:7f3d73762762 crc8:003091628c68decc md5:d71d1e303ab963fdae76936ba52a05b7. AMC.exe: crc6:1d6922972762 crc8:003005cfbb91b729 md5:e5555754fd758fc2be1374796f9433e2. The hashes differ from their PersonalAntiMalware, added 2/16/2010. opener_.exe: crc6:8ee75c08081d crc8:00dc55e5aaa82efa md5:5bb290cd1eb419ca98ca1f31273f7219 ...

February 21, 2010 · 1 min · 60 words · Omid Farhang