Posts Tagged Malware
Fake Windows IME Trojan
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Vulnerabilities & attacks on July 11, 2010
Security researchers at Websense have discovered a new Trojan that abuses a Windows system component to disable and delete antivirus software and compromise the victim's machine.
The malicious program installs itself as a Windows input method editor (IME), then stops all antivirus processes, deletes their executable files and disguises itself on the system as an antivirus update package.
Websense has published a blog post describing how this Trojan infects a Windows system. Once the malware runs, a file named winnea.ime is created in the Windows system folder.
When the default input method is opened, the previously created winnea.ime is loaded and starts searching for installed antivirus products.
At the same time, winnea.ime drops a file called pcij.sys into the system folder and loads it as a driver.
Next, a DeviceIoControl call sends a control code to the pcij.sys driver, which kills the running process of any antivirus on its list.
It is clear that the Windows input method mechanism has become a popular way for hackers to load malicious code.
make sure you subscribe to my RSS feed!
Asprox is back!
Posted by Mourad Ben Lakhoua in Cybercrime, Cybercrime & Hacking, Vulnerabilities & attacks on June 27, 2010
Security researchers warn of a rapid increase in websites infected by the Asprox spam botnet. Asprox is now carrying out SQL injection attacks, which have allowed the botnet to double its presence: in a single night the number of compromised resources rose from 5,000 to 11,000.
The botnet typically starts by scanning for vulnerable hosts; when it finds a vulnerable website, it attacks that host.
M86 Security is currently monitoring and tracking the new threat. In a blog post, Rodel Mendrez reported that Asprox's behaviour has changed: where previously it only sent spam, it is now carrying out mass SQL injection.
As of this writing, there are three fast-flux domains that the bot attempts to contact.
CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU
These three servers are the bot's command and control servers; analysis of the malware binary reveals embedded SQL statements, as the picture shows:
Decrypting the XML file that the bot receives reveals information about the targeted website, as the screenshot shows:

Finally, a simple Google search shows that more than 5000 websites are already infected.

As you can see, criminals are always looking for new ways to spread their malware.
Fake YouTube Pages Spreading Malware
Posted by Mourad Ben Lakhoua in Cybercrime, Internet, News, Vulnerabilities & attacks on June 10, 2010
Researchers at the eSoft Threat Prevention Team have discovered thousands of fake websites that look like YouTube. Each site contains a video that leads to the installation of a downloader Trojan with a detection rate of less than 20% according to VirusTotal.
The sites closely mimic YouTube, with a high-quality design that makes them look legitimate and tricks victims. Cybercriminals exploit users' trust in YouTube's video hosting to infect as many machines as possible.
The pages advertise a “Hot Video”, such as “Want to see a revealing video about the Gulf oil spill in Mexico or the NBA Finals?”
This lures victims into agreeing to install the malicious application, and there is a high chance that their antivirus will not even flag the file.
According to the eSoft Threat Prevention Team, there are now over 135,000 such sites sprouting up all over the Web, and they can be found through a Google search. So do not blindly trust websites, keep your antivirus definitions up to date and use web filters to detect and block these threats.
Symantec Detects WoW Game as a Malware
Posted by Mourad Ben Lakhoua in Anti-Viruses, News on May 18, 2010
A new Symantec Antivirus update released this weekend detects the popular game World of Warcraft as a malicious application.
Instead of playing, users were forced to report their issue on the game forum, describing how Symantec AntiVirus flags scan.dll.new as a Trojan that steals user data. A number of posts revealed that the problem remains unsolved.
According to Internet Storm Center specialists, many false positives have been detected in recent months despite continuous improvements in the algorithms, programs and accuracy of antivirus products; this is due to the explosive growth in the number of different viruses.
Some reports indicate that about 50 000 new malware samples appear every day, which forces malware labs to speed up their signature updates and sometimes affects the quality of those updates, as in Symantec's case.
Building your OWN Malware Lab (Part 2)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on March 7, 2010
Today's malware strategies and tactics are advanced and sophisticated, and their main purpose is to evade antivirus products. Some samples use encryption to make detection difficult for any security product, others add autorun registry entries to defend themselves against anti-malware software, and some simply add a line to the hosts file to prevent the antivirus from updating its definitions.
ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode. The report produced by ThreatExpert includes very important information about the submitted file and is divided into two parts:
- Submission Summary:
  - File submission information (date, processing time and malware alias).
  - Summary of findings: the severity level and the impact on the machine (e.g. creates a startup registry entry, contains characteristics of an identified security risk, etc.).
- Technical Details:
  - Possible security risk: the threat category with a short description.
  - File system modifications (the filename modified by the malware, file size, file hash, alias and a brief note about the different systems concerned).
  - Memory modifications (whether a new process was created on the system).
  - Registry modifications (the registry values created, modified or deleted).
  - Other details (possible countries of origin according to the analysis).
To use ThreatExpert's services you can use the free online file scanner or install the ThreatExpert Submission Applet for a quick and easy way to submit samples, but before submitting any files you need to register an account in order to retrieve ThreatExpert reports.
What all the previous tools lack is analysis of suspicious network traffic. For web-based threats we can use Anubis, which lets the user submit a suspicious URL and receive a report showing all the activity of the Internet Explorer process while visiting that URL. The downside is that the service is slow.
Flash, JavaScript, and PDF files can be scanned and handled with Wepawet. Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or not and provides information to help you understand why it was classified one way or the other. It also displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples.
Another tool for analyzing Portable Executable (PE) files is MANDIANT Red Curtain (MRC). MRC examines multiple aspects of an executable file, looking at things such as entropy (in other words, randomness), indications of packing, compiler and packer signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” This score can be used to decide whether a set of files merits further investigation.
You can now quickly gather information about any suspicious file. Most of these tools are free and can produce a highly detailed report whose technical details match or exceed those of an antivirus lab.
Building your OWN Malware Lab (Part 1)
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking, Software Security, Tools on February 27, 2010
Malicious software such as viruses, worms and bots is currently one of the largest threats to the security of the Internet. Antivirus labs have invested a great deal of money in analyzing and reversing viruses, but in our case we can perform the analysis with some useful tools on our own PC.
Let's start with www.virustotal.com. If I suspect a file, the first thing I do is upload it to VirusTotal. VirusTotal analyzes any file with more than 40 antivirus products using their latest signature definitions, which gives a clear idea not only of whether the file is safe but also of which AV products are effective. The file can be uploaded directly from the site over SSL or sent by email. You can also download and install the uploader on your PC, which lets you send files directly from your system through the context menu.

When reversing malware today it is very important to understand the virus's behaviour. The user has to run the program and observe the changes it makes to the system, but doing that on the main system can damage it; for this we need Sandboxie. Sandboxie runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer. After installing Sandboxie you have a wide choice of tools for detecting and monitoring changes on the system: you can use Process Monitor from Sysinternals, API Monitor, or the free analysis tools from iDEFENSE Labs.
CWSandbox is another very nice tool for performing malware analysis that fulfills the three design criteria of automation, effectiveness and correctness for the Win32 family of operating systems. CWSandbox allows tracing and monitoring all relevant system calls and generating an automated report that describes:
• which files the malware sample has created or modified,
• which changes the malware sample performed on the Windows registry,
• which dynamic link libraries (DLLs) were loaded before executing,
• which virtual memory areas were accessed,
• which processes were created, or which network connections were opened and what information was sent over such connections.

Malware can be very hard to remove, and sometimes the best approach to cleaning an infected machine is to restore a clean copy of the operating system. This brings us to the end of this post in the new Building your own Malware Lab series.
Malware is Hiding in Amazon Cloud
Posted by Mourad Ben Lakhoua in Cloud Computing Security, Cybercrime & Hacking, News on December 12, 2009
Cybercriminals have made this week unforgettable for the Amazon team, after security researchers reported that a Zeus botnet control centre was hosted on the cloud-based EC2 (Elastic Compute Cloud).
The incident was detected after the password-stealing Zeus banking Trojan infected client computers; the attackers had compromised a site on EC2 and used it for their own command and control operation.
Methusela Cebrian Ferrer, senior researcher at CA, wrote the following in a blog post:
“The group behind this criminal activity is obviously doing it for financial gain – stealing both your identity and your money,” Ferrer stated. “In this variant, we have learned how cloud on-demand pay-as-you-use — offerings could be used to fuel such online cybercrimes.”
After this incident Amazon should review its entire environment to make sure it provides a minimum level of security for its customers.
We are also seeing a lot of attention focused on cloud-based solutions lately. Moxie Marlinspike has launched a new WiFi (WPA) password cracking service hosted in the cloud; the system works by comparing the hash from a WiFi access point against 135 million possibilities in 40 minutes.
AVG prepares an Anti-Virus for Mac OS and iPhone
Posted by Mourad Ben Lakhoua in News, Software Security on August 11, 2009
The days when Apple was secure are gone. The increasing popularity of Apple attracts not only fans but also hackers. After the recent reports of a vulnerability in the iPhone's SMS handling and the Mac keyboard hacking method, many security companies are now working to provide new ways to protect Apple users.
AVG, the security software company, announced on CNET UK that it is preparing a new fully functional antivirus for OS X and that by the end of 2010 it will produce a real-time scanner for the iPhone. However, the growth in iPhone application development has run into a problem: the current smartphone does not allow applications to run in the background, so it is currently impossible for these embedded systems to scan in real time.
AVG already provides a free product, AVG Anti-Virus Free Edition, and it is good to see AV companies focusing on the Mac community and games consoles.
Beware the MJ virus
Posted by Mourad Ben Lakhoua in Cybercrime & Hacking on July 3, 2009
ALABAMA, BIRMINGHAM – The world’s obsession with superstar Michael Jackson’s sudden death is being exploited by a range of digital crooks who – in at least one instance – are using it to infect computers with a virus that can steal bank-account numbers and passwords.
According to the University of Alabama at Birmingham (UAB) Spam Data Mine, cybercriminals are embedding the data-stealing virus in an e-mail “that claims to link you to a website that will reveal Michael Jackson’s killer”.
If you click on the message, you will open a door to malware that will invade your hard drive, dig up key information and even redirect certain Google searches you perform by inserting links to other virus-infected pages in the top positions of search results, warned Mr Gary Warner, UAB’s director of research in computer forensics.
In another e-attack, an Internet worm is being transmitted via a mass e-mail claiming to contain secret Jackson songs and photos, computer-security firm Sophos reported yesterday.
If you open the attachment, you risk infection. “Once infected, a computer will automatically spread the worm to other Internet users,” Sophos said.
Besides spreading via e-mail, Sophos experts note that the malware is also capable of spreading through an autorun component in USB memory sticks.
Even relatively less virulent e-attacks could land your e-mail address into a spam mailing list that is being compiled for sale.
The first Jackson-related cyber-threat emerged within eight hours of his death.
Sophos has also warned of another e-scam that is not malware, but rather a phoney humanitarian cause seeking money for the “Michael Jackson Organization”. – AGENCIES
[Source: digital.asiaone.com]
Harry Potter next up for hackers
Posted by Mourad Ben Lakhoua in News on June 29, 2009
Cyber criminals are using the new Harry Potter film to distribute malware, according to new research from security vendor PC Tools.
The firm said that hackers are using the increasingly popular tactic of ‘black hat’ search engine optimisation (SEO) to infect users keen to download the film before it is screened.
The criminals are pushing optimised links to malicious sites into the blogosphere, accompanied with text intended to attract interest, such as ‘Watch Harry Potter and the Half-Blood Prince online free.’
These links take the unsuspecting user to a blog site containing images of the movie and more links. However, clicking on any of these will redirect users again to a site prompting them to download and install a ‘streamviewer’ which contains the malware, according to PC Tools.
The firm is predicting that these tactics will be used in peer-to-peer and other file-sharing networks with increasing regularity over the coming months.
Black hat SEO manipulation attacks are becoming an increasingly common way for malware writers to cash in on a big event and spread malware. They were launched soon after the death of actor Heath Ledger, and have already been seen in the past day after the death of actress Farrah Fawcett.
Rik Ferguson, senior security adviser at security vendor Trend Micro, said that he “fully expected” to see black hat SEO techniques and spam runs using the news of Michael Jackson’s death as bait to ensnare unsuspecting users.
[Source: V3.co.uk]