Wednesday, December 15, 2010

RapidShare used to spread rogueware

Besides the usual spam this morning, along the lines of "very good news . now you can buy new iphone 4 from this site! ",

I had also received an email from someone I know. It was sent to all of his contacts, including me. The message only contained the following URL:


Link to Rapidshare to download a file called "surprise.exe". I have obfuscated the URL for your safety.

It comes as no surprise that this file is actually rogueware by the name of Security Shield. Below you can find an example screenshot of this rogue:


Security Shield rogueware


surprise.exe
Result: 11/42 (26.2%)
MD5: a6af97e7a5fd59c82b4c08a568eae882
VirusTotal
Anubis Report
ThreatExpert Report

When executing the downloaded file ( surprise.exe ):



Conclusion


Besides coming from a trusted person, this rogueware program is also using Rapidshare as a 'mirror' for spreading. Also, the file has the name "surprise.exe" which may convince you even further that your friend has just sent you a message with a nice surprise e-card or similar. After all, you know the person who sent it, why would it hurt ?

The above pictures prove why. I doubt you'd want some rogueware sitting on your computer. The trick is that you should never trust an email which has:

- only a URL included in the message
- crappy spelling and grammar if there is content in the message
- been sent out to everyone in the sender's address book
- been sent from an unknown sender
- promises you can buy something for a very cheap price
- no subject or a strange subject (e.g. "0 enjoy yourself")
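To turn that checklist into something a mail filter can actually apply, here is an added example of mine (it is not part of the original post): a small Python scorer that runs the six rules over three constructed sample messages. The sample messages, the bargain-phrase list and the ten-recipient threshold are assumptions made for the demonstration.

```python
"""Triage e-mails against the red-flag checklist from the post.

Added example: the three messages below are constructed samples, not real
spam, and the thresholds (e.g. ten visible recipients) are my own assumptions.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Phrases that usually accompany "too good to be true" offers (assumed list).
BARGAIN_RE = re.compile(r"\b(cheap|discount|only\s*\$?\d+|buy new|lowest price)\b",
                        re.IGNORECASE)
MASS_MAIL_THRESHOLD = 10   # assumption: this many visible recipients is a blast


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    recipients: int        # addresses in To/Cc
    sender_known: bool     # sender is in the reader's address book


def looks_sloppy(text: str) -> bool:
    """Crude proxy for bad spelling/grammar: a space before punctuation or a
    sentence starting in lower case. Not a spell checker."""
    return bool(re.search(r"\s[.,!?]", text)
                or re.match(r"[a-z]", text)
                or re.search(r"[.!?]\s+[a-z]", text))


def strange_subject(subject: str) -> bool:
    """Empty subject, or one starting with a digit or without any letters,
    like the post's example '0 enjoy yourself'."""
    s = subject.strip()
    return s == "" or s[0].isdigit() or not re.search(r"[A-Za-z]", s)


def red_flags(mail: Email) -> list:
    """Return the names of the checklist items the message trips."""
    flags = []
    body = mail.body.strip()
    urls = URL_RE.findall(body)
    if urls and URL_RE.sub("", body).strip() == "":
        flags.append("url_only_body")          # nothing but a link
    elif body and looks_sloppy(body):
        flags.append("sloppy_text")            # crappy spelling/grammar
    if mail.recipients >= MASS_MAIL_THRESHOLD:
        flags.append("mass_mailing")           # sent to the whole address book
    if not mail.sender_known:
        flags.append("unknown_sender")
    if BARGAIN_RE.search(body) or BARGAIN_RE.search(mail.subject):
        flags.append("bargain_offer")          # "buy X for a very cheap price"
    if strange_subject(mail.subject):
        flags.append("strange_subject")
    return flags


def verdict(mail: Email) -> str:
    """Two or more flags: suspicious; one: caution; none: ok."""
    n = len(red_flags(mail))
    return "suspicious" if n >= 2 else ("caution" if n == 1 else "ok")


# Constructed samples mirroring the two mails described in the post.
SURPRISE_MAIL = Email(sender="friend@example.com", subject="",
                      body="http://example.com/files/surprise.exe",
                      recipients=40, sender_known=True)
IPHONE_SPAM = Email(sender="promo@example.net", subject="0 enjoy yourself",
                    body="very good news . now you can buy new iphone 4 from "
                         "this site! http://example.net/shop",
                    recipients=1, sender_known=False)
NORMAL_MAIL = Email(sender="colleague@example.org", subject="Meeting notes",
                    body="Hi, here are the notes from today: http://example.org/notes",
                    recipients=2, sender_known=True)

if __name__ == "__main__":
    for m in (SURPRISE_MAIL, IPHONE_SPAM, NORMAL_MAIL):
        print(m.subject or "<no subject>", red_flags(m), verdict(m))
```

The URL-only rule is deliberately checked before the spelling heuristic: a message that is nothing but a link has no text to judge, and counting it as "sloppy" as well would double-score the same symptom.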

If you have downloaded a program and you are unsure about its intentions, you can always upload it to VirusTotal or other online virus scanners (VirScan, Jotti). Keep in mind that if a file is not detected by any engine, it is not necessarily clean!

Peace out.

Saturday, December 4, 2010

new rogue: PCoptimizer 2010

As already stated in my previous post, there are two new rogues (rogue security software, rogueware) lurking around:

PrivacyGuard 2010 and PCoptimizer 2010

You can be presented with either of these GUIs:


PrivacyGuard 2010 (picture: BleepingComputer)



PCoptimizer 2010


If you execute any program, you can be presented with the following pop-up:


PCoptimizer 2010 pop-up


I also made a small video on how you can disable this rogue and access your programs again. In this video I targeted PCoptimizer 2010, but you can also apply these steps on PrivacyGuard 2010.



Direct link to HD video on YouTube


6 easy steps:

1) Go to Start > Run
2) Type in: C:\windows\system32
3) Find taskmgr.exe and make a copy
4) Paste taskmgr.exe on your desktop (for example) and rename to explorer.exe
5) Locate the process for the rogue (in this case, PCoptimizer 2010.exe) and click on End Process
6) You can now execute your Antivirus or Antimalware tools again, or browse the internet and download one :) .

Thursday, December 2, 2010

new rogue domain: privacyguard2010.com


Registrant Contact:
Name: Bayangol Duureg, Undsen Khuuliyn Gudamj 24
Address: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Ulaanbaatar
Country: Mongolia

hxxp://privacyguard2010.com
Result: 3/17 (18 %)
Domain Hash: fec975d80b19c2ec3ce80fac1cd7800b
Note: this page does not trigger a "scan" of your computer, however, you can download a malicious file. Visit at own risk !

Some related domains:
hxxp://pcprotectioncenter.com/
hxxp://privacycorrector.com/
hxxp://pcoptimizer2010.com/
hxxp://psccenter.com/
hxxp://controlcenter2011.com/


The following file was downloaded:
setup.msi
Result: 1/43 (2.3%)
MD5: 92577052e1f4f51cb74d37727d032168

This file drops:
PCoptimizer2010.exe
Result: 2/43 (4.7%)
MD5: 6ad932b045a4ac666659d496a81af52d
VirusTotal
Anubis Report
ThreatExpert Report
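As an added example (not part of the original post), the defanged indicators above can be turned into a blocklist and run over proxy logs. The script below refangs the hxxp:// URLs, matches hosts and their subdomains without matching look-alikes such as notpsccenter.com, and compares a file's MD5 against the two hashes listed. The proxy log lines and the placeholder file content are constructed; the domains and hashes are the ones from the post.

```python
"""Turn the defanged indicators from the post into a blocklist and run it
over constructed proxy log lines and file hashes.

Added example: the log lines and the 'file content' are constructed; the
domains and MD5s are the ones listed in the post.
"""
import hashlib
import re

DEFANGED = """
hxxp://privacyguard2010.com
hxxp://pcprotectioncenter.com/
hxxp://privacycorrector.com/
hxxp://pcoptimizer2010.com/
hxxp://psccenter.com/
hxxp://controlcenter2011.com/
"""

KNOWN_BAD_MD5 = {
    "92577052e1f4f51cb74d37727d032168": "setup.msi",
    "6ad932b045a4ac666659d496a81af52d": "PCoptimizer2010.exe",
}


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [.] / (dot) / [dot] -> '.'."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(dot)", ".").replace("[dot]", ".")


def host_of(url: str) -> str:
    """Lower-case host part of a URL, without scheme, port, path or query."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def blocklist(defanged_text: str) -> set:
    return {host_of(refang(line)) for line in defanged_text.splitlines() if line.strip()}


BAD_HOSTS = blocklist(DEFANGED)

# Constructed proxy log: timestamp client url status
PROXY_LOG = """\
2010-12-02T10:01:03 10.0.0.7 http://www.example.com/index.html 200
2010-12-02T10:01:09 10.0.0.7 http://privacyguard2010.com/setup.msi 200
2010-12-02T10:02:41 10.0.0.12 http://cdn.pcoptimizer2010.com/dl?x=1 302
2010-12-02T10:03:00 10.0.0.12 http://notpsccenter.com/ 200
"""


def matches(log_text: str, bad_hosts: set = BAD_HOSTS) -> list:
    """(client, url) for each request whose host is a listed host or one of
    its subdomains. A plain suffix test would also flag notpsccenter.com,
    hence the explicit '.' + bad check."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[2]
        host = host_of(url)
        if any(host == bad or host.endswith("." + bad) for bad in bad_hosts):
            hits.append((client, url))
    return hits


def check_hash(data: bytes) -> str:
    """Known file name for a listed MD5, or '' when the hash is not listed."""
    return KNOWN_BAD_MD5.get(hashlib.md5(data).hexdigest(), "")


if __name__ == "__main__":
    for client, url in matches(PROXY_LOG):
        print("ALERT", client, "->", url)
    print(repr(check_hash(b"constructed placeholder bytes")))
```

A hash miss says nothing about the file, exactly as a clean VirusTotal result does not; the hash check only confirms a known sample, while the domain match catches the download path even when the dropped file has been repacked.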

Screenshot examples:

PrivacyGuard 2010 home page


When executing the file (PCoptimizer2010.exe)
PrivacyGuard 2010 installation wizard

Tuesday, November 23, 2010

New scam/phishing tactics

Recently I've seen some new scam/phishing tactics rising to the surface:



Email inviting you to download the newest PDF reader



Email inviting you to download Google Earth


Basically they just want you to pay for a product you can download for free. This time it's Adobe PDF Reader and Google Earth that are being targeted.

Be alerted when you receive an email with subjects like:

New 2010 Version for Google Earth
Update to PDF Reader 2010 for Windows
Get more out of Google Earth
New PDF Reader with Activation Code
Update your PDF Reader for Windows


Do not click on any of the links, and don't be fooled if the URL doesn't look 'funny'.
They might use URL shortener services such as bit.ly or tinyurl.com to hide the real URL.

If you are really interested in any of the aforementioned applications, go to the original site and download it *for free ;)* from their website.
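Added example, not from the original post: the subject lines above as a matcher, plus a routine that unwraps a shortened link hop by hop with HEAD requests, so the landing page itself is never fetched or rendered. The shortener list, the vendor domains, the redirect table and the head() callback are my assumptions; the table stands in for the network so the script runs offline.

```python
"""Flag the lure subjects listed in the post and unwrap shortened links
without visiting the landing page.

Added example: the subjects are the ones from the post; the shortener list,
the vendor domains, the fake redirect table and the `head` callback are my
own assumptions (the table stands in for the network so this runs offline).
"""
import re
from urllib.parse import urlparse

LURE_SUBJECTS = [
    "New 2010 Version for Google Earth",
    "Update to PDF Reader 2010 for Windows",
    "Get more out of Google Earth",
    "New PDF Reader with Activation Code",
    "Update your PDF Reader for Windows",
]
LURE_TERMS = ("pdf reader", "google earth")
# Assumed: the only domains that legitimately serve these two products.
VENDOR_DOMAINS = ("adobe.com", "google.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}   # assumed list
MAX_HOPS = 5


def normalize(s: str) -> str:
    """Lower-case, collapse whitespace and drop invisible marks such as the
    U+200F characters that were embedded in the original subject lines."""
    s = re.sub(r"[\u200b-\u200f\ufeff]", "", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def subject_is_lure(subject: str) -> bool:
    """Exact match against the known subjects, or a product name combined
    with an update/new/activation hook."""
    s = normalize(subject)
    if s in {normalize(x) for x in LURE_SUBJECTS}:
        return True
    return any(t in s for t in LURE_TERMS) and bool(
        re.search(r"\b(update|new|version|activation)\b", s))


def is_shortened(url: str) -> bool:
    return (urlparse(url).hostname or "") in SHORTENERS


def impersonates_vendor(host: str) -> bool:
    """Host that borrows a product name but is not the vendor's own domain."""
    h = (host or "").lower()
    if any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS):
        return False
    return any(w in h for w in ("pdf", "reader", "google", "earth"))


def unshorten(url: str, head, max_hops: int = MAX_HOPS) -> list:
    """Follow Location headers one hop at a time using head(url) -> Location
    or None. Only HEAD requests are issued, so the final page's content is
    never downloaded; loops and over-long chains are cut off."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if not nxt or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


# Constructed redirect table standing in for the real network.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://pdf-reader-2010.example/download",
}


def fake_head(url: str):
    return FAKE_REDIRECTS.get(url)


def assess_link(url: str, head=fake_head) -> dict:
    chain = unshorten(url, head)
    final_host = urlparse(chain[-1]).hostname or ""
    return {
        "shortened": is_shortened(url),
        "hops": len(chain) - 1,
        "final": chain[-1],
        "lookalike": impersonates_vendor(final_host),
    }


if __name__ == "__main__":
    print(subject_is_lure("Update to PDF Reader 2010 for Windows\u200f"))
    print(assess_link("http://bit.ly/abc123"))
```

To run it against live links, replace fake_head with a function that issues an HTTP HEAD with redirects disabled and returns the Location header; the chain logic stays the same, and the hop limit protects against redirect loops.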




Screenshot of the 'PDF' website



Screenshot of the 'Google Earth' website


Conclusion

The conclusion is pretty simple: delete these emails and never reply to them !
If you are unsure if the email is legit or not, I would delete it anyway.
For instance: Google will not email you with a request to download their Google Earth application and pay for it.

You can always use URLvoid and VirusTotal URL scanners as a reference.

Be safe people, and don't fall for these tricks.

Sunday, October 24, 2010

The Botnet Wars: a Q&A

A Q&A written by @bartblaze

Note: you can also download this article as a PDF on MediaFire.

Introduction


Picture of a botnet with the Command & Control server and botnet herder

Botnet kits. Crimeware kits. Exploit kits. Who hasn't heard these words nowadays? Sold in underground forums, they are becoming more popular due to a drop in prices and the fact you do not need to be a technological wonder to use them.

But what are these kits exactly? Which features do they have? Who develops them? How do they get used? More importantly, how can we stop these kits from spreading, and how can users protect themselves against the dangers they pose?

In today's article (which will be a Q&A, a question & answer), I hope to be able to clear up the mystery behind these kits. I have been able to interview experts in the anti-malware world. They will each give their opinion on this particular subject.

I will pose my question and place the answer of each expert right beneath it, for your convenience.

Included is a link to their website, and a link to their Twitter page. If you have Twitter, I strongly advise you to follow them if you aren't already. The experts are the following:

Iftach Ian Amit - Security Art VP Business Development - @iiamit
Luis Corrons - PandaLabs Technical Director - @Luis_Corrons
David Harley - Eset Anti-malware researcher/author - @DavidHarleyBlog
Mikko H. Hypponen - F-Secure Chief Research Officer - @mikko
Paolo Milani - isecLAB Malware/Threat researcher - @paolo_milani
David Sancho - Trend Micro Senior Malware Researcher - @dsancho66
Steve Santorelli - Team Cymru Malware/Threat Researcher - @teamcymru
Lenny Zeltser - Savvis Security Consultant & Malware/Threat Researcher - @lennyzeltser

Note: Mr. Harley did not have much time as he was travelling, but succeeded in providing me answers anyway. Thanks !




Iftach Ian Amit provides us with the difference between an exploit kit and a crimeware kit:

The exploit kits are usually focused on serving the attack vector of drive-by downloads and browser exploitations where criminals "reach out" to get their victims abused. An example for an exploit kit is Mpack, IcePack, Neosploit, etc…

The crimeware kits (or more specifically the Trojan kits) serve the more persistent part of the attack and are the ones being deployed after the exploit kit managed to gain access to the victim's system. Trojan kit examples are Limbo, ZeuS, SpyEye, Sinowal, etc…

Now, time to fire off those questions ! Each expert will give their opinion and elaborate.
(You can also immediately skip to the conclusion if you'd like.)



a) Let us start with a basic question. What is, in your opinion, an exploit kit ? Which features does it have and which risks does it pose?




Iftach Ian Amit: An exploit kit specifically is an aggregation of "weaponized" exploits geared towards ease of use in deployment. These usually have a basic installation script (DB backed), and a management interface. Some exploit kits include multiple-user support and a granular permission system to allow users from different "groups" to manage their own data. The exploit kit does NOT contain a payload (usually a Trojan, Spyware, or a rootkit), but allows the manager to set one up to be used on PCs it successfully exploits.

The risk that exploit kits pose is from an ease-of-use perspective, as they enable even the most non-technical criminal to start utilizing the internet as a venue for their fraud.



Luis Corrons: It is a “kit for infecting computers for dummies.” Pretty popular nowadays, we are just talking about a software package very easy to use, that enables anyone to create their infection spread platform. They come with a number of exploits for different software, they usually include tech support & updates (if you pay for it), statistics, etc. You can even decide which users you want to infect (per country, language, etc.) and some also include a module to infect websites injecting iframes which will point to the exploit kit server, where the software is installed and where the exploits are launched from.



David Harley: I’d actually favour quite a lax definition: some “exploit kits” are not much more than Proof of Concept code that illustrates a vulnerability. Not that information about a vulnerability is a trivial issue. In fact we had to be rather careful in our research into Stuxnet not to make too much information available about currently unpatched vulnerabilities that we’ve turned up during our analysis work, though it’s difficult to strike a balance between releasing enough generally useful information and too much info for comfort. The prompt take-up of the CVE-2010-2568 vulnerability originally found in Stuxnet by other malware families illustrates the problem.

The risks here are generally indirect as far as the user is concerned: they depend on the ability of criminals to turn a specific kit to their advantage: however glamorous the bug, it can still be the quality of the social engineering that makes it successful.



Mikko H. Hypponen: An exploit kit is a collection of multiple exploits, targeting various different vulnerabilities. Most of these focus on drive-by-attacks, targeting web surfers.



Paolo Milani: I think an exploit kit can be all sorts of different things, and will become yet more varied as time goes by. Cybercrime is developing into a service economy, with many specialized actors with completely different levels of technical sophistication, and different levels of involvement into illegal activities, who provide services to one another. So some people develop and sell 0-days, others operate and rent botnets, and others provide software tools for different parts of this ecosystem, from ready-to-use bot code to tools for drive-by download exploits or blackhat search engine optimization. Any of these software tools can in the wider sense be called "exploit kits".



David Sancho: Exploit kits are web front-ends whose main objective is to infect the users when they access the page. In order to do this, they identify the user's browser and send the right exploits to make sure they get infected. In addition to this, modern exploits have logging capabilities that crunch the numbers so that the owner can see how many users have been infected, what country they were coming from, what vulnerabilities are the most successful ones and other similar items.

Exploit kits ultimately mean that a criminal can put up a malicious web site to infect users. They can do this with a minimal programming effort, with low cost and with good reporting stats that will allow them to tweak their attacks to maximize the number of infections.

These are similar to botnet kits, which allow the criminals to create botnets. Botnet kits have both server and client side and can be customized so that the information they steal from the victim's pc is automatically reported to the command and control console so that the botnet's owner can access it. Botnet kits have automated botnet creation and maintenance in such a way that it has propelled malware growth enormously. Proliferation of malware is in part due to the ease with which criminals have access to automated tools to infect new victims.





Steve Santorelli: A package that contains everything needed to infect and leverage those infected machines without needing to know much coding, if any. One of the major problems is that this enables a far broader base of criminals to adopt and use these kits as a lack of technical knowledge is no longer a barrier. There is also often centralized, highly reactive and highly experienced development and technical support available to the exploit kit users. Advertising, pricing and reputation all come into play here, just as with any other type of sales 'in real life'.



Lenny Zeltser: An exploit kit is a toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser. Common exploit targets have been vulnerabilities in Adobe Reader, Java Runtime Environment and Adobe Flash Player.

A key characteristic of an exploit kit is the ease with which it can be used even by attackers who are not IT or security experts. The attacker doesn’t need to know how to create exploits to benefit from infecting systems. Further, an exploit kit typically provides a user-friendly web interface that helps the attacker track the infection campaign.

Some exploit kits offer capabilities for remotely controlling the exploited system, allowing the attacker to create an Internet crimeware platform for further malicious activities.





b) Do you expect the phenomenon of exploit kits disabling one another to become more common? In other words, do you think the authors of these kits will increasingly target each other, to infect more users or to steal each other's botnets?

Iftach Ian Amit: I'm assuming here you either refer to Trojan-builders or auto-pawn tools (which infect legitimate websites with the malicious code from exploit kits). These two tool categories have shown over the last few years (at least 3-4 years from my personal experience) that the competition is fierce in the online criminal world, as they have been added with features to disable/uninstall "competing" tools.

I'm definitely expecting the competition in the Trojan market to step up in terms of gaining more marketshare - especially if it’s affecting a competing botnet.



Luis Corrons: We have seen malware disabling other malware for a long time. Some of you may remember the fight that the Netsky and Bagle authors had 6 years ago, they were at that time creating some variants that were disabling or uninstalling each other’s malware. The exploit kits are used to install malware, so from a criminal point of view it is useful to remove other malware that is present there and could interfere with their business.



David Harley: I don’t know if it will increase, but it’s not unlikely: piggybacking and botnet theft have long been prevalent at the malicious application level, and it makes sense that such targeting is seen as a selling point for exploit kits too.



Mikko H. Hypponen: Exploit kits are often commercial in the sense that they are being sold in the underground between hackers. This means that there's concrete competition between these criminals. As a result we do see cases where particular attacks will try to disable previous attacks from a machine in order to gain control of them.



Paolo Milani: That's quite possible, we've seen this back in the day of network worms that were scanning for each other's backdoors. Also, security researchers have been known to take over botnets that do not use strong authentication for bot commands. However, in the future I expect increasing professionalism and sophistication on the part of the bot masters, who I think will more and more use standard cryptography or other sound technical means to ensure they maintain control of their bots.



David Sancho: Botnet kits have had a tendency lately of disabling each other. This is possibly a sign of rivalry between the programmers of each kit. Stealing other botnets' clients is definitely a possibility and if they haven't thought of it, they will pretty soon. I actually think this will become commonplace because once a bot takes over a victim machine, if it was previously infected, that bot belongs to both botnets. Checking this eventuality and preventing it purely denies competing botnets access to their own resources.



Steve Santorelli: SpyEye has had a 'Kill Zeus' option for a while now. Most evolution of tools and techniques in the Underground Economy is driven by business/economic need and a desire to maintain a low risk and high reward ratio. As such if you approach a position where the majority of infect-able machines are already infected, it's logical to assume that miscreants will start to fight over the pool of available machines: they are making good money so they won't stop just because it's becoming slightly harder to do business.
They will adapt and overcome: we see this constantly in the Underground Economy.



Lenny Zeltser: I may be defining an exploit kit more narrowly than how you use the term. In my mind, the exploit kit is the launching platform used to deliver other payload, which may include a bot, a backdoor, spyware or another type of malware. In this context, exploit kit authors and distributors compete for customers.

Overall, it’s not uncommon for criminals of all shapes and sizes to battle one another for control. I’m not surprised we’re seeing such battles in the Internet world as well. Though there are a lot of potential targets for competing attackers to infect, it’s natural for the attacker to wish to assert full control over newly-compromised system. If the host is already infected, the new attacker will need to remove the presence of a competing entity. It’s a variation of a children’s game called King of the Hill, though obviously with more severe repercussions.








c) More and more exploit kits are sold in underground forums, which is increasing the use of these kits. Do you expect that the source of attacks will be more widespread, i.e. more countries getting involved instead of the traditional ones? (Russia, China, ..)

Iftach Ian Amit: Definitely - even the forums are opening up more and more to members that are not specifically from the "local" countries. We have been seeing that in the pricing models used for selling such tools (speaking Russian/Chinese usually means a lower price), as well as in the openness to sell to foreigners that identify themselves as such (whereas in the past you had to "prove" some locality to get the really tricked up kits).

This, in addition to more criminal venues finding the online market a major additional revenue source, and the limping economy which brings more people to try and find ways to make a quick buck, is a sure way to see continued growth in the popularity of exploit kits and Trojan creation/management kits.



Luis Corrons: This should make us think about a few things. It seems that if you are a good developer and you’re living in the US, Europe or Japan, you’d work for any good IT company that will pay you really well. But if you are living in China or Russia, and you need food to eat, for you and your family, and you are a really good developer but with no choice to work for an IT company, what would you do? Those are the guys that can make a lot of money developing these kits and selling them, it’s an easy way to make a lot of money really fast.

So answering the question, even though these attacks happen everywhere, and from each and every country, I don’t think we’ll see anytime soon a major change in the actual situation where certain countries are the ones attacking the most. Explanation: Easy money + little risk + no other choices



David Harley: While certain kinds of attack are particularly and popularly associated with certain regions, I don’t actually think that regionalization has ever been such a hard and fast issue, and in a depressed economic climate the old differences between hobby malware and malware for profit have tended to dissipate, and I’d expect the trend to be upward.



Mikko H. Hypponen: We do expect most of these kits to continue to be from the usual suspects. Russia, Ukraine, Belarus, China etc.



Paolo Milani: Hard to say. I think this type of pattern can also change dramatically with the legal and regulatory framework around the internet and internet crime in individual countries (like the recent change in the domain registration policies in China).



David Sancho: This is already happening. The Mariposa botnet surfaced in February 2010 in Spain, which is a country not normally tied to these kinds of attacks. There have been other instances of new botnets surfacing everywhere else and this is no doubt caused by the wide availability of botnet kits and other software designed to make criminals' lives easier.



Steve Santorelli: We are already seeing it: miscreants from multiple countries and regions, all co-operating irrespective of any cultural, language or even religious differences that might separate them in real life: they are all primarily and overwhelmingly interested in making money whilst maintaining a low risk and high reward equation.



Lenny Zeltser: I haven’t researched geographic patterns associated with the usage of exploit kits. Certainly some of the toolkits are developed and marketed in a specific country and, therefore, will be used more widely by attackers who speak that language or who hang out in those forums. However, the “beauty” of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D by using systems hosted in Country E. My point is that it’s hard to attribute malicious activity to actors located in a particular country by simply looking at IP addresses observed during the immediate attack.




d) Additionally, the kits are getting cheaper and more options are available. Is it acceptable to presume that more and more users with low or no technical skills will use these kits for profit? For example look at the Mariposa case, where the botnet operators had little knowledge about technical subjects.

Iftach Ian Amit: Of course. In a lot of the cases that we have been seeing, the botnet herder wasn't really technically savvy. The kits are designed to focus on the "business" side of things and take care of all the major technical aspects of running a successful botnet. As I mentioned before, criminal operations that seek to enter the online market find it very easy to just buy a kit, have a few henchmen run it, and if needed take the fall for it (see Mariposa again).

Luis Corrons: Yes, of course, these packages are point-and-click, as I was saying it is for dummies, you don’t need to be an expert, not even an average user to learn how to use them.



David Harley: I’d agree with that, in general.



Mikko H. Hypponen: Yes, most of the exploit kit customers have limited technical skills and would be unable to create the exploits themselves.



Paolo Milani: Yes, I think this is part of the specialization of the industry. More technologically savvy actors develop malicious software, which in many countries is not in and of itself a crime. Other actors, who may not be as technically competent but are more willing to take risks, actually go out and use the software to commit crimes.



David Sancho: Exactly. I don't even think the cost is a factor anymore. Zeus is a very popular botnet kit that is not precisely cheap but a resourceful criminal can amortize the cost in no time. This is becoming such a bountiful market that a high license fee, say between $5,000 and $10,000, is a reasonable investment for cybercriminals.



Steve Santorelli: Yes, as answered in a), this is one of the major problems - it is a package that contains everything needed to infect and leverage those infected machines without needing to know much coding. This enables a far broader base of criminals to adopt and use these kits as a lack of technical knowledge is no longer a barrier.



Lenny Zeltser: Indeed, the ease of use and affordability of exploit kits makes it possible even for people with low technical skills to become a “hacker,” be it for profit, politics or other reasons.








e) And, last but not least, how can we prevent these exploit kits from spreading, and what are the best practices for users to protect themselves against mischief?

Iftach Ian Amit: Fortunately, most of the kits do not contain 0-day exploits. Unfortunately, most home (as well as business) users do not patch their systems and are left an easy prey for those kits. It's a combined effort from both software vendors to quickly patch (and test!) their software, as well as users to be more responsible in terms of making sure they are running the latest version of the software available to them. The numbers speak for themselves, and right now most kits have a good enough success rate without the true need for 0-days in them. If the status-quo will change and we will see more resilient software that updates itself quickly and seamlessly, as well as users that demand a secure operating environment, the exploit kits would have a hard time maintaining their reign over us.

Luis Corrons: Most of the exploit kits use known exploits that are not 0-day, so that means that there is a patch for each one. If people would patch, which means to update each and every piece of software installed in a computer, the kits would be useless.



David Harley: I don’t see this as (primarily) an area in which users can do much except to take the usual precautions (sound security software properly updated, patching, caution against social engineering and so on.) The most effective preventative measures are almost invisible to end users: anti-malware technology, of course, but also at the level of cooperation with law enforcement, ISPs and so forth at an international level, takedown of exploit resources, unobtrusive monitoring of new families and trends, etc.



Mikko H. Hypponen: Security companies must be very active in gaining access to the latest versions of various kits and then build generic detections against all the exploits they can generate. Alternatively, generic exploit-detection technologies help.




Paolo Milani: I'm not sure we can prevent exploit kits from spreading. Insofar as they are traded on mostly open forums, security practitioners can do some amount of monitoring of what happens in these markets (see recent work at our lab: http://seclab.tuwien.ac.at/papers/underground_dimva.pdf).

Once the bad guys take the trading onto private channels, nothing short of police infiltration can really make a dent, and we know how hard that is across national jurisdiction boundaries.

David Sancho: Botnet kits and exploit kit sales happen in the underground so it's key that security companies keep an eye on what's happening there. Law enforcement agencies around the world are especially keen on apprehending the criminals so it's in their own interest that information flows. This is already happening and security professionals gather in private and public forums to exchange intelligence so that we can be on top of the attacks as soon as they happen.

From the user's perspective, if they don't want to become a victim they need to be aware of the tactics that the criminals use to infect and always be protected with an antivirus suite.

Steve Santorelli: Wow - this answer would take up a book. At a basic, user level, follow our tips here: http://www.team-cymru.org/ReadingRoom/Tips/. At a network Administrator level, ping us at outreach[AT]cymru[DOT]com... We've got over 30 different community services that we offer at no cost that can help network admins protect their users but above all: DON'T PANIC and leverage the IT Security Community to help you. Some very smart folks (much smarter than me) have been working to combat these problems for years and they relish the opportunity to help anyone else who is willing to fight the good fight!

Lenny Zeltser: Though some exploit kits target zero-day vulnerabilities, a large number of exploits go after vulnerabilities for which patches exist. End-users and organizations should look closely at how they keep up with security patches on the desktop. End-users at home can use auto-update mechanisms of the targeted applications or specialized tools such as Secunia PSI. Enterprise environments should use automated tools to identify vulnerable systems, install relevant patches and validate that the patches are installed. It’s also important to lock down the environment so that when an individual system is affected, the attack is contained and discovered quickly.








Conclusion

I think we may conclude that exploit kits these days are easy to use and, as one expert said, "it is a kit for infecting computers for dummies.” They usually consist of web front-ends to infect the user.

Will malware authors be targeting each other ? This is of course hard to predict, but it might be more common in the future.
A new development is however happening, as posted by Brian Krebs:
"Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests."

Will the attacks be more widespread ? Yes, most experts think they will. One expert noted:
"However, the “beauty” of exploit kits is that they can be developed in Country A, sold in Country B, and used in Country C to attack Country D by using systems hosted in Country E. "

Will more and more users with bad intentions use these kits for profit ?
Yes, as has been said before; take a look at the Mariposa case. The botnet herders weren't exactly technically savvy - the ease of use "is part of the specialization of the industry." Also, "The kits are designed to focus on the "business" side of things and take care of all the major technical aspects of running a successful botnet."

How can we protect ourselves and which countermeasures can we take against these kits ?
The answer is: PATCH PATCH PATCH. Keep your Operating System up-to-date and use an Antivirus with a strong Firewall.
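"Patch, patch, patch" only works if you can tell what is out of date, and the last answer above also asked enterprises to validate that patches are actually installed. Here is an added example of mine (not part of the original post or of any tool named in it) that audits a software inventory against a minimum-version baseline, with a numeric version comparison so that "9.10" is not mistaken for older than "9.4". The inventory lines and the baseline versions are constructed placeholders, not vendor advisory data.

```python
"""Check a software inventory against minimum patched versions: the
'patch, patch, patch' advice from the conclusion, and the 'validate that the
patches are installed' step from the last answer, turned into a routine.

Added example: the inventory lines and the minimum-version table are
constructed placeholders, not vendor advisory data; a real run would take
the baseline from the vendors' advisories or a tool such as Secunia PSI.
"""
import re

# Assumed baseline (constructed): lowest version considered patched.
MIN_SAFE = {
    "Adobe Reader": "9.4.1",
    "Java Runtime Environment": "6.0.220",
    "Adobe Flash Player": "10.1.102.64",
}

# Constructed inventory as an audit script might export it: host;product;version
INVENTORY = """\
host1;Adobe Reader;9.3.4
host1;Java Runtime Environment;6.0.220
host2;Adobe Reader;9.10
host2;Adobe Flash Player;10.0.45.2
host3;Some Other App;1.0
"""


def version_tuple(v: str) -> tuple:
    """'10.1.102.64' -> (10, 1, 102, 64). Numeric comparison avoids the string
    trap where '9.10' sorts below '9.4'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_outdated(installed: str, minimum: str) -> bool:
    a, b = version_tuple(installed), version_tuple(minimum)
    n = max(len(a), len(b))                 # pad so that 9.4 == 9.4.0
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def audit(inventory_text: str, baseline: dict = MIN_SAFE) -> dict:
    """Return {'outdated': [(host, product, installed, minimum), ...],
               'no_baseline': [(host, product), ...]}."""
    outdated, unknown = [], []
    for line in inventory_text.splitlines():
        parts = line.split(";")
        if len(parts) != 3:
            continue                          # skip malformed export lines
        host, product, installed = (p.strip() for p in parts)
        minimum = baseline.get(product)
        if minimum is None:
            unknown.append((host, product))   # nothing to compare against
        elif is_outdated(installed, minimum):
            outdated.append((host, product, installed, minimum))
    return {"outdated": outdated, "no_baseline": unknown}


if __name__ == "__main__":
    report = audit(INVENTORY)
    for host, product, installed, minimum in report["outdated"]:
        print(f"{host}: {product} {installed} is below {minimum}, patch it")
    for host, product in report["no_baseline"]:
        print(f"{host}: no baseline for {product}, add one before trusting this report")
```

Products with no baseline entry are reported separately rather than silently passed: a quiet report that simply does not know about a product is the usual way such a check gives false reassurance.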

"Security companies must be very active in gaining access to the latest versions of various kits and then build generic detections against all the exploits they can generate. Alternatively, generic exploit-detection technologies help."

"Law enforcement agencies around the world are especially keen on apprehending the criminals so it's in their own interest that information flows. This is already happening and security professionals gather in private and public forums to exchange intelligence so that we can be on top of the attacks as soon as they happen."

Security companies must work together, cooperate, unite even, against these kits and the authors/operators behind them:
"The most effective preventative measures are almost invisible to end users: anti-malware technology, of course, but also at the level of cooperation with law enforcement, ISPs and so forth at an international level, takedown of exploit resources, unobtrusive monitoring of new families and trends, etc."

I would like to thank the experts for their time and of course their professional insight on the subject.




About me
I currently work at Panda Security. Obviously, my main interest lies in Malware Research.
If you would like to learn more, don't hesitate to contact me on Twitter:
@bartblaze

Thank you for reading and until next time.

The Botnet Wars: a Q&A (teaser)

Would YOU like to know more about exploit kits, crime packs, botnet kits and the role they are currently playing?

Then be sure to check out tomorrow's update on this blog as well as on MalwareDatabase. I will publish an article where I have interviewed several people from the antimalware industry.

These days, the kits are getting cheaper. Also, less technically savvy people are able to use them. An example is the Mariposa case, where the botnet operators had little knowledge about technical subjects.

A recent trend is that some exploit kits are focusing on disabling one another, like the recent integration in SpyEye to kill Zeus.

They will all give their expert opinion on the current problem and on how we can prevent the spreading of the threats they pose. It will also include some best practices on how one can protect oneself.


Stay tuned!

Saturday, October 23, 2010

WinMHR: Free Malware Detector


Today I checked out WinMHR brought to you by: Team Cymru

Now, what exactly is WinMHR? (This is copied from the website)

WinMHR is...


  • Free - No ads, reminders, or disabled features - for both non-commercial and commercial use.
  • Private - No files or any content is sent across the network.
  • Fast - No heavy analysis is done on your PC. Our servers take care of the heavy lifting.
  • Accurate - We aggregate results of over 30 anti-virus engines, so we detect a far greater percentage of malware than a single, traditional anti-virus product.
  • Up-to-Date - No "definition" or "signature" files need to be downloaded, all updates are done on our servers.
  • Easy to Use - A more user-friendly, point-and-click interface for our established and proven MHR service.

WinMHR is NOT...


  • intended as a replacement of traditional anti-virus, it is an augmentation of your existing anti-virus.
  • a malware removal or blocking tool; it is a malware detection tool.

I tested WinMHR on 10 samples of the infamous rogue AV 'Security Tool':
2 out of 10 samples are known malware


When you first start WinMHR, it does a scan of your running processes. This makes it very easy to view MD5s of all running processes, as well as which modules are loaded under each process.


Down below you can find an additional video on how to use WinMHR:

Link: http://media.team-cymru.org/WinMHR/movies/introduction.mov

You can download WinMHR from here.


Conclusion:

WinMHR is a good tool for getting a second opinion, but if you really want to be sure about the validity of a file (malware/goodware), I advise also using the VirusTotal Uploader or VT Uploader (http://www.virustotal.com/advanced.html ).
Simply right click a file and send it to VirusTotal.

The big difference between WinMHR and VirusTotal is that WinMHR will not upload your file, it will only check the MD5 checksum. If you send a file to VirusTotal, you will upload it to their servers, and they can decide what to do with it.
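To make that difference concrete, here is an added example (not WinMHR's or Team Cymru's own code) that does what WinMHR does under the hood: it hashes a file locally and asks Team Cymru's Malware Hash Registry (MHR) over DNS whether that hash is known, so only the checksum ever leaves your machine. It assumes `dig` is installed for live lookups; the resolver is injectable so the logic can be exercised offline with constructed answers.

```python
# Added example, not WinMHR's or Team Cymru's code: hash a file and query the
# Malware Hash Registry (MHR), the DNS service behind WinMHR. Only the hash is
# sent, never the file. Assumes `dig` is installed for live lookups; the
# resolver is injectable so everything can be tested offline.
import hashlib
import subprocess

MHR_ZONE = "malware.hash.cymru.com"  # Team Cymru's documented MHR DNS zone

def hash_bytes(data):
    """Return (md5, sha1) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def file_hashes(path):
    """Return (md5, sha1) of a file, read in 1 MiB chunks to handle large files."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def mhr_query_name(digest):
    """Build the lookup name '<md5-or-sha1>.malware.hash.cymru.com'."""
    digest = digest.lower()
    if len(digest) not in (32, 40) or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected an MD5 or SHA-1 hex digest")
    return f"{digest}.{MHR_ZONE}"

def parse_mhr_answer(txt):
    """MHR answers a known hash with TXT '"<last_seen_unix_ts> <detection_pct>"';
    an unknown hash yields NXDOMAIN, i.e. no answer, which maps to None."""
    txt = txt.strip().strip('"')
    if not txt:
        return None
    last_seen, detection = txt.split()
    return {"last_seen": int(last_seen), "detection_pct": int(detection)}

def dig_txt(name):
    """Live resolver: TXT lookup via the system `dig`; empty string if no answer."""
    out = subprocess.run(["dig", "+short", name, "TXT"],
                         capture_output=True, text=True, timeout=10)
    return out.stdout.strip()

def mhr_lookup(digest, resolve=dig_txt):
    """Look up one hash; returns a dict for known malware, None if unknown."""
    return parse_mhr_answer(resolve(mhr_query_name(digest)))
```

Like WinMHR itself, a `None` answer only means the hash is not in the registry, not that the file is clean.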

Keep in mind that WinMHR does not prevent malware, nor can it replace a traditional antivirus. As a supplement it comes in very handy.

Additionally, it would be nice if x64 were supported in the near future.


Note: I did not help or contribute in developing this tool, I simply reviewed it.

Tuesday, October 19, 2010

USPS Delivery Problem NR5808038

Recently I got an email in my Unwanted Email box from Hotmail.

I do not check this often, so only noticed this now.
There was an email in it which caught my attention:
USPS Delivery Problem NR5808038

In the mail, there was a file called USPSLabel.zip. The content of the mail was the following:



Only the picture and the attachment were in the email, nothing more, nothing less.
The attachment was already removed by Hotmail as "unknown virus".


Conclusion:
USPS or any other Postal Service will not send you an email stating that you need to open an attachment. Certainly do not open the email when you have never used their services before.

If you did order with them and you are in doubt, do not reply to the email but simply navigate to their website (in this case: http://www.usps.com ) and look for contact details.

Additionally, (correct me if I'm wrong) you can easily compare your tracking number with the one in the subject.

Thursday, October 14, 2010

[SPAM] He found himself leading the process

Nothing new here, but interesting to note that this type of trick is still going around.

I am talking about an email you receive with (apparently) random text and an attached picture of viagra, cialis and other products you can buy at a very low price on some (Russian) website.

The email may look like this:

Email with attached picture.

With random text, I really mean sentences copy/pasted from books. Some examples:

On't stand it another winter!" "I'm not so sure it will be necessary,
after all," said their father, who seemed
to have dis

Source: Dab Kinzer by William O. Stoddard

The spiritual love their children
from their spiritual intelligence and moral life; thus they love them
from the fear of God and actual piety, or the piety of life, and at
the same time from affection and application
to uses serviceable to society, consequently from the virtues and
good morals which they possesse

Source: Delights of wisdom concerning conjugial love: after which follow pleasures ... by Emanuel Swedenborg

One of these two pictures is attached to the email:
Note: The URLs are already taken offline.



Picture 1


Picture 2


If we analyse the second link with VirusTotal's (fairly new) URL engine and URLVoid, we get these results:

VirusTotal - 0/6 (0.0 %) - VirusTotal Result
URLVoid - 3/17 (17 %) - URLVoid Result


Conclusion:
Again, do not open any attachments from senders you do not know or trust. If you see random text in an email and it doesn't seem to make sense, but you'd like to figure it out anyway, read more books or use your favorite search engine to look it up ;) .

Wednesday, September 29, 2010

please find enclosed.

Yesterday I received an email apparently coming from LinkedIn:



When we check the headers, the return path is: banquetedfwx14@rentanyapartment.com
I'm pretty sure LinkedIn does not use this email address for their communication ;) .

Enclosed is a file called resume_new.zip (40 KB)
MD5: 7227d2c555262145700be91ae991d91e
VirusTotal result is 25/43:
printable receipt.exe

Conclusion:
LinkedIn will not send you any emails where a "resume" is attached which is in fact an .exe file. Do not reply or open the attachment, simply delete the email.

Wednesday, September 22, 2010

[SPAM] Fresh event on Monday

A few days ago I received the following email:


-----Original Message-----
From: Clifford Hyatt [mailto:frobishere1@rothleycourt.com]
Sent: maandag 20 september 2010 15:37
To: *
Subject: Fresh event on Monday 9/27

Hey

Hope you are well.

Nissa asked that I email you information about the Fresh event we are hosting at Ger-Nis on Monday September 27th,
so if you wanted to you could be the mixologist and help us out with the drinks (beer and wine included).

Obviously, we will compensate you for your time, so if you are free,
we would love if you could help out!

Please find attached.

Please let me know as soon as you can.

Enjoy your weekend,


It contained an attachment called "02943Fresh event on Monday 927"

MD5: 69a8aca7452b5c1386f1933084dd5811
VirusTotal result: 20/43

At the time I was checking the link, it was already taken offline.
It tried to redirect me to http://nobletree.org/x.html .
Most probably it would have redirected you to a fake antivirus page.


Conclusion:

Please be careful when you receive messages from someone you
don't know, and certainly do not open any attachments.

Saturday, August 28, 2010

Introducing: Roguevertising

I made this post a while ago at MalwareDatabase and decided to post it here as well. Be careful though, some of the links may still be active.

Down below you can find the introduction of the post and a link to it:
Introducing: Roguevertising
A new term in the rogue industry – written by Bart P


Today I will be talking about a new trend that spreads itself quite quickly throughout the internet.
In this document I will try to explain what it is all about and provide additional information like screenshots and measures that can be taken to tackle these threats.