Click here… to get infected

July 22nd, 2008

More and more malware authors are tricking people with YouTube knock-offs. And amazingly, it works quite well.

Curiosity kills the cat. Well, here it kills your computer.

JSegura

Posted in Rogue software

More Angelina…

July 21st, 2008

First, can’t help but notice the spelling mistake: Anjelia?

Her full name is: Angelina Jolie Voight
I only knew the Angelina Jolie part, so thanks to this little research I learned that her father is actor Jon Voight.

Anyway, yet another extremely popular spam campaign, one that even reached my personal mailbox.

Funny how the spammers are trying to lure people with Microsoft’s blessing. Looks like some solid cut and paste. :-)

If you click on the link, it will open a nasty Trojan.

JSegura

Posted in Exploits

Angelina Jolie malware

July 16th, 2008

Today, our HoneyPot captured a new Trojan named after movie star Angelina Jolie (file name: nude-anjelina.avi.exe). This is a massive spam campaign using different domain names but the same IP address.

Interestingly enough, the domains are registered to a Chinese company although the IP is located in Germany. 

Fake suspended account still delivers malware:

Check out the registrar and the IP location:

Fairly new to AV vendors… unknown to most:

JSegura

Posted in Malware Trends

You got a nice tie Mr Hacker

July 15th, 2008

I came across this picture for a rogue anti-spyware program called IE Antivirus. It kind of made me laugh for two reasons:

  • the hacker is wearing a nice shirt and tie
  • the laptop he is hacking into and the icon for the computer logo are both Macs

Well, I like the degree of professionalism seen here, but I’m not sure it’s depicting the real stuff. They’d be better off showing a kid in his basement playing Halo and checking the status of his botnet every now and again.

Anyway, the domain for IE Antivirus is registered through ESTDOMAINS (from Russia, with Love). Here is the WHOIS record, with the domain name removed:

Domain Name: free-{removed}.com

Status: clientTransferProhibited

Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com

Expiration Date: 2009-06-18
Creation Date: 2008-06-18
Last Update Date: 2008-06-18
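The WHOIS record above is the kind of thing worth checking automatically when you run into a rogue’s domain: a domain registered a few weeks ago, for the minimum one-year term, is a good hint that it was set up to be thrown away. The script below is an added example, not code from the original post. It parses the record quoted above (domain name elided, exactly as in the post), uses the post date as the observation date, and flags the registration. The 30-day “young” threshold and the registrar watchlist are illustrative assumptions; the watchlist is seeded with the registrar the post calls out only to show the check working.

```python
"""Parse a plain-text WHOIS record and flag a young, short-lived registration.

Added example (not from the original post). SAMPLE_WHOIS is the record quoted
in the post, domain name elided as it is there. The 30-day threshold and the
registrar watchlist are illustrative assumptions, not a published list.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Sequence

SAMPLE_WHOIS = """\
Domain Name: free-{removed}.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Expiration Date: 2009-06-18
Creation Date: 2008-06-18
Last Update Date: 2008-06-18
"""


def parse_whois(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name.

    Only the first colon splits the line, so 'Referral URL: http://...'
    keeps its URL intact.
    """
    record: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record[key.strip().lower()] = value.strip()
    return record


def _parse_date(value: Optional[str]) -> Optional[date]:
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").date()


def domain_age_days(record: Dict[str, str], observed: date) -> Optional[int]:
    """Days between the Creation Date field and the day the domain was seen."""
    created = _parse_date(record.get("creation date"))
    return None if created is None else (observed - created).days


def assess(record: Dict[str, str], observed: date,
           young_days: int = 30, watchlist: Sequence[str] = ()) -> List[str]:
    """Return the reasons this registration looks like throwaway infrastructure."""
    flags: List[str] = []
    age = domain_age_days(record, observed)
    if age is not None and age <= young_days:
        flags.append(f"registered {age} days ago")
    created = _parse_date(record.get("creation date"))
    expires = _parse_date(record.get("expiration date"))
    # Minimum term: nobody planning to keep a brand pays for a single year.
    if created and expires and (expires - created).days <= 366:
        flags.append("one-year registration term")
    registrar = record.get("registrar", "")
    if any(w.lower() in registrar.lower() for w in watchlist):
        flags.append(f"registrar on watchlist: {registrar}")
    return flags


def assess_text(text: str, observed_iso: str,
                young_days: int = 30, watchlist: Sequence[str] = ()) -> List[str]:
    """Convenience wrapper: raw WHOIS text plus an ISO date (YYYY-MM-DD)."""
    observed = datetime.strptime(observed_iso, "%Y-%m-%d").date()
    return assess(parse_whois(text), observed, young_days, watchlist)


if __name__ == "__main__":
    # Observed on the day of the post; assumed watchlist entry for illustration.
    for flag in assess_text(SAMPLE_WHOIS, "2008-07-15", watchlist=("ESTDOMAINS",)):
        print(flag)
```

Real WHOIS output varies a lot between registrars (different field names, date formats, and multi-line entries), so treat the parser as a starting point and adjust the field names for the registrar you are querying.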

JSegura

Posted in Rogue software

Malware authors messing with SysInternals screensaver

July 14th, 2008

Malware authors seem to be having fun these days. They stole the BSOD screensaver from SysInternals and turned it into malware.

Note the message: “SYSINTERNALS_GREAT_SITE”

The screensaver is dropped in two locations: the System32 folder, of course, and the System Restore folder as well.

SysInternals (now owned by Microsoft) has made some really great tools: Process Explorer and RootkitRevealer, just to name a few.

JSegura

Posted in Malware Trends

Spare the environment, spare yourself

July 14th, 2008

It’s hard these days not to be aware of global warming. It already affects millions of people and is going at an alarming pace.
Recently, I was reading an article from a computer magazine, titled something like “Go green”. In this article they looked at how much energy computers use and whether any of their parts could be recycled. That was an interesting reminder that most of today’s electronics are big energy suckers. Also, our society’s way of consuming electronics has changed drastically over the past 50 years. It used to be that you would buy a television that would last you years. Nowadays, the life span of most of our electronics is very short. Of course there is a reason behind it: it’s not in the manufacturers’ best interest to make a product that will last a lifetime. And of course, technology changes constantly, and along with aggressive marketing, peer pressure and the like, you have to have the latest thingy.

Anyway, I could go on and on about this, but it wouldn’t really help much, would it? Now, as far as our energy consumption goes, there are many things we can and probably should do. Back in the 80’s and 90’s, people were advised to leave lights on (apparently it cost more to start a light than to leave it on all night). I’m not too sure about that one. Today however, there is a general consensus to turn appliances OFF when you are not using them. I couldn’t agree more with that statement. There is also another reason why you should do it, and this has to do with malware attacks (finally ;-) )

In today’s malware threats, botnets are the big topic. They are groups of zombie computers that participate in illegal activities. Zombie computers are anybody’s PCs which happen to be infected and controlled by hackers. You may not know it, but chances are that your computer is sending out spam while you’re sleeping at night. Hackers can detect if a computer is idle and launch a task then, instead of risking being exposed while you are on it (why are my hard drive and modem lights going insane?).
Or your computer may be used as storage for child pornography: the hacker is safe, but you’re not if the authorities raid your house and discover illegal material on your PC.

Anytime your computer is online, you are at risk of being attacked. Contrary to some beliefs, you don’t have to be downloading stuff or surfing the web for something bad to happen. Also, if your machine is already infected, it will gladly enjoy having 100% free resources again after you leave.

For the sake of the environment and for your own protection, it makes sense to turn the PC off when you’re not using it. It’s a hacker’s worst nightmare when he sees his bot-infected machines go offline, because suddenly he can’t control them anymore and his chance of harming you and other people goes down.

JSegura

Posted in Botnets

Bit by a dog with the plague

July 9th, 2008

I was going to title this post differently, but I thought it wouldn’t be appropriate for this blog. ;-)

Anyway, beware of the dog (picture)! It contains a dangerous Trojan that will infect your PC.

It comes in the form of an executable that uses social engineering:

- it has a photo-editor-style icon

- its name is id_dog0704jpg.exe (note the “jpg” glued onto the name right before the real .exe extension)

Upon running it, a picture of a grumpy-looking dog appears:

In the background, things are happening. It hooks into your system by creating two files set to run when you restart your computer:

It is detected by most (though not all) anti-virus products.
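Both of the file names in these posts, nude-anjelina.avi.exe from the Angelina Jolie campaign and id_dog0704jpg.exe here, lean on the same trick: Windows hides known extensions by default, so the victim sees what looks like a video or a picture. The script below is an added example (not code from the original posts) that flags such names in a mail gateway or download folder. The two names come from the posts; the extension lists and the other sample names are constructed. It also goes a little beyond the posts and catches two related tricks they do not mention: whitespace padding that pushes the real extension out of view, and the Unicode right-to-left override character.

```python
"""Flag file names that disguise an executable as a picture or video.

Added example, not code from the original posts. The two names that drive it,
nude-anjelina.avi.exe and id_dog0704jpg.exe, come from the posts; the
extension lists and the remaining sample names are constructed.
"""
import re
from typing import Dict, Iterable, List

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta", "cpl"}
DECOY_EXTS = {"avi", "mpg", "mpeg", "wmv", "mov", "jpg", "jpeg", "gif", "png",
              "bmp", "pdf", "doc", "txt"}
# A decoy extension glued to the end of the base name and preceded by a digit
# or separator: id_dog0704jpg -> "jpg". Requiring a non-letter in front of it
# keeps ordinary names like "mydoc" from matching.
_FUSED_DECOY = re.compile(r"(?:^|[^a-z])(" + "|".join(sorted(DECOY_EXTS)) + r")$")
RLO = "\u202e"  # right-to-left override: "photo\u202egpj.scr" renders as "photorcs.jpg"


def analyse_name(name: str) -> List[str]:
    """Return the reasons a file name looks like an executable posing as media."""
    reasons: List[str] = []
    if RLO in name:
        reasons.append("right-to-left override hides the real extension")
        name = name.replace(RLO, "")
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return reasons  # no extension, or not an executable type at all
    ext, before = parts[-1], parts[-2]
    if len(parts) >= 3 and before.strip() in DECOY_EXTS:
        reasons.append(f"double extension .{before.strip()}.{ext}")
        if before != before.strip():
            reasons.append(f"whitespace padding pushes .{ext} out of view")
    else:
        m = _FUSED_DECOY.search(before)
        if m:
            reasons.append(f"decoy extension '{m.group(1)}' fused into the base name")
    return reasons


def triage(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons; clean names are left out."""
    suspicious: Dict[str, List[str]] = {}
    for n in names:
        reasons = analyse_name(n)
        if reasons:
            suspicious[n] = reasons
    return suspicious


if __name__ == "__main__":
    # Constructed sample: the two names from the posts plus some fillers.
    sample = [
        "nude-anjelina.avi.exe",
        "id_dog0704jpg.exe",
        "holiday.avi",
        "setup.exe",
        "photo.jpg        .exe",
        "photo\u202egpj.scr",
    ]
    for name, reasons in triage(sample).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The name check is cheap and catches the social-engineering layer, but it says nothing about the file contents: a file called holiday.avi can still be a PE if the mail client or downloader honours content sniffing, so pair it with a magic-bytes check (an executable starts with the two bytes “MZ”) before trusting a clean verdict.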

JSegura

Posted in Exploits

Locked out of my desktop

July 8th, 2008

I came across this annoying little program that pushes a Rogue. I say annoying because it locks your desktop to display either an all-white page or a black one, with some fake error message.

The file locker.exe creates an Internet Explorer window (containing that fake error) and also an executable that seems to block certain keystrokes. For example, you can’t do Ctrl+Tab or Alt+F4.

Needless to say, I am also assaulted by various pop-ups and such.

And finally, the app everybody was waiting for, at a cheap price of only $99.95 (“you save more than $400”):

JSegura

Posted in Rogue software

Kit of the root (RootKit)

July 3rd, 2008

There is something annoying about certain pieces of malware: they are shy and hide from you. :(

However, they do some real nasty stuff in the background, so much so that you may want to get rid of them.

I was analyzing some malware samples and found this fake SoundMan.exe (the real one is a process that ships with Realtek sound card drivers). I use Process Explorer (a better Task Manager-like utility) to show me what processes are running on my PC, and there is this SoundMan.exe process, right there, doing some bad stuff.

Process Explorer tells me that the file is located under c:\Windows, but I can’t find it!

The reason is, this file is a rootkit, which means it has the capability of hiding itself from Windows, as well as from other processes. If Windows won’t show it to you, most likely your anti-virus won’t either. You may want to use a rootkit scanner to find it; there are several free tools available. Keep in mind though that not all rootkit scanners will detect AND let you remove the files.

Personally, I prefer a more “hands on” approach: I grab a Linux boot CD (here I use Ubuntu, one of Linux’s several distros) and reboot the PC under the Linux OS. Then I mount the Windows disk, search for the file and voilà!

It is there indeed :) Now I feel free to delete it from the system, and can safely reboot. Bye, bye Rootkit :)

By the way, the file is effectively malware:
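What the post does by hand is a cross-view check: one view (Process Explorer) says a process is running from c:\Windows\SoundMan.exe, a second view (a directory listing from inside Windows) cannot see the file, and a third view (the disk mounted from a Linux live CD) sees it again. Anything that shows up in the offline view but not the live one is a candidate for a file the rootkit is hiding. The script below is an added example, not the blog author’s tooling, that automates the comparison once you have the three listings. The listings are constructed to mirror the post; the mount point /mnt/windows and the filler file names are assumptions.

```python
"""Cross-view check: a file a process runs from, which the live OS will not list.

Added example, not the blog author's tooling. The three listings are
constructed to mirror the post: Process Explorer reports the image path
C:\\Windows\\SoundMan.exe, a directory listing taken from inside Windows does
not show it, and a listing taken from a Linux live CD with the Windows disk
mounted at /mnt/windows does. The mount point and filler names are assumptions.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List

PROCESS_IMAGES = [          # image paths as reported by Process Explorer (constructed)
    "C:\\Windows\\explorer.exe",
    "C:\\Windows\\System32\\svchost.exe",
    "C:\\Windows\\SoundMan.exe",
]
LIVE_LISTING = [            # recursive listing taken from inside the infected OS (constructed)
    "C:\\Windows\\explorer.exe",
    "C:\\Windows\\notepad.exe",
    "C:\\Windows\\System32\\svchost.exe",
]
OFFLINE_LISTING = [         # same tree listed from the live CD mount (constructed)
    "/mnt/windows/Windows/explorer.exe",
    "/mnt/windows/Windows/notepad.exe",
    "/mnt/windows/Windows/SoundMan.exe",
    "/mnt/windows/Windows/System32/svchost.exe",
]


def from_mount(posix_path: str, mount: str = "/mnt/windows", drive: str = "C:") -> str:
    """Map /mnt/windows/Windows/x.exe back to C:\\Windows\\x.exe."""
    rel = posix_path[len(mount):] if posix_path.startswith(mount) else posix_path
    return str(PureWindowsPath(drive + rel))


def _key(path: str) -> str:
    # NTFS paths are case-insensitive; compare normalised, lower-cased forms.
    return str(PureWindowsPath(path)).lower()


def hidden_files(process_images: Iterable[str], live: Iterable[str],
                 offline: Iterable[str]) -> List[str]:
    """Image paths the live OS will not list but the offline mount exposes."""
    live_keys = {_key(p) for p in live}
    offline_keys = {_key(p) for p in offline}
    return sorted(p for p in process_images
                  if _key(p) not in live_keys and _key(p) in offline_keys)


def offline_only(live: Iterable[str], offline: Iterable[str]) -> List[str]:
    """Every file visible offline but missing from the live view, process or not."""
    live_keys = {_key(p) for p in live}
    return sorted(p for p in offline if _key(p) not in live_keys)


if __name__ == "__main__":
    offline = [from_mount(p) for p in OFFLINE_LISTING]
    print("running from a hidden file:", hidden_files(PROCESS_IMAGES, LIVE_LISTING, offline))
    print("hidden on disk:", offline_only(LIVE_LISTING, offline))
```

A difference between the two listings is a lead, not a verdict: a file can also be missing from the live view because of an ACL, or because it was written after the live listing was taken. Hash the candidate from the offline mount and check it against your AV before deleting it, as the post does at the end.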

Jerome Segura

Posted in Rootkits

Caught in the web of AntiSpySpider

June 25th, 2008

Welcome to planet AntiSpy!

An awesome application, “created by the industry’s top spyware experts”. Shouldn’t it be “anti-spyware experts”? Oops… ;-)

Also, they “protect your computer and your privacy.html”. What’s my privacy.html, some web 2.0 application I don’t know?

Let’s take a look at how they protect my computer:

Hijack my desktop:

Hijack my HomePage:

Show me friendly warnings:

And a company everyone wishes they could work for:

I’m glad to hear about the “exceptional customer service” because I really need that right now!

JSegura

Posted in Rogue software

© 2008 ParetoLogic Inc.