You may come across some sites that offer online searches in cool formats. For example, we found this Italian website that does a search in both Google and Yahoo!.

It works well and presents the results in two diffent window panes:

However, digging into the source code for that page, we found an infamous drive-by download (loader.exe) that happens to be nothing less than a Trojan Downloader.

That Trojan will download additional malware (dialer, password stealer) onto your computer.

As a general rule, it is safer to use your search engine directly from the main site (i.e. google.com). Many sites offer a search from their own page that claims to search the major search engines. However, it is often biased results that are returned, or even worse, malicious programs.

JSegura

When it comes to analyzing malware, each company has its own methods. Due to the volume of daily threats, most vendors will develop some sort of automation to process hundreds of signatures very rapidly. However, human analysts are needed to understand the mechanisms used by malware authors.

I can see at least two ways of analyzing a piece of malware:

- reverse engineer it
- execute it

Reverse engineering consists of taking apart the sample to understand how it works. Basically, the file is made of instructions written in the source code. When a malware author (or anybody) writes a program, they will compile all those instructions into a language that the machine can understand. The job of the security analyst is to go back to those lines of codes in order to reveal the hacker’s intentions.

Needless to say that this is a lengthy and sometimes difficult process. Also, the security analyst needs to have the proprer skills to understand different programming languages and identify the portions of code that present a security risk.

The other alternative to reverse engineering is much more simple and quicker but radically different. While the first method was mainly static, the second one consists of running the sample on a machine.
Security analysts use special machines, such as virtual environments, or machines that can be infected, formated and re-installed.
Samples are run and their behaviour is recorded. That behaviour is also called payload and includes: file creation, registry modification, network traffic etc.
At that point it is fairly easy to identify behaviours . When in doubt we upload the sample or a file from its payload to an online malware scanner. That can help us classify the sample into a category (i.e. Password Stealing Trojan).

In order to protect our end users, we must add the malware “payload” to our security products.  Here we use the term signature which is made of file names, paths (i.e. c:\windows), and other uniquely identifiable information such as MD5.
We regularly release database updates that include the latest threats we found.

Another part of malware analysis deals with cleaning malware samples we have added to our products. Here we want to make sure that our software is capable of removing all infections without damaging the Operating System.

The loop has been completed, from malware infection, to detection and finally removal.

There goes the day of a Malware Analyst

JSegura

As part of my “patching the end user” efforts, I figured I would write about keyloggers.

This is the definition I found on the internet: “A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer’s keyboard.” In short, not something you would ever want on your computer.

Not too long ago, I decided to manually download all the keyloggers I could find on the internet and update our database as far as that type of threat is concerned. I figured it would keep me busy for a day or so. Oh boy, was I ever wrong! There is a rather large amount of programs that log your keystrokes, for some ones else convenient later perusal. It’s big business.

I must have spent a good solid week downloading  keylogger after keylogger. Every time I thought I was nearing the end, I would stumble onto another sample. As my collection efforts finally dwindled, I noticed that some of the depreciated keyloggers migrated from pseudo legality, to downright illegality. Essentially, when some of the more “fly-by-night” outfits that market keyloggers go out of business, the source code tends to be recycled by the malware community.

I found this on a website that reviews keyloggers. I also witnessed similar disclaimers during the installation of the more commercially marketed samples I tested.

“DISCLAIMER: Logging other people’s keystrokes or breaking into other people’s computer without their permission can be considered illegal by the courts of many countries. The monitoring software reviewed here is ONLY for authorized system administrators and/or owners of computers. We assume no liability and are not responsible for any misuse or damage caused by the keylogging software. The end user of this software is obliged to obey all applicable local, state, federal and other laws in his country of residence.”

This has to say something about the ethical issues that surround using this type of software.

Here are a few select screen captures of different keylogger administrative interfaces.

Not very subtle, now are we? As far as I am concerned if you aren’t presented with a disclaimer, or explicitly made aware that your keystrokes are logged, it should be illegal.

When you are given the option to disable the warning message and make the keylogger go into full stealth mode, it even further muddies the waters. The software maker can claim to take the high road, as these are not checked by default. 

I’m in a peculiar situation, as I’ve experienced first hand having a keylogger installed on my machine. The profound breach of trust that it engenders is devastating. Many of these applications are marketed towards the Spouse/parent/partner as a peace of mind device. The landing pages for some of these applications are eerily similar to the scare tactics pages used for rogue antispyware software.

 If you have to resort to spying, and lets not kid ourselves, that is what these programs and devices do, there is so little implied present trust in the relationship, that logging keys should be the least of your concerns…

Jean “TinFoilHatMan” Taggart

Those rogue apps, although looking legit are scams which you need to stay away from.

Riding the wave of spyware and privacy, malware authors are making a lot of money.

The recipe is pretty simple: use scare tactics and sell a “magic” program that will solve all the troubles.

Today we are taking a classic example of IE Antivirus, the latest rogue software. After browsing a couple of known bad sites, I found myself subject to many annoying pop-ups. They all seem to tell me that my PC is in great danger and, as good samaritans, they also show me the cure: IE Antivirus.

I am glad to hear that most credit cards are accepted, and that I will benefit from a full money back guarantee.

However, I am a little worried about the cost, around $70… I’m thinking there are a lot of well known programs out there a lot cheaper than that, but there must be a reason for this one to come right to me.
Also, I can get their Alpha wipe cleaner for a very small one time fee.

The total charge is now around $80.

It’s hard to tell how many people will purchase the product, but it’s fair to say that those scams are very profitable. It’s sad to think that way but that’s how the world goes on.

Your best choice to eradicate these pests is to clean your PC with a real, trustworthy program. Maybe not just one, but several as not all may be able to detect the Trojan responsible for it. Malware authors will design thousands of variants of their Trojan in order to evade regular anti virus detection.

Our job in the SWAT team is to find all those threats before you do so that we can protect your PC before you even get infected. There are many ways to find those things. We like to replicate regular end user behaviour by making extensive use of our honeypots and other system traps.

JSegura

We have seen so many different rogue programs these past couple of years. They try real hard to look legitimate using fancy graphics and Microsoft Windows’s style. Most of them actually look much nicer than some of your popular applications.

There is one simple reason behind that: to gain the trust of the user. Many people that I know have been duped that way, downloading and buying a totally bogus anti spyware program that claims to remove all those annoying pop ups.

But in the SWAT team, we have a good eye for details. At least, I have a thing for spelling mistakes: they simply bother me. Also, it may be a hint there is something dubious about the program.

So here are a few examples we have encountered.

Figure 1: Allert / Alert

Figure 2: 7 dangerous infection / 7 dangerous infections

Figure 3: Malaware Removal / Malware Removal

Figure 4: Most Jeopardy threats. Does that make sense?

Figure 5: operation system / operating system

Figure 6: pervent any unathorised / prevent any unauthorized

Figure 7: how many registries are there?

Figure 8: that one has to be the best

Figure 9: “YOUR’RE”  - The ‘R’ Spanish style

And the list goes on…

It’s a story we’ve heard before… Fake warnings of spyware infections… Well branded products to the rescue… PC-Antipsyware & PC-Cleaner.
But let’s check out the registrar for antispyware-reviews.biz, just out of curiosity.

ESTDOMAINS! Ah, now that makes sense. These guys are well known for their bad practices and the rogue anti-spyware programs they host. Stay away from those at all costs!

If you happen to be already infected, do not get lured to buy the rogue product. Many people fall for those scams by giving ourt their credit card number.
Instead, proceed to remove it using legitimate software. If you are not sure about the choice, ask your friends or anybody you can trust.

Traditionally, we have seen advanced behavior in malware trickle down from the top tier threats to the more common samples. One such disturbing trend is armoring. This is when malware actively defends itself against removal and analysis. This can be achieved in many different ways and we often use the less subtle of these traits as a quick method of confirming infection.  It is obvious that a system is infected with malware, if the user suddenly finds he cannot run common tools, such as the registry editor, or the task manager.

We now routinely encounter samples that go one step further, preventing common code analysis tools such as ollydbg, or IDApro from running, or executing a different payload altogether. This is an effort on the part of the bad guys to delay analysis for as long as possible.  It also forces the development of expensive in-house tools to take malware apart.

Most security analyst use virtualization in one form or another as part of their day to day operations. Launching samples inside of a guest virtual machine, running on a host computer is much faster than actually infecting a real computer. You don’t have to re-image your machine once the malware has been scrutinized, simply reset the image. This makes virtual machines an ideally suited testing environment. The malware authors have become aware of this, and are now implementing methods in which malcode will actually verify if it in a virtual environment before executing.

 As this trend gradually becomes the norm, we are seeing 3rd party software, that offer anti-virtualization armoring techniques for the less skilled attackers.  

What was once reserved for advanced threats has now become the norm. It is disheartening to see how rapidly this occured. These new capabilities do have the strange side effect of making the use of virtualization safer, from an end user’s perspective, as most of the malware will assume it is in this environment for dissection purposes, and thus refuse to execute.

Jean Taggart

I am very pleased to see the Malware Diaries now online.

I have been working in the security industry for a little more than two years now. It is definitely a very captivating and challenging place.

The SWAT team here at Paretologic is responsible for Malware Research and Database Updates. Our job is to find the bad stuff floating on the Internet and analyze it in our lab before adding detection signatures to our security products.
We actively seek malware with different tools which consist of traps (also known as HoneyPots). as well as human research.
As you may imagine we get to see a wide variety of threats from simple social engineering attacks to very well crafted exploits.

The malware diaries will tell you various stories about online security. The purpose is to be informative, accessible to the novice and interesting to the expert. My partner in crime Jean Taggart will share the pen with me along the journey.

Feel free to browse as you wish or use the menu on the right side to pick a category. We welcome your feedback.

Enjoy!

J. Segura
Computer Security Analyst, Malware Diaries author

——

Hello world!

My name is Jean Taggart and I am a computer security analyst here at Paretologic.

I firmly believe that “patching” the end user is a good thing. That is essentially what we do when we inform someone through our blog postings on the seedier side of the net. When we describe how a scam works, explain how the bad guys are trying to fool users in parting with their hard earned money, we disarm them.

I have seen the threat landscape change dramaticaly over the past few years. From adware that you could simply uninstall, soon followed by programs that intentionnaly obfuscated their file names and how they hooked into the registry, and eventually applications that have monitoring processes and exhibit rootkit like traits.

If we can entertain you at the same time that we inform you on these emerging threats, so much the better.

Jean Taggart
Computer Security Analyst, Malware Diaries co-author

More and more sensitive information is exchanged online, so much so that, most of the time we don’t realize it. We log into our email account(s), our bank sites, our eBay account etc. Every time we do that, a transaction happens. We send in passwords, usernames or credit card numbers onto an external server. Of course, we know about why it is so important to choose a strong password, but do we know it is totally useless if we cannot trust the recipient we are sending it to?

That is where anyone can I exploit that trust. Phishing is any action made to fraudulently acquire private information by pretending to be a real and trustworthy entity.

Very soon, hackers have realized how much value there was in doing Phishing scams. Stealing somebody’s credentials can give full access to very private information and basically be in total control of someone’s life (provided that the person does some online banking, logs into her healthcare site and so on).

There are many ways to carry out a phishing scam. First of all, the victim needs to be contacted in some way. It could be from an email, that leads you to a fake site, or it could be from a typical malware infection, that hijacks the web browser and redirects it to fraudulent
websites whenever the victim types in the URL, or clicks on a bookmark.

Secondly, because the phishing site will be hosted on a different domain than the real one, the hacker needs to trick the

Figure 1: phishing site targeting Facebook users. Notice the URL ending in “.cn”

user into believing this is the correct URL. A classic example is to
slightly modify the domain name. Also, typos are commonly used.

Real: www.google.com
Fake: www.go0gle.com

Real: ww.facebook.com
Fake: www.facebook.com.profile.php.id.37122.cn

Another technique called website forgery involves the use of scripts to
alter the address bar. The legitimate address bar can be closed in order to display a hacked one. More simply, a JavaScript can be used to display a picture in place of the address bar, so that everything looks legitimate.

Let’s take an example of a Phishing scam targeted at Facebook’s users (Figure 1).

A similar face plate is created, that looks identical to the legitimate one. The URL in the address bar is slightly different, but the average user may not notice it. In fact, this page is hosted in China.

Then let’s enter the email address and password in the form. Figure 2 shows that the credentials are being sent to the phishing server somewhere in China.

Interestingly enough, after entering the login information, the real login page for

Figure 2: data transfer between the client and the malware server
Facebook is loaded this time. The user might just think she typed something wrong and re-enter the login again. Now, it will work and most likely the user won’t have noticed a thing.

Meanwhile, a hacker has received a valid email address that he can use for spam, not mentioning that he can log into the Facebook account at any time. However, there is something even better he can get access to, with a bit of luck. A lot of people use the same password for the different services they long into.

Now, the hacker gets into your personal email account. Due to the larger storage available, people don’t bother deleting old emails. This is a gold mine for hackers. They will do a simple keyword search (“password”, “credit card”, “confidential”), and find even more juicy stuff.

The conclusion to this story is that Phishing is a real and dangerous online threat. Although efforts are being made to protect users, the problem is so large that not one solution can fix it.
Internet Explorer 7 does include a filter capable of detecting phishing sites. But it’s not 100% trustworthy. There are public groups combating fishing and reporting live stats as well as taking them down. The PIRT (Phishing Incident Reporting and Termination) team at Castlecops.com is one of them doing a very good job.

Ultimately, this is something that users will have to become familiar with and more vigilant. Effectively blocking spam emails which are full of phishing scams would be a good start. Browser add-ons or applications running in the background can also detect in real time dangerous websites and block them.

Jerome Segura