Archive for April, 2008

Malware authors have trouble with spelling and grammar

April 28th, 2008

We have seen so many different rogue programs these past couple of years. They try very hard to look legitimate, using fancy graphics and the Microsoft Windows style. Most of them actually look much nicer than some of your popular applications.

There is one simple reason behind that: to gain the trust of the user. Many people that I know have been duped that way, downloading and buying a totally bogus anti-spyware program that claims to remove all those annoying pop-ups.

But in the SWAT team, we have a good eye for details. At least, I have a thing for spelling mistakes: they simply bother me. Also, it may be a hint that there is something dubious about the program.

So here are a few examples we have encountered.

Figure 1: Allert / Alert

Figure 2: 7 dangerous infection / 7 dangerous infections

Figure 3: Malaware Removal / Malware Removal

Figure 4: Most Jeopardy threats. Does that make sense?

Figure 5: operation system / operating system

Figure 6: pervent any unathorised / prevent any unauthorized

Figure 7: how many registries are there?

Figure 8: that one has to be the best :)

Figure 9: “YOUR’RE” - The ‘R’ Spanish style ;-)

And the list goes on…

Posted in Rogue software

New rogues from well known domain

April 21st, 2008

It’s a story we’ve heard before… Fake warnings of spyware infections… Well-branded products to the rescue… PC-Antispyware & PC-Cleaner.
But let’s check out the registrar for antispyware-reviews.biz, just out of curiosity.

ESTDOMAINS! Ah, now that makes sense. These guys are well known for their bad practices and the rogue anti-spyware programs they host. Stay away from those at all costs!

If you happen to be already infected, do not get lured into buying the rogue product. Many people fall for those scams and give out their credit card number.
Instead, proceed to remove it using legitimate software. If you are not sure about the choice, ask your friends or anybody you can trust.

Posted in Rogue software

Malware armoring is now the norm. :’(

April 14th, 2008

Traditionally, we have seen advanced behavior in malware trickle down from the top-tier threats to the more common samples. One such disturbing trend is armoring. This is when malware actively defends itself against removal and analysis. This can be achieved in many different ways, and we often use the less subtle of these traits as a quick method of confirming infection. It is obvious that a system is infected with malware if the user suddenly finds that he cannot run common tools such as the registry editor or the task manager.
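As an added example (not code from the original post), the following PowerShell check looks for the Windows policy values that block Task Manager and the Registry Editor, which is the symptom described above. The two value names are standard Windows policy values; the script assumes it is run on the suspect machine and only reports, it changes nothing.

```powershell
# Added example: report whether the policy values that block Task Manager and
# the Registry Editor are set. Malware that "armors" itself commonly sets them
# to hamper removal. They can also be set legitimately by domain Group Policy,
# so treat a hit as an indicator to investigate, not as proof of infection.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolBlockingPolicies {
    foreach ($path in $policyPaths) {
        # The Policies\System key does not exist on a clean machine.
        if (-not (Test-Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        foreach ($name in $valueNames) {
            $value = $key.$name          # $null when the value is absent
            if ($null -ne $value -and $value -ne 0) {
                [pscustomobject]@{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
}

$findings = Get-ToolBlockingPolicies
if ($findings) {
    Write-Warning 'Tool-blocking policy values found (possible armoring):'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No tool-blocking policy values set.'
}
```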

We now routinely encounter samples that go one step further, preventing common code analysis tools such as OllyDbg or IDA Pro from running, or executing a different payload altogether. This is an effort on the part of the bad guys to delay analysis for as long as possible. It also forces the development of expensive in-house tools to take malware apart.

Most security analysts use virtualization in one form or another as part of their day-to-day operations. Launching samples inside a guest virtual machine running on a host computer is much faster than infecting a real computer. You don’t have to re-image your machine once the malware has been scrutinized; you simply reset the image. This makes virtual machines an ideally suited testing environment. The malware authors have become aware of this, and are now implementing methods by which malcode will verify whether it is running in a virtual environment before executing.

As this trend gradually becomes the norm, we are seeing third-party software that offers anti-virtualization armoring techniques to less skilled attackers.

What was once reserved for advanced threats has now become the norm. It is disheartening to see how rapidly this occurred. These new capabilities do have the strange side effect of making the use of virtualization safer from an end user’s perspective, as most of the malware will assume it is in this environment for dissection purposes, and thus refuse to execute.

Jean Taggart

Posted in Malware Trends

You are currently browsing the Malware Diaries weblog archives for April, 2008.

© 2008 ParetoLogic Inc.