Beware of search engine helpers
You may come across some sites that offer online searches in cool formats. For example, we found this Italian website that does a search in both Google and Yahoo!.

It works well and presents the results in two different window panes:

However, digging into the source code for that page, we found an infamous drive-by download (loader.exe) that happens to be nothing less than a Trojan Downloader.

That Trojan will download additional malware (dialer, password stealer) onto your computer.
As a general rule, it is safer to use your search engine directly from its main site (e.g. google.com). Many sites offer a search box on their own page that claims to query the major search engines. However, the results that come back are often biased or, even worse, come bundled with malicious programs.
JSegura
|
A day in the life of a Malware Analyst
When it comes to analyzing malware, each company has its own methods. Due to the volume of daily threats, most vendors will develop some sort of automation to process hundreds of signatures very rapidly. However, human analysts are needed to understand the mechanisms used by malware authors.
I can see at least two ways of analyzing a piece of malware:
- reverse engineer it
- execute it
Reverse engineering consists of taking the sample apart to understand how it works. Basically, the file is made of instructions that were originally written in source code. When a malware author (or anybody) writes a program, they compile all those instructions into a language that the machine can understand. The job of the security analyst is to work back to those lines of code in order to reveal the hacker’s intentions.
Needless to say, this is a lengthy and sometimes difficult process. The security analyst also needs the proper skills to understand different programming languages and to identify the portions of code that present a security risk.
The alternative to reverse engineering is much simpler and quicker, but radically different. While the first method is mainly static, the second consists of running the sample on a machine.
Security analysts use special machines for this, such as virtual environments, or physical machines that can be infected, formatted and re-installed.
Samples are run and their behaviour is recorded. That behaviour is also called the payload and includes file creation, registry modification, network traffic, etc.
At that point it is fairly easy to identify behaviours. When in doubt, we upload the sample, or a file from its payload, to an online malware scanner. That can help us classify the sample into a category (e.g. Password Stealing Trojan).
In order to protect our end users, we must add the malware “payload” to our security products. Here we use the term signature, which is made of file names, paths (e.g. c:\windows), and other uniquely identifying information such as an MD5 hash.
We regularly release database updates that include the latest threats we found.
Another part of malware analysis deals with cleaning malware samples we have added to our products. Here we want to make sure that our software is capable of removing all infections without damaging the Operating System.
The loop has been completed, from malware infection, to detection and finally removal.
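As an added illustration of the detection step described above (example code, not the original post's or any vendor's tooling): a recorded payload is turned into a signature of file name, directory and MD5, and that signature is then checked against files observed on another machine. The family name, paths and file contents are constructed sample data.

```python
# Added example (not from the original post): turn a recorded payload
# into a signature of file name, path and MD5, then check it against
# artifacts observed on another machine.  All paths and hashes below
# are constructed sample data, not real indicators.
import hashlib
import ntpath

def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def normalize_path(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one form."""
    return ntpath.normpath(path).lower()

def build_signature(family: str, dropped_files: dict) -> dict:
    """dropped_files maps each path the sample wrote in the analysis VM
    to that file's bytes. The signature keeps name, directory and MD5."""
    entries = []
    for path, content in dropped_files.items():
        norm = normalize_path(path)
        entries.append({"name": ntpath.basename(norm),
                        "dir": ntpath.dirname(norm),
                        "md5": md5_of_bytes(content)})
    return {"family": family, "files": entries}

def match(signature: dict, observed: dict) -> list:
    """observed maps paths found on a scanned machine to their bytes.
    A file hits on MD5 (strong, survives renaming) or, failing that,
    on name plus directory (weaker, catches a repacked variant)."""
    by_md5 = {e["md5"] for e in signature["files"]}
    by_loc = {(e["dir"], e["name"]) for e in signature["files"]}
    hits = []
    for path, content in observed.items():
        norm = normalize_path(path)
        loc = (ntpath.dirname(norm), ntpath.basename(norm))
        if md5_of_bytes(content) in by_md5:
            hits.append((path, "md5"))
        elif loc in by_loc:
            hits.append((path, "name+path"))
    return hits

# Constructed payload as it would be recorded in the analysis VM.
PAYLOAD = {
    r"C:\Windows\loader.exe": b"constructed sample bytes A",
    r"C:\Windows\System32\dialer.dll": b"constructed sample bytes B",
}
SIGNATURE = build_signature("Trojan.Downloader", PAYLOAD)
```

The name-plus-path fallback is what lets a signature still fire when an author recompiles the dropper but keeps its install location, at the cost of a weaker match that should be confirmed before removal.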
There goes the day of a Malware Analyst
JSegura
|
Keyloggers
As part of my “patching the end user” efforts, I figured I would write about keyloggers.
This is the definition I found on the internet: “A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer’s keyboard.” In short, not something you would ever want on your computer.
Not too long ago, I decided to manually download all the keyloggers I could find on the internet and update our database as far as that type of threat is concerned. I figured it would keep me busy for a day or so. Oh boy, was I ever wrong! There is a rather large number of programs that log your keystrokes for someone else’s convenient later perusal. It’s big business.
I must have spent a good solid week downloading keylogger after keylogger. Every time I thought I was nearing the end, I would stumble onto another sample. As my collection efforts finally dwindled, I noticed that some of the deprecated keyloggers migrated from pseudo-legality to downright illegality. Essentially, when some of the more “fly-by-night” outfits that market keyloggers go out of business, the source code tends to be recycled by the malware community.
I found this on a website that reviews keyloggers. I also witnessed similar disclaimers during the installation of the more commercially marketed samples I tested.
“DISCLAIMER: Logging other people’s keystrokes or breaking into other people’s computer without their permission can be considered illegal by the courts of many countries. The monitoring software reviewed here is ONLY for authorized system administrators and/or owners of computers. We assume no liability and are not responsible for any misuse or damage caused by the keylogging software. The end user of this software is obliged to obey all applicable local, state, federal and other laws in his country of residence.”
This has to say something about the ethical issues that surround using this type of software.
Here are a few select screen captures of different keylogger administrative interfaces.

Not very subtle, now are we? As far as I am concerned if you aren’t presented with a disclaimer, or explicitly made aware that your keystrokes are logged, it should be illegal.
When you are given the option to disable the warning message and make the keylogger go into full stealth mode, it even further muddies the waters. The software maker can claim to take the high road, as these are not checked by default.

I’m in a peculiar situation, as I’ve experienced first hand having a keylogger installed on my machine. The profound breach of trust that it engenders is devastating. Many of these applications are marketed towards the Spouse/parent/partner as a peace of mind device. The landing pages for some of these applications are eerily similar to the scare tactics pages used for rogue antispyware software.
If you have to resort to spying, and let’s not kid ourselves, that is what these programs and devices do, there is so little implied present trust in the relationship that logging keys should be the least of your concerns…
Jean “TinFoilHatMan” Taggart
|
New rogues coming
These rogue apps, although they look legitimate, are scams that you need to stay away from.

|
The fine art of rogue scamming
Riding the wave of spyware and privacy, malware authors are making a lot of money.
The recipe is pretty simple: use scare tactics and sell a “magic” program that will solve all the troubles.
Today we are taking a classic example: IE Antivirus, the latest rogue software. After browsing a couple of known bad sites, I found myself subject to many annoying pop-ups. They all seem to tell me that my PC is in great danger and, as Good Samaritans, they also show me the cure: IE Antivirus.

I am glad to hear that most credit cards are accepted, and that I will benefit from a full money back guarantee.

However, I am a little worried about the cost, around $70… I’m thinking there are a lot of well known programs out there a lot cheaper than that, but there must be a reason for this one to come right to me.
Also, I can get their Alpha wipe cleaner for a very small one time fee.
The total charge is now around $80.
