Archive for June, 2008

Caught in the web of AntiSpySpider

June 25th, 2008

Welcome to planet AntiSpy!

An awesome application, “created by the industry’s top spyware experts”. Shouldn’t it be “anti-spyware experts”? Oops… ;-)

Also, they “protect your computer and your privacy.html“. What’s my privacy.html, some web 2.0 application I don’t know?

Let’s take a look at how they protect my computer:

Hijack my desktop:

Hijack my HomePage:

Show me friendly warnings:

And a company everyone wishes they could work for:

I’m glad to hear about the “exceptional customer service” because I really need that right now!

JSegura

Posted in Rogue software

A gift for me?

June 23rd, 2008

Today I received this lovely file wrapped as a present.

Too curious, I had to open it for myself ;-)

Upon execution the file modifies your browser’s Start Page to point to a malicious website.

Every time you open your browser, the malicious site tries to download an executable (cf. picture below).

The file is well known to AV companies and is classified as a Dialer.

Jerome Segura

Posted in Malware Trends

A sick-looking bug demands money

June 20th, 2008

A new rogue, called MalWarior 2008, is making the rounds lately. Don’t get fooled by this sick-looking bug; this is a scam. What is it supposed to be with that mic? A telemarketer?


Warning #1: I say No….


Warning #2: I say No…. again!


Man, do you want me to register or what?

Special prices… no thanks…


Jerome Segura

Posted in Rogue software

Security researchers equivalent to “The funnies” :-)

June 17th, 2008

We get to see some pretty interesting stuff while hunting for malware. Take this helpful notice from the site administrators of an illegal warez site.

Ummm. Yeah, right. I am absolutely convinced that these are false positives, not “trojanized” programs.

I wonder why they specifically targeted AVG though?

I took a quick screen capture of one of our testing machines. I am strangely reminded of winning at solitaire.


And last, but not least, I guess there’s no honor among script kiddies, as we witness a warez site that fell victim to an old-school defacement.


Jean “TinFoilHatMan” Taggart signing out.

Posted in Uncategorized

Tools of the trade

June 16th, 2008

Security researchers have different backgrounds, some of them are very technical while others have more of an abstract knowledge of things. I’m kind of in between. Actually I graduated with a Masters in Business Administration with a specialisation in Information Technology. Let me tell you that there were certain courses I hated (accounting, law…) but overall when I look back at it, I’m glad to have that background because I am familiar with many things, not just one, such as programming.

There is one thing that I really like about doing malware research, other than the fact of seeing cool or scary stuff. I like the search and research aspect of it. More and more we are in a world where it’s all about information and of course technology. The thing is, technology has made information so much more accessible than ever before: in actuality we are swamped with data. That’s where the strength of Information Systems lies, which brings us back to malware research.

A year ago or so, I got interested in aggregating malware in an automated way. I had a basic understanding of the current threats and it seemed clear that most of them come from the web. Around the same time I had heard about the Google Stopbadware project which listed infected websites. I spent hours browsing those infected URLs, looking at their content… The result was simple: browsing with an unpatched browser was a sure way to get infected.

I started from scratch by building some batch scripts to do very simple things. I sure got some laughs when I showed I was writing 80’s-technology batch scripts. But like I said earlier, the technical aspect doesn’t interest me as much as finding a concept that works.

The results were successful. It got me into reading more technical documentation, and it’s at that point I realized I had built what experts call a Honeypot: an information system (or, more simply, a trap) that attracts unauthorized attempts to exploit a system. Honeypots are a fascinating study. There is so much you can do with them, whether it is to protect your company or to be more proactive and capture malware.

After many different versions of my earlier work I decided to get some skilled programmers’ help and make a robust program. Today, the Honeypot has the following features:

• Real end-user environment (no Virtual Machine)
• Scalable system to process large volumes of URLs
• Detection of infected web-sites in real time
• Identification of malware hosts
• Active shield for system integrity

There is not one recipe to collect malware. People use different tools and technologies and allocate the resources they have. That’s the exciting thing: you can always come up with an idea that will definitely make a difference.


JSegura

Posted in Research

Fake Microsoft, real malware

June 4th, 2008

I was playing around with some malware when I noticed something interesting: a fake Microsoft website (actually a redirection) at microsoft-direct.net hosting malware.

If you browse to the aforementioned website, you get redirected to the legit Microsoft site. However, digging a little bit, I found that it also hosts some malware which, funnily enough, uses some famous Microsoft filenames.

If you do some research, you will find that the website is hosted in Malaysia.

Several malware files are hosted there. Those filenames certainly ring a bell for Windows users: winlogon.exe, svchost.exe….

A VirusTotal scan of one of those files reveals its malicious nature:

Thanks for the download, but I think I will keep my own lsass.exe. :)
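As an added defender-side check (not code from the original post), here is a small Python script that flags running processes whose image name matches one of the Windows binaries named above but whose path is not the directory that binary is expected to live in. The expected-directory table and the process listing are constructed for this example; the assumption is a 64-bit Windows install where svchost.exe also exists under SysWOW64.

```python
import ntpath
from typing import List, Optional, Tuple

# Core Windows binaries named in the post and the directories they are
# expected to run from. Constructed table for this example (assumption:
# 64-bit Windows, where svchost.exe also exists under SysWOW64).
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

def check_process(image_path: str) -> Optional[str]:
    """Return a finding if image_path impersonates a core binary, else None."""
    # Normalise separators and case; Windows paths are case-insensitive.
    directory, name = ntpath.split(ntpath.normpath(image_path).lower())
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None or directory in allowed:
        return None
    return f"{name} running from {directory} (expected {sorted(allowed)})"

def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Parse 'pid,image path' records and return (pid, finding) pairs."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, _, path = line.partition(",")
        finding = check_process(path)
        if finding:
            findings.append((int(pid), finding))
    return findings

# Constructed process listing; the two flagged entries mimic the hosted
# files from the post landing in user-writable locations.
SAMPLE = """\
# pid,image path
612,C:\\Windows\\System32\\lsass.exe
880,C:\\Windows\\SysWOW64\\svchost.exe
2044,C:\\Users\\jsegura\\Downloads\\svchost.exe
2101,C:\\Windows\\Temp\\winlogon.exe
3000,C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE.splitlines()):
        print(f"PID {pid}: {finding}")
```

The same check works over a real export (for example the output of `tasklist` or a process listing from a forensic image) once it is reduced to `pid,path` records.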

Posted in Malware Trends

Fake codecs, porn and malware

June 3rd, 2008

There is a very popular fake codec going around lately. The domain is registered to EST Domains, a known dubious host involved in many bad practices.

The page is a YouTube look-alike, although none of the links actually work. You get an error message as soon as you try to watch one of the videos, and it tries to install a video codec (which is actually the well-known Zlob Trojan).
One thing that bothered me was to see the AdultFriendFinder advert on the right side. Not that I care about them, but I thought they were trying to clean up their act. Advertising alongside malware is NEVER a good thing.

Funnily enough, another page gets loaded, as if trying to protect me from the bad guys.

In fact, it is the bad guys themselves, pushing a rogue onto me!

Watch out for those YouTube look alikes! ;-)

JSegura

Posted in Fake codecs

Targeted Phishing, an example.

June 2nd, 2008

I thought it would be educational to break down a targeted phishing attempt, to help demonstrate how effective this type of attack can be.

I collect video games. In my quest for the ever rare peripheral, or the out of print classic game, I’ve often done business with strange companies based in far away lands.

One of those was a wonderful little outfit called Lik-Sang. They used to carry all sorts of “hard to get” stuff from the Mecca of video game land: Japan.

Of course, sometimes items that were not intended for other markets could be had, like a foreign console that would enable you to play the few titles that did not require intimate knowledge of Japanese well in advance of their US release.
This behavior generally tends to be frowned upon by the manufacturer of said products. That is why they have things such as region-coded games, after all.

As you would have it, Lik-Sang attracted the ire and more importantly, the scrutiny of the legal department at the Sony Corporation. This was followed by some legal entanglement better explained here: http://www.lik-sang.com/ and more importantly summarized by this comment: “As of today, Lik-Sang.com will not be in the position to accept any new orders and will cancel and refund all existing orders that have already been placed. Furthermore, Lik-Sang is working closely with banks and Paypal to refund any store credits held by the company, and the customer support department is taking care of any open transactions such as pending RMAs or repairs and shipping related matters. The staff of Lik-Sang will make sure that nobody will get hurt in the crossfire of this ordeal.”

I must admit I was disappointed that they went out of business. A couple of weeks later I received an email, apparently from Lik-Sang, informing me that I have a $10 credit on my account with them. Nothing too unusual there, as I had done business with them in the past. I was a little surprised, though. I didn’t remember any credit. I read further into the email, where they kindly asked me to fill in my Paypal user name and password account information so that they can refund me my money.

Hold on, wait a minute, my username and password?  This was a phishing attempt! I would like to believe that this was created by a crafty phisher, who decided to capitalize on the downfall of Lik-Sang, but it is much more probable that someone in the IT department at Lik-Sang decided to sell the email client list on their way out. This is another painful reminder that no matter how much you may trust the business entities that you share your email address with, things may change.

So now we have to worry about who has our email address in their databases and how well they secure this information. This only reinforces my belief that the throw-away e-mail address is now a necessity. I diligently read what lands in that inbox, but everything is taken with a grain of salt.

Jean “TinFoilHatMan” Taggart

Posted in Phishing

You are currently browsing the Malware Diaries weblog archives for June, 2008.

Jerome Segura is a Security Analyst working at ParetoLogic.

© 2010 ParetoLogic Inc.