<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.8.5" -->
<rss version="0.92">
<channel>
	<title>Malware Diaries</title>
	<link>http://blogs.paretologic.com/malwarediaries</link>
	<description>Malware Diaries, a blog about the job of a security researcher</description>
	<lastBuildDate>Sat, 07 Nov 2009 01:53:32 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>Crontab way around in Linux</title>
		<description>I'm trying to run a script with crontab so that it runs at a certain time. Nothing new here...

However, my script involves PGP and for some strange reason, PGP will not decrypt anything while in crontab (user-agent blablabla... and other bogus errors). The frustrating thing was that the script runs ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/11/06/crontab-way-around-in-linux/</link>
			</item>
	<item>
		<title>Fake porn, fake watches and hacking your wallet</title>
		<description>Fake porn sites (real Trojan Horses), fake watches (real scams), password cracking (wallet cracking): Welcome to the world of online crime!

All these sites were taken from the same IP address, namely 210.51.187.{sanitized}. I'm going to show you a wide portfolio of online threats and scams.

To start off, a fake porn ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/11/03/fakefakefake/</link>
			</item>
	<item>
		<title>MDL: URL Clearing House in testing phase</title>
		<description>We are doing some more testing and putting the final pieces together on our URL Clearing House project.

When will it be ready? I can't say for sure yet. We need to add user accounts (don't worry, the service will be free) for our own stats, put up a Terms of Service, do ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/11/02/mdl-url-clearing-house/</link>
			</item>
	<item>
		<title>New feature added to the HoneyPot</title>
		<description>Our HoneyPot was missing an important feature, given that many (if not most) malicious websites use PHP to serve their payload.

Up until now, our HoneyPot was only looking for pure exploits in:

- browser
- flash
- pdf
- quicktime
- java

However, a large number of malware files are downloaded using PHP.

Here is this new feature ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/30/new-feature-added-to-the-honeypot/</link>
			</item>
	<item>
		<title>Malware in a zip</title>
		<description>This one comes as a zip file and extracts to yahoo.html.exe:

0l.zzkk11.com/yahoo.html.zip

and it is an OnlineGames Trojan.

Jerome Segura

Malware ID: 133e78f1e76aace342e4d07cea6f80f9.zip </description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/29/malware-in-a-zip/</link>
			</item>
	<item>
		<title>Adobe Ads Manager (oops) Download Manager&#8230;</title>
		<description>I downloaded an update for Adobe Reader today and I was quite unimpressed to watch the Adobe Download Manager show me a bunch of ads. Is this a new form of advertisement?

I also couldn't help but notice that the traditional Google Toolbar "bundle" had been replaced by a McAfee Security ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/28/ad-manager/</link>
			</item>
	<item>
		<title>Malware in a rar</title>
		<description>The following site (Russian language), igra.newvksoft.org.ua, downloads a rar file onto your computer.

If you extract the file you will get this:

file.exe is malware

It's not often I see malware coming through a rar file.

Did you know? The rar file compression format was developed by a Russian software engineer, Eugene Roshal.

It probably ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/28/malware-in-a-rar/</link>
			</item>
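The honeypot post above (exploits in browser, Flash, PDF, QuickTime and Java, now extended to payloads served by PHP scripts) and the two archive posts (a zip that extracts to yahoo.html.exe, a rar that extracts to file.exe) describe the same detection problem: the URL and the HTTP headers say nothing reliable about what was actually downloaded. The following is an added example, not code from the Malware Diaries honeypot, of the classification step such a honeypot needs: it identifies the payload by its magic bytes, flags executables that arrive behind .php URLs or under a text/html content type, lists the members of zip payloads, and flags double-extension names. The sample responses and the example.invalid URLs are constructed for the example; listing rar members needs an external library and is left out, which is an assumption about the tooling, not something the posts describe.

```python
"""Classify a fetched HTTP response as a probable malware drop.

Added example, not the Malware Diaries honeypot's own code. The idea is
that the crawler hands every response (not only URLs ending in .exe) to
classify(), which looks at the bytes rather than at the URL or headers.
"""
import io
import posixpath
import zipfile
from urllib.parse import urlparse

# Leading bytes of the payload types the posts above deal with.
MAGIC = (
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"%PDF", "pdf"),
    (b"CWS", "flash"),
    (b"FWS", "flash"),
    (b"ZWS", "flash"),
)

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll"}
DECOY_EXTS = {".html", ".htm", ".jpg", ".gif", ".png", ".pdf", ".doc", ".txt"}
# Content types under which a binary should never legitimately arrive.
TEXTUAL_TYPES = ("text/", "application/xhtml", "application/javascript")


def sniff_type(body):
    """Identify the payload by its leading bytes, ignoring URL and headers."""
    for magic, name in MAGIC:
        if body.startswith(magic):
            return name
    return "unknown"


def is_double_extension(name):
    """True for decoy names such as yahoo.html.exe (document ext + exe ext)."""
    root, ext = posixpath.splitext(name.lower())
    inner = posixpath.splitext(root)[1]
    return ext in EXECUTABLE_EXTS and inner in DECOY_EXTS


def archive_members(body):
    """Member names of a zip payload. Rar listing would need an external
    library (assumption: not available), so rar payloads return []."""
    if sniff_type(body) != "zip-archive":
        return []
    with zipfile.ZipFile(io.BytesIO(body)) as zf:
        return zf.namelist()


def classify(url, headers, body):
    """Return (verdict, reasons): 'drop' if the response looks like a
    malware download, 'benign' otherwise, plus the triggered checks."""
    reasons = []
    url_ext = posixpath.splitext(urlparse(url).path)[1].lower()
    kind = sniff_type(body)
    ctype = headers.get("Content-Type", "").lower()

    # 1. Server claims a textual type but the body carries a binary signature.
    if kind in ("pe-executable", "zip-archive", "rar-archive") and ctype.startswith(TEXTUAL_TYPES):
        reasons.append("binary %s served as %s" % (kind, ctype))

    # 2. A PE file behind a URL that does not end in an executable extension
    #    (the .php case from the honeypot post).
    if kind == "pe-executable" and url_ext not in EXECUTABLE_EXTS:
        reasons.append("pe-executable behind %s url" % (url_ext or "extension-less"))

    # 3. Executables or double extensions inside the archive or in the
    #    filename the server suggests via Content-Disposition.
    names = list(archive_members(body))
    disp = headers.get("Content-Disposition", "")
    if "filename=" in disp:
        names.append(disp.split("filename=", 1)[1].strip('" '))
    for n in names:
        base = posixpath.basename(n)
        if is_double_extension(base):
            reasons.append("double extension: %s" % n)
        elif posixpath.splitext(base)[1].lower() in EXECUTABLE_EXTS:
            reasons.append("executable filename: %s" % n)

    return ("drop" if reasons else "benign", reasons)


def build_samples():
    """Constructed responses standing in for the three posts (not real captures)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("yahoo.html.exe", fake_pe)
    return {
        "php_drop": ("http://example.invalid/load.php?id=3",
                     {"Content-Type": "text/html"}, fake_pe),
        "zip_drop": ("http://example.invalid/yahoo.html.zip",
                     {"Content-Type": "application/zip"}, buf.getvalue()),
        "rar_drop": ("http://example.invalid/game.rar",
                     {"Content-Type": "application/octet-stream",
                      "Content-Disposition": 'attachment; filename="file.exe"'},
                     b"Rar!\x1a\x07\x00" + b"\x00" * 64),
        "plain_page": ("http://example.invalid/index.php",
                       {"Content-Type": "text/html"},
                       b"plain html text with no binary signature"),
    }


if __name__ == "__main__":
    for name, response in build_samples().items():
        print(name, classify(*response))
```

Run stand-alone it prints a verdict and the triggered checks for each constructed sample. The point of check 2 is the one the honeypot post makes: a crawler that only records URLs ending in .exe never sees the drop behind load.php, whereas sniffing the body catches it regardless of what the URL or the Content-Type claims.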
	<item>
		<title>miekiemoes has a secret admirer</title>
		<description>The following Czech site (otylkaaotesanek.cz) contains an exploit:

In Google Chrome you will see a PDF automatically downloaded (thankfully I did not have Adobe Reader installed on this machine).

The malware author took the time to credit this PDF to security researcher miekiemoes. That sounds pretty similar to a Dancho Danchev ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/27/mikieomes/</link>
			</item>
	<item>
		<title>Ambassadors for education&#8217;s site compromised</title>
		<description>globalfundforeducation.org has been compromised.

Obfuscated JavaScript:

A little bit of fiddling around with the JS code allows us to display what it actually does:

An iframe:

Which is also referenced in the main code:

The final payload seemed to come from soft-siski.com in the form of several executables.

Jerome Segura

Warning: all links contained in this post ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/26/ambass/</link>
			</item>
	<item>
		<title>Mac OS X virus free?</title>
		<description>Today I read an article titled "Don't bug me: why Macs are still virus free".

"The real answer is UNIX, the foundation technology Mac OS X is based on" says Neal Costello.

While it is true that Unix systems have been designed with a very different approach, it does not mean ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/10/26/mac-os-x-bot/</link>
			</item>
</channel>
</rss>
