PandaLabs Blog
This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies and new trends.
FirePack for the winter
2008-02-14 16:03:00 Do you remember IcePack? It seems that some kits for installing malware are somehow "seasonal": we found IcePack in summer, and in late 2007 we found yet another one, better suited to winter, called FirePack. Anyway, it is not as advanced as other kits (IcePack, MPack, Traffic Pro, etc.). Furthermore, it is really expensive compared to other kits: $3,000, while the official price for MPack is $1,000, IcePack Platinum Edition $700, Traffic Pro $40 and IcePack Lite just $30. We have found two different versions so far, 0.11 and 0.17. This is what you see when you log in to the control panel; this is the Russian version, and there is also an English version. More About: Winter
Microsoft Updates for February
2008-02-13 09:48:00 This month Microsoft has released 11 security bulletins (from MS08-003 to MS08-013). Six of them are rated as Critical and five as Important. We recommend updating your systems ASAP, as most of the vulnerabilities allow remote code execution. Last Thursday's Security Bulletin Advance Notification included details on twelve issues; however, only eleven have been published. What has happened? These bulletins update the following software: LSASS, DirectShow, Internet Explorer, Macrovision Driver, JScript, VBScript, Office Suite, Media File Formats, Message Queuing Service. More About: Updates, Microsoft Updates, February
Happy Saint Valentine!
2008-02-12 16:39:00 As Saint Valentine's Day approaches, we are starting to see how this special day is used as an effective bait to spread malware. In the last few hours, we have noticed that the malicious files called "withlove.exe", which we saw a month ago in the emails related to the Storm worm, are being adapted to "valentine.exe". These latest files, detected as W32/Nuwar.QI.worm, reach the computer with subjects such as "I Love You," "Me & You," "My Love For You," "Happy Valentine's Day!...", or, as in this case, "Valentine's Day". Not only love fills our inboxes on this special date, but malware too!
Playboy TV Spam
2008-02-08 11:40:00 I suppose we are, in a way, getting accustomed to seeing unwanted messages in our inbox, whether advertising Rolex watches at reasonable prices, Viagra or "miraculous" beauty products, among many others. That's nothing new, and the figures speak for themselves: as we mentioned in the 2007 Annual Report, about 95% of email in circulation globally is spam. In this case, we have detected a spam message that not only uses a TV channel as a social engineering technique, but whose content cannot be read clearly either, since it has been blurred to evade antispam filters. The message, which is in Spanish, starts with the sentence "Mira el video y no te pierdas la sorpresa al final", which translates as "Look at the video and don't miss the surprise at the end". It entices users to view a video by clicking on a link. If any of the three links included in the message is followed, we get a bad surprise and our system is compromised. Once one... More About: Spam
January Adware/Spyware List
2008-02-05 17:29:00 In January, the first position has not changed with regard to the previous month. However, Savenow and Virtumonde swap positions, with Virtumonde taking second place. The 4th and 5th positions remain unchanged, but Adware/ActiveSearch goes up two positions and replaces Adware/cws, which was in 6th position. Adware/BaiduBar, in 7th position, persists in spite of all the changes. Adware/SweetBar enters the top ten in 8th position, going up from 12th. Adware/WUpd and Adware/NaviPromo swap positions, as we saw before with Savenow and Virtumonde. This is the current list: More About: Spyware, List
AntiMalware Testing Standards Organization (AMTSO)
2008-02-04 09:01:00 Two weeks ago we had a really interesting meeting in Bilbao. It was about something that started in Iceland, at the International Antivirus Testing Workshop in May 2007. I had a meeting with some of the AV industry people who were there, talking about testing: what should be tested, how it should be tested... That conversation didn't stop, and we continued talking and having meetings at Virus Bulletin and AVAR. Finally we decided that we should go further and create a group to work on this, and that's how AMTSO was born. Today we have just published our website, with a press release announcing the creation of the group. Many people from the industry have joined the group. This is the charter of AMTSO: Provide a forum for discussions related to the testing of anti-malware and related products; Develop and publicize objective standards and best practices for testing of anti-malware and related products; Promote education and awareness of issues related to the testing of anti-malw... More About: Standards, Organization
Active malware wave
2008-02-01 14:05:00 In the last 3 days, we have seen a lot of activity from this Trojan, detected as Trj/Nabload.CXU, which downloads another 2 Trojans: Trj/Banker.KKQ and Trj/Banker.KKU. At certain hours of the day, it has represented up to 21% of all messages received in PandaLabs. These messages have been sent massively in Portuguese with the subject "A Pessoa com o Maior Rabo do Mundo" and the following text: Here is a graph representing the evolution of this malware over the last few days: In order to go unnoticed, this malware shows a YouTube video related to the subject of the email. However, it transparently connects to various URLs, which contain the information needed to download the 2 Banker Trojans mentioned previously. Be careful these days with the messages received in your Inbox. More About: Malware, Active, Wave
Mortgage spam!
2008-02-01 09:00:00 Are you looking for the ideal mortgage for your home? Which is the best choice? Where can you find it? What a dilemma! It's really easy: you only have to take a look at the Inbox of your email account, specifically the spam folder. There has been an increase in the number of email messages offering mortgages. In the last quarter of 2007, 2% of spam was of this type, but at the beginning of 2008 it has increased to 10%. What are the reasons for this increase? Bad guys are always trying to take advantage of any news to fool people. The current global economic panorama has much to do with this: the crisis in the USA has led to another fall in the interest rate, the continuous increase in the Euribor, the historical falls in the European stock markets... all this makes spammers offer more and more bargain mortgages. The year 2008 has just started, and it seems that this mortgage spam will continue increasing... More About: Mortgage
Annual Report 2007 PandaLabs
2008-01-17 09:59:00 We have just released the PandaLabs Annual Report 2007, which summarizes the most important events of the last year. Inside you will find interesting information regarding malware trends, among other current topics. Additionally, we have also included a complete report on spam. You can download it in English or in Spanish. Enjoy it! BTW, in case you want to give us some feedback about the report, we have created a poll (English / Spanish). Thanks for your help! More About: Report
Stealth techniques in rootkits
2008-01-11 21:21:00 Some days ago MR Team members warned that a new stealth technique was being used by some rootkits. When this type of malware is run on a system, it makes a copy of the original MBR in absolute sector 62 of the hard disk and overwrites the one in sector 0 with malicious instructions. Additionally, it installs itself at the end of the hard disk, its code being approximately 240 KB in size. The next time the computer is started, the first sector of the drive is loaded before the operating system. The first sector of the drive contains the modified MBR, whose code loads the other part of the malware (~240 KB). This part, in turn, sits in the communication path between the operating system and BIOS interrupt 13h, hiding the modified MBR and the malicious code. This technique allows any type of malware to be camouflaged in the system, making its detection more difficult. Thanks to Arrizen Pérez for his explanations. More About: Rootkits, Stealth
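A defender's check for the relocation trick described in this post, as an added example that is not PandaLabs code: it reads a raw disk image, compares sector 0 with absolute sector 62 (where the post says the rootkit parks the original MBR), and flags the case where sector 62 carries a boot signature but differs from sector 0. It assumes 512-byte sectors; the disk images and their contents are constructed here for the demonstration. Because the hook on interrupt 13h hides the modification from the running operating system, the image should be taken after booting from clean media, not from inside the suspect system.

```python
# Added example (not PandaLabs code): heuristic check for an MBR backed up to
# absolute sector 62 while sector 0 holds a different, boot-signed sector.
# Assumes 512-byte sectors. All disk images below are constructed for the demo.
import hashlib

SECTOR = 512
BACKUP_SECTOR = 62  # location reported in the post


def read_sector(image: bytes, n: int) -> bytes:
    start = n * SECTOR
    return image[start:start + SECTOR]


def looks_like_mbr(sector: bytes) -> bool:
    """A boot sector ends with the 0x55AA signature."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"


def check_image(image: bytes) -> dict:
    """Compare sector 0 with sector 62 and report whether the pattern is suspicious."""
    s0 = read_sector(image, 0)
    s62 = read_sector(image, BACKUP_SECTOR)
    result = {
        "sector0_is_mbr": looks_like_mbr(s0),
        "sector62_is_mbr": looks_like_mbr(s62),
        "sector0_sha256": hashlib.sha256(s0).hexdigest(),
        "sector62_sha256": hashlib.sha256(s62).hexdigest(),
    }
    # On a clean disk the gap before the first partition is normally unsigned
    # or zero-filled; a signed sector 62 that is not identical to sector 0 is
    # the pattern this post describes.
    result["suspicious"] = result["sector62_is_mbr"] and s0 != s62
    return result


def make_image(sectors: dict, total_sectors: int = 128) -> bytes:
    """Build a constructed disk image from {sector_index: bytes}."""
    buf = bytearray(total_sectors * SECTOR)
    for idx, data in sectors.items():
        buf[idx * SECTOR: idx * SECTOR + len(data)] = data
    return bytes(buf)


def fake_mbr(tag: bytes) -> bytes:
    """Constructed 512-byte boot-signed sector; the tag tells the two apart."""
    body = tag.ljust(510, b"\x90")
    return body + b"\x55\xaa"


# Constructed images: a clean disk and one showing the relocation pattern.
CLEAN_IMAGE = make_image({0: fake_mbr(b"ORIGINAL MBR")})
INFECTED_IMAGE = make_image({
    0: fake_mbr(b"MALICIOUS MBR"),
    BACKUP_SECTOR: fake_mbr(b"ORIGINAL MBR"),
})

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        r = check_image(img)
        print(name, "suspicious" if r["suspicious"] else "ok", r["sector0_sha256"][:16])
```

The check is deliberately narrow: it only covers the sector-62 placement reported here, so a variant that stores the backup elsewhere would need the scan widened to every signed sector in the pre-partition gap, and the ~240 KB payload at the end of the disk is a second place worth hashing and comparing against a known-good image.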
New Year, new patches
2008-01-09 17:18:00 Microsoft has released its patches for this month. There are two patches: one critical and another rated as important. The critical patch involves Windows TCP/IP, and the important one is for a vulnerability in LSASS. As always, it's important to upgrade your system via Windows Update. More About: New Year, Patches, Year
Proactive Detection Rates
2008-01-08 18:04:00 Today I've seen a post in the Sophos blog about the proactive detection rate. Here you can see the results from the same test, but including the majority of the vendors, so you won't lose any information:

Scanner        TOTAL   July   August   September
================================================
Panda           91%     97%     78%      95%
AntiVir         87%     94%     74%      89%
Ikarus          87%     88%     78%      92%
Sophos          86%     94%     74%      87%
BitDefender     81%     75%     78%      87%
AVG             71%     59%     65%      84%
Kaspersky       69%     59%     61%      82%
Nod32           69%     56%     74%      76%
Trend Micro     68%     56%     57%      84%
F-Secure        67%     53%     61%      82%
Symantec        66%     53%     52%      84%
McAfee          55%     47%     61%      58%
Avast!          53%     31%     65%      63%
eTrust-VET      52%     44%     43%      63%
Dr Web          51%     41%     65%      50%
F-Prot          51%     28%     57%      66%
Microsoft       48%     25%     65%      58%
Norman          46%     44%     61%      39%
ClamAV          42%     28%     39%      55%

Copyright © 2007 AV-Test GmbH

In the Panda Research blog you can find more information. More About: Detection, Proactive, Rates
Automatic classification of malware (II)
2008-01-03 12:05:00 Some months ago we showed you a graph-based tool for classifying malware. Today we'll show you another tool that we are currently using in the lab to determine whether a file is malware or goodware. This tool is called VMatchBinary. Basically, what we do is identify similar byte blocks, obtaining a checksum for each one. This way, we obtain a set of checksums for every file, and we can compare the checksums of one file against the checksums of all the files in our database. Many checksums of small, representative file blocks guarantee good results in identifying similarity at the file level. But the best way to understand how it works is to see it in action, so click on the picture below and enjoy it! More About: Malware, Automatic
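To make the block-checksum idea concrete, here is an added example that is not VMatchBinary or any other PandaLabs code: each file is cut into fixed-size blocks, every block is hashed, and two files are scored by the overlap of their checksum sets, so a variant that shares most of its blocks with a known sample scores high while unrelated goodware scores near zero. The block size, the Jaccard score, the threshold and the sample files are all assumptions constructed for the demonstration.

```python
# Added example (not PandaLabs' VMatchBinary): many small block checksums per
# file, compared as sets, instead of one whole-file hash. Block size, scoring
# rule, threshold and sample data are assumptions constructed for this demo.
import hashlib

BLOCK = 64  # bytes per block; assumption for the example


def block_checksums(data: bytes, block: int = BLOCK) -> set:
    """Set of SHA-256 digests of every aligned block of `data`."""
    return {
        hashlib.sha256(data[i:i + block]).hexdigest()
        for i in range(0, len(data), block)
    }


def similarity(a: set, b: set) -> float:
    """Jaccard similarity of two checksum sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def classify(sample: bytes, database: dict, threshold: float = 0.5) -> tuple:
    """Return (best_match_name, score, verdict) against {name: checksum_set}.

    verdict is "malware" when the best score reaches the threshold, else "unknown".
    """
    sums = block_checksums(sample)
    best_name, best_score = None, 0.0
    for name, known in database.items():
        score = similarity(sums, known)
        if score > best_score:
            best_name, best_score = name, score
    verdict = "malware" if best_score >= threshold else "unknown"
    return best_name, best_score, verdict


# Constructed sample "files": eight distinct 64-byte blocks each.
KNOWN_MALWARE = b"".join(bytes([i]) * BLOCK for i in range(8))
# A variant with one block rewritten: 7 of 8 blocks still match the known file.
VARIANT = KNOWN_MALWARE[:3 * BLOCK] + b"\xff" * BLOCK + KNOWN_MALWARE[4 * BLOCK:]
# Unrelated content sharing no block with the known file.
GOODWARE = b"".join(bytes([0x80 + i]) * BLOCK for i in range(8))

DATABASE = {"Trj/Constructed.A": block_checksums(KNOWN_MALWARE)}

if __name__ == "__main__":
    for label, data in (("variant", VARIANT), ("goodware", GOODWARE)):
        print(label, classify(data, DATABASE))
```

Fixed, aligned blocks are the simplest form of the idea; a single inserted byte shifts every following block boundary and drops the score to zero, which is why production tools pick block boundaries from the content (a rolling hash) rather than from fixed offsets.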
IcePack uncovered
2007-12-18 17:45:00 In summer we had already talked about IcePack, which can be considered the most complete "kit for installing malware through exploits" and one of the most used nowadays. For further details about how it works, you can have a look at the document I have prepared.
Tuesday patch from Microsoft: 7 patches
2007-12-12 10:10:00 Microsoft has released its patches for this month. As we posted on Monday, there are 3 critical patches and 4 rated as important. Some of the software affected: DirectX, Windows Media Format Runtime, Internet Explorer, DirectShow, Microsoft's Message Queuing Service, Vista's Server Message Block version 2, Macrovision SafeDisc (secdrv.sys)... We recommend updating your system ASAP. More About: Microsoft, Patches, Patch, Tuesday
Microsoft Updates (December 2007)
2007-12-10 15:56:00 We're close to the second Tuesday of December, and as always Microsoft releases its vulnerability patches. This month there are 7 patches, and the full version of the Microsoft Security Bulletin Advance Notification for this month can be found here. More About: Updates, Microsoft Updates, December 2007
Greetings from Seoul
2007-11-29 02:59:00 AVAR is taking place this week at the Seoul Plaza Hotel, South Korea. Yesterday we had a WildList reporter meeting as well as an AntiVirus Product Developer (AVPD) meeting, and we are looking forward to the presentations that start today, such as:
- Testing of "Dynamic Detection" (Maik Morgenstern & Andreas Marx - AV-Test.org).
- The Cybercrime: Fact, reasons, trends (Eugene Kaspersky - Kaspersky Lab).
- Design of X86 Emulator for Generic Unpacking (Chandra Prakash - Sunbelt Software).
I will let you know how it is going. BTW, there is no Table Soccer World Championship, so we'll have to wait until 2008 for the revenge!
Off Topic - PandaLabs bloggers
2007-11-23 13:44:00 I am often asked about the people who write the posts in this blog. This is a photo we took today of the top 3 bloggers, so you can know who is who: From left to right: Vicente Martínez, Luis Corrons & Ismael Briones. Another typical question is whether there are girls working in the lab. Of course there are, and they are very professional and skilled people; in fact, they are some of our best malware analysts. These are some of them: From left to right: Lucía, Cristina, Merce, Ane, Almike, Olaiz, Ana & Iratxe. More About: Bloggers, Topic
Fake Microsoft Update
2007-11-14 17:10:00 This morning we have seen an e-mail that was supposed to contain a Windows update for the vulnerability in the Kodak image viewer, which could allow arbitrary code to be executed remotely. The e-mail seems to come from Microsoft Corp, though the domain it was sent from has no relation to this company. The email subject is "Boletín de seguridad de Microsoft MS07-055 – Crítico", though it is possible that there are more e-mails referring to different updates. The message contains real information about the security bulletin MS07-055. However, the links included in the text lead to a different website, which looks almost the same as Microsoft's. This is the website to which we are redirected. If we don't pay much attention to the web address, we end up downloading a backdoor detected as Bck/Bandok.BO. A really curious thing is that this malware does in fact install the real MS update, plus a free backdoor to open your system to the bad ... More About: Update, Fake
Video Spam 2.0
2007-11-13 12:58:00 As far as I can remember, the first time I talked about "Malware 2.0" was at the beginning of this year, talking to Pedro Bustamante about a banking Trojan. He used it in his e-Crime Congress presentation, and since then I have seen it in many places, even when talking about spam. What happened is that it was related to adding spam to blog comments, through YouTube accounts, MySpace, etc., so it was the old spam using new distribution channels. As you already know, spam is a profitable business, and spammers are looking for new ways of increasing their profits. A few weeks ago we saw the new MP3 spam, and I finished that post wondering how long we would have to wait to see MP4 spam... well, that time has come. Today we have received a spam message with a URL to a YouTube video. It is not a fake link: you click on it and you see a video advertising an online casino and showing how to use the Martingale betting system. In the same spam message they give you another link in c... More About: Video
Pandalabs Quarterly Report July-September 2007
2007-11-12 17:22:00 Today we have released our Quarterly Report. Inside you will find interesting information regarding malware trends. This time we include a comparative review of "kits for installing malware", as they have become one of the most used tools for spreading malware. We also review the state of the vulnerabilities landscape, and a list of unpatched vulnerabilities is included. You can download it in English or in Spanish. Enjoy it! More About: July, September, September 2007
Having a bot is not a crime...yet
2007-11-07 18:29:00 Sometimes, after reading the news, you may be really shocked: Techie jailed due to an IP confusion. In this case the information is not very detailed, but we can draw a conclusion: be careful with your IP, you can be arrested (at least in Bangalore). But if we take a look at the latest information provided by PandaLabs, 75% of the new malware samples received were Trojans. It means the main goal for hackers is staying in the computer, waiting for something. And this something may be downloading something to your computer on behalf of the hacker. Or posting something. What happens if this download or upload is illegal content? Will the police arrest you due to the lack of protection on your computer? Having a bot, for example, is not a crime. As of today... Special thanks to Fernando de la Cuadra. More About: Crime
October spyware list
2007-11-05 13:42:00 This month the first two positions have not changed, but Spyware/Virtumonde and Adware/Savenow gain a position each, leaving Adware/Lop in fifth position. Adware/VideoActiveXObject goes up from 7th to 6th position. It is the most active version of the known fake codecs. Adware/NaviPromo goes up from 15th to 14th position. It is an adware that promotes dialers and uses rootkit techniques in order to go unnoticed. It usually comes with other programs such as MailSkinner, WebMediaplayer or InternetGameBox. Application/Bestoffer goes down from 22nd to 33rd position. It is an application that displays advertising, but it will gradually lose positions until it disappears from the list, because "Best Offers" and "Direct Revenue" have given up offering their services. More About: List, October
Mac Trojan: OSX/RxPlug.A
2007-11-02 14:03:00 Today we have found a Mac OS X Trojan. It is usually said that only Windows users should worry about malware. As we show today, this is not true. It all starts with a lot of porn sites:
ispfiltersporn.com
land-porn.com
lineporn.net
look-porn.com
play-porn.com
playhardmovie.com
playxvideo.com
playxxxvideo.net
porn-abc.com
porn-contact.com
porn-global.net
porn-go.net
porn-group.net
porn-party.net
porn-play.net
porn-plus.net
porn-power.net
pornissex.com
pornname.net
pornxxxfilm.com
relatedporn.net
seek-porn.net
stephieporn.com
superadultfriend.com
theadulteye.com
time-porn.net
use-porn.com
withpornstars.com
worldbestadult.com
porn-room.net
pornabout.com
porndrive.net
pornhelp.net
They all host some videos with names like: Download Sample Movie, Free movie clip, Get movie clip. This malware poses as a QuickTime plugin. When you try to download a video file, you are encouraged to download this plugin. It also asks the user for the administrator password in order to get installed. Once installed, it runs a script th... More About: Trojan
It's Halloween time, folks!
2007-10-31 09:10:00 Ah! What a wonderful day. It is time for dwarfs, tombs, ghosts, sweets, pumpkins and, of course, malware. We at Panda Security are getting used to being reminded of these special dates, when malware tries to benefit from a social event like this. In this case, a quite infamous malware already known as "Storm worm" aka "Nuwar" aka "Nurech" aka "Alanchum" wishes a happy Halloween by sending the usual lot of spam. These messages carry different subjects:
If your in your office, keep the speakers low, lol
Happy Halloween Dancing Bones
Halloween Fun
Watch him dance
This will make you laugh
You'll laugh your but off
Man this is funny
I am sending this to everyone
Have a Happy Halloween everyone
Party on this Halloween
Nothing is funnier this Halloween
Make him dance
Dancing skeleton
The most amazing dancing skeleton
For people with a sense of humor only
If your in your office, keep the speakers low, lol
To much fun I played with this for ... More About: Time
Spam & politics
2007-10-29 16:10:00 Spam is really annoying, mainly because you may think spammers have a really bad image of you: lack of hair, lack of sexual abilities, lack of money, lack of university degrees, lack of girl/boyfriends... After all, they just try to cheat you and sell you something in the best of cases... if they are not trying to spread malware. But we now have a new kind of spam message: political spam. We received a message that shows figures from a survey in Argentina. Last weekend they elected a new president, and the message claims "we are bad". Who? Which party? Is the message trying to change some people's vote? Is it trying to increase turnout? The message comes from a "gmail.con" domain, and it claims the survey was done by "McKenzy Associates", whose domain is not valid: "mckenzyassociates.com" is not a valid domain name. Regardless of the intention, we can classify it as a new spam category: vote spam. So, PandaLabs ca... More About: Politics, Spam
A new way of social engineering
2007-10-26 12:18:00 Sometimes, when we speak about social engineering, we think about people at the other end of the phone trying to get our passwords to gain unauthorized access to our accounts. When this data is in their hands, panic spreads: intrusion into companies, espionage, identity theft... all the classic goals of this kind of attack. But let's not forget the underlying reason for social engineering. I particularly like the following definition, which I think captures the essence of these attacks: "the art and science of getting people to comply with your wishes". Under that premise, this week at PandaLabs we have discovered a new way of applying this concept. It is very simple and pleasant. You receive a small application on your desktop that shows a woman offering you a striptease. How can we take off this woman's clothes? Just by typing a few letters displayed next to the girl, as we can see in the following image: Hmmm, can you recognise thi... More About: Social Engineering
Security in VoIP Systems
2007-10-24 12:17:00 One of the tasks of security companies is to "forecast" what will happen in the future based on the data and trends we observe. This is a really important task, as this way we can provide users with guidelines and base our research on the protection mechanisms we may have to develop in the future. Some days ago, a Trojan entered the fray which attempts to deceive users by passing itself off as a security program for Skype. It is called Skype Defender, and its main aim is to steal the user's Skype data. This is when we should look back and recall what we said about VoIP attacks almost 2 years ago. In January 2006, we published a document about security in VoIP systems, written by Fernando de la Cuadra and Enrique González Ochoa. We presented it at the 5th Iberoamerican Conference on Systems, Cybernetics and Computer Science, CISCI 2006, in Orlando, Florida. Here you have an extract of the document: "Identity Theft. A malicious application coul... More About: Security, VoIP
MP3 spam
2007-10-18 09:27:00 Yes. It's true. Believe it or not, this is another step in the malware world. We are seeing spam sent with MP3 attachments; the audio quality is pretty bad, and the file names vary but try to trick users with names such as oursong.mp3, bartsimpson.mp3, ciara.mp3, cassidy.mp3, etc. Actually, it is pump-and-dump spam that talks about a Canadian company that could have incredible results in the USA. It seems that it is being sent out from the Storm Worm network. Be careful and, of course, don't pay attention to this kind of message. How long will we have to wait to see MP4 spam? More About: Spam