Blog Details for "PandaLabs Blog"

PandaLabs Blog

This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies and new trends.

Articles

New Zero day PDF exploit for Adobe Acrobat
2007-10-16 18:55:00
We have received a new 0-day exploit for Adobe Acrobat via the full-disclosure mailing list. This vulnerability was announced on September 20th, 2007 on the site gnucitizen.org. In the advisory, the following can be read: "The issue is quite critical given the fact that PDF documents are in the core of today's modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available." But somebody who had read the original advisory has discovered where the vulnerability is and has developed a working PoC, which has been sent to full-disclosure, a public mailing list. The PoC itself isn't harmful, but when the file is opened with a vulnerable version of Adobe Acrobat, calc.exe is executed. Looking inside the PoC, we can see the string that exploits the vulnerability. TruPreve...
Malware articles in Virus Bulletin
2007-10-09 11:40:00
Taking a look at McAfee's blog, I've seen a post talking about an old "friend" of ours, the virus Virutas, and I have realized that I hadn't linked the latest articles we published in Virus Bulletin magazine. The first one, Beyond Virtu(e) and Evil, written by Mario and Victor, analyses the virus Virutas in depth; it was published in the May edition of Virus Bulletin. The second one, The Life Cycle of Bots, was published in the September 2007 issue. This article, which I wrote, goes through the whole life cycle of bots, where we can see how some bots have almost a life of their own. Enjoy them!
Automatic classification of malware
2007-10-05 13:57:00
Last year we posted an article about graphical representations of malware, in which we commented that it is possible to automatically identify and classify malware into a family based on its graphical structure representation. This representation is based on the relationships between function calls in the executable; these relationships form a graph of the executable's internal structure. Such graphs are very similar among samples of the same family, or among samples that share the same source code. There are several publications about this technique (Ero Carrera & Gergely Erdélyi [VB2004]) and all of us have heard about Sabre Security's VxClass project, a system to automatically unpack and classify a binary into a family. PandaLabs is 'two or three steps ahead' too: we have developed our own system to automatically identify and classify the samples we receive daily. Of course, this system works with unpacked samples, that'...
September spyware list
2007-10-01 13:52:00
This month there have been no changes in the first positions of the ranking, so the list remains the same as last month's:
1.- Application/MyWebSearch
2.- Adware/Gator
3.- Adware/Lop
4.- Spyware/Virtumonde
5.- Adware/Savenow
6.- Adware/ActiveSearch
In 9th position we find Adware/SystemDoctor, which goes up from 13th. It is an adware that promotes the fake error-repairing program Application/SystemDoctor2006. Adware/NaviPromo goes up from 19th to 15th position. It is an adware that promotes dialers and uses rootkit techniques in order to go unnoticed; it usually comes with other programs such as MailSkinner, WebMediaplayer or InternetGameBox. Finally, we highlight Adware/WinAntivirus2007, which goes up from 58th to 25th position. It is an adware that promotes the rogue antispyware program Application/WinAntivirus2007.
Let’s go fishing Barracudas
2007-09-28 13:58:00
Several months ago we mentioned Barracuda, a bot that can be updated with whatever files its controller indicates, launch DDoS attacks and turn infected computers into proxies. Today, while analysing several malicious sites, I came across a server that controlled 84,631 bots, of which 2,072 were connected, and 20,448 proxies, of which 532 were connected.
Kits for installing malware --> Traffic Pro
2007-09-27 14:10:00
We have talked quite a few times about kits for installing malware, such as MPack and IcePack. Vicente has been studying another kit called Traffic Pro for a while. Although it is older than MPack and IcePack, it is cheaper (about $20 - $40), which is why it has become so popular. To access the control panel there is the typical login page, and of course you can check all the infections in detail. For a detailed explanation of how it works, take a look at the report written by Vicente.
Do AV companies create viruses?
2007-09-25 16:48:00
As someone working in the lab of an antivirus company, I've often been asked whether we are the ones who create viruses. Not only journalists, but even my friends and family have been asking me about this for a while. I'm bringing this issue up because several months ago I received a call from a journalist who asked me whether we were somehow involved in the creation and/or distribution of a virus that was spreading in Asia, specifically in China. It was designed to steal users' information belonging to online games, but it had a curious payload: it changed the icons of certain files to the image of a panda. Obviously, it wasn't us who created this virus, and to certify it (and to avoid more calls about this issue ;-) today the virus creator and his henchmen have been sentenced to several years in jail.
Virus Bulletin 2007
2007-09-24 17:15:00
To avoid publishing two similar posts, here is a link to the Panda Research blog post about the last Virus Bulletin conference, where I gave one of the presentations and Panda finished second in the IT-Security Table Soccer World Championship:
Greetings from Vienna
2007-09-19 14:18:00
Virus Bulletin 2007 is taking place this week at the Hilton Vienna Hotel. The event, which starts today and ends on Friday, offers a wide range of interesting talks about typical issues in the security area, such as crimeware, spam, phishing and all kinds of malware and antimalware techniques. The program can be viewed here.
August spyware list
2007-09-04 13:23:00
This month there have been some changes in the first positions with regard to the previous one: Adware/Gator goes up from third to second position and, therefore, Adware/Lop loses one position.
1.- Application/MyWebSearch
2.- Adware/Gator
3.- Adware/Lop
4.- Spyware/Virtumonde
5.- Adware/Savenow
6.- Adware/ActiveSearch
Application/RealSpy, as in the previous month, continues gaining ground and goes up from 13th to 11th position. It is a commercial keylogger that logs the keystrokes typed by the user, monitors the websites visited, captures screenshots and records conversations of instant messaging programs such as MSN, ICQ, AOL and Yahoo. Adware/SystemDoctor goes up from 23rd to 13th position. It is an adware that promotes the fake error-repairing program Application/SystemDoctor2006. Trj/Lineage.BZE continues gaining ground and goes up from 24th to 18th position. It is a Trojan that steals passwords from the MORPG Lineage.
PandaLabs Quarterly Report
2007-08-31 11:45:00
Today we have published our Quarterly Report. The new Panda required a new look, so we have done our best to improve these reports. The whole team hopes that you like them; your comments are welcome. Inside the report you can find plenty of information about what has happened in the last 3 months: relevant issues, trends and very interesting articles. Have you ever wondered how much it costs to hire a denial of service attack? Find out inside. Here you can find a link to the complete report. Enjoy it! (English / Spanish)
Easy money: affiliate programs
2007-08-23 13:56:00
Today we're going to describe one of the ways cybercriminals earn some easy money. There are many marketing companies that promote web traffic to different web pages, software installations, etc. They use what they call 'affiliate programs', paying money for every piece of software installed or for traffic generated. This web traffic is very varied: ActiveX, rogue antispyware, bundles, banners, fake codecs, iframes, etc. They usually pay depending on the country the download comes from. Normally the USA and Europe are the best-paid countries, and other countries such as China or Russia are the worst paid. Here we can see some examples obtained from these pages:
"We will pay you for installs coming from 16 countries as exposed here:
$0.40 for USA, Canada
$0.20 for United Kingdom, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaco
$0.05 for Austria, Denmark, Finland, Sweden, Norway, The Netherlands
$0.01 for China, Korea, Japan"
Although some of these marketing enterpr...
Has your credit card been stolen?
2007-08-23 04:58:00
In the last three months we have seen some activity regarding a bot C&C server named Apophis. Here you can see a few screenshots of its panel (login, statistics, configuration and settings pages; images not reproduced here)...
JavaScript de-obfuscation with Rhino
2007-08-06 09:00:00
Last Friday I received a URL which used several exploits to spread malware. As always, I started to investigate it. As you may know, these sites use JavaScript to exploit web browser, ActiveX or third-party vulnerabilities, and of course JS obfuscation is used most of the time. I don't like using web browsers to de-obfuscate this code, basically because these scripts are dangerous and I want to avoid an infection. I know that some researchers use debugging techniques to de-obfuscate these scripts, but I really think there are safer, faster and more automated methods to do the same job. I prefer to use Rhino to accomplish these tasks. Rhino is "an open-source implementation of JavaScript written entirely in Java". With this JS engine and a Linux system I'm able to de-obfuscate these scripts without using any web browser. I recommend the CanSecWest presentation Reverse Engineering Malicious Javascript (Jose Nazario, Ph.D., Arbor). I'm going to show...
July spyware list
2007-08-01 13:50:00
This month, the first positions of the list are very similar to last month's.
1.- Application/MyWebSearch
2.- Adware/Lop
3.- Adware/Gator
4.- Adware/ActiveSearch
5.- Spyware/Virtumonde
6.- Adware/Savenow
Adware/VideoActiveXObject goes up from 10th to 7th position. It is the most active version of the known fake codecs. Application/RealSpy goes up from 17th to 13th position. It is a commercial keylogger that logs the keystrokes typed by the user, monitors the websites visited, captures screenshots and records conversations of instant messaging programs such as MSN, ICQ, AOL and Yahoo. Trj/Lineage.BZE goes up from 34th to 24th position. It is a Trojan that steals passwords from the MORPG Lineage.
Ice(Pack) for the summer
2007-07-26 14:01:00
It's summer, about 29ºC - 84ºF in Bilbao, a sunny and beautiful day. Good time for an ice cream. But today we'll change the menu and have an IcePack instead. IcePack Platinum is the name of a new "kit for installing malware through exploits". Regarding the exploits it uses, nothing new can be added: it is very similar to MPack, which takes advantage of the latest exploits that have appeared. This way, they have more chances of infecting users who are not patched with the latest updates:
- MS06-014 Internet Explorer 6
- MS06-006 Firefox 1.5
- MS06-006 Opera 7
- WVF Overflow (it seems that this is a typo and it really refers to the old exploit that affects .WMF files)
- QuickTime Overflow
- WinZip Overflow
- VML Overflow
Here you have an image of the FTP checker (not reproduced here). IcePack is programmed by a different group (IDT Group) from the MPack creators (Dream Coders Team). The price of this tool is also lower than MPack's: it can be purchased for $400.
XRumer
2007-07-24 08:26:00
As we commented in Spam in PHP forums and Spam in PHP forums (II), it has become more and more usual to see websites (forums, blogs, wikis, guestbooks, etc.) that contain advertising comments or links leading to sites that infect with malware. We are going to talk about a program that allows this type of comment to be created: XRumer. It is sold for $450, and for $50 more you can have Hrefer, which includes more functions. With regard to the web section, this application is more powerful than Zunker, which is only able to post in phpBB and vBulletin. XRumer can post in phpBB and PHP-Nuke (with any modification), YaBB, vBulletin, Invision Power Board, IconBoard, UltimateBB, exBB, and phorum.org. Basically, it follows the process below:
- It looks for websites where comments can be inserted.
- It regis...
© Blog Toplist 2008 - Supported by Web Catalog - SEO by FeWorks