PandaLabs Blog

This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies, new trends.

Articles
XRumer
2007-07-24 08:26:00 As we commented in Spam in PHP forums and in Spam in PHP forums (II), it has become more and more usual to see websites (forums, blogs, wikis, guestbooks, etc.) that contain advertising comments or links leading to sites that infect visitors with malware. We are going to talk about a program that allows this type of comment to be created: XRumer. It is sold for $450, and for $50 more you can have Hrefer, which includes more functions. With regard to the web section, this application is more powerful than Zunker, as the latter is only able to post in phpBB and vBulletin. XRumer allows posting in phpBB and PHP-Nuke (with any modification), yaBB, vBulletin, Invision Power Board, IconBoard, UltimateBB, exBB, and phorum.org. Basically, it follows the process below:
- It looks for websites where comments can be inserted.
- It regis...
More about Mpack (II)
2007-07-20 08:35:00 Today I have come across a server hosting an Mpack that has 292 different websites with iframes that reference it. Most of the infected users are Italian, as in the case we explained a month ago. You can check the information by following this link: http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/06/19/More-about-Mpack.aspx But the most curious thing is that, after analyzing the range of the IP addresses, we have seen that the websites are hosted at the same Italian provider as in the other case. The version of this Mpack is 0.91. However, the latest version we have found is 0.94.
PINCH, THE TROJAN CREATOR
2007-07-18 10:41:00 Some time ago, we talked to you about malware prices, HTTP botnets, etc. Today I will show you the level Trojan creators have reached and the way in which some of them launch their creations, the ‘builders’: authentic centers for designing and creating totally customizable Trojans. And this is where Pinch comes in. It is a tool for creating Trojans which allows: defining the actions for the Trojan to take, packing the executable file to make its detection more difficult, disabling specific ‘annoying’ services such as those of antiviruses… Among the tools for creating viruses, Trojans, etc., this might be the most commonly used, distributed and sold, given its ease of use due to a very intuitive interface. This allows malicious attackers to have an executable ready to infect, steal, spread, etc. in a few minutes. Consequently, it causes victims serious problems without them even realizing, until it is too late and they have to face the financial consequences. First, attackers must choose th...
A new case of RansomWare!!!
2007-07-17 08:45:00 We have detected a new case of ransomware. Once the malware infects users and encrypts their files, several ‘read_me.txt’ files are created in the infected system, which warn users that their data files have been encrypted and that they won’t be able to access them unless they pay a ransom of $300. The email addresses indicated in the message may vary: kiloglamour@gmail.com tristanniglam@gmail.com oxyglamour@gmail.com glamourepalace@gmail.com The ‘personal code’ may also vary depending on the random value that is used to encrypt the data. The encrypted files usually begin with the text ‘GLAMOUR’: We have managed to access the data of the infected systems and there are 1,108 infected computers. Besides, in 111 of those machines port 6838 is open so that the machines act as socket servers. The ‘construction kit’ of Trj/Sinowal has been used to create this Trojan. We have already mentioned this malware family in the eCrime 2007 http://research.pandasoftware.com/blogs/rese...
Spammers: PDF rules!
2007-07-11 14:18:00 A few weeks ago a spam attack was launched, as happens every day. But that time there was something new. It was a pump and dump stock scam, using a PDF attachment. And what’s more, the PDF looked very professional, so many people could be fooled. You can download the PDF by clicking on the image below: It must have been successful somehow, as the number of these PDF scams is increasing a lot. We must say that most of them are made in a really poor way, just take a look at the following screenshots: But you can find some which look better: As you can see, most of the time they are just copy-pasting the body of the "old" spam messages into the PDF file. But today I have found one that has caught my eye. The first thing is the Subject (Off the record), which, on its own, arouses anyone’s curiosity. If the message is opened, there is a PDF attached, whose name is...
Guided shopping
2007-07-10 09:58:00 Last week we heard about an online shop that sells iPhones. This matter wouldn’t be unusual except for the fact that it is a classic case of phishing. Basically, you access the web thinking you are buying in Apple’s official shop but, in fact, you are not. No matter how many iPhones you purchase and pay for, you won’t receive any. I’ve gone a little bit further in order to see how the swindle has been carried out and I’ve been really surprised by the discovery. They have plenty of resources in order to make you visit their website instead of the official one. We have never before seen a deployment of resources and organization like this. We already knew about the existence of banker Trojans that send all the information they obtain to a server. But in addition, they turn your computer into a bot that is completely controlled by a central server, from which each bot and the stolen information can be managed… Well, I have come across a variation of thi...
June spyware list
2007-07-04 14:06:00 This month, Application/MyWebSearch joins the list in the first position, with only 36 detections fewer than Adware/Lop, which goes down to the second position.
1.- Application/MyWebSearch
2.- Adware/Lop
3.- Adware/Gator
4.- Dialer.XD
5.- Spyware/Virtumonde
6.- Application/SystemDoctor2006
Application/SystemDoctor2006 goes up from the 11th to the 6th position. It is a fake error-repairing program that is usually installed by Adware/SystemDoctor. There are also many websites or advertisements that simulate an analysis of the machine so that users install the program. Then, they are requested to purchase, for a modest price, a program to remove them. Adware/Navipromo goes up from the 21st to the 19th position. It is an adware that promotes dialers and uses rootkit techniques in order to go unnoticed. It usually comes with other programs such as MailSkinner, WebMediaplayer or InternetGameBox. Trj/Torpig, which is a banker Trojan, keeps the 37th position as...
A profitable use for stolen credit cards
2007-06-27 13:11:00 We have often talked about the freedom with which certain cyber-crooks circulate around the Internet, but I must admit that even I am surprised sometimes… The theft of credit card details and trading of this information is the order of the day. How is this information being used? We could make assumptions, carry out research or try to infiltrate some of these groups, but… why bother if they talk about it all so openly on their websites? This is what appears on one of these websites: As usual, everything is in perfect Russian. Basically, they are selling laptops, PDAs, cell phones, etc. for 20% of their real value. How is this possible? Well, if you visit their section "Answers to frequently asked questions-F.A.Q.", the first question is: How can you offer such good prices? Pay attention to the answer: "It’s very simple. We buy these products in Western countries with stolen credit cards. You don’t run any risk when purchasing these products." It couldn’t be any clearer. They even h...
Dream System
2007-06-20 17:04:00 ‘Dream System’ is a bot that allows hackers to use infected machines as socket servers and to run any type of file on them. It launches two types of DDoS attacks:
- HTTP.
- UDP flood.
The bot consists of:
- A server component, called ‘Dream Bot builder’, which contains the configuration interface and allows servers to be generated.
- And a client component, which allows the bot to be managed from a web interface.
The bot version 1.3 is sold for $750, including free updates for new versions. This bot is known as ‘Dream System’ or ‘Dream soc...
MPack: how to infect thousands of websites
2007-06-20 14:04:00 We've been wondering for a few months now how malware mafias can hack so many web sites automatically to be exploited by MPack. Yesterday a few theories came to light, such as hinting that all the hacked servers belong to the same virtual hosting server, or the use of an ‘IFRAME Manager tool’. We have been familiar with this tool for about 4 months. Its real name is ‘FTP-Toolz pack’ and it is being sold for $25. Here you can see a capture from a Russian forum where it was advertised for sale: And the tool itself: When we found MPack at the end of last year we also found a similar tool named ‘RooT [iFrame]’ in one of the hacked servers. There is a funny thing about this one: if you buy it through the Russian version of the hacker’s website, it is just $25. In case you go to the English version of this hacker’s site, the price doubles, it’s $50. Finally we found yet another one named FTPCheckIframe, this time only in Russian and for $25.
More about Mpack
2007-06-19 16:16:00 In the last hours, many things have been said about the MPack massive infection with more than 10.000 affected websites. For more information, visit the Websense site http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782 . Although the data is astonishing, we are not very surprised, as we carried out a small study about MPack, and in 2 months (April & May 2007) we discovered 41 different servers, and the statistics were frightening: more than 1 million users infected (1217741), and the iframe code was present in 366717 web pages. We don’t think that those 366717 websites had been hacked and infected manually one by one. Although we haven’t found it yet, it seems that they are provided with a program that looks for vulnerable web servers, where it accesses the main file that loads the web page and adds an iframe reference to Mpack, so that the users who visit these websites are infected too. Version 0.90 of Mpack has recently come out. Among the last...
Botnet controller via web
2007-06-13 11:00:00 Today, when I was tracking the server to which a variant of Trj/LdPinch sends information, I came across, among the files in the server, some .php files that are used to control a botnet via web. The image below would be the initial screen, from which the infected systems can be viewed by geographical area: And the option ‘Botnet controller’ allows different actions to be carried out in the affected systems:
Critical Bugs Discovered In Yahoo Messenger and Microsoft GDI+
2007-06-08 10:05:00 Three new vulnerabilities have been made public this week. Two for Yahoo Messenger Webcam ActiveX and one for Microsoft GDI+.
Yahoo! Messenger Webcam Upload ActiveX Control Buffer Overflow
Security company eEye Digital Security has discovered two vulnerabilities in Yahoo's instant messenger client software that were reported to Yahoo. The bugs are critical because they allow remote code execution. Yahoo gave them its highest security threat rating. The vulnerable control is part of the code for Webcam image upload and viewing (ywcupl.dll). Yahoo is working on a patch; nevertheless, two publicly available exploits have been submitted to the Bugtraq and Full-Disclosure mailing lists. We think it will be actively exploited by malware in a few days. The PoCs are inoffensive (execution of calc.exe) but it would be very easy to add more dangerous shellcode. Yahoo! Messenger version 8.1.0.249, incorporating ywcupl.dll version 2.0.1.4, is vulnerable. This vulnerability is currently unp...
May spyware list
2007-06-01 13:38:00 This month there have been changes in the first two positions. Adware/Lop occupies the first position and, 47 detections behind, the second position is occupied by Application/MyWebSearch. Meanwhile, Adware/Gator goes down to the third position of the ranking.
1: Adware/Lop
2: Application/MyWebSearch
3: Adware/Gator
4: Application/Winantivirus2006
5: Spyware/Virtumonde
6: Adware/SaveNow
Adware/SpyLocked goes up from the 23rd to the 17th position. This adware promotes the rogue antispyware called SpyLocked and is mainly distributed by fake codecs. Trj/Abwiz.A is in the 34th position; it is a Trojan that registers itself as a BHO and steals passwords from the computer. Exploit/LoadImage joins the ranking in the 44th position. It is a generic detection of an exploit we had already mentioned that affects ANI files. Moreover, this exploit is one of the most used by kits for installing malware using exploits, such as Mpack.
The Cimuz uninstaller
2007-05-30 15:50:00 Checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to a remover.exe file: After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had been previously installed from that very same server. I suppose this is the way the author tests whether the Trojan works properly and then gets easily disinfected using the uninstaller.
Pirates of the Caribbean: At World's End
2007-05-25 11:00:00 No, it's not about the Disney movie that you can see today at cinemas. There has been a massive sending of a message with a file attached that is supposed to be the movie trailer; the name of the file is: Official_Trailer_Pirates_of_the_Caribbean_At_World's_End.exe We have received some hundreds of samples proactively blocked by TruPrevent, most of them coming from Italy. Once you run the file (detected as Trj/Pirabbean.A), it shows you the following message: At the same time, it downloads & installs a dialer, and also creates two shortcuts on the desktop: It also changes some settings of Internet Explorer (adding 2 URLs to the Trusted Sites). In case you visit those URLs, it will install some more dialers.
A new server hosting a Briz
2007-05-22 15:41:00 VisualBreeze or VisualBriz is another malware that is usually sold in forums of malware developers, similar to the ones we mentioned in ‘Cybercrime for sale’. I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, which take up 2.61 Gigabytes. After checking the server where it was installed, I noticed that, unlike other variants of Briz, this one was provided with a Parser module that sends the information of the files to a MySQL database managed by phpMyAdmin. This way, it is easier and faster to make searches in the information obtained from the infected users. This module has several options: The option ‘View’ shows the logs and allows searches by domain or by text to be made: The option ‘Templates’ allows patterns to be made in order to filter the information: The server was provided with these ‘Templates’, which we...
W32/MsnPhoto.A.worm
2007-05-21 13:29:00 We have found a new malware that uses instant messaging to deceive users. It arrives as an .exe file disguised as a .jpg. If you open it, you will get infected, and your MSN contacts will receive some messages and a file called "fotos_posse.zip". Here is a picture of how the messages look. For those of you who don't know Spanish, here is the translation: "Hello", "I hope you like the photographs" and the attachment. It has been quite active, as you can see in the following evolution graphic of the messages received in the lab in the last 72 hours.
Zunker that installs another Bot
2007-05-17 12:23:00 One of the active servers of the Zunker we mentioned yesterday installs another bot. Although the first Zunker we talked about was configured to only affect computers with German IPs, this one only affects computers with Russian IPs: This Zunker installs another bot, which we detect as Bck/Barracuda.A. This bot allows DDoS attacks to be launched and turns affected computers into proxies. The following image is displayed when we log in through the control panel: In this screenshot, we can see that there are 14,788 bots, 647 of which were connected at that moment. There are also 3866 proxies, 171 of which were connected at that moment. For example, 12133 bots have been assigned to the attack with ID 661700916; this attack started on the 14th May and would end in three days’ time, on the 17th May. In the screenshot below, we can see how the data to launch DDoS attacks is entered: Selecting this option, we can see the pro...
More Zunkers!!!
2007-05-16 18:03:00 Analyzing the pattern of the binary file installed by Zunker and comparing it with our samples, we have come across 32 similar files. On the left, the graphical representation of the binary file belonging to the first Zunker we came across and, on the right, the graphical representation of the new similar files we have found. As you can notice, they are alike. If we compare these graphs with the ones belonging to other malware, such as Gaobot.AAF, we will see that they are very different. Analyzing the similar files, we have come across 18 different servers where they were installed:
- 6 of them are active at the present moment.
- 4 of them contain files belonging to Zunker but they don’t seem to be working.
- 8 of them are inact...
MPack uncovered!
2007-05-11 12:09:00 In "Cybercrime... for sale" we promised to talk about MPack. The latest version (MPack v0.851) we have just discovered is pretty active right now, as you can see in the stats: Where is this tool infecting? Well, it is a very easy question to answer: It also has a list of the latest sites prepared to infect using MPack: Vicente has been studying it for some time and has developed a fantastic report for us.
Quarterly Report January-March 2007
2007-05-07 13:12:00 We have just published the latest PandaLabs Quarterly Report. We have introduced several improvements in the presentation of the statistics. Our goal has been to expand the information and facilitate interpretation so readers will have a more precise vision of the dimension and complexity of the current malware situation. Enjoy it!
Fake Internet Explorer 7.0 Beta
2007-05-07 09:20:00 This weekend we have seen several spam messages sent in order to infect users with a new Trojan. It is being distributed as if it were an Internet Explorer 7.0 Beta update. This message is sent from a faked address, admin@microsoft.com, and the subject is "Internet Explorer 7.0 Beta". Once you open the message, you see the following picture: If you click on the image, a file named update.exe will be downloaded, which is the Trojan itself (detected as Trj/Spammer.AAO).