
PandaLabs Blog

This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies and new trends.

Articles

Be careful with Tixcet.A
2008-06-02 10:45:00
PandaLabs has recently discovered the worm Tixcet.A. It is a very destructive worm, as it deletes files with several extensions and replaces them with a copy of itself, keeping the same name as the original files. Among the affected extensions are the following: .DOC, .PPT, .MP3, .MOV, .ZIP and .JPG. This means that we can lose our photos, songs, Word documents and other files that are important to us. Additionally, it does not allow files to be copied, as it disables the Paste option, nor contents to be copied, as the text that is copied is not the one selected by the user but one selected by the worm. It reaches the computer passing itself off as a Word document in order to deceive users. It also creates several files that contain a signature of the author, like the following: PandaLabs has analysed this worm in depth and has prepared an interesting video where we can see some of the actions it carries out on the affected computers.
More About: Careful
Lost in Translation (II)
2008-05-27 12:25:00
As promised, here you can see some pictures. This is the Grand Prince Hotel Akasaka, where the meeting is taking place: This is me inside the hotel: This is the Tokyo Tower, a 250-meter-high tower from which you can see the whole city: Finally, I recommend you visit Japan, it’s an unforgettable experience: Well, this is all for the moment, you’ll hear from me soon. Signing off, Luis
More About: Lost , Translation
Lost In Translation
2008-05-26 09:56:00
Today the 2nd Counter eCrime Operations Summit (CeCOS II) has just begun, taking place in Tokyo. It is really exciting to meet so many people who are working to fight against eCrime, sharing information and trying to build a safer "eWorld". The meeting is organized by the Anti-Phishing Working Group. Even though all the Japanese speakers are presenting in Japanese, thankfully the simultaneous interpretation is really good, as the slides are also in Japanese! It is very interesting to see how some attacks are really targeting specific countries. Geok Meng Ong and Shinsuke Honjo, from McAfee, have explained some local attacks that happened in South Korea and Japan. Tomorrow I'll upload some pictures from the event and this awesome city.
More About: Lost , Translation
Fake Security Center
2008-05-22 11:58:00
PandaLabs has detected Adware/XP-Shield, which passes itself off as the Windows Security Center. This malware, which is installed after running the XPShieldSetup.exe file, creates a shortcut on the Desktop and in the Start menu. This fake security center simulates an analysis of the computer which warns us that our system is infected. In order to eliminate the malware, we are requested to purchase a certain program. Periodically, it displays popups on the screen reminding us again that the system is infected: In spite of closing the program, it remains resident in the system: It is possible that while we are visiting different websites, several popups are displayed informing us that our system is infected or that our computer is not working properly, and in order to solve these problems they recommend us to purchase a certain program. Be careful with this type of software, which will not really solve the problem and will make you lose money. Anyway, it is always advisabl...
More About: Fake
Microsoft Updates for May
2008-05-14 16:52:00
Four new security bulletins have been published (from MS08-026 to MS08-029) as part of the usual release of Microsoft updates. We recommend you update your systems as soon as possible, as according to Microsoft’s classification three of the bulletins are rated as “critical”, while the last one is rated as “moderate”. You can find more information about the security bulletins by clicking the following links: MS08-026: An update for Microsoft Word which solves two vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file. MS08-027: An update for Microsoft Publisher which solves a vulnerability that could be exploited in order to execute arbitrary code if a user opens a malicious Publisher file. MS08-028: An update to solve a remote code execution vulnerability in the Microsoft Jet Database Engine. MS08-029: A security update in order to patch two vulnerabilities in the Microsoft Malware Engine, which could allow a...
More About: Updates , Microsoft Updates
Firefox Vietnamese Language Pack Infected
2008-05-08 18:54:00
Mozilla has published in its blog some news regarding the incident with the Vietnamese language pack for Firefox 2. In February, a Vietnamese language pack for Firefox was published. The problem was that before being uploaded to the corresponding server, it had already been infected, as the internal code of the *.xhtml files had been modified and included the following instruction: The files which contain that malicious code are detected as W32/Xorer.T. This instruction resolves to http://js.k0102.com/01.asp; don’t worry, because this URL is currently offline. The question is: how can anybody be sure that their computer is malware free? You can check it at http://www.infectedornot.com, and scan your computer with the ActiveScan 2.0 online scanner, a security solution that operates on the basis of 'collective intelligence', which allows many more threats to be detected.
More About: Language , Pack , Infected
Phishing & ScamPages Kits
2008-05-07 17:26:00
Nowadays launching a phishing attack or creating a fake website of an online service is quite an easy task for anybody. There is no need for advanced technical knowledge or significant financial resources. Generally we tend to relate phishing only to fake websites of banking entities. However, there are also kits related to other online services such as Gmail, Yahoo, Youtube, Fotolog, Hi5, etc., as we have commented in a previous post. It is possible to find information or even instructions on how to use these kits and how to carry out the attacks in forums, blogs, online videos, etc. Additionally, sometimes not only can you find the instructions but the tools themselves, for free. Below you can see some examples of the availability of these kits: The way these kits work is similar whether the attack is launched against a banking entity or any other service. Using a mass mailing tool, a fake message -which passes itself off as the real entity or service- is sent to a wide ...
More About: Phishing , Kits
2nd CARO Workshop
2008-05-02 11:37:00
The 2nd CARO meeting is currently taking place at the Crowne Plaza Hoofddorp in The Netherlands. This year's topic is Packers, Decryptors and Obfuscators, and indeed some of the presentations are superb. The program is published here. While I'm writing this post, Mike Morgenstern & Andreas Marx, from AV-Test.org, are giving a speech about their Runtime Packer Testing Experiences. In a few minutes we'll have 3 different talks about detection and blacklisting of packers, which is both interesting and controversial.
More About: Workshop
Looks can be deceiving
2008-04-30 18:00:00
We have recently detected another spam message that contains a malicious URL. This is nothing new, but what if you receive an email message coming from a reliable source, such as a security company? This is what has happened with a spam message that uses our free online analysis tool ActiveScan as bait to deceive users. The following image is the fake message that the user would receive. Note that it contains the logo of our company, but as we can see the analysis tool points to a malicious URL and not Panda’s. If the link is followed, a file called ScanActive.zip will be downloaded, as can be seen in the image below: This file is not really our online analysis tool but a Banker Trojan belonging to the Banbra family, specifically Banbra.FRJ, which is designed to steal confidential information related to certain Brazilian banking entities.
IFRAMES Attack !!! (Update II)
2008-04-28 11:58:00
The first thing we observed when we analysed the attack which included an iframe pointing to a malicious website in hundreds of thousands of web pages was that all the compromised websites were on servers with IIS and MSSQL. Initially, the most likely hypothesis was that some known exploit was being used to attack some of these platforms. However, after a deeper analysis, we observed that it was not a vulnerability in IIS or MSSQL Server, but some badly programmed ASP code, which compromised the websites hosted on these IIS servers with MSSQL. The ASP code we show below (“orderitem.asp”) interacts with an MSSQL database in a way that allows the use of SQL injection techniques in order to insert data into the database, such that it was possible to include the iframe in the hosted websites. For security reasons, the whole ASP code has not been included.
More About: Update , Attack
IFRAMES Attack !!! (Update)
2008-04-25 14:19:00
This graph is an example of the infection process that takes place from the moment when a user accesses a legitimate website that has been modified until the possible infection takes effect. Thanks to Oscar and Olaiz for their collaboration.
More About: Update , Attack
IFRAMES Attack !!!
2008-04-24 19:27:00
Nowadays it is usually taken for granted that we can only get infected if we visit malicious websites or run files coming from untrustworthy sources. However, lately we have detected several cases in which, by exploiting vulnerabilities in web servers, malicious code can be introduced into the websites hosted on them. Therefore, we might come across trustworthy websites which contain malicious code introduced by a cyber-crook. The following is one piece of code we found introduced in certain websites: It must be noted that up to now the number of websites that contain this piece of code is approximately 282.000. This malicious web script, known as an iframe, contains instructions that will be interpreted by the browser, redirecting it to a web page or to the download of a malicious file. The instructions it contains are the following: In this particular case, the user will be redirected transparently to a URL which will check if our system is protected against...
More About: Attack
Kiss me!!!
2008-04-16 13:06:00
Several years ago, the main aim of cyber-crooks was to achieve notoriety with their creations, that is, to be famous. In order to do so, they wanted to attract as much attention as possible, and causing massive epidemics was their springboard to fame. Their motivation has changed and is now purely economic. The best way to obtain money is to carry out malicious actions as stealthily as possible. It has become a usual technique to hide malware creations using rootkits, such as the famous Storm Worm family. This trend has made malware creation become a very lucrative business. However, we still come across samples as eye-catching as W32/MSNworm.EI.worm, which spreads via MSN Messenger and displays a funny picture of a little pig sending us a kiss while it is infecting our computer:
More About: Kiss
Microsoft Updates for April
2008-04-09 12:34:00
Five critical and three important updates have been released (from MS08-018 to MS08-025). It's time to start updating your system if you haven't done it yet. Critical updates affect these components: Microsoft Project, GDI, VBScript and JScript scripting engines, updated ActiveX Kill Bits and Internet Explorer. On the other hand, DNS Client, Windows Kernel and Microsoft Visio are patched with important updates. Most of them allow remote code execution, so don't forget to update your system asap. You can find more information about the security bulletins by clicking the following link: MS08-April
More About: Updates , Microsoft Updates
You are nominated... to distribute malware!!! (II)
2008-04-04 14:11:00
Big Brother Brasil again. I am not very fond of this type of program, but spammers have made me pay attention to them. Then, we wondered who would be the next participant selected to distribute malware. We thought they would make the selection among the finalists. However, this time the candidate has been a female participant called “Juliana”, who had already been evicted from the house. These spam messages, which contain malicious websites, have subjects such as “Juliana do BBB do modo como você queria ver.” or “Chegou um Vivo FotoTorpedo para voce !!!”, and will invite us to view a video or photos of this participant. However, when the link in the message is followed (http://www.gallimard-jeunesse.fr/[Removed]/visualizer/Visualizar.php), we will be redirected to a web page from which the malware detected as Trj/Banbra.FPJ will be downloaded: This Trojan is designed to obtain the affected users’ access keys to several banking e...
More About: Malware , Nominated
April Fools' Day malware
2008-04-01 14:10:00
Social engineering never ends. Today is April Fools' Day, and we have received a spam message with a link, similar to the ones we could see on Saint Valentine's Day. Some of the subjects we have seen so far:
- Today's Joke!
- Happy All Fools!
- Gotcha! April Fool!
- Happy April Fool's Day.
- All Fools' Day
- Surprise! The joke's on you.
This is what you see when you go to the site: We have seen different file names being downloaded, such as kickme.exe, foolsday.exe or funny.exe, but it is the same file; the name is the only thing that changes. We are detecting this malware as W32/Nuwar.SK.worm. Be careful, and as always, never trust these kinds of messages.
More About: Malware
Quarterly Report January-March 2008
2008-04-01 12:42:00
We have just published the latest PandaLabs Quarterly Report. There, you can find statistics and information about the current situation of malware as well as different sections analyzing the most interesting events of the first quarter. Regarding malware, Trojans continue to be the most relevant category of malware, at 62.16%. The well-known Storm Worm attack, which infected thousands of computers worldwide, is still active. That’s why it is worth mentioning, and we have prepared a section in which we recall the most significant dates of its infection and the social engineering techniques it used to spread. We also tell you about some of the tools used by malware creators in order to check their creations’ undetectability. Nowadays, the use of Web 2.0 services is very widespread, with social networks being one of the most extended services. The wider and more active a social network is, the higher the possibilities are of malware spreading on the network and reach...
More About: January , March , March 2008 , 2008
Do-It-Yourself AV comparatives
2008-03-27 15:55:00
I've just read a press release from AV-Comparatives where they announce a partnership with AntiMalware Test Lab. A long time ago we decided not to participate in AV-Comparatives tests, for a number of reasons. Our opinion is the following:
- The tests should be run by skilled people who must be able to distinguish a malware sample from a goodware one.
- The testers should have a malware test-bed, and of course it should include malware files, with no clean files, no damaged files, etc. It also has to be representative; it does not make sense to test malware that died 15 years ago.
- The testers should check the detection capabilities of each and every product. To do that you will run different samples and see what each product is able to do (behaviour blocking, heuristics, signatures, etc.).
- The testers should be vendor independent, to avoid any bias.
Even though the new alliance won't solve all the mentioned problems, at least we know that now there is ...
Greetings from Amsterdam
2008-03-27 06:58:00
It seems that today we are going to have good weather; this photo has just been taken from the Mövenpick Hotel. 2 days ago it was snowing, but the temperature has risen and it seems that we are going to have a sunny day: Yesterday I gave a speech at the Black Hats Seminar, in the session "Black Hats Sessions Part VI: Hacking for profit". More than 100 people were present at the speech I gave about cybercrime. Throughout today and tomorrow the BlackHat Europe 2008 briefings, which have nothing to do with the Black Hats Seminars, are going to take place. The schedule can be consulted here. I hope to come across interesting information.
More About: Amsterdam
You are nominated... to distribute malware!!!
2008-03-14 12:39:00
For some days now, we have been detecting some news related to BBB8 (Big Brother Brasil 8) being used as a social engineering technique in order to distribute malware. Several weeks ago, the image of Giselle, one of the participants of this reality show, was used to distribute malware through the Orkut social network by enticing users to watch a YouTube video of her. When the user followed the link to the video, a message was displayed notifying that a codec had to be installed to view the video. Of course, this codec is in fact the Trojan detected as Orkut.AT. The latest example we have seen regarding BBB8 is an email inviting users to view a video of some erotic scenes of Taty and Marcos, who are contestants on this program as well. However, if any of the links included in the email is followed, the malicious code detected as Trj/Dadobra.AOC will be installed on the computer. It is designed to download malware oriented to steal access data to certain banking entities. The...
More About: Malware , Nominated
Microsoft Updates for March
2008-03-13 10:36:00
As usual, every second Tuesday Microsoft publishes security updates for its products. On 11th March, Microsoft published four updates (from MS08-014 to MS08-017), all of them rated as critical and affecting the Microsoft Office suite. We recommend you update your systems as soon as possible, as all these flaws could allow remote code execution. You can find more information about the security bulletins by clicking the following links: MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution. MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution. MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution.
More About: Updates , Microsoft Updates
Fake death of Fidel Castro
2008-03-07 12:26:00
Today PandaLabs has detected W32/FakeDeath.A.worm. This worm spreads itself in an email message with the subject “Mala Noticia” (Bad news) and makes reference to the supposed death of Fidel Castro. The message entices users to find out more about the news by clicking a link to a video about it. When clicking the link to the supposed video (UnivisionMultimedia_flashplayer_swf.exe), we will be redirected to a website displaying the news published by the newspaper Diario Clarín on 30th of August 1997 about the fake death of the Cuban ex-president. At the same time this website is displayed, a copy of the worm is being downloaded to the computer. The main aim of this worm is to spread itself via P2P programs. Although our TruPrevent Technologies have automatically detected it, be careful if you get one of these.
More About: Fidel Castro
Greetings from London
2008-03-07 07:17:00
The 6th e-Crime Congress has just finished. With more than 600 delegates, this meeting is becoming one of the most important ones related to the fight against cybercrime. As a strategic sponsor, we had an exhibitor stand: Speakers from around the world have come to share their knowledge and expertise; you can take a look at the program here. On Wednesday, at session 6 – Going Underground – I presented “The Business of Cybercrime”. You can take a look at the slides here.
More About: London
February Adware/Spyware List
2008-03-06 12:52:00
One more time, this month there haven’t been significant changes in the adware/spyware list; the first five positions seem immutable. Both Adware/ActiveSearch and Adware/BaidurBar go down two positions, placing themselves in the 8th and 9th positions respectively. Taking advantage of these changes, the free positions have been filled with Adware/Sweetbar and Adware/Wupd (in the 6th and 7th positions). With regard to those which leave the list, Adware/NaviPromo doesn’t move away too far and goes down 3 positions, placing itself in the 12th position. Regarding the newcomers to the top Adware/Spyware list, the only one is PurityScan, which gains 4 positions and places itself in the 10th position.
More About: List , February
New MS Access exploit
2008-03-03 09:32:00
Last week, John Fellers sent us a sample that exploited a flaw in MS Access. We thought it was the same vulnerability sent to Bugtraq in November and announced by McAfee in December. However, a deeper analysis reveals that it's a new vulnerability. We are still analyzing the exploit to find out more information, though at first sight it seems to be a flaw in the Jet Engine (msjet40.dll). A simple search in Google (with the name of the mdb file as the query) reveals it was sent to a public forum on Nabble in February. Although these vulnerabilities allow remote code execution, Microsoft replied that they would not fix these mdb vulnerabilities, as it seems they will not acknowledge vulnerabilities which come from .mdb files: "You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/9...
More About: Exploit
Multi AVs Scanners
2008-02-27 13:37:00
From the point of view of a malware developer, one of the main goals when developing a new creation is to avoid antivirus detection, via signature or heuristic technologies. There are different ways to do it, such as using the free on-line scanners offered by most of the vendors. But this is something tedious, as you have to go from one to another all the time. When VirusTotal was born a few years ago, some people were claiming that it was being used by malware developers to test their creations. In some cases, we knew it was true, as we have seen some advertisements in forums showing the scanning results from VirusTotal claiming that certain malware was not detected by any vendor. On January 3rd, VirusTotal decided to remove the option "Do not distribute the sample", so each and every file could be sent to any antivirus vendor. Since then, we have seen that some underground communities have taken up again several projects that allow users to have a tool for analysing their creations....
More About: Scanners , Multi
Not all phishing is about banking
2008-02-25 13:51:00
When we think about phishing, we think about e-mails that try to get information from online banks, eBay or PayPal accounts. While in most cases this is true, it must be noted that the aim of the guys behind these attacks is the money. So, wherever there is money, there will be attempts to steal our information. Nowadays another common target is online games, especially MMORPGs (Massive Multiplayer Online Role Playing Games) such as World of Warcraft or Lineage. Last week I found this bid on eBay, selling four level-70 characters starting at US$ 27,000: Last year “Andy” Deokyoung Jung from AhnLab made a very good presentation about online gaming and hackers at AVAR. It is clear that all kinds of accounts are likely to be under attack. For example, on February 22nd I saw a new phishing attack targeting Yahoo Sponsored Search users: Of course when you click on the link, it will take you to a bogus site: This is the real one: As I always say, please...
More About: Phishing , Banking
Yet Another Web Attack Toolkit --> Exploit Multipackage 0.2
2008-02-25 09:59:00
Last week we received an email message written in German which advertised a casino called Lux Imperial Casino. However, this message was not just spam but also included a malicious link to a toolkit called Exploit Multipackage. The infection URL, which is http://58.65.239.98/[removed]/index.php, allows a malicious user to analyse the system in search of vulnerabilities. If it finds any, a Trojan detected as Nabload.DBD will be installed on the computer. This Trojan, in turn, will download another one detected as Banker.KQS, which is designed to obtain confidential information related to banking entities. We could access its control panel, which is hosted in Hong Kong. Although it has not been active for a long time, in the following images we can view the most affected operating systems and browsers. Other interesting data we can see is that the control panel is in Russian and the most affected country is Germany. This control panel is similar to the Traffic Pro one, so it could b...
More About: Toolkit , Attack
Sensation.New Video - make haste to look!!!
2008-02-19 15:50:00
Since last week we have been noticing a significant increase in certain spam messages, which have several features in common. The subject of all of them is “Sensation.New Video - make haste to look!!!”, and as a social engineering technique they include a video that makes reference to different news; the latest one we have seen is related to the trailer of a film premiere. All of them enclose a link which starts with a Google URL in order to go unnoticed.
Server: http://pousadarecantonatureza.com.br/
IP: 67.15.48.41
City / Country: Houston (Texas) [United States]
Server: http://www.neufeld-media.de/
IP: 81.169.145.72
City / Country: Berlin [Germany]
http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCEhttp://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtEhttp://www.google.com/pagead/ic...
More About: Make
Phishing Ecosystem
2008-02-18 11:11:00
Taking a look at one of the thousands of malware samples we are processing every day, we found a Trojan that was looking for e-mail addresses, apparently nothing special. Unlike other Trojans, it was not looking for e-mail addresses in every location, but only in the valid contact list. All of them were saved in a text file and uploaded via FTP to the hacker’s server. The guy was foolish enough to leave the FTP credentials in plain text, so we could access it effortlessly. We accessed the server, which was running a RedHat Linux distribution. Once there, we could see a few thousand stolen e-mail addresses, plus some phishing pages belonging to different banks from Italy, Brazil, and some other countries: The server contained some scripts to send out phishing e-mails to the stolen addresses, as well as to send the Trojan. So it was an easy task: send out the Trojan, wait for stolen e-mail data to come, send out phishing attacks and wait for the stolen credentials. And as I hav...
More About: Phishing , Ecosystem