PandaLabs Blog
This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies, new trends.
Articles
2012 Security Trends
2011-12-15 13:26:00 2011 is coming to an end, so now it's time to try to see what we can expect for the next 12 months: Social networks: Social engineering techniques exploiting users' weaknesses have become the leading attack method on social networks. Trending topics such as the Olympics or the next US Presidential elections will be used as bait. Cybercriminals will continue to target social media sites to steal personal data. Malware increase: In the past few years the number of malware threats has grown exponentially, and everything seems to indicate that the trend will continue in 2012. In fact, malware is the weapon used by cybercriminals to carry out their attacks. Trojans: they are cyber-crooks' weapon of choice for their attacks, as shown by the fact that three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users' computers and steal their information. Cyberwar: or maybe it is more accurate to say cyberespionage. 2011 has... More About: Security, Trends
Could targeted attacks be avoided?
2011-12-02 12:37:00 This could be a long blog post, but I'll try to make it short. However, for those of you who are lazy, here you can read the answer to the question, and those interested in the whole story (I will make it short, I promise) just follow the * mark: NO (*) (*): One of the characteristics of a targeted attack is that the attacker has previously studied the victim (who is a specific person or organization). This attacker will study the victim: which systems they are running, where the most valuable information is located, what defenses are in place, etc. And not only that: the person(s) will be investigated as well, in which fields they are working, what hobbies they have, etc. This is why it is almost impossible to avoid these kinds of attacks. However, this is not a reason to lower our defenses, and that's something that really puzzles me: taking a look at some of the major attacks we have seen in the last few years, many of them were possible because there were servers wit...
Fake Cloud AV 2012
2011-11-30 12:59:00 There is a new friend in the village. Many people thought that the fake antivirus (aka rogueware) business had declined, and it is true that for a few months rogueware infections were not that prevalent, mainly due to the efforts made by law enforcement with the help of security companies, but it was only a matter of time before they came back. In the last few weeks we have seen an increase in infections, and today I want to show you a new one that calls itself "Cloud AV 2012". Cybercriminals always try to confuse their victims, so they use names similar or identical to those used by real antivirus products. In this case they have taken advantage of the well-known Panda Cloud AV to do their trick. Once it is installed on your computer, it will create a link on your desktop to open the program, but you won't need to use it: as soon as it is installed it will open itself and launch a system scan, which will report loads of malware found on your system. Of course... More About: Fake
Hong Kong, AVAR 2011
2011-11-11 03:07:00 Greetings from Hong Kong! This week we are enjoying the AVAR security conference, which is taking place in Hong Kong. Some interesting topics are being covered, such as the talk "Malware in EFI", where Intel's Igor Muttik showed us how malware could take advantage of the EFI (Extensible Firmware Interface), the challenges we could be facing, and the countermeasures that can be taken. Another topic that has come up a lot is malware on mobile devices. Even though it is not that prevalent, it is an emerging threat and it raises some interesting thoughts. Of course the cloud is another topic covered here, but among the most interesting talks are those about targeted attacks in certain Asian countries, such as South Korea and Japan. The full program is here in case you want to take a look at it. As some of you may remember, at last year's AVAR in Bali I was awarded the "Wildlist Reporter of the year" pr...
PandaLabs Report – Q3 2011
2011-11-03 09:26:00 The new PandaLabs Report Q3 11 is out. Take a look at what has happened in the computer security field during the last 3 months. Just click on the picture. In this quarter 5 million new malware samples have been created and the record for new Trojans has been broken, as it is the category preferred by cybercriminals to carry out their theft of information. The Anonymous group, who starred in the second quarter, has continued making the headlines in this period, due to the arrest of some members, theft of data from different web sites and Operation PayPal. The PandaLabs report also includes information about cybercrime, cyberwar, social networks, Mac and cell phones, and a wide section explaining exploits. The highlight of this third quarter is the record set in the creation of new Trojan samples: 3 out of 4 new malware samples created by cybercriminals are Trojans, and this is just another proof that they are focused on stealing users' information.
Deobfuscating malicious code layer by layer
2011-10-20 11:25:00 Article written by David Sánchez Lavado This post explains how to analyze the malicious code used in current exploit kits. There are many ways to analyze this type of code, and you can find tools that do most of the job automatically. However, as researchers who like to understand how things work, we are going to analyze it with no other tools than a text editor and a web browser. My goal is to lay the basis for you to learn how to remove the different obfuscation layers that malicious JavaScript code may employ. I will show you how to remove those layers step by step until you get to the last layer, where the logic that exploits the relevant vulnerability is found. IMPORTANT: I recommend that you perform this type of analysis on a virtual machine on its own isolated network, in a laboratory dedicated exclusively to this type of research, to avoid unwanted infection. BASIC CONCEPTS Generally speaking, malicious code is used to exploit vulnerabilities in web browsers and PDF readers l... More About: Code
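The layer-by-layer approach the post describes can be mechanized for the most common case, where each layer decodes the next one and hands it to eval() or document.write(). The example below is added here and is not code from David Sánchez Lavado's post: it runs a layer with those two sinks (and window) replaced by stubs that capture the argument as text instead of executing it, then repeats on the captured text until a layer calls no sink. The three-layer sample is constructed for the example and is benign; the function names (buildSample, peelOnce, peelLayers) are this example's own. Note that each layer's decoder code does execute in the analysis process, so real samples still belong on the isolated lab VM the post insists on, and kits that use other sinks (setTimeout, Function, appendChild of a script node) need those stubbed as well.

```javascript
// Added example, not from the original post. Peels eval()/document.write()
// obfuscation layers one at a time by shadowing the sinks a decoder layer
// calls, so the next layer is captured as text instead of being executed.
// The layered sample below is constructed here and is benign.

// Builds a three-layer sample: a harmless innermost statement, hex-escaped
// and handed to eval(), then rebuilt from char codes and injected via
// document.write(), the way exploit-kit landing pages commonly do.
function buildSample() {
  const payload = 'var marker = "final-layer";';
  const hex = Array.from(payload, c =>
    '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  const layer2 = 'eval("' + hex + '");';
  const codes = Array.from(layer2, c => c.charCodeAt(0)).join(',');
  return 'document.write("<script>" + String.fromCharCode(' + codes +
         ') + "</scr" + "ipt>");';
}

// Runs one layer with eval, document and window replaced by capturing stubs.
// Returns the source the layer tried to execute, or null if it called no sink.
function peelOnce(code) {
  let captured = null;
  const fakeEval = s => { captured = String(s); };
  const fakeDocument = {
    write: html => {
      // Pull the script body out of injected markup; keep raw HTML otherwise.
      const m = /<script[^>]*>([\s\S]*?)<\/script>/i.exec(String(html));
      captured = m ? m[1] : String(html);
    },
  };
  fakeDocument.writeln = fakeDocument.write;
  const fakeWindow = { eval: fakeEval, document: fakeDocument };
  // Parameter names shadow the real globals inside the generated function,
  // so the decoder's calls land on the stubs instead of the browser sinks.
  const run = new Function('eval', 'document', 'window', code);
  run(fakeEval, fakeDocument, fakeWindow);
  return captured;
}

// Repeats peelOnce until a layer calls no sink; that last layer is where
// the real logic (in a real kit, the exploit) lives. maxLayers guards
// against decoders that keep producing new layers forever.
function peelLayers(code, maxLayers = 10) {
  const layers = [code];
  for (let i = 0; i < maxLayers; i++) {
    const next = peelOnce(layers[layers.length - 1]);
    if (next === null) break;
    layers.push(next);
  }
  return layers;
}

if (typeof require !== 'undefined' && require.main === module) {
  peelLayers(buildSample()).forEach((layer, i) =>
    console.log('--- layer ' + i + ' ---\n' + layer));
}
```

Run it with node and it prints the three layers in order, the last one being the plain statement the outer layers were hiding; with a real sample you would paste the landing page's script body into peelLayers and read the final layer for the exploit logic.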
R.I.P. Steve Jobs
2011-10-06 16:36:00 As you all probably know, Steve Jobs passed away yesterday. This is sad news, and everyone is talking about him and his life, as he achieved so many fantastic things. Social networks are flooded with quotes from Steve, and all of us have only good words for him. But as you can imagine, there are always people trying to take advantage of these situations. Some cybercriminals created a Facebook page called "R.I.P. Steve Jobs", and innocent people have been joining by the thousands. In just a few hours it had more than 90,000 fans. The criminals published a link using the popular shortener service bit.ly, claiming that Apple would be giving away 50 iPads. Of course the whole thing is a scam, and once you click on that URL (which ended with "restinpeace-steve-jobs") you are redirected to a site where you are offered a number of gifts, such as iPads or Sony Bravia TVs. For that they ask for your information, such as Full Name, Address, Phone Number...
Greetings from Barcelona
2011-10-04 10:13:00 This week I am in Barcelona, where the Virus Bulletin conference is taking place. I will be attending some pre-VB meetings, such as the AVPD (AntiVirus Product Developers) meeting hosted by ICSA Labs and the WildList meeting, where we'll talk about some future plans. All the meetings and the conference itself will take place at the Hesperia Tower Hotel, a nice place with a huge conference center, which looks promising. The Virus Bulletin conference this year will be covering many topics, from social network attacks to all kinds of cybercrime. There are a number of highly interesting talks; you can take a look at all of them in the programme. At the same time as the conference, a major event will be happening: the Table Football World Championship 2011. As usual it is sponsored by our friends and competitors from GData, and 9 teams from all around the world will be facing each other. Pedro Bustamante, our table soccer star, won't be attending this yea...
Xandora to be presented at the next Hack In The Box conference
2011-09-26 12:51:00 In a couple of weeks this year's edition of the Hack in the Box security conference will take place in Kuala Lumpur, Malaysia. This is a great conference, and I had the pleasure of speaking there last year. This year Panda Security will also be participating; this time KaiJern Lau, our Technical Director for Panda Security in APAC, will be the one in charge of it. He will talk about Xandora, a tool for analyzing the behavior of Windows PE executables with a special focus on the analysis of malware. Xandora was created by KaiJern and has proven to be an excellent tool. We use all the information gathered by Xandora in our Collective Intelligence system, and several antivirus companies are subscribed to it and use it to obtain both information and malware samples. If you want to know a bit more about this you can visit Xandora's web site, or even better, hear how it works if you can attend his talk "Malware Sandboxing the Xandora Way."
The good old scams: new countries, same tricks
2011-09-20 10:19:00 This blog post could also have been titled "A trip from Nigeria to Libya". Perhaps one of the best-known email scams is the Nigerian letter scam and its many variants. The initial email tries to convince recipients that there are several million dollars which cannot legally leave Nigeria unless transferred to a foreign account. The fraudsters offer the recipient of the email a commission for helping them get the money out of the country, but ask the intended victim for an advance fee (under a myriad of pretexts depending on the particular variation of the scam). However, the whole operation is a fraud, and you will lose any money you pay. These kinds of scams are among the first of the Internet era, dating back to the 80s (yeah, that's a long time ago, when most people hadn't heard of the Internet yet). And they work, so they will always be there as long as ... More About: Tricks, Scams, Countries, Good
Security Blogger Summit 2011
2011-01-17 11:44:00 In a few weeks this year's Security Blogger Summit will take place in Madrid. Two main topics will be the focus of discussion: - Cyber-activism: A new Internet sensation. - Cyber-terrorism and cyber-war: Reality or fiction? As always, the event is free; you just have to send an e-mail to comunicacion@pandasecurity.com with your details. It includes coffee and snacks in the afternoon and a cocktail party at the end of the event, plus the opportunity to talk to the participants. I will be around in case you want to share a beer. Who is going to be at the table? Well, these are some of the names we have: Enrique Dans: Lecturer in IT systems at the IE Business School, he contributes to numerous newspapers and magazines and is a respected opinion leader regarding new technologies. Elinor Mills: Senior writer at CNET News on security issues, she has been working in this field for more than 20 years. Robert McMill...
PandaLabs Annual Report 2010
2011-01-05 11:09:00 2011 has just started, so it is time to look back at what happened last year. Today we publish the 2010 Annual Security Report, covering an extremely interesting year with regard to cyber-crime, cyber-war and cyber-activism. In 2010, cyber-criminals created and distributed a third of all existing viruses. That is, in just 12 months they created 34 percent of all malware that has ever existed and been classified by the company. Furthermore, the Collective Intelligence system, which automatically detects, analyzes and classifies 99.4 percent of all malware received, currently stores 134 million unique files, of which 60 million are malware (viruses, worms, Trojans and other computer threats). Trojans still dominate the ranking of new malware that appeared in 2010 (56 percent of all samples), followed by viruses and worms. It is interesting to note that 11.6 percent of all the malware gathered in the Collective Intelligence database is rogueware or fak...
New trick from cybercriminals
2011-01-04 10:22:00 Due to the artistic nature of cybercriminals, they never run out of ideas. After using social media, popping up fake AV, hacking into websites... what else? We've discovered a rogueware campaign using "usable apps" to distribute rogueware. When the victim runs the binary, the rogueware runs and pops up "Installing Flash FLV Player": Right after we spotted that, we found another rogueware doing almost the same thing. This one is more interesting and colorful. We shall name it the updated version: No doubt this is a more colorful version, and maybe XVID means something more interesting? Our final word? Most common media players will be able to play most video formats. You don't need a "Special Player" to play yet another video format. More About: Trick
Interview with Rubén Santamarta about security in SCADA systems
2010-12-20 11:57:00 Luis Corrons – Rubén, could you first tell the readers of the blog a little bit about yourself. Despite being quite young, you’ve been involved in the world of security for some years and in some circles you’re practically considered a guru. Rubén Santamarta – Well, my first contact with the world of reverse engineering was through the study of software protection, when I was 15 or 16 years old. I started to work as a programmer when I finished high school, but then I gave it up… Some five years later I got back into it, when I started at Panda. This was when I discovered that I could make a living out of looking for vulnerabilities, among other things. This helped me gain access to interesting projects and people. We’re now putting a lot of effort into starting up our own small enterprise, Wintercore. Luis – For the uninitiated, could you tell us what a SCADA system is? Rubén – These are industrial control systems, used for example in ch... More About: Security , Interview , Systems
Twitter used for Rogueware Distribution
2010-12-16 02:38:00 Cyber criminals are using social media more frequently to distribute their malicious creations. Pft! As if Blackhat SEO, fake advertisements, and hacked websites weren't enough?! Today we'll take a look at a rogueware campaign using Twitter for distribution. Several fake profiles (and compromised ones too) started tweeting "a very good antivirus" followed by a shortened link. [Image: A very "good" antivirus] Clicking the link in Firefox leads us to a fake Firefox warning screen, which attempts to social engineer users into believing that Firefox is prompting for a security update. [Image: Fake Firefox Security Alert] Once "Start Protection" is clicked, the user is prompted to install Setup.exe, which we detect as Adware/ThinkPoint. After the malware is installed, the computer prompts to restart. Once the computer is restarted, the following screen appears: [Image: ThinkPoint Rogueware] The software then automatically performs a "scan" and reports a number... More About: Distribution
Security trends for 2011
2010-12-13 14:14:00 Our great leader and CEO Juan Santana (you know, this is the time of the year when I have to butter him up and try to improve my salary for 2011 ) has invited me to write in his blog, Panda Security Insight. So I have taken this chance to use my crystal ball and figure out what will happen in 2011. If you want to find out which are the trends in security for the next year, just click on the crystal ball: More About: Trends
BlackHat SEO attack – Target: Wikileaks
2010-12-13 11:17:00 Yet another BHSEO attack, and as always the cybercriminals are using the most popular terms, in this case Wikileaks-related terms: "Wikileaks", "Wikileaks killing video", "Wikileaks afghanistan", "Wikileaks video". This is what you get when you search for some of these terms: When clicking on any of these poisoned results, you get to a YouTube-like website: There is no video there, but you will get a message to download some codecs to watch it, and you will infect your computer with a fake antivirus, detected as Adware/MySecurityEngine. More About: Target
Operation:Payback broadens to “Operation Avenge Assange”
2010-12-06 11:59:00 Get up-to-the-minute attack updates here. The organizers behind the Anonymous group responsible for Operation:Payback are in the midst of refocusing their campaign to assist WikiLeaks in its quest to release classified government documents. The following statement was made available on their website late Sunday afternoon: Wikileaks have been down because of Distributed Denial-of-Service attacks (DDoS). There are reasons to believe that the United States of America are behind this, due to the nature of the leak on Sunday 28th November 2010, where over 251,000 documents (US diplomatic cables) were published on WikiLeaks. What is this all about? And what does it have to do with censorship and Operation Payback? While we don't have much of an affiliation with WikiLeaks, we fight for the same reasons. We want transparency and we counter censorship. The attempts to silence WikiLeaks are long strides closer to a world where we cannot say what we think and a...
‘Tis the Season of DDoS – WikiLeaks Edition
2010-12-04 13:47:00 Scroll to the bottom for the latest updates… DDoS attacks are flying across the Internet like there is no tomorrow. Just a few days ago, a hacktivist operating under the handle “th3j35t3r” decided to single-handedly take down the Wikileaks website with a DoS tool of his (or their) own creation. He issued a statement on Twitter shortly after explaining that the attacks against the WikiLeaks website were made for “attempting to endanger the lives of our troops, ‘other assets’ & foreign relations.” According to our statistics, his attacks resulted in 1 day 3 hours and 50 minutes of downtime for WikiLeaks before the site was completely yanked offline by Amazon and EveryDNS. Note: Initiating a DDoS attack is illegal in many countries and we do not recommend that you participate in this or future campaigns. On the other side of the attack spectrum, the anonymous attackers involved in Operation:Payback have vowed to take a temporary b... More About: Season
Don't Get Caught by the Grinch on Twitter
2010-12-02 08:09:00 Last year we documented the very first trending topic attack on Twitter. The attack is similar to a Blackhat SEO campaign, where criminals leverage the many hot topics discussed on the Internet in order to position their malware campaigns in highly visible places on Twitter. Earlier today we noticed over 300 Twitter accounts targeting various trending topics on Twitter. Thousands of tweets ranging from "Nobody cares about Hanukkah" to "Shocking video of the Grinch" were accompanied by shortened malicious URLs. Clicking on the link would lead to a fake codec site, which would then attempt to exploit your system with a PDF vulnerability (CVE-2010-2883) on top of prompting you to download a malicious "codec," which in reality is a generic Trojan downloader. [Image: Tweets sent out for just one malicious URL] [Image: Malicious Tweet: Twitter Trending Topic Attack - Nobody cares about Hanukkah] [Image: Infection site: Twitter Trending...] More About: Caught
Blackhat SEO continues to ravage search results
2009-09-23 01:26:00 Every day cyber criminals are exploiting search engines to display high-ranking malicious search results. Targeting hot topics allows cyber criminals to improve infection rates for their money-making Rogueware (pdf) schemes. Below is an example of the attack we observed today. Most targeted search terms: Dallas Cowboys, NFL, School, Emmy Awards, Autumn Equinox (Mabon), Atlanta News. The full list of targeted keywords can be downloaded here: BlackhatSEO3.txt [Image: Sample search result] [Image: Redirection to fake security (Rogueware) site] [Image: Rogueware: Adware/PCDefender] [Image: Tag cloud of targeted terms] More About: Results, Search
Hack MySpace, ICQ, and Vkontakte for $100 (50% discount for Russians)
2009-09-21 21:43:00 The Ukrainian Facebook scam we blogged about on Friday has similar campaigns for MySpace, ICQ, and Vkontakte. All of the scam sites are identical in design and require a payment of $100, except for the Vkontakte scam site. Vkontakte is a Russian clone of Facebook, and the scam offers to hack Vkontakte profiles for 1500 rubles, which is about $50 USD. [Image: MySpace] [Image: ICQ] [Image: Vkontakte] What's strange here is that the Ukrainian scam crew responsible for these scam sites is making a run at conning Russians, which is a tactic we don't see very often in the labs. More About: Myspace, Hack, Scam, Discount
Your Facebook account is worth $100
2009-09-18 09:07:00 Yesterday I came across (thanks Sean-Paul!) the following site, which really attracted my attention: As you can see, it is an online service which promises to hack any Facebook account for just 100 bucks (!). My first thought about this was "ok, just another scam", but I wanted to see how far they could go with this. The first thing they ask you to do is register on their site, which I did. The next step to hack an account was to provide them with the ID of the Facebook account you wanted to hack; first I created a temporary Facebook account for this test, and then went back to "hack" it. Obtaining the ID is trivial, and with that ID anyone can obtain the Facebook username, but that's something people are not familiar with, so in the end it gives extra credibility to this "service". Once you enter the ID and click on the "Hack it" button, you are given the owner of the Facebook account (the username) and ... More About: Worth, Account
Blackhat SEO Attack Targets Obama's Speech
2009-09-10 01:52:00 Using search engines to browse the Internet these days is a dangerous endeavor. Cyber criminals are keen on gaming search engine algorithms and are able to quickly divert innocent news seekers to malicious websites. Today, WIRED reported that cyber criminals were targeting a highly anticipated Dan Brown novel, but the target and scope are much broader than that. Literally every current relevant news topic is actively targeted each day, including the highly publicized speeches given by President Obama this week. Clicking the following link in a Google search result will point us to a malicious Rogueware campaign page: Malware Info: Adware/SmartVirusEliminator Investigating the attack shows us a bigger picture of the targeted keywords. Most commonly targeted keywords: Obama Speech, GM group enterprises, Apple, Beatles, America, White House, Jon Gosselin, Live Interview, School Season. The full list of targeted keywords can be downloaded here: BlackhatSEO2...
Live Demo: Banking Trojans
2009-09-09 00:09:00 Banking Trojans are one of the most prevalent Malware species in the threat landscape today. Malware authors aim to keep infections live and undetected long enough so that they can get what they are really after: money. Financial motivations lead malware developers to craft the stealthiest banking Trojans to steal personal and financial data for further exploitation on the black market. Day after day innocent victims are hacked with the end result being an emptied out bank account. This video demonstrates how dangerous and stealthy banking Trojans can be and why we must continue to raise awareness on the issue. More About: Video , Banking , Live , Demo
Rogueware Demo: Online Antivirus
2009-09-05 03:51:00 Rogueware authors continue to push the limits when tricking innocent users into infecting themselves. In this video example, we demonstrate the audio and visual cues used in a scareware campaign. More About: Antivirus , Online , Demo
Be Careful With Your Search Results
2009-09-01 19:29:00 Update: Learn about the latest BHSEO attack here. Blackhat SEO (BHSEO) is currently one of the most prevalent distribution methods for malware on the Internet. It's also one of the most dangerous methods because of the trust users implicitly place in search results. A Forrester research study conducted in 2008 showed that 50 percent of Internet users trust content delivered by search engines. It's no surprise that cyber criminals have been using malicious search results as a main monetization stream. The Rogueware campaign we blogged about last week turned into a full-blown BHSEO attack targeting relevant news topics such as the California wildfires, Ted Kennedy's death, DJ AM's death, Mega Millions Lottery, Hurricane Danny, UFC 102, and CNN and BBC breaking news, among thousands of search terms and 123,000 links. Upon clicking one of the many malicious links in the top-ranking search results, the victim is put through several redirections and final... More About: Results, Search, Careful
Are Cyber Criminals Targeting Local Events In Your City?
2009-08-27 23:36:00 Panda Security has a California-based office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forest that have now burned through at least 30 acres, so naturally we have been keeping an eye on it. To my surprise, I pulled up a Google search for "Angeles Crest Fire" and the results yielded a malicious link above most relevant sources. Update: 9/01/09 - The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc Once clicked, the site loads and checks to make sure the user came from Google. If so, the following script begins the redirection to the Rogueware site: The Rogueware site is designed to display a fake antivirus scan intended to scare victims into thinking that their computer is infected. If the malware is downloaded and installed as the site suggests, the user will see a fake antivirus program pop up on their computer. At that po... More About: Events, Tips, Local, City, Cyber
A new family member: SaveDefense
2009-08-27 12:58:00 Two days ago we wrote about 3 different variants of the same rogueware family that were just changing the name of the "product". The family keeps growing: yesterday we found a new member, called SaveDefense: The payment gateway remains unchanged too: More About: Family
New Roguewares: SaveKeep, SaveSoldier & TrustNinja
2009-08-26 11:26:00 As you already know if you've read our paper about The Business of Rogueware, this is a very lucrative business. Every day we see thousands of new variants, and a few families that appear trying to infect users and get their money. Three of the new families we've seen this week, called SaveKeep, SaveSoldier and TrustNinja, are in the end the same rogueware but rebranded, which is one of the common strategies they use. Guess how we can tell that the three of them are in fact the same rogueware: Another clue that this is the same piece of malware is that they are using the same payment gateway: