Archive for October, 2006

Death Star

October 23, 2006

Regarding malware, on some occasions we have made graphic representations of it. This reminds me of a study carried out in PandaLabs that dealt with analyses of malware families, in which the similarities among variants of the same family could be observed just by looking at the graphic representation of the calls to several functions made in each file.

We have recently come across a rather odd case, belonging to one of the many bots (Gaobot.AAF). When we took a look at the results, we thought that something had gone wrong with our algorithm. So we studied it in depth and, actually, the results were right. This was the graphic result that surprised us so much:

[Image attachment]

Star Wars fans will perhaps have recognised the picture at once: it looks like the Death Star.

One of the characteristics of the Gaobot family is that its source code has been widely published on the net, so that several virus-writing communities have kept adding new functionality, such as exploitation of new vulnerabilities, which gives rise to very complex and poorly optimised code. This is not surprising either, as virus writers are not exactly known for being good programmers.

The future is here

October 22, 2006

The square evolved into the circle, and the floppy disk evolves into USB. There is a PoC of a "piece of malware" (a discussion may start here about its real nature) capable of stealing information. Amazing, isn't it? The evolution is in the way it works. The code is located on a USB device and runs at boot. It can presumably retrieve the information on the disk and send it by email to the attacker. After that, it can be completely cleaned from the system.

Talking about evolution, the "walkman" (which contained no malware) evolved to the iPod, which can contain malware from the very beginning.


Spam as a financial tool (II)

October 20, 2006

The Mexican one was not a success as far as we can see. But we are seeing a lot of similar spam messages every day; here is an example:

[Image attachment]

VML, Viking and Lineage… Any further bids?

October 20, 2006

We have become aware of a site hosting a page that exploits the VML vulnerability. Through this exploit, it downloads a W32/Viking variant. This Viking downloads several Trj/Lineage variants. And finally, these Lineage variants are responsible for gathering victims' data, such as passwords. Surf carefully…

Spam as a financial tool

October 19, 2006

Everyone knows that spam is used to advertise all kinds of products and that hackers use it in other ways (installing malware through exploits, etc.). The message usually links to an external site, but it's not always like that. We have recently seen spam messages about a deal from a Canadian company. The message was a recommendation to buy stocks of that company on Thursday, 21st September 2006.

How can we measure the success of the message? Well, let's take a look at the stock prices of that day:

[Image attachment]

As we can see, someone could earn a lot of money by buying stocks, sending this kind of spam and selling all the stocks the same day, when everyone else is trying to buy. I have just received a similar one. This time it is a Mexican company; let's follow it up, and tomorrow I'll publish the evolution of these stocks.


Spamta.CY

October 18, 2006

This is a heads-up. Today we have received several submissions of the email worm Spamta.CY. Over the last few days we have seen many variants (right now we are on the DD one) and some of them have caused some incidents. Not an alert, but a heads-up. TruPrevent (TM) was able to proactively detect it, as with previous variants.