Archive for November, 2006

New Malware: Bck/tnegA.A

November 30, 2006

For some time now we have been getting used to malware that checks whether it is being monitored by different tools. As the race between malware creators and anti-malware companies goes on, new tools and techniques keep being developed to gain a small advantage over the other side.

Stealth techniques have been used since the old days. As nature teaches us, hiding is a good technique. This type of malware used to hide from antivirus programs using different tricks, for example patching the interrupt vector table.

But evolution never stops, and nowadays we have malware capable of detecting virtual environments; a whole lot of adware, disguised as media codecs, uses this technique.

Bck/tnegA.A checks for different monitoring applications such as Ethereal, ProcessExplorer, RegistryMonitor, HijackThis and Regedit, and prevents them from being executed.

 

Security in wireless networks

November 29, 2006

WiFi has been around for several years now, and it is currently an established and accepted technology. Some WiFi spots allow users to access the Internet for free in public places, such as airports, libraries, hotels and pubs, which is great. There are several websites that provide a list of free WiFi spots, such as wififreespot.com, wi-fihotspotlist.com and hotspot-locations.com.

It's also in the news that WiFi while travelling by plane will be available pretty soon. People are getting used to having WiFi connectivity at their convenience everywhere.

However, the average Joe may not be aware of the security issues surrounding this technology: there are WiFi exploits available through Metasploit; several Security Incident Response Teams, such as FrSIRT, have released advisories reporting vulnerabilities; and every now and then, a survey shows how WiFi users do not control access to their network. Meanwhile, wardriving (and even warflying) is a fairly common practice.

So, it seems it's time to wake up and smell the coffee: you should secure your WiFi network or connection.

Some months ago, PandaLabs released a document on this matter. It discusses the technical characteristics of WiFi on a security level, the most widely used standards, the attacks they must head off and the measures available to users to secure this type of network.

You can download it from the White Papers section. Take the time to browse that section, we think it is worth your while.

First MS06-070, then WKSSVC

November 28, 2006

On November 14th, Microsoft released security bulletin MS06-070, regarding a critical vulnerability in the Workstation service. This vulnerability can be exploited across the Internet by sending specially crafted network messages to a vulnerable Windows XP/2000 computer.

There already exists a PoC (detected as WKSSVC) that exploits this vulnerability. This means we could be facing a real piece of malware using it in the near future (or not…).

As we mentioned in previous posts, this seems to be the "vulnerabilities quarter", so we expect some news about them.

You can find more information at the Malware Encyclopedia.

How lucky that you had already patched your computer…

Spamta goes on, and on, and on…

November 27, 2006

We were waiting for another wave of Spamtas (Stration/Warezov), and here it is. We have seen "a few" more Spamtas around the clock and we have followed their steps. This is what we have seen from 00:00 to 14:00 (GMT +1):

[Imageattachment]

The "wave" seems to be pulling back. We have no crystal ball, but we are sure we will see new waves before Xmas (or maybe right at Xmas, to keep us busy while others taste a mouth-watering turkey…). The saga will go on.

Of Pandas and colors

November 24, 2006

Recent studies reveal that giant pandas can distinguish between colors.

Yes, this has nothing to do with malware, security or anything like that, but nobody gets hurt from a bit of general culture.

Have a nice weekend…

New worm

November 23, 2006

We have come across a new worm in the lab, "Foamer". For an unknown reason it hates DOS command line screens, so it modifies the Windows Registry to prevent users from using them. If you get infected and try to open one, it displays the message "THE WORLD-WIDE DONT ACCEPT COMMAND PROMPT!!!!", but this happens so fast that the user may not be able to see it.

Here is a screenshot of what is displayed.

[Imageattachment]

As usual, you can find more information about it here. To learn about other viruses check the encyclopedia.

IMHO, DOS prompts are not so bad…
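As an added defender-side example (not code from the original post or from PandaLabs): the post above does not name the registry change Foamer makes, so this script assumes the documented Windows policy value DisableCMD under Software\Policies\Microsoft\Windows\System, the standard way to lock users out of the command prompt, and scans a constructed .reg export for it so an analyst can confirm or rule out that hypothesis on a suspect machine.

```python
import re

# Constructed sample of a registry export (.reg); not taken from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000000
"""

# Assumption: DisableCMD is the documented policy value that blocks cmd.exe
# (1 = block cmd and batch files, 2 = block cmd only, 0 = not blocked).
# The post does not say this is what Foamer touches; it is a hypothesis to test.
CMD_POLICY_KEYS = {
    r"hkey_current_user\software\policies\microsoft\windows\system",
    r"hkey_local_machine\software\policies\microsoft\windows\system",
}


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_cmd_lockout(text):
    """Return (key_path, dword) pairs where DisableCMD is set to a non-zero DWORD."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() not in CMD_POLICY_KEYS:
            continue
        m = re.match(r"dword:([0-9a-fA-F]{8})", values.get("DisableCMD", ""))
        if m and int(m.group(1), 16) != 0:
            findings.append((key, int(m.group(1), 16)))
    return findings


if __name__ == "__main__":
    for key, val in find_cmd_lockout(SAMPLE_REG):
        print(f"command prompt locked out via {key}\\DisableCMD = {val}")
```

Removing the value (or setting it to 0) restores the prompt once the worm itself has been cleaned; otherwise it will simply be re-set.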

To whet your appetite

November 22, 2006

In a few days' time, PandaLabs will be publishing its 3rd Quarterly Report. We know we are a little late but… Luis' dog, Robin, ate the draft when we were just finishing it, and then there was a power outage and we hadn't saved the file, and then [insert an excuse of your choice here].

If we had to choose a single word to summarize the Report, it would be obvious: vulnerabilities. Vulnerabilities of all flavours: in web browsers, in office applications, in pictures. Vulnerabilities whose patch had to be re-edited several times, and vulnerabilities whose patch was reverse-engineered to develop an exploit. Zero-day vulnerabilities and vulnerabilities solved months ago that users haven't patched yet.

It will also be a Report of numbers, but that's another story…

[Imageattachment]

Information Leaking: Malware vs. Garbage Bags

November 21, 2006

In the lab we have lots of examples of malware that steal information. We have banker Trojans, keyloggers, password stealers, etc.

We are getting used to hearing about laptop theft, or information theft. We should also be aware of the disposal of USB drives, flash memory cards and smartphones. Who takes care of cleaning your personal data? Are you sure that when you press the 'delete' button, the information is physically removed? It might be easier for the bad guys to buy a second-hand hard drive and try to find something. There is plenty of information lying around just waiting to be found.

But sometimes things get worse and information is in fact lying around… in a garbage bag. We can read here how plenty of information has literally been thrown out into the street.

I am afraid that firewalls cannot help in these scenarios.

Goodbye Orlando

November 18, 2006

The meetings are over and the feedback is very positive. The whole community is getting involved (academic, corporate, law enforcement, etc.) and things are improving. However, this is not the end of it. In fact, it is just the beginning. The e-Crime Research Summit will hold a second edition next year and it will certainly be better than the first one. Regarding the APWG, the meetings will keep on taking place during 2007, and so will the ideas, needs and cooperation projects. We'll be back next week.

Just to be a little bit irreverent…

November 17, 2006

For those of us who are in the computer security business, it's difficult to forget the date when Microsoft publishes its security bulletins (you know, on the second Tuesday of each month).

Don't worry, this post is not aimed at advising you to install the patches, but at conducting a quick survey. So, those of you who have applied Microsoft's November security patches, will you please raise your hands? That will do. Thank you very much, and have a nice weekend!

Everybody else, please, open a Word document and type a hundred times* "I must apply the security patches for my vulnerable applications". But, before you do it, install those patches. For a fast reference, please visit the Latest Threats section at Security Info.

 

 * Of course, the use of Copy&Paste is forbidden…