Archive for February, 2007

How to infect 40,000+ computers in 1 second?

February 28, 2007

Yes, I know we should be talking about how to protect computers, not how to infect them, but… aren't you curious? We found a server managed by a hacker that controls more than 40,000 computers. Just yesterday, he created a new Trojan and sent a command to all the zombies: download & run.

This is not the typical IRC botnet but an HTTP-based one, so a firewall on the victim's computer is no obstacle: the bot's traffic consists of ordinary outbound web requests, which almost every firewall allows. The command was just a downloader Trojan that installed more malware on the infected computers:

– A spammer Trojan (hey, this guy has 40,000+ PCs ready to send out spam and flood all of us!)

– An adware (Adware/Bravesentry) that changes your desktop to black with big white letters saying that you are infected, and all the usual stuff. This adware installs a rogue antispyware (Application/Bravesentry) on the computer, a tool that keeps reporting that you are infected until you purchase it. Once you buy it, it leaves you alone.

That was the first time we looked at it; some time later it was downloading new stuff:

– W32/Nurech.B.worm (more info here).

– Rootkit/Nurech.A (to hide W32/Nurech.B.worm).

– Rootkit/Alanchum.GC (to hide the Trojan Trj/Abwiz.A).

– Trj/Abwiz.A (to steal passwords, e-mail addresses, etc.).

– Application/WinAntivirus2007 (just another rogue antispyware).

So, as you can see: lots of malware on lots of computers at the same time, trying to take money and information from the users. And all in just one second. Scary, isn't it?

If you want to feel safe, just try a quick scan using our beta NanoScan (memory scan in a few seconds).

2006 PandaLabs Annual Report

February 27, 2007

We have just published the brand new 2006 PandaLabs Annual Report, you can download it from here.

Enjoy it!

A curious technique of social engineering

February 22, 2007

We have recently detected many infections of Trj/Abox.A. This high number of infections is due to the curious social engineering technique it uses to deceive users.

This malware sends email messages with an .asx file attached.

The file's intent can be recognized from the following tags:

TITLE "Codec not found", which deceives users into thinking that they do not have the appropriate codec to watch the video.

REF HREF, which is the URL of the video that is displayed. Actually, it is a one-minute video with a black background, whose only purpose is to make users think that they do not have the right codec.

MOREINFO HREF, which is the URL that is opened when the banner that appears in the video is clicked.

This is what users see when they try to open the .asx file:

When the user follows the link, a downloader Trojan (detected as Trj/Abox.A) is installed. It retrieves three files via FTP, which then take instructions from a server in order to send email messages. We have already detected some messages in Italian and Spanish, both distributing the Trojan and sending spam. The same infrastructure could equally be used for phishing or any other type of attack.
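The three tags above are enough to triage an attached .asx file automatically. The following is an added example (not PandaLabs code and not the malware itself): it scans a Windows Media metafile for the lure pattern described in this post, a TITLE that claims a codec is missing, a MOREINFO link that points at an executable, and a MOREINFO host that differs from the host serving the video. The two .asx samples, their hostnames and file names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Tag patterns. ASX tag and attribute names are case-insensitive, and real
# files are often not well-formed XML, so a tolerant scan beats an XML parser.
TITLE_RE = re.compile(r"<TITLE>(.*?)</TITLE>", re.I | re.S)
HREF_TEMPLATE = r"<%s\b[^>]*?\bHREF\s*=\s*[\"']?([^\"'\s>]+)"
REF_RE = re.compile(HREF_TEMPLATE % "REF", re.I)
MOREINFO_RE = re.compile(HREF_TEMPLATE % "MOREINFO", re.I)

# Extensions Windows will run if the MOREINFO target is handed to the shell.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi")

# Constructed lure, modelled on the description in the post (hosts invented).
LURE_ASX = """<ASX version="3.0">
  <TITLE>Codec not found</TITLE>
  <ENTRY>
    <TITLE>Codec not found</TITLE>
    <REF HREF="http://video.example.invalid/black.wmv" />
    <MOREINFO HREF="http://codec.example.invalid/codec_install.exe" />
  </ENTRY>
</ASX>
"""

# Constructed benign playlist for contrast: MOREINFO is a page on the same host.
BENIGN_ASX = """<ASX version="3.0">
  <TITLE>Product demo</TITLE>
  <ENTRY>
    <REF HREF="http://media.example.invalid/demo.wmv" />
    <MOREINFO HREF="http://media.example.invalid/about.html" />
  </ENTRY>
</ASX>
"""


def extract_asx_fields(text):
    """Pull out the three tags the post singles out."""
    return {
        "titles": [t.strip() for t in TITLE_RE.findall(text)],
        "refs": REF_RE.findall(text),
        "moreinfo": MOREINFO_RE.findall(text),
    }


def assess_asx(text):
    """Return heuristic findings for one .asx file (empty list = nothing odd)."""
    fields = extract_asx_fields(text)
    findings = []
    if any("codec" in t.lower() for t in fields["titles"]):
        findings.append("title-claims-missing-codec")
    if any(urlparse(u).path.lower().endswith(EXECUTABLE_EXT) for u in fields["moreinfo"]):
        findings.append("moreinfo-points-to-executable")
    video_hosts = {urlparse(u).hostname for u in fields["refs"]}
    info_hosts = {urlparse(u).hostname for u in fields["moreinfo"]}
    if info_hosts and not info_hosts <= video_hosts:
        findings.append("moreinfo-host-differs-from-video-host")
    return findings


if __name__ == "__main__":
    for name, sample in (("lure", LURE_ASX), ("benign", BENIGN_ASX)):
        print(name, assess_asx(sample))
```

The checks are heuristics, not a signature: a legitimate playlist can link to a download page, and a lure can host everything on one server. The strongest single signal in this campaign is simpler still, an .asx file arriving as an email attachment, which a mail gateway can quarantine outright.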

Malware, Banks & Google Maps (II)

February 21, 2007

It seems that this hacker is pretty active. The Trojan tries to update itself and then downloads some SSLv2-encrypted packages, which appear to be the message body and the list of email addresses. Today we intercepted phishing being sent out, and right now it is sending spam. Can you guess what it is about? Yes, you are right, it's Viagra:

SPAM

The email also contains some hidden text, inserted to get past antispam filters. The following text belongs to one of the messages:

Korea's development of nuclear weapons.

weapons programs and rejoin the international

he standoff over North Korea's nuclear weapons

boycott.

involving China, Japan, Russia, the two Koreas and the

Bush said the United States will remain a reliable

partner in liberalizing trade, confronting North Korea's

midterm elections to anti-war, anti-free trade

in Singapore

laundering.

Asia will not diminish.

good of their people, is to abandon its nuclear

The six-nation talks stalled a year ago when North

weapons programs and rejoin the international

partner in liberalizing trade, confronting North Korea's  

The information about the Trojan can be found here.

Malware, Banks & Google Maps

February 20, 2007

Yesterday, we detected a downloader that attracted media attention because it was spammed out using some "curious" subjects:

# "Current Australia’s Prime Minister survived a hear attack"

# "Prime Minister survived a heard attack"

# "The life of the Prime Minister is in grave danger"

There were a few thousand infections all around the world. It downloaded all kinds of files, 6 of which were malware. Among them were a keylogger, a web server (installed on your computer so that the attacker has complete access to all your drives), 2 Trojans (that block access to certain security and antivirus related websites) and another 2 Trojans that redirect the traffic of some bank websites in order to steal information.

It also used Google Maps to locate the infected users, more or less. This may be useless, but it is curious anyway.

Now, thanks to TruPrevent(R) proactive technologies, we have caught its little brother (it will surely be a huge family in the near future!). This time, instead of using Google Maps, it has a website listing all the infected countries. The most affected one is Australia (almost 400 PCs infected in less than 24 hours), but you can also find some countries that might be considered unusual, such as Iraq, Vietnam, Malaysia, Madagascar, Malta or the United Arab Emirates, as well as the most "usual" ones (USA, UK, Germany):

There is a link for each country where you can see every infected IP address together with the infection date:

All of them are already detected as Generic Trojan with current signature file.

More fakecodecs!!!

February 19, 2007

Lately we have noticed an increase in detections of fake codecs. They are supposed to be codecs that allow users to watch certain videos, usually adult ones, but in fact all they do is set a registry key in order to check whether they have been installed before. If so, they not only allow users to watch these videos, but also install certain malware on the computer.

As can be seen in the following video, one of these fake codecs installs malware on the computer even though the user has not accepted the EULA. The video also shows how Adware/MegaTds, which is installed at the same time and uses rootkit techniques to go unnoticed, redirects Internet searches to the websites the adware wants to promote.

This is one of the different ways of earning money by means of malicious software (malware), what is known as crimeware. You can watch it here.

PandaLabs BIO

February 16, 2007

Luis Corrons:
Luis has been working for Panda Security since 1999. He started in the technical support department, helping home and corporate users with virus incidents. A year later, he joined the international technical support team, assisting the technical support staff of Panda's partners distributed over 50 countries around the world. In 2002, he became PandaLabs' director as well as malware alerts coordinator in worldwide infection situations, dealing with worms such as Klez, SQLSlammer, Sobig, Blaster, Sasser, Mydoom, etc. During this time, he has coordinated several automation projects related to malware, such as the automatic analysis and response system and the automatic malware information system.
His first contact with computers was at the age of 4, with a Sharp MZ-80K, on which he started programming in BASIC. His main hobbies are his wife Nerea, his dog Robin and his work, as well as chess and videogames.

Ismael Briones:
Ismael has been working for Panda Security since 2003. He holds a degree in Telecommunications Engineering, in the field of Electronic Systems. He started as a project manager in our R+D department, where he contributed to the development and definition of TruPrevent Technologies. A year later, he joined PandaLabs as a malware researcher. Among his main tasks, he is responsible for analyzing Internet security threats, carrying out the reverse engineering of malicious code, and developing security mechanisms to improve the proactive technologies distributed with our products. Ismael's research interests include honeypots, automated malware classification, rootkits, vulnerability research, network security and systems administration. Before joining Panda, he worked as a system administrator and software developer for the Spanish newspaper El Mundo. He has discovered vulnerabilities in Skype, Oracle database software, the 3Com 812 router and some antivirus software.

Vicente Martínez:
Vicente holds a degree in Computer Applications Development. He has been working for Panda Security since 1999. He started in the technical support department, helping home and corporate users with virus incidents. Two years later, he became a virus researcher in PandaLabs. In 2003, he became Senior Spyware Researcher. He has been heading the development of the antispyware technologies included in our products at PandaLabs. Thanks to these technologies, we have been awarded several prizes and have reached the top positions in different comparative reviews. His main hobbies are playing games, above all Pro Evolution Soccer, and graphics and video game programming.

Sergio Piñeiro:
Sergio joined Panda Security in September 2006 and is responsible for the Surveillance Department at PandaLabs. He has been a technology consultant for almost 7 years. He studied Computer Engineering and holds a degree as an Internet Solutions Specialist. During his studies he worked as a developer for 3 years. In February 2000 he joined the consulting division at PriceWaterhouseCoopers, where he worked in the Application Innovation Services line. In 2002 he joined IBM Global Services, where he worked as a technology consultant providing e-Business solutions to corporate clients.

Sean-Paul Correll: Sean-Paul started at Panda Security back in 2005 in our technical support area. Since then, he has worn many hats throughout the organization, all while staying true to his real passion: security. He specializes in threat surveillance with an emphasis on emerging threats. He is an active member of the security community and frequently volunteers his time helping individuals with malware infections.

Asier Martínez:
Asier has been working for Panda Security since 2005. He started in the Technical Support department, helping clients deal with malware-related incidents. One year later, he was promoted to PandaLabs as a Malware Researcher. Now he leads the critical malware research team, where the most prevalent malware, such as rogueware and other major threats, is thoroughly analyzed. He likes design, web programming and everything related to computer security. Moreover, he is one of the organizers of several computer parties in Spain, one of them being the Euskal Encounter, Spain's oldest computer party, where people from computer amateurs to professionals come to exchange knowledge and take part in all kinds of computer-related activities for a few days.

MS denies execution of IE7 if the executable file name isn't iexplore.exe

February 15, 2007

Some days ago, while doing some research, we discovered a strange IE 7 behaviour or "feature". We were trying to run a renamed IE 7 executable, but it always terminated without any notification from the system. After a basic debugging session of IE7, we found that the code responsible for this is inside ieframe.dll on Windows XP and iertutil.dll on Windows Vista (ieframe.dll on Vista also contains some code to "detect" it).

This code matches the executable name against some hard-coded values: iexplore.exe, explorer.exe and ieuser.exe (on XP) and iexplore.exe, ieuser.exe, ieinstall.exe and iedw.exe (on Vista). If the name doesn't match, the process is killed. What is the reason for this "feature"? After some research, we concluded that it is probably a by-product of the inclusion of Protected Mode for Internet Explorer in Windows Vista:

"In Microsoft Windows Vista, Microsoft Internet Explorer 7 runs in Protected Mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges […] While most Internet Explorer 7 security features will be available in Internet Explorer 7 for Windows XP Service Pack 2, Protected Mode is only available on Windows Vista because it is based on security features new to Windows Vista. […] Two higher privilege broker processes allow Internet Explorer and extensions to perform elevated operations given user consent. For example, the user privilege broker (IEUser.exe) process provides a set of functions that let the user save files to areas outside of low integrity areas. In addition, an administrator privilege broker (IEInstal.exe) process allows Internet Explorer to install ActiveX controls."

The system tries to verify that this is a browser process in order to grant it the privileges needed to browse the web. You can read more about this feature here. A few days ago, I read a post by Joanna Rutkowska (here) about Windows Vista User Account Control (UAC). In it, she explains some of the methods Vista uses to recognize installer executables. One of them is to match the file name against keywords like "install", "setup", "update", etc. MS is using the same kind of method to recognize whether a process belongs to Internet Explorer. A file name, though, is chosen by whoever writes the file, so it says nothing about what the code actually is: a renamed copy of the real browser is refused while any binary that calls itself iexplore.exe is accepted. Is this the right method?

Wifi comments ( Update )

February 14, 2007

We have received some comments on our last post. There we said: "2.- Use encryption WEP/WPA, something is better than nothing, although we know that these encryption systems can't stop an attack for more than 5 minutes; at least you make it harder."

What we meant is that WEP is very weak and that you should use WPA instead. A good passphrase with WPA and AES is strong enough. We have corrected the previous post to make it clear that we were talking about WEP.

Wifi comments

February 9, 2007

Not long ago, one of my colleagues told me a story which was quite funny. He was at home when one of his neighbours called him and asked whether he was having problems with his Internet connection. My colleague told him that everything was working for him, and that the only change he had made was the router's password. The other guy asked him for the password, as he was unable to connect. After a rather funny conversation, my colleague learned that this guy had been using his Wifi connection for a long time, more or less felt he had the right to use it, and blamed him for changing the password and preventing him from doing so.

I was amazed with this story, so I decided to write a small guide.

Tips on securing a Wifi network

1.- Change the default password. It is amazing how many devices are still protected with the password printed in the manual, or something like admin, administrator, password, etc.

2.- Use encryption, WEP/WPA. Something is better than nothing, although we know that one of these systems (WEP) can't stop an attack for more than 5 minutes; at least you make it harder. Prefer WPA with AES and a long passphrase.

3.- Change the default SSID. This does not hide the network by itself, but a factory SSID advertises the router model, and under WPA the SSID is also the salt in the key derivation, so a default SSID lets an attacker reuse precomputed key tables.

4.- Disable SSID broadcasting. This feature lets new devices detect the network settings automatically. It is always harder to find something that is not yelling "Hey, crack me!!". Are you sure you want anyone who passes by to connect to your access point? Keep in mind that this is only obscurity: the SSID still travels in the clear when a client associates, so it deters casual passers-by, not someone with a sniffer.

5.- If you want more protection you can enable MAC filtering. On a home LAN you usually don't have many devices, so you can register them manually, and no other device will be able to connect to the router. Note that MAC addresses are sent in the clear and are trivial to spoof, so this is a hurdle, not a lock.

6.- You can also limit the number of devices connected to the network, but be careful: if your neighbour is an early bird, you will be locked out of your own LAN 😀
 
7.- Disable DHCP. If you know how to configure the parameters by hand, new devices will have to be configured manually too, and as we said before, that makes things harder.

8.- Change passwords from time to time. If someone is using your network and finds that you do this regularly, he may choose to hack somewhere else.
 
9.- Switch off the access point when you are not using it. OK, that never happens; that's why you bought it. But it really does work against war-driving.
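Tips 2 and 3 above, and the follow-up post clarifying that WPA with AES and a good passphrase is strong enough, come down to one piece of arithmetic. The following is an added example (not from the original posts): WPA/WPA2-PSK derives its 256-bit Pairwise Master Key as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt and 4096 iterations, so a router left on its factory SSID lets an attacker reuse tables computed in advance, and a short passphrase falls to a dictionary attack against a single captured handshake no matter what the SSID is. The derivation is the standard one; the "default" SSID, the wordlist and the passphrases are constructed for the example.

```python
import hashlib


def wpa_pmk(passphrase, ssid):
    """Derive the WPA/WPA2 Pairwise Master Key (PSK) as specified in IEEE 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def precompute_table(ssid, wordlist):
    """What an attacker builds once per popular SSID: PMK -> passphrase."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def crack_with_table(target_pmk, table):
    """Look a captured/derived PMK up in a precomputed table; None on a miss."""
    return table.get(target_pmk)


# Constructed values: a factory SSID, a renamed one, and a tiny wordlist.
DEFAULT_SSID = "linksys"
CUSTOM_SSID = "orange-grove-7"
WORDLIST = ["password", "12345678", "letmein1", "football", "qwertyui"]


def demo():
    """Show which combinations a precomputed table for DEFAULT_SSID recovers."""
    table = precompute_table(DEFAULT_SSID, WORDLIST)
    weak_default = wpa_pmk("12345678", DEFAULT_SSID)
    weak_custom = wpa_pmk("12345678", CUSTOM_SSID)      # same bad passphrase, new salt
    strong_default = wpa_pmk("Ct7!vb-pear.orchard-0191", DEFAULT_SSID)
    return {
        "default_ssid_weak_pass": crack_with_table(weak_default, table),    # "12345678"
        "custom_ssid_weak_pass": crack_with_table(weak_custom, table),      # None
        "default_ssid_strong_pass": crack_with_table(strong_default, table),  # None
    }


if __name__ == "__main__":
    for case, recovered in demo().items():
        print(f"{case}: {recovered!r}")
```

Changing the SSID only defeats the precomputed table; an attacker who has captured your handshake can compute a fresh table for your SSID at the same 4096-iteration cost per guess. That cost is what a long, non-dictionary passphrase turns into an unaffordable search, which is why the follow-up post's advice is the one that matters.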

I forgot something: what happened to the guys in the story? Well, they reached an agreement, and the neighbour started paying for the use of the connection. How much? Strange as it may sound, he paid in fresh fruit: 5 kg of oranges each week. He grew them, and they were quite good. I know, I tasted them.

But be careful: if something goes wrong, you, as the access point's owner, will be held responsible.