Archive for May, 2007

The Cimuz uninstaller

May 30, 2007

Checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to a remover.exe file:

After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had been previously installed from that very same server.

I suppose this is the way the author tests whether the Trojan works properly and then gets easily disinfected using the uninstaller.

Pirates of the Caribbean: At World's End

May 25, 2007

No, it’s not about the Disney movie that you can see in cinemas today. There has been a massive mailing of a message with an attached file that is supposed to be the movie trailer; the name of the file is:

Official_Trailer_Pirates_of_the_Caribbean_At_World’s_End.exe

We have received some hundreds of samples proactively blocked by TruPrevent, most of them coming from Italy. Once you run the file (detected as Trj/Pirabbean.A), it shows you the following message:

At the same time, it downloads and installs a dialer, and also creates two shortcuts on the desktop:

It also changes some Internet Explorer settings (adding 2 URLs to the Trusted Sites). If you visit those URLs, they will install some more dialers on your machine.

A new server hosting a Briz

May 22, 2007

VisualBreeze or VisualBriz is another malware that is usually sold in forums of malware developers, similar to the ones we mentioned in “Cybercrime for sale”.

I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, which take up 2.61 Gigabytes.

After checking the server where it was installed, I noticed that, unlike other variants of Briz, this one was provided with a Parser module that sends the information from the log files to a MySQL database managed through phpMyAdmin. This makes it easier and faster to search the information obtained from the infected users.

This module has several options:


The option “View” shows the logs and allows searches by domain or by text:


The option “Templates” allows patterns to be created in order to filter the information:


The server was provided with these “Templates”, which were already created:

– rapidshare.com
– paypal.com
– e-gold.com
– ftp
– ebay.de
– yahoo.com

Apart from the information it steals, it allows infected machines to be accessed in order to use them as proxies:


Daily, around 478 new machines are infected.

These are the statistics that the proxy module displays, and they are continuously being updated:

This variant of Trj/Briz has been detected by signature as Trj/Briz.X. But before the signature detection was available, our TruPrevent Technologies had already detected and successfully blocked it.

W32/MsnPhoto.A.worm

May 21, 2007

We have found a new malware that uses instant messaging to deceive users. It arrives as an .exe file disguised as a .jpg. If you open it, you will get infected, and your MSN contacts will receive some messages and a file called “fotos_posse.zip”.

Here is a picture of what the messages look like. For those of you who don’t know Spanish, here is the translation: “Hello”, “I hope you like the photographs”, and then the attachment.

It has been quite active, as you can see in the following graph of the evolution of the messages received in the lab over the last 72 hours.
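As an added example (not code from the original post), here is a defender-side check for the disguise described above: it scans a zip attachment for entries that carry an image extension but start with a PE executable header (MZ), or that hide an executable extension behind an image one. The sample archive is constructed inline and is not the real fotos_posse.zip.

```python
"""Flag executables masquerading as images inside a zip attachment."""
import io
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Leading bytes of the image formats we accept for the extensions above
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF8", b"\x89PNG", b"BM")


def suspicious_entries(zip_bytes):
    """Return (name, reason) pairs for entries that claim to be images but are not."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(4)
            # Executable extension hidden behind an image one (foto.jpg.exe)
            if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in IMAGE_EXTS:
                findings.append((info.filename, "double extension"))
            # Image extension, but the content is a DOS/PE executable
            elif exts and exts[-1] in IMAGE_EXTS and head.startswith(b"MZ"):
                findings.append((info.filename, "image extension with MZ header"))
            # Image extension with content that matches no known image format
            elif exts and exts[-1] in IMAGE_EXTS and not head.startswith(IMAGE_MAGIC):
                findings.append((info.filename, "image extension with unknown content"))
    return findings


def build_sample_zip():
    """Constructed sample modelled on the attachment described in the post; not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("foto1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # genuine JPEG header
        zf.writestr("fotos_posse.jpg", b"MZ\x90\x00" + b"\x00" * 60)   # PE bytes behind a .jpg name
        zf.writestr("foto2.jpg.exe", b"MZ\x90\x00" + b"\x00" * 60)     # double extension
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_zip()):
        print(f"{name}: {reason}")
```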


Zunker that installs another Bot

May 17, 2007

One of the active servers of the Zunker we mentioned yesterday installs another bot.


Although the first Zunker we talked about was configured to only affect computers with German IPs, this one only affects computers with Russian IPs:


This Zunker installs another bot, which we detect as Bck/Barracuda.A. This bot allows DDoS attacks to be launched and turns affected computers into proxies.

The following image is displayed when we log in through the control panel:


In this screenshot, we can see that there are 14,788 bots, 647 of which were connected at that moment.

There are also 3866 proxies, 171 of which were connected at that moment.

For example, 12133 bots have been assigned to the attack with ID 661700916; this attack started on the 14th May and would end three days later, on the 17th May.


In the screenshot below, we can see how the data to launch DDoS attacks is entered:

By selecting this option, we can see the proxies:


More Zunkers!!!

May 16, 2007

Analyzing the pattern of the binary file installed by Zunker and comparing it with our samples, we have come across 32 similar files.


On the left, the graphical representation of the binary file belonging to the first Zunker we came across and on the right, the graphical representation of the new similar files we have found.


As you can see, they are alike. If we compare these graphs with those belonging to other malware, such as Gaobot.AAF, we can see that they are very different.


Analyzing the similar files, we have come across 18 different servers where they were installed:

– 6 of them are active at the present moment.

– 4 of them contain files belonging to Zunker but don’t seem to be working.

– 8 of them are inactive.


Among the servers that are active, different versions of the bot can be found:

ZUnker 1.4.4-1b

ZUnker 1.4.4-1b-10003

ZUnker 1.4.4b

ZUnker 1.4.5b

MPack uncovered!

May 11, 2007

In "Cybercrime… for sale" we promised to talk about MPack. The latest version (MPack v0.851) we have just discovered is pretty active right now as you can see in the stats:

Where is this tool infecting? Well, that is a very easy question to answer:

It also has a list of the latest sites prepared to infect using MPack:

Vicente has been studying it for some time and has developed a fantastic report for us.


New Alanchun wave

May 9, 2007

Our large malware honeynet, also known as TruPrevent©, is detecting a new Alanchun wave. In a few hours we have received some hundreds of reports about this one, named Trj/Alanchun.VT. It is just another Trojan with rootkit capabilities, prepared to flood the Internet with spam.

In case you have TruPrevent© don't worry, otherwise update your AV software right now!

Zunker Bot

May 8, 2007

Today I’ve got something special for you. It is the front-end of a spam botnet, i.e. thousands of computers sending out mail indiscriminately.


Everything started when I was investigating neosploit (I’ll talk about that another day) and I came across an executable that looked a bit suspicious.

After taking it apart/infecting myself, I reached a server with a series of dubious scripts, so I decided to dig around a bit more and I came across ZUNKER!


The first surprise is the fact that it’s really neatly designed. It’s not hard to imagine what this server does when you take a look at the home page:


Anyway, you can see that bots are organized by country, and you can see how many bots you have, reports from each one, how much spam has been sent, what software has been used by the bots to send the spam (gmail, IM, forums, etc…):


You can also see in the statistics section the number of bots, reports, and daily/monthly spam statistics… not bad, eh?:


So now you’ll ask how to tell the bots what to spam… it’s easy. Just go to the CONTROL menu and there’s a Templates section to define the mail/post that you want each bot to send. You can define the nature of the spam: a text for forums, another for IM, another for webmail, etc.

Once the text is defined, the bots will send/post it:


Another interesting option of ZUNKER is that you can download Trojans, viruses… whatever you like, to the bots. You can download an executable directly to all bots, or specify IPs, countries, etc…:


In this case, you can see that most of the bots are in Germany, although no doubt shortly there will be many more ‘clients’.

With a bit more investigation, I found out how the server gets new recruits: using a framework like MPACK, NEOSPLOIT, etc. An unsuspecting user visits a website where an exe is downloaded and run using an exploit (because the system is not adequately updated). Poor user, now he’s just another… ZOMBIE. And you?

Quarterly Report January-March 2007

May 7, 2007

We have just published the latest PandaLabs Quarterly Report. We have introduced several improvements in the presentation of the statistics. Our goal has been to expand the information and facilitate interpretation so readers will have a more precise vision of the dimension and complexity of the current malware situation.

Enjoy it!