Archive for October, 2007

It's Halloween time, folks!

October 31, 2007

Ah! What a wonderful day. It is time for dwarfs, tombs, ghosts, sweets, pumpkins and, of course, malware.

We, at Panda Security, are getting used to being reminded of these special dates, when malware tries to take advantage of a social event like this. In this case, a quite infamous piece of malware already known as "Storm worm" aka "Nuwar" aka "Nurech" aka "Alanchum" wishes you a happy Halloween by sending the usual lot of spam.

These messages carry different subjects:

If your in your office, keep the speakers low, lol
Happy Halloween
Dancing Bones
Halloween Fun
Watch him dance
This will make you laugh
You'll laugh your but off
Man this is funny
I am sending this to everyone
Have a Happy Halloween everyone
Party on this Halloween
Nothing is funnier this Halloween
Make him dance
Dancing skeleton
The most amazing dancing skeleton
For people with a sense of humor only
If your in your office, keep the speakers low, lol
To much fun I played with this for hours
Show this to the kids
Send this to your friends
Man this rocks

Inside the message we find a link to a website and a dose of social engineering. You know, the usual "This is great", "Great fun", "This is cool". We have seen several different messages, with different links to different sites.

If you navigate to the site you will see a… dancing skeleton. Funny, isn't it? The site provides a download link, just in case you want the skeleton on your desktop.

If you follow the link, you will find a file called "Halloween.exe". Guess what? It's MALWARE! If you run it, you will turn your beloved PC into a zombie. To make the infection more entertaining, a song will be playing in the background… [Update: "Boom Boom Boom" (Venga Boys)]

Please be careful, and happy Halloween! Thanks to Xabier Francisco for gathering the information.


Spam & politics

October 29, 2007

Spam is really annoying, mainly because you may think spammers have a really bad image of you: lack of hair, lack of sexual abilities, lack of money, lack of university degrees, lack of girl/boyfriends… After all, in the best case they are just trying to cheat you and sell you something… if they are not trying to spread malware.

But now we have a new kind of spam message: political spam. We have received a message showing figures from a survey in Argentina. Last weekend they elected a new president, and the message claims "we are bad". Who? Which party? Will the message try to change some people's vote? Will it try to increase turnout?


The message comes from a "gmail.con" domain, and it claims the survey was done by "McKenzy Associates", whose domain is not valid: "mckenzyassociates.com" is not a valid domain name.

Regardless of the intention, we can classify it as a new spam category: vote spam. So, PandaLabs can name it, following the custom of giving new names: it's "vospam". Wait for the next US elections; we will see more of them.

Thanks a lot to Fernando de la Cuadra for this post.

A new way of social engineering

October 26, 2007

Sometimes, when we speak about social engineering, we think about people at the other end of the phone trying to get our passwords to gain unauthorized access to our accounts. When this data is in their hands, panic spreads: intrusion into companies, espionage, identity theft… all the classic goals of this kind of attack.

But let's not forget the underlying purpose of social engineering. That is why I particularly like the following definition, which I think captures the essence of these attacks: "the art and science of getting people to comply with your wishes".

With this definition in mind: this week at PandaLabs we have discovered a new way to apply the concept. It is very simple and pleasant. You receive a small application on your desktop that shows a woman offering you a striptease.

(Screenshot: Melissa)

How do we take off this woman's clothes? Just by typing the few letters displayed next to her, as we can see in the following image:

(Screenshots: Melissa)

Hmmm, do you recognise this kind of image? Yes, it's a captcha (Completely Automated Public Turing test to tell Computers and Humans Apart) image. Now look at yourself: you have become a human automated captcha reader. If you type the correct interpretation of the image, you are sending the attacker the information needed to get past the protection of the targeted site. This attack could be used to create mail accounts en masse, to post comments… on any service that uses captchas to tell a person from a computer. In this particular case, the captchas were from Yahoo.



A sample of this client-side application is detected as Trj/RompeCaptchas.A ("RompeCaptchas" translates as "Captcha Breaker").

Thanks a lot to Unai Fernández & Francisco Berenguer for this post.

Security in VoIP Systems

October 24, 2007

One of the tasks of security companies is to "forecast" what will happen in the future based on the data and trends we observe. This is a really important task, as this way we can provide users with guidelines and base our research on the protection mechanisms we may have to develop in the future.

A few days ago, a Trojan entered the fray that attempts to deceive users by passing itself off as a security program for Skype. It is called Skype Defender and its main aim is to steal the user's Skype data. This is a good moment to look back and recall what we said about VoIP attacks almost 2 years ago. In January 2006, we published a paper about security in VoIP systems, written by Fernando de la Cuadra and Enrique González Ochoa. We presented it at the 5th Iberoamerican Conference on Systems, Cybernetics and Computer Science (CISCI 2006) in Orlando, Florida.

Here is an extract from the document:

"Identity Theft. A malicious application could steal a VoIP system user ID, deactivate the user's connection to avoid duplicity and use the stolen ID in its own VoIP network. In this way, the theft victim would be paying for the account when in fact the thief would be the one using it. This use of communication lines is an update of "phreaking" techniques, which use telephone lines to make connections or have conversations unbeknownst to their legitimate owners."

It seems that some of the predictions we made have come true. I have published the document here again in case you want to know which threats await us.

MP3 spam

October 18, 2007

Yes, it's true. Believe it or not, this is another step in the malware world. We are seeing spam sent with MP3 attachments. The audio quality is pretty bad, and the file names vary but try to trick users with names such as oursong.mp3, bartsimpson.mp3, ciara.mp3, cassidy.mp3, etc.

Actually, it is pump-and-dump spam that talks about a Canadian company that could have incredible results in the USA. It seems to be sent out from the Storm Worm network. Be careful and, of course, don't pay attention to this kind of message.

How long until we see MP4 spam?

New Zero day PDF exploit for Adobe Acrobat

October 16, 2007

We have received a new 0-Day exploit for Adobe Acrobat via the full-disclosure mailing list. This vulnerability was announced on September 20th, 2007 on the site gnucitizien.org. In the advisory, the following can be read:

"The issue is quite critical given the fact that PDF documents are in the core of today’s modern business. This and the fact that it may take a while for Adobe to fix their closed source product, are the reasons why I am not going to publish any POCs. You have to take my word for it. The POCs will be released when an update is available."

But somebody who had read the original advisory has discovered where the vulnerability is and has developed a working PoC. This PoC has been sent to full-disclosure, a public mailing list.

The PoC itself isn't harmful; however, when the PoC file is opened with a vulnerable version of Adobe Acrobat, calc.exe is executed.

Looking inside the PoC (screenshot: 0-Day PDF PoC), we can see the string that exploits the vulnerability.

TruPrevent has been able to block this vulnerability from the very first day. However, if you try the PoC with TruPrevent, the PoC will still work, because calc.exe is a trusted application for TruPrevent. If the exploit is modified to drop malware instead, TruPrevent blocks it, preventing the infection.


Malware articles in Virus Bulletin

October 9, 2007

Taking a look at McAfee's blog, I've seen a post talking about an old "friend" of ours, the virus Virutas, and I realized that I hadn't linked the latest articles we published in Virus Bulletin magazine.

The first one, Beyond Virtu(e) and Evil, written by Mario and Victor, analyses the virus Virutas in depth. It was published in the May edition of Virus Bulletin.

The second one, The Life Cycle of Bots, was published in the September 2007 issue. This article, which was written by me, goes through the whole life cycle of bots, where we can see how some bots have almost a life of their own.

Enjoy them!

Automatic classification of malware

October 5, 2007

Last year we posted an article about graphic representations of malware, in which we commented that it's possible to automatically identify and classify malware into a family based on its graphical structure representation. This representation is based on the relationships between function calls in the executable.

These relationships create a graph of the internal structure of the executable. These graphs are very similar among samples of the same family or among samples which share the same source code. There are several publications about this technique (Ero Carrera & Gergely Erdélyi [VB2004]) and all of us have heard about Sabre Security's VxClass project, which is a system to automatically unpack and classify a binary into a family.

PandaLabs is 'two or three steps ahead' too: we have developed our own system to automatically identify and classify the samples we receive daily. Of course, this system only works with unpacked samples, which is why we use it together with our generic unpacker engine. We have made a Flash video [14 MB] to show you how this system works. Basically, the steps are:

  • Unpack the sample (the system only works with unpacked binaries)
  • Drag & drop it into the client application
  • The client application sends it to the graph server
  • The server analyzes it with IDA and uses several Python scripts to extract:
    • Graph of function calls
    • Control flow graph (CFG) of functions
    • Entropy
    • CRC32 and custom CRC of functions
  • Preselect samples from the database, applying several filters: entropy, compiler, file size, … Then the resulting ones will be compared with our sample.

This data is used to compare the sample with our entire graph database (actually, we have already analyzed and stored 185,000 samples in the graph database).
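To make the preselection and comparison steps concrete, here is an added toy implementation (not PandaLabs' code) of the pipeline described above: per-function CRC32s, a call graph keyed by those CRCs, an entropy/size preselection filter, and a Jaccard-based family score. The sample "binaries", the familyA/familyB labels, the 0.5/2.0 filter limits and the 0.6 threshold are constructed assumptions; the real system gets its functions from IDA, whereas here they are hand-made byte strings.

```python
import math
import zlib
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte (0..8); packed or encrypted code sits near 8."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0
def function_crcs(binary):
    # "CRC32 of functions": one hash per function body, independent of name or address.
    return {zlib.crc32(b) for b in binary["functions"].values()}
def call_edges(binary):
    # Call-graph edges keyed by body CRC, so relocated or renamed functions still line up.
    f = binary["functions"]
    return {(zlib.crc32(f[a]), zlib.crc32(f[b])) for a, cs in binary["calls"].items() for b in cs}
def jaccard(a, b):
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def preselect(sample, database, max_entropy_delta=0.5, max_size_ratio=2.0):
    """Cheap entropy and size filters, applied before the costly graph comparison."""
    blob = b"".join(sample["functions"].values())
    def close(entry):
        eblob = b"".join(entry["functions"].values())
        ratio = max(len(blob), len(eblob)) / max(1, min(len(blob), len(eblob)))
        return abs(entropy(eblob) - entropy(blob)) <= max_entropy_delta and ratio <= max_size_ratio
    return [e for e in database if close(e)]

def similarity(a, b):
    # Equal weight on shared call-graph edges and on shared function bodies.
    return 0.5 * jaccard(call_edges(a), call_edges(b)) + 0.5 * jaccard(function_crcs(a), function_crcs(b))

def classify(sample, database, threshold=0.6):
    """Family of the best preselected match, or 'unknown' if the score is below threshold."""
    scored = [(similarity(sample, e), e["family"]) for e in preselect(sample, database)]
    score, family = max(scored, default=(0.0, "unknown"))
    return (family, score) if score >= threshold else ("unknown", score)

# Constructed toy binaries (hand-made bytes, not real malware): per-function bodies plus a
# caller -> callees map, i.e. the data the post's IDA scripts would extract.
A, B, C = b"\x55\x8b\xec\x83\xec\x10", b"\xe8\x00\x00\x00\x00\x5d\xc3", b"\x33\xc0\xc3"
DATABASE = [
    {"family": "familyA", "functions": {"main": A, "init": B, "done": C},
     "calls": {"main": {"init", "done"}, "init": {"done"}}},
    {"family": "familyB", "functions": {"start": b"\x6a\x00\xff\x15\x10\x20\x40\x00", "x": C},
     "calls": {"start": {"x"}}},
    {"family": "familyA", "functions": {"stub": bytes(range(64))}, "calls": {}},  # still packed
]
# Same code as familyA at new addresses plus one extra function: 3 of 4 bodies and edges shared.
SAMPLE = {"functions": {"sub_401000": A, "sub_401010": B, "sub_401020": C, "sub_401030": b"\x90\x90\xc3"},
          "calls": {"sub_401000": {"sub_401010", "sub_401020", "sub_401030"}, "sub_401010": {"sub_401020"}}}
```

The packed stand-in never reaches the graph comparison because its entropy and size fail the preselection, which is the point of running the cheap filters first.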

September spyware list

October 1, 2007

This month, there have been no changes in the first positions of the ranking, so the list remains the same as last month’s:


1.- Application/MyWebSearch

2.- Adware/Gator

3.- Adware/Lop

4.- Spyware/Virtumonde

5.- Adware/Savenow

6.- Adware/ActiveSearch


In 9th position we find Adware/SystemDoctor, which goes up from 13th position. It is an adware that promotes the fake error-repair program Application/SystemDoctor2006.

Adware/NaviPromo goes up from 19th to 15th position. It is an adware that promotes dialers and uses rootkit techniques in order to go unnoticed. It usually comes bundled with other programs such as MailSkinner, WebMediaplayer or InternetGameBox.

Finally, we highlight Adware/WinAntivirus2007, which goes up from 58th to 25th position. It is an adware that promotes the rogue antispyware program Application/WinAntivirus2007.