Archive for November, 2007

Greetings from Seoul

November 29, 2007

AVAR is taking place this week, at the Seoul Plaza Hotel, South Korea.

 Seoul

Yesterday we had a WildList reporter meeting as well as an AntiVirus Product Developer (AVPD) meeting, and we are looking forward to the presentations that start today, such as:

– Testing of "Dynamic Detection" (Maik Morgenstern & Andreas Marx – AV-Test.org).

– The Cybercrime: Fact, reasons, trends (Eugene Kaspersky – Kaspersky Lab).

– Design of X86 Emulator for Generic Unpacking (Chandra Prakash – Sunbelt Software).

I will let you know how it is going. BTW, there is no Tablesoccer World Championship this time, so we'll have to wait until 2008 for the revenge!


Off Topic – PandaLabs bloggers

November 23, 2007

I am often asked about the people who write the posts on this blog. This is a photo we took today of the top 3 bloggers, so you can know who is who:

PandaLabs Bloggers

From left to right: Vicente Martínez, Luis Corrons & Ismael Briones.

Another typical question is whether there are girls working in the lab. Of course there are, and they are very professional and skilled people; in fact they are some of our best malware analysts. These are some of them:

PandaLabs girls

From left to right: Lucía, Cristina, Merce, Ane, Almike, Olaiz, Ana & Iratxe.

Fake Microsoft Update

November 14, 2007

This morning we saw an e-mail that supposedly contained a Windows update for the vulnerability in the Kodak image viewer, which could allow arbitrary code to be executed remotely.

The e-mail appears to come from Microsoft Corp, though the domain it was sent from has no relation to the company:

message

The e-mail subject is “Boletín de seguridad de Microsoft MS07-055 – Crítico” (“Microsoft Security Bulletin MS07-055 – Critical”), though there may be other e-mails referring to different updates. The message contains real information about the MS07-055 security bulletin. However, the links included in the text lead to a different website, which looks almost identical to Microsoft’s.
 
This is the website to which we are redirected. If we don’t pay close attention to the web address, we end up downloading a backdoor detected as Bck/Bandok.BO:

A really curious thing is that this malware does in fact install the real MS update, plus a free backdoor that opens your system to the bad guys. This is what you see when you run it:

Microsoft Official Update
MS07-055  WindowsXP-KB923810-x86-ENU.exe
MD5: a2d27a703f93c860e842af732ff3d93f

Fake Microsoft Update
MS07-055   WindowsXP-KB923810-x86-ENU.exe
MD5: b59d788bc907d9aecb15375abe09c606
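The two things that give this fake away are a link whose real host is not Microsoft's and a file that keeps the genuine name but not the genuine MD5. As an added example (not the post's code), the following Python flags both: it lists every link in an HTML mail body whose real host is outside a small allowlist (assumed here to be just microsoft.com), and compares a downloaded file's MD5 with the published value quoted above. The sample mail and the look-alike host name are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("microsoft.com",)  # assumption: allowlist of genuine hosts
GENUINE_MD5 = "a2d27a703f93c860e842af732ff3d93f"  # genuine KB923810 MD5 from the post

def host_is_trusted(host):
    # Exact match or true subdomain only: "microsoft.com.example" and
    # "notmicrosoft.com" both fail this test.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for each <a> element in an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    # Returns (visible text, real host) for every link whose real host is untrusted.
    parser = LinkCollector()
    parser.feed(html)
    hosts = [(text, urlparse(href).hostname or "") for href, text in parser.links]
    return [(text, host) for text, host in hosts if not host_is_trusted(host)]

def installer_is_genuine(data, published_md5=GENUINE_MD5):
    # Same file name is no guarantee: compare the hash with the vendor-published one.
    return hashlib.md5(data).hexdigest() == published_md5.lower()

# Constructed sample mail: the first link is genuine, the second shows Microsoft's
# URL as its visible text but really points at a look-alike host (placeholder name).
SAMPLE_MAIL = (
    '<a href="http://www.microsoft.com/technet/security/Bulletin/MS07-055.mspx">'
    'Bulletin MS07-055</a> '
    '<a href="http://www.microsoft.com.update-fake.example/KB923810.exe">'
    'http://www.microsoft.com/downloads/WindowsXP-KB923810-x86-ENU.exe</a>'
)
```

Running `suspicious_links(SAMPLE_MAIL)` reports only the second link, and `installer_is_genuine()` returns False for anything but the real package bytes.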

Thanks to Fernando de la Cuadra and Xabier Francisco for this one!

Video Spam 2.0

November 13, 2007

As far as I can remember, the first time I talked about "Malware 2.0" was at the beginning of this year, talking to Pedro Bustamante about a banking Trojan. He used it in his e-Crime Congress presentation, and since then I have seen it in many places, even when talking about spam. In that case it referred to adding spam in blog comments, through YouTube accounts, MySpace, etc., so it was the old spam using new distribution channels.

As you already know, spam is a profitable business, and the spammers are looking for new ways to increase their profits. A few weeks ago we saw the new MP3 spam, and I finished that post wondering how long we would have to wait to see MP4 spam… well, that time has come. Today we received a spam message with a URL to a YouTube video. It is not a fake link: you click on it and you see a video advertising an online casino and showing how to use the Martingale betting system.

In the same spam message they give you another link in case you want to bet. It is an affiliate link to the casino they are promoting. Do you wonder how much money they can earn with this? Take a look at this:

Casino

PandaLabs Quarterly Report July-September 2007

November 12, 2007

Today we have released our Quarterly Report. Inside you will find interesting information on malware trends. This time we include a comparative review of "Kits for installing malware", as they have become one of the most used tools for spreading malware.

We also review the state of the vulnerability landscape. A list of unpatched vulnerabilities is also included.

You can download it in English or in Spanish.

Enjoy it!


Having a bot is not a crime…yet

November 7, 2007

Sometimes, after reading the news you may be really shocked: Techie jailed due to an IP confusion.

In this case the information is not very detailed, but we can draw a conclusion: be careful with your IP address, you can be arrested (at least in Bangalore).

But if we take a look at the latest information provided by PandaLabs, 75% of the new malware samples received were Trojans. This means the hackers' main goal is staying in the computer, waiting for something. And that something may be downloading something onto your computer on behalf of the hacker. Or posting something.

What happens if the content downloaded or uploaded is illegal? Will the police arrest you because of the lack of protection on your computer? Having a bot, for example, is not a crime. As of today…

Special Thanks to Fernando de la Cuadra

October spyware list

November 5, 2007

This month the first two positions have not changed, but Spyware/Virtumonde and Adware/Savenow each gain a position, leaving Adware/Lop in fifth position.

Adware/VideoActiveXObject goes up from 7th to 6th position.
It is the most active variant of the well-known fake codecs.

Adware/NaviPromo goes up from 15th to 14th position.
It is an adware that promotes dialers and uses rootkit techniques to go unnoticed. It usually comes bundled with other programs such as MailSkinner, WebMediaplayer or InternetGameBox.

Application/Bestoffer goes down from 22nd to 33rd position.
It is an application that displays advertising, but it will gradually lose positions until it disappears from the list, because “Best Offers” and “Direct Revenue” have stopped offering their services.

Mac Trojan: OSX/RxPlug.A

November 2, 2007

Today we found a Mac OS X Trojan. It is usually said that only Windows users should worry about malware. As we show today, this is not true.

It all starts with a lot of porn sites:


They all host videos with names like Download Sample Movie, Free movie clip or Get movie clip.

This malware poses as a QuickTime plugin. When you try to download a video file, you are encouraged to download this plugin. It also asks the user for the administrator password in order to get installed.

Once installed, it runs a script that changes the DNS configuration to redirect users to phishing sites impersonating banks, eBay or PayPal.
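A changed DNS configuration is easy to check for once you know which resolvers a machine should be using. As an added example (not PandaLabs' code), the following Python parses resolv.conf-style text and reports every nameserver that is not on an expected list, together with its position, since a hijacker's server is usually placed first so that it answers before the legitimate one. The expected resolver and the sample configuration are constructed for the example; on macOS, /etc/resolv.conf mirrors the active DNS settings.

```python
import re

# Resolvers this Mac is expected to use. Constructed for the example; a real
# check would list the ISP's or the company's resolver addresses.
EXPECTED_RESOLVERS = {"192.168.1.1"}

def nameservers_from_resolv_conf(text):
    # Returns the address of every "nameserver <ip>" line, in the order the
    # resolver consults them; comments and other keywords are ignored.
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    # Flags every resolver not on the allowlist, with its 1-based position:
    # a hijacker puts its own server first so that it is consulted first.
    return [(pos, server) for pos, server in enumerate(servers, 1)
            if server not in expected]

def check_resolv_conf(text):
    return unexpected_resolvers(nameservers_from_resolv_conf(text))

# Constructed resolv.conf: the router is still listed, but two foreign resolvers
# (documentation-range addresses) have been inserted ahead of it.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real capture
domain example.lan
nameserver 203.0.113.5   # inserted
nameserver 198.51.100.7  # inserted
nameserver 192.168.1.1
"""

if __name__ == "__main__":
    # On macOS /etc/resolv.conf mirrors the active DNS settings.
    with open("/etc/resolv.conf") as f:
        for pos, server in check_resolv_conf(f.read()):
            print(f"resolver #{pos} {server} is not one of the expected servers")
```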

As always, be careful!

Thanks to Adrian and Oscar for this one.