Archive for February, 2008

Multi AVs Scanners

February 27, 2008

From the point of view of a malware developer, one of the main goals when developing a new creation is to avoid antivirus detection, whether by signature or by heuristic technologies. There are different ways to check this, such as using the free on-line scanners offered by most vendors. But this is tedious, as you have to go from one to another all the time.

When VirusTotal was born a few years ago, some people were claiming that it was being used by malware developers to test their creations. In some cases, we knew it was true, as we have seen some advertisements in forums showing the scanning results from VirusTotal claiming that certain malware was not detected by any vendor. On January 3rd, VirusTotal decided to remove the option "Do not distribute the sample", so each and every file could be sent to any antivirus vendor.

Since then, we have seen that some underground communities have revived several projects that give users a tool for analysing their creations. This is one of the first tools to have been used, known as KIMS:

KIMS

The interface is half English, half Spanish. Even though it seems to be a great tool, it has a major disadvantage: you have to install each and every antivirus product locally.

Another tool is one known as Scanlix, with a very simple but very effective interface:

SCANLIX  SCANLIX Updates

It uses a kind of "install & forget" philosophy: once you install it, you do not need to do anything else but update it from time to time. If you take a look at the update option, you’ll see that the different signature files are updated. Perhaps its disadvantage is the limited number of engines it uses, though they are likely to improve this considerably in future versions.

Finally, one of the latest projects in this field is the Multi AVs Fixer, which comes with a wide range of engines. However, rather than an evolution, it follows the pattern of KIMS and shares the same disadvantage: the antivirus programs must be installed locally:

MULTI AV FIXER

The good thing is that they are still not able to check whether the Trojan would be detected by a proactive behaviour technology (such as TruPrevent), so we are still one step ahead. We'll keep an eye on future developments in this field.

Not all phishing is about banking

February 25, 2008

When we think about phishing, we think about e-mails that try to get information about online bank, eBay or PayPal accounts. While in most cases this is true, it must be noted that the aim of the guys behind these attacks is money. So wherever there is money, there will be attempts to steal our information. Nowadays another common target is online games, especially MMORPGs (Massively Multiplayer Online Role-Playing Games) such as World of Warcraft or Lineage.

Last week I found this auction on eBay, selling four level-70 characters starting at US$27,000:

World of Warcraft bid

Last year “Andy” Deokyoung Jung from AhnLab gave a very good presentation about online gaming and hackers at AVAR. It is clear that all kinds of accounts are likely to be under attack. For example, on February 22nd I saw a new phishing attack targeting Yahoo Sponsored Search users:


Of course when you click on the link, it will take you to a bogus site:


This is the real one:


As I always say, please be careful and delete any message that tries to get your information. It’s simple but effective.

Yet Another Web Attack Toolkit -> Exploit Multipackage 0.2

February 25, 2008

Last week we received an e-mail message written in German advertising a casino called Lux Imperial Casino. However, this message was not just spam: it also included a malicious link to a toolkit called Exploit Multipackage.

The infection URL, http://58.65.239.98/%5Bremoved%5D/index.php, allows a malicious user to scan the visiting system for vulnerabilities. If it finds any, a Trojan detected as Nabload.DBD is installed on the computer. This Trojan, in turn, downloads another one detected as Banker.KQS, which is designed to obtain confidential information related to banking entities.

We could access its control panel, which is hosted in Hong Kong. Although it has not been active for a long time, the following images show the most affected operating systems and browsers. Other interesting details are that the control panel is in Russian and the most affected country is Germany.

This control panel is similar to the Traffic Pro one, so it could be an evolution of that kit. Last year we published a complete report about Traffic Pro, which you can check here.


This is the list of vulnerabilities it attempts to exploit in the systems:

If you want to know more information about the exploited vulnerabilities and how to update the system in order to avoid them, visit the following websites:

Microsoft Security Bulletin MS03-011 [Flaw in Microsoft VM Could Enable System Compromise (816093)]

Microsoft Security Bulletin MS06-014 [Vulnerability in the Microsoft Data Access Components Function Could Allow Code Execution (911562)]

Microsoft Security Bulletin MS06-044 [Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)]

Microsoft Security Bulletin MS07-017 [Vulnerabilities in GDI Could Allow Remote Code Execution (925902)]

Microsoft Security Bulletin MS07-055 [Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)]

Yahoo! ActiveX GetFile () [Vulnerability in Yahoo! Messenger (8.1.0.421) CYFT FT60.DLL]

QuickTime ActiveX [QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow]

Thanks to Christian for his collaboration.

Sensation.New Video – make haste to look!!!

February 19, 2008

Since last week we have been noticing a significant increase in certain spam messages, which have several features in common.

The subject of all of them is “Sensation.New Video – make haste to look!!!”, and as a social engineering technique they claim to include a video about various news stories; the latest one we have seen is related to the trailer of a film premiere.

All of them contain a link that starts with a Google URL, so that the real destination (carried in the adurl parameter of the redirect) goes unnoticed.

Server: http://pousadarecantonatureza.com.br/
IP: 67.15.48.41
City / Country: Houston (Texas) [United States]

Server: http://www.neufeld-media.de/
IP: 81.169.145.72
City / Country: Berlin [Germany]


SPAM

http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCE
http://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtE

SPAM

http://www.google.com/pagead/iclk?sa=l&ai=DtxxsAu&num=85078&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?mVLuOuc
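The redirect trick is easy to undo mechanically when triaging a campaign like this one. The Python script below is an added example written for this page, not code from the post or from PandaLabs: it takes the links quoted above (one of them with the `&amp;` entity it carries when copied out of HTML mail) plus two constructed controls, a percent-encoded adurl and a plain Google search link, and pulls the real landing host and script name out of the adurl parameter, the way an analyst would when building a blocklist or searching proxy logs. The host downloader.invalid and the function names are assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the three redirect links quoted in the post (the
# third still carrying the '&amp;' entity from HTML mail), plus two constructed
# controls: a percent-encoded adurl and a plain Google link that is not a
# redirect at all. The "<removed>" path segments are kept as the post shows them.
SAMPLE_LINKS = [
    "http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCE",
    "http://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtE",
    "http://www.google.com/pagead/iclk?sa=l&ai=DtxxsAu&num=85078&amp;adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?mVLuOuc",
    "http://www.google.com/pagead/iclk?sa=l&adurl=http%3A%2F%2Fdownloader.invalid%2Fget.php%3Fabc",  # constructed
    "http://www.google.com/search?q=valentine",  # constructed benign control
]


def landing_url(link):
    """Return the URL a Google 'pagead/iclk' wrapper really sends the browser to,
    or None if the link is not such a wrapper. Everything before 'adurl=' is the
    trusted-looking bait; only the 'adurl' value matters for triage."""
    parts = urlsplit(html.unescape(link.strip()))  # undo '&amp;' from HTML mail first
    if not parts.netloc.lower().endswith("google.com"):
        return None
    if not parts.path.startswith("/pagead/iclk"):
        return None
    target = parse_qs(parts.query).get("adurl")  # parse_qs percent-decodes the value
    if not target or not target[0].lower().startswith(("http://", "https://")):
        return None
    return target[0]


def triage(links):
    """Map each redirect link to (landing host, script name) so the real
    download servers can be listed, blocked and looked up in DNS/proxy logs."""
    rows = []
    for link in links:
        target = landing_url(link)
        if target is None:
            continue
        tparts = urlsplit(target)
        script = tparts.path.rsplit("/", 1)[-1]  # e.g. 'rdown.php'
        rows.append((tparts.netloc.lower(), script))
    return rows


def landing_hosts(links):
    """Sorted, de-duplicated list of the hosts hiding behind the Google wrappers."""
    return sorted({host for host, _ in triage(links)})


if __name__ == "__main__":
    for host, script in triage(SAMPLE_LINKS):
        print(f"{host:40s} {script}")
    print("block:", ", ".join(landing_hosts(SAMPLE_LINKS)))
```

Only the adurl value is trusted as the destination; the Google host and the `ai`/`num` parameters are decoration, which is why the script discards them instead of trying to match on them.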

From these URLs a file called "news_m.exe" is downloaded, which is detected as Trj/Downloader.SQV. This downloader then downloads another file called "vshost.exe", detected as Trj/Spammer.AGF, whose objective is to send more spam messages like these.

In addition, another file called "Loca.exe" is downloaded. This file belongs to Trj/KillFiles.BU, which deletes some *.sys files from the system32/drivers directory, causing a certain instability in the system.

Other subjects used in these spam messages are:

Pamela Anderson divorces in third times!!!
CIA tortures prisoners!!!
Harry Potter was purchased by pentkhaus!!!
Two powerful earthquakes happened in the USA!!!
Michael Jakson glued up a person plaster!!!
Madonna reinvents herself as film director!!!
The extramarital son of John Kennedy appeared in Canada!!!


Phishing Ecosystem

February 18, 2008

Taking a look at one of the thousands of malware samples we process every day, we found a Trojan that was looking for e-mail addresses, apparently nothing special. Unlike other Trojans, it did not look for e-mail addresses in every location, but only in the valid contact list. All of them were saved in a text file and uploaded via FTP to the hacker’s server. The guy was foolish enough to leave the FTP credentials in plain text, so we could access it effortlessly.

We accessed the server, which was running a RedHat Linux distribution. Once there, we could see a few thousand stolen e-mail addresses, plus some phishing pages belonging to different banks from Italy, Brazil and some other countries:

The server contained some scripts to send out phishing e-mails to the stolen addresses, as well as to send out the Trojan. So it was an easy task: send out the Trojan, wait for the stolen e-mail data to come in, send out phishing attacks and wait for the stolen credentials. And as I have mentioned before, this is just one of the thousands of malware samples we deal with every day. Be careful.

FirePack for the winter

February 14, 2008

Do you remember IcePack? It seems that some kits for installing malware are somehow “seasonal”: we found IcePack in summer, and in late 2007 we found yet another one better suited to winter, called FirePack:

FirePack 

Anyway, it is not as advanced as other kits (IcePack, MPack, Traffic Pro, etc.). Furthermore, it is really expensive compared to other kits: $3,000, while the official price for MPack is $1,000, IcePack Platinum Edition $700, Traffic Pro $40 and IcePack Lite just $30.

We have found two different versions so far, 0.11 and 0.17. This is what you see when you log in to the control panel; this is the Russian version, but there is also an English version:

FirePack Control Panel

Microsoft Updates for February

February 13, 2008

This month Microsoft has released 11 security bulletins (from MS08-003 to MS08-013). Six of them are rated Critical and five Important. We recommend updating your systems ASAP, as most of the vulnerabilities allow remote code execution.

Last Thursday's Security Bulletin Advance Notification included details on twelve issues; however, only eleven have been published. What has happened?

These bulletins update the following software: LSASS, DirectShow, Internet Explorer, Macrovision Driver, JScript, VBScript, Office Suite, Media File Formats, Message Queuing Service.

Microsoft Security Bulletin Summary for February 2008 

Happy Saint Valentine!

February 12, 2008

As Saint Valentine’s Day approaches, we are starting to see how this special day is used as an effective bait to spread malware.

In the last few hours, we have noticed that the malicious files called “withlove.exe”, which we saw a month ago in the e-mails related to the Storm worm, are being adapted to “valentine.exe”.

These latest files, detected as W32/Nuwar.QI.worm, reach the computer with subjects such as "I Love You," "Me & You," "My Love For You," "Happy Valentine's Day!…" or, as in this case, "Valentine's Day":

WEB Image

On this special date it is not only love that fills our inboxes, but also malware!

Playboy TV Spam

February 8, 2008

I suppose we are in a way getting accustomed to seeing unwanted messages in our inbox, whether advertising Rolex watches at reasonable prices, Viagra or “miraculous” beauty products, among many others. That’s nothing new, and the figures speak for themselves: as we mentioned in the 2007 Annual Report, about 95% of email in circulation globally is spam.

In this case, we have detected a spam message that not only uses a TV channel as a social engineering technique, but whose content is also blurred so that it cannot be clearly read, in order to avoid antispam filters.

The message, which is in Spanish, starts with the sentence “Mira el video y no te pierdas la sorpresa al final” whose translation is: “Look at the video and don’t miss the surprise at the end”. It entices users to view a video by clicking on a link. If any of the three links included in the message is followed, we will get a bad surprise and our system will be compromised.

PLAYBOYTV SPAM

Once one of these links is followed, we are asked to install a file called "PlayboyTV-MediaPlayer.exe" that appears to be a codec needed to view the video. However, this file installs malicious code detected as W32/MSNworm.CV.worm on the computer.

In order to go unnoticed, it displays a YouTube video of a Playboy girl. Watching this video, it's easy to understand why some people don't notice that they are being infected while they watch it.

Girl

http://es.youtube.com/watch?v=kkebSFRnCrA

January Adware/Spyware List

February 5, 2008

In January, the first position has not changed with regard to the previous month. However, Savenow and Virtumonde have swapped positions, so Virtumonde now takes second place.

The 4th and 5th positions remain unchanged but Adware/ActiveSearch goes up two positions and replaces Adware/cws, which was in the 6th position.

Adware/BaiduBar, which is in the 7th position, keeps its persistence in spite of all the changes.

Adware/SweetBar enters the top ten in the 8th position, going up from the 12th position.

Adware/WUpd and Adware/NaviPromo swap positions, as we saw above with Savenow and Virtumonde.

This is the current list:

Adware & Spyware