Archive for June, 2008

Mine is bigger than yours!

June 24, 2008

In recent months there have been some discussions about malware figures. My colleague Stuart wrote a post about this on the SophosLabs blog, as did our colleagues at McAfee. Today I’ve seen a press release from F-Secure announcing the publication of their 2008 first-half data security summary (I have to talk to Mikko to see how they can summarize something that hasn’t finished yet 😉).

So now we have a small ranking, listed in alphabetical order:

F-Secure 900,000
McAfee 400,000 – 10,000,000
Sophos 4,600,000
Symantec 1,122,311
Panda 13,225,535

Q&A:

Does this mean that we detect more than they do?
No, it doesn’t mean that. It is like comparing apples and oranges.

So are you detecting less than the others?
No. As I said before, you shouldn’t compare apples and oranges.

Why are some apples and the others oranges?
You can be counting just files, or detections. With one good detection you can detect thousands of malicious files.

The more signatures a product has, the better the product is?
No. Product A could have X signatures, and product B could have X/2 and still detect more than product A.

Finally, when AV companies talk about these kinds of figures, they refer to detections, malware files or similar, so no proactive technologies are involved in those figures… and that is part of the solution, together with the signatures, for the ever-growing malware landscape we have. Last week Eva Chen, Trend Micro’s CEO, said that the ‘AV industry sucks’. Even though I know what she meant and I do agree, I would have used different words. But what I want to point out about this is a different thing –> scanning "in the cloud". I’m really happy to see that we have created a trend and that now Trend Micro is following us. I really think this is the best thing AV companies can do right now, and I hope the others will follow us too. We published a paper about this almost a year ago, and we released a proof of concept of that technology in an online memory scan engine called Nanoscan. Later we applied some of this technology in our 2008 products, and it is completely integrated into our 2009 products, which are in public beta right now. Let’s see if we can build a safer world!

Malicious Spam Related to False Porntube Page

June 20, 2008

It seems that the activity of this type of spam run has increased since we first detected it last week.

Like every spam message with malicious intentions, it tries to attract the user’s attention with eye-catching subjects so that they visit the attached link.

Below we can see some of the subjects used:

"Eiffel Tower suffers structural damage, collapse possible?"
"London rocked by gas attack, army on high alert?"
"Britney found hanged in locker room?"
"Celtics disqualified from NBA title?"
"China Earthquake claims 1 million lives?"
"Dan Brown's latest novel?"
"Nokia unveils revolutionary new phone design?"
"Obama withdraws from elections?"

The domains in the attached links vary, though all those we have seen so far point to a file /r.html, which is a fake Porntube website.

Once there, an error message is displayed telling the user that they need to install a Video ActiveX component; accepting it installs the file ideo.exe, detected as Trj/Exchanger.G.

Although the malware is hosted on the same domains that the spam links point to, it connects to an IP address located in Beijing (China), from which the creator probably views statistics on the infected computers.

T2W –> Trojan to Worm

June 17, 2008

We have detected an application whose main function is to turn an executable file into a worm, giving it the capacity to spread by itself. Even though its aim is to give a Trojan the spreading capability of a worm, it works with any executable file.

As you can see in the image below, Constructor/Wormer is an eye-catching tool and very easy to use. By checking different flags you can design a worm with different functionalities, such as compressing it with UPX, enabling a mutex, selecting icons, etc.

It also has advanced options to select a certain infection date and to disable different parts of the operating system, such as the Task Manager, the Windows Registry Editor, Folder Options, and different browsers such as Internet Explorer, Firefox or Opera. Additionally, the worms can be configured to display a message when they are run or to activate themselves when Windows starts.

One curious option lets you exclude removable drives, such as pen drives, from infection by indicating the username and the name of the drive.

The tool seems to have been created in Spain; its language can be switched between English, Spanish, Portuguese and Catalan. As you can see, nowadays there are tools that allow any user, regardless of their technical knowledge, to create malware very easily.

Thanks to Oscar Anduiza for the information.

Malicious use of Akihabara's killer news

June 11, 2008

It is surprising how fast cyber-crooks take advantage of any eye-catching news to distribute malware. Less than two days after the tragic event that took place in Tokyo (“Tomohiro Kato – Akihabara Killer”), we detected an email that used this news as bait to deceive users.

The email seemed to come from an address belonging to RPP news (Radio Programas del Perú) in order to pass itself off as a trustworthy source. However, you can check at the following URL, which points to the official news story published by RPP, that it is totally different from the news included in the malicious email, where after a brief description of the event users are enticed to download and watch a video about it. What they actually download and install on the system is the Trojan QHost.IH.


This malware is designed to modify the hosts file by adding four entries for the websites of a certain bank. This way, if users visit any of the websites listed in the hosts file, they are not taken to the genuine site but to another one imitating it.
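An added defender’s check along these lines (example code, not PandaLabs’ or the post’s own): it parses a hosts file and flags every entry that maps a name to a non-loopback address, which is exactly the trace a QHost-style Trojan leaves behind. The sample hosts content, the bank domains and the watch list are constructed placeholders, not real indicators.

```python
"""Audit a hosts file for entries that could redirect bank traffic.

Added example, not PandaLabs code. A QHost-style Trojan appends lines that map
a bank's domains to an attacker's address. This scan flags every entry mapping
a name to a non-loopback address and marks names on a watch list.
"""
import ipaddress

# Constructed sample: two normal lines followed by hijack-style entries.
# Domains and address are placeholders, not real indicators.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.test   # inline comment, must be ignored
192.0.2.10      online.example-bank.test
192.0.2.10      example-bank.test
192.0.2.10      secure.example-bank.test
"""

# Assumption: the watch list is supplied by the defender, not by the post.
WATCH_LIST = {"example-bank.test"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def is_local(ip):
    """True for loopback/unspecified addresses (the only normal hosts targets)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text, watch_list=WATCH_LIST):
    """Return (ip, hostname, on_watch_list) for each non-local mapping."""
    found = []
    for ip, name in parse_hosts(text):
        try:
            if is_local(ip):
                continue
        except ValueError:        # malformed address: report it as well
            pass
        on_watch = any(name == w or name.endswith("." + w) for w in watch_list)
        found.append((ip, name, on_watch))
    return found
```

On a real machine, read the text from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and pass it to suspicious_entries.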

Another trojan creator…

June 9, 2008

Everybody knows that nowadays it is very easy to create malicious programs, or new variants of existing malware, with the help of programs like virus constructors, which are publicly released by real experts in creating malware.

As we mentioned in a previously published post, these “beginners” in creating malware use different antivirus scanners to test their creations until they are undetectable.

In this case, one of these tools is Constructor/Turkojan, which offers new functionalities with each version, currently v4.0. Among the options offered are the following:

Remote Desktop / Webcam Streaming / Audio Streaming / Remote passwords / MSN Sniffer / Remote Shell / Advanced File Manager / Online & Offline keylogger / Information about remote computer / etc.

You may be wondering what benefits the author gains from this tool. Obviously, there is a financial reason behind it. Almost all those who design this type of tool offer versions with different services, including customized support depending on the sum of money paid.


This is a clear example showing that cybercrooks are more and more professional and that there is a real organized business that seeks to profit from its creations.

Be careful with Tixcet.A

June 2, 2008

PandaLabs has recently discovered the worm Tixcet.A.

It is a very destructive worm, as it deletes files with several extensions and replaces them with a copy of itself, keeping the same name as the original file. Among the affected extensions are the following: .DOC, .PPT, .MP3, .MOV, .ZIP and .JPG. This means that we can lose our photos, songs, Word documents and other files that are important to us.

Additionally, it does not allow files to be copied, as it disables the Paste option, nor contents to be copied, as the text that is copied is not the one selected by the user but one chosen by the worm.

It reaches the computer passing itself off as a Word document in order to deceive users.
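As an added defender’s check (example code, not PandaLabs’ or the post’s own), the script below walks a directory and flags files whose extension is one of those listed above but whose first bytes are a Windows executable header, which is what a Tixcet.A replacement file or its fake Word document would look like. The two sample files it creates are constructed for the demonstration.

```python
"""Flag files whose extension claims a document/media type but whose bytes
say otherwise. Added example, not PandaLabs code: Tixcet.A overwrites .DOC,
.PPT, .MP3, .MOV, .ZIP and .JPG files with copies of itself and arrives posing
as a Word document, so a PE header behind one of those extensions is a red flag."""
import os
import tempfile
from pathlib import Path
# Magic bytes of the genuine formats (legacy .DOC/.PPT share the OLE2 header;
# .MOV is less uniform, so for it only the executable test applies).
EXPECTED_MAGIC = {
    ".doc": (b"\xD0\xCF\x11\xE0",),
    ".ppt": (b"\xD0\xCF\x11\xE0",),
    ".mp3": (b"ID3", b"\xFF\xFB", b"\xFF\xF3", b"\xFF\xF2"),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".jpg": (b"\xFF\xD8\xFF",),
    ".mov": (),
}
PE_MAGIC = b"MZ"   # DOS header every Windows executable starts with

def classify(path):
    """Return 'executable', 'mismatch', 'ok' or 'unknown' for one file."""
    ext = Path(path).suffix.lower()
    if ext not in EXPECTED_MAGIC:
        return "unknown"
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return "executable"      # a PE image hiding behind a data extension
    magics = EXPECTED_MAGIC[ext]
    if magics and not any(head.startswith(m) for m in magics):
        return "mismatch"        # not a PE, but not the claimed format either
    return "ok"

def scan_tree(root):
    """Walk a directory; return {path: verdict} for every flagged file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            verdict = classify(p)
            if verdict in ("executable", "mismatch"):
                flagged[p] = verdict
    return flagged

def build_sample_tree():
    """Constructed sample: a genuine JPEG and a PE disguised as a .doc."""
    root = tempfile.mkdtemp()
    Path(root, "holiday.jpg").write_bytes(b"\xFF\xD8\xFF\xE0" + b"\0" * 16)
    Path(root, "report.doc").write_bytes(b"MZ\x90\x00" + b"\0" * 60)
    return root
```

Running scan_tree over a user’s documents folder reports the disguised executable while leaving the genuine JPEG alone.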

It also creates several files that contain a signature of the author, like the following:

tixcet_1.jpg 

PandaLabs has analysed this worm in depth and has prepared an interesting video showing some of the actions it carries out on affected computers.