Archive for April, 2009

New Panda Cloud Antivirus

April 29, 2009

Today we have launched Panda Cloud Antivirus, an exciting new product: light, secure, easy and free.

Visit http://www.cloudantivirus.com/ 

Try it!!!

HAMLET. "Something is rotten in the state of Malware"

April 23, 2009

Written on behalf of José Julio Ruiz de Loizaga. 

Today being the birthday of William Shakespeare, I felt the urge to write this post.  When reversing files, one is prepared to find anything – well, almost anything. I was analyzing a dll and was surprised to find passages from Hamlet.  At first I thought "My God, a trojan that promotes literacy, how odd." My surprise increased when the next files, two additional dlls, also contained fragments of The Bard's prose.

[Screenshot: first dll, with the Hamlet passages visible]

It was clear that these three files were related.  There were two possibilities: either the malware author was a fan of sixteenth-century Renaissance literature, or the text was used to make detection more difficult.

This method has been seen before in phishing emails.  Anti-phishing engines look for keywords in the body of a message.  When these words are found, their count is correlated with the length of the message.  In other words, a keyword carries more weight the more often it is repeated in a short message, which is why it is not unusual to find phishing emails padded with literary text rendered in white, so that it is invisible to the reader.  Although the recipient never sees the extra words, the anti-phishing engine counts them and is fooled.
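To make the keyword-to-length weighting concrete, here is an added Python example (not code from the original post): a naive density scorer that hidden filler dilutes below its threshold, beside a defender-side pre-pass that strips white-rendered spans before scoring. The sample messages, keyword list, threshold and the white-text pattern are constructed for the illustration.

```python
import re

# Constructed for this illustration: a tiny keyword list and two sample bodies.
PHISH_KEYWORDS = {"verify", "account", "password", "suspended", "click", "urgent"}

PLAIN_PHISH = (
    "Urgent: your account has been suspended. Click here to verify your "
    "password and account details within 24 hours."
)

# The same lure padded with a Hamlet passage rendered white-on-white,
# so the recipient never sees it but a word counter does.
HAMLET_FILLER = (
    "To be, or not to be, that is the question: Whether 'tis nobler in the mind "
    "to suffer The slings and arrows of outrageous fortune, Or to take arms "
    "against a sea of troubles, And by opposing end them."
)
PADDED_PHISH = PLAIN_PHISH + '<span style="color:#ffffff">' + HAMLET_FILLER * 3 + "</span>"

# Assumed (simplified) pattern for an inline-styled white span; a real mail
# filter would also resolve stylesheet classes, font-size:0, display:none, etc.
HIDDEN_SPAN = re.compile(
    r'<span[^>]*style="[^"]*color:\s*(?:#fff(?:fff)?|white)[^"]*"[^>]*>.*?</span>',
    re.IGNORECASE | re.DOTALL,
)


def keyword_density(text):
    """Naive scorer: share of words that are phishing keywords, i.e. keyword
    hits weighted against the total length of the message."""
    words = re.findall(r"[a-z']+", text.lower())
    if not words:
        return 0.0
    hits = sum(1 for w in words if w in PHISH_KEYWORDS)
    return hits / len(words)


def strip_hidden_text(body):
    """Defender-side pre-pass: drop text the reader cannot see before scoring,
    so invisible padding no longer dilutes the keyword ratio."""
    return HIDDEN_SPAN.sub("", body)


def is_phishing(body, threshold=0.15, strip_hidden=True):
    """Flag a body when its visible keyword density reaches the threshold."""
    text = strip_hidden_text(body) if strip_hidden else body
    return keyword_density(text) >= threshold
```

With the pre-pass disabled the padded message scores about 0.05 and slips under the threshold; with it enabled the filler is discarded and the message scores the same 7/17 as the unpadded one.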

[Screenshot: second dll]

This technique isn't exactly the same, but it has the same goal: to trick the antivirus.  In this case, the signature-based engine is the target.  The additional text is inserted with the intention of changing the file's signature, thereby avoiding detection.  The truth is that this is an interesting and educational way of doing so.

[Screenshot: third dll]

P.S., I would have personally chosen "100 Years of Solitude", but well, "Hamlet" is not bad either.

New Blackhat SEO attack exploits vulnerabilities in WordPress to distribute rogue antivirus software

April 23, 2009

Over the past week we have seen a new Blackhat SEO technique emerge to exploit vulnerabilities in the popular WordPress blog software.  Two of the sites we identified were TheWorkBuzz.com, a website owned and operated by Career Builder (CareerBuilder.com), and The Center for International Media Assistance, an initiative of the National Endowment for Democracy (NED.org). Just like last week’s attack against Ford Motor, these scams work by misleading search engines to falsely promote malicious pages to the top of the search results. When a user visits one of the malicious sites, they are duped into downloading fake antivirus software.

You can check out a video demonstrating how this particular attack works below:

[Embedded video]

Both attacks involve a vulnerability in an older version of WordPress, which allows the software's /wp-includes/ folder to be used to house thousands of malicious redirectors.  Exact details of the specific vulnerability are not yet known, but we have contacted both site owners and the security team at WordPress to get clarification.

In the first case involving the Center for International Media Assistance website, we uncovered over 13,330 words used in the Blackhat SEO attack.  We took all the terms and threw them into a Tag Cloud generator to see how they were targeting the CIMA viewers.  Here’s what we found:

[Image: tag cloud generated from the 13,330 terms]

Song – Appeared 1303 times
Software – Appeared 879 times
Free – Appeared 244 times
Lyrics – Appeared 210 times

Cyber-criminals have chosen rogue anti-malware as their primary way of getting paid because affiliate systems and attacks of this kind have made it easier for them to make money.  It's no wonder we have seen more rogue detections in the first quarter of 2009 than in all of 2008. As you can see from the chart below, PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3.

[Chart: PandaLabs projection of rogue AV growth through Q3 2009]

Remember, it's just as important to update your web applications as it is to update your operating system. If you use WordPress as a platform for your blog or website, then I recommend reading the official hardening guide.

Ransomware Reloaded

April 20, 2009

One of the latest examples of ransomware we have seen is Trj/SMSlock.A.

The main aim of this malware is to make users pay a ransom for their computer in order to get it back fully operational.

Until now, some of the functionalities we had seen in ransomware were encrypting certain documents or file extensions on the computer, or emptying the user's inbox and contact list, among others. In the case of Trj/SMSlock.A, however, it locks access to the system (leaving the computer unusable) and displays on the screen a message in Russian containing instructions for users to send an SMS as the ransom for their system:

[Screenshot: the lock-screen message in Russian]

Note: below is an English transcription of the message displayed on the screen.

To unlock you need to send an SMS with the text
4121800286
to the number
3649
Enter the resulting code:

Any attempt to reinstall the system may lead to loss of important information and computer damage

New Waledac campaign

April 16, 2009

Waledac family activity has increased during the last months. The malware creators have been using several social engineering techniques to spread these samples: important dates like Christmas and Valentine’s Day, important events such as the appointment of Barack Obama as president of the United States or fake news.


Currently, the technique is to offer a service that supposedly lets someone read the SMS messages received by a given phone number. Obviously, it is a completely fake service, and it could even be described as illegal and immoral. After accessing the website and downloading and running the software, the computer is infected and immediately starts hosting the infection website and the executable itself, turning the victim's computer into a new distribution point.

Snapshot of the Waledac network:

[Image: Waledac.AU network visualization]

The main function of the Waledac family, besides its own propagation, is to send spam messages to the email accounts obtained from the infected computer. Additionally, it can carry out other malicious actions, such as downloading malware, opening ports in order to receive instructions (acting as a botnet) and stealing passwords which are then sent to remote URLs.


The following graph represents the evolution of the files detected as Waledac received in our inboxes during the last three months:

[Chart: Waledac samples received per month, February to April 2009]

Taking into account the data for the first two weeks of April, there has been an increase of almost 200% compared with February's figures.


What will be the next subject the malware creators use to spread this worm?  We'll know soon…

Targeted Blackhat SEO Attack against Ford Motor Co. (Updated)

April 14, 2009

Recently, we have talked about Blackhat SEO fueled Rogue Software Campaigns. Today, we have uncovered a similar campaign with over 1 Million links all targeting the Ford Motor Company.

These attacks work by misleading search engines into falsely promoting malicious pages to the top of the search results. Once the user visits one of the malicious sites, they are prompted to download and install a malicious "codec", which then installs the MS AntiSpyware 2009 (softwarefortubeview.40030.exe) rogue security software, which we detect as Adware/MSAntiSpyware2009.

This case is especially interesting because it’s one of the few SEO attacks that we have seen targeting a single, specific brand.

I have made a video demonstrating how the Blackhat SEO attacks work and you can see it below:

[Embedded Vimeo video]

Partial List of Hijacked Search Terms:

*Update*  The SEO attack is starting to switch from Ford to Nissan Motor Co.  

Diagram Of A 1998 Nissan Pathfinder Blower Motor
1989 Nissan Pickup Voltage Regulator
2006 Nissan Skyline Gtr Vs 2005 Mustang Gt Cobra Youtube
Where Is The Horn Relay On A 2002 Nissan Sentra
1992 Rear Bumper Nissan Pickup Truck
17 Gold Rims Wheels Nissan Honda Ford Toyota Hyundai
Ford Dealership Car Dealership Beside Iee Nissan Wilson N.c.
We Love rocky ford kansas!
Mustang Gt Or Nissan 350z
Dash Cover Nissan Pickup
1992 Rear Bumper Nissan Pickup Truck
Bumper For 1993 Nissan Pickup
Relay Box On 1991 Nissan Pickup Truck
1997 Nissan Maxima Trunk Emblem
1993 Nissan Truck Door Panels
2007 Nissan Versa Gauges Glow
Nissan Sentra 2004 Horn Location
1994 Nissan Extended Cab Truck Seat
Pic Of 1983 Nissan Truck
1989 Nissan Pickup Truck Engine Check Light Troubleshooting
Fuel Tank Capacity On 1992 Sentra On 1992 Nissan Sentra
How To Install A 1991 Nissan Pathfinder Windshield
Auto Wheel Bearing Replace 1997 Nissan Sentra
Nissan Micra 1.3 Metallic Green
Dimensions And 1998 Nissan Pathfinder
2005 Nissan Frontier Modesto
87 Nissan Pathfinder Nuetral Starter Safety Switch
1990 Nissan Pickup 2400 Motor Recalls
Used Nissan Frontier 2006
Frontier Titan 2006
Ford Ranger
Parkway Ford
Ford Uk
Ford Finance
Mustang Ford
Evergreen Ford
Kayser Ford
Ford Anchorage
Walker Ford
2009 Ford
Rochester Ford
6 Ford Speed Transmission
Ford Scamatic
Sheehy Ford
Ford Commercial
Parr Ford
Ford F8tz3504abrm
1993 Ford Taurus
1993 Ford Tauru
Titan Ford
Luther Ford Fargo
Ford Freestar Problems
Ford Crate Engine
Ford Aftermarket Distributor
Ford Ranger 2008
Ford Falcon Sale
1941 Ford Truck
F150 Ford 2001
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
Ford Window Guards
1960 Ford Sunliner
1960 Ford Sunline
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Ford Taurus Repair
Ford Window Guards
1960 Ford Sunliner
Ford Ironman Wisconsin
2008 Ford Mustang
New Orleans Ford
Inventor Henry Ford
Ford Van Seats
1950s Ford Thunderbirds
Don Vance Ford
F150 Ford 2001
Grappone Ford
Ford Radio Removal
Ford Expedition Diesel
Ford Parts Catalog
1940 Ford Coupe
1966 Ford Mustangs
Ford Door Lock
Ford Escape Hybrid
1930 Ford Coupe
Ford Parts Look Up
1968 Ford Trucks
1995 Ford F150 Lightning
Joe Machens Ford
1956 Ford Panel
Ford Global Terms
2000 Ford Explorer Overheating
1999 Ford F150 Engine
Ford 6 Cyl
Ford Ranger 4×4
Door 2005 Ford F150
Ford Falcon Futura Sprint
Ford Ranger Engine
Ford Escort Harrier
Ford F150 Used 4×4
1969 Custom Ford Ranger
Ford Truck F150 Forum
Only Ford Expedition Pics
Diesel Ford Ranger
Ford F150 Throttle Body
2001 Ford Escort Reviews
1998 Ford F150 Bumper
1989 Ford Mustang Wallpaper
1939 Ford For Sale
Ford Ranger Directional Rims
2009 Ford Mustang Reviews
Rowe Ford Hyundai
Remanufactured Ford V8 Engines
Ford Ranger 4×4 Automatic

Rogue Information:

File: softwarefortubeview.40030.exe
MD5: 3C146F57FE65BF03CAB8289F31B57618
Detected as: Adware/MSAntiSpyware2009

Registrar and Host Information:

ICANN Registrar: REGTIME LTD.
Created: 2009-03-17
Expires: 2010-03-17
Updated: 2009-03-31
Registrar Status: ok
Name Server: NS1.GLOBEXTUBES.COM
Name Server: NS2.GLOBEXTUBES.COM
Whois Server: whois.regtime.net

Server Data:

Server Type: Apache/1.3.39 (Unix) PHP/5.2.5
IP Location: United States – California – Los Angeles – Coreexpress
Domain Status: Registered And Active Website

If you have any questions about the attack, you can always reach me on Twitter (@lithium).

Special thanks to Greg Feezel for the heads up on this one!


New Zero-Day exploit for Microsoft PowerPoint: Exploit/PPT

April 3, 2009

Yesterday Microsoft published a new advisory related to a vulnerability in Microsoft Office PowerPoint, which could allow remote code execution.

In the following image, you can see the versions affected by this vulnerability:

[Image: table of affected PowerPoint versions]

This vulnerability affects Windows and Mac Microsoft Office PowerPoint versions.

There is already a zero-day exploit for this vulnerability, which PandaLabs detects as Exploit/PPT.

The Zero-Day exploit is proactively detected by TruPrevent™ Technologies.

Quarterly Report January-March 2009

April 2, 2009

We have just published the latest PandaLabs Quarterly Report. There you can find statistics and information about the current malware situation, as well as sections analyzing the most interesting events of the first quarter (such as the most active families, Waledac and Conficker).

You will also find an article about the spam situation, another on vulnerabilities, and other articles of interest.


You can download it in English or in Spanish.

Enjoy it!