Archive for July, 2009

Greetings from Las Vegas

July 29, 2009

Today, Sean-Paul and I are at the Blackhat Conference to discuss our latest research on the Rogueware economy. We have been meeting with many people in the last few days and we most recently spoke at the SecurityBsides conference. 

We published the full study "The Business of Rogueware" this morning.  You can access it here.

If you are in town and would like to meet with us, just shoot us a message on Twitter and we would be glad to meet you. 

 Luis: @Luis_Corrons
 Sean-Paul: @lithium

3rd Panda Challenge solution & winners

July 27, 2009

The 3rd and final Panda Challenge has ended. You had to find some hidden text, which was:

"Panda Cloud Antivirus provide Advanced Protection against new and uNknown viruses. cloudAntivirus "

And the winner of the Amazon Gift Card and the AV license, who sent the right answer in less than 4 hours, is…:

Simon Elén

And the winners of the AV license:

Andrey Belenko
Lose Myself
William Whistler
Vladimir Gneushev

Thank you all for participating.

The third and final Panda Challenge has come to an end. You had to find a hidden text, which was the following:

"Panda Cloud Antivirus provide Advanced Protection against new and uNknown viruses. cloudAntivirus "

The winner of the Amazon gift card and the antivirus license, who also sent the correct answer in less than 4 hours, is…:

Simon Elén

And the winners of the antivirus license:

Andrey Belenko
Lose Myself
William Whistler
Vladimir Gneushev

Thank you all for participating.

Panda Challenge: Hard Level

July 20, 2009

Welcome to the final Panda Challenge. This is the hard one; let's see who can solve it first. In the medium one we had just a few right answers. Carlos is the creator of this challenge, and this is what he wants you to know before starting:

"If you leave the program running and you're really patient, some day it will show a message. We are not that patient as we need to know the content of the message urgently, so the first who finds it out will have a prize.

By the way, don't look for the message inside the program, as it is closer to you than it seems"

The file can be downloaded here. Enjoy yourselves, and don't forget to send the solution, with an explanation of how you obtained it, to pandachallenge at pandasecurity dot com.

I will be publishing updates on Twitter, and next Monday I'll let you know the final results.

The terms and conditions of the competition can be downloaded from here.

Welcome to the final Panda Challenge. This is the hard one; let's see who can solve it first. In the previous challenge we had only a few correct answers. Carlos is the creator of this challenge, and this is what he wants you to know before starting:

"If you leave the program running and are very patient, some day it will show a message on screen. We are not that patient, as we urgently need to know the content of the message, so the first person to tell us what it is will get a prize.

By the way, don't look for the message text inside the program, as it is much closer to you than it seems."

The file can be downloaded here. Enjoy yourselves, and don't forget to send the solution together with an explanation of how you obtained it to pandachallenge at pandasecurity dot com.

I will be posting updates on Twitter, and next Monday I will publish the final results.

The terms and conditions of the challenge can be downloaded here.

2nd Panda Challenge solution & winners

July 20, 2009

As I promised, this challenge was going to be considerably more difficult. Here is the solution:

The file we created is a program that reads data from standard input and writes data to standard output. It is a generator of random 50×50 labyrinths; to solve the challenge you have to write a program which, by communicating with it, automatically finds its way out of the labyrinth. Obviously, the labyrinth itself is not visible.

The player can move North, South, East and West, as well as diagonally (Northeast, Southeast, etc.), and can ask for their current position. The reverser has to work out which commands move in each direction and which command asks for the current position.

By the way, the labyrinth generator is "imperfect": a labyrinth may or may not have a solution. However, once you understand the protocol, you can calculate your exact position in the labyrinth, and you can ask for a new labyrinth if you think the one you are in has no exit.

Additionally, it has some other quirks:

1.- If the player makes 6 consecutive mistakes, the game is over.
2.- If the player enters a wrong character, the game is over.
3.- From a certain row on, random "fire" can appear. If the player does not change position, that is, if the move they made was wrong, they will "burn" and, obviously, the game is over.
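The protocol described above, as an added Python example that is not the challenge's own code: a constructed stand-in for the labyrinth program (with hypothetical commands, since the real ones had to be reverse-engineered) and a solver that explores it purely through command/reply, asks for a new labyrinth when the current one has no exit, and keeps the consecutive-mistake counter below six by clearing it with a known-good round trip. The "fire" rule is not modelled.

```python
import random
# Hypothetical commands (the real binary's had to be reverse-engineered): a direction name moves,
# "?" asks for the current position and "R" requests a new labyrinth.
DIRS = {"N": (-1, 0), "S": (1, 0), "E": (0, 1), "W": (0, -1),
        "NE": (-1, 1), "NW": (-1, -1), "SE": (1, 1), "SW": (1, -1)}
OPPOSITE = {d: [o for o, v in DIRS.items() if v == (-dr, -dc)][0] for d, (dr, dc) in DIRS.items()}
SIZE, MAX_MISTAKES = 50, 6

class Labyrinth:
    """Constructed stand-in for the challenge program: hidden random grid, exit at the far corner."""
    def __init__(self, seed=0):
        self.rng = random.Random(seed); self.new_maze()

    def new_maze(self):  # "imperfect" generator: random walls, so an exit is not guaranteed
        self.walls = {(r, c) for r in range(SIZE) for c in range(SIZE) if self.rng.random() < 0.3}
        self.pos, self.mistakes, self.over = (0, 0), 0, False
        self.walls.discard(self.pos)

    def send(self, cmd):  # one protocol round trip: command in, the program's reply out
        if self.over or cmd not in list(DIRS) + ["?", "R"]:  # an unknown character ends the game
            self.over = True; return "GAME OVER"
        if cmd == "?": return "%d,%d" % self.pos
        if cmd == "R": self.new_maze(); return "NEW"
        r, c = self.pos[0] + DIRS[cmd][0], self.pos[1] + DIRS[cmd][1]
        if not (0 <= r < SIZE and 0 <= c < SIZE) or (r, c) in self.walls:
            self.mistakes += 1  # six consecutive mistakes end the game
            self.over = self.mistakes >= MAX_MISTAKES
            return "GAME OVER" if self.over else "WALL"
        self.pos, self.mistakes = (r, c), 0
        return "EXIT" if self.pos == (SIZE - 1, SIZE - 1) else "OK"

def dfs(lab, start):
    """Depth-first exploration through the protocol alone, clearing the mistake counter with a known-good round trip."""
    visited, path, stack, bumps = {start}, [], [(start, list(DIRS))], 0
    while stack:
        pos, todo = stack[-1]
        if not todo:  # dead end: step back along the path, which is always a legal move
            stack.pop()
            if path: lab.send(OPPOSITE[path.pop()]); bumps = 0
            continue
        d = todo.pop()
        nxt = (pos[0] + DIRS[d][0], pos[1] + DIRS[d][1])
        if nxt in visited or not (0 <= nxt[0] < SIZE and 0 <= nxt[1] < SIZE):
            continue  # the 50x50 size is known, so never spend a mistake on the border
        if bumps == MAX_MISTAKES - 1:  # one more bump would end the game
            if not path: return None  # no safe move to reset with: abandon the maze while still alive
            lab.send(OPPOSITE[path[-1]]); lab.send(path[-1]); bumps = 0
        reply = lab.send(d)
        if reply == "GAME OVER": return None
        if reply == "WALL": bumps += 1; continue
        visited.add(nxt); path.append(d); bumps = 0
        if reply == "EXIT": return list(path)
        stack.append((nxt, list(DIRS)))
    return None

def solve(lab, max_mazes=20):  # solve the current maze, or request new ones until one has an exit
    for _ in range(max_mazes):
        path = dfs(lab, tuple(int(x) for x in lab.send("?").split(",")))
        if path is not None or lab.send("R") != "NEW": return path
    return None
```

The solver mirrors the program's mistake counter exactly because every backtracking step is a move it already knows succeeds, so a wall-heavy dead end can never push it to the sixth consecutive mistake.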

Well, this time we received only 22 answers, and the winner of the 250€ Amazon gift card, who was the first to solve the challenge correctly, is:

Kaspars Osis

And the winners of the AV license:

William Whistler
Matthew Hinson
Vladimir Gneushev
bbuc

Thank you all for participating. Tomorrow, I will publish the last challenge, with which you can get another Amazon gift card, this time valued at 450€.

As I promised, this challenge was quite a bit more complicated. The solution is as follows:

The file we created is a program that receives data through standard input and prints data through standard output. The program is a generator of random 50×50 labyrinths, and to solve it you have to write a program which, by communicating with it, exits the labyrinth automatically; of course, the labyrinth is not visible.

The player can move North, South, East and West, as well as diagonally (Northwest, Southeast, etc.), and ask for their position. The reverser has to work out which commands move in each direction and which command asks for the current position.

The labyrinth generator is "imperfect" on purpose: a labyrinth may or may not have a solution. However, within the protocol you can work out your exact position in the labyrinth, and you can ask for a new labyrinth to be generated if you consider that the one you are in has no exit.

It also has some other catches:

1.- If the player makes 6 mistakes in a row, the game ends.
2.- If the player types a single wrong character, the game ends.
3.- From a certain row on, random "fire" can appear. If the player does not move, that is, if the move they make is wrong, they will "burn" and, of course, the game ends.

Well, this time we only received 22 answers, and the winner of the 250€ Amazon gift card, who was the first to solve the challenge correctly, was:

Kaspars Osis

And the winners of the antivirus license:

William Whistler
Matthew Hinson
Vladimir Gneushev
bbuc

Thank you all for participating. Tomorrow I will publish the last challenge, with which you can win another Amazon gift card, this time worth 450€.

Panda Challenge: Medium Level

July 13, 2009

Welcome to the 2nd Panda Challenge. As promised, this one will be harder. In the previous one we had more than a thousand downloads and just 44 right answers; let's see how this goes. Joxean is the creator of this challenge. These are the "instructions" Joxean wants you to know before starting:

"To create a program which automatically solves the problem posed by the program by communicating with it using the protocol this program understands."

The file can be downloaded here. Enjoy yourselves, and don't forget to send the challenge solution (the program you created) to pandachallenge at pandasecurity dot com.

I will be publishing updates on Twitter, and next Monday I'll let you know the final results.

The terms and conditions of the competition can be downloaded from here.

Welcome to the 2nd Panda Challenge. As I promised, this one will be more complicated. In the previous one we had more than a thousand downloads and 44 correct answers; let's see how this one goes. Joxean is the creator of this challenge. These are the "instructions" Joxean wants you to know before starting:

"Write a program that automatically solves the problem posed by the program, communicating with it through the protocol that program understands."

The file can be downloaded here. Enjoy yourselves, and don't forget to send the solution to the challenge (the program you created) to pandachallenge at pandasecurity dot com.

I will be posting updates on Twitter, and next Monday I will publish the final results.

The terms and conditions of the challenge can be downloaded here.

1st Panda Challenge solution & winners

July 13, 2009

First of all, let me thank you all for having participated in this challenge. The solution is described below:

The binary was packed with UPX, and we renamed one section to .reloc to make it "uncomfortable" to work with in IDA. Renaming the section back to its original name (UPX0) overcomes this obstacle.

Then we have the unpacked PE file. When run, nothing happens unless you pass a parameter; a basic analysis with a debugger will show you that. You could then try to brute-force it, but there is a smarter way: the binary has a file attached as a resource, a JPEG XORed with the single-byte mask 0xFF. The name of the file is Acrostic.JPG, and once decoded it shows the following text:

To solve
almost each
known challenge you could
easily find
a solution.
Look carefully
on each word,
on each sentence, because
knowledge is hidden.
At this time you'd probably
take into account that this is not
more than garbage or
encrypted text…

Taking a closer look at it, you will notice the hidden message, spelled by the first letter of each line:

[T]o solve
[a]lmost each
[k]nown challenge you could
[e]asily find
[a] solution.
[L]ook carefully
[o]n each word,
[o]n each sentence, because
[k]nowledge is hidden.
[A]t this time you'd probably
[t]ake into account that this is not
[m]ore than garbage or
[e]ncrypted text…

That is: Take a Look At me.

Once you look inside the file, the following message can be seen:

>>> USE easy_challenge as pwd!!!! (STAGE 1/2)<<<

Running the file with easy_challenge as the parameter, the following message box appears:

Oric Atmos is the name of an ancient 8 bits microcomputer.

The program takes its own file name and calculates its CRC32, which gives a 32-bit value. With this value a new hidden message is decoded. In this case the result is not shown on screen but saved in an internal variable (just to make things a little awkward). You have to pay attention to notice that the text is there (it is something you see straight away when analyzing the disassembled code).

And the final hidden message is:

Congratulations!!
You reached the end of this crackme. 
The secret message is "There is no place like 8 bit world!"
Panda Security AMR Team 2009
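The three decoding steps above, as an added Python example that is not the challenge's own code: it unmasks a constructed 0xFF-XORed resource and checks for a JPEG header, reads the acrostic, and derives a 32-bit key from the CRC32 of a file name. The post does not say how that key is applied to the stage-2 message, so using it as a repeating XOR key, the file name challenge1.exe and the stage-2 blob are all assumptions built for the demonstration.

```python
import zlib

# Constructed sample: the first bytes of a JPEG (SOI marker FF D8 FF, APP0 segment, "JFIF")
# masked with 0xFF, standing in for the resource embedded in the challenge binary.
MASKED_RESOURCE = bytes(b ^ 0xFF for b in b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")

ACROSTIC_TEXT = """To solve
almost each
known challenge you could
easily find
a solution.
Look carefully
on each word,
on each sentence, because
knowledge is hidden.
At this time you'd probably
take into account that this is not
more than garbage or
encrypted text..."""


def unmask_resource(data: bytes, mask: int = 0xFF) -> bytes:
    """Undo a single-byte XOR mask; XOR is its own inverse, so the same operation decodes."""
    return bytes(b ^ mask for b in data)


def is_jpeg(data: bytes) -> bool:
    """A JPEG starts with the SOI marker FF D8 followed by another FF marker byte."""
    return data[:3] == b"\xff\xd8\xff"


def first_letters(text: str) -> str:
    """Read the acrostic: the first character of every non-empty line."""
    return "".join(line[0] for line in text.splitlines() if line)


def crc32_key(filename: str) -> bytes:
    """CRC32 of the file name (what the challenge computes), packed as 4 little-endian bytes."""
    return (zlib.crc32(filename.encode()) & 0xFFFFFFFF).to_bytes(4, "little")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. ASSUMPTION: the post only says the CRC32 value decodes the message."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_stage2(blob: bytes, filename: str) -> str:
    """Decode the stage-2 message; a renamed file yields a different key and therefore garbage."""
    return xor_with_key(blob, crc32_key(filename)).decode("utf-8", errors="replace")


# Constructed stage-2 blob: the final secret message encrypted under the key for a hypothetical
# file name, so decode_stage2 can be exercised end to end.
SECRET = 'There is no place like 8 bit world!'
STAGE2_BLOB = xor_with_key(SECRET.encode(), crc32_key("challenge1.exe"))
```

Because the key depends on the file name, renaming the binary before analysis silently breaks stage 2, which is worth remembering when a sample is copied under a hash-based name.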

As you can see, it was not that hard, was it? In fact, we received more than 100 answers in the first few hours, and in the end we received 44 right answers. This is the winner of the Amazon Gift Card and the AV license, who sent the right answer in just 24 minutes:

Bbuc

And the winners of the AV license:

Kaspars Osis
Vyacheslav Rusakov
kokezaru
김지환 DB분석팀

Thank you all for participating. Tomorrow, I will publish the second challenge, which I promise is going to be much harder 😉

First of all, thank you all for taking part in this challenge. The solution to the challenge can be found here:

The binary was packed with UPX, and we changed the section name to .reloc to make it harder to follow in IDA. Renaming the section to its original name (UPX0) gets past this obstacle.

Next we have the unpacked PE file. When run, nothing happens unless a certain parameter is used; a basic analysis with a debugger makes this part clear. You could then try to brute-force it, but there is a more elegant way: the binary has a file attached as a resource, a JPEG XORed with a single-byte 0xFF mask. The file is named Acrostic.JPG, and once decoded, opening it shows the following text:

To solve
almost each
known challenge you could
easily find
a solution.
Look carefully
on each word,
on each sentence, because
knowledge is hidden.
At this time you'd probably
take into account that this is not
more than garbage or
encrypted text…

If we look a little closer, we will see the hidden message in the first letter of each line:

[T]o solve
[a]lmost each
[k]nown challenge you could
[e]asily find
[a] solution.
[L]ook carefully
[o]n each word,
[o]n each sentence, because
[k]nowledge is hidden.
[A]t this time you'd probably
[t]ake into account that this is not
[m]ore than garbage or
[e]ncrypted text…

Looking inside the file, we will see the following message:

>>> USE easy_challenge as pwd!!!! (STAGE 1/2)<<<

Running the original file with the easy_challenge parameter, the following window will appear:

Oric Atmos is the name of an ancient 8 bits microcomputer.

Calculating the CRC32 of the file name gives a 32-bit value. With this value a new hidden message can be decoded. In this case the message is not shown on screen but saved in an internal local variable (to make things a little harder). Paying a little attention, you see that the text is there (it is something that can be seen at a glance when analyzing the disassembled code).

And the final message is:

Congratulations!!
You reached the end of this crackme. 
The secret message is "There is no place like 8 bit world!"
Panda Security AMR Team 2009

As you can see, it was not that hard, was it? In fact, we received more than 100 answers in the first few hours, and in the end we have 44 correct answers. This is the winner of the Amazon gift card and the antivirus license, who also sent the correct answer in just 24 minutes:

Bbuc

And the winners of the antivirus license:

Kaspars Osis
Vyacheslav Rusakov
kokezaru
김지환 DB분석팀

Thank you all for participating. Tomorrow I will publish the second challenge, and I promise it is going to be quite a bit harder 😉

Koobface.DU returns to Twitter

July 10, 2009

A few days ago the Koobface worm started to appear on Twitter. Today, Koobface returns, hijacking several Twitter user accounts to help propagate the worm. The malicious tweets start with the text "My Home Video :)" followed by a link to one of 20 or so malicious sites.

[Image: Koobface.DU.worm | Twitter Search]

Once on the malicious site, the victim is presented with a fake Flash update; after downloading two additional executables from a domain hosted in Belgium, the infection immediately starts communicating with Facebook and Twitter.

[Image: Koobface.DU.worm | Flash Check]

Fake codec site:

[Image: Koobface.DU.worm | Download]

Connections:

[Image: Koobface.DU.worm | Connections]

After attempting to spread on Facebook and Twitter, W32/Koobface.DU.worm further capitalizes on its efforts by installing the Adware/InternetAntivirusPro rogue antivirus.

[Image: Koobface.DU.worm | Rogueware]

Twitter responded to the threat quickly and has already begun removing the malicious tweets. We detected around 100 still-active malicious tweets at the time of writing.

Visual representation of malicious tweets:

[Image: Koobface.DU.worm | Visual Twitter Representation]

DDoS attacking US and South Korea government sites

July 8, 2009

There is currently a DDoS attack against a number of websites, most of which belong to US and South Korean government bodies. The malware involved in the attack has been detected as Mydoom.HN. This is the list of URLs it is targeting:


Zero day in MSVIDCTL.DLL

July 8, 2009

A couple of days ago we started spotting a new vulnerability affecting the Microsoft Video ActiveX Control. Even though it has been said that there are thousands of affected web sites, there are only a few dozen, and most of them are in China. Anyway, it is only a matter of time before this attack spreads worldwide. We have seen this zero day installing a Lineage Trojan, but this could change, and cybercriminals could install any kind of malware.

Microsoft has published an advisory with a workaround while they prepare a final solution. An important message to everyone: please apply this workaround ASAP.

If you are a Panda user with TruPrevent Technologies, then you are not in a hurry, as TruPrevent is proactively stopping it. The best thing is that you don't need to install any kind of beta or technology preview: it just works in all of our consumer and corporate products as long as TruPrevent is enabled. No matter which version you have installed, it covers not only the brand new 2010 products but any older version with TruPrevent.

Sean-Paul shows you here why and how you are protected:

Panda Challenge – "All that glitters is not gold"

July 7, 2009

Arrizen is the creator of this challenge. I have the full explanation, and even though he says it's really easy, I'm not so sure 🙂

This is everything Arrizen wants you to know before starting:

“All that glitters is not gold”

The file can be downloaded here. Enjoy yourselves, and don't forget to send the challenge solution and the explanation of how you got it to pandachallenge at pandasecurity dot com.

I will be publishing updates on Twitter, and next Monday I'll let you know the final results.

The terms and conditions of the competition can be downloaded from here.

Arrizen is the creator of this challenge. I have the full explanation, and even though he says it is really easy, I am not so sure 🙂

This is everything Arrizen wants you to know before starting:

"All that glitters is not gold"

The file can be downloaded here. Enjoy yourselves, and don't forget to send the solution to the challenge and the explanation of how you got it to pandachallenge at pandasecurity dot com.

I will be posting updates on Twitter, and next Monday I will publish the final results.

The terms and conditions of the challenge can be downloaded here.