Archive for the ‘Cybercrime’ Category

Welcome to Super Antivirus Blog

December 17, 2009

I am a Jedi. http://sinaurl.cn/hiWzC Turning complexity into simplicity… breaking out of the cocoon to become a butterfly. Panda Cloud Antivirus, the first free cloud-based antivirus software.

New ways to distribute rogueware

November 21, 2008

Nowadays the most prevalent infections are rogueware: fake antivirus, antispyware or anti-anything products that try to take users' money by making them pay to remove nonexistent threats. As we showed recently, they are making huge amounts of money.

They are usually installed on victims' computers through drive-by downloads, as well as through the same social engineering we see in spam distributing any other kind of malware. We see this kind of spam on a daily basis. Some samples are the usual message with a link to a supposed greeting card; others carry a Trojan downloader that, if run, downloads and installs the rogueware; others link to websites with photos or videos that ask you to install a fake codec (the rogueware itself) in order to view them.


But today we have found an even smarter way to fool users. At first I thought it was the typical message going around to harvest valid e-mail addresses.


Once you click on the link it takes you to a download page. When clicking on "Download", the user finds out that it was not as free as he might have thought.


Of course the rogueware is not free; in fact it is worse than not free, since you pay and obtain nothing in exchange. Taking a look at the URL, I noticed that it contained the word "antivirus2". I removed the "2", and the page I obtained belongs, of course, to a different scam run by the same guys.

As stock market drops malware rises

November 21, 2008

As the U.S. stock market indexes dropped sharply in September, cybercriminals organized their efforts to sustain profitability. While the stock market shows a sharp declining trend, malware shows a very different one: growth during periods of economic uncertainty or recession. In essence, cybercriminals are adapting their tactics in response to changes in the market, which suggests that they are gaining rather than losing ground in these times of economic upheaval.

When the lab began looking into what cybercriminals do to the economy during times of duress, we found a startling and unexpected connection: the criminal economy is closely tied to the legitimate one. Based on our research and analysis of malware patterns, we believe criminal organizations are closely watching market performance and adapting to ensure maximum profit: activity appears to increase during periods of fluctuation in the markets and the economy.

Between Sept. 1 and Oct. 9, as stock market values kept dropping, threat activity kept increasing: activity on the "malware market" grew substantially as the stock markets declined.

This appears to be a deliberate strategy to infect as many consumers as possible while economic fear is heightened, tilting the odds in their favor to maximize profits. A notable example is the orange alert PandaLabs issued earlier this month: 30 million victims were infected with fake security software, and 3.5 percent of those infected paid, out of fear of identity theft prompted by compelling pop-ups warning that the computer was severely infected.

Heightened fear during economic crises plays into cybercrime strategies: as the Dow loses significant value, the perception of economic instability leads more victims to succumb to fake AV software; essentially, the victim pays out of fear of losing everything. The strategy works very well because it exploits the lack of confidence in the markets, and when timed right it generates mass revenue (US$14 million per month) in a short period of time.

Figure 1 shows the general decline of market indicators (average of DJIA, NASDAQ and S&P 500) over a month and a half, with correlated spikes in new malware detections.

Figure 2 narrows the range to Sept. 8 through Sept. 16. The indexes dropped 3.0% on Sept. 9 while new malware rose to over 24,000 new threats, more than double the previous day. Sept. 16 saw a decline of more than 5.5% in value while new malware climbed to over 31,000 instances.

Figure 1 – U.S. stock market vs. malware market, 9/1/08 – 10/9/08

Figure 2 – U.S. stock market vs. malware market, 9/8/08 – 9/16/08

This data shows that cybercriminals will persist in exploiting malware for financial gain regardless of the state of the economy: they continually adjust their strategies, and the evidence here shows them capitalizing on economic lows to prey on unsuspecting consumers and enterprises. Continued analysis gives us a deeper understanding of the relationship between the economy and the evolution of cybercrime, and by remaining aware of these findings we can all be better prepared to protect ourselves, and the economy, from the very real dangers of malware.

Fake Email of the Federal Police of Brazil (Computer crimes investigation unit)

November 18, 2008

This fake email appears to come from the computer crimes investigation unit of the Brazilian federal police. It tries to frighten users by accusing them of having accessed illegal websites from their computer and entices them to view the report by following a link. However, it is just another bait used by cyber-crooks to install a banking worm on our computers.

This "police report", which we have named W32/Banbra.GDB.worm, initially works as a Trojan downloader, fetching the rest of the worm's components.

The defining feature of a worm is self-propagation, but this malware is also designed to carry out other malicious actions. On the one hand, it downloads from several domains hosted in Brazil and the United States the configuration files used to build the spam messages it sends to other users; on the other, it activates when the user accesses the website of a particular Brazilian bank in order to steal the access credentials for that bank.

Who Wants to Be a Millionaire?

October 14, 2008

During the last months I've been asked the same question almost every day: why are there so many rogueware infections? We have already published some data in the blog, as well as in the 2008 Q3 Report. The infection figures are telling:

As you can see, Adware is the top category, and that is due to the rogueware detections included in it. With all the sensors in the new products that connect to Collective Intelligence, and given this wave of infections, I wanted to know whether the feeling I had was real. From 1 June 2008 until yesterday we have received reports from more than 2 million different computers. Our user base is much larger, but I have only taken data from products that connect to the cloud and whose users have agreed to share information, which means most of them are users of our free online scanner ActiveScan.

The next query was easy: how many of these 2 million computers have detected rogueware? About 70,000 different computers, roughly 3% of the 2 million.

How can we translate this to the whole world? We can extrapolate; even though this is not 100% accurate (the sample is skewed, since most of it comes from people who chose to run an online scanner), it sheds some light on the issue. According to Forrester, there are about 1 billion computers (US billion, one thousand million for non-US readers). At 3%, that would make 30 million rogueware-infected computers.

Then we have Gartner, which said that about 3.30% of people lose money to phishing, i.e. they actually send their banking information to the phishers. Rogueware is much more aggressive than phishing, but as we do not know how many users are being fooled into buying that "software" to get rid of fake infections, let's assume that only that same 3.30% pay. That would mean almost 1 million users buying rogueware (in only 4 months and 2 weeks!)

The price of each rogueware application varies, but let's say 50€ is the average. The arithmetic is simple:

50€ * 1,000,000 = 50,000,000 € (US$ 69,000,000)

Ok, they are not earning this money all at once; it is spread over 4 months and 2 weeks, so that means more than 11,000,000€ (US$15,000,000) per month.

So… Who Wants to Be a Millionaire?

The Emergence of Crimeware as a Service (CaaS)

September 30, 2008

As the malware threat landscape continues to evolve, attackers constantly change techniques to counteract the detection technologies vendors develop. Using sophisticated methods to evade antivirus technologies, they remain relentless in their pursuit of damaging IT systems and gaining access to personal information.

In the past, virus writers used polymorphism and metamorphism to generate an endless stream of new worm variants. With polymorphism, the virus re-encrypted or rewrote its own body into a different form on every infection so that no fixed byte pattern was available for signature-based detection. The antivirus industry eventually responded with emulation: the engine runs the sample in a controlled environment until its decryption routine has reproduced the constant body, which can then be detected by conventional means (signatures and heuristics). This approach depended on the researcher's access to the polymorphic engine, meaning its logic had to be decoded before protection for specific mutations could be developed.

Attackers have shifted their interest from fame (among shady peers) to profit, and go after financial gain by developing new and innovative ways to slip under the radar. Some of these methods show real out-of-the-box thinking when it comes to crime; the custom HTML injection used by banker Trojans to harvest protected information is one example.

As we begin to map the evolution of malware, several recurring stealth and camouflage techniques stand out, including:

  • Custom run-time packers (compression)
  • Server-side polymorphism

A major risk to security is the emergence of server-side polymorphism, or "Crimeware as a Service (CaaS)", in which the polymorphic engine does not reside in the malware itself but remotely on a server. We know of two forms today: in the first, the server distributes freshly mutated copies of the malware in volume, so that every download is a different file; in the second, a bot already running on a PC that is part of a botnet can be replaced with a mutated variant on command over HTTP. It is called crimeware as a service because the mutation engine, and in effect the viral code, lives not on the host but in the cloud, much like a software-as-a-service platform. In other words, CaaS provides malware on demand to the infected host.
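The following toy model is an added example and not PandaLabs code; it illustrates both points above: why a signature on the delivered file fails against server-side polymorphism (each download has a new hash), and why emulating the stub to recover the constant body still detects it. Everything in it is invented for the illustration: the "TOYPK1" stub format, the XOR-with-random-key "mutation", the function names, and the payload, which is a constructed harmless string rather than any real malware.

```python
"""Toy model of polymorphism vs. hash signatures vs. emulation.

Added example, not PandaLabs code. PAYLOAD is a constructed harmless
string; the TOYPK1 stub format and all function names are invented here.
"""
import hashlib
import os
import struct
from typing import Dict, Optional, Set

# Constructed, harmless stand-in for the constant "viral body" that the
# server re-wraps for every download.
PAYLOAD = b"CONSTRUCTED_SAMPLE_PAYLOAD:: stand-in for the real body, does nothing"
PAYLOAD_SIGNATURE = b"CONSTRUCTED_SAMPLE_PAYLOAD::"   # what a body signature matches

MAGIC = b"TOYPK1"                 # hypothetical stub marker
HDR_FMT = "<BHI"                  # key length, junk length, body length
HDR_LEN = len(MAGIC) + struct.calcsize(HDR_FMT)


def pack_variant(payload: bytes, key: Optional[bytes] = None,
                 junk_len: Optional[int] = None) -> bytes:
    """Server side: wrap the same payload in a stub with a fresh random XOR key
    and random junk, so every download is a byte-for-byte different file."""
    key = key or os.urandom(8)
    if junk_len is None:
        junk_len = 16 + os.urandom(1)[0]
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    header = MAGIC + struct.pack(HDR_FMT, len(key), junk_len, len(body))
    return header + key + os.urandom(junk_len) + body


def file_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def detect_by_hash(blob: bytes, known_hashes: Set[str]) -> bool:
    """Signature on the whole file: only matches the exact sample an analyst saw."""
    return file_hash(blob) in known_hashes


def emulate_unpack(blob: bytes) -> Optional[bytes]:
    """Client-side 'emulator': reproduce what the stub would do at run time
    (read its key, skip its junk, decode the body) to recover the constant body.
    Returns None if the blob is not this packer's output."""
    if len(blob) < HDR_LEN or not blob.startswith(MAGIC):
        return None
    key_len, junk_len, body_len = struct.unpack(HDR_FMT, blob[len(MAGIC):HDR_LEN])
    if key_len == 0 or len(blob) != HDR_LEN + key_len + junk_len + body_len:
        return None
    key = blob[HDR_LEN:HDR_LEN + key_len]
    body = blob[HDR_LEN + key_len + junk_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def detect_by_emulation(blob: bytes) -> bool:
    """Signature on the unpacked body: survives any number of server-side mutations."""
    body = emulate_unpack(blob)
    return body is not None and PAYLOAD_SIGNATURE in body


def simulate(n_downloads: int = 5) -> Dict[str, int]:
    """An analyst captures one download and blocklists its hash; the server then
    serves n_downloads fresh mutations of the same payload to other victims."""
    captured = pack_variant(PAYLOAD)
    blocklist = {file_hash(captured)}
    downloads = [pack_variant(PAYLOAD) for _ in range(n_downloads)]
    return {
        "total": n_downloads,
        "distinct_hashes": len({file_hash(d) for d in downloads} | blocklist),
        "hash_hits": sum(detect_by_hash(d, blocklist) for d in downloads),
        "emulation_hits": sum(detect_by_emulation(d) for d in downloads),
    }


if __name__ == "__main__":
    print(simulate())   # hash_hits stays 0 while emulation_hits equals total
```

The design point is the one the post makes: the emulator only works because the analyst has already decoded the stub's logic (here, the TOYPK1 layout). A server that changes the stub format itself, rather than just the key and junk, forces that decoding work to start over, which is exactly the leverage a server-side engine gives its operators.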

For the complete article, which I wrote, see the posting at SC Magazine online.

VML, Viking and Lineage… Any further bids?

October 20, 2006

We are aware of a site hosting a page that exploits the VML vulnerability. Through this exploit it downloads a W32/Viking variant, which in turn downloads several Trj/Lineage variants, and these Lineage variants are responsible for gathering victims' data, such as passwords. Surf carefully…

Spam as a financial tool

October 19, 2006

Everyone knows that spam is used to advertise all kinds of products and that attackers use it in other ways (installing malware through exploits, etc.). The message usually links to an external site, but not always. We have recently seen spam messages about a deal involving a Canadian company; the message advised buying that company's stock on Thursday, 21 September 2006.

How can we measure the success of the message? Let's take a look at the stock price on that day:


As we can see, someone could earn a lot of money by buying the stock, sending this kind of spam and selling the whole position the same day, when everyone else is trying to buy. I have just received a similar one, this time about a Mexican company. Let's follow it up; tomorrow I'll publish how that stock evolves.