Archive for the ‘Malware’ Category

Welcome to Super Antivirus Blog

December 17, 2009

I am a Jedi. http://sinaurl.cn/hiWzC Turning the complex into the simple… a cocoon becoming a butterfly. Panda Cloud Antivirus: the first free cloud-based antivirus software.

http://pandalabs.pandasecurity.com/archive/This-way-works-the-worm-for-iPhone.aspx

December 10, 2009

We have created a video showing how the iPhone/Eeki worm works.

You can see it here:

As you can see in the video, this malware first checks that it is not already running on the device. To do so, it checks whether the following file exists:

/var/lock/bbot.lock

This can help you tell whether you are infected: if that file exists on your device, the worm is there.
Next, it changes the device host and stops the SSH daemon.
It then tries to spread across the subnet the phone is connected to, and also generates random IP ranges to try. Among these are pre-established ranges corresponding to certain companies' IP addresses:

IPs

Once an IP address has been generated, it remotely accesses the jailbroken iPhone over an SSH connection, using the default root key included in all iPhoneOS devices (1G, 2G and 3G iPhone and iPod touch devices). If access is denied, it generates another random IP and repeats the process until it obtains a valid IP belonging to a vulnerable victim.

Once a victim is found using those credentials, it opens a remote session, copies itself to the affected phone, and adds:

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist

so that it runs again on restart.

It then stops the SSH service through which the infection occurred. Finally, it copies a photo of Rick Astley to the device and sets it as the wallpaper.
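The post points out that the lock file is a way to tell whether a phone is infected. The following Python is an added example, not code from the post or from PandaLabs: it looks for the three paths named above under a given filesystem root (the phone's own "/" or a copied image), rates them as strong or weak evidence, and builds a constructed sample layout so the check can be tried offline.

```python
import tempfile
from pathlib import Path

# Indicators named in the post above. The lock file and the bbot launch daemon
# are strong evidence. com.saurik.Cydia.Startup.plist is named after Cydia's own
# startup job, so on a jailbroken phone that already has Cydia it proves little
# by itself and is only reported as weak evidence.
STRONG_INDICATORS = [
    "var/lock/bbot.lock",
    "System/Library/LaunchDaemons/com.ikey.bbot.plist",
]
WEAK_INDICATORS = ["System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"]

def check_eeki_indicators(root="/"):
    """Return (strong_hits, weak_hits): indicator paths that exist under root.
    root is "/" on the phone itself, or a copied filesystem image on an analysis box."""
    base = Path(root)
    strong = [p for p in STRONG_INDICATORS if (base / p).exists()]
    weak = [p for p in WEAK_INDICATORS if (base / p).exists()]
    return strong, weak

def verdict(strong, weak):
    """Turn the two hit lists into a one-word result."""
    if strong:
        return "infected"
    return "cydia-only" if weak else "clean"

def build_sample_root(infected):
    """Constructed, throwaway layout for trying the check: a clean jailbroken phone
    has only the Cydia plist; an infected one also has the lock file and bbot plist."""
    base = Path(tempfile.mkdtemp(prefix="eeki-sample-"))
    for rel in WEAK_INDICATORS + (STRONG_INDICATORS if infected else []):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).touch()  # empty placeholder file; contents are not inspected
    return str(base)

if __name__ == "__main__":
    for flag in (False, True):
        s, w = check_eeki_indicators(build_sample_root(flag))
        print(verdict(s, w), s, w)
```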

Wallpaper

“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.

Zero day in MSVIDCTL.DLL

July 8, 2009

A couple of days ago we started spotting a new vulnerability affecting the Microsoft Video ActiveX Control. Even though it has been said that there are thousands of websites affected, there are only a few dozen, and most of them are in China. Anyway, it is only a matter of time before this attack expands worldwide. We have seen this zero day installing a Lineage Trojan, but this could change, and cybercriminals could install any kind of malware.

Microsoft has published an advisory with a workaround while they prepare a final solution. An important message to everyone: please apply this workaround ASAP.

If you are a Panda user with TruPrevent Technologies, then you are not in a hurry, as it proactively stops this attack. The best thing is that you don't need to install any kind of beta or technology preview; it just works in all of our consumer and corporate products as long as TruPrevent is enabled. No matter which version you have installed, it covers not only the brand new 2010 products but any older version with TruPrevent.

Sean-Paul shows you here why and how you are protected:

New Storm Worm: Waledacs

July 6, 2009

After several months of calm, a new Waledac campaign has just started. This time a significant date has been used as social engineering bait: Independence Day, celebrated on the 4th of July.

Nearly 30 domains are being used to spread this malware, using the following interface:

Waledacs

After clicking the video, a message is displayed prompting the user to download an executable file. The names it uses are the following: fireworks.exe, video.exe, install.exe, patch.exe, setup.exe and run.exe.

The affected computer sends spam messages like this:


HAMLET. "Something is rotten in the state of Malware"

April 23, 2009

Written on behalf of José Julio Ruiz de Loizaga. 

Today being the birthday of William Shakespeare, I felt the urge to write this post.  When reversing files, one is prepared to find anything – well, almost anything. I was analyzing a dll and was surprised to find passages from Hamlet.  At first I thought "My God, a trojan that promotes literacy, how odd." My surprise increased when the next files, two additional dlls, also contained fragments of The Bard's prose.


First dll.

It was clear that these three files were related. There were two possibilities: either the malware author was a fan of sixteenth-century Renaissance literature, or the text was used to make detection more difficult.

This method has been seen before in phishing emails.  Anti-phishing engines look at keywords in the body of a message.  When these words are found, they are correlated to the length of the message.  In other words, a keyword has greater weight the more times it is repeated in a short message, which is why it is not unusual to find phishing emails with some literary text rendered white, so as to be invisible to the reader.  Although the recipient does not see the extra words, the anti-phishing engine is fooled by the additional words.
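The keyword-density heuristic described above, and how white-rendered padding defeats it, worked through in Python. This is an added example, not code from the post; the keyword list, the hidden-text pattern and the sample message are all constructed for illustration, and the fix shown (dropping invisible elements before scoring) is one defender's countermeasure, not anything the post claims.

```python
import re

# Keywords a density-based anti-phishing heuristic might weight (constructed list).
KEYWORDS = {"account", "verify", "password", "login", "suspended"}

TAG = re.compile(r"<[^>]+>")
# Elements whose inline style renders them invisible: white text or zero font size.
# Illustrative pattern only; a real engine must also resolve CSS classes, images, etc.
HIDDEN = re.compile(
    r'<(\w+)[^>]*style="[^"]*(?:color\s*:\s*(?:#fff(?:fff)?\b|white)|font-size\s*:\s*0)[^"]*"[^>]*>.*?</\1>',
    re.IGNORECASE | re.DOTALL,
)

def keyword_stats(html):
    """Return (keyword_hits, total_words) for the text of an HTML message body.
    The engine described above weights hits against length, so hits/total is the score."""
    words = re.findall(r"[a-z']+", TAG.sub(" ", html).lower())
    hits = sum(1 for w in words if w in KEYWORDS)
    return hits, len(words)

def density(html):
    hits, total = keyword_stats(html)
    return hits / total if total else 0.0

def strip_hidden_text(html):
    """Remove invisible elements before scoring, so padding no longer dilutes the score."""
    return HIDDEN.sub(" ", html)

# Constructed sample: a short lure, then the same lure padded with white-rendered Hamlet.
LURE = "Your account has been suspended. Please verify your password at the login page."
PADDING = ('<span style="color:#ffffff">To be, or not to be, that is the question: '
           "whether 'tis nobler in the mind to suffer the slings and arrows of outrageous fortune</span>")
PADDED = LURE + " " + PADDING

if __name__ == "__main__":
    for name, body in (("lure", LURE), ("padded", PADDED), ("padded, hidden stripped", strip_hidden_text(PADDED))):
        print(f"{name}: hits/words={keyword_stats(body)} density={density(body):.2f}")
```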

Second dll.

This technique isn't exactly the same, but it has the same goal: to trick the antivirus. In this case, the signature file engine is the target. The additional text is inserted with the intention of changing the file's signature, thereby avoiding detection. The truth is that this is an interesting and educational way of doing so.

Third dll.

P.S., I would have personally chosen "100 Years of Solitude", but well, "Hamlet" is not bad either.

New Waledac campaign

April 16, 2009

Waledac family activity has increased over the last few months. The malware creators have been using several social engineering techniques to spread these samples: important dates like Christmas and Valentine's Day, important events such as the appointment of Barack Obama as president of the United States, or fake news.

Waledacs

Currently, the technique is to offer a service that supposedly lets someone read the SMS messages received by a certain phone number. Obviously, it is a completely fake service, and it could even be described as illegal and immoral. After accessing the website and downloading and running the software, the computer is infected and immediately starts hosting the infection website and executable itself.

Visualization

Snapshot of the Waledac network:

Waledac.AU Snapshot

The main function of the Waledac family, besides its own propagation, is to send spam messages to the email accounts obtained from the infected computer. Additionally, it can carry out other malicious actions, such as downloading malware, opening ports in order to receive instructions (acting as a botnet) and stealing passwords which are then sent to remote URLs.

Emails

The following graph represents the evolution of the files detected as Waledac received in our inboxes during the last three months:

Evolution 

Taking into account the data for the first two weeks of April, there has been an increase of almost 200% compared with February's figures.


Which subject will the malware creators use next to spread this worm? We'll know soon…

Chapter 2. The Conficker countdown melodrama.

March 31, 2009

The melodramatic Conficker countdown is starting to resemble one of those never-ending TV soap operas: everyone is talking about it, but it never draws to an end. Well, at last the countdown is in the final straight, because otherwise we could end up with mass hysteria.

So let's see what new information there is about Conficker. It would seem that some opportunists are taking advantage of the notoriety of Conficker, downloading malware onto computers from domains that are ranked highly in Google searches for the name of this virus. It’s not surprising, when you see how widely the news is being reported.  Google Trends illustrates the point:

What is most interesting is the ranking of countries where this information is being most widely reported, and where most people are searching for this information. Bearing in mind the number of domains that are downloading malware by exploiting the interest in Conficker, without actually having any connection with it, it is likely that although people in these countries may escape the wrath of Conficker, there may still be users who have downloaded other Trojans simply by searching for news about Conficker… Ironic really. Perhaps on April 2 we will be talking about another epidemic in Indonesia or Austria…

What new information is there about Conficker? Absolutely none, other than that everyone is waiting with bated breath to see when the apocalypse starts. This all takes me back to when, in the laboratory, we had a calendar for marking the payload dates of notorious viruses such as Friday 13 or Barrotes. So does this mean we are returning to the days of epidemics with payloads and countdowns?

Paradoxically, while we are all waiting to see what happens tomorrow, who knows what is actually going on in the background, and how many people are lining their pockets thanks to Conficker. And to get back to soap operas, what are the odds on a happy ending to the Conficker saga?

Facebook Malware Refocusing on Bank of America

March 14, 2009

The perpetrators behind the recent Classmates and Facebook Malware incident are now refocusing their attack on Bank of America customers.  The new website is designed to look like a Bank of America Help page and reads:
“You have not been permitted to access the Bank of America Direct® login page because your browser did not provide a valid digital certificate. In order to access Bank of America Direct, you must have a valid Digital Certificate installed on your PC.  For help, please select from the help links below.”

Bank of America Malware Site

The page includes a fake video labeled as an "Installation Demo" which actually points to a malicious executable named Adobeflashplayer.exe, which we detect as Trj/Spyforms.BZ.

Trj/Spyforms.BZ is primarily distributed through links in spam e-mails. The Trojan is designed to monitor network traffic and steal FTP, ICQ, POP3 and IMAP passwords. The stolen data is then sent back to a server located in Hong Kong.

ID Theft Malware is Infecting Computers at Alarming Rates

March 9, 2009

Today we're announcing the results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months.

Here are the highlights from our study on the evolution of online identity theft:

Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year.

1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans.

35% of the infected PCs had up-to-date antivirus software installed.

The number of PCs infected with identity theft malware increased by 800 percent from the first half of 2008 to the second half.

Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft.

Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who use online services such as shopping, banking, and social networking have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware, based on Panda Security's projected infection rate, could reach 90 million hours.

The study revealed that an alarming 35 percent of the PCs infected with this type of malware were using up-to-date antivirus software. Antivirus labs are receiving a massive amount of new malware samples each day (22,000 new samples per day according to PandaLabs), and antivirus vendors are continually updating their services to keep up with the overwhelming volume of new malware surfacing each day. AV detection labs such as PandaLabs have made advances in automated detection and classification capabilities. These new detection methods, as well as improved surveillance and cloud-based detection techniques, have reduced the risk of individual identity theft incidents and their associated costs. Some global banks, notably in Brazil, have made changes to banking authentication using electronic tokens and virtual keyboards, but these approaches have been slow to be adopted in the U.S.

Malware in Social Media

February 26, 2009

A few weeks ago we talked about cyber-criminals using Digg.com to spread malware. Today we see that the very same group responsible for the Digg.com incident was using the same tactic on YouTube through the use of YouTube's Annotations feature. Video Annotations is a way to add interactive commentary to videos on YouTube.

The following image shows a video using the annotations feature to guide users to a malware-ridden website:

Although the YouTube description malware is not as prevalent as the Digg.com comment abuse, it does show that social media websites are increasingly being used to spread malware. We expect to see plenty of new examples like this throughout 2009.

Thanks to Dancho Danchev for the information.