Archive for the ‘Worms’ Category

Welcome to Super Antivirus Blog

December 17, 2009

I am a Jedi. http://sinaurl.cn/hiWzC Simplify the complex... break out of the cocoon as a butterfly. Panda Cloud Antivirus, the first free cloud-based antivirus software.

http://pandalabs.pandasecurity.com/archive/This-way-works-the-worm-for-iPhone.aspx

December 10, 2009

We have created a video on how the iPhone/Eeki worm targeting iPhones works.

You can see it here:

As you can see in the video, this malware first checks that it is not already running on the device. To do so, it checks whether the following file exists:

/var/lock/bbot.lock

This may help you know if you are infected: if that file is on your device, the worm is there.
Next, it changes the device host and stops the SSH daemon.
It then tries to spread across the subnet the phone is connected to, and also tries to generate a random IP range. It tries pre-established ranges corresponding to certain companies' IP addresses:

IPs

Once an IP address has been generated, it remotely accesses the jailbroken iPhone at that address, establishing an SSH connection and using the default root key included in all iPhoneOS devices (1G, 2G and 3G iPhone and iPod touch devices). If access is denied, it generates another random IP and repeats the process until it obtains a valid IP from a vulnerable victim.

Once the victim is found with the previous credentials, it obtains a remote session and copies itself to the affected phone, adding:

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist

to run on restart.

It stops the SSH service that has caused the infection. Finally, it copies a photo of Rick Astley and uses the image as the device wallpaper.
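The file names above are enough to write a simple indicator check. The POSIX shell script below is an added example, not code from the original post or from PandaLabs; it tests for the lock file and the launch daemon plist the post attributes to the worm, treating the Cydia startup plist as informational only because it is expected on any jailbroken device. The optional root-directory argument is an assumption of this example so the same check can be run against a mounted backup or a test directory rather than the live device.

```shell
#!/bin/sh
# Added example (not from the original post): check a jailbroken iPhone's
# filesystem for the iPhone/Eeki indicators listed in the post.
#
# Usage on the device:   sh check_ikee.sh
# Usage on a backup:     sh check_ikee.sh /path/to/mounted/root
#
# The root-prefix argument is an assumption of this example; the indicator
# paths themselves are the ones the post gives.

# Print the paths that indicate an infection, one per line, prefixed with
# the optional root directory.
ikee_indicators() {
  root="${1:-}"
  printf '%s\n' \
    "$root/var/lock/bbot.lock" \
    "$root/System/Library/LaunchDaemons/com.ikey.bbot.plist"
}

# Report each indicator present under the given root.
# Returns 0 when none is found (clean) and 1 when at least one is found.
check_ikee() {
  root="${1:-}"
  found=0
  ikee_indicators "$root" | while IFS= read -r path; do
    if [ -e "$path" ]; then
      echo "FOUND: $path"
    fi
  done
  # Re-test outside the pipeline so the result survives the subshell.
  for path in $(ikee_indicators "$root"); do
    [ -e "$path" ] && found=1
  done
  # Cydia's own startup plist is legitimate on jailbroken devices; the post
  # says the worm adds it, so mention it but do not count it as an indicator.
  if [ -e "$root/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist" ]; then
    echo "INFO: Cydia startup plist present (normal on jailbroken devices)"
  fi
  if [ "$found" -eq 0 ]; then
    echo "No iPhone/Eeki indicators found under '${root:-/}'"
  fi
  return "$found"
}

# Run the check against the live device when executed directly.
if [ "${0##*/}" = "check_ikee.sh" ]; then
  check_ikee "$1"
fi
```

The exit status makes the check usable from a larger audit script: a non-zero return means the lock file or the worm's launch daemon plist exists and the device should be treated as infected until it is cleaned.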

WallPaper 

“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.

Koobface: The saga continues

August 13, 2009

The gang behind the Koobface worm has been hard at work in releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.

Sample malspam:

Koobface Link

After clicking the link, victims are automatically redirected to a Koobface-controlled server, which then routes them to a fake codec site specifically designed for the social network they came from.

Fake codec site:

The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which then ultimately transforms their machine into a distribution point for the infection to further propagate. 

Koobface Site

Koobface connection log:

Koobface connection log

On infection, the Koobface worm immediately attempts to download three additional executable files.

Koobface on infection

After turning the victim's computer into its next distribution point, it also attempts to monetize the infection by installing "Total Security" rogueware.

Adware/TotalSecurity