PandaLabs

Quarterly Report April-June 2008

Luis Corrons — Mon, 07 Jul 2008 06:38:00 GMT

It’s time to see what has happened in the last three months and what we can expect for the second half of the year. We have been taking a look at the countries with most active malware:

When we talk about active malware we mean computers that have malware processes running in memory. Yes, it is scary, isn’t it?

We also make a review of the main banking Trojan families and their distribution throughout the first half of 2008:

Additionally, you can also be informed of the last massive infections via websites, spam evolution, phishing kits, vulnerabilities appeared during these months... Enjoy it!

English: Spanish:

Independence Day's Worm

Xabier Francisco — Fri, 04 Jul 2008 10:05:00 GMT

Once again the Stormworm as in many other special dates reaches our mailboxes in order to infect our computers with malware.

This time it is related to a very special day in the United States:

Independence Day firework broke all records

Amazing Independence Day show

Celebrating the Glory of our Nation

Celebrating 4th of July

Super 4th!

Etc…

This is what we will view in the web after clicking the link included in these emails:

Evidently, as in many other occasions, it is not an embedded video, so while we are seeing this website, our browser will be trying to install W32/Nurech.BG.worm in our computer.

The cases we have seen up to now follow the same pattern, the links point to different websites whose IPs are located in the United States and a malicious file will be downloaded “http://xxx.xxx.xxx.xxx/fireworks.exe ”.

World of Authentication

Luis Corrons — Wed, 02 Jul 2008 06:24:00 GMT

Those hardcore gamers already know that last weekend the 2008 Blizzard Entertainment Worldwide Invitational took place in Paris. There were very important announcements, as the development of Diablo III. But there was something that did not receive that much publicity, even though IMO it is very important: Blizzard Authenticator.

Basically, this is a hardware authentication token for World of Warcraft. Two-factor authentication based on hardware generated tokens is not new, but as far as I know it is the first time used in a MMORPG, even in any kind of game. Some banks have been using this kind of security measures for years, while others don’t even have two-factor authentication. Just imagine the amount of money that is handled in this game and the real risk that it implies so that Blizzard is offering this solution to the users of World of Warcraft. In the last two years we have seen a huge increase of banking Trojans, as well as malware targetting online games, basically for the two most popular: World of Warcraft and Lineage.

It is very comforting to see that Wizzard is getting involved in their user´s security; many companies should follow Blizzard's footsteps.

Mine is bigger than yours!

Luis Corrons — Tue, 24 Jun 2008 12:19:00 GMT

In the latest months, there have been some discussions about malware figures. My colleague Stuart wrote in the SophosLabs blog a post about this, as well as our colleagues at McAfee did. Today I’ve seen a press release from F-Secure, where they announce the publication of their 2008 first half data security summary (I have to talk to Mikko to see how they can summarize something that hasn’t finished yet ;-)

So now we have a small ranking, listed in alphabetical order:

F-Secure 900,000
McAfee 400,000 – 10,000,000
Sophos 4,600,000
Symantec 1,122,311
Panda 13,225,535

Q&A:

Does this mean that we detect more than they do?
No, it doesn’t mean that. It is like comparing apples and oranges.

So are you detecting less than the others?
No, as said before you shouldn’t compare apples and oranges.

Why some are apples and the other oranges?
You can be counting just files or detections. With one good detection you can detect thousands of malicious files.

The more signatures a product has, the best the product is?
No. Product A could have X signatures, and product B could have X/2 and detect more than product A.

Finally, when AV companies are talking about this kind of figures, they are referred as detections, malware files or similar. So no proactive technologies are involved in those figures… and that’s part of the solution – as well as the signatures- for the ever growing malware landscape that we have. Last week, Eva Chen, Trend’s Micro CEO said that ‘AV Industry sucks’. Even though I know what she meant and I do agree, I would have used different words. But what I want to point out about this is a different thing --> scanning "in the cloud". I’m really happy to see that we have created a trend and that now Trend Micro is following us. I really think that this is the best AV companies can do right now, and I hope the others will follow us too. We published almost one year ago a paper about this, we released a proof of concept of that technology within a memory online scan engine called Nanoscan. Later we applied some of this technology in our 2008 products, and it is completely integrated in our 2009 products, which are right now on public beta. Let’s see if we can build a safer world!

Malicious Spam Related to False Porntube Page

Xabier Francisco — Fri, 20 Jun 2008 12:04:00 GMT

It seems that the activity of this type of spamtraps has increased since the first time we detected it last week.

Like every spam message with malicious intentions, it tries to attract the user’s attention with interesting subjects so that they visit the attached link.

Below we can see some of the subjects used:

"Eiffel Tower suffers structural damage, collapse possible?"
"London rocked by gas attack, army on high alert?"
Britney found hanged in locker room?
Celtics disqualified from NBA title?
China Earthquake claims 1 million lives?
Dan Brown's latest novel?
Nokia unveils revolutionary new phone design?
Obama withdraws from elections?

The attached links can be different regarding their domain, though those we have seen up to this moment make reference to a file /r.html, which is a fake website of Porntube.

Once there, an error message will be displayed indicating the user that they need to install a component of Video ActiveX, which will install the file ideo.exe detected as Trj/Exchanger.G

Although the malware is hosted in the same domains to which the link of the spam makes reference, it connects to an IP address located in Beijing [ CHINA ] from which the creator probably view the statistics of the infected computers.

T2W --> Trojan to Worm

ocavada — Tue, 17 Jun 2008 16:04:00 GMT

We have detected an application whose main function is to turn an executable file into a worm, giving it the capacity to spread itself. Even though it’s aim is to give a Trojan the spread capability of a worm, it works with any executable file.

As you can see in the image below, Constructor/Wormer is an eye-catching tool and very easy to use. By checking different flags, you can design a worm with different functionalities, such as compress it with UPX, enable MuteX, select icons, etc.

It also has advanced options to select a certain infection date, disable different options of the operating system, such as the Task Manager, the Windows Registry Editor, Folder Options, and different browsers such as Internet Explorer, Firefox or Opera. Additionally, the worms can be configured to display a message when they are run or activate themselves when Windows is started.

One curious option is that you can avoid the infection of removable drives, such as PenDrives, indicating the username and the name of the drive.

The tool seems to have been created in Spain. You can switch the language of the tool to English, Spanish, Portuguese and Catalan. As you can see, nowadays there are tools that allow any user, no matter their technical knowledge, to create malware very easily.

Thanks to Oscar Anduiza for the information.

Malicious use of Akihabara's killer news

Xabier Francisco — Wed, 11 Jun 2008 10:31:00 GMT

It is surprising how fast the cyber-crooks take advantage of any eye-catching news to distribute malware. Less than two days after the tragic event that took place in Tokyo “Tomohiro Kato - Akihabara Killer”, we detected an email that used this news as a bait to deceive users.

The email seemed to come from an address belonging to the RPP news (Radio Programas del Perú) in order to pass itself as a trustworthy source. However, you can check in the following URL, which makes reference to the official news published by RPP, that it is totally different to the news included in the malicious email message, where after a brief description of the event, users are enticed to download and see a video regarding this news. However, what they actually download and install in the system is the Trojan QHost.IH.

This malware is designed to modify the hosts file by adding four fake websites of a certain banking entity. This way, if users visit any of the websites included in the hosts file, they will not be redirected to the original one but to another imitating the original website.

Another trojan creator...

Xabier Francisco — Mon, 09 Jun 2008 16:33:00 GMT

Everybody knows that nowadays it is very easy to create malicious programs or new variants of malware generally with the help of programs like virus constructors, which are publicly released by real experts in creating malware.

As we mentioned in a previously published post, these “beginners” in creating malware use different antivirus scanners with which they test their creations until they are undetectable.

In this case, one of these tools is Constructor/Turkojan, which offers new different functionalities with each version, currently the v4.0. Among the options offered, the following are included:

Remote Desktop / Webcam Streaming / Audio Streaming / Remote passwords / MSN Sniffer / Remote Shell / Advanced File Manager / Online & Offline keylogger / Information about remote computer / Etc..

You may be wondering which benefits the author gains with this tool. Obviously, there is a financial reason behind this. Almost all users who design this type of tools offer versions with different services, which include customized support depending on the sum of money paid.

This is a clear example that shows that cybercrooks are more are more professional and that there is a real organized business which looks for the profitability of their creations.

Be careful with Tixcet.A

ocavada — Mon, 02 Jun 2008 08:45:00 GMT

PandaLabs has recently discovered the worm Tixcet.A

It is a very destructive worm, as it deletes files with several extensions and replaces them with a copy of itself keeping the same name as the original files. Among the affected extensions are the following: .DOC, .PPT, .MP3, .MOV, .ZIP and .JPG. This means that we can lose our photos, songs, Word documents and other important files for us.

Additionally, it does not allow files to be copied, as it disables the option Paste and contents to be copied, as the text that is copied is not the selected by the user but one selected by the worm.

It reaches the computer passing itself off as a Word document in order to deceive users.

It also creates several files that contain a signature of the author, like the following:

PandaLabs has analysed this worm deeply and has prepared an interesting video where we can see some of the actions it carries out in the affected computers.

Lost in Translation (II)

Luis Corrons — Tue, 27 May 2008 10:25:00 GMT

As promised, here you can see some pictures. This is the Grand Prince Hotel Akasaka, where the meeting is taking place:

This is me inside the hotel:

This is the Tokyo Tower, a 250-meter-high tower from which you can see the whole city:

Finally, I recommend you to visit Japan, it’s an unforgettable experience:

Well, this is all for the moment, you’ll hear from me soon.

Signing off,

Luis