PandaLabs : Malware

Zero day in MSVIDCTL.DLL

Luis Corrons — Wed, 08 Jul 2009 07:21:00 GMT

A couple of days ago we started spotting a new vulnerability affecting Microsoft Video ActiveX Control. Even though it's been said there are thousands of web sites affected, they are only a few dozens and most of them are in China: Anyway, it is a matter of time to see this attack expanding worldwide. We've seen this zero day installing a Lineage Trojan, but this could change and cybercriminals could install any kind of malware.

Microsoft has published an advisory with a workaround while they prepare a final solution. An important message to everyone: please apply this workaround ASAP.

If you are a Panda user with TruPrevent Technologies, then you are not in a hurry, as it is proactively stopping it. The best thing is that you don't need to install some kind of beta or technology preview, it just works in all of our consumer and corporate products as long as they have enabled TruPrevent. No matter which version you have installed, it covers not only the brand new 2010 products but any old version with TruPrevent.

Sean-Paul shows you here why and how you are protected:

New Storm Worm: Waledacs

Asier Martínez — Mon, 06 Jul 2009 07:53:00 GMT

After several months of calm, a new Waledac campaign has just started. This time a significant date has been used as social engineering: the Independence Day celebrated on 4th of July.

Nearly 30 domains are being used to spread this malware using the following interface:

After clicking the video, a message will be displayed to download an executable file. The name it uses are the following: fireworks.exe, video.exe, install.exe, patch.exe, setup.exe and run.exe.

The affected computer sends spam messages like this:

HAMLET. "Something is rotten in the state of Malware"

Luis Corrons — Thu, 23 Apr 2009 17:54:00 GMT

Written on behalf of José Julio Ruiz de Loizaga.

Today being the birthday of William Shakespeare, I felt the urge to write this post. When reversing files, one is prepared to find anything - well, almost anything. I was analyzing a dll and was surprised to find passages from Hamlet. At first I thought "My God, a trojan that promotes literacy, how odd." My surprise increased when the next files, two additional dlls, also contained fragments of The Bard's prose.

First dll.

It was clear that these three files were related. There were two possibilities, either the malware author was a fan of sixteenth century renaissance literature, or that the text was used to make detection more difficult.

This method has been seen before in phishing emails. Anti-phishing engines look at keywords in the body of a message. When these words are found, they are correlated to the length of the message. In other words, a keyword has greater weight the more times it is repeated in a short message, which is why it is not unusual to find phishing emails with some literary text rendered white, so as to be invisible to the reader. Although the recipient does not see the extra words, the anti-phishing engine is fooled by the additional words.

Second dll.

This technique isn't exactly the same, but it has the same goal; to trick the antivirus. In this case, the signature file engine is the target. The additional text is inserted with the intention of changing the file's signature, thereby avoiding detection. The truth is that this is an interesting and educational way of doing so.

Third dll.

P.S., I would have personally chosen "100 Years of Solitude", but well, "Hamlet" is not bad either.

New waledac's campaign

Asier Martínez — Thu, 16 Apr 2009 08:00:00 GMT

Waledac family activity has increased during the last months. The malware creators have been using several social engineering techniques to spread these samples: important dates like Christmas and Valentine’s Day, important events such as the appointment of Barack Obama as president of the United States or fake news.

Currently, the technique is to offer a service that allows someone to read the sms received in a certain phone number. Obviously, it is a completely fake service and it could even be described as illegal and immoral. After accessing the website, downloading and running the software, the computer is infected and immediately starts hosting the infection website and executable on the victims computer.

Visualization

Snapshot of the Waledac Network:

The main function of the Waledac family, besides its own propagation, is to send spam messages to the email accounts obtained from the infected computer. Additionally, it can carry out other malicious actions, such as downloading malware, opening ports in order to receive instructions (acting as a botnet) and stealing passwords which are then sent to remote URLs.

The following graph represents the evolution of the files detected as Waledac received in our inboxes during the last three months:

Taking into account the data regarding the first two weeks of April, there has been an increase of almost 200% comparing with February's figures.

Which will be the next subject used by the malware creators to spread this worm? We’ll know it soon…

Chapter 2. The Conficker countdown melodrama.

Luis Corrons — Tue, 31 Mar 2009 15:27:00 GMT

The melodramatic Conficker countdown is starting to resemble one of those never-ending TV soap operas; everyone is talking about it, but it never draws to an end. Well, at last the countdown is in the final straight, because if not we could end up with mass hysteria.

So let's see what new information there is about Conficker. It would seem that some opportunists are taking advantage of the notoriety of Conficker, downloading malware onto computers from domains that are ranked highly in Google searches for the name of this virus. It’s not surprising, when you see how widely the news is being reported. Google Trends illustrates the point:

What is most interesting is the ranking of countries where this information is being most widely reported, and where most people are searching for this information. Bearing in mind the number of domains that are downloading malware by exploiting the interest in Conficker, without actually having any connection with it, it is likely that although people in these countries may escape the wrath of Conficker, there may still be users who have downloaded other Trojans simply by searching for news about Conficker… Ironic really. Perhaps on April 2 we will be talking about another epidemic in Indonesia or Austria…

What new information is there about Conficker? Absolutely none, other than everyone is waiting with baited breath to see when the apocalypse starts. This all takes me back to when, in the laboratory, we had a calendar for marking the payload dates of notorious viruses such as Friday 13 or Barrotes. So does this mean we are returning to the days of epidemics with payloads and countdowns?

Paradoxically, while we are all waiting to see what happens tomorrow, who knows what is actually going on in the background, and how many people are lining their pockets thanks to Conficker. And to get back to soap operas, what are the odds on a happy ending to the Conficker saga?

Facebook Malware Refocusing on Bank of America

Sean-Paul Correll — Sat, 14 Mar 2009 00:32:00 GMT

The perpetrators behind the recent Classmates and Facebook Malware incident are now refocusing their attack on Bank of America customers. The new website is designed to look like a Bank of America Help page and reads:
“You have not been permitted to access the Bank of America Direct® login page because your browser did not provide a valid digital certificate. In order to access Bank of America Direct, you must have a valid Digital Certificate installed on your PC. For help, please select from the help links below.”

The page includes a fake video which is labeled as an “Installation Demo” but points to a Malicious Executable named Adobeflashplayer.exe, which we detect as Trj/Spyforms.BZ.

Trj/Spyforms.BZ is primarily distributed through links in spam e-mails and the Trojan is designed to monitor network traffic and steal ftp, icq, pop3, and imap passwords. The stolen data is then sent back to a server located in Hong Kong.

ID Theft Malware is Infecting Computers at Alarming Rates

Sean-Paul Correll — Mon, 09 Mar 2009 21:54:00 GMT

Today we're announcing results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months.

Here are the highlights from our study on the evolution of online identity theft:

-Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year

-1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans

-35% of the infected PCs had up-to-date antivirus software installed

-The number of PCs infected with identify theft malware increased by 800 percent from the first half of 2008 to the second half

-Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft

Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who utilize online services such as shopping, banking, and social networking, have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware based on Panda Security's projected infection rate could reach 90 million hours.

The study revealed that an alarming 35 percent of the PCs infected with this type of malware were using up-to-date antivirus software. Antivirus labs are receiving a massive amount of new malware samples each day (22,000 new samples per day according to PandaLabs), and antivirus vendors are continually updating their services to keep up with the overwhelming volume of new malware surfacing each day. AV detection labs such as PandaLabs have made advances in automated detection and classification capabilities. These new detection methods as well as improved surveillance and cloud-based detection techniques have reduced the risk of individual identity theft incidents and its associated costs. Some global banks, notably in Brazil, have made changes to banking authentications using electronic tokens and virtual keyboards, but these approaches have been slow to be adopted in the U.S.

Malware in Social Media

Sean-Paul Correll — Thu, 26 Feb 2009 17:17:00 GMT

A few weeks ago we talked about cyber-criminals using Digg.com to spread malware. Today we see that the very same group responsible for the Digg.com incident was using the same tactic on YouTube through the use of YouTube's Annotations feature. Video Annotations is a way to add interactive commentary to videos on YouTube.

The following image displays a video using the annotations feature to guide users over to a malware ridden website:

Although the YouTube description malware is not as prevalent as the Digg.com comment abuse, it does show that Social Media websites are increasingly being used to spread Malware. We expect to see plenty of new examples similar to this throughout 2009.

Thanks to Dancho Danchev for the information.

Good (?) old times

Luis Corrons — Tue, 17 Feb 2009 17:28:00 GMT

Right now we are dealing with about 25,000 new malware samples per day. From time to time we remember the old days, when we were almost fighting each other in order to disassemble the latest virus we had received in the lab. Well, what were you expecting? We're freaks ;-)

But the real thing is that nowadays most of the malware are Trojans, rogueware, etc. We are talking mainly about non-polymorphic and non-viral malware, and the major problem we may find are some packers or similar stuff trying to avoid AV signature detections, not a big deal when you have technologies such as TruPrevent, that are watching the behaviour of the program rather than the static file itself.

Malware evolves, and so do antimalware technologies. That’s why in our last Annual Report I was expecting that this year we would see an increase in the use of old techniques as a way to evade some of the technologies that the top AV vendors are using –> old viruses tricks, mixing virus & Trojans behaviours, etc. It turns out that we have seen this change already happening. The first week of February a new virus appeared, we called it W32/Sality.AO.

Why is this new variant of a well known file infector worth mentioning? Well, first it is smart enough to avoid being too promiscuous, as it will not scan the whole hard drive looking for files to infect, but will just infect some files upon running the malicious code and will also infect any new files that we run in our computer. Furthermore, it is using very complex techniques to infect PE files: EPO, Cavity, different encryption layers… and not always in the same way, one sample maybe infected using EPO and 1 encryption layer, another one using EPO, cavity and 2 encryption layers, and so on. If this wasn’t enough, it connects to an IRC server in order to receive commands. Even more, it will try to download files from the Internet in order to infect our computer with more malware. It also infects (I’d rather say "modifies") .PHP, .ASP and .HTML files by inserting an iFrame tag into them. When visiting any of these “infected” files through our web browser, it will use an exploit in order to download and run a new file. This file is a double-malware, a Trojan downloader infected with a virus.

And here we were missing some good old polymorphic and self-replicating action. Another variant of W32/Sality just came in. Looks like we're not going to get much sleep tonight.

Rogue ScanVirus site impersonates SaaS Anti-Virus

Sean-Paul Correll — Tue, 03 Feb 2009 13:23:00 GMT

Today we discovered a new site using an interesting tactic to trick users into infecting themselves with malware. This time the cyber-criminals opted to pretend to be a Software as a Service (SaaS) Anti-Virus solution.

The "Scan Virus" website uses several legitimate Anti-Malware logos and badges in order to gain the victims confidence. Immediately upon loading the site a fake scan will begin and shortly after that the site will prompt the user to download a file called AntiVir.exe, which we detect as Adware/Antivirus2009. The site attempts to scare users by displaying images such as, "Your PC is infected! Sorry, standard programs cannot disinfect your PC now", and "DOWNLOAD PATCH to fix this problem"