PandaLabs : Video

Rogueware with new Ransomware Technology™

Sean-Paul Correll — Thu, 08 Oct 2009 11:05:00 GMT

The criminals behind Rogueware attacks are becoming increasingly aggressive in their approach to make money. We recently stumbled across a sample (Adware/TotalSecurity2009) which uses a ransomware technique to improve its sales. Once the computer becomes infected, Total Security forces the victim to purchase it before it will allow any files from being accessed on the system. When attempting to open a file, a message pops up in the notification area claiming that the application was blocked due to infection. The pop up recommends activating the "antivirus" software, which costs $79.95.

This would be a devistating blow to any user and would likely force the victim to purchase it, so we went ahead and cracked the sample to reveal all of the valid serial numbers. We're hoping that victims can find this blog post before shelling out any hard earned cash to these criminals.

Watch the video to see it in action:

Valid serials for Adware/TotalSecurity2009:

WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD

You can download a free trial to completely remove the infection once the ransomware feature is removed.

Special thanks to Sherab Giovannini for extracting the serials.

Live Demo: Banking Trojans

Sean-Paul Correll — Tue, 08 Sep 2009 22:09:00 GMT

Banking Trojans are one of the most prevalent Malware species in the threat landscape today. Malware authors aim to keep infections live and undetected long enough so that they can get what they are really after: money. Financial motivations lead malware developers to craft the stealthiest banking Trojans to steal personal and financial data for further exploitation on the black market. Day after day innocent victims are hacked with the end result being an emptied out bank account. This video demonstrates how dangerous and stealthy banking Trojans can be and why we must continue to raise awareness on the issue.

Zero day in MSVIDCTL.DLL

Luis Corrons — Wed, 08 Jul 2009 07:21:00 GMT

A couple of days ago we started spotting a new vulnerability affecting Microsoft Video ActiveX Control. Even though it's been said there are thousands of web sites affected, they are only a few dozens and most of them are in China: Anyway, it is a matter of time to see this attack expanding worldwide. We've seen this zero day installing a Lineage Trojan, but this could change and cybercriminals could install any kind of malware.

Microsoft has published an advisory with a workaround while they prepare a final solution. An important message to everyone: please apply this workaround ASAP.

If you are a Panda user with TruPrevent Technologies, then you are not in a hurry, as it is proactively stopping it. The best thing is that you don't need to install some kind of beta or technology preview, it just works in all of our consumer and corporate products as long as they have enabled TruPrevent. No matter which version you have installed, it covers not only the brand new 2010 products but any old version with TruPrevent.

Sean-Paul shows you here why and how you are protected:

New Blackhat SEO attack exploits vulnerabilities in Wordpress to distribute rogue antivirus software

Sean-Paul Correll — Thu, 23 Apr 2009 16:50:00 GMT

Over the past week we have seen a new Blackhat SEO technique emerge to exploit vulnerabilities in the popular Wordpress blog software. Two of the sites we identified were TheWorkBuzz.com, a website owned and operated by Career Builder (CareerBuilder.com), and The Center for International Media Assistance, an initiative of the National Endowment for Democracy (NED.org). Just like last week’s attack against Ford Motor, these scams work by misleading search engines to falsely promote malicious pages to the top of the search results. When a user visits one of the malicious sites, they are duped into downloading fake antivirus software.

You can checkout a video demonstrating how this particular attack works below:

Both attacks involve a vulnerability in an older version of Wordpress, which allows the /wp-includes/ folder of the software to house thousands of malicious redirectors. Exact details of the specific vulnerability are not yet known, but we have contacted both site owners and the security team at Wordpress to get clarification.

In the first case involving the Center for International Media Assistance website, we uncovered over 13,330 words used in the Blackhat SEO attack. We took all the terms and threw them into a Tag Cloud generator to see how they were targeting the CIMA viewers. Here’s what we found:

Song - Appeared 1303 times
Software - Appeared 879 times
Free - Appeared 244 times
Lyrics - Appeared 210 times

Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It’s no wonder why we have seen more Rogue detections in the first quarter of 2009 then all of 2008. As you can see from the chart below, PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3.

Remember, It's just as important to update your web applications as it is to update your operating system. If you use Wordpress as a platform for your blog or website, then I recommend viewing the official hardening guide.