Fewer viruses

One of the most prolific and well known groups from the vx scene has closed up shop this February:









Can't say that we'll miss the virus writing from 29A.

This Spanish-based group released their first "zine" back in the mid-90's -- that was ten years and eight issues ago.
Unfortunately, we're seeing that the activities of these guys in 2008 is being replaced with the sort of scam software that we're calling "Rogueware", password stealing of all sorts, and ongoing botnet activity. The motivations behind malware development continues to move away from virus writing for reputation and towards malware development for financial gain.

IM Skype Spam

We continue to get copies of IM Spam in our Skype accounts. "ATTENTION! Security Center has detected malware on your computer!", all from "Mr. AntiVirus Notice". Chances are, you are too. Last year, variants of malicious worms were using skype to spread, and then slowly the rogueware money makers decided to cash in on the same methods.

We decided to visit the web sites in our labs, to find out what they still have to offer. Here is the original message. It appears that distribution of this spam message has been hitting peaks a couple of times a month since November:


























When we visited the site at the provided link, the page seemed to somehow, without prompting, scan the system for malware through my Firefox browser (legitimate software cannot and does not do this on a computer). Little progress bars began filling up and scary things were reported to be detected:






















When this supposed scan finished, the page presented a stunning warning, bad stuff was detected:





















Even though this system is completely clean, it might be fun to select the "Remove All" button. The next page that is provided is their shopping cart -- just a quick suggestion, really:






















Knowing that my system was completely clean, I clicked on the "close" button for this shopping cart. Instead of closing the shopping cart, the site immediately warned that my system would be infected, in other words, if I didn't cough up the cash. "Don't close this window if you want your PC to be clean.":





















Finally, when the user has been intimidated or confused enough to cave in and clicks "Ok", they are presented with a final order form:





















Is any malware on the machine? No. Does this user need to pay $20.00 to clean Rootkits and Backdoors off a system here? No. Ignore Skype spam and misleading advertisers.

Here come the mounties

I wonder if they didn't see the bright red jackets galloping towards their hard drives? Another botnet ring got busted in Canada.

This story is bigger than I thought..."Police in Quebec arrested 17 people on computer-hacking-related charges in the largest sweep of its kind in Canada".

It's not just the U.S. Fbi performing these major 2008 investigations and arrests.

cDc Hacktivist Tool Release

The Cult of the Dead Cow is a group that has been around for over a decade, presented by its members as an underground hacker/do-it-yourself media group. Every now and then, they release another "tool" as a result of their research. They are known mostly for their Back Orifice tool release in the late 1990's. Unfortunately, it was only a taste of what was to come from the world of "RAT" development, or so-called remote administration tools. These sorts of tools were often used to maintain botnets and control over compromised systems for malicious purposes.

















This new tool, the Goolag Scanner, is a stab at using Google's technologies for security research (open to definitions of white, grey, or black hat), and a part of the cDc hacktivist response "to Google's decision to comply with China's Internet censorship policy and censor search results in the mainland-Chinese version of its search engine." Its interface is similar to the popular Nessus vulnerability scanner. While use of the scanner most likely violates every contractual licensing agreement in the Google's terms of service, it provides an automated method of evaluating web sites for vulnerabilities using "Google Hacks", or "Dorks" that were popularized by "Johnny Hack" and his "Google Hacking Database".

In line with their generally dark humor, this version of the scanner is being released as the "Stanley Kowalski" version, most likely in reference to an awful character from Tennessee Williams' "Streetcar Named Desire", along with a tough love usage statement:
"If this software does something bad to your computer or network or provides information that you have no legal right to see, then that's your problem. In some countries this software might be illegal. Don't be stupid, and don't come whining to us if you get into trouble. You've been warned."

Discussions on various security mailing lists wager on how long the site will remain up. It seems that the cDc presents the site as a parody of the google site itself:
"It isn't even a particularly good parody. As such, it is protected by the First Amendment." It most likely will be up for a while:

















Web admins should be sure to attend to the security needs of their servers.

What's in a name? -- Adclicker agent spambots

Sometimes family names from various AV products don't really fit the behavior of samples that we are seeing. The naming conundrum has been an ongoing challenge for the AV industry. One serious attempt at a naming standard put forth by CARO in 1991 has been casually used for some time. But no product has been absolutely compliant over the past 17 years, and a message at the group's site makes it seem that the group, and its half-used standards, is running out of steam:























Some leaders in the industry have called the latest attempt, the CME naming standard, dead. That is arguable, but the question remains, how effective is the CME standard at helping consumers of security software understand what they are being protected against and reducing the public's confusion in referencing threats during "malware incidents"? Has it improved communication and information sharing between vendors and the rest of the community?

Currently, we are looking at a surge in malicious binaries in our user community that either are currently undetected by the major AV scanners or have been misnamed altogether. The file names for these binaries are random, but look like:
ciocrw.exe
fhydx.exe

The files are custom packed to make reversing more difficult. Most of these samples use an interesting encoded series of communication that would be described as botlike activity. This morning, they are pulling down "install_cn.exe" from a variety of sites, and then go on to spam out messages with sex-themed content from the infected host (links below intentionally modified):

You really can make your wife more gratified!
You dont know what to do? It's more than simply
Follow this link to learn more
http://kfc< >esa.com/
Have an impassionedzealous love!

You have a nice chance to say goodbye to your sexual troubles
You dont know what to do? Here a recipe for you....
Use link to learn more...
http://dontw< >forsizes.com/
Have a passionate nights!

Make your lady-love satisfied!
You dont know how? It's simply!
All details are here:
http://www.incr< >esizesnow.com/
Have a fervent love!


Related malware reports of previously detected and undetected samples, dating back to the end of November, show that the effort to release this stuff exhibiting similar behaviors and communicating with the same domains is not entirely new, and that family names provided by scanners differ across all the samples when they are first released.

Unfortunately, this leads us to believe that 2008 is becoming another banner year for spam and rogueware (the new adware).
So what to call it? We'll see updates and modifications for this one, and it blurs the lines of the adclicker, spambot, zlob family characteristics and more. Right now, you might see this one prevented by ThreatFire as Trojan.ClizxkBot or Trojan.AdClicker. We hope not.

Infested stock message boards and a quick response

Sometimes, surprising events in the financial news draw users to the message boards. On Yahoo!, individual stock message boards are usually a safe haven for posting and browsing.
Right now, one stock at the Yahoo finance site appeared to have an almost 60% drop for the day. Instead, the company might be performing a reverse split with little notice. There is no news headline about a reverse split for the company, so the next logical step would be to check out the message boards and see what other users might be sharing.

Once on the message boards, a user may fall for friendly advice like "This Video Forecast should help“"(link intentionally removed). DO NOT FOLLOW THESE LINKS RIGHT NOW. We decided to follow these links once we saw them. After following one of them, our goat lab systems became totally infected by malware and completely unusable. Adware, worms, multiple processes and more were overloading the system's capacity. We can only post an image at this point of the link to the infecting site (DO NOT VISIT THESE LINKS). These attackers are acting quickly on the confusing financial news:

























UPDATE: It seems that the web links spammed to the message boards may be linked to a handful of web servers that were compromised. For example, here is a list of spammed links to another message board. We highlight one in particular in red:
















Here is the web page at the highlighted link's destination, apparently revealing a compromised site. Most likely, the malware and exploits served up at these sites were the result of compromised servers:














The operators of these sites seem to be on top of the problem, and almost all of the links we're visiting are now cleaned up.

These short lived and effective attacks can ruin your day. They lurk in the most unexpected of places, not just the adult and warez sites. Be sure to keep your security solutions updated.

AMTSO website

The work of the AntiMalware Testing Standards Organization, or AMTSO, is moving forward. This morning, the group's website went up, thanks to the efforts of volunteers. It presents the group's charter, pro-tem committees, membership, and a brief list of resources all related to anti-malware technology testing.

The group continues to grow in its formative stage:

"AMTSO is dedicated to helping improve the objectivity, quality and relevance of anti-malware technology testing. AMTSO membership is open to industry-wide academics, reviewers, testers and vendors, subject to guidelines determined by AMTSO."


The press is catching the buzz as well with articles at SecurityFocus, Fox Business, InformationWeek, SCMagazine and the Washington Post.
We look forward to further helping open efforts to better evaluate and understand security solutions as an AMTSO member.