Archive for February, 2009
Tuesday, February 24th, 2009
It’s always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best-performing scanners. And watching the detection rates, and the delays in AV signature updates, for malware families that are actually being run on end-user systems yet are being blocked by behavioral protection can be a bit overwhelming. Layered protection is an important part of keeping a system secure.
So when we observe “underground” activity, it’s never a surprise to see ongoing and more sophisticated efforts in developing malware that evades AV detection. Some of the efforts are getting more organized, and we continue to see more professional-looking services and amateur-looking betas popping up that replace the venerable and legitimate Virustotal and Jotti virusscan sites. We’ve presented before on some underground services, where blackhat developers offer to write fully undetected stubs (undetected by all of the major anti-virus products), and once they are detected, the developer sends on a limited number of new undetected stubs to their customers. When that limit is reached, the customer shells out some more cash for their new AV evasion kit. Not only the major media grabbers like Storm, Waledac, and botnets related to McColo, but smaller, under-the-radar efforts like the distributors of rogueware and fakeav benefit financially from and further this sort of work.
Below is a snapshot of one fairly recent effort put together with malicious intent: a scanning service that confirms those stubs remain fully undetected without the uploaded sample being passed on to AV companies (Virustotal and Jotti both distribute samples to AV companies). Many of the blackhat forums bring on new, inexperienced members who upload new undetected crypters to the legitimate sites, which sends the samples on to AV vendors and has been a problem for their efforts in the past. The site is in beta and slow as molasses.

Posted in Blackhat, Evasion technique, Strategy, Undetected malware | 1 Comment »
Monday, February 23rd, 2009
The Waledac themes are moving away from love and towards a more economizing theme. Below is a screenshot of their newest coupon clipping themes.

Click on the “Waledac” label below for posts describing previous themes for the malware family.
Posted in Social Engineering, Waledac | No Comments »
Friday, February 20th, 2009
The ThreatFire community is preventing an unusual hosts file modification in higher prevalence than usual that seems to be related to “Spyware Protect 2009”. On unprotected systems, the end result can be that your browser appears to be visiting “browser-security.microsoft.com” when it’s really not the legitimate microsoft.com site, and the page greets you with a familiar-looking browser warning, “visiting this site may harm your computer!”. You can see the spoofed microsoft.com URL circled in red in the image:

So far, getting the user to run an executable (or exploiting a system running vulnerable third-party PDF reader plugins) that modifies the hosts file to point “browser-security.microsoft.com” at 195.245.119.131 and then launches a browser to a page on that domain seems to be a fairly prevalent tactic. The links on the page direct the user to pay for another piece of rogueware called “Spyware Protect 2009”. In no way is this site associated with the real microsoft.com web presence. Other domains shared by the group right now are sys-protection.com, sysguard2009.com, os-protection.com, swp2009.com, spy-protect-2009.com, spywprotect.com and some adult entertainment links. Avoid these domains and rogueware.
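A defender-side check for the tampering described above, added here as an example and not part of the original post or of ThreatFire: it parses hosts-file text and flags any entry for a watched vendor domain, distinguishing a redirect to a routable address (the rogueware case) from a blackhole to loopback or 0.0.0.0. The sample hosts content is constructed, and the watch list (microsoft.com, windowsupdate.com) is an assumption you would extend with your own AV and update vendors.

```python
import ipaddress

# Hosts-file content constructed for this example. The microsoft.com line
# mirrors the modification described in the post; the others are benign.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
195.245.119.131 browser-security.microsoft.com
0.0.0.0         ads.example.net   # ad-blocking entry, not a concern
"""

# Assumed watch list: domains that have no business appearing in the hosts
# file of an end-user system. Extend with your AV and update vendors.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skip
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_hijacks(text, suffixes=WATCHED_SUFFIXES):
    """Return [(hostname, ip, kind)] for watched names found in hosts text.
    kind is "redirect" for a routable address, "blackhole" for loopback/0.0.0.0."""
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, suffixes):
            continue
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        hits.append((name, str(ip), kind))
    return hits
```

On a live Windows system you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and alert on any non-empty result.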
Update: The “Malware Analysis and Diagnostic” blog posted some additional information on the rogueware. Looks like an interesting blog, and for English readers, Google Translate is your friend.
Update: More of the same technique found here.
Update: Michael Hale Ligh posted details of his investigation into a related incident here. In an update, he comments that the user’s system had an outdated version of Adobe Acrobat Reader, which was most likely the targeted vulnerable application. It’s excellent work and a great read for those interested in technical details.
Posted in Adware, FakeAlert, Rogueware, Social Engineering, Trojan | 4 Comments »