Archive for August, 2009

Total Security and pav.exe

Monday, August 31st, 2009

Previous posts showed spam-based scams attempting to deliver a payload named “pav.exe” onto your system. The scam is continuing under the title “Total Security” for the familiar scareware messages. Be aware that there is a legitimate security suite that includes those words in its name, but this scam is not that legitimate package. The text of the fake scan and its phony detections is reproduced below so you can recognize it:

Phony scan offer, demanding an immediate scan:
“Warning!!! Your system requires immediate anti viruses scan! Total Security can perform fast and free virus and malicious software scan of your computer .”

Full phony detection message:
“Harmful and malicious software detected. Such programs may damage your computer and steal your private information. Online Security Scanner requires Total Security components to repair your computer. Please click OK to download and install Total Security tool.”

Today's and yesterday's most active domains and IP addresses included:
88.198.120.177
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-online-scan7 .com
best-antivirus9 .com
live-virus-scanner3 .com
online-best-scanv3 .com
premium-antispy-scanv3 .com
premium-antispy-scanv7 .com
professionalcomputerscanv2 .com
safeonlinescannerv4 .com
safeonlinescanv4 .com
secure-spyware-scannerv3 .com

91.212.127.200
antispyware-scanner2 .com
antispyware-scanner5 .com
antivirus-online-scan7 .com
best-antivirus9 .com
live-virus-scanner3 .com
professionalcomputerscanv2 .com
safeonlinescannerv4 .com
safeonlinescanv4 .com

88.198.81.153
antivirus-scannerv17 .com
best-security-scanv8 .com
bestantispywarescanv4 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com

78.46.251.43
antivirus-online-scan5 .com
antivirus-scannerv12 .com
antivirus-scannerv15 .com
getyourantivirusv3 .com

83.133.126.201
antivirus-scannerv17 .com
bestantispywarescanv4 .com
professionalspywarescanv8 .com
professionalvirusscanv3 .com
protectedsecurityaudit .cn

ThreatFire preventions of this scareware/rogueware payload continue to rise. Before installing any security software, inform yourself by looking into opinions and reviews of legitimate products.
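
The indicator list above is most useful when it is checked against what your own hosts actually connected to. The following is an added example, not code from the original post or from PC Tools: it parses a constructed subset of the defanged list (the " .com" spacing is rejoined, and the unspaced form is accepted too), maps each domain to the IP or IPs it was seen on, and then runs constructed proxy log lines against that list. A second, weaker signal flags hosts that merely follow the campaign's naming scheme (security buzzwords plus a version counter); that regex is an assumption drawn from the listed names, will hit some legitimate domains, and is meant to queue hosts for review rather than block them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed subset of the post's indicator list: an IP line followed by the
# domains seen hosted on it, mostly defanged with the TLD split off by a space.
INDICATORS = """
88.198.120.177
antispyware-scanner2 .com
antivirus-online-scan7 .com
best-antivirus9 .com
premium-antispy-scanv3 .com

91.212.127.200
antispyware-scanner2 .com
live-virus-scanner3 .com

88.198.81.153
antivirus-scannerv17 .com
bestantispywarescanv4 .com

83.133.126.201
antivirus-scannerv17.com
protectedsecurityaudit.cn
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Heuristic for the campaign's naming scheme (an assumption drawn from the listed
# domains, not a rule from the post): a security buzzword somewhere in the label,
# an optional "v" plus a counter digit at the end, under .com or .cn.
NAMING_RE = re.compile(
    r"^[a-z-]*(?:anti(?:virus|spy)|spyware|virus|scan|security)[a-z-]*v?\d+\.(?:com|cn)$"
)


def refang(domain: str) -> str:
    """Rejoin the ' .com' style defanging back into a resolvable name."""
    return domain.replace(" .", ".").lower()


def parse_indicators(text: str) -> dict:
    """Return {domain: set(of hosting IPs)} from the defanged list."""
    domain_to_ips = defaultdict(set)
    current_ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if IP_RE.match(line):
            current_ip = line          # start of a new IP group
        elif current_ip is not None:
            domain_to_ips[refang(line)].add(current_ip)
    return dict(domain_to_ips)


def host_of(url: str) -> str:
    """Extract the host name from a URL as it appears in a proxy log."""
    return (urlsplit(url).hostname or "").lower()


def classify_host(host: str, known: dict):
    """Exact indicator match first, naming-scheme heuristic second, else None."""
    if host in known:
        return "known-indicator"
    if NAMING_RE.match(host):
        return "naming-pattern"
    return None


def check_proxy_log(lines, known: dict):
    """Return (host, verdict, sorted hosting IPs) for each suspicious log line.

    Each line is 'timestamp client_ip METHOD url' (a constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host = host_of(parts[3])
        verdict = classify_host(host, known)
        if verdict:
            hits.append((host, verdict, sorted(known.get(host, ()))))
    return hits


# Constructed sample log: one exact hit, one clean line, one host that is only a
# naming-scheme match (it is in the post's full list but not in the subset above),
# and one exact hit on the .cn domain that has no counter digit.
SAMPLE_LOG = [
    "1251705600 10.0.0.5 GET http://antispyware-scanner2.com/scan.php",
    "1251705601 10.0.0.5 GET http://www.example.org/index.html",
    "1251705602 10.0.0.7 GET http://best-security-scanv8.com/pav.exe",
    "1251705603 10.0.0.9 GET http://protectedsecurityaudit.cn/",
]

if __name__ == "__main__":
    known = parse_indicators(INDICATORS)
    for host, verdict, ips in check_proxy_log(SAMPLE_LOG, known):
        print(f"{verdict:16} {host:32} {' '.join(ips)}")
```

Feeding a real list through `parse_indicators` and a real access log through `check_proxy_log` gives two tiers of output: "known-indicator" hits are the confirmed scareware hosts and carry the IPs to pivot on, while "naming-pattern" hits are candidates for a quick look, which is where the heuristic earns its keep when the campaign rotates to the next numbered domain.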

PC Tools at Virus Bulletin 2009

Monday, August 31st, 2009

One of the most enjoyable and informative annual anti-malware conferences is being held in Geneva, Switzerland this year. Virus Bulletin 2009 takes place 23-25 September 2009 and brings three days of presentations on two tracks, business and technical. Online registration is available on the conference site.

On the technical track, Kurt Baumgartner from our PC Tools ThreatFire research team will be presenting for a third year. “AntiRE En Masse” will discuss the anti-reversing techniques documented in Peter Ferrie’s recent set of papers, published in several issues of Virus Bulletin magazine over the past year, and their implementation (or lack thereof) in a set of the past year’s most prevalent or active malware families. Waledac, Koobface, Taterf/Gamepass, and other crimeware nailed by ThreatFire on a daily basis will be dissected and examined in this light. We look forward to seeing you there.

Mebroot Noodles Straightened Out?

Thursday, August 27th, 2009

It seemed strange when the steady stream of changing, but similar, Mebroot (also known as Sinowal) executables dried up in late July. But alas, the MBR-infecting family seems to have simply run out of flour and wheat for its “pasta theory” code, as described by Elia Florio and Kimmo Kasslin.

The spaghetti code typical of the Mebroot family for so long seems to have been straightened out. Known for downloading banking and financial service password stealers, the family also developed a reputation for oodles of obfuscation in its executables. Now, instead of the never-ending jmps, rets and scrambled code flow, it seems to be released without the pasta and with a series of bogus calls: DeviceIoControl calls with a stack full of NULL parameters, CreateFile calls with bogus filenames, and so on. Otherwise, the components observed in the lab match up with past Mebroot components, so we are digging deeper into the chances that we really are witnessing a new generation of the malware.

At the time we started digging into the dropper, googling “dedkeopght.com”, the site from which the malcrafted PDF file fetched this MBR-injecting payload, turned up no results whatsoever. Neither did scanning the payload file (the dropper) with a variety of AV file scanners turn up any detections. However, ThreatFire users are safe, and TF continues to prevent its injections and MBR infection techniques.

Be sure to regularly update your software and add a behavioral solution to your system.