Archive for September, 2009

PCTools and Virus Bulletin 2009

Friday, September 25th, 2009

This year’s annual Virus Bulletin conference (VB2009) is being held in Geneva, Switzerland. The presentations are very interesting, with topics covering Waledac, Koobface, botnets, and the other malware families that ThreatFire protects users against most effectively every day.

PC Tools’ Kurt Baumgartner presented a survey of Peter Ferrie’s series of papers on anti-unpacking techniques, and how these techniques are and are not implemented within the “worst families” of 2008-2009. The slides are available from the Virus Bulletin 2009 slides page. It was exciting to discuss with at least a dozen other researchers the questions and answers we provided about Waledac and its consistent use of Int 0x2e within its packer. We examined other families and the specific decryption algorithms implemented by each, as well as the unusual techniques malware writers are using to throw off automated research and file scanners. You can find Peter Ferrie’s “Anti-Unpacker Tricks” Virus Bulletin papers on his web page, under his “International Publications” section.

Righard Zwienenberg presented on the progress AMTSO is making, a group that PC Tools has actively participated in since its start. There was much interest in its activity and in some of its current work, which we are pleased to help drive forward. The upcoming meeting in Prague will bring with it discussion of one of its most controversial papers, “Issues in the Creation of Malware” [for testing purposes], which hopefully will be voted on and released soon. We encourage testers and reviewers to join and actively participate in this group.

Topics of interest included “The real face of Koobface” by Ivan Macalintal, and “Brazil, land of plentiful bankers” from Dmitry Bestuzhev. The Brazilian banker presentation discussed many of the issues behind the thriving banking-password-stealing efforts and groups in Brazil, and the surprising presence of the Induc virus infecting Bancos password stealers, which ThreatFire effectively prevents. Also of interest is the malware working group connecting the AV industry, with Igor Muttik discussing the Industry Connection Security Group’s proposed XML structure and content for sharing samples and information amongst vendors and testers. It’s something we’ll probably exchange thoughts on at the upcoming AMTSO meeting.

Captcha Cracking Koobface

Wednesday, September 16th, 2009

In a post last December on the ThreatExpert blog, Sergei proposed a method to defeat Koobface: hit ’em in the pocketbook, where it hurts. The CAPTCHA cracking services that the Koobface gang uses could be the weak link in its chain and could be abused to interrupt their scams. Unfortunately, no one seems to be taking up that proposal. Koobface is relentlessly released and spread across multiple distribution groups, with its CAPTCHA crackers in action.

The Koobface malware was recently altered slightly in several ways. The binary now carries with it the functionality to phone back to one of two sites for its CAPTCHA cracking needs.

Perhaps these are the new weak links to target.

NY Times FakeAv Banner Ads Certainly not New

Monday, September 14th, 2009

The banner ads allegedly rotating through the NY Times website over the weekend delivered FakeAv/Rogueware from servers that have been delivering the same stuff since around July 19th. The current URL over the weekend was protection-check07. com, but it changes frequently.

The ThreatFire community has seen this stuff effectively prevented on desktops under a variety of names for as long as these servers have been delivering the FakeAv, which is also known as Downloader.MisleadApp, Trojan.Fakeavalert, XPAntivirus and Trojan:Win32/FakeXPA. Here are just a few of the resource variations that ThreatFire has identified over the past few months:

88.198.107.25 /DOWNLOAD/ANTIVIRUS-5920E_2007.EXE
88.198.107.25 /DOWNLOAD/ANTIVIRUS-E92EFB7_2024-2.EXE
88.198.107.25 /DOWNLOAD/ANTIVIRUS-8023A_2024-2.EXE

94.102.51.26 /DOWNLOAD/INSTALL-C8D161_2006-31.EXE
94.102.51.26 /DOWNLOAD/SETUP-A3B7FBB_2024-3.EXE
94.102.51.26 /DOWNLOAD/SETUP-3985EC_2009-2152.EXE

91.212.107.5 /DOWNLOAD/ANTIVIRUS-9F83_2024-5.EXE
91.212.107.5 /DOWNLOAD/INSTALL-9EC30A_2006-71.EXE
91.212.107.5 /DOWNLOAD/INSTALL-C22753_2004.EXE

These servers are hosted in Germany, the Netherlands, and Cyprus, but their victims are located throughout the world; in this case, potentially wherever NY Times readers may be located. Be sure to add a behavior-based security solution to your system. The banner ads seem to have been acted on quickly, as there have been no additional reports and no further identifiable malicious banners.
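The resource list above shares one naming scheme across all three hosts: `/DOWNLOAD/<ANTIVIRUS|INSTALL|SETUP>-<hex>_<digits>[-<digits>].EXE`. As an added example (not code from the original post or from PC Tools), the script below turns that list into a proxy-log check: it flags requests to the listed hosts, and separately flags requests whose path matches the naming scheme even when the host is new, so a server rotation like the one described for protection-check07. com is still caught. The log format and the sample log lines are constructed for the example; `classify`, `scan` and the field layout are assumptions, not a real tool’s API.

```python
import re

# Distribution hosts listed in the post (observed July-September 2009).
FAKEAV_HOSTS = {"88.198.107.25", "94.102.51.26", "91.212.107.5"}

# Paths listed in the post, kept as a self-check that the pattern below covers them all.
IOC_PATHS = [
    "/DOWNLOAD/ANTIVIRUS-5920E_2007.EXE",
    "/DOWNLOAD/ANTIVIRUS-E92EFB7_2024-2.EXE",
    "/DOWNLOAD/ANTIVIRUS-8023A_2024-2.EXE",
    "/DOWNLOAD/INSTALL-C8D161_2006-31.EXE",
    "/DOWNLOAD/SETUP-A3B7FBB_2024-3.EXE",
    "/DOWNLOAD/SETUP-3985EC_2009-2152.EXE",
    "/DOWNLOAD/ANTIVIRUS-9F83_2024-5.EXE",
    "/DOWNLOAD/INSTALL-9EC30A_2006-71.EXE",
    "/DOWNLOAD/INSTALL-C22753_2004.EXE",
]

# Naming scheme shared by every listed path: a fixed prefix word, a short hex
# token, a 4-digit campaign/affiliate number and an optional numeric suffix.
FAKEAV_PATH = re.compile(
    r"^/DOWNLOAD/(?:ANTIVIRUS|INSTALL|SETUP)-[0-9A-F]{4,8}_\d{4}(?:-\d+)?\.EXE$",
    re.IGNORECASE,
)

# Constructed (hypothetical) proxy log layout:
#   <timestamp> <client-ip> <method> http://<host><path> <status>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) http://([^/\s]+)(/\S*) (\d{3})$")


def classify(line):
    """Return (timestamp, client, host, path, verdict) for a suspicious request, else None.

    Verdicts:
      known-host+pattern  listed server AND the FakeAv path scheme
      known-host          listed server, any path (e.g. a redirect or favicon fetch)
      pattern-only        unlisted server but the same path scheme (likely a rotated host)
    """
    m = LOG_LINE.match(line)
    if not m:
        return None  # not a parseable request line; ignore
    ts, client, _method, host, path, _status = m.groups()
    host_hit = host in FAKEAV_HOSTS
    path_hit = bool(FAKEAV_PATH.match(path))
    if host_hit and path_hit:
        verdict = "known-host+pattern"
    elif host_hit:
        verdict = "known-host"
    elif path_hit:
        verdict = "pattern-only"
    else:
        return None
    return (ts, client, host, path, verdict)


def scan(lines):
    """Run classify over an iterable of log lines and keep only the hits, in order."""
    return [hit for hit in (classify(line) for line in lines) if hit is not None]


# Constructed sample log: one listed-host download, one benign request,
# one download from an unlisted host using the same naming scheme,
# one non-download request to a listed host, and one unparseable line.
SAMPLE_LOG = [
    "2009-09-13T10:01:02 10.0.0.5 GET http://88.198.107.25/DOWNLOAD/ANTIVIRUS-5920E_2007.EXE 200",
    "2009-09-13T10:01:05 10.0.0.5 GET http://www.example.com/index.html 200",
    "2009-09-13T10:02:11 10.0.0.9 GET http://203.0.113.7/DOWNLOAD/SETUP-3985EC_2009-2152.EXE 200",
    "2009-09-13T10:03:00 10.0.0.9 GET http://91.212.107.5/favicon.ico 404",
    "this line is not a request",
]

if __name__ == "__main__":
    for ts, client, host, path, verdict in scan(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}{path} [{verdict}]")
```

The `pattern-only` verdict is the useful one operationally: the hosts in the post rotate, but the dropper naming scheme persisted across all three, so a path-shape match on an unlisted host is worth a closer look rather than being dropped as unknown.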