Archive for the ‘Blackhat’ Category
Thursday, July 16th, 2009
The gang distributing FakeAv downloaders and more have moved their goods and scheme to yet another server and adult theme. In addition to downloader filenames like streamviewer.45043.exe, tubeviewer.ver.6.21586.exe, onlinemovies.45023.exe, the group is finding success in their new addition, freepornmovies.40067.exe. The ThreatFire community is protected from these downloaders, and the newest is showing up in higher volumes.
For the most part, this downloader is being served from 64.20.38.172. The following domains currently resolve to that address:
exe-direct. com
exe-get. com
exe-online-world. com
exe-paste. com
exe-porto. com
exe-site. com
exefileformat. com
exenetsfiles. com
freeexefiles. com
hotexefiles. com
my-exe-load. com
newexefile. com
red-exe. com
robo-exe. com
soft-exe. net
the-exefiles. com
tiaexe. com
The downloader itself is currently pulling down embedded, encrypted malicious files, described in a previous post, from myart-gallery. com, robert-art. com and superarthome. com.
Be wary of codecs that may be tempting to download and run.
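The indicators above (the serving IP, the domains pointing at it, the payload-hosting domains, and the `<theme>.<digits>.exe` filename shape) are the kind of thing a defender wants to match against outbound proxy logs. The script below is an added example, not code from the original post or from ThreatFire: it refangs the space-defanged domains exactly as quoted above, then flags constructed proxy log lines that touch a known domain or IP, or that request a file whose name follows the observed pattern. The log format (timestamp, client, method, URL, destination IP, status) and the sample lines are assumptions made for the example.

```python
"""Match proxy log lines against the FakeAV downloader indicators quoted in the post."""
import re
from urllib.parse import urlsplit

# Indicators copied from the post above. The post defangs domains by inserting a
# space before the TLD; refang() turns them back into hostnames for matching.
FAKEAV_SERVER_IP = "64.20.38.172"
DEFANGED_DOWNLOADER_DOMAINS = (
    "exe-direct. com exe-get. com exe-online-world. com exe-paste. com exe-porto. com "
    "exe-site. com exefileformat. com exenetsfiles. com freeexefiles. com hotexefiles. com "
    "my-exe-load. com newexefile. com red-exe. com robo-exe. com soft-exe. net "
    "the-exefiles. com tiaexe. com"
)
DEFANGED_PAYLOAD_DOMAINS = "myart-gallery. com robert-art. com superarthome. com"


def refang(defanged: str) -> frozenset:
    """Turn 'exe-get. com exe-site. com' into {'exe-get.com', 'exe-site.com'}."""
    return frozenset(defanged.replace(". ", ".").lower().split())


DOWNLOADER_DOMAINS = refang(DEFANGED_DOWNLOADER_DOMAINS)
PAYLOAD_DOMAINS = refang(DEFANGED_PAYLOAD_DOMAINS)

# Filename shape seen in the post: <theme>[.ver.N].<4-6 digits>.exe,
# e.g. streamviewer.45043.exe or tubeviewer.ver.6.21586.exe.
DOWNLOADER_NAME = re.compile(r"^[a-z]+(?:\.[a-z0-9]+)*\.\d{4,6}\.exe$", re.IGNORECASE)

# Constructed proxy log lines (not from the post). Fields:
# timestamp client method url dest_ip status
SAMPLE_PROXY_LOG = """\
2009-07-16T10:02:11Z 10.0.0.5 GET http://exe-get.com/freepornmovies.40067.exe 64.20.38.172 200
2009-07-16T10:02:40Z 10.0.0.5 GET http://superarthome.com/gallery/image1.jpg 198.51.100.7 200
2009-07-16T10:05:03Z 10.0.0.9 GET http://example.org/downloads/setup.exe 203.0.113.4 200
2009-07-16T10:06:17Z 10.0.0.12 GET http://cdn-mirror.example.net/tubeviewer.ver.6.21586.exe 203.0.113.9 200
""".strip().splitlines()


def classify_request(url: str, dest_ip: str) -> dict:
    """Return the host, requested filename and the list of indicator matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    reasons = []
    if host in DOWNLOADER_DOMAINS:
        reasons.append("downloader-domain")
    if host in PAYLOAD_DOMAINS:
        reasons.append("payload-domain")
    if dest_ip == FAKEAV_SERVER_IP:
        reasons.append("downloader-ip")
    if DOWNLOADER_NAME.match(filename):
        # Lower confidence on its own: the name shape may recur on other hosts.
        reasons.append("filename-pattern")
    return {"host": host, "filename": filename, "reasons": reasons}


def scan_proxy_log(lines) -> list:
    """Return one alert dict per log line that matches at least one indicator."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # skip malformed lines rather than abort the whole scan
        timestamp, client, _method, url, dest_ip, _status = fields[:6]
        hit = classify_request(url, dest_ip)
        if hit["reasons"]:
            hit.update(timestamp=timestamp, client=client)
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert["timestamp"], alert["client"], alert["host"],
              alert["filename"], ",".join(alert["reasons"]))
```

Run against the constructed log, the first line hits on the domain, the IP and the filename pattern at once; the payload-domain line hits only on the host, which is why the payload domains are kept separate from the downloader domains; and the last line is flagged on filename shape alone, which is the weakest signal and is worth triaging rather than blocking outright.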
Posted in Blackhat, Embedded trojan, FakeAlert, Rogueware | No Comments »
Friday, March 6th, 2009
As 2009 moves through a worldwide financial crisis, the underground markets continue to thrive.
A recent perusal of the prices offered for various services shows that a user can obtain a private spambot kit for just under $5000, an exploit kit for another ~$400 complete with the newest pdf, flash, and browser exploits (Internet Explorer, Firefox, and Opera covered here), subscribe to an AV-detection/evasion service for under $100/month, and subscribe to an email address harvesting service that boasts almost a billion verified private addresses, all for a low price of under $100 per 1 million sorted addresses. These marketplaces are currently very active. The technologies being peddled are slowly adapting as the defenses in the field change, with promises of multi-platform effectiveness (XP, Vista, etc) in feature lists and pro-active/heuristic detection functionality addressed by evasion services. Based on a walk through the market like this one, it’s easy to predict that client-side attacks delivering spambots and DDoS bots will continue with high levels of activity, regardless of the recession.
Posted in Blackhat, Bot, Commodity Kit, Evasion technique, Exploit, Software Release, Spam, Undetected malware, cybercrime | No Comments »
Tuesday, February 24th, 2009
It’s always disappointing to see traditional antivirus scanners miss malware detections, especially those in the formal WildList (the WildList is not dead! Well, not completely). It does and will happen, even with the best performing scanners. And witnessing the detection rates and delays in AV detection updates for various malware families that are being run on end user systems but prevented by behavioral protection can be a bit overwhelming. Layered protection is an important part of keeping a system secure.
So when we observe “underground” activity, it’s never a surprise to see ongoing and more sophisticated efforts in developing malware that evades AV detection. Some of the efforts are getting more organized, and we continue to see more professional-looking services and amateur-looking betas popping up that replace the venerable and legitimate Virustotal and Jotti virusscan sites. We’ve presented before on some underground services, where blackhat developers offer to write fully undetected stubs (undetected by all of the major anti-virus products), and once they are detected, the developer sends on a limited number of new undetected stubs to their customers. When that limit is reached, the customer shells out some more cash for their new AV evasion kit. Not only the major media grabbers like Storm, Waledac, and botnets related to McColo, but smaller, under-the-radar efforts like the distributors of rogueware and fakeav benefit financially from and further this sort of work.
Below is a snapshot of one fairly recent effort put together with malicious intent, to help provide confirmation that those stubs remain fully undetected without exposing the upload to distribution to AV companies (Virustotal and Jotti both distribute samples to AV companies). Many of the blackhat forums bring on new, inexperienced members that upload new undetected crypters to the legitimate sites, which sends the samples on to AV vendors and has been a problem for their efforts in the past. The site is in beta and slow as molasses.

Posted in Blackhat, Evasion technique, Strategy, Undetected malware | 1 Comment »