Archive for the ‘Password stealing’ Category
Wednesday, September 16th, 2009
In a post last December on the ThreatExpert blog, Sergei proposed a method to defeat Koobface: hit ‘em in the pocketbook, where it hurts. The CAPTCHA-cracking services that the Koobface gang relies on could be the weak link in its chain, and could be abused to interrupt their scams. Unfortunately, no one seems to have taken up that proposal. Koobface is relentlessly released and spread across multiple distribution groups, with its CAPTCHA crackers still in action.

The Koobface malware was recently altered in several small ways. The binary now carries the functionality to phone back to one of two sites for its CAPTCHA-cracking needs.

Perhaps these are the new weak links to target.
Posted in Koobface, Password stealing
Thursday, August 27th, 2009
It seemed strange when the steady stream of changing, but similar, Mebroot (also known as Sinowal) executables dried up in late July. But alas, the MBR-infecting family seems simply to have run out of flour and wheat for the “pasta theory” code described by Elia Florio and Kimmo Kasslin.

The spaghetti code that typified the Mebroot family for so long seems to have been straightened out. Known for downloading password stealers aimed at banking and financial services, the family also developed a reputation for oodles of obfuscation in its executables. Now, instead of the never-ending jmps, rets and scrambled code flow, it seems to be released without the pasta and with a series of bogus calls in its place: some DeviceIoControl calls with a stack full of NULL parameters, some bogus filenames passed to CreateFile, and so on. Otherwise, the components observed in the lab match up with past Mebroot components, so we are digging deeper into the chances that we really are witnessing a new generation of the malware.
When we started digging into the dropper, googling “dedkeopght.com”, the site from which the malicious PDF file fetched this MBR-injecting payload, turned up no results whatsoever. Neither did scanning the payload file (the dropper) with a variety of AV file scanners. ThreatFire users are safe, however: TF continues to prevent its injections and its MBR-infection techniques.
Be sure to update your software regularly and add a behavioral solution to your system.
Posted in Crimeware, Downloader, Password stealing, Software Release, Undetected malware
Monday, August 3rd, 2009
A number of users are being duped into downloading and running a file currently given names similar to foto049.com (a .com file is a Windows executable, not a web address), which is being served off of a system hosted in Moscow: vfoto.fromru.su /foto049. com. The link appears to be spread over email in messages claiming to link to photos and videos.
The file is a downloader that pulls down multiple encrypted executables from systems in Brazil that are also known to serve up Zbot banking password stealers. The encrypted files are downloaded and written with “.html” and “.txt” extensions into a “\winnt_” directory that the downloader creates off the system’s root drive. The seven files are then decrypted, renamed, added to autorun locations in the registry and run. As you can see in the ThreatExpert report, the files are consistently given names that look similar to system filenames:
C:\winnt_\winntR1.exe
C:\winnt_\winntR2.exe
C:\winnt_\winnt2.exe
C:\winnt_\winnt3.exe
C:\winnt_\winnt4.exe
C:\winnt_\winnt5.exe
C:\winnt_\winnt6.exe
One component harvests email addresses from Orkut and other accounts, while the others appear mainly interested in stealing information entered into the sites of Brazilian banks such as Itau, Bradesco, BancoBrasil, etc. Our ThreatFire community in Brazil and in other parts of the world has been protected from the threat since this variant first appeared on Friday. Users must be wary of running unsigned (or any) executables from links spread over email, even from friends.
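For readers who want to hunt for this footprint on a host or in a disk image, here is an added example in Python; it is not code from this post, from ThreatFire or from ThreatExpert. It checks the two traits described above: payloads parked under a \winnt_ directory with .html/.txt extensions that are really PE images (they start with the “MZ” header), and the winntR1.exe / winnt2.exe naming scheme, both on disk and in autorun entries. The sample directory tree and Run-key contents are constructed inside the block so it runs offline; the assumption that the autorun location is the CurrentVersion\Run key is mine, since the post says only “autorun locations in the registry”.

```python
import os
import re
import tempfile

# Naming scheme reported in the post: winntR1.exe, winntR2.exe, winnt2.exe ... winnt6.exe
WINNT_NAME = re.compile(r"^winntR?\d+\.exe$", re.IGNORECASE)
# Staging directory the downloader creates off the root of the system drive
STAGING_DIR = "winnt_"
# Extensions the encrypted payloads are parked under before being decrypted and renamed
DISGUISE_EXTS = {".html", ".txt"}


def is_pe(path):
    """True if the file starts with the 'MZ' DOS stub every PE image carries."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan_staging_dir(root):
    """Walk `root` and return (path, reason) pairs for files matching the footprint.

    Two checks: a PE image hiding under a .html/.txt name anywhere under root,
    or a winnt-style executable name inside a winnt_ directory.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        in_staging = os.path.basename(dirpath).lower() == STAGING_DIR
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in DISGUISE_EXTS and is_pe(path):
                findings.append((path, "PE image disguised as %s" % ext))
            elif in_staging and WINNT_NAME.match(name):
                findings.append((path, "winnt-style name in winnt_ directory"))
    return findings


def finding_names(findings):
    """Sorted basenames of the flagged files, for reporting and tests."""
    return sorted(os.path.basename(path) for path, _ in findings)


def image_path(cmd):
    """Extract the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_autoruns(entries):
    """Return {value_name: image} for autorun entries pointing into a winnt_ directory.

    `entries` maps value name -> command, as read from HKLM or HKCU
    Software\\Microsoft\\Windows\\CurrentVersion\\Run (assumed location; the
    post says only 'autorun locations in the registry').
    """
    hits = {}
    for value, cmd in entries.items():
        parts = image_path(cmd).replace("/", "\\").lower().split("\\")
        if STAGING_DIR in parts[:-1] and WINNT_NAME.match(parts[-1]):
            hits[value] = image_path(cmd)
    return hits


def build_sample_tree():
    """Constructed sample directory: not real malware, just the shapes the checks look for."""
    root = tempfile.mkdtemp()
    staging = os.path.join(root, STAGING_DIR)
    os.mkdir(staging)
    # downloaded payload parked as .html but carrying a PE header
    with open(os.path.join(staging, "1.html"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62)
    # an honest text file with a disguise extension must not be flagged
    with open(os.path.join(staging, "notes.txt"), "wb") as fh:
        fh.write(b"just text\n")
    # decrypted and renamed component
    with open(os.path.join(staging, "winntR1.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return root


# Constructed Run-key contents: two entries shaped like the campaign's, one legitimate
SAMPLE_AUTORUNS = {
    "winntR1": r'"C:\winnt_\winntR1.exe"',
    "winnt3": r"C:\winnt_\winnt3.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    root = build_sample_tree()
    for path, reason in scan_staging_dir(root):
        print(reason, "->", path)
    for value, image in suspicious_autoruns(SAMPLE_AUTORUNS).items():
        print("autorun", value, "->", image)
```

On a live Windows host you would feed `suspicious_autoruns` the values read from the Run keys (for example via `winreg`) and point `scan_staging_dir` at the root of the system drive; the MZ check is what catches the payloads while they still wear their .html and .txt disguise, before the downloader renames them.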
Posted in Password stealing, Social Engineering