Archive for the ‘Software Release’ Category

Mebroot Noodles Straightened Out?

Thursday, August 27th, 2009

It seemed strange when the steady stream of changing, but similar, Mebroot (also known as Sinowal) executables dried up in late July. But alas, the MBR-infecting family seems to have simply run out of flour and wheat for their “pasta theory” code, as described by Elia Florio and Kimmo Kasslin.

The spaghetti code typical of the Mebroot family for so long seems to have been straightened out. Known for downloading banking and financial service password stealers, it also developed a reputation for oodles of obfuscation in its executables. Now, instead of the never-ending jmps, rets and scrambled code flow, the family seems to be released without the pasta and with a series of bogus calls — some DeviceIoControl calls with a stack full of NULL parameters, some bogus filenames passed to CreateFile, etc. Otherwise, the components observed in the lab match up with past Mebroot components, so we are digging deeper into the chances that we really are witnessing a new generation of the malware.

At the time we started digging into the dropper, googling “dedkeopght.com”, the site from which the malcrafted PDF file fetched this MBR-injecting payload, turned up no results whatsoever. Neither did scanning the payload file (the dropper) with a variety of AV file scanners. However, ThreatFire users are safe, and TF continues to prevent its injections and MBR infection techniques.

Be sure to regularly update your software and add a behavioral solution to your system.

A Recipe for Stolen Biscuits

Thursday, April 30th, 2009

As Koobface has proven, stealing biscuits can get malware distributors a long way.

Another technique and tool has just been posted to abuse stolen biscuits, much like the Koobface worm, and it supports changing a wall without the password. The author claims to have just completed “FBController – The Ultimate Utility to Control Facebook accounts without the Password”.

Be aware that downloading and executing code from untrusted sources is always a problem, and please do not fall for the ongoing phony video codec or software update ploys.

Update – a CNET writer finds the techniques interesting.

Underground Marketplace during a Global Recession

Friday, March 6th, 2009

As 2009 moves through a worldwide financial crisis, the underground markets continue to thrive.

A recent perusal of the prices offered for various services shows that a user can obtain a private spambot kit for just under $5000, an exploit kit for another ~$400 complete with the newest PDF, Flash, and browser exploits (Internet Explorer, Firefox, and Opera covered here), subscribe to an AV-detection/evasion service for under $100/month, and subscribe to an email address harvesting service that boasts almost a billion verified private addresses, all for a low price of under $100 per 1 million sorted addresses. These marketplaces are currently very active.

The technologies being peddled are slowly adapting as the defenses in the field change, with promises of multi-platform effectiveness (XP, Vista, etc.) in feature lists and proactive/heuristic detection functionality addressed by evasion services.

Based on a walk through the market like this one, it’s easy to predict that client-side attacks delivering spambots and DDoS bots will continue with high levels of activity, regardless of the recession.