Archive for the ‘Virus Bulletin’ Category
Friday, September 25th, 2009
This year’s annual Virus Bulletin conference, VB2009, is being held in Geneva, Switzerland. The presentations are very interesting, with topics covering Waledac, Koobface, botnets, and other malware families that ThreatFire effectively protects users against every day.

PC Tools’ Kurt Baumgartner presented a survey of Peter Ferrie’s series of papers on anti-unpacking techniques, and of how these techniques are and are not implemented within the “worst families” of 2008-2009. The slides are available on the Virus Bulletin 2009 slides page. It was exciting to discuss with at least a dozen other researchers the questions and answers we provided about Waledac and its consistent use of Int 0x2e within its packer. We examined other families and the specific decryption algorithms implemented by each, along with the unusual techniques malware writers are using to throw off automated research and file scanners. You can find Peter Ferrie’s “Anti-Unpacker Tricks” Virus Bulletin papers on his web page, under his “International Publications” section.
Righard Zwienenberg presented on the progress AMTSO is making, a group that PC Tools has actively participated in since its start. There was much interest in its activity and in some of its current work, which we are pleased to take part in driving forward. The upcoming meeting in Prague will bring with it discussion of one of its most controversial papers, “Issues in the Creation of Malware” [for testing purposes], which hopefully will be voted on and released soon. We encourage testers and reviewers to join and actively participate in this group.
Topics of interest included “The real face of Koobface” by Ivan Macalintal, and “Brazil, land of plentiful bankers” from Dmitry Bestuzhev. The Brazilian banker presentation discussed many of the issues behind the thriving banking password-stealing efforts and groups in Brazil, and the surprising presence of the Induc virus infecting Bancos password stealers, which ThreatFire effectively prevents. Also of interest is the malware working group connecting the AV industry, with Igor Muttik discussing the Industry Connection Security Group’s proposed XML structure and content for sharing samples and information amongst vendors and testers. It’s something we’ll probably exchange thoughts on at the upcoming AMTSO meeting.
Posted in Virus Bulletin
Monday, October 6th, 2008
A variation on an old IM-Worm is making the rounds in Thailand and Vietnam. It just may be interrupting your Virus Bulletin reading — the papers were good this year. The worm is another AutoIt script compiled as “ssvichosst.exe” and designed to interact with Yahoo! Messenger — among other things, the process searches for a window with the title “Yahoo! Messenger”, and then sends one of a list of 10 fairly random Vietnamese or Thai messages to the user’s buddies. Sorry, we don’t have a speaker nearby right now; here are a few examples in which Google didn’t pick up anything obscene:
“E may, vao day coi co con nho nay ngon lam”
“Vao day nghe bai nay di ban”
“Biet tin gi chua, vao day coi di”
“Trang Web nay coi cung hay, vao coi thu di”
It performs a number of operations to turn off Vietnamese-based security products like “Bach Khoa AntiVirus” and “FireLion”, and disables system configuration tools: it hides the Folder Options display, and disables the Task Manager and the registry tools.
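As an added example (not code from the original post, nor from PC Tools or ThreatFire), here is a PowerShell audit a defender could run on a suspect machine to check for the three tool-disabling changes described above, and for a running process with the filename the post names. The registry values it inspects (DisableTaskMgr, DisableRegistryTools, NoFolderOptions) are the standard Windows policy locations for those restrictions, assumed here from general Windows knowledge rather than taken from the post; the -Remediate switch is likewise my own addition.

```powershell
<#
  Added example, not from the original post: audit (and optionally undo) the
  tool-disabling changes the post attributes to the worm. Registry locations
  are the standard Windows policy values for these restrictions (assumption
  based on general Windows knowledge, not on the post). Run as the affected user.
#>
param([switch]$Remediate)

$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableTaskMgr';       Meaning = 'Task Manager disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableRegistryTools'; Meaning = 'Registry tools disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NoFolderOptions';      Meaning = 'Folder Options hidden' }
)

$findings = New-Object System.Collections.Generic.List[object]
$removed  = 0

foreach ($p in $policies) {
    # A missing key or value yields $null; a value of 1 means the restriction is on.
    $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($p.Name) -eq 1) {
        $findings.Add([pscustomobject]@{
            Indicator = $p.Meaning
            Location  = "$($p.Path)\$($p.Name)"
        })
        if ($Remediate) {
            Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            $removed++
        }
    }
}

# Process name quoted in the post. A hit is a triage lead, not proof by itself:
# the file is an AutoIt script, so hash and inspect it before acting on it.
foreach ($proc in Get-Process -Name 'ssvichosst' -ErrorAction SilentlyContinue) {
    $findings.Add([pscustomobject]@{
        Indicator = 'Process named in the post is running'
        Location  = "PID $($proc.Id): $($proc.Path)"
    })
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found.'
} else {
    $findings | Format-Table -AutoSize
    if ($removed -gt 0) {
        Write-Output "$removed policy value(s) removed; sign out and back in for Explorer to pick up the change."
    }
}
```

Run it without arguments to report only; add -Remediate to clear any policy values it finds. Re-enabling the tools is only a first step, since the script that set them will set them again unless its file and autorun entry are also removed.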

In the meantime, Peter Szor’s Virus Bulletin 2008 conference presentation on the possibility of true evolution of malcode is a fascinating idea, and must have been a lot of fun to work on, but does not hold a lot of weight. While Peter Szor deserves credit and respect for writing the book on malware, “The Art of Computer Virus Research and Defense”, this presentation didn’t seem to have the same impact. The abstract suggested that an evolution could occur in software code that attacks behavioral-based products such that, “As a consequence, we predict behaviour-based virus detection would quickly become ineffective if malware can evolve based on the Darwinian paradigm.” A friend thought that such an occurrence is as likely as a pack of monkeys in front of keyboards eventually typing out Shakespeare. Too true. Szor’s paper co-author C. Adami provided the academic efforts and study of evolution to back up their thoughts. The open source software Avida that he used to display the potential can be found on SourceForge (it was developed at the Michigan State Devolab), and creates an extraordinarily dynamic and fascinating evolutionary environment right on your laptop, with the text version looking much like this:

While it is apparent that bypass techniques can be designed against almost any software solution, it will continue to require a human to figure out those bypass techniques. It is interesting when malware authors write a separate, legitimate-looking set of actions into their code for the times when it is run in a VMware environment, or when a debug DLL is loaded. But no additional number of monkeys or amount of time will make it probable that randomly mutated software will figure them out in a sequence that will morph into such an evasive danger. Szor provided a couple of examples of corrupted infections that their research team has found, including macro viruses, and examples of viral payloads piggybacking on worms for crossbreeding, but there really isn’t any evidence that malcode payloads exist containing random mutations resulting in evasion of behavioral-based security technologies.
The Yahlover script will continue making the rounds in Vietnam and elsewhere, infecting AV scanner-protected machines. No realistic amount of accidental corruption is going to help it past behavioral-based protection, but maybe an unemployed script-writing monkey could help.
Posted in AntiMalware Solutions, Fun, Virus Bulletin, Worm
Monday, September 29th, 2008
While we’ve been calling it Rogueware for years around here, Microsoft and the state of Washington Attorney General’s office are filing a set of complaints against “scareware” makers. It’s interesting that lawsuits can be filed against “John Doe” actors in the complaints, as written up by Elinor Mills on CNet: “Microsoft filed five new lawsuits and amended two previous complaints against SMP Soft, all relating to programs that allegedly falsely alert consumers to problems on their computers and offer to sell software fixes. The programs listed include Scan & Repair, Antivirus 2009, MalwareCore, WinDefenderXPDefender.com and WinSpywareProtect. Most of the defendants are listed as “John Doe” because investigators do not yet know the identities of the people behind the programs.”

Kurt Baumgartner, Chief Threat Officer of our research group, was selected to present a timely last-minute technical presentation on Thursday of this week on “Recent rogueware” at Virus Bulletin 2008 in Ottawa, Canada. The presentation will focus mostly on technical aspects of Rogueware currently in the wild, including a couple of the software packages listed in the complaint, the ridiculous but popular MonaRonaDona hoax, and various methods of delivery. Regardless of the filings, the threats continue to evolve online and are active today, much like the image above.
Posted in FakeAlert, Rogueware, Virus Bulletin, Vundo, Zlob