» Malware

Microsoft confirms Russian pill-pusher attack on its network

carrumba — Thu, 14 Oct 2010 12:35:52 +0000

Microsoft has confirmed that two devices on its corporate network were compromised to help a notorious gang of Russian criminals push Viagra, Human Growth Hormone, and other knockoff pharmaceuticals.

The admission came in response to an article The Register published on Tuesday. It reported that two internet addresses belonging to Microsoft were helping to route traffic to more than 1,000 websites that belong to a fraudulent online pharmacy known as the Canadian Health&Care Mall. Microsoft on Wednesday said an investigation of that report confirmed the hijacking was the result of an attack on machines connected to its network.

Read more here.

Stuxnet ‘a game changer for malware defence’

carrumba — Mon, 11 Oct 2010 07:16:09 +0000

The Stuxnet malware is a game changer for critical information infrastructure protection, an EU security agency has warned.

ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future.

The worm, whose primary method of entry into systems is infected USBs, essentially ignores vulnerable Windows boxes but aggressively attacks industrial control (SCADA) systems from Siemens, establishing a rootkit as well as a backdoor connection to two (now disconnected) command and control servers in Malaysia and Denmark.

Read more here.

The domination of autorun malware

carrumba — Fri, 01 Oct 2010 14:54:34 +0000

The top ranking e-threat for the third quarter, with 11 percent of the total infections in the world, is Trojan.AutorunINF.Gen. This piece of malware is consistently among the most “popular” threats each month as it easily spreads via removable devices and Windows shared folders. The Windows Autorun feature is exploited by malware authors to force the execution of dangerous files located on infected USB drives.

Ranking second is Win32.Worm.Downadup.Gen with six percent of the total infections in the world. This worm, also making use of the autorun feature, typically appears in the malware distribution charts alongside Trojan.AutorunInf.Gen.

Read more here.

Ethical malcoders get their own conference

carrumba — Tue, 31 Aug 2010 08:51:44 +0000

Found on Help Net Security.
You have heard of Black Hat, Defcon, RSA Conference and Info Security, but does the name MalCon ring a bell?

Probably not, since the newly started conference on malware is yet to be held for the first time and it’s only in the call-for-papers phase of its existence. But, the main theme is likely to raise a few eyebrows in the security community, for many may feel as Bruce Schneier does: “The bad guys produce more than enough malware to stimulate research.”

But this opinion will not prevent him to make an appearance as leading speaker in Mumbai and Pune (India) on December 3rd and 5th, respectively, when the conference is scheduled to be hosted.

Likewise intrigued by the notion, Brian Krebs contacted Rajshekhar Murthy, MalCon’s coordinator, to find out more about the event.

Read more here.

China stomps cybercrook training outfit

carrumba — Mon, 08 Feb 2010 12:32:49 +0000

Chinese authorities have closed down a firm that allegedly trained hackers to develop spyware and launch cyberattacks.

Police in the central Chinese province of Hubei province arrested three people when they closed down Black Hawk Safety Net, described by the official Xinhua news agency as running the country’s biggest hacker training website.

Black Hawk Safety Net offered hacker tools and Trojan software to 12,000 VIP paid-up members. Another 170,000 had signed up to the site for the reduced set of tools available to casual, non-paying members. The firm is also accused of running ‘hacking for cybercrooks’ courses.

Read more here.

Exeter Uni goes offline to fight mystery malware

carrumba — Fri, 22 Jan 2010 12:03:59 +0000

The University of Exeter took the unusual step of temporarily taking its network down this week in response to a virulent virus outbreak.

Computers at the south west England university were taken offline on Monday for a clean-up in response to an unidentified malware outbreak, which has since been contained.

By Thursday the vast majority of the network was back up and running, according to the Uni’s lastest status update. Exeter is the seat of learning for 15,000 students with three campuses, two in Exeter and a smaller facility in Cornwall.

David Allen, registrar and deputy chief executive of the university, told students and lecturers that taking the campus network offline was a necessary step in fighting the infection, which came in through “PCs running Microsoft Windows Vista Service Pack 2″.

“Experience of dealing with data corrupting viruses elsewhere indicates that it is essential to shut down the network ASAP to avoid so many machines and files being corrupted that it takes weeks to recover,” Allen explained. “Therefore, although this is a PC rather than a network problem, we had to shut down the network to isolate the virus.”

Exeter is yet to respond to our query on what strain of malware was involved in the attack.

Read more here.

Automatic analysis of malware behavior

carrumba — Mon, 04 Jan 2010 16:40:36 +0000

I just read about the tool Malheur designed for malware analysis. It looks interesting, I don’t know what other tools like this one are out there (if you know some of them, please leave a comment) but it is worth some minutes to read through their page.

After thinking some minutes about their approach using the MIST (malware instruction set) would the software still detect the malicious behaviour if instead of calling a function inside the software itself to create a new process with the according parameters.

instead of collecting all sensitive data and transferring it to the dropzone and triggering the alarm bell separating these two functions by calling :

malware.exe -collect >output.txt
malware -drop output.txt

I implemented it like that inside the SkypeTrojan.

Malheur is a tool for automatic analysis of program behavior recorded from malware. It has been designed to support the regular analysis of malicious software and the development of detection and defense measures.

Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning techniques.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

TJX sniffer author jailed for two years

carrumba — Tue, 29 Dec 2009 19:52:03 +0000

The malware coder who wrote the sniffer program used in the infamous TJX credit card heist has been jailed for two years.

Stephen Watt, 25, from New York, was also order to spend a further three years on probation following his release. He was also ordered to pay $171.5m in restitution.

Watts was part of a gang led by Alberto Gonzalez that captured more than 40 million credit and debit card records from TJX and other retailers between 2003 and 2007. The gang typically used the insecure wireless networks of retail branches to launch deeper attacks on corporate systems, ultimately targeting credit card databases.

Read more here.

2010 cyberthreat forecast: Attack vectors

carrumba — Mon, 21 Dec 2009 12:12:51 +0000

2009 was dominated by sophisticated malicious programs with rootkit functionality, Conficker, web attacks and botnets, SMS fraud and attacks on social networks. With the start of 2010 quickly approaching, researchers and analysts from Kaspersky Lab have come up with a list of six predictions for what will be the New Year’s greatest threats and newest attack vectors.

1. A rise in attacks originating from file sharing networks. In the coming year we will see a shift in the types of attacks on users, from attacks via websites and applications toward attacks originating from file sharing networks.

2. An increase in mass malware epidemics via P2P networks. In 2009 a series of mass malware epidemics has been “supported” by malicious files that are spread via file sharing networks. This method has been used to spread notorious threats such as TDSS and Virut as well as the first backdoor for Mac OS X. In 2010, we expect to see a significant increase in these types of incidents on P2P networks.

Read more here.

Malware trends in 2009

carrumba — Wed, 16 Dec 2009 19:27:16 +0000

MessageLabs released their 2009 Annual Security Report, and here is what they have to say about the malware that plagued us in the passing year.

1 of every 286.4 emails carried a virus, which is a decided improvement on 2008, when there was one in every 143.8 emails. This drastic decline is due to a greater variety of malware – more variants – that is delivered in lesser numbers per strain than before. 15 percent of emails had a malicious link inside, rather that malware in the attachment.

The great majority of malware that we have seen recently aims to achieve one of three things (or a combination of them):

* Fraud
* Theft of personal information
* Infection of the machine and harnessing it into a botnet.

Read more here.