Waledac's 276 domain names seized
A federal magistrate judge has recommended that Microsoft be given ownership of 276 internet addresses used to control “Waledac,” a massive botnet that the software company has been working to bring down.…
Who said that Cutwail/pushdo botnet was dead? The recent Cutwail/Pushdo takedown was a great help on stopping this huge botnet in sending spammed messages all over the world.
Yesterday however, a new wave of fake Facebook messages have been sent through some Cutwail zombies for about 30 minutes which is around 5000 spammed emails.
The spammed message informs user that they received a private message and contains a bogus Facebook link which actually points users to {BLOCKED}icy.com, a Canadian pharmacy website hosted in China. However, as of this writing, the said site is no longer online.
This recent Pushdo/Cutwail update shows us that the cybercriminals behind this botnet are moving and building back the structure to be able to revive the botnet.
Post from: TrendLabs | Malware Blog - by Trend Micro
New Fake Facebook Spam Waves Send Through Cutwail/Pushdo Botnet
The crimeware is one of the most used by cyber criminals to gather intelligence enabling the identification of trends and customs around by people who use the Internet daily.
This seeks to obtain relevant information on time and complete details of the victims who, further, they allow criminals to know about which factors to emphasize their "improvements" in the web application, and botmaster
No mitigations for click-and-get-hacked exploit
Researchers have uncovered sophisticated attack code circulating on the net that exploits a critical vulnerability in the most recent version of Adobe Reader.…
At the start of this week I posted a warning on this blog that the TechCrunch Europe website had fallen victim to a hacking attack, and was spreading malware to its readers.
At the time I was concerned that the popular technology blog had referred on Twitter to malware warnings being seen by readers as "annoying", and said that I hoped that aside from cleaning-up the infection by a member of the Zbot malware family, they would also post a message onto their site warning users that they could have been infected.
I'm delighted to say that yesterday evening, TechCrunch Europe posted a brief message advising readers to check their computers with an up-to-date anti-virus product.
Of course, it would have been nice if TechCrunch had posted a warning on its site as soon as the problem was identified - but this is better than nothing! If you visited TechCrunch Europe's website at the beginning of this week you would be sensible to scan your computer now - just in case.
Drive-by download guard
Tuesday marked a busy day for alternative browser security updates with patches from both Apple and Mozilla.…
Email salary details to everyone ploy foiled
A court has ordered a UK hacker to pay compensation after he used a purloined laptop to hack into his ex-employer's personnel database.…
All of us have heard about SpyEye, a malware family comprising information/data stealers like ZeuS/ZBOT. This malware is sometimes known as a “ZeuS killer,” as it stops ZeuS malware from running on affected systems, assuming that the latter is already present. This topic was discussed before in the blog post, “Keeping an Eye on the EYEBOT and a Possible Bot War.”
We were able to further investigate a command-and-control (C&C) server of a SpyEye botnet, most of whose zombies were located in Poland. This is somewhat unusual, as bot herders prefer to target Western countries like the United States, the United Kingdom, Germany, Italy, Spain, and France.
This particular SpyEye C&C server is located in the Ukraine:
IP address: {BLOCKED}.{BLOCKED}.159.29
Org: Tavria Host Network
ISP: PAN-SAM Ltd.
ASN: AS196814
We were able to access different Control Panel tabs on this SpyEye server and saw some interesting bits of information such as its number of bots and their locations:
A statistical breakdown of the bots by OS, Internet Explorer version, and whether they run as administrators or not was also found:
We also came across botnet configuration and stolen data details:
After digging through all the data, we found that several credentials have been stolen. These credentials come from banks, social networking sites, and career/job-hunting sites. The server was not particularly secure. In fact, the bot herder who used this particular server left several open folders as well as readable configuration files. We also gathered 400MB of stolen data from this particular C&C server.
After having infected users with SpyEye malware, the bot master is now pushing a new TDSS variant detected as TROJ_TDSS.VAD. This links SpyEye to one of the major families that we know to be part of the pay-per-install (PPI) business:
We will continue to monitor this particular C&C server, as well as the Spyeye botnet as a whole. Further developments may be posted here at the Malware Blog.
Post from: TrendLabs | Malware Blog - by Trend Micro
Uncovered Spyeye C&C Server Targets Polish Users
myLoader is a web application that allows offenders to collect statistical information related to different factors and features on each of the infected computers. The crimeware is sold in the underground market at an average cost of $ 700.
The botnet Oficla started their criminal activities at the beginning of 2010 and just the executable binary detected by antivirus engines as Oficla or Sasfis
BKCNET "SIA" IZZI, also known as or simply ATECH-SAGADE is an AS (Autonomous System) numbers in 6851, currently is one of the most active of crimeware through which are distributed daily a large amount of malicious code , besides being the control base for the accommodation of several C&C which feed the underground economy.
Your geolocation is in Latvia and, as I mentioned on another occasion, "
6,671 travelers searched (so far)
Privacy advocates have sued the Obama administration over its practice of seizing laptops, cell phones, and other devices at US borders and copying their contents even when the owner isn't suspected of wrongdoing.…
One-click vuln 'ridiculously easy to attack'
Twitter has been bitten by a hard-to-kill web-application bug that's being actively exploited to steal users' authentication credentials, a security expert said Tuesday.…
Greedy sprats
Fraudsters have wasted no time jumping on news of a tax mix-up in the UK as a hook for scams.…
Tax authorities in the UK are contacting millions of people, telling them that they have paid the wrong amount of tax.
As the BBC reports, the mistakes in tax payment calculations have been uncovered following the introduction of a new computer system.
So, it's good news for some (who will be receiving an unexpected windfall in the form of a tax rebate) and bad news for others, who will find that they are being asked to make uncomfortable additional payments to the HMRC.
But if you think you had enough to worry about with the possibility of an unexpected extra tax demand, UK internet users are also at risk as scammers exploit the confusion.
For instance, here's a message we caught in our spam traps this morning which claimed to come from HMRC with the subject line "You Have An HMRC Refund":
Part of the email reads:
Following an upgrade of our computer systems and review of our records we have investigated your payments and latest tax returns over the past years, our calculations show you have made over payments of 317.66GBP
Due to the high volume of refunds you must complete the online application.
Your refund may take up to 6 weeks to process please make sure you complete the form correctly.
In order to process your refund you will need to complete the attached application form.
Attached to the email is a file called Refund-Form.zip, which contains an HTML file called Refund-Form.htm which asks for information including your credit card details, full date of birth, and mother's maiden name.
If you do make the mistake of filling in the form, your confidential data is uploaded to a Chinese server. You're not going to receive a windfall because of this form - you've just been phished.
The real HMRC website contains advice about scams like this, and clearly states that they would never customers of a tax rebate via email, or invite them to complete an online form to receive a rebate of tax.
You have been warned - don't let your eagerness for a tax refund lead to you throwing caution to the wind.
Share this
Spammers have taken advantage of a vulnerability in Facebook to spread auto-replicating links, a trick that makes it possible to spread crud without using social engineering.…
One of the themes that has been coming through loud and clear in the security world for the last few months has been the use by scammers of revenue-generating surveys.
I've reported about many of these on the Clu-blog, mostly impacting Facebook users, where unsuspecting computer owners click on a link shared with them via the social networking site only to discover that they have to complete a survey before seeing some typically salacious content. The scammers, meanwhile, earn their crust by receiving a small commission for each survey that is completed.
These survey scams, however, are not just limited to Facebook.
Here's a message I received via the SophosLabs YouTube channel, for instance:
At first glance you may feel flattered that someone has praised the videos you have been making, but in fact the point of the email is to take you to a third-party website.
And, sure enough, if you click on the link a revenue-generating survey will pop up claiming you could win a free new Apple iPad or a year's free shopping at Sainsbury's:
It doesn't matter if you receive a message via Facebook, YouTube or traditional email - you should always be suspicious of unsolicited communications and think before you click.
Oh, God
TechCrunch Europe has cleaned up its website following the discovery of malicious code that left visiting surfers exposed to infection by a variant of the infamous Zeus banking Trojan.…
Twitter
discontinued support for basic user authentication in third-party applications yesterday morning.
Good. It's always best to never share your password with a third-party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute force password attacks via Twiter's API.
All third-party applications must now use Twitter's OAuth.
So, that being the case… we have a feature request.
The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos".
If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).
We don't suspect Boy George is behind this…
Okay, so it's a spam application. Time to visit
Settings/Connections and revoke its access.
And here's our feature request, we want a "Revoke Access and report as a spam application" as well as the "Revoke Access" option.
Cheers!
On 01/09/10 At 03:36 PM
Wikipedia's
affiliate marketing entry includes the following sentence: "Although many affiliate programs have terms of service that contain rules against spam, this marketing method has historically proven to attract abuse from spammers."
This is very true — affiliate marketing methods definitely attract abuse from spammers.
Our recent posts on
Facebook and
YouTube spam linked to cost per action (
CPA) affiliate networks. We've come across affiliates from several CPA incentive networks while investing social networking spam, and one of the more interesting companies that we frequently see abused is CPAlead.com.
CPAlead claims to be
to be one of the largest affiliate networks with nearly 11 thousand members in its
Facebook Group. They also have an interesting Twitter profile that
lists their daily top earners.
They've tweeted 258 times since June 18th and the total amount of daily top earnings is $485,188.34.
There were 281+ thousand leads (completed surveys) and 3.7+ million clicks. That's a 7.5% conversion rate for the top earners.
With numbers such as that… there's little wonder why spammers are attracted.
On 31/08/10 At 09:44 PM
In today's episode of
What Can You Find On the Web, we give you an online store for purchasing fake passports that we ran into.
Prices of these range from $650 to $1000. They don't seem to (yet?) offer passports with embedded RFID chips.
Some screenshots:
On 06/09/10 At 02:20 PM
Today we have an example of yet another Facebook spam (YAFS).
This particular spam links to a Facebook Page called "I May NEVER T�XT AGAIN After Reading THI$!!".
As you can see, there are over 200 thousand likes.
The Facebook user must click the Like button in order to continue.
But not really. Let's skip step 1 and take a look at the selection source.
Step 2 requests (but doesn't enforce) sharing the Page and step 3 provides a link to Blogger.
JavaScript for a CPAlead (an affiliate marketing vendor) kicks in when you visit the Blogger page.
This actually surprised us as we wouldn't have expected Google to allow this sort of thing on a page hosted at blogspot.com.
In order to view the Blogger page, you have to fill out a survey.
But not really. A browser add-on such as
NoScript can be used to disable the JavaScript and view the page.
Adblock Plus also works.
The "Never Texting Again" blog looks like this once you disable the survey.
The Blogger page was created in May 2010 and simply copies
this switched.com article from September 2008.
So how many people filled out the survey in order to view the page? That's difficult to say as there aren't any counters on the page.
Another similarly themed spam link from June 29th offers a hint:
There were nearly 300 thousands clicks on the bit.ly link…
But remember — clicks don't equal conversions.
The bit.ly statistics show that the link was only liked 3048 times.
That's just a one percent conversion rate from Clicks to Likes (step 1 to step 2). And as
we mentioned yesterday, even fewer people appear to fill out the surveys (step 3).
Yes. The links do "spread virally". But as a wise man once wrote: Don't Panic!
The links are just spam, and the majority of people recognize it as such — just like e-mail spam, which also links to surveys, scams, and dubious offers.
This spammer has several Blogger pages:
And they all seem to fit Google's definition of spam:
So we reported the entire account to Google.
Done, and done.
We don't really care for the sort of "news" that CPA spammers continue to hype — and you probably don't either — but perhaps you have a friend that frequently falls for this sort of spam? Then check out
Bypass Facebook Fan Pages. The site tracks Facebook spam and links to the material on which the CPA affiliates are trying to capitalize. They also have a
Twitter account.
Cut the spammers out of the loop.
On 24/08/10 At 04:50 PM
"
Computer viruses may have contributed to the Spanair passenger plane crash which killed 154 people in Madrid two years ago",
reports the Spanish newspaper El Pais.
"
The Spanair central computer which registered technical problems in airplanes was not functioning properly because it had been contaminated by harmful computer programs", the magazine continues.
We cannot confirm whether malware played a part, nor do we know which particular malware it could have been. However, over the years, we have seen real-world infrastructure affected by computer problems. In most cases, this has been just a side effect; the malware behind the problem wasn't trying to take systems down, it just did.
This was especially bad in 2003, when we saw malware induced problems in real-life systems unprecedented in their severity. The main culprits were network worms
Slammer and
Blaster.
The network congestion caused by Slammer dramatically slowed down the network traffic of the entire Internet. One of the world's largest automatic teller machine networks crashed and remained inoperative over the whole weekend. Many international airports reported that their air traffic control systems slowed down. Emergency phone systems were reported to have problems in different parts of the USA. The worm even managed to enter the internal network of the Davis-Besse nuclear power plant in Ohio, taking down the computer monitoring the state of the nuclear reactor.
The RPC traffic created by Blaster caused big problems worldwide. Problems were reported in banking systems and in the networks or large system integrators. Also, several airlines reported problems in their systems caused by Blaster and Welchi, and flights had to be canceled. Welchi also infected Windows XP-based automatic teller machines made by Diebold, which hampered monetary transactions. The operation of the US State Department's visa system suffered. The rail company CSX reported that the worm had interfered with the train signaling systems stopping all passenger and freight traffic. As a result of this, all commuter trains around the US capital stopped on their tracks.
There was a lot of attention to the indirect effects of Blaster on a
major power blackout in the Northeastern USA which occurred during the outbreak week. According to the report of the blackout investigative committee there were four main reasons behind the power failure, one of them being specifically computer problems. We believe these problems were to a great extent caused by the Blaster.
It is important to note that even though the system problems caused by Slammer and Blaster were truly considerable, they were only byproducts of the worms. The worms only tried to propagate: they were not intended to affect critical systems. The malware affected environments that had nothing to do with Windows: it was the massive network traffic caused by the worms that alone disrupted normal operations.
On 20/08/10 At 12:53 PM
Last week, the lab identified a curious set of spammed malware; files signed with a valid Authenticode code signing certificate.
This is something we've seen before. But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details.
I searched for a company that matched the name and address in the certificate and found small consulting firm that provides services related to industrial process control and optimization.
I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software — so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been victim of identity theft.
I investigated the case with the help of the victim and Comodo, the Certification Authority that had signed the fraudulent certificate. I discovered that the certificate had been requested in name of an actual employee and that Comodo had used both phone call verification as well as e-mail. The fraudster had access to the employee's e-mail and the phone call verification either ended up with wrong person, or there was some misunderstanding. So the phone check offered no prevention this case.
Comodo has revoked the fraudulent certificate and any files signed with that certificate will be blocked automatically.
Also during the investigation I learned that the compromised employee had received a phone call from Thawte, another CA company. Thawte asked if she requested a code signing certificate in the company's name, to which she had answered "no", and Thawte then aborted the certification process. So it seems that the malware authors tried multiple CAs until everything fell into place in gaming the application process.
This case gives cause for serious concern about the trustworthiness of code signing in general.
When scammers have access to a company's e-mail, it is very difficult for a CA to verify whether the request coming from the company is genuine. Mistakes will also happen in the future. It is very likely that we'll see more of these cases in which an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates.
Certification Authorities already have measures to pass information about suspicious certification attempts, and other kinds of system abuse. However these systems are maintained by humans, and are thus fallible, and we have to accept the fact that that with current system, certificates are not 100% proof of a file's origin.
The current situation of a single entity being served by several certification authorities is not good from a security point of view. Certification Authorities should have similar process as with domain names where a single domain name, for example f-secure.com, can be hosted by only one registrar at a time.
Also, code signing or SSL certificates should be allowed to be signed by only one CA at the time.
So if someone would like to get certificate in name of F-Secure they would only be able to get that from the same CA where F-Secure currently gets its certificates, which has an existing business relationship with F-Secure, and thus any new certification requests would be verified from existing business contacts. For this to be possible, the CA would need to have a central information resource.
The current model of any CA being able to issue a certificate in any name is simply not ever going to be secure as there are way too many possibilities for scams and social engineering.
For those interested in hearing more about code signing abuse, I will be giving
a presentation at T2 Information security conference in October.
Signing off,
Jarno
On 25/08/10 At 12:46 PM
Facebook spam (erroneously called scams) has been making headlines recently…
And with all the attention on "virally spreading" links, we wondered, just how effective is it? What's the conversion rate? Links spread virally — but so what? That's only one step in the process. How many people actually fill out the CPA surveys that make the money?
Here's one recent example of spam attempting to use
English football player Peter Crouch as bait.
Only 269 "likes" — doesn't seem that interesting…
But wait, what's that in the bottom right hand corner? A counter of some sort?
Indeed, this particular spammer is using a statistics site called http://whos.amung.us.
Here's the dashboard view for the football spam:
The most action that this spam managed was 208 hits in one hour.
Here's another, more popular spam about an unlucky McDonald's Happy Meal:
This spam uses bit.ly links to spread itself on Facebook.
The links lead to http://happytruthblog.co.cc and there are just over 32,000 clicks. The stats also show the number of likes. Clicks to likes, what's the conversion rate? One link has around 40% and the other about 48%.
The dashboard reflects the successful traffic.
40% is an excellent conversion rate, much better than e-mail spam.
However, the 32,000 clicks is far less than similar spam from
just two months ago when we saw several examples of viral links that yielded hundreds of thousands of clicks.
Returns are diminishing as people are exposed, develop a resistance, and recognize Facebook spam for what it is.
In fact, the spammers themselves seem to know this and are working harder to convince people.
This version of the Happy Meal spam promises "no need to complete surveys."
And the initial likes and the site's dashboard stats reflect well on that promise.
But it's the same old spammer lie.
This page has an anti-spam bot "test", which is just a survey by another name.
Let's close the page. Wait, what's this?
Please take one minute to complete a spam-free market research survey?!?
Unbelievable.
Screw the spammers! Let's take a look at what they're trying to cover up with their JavaScript.
Here's the page source for the spam page:
Rather than "like" the page and then "share" it with our friends on Facebook, let's skip to "step 3" and open /reveal.html.
Hmm, that reveals a reference to widget.php.
And widget.php's page source gives us the final result:
What? Really? The Happy Meal story is
from November 2007? Cripes…
If that's the type of "free content" that these bonehead spammers are pushing, it's no wonder that there's a diminishing return on their efforts. What a joke.
A couple of other examples that we examined today used video bait (video.php). Those spam pages eventually linked to YouTube videos, and those view statistics only showed tens of views from the embedded sources.
That's good news. Examination of the data demonstrates that fewer and fewer people actually continue on to "step 3", which is filling out the survey. The vast majority of people bail out of the process after simply liking the page, or after sharing the link.
But here's the bad news.
Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts. Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made. And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon.
On 23/08/10 At 08:09 PM
A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required the use of some social engineering to spread.
But clicking on any of these application spam links is enough to "share" the application to the user's Wall.
See the search results below:
Note that each of search results were posted "via Mobile Web", which suggests that a common bug is being exploited. Or perhaps the spammer is posting via m.facebook as it's generally more responsive than the main site.
It's also interesting that the application links seem almost polymorphic or Captcha-like.
All of the links that we tested resulted in a page not found, so Facebook appears to have halted the worm's progress.
Tip hat to All Facebook, read more
here.
On 06/09/10 At 11:46 PM
The survey spam worm
that spread across Facebook yesterday was posted to profile Walls "via Mobile Web".
In here the lab, we're always interested in all things mobile, so we took another look at All Facebook's
post. In an update, they show that the spam was also spreading via messages.
And there is a link visible in the screenshot pointing to artcentertransportation.com:
That site is registered to a "Jane Doe" and is hosted in the USA by Dynamic Dolphin. Visiting the URL from Finland simply redirects to another site called Wixawin (via tracklead.net) which offers "Mobile Entertainment". And what kind of entertainment do they offer?
The kind that could cost you upwards of €17.50 per month in subscription fees.
This is what you'll see if you attempt to visit Wixawin with our Mobile Security Browsing Protection enabled.
The affiliate ID that appears to be behind much of this mischief is: "affiliateid=WANE". Perhaps the spam was being posted via Mobile Web so that it included the necessary referrer?
In any case, let's hope that the affiliate network revokes whatever leads this spammer may have made.
On 07/09/10 At 11:59 AM
In the past days, a class of exploits that fall under the category of DLL hijacking (or "binary planting") have gotten a lot of attention. Apple's iTunes
had problems, and a lot of other applications seem to be falling for the same thing.
The problem is really quite simple. An attacker will try to trick someone into opening a data file (for example, an MP3 file in the case of iTunes) from a folder while at the same time placing a malicious Dynamic-link Library (DLL) somewhere under the same location. By doing this, he can force a vulnerable application to execute the malicious code. So, double-clicking on the wrong file on a network share might get your machine infected.
The whole class of problems is really nothing new. As Thierry Zoller
points out, a nearly identical issue was
reported a good 10 years ago. Why are we seeing lots of new vulnerabilities now? A lot can be attributed to a new tool that was made available by HD Moore last Sunday. It makes finding such vulnerabilities very easy.
So what can you do to keep safe? Microsoft has
Security Advisory 2269637 out on the issue. It has several ways to mitigate the risks. You should also make sure to apply updates from different vendors for vulnerabilities in their products.
We'll of course be following this closely and adding detection for any malicious DLLs abusing the vulnerabilities.
Currently we are not aware of any vulnerabilities in our own software, but we are continuing further investigations on the matter.
Signing off,
Antti
P.S. Those of you developing Windows software: isn't it funny that a single function with a single argument,
LoadLibrary("mylibrary.dll"), can be so difficult to get right?
The
documentation for LoadLibrary has about 1100 words, the
page describing it in more detail has 1000 words, and the
page that tells you how to really get it right has 900 more. That's around 3000 words, or ten times the length of this post. You just gotta love LoadLibrary!
On 25/08/10 At 05:45 PM
Have you seen messages like these being posted by your Facebook friends?
I thought this survey stuff was GARBAGE but i just went on a shopping spree at walmart thanks to FB = <link> , this wont last long so gooo!
I thought this survey stuff was BULL** but i swear I just used the Best Buy giftcard they sent me here <link> to buy a laptop!
I've removed the links from the above examples, but they point to Facebook applications.
In the examples I've seen, the messages have one thing beyond their wording in common - they're all posted "via Mobile Web", suggesting that the posts (which weren't made by your friends, just in case you were still in any doubt) may be using a common vulnerability.
What's interesting is that the application's name seems to change each time. That obviously makes it harder to tell users what to look out for, but potentially could also make it more tricky for Facebook's security team to shut down.
Facebook's security team may already be on to it - all of the links I have clicked on so far have been blocked (no, I'm not suggesting you try it at home folks). But if there is an unpatched vulnerability which scammers are exploiting it's possible we might see a renewed attack wearing a different disguise in the near future.
What's worrying is that our friends at All Facebook report that the worm can automatically post to your wall and message your friends - helping it to spread virally.
This has been confirmed by one of my colleagues at Sophos - who sent me the following message after one of his online friends was hit in the attack:
"There IS a vulnerability... You click on the link and it automatically adds the app into your apps profile. And it automatically reposts a status (with another random link). Spent an hour checking my friends... and my own apps settings."
Be on your guard against suspicious posts made by your Facebook friends, and if you want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.
Updated The European website of TechCrunch (eu.techcrunch.com), one of the world's most popular blogs, appears to have fallen victim to hackers, who have planted a malicious script on their site, designed to infect unsuspecting visitors.
TechCrunch Europe posted a message on its Twitter feed earlier today describing warnings about malware being distributed via the site as "annoying". Perhaps a rather unusual turn of phrase, which might suggest to observers that the warnings were erroneous rather than the result of a serious security problem.
A closer examination of TechCrunch Europe's site reveals that the offending code - which uses a malicious iFrame - is found in a JavaScript file, used by the site as part of its WordPress infrastructure. This attempts to serve up a malicious PDF file, exploiting a vulnerability that brings to your computer a nasty infection from the ZBot (also known as Zeus) malware family.
Sophos customers who have already switched on the "Live Protection" in version Sophos Endpoint Security and Data Protection 9.5, are already protected - benefiting from our very latest in-the-cloud technology to defend against the latest threats like this, efficiently and proactively. There's a lesson here: "If you are using Sophos version 9.5, turn on live protection!" It's worth it!
Users of some web browsers may also be protected - for instance, here's a screenshot of Firefox intercepting one of the infected pages on TechCrunch Europe.
The problem appears to have been present on TechCrunch Europe's website for some time, and yet there's been no obvious warning to visitors posted on its site nor - seemingly - no attempt to remove the malicious script or block users from visiting the infected pages.
One has to wonder whether malicious hackers are taking advantage of the Labor Day holiday in North America today which may mean that less of TechCrunch's support team (who might be able to fix this problem) are available today.
SophosLabs have analysed the malware being spread via the infection, which we detect as Troj/Zbot-YP.
Update Andy Brett, an engineer who works for TechCrunch in California contacted me at about 10pm UK time, to tell me that the malicious JavaScript code has been removed from the site, although it may take some time before browsers which rely on third-party blacklists stop warning about pages on the site.
Ideally TechCrunch will post a message on its site (on the TechCrunch Europe site, at least) informing users about the incident and advising that they check their PCs with an up-to-date anti-virus. I don't see any message to that effect yet on that site - but I'm hopeful.
Yes, some firms are embarrassed when their websites become infected - and it's not the kind of event that we would wish upon anyone. But let's not forget that TechCrunch is the victim of a criminal act, and although in an ideal world their site would not have been compromised in this way they are not - ultimately - the ones to blame for the wrongdoing.
What they can do, as a responsible member of the internet community, is advise anyone who might have visited the site while it was infected to double-check their computer systems. That's the kind of behaviour that we would expect of any website that suffered a security problem - and is, indeeed, the kind of behaviour that technology media websites like TechCrunch would expect from others too.
Hat-tip: Thanks to @theharmonyguy who first made me aware of this issue.
URL shortening shenanigans
Microsoft is investigating reports of a new bug in Internet Explorer.…
Any regular reader of this blog knows that malware can infect a system in several ways—email, browser exploits, instant-messaging applications, peer-to-peer (P2P) networks, and others. Even organizations that take great lengths to secure their Internet gateways have found themselves compromised via one of the oldest infection methods—physical media attacks with USB flash drives taking the place of floppy drives.
It is also safe to say that the majority of malware is designed for simple financial gain and that they have been massively successful in this regard. Recently, however, we have seen more and more attacks that look like they could be plots for the latest Hollywood blockbusters. This year, we have read reports about the STUXNET malware family, the first to exploit the Windows shortcut vulnerability and which could supposedly hijack power plants. We’ve also heard how a malware was able to breach the computer systems of the most powerful military force on earth. Malware has even been accused of crashing airplanes, albeit falsely.
The motivation behind these events has yet to be determined—the Spanair incident was almost certainly just a normal infection but the other two raised a lot of questions. Most users will certainly be left wondering how such “high-profile” and “secure” facilities could become victims of malware.
The Future of Threats
In our 2010 threat forecast, “The Future of Threats and Threat Technologies,” Trend Micro researchers mentioned that new attack vectors will arise for virtual/cloud environments. To add to this, critical infrastructures such as a SCADA network will become another serious potential target for cybercriminals. When we think about SCADA networks (e.g., electrical grids and factory software) or large virtual systems, it is easy to think that these will only be targeted by attackers with espionage in mind whether to take over a factory’s software for hacktivism or to infiltrate a rival’s cloud infrastructure.
Unfortunately, a far simpler and more lucrative reason for attacking these targets is to simply blackmail the target organizations and businesses. Online poker companies discovered this in the early part of this century, as they were threatened with having their sites shut down by launching distributed denial-of-service (DDoS) attacks unless a ransom was paid. As bandwidth has increased and the use of content delivery services such as Akamai has become more widespread, these types of network-saturating DDoS attacks have become more difficult, although far from impossible, to carry out. Unfortunately, rather than deterring attackers, cybercriminals simply used different approaches. They first infiltrated an organization’s critical resources then held these hostage.
All of these varied attacks tell us that attackers are becoming increasing innovative in their attacks and that every organization is a potential target. The risks malware pose are now growing from “simple” financial theft to more sophisticated, targeted attacks.
Post from: TrendLabs | Malware Blog - by Trend Micro
Cybercriminals Hone in on Critical Systems
Plummy-voiced property crumpet Kirstie Allsopp has fallen foul of hackers on Twitter, who posted messages pointing to free iPad scams this weekend from her account.
The British TV presenter, best known for her Channel 4 property programmes "Location, Location, Location" and "Kirstie's Homemade Home", only found out that her account had been hacked when some of her 47,000 Twitter followers alerted her to the out-of-character tweets.
The links took unsuspecting fans to webpages which encouraged them to apply for free iPads by handing over personal information and signing up for scams that charged £4.50 per week.
Kitten-heeled Kirstie had deleted all of the offending tweets from Twitter by the time I went looking for them this morning, but I managed to track down two examples that had been cached elsewhere:
free ipads!!! [link removed]
omg free ipad, witha train skin =D [link removed]
You'll notice that the spam messages say that they were sent "via web", suggesting that it wasn't a third-party application or linked website that was used to send the messages. The most likely conclusion is that Kirstie Allsopp's Twitter password was stolen via phishing or spyware infection on her computer, or that she was using the same password on multiple websites - which is never a good idea.
Kirstie says that she has now changed her Twitter password (hopefully she wasn't using the old one on anywhere else on the net), and deleted the iPad-related messages. To my mind she would also be sensible to scan her computer with an up-to-date anti-virus product too.
In one message she described her new Twitter profile picture thus:
that's me, in bed on laptop, p***** off with hackers!
Other celebrities who have had their Twitter accounts hacked include Axl Rose, politican Ed Miliband and Britney Spears.
Remember, you should always choose a non-dictionary word that's hard to guess as your Twitter password, and never use the same password on multiple websites.
Also, be on your guard against phishing sites and ensure that your computer is running up-to-date anti-virus software to protect against keylogging spyware which may attempt to steal your information.
Finally, consider carefully which third-party applications and websites you allow to connect with your Twitter account.
With it being a long holiday weekend in North America there are probably plenty of people who will be spending some extra time on Facebook, and you can bet your bottom dollar that the scammers will be up there taking advantage of the unwary.
Take this scam which I spotted today, for instance.
It start like this. You notice one of your Facebook friends has shared a link to a Facebook page called:
10 Things Adults NEVER Tell Their Kids !!
It may sound exactly the kind of fun link that your friends have shared with you in the past - and you may be tempted to click and find out some more. After all, you'll probably get a few minutes' entertainment of out of it, right?
Bzzt. Wrong.
Clicking on the link takes you to a Facebook page all right, but it asks you to jump through various hoops ("liking" the page, and sharing the link with your Facebook friends) before it will be prepared to reveal the things that adults never tell their kids.
And if you do like and share the link, you're playing into the hands of the scammers and doing their dirty work for them. After all, you're helping the link spread virally to others on the social network.
If you're prepared to do that you'll be taken to a Blogspot blog about the lies parents tell, but an online survey will pop up in front of the content demanding that you complete it before allowing you to read on.
And, as regular readers of the Clu-blog should know by now, the scammers earn commision for every survey completed. A nice little earner for them, and you've just increased their chances of making more cash by forwarding their link to others.
Don't make life easy for the scammers, and refuse to promote these survey scams. Always question what you are "liking" and "sharing" with your online friends.
If you're on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.
Malware hides behind a business. Without a doubt, I believe that no one denies this claim. Day by day is an important flow of malicious code that, while general purpose have a story in its activities, seeking final feedback on the business behind through fraudulent mechanisms and strategies.
One of the most popular business models is to pay a percentage of money given to those who successfully
Updated Facebook's security team has posted a message on the walls of users who were hit by cybercriminals promoting a free iPhone scam earlier this week.
Although the notice from Facebook reassures customers that their account security was not compromised, the wording of Facebook's note does raise a few question marks about how the scammers managed to post photos onto users' walls without their permission.
Thousands of Facebook users are believed to have been struck in an attack which attempted to lure victims into visiting webpages with the promise of free iPads and iPhones if they completed a survey.
Even one of Mark Zuckerberg's friends had hackers post images to her profile promoting the revenue-generating links, causing the Facebook CEO to ask her if her account had been hacked.
At the time it was assumed that the affected Facebook accounts had been broken into, perhaps as the result of a phishing campaign, but the statement from Facebook's security team appears to rule this out:
A Note from the Facebook Security Team
For a few hours on Sunday, there was a spamming incident on Facebook. During this time, photos (mostly of supposedly "free" iPhones) were posted to some people's Walls, including yours. We've removed the photo from your Wall and fixed the issue that allowed spammers to do this. We're sorry about the photo, but can assure you that did this did not affect the security of your account in any way.
So, if the attack "did not affect the security" of the Facebook accounts, just how were unauthorised photos and links uploaded to users' walls? Facebook appears to be saying this wasn't the result of hackers stealing passwords, so it can't be that the scammers logged in as these users.
Facebook also says that they've now "fixed the issue that allowed spammers to do this". What was that issue? Was there a vulnerability in Facebook which allowed strangers to post content to other Facebook users' walls?
If so, that would be a serious security issue - and I hope it's now been properly plugged.
If you're on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.
Update More information has now come to light regarding the bug in Facebook which allowed these hacks to occur. And it turns out that I was right - there was a serious vulnerability that the spammers exploited.
IDG journalist Robert McMillan reports that correct checks were not made as to whether photos could be posted to a user's profile, giving a hole through the spammers could squirm through their messages.
McMillan managed to get a Facebook spokesperson to shed more light on how the spam was being spread:
"Earlier this week, we discovered a bug in the code that processes photos as they're uploaded. This bug caused us not to make the correct checks when determining whether a photo should be posted to a person's profile," Facebook said Friday in an e-mailed statement. "We quickly worked to resolve the issue and fixed it shortly after discovering it. For a short period of time before it was fixed, a single spammer was able to post photos to people's profiles that they hadn't approved."
Spammers are becoming more and more attracted to abusing social networking sites like Facebook to spread their messages - we all need to hope that sites will be quick to close security loopholes like this one when they appear.
Last week it was reported that the Pushdo botnet, used to send spam using the Cutwail spamming module, was taken down, thanks to the efforts of several security researchers. Thirty command-and-control (C&C) servers of the Pushdo/Cutwail botnet were identified, almost 20 of which were taken down after their Internet hosting providers were notified.
So far, the takedown appears to have been effective. Our monitoring indicates that the volume of spam sent using the Cutwail bots has significantly decreased. Our monitoring of the C&C servers Pushdo used indicates that the botnet has fallen silent since the takedown.
It’s too early to see if this particular takedown will have real long-term effects. There have been many takedowns before such as that of McColo in late 2008. However, in many of these cases, the affected botnets were able to recover and resume their operation within weeks.
Taking down botnets is a good thing but is not enough to stop the spam pandemic. The issue here is that while this botnet may have been crippled, the Spammers behind it are still at large – and can continue to create botnets in the future. Spammers like this must be arrested and should spend time in jail if we are to have any real chance of winning this war on Cybercrime. Trend Micro will continue to work closely with law enforcement to ensure that criminals like these are put behind bars
Last year, our researchers looked into the activities of the Pushdo/Cutwail botnet and released their findings in the paper “A Study of the Pushdo/Cutwail Botnet.”
The issue here is that while this botnet may have been crippled, the Spammers behind it are still at large – and can continue to create botnets in the future. Spammers like this must be arrested and should spend time in jail if we are to have any real chance of winning this war on Cybercrime.
Post from: TrendLabs | Malware Blog - by Trend Micro
Pushdo Takedown Damages Botnet
In this guest blog product manager John Stringer explores how Sophos's Data Loss Protection (DLP) technology can help companies tackling Information Rights Management. Over to you John..
In "Up in the Air" George Clooney's character loved to travel - for the reward points and the free miles kickback. Now, in business, it's not just the axe man that likes to travel; documents fly all over the place too. But for a business the kickback can be less welcome.
Protecting sensitive information beyond the network perimeter is critical and Information Rights
Management (IRM) is a mature technology that provides an answer.
So where does DLP come into the mix? Well, DLP can be used to identify IRM-protected documents, audit their transfer and - where appropriate - apply IRM classification based on document content. This complements traditional methods for applying IRM such as manual classification by employees.
At Sophos we're really excited about working with a number of IRM vendors, such as Oracle, to achieve exactly this.
Today the Sophos DLP "engine" can identify files protected by both Oracle and Microsoft IRM. As the video below demonstrates, this is actually pretty useful if you use or plan to use IRM.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
A policy can easily be put in place to simply monitor the transfer of IRM protected file (audit when and how they are leaving your organisation) or even to limit document transfer onto removable storage i.e. only allow files protected by IRM.
IRM provides the document protection and Sophos DLP an enforcement control. Expect to see more on this in the future.
Learn more about Sophos's integrated DLP solution and Oracle's IRM.
I recently came across a round of spammed instant messages that arrived via my Yahoo! Messenger account. These messages were supposedly sent from my cousin’s account, and used the following format and were sent to everyone on her friends list:
The familiar message format told me that I was chatting with a bot that wanted me to click the link in the message. Checking where the link went to led me to the following page:
The IQ test had 11 questions that eventually led to a “results” page that asked me to sign up and enter my mobile phone number to get the quiz results:
One may ask why the site would need a mobile phone number just to send IQ test results. Will they use this information to spam me through my mobile phone? Nor is it clear if the answers to the questions actually matter to the IQ “score” given to the user, if they actually receive one.
That may well be the case but the cybercriminals have a more direct approach to earn money. The Summary of Terms at the bottom of the page says that by giving the quiz’s creators one’s mobile phone number means signing up for “mobile content subscription.” Of course, this is not free, as the subscription fee ranges from US$9.99–$19.99 a month. This is stated in the site’s terms and conditions, which are located at the bottom of the page:
This gave me enough reason to close the browser tab and leave the website. The URL of the said “IQ test” is now blocked by the Trend Micro Smart Protection Network™.
Post from: TrendLabs | Malware Blog - by Trend Micro
“IQ Test” Spam Proliferating via Instant Messages
It's possible that some of you are finding the seemingly endless wave of spammed-out scams on Facebook rather predictable. Clearly they must be working for the bad guys, though. Otherwise, why would they be putting effort into creating new variants of the scams to outsmart Facebook users into passing them on?
Here's one of the latest - which claims to be something that many Facebook users would want - an "I Don't Care Button".
Finally!..The I Dont Care Button Is Here! Get It Now For Free...
The I Don't Care Button Is Here
Get It Now And Show That You Don't Care!
96% Wanted This and Now Its Here!.
If you were eager to show your general meh-ness about someone's post on Facebook you might be keen for an "I Don't Care" button, but clicking on the link takes you to a familiar-looking webpage which encourages you to "like" it and share the link with your friends, before you will be given anything else.
A clear reason to be suspicious.
And if you're a regular reader of this blog there should have been warning bells ringing in your head - after all, it was just last month that we warned about the "Dislike button" scam we saw spreading virally across Facebook.
DownloadSquad wrote back in April about a genuine "I Don't Care" button available in the form of an extension for the Google Chrome browser, but there's no official "Dislike" or "I Don't Care" option within Facebook.
Don't make life easy for the scammers, and refuse to help them take advantage of your Facebook account. Always question what you are "liking" and "sharing" with your online friends.
If you're on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.
Timing is everything, especially if you’re trying to spread malware. Last week, the developers of the popular Twitter application TweetDeck notified users that due to changes in the authentication protocols Twitter supports, users of older versions will have to upgrade.
Naturally, cybercriminals latched onto this bit of news and sent out their own Tweets saying the same thing. However, their malicious Tweets contained a URL-shortened link to what was supposedly a TweetDeck installer named tweetdeck-08302010-update.exe.
This particular file is not a legitimate installer but a TDSS variant detected by Trend Micro as TROJ_TDSS.FAT. The TDSS malware family functions as rootkits that can take complete control of affected systems. In addition, their complexity and sophistication makes them difficult to remove.
TweetDeck has officially warned users not to fall prey to this attack. In addition to detecting the malicious “installer,” the website hosting the malicious file has been blocked as well.
Trend Micro advanced threats researcher Paul Ferguson was earlier interviewed about this threat by PC World. His comments may be found here.
Post from: TrendLabs | Malware Blog - by Trend Micro
TDSS Pretending to Be TweetDeck Update
An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, Web application vulnerabilities, and proof-of-concept (POC) exploits for patched vulnerabilities throughout the month of September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed during the month.
According to Trend Micro researcher Rajiv Motwani, the vulnerabilities that will be announced refer to a collection of old and new ones primarily targeting Microsoft. The new vulnerabilities can be considered zero-day flaws and will leave users vulnerable until a vendor patch is offered and applied. However, this process may take some time. Until then, users should use any suggested workarounds.
It is also believed that detailed information for recently released advisories will be published. It is possible that the information released includes POC code, making exploits more likely. Exploit packs on malicious and compromised websites will probably include these new exploits as well.
Any new information released during this period will likely be quickly exploited, putting more users at risk. High-profile applications like Internet Explorer (one of the programs that the researchers have indicated they will release a vulnerability for) can have exploit code released within hours of the POC code’s announcement. Portions of the many exploits already in the wild can be reused in any new exploit attack, further hastening the process.
Enterprise users should note that server applications will be part of the list of vulnerable applications exposed in September. These applications may take longer to patch. In addition, the potential for damage if one server is affected is greater than if one user system is affected.
Vendors will certainly rush out patches to fix any announced vulnerability but hopefully the accelerated development will not cause complications. There have been cases in the past when vendors released patches that did not fix the vulnerabilities completely, resulting in reissued patches.
For users, protecting themselves will prove difficult. No centralized update notification mechanism exists for third-party software, which means that ordinary users may not be aware that certain applications need to be updated. Many applications now integrate some form of auto-update feature but this will still impose unnecessary burden on users who just want their systems to work.
Users should be on guard for any popular application that has vulnerabilities, as exploits for these are likely to spread even faster than usual. Applying patches and/or workarounds for identified vulnerable software is highly recommended.
While patching systems remains essential, Trend Micro also offers several free tools that can help prevent computer compromise, you may download them here.
Post from: TrendLabs | Malware Blog - by Trend Micro
New Zero-Day Vulnerabilities Imminent
Generally cheating strategies designed for the dissemination of false antivirus (AV Rogue) consist of online simulation of a scan for malware, showing an interface that mimics Windows Explorer and which always face the same threats, including when using operating systems other than Windows.
Conventional strategy of deception
This is one of the many templates. It shows a supposed scan to verify
I am sure If historians ever write about botnet take downs, they wont forget to mention the pushdo botnet. It's the third time in last two years or so that there has been an attempt to take down this botnet. The first attempt was back in Nov 2008 when the McColo ISP shutdown crippled Pushdo along with other spam botnets like Srizbi and Rustock. The second attempt was earlier this year when FireEye got a...
Despite the consistent media exposure that FAKEAV malware has been receiving, it continues to be business as usual for FAKEAV proponents. To find out why the notorious malware family persists, Trend Micro researchers looked into three important aspects—social engineering techniques, the FAKEAV technology, and the FAKEAV business itself.
Social Engineering
Social engineering is a technique used in furthering malicious activities both online and offline. Online, however, FAKEAV is a good example of a social engineering “success story.” By leveraging human weakness, FAKEAV effectively utilizes social engineering techniques such as blackhat search engine optimization (SEO) to trick users.
The Technology Behind FAKEAV
Behind the professional-looking GUIs, annoying pop-ups, and other scareware tactics FAKEAV uses lies a simple technology. It can thus be said that the FAKEAV technology is more tricky than complex. Despite the relative simplicity of the FAKEAV technology, however, it continues to plays a critical role in the success of FAKEAV’s social engineering tactics.
The FAKEAV Business
Of course, a malicious campaign is meaningless if it does not benefit its proponents. When it comes to the FAKEAV business, the stakes are high. Apart from taking away about US$40–100 from a user’s account as payment for rogue software, the more pressing concern with regard to FAKEAV is information theft.
Learn more about the persistent FAKEAV malware and its three fundamental aspects in the Security Spotlight article, “Why FAKEAV Persist.”
Post from: TrendLabs | Malware Blog - by Trend Micro
The Persistence of FAKEAV
There are two general ways a complex problem can be solved, using a good approach or a bad one. The only good thing about the bad approach is that it will usually be simpler to understand and implement, but in the long run one will find that shortcuts don't always work. The good thing with most humans is that they learn from their mistakes and move forward. This is what we are seeing happen at...
Over the weekend, Microsoft issued a new security advisory which covered a vulnerability in how Windows handles DLL files. The attack scenario would go this way: a vulnerable application would be used to open a file.
The opened file can be a perfectly legitimate file; however the malicious file must be located in the same directory and given the same file name as a legitimate DLL file. When the vulnerable application loads, instead of calling the legitimate DLL file the malicious file is loaded instead.
This is because of errors in how Windows selects which DLL files to load, giving preference to libraries located in the same directory as the opened file instead of those in the correct system directories. Any code in the malicious file would be executed, causing a full-fledged problem for users.
These kinds of attacks–known as binary planting or DLL preloading–have been known for years. However, they were not much of a threat because the malicious file had to already be on the user’s system. Recently, however, independent researchers have found a way to exploit this attack remotely, via network shares. This resulted in Microsoft issuing the said advisory.
Popular applications like Firefox and Powerpoint are among those initially reported as affected by the vulnerability. However, more exploits for many other applications have been found, and reports on attacks actively exploiting the bug have been posted.
The existence of malware attacks actively leveraging on the said vulnerability may drive Microsoft to take more drastic action. Until a clear solution is given, users are strongly advised to be careful about files opened from network shares.
Enterprise users with certain Trend Micro products such as Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in may download the latest rules to help protect themselves against this threat; these rules prevent DLLs from being loaded from remote shares.
Post from: TrendLabs | Malware Blog - by Trend Micro
New DLL Vulnerability Exploited in the Wild
The common DownloadURLToFileA(some EXE file) and WinExec(it) shellcode in use today hasn't changed much in eight years. (Probably because everyone just copies the code out of Metasploit for their exploits.) This is a byte by byte analysis of that shellcode.
A spammed message supposedly from Newegg, a popular online computer hardware/software seller has been found in the wild. It informs users that their online purchase has been charged to their Visa card. It also contains two clickable links that point to the same malicious page, an example of which is http://{BLOCKED}nthenet.net/1.html. Clicking the link leads to a series of redirections that ultimately land users on a FAKEAV-hosting site where TROJ_FAKEAV.FNZ may be downloaded.
In addition to the FAKEAV download, the binary on the landing page constantly changes so users may also end up with TROJ_HILOTI.FNZ and ADWARE_ZANGO infections, too.
Upon further investigation, we discovered that the email is not the only malware vector the cybercriminals behind the attack are employing. They also leveraged compromised Blogspot pages to host the same spam. We believe that the cybercriminals are using Blogspot’s email feature. The secret email addresses set up by the blog owners may have somehow been harvested to send out spam, in effect auto-posting these in Blogspot pages. The followers of compromised Blogspot pages can thus be potentially infected, too, since the malicious spam is hosted on a known source.
Threats analyst Edgardo Diaz adds that one of the download binary connections lead to {BLOCKED}.{BLOCKED}.117.21, which has its own status page. Further analysis of the IP address and the compromised Blogspot pages revealed that some of the compromised pages’ URLs point to domains hosted on the same IP address.
Users are advised to be wary of clicking any link even if it is posted on a trusted source. Furthermore, changing one’s secret Mail2Blogger email address once found to have been used in a spam run will definitely help, as the attacker can easily reuse this address to instigate another spam run.
Trend Micro product users need not worry, however, as they are already protected from this attack via the Smart Protection Network™ , which prevents the spammed messages from even reaching users’ inboxes, blocks access to all malicious URLs, and detects all related malware.
Additional analysis and screenshots provided by threats analysts Patrick Estavillo and Edgardo Diaz.
Update as of August 25, 2010, 10:30 p.m. (UTC)
After further investigation, we’ve found that other kinds of spam were also found posted in affected Blogspot pages. Spam related to UPS, Amazon, LinkedIn, and run-of-the-mill Resume and eCard spam messages were found posted in the said blogs. Affected Blogspot users are advised to change their Mail2Blogger email address as soon as possible.
Post from: TrendLabs | Malware Blog - by Trend Micro
Blogspot Mail2Blogger Secret Email Address Used in Spam Attack
Second part of the article from the Crime Scene Investigation:Internet
series has now been published by
c't magazine.
This time the Action Script's p-code deobfuscation technique is illustrated.
You can read this article
in German or
in English.
Criminal alternatives grow very fast in an ecosystem where day to day business opportunities are conceived through fraudulent processes. In this sense, the demand for resources for the cyber criminal isn't expected and is constantly growing.
Generally I find new crimeware looking to get a place and a good acceptance in the virtual streets of the world underground, trying to reflect a balance on
Have you ever heard the saying "You never get a second chance to make a first impression"? The same applies to malware analysis, and information security in general.
This morning I was doing some research into some malicious spam emails that were coming in. They were your normal click-on-a-link-and-be-redirected-to-50-sites emails and I had tracked it down to the last site. After decoding the JS it gave out, I could see the attacks it was going to perform and the URLs it was going to go to. So close to the malicious executable...so close.
So I typed the followed at my prompt:
curl -D header.txt "http://badsite.com/welcome.php?id=12&pid=10&1=12"See any problems?
Curl writes anything it downloads to standard output by default. In other words, since I didn't redirect the output to a file or use the -O option, the file from the malicious site was written to my screen. Normally, this wouldn't have been such a bad thing except it was gzip compressed, so my screen was filled with binary characters.
No problem, right? All I have to do is download it again, this time redirecting. Here's what happened:
curl -D header.txt "http://badsite.com/welcome.php?id=12&pid=10&1=12" > 1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 00 bytes downloaded? What happened?
Many web-based malicious toolkits used by attackers have an option to only allow the attack file to be downloaded once per IP address. This prevents multiple re-infections on clients and analysts (like me) from exploring their site. When I initially requested the file and didn't redirect the output, I used my one shot. The second time I went to download it, the site saw me and didn't let me access it again. Of course, there are ways around this, but thats for another post.
So, what did I take away from this?
1. Everyone makes mistakes. Hell, I make alot of them. If anyone tells you they don't, they're lying. Learn and move on.
2. I need better web download tools. Well, the tools (eg. curl) work fine. I'm flawed. I've already started to create a script that does all that needs done for me. No more mess ups.
I hope others can read this and learn from my mistake. I'd love to hear how others download malicious websites.
Affiliate programs are a growing business model more profitable for criminals and create a complete circuit of spreading / malware infection among many other alternatives, encouraging its customers with a percentage of money they get in terms of success their own business.
One of the systems with greater uptake in this business model is provided by the facility payment, Pay-per-Install, where
Once again I will be teaching my
Introduction to Malware Analysis course this year at the
NE Ohio Information Security Summit that takes place on October 11-15, 2010 in Cleveland, Ohio. My course is in the
pre-conference training and will take place on Oct 12-13.
The 2 day introduction to malware analysis class is geared to those who want to learn malware analysis or are just starting out. We'll cover all of the basics for malware analysis including setting up your analysis lab, static analysis and dynamic analysis. In the end, you'll walk out of the class with the knowledge of how to take a malware sample and determine what it does, who it contacts and what risk it poses.
The class is structured around labs where you'll use the techniques taught to analyse live malware. Since we will be analyzing actual malware, students will need to bring their own laptops (requirements will be posted closer to the class).
The end of the class will also feature an analysis contest where students will compete to win some cool prizes. Last year I gave away a copies of
Hacker and
Pandemic...so we'll see what happens this year!
Even if you don't take my course, I highly recommend
attending the conference. Its an amazing conference for the price ($300 until 9/15). There are lots of great speakers (many of which speak at Black Hat, Defcon, Shmoocon, etc.).
Look forward to seeing you there!
One of the most profitable businesses in the area computer crime, what are the affiliate programs. These are systems which adhere offenders an economic return for a commission, as in this case, for each successful installation of malware that takes place through the system distributed.
VIVA INSTALLS, belonging to the same criminal group that is facing HAPPY INSTALLS, is one of them. This system
Phoenix Exploit's Pack (PEK) is another crimeware programs more widely accepted within the online criminal ecosystem, whose use in the past week massifies spreading a large amount of malware.Executable binaries that are part of the campaign so far is active, spread under the default name of the executable that incorporates the package, called exe.exe. Some of the executables that are part of this
It took some time, some patience and some extra samples analysed to see how the
original blog post on a Flash exploit has eventually evolved into an article for a German computer magazine
c't (magazin für computertechnik).
Original article in German is available at
this link. Its translation into English is available
here.
Thanks to Frank Boldewin and Jürgen Schmidt for making it happen.
The malware landscape has always been very dynamic. New threat types and malware always replace the old ones. The prevalence of a particular malware family at any given time is dependent upon multiple factors like the business model, the efficiency of the person(s) driving this malware, and sometimes, actions by the anti malware industry. For example, due to efforts of the research community, Storm 1.0 and Srizbi, which were once the world's largest botnets, are...
After several months without news of Koobface, at least on typical propagation using as cover to attack the classic fake YouTube screen, is back with another season of propagation.
This time, its spread continues through visual social engineering, but not in the template of course YouTube video but uses a page with pornographic content.
As shown in the catch, when you attempt to access any of
Acrobat will parse some very badly formed PDF files. It's possible to remove almost everything from a PDF file, and still launch Javascript. A minimum of 58 bytes are all that is required to execute Javascript within Acrobat.
In March earlier this year, Spanish police arrested three men linked to the Mariposa botnet. After this move it was widely believed that the massive botnet had shutdown. From what I have seen over the last week, that is not the case. Some Mariposa CnCs are still active and spreading. The screen shot below is a snapshot of a Mariposa sample (ad7a5b6755089ba83001f224a7067ec1) communicating to its CnC. On this occasion it received a command to spread...
Neosploit encodes into the URL, various bits of version information about a victim's browser and OS. It's using Java exploits, and is spread via malicious advertisements.
In the first two parts of this blog series, I detailed an issue I found where not all of the user environment variables were set for a program run with winexe. This was causing an issue during analysis of some malware since the samples were looking for those variables. As a work-around, a batch script was uploaded to the Windows sandbox and scheduled to run. When the scheduled job ran, all of the environment variables were set and the malware ran as it normally would.
The whole situation got me thinking - are public sandboxes setting all of the environment variables? As was seen, some malware rely on these variables and if they aren't set the malware won't run. If someone were to use a public sandnet to test malware that relies on these variables and the malware didn't run, they could be under the false impression that the program is benign.
Before I go on I should state that this post is not a knock against public sandboxes. They provide a great service to the security community. I did not do this to find any weaknesses in them to exploit or publish maliciously. My goal here was to determine which sandboxes, if any, miss some variables that may be required for malware to run.
To test this, I wrote a program that would obtain the environment variables and write each one to its own registry key/value pair. Since the public sandboxes report any registry modifications made by the program, I would be able to see all of the environment variables available to the program. This program was then uploaded to a number of different public sandboxes and the results analyzed. The sandboxes I used were
Anubis,
Comodo,
CWSandbox,
Joebox,
ThreatExpert,
BitBlaze and the
Norman Sandbox.
In my testing, none of the sandboxes set all 30 of the environment variables I originally saw in my test. BitBlaze set 29; Anubis, Comodo, CWSandbox and Joebox set 28; and the Norman Sandbox only set 16. For some reason, ThreatExpert did not report anything back from my program - this could be a problem with my program or some type of security measure on their part.
* Note: I will not say which variables were and were not set. That information could be used by malware to determine it was running in one of these sandnets and that is not my purpose.Due to the way the malware is executed in my system, I think that having only 28 or 29 environment variables is a perfectly normal variation. Therefore, my conclusion to all of this is that with the exception of Norman Sandbox, the sandnets appear to be setting the variables they should and represent a likely variation in the systems malware would run on.
As for Norman Sandbox, they are setting a small number of environment variables. This is perhaps a likely scenario for some systems. However, the variation of such a small amount being set would concern me as I don't know if all malware would work as it normally would. Only further testing can tell.
In my last post I discussed the problem I found with
winexe and how it did not set all the Windows environment variables needed to simulate a complete user experience. This problem was preventing some malware from running in my malware analysis sandnet - a problem I needed to overcome.
The way I looked at it, I had 3 options:
- Modify the source code for winexe to get it to work as I wanted. However, this was more than I wanted to do at this time. Maybe later.
- Use a program like webjob to provide another means to remotely execute the program. However, this would require me to modify the Windows analysis host which, for reasons I won't go into, is a huge PITA. Any solution that required me to modify the host was out for now.
- Figure out a way to remotely execute the malware on the Windows system using already present tools and still get the user environment I wanted.
I decided to start with the third option. I knew I couldn't use winexe to directly execute the malware as I wouldn't get the correct environment variables set. But, what if I used winexe to execute another program to launch the malware?
Using winexe to run 'cmd /c malware.exe' was out as this was the method I was using before. I then tried creating a batch script to run the malware and executing it with winexe. No luck there either; the environment variables weren't created. Finally, I had an idea...what if I scheduled a job to run the malware? If I scheduled it as the user it should inherit all of the correct variables and run correctly.
To test it out I created a batch script (named test.bat) in the Windows system that would run
set and redirect the output into a file. I then ran the following command (from the Linux box):
winexe -U administrator%mypass //192.168.1.5 'schtasks /create /tn testjob /tr c:\temp\test.bat /sc minute /mo 1 /ru administrator /rp mypass'
Success!!! When the script ran and dumped the environment variables into a file, all 30 were there! The next step was to create a script to run the malware in the system.
The automation script was modified to upload the malware to the Windows box along with a batch script that performs the following commands:
schtasks /delete /tn jobname /f
start c:\path\to\malware.exe
The automation script then schedules a job to run the uploaded script. When the scheduled job kicks off, the batch file runs. The batch file deletes the scheduled job and run the malware.
Why delete the scheduled job? When scheduling the job, it is scheduled to run every minute. By deleting the scheduled job there's no worry the malware will run more than once. Why schedule it to run every minute? Call it paranoia. :)
After making the modifications to my automation script and testing it, I ran it with the Koobface sample that started all my problems and...success! The results showed the sample ran correctly, dropped the right files and set the right registry keys. Tests with additional malware have shown that its working correctly as well.
This test got me thinking...how do publicly available sandnets work? Are they setting the environment settings correctly? I'll discuss this in the part 3 of this post.
Part of malware analysis, especially automated malware analysis, is to simulate the user environment as closely as possible. After all, our goal is to determine how malware behaves when it is run by a user. For the last few months I've worked on an automated malware analysis system which I thought did just that.
Let me explain my automated analysis system. It is similar to the one I described in
my Hakin9 articles last year. Basically I have a host system running Linux that executes an automation script. The automation script starts up a VM, launches some monitoring tools, uploads and executes the malware, records the results and performs cleanup. In all, it takes about 5-7 minutes per malware, depending on the settings I am running. So far it performed extremely well and cut my analysis time down dramatically.
Imagine my frustration this week when I ran a new Koobface sample in it only to find the malware didn't do anything. It would launch, perform some start-up operations, then exit. No registry modifications, no process injection, no network traffic. However, when I would manually launch it or run it through
ThreatExpert, it would run fine.
In looking closer, I found out that the malware was trying to place a copy of itself in the %APPDATA% directory. Since %APPDATA% is an environment variable for the user, it should have been set - or so I thought.
I took a step back and started to examine the method I was using to execute the malware. My "host" system which executes the automation scripts runs Linux. In order to execute the malware in the Windows system,
smbclient is used to upload the malware and
winexe is used to execute it. After some thought, I came up with a theory that winexe was not setting all of the environment variables when it executed malware. I was right.
It turns out that in a default Windows XP SP3 system, 30 environment variables are set. With the way I was running winexe (--system --interactive=1), only 22 of the variables were set - %APPDATA%, %CLIENTNAME%, %HOMEDRIVE%, %HOMEPATH%, %LOGONSERVER%, %SESSIONNAME%, %USERDOMAIN% and %USERNAME% are missing.
To make sure it wasn't because of the way I was running winexe, I ran a number of tests. Each test consisted of running winexe with different settings. The command that was run was "cmd.exe /c set > outfile". To be fair, I also tested
PsExec (from another Windows system). These are the results I found:
| winexe |
|---|
| no settings | interactive | interactive + system |
|---|
| %APPDATA% | | | |
| %CLIENTNAME% | | | |
| %HOMEDRIVE% | | | |
| %HOMEPATH% | | | |
| %LOGONSERVER% | | | |
| %SESSIONNAME% | | | |
| %USERDOMAIN% | | | |
| %USERNAME% | | | |
| psexec |
|---|
| no settings | interactive | interactive + system |
|---|
| %APPDATA% | X | X | |
| %CLIENTNAME% | X | X | |
| %HOMEDRIVE% | X | X | |
| %HOMEPATH% | X | X | |
| %LOGONSERVER% | X | X | |
| %SESSIONNAME% | X | X | |
| %USERDOMAIN% | X | X | |
| %USERNAME% | X | X | |
It turns out that no matter what options you use, winexe does not set the environment variables above. Note that I also ran winexe with the --runas option and got the same results. PsExec sets all of the environment variables, except when you specify it to run as SYSTEM. This makes sense as most of those variables are used to specify user settings and SYSTEM would not have those.
Obviously, winexe wasn't going to cut it any more because it wasn't setting a complete user environment which, in turn, was preventing malware from running. So, what to do? Winexe was my only way to remotely execute a program on a Windows system from a Linux system (without modifying the Windows system and installing other programs). To find out what I did, you'll have to stay tuned for part 2! :)
As a side note, if anyone knows of another program similar to winexe, please let me know. Also, if anyone knows of a way to get winexe to run correctly, I'd love to hear it.
ZeuS 2.0 kit release introduces a few tricks designed to complicate the analysis of its configuration files.
Apart from randomized side-effects that the new
trojan leaves on a system, including its ability to morph in order to avoid hash-based detections (well, hash-based detections never worked against ZeuS anyway, given the sheer volume and frequency of the generated samples and the variety of used packers), it seems that this time a great care was taken in protecting its configuration files.
The
trojan now uses more layers in order to decrypt its configuration files.
Shrek:
Onions have layers. Ogres have layers... You get it? We both have layers.Donkey:
Oh, you both have layers..
The new decryption steps are illustrated below:
It starts from initializing a 256-byte key table. At first, its bytes are set to value N, where N is a position of the byte in the key table (from 0 to 255).
Next, the code utilizes a large permutation table - a dynamically constructed table with a variable size around 40,177 bytes, in order to generate a new key table.
The newly generated key table is then used to decipher (RC4) another dynamically constructed table, called in the scheme above a "small table".
Once deciphered, the small table will contain both the configuration file URL and a new key table to decipher (RC4) the configuration file that the trojan requests from the remote server.
The new key table is stored inside the small table at a variable offset.
Due to polymorphic nature of the trojan, the locations of the large permutation table, encrypted small table and the offset of the key inside the decrypted small table are random.
Nevertheless, these random values are recoverable from the heap memory of any process infected with ZeuS.
In order to decrypt configuration files of ZeuS 2.0 on a host infected with ZeuS (e.g. under a virtual machine), a special tool can be built.
The tool would firstly need to identify ZeuS heap pages with the signatures and then check for the presence of the following code within the same ZeuS page:
// 55 push ebp
// 8B EC mov ebp, esp
// 51 push ecx
// A1 ?? ?? ?? ?? mov eax, ds:image_base
// 8B 0D ?? ?? ?? ?? mov ecx, ds:dwSmallTableOffsetVA
// 56 push esi
// 8D 34 01 lea esi, [ecx+eax]
// A1 ?? ?? ?? ?? mov eax, ds:XX
// 8B 0D ?? ?? ?? ?? mov ecx, ds:dwLargeTablePtrVA
// 89 4D FC mov [ebp+large_table_ptr], ecx
// 83 F8 02 cmp eax, 2
// 76 41 jbe short XX
// 57 push edi
The 1st wildcard (??) in the listing is the virtual address of the allocated page within the host process.
The 2nd wildcard is the virtual address of the small table offset within the same injected page; for example, the small table offset could be 0x33000. The first word of that table is the size of the large permutation table, with the actual small table following that word. The size of the small table is constant – it is 700 bytes in size.
The 4th wildcard in the listing is the virtual address of the large permutation table within the infected process. It is normally allocated as a separate heap page within the same host process.
Another offset still needs to be recovered from the identified malicious heap page – it is the offset of the key within the decrypted small table that is used to decipher (RC4) the configuration file itself. The value of this offset varies from 0 to 255.
To locate that offset, the infected memory page can be scanned for the presence of the following code:
// 8B 03 mov eax, [ebx]
// 56 push esi
// 57 push edi
// C6 45 FF 00 mov [ebp+flag], 0
// 85 C0 test eax, eax
// 74 6E jz short quit
// 8B 7B 04 mov edi, [ebx+4]
// 81 C1 ?? 00 00 00 add ecx, bKeyOffset
// 51 push ecx
// E8 ?? ?? ?? ?? call dec_rc4_xor
// 89 43 04 mov [ebx+4], eax
// 85 C0 test eax, eax
The key offset is the first wildcard in the listing above.
Once the tables and the key offset are fully recovered from the memory of an infected process, the tool can now decrypt the configuration file by using decryption algorithms derived from ZeuS via reverse engineering.
To assist those researchers who need to decrypt and analyze the contents of the ZeuS 2.0 configuration files, the ZeusDecryptor tool is available for download
here.
Online gaming password stealers form a large malware category.
Moreover, it is growing: there is strong demand in the virtual experience, there is supply, there are online auction
sites where such experience is sold to those who are ready to pay for it. That is, there are mechanisms for converting the virtual experience into the real money. And then there are bad guys are trying to hook into that chain for their personal gain by trying to compromise online gaming accounts in order to steal the virtual experience and then resell it.
However, why there is demand for the virtual experience in the first place?
What state of mind is required in order to pay several hundred dollars for something as virtual as this:
Why the practicality becomes less important and the virtual assets become more and more appealing up to the point when they are associated with a certain social status? Is it the same force that drives the sales of the sleek, glossy and shiny (but questionable practically) i-gadgets, the same sort of virtuality? Is this some kind of "this is me and I am not part of the crowd" message sent to the rest of the world, an attempt to demonstrate an open mind attitude that dismisses anything dogmatic?
By buying the virtual status in gaming, whether it is virtual gold or a level or experience, what are they trying to say? Is this a way to demonstrate to their friends how keen there are and how far they are prepared to go to gain their own social status in the modern world? But why buying the virtual social status instead of building one physically?
Hmm, this must be our evolution then.
I got very excited when I heard that recently Steven Adair from Shadowserver has spotted a slightly modified Storm variant live in action. But I was little surprised when I read the details of this alleged new variant. This new variant (a modified version of actual storm) was discovered back in 2008 and I got a chance to write about it in quite a detail. From my article written back in 2008: Another interesting nugget...
Wow - I'm posting!! :)
Today I, and others around the Internet, received an email that stated:
Subject: setting for your mailbox are changed
SMTP and POP3 servers for YOUREMAILADDRHERE mailbox are
changed. Please carefully read the attached instructions
before updating settings.
The email had a PDF attached to it. Given the
number of malicious PDFs that have been seen lately, this was likely a bad thing.
Examining the PDF with
Didier Steven's pdfid.py showed that there was an OpenAction in the PDF, but no JavaScript. Interesting. Using pdf-parser.py, the object pointed to by the OpenAction was examined:
This shows that the
/Launch vulnerability/feature of PDFs is being used to drop a VB script and execute it. What is interesting is the VB script (named script.vbs) parses the original PDF for another VBS to run! A quick look at the PDF finds the other VBS:
(The image above has had code removed for brevity.)
The new VBS (named batscript.vbs) contains an executable broken up into its hex bytes. The script will write each byte out to a file named game.exe and then will execute it. After executing, it sleeps for 3 seconds then covers its tracks by deleting game.exe, batscript.vbs and script.vbs.
game.exe, meanwhile, will copy itself to
c:\program files\microsoft common\svchost.exe and set itself up to run in the registry whenever explorer.exe runs.
While I know the /Launch vulnerability has been exploited recently, this is the first I've seen on a mass-email scale (
but isn't the first ever). I'm sure we'll be seeing more of these as time goes on.
Update: Oracle released an emergency patch recently to fix this major flaw. See details in the bottom. ------------- The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for malware drive by attacks. This flaw was exposed by Tavis Ormandy a few days back and it did not take a long time for bad guys to start using the proof of concept code for real exploitation. I...
Initially malc0de.com was created to link domains that were serving the same executable. What I found out in a very short period of time is the binaries are updated so frequently that this becomes almost impossible. Storing the MD5 is still useful just not as useful as I originally thought. The only purpose malc0de.com is to store and keep track of domains that host malicious binaries.
I have recently made a few adjustments to the database which should speed up the queries. I have also linked the IP addresses to a good friend of mines newly created website www.malwaregroup.com. Think of it as a robtex for malware domains.
For example here we can find a domain hosting the Neosploit exploit pack. The domain is hosted on 75.125.212.58. By searching malwaregroup.com we can see domains hosted on the same IP that are named in a similar fashion and are most likely also hosting Neosploit or being staged.
A reference table for Windows API Function Name Hashes, used in many shellcode examples. Also, daylight saving time is dumb.
The Fbi released its Internet Crime Complaint Center (IC3) 2009 report. The organization maintains that cyberfraud losses reported to them doubled year over year.
The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.
The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.
Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.
Same as we posted last week, Trojan.FakeAv continues to be one of the highest hitting families of malware prevented in the ThreatFire community again this week. And, because so many users continue using Windows XP, it is this variant of the family that continues to pop up the most. Frequently, the malware resides simply as “av.exe” on users’ systems:
The bogus software follows the trends that we presented at Virus Bulletin 2008 two years ago, where we noted the rising FakeAv families and technical details of “Recent Rogueware”, similarities with previous other malware families, and their delivery.
The victory over dozens of Zeus botnets that was declared over the past couple of days may have been premature, as the Troyak-AS upstream provider that was de-peered from its upstream providers was busy finding new peers to the internet. Yet another check shows that the provider succeeded in regaining connectivity, and only two of the ISP’s that are home to handfuls of Zeus C&C’s are withdrawn (as of 11:30 a.m. Mountain Time 3/11/2010):
50215 TROYAK-AS Starchenko Roman Fedorovich
Adjacency: 5 Upstream: 1 Downstream: 4
Upstream Adjacent AS list
AS8342 RTCOMM-AS RTComm.RU Autonomous System
With the original de-peering, it was thought that 68 monitored Zeus C&C’s were disconnected from the net. But, of the six ISP’s hosting almost five dozen Zeus C&C’s, only two remain de-peered, leaving 43 monitored Zeus C&C up and running. We hope to see these come down soon. In the meantime, ensure that a protective layer like ThreatFire is installed on your system, effective against Zbot attacks. And cheers to the awesome zeustracker site.
Click fraud is a lot like shoplifting. It’s not the most shocking crime you know of, and it’s not really victimless. It is theft. But observing and identifying click fraud is more difficult than watching a kid slip an unpaid-for candy bar or magazine into their pocket. It’s also a cost of business that burdens all customers of a business. Ugly.
There are a lot of technical details to understand about click fraud, and even more that go into evading click fraud sensors. A previous post details how one group camouflages their bot generated queries from fraud monitoring systems by stealing search terms from live humans on infected systems and then re-uses them.
This post will set out to describe another set of click fraud components and activity used by a financially motivated group distributing Zbot and FakeAv in addition to the click fraud components. The group expends considerable effort to distribute their crimeware packages and consistently use blackhat Seo tactics and crack sites. They implement polymorphic malware executables to evade AV scanners on victims’ desktops and anti-reversing and encryption technology to foil analysis. Their click fraud, most likely generating lower revenues than their Zbot and FakeAv activity, probably is more stable and helps keep their money mules, web operators and developers paid, and potentially keeps potential domain squatting sites paid for. They appear to act as a well run money making organization. We also know that the click fraud components are delivered alongside “Alureon/TDSS/Tidserv” drivers, so they are not the only ones spreading the stuff.
A couple of ad-network affiliate related terms and concepts to understand: CPM (cost-per-impression) and CPC (cost-per-click). They are what drive advertising and payouts for ads on the web pages you view. For example, when you browse an online radio web site and it displays an ad for online movie rentals, it’s most likely not because the radio station has a contract with the online movie rental store to display its ads. Instead, they make a deal with an “online media company” with an affiliate program to display whatever ads they provide to them to display. When 1,000 users see the ads on the radio site’s web pages, the ad network pays out a small sum of cash to the operator of the website. The more impressions or views, the higher the payout. Technical details relevant to click fraud of syndiation, sub-syndication and referral deals in Neil Daswani, et al Clickbot.A paper here.
Knowing this simple setup leads to payouts, these cheats looking for easy cash attempt to set up phony web sites hosting ad banners, then infect large numbers of systems with click fraud components (alongside the Zbot spyware and FakeAv), and visit various pages and ads from these infected systems repeatedly. In our lab, these click bots hit banner ads at random rates. Sometimes, they would hit four per minute, wait a couple of hours, and then move on to other sites, where odd videos and pictures are haphazardly posted alongside ad banners. Usually, they would start at a site hosting a slew of bizarre videos, like this one.
The advertised images included ads from tire and tune shops, some restaurants, RV and trailer exchange sites, ringtone sellers, an ad council, singles sites, and many more. Let’s take a look at the components and the network traffic. The main executable performing the click fraud activity most often goes by the file name “msa.exe”, although the file name for the malware is fairly arbitrary over time, and weigh in at approx 100-200 kb. As mentioned above, distributors get the executable onto target systems via blackhat Seo tactics, P2P sharing and crack sites.
Once running, the msa.exe code connects back to one of several sites that have changed over the past several months to exchange initial request information. For example, the malware POSTs data collected from the system to a hard-coded web server address; in January and February, several of the servers’ online locations were fgage. com, tooldawn. com, bestalias. com, iepil. com, and theastic. com. The physical location of the servers themselves seems to move, sometimes in Canada or the US, between major hosting sites. The encoded response to the msa.exe POST is received by msa.exe and copied to a .dat file. This response is decoded by the bot and the Urls to “click” are extracted. It is this list that the bot uses to fetch commands, sites and ads, knowing what Urls are “clickable” and what are available for impressions only, how long to pause between clicks, etc. The data is neatly xml formatted:
<root>…..<pause>15</pause>..<clickable>250</clickable>..<visible>100</visible>..<searchlimit>3600</searchlimit>..<time>126593</time>…
<tag type=”iframe” weight=”26″ search=”100″ clicks=”1″ id=”3008″ clickable=”252″>…<feed><![CDATA[http://ad.r----m
edia.com/st?ad_type=iframe&ad_size=468x60§ion=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”23″ search=”100″ clicks=”1″ id=”3007″ clickable=”328″>…<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=300x250§ion=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”26″ search=”100″ clicks=”1″ id=”3005″ clickable=”280″>…<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=120x600§ion=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”21″ search=”100″ clicks=”1″ id=”3006″ clickable=”227″>…<feed><
![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=160x600§ion=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”25″ search=”30″ clicks=”1″ id=”3045″ clickable=”471″>
After extracting the urls to click, it then hits the web sites described earlier pasted over with oddball videos and images, hosting banner ads. An example from the many over the past few months is tu—aster. com:
After retrieving images and ads from this second site, request sequences often look like this one, which we’ve altered both for brevity’s sake and for privacy concerns, but allowed enough data to be recognized by fellow researchers:
hxxp://ad1.ad–vo. com/st?ad_type=iframe&ad_size=728×90§ion=758786
hxxp://ad2.ad–vo. com/st?ad_size=728×90&ad_type=iframe&fil=gw§ion=758786
hxxp://ad2.ad–vo. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
hxxp://ad.yie—-nager. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
hxxp://ad1.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw§ion=758786
hxxp://ad2.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.as–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw§ion=758786
hxxp://ad.yie—-nager. com/iframe3?juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw§ion=758786
hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;cfp=1;rndc=126635781;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
hxxp://pagead2.g—-esyndication. com/pagead/show_ads.js
hxxp://g—-eads.g.—–eclick. net/pagead/test_domain.js
hxxp://pagead2.g—-esyndication. com/pagead/render_ads.js
hxxp://g—-eads.g.—–eclick. net/pagead/ads?client=ca-pub-8175825562880389&output=html&h=90&slotname=8878168224&w=728&ea=0&flash=6.0.79.0&url=http%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728×90%26ad_type%3Diframe%26–ler.com%2Fiframe3%0juvrDBw5kMNESk6cFF%3D%3D%2C%2Chttp%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728×90%26ad_type%3Diframe%26fil%3Dgw%26section%3D758786&fu=0&ifi=1&dtd=218
hxxp://g—-eads.g.—–eclick. net/pagead/imgad?id=CMSty_OwpaPOXxDYBRhPMggZu9r8MIRZeQ
Also hit are any one of long lists of domains that at the time of writing are “parked”, or “squatted” domains:
hxxp://collect—-ofcoloniesofbees. com/
hxxp://tra—-splay. com/movies.php
hxxp://aliv—-son. com/
hxxp://allcandlem—-g. com/
hxxp://ano—-look. net/
hxxp://—-l. com/
hxxp://—-l. net/
hxxp://apartm—-areus. com/
hxxp://apart—-toshare. com/
hxxp://abso—-look. com/
hxxp://a—-ake. com/
hxxp://ariz—-ades. com/
hxxp://a—-. com/
hxxp://ar—-. com/
hxxp://a—-. com/
hxxp://a—-look. org/
ThreatFire effectively protects against the deliver vector in the first place. It first targets the evasive downloader, poorly detected by AV engines, so Zbot, FakeAv, and these click fraud components never reach the system and the clickbot never runs.
The Bangkok Post’s article on a Malaysian man’s arrest and extradition to the U.S., charged with identity theft, a part of a prosecution begun in 2008, exposes potentially the 12th person known only by his handle “Delpiero”. The man will be extradited for theft and sale of over 40 million credit card numbers and personal information. From a 2008 article reporting the original case:
“Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname “Delpiero” were also unsealed in San Diego.”
Damages from the hack(s) were not estimated in 2008: ‘”They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,” Attorney General Michael Mukasey said at a news conference. “And in total, they caused widespread losses by banks, retailers, and consumers. Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point”‘, but the Bangkok Post article seems to cite an estimated $150 million for the ring’s take.
As published in the
previous blog post, analysis of the current version of Koobface uncovered a very interesting part about it – its "ability" to resolve CAPTCHA protection at the Facebook web site. To put it simply, if Koobface was unable to resolve Facebook’s CAPTCHA protection, it would’ve been unable replicating because in order to submit a new message, one needs to resolve CAPTCHA image first.
Every time Koobface runs into CAPTCHA protection at Facebook, it transfers that image to its command-and-control server. From there, the image is relayed to an army of CAPTCHA resolvers, who work day and night ready to pick up a new image from their profile, solve it, submit an answer, and get paid something like 0.5 cent for the answer.
You wonder if it's financially sustainable?
Think about it this way:
according to the World Bank, at least 80% of humanity lives on less than $10 a day. In the same time, web resources like
this one, give its users an opportunity to make that kind of money ($9) in three hours by resolving CAPTCHA images relayed to them. Don’t you think the potential army of CAPTCHA resolvers has all the reasons to grow?
Detailed analysis of traffic between Koobface and its command-and-control server allowed tapping into its communication channel and injecting various CAPTCHA images in it to assess response time and accuracy. The results are astonishing – the remote site resolved them all.
But here is a twist: uploading a large number of random CAPTCHA images into its communication channel will load its processing capacity, potentially up to a denial-of-service point. Well, if not that far, then at least it could potentially harm its business model, considering that the cost of resolving all those injected images would eventually be paid by the Koobface gang.
The tapping mechanism is best illustrated with the following scheme:
There was a tool specifically built to upload CAPTCHA images to the Kobface C&C server and receive the responses. It is available for download
here (the ZIP file contains a few test images to upload).
The tool opens up an interesting "dialog" with the back-end operators, a dialog with some interesting discoveries.
At first, the response clearly looks like it was produced by automation:
As seen in this example, the automation tried to OCR the image (which contains a very specific Russian word) – it’s very unlikely that a human would have provided such answer.
Trying to submit it images with the provocative phrases had no luck either – the remote server resolves them vigorously – as if it was a bot, or maybe a smart operator instructed to reply as if he or she was a bot:
But given that no automation can presumably handle really complex images – images that are difficult even for humans to resolve, let’s try to submit with the tool the more complex ones. Here are the results:
As seen on the picture, all Facebook’s CAPTCHAs were resolved pretty well.
But here are a couple of bloopers – these images were resubmitted because the original answers were totally wrong:
Let’s see how it withstands Google’s CAPTCHAs. Here is another blooper revealed:
The wrong answers like "edtgted rghf", "edrfb dfbn", "dfgd dfg", and "asdf df" mean it was not an automation. Otherwise, it would have tried to resolve the images at least partially, or maybe provided nonsense for the noise detected in the picture or any other answer suggesting it was a bot. In the end, the wrong answers would have been at least consistent across several attempts.
These wrong answers simply mean someone was hitting the keyboard (check these keys location), giving those pictures up as too complex puzzles that require too much time/attention, in order to proceed to the easier ones.
These results could mean that the back-end CAPTCHA server has a queue of CAPTCHA images to resolve, and in front of that queue there must be an automation that firstly tries to resolve CAPTCHAs automatically, by using optic image recognition techniques. If the automation fails, it then passes the image down into the queue to be further distributed and picked up by an operator to be processed manually. Such relaying obviously has no method to oppose, as it destroys the very meaning of CAPTCHA – to distinguish a bot from a human. By having them eventually processed by humans, the only reason to keep CAPTCHA protection is to make the resolving process as expensive as 0.5 cent per image.
The question is: is it expensive enough to be justified at all? Probably, it’s expensive enough for the kids who build malware out of curiosity or self-determination (compare it with a trivial latch on your window). But it’s nothing for those guys who build malware for any kind of profit (case with Koobface) as more than likely they can afford 0.5 cent per image.
Taking the C&C down? Maybe, but it will rather pop up in a different place the very next day.
A different way of destroying it is via poisoning its traffic with the fake CAPTCHAs that look exactly as the ones that are passed by a valid Koobface worm. In this case, Koobface authors will be paying for every fake CAPTCHA resolved, the ones generated in the lab, not the real-wild-world ones.
Destroying it financially could be a better option in the end.
A detailed write up describing the the command and control structure of the Aurora Botnet was recently released of by a security company called Damballa. The 31 page PDF which can be found here makes some interesting connections and is definitely worth reading.
Damballa’s findings concerning Operation Aurora can be summarized by the following:
At the time the attack was first noticed by Google in December 2009, systems within at least 7 countries had already been affected. By the time Google made the public disclosure of the attack on January 12 2010, systems in over 22 countries had been affected and were attempting to contact the CnC servers – the top five countries being the United States, China, Germany, Taiwan and the United Kingdom.
The Trojan.Hydraq malware, which has been previously identified as the primary malware used by the attackers, is actually a later staging of a series of malware used in the attacks which consisted of at least three different malware ‘families’. Two additional families of malware (and their evolutionary variants) have been identified, and they were deployed using fake antivirus infection messages tricking the victim into installing the malicious botnet agents.
The attacks that eventually targeted Google can be traced back to July 2009, with what appears to be the first testing of the botnet by its criminal operators. The analysis identifies the various CnC testing, deployment, management and shutdown phases of the botnet CnC channels.
The botnets used dozens of domains in diverse Dynamic DNS networks for CnC. Some of the botnets focused on victims outside of Google, suggesting that each set of domains might have been dedicated to a distinct class or vertical of victims.
Some of the CnC domains appear to have been dormant for a period of time after they had infected a number of victim systems. This can occur after the botnet operator has updated the botnet malware with new (more powerful) variants or when the criminal operator sells/trades a segment of the botnet to another criminal operator.
There were network artifacts that suggest that the botnet malware operating with the US-based victims’ networks made use of email services to extract the stolen data from the breached organizations.
There is evidence that there were multiple criminal operators involved, and that the botnet operators were of an amateur level. The botnet has a simple command topology and makes extensive use of Dynamic DNS CnC techniques. The construction of the botnet would be classed as “old-school”, and is rarely used by professional botnet criminal operators today
The Koobface gang’s changing tricks and longevity are noted at a recent USAToday article. They’ve recently upped their activity on a major social networking site and user infections appear to have a quick jump. The current theme has been effective for the past month. A message will arrive in a user’s box from a friend (names purposely removed from image). Note that the gang is no longer using the bit.ly service in their attack links:
The link will lead the user to the familiar phony Yuotube “Broadcast Yourself” page with video frame and flash installer prompt “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The “setup.exe” file from “SquarePants”. When setup.exe is run, this file in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.
Past posts on Koobface here.
If you are prompted to install the Flash Player, you can skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view. For legitimate sites, the content should play.
The U.S. Secretary of Homeland Security Janet Napolitano was this morning’s keynote speaker at RSA Conference 2010, speaking about succeeding in the cybersecurity battle. She joins the list of prominent speakers this week, along with Symantec’s Enrique Salem on “Defeating the Enemy: The Road to Confidence”. The conference continues through the week, and you can keep up to date with links to interactive webcasts here.
This year’s Cryptographer’s Panel discussed some interesting work on the new MD6 hash algorithm within the SHA-3 Competition, and MD5 as a ”dead hash algorithm”. This talk marked hopefully the last year of commercial Md5 use, in light of Md5’s fairly substantial and vulnerable use by vendors, webmasters and Certificate Authorities up through the beginning of 2009. May its death arrive quickly and a new, performance sensitive MD6 born soon.
Spanish law enforcement nabbed three operators of the Mariposa botnet: “Authorities identified them by their Internet handles and their ages: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25.”
The massive infection rate described in the article presents just another reason why you need our quiet ThreatFire product protecting your workstation. On a weekly basis, thousands of updated ThreatFire-protected systems were attacked and protected from variants of the bots with a feature we call “behavioral recognition”. It is far superior to AV file scanner signatures and definitively identifies the behavior of malware families like the bots that were a part of the Mariposa botnet. Problems with signature based AV scanner recognition and various Mariposa variant bots were described in a technical paper here.
If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.
A recently reworded post on Microsoft’s attempt to pursue malware distribution in the courts makes it appear that something permanent and substantial has happened in anti-malware efforts (demonstrated by a legal and collaborative effort called “Operation b49″ to takedown Waledac C&C domains). Because of the complications (legal and otherwise) delaying server and domain takedowns, it’s great to see this botnet’s well-known command and control server domains pursued by the powerful legal team. On the other hand, in the meantime, users’ systems continue to be infected with Waledac. And much like the FakeAv organizations and the “John Doe” defendants that Microsoft has filed against in the courts in the past, cybercriminals herding Waledac most likely will pick up and continue to operate in the shadows beyond the reach of law enforcement — the domains and malware most likely will change to evade the takedowns pushed by their court approach. It’s a situation that has been described as “wrestling with a pig”.
In the meantime, the best way to protect yourself is with the latest install of ThreatFire. From our statistics in the ThreatFire community, we see that Waledac binaries continue to attack systems on a daily basis as a bump on the “threat landscape”. The ISC’s post title mistakenly implies that Waledac is not infecting system’s on a daily basis because the group’s “Storm-like” spam campaigns of 2009 have discontinued and because a specific list of domains have been removed, but in fact, Waledac binaries like these are attacking systems on a daily basis. For instance, over the past few days, workstations in the ThreatFire community were attacked by and protected from Waledac in the US and parts of Europe.
Anyways, the ISC handler’s post was an interesting writeup and description of past problems in takedowns (current collateral damage described here), and “Operation b49” adds another strong effort and collaboration to clean up the wild wild web. Cheers to that. Let’s hope that the Waledac bot distributors and botnet operators are worn down with the new strategy while watching their C&C servers becoming unreachable. We’ll monitor the bot’s distribution over the next few weeks and post results. Hopefully, the group is worn down for good.
Zeus is an extremely effective bot builder kit designed and developed to be sold in underground markets as a cybercrime kit, enabling buyers to easily build identity theft related spyware that evades many security solutions. The writers have been known to do custom work as well, all for a price.
The bots produced by the kit were in turn called ”Ntos” and ”Zbot” by major software security vendors. We’ve kept on top of its activity over the past couple of years, describing its distribution as a part of other attacks, drive by attacks, and spam blasts. The ThreatExpert blog maintains posts here and here. ThreatFire is one of the most effective, if not the most effective, products on the market at detecting and preventing the Zbot variants on user systems. It detects them clearly as “Spyware.Zbot”. Because one gang of the bot distributors have been so determined and successful at distributing the malware to high-value targets over the past couple of years, an individual zbot botnet currently made up of a reported 74,000 zbot infected systems is being renamed as the “Kneber Botnet“, based on the username this Zbot variant uses.
We have posted a dozen times about Zbot over the past couple of years, including stats on Zbot-downloading Bredolab variants being run on user’s systems. Locations of the tens of thousands of systems on which users have run Zbot itself over only the past six months vary across globe, but here are a recent top ten from the ThreatFire community.
These Zbot hits are the malware that get through spam filters, mail AV scanners, etc, and Zbot actually was run on the user’s system and then prevented by ThreatFire. It’s also interesting to know that over 70% of ThreatFire users are running another security solution on their system (indicating that ThreatFire is first and only to detect and prevent in a startling number of incidents). ThreatFire protected all of our users that were tricked into running Zbot, and it’s a good thing. The vast majority of these variants were configured to steal banking credentials, in addition to other valuable user data.
Note – the Dns domains registered to “Hilary Kneber” from which the attacking web sites served the zbot spyware (which cleverly must helped in naming the botnet), maintained the Zbot executables as “bot.exe” from a couple of different directories. One would think that this filename may be a giveaway to security monitors. On victim systems where the malware was run, it seems that the file was downloaded and renamed to both “svchost.exe” and random names like “58e.tmp” so as to camoflage its purpose. It predictably then would attempt to copy itself to c:\windows\system32\sdra64.exe.
I've been publicly quiet on the whole APT discussions as of late, with good reason. There are lots of blogs out there which share (and do not share) my opinion, so there is no need for me to chime into the myriad of voices out there.
However, an anonymous comment on one of the
recent taosecurity posts brought up a point that I have not seen anyone else talk about. The comment stated:
Reading the Mandiant Report, we see:
1.) Government
2.) Defense Contractors
3.) Fortune XXX acquiring a Chinese compnay
4.) A Law Firm involved in a Chinese civil litigation case
5.) A non-profit trying to spread "democracy and free enterprise in China" (maybe they could also do that in the USA).
Look, it doesn't take Arthur Conan Doyle to piece together the storyline here. This clearly isn't "everyone's problem". It's a problem for those that are seen as an enemy of certain nation-states.
The part I'd like to focus on is the last statement. The APT problem is
not only the problem of those seen as the enemy of certain nation states. It is the problem of everyone.
If you read Mandiant's excellent report, you will see specific examples (mentioned in the comment above) which are documented APT targets. Yes, these are what you think of as nation-state attack targets.
However, I have personally seen the APT attack and compromise systems in networks which have no ties to that nation-state and you would not consider enemies of that nation-state (or any for that matter). In these cases, the organizations were small-medium sized companies whose systems were compromised in order to be used as command and control systems for the APT's backdoors.
Of course, there are those that will say that this is the same technique that all attackers use - compromise less secure systems and use them as a go-between to attack other systems. And I will 100% agree with them on that! But that re-enforces my point as well! No one is safe from attack from APT and therefore there should be no reason why organizations should not take every reasonable precaution to against these (or any) attackers and learn as much as they can.
Yes, there will be those companies that use the term APT as a marketing tool. Yes, there will be those who say this is a limited threat to some organizations (and to some extent I agree with that). But in the end, it is a real threat that exists and any organization that does not perform the due diligence to at least learn about the potential threat will be at a disadvantage when they do get attacked; maybe not by the APT but by the next threat.
Zief[dot]pl and a handful of other domains hosted on the same IP address (61.235.117.71) are currently attempting to distribute Trojan W32/Virut by using various client side exploits. The Trojan W32/Virut family is particularly nasty and consists of file infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.
Upon execution Win32/Virut will open a connection with one of the IRC servers over a non standard IRC port. This channel is used for communication allowing the attacker to control the machine or download additional malicious components onto the system.
One example:
Server: proxima.ircgalaxy.pl
Port: 65520
Channel: &virtu
What happened when Google visited this site?
Of the 42 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-30, and the last time suspicious content was found on this site was on 2010-01-30.Malicious software includes 738 exploit(s), 416 virus, 320 scripting exploit(s).
This site was hosted on 3 network(s) including AS4134 (China Telecom backbone), AS9394 (CRNET), AS38356 (TIMENET).
This campaign has been going on for more then 30 days from the same IP address hosted in China (big surprise).
inetnum: 61.235.117.0 – 61.235.117.255
netname: CRGdSzS
country: CN
descr: China Railcom Guangdong Shenzhen Subbranch
descr: Telecommunication Company
descr: Shenzhen City,Guangdong Province
All activity including timeframe, domains, md5s and IP’s can be found here.
**Update 02/27/2010**
A more detailed analysis of Trojan Virut can be found here. Thanks Nicolas Brulez for bringing this to my attention.
The post describes functionality (static analysis) of the trojan that was
reported in the recent targeted attacks against some large companies.
Trojan.Hydraq trojan is a DLL that runs as a service within the context of the system process svchost.exe.
In order to be executed within the process svchost.exe at the system startup, the trojan employs no injection techniques - this is achieved with the steps described below.
Firstly, the trojan registers itself as a system service RaS[4 random characters] by creating registry entries under the newly created key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
The "ImagePath" value of its service registry key is set to start svchost.exe, as shown below:
"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
This will force the system process svchost.exe to look up its multi-string value "netsvcs", load all services specified in it into its address space, and then call their ServiceMain() exports.
To make svchost.exe aware of its existence and be loaded too, the trojan adds its service name into the list of strings (service names) stored in the value "netsvcs" of the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
To make sure its service name is added to the list of services only once, the trojan queries the contents of the value "netsvcs" to make sure that the multiple strings stored in that value do not contain any string that starts from "RaS" (case-sensitive).
Other parameters of the newly installed service are specified in the values:
ObjectName = LocalSystem
Type = dword:0x20 (a win32 service that can share a process with other win32 services)
Start = 2 (to be loaded automatically for all startups)
of the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
Finally, to let svchost.exe process know where to load the DLL from, the image path of the trojan's service DLL is saved by setting the value:
ServiceDll = [path to trojan DLL]
of the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]\Parameters
The file name of the trojan DLL is retrieved by calling GetModuleFileNameA() API, as the trojan knows its name may vary.
For instance, the trojan can create a copy of itself under a random filename in the %TEMP% directory; if it locates a file %TEMP%\c_1758.nls, it may rename that file under a different file name.
NOTE: %TEMP% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP), or C:\User\[UserName]\AppData\Local\Temp (Windows Vista, Windows 7).
The Hydraq trojan installs a backdoor trojan that listens for incoming commands. The commands allow the trojan to perform multiple actions - the trojan organizes them into groups - these commands are enlisted below with the [group number].[internal command number] prefixes:
- [0.0] adjust token privileges
- [0.1] terminate processes
- [1.0] enumerate name and status for all system services
- [1.1] control arbitrary services
- [1.2] query status for arbitrary services
- [2.0] receive remote file and save it as %TEMP%\mdm.exe, then launch it by using command control program %SYSTEM%\cmd.exe
- [3.0] enumerate registry keys under the specified key
- [3.1] enumerate registry values for the specified key
- [3.3] query registry values
- [3.4] set registry values conditionally
- [3.5] set registry values unconditionally
- [3.6] delete registry keys
- [3.7] create registry keys conditionally
- [3.8] create registry keys unconditionally
- [4.0] retrieve the list of logical drives on a system
- [4.1] read files from the local file system
- [4.2] execute arbitrary files
- [4.3] copy files in the local file system
- [4.4] delete arbitrary directories
- [4.5] rename files
- [4.6] change file attributes
- [5.1] power off computer
- [5.2] reboot Windows
- [5.3] uninstall itself by deleting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]
- [5.5] clear all system event logs (application, security, and system pools)
- [6.0] enumerate files in the specified path
- [7.11] check if %SYSTEM%\acelpvc.dll is present - if it is present, load it and call its EntryMain() export; check the presence of the DLL %SYSTEM%\VedioDriver.dll
- [9.1] open the file %SYSTEM%\drivers\etc\networks.ics and read 616 bytes from it
- [9.2] delete the file %SYSTEM%\drivers\etc\networks.ics
In addition to the commands enlisted above, the trojan retrieves CPU speed by querying the "~MHz" value from the registry key:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
The stolen details are then delivered to the remote site.
Hydraq trojan is capable to keep inter-process communications with other components via a named pipe - a separate thread is spawned for that purpose.
Internal data or configuration is stored by the trojan in the values "IsoTp" and "AppleTlk" in the dedicated registry key:
HKEY_LOCAL_MACHINE\Software\Sun\1.1.2
Continued in
part II.
I was testing out some functionality with the Poison Ivy backdoor today when I grabbed this screenshot. Very psychedelic!
Previous
post described the installation process of the trojan and its backdoor commands.
Now it's time to inspect its connection details, in particular - where does it retrieve the host name of the remote command-and-control (C&C) server.
The source code of the trojan contains a hard-coded host name 192.168.5.164 that is tried out every 5 seconds, but these values must have been used during testing only - they are replaced with the different ones during the runtime - we must establish which ones.
It is also worth noting that the trojan's code is very fragmented - it is deliberately split into small chunks with the size of a few instructions each, connected with the calls and jumps into a large maze: the code of Trojan.Hydraq contains 1,748 jumps and 922 calls - tracing it requires quite a bit of a patience. Graph image of the disassembled source indeed reminds a serpent-like beast - hence, probably, the name.
Hydraq's call-only graph:
The trojan carries its C&C connection details (server, name, port, retry delay, etc.) inside the internal resource (name is 100, type is 243). The resource is 344 bytes in size, and it is encrypted.
Decryption of the resource is performed in 4 stages:
- The first 8 bytes of the resource are skipped, the remaining 336 bytes are XOR-ed with 0x99
- Next, every byte from the 336 input buffer is translated according to the following logics:
- if the byte is a character from 'A' to 'Z', it is subtracted 'A' value (0x41)
- if the byte is a character from 'a' to 'z', it is subtracted 'G' value (0x47)
- if the byte is a character from '0' to '9', it is added 4
- if the byte is a character '+', its replaced with '>'
- if the byte is a character '/', its replaced with '?'
- if the byte is a character '=', its replaced with '\0'
- otherwise, the byte is left as is
- The input buffer is then converted into the resulting buffer which is 25% smaller. This is achieved by splitting every byte quartet (bytes 0-3) from the input buffer into 3 pairs (0-1, 1-2, 2-3), performing operations over these three pairs, and writing 3 byte results into the output buffer. This way, the 336 bytes will be converted into 252 bytes (4 -> 3 conversion); in some way, it's similar to unpacking all-ASCII base64 back into binary. The operations performed over the 3 pairs are illustrated below:
- Finally, the resulting 252 bytes are XOR-ed with 0xAB
The fully decrypted resource is shown below:
Knowing this logics, the decryption can now be reconstructed in a stand-alone tool; a function that retrieves and decrypts the resource from the trojan DLL is provided below (should be run from a virus lab as loading the DLL will invoke its entry point):
#define IDD_RES_NAME 100
#define IDD_RES_TYPE 243
void DecodeHydraqResource()
{
HMODULE hDll;
HRSRC hRes;
HGLOBAL hResLoad;
BYTE lpBuffer[0x150];
BYTE lpResult[0x150];
int iResultOffset;
int i;
char szHost[MAX_PATH];
int dwDelay;
int dwPort;
char szAltDnsServer[MAX_PATH];
char szMessage[MAX_PATH * 4];
BOOL bOk;
szHost[0] = '/0';
dwDelay = 0;
dwPort = 0;
szAltDnsServer[0] = '/0';
bOk = FALSE;
szMessage[0] = '/0';
hDll = LoadLibrary(_T("sample.dll"));
if (hDll)
{
hRes = FindResource(hDll, MAKEINTRESOURCE(IDD_RES_NAME), MAKEINTRESOURCE(IDD_RES_TYPE));
if (hRes)
{
hResLoad = LoadResource(hDll, hRes);
if (hResLoad)
{
memset(lpResult, 0, 0x150);
iResultOffset = 0;
if (SizeofResource(hDll, hRes) == 0x158)
{
memset(lpBuffer, 0, 0x150);
memcpy(lpBuffer, (LPBYTE)hResLoad + 8, 0x150);
for (i = 0; i < 0x150; i++)
{
lpBuffer[i] ^= 0x99;
if ((lpBuffer[i] >= 'A') && (lpBuffer[i] <= 'Z'))
{
lpBuffer[i] -= 'A';
}
else if ((lpBuffer[i] >= 'a') && (lpBuffer[i] <= 'z'))
{
lpBuffer[i] -= 'G';
}
else if ((lpBuffer[i] >= '0') && (lpBuffer[i] <= '9'))
{
lpBuffer[i] += 4;
}
else if (lpBuffer[i] == '+')
{
lpBuffer[i] = '>';
}
else if (lpBuffer[i] == '/')
{
lpBuffer[i] = '?';
}
else if (lpBuffer[i] == '=')
{
lpBuffer[i] = 0;
}
}
for (i = 0; i < 0x150; i++)
{
lpResult[iResultOffset++] = (lpBuffer[i] * 4) ^ (lpBuffer[i + 1] / 16);
lpResult[iResultOffset++] = (lpBuffer[i + 1] * 16) ^ (lpBuffer[i + 2] / 4);
lpResult[iResultOffset++] = (lpBuffer[i + 2] * 64) ^ (lpBuffer[i + 3]);
i += 3;
}
for (i = 0; i < 0x150; i++)
{
lpResult[i] ^= 0xAB;
}
i = strlen((LPSTR)lpResult);
if ((i > 0) && (i < MAX_PATH))
{
strcpy(szHost, (LPSTR)lpResult);
sprintf(szAltDnsServer,
_T("%d.%d.%d.%d"),
lpResult[iResultOffset - 4],
lpResult[iResultOffset - 3],
lpResult[iResultOffset - 2],
lpResult[iResultOffset - 1]);
dwPort = *(LPDWORD)(lpResult + iResultOffset - 12);
dwDelay = *(LPDWORD)(lpResult + iResultOffset - 8);
sprintf(szMessage,
_T("Remote Host: %s\nAlternative DNS Server: %s\nConnection Port: %d\nDelay between connection attempts: %d sec."),
szHost,
szAltDnsServer,
dwPort,
dwDelay);
bOk = TRUE;
}
}
}
}
FreeLibrary(hDll);
}
if (!bOk)
{
MessageBox(NULL, _T("Failed to retrieve any details!"), _T("Error"), MB_OK);
}
else
{
MessageBox(NULL, szMessage, _T("Success"), MB_OK);
}
}
Once the trojan knows its C&C server, it attempts to connect to it via the specified port - e.g. server sl1.homelinux.org, port 443.
It starts doing so by trying to resolve its host name first. If this attempt fails, the trojan makes a DNS query by crafting a TCP packet on port 53 of an alternative (legitimate) DNS server, also specified in its resource, in order to resolve the same host name. For example, the analysed sample has alternative DNS server 168.95.1.1 - this is dns.hinet.net server
located in Taiwan.
If Hydraq can't connect to the remote server, it falls asleep for the time specified in its resource (2 minutes), then repeats the beaconing again.
If the connection to remote host on port 443 succeeds, the malware prepares a packet to send - it is 20 bytes in size:
00 00 00 00 00 00 FF FF 01 00 00 00 00 00 00 00 00 00 77 00
The packet is encoded by inverting its bytes:
FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF
As soon as the packet is submitted to the live C&C server, it receives the response packet that is also 20 bytes in size. It is encrypted with the XOR 0xCC.
Hydraq decodes the received packet and retrieves the command ID from it - a number from 0 to 18, which is then converted into the backdoor command group - a number from 0 to 10. Conversion rules Command ID -> Backdoor Command Group are shown below:
- 0 -> 0 (adjust privileges, terminate processes)
- 1 -> 1 (control services group)
- 2 -> 2 (remote file execution)
- 3 -> 3 (registry manipulation group)
- 4 -> 4 (file system manipulation group)
- 5 -> 10 (receive more data)
- 6 -> 5 (system manipulations - power off/reboot/uninstall/clear events)
- 7 -> 6 (file search)
- 8 -> 7 (call other components)
- 9 -> 10
- 10 -> 8
- 11 -> 10
- 12 -> 10
- 13 -> 10
- 14 -> 10
- 15 -> 10
- 16 -> 10
- 17 -> 10
- 18 -> 9 (networks.ics file manipulations)
Next, a specific command from the chosen group is executed. For more details on backdoor groups and commands within them, please check the
previous post.
It may be assumed that upon successful connection to the remote C&C server (sl1.homelinux.org), the trojan was designed to be able to update itself. A new copy may have a different C&C server specified in its resource (e.g. yahooo.8866.org, 360.homeunix.com or as in the last seen sample - blog1.servebeer.com) in order to survive the shutdown of the old servers.
The presence of a resource that stores all the connection parameters could potentially indicate an intented cloud-based automation for updating the same template with a newly generated resource without the need to recompile the sample, with the obfuscation step added on top of it to evade existing detections. With the relatively high update frequency of such server-side polymorphism, the C&C server shutdown may always fall behind; given the fact the firewalls let the traffic on port 443 through (HTTPS traffic), a heuristic detection of Trojan.Hydraq (added as
Trojan.Hydraq!gen1) is a viable option that reliably breaks this vicious circle.
Early December I wrote about a fake DHL spam campaign which was found to be distributing Trojan Bredolab. The new spam campaign is very similar to the last but this time appears to be from UPS.
Example
Subject: UPS Tracking Number 5845190
“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox.
Thank you.
United Parcel Service of America.
[attachment UPS_invoice_NR12944.zip"
VirusTotal results for the attachment can be found here. Domains known to be contacted by Trojan Bredolab listed below.
20091217:http://mmsfoundsystem.ru, 193.104.12.20
20091227:http://preflopp.com, 95.211.8.170
20100105:http://greatmoder.cn, 122.115.63.19
20100108:http://213.108.56.125, 213.108.56.125
I just finished giving my webcast of
Malware Analysis in the Incident Response Process at
brighttalk.com. A few questions came in after the presentation ended so I'll answer them here and hopefully those who asked will see it.
You indicated it is inevitable to get malware. What is the best prevention…having dedicated PCs for missions critical functions (e.g. online banking)?I honestly believe that the best way to prevent getting malware on systems is to run users with reduced privileges. I have seen first hand where restricting what activities a user can do on their system (install software, etc) will significantly decrease the amount of malware compromises you have.
Of course, there are other options as well. A good defense in depth strategy will make it more difficult for malware to compromise your systems. Using up-to-date AV on the desktop and your email systems, restricting Internet access and requiring all web-traffic to go through filtering proxy servers will help.
Are there any books you would recommend for beginners to learn malware analysis?There are lots of great books out there that I would recommend to anyone who wants to learn malware analysis. The following are just a few of the ones I've read.
Malware Forensics by Aquilina, Casey and Malin
The Art of Computer Virus Research and Defense by Peter Szor
Malware: Fighting Malicious Code by Skoudis and Zeltser
There are others, but these are a good start.
Can you post a recent example of an analysis?Unfortunately, I do not have one. However, I recommend checking out the results from the
2008 Malware Challenge for some analysis reports. I will also try to post something in the next few weeks.
Thanks to those who listened to the webcast. If you have any other questions, feel free to post them in the comments or send me an email!
Next week I'll be giving an online presentation at BrightTalk on Malware Analysis in the Incident Response Process. The description of the talk is:
Malware has become the primary vector of compromise within organisations. Due to this, it has become necessary for incident response teams to have the ability to perform in-house malware analysis. This presentation will discuss how malware analysis can benefit an organisation and what options are available.
The talk is scheduled for next Tuesday, January 12 at 6PM EST and is part of their
Intrusion Prevention Summit. The summit has alot of interesting talks all day, so I recommend checking it out.
To attend my talk, you can go to the following URL:
http://www.brighttalk.com/webcasts/7977/attendHope you can join!
BETA can convert raw binary shellcode into text that can be used in exploit source-code. It can convert raw binary data to a large number of encodings. It can also do the reverse: decode encoded data into binary from the same types of encodings. The official page where you can download it can be found here.
The distribution of Koobface through Google Blogspot continues. Detailed information documented by Jorge Mieres of Pistus Malware Intelligence can be found here. The quick version is 39 domains using Googles Blogspot service redirect unsuspecting users to other domains which deliver Koobface using social engineering tactics.
The domains being used for delivery starting showing up in early December and can be found here. A majority of the 350+ domains are being hosted in the United States using GoDaddys web hosting service.The domains are geographically dispersed around the globe using a variety of hosting providers which helps the attackers ensure a slow takedown.
Results of a lengthy real-world malware protection study are published
here.
Watch out for the fake DHL emails claiming your item wasn’t shipped.
e.g.
“Hello!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly.
Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Please do not reply to this e-mail, it is an unmonitored mailbox!
Thank you,
DHL Services.”
The email contains the following attachment
“DHL_Office_Get_Your_Parcel_NR.4957.zip”
Which is detected as TrojanDownloader:Win32/Bredolab.AB. Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host. Additional information can be found here Currently this sample is detected by 27 out of 41 antivirus vendors.
List of Bredolab drop sites being used.
20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://greatmoder.cn, 125.65.110.46
20091201:hxxp://statcount.cn, 218.93.205.228
20091201:hxxp://statcount.cn, 218.93.205.228
20091202:hxxp://greatmoder.cn, 125.65.110.46
20091202:hxxp://youaskedthedomain.cn, 91.213.126.93
20091203:hxxp://greatmoder.cn, 125.65.110.46
20091203:hxxp://youaskedthedomain.cn, 91.213.126.93
20091204:hxxp://greatmoder.cn, 125.65.110.46
20091204:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://greatmoder.cn, 125.65.110.46
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091205:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://91.213.126.93, 91.213.126.93
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://greatmoder.cn, 125.65.110.46
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091206:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091207:hxxp://youaskedthedomain.cn, 91.213.126.93
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru/, 193.104.12.20
20091208:hxxp://mmsfoundsystem.ru, 193.104.12.20
20091217:hxxp://mmsfoundsystem.ru, 193.104.12.20
Over the past few months there has been a number of ongoing spam campaigns that have been distributing Zeus/Zbot. You might have read about a few of them or you may have fallen victim. A good source of information regarding the zbot/zeus spam campaigns can be found here.
When Zbot/Zeus is executed it will drop a copy of itself in the system folder (c:/windows/system32). It also modifies the registry in order to execute each time Windows starts. Examples of which registry keys are added/modified can be found here
The bot uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. This information is then forwarded to a remote database silently in the background with the victim never realizing what happened. The image below is a graphical representation that gives you an idea how this works.
Example of injected HTML
Zbot/Zeus sends information and receives instructions by contacting specific IP’s that are hardcoded into the binary. From the samples I have seen the following file names are being used by zbot/zeus to phone home.
/rec.php
/ip.php
/config.bin
/cfg.bin
/cfg2.bin
Searching the malware database I maintain reveals a list of C&C servers geographically dispersed around the globe. The list of domains/IP’s is rather large so I just consolidated into a text file that can be found here. Converting the IP addresses to latitude and longitude generate the red dots on the map below which represent the C&C servers.
An updated list of domains distributing Zeus/Zbot can be found at the following link: malc0de.com Zbot Domains
Looking at the past 3 days of data collected the popular web hosting company Go Daddy surfaced 36 times for being related to the distribution of malware. I have contacted abuse@godaddy.com so hopefully these domains will be shut down shortly. In reality its only a drop in the bucket but every little bit helps.
**Caution All Domains Below Are Malicious**
216.69.170.12, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://aaasublet.com/.sys/?getexe=fb.75.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=get.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=go.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=pp.12.exe, 216.69.170.12
20091201:hxxp://aaasublet.com/.sys/?getexe=v2prx.exe, 216.69.170.12
97.74.156.157, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://brooksinfotech.com/.sys/?getexe=fb.75.exe, 97.74.156.157
20091201:hxxp://brooksinfotech.com/.sys/?getexe=get.exe, 97.74.156.157
20091201:hxxp://brooksinfotech.com/.sys/?getexe=pp.12.exe, 97.74.156.157
20091201:hxxp://brooksinfotech.com/.sys/?getexe=v2prx.exe, 97.74.156.157
97.74.144.168, UNITED STATES, ARIZONA, GODADDY.COM INC
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
72.167.232.200, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://counterstrikefc.com/.sys/?getexe=fb.75.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=ff2ie.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=get.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=pp.12.exe, 72.167.232.200
20091201:hxxp://counterstrikefc.com/.sys/?getexe=v2prx.exe, 72.167.232.200
72.167.232.191, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://customizeyourstory.com/.sys/?getexe=fb.75.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=get.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=go.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=pp.12.exe, 72.167.232.191
20091201:hxxp://customizeyourstory.com/.sys/?getexe=v2prx.exe, 72.167.232.191
97.74.144.118, UNITED STATES, ARIZONA, GODADDY.COM INC
20091125:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091126:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091127:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=fb.75.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=get.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=pp.12.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=v2prx.exe, 97.74.144.118
20091201:hxxp://promed-net.com/css/absderce2.exe, 97.74.144.118
97.74.144.128, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://homemadesandwiches.com/.sys/?getexe=ff2ie.exe, 97.74.144.128
72.167.232.33, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://irentphotobooths.com/.sys/?getexe=fb.75.exe, 72.167.232.33
20091201:hxxp://irentphotobooths.com/.sys/?getexe=go.exe, 72.167.232.33
20091201:hxxp://irentphotobooths.com/.sys/?getexe=pp.12.exe, 72.167.232.33
20091201:hxxp://irentphotobooths.com/.sys/?getexe=v2prx.exe, 72.167.232.33
72.167.232.185, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://kickwithcolors.com/.sys/?getexe=fb.75.exe, 72.167.232.185
20091201:hxxp://kickwithcolors.com/.sys/?getexe=get.exe, 72.167.232.185
20091201:hxxp://kickwithcolors.com/.sys/?getexe=pp.12.exe, 72.167.232.185
20091201:hxxp://kickwithcolors.com/.sys/?getexe=v2prx.exe, 72.167.232.185
97.74.64.191, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://kronosagency.com/.sys/?getexe=fb.75.exe, 97.74.64.191
20091201:hxxp://kronosagency.com/.sys/?getexe=get.exe, 97.74.64.191
20091201:hxxp://kronosagency.com/.sys/?getexe=pp.12.exe, 97.74.64.191
20091201:hxxp://kronosagency.com/.sys/?getexe=v2prx.exe, 97.74.64.191
68.178.173.51, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://megabesucher.eu/.sys/?getexe=fb.75.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=get.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=go.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=pp.12.exe, 68.178.173.51
20091201:hxxp://megabesucher.eu/.sys/?getexe=v2prx.exe, 68.178.173.51
97.74.144.197, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://missionoch.org/.sys/?getexe=fb.75.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=get.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=go.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=pp.12.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=tw.07.exe, 97.74.144.197
20091201:hxxp://missionoch.org/.sys/?getexe=v2prx.exe, 97.74.144.197
72.167.19.15, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://movehits.at/.sys/?getexe=fb.75.exe, 72.167.19.15
20091201:hxxp://movehits.at/.sys/?getexe=get.exe, 72.167.19.15
20091201:hxxp://movehits.at/.sys/?getexe=pp.12.exe, 72.167.19.15
20091201:hxxp://movehits.at/.sys/?getexe=v2prx.exe, 72.167.19.15
97.74.144.104, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://outtouch.org/.sys/?getexe=fb.75.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=get.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=go.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=pp.12.exe, 97.74.144.104
20091201:hxxp://outtouch.org/.sys/?getexe=v2prx.exe, 97.74.144.104
97.74.211.187, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://patriotflag.org/.sys/?getexe=fb.75.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=get.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=go.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=pp.12.exe, 97.74.211.187
20091201:hxxp://patriotflag.org/.sys/?getexe=v2prx.exe, 97.74.211.187
72.167.232.74, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=fb.75.exe, 72.167.232.74
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=get.exe, 72.167.232.74
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=pp.12.exe, 72.167.232.74
20091201:hxxp://peakgrouptravel.com/.sys/?getexe=v2prx.exe, 72.167.232.74
72.167.232.186, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://pipelogicservices.com/.sys/?getexe=fb.75.exe, 72.167.232.186
20091201:hxxp://pipelogicservices.com/.sys/?getexe=go.exe, 72.167.232.186
20091201:hxxp://pipelogicservices.com/.sys/?getexe=pp.12.exe, 72.167.232.186
20091201:hxxp://pipelogicservices.com/.sys/?getexe=v2prx.exe, 72.167.232.186
97.74.144.118, UNITED STATES, ARIZONA, GODADDY.COM INC
20091125:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091126:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091127:hxxp://promed-net.com/css/abs.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=fb.75.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=get.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=pp.12.exe, 97.74.144.118
20091201:hxxp://facilicaresavannah.com/.sys/?getexe=v2prx.exe, 97.74.144.118
20091201:hxxp://promed-net.com/css/absderce2.exe, 97.74.144.118
97.74.144.88, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://robertomoran.com/.sys/?getexe=fb.75.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=get.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=pp.12.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=v2captcha.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=v2googlecheck.exe, 97.74.144.88
20091201:hxxp://robertomoran.com/.sys/?getexe=v2prx.exe, 97.74.144.88
97.74.50.246, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://runningguru.com/.sys/?getexe=fb.75.exe, 97.74.50.246
20091201:hxxp://runningguru.com/.sys/?getexe=get.exe, 97.74.50.246
20091201:hxxp://runningguru.com/.sys/?getexe=pp.12.exe, 97.74.50.246
20091201:hxxp://runningguru.com/.sys/?getexe=v2prx.exe, 97.74.50.246
72.167.232.177, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://ryanscarter.com/.sys/?getexe=fb.75.exe, 72.167.232.177
20091201:hxxp://ryanscarter.com/.sys/?getexe=get.exe, 72.167.232.177
20091201:hxxp://ryanscarter.com/.sys/?getexe=pp.12.exe, 72.167.232.177
20091201:hxxp://ryanscarter.com/.sys/?getexe=v2prx.exe, 72.167.232.177
97.74.144.91, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://speedysalesletter.com/.sys/?getexe=fb.75.exe, 97.74.144.91
20091201:hxxp://speedysalesletter.com/.sys/?getexe=get.exe, 97.74.144.91
20091201:hxxp://speedysalesletter.com/.sys/?getexe=pp.12.exe, 97.74.144.91
20091201:hxxp://speedysalesletter.com/.sys/?getexe=v2prx.exe, 97.74.144.91
72.167.232.171, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://str8upent.com/.sys/?getexe=fb.75.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=get.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=go.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=pp.12.exe, 72.167.232.171
20091201:hxxp://str8upent.com/.sys/?getexe=v2prx.exe, 72.167.232.171
72.167.232.75, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://theraymondgallery.com/.sys/?getexe=fb.75.exe, 72.167.232.75
20091201:hxxp://theraymondgallery.com/.sys/?getexe=get.exe, 72.167.232.75
20091201:hxxp://theraymondgallery.com/.sys/?getexe=pp.12.exe, 72.167.232.75
20091201:hxxp://theraymondgallery.com/.sys/?getexe=v2prx.exe, 72.167.232.75
72.167.232.70, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://travelsigna.com/.sys/?getexe=fb.75.exe, 72.167.232.70
20091201:hxxp://travelsigna.com/.sys/?getexe=get.exe, 72.167.232.70
20091201:hxxp://travelsigna.com/.sys/?getexe=pp.12.exe, 72.167.232.70
20091201:hxxp://travelsigna.com/.sys/?getexe=v2prx.exe, 72.167.232.70
72.167.232.197, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://v-questtx.net/.sys/?getexe=fb.75.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=get.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=go.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=pp.12.exe, 72.167.232.197
20091201:hxxp://v-questtx.net/.sys/?getexe=v2prx.exe, 72.167.232.197
97.74.126.232, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.birdystudio.com/.sys/?getexe=fb.75.exe, 97.74.126.232
20091201:hxxp://www.birdystudio.com/.sys/?getexe=get.exe, 97.74.126.232
20091201:hxxp://www.birdystudio.com/.sys/?getexe=pp.12.exe, 97.74.126.232
20091201:hxxp://www.birdystudio.com/.sys/?getexe=v2prx.exe, 97.74.126.232
72.167.232.94, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=fb.75.exe, 72.167.232.94
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=get.exe, 72.167.232.94
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=pp.12.exe, 72.167.232.94
20091201:hxxp://www.conference-professionals.com/.sys/?getexe=v2prx.exe, 72.167.232.94
72.167.232.198, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=fb.75.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=get.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=go.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=pp.12.exe, 72.167.232.198
20091201:hxxp://www.d-dmusic.com/.sys/?getexe=v2prx.exe, 72.167.232.198
97.74.127.146, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=fb.75.exe, 97.74.127.146
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=get.exe, 97.74.127.146
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=pp.12.exe, 97.74.127.146
20091201:hxxp://www.emeraldsunarts.com/.sys/?getexe=v2prx.exe, 97.74.127.146
72.167.232.210, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=fb.75.exe, 72.167.232.210
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=get.exe, 72.167.232.210
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=pp.12.exe, 72.167.232.210
20091201:hxxp://www.fallsmediaproductions.com/.sys/?getexe=v2prx.exe, 72.167.232.210
72.167.232.118, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.integrastor.com/.sys/?getexe=fb.75.exe, 72.167.232.118
20091201:hxxp://www.integrastor.com/.sys/?getexe=get.exe, 72.167.232.118
20091201:hxxp://www.integrastor.com/.sys/?getexe=pp.12.exe, 72.167.232.118
20091201:hxxp://www.integrastor.com/.sys/?getexe=v2prx.exe, 72.167.232.118
97.74.141.128, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=fb.75.exe, 97.74.141.128
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=go.exe, 97.74.141.128
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=pp.12.exe, 97.74.141.128
20091201:hxxp://www.onlinepcwizard.com/.sys/?getexe=v2prx.exe, 97.74.141.128
72.167.232.86, UNITED STATES, ARIZONA, GODADDY.COM INC
20091201:hxxp://yogaramatgan.com/.sys/?getexe=fb.75.exe, 72.167.232.86
20091201:hxxp://yogaramatgan.com/.sys/?getexe=get.exe, 72.167.232.86
20091201:hxxp://yogaramatgan.com/.sys/?getexe=pp.12.exe, 72.167.232.86
20091201:hxxp://yogaramatgan.com/.sys/?getexe=v2prx.exe, 72.167.232.86
97.74.144.168, UNITED STATES, ARIZONA, GODADDY.COM INC
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091124:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091125:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091126:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091127:htxx://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091127:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091129:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=mdac, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/exe.php?x=pdf, 97.74.144.168
20091201:hxxp://capitalbug.com/counter/yamba.exe, 97.74.144.168
72.167.232.205, UNITED STATES, ARIZONA, GODADDY.COM INC
20091126:hxxp://milantrezur.com/.sys/?getexe=pp.12.exe, 72.167.232.205
20091126:hxxp://milantrezur.com/.sys/?getexe=v2prx.exe, 72.167.232.205
20091129:hxxp://milantrezur.com/.sys/?getexe=pp.12.exe, 72.167.232.205
20091129:hxxp://milantrezur.com/.sys/?getexe=v2prx.exe, 72.167.232.205
It seems that the news on Chrome OS release have left no one
neutral; some observers are beating the drums of its imminent failure and premature death, by relying on rather oversimplified concepts of cloud computing and insinuating about the reasons why careless moms and dads just can't grasp the concept of strong passwords (
"how many times did we tell them to memorize Qp%n#82r$7D, but they keep writing it down on a piece of paper or even worse - keep choosing 12345?").
From the point of view of these observers, the new security model of Chrome OS is not much different from this:
Let's step back for a moment and try to give it a fresh and fair look. Let's also keep in mind that many good projects make their way into our lives by having 3 stages of its public perception: strong criticism (almost always, and that's where many fail), gradual, painful at start, then easier adoption, followed with a final stage that can be characterized as
"Well, what's so special about it?". We don't want to fall the victims of the first stage, no matter how natural for humans it is, right?
Well, Google claims that under Chrome OS hood "all apps are web apps".
Boo! But hold on a second, isn't it already true for Hotmail, Skype, online banking, and lots of other online web services that we are relying on so much every day?
Now come into a computer store (mentally) and look (again, mentally) at the average mom and dad who want to buy a new computer. Is it really a surprise to learn that most they're going to use it for will be "web apps" anyway, such as web, email, IM/chat/forums, Internet phone, documents editing/printing (bills/taxes/records), personal finance services (online banking, trading stocks), online gaming, etc. ?
Sure enough, with a web-only machine they won't be able to scan documents, but given the market exists, there will be dedicated scanners for the home users that will scan the documents and send the images over to their online accounts. They won't be able to listen or watch CD/DVD, but there are specialized devices that do it better anyway. They won't be able to play games with the powerful graphics, but there are plenty of gaming consoles for that purpose too.
Somehow it comes to a point – would you prefer to have a TV, a DVD/BD player, and a sound system as dedicated stand-alone devices, maybe from the different brands, or have all of them combined in one (cheaper) device? Would you prefer to have a printer, a scanner, and a telephone as separate devices, or a combined (cheaper) unit?
If you choose the second option, then you must really adore your phone's camera! If you choose first, even if it's a pricier option, doesn't it sound reasonable to have a dedicated device to handle web-only services?
For start, let's stick to just one such service – Internet Banking. Imagine having a dedicated 100% secure tiny netbook that allows you to bank online. It boots in 10 seconds and it can't run malware by design. Sure enough, hackers will try hacking a device like that to run Windows on it, but that won't be YOUR DEVICE. If your device gets stolen, it's useless – it stores nothing and you can't be impersonated with it. If you spill hot coffee on it and it shuts down instead of running faster, you'll buy another one (not coffee, netbook). Will it give you an extra hour of a good night sleep by knowing that no hacker can compromise your online banking account?
Now try to imagine how many threat families (keyloggers, banking Trojans, rootkits) instantly become irrelevant for you. Even if your other computer gets compromised with them, the only valuable thing the hackers might eventually steal from you will be a serial number of your antivirus product.
If you love your netbook, you might extend its application to online shopping or online trading. Then to anything that's online and is asking you for a password from that little soiled notes book from the middle section of your wallet. Extending its application further becomes a dangerous business as a flaw in one web service may affect your other services (e.g. a phishing email may affects your online banking account if you do both on one machine), just like it's not wise to put all your eggs in one basket.
The
security overview of Chrome OS is an interesting read.
By openly discussing the security challenges and suggested approaches to circumvent them the Chrome guys talk to us this way:
"Look, in our bank there is a vault with so much gold in it. The system is secure, but we're not sure about that air con duct – we think it's a weak point and the intruders may potentially crawl through it".
Given the source code is open, the potential intruders will get access to the internals' scheme immediately. But the moment they start studying it, the highly qualified white-hat professionals will start doing that as well. The idea is that any bugs, flaws or weaknesses will be revealed and fixed instantly, without leaving the intruders any chance to plan an attack.
Compare it with an alternative approach:
"Look, in our bank there is a vault with so much gold in it. The system is secure." After the robbery:
"The system is secure." After another one:
"Ok, we fixed it, the system is secure", and so on.
With the security being the main cornerstone of Chrome, it's a step away from the "traditional" development philosophy that we all are used to:
"make it usable and release it first, think about security later, when the bugs/flaws are discovered". Usability being priority #1 creates a cash flow that allows investing into security and fine-tune usability at a later stage. The problem with this approach is that when under-invested security fails, usability falls with it. Not just declines, but crashes spectacularly.
The only company that can afford to have security in the first place, in the blueprints, even before the developed software becomes available for users, will likely have a "cash cow" in a different product or solution. Otherwise, it will be trapped in a vicious circle when the product is not released because its model is not secure enough, thus there are no sales and therefore, no funding to make it secure enough to be released. Google's "cash cow" is in its ads program, giving it all the required conditions to build a truly secure OS.
Not an OS that replaces all other OS (this will never happen), but at least an OS that can safely and narrowly be used for those critical web-only applications that create so much headache for the customers in terms of stolen identity and money.
Will Google blow this chance or not, time will tell.
A routine laptop clean-up revealed a few month old video of unpacking the Limbo trojan dropper. Before it gets deleted, posting it here just in case some folks might find it useful [
link to video].
PS The sample was received from
Michael Hale Ligh. Thanks, Michael.
