Symantec Blogs: Security Response

Andrea Lelli | October 31st, 2009

Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server.

The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually...

Andrea Lelli | April 16th, 2009

We are pretty familiar with “ransomware” threats. When run, they will try and tamper with some functionality on the compromised computer, asking the user to send money to some account in order to undo the tampering. You may remember the case of the Trojan.Gpcoder family, where the main purpose of the Trojan was to heavily encrypt documents on a computer and then ask the user for money in order to receive the decryption key/tool.

We have found another ransomware threat recently: Trojan.Ransomlock. Though not as tough as Trojan.Gpcoder (it doesn’t encrypt documents), the Trojan locks users out of their desktop, so that they are unable to access the computer in any way.

When run, the Trojan displays the following window...

Andrea Lelli | March 13th, 2009

We have already seen malicious code using SQL as a spreading vector—you may remember the case of Trojan.Eskiuel. Unfortunately, it is not a rare case. Lately I have been seeing malware trying to exploit SQL servers in several ways, which shows that they still pose a good target for attackers. I came across a popular Spybot variant that (among all of its features) has the capability of attacking SQL servers, too, possibly by exploiting weak passwords and gaining administrator access to the server. The interesting thing, again, is that once the SQL server is successfully attacked, it can be used to gain control of the whole machine by escalating root privileges.

As for Trojan.Eskiuel, the aim of Spybot is to find a SQL server that is poorly configured with weak/empty passwords or with incorrectly configured access privileges. The first stage of the attack...

Andrea Lelli | September 17th, 2008

Modern SQL databases are flexible, efficient, and can run commands at an OS level easily: a perfect target from a malicious code perspective! Our honeypot servers are full of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher.

Some of you may remember the W32.SQLExp.Worm back in 2003—it was a bad worm that tried to exploit a vulnerability in SQL servers in order to spread. Similar threats exist, such as Hacktool.SQLck and various security assessment tools like SQL Ninja.

This time we have found a new SQL threat:...

Andrea Lelli | December 21st, 2007

New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them) and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual:


Figure 1: Standard installation process

However, after that the browser is started with a Google search for the word “sex.” The interesting stuff is that while browsing, you will now be frequently faced with this popup:

...

Andrea Lelli | September 25th, 2006

We have seen malicious code steal a lot of information in the past: bank credentials and certificates, email accounts, IM passwords, online gaming accounts; but that was not enough! Now, satellite shared accounts are going to have a turn.

There is a service out there called "cardsharing" that allows you to use the subscription rights of one satellite smartcard on multiple satellite receivers. Using this service, the receivers download the smartcard key information from the Internet or a LAN instead of the original smartcard, which will allow simultaneous viewing of satellite television on several receivers.

A cardsharing user needs to install a couple of computer programs on their local hard drive (WinCSC and ProgDVB), which store a configuration file containing the legitimate account data required to access the satellite service. All of the information is stored in plain text format and the configuration file contains the username and...