Symantec Blogs: Security Response

Liam O Murchu | November 16th, 2009

Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while.

Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice,...

Liam O Murchu | December 29th, 2008

While investigating the worm W32.Waledac recently, we got a shock (and a few laughs) from what popped up on our screens (yes, unfortunately this is what passes for kicks in the virus lab during the holiday season):

(to see how we received this – skip to “Arnold Surprise” below)

First, I’ll tell you a little bit about the worm. W32.Waledac is a worm that sends emails containing a link to an apparent Christmas e-card that you have received. However, when the link for the e-card in the email is visited, you receive a copy of the worm instead of a greeting card. The file name used by the worm is ecard.exe and the links are all Christmas related, such as:

hxxp...

Liam O Murchu | October 16th, 2008

When someone is asked to present an analysis of a modern threat, the explanation often becomes complicated very quickly. Here I will present a brief analysis of a Trojan that uses the KISS approach: "keep it simple, stupid."

The reason for this article is that upon hearing what I do for a living, people often ask, "why do people write viruses?" After explaining the various dangers of using a computer online, people often follow up with the following question: "I don't bank online, I don't shop online, etc... so why would someone want to attack my computer?" This article is dedicated to anyone who has ever sat beside me on a plane/train/automobile and asked me these questions. ;-)

The Trojan shown below will help to explain why a computer is still valuable to an attacker, even if that computer contains no sensitive data. The Trojan presented does not steal private data (such as banking credentials, etc.); however,...

Liam O Murchu | October 10th, 2008

On Monday we saw that Trojan.Silentbanker had added rootkit functionality in order to hide its own files. Today we'll look at another change that the new version of the Trojan has introduced, namely, the new configuration file format that the Trojan uses.

Trojan.Silentbanker's configuration files have always been protected, ever since the first version of the Trojan that we encountered. The reason for this protection is to make it difficult to understand what the Trojan is doing, and in particular, to hide which sites the Trojan is targeting. The original version targeted over 400 banking pages. However, the actual list of pages being targeted was only clearly visible after the protection had been removed from the configuration files.

In order to discover the list of sites being targeted by any version of the Trojan the protection needs to be...

Liam O Murchu | October 6th, 2008

Trojan.Silentbanker has been in the wild since late last year; however, the most recent release of this Trojan has had some interesting features added to it. Namely, the most recent version has added rootkit functionality to make the Trojan even stealthier. If you are unfamiliar with Trojan.Silentbanker, have a look at this blog first.

In particular, the Trojan tries to hide its own files from the system in order to avoid someone noticing the files and to hide its configuration from prying eyes. This is a common technique used by other Trojans to stay invisible on a system. Trojan.Silentbanker stores its executable files and configuration files in the "system32" folder using a file name that consists of a series of numbers...

Liam O Murchu | February 26th, 2008

Old school virus methods appear to be in vogue at the moment! Hot on the heels of Trojan.Mebroot, which overwrote the MBR, we have discovered a new worm that is reviving another old school trick in order to hide itself. At first glance it appears to be a regular worm, but there is more going on here than meets the eye.

The worm in question is called W32.Joydotto and it initially appeared to be just another worm that spreads by copying itself and an autorun.inf file to all removable devices. However, upon closer examination it was seen that the worm copies itself to removable devices without using a file name for itself. By doing this the worm cannot be seen using any file-listing tools since there is no filename to find. In addition to this the worm ensures its longevity by marking part of the disk as being corrupted. In this way it will not be overwritten because that part of the disk is thought to be corrupt. In fact the only way to find the worm on the disk is to...

Liam O Murchu | January 14th, 2008

Targeting over 400 banks (including my own :( !) and having the ability to circumvent two-factor authentication are just two of the features that push Trojan.Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.

This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey—the list goes on.

The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker's account details instead. Of course the Trojan ensures that the user does not notice this...

Liam O Murchu | November 14th, 2007

Tips to Avoid Fake Auctions

We have previously discussed Trojan.Bayrob without describing the entire attack from end to end. This article will show how the entire scam works from initial contact right through to the actual sale. Security experts at eBay are already well aware of it and working to protect their customers.

Tip: It should be noted from the outset that potential buyers should read safety tips and follow preventative measures provided by their service provider.

To start with, take a look at this video for a walk-through of our analysis:

In order to attract potential victims the scammers first list cars for sale on various auction sites. These auctions are not scams per se, but they are "legit" auctions that are used solely to attract potential victims—whoever asks a question or bids on these auctions becomes a potential victim. Once these auctions have expired the scammers get to work...

Liam O Murchu | October 31st, 2007

Recent reports have shown that Trojan.Bayrob is scamming people again. The latest victim lost over €5,000 to the scam but luckily was able to track down where the money had been sent. Unfortunately the final destination for the money was a Western Union outlet in Greece, after having been first sent through a money mule in the US.

Once Trojan.Bayrob is executed on a user’s system it can intercept all traffic to eBay. It can then show the infected user any content that it chooses instead of the real pages and it can also alter information that is shown to the user from the real pages. Trojan.Bayrob is used to scam people who are trying to buy cars on eBay.

The attack is a targeted attack and as such it is difficult to establish the exact methods that are used to distribute the Trojan; however, from evidence gathered thus far the attack works in a manner similar to the following:
• The attacker posts an auction on eBay.
• This auction is used to gain...

Liam O Murchu | August 19th, 2007

It’s the universal comeback. No matter what insult is thrown your way, you can always escape just by saying “your momma” *. So I had to laugh when we received a variant of an MSN worm that entices would-be victims with “lol, your mom just sent me this picture?” Even funnier was the fact that the bot operator infected himself with his own worm.

This variant of the worm has been named W32.Scrimge.E. The worm isn’t restricted to just the one question, either, offering up any one of these goodies:
- Did you take this picture?
- Is that you on the left?
- How drunk was I in this picture?
- Is that your mom in this picture?
- lol, your mom just sent me this picture?
It was “your mom,” however, that caught our...

Liam O Murchu | August 1st, 2007

Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse number of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?

The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention were the similarities between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.

When executed, the worm does the following:

  1. Minimizes the real MSN Messenger login window;
  2. Displays a fake Portuguese language MSN login screen;
  3. Records the username and password that is typed;
  4. Displays the real MSN Messenger login window (user must re-type password);
  5. Records the email address of all...

Liam O Murchu | May 31st, 2007

Last week saw the release of the Spanish Instant Messaging Worm W32.Posse. This week we have seen a similar Instant Messaging worm but this time it can use messages in Spanish, German, Dutch, Italian, French and English.

Although the default language that the worm uses is English, before deciding whether to use English messages the worm first checks the locale of the infected computer. It then randomly chooses one of the following messages depending on that locale.

If the infected machine has a locale value of:

ES (Spain), ME (?? – see note below) or VE (Venezuela) the worm uses:
"mis fotos calientes"
"mi fotograffas :p"
"mis fotos calientes"
"mis fotos calientes"
"mis fotos calientes"
"el lol mi hermana quisiera que le envia este album de foto"

DE (Germany) the worm uses:
"meine heißen Fotos...

Liam O Murchu | May 7th, 2007

No, I’m not talking about typing 53704 into your calculator and turning it upside down! I’m referring to the increasing popularity of inserting links to exploits into legitimate HTML pages in an attempt to infect users who visit the affected page, multiplying the effectiveness of the original infection. I’ll outline below the steps used in one such attack that we recently received in our lab.

In this case the malicious links were added by hand after the Web server had been hacked. However, W32.Fujacks and W32.Fubalca use similar techniques to the ones discussed here to automatically infect asp, aspx, htm, html, php and jsp files residing on the infected machine in order to spread themselves further. Infostealer.Lingling was also...

Liam O Murchu | March 8th, 2007

A threat that we see very frequently in the lab is the back door named Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed some light on this back door both to show how easy it has become to create a powerful back door with a rich feature set, and also to show why we see so much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makes the product, which translates to Gray Bird. It is a commercial Chinese remote access tool that sells for about $100 for a 100 user license. It can be configured to run silently on the victim's machine and is normally distributed via email or via drive-by downloads. (If sent via email, the user still needs to execute the file.) It can be packed to make each sample unique and, most recently, NsAnti has been the packer of choice.

Backdoor.Graybird is very popular in underground Chinese hacking forums partly because it is all written in Chinese, so it is easily understood, and also because...

Liam O Murchu | March 7th, 2007

On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay (e.g. second-hand car sales companies).

In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the...