Symantec Blogs: Security Response

Andrea Lelli | October 31st, 2009

Sure we have heard a lot about bots and botnets. One key component of a botnet is the command-and-control (C&C) server, which as we know can come in several flavours (IRC, Web pages, newsgroups, custom servers, etc.). Yet, here comes Trojan.Whitewell, which, being tired of old C&C channels, decides to pick up Facebook as a coordinator for the C&C server. I use the word “coordinator” because the Trojan only receives some configuration data from its Facebook account—the actual command execution and data reporting is done through a third party Web server.

The Trojan was sent through a popular malware distribution channel that is also related to other prevalent threats such as Trojan.Bredolab. The distribution technique is pretty simple: they send documents (PDF, or MS Office formats) containing exploits for known vulnerabilities. These documents usually...

Andrea Lelli | April 16th, 2009

We are pretty familiar with “ransomware” threats. When run, they will try and tamper with some functionality on the compromised computer, asking the user to send money to some account in order to undo the tampering. You may remember the case of the Trojan.Gpcoder family, where the main purpose of the Trojan was to heavily encrypt documents on a computer and then ask the user for money in order to receive the decryption key/tool.

We have found another ransomware threat recently: Trojan.Ransomlock. Though not as tough as Trojan.Gpcoder (it doesn’t encrypt documents), the Trojan locks the user out of the desktop so that they are unable to access the computer in any way.

When run, the Trojan displays the following window...

Andrea Lelli | March 13th, 2009

We have already seen malicious code using SQL as a spreading vector—you may remember the case of Trojan.Eskiuel. Unfortunately, it is not a rare case. Lately I have been seeing malware trying to exploit SQL servers in several ways, which shows that they still pose a good target for attackers. I came across a popular Spybot variant that (among all of its features) has the capability of attacking SQL servers, too, possibly by exploiting weak passwords and gaining administrator access to the server. The interesting thing, again, is that once the SQL server is successfully attacked, it can be used to gain control of the whole machine by escalating root privileges.

As with Trojan.Eskiuel, the aim of Spybot is to find a SQL server that is poorly configured with weak/empty passwords or with incorrect access privileges. The first stage of the attack...

Andrea Lelli | November 13th, 2008

We have already seen a file infector working on smartphones (see WinCE.Duts.A) and a worm that could spread by infecting storage cards (see WinCE.Infomeiti). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running the Windows CE platform on ARM processors—it is known as WinCE.Pmcryptic.A. It spreads by generating a new polymorphic copy of itself each time, and can cause a severe nuisance on a compromised phone (including unwanted phone calls to toll numbers).

After analyzing the sample, we discovered it contained many interesting payloads. So, we executed it on a test...

Andrea Lelli | September 17th, 2008

Modern SQL databases are flexible, efficient, and can run commands at the OS level easily, which makes them a perfect target from a malicious code perspective! Our honeypot servers are full of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher.

Some of you may remember the W32.SQLExp.Worm back in 2003—it was a bad worm that tried to exploit a vulnerability in SQL servers in order to spread. Similar threats exist, such as Hacktool.SQLck and various security assessment tools like SQL Ninja.

This time we have found a new SQL threat:...

Andrea Lelli | April 3rd, 2008

We have been seeing several vulnerabilities in non-executable file formats used in the wild recently. For example, we can mention the Trojan.Mdropper.AA family that exploits a bug in a Microsoft Excel file format, or the case of the MSJET vulnerability (still unpatched) that affects MS Access files. The hunt for new vulnerabilities in popular file formats is still a good research area in the security world, especially when we talk about malicious code writers.

A proof of concept for a new bug that affects Windows Explorer has been reported in the wild on the milw0rm Web site. The bug affects the code that parses Word documents in order to extract and display summary information (for example,...

Andrea Lelli | December 21st, 2007

New fake codec Web sites often appear out of nowhere (we are pretty used to seeing them) and in most cases if you download and run the "codec" you get infected with a variant of Trojan.Zlob. Nothing new, but this time I found something different. I was testing a fake codec Web site when I came upon a new variant. The installation step is the usual:


Figure 1: Standard installation process

However, after that the browser is started with a Google search for the word “sex.” The interesting part is that while browsing, you will now frequently be faced with this popup:

...

Andrea Lelli | December 6th, 2007

Given the choice when browsing, I would download and save an executable file rather than directly run it. Free will has always been a hot topic in philosophy and when it comes to Web browser security the topic suddenly gets hot as well! I was recently browsing a well known adware vendor Web site when I decided to download a game and try it. As usual I came across a normal download page:

Figure 1: The standard Web download interface

After clicking “continue” I was prompted with the usual “File Download” message box from Internet Explorer, but it actually took me a while to realize something was missing:

Figure 2: File...

Andrea Lelli | October 25th, 2007

A couple of weeks ago in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll take a closer look at the other side of things to see how misleading applications infiltrate users' machines in order to convince people to download and purchase them.

We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Of course! Money! Why else would the miscreants make the effort of studying new tricks and developing new malware when they can simply convince users to give up their money spontaneously?

This is how it goes with misleading applications. They can appear in several ways, such as in downloaders or simply via browser advertisements: "Your...

Andrea Lelli | September 25th, 2006

We have seen malicious code steal a lot of information in the past: bank credentials and certificates, email accounts, IM passwords, online gaming accounts; but that was not enough! Now, shared satellite accounts are going to have a turn.

There is a service out there called "cardsharing" that allows you to use the subscription rights of one satellite smartcard on multiple satellite receivers. Using this service, the receivers download the smartcard key information from the Internet or a LAN instead of the original smartcard, which will allow simultaneous viewing of satellite television on several receivers.

A cardsharing user needs to install a couple of computer programs on their local hard drive (WinCSC and ProgDVB), which store a configuration file containing the legitimate account data required to access the satellite service. All of the information is stored in plain text format and the configuration file contains the username and...