OpenSSL Comic:


Provided by metasploit
Some detailed information about the worm first:
It writes romantic messages like “WHEN THE STARS FILL THE SKY, I WILL MEET YOU MY LOVELY PRINCESS” or “DEAR MY PRINCESS” when you run Notepad, and if you go to Start > Run it changes the Run window’s title to “MR COOLFACE !”. If you open My Documents the window title is “Mr_Coolface”, and the worm turns off the monitor every 5 minutes.

It changes the Windows Explorer toolbar, and when you start Internet Explorer it shows an HTML page that the worm itself generates. It spreads by naming its copies after the file names of antivirus applications. It also disables System Restore. The worm is programmed in Visual C++ 6.

I might be doing a virus example video later, since I got all the info on my friend’s test computer and got images and info only =(. So I’ve got to get the virus right now, that’s all…
Yeah!, I know it’s a little weird (you have to have the Panda software), and I’m not really talking about how to keep yourself safe from malware, but what about downloading an update to make your AV really cool, eh!? It only works for NT/Me/2000/2003/XP/Vista — Click here for Download – When it’s done downloading, go to your desktop for the Panda AV shortcut, then Right Click > Properties > Search Destiny, paste the PAV.sig file there and it will show a message saying “Do you want to re-write this file?” “Ok”, “Yes”, “Accept” (whatever shows up, it’s different sometimes). Maybe the Panda AV will be screwed up, but I tried it and it really, really worked for me, as the file has a little more information; but I don’t really trust these updates 100%, as they say they can screw up the software…

It will look something like this (sorry for the bad quality, but I’m running out of space):

Well, there is always some fake security adware claiming you are infected: it reports fake detections, tells you that you need the full (purchased) version of the product to clean them, and you are not even infected; you just lose money in a dumb way.
This malware, which is installed after running the XPShieldSetup.exe file, creates a shortcut on the Desktop and in the Start menu.

This fake security center simulates a scan of the computer and warns us that our system is infected. In order to remove the supposed malware, we are asked to purchase a certain program.
Periodically, it displays popups on the screen reminding us again that the system is infected:

Even after closing the program, it remains resident in the system:
While you are visiting different websites, it may display several popups informing you that your system is infected or that your computer is not working properly, and recommending that you purchase a certain program to solve these problems.
So I just recommend you to recognize this kind of program and decline downloading or opening them…
Well, as almost everybody knows, our malware folks are the Generics and Lineage.
The Generic malware, as always, is leading at the top of the analytics list, and Lineage is spreading and making a family of it like hell (making other variants and other types of the same trojan). Yeah!, you would like the code of those malware types, wouldn’t you? Well, you are not the only one; many other people are curious about those codes, but if I had those codes I would not even share them! I’m not being jealous of people that have malware that I have, it’s just that I know how you will use the code. Whatever, that’s not the main thing I want to say… Here you have a picture of the top malware list:

Yeah, there is other malware, but it is not leading for now (last week Manclick.B was leading).
So if your AV detects any type of that malware like hell, don’t be asking why that happened to you =D.
One of the problems with automated antivirus signature creation is that once a few AV vendors start detecting something as malicious, even heuristically, other AV vendors soon “automagically” start doing the same without even checking whether the file in question is in fact malicious, even going as far as creating specific signatures for it via automated systems.
An example of such a False Positive (FP) problem with automated AV signature creation is the case of Fenomen Games (aka Gamecentersolution), by Legacy Interactive. Fenomen is a company that creates and distributes games. They do so via a bunch of “Game Downloaders” which basically allow users to choose and download different games on the fly. The problem is that these “Game Downloaders” have very similar characteristics to known “Trojan Downloaders”, such as the runtime packing and their behaviour (connecting to the Internet, downloading something, executing it and then exiting), so they naturally light up heuristic alarms like a Christmas tree.

After manual analysis, the only thing I found truly suspicious about it is the fact that we have over 200.000 different unique “Game Downloaders” from Fenomen Games from all around the Internet. The ones I checked are not malicious in any way, nor do they do anything different from what they advertise (if you have evidence to the contrary, please let me know). Fenomen seems pretty active from a partner/affiliate perspective, and this could be the reason for the multitude of unique MD5s.
So let’s look at detections by different AV engines. Most of the Fenomen Game Downloaders out of the 200.000 we have checked are detected by anywhere from 4 to almost 20 different AV engines:
The problem with these detections is not the “heuristic” detections but the signature detections. Normally (traditionally, that is) a signature detection signifies a “100% known malicious” program. However, in today’s world, where signatures are created automatically based on other criteria, False Positives are amplified and rolled over to other engines freely.
Some statistics of detections per engine, based on the 200.000 Fenomen Games Downloader samples we have (names have been omitted to protect the “innocent”):
Scanner A 137.465 detections
Scanner B 101.061 detections
Scanner C 96.472 detections
Scanner D 68.264 detections
Scanner E 45.602 detections
Scanner F 38.027 detections
Scanner G 31.603 detections
Scanner H 28.152 detections
And so on…
These include both heuristic and signature detections. All of the latter are false positives by very well known AV engines!
The other problem created by these “FPs generated by automated signature systems” is that, once considered malicious, samples of these FPs are included in regular “collection sharing packages” amongst different AV labs and, more importantly, independent research and testing organizations. These types of organizations, which rely on multi-scanners to classify their testbeds, should take good care not to fall into the same mistake. So the next time you see detection rates based on AV signatures published in a magazine or website, you should be asking yourselves “what” is truly being tested.
All in all, automation at the lab is an absolute must for any AV vendor that wants to keep up with the large volume of new incoming malware. However, it is critical that these systems are well supervised, fine-tuned and backed by engineers who oversee the automatically generated signatures, to avoid creating “fenomenal” false positive problems.

So the only thing to do is to keep these tools off your “safe” PC.
Hello, Folks!
Detected by many people and AVs (the Mozilla company also detected it), you may be under malicious use… If you downloaded the Vietnamese language pack add-on for Mozilla Firefox (I barely use Firefox, so I’m not infected), you may be under malicious use /!DON’T BE ALARMED!\; this may be a weak or medium type vulnerability that will show some pop-ups (maybe a lot of popups depending on what sites you visit). I’m scanning now; for more information go to Mozilla’s blog article about this vulnerability. I will update this article later when I find out more. Read the next to know more about the vulnerability:
The files which contain that malicious code are detected as W32/Xorer.T.
This instruction resolves to http://js.k0102.com/01.asp; don’t worry, because this URL is currently offline.
The question is: how can anybody be sure that their computer is malware free?
You can check it in any AV online scanner.
Reproducible: Always
Steps to Reproduce:
1. Go to http://addons.mozilla.org/firefox/addon/5954
2. Save the xpi file
3. Scan that file with Avast, Kaspersky or any antivirus you have; 2/3 will detect it.
UPDATE: A full hex editor scan has been done by unixrange (we’re just partners). Watch the video at http://www.youtube.com/watch?v=jDMHp2HjpBQ
Scans performed by me:




From what I’ve scanned, it says it makes a chrome directory and accesses it to use as the vuln’s temporary folder, but I’m not really sure about it; some of the code makes me confused!
So be aware, I showed you the danger…
When we think about phishing, we think about e-mails that try to get information about online bank, eBay or PayPal accounts. While in most cases this is true, it must be noted that the aim of the guys behind these attacks is the money. So, wherever there is money, there will be attempts to steal our information. Nowadays another common target is online games, especially MMORPGs (Massively Multiplayer Online Role Playing Games) such as World of Warcraft or Lineage.
Last week I found this bid on eBay, selling four level 70 characters starting at US$ 27,000:

Yahoo Sponsor Fake Phishing:

Of course when you click on the link, it will take you to a bogus site:

This is the real one:

Nowadays, launching a phishing attack or creating a fake website for an online service is quite an easy task for anybody. There is no need for advanced technical knowledge or significant financial resources.
Generally we tend to relate phishing only to fake websites of banking entities. However, there are also kits related to other online services such as Gmail, Yahoo, YouTube, Fotolog, Hi5, etc., as I have been seeing.
It is possible to find information, or even instructions on how to use these kits and how to carry out the attacks, in forums, blogs, online videos, etc. Additionally, sometimes you can find not only the instructions but the tools themselves, for free.
Below you can see some examples of the availability of these kits:
The way these kits work is similar whether the attack is launched against a banking entity or any other service. Using a mass mailing tool, a fake message, which passes itself off as coming from the real entity or service, is sent to a wide list of email addresses. This message contains an obfuscated link, disguised as the legitimate URL, which points to a fake website imitating the original one.
If the users are not aware of the fraud and enter their login credentials for that service, that information is sent via email to the cyber-crook or stored in a file at the cyber-crook’s disposal.
Phishing attacks are also evolving, and they are no longer hidden only in domains similar to the legitimate ones. I recently read on the blog of Dancho Danchev about a curious phishing attack against MySpace. In this case, the fake website is located in a profile on the legitimate MySpace domain, in which the cyber-crook has inserted a fake login page for the MySpace service in order to obtain the access credentials of unaware users who try to log in to see the content of the profile.
Read the next 2 Posts….
Very Large Post!!
Actually, the 2nd CARO meeting is taking place at the Crowne Plaza Hoofddorp in the Netherlands. This year’s topic is Packers, Decryptors and Obfuscators, and indeed some of the presentations are superb. The AVers are going to shit off the place… The program is published here. Mike Morgenstern & Andreas Marx, from the most fucking AV-Test.org, are giving a speech about their Runtime Packer Testing Experiences; it seems to be wrong xD.
In a few minutes PANDA will have 3 different talks about detection and blacklisting of packers, which are both uninteresting and non-controversial xD!!.
Going back to the topic of malware, we are now talking about banking Trojans…
Here I will list the rest of the most dangerous of these types of malicious code:
Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
%SystemRoot%\appwiz.dll
%SystemRoot%\ipv6mmo??.dll
I have seen also other names for these files.
Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
HKEY_LOCAL_MACHINE\Software\MRSoft
Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
%SystemRoot%\ieschedule.exe
%SystemRoot%\dsrss.exe
%SystemRoot%\ieserver.exe
%SystemRoot%\websvr.exe
%SystemRoot%\ieredir.exe
%SystemRoot%\smss.exe
%SystemRoot%\ib?.dll
Folders:
%SystemRoot%\drv32dta
%WindowsRoot%\websvr
Registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
And usually modifies the hosts file.
Nuklus, Apophis
It usually downloads the following files:
%SystemRoot%\IEGrabber.dll
%SystemRoot%\CertGrabber.dll
%SystemRoot%\FFGrabber.dll
%SystemRoot%\IECookieKiller.dll
%SystemRoot%\IEFaker.dll
%SystemRoot%\IEMod.dll
%SystemRoot%\IEScrGrabber.dll
%SystemRoot%\IETanGrabber.dll
%SystemRoot%\NetLocker.dll
%SystemRoot%\ProxyMod.dll
%SystemRoot%\PSGrabber.dll
BankDiv, Banker.BWB
Creates the following files:
%SystemRoot%\xvid.dll
%SystemRoot%\xvid.ini
%SystemRoot%\divx.ini
%System%\drivers\ip.sys
Snatch, Gozi
It usually installs a driver with rootkit functionality:
%WindowsRoot%\driver new_drv.sys
Spyforms
Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
“ttool” = %WindowsRoot%\svcs.exe
HKEY_CURRENT_USER\Software\Microsoft\InetData
BankPatch
It modifies the following system files:
wininet.dll
kernel32.dll
And creates the files:
%SystemRoot%\ldshfr.old
%SystemRoot%\mentid.dmp
%SystemRoot%\nwkr.ini
%SystemRoot%\nwwnt.ini
Usually targets banks from the Netherlands.
Silentbanker
Drops files in %SystemRoot% with random names, for example:
%SystemRoot%\appmgmt14.dll
%SystemRoot%\dbgen47.dll
%SystemRoot%\drmsto34.dll
%SystemRoot%\faultre66.dll
%SystemRoot%\kbddiv55.dll
%SystemRoot%\kbddiv79.dll
%SystemRoot%\msisi83.dll
%SystemRoot%\msvcp793.dll
%SystemRoot%\msvcr25.dll
%SystemRoot%\nweven2.dll
%SystemRoot%\pngfil51.dll
%SystemRoot%\pschdpr89.dll
%SystemRoot%\versio40.dll
%SystemRoot%\wifema85.dll
%SystemRoot%\winstr21.dll
%SystemRoot%\wzcsv64.dll
Creates a registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 “midi1”
If you are one of those normal persons or AVers, I recommend you scan your computer with ActiveScan 2.0.
If you are a VXer (virus maker or cracker), you can take a look on Google, typing these types of malware, and get more information for ideas, or you can put your ass in a comfortable position in the chair and read the next:
Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1 MB in size), but the Trojan Downloaders that install them are smaller.
It usually sends out the stolen information via e-mail or FTP to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.
Bancos
Programmed in Visual Basic.
Similar to the Banbra family but in Visual Basic; they are usually big (more than 1 MB).
It usually sends out the stolen information via e-mail or FTP to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.
Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
%SystemRoot%\winldra.exe
%WindowsRoot%\netdx.dat
%WindowsRoot%\dvpd.dll
%Temp%\fe43e701.htm
It also creates the following registry entry:
HKEY_CURRENT_USER\Software\SARS
Some variants also modify the hosts file.
Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
%SystemRoot%\ntos.exe (usually loaded by svchost.exe to avoid being listed as an active process).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files: in one of them the Trojan saves an encrypted list of targeted banks, and in the other it saves the stolen data.
It also modifies the following registry entry in order to run at every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Old value = “%SystemRoot%\userinit.exe”
Modified value = “%SystemRoot%\userinit.exe”, “%SystemRoot%\ntos.exe”
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.
Torpig, Xorpig, Mebroot
It creates the following files:
%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
%WindowsRoot%\Temp\$_2341234.TMP
%WindowsRoot%\Temp\$_2341233.TMP
The “?” is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
“Shell” = “%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe”
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.
Recent variants of Torpig, Xorpig and Mebroot:
The latest trend is that it modifies the computer’s Master Boot Record (MBR) to run rootkit code, which is used to hide the Trojan. Some time later it forces a reboot and creates the following files:
%WindowsRoot%\temp\fa56d7ec.$$$
%WindowsRoot%\temp\bca4e2da.$$$
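A read-only host triage script covering the artifacts listed in this banking Trojan section, as an added example that is not from the original post or from any AV vendor: it checks the registry values and keys, the fixed-name dropped files and folders, and the hosts file entries named above. Assumptions: the post’s %SystemRoot% means the System32 directory (both it and the Windows directory are searched), and the script runs in an elevated PowerShell on the machine being checked.

```powershell
# Added triage script, not from the original post: reports the persistence artifacts
# listed above without changing anything. Assumption: "%SystemRoot%" in the post means
# the System32 directory, so both it and the Windows directory are searched.
$findings = New-Object System.Collections.Generic.List[string]
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
function Test-RegValue([string]$Path, [string]$Name, [string]$Family) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $findings.Add("$Family : $Path [$Name] = $($item.$Name)") }
}
function Test-RegKey([string]$Path, [string]$Family) {
    if (Test-Path -Path $Path) { $findings.Add("$Family : key present $Path") }
}
# Sinowal/Wsnpoem appends ntos.exe to Userinit; a clean value holds one userinit.exe entry.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$parts = @(("$userinit" -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($parts.Count -ne 1 -or $parts[0] -notmatch '\\userinit\.exe$') {
    $findings.Add("Sinowal : Userinit tampered -> '$userinit'")
}
# Goldun/Haxdoor load their DLL through Winlogon\Notify; list every package for review.
if (Test-Path "$winlogon\Notify") {
    Get-ChildItem "$winlogon\Notify" | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
        $findings.Add("Review : Winlogon\Notify\$($_.PSChildName) -> $dll")
    }
}
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Test-RegValue $run 'Shell' 'Torpig'
Test-RegValue $run 'ttool' 'Spyforms'
Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Drivers32' 'midi1' 'Silentbanker'
Test-RegKey 'HKLM:\SOFTWARE\Helper' 'Bankolimb'
Test-RegKey 'HKLM:\SOFTWARE\MRSoft' 'Bankolimb'
Test-RegKey 'HKCU:\Software\SARS' 'Dumador'
Test-RegKey 'HKCU:\Software\Microsoft\InetData' 'Spyforms'
Test-RegKey 'HKLM:\SYSTEM\CurrentControlSet\Control\InitRegKey' 'Briz'
# Dropped files and folders with fixed names from the post (random-name families skipped).
$names = 'appwiz.dll','ieschedule.exe','ieredir.exe','IEGrabber.dll','CertGrabber.dll',
         'FFGrabber.dll','xvid.dll','ldshfr.old','nwkr.ini','winldra.exe','ntos.exe',
         'netdx.dat','dvpd.dll','new_drv.sys','svcs.exe'
foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
    foreach ($n in $names) {
        if (Test-Path -LiteralPath (Join-Path $dir $n)) { $findings.Add("Dropped file : $dir\$n") }
    }
    foreach ($f in 'wsnpoem','drv32dta','websvr') {
        if (Test-Path -LiteralPath (Join-Path $dir $f) -PathType Container) { $findings.Add("Dropped folder : $dir\$f") }
    }
}
# Briz and Dumador rewrite the hosts file; surface every active line that is not plain localhost.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' } |
    ForEach-Object { $findings.Add("hosts : $_") }
if ($findings.Count -eq 0) { 'No listed banking Trojan artifacts found.' } else { $findings }
```

Winlogon\Notify entries are reported for review rather than flagged, because legitimate Windows packages also register there; compare the listed DLL names against a known-clean machine.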