Latest Posts | Page 130


A few days ago, an application named 'SMS Replicator Secret' was pulled out of the Android market. Like many other spyware of its kind, it silently forwarded incoming SMS messages to a configurable phone number, the official idea being to spy on your girlfriend. I don't like these types of 'applications' (women solidarity? next time advertise it as spying your boyfriend ;), even if they are meant as jokes, because one day they will end up in the wrong hands and do much more damage than expected. The recent Zitmo malware is a perfect illustration... [Read More]
by Axelle Apvrille  |  Nov 12, 2010  |  Filed in: Security Research
In prevision of the anticipated merge between the two infamous banking malware ZeuS and SpyEye, our Threat Analyst Kyle Yang spent some time dissecting the most current version of SpyEye we could get our hands on (W32/SpyEye.C!tr.spy). While SpyEye shares some similarities with ZeuS (encrypted/compressed configuration file, updateable injection scripts, drop zones, update zones for binary and config update, etc ...), an extra feature quickly caught our attention: SpyEye connects to a "log server" that is different than the server where it fetches... [Read More]
by Guillaume Lovet  |  Nov 10, 2010  |  Filed in: Security Research
In our previous post, we detailed how Zeus bots locate, download and decode their configuration data upon installation. The second step in the early communication protocol consists of bots reporting various info to the C&C server. As a third step, the latter sends back commands to the bot. We will address both the second and the third step in this post. POST data encryption routine After the configuration has been fully deciphered, the Zeus bot feeds the C&C server with data about the infected computer via HTTP POST. This data is encrypted... [Read More]
by Kyle Yang  |  Nov 08, 2010  |  Filed in: Security Research
Tags: zeus
Some interesting DNS queries were captured earlier on while Patrick Yu was analyzing a Hiloti sample downloaded from a Bredolab server. Both Hiloti and Bredolab are bots that download and install other malware pieces on the infected computer they run on (for financial gain, more on this below). Here's the actual DNS query: 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty.5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com This apparently invalid hostname surprisingly resolved to 95.211.131.67, which is also the nameserver... [Read More]
by Patrick Yu  |  Nov 08, 2010  |  Filed in: Security Research
To commemorate the 20th anniversary of the VB conference, the organization set out to honor some of the most influential security researchers of the past decade. The VB2010 Awards included six categories: greatest contribution to the anti-malware industry, greatest contribution to the anti-spam industry, best educator in the anti-malware industry, most innovative idea in the anti-malware/anti-spam industry, lifetime achievement, and, finally, best newcomer. Guillaume Lovet, senior manager, threat response team for FortiGuard Labs and technical... [Read More]
by Rick Popko  |  Nov 05, 2010  |  Filed in: Security Research
An Internet Access Point, shortened IAP, is "a collection of settings that define how a connection to a particular network is made" [1]. For example, it stores the Access Point Name (APN) for GPRS networks, the SSID for Wi-Fi, etc. On Symbian mobile phones, IAPs are stored in a table of the Communication Database. In the SymbOS/Yxes worm (2009 / 2010), we had already seen the worm search through available IAPs on the mobile phone, select all outgoing WCDMA entries, add them to a list and silently use one of those to connect to the Internet [2]. Since... [Read More]
by Axelle Apvrille  |  Nov 04, 2010  |  Filed in: Security Research
On this episode of Network World’s Security Landscape, Derek Manky from FortiGuard Labs and reporter Keith Shaw discuss the biggest network security stories from October: This month’s story topics include: Everything you’ve ever wanted to know about money mules but were afraid to ask. The episode addresses how today’s money mules are laundering money from crimeware operations and what to watch out for to make sure you don’t become their next victim. The show concludes with a recap of the recent takedown of the Bredolab botnet by Dutch... [Read More]
by Rick Popko  |  Nov 02, 2010  |  Filed in: Security Research
In the October edition of Security Minute with Fortinet, researcher Derek Manky talks about the most prevalent threats and threat trends plaguing the internet over the last 30 days, including this month’s Bredolab takedown, the latest ransomware iterations and how today’s money mules are being used. [Read More]
by Rick Popko  |  Oct 29, 2010  |  Filed in: Security Research
We’ve just spent two days looking into the ‘new’ variant of Zbot, a.k.a. ZeuS, the infamous crimeware kit. There are many interesting features, like the VNC plugin, API hooks, ftp password stealer, etc. In this series of posts, we’ll focus on the communication protocol between the bot and its Command & Control Server, in the early stages of infection. Pre-configuration data, hardcoded and encrypted in the bot binary, contains the URL of a configuration file to download, and the key to decrypt it (among other parameters, that... [Read More]
by Kyle Yang  |  Oct 28, 2010  |  Filed in: Security Research
Tags: zeus
On this episode of Network World's Security Landscape, Derek Manky from Fortinet and Keith Shaw discuss the latest security threats seen worldwide. This includes the rise of do-it-yourself crimeware botnet kits, as well as the possibility of another iPhone jailbreak vulnerability on Oct. 10, 2010. [Read More]
by Rick Popko  |  Oct 14, 2010  |  Filed in: Security Research