Modern malware uses every available attack vector to infect a system, and email, which almost everyone has, is one of the most common carriers. In this type of attack, the attacker tries to lure the user into opening a malicious attachment that looks like a document but carries multiple file extensions, such as “financial.doc.exe”. Most of the time the user sees only “financial.doc”, without the “.exe”, and assumes it is a Microsoft Word document. Once the file is double-clicked and executed, the...
by Raul Alvarez  |  Apr 29, 2015  |  Filed in: Security Research
Recently we found a simple malicious downloader that downloads a fake PDF file. Unlike a typical malicious loader, which embeds its PE loader code in the binary, this one has that part stripped out and fetches it online instead. Our FortiGuard Labs Threat Intelligence system detects the network traffic of this downloader, which we detect as W32/Upatre.FT!tr, and that made the analysis of this malware considerably easier. Registering Online Once executed, the loader collects the victim's local system information, generates them...
by He Xu  |  Feb 23, 2015  |  Filed in: Security Research
Recently we have been receiving samples that use “decoys” to imitate what a user would expect to see when opening a legitimate file. In this blog post we analyze one such sample, which Fortinet detects as W32/Kryptik.CWXI!tr. Execution The sample uses an icon that resembles a Microsoft Word document. Figure 1. File icon used by the malware. If Windows Folder Options is set to “Hide extensions for known file types”, we might not notice that the file's extension is “.scr”, which is associated with...
by Nathan Cheung  |  Feb 16, 2015  |  Filed in: Security Research
In early November we saw an influx of Microsoft Word documents containing malicious macros. Just when the computer security industry was on the verge of forgetting these old threats, they came back to life, proving that they will not be eliminated that easily. In June, Ruhai Zhang warned of macro threats that continue to spread, particularly ones that use Microsoft Excel. In this blog post I will go over a family of Microsoft Word macros, detected as WM/Agent!tr, that I have encountered in the past couple...
by Sousan Yazdi  |  Jan 06, 2015  |  Filed in: Security Research
Bublik is downloader malware used mostly to spread P2P Zbot and other major bots. Over the years that our botnet monitoring system has tracked this bot's activity, we have seen this simple downloader receive at least three major updates, aimed mainly at evading detection by security software. Overview of Bublik Bublik is a simple one-time-execution bot; it does not add any autorun registry entries. Once executed, it copies itself to the user's Temporary folder under the name budha.exe. The bot modifies this...
by He Xu  |  May 29, 2014  |  Filed in: Security Research
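A host-side check for the artifact the Bublik post names, as an added example (not Fortinet's code or tooling): it walks every user's Temp folder for budha.exe, hashes any hit and records whether it is a PE image. The Users\<name>\AppData\Local\Temp layout is the standard per-user %TEMP% location on Windows; the two profiles and the fake budha.exe built by build_demo() are constructed for the demo and are not real samples.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime, timezone

DROPPED_NAME = "budha.exe"  # file name reported in the Bublik post


def user_temp_dirs(users_root: str) -> list[str]:
    """Each existing <users_root>/<user>/AppData/Local/Temp, i.e. every per-user %TEMP%."""
    found = []
    if not os.path.isdir(users_root):
        return found
    for user in sorted(os.listdir(users_root)):
        temp = os.path.join(users_root, user, "AppData", "Local", "Temp")
        if os.path.isdir(temp):
            found.append(temp)
    return found


def describe(path: str) -> dict:
    """Hash the file and record the facts an incident ticket needs."""
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(2)           # PE images start with "MZ"
        sha.update(head)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha.update(chunk)
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "sha256": sha.hexdigest(),
        "is_pe": head == b"MZ",
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def hunt(temp_dirs: list[str], name: str = DROPPED_NAME) -> list[dict]:
    """Case-insensitive search for the dropped file name under each Temp folder."""
    hits = []
    for d in temp_dirs:
        for root, _dirs, files in os.walk(d):
            for fn in files:
                if fn.lower() == name:
                    hits.append(describe(os.path.join(root, fn)))
    return hits


def build_demo(base: str) -> str:
    """Constructed Users tree: two profiles, one holding a fake budha.exe (an MZ stub only)."""
    users = os.path.join(base, "Users")
    for user, infected in (("alice", True), ("bob", False)):
        temp = os.path.join(users, user, "AppData", "Local", "Temp")
        os.makedirs(temp, exist_ok=True)
        with open(os.path.join(temp, "scratch.tmp"), "wb") as fh:
            fh.write(b"not interesting")
        if infected:
            with open(os.path.join(temp, "BUDHA.EXE"), "wb") as fh:  # mixed case on purpose
                fh.write(b"MZ" + b"\x00" * 62)
    return users


def run_demo() -> dict:
    """Build the constructed tree in a scratch directory and hunt through it."""
    with tempfile.TemporaryDirectory() as base:
        dirs = user_temp_dirs(build_demo(base))
        return {"temp_dirs": len(dirs), "hits": hunt(dirs)}


if __name__ == "__main__":
    for hit in run_demo()["hits"]:
        print(hit)
```

On a real host the call is `hunt(user_temp_dirs(r"C:\Users"))`; since the bot adds no autorun entry, a file in Temp that has already run may be the only trace left on disk, so the hash and timestamp are worth collecting before anything is cleaned up.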
This article originally appeared in Virus Bulletin. Downloaders are usually small, simple files whose only goal is to download the 'main course' of a malware infection. The downloaded file (the 'downloadee') invariably has more features and functionality than the downloader. In this article we look at a fairly new downloader variant, named W32/Onkod, and the file it downloads. THE DOWNLOADER Initial analysis of Onkod is made a little trickier and more time...
by Raul Alvarez  |  Feb 26, 2014  |  Filed in: Security Research
Advanced Persistent Threats (APTs) usually start with a common tactic: a spear-phishing email. Disguised as coming from a well-known organization, the email draws the user's attention, as in the one I recently received. Figure 1: Spear phishing email The unsuspecting user opens the attached ZIP file and double-clicks the extracted file, which turns out to be malware. This particular malware, which we detect as W32/Bublik.BDYG!tr, is a simple downloader that is relatively small...
by Danny Choi  |  Oct 28, 2013  |  Filed in: Security Research
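Three of the posts above turn on the same trick: an executable dressed up as a document, whether by a double extension (“financial.doc.exe”), by an extension Explorer hides by default (“.scr”), or by hiding inside a ZIP attachment. The following attachment-triage routine is an added example, not code from any of those posts or from Fortinet: it flags the displayed-name mismatch, checks the content for a PE header regardless of the name, and recurses into ZIP members. The extension lists are this example's own assumptions, and the sample files built by build_samples() are constructed stand-ins (an MZ stub, not real malware).

```python
from __future__ import annotations

import io
import os
import zipfile

# Extensions that Explorer hides under "Hide extensions for known file types"
# and that run code when double-clicked. Assumed list, not from the posts.
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "cpl", "bat", "cmd", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "hta", "ps1", "msi", "lnk",
}
# Extensions an attacker wants the victim to believe they are opening.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt", "jpg", "png"}
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"


def displayed_name(filename: str) -> str:
    """What Explorer shows with extensions hidden: the last extension is dropped,
    so 'financial.doc.exe' is displayed as 'financial.doc'."""
    return os.path.splitext(filename)[0]


def analyze_file(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings: list[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # Name checks: a document-looking name that ends in an executable extension.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension: shown as '{displayed_name(filename)}', really .{ext}")
    elif ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext} (hidden by default in Explorer)")

    # Content check: a PE image whose name does not admit it is executable.
    if data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        findings.append(f"PE header (MZ) in a file named .{ext or '<none>'}")

    # Archive check: the ZIP itself looks harmless, so inspect each member the same way.
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    for f in analyze_file(os.path.basename(info.filename), zf.read(info)):
                        findings.append(f"inside archive '{info.filename}': {f}")
        except zipfile.BadZipFile:
            findings.append("ZIP magic but the archive does not parse")
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed inputs: an MZ stub under several names, plus a ZIP wrapping one of them."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", fake_pe)
    return {
        "financial.doc.exe": fake_pe,   # the double-extension case
        "report.scr": fake_pe,          # hidden-by-default extension
        "Q3_report.doc": fake_pe,       # renamed PE, only the content gives it away
        "attachment.zip": buf.getvalue(),
        "notes.txt": b"just text",
    }


def triage(samples: dict[str, bytes]) -> dict[str, list[str]]:
    return {name: analyze_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage(build_samples()).items():
        print(name, "->", findings or ["clean"])
```

The content check matters more than the name checks: a sender who renames the file to plain “.doc” defeats both extension heuristics, but the MZ header is still there.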
Antivirus software installed on a machine can detect malware if it knows the malware's signature or can recognize a unique pattern in it. Malware attached to an email or downloaded from a website can also be flagged as malicious using heuristics. Some heuristic detection methods look at the readable, printable strings within the file, such as the names of APIs (Application Programming Interfaces) that can be used for malicious activity. These APIs are not malicious by themselves, but a combination of...
by Raul Alvarez  |  Oct 16, 2013  |  Filed in: Security Research
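The string heuristic the post describes, as an added example rather than Fortinet's detection logic: pull printable ASCII and UTF-16LE strings out of a file the way the strings tool does, group the API names found by the capability they grant, and score the combination rather than any single name. The API groups, weights and threshold are this example's own assumptions; BENIGN_SAMPLE and SUSPICIOUS_SAMPLE are constructed byte blobs (an MZ stub, junk bytes and a name table), not real files.

```python
from __future__ import annotations

import re
from typing import Iterable

MIN_LEN = 4
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> list[str]:
    """Printable ASCII and UTF-16LE runs of at least MIN_LEN characters,
    like `strings -a` and `strings -el` combined."""
    ascii_strs = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data)]
    return ascii_strs + wide_strs


# API names grouped by the capability they give. Every one of these has
# legitimate uses; the groups and weights are assumptions for this example.
API_GROUPS = {
    "download": {"URLDownloadToFileA", "URLDownloadToFileW", "InternetOpenA",
                 "InternetOpenUrlA", "InternetReadFile", "WinHttpOpen"},
    "execute": {"WinExec", "ShellExecuteA", "ShellExecuteW",
                "CreateProcessA", "CreateProcessW"},
    "inject": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
               "NtUnmapViewOfSection", "SetThreadContext"},
    "persist": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA"},
    "evade": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringA"},
}
GROUP_WEIGHT = {"download": 1, "execute": 1, "inject": 2, "persist": 1, "evade": 1}
COMBO_BONUS = {frozenset({"download", "execute"}): 2}   # the classic downloader pair
THRESHOLD = 3


def score(data: bytes) -> dict:
    """Which API groups appear in the file's strings, the resulting score and the verdict."""
    present = set(extract_strings(data))
    hits = {g: sorted(present & names) for g, names in API_GROUPS.items() if present & names}
    total = sum(GROUP_WEIGHT[g] for g in hits)
    for combo, bonus in COMBO_BONUS.items():
        if combo <= set(hits):
            total += bonus
    return {"groups": hits, "score": total, "suspicious": total >= THRESHOLD}


def _blob(ascii_names: Iterable[str], wide_names: Iterable[str] = ()) -> bytes:
    """Constructed stand-in for a binary: MZ stub, every byte value once, then
    NUL-separated ASCII names and NUL-terminated UTF-16LE names."""
    body = b"MZ\x90\x00" + bytes(range(256))
    body += b"\x00".join(n.encode("ascii") for n in ascii_names) + b"\x00" * 4
    body += b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in wide_names)
    return body


# Constructed samples, not real files.
BENIGN_SAMPLE = _blob(["GetTickCount", "Sleep", "CreateProcessA", "ExitProcess"])
SUSPICIOUS_SAMPLE = _blob(
    ["URLDownloadToFileA", "WinExec", "RegSetValueExA"],
    wide_names=["IsDebuggerPresent"],
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, score(blob))
```

Two things the paragraph hints at and the code makes concrete: names can be stored as wide strings, so an ASCII-only scan misses them, and a single hit (CreateProcessA in the benign blob) stays below the threshold while the download-plus-execute pair is what pushes the other blob over it.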
It's everywhere in the news, and I couldn't resist trying to figure out how it works. I think I roughly found out, but we'll have to wait for Karsten Nohl's presentation at Black Hat to see if I was right :) Getting ciphertexts Mobile phones can receive OTA (Over The Air) commands ('update', 'get status', ...) in the form of SMS messages sent by their service provider. Fortunately, those messages support encryption and integrity checks. More specifically, the secure packet header specifies the algorithm and key set identifier to use...
by Axelle Apvrille  |  Jul 24, 2013  |  Filed in: Security Research
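The header the post refers to is the command packet of an OTA secured SMS (ETSI TS 102 225, profiled for SIMs in 3GPP TS 31.115). The decoder below is an added example, not the author's tooling: it splits the SPI, KIc, KID, TAR and counter fields and reports which algorithm and key set the card is expected to use, then lists what an analyst would note about them. The bit layout follows the specification (ETSI numbers bits from b1 = least significant); the TAR, counter, checksum and payload bytes in DEMO_PACKET are constructed and carry no meaning beyond the demo.

```python
from __future__ import annotations

import struct

# Bit fields of the SPI, KIc and KID bytes (ETSI TS 102 225 / 3GPP TS 31.115).
# "b1b2" is byte & 0x03, "b3b4" is (byte >> 2) & 0x03, "b5..b8" is byte >> 4.
CHECK_TYPE = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER_MODE = {0: "no counter", 1: "counter present, not checked",
                2: "process if counter > last", 3: "process if counter == last + 1"}
POR_MODE = {0: "no PoR", 1: "PoR always", 2: "PoR on error", 3: "reserved"}
KEY_ALG = {0: "implicit", 1: "DES", 2: "AES", 3: "proprietary"}
KIC_DES_MODE = {0: "DES-CBC", 1: "3DES-2key-CBC", 2: "3DES-3key-CBC", 3: "DES-ECB"}
KID_DES_MODE = {0: "DES-CBC", 1: "3DES-2key-CBC", 2: "3DES-3key-CBC", 3: "reserved"}
RC_ALG = {0: "implicit", 1: "CRC16", 2: "CRC32", 3: "proprietary"}
FIXED_HEADER = 2 + 1 + 1 + 3 + 5 + 1   # SPI, KIc, KID, TAR, CNTR, PCNTR = 13 octets


def decode_key_byte(b: int, *, for_rc: bool = False, is_kid: bool = False) -> dict:
    """Algorithm (b1b2), mode (b3b4) and key set number (b5..b8) of a KIc/KID byte."""
    alg, mode, keyset = b & 0x03, (b >> 2) & 0x03, b >> 4
    if for_rc:                       # SPI asked for a redundancy check: KID selects a CRC
        return {"algorithm": RC_ALG[alg], "mode": None, "keyset": keyset}
    name = KEY_ALG[alg]
    if name == "DES":
        mode_name = (KID_DES_MODE if is_kid else KIC_DES_MODE)[mode]
    elif name == "AES":
        mode_name = "AES-CBC" if mode == 0 else "reserved"
    else:
        mode_name = None
    return {"algorithm": name, "mode": mode_name, "keyset": keyset}


def parse_command_packet(pkt: bytes) -> dict:
    """Split an OTA command packet (CPL, CHL, header, secured data) into its fields."""
    cpl, chl = struct.unpack(">HB", pkt[:3])      # CPL counts everything after itself
    if len(pkt) != 2 + cpl or chl < FIXED_HEADER:  # CHL counts SPI..RC/CC/DS
        raise ValueError("CPL/CHL inconsistent with packet length")
    spi1, spi2, kic, kid = pkt[3], pkt[4], pkt[5], pkt[6]
    check_type = CHECK_TYPE[spi1 & 0x03]
    check_len = chl - FIXED_HEADER
    return {
        "cpl": cpl, "chl": chl,
        "check": check_type,
        "ciphered": bool(spi1 & 0x04),
        "counter_mode": COUNTER_MODE[(spi1 >> 3) & 0x03],
        "por": POR_MODE[spi2 & 0x03],
        "por_protected": bool(spi2 & 0x04),
        "por_ciphered": bool(spi2 & 0x08),
        "por_via_sms_submit": bool(spi2 & 0x10),
        "kic": decode_key_byte(kic),
        "kid": decode_key_byte(kid, for_rc=(check_type == "RC"), is_kid=True),
        "tar": pkt[7:10].hex(),
        "counter": int.from_bytes(pkt[10:15], "big"),
        "padding": pkt[15],
        "check_value": pkt[16:16 + check_len].hex(),
        "data": pkt[3 + chl:],
    }


def weak_points(h: dict) -> list[str]:
    """What an analyst notes: single-DES key sets, and a protected PoR, which sends
    back a checksum computed with the KID key even when the command is rejected."""
    notes = []
    for label in ("kic", "kid"):
        k = h[label]
        if k["algorithm"] == "DES" and k["mode"] in ("DES-CBC", "DES-ECB"):
            notes.append(f"{label.upper()} key set {k['keyset']} uses single DES (56-bit key)")
    if h["por"] in ("PoR always", "PoR on error") and h["por_protected"]:
        notes.append("PoR is RC/CC/DS-protected: each response carries a checksum under the KID key")
    return notes


def build_packet(spi: bytes, kic: int, kid: int, tar: bytes, counter: int,
                 check_value: bytes, data: bytes) -> bytes:
    """Assemble a command packet with no padding (PCNTR = 0). Constructed values only."""
    header = spi + bytes([kic, kid]) + tar + counter.to_bytes(5, "big") + b"\x00" + check_value
    return struct.pack(">HB", 1 + len(header) + len(data), len(header)) + header + data


# Constructed demo: CC + ciphering + "counter > last"; PoR on error, protected;
# KIc = 3DES two-key, key set 1; KID = single DES, key set 1; arbitrary TAR and payload.
DEMO_PACKET = build_packet(
    spi=bytes([0x16, 0x06]), kic=0x15, kid=0x11, tar=bytes.fromhex("b00010"),
    counter=42, check_value=bytes(8), data=bytes.fromhex("a0a40000023f00"),
)

if __name__ == "__main__":
    hdr = parse_command_packet(DEMO_PACKET)
    for k, v in hdr.items():
        print(f"{k:>20}: {v}")
    print(weak_points(hdr))
```

The two flags weak_points() raises are the ones that matter for collecting ciphertexts: a single-DES KID means the checksum on each response was made with a 56-bit key, and a protected PoR means the card produces such a checksum for you on every message, accepted or not.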