Panda Software

Greetings from Vienna

Luis Corrons — Wed, 19 Sep 2007 12:10:00 GMT

Virus Bulletin 2007 is taking place this week, at the Hilton Vienna Hotel. This event, which starts today and ends on Friday, offers a wide range of interesting conferences about typical issues in the security area, such as crimeware, spam, phishing and all kind of malware and antimalware techniques. The program can ve viewed here.

PandaLabs Quarterly Report

Sergio Piñeiro — Fri, 31 Aug 2007 08:44:00 GMT

Today we have published our Quarterly Report. The new Panda required a new look, so we have done our best to improve these reports. All the team hopes that you like them. Your comments are welcomed.

Inside the report you can find plenty of information regarding what has happened in the last 3 months, Relevant issues, trends, and very interesting articles.

Have you ever wondered how much does it cost to hire a Denial of Service attack? Find it inside.

Here you can find a link to the complete report. Enjoy it! English Spanish

Has your credit card been stolen?

Luis Corrons — Tue, 21 Aug 2007 06:51:00 GMT

In the last three months we have seen some activity regarding a bot C&C Server named Apophis. Here you can see a few screenshots:

- Login:

- Statistics: - Configuration:

- Settings: - Templates:

- And a few more:

Today we have gained access to a new Apophis C&C Server. Looking at the files stored in the Server, we have found an encrypted file that seemed to have valuable information. We have decrypted it, it is an excel file that has information about 1,435 people. It includes:

- Full name

- Address (Street, City, State, Zip, Country)

- Phone

- E-mail

- CC number

- cvv

- CC exp. date

- Bank info

This is the number of affected users per country:

Users	Country
994	USA
64	Italy
53	Netherlands
48	Israel
47	Belgium
43	Sweden
38	Norway
32	United Kingdom
21	Canada
15	Spain
14	Grecia
14	Switzerland
13	France
12	Germany
7	Austria
5	China
3	Bulgaria
3	Croacia
3	Polland
1	Estonia
1	Iceland
1	Latvia
1	Lithuania
1	Russia
1	Ukraine

It has all the information in all fields but the phone and e-mail addresses, these ones are stored for 994 users. All of them are from 3 countries: USA, UK and Canada. Scary. We are contacting the different banks in order to avoid major problems for the users.

Thanks to Vicente for all the research.

Easy money: affiliate programs

Vicente Martinez — Tue, 14 Aug 2007 11:29:00 GMT

Today we’re going to describe one of the ways the cybercriminals use to earn some easy money. There are many marketing companies that promote web traffic to different Web pages, software installations, etc. They use what they call 'affiliate programs', paying money for every software installed or traffic generated. This web traffic is very assorted: activex, rogue-antispywares, bundles, banners, fakecodecs, iframes, etc.

They usually pay depending on the country you obtain the download. Normally USA and Europe are the best paid countries and other countries as China or Russia are the worst paid.

Here we can see some examples obtained from these pages:

We will pay you for installs coming from 16 countries as exposed here :
$0.40 for USA, Canada
$0.20 for United Kingdom, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaco
$0.05 for Austria, Denmark, Finland, Sweden, Norway, The Netherlands
$0.01 for China, Korea, Japan

Although some of these marketing enterprises can be well-intentioned, other have been specifically created by & for cybercriminals to earn money. Here we can see a gif file that was being used by one of these companies in order to advertise itself in an underground malware forum:

A short time ago, analyzing a Trj/Sinowal variant (a banking Trojan) to discover where it was sending the information to, we found one of these websites. We found out that this site had 4 different kits to install malware through exploits in the same server the page was hosted in:

There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic kit that only used two exploits and had no name. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we see something similar.

The web sites where they promote themselves use to be very eye-catching, here you can see some examples:

JavaScript de-obfuscation with Rhino

Ismael Briones — Mon, 06 Aug 2007 07:00:00 GMT

Last Friday, I received a URL which used several exploits to spread malware. As always, I started to investigate it. As you may know, these sites use javascript to exploit web browser, ActiveX or third party vulnerabilities, and of course JS obfuscation is used most of the time.

I don't like using web browsers to de-obfuscate these codes, basically because these js are dangerous and I want to avoid an infection. I know that some researchers use debugging techniques to de-obfuscate these js codes, but I really think there are safer, faster and more automated methods to do the same job.

I prefer to use Rhino to accomplish these tasks. Rhino is "an open-source implementation of JavaScript written entirely in Java". With this js engine and a Linux system I'm able to de-obfuscate these codes, without using any web browser. I recommend you the CanWest presentation Reverse Engineering Malicious Javascript (Jose Nazario, Ph. D. Arbor).

I'm going to show the process with an example (the same js code I received on Friday).
This is a special case, because it uses a trick to avoid the modification of the code: arguments.callee.toString() (This call returns the code of the funcion where it's called). Any modification of the code will affect the final result and therefore avoid an automated de-obfuscation of the code.

The js code has two functions: bodipyri(ii) and cynolapy(a1,b1). The Function's names are dinamically generated every time the page is loaded. Analyzing the second function, I saw there was a return with an eval call:

function cynolapy(a1,b1)
{
if(!b1){
return eval(bodipyri("ZG9jdW1lbnQud3JpdGUoY[DELETED]2csIiIpKSk7")); }

[DELETED]
}
This function is first called only with an argument:

cynolapy('YSYsMTs5IHAkOGlvIid7ZDZ9IGo5cD4[DELETED]VrY2SVSXZnKzJakIk=');

so the function cynolapy returns the eval result.

I deleted all the html code, changed the eval call with a print, and executed rhino against the file. This was the result:

document.write(cynolapy(a1,arguments.callee.toString().replace(/\s/g,"")));

The js code is recursively calling the same function but with a second argument. This new argument is the known arguments.callee.toString() trick used to avoid code modifications. Since I had modified eval with print, I was modifing the value of the second parameter and therefore changing the final result. That's bad and avoided an automated de-obfuscation of the code. This example has to be manually de-obfuscated.
The arguments.callee.toString().replace(/\s/g,"")) function returns the cynolapy function source code and then strips all white spaces.

Therefore, in order to to get the real js code we have to call this function with this second argument. I got the original js code again (with the eval call), and added the following code at the end of the file:

print cynolapy('YSYsMTs5IHAkNGlhIj97aDZ9[DELETED]24viw==','functiontumawyzu(a1,b1){if(!b1){returneval(cynolapy("ZG9[DELETED]returno;}');

What I'm doing here is calling cynolapy function with the expected second parameter. After parsing this code with Rhino this is the resulting code:

This de-obfuscated code is loading an iframe with a new site. This site is used to exploit several vulnerabilities: ANI/ANR, Java/ByteVerify, ADODB.Stream,...

PandaLabs is developing an automated engine to de-obfuscate js, but sometimes it's not possible and we need to do it manually.

July spyware list

Vicente Martinez — Wed, 01 Aug 2007 11:50:00 GMT

This month, the first positions of the list are very similar to last month’s.

1.- Application/MyWebSearch

2.- Adware/Lop

3.- Adware/Gator

4.- Adware/ActiveSearch

5.- Spyware/Virtumonde

6.- Adware/Savenow

Adware/VideoActiveXObject goes up from the 10th to 7th position.

It is the most active version of the known fakecodecs.

Application/RealSpy goes up from the 17th to the 13th position.

It is a commercial keylogger that logs the keystrokes typed by the user, monitors the websites visited, captures screenshots and records conversations of instant messaging programs such as MSN, ICQ, AOL and Yahoo.

Trj/Lineage.BZE goes up from the 34th to the 24th position.

It is a Trojan that steals passwords from the MORPG Lineage.

Ice(Pack) for the summer

Luis Corrons — Thu, 26 Jul 2007 12:01:00 GMT

It's summer, about 29ºC - 84ºF in Bilbao, a sunny and beautiful day. Good time for an ice-cream. But today we'll change the menu and we'll have an IcePack instead.

IcePack Platinum is the name of a new "Kit for installing malware through exploits". Regarding the exploits it uses, nothing new can be added, it is very similar to Mpack, which takes advantage of the last exploits that have appeared. This way, they have more chances to infect the users that are not patched with the last updates:

- MS06-014 Internet Explorer 6 - MS06-006 Firefox 1.5

- MS06-006 Opera 7

- WVF Overflow

- QuickTime Overflow

- WinZip Overflow

- VML Overflow

Here you have an image of the ftp checker:

IcePack is programmed by other group (IDT Group) different from Mpack creators (Dream Coders Team) . The price of this tool is also lower than the Mpack and can be purchased for $400 .

XRumer

Vicente Martinez — Tue, 24 Jul 2007 06:26:00 GMT

As we commented in Spam in PHP forums and in Spam in PHP forums (II), it has become more and more usual to see websites (forums, blogs, wikis, guestbooks, etc...) that contain advertising comments or links that direct to sites that infect with malware.

We are going to talk about a program that allows this type of comments to be created: the XRumer.

It is sold for $450, and for $50 more you can have the Hrefer, which includes more functions.

This application, with regard to the web section, is more powerful than Zunker, as this is only able to post in phpBB and VBulleting.

Xrumer allows to post in phpBB and PHP-Nuke (with any modification), yaBB, VBulletin, Invision Power Board, IconBoard, UltimateBB, exBB, and phorum.org.

Basically, it follows the process below:

It looks for websites where comments can be inserted.

It registers itself as a user.

It posts the message.

This type of websites usually include human verification codes, in order to make automatic registration more difficult for this kind of robots or they use filters in order to block IP addresses that carry out suspicious operations.

That’s why, this program is able to recognize the texts in the following type of images:

It also allows to connect to a list of proxies in order to use different IP addresses.

Here you have a video where the working of the program is shown.

According to the comments of its creators, it is able to post 1100 links in only 15 minutes.

More about Mpack (II)

Vicente Martinez — Fri, 20 Jul 2007 06:35:00 GMT

Today I have come across a server hosting an Mpack that has 292 different websites with iframes that make reference to it.

Most of the infected users are Italian, as in the case we explained a month ago. You can check the information by following this link: http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/06/19/More-about-Mpack.aspx

But, the most curious thing is that after analyzing the range of the IP addresses, we have seen that the websites are hosted in the same Italian provider as in the other case.

The version of this Mpack is 0.91. However, the latest version we have found is 0.94.

PINCH, THE TROJAN CREATOR

Luis Corrons — Wed, 18 Jul 2007 08:41:00 GMT

Some time ago, we talked to you about malware prices, HTTP botnets, etc. Today I will show you the level Trojan creators have reached and the way in which some of them launch their creation ‘builders’, authentic centers for designing and creating totally customizable Trojans. And this is where Pinch comes in.

It is a tool for creating Trojans which allows: defining the actions for the Trojan to take, packing the executable file to make its detection more difficult, disabling specific ‘annoying’ services such as those of antiviruses…

Among the tools for creating viruses, Trojans, etc. this might be the most commonly used, distributed and sold, given its ease of use due to a very intuitive interface. This allows malicious attackers to have an executable ready to infect, steal, spread, etc. in a few minutes. Consequently, it causes victims serious problems without them even realizing, until it is too late and they have to face the financial consequences.

First, attackers must choose the ‘return’ mode of the data the Trojan obtains. More specifically, whether the data should be sent via SMTP, HTTP or simply be left on a system file to recover it later through a backdoor opened on the victim’s computer by the Trojan.

If SMTP is chosen, the following parameters must be specified:
+ SMTP server and port to use.
+ ‘From’ and ‘To’ fields of email to send.
+ Subject
+ Interval between data sending

If HTTP is chosen, the name of the server with mail3.php must be specified. Mail3.php loads the information onto the server.

If the FILE method is chosen, the name of the file created with the information and its path must be specified.

There are several tabs in the middle of the screen where the parameters below can be specified:

PWD: The type of password to be stolen can be indicated: from mail programs to passwords stored on browsers, including system information. The report can also be encrypted.

RUN: The way the Trojan will run on the target computer, the location it will be copied to (if necessary), its name, etc. are indicated.
If Autorun is selected, there are several options to choose from:

+ Standard: It copies the executable file onto the selected directory and includes it in the registry to carry out the autorun.
+ DLL RUN: It copies the Trojan to the directory, creates a .dll and includes a reference in the Windows Registry for it to run automatically.
+ UNDELETE: It compiles the Trojan and changes it to different formats (exe, dll), it compiles a .dll again with one of the conversions, etc.
+ SERVICE: It copies the Trojan to the directory, and creates a reference in the Windows Registry so it runs automatically. The name of the service can be specified.

It can also be set to act on a specific date and time, delete itself, and run when it detects a network connection or after a reboot. It can also be compiled to change the firewall settings in Windows and allow the Trojan to act.

SPY: The following parameters are specified in this section: lets Trojans act as keyloggers, takes screenshots of the victim’s desktop, captures IE data, looks for certain files on the target system, etc.

NET: Allows the victim’s PC to be turned into a Proxy, specifying ports, etc. It also acts as a downloader; by specifying the address of the executable file, victims download the .exe file and run it. The last option allows connecting to a php script, allowing parameter specification, etc.

BD: Or backdoor. Allows ports to be specified and logs to be opened on victims’ computers.

ETC: Allows the Trojan to be hidden using typical joiner methods.

KILL: It allows the selected services or processes to be killed. It allows most antivirus services to be selected by default.

IE: Allows attackers to add sites to the IE Trusted Sites and the favorites section.

WORM: Allows worm characteristics to be determined for the Trojan so it distributes itself.

IRC-BOT: Allows victims’ computers to be added to an IRC bot network, specifying the server, channel, port and password.

It also allows the Trojan to be encrypted using RC4, packing it using FSG, UPX or MEW.

Once all the Trojan’s characteristics are specified, it must be compiled to obtain the .exe file.

The version I have used for this post is version 2.60 since the builder in this version is very complete. Later versions are available, but they are disabled builders which do not allow all the Trojan’s characteristics to be specified from a single builder. The author has ‘diversified’ them, has created a specific builder for SMTP, and has removed several options which are now included in the final Trojan by default. Bearing in mind builder prices, this process to make their ‘creations’ more profitable is not surprising. Here you have a screenshot of the latest version:

The parser: The pinch is accompanied by a parser program which is capable of reading and decrypting the logs left by the Trojan. The parser lets you search the logs and truth be said, it is easy to use and allows easy visualization of different log data obtained by the Trojan:

A new case of RansomWare !!!

Vicente Martinez — Tue, 17 Jul 2007 06:45:00 GMT

We have detected a new case of RansomWare.

Once the malware infects users and encrypts their files, several “read_me.txt” files are created in the infected system, which warn users that their data files have been encrypted and that they won’t be able to access them unless they pay a ransom of $300.

The email addresses indicated in the message may vary:

kiloglamour@gmail.com

tristanniglam@gmail.com

oxyglamour@gmail.com

glamourepalace@gmail.com

The “personal code” may also vary depending on the random value that is used to encrypt the data.

The encrypted files usually begin with the text “GLAMOUR”:

We have managed to access the data of the infected systems and there are 1,108 infected computers.

Besides, in 111 of those machines the port 6838 is open so that the machines act as socket servers.

The “construction kit” of Trj/Sinowal has been used to create this Trojan.

We have already mentioned this malware family in the eCrime 2007

http://research.pandasoftware.com/blogs/research/archive/2007/03/29/eCrime-2007-Congress.aspx

According to SecureWorks, this “construction kit” is sold for around $1,000.

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&NewsId=3740

This variant has been detected as Trj/Sinowal.FY in the signature file.

Spammers: PDF rules!

Luis Corrons — Wed, 11 Jul 2007 12:18:00 GMT

A few weeks ago a spam attack was launched – as it happens everyday. But that time there was something new. It was a pump and dump stock scam, using a PDF attachment. And what’s more, the PDF looked in a very professional way, so many people could be fooled. You can download the PDF clicking on the image below:

It must have been successful somehow, as the number of these PDF scams are increasing a lot. We must say that most of them are made in a really poor way, just take a look at the following screenshots:

But you can find some which look better:

As you can see most of the times they are just copy-pasting the body of the "old" spam messages into the PDF file. But today, I have found one that has caught my eye. The first thing is the Subject (Off the record), which, on its own, makes anyone’s curiosity arouse. If the message is opened, there is a PDF attached, whose name is the name and surname of the user’s mail account! When it is opened, we discover that we will be given $500 if we reactivate an online casino account, finally it was not so exciting:

Guidded shopping

pmontoya — Tue, 10 Jul 2007 07:58:00 GMT

Last week we have heard about an online shop that sells Iphones. This matter wouldn’t be unusual except for the fact that it is the classic case of phishing. Basically, you access the web thinking you are buying in an Apple’s official shop but, in fact, it’s not. No matter how many Iphones you purchase and pay, you won’t receive any.

I’ve gone a little bit further in order to see how the swindle has been carried out and I’ve been really surprised by the discovery.

They have plenty of resources in order to make you visit their website instead of the official one. We have never seen before a deployment in resources and organization like this.

We’ve already known about the existence of banker Trojans that send all the information they obtain to a server. But in addition, they turn your computer into a bot that is completely controlled by a central server, from which each bot and the stolen information can be managed… Well, I have come across a variation of this framework, which is totally focused on the Iphone swindle.

When a PC is infected by the Trojan, it automatically turns into a bot of the server in question. The first time you connect to the Internet, the Trojan will send several requests to the server, in order to receive some instructions that will be carried out by the Trojan in your computer.

The server sends several data in such a way that when you visit certain websites, you are redirected to other ones without being aware. Up to the moment this can seem normal, but what surprises me most is that as well as being redirected, it is able to display popups and banners, and it can even modify the results offered by the most usual Internet search engines, such as Google, when certain searches are made.

When an infected PC visits www.iphone.com in order to purchase an Iphone, the user will be actually buying it in their website instead of in the official one.

As you can see, they are able to carry out all kind of operations from the control panel, in order to guide us to their Iphone online shop.

Currently, this bot server controls 7519 bots, a number not to be sneezed at.

From the section “COMMANDS ADMIN”, all kind of commands can be sent to the bots, from downloading new executables to restarting the PC.

In “REDIRECTS ADMIN”, the redirection is specified. In order to do so, it is indicated the website the user thinks that they will be visiting and the website that they will be really visiting. As you can see, almost all the redirections belong to Apple websites.

In “SEARCH REDIR”, it is indicated the URLs that will be displayed when the bot makes a search with an Internet search engine, and the words that triggers the redirecting as well.

In “INJECTS ADMIN”, the “injects” are specified, that is, when a bot visits a URL that has been specified, the bot will inject code into the URL, in such a way that, for example, it can modify the links of the website. As you can see, all the injections make reference to Apple’s websites, and they inject code so that when a link of the website is followed, you will be redirected to their “online shop”.

In “POPUPS ADMIN” and “BANNERS ADMIN”, the banners and popups that will be displayed in the bot browser are specified. They always make reference to their online shop of Iphones sale.

We have never seen before a botnet that is specifically dedicated to “guide” its bots when their owners want to buy an Iphone. We can come to the conclusion that it is a very important business for them, above all for the determination with which they have developed it.

It is interesting to see how the most used tools in the world of Trojans and botnets are being used in the world of phishing. This proves that thousands of computer crimes are being committed, and the worst thing of all is that many people all over the world have been victims of these swindles.

This server is currently working and at the moment it is still sending commands to its bots so that the PCs are redirected to their illegal web.

The most interesting thing of all is that not only they can use this management device for one shop, but in a future they can also use it for other shops that offer brand-new and outstanding products, such as the case of the Apple’s Iphones. In fact, the shop is offline right now but I’m sure that they will use their Botnet again with other “Online shops”.

June spyware list

Vicente Martinez — Wed, 04 Jul 2007 12:06:00 GMT

This month, Application/MyWebSearch joins the list in the first position, with only 36 detections less than Adware/Lop, which goes down to the second position.

1.- Application/MyWebSearch

2.- Adware/Lop

3.- Adware/Gator

4.- Dialer.XD

5.- Spyware/Virtumonde

6.- Application/SystemDoctor2006

Application/SystemDoctor2006 goes up from the 11th to the 6th position. It is a fake error-repairing program that is usually installed by Adware/SystemDoctor. There are also many websites or advertisements that simulate an analysis of the machine so that users install the program. Then, they are requested to purchase, for a modest price, a program to remove them.

Adware/Navipromo goes up from the 21st to 19th position. It is an adware that promotes dialers and uses rootkit techniques in order to go unnoticed. It usually comes with other programs such as MailSkinner, WebMediaplayer or InternetGameBox .

Trj/Torpig, which is a banker Trojan, keeps the 37th position as in the previous month. The families belonging to Trj/Torpig and Trj/Sinowal are very similar. We explained the techniques used by Trj/Sinowal in the eCrime Congress. You can take a look at the paper here.

NanoScan for Vista

jmtapiola — Fri, 29 Jun 2007 11:56:00 GMT

Finally, we have published the final version of NanoScan compatible with Windows Vista. Although the new operating system has new security features, users with Vista installed also need a double check of the PC.

You don’t need to go to a special site neither change something at your computer: just come to www.nanoscan.com, run the detection routine and that’s all, the application will recognise if you have Vista and runs exactly in the same way as if you have XP or any other operating system.

Of course, it is also able to detect any active virus, spyware or other threat on your PC.

Cool! Isn’t it? There are not so many on-line antivirus compatible with Vista. So, enjoy it!!!

A profitable use for stolen credit cards

Luis Corrons — Wed, 27 Jun 2007 11:11:00 GMT

We have often talked about the freedom with which certain cyber-crooks circulate around the Internet, but I must admit that even I am surprised sometimes…

The theft of credit card details and trading of this information is the order of the day. How is this information being used? We could make assumptions, carry out research or try to infiltrate some of these groups, but…why bother if they talk about it all so openly on their websites?

This is what appears on one of these websites:

As usual, everything is in perfect Russian. Basically, they are selling laptops, PDAs, cell phones, etc. for 20% of their real value. How is this possible? Well, if you visit their section "Answers to frequently asked questions-F.A.Q.", the first question is: How can you offer such good prices? Pay attention to the answer:

"It’s very simple. We buy these products in Western countries with stolen credit cards. You don’t run any risk when purchasing these products."

It couldn’t be any clearer. They even have a section for partners, where you are given the code you must include on your website and you get 25% of the money that comes from your website.

The first virus scan for personalized homepages

admin — Fri, 22 Jun 2007 08:34:00 GMT

Do you use personalized homepages as NetVibes, iGoogle or PageFlakes? If so, I think I have good news for you: from now on you'll be able to scan your PC for active viruses, spyware, Trojans, etc. right from your homepage. Yes, we've just launched the new NanoScan module for personalized homepages. You can add the module from your homepage's module directory. Once you added it you'll be able to NanoScan your PC as many times as you want without leaving your homepage.

These are some of the pages that are offering the NanoScan module: NetVibes, iGoogle, PageFlakes, ProtoPage, Widgipedia... and more to come.

Here's a screenshot from my desktop computer:

Note: as you can see in the screenshot NanoScan for Netvibes is really tiny (screen-wise). So, how do we call this new "Nano" NanoScan? :)

Hope you like it!

NanoScan now compatible with Firefox

admin — Fri, 22 Jun 2007 08:29:00 GMT

Good news for Firefox users: NanoScan is now compatible with this excellent browser.

To get the best results, we have opted to develop a plugin, and avoid Java, ActiveX controls and so on. This way, we have achieved complete compatibility and smooth operation of NanoScan with Firefox.

By the way, Neil Rubenking, from the online magazine AppScout, has already echoed this and seems happy with the new feature.

Installing the plugin has been made as simple as possible. And, we have prepared a series of screens to guide you through the process.

In any event, it is the same solution, capable of detecting almost 900,000 viruses (as of today, tomorrow it will be more), using our collective intelligence approach.

If you are a Firefox user, we encourage you to try NanoScan. Also, if you have any comments, questions or problems, don't hesitate to contact us.

Dream System

Vicente Martinez — Wed, 20 Jun 2007 15:04:00 GMT

“Dream System” is a bot that allows hackers to use infected machines as socket servers and to run any type of files in them.

It launches two types of DDOS attacks:

HTTP.

UDP flood.

The bot consists of:

A server component, called “Dream Bot builder”, which contains the configuration interface and allows servers to be generated.

And a client component, which allows the bot to be managed from a web interface.

The bot version 1.3 is sold for $750, including free updates for new versions.

This bot is known as “Dream System” or “Dream sockets”. It seems too much coincidence that the name of the program is very similar to “Dream Downloader” of the Mpack, which was programmed by DreamCoders Team. So, it is likely to be another software developed by this team.

It is detected in the signature file as part of the Bck/DreamSocks family.

MPack: how to infect thousands of websites

Luis Corrons — Wed, 20 Jun 2007 12:04:00 GMT

We've been wondering for a few months now how malware mafias can hack so many web sites automatically to be exploited by MPack. Yesterday a few theories came to light, such as hinting that all the hacked servers all belong to the same virtual hosting server or the use of a ‘IFRAME Manager tool’. We're familiar with this tool since about 4 months. It's real name is ‘FTP-Toolz pack’ and it is being sold for $25. Here you can see a capture from a Russian forum where it was advertised for sale:

And the tool itself:

When we found MPack at the end of last year we also found also a similar tool named ‘RooT [iFrame]’ in one of the hacked servers. There is a funny thing about this one; if you buy it through the Russian version of the hacker’s website, it is just $25. In case you go to the English version of this hacker’s site, the price doubles, it’s $50. Finally we found yet another one named FTPCheckIframe, this time only in Russian and for $25.

Even though we are still wondering how they gain access to those servers, it seems that they make use of tools such as the ones mentioned and feed them a list of usernames and passwords, probably stolen by the same Trojans and keyloggers they have previously gathered or purchased. But… how to work with all that mess? I mean, they can have hundreds of thousands of ftp addresses with usernames and passwords, but they don’t know which ones are working, which ones have write access, etc.

Then we run into yet another tool, this time a PHP script that validates ftp accounts. The hacker loads the stolen account lists in a file called acc.txt, and by means of the script (ftp_check.php) he gets dumped the valid ones into a file called valid.txt.

So he can use that information with any of the previous programs: FTP-Toolz pack, RooT [iFrame] or FTPCheckIframe and automatically infect hundreds of thousands of web pages with the MPack IFRAME.

More about Mpack

Vicente Martinez — Tue, 19 Jun 2007 14:16:00 GMT

In the last hours, many things have been said about the MPack massive infection with more than 10.000 affected websites. For more information, visit the Websense site http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782 .

Although the data is astonishing, we are not very much surprised, as we carried out a small study about MPack, and in 2 months (April & May 2007) we discovered 41 different servers, and the statistics were frightening: more than 1 million users infected (1217741), and the iframe code was present in 366717 web pages.

We don’t think that those 366717 websites had been hacked and infected manually one by one.

Although we haven’t already found it, it seems that they are provided with a program that looks for vulnerable web servers, where it accesses the main file that loads the web page and adds an iframe reference to Mpack, so that the users who visit these websites are infected too.

The version 0.90 of Mpack has recently come out. Among the last changes of this version, there are the following:

- The capability to infect only in certain countries.

- The stats.php has been replaced by the admin.php. Now not only a password is required but also a username. As a result, it is much safer.

- Update in the encryption module. This way, the exploits it uses are more difficult to detect.

- And several small changes in the interface, bugs correction, etc.

- Its price has increased from $700 to $1000.

Up to the moment, we have located 4 active servers with this new version.

Botnet controller via web

Vicente Martinez — Wed, 13 Jun 2007 09:00:00 GMT

Today, when I was tracking the server to which a variant of Trj/LdPinch sends information, I have come across, among the files in the server, some .php files that are used to control a botnet via web.

The image below would be the initial screen from which the infected systems can be viewed for geographical area:

And the option “Botnet controller” allows different actions to be carried out in the affected systems:

Critical Bugs Discovered In Yahoo Messenger and Microsoft GDI+

Ismael Briones — Fri, 08 Jun 2007 08:05:00 GMT

Three new vulnerabilites have been make publicly this week. Two for Yahoo Messenger Webcam ActiveX and one for Microsoft GDI+

Yahoo! Messenger Webcam Upload ActiveX Control Buffer Overflow

Security company eEye Digital Security has discovered two vulnerabilities for Yahoo's instant messenger client software that were reported to Yahoo. The bugs are critical because allow remote [code] execution. Yahoo gave them its highest security threat rating.
The vulnerable control is part of the code for Webcam image upload and viewing (ywcupl.dll). Yahoo is working in a patch, nevertheless two publicly available exploits have been submited to Bugtraq and Full-Disclousre mailing lists. We think it willl be actively exploited by malware in a few days.
The PoC's are inoffensive (execution of calc.exe) but it would be very easy to add a more dangerous shellcodes.
Yahoo! Messenger version 8.1.0.249, incorporating ywcupl.dll version 2.0.1.4 is vulnerable. This vulnerability is currently unpatched.

Microsoft GDI+ Integer division by zero flaw handling .ICO files

CSIS Security group has found an "integer division by zero" flaw in GDI+ when parsing .ICO files. The vulnerability doesn't allow remote code execution but it allow to crash Windows Explorer and other components like "Windows Picture and Fax Viewer". The flaw was reported to Microsof and MSRC confirmed the vulnerability. It will be fixed in next Service Pack. The full advisory can be downloaded at the following link: http://www.csis.dk/dk/forside/GdiPlus.pdf

May spyware list

Vicente Martinez — Fri, 01 Jun 2007 11:38:00 GMT

This month there have been changes in the first two positions. Adware/Lop occupies the first position and 47 detections below, the seconds position is occupied by Application/MyWebSearch. Meanwhile, Adware/Gator goes down to the third position of the ranking.

1: Adware/Lop
2: Application/MyWebSearch
3: Adware/Gator
4: Application/Winantivirus2006
5: Spyware/Virtumonde
6: Adware/SaveNow

Adware/SpyLocked goes up from the 23rd to 17th position. This adware promotes the rogue antipysware called SpyLocked and is mainly distributed by the fakecodecs.

Trj/Abwiz.A is in the 34th position, which is a Trojan that registers itself as a BHO and steals passwords from the computer.

Exploit/LoadImage joins the ranking in the 44th position. It is a generic detection of an exploit we had already mentioned that affects ANI files. Moreover, this exploit is one of the most used by kits for installing malware using exploits, such as Mpack.

The Cimuz uninstaller

Vicente Martinez — Wed, 30 May 2007 13:50:00 GMT

Checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to remover.exe file:

After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had been previously installed from that very same server.

I suppose this is the way the author uses to make tests in order to check if the Trojan works properly and then, get easily disinfected using the uninstaller.