Of Spam & Men


Tag - virus


Monday 28 January 2008

Studying Malware Analysis In College

F-Secure is about to start a course called "Malware Analysis and Antivirus Technologies" at the Helsinki University of Technology. I really wish we had had classes like that when I was in college!

And since F-Secure is full of cool people, they publish the slides of the lectures that have already been given!

On the menu:

  • General introduction of the course [slides]
  • Fighting Online Crime [slides]
  • Windows operating system: Antivirus perspective.
  • Legal aspects of reverse engineering. Reverse engineering I
  • Reverse engineering II
  • Reverse engineering tools hands on classes
  • Mobile malware.
  • Using debuggers to analyze malware
  • Emulators and disassemblers. Behavioral analysis of malware.
  • Reverse engineering III
  • Unpacking and decrypting malware
  • Antivirus engine design.

from F-Secure

Saturday 10 March 2007

virus watch: warezov domains

Warezov, SpamThru... viruses used by spammers. They are fairly easy to detect if you can monitor HTTP connections: more and more viruses try to fetch data (spam templates or updates) from dedicated domains. If you monitor requests to those domains, you can detect infected computers on your network.
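The monitoring idea above, as an added example that is not part of the original post: a small Python script that reads proxy log lines, extracts the requested host and reports every client that contacted a watched domain. The log layout, the client addresses and the watchlist domains (the reserved `.invalid` TLD is used as a stand-in for the real Warezov/SpamThru update domains, which the post does not list) are all constructed for this example. The check matches on DNS label boundaries so that a host that merely contains a watched name as a substring is not flagged.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watchlist: placeholders standing in for known malware update
# domains. Real indicators would come from your own incident data.
WATCHLIST = {
    "update-example.invalid",
    "spamtemplates-example.invalid",
}

# Constructed proxy log lines in a simple "timestamp client method url status" layout.
SAMPLE_LOG = """\
2007-03-10T10:01:02 10.0.0.12 GET http://www.example.com/index.html 200
2007-03-10T10:01:05 10.0.0.12 GET http://update-example.invalid/map.src 200
2007-03-10T10:02:11 10.0.0.34 GET http://cdn.spamtemplates-example.invalid/picture.pif 200
2007-03-10T10:03:40 10.0.0.56 GET http://update-example.invalid.example.net/x 404
2007-03-10T10:04:01 10.0.0.12 POST http://update-example.invalid/report 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_matches(host: str, watchlist=WATCHLIST) -> bool:
    """True if host is a watched domain or a subdomain of one.

    Matching on label boundaries avoids false positives such as
    'update-example.invalid.example.net', which only contains the string."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_infected(log_text: str, watchlist=WATCHLIST) -> dict:
    """Map each client IP that contacted a watched domain to the URLs it requested."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than stop the monitor
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, watchlist):
            hits[m["client"]].append(m["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(find_infected(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} request(s) to watched domains")
        for u in urls:
            print("   ", u)
```

On the constructed log this reports 10.0.0.12 (two requests) and 10.0.0.34, and ignores 10.0.0.56, whose destination only looks similar to a watched name. Feeding it a real proxy log only requires adapting `LINE_RE` to that log's format.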


Friday 9 February 2007

Yay! More Virus Wars!

Remember the 2004 war between Mydoom, Netsky and Bagle, where each new variant would uninstall and destroy previously installed variants of the two others? It looks like a new war is starting out there.


Monday 5 February 2007

Online System Security Scanners

Claus Valca posted a long list of online scanners:

  • Primarily virus/trojan related online scanners
  • Single-File Upload Scanners
  • Malware (spyware/adware/etc.) Online Scanners
  • Online "single-file" Multi-Scan Test Websites
  • Software or System Security Vulnerability Scanners
  • Not Quite "Fully-Online" Based Software or System Security Vulnerability Scanners


Wednesday 10 January 2007

IM worm on Yahoo!

Trend Micro has a report of a new worm spreading over Yahoo! (which, unfortunately, has nothing in common with my ICQ mystery). The worm sends links, some of which look like pictures (but are not):

    1. http://{blocked}.info/who.jpg
    2. http://{blocked}.info/friendpic1.jpg
    3. http://{blocked}.com/Gallery/albums/album/index.php
    4. http://{blocked}.com/Gallery/albums/album/index2.php
    5. http://{blocked}.com/Gallery/albums/album/YMworm.exe
    6. http://{blocked}.com/Gallery/albums/album/worm2007.exe


Thursday 21 December 2006

What's going on with Warezov on ICQ?

A few weeks ago our network provider reported that they had caught a few HTTP requests (a few GETs for map.src and picture.pif) to a known Warezov domain coming from one of our IPs. Warezov and its variants are easy to track because, once activated, they try to update themselves by fetching an update from several domains created for that purpose. So a computer on our network was suspected of being infected. I investigated and discovered that the IP involved belonged to a Linux box. No, not even a dual-boot box.

After asking the lady who had used the computer that day, I understood that she certainly hadn't fetched the Warezov update on purpose and that she had only used meebo.com (a web messenger service) and Yahoo mail. She did report a few weird messages from people she didn't know on ICQ, though. A few days later, another user reported the same kind of messages on ICQ, but this time pointing to an unknown Warezov domain! No antivirus vendor currently links Warezov and ICQ. So what's going on with Warezov on ICQ?


Thursday 7 December 2006

Bypassing Virus Scanners Using MIME Encoding Tricks

Hendrik Weimer explains how you can fool some virus scanners by inserting random characters that are not in the Base64 alphabet into the Base64-encoded data:

Base64 encoding for MIME is defined in RFC 2045, which lists such an alphabet and clearly states: All line breaks or other characters not found in the alphabet must be ignored by decoding software. So it shouldn't make any difference if we insert some random characters not in the alphabet into a Base64 encoded version of our good old EICAR string, right? Wrong. Some virus scanners will happily pass viruses once they come in an unusual but still RFC-compliant encoding. This is even more astonishing given such attacks have already been discussed before.
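What the quoted paragraph implies for a scanner, as an added example that is not part of the original post or of Weimer's article: a scanner must decode a Base64 body the way RFC 2045 tells the receiving mail client to, dropping every byte outside the alphabet first, otherwise it looks at different bytes than the client does. The Python below contrasts a strict decoder that gives up on the first foreign byte with an RFC 2045-tolerant one, and runs a constructed signature check against both. The signature string, the plaintext and the noise bytes are all constructed for this example (no EICAR string or real malware pattern is used).

```python
import base64
import binascii
import re

# Bytes outside the RFC 2045 Base64 alphabet; decoders must ignore them.
NON_ALPHABET_RE = re.compile(rb"[^A-Za-z0-9+/=]")

# Constructed stand-in for a scanner signature (not a real malware pattern).
SIGNATURE = b"TEST-SIGNATURE-STRING-NOT-MALICIOUS"


def rfc2045_decode(data: bytes) -> bytes:
    """Decode as RFC 2045 requires: strip every byte outside the alphabet,
    then decode. This yields exactly the bytes the mail client will produce."""
    cleaned = NON_ALPHABET_RE.sub(b"", data)
    return base64.b64decode(cleaned, validate=True)


def strict_decode(data: bytes):
    """Decode only if the body is pure Base64; return None on any foreign byte.
    A scanner built this way skips the body while the client still decodes it."""
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error:
        return None


def insert_noise(encoded: bytes, noise: bytes = b"\x01 \t~", every: int = 5) -> bytes:
    """Deterministically sprinkle non-alphabet bytes into an encoded body to
    build a test vector for the scanner (constructed helper for this example)."""
    out = bytearray()
    for i, b in enumerate(encoded):
        out.append(b)
        if i % every == every - 1:
            out.append(noise[(i // every) % len(noise)])
    return bytes(out)


def scan(body: bytes, decoder) -> bool:
    """Return True if the signature is found in the decoded body."""
    decoded = decoder(body)
    return decoded is not None and SIGNATURE in decoded


def make_test_vector():
    """Constructed plaintext, its clean Base64 form and a noisy RFC 2045 variant."""
    plain = b"header\n" + SIGNATURE + b"\ntrailer"
    clean = base64.b64encode(plain)
    return plain, clean, insert_noise(clean)


if __name__ == "__main__":
    _, clean, noisy = make_test_vector()
    print("clean body, strict scanner: ", scan(clean, strict_decode))    # True
    print("noisy body, strict scanner: ", scan(noisy, strict_decode))    # False: missed
    print("noisy body, RFC 2045 scanner:", scan(noisy, rfc2045_decode))  # True: caught
```

The same normalisation belongs in front of any other content check (archive unpacking, attachment type detection) that runs on MIME bodies: the rule is to canonicalise the input the way the consumer will before matching on it.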


Monday 4 December 2006

Bagle Returns

Several antivirus and security companies are reporting that Bagle is back in business.

Indeed, F-Secure reports that some of the old Bagle update URLs were reactivated on Nov. 30th.
