[SecurityRatty] tag: panda

Malware authors get busy in down economy

Wed, 29 Oct 2008 21:00:00 +0000

What do malware authors do when the stock market is down? Increase their rate of malware distribution in an effort to capitalize on economic fears. And to do so, they're having to revert to some older tactics as the number of financial institutions dwindle, taking with them the number of phishing opportunities. This week, I talked with Ryan Sherstobitoff, chief corporate evangelist for Panda Security, about his findings on how stock and malware market activities mimic each other and other eyebrow-raising malware trends.

Who says innovation in security is dead?

Mon, 23 Jun 2008 20:56:30 +0000

Was reading Amrit Williams blog today on the AV market and followed a bunch of links back to read more. I have to say reading the articles left me with just a bad taste in my mouth for where is the innovation in security, especially the AV market. As Amrit points out, the first article has Eva Chen CEO of Trend proclaiming "the AV industry sucks". She says with 5.5 million new viruses, how can anyone claim they are doing a good job. I don't disagree with her but unlike Amrit, I don't think the Trend response is such an innovative response. In fact I think it is exactly what the folks at Panda Security in Spain have been talking bout doing for some time now.

A couple of other things that Eva says I found disturbing as well. Most of all was her analogy of open source software and proprietary software to capitalism and Communism. I don't buy into the whole open source - socialist/communist thing. I think it once again shows that Eva Chen doesn't get open source at all.

The other interesting article that Amrit pointed out was one announcing the new Symantec endpoint management suite. This represents Symantec integrating endpoint security suite with the Altiris management platform. I think Amrit is right about it takes more than slapping it all in a yellow box and putting a portal interface on it. Often times that amounts to little more than seeing how high you can make that pile.

Who says innovation in security is dead?

Mon, 23 Jun 2008 19:57:04 +0000

Yet Another DIY Proprietary Malware Builder

Wed, 21 May 2008 05:18:09 +0000

Following the most recent proprietary web malware exploitation kits, and DIY malware tools found in the wild, this is among the latest malware builders with a special emphasis on spreading from PCs to USB mass storage devices, and from USB mass storage devices to PCs. On 2008/04/28 when a sample generated binary was checked with multiple antivirus scanners, the detection was 2/32 with Panda Security and F-Secure detecting it, according to the seller of the builder.

For the time being, malware authors continue emphasizing on the product concept, namely they build a malware based on their perception of what a malware should constitute of, then start offering it for sale as well as it's source code. In the long-term however, based on the increasing number of malware and spyware coding on demand, malware authors would undoubtedly embrace the customerization concept and start putting more efforts into figuring out what the customer really want compared to their current "built it, price, advertise it" and they'll come mentality.

Moreover, despite the generated buzz over the Zeus banker malware and its copyright notice, Zeus remains publicly available, and so is its source code, placing it under the open-source malware segment. So emphasizing on how malware authors are trying to protect their work is exactly what's not happening right now. Releasing it in open-source form increases its life cycle, and both, the original authors, and the community build around the malware benefit from the new features introduced within.

And now that the most popular web malware exploitation kits are already localized to Chinese due to their open-source nature, making it harder to maintain a decent situational awareness on the new features introduced courtesy of third-party coders, we may that easily see Zeus localized to Chinese as well. It's a trend, not a fad.

Panda announces antimalware service

Sun, 18 May 2008 20:00:00 +0000

Panda Security Monday announced Panda Managed Office Protection, its security-as-a-service for antimalware defense offered as an alternative to in-house software distribution through dedicated equipment.

iFrame attacks surge, security firm says

Wed, 23 Apr 2008 20:00:00 +0000

A flood of SQL injection attacks on Microsoft Internet Information Servers are leaving Web pages with malicious iFrames in them, and Panda Security is urging network managers to make sure their Web pages haven't been infected.

Quality and Assurance in Malware Attacks

Wed, 02 Apr 2008 07:49:20 +0000

The rise of multiple antivirus scanners and sandboxes as a web service, did not only increase the productivity level of researchers and utilized the wisdom of crowds concept by sharing the infected samples among all the participants courstesy of the crowds submitting them, it also logically contributed to the use of these freely available services by malware authors themselves. In fact, the low detection rate is often pointed out as the quality of the crypting service by the authors themselves while advertising their malware or crypting services. And when a popular piece of malware known as Shark introduced a built-in VirusTotal submission to verify the low detecting rate of the newly generated server, something really had to change - like it did.

At the beginning of 2008, VirusTotal which is among the most widely known and used such multiple antivirus scanner as a web service, decided to remove the "Do not distribute the sample" option, directly undermining the malware authors' logical option not to share their malware with anti virus vendors, but continue using the service. The multiple antivirus scanner as a web service is such a popular model, that there're several other such services available for free, with many other underground alternatives for internal Q&A purposes. But now that each and every possible service that comes with the malware product is starting to get commercialized, it is logical to question how would quality and assurance obsessed malware authors disintermediate the intermediary to actually break-even out of their investment in a malware campaign? Would they continue porting malware services to the Web, or would they take some of their Q&A activities offline?

In the past, there've been numerous underground initiatives to come up with an offline multiple virus scanners, and here are some examples courtesy of PandaSecurity's Xabier Francisco, and as you can see in the attached screenshot, development in this area is continuing, with the following anti virus scanners included within this all-in-one offline malware scanner :

"A-Squared, AntiVir, Avast; AVG Anti-Virus Free Edition, BitDefender, Clam Win, Dr.Web, eTrust; F-Prot, Kaspersky Antivirus 7, McAfee, Nod32; Norman, Norton, Panda, QuickHeal, Sophos, TrendMicro, VBA32"

Talking about reactive security, the concept of doing this has always been there, and will continue to evolve despite that the most popular online multiple anti virus scanning services started sharing all the infected samples between the anti virus vendors themselves. And now that malware authors are also starting to understand what behavior-based malware detection is, and how a host based firewall can prevent their malware from phoning back home, even though the host is already infected, the success rates of their malware campaigns is prone to improve even before they've launched the campaign.

When malware authors start embracing the OODA loop concept -- Observation, Orientation, Decision, Action -- things can get really ugly. Why haven't they done this yet? They Keep it Simple, and it seems to work just fine in terms of the ROI out of their actions. One thing's for sure - malware will start getting benchmarked against each and every antivirus solution and firewall before the campaign gets launched, in a much more efficient and Q&A structured approach than it is for the time being.

Cybersquatting Security Vendors for Fraudulent Purposes

Thu, 20 Mar 2008 17:03:30 +0000

Just like the creative typosquatting coming up with domain names spoofing the structure of PayPal and Ebay's web applications I covered in a previous post, this most recent example of cybersquatting is yet another example of how impersonating known and trusted brands can not only damage their reputation if the campaign's not taken care of fast enough, but can also result in actual adware infection. Who's getting targeted in this campaign? PandaSecurity, McAfee, Adobe Acrobat, and several other third party applications. It seems that IBSOFTWARE CYPRUS is keeping the entire domains portfolio undercover for the time being, with a great deal of these domains returning 403 forbidden messages. However, there are several domains that are actually serving the fake E-shops. This minimalistic approach on behalf of the malicious parties may have proved valuable if the domains were hosted on different IPs, however, they're all hosted on a single IP. The type of "pay us and we'll point you to the download location" scheme applied here is a bit moronic, in fact the template nature of the E-shop does not know what healthy competition means as you can see in the screenshot above. Here are the domains themselves :

PandaSecurity -

pandaantivirus2008.com

panda-antivirus-2008.com

pandasecurity2008.com

pandaantivirus-2008.com

panda-anti-virus.com

panda-2008.com

antivirus-panda-suite.com

panda-ib.com

panda-2008.com

panda-anti-virus.com

panda-antivirus-2007.com

panda-antivirus-2008.net

panda-bdl.com

panda-ib.com

panda-suite.com

pandaantivirus-2007.com

pandaantivirus-2008.com

pandaantivirus-ib.com

pandaantivirus2008.com

pandasecurity2008.com

pandashield.com

pandasuite2007.com

panda-bundle.com

pandabundle.com

pandasecuritysoftware.com

pandasecuritysoftware.net

McAfee -

mcafeepack.com

download-mcafee.com

mcafeebundle.com

mcafee-antivirus-2007.com

mcafee-internetsecurity.com

mcafee-suite.com

mcafee-suite2007.com

mcafeeantivirus2007.com

mcafeesuite-2007.com

mcafeesuite2007.com

Adobe Acrobat -

adobeacrobatreader-8.com

adobe-reader-it.com

acrobatdownload-ib.com

adobeacrobatpack.com

acrobat8download.com

Misc Cybersquatted software -

virusscan2007.com

virusscan2k7.com

virusscan2k8.com

virusscanxp.com

xp-secure.com

netdetectiveservices.info

download-ad-aware.com

antispyware-2007.com

antivirus-2007.com

netspyprotector.com

adwarepro.com

antispyware007.com

anti-virus-free.net

antivirus2k7.com

antivirus2k8.com

avastantivirus-pro.com

avg-antivirus-ib.com

What is Interactive Brands Inc?

"Interactive Brands is a privately held corporation formed by a team of experienced professionals who strive to offer the “ultimate” interactive shopping experience to internet users around the world. In partnership with the best software publishers, Interactive Brands develops unique and high value offers for the benefit of all computer users. In the spirit of giving the best shopping experience possible, Interactive Brands offers their clients access to a customer support center available by toll free number, email and live chat that covers any inquiry including: downloading, installing, using and any other questions regarding our products."

Interactive Brands Inc.

PO Box 178, St-Laurent, Quebec

H4L 4V5, Canada

Phone: : +1 (514) 733-2549

Fax: +1 514 733 2533

The billing center is located at panda-ib.com which loads b-softwares.com and bundlesmembersarea.com. 90% of the domains are hosted on a single IP - 63.243.188.82, however, the entire netblock is a scammy system by itself with several hundred more such cybersquatted domains.

Don't be cheap, if you're to buy any kind of software, do so through the official site, and cut the fraudulent intermediaries like the ones in this case. Read more about Interactive Brands at the Ripoff Report : Interactive Brands, Adaware-ib.com Rip-off; Report: Interactive Brands; Report: Interactive Brands. Lavasoft's and Avira's comments on the case as well.

Rogue RBN Software Pushed Through Blackhat SEO

Wed, 05 Mar 2008 05:19:46 +0000

On numerous occasions in the past, I emphasized on the malicious attacker Keep it Simple Stupid (KISS) approach for anything starting from Rock Phishing, to maintaining a huge live exploits domains portfolio hosted on a single IP. This is yet another example of the KISS strategy uncovering another huge IFRAME campaign, again taking advantage of locally cached pages generated upon searching for a particular word, and the IFRAME itself. In the previous example for instance, we had an second ongoing IFRAME campaign with just 4 pages injected with 89.149.243.201, however, what Keep it Simple Stupid really means in this case is that the next IP in their netblock 89.149.243.202 is currently getting injected at many other sites as well. The difference between the previous campaign and this one, is that the previous one was targeting just two high page rank-ed sites, while in the second one, the malicious parties pushing RBN's rogue XP AntiVirus are relying on a much more diverse set of domains loading the IFRAME. One factor remains the same, both campaigns continue pushing the rogue XP AntiVirus. XP AntiVirus's pitch, note the downloads success rate mentioned and how they forgot to change the template used in the campaign by putting the rogue's name :

"XP antivirus has been downloaded over 4 Million times; with a 20,000 more downloads every week. Millions of people worldwide use Spyware Doctor to protect their identity and PC security. XP antivirus has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Germany and Australia. All current versions of XP antivirus have won Editors' Choice awards from Secure Home PC Magazine in United States. XP antivirus is advanced technology designed specially for people, not experts. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection. XP antivirus's advanced RealOnGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings."

Upon visiting 89.149.243.202/t and 89.149.243.202/a we get forwarded to bestsexworld.info/soft.php?aid=0064&d=3&product=XPA (72.232.224.154) and from there to xpantivirus2008.com (69.50.173.10). There're in fact several other domains currently promoting this as well : xpantiviruspro.com (69.50.183.50); xpdownloadings.com (69.50.183.50); xpantivirus.com (216.255.180.58), as well as the following : hotantivirus.info (74.86.81.80); easyantivirus.info (74.86.81.80); a2zantivirus.com (74.86.81.80). The downloader's detection rate :

Scanner results : 17% Scanner(6/36) found malware!
Time : 2008/03/05 13:57:48 (EET)
File Size : 47104 byte
MD5 : 2102cb53606f535ca8132c3324953596
SHA1 : 0756f530e782c3d2e85a8186e052b722b017f1ea
AntiVir - TR/Crypt.ULPM.Gen
Fortinet - Suspicious
Microsoft - Trojan:Win32/Vxidl.gen!B(Suspicious)
Panda - Suspicious file
Prevx - TROJAN.DOWNLOADER.GEN
Sophos - Mal/HckPk-A

Smells like RBN's used InterCage and ATRIVO netblocks from routers away.

Related RBN coverage:
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

Embedding Malicious IFRAMEs Through Stolen FTP Accounts

Mon, 03 Mar 2008 07:14:01 +0000

Keywords for gaining attention from a marketing perspective for last week - embedded malware, IFRAMEs, stolen FTP accounts, Fortune 500 companies, Russia. Nothing's wrong with that unless of course you're interested in the whole story and the big picture, which wouldn't be excluding the possibility for having a Fortune 500 company's servers acting as C&Cs for a large botnet. Why are Fortune 500 servers excluded as impossible to get hacked at the first place, making it look like that the amount of money spent on security is proportional with the level of security reached? The more you spend does not mean the more secure it gets if you're not allocating the money where they have to be allocated at, in a particular moment of time, given the dynamic threatscape these days.

What's most important to point out about the recent incident of Fortune 500 companies stolen FTP accounts, is that it's "stolen accounting data for sale" as usual, as usual in the sense of the hundreds of other such propositions currently active online. And if we're to use an analogy on its importance as a event, it's like your smell receptors, namely the more you use a particular fragnance, the less you're capable of sensing it since you're getting used to the smell. In this line of thoughts, what's "stolen accounting data for sale as usual" for some, is exclusive event for others. Even worse, it's "slicing the threat on pieces" compared to discussing the "pie" itself. Moreover, the shift from products to services in the underground marketplace is something that's been happening for the past three years, and therefore making it sound like it's been happening as of yesterday, brings the discussion to the lowest possible level - right from the very beginning. Try the following malicious services on demand for instance, demostranting key business concepts such as consolidation, vertical integration, benchmarking -Q&A, and standartization :

Wild Wild Underground

DDoS on Demand VS DDoS Extortion

Malware as a Web Service

Multiple Firewalls Bypassing Verification on Demand

Managed Spamming Appliances - The Future of Spam

Botnet on Demand Service

DIY CAPTCHA Breaking Service

Managed Fast-Flux Provider

Which CAPTCHA Do You Want to Decode Today?

Localizing Cybercrime - Cultural Diversity on Demand

On the other side of the universe :

"The concept of Software-as-a-Service (SaaS) is nothing new, but this is the first time anyone has organized the purchase of FTP login credentials, with additional tools available to help a buyer confirm he's making a smart purchase."

on the other side of the universe on Neosploit's "purpose in life" :

"The information was available for blackmarket trade, along with the NeoSploit version 2 crimeware toolkit, a malicious application specifically designed to abuse and trade stolen FTP account credentials from numerous legitimate companies."

Robert Lemos is however, reasonably pointing out that :

"The tool, which is at least a year old, was described by antivirus firm Panda Software in June 2007."

Key summary points :

- the tool's been around since February, 2007, making it exactly one year old

- it has built-in accounting data validation, pagerank measurement of the sites whose FTP accounting data has been stolen as you can see in the third screenshot attached

- IP Geolocation for the now pagerank-ed sites is also included

- the tool's functions are relatively primitive compared to three other alternative ones that I'm aware of taking advantage of anything by stolen FTP accounts, a logical fad by itself

- the script is officially sold for $25, but as we've seen it in the past with MPack and IcePack, buyers unaware of other outlets for the tool would pay the high-profit margins offered by the seller

- FTP accounting data can be imported, and once verified, a statistical output for the automated process of logging in and embedding the IFRAME is provided

- IFRAMEs are automatically embedded within .php; .html; .asp; .htm extensions

- embedding iframes through stolen FTP accounts is a fad, purchasing and selling shells/web backdoors and huge domain portfolios controlled via Cpanels is a trend, as automatic injection of malicious IFRAMEs through remote file inclusion and remotely exploitable SQL injection vulnerabilities is

Your situational awareness about the emerging threatspace is as always up to the information sources that you use, or still haven't started using. My point is that exposing Pinch in the summer of 2007 despite that the tool's been around since 2004/2005, and exposing this malicious FTP account checker and IFRAMEs embedder in February, 2008, when it hasn't been updated since February, 2007, greatly contributes to the development of a twisted situational awareness. Realizing it or not, with the time, security researchers or intelligence analysts establish a very good sense of intuition about what's happening at a particular moment in time, or what will be happening anytime now. And using stolen FTP accounts for embedding IFRAMEs never picked up as a tactic, compared to using the stolen FTP accounts for hosting blackhat SEO content. Scenario building intelligence, or playing the devil's advocate, it's a mindset only a small crowd possess.