Some months ago my colleague Roel Schouwenberg wrote a blog post about a money mule recruitment campaign on Facebook. We have been monitoring this activity and found new, quite active and successful campaigns with the same recruitment purpose on the same social network, but with a slightly different approach: creating groups to follow.
An example of one such group:
I was surprised to see how many followers this money mule group had:
We’re talking about 224 thousand people! Who knows how many of them accepted the offer to be a money mule? When I checked the list of members of the group I even found some people I had met personally.
It’s always important to remember that the criminals behind online money theft are in a better (safer) position than their mules. They also keep the biggest part of the money. And what about the mules? Instead of money, the mules get to go to jail. If someday you receive an invitation by email, IM or a social network to take part in such a business, don’t let yourself be fooled by the criminals; odds are you’ll get prison time, not free money.
A user discovered potential malware on his computer the other day – the files “autorun.exe” and “autorun.inf” on the C: drive which, the user claims, reappear after being deleted.
After an initial analysis it was found that a number of files are downloaded, including the .NET Framework, which is quietly installed in the background. That was quite a surprise; it’s been a while since I’ve seen malware cheeky enough to install .NET. So I decided to investigate this sample in full. It turned out to be very interesting both in terms of its malicious functionality and the method used to install its components.
The autorun.exe source file is an SFX archive created using WinRK, an archive utility that is not currently very widespread. After it is run, a whole chain of files is executed:
Autorun.exe -> .exe -> !.bat -> start.vbs -> .bat -> Hidden Start inst.bat -> evntstart.exe;
The interesting thing about this sequence is that it uses only standard, legitimate software:
Today was the opening day of the CARO 2010 Workshop, which is hosted by F-Secure in Helsinki.
Mikko Hypponen, the CRO of F-Secure, opened the conference by announcing this year's theme, Big Numbers. With 30,000-50,000 new malicious samples appearing daily, this is a very hot topic in the industry.
One of the highlights of the conference was undoubtedly the keynote address by Dr Alan Solomon.
This can be considered new in Brazil, especially because around 90% of all Brazilian malware is spread through e-mail, using spam techniques and many social engineering tricks. The malicious scheme starts when users receive a direct message from another user:
If executed, the malware creates a file called hash.dll in the folder C:\Windows\HASH and registers a BHO in the browser with a random CLSID. This DLL has a really low rate of detection. Once activated, the Trojan banker monitors all the user’s connections and steals credentials for the Internet banking services of Brazilian banks.
What’s more interesting about this attack is how quickly it spread. In less than one hour the malicious link in the message was visited more than 2,000 times, almost all by Brazilian users:
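A check a defender could run on a suspect machine, added here as an example that is not from the original post: it enumerates the Browser Helper Objects registered for Internet Explorer, resolves each CLSID to its DLL, and flags any entry whose DLL sits under the C:\Windows\HASH folder named above. The registry paths and the flagging rule are this example's assumptions, not details from the write-up.

```powershell
# Added example (not from the original post): list registered BHOs and flag any whose
# in-process server DLL lives under C:\Windows\HASH, the folder named in the write-up.
# Run from an elevated PowerShell prompt on the machine being checked.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
$suspectDir = 'C:\Windows\HASH'   # assumption: the path from the write-up; adjust when hunting elsewhere

function Get-BhoEntries {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $clsid = $sub.PSChildName
            # Resolve the CLSID to its InprocServer32 DLL (32-bit and 64-bit class tables)
            $dll = $null
            foreach ($root in $clsidRoots) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = (Get-ItemProperty $srv).'(default)'
                    break
                }
            }
            # Hash the DLL so the sample can be checked against AV vendors independently
            $hash = if ($dll -and (Test-Path $dll)) { (Get-FileHash $dll -Algorithm SHA256).Hash } else { $null }
            [pscustomobject]@{
                CLSID      = $clsid
                DLL        = $dll
                SHA256     = $hash
                Suspicious = [bool]($dll -and $dll.StartsWith($suspectDir, 'OrdinalIgnoreCase'))
            }
        }
    }
}

Get-BhoEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A CLSID listed under the BHO keys with no resolvable InprocServer32, or one resolving to a DLL outside Program Files or System32, is worth a second look even when it does not match the folder above.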
This malware is detected by Kaspersky as Trojan-Downloader.Win32.Homa.cgc.
The features of malicious programs for mobile devices continue to expand: the first malicious program for mobile phones has been detected that steals logins and passwords for the Russian-language social networking site VKontakte.
Account credentials for various social networking sites are in high demand on the black market. That’s why criminals are trying to steal as many logins and passwords as possible using phishing pages and a variety of malicious programs. An example of this kind of malware is a new Trojan for mobile devices.
The malicious program Trojan-PSW.J2ME.Vkonpass.a is a 17 KB JAR archive called vkmob.jar which masks itself as an application for accessing the popular VKontakte site from a mobile phone.
If the application vkmobile (the name of the Trojan when installed on phones) is launched, the following will be displayed on the screen:
If the user enters his/her login and password and presses "Go!", the Trojan will attempt to send the data via SMTP to the criminal’s e-mail. If the attempt is unsuccessful a "connection error" message is displayed; if the attempt is successful, "Error 401" appears on the screen.
Users need to be careful when using applications that pass themselves off as clients for various social networks, because in some cases those “clients” turn out to be malicious. Legitimate applications (if they exist) are usually available from the social networking sites themselves.
The initial Trojan is downloaded to the victim machine by a malicious Java archive file. It has several malicious features: it spreads through USB devices; it disables Windows Task Manager, the regedit application and notifications from Windows Security Center; and it creates a copy of itself in the system under the name of Live Messenger. The criminals even included an anti-virtualization feature: the worm checks whether the hard drive of the infected system is virtualized, and if it finds itself in a virtual system, the malicious code is not executed.