Since yesterday I've been attending the annual Hack-in-the-Box Quad-Track Security Conference in Amsterdam/NL. There's a very nice and open atmosphere here at the conference, besides the beautiful city of Amsterdam.

First, Joe Sullivan (CSO at facebook), held a very interesting keynote about the development of security innovations at facebook. For him innovation is „these hacking culture, we think about each day at facebook“. After explaining some of the newer security innovations (https-only, login notifications, login approvals [if e.g. geo-location of a user is suspicious], recognized devices, recent activity) he talked about the recent fb-scams with malicious scripts. „No one would do that, copying and pasting a script into the browser! - Yes, they do...“, he said.

Also a remarkable talk I attended was about binary planting, given by Mitja Kolsek (CTO at ACROS Security). In "Binary Planting: First Overlooked, Then Downplayed, Now Ignored" Mitja also showed a new method he called "advanced binary planting", which uses a feature from Windows' special folders (like control panel, printers, etc.) and clickjacking to make it possible to own the users' computer.

In the winter garden of the conference hotel there's a technology showcase area. Hackerspaces from all over Europe and the Netherlands are showcasing their projects here. There also is a capture-the-flag competition happening, a lock-picking and (sponsor) companies-showcase.

For more informations please see the conference website.

    There have been several reports about malware hosted on Mozilla and Google code servers. Now we also found malware hosted on My Opera community servers. The screenshot below shows an example of this:

It’s a PHP based IRC botnet. Analyzing the code I found some evidences that it comes from Brazil.

We can see that criminals appreciate and actively use any and all available free web space. Based on the statistics from one of our proactive web crawlers, I took a look at which free web hosts are most popular among criminals for uploading and spreading malware. The following graph shows the top 10 free web hosts used by criminals during the last 8 months:

Fileave is a really well known server for hosting tons of different kinds of malware. I noticed that some secure DNS providers block access to the domains listed above and show an alert message stating that these sites are known sources of phishing and malware. So, what does that tell us? The usual - when you browse the internet always check links before clicking, and if the domain is suspicious, don't. Just don't click. And if you’re owner of a web site, make sure to secure your server properly to prevent the criminals from compromising it easily.

    Some months ago I wrote a blog post called “Rogue AV raising the stakes” which mentioned a new trend in the graphical user interfaces of Fake Anti-viruses. Our predictions were correct, as today my colleague Fabio Assolini found a Web site with an interface very similar to Kaspersky Anti-Virus. See for yourself:

This isn’t the first time we’ve found this kind of fake imitation of our solutions. The interesting part is that during our research we found fake versions of other Anti-Virus solutions on the same malicious host. Can you spot the difference?

These are just some of the examples. Since some Internet users know what the most popular Anti-Virus solutions look like they can be confused and pay for a Rogue AV solution. This is the main goal of the criminals; to confuse as many people they can, and to get as much money as possible.

On this same malicious server we found 256 different malicious rogue domains with different content but with the same intention: to cheat people by making them pay money for nothing.
Please be careful and always check the domain of the page you're visiting. Don't be a victim of criminals!

• Greediest Trojan targeting banks
  Trojan.Win32.Qhost.gn wins this category, by redirecting clients of 39 different banks to phishing sites.
  
• Greediest Trojan targeting payment systems and payment cards
  Just like last month, a single piece of malware comes out top in these two categories. This time, it’s Trojan.Win32.Agent.eii, which targets users of three payment systems and 4 payment cards simultaneously.
  
• Stealthiest malicious program
  Trojan-PSW.Win32.LdPinch.auv is packed with 10 different packers.
  
• Smallest malicious program
  Trojan.BAT.Shutdown.g is a mere 20 bytes, but it’s still able to reboot the infected computer in spite of its minute size.
  
• Largest malicious program
  Trojan-Banker.Win32.Banbra.bby is 27 MB in size.
  
• Most common malicious code which exploits a vulnerability
  In December, exploits for an SWF vulnerability made up 12% of all malicious content.
  
• Most common malicious code on the Internet
  Trojan-Downloader.HTML.IFrame.wf accounted for nearly 8% of all malicious traffic this month.
  
• Most common Trojan family
  1499 previously unknown modifications make Backdoor.Win32.Hupigon the winner of this category in December.
  
• Most common virus/ worm family
  Worm.Win32.AutoRun came up with 312 new modifications this month, putting it at the top of this class.
  

• Greediest Trojan targeting banks
  Trojan-Spy.Win32.Egoldan.az targets the users of 20 banking systems (a relatively low number when compared to previous winners of this category.)
  
• Greediest Trojan targeting payment systems and payment cards
  Trojan.Win32.Obfuscated.gen wins both categories in November by targeting 4 payments systems and 3 payment card systems simultaneously.
  
• Stealthiest malicious program
  Trojan-PSW.Win32.LdPinch.beo is packed with 9 different utilities.
  
• Smallest malicious program
  The 22 bytes of Trojan.BAT.Shutdown.g enable it to automatically launched and then force the victim machine into constantly rebooting.
  
• Largest malicious program
  Trojan-Banker.Win32.Banker.kum is 19MБ in size, which is very small in comparison with previous winners of this category.
  
• Most widespread malicious code which exploits a vulnerability
  Exploit.JS.RealPlr.nn made up more than 8% of all malicious content in December.

• Most common malicious program on the Internet
  Trojan-Downloader.JS.Iframe.yv was responsible for 4% of all malicious content detected on the web during November 2008.
  
• Most common Trojan program
  There were 1723 new modifications of Trojan.Win32.Agent this month.
  
• Most common virus/ worm family
  Again, Worm.Win32.AutoRun wins this category, but with only 337 new modifications – a significant increase on October’s 75 new modifications.
  

1. Greediest Trojan targeting banks
   Now that autumn is into its stride, there’s been a change in this category; October’s winner is Trojan-Spy.Win32.Bzub.cqz, rather than a member of the Banker family. Bzub.cqz targets clients of 34 different banks.
   
2. Greediest Trojan targeting payment systems
   Trojan.Win32.Agent.afhy comes out top, attacking 4 different epayment systems at once.
   
3. Greediest Trojan targeting payment cards
   The Agent family wins again in this category, with Trojan.Win32.Agent.agyz searching out users of 5 card systems.
   
4. Stealthiest malicious program
   The Hupigon family, which makes frequent appearances in this category, takes the lead in October; one modification of Backdoor.Win32.Hupigon.btlis packed with 8 different packers.
   
5. Smallest malicious program
   In spite of being a mere 20 bytes in size, Trojan.BAT.KillAll.an is able to delete all files from disk.
   
6. Largest malicious program
   Trojan.Win32.Haradong makes a return this month – modification .ga weighs in at more than 200MB.
   
7. Most common vulnerability on the Internet
   In October, Exploit.SWF.Downloader.hn accounted for 2.3% of all malicious content detected on the Internet.
   
8. Most common malicious program on the Internet
   Trojan-Downloader.Win32.IstBar.cx was the most common malicious program on the Internet in October, accounting for a “modest” 2.1% of all malicious content detected.
   
9. Most common Trojan family
   Backdoor.Win32.Hupigon puts in yet another appearance in this category, this time with 3891new modifications.
   
10. Most common virus/ worm family
    There are no changes in this category either this month, with Worm.Win32.AutoRun taking the crown again. And its numbers are similar to those of last month – 651 new modifications in October as against September’s 655.

1. Greediest Trojan targeting banks
   This month, the nomination goes to Trojan-Banker.Win32.Banker.xkz, from the same family that won this category last month. This particular sample targets the users of 28 banks at once.
   
2. Greediest Trojan targeting payment systems
   September's winner is Trojan.Win32.Agent.adtp which has its sights set on four e-payment systems simultaneously.
   
3. Greediest Trojan targeting payment cards
   It's been a long time since we've seen a malicious program which wins out in more than one category. Autumn has brought a surprise entrant, with Trojan-Banker.Win32.Banker.xkz making an appearance in this category as well - in addition to going after 28 banks, it also targets five different payment cards.
4. Stealthiest malicious program
   Autumn has brought about a change in this category - instead of the customary Hupigon, September features a modification of Backdoor.Win32.Netbus.160.e, which is packed with nine different packers.
   
5. Smallest malicious program
   September's winner, just like August's, is 31 bytes in size, but has a different payload - it's a new modification of Trojan.BAT.MouseDisable.c. And its name tells you everything you need to know - this Trojan will block the mouse.
   
6. Largest malicious program
   Yet another Trojan-Banker wins the crown in this category: Trojan-Banker.Win32.Banbra.dkj weighs in at 34MB.
   
7. Most common vulnerability on the Internet
   In September, this category was taken by Exploit.Win32.PowerPlay.a - it made up 6% of all vulnerabilities identified on web pages that were used to deliver malicious code to victim machines.
   
8. Most common malicious program on the Internet
   Trojan-Downloader.Win32.Small.aacq, which won this category last month as well, still triumphs here; it's involved in 20% of all cases, which is a pretty high number!
   
9. Most common Trojan family
   Once again, this category is taken by an old familiar: Backdoor.Win32.Hupigon.c, which came over the finish line in September with 3072 new modifications.
   
10. Most common virus/ worm family
    There's also been no change in this category - as we move into autumn, Worm.Win32.AutoRun continues to reign, with 655 new modifications.

1. Greediest Trojan targeting banks
   Trojan-Banker.Win32.Banker.rqk leads this month, even though it only attacks 26 banks, a relatively low number.
   
2. Greediest Trojan targeting payment systems
   In August, a new modification of Backdoor.Win32.Agobot.gen won this category by targeting four payment systems simultaneously.
   
3. Greediest Trojan targeting payment cards
   Trojan-Banker.Win32.Banbra.vf targets four payment card systems.
   
4. Stealthiest malicious program
   Following last month's victory, the Hupigon family makes another appearance with Backdoor.Win32.Hupigon.nqr – a program packed with seven different packers.
   
5. Smallest malicious program
   Trojan.BAR.Tiny.a is a mere 31 bytes in size; it searches the system for applications and runs any it finds.
   
6. Largest malicious program
   Trojan-Banker.Win32.Banker.qwp is only 27 MB in size – not particularly large for this category, but it still manages to take the prize.
   
7. Most widespread malicious code which exploits a web vulnerability
   Trojan-Clicker.HTML.IFrame.uu.
   
8. Most common malicious program on the Internet
   Trojan-Downloader.Win32.Small.aacq, the winner of this category which was introduced last month, is responsible for every 20th infection.
   
9. Most common Trojan program
   Backdoor.Win32.Hupigon makes another appearance in this miscellany with 1044 modifications this month.
   
10. Most common virus/ worm family
    August brought 75 modifications of Worm.Win32.AutoRun, a relatively small number for the winner of this category.
    

1. Greediest Trojan targeting banks
   This month, the winner is a modification of Trojan-Spy.Win32.Bzub.bvq – it's quite modest in its ambitions, targeting a mere 36 banks, a relatively low number for malware in this category.
   
2. Greediest Trojan targeting payment systems
   Trojan-Banker.Win32.Banker.qhq targets three payment systems simulaneously
   
3. Greediest Trojan targeting payment cards
   Trojan-Spy.Win32.Banker.qdo targets three payment card systems – exactly the same number as its close relative in the previous category
   
4. Stealthiest malicious program
   July's nomination in this category was taken by Backdoor.Win32.Hupigon.cqzq – notwithstanding the program being packed seven times, it still got added to our antivirus databases
   
5. Smallest malicious program
   In July, Trojan.BAT.KillWin.vx demonstrated its dislike of Windows by using its 36 bytes to delete winlogon.exe, a system file.
   
6. Largest malicious program
   The 203MB of Trojan-Win32.Haradon.ga, this month's winner, were spread in the guise of a screensaver.
   
7. Most common vulnerability on the Internet
   The category 'Most malicious program', a fixture in previous Miscellanies, is no longer particularly indicative of the malware landscape. So this month we've introduct a new category – 'Most cmmon vulnerability on the Internet', i.e. the one most exploited by malicious users. This month the victory goes to Trojan.Clicker.HTML.Iframe.sy, which makes up more than 12% of all vulnerabilites found on web pages used by malicious users to infect victim machines.
   
8. Most common malicious program on the Internet
   The category 'Most common malicious program in email traffic' has also changed. Readers of this column may remember that the winner of that nomination remained unchanged over several months. In order to give a more representative picture, this cateogory is now called 'Most common malicious program on the Internet. Trojan.Win32.Agent.sav wins out in July, as it was involved in 5.52% of all attempts to infect users.
   
9. Most common Trojan family
   Trojan-Downloader.Win32.Zlob makes an appearance this month, with a relatively low 1217 modifications.
   
10. Most common virus/ worm family
    This category again features Worm.Win32.AutoRun with another 126 new modifications in July.
    

1. Greediest Trojan targeting banks
   As we move into summer, Trojan-Banker.Win32.Banker.ohq takes the crown in this category, by targeting customers of 56 banks.
   
2. Greediest Trojan targeting e-payment systems
   Trojan-Banker.Win32.Banker.olr wins this category in June, targeting three payment systems.
   
3. Greediest malicious program targeting payment cards
   Here, naturally enough, there's another password stealing Trojan: Trojan PSW.Win32.Agent.apl has its sights sent on four payment card systems
   
4. Stealthiest malicious program
   Trojan-PSW.Win32.Delf.jj wins this month, as it's packed with eight different packers.
   
5. Smallest malicious program
   Trojan.BAT.KillFiles.hx is rather larger than last month's winner in this category but is still only 26 bytes in size. It's capable of wiping the contents of C:.
   
6. Largest malicious program
   June's winner, Trojan Banker.Win32.Bancos.mk, at 31MB in size, is by no means the largest program we've seen in this category.
   
7. Most malicious program
   Once again Agobot makes an appearance, with a modification of Backdoor.Win32.Agobot.gen victorious this month. Its payload holds no surprises: it deletes a wide range of security products both from memory and from disk.
   
8. Most common malicious program in email traffic
   This category doesn't seem to change much from month to month: our old friend, Email-Worm.Win32.Netsky.q again takes the prize, having made up 34.15% of infected mail traffic in June.
   
9. Most common Trojan family
   3295 different modifications of Trojan-GameThief.Win32.OnlineGames were detected this month.
   
10. Most common virus/ worm family
    Worm.Win32.Autorun is back after an absence last month, with 152 new modifications: not a huge number for this category.