I was reading a blog post from a fellow researcher at Symantec about the Nintendo Wii being vulnerable to the recently published flash vulnerability.
As explained in the post, it's the Opera browser with its Flash functionality that is vulnerable. I found the fact that the Wii crashed very strange and decided that I wanted to reproduce the issue. Why?
Because when you use your up-to-date Wii and surf to Adobe's Flash Player version checker, it says that version 22.214.171.124 is installed.
Now when we take a look at Adobe's security bulletin, we can see that 126.96.36.199 and earlier is vulnerable to this FLV exploit.
Some further looking around says that 188.8.131.52 fixes the FLV security issue.
The Wii's 184.108.40.206 Flash Player version predates the same version number on other platforms, although I don't know by how much. Clearly the Wii's 220.127.116.11 version is not equal to that on the other platforms.
Looking at Adobe's web pages, the Wii is never mentioned. So I think that it was more or less forgotten. If it hadn't been, the new build would probably have been called 18.104.22.168 and not 22.214.171.124 to make sure there was no mix-up.
Even though there may be no malware for the Wii at present, it's still vulnerable to a denial of service when browsing the web.
I can only hope that Adobe releases an update for the Wii as well. Although that may actually be in Opera's and/or Nintendo's hands.
On Monday we were among the first to announce the appearance of Gpcode.ai, the latest variant of the notorious ransomware Trojan.
All major antivirus vendors are now aware of this nasty program, covering it in news items and providing detailed descriptions. This can only be good.
However, reading the information issued by the different vendors is more entertaining than usual. My attention was piqued by the fact that AV companies, in an effort not to disclose potentially dangerous information, ended up doing themselves and others a disservice. The industry lacks a unified standard on what information should be published.
Let's take a look at some examples.
Symantec's description includes information about a certain site that Gpcode uses for data exchange.
Why isn't the complete URL shown? There's a good reason for this. AV companies never give full links to sites which might contain malicious programs or which might include confidential data. This is why links in descriptions are partial, with [REMOVED] being used as a substitute for the deleted part of the link.
Now let's take a look at Trend Micro's description.
Trend analysts decided not to publish the full URL, which is great. But unfortunately they deleted one part of the link, and Symantec deleted another.
So - two different companies wanted to ensure this information was withheld, for the very best of reasons. But working together, they managed to make the information public…
A case, no doubt, of the road to hell being paved with good intentions, caused by the lack of a single, industry wide standard.
If we take a look at other examples, we'll see what sort of data some antivirus companies try to mask, while others, apparently, aren't bothered.
Here's Trend again, with text from Gpcode's "read_me.txt" file, which the Trojan drops to the victim machine. The author's email address and victim's personal code were replaced with %s and %d.
This is exactly what we did when we compiled our description of Gpcode.ai:
Clearly, in this case, Trend Micro and Kaspersky Lab were thinking along the same lines: not to publish this data.
So what did Panda Software decide to do?
Not only did this company decide not to delete the crucial data, but actually highlighted it!
Symantec, having decided to mask data by substituting [MAIL ADDRESS] and [PERSONAL CODE] then decides to publish this information further down: 4 email addresses given for victims to contact…
In other words, it's a real mess. And the crowning moment is also shown in the screenshot above, where Symantec analysts decided, for some reason, that the link to the Wikipedia article on RSA should be snipped!
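The redaction problem described above (two vendors each hiding a different part of the same URL, and contact addresses or personal codes masked by one vendor and printed by another) is easy to guard against mechanically. The following is an added example, not code from the original post or from any of the vendors it names: a single redaction policy applied to URLs and to ransom-note text, plus a pre-publication check that asks what a reader could reconstruct from every already-published redaction of the same artifact taken together. The policy (keep scheme, TLD and file extension; mask emails as %s and long numeric codes as %d) and all sample URLs, addresses and codes are assumptions constructed for the example.

```python
"""Consistent redaction of malware-report artifacts plus a leak check.

Added example (not from the original post or any vendor). Policy and every
sample value below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

REMOVED = "[REMOVED]"

# Masking conventions for dropped-file text, as the post describes them:
# e-mail addresses become %s, long numeric "personal codes" become %d.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CODE_RE = re.compile(r"\b\d{6,}\b")   # 6+ digits; leaves prices and dates alone


def redact_url(url: str) -> str:
    """One policy for every URL: keep scheme, top-level domain and the path's
    file extension; everything that could locate the resource is [REMOVED].
    Query strings are dropped entirely."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".") if parts.hostname else []
    tld = labels[-1] if len(labels) > 1 else ""
    host = f"{REMOVED}.{tld}" if tld else REMOVED
    ext_match = re.search(r"\.[A-Za-z0-9]+$", parts.path)
    ext = ext_match.group(0) if ext_match else ""
    path = f"/{REMOVED}{ext}" if parts.path else ""
    return f"{parts.scheme}://{host}{path}"


def redact_note(text: str) -> str:
    """Mask contact addresses and personal codes in dropped-file text."""
    return CODE_RE.sub("%d", EMAIL_RE.sub("%s", text))


def revealed_positions(original: str, redacted: str):
    """Character positions of `original` that a reader of `redacted` can see.
    Returns None when `redacted` cannot be a redaction of `original`.
    The first regex match is used; ambiguous redactions are not enumerated."""
    literal = redacted.split(REMOVED)
    pattern = "^" + "(.*?)".join(map(re.escape, literal)) + "$"
    m = re.match(pattern, original, re.DOTALL)
    if not m:
        return None
    hidden = set()
    for g in range(1, len(literal)):
        hidden.update(range(m.start(g), m.end(g)))
    return set(range(len(original))) - hidden


def revealed_union(original: str, published) -> set:
    """Union of what every published redaction reveals about `original`."""
    seen = set()
    for r in published:
        pos = revealed_positions(original, r)
        if pos is None:
            raise ValueError(f"{r!r} is not a redaction of the original")
        seen |= pos
    return seen


def combined_exposure(original: str, published) -> str:
    """What an observer can reconstruct from all publications together;
    '?' marks characters that no publication revealed."""
    seen = revealed_union(original, published)
    return "".join(c if i in seen else "?" for i, c in enumerate(original))


def fully_exposed(original: str, published) -> bool:
    """True if the publications together give away the whole artifact."""
    return len(revealed_union(original, published)) == len(original)


if __name__ == "__main__":
    # Constructed sample: the C2 URL the Trojan would exchange data with.
    url = "http://evil.example.com/dl/gp.php"
    vendor_a = "http://[REMOVED]/dl/gp.php"       # hid the host only
    vendor_b = "http://evil.example.com/[REMOVED]"  # hid the path only
    print(combined_exposure(url, [vendor_a, vendor_b]), fully_exposed(url, [vendor_a, vendor_b]))
    # Both vendors applying the same policy leak nothing new to each other.
    same = [redact_url(url), redact_url(url)]
    print(combined_exposure(url, same), fully_exposed(url, same))
    print(redact_note("contact us at: decrypt@example.net, personal code -123456789, price $300"))
```

Run the check before publishing a description: feed it the artifact and every redacted form already public (including your own draft); if `fully_exposed` is true, your draft adds the missing piece and should be cut back to the shared policy.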
The middle of the month means it's time for our miscellany, so let's take a look at what the first month of summer brought us.
With so many Trojan variants, virus writers are showing no signs of taking off for the beach. Which means, of course, that we won't either. Drop by the blog this time next month for an update.
I'm sure regular readers of this blog remember the story of GpCode, which used RSA algorithms to encrypt user data. 'Blackmailer', an article over in the Analysis section of the site, covered this malicious program in detail.
Some of you may have been wondering why we haven't blogged about any similar programs recently – after all, 'Blackmailer' concluded with the idea that we were likely to see more of these programs in the future. But there's been a curious lull of more than a year…
So you can imagine our feelings this weekend, when some of our non-Russian users told us their documents, photos, archive files etc. had turned into a bunch of junk data, and a file called read_me.txt had appeared on their systems. Sadly, the contents of this file were all too familiar:
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: firstname.lastname@example.org and provide us
your personal code -xxxxxxxxx. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Does this signal the return of the unknown shake-down artist? This text is clearly not written by a native speaker of English. And the email address is one that we've seen before in LdPinch and Banker variants, programs which were clearly of Russian origin.
Of course, we've analyzed the files, and in spite of the text above, there's no sign of RSA-4096. Interestingly, this nasty little piece of work, which we detect as Virus.Win32.Gpcode.ai, has a very limited shelf life, from 10th to 15th July 2007. Why? We can only guess.
Kaspersky Anti-Virus 6.0 detects this Trojan proactively – once as Trojan-Generic and once as Invader:
Of course, we're also working on a decryption routine for encrypted user files to add to our antivirus databases.
But in the meantime, we'd just like to remind you – if you've fallen victim to Gpcode or any other type of ransomware, you should never pay up under any circumstances. Always contact your antivirus provider and make sure you back up your data on a regular basis.
Nkem Owoh, who played a 419 scammer in the Nigerian comedy The Master, was among 111 alleged 419 scammers arrested in The Netherlands recently. Owoh sang the title song from the film, 'I go chop your dollar'.
By our calculation, this brings the total number of arrests so far this year to 301, with 21 convictions.
We're seeing a lot of reports about a new version of Backdoor.Win32.IRCBot.acd. This backdoor is a fairly limited IRCBot with spy capabilities combined with MSN-Worm functionality.
Depending on the locale of the machine, the backdoor sends out messages in different languages. This functionality is similar to that seen in the recent widespread AutoIT MSN-Worms, which are mostly downloaded by Backdoor.Win32.MSNMaker variants.
The interesting touch in this case is that the backdoor tries to transfer a ZIP file called "myalbum2007.zip" instead of sending out a URL to a malicious file.
This is not entirely new; for instance, the IM-Worm.Win32.Sumom family back in 2005 did the same. However, it's been quite a while since we last saw this type of propagation routine.
There are pros and cons to each type of propagation. Perhaps some cyber criminals think that websites containing malicious code get taken offline too fast for their liking. It'll be interesting to see if sending files instead of URLs will become a proven method for MSN-Worms to spread.
For many of you, once again it's vacation time. While you are sitting on the beach and enjoying the sun in Ibiza or Sorrento, your friends at home may be receiving infected e-cards from you.
During the past days, we've intercepted a number of fake mailings which purportedly come from various e-card systems, such as Hallmark. A few examples:
They all seem to follow the same pattern: a URL is included which leads to a malicious file, usually a downloader. Once you run it on your system, it brings in more malware which will eventually turn your computer into a spam-sending zombie.
So if you send a greeting to your friends at home, consider using an old fashioned postcard. Besides being a lot safer, I think it's also more personal!
Wishing you happy and malware free vacations!