CWSandbox vs. Banking Spyware

Monday, December 18. 2006
Something we see quite often is malware binaries that are used to steal sensitive information used for online banking. This kind of malware is especially popular in Brazil, but we also see it coming from other countries. Today we take a quick look at one of those Brazilian spyware programs...
The complete infection process is split into several stages. The first stage creates two new files on the hard disk and then executes one of them. The second stage opens a web page (http://www.humortadela.com.br) and downloads additional malware from the Internet (http://210.58.101.241/modules/xfsection/html/msmm.exe) in the background. The last stage then searches for windows whose title matches one of a rather long list of strings; in other words, the malware binary tries to detect whether the victim has opened a specific window:
Evite que outras pessoas vejam você digitar sua senha
Evite que outras pessoas te vejam digitar a sua -senha-
A senha de oito dígitos é usada somente para o login
Não abra e-mail de origem desconhecida
Verifique um pequeno cadeado fechado na parte inferior do navegador
Verifique um pequeno cadeado na parte inferior de seu navegador
Evite que outras pessoas vejam você digitar a sua -senha-
Mantenha atualizado o sistema operacional, o navegador e o anti-vírus/trojan
Troque sua senha caso ela possa ser descoberta facilmente
Sempre consulte esta página para novas informações sobre a segurança
Sempre consulte esta página para novas informações sobre segurança
Evite realizar operações em equipamentos de uso público
Não permita que outras pessoas conheçam os seus dados de acesso
Escolha "senhas" diferentes do seu nascimento, CPF e n° seqüenciais
Note se no incio do campo "endereço" surgem as letras "https"
Não use atalhos em e-mail para acessar o site. Digite o endereço direto no navegador
Não abra arquivos de origem desconhecida
Evite abrir arquivos executáveis anexados às suas mensagens
Não faça alteração cadastral por e-mail
Não enviamos e-mail sem a sua permissão
Cuidado com links e downloads contidos em mensagens promocionais
Nunca digite seus dados de acesso em e-mail
Memorize suas senhas sem anotá-las
A senha de oito números somente é usada para o login

I don't speak Portuguese, but a quick search at Google reveals that these titles are commonly used by Banco do Brasil, so this bank is the target of these attacks...

The complete report is also available as HTML analysis and XML analysis.

Update: Fixed "Portuguese" - thanks to Bjoern Weiland


3322.org

Sunday, December 17. 2006
The Internet Storm Center recently had an article about a botnet that uses the SAV remote exploit ("sav worm and its cc"). The botnet uses ftpd.3322.org to download the binary to the infected machines. 3322.org seems to be a rather gray domain; I saw it used a couple of times this year in different malware binaries. At least the following subdomains of 3322.org were used either for botnet C&C traffic or to download additional malware to compromised machines:

So watching your borders and checking whether machines inside your network access these domains could be a good way to detect infected machines...
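As an added example (not code from the original post), here is the kind of check the paragraph suggests: scanning DNS query logs for lookups of any name under a watched zone such as 3322.org. The log format and the sample lines are constructed for the example; the matching is done on label boundaries so that a name like "evil3322.org" or "3322.org.example.net" does not produce a false hit.

```python
import re

# Constructed sample DNS query log lines (not from the original post);
# the format "client=... query=..." is an assumption of this example.
SAMPLE_LOG = """\
2006-12-17T10:01:02 client=192.0.2.10 query=www.example.com type=A
2006-12-17T10:01:05 client=192.0.2.11 query=ftpd.3322.org type=A
2006-12-17T10:01:07 client=192.0.2.12 query=evil3322.org type=A
2006-12-17T10:01:09 client=192.0.2.13 query=NameLess.3322.org. type=A
2006-12-17T10:01:11 client=192.0.2.14 query=3322.org.example.net type=A
"""

# Zones whose subdomains we want to flag; 3322.org is the one from the post.
WATCHED_ZONES = ("3322.org",)

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def normalize(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.rstrip(".").lower()


def in_watched_zone(name, zones=WATCHED_ZONES):
    """True if name equals a watched zone or lies below it on a label boundary.

    'evil3322.org' and '3322.org.example.net' must NOT match '3322.org'."""
    name = normalize(name)
    for zone in zones:
        zone = normalize(zone)
        if name == zone or name.endswith("." + zone):
            return True
    return False


def find_lookups(log_text, zones=WATCHED_ZONES):
    """Return (client, queried_name) pairs for every lookup under a watched zone."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        qname = m.group("qname")
        if in_watched_zone(qname, zones):
            hits.append((m.group("client"), normalize(qname)))
    return hits


if __name__ == "__main__":
    for client, qname in find_lookups(SAMPLE_LOG):
        print(f"{client} looked up {qname}")
```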

Monkey Spider: Monitoring of Malicious Websites

Wednesday, December 13. 2006
Yesterday, another student of mine gave a talk about his ongoing diploma thesis. Ali Ikinci presented his project "Monkey Spider", which tries to find malicious web sites in the World Wide Web. The project is a kind of low-interaction honeyclient that crawls the Web and then examines the downloaded content. Similar to "A Crawler-based Study of Spyware on the Web", we try to find malicious content on the Internet. We also use Heritrix, but instead of relying only on malware scanners, we also use CWSandbox to detect the latest threats. In addition, we do not only scan executables but all other files as well, in order to find - for example - malicious WMF files or images...

The presentation on Monkey Spider is available.

Botspy - Efficient Observation of Botnets

Tuesday, December 12. 2006
With nepenthes and CWSandbox, we have two tools to automatically capture and analyze malware. If we find a botnet, it would be nice to also have an automated way to observe the corresponding botnet. This is where botspy comes into play: this tool is designed to observe botnets by connecting to them, entering the channel used for command & control, and then monitoring what is happening. Currently, the channel can either be IRC or HTTP, but due to the modular architecture, more communication protocols can be added.

Botspy is implemented by Claus Overbeck as part of his thesis, and he gave a presentation about the current status today. The thesis is not finished yet, so more features will be integrated and - most importantly - statistics will be generated.