As you have probably noticed…my last post was in April. My fault really, but I have been very busy during the last few months. I hope to be back blogging soon about my malware discoveries.
The good folks at WordPress have released version 2.5 of this awesome blogging software. To read the full details and download, please visit their blog here.
I will shortly be upgrading to WP 2.5 as soon as I have confirmed that all my plugins are ready to go.
Kaspersky Lab have announced development of a new antivirus product for the Mac OS X operating system, and have released a public alpha build which is available for discussion, testing and download via their forum.
The Anti Virus for Mac OSX forum is located at: http://forum.kaspersky.com/index.php?showforum=78
The system requirements and link to the alpha builds are at:
http://forum.kaspersky.com/index.php?showtopic=59920
Description and system requirements for testing:
Kaspersky® Anti-Virus 7.0 for Mac provides you with anti-virus protection for Mac based on the latest protection technologies. You can work, communicate, surf the Internet and play online games on your computer safely and easily.
Product Highlights
• Protection against threats based on signature database.
• Hourly automated database updates
• Protection from viruses, Trojans and worms
• Real-time and on-demand scanning for files
• Automatic signature database updates
System requirements:
• Mac computer with an Intel processor
• Mac OS X 10.4.11
• 512 MB of memory
• 100 Mb of available disk space
You may have noticed that there have been no new posts for quite a while now….. Unfortunately that is due to the wonder that is moving house. I am currently writing this on my laptop in between a mountain of boxes ready for the big move on Tuesday. I hope to keep the blog more up to date after that date.
Heur.Trojan.Generic - What is it?
If you are using Kaspersky Anti Virus 7, or Kaspersky Internet Security 7, you may have come across the detection “Heur.Trojan.Generic”, “Heur.Downloader” or similar. Kaspersky’s viruslist currently does not have a description for this detection.
Heur.Trojan.Generic, Heur.Downloader, and other detections given by Kaspersky that begin with Heur. are files that are being flagged by the new heuristics engine that has been introduced in Version 7 of Kaspersky’s home user products. These detections encompass a wide range of malware, using special techniques developed by the engineers and virus analysts at Kaspersky Lab to flag suspicious files.
A file flagged by Kaspersky as “Heur.Trojan.Generic” is a file that is deemed to have the characteristics of malware after being analysed by the Heuristics engine, but one that has not yet been specifically analysed by the Kaspersky Viruslab.
This means three things:
1) When you receive such a detection, care should be taken not to open or launch the file in question, as it may be malicious.
2) Because this is a “generic” (so to speak) detection, the file has not been 100% confirmed to be malware by the virus analysts (e.g. it has not yet been given a name), so there is a chance that the file is being mistakenly detected and it is not actually malicious.
3) The correct course of action would be to isolate the file and send it to the Kaspersky viruslab for analysis, as detailed below.
How to get rid of Heur.Trojan.Generic
When you first get the alert that Heur.Trojan.Generic has been detected, read the alert carefully to determine which file is being detected.
Look at the alert and see if there is an option to quarantine the file. Press “quarantine” if the option is given. The file will then be moved into a secure area where it cannot do any damage.
If the “quarantine” option is not given, take a note of the location of the detected file, and “skip” the alert. Because you skipped the alert, you will have to manually add the file to quarantine. To do this, open Kaspersky, and click on the “Reports and data files” tab, then “Quarantine”.
Once you have clicked on “quarantine”, a new window will open. At the bottom of this window click “add” and browse to the file which is being detected.
Once the file has been added, right click on the corresponding file in the quarantine window, and choose the option “send”.
Your mail client should now open with a message, auto-composed by Kaspersky, addressed to the Kaspersky Viruslab. All you have to do is send it off, and you should soon get an email response from one of the virus analysts to confirm whether or not the file is indeed malicious.
If they confirm it is malicious/infected, you can head back over to the quarantine tab and delete the file (right click it and delete). If they confirm that the file is clean, then they should fix the false detection and you can safely restore the file from the quarantine, by right clicking it and selecting “restore”.
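What the quarantine, lab review and delete-or-restore steps above amount to on disk, as an added Python example (not Kaspersky's implementation or code from this blog). The function names, the quarantine directory layout and the sample file are assumptions made for illustration; only the "Heur." prefix rule comes from the post.

```python
import hashlib, json, os, shutil, tempfile
from pathlib import Path

def is_heuristic(verdict: str) -> bool:
    # Per the post, detection names beginning with "Heur." come from the
    # heuristics engine and have not been confirmed by an analyst.
    return verdict.startswith("Heur.")

def quarantine(path: Path, verdict: str, qdir: Path) -> dict:
    """Move a flagged file into qdir under an inert name and record its origin."""
    qdir.mkdir(parents=True, exist_ok=True)
    sha256 = hashlib.sha256(path.read_bytes()).hexdigest()
    stored = qdir / f"{sha256}.quarantined"   # original extension dropped
    shutil.move(str(path), str(stored))
    os.chmod(stored, 0o400)                   # read-only, no execute bit
    entry = {"original": str(path), "stored": str(stored), "sha256": sha256,
             "verdict": verdict, "needs_lab_review": is_heuristic(verdict)}
    stored.with_suffix(".json").write_text(json.dumps(entry))
    return entry

def resolve(entry: dict, lab_says_malicious: bool) -> str:
    """Act on the lab's reply: delete if malicious, restore if a false positive."""
    stored = Path(entry["stored"])
    os.chmod(stored, 0o600)                   # make it writable again before acting
    if lab_says_malicious:
        stored.unlink()
    else:
        shutil.move(str(stored), entry["original"])
    stored.with_suffix(".json").unlink()      # drop the manifest entry
    return "deleted" if lab_says_malicious else "restored"

def demo(lab_says_malicious: bool) -> dict:
    """Run the whole flow on a constructed, harmless file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "download.exe"   # constructed sample, not real malware
        sample.write_bytes(b"constructed sample bytes")
        entry = quarantine(sample, "Heur.Trojan.Generic", Path(tmp) / "quarantine")
        isolated = not sample.exists() and Path(entry["stored"]).exists()
        outcome = resolve(entry, lab_says_malicious)
        return {"isolated": isolated, "review": entry["needs_lab_review"],
                "outcome": outcome, "file_back": sample.exists()}

if __name__ == "__main__":
    print(demo(lab_says_malicious=False))
    print(demo(lab_says_malicious=True))
```

The SHA-256 recorded in the manifest gives you a stable identifier to quote when corresponding with the lab about the sample.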
yey!
malwarecrawler has made the jump to paid hosting. It's taken a few hours to find out how the hell this thing works, but it's been worth it.
Hopefully will get themes/plugins/etc sorted within the next few days










