Posting break

As you have probably noticed... my last post was in April. My fault really, but I have been very busy during the last few months. I hope to be back blogging soon about my malware discoveries.

Storm Worm/Zhelatin - A very dangerous April Fools joke that's on you

With April Fools fast approaching, the gang behind the Storm Worm/Zhelatin malware has made a reappearance.

There is currently a large amount of spam doing the rounds, pointing to malicious domains hosting the Storm Worm malware, some of which has also made it into my spamtrap/honeypot.

Currently, the files being touted (at least from the domain I visited) are kickme.exe, foolsday.exe and funny.exe, all incarnations of the Storm Worm/Zhelatin trojan which are very poorly detected by the major AV companies.

Users visiting the websites serving Storm Worm will probably be greeted with an image similar to the one below:

Storm worm April Fools website

...before the Storm Worm is downloaded to their computer.

AV detection results for the samples I recovered (kickme.exe and foolsday.exe) are not inspiring at the moment, although vendors should be pushing signatures for this latest batch of Storm Worm in the very near future.

antivirus detection results

As one can expect, the April Fool is most definitely on you, as executing the files found on this website will lead to the zombification of your computer and exclusive membership of the Storm Worm botnet, leaving your computer at the command of the Storm Worm gang... bad news for you and me, very good news for them :(

Advice at the moment is to be very cautious of emails offering some sort of April Fools joke/card/download and bin these, especially if they are coming from an email address you do not recognise.

Once executed, Storm Worm will drop the file C:\WINDOWS\aromis.exe and then punch a hole in the built-in Windows firewall for itself with a simple netsh command, which is equivalent to creating the registry value shown underneath it:

netsh firewall set allowedprogram "C:\WINDOWS\aromis.exe" enable

Key:   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Value: C:\WINDOWS\aromis.exe
Data:  C:\WINDOWS\aromis.exe:*:Enabled:enable

It then sits listening on a random port for instructions from the botnet master. Your computer is by this stage under their control.
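Because the firewall exception above is the one persistent, easily inspected trace that this infection leaves, it is worth knowing how to audit that registry list. The following script is an added example and not part of the original post: it parses value data in the format the AuthorizedApplications\List key uses ("path:scope:Enabled|Disabled:display name") and flags entries that look like a dropped executable registering itself. The sample entries are constructed for the example (only the aromis.exe one comes from the post), and the two heuristics (executable sitting directly in the Windows directory, and a display name that is not a product name) are this example's own assumptions rather than anything the post states.

```python
# Audit Windows Firewall application exceptions for self-registered malware.
# Added example, not code from the original post. Parses value data in the
# format used under:
#   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
#       FirewallPolicy\StandardProfile\AuthorizedApplications\List
# i.e. "<path>:<scope>:<Enabled|Disabled>:<display name>". In practice the
# strings would come from a registry export collected during incident response.
import ntpath
from dataclasses import dataclass

# Constructed sample data. The aromis.exe value is the one described in the
# post; the other three are plausible benign entries made up for this example.
SAMPLE_ENTRIES = [
    r"C:\WINDOWS\aromis.exe:*:Enabled:enable",
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox",
]

# Directories where a legitimately installed program rarely lives (assumption):
# system binaries sit in system32, applications in Program Files.
WINDOWS_ROOT_DIRS = {r"c:\windows", r"c:\winnt", "%windir%", "%systemroot%"}


@dataclass
class FirewallException:
    path: str
    scope: str
    state: str
    name: str


def parse_entry(value: str) -> FirewallException:
    """Split one AuthorizedApplications value.

    rsplit from the right keeps the drive-letter colon inside the path.
    """
    parts = value.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"unexpected AuthorizedApplications format: {value!r}")
    path, scope, state, name = parts
    return FirewallException(path, scope, state, name)


def suspicious_reasons(exc: FirewallException) -> list[str]:
    """Reasons an enabled exception looks self-registered (empty list if none)."""
    reasons: list[str] = []
    if exc.state.lower() != "enabled":
        return reasons  # a disabled exception opens nothing
    directory, filename = ntpath.split(exc.path)
    if directory.lower().rstrip("\\") in WINDOWS_ROOT_DIRS:
        reasons.append("executable sits directly in the Windows directory, not system32 or Program Files")
    stem = ntpath.splitext(filename)[0].lower()
    # "enable" is just the trailing argument of the netsh command echoed back;
    # real products register a readable name (or a resource-string reference).
    if exc.name.strip().lower() in {"", "enable", stem}:
        reasons.append(f"display name {exc.name!r} is not a product name")
    return reasons


def audit(entries: list[str]) -> dict[str, list[str]]:
    """Map each suspicious exception path to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for value in entries:
        exc = parse_entry(value)
        reasons = suspicious_reasons(exc)
        if reasons:
            findings[exc.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_ENTRIES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample list, only the aromis.exe entry is reported, for both reasons. On a live machine the same list can be exported with `reg export` of the key above and fed in one value per line; the heuristics are deliberately narrow so that ordinary exceptions such as Remote Assistance or a browser do not generate noise.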

Kaspersky Lab's virus analysts have just confirmed the presence of malware in those two files, and will be pushing an update for it within the hour. If you are infected, I would advise a free trial download of Kaspersky Anti-Virus from http://www.kaspersky.com/trials, which will deal with the infection nicely after a My Computer scan :) (Consider buying it if it helps you to cure the infection; developers need support too!)

A sandbox analysis of the two samples I have tested can be found here:

http://analysis.seclab.tuwien.ac.at/result.php?taskid=1b30cd8f5c2fd554955af4f1f02e78ed&refresh=1

http://analysis.seclab.tuwien.ac.at/result.php?taskid=d32a8ddac8e00534611f130f6126bce4&refresh=1

(Credits to SECLAB @ Vienna University of Technology for their awesome tool)

Credits for heads up to Alex Eckelberry of Sunbelt Software and Jose Nazario from Arbor Networks


Wordpress 2.5 is go :)

The good folks at WordPress have released version 2.5 of this awesome blogging software. To read the full details and download, please visit their blog here.

I will be upgrading to WP 2.5 as soon as I have confirmed that all my plugins are ready to go.

Goodbye, HDTV :(

It's just been "one of those days"... and today I say goodbye to my two-month-old HDTV, which suffered a terrible fate involving wall-mounting, a hammer left on the floor and a bit of imagination.

Please excuse the quality of the pictures; my cell isn't up to the job anymore.

My broken HDTV


FlashGet download servers hacked, serving users malware.

 FlashGet

Kaspersky's virus analysts have recently blogged about the popular download manager "FlashGet" being hacked. Apparently the developer's servers were compromised and files modified, so that FlashGet automatically downloaded a number of malicious files (inapp4.exe/inapp5.exe/inapp6.exe, within the container appA.cab) to its users' machines because it took them for an update. When executed, these files would initiate outbound communication and download additional malicious code.

Worryingly, there has been no acknowledgment from the FlashGet developers or anything posted on their website about the breach at the time of posting this.

Currently, there are a number of postings on the FlashGet forums about the trojans, which were detected by fortunate users' antivirus or firewall software.

The malicious code seems to have been removed from the FlashGet servers for now, but Kaspersky Lab has been quoted as saying FlashGet is still vulnerable to attack:

“All you need to do is add a link (which can point to any file you want) to the FGUpdate3.ini file and it will be automatically downloaded to your computer every time you launch FlashGet. Even if you don’t press “Refresh”, FlashGet uses the information from the .ini file. This “vulnerability” is present in all versions of FlashGet 1.9.xx.”

Which means?

“In spite of the fact that the site is no longer “hacked”, users are still vulnerable. Any Trojan program could modify the local .ini FlashGet file, causing it to function like a Trojan-Downloader. And it’s worth noting here that FlashGet is usually treated as a trusted application, consequently, network activity caused by the application or requests to sites won’t be flagged as suspicious, and users won’t be alerted.”

Advice?

Bin FlashGet until this vulnerability is sorted.

Read the full story here.

Fake sennheiser cx300 headphones - How to spot


Kaspersky Lab releases first alpha version of Kaspersky Anti Virus for Mac OSX

Kaspersky Lab have announced development of a new antivirus product for the Mac OS X platform, and have released a public alpha build which is available for discussion, testing and download via their forum.

The Anti-Virus for Mac OS X forum is located at: http://forum.kaspersky.com/index.php?showforum=78

The system requirements and link to the alpha builds are at:

http://forum.kaspersky.com/index.php?showtopic=59920

Description and system requirements for testing:

Kaspersky® Anti-Virus 7.0 for Mac provides you with anti-virus protection for Mac based on the latest protection technologies. You can work, communicate, surf the Internet and play online games on your computer safely and easily.
Product Highlights
• Protection against threats based on signature database.
• Hourly automated database updates
• Protection from viruses, Trojans and worms
• Real-time and on-demand scanning for files
• Automatic signature database updates

System requirements:
• Mac computer with an Intel processor
• Mac OS X 10.4.11
• 512 MB of memory
• 100 Mb of available disk space

Inactivity

You may have noticed that there have been no new posts for quite a while now... Unfortunately that is due to the wonder that is moving house. I am currently writing this on my laptop in between a mountain of boxes, ready for the big move on Tuesday. I hope to keep the blog more up to date after that date. :)

Heur.Trojan.Generic - What is it and how to get rid of it? (Kaspersky detection)


If you are using Kaspersky Anti-Virus 7 or Kaspersky Internet Security 7, you may have come across the detection "Heur.Trojan.Generic", "Heur.Downloader" or similar. Kaspersky's viruslist currently does not have a description for this detection.

Heur.Trojan.Generic, Heur.Downloader, and other detections given by Kaspersky that begin with "Heur." are files that are being flagged by the new heuristics engine introduced in version 7 of Kaspersky's home user products. These detections encompass a wide range of malware, using special techniques developed by the engineers and virus analysts at Kaspersky Lab to flag suspicious files.

A file flagged by Kaspersky as "Heur.Trojan.Generic" is a file that is deemed to have the characteristics of malware after being analysed by the heuristics engine, but one that has not yet been specifically analysed by the Kaspersky Viruslab.

This means three things:

1) When you receive such a detection, care should be taken not to open or launch the file in question, as it may be malicious.

2) Because this is a "generic" (so to speak) detection, the file has not been 100% confirmed to be malware by the virus analysts (i.e. it has not yet been given a name), so there is a chance that the file is being mistakenly detected and is not actually malicious.

3) The correct course of action would be to isolate the file and send it to the Kaspersky Viruslab for analysis, as detailed below.

How to get rid of Heur.Trojan.Generic

When you first get the alert that Heur.Trojan.Generic has been detected, read the alert carefully to determine which file is being detected.

Look at the alert and see if there is an option to quarantine the file. Press "quarantine" if the option is given. The file will then be moved into a secure area where it cannot do any damage.

If the "quarantine" option is not given, take a note of the location of the detected file, and "skip" the alert. Because you skipped the alert, you will have to manually add the file to quarantine. To do this, open Kaspersky, click on the "Reports and data files" tab, then "Quarantine".

Kaspersky Main Window

Once you have clicked on “quarantine”, a new window will open. At the bottom of this window click “add” and browse to the file which is being detected.

Kaspersky Quarantine Window

Once the file has been added, right-click on the corresponding file in the quarantine window, and choose the option "send".

Sending a quarantined file via the Kaspersky interface

Your mail client should now open with a message auto-composed by Kaspersky to the Kaspersky Viruslab. All you have to do is send it off, and you should soon get an email response from one of the virus analysts to confirm whether or not the file is indeed malicious.

If they confirm it is malicious/infected, you can head back over to the quarantine tab and delete the file (right-click it and delete). If they confirm that the file is clean, then they should fix the false detection and you can safely restore the file from the quarantine by right-clicking it and selecting "restore".

malwarecrawler has moved!

yey!

malwarecrawler has made the jump to paid hosting. It's taken a few hours to find out how the hell this thing works, but it's been worth it :D

Hopefully I will get themes/plugins/etc. sorted within the next few days :)