Category Archives: In the Wild

Storm Worm variant now using Kittycard.exe as filename

Kittycard.exe is now one of the filenames used by this Storm Worm.


Email received today:


[screenshot: the email received]


The new filename is Kittycard.exe:


[screenshot: the attachment Kittycard.exe]


Half of the malware scanners on VirusTotal.com detected it, while the other half did not:


[screenshots: VirusTotal.com scan results]


For you… to read:


The Storm Worm: http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html


Just How Bad Is the Storm Worm:


http://blog.washingtonpost.com/securityfix/2007/10/the_storm_worm_maelstrom_or_te.html


My previous blog entries on Kitty (Storm Worm):


2 more Kitty, Kitty Detection Improving, Norton blocked Kitty, Kitty Kitty

What’s with the malicious PDF file?

Symantec wrote: 

the PDF file will download ldr.exe file

F-Secure reports:

The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components.

So I grabbed both .exe files (ms2.exe and ldr.exe) and uploaded them to VirusTotal.com.  The AVs should detect it and protect users from it if they failed to detect and block the malicious PDF file.

Scan results:

Only 50% of the malware scanners detected ms2.exe as malicious.

71.88% of the malware scanners detected ldr.exe as malicious.

Screenshots of the results are at http://www.dozleng.com/updates/index.php?showtopic=16119

In the wild: Malicious PDF files; Which AV will detect it?

If you haven’t updated your Adobe Reader to v8.1.1, you had better do it NOW.

The vulnerability is being exploited now and yup, it’s in the wild, because I have received copies already.  Screenshots at http://www.dozleng.com/updates/index.php?showtopic=16119

Adobe fixed the security issue by releasing v8.1.1.  See their advisory here and please update NOW.

Microsoft updated their security advisory on the above due to the increased threat level.

Read Symantec’s write-up on what they detected and blocked in the email I received: Bloodhound.Exploit.163 – Bloodhound.Exploit.163 is a heuristic detection for PDF files attempting to exploit the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability.

See also: http://blogs.technet.com/robert_hensing/archive/2007/10/26/it-begins-pdf-spam-run.aspx (Thanks to MVP Susan Bradley for the link)

Update:  Go to http://www.dozleng.com/updates/index.php?showtopic=16119 to see the VirusTotal.com scan results and find out which malware scanners are FAST in detecting malicious files that are IN THE WILD.

Spammer’s trick: Redirection. Can’t Google, Yahoo and AOL kill the false one?

This is not new, since this is a ‘common’ issue with redirection and is being used by spammers, but geez, can’t these companies do something to stop the redirection from succeeding?

Same SPAM emails received today:

[screenshots: the spam emails]

That’s AOL, Yahoo and Google.  Guys, you should do something to kill this “false redirection”; it will surely help in killing one method that spammers are using.

I know we can disable automatic redirection in the browser, but that will kill features that many are using.  Examples:

1. The search function in the browser

2. Downloading a file that is redirected by a good site will not be served automatically unless the user clicks the link to proceed with the download

3. Viewing a page that is redirected by a good site, e.g. http://www.microsoft.com/technet/security/bulletin/ms07-oct.mspx: if you click on any bulletin title and redirection is disabled, you won’t see http://www.microsoft.com/technet/security/bulletin/ms07-055.mspx unless you click again to proceed to the bulletin. That’s because Microsoft also uses redirection: http://go.microsoft.com/fwlink/?LinkId=94668

4. Using any services that take advantage of redirection, e.g. short URL services, forum software with a redirection feature, etc.

The advice to delete spam emails from the server and/or view email in plain text is of course the first thing to remember, but we KNOW that many DO NOT do that.  That’s why there are many victims of phishing, pharming, scams etc.  If the developers at Google, AOL and Yahoo and other search engines kill the “false redirection”, then many butts will be saved .. that’s for sure!
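The “false redirection” the post complains about is an open redirect: a redirect endpoint that forwards the browser to whatever its `url=` parameter says, so a spam link borrows the trusted site’s name. The example below is added here and is not code from the post or from any of the companies named; it contrasts the weak pattern with an allowlist check and uses constructed placeholder hostnames (`example-portal.test`, `spam-site.test`).

```python
"""Added example: open redirect versus an allowlisted redirect endpoint.
Hostnames are constructed placeholders, not the real services in the post."""
from urllib.parse import urlsplit, urljoin, parse_qs

# Constructed allowlist: the only hosts this endpoint may forward to.
ALLOWED_HOSTS = {"example-portal.test", "downloads.example-portal.test"}
ALLOWED_SCHEMES = {"http", "https"}
LANDING_PAGE = "https://example-portal.test/"


def open_redirect(target: str) -> str:
    """The weak pattern: the browser goes wherever ?url= says, so a spammer's
    link through this endpoint looks like it comes from the trusted site."""
    return target


def safe_redirect(target: str, fallback: str = LANDING_PAGE) -> str:
    """Hardened version: resolve the target against our own origin and keep
    it only if scheme and host are allowlisted; otherwise go to our landing page.
    Relative paths such as /downloads/file.zip keep working, so the site's own
    redirected downloads (item 2 in the post) are not broken."""
    # Browsers treat backslashes as slashes, so "/\\host" would otherwise be
    # parsed here as a same-site path while the browser goes off-site.
    candidate = target.replace("\\", "/")
    # Resolve relative and scheme-relative ("//host/...") forms against our origin.
    resolved = urljoin(fallback, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ALLOWED_SCHEMES:      # e.g. javascript: or data:
        return fallback
    # .hostname strips "user@" and ":port", so "http://example-portal.test@spam-site.test/"
    # is judged by its real host (spam-site.test) and "host.evil.test" is not a suffix match.
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved


def handle_redirect_request(query_string: str) -> str:
    """Where a request to /redirect?url=... lands after the allowlist check."""
    target = parse_qs(query_string).get("url", [""])[0]
    return safe_redirect(target)


if __name__ == "__main__":
    # Constructed spam link: the trusted endpoint is asked to forward to the spam site.
    spam_query = "url=http%3A%2F%2Fspam-site.test%2Fpromo"
    print("open redirect  ->", open_redirect(parse_qs(spam_query)["url"][0]))
    print("allowlisted    ->", handle_redirect_request(spam_query))
    print("own download   ->", handle_redirect_request("url=%2Fdownloads%2Ffile.zip"))
```

The check is on the redirecting site, not in the user’s browser, which is why it avoids the feature loss of disabling redirects client-side.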

2 more kitty (storm worm) gone undetected by many scanners

I received a similar email last week, where 15 out of 32 malware scanners would detect it or trigger an alert if it is found on or downloaded to the system.

Today, I got 2 more kitty greetings.  The result is that 10 out of 32 scanners detect it or trigger an alert:

[screenshots: VirusTotal.com scan results]

Preview of emails:

[screenshots: email previews]

Whenever I send a file to VirusTotal.com, I always let them distribute the sample to the AV companies so they can add it to their detection.  Let’s hope those will be detected soon, as they are out there.

Users need to make sure they are patched, that their security tool is configured to get updates automatically and, most important, that they do not click on anything.

Skype Worm Breaks Out in APAC

Symantec and Websense have warned Skype users of a new worm that spreads itself via Skype text messages.


Dubbed Chatosky by Symantec, the cycle starts with a Skype user receiving a message offering a file called sp.exe. According to Websense’s preliminary analysis, when that file is run it installs a password-stealing Trojan and propagates itself via Skype.


The malware also tries to connect to a now-disabled remote server to collect additional code.


Websense says the original infections appear to be in the Asia Pacific region, especially Korea.


CA’s, Sophos’ and McAfee’s security sites had no information about this worm at the time of writing.


http://www.itwire.com.au/content/view/8198/53/


Websense Alert:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=101


Websense Security Labs has had reports of a new worm that uses Skype to propagate. We are still investigating the issue but here are the details so far:


* users receive messages via Skype Chat to download and run a file
* the filename is called sp.exe
* assuming the file is run it appears to drop and run a password stealing Trojan Horse
* the file also appears to run another set of code that uses Skype to propagate the original file
* the file is packed and has anti-debugging routines (NTKrnl Secure Suite packer)
* the file connects to a remote server for additional code
* the original site has been black holed and is not serving the code anymore
* the number of victims is still TBD
* the original infections appear to be in APAC region (Korea in particular)

Worm Alert: Big Yellow; Worm hits computers via Symantec Corp.’s antivirus program

Date:  December 15, 2006


Severity: High


Systems Affected:
Symantec AntiVirus 10.0.x for Windows (all versions)
Symantec AntiVirus 10.1.x for Windows (all versions)
Symantec Client Security 3.0.x for Windows (all versions)
Symantec Client Security 3.1.x for Windows (all versions)


Overview:
The eEye Research honeypot network has recently detected a new worm that is actively exploiting a remote Symantec vulnerability originally discovered by eEye Research on May 24, 2006 and patched by Symantec on June 12, 2006. This vulnerability has been publicly exploited as early as November 30, but this is the first example of a worm leveraging this vulnerability for self-propagation. Generally, patch processes are not in place for non-Microsoft applications such as Symantec AntiVirus/Client Security, so many Symantec users may be at risk for this vulnerability throughout their networks. All enterprises running such software should assess their posture against this worm as soon as possible by validating that they have the latest version of Symantec AntiVirus/Client Security as well as blocking port tcp/2967 at the gateway to minimize attackable surface area.


More at http://research.eeye.com/html/alerts/AL20061215.html via CoU


Related News: Worm hits computers via Symantec Corp.’s antivirus program

Rustock: Deep Dive

Rustock, also known as “Spambot”, is a family of back door programs with advanced user and kernel mode rootkit capabilities. Rustock has constantly been in development since around November, 2005. Rustock is a tough threat to combat because of its approach of combining multiple evasion techniques to remain undetected by commonly used rootkit detectors, such as Rootkit Revealer, IceSword, and BlackLight.


To obtain a “deep dive” on how Rustock works and why it is currently able to defeat so many security vendors, please visit Symantec’s Handling Today’s Tough Security Threats Web site. Once on the site, please look for the Rustock High Level Overview and Rustock Technical Overview Webcasts and click on their links to listen to the Webcasts.


http://www.symantec.com/enterprise/security_response/weblog/2006/12/handling_todays_tough_security_3.html

Argh! 2nd instance of fake Windows Genuine Advantage Notification

One earlier, and now there’s a 2nd … it’s at Daniweb‘s forum (Thanks to Microsoft MVP Robear Dyer for the link).  The bad file is faking Microsoft’s Windows Genuine Advantage Notification and Validation Tools.


As you can see in the earlier (first) report, there is a service named “Windows Genuine Advantage Validation Notification” and the offending filename is wgavn.exe.  Again, there is no Windows service for the legitimate Windows Genuine Advantage (WGA) tool by Microsoft.  Also, the names of the legitimate tools are:


  • Windows Genuine Advantage Validation Tool
  • Windows Genuine Advantage Notification Tool

Note that the Validation Tool doesn’t have “Notification” in its name.. the malware service does!


The Windows Genuine Advantage Validation Notification is a disguised Windows service and was created by malware.  BTW, the offending file isn’t detected yet by many antivirus programs (yup, those antivirus programs that are widely used don’t detect it yet). But let’s not worry much, because our malware fighters are doing their job to.. you know.. fix the infected systems, advise the community and notify the security vendors.  You should help too by being careful in anything you do online.