By Jonathan San Jose and Alan Lee

Another Adobe 0-day vulnerability was discovered on 28th October 2010.
Version 10.1 of Adobe Flash and version 9.x of Acrobat and Acrobat Reader are vulnerable to this attack.
Exploits taking advantage of this vulnerability have been known to surface in the wild.
Cybercriminals may host the malicious exploit PDF files on malicious websites and use social engineering techniques to entice unsuspecting victims to visit these websites and download the PDF files.

Once executed, the threat will open the PDF file in Adobe Acrobat Reader.



Cybercriminals: What Will They Think of Next?

Cybercriminals are nothing if not entrepreneurial. One way that they can make money outside of their usual schemes is to sell Do-It-Yourself crime kits, fostering a new crop of hackers and earning a few hundred dollars in the process.


By Crescencio Reyes – PC Tools Malware Research Division

A new rogue antivirus was recently reported which is part of the fake Security Essential rogue malware. When the binary is executed, it will show a splash screen which is displayed on top of all application windows.
Figure 1: ThinkPoint splash screen

As cybersecurity concerns increasingly become front-page news, there is a burgeoning effort to combat cyberattacks with the same defensive tactics employed in traditional warfare. There is, however, a novel complication—finding the attackers in the first place—but should security efforts concentrate on naming names or taking immediate action?


In the wake of Gmail cyber attacks by Chinese hackers, the prevalence of cybercrime has been thrust into the international spotlight. The question should be, though, why wasn’t it a hot topic before?

Cybercrime encompasses any sort of crime having to do with computers. Vague, right?


Author: Marianne Layador – PC Tools Malware Research Team

Installation Method

System Defragmenter is scam-ware that imitates a legitimate utility tool that will scan the system for hard drive and memory problems. It is installed through the typical method and uses the same techniques as antivirus rogue applications. It persuades the user to buy the fake program by warning of critical system errors that will surely alarm and grab his/her attention.

After scanning, it reports the following, which are hard coded fake errors:


Cybercrime is a growing problem in our technologically dependent society, costing the loss of hundreds of millions of dollars through scams and phishing schemes and exacting a heavy mental and emotional toll on those affected by instances of identity theft, which falls under the same umbrella. The crimes, ranging from the spreading of malicious code to cyber stalking, are serious, but do the punishments fit the crime? In certain cases, not at all; in fact, the punishments sometimes reward the cybercriminals.


The art world, no stranger to scandal, has seen its share of polarizing projects. The following theme, computer viruses as art, is a bit dated, as the oldest reference hails from 2001. Judging, however, from instances still occurring in late 2009, the topic remains touchy, particularly as it shifts from theory to practice.


Combine the social nature of chat rooms with the whims of fate in Roulette and you have Chatroulette, the recent brainchild of 17-year old Andrew Ternovskiy. Tapping into the public’s love of novelty, exhibitionism, and quick fixes of entertainment, Chatroulette allows users to video-chat with strangers, clicking over to the next, possibly more attractive or willing, stranger with impunity. The camera can be disabled, but this act would largely defeat the purpose of the illicit thrills.


Black hat hackers (or crackers, or sometimes just hackers if you don’t care to differentiate) are individuals with extensive computer knowledge whose purpose is to breach or bypass internet security. The general view is that, while hackers build things, black hat hackers break things. Their numbers are plentiful online, their services are easily for hire, and their ethics are dubious.


Don’t let cybercriminals steal your hard-earned cash!

Anyone with an email account is aware of the common dangers and general annoyance factor associated with spam emails, so we all know to avoid obvious tricks, such as messages touting extreme product discounts or too-good-to-be-true sweepstakes opportunities. Statistics show that most users are well versed in ignoring these common ploys; people purchase the goods advertised in spam messages less than 0.01% of the time. But what do you do when you receive an email from a trusted friend who pleads for help?


Earlier this week, we first posted our usual warning about the spike in Koobface threats that our ThreatFire users were seeing. That post set off some interest in the worm again. The last spike in the worm coincided with Dancho Danchev’s post in November, following the first report in July of high worm prevalence.


By Steve Espino – PCTools Malware Research Team

Windows Defence is a fake antivirus program that displays fake malware alerts on PCs in order to make unsuspecting users think that their computer has been infected by malware. Windows Defence is part of a massive number of clones of fake antivirus programs with names like WinAntiVirus, UltimateAntiVirus, AntiVirus2008, and AntivirusPlus, to name a few.

Like most other fake antivirus programs, Windows Defence could be distributed via numerous fake My Computer online scans and could also be downloaded and installed by other malware on the affected computer.


Upon execution Windows Defence goes on to perform fake scans on the affected machine.


This post describes a technique that allows building a domain name generator for Murofet.

Pseudo-random domain generators are not new – they were previously used by the Sober, Kraken and Conficker worms. The important thing about reproducing a particular domain generator is the ability to predict what domains the worm will query in the future. Once known, these domain registrations can potentially be blocked, “sinkholed” or at least monitored.

Now, domain generator reproduction is a tricky task. It can basically be done in 2 ways.

First, the original algorithm can be studied in its disassembled form, and then its logic reproduced in a higher-level programming language. The second method assumes that studying the original algorithm may take longer than expected, so it offers a shortcut – a “hack” – which is to take the original code “as is” and then either replicate it in a standalone tool written in Assembly from scratch (e.g. by using MASM) or use it in the inline assembler of a higher-level language such as C++ or Delphi.

Another approach is to patch the malicious binary in order to force it looping the way you need and then hook and log some particular APIs it is calling (such as UrlDownloadToFile()) in order to obtain the output.

We’ll take the route of ripping the original code apart. This is a no-brainer exercise – it shouldn’t take a long time, as we don’t have to understand how exactly the domain generator works. We only need to understand where the code is located, what it does functionally, and most importantly, how to interface it properly with our higher-level code. That is, we need to “glue” or attach it correctly to our code.

Murofet is a file infector. It appends 1,771 bytes to a host executable.

The APIs it calls are dynamically retrieved from shlwapi.dll, urlmon.dll, kernel32.dll, advapi32.dll DLLs by matching their ASCII name hashes – it is a very common technique.

The domain generator routine requires 4 parameters:

  • a base address of the advapi32.dll module – the domain generator needs it to dynamically retrieve the APIs CryptAcquireContextW(), CryptCreateHash(), CryptHashData(), CryptGetHashParam(), CryptDestroyHash() and CryptReleaseContext(). It calls these APIs during the domain name generation.
  • a seed value – it starts from a fixed number 119 (current year mod 256, multiplied by 17, that is 7 * 17)
  • current date (GMT)
  • a pointer to a buffer that will store the result – the generated domain name

Once the domain is generated, the sample attempts to download an executable from that domain. Next, it increments the seed value (119 -> 120), and repeats the same loop – that is, generates a new domain name, then attempts to download from there. The loop repeats 800 times.

Thus, Murofet generates 800 domains a day.
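The call loop described above (a fixed starting seed of 0x77 = 119, incremented on each of 800 iterations and reduced modulo 0x3fc = 1020 before being handed to the routine), as an added example that is not code from the original post. Its purpose is the defensive one the post names: pre-computing a future day's candidate domains so they can be blocked, sinkholed or monitored. The function that turns a date and a seed into a name is a stand-in built on MD5; it is an assumption for illustration only and is not Murofet's real generator, which exists only in the ripped native code. The TLD list is likewise assumed.

```python
# Added example, not code from the original post. It mirrors the post's
# per-day loop (seed 119, 800 iterations, seed mod 1020) around a STAND-IN
# generator; the real mapping from (date, seed) to a name is not reproduced here.
import hashlib
import struct
from datetime import date, datetime, timedelta, timezone

INITIAL_SEED = 0x77      # 119, the fixed starting seed given in the post
LOOP_COUNT = 800         # iterations per day given in the post
SEED_MODULUS = 0x3FC     # 1020, the divisor used in the post's glue code
TLDS = ("com", "net", "org", "biz", "info")   # assumed list, not from the post


def stand_in_generator(day: date, seed: int) -> str:
    """Hypothetical replacement for the native routine. It consumes the same
    inputs (a date and a seed) and hashes them, which is the role the post
    assigns to the Crypto API calls, but the mapping itself is invented here."""
    data = struct.pack("<HHHI", day.year, day.month, day.day, seed)
    digest = hashlib.md5(data).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return "%s.%s" % (label, TLDS[digest[-1] % len(TLDS)])


def seed_sequence() -> list:
    """The seed values the loop hands to the routine: 119, 120, ..., 918.
    Each is reduced modulo 1020, which never changes a value in this range;
    that is what the post means by 'the remainder is the same as the seed'."""
    return [(INITIAL_SEED + i) % SEED_MODULUS for i in range(LOOP_COUNT)]


def domains_for_day(year: int, month: int, day: int,
                    generator=stand_in_generator) -> list:
    """One day's 800 candidate domains, in the order the sample would query them."""
    when = date(year, month, day)
    return [generator(when, seed) for seed in seed_sequence()]


def upcoming_domains(year: int, month: int, day: int, days: int,
                     generator=stand_in_generator) -> dict:
    """Pre-compute domains for a span of days (keyed by ISO date) for a blocklist."""
    start = date(year, month, day)
    result = {}
    for n in range(days):
        when = start + timedelta(days=n)
        result[when.isoformat()] = [generator(when, s) for s in seed_sequence()]
    return result


def write_daily_log(year: int, month: int, day: int, path: str,
                    generator=stand_in_generator) -> int:
    """Mirror the post's per-day log file: one domain per line. Returns the count."""
    names = domains_for_day(year, month, day, generator)
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    today = datetime.now(timezone.utc).date()   # the post says the date is GMT
    for iso, names in upcoming_domains(today.year, today.month, today.day, 2).items():
        print(iso, len(names), "domains, e.g.", names[:3])
```

Because the generator is passed in as a parameter, the same loop can be driven by any other implementation of the (date, seed) routine, such as the native code once it has been glued in; the ordering and the seed reduction are the part that must match the sample.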

The domain generation routine is called by Murofet the following way:

As seen in the listing, the routine takes 4 parameters on the stack – the base address of advapi32.dll, the seed value, a pointer to the SYSTEMTIME structure filled with the current time and date (Murofet calls GetSystemTime() for that), and a pointer to a buffer that will receive the result.

In order to reproduce this algorithm, this is what can be done.

  • Create a VC++ MFC project that generates a day, a month, and a year value, then creates a log file into which the generated domains are dumped.
  • Create a stub in your executable that declares a buffer filled with 0x90 (NOP) values. The stub can be a few Kb in size.
  • Create inline assembler code in your project that wraps the call to the domain generation routine, that is, pushes the 4 required parameters on the stack – we’ll need this code to “glue in” the native Murofet domain name generator. The call to the routine itself should for now consist of 5 NOPs – we’ll patch this call later, as at this point we don’t know where in the code the routine will be located. This step is best outlined with the code below:

    // get the base address of advapi32.dll - Murofet needs it to locate the Crypto API functions
    HMODULE hAdvapi32 = LoadLibraryA("advapi32.dll");

    // prepare a SYSTEMTIME structure and fill it with the year, month and day we want domains for
    LPSYSTEMTIME lpst = (LPSYSTEMTIME)malloc(sizeof(SYSTEMTIME));
    memset(lpst, 0, sizeof(SYSTEMTIME));
    lpst->wYear  = wYear;
    lpst->wMonth = wMonth;
    lpst->wDay   = wDay;

    // prepare a log file name - one file per day
    char szLogFile[MAX_PATH];
    sprintf(szLogFile, "c:\\logs\\log_%d_%02d_%02d.txt", wYear, wMonth, wDay);

    // prepare a buffer that will receive the generated domain name
    LPBYTE lpbyDomainName = (LPBYTE)malloc(1024);

    // this is our "glue" - keep the initial seed value of 0x77 (119) on the stack
    __asm {
        push 77h
    }

    // start the loop - 800 domains have to be generated for the given day (wYear, wMonth, wDay)
    for (int i = 0; i < 800; i++)
    {
        memset(lpbyDomainName, 0, 1024);   // arguments are buffer, fill value, size

        __asm {
            pop  eax                ; current seed value
            push eax                ; keep a copy on the stack for the next iteration

            xor  edx, edx
            mov  ecx, 3fch          ; 1020
            div  ecx                ; edx = seed mod 1020 - the seed never exceeds 918 here,
                                    ; so the remainder equals the seed itself

            ; push the 4 parameters on the stack
            push hAdvapi32          ; 1st - base address of advapi32.dll (retrieved earlier)
            push edx                ; 2nd - the seed value reduced modulo 1020
            push lpst               ; 3rd - pointer to our SYSTEMTIME structure (specific year, month, day)
            push lpbyDomainName     ; 4th - pointer to the buffer that will receive the result

            nop                     ; these 5 NOPs will later be patched with a call to the routine:
            nop                     ; the 1st NOP is replaced with E8 (call), the other 4 with the
            nop                     ; 32-bit distance between the instruction that follows the call
            nop                     ; (the pop eax below) and the routine itself
            nop

            pop  eax                ; the routine has removed its arguments; increment the seed
            inc  eax                ; value that we keep in eax and put it back on the stack
            push eax
        }

        // after the stub above has executed, the generated domain name is in lpbyDomainName -
        // drop it into the log (DropLog is the post's own helper and is not shown here)
        DropLog(szLogFile, (LPCSTR)lpbyDomainName);
    }

    __asm {
        pop eax                     ; discard the seed value, restoring the stack
    }

  • Compile your executable in debug mode.
  • Patch the section with the stub in it to make it executable.
  • Open your compiled executable in a hex editor, find your stub, and replace 1,771 bytes in it with the original Murofet code. This way we are, in a sense, “infecting” our executable with Murofet, but we don’t give its code any control just yet.
  • Open your executable in the disassembler, find your “glue” code created in step 3, and find the domain generation routine. Compute the difference between their addresses, that is, subtract the address where your 5 NOPs are located (incremented by 5, as your call will take 5 bytes) from the address of the domain generation routine; let’s say the distance is 0x010203. Then patch your 5 NOPs with a call to the generator by replacing them with E8 03 02 01 00 (the relative-call opcode followed by the distance in little-endian byte order).
  • Run your executable.
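The address arithmetic of the patching step above, as an added example that is not code from the original post: it encodes the 5-byte relative call that replaces the NOPs, locates the NOP stub in a byte image and checks the result by decoding the call back to its target. It runs on a small constructed image, not on the real harness, and assumes a flat 32-bit image in which offsets equal code addresses; for a real PE file the virtual address of the routine would first have to be translated to a file offset.

```python
# Added example, not code from the original post. Encodes and applies the
# "E8 + rel32" patch described in the post on a constructed byte image.
import struct

CALL_OPCODE = 0xE8
CALL_LEN = 5                 # E8 plus a 32-bit displacement
NOP_STUB = b"\x90" * CALL_LEN  # the placeholder left in the glue code


def call_rel32(call_addr: int, target_addr: int) -> bytes:
    """Encode 'call target' for placement at call_addr. The displacement is
    signed and measured from the END of the call (call_addr + 5), which is
    why the post adds 5 to the NOP address before subtracting."""
    disp = target_addr - (call_addr + CALL_LEN)
    return bytes([CALL_OPCODE]) + struct.pack("<i", disp)


def decode_call_target(image: bytes, call_addr: int) -> int:
    """Inverse of call_rel32: recover the absolute target of a patched call."""
    if image[call_addr] != CALL_OPCODE:
        raise ValueError("no E8 call at %#x" % call_addr)
    disp = struct.unpack("<i", image[call_addr + 1:call_addr + CALL_LEN])[0]
    return call_addr + CALL_LEN + disp


def find_stub(image: bytes) -> int:
    """Locate the 5-NOP placeholder; refuse to guess if it is not unique."""
    first = image.find(NOP_STUB)
    if first < 0:
        raise ValueError("5-NOP stub not found")
    if image.find(NOP_STUB, first + 1) >= 0:
        raise ValueError("more than one 5-NOP run; pass stub_addr explicitly")
    return first


def patch_call(image: bytes, target_addr: int, stub_addr: int = None) -> bytes:
    """Return a copy of image with the NOP stub replaced by 'call target_addr'."""
    if stub_addr is None:
        stub_addr = find_stub(image)
    if image[stub_addr:stub_addr + CALL_LEN] != NOP_STUB:
        raise ValueError("no 5-NOP stub at %#x" % stub_addr)
    patched = bytearray(image)
    patched[stub_addr:stub_addr + CALL_LEN] = call_rel32(stub_addr, target_addr)
    return bytes(patched)


def demo() -> int:
    """Constructed image: filler, the stub at offset 0x10, more filler, and a
    stand-in 'routine' (a push ebp / mov ebp, esp prologue) at offset 0x55."""
    image = b"\xcc" * 0x10 + NOP_STUB + b"\xcc" * 0x40 + b"\x55\x8b\xec"
    routine = 0x10 + CALL_LEN + 0x40
    patched = patch_call(image, routine)
    return decode_call_target(patched, find_stub_addr := 0x10)


if __name__ == "__main__":
    print("patched call resolves to %#x" % demo())
    print(call_rel32(0x1000, 0x1000 + CALL_LEN + 0x010203).hex(" "))
```

The check in find_stub matters in practice: a few Kb of 0x90 bytes elsewhere in the executable would contain many 5-NOP runs, so the stub should be found by its address from the disassembler, as the post does, rather than by searching.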

Over the past several years, Russia and China have been considered the world’s top cybercrime capitals, but a new haven for hackers and spammers might surpass these criminal cyber-hotspots in the near future. Statistics show that cybercrime is growing at a faster rate in Africa than it is on any other continent. In addition, according to recent estimates, 80 percent of PCs there are infected with malware.  With the installation of broadband internet cables (currently underway), one expert argues that the likelihood of cybercrime in Africa going global at a high rate is a legitimate concern.


By Marianne Layador - PC Tools Malware Research Team

Antivirus GT is another fake antivirus program originating from the same group of products as Personal Antivirus, Alpha Antivirus, Live Enterprise Suite and Live Security Suite. Like any other rogue, Antivirus GT could get onto a system after being unknowingly downloaded from a malicious site and installed without the user’s consent. It could also be manually installed by a user who mistakenly believed that the product was a legitimate program.


Once a system is infected, Antivirus GT automatically scans, gives reports about infections and recommends getting full-time protection by purchasing the product. However, the reportedly “infected” files are actually just files randomly tagged as threats in the user’s system.


The infamous hacker Albert Gonzalez was recently sentenced to 20 years in prison for his role in stealing approximately 130 million credit and debit card numbers. This punishment, the harshest ever handed down in an American court for a computer crime, marks progress in the battle against cybercrime. In most cases, however, the penalty does not fit the cyberattack, sending a dangerous message to cyberthieves that the crime is, in fact, worth the risk.


By Mylene Villacorte – PCTools Malware Research Team

Pursuant to the classic rogue security application modus operandi, Antivirus IS takes advantage of computer users’ fear and paranoia of getting infected by a worm or Trojan in order to persuade them into buying a useless product or service. Considering the risks and hassles resulting from identity theft, data loss, and the like, this particular form of extortion has proven highly effective.

Infection Method

Antivirus IS arrives as a file downloaded from the internet or dropped by other Trojan files. Once running on the machine, it initiates a fake system scan and will display a fake list of detected threats:

After this attempt to shock with non-existent infections, it proceeds to entice the user to purchase the product in order to clean their system:

Once the user clicks on the purchase button, it redirects to a website which will trick the user into entering credit card details:

If the user delays buying Antivirus IS, the program continuously displays fake alert messages to convince the user that their machine is really infected and that no other antivirus products will be able to protect them from these recurring alerts:

While data security is of great importance and it is wise not to act on threat alerts received while browsing, we also have to be wary of people who would take advantage of our legitimate concerns and scam us out of our hard-earned money. Remember, always follow best security practices when using the internet to avoid these kinds of traps. And if all else fails, do not put your trust in suspicious or alarmist products. Instead, go for an antivirus product or service with a good reputation, one that doesn’t have to rely on scaremongering to market its products.


Antivirus IS manual removal

Antivirus IS drops the following file:

“%Temp%\{random folder name}\{random file name.exe}”

Note: %Temp% usually refers to C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

It also creates the following registry keys/entries:

{random registry name} = "%Temp%\{random folder name}\{random file name.exe}"

HKEY_CURRENT_USER\Software\{random alphabets}

HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
JITDebug = "1"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures = "1"

LowRiskFileTypes = ".exe"

SaveZoneInformation = "1"

To remove the threat, delete the above mentioned registry key values and files.

WARNING: Editing the registry incorrectly can cause serious problems that may require you to reinstall Windows. PC Tools cannot guarantee that problems resulting from the incorrect editing of the registry can be solved. Edit the registry at your own risk or refer to our malware removal forum for guidance.


Cyberfraud, an all-too-common phenomenon these days, causes major headaches for any victim. But whereas banks provide protection for individuals who lose their money to cybercrooks, small businesses aren’t afforded a similar safety net.


There are many dangers lurking online – from identity theft to malicious software. Yet, many might not immediately think about the threats that can come from one’s own peers. Cyberbullying is a problem that affects nearly half of American teenagers, causing many to argue that authorities should take a greater role in policing this type of online harassment.


By Crescencio Reyes – PC Tools Malware Research Team

There has been an update to the current widespread Security Essential rogue malware. Like the previous variant, it still exhibits the same behavior. Upon running the binary, it will present you with a fake warning window showing that your computer is infected.

Figure 1: Warning window

Clicking on “Scan Online” shows a list of other legitimate security vendors allegedly detecting the threat, along with other rogue malware offering free installation.

Since the last post, Rogue Warning: Antimalware Doctor, there have been some new discoveries in the samples that came our way.


Antimalware Doctor installer has added a screen that attempts to trick unsuspecting victims that installing Antimalware Doctor is actually a System Security Pack Upgrade.


With each new cybersecurity report and study, it appears that every variety of cybercrime is increasing at an unstoppable rate – from a surge in banking trojans to an increase in the production of malware. Yet, despite these grim statistics, one report claims that the overall internet security risk is expected to be reduced in the next 10 years. According to Verizon’s top internet security expert, Peter Tippett, the cyberthreat landscape will change how businesses and consumers operate, leading to more effective security protection as organizations work together to combat cybercrime.


Ever since it first hit the news in June, the story behind the Stuxnet worm has continued to evolve, gaining importance as new bits of information have come to light.  Some researchers call the malware “groundbreaking” and say that it’s the most sophisticated piece of malware to date.  Because of its level of complexity and sophistication, many have concluded that the Stuxnet worm is a state-backed attack on another government’s infrastructure—and some now report that Iran is the intended target.


Expressing oneself in 140 words or less is a popular phenomenon; in fact, Twitter was the fastest growing social network in 2009. A recent report by Barracuda Labs links this increase in public interest to a key rise in celebrity sign-ups at the beginning of last year. Alas, the report also details that as a result of this surge in popularity, Twitter was plagued with a rising number of cyberattacks. Preying upon the vulnerabilities of the microblogging platform, cybercriminals have conducted a host of illegal activities on the site, including identity theft, spam campaigns, and phishing scams.


As the economy slowly begins to recover from the recession of the last few years, businesses are reprioritizing and looking for key positions to face current challenges. One main focus, according to a recent article in the San Francisco Chronicle, is cybersecurity. The rising tide of cybercrime is a threat that no business can ignore. The amount of malware doubled last year, and cyberfraud and other online scams are increasing at a frightening rate. Cybercriminals are attacking businesses of all sizes through sophisticated ploys – from targeted strikes on employees to money mule schemes.

By Alan Lee – PC Tools Malware Research Center

Security Essential is a rogue security application that attempts to falsely detect malware on the victim’s computer and prompts the victim to pay for removal of those false detections. What is interesting about Security Essential is the way it entices users to install the rogue application. When executed, Security Essential first pops up a window that looks similar to Microsoft Security Essentials (a legitimate application from Microsoft), informing the user that the computer is infected with malware.

Figure. 1 Fake Security Essential alert


In the most controversial information leak in recent history, international whistleblower website WikiLeaks recently released 75,000 formerly unavailable U.S. military reports detailing the war in Afghanistan. Most of the posted information consists of reports radioed in from the front line.

Based in Sweden, WikiLeaks is a mysterious organization, founded by Chinese dissidents, as well as international journalists, mathematicians and technology experts. They claim to function as a “multi-jurisdictional public service designed to protect whistleblowers, journalists and activists who have sensitive materials to communicate to the public.”


In the post-9/11 United States, terrorism is one threat of which every American is all too aware. As the internet becomes more important to every aspect of our lives, a new danger might soon replace the fear of traditional attacks: cyberterrorism. The term “cyberterrorism” is a controversial one as some experts use a narrow definition, referring specifically to attacks on information technologies by terrorist organizations in order to create panic.  Other authorities, on the other hand, define the term more generally, identifying cyberterrorism as any type of premeditated activity that disrupts the workings of computer networks in order to do harm or to promote political or ideological objectives.


Author: Alan Lee – PC Tools Malware Research Team

Antimalware Doctor is a rogue security application that attempts to entice victims to pay for malware removal by falsely detecting malware on infected computers.

Antimalware Doctor belongs to a family of rogue security applications which includes the following:
