Friday, May 23, 2008

Will summer break bring the normal malware influx?

Summer break is just around the corner and I started to ask myself if we would notice the normal influx of malware we used to see from students out on break in the not too distant past.

With large crime-ware groups operating most of the malware we see and hear about daily, it seems like we forgot about the so-called “script kiddies” who used to bring so much burden to the anti-malware world at this time of year.

Last summer it seemed like the script kiddies had dropped off the face of the planet, but maybe they were just overshadowed by all the hype and media attention that the RBN and Storm were drawing last year. I personally think that this was the case: they weren’t gone, we just didn’t hear anything about them because they weren’t having the huge impact they had in the past. With thousands of new malware samples being seen daily, would the few extra hundred a week (or month) really be that noticeable in the overall picture?

I guess only time will tell, but look out for new malware to come out this summer!

Sunday, May 11, 2008

Mass File Injection - Redirecting to DNSChanger Download

Mike from UploadMalware.com's team has discovered a mass file injection attack going around that injects the two URLs below into sites running any version of the phpBB forum software.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js

The two URLs point to a JavaScript redirect script that automatically redirects visitors to a fake codec download site. These fake codecs are known as DNSChanger. Anyone running phpBB should check their servers.
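As an added defensive example (not code from the post or from UploadMalware.com), a small Python scanner that walks a web root such as a phpBB install and flags any script tag whose src host is one of the two hosts named above. The web root it builds in demo() consists of constructed sample files, not real phpBB sources.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# The two script hosts named in the post. Matching on hostname means the
# "hxxp" defanging used in the write-up does not matter here.
KNOWN_BAD_HOSTS = {"free.hostpinoy.info", "xprmn4u.info"}

# Any <script ... src=...> tag, quoted or unquoted, case-insensitive.
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def find_injected_scripts(text, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (line_number, url) for each script tag whose src host is known-bad."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(text):
        url = m.group(1)
        host = urlparse(url).hostname  # also handles "//host/f.js" and "hxxp://"
        if host and host.lower() in bad_hosts:
            hits.append((text.count("\n", 0, m.start()) + 1, url))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".tpl"), bad_hosts=KNOWN_BAD_HOSTS):
    """Walk a web root (e.g. a phpBB install) and map each tainted file to its hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() in exts):
            continue
        try:
            hits = find_injected_scripts(path.read_text(errors="replace"), bad_hosts)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings

def demo():
    """Scan a constructed web root (sample files, not real phpBB sources)."""
    with tempfile.TemporaryDirectory() as root:
        p = Path(root)
        (p / "index.php").write_text(
            "<html><body><script src='/js/local.js'></script></body></html>\n")
        (p / "viewtopic.php").write_text(
            "<?php /* forum page */ ?>\n<html><head>\n"
            '<script type="text/javascript" src="http://free.hostpinoy.info/f.js"></script>\n'
            "</head></html>\n")
        return scan_tree(root)
```

Point scan_tree() at a real document root to get a map of file path to (line, URL) pairs; demo() shows the expected shape of the result on the constructed sample.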

At the time of this writing, over 400,000 hits are shown in Google when you search for the URLs.

If anyone has any information as to how the scripts are being injected or which exploit is being used, please contact me at dnelson(shift+2)uploadmalware.com.
Antivirus detection results for the fake codec (DNSChanger dropper) at the time of writing:

Antivirus          Version        Last Update  Result
AntiVir            7.8.0.17       2008.05.11   DR/Dldr.DNSChanger.Gen
AVG                7.5.0.516      2008.05.11   DNSChanger.AE
ClamAV             0.92.1         2008.05.11   Trojan.Dropper-6806
F-Secure           6.70.13260.0   2008.05.12   Trojan.Win32.DNSChanger.clm
Ikarus             T3.1.1.26.0    2008.05.12   Virus.Trojan.Win32.DNSChanger.chg
Kaspersky          7.0.0.125      2008.05.12   Trojan.Win32.DNSChanger.clm
Norman             5.80.02        2008.05.09   Vundo.gen171.dropper
Prevx1             V2             2008.05.12   Cloaked Malware
Sophos             4.29.0         2008.05.11   Troj/Zlobar-Fam
TheHacker          6.2.92.307     2008.05.11   Trojan/DNSChanger.chg
Webwasher-Gateway  6.6.2          2008.05.11   Trojan.Dropper.Dldr.DNSChanger.Gen

Sunday, May 4, 2008

New Storm Moving In – Presumably for Mother’s Day

One of our researchers at UploadMalware.com has found indications of a new Storm worm variant moving in.

At the time of this posting we have not had any reports of spam from the botnet using the three domains that were found in the research, but the files are definitely there and the domains are fast-fluxing as per the normal method. We can only presume they are gearing up for a Mother’s Day Storm campaign to raise their numbers.

The three domains we have found to this point are: (visit at your own risk)

stateandfed.cn, apartment-mall.cn and centerprop.cn

On execution, the file load.exe copies itself to %windir%\libor.exe and drops the standard peers.ini as gogora.config. libor.exe is then added to the Run key in the registry so that it executes on every reboot.

So as not to add to the problem, I personally only ran the exe with an internet connection for about 1 minute, and it contacted ~1700 other infected boxes. Other research done by members of UploadMalware.com indicates approximately 100,000 or more which are still infected (the number was obtained by methods other than running the file).

This runs contrary to computerworld.com’s article that Microsoft had killed the Storm worm.

The article had already been strongly disputed by researchers.

Storm worm is alive and well. It may be smaller than when it first came onto the scene, but it seems that when their numbers dwindle they come back with another holiday-targeted mail campaign and boost the numbers back up. The Storm group isn’t going anywhere as far as I can tell.

Jeremy over at sudosecure.net has posted some more info here.