Archive for January 10th, 2008

A Tangled Web…of Malware

January 10th, 2008 by Paul Ferguson (Advanced Threats Researcher)

Following up on some new ZLOB domains and malware, I continue to be amazed at the efforts of cybercriminals to social engineer the Web, poison Web search engines, pollute news and blogging Web sites, register bogon domains, and obtain hosting in their ongoing efforts to reach their ultimate goal — to separate more and more unsuspecting users from their money.

My esteemed colleagues over at Sunbelt Software blogged earlier tonight about a new spam, SEO, and social engineering campaign that lures unsuspecting users to a bogus video Web site. That site in turn entices the visitor to download a piece of malware disguised as an ActiveX control, which purports to be needed to view some arbitrary video.

One of the things that stood out for me in the Sunbelt blog posting was an image of the results of a Google search, which returned a hit for this topic (Barbara Moratek) on the popular news-rating Web site, Digg.com, as seen in the screen shot below.

[Screenshot: digg_moratek-ivete.JPG, the Digg.com hit returned by the Google search]

Following the “bouncing malware” breadcrumbs (as my colleague Ivan Macalintal likes to say) reveals an extraordinarily complex set of redirects, deliberately entangled to mask the path, which eventually leads to the landing Web site. That site then “asks” the user to install the malware in the guise of an ActiveX control.

[Diagram: tangled_web_zlob.JPG, the redirect chain from the Digg hit to the ZLOB landing site]

The methodology of jumping from one host to another, and then to another, ad nauseam, is an old-school method to thwart efforts to pinpoint the flow of criminal activity.
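Tracing a chain like the one above is mostly bookkeeping: follow each Location header by hand, record every hop and host, and stop before anything the last host serves is rendered or executed. The following is an added example, not code from the original post or from Trend Micro, of that bookkeeping. The redirect map it walks is constructed for illustration (the hostnames are documentation examples, not the real ZLOB hosts); the `fetch` callable is the only thing you would swap for a real HTTP client, and only from an isolated analysis box.

```python
"""Added example (not from the TrendLabs post): walk a redirect chain hop by hop,
recording each URL and status, resolving relative Location headers, and stopping
on a non-redirect, a loop, or a hop limit. Nothing served by the hosts is executed."""
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 20
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed stand-in for live HTTP responses: url -> (status, Location header or None).
# These hosts are illustrative and not the hosts from the original investigation.
FAKE_RESPONSES = {
    "http://news-aggregator.example/story?id=1": (302, "http://redir1.example/go"),
    "http://redir1.example/go": (301, "http://redir2.example/r/"),
    "http://redir2.example/r/": (302, "video-landing/"),          # relative Location
    "http://redir2.example/r/video-landing/": (302, "http://landing.example/view.php"),
    "http://landing.example/view.php": (200, None),               # the "install ActiveX" page
    "http://loop-a.example/": (302, "http://loop-b.example/"),    # two hosts bouncing to each other
    "http://loop-b.example/": (302, "http://loop-a.example/"),
}


def fake_fetch(url):
    """Stand-in fetcher; a real one would issue the request with redirects disabled
    and return (status_code, Location header)."""
    return FAKE_RESPONSES.get(url, (404, None))


def trace_redirects(start_url, fetch=fake_fetch, max_hops=MAX_HOPS):
    """Return the chain as a list of (url, status). The final entry's status is the
    terminal HTTP status, or the string 'loop' / 'hop-limit' when tracing was cut off."""
    chain, seen = [], set()
    url = start_url
    for _ in range(max_hops):
        if url in seen:                    # same URL twice: the hosts are bouncing us around
            chain.append((url, "loop"))
            return chain
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)   # Location may be relative to the current hop
        else:
            return chain
    chain.append((url, "hop-limit"))       # never follow an unbounded chain
    return chain


def hosts_in_chain(chain):
    """Distinct hosts in hop order (consecutive repeats collapsed), for blocklisting
    and for seeing how many hands the traffic passed through."""
    hosts = []
    for url, status in chain:
        if not isinstance(status, int):
            continue
        host = urlsplit(url).hostname
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for url, status in trace_redirects("http://news-aggregator.example/story?id=1"):
        print(f"{status:>9}  {url}")
    print("hosts:", hosts_in_chain(trace_redirects("http://news-aggregator.example/story?id=1")))
```

The hop limit and the loop check are the two things people forget: a live chain can be made to bounce forever, and a tracer without a ceiling will happily oblige. With a real fetcher, disable automatic redirect following so that each hop is recorded individually rather than collapsed into the final response.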

The last hop in the traffic redirection flow above asks the user to download a ZLOB binary disguised as an “ActiveX control” from yet another host, this one located in Ukraine.

All of this illustrates the level of sophistication cybercriminals are achieving, and the lengths to which they will go to engineer a method for perpetrating their crimes.

And please, folks — don’t visit any of these IP addresses or Web sites — many of these are still real, live, and dangerous. We provide this information as a service — we want you to stay informed — but we don’t want you to put your security at risk.

We are actively monitoring these developments, blocking these domains, and adding protection for our customers as we discover these activities.

Let’s be careful out there!

Paul “Fergie” Ferguson
Internet Security Intelligence
Advanced Threats Research

A Port-Hiding Rootkit

January 10th, 2008 by Edgardo Diaz, Jr. (Threats Analyst)

Aside from the MBR rootkit, TrendLabs researchers have come across another rootkit, this one hiding network ports.

The rootkit file we discovered hooks TCPIP.SYS and related functions inside it, so the hidden connections disappear from the infected host’s own view of its network activity.

It hides any TCP connection whose destination port satisfies the following condition:

DestinationPort>3000 OR (DestinationPort<1000 AND DestinationPort!=80 AND DestinationPort!=25)

In other words, everything above port 3000 is hidden, as is everything below port 1000 except HTTP (80) and SMTP (25); connections to ports 1000 through 3000, and to ports 80 and 25, remain visible.

These ports are the ones used by the malware on the infected machine. The rootkit, TROJ_ROOTKIT.DU, was indirectly included in the TROJ_PUSHDO.AD, TROJ_PUSHDO.AR (eCard), and WORM_NUWAR.EN (spam mail) packages: upon execution, each of these downloads TROJ_ROOTKIT.DU as a rootkit component to add stealth to the respective malware family.
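Because the hiding happens inside TCPIP.SYS on the victim, the host’s own netstat cannot be trusted; the practical check is a cross-view comparison, i.e. connections seen on the wire (a span port, firewall log, or netflow) but absent from the host’s list. The following is an added example, not code from the original post or from Trend Micro. It encodes the hide rule quoted above as a predicate, and runs the cross-view comparison over constructed netstat-style lines; the sample addresses are documentation ranges, and treating the foreign port of an outbound connection as the rule’s “DestinationPort” is an assumption of the example.

```python
"""Added example (not from the TrendLabs post): the TROJ_ROOTKIT.DU port-hiding rule
as a predicate, plus the cross-view check that exposes connections it hides."""
import re

HTTP, SMTP = 80, 25


def is_hidden_port(dst_port: int) -> bool:
    """The hide rule as quoted in the post:
    DestinationPort>3000 OR (DestinationPort<1000 AND DestinationPort!=80 AND DestinationPort!=25)
    """
    return dst_port > 3000 or (dst_port < 1000 and dst_port not in (HTTP, SMTP))


# Constructed netstat-style output (Windows 'netstat -n' layout), not a real capture.
# This represents what an external observer (tap, firewall, netflow) sees for the host.
NETWORK_VIEW = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:1033          198.51.100.7:80        ESTABLISHED
  TCP    10.0.0.5:1034          203.0.113.9:25         ESTABLISHED
  TCP    10.0.0.5:1035          192.0.2.44:8080        ESTABLISHED
  TCP    10.0.0.5:1036          192.0.2.45:443         ESTABLISHED
  TCP    10.0.0.5:1037          192.0.2.46:1024        ESTABLISHED
  TCP    10.0.0.5:1038          192.0.2.47:3000        ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_connections(text):
    """Return the set of (foreign_ip, foreign_port) pairs from netstat-style lines;
    header and non-TCP lines are ignored."""
    conns = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.add((m.group(3), int(m.group(4))))
    return conns


def rootkit_filter(conns):
    """Simulate the infected host's own netstat: the hooked TCPIP.SYS drops every
    entry whose foreign (destination) port matches the hide rule. Assumption: the
    rule's DestinationPort is the foreign port of an outbound connection."""
    return {c for c in conns if not is_hidden_port(c[1])}


def cross_view_diff(host_view, network_view):
    """Connections present on the wire but missing from the host's own view are
    candidates for kernel-level hiding and should be investigated."""
    return sorted(network_view - host_view)


def demo():
    """Run the check against the constructed sample and return the hidden connections."""
    network = parse_connections(NETWORK_VIEW)
    host = rootkit_filter(network)          # stands in for netstat run on the infected box
    return cross_view_diff(host, network)


if __name__ == "__main__":
    for ip, port in demo():
        print(f"hidden on host but seen on wire: {ip}:{port}")
```

On the sample, the connections to 8080 and 443 vanish from the host view while 80, 25, 1024 and 3000 survive, which is exactly the shape the rule predicts. In practice the network view comes from a device the rootkit cannot touch, and any non-empty diff is worth a memory image rather than another run of netstat.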

Here are screenshots:

