ESET Threat Blog

Archive for the 'Pierre-Marc Bureau' Category

Tamper-Proof Anti-Malware


Monday, November 2nd, 2009

As I already mentioned briefly in a blog about our October Threat Trends Report, researchers Christopher and Samir came up with an interesting idea at the First International Workshop on Aggressive Alternative Computing and Security, held under the auspices of ESIEA Laval (École Supérieure d'Informatique, Electronique et Automatique).

They took a handful of scanners (including NOD32), installed them, then logged in as administrator and tried to disable them as fast as possible. It's nice to know that NOD32 turned out to be more resistant than most to tampering like this, whereas some products can be disabled by simply manipulating support files on disk. Frankly, though, if I were using the product that was disabled in two minutes rather than thirty-three, I probably wouldn't change products on the basis of this test. The sad fact is that if you have direct access to a machine with administrator rights, it's usually game over. Essentially, it's all about context.

As Pierre-Marc has suggested, this isn't a very effective measure of a product's effectiveness.

“Malware has to execute code to disable the AV. If a piece of malware is detected, it will never execute and thus the process of the antivirus is safe. Our proactive detection is our best defense against disabling of ESET’s program by malware.”

You might be reminded of the infamous “Race to Zero” contest at Defcon 16, which essentially told no-one anything new but generated much heated discussion among our readers (http://www.eset.com/threat-center/blog/?s=race+to+zero).

In fact, useful research often comes out of ESIEA, and at least this exercise was apparently carried out without using real malware (unless you have a very prejudiced view of the EICAR test file) or reverse engineering. As Aryeh Goretsky, ESET Distinguished Researcher, has suggested, we look forward to receiving more details, in order to see whether we can make use of them to strengthen the product. He also suggests that given the reliance in this exercise on physical access to systems, it would be quicker and easier to boot from removable media to carry out such an attack in the real world, and that strong passwords and disk encryption could be used to mitigate the risk.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Genial Geneva and a note for Francophones


Tuesday, September 22nd, 2009

Bonjour mes amis!

Well, I am in Switzerland, and very close to the French border, for the Virus Bulletin conference – perhaps the most eagerly anticipated event in the anti-malware researcher’s calendar. How sad is that?

I also thought you might like to further extend your French skills on an article here, about a presentation Pierre-Marc made at our offices in Bratislava: http://www.globalsecuritymag.fr/Voyage-au-coeur-du-Cyber-crime,20090918,12795.html.

I think that means "A voyage to the heart of cyber-crime", but my French is about forty years rusty. If you’re here (or will be when the conference proper starts tomorrow), come and say hello!

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


A Matter of Life and Delf? Malware on the Fiddle


Wednesday, August 5th, 2009

There’s been a certain amount of buzz in the past couple of days about messages claiming to link to Wire Transfer information, but actually related to a Trojan commonly called Delf or Doneltart. ESET is detecting the examples we’ve been seeing as a variant of Win32/TrojanDownloader.Delf.OZG.

The messages generally look something like this (at least, all the samples I’ve seen have). The subject field takes the form:

Wire Transfer Info for <1stname> <2ndname>

The message looks like this:

For more details please download the invoice found on this link:
[http://]<domain></folders>/transfer.php?name=<1stname><2ndname>

The link goes to a domain in Italy somewhat appropriately named after a region historically associated with violin making, or a subdomain thereof. The fiddle in this case, of course, is that the link is to a Trojan Downloader, this being a very common payload for this family of malware, though some members have been seen to redirect web traffic or mess about with applications.
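The lure format described above (a "Wire Transfer Info for <1stname> <2ndname>" subject and a link to a transfer.php page whose name parameter is the two names run together) is regular enough to triage automatically. The following is an added example, not code from the ESET post: a Python check that parses a message, extracts the URLs from its body and flags it only when both the subject pattern and the transfer.php link with a matching name are present. The sample messages, the example.invalid domain and the "Jane Doe" name are constructed for the demonstration; the check assumes the link carries the path shown in the post, with or without a scheme.

```python
# Added example (not from the ESET post): a small mail-triage check for the
# wire-transfer lure described above. It parses an RFC 822 message, pulls the
# subject and every URL out of the body, and flags the message when the subject
# matches "Wire Transfer Info for <first> <last>" and a link points at a
# transfer.php page whose name= parameter is the same two names run together.
import email
import re
from email.message import Message
from urllib.parse import urlparse, parse_qs

SUBJECT_RE = re.compile(r"^\s*Wire Transfer Info for\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)
# The post shows the scheme in brackets, so treat "http://" as optional but
# require a host, a TLD and a path.
URL_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/[^\s<>\"']*", re.IGNORECASE)


def message_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts of a message (single or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def extract_urls(body: str) -> list:
    """Return every URL-looking token in the body, with a scheme prepended if absent."""
    return [u if "://" in u else "http://" + u for u in URL_RE.findall(body)]


def is_wire_transfer_lure(raw_message: str) -> bool:
    """True when subject and body together match the Delf wire-transfer lure."""
    msg = email.message_from_string(raw_message)
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if not m:
        return False
    expected_name = (m.group(1) + m.group(2)).lower()
    for url in extract_urls(message_text(msg)):
        parsed = urlparse(url)
        if not parsed.path.lower().endswith("/transfer.php"):
            continue
        names = parse_qs(parsed.query).get("name", [])
        if any(n.lower() == expected_name for n in names):
            return True
    return False


# Constructed sample messages (placeholder domain, fictitious name).
SAMPLE_LURE = """From: sender@example.invalid
To: victim@example.invalid
Subject: Wire Transfer Info for Jane Doe

For more details please download the invoice found on this link:
http://example.invalid/docs/transfer.php?name=JaneDoe
"""

SAMPLE_BENIGN = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Wire Transfer Info for Jane Doe

Hi Jane, the wire went out this morning; see the statement in our portal:
https://example.invalid/portal/statements
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", "FLAGGED" if is_wire_transfer_lure(sample) else "clean")
```

Requiring both the subject pattern and the transfer.php link keeps the rule from flagging a genuine message that merely reuses the subject wording; in practice you would feed the flagged messages to the scanner rather than rely on this rule alone.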

These messages may look familiar: the gang behind this malware family seems rather fond of social engineering around wire transfers, as a report going back to June from the Internet Storm Center indicates. That’s because in this case at least, quite a few of the targeted domains are financial institutions, and on that occasion the message was along the lines of:

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Detection of this wave of malware seems to be reasonable, in general. Here’s a VirusTotal report Pierre-Marc has sent me relating to one of the samples he’s seen (23 detections out of 41 products):

http://www.virustotal.com/analisis/57b19e0a576be2d0493a00893cbd35e0cb4c278af106e06d9c906ab7028ab73a-1249334843

The hit rate varies between samples, though: I’ve seen reports as low as 16 for some, but NOD32 hasn’t failed to detect any of the samples I’ve tried subsequently (half a dozen or so, so far). That doesn’t, of course, mean I can guarantee we have 100% detection!

The really encouraging thing about this issue has been the generous exchange of information between researchers on certain specialist lists. Because of the nature of those lists, it’s best if I don’t name names (apart from Pierre-Marc of course!), but you guys know who you are. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


SlideShare used to spread malware


Monday, August 3rd, 2009

Over the weekend our colleagues at ESET Latin America found that Slideshare was being used to spread malware. As they haven’t found much information on the web about this, Sebastián Bortnik blogged today about what they found. (Errors in translation and interpretation should be attributed to David Harley!) I’ve added some thoughts and some content based on discussions I’ve had subsequently with Pierre-Marc.

When monitoring known sources of rogue antimalware, it’s common to find sites used for the active spread of malware. ESET Latin America have already reported in their blog a number of highly effective attacks, directed at the many users looking for free security products.

This weekend, they found a new platform used to spread malware: Slideshare.net. This website is very widely used for sharing presentations, but now it is being exploited by attackers, creating fake slide decks and using social engineering techniques to pass them off as having themes that will appeal to potential victims.

A case in point is a file they found to be passed off as a cracked download of ESET’s NOD32 scanner. The presentation includes a slide that has a single link, and adds in the SourceForge.Net logo to give more credibility to the download. (Though you may wonder, as I did, since when has SourceForge been distributing cracked commercial software?!?)

If the user clicks on the link, he or she will be directed to a website that looks like SourceForge.Net, but is actually a spoofed site set up for malicious purposes. That site then offers a file for download which has an .EXE extension.

In the case investigated by ESET Latin America, if the user downloads the file, it does not, of course, install any antivirus software. On the contrary, his system gets infected with a malware variant detected proactively by ESET NOD32 heuristics as Win32/Kryptik.YT. However, Pierre-Marc tells me that he’s subsequently been seeing files with a different filename downloaded from a URL suggesting a Chinese origin. This file is detected as Win32/TrojanDownloader.FakeAlert.ADB, which is used to download fake anti-virus software, and a sample submitted to VirusTotal indicated good antivirus detection (31/41). The problem, however, is that these attacks are not aimed at people who already have competent anti-malware, but at people who are looking for a (preferably free) solution, even if it’s pirated.

More than ever, you need to be careful in carrying out downloads from the Internet, as any platform may suddenly be found to be used or misused to propagate malicious code. Particularly in a case like this: it only makes sense to download security applications from their official websites: after all, if a site is prepared to offer pirated software, why would you assume that it has honest and benevolent intentions towards people who take up that offer? In fact, attackers are constantly seeking new platforms by which to propagate their threats, and they are not slow to seize the opportunity to misuse any new means of propagating malware. In fact, malware that passes itself off as antivirus is almost as old as antivirus.

The situation may be exacerbated by the fact that Powerpoint is generally regarded as a "safe" format, even though it can be misused in a number of ways to carry malicious code (macros, embedded files and so on). In this case, however, it’s not just a question of whether the file is innocent: it’s also a matter of realizing that an uninfected document may carry a link to a dangerous site.

Sebastián Bortnik, Pierre-Marc Bureau, David Harley


That Wasn’t Your Sweetheart


Tuesday, February 10th, 2009

Pierre-Marc just posted about “Win32/Waledac for Valentine’s Day”. The fake greeting cards are an ongoing scam. As Pierre-Marc indicated, this one is using polymorphism, which is a fancy way to say the malicious software disguises itself to look different each time someone encounters it. This is done to break signature-based detection, which is why heuristics are very important.

Even heuristics are not perfect, so it is important that users learn to make good decisions. When you receive an email purporting to be a greeting card, there are some precautions you should take. Legitimate greeting cards never download an executable file. Your egreeting should not prompt you to download a file. If you are prompted, then cancel and close your browser.

http://www1.yahoo.americangreetings.com/emailprotection/ has some tips for identifying real versus fake greeting cards. I recommend you read the tips there. Education is really your best defense; security software, as I have said before, is like a seatbelt. It can’t prevent all accidents and it can’t prevent all injury when there is an accident, but it’s still a good idea to have it. Good judgment can’t be replaced by software and the more you educate yourself, the better your judgment will be.

A valid greeting card will be sent to you personally and come from someone you know, not “a friend”, or “your sweetheart”, etc. If someone wants to send you an anonymous card, then either know how to read the URL that the link to the card is pointing to, or just delete it.

For this Valentine’s Day, if you get an ecard and are not sure if it is legit, feel free to send it to me at askeset@eset.com and I’ll let you know what the signs are that it is fake or valid.

Randy Abrams
Director of Technical Education

Malware Trying to Avoid Some Countries


Thursday, January 15th, 2009

There are different techniques that can be used by a program to identify in which country it has been installed.  It can check for time zone information, public IP addresses or even domain names.  Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs in specific countries.

We have found some variants of Win32/TrojanDownloader.Swizzor using the following code:

call    GetSystemDefaultLangID ; Indirect Call Near Procedure
[...]
mov     edi, eax
[...]
cmp     di, 419h
jz      end_function

This code calls the GetSystemDefaultLangID function and compares the result to a constant, 0x419.  Browsing through MSDN documentation reveals that this constant’s value translates to LANG_RUSSIAN.  It turns out that these variants of Win32/TrojanDownloader.Swizzor will exit before infecting a computer, if they find out that the default system language is Russian.

We have also identified the following code in the earliest variants of the Win32/Conficker malware:

push    edi             ; lpList
push    esi             ; nBuff
call    ebx             ; GetKeyboardLayoutList
cmp     esi, eax
jnz     short list_not_found
dec     esi
cmp     word ptr [edi+esi*4], 422h
jz      short dont_install

Here, the malware tries to retrieve a list of keyboard layouts and works through that list.  If a layout is found with the language identifier of 0x422, the routine terminates and the malware is not installed.  This means that some variants of the Win32/Conficker family will not install on a computer that uses a Ukrainian keyboard layout.  Please note that this behavior is only present in W32/Conficker.A.  Later variants of this malware infect any PC they can access without checking the keyboard layout.
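Both checks above hinge on the layout of a Windows LANGID: the low ten bits hold the primary language and the top six bits the sublanguage, and the low 16 bits of each HKL handle returned by GetKeyboardLayoutList carry that same identifier. The following is an added example, not code from the ESET post, that decodes a LANGID and re-implements the Swizzor and Conficker.A decisions in Python, so an analyst can see which system configurations would make each sample bail out. The LANG_* and SUBLANG_DEFAULT values are the documented winnt.h constants; the HKL sample lists are constructed for the demonstration.

```python
# Added example (not from the ESET post): decode Windows LANGID values and
# re-implement the two geo-avoidance checks described above, so the effect of
# a given system configuration on each sample can be reasoned about offline.
from typing import Iterable

# Documented winnt.h constants. A LANGID packs the primary language in bits
# 0-9 and the sublanguage in bits 10-15.
LANG_ENGLISH = 0x09
LANG_RUSSIAN = 0x19
LANG_UKRAINIAN = 0x22
SUBLANG_DEFAULT = 0x01

PRIMARY_LANG_NAMES = {
    LANG_ENGLISH: "LANG_ENGLISH",
    LANG_RUSSIAN: "LANG_RUSSIAN",
    LANG_UKRAINIAN: "LANG_UKRAINIAN",
}


def primary_lang_id(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of the LANGID."""
    return langid & 0x3FF


def sub_lang_id(langid: int) -> int:
    """SUBLANGID(): the top 6 bits of the 16-bit LANGID."""
    return (langid >> 10) & 0x3F


def make_langid(primary: int, sub: int) -> int:
    """MAKELANGID(): pack primary and sublanguage back into a LANGID."""
    return ((sub & 0x3F) << 10) | (primary & 0x3FF)


def describe_langid(langid: int) -> str:
    """Human-readable form, e.g. '0x0419 = LANG_RUSSIAN (primary 0x19, sublang 1)'."""
    name = PRIMARY_LANG_NAMES.get(primary_lang_id(langid), "unknown")
    return (f"0x{langid:04X} = {name} "
            f"(primary 0x{primary_lang_id(langid):02X}, sublang {sub_lang_id(langid)})")


def swizzor_would_bail(system_default_langid: int) -> bool:
    """Swizzor check: 'cmp di, 419h / jz end_function' compares the 16-bit LANGID
    from GetSystemDefaultLangID with 0x0419 (Russian, SUBLANG_DEFAULT)."""
    return (system_default_langid & 0xFFFF) == 0x0419


def conficker_a_would_bail(keyboard_layouts: Iterable[int]) -> bool:
    """Conficker.A check: GetKeyboardLayoutList fills an array of HKL handles whose
    low 16 bits are the layout's language identifier. 'cmp word ptr [edi+esi*4], 422h'
    tests that low word of each entry against 0x0422 (Ukrainian)."""
    return any((hkl & 0xFFFF) == 0x0422 for hkl in keyboard_layouts)


if __name__ == "__main__":
    # Constructed HKL lists: a US English only machine, and one with a
    # Ukrainian layout added (HKL low word = LANGID, high word = layout id).
    us_only = [0x04090409]
    with_ukrainian = [0x04090409, 0x04220422]
    for langid in (0x0409, 0x0419, 0x0422):
        print(describe_langid(langid), "-> Swizzor bails:", swizzor_would_bail(langid))
    print("Conficker.A bails (US only):", conficker_a_would_bail(us_only))
    print("Conficker.A bails (with Ukrainian):", conficker_a_would_bail(with_ukrainian))
```

Note that the Swizzor comparison is against the full LANGID, so a Russian primary language with a non-default sublanguage would not match it, whereas the keyboard-layout check only needs one Ukrainian layout anywhere in the list; a sandbox that wants to observe the full behaviour of such a sample has to avoid both conditions.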


What we are seeing now is probably the beginning of a new trend.  Malware authors will try to avoid infecting PCs in specific countries to limit the risk of legal actions taken against them.  In most countries, there usually needs to be a victim or a complaint before law enforcement agencies take legal action against an offender in cases of malware infection.  In cases where an attacker only targets victims outside of his country, it is much harder for law enforcement agencies to take action.

Special thanks to Sebastien Doucet and Volodymyr Pikhur for their help.

Pierre-Marc Bureau

Researcher

Fake Holiday eCards: Are You Surprised?


Sunday, December 21st, 2008

Yesterday, we started to receive reports of emails pretending to carry links to holiday cards.  These emails contain a link that points to a file named ecard.exe.  Of course, this executable is not a seasonal holiday card but malware.  The reason this wave of malware has attracted our attention is that it is very similar to the Storm Worm attacks we were seeing last year.

Although this attack uses fast-flux to make it harder to trace its web servers and a redirection page very similar to those used by Storm last year, this is not the resurrection of the Storm botnet.  Analysis of the binary proves it to be different to Storm.  It was programmed using a different programming language and includes different functionalities.  This malware, detected as a variant of Win32/Waledac by ESET Antivirus, has no peer-to-peer capabilities and uses an open-source packer instead of the custom packers used by Storm.  Also, the Waledac threat has cryptographic capabilities that were not present in Storm.

What we are observing today is proof that malware authors are learning from each other’s errors and successes.  After seeing that Storm was able to infect thousands of systems last year with Christmas-related social engineering, the criminals behind other malware families are now trying to emulate that success.

Pierre-Marc Bureau

Researcher