Category Archives: Thoughts
Backdoor Buterat, a multipurpose trojan
The backdoor trojans from Buterat(Butirat according to Dr.Web security vendor) family appear two years ago on the scene and was improved by its creators with each version. The latest version added new features as self modifying the data in the PE header(the executable file first bytes) in order to modify its hash. This renders unusable or better said ineffective the identification based on file hashes and antivirus detection based on files signature is deceived packing the malware with modified version of UPX. More, it was added the capability to intercept the traffic generated by the main browsers(Internet Explorer, Mozilla Firefox, Opera) especially the requests sent to search engines like Google, …
Tsunami – The new backdoor trojan transform your Mac in a zombie
In computing terms, a “zombie” is a compromised computer used to perform different nefarious tasks, being controlled remotely by the attacker. Exactly this is a Mac OS X system infected by OSX/Tsunami-A backdoor trojan. It seems to be the same trojan as Troj/Kaiten which infected in the past Linux based systems, only this time ported to Mac OS X operating system. The attackers control the compromised systems via IRC channels and one of the main commands the attacker can gives to it remotely is to launch DDos attacks against websites at the attacker choice. Practically a botnet of compromised computers is created and if at a certain moment choosed by …
What is a malicious software(malware) and how to detect it
Let’s take a look at the next scenario: in a morning when you check your emails, you find one with the subject “Top Ten jokes about wives” or … “Eva Mendes naked in the pool” but the sender is unknown to you. The email has a PDF file as attachment or maybe contains a link, what are you gonna do? Perhaps you think: if the attachment is not an executable then it can not be a virus and it’s safe to open it or if it’s about a website, it’s safe to visit it as long as I don’t download anything. Then you open and view the attachment which indeed …
ZeroAccess malware served via Google Alerts
Now, this story is crazy. Because I am a subscriber for Google Alerts service (among the keywords there are trojan and virus) this evening I have received an email from Google Alerts looking like this : You can see under Web section this URL address : http://www.google.com/url?sa=X&q=http://wcbi.com/photos/img/free-download-anti-virus-trojan.php&ct=ga&cad=CAcQAhgAIAEoBDACOABArYfZ8wRIAVgAYgVlbi1VUw&cd=lbdH6A8 Qsxo&usg=AFQjCNG25qrHqtnmCKmhjW5UVTmn4X-xIw which is intended to redirect to : http://wcbi.com/photos/img/free-download-anti-virus-trojan.php But instead the expected redirection, a malicious one take the place and users are redirected to a fake Megaupload website with this URL address: http://download-upload2.com/index.php?key=anti%20virus%20trojan Here an executable file is offered for downloading with the name 2_setup.exe, MD5: 26FF3373E2CB859DBE18E393797EB9B4 and size 231KB. It’s enough to submit this file to virustotal.com to understand what …
BIOS-MBR-Windows(BMW) or Mebromi, a new virus targeting the computer BIOS
A new virus targeting the computer BIOS was discovered by the chinese security company 360 Safety Center and it was reported that already several thousand of computers in the Chinese space were infected. The BMW virus attacks the computers running 32 bits systems and containing Award BIOS and it tries to infect users posing as a well-known game plug-in offered by malicious websites. The infection strategy is to trick the visitors to turn off first the antivirus software to avoid a possible conflict with the plug-in installation and finally to install it. Award BIOS is not at first attack against itself, the first attempts were made in 2007 year with …
About fake porn video websites and malware
Due to their alluring character, the porn websites have a magnetic effect upon people, these are the places where the people let the guard down easiest, clicking blindly on links and buttons, downloading, running, updating all what is requested or offered by these websites in an attempt to achieve more quickly their unique goal in that moment: to watch a porn video clip. It’s not a problem to view a porn video clip as far as the website visitor is +18 and the website is clean of malware, the problems starts to appear when the visitor is landing on a fake porn video website because on the other side of …
Ice – IX, the Zeus banking trojan succesor ?
As expected, the leaked Zeus banking trojan source pushed its development further. For who does not know a banking trojan is a piece of malware specialized in stealing the online banking credentials, sniffing the traffic, hooking the main Windows dll functions imported by the browsers as wininet.dll or injecting fake forms in legit web pages. Ice IX is a banking trojan derived from Zeus with a major improvement added : the config file is now retrieved from the server via proxy.php file using the encryption key as a request parameter. The same encryption key is used to encrypt the data transferred between bot and Command and control server. Not using the …