June spyware list
This month, Application/MyWebSearch joins the list in first position, with only 36 fewer detections than Adware/Lop, which drops to second position.
1.- Application/MyWebSearch
2.- Adware/Lop
3.- Adware/Gator
4.- Dialer.XD
5.- Spyware/Virtumonde
6.- Application/SystemDoctor2006
Application/SystemDoctor2006 goes up from the 11th to the 6th position. It is a fake error-repairing program that is usually installed by Adware/SystemDoctor. There are also many websites and advertisements that simulate an analysis of the machine so that users install the program. Users are then asked to purchase, for a modest price, a program to remove the supposed errors.
Adware/Navipromo goes up from the 21st to the 19th position. It is an adware that promotes dialers and uses rootkit techniques in order to go unnoticed. It usually comes bundled with other programs such as MailSkinner, WebMediaplayer or InternetGameBox.
Trj/Torpig, which is a banker Trojan, keeps the 37th position as in the previous month. The families belonging to Trj/Torpig and Trj/Sinowal are very similar. We explained the techniques used by Trj/Sinowal in the eCrime Congress. You can take a look at the paper here.
MPack: how to infect thousands of websites
We’ve been wondering for a few months now how malware mafias can hack so many web sites automatically so that they can be exploited by MPack. Yesterday a few theories came to light, such as hinting that all the hacked servers belong to the same virtual hosting server, or that an ‘IFRAME Manager tool’ is being used. We have been familiar with this tool for about four months. Its real name is ‘FTP-Toolz pack’ and it is being sold for $25. Here you can see a capture from a Russian forum where it was advertised for sale:
And the tool itself:
Even though we are still wondering how they gain access to those servers, it seems that they make use of tools such as the ones mentioned and feed them a list of usernames and passwords, probably stolen by Trojans and keyloggers they had previously gathered or purchased. But… how to work with all that mess? I mean, they can have hundreds of thousands of FTP addresses with usernames and passwords, but they don’t know which ones are working, which ones have write access, etc.
Then we ran into yet another tool, this time a PHP script that validates FTP accounts. The hacker loads the stolen account lists into a file called acc.txt, and by means of the script (ftp_check.php) the valid ones are dumped into a file called valid.txt.
So he can use that information with any of the previous programs: FTP-Toolz pack, RooT [iFrame] or FTPCheckIframe and automatically infect hundreds of thousands of web pages with the MPack IFRAME.
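The defender’s counterpart to the workflow described above is checking whether one of your own pages has already received an injected IFRAME. The following script is an added example written for this post; it is not the FTP-Toolz pack, ftp_check.php or any other tool mentioned here. It walks a set of HTML pages and flags IFRAMEs that are both hidden (zero size or display:none) and point off-site, which is the typical shape of an injected loader frame. The sample pages, the hostnames ending in `.example` and the site host `shop.example` are constructed for the demonstration.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample pages standing in for a scanned web root
# (hostnames are placeholders, not real indicators).
SAMPLE_PAGES = {
    "index.html": ('<html><body><h1>Shop</h1>'
                   '<iframe src="http://ads-placeholder.example/loader.php" '
                   'width="0" height="0" frameborder="0"></iframe></body></html>'),
    "about.html": ('<html><body><p>About us</p>'
                   '<iframe src="/local/map.html" width="600" height="400">'
                   '</iframe></body></html>'),
    "contact.html": ('<html><body><iframe style="display: none" '
                     'src="http://other-placeholder.example/x.php"></iframe>'
                     '</body></html>'),
}
SITE_HOST = "shop.example"  # assumed hostname of the site being scanned

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')


def parse_attrs(attr_text):
    """Turn the attribute part of an <iframe ...> tag into a lowercase dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_hidden(attrs):
    """Hidden if width/height is 0 or 1 px, or CSS hides the frame."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (width.isdigit() and int(width) <= 1) or \
           (height.isdigit() and int(height) <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def is_external(src, site_host):
    """True when the src has an absolute host that is not our own site."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def find_suspicious_iframes(pages, site_host):
    """Return (path, src) for every hidden, off-site IFRAME in the pages."""
    findings = []
    for path, html in pages.items():
        for m in IFRAME_RE.finditer(html):
            attrs = parse_attrs(m.group(1))
            src = attrs.get("src", "")
            if is_external(src, site_host) and is_hidden(attrs):
                findings.append((path, src))
    return findings


def scan_directory(root, site_host, exts=(".html", ".htm", ".php")):
    """Load every page under root and run the same check over a real web root."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[full] = fh.read()
    return find_suspicious_iframes(pages, site_host)


if __name__ == "__main__":
    for path, src in find_suspicious_iframes(SAMPLE_PAGES, SITE_HOST):
        print(f"{path}: hidden off-site iframe -> {src}")
```

Run it against a real web root with `scan_directory("/var/www/html", "your-host")`; a hit is a reason to compare the file against your deployed copy and to review FTP logins to that server, since write access through stolen FTP credentials is exactly how the post says the pages get modified.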
May spyware list
This month there have been changes in the first two positions. Adware/Lop occupies the first position and, 47 detections behind, the second position is occupied by Application/MyWebSearch. Meanwhile, Adware/Gator goes down to the third position of the ranking.
1: Adware/Lop
2: Application/MyWebSearch
3: Adware/Gator
4: Application/Winantivirus2006
5: Spyware/Virtumonde
6: Adware/SaveNow
Adware/SpyLocked goes up from the 23rd to the 17th position. This adware promotes the rogue antispyware called SpyLocked and is mainly distributed through fake codecs.
Trj/Abwiz.A, a Trojan that registers itself as a BHO and steals passwords from the computer, is in the 34th position.
Exploit/LoadImage joins the ranking in the 44th position. It is a generic detection of an exploit we had already mentioned that affects ANI files. Moreover, this exploit is one of the most used by exploit kits for installing malware, such as MPack.
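The ANI exploit mentioned above abuses malformed animated-cursor files, so a structural check of the RIFF container is a cheap way to triage such files before they reach a vulnerable parser. The script below is an added example, not Panda’s detection logic: it walks the RIFF chunk tree of an ANI file and flags any `anih` chunk whose declared size is not the 36 bytes the ANI header occupies, as well as chunks that claim more bytes than the file holds. It assumes only the published RIFF/ACON layout; the two sample files (`GOOD_ANI`, `BAD_ANI`) are constructed inline for the demonstration and are not real samples.

```python
import struct


def _read_chunks(data, offset, end):
    """Yield (fourcc, declared size, payload offset) for chunks in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        yield fourcc, size, offset + 8
        offset += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def check_ani(data):
    """Return a list of structural findings; an empty list means the file looks well-formed."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF ACON (ANI) file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    pending = [(12, end)]            # (start, stop) ranges still to walk
    while pending:
        start, stop = pending.pop()
        for fourcc, size, payload in _read_chunks(data, start, stop):
            header_off = payload - 8
            if payload + size > len(data):
                findings.append(
                    f"chunk {fourcc!r} at {header_off} declares {size} bytes past end of file")
                break
            if fourcc == b"anih" and size != 36:
                # The ANIHEADER structure is exactly 36 bytes; anything else is malformed.
                findings.append(f"anih chunk at {header_off} has size {size}, expected 36")
            elif fourcc == b"LIST":
                # A LIST carries a 4-byte list type, then nested chunks.
                pending.append((payload + 4, payload + size))
    return findings


# --- constructed sample files (not real-world samples) ---------------------

def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _riff_acon(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Well-formed: one 36-byte anih header (cbSize = 36) and a frame list.
_ANIH_OK = struct.pack("<I", 36) + b"\x00" * 32
GOOD_ANI = _riff_acon([
    _chunk(b"anih", _ANIH_OK),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 16)),
])

# Malformed: a second anih chunk whose declared size is far larger than 36.
BAD_ANI = _riff_acon([
    _chunk(b"anih", _ANIH_OK),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 16)),
    _chunk(b"anih", b"\x41" * 100),
])


if __name__ == "__main__":
    for name, blob in (("GOOD_ANI", GOOD_ANI), ("BAD_ANI", BAD_ANI)):
        print(name, check_ani(blob) or "looks well-formed")
```

A check like this belongs at a mail or web gateway rather than on the endpoint: it does not identify the payload, it only refuses to pass along cursor files whose header chunks violate the format, which is the property the exploit depends on.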
The Cimuz uninstaller
Checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to a remover.exe file:
After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had previously been installed from that very same server.
I suppose this is how the author tests whether the Trojan works properly and then gets the test machine easily disinfected using the uninstaller.
New Alanchun wave
Our large malware honeynet, also known as TruPrevent©, is detecting a new Alanchun wave. In a few hours we have received several hundred reports about this one, named Trj/Alanchun.VT. It is just another Trojan with rootkit capabilities, prepared to flood the Internet with spam.
In case you have TruPrevent© don’t worry, otherwise update your AV software right now!
