It seems the latest development is the accidental development of new super-malware strains created by viruses infecting executable files of worms. Worms are generally executable files and well, viruses infect executables – so you can imagine what happens.

Now the franken-worm has both the characteristics of the original worm and it also carries the virus – so when it spreads, the virus also spreads.

Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties.

The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers.

A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 per cent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the Romanian antivirus firm warns.

“If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said Loredana Botezatu, the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.”

BitDefender doesn’t have historical data to go on. Even so it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 per cent year on year.

There’s really unlimited possibilities with this, and the great thing (to me anyway) is that it occurred by complete accident. I guess the next step up would be virus authors purposely hunting down worm files and infecting them with additional capabilities.

There’s always been cases of malware in the past that hunt down other malware and remove them from the host machine.

All of the malware hybrids analysed by BitDefender so far have been created accidentally. However, the risk posed by these combos could increase dramatically as crooks latch onto the idea of deliberately splicing malware strains together to see what sticks. This is on top of efforts by blackhat coders to add extra features to others’ viruses and unleash the updated builds onto the unsuspecting public.

BitDefender carried out its study after finding a sample of the Rimecud worm that was infected by the Virtob file infector. Rimecud is designed to steal online passwords for e-banking or e-mail accounts, among other functions. Virtob creates a hacker-controlled backdoor on infected systems.

“Imagine these two pieces of malware working together – willingly or not – on the same compromised system,” Botezatu explains. “That PC faces a twofold malware with twice as many command and control servers to query for instructions; moreover, there are two backdoors open, two attack techniques active and various spreading methods put in place. Where one fails, the other succeeds.”

I wonder what will happen in the future with this and if the bad guys will really jump on this already sailing ship and use it to their advantage.

If you are interested you can read more on BitDefender’s Malware city blog here:

Virus infects worm by mistake

Source: The Register

It’s mostly targeted at the UK though, worms of these type usually are geographically limited as they are targeting bank information – it’s better to go after a certain niche of users.

45,000 isn’t a huge number though considering the latest stats say there are over 30 millions Facebook users from the UK alone.

A bank account-raiding worm has started spreading on Facebook, stealing login credentials as it creeps across the site, security researchers have revealed.

Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms that the malware has already stolen 45,000 Facebook passwords and associated email addresses. Experts from Seculert, who found the controller node, have supplied Facebook with a list of all the stolen credentials found on the server. Most of the victims are from either the UK or France.

Ramnit differs from other worms, such as Koobface, that have used Facebook to spread because it relies on multiple infection techniques and has only recently extended onto social networks. Koobface, by contrast, only uses Facebook or Twitter to spread.

“Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities,” Aviv Raff, CTO at Seculert, told El Reg.

“We suspect that they use the Facebook logins to post on a victim’s friends’ wall links to malicious websites which download Ramnit,” he added.

There was indeed Koobface some time back, but that was purely on Facebook – the danger with worms like Ramnit is that Facebook is only 1 of the vectors they are using to spread.

It’s a good job researchers got hold of one the command and control nodes – or this could have gotten a whole lot messier. Facebook has been pretty good lately blocking malicious strings and clamping down on worms as soon as they show up.

Ramnit first appeared in April 2010. By last July variants of the malware accounted for 17.3 per cent of all new malicious software infections, according to Symantec. A month later Trusteer reported that flavours of Ramnit were packing sophisticated banking login credential snaffling capabilities – technologies culled from the leak of the source code of the notorious ZeuS cybercrime toolkit at around the same time.

The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms in order to gain remote access to corporate networks, Seculert warns.

The move onto Facebook by the miscreants behind Ramnit seems designed primarily to expand the malware’s distribution network and infect more victims.

“We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware’s reach,” Seculert concludes, adding that capturing the login credentials of Facebook accounts creates a means to attack more sensitive accounts that happen to use the same email address and password combination.

“The cyber-criminals are also taking advantage of the fact that people usually use the same passwords for different web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks,” it said.

The Ramnit outbreak on Facebook follows the November outbreak of an earlier worm that tried to infect victims with a variant of ZeuS.

The scary part is that the latest version of Ramnit can bypass two factor authentication! I’m not exactly sure how it does that, but it seems to have snagged a lot of features from the source code leak of ZeuS.

I would agree with the article though, people do tend to re-use passwords, they trust things shared on Facebook and it’s a good platform to spread malware rapidly.

Source: The Register

It’s a pretty bumper crop of patches though with 13 bulletins and 19 vulnerabilities fixed, the highest profile one being a patch for the zero-day vulnerability exploited by Duqu.

The pulling of the BEAST patch is good in a way though I guess, it shows that Microsoft are doing comprehensive compatibility testing to ensure the patches don’t cause any problems (including with 3rd party software).

Microsoft released 13 security bulletins addressing 19 vulnerabilities overnight, as part of a bumper final Patch Tuesday of the year.

Highlight of the baker’s dozen is a patch for the the zero-day vulnerability exploited by Duqu (sibling of Stuxnet) worm back in October. Fixing the underlying flaw exploited by Duqu involves the resolution of a problem in how Windows kernel mode driver handles TrueType font files.

Aside from this critical update the batch includes an update to address a critical flaw n Windows Media Player. A cumulative security update of ActiveX kill bits is covered by the third, and final, critical update this month. The other ten bulletins address less severe (important) flaws in Windows, IE and Office. Altogether its a desktop-heavy patch batch, as you can see from Microsoft’s summary here.

Microsoft originally promised 14 bulletins for the December edition of Patch Tuesday but one has been pulled, probably for quality control reasons. The original anticipated 14th bulletin was for the BEAST attack, but did not make it in time for the holidays due to a last minute software incompatibility uncovered during third party testing, security services firm Qualys reports. The absence of this fix means that Microsoft has issued a grand total of 99 bulletins this year, one less than the ton up that might have resulted in adverse headlines.

Both BEAST and Duqu are pretty nasty malware, I’d guess seen as though they’ve already fixed the BEAST problem – they just need to work on compatibility issues – that we’ll definitely be seeing the patch rolled out in the January Patch Tuesday.

It’s good to see a bunch of important patches rolled out pre Christmas though as there’s always an influx of malware, scams, spams and phishing attempts around this period (trying to leverage on people’s good will I guess).

The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Although a patch will have to wait until January, at least, Microsoft has already published a workaround, which involves using the non affected RC4 cipher in SSL setups.

The Internet Storm Centre has produced a helpful graphical overview of the Black Tuesday updates from Microsoft here. It reckons that some of the flaws are more severe than Redmond’s rating. By the ISC’s count there are EIGHT critical updates. Either way you look at it, this is a lot of patching work even before we think about other security updates doing the rounds.

Google and Adobe are also joining in on the season of giving by releasing updates of their own. Adobe last week issued a critical updates for Adobe Reader and Acrobat. The latest version of Adobe PDF-reading software, Adobe Reader X, is not affected by this vulnerability thanks to the use of sand-boxing technology. So users have the option to either upgrade or apply a patch to the earlier version of the software.

In addition, Google published an update to its Chrome browser that addresses 15 security flaws, including six high-risk vulnerabilities, on Tuesday. More details of what’s fixed inside Chrome 16.0.912.63, the latest cross-platform version of the browser (yes Mac and Linux fans you ought to update too), can be found here.

There has been some other nasty bugs around too with a zero-day for Adobe Reader last week and Google just released a massive update of Chrome including 6 high risk vulnerabilities.

SANS ISC as always gives a great summary of the patches and classifies some of them more seriously than Microsoft does – you can check out the details here:

December 2011 Microsoft Black Tuesday Summary

Source: The Register

Perhaps that incident and spate of attacks and intrusions had something to do with this most recent story, the story of a stolen certificate.

The story is that a ‘missing’ certificate which has been legitimately signed by the Malaysian government was stolen and has been used to sign malware, enabling it to bypass OS protection which prevents the installation of untrusted applications.

Researchers have discovered malware circulating in the wild that uses a private signing certificate belonging to the Malaysian government to bypass warnings many operating systems and security software display when end users attempt to run untrusted applications.

The stolen certificate belongs to the Malaysian Agricultural Research and Development Institute, according to Mikko Hypponen, chief research officer of F-Secure, the Finnish security firm that found it was being used to sign malware spread using booby-trapped PDF files. By using the official credential to vouch for the trustworthiness of the malicious application, the attackers were able to suppress warnings Microsoft Windows issues when users attempt to install unsigned applications.

“The malware itself has been spread via malicious PDF files that drop it after exploiting Adobe Reader 8,” Hypponen wrote in a blog post published on Monday. “The malware downloads additional malicious components from a server called worldnewsmagazines.org. Some of those components are also signed, although this time by an entity called www.esuplychain.com.tw.”

The discovery is the latest reminder of the challenges posed in securing the PKI, or public key infrastructure, used to digitally ensure the authenticity and integrity of websites and applications. With more than 600 entities entrusted to issue the certificates, all it takes is the compromise of one of them for an impostor to obtain the private key needed to issue counterfeit credentials for Google, eBay, the Internal Revenue Service or virtually any other service.

The certificate came from the Malaysian Agricultural Research and Development Institute, known locally as MARDI – http://www.mardi.my.

Please also note the fantastic aesthetics of Malaysian government web design, I’d estimate a few million USD was spent to create such a glorious website – it shows doesn’t it.

The security of Malaysian governmental website is also extremely suspect, any half decent attacker seems to be able to hack into them without much effort. Probably because most of them aren’t maintained and they are running outdated, vulnerable versions of the CMS Joomla!.

Over the past couple years, a growing number of private keys have been abused. One of the best known examples was the Stuxnet worm that sabotaged Iran’s nuclear program. It used pilfered digital keys belonging to two companies from Taiwan. The Duqu malware, which some researchers say has significant similarities to Stuxnet, also used private certificates.

Hackers recently compromised the systems of Netherlands-based certificate authority DigiNotar and minted counterfeit credentials for half a dozen sites, including Mozilla’s addons website and Skype. A bogus certificate for Gmail was used to spy on about 300,000 people accessing the service from Iran.

Two weeks ago, credentials issued by intermediate certificate authority Digicert Malaysia were banished from major browsers following revelations the company issued secure sockets layer certificates that could be used to attack people visiting Malaysian government websites. A day later, Netherlands-based KPN Corporate Market said it suspended the issuance of new certificates after discovering a security breach that allowed hackers to store attack tools on one of its servers.

The compromised certificate discovered by F-Secure shows the signer as anjungnet.mardi.gov.my. It expired at the end of September. Hypponen said Malaysian authorities have indicated the certificate was stolen “quite some time ago.”

It just goes to show how weak the whole PKI type infrastructure is, especially with the recent case – Hackers Get Hold Of Wildcard Google SSL Certificate – Could Hijack Gmail Accounts.

Of course before that we had the huge RSA SecurID case too, some quiet hacking, some stolen certificates (which are basically just text files) and bingo – you have yourself some real power there.

Sadly this kind of occurrence seems to be getting more and more common, I hope things get secured because people have been told for years that “If it’s https it’s safe!” – when clearly…that is not always the case.

Source: The Register

Well this time the private messaging function has been compromised, you can attach an executable and send it to anyone as long as you put a space after the filename.

It’s not the first time I’ve seen a mime/file/etc parser be owned by a space, but I expected better from Facebook to be honest.

A security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications.

Nathan Power, a senior security penetration tester at technology consultancy CDW, discovered the vulnerability and publicly disclosed it Thursday on his blog. The flaw was reported to Facebook on Sept. 30, which acknowledged the issue on Wednesday, he wrote.

Power, who could not immediately be reached, wrote that Facebook does not normally allow a person to send an executable attachment using the “Message” tab. If you try to do that, it returns the message “Error Uploading: You cannot attach files of that type.”

Facebook has acknowledged the bug (which is a pretty serious one) but it’s unknown if they’ve actually fixed it yet or not.

You can see the original blog post outlining the vulnerability here:

Facebook Attach EXE Vulnerability

Good job Nathan Power!

Power wrote that an analysis of the browser’s “POST” request sent to Facebook’s servers showed that a variable called “filename” is parsed to see if a file should be allowed. But by simply by modifying the POST request with a space just after the file name, an executable could be attached to the message.

“This was enough to trick the parser and allow our executable file to be attached and sent in a message,” Power wrote.

A person would not have to be an approved friend of the sender, as Facebook allows people to send those who are not their friends messages. The danger is that a hacker could use social engineering techniques to coax someone to launched the attachment, which could potentially infect their computer with malicious software.

Facebook representatives contacted in London did not have an immediate response on Thursday afternoon.

The dangerous part I can see here is that Facebook allows users to send messages to anyone (with attachments) even if they are not friends. Which makes me wonder, how many random guys are sending girls they don’t know pictures of their junk as attachments on Faceobok messages…

I don’t want to know really.

Anyway this should be a fairly simple fix for Facebook and I’d imagine they have probably already fixed this or will be doing so fairly soon.

Source: Network World

Now whilst we wouldn’t quite expect that kind of oppressive behaviour from a country like Germany, they do seem to have a law enforcement monitoring trojan which is pretty nasty.

The trojan was initially examined by the infamous hacking group from Germany itself – Chaos Computer Club (CCC) and was apparently first discovered by Kaspersky Lab.

A Trojan used by German law enforcement authorities to intercept Internet phone calls is capable of monitoring traffic from 15 programs, including browsers and instant messaging applications.

The discovery was made by malware analysts from antivirus vendor Kaspersky Lab, who took apart the so-called lawful surveillance software, dubbed 0zapftis, Bundestrojaner or R2D2 by the security community. The Trojan was initially analyzed by famous German hacker collective the Chaos Computer Club (CCC), which determined that Skype is one of its targets.

The Trojan’s installer deploys five components, each with a different purpose, and Kaspersky has analyzed all of them, said Tillmann Werner, a security researcher with Kaspersky in Germany.

“Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows,” he said. “Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.”

The trojan seems quite complex and technically quite adept – it had the capability to deploy various components in both 32-bit and 64-bit Windows operating systems.

It can infect 15 different applications, most of which are quite commonly found and prevalent on the majority of Windows based machines. Instant messaging (IM) software such as MSN Messenger, Yahoo! Messenger, Skype are covered and the major browsers (IE, Firefox and Opera).

It’s surprising to see Chrome is not in the list, it could be an editorial exclusion or it could just be the fact that Chrome is in fact pretty secure and they weren’t able to hijack it successfully.

The list of targeted applications includes major browsers, including Internet Explorer, Firefox and Opera, as well programs with VoIP and data encryption functionality, including ICQ, MSN Messenger, Yahoo Messenger, Skype, Low-Rate VoIP, CounterPath X-Lite and Paltalk.

On 32-bit Windows systems the Trojan uses a kernel-mode rootkit that monitors targeted processes and injects rogue libraries into them. However, on 64-bit platforms, the system driver is much more basic and only serves as an interface to modify registry entries or the file system.

Furthermore, it is signed with a certificate that isn’t trusted under Windows by default. This means that deploying the Trojan requires user confirmation, which might not necessarily be a problem for authorities, because they reportedly install it during border searches or similar interventions.

Kaspersky said its products detected the Trojan installer heuristically even before a sample was analyzed and signatures were added for it. However, those tools may not help if outsiders can manually add an exception in the program. Computer users can prevent outsiders from doing this by using a password to protect their antivirus configurations, and most products offer this option.

It seems though the trojan isn’t intended to be spread over the Internet or via networks, or in fact any self-propagating method. Which is good…

The law enforcement agency would plant the trojan during a raid/border search or so on. It certainly does seem effective, but then again Kaspersky detected it as malware before they even added a signature for it – which makes me suspect it could well be using components from other pre-existing malware.

We did report on what probably became this project back in 2008 when it first started – German Police Creating Law Enforcement Trojan.

Source: Network World

It’s basically a HTTP referer detection system for the Facebook URL scanner (the thing that generates the preview/thumbnail etc for links posted to Facebook). By detecting it, you can feed it something benign – but when a normal user comes – feed them some malware.

So be careful what you click in Facebook, or Google+ or anything else that gives you a preview but doesn’t really show you the URL or what is on the page.

Members of a hacking think-tank called Blackhat Academy claim that Facebook’s URL scanning systems can be tricked into thinking malicious pages are clean by using simple content cloaking techniques.

Such attacks involve Web pages filtering out requests that come from specific clients and feeding them content that is different from what is displayed to regular users.

Attackers have been using this method to poison search results on Google for years now by serving keyword-filled pages to its indexing robot, but redirecting visitors to malware when they click on the links. However, it turns out that Facebook is also vulnerable to this type of content forging. “Hatter,” one of the Blackhat Academy members, provided a live demonstration, which involved posting the URL to a JPEG file on a wall.

Facebook crawled the URL and added a thumbnail image to the wall post, however, clicking on its corresponding link actually redirected users to YouTube. This happened because the destination page was able to identify Facebook’s original request and served a JPEG file.

“While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+ and Facebook make the requests easily identifiable,” the Blackhat Academy hackers said.

This kind of technique is VERY popular in the Blackhat SEO world, or at least it was back in the day – you could feed pages to the search engines that weren’t really human readable, but they were perfect in terms of link density, keywords and so on for Google and other search engines.

When humans visited, they’d get the normal page – when search bots visited they’d get a specially tailored version to hike the page up in the rankings. I’m not sure if it goes on (Google is a hell of a lot smarter now) – but I’d be surprised if it’s totally gone.

Websense of course are claiming that it doesn’t really effect them due to the all the l33t techniques they use to filter URLs…cool story bro.

“These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name,” they explained.

Earlier this week, Facebook signed a partnership with Websense to use the security vendor’s cloud-based, real-time Web scanner for malicious URL detection. Blackhat Academy has now provided proof-of-concept code, which, according to its advisory, can be used to bypass it.

Websense doesn’t believe that to be the case. “This is nothing new. We use numerous methodologies and systems to ensure that our analysis of content (in real time) is not manipulated by malware authors, including using IP addresses not attributable to Websense so that malware authors are unaware that it is Websense analyzing the content,” the company said.

“Also, the Websense ThreatSeeker Network is fed via an opt-in feedback loop from tens of thousands of customers distributed globally. These IPs are also not attributable to Websense.com. It is because of technologies like this that Facebook chose Websense to provide protection for their growing user base of more than 750 million users,” it added.

That could well be true, but it’s worth keeping in mind that Websense primarily sells security solutions to businesses and Facebook is usually blocked on many corporate networks. It would be logical to assume that relying on its customers’ appliances to scan URLs on the social networking website might not have an immediate impact.

I know Facebook have signed the agreement, but have they started using Websense filtering yet? We did write something about their collaboration last year – Websense Offers Facebook Users Free ‘Firewall’ Service.

Well if it keeps Facebook users safe from malware, and stops us having to fix more computers for our friends and relatives – it’s good in my books.

We will have to wait and see though until it’s fully implemented if it stops the next round of Facebook malware from sprouting and running riot.

Source: Network World

The odd thing is the app can’t scan the filesystem of the device due to the iOS sandbox – but it can scan remotely hosted files (e-mail attachments, files in your Dropbox account and on on).

It’ll be interesting to see what kind of response this app gets and if people will be interested in purchasing it.

A French security company known for its Mac OS X antivirus software today released the first malware-scanning app for the iPhone and iPad and iPod Touch. Intego’s VirusBarrier for iOS has been approved by Apple, and debuted on the App Store Tuesday for $2.99.

Because iOS prevents the program from accessing the file system or conducting automatic or scheduled scans — as do virtually all Mac and Windows antivirus software — VirusBarrier must be manually engaged, and then scans only file attachments and files on remote servers, said Peter James, a spokesman for Intego.

“Because of the sandbox, you can’t scan the file system,” said James. “Since you don’t see the iOS file system, the only things you can scan are attachments sent by email or files in, say, your Dropbox folder.”

Unlike software written for Android — such as Lookout, from the San Francisco-based company by the same name — VirusBarrier cannot scan apps for possible infection. When an email attachment is received by the iPhone, iPad or iPod Touch, the user can intercede by calling on VirusBarrier, which then scans the file for possible infection before the file is opened or forwarded to others.

“We’ve had enterprise customers say that although they know you can’t do a full system scan of an iPhone, they don’t like the fact that files go through these devices and end up on a Mac or Windows PC,” said James. “They want their users to be able to check that an attachment is safe.”

It also can’t scan apps for possible infection, which is kind of weak – but I guess it’s supportive of the walled garden approach implemented by Apple. Seen as though all official apps are vetted by Apple there shouldn’t be any infections anyway (unless the user executed a JailBreak their device).

Symantec did make some kind of push into the iOS market in October 2010, but I’m not sure what came of it – Symantec Expands Security Products To Cover Android & iOS.

With the whole model Apple is running on the iOS platform – there honestly isn’t that many vectors for attack.

He characterized VirusBarrier for iOS as a way for iPhone and iPad users to prevent their hardware from spreading malware. “You don’t want your iPhone becoming a ‘Typhoid Mary,’” James said.

VirusBarrier for iOS can scan email attachments in a variety of formats, including Microsoft’s Word, Excel and PowerPoint; PDF documents; JavaScript files; and Windows executables, those files tagged with the .exe extension. It can also scan files in a Dropbox folder, those stored on MobileMe’s iDisk, or files downloaded via the iOS version of Safari. The scanning engine and signatures — the digital “fingerprints” used to detect malware — in VirusBarrier for iOS are identical to those used by Intego’s Mac OS X product line.

VirusBarrier for iOS lets iPhone and iPad users run on-demand scans of email attachments before those files are opened or forwarded.

“It’s important that people understand what [VirusBarrier] can and cannot do,” said James, pointing to the malware scanner’s limitations. “Although there is no malware written for iOS today, if attackers do try to exploit the [recent] PDF vulnerability, this is something we can scan for.”

James was referring to the still-unpatched vulnerability in iOS that can be exploited through a malicious PDF document, one of two bugs used last week to “jailbreak” an iPhone , iPad or iPod Touch. VirusBarrier for iOS can be downloaded to an iPhone, iPad or iPod Touch from Apple’s App Store. It requires iOS 4.0 or later.

You can check out the app on Apple’s App Store here:

VirusBarrier By Intego

Basically the purpose of the app seems to more towards halting malware application on the iPhone – rather than preventing the device itself getting infected. You can read a lot more about it on the App Store description.

Source: Network World

TDL itself has been around several years, but the new TDSS variant is really sophisticated and comes loaded with anti-virus capabilities to stop the Windows host PC getting infected by other malware or botmasters.

Development has been going on since TDL since 2008 (or perhaps even earlier) and now is on version 4 (TDL-4). You can see how these guys think as they only apportion a part of the CPU resources to their own malware so as to remain undercover.

A new strain of the TDSS malware has been pegged as “the most sophisticated threat” to computer security in the world today by a Kaspersky Labs researcher and is being used to slave more than 4.5 million PCs in a massive botnet that’s equipped with an “anti-virus” to prevent other bot-creating viruses from taking it over.

“TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” security expert Sergey Golovanov writes this week a research note in on the SecureList site.

Botnets are networks of malware-infected computers that can be commanded by cybercriminals and hacktivists to conduct such activities as delivering spam, launching distributed denial-of-service attacks to bring down targeted websites, manipulating search results and adware, and facilitating network intrusions to steal sensitive data.

Sophisticated bot-creating programs like TDSS, which according to Golovanov has been under development since 2008 and is now in its fourth version (TDL-4), can harness a portion of the computing power of each system it infects, leaving owners of infected computers with somewhat slower machines but none the wiser as to their participation in a botnet.

There a few distinctive improvements in TDL-4 over previous TDSS generations, the Kaspersky Labs researcher writes. One is that the latest edition of TDSS includes a kind of “anti-virus” that scans a slave bot’s registry for malicious programs that could interfere with a slaved computer’s efficiency or even try to take over the computer to make it part of a rival botnet.

Now this is a fairly huge operation with 4-5 million infected hosts within the botnet, it’s very difficult to remove and in most parts – because of it’s fairly intelligent design – it doesn’t even get spotted in the first place.

The downfall (if it really is) of such a complex piece of malware is that it’s more likely to have coding bugs/exploits contained in it’s own code – this is where security researchers can leverage their own hacking skills to gather more knowledge about the botnet.

“TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc.,” Golovanov writes. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

“This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.”

Another advance for TDL-4 is the extent to which it burrows into infected systems, making the botnets it creates “indestructible,” according to the researcher. Other improvements over the previous TDL-3 generation of TDSS malware include the encryption of communications between a botnet operator’s command-and-control servers and the botnet, and the ability to transmit commands to a botnet over the publicly accessible, peer-to-peer Kad network via TDL-4′s kad.dll module.

According to Golovanov, TDL “affiliates” can earn up to $200 when they manage 1,000 installations of the malware on victim computers.

“Affiliates can use any installation method they choose,” he writes. “Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.”

About a third of the TDL-4-infected computers are in the U.S., according to Golovanov, and about 60 TDL-4 command-and-control centers all around the world have been identified since the beginning of 2011.

Most of the motivation behind such large botnets is of course money, we’ve written before about the Digital Underground Offering Cheap Botnets For Hire and about people getting caught like – Texas Man Pleads Guilty To Bot Network For Hire.

It seems like the main infection vector is still via the browser, people who visit dodgy sites (porn/pirated software etc) with old browsers are getting infected with botnet laden malware like this.

I doubt anyone reading is any danger of infection, but still – it pays to know what is out there.

Source: PC Mag

This is a stepping release since for the first time the Dynamic Analysis has been included for file creations (will be improved for other network/registry indicators sooner) along with process dumping feature.

Features

• String based analysis for registry, API calls, IRC Commands, DLL’s called and VM Aware.
• Display detailed headers of PE with all its section details, import and export symbols etc.
• On Distro, can perform an ascii dump of the PE along with other options (check –help argument).
• For Windows, it can generate various section of a PE : DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections
• ASCII dump on windows machine
• Code Analysis (disassembling)
• Online malware checking (http://www.virustotal.com)
• Check for Packer from the Database.
• Tracer functionality
• Signature Creation: Allows to create signature of malware
• CRC and Timestamp verification.
• Entropy based scan to identify malicious sections.
• Dump a process memory
• Dynamic Analysis (Still in beginning stage) for file creations.

You can download Malware Analyser v3.0 here:

malware_analyser 3.0.zip

Or read more here.