Cloud Antivirus
Written by Dave Smith   
Sunday, 30 May 2010 20:32

Two new offerings on the street, Panda's Cloud Antivirus [novcon.tv video link] and Immunet Protect, work by sharing information among their users. When suspicious activity is detected on one machine, attributes or signatures can be pushed very quickly to every other user of the product. But Immunet has a unique model. Rather than replacing your current antivirus, Immunet Protect supplements it with its cloud-based abilities. This echoes the multi-engine functionality found in some security suites, such as Trustport [novcon.tv videos]. According to my understanding, Immunet works primarily by watching the detections of another installed antivirus product and adding those detections to its database. Since presumably most of the main vendors would be represented among its users, Immunet Protect could fill the voids left by any one particular vendor.

The downside (apart from the question of intellectual property in signature sets, which you could argue should or shouldn't exist) is the current reviews. Novcon.tv has quite a few reviews of Immunet Protect in the current video catalog:

Software Review: Immunet Protect Anti-Virus

Want A Free Cloud Antivirus? - Immunet

Immunet Protect Re-Test

Immunet Protect review 1

Immunet Protect review 2

Immunet Protect review 3

Immunet Protect review 4

Immunet Protect review 5

Immunet Protect review 6

Immunet Protect review 6+ (Verdict)

Immunet Protect review 7 (Rescue Rootkit & Rogue...

So, what gives? My thoughts are that the model is sound, but the database is weak. More data from more users using the software should produce better results. So do we use it? I have it on a couple of machines and one of the test VMs here, watching to see what happens.


Evil Evil Facebook Messages
Written by Robert Robert   
Friday, 26 March 2010 20:27

Evil Evil Facebook Messages... (3/26/2010)

Someone I know received a Facebook message from a friend; she thought it looked weird and sent it to me. This is the analysis I did on the link.

The message was just a link, but it didn't look like a link you are probably familiar with.

"hxxp://3569823810//cute.clips/?" (I've removed the string on the off chance they can trace it to the message :) )

This number, 3569823810, is actually an IPv4 address written as a single decimal integer. Converted back to dotted-quad notation it is 212.199.48.66, which according to GeoIP is in Tel Aviv, Israel....

Once the original link is put into the browser (IE), the browser accepts the decimal IP value and we are taken to a fake YouTube site. This site is humorous because it's called YuoTube (LOL). It is hosted on a different IP than the first one, and that IP seems to change on each call: 88.186.204.57 and 99.92.176.9 were observed.
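The decimal-host trick above is the kind of thing a triage script should normalise before anything else. The following is an added example (not from the original post) that converts the host forms browsers accept (a single 32-bit decimal integer such as 3569823810, 0x-prefixed hex, or a dotted quad) back to dotted-quad form and flags the link as obfuscated; the function names and the defanged "hxxp" handling are my own choices.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def host_to_ipv4(host):
    """Return the dotted-quad form of a host that a browser will treat as a
    numeric IPv4 address, or None if the host is an ordinary name.
    Covers the single 32-bit decimal form from the message (3569823810),
    the 0x-prefixed hex form, and a normal dotted quad."""
    h = host.strip().lower().rstrip(".")
    if re.fullmatch(r"\d+", h):
        n = int(h)
    elif re.fullmatch(r"0x[0-9a-f]+", h):
        n = int(h, 16)
    elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", h):
        try:
            return str(ipaddress.IPv4Address(h))
        except ValueError:  # e.g. octet above 255 or ambiguous leading zeros
            return None
    else:
        return None
    # Anything above 2^32 - 1 cannot be an IPv4 address.
    return str(ipaddress.IPv4Address(n)) if n <= 0xFFFFFFFF else None


def triage_link(link):
    """Map a (possibly defanged 'hxxp') link to its host, the dotted-quad
    form of that host if it is numeric, and an 'obfuscated' flag telling the
    analyst that the host was not written in the usual dotted form."""
    parts = urlsplit(re.sub(r"^hxxp", "http", link.strip(), flags=re.I))
    host = parts.hostname or ""
    ip = host_to_ipv4(host)
    return {
        "host": host,
        "ip": ip,
        "obfuscated": ip is not None and ip != host,
        "path": parts.path,
    }


if __name__ == "__main__":
    # Constructed input modelled on the link quoted in the post.
    print(triage_link("hxxp://3569823810//cute.clips/?"))
```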

This site claims to have some great video but you are unable to view the video because you don't have the latest "Adobe Flash Player 10.37", and you have to click here to upgrade.

Once clicked, the site pushes a file called setup.exe (aren't they always..)
Size: 64,512 bytes

This program then starts talking out a lot.

DNS: www.signyourweb.com = 81.223.238.227
DNS: norrbotten.adventkyrka.se = 212.112.177.130
DNS: saratogasteakhouse.com = 70.35.30.26
DNS: xboxfreegames.com = 195.5.161.128
DNS: wt-egypt.com = 67.228.194.20
DNS: brevard-fl.com = 209.114.220.8
DNS: www.shg-fibromyalgie.com = 81.223.238.227

And of course:
DNS: Facebook.com
DNS: www.Facebook.com
DNS: fbcdn.net

Some of the more interesting GET requests made:

GET /.sys/?Action=ldgen&
GET /.sys/?getexe=p.exe
GET /.sys/?getexe=hosts2.exe
GET /.sys/?getexe=go.exe
GET /.sys/?getexe=v2webserver.exe

Most security people would automatically recognise this as Koobface, a program used to gather information about users and spread other malicious programs.

The sole purpose of this setup.exe is to go out and communicate with multiple Koobface infections across the globe and pull down whatever programs the operators are currently attempting to push; this could be keyloggers, fake AV, or anything else.

This is very profitable for the groups running Koobface, because they can get paid to push a certain program to X amount of computers.

In short, if something looks suspicious on social networking, it probably is...


2010-03-19: Fake Anti-Virus
Written by Robert Robert   
Thursday, 18 March 2010 21:14

2010-03-19: Fake Anti-virus (Security Guard)

Fake AV has many motives: some variants push other malware, while others exist just to make money. Many different variants exist. Today we will be analyzing "Security Guard".

I pulled the following file from a malicious domain.

File Name: load.exe
File MD5: 0e2b01e710bb9ef161fedb2786279296
File Size: 167,936 bytes

The analysis is split into three areas: file activity, network activity, and AV scanning.

File Activity:

Drops:
C:\Documents and Settings\\Local Settings\Temp\Setup.exe
MD5: 25ee5ae0cf86d2c90fff091be922c488
Size: 2,327,552 bytes
C:\Documents and Settings\\Local Settings\Temp\del.bat
MD5: 260933afc70a1925a748d0256280b98a
Size: 151 bytes
C:\Documents and Settings\\Application Data\Security Guard\Instructions.ini
MD5: 6ed0cfa4e125d2f64574404831820dab
Size: 1,265 bytes
C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Guard.lnk
MD5: 10a83fa8c813026cbb83bc8c34960390
Size: 1,795 bytes
C:\Documents and Settings\\Desktop\Security Guard.lnk
MD5: 51a7c9b7bf3e4c7c517c00066090d7c2
Size: 1,777 bytes
C:\Documents and Settings\\Start Menu\Programs\Security Guard.lnk
MD5: 157144740d450f496fe0a6b28ad9c563
Size: 1,783 bytes


Modified:
C:\Windows\system32\drivers\etc\hosts


Network Activity:

DNS:
Update1.safeantivirus.net (94.228.209.221)
update2.safeantivirus.net (94.228.209.222)
save-secure.com (188.124.7.158)
secures-guard.com (94.102.63.64)
pmsoftware.us (95.211.89.138)

Direct IP call:
93.186.119.129

GET:
update1.safeantivirus.net/index.php?controller=hash
update1.safeantivirus.net/index.php?controller=microinstaller&abbr=SGD&setupType=xp&ttl=2114783582
save-secure.com/Reports/get_software_data.php?abbr=SGD&pid=3 (user agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient))
save-secure.com/Reports/install-report.php/?abbr=SGD&uid=1002&cnt=UN&lng=en&big=b_Unknown&ls=1&wv=wvXP&sid=11110 (user agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient))
pmsoftware.us/daemon/watcher.php?action_id=asdad3kj3zxcbrfd221&code=1002 (user agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient))
save-secure.com/Reports/SoftServiceReport.php?verint=645&uid=1002&wv=wvXP&report=025200100100000&abbr=SGD&pid=3 (user agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient))
93.186.119.129/chrome/report.html?uid=1002&wv=wvXP&res=00210010011300000000&mid=91e69b3afb31a6ec01abc84b02761923 (user agent: Mozilla/3.0 (compatible; TALWinInetHTTPClient))

Note: this sample uses a non-standard User-Agent string for some of its contact with websites.
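The non-standard User-Agent and the small set of contacted hosts are what a network defender would turn into a detection. The following is an added example (not part of the original report) that runs those indicators over a few constructed proxy log lines; the log format (timestamp, client, method, URL, status, quoted User-Agent) is assumed for the example and the domains, IP and User-Agent come from the report above.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the Security Guard report above.
FAKEAV_DOMAINS = {"safeantivirus.net", "save-secure.com", "secures-guard.com", "pmsoftware.us"}
FAKEAV_IPS = {"93.186.119.129"}
SUSPECT_UA = "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"

# Assumed (constructed) log format: timestamp client method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(line):
    """Return the indicators one log line matches (empty list if none),
    or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status, ua = m.groups()
    host = urlsplit(url).hostname or ""
    reasons = []
    if ua == SUSPECT_UA:
        reasons.append("talwininet-user-agent")
    if domain_matches(host, FAKEAV_DOMAINS):
        reasons.append("fakeav-domain")
    if host in FAKEAV_IPS:
        reasons.append("fakeav-direct-ip")
    return {"client": client, "host": host, "reasons": reasons}


def scan(lines):
    """One hit per line that matched at least one indicator."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


# Constructed sample traffic: three lines modelled on the GET requests in the
# report plus one benign request that must not fire.
SAMPLE_LOG = """\
2010-03-19T04:55:01Z 10.0.0.12 GET http://update1.safeantivirus.net/index.php?controller=hash 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2010-03-19T04:55:03Z 10.0.0.12 GET http://save-secure.com/Reports/get_software_data.php?abbr=SGD&pid=3 200 "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"
2010-03-19T04:55:04Z 10.0.0.12 GET http://93.186.119.129/chrome/report.html?uid=1002 200 "Mozilla/3.0 (compatible; TALWinInetHTTPClient)"
2010-03-19T04:56:10Z 10.0.0.33 GET http://www.example.com/index.html 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["host"], ",".join(hit["reasons"]))
```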

Anti-virus scanning:

Sample was detected by 16/42 (38.1%) different types of anti-virus software. (Courtesy of www.virustotal.com)

My personal top 6 scored...

Symantec: Packed.Generic.277
McAfee: Clean
Avast: Win32.Jifas-EI
F-Secure: Clean
Microsoft: TrojanDownloader:Win32/FakeVimes
Kaspersky: Trojan-Downloader.Win32.FraudLoad.wzrx

This information is provided as an as-is, preliminary pass at the analysis of these files and is not meant as a final determination of harm or potential for harm. The data is early and raw and will not be thoroughly reviewed so please use the data at your own risk.

Last Updated on Friday, 19 March 2010 05:10

Malware Reports Intro
Written by Robert Robert   
Thursday, 18 March 2010 21:12

With an exponentially increasing number of samples to process, malware analysis has become a very exciting, fast-paced and, at times, confusing pastime. NovCon handlers rip through new samples every day looking for new threats, new trends, and new methods in use by malware authors. Unfortunately, much of that information never gets to other people in the community who can use it. To this end, NovCon will be posting regular analysis of malware samples we find interesting or exemplary to our blog beginning Friday, March 19th, 2010. These reports will take a sample and dissect it to determine who it talks to, what modifications it makes to its host system, what files it drops, and other behaviors and attributes that can be used to identify the sample and its purpose. We hope you will find this information useful, and feel free to send comments and suggestions our way.

 

This information is provided as an as-is, preliminary pass at the analysis of these files and is not meant as a final determination of harm or potential for harm. The data is early and raw and will not be thoroughly reviewed so please use the data at your own risk.

Last Updated on Thursday, 18 March 2010 21:13

Mobile Security Continued
Written by Dave Smith   
Sunday, 14 February 2010 20:11

In continuation of our summary and recap of Shmoocon, here is a link to the mobile security talk that we referenced in the previous blog posting:

http://www.vimeo.com/9303379

 

And of course, on novcon.TV here

 

It is a fascinating talk that will make you think twice about a lot of your habits and behaviors and how you think about mobile security and your phone. Shmoocon had a lot of eye-opening information this year, and this talk is certainly worth checking out.

Last Updated on Sunday, 14 February 2010 20:28

Shmoocon Summary
Written by Dave Smith   
Thursday, 11 February 2010 21:01

We're back from Shmoocon 2010, with much learned. The nature of the threats to our security is a constantly changing dynamic, and the conferences are a great way to link up with great minds in the field to get a better understanding of that dynamic. It has always been my view that security is relative. A lock's purpose is not to keep something protected against any possible thief, but rather to slow the thief down and disrupt their cost/benefit ratios. The same applies in information security. There is no absolute security, but there are certainly precautions and behaviors that make you a harder target than the next guy.

 

P2P and social networks are two major risks to the average user when not properly used. For P2P, see George's article on the dangers of default sharing settings. For social networks, it's far too easy and too tempting to hit that "allow/accept" button for a person who wants to be your friend whom you are not sure you know, or for the latest game that all of your friends are playing.

 

At the conference we heard about the dangers of both: from pulling personal information out of profiles that accept you, to applications and games, even social iPhone games that allow you to be tracked everywhere you go in the real world. The scary part is that these are the exploits we hear about, not the countless ones we haven't yet heard about.

 

We heard that Windows servers using certain web services, in an attempt to be helpful, will pass Windows filename pseudonyms from a request straight through to the OS. This effectively bypasses access control, MIME-type parsing definitions, and other protections.

 

We heard that it's not just the bugs and vulnerabilities of an application that make it dangerous; sometimes the application's features themselves are the biggest threat. Features designed without fully understanding their impact on the security of the application, its data, or its users allow for new vectors of attack.

 

So how do you protect yourself against vulnerabilities that cannot be patched?

 

The basics cannot be stressed enough.

 

P2P networks

George summed it up pretty well in his article. Also see the article in CSO Online about the talk from Shmoocon.

 

Social Networks

For all your social networking activities, be very careful who you share your information with. Do not friend people you do not know if you plan on sharing personal information, photos, etc.

 

Security vendor Sophos did a study a couple of years ago on users and identity information. For the study they created a fictitious Facebook profile with the profile picture of a plastic frog and sent friend requests to 200 users. 87 friended the plastic frog, many of whom exposed personal information such as birthdate, address, phone numbers and employment/education histories.

 

Unfortunately it's not just about vetting your friends. Applications and games can access your profile information, and not all developers are angels. Many game developers' revenues are based on getting you to click on ads, give your personal information to survey and marketing firms, etc. And some are more malicious than that.

 

Also see our article on basic computer security for more information on the dangers of social networks.

 

Location Based Games and Services

I think this one should be fairly obvious. If you play a location-based game on your iPhone or other smart/connected device, you are handing over your real-time location to people you have not met. The implications of this were made very clear at a talk at Shmoocon where users' daily lives could be seen mapped out as data on Google Earth.

 

For the Admins

It is very, very important to stay on top of what the current attack trends are. As is the case with the Windows file pseudonym vulnerabilities discussed at Shmoocon this year, the attacks do not have to be extremely high tech, and the exploited vulnerability does not have to be some brand new bug. Some of our biggest vulnerabilities are bugs that have existed since the beginning of an application or platform. Keeping on top of patches is not enough. Knowing how to quickly detect and respond to the very latest threats requires knowing about and understanding those threats. Be active in the community.

 

Security takes all of us.

Last Updated on Saturday, 13 February 2010 20:12