Category: Malware

AV-Test says they expect to see five million new malware samples each month – about double the rate from last year.

“This dramatic development is also forcing the manufacturers of anti-virus software to adopt different strategies, for example whitelisting, an approach that has now been popular for a number of years.” “Instead of sending 100,000 users the identical malware sample, a malware writer generates 10,000 unique samples for 10 users each or even 100,000 completely unique samples.” “In the majority of cases, the malware writers are using the same executable and then, it will automatically be encrypted, packed and scrambled in different ways,” said Marx.

In the back and forth between the bad guys and security companies, attackers must constantly change their strategies if they hope to reach any ripe targets.

Perhaps 60 million new pieces of malware might just be the sign of a job well done, but nonetheless, it’s a scary number.

Link: http://www.itproportal.com/2013/05/24/2013-will-see-an-explosion-in-malware/

So he created Simseer, a free online service that performs automated analysis on submitted malware samples and tells and shows you just how similar they are to other submitted specimens.

According to the website, Simseer detects malware’s control flow, which changes much less than string signatures or similar features, and polymorphic and metamorphic malware variant usually share the same control flow.

It runs on an Amazon EC2 cluster with a dozen or so virtual servers, and is “fed” by Cesare every night with gigabytes of malware code downloaded from other free sources such as VirusShare.

As said before, it works on any kind of software, and can be used for plagiarism and software theft detection, as well as incident response.

Link: http://www.net-security.org/malware_news.php?id=2505&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

“The Payza transaction PIN is used every time a user wants to send funds, add funds, withdraw funds or make a payment,” Trusteer researcher Etay Maor said Tuesday in a blog post.

These stem from the wide use of public computers in locations such as Internet cafes and the generally low level of online security awareness, he said.

“Public computers are typically at higher risk for malware infections and when used by an unsuspecting user, the chances of a successful fraudulent transfer are much higher.”

Link: http://www.pcworld.com/article/2039502/new-citadel-malware-variant-targets-payza-online-payment-platform.html

The Andromeda spam botnet is a good example of this trend, this time with aid of the Blackhole Exploit kits (BHEK) and some new neat tricks. This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit kit. Some of the commands the malware can execute include downloading other malware onto the system, most notably info-stealing threats like ZeuS/ZBOT variants.

Because some Andromeda-related spam messages eerily looks like legitimate email notification from commercial services (flight, hotel, courier services etc.), the usual criteria for determining a spam are not sufficient. Since BHEK is known to exploit software vulnerabilities like Java, you must always update your system with the latest security patch or re-consider your use of Java. For better protection, install antimalware software like Trend Micro, which protects your system from spam, malicious URLs, and malware.

Link: http://blog.trendmicro.com/trendlabs-security-intelligence/keeping-up-with-the-andromeda-botnet/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar.

Managing this malware for now involves simply checking one’s log-in items (select your username in the Users & Groups system preferences and click the Login Items tab) and removing the macs.app program if present to prevent it from being launched when you log in. Locating and removing the macs.app program file from your computer is also advised; this could be in the Downloads folder, the home directory, or in the Applications folder at the root of the drive.

Link: http://reviews.cnet.com/8301-13727_7-57584804-263/new-mac-spyware-found-in-the-oslo-freedom-forum/

“This latest version has a fall-back C&C mechanism that is based upon a domain name generation algorithm (DGA),” wrote Manos Antonakakis, Damballa’s Chief Scientist and lead researcher on the report, issued Wednesday. “If the malware cannot successfully resolve any of the domains that are hard coded into it, it will start using the DGA in an effort to connect to the currently active DGA C&C.”

Researchers at antibotnet vendor Damballa Labs performed malware analysis on the new Pushdo variant and monitored several of the domains generated by the new domain algorithm to measure the scope of the new threat.

The latest domain generation algorithm technique is a backup, only used if the malware on an infected machine fails to connect with the primary command-and-control server.

“This is a very smart way to defeat generic network signature and sandboxing systems that simply block the network communication observed during the dynamic analysis of the malicious binary,” the researchers said

Link: http://www.crn.com/news/security/240154963/malware-behind-oldest-most-active-spam-botnet-gets-refresh.htm