Category: Malware

The Andromeda spam botnet is a good example of this trend, this time with aid of the Blackhole Exploit kits (BHEK) and some new neat tricks. This threat arrives as a spammed message containing a malicious attachment (GAMARUE variants) or links leading to certain sites, which now include those compromised by the notorious Blackhole Exploit kit. Some of the commands the malware can execute include downloading other malware onto the system, most notably info-stealing threats like ZeuS/ZBOT variants.

Because some Andromeda-related spam messages eerily looks like legitimate email notification from commercial services (flight, hotel, courier services etc.), the usual criteria for determining a spam are not sufficient. Since BHEK is known to exploit software vulnerabilities like Java, you must always update your system with the latest security patch or re-consider your use of Java. For better protection, install antimalware software like Trend Micro, which protects your system from spam, malicious URLs, and malware.

Link: http://blog.trendmicro.com/trendlabs-security-intelligence/keeping-up-with-the-andromeda-botnet/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar.

Managing this malware for now involves simply checking one’s log-in items (select your username in the Users & Groups system preferences and click the Login Items tab) and removing the macs.app program if present to prevent it from being launched when you log in. Locating and removing the macs.app program file from your computer is also advised; this could be in the Downloads folder, the home directory, or in the Applications folder at the root of the drive.

Link: http://reviews.cnet.com/8301-13727_7-57584804-263/new-mac-spyware-found-in-the-oslo-freedom-forum/

“This latest version has a fall-back C&C mechanism that is based upon a domain name generation algorithm (DGA),” wrote Manos Antonakakis, Damballa’s Chief Scientist and lead researcher on the report, issued Wednesday. “If the malware cannot successfully resolve any of the domains that are hard coded into it, it will start using the DGA in an effort to connect to the currently active DGA C&C.”

Researchers at antibotnet vendor Damballa Labs performed malware analysis on the new Pushdo variant and monitored several of the domains generated by the new domain algorithm to measure the scope of the new threat.

The latest domain generation algorithm technique is a backup, only used if the malware on an infected machine fails to connect with the primary command-and-control server.

“This is a very smart way to defeat generic network signature and sandboxing systems that simply block the network communication observed during the dynamic analysis of the malicious binary,” the researchers said

Link: http://www.crn.com/news/security/240154963/malware-behind-oldest-most-active-spam-botnet-gets-refresh.htm

In a move to significantly close the gap between discovery and mitigation of targeted attacks, HBGary, a subsidiary of ManTech International Corporation, unveiled the next-generation version of Responder™ Pro, the de facto industry standard in automated Windows® physical memory analysis. By leveraging Digital DNA™ 3.0, HBGary’s flagship technology, Responder™ Pro…