Bad bunny – first OpenOffice virus, and it’s cross-platform!

It runs on Windows, Mac and Linux computers, acting differently for each OS. Anti-malware vendor Sophos admits it poses a low threat, especially as it’s only a proof-of-concept that hasn’t actually been discovered ‘in the wild’.


    SecuriTeam Secure Disclosure

    SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.

Gozi Trojan analysis

SecureWorks have posted an analysis of another Trojan, this one used to steal SSL/TLS-encrypted data transferred from the victimized PC.

A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized Trojan code
  • Spread through IE browser exploits
  • Undetected for weeks, months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

Full article is here.


Smarter and Smarter

Websense has posted a nice malware analysis showing how easy security software can be bypassed by malicious software.

Before performing its primary objective, this malware first disarms any antivirus or firewall it can:

The file is packed with a custom packer/protector, which we had never encountered before. Here is a brief description of the packer and what it does to prevent analysis.

The protected application doesn’t run in a Virtual Machine (default configuration). Once this problem is fixed, it generates 1372 (!) exceptions in the loader to thwart debuggers, tracers, emulators, and so forth.

There is a CRC to prevent patching of the protection code; therefore, the protector will never call the original entry point if the code has been patched, or if a software breakpoint is found in the routine.

One of the first things the malware does is to scan for security applications in memory. It uses a few different techniques, including looking for Windows Name, Process Name

It kills several antivirus products, if they are found in memory, as well as some firewall products.

Lowers the computer sound volume, in order to prevent the users from hearing a warning sound generated by antivirus programs.

Full analysis is here.


Distributing malware over ed2k network

While searching for some legitimate content on the ed2k p2p network I stumbled into some strange search results. Those results looked as if they were forged from the search query. I then searched for surely non-existent files and got the same forged results.

Quick check of the files shows that at least one of them contains malware.

The malicious server forges an ed2k link for every query by changing only the name of the file, while the hash remains the same. The malicious server then connects to one of the biggest servers in the network. Users who use Global search (trans-server) will receive the link on almost every search, and the result may look very legitimate due to the good availability of the file. The malicious files are very well shared and will be downloaded in a matter of seconds.
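A client-side heuristic for spotting the forged results described above, as an added example that is not part of the original post: a single hash offered under a name that merely echoes the search string, for several unrelated queries, is the pattern the malicious server produces. The result tuples and hash values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample search results: (query, file name, hash, size in bytes).
# Hashes are made-up placeholders, not real indicators.
FORGED_HASH = "a" * 32
SAMPLE_RESULTS = [
    ("ubuntu iso", "ubuntu iso.exe", FORGED_HASH, 1234567),
    ("holiday photos", "holiday photos.exe", FORGED_HASH, 1234567),
    # Probe query for a file that surely does not exist: still gets a hit.
    ("zxqv nonexistent file", "zxqv nonexistent file.exe", FORGED_HASH, 1234567),
    ("ubuntu iso", "ubuntu-6.10-desktop-i386.iso", "b" * 32, 729000000),
    ("holiday photos", "holiday_photos_2006.zip", "c" * 32, 5000000),
]


def name_echoes_query(file_name, query):
    """True when the file name (minus extension) is just the query text."""
    stem = file_name.rsplit(".", 1)[0]
    return stem.strip().lower() == query.strip().lower()


def find_forged_hashes(results, min_queries=3):
    """Return the set of hashes that were offered for at least `min_queries`
    distinct queries, each time under a file name forged from the query."""
    queries_by_file = defaultdict(set)
    for query, file_name, file_hash, size in results:
        if name_echoes_query(file_name, query):
            # Same hash and same size across unrelated queries: one file, many names.
            queries_by_file[(file_hash, size)].add(query.lower())
    return {h for (h, _), qs in queries_by_file.items() if len(qs) >= min_queries}


def filter_results(results, forged_hashes):
    """Drop every result whose hash was flagged as forged."""
    return [r for r in results if r[2] not in forged_hashes]


if __name__ == "__main__":
    flagged = find_forged_hashes(SAMPLE_RESULTS)
    for query, file_name, file_hash, size in filter_results(SAMPLE_RESULTS, flagged):
        print(query, "->", file_name)
```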


Google debug

I love Google’s web applications. They are cool and actually set a new standard for the Web we know today. It’s fun and educating to check out their JavaScript code. And as usual, when you dig into somebody’s code, you find surprises.


Google Releases Code Search

Google released a code search engine to catch up with Krugle, Koders, and Codease.

Like most of the other Google tools it can be easily abused for hacking 🙂

To find undisclosed vulnerabilities, look through the code this query returns:

http://www.google.com/codesearch?q=ugly%7Chack%7Cfixme

Or some other interesting combination (Use your favorite ugly code comment).


Mac Mini running OS X got pwned in 30 minutes.

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer’s security and gain root control… – writes ZDNet

“This sucks. Six hours later this poor little Mac was owned and this page got defaced. Good thing is it didn’t get rm’d!”
