Category: Malware Analysis

C’è una Cartolina per te! (“There’s a postcard for you!”) = Backdoor.IRC.Zapchast

We have noticed new waves of spam messages, this time in Italian only, built around a “Happy Easter” (Buona Pasqua) theme. They contain malicious links that redirect users to download a file named BuonaPasqua.gif.exe, detected as Backdoor.IRC.Zapchast, which appears to be an IRC bot. Email headers: Sender: Cartolin...

A new DDoS bot named RussKill is in the wild

RussKill is another DDoS bot controlled through a web panel, from which operators send commands to their bots and launch an attack against a specified website using one of two DDoS methods. HTTP-Flood: generates threaded requests to the site's index page, trying to make the attacked page unreachable for regular users, […]
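As an added example (not code from the original post or from the RussKill panel): detection logic for the HTTP-Flood method described above, run over constructed Apache combined-format access log lines. It counts requests for the index page per client address inside a sliding time window and reports addresses that exceed a threshold. The window length, the threshold, the index paths and the sample addresses are assumptions; a flood against a site usually stands out by many index hits per second from one source, which is what this looks for.

```python
"""Flag sources of an HTTP flood against the index page in web-server access logs.

Added example, not from the original post: parse Apache 'combined'-format lines,
count index-page requests per client IP in a sliding window, and report IPs whose
peak rate exceeds a threshold. All sample log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (assumed; adjust the pattern for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
INDEX_PATHS = {"/", "/index.html", "/index.php"}   # assumed index page names


def parse_line(line):
    """Return (ip, timestamp, path, user_agent) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), m.group("ua")


def find_flooders(lines, window_s=10, threshold=20):
    """Return {ip: peak_index_requests_in_window} for IPs that exceed `threshold`
    index-page requests within any `window_s`-second window.

    Lines are assumed to be in chronological order per client address, which is
    how a web server writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of index hits inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not crash
        ip, ts, path, _ua = rec
        if path.split("?", 1)[0] not in INDEX_PATHS:
            continue                      # only index-page hits count for this check
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # drop hits that fell out of the window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def _sample_line(ip, second, path="/"):
    """Constructed Apache combined-format line (example data only)."""
    return (f'{ip} - - [05/Apr/2010:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/4.0"')


SAMPLE_LOG = (
    # flooder (documentation address): three index requests per second for ten seconds
    [_sample_line("203.0.113.7", s) for s in range(10) for _ in range(3)]
    # the same address also fetches an image, which the check ignores
    + [_sample_line("203.0.113.7", 5, "/images/logo.png")]
    # normal visitor: a few index requests spread over a minute
    + [_sample_line("198.51.100.2", s) for s in (0, 15, 30, 45, 55)]
    # a line in some other format, skipped by the parser
    + ["garbage line"]
)

if __name__ == "__main__":
    for ip, n in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {n} index requests within 10 s")
```

Run against a real log with `find_flooders(open("access.log"))`; tune `window_s` and `threshold` to the site's normal traffic before acting on the output, since a busy shared proxy can also send many index requests from one address.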

Welcome to the jungle: Zeus + Pinch + Rogue Software

This second part of our analysis (following part 1) shows what the files we collected did once live. From the main loader we can extract the following useful strings: msxslt3.exe MsXSLT SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ntdll.dll wininet.dll Content-Type: application/x-www-form-ur...

Unpacking Mystic Compressor used to pack Rogue Software

Today we analyze a sample of rogue security software packed with an unknown packer named Mystic Compressor, which has been seen used mostly to pack rogue security software executables. Steve has successfully unpacked the sample, and this is his analysis: Call to VirtualProtect to make the data in […]

TDSS Trojan spreading through social networks

Users have reported to us another case of a large blackhat SEO campaign used to redirect traffic to infected websites, with the objective of infecting visitors with the widespread and very dangerous TDSS Trojan. The campaign targeted the most popular video streaming websites, such as YouTube, Metacafe, etc., and the malicious files t...

PluginVideo: a fake codec that installs Trojan.DNSChanger

In the last few days, while browsing the Internet, I was redirected to a file named VideoCodec.exe and to another file named PluginCodec.exe. Both files are fake video codecs and are actually infected with Trojan.DNSChanger. Trojan.DNSChanger is a trojan that modifies the DNS settings of the compromised computer to point to a ...

Worm.Win32.Koobface

A user sent us another fake video codec downloaded from a fake movie website, which used fake Flash movies to push the user into downloading the codec. Once executed, the program generates the following Internet traffic: POST /achcheck.php HTTP/1.1 Host: […]

Small overview of Conficker Worm (PDF)

I wrote this short PDF as a brief overview of the famous worm named Conficker (aka Downadup). The “history” starts with the discovery of the vulnerability in Microsoft Windows operating systems designated MS08-067. Italian version: 100 KB. English version: 99 KB.

Worm.Win32.Sohanad – The Yahoo Messenger Worm

Worm.IM.Sohanad is a worm that spreads via Yahoo Messenger and can infect every contact in your Yahoo Messenger contact list by sending them a text message containing a malicious HTTP link that pushes the recipient to download the worm. It's also possible for the worm to send an HTTP link that […]

Analysis of a website infected with a hidden iframe

A user submitted a suspicious link that was present in his website as a hidden iframe. Malicious hidden iframes are mainly inserted into the HTML pages of legitimate websites by attackers who want to spread their malware, with the objective of infecting every user who visits the compromised website; in most cases, […]
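As an added example (not code from the original post): a scanner for the kind of hidden iframe described above. It walks an HTML document with the standard-library parser and reports every iframe that is hidden by the usual tricks, zero- or one-pixel size, display:none or visibility:hidden, off-screen positioning, or an ancestor element that is itself hidden with CSS. The sample page is constructed; the hidden-iframe heuristics are assumptions about what injected frames usually look like, not a complete list.

```python
"""Find hidden iframes in an HTML page.

Added example, not from the original post: report <iframe> elements hidden by
tiny size, CSS, off-screen positioning, or a hidden ancestor. SAMPLE_HTML is a
constructed page; the .example hostnames are reserved and not real sites.
"""
import re
from html.parser import HTMLParser

CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CSS_TINY = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\b", re.I)
CSS_OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Elements that never get an end tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (bare number or '...px')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value, re.I)
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every iframe that looks hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._stack = []          # one bool per open element: does it hide its subtree?
        self._hidden_depth = 0    # number of open ancestors hidden via CSS

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "")
        css_hidden = bool(CSS_HIDDEN.search(style))
        if tag == "iframe":
            reasons = set()
            if _tiny(a.get("width")) or _tiny(a.get("height")) or CSS_TINY.search(style):
                reasons.add("tiny")
            if css_hidden:
                reasons.add("css-hidden")
            if CSS_OFFSCREEN.search(style):
                reasons.add("offscreen")
            if self._hidden_depth > 0:
                reasons.add("hidden-ancestor")
            if reasons:
                self.findings.append((a.get("src", ""), tuple(sorted(reasons))))
        if tag not in VOID:
            self._stack.append(css_hidden)
            if css_hidden:
                self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Assumes reasonably well-formed nesting; stray end tags just pop one entry.
        if self._stack and self._stack.pop():
            self._hidden_depth -= 1


def find_hidden_iframes(html):
    """Return a list of (src, reasons) tuples for hidden iframes in `html`."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate embed and two injected, hidden frames.
SAMPLE_HTML = """
<html><body>
<p>Welcome to my site</p>
<iframe src="https://www.youtube.com/embed/abc" width="425" height="344"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<div style="display:none">
  <iframe src="http://evil2.example/x.php" style="position:absolute;left:-5000px"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src} ({', '.join(reasons)})")
```

Run it over a saved copy of the page (`find_hidden_iframes(open("index.html").read())`); iframes injected by obfuscated JavaScript at load time will not appear in the static HTML, so also compare the served page against a clean copy from source control.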