
ID08

The second day of Internetdagarna (22/10-08) was spent in the Security track as well, except for the last seminar where I switched to the society track.

The first seminar was “Pålitlig e-post / Anti-spam” which translates to “Reliable e-mail / Anti-spam”. The moderator for this seminar was Jörgen Eriksson from .SE.

First speaker out was Amar Andersson from TeliaSonera and he spoke about “Spam protection that undermines its own goals”. I can honestly say that I did not follow this well enough as I was very tired during this first seminar and I kind of regret it now. However, the main problem he presented was the lack of coordination and standards in anti-spam prevention methods. He mentioned blacklisting in general and the DUL blacklist in particular, hostname “naming” (reverse lookups which result in a name containing either “static” or “dynamic”) and how to make sure your e-mails get delivered in this day and age where the requirements for delivery can vary quite a lot from server to server (correct HELO/EHLO messages, correct reverse lookups, SPF and other DNS-related issues).

Next speaker up was Bengt Carlsson from Blekinge Tekniska Högskola, who had just announced a new project between .SE and BTH. The project name was “säker e-post hantering bland illsinnad programvara” which translates to “Secure e-mail management amongst malicious software”.

After this Rickard Bondesson from Linköpings Universitet took the stage to present his research on DKIM, DKIM-milter and DNSSEC implementations. This was quite a long and very informative presentation which stepped through his research in a comprehensive way under the following bullets: Forged e-mail, Prevention of forged e-mail, DKIM, Reliability within DNS, Implementation, Tests, Statistics, Experiences.

After this there was a small moderated panel debate on the topic of Reliable e-mail.

The next seminar was “Parasitekonomin på Internet” which (roughly) translates to “The parasitic economy on the internet”. Stefan Görling from KTH moderated and had one presentation, and the other speakers were two representatives from Lavasoft (you know, the guys behind Ad-Aware) and Martin Boldt (IT-security researcher from BTH).

Görling started out by picking at affiliate systems and the ease of exploiting these services for profit, and he worked from a site that supposedly uses this format in a legit way. He did not go into the malware point of view very much, but he touched on the subject when talking about the default pages of mis-spelled domain names, which contain only affiliate links.

The guys (they were two) from Lavasoft then held their presentation, which more or less detailed the different types of spyware they had included during the year, and also made a strange remark saying that TeliaSonera was gaining money from the malware circulating on the internet (as they’re an ISP, they supposedly make a profit when their bandwidth is used… hrrm…). This little remark came back to bite them in the ass when a (quite upset) TeliaSonera security employee demanded that they take that statement back during the Q & A at the end of the session.

Following this, Martin Boldt from BTH discussed reputation systems and automatic EULA analysis. He had researched these areas and they were at this moment involved in creating web browser plugins and applications to enable users to share their thoughts and scores on specific applications (binary files). See their project website at www.softwareputation.com for more information. He also noted that this project is still in Alpha stage. The ideas they have look kind of like Panda Security’s Collective Intelligence, except it is user generated, not automatic.

When it came to EULA analysis they’ve taken a harder route than SpywareGuide’s EULA analyzer and used many different Bayesian and similar algorithms in order to decide whether an EULA is “good” or “bad”, with a high level of success. Ideas for the future were to integrate this automatically into the system so that any EULA boxes could be automatically read and scored.

After this there was a Q&A session and Lavasoft’s statements were quite heavily scrutinized both by the TeliaSonera employee and Netnod‘s CEO Kurt-Erik Lindqvist (I think it was him but I only heard the voice, so don’t quote me on this). It seems like Lavasoft’s statement was just illustrative and that they based their assumptions on a US ISP that had misbehaved and in some ways had profited from bad software.

Here I switched room and joined the “Infrastructure and society”-line of seminars. The one I was interested in was “Integritet och övervakning” which translates to “Integrity and surveillance”.

This seminar was moderated by Johan Hallsenius (editor for Computer Sweden) and the debate panel was populated only by pro-integrity people, as none of the invited politicians and FRA people had turned up even though they were invited. The panel members were Oscar Swartz (debater, writer and blogger), Patrik Fältström (Cisco), Fredrik von Essen (Swedish IT and Telecom Industries) and Daniel Westman (Juridicum, Stockholms University).

The focus of the debate was of course the FRA law, but also dangerous EU directives and other laws that impede personal integrity. It was an interesting debate, but as “the other side” was missing no hard questions could be discussed. I talked briefly to Oscar Swartz before the seminar and he described it as a “non-debate”, as there was only one point of view from all participants (with small diversions). He wrote a post on “Internetdagarna” on his blog in which he briefly mentions this debate.

It was also interesting to hear what Fredrik von Essen from the Swedish IT and Telecom Industries had to say on this issue.

Unfortunately I had to leave before the Q&A session that followed, so I’m looking forward to the sound recording that is to be released here.

Some pictures from this day:

Integrity debate
Martin Boldt (from BTH)


Internetdagarna, the internet days, 2008

Back from the first day of Internetdagarna ’08 (The Internet Days) where I followed the IT-security line of seminars.

So what did I get home with me, apart from the orange swag-bag above, from the different seminars?

The first seminar was “Hotbilden – organiserad brottslighet, cyberterrorism och industrispionage” which translates to something like “The threat landscape – organized crime, cyberterrorism and industrial espionage” and was moderated by security-interested journalist Tomas Gilså from Techworld. The participants were Tomas Djurling (DSI), Vesa Virta (FRA), Svante Nygren (KBM) and Stefan B Grinneby (SITIC).

First a presentation was held by Tomas Djurling which discussed the different threats against Swedish companies and organizations and where those were coming from. Tomas is a former FRA employee and as such the seminar was a bit colored by international military and paramilitary threats. He also said that Islamist terrorists are getting funding through internet crimes such as CC-stealing botnets and so on. No references were given during the presentation and this was new to me (!), so it’ll be interesting to see if this is going to be discussed further in the industry (and if it’s true). Of course, if FRA is his source we will never know, as their business is classified.

After his presentation there was a moderator-led debate in which the audience could submit questions on paper notes. I’m not going to comment on what was said here at this time, but there were some interesting things discussed. The sound recording of this debate will be published later and I need to get some facts straight before commenting on what was said here.

The next seminar was “Incidenthantering i praktiken” which in English is “Practical incident management” and was moderated by Anne-Marie Eklund Löwinder from .SE. Three speakers participated and those were Stefan B Grinneby (SITIC), Annica Bergman (Dataföreningen) and Michael Anderberg (Microsoft).

Stefan from SITIC talked about practical incident management under the theme “Incident management, firefighting or oil sanitation” and it actually worked ;) It was a good introduction to the process of both preparing for incidents and practical hints on what to do in case of an emergency. His presentation was very clear and it made me want to steal parts for my seminars ;) We’ll see about that though ;)

Annica Bergman from Dataföreningen talked about a large-scale incident that took place in the beginning of 2008, when the hacker group “Vuxna Förbannade hackare” broke into their member services using SQL injection attacks and stole their whole member list (26000 members) including e-mail addresses and passwords. These details were later published on Flashback with a huge media storm as a result. She described the 90 days following the incident and discussed what her experience had been like, and it was interesting listening to it. I wrote about another intrusion made by this group in this post.

Michael Anderberg from Microsoft talked about SDL (Secure Development Lifecycle) and how it’s applicable not only to software development, but also to incident preparation and management with CodeRed/Nimda as examples. For those interested he also gave a reference to this book as a source of additional information.

Last but not least was “Debatt: Utmaningarna” which translates to “Debate: The challenges”, a debate about what the internet would look like in the year 2020 policy- and security-wise. The participants were Jan Kallberg (legal expert, also debate moderator), Nicklas Lundblad (Policy Manager, Google Europe) and Kurt-Erik Lindqvist (CEO Netnod).

This seminar started out with all speakers taking turns to present their primary views on what the internet would look like and what implications that might have in the year 2020 (12 years from now).

After this there was a moderator-led debate in which the audience also got to pose questions or statements that the panel commented on. The debate was entertaining, informative and extremely straightforward. A lot of the discussion related either directly or indirectly to the surveillance debate we are seeing all over the world, and it was great to see the panel tackle both the philosophical angle and the practical angle of this. This was, for me, the most intellectually stimulating seminar of all. Great perspectives presented by great thinkers.

Tomorrow Internetdagarna ’08 continues and I’ll be back with more information.

Here are a few of the photos I took during the day (didn’t take many, focused on listening ;) ):

Internetdagarna ’08 posters
My colleague Rickard Uddenberg (Marketing Manager, Panda Security)
A Free Software Foundation rep who also gave me a tip about gNewSense (the really free (as in freedom) Linux distribution)
The Free Software Foundation poster behind him…
The World Internet Institute (the Swedish part of the World Internet Project) poster.


Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things that may relate to my employer. Read “About this blog”.

Photo: EricGjerde on Flickr (http://flickr.com/photos/origomi/).

I wasn’t going to comment on this really, but after reading up on all the different posts on the issue I’m feeling that some things are being missed. Especially after looking at Secunia CTO Thomas Kristensen’s latest blog post.

What I’m reacting to are these comments:

Our point is not that Internet Security Suites are useless (they are quite useful for most users). Instead, our point is that they protect insufficiently against hackers and that it is better to prevent attacks by patching rather than relying on other security measures alone.

When have we (the anti-malware vendors) said that our users do not need to patch? Sure, we have protections that will catch things proactively, but that is meant for 0-day exploits etc. and is not meant as a replacement for patches.

Also, our products (Panda Security’s) for home users will scream bloody murder with annoying (but configurable) pop-ups if you do not have all MS patches installed. And I know that other vendors do this as well. Our corporate products also contain MalwareRadar which by default (not configurable) does an inventory of installed patches and includes it in the report.

Next comment from Secunia’s CTO:

In my opinion it would serve the security industry well if AV-vendors would admit that the security provided by their products rely on a reasonably updated and well administrated system. If they really could protect systems without patches, then I’m quite confident that software vendors would stop making patches and instead provide these fabulous security solutions themselves.

Again, who said we do not need patches? Let me translate this to what I’m actually reading (my parody below):

In my opinion it would serve you guys in the anti-malware business good if you could tone down the “we take all proactively”-attitude so that we could make some money out of helping people see what needs to be patched. Also, plz be quick or Microsoft will start pushing this attitude as well and then I’m pretty much screwed.

But a bit more seriously. This is a publicity stunt and there’s no point in discussing it further: a company publishing a report promoting their solution to a problem that has been incorrectly researched.

And when it comes to the test itself I think the other commentators have been too nice.

The methods used for testing illustrate a great lack of knowledge of how to test client security solutions these days, and the worst thing is that I think they knew it. I can’t imagine the testers at Secunia being so stupid, when they’ve shown such skill before, that they didn’t realise that their methodology was flawed.

I mean, testing by scanning a bunch of exploit files? What are they after? That we detect their specific exploits by signature? Who would have anything to gain from that?

They then move on to say that we should detect exploits in a more generic way… Alright, how do you want us to do that? Look for shellcode in the files? Look for format exploit strings in the files? This is a false positive waiting to happen.

If we were to look for exploits (still, KNOWN EXPLOITS) we would have to first include a lot of new crap in the signature (as if it were not enough) and then implement detection routines that span whole files, as we do not know where the crap might be. Good-bye CPU and memory, I’ll see you when you’re done…

The report really shows a total lack of understanding of how AVs work today and the problems that we face with signatures.

What we and others have done INSTEAD is to create protections that “see” when an application does something it shouldn’t do or something suspicious. These protections also monitor network traffic and can proactively detect and block traffic that shouldn’t be there.

This is why a test against 300 files lying on your hard drive does not give any accurate results whatsoever. Our protection stops genuinely active malicious code, or applications that are being actively exploited, by looking at the system and stopping things that do not look normal.

Ah well… Long story short this kinda ruins Secunia for me as an information resource.

For several years I’ve been using their web-based resources for unbiased information, but I guess that’s over now.


PS. Tired as hell now, so please excuse any linguistic or grammatical errors in the text above. ;) .DS



…and only leaves me one day in the office (Monday).

First we have:

Internetdagarna

Tuesday and Wednesday I’m attending InternetDagarna (“The Internet Days”) in Stockholm. These will be packed with interesting seminars ranging from DNSSEC and youths on the internet to IT in politics. It’ll be a very interesting two days and I promise to take a lot of photos. Probably going to do some posts from the event if wireless is available. From their site:

All in all the conference will feature close to 100 national and international speakers in more than 30 sessions, organized in five parallel tracks:

1. IP and networking
2. Security
3. Public Internet policy
4. Web / Mobile web
5. Domain names

The central theme for Internetdagarna 2008 is the transition to IP version 6. We dedicate a full day on the IP and networking track to various aspects of IPv6, from a basic tutorial to experiences from those who have taken the leap.

And then there’s…

Panda

…Thursday, when I’m going up to Luleå in the north of Sweden to have a seminar on evolving malware threats and how our solutions tackle these threats. I’ll do a post on this later on.

And on Friday I travel to Umeå (also in the north) to have the same seminar.

I’m going to be tired Friday night ;)


Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things about my employer. Read “About this blog” for details.

The Stockholm event was a success and was visited by old, new and prospective customers. Met some people who have been with us for quite a while, and it’s also always nice to meet new faces.

The day started out with some nice laptop-vs-projector problems, which of course attracted a crowd of willing engineers.

Even our CEO wanted in ;)

Corporate and retail support in perfect symbiosis as they handled the clothing things. Yep, it’s starting to get cold again in Sweden. And yep, you gotta love the assignment.

The seminars started out with our CEO speaking,

Then Sebastian Zabala,

And then we had a break. I talked to customers with product questions or suggestions,

And then it was time for Pedro’s quite long (but informative) presentation…

.. in which he talked about some interesting things that might have been a bit over the audience’s heads. But I think they got the ideas and understood the main picture of what he was talking about. Not sure about the deep technical details though.

All-in-all a great event.

Sorry for the lousy quality… had to peak the ISO settings for the camera to even perform without a flash in the low light…

Cheers,


Warning: Panda Security/work related post. This is a personal blog but from time to time I’m posting things about my employer. Read “About this blog” for details.

Panda Security Days 2008

For those interested. Kinda late notice, but anyways. The dates are:

1 October: Stockholm, Skandiabiografen, Drottninggatan 82
2 October: Gothenburg, Biopalatset Salon 5, Kungstorget 2
3 October: Malmö, Filmstaden 2, Storgatan 22

I’m not speaking, but if someone wants to meet me I’ll be there answering questions before, during breaks and after. I’ll also be demonstrating TruPrevent policy creation with practical examples for those interested.

The schedule for the day is:

09.00 Breakfast and registration
09.30 Introduction Bo Hasse Gustafsson, CEO, PCM International AB
09.45 Sebastian Zabala, Security Expert, PCM International AB
10.30 Break (Coffee etc.)
10.45 Pedro Bustamante, Senior Research Advisor, Panda Security International
11.45 End notes
12.00 Lunch until 13.00.

Almost all material is going to be in Swedish, but Pedro’s presentation is in English as always.

Bringing my camera and will post photos of the event later on (CC Attribution).


Warning: Panda Security/work related post. ;)

… this week.

The main news in the 4.03 release is:

* Optimized console performance
* Reduced installation package size
* More auto-uninstallers for competitor products
* Improved update features for mobile users
* Full support for XP SP3 and Vista SP1
* Full support for Exchange 2007 SP1
* Full NAP support in our desktop protections

A lot of other news and bugfixes also included.

Ask your local Panda office for the complete document of changes.

If you’re a client you can download the upgrade here.

Cheers,


Photo: Today is a good day on Flickr (http://flickr.com/photos/good_day/).

I’m sitting here preparing for a meeting at which I will discuss our role in a client’s PCI DSS project, and I thought it might do others good if I post what I’m thinking as well.

First off, remember that all of this is from a Panda AdminSecure/MalwareRadar point of view and it might not apply to other solutions.

Alright then. Which control objectives and sub-objectives are we even directly responsible for when helping the client achieve compliance? By my thinking it should be:

Requirement 5: Use and regularly update anti-virus software or programs (all subs)

Even though the term anti-virus doesn’t really apply anymore, we can help with this ;)

Those that we might be affected by/can help with are:

Requirement 6: Develop and maintain secure systems and applications
— 6.1 Ensure that all system components and software have the latest vendor supplied security patches installed.
[...continued]

Requirement 11: Regularly test security systems and processes
— 11.2 Run internal and external network vulnerability scans at least quarterly
[...continued]
— 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems [...continued]
— 11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files [...continued]

and how can we do that? My notes on all mentioned subcomponents below…

The main ones:

5.1: This point discusses deployment of anti-virus protections. With Panda solutions, there’s no problem here. Deployment can be done by pushing (RPC) or setting login scripts from within the console and there is also .exe’s and .msi’s available for those that have bigger deployment solutions.

5.1.1: This point discusses verifying correct operation in the solution at hand and seeing to it that it also detects and removes other threats such as spyware or adware. The function verification is really up to the client, but of course we’ll help ‘em if they need help ;) heh… And spyware/adware has been a part of our signature since 2004.

5.2: This point discusses the monitoring of the chosen solution to ensure that it is working, is updated and is capable of generating logs. All of this can be monitored from within the AdminSecure console, and scheduled reports can be set up to inform admins of the current status. There is also the possibility of using other logging and notification services such as syslog and SNMP, but one should be aware that these units need to be reachable from the client computers, as the warnings will originate from them.

and then the others that we might be able to help with:

6.1: This point discusses the need to ensure that all computers have all security related patches applied. We can help with this by offering scans with MalwareRadar (distributed by pushing (RPC), .exe’s or .msi’s) which does both low-level scanning with a huge (too huge for on-access scanners) signature and patch inventory on scanned machines. MalwareRadar is a part of AdminSecure as of version 4.02.01 (beginning of 2008 I think).

11.2: This point discusses running vulnerability scans periodically or after significant network changes. MalwareRadar might be applicable here, but I would not really classify it as a vulnerability scanner. From marketing they will however probably say that it applies ;)

11.4: This point discusses and encourages the use of NIDS, NIPS, HIDS and HIPS. In this section we can help with the HIPS part via TruPrevent. TruPrevent is more than just a HIPS but it has all the features of one. This component was released in late 2004 and has been optimized since for both capabilities and performance. It installs by default on both clients and servers. Read more here, here and here.

11.5: This point discusses the use of file integrity monitoring software. This is being done in part by our client protection with TruPrevent (see point above) on some critical system files and behaviours. It could however be locked down even further by customizing the ruleset. For a simple example, one may not modify the “hosts” file in certain ways. TruPrevent is not the answer to this point 100% though, as what they are really after is a checksum monitor like Tripwire.

Ok, that’s about it.

If anyone thinks I’m totally off target or has other ways of looking at this, please let me know!


is without doubt the hands-on management aspects of the whole suites.

Every month I read news, blogs and press releases from both vendors and independents on detection effectiveness. Sometimes these news items are about the accuracy of the vendors’ signatures, sometimes about the files the sigs missed, sometimes about the vendors’ brand new and shining behavioural analysis engines. But it is almost never about the technical management features of the products. What eventually makes the news in this aspect is either the new administration consoles that pop up every two to three years or something failing in a spectacular fashion.

That kind of information is not really as newsworthy as a remedy to the latest threat, but one thing is for sure and that is that it doesn’t matter how good the detection ratios are if the client protections remain unmanaged, defunct or unlicensed.

Most of the time this is not a problem in larger networks where the appropriate funds and technical resources have been allocated, but if you review smaller companies or organizations (<500, sometimes larger) without dedicated security management you will often find problems.

The problems range from client communication malfunctions to management servers dropping dead for no particular reason. Often these issues require human interaction to resolve and this in turn increases the IT services overhead. Sometimes this happens with our (Panda Security’s) solutions and sometimes with other vendors’ (I consult for another company in the PCM Group and meet a lot of different environments).

I’m not saying this is the AV vendors fault, as it often turns out to be erroneous customer configurations and/or secondary system malfunctions (thank you Microsoft for your most excellent AD/DHCP/DNS solutions, thank you).

My point is that these problems, from a software point of view, should be a calculable risk.

People will make mistakes. People will be incompetent. People will be lazy. People will “install and forget”. People will be People. And we should be better at understanding and counteracting these factors.

The latest versions of Panda AdminSecure have some of this in functions that repair failing client protections automatically, but it surely is not enough. People should not be able to set permissions or deactivate policies that might be a danger to the protection functioning without some serious alarm bells going off. People should not be able to set up firewall policies that cripple the required communication, and by that degrade the level of protection, without the central management consoles showing large red flashing screens. If a Microsoft patch does something which might disrupt, or does disrupt, the correct functioning of any server component, the management tools should be able to tell the administrators this in a reliable fashion.

Surely there are those that think that this is complete bullshit and have the “if they’re morons and fail, plz let them burn” attitude. These people are ignorant of the overall picture and do not understand the underlying problem.

If there were no unprotected clients (protection not installed or malfunctioning), there would be a much smaller market for “corporate” malware creation. One effect of this is less money for the bad guys. Less money for the bad guys means they have less money to spend on maintaining and developing new malware.

And of course, Less malware development => good for all.

In conclusion,

Security systems are all about reliability. How come AVs are lagging on this particular point?

Users and less experienced technicians are unpredictable, but how hard can it be? We have built engines that can detect hostile code based on behavior, why not do the same to the admins ;)


… and now have their pages full of malware-infecting and object-dumping <iframe>s.

Tracking the iframes I found a series of different servers hosting the malware and exploits; the flow was as follows (a chain of hops from the inserted iframe through several intermediate pages to the exploit pages, of which one used the ANI exploit to download and run “x.exe”, another tried to load “zs.exe” as an object, several were unreachable at the time, and a couple were statistics counters).


The primary payload of these iframed pages seems to be “x.exe” and “zs.exe”. When dumping the strings from these executables (no obfuscation used) it becomes apparent that both are droppers for a whole bunch of malware files (possibly the same files, just recompiled/packed/encrypted for AV evasion). The downloads referenced in the files were:

  • hxxp://1.xqhgm.com/1.exe
  • hxxp://1.xqhgm.com/2.exe
  • hxxp://1.xqhgm.com/3.exe
  • hxxp://1.xqhgm.com/4.exe
  • and so on up to…
  • hxxp://1.xqhgm.com/24.exe

Files number “1” and “16” resulted in a 404 not found.

“23.exe” seems to be the same malware that I found some time back (see this post). As said in that post, the main infector does not want to run in my sandbox. As a result of that I have not yet been able to get the pcihdd.sys rootkit component, as I do not have a computer to “waste time restoring” atm. If someone would like to infect themselves, contact me for a sample ;)

Another thing linking this infection to the other that I found is the use of the same stats engine, hxxp://s30.cnzz.com/.

Cheers and stay safe !
