Pwstealers - evolution

Published: 2005-10-05
Last Updated: 2005-10-05 21:45:43 UTC
by Pedro Bueno (Version: 1)

While reading Mike's great story from yesterday's diary, I thought about posting this little story about my observations of Password Stealers, also known as PWstealers.

I have been watching this kind of malware for some time. I don't have exact numbers, but I am pretty sure that Brazil is one of the most targeted countries for this kind of scam...

I can currently distinguish four kinds of pwstealers:

    - The keyloggers/screenloggers
    - The fake bank windows
    - Fake Bank webservers
    - The downloaders

The keyloggers/screenloggers detect the bank URLs, try to capture as much of the available information as possible, and then send it to an email address. I already found a compromised machine that was hosting hundreds of directories, one per victim machine, each containing hundreds of small images of the user clicking, taken to find his/her passwords...

The fake bank windows are a funny one... whenever it detects the bank URLs, it calls IE with a fake website of the bank that you typed. :) The funny part was that, not rarely, the fake websites were outdated and had some strange graphics... The user was supposed to fill in all the fields, and then the window would close with an (also fake) error message... :)

The fake bank webservers are quite interesting. This malware installs a webserver on the machine and changes the hosts file to redirect a specific bank domain to localhost, which would then be serving the bank's homepage, right? :)
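The hosts-file trick in the third kind above is easy to check for from the defender's side. The following is an added example, not code from the original diary: it parses a hosts file and flags any non-local hostname that has been pointed at a loopback address, plus any domain from a watchlist that has been pinned in the file at all. The sample hosts content is constructed for the example, and the bank domain names in it are hypothetical placeholders.

```python
import ipaddress

# Constructed sample, not a capture from a real machine. Line 4 is the hijack
# the diary describes (a bank domain pointed at 127.0.0.1 so the malware's
# local webserver answers for it); the other entries are ordinary.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       www.examplebank.example    # hypothetical bank domain
192.168.0.1     router.lan
10.0.0.5        internetbanking.example.test
"""

# Hypothetical watchlist: the bank domains a victim in this diary's scenario
# would normally reach via DNS, so any hosts-file entry for them is suspect.
WATCHLIST = ("examplebank.example", "internetbanking.example.test")

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost",
    "ip6-loopback", "broadcasthost",
}


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments after '#' are stripped and lines whose first field is not an
    IP address are skipped, which matches how the resolver treats the file.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_hijacks(text, watchlist=()):
    """Return (line_number, hostname, address, reason) for suspicious entries."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback:
            findings.append((lineno, name, str(addr),
                             "non-local hostname mapped to loopback"))
        elif name in watch or any(name.endswith("." + w) for w in watch):
            findings.append((lineno, name, str(addr),
                             "watched domain pinned in hosts file"))
    return findings


def scan_hosts_file(path, watchlist=WATCHLIST):
    """Run the check against a real hosts file, e.g.
    /etc/hosts or C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read(), watchlist)


if __name__ == "__main__":
    for lineno, name, addr, reason in find_hijacks(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {lineno}: {name} -> {addr} ({reason})")
```

On the constructed sample this reports line 4 (bank domain sent to loopback) and line 6 (a watched bank domain hard-wired to a non-loopback address, which is the same trick pointing at an attacker-controlled host instead of the local webserver); the router entry and the localhost entries are left alone.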

The fourth one is quite obvious, and sometimes even I am not sure if I would put it in the same category (pwstealers). But I am including it because these ones are specific to pwstealers. These downloaders usually contact a free hosting site and download a piece of one of the three kinds above...!

Another thing I am observing is that they are changing the way the code is packed... recently they have been changing the kind of packer used to more powerful ones... more difficult to reverse...

Well...that's it!

Ah, if you are following my malware analysis quiz, I posted the results of the first one last Friday and have already put up the new one, for which answers should be sent no later than Oct 15. :) I hope that you are having as much fun as I am! :) I am already getting some really great answers!

signing off...
Handler on Duty: Pedro Bueno - pbueno $$ ( isc. sans. org )

CME was officially launched

Published: 2005-10-05
Last Updated: 2005-10-05 17:54:11 UTC
by Pedro Bueno (Version: 1)
Some days ago, our handler Donald Smith wrote about how "US-CERT, the U.S. Computer Emergency Readiness Team, will begin issuing uniform names for computer viruses, worms and other malicious code next month, as part of a program called the Common Malware Enumeration initiative."

Today US-CERT and MITRE released the CME, the Common Malware Enumeration, in a document called "Common Malware Enumeration Initiative Now Available". As it is supported by a board of anti-virus vendors, I believe that this initiative is really great and hope that it will be adopted by all the vendors as well, so we could also have more accurate numbers about virus variants.

This initiative seeks (according to the document) to:
  • Reduce the public's confusion in referencing threats during malware incidents
  • Enhance communication between anti-virus vendors
  • Improve communication and information sharing between anti-virus vendors and the rest of the information security community
Handler on Duty: Pedro Bueno - pbueno $ ( isc . sans. org)

Big Business surrounding Internet Fraud

Published: 2005-10-05
Last Updated: 2005-10-05 14:04:40 UTC
by Mike Poor (Version: 1)
In yesterday's diary, William Salusky posted information about his battle (and beef) with a very well organized Mitglieder proxynet.  One of our avid readers posted the question of "How big is the Internet Fraud Business, and how organized is it?"

I highly recommend reading Spam Kings ( ) on the specific topic of how the Spam business works.  On the other hand, we have marginal businesses and organized crime participating in the electronic boom as well.

DDoS for Hire:  These are the hired guns of the internet.  They will offer to knock competitors off the internet for a sum of money.  The most famous of these cases revolves around Jay Echouafni, who was the CEO of TV retailer Orbit Communications.  He paid a group of underground computer criminals to DoS his competitors offline.  The series of outages cost an estimated $2 million in damages.  There is a great read on this at Security Focus ( ).

DDoS for Ransom: This is the online version of an extortion racket.  I've seen this up close and personal when clients receive an email requesting that payment be made or they will be knocked off the internet.  One of the most famous cases here was of an online casino based out of Costa Rica.  When they were first contacted, the sum of money being requested seemed reasonable to the site owner.  He paid it.  Never, ever, ever, ever, ever... give in to these people.  First he paid approximately $500 for protection.  The following week, the request was a tad higher... $40K.  The site owner requested help from the Costa Rican Police, from the FBI and other law enforcement agencies.  He did not receive the help (perhaps the feds did not like the idea of offshore gaming).  He finally enlisted the help of a security consultant who analyzed the data and traced the attacks back to an RCM (Russian Cyber Mafia, for those in the know).

Phishing Phraud:  No, don't worry, I'm not going to go on a long tirade of words with PH's.  We are all familiar with this field of online crime.  Jacomo Piccollini, from the Brazilian Research Network, gave a fantastic talk at a conference I recently attended.  His topic was the Brazilian underground.  One of the points he made was that Brazilian web defacement groups (of which Brazil happens to be world champion) were being hired by phishing groups to provide hosting of the phishing support sites on the defaced web servers.  Some of the programmers working for the BCM (yes, Brazilian Cyber Mafia) were making $3K a month.  The sad point here is that 4 of these programmers ended up dead last year, execution style.

The internet has reinvented business as we know it, both for good and evil.  I would like to extend a big thank you to all the Internet Storm Center readers that submit information to us, and continue to battle evil one bit at a time.

Mike Poor    mike   at    intelguardians   d0t  com
Handler on Duty


Symantec Antivirus Scan Engine: Web Service Administrative Interface Buffer Overflow

Published: 2005-10-05
Last Updated: 2005-10-05 11:20:04 UTC
by Patrick Nolan (Version: 1)
iDEFENSE Labs has notified Symantec about a remotely exploitable buffer overflow vulnerability in the Symantec AntiVirus Scan Engine that can allow remote attackers to execute arbitrary code. The iDEFENSE Advisory says "A remote attacker can send a specially crafted HTTP request to the administrative Scan Engine Web Service on port 8004 to crash the service or execute arbitrary code."

Patch today folks.

Symantec's Advisory (with patch and mitigation information) states the "Risk Impact" is High. Affected versions listed are:

Product                                                          Version  Build  Solution
Symantec AntiVirus Scan Engine                                   4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine                                   4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for ISA                           4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for ISA                           4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Netapp Filer                  4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Messaging                     4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Netapp NetCache               4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Network Attached Storage      4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Bluecoat                      4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Caching                       4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Microsoft SharePoint          4.3      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Clearswift                    4.0      All    SAVSE 4.3.12
Symantec AntiVirus Scan Engine for Clearswift                    4.3      All    SAVSE 4.3.12

Non-Affected Product(s)

Product                                                          Version  Build
Symantec AntiVirus Scan Engine                                   4.1      All
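Two things a practitioner wants to know quickly from this advisory: whether a deployed build falls inside the affected set, and whether the administrative web service on TCP 8004 is reachable from networks it should not be. The following is an added example, not code from Symantec, iDEFENSE or the original diary. The build check is derived only from the table above (4.0.x and 4.3.x below 4.3.12 affected, the 4.1 line not affected); the reachability check is a plain TCP connect that sends no request, so it is an exposure check, not an exploit attempt. The throwaway local listener exists only so the check can be exercised offline and stands in for an exposed admin interface.

```python
import socket
import threading

FIXED_BUILD = (4, 3, 12)   # SAVSE 4.3.12, the solution listed for every affected product
ADMIN_PORT = 8004          # administrative Scan Engine web service port named in the advisory


def parse_version(text):
    """Turn '4.3.11' into (4, 3, 11); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_build(version):
    """True when a reported SAVSE build is in the advisory's affected set.

    Derived from the advisory table only: the 4.0 and 4.3 lines are affected
    until the 4.3.12 fix, the 4.1 line is listed as not affected, and
    anything else is outside the table and reported as not affected.
    """
    v = parse_version(version)
    if v[:2] == (4, 1):
        return False
    return v[:2] in ((4, 0), (4, 3)) and v < FIXED_BUILD


def admin_port_reachable(host, port=ADMIN_PORT, timeout=2.0):
    """TCP connect only: reports whether something answers on the admin port.

    Nothing is sent after the handshake, so this tells you the interface is
    exposed from where you run it, not whether it is vulnerable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_listener():
    """Start a throwaway listener on an ephemeral loopback port (a stand-in
    for an exposed admin interface) so the exposure check runs offline.
    Returns the listening socket, its port, and the accept thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass

    thread = threading.Thread(target=serve_one, daemon=True)
    thread.start()
    return srv, port, thread


if __name__ == "__main__":
    srv, port, thread = demo_listener()
    print(f"admin port {port} reachable: {admin_port_reachable('127.0.0.1', port)}")
    thread.join(timeout=5)
    srv.close()
    for build in ("4.0.3", "4.1.7", "4.3.11", "4.3.12"):
        state = "affected" if is_affected_build(build) else "not affected"
        print(f"SAVSE {build}: {state}")
```

Against a real deployment, call admin_port_reachable with the scan engine's address from a host outside the management network; if it returns True there, restricting 8004 at the firewall is the mitigation to apply alongside the 4.3.12 patch.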
