SANS ISC InfoSec Handlers Diary Blog

Seasonal Malwares and other trends

Published: 2006-01-24
Last Updated: 2006-01-24 18:55:00 UTC
by Pedro Bueno (Version: 1)

Seasonal malwares are not a new thing; remember the Bin Laden emails "see the pictures of Bin Laden
being arrested"...:) but recently I started to see some really interesting ones...

- At the end of 2005, the most common malwares were named <something>2006.exe/scr... like greeting
cards wishing a very happy 2006...:)

Some examples:
felizanonovo2006.UOL.scr-9ac416ab6f2da444c4dcba8750ff31d4      BehavesLike:Trojan.Downloader
terra2006.scr-81cab96a398d4399c8dd444d107a03e2          Win32.Worm.VB.AR
cartao2006.scr-112785080ab88f639ed77ef7c963355e         Trojan.Downloader.Delf.QZ
Cartoes2006.exe-0fd8e5dc41e6b6a74046fb2a34045d90         Trojan.Banker.Delf.8B54173E
fefe2006.exe-e6791a1c8525c778ccb2eabb53423ed4             Win32.Parite.B
feliz2006.exe-a25f1cca2ae0d210eb28600403c1a894             Trojan.Downloader.Banload.V
feliz2006.scr-96ba8bfefe94baf8eaa533921715cf06             Trojan.Banker.VB.4616C390

Sometimes, if you check the md5 hash, you will notice that some that appear to be new are in fact old ones that were renamed to something more current...

Another example: a new season of the reality show Big Brother was about to start in Brazil in January 2006; it was called BigBrotherBrazil 6. So, we started to see some emails saying that if you filled in the 'form' you would get a chance to be part of the show:

BBB6.exe  suspected: GenPack:Generic.Malware.Sdld.91FA0809

One more? Ok, today is January 23, and here in Brazil we are about 1 month before our Carnival, which is a big party here... So, guess what:

carnaval-previnido.scr-3f1476def1dadd57f54658aae6710acc suspected: BehavesLike:Trojan.Downloader

Another interesting trend that I am observing is the use of .cmd extensions.

www.convitedoorkutpravoce.cmd-2924df691a9fe38ec1bdfd1bfabf1ad5         Trojan.Downloader.Banload.AL
www.fernandapaesleme.com.br.cmd-a3aedc0d95549e086e5c4a89956923f7     Trojan.Downloader.Delf.CI

But what is a .cmd extension? That's a question that I asked in my Malware Analysis Quiz 3:
"On Windows OSs, files with the "cmd" extension are generally scripts passed to the cmd.exe command interpreter for execution. They are very similar to the (older) ".bat" files, used since the days of DOS for scripting and interpreted by command.com, but the different extension indicates slightly updated syntax/capabilities associated with cmd.exe"

And to finish our update on the malware world, hacking websites or using free hosting sites to host malware is still happening, but I am seeing more and more malwares hosted on file-sharing websites, e.g. rapidupload.com, zupload.com..., which is kind of more difficult to take down...

For example: http://z13.zupload.com/file.php?filepath=<removed>

If you want to take a look at my personal zoo, you can check it here. In this zoo I try to keep malwares with unique md5 hashes.
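Keeping one zoo entry per MD5 and flagging a sample that comes back under a new seasonal name, as an added example (not the diary's own code or the handler's zoo tooling); the filenames and sample bytes below are constructed placeholders.

```python
import hashlib
# Added example (not from the diary): a tiny malware-zoo index keyed by MD5,
# one entry per unique hash, as the handler describes for his zoo.
# Sample bytes below are constructed placeholders, not real malware.


class Zoo:
    def __init__(self):
        self.by_md5 = {}   # md5 hex digest -> {"names": [...], "detection": str}

    def add(self, filename, data, detection=""):
        """Index a sample by content hash; say whether it is new or a rename."""
        digest = hashlib.md5(data).hexdigest()
        entry = self.by_md5.get(digest)
        if entry is None:
            self.by_md5[digest] = {"names": [filename], "detection": detection}
            return "new", digest
        # Same bytes under a different name: the "old one renamed to
        # something more current" case the diary mentions.
        if filename not in entry["names"]:
            entry["names"].append(filename)
        return "renamed", digest

    def aliases(self, digest):
        return list(self.by_md5[digest]["names"])


def triage(zoo, submissions):
    """Run (filename, bytes, detection) tuples through the zoo, one report line each."""
    report = []
    for name, data, det in submissions:
        status, digest = zoo.add(name, data, det)
        if status == "new":
            report.append(f"{name} {digest} NEW {det}")
        else:
            others = [n for n in zoo.aliases(digest) if n != name]
            report.append(f"{name} {digest} RENAMED (also seen as {', '.join(others)})")
    return report


# Constructed batch: the New Year "sample" returns byte-for-byte identical under a
# Carnival-themed name; only the third file is genuinely new.
SUBMISSIONS = [
    ("feliz2006.scr", b"CONSTRUCTED-SAMPLE-A", "Trojan.Downloader"),
    ("carnaval2006.scr", b"CONSTRUCTED-SAMPLE-A", "Trojan.Downloader"),
    ("bbb6.exe", b"CONSTRUCTED-SAMPLE-B", "Generic.Malware"),
]

if __name__ == "__main__":
    for line in triage(Zoo(), SUBMISSIONS):
        print(line)
```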

Btw, did you update your AV for Nyxem.E?? Check it twice... you don't want to lose your .doc, .xls, .ppts... right?

------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org )