Seasonal Malware and other trends...
Seasonal malware is not a new thing; remember the Bin Laden emails ("see the pictures of Bin Laden being arrested")...:) But recently I started to see some really interesting ones...
- At the end of 2005, the most common malware samples were named <something>2006.exe/.scr, like greeting cards wishing a very happy 2006...:)
Sometimes, if you check the MD5 hash, you will notice that a sample that appears to be new is in fact an old one renamed to something more current...
Another example: a new season of the reality show Big Brother was about to start in Brazil in January 2006, called BigBrotherBrazil 6. So we started to see emails saying that if you filled in the 'form' you would get a chance to be part of the show:
BBB6.exe suspected: GenPack:Generic.Malware.Sdld.91FA0809
One more? Ok, today is January 23, and here in Brazil we are about one month before our Carnival, which is a big party here... So, guess what:
carnaval-previnido.scr-3f1476def1dadd57f54658aae6710acc suspected: BehavesLike:Trojan.Downloader
Another interesting trend that I am observing is the use of .cmd extensions.
But what is a .cmd extension? That's a question I asked in my Malware Analysis Quiz 3:
"On Windows OSs, files with the "cmd" extension are generally scripts passed to the cmd.exe command interpreter for execution. They are very similar to the (older) ".bat" files, used since the days of DOS for scripting and interpreted by command.com, but the different extension indicates slightly updated syntax/capabilities associated with cmd.exe"
And to finish our update on the malware world: hacking websites or using free hosting sites to host malware is still happening, but I am seeing more and more malware hosted on file-sharing websites, e.g. rapidupload.com, zupload.com... which is kind of more difficult to take down...
For example: http://z13.zupload.com/file.php?filepath=<removed>
If you want to take a look at my personal zoo, you can check it here. In this zoo I try to keep malware samples with unique MD5 hashes.
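The two hash checks mentioned above (spotting an old sample that only got a new seasonal name, and keeping a zoo keyed by unique MD5 with the `<name>-<md5>` file convention) as an added example; this is not the diary's or ISC's code, and the file names and byte contents below are constructed stand-ins, not real samples:

```python
"""Group samples by MD5 so renamed copies of an old binary are spotted,
and verify the '<original name>-<md5>' zoo naming convention.
Added example (not ISC code); all names and contents are constructed."""
import hashlib
from pathlib import Path


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the file contents, the identity key the zoo is organised by."""
    return hashlib.md5(data).hexdigest()


def index_samples(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each MD5 to the sorted list of file names carrying that content."""
    index: dict[str, list[str]] = {}
    for name, data in samples.items():
        index.setdefault(md5_hex(data), []).append(name)
    return {digest: sorted(names) for digest, names in index.items()}


def renamed_samples(index: dict[str, list[str]]) -> dict[str, list[str]]:
    """Only digests seen under more than one name: one old binary, several seasonal names."""
    return {digest: names for digest, names in index.items() if len(names) > 1}


def index_directory(zoo: Path) -> dict[str, list[str]]:
    """Same as index_samples, but over the regular files in a zoo directory on disk."""
    return index_samples({p.name: p.read_bytes() for p in zoo.iterdir() if p.is_file()})


def check_zoo_name(name: str, data: bytes) -> bool:
    """Zoo convention from the post: '<name>-<md5>'. True only when the trailing
    32-hex digest matches the contents (catches mislabelled or corrupted files)."""
    _stem, sep, digest = name.rpartition("-")
    return sep == "-" and len(digest) == 32 and digest == md5_hex(data)


# Constructed stand-ins: the "2006" greeting card and the Carnival screensaver
# share the same bytes, i.e. one old binary distributed under two seasonal names.
OLD_BINARY = b"MZ\x90\x00constructed-old-downloader"
NEW_BINARY = b"MZ\x90\x00constructed-bbb6-form"
SAMPLES = {
    "happy2006.scr": OLD_BINARY,           # constructed name
    "carnaval-previnido.scr": OLD_BINARY,  # name from the post, fake content
    "BBB6.exe": NEW_BINARY,                # name from the post, fake content
}

if __name__ == "__main__":
    for digest, names in renamed_samples(index_samples(SAMPLES)).items():
        print(digest, "seen as:", ", ".join(names))
```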
Btw, did you update your AV for Nyxem.E?? Check it twice... you don't want to lose your .doc, .xls and .ppt files... right?
Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org )
Jan 24th 2006