Category Archives: Stupid malware tricks

Most malware in circulation are Trojans, and resort to some form of trickery in order to get themselves executed. Sometimes these tricks are, well, dumb, don’t work, or otherwise find themselves worthy of derision and mockery. These are their stories. (DUM DUM!)

How not to install Adobe Flash Player

Posted on by

By Dan Para

It seems simple enough, I want to install Adobe Flash Player so I search for “flash player download and click on the first result, right?

search1

Ignoring the second link which doesn’t have a five star rating and 37 reviews, I’m brought to a page called downloadinfo.com.

downloadinfo

I click the download button, click through the download dialog box and run dialog box, come to the Optimum Download screen for my Free Flash Player. Click.

optimum downloaderLet’s see what this installs. First up is RealPlayer. Click.

realplayerNext up is some program called Solid Savings. Click.

Solid Savings

Then something called Unit Layers. Click.

Unit Layers

That seems like a lot of software to install in order to get my Adobe Flash Player, but we’re not done yet, here’s something called Optimizer Pro. Click.

Optimizer Pro

Okay, now we’re finally installing…

Installing

Now RealPlayer, which was bundled with Flash Player wants to install the Google Toolbar? A bundle within a bundle? Okay… Click.

Google Toolbar

I should have my Flash Player any moment now… Wait a minute. VLC media player? Where’s the Adobe Flash Player I started out downloading?

VLC Player - what

Okay, VLC media player will play flash files, but I really expected to be getting Adobe Flash Player (Seriously, while I was doing this I was hoping this was one of the “download managers” that actually downloads and installs the actual Adobe Flash Player along with all of this other software. I was surprised and disappointed to get VLC media player instead.) The link I had clicked on initially displayed it’s URL as adobe-flash-player.downloadinfo.co/ and included the text “Install AdobeFlash Player Now” so you would think that link would get you Adobe Flash Player, but no, it was just a misleading ad that appeared as the top result on the search page that led to a “download manager” which bundled a bunch of additional software along with VLC media player, which can be downloaded for free. The downloadinfo.com website even had fine print stating that “This software may be available free elsewhere” which was hyperlinked to the download page for VLC media player!

optional software included

So how should you install Adobe Flash Player? Or any other software for that matter? In this case I could have clicked on the second link which would have brought me directly to the download page for Adobe Flash Player (and unchecked the box to opt-out of installing McAfee Security Scan Plus of course.) In general we recommend downloading software directly from the software company’s website whenever possible, otherwise you could end up installing all sorts of additional, potentially unwanted software along with the free software that you wanted to download – or even a completely different program like I just did.

Webroot’s Threat Blog Most Popular Posts for 2012

Posted on by

By Dancho Danchev

It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.

Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?

Let’s find out.

Continue reading

Cybercriminals generate malicious Java applets using DIY tools

Posted on by

By Dancho Danchev

Who said there’s such a thing as a trusted Java applet?

In situations where malicious attackers cannot directly exploit client-side vulnerabilities on the targeted host, they will turn to social engineering tricks, like legitimate-looking Java Applets, which will on the other hand silently download the malicious payload of the attacker, once the user confirms he trusts the Applet.

Let’s profile a DIY (do-it-yourself) malicious Java Applet generator currently available for download at selected cybercrime-friendly online communities:

Continue reading

Morto Worm Annoyances Outstrip Functionality

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The past couple of days have been very busy for a lot of people, following the announcement by Microsoft that they had discovered a new network worm called Morto. After reading the refreshingly thorough writeup about Morto from both Microsoft and our partner Sophos, we were surprised to find that a few of our customers had been infected — and cleaned up — beginning with some poor schlub in South Africa as early as July 23rd, but the worm kicked into high gear last Thursday and began to propagate rapidly.

But, as much as the technical details in these posts are useful for researchers and analysts, they don’t really get to the heart of how a user of an infected computer would be affected by the worm. So, after spending a bit of time infecting some of my own machines these past couple days, I wanted to share my hands-on experience with you.

Bottom line, the worm was written to spread to (and infect) the computers run by people who don’t take security seriously: It copies itself to other computers by trying to Remote Desktop into those computers using a list of what can only be described as completely moronic passwords (the full list is on Microsoft’s technical writeup about the worm). The repurcussions are that people (or companies) who use poor quality, easily guessed passwords have been (or are going to get) spanked by Morto, and then they’ll be really irritated at the (reversible but obnoxious) changes the worm makes to the behavior of the infected computer.

Continue reading

Trojans Employ Misdirection Instead of Obfuscation

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

An unusual family of Trojans, apparently of Chinese origin, engages in rootkit-like behavior which seems designed not to hide the presence of the malware on an infected system, but to misdirect or confuse a technical person who might be using system analysis tools on an infected computer.

The Trojans all originated from a server operated by a free Web host in China, and each sample we tested sent profiling data about the infected system to a command-and-control server located on yet another free Web host, also located in China. It appears to have capabilities to receive instructions to download other components, and it scans the system for antivirus products commonly available in China, including products made by Qihoo 360, China’s largest homegrown antivirus company.

But the most interesting aspect of the Trojans was how it managed to fool most of the free tools someone might use to monitor running programs. The Trojan shows up in the list of active programs, but when that list includes a full path to the running executable, that path points at a nonexistent file supposedly in another location. Continue reading

Black Hat Redux: Botnet Takedown Mistakes to Avoid

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

FireEye's Lanstein and Wolf speak at Black Hat

I’ve worked in the security industry for nearly five years, and it was apparent early on that the most successful people in this field bring to their work a passion and a commitment to protecting not only one’s customers, but to providing a certain level of information about security threats to the world at-large, so even your non-customers can help or protect themselves.

It can be hard to know where to stop once you get on a roll. Malware infections frequently lead to unexplored, interesting backwaters on the Internet. And, sometimes, those backwaters are where the criminals run those operations. When I stumble upon a criminal network or a botnet controller, it simply doesn’t feel like I’ve done enough when I merely add signatures which block or remediate infections and communications with a command-and-control server from Webroot customers. If malicious behavior depends on one or more Internet sites that send instructions, my (and many others’) initial reaction is we need to shut that down, permanently. But sometimes, a too-rapid reaction can blow back in your face.

Obviously, that was also the case when Alex Lanstein and Julia Wolf of internet security firm FireEye stumbled upon the Rustock botnet. At one time, before law enforcement in several countries swooped in on the data centers hosting the botnet’s command-and-control (CnC) infrastructure in a coordinated raid earlier this year, the massive network of Rustock-infected computers was responsible for about half of spam flooding the ‘net. The researchers’ instincts to engineer a takedown of the botnet sounded very familiar, but their initial attempts to do so backfired, and may have even spurred the malware developers to change their game, and may have made it more difficult, eventually, to eliminate the CnC altogether.

Continue reading

New Tool Released: Kiss (or Kick) ZeroAccess Goodbye

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

There are fewer types of malware infections more frustrating and annoying than a rootkit with backdoor capabilities. Over the past couple of years, we’ve seen the emergence of this new, tough-to-fight infectious code, and its transformation from nuisance to severe threat.

With the hard work and perseverance of Threat Research Analyst and master reverse-engineer Marco Giuliani, we’re proud to release the latest build of a tool we’ve used internally to clean the infections from the notable ZeroAccess rootkit off of victims’ computers. AntiZeroAccess exploits many of the vulnerabilities that Marco discovered in the rootkit to cleanly remove the rootkit code from infected machines.

The free tool removes the rootkit but does not restore the Access Control Lists (ACLs) that have been modified by the rootkit. For that, you’ll probably want to use a free tool like SetACL, which can make software functional that ZeroAccess disabled by modifying its ACL.

This Week: Black Hat Coverage

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

As I do every year, I’ve deliberately traveled to the most inhospitable climate zone in the continental US — that is, the city of Las Vegas — to attend the elite technical conference known as the Black Hat Briefings.

Black Hat is not just a technical conference, but a kind of calling for its attendees, which brings together experts in computer security, privacy, and attacks with high level officials in government and industry. In this rarefied environment, the security industry and its benefactors share information, tools, and techniques that help the entire industry coordinate their work against the interests of criminals, spies, and the vast numbers of Internet ne’er-do-wells.

I’ll be reporting from the conference about cool tools, new information about attacks, and deep analysis of malware all week. On Friday, the conference switches gears to become Defcon, which is a little less formal, a little less businesslike, and a lot more chaotic and interesting. Stay with us this week as we cover the most interesting conference in the security world.

Brazilian “Winehouse” Trojan Sends Hotmail, Bank Passwords to China

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Amy Winehouse malware steals bank & Microsoft passwords and sends them to ChinaLate Monday, after news about the death of troubled pop singer Amy Winehouse had been circling the globe for a little more than 48 hours, we saw the first malware appear that used the singer’s name as a social engineering trick to entice victims to run the malicious file. Abusing celebrity names, news, or even deaths isn’t a new (or even particularly interesting) social engineering tactic, but there was one unique aspect to this particular malware’s behavior that raised some eyebrows around here: It appears that Brazilian phisher-Trojan writers seem to be working more closely with their Chinese counterparts, using servers in China as dead drops for their stolen goods.

The widely-reported case of the malware campaign continues to distribute new, randomized files via a download link managed through a dynamic DNS service, more than a week on. The file’s name, in Portugese, (“103684policia-inglesa-divulga-fotos-do-corpo-da-cantora-amy-winehouse-WVA.exe“) translates roughly to English police divulge photos of singer Amy Winehouse’s corpse, but victims who open this file are only going to see their computer become compromised.

The malware modifies the Hosts file in Windows to redirect traffic from 78 different Web sites — the vast majority of which are Brazilian banks and finance sites such as e-gold, with the rest being American Express, and Microsoft‘s Brazilian and US domains for Hotmail, Live, and MSN — to one of 9 IP addresses, almost all of which point to servers hosted in Chinese networks. One oddball outlier IP address in the modified Hosts file list points to an IP address belonging to the network operated by the Ford Motor Company, but that IP address was not allocated to an operational server when I did some tests.

Continue reading

Criminals Abuse Amazon Hosting with Rogues, Ransomware

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

The criminals who push rogues at the world don’t really care about the reputations of the ISPs or Web hosting services they abuse. They leap from free service to free service until they’ve thoroughly worn out their welcome and, in some cases, destroyed the reputation of the service they abused. But they have behaved in one predictable way over the years: They’re stingy, and won’t pay for anything unless it’s absolutely necessary, despite the fact that they’re raking in cash by the boatload.

But that seemed to change this week when we saw a number of Web sites pop up on the radar. The sites employ the now well-worn scam of pretending to be some sort of video streaming service. In this case, they pretended to be a porn site, but the most surprising part was not what was hosted, but where: Amazon’s Cloudfront hosting service ended up, temporarily for a few hours, serving up malicious Web pages. Amazingly, it seems they actually paid for hosting instead of just stealing it.

Amazon shut the sites down quickly, but before they did, we visited one site called xrvid-porno.com. The page isn’t exactly family friendly, but the gist of the scam is that that page eventually redirected the browser to a server inside of Amazon’s cloud hosting service, and that’s where the trouble began.

Continue reading