Seasonal Malwares and other trends
Seasonal malware is not a new thing; remember Bin Laden's emails, "see the pictures of Bin Laden being arrested"...:) But recently I started to see some really interesting ones...
- At the end of 2005, the most common malware samples were named <something>2006.exe/.scr, like greeting cards wishing a very happy 2006...:)
Some examples:
felizanonovo2006.UOL.scr-9ac416ab6f2da444c4dcba8750ff31d4 BehavesLike:Trojan.Downloader
terra2006.scr-81cab96a398d4399c8dd444d107a03e2 Win32.Worm.VB.AR
cartao2006.scr-112785080ab88f639ed77ef7c963355e Trojan.Downloader.Delf.QZ
Cartoes2006.exe-0fd8e5dc41e6b6a74046fb2a34045d90 Trojan.Banker.Delf.8B54173E
fefe2006.exe-e6791a1c8525c778ccb2eabb53423ed4 Win32.Parite.B
feliz2006.exe-a25f1cca2ae0d210eb28600403c1a894 Trojan.Downloader.Banload.V
feliz2006.scr-96ba8bfefe94baf8eaa533921715cf06 Trojan.Banker.VB.4616C390
Sometimes, if you check the MD5 hash, you will notice that something that appears to be a new sample is in fact an old one, renamed to something more current...
Another example: a new season of the reality show Big Brother was about to start in Brazil in January 2006; it was called Big Brother Brazil 6. So we started to see emails saying that if you filled in the 'form' you would get a chance to be part of the show:
BBB6.exe suspected: GenPack:Generic.Malware.Sdld.91FA0809
One more? OK, today is January 23, and here in Brazil we are about one month before our Carnival, which is a big party here... So, guess what:
carnaval-previnido.scr-3f1476def1dadd57f54658aae6710acc suspected: BehavesLike:Trojan.Downloader
Another interesting trend that I am observing is the use of .cmd extensions.
www.convitedoorkutpravoce.cmd-2924df691a9fe38ec1bdfd1bfabf1ad5 Trojan.Downloader.Banload.AL
www.fernandapaesleme.com.br.cmd-a3aedc0d95549e086e5c4a89956923f7 Trojan.Downloader.Delf.CI
But what is a .cmd extension? That's a question that I asked in my Malware Analysis Quiz 3:
"On Windows OSes, files with the "cmd" extension are generally scripts passed to the cmd.exe command interpreter for execution. They are very similar to the (older) ".bat" files, used since the days of DOS for scripting and interpreted by command.com, but the different extension indicates slightly updated syntax/capabilities associated with cmd.exe."
And to finish our update on the malware world: hacking websites or using free hosting sites to host malware is still happening, but I am seeing more and more malware hosted on file-sharing websites, e.g. rapidupload.com, zupload.com..., which are rather more difficult to take down...
For example: http://z13.zupload.com/file.php?filepath=<removed>
If you want to take a look at my personal zoo, you can check it here. In this zoo I try to keep malware samples with unique MD5 hashes.
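As an added example (not code from this diary or from the ISC), here is a small Python script that applies two of the checks discussed above to a constructed sample zoo: grouping files by MD5 to spot an old sample that was only renamed, and flagging executable extensions such as .scr and .cmd whose names imitate a web address or a seasonal greeting. All filenames and file contents below are constructed, not real samples.

```python
import hashlib
import re
from collections import defaultdict

# Extensions Windows executes on double-click; .scr and .cmd are the ones
# the diary calls out (.cmd goes to cmd.exe, .scr is a screensaver binary).
RISKY_EXT = {".exe", ".scr", ".cmd", ".bat", ".com", ".pif"}

# Constructed sample "zoo" (filename -> bytes). Not real malware: two files
# share the same bytes under different names, like an old sample renamed.
ZOO = {
    "cartao2006.scr": b"MZ\x90\x00sample-A",
    "feliz2006.scr": b"MZ\x90\x00sample-A",          # same content as above
    "carnaval-previnido.scr": b"MZ\x90\x00sample-B",
    "www.convitedoorkutpravoce.cmd": b"@echo off\r\nrem constructed\r\n",
    "notes.txt": b"plain text",
}

def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def group_by_hash(zoo):
    """Map MD5 -> sorted filenames sharing that exact content."""
    groups = defaultdict(list)
    for name, data in zoo.items():
        groups[md5_of(data)].append(name)
    return {h: sorted(names) for h, names in groups.items()}

def renamed_duplicates(zoo):
    """Groups with more than one name: an old sample under a new name."""
    return [names for names in group_by_hash(zoo).values() if len(names) > 1]

# Lure patterns from the diary: names that look like a web address, and
# seasonal words (new year 2006, greeting cards, Carnival, BBB6).
URL_LIKE = re.compile(r"^(www\.|[a-z0-9-]+\.(com|net|org|br)\b)", re.I)
SEASONAL = re.compile(r"(2006|feliz|cart(ao|oes)|carnaval|bbb\d)", re.I)

def classify_name(name: str) -> list:
    """Flags a filename earns from its extension and lure-style naming."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    flags = []
    if ext in RISKY_EXT:
        flags.append("executable-extension")
        if URL_LIKE.match(name):
            flags.append("url-lookalike")
        if SEASONAL.search(name):
            flags.append("seasonal-lure")
    return flags
```

Running `renamed_duplicates(ZOO)` on the constructed zoo returns the pair of identical files, and `classify_name` marks the URL-shaped .cmd name separately from the seasonal .scr lures.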
Btw, did you update your AV for Nyxem.E?? Check it twice... you don't want to lose your .doc, .xls and .ppt files... right?
------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org )