Some MySpace profiles hit with a Web attack
Posted by Robert Vamosi
At some point within the last week, some MySpace user pages were seeded with malicious computer code. The malicious code seeks to exploit Microsoft Windows and Internet Explorer using recently patched security holes; the hope is that you haven't patched your computer yet. If you're a MySpace visitor and you visit one of the infected pages, you'll be redirected to a fake MySpace log-in page aiming to steal your MySpace user name and password. The attack employs phishing and drive-by download techniques.
Found 2 Chinese malware FTP servers.
Happy malware hunting.
Didn't do a detailed analysis of this, but it seems to be using BITS to download other malware (which was reported last month, iirc).
The new version of our malware processing back end is coming along well. We're deep into testing it and are going to start with an expanded private beta test for all invited users. Hopefully the interface will make it even easier to upload files and content to our system. Here is a small feature list that will be included in our new release:
- We will accept non-PE files. This has been a big request.
- Better submission system. Now you can zip, rar, and tar files to be submitted to our scanning system.
- Email submissions with automatic scanning
- Better antivirus scans
- Tagging system so you can add notes to specific samples
- Improved packer detection
- More modular code framework for future growth
- 3x as many samples
Bear with us as we make the transition to the new system and, as always, let us know about bugs.
Tom Liston and Ed Skoudis have written a clean paper about how to detect a virtual machine and some possible methods for preventing it from being detected.
I just think this was requested on some page some time ago ... and if this is not the one, sorry :P
Uploaded, no password, nothing else to say ...
Here is an example of the new Mpack malware that has been gaining momentum recently. Mpack gained notoriety as it is a commercial tool being distributed for pay. It is purported to attack MS06-014, MS06-006, MS06-044, and the XML, WebViewFolderIcon, WinZip ActiveX and QuickTime overflows. SANS ISC and Verisign/iDefense have an email that has been circulating about this. The further commercialization of malware is continuing on both sides of the confrontation.
Tavis Ormandy of Google has written a paper on the effect of running hostile code on virtual machines. This is a good paper, and shows that even with VMs you can't be sure that code will be safe.
"As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environments."
This small IDAPython script scans an idb file for class and interface UUIDs and creates the matching structure and its name. Unfortunately IDA doesn't do this automatically, hence this little helper. It personally helped me a lot while reversing several malware samples using the COM interface, e.g. for browser or Outlook manipulation, BITS file transfer or dumping the protected storage. The script was tested with IDAPython v0.9.0 and Python 2.4. Make sure to copy interfaces.txt + classes.txt + ClassAndInterfaceToNames.py to IDADIR, e.g. C:\Program Files\IDA
Just watch the howto movie for usage.
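To show the idea behind that script outside of IDA, here is an added Python example; it is not the script from the post and does not use IDA's API. It serializes GUID strings into the Windows in-memory GUID layout (Data1/Data2/Data3 little-endian, Data4 as-is), scans a byte blob for known interface IDs, and emits the matching C struct definition that an analyst would want attached to each hit. The two-column GUID/name table format, the `KNOWN_GUIDS` table and the `SAMPLE_BLOB` bytes are assumptions constructed for this example; the real interfaces.txt/classes.txt layout is not shown on the page.

```python
import struct
import uuid
from typing import Dict, List, Tuple

# Constructed name table in the "GUID<TAB>name" shape this example assumes.
# Both GUIDs are the well-known IIDs for IUnknown and IDispatch.
KNOWN_GUIDS = """
00000000-0000-0000-C000-000000000046\tIID_IUnknown
00020400-0000-0000-C000-000000000046\tIID_IDispatch
"""


def guid_to_bytes(text: str) -> bytes:
    """Serialize a GUID string into its in-memory Windows layout.

    Data1 (uint32), Data2 (uint16) and Data3 (uint16) are stored little-endian;
    Data4 (8 bytes) is stored exactly as it appears in the textual form.
    """
    g = uuid.UUID(text)
    head = struct.pack("<IHH", g.time_low, g.time_mid, g.time_hi_version)
    return head + g.bytes[8:]


def load_guid_table(text: str) -> Dict[bytes, str]:
    """Parse the assumed two-column table into {raw 16-byte GUID: name}."""
    table: Dict[bytes, str] = {}
    for line in text.strip().splitlines():
        guid, name = line.split("\t")
        table[guid_to_bytes(guid)] = name
    return table


def scan_for_guids(blob: bytes, table: Dict[bytes, str]) -> List[Tuple[int, str]]:
    """Return (offset, name) for every known GUID found in the blob."""
    hits: List[Tuple[int, str]] = []
    for raw, name in table.items():
        start = 0
        while True:
            idx = blob.find(raw, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1  # keep going: the same IID may appear several times
    return sorted(hits)


def guid_struct_definition(name: str, raw: bytes) -> str:
    """Render a raw GUID as the C initializer an analyst would paste into notes."""
    d1, d2, d3 = struct.unpack_from("<IHH", raw)
    d4 = ", ".join(f"0x{b:02X}" for b in raw[8:])
    return f"const GUID {name} = {{0x{d1:08X}, 0x{d2:04X}, 0x{d3:04X}, {{{d4}}}}};"


# Constructed stand-in for a data section: filler, IID_IUnknown at offset 5,
# three padding bytes, IID_IDispatch at offset 24, then trailing filler.
SAMPLE_BLOB = (
    b"\x90" * 5
    + guid_to_bytes("00000000-0000-0000-C000-000000000046")
    + b"\x00" * 3
    + guid_to_bytes("00020400-0000-0000-C000-000000000046")
    + b"\xCC" * 4
)


def demo() -> List[Tuple[int, str]]:
    """Scan the constructed blob with the constructed table."""
    return scan_for_guids(SAMPLE_BLOB, load_guid_table(KNOWN_GUIDS))


if __name__ == "__main__":
    table = load_guid_table(KNOWN_GUIDS)
    for offset, name in demo():
        print(f"0x{offset:04X}  {name}")
        print("        " + guid_struct_definition(name, SAMPLE_BLOB[offset:offset + 16]))
```

Scanning every offset rather than only 4-byte-aligned ones costs little on a data section and avoids missing GUIDs embedded in packed or hand-built structures; in IDA the same hits would be turned into named 16-byte structures at each offset.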
I need a sample of Perlovga, a file infector of flash memory and others, to test a new removal tool.