Archive for June, 2008

Antivirus industry 10 years ago

June 20th, 2008

From our friends at Ikarus. In the last Virus Bulletin I got a t-shirt from them with this picture on it, but forgot it at the G-Data Table Soccer Championship booth after the final match against BitDefender :(

I wonder what the 2009 picture will look like :) 

Categories: Fun

Panda Internet Security 2009 BETA

June 19th, 2008

We've recently released the new Panda Internet Security 2009 to public beta. This is the first product to use "scanning from the cloud" technology based on Panda's Collective Intelligence [PDF] as the first line of defense against new malware.

This new approach to security allows us to detect new malware faster by not having to rely solely on traditional antivirus signatures, with a much lower resource impact on each PC thanks to the use of white-listing technologies that improve scanning efficiency.

Users of Panda Internet Security 2009 become part of the Collective Intelligence community and act as "sensors" which provide telemetry to determine, thanks to correlation and statistical algorithms, which malware is really prevalent and affecting users worldwide.

In addition to this new layer of security, which encompasses all previous ones, our products continue to include traditional signatures, advanced heuristics, TruPrevent behavioral analysis and blocking, intrusion prevention and the other protection techniques found in previous versions.

You can sign up for the beta at http://www.pandasecurity.com/homeusers/downloads/beta/.

UPDATE: The beta period has finished. You can now download your version of Panda 2009 from http://www.pandasecurity.com.

Categories: News

Malware Prevalence May 2008

June 16th, 2008

During the month of May we've seen a 346% growth over April in the number of unique samples actively circulating and infecting users (23.550 samples in May vs. 6.809 in April). Out of the total seen In-The-Wild, only a portion are new and not seen in previous months; of these, 78% are non-replicating while the rest are self-replicating viral/worm code. We encourage you to visit our Virus Encyclopedia for detailed descriptions of each one of these.

New Replicating Malware

The ranking of new replicating viruses and worms this month is led by the W32/Lineage and W32/Autorun families. The latter consists of worms which replicate via USB devices and is the newcomer to the top of the list. Who said worms are dead? The rest, as usual, is made up of MSN worms, spammer bots and an old acquaintance, W32/Bagle, still making the rounds.

****     W32/Lineage
****     W32/Autorun
***      W32/Sdbot
***      W32/Nuwar
***      W32/Mandaph
***      W32/MSNWorm
**       W32/Spamta
**       W32/Socks
**       W32/Nahkos
**       W32/IRCBot
**       W32/Gaobot
**       W32/Bagle
**       VBS/Autorun
*        W32/Wow
*        W32/VB
*        W32/Rxbot
*        W32/ProxyServer
*        W32/Perwall
*        W32/Mailworm
*        VBS/Solow
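W32/Autorun-style worms spread by dropping an autorun.inf on removable media, so the device's own file tells Windows what to launch when it is inserted or opened. The following Python is an added example written for this page, not Panda's code: it triages an autorun.inf for the keys that cause execution or spoof the AutoPlay prompt, which is what a defender looks at when a USB stick is suspected of carrying one of these worms. Both sample files are constructed, and the path data\update.exe is a placeholder, not an indicator from the post.

```python
"""Triage an autorun.inf for the entries that USB-spreading worms rely on.

Added example (not Panda's code). The two sample files below are
constructed for illustration; 'data\\update.exe' is a placeholder path.
"""

# Keys under [autorun] that make Windows run a program when the device
# is inserted or opened; shell\<verb>\command entries are handled by pattern.
AUTO_EXEC_KEYS = ("open", "shellexecute")

# Constructed benign sample: only cosmetic keys (icon and volume label).
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=Driver CD
"""

# Constructed worm-style sample: every way of getting code to run, plus an
# 'action' line that makes the AutoPlay dialog look like a normal folder open.
SAMPLE_WORM = r"""[AutoRun]
; comment lines and odd casing are common in real files
open=data\update.exe
shellexecute=data\update.exe
shell\open\Command=data\update.exe
shell\explore\command=data\update.exe
shell=open
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text: str) -> dict:
    """Return {key_lower: value} for the [autorun] section.

    A hand-rolled parser is used instead of configparser because real
    autorun.inf files contain duplicate keys, bare lines and mixed casing
    that configparser rejects; the last value for a repeated key wins.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> list:
    """Return (key, target, reason) findings; an empty list means the file
    only carries cosmetic keys such as icon= or label=."""
    findings = []
    for key, value in parse_autorun(text).items():
        # Values may carry an icon index or arguments after a comma.
        target = value.split(",", 1)[0].strip().strip('"')
        if key in AUTO_EXEC_KEYS:
            findings.append((key, target, "runs on insertion/open"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append((key, target, "runs from a context-menu verb"))
        elif key == "shell":
            findings.append((key, target, "default double-click verb redirected"))
        elif key == "action":
            findings.append((key, value, "AutoPlay prompt text supplied by the device"))
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("worm-style", SAMPLE_WORM)):
        print(f"{name}:")
        for key, target, reason in triage_autorun(sample) or []:
            print(f"  {key} -> {target} ({reason})")
```

The finding list is deliberately small: anything that names an executable under open=, shellexecute= or a shell verb, a redirected default verb, or a device-supplied AutoPlay caption. On a clean driver CD all of those are absent, so the benign sample yields no findings at all.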

New Non-Replicating Malware

On the Trojan front, we've seen a strong increase in infections by Identity Theft Trojans (Sinowal, Banker, Agent, Dadobra, Banbra, etc.), while the pay-per-install adware/spyware affiliates are having a hard time maintaining their number one position. I guess it pays more to steal directly from consumers' bank accounts. The rest of the list is made up of spammer bots, rogue anti-spyware and other creatures.

****     Trj/Lineage
****     Adware/Netproject
***      Trj/dmRandom
***      Trj/Sinowal
***      Trj/QQpass
***      Trj/Nabload
***      Trj/Downloader
***      Trj/Banker
***      Trj/Autorun
***      Trj/Agent
***      Spyware/Virtumonde
***      Bck/IRCBot
***      Adware/VapSup
***      Adware/NaviPromo
**       Trj/Spambot
**       Trj/Ranky
**       Trj/Qhost
**       Trj/Dadobra
**       Trj/Buzus
**       Trj/Banbra
**       Trj/Agysteo
**       Generic Malware
**       Bck/Sdbot
**       Bck/Hamweq
**       Bck/Agent
**       Adware/VideoPlugin
**       Adware/BHO
*        Trj/WmaDownloader
*        Trj/VBbot
*        Trj/Spy
*        Trj/Spammer
*        Trj/Passwordstealer
*        Trj/Multidropper
*        Trj/Mitglieder
*        Trj/Killfiles
*        Trj/Dropper
*        Trj/DNSChanger
*        Trj/Clicker
*        Trj/Busky
*        Trj/BedeTres
*        Generic Trojan
*        Dialer
*        Bck/VBBot
*        Bck/Turkojan
*        Bck/Tiny
*        Bck/Peacomm
*        Bck/Nepoe
*        Bck/Hupigon
*        Bck/Gaobot
*        Bck/Dbot
*        Application/WinSpywareProtect
*        Application/VirusHeat
*        Adware/Zenosearch
*        Adware/Yazzle
*        Adware/WinSpywareProtect
*        Adware/WinReanimator
*        Adware/WinIFixer
*        Adware/WinAntiVirus2007
*        Adware/VirusRanger
*        Adware/VirusHeat
*        Adware/VideoKeyCodec
*        Adware/VideoAccessCodec
*        Adware/UltimateDefender
*        Adware/SecurityError
*        Adware/SearchPorn
*        Adware/RussiaPorn
*        Adware/PCCleaner
*        Adware/MalwareAlarm
*        Adware/Lop
*        Adware/Ivideo
*        Adware/BraveSentry
*        Adware/AntiSpywareShield
*        Adware/Alexa
*        Adware/AdvancedXPFixer
*        Adware/4Porn

Categories: behavior analysis, Stats

Banking Trojans III

June 2nd, 2008

In the previous posts Banking Trojans I and Banking Trojans II we gave an overview of the main banker trojan families and their basic characteristics (files and registry entries). Let's dig a little deeper now and take a look at their infection and hiding techniques.

Banbra (Dadobra, Nabload)
* Static process
* Process injected into other process
* Encrypted / packed file

Bancos
* Static process
* Process injected into other process
* Encrypted / packed file

Bankdiv (Banker.BWB)
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
* Substitution of Operating System files

Bankolimb (NetHell, Limbo)
* Static process
* Process injected into other process
* Encrypted / packed file

Banpatch
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files

Briz
* Static process
* Process injected into other process
* Encrypted / packed file

Cimuz (Bzud, Metafisher, Abwiz, Agent DQ)
* Static process
* Process injected into other process
* Encrypted / packed file

Dumador (Dumarin, Dumaru)
* Static process
* Process injected into other process
* Encrypted / packed file

Goldun (Haxdoor, Nuclear grabber)
* Static process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit

Nuklus (Apophis)
* Static process
* Process injected into other process
* Encrypted / packed file

PowerGrabber
* Static process
* Process injected into other process
* Encrypted / packed file

SilentBanker
* Static process
* Process injected into other process
* Encrypted / packed file

Sinowal (Wsnpoem, Anserin)
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Polymorphic file
* Encrypted / packed file
* File hidden by rootkit

Snatch (Gozi)
* Static process
* Process injected into other process
* Encrypted / packed file

Spyforms
* Static process
* Process injected into other process
* Encrypted / packed file

Torpig (Xorpix, Mebroot)
* Static process
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
* MBR rootkit
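Every family above ships as an encrypted or packed file, and Sinowal and Torpig add polymorphic files on top. One property a defender can check without unpacking anything is byte entropy: packed or encrypted content has a near-uniform byte distribution (close to 8 bits per byte), while plain code, strings and tables sit well below that. The following Python is an added example written for this page, not Panda's code. The sample buffers are constructed: a repeated assembly-like text stands in for a plain binary, and a toy LCG keystream XORed over it stands in for a packer's output. The 7.0 bits/byte threshold and the "half the blocks" rule are common rules of thumb, not values from the post.

```python
"""Flag buffers whose byte distribution looks packed or encrypted.

Added example (not Panda's code): Shannon entropy per fixed-size block,
with constructed sample buffers standing in for real files.
"""
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # bits per byte; rule of thumb, not a value from the post
BLOCK_SIZE = 1024        # per-block entropy smooths over headers and resource data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def block_entropies(data: bytes, block: int = BLOCK_SIZE) -> list:
    """Entropy of each consecutive block; the last block may be shorter."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_packed(data: bytes, block: int = BLOCK_SIZE,
                 threshold: float = PACKED_THRESHOLD, fraction: float = 0.5) -> bool:
    """True when at least `fraction` of the blocks exceed `threshold`.

    A packed executable keeps a small plain stub in front of the compressed
    payload, so the decision is made on the share of high-entropy blocks
    rather than on the entropy of the whole file.
    """
    ents = block_entropies(data, block)
    if not ents:
        return False
    high = sum(1 for e in ents if e >= threshold)
    return high / len(ents) >= fraction


def _keystream(n: int, seed: int = 0x12345678) -> bytes:
    """Constructed LCG byte stream used only to fake a packer's output."""
    x = seed
    out = bytearray()
    for _ in range(n):
        x = (1664525 * x + 1013904223) & 0xFFFFFFFF
        out.append((x >> 24) & 0xFF)
    return bytes(out)


# Constructed "plain" binary: repetitive, small alphabet, low entropy.
PLAIN_SAMPLE = b"push ebp; mov ebp, esp; call helper; ret\n" * 200

# Constructed "packed" binary: the plain sample XORed with the keystream,
# which yields a near-uniform byte distribution like real packed payloads.
PACKED_SAMPLE = bytes(p ^ k for p, k in zip(PLAIN_SAMPLE[:8192], _keystream(8192)))

# Constructed packed file with a 2 KiB plain stub in front of the payload.
STUB_PLUS_PAYLOAD = PLAIN_SAMPLE[:2048] + PACKED_SAMPLE


if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                      ("stub+payload", STUB_PLUS_PAYLOAD)):
        print(f"{name:13s} entropy={shannon_entropy(buf):.2f} "
              f"packed={looks_packed(buf)}")
```

Entropy alone does not say what the payload is, only that static signatures written against the plain code will not match it; the practical use is to route such samples to an unpacker or to behavioral analysis (the TruPrevent-style monitoring mentioned in the Panda 2009 post above) rather than to trust a clean signature result.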

Categories: Malware, Rootkits