Panda Research Blog

New Panda Antivirus Command Line 9.5.1

Pedro Bustamante — Fri, 04 Jul 2008 11:04:00 GMT

I'm happy to announce the availability of our new Panda Antivirus Command-Line scanner (PAVCL) version 9.5.1.00. This new engine incorporates interesting features over previous versions specially focused on detecting and deactivating active rootkits and improved heuristic detection of new and unknown malware:

* Engine version 1.5.1 integration.
* Reboot driver. Disinfection during reboot of active rootkits. Needs to run with admin priviledge.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).

The new log format is as follows:
[Date];[Complete_path];[File_name_in_compressed];[Malware_name];[Detection_ID];[Action_taken];
[Sub_action];[Additional_information];[Status_ok_or_error];

As always we have a signature file available from the blog for testing purposes which is NOT updated on a regular basis. For production and critical scanning systems make sure to contact us for a regular signature feed.

Download the new PAVCL 9.5.1.00 here.

Return codes are available for integrations of PAVCL with automated scanning systems. PAVCL returns a numeric value of 4 bytes to indicate the type of program exit, the type of operation performed and the number of malware detected. For more info on this contact me.

This version is compatible with Windows 2000, 2003, XP (32 and 64 bits) and Vista (32 and 64 bits).

Antivirus industry 10 years ago

Pedro Bustamante — Fri, 20 Jun 2008 13:51:00 GMT

From our friends at Ikarus. In the last Virus Bulletin I got a t-shirt from them with this picture on it, but forgot it at the G-Data Table Soccer Championship booth after the final match against BitDefender :(

I wonder what the 2009 picture will look like :)

Panda Internet Security 2009 BETA

Pedro Bustamante — Thu, 19 Jun 2008 07:47:00 GMT

We've recently released the new Panda Internet Security 2009 to public beta. This is the first product to use "scanning from the cloud" technology based on Panda's Collective Intelligence [PDF] as the first line of defense against new malware.

This new approach to security allows us to detect new malware faster by not having to rely on traditional antivirus signatures, with a much lesser resource impact on each PC thanks to the use of white-listing technologies to improve scanning efficiency.

Users of Panda Internet Security 2009 become part of the Collective Intelligence community and act as "sensors" which provide telemetry to determine, thanks to correlation and statistical algorithms, which malware is really prevalent and affecting users worldwide.

In addition to this new layer of security, which encompasses all previous ones, our products continue having traditional signatures, advanced heuristics, TruPrevent behavioral analysis and blocking, intrusion prevention and other protection techniques found in previous versions.

You can sign up for the beta at http://www.pandasecurity.com/homeusers/downloads/beta/.

Malware Prevalence May 2008

Pedro Bustamante — Mon, 16 Jun 2008 10:40:00 GMT

During the month of May we've seen a 346% growth over April of unique samples actively circulating and infecting users (23.550 samples in May vs. 6.809 in April). Out of the total seen In-The-Wild only a portion are new and not seen in previous months, of which 78% are non-replicating while the rest are self-replicating viral/worm code. We encourage you to visit our Virus Encyclopedia to get detailed descriptions of each one of these.

New Replicating Malware

The ranking of new replicating viruses and worms this month is led by the W32/Lineage and W32/Autorun families. This last one consists of worms which replicate via USB devices and is the newcomer to the top of the list. Who said worms are dead? The rest as usual is made up of MSN worms, spammer bots and an old acquaintance W32/Bagle still making the rounds.

****   W32/Lineage
****   W32/Autorun
***      W32/Sdbot
***      W32/Nuwar
***      W32/Mandaph
***      W32/MSNWorm
**       W32/Spamta
**       W32/Socks
**       W32/Nahkos
**       W32/IRCBot
**       W32/Gaobot
**       W32/Bagle
**   VBS/Autorun
*      W32/Wow
*      W32/VB
*      W32/Rxbot
*      W32/ProxyServer
*      W32/Perwall
*      W32/Mailworm
*      VBS/Solow

New Non-Replicating Malware

On the Trojan front, we've seen a strong increase in infections by Identity Theft Trojans (Sinowal, Banker, Agent, Dadobra, Banbra, etc.) while the pay-per-install adware/spyware affiliates are having a hard time maintaining their number one position. I guess it pays more to steal directly from consumers' bank accounts. The rest of the list is made up by spammer bots, rogue anti-spyware and other creatures.

****    Trj/Lineage
****    Adware/Netproject
***    Trj/dmRandom
***    Trj/Sinowal
***    Trj/QQpass
***    Trj/Nabload
***    Trj/Downloader
***    Trj/Banker
***    Trj/Autorun
***    Trj/Agent
***    Spyware/Virtumonde
***    Bck/IRCBot
***    Adware/VapSup
***    Adware/NaviPromo
**       Trj/Spambot
**       Trj/Ranky
**       Trj/Qhost
**       Trj/Dadobra
**       Trj/Buzus
**       Trj/Banbra
**       Trj/Agysteo
**       Generic Malware
**       Bck/Sdbot
**       Bck/Hamweq
**       Bck/Agent
**       Adware/VideoPlugin
**       Adware/BHO
*        Trj/WmaDownloader
*        Trj/VBbot
*        Trj/Spy
*        Trj/Spammer
*        Trj/Passwordstealer
*        Trj/Multidropper
*        Trj/Mitglieder
*        Trj/Killfiles
*        Trj/Dropper
*        Trj/DNSChanger
*        Trj/Clicker
*        Trj/Busky
*        Trj/BedeTres
*        Generic Trojan
*        Dialer
*        Bck/VBBot
*        Bck/Turkojan
*        Bck/Tiny
*        Bck/Peacomm
*        Bck/Nepoe
*        Bck/Hupigon
*        Bck/Gaobot
*        Bck/Dbot
*        Application/WinSpywareProtect
*        Application/VirusHeat
*        Adware/Zenosearch
*        Adware/Yazzle
*        Adware/WinSpywareProtect
*        Adware/WinReanimator
*        Adware/WinIFixer
*        Adware/WinAntiVirus2007
*        Adware/VirusRanger
*        Adware/VirusHeat
*        Adware/VideoKeyCodec
*        Adware/VideoAccessCodec
*        Adware/UltimateDefender
*        Adware/SecurityError
*        Adware/SearchPorn
*        Adware/RussiaPorn
*        Adware/PCCleaner
*        Adware/MalwareAlarm
*        Adware/Lop
*        Adware/Ivideo
*        Adware/BraveSentry
*        Adware/AntiSpywareShield
*        Adware/Alexa
*        Adware/AdvancedXPFixer
*        Adware/4Porn

Banking Trojans III

Pedro Bustamante — Mon, 02 Jun 2008 10:24:00 GMT

In previous posts Banking Trojans I and Banking Trojans II we did an overview of the main banker trojan families and their simple characteristics (files and registry entries). Let's dig a little deeper now and take a look at their infection and hiding techniques.

Banbra (Dadobra, Nabload)
* Static process
* Process injected into other process
* Encrypted / packed file

Bancos
* Static process
* Process injected into other process
* Encrypted / packed file

Bankdiv (Banker.BWB)
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
* Substitution of Operating System files

Bankolimb (NetHell, Limbo)
* Static process
* Process injected into other process
* Encrypted / packed file

Banpatch
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files

Briz
* Static process
* Process injected into other process
* Encrypted / packed file

Cimuz (Bzud, Metafisher, Abwiz, Agent DQ)
* Static process
* Process injected into other process
* Encrypted / packed file

Dumador (Dumarin, Dumaru)
* Static process
* Process injected into other process
* Encrypted / packed file

Goldun (Haxdoor, Nuclear grabber)
* Static process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit

Nuklus (Apophis)
* Static process
* Process injected into other process
* Encrypted / packed file

PowerGrabber
* Static process
* Process injected into other process
* Encrypted / packed file

SilentBanker
* Static process
* Process injected into other process
* Encrypted / packed file

Sinowal (Wsnpoem, Anserin)
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Polymorphic file
* Encrypted / packed file
* File hidden by rootkit

Snatch (Gozi)
* Static process
* Process injected into other process
* Encrypted / packed file

Spyforms
* Static process
* Process injected into other process
* Encrypted / packed file

Torpig (Xorpix, Mebroot)
* Static process
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
* MBR rootkit

Debian OpenSSL

Pedro Bustamante — Tue, 27 May 2008 15:45:00 GMT

From HDMoore, too good to pass out:

Fenomen(al) False Positives

Pedro Bustamante — Mon, 19 May 2008 16:22:00 GMT

One of the problems with automation of antivirus signature creation is that if a few AV vendors start detecting something as malicious, even with heuristics, "automagically" soon afterwards other AV vendors start doing the same without even checking if the file in question is in fact malicious or not, even going as far as creating specific signatures for it via automated systems.

An example of such a False Positive (FP) problem with automatic AV signature creation is the case of Fenomen Games (aka Gamecentersolution), by Legacy Interactive. Fenomen is a company that creates and distributes games. They do so via a bunch of "Game Downloaders" which basically allow users to choose and download different games on-the-fly. The problem is that these "Game Downloaders" have very similar characteristics to known "Trojan Downloaders", such as the runtime-packing and their behaviour (connecting to the Internet, downloading something, executing it and then exiting), so they naturally set off heuristic alarms like a christmas tree.

After manual analysis the only thing I found truly suspicious about it is the fact that we have over 200.000 different unique "Game Downloaders" from Fenomen Games in our Collective Intelligence database. The ones I checked are not malicious in any way nor do they do anything different than what they advertise (if you have evidence of the contrary please let me know). Fenomen seems pretty active from a partner/affiliate perspective and this could be the reason for the multitude of unique MD5's.

So let's look at detections by different AV engines. Most of the Fenomen Game Downloaders out of the 200.000 we have checked are detected by anywhere from 4 to almost 20 different AV engines:

The problem with these detections are not the "heuristic" detections but the signature detections. Normally (traditionally that is) a signature detection signifies a "100% known malicious" program. However in today's world where signatures are created automatically based on other criteria, False Positives are amplified and rolled-over to other engines freely.

Some statistics of detections per engine based on the 200.000 Fenomen Games Download samples we have (names have been omitted to protect the "innocent"):
Scanner A 137.465 detections
Scanner B 101.061 detections
Scanner C 96.472 detections
Scanner D 68.264 detections
Scanner E 45.602 detections
Scanner F 38.027 detections
Scanner G 31.603 detections
Scanner H 28.152 detections
And so on...

These include both heuristic and signature detections. All of the latter are false positives by very well known AV engines!

The other problem created by these "FPs generated by automated signature systems" is that, once considered malicious, samples of these FPs are included in regular "collection sharing packages" amongst different AV labs and, more importantly, independent research and testing organizations. These type of organizations, which rely on multi-scanners to classify their testbeds, should take good care of not falling into the same mistake. So the next time you see detection rates based on AV signatures published in a magazine or website, you should be asking yourselves "what" is truly being tested.

All in all, automation at the lab is an absolute must for any AV vendor that wants to keep up with the large volume of new incoming malware. However it is critical that these systems are well supervised, finetuned and backed by engineers who oversee the signatures generated automatically to avoid creating "fenomenal" false positive problems.

Anti-Rootkit Testing

Pedro Bustamante — Fri, 16 May 2008 10:02:00 GMT

DarkReading issued a note a few days ago titled "New Tests Show Rootkits Still Evade AV". These tests, originally performed by AV-Test.org, are becoming more important every day as malware is making use of advanced rootkit and hiding techniques to evade detection by security solutions. This, of course, is not news to anyone.

What is news is the effectiveness of rootkit-based malware. It really doesn't make much of a difference if solution XYZ detects the most amount of malware using traditional AV signatures if it can't even "see" the malware which is hidden by a rootkit. Modern security solutions need not only count with advanced heuristics and behavioral analysis and blocking but must also be able to dig deeper into the Operating System or else fail to protect users correctly.

The results of the test are very satisfactory for Panda products, thanks mostly to the technology incorporated into our products which has been tested thoroughly by Panda Anti-Rootkit, specially by regular readers of this blog.

In the online-scanner portion of the anti-rootkit test we did pretty well, with the highest scores in both detection and removal of malware hidden by rootkits:

Detection Removal

Panda Security ActiveScan 5.54.01 26 26

F-Secure Online Virus Scanner 3.2 Beta (1.0.64) 26 23

Microsoft Windows Live Safety Scanner 25 8

Kaspersky Online Scanner 21 0

Trend Micro HouseCall 5 1

BitDefender Online Scanner 3 0

In the Windows Vista test we did pretty good as well:

Three AV tools had perfect scores, catching all active and inactive rootkits as well as removing all of them: Norton Antivirus 2008 15.0.0.58; Panda Security Antivirus 2008 3.00.00; and F-Secure Anti-Virus 2008 6.80.2610.0.

The test is available here for those who want to take a deeper look (look for "Anti-Stealth Fighters: Testing for Rootkit Detection and Removal", Virus Bulletin 04/2008). Again many thanks to the people who've helped us test and improve our anti-rootkit technology.

EDIT: Updated link to Papers section of AV-Test Website and F-Secure detection and removal rations (26/23 vs. 23/26).

New Malware Prevalence April 2008

Pedro Bustamante — Thu, 08 May 2008 22:51:00 GMT

Even though we get thousands of new malware samples in the lab every day, only a fraction of these make it in-the-wild actively infecting users. These are the most interesting samples for us as they're the ones we need to concentrate on the most. The vast majority of the times we catch these either by generic signatures, heuristics or TruPrevent behavioral analysis and blocking and through a variety of sensors such as our own products installed at users' PCs, online scanners or through correlation by our Collective Intelligence.

During the month of April we've seen a total of 6.809 unique samples actively circulating and infecting users. Out of the total malware seen in-the-wild, approximately 10% of the samples are completely new and not seen in previous months. Of this new malware 81% are non-replicating Trojans while the rest are self-replicating viral/worm code.

Following below is an overview of the prevalence statistics and family details broken down by type (non-replicating and self-replicating) and use of runtime packer or obfuscator.

New Non-Replicating Trojans

Let's take a look first at the new Trojans sighted this month. As usual adware/spyware leads the list with the largest number of variants being distributed. It's obvious that the return on investment is greatest with this type of malware as there are plenty of "marketing companies" out there that offer pay-per-install affiliate programs of their malware.

An interesting trends we're seeing lately is the increase in Banking Trojan activity. These are mostly distributed via Web Exploitation Kits and Trj/Downloaders. They are best represented this month by the Banker and Sinowal families.

The following table details the new non-replicating Trojans found in-the-wild with an indication of their prevalence, from * (seen on at least two unique computers) to ***** (massive distribution).

Prevalence	Name
****	 Adware_Netproject
***	 Spyware_Virtumonde
***	 Adware_VideoAccessCodec
***	 Adware_Netproject
***	 Adware_NaviPromo
**	 Trj_Nabload.DEX
**	 Trj_Mitglieder.TJ
**	 Trj_Lineage.IGA
**	 Trj_Lineage.IDJ
**	 Trj_Lineage.IDE
**	 Trj_Lineage.HZI
**	 Trj_Downloader.TIN
**	 Trj_Downloader.THP
**	 Trj_Downloader.TCC
**	 Trj_dmRandom.TW
**	 Trj_Banker.KWQ
**	 Trj_Banker.KWP
**	 Trj_Banker.KWO
**	 Trj_Banker.KWH
**	 Malicious Packer
**	 Adware_WinReanimator
**	 Adware_VirusHeat
**	 Adware_VideoPlugin
**	 Adware_VideoAccessCodec
**	 Adware_VapSup
**	 Adware_UltimateDefender
**	 Adware_Suurch
*	 W32_Lineage.ICJ.worm
*	 Trj_Zlob.IF
*	 Trj_SysW.G
*	 Trj_Spammer.AHH
*	 Trj_Spammer.AHD
*	 Trj_Spamine.G
*	 Trj_Sinowal.VKF
*	 Trj_Sinowal.VKE
*	 Trj_Sinowal.VKB
*	 Trj_Sinowal.VJZ
*	 Trj_QQPass.BGT
*	 Trj_QQPass.BGN
*	 Trj_QQPass.BGM
*	 Trj_QQPass.BGL
*	 Trj_Nabload.DEU
*	 Trj_Nabload.DET
*	 Trj_Multidropper.RMN
*	 Trj_Mitglieder.TI
*	 Trj_Lineage.IFH
*	 Trj_Lineage.IFG
*	 Trj_Lineage.IFF
*	 Trj_Lineage.IFE
*	 Trj_Lineage.IFC
*	 Trj_Lineage.IFB
*	 Trj_Lineage.IEY
*	 Trj_Lineage.IEW
*	 Trj_Lineage.IEU
*	 Trj_Lineage.IEM
*	 Trj_Lineage.IDV
*	 Trj_Lineage.IDE
*	 Trj_Lineage.ICA
*	 Trj_Lineage.IAN
*	 Trj_Lineage.IAL
*	 Trj_Lineage.HTK
*	 Trj_Lineage.HNA
*	 Trj_Hosts.V
*	 Trj_Hosts.U
*	 Trj_Gamania.GS
*	 Trj_FireByPass.BP
*	 Trj_Exchanger.D
*	 Trj_Downloader.TME
*	 Trj_Downloader.TLU
*	 Trj_Downloader.TLL
*	 Trj_Downloader.TJR
*	 Trj_Downloader.TJF
*	 Trj_Downloader.TJE
*	 Trj_Downloader.TJA
*	 Trj_Downloader.TIL
*	 Trj_Downloader.TIK
*	 Trj_Downloader.THZ
*	 Trj_Downloader.THI
*	 Trj_Downloader.TEG
*	 Trj_Downloader.TDA
*	 Trj_Downloader.TCQ
*	 Trj_Downloader.TAU
*	 Trj_dmRandom.UB
*	 Trj_Dadobra.AOR
*	 Trj_Busky.DE
*	 Trj_BHO.AT
*	 Trj_Banker.KXI
*	 Trj_Banker.KWX
*	 Trj_Banker.KWV
*	 Trj_Banker.KWR
*	 Trj_Banker.KTU
*	 Trj_Banbra.FQI
*	 Trj_Banbra.FQB
*	 Trj_Banbra.FON
*	 Trj_Autorun.TS
*	 Trj_Autorun.JN
*	 Trj_Agent.IPR
*	 Trj_Agent.IPI
*	 Trj_Agent.IOH
*	 Trj_Agent.IOD
*	 Trj_Agent.IOB
*	 Spyware_Virtumonde
*	 Generic Malware
*	 Bck_Sdbot.LUN
*	 Bck_SDBot.LUF
*	 Bck_SDBot.LTW
*	 Bck_Sdbot.LTR
*	 Bck_PoisonIvy.U
*	 Bck_Oderoor.Q
*	 Bck_Oderoor.P
*	 Bck_LanMan.CN
*	 Bck_IRCBot.BYY
*	 Bck_IRCBot.BYO
*	 Bck_IRCBot.BYI
*	 Bck_IRCBot.BYH
*	 Bck_IRCBot.BXW
*	 Bck_IRCBot.BXU
*	 Bck_IrcBot.BXT
*	 Bck_IRCBot.BXL
*	 Bck_Hupigon.LAB
*	 Bck_Agent.IPD
*	 Bck_Agent.IOG
*	 Application_VirusHeat
*	 Application_SpyShredder
*	 Application_PCCleaner
*	 Adware_Zenosearch
*	 Adware_XXXHoliday
*	 Adware_WinSecureDisc
*	 Adware_WinReanimator
*	 Adware_WinIFixer
*	 Adware_WebHancer
*	 Adware_VirusIsolator
*	 Adware_VirusHeat
*	 Adware_VideoPorn
*	 Adware_VideoKeyCodec
*	 Adware_VapSup
*	 Adware_TopSpyware
*	 Adware_SpywareSoftStop
*	 Adware_SpyAway
*	 Adware_SecuritySystem
*	 Adware_SecurityError
*	 Adware_SearchVideo
*	 Adware_PCCleaner
*	 Adware_MalwareAlarm
*	 Adware_Lop
*	 Adware_ChristmasPorn
*	 Adware_BaiduBar
*	 Adware_AntiSpywareReview
*	 Adware_Alexa

New Self-Replicating Virus & Worms

Even though some security experts out there maintain that 'viruses are a thing of the past', the fact is that almost 20% of the new malware we see every month are self-replicating viruses and worms. This figure is not as high as it used to be years ago but it comes to prove that viruses are definitely not dead.

As with previous months, worms spreading through Instant Messaging such as the W32/MSN.worm and W32/MSNWorm lead the list by propagating via vulnerabilities and sending links to copies of itself to all IM contacts.

The prevalence, especially in corporate networks, of the particularly nasty W32/Virutas, is probably due to its effectiveness as a cavity, polymorphic, entry point obscuring and memory resident infector virus.

The remainder of the list is mostly made up by spam-spewing bots and game password stealers for World of Warcraft and Lineage.

As above, the following table details the new self-replicating viruses and worms found in-the-wild with an indication of their prevalence (* for low and ***** for massive distribution).

Prevalence	Name
***	 W32_MSN.J.worm
***	 W32_Lineage.HXI.worm
**	 W32_Nuwar.SS.worm
**	 W32_MSNWorm.EJ.worm
**	 W32_Lineage.IFX.worm
**	 W32_Lineage.IEN
**	 W32_Lineage.ICM.worm
**	 W32_Lineage.IBW.worm
**	 W32_Lineage.HZE.worm
**	 W32_Bagle.SR.worm
*	 W32_Wow.SI.worm
*	 W32_Virutas.AB
*	 W32_VBS.H.worm
*	 W32_VanBot.AE.worm
*	 W32_UsbStorm.K.worm
*	 W32_Thanks.B.worm
*	 W32_SundMan.A.worm
*	 W32_Spamta.AGD.worm
*	 W32_Sohanat.EX.worm
*	 W32_Sohanat.AS.worm
*	 W32_Socks.C.worm
*	 W32_Socks.B.worm
*	 W32_SDBot.LUI.worm
*	 W32_Sdbot.LUB.worm
*	 W32_SdBot.LTV.worm
*	 W32_Sdbot.LTT.worm
*	 W32_Sality.AA
*	 W32_QQRob.OS
*	 W32_Oscarbot.TK.worm
*	 W32_Nuwar.TC.worm
*	 W32_Nuwar.SV.worm
*	 W32_Nuwar.SR.worm
*	 W32_MSNworm.EK.worm
*	 W32_MSNworm.EI.worm
*	 W32_Mabezat.C
*	 W32_Lineage.IFI.worm
*	 W32_Lineage.IEZ.worm
*	 W32_Lineage.IEN.worm
*	 W32_Lineage.IEG.worm
*	 W32_Lineage.IDS
*	 W32_Lineage.IDR.worm
*	 W32_Lineage.IDI.worm
*	 W32_Lineage.ICT.worm
*	 W32_Lineage.ICO.worm
*	 W32_Lineage.ICL.worm
*	 W32_Lineage.ICJ.worm
*	 W32_Lineage.ICB
*	 W32_Lineage.IBZ.worm
*	 W32_Lineage.IBX.worm
*	 W32_IRCBot.BYQ.worm
*	 W32_IRCBot.BYL.worm
*	 W32_IRCBot.BYC.worm
*	 W32_IRCBot.BYB.worm
*	 W32_IRCBot.BYA.worm
*	 W32_Gaobot.QGN.worm
*	 W32_DengDun.A.worm
*	 W32_Brontok.JL.worm
*	 W32_Bagle.SN.worm
*	 W32_Autorun.TU.worm
*	 W32_Autorun.TK.worm
*	 W32_Agent.INI.worm
*	 W32_Agent.ILD.worm
*	 VBS_Sasan.A.worm

By Runtime Packers & Obfuscators

I've blogged quite a bit in previous occasions about the use of packers and obfuscators, especially in money-driven Trojans, in order to avoid detection by AV signature and emulator-driven heuristics.

One of the latest key trends to watch out for is the rapidly increasing use of 'private' purpose-made packers and multi-layered packers. Also especially worrying is the ever-increasing use of "virtualization obfuscators" such as EXECryptor and Themida. Our colleague from Sophos Boris Lau gave a very good speech last week at the CARO Workshop about promising strategies for dealing with these.

UPX		581
Upack		302
'Private'	150
FSG		101
PECompact	94
AS-Pack		88
EXECryptor	62
Themida		53
Multi-layer	38
Nspack		38
ASProtect	37
nPack		22
Adware_Lop	17
RLPack		16
PKLite32	14
tElock		14
UPolyX		13
Wsnpoem		11
Armadillo	8
MEW 11 SE	7
Thinstall	7
Expressor	6
Cexe		4
PolyCryptA	4
PUSH/RET	4
PE Crypt	3
Virtumonde	3
YodaProtect	3
DalKrypt	2
Molebox		2
PESpin		2
Petite		2
CryptFF.b	1
NiceProtect	1
DragonArmor	1
EPProt		1
Exe32pack	1
Kkrunchy	1
MaskPE		1
Morphine	1
NTKrnl		1
PCShrink	1
PEncrypt	1
PEP		1
RCryptor	1
RPCrypt		1
SDProtect	1
SimplePack	1
UltraProtect	1
WWPack32	1
yzpack		1

Banking Trojans II

Pedro Bustamante — Mon, 21 Apr 2008 15:21:00 GMT

In Banking Trojans Part I I covered some banking trojan families. Here I will list the rest of the most dangerous of these types of malicious codes.

Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:
%SystemRoot%\appwiz.dll
%SystemRoot%\ipv6mmo??.dll
We have seen also other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
HKEY_LOCAL_MACHINE\Software\Helper
Others create the following one:
HKEY_LOCAL_MACHINE\Software\MRSoft

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:
    %SystemRoot%\ieschedule.exe
    %SystemRoot%\dsrss.exe
    %SystemRoot%\ieserver.exe
    %SystemRoot%\websvr.exe
    %SystemRoot%\ieredir.exe
    %SystemRoot%\smss.exe
    %SystemRoot%\ib?.dll
Folders:
    %SystemRoot%\drv32dta
    %WindowsRoot%\websvr
Registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\InitRegKey
And usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:
    %SystemRoot%\IEGrabber.dll
    %SystemRoot%\CertGrabber.dll
    %SystemRoot%\FFGrabber.dll
    %SystemRoot%\IECookieKiller.dll
    %SystemRoot%\IEFaker.dll
    %SystemRoot%\IEMod.dll
    %SystemRoot%\IEScrGrabber.dll
    %SystemRoot%\IETanGrabber.dll
    %SystemRoot%\NetLocker.dll
    %SystemRoot%\ProxyMod.dll
    %SystemRoot%\PSGrabber.dll

BankDiv, Banker.BWB
Creates the following files:
    %SystemRoot%\xvid.dll
    %SystemRoot%\xvid.ini
    %SystemRoot%\divx.ini
    %System%\drivers\ip.sys

Snatch, Gozi
It usually installs a driver with rootkit functionalities:
%WindowsRoot%\driver new_drv.sys

Spyforms
Creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “ttool” = %WindowsRoot%\svcs.exe
    HKEY_CURRENT_USER\Software\Microsoft\InetData

BankPatch
It modifies the following system files:
    wininet.dll
    kernel32.dll
And creates the files:
    %SystemRoot%\ldshfr.old
    %SystemRoot%\mentid.dmp
    %SystemRoot%\nwkr.ini
    %SystemRoot%\nwwnt.ini
Usually targets banks from the Netherlands.

Silentbanker
Drops file in %SystemRoot% with random names, for example:
    %SystemRoot%\appmgmt14.dll
    %SystemRoot%\dbgen47.dll
    %SystemRoot%\drmsto34.dll
    %SystemRoot%\faultre66.dll
    %SystemRoot%\kbddiv55.dll
    %SystemRoot%\kbddiv79.dll
    %SystemRoot%\msisi83.dll
    %SystemRoot%\msvcp793.dll
    %SystemRoot%\msvcr25.dll
    %SystemRoot%\nweven2.dll
    %SystemRoot%\pngfil51.dll
    %SystemRoot%\pschdpr89.dll
    %SystemRoot%\versio40.dll
    %SystemRoot%\wifema85.dll
    %SystemRoot%\winstr21.dll
    %SystemRoot%\wzcsv64.dll
Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 “midi1”

If you suspect infection by these or any other type of malware I encourage you to double check by scanning your PC online with ActiveScan 2.0.

Banking Trojans I

Pedro Bustamante — Fri, 18 Apr 2008 10:40:00 GMT

Some of the most dangerous types of threats out there today are banking trojans. These malicious trojans are very specialized and focused at stealing banking credentials. They use advanced techniques to fool users, such as injecting HTML code to ask for additional confidential information such as SSN, PINs, coordinate cards, intercept Transaction Account Numbers (TAN) and replace them with bogus ones, and many more dirty tricks. There's no real solution to the problem in place and certainly no banking customer is safe from this threat today.

These are normally developed by real cyber-criminal mafias such as the Russian Business Network (RBN) and go through great lenghts in order to avoid being detected by traditional antivirus techniques. Not only do they go through QA testing prior to being released but they are also packed with advanced techniques and purpose-made packers that make signature detection less efficient. Specialized heuristics is the most interesting area of research to counter these attacks.

In order to familiarize yourselves with this new type of threats it is important to understand how they work on how they install themselves in your system. In this post I'll show you basic characteristics of some banking trojan families. Watch out for some more details in future posts.

Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1MB in size), but the Trojan Downloaders which installs it are smaller.
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Bancos
Programmed in Visual Basic.
Similar to the Banbra family but in VBasic, they are usually big (more than 1MB).
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
    %SystemRoot%\winldra.exe
    %WindowsRoot%\netdx.dat
    %WindowsRoot%\dvpd.dll
    %Temp%\fe43e701.htm
It also creates the following registry entries:
    HKEY_CURRENT_USER\Software\SARS
Some variants also modify the hosts file.

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
    %SystemRoot%\ntos.exe. (usually loaded by svchost.exe to avoid being listed as an active processes).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the the following registry entry in order to run every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Old value = "%SystemRoot%\userinit.exe"
    Modified = "%SystemRoot%\userinit.exe", "%SystemRoot%\ntos.exe"
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
    %WindowsRoot%\Temp\$_2341234.TMP
    %WindowsRoot%\Temp\$_2341233.TMP
The "?" is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        “Shell” = "%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe"
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.

Recent variants of Torpig, Xorpig and Mebroot:
The latest trend is that it modifies the computer's Master Boot Record (MBR) to run rootkit code and which is used to hide the Trojan. Sometime later it forces a computer reboot and creates the following files:
    %WindowsRoot%\temp\fa56d7ec.$$$
    %WindowsRoot%\temp\bca4e2da.$$$

Thanks to Vicen from PandaLabs for the info.

Panda ActiveScan 2.0

Pedro Bustamante — Mon, 31 Mar 2008 15:08:00 GMT

We've been working very hard over the last few months to integrate all our online scanners (ActiveScan 1.0, NanoScan & TotalScan) into a single new scanner that rules them all. The result is the new Panda ActiveScan 2.0 (www.pandasecurity.com/activescan) which we're about ready to publish between today and tomorrow.

In addition to detecting and disinfecting all types of malware (virus, worms, trojans, ad/spyware, rootkits, etc.), it also integrates some of our latest detection technologies which we have been playing with:

Genetic Heuristics Engine to detect unknown malware and new variants.
Specialized heuristics for cybercrime and identity theft trojans.
Anti-rootkit technology for detecting acitvely running rootkits.
Scanning from the cloud uses Collective Intelligence community detections of malware & goodware processes loaded in memory.

One of the new and interesting things we're doing with ActiveScan 2.0 is tracking the infection rates of PCs that are infected even though they are using an up-to-date antivirus. And we're also tracking this on a per-vendor basis. Therefore we are able to see the percentage of Symantec users who are infected even though they are up-to-date, McAfee users, Trend users, Panda users, Kaspersky users, etc.

Last year I published a research study about infection rates on protected systems where we saw that a whopping 23% of the PCs that had up-to-date antivirus products were actually infected with malware.

Packer (r)evolution

Pedro Bustamante — Wed, 19 Mar 2008 17:21:00 GMT

We know for sure that cyber-criminals use private tools to check AV detection prior to releasing new malware in the wild, making sure it goes undetected by AV signatures at the time of release. As AV companies identify new packers and are able to inspect inside them (or simply identify the malicious packer itself), the bad guys are releasing those which are not detected by most AV.

This has transformed the packer world significantly. The "big name packers" are decreasingly being used by malware. By contrast new packers types are surging which have two main characteristics: (a) they are not widely used in order to stay below the radar and (b) they use obfuscation or anti-debugging techniques.

What we're seeing is that:

Increasingly, malware families use their own 'customized' or ‘private’ packers, which are not recognized by most AV engines.
There's a large variety of packers, each with its own little variations, being used by a reduced number of malware variants.

The strategy these criminals are following is to quickly develop customized variants of packers and use them in very few samples. By the time the AV companies identify the samples and add the unpacking routine to their engines, they already have a new batch of packing variations in store which is being applied to the next batch of samples.

As an exercise we’ve analyzed all the samples Panda has seen in-the-wild (actively infecting two or more different sites) since August 2007 to March 2008 and looked at the ‘big name packers’ used by these:

It’s interesting to see how the ‘big name packers’ such as UPX, PECompact, Themida, PEtite and NSPack are dropping in use, while smaller packers such as nPack, PolyEnE and EXECryptor have increased in a significant way.

But what’s most interesting is what is not seen in the above summary chart, and that is the ‘customized’ or ‘private’ packers. We know for a fact that approximately 90% of malware uses some sort of packing or obfuscation technique, yet the proportion of private, non ‘big name packers’ is increasing rapidly.

Could this be the start of the long-tail of packers?

But when we try to analyze the true reasons behind this evolution in packer use that’s when it starts getting really interesting. Other than the obvious reason which is that bad guys are trying to make our jobs harder at the lab, how come they started creating customized and private packer versions on a very regular basis?

As this is a cat and mouse game, the mice’s next move is directly determined by the cat’s strategy for catching the mice. If we apply this example to the packer/malware world, there are two main events in the AV industry which I believe have driven malware authors to go into ‘packer-craze’:

The addition of many unpacking routines in AV engines as new packers emerged.
Starting to detect malware based on its packing properties without unpacking it (multi-packed files, packers used exclusively for malicious purposes, etc.).

Now I’m not saying the above actions are wrong. They were necessary at the time in order to correctly protect customers and continue being necessary today if we want to keep the pace.

I remember a conversation with my colleague Mark from Symantec last year where we talked about precisely this issue. If we start detecting all packers proactively, what will the bad guys do next? I guess we’re about to see as the packer problematic has completely blown out of proportion.

29A Labs has left the building

Pedro Bustamante — Wed, 27 Feb 2008 15:03:00 GMT

One of the most famous international VX groups, 29A Labs, announced yesterday they are closing shop. Following is a note that VirusBuster, the last standing member of the now defunct 29A, posted on the group's website yesterday:

I tried to contact ValleZ for some time in order to take a decission together about the future of 29A with no luck therefore I decided to take the decission alone. And my decission is that 29A goes officially retired. I feel this is fair because I am kinda the alpha and the omega of the group. 29A was born in Dark Node, my BBS, and I am the last active member of the group. My last words as 29A member are for all the people that worked hard to make of this group the best one: Thank you very much! Regards, VirusBuster/29A.

Creators of infamous viruses (such as W32/Marburg, W32/HPS and WinCE/Dust, the first virus for PocketPC and Smartphones), this spanish born group has been known for researching leading edge techniques, such as per-process residency, metamorphism, entry-point obscuring, and protected-mode viruses.

Goodbye to you all, wherever you may roam!

2007 WildList Proactive Detection

Pedro Bustamante — Mon, 18 Feb 2008 08:19:00 GMT

Andreas Marx from AV-Test has just finished WildList Proactive Detection and Response Time Testing for Q4 2007. You might remember I published the Q3 2007 results, where we achieved a 94% detection rate of the new malware included in the WildList proactively (meaning that Panda customers were protected from the moment the malware appeared for the first time). I'm happy to report that our proactive detection rate of WildList malware has improved to 98% during Q4-2007, which means that we detected 60 out of 61 new additions to the WildList proactively, without requiring any signature updates.

So if we take the WildList Proactive Detection Rates from April to December 2007 this is what the results look like:

Some disclaimers about the data:

The testbed consists of new additions to the WildList, which is a collection of "in-the-wild" self-replicating viruses, worms and some trojans. The WildList does not include non-replicating malware such as spyware, adware, trojans, rootkits, etc. but that's another discussion we'll have someday.
As you can see there's a difference in the proactive detections of our BETA signatures and our REGULAR signatures. All our commercial products automatically download and use BETA signatures transparently between regular daily update intervals, so the protection rate shown as BETA is the one that actually applies to all our customers alike. EDIT: this applies only to certain products and BETA signatures.
The table does not show other AV vendors' BETA signatures as per request from AV-Test.
I've also separated results from endpoint engines and gateway engines as these are not comparable.

UPDATE:
A couple of very important clarifications from AV-Test on how to read this data:
"Please note that term "proactive" doesn't necessarily indicate a heuristic or generic detection, but it will just say that a malware was detected *before* it was reported to the WildList of the specific month."

"A WildList malware could already be spreading in April 2007, for example, but when it was first added to the June 2007 WildList, we just checked for the proactive detections on June 1, 2007. So the values doesn't show the proactive detections from the time the malware first appeared "in the wild", but from the time the malware first appeared on the WildList. That's a big difference."