Archive
Grum lives!
Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives. We have been tracking its activity since January 2013. We can confirm the doubts about the Grum killing that SpiderLabs published in March 2013. The following article provides some details about the Grum activity we have registered.
We have seen Grum activity on the following sites:
- servercafe.ru
- hub.werbeayre.com
- sec.newcontrrnd.com
- sec.convertgame.com
Every bot client generates its own identification number (ID) on its first run. The ID is 32 characters long: the first three correspond to the bot version and the remaining 29 are randomly generated. The ID is also written to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.
After the bot has set its ID, it tries to connect to a C&C server.
1) The bot contacts the C&C server with an HTTP GET request to obtain the FQDN of the client’s computer:
http://%server/spm/s_get_host.php?ver=%botVer
2) This information is used to contact one of the SMTP servers obtained from the DNS MX records of the following domains, which are used for sending spam:
- hotmail.com
- yahoo.com
- aol.com
- google.com
- mail.com
- mail.ru
- yandex.ru
- …
3) Then the C&C server is contacted with the following request:
http://%s/spm/s_alive.php?id=%botID&ticks=%u&ver=%botVersion&smtp=%s&sl=%d&fw=%d&pn=%d&psr=
The smtp variable is set to ‘ok’ when the bot has successfully contacted one of the SMTP servers and to ‘bad’ when it has not.
4) The C&C server answers with a message which looks like ordinary BASE64-encoded data.
For example:
Xu6hQoZL5+9/Hva9N3F3A2+gwPdLuk28BPA5Alm1IOS9MWvCLGp9r/UEqHksCNo4djEmA8SBk/tPRNvg1wc1rjZnwToThUorVw7kdU/h53sgoszvg0OX06MFQvEOxLqF7P4PQ+s=
In fact the message is encrypted with the RC4 algorithm, using the bot’s ID as the key, and then BASE64-encoded.
The whole decryption algorithm written in C# could look like this:
The bot ID for the message above is 72176717204370682282907051332175.
After decryption we can see the message:
http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853
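The decoding scheme described above (BASE64 decode, then RC4 with the bot ID as key), written out in Python as an added example; it is not the C# routine from the original article. The RC4 implementation is the textbook KSA/PRGA, checked against the standard "Key"/"Plaintext" test vector. The encrypt_cc_reply helper exists only to build a test vector from the page’s own task URL and bot ID (RC4 is symmetric, so it is the same operation); whether a real capture decodes cleanly depends on the key being the exact bot ID the C&C used.

```python
"""Decode a Grum C&C reply: BASE64 -> RC4(key = bot ID). Added example."""
import base64
from urllib.parse import parse_qs, urlparse


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).

    Encryption and decryption are the same XOR operation.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_cc_reply(b64_message: str, bot_id: str) -> bytes:
    """Reverse the bot's scheme: BASE64-decode, then RC4 with the bot ID as key."""
    if len(bot_id) != 32:
        raise ValueError("Grum bot IDs are 32 characters long")
    ciphertext = base64.b64decode(b64_message, validate=True)
    return rc4(bot_id.encode("ascii"), ciphertext)


def encrypt_cc_reply(plaintext: bytes, bot_id: str) -> str:
    """The C&C side of the scheme; used here only to construct a test vector."""
    return base64.b64encode(rc4(bot_id.encode("ascii"), plaintext)).decode("ascii")


def parse_task_url(url: str) -> dict:
    """Split the decrypted s_task.php URL into host, path and query parameters."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {"host": parsed.netloc, "path": parsed.path, **params}


# Values taken from the article: the bot ID and the decrypted task URL.
BOT_ID = "72176717204370682282907051332175"
TASK_URL = "http://84.200.70.131:9091/spm/s_task.php?id=" + BOT_ID + "&tid=61853"

if __name__ == "__main__":
    # Constructed vector: encrypt the known URL, then decode it the way the bot does.
    sample = encrypt_cc_reply(TASK_URL.encode("ascii"), BOT_ID)
    print(sample)
    print(decrypt_cc_reply(sample, BOT_ID).decode("ascii"))
    print(parse_task_url(TASK_URL))
```

To decode a real reply, pass the BASE64 string from the s_alive.php response and the ID read from the BITS\ID registry key of the infected host; a wrong ID yields keystream noise rather than an error, so check that the result starts with "http://".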
5) The bot remembers the ot variable and sends the HTTP task request without it:
http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853
6) The C&C answers with spamming instructions, including a spam mail template, encrypted with the same scheme described above.
Interestingly, the spam sent is similar to a scam described on our blog in the past.
Finally, we provide a screenshot of the encrypted instructions, a spam email and an example of the decrypted instructions.
<info>
taskid=61853
realip=x.x.x.x
dns=8.8.8.8
hostname=y
heloname=y
maxthread=25
from=usypc@ozucfx.net
type=0
try_tls=0
use_psr=0
use_dnsapi=1
try_mx_num=1
use_ehlo=1
</info>
<emails>
nadialee@hanmail.net
nadialee@hellokitty.com
…
nadialeitao@zipmail.com.br
nadia_leonita@yahoo.co.id
</emails>
<ac_list>
</ac_list>
<text>
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT[3])
id E%W_RND_INT[2]CE%W_RND_INT[5]E; %DATE
From: Work at Home <%FROM_EMAIL>
To: <%TO_EMAIL>
Subject: Your second chance in life just arrived
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bi
Precedence: bulk
Message-Id: <%GMTDATA[yyyyMMddHHmm].E%W_RND_INT[2]C%W_RND_INT[5]F@web.ozucfx.net>
<html>
<body>
…
</body>
</html>
</text>
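Because every stage of the protocol above uses a fixed path under /spm/ and carries the 32-character bot ID in the query string, the traffic is easy to pick out of web-proxy logs. The following detection script is an added example, not tooling from the original article; the log lines are constructed (squid-like layout of timestamp, client IP, method, URL is an assumption), the hostnames and values are taken from the article, and the assumption that bot IDs are alphanumeric is based only on the one ID the article shows.

```python
"""Flag Grum C&C requests in proxy logs. Added example with constructed input."""
import re
from urllib.parse import parse_qs, urlparse

# Request paths from the protocol description, mapped to their stage.
GRUM_PATHS = {
    "/spm/s_get_host.php": "FQDN lookup (step 1)",
    "/spm/s_alive.php": "alive beacon (step 3)",
    "/spm/s_task.php": "task request (step 5)",
}
# 32-character bot ID (3 version chars + 29 random). Alphanumeric is an assumption.
BOT_ID_RE = re.compile(r"^[0-9A-Za-z]{32}$")

# Constructed sample log: fields are timestamp, client IP, method, URL.
SAMPLE_LOG = """\
1367400001 10.0.0.12 GET http://www.example.org/index.html
1367400002 10.0.0.12 GET http://sec.newcontrrnd.com/spm/s_get_host.php?ver=721
1367400003 10.0.0.12 GET http://sec.newcontrrnd.com/spm/s_alive.php?id=72176717204370682282907051332175&ticks=1532&ver=721&smtp=ok&sl=1&fw=0&pn=1&psr=
1367400004 10.0.0.12 GET http://84.200.70.131:9091/spm/s_task.php?id=72176717204370682282907051332175&tid=61853
1367400005 10.0.0.33 GET http://intranet.example.org/spm/s_alive.php?id=short
"""


def classify_url(url: str):
    """Return a finding dict if the URL matches a Grum C&C stage, else None."""
    parsed = urlparse(url)
    stage = GRUM_PATHS.get(parsed.path)
    if stage is None:
        return None
    params = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    bot_id = params.get("id", "")
    finding = {
        "host": parsed.netloc,
        "stage": stage,
        "bot_id": bot_id or None,
        # None when the stage carries no ID; False means the path matched but
        # the ID is malformed (worth a look, but weaker evidence).
        "id_format_ok": bool(BOT_ID_RE.match(bot_id)) if bot_id else None,
    }
    if "smtp" in params:  # step 3 reports whether outbound SMTP worked
        finding["smtp"] = params["smtp"]
    if "tid" in params:  # step 5 carries the task number
        finding["tid"] = params["tid"]
    return finding


def scan_log(text: str) -> list:
    """Run classify_url over every log line and attach time and client."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        finding = classify_url(url)
        if finding:
            finding.update(ts=ts, client=client)
            findings.append(finding)
    return findings


def bots_by_client(findings: list) -> dict:
    """Group well-formed bot IDs by client IP so each infected host is listed once."""
    hosts = {}
    for f in findings:
        if f["id_format_ok"]:
            hosts.setdefault(f["client"], set()).add(f["bot_id"])
    return hosts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print(bots_by_client(scan_log(SAMPLE_LOG)))
```

A client whose beacon reports smtp=ok has confirmed outbound SMTP reachability, which is the condition for it to start spamming; blocking port 25 egress for workstations removes that capability even before the host is cleaned.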
Lockscreen Win32:Lyposit displayed as a fake MacOs app
When the mastermind hackers of the notorious Carberp banking Trojan were arrested, we thought the story had ended. But a sample that we received on May 7th, a month after the arrests, looked very suspicious. It connected to a well-known URL pattern and it really was the Carberp Trojan. Moreover, the domain it connected to was registered on April 9th!
Taking a closer look at the PE header, we observed that the TimeDateStamp (02 / 27 / 13 @ 12:19:29pm EST) showed a date slightly earlier than the arrests of the cybercriminals, and that the URL was part of a larger botnet in which plenty of Russian bots are involved. So the case was closed as a sample lost within a distribution process.
After using our internal Malware Similarity Search to gather as many related samples as possible, a cluster appeared. It contained some well-known families like Zbot, Dofoil and Gamarue, and some fresh families like Win32/64:Viknok and Win32:Lyposit. The latter is a dynamic link library and caught our attention with a quite sophisticated loader and final payload.
Regents of Louisiana spreading Sirefef malware
I was given a suspicious link pointing to the website belonging to the Board of Regents of the State of Louisiana. This link points to the main website hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers> represents several random digits, followed by the EXE extension.
High profile site scares users
We come across plenty of malware reports every day. Sometimes we have to deal with special cases in which a respected vendor is involved. This time it was the Dell driver download site.
Make money fast via torrents
Several months ago I wrote a blog post about an adware downloader which, after execution, downloaded a few adware programs and installed them on the computer, giving the user no chance to skip or bypass their installation. This time we will analyze an application which installs similar types of adware programs on users’ computers.
We received a file which appeared to be a crack for Pinnacle Studio HD Ultimate. After displaying the initial splash screen, it offers to install Pinnacle Pixie Activation 500. After confirmation the crack is installed, but in addition to the crack, other programs and toolbars unexpectedly appear on the compromised computer. Pinnacle was not the only target of this kind of attack: cracks for programs like Sims, Nero, Rosetta Stone and Pro Evolution Soccer 2013 were also used for distribution.
Why we love specifications (not)! Part II
Dealing with file formats is not something we really enjoy. Usually the format designers did not have security, or parsing by foreign applications, in mind; sometimes the specifications are hard to obtain; but worst of all is a specification that claims one thing while the major implementation does not follow it, allowing the bad guys to easily evade our strict parsers (as strict as the docs specify). We have already blogged about such a problem in the past.
As I had dealt with Embedded Open Type (EOT) in the past, I received some undetected samples from my colleague. It was the EOT sample mentioned in this blog and some other sample downloaded by her. EOT is a compact form of OpenType font: it uses special compression based on this specific file format to decrease the file size.
Banking Trojan Carberp: An Epitaph?
The beginning of spring seems to be an unsuccessful period of the year for cybercriminals in Eastern Europe. There is recent news on the web about the neutralization of a group of hackers through joint cooperation between the Security Service of Ukraine and the Federal Security Service of the Russian Federation (FSB). These hackers are responsible for the infamous Trojan called Carberp.
Given this recent information, we can say that Carberp was a mainstream Trojan that monitored the environment of infected computers and exploited remote banking systems. It was a robust modular malware that extended its capabilities with drive-by-downloaded dynamic libraries (plugins). It successfully grabbed not only money from victims’ bank accounts but also the attention of security experts in both industry and academia (an example of a paper). Therefore there are plenty of references on the web covering its methods of system invasion, its protection by polymorphic outer layers and its persistence. We will try to fill in some gaps in the picture.
Carberp started its progress approximately in autumn 2010. Later, in spring 2011, it split into two main branches distinguished by the form of their HTTP requests.
Fake Facebook login pages spreading by Facebook applications
Another wave of Facebook phishing is spreading among Facebook users. Imagine you get a message from another Facebook user with a link to a new amazing Facebook app. Even if the sender is not your friend, you decide to follow the link. Instead of an application you see a fake Facebook login page. But here’s the catch: you don’t know it’s a fake!
Recently we have encountered a lot of Facebook apps which do nothing but redirect users to a fake Facebook login page. You cannot tell from the link that the application has no real content. The URL of the application looks like http://apps.facebook.com/app_id, where app_id is the 15-digit identification number of the application. The application link usually contains its name (http://apps.facebook.com/app_name), but using the application ID in the link is also possible.
Banker Omnia Vincit – A tale of signed Brazilian bankers
Let us present a long-term analysis of malware designed to steal credentials from more than 25 of the largest banking and payment systems in Brazil. The unique features of this banking malware include the use of valid digital certificates, 3 years of evolution and the theft of credentials from e-commerce admin pages. This last feature opens doors for attackers, who can then log in to e-commerce systems and steal information about customers and their payments.
This malware family combines all of these powerful functionalities and serves as a comprehensive tool for stealing money and sensitive personal data with dangerous efficiency.
Download the full whitepaper in PDF format here.
Analysis of Chinese attack against Korean banks
In this blog post we will look at an attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.
The site, spc.or.kr, is a legitimate Korean website belonging to the Korea Software Property Right Council (SPC). After opening the site and viewing its source code, we looked into the included script /js/common1.js. This script includes another two JavaScript files (the third one is commented out). When we opened both of these scripts, we noticed a suspicious iframe tag at the end of /js/screen1.js. This iframe tag led us to rootadmina2012.com, which is the main attack site.