The Webmoner is a malware family that's been targeting the WebMoney service for the last couple of years, a service which is mostly used in Russia from both legitimate and malicious parties -- three out of five transfers by malicious parties use WebMoney and the other two use Yandex. What's interesting about this trojan, or we can perhaps even define it as a module given its 2kb packed size and compatibility with popular malware C&C platforms in respect to stats, is that it doesn't log the accounting details of Web Money customers, instead, the attacker is feeding the trojan with up to four of his Web Purses, so that at a later stage when the infected party is initiating transfer, the malware will hijack the process and intercept the payments and direct them to the attacker's web money accounts. See how various AVs are performing when detecting a sample of it.
The disturbing part is a recently made public builder, the type of DIY a.k.a the revenge of the script kiddies with a push of a button malware generation with a built in fsg packing to further obfuscate it and have it reach the 1.5kb size. See attached screenshot. This attack puts the service in a awkward situation, as the transfers are actually hijacked on the fly, and the responsibility is forwarded to the infected party, compared to a situation where the details have been keylogged and transfers made with stolen IDs. How have things evolved from 2001 until 2007? Keylogging may seem logical but is the worst enemy of efficiency compared to techniques that automatically, collect, hijack and intercept the desired accounting data. The screen capturing banking trojan Hispasec came across to is a good example presenting the trade off here. The irony? The author of the builder is anticipating malware on demand requests and charging 10 WMZ in virtual money for undetected pieces of the malware.
There's an ongoing debate on the usefulness and lack of such of popular anti virus software. In January 2007, the Yankee Group released a 4 pages report starting at $599 -- try a 26 pages free alternative released in January 2006 debunking lots of myths -- entitled "Anti-Virus is Dead: Long Live Anti-Malware" in an effort to not only generate lazy revenues on their insights, but to emphasize on the false feeling of security many AVs provide you with. As a consultant you often get the plain simple question on which is the best anti virus out there, to which you either reply based on lead generation relationship with vendors, or do them a favour and answer the question with a question - the best anti virus in respect to what? Detecting rootkits? Removing detected malware and restoring the infected files to their previous condition? Log event management compatibility with existing security events management software? Fastest response times to major outbreaks? -- psst zero day malware ruins the effect here. Or which anti virus solution has the largest dataset for detecting known malware? Anti virus is just a part of your overal security strategy, and given the anti virus market is perhaps the one with the highest liquidity, thus most $ still go to perimeter defense solutions, too much expectations and lack of understanding of the threatscape mean customer dissatisfaction which shouldn't always be the case. If anti virus software the way we use it today is dead, then John Doe from the U.S or Ivan Ivanov from Russia woud still be 31337-ing the world, the Sub7 world I mean.
Some AVs however perform better than others on given tasks. The recently released AV comparatives speak for themselves. If you're going to use an anti virus software, use one from a company who's core competency relies in anti virus software, and not from a company that entered the space through acquisition during the last couple of years, or from one where anti virus is just part of huge solutions portfolio. Boutique anti virus vendors logically outperform the market leaders -- exactly the type of advice I've been giving out for quite a while.
Related posts :
Security Threats to Consider when Doing E-banking
No Anti-Virus, No E-banking for You
The Underground Economy's Supply of Goods
Previous "virtual shots" :
Shots from the Malicious Wild West - Sample Six
Shots from the Malicious Wild West - Sample Five
Shots from the Malicious Wild West - Sample Four
Shots from the Malicious Wild West - Sample Three
Shots from the Malicious Wild West - Sample Two
Shots from the Malicious Wild West - Sample One
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Wednesday, April 25, 2007
Shots from the Malicious Wild West - Sample Seven
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment