
Posts Tagged ‘malware’

Virus network found spoofing Google, Yahoo & Bing

A malware network has been discovered siphoning profits from Google, Yahoo and Bing by spoofing the search engines and the DNS answers for their domains.

Dubbed the “Bahama Botnet,” it hijacks search engine results with doctored links that run a user through a chain of sponsored ad sites. After clicking his or her way through the ads, the user eventually ends up on the requested page.

A traceroute of the connection shows that although the DNS name of the server appears legitimate, users are actually being connected to 64.86.17.56, an unknown IP address in Canada that belongs to none of the search engines.
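The check a defender would run against this kind of hijack, as an added example that is not part of the original post: resolve the same names through the host's configured resolver and through a resolver you query directly, then flag any answer the trusted path never gave that also falls outside the operator's published ranges. The "name ip" answer lines, the prefixes and every address except the 64.86.17.56 cited above are constructed placeholders (RFC 5737 documentation ranges), not Google's, Yahoo's or Bing's real data.

```python
"""Compare resolver answers to catch DNS hijacking (added example)."""
import ipaddress
from collections import defaultdict

# Constructed answers from the host's configured resolver, one "name ip"
# line per A record, as you would get by prefixing `dig +short` output with
# the queried name. 64.86.17.56 is the address the post cites; the other
# addresses are RFC 5737 placeholders.
LOCAL_ANSWERS = """\
www.google.com 198.51.100.10
www.google.com 198.51.100.11
www.yahoo.com 64.86.17.56
www.bing.com 203.0.113.7
"""

# Constructed answers for the same names from a resolver queried directly
# (e.g. `dig @<trusted-resolver> +short`), bypassing the local stub.
TRUSTED_ANSWERS = """\
www.google.com 198.51.100.10
www.google.com 198.51.100.12
www.yahoo.com 192.0.2.20
www.bing.com 203.0.113.7
"""

# Hypothetical published address ranges per name (assumption: these stand in
# for whatever the operator actually announces; they are not the real ones).
KNOWN_PREFIXES = {
    "www.google.com": [ipaddress.ip_network("198.51.100.0/24")],
    "www.yahoo.com": [ipaddress.ip_network("192.0.2.0/24")],
    "www.bing.com": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_answers(text):
    """Turn 'name ip' lines into {name: {ip_address, ...}}.

    Names are lower-cased and the trailing dot stripped so answers copied
    from different tools compare equal; blank and '#' lines are ignored.
    """
    answers = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ip = line.split()
        answers[name.lower().rstrip(".")].add(ipaddress.ip_address(ip))
    return answers


def find_hijacked(local_text, trusted_text, known_prefixes):
    """Return {name: [ip, ...]} for local answers that the trusted resolver
    did not give AND that fall outside the name's known prefixes.

    Large operators rotate addresses, so a trusted-resolver mismatch alone
    is normal; an address that is also outside every known prefix is what
    makes the answer suspicious.
    """
    local = parse_answers(local_text)
    trusted = parse_answers(trusted_text)
    suspicious = {}
    for name, ips in local.items():
        expected = trusted.get(name, set())
        prefixes = known_prefixes.get(name, [])
        bad = [
            ip for ip in sorted(ips, key=int)
            if ip not in expected and not any(ip in p for p in prefixes)
        ]
        if bad:
            suspicious[name] = [str(ip) for ip in bad]
    return suspicious


if __name__ == "__main__":
    hits = find_hijacked(LOCAL_ANSWERS, TRUSTED_ANSWERS, KNOWN_PREFIXES)
    for name, ips in hits.items():
        print(f"{name}: local resolver returned {', '.join(ips)}, outside every known range")
```

Query the trusted resolver directly (dig @address) rather than through the stub resolver, because a tampered hosts file or resolver setting affects everything the stub returns and both lookups would then agree. Treat a prefix miss as a lead, not a verdict: operators move addresses and front their sites with CDNs, so the prefix list needs maintenance.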

It will be interesting to see how the major search engine corporations respond to this threat.

Panda Cloud AV

Security outfit Panda is offering free copies of its beta anti-virus program that they’ve dubbed Cloud Antivirus. Rather than caching definitions from a single remote server (like most AV programs), Cloud AV uses infection telemetry gathered from every other PC running the application. The end result is that virus identification and removal should happen much faster than with traditional anti-virus.

This sort of technology first reared its head when the University of Michigan developed a technology called CloudAV in August of last year. During our initial interview with the UM researchers, they outlined several reasons why cloud virus detection is a superior approach:

  • The cloud aggregates the detection results of many anti-virus engines, a feat that would be improbable, if not impossible, on a client system.
  • The cloud offers enough resources to provide virtual behavioral analysis.
  • The client buys reduced disk and CPU usage at the cost of increased network utilization.
  • The burden of application maintenance is completely removed from the client side.

While not all of these goals have been realized with Panda’s implementation, their Cloud Antivirus touches on the important final three.

The best part? It only uses 16 megs of RAM.

It’s ALIVE! Conficker downloads payload

After skipping out on its April 1 debutante ball, the Conficker worm has returned with a smile and a new payload. The worm has begun to update infected clients with a strain researchers are calling Conficker.E, and this process has revealed some interesting insight into just what may be the worm’s origins.

In a post on Trend Micro’s Countermeasures blog, Rik Ferguson explains what’s going on:

As well as reactivating the original propogation (sic) functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?

Conficker’s original method of propagation exploits the MS08-067 hole that Microsoft patched in October 2008; the -C variant released in March had dropped that exploit, and the -E update brings it back. More interestingly, the new variant is set to delete itself without a trace on May 3.


Conficker Eye Test

Go – it’s worth it just for the legend. :D

Breakthrough for Conficker worm

Conficker is basically a gigantic pain in the ass that has exited hibernation to the annoyance of administrators everywhere. The latest variant, Conficker.C, has been viewed as a particularly ingenious step in an altogether brilliant case study in worm authoring. It evades heuristic detection and IPS filters, blocks AV applications, prevents access to Windows Update and is just generally an asshole to a whole host of security products, so it was believed that tagging and evicting Conficker would be an arduous task.

Enter the breakthrough: researchers have discovered a misstep in Conficker.C’s design that makes it detectable with the traditional network tool nmap. Built as a security tool, nmap scans networks and lists devices, their parameters and the services they run. Unfortunately for Conficker’s author(s), the worm’s own patch of the vulnerable SMB code path answers certain requests differently from both patched and unpatched Windows, which gives nmap’s smb-check-vulns script a fingerprint to look for. The command:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
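Over a whole network that scan produces one block per host, so the useful next step is triage. The parser below is an added example, not code from the original post or from the nmap project: it splits nmap’s normal output on the per-host header and buckets hosts by the smb-check-vulns Conficker verdict. The sample output is constructed (RFC 5737 addresses) and only approximates the script’s real layout, so the regular expressions deliberately match loosely. Two caveats for anyone running this today: -PN is spelled -Pn in current nmap, and smb-check-vulns has since been split into smb-vuln-* scripts, with the Conficker check living in smb-vuln-conficker; the verdict keywords are still what the parser keys on.

```python
"""Triage nmap normal output for the smb-check-vulns Conficker verdict (added example)."""
import re

# Constructed sample of nmap "normal" output for the command above. The
# layout approximates what smb-check-vulns prints (assumption); hosts are
# RFC 5737 documentation addresses.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT RUN

Nmap scan report for 192.0.2.11
Host is up (0.0030s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT RUN

Nmap scan report for 192.0.2.12
Host is up (0.0040s latency).
PORT    STATE  SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds

Nmap scan report for 192.0.2.13
Host is up (0.0021s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT RUN
|   Conficker: UNKNOWN; not Windows or Windows with disabled browser service
|_  regsvc DoS: NOT RUN
"""

# One header line per scanned host; everything up to the next header belongs to it.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
# The script's verdict line; matched loosely so small layout changes do not break it.
VERDICT_RE = re.compile(r"^\|\s*Conficker:\s*(.+?)\s*$", re.M)


def split_hosts(text):
    """Yield (address, block_text) for each host block in nmap normal output."""
    headers = list(HOST_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        yield m.group(1), text[m.start():end]


def classify(text):
    """Bucket hosts by verdict.

    'no_smb' means the script produced no verdict at all (ports closed or
    filtered); it is 'not assessed', not 'clean'.
    """
    result = {"infected": [], "clean": [], "unknown": [], "no_smb": []}
    for host, block in split_hosts(text):
        m = VERDICT_RE.search(block)
        if m is None:
            result["no_smb"].append(host)
            continue
        verdict = m.group(1).upper()
        if "INFECTED" in verdict:
            result["infected"].append(host)
        elif "CLEAN" in verdict:
            result["clean"].append(host)
        else:
            result["unknown"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in classify(SAMPLE_NMAP_OUTPUT).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Feed it a file written with nmap -oN. Hosts that show 139/445 closed or filtered land in no_smb, so an infected machine behind a host firewall that drops SMB is invisible to this scan; the unknown bucket deserves a second look with a different method rather than being written off.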

The discovery comes just in the nick of time, as this is the auspicious day in which the newest variant emerges from its beauty sleep to do whatever bogus things it was designed to do.

Companies like McAfee have been quick to piggyback on the discovery by releasing detection tools that sniff for the presence of the worm in a convenient GUI. As the Conficker.C worm prevents access to a whole host of security sites — including all the vendors currently offering a tool — we’ve done you a favor and attached a detection tool to our little update here.

Happy April Fools day.

Download: McAfee Conficker Test

BitDefender releases Conficker vaccination

Conficker is a nasty and enterprising worm that has spawned a $250k bounty for its author’s capture and at least one variant that has evaded the efforts of security firms. The race to defeat Conficker may be at an end, however, as Romanian anti-virus vendor BitDefender has announced a tool that will identify and remove any known variant of the worm.

BitDefender is the first to offer a free tool which disinfects all versions of Downadup and is available for all infected users at: http://bdtools.net This domain is the first to serve a removal tool without being blocked by the e-threat.

The worm itself is not new; it made its first appearance in late November 2008, known under the names Conficker or Kido, and exploits the vulnerability described in Microsoft security bulletin MS08-067. After successful exploitation it used to install rogue security software on the infected machine.

Conficker variant thwarts Microsoft

Microsoft has been hot to extinguish the potentially devastating worm known as Conficker. After posting a $250k bounty and assembling a cabal of security researchers, the merry band of nerds set out to block the code before it rocked the net. Unfortunately for our friendly fellowship, the new variant of Conficker can automatically retrieve and execute code without using the mechanism that researchers have been feverishly working to block.

In Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction.

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker’s authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

Oops.

Microsoft posts $250k bounty for Conficker author

Microsoft has announced today that it will award $250,000 to anyone who provides a tip that successfully identifies the author of the industrious Conficker worm.

Potentially the most crippling malware thus far conceived, the Conficker worm has infected some 10 million PCs to date. Each PC polls 250 random domains a day in search of a malware payload that has yet to appear. Should a payload be released to one of the domains, the PCs will download and install the package to create the biggest bot or spam net in history.

While services like OpenDNS are using information gleaned from reverse engineering to proactively prevent the worm’s spread, it still represents a tremendous threat. Knowing the gravity of the situation, Microsoft has resurrected its Anti-Virus Reward Program, which has been virtually dormant since its launch in 2003; its one payout to date went to the informants who identified the author of the Sasser worm.

OpenDNS hopes to track, block Conficker

Potentially the most crippling malware thus far conceived, the Conficker worm has infected 10 million PCs to date. Each PC polls 250 random domains each day in search of a malware payload that has yet to appear. Should a payload be released to one of the domains, the PCs will download and install the package to create the biggest bot or spam net in history. OpenDNS and Kaspersky hope to stem the tide before it forms.

The OpenDNS service is using a growing list of domains that security firm Kaspersky has developed after reverse engineering the worm. Administrators running OpenDNS on their network will be alerted to infected PCs and partially protected against infected clients connecting to one of the domains that may contain a payload.

The service will also help network admins to quickly pinpoint any infected machines by checking their OpenDNS Dashboard. Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin’s private statistics page. The service is available for free to both businesses and home users.
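What the OpenDNS side of this looks like in practice, as an added example that is neither OpenDNS’s nor Kaspersky’s code: given resolver query logs and a blocklist, flag each client that queried a listed domain, and, because the worm’s daily polling of domains nobody has registered yet produces a run of NXDOMAIN answers, also flag clients whose recent queries are mostly NXDOMAIN. The log format, the blocklist names (reserved .example TLD) and the thresholds are all constructed assumptions for this example; the real list came from Kaspersky’s reverse engineering and is not reproduced here.

```python
"""Flag clients whose DNS queries look like Conficker rendezvous polling (added example)."""
import re
from collections import defaultdict

# Constructed stand-in for the vendor blocklist. Names use the reserved
# .example TLD so they cannot collide with real domains.
BLOCKLIST = {"xkqwzb.example", "pnbvtu.example", "rjmdfa.example"}

# Constructed resolver query log. The line format is an assumption for this
# example: "<timestamp> <client ip> <queried name> <response code>".
SAMPLE_LOG = """\
2009-02-10T09:00:01 10.0.0.5 www.example.com NOERROR
2009-02-10T09:00:02 10.0.0.5 mail.example.com NOERROR
2009-02-10T09:00:03 10.0.0.7 xkqwzb.example NXDOMAIN
2009-02-10T09:00:04 10.0.0.7 hgtrlo.example NXDOMAIN
2009-02-10T09:00:05 10.0.0.7 update.pnbvtu.example NOERROR
2009-02-10T09:00:06 10.0.0.7 zzqaom.example NXDOMAIN
2009-02-10T09:00:07 10.0.0.9 typo.examp1e.com NXDOMAIN
2009-02-10T09:00:08 10.0.0.9 www.example.com NOERROR
2009-02-10T09:00:09 10.0.0.9 www.example.org NOERROR
2009-02-10T09:00:10 10.0.0.11 aaaaaa.example NXDOMAIN
2009-02-10T09:00:11 10.0.0.11 bbbbbb.example NXDOMAIN
2009-02-10T09:00:12 10.0.0.11 cccccc.example NXDOMAIN
2009-02-10T09:00:13 10.0.0.11 dddddd.example NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, name, rcode) per line.

    Malformed lines are skipped rather than raised so one odd line cannot
    abort a triage run; names are normalised for comparison.
    """
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, name, rcode = m.groups()
        yield ts, client, name.lower().rstrip("."), rcode.upper()


def in_blocklist(name, blocklist):
    """True if the name or any parent domain is listed, so that
    'update.pnbvtu.example' matches an entry for 'pnbvtu.example'."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def triage(text, blocklist, min_nxdomain=4, nxdomain_ratio=0.75):
    """Return {client: {...}} for clients that hit the blocklist or whose
    queries are dominated by NXDOMAIN answers (thresholds are assumptions)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "hits": set()})
    for _ts, client, name, rcode in parse_log(text):
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if in_blocklist(name, blocklist):
            s["hits"].add(name)

    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["hits"]:
            reasons.append("blocklist")
        if s["nxdomain"] >= min_nxdomain and s["nxdomain"] / s["queries"] >= nxdomain_ratio:
            reasons.append("nxdomain-burst")
        if reasons:
            flagged[client] = {
                "reasons": reasons,
                "hits": sorted(s["hits"]),
                "nxdomain": s["nxdomain"],
                "queries": s["queries"],
            }
    return flagged


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG, BLOCKLIST).items()):
        print(f"{client}: {', '.join(info['reasons'])} "
              f"(nxdomain {info['nxdomain']}/{info['queries']}, hits {info['hits'] or '-'})")
```

A blocklist hit is the strong signal; the NXDOMAIN burst is a lead, not a verdict, because typo-prone users and misconfigured software generate NXDOMAIN too. Run it over a bounded window (the worm’s 250 lookups happen per day) and tune min_nxdomain to your own baseline before acting on the second bucket alone.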

“The idea of blocking things on the network and doing it for consumers is a big change,” said OpenDNS CTO David Ulevitch. “Overall, we think we’re uniquely positioned to do this.”

Let’s hope that preventative maintenance can make a difference, because Conficker could have devastating consequences if activated.

Kaspersky for Windows 7 trial

We just received a tip informing us that Kaspersky has made a preview version of their popular anti-virus application available to you Windows 7 guinea pigs.

At the heart of the new technical prototype is Kaspersky Lab’s new antivirus engine which is even more effective at detecting malicious programs than its predecessor. The new engine dramatically increases system scanning speed thanks to improved processing of objects and optimized use of system resources, particularly on dual- and quad-core processor platforms. The unique product architecture ensures high productivity and one of the lowest uses of system resources in the industry.

The installed app uses a very respectable 40MB of memory, and stunned us with fast scanning times. So if your interest lies in curiosity or security, you can pop over here and give it a go.

Do you like it? What are your thoughts? Sound off in our comments section!

Trojan.Zlob author leaves message for Microsoft

The author of the infamous Trojan.Zlob has left a message for Microsoft inside a new strain of what is arguably malware’s most long-lived and irritating family of spyware.

For Windows Defender’s Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say ‘Hello’ from Russia.
You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.
I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
Happy New Year, guys, and good luck!
P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great ;) ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help
improve some of Vista’s protection. It’s not interesting for me, just a life’s irony.

Did I mention that Icrontic has a world-class team of malware fighters that can help you thwart the efforts of asshats like this?

Computer security site Castle Cops is no more

The popular internet security site CastleCops has suspended operations as of December 23rd, 2008. Visitors were greeted with the message below:

Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.
