Secure Science Blog

Anti-Virus Brand used for Distributing Malware

asdfasdfasdf

GPCode Evolution

This report contains a description of the more obscure, previously undocumented traits belonging to the GPCode/Glamour trojan. The code is a modified version of the Prg/Ntos family which was detailed in depth during our Encrypted Malware Analysis in November 2006. While a majority of the functionality has not changed since then, this recent variant is distinctive enough to warrant additional research. In particular, the trojan is now equipped with the ability to encrypt a victim’s files on disk. The motive for adding this feature is clearly monetary, as the victim is advised that the files will remain encrypted unless $300 is turned over to the authors, in exchange for a decryption utility.

De-RansomWare

As some of you may have read in our blog, we wrote an article regarding encrypted malware analysis back in November of 2006. Well, it's reared it's ugly head again, this time with the tune of "give us your money or we delete your files". Well have no fear for we have released a decoder that will release your files for you.

Please Forward Your Number to Skype!

Phishing scams for banks aren’t really new, but one received last night came with a new twist. The spam e-mail stated:

Bank of America Warning

Dear Bank of America Customer,

During our regular update and verification we could not verify your current
phone number.
Either your information has been changed or it is incomplete.
Please update your phone number by
CLICKING HERE [http://www.xxxxxxx.de/gallery/albums/userpics/boa/] or on the link: http://www.xxxxxxx.de/gallery/albums/userpics/boa/ [http://www.bankofamerica.com/updatephone]

If this is not completed by April 24 , 2007, we will be forced to suspend
your account indefinitely.

1 of 10 Fortune 1000's Vulnerable

However, this is not always the case. Recent research into the matter by Secure Science's External Threat Assessment Team (ETAT) revealed that 10% of systems polled still allow unauthenticated zone transfers.

1 out of 10 could be Vulnerable!

Nowadays it seems like old-school insecurities like the phf exploit
and public DNS Zone Transfers are a thing of the past. When asked
about Zone transfers, many security researches admitted to not
checking for them anymore, waiving them off as a waste of time.

However, this is not always the case. Recent research into the matter
by Secure Science's External Threat Assessment Team (ETAT) revealed
that 10% of systems polled still allow unauthenticated zone transfers.

test

test short descr

10% of 100 companies have a problem!

Encrypted Malware Analysis

Secure Science Corporation (www.securescience.net) and Michael Ligh of http://mnin.org put together a paper on an interesting piece of malware. We include a removal kit, snort signatures. Source code and decryptor are available by request.

The paper can be found at:

http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

Enjoy.

Emerging Threat Analysis

This is an announcement that Secure Science Corporation's Chief Scientist has participated in a recently published book. This is Lance's second book (Phishing Exposed).

No other book on the market today provides the breadth of coverage found in Syngress Force Emerging Threat Analysis: From Mischief to Malicious. As the title suggests, the book deals with the full spectrum of threats while profiling the likely perpetrators. Coverage includes securing Voice over IP, malware prevention and detection, e-mail threats such as phishing and spamming, RFID attacks, and social engineering. With the ever increasing demand for highly skilled IT security professionals, this book fills an immediate need.

Authors:
David Maynor, Lance James, Spammer-X, Tony Bradley, Frank Thornton, Brad
Haines, Brian Baskin, Anand Das, Hersh Bhargava, Jeremy Faircloth, Craig
Edwards, Michael Gregg, Ron Bandes

More information on this book can be found here:
http://www.syngress.com/catalog/?pid=3670

Myths on Key-Logging (Virtual Keyboards)

We've been dealing with phishing malware since 2003, and within the lifespan of phishing malware, the main method for collecting data is through what's dubbed "form-grabbing". This technique steals the submissions (POST) from the web client (IE or FireFox) when signing into a financial institution website.

virtualkeyboards.pdf

Here is a powerpoint we put together focusing on why authentication systems such as Virtual Keyboards and Scramble Pads do not protect from almost all the phishing malware on the Internet today.

VML Exploit Patched

Microsoft has finally released the VML patch for the recent Internet Explorer 0-day that's been plaguing the Internet.

http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx

Update your windows systems immediately.

Data Loss increasing

Blog Entry 2

short descr