
The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user-based attacks.

XP Antivirus: Rogue AV with a custom packer

05.30.2008 - 5:40 PM
Nowadays, most unwanted software, such as malware and rogue products, uses packers to obfuscate itself. In addition to the known packers, some of them use custom packers that rely on polymorphic techniques to prevent detection. Every two weeks, I will write a little blog about one of those custom packers, and explain some of the tricks they use.

Attacking Banks - Encrypted Strings and Local Content Injection

05.19.2008 -
We have been noticing quite a few binaries lately that target Brazilian banks. While most tend to have the same behavior, we found a particular piece that actually encrypted most of its strings to slow down analysis. In this blog we analyze the decryption routine and write a decryption algorithm, as well as note some other general ways to automate dumping of encrypted strings and their associated plaintext. In addition to this technical dive, we also touch on other interesting behaviors of this particular malware, including its ability to detect the presence of G-Buster Browser Defense, a security solution offered by some Brazilian banks, such as Caixa Economica Federal.

Spammer Anti-CAPTCHA operations and Mass-Mailing Strategy

05.15.2008 - 7:00 PM
Websense® Security Labs™ Threatseeker™ technology has been continually monitoring spammer strategy and related tactics following the streamlined Anti-CAPTCHA operations on Microsoft’s Live Mail, Google’s Gmail, Microsoft’s Live Hotmail, Google’s Blogger, and Yahoo Mail (as reported by InformationWeek). Websense has observed that these spammer accounts increasingly represent several execution stages of a sophisticated strategy adopted by spammers.

Analysis of Recent Storm Worm Packer

05.08.2008 - 10:22 AM
Websense Security Labs has been tracking the Storm worm since early 2007, when the first wave of the Storm worm erupted in the wild. Storm worm is one of the most notorious malware programs seen during 2007 and 2008. Websense Security Labs has published many research results on it, such as Storm Worm Chronology, which was written by my colleague Nick Verenini.

Most variants of the Storm worm are packed with the custom packer "Tibs". Tibs is a polymorphic packer that also has anti-emulation capability. Recently we encountered a wave of stormcodec8.exe samples. When we analyzed this variant, we found some interesting features in it. Below are some highlights of our analysis.


Meeting Reminder: It's Spam O'Clock!

05.02.2008 - 3:45 PM
Recently, Websense Security Labs has become aware of an increasing trend in the number of spam emails being sent that many mail clients treat as meeting invitations. This is not necessarily a new thing, but it has been becoming more and more common, as has been reported by others such as The Washington Post and ISC. Some noticeable problems with the way many mail clients handle these requests are becoming more apparent and easier to identify as the trend increases, and the purpose of this blog is to go over some of these problems in finer detail.