Blog
The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user-based attacks.
Media Malware - A Look Inside
07.30.2008 - 5:35 PM
A piece of malware has been discovered that modifies a user's music files so they are vulnerable to further infection. The infection can also spread if such files are shared with others. The malware searches the user's drive for music files and injects (after necessary conversions) a malicious URL, which is loaded upon music playback.
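The post above describes music files that carry an injected URL which the player fetches on playback. The following triage scanner is an added example, not code from the Websense post: it does not parse any container format, it simply looks for http(s) URLs stored either as plain ASCII or as UTF-16LE (the string encoding used by many Windows media tag formats) anywhere in the file. The sample "music file" built by build_sample() is constructed for the demonstration and the example.invalid hostnames are placeholders. Legitimate files can carry an artist's web address in their tags, so a hit means "review this file", not "this file is malicious".

```python
import os
import re

# URL characters we accept after the scheme (RFC 3986 unreserved + common delimiters).
_URL_CHARS = rb"A-Za-z0-9./_?=&%#:~+\-"

# Plain ASCII http(s) URL.
ASCII_URL = re.compile(rb"https?://[" + _URL_CHARS + rb"]{4,200}")

# Same URL stored as UTF-16LE: every ASCII code unit is followed by a zero byte.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URL_CHARS + rb"]\x00){4,200}"
)

# File extensions treated as music/media when walking a directory tree.
MEDIA_EXTENSIONS = {".mp3", ".wma", ".asf", ".wav", ".m4a", ".ogg", ".flac"}


def extract_urls(data: bytes) -> list[str]:
    """Return every http(s) URL embedded in `data`, decoded to str, in file order."""
    hits = []
    for m in ASCII_URL.finditer(data):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_URL.finditer(data):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    return [url for _, url in sorted(hits)]


def scan_media_tree(root: str) -> dict[str, list[str]]:
    """Walk `root` and report every media file that carries at least one embedded URL."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in MEDIA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                urls = extract_urls(fh.read())
            if urls:
                report[path] = urls
    return report


def build_sample() -> bytes:
    """Constructed stand-in for a converted music file (not a real format):
    opaque audio-like bytes, an ASCII URL inside a text tag, and an injected
    URL stored as UTF-16LE. Hostnames are placeholders."""
    audio = bytes(range(256)) * 8
    tag_ascii = b"TXXX\x00\x00\x00\x20http://cdn.example.invalid/artist.htm\x00"
    injected = "http://downloads.example.invalid/codec/get.php?id=42".encode("utf-16-le")
    return audio[:512] + tag_ascii + audio[512:1024] + injected + b"\x00\x00" + audio[1024:]


if __name__ == "__main__":
    for url in extract_urls(build_sample()):
        print("embedded URL:", url)
```

Run scan_media_tree() against a user's music folder to get a per-file list of embedded URLs; files whose URLs point at executables or script endpoints (as in the codec/get.php placeholder above) are the ones to pull for analysis first.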
Hit Tracing in OllyDbg
07.30.2008 - 3:00 PM
The DvLabs posting demonstrates how to dynamically analyze a 32-bit Windows binary file in WinDbg using hit tracing. Hit tracing is the process of dynamically tracking execution flow in order to narrow your field of focus when reverse engineering a binary file. This saves you from wasting time looking at uninteresting parts of the code. While Cody Pierce focused on using WinDbg for hit tracing, we're going to show you how to use OllyDbg.
Spammers' Innovations Throughout a Spam Campaign
07.22.2008 - 1:50 PM
We have been tracking the development of a constantly evolving spam campaign that started back in June. We first noted it when commenting on the PornTube template spam. To recap: it was a big wave of spam messages enticing users to watch a video. The messages contained links to compromised sites, and those links always ended in r.html, leading to the Trojan file video.exe. The campaign keeps re-emerging, using different page names on newly compromised sites.
Spammers Switching Tactics: "Table Painting" Spam
07.21.2008 - 11:32 AM
Spammers' efforts to reach their prospective customers continue with ever more creative and complex layouts, styles, images and other elements designed to bypass anti-spam filters. We have been monitoring a recent tactic that uses cleverly arranged HTML tables to carry the spam message. It is interesting to observe how spammers refine their tactics each time by switching, combining, tweaking or enhancing them for mass mailings. The whole strategy can be seen as a continuous cycle in which every stage is either an emerging trend or an execution phase inherited from the previous cycle(s).
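The post above only says the tables are "cleverly arranged"; the example below assumes the common form of this trick, where the message is drawn as pixel art out of many tiny table cells whose background colours form the letters, so a text-based filter sees no words at all. This is an added example, not code from the Websense post. It collects the background colour of every cell (from bgcolor or inline CSS), redraws the table as ASCII art so an analyst can read the painted text, and flags messages that consist mostly of coloured cells with almost no visible text. The spam body produced by build_sample() is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Named colours a spammer is likely to use; anything else must be #rgb or #rrggbb.
NAMED_COLOURS = {"black": "#000000", "white": "#ffffff", "red": "#ff0000",
                 "blue": "#0000ff", "navy": "#000080", "yellow": "#ffff00"}


def is_dark(colour: str) -> bool:
    """True when a cell colour is dark enough to read as 'ink' (luma < 128)."""
    c = NAMED_COLOURS.get(colour, colour)
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])       # expand #rgb to #rrggbb
    if not re.fullmatch(r"#[0-9a-f]{6}", c):
        return False                                     # unset/unknown colour: treat as paper
    r, g, b = (int(c[i:i + 2], 16) for i in (1, 3, 5))
    return 0.299 * r + 0.587 * g + 0.114 * b < 128


class TableCellParser(HTMLParser):
    """Collects the background colour of every <td>/<th>, row by row, and counts
    the visible (non-whitespace) text characters in the whole body."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            colour = a.get("bgcolor")
            if colour is None and a.get("style"):
                m = re.search(r"background(?:-color)?\s*:\s*(#[0-9a-fA-F]{3,6}|[A-Za-z]+)", a["style"])
                colour = m.group(1) if m else None
            self._row.append((colour or "").strip().lower())

    def handle_endtag(self, tag):
        if tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def _parse(html: str) -> TableCellParser:
    p = TableCellParser()
    p.feed(html)
    p.close()
    return p


def render_table(html: str) -> list[str]:
    """Redraw the table as ASCII art: '#' for dark cells, '.' for everything else."""
    return ["".join("#" if is_dark(c) else "." for c in row) for row in _parse(html).rows]


def looks_table_painted(html: str, min_cells: int = 40) -> bool:
    """Flag a message that is mostly coloured cells with almost no real text."""
    p = _parse(html)
    cells = sum(len(r) for r in p.rows)
    return cells >= min_cells and p.text_chars < cells // 4


# Constructed pixel-art "HI" used to build the sample spam body.
PIXEL_ART = [
    "#...#.###",
    "#...#..#.",
    "#####..#.",
    "#...#..#.",
    "#...#.###",
]


def build_sample(pattern: list[str]) -> str:
    """Constructed spam body (not a real sample): one table cell per pixel.
    Odd rows use inline CSS instead of bgcolor so both code paths are exercised."""
    rows = []
    for i, line in enumerate(pattern):
        cells = []
        for ch in line:
            ink = ch == "#"
            if i % 2 == 0:
                colour = "#000000" if ink else "#FFFFFF"
                cells.append(f'<td bgcolor="{colour}"></td>')
            else:
                colour = "#000" if ink else "#fff"
                cells.append(f'<td style="background:{colour}"></td>')
        rows.append("<tr>" + "".join(cells) + "</tr>")
    return '<html><body><table cellspacing="0" cellpadding="0">' + "".join(rows) + "</table></body></html>"


if __name__ == "__main__":
    body = build_sample(PIXEL_ART)
    print("\n".join(render_table(body)))
    print("table-painted:", looks_table_painted(body))
```

The cell-to-text ratio is deliberately crude: real newsletters with data tables carry far more visible text per cell than a painted message, which is what the min_cells and text_chars thresholds separate. Tune them against your own mail stream before enforcing.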
Reversing malware with oSpy
07.18.2008 - 4:45 PM
Today's blog is about a tool called oSpy, written by Andre Vadla Ravnas. oSpy helps with reverse-engineering Windows software. To demonstrate its uses, and how it helps with network traffic monitoring, I have used a random malware sample from our repository.
Banker Analysis
07.10.2008 - 3:47 PM
Today's blog is an analysis of a banking trojan, currently in the wild, that targets banks in Brazil. During our research we found that it updates regularly and uses various social engineering tricks to spread and infect computers. Several executable components are downloaded, each with a specific role, such as spreading the malware or stealing banking information.
Spammers Ramp Up Siege on Bebo
07.01.2008 - 5:15 PM
SPAM 2.0 Update. Websense Security Labs® has been monitoring the recent spammer tactics that use Bebo services for spamming purposes. In the past, we blogged about similar spammer trends where Google services were increasingly used in spam runs. Google Blogger and Google Docs have been under attack, as has Gmail; and mass mailing campaigns are not confined to Gmail. Live mail, Hotmail, and Yahoo Mail have all been under siege as well. We detected this trend through the ThreatSeeker™ Network.
Unpacking Storm Worm : Code and Import Address Table onto the heap
07.01.2008 - 10:25 AM
As part of my series of blogs about custom packers, this post presents techniques to quickly unpack the Storm Worm packer, even when the unpacked code executes on the heap, the code is relocated, and the Import Address Table also lives in allocated memory. Storm Worm attackers have used many different packers, and although their primary goal isn't to protect against reverse engineering, they have introduced various techniques to slow down analysis. Today's main trick is the execution of code on the heap. This defeats process dumpers, because they write to disk only the loader's mapped image (the process you are actually executing), not the heap-resident malicious code.
Previous Posts
July 2008
| 07.30.2008 | Media Malware - A Look Inside |
| 07.30.2008 | Hit Tracing in OllyDbg |
| 07.22.2008 | Spammers' Innovations Throughout a Spam Campaign |
| 07.21.2008 | Spammers Switching Tactics: "Table Painting" Spam |
| 07.18.2008 | Reversing malware with oSpy |
| 07.10.2008 | Banker Analysis |
| 07.01.2008 | Spammers Ramp Up Siege on Bebo |
| 07.01.2008 | Unpacking Storm Worm : Code and Import Address Table onto the heap |
Archives
+ June 2008
+ May 2008
+ April 2008
+ March 2008
+ February 2008

