IT svet: The spam war in Europe continues

European internet service providers are still fighting spam, with varying degrees of success, according to a European report on the prevalence of spam. The gist of the report is that things have become neither better nor worse. Judging by the 2009 report of the European Network and Information Security Agency (ENISA), internet service providers are investing considerable effort in keeping spam messages from reaching end users, primarily because they want to retain [...]
Related posts:
09-03-2010 8:50
PaPPy has discovered a vulnerability in www.bizrate.com, which could be exploited by malicious people to conduct Redirect attacks.
XSSed
09-03-2010 8:48
d3v1l has discovered a vulnerability in www.saintcorporation.com, which could be exploited by malicious people to conduct XSS attacks.
XSSed
09-02-2010 6:44

I recently came across a round of spammed instant messages that arrived via my Yahoo! Messenger account. These messages were supposedly sent from my cousin’s account, and used the following format and were sent to everyone on her friends list:
The familiar message format told me that I was chatting with a bot that wanted me to click the link in the message. Checking where the link went to led me to the following page:
The IQ test had 11 questions that eventually led to a “results” page that asked me to sign up and enter my mobile phone number to get the quiz results:
One may ask why the site would need a mobile phone number just to send IQ test results. Will they use this information to spam me through my mobile phone? Nor is it clear if the answers to the questions actually matter to the IQ “score” given to the user, if they actually receive one.
That may well be the case, but the cybercriminals have a more direct approach to earning money. The Summary of Terms at the bottom of the page says that giving the quiz's creators one's mobile phone number means signing up for a "mobile content subscription." Of course, this is not free, as the subscription fee ranges from US$9.99 to $19.99 a month. This is stated in the site's terms and conditions, which are located at the bottom of the page:
This gave me enough reason to close the browser tab and leave the website. The URL of the said “IQ test” is now blocked by the Trend Micro Smart Protection Network™.
Post from: TrendLabs | Malware Blog - by Trend Micro
“IQ Test” Spam Proliferating via Instant Messages
trendmicro
08-31-2010 3:33
Most typical modern malware variants tend to hide critical parts of their functionality (strings, URLs/IPs of its dodgy servers, etc.) using some form of encryption. In most cases only trivial algorithms are used. However, these suffice as the intention is usually not to create unbreakable encryption, but merely to obscure their malicious intent from anti-virus engines.
Although some authors choose to cloak their malware in complete paranoia, such as the ZBot family that encrypts everything with an industry-standard RC4 implementation with enormously long keys, typically you would not find anything more serious (such as AES or Blowfish) even in the most complex of polymorphic viruses.
The most overwhelmingly common method of string encryption is to use an XOR operation with a key. A big appeal of this technique is that the same simple operation can be used to perform both encryption and, subsequently, decryption of the data, i.e. E[i] = (E[i] Xor Key) Xor Key.
But sometimes it is not just simple, it's even more than simple: there is no need for ANY decryption key to decrypt the data!
While analyzing one of the recent samples, I found a very curious encrypted string (hexadecimal representation):
67 02 11 17 0C 01 08 0F 0E 49 5E 18 18
In the line above there is one single encrypted string. You don’t need any additional key to decrypt it - it is all available using a very simple algorithm. The decrypted string is:
67 65 74 63 6F 6E 66 69 67 2E 70 68 70 ; getconfig.php
To recover the string from the original, each byte is decoded by XORing it with the previous decrypted byte (the first byte is not encrypted); so:
0x67 xor 0x02 = 0x65 ("e"), 0x65 xor 0x11 = 0x74 ("t"), …
Brilliantly simple, although this will not hamper Sophos from detecting it (Troj/Agent-OFC).
PS Other strings from this malware which uses this encryption technique include:
&hddsz=%I64x
ntd11.dll ; (sic)
htmlfile
Installer\Products
SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony\Providers
ROOT\CIMV2
Error setting admin rights
… and so on (about ~100 different strings)
Sophos
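The two obfuscation schemes described in the Sophos post (the static-key XOR and the keyless chained XOR) as an added example, not code from the post or from Sophos. The only data taken from the page is the quoted ciphertext for "getconfig.php" and the plaintext strings listed in the PS; their real ciphertexts are not on the page, so the round trip below re-encrypts them purely for illustration. Function names are this example's own.

```python
# Added example (not the Sophos post's code): the string obfuscation schemes
# the post describes, with the quoted sample decoded and checked.

# Ciphertext quoted in the post, which should decode to "getconfig.php".
SAMPLE_CT = bytes.fromhex("67 02 11 17 0C 01 08 0F 0E 49 5E 18 18")

# Plaintexts from the post's PS list; used here as constructed round-trip
# input (the malware's real ciphertexts for these are not on the page).
EXTRA_PLAINTEXTS = [
    b"&hddsz=%I64x",
    b"ntd11.dll",
    b"htmlfile",
    b"Installer\\Products",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Telephony\\Providers",
    b"ROOT\\CIMV2",
    b"Error setting admin rights",
]


def xor_key(data: bytes, key: bytes) -> bytes:
    """Static-key XOR, the common case the post mentions first.

    E[i] = P[i] ^ key[i % len(key)]. XOR is an involution, so applying the
    same function to the ciphertext with the same key restores the plaintext.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_chain_decrypt(ct: bytes) -> bytes:
    """Keyless chained XOR from the post.

    P[0] = E[0]; P[i] = P[i-1] ^ E[i], i.e. each byte is XORed with the
    previous *decrypted* byte. Unrolled, P[i] is simply the running XOR of
    E[0..i], which is why no key is needed at all.
    """
    out = bytearray()
    acc = 0
    for b in ct:
        acc ^= b          # acc now holds P[i]
        out.append(acc)
    return bytes(out)


def xor_chain_encrypt(pt: bytes) -> bytes:
    """Inverse of xor_chain_decrypt: E[0] = P[0]; E[i] = P[i] ^ P[i-1]."""
    out = bytearray()
    prev = 0
    for b in pt:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def decrypt_sample() -> str:
    """Decode the ciphertext quoted in the post."""
    return xor_chain_decrypt(SAMPLE_CT).decode("ascii")


def chain_roundtrip(plaintexts=EXTRA_PLAINTEXTS):
    """Encrypt each string with the chain scheme and verify it decrypts back.

    Returns a list of (plaintext, ciphertext-hex) pairs.
    """
    rows = []
    for pt in plaintexts:
        ct = xor_chain_encrypt(pt)
        if xor_chain_decrypt(ct) != pt:
            raise AssertionError("round trip failed for %r" % pt)
        rows.append((pt.decode("ascii"), ct.hex(" ")))
    return rows


def zero_bytes(ct: bytes) -> list:
    """Positions (i > 0) where a chained ciphertext byte is 0x00.

    Under the chain scheme a zero byte means P[i] == P[i-1], so every run of
    identical plaintext bytes ("dd" in "&hddsz", "11" and "ll" in "ntd11.dll")
    is visible in the ciphertext. Counting such zeros is a cheap tell that a
    blob uses chaining rather than a fixed key.
    """
    return [i for i, b in enumerate(ct) if i > 0 and b == 0]


if __name__ == "__main__":
    print(decrypt_sample())
    for pt, ct_hex in chain_roundtrip():
        print("%-60s %s" % (ct_hex, pt))
```

Because the decrypted byte is just the cumulative XOR of the ciphertext prefix, a single pass with one accumulator decodes the whole string; the same loop, run over a candidate blob, is all that is needed to test whether an unknown string table uses this scheme. The repeated trailing `18 18` in the quoted sample is another such leak: it says P[10] == P[12], which is indeed the "p" on either side of the "h" in "php".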