
Q1 saw 10% increase of new spyware

Panda Security’s new quarterly malware report has revealed that Trojans have accounted for 73% of all new malware created during the first few months of 2009 while the distribution of spyware has grown rapidly to 13.15%, up from a mere 2.5% in the previous quarter.

“We have seen a dramatic increase in the amount of spyware in circulation aimed, in all likelihood, at saturating laboratories and consequently infecting more users,” says Jeremy Matthews, head of Panda Security’s sub-Saharan operations.

In some cases, cyber-crooks have been successful, as in the case of the Virtumonde spyware, which infected more computers than any other malicious code in the first quarter of 2009. This malware combines aspects of adware and spyware, monitoring users’ Internet movements, rigging search engine results and displaying advertising banners, pop-ups, etc. for some products. Despite the notable growth of spyware, though, it is still way behind Trojans (31.51%) and adware (21.13%), in terms of the number of infections caused overall during this period.

The region with the highest percentage of active malware continues to be Taiwan (31.7%). Brazil and Turkey are also noteworthy. They occupy second and third place respectively, overtaking Spain and the United States. Mexico, nevertheless, has witnessed a decrease in the amount of active malware (17.95%), dropping almost 10% compared to the 24.87% active malware average recorded for the whole of 2008.

Conficker: the major threat

Although it first appeared at the end of 2008, the Conficker worm has been the malicious code that has kept security companies busiest during the past few months, due to the large number of infections caused between December 2008 and January 2009. Moreover, there was considerable concern about its supposed reactivation on April 1. However, until now, no new versions or additional infections have been detected other than those already associated to the previously active variants.

“It is still possible that at any moment one of the URLs created by Conficker on April 1 could be activated and the worm could download an update to its code or new malware. In any event, this would only affect users who are unprotected against Conficker,” says Matthews.

The Panda report also includes information about other issues such as the Waledac worm, which had an impact around St. Valentine’s Day, malware on social networks and the most important vulnerabilities detected during the first three months of the year. You can download it here.

“Don’t get taken in by the Conficker panic”

By Luis Corrons, head of PandaLabs

Lately it seems everybody is talking about Conficker and its variants, and much more so when you take into account the fear that has been built up around the coming day of April 1st. It’s been a while since we saw so much coverage in the general media, and I don’t want to tell you to disregard this, because it does contribute to general awareness and makes users more conscious of the threats they face. But I also want to say that perhaps it does more harm than good.

Let’s go back over the issues that are flying around the world. Regarding the damn date: will Conficker be activated on the first of April? No. But it will do something that day, won’t it? Yes. Conficker is a malware variant that creates random URLs every day. The PCs infected with it check if there is any new available version to download. It does so 250 times a day. What will happen then on the first of April?

The last variant creates 50,000 new URLs. And although we can’t know if any of them will host an update of the malware, its author could quite easily host a new version or even some other type of malware. If any URL contains an update of the worm, which actions will the new variant carry out? We don’t know — no one, in fact, has been able to figure out the final aim of Conficker. What we do remember from previous infections is that the author’s motive is to become famous, but we doubt very much that it all ends there. If we think about the different business models that there are currently behind malware (mentioned in the PandaLabs blog many times before), it is obvious that its author – or authors – will be looking to make money in some way. But, in which way? One possibility is that it could harness the net of infected PCs to send spam, by installing on the infected PCs some type of rogue antimalware that warns users that their computer is infected, and enticing them to buy a fake antivirus, which will result in them downloading password stealing Trojans.

Another question posed is whether Conficker really is more dangerous than other types of malware. The answer is no, it’s not more dangerous, although its update functionality does leave a door open to new attacks that could be more dangerous. Its success lies in having exploited a recent Microsoft vulnerability to distribute itself, and that’s why it has reached so many PCs. In this way, its author has been smart and has adopted the model of classic viruses. The author has also rather cleverly used several different means of infection — such as through USB keys and MP3 players. From version to version Conficker has made its detection increasingly difficult by obfuscating code. Although it’s not strictly speaking a polymorphic virus, it follows this direction.

The spreading of the virus through USB devices illustrates Conficker’s attempt to reach the maximum number of PCs. Despite this, the infection rate of the previous weeks has dropped significantly. There are probably still variants infecting PCs but not at the levels we were seeing in the previous months. With this situation, the author could take various actions:

a) Create a new variant which exploits another zero-day vulnerability.
b) Keep alive the three variants which are distributing, monitoring how much money they are making day by day, to the end.
c) Get bored and do something else…

We bet on option “a”. Not necessarily for the first of April, but definitely on its way. It would be a pity for the author to go to so much trouble without getting anything. It’s because of this that we think that Conficker won’t be going away so easily.

Above all, don’t get taken in by the panic. What should users do on the first? If you have your PCs protected by a good and updated antivirus, nothing. If you don’t have one, we recommend you install one; you can also use Panda ActiveScan to be sure you are not infected. And we suggest you install the free tool we have created to avoid contamination through USB drives.

Blackhat SEO fuels rogue security campaign

In our previous post, we looked at SEO being used by cyber-crooks to distribute malware – especially fake antivirus. In this post we look at a specific example of this happening: Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of other legitimate sites. You can learn more about it here. Below is an example of one of the hijacked searches:

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software like below:

Sample hijacked search terms include the following:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles

Post by Sean-Paul Correll, PandaLabs.

Cyber-crooks manipulate Google searches to sell fake antivirus products

Panda Security has revealed that cyber-criminals are manipulating search engine results to distribute malware, in particular, fake antivirus products.

‘The reason for this is simple – the criminals need to attract users to malicious sites in order to infect them,’ says Jeremy Matthews, head of Panda’s sub-Saharan operations. ‘What’s new, however, is the inventive ways they are drawing users to these Web pages.’

In the past, users were lured to compromised websites by means of mass spam mailings. Targeted users read the emails, clicked on the links they included and were unwittingly directed to a malicious Web page. Now there’s a change in strategy: because users are more wary of messages received from unknown senders, criminals are using more effective ways of ensnaring new victims. They are using a Google tool called Google Trends which, among other things, lists the most popular searches of the day (anything from Obama’s inaugural address to the Oscar nominations).

Once they know the top searches and hot topics of the day, they create a blog full of the most searched for words (e.g. Obama, Penelope Cruz etc.) and videos supposedly related to these topics. This way, they increase the blog’s ranking to place it among users’ first search results.

“Users who trust these results will end up on a Web page where they will be asked to download a codec or plug-in, etc. in order to watch the video. If they do so, they will be downloading malware – in most cases a fake antivirus,” explains Matthews.

Fake antiviruses try to pass themselves off as real antivirus products to convince targeted users they have been infected by malicious codes. Victims are then prompted to buy the rogue antivirus to remove these bogus infections. Cyber-crooks are currently profiting substantially from this type of fraud.

SEO techniques

This type of attack is benefiting from advanced SEO (Search Engine Optimization) techniques. These are legitimate Web programming techniques aimed at increasing the volume and quality of traffic to a website and improving its ranking in search engine results lists. This is the case of the webpage selling the Malwaredoctor fake antivirus, designed specifically to achieve a high ranking in search engines (for more info about this phenomenon click here).

In addition to standard SEO techniques, attackers are also using techniques known as “Black Hat SEO”, which could be described as illegal search engine positioning techniques used to by-pass search engine policies, present alternative content or affect the user’s experience. Occasionally, it can be difficult to determine which techniques are legitimate or not, as this can depend on the policies of the search engine.

Attack obfuscation

Attackers are always keen to make it harder for anti-malware vendors to identify malicious sites. In order to do this they are starting to use a more advanced way of launching these attacks: some of the malicious pages they control behave differently and show different content depending on the origin of the user that visits them.

In order to hide the attack, a script is inserted that determines the origin of the visitor. If a user types the URL they want to visit in the browser bar, the legitimate, correct content is displayed. However, if the user has come from a manipulated Google search, they will be taken to the malicious Web page.
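The origin-dependent behaviour described above can be checked from the analyst’s side by visiting a suspect URL twice, once with no Referer (a typed-in visit) and once with a Google search Referer, and comparing what comes back. This is an added example, not PandaLabs’ tooling; the urllib fetcher, the 0.8 similarity threshold, the constructed `make_simulated_site` stand-in and the `rogue-av.example` placeholder are all assumptions.

```python
import difflib
import re
import urllib.request
from typing import Callable, Optional

# Constructed Referer mimicking one of the hijacked search terms listed above.
GOOGLE_REFERER = "https://www.google.com/search?q=free+online+scan+malware"
REDIRECT_RE = re.compile(r"http-equiv=['\"]refresh|location\.(href|replace)", re.I)
Fetcher = Callable[[str, Optional[str]], str]


def fetch_page(url: str, referer: Optional[str]) -> str:
    """Live fetcher (assumption: plain urllib with a browser-like User-Agent)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def detect_cloaking(url: str, fetcher: Fetcher = fetch_page, threshold: float = 0.8) -> dict:
    """Compare a typed-in visit with a Google-referred visit to the same URL."""
    direct = fetcher(url, None)
    via_search = fetcher(url, GOOGLE_REFERER)
    similarity = difflib.SequenceMatcher(None, direct, via_search).ratio()
    # A meta refresh or script redirect served only to search visitors is the
    # signature of the origin-dependent script described in the post.
    redirect_only_on_search = bool(REDIRECT_RE.search(via_search)) and not REDIRECT_RE.search(direct)
    return {
        "similarity": round(similarity, 3),
        "redirect_only_on_search": redirect_only_on_search,
        "cloaked": similarity < threshold or redirect_only_on_search,
    }


def make_simulated_site(cloaked: bool) -> Fetcher:
    """Constructed offline stand-in for a landing page, so the check runs without
    network access; cloaked=True serves the rogue AV redirect to Google visitors."""
    legit = ('<html><head><title>Cinderella Full Story In Script</title></head><body>'
             '<p>Once upon a time, in a faraway kingdom, there lived a kind girl.</p></body></html>')
    rogue = ('<html><head><meta http-equiv="refresh" content="0;url=http://rogue-av.example/scan">'
             '</head><body><h1>WARNING: your computer is infected!</h1></body></html>')

    def fetcher(url: str, referer: Optional[str]) -> str:
        if cloaked and referer and "google." in referer:
            return rogue
        return legit
    return fetcher


if __name__ == "__main__":
    print(detect_cloaking("http://suspect.example/", fetcher=make_simulated_site(True)))
```

Against a live site, pass the real URL and leave `fetcher` at its default; dynamic pages with ads or timestamps will score below 1.0 even when honest, which is why a threshold rather than exact equality is used.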

MSAntispyware 2009: A different example

PandaLabs recently detected a Web page that appeared to establish a new model. While generally pages selling fake antiviruses either do not contain specific tags or those they contain are designed to improve indexing in search engines, the page from which MSAntispyware 2009 was distributed represented a significant change. Here, all the tags and processes were designed to prevent the page from being indexed in search engines.

The reason for this was to make it more difficult for malware analysts and security companies to prevent infections by techniques such as blocking the URLs found through search engine queries with specific parameters.