2010.04.29
Today, Steven Adair from Shadowserver informed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets; it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I did some work on how to take down Storm back then, so the rumors about a new version caught our interest. Mark, Tillmann, and I started to take the sample apart, and it looks very much like Storm indeed. It even uses the same configuration file, stored under C:\WINDOWS\herjek.config (the same filename as used by the last Storm version), but as the command-and-control channel has been replaced with an HTTP based version, there is no peer list included anymore.
A Breeze of Storm | The Honeynet Project.
Good job guys!
2010.04.26
Security experts in Hong Kong last week succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China.
via The Register.
2010.04.18
I’m attending the InBot’10 conference to present our research on Dorothy.
My talk is planned for Wednesday the 21st @ 16:00, hope to see you there!
p.s. …hoping that my flight won’t be cancelled due to the volcanic ash :S
2010.04.07
SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the first time we have seen this level of control for malware.”
Not to be outdone, the SpyEye author now claims his malware builder also includes a hardware lock, using VMProtect, a Russian commercial software protection package.
via SpyEye vs. ZeuS Rivalry — Krebs on Security.