Thursday, July 24, 2008

ThreatExpert on VirusTotal

Our colleagues at Hispasec Sistemas have integrated ThreatExpert report URLs into VirusTotal - a free multi-AV online scanner.

Thanks Julio! ¡Gracias Alejandro!

Now, if you submit a sample to VirusTotal and that sample has already been processed by ThreatExpert, the VirusTotal results will display a link to the existing ThreatExpert report, as shown below:

Tuesday, July 22, 2008

“Testimaniac Testimanials”

As reported by Larry Seltzer from PC Magazine, one rogue anti-spyware product claims to have won a number of awards, including the PC Magazine Editors' Choice and Best of 2005. Of course, it did not win any such awards.

In fact, rogue anti-spyware employs typical biological mimicry, which "occurs when a group of organisms, the mimics, have evolved to share common perceived characteristics with another group, the models..." [source: Wikipedia]

Interesting research on mimicry has recently been published by ScienceDaily. According to the article [Hannah Rowlands, UK], "Previous studies have suggested that the relationship between two look-alike species is parasitic, whereby a 'tastier' insect reaps all the benefits of resembling a more unpalatable species. Scientists have argued that predators may get confused as to which species is most edible and which is not, resulting in them eating more of the unpalatable species than they normally would have done."

Applied to rogue anti-spyware, this means that legitimate software vendors were believed to be the only ones to suffer from declining sales, as customers would be "confused as to which species is most edible and which is not" and would thus consume more of the "unpalatable" (rogue) anti-spyware products.

Please note that when this mimicry analogy is applied to our case, the logic needs to be inverted: where the 'tastier' insect reaps the benefit of staying alive (not being eaten), the software company suffers because its product is not purchased by the end customer, and vice versa.

The recent study, however, suggests that "the two species ... do not undermine each other and benefit mutually from looking like each other" [Hannah Rowlands].

Translated to our case, this means that both rogue anti-spyware and legitimate software will inevitably suffer.

The researcher claims: "We coated some of the almonds in a non-toxic chemical which gave them a nasty taste, while others were moderately distasteful and some were left to taste simply of almonds. The birds in our aviary learnt to avoid the highly distasteful species quicker than the moderately distasteful ones. The 'tastier' species still benefited, however, in that the birds eventually learnt that in order to stop mistakenly eating the distasteful prey, they must stop eating both species altogether."

The new study sends a clear message to the authors of rogue anti-spyware: legitimate software will inevitably suffer, but not because sales are diverted to rogue anti-spyware (which is what its authors hope to achieve). It will suffer because the customer who buys anti-spyware software will stop buying both rogue and legitimate software, "in order to stop mistakenly eating the distasteful prey".

In simple terms, rogue anti-spyware is not a winner in a "win-lose" situation, as it clearly creates a "lose-lose" condition with no winner at all.

Unfortunately, these simple facts must still be too difficult to understand for the many who could easily achieve much more by building real, in-demand software solutions.

Sunday, July 20, 2008

Hacker Attack Follows Military Fighter Jets

As reported by Reuters, NATO Secretary-General Jaap de Hoop Scheffer expressed his concern about "Russia's statement that its military aircraft deliberately overflew Georgian territory in violation of its territorial integrity."

Russian officials have admitted that they ordered the air force to fly over Georgia's rebel region of South Ossetia in a maneuver aimed "to cool hot heads in Tbilisi (Georgia's capital)."

Now, the political tension in the South Ossetia region has spread into cyberspace with a new distributed denial of service attack against the website of the Georgian President Mikhail Saakashvili (

As indicated by Steven Adair from the Shadowserver Foundation, who was the first to report this DoS attack, the C&C server used in it has the IP address

The domain name of this C&C server - - is already known to ThreatExpert from this threat, which was intercepted "in the wild" about one month ago by our behavioral antivirus ThreatFire.

As seen from the report, the bot hooks itself into the system by loading as a BHO into Internet Explorer and injecting its code into the address space of the legitimate system process svchost.exe. It then contacts its command-and-control server at

Another C&C contacted by the same bot resides at Searching for this domain at ThreatExpert returns reports on several threats.

All of the reported threats (that contact C&C at share common characteristics: they all try different memory injection techniques such as injecting into system processes lsass.exe, svchost.exe, winlogon.exe (by installing itself as a Winlogon notification package), or iexplore.exe (by installing itself as a BHO). All of them belong to the Pinch family of trojans.

Another reasonable guess about the origin of this attack's C&C can be made by searching for IPs from the same range as the reported IP The new search returns reports on threats that belong to a different family.

One striking similarity, however, is that they all rely on a bogus HTTPS protocol to communicate with the C&C located at

The problem with the bogus HTTPS protocol (which this bot uses to be remotely controlled and, in this case, to receive the instruction to initiate the DoS attack) is that it relies on the "universal firewall port" 443.

Almost all firewalls allow outbound access to TCP port 443 to any destination with any content, because they cannot inspect traffic that flows over an encrypted SSL channel.

Thus, what was originally invented to protect sensitive information from prying eyes is now used by hackers to coordinate their own activity.
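The firewall gap described above has a cheap defender-side counterpart: a firewall or IDS that cannot decrypt SSL can still verify that whatever leaves on port 443 at least speaks TLS, because the first bytes a real client sends form a TLS ClientHello record, whereas a "bogus HTTPS" bot protocol does not. The following Python is an added example written for this post; it is not code from the original article, from ThreatExpert or from ThreatFire. It validates only the TLS record and handshake framing of the first client bytes (so it is a triage signal, not proof), and the sample flows, including the made-up binary C&C framing in flow f3, are constructed for the example.

```python
"""Triage the first client bytes of outbound TCP/443 sessions.

Added defender-side example (not code from the original post, ThreatExpert or
ThreatFire). A "bogus HTTPS" C&C channel uses port 443 without speaking TLS,
so the first bytes the client sends will not form a TLS ClientHello record.
Only TLS framing is checked here, so a match is a triage signal, not proof.
"""
import struct

TLS_RECORD_HANDSHAKE = 0x16    # record-layer content type: handshake
TLS_HS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
MAX_TLS_RECORD = 16384 + 2048  # upper bound on a TLS record fragment


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload starts with a plausible TLS ClientHello.

    Verifies the 5-byte record header (type 0x16, version 3.x, sane length)
    and the 4-byte handshake header (type 0x01, length consistent with the
    record). Cipher suites, extensions etc. are not parsed.
    """
    if len(payload) < 9:
        return False
    rec_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != TLS_RECORD_HANDSHAKE or ver_major != 0x03 or ver_minor > 0x04:
        return False
    if rec_len < 4 or rec_len > MAX_TLS_RECORD:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # A ClientHello fills its record (or spills into a second record when
    # fragmented); a message shorter than the record is not a lone ClientHello.
    return hs_type == TLS_HS_CLIENT_HELLO and 4 + hs_len >= rec_len


def classify_port443_flow(client_first_bytes: bytes) -> str:
    """Label one session by what the client sent first on port 443."""
    if looks_like_tls_client_hello(client_first_bytes):
        return "tls"
    if client_first_bytes[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "plaintext-http-on-443"   # HTTP with no SSL/TLS at all
    return "unknown-protocol-on-443"     # custom bot protocol, garbage, etc.


def triage(flows):
    """Map each (flow_id, first_client_bytes) pair to its classification."""
    return {flow_id: classify_port443_flow(data) for flow_id, data in flows}


def build_client_hello() -> bytes:
    """Construct a minimal, well-formed TLS 1.2 ClientHello (test data only)."""
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (fixed so the sample is deterministic)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x00\x2f"    # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"            # one compression method: null
    )
    handshake = bytes([TLS_HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([TLS_RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return record + handshake


# Constructed sample flows: the first bytes each client sent to port 443.
SAMPLE_FLOWS = [
    ("f1", build_client_hello()),                   # a browser doing real TLS
    ("f2", b"GET /gate.php?id=1234 HTTP/1.0\r\n"),  # plaintext HTTP on 443
    ("f3", b"\x00\x01BOT\x00\x02\x00\x00\x00"),     # made-up binary C&C framing
]

if __name__ == "__main__":
    for flow_id, label in triage(SAMPLE_FLOWS).items():
        print(flow_id, label)
```

Run stand-alone it prints one label per sample flow. The same framing check is what protocol-aware firewalls and IDS engines apply when they flag "non-TLS traffic on port 443", which is the alert a defender wants for the bots described in this post; it closes the hole only partially, since a bot can wrap its traffic in genuine TLS, but it removes the free ride that a purely bogus HTTPS protocol gets today.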

The situation with the bogus HTTPS rather recalls Jeff Goldblum's infamous line in Independence Day, "They're using our own satellites against us!":