

SWI Community News 1st Edition

This topic is locked. 3 replies to this topic.

#1 Budfred (Malware Hound, Administrators, 21,636 posts)

Posted 05 May 2007 - 03:57 PM

Howdy everyone...

As many of you know, Mike, the owner and founder of SWI, used to publish a regular newsletter that many people admired and waited for. A lot of people have asked when that would resume and we have not been able to answer. We decided to provide an alternative in the interim and publish a forum newsletter produced by the staff of SWI. I am currently playing the role of editor, but that job may move around over time. We have a few contributors and hope to have more over time as well. We plan to include some opinion, some facts and some references to other helpful information. Other topics will evolve as we have people interested in developing them and as you, the readers, let us know what you want to see.

We will publish in this forum using separate posts to complete an edition of the newsletter. That topic will be locked, but we urge you to post in this forum with comments about the newsletter and what you would like to see. We may decide to develop an email version of it if enough people show interest in that idea, so let us know.

One contributor suggested we include a disclaimer, so here it is:

Opinions and information expressed in this publication are not the responsibility of SpywareInfo.Com or its owner, administrators or hosting services. Information and opinions posted here are the property of the respective author.

That also means that the material is subject to the copyright of the author and you need to cite the author if you quote any material from this publication elsewhere.

We know this is not an adequate substitute for Mike's newsletter, but we hope it is helpful to you all and that you will let us know what you think.

And... I almost forgot -- to get notification when a new SWI Community News is available, I am going to create a topic you can subscribe to and we will add notices of publishing to that topic so you will receive an email notice if you are set to receive notices of topics you are subscribed to.


Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#2 Budfred (Malware Hound, Administrators, 21,636 posts)

Posted 05 May 2007 - 03:59 PM

Budfred's Rant: Volunteers and Malware Criminals

An odd relationship exists on the web between the malware criminals and the volunteers who fight them. They (malware criminals) make millions of dollars by stealing from people. They use identity theft, keylogging, phishing and even just selling fake products at what look like a great price. They infest our computers to spy on us and push ads down our throats because they get paid for forcing us to look at their ads. They take over our computers to attack other computer systems and to use them to send out tons of SPAM to make them more money. They may have had morals at some point in their lives, but for whatever reason now, they have no problem with stealing everything you have and ruining your life.

Malware fighters are mostly volunteers who fight the criminals because they believe in justice. Many of them have been burned by malware criminals themselves and they want to protect others from the same purgatory they had to experience in recovering. Many fear that the criminals are going to bring down the web by overwhelming it with SPAM and filth. Think of the neighborhoods in many cities that are centers of drug dealing, prostitution, porn and other criminal behavior. Only the most desperate spend any time there and many never go there. This is what the internet could become if we didn't continue to fight. Others have other reasons, but the common theme is that they do it for free. Some malware fighters are talented and lucky enough to make it a career and actually get paid to continue the fight, but most do it only for the sake of contributing something positive to the world and the occasional thanks that they get from a computer user who is grateful for the help offered. Even that is not as common as you would think and we get people who are indignant that we don't immediately help them no matter how busy our limited pool of volunteers is.

So the scene is a small number of malware criminals collecting obscene amounts of stolen money as they infect millions of computers around the world and a small number of malware fighting volunteers who struggle to hold back the tide. We are aided by the commercial anti-malware companies, but sometimes they rely on us more than we rely on them. The malware we are fighting is becoming more difficult to find and kill each day, so the training of a malware fighter is getting more difficult as well.

If you get help from our volunteers, please keep in mind that we don't appreciate people trying to bribe us to help them more quickly by offering to contribute to the forum or pay us. We really don't appreciate people who complain about not getting help right away, or people who post in multiple malware fighting forums to increase their chances of getting help more quickly; we all tend to draw from the same limited pool of trained volunteers, so you are wasting our most valuable resource if more than one volunteer takes the time to analyze your problem. We don't appreciate people who post in multiple subforums at SWI so that we waste time merging and deleting topics. We don't appreciate people who get help from us and then don't bother to follow recommendations to protect themselves and end up coming back for more help because they are infected again.

We understand how stressed you are by the problems on your computers; many of us have been there ourselves. We know that you want help immediately and many of you need your computers right now. We hope you understand that even if we did this full time and gave up the parts of our life that pay the bills and otherwise support us, we still wouldn't have enough volunteer hours to resolve all of the problems out there. And yes, we really do need to sleep at times.

We do appreciate people who are patient and wait for help. We appreciate people who follow the instructions we give them and who report what is happening on their computers in detail so we don't have to guess. We appreciate people who follow our suggestions for protecting themselves and don't have to come back for help. We greatly appreciate people who say: "Thanks".



#3 Budfred (Malware Hound, Administrators, 21,636 posts)

Posted 05 May 2007 - 04:10 PM

Good and Bad News from TheJoker

In the seemingly constant war that must be waged against malware and malware criminals, there is always good news and bad news. Since it's a constant catch-up game to try to block and disinfect new malware after it is identified, it seems like the good news is often drowned out by all the bad news, but there is good news to report at times. Sometimes the good news is as simple as criminals being caught and stopped, so they can't continue to hurt others. The bad news is still good to know though, as in this case, what you don't know CAN hurt you. The more you know about the criminals that write it and try to make money from it, whether it be by stealing your personal information or your banking information, pay-per-click fraud or simple "old-fashioned" scams like the so-called "Nigerian" scam, the more you can protect yourself.

The Good News:

419 (Advance fee fraud) Cell Arrested
Amsterdam police this week arrested another 419 cell and confiscated computers, fake travel documents, and bogus banking documents. The five suspects are being held pending extradition to the US, where they could face up to 20 years in prison.

Former LA Social Security Employee Charged in ID Theft Scheme
A former Social Security Administration employee faces federal charges of allegedly passing along confidential information mined from a government computer to identity thieves who racked up some $2.5 million in illegal credit card purchases, prosecutors said.

The Bad News:

Google sponsored links not safe?
Since at least 10 April criminals have been gaming Google's "sponsored links" -- the paid ads shown alongside search engine results. They are aiming to get their malicious software installed on the computers of users who click on ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau, and cars.com, but whose links actually come from a place called smarttrack.org masquerading as one of the legitimate sites.

First iPod Virus Discovered
Kaspersky Lab announced on April 5 that it has discovered the first virus affecting iPod.
While the proof-of-concept discovery carries no payload and cannot spread – thus posing no real threat – researchers said the virus is proof that specific platforms, such as the ubiquitous digital music player, can be infected with malware.

New Image Spam Tactic
Spammers and hackers are taking a new tack in their evolving e-mail assault.
Dmitri Alperovitch, principal research scientist at Secure Computing, said that instead of embedding image spam inside of e-mail messages, cybercriminals are starting to embed only a link to a photo or image they've put up on a photo-sharing site. Alperovitch said in an interview that this makes it a lot easier and more cost effective for the spammers, who no longer have to embed a bandwidth-sucking image in every message spammed out.

Malware Spikes In 1Q As Hackers Increasingly Infect Web Sites
According to a study from Sophos, an antivirus and anti-spam company, researchers discovered 23,864 new threats in the first three months of 2007. That's more than double the number of new malware identified in the same period last year, when Sophos discovered 9,450.

Trojan Horse Uses Virginia Tragedy as Bait
Spammers and hackers are using the slayings at Virginia Tech as a gory lure to infect computers with malicious software, security experts noted. After emergencies and disasters, fraudulent Web sites purporting to collect charity money also tend to emerge. So far, more than 450 domain names related to the Virginia Tech shooting have been registered that look questionable, wrote Johannes Ullrich, chief technical officer for the Internet Storm Center, part of the SANS Institute, which monitors the health of the Internet.

Hackers debut malware loaded USB ruse
Malware purveyors deliberately left USB sticks loaded with a Trojan in a London car park in a bid to trick users into getting infected. The attack was designed to propagate Trojan banking software that swiped users' login credentials from compromised machines.

Rootkits Challenge Security Community
McAfee reported that rootkits, including malware such as Trojans, worms and viruses that actively conceal their existence at a low level within operating systems, are becoming more prevalent and more sophisticated. The security firm warned that rootkit techniques will continue to challenge the security community as hackers create more potent and more virulent strains.

New worm wriggles around on Skype
A worm targeting Skype's VOIP (voice over Internet protocol) application is harvesting e-mail addresses and directing users to a range of sites hosting other malicious software, security vendors said Monday. Once a machine is infected, the worm sends a malicious link via instant messages to other users in person's Skype contact list, according to F-Secure's blog.



#4 Budfred (Malware Hound, Administrators, 21,636 posts)

Posted 05 May 2007 - 04:23 PM

Facts from Acsell

Viruses – How they try to avoid detection

It has become a ‘cat and mouse’ game between the virus writers and those who write the software that tries to detect and remove the viruses they create. As viruses have become more advanced in order to avoid detection and removal, so have the anti-virus detection and removal techniques.

The longer that a virus can exist in the wild before it is detected, the greater chance it has to spread. The various techniques that virus writers use to try and protect their virus from being detected on a system will now be discussed.

Stealth viruses

As the name suggests, stealth viruses attempt to go undiscovered on a system. They do this by attempting to hide their tracks in order to make sure that there is nothing on the system that could lead to them being identified. A common method they use to hide their activities is by interrupting the system interrupts / calls made by antivirus software.

For example, a virus could interrupt requests made by antivirus software so that the information that the antivirus software tries to obtain from the file isn't the 'true' information. To do this, a stealth virus may interrupt file read requests made by the antivirus software and then send back false information to the antivirus software, making the file look like it did before it was infected by the virus. By doing this, the stealth virus can try to prevent the antivirus application from reading the virus code within the file and therefore avoid detection.

The antivirus software can use behaviour checkers in order to try and combat this by bypassing the vector table (the vector table is used by the processor in order to determine the correct responses to the interrupts made) and redirecting any interrupt request through itself. The virus could defeat the antivirus behaviour checkers that do this by also tunneling past the interrupts (this will not be looked at in any detail here).

The only option left to the antivirus in combating this is to become more hardware dependent by directly accessing the hardware instead. This increases the complexity of the antivirus software. Due to this, the antivirus software may cause some systems to freeze when used with certain hardware, for example.

Another way that a stealth virus may try to protect itself from being discovered is by removing the virus code from any infected file that is manually copied from the system. The idea behind this is so that if the file were to be analyzed by an expert or antivirus company then it would not show up as having suspicious behaviour.

Antivirus companies get large numbers of potentially infected file samples sent in to them in order for them to be identified. If the virus code has been removed by a stealth virus beforehand then they have no chance of detecting and identifying the virus.

Polymorphic viruses

The signatures that a virus scanner uses rely on a certain unique pattern being found in a file that allows the scanner to identify it as a virus. This, of course, relies on the virus code being the same each time a virus reproduces itself. This is where polymorphic viruses come in.

The idea behind polymorphic viruses is that they change themselves each time they write their code to a file. A typical way of doing this is by using basic encryption with a different key each time the code is encrypted.

The decryption part of the virus code would also need to avoid detection from heuristic scanners. This could be done by inserting useless code at various points in the code in order to try and disguise its activities from the heuristic scanners (which check for suspicious program characteristics) by making it look like a normal piece of software.

Retroviruses

Retroviruses are ones that try and target the actual antivirus application. One way of doing this is by modifying the antivirus software or its signature database in some way. If it succeeds in doing this it can avoid detection.

Virus scanners usually use integrity checking on their signature database, as well as on their own code, in order to make sure that neither has been modified. One way for them to do this is by using a cryptographic hash function. A hash function is used to make sure that a piece of data has not changed. If it has changed then the antivirus software will know that it has been tampered with.

A retrovirus may try and change the virus signatures (to remove the virus it is trying to infect the system with from them) and/or modify the actual antivirus program so that the antivirus program does not detect any malicious changes that are made.

The virus writer would need to know the hash function that has been used and be able to find the key used by the hash function (which will be stored somewhere on the computer) in order to do this.


This type of virus tries to trick antivirus code emulation into believing that it is a legitimate program. Code emulation involves running the first several thousand or so instructions of the program before allowing it to run. If suspicious behaviour is detected then the program is prevented from continuing.

The virus may try and bypass the emulation by waiting until after so many instructions have been sent before it executes the virus code. It could also try and crash the emulator or disguise the activity by sending legitimate instructions along with the malicious ones, as well as many other methods.

Armoured Viruses

This type of virus will try and prevent itself from being analyzed. For example, when virus samples are sent to antivirus labs, the antivirus companies often execute or examine these samples in controlled environments in order to identify them and build virus signatures or heuristic algorithms in order to detect them.

The environments used to execute viruses in order to examine their behaviour are often very 'clean' in that they don't tend to have many programs installed or random files scattered over the hard drive (like with a typical user's PC). The virus could look at the environment it is running in and if the environment looked too 'clean' then it might be seen as suspicious and therefore could decide not to execute the virus code.

The virus could also check to see if it is being run inside a debugger (a debugger is used to step through the code in order to examine it). If it is then it can take appropriate action such as trying to disable the debugger.

This type of virus makes it very difficult and time-consuming for someone trying to analyze it.


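The following is an added example, not code from the post or from Acsell. It is a toy scanner that puts two of the defensive points of the article above into running code: for the retrovirus section, a signature database protected with a keyed hash (HMAC-SHA256) so that a removed entry is detected unless the attacker also holds the key; for the polymorphic and emulation sections, a body that is re-encoded with a different XOR key on every copy, which a fixed byte signature misses while a signature on the unchanging decryptor stub still matches, and a minimal "emulator" that runs the decryption step before scanning recovers the body signature. The stub, body, signature names and key values are all constructed for the demo.

```python
"""Added example (not from the post or from Acsell): a toy file scanner that
shows (1) an HMAC-protected signature database, so tampering is detected
without the key, and (2) why a re-keyed (polymorphic) body escapes a fixed
byte signature while the constant decryptor stub does not, and how scanning
after a simulated decryption step catches the body again.
All bytes below are constructed for the demo; nothing here is real malware."""
import hashlib
import hmac
import os

# Constructed stand-ins: a fixed "decryptor stub" and the "virus body" it unpacks.
STUB = b"<constructed-decrypt-loop>"
BODY = b"CONSTRUCTED-DEMO-BODY-0001"


# --- 1. Integrity-checked signature database (retrovirus section) -----------

def serialize_db(db: dict) -> bytes:
    """Canonical byte form of {signature_name: signature_bytes}; sorted so the
    tag does not depend on dict insertion order."""
    return b"\n".join(name.encode() + b"=" + sig.hex().encode()
                      for name, sig in sorted(db.items()))


def protect_db(db: dict, key: bytes) -> bytes:
    """Return the HMAC-SHA256 tag the scanner stores alongside its database."""
    return hmac.new(key, serialize_db(db), hashlib.sha256).digest()


def db_is_intact(db: dict, tag: bytes, key: bytes) -> bool:
    """True only if the database still matches the stored tag under this key.
    Without the key an attacker who edits the database cannot recompute the tag."""
    expected = hmac.new(key, serialize_db(db), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


# --- 2. Polymorphic body vs. fixed signatures (polymorphic/emulation sections) --

def polymorphic_variant(key: int) -> bytes:
    """Build one 'infected file': constant stub, one-byte key, XOR-encoded body.
    Every key gives a different byte pattern for the same underlying body."""
    assert 1 <= key <= 255, "key 0 would leave the body unencoded"
    encoded = bytes(b ^ key for b in BODY)
    return STUB + bytes([key]) + encoded


def scan(sample: bytes, db: dict) -> list:
    """Plain signature scan: report every signature that occurs verbatim."""
    return [name for name, sig in db.items() if sig in sample]


def emulate_and_scan(sample: bytes, db: dict) -> list:
    """Scan, and if the sample begins with the known stub, also perform the
    decryption the stub would perform and scan the decoded bytes too."""
    hits = scan(sample, db)
    if sample.startswith(STUB) and len(sample) > len(STUB):
        key = sample[len(STUB)]
        decoded = bytes(b ^ key for b in sample[len(STUB) + 1:])
        hits += [n for n in scan(decoded, db) if n not in hits]
    return hits


def demo() -> dict:
    """Run both scenarios and return the observations as a dict."""
    key = os.urandom(32)  # scanner's HMAC key; must stay out of the attacker's reach
    db = {"Toy.Body": BODY[:12], "Toy.Stub": STUB}
    tag = protect_db(db, key)

    tampered = dict(db)
    del tampered["Toy.Body"]  # a retrovirus strips the entry that would catch it

    variant_a = polymorphic_variant(0x5A)
    variant_b = polymorphic_variant(0x3C)
    return {
        "db_ok_before": db_is_intact(db, tag, key),
        "db_ok_after_tamper": db_is_intact(tampered, tag, key),
        "variants_differ": variant_a != variant_b,
        "body_sig_hits": scan(variant_a, {"Toy.Body": BODY[:12]}),
        "stub_sig_hits": scan(variant_a, {"Toy.Stub": STUB}),
        "emulated_hits": emulate_and_scan(variant_a, {"Toy.Body": BODY[:12]}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints the six observations: the database verifies before tampering and fails after, two variants of the same body are byte-for-byte different, the body signature does not fire on the encoded copy, the stub signature does, and scanning after the simulated decryption step finds the body again. The point the article makes about the key applies here directly: `db_is_intact` only protects the database as long as the HMAC key is not readable by the same code that can rewrite the database.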
