We predicted that the use of polymorphic file infectors will increase again. This became true: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. The authors spread new variants of their polymorphism-engines. It seems that even older versions of those polymorphic viruses are still widespread, but W32/Virut is releasing the most updates – several dozens in the first six months of the year. The good news is that our detection routines withstand these bypass attempts.

Spreading malware via manipulated PDF documents still is one of the top threats on the Internet. In the last months the amount of exploit PDFs showing up for the vulnerabilities in PDF readers significantly increased – in the first half of 2009 we received several thousand samples. Every week the malware authors spread around ten newly obfuscated exploits, which in turn got used for plenty of PDF files each. We’re regularly releasing updates for new modified PDF exploits when necessary. Users should update their PDF readers regularly anyhow as this mitigates most of the threats.

As attack vector for infections of computers web-borne malware is further increasing. The malware gets more and more installed via drive-by-downloads, where the attackers hack into web servers with legitimate content and add references to their malware servers. Those servers then install for example trojans and/or bots on the vulnerable computers. It seems that there are plenty of construction toolkits out there with which anyone can produce malicious JavaScript simply by the click with the mouse: Malware-features like encryption, heap-spraying and shellcode seem to be more modular and repeating in parts of the malicious web pages we analyzed.

The usage of a recent antivirus product will help protecting from these threats. The WebGuard of our premium products additionally very efficiently remedies the web-borne malware distribution.

Dirk Knop
Technical Editor

ZBot construction kit from end of August.

It works with simple text configuration files. Pre-configured are plenty of online banks and social networks. The generated trojan will attempt to steal login information for the configured targets. Also the data dump and the control server get configured in the configuration file.

The configuration file of the ZBot construction kit is text-based.

Also included is a file with search strings for different online sites. With this list, the trojan tries to collect the data which is worth some bucks on the black markets.

The ZBot variant searches within the web pages for certain strings which promise valuable data.

Many popular banks and social network sites are targeted, from different countries. The binary form of the configuration file which the drones on infected computers will download gets built by a simple mouse click. This way, the bot herder can update the targets for his drones very easily.

The configuration file for the drones is fetched from an online server and gets built with a simple mouse click.

The trojan binary has to be built accordingly to this configuration so it connects to the right servers and data dumps. This process needs yet another single mouse click, and the cyber criminal has his perfectly tuned trojan.

The trojan gets built with another mouse click.

Even for the data dumps and the control servers there is PHP software included, so you don’t need to know much about programming at all. Just upload those PHP files to a hacked, maybe even fast-flux’ed and/or bulletproof hosted control server and start the PHP install script and you’re done with everything.

Comfortable command & control of the botnet and the data dump is also included in the package.

In case this is all too complicated for the cyber criminal, a help file is included as well. It’s russian though instead of english, other than the rest of this malware construction kit.

If the kit is too complicated, a russian help file is of assistance.

It is amazing how sophisticated the malware and the malware construction kits in the underground are meanwhile. For very little money you get everything you need to start your own botnet and steal valuable information.

Luckily the ZBot construction kit and it’s generated trojans are detected by Avira products as TR/Spy.ZBot.dyy and as TR/Crypt.XPACK.Gen, respectively. But only 13 of 38 antivirus products from virustotal warn that there’s malware – some products from major players in the antivirus market still don’t detect these old ZBots.

Dirk Knop
Technical Editor