YARA: a malware identification and classification tool
Submitted by plusvic on Tue, 2009-01-06 15:32. tools
YARA is an open-source, multi-platform tool that allows you to create your own signatures to identify malware families based on text or hex strings present in samples of those families. The signatures are written in a special-purpose language that looks like this:
rule silent_banker : banker
{
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
Complex signatures can be created using boolean operators, wildcards, regular expressions and much more. You can find more information on the project site:
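To make the semantics of the rule above concrete, here is an added example (not YARA's own code and not part of the original post): a minimal Python model of how a rule's strings and condition are evaluated. It runs the silent_banker strings against a constructed byte buffer, and also a hypothetical DEMO rule that uses a `??` wildcard, a regex string and `not` in its condition. The wildcard syntax and the and/or/not condition grammar follow YARA's documented rule language; the DEMO rule, its strings and the sample buffer are constructed for illustration, and jumps, alternatives, `nocase`, counts and offsets are not modelled.

```python
"""Minimal model of how a YARA rule is evaluated.  Added example, not YARA's own
code: it supports hex strings with `??` wildcards, plain text strings, regex
strings, and conditions built from $identifiers, and/or/not and parentheses.
Jumps, alternatives, `nocase`, counts (#a) and offsets (@a) are not modelled."""
import re
from typing import Dict, List, Optional, Tuple

Strings = Dict[str, Tuple[str, str]]          # "$name" -> (kind, value)


def parse_hex_pattern(pattern: str) -> List[Optional[int]]:
    """Turn "{6A 40 ?? 30}" into [0x6A, 0x40, None, 0x30]; None is the ?? wildcard."""
    out: List[Optional[int]] = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            out.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            out.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return out


def find_hex(data: bytes, pattern: str) -> List[int]:
    """Every offset at which the wildcard hex pattern occurs in data."""
    pat = parse_hex_pattern(pattern)
    n = len(pat)
    return [off for off in range(len(data) - n + 1)
            if all(p is None or p == b for p, b in zip(pat, data[off:off + n]))]


def find_text(data: bytes, text: str) -> List[int]:
    """Case-sensitive text string (YARA's default without `nocase`)."""
    needle, hits, start = text.encode("latin-1"), [], 0
    while (i := data.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def find_regex(data: bytes, regex: str) -> List[int]:
    return [m.start() for m in re.finditer(regex.encode("latin-1"), data)]


def scan(data: bytes, strings: Strings) -> Dict[str, List[int]]:
    finders = {"hex": find_hex, "text": find_text, "regex": find_regex}
    return {name: finders[kind](data, value) for name, (kind, value) in strings.items()}


COND_TOKEN = re.compile(r"\(|\)|\$\w+|\band\b|\bor\b|\bnot\b")


def evaluate_condition(condition: str, hits: Dict[str, List[int]]) -> bool:
    """`$x` is true when string $x matched at least once, as in YARA."""
    tokens = COND_TOKEN.findall(condition)
    if "".join(tokens) != re.sub(r"\s+", "", condition):
        raise ValueError(f"unsupported condition syntax: {condition!r}")
    py = " ".join(str(bool(hits.get(t))) if t.startswith("$") else t for t in tokens)
    # Only True/False, and/or/not and parentheses reach eval, so no code can be smuggled in.
    return bool(eval(py, {"__builtins__": {}}, {}))


def rule_matches(data: bytes, strings: Strings, condition: str) -> bool:
    return evaluate_condition(condition, scan(data, strings))


# The strings and condition of the silent_banker rule shown in the post.
SILENT_BANKER: Strings = {
    "$a": ("hex", "{6A 40 68 00 30 00 00 6A 14 8D 91}"),
    "$b": ("hex", "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}"),
    "$c": ("text", "UVODFRYSIHLNWPEJXQZAKCBGMT"),
}
SILENT_BANKER_CONDITION = "$a or $b or $c"

# Hypothetical rule (constructed for this example) using a wildcard, a regex and `not`.
DEMO: Strings = {
    "$a": ("hex", "{6A 40 ?? 00 30}"),
    "$b": ("text", "NOT_PRESENT"),
    "$d": ("regex", r"cfg\d{2}\.dat"),
}
DEMO_CONDITION = "($a or $d) and not $b"

# Constructed sample buffer: a fake header, the $a bytes, filler, the $c string, a config name.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + bytes.fromhex("6A4068003000006A148D91")        # $a at offset 16
          + b"\xcc" * 8
          + b"UVODFRYSIHLNWPEJXQZAKCBGMT"                  # $c at offset 35
          + b"cfg07.dat"                                   # $d at offset 61
          + b"\x00" * 8)

if __name__ == "__main__":
    print(scan(SAMPLE, SILENT_BANKER))
    print("silent_banker:", rule_matches(SAMPLE, SILENT_BANKER, SILENT_BANKER_CONDITION))
    print("demo:", rule_matches(SAMPLE, DEMO, DEMO_CONDITION))
```

The point to take away is that each `$name` in the condition collapses to "matched at least once", so `$a or $b or $c` fires on a single hit of any one string; a tighter rule would combine strings with `and` or, in real YARA, use counts and offsets.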
Zero Wine: QEMU based malware auto-analysis
Submitted by Einstein on Fri, 2009-01-02 09:49. tools
Zero Wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero Wine just runs the malware using WINE in a safe virtual sandbox (an isolated environment), collecting information about the APIs called by the program.
The output generated by Wine (using the debug environment variable WINEDEBUG) is the list of API calls made by the malware (and the values passed to them, of course). With this information, analyzing the malware's behavior turns out to be very easy.
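As an added example (not Zero Wine's code and not part of the original post), the Python below turns the kind of lines Wine's +relay debug channel emits (WINEDEBUG=+relay) into a list of API calls: it pairs each Call line with its Ret line on the same thread to recover the API name, the arguments and the return value, and flags a handful of APIs an analyst would look at first. The trace lines are constructed in the +relay line format for this example, not captured from a real sample, and the watchlist is the example's own.

```python
r"""Turn Wine +relay trace lines (WINEDEBUG=+relay) into a list of API calls.
Added example, not Zero Wine's code.  The trace below is constructed in the
+relay line format; it was not captured from a real sample:
  0009:Call kernel32.CreateFileA(0040a0c0 "C:\\dropper.exe",40000000,...) ret=00401234
  0009:Ret  kernel32.CreateFileA() retval=00000044 ret=00401234
"""
import re
from typing import Dict, List

RELAY_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):(?P<kind>Call|Ret)\s+"
    r"(?P<module>\w+)\.(?P<func>\w+)\((?P<args>.*)\)"
    r"(?:\s+retval=(?P<retval>[0-9a-f]+))?\s+ret=(?P<ret>[0-9a-f]+)\s*$"
)

SAMPLE_TRACE = r"""
0009:Call kernel32.GetCommandLineA() ret=00401050
0009:Ret  kernel32.GetCommandLineA() retval=00110400 ret=00401050
0009:Call kernel32.CreateFileA(0040a0c0 "C:\\windows\\temp\\dropper.exe",40000000,00000000,00000000,00000002,00000080,00000000) ret=00401234
0009:Ret  kernel32.CreateFileA() retval=00000044 ret=00401234
0009:Call advapi32.RegSetValueExA(00000080,0040a100 "Updater",00000000,00000001,0040a200,0000001c) ret=004012f0
0009:Ret  advapi32.RegSetValueExA() retval=00000000 ret=004012f0
0009:Call urlmon.URLDownloadToFileA(00000000,0040a300 "http://example.invalid/upd.exe",0040a400 "C:\\upd.exe",00000000,00000000) ret=00401380
0009:Ret  urlmon.URLDownloadToFileA() retval=00000000 ret=00401380
"""

# APIs an analyst would look at first; this watchlist is the example's own, not Zero Wine's.
WATCHLIST = {"URLDownloadToFileA", "URLDownloadToFileW", "RegSetValueExA", "RegSetValueExW",
             "WriteProcessMemory", "CreateRemoteThread", "CreateServiceA", "CreateServiceW"}


def split_args(raw: str) -> List[str]:
    """Split the argument list on commas, but not inside "..." string dumps."""
    args: List[str] = []
    cur: List[str] = []
    in_str, i = False, 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and in_str and i + 1 < len(raw):   # keep escaped chars verbatim
            cur.append(raw[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_relay(text: str) -> List[Dict]:
    """One record per Call/Ret line; Call records get `retval` from their matching Ret."""
    records: List[Dict] = []
    pending: Dict[tuple, List[Dict]] = {}        # (tid, api) -> stack of open calls
    for line in text.splitlines():
        m = RELAY_RE.match(line.strip())
        if not m:                                 # other debug channels, blank lines, etc.
            continue
        rec = {"tid": m["tid"], "kind": m["kind"], "api": f"{m['module']}.{m['func']}",
               "func": m["func"], "args": split_args(m["args"]),
               "retval": m["retval"], "ret": m["ret"]}
        records.append(rec)
        key = (rec["tid"], rec["api"])
        if rec["kind"] == "Call":
            pending.setdefault(key, []).append(rec)
        elif pending.get(key):                    # nested calls unwind LIFO per thread
            pending[key].pop()["retval"] = rec["retval"]
    return records


def api_calls(records: List[Dict]) -> List[Dict]:
    return [r for r in records if r["kind"] == "Call"]


def flag_suspicious(records: List[Dict], watchlist=WATCHLIST) -> List[str]:
    return [r["api"] for r in api_calls(records) if r["func"] in watchlist]


if __name__ == "__main__":
    recs = parse_relay(SAMPLE_TRACE)
    for c in api_calls(recs):
        print(f"{c['tid']} {c['api']}({', '.join(c['args'])}) -> {c['retval']}")
    print("watchlist hits:", flag_suspicious(recs))
```

Because Wine prints the string pointed to by an argument right next to the pointer value, the parsed argument list already carries the file names, registry value names and URLs the sample touched, which is what makes this kind of trace so quick to read.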
Wepawet: analyzing web-based malware
Submitted by Einstein on Wed, 2008-12-24 08:25. Research
Hello guys!
Wepawet is a new service for detecting and analyzing web-based malware. It currently handles Flash and JavaScript files.
Things you can do with Wepawet:
- Determine if a page or file is malicious: Wepawet runs various analyses on the URLs or files that you submit. At the end of the analysis phase, it tells you whether the resource is malicious or benign and provides you with information that helps you understand why it was classified one way or the other.
- Wepawet displays various pieces of information that greatly simplify the manual analysis and understanding of the behavior of malicious samples. For example, it gives access to the unobfuscated malicious code used in an attack. It also collects the URLs accessed by a sample.
- Wepawet does not just tell you that a resource is malicious; it also shows you the exact vulnerability (or, more likely, the vulnerabilities) that are exploited during an attack.
DNSChanger 2.0
Submitted by xmachine on Sat, 2008-12-20 12:28. Malware
DNS Changer 2.0 (Trojan.Flush.M) is the next in-the-wild variant of this famous malware. Now the strategy has changed: there is no need to modify the DNS settings on ADSL routers. Instead it installs a network driver (NDISProt.sys) which allows the malware to send/receive raw Ethernet packets. Such an approach helps it bypass the Windows TCP/IP stack, FW and HIPS.
It installs a rogue DHCP server on the infected machine, listens for DHCP requests and responds with its own crafted DHCP offer packets. The reply contains malicious DNS servers, which redirect hosts to infected websites that include everything from phishing to exploit-and-infect pages.
The question is how to protect against and prevent such attacks.
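One thing a network-side detector can do is inspect DHCP OFFER packets on the LAN and raise an alert when the server identifier or the DNS servers being handed out are not the ones expected on that segment. The Python below is an added example (not the malware's code and not from the post): it builds a DHCP OFFER the way the post describes (BOOTP header, magic cookie, option 53 = OFFER, option 54 server identifier, option 6 DNS servers), parses such packets back and returns the reasons an offer looks rogue. All addresses and allowlists are constructed for the example (203.0.113.0/24 is the TEST-NET-3 documentation range); the check detects the rogue offer on the wire but does not by itself stop a client from accepting it, which is why switch-side controls such as DHCP snooping are the usual preventive answer.

```python
"""Build and inspect DHCP OFFER packets to spot a rogue server pushing its own
DNS servers, the behaviour the post describes.  Added example, not the
malware's code and not from the post; every address below is constructed."""
import socket
import struct
from typing import Dict, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
DHCPOFFER = 2


def build_offer(xid: int, yiaddr: str, server_ip: str, dns: List[str], router: str,
                chaddr: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """DHCPOFFER: 236-byte BOOTP header, magic cookie, then TLV options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip),
                         b"\0" * 4, chaddr, b"", b"")
    options = (bytes([OPT_MSGTYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
               + bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
               + bytes([OPT_DNS, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt: bytes) -> Dict:
    """Header fields plus a {code: raw value} option map; rejects truncated packets."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": socket.inet_ntoa(pkt[16:20]),
            "siaddr": socket.inet_ntoa(pkt[20:24]), "options": options}


def ip_list(raw: bytes) -> List[str]:
    if len(raw) % 4:
        raise ValueError("address list length not a multiple of 4")
    return [socket.inet_ntoa(raw[k:k + 4]) for k in range(0, len(raw), 4)]


def rogue_offer_reasons(pkt: bytes, trusted_servers: Set[str], trusted_dns: Set[str]) -> List[str]:
    """Empty list for a non-OFFER or a clean OFFER; otherwise why it looks rogue."""
    d = parse_dhcp(pkt)
    opts = d["options"]
    if d["op"] != BOOTREPLY or opts.get(OPT_MSGTYPE) != bytes([DHCPOFFER]):
        return []
    reasons = []
    server = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else d["siaddr"]
    if server not in trusted_servers:
        reasons.append(f"offer from unknown DHCP server {server}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            reasons.append(f"offer pushes untrusted DNS server {dns}")
    return reasons


# Constructed traffic: the real router's offer, and one from an infected host on the
# same LAN answering with attacker-controlled resolvers (203.0.113.0/24 is TEST-NET-3).
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer(0x3903F326, "192.168.1.50", "192.168.1.1", ["192.168.1.1"], "192.168.1.1")
ROGUE_OFFER = build_offer(0x3903F326, "192.168.1.50", "192.168.1.77",
                          ["203.0.113.5", "203.0.113.6"], "192.168.1.1")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, rogue_offer_reasons(pkt, TRUSTED_SERVERS, TRUSTED_DNS) or "clean")
```

In a real deployment the packet bytes would come from a capture filter on UDP port 68 (replies to clients) and the allowlists from the network's documented DHCP and DNS servers; the whole point of the rogue server is that it races the real one, so the alert matters even when the legitimate offer also arrives.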
Memoryze Memory Forensics Tool
Submitted by dannyquist on Thu, 2008-11-27 08:09. Peter Silberman from Mandiant has written an article at OpenRCE about the new tool Memoryze.
Introduction:
The goal of this article is to demonstrate how simple malware analysis can be using Memoryze and some good old-fashioned common sense. Readers should have some knowledge of how malware works, and be somewhat familiar with Memoryze. A good place to familiarize yourself with Memoryze is the user guide included in the installer.
Memoryze is designed to aid in memory analysis in incident response scenarios. However, it has many useful features that can be utilized when doing malware analysis. Memoryze is special in that it does not rely on API calls. Instead, Memoryze parses the operating system's internal structures to determine for itself what the operating system and its running processes and drivers are doing.
Comments on NYT article: A sneaky security problem, ignored by the bad guys
Submitted by frank_boldewin on Thu, 2008-11-20 07:09. Today I read an article on the New York Times website called A sneaky security problem, ignored by the bad guys
NY Times: A Sneaky Security Problem
I had a conversation by phone and mail with its author Robert McMillan from IDG News beforehand and answered some of his questions about my Rustock.C research, as he planned to write the above story. There are some quotes by Al Huger from Symantec in this article I would like to comment on, as I disagree with most of his statements regarding rootkits.
Great Virtual Memory Overview by Mark Russinovich
Submitted by dannyquist on Tue, 2008-11-18 21:38. Virtual memory continues to be one of the things that people have a lot of problems understanding. There are lots of misconceptions about how this fundamental part of the operating system works. Mark Russinovich has done an excellent job, as usual, of distilling this information into a very readable form. I suggest you read his blog post titled Pushing the Limits of Windows: Virtual Memory on the TechNet site.
Exploiting human weakness with AntivirusPro 2009
Submitted by lithium on Mon, 2008-11-03 17:55. Malware
Almost every day our viewers ask us about rogue anti-malware software. Out of all of the questions we receive, the most common is "When will these attacks stop?" The sad truth is that we cannot see an end to this problem in sight. As long as malicious individuals are able to trick or force users into downloading, installing, and eventually paying for their fake "rogue" anti-malware products, they will continue to develop and push the envelope.
MS08-067 Gimmiv Worm
Submitted by dannyquist on Fri, 2008-10-24 09:59. Here is the Gimmiv worm that was created for the latest Microsoft patch. Kudos to Microsoft for patching the flaw out of band and not sitting on it.
d65df633dc2700d521ae4dff8c393bff
Please comment if you upload other samples and I will update this post.
Thanks to Dobby for these additional samples:
dc3fdfde66fffb6cfbec946a237787d8
f173007fbd8e2190af3be7837acd70a4
3ee354cc8b63b8849b28e6f376f2b263
6c3e53864541bb13fa7853f7b580b807
24cd978da62cff8370b83c26e134ff4c
Antivirus 2009 - 2 files added - 5 domains added (Low Detection) 1/36
Submitted by lithium on Thu, 2008-10-23 02:45. Malware
Today I came across a new Antivirus 2009 binary with a 1 out of 36 detection ratio on VirusTotal. The session starts at antivirus-best.com and that page is reduced to a pop-up message, as usual. Then we are briefly taken to voodoorevenue.com, where the affiliate information for the malware creators is sent, and then redirected to the point of download, protection-overview.com.
