MoMusings

Thursday 29th July, 2004


More New Worms Trapped and Other News Items

Filed under: All, Malware

This blog will not always have articles or comments about specific malware-related topics that grab my attention, or that I want to air [or get asked to comment on]. Today is a perfect example of what else I might blog about, as it is a mixture of snippets from malware-related news stories and some technical ‘stuff’ for those that ‘need’ their daily ‘fix’ of new or breaking ‘threats’.

Bulk of year’s PC infections pinned to one man (CNet)

“Sven Jaschan, self-confessed author of the Netsky and Sasser viruses, is responsible for 70 percent of virus infections in 2004, according to a six-month virus roundup published Wednesday by antivirus company Sophos.” - Link to Full Article

Related to this …

Sophos, a world leader in protecting businesses against viruses and spam, has released a report which reveals that the number of new viruses being written is increasing. In total, Sophos has detected and protected against 4 677 new viruses in the first six months of 2004, up 21% on the same period last year. - Link to Full Article

A single ’superworm’ attack could cost business as much as $50bn

Pete Simpson, ThreatLab manager at Clearswift, examines research that estimates the possible economic impact of a ‘worst-case worm’ attack.

Estimating the damage that serious worm infections cost businesses is a tough job, and in the past some puzzling figures have emerged.

That’s why a recent analysis by academics Nicholas Weaver and Vern Paxson, members of the International Computer Science Institute (ICSI), is worth attention. - Link to Full Article

The full Weaver and Paxson report is available here.

Details of Microsoft antivirus software leak out

An executive of Microsoft in France divulged on Wednesday some of the software maker’s plans for its highly anticipated entry into the antivirus software market.
A standalone antivirus product will be built from tools the company inherited through its 2003 acquisitions of GeCad and Pelican Software, - Link to Full Article

More multi-component malware found.

I trapped yet another Ranky and SdBot RAR SFX dropper package yesterday. The file CAJUN.EXE gets dropped to the root of a Windows share and when launched it unpacks the two components [BNNBNBF.EXE and NNBBF.EXE] and installs them. The samples were duly sent to the AV vendors and researchers that I send samples of new malware to.

Details of the dropper and the extracted files appear below:

File name: cajun.exe
File Date/Time: 23/07/2004 13:54:42
File Size: 115767
MD5 Hash: 8322e9c935fbe4592e3b1e62ce0d03ee
CRC32: E67127AA
File Type: PE Executable, RAR SFX
Packer: UPX
Sample trapped by WormCharmer*.

Details of the two files in the RAR SFX detailed above:

File Name: bnnbnbf.exe
File Date/Time: 18/07/2004 23:35:26
File Size: 46592
MD5 Hash: 73bcf810ebebb140a814dfb55998a739
CRC32: 2154466B
File Type: PE Executable
Packer: UPX
	
File Name: nnbbf.exe
File Date/Time: 18/07/2004 23:35:26
File Size: 19968
MD5 Hash: 531f05c2e2a97ffdc3a687dd721ae161
CRC32: 293411BA
File Type: PE Executable
Packer: UPX

These have now been identified and most AV products should now detect them:

bnnbnbf.exe infected: Backdoor.SdBot.np [Kaspersky]
nnbbf.exe infected: TrojanProxy.Win32.Ranky.an [Kaspersky]
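
A triage sketch for the indicators above, added here as an example and not the author's or WormCharmer's code: it checks the files in a share root against the listed size/MD5/CRC32 values, and separately flags name-only matches and any PE file carrying an embedded RAR archive. The function names and finding labels are assumptions made for this example.

```python
import hashlib
import os
import sys
import zlib

# Indicators copied from the post: lower-case name -> (size, MD5, CRC32)
INDICATORS = {
    "cajun.exe": (115767, "8322e9c935fbe4592e3b1e62ce0d03ee", "E67127AA"),
    "bnnbnbf.exe": (46592, "73bcf810ebebb140a814dfb55998a739", "2154466B"),
    "nnbbf.exe": (19968, "531f05c2e2a97ffdc3a687dd721ae161", "293411BA"),
}
RAR_MARKER = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x archive signature


def triage(path):
    """Return findings for one file, strongest first (empty list = no hit)."""
    with open(path, "rb") as fh:
        data = fh.read()  # whole-file read; assumes share-root files are small
    md5 = hashlib.md5(data).hexdigest()
    crc = "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)
    findings = [
        "exact:" + name
        for name, (size, want_md5, want_crc) in INDICATORS.items()
        if (len(data), md5, crc) == (size, want_md5, want_crc)
    ]
    name = os.path.basename(path).lower()
    if not findings and name in INDICATORS:
        # Same file name, different content: possible variant or coincidence.
        findings.append("name-only:" + name)
    if data[:2] == b"MZ" and RAR_MARKER in data:
        # PE header plus an embedded RAR archive, i.e. a RAR SFX package.
        findings.append("pe-rar-sfx")
    return findings


def scan_root(root):
    """Triage regular files directly under root; return {filename: findings}."""
    hits = {}
    for entry in os.scandir(root):
        if entry.is_file(follow_symlinks=False):
            found = triage(entry.path)
            if found:
                hits[entry.name] = found
    return hits


if __name__ == "__main__":
    for fname, found in sorted(scan_root(sys.argv[1]).items()):
        print(fname, ", ".join(found))
```

An `exact` hit requires size, MD5 and CRC32 to agree; `name-only` and `pe-rar-sfx` are leads for review, since legitimate self-extracting installers also match the latter.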

Good news for those that use my SNORT signatures: the existing Ranky and SdBot Dropper signature identifies all variants of the droppers that I’ve so far trapped.

This brings my total up to 65 new ones so far this year.

Please drop me a line if you would like me to post future trapped sample data to this blog.

*If you want to find out more about WormCharmer, then see here.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.
