Write once, cash everywhere
12, Sep, 2011
We happened to bump into a fancy piece of malware that is probably targeted at Russian mobile subscribers.
While malware running on the Android platform has rapidly become the most common malware threat for mobile,
Java ME is still going strong too. The malware in question has a VirusTotal score of 6/42.
- Posted by admin in General Information Security
Tool Release: A Banking Trojan Detection Tool
15, Aug, 2011
As many of our readers know, banking trojans have become extremely widespread over the course of the last few years. There are hundreds of thousands, if not millions, of computers on the internet that are infected by these malicious programs.
We created an experimental tool that can detect almost all variants from the top 5 banking trojan families: Zeus, SpyEye, Carberp, Gozi and Patcher, if they are active and running on the infected computer. The tool works by scanning the memory of each running process, looking for telltale signs of this malware. If any signs are detected, the tool will report the malware name and the affected process name.
The advantage of the tool is that it doesn’t use a conventional signature database, where detection can usually be avoided by re-packing the malware with a new obfuscation layer. Instead it looks for pieces of code that belong to the actual malware itself.
We’d love to hear any improvement suggestions and comments; feel free to contact us at info(at)fitsec.com
The tool can be downloaded here: http://www.fitsec.com/tools/DeBank.exe
By downloading and/or using the tool you agree to the license terms that are described here: http://www.fitsec.com/tools/license.txt
- Posted by admin in General Information Security
Palevo Tracker has been launched
1, Mar, 2011
Roman Huessy, the owner and maintainer of Zeus Tracker, has launched a new project called Palevo Tracker.
Palevo is a highly polymorphic bot that has been around for a few years, usually with low AV detection rates.
Below are a few AV engines and their detection names for this threat:
F-Secure: W32/Palevo
McAfee: W32/Palevo
Microsoft: Win32/Rimecud
Symantec: W32.Pilleuz
We warmly suggest visiting abuse.ch, either on their blog here or the AMaDa project, where you can access the blocklist service abuse.ch is producing.
- Posted by admin in General Information Security
Interesting news about Stuxnet
15, Feb, 2011
We noticed that Symantec had updated their whitepaper on Stuxnet. Stuxnet is a completely new breed of malware designed to be used as a cyber warfare weapon.
It appears that Stuxnet was a targeted attack against 5 institutions, all of which have a presence in Iran. You can read more about it in the Symantec blog entry.
- Posted by admin in General Information Security