Articles Archive for December 2009
Posted in Information and Removal on 31 December 2009
We’ve received a lot of positive feedback for our three part paper on Koobface (I, II, III) from all parts of the IT industry, but now the malware authors themselves have chimed in.
The Koobface gang (who are attempting to make people believe that they are a legitimate company) have left a Christmas message on each [...]
Post from: TrendLabs | Malware Blog - by Trend Micro
Posted in Information and Removal on 31 December 2009
Trend Micro threat analysts were alerted to the discovery of several compromised websites injected with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which lets it delay executing its routine, that is, redirecting the user to several malicious websites. This is done so users will [...]
Post from: TrendLabs | Malware Blog - by Trend Micro
Posted in Information and Removal on 31 December 2009
SpyEraser is a rogue anti-spyware application, a fake scanner that shows fake security alerts and fake infections to trick the user of the compromised computer into believing that the computer is badly infected. This fraud tool then asks the user to pay for a full version of the program to remove the infections, which of course [...]
Posted in Information and Removal on 30 December 2009
This blog posting is a New Year gift for advanced Outpost users. We heard and read some complaints concerning a lack of information about the firewall improvements. Indeed, we may have overlooked the firewall development announcements in the past, as they usually refer to something “not visible” and intangible. Now we’d like to correct this mistake and tell you more about Outpost firewall technology 2010.
Warning! Watch out! Gobbledygook
1. Windows 7-related activity
Agnitum’s R&D has implemented a new mechanism for network activity and content filtration using Windows Filtering Platform (WFP) technology. This has helped to resolve compatibility issues with Windows 7 and, potentially, with future Microsoft operating systems, because WFP is positioned as the main filtering platform for future Windows releases. As a result, the new mechanism brings more stability to Outpost solutions, including in its interaction with other network filters.
2. Windows Filtering Platform on Vista
Because the WFP-based filter operates successfully and stably on Windows 7, we decided to use the same technology on Vista (from SP1) instead of the TLI filter, which was built by intercepting undocumented OS interfaces. As the WFP interfaces on Vista and Windows 7 differ significantly in a number of critical aspects, our team performed a separate integration of the WFP filter on Vista. This helped resolve critical errors that could lead to a BSOD when using TLI.
3. Using the new filtration mechanism for received packets on Vista/Windows 7. Optimized performance on high-speed links.
The packet filter’s handling of incoming packets arriving at elevated IRQLs was substantially reworked: such packets are now queued for deferred processing by a worker thread pool. This lowers the CPU load during filtration and improves system “responsiveness” under intensive network activity.
4. Channel load between the driver and managing service was dramatically decreased. Increased system stability and lower CPU load as a result.
Special rules for the packet sniffer were introduced so that it can be configured precisely to receive only essential information about filtered packets, for example blocked packets and packets related to connection establishment/termination. Minimizing packet notifications between the driver and the service led to a lower system load.
5. Content filtration improvements (loopback, no binary flow filtration)
A mechanism for rule creation and behavior control in content filtration was introduced that limits the volume of filtered data by excluding data transmitted over the loopback channel as well as binary data that is irrelevant for content control. The detection and exclusion of binary streams is fully implemented in the driver, which minimizes the number of messages between the driver and the service, facilitates content filtering and reduces the impact on system performance.
In addition, critical errors in the TDI/TLI filters used on Windows 2000/XP/Vista RTM were fixed, which improved system stability.
6. SPI for UDP implemented (regards to good old Outpost 4.0)
We introduced a mechanism that blocks attempts to use non-TCP endpoints in server mode. In other words, incoming datagrams are accepted on an endpoint only from those remote hosts to which at least one datagram has already been sent from that endpoint. The mechanism allows restricting datagram endpoint usage to the client role of the client-server model. This adds flexibility to the network security settings.
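The UDP stateful inspection rule above, written out as a small simulation. This is an added illustration, not Outpost’s code; the trace and addresses are constructed, and the host-only matching (ignoring the remote port) and the absence of entry expiry are this example’s own simplifications.

```python
"""Stateful inspection for UDP: an inbound datagram to a local endpoint is
accepted only from a remote host that endpoint has already sent to."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (local IP, local port)


@dataclass
class UdpSpi:
    # Per local endpoint: remote hosts it has sent at least one datagram to.
    # Matching on host only (not port) follows the text ("remote hosts").
    # A real filter would also age these entries out; omitted here.
    peers: Dict[Endpoint, Set[str]] = field(default_factory=dict)

    def outbound(self, local: Endpoint, remote_ip: str) -> None:
        """Record that `local` sent a datagram to `remote_ip`."""
        self.peers.setdefault(local, set()).add(remote_ip)

    def inbound(self, local: Endpoint, remote_ip: str) -> bool:
        """Accept only if `local` previously sent to `remote_ip`. An endpoint
        that never sent anything behaves like a server listener, so every
        unsolicited datagram addressed to it is dropped."""
        return remote_ip in self.peers.get(local, set())


def simulate(events) -> List[Tuple[str, Endpoint, str]]:
    """Replay ('out'|'in', local, remote_ip) events; return verdicts for 'in'."""
    spi = UdpSpi()
    verdicts = []
    for direction, local, remote in events:
        if direction == "out":
            spi.outbound(local, remote)
        else:
            verdict = "accept" if spi.inbound(local, remote) else "drop"
            verdicts.append((verdict, local, remote))
    return verdicts


# Constructed sample trace: a DNS query and its reply, an unsolicited datagram
# to the same client port from another host, and one to a silent listener.
SAMPLE_TRACE = [
    ("out", ("192.0.2.10", 53001), "192.0.2.53"),    # client -> resolver
    ("in",  ("192.0.2.10", 53001), "192.0.2.53"),    # resolver reply: accept
    ("in",  ("192.0.2.10", 53001), "198.51.100.7"),  # unsolicited: drop
    ("in",  ("192.0.2.10", 1900),  "198.51.100.7"),  # listener never sent: drop
]

if __name__ == "__main__":
    for verdict, local, remote in simulate(SAMPLE_TRACE):
        print(f"{verdict:6} {local[0]}:{local[1]} <- {remote}")
```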
7. Filtration of invalid TCP flags
The packet filter checks TCP flags and classifies a packet as unwanted if it carries an invalid combination of TCP flags. This mechanism reduces the load on the firewall and the network stack when a host is bombarded with such packets, because they are blocked at the earliest stage.
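A flag-combination check of the kind described above, as an added example rather than Outpost’s own code. The post does not list which combinations Outpost rejects, so the rule set here is this example’s assumption (the classic nonsensical combinations); the header builder only constructs sample input.

```python
"""Classify raw TCP headers by their flag combination: 'pass' or 'drop:<reason>'."""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags_invalid(flags: int) -> Optional[str]:
    """Return a reason if the low six flag bits form an invalid combination."""
    f = flags & 0x3F
    if f == 0:
        return "null scan (no flags)"
    if f & SYN and f & FIN:
        return "SYN+FIN"                # open and close in the same segment
    if f & SYN and f & RST:
        return "SYN+RST"                # open and abort in the same segment
    if f & FIN and not f & ACK:
        return "FIN without ACK"        # also catches FIN+PSH+URG probes
    if f & (PSH | URG) and not f & ACK:
        return "PSH/URG without ACK"    # data flags only appear once ACK is set
    return None


def classify_segment(raw: bytes) -> str:
    """Inspect the flags byte (offset 13) of a raw TCP header.
    The NS bit in the low bit of byte 12 is ignored by this check."""
    if len(raw) < 20:
        return "drop:truncated header"
    reason = tcp_flags_invalid(raw[13])
    return "pass" if reason is None else f"drop:{reason}"


def build_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Construct a minimal 20-byte TCP header carrying `flags` (sample input)."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


if __name__ == "__main__":
    for name, fl in [("SYN", SYN), ("SYN+ACK", SYN | ACK), ("null", 0),
                     ("SYN+FIN", SYN | FIN), ("Xmas", FIN | PSH | URG)]:
        print(f"{name:8} -> {classify_segment(build_header(fl))}")
```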
That’s it for now. We hope you’ll find enough food for reflection in this article.
Looking forward to your feedback!
Last but not least we’d like to wish you a Happy New Year! Best luck, happiness and health in 2010!
Maxim Korobtsev, CTO, Agnitum
Posted in Information and Removal on 30 December 2009
GreatDefender is a rogue anti-spyware application, a fake spyware removal tool that has only one goal: to rip people off. If you have seen at least a couple of rogue programs from the WiniSoft family, you will easily recognize that this one is just a rename of the previous programs from that family: SysDefence, TheDefend, [...]
Posted in Information and Removal on 30 December 2009
Antivirus PC 2009 is a rogue anti-virus program that is promoted and installed through the use of Trojans or other malicious software. It’s classified as a rogue application because it uses misleading methods to trick the user of the compromised computer into believing that his computer has many serious security problems/threats. The rogue program also [...]
Posted in Information and Removal on 30 December 2009
SystemCleanerPRO is a rogue antivirus application, a clone of the WinSpywareProtect malware. It deliberately displays false scan results to make you think that your computer has many security threats. This fake application is configured to start automatically when Windows starts, so it will show up every time you log on to Windows. SystemCleanerPRO will then display [...]