Archive for January, 2008

A Stormy Valentine's Day ahead of us…

Tuesday, January 15th, 2008

It looks like the Storm Worm is with us once again.

Emails have been spammed out with a subject line containing one of the following:

Falling In Love with You
Special Romance
You’re In My Thoughts
Sent with Love
Our Love Will Last
Our Love is Strong
Your Love Has Opened
You’re the One
A Toast My Love
Heavenly Love

If a user clicks the link in the email, they are taken to a website that tries to get unsuspecting users to download their Love ecard. If run, the "ecard" turns the user's PC into a bot, which then joins the many others in the Storm Worm botnet.

It seems a bit early for Valentine's Day though! Maybe the authors released it by mistake?

If not, then we could be in for a long run-up to Valentine's Day.

Keep Safe

Steo – www.antirootkit.com


Anti Rootkit Software Scanners for Vista

Friday, January 11th, 2008

We are often asked which anti-rootkit scanners are available for Windows Vista. Currently only 7 of the 20 or so scanners available work with Vista, and those only work with 32-bit versions of Vista.

Here is a list of the 7 in alphabetical order. Click on the scanner name or screenshot to go to a more detailed page where you can download the software.

F-Secure Blacklight
GMER
Icesword
Rootkit Hook Analyser
Rootkit Revealer
Rootkit Unhooker
Unhackme

Keep Safe,

Steo – www.antirootkit.com

Security Flaw in Vista and XP – Rootkit exploit in the wild

Thursday, January 3rd, 2008

In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this had been more of a proof of concept (POC).

This shows how much effort rootkit authors are putting into creating new ways of evading anti-rootkit software. It is a new attack vector for malware writers and gives them control from outside the operating system.

This rootkit uses the MBR flaw: the MBR can be written to from within Windows.

The rootkit installs itself (244K) on the last sectors of the user's disk and then modifies other sectors, including sector 0. The code runs before your PC boots into XP, Vista or NT and has full control of the boot process, which means it can install and run any application it wants without you, or XP, Vista or NT, knowing about it.
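As an added example (not code from the original post or from GMER), here is a Python baseline check over sector 0: it parses the partition table and hashes the boot-code region, flagging the pattern described above, where the boot code is replaced while the partition table is left intact so the machine still boots. The sample sectors and their boot-code bytes are constructed placeholders.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440   # bytes 0..439 hold the boot code an MBR rootkit overwrites
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the 6-byte signature area


def parse_mbr(sector0: bytes) -> dict:
    """Split sector 0 into the regions a baseline comparison cares about."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": sector0[440:444].hex(),
        "partitions": entries,
        "valid_signature": sector0[510:] == b"\x55\xaa",
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Findings for the current sector 0 relative to a known-good copy."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        if old["partitions"] == new["partitions"]:
            # bootkit pattern: boot code replaced, partition table kept so the OS still boots
            findings.append("boot code changed, partition table untouched: possible MBR rootkit")
        else:
            findings.append("boot code and partition table both changed (repartition or reinstall?)")
    return findings


def _sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition, 0x55AA trailer."""
    part = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + b"\xde\xad\xbe\xef\x00\x00" + part + b"\x00" * 48 + b"\x55\xaa"


CLEAN_MBR = _sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # placeholder "known good" boot code
TAMPERED_MBR = _sample_mbr(b"\xea\x00\x7c\x00\x00")       # placeholder: boot code swapped, table kept
# On a real system read sector 0 with open(r"\\.\PhysicalDrive0", "rb").read(512) (needs admin rights)
```

Take the live copy of sector 0 from a clean boot medium rather than from inside the running OS, since the rootkit controls the boot process before the OS is up and the post notes it can only be removed with its code not running.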

GMER has written an excellent write-up on the MBR rootkit that goes into more depth on the issue.

Indeed, GMER's anti-rootkit software can find the rootkit.

[Screenshot: GMER detecting the MBR rootkit]

The rootkit files cannot be removed from within XP, Vista or NT and must be removed without the PC running the rootkit code.

Until the MBR security flaw in the NT code is fixed, we will all soon be riddled with MBR rootkits.

Keep Safe,

regards,

Steo – www.antirootkit.com


New Storm Worm Rootkit Domain happy2008toyou.com appears on the stroke of Midnight

Tuesday, January 1st, 2008

Another Storm Worm domain has popped up on the radar:

happy2008toyou.com

The whois…


The full list of domains we currently have is:


The filename downloaded is happy_2008.exe

Most virus scanners detect it.

Have a happy New Year,

Keep Safe,

regards,

Steo