This article is a translation of the "AntiMalware Project from malekal.com"
Thanks to Val51, johnyjohn, MarcAurele and Shimik_Root for the translation.
More information: https://www.malekal.com/ProjetAntiMalwares_en.php
Over the last few years, infections have become a real cash machine with the expansion of the Internet.
There are many ways of making money.
Those who make money are not only the groups that create on-line infections.
Some groups develop and send Trojans with an after-sales service.
Others sell WebMalwareKits etc.
Thus a whole ecosystem exists around infections.
Here are a few examples used to make money via infections:
- Turning your machine into a zombie PC / botnet (see also: http://www.answers.com/topic/botnet ).
Hackers build a network of infected PCs that they control and can rent out for money in order to carry out several tasks. You can read this page for more information: http://www.securelist.com/en/analysis?pubid=204792095
As a rule, these tasks consist of:
- Using infected computers to launch attacks against a specific website. Imagine 10,000 PCs sending continuous requests through broadband connections towards one website!
- Using infected computers to relay spam e-mails for commercial products.
- Making money via ads by infecting web users' computers with adware. Hackers create adware which displays advertising popups, or infections which cause redirections during Google searches. The hacker then earns a certain sum of money every time an ad popup is opened, so the higher the number of PCs opening popups, the more money the hacker makes.
- Deceiving web users by selling fake antispyware called rogues/scareware.
- Rogues alone generate millions of dollars; see:
http://www.secureworks.com/research/thr ... us-part-1/ & http://www.secureworks.com/research/thr ... us-part-2/
- They are just hollow and empty shells... a simple graphical interface looking like a classic antispyware, yet without any update or cleaning process. The aim is very simple. The authors of these fake antispywares flood the web via advertising sales agencies (companies which display advertisements on websites; within a few seconds, several million websites can display the same ad for the same product). They generally use fake security alerts claiming that your computer is infected and proposing to download those fake antispywares as a solution.
- Hackers create infections which display alerts claiming that your computer is infected (modified wallpaper with flashing red messages, bottom-right icon next to the clock warning about an infection) while proposing to download a rogue. If the user is naive enough, on seeing these alerts he will download and buy this fake product, which will not clean anything on his computer.
- Retrieving information for resale, such as e-mail addresses, credit card numbers etc., either via infections (Zbot / Zeus, Banker etc.) or via phishing.
- Retrieving on-line gaming account IDs in order to resell them; see: http://www.securelist.com/en/analysis?pubid=204791963
- Various other e-mail scams like the 419 / Nigerian scam...
- Creating fake security blogs to sell real antispywares and earn a percentage on sales. Bear in mind that rogue creators open blogs featuring alleged disinfection procedures via antispyware and that they earn money in the meantime...
In order to infect web users, malware creators use various ploys making good use of web users' gullibility and taking advantage of their lack of computer skills.
This article aims at giving you guidelines and examples of the methods used to infect large numbers of computers, the purpose of these examples being to better understand how infections spread in order to avoid them.
Infection through Web Sites
Infection through a website happens simply by surfing it.
Malware authors are permanently hacking many websites in order to infect Internet users.
If possible, they target big websites or themes likely to bring in a maximum of people, for example hack sites, crack sites or porn sites.
These hacked websites receive a 1-pixel-wide iframe pointing to one or more websites which host the exploits and the files.
Creating a website or a forum is nowadays something easy to do.
Unfortunately, these budding webmasters don't necessarily have the computing knowledge or the minimal security practices needed not to be hacked.
So malware authors add an invisible iframe to the website's home page.
Visitors' browsers automatically load the content of the iframe and are redirected to another address containing one or more exploits; if there is a vulnerability in the OS or in another piece of software, you are infected!
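As an added example (not part of the article), here is a small Python check a webmaster could run over their own pages to spot the invisible iframe described above: frames sized 0 or 1 pixel or hidden by CSS, especially when they pull content from another host. The sample page, the host names and the `find_hidden_iframes` helper are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Return the leading integer of a width/height value ("1", "1px"), else None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are sized or styled to be invisible."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Tiny frames: width/height attributes of 0 or 1 pixel.
        for dim in ("width", "height"):
            size = _px(a.get(dim))
            if size is not None and size <= 1:
                reasons.append(f"{dim}={a[dim]}")
        # Frames hidden through inline CSS.
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        for m in re.finditer(r"(width|height):(\d+)px", style):
            if int(m.group(2)) <= 1:
                reasons.append(f"style {m.group(1)}={m.group(2)}px")
        if not reasons:
            return
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        self.findings.append({
            "src": src,
            "reasons": reasons,
            # A hidden frame loading another host is the classic injection pattern.
            "external": bool(host) and host != self.site_host,
        })


def find_hidden_iframes(html, site_host):
    """Scan one page's HTML and return the suspicious iframes found."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page: one legitimate video embed and two hidden frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.youtube.com/embed/xyz" width="425" height="344"></iframe>
<iframe src="http://evil.example/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="/stats.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE, "www.mysite.example"):
        print(finding)
```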
Here is an example of an exploit of a vulnerability in Acrobat Reader.
When visiting a website with Internet Explorer 7 which serves a malicious PDF, IE loads Acrobat Reader (AcroRd32.exe) to read this file.
Then Acrobat Reader tries to connect to an address (195....100) to download the malicious code.
This malicious code is downloaded and Acrobat Reader tries to execute it under the file name ~.exe
If the file is executed, it installs the infection/the virus (whichever you want to call it) in the system.
In this example there is only one exploit, against Acrobat Reader, but when visiting a hacked website a series of exploits is tested so that one of them has a chance of working; there can be as many as twenty, targeting different programs: Quicktime ... ... ... and often Flash, ... via malicious PDF.
You have to understand that, to have a better chance of infecting your computer, a series of exploits targeting Windows or other programs is tested.
The aim of the malware authors is to raise the chances of infection by attacking as many different programs as possible, since it is highly likely that some programs on the targeted system are not up to date.
Since mid-2008, other programs, and in particular the plugins of your web browser, have been the main targets.
The simple fact of not updating these programs allows your PC to be infected.
You'll find further examples and explanations on the following page:
You must understand that it is important to update your system but also your programs.
One non-updated program is enough for your computer to be infected.
I repeat: the simple presence of one non-updated program is dangerous, even if you don't use it.
In this case you should uninstall it to gain in safety, because you may forget to update it.
Conclusion: instead of asking what the best antivirus is, start by keeping your system and programs updated, scanning for vulnerabilities and updating programs.
Keep your programs up to date with Secunia Personal Software Inspector (PSI)
Cracks, Keygens and P2P
Without lecturing you about software piracy, let us consider some facts so as to size up the risks of it…
In order to use paid software without spending a penny, many people remove the protections thanks to a program usually called a crack, or type a registration number generated by a keygen. Not all of these programs which make piracy easier are infected, but malware designers take advantage of the growing interest in them to spread their malignant creations.
Thus the over-confident user, thinking that he is going to bypass the protection, instead runs a malicious program with his administrator rights, which will bring about the infection of the system.
The following infection, Bagle, deactivates antivirus software and cleaning programs…
Scan extract from VirusTotal:
File keygen.exe received on 10.21.2008 12:41:09 (CET)
Current status: finished
Result: 10/36 (27.78%)
Antivirus Version Last Update Result
AntiVir 22.214.171.124 2008.10.21 -
Avast 4.8.1248.0 2008.10.15 -
AVG 126.96.36.199 2008.10.20 Win32/Themida
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.21 (Suspicious) - DNAScan
F-Secure 8.0.14332.0 2008.10.21 -
Kaspersky 188.8.131.52 2008.10.21 Trojan-Downloader.Win32.Bagle.aed
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3541 2008.10.21 Win32/Bagle.QA
Panda 184.108.40.206 2008.10.21 -
PCTools 220.127.116.11 2008.10.20 -
Symantec 10 2008.10.21 -
TheHacker 18.104.22.168.121 2008.10.21 W32/Behav-Heuristic-064
TrendMicro 8.700.0.1004 2008.10.21 -
Notice that many antivirus programs let the infection through. Here, an Avast or Panda user (for instance) would have let the infection into his computer without noticing anything.
And the prize goes to Virut.
Scan extract from VirusTotal:
File Rising_Star_188846661_svchost.exe received on 2009.02.13 11:18:51 (CET)
Antivirus Version Last Update Result
a-squared 22.214.171.124 2009.02.13 Virus.Win32.Virut.q!IK
AntiVir 126.96.36.199 2009.02.13 W32/Virut.Gen
Avast 4.8.1335.0 2009.02.12 -
AVG 188.8.131.52 2009.02.13 Win32/Virut
BitDefender 7.2 2009.02.13 -
DrWeb 4.44.0.09170 2009.02.13 Win32.Virut.56
GData 19 2009.02.13 -
K7AntiVirus 7.10.628 2009.02.12 Virus.Win32.Virut.CF1
Kaspersky 184.108.40.206 2009.02.13 Virus.Win32.Virut.ce
McAfee 5524 2009.02.12 W32/Virut.n.gen
Microsoft 1.4306 2009.02.13 Virus:Win32/Virut.BM
NOD32 3850 2009.02.13 Win32/Virut.NBK
Norman 6.00.02 2009.02.12 W32/Virut.BS
Panda 10.0.0.10 2009.02.12 Suspicious file
Sophos 4.38.0 2009.02.13 W32/Scribble-A
Symantec 10 2009.02.13 W32.Virut.CF
TrendMicro 8.700.0.1004 2009.02.13 PE_VIRUX.A-4
That virus is able to infect hundreds of legitimate files in a few hours. No way out but reformatting.
This video shows how fake crack websites lead to malware: http://www.youtube.com/watch?v=sHIAf2QfYxc
Be aware that malware creators set up fake crack websites where all the cracks are infected; other websites contain exploits, and if your browser is not up to date, then you are undoubtedly infected.
Moreover, some infections coming from cracks offered through P2P networks, once installed, share corrupted cracks over the P2P network so that other Internet users download them and get infected: http://www.youtube.com/watch?v=Sqf9Oocv2U0
How to avoid this kind of misfortune…
1- By favoring free software.
2- For those hooked on cracks, a simple file scan on VirusTotal should be enough in most cases, except when the infection is still unknown to antivirus software.
Scareware: Fake Antivirus
Scareware are fake antispyware programs, or programs that claim to detect errors in the Windows registry, on hard drives, etc. and ask you to fix them.
These detections are imaginary and are created to push a paid version on you to "disinfect" the false detections.
They are therefore swindles. At a price of about 40 Euros per scareware, these swindles generate several thousand Euros a year.
Scareware example showing fake detected threats:
Scareware can be installed automatically by an infection kit.
These infections show constant alerts to persuade the Internet user that he is infected. These alerts imitate Windows elements to deceive the Internet user into believing that they come from Windows, which makes them look legitimate.
These alerts are bubbles coming from a lower-right icon next to the clock:
Infections can also modify the wallpaper with bright colors to frighten the Internet user:
Finally, these infections show countless alert popups very frequently and redirect the Internet user to scareware download pages:
To better deceive the Internet user, some windows imitate Windows elements such as the Security Center.
For many Internet users it is difficult to tell the difference, since some scareware names are like "Antivirus Windows" and use Windows / Microsoft colors (blue, etc.).
The novice Internet user can then believe that the antivirus is simply published by Microsoft.
Fake security center webpage :
Fake Internet Explorer alert webpage :
Some infections redirect the user's Google searches to fake antivirus scan pages.
These fake scan pages are only animations, but a novice Internet user may believe that HIS hard disk is being scanned and that fatal elements have been detected.
At the end of these fake scans, a rogue is offered for download to disinfect your PC.
Since 2008, malware authors have used new methods to reach more Internet users:
- generating countless "fake websites" containing keywords likely to be typed into search engines by Internet users.
By clicking one of these "fake websites" in the search results, the Internet user is redirected to a fake scan page (the principle of SEO poisoning).
- generating fake advertisement banners (malvertisements), which can end up on legitimate and often very busy websites. An Internet user who visits these websites can then be redirected to a fake scan page. For example, a malvertisement on jeuxvideo.com
These infections rely heavily on social engineering to deceive Internet users.
Many Internet users get confused about whether their PC is really infected, when in fact it is infected by a malware which opens fake alert popups or causes redirections during Google searches.
Beyond that, an inexperienced Internet user who does not know these threats exist and who does not master the computer can have difficulty telling true alarms from fake ones.
Once again, inform yourself before purchasing a program.
Some blogs about rogues/Scamware :
MS Malware Protection Center - Some Rogues Screenshots from the encyclopedia :
http://www.microsoft.com/security/porta ... fWinwebsec
http://www.microsoft.com/security/porta ... 2fFakeRean
http://www.microsoft.com/security/porta ... 32/FakeXPA
http://www.microsoft.com/security/porta ... tAntivirus
http://www.microsoft.com/security/porta ... FakeSpypro
Removable disks infections (USB flash drive/external hard drive)
Removable disks infections are those which spread via USB flash drives, digital photography devices, external hard drives, etc.
USB flash drives now represent indispensable tools for sharing files; we connect them to friends' or schools' computers or in cybercafés… but the thing is that these removable disks are more and more used to spread infections.
The mere use of these peripherals within any infected computer leads to the infection of your peripheral and therefore to the infection of any computer in which you might connect it. Back home, if you connect it to your computer, that will be infected too.
In turn, every device connected to your recently-infected computer will be infected as well: a way to infect your friends, family and so on.
You must not only be careful with which computers you connect your USB flash drives to, but also USB flash drives used on your computer (pay attention when you let your friends connect them). There are breeding grounds for getting these infections, like schools, cybercafés, etc… in short, places where many USB flash drives might be connected.
It is possible to secure your computer and peripherals in order to avoid these infections; you may also find detailed explanations about the good habits to get, and about the functioning of these kinds of infection.
Once you understand how these infections work, you might be able to avoid them:
Mail: Infections / Hoax / Scam / Phishing
Like many people, you may be receiving some e-mails from senders you don't know that incite you to click on a link or open an e-mail attachment. The rule is rather simple: if you don't know the sender, then delete the e-mail. Even though the e-mail seems to come from Microsoft or your best friend, you must be careful, because the address might have been faked or your best friend may be infected without knowing it. Remember that, for instance, if the e-mail is written in English or in badly translated French, that can be a hint about the degree of danger of the infection.
Indeed, some of these e-mails from an unknown sender might contain an infection, either in an attachment or behind a link. Therefore, you must be very careful when you choose to open an attachment or to click on a link proposed in an e-mail.
Hoaxes are e-mails spreading fake news.
More information about hoaxes.
- These rumors mostly try to play on the recipient's feelings with nasty news, so as to get him to pass the mail on to his close relatives. The main subjects tackled are: virus notifications, children's disappearances, promises of happiness, petitions, etc.
- Conversely, some hoaxes intend to convey fake news by means of a strong argumentation, mixing truth and lies, giving true and false figures… Most of the time, these hoaxes do not reveal the source of their figures.
- Hoaxes generally end with a sentence inciting the recipient to spread the rumor himself by sending it to his close relatives: "Passing on the news could save a life!"
- The « scam » is a swindle usually sent by e-mail.
The 419 Scam / Nigerian Scam, coming from Africa, is one of the most active and consists of shaking Internet users down by holding out a sum of money on which they could receive a commission. This scam comes from Nigeria and is also called "419" in reference to the article of the Nigerian penal code that punishes this kind of practice.
This swindle always takes the form of a mail (also called spam today) in which, for instance, a young African, member of a rich family, explains his need to transfer money quickly abroad for some reason (mainly because of the civil war raging in his country). He asks for your help with this transfer, and consequently offers you a commission on the sum to be transferred.
Another variant makes you believe that you are the fortunate winner of a lottery… that you never even took part in.
These swindles promise a big sum of money under various pretexts (transfer of money, lottery) so as to eventually shake money out of you.
How to detect a scam?
More information about scams
- The e-mail is full of spelling mistakes (automatic translation).
- The domain of the sender's address and its extension (@domain.com) are often illogical (an e-mail from an alleged Nigerian with a .sk, Slovakia, extension; an e-mail from some Microsoft lottery with a yahoo.com address…).
- Etc.
- « Phishing » is a fraudulent technique used by hackers to obtain personal information.
Most of the time, the purpose of this technique is to obtain banking information in order to misuse it. Phishing is mainly carried out either by e-mail or via forged websites.
The technique is simple: get the Internet user to believe that the e-mail or the forged website he is currently on is the real one of his bank.
Fortunately, one detail lets you identify this kind of e-mail or website: the address is never the same, even though it looks like it.
Moreover, you must remember that your bank would NEVER ask you for your banking information by e-mail, because they know the risk of phishing.
Also keep in mind that phishing is not always used to steal banking information but also to steal your PayPal identity or your video game accounts.
Recognize phishing scams and fraudulent e-mails
More information about phishing
IM (instant messaging) worms spread via the corresponding software (MSN, Yahoo Messenger, ICQ etc.) and appear as a message from a supposed contact (it can happen even though the contact is off-line).
Here are a few examples :
- my hots pics
- haha this should be your default pic on Myspace
- Check out my nice photo album.
- wanna see the pics from my vacation? :>
- OMG YOU HAVE TO SEE THIS PICTURE!!!!
- IS THIS REALLY YOU ??? i cant remember who sent it to me...
- My friend took nice photos of me.you Should see em loL!
- I found these old school pictures... LOL
- Here are my private pictures for you
Here is the VirusTotal* report about one of the downloaded files:
File viewimage.php received on 2009.02.08 21:57:53 (CET)
Current status: finished
Result: 17/39 (43.59%)
Antivirus Version Last Update Result
a-squared 220.127.116.11 2009.02.08 Backdoor.Rbot!IK
AhnLab-V3 18.104.22.168 2009.02.07 -
AntiVir 22.214.171.124 2009.02.08 DR/Agent2.dfj
Authentium 126.96.36.199 2009.02.08 -
Avast 4.8.1335.0 2009.02.08 -
AVG 188.8.131.52 2009.02.08 -
BitDefender 7.2 2009.02.08 MemScan:Backdoor.RBot.YBJ
CAT-QuickHeal 10.00 2009.02.07 TrojanDropper.Agent.yyg
ClamAV 0.94.1 2009.02.08 -
Comodo 971 2009.02.08 -
DrWeb 4.44.0.09170 2009.02.08 BackDoor.IRC.Sdbot.3762
eSafe 184.108.40.206 2009.02.08 Win32.VirToolCeeInje
eTrust-Vet 31.6.6346 2009.02.07 -
F-Prot 220.127.116.11 2009.02.08 -
F-Secure 8.0.14470.0 2009.02.08 -
Fortinet 18.104.22.168 2009.02.08 -
GData 19 2009.02.08 MemScan:Backdoor.RBot.YBJ
Ikarus T22.214.171.124.0 2009.02.08 Backdoor.Rbot
K7AntiVirus 7.10.623 2009.02.07 -
Kaspersky 126.96.36.199 2009.02.08 Trojan.Win32.Agent2.dfj
McAfee 5520 2009.02.08 -
McAfee+Artemis 5520 2009.02.08 Generic!Artemis
Microsoft 1.4306 2009.02.08 VirTool:Win32/CeeInject.gen!J
NOD32 3836 2009.02.07 -
Norman 6.00.02 2009.02.06 Ircbot.AMAM.dropper
nProtect 2009.1.8.0 2009.02.08 MemScan:Backdoor.RBot.YBJ
Panda 188.8.131.52 2009.02.08 -
PCTools 184.108.40.206 2009.02.08 -
Prevx1 V2 2009.02.08 -
Rising 21.15.50.00 2009.02.07 -
SecureWeb-Gateway 6.7.6 2009.02.08 Trojan.Dropper.Agent2.dfj
Sophos 4.38.0 2009.02.08 Mal/Behav-243
Sunbelt 3.2.1847.2 2009.02.07 -
Symantec 10 2009.02.08 Backdoor.IRC.Bot
TheHacker 220.127.116.11.249 2009.02.08 -
TrendMicro 8.700.0.1004 2009.02.06 -
VBA32 18.104.22.168 2009.02.08 -
ViRobot 2009.2.6.1594 2009.02.06 -
VirusBuster 22.214.171.124 2009.02.08 Trojan.DR.Agent.Gen.15
File size: 102913 bytes
*VirusTotal is a website where you can upload a file and have it analyzed by various antivirus software. It allows for a better appraisal of suspicious files.
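As an added example (not part of the article), here is a small parser for the flattened VirusTotal text extracts quoted in this article (the Bagle keygen, Virut and viewimage.php reports): it reads the "Vendor Version Date Result" rows, lists the engines that let the file through, and sets the extract against the overall ratio VirusTotal reported. The sample input is the article's first extract; the keywords used to flag heuristic detections are my own assumption.

```python
import re
from collections import namedtuple

Row = namedtuple("Row", "vendor version updated result")

# VirusTotal printed engine dates as YYYY.MM.DD in the extracts quoted above.
_DATE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")
# Assumed markers of a heuristic/generic hit rather than a specific signature.
_HEURISTIC = re.compile(r"suspicious|heuristic|generic|behav", re.I)


def parse_rows(text):
    """Turn 'Vendor Version Date Result' lines into Row tuples; skip everything else."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not _DATE.match(parts[2]):
            continue  # "File ... received on", "Result: 10/36", header, blank
        rows.append(Row(parts[0], parts[1], parts[2], " ".join(parts[3:])))
    return rows


def summarize(text):
    """Which engines flagged the file, which let it through, and the reported ratio."""
    rows = parse_rows(text)
    detected = [r for r in rows if r.result != "-"]  # "-" means no detection
    reported = re.search(r"Result:\s*(\d+)/(\d+)", text)
    return {
        "engines": len(rows),
        "detected": len(detected),
        "missed": [r.vendor for r in rows if r.result == "-"],
        "heuristic": [r.vendor for r in detected if _HEURISTIC.search(r.result)],
        "names": {r.vendor: r.result for r in detected},
        # Ratio VirusTotal reported for the full scan (an extract shows only a subset).
        "reported": (int(reported.group(1)), int(reported.group(2))) if reported else None,
    }


# The Bagle keygen extract quoted in the article (version numbers as rendered there).
BAGLE_EXTRACT = """File keygen.exe received on 10.21.2008 12:41:09 (CET)
Result: 10/36 (27.78%)
AntiVir 22.214.171.124 2008.10.21 -
Avast 4.8.1248.0 2008.10.15 -
AVG 126.96.36.199 2008.10.20 Win32/Themida
BitDefender 7.2 2008.10.21 -
CAT-QuickHeal 9.50 2008.10.21 (Suspicious) - DNAScan
F-Secure 8.0.14332.0 2008.10.21 -
Kaspersky 188.8.131.52 2008.10.21 Trojan-Downloader.Win32.Bagle.aed
McAfee 5409 2008.10.21 -
Microsoft 1.4005 2008.10.21 -
NOD32 3541 2008.10.21 Win32/Bagle.QA
Panda 184.108.40.206 2008.10.21 -
PCTools 220.127.116.11 2008.10.20 -
Symantec 10 2008.10.21 -
TheHacker 18.104.22.168.121 2008.10.21 W32/Behav-Heuristic-064
TrendMicro 8.700.0.1004 2008.10.21 -"""

if __name__ == "__main__":
    s = summarize(BAGLE_EXTRACT)
    print(f"{s['detected']}/{s['engines']} engines in the extract flagged the file")
    print("missed by:", ", ".join(s["missed"]))
```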
To conclude: never download a file from a link sent by a contact, especially if the contact is off-line.
Within the last year, a new form of attack has appeared.
Some websites offer to check whether your contacts have blocked you. To do this, you must enter your MSN login information (user name and password). Once they get hold of your ID, these services log on to your account and advertise themselves.
To sum up:
- Never ever give out your login ID and especially your password.
We hope this article will raise your awareness of Internet threats.
Your protection software is your ally, but it does not do everything... A minimum of knowledge about computing and about how threats spread, as well as good surfing habits, will enable you to stop infecting your PC.
You will find more information on Internet threats in the pages below:
And remember: PC security is not limited to the software installed.
If you want to take part in the AntiMalware Project, you can publish this document on your site or forum, send the PDF version to your friends by e-mail, or simply use the banner as a link.
Html code :
<a href="https://www.malekal.com/ProjetAntiMalwares_en.php"><img style="border: 0px solid" alt="Projet AntiMalware"
If you are simply a forum member, you can use this banner as a signature.
AntiMalware Project bbcode for forum signature:
For further information: https://www.malekal.com/ProjetAntiMalwares_en.php