The Latest in IT Security

Somebody Doesn’t Like Krebs on Security

23 Jun 2011

At F-Secure Labs, we design, build, and use numerous systems that perform automated sample analysis.

Some of that automation monitors suspicious code for various keywords. And why do we monitor for keywords? Because some malware authors like to embed hidden messages in their code.

For example, Virus:W32/Divvi contains this string: “Mikko cut ur ponytail” — clearly a reference to our own Mikko Hypponen.

Many malware authors also sprinkle their code with references to pop culture, using words such as “Chuck Norris”.

We’ve even come across a David Hasselhoff themed Remote Administration Tool (RAT).

[Image: The Hoff]

Fraud-News.com was recently hacked to post a false story that Mikko and Brian Krebs were arrested for credit card fraud.

[Image: Fraud-News]

Naturally, we began monitoring incoming samples for the keyword “Krebs”.

And it didn’t take very long before something turned up.

Trojan-Downloader:W32/Agent.DTBM (SHA-1: 20dba9e7730094341f327194f67b43bd751dd9cf) creates the following mutex:

DANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED

Hmm, looks like analyst and ZDNet.com blogger Dancho Danchev should be added to our watch list…
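The keyword monitoring described above is easy to reproduce in a small static scanner. The block below is an added example written for this page, not F-Secure's own automation: it pulls printable ASCII and UTF-16LE strings out of a binary blob, matches them case-insensitively against a watchlist of names, and records the sample's SHA-1 for the report. The sample bytes are constructed here to carry the mutex name and the Divvi string; a real pipeline would feed it files from the sample queue, and mutex names created at runtime would normally come from a sandbox log rather than from strings alone.

```python
import hashlib
import re

# Constructed stand-in for a sample: a few filler bytes with an ASCII mutex name,
# a UTF-16LE string and a hostname embedded. Not the real trojan.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"DANCHODANCHEV_AND_BRIANKREBS_GOT_MARRIED\x00"
    + b"\x00" * 8
    + "Mikko cut ur ponytail".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"http://fatgirlsloveme.com/\x00"
)

# Names we want to be told about (compared in lower case).
WATCHLIST = ["krebs", "mikko", "danchev", "hypponen"]


def extract_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def keyword_hits(data, watchlist=WATCHLIST):
    """Map each watchlist keyword to the extracted strings that contain it."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for kw in watchlist:
            if kw in low:
                hits.setdefault(kw, []).append(s)
    return hits


def sha1_hex(data):
    """SHA-1 of the sample, the identifier used in the write-up above."""
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    print("SHA-1:", sha1_hex(SAMPLE))
    for kw, strings in keyword_hits(SAMPLE).items():
        print(f"{kw}: {strings}")
```

Scanning both narrow and wide strings matters on Windows samples, since mutex names and messages are often stored as UTF-16 and would be missed by a plain ASCII strings pass.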

This trojan is in the wild, but is not highly prevalent. Our antivirus blocked it based on behavioral heuristics even before we added a signature detection.

Additional analysis from our Threat Response team tells us that the trojan attempts to connect to fatgirlsloveme.com. The site/server was not online two days ago, but a proxy in front of it now appears to be active (hosted in Germany).

Our analysis continues.

As does our “watchful and intent” automation.
