I had recently to deal with a compromised computer. It was though supposed to be protected by a up to date antivirus with real policies.

The file has been detected using Spybot S&D: ZBot. It's been a long time ago since I did not find a malware which is not a spyware/adware/rogue AV, with Spybot. Anyway...

The computer was also protected by Clam for Windows, the 'in the cloud' version of Clam AV. See: http://www.clamav.net/lang/en/about/win32/ But it did not detect anything however.

Since I like to contribute to OpenSource projects, I thought of submitting this sample that Clam was not supposed to detect. Then I was astonished to see that the online form to submit samples to Clam was complaining the sample was 'already detected' and that I should check my own Clam updates...!

Here is the screenshot:

What's going on with Clam In The Cloud? is it less efficient than the regular ClamAV?  I still do not have any answer...

By the way, I was kindda disappointed to see at first that McAfee was not planning to publish an extrat.dat:

Fortunately, they did publish an extra.dat later on. Why did the WebImmune portal say 'inconclusive' and 'no Extra', so?

To finish about Clam, I'm gonna try to check if there are real differences between the regular ClamAV version and the 'Clam in the cloud, for Windows'.

First, let's see what VT says about the sample:

So, VT already scanned the sample on the 23rd... the day I submitted the sample to McAfee.

And the detections summary array confirms that Clam was supposed to detect the sample:

Let me remind you that, as other people like T. Zoller said, VT uses command line versions of AV engines. I know quite well ClamAV, and yes, it is the command line version that is available by default on Linux!

Thus, ClamScan most probably detected the sample, but not the Clam 'in the cloud' version... wheras the 'in the cloud' technology was said to offer better protection in real time... (I even tried to move the sample on the HDD to see if Clam in the could would detect it, but nothing happened).

According to that example, I would say that the 'in the cloud' version may offer better protection in real time, but can also miss samples that the regular version of Clam would just detect...

Just for once (again?), I'm gonna deal with linux / Unix system administration., and in particular, migration.

This may be related to scurity, as you may say that integrity does concern system configuration, when it's about renewing a server or transfering a whole system configuration from a machine to another.

First of all, let's say that you have an old server, and you want to migrate it to a new one, with new hardware. If you create an image of the whole system and restores it on the new server, it may just not work because of hardware differences and/or special configuration elements.

To insure a transfert with integroty check, I'll suggest you to use RSync. Here is what could the command line look like:

rsync -avchz --bwlimit=150 --stats /etc remote_host:/sync_etc

The way of synchronizing is source - > destination (last argument).

The bwlimit limits the bandwidth, so that you would not pay extra money for this (huge) transfer, depending on your hosting contract.

The folders that you would at least need to synchronize between the two servers are:

- /etc

- /var

Special thanks: Roro, Duckx, Fredy, and Lucky ;)  the guys who helped me meeting Linux ;)

Just after the Adobe and French CERTA advisories, I wanted to talk a lil bit about the website that is said to host the Adobe 0day.

Here is Adobe's advisory:

http://www.adobe.com/support/security/advisories/apsa10-01.html

According to Symantec (see: http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-060601-3020-99, the suscpicious website is:

google-analytics. dynalias.org.

It quite clearly seems to be a fake Google Analytics portal. Not sure that it does steal user's credentials anyway...

Please note that :

- Netcraft did not warn about it (at the time of writing)

- IronPort does not detect it

- Secure Computing (trustedsource.org) does not detect it

- Firefox 3.6 does not tell anything

- internet Explorer 8 neither

and a very few AV vendors are said to be able to detect the PDF...

Here is what the website looks like:

The IP address 180.149.252.136 is apparently located in Hong Kong... see:

http://www.robtex.com/dns/google-analytics.dynalias.org.html

and blacklisted at least once!

So I strongly recommend to remain prudent with that domain.

I'm not gonna deal here with the real McAfee DAT 5958 issue by itself. What I find interesting is what's coming around this incident.

Some other AV vendors warned that users attempts t download the DAT that fixes the 5958 failure may be used to infect their computers.

I was honestly thinking about fake DAT packages: malware linked to a real exefile DAT from McAfee, or even just malwares called 'SDAT5959'...

But what I discovered is actually worse, to me.

Consider the following Google request: download mcafee DAT 5959. Quite natural and obvious, isn't it?

Here is the URL of the 5th page: 

 http://www.google.fr/search?hl=fr&safe=off&q=download+mcafee+DAT+5959&start=40&sa=N

But this is where the danger shows up. Let's have a look at the first link of the Google's page of results:

The website domain name is: tolstiy.co.cc.

The Google preview of its content even includes the Google logo.. This should not be dangerous, right?

You may notice all the relevant keywords the website may need to be well indexed and appear at a good place in Google's results: 'sdat 5959 free download license mcafee superdat failure SDAT5959 EM. exe mcafee8.5i, McAfee®: 5960 Update '

This could help SEO hijacking (or poisonning) for sure!

Nonetheless the point is that the user will immediately be redirected to another website: endroiturlredirect.com

Then the malicious part shows up. This pages hosts an exploit!

Avira prompted then a warning:

A PDF exploit for a DAT update rescue... that's probably funny (or weird).

Therefore I strongly recommend to any users and admins to really pay attention to where they download updates (including antivirus ones), at any time, especially in case of emergencies.

More about the website: http://tolstiy.co.cc/

You have to pay attention to notice something quite strange.

I said that the thumbnail of it seems to include a Google's logo... yes but guess what, the Google logo, buttons and request bar are all a simple picture in fact!

And here is the URL of it: http://www.webopedia.com/quick_ref/img/google_screen001.jpg

And what about the WhoIs of it? http://www.domaincrawler.com/domains/view/tolstiy.co.cc

Hey, more interesting: the IP address seems to be a Brazilian one, and the rest of the WhoIS info appears to be protected by an anonymization system. Quite obscure, but a kindda habit in VX methods.

But what if I use Internet Explorer 8?

Surprinsingly (or not?) the page redirected me to: malware-checker-free.com. And I.E. 8 screamed about a phishing risk while accessing this website.

Here is a screenshot of what I saw:

And what about other browsers? (PoC: Win 7, 64 bits, full patched).

- Safari (last version) did not alert me in anayway

- Firefox 32 & 64 bits (last versions): no alert

- Opera 10 (last version): no alert.

- Chrome (last version) : no alert.

So here is what an user could see if he does not use I.E.:

And the (funny but) annoying part of it is an endless loop behind this popup:

Whatever an user will do ('cancel', or 'OK'), the popup will come back, and furthermore will try to download an exefile on the computer.

This file is called: 'win_protection_update.exe'

Here is the VT results for it (let me remind that VT is a list of command line AV scanners, not the realtime protection they could offer in a regular installation):

http://www.virustotal.com/fr/analisis/415af935f5ce82f68f15ad133af4542813e34c40a7c5825fed9cdf0d2a46d304-1272584528

Ok so that's 20 out of 41 engines, not bad.

About the malicious URL by itself: http://malware -checker -free.com/secure1/?id=ololo

If you try to access it with only the FQDN, let's say malware-checker -free.com  you may be redirected to... Google. A bit funny.

But if you try to change subdolder and/or page, such like: http://malware -checker-free.com/test   here is what shows up: 

Apache/2.2.3 (CentOS) Server at malware-checker-free.com Port 80

Either the bad guys forgot to update (and secure) their web server, or they hacked a third party one to host their malicious page and files...

Last, if you look at the source code of the webpage http://malware -checker-free.com/secure1/?id=ololo   (thanks to Opera!), you may have an idea about how the bad guys tried to obfuscate their source code:

<!--

Page protected by ionCube - HTML/JavaScript Encoder

Copyright (c) 2003 RWJD.Com and ionCube Ltd.  All Rights Reserved.

Any analysis of this  source code,  embedded data  or file by any means and by any entity whether human or otherwise  to including but without  limitation to discover details  of internal operation, to  reverse  engineer, to  de-compile object code, or to modify  for the purposes  of modifying behavior or scope of their usage is forbidden.

-->

To finish with, a Google request will suggest that ionCube is a proprietary solution to "protect and license" the PHP pages... well, I'm not sure the bad guys did pay for the ionCube license (just guessing).

As you probably read on te web, at the same time people welcome new URL services such as goo.gl, others warn about new threats that come with them: bypassing URL filters using URL shorteners...

Here is a kindda new sample. Once again, over the MSN Network. 

If you click on te URL, the tinyURL system will automatically redirect you to: http://www.camstranger.com/

Once again, I strongly warn any people to click on that link, unless you know what you do.

The website seems to be a kindda public chat, with webcam. AFAIK there is no viral component on it. But I would say anyway that this looks strange.

My guess: some guys rented a BotNet and/or a stolen MSN accounts database to send a massive communication in order to promote that new public chat... 

I'll try to check that out later on :)