Monday, February 2, 2009

Drive-by Update for spreading malware

It is nothing new to say that malicious code is becoming more aggressive, with capabilities that go beyond the classic act of infection to other activities, such as downloading a whole battery of malware onto the victim.

In a Drive-by Update, the malware connects to a clandestine remote server hosting a plain text file that directs the propagation maneuver: it tells the primary infection which files (malware) to download, and from where.

From the moment of infection, with all the drawbacks that entails, the machine is subjected to the manipulation of a veritable nest of malicious code that exploits the system for whatever activities each piece of malware present was designed for, turning it into an active part of a botnet or of a Fast-Flux network and using it as a "bridge" for targeted and distributed attacks against other objectives.
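
As an added illustration (not part of the original post), here is a defender-side check for the pattern just described: a Python script that scans proxy log lines for a client fetching a plain-text file and then, within a short window, several executables from the same server. The log format, host names and client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (hypothetical clients and hosts, not from the post).
# Fields: timestamp client method url content-type status
SAMPLE_LOG = """\
2009-02-02T10:00:01 10.0.0.5 GET http://m.updater.invalid/dd/list.txt text/plain 200
2009-02-02T10:00:03 10.0.0.5 GET http://m.updater.invalid/dd/1.exe application/octet-stream 200
2009-02-02T10:00:04 10.0.0.5 GET http://m.updater.invalid/dd/2.exe application/octet-stream 200
2009-02-02T10:00:06 10.0.0.5 GET http://m.updater.invalid/dd/6.exe application/octet-stream 200
2009-02-02T10:00:09 10.0.0.5 GET http://m.updater.invalid/dd/9.exe application/octet-stream 200
2009-02-02T10:05:00 10.0.0.7 GET http://vendor.invalid/release-notes.txt text/plain 200
2009-02-02T10:06:00 10.0.0.7 GET http://cdn.invalid/setup.exe application/octet-stream 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (time, client, url, content_type) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines rather than crash on them
            continue
        ts, client, _method, url, ctype, _status = m.groups()
        yield datetime.fromisoformat(ts), client, url, ctype


def find_drive_by_updates(text, window=timedelta(minutes=2), min_exes=2):
    """Return (client, server, exe_count) for each client that fetched a plain-text file
    and then, within `window`, at least `min_exes` executables from the same server."""
    events = defaultdict(list)  # (client, server) -> [(time, is_text, is_exe)]
    for t, client, url, ctype in parse_log(text):
        server = urlparse(url).netloc
        is_exe = url.lower().endswith(".exe") or ctype == "application/octet-stream"
        events[(client, server)].append((t, ctype == "text/plain", is_exe))
    hits = []
    for (client, server), evs in events.items():
        evs.sort()
        for i, (t0, is_text, _) in enumerate(evs):
            if not is_text:
                continue
            n = sum(1 for t, _, is_exe in evs[i + 1:] if is_exe and t - t0 <= window)
            if n >= min_exes:
                hits.append((client, server, n))
                break  # one alert per client/server pair is enough
    return hits
```

The second client in the sample fetches a text file and then an executable from a different server, so it is not flagged; only the text-list-then-batch-of-binaries sequence from one server is reported.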

In the case used here as an example, the following malicious code was downloaded from the list preset on the server. The corresponding ThreatExpert reports give more detailed information on the analysis of the malware.

http://m.wuc8 .com/dd/1 .exe >> 28/39 (71.79%)
http://m.wuc8 .com/dd/2 .exe >> 25/39 (64.11%)
http://m.wuc8 .com/dd/6 .exe >> 24/39 (61.54%)
http://m.wuc8 .com/dd/9 .exe >> 31/38 (81.58%)

In general, these servers belong to farms, or cells, of varying size, in which each hosted site is a mirrored copy of the others and therefore serves the same quantity and variety of malware.

However, in other cases the amount of malware referenced in the text file is often greater, as is the variety among the samples.

Malware is becoming increasingly dangerous, growing in volume and evolving in complexity. Techniques like this one are clear evidence of that, giving us a real idea of its capabilities and of how important it is, for the health of our security, that best practices respond adequately to mitigate its harmful actions.

# Jorge Mieres
