blog dds

2007.02.16

Malware on the Fly

Apparently, rogue servers listening on the p2p Kad network intercept the search terms of queries and generate on the fly appropriate file names linking to files that contain malware.

For example, a random search term, like "give me malware", will return the following file names.

give me malware_fastest_BitTorrent_downloader.exe
give me malware_Web_Hottest_Videos_Personal_Player.exe
give me malware_ShareAccelerator.exe
give me malware_using_emule_multimedia_toolbar.zip

As the image below demonstrates, the availability of these files is also doctored to look artificially high. (Yes, I know that one shouldn't use unknown servers.)

[Image: malware search results]
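The two tells described above (the raw search string echoed verbatim at the start of every file name, and source counts that are implausibly high for a nonsense query) can be turned into a simple client-side detection heuristic. The following Python snippet is an added example, not code from the original post or from any Kad client; the four file names are the ones quoted above, while the source counts and the two benign entries are constructed for illustration.

```python
import re

# File types that either execute directly or unpack to something that does.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".pif", ".zip", ".rar"}

# Constructed sample of what a Kad client might list for the query.
# Source counts are invented; a real nonsense query would normally return
# nothing, let alone thousands of sources.
SAMPLE_QUERY = "give me malware"
SAMPLE_RESULTS = [
    ("give me malware_fastest_BitTorrent_downloader.exe", 1830),
    ("give me malware_Web_Hottest_Videos_Personal_Player.exe", 1795),
    ("give me malware_ShareAccelerator.exe", 1902),
    ("give me malware_using_emule_multimedia_toolbar.zip", 1764),
    ("malware_analysis_lecture_notes.pdf", 4),          # benign, constructed
    ("Give Me Malware (talk).mp3", 12),                  # benign, constructed
]


def echoes_query(query: str, filename: str) -> bool:
    """True if the name is the verbatim query (spaces included) plus a
    bolted-on suffix, which is the shape a name generator produces."""
    pattern = r"^" + re.escape(query) + r"_[^/\\]+$"
    return re.match(pattern, filename, re.IGNORECASE) is not None


def has_executable_extension(filename: str) -> bool:
    """True if the file's extension is in EXECUTABLE_EXT (case-insensitive)."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in EXECUTABLE_EXT


def flag_results(query, results, min_sources=200):
    """Return the results that look generated on the fly.

    A result is flagged when its name echoes the query and ends in an
    executable or archive extension. Availability above ``min_sources``
    (an assumed threshold) is recorded as a supporting reason, not as a
    flag on its own, since popular legitimate files also have many sources.
    """
    flagged = []
    for name, sources in results:
        if not (echoes_query(query, name) and has_executable_extension(name)):
            continue
        reasons = ["name echoes query verbatim", "executable or archive"]
        if sources >= min_sources:
            reasons.append("inflated availability")
        flagged.append({"name": name, "sources": sources, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_results(SAMPLE_QUERY, SAMPLE_RESULTS):
        print(f"{hit['name']} ({hit['sources']} sources): {', '.join(hit['reasons'])}")
```

The strongest signal is the cluster: several distinct files whose names all begin with a query no human would ever have used to name a file. Any one of the heuristics alone is weak, which is why the function reports reasons rather than a verdict.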

Two virus scanners didn't find anything suspicious in the files. Specifically, I ran ClamWin, and Vasilis Prevelakis ran Symantec antivirus, without obtaining any warnings. However, Panagiotis Louridas, running Avira AntiVir, succeeded in identifying two of the four malware programs:

viri/give me malware_ShareAccelerator.exe
[DETECTION] Is the Trojan horse TR/Drop.HotWebBar.C

viri/give me malware_Web_Hottest_Videos_Personal_Player.exe
[DETECTION] Contains signature of the dropper DR/WhenU.A.9

According to Avira, the two malware programs were added to the definition file on February 5th, 2007.

Moral: malware writers are getting increasingly sophisticated; antivirus programs are trailing behind.

Last modified: Friday, February 16, 2007 1:40 pm
Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-Share Alike 3.0 Greece License.