• 9000 Spam Comments
• 1000 Ham Comments
• 100 Reports

On the internet you will find many case studies among those from Ontrack or the Ponemon Institute estimating the value of your data. And it is quite amazing that they say that 1 MB of data is worth about 10000 USD and it would take a long time to reconstruct – if possible. But even if the virus does not harm your files, it is causing costs.

From my own experience it can take some hours to really get rid of a virus and repair the broken files. Sure, sometimes it is even better to wipe the hard disk and do a fresh install. Fact is, that the average IT hour costs about 150 USD which leads us to the huge sum of 750 USD for a cleanup session without huge efforts of data rescue.

Looking at those numbers you might understand that 200 USD for a backup- and antivirus solution are not expensive at all.

Microsoft Outlook Notification for the xxxx@xxxx.xx

Support [xxxx@xxxx.xx]

Sent :Thu 15/10/2009 06:38

To xxxx@xxxx.xx

Attachment install.zip (12kb)

You have (6) New Message from Outlook Microsoft

- Please re-configure your Microsoft Outlook Again.

- Download attached setup file and install.

True, this mail usually is a bad one, but nevertheless it made me grin due to the fact that I was using Thunderbird and KMail for managing my personal mail flood. So I checked the mail headers and found out that it came from a spamhost somewhere in the net.

Just as I decided to ignore that message and train my spamfilter, I noticed the ZIP file attached. Sadly it came without a brief description of what it really does – so that part of work is left to me. But I am sure it is definitively not the new software for photo books by CeWe. Unpacking the ZIP File was an easy thing:

Listing archive: install.zip
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2009-10-15 11:38:42 ....A        28672        21167  install.exe
------------------- ----- ------------ ------------  ------------------------
                                 28672        21167  1 files, 0 folders

The contents is just a plain EXE file, which is getting a little more interesting as you can scan it for malware, but for now, ClamAV doesn’t report a positive match. So I have to take a closer look if I want to know.

Digging in that binary, I noticed, that it is just another container that does SFX – and as I got my Swiss Army Archive tool 7-Zip with me, it is an easy thing to unpack it:

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2006-01-21 22:17:57               2606         3072  .text
2006-01-21 22:17:57               5293         5632  .rdata
2006-01-21 22:17:57              53248            0  .data
2006-01-21 22:17:57                592          512  .tls
2006-01-21 22:17:57              18138        18432  .edata
------------------- ----- ------------ ------------  ------------------------
                                 79877        27648  5 files, 0 folders

And here we go – but who is who? I am using the magic numbers of the files to get an idea of what’s their purpose.

data: empty
edata: data
rdata: data
text: VISX image file
tls: data

Skimming through the files with a HEX Editor, the string “FuC1.FuC1.FuC1″ showed up quite often, which clearly indicates that the file is made from a script kiddie and won’t do anything good on our system…

So the best thing is just ignoring those messages and deleting them immediately.

It really is just a small number of god dammed hosts hammering our blogsphere. So it is just the blacklisting that keeps off most of the buggers making the other checks quite obsolete saving ressources.

At the moment of this writing the blacklist lists 215 IP Addresses which are hitting me and the other users regularly – But how many blogs do use the plugin? I cannot tell an exact number but it can’t be more than 25 sites by now…

But I have to admit that it was a time full of learning and gaining knowledge about that bad software rumbling the network and about analyzing its behavior. But there was hardly anyone saying thanks for the work.

So I decided to stop my malware analysis project as it was just work, stress expenses which I had to pay for by myself. So here it ends after three years now.

But however, I have to say that I’m quite satisfied with my little defense tricks I did back in June 2007 that kept my moderation queue clean until now. New year, new luck and the next round against those dirtbags. But there’s one thing for sure: I won’t run out of ideas that soon!

But what about reliability? I have checked the scanner for you and got the results right here: My complete malware collection got wiped out. The reason for that fantastic result is the scan engine of ikarus targeting the common malware.

Regarding new and unknown programs, you’re never left alone due to the central database of binaries which are getting whitelisted if found.

So now all that’s left to say is Happy Birthday, a-squared. Good work.

Before we disconnect the network and run around in panic, let’s have a look at the facts. In my opinion it’s just a matter of time if that theory comes true. But first of all, let’s do some theoretical brainwork about that topic:

A patch gets published – let’s say it’s published at the common microsoft patch day. Our attacker is one of the first ones, grabbing it. The patch modifies some files on our box to fix some things. Our attacker could backup his test windows, apply the patches and check for modified files.

As the attacker now knows the changed files, it is possible to do some more analysis work on them, like reverse engineering. In fact it would narrow the search and maybe save some time.

It’s nothing new that malware is around. It’s not even new, that some people will always try to break in our PCs. It’s just a matter of timing as it can take quite some time until a patch really gets applied. Imagine a bigger company where you cannot just reboot a machine – in other words, there are plenty of vulnerable victims around./lang_en]