Virus Bulletin - July 2012

Editor: Helen Martin

Technical Consultant: John Hawes

Technical Editor: Morton Swimmer

Consulting Editors: Ian Whalley, Nick FitzGerald, Richard Ford, Edward Wilding

2012-07-01

Abstract

Where should security reside? (comment); Noteven close (malware analysis); Tiny modularity (malware analysis); Malicious PDFs served by exploit kits (feature); Unpacking x64 PE+ binaries: introduction part 1 (tutorial); Quick reference for manual unpacking II (tutorial)


Comment

Where should security reside?

‘It seems logical that, in the future, security must move closer to the information.’ Greg Day, Symantec.

Greg Day - Symantec, UK


News

Largest international carding crimes operation: 26 arrests

US Justice Dept. releases details of two-year operation involving undercover carding forum.

Helen Martin - Virus Bulletin, UK


Hotel group fined

FTC says data breaches occurred as a result of group failing to maintain reasonable security on its networks.

Helen Martin - Virus Bulletin, UK


VB welcomes

VB welcomes newest member of the team.

Helen Martin - Virus Bulletin, UK


Malware prevalence report

May 2012

The Virus Bulletin prevalence table is compiled monthly from virus reports received by Virus Bulletin, both directly and from other companies that pass on their statistics.



Malware analyses

Noteven close

Code virtualization is a popular technique for making malware difficult to reverse engineer and analyse. W32/Noteven uses the technique, but has such a buggy interpreter that it's a wonder the code works at all. Peter Ferrie has the details.

Peter Ferrie - Microsoft, USA


Tiny modularity

Researchers have found a small piece of malware capable of doing just as much as its bigger brothers. Raul Alvarez looks at the structure of the malware, its code injections and modular execution, and describes how the tiny ‘Tinba’ is capable of doing so much.

Raul Alvarez - Fortinet, Canada


Feature

Malicious PDFs served by exploit kits

Although the PDF language was not designed to allow arbitrary code execution, implementation and design flaws in popular reader applications make it possible for criminals to infect machines via PDF documents. Didier Stevens explains how this is possible.

Didier Stevens - Contraste Europe, Belgium


Tutorials

Unpacking x64 PE+ binaries: introduction part 1

Aleksander Czarnowski describes some of the main differences between the PE and PE+ file formats from the perspective of the binary unpacking process.

Aleksander P. Czarnowski - AVET INS, Poland


Quick reference for manual unpacking II

By packing their malicious executables, malware authors can be sure that when they are opened in a disassembler they will not show the correct sequence of instructions, thus making malware analysis a more lengthy and difficult process. Continuing on from his earlier article on the subject, Abhishek Singh provides a quick reference guide for unpacking malware from some more of the most commonly used packers.

Abhishek Singh - FireEye, USA


Comparative review

VBSpam comparative review July 2012

Despite a haul of 20 VBSpam awards and a VBSpam+ award, most of the products on test this month saw another increase in the percentage of spam they missed. Martijn Grooten has the details.

Martijn Grooten - Virus Bulletin, UK


Calendar

Anti-malware industry events

Must-attend events in the anti-malware industry - dates, locations and further details.


