SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#151 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 02 July 2009 - 01:37 PM

FYI...

Click fraud trojan...
- http://secureworks.c...reat=ffsearcher
June 26, 2009 - "While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern... After some time we came to the conclusion that the trojan was a search hijacker trojan used for click fraud. Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and searches to redirect to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan however, was much more subtle and creative - in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience. We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners* detecting it at all... As click-fraud trojans go, this is one of the more clever that we've seen, with an impressive feature set:
1. Working code to hijack both Firefox and IE
2. Difficult to spot by the average user
3. Minimally impacting to the infected machine
4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through is generated on purpose by a user in the course of normal web-surfing activity..."
(Screenshots available at the Secureworks URL above.)
* http://www.virustota...6c9b-1244830834
File nkavnxe.exe received on 2009.06.12 18:20:34 (UTC)
Result: 4/39 (10.26%)

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#152 AplusWebMaster


Posted 03 July 2009 - 04:01 PM

FYI...

Happy 4th from Waledac...
- http://securitylabs....lerts/3431.aspx
07.03.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The USA celebrates Independence Day on July 4 each year. The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows. The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine..."
(Screenshots available at the URL above.)

- http://www.eset.com/...er/blog/?p=1244
July 2, 2009
- http://www.eset.com/...er/blog/?p=1250
July 3, 2009

:ph34r: :ph34r:

Edited by AplusWebMaster, 03 July 2009 - 11:16 PM.
Added ESET blog link...



#153 AplusWebMaster


Posted 04 July 2009 - 10:49 AM

FYI...

More on Waledac for the 4th...
- http://blog.trendmic...ndence-day-too/
July 4, 2009 - "... These messages contain links to a site which appears to be from YouTube... The video supposedly shows a fabulous fireworks show, but in reality attempting to play the video results in downloading a copy of WORM_WALEDAC.DU..."

(Screenshot available at the URL above)

:ph34r: <_< :ph34r:



#154 AplusWebMaster


Posted 05 July 2009 - 07:26 PM

FYI...

Waledac July 4th update - New domains added
- http://www.shadowser...lendar/20090704
4 July 2009 - "... quick update on Waledac. We have been keeping an eye on it for a bit and it's been actively spamming and updating clients to Fake Antivirus products for the last few months. However, we also saw it start spamming itself out again starting yesterday. Actually saw a quick first post of this from sudosecure.net:
http://www.sudosecure.net/archives/583
No real need to have tons of duplicate write-ups and screen shots. You can get the same basic information from the site. It's the standard spam to a link involving a fake YouTube video that wants you to download an executable... We have updated our Waledac domain lists that you can use to block/track Waledac domains. The first URL is to the list that is updated with timestamps, ugly comments, and newest domains at the bottom:
http://www.shadowser...dac_domains.txt
We also have the all-time Waledac domain list that contains just the domain listing since the start. It currently has 244 domains on it and can be reached via the following URL:
http://www.shadowser...aledac_list.txt
These are domains you definitely want to avoid visiting and consider blocking where possible."

:ph34r: :ph34r:


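Added example (not part of the Shadowserver post or of this thread): one way to actually use a domain list like the ones linked above, by parsing it and running proxy logs through it. The list format assumed here (comment lines starting with "#", an optional leading timestamp, one domain per line), the domain names and the log lines are all constructed for illustration; the real Shadowserver file may differ in detail. The matching is done on label boundaries so that a listed domain also catches its subdomains but not unrelated names that merely contain it.

```python
"""Match hosts seen in proxy/DNS logs against a Waledac-style domain blocklist.

Added example; not from the Shadowserver post. The list format (comment lines
starting with '#', optional leading timestamp, one domain per line) and every
domain name below are constructed for illustration.
"""
import re
from typing import List, Set, Tuple

# Constructed blocklist text in the style the post describes: timestamps,
# comments, newest entries at the bottom. The domains are invented.
SAMPLE_LIST = """\
# waledac domain list - constructed sample, not the real Shadowserver file
# added 2009-07-03
2009-07-03 fireworks-show-video.example
2009-07-03 july4-celebration.example
# added 2009-07-04
2009-07-04 independence-day-clip.example
# trailing comment, ignored
"""

# Constructed proxy log lines: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2009-07-04T10:01:02Z 10.0.0.5 GET http://www.google.com/search?q=fireworks
2009-07-04T10:01:09Z 10.0.0.5 GET http://www.fireworks-show-video.example/video.php?id=1
2009-07-04T10:02:30Z 10.0.0.7 GET http://cdn.independence-day-clip.example/movie.exe
2009-07-04T10:03:00Z 10.0.0.9 GET http://july4-celebration.example.org/
"""

_DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
_URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def parse_domain_list(text: str) -> Set[str]:
    """Return the set of lowercase domains, ignoring comments and timestamps."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # drop whole-line and inline comments
        if not line:
            continue
        token = line.split()[-1].rstrip(".")           # last token: skips a leading timestamp
        if _DOMAIN_RE.match(token):
            domains.add(token)
    return domains


def host_matches(host: str, blocklist: Set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    'july4-celebration.example.org' must NOT match 'july4-celebration.example':
    the comparison walks label boundaries from the right, not substrings.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):                   # never test a bare TLD
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def scan_log(log_text: str, blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, host) for each log line whose host is listed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        m = _URL_HOST_RE.search(parts[3])
        if m and host_matches(m.group(1), blocklist):
            hits.append((parts[0], parts[1], m.group(1).lower()))
    return hits


if __name__ == "__main__":
    bl = parse_domain_list(SAMPLE_LIST)
    for ts, client, host in scan_log(SAMPLE_LOG, bl):
        print(f"{ts} {client} -> {host} (listed)")
```

The same `host_matches` logic is what you want when turning the list into a blocking rule: a hosts-file or DNS sinkhole entry for the bare domain alone misses the `www.` and `cdn.` hosts the spam actually links to, which is why the list is better fed to a proxy or resolver that can match the whole tree.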

#155 AplusWebMaster


Posted 06 July 2009 - 11:11 AM

FYI...

Koobface worm infections exploding
- http://www.threatpos...tions-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com...fo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 06 July 2009 - 11:17 AM.



#156 AplusWebMaster


Posted 10 July 2009 - 07:10 AM

FYI...

Twitter suspends Koobface infected computers
- http://blog.trendmic...itter-activity/
July 9, 2009 - "... Koobface has increased its Twitter activity, sending out tweets with different URL links pointing to Koobface malware. This is in contrast with previous Koobface Twitter activity wherein only three TinyURLs pointing to Koobface were used. As of writing, there are a couple of hundred Twitter users affected by Koobface in the past few hours, but dozens more are being infected as we speak. We advise Twitter users to (not click on) URLs on tweets, especially if the tweet advertises a home video.
Update: It seems this Koobface problem in Twitter is getting bigger and bigger, prompting Twitter itself to temporarily suspend* infected user accounts."
* http://status.twitte...-malware-attack
July 9, 2009 - "... If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC."

> http://www.sophos.co...-koobface-worm/
July 10, 2009

Preview a TinyURL
- http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 24 July 2009 - 08:24 AM.



#157 AplusWebMaster


Posted 21 July 2009 - 06:02 AM

FYI...

H1N1 SPAM w/virus...
- http://www.f-secure....s/00001734.html
July 21, 2009 - "We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file. When the file was opened, it created several new files to the hard drive:
• %windir%\Temp\Novel H1N1 Flu Situation Update.doc
• %windir%\Temp\doc.exe
• %windir%\Temp\make.exe
• %windir%\system32\UsrClassEx.exe
• %windir%\system32\UsrClassEx.exe.reg
The executables contain backdoor functionality, including an elaborate keylogger. And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file..."

- http://www.sophos.co...abs/v/post/5517
July 22, 2009

(Screenshots available at both URLs above.)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 22 July 2009 - 12:13 PM.
Added Sophos link...


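Added example (not from the F-Secure post or this thread): the check a mail gateway or an analyst should make on an attachment like the one above. The icon a user sees comes from the executable's own resources and proves nothing, and the name can say anything, so the only thing worth trusting is the leading bytes of the file. The lure file name is the one quoted in the post; the byte contents below are constructed stand-ins that carry only the magic numbers, and the list of "document-sounding" words is an assumption.

```python
"""Check an attachment's real file type against what its name implies.

Added example; not from the F-Secure post or this thread. The lure file name is the
one quoted in the post; the byte contents are constructed stand-ins that carry only
the magic numbers.
"""
import os
from typing import Dict, List, Optional

# Leading bytes ("magic numbers") of the container formats relevant here.
_MAGIC = [
    (b"MZ", "pe"),                                     # Windows executable (DOS stub of a PE file)
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole"),      # OLE2 compound file: Word 97-2003 .doc, .xls
    (b"PK\x03\x04", "zip"),                            # ZIP container: .docx/.xlsx and plain archives
    (b"%PDF", "pdf"),
]

# What each extension promises, in the same vocabulary as _MAGIC.
_EXT_EXPECTS = {".doc": "ole", ".xls": "ole", ".docx": "zip", ".xlsx": "zip",
                ".pdf": "pdf", ".exe": "pe", ".scr": "pe", ".dll": "pe"}

# Words that make an executable's name read like a document (constructed list).
_DOC_WORDS = ("update", "report", "situation", "notice", "invoice", "statement", "agenda")


def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            return kind
    return None


def assess_attachment(name: str, data: bytes) -> Dict[str, object]:
    """Compare content type with the file name and collect reasons for suspicion."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    kind = sniff(data)
    reasons: List[str] = []

    expected = _EXT_EXPECTS.get(ext)
    if expected and kind and kind != expected:
        reasons.append(f"content is {kind} but extension {ext} implies {expected}")
    if kind == "pe":
        reasons.append("executable content")
        if any(word in stem.lower() for word in _DOC_WORDS):
            reasons.append("executable named like a document")
    inner_ext = os.path.splitext(stem)[1].lower()          # 'report.doc.exe' -> '.doc'
    if inner_ext in _EXT_EXPECTS and inner_ext != ext:
        reasons.append(f"double extension {inner_ext}{ext}")

    return {"name": name, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: the post's lure name with a PE header, a genuine-looking .doc,
# and a double-extension variant of the same trick.
SAMPLES = [
    ("Novel H1N1 Flu Situation Update.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("memo.doc", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 56),
    ("report.doc.exe", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES:
        verdict = assess_attachment(sample_name, sample_data)
        state = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{sample_name!r}: {state} {verdict['reasons']}")
```

Note that the dropper in the post is flagged even though its extension is honest (.exe with PE content): the point is that an executable arriving by e-mail under a document-style name is itself the indicator, and the dropped .doc it opens afterwards is part of the lure, not evidence of a document.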

#158 AplusWebMaster


Posted 23 July 2009 - 05:17 PM

FYI...

Targeted malware calling home...
- http://www.f-secure....s/00001736.html
July 23, 2009 - "In targeted attacks, we see more and more attempts to obfuscate the hostname of the server where the backdoors are connecting to. IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity. The admins might spot a host that suddenly connects to known rogue locations like:
• weloveusa.3322.org
• boxy.3322.org
• jj2190067.3322.org
• hzone.no-ip.biz
• tempsys.8866.org
• zts7.8800.org
• shenyuan.9966.org
• xinxin20080628.gicp.net
However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names like:
• ip2.kabsersky.com
• mapowr.symantecs.com.tw
• tethys1.symantecs.com.tw
• www.adobeupdating.com
• iran.msntv.org
• windows.redirect.hm
The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and just disregard it. "That must be the PDF reader trying to download updates..." In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia."

:ph34r:

Edited by AplusWebMaster, 23 July 2009 - 05:18 PM.


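Added example (not from the F-Secure post or this thread): the kind of review logic the "busy IT administrator" in the post would want running over egress logs, so that `www.adobeupdating.com` is not waved through. It flags two patterns from the post: callback hosts under free dynamic-DNS providers, and registrable domains that imitate a vendor name (substring or small edit distance, e.g. `kabsersky`), plus the variant where the brand word sits in a subdomain the attacker controls (`windows.redirect.hm`). The hostnames are the ones quoted in the post; the firewall log format, the dynamic-DNS suffix list, the brand list and the public-suffix subset are constructed and illustrative, not authoritative. This is a review list, not a block list.

```python
"""Flag outbound-connection hosts that look like dynamic-DNS names or vendor look-alikes.

Added example; not from the F-Secure post or this thread. The hostnames are the ones
quoted in the post. The firewall log format, the dynamic-DNS suffix list, the brand
list and the public-suffix subset are constructed and illustrative.
"""
import re
from typing import Dict, List

# Free dynamic-DNS providers from the post's first list. Assumption: worth a second
# look in a corporate egress log, not automatically malicious.
DYNDNS_SUFFIXES = ("3322.org", "8866.org", "8800.org", "9966.org", "no-ip.biz", "gicp.net")

# Brands an attacker might imitate. A tuple so the first match is deterministic.
BRANDS = ("kaspersky", "symantec", "adobe", "microsoft", "windows", "msn", "mcafee")

# Two-part public suffixes so that 'symantecs.com.tw', not 'com.tw', is treated as the
# registrable domain. A real tool would load the full Public Suffix List.
TWO_PART_SUFFIXES = ("com.tw", "co.uk", "com.au", "co.jp")


def registrable(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats such as 'kabsersky'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> List[str]:
    """Return reasons a hostname deserves review (empty list: nothing noticed)."""
    reasons: List[str] = []
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in DYNDNS_SUFFIXES:
        reasons.append("dynamic-dns")

    sld = reg.split(".")[0]                     # 'adobeupdating' in 'adobeupdating.com'
    for brand in BRANDS:
        if sld == brand:
            break                               # the brand's own domain; nothing to flag here
        # Short brand words need a tighter distance or 'cnn' would look like 'msn'.
        max_dist = 2 if len(brand) >= 7 else 1
        if brand in sld or levenshtein(sld, brand) <= max_dist:
            reasons.append(f"look-alike:{brand}")
            break

    # 'windows.redirect.hm': the brand word sits in a subdomain, the owner is unrelated.
    subdomain_labels = host.split(".")[: -len(reg.split("."))]
    for label in subdomain_labels:
        if label in BRANDS:
            reasons.append(f"brand-in-subdomain:{label}")
    return reasons


# Constructed egress-firewall lines; IPs are documentation ranges, hosts from the post.
SAMPLE_LOG = """\
2009-07-23 09:00:01 ALLOW 10.1.2.3 -> 198.51.100.7:443 host=update.microsoft.com
2009-07-23 09:00:05 ALLOW 10.1.2.3 -> 203.0.113.9:80 host=www.adobeupdating.com
2009-07-23 09:00:09 ALLOW 10.1.2.8 -> 203.0.113.22:443 host=tethys1.symantecs.com.tw
2009-07-23 09:00:12 ALLOW 10.1.2.8 -> 203.0.113.30:8080 host=weloveusa.3322.org
2009-07-23 09:00:15 ALLOW 10.1.2.9 -> 203.0.113.31:80 host=windows.redirect.hm
"""

_LINE_RE = re.compile(r"^(\S+ \S+) \S+ (\S+) -> (\S+) host=(\S+)")


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per log line whose destination host trips a rule."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, host = m.groups()
        reasons = classify(host)
        if reasons:
            hits.append({"ts": ts, "src": src, "dst": dst, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']} {hit['reasons']}")
```

The name check only gets you to "review this"; the post's own closing point is the confirmation step, namely that the registrant and the resolved IP of `adobeupdating.com` had nothing to do with Adobe. Pairing the flagged host with its WHOIS and geolocation is what turns the hint into a finding.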

#159 AplusWebMaster


Posted 27 July 2009 - 06:39 AM

FYI...

Rogue AV terminates EXE files
- http://blog.trendmic...ates-exe-files/
July 26, 2009 - "This weekend, we at TrendLabs came across a FAKEAV variant similar to the one peddled in the solar eclipse 2009 in America attack in this recent blog post. This one, however, introduces another new scare tactic (so far the latest new ploy we’ve seen is the ransomware/FAKEAV that encrypts files in the infected computer and offers a bogus fixtool for a price). This FAKEAV variant terminates any executed file with an .EXE file extension and displays a pop-up message saying that the .EXE file is infected and cannot execute... This way, users are left with no choice but to activate the antivirus product since no other application works. This Trojan is detected by Trend Micro as TROJ_FAKEAV.B. It avoids terminating critical processes to prevent system crashes. Unfortunately, cybercriminals work hard in creating so many gimmicks, that we can only guess what comes next in FAKEAV..."

(Screenshot available at the URL above.)

:ph34r: <_< :ph34r:



#160 AplusWebMaster


Posted 27 July 2009 - 03:01 PM

FYI...

Malicious Twitter Posts Get More Personal
- http://blog.trendmic...-more-personal/
July 27, 2009 - "... malicious Twitter posts are getting dangerously more customized, increasing the possibility of users getting hooked into malicious schemes. A Twitter spambot is said to have been used in launching this recent attack. The spambot creates Twitter accounts and fashions them to appear as legitimate accounts by posting seemingly harmless posts like those sharing certain music they listen to, or websites they visit. The spambot accounts then post tweets directed to unknowing users, sharing a link to a PC repair tool they allegedly came across and used... the spambot posting tweets directed to specific users is a noteworthy social engineering technique that was clearly not seen as suspicious by Twitter admins. The spambot accounts were apparently created prior to a spam cleanup recently conducted by Twitter. Additionally, the spambot uses the URL shortener Doiop.com to mask the original URL in the posts, and for a not so good reason. The URL directs to a URL that triggers a couple of redirections that ultimately lead to the download of the file RegistryEasy.exe, which is detected as TROJ_FAKEAV.DAP. TROJ_FAKEAV.DAP comes off as an application that repairs registry problems. However, in true FAKEAV style, it merely displays false results to convince the user into purchasing the product... in the root of one of the URLs the user is redirected to, an advertisement for an application dubbed as Bot Lite is posted. Bot Lite is, as the post describes, a light Twitter bot that virtually anyone can use... Bot Lite does function as a spambot for Twitter. Its file name is bot_lite_100.exe. Its detection name is HKTL_FAKEBOT. HKTL_ is the detection prefix used by Trend Micro for hacker-tools which are considered to be Grayware. Grayware refers to applications that have annoying, undesirable, or undisclosed behavior but do not fall into any of the major threat (i.e. virus or Trojan horse) categories..."

(Screenshots available at the URL above.)

- http://ddanchev.blog...ecurity_27.html
July 27, 2009

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 27 July 2009 - 03:14 PM.


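Added example (not from the Trend Micro or Twitter posts, nor from this thread): a small resolver that does what the TinyURL preview page above does by hand, and that also exposes the "couple of redirections" behind the Doiop.com link in the post just above. It walks the chain one hop at a time with HEAD requests, never follows a redirect automatically and never downloads a body, so a chain ending in RegistryEasy.exe is reported rather than executed. Loops and open-ended chains are capped. The .example hostnames and the redirect table are constructed so the code runs offline; `live_head` is the real network version and is not exercised here. RegistryEasy.exe is the file name quoted in the post.

```python
"""Expand a shortened URL by walking its redirect chain without fetching any page body.

Added example; not from the Trend Micro or Twitter posts or this thread. The .example
hostnames and the redirect table are constructed; RegistryEasy.exe is the file name
quoted in the post.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".msi")

# A 'head' function makes one non-following request and returns (status, Location).
HeadFn = Callable[[str], Tuple[int, Optional[str]]]


def resolve_chain(url: str, head: HeadFn, max_hops: int = 5) -> Dict[str, object]:
    """Follow Location headers one hop at a time and report where the chain ends.

    The chain is capped (redirect loops and open-ended hops are abuse patterns in
    their own right) and a relative Location is resolved against the current URL.
    """
    chain: List[str] = [url]
    stopped = "max_hops"
    status: Optional[int] = None
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            stopped = "final"
            break
        nxt = urllib.parse.urljoin(url, location)
        chain.append(nxt)
        if nxt in chain[:-1]:
            stopped = "loop"
            break
        url = nxt
    path = urllib.parse.urlsplit(chain[-1]).path.lower()
    return {"chain": chain, "final": chain[-1], "status": status, "stopped": stopped,
            "executable": path.endswith(EXEC_EXTS)}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One real HEAD request; no redirect followed, no body downloaded. Network only."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:          # 3xx (and 4xx/5xx) arrive here
        return err.code, err.headers.get("Location")


# Constructed stand-in for the network: shortener -> second shortener -> ad page -> .exe
FAKE_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "http://tinyurl.example/abc":                   (301, "http://doiop.example/r/9"),
    "http://doiop.example/r/9":                     (302, "http://ads.example/go?x=1"),
    "http://ads.example/go?x=1":                    (302, "/download/RegistryEasy.exe"),
    "http://ads.example/download/RegistryEasy.exe": (200, None),
    "http://loop.example/a":                        (302, "http://loop.example/b"),
    "http://loop.example/b":                        (302, "http://loop.example/a"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://tinyurl.example/abc", "http://loop.example/a"):
        result = resolve_chain(start, fake_head)
        print(" -> ".join(result["chain"]))
        print(f"   stopped={result['stopped']} status={result['status']} executable={result['executable']}")
```

To use it against a real tweet link, call `resolve_chain(url, live_head)` from a machine you do not mind touching the attacker's server from; a HEAD still tells the operator your IP and user agent, which is why a sandbox or the shortener's own preview feature is the better first step.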


#161 AplusWebMaster


Posted 31 July 2009 - 05:27 AM

FYI...

Dilbert sends out 419 scams...
- http://www.sophos.co...abs/v/post/5633
July 29, 2009 - "... Advance Fee fraud scammers will abuse any free service they can get their hands on to send out their spam messages... In recent days, a group of Nigerian scammers have started abusing the “share-a-comic-strip” feature on Dilbert.com. The scammers do this by including their own fraud message inside the “personal message” portion of the sent messages. This is probably a money-making scheme that Dogbert would approve of..."

(Screenshots available at the URL above.)

:ph34r: <_<



#162 AplusWebMaster


Posted 31 July 2009 - 05:44 AM

FYI...

Rogueware growth - 2009 ...
- http://www.darkreadi...cleID=218700073
July 29, 2009 - "All told, 374,000 new versions of rogueware samples were released in this year's second quarter - and that number is expected to nearly double to 637,000 in the third quarter. PandaLabs researchers, who have been tracking the spread of this latest trend in cybercrime, say rogueware is easier for the bad guys than traditional banking Trojan attacks... the numbers have been spiking during the past year:
In the fourth quarter of 2008, PandaLabs found more than 50,000 rogueware samples for a total of 92,000 for the year*. "And there were two times as many in Q2 versus Q1," PandaLabs' Carrons says. "Last year, they were using typical malware distribution channels, with links that were trying to distribute the fake AV. In the second quarter of 2009, we had predicted there would be 220,000 samples [of rogueware], but it turned out to be 374,000." But now social networks, such as Facebook, MySpace, and Twitter, are the latest vehicle for spreading rogueware. Attackers hijack user accounts and go after their friends with a video link... These fake antivirus programs alert victims that they are "infected" and lure them to click and clean their machines; when they do, they are prompted to purchase a license for the phony security application... So the bad guys are now automatically generating new, unique samples that AV engines can't recognize, according to the researchers. PandaLabs found in its research two main tiers in the rogueware business model: the creators, who develop the rogue applications and provide back-office services, such as payment gateways, and the affiliates, who distribute the fake AV. Affiliates are mostly Eastern Europeans..."
* http://www.pandasecu...orts#Monographs

Following the Money: Rogue Anti-virus Software
- http://voices.washin...trail_of_r.html
July 31, 2009

:ph34r: <_<

Edited by AplusWebMaster, 10 August 2009 - 06:59 AM.



#163 AplusWebMaster


Posted 10 August 2009 - 06:52 AM

FYI...

Q2-2009 - $34m in Rogueware per month...
- http://www.theregist...areware_market/
7 August 2009 - "Fraudsters are making approximately $34m per month through scareware attacks, designed to trick surfers into purchasing rogue security packages supposedly needed to deal with non-existent threats. A new study, The Business of Rogueware*, by Panda Security researchers Luis Corrons and Sean-Paul Correll, found that scareware distributors are successfully infecting 35 million machines a month. Social engineering attacks, often featuring social networking sites, that attempt to trick computer users into sites hosting scareware software have become a frequently used technique for distributing scareware. Tactics include manipulating the search engine rank of pages hosting scareware. Panda reckons that there are 200 different families of rogueware, with more new variants coming on stream all the time... Luis Corrons, PandaLabs' technical director: "By taking advantage of the fear in malware attacks, they prey upon willing buyers of their fake anti-virus software, and are finding more and more ways to get to their victims, especially as popular social networking sites and tools like Facebook and Twitter have become mainstream." In Q2 2009, four times more new strains were created than in the whole of 2008, primarily in a bid to avoid signature-based detection by genuine security packages..."
* http://www.pandasecu...orts#Monographs
"... results:
• We predict that we will record more than 637,000 new rogueware samples by the end of Q3 2009, a tenfold increase in less than a year.
• Approximately 35 million computers are newly infected with rogueware each month (approximately 3.50 percent of all computers).
• Cybercriminals are earning approximately $34 million per month through rogueware attacks..."

:ph34r: <_<



#164 AplusWebMaster


Posted 11 August 2009 - 07:38 PM

FYI...

PayPal fraud with CAPTCHA
- http://blog.trendmic...d-with-captcha/
Aug. 11, 2009 - "... CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) used to protect web sites against abusive automated software that can register, spam, log in, or even splog. However, nowadays that isn’t the case anymore. Just like the traditional PayPal phish, the web page http ://{BLOCKED}www.security-paypal.citymax.com /paypal_security.html asks the user to provide feedback from their Shopping by asking for their Name, E-mail Address and PayPal password... After which, a CAPTCHA image is shown and requires the user to enter the code indicated for spam prevention. However, after entering the user’s personal information, this could be used to create bogus mail accounts, among other things..."

(Screenshot available at the URL above.)

:ph34r: <_<



#165 AplusWebMaster


Posted 14 August 2009 - 05:35 AM

FYI...

Spam changes HOSTS file...
- http://blog.trendmic...g-a-hosts-file/
Aug. 14, 2009 - "We have recently detected a new spam attack that attempts to grab the bank data of Brazilian users. The mechanics of this attack are simple. Users receive this spam email... The mail claims that the user has received an e-card, and contains a link to “read” the said card. Clicking on the related link, a file is downloaded and executed... Apparently nothing happens, just an Internet Explorer window is opened showing a related web card from this initial phishing. In the background, however, the HOSTS file is changed, and set to redirect certain Brazilian banking Web sites to a malicious web site. All information posted in any of the said pages will then be grabbed by the attacker..."

(Screenshots available at the URL above.)

:ph34r:


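Added example (not from the Trend Micro post or this thread): an auditor for the HOSTS-file trick described above. The attack works because the browser shows the bank's real URL while the OS resolver, consulting HOSTS before DNS, hands it the attacker's IP. The check therefore separates two kinds of local override: a name pinned to 127.0.0.1 or 0.0.0.0 only breaks that name (the common, benign ad-blocking pattern), whereas a watched banking name pinned to any routable address is the redirect the post describes. The sample HOSTS text, the watched domain names (all under .example) and the IP addresses are constructed; on Windows the real file lives at %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts.

```python
"""Audit a HOSTS file for entries that pin banking or other sensitive names to attacker IPs.

Added example; not from the Trend Micro post or this thread. The sample HOSTS content,
the watched domain names (.example) and the IP addresses are constructed.
Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts   Unix-like: /etc/hosts
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed file: stock header, two benign localhost lines, hijack lines of the kind
# the post describes, and an ad-blocking sinkhole entry that must NOT be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.bancoexemplo.example
203.0.113.45    bancoexemplo.example internetbanking.bancoexemplo.example
127.0.0.1       ad.tracker.example      # user-added ad blocking
"""

# Names whose resolution must never be overridden locally (constructed; load from policy).
WATCHED_SUFFIXES = ("bancoexemplo.example", "paypal.example")


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [names]) for each effective entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip comments, including trailing ones
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((lineno, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def _watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Return findings, highest severity first.

    high:   watched name pinned to a routable address (the banking redirect)
    medium: any other non-sinkhole override, or an unparseable address
    low:    watched name sinkholed (breaks the bank, does not steal from it)
    """
    rank = {"high": 0, "medium": 1, "low": 2}
    findings: List[Dict[str, object]] = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "severity": "medium", "name": ip,
                             "reason": "malformed address field"})
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name == "localhost" and sinkhole:
                continue                             # the two stock entries
            if _watched(name) and not sinkhole:
                findings.append({"line": lineno, "severity": "high", "name": name,
                                 "reason": f"watched domain pinned to {ip}"})
            elif _watched(name):
                findings.append({"line": lineno, "severity": "low", "name": name,
                                 "reason": f"watched domain sinkholed to {ip}"})
            elif not sinkhole:
                findings.append({"line": lineno, "severity": "medium", "name": name,
                                 "reason": f"non-sinkhole override to {ip}"})
            # sinkhole entries for non-watched names (ad blocking) are left alone
    findings.sort(key=lambda f: rank[str(f["severity"])])
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']:>3} [{f['severity']}] {f['name']}: {f['reason']}")
```

Run with no argument it audits the constructed sample; pass the path to a real HOSTS file to audit that instead. A cleaner pass would also compare the file's modification time against the infection window and check that the file is not hidden or marked read-only by something other than the administrator, both of which this variant's relatives have used to stay in place.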