SPAM frauds, fakes, and other MALWARE deliveries...



#256 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 February 2010 - 09:03 AM

FYI...

Search Engine Poisoning: Chile Earthquake
- http://isc.sans.org/...ml?storyid=8317
Last Updated: 2010-02-27 14:23:30 UTC - "You probably heard about the major earthquake in Chile happening last night. So have the malware writers engaged in search engine poisoning. Search Google for "Chile Earthquake" and you will find a number of malware sites like "Qooglesearch .com" on the first page. As regular charities start to use these keywords, the poisoned results may be pushed back a bit and show up under other related keywords. As usual, let us know if you find any odd sites related to this. So far the only thing I am seeing is the fake AV / malware push via search engine poisoning."

- http://www.symantec....rogue-antivirus
February 27, 2010 17:31

:ph34r: <_<

Edited by AplusWebMaster, 27 February 2010 - 09:22 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#257 AplusWebMaster


Posted 28 February 2010 - 07:22 PM

FYI...

Blackhat SEO PDF - Chile and Hawaii disasters
- http://securitylabs....lerts/3568.aspx?
02.28.2010 - "Over 13% of all searches on Google* looking for popular and trending topics will lead to malicious links and searching for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products. Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file... Google tells you the file format is PDF and not HTML. That's not true, it is in fact a regular HTML page that when visited will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD which is the top-level domain for India. By making the search result look like a PDF it gives the link more authenticity. Perhaps it's a research paper or at least a more well written article. The likelihood that a user will click on these types of links is probably higher than if it were just another random web link... The Rogue AV file itself is currently detected by 26.20%** of the antivirus engines used by VirusTotal..."
* http://preview.tinyurl.com/yzv4nze

(Screenshots available at the Websense URL above.)

** http://www.virustota...60c8-1267321093
File packupdate_build6_287.exe received on 2010.02.28 01:38:13 (UTC)
Result: 11/41 (26.83%)

:ph34r: <_<

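An added check for the tactic Websense describes above (a search hit labelled PDF that is really an HTML redirector to a fake scanner page). This is example code written for this thread, not Websense's tooling: it sniffs the real type of a fetched body, compares it with what the URL or Content-Type header claimed, and pulls out meta-refresh and JavaScript redirect targets. The two sample bodies and the `scanner.example.in` host are constructed for the demo; nothing is fetched from the network.

```python
"""Detect "claims to be a PDF, is really an HTML redirector" search results.

Added example (not Websense code). Sample bodies below are constructed.
"""
import re

# Constructed stand-ins for two fetched response bodies.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_FAKE_PDF = b"""<html><head>
<meta http-equiv="refresh" content="0;url=http://scanner.example.in/scan.php?id=1">
<script>window.location.href="http://scanner.example.in/scan.php?id=2";</script>
</head><body>chile earthquake tsunami hawaii pdf report</body></html>"""

# <meta http-equiv="refresh" content="N;url=TARGET">
META_REFRESH = re.compile(
    rb'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    rb'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)
# location = "TARGET", window.location.href = "TARGET", location.replace("TARGET")
JS_REDIRECT = re.compile(
    rb'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    rb'|location\.replace\(\s*["\']([^"\']+)["\']\s*\)', re.I)


def sniff(body):
    """Real document type from content, not from headers or file extension."""
    if body.lstrip().startswith(b"%PDF-"):
        return "pdf"
    head = body[:2048].lower()
    if any(tag in head for tag in (b"<!doctype html", b"<html", b"<script", b"<meta", b"<body")):
        return "html"
    return "unknown"


def redirect_targets(body):
    """Every meta-refresh or JavaScript redirect destination found in an HTML body."""
    targets = [m.group(1) for m in META_REFRESH.finditer(body)]
    for m in JS_REDIRECT.finditer(body):
        targets.append(m.group(1) or m.group(2))
    return [t.decode("latin-1") for t in targets]


def claimed_type(url, content_type):
    """What the search result / server says the document is."""
    if url.lower().endswith(".pdf") or "application/pdf" in content_type.lower():
        return "pdf"
    if "text/html" in content_type.lower():
        return "html"
    return "unknown"


def assess(url, content_type, body):
    """Compare claimed vs. actual type and surface where an HTML body sends the visitor."""
    claimed, actual = claimed_type(url, content_type), sniff(body)
    targets = redirect_targets(body) if actual == "html" else []
    verdict = "ok"
    if claimed == "pdf" and actual != "pdf":
        verdict = "type mismatch"
    if targets:
        verdict += "; redirects to " + ", ".join(targets)
    return {"claimed": claimed, "actual": actual, "redirects": targets, "verdict": verdict}


if __name__ == "__main__":
    print(assess("http://example.invalid/chile-earthquake.pdf", "text/html", SAMPLE_FAKE_PDF))
    print(assess("http://example.invalid/report.pdf", "application/pdf", SAMPLE_PDF))
```

Sniffing the first bytes is what matters here: a server can send any Content-Type it likes, and the search engine's "PDF" label came from whatever the crawler was shown, so only the body you actually received tells you whether you are about to be bounced to a fake scanner.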


#258 AplusWebMaster


Posted 02 March 2010 - 12:29 PM

FYI...

New Domains - fastflux, rogue, koobface...
- http://www.malwaredo...ordpress/?p=859
March 1st, 2010 - "Upload was delayed by a few days due to weather issues from the latest storm..."

- http://www.malwaredo...ress/?page_id=2
"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware... available in AdBlock and ISA Format..."

:ph34r:



#259 AplusWebMaster


Posted 02 March 2010 - 02:20 PM

FYI...

ESET statistics on infections
- http://www.eset.com/...s-on-infections
March 2, 2010 - "... the statistics we are seeing through our online scanner logs are consistent with our observation from last September. We are seeing an average of 3 different malware families per infected computer. This means that on average, when a computer is infected, we find three different malware families installed on it... The average of different malware families per infected host in the United States is close to the global average. On the other hand, this number reaches 4.5 in China where it has one of the highest values. This indicates that malware operations are not conducted the same way around the world. We usually see fewer bank information stealers in Asia but more online game password stealers. Online game password stealers are usually installed by other malware families and don’t propagate by themselves, explaining why we see a higher average in China than in the United States. On a daily basis, ESET is collecting more than 200,000 new and unique binary malicious files..."
___
... which translates to over 73 million new malware items for 2010, a record rate by any standard.

:ph34r:

Edited by AplusWebMaster, 03 March 2010 - 05:17 AM.



#260 AplusWebMaster


Posted 05 March 2010 - 01:00 AM

FYI...

Huge update: malicious advertising domains...
- http://www.malwaredo...ordpress/?p=870
March 5, 2010 - "We are adding the malicious domains being served up at ad banner networks based on the listings at malwaredomainlist and trojaned binaries. Most of these malicious ad banners serve up fake antivirus scareware. There are also few phishing and zeus domains in this update..."

- http://www.malwaredo...ordpress/?p=864
March 4, 2010 - "From SANS*: Block google-analitics (dot) net and salefale (dot) com ASAP. Sites will be added on the next update..."
* http://isc.sans.org/...ml?storyid=8350

- http://www.malwaredo...ress/?page_id=2
"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting. This list is also available in AdBlock and ISA Format..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 05 March 2010 - 01:55 AM.

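The DNS-BH description above (zone files that answer blocked domains with localhost, plus AdBlock and ISA formats) is the kind of thing you can generate yourself from a raw blocklist. The script below is an added example and not DNS-BH project code: it normalizes the defanged domain names quoted in this thread (the `(dot)` and spaced forms) and emits BIND `named.conf` stanzas, a hosts-file fragment and Adblock rules. The zone file path `/etc/namedb/blockeddomain.hosts` and the `127.0.0.1` sinkhole address are assumptions, and the sample list is constructed from the domains named on this page.

```python
"""Turn a malware-domain blocklist into DNS sinkhole / ad-blocker configs.

Added example, not DNS-BH code. Zone file path and sinkhole IP are assumptions.
"""
import ipaddress
import re

# Constructed sample blocklist built from domains quoted on this page,
# kept in the defanged forms people actually paste into forums.
SAMPLE_BLOCKLIST = """\
# from the SANS ISC item quoted above
google-analitics (dot) net
salefale (dot) com
# search-engine poisoning domain from the Chile earthquake item
Qooglesearch .com
# duplicate, must be emitted only once
salefale (dot) com
"""

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# "(dot)", "[.]" and " ." are the usual defanging conventions.
_DEFANG = re.compile(r"\s*\(dot\)\s*|\s*\[\.\]\s*|\s+\.\s*")


def normalize(line):
    """Lowercase dotted domain for a blocklist line, or None for comments/junk."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    line = _DEFANG.sub(".", line).lower()
    labels = line.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None  # refuse anything that is not a syntactically valid hostname
    return ".".join(labels)


def parse_blocklist(text):
    """Ordered, de-duplicated domains from blocklist text."""
    seen, out = set(), []
    for line in text.splitlines():
        d = normalize(line)
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def bind_zones(domains, zone_file="/etc/namedb/blockeddomain.hosts"):
    """named.conf stanzas: every blocked domain becomes a master zone served from
    one shared zone file whose records point at localhost (the DNS-BH approach)."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n' for d in domains)


def hosts_file(domains, sink="127.0.0.1"):
    """hosts(5) lines; rejects a mistyped sinkhole address up front."""
    ipaddress.ip_address(sink)
    return "".join(f"{sink} {d}\n" for d in domains)


def adblock_rules(domains):
    """Adblock Plus syntax: ||domain^ matches the domain and every subdomain."""
    return "".join(f"||{d}^\n" for d in domains)


if __name__ == "__main__":
    doms = parse_blocklist(SAMPLE_BLOCKLIST)
    print(bind_zones(doms), hosts_file(doms), adblock_rules(doms), sep="\n")
```

The validation step is not cosmetic: a stray `(dot)` or a space left in a domain silently produces a zone stanza BIND refuses to load, which takes the whole sinkhole offline rather than just one entry.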


#261 AplusWebMaster


Posted 08 March 2010 - 10:50 AM

FYI...

Energizer DUO USB Battery Charger Software Allows Remote System Access
- http://www.us-cert.g...battery_charger
March 8, 2010 - "US-CERT is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system... US-CERT encourages users and administrators to review Vulnerability Note VU#154421* and apply the recommended solutions."
* http://www.kb.cert.org/vuls/id/154421

- http://www.symantec....harger-software
March 5, 2010

- http://secunia.com/advisories/38894/
Release Date: 2010-03-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Solution: Uninstall the software and remove "Arucer.dll" from the Windows system32 directory.
Original Advisory: VU#154421:
http://www.kb.cert.org/vuls/id/154421

- http://phx.corporate...?...&highlight=
March 5, 2010 - "... Energizer has discontinued sale of this product and has removed the site to download the software..."

:ph34r: <_<

Edited by AplusWebMaster, 09 March 2010 - 05:10 AM.



#262 AplusWebMaster


Posted 09 March 2010 - 04:06 AM

FYI...

Hacks steal $120M+ in 3 months: FDIC
- http://www.computerw...in_three_months?
March 8, 2010 - "Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the (FDIC). Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said. Almost all of the incidents reported to the FDIC "related to malware on online banking customers' PCs," he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions. Even though banks now force customers to use several forms of authentication, hackers are still stealing money. "Online banking customers are getting too reliant on authentication and on practicing layers of controls," Nelson said... "Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses," Nelson said. "In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud." That's led to some nasty legal disputes, where customers say the banks should have stopped payments, and the banks argue that the customers should have protected their own computers from infection. Often small businesses do not have the controls in place to prevent unauthorized ACH payments, even when their banks make them available, Nelson said.
"Hackers are definitely targeting higher-balance accounts and they're looking for small businesses where controls might not be very good." The FDIC's estimates are "reasonable," but they illustrate a problem that is becoming too expensive for banks and businesses, said Avivah Litan, an analyst with Gartner. She said that attacks that install a password-stealing botnet program, known as Zeus, have increased so far in 2010, so those losses may be even higher this year."

:ph34r: <_<

Edited by AplusWebMaster, 09 March 2010 - 04:16 AM.



#263 AplusWebMaster


Posted 09 March 2010 - 10:33 AM

FYI...

Vodafone Android Phone: Complete with Mariposa Malware
- http://isc.sans.org/...ml?storyid=8389
Last Updated: 2010-03-09 14:20:25 UTC - "Panda Security has a post up on one of their employees buying a brand -new- Android phone from Vodafone and discovering it was spreading Mariposa*. It didn't infect the phone proper, but it did have autoexec.inf and autoexec.bat files designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Energizer story from yesterday, this one is happening now. Standard USB defenses apply, don't automatically execute autoexec.bat/inf files from USB devices. This Microsoft KB article** discusses how to disable the "Autoplay" functionality that leads to this problem..."
* http://research.pand...butes-mariposa/
March 8, 2010

** http://support.microsoft.com/kb/967715

- http://www.internetn... Smartphone.htm
March 10, 2010 - "... Conficker, Mariposa -and- Lineage password stealing malware samples installed on a recently purchased Vodafone HTC Magic smartphone..."

- http://news.cnet.com...000676-245.html
March 17, 2010 - "... an employee at -another- Spanish security company, S21Sec, checked his recently-acquired HTC Magic and found the Mariposa malware lurking on it, according to a PandaLabs blog post* on Wednesday..."
* http://research.pand...ariposa-part-2/
___

- http://www.pcworld.c...ne_mobiles.html
March 19, 2010 - "Malware-tainted memory cards may have ended up on as many as 3,000 HTC Magic phones, a greater number than first suspected, Vodafone said Friday..."
- http://www.theregist...ariposa_latest/
19 March 2010 - "... suggesting 3,000 users were exposed to the malware make it one of the biggest incidents of an IT supplier shipping pre-pwned mobile kit."

:ph34r: <_<

Edited by AplusWebMaster, 20 March 2010 - 11:38 AM.

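The USB-borne infector in the Vodafone/HTC story relies on Windows AutoRun: the file Windows actually reads from the root of a newly attached volume is `autorun.inf`, and the KB article linked above is about turning that processing off host-side. The triage side, checking what an `autorun.inf` found on a memory card would do before anyone plugs it into a Windows box, is shown below as an added example of mine (not code from ISC, Panda or Microsoft). The INF text is constructed to mirror what the write-ups describe, not a copy of the Mariposa file.

```python
"""Flag autorun.inf directives that launch code when a removable device is
inserted into a Windows host with AutoRun/AutoPlay still enabled.

Added example; the sample INF below is constructed, not the Mariposa file.
"""
import configparser
import re

# Constructed sample: a "recycled" folder holding the infector, with cosmetic
# keys so Explorer's AutoPlay dialog shows a convincing "Open folder" entry.
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample, not real malware
open=recycled\\autorun.exe
shellexecute=recycled\\autorun.exe
shell\\open\\command=recycled\\autorun.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=MyPhone
"""

# Directives that run a program directly ...
EXEC_KEYS = ("open", "shellexecute")
# ... or hijack a shell verb (shell\<verb>\command=...), so "Open" from the
# right-click menu or the AutoPlay dialog runs the attacker's binary.
EXEC_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# These only change what Explorer displays; infectors set them to imitate
# the genuine "Open folder to view files" entry.
SPOOF_KEYS = ("action", "icon", "label")


def parse_autorun(text):
    """{key: value} for the [autorun] section with keys lowercased; {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    cp.optionxform = str.lower
    cp.read_string(text)
    return dict(cp["autorun"]) if cp.has_section("autorun") else {}


def assess(inf):
    """Human-readable findings; an empty list means nothing would execute."""
    findings = []
    for key, value in inf.items():
        if key in EXEC_KEYS or EXEC_SHELL_CMD.match(key):
            findings.append(f"executes on insert: {key}={value}")
    if "shell" in inf:
        findings.append(f"overrides default verb: shell={inf['shell']}")
    if findings and any(k in inf for k in SPOOF_KEYS):
        findings.append("cosmetic keys present (label/icon/action): "
                        "disguised as a genuine 'Open folder' entry")
    return findings


if __name__ == "__main__":
    for line in assess(parse_autorun(SAMPLE_AUTORUN_INF)) or ["no execution directives"]:
        print(line)
```

An `autorun.inf` that carries only `icon=` and `label=` is what a legitimate vendor ships; `open=`, `shellexecute=` or a `shell\...\command=` pointing into a hidden folder on the card is the signature of the attack. KB967715's registry fix (the `NoDriveTypeAutoRun` policy value, `0xFF` to cover every drive type) stops Windows from acting on the file at all, which is the right fix on the host; this script is for deciding what a card you have already been handed would have done.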


#264 AplusWebMaster


Posted 11 March 2010 - 12:46 PM

FYI...

iPad giveaway gives users identities away
- http://blog.trendmic...dentities-away/
Mar 9, 2010 - "... spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities... The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities... This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks... Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click."

(Screenshots available at the URL above.)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 11 March 2010 - 02:13 PM.



#265 AplusWebMaster


Posted 14 March 2010 - 10:25 AM

FYI...

ZeuS detection on your PC...
- http://www.securewor...h/threats/zeus/
March 11, 2010 - "... How to detect the ZeuS Banking Trojan on your computer
Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection...
sdra64.exe (malware)
user.ds (encrypted stolen data file)
user.ds.lll (temporary file for stolen data)
local.ds (encrypted configuration file)
The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities..."

(More detail available at the URL above.)

:ph34r: <_<




#266 AplusWebMaster


Posted 17 March 2010 - 04:04 PM

FYI...

Online stock trading is risky
- http://www.f-secure....s/00001909.html
March 17, 2010 - "Buying and selling stock online is big business. It also carries its own risks. And we don't mean the risk of doing bad investments; we mean losing access to your trading account because your computer got infected by a keylogger. Take a case of Mr. Valery Maltsev from St. Petersburg. Maltsev runs an investment company called Broco Investments... Unfortunately (to him), Maltsev was yesterday charged by the US Securities & Exchange Commission. They claim that Maltsev's extraordinary gains in thinly traded NASDAQ and NYSE stocks were not a coincidence. Apparently Maltsev used malware with keyloggers to gain access to other people's online trading accounts. With such accounts, he could buy stocks at inflated prices, and use his real account to sell the same stock, for instant gains. Quoting from the SEC Complaint:
On December 21, 2009, at 13:37, BroCo bought shares of Ameriserv Financial, Inc (ASRV) at a price of $1.51 per share. Approximately one minute later, three accounts at Scottrade were illegally accessed and used to purchase shares of ASRV at prices ranging from $1.545 to $1.828 per share. While this was happening, BroCo sold shares of ASRV at prices ranging from $1.70 to $1.80 per share, finishing at 13:52. By trading shares of ASRV within minutes of unauthorized trading through the compromised accounts, Maltsev and BroCo grossed $141,500 in approximately fifteen minutes, realizing a net profit of $17,760 ..."

- http://www.theregist...d_dump_hacking/
16 March 2010 - "... The scheme earned at least $255,532 from August to December at a cost of $603,000 to broker-dealers, which had to reimburse customers... The lawsuit seeks an order freezing the Genesis accounts and requiring Maltsev to repay the lost funds..."

:ph34r: :ph34r:



#267 AplusWebMaster


Posted 18 March 2010 - 08:04 AM

FYI...

Battery recharger software trojan - more...
- http://www.theregist...trojan_returns/
18 March 2010 - "... the file that spreads the infection was -still- being distributed Wednesday evening on a European site operated by the consumer-products company. According to this VirusTotal analysis*, UsbCharger_setup_V1_1_1.exe is flagged as malicious by 24 of the 42 leading anti-virus firms. To make sure it wasn't a false positive, The Register checked with anti-virus firms Immunet and Trend Micro, both of which said the infection is real. Contrary to the VirusTotal results, the threat is also flagged by Symantec's Norton AV app, Immunet added. Trend Micro Senior Threat Researcher Paul Ferguson said his company's AV product also protects against it by flagging a key dll file, rather than the executable file. Microsoft labels the trojan as Arurizer.A and warns that it installs a backdoor on user machines that allows attackers to upload, download, and delete files at will, install additional malware and carry out other nefarious deeds. Twelve days ago, Energizer pledged to mount an investigation into how such a gaffe could have happened. The company has yet to release the results of that probe... Sometimes, the low-tech - or no-tech - solution is the way to go."
* http://www.virustota...b1d7-1268871703
File UsbCharger_setup_V1_1_1.exe received on 2010.03.18 00:21:43 (UTC)
Result: 24/42 (57.14%)

:ph34r: <_<

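Both the SecureWorks ZeuS note (post #265: `sdra64.exe`, `user.ds`, `user.ds.lll`, `local.ds`, usually with the HIDDEN attribute set) and the Secunia/Register items on the Energizer charger backdoor (`Arucer.dll` dropped into `system32`) boil down to file-name indicators you can sweep a disk for. The scanner below is an added example, not SecureWorks, Secunia or Microsoft code; the indicator names are taken from the text quoted in this thread. It builds a throwaway directory tree to run against so it works offline on any OS, and on Windows it also reports the HIDDEN attribute; the directory layout of the fixture is constructed and is not a claim about where a real infection puts its files.

```python
"""Sweep a directory tree for the ZeuS and Energizer-backdoor file indicators
quoted in this thread and report any that carry the Windows HIDDEN attribute.

Added example. The fixture tree is constructed; indicator names are from the
SecureWorks and Secunia text quoted above.
"""
import os
import stat
import tempfile

IOC_FILENAMES = {
    "sdra64.exe": "ZeuS loader (injects into winlogon.exe / explorer.exe)",
    "user.ds": "ZeuS encrypted stolen-data file",
    "user.ds.lll": "ZeuS temporary stolen-data file",
    "local.ds": "ZeuS encrypted configuration file",
    "arucer.dll": "Energizer DUO charger backdoor (VU#154421)",
}


def is_hidden(path):
    """Windows HIDDEN attribute; False on platforms without file attributes."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan(root):
    """Walk root; return sorted (path, description, hidden) tuples for matches.
    Matching is case-insensitive because Windows file names are."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            desc = IOC_FILENAMES.get(name.lower())
            if desc:
                path = os.path.join(dirpath, name)
                hits.append((path, desc, is_hidden(path)))
    return sorted(hits)


def summarize(hits):
    """Sorted lowercase basenames of the matches, for reports and tests."""
    return sorted(os.path.basename(p).lower() for p, _desc, _hidden in hits)


def build_sample_tree(infected=True):
    """Constructed fixture: a fake WINDOWS\\system32 holding the indicator files
    (when infected=True) plus a benign DLL that must never be flagged."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    sysdir = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sysdir)
    names = ["kernel32.dll"]
    if infected:
        names += ["sdra64.exe", "user.ds", "user.ds.lll", "local.ds", "Arucer.dll"]
    for name in names:
        with open(os.path.join(sysdir, name), "wb") as fh:
            fh.write(b"\x00")  # contents are irrelevant to a name-based sweep
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, desc, hidden in scan(target) or []:
        print(f"{'HIDDEN ' if hidden else ''}{path}: {desc}")
```

Run it as `python scan.py C:\` on a suspect box (or with no argument to see it work on the fixture). A name match is a lead, not a verdict: the SecureWorks note says `sdra64.exe` hides by injecting into `winlogon.exe` or `explorer.exe` and exiting, so an absent file does not clear the host, and a present one should be confirmed by hash or with a scanner before cleanup.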


#268 AplusWebMaster


Posted 18 March 2010 - 02:21 PM

FYI...

Zeus trojan campaign Warning - SPAM
- http://www.us-cert.g...ns_against_zeus
March 17, 2010 - "US-CERT is aware of public reports of malicious code circulating via spam email messages impersonating the Department of Homeland Security (DHS). The attacks arrive via unsolicited email messages that may contain subject lines related to DHS or other government activity. These messages may contain a link or attachment. If users click on this link or open the attachment, they may be infected with malicious code, including the Zeus Trojan..."

:ph34r: <_<



#269 AplusWebMaster


Posted 21 March 2010 - 06:33 PM

FYI...

Twitter phishing attack...
- http://www.f-secure....s/00001911.html
March 21, 2010 - "Today there's a phishing run underway in Twitter, using Direct Messages ("DMs"). These are private one-to-one Tweets inside Twitter... If you mistakenly give out your credentials, the attackers will start sending similar Direct Messages to your contacts, posing as you. The ultimate goal of the attackers is to gain access to a large amount of valid Twitter accounts, then use these accounts to post Tweets with URLs pointing to malicious websites which will take over users' computers when clicked... The good news is that Twitter is already filtering these from being posted, although it's unclear if they are also removing already-delivered DMs. Also, the Twitter built-in link shorteners (twt.tl and bit.ly) already detect the URLs as malicious."

(Screenshots available at the URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 21 March 2010 - 06:43 PM.



#270 AplusWebMaster


Posted 22 March 2010 - 07:11 AM

FYI...

Malicious medical ads flood users’ Inboxes
- http://blog.trendmic...
Mar. 21, 2010 - "TrendLabs observed an increase in malicious medical advertisements spammed to users’ e-mail inboxes. Two of the samples our engineers obtained looked legitimate, even had professional-looking graphics... Another was just the normal, everyday, plain-text spam... The spammed messages enticed recipients to purchase the medicines the scammers were selling. These lured recipients with supposed huge discounts, ranging from 70–80% off of all products. The messages also sported links that when clicked redirected users to a spoofed online store that sold male organ-enhancing pills. More recently, a spam run that uses a new feature was discovered. Instead of asking recipients to click an embedded link or an image, it asked them to open the .JPG file attachment—an image of Viagra and Cialis—along with the line, “DO NOT CLICK, JUST ENTER (a particular URL) IN YOUR BROWSER.” The spammed messages also contained a series of salad words to avoid being filtered..."

(Screenshots available at the URL above.)

:ph34r: <_<

