2072 replies to this topic

[AplusWebMaster]

FYI...

ID theft malware rates...
- http://preview.tinyurl.com/dn8vkj
March 9, 2009 PandaLabs blog - "Today we're announcing results of a study that analyzed 67 million computers in 2008 and revealed that 1.1 percent of the worldwide population of Internet users have been actively exposed to identity theft malware. We predict that the infection rate will increase by an additional 336 percent per month throughout 2009, based on the trend of the previous 14 months. Here are the highlights from our study on the evolution of online identity theft:
• Over three million of the audited users in the U.S. and more than 10 million users worldwide were infected with active identity theft-based malware last year.
• 1.07% of all PCs scanned in 2008 were infected with active malware (resident in memory during the scan) related to identity theft, such as banker Trojans.
• 35% of the infected PCs had up-to-date antivirus software installed.
• The number of PCs infected with identify theft malware increased by 800 percent from the first half of 2008 to the second half.
• Arizona, California and Florida continue to be the states with the highest per-capita incidence of reported identity theft.
Active malware means malware that is loaded into the PC's memory and actively running as a process. For example, users of PCs infected with this type of identity theft malware who utilize online services such as shopping, banking, and social networking, have had their identities stolen in some fashion. According to the Federal Trade Commission (FTC), the average time victims spend resolving identity theft issues is 30 hours per incident. The cumulative cost in hours alone from identity theft related malware based on Panda Security's projected infection rate could reach 90 million hours..."

[AplusWebMaster]

FYI...

TinyURL phishing...
- http://blog.trendmic...coming-popular/
Mar. 13, 2009 - "... We previously blogged about similar phishing operations that used this exact technique to trick users into thinking links are legitimate:
• http://blog.trendmic...-tiny-phishing/
• http://blog.trendmic...in-im-phishing/
...Substituting preview.tinyurl.com* for tinyurl.com also allows users to get a preview of the final link."

* http://tinyurl.com/preview.php
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature..."

[AplusWebMaster]

FYI...

Malicious SPAM run(s), again...
- http://www.f-secure....s/00001625.html
March 13, 2009 - "The type of spam runs we saw late last year (Obama and BofA) are starting to pick up again in volume. We've seen Classmates being used as a theme and two days ago it was fake Facebook messages. Today it's back to fake Bank of America certificates... As in all previous spam runs it leads to a site prompting you to download a fake Adobe Flash player. This malware steals confidential information and sends it to a web server. In previous attacks this server was in Ukraine but it has now been moved to Hong Kong. If you see network traffic to the IP address 58.65.232.17 it's a bad sign."

(Screenshot available at the URL above.)

[AplusWebMaster]

FYI... More rogues...

- http://sunbeltblog.b...y-products.html
March 14, 2009 - "General Antivirus and Personal Antivirus are the new clones of Internet Antivirus Pro rogue security product..."

- http://www.symantec...._...-99&tabid=2
March 13, 2009
Name: System Guard 2009
Publisher: System Guard
...The program reports false or exaggerated system security threats on the computer.

- http://www.symantec...._...-99&tabid=2
March 11, 2009
Name: Virus Melt
Publisher: iSystems Inc.
...The program reports false or exaggerated system security threats on the computer.

(Screenshots available at above URLs.)

[AplusWebMaster]

FYI...

Waledac - SPAM new variant theme in the wild...
- http://securitylabs....lerts/3321.aspx
03.16.2009 - "Websense... has detected yet another new Waledac campaign theme in the wild. The new variant uses a Reuters theme as a social engineering mechanism to report a bogus news item relating to a 'bomb explosion'. The malicious Web sites in the current attack are socially engineered to report the geolocation of the incident corresponding to the user's IP address. They encourage users to view a video supposedly related to the news report. When users click on the video or the link below the video, they are advised to download the latest version of Flash Player. This leads to the download of Waledac variants. The theme includes legitimate links corresponding to Wikipedia and Google which are presented in a 'Related Links' section of the attack Web sites. Those legitimate links are used to target unsuspecting users in order to increase chances of success with the attack..."

- http://blog.trendmic...al-engineering/
Mar. 16, 2009

- http://www.sophos.co...09/03/3541.html
15 March 2009

(Screenshots available at each URL above.)

Edited by AplusWebMaster, 17 March 2009 - 08:25 AM.
Added TrendMicro and Sophos links...

[AplusWebMaster]

FYI...

2000 percent increase in web threats - 2005-2008...
- http://blog.trendmic...a-down-economy/
Mar. 17, 2009 - "...TrendLabs reports more than a twenty-fold (2000 percent) increase in web threats between the beginning of 2005 and the end of 2008... for 2008 over 90 percent of all digital threats arrive at their targets via the Internet... from January until November 2008, a staggering 34.3 million PCs were infected with botnet-related malware..."

Trend Micro 2008 Annual Threat Roundup and 2009 Forecast
- http://us.trendmicro...eat_roundup.pdf
3.26MB PDF file

[AplusWebMaster]

FYI...

SPAM - fake Comcast, Facebook e-mails
- http://www.f-secure....s/00001630.html
March 19, 2009 - "...new SPAM run that's going on. It's from the same group that used Bank Of America as the lure late last week and Northern Bank on Monday. Today it's Comcast and it might actually have a higher success rate then the previous run as users always want faster broadband, especially if there's no fee involved. And the page looks really convincing. Once installed the malware does the same as in the other spam runs - steals data and sends it to Hong Kong...
Update: The spam run was just changed to a Facebook scheme.
Some subjects are:
• FaceBook message: Magnificent girl dancing video clip (Last rated by Sal Velasquez)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Abe Bain)
• FaceBook message: Hot Girl Dancing At Striptease Dance Party (Last rated by Lowell Clay)
• FaceBook message: Dancing Girl Drunk In The Pub- facebook Video (Last rated by Shane Lucas)..."

YouTube e-mail link...
- http://www.f-secure....s/00001629.html
March 19, 2009 "YouTube is once again being used as a lure to spread malware. Some clown is sending out e-mails... if you follow the link, this one actually uses a Java applet (complete with a fake signature) to push a variant of Parite to the machines..."

Death exploited by hackers...
- http://www.sophos.co...death-exploited
March 19, 2009 - "Cybercriminals don't waste any time these days jumping on the coat-tails of breaking news stories in their attempt to infect as many computer users as possible. This time it's the tragic death of award-winning English actress Natasha Richardson, who died yesterday after suffering head injuries in a skiing accident earlier in the week. It appears that hackers are stuffing webpages with keywords - most likely scraping the content off legitimate news websites - in order to lure unwary surfers into visiting their dangerous sites and infecting their computers... of course, if you do visit the malicious web link a malicious script will run on your computer... that then runs a fake anti-virus product designed to scare you into making an unwise purchase. Fake anti-virus products, also known as scareware or rogueware, are one of the fastest growing threats on the internet, and attempt to frighten you into believing that your computer has a security problem and that you should purchase a solution from the very people who have tricked you..."

(Screenshots available at each URL above.)

Edited by AplusWebMaster, 20 March 2009 - 04:59 AM.

[AplusWebMaster]

FYI...

Antivirus2009 ransomware...
- http://preview.tinyurl.com/df8n2t
March 20, 2009 Security Fix/Brian Krebs - "... this version of Antivirus2009 encrypts or scrambles contents of documents... so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder... The good news is the nice folks over at BleepingComputer.com*, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won't help get a victim's documents back. But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service** where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder. This is the first time I've ever heard of scareware being bundled with so-called "ransomware"..."

* http://www.bleepingc...opic212357.html

** http://blog.fireeye....-scareware.html

- http://www.pcworld.c...virus_apps.html
Mar 20, 2009 - "...According to the Antiphishing Working Group*, the number of fake security programs skyrocketed from average of around 2,500 per month to 9,287 in December..."
* http://www.antiphish...ort_H2_2008.pdf

Edited by AplusWebMaster, 20 March 2009 - 02:28 PM.
Added PCWorld, APWG report links...

[LDTate]

Self Help Guide also found here.
http://forums.whatth...ro_t101208.html

[AplusWebMaster]

FYI...

Trafficconverter takedown...
- http://www.f-secure....s/00001631.html
March 20, 2009 - "One of the more notorious pay-per-install programs, Trafficconverter has been taken down today. These sites work like this:
1. Trafficconverter developes a "rogue" antivirus product
2. The product will find viruses even on clean systems
3. It won't "clean" those viruses unless you register the product
4. Trafficconverter does not market their software at all
5. Instead, all the marketing is done through affiliates
6. Affiliates have existing botnets of thousands of infected computers
7. They remotely install these rogue products to those computers
8. Confused end users see warning messages about viruses on their screens
9. ...and register the rogue product for $50 to "fix" their machine
10. Affiliates get $30 per customer, Trafficconverter get $20
11. ?? ...
12. PROFIT!
...So, it's good to see these guys going offline. Kudos to Brian Krebs*!"
* http://voices.washin..._rogue_ant.html
March 16, 2009
- http://voices.washin...rogue_anti.html
March 20, 2009

(Screenshots available at both URLs above.)

[AplusWebMaster]

FYI...

Trafficconverter takedown - Downadup motivations
- https://forums2.syma.../article-id/254
03-23-2009 - "As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker) speculation continues on whether the payload will be one big April Fool’s joke, or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations of past Downadup variants to postulate that the payload will likely be something between the two extremes. The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. In a similar fashion to the recent Downadup variant, Downadup.A had a payload delivery date after its initial release, on December 1, 2008. Downadup.A attempted to download its payload file from hxxp ://trafficconverter.biz/4vir/antispyware/loadadv.exe. While Downadup.A was never able to download its payload because the payload site was shut down, the owner of the site trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antispyware products) onto users’ machines..."

//
- http://centralops.ne...ainDossier.aspx
Domain Name: TRAFFICCONVERTER.BIZ ...
Registrant Country Code: GB ...
Name Server: NS1.SUSPENDED-DOMAIN.COM
Name Server: NS2.SUSPENDED-DOMAIN.COM
Created by Registrar: ESTDOMAINS INC ...
//

Edited by AplusWebMaster, 24 March 2009 - 04:47 AM.

[AplusWebMaster]

FYI...

More Malicious SPAM from Pushdo...
- http://www.marshal.c...hesection=trace
March 18, 2009 "...
> Phishing - Pushdo is currently one of the major botnets responsible for sending Phishing spam. For the past few weeks, it has been targeting Paypal, USBank and Fifth Third Bank customers to lure users into opening links from spam and logging on to a legitimate looking websites... More recently, a Bank Of America spam attack was caught by our spam traps - again sent by Pushdo. The email tells you that the automatic installation of a Bank of America certificate failed and needs manual installation. Opening the link from the message body will open a website that provides an "instruction video" on how to install the "certificate". Of course, it needs "Adobeflashplayer.exe" to view it. But please be wary, the executable file is a password stealing Trojan horse...
> Social Networking website brands like Classmates and Facebook are also used by Pushdo. Its modus operandi is to send you a fake video invitation. Upon opening the URL link the website will require you to download a fake video codec or flash version which, again, is actually a Trojan Horse...
> Malicious Attachments - Pushdo is one of the few botnets that regularly distibutes spam with malicious attachments. Themes vary, but recent themes include fake invoices and airline ticket confirmations. The email usually asks you to open a ZIP-compressed attachment for you to print. The .ZIP attachment contains a password stealing Trojan Horse that hides its appearance by using a Microsoft Excel icon...
> Scams - Our spam traps also receive scam emails offering part-time and remote employment. Pushdo uses variations of subject lines like:
• Experience employment: Manager (Remote, part-time vacancy; 2500 USD/month)
• Experience long-term employment: Accountant (Remote, part-time vacancy; 2500 USD/month)
• Part time Manager (Remote vacancy; 2500 USD/month)
• Newly opening Accountant (Remote, part-time vacancy; 2500 USD/month)
• Experience employment: Accountant (Remote, part-time vacancy; 2500 USD/month)
> Valentine's Day Theme - And lastly, approximately 20% of the spam Pushdo currently sends is still using a Valentine's Day theme. At least for this botnet, everyday is Valentine's day..."

(Screenshots available at the URL above.)

[AplusWebMaster]

Some references previous post in this thread:
- http://forums.whatth..._...st&p=540215

Xrupter -aka- Vundo ...
- https://forums2.syma.../article-id/255
03-24-2009 - "Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo(1). Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter(2). This Trojan performs a search in the My Documents folders of your hard drive... This Trojan specifically targets these files for encryption because the creators knows these are the files that you are most likely to want back if the computer was ever compromised. Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available... If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted... The fortunate thing about this whole episode is that the makers of this scam have implemented a very weak algorithm for encryption of the files. Because of this, Symantec and various other security vendors such as FireEye have been able to decrypt the files affected by this Trojan. In fact, we are offering a tool that can be used to clean up this Trojan and recover encrypted files... If you need this fix tool, you can download it here*."

(Screenshots available at the URL above.)

1) http://www.symantec....-112111-3912-99

2) http://www.symantec...._...-99&tabid=1

* http://www.symantec..../FixXrupter.exe

[AplusWebMaster]

FYI...

Ghostnet - targeted attacks
- http://www.f-secure....s/00001637.html
March 29, 2009 - "University of Toronto published today a great research paper on targeted attacks. We've talked about targeted attacks for years. These cases usually go like this:
1. You receive a spoofed email with an attachment
2. The email appears to come from someone you know
3. The contents make sense and talk about real things (and in your language)
4. The attachment is a PDF, DOC, PPT or XLS
5. When you open up the attachment, you get a document on your screen that makes sense
6. But you also get exploited at the same time
7. The exploit drops a hidden remote access trojan, typically Grey Pigeon or Gh0st Rat variant
8. No one else got the email but you
9. You work for a government, a defense contractor or an NGO ...
But the real news is that Greg Walton & co actually managed to get an inside view of some of the servers used in these spying attacks. This means they got to see what was being done with the infected machines and where in the world they were... The release of the paper was synchronized with the New York Times article*. University of Cambridge released a related research paper at the same time as well. The Cambridge paper goes all the way to point the finger directly at the Chinese Government. Most other parties, us included, have not done such direct accusations without concrete proof of government involment... here are selected blog posts on the topic:
• Several examples of what the attack documents looked like
- http://www.f-secure....s/00001406.html
• The mystery of Sergeant "nbsstt"
- http://www.f-secure....s/00001449.html
• How we found the PDF generator used in some of these attacks
- http://www.f-secure....s/00001450.html ..."

* http://www.nytimes.c...logy/29spy.html

(Original document - scribd.com )
- http://preview.tinyurl.com/d5q3cj
Mar, 28, 2009 - "This report documents the GhostNet - a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs..."

Edited by AplusWebMaster, 29 March 2009 - 07:11 PM.
Added link to original document...

[AplusWebMaster]

FYI...

Conficker hype used by rogue gangs
- http://www.f-secure....s/00001639.html
March 30, 2009 - "... We found out that rogue security software folks have picked up on this. For example, lets have a look at remove-conficker .org, a domain which was registered today... They advertise a tool called MalwareRemovalBot. It's fake. Interestingly, it doesn't always find non-existing malware infections on your PC - only sometimes. But one thing is for sure, it does not remove Conficker.C. We tried it and it didn't do a thing to remove it. When it did find something that it claimed to be malware... And then it asked us to register and pay $39.95 for the removal functionality... When following up on this we did a Google search for "remove conficker.c" and saw several purchased ads that lead to the same type of "security" software as well... Like AdwareAlert and AntiSpy2009 It's clear that it's an affiliate program going on..."

(Screenshots available at the F-secure URL above.)