Category: Virus


Social engineering is probably the most common technique for enticing unsuspecting victims into revealing information or purchasing something of no value. In the anti-virus world we often see malware authors use scare tactics to sell rogue anti-virus, or “fake alert”, software.

Rogue malware authors use various methods to fool victims into purchasing their products. Some of the most common methods are:

  • Manipulating search-engine results so that common search terms bring malicious web pages to the top of the list, a.k.a. search poisoning
  • Disguising the rogue software as a legitimate application, especially on peer-to-peer and IRC networks
  • Offering downloads that pose as legitimate software over the BitTorrent protocol

Over the last couple of days McAfee Labs has seen an increase in customer submissions of one variant of the fake alert family, classified as FakeAlert-SpyPro.gen.ai. We’ll describe the characteristic behavior of this variant in this blog. We also have a comprehensive description of this malware in our Virus Information Library.

Once this malware is run on the local machine, it displays a warning indicating that the computer is infected with various types of malware and that the user needs to click to clean the computer.

When the user clicks the warning, it pops up a window and initiates a fake scan of the computer. It shows a number of detections and warns the user that the system is infected. To “clean” the malware from the computer, users must purchase the software from the website “antiv[removed].com”.

If left to run, this software attempts to use Internet Explorer to open websites with pornographic content.

The fake alert software also makes a number of changes to the Windows registry so that it loads itself at startup, and it disables the phishing filter in Internet Explorer.

When users attempt to run a legitimate executable, this malware pops up, informs them that the file is infected, and asks whether they want to run the “anti-virus” software to clean the infection.

Here are a few cleaning and remediation steps you can take to remove this malware or keep it at bay:

  • Ensure that you have a legitimate copy of anti-virus software installed on the machine
  • Ensure that the software is updated regularly
  • Exercise caution when you click on links. Software such as SiteAdvisor (www.siteadvisor.com) can help because it distinguishes between safe and risky sites.
  • Do not be enticed into downloading “legitimate” software for free, especially from P2P, IRC, or BitTorrent networks
  • Exercise caution when clicking links in emails that look suspicious, even if they appear to come from a known contact

Source: TrustedSource

Anti-malware companies are tracking a new “download-and-run” e-mail worm squirming through inboxes around the world.

The worm, which uses the subject line “here you have” and random text like “This is The Free Dowload Sex Movies,you can find it Here,” includes a link to what purports to be a PDF document but is instead an executable file hosted on a Web site.

If a user clicks on the link and runs the file, the machine gets infected and continues the propagation routine.

McAfee explains:

When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once infected, the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.
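The two host-side indicators in that description (a CSRSS.EXE outside the Windows System directory, and autorun.inf files on mapped or removable drives that launch an executable) are easy to check for in bulk. The following triage script is an added example for this page, not McAfee’s or ZDNet’s tooling; the file listing and the autorun.inf text are constructed samples, not material recovered from the worm.

```python
"""Triage checks for the indicators listed above: a copy of csrss.exe that is
not %WINDIR%\\System32\\csrss.exe, and an autorun.inf that would launch an
executable.  Added example; paths and autorun.inf content are constructed."""
import configparser
from pathlib import PureWindowsPath

LAUNCHABLE = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def flag_rogue_csrss(paths, windir=r"C:\Windows"):
    """Return every path named csrss.exe that is not the System32 copy.

    PureWindowsPath compares case-insensitively, so C:\\WINDOWS\\SYSTEM32\\CSRSS.EXE
    is recognised as the legitimate binary and not reported.
    """
    legit = PureWindowsPath(windir) / "System32" / "csrss.exe"
    return [p for p in paths
            if PureWindowsPath(p).name.lower() == "csrss.exe"
            and PureWindowsPath(p) != legit]


def autorun_launch_targets(text):
    """Parse autorun.inf text and return (key, command) pairs Autorun would run.

    Only the [autorun] section matters.  The keys that execute something are
    open=, shellexecute= and shell\\<verb>\\command=; icon=, label= and action=
    are cosmetic and ignored.  RawConfigParser is used so that %SystemRoot%
    style values are not treated as interpolation.
    """
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=(";", "#"))
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):        # keys are lower-cased by configparser
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, value.strip().strip('"')))
    return targets


def autorun_is_suspicious(text):
    """True if any launch target's first token has an executable extension."""
    return any(cmd.lower().split()[0].endswith(LAUNCHABLE)
               for _, cmd in autorun_launch_targets(text) if cmd.strip())


SAMPLE_PATHS = [                        # constructed file listing
    r"C:\Windows\System32\csrss.exe",   # legitimate
    r"C:\Windows\csrss.exe",            # copy in the Windows directory
    r"E:\RECYCLER\csrss.exe",           # copy dropped on a removable drive
    r"C:\Windows\explorer.exe",
]

SAMPLE_AUTORUN = """\
; constructed sample autorun.inf, not the worm's real file
[AutoRun]
open=RECYCLER\\csrss.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\csrss.exe
shellexecute=RECYCLER\\csrss.exe
"""

if __name__ == "__main__":
    for p in flag_rogue_csrss(SAMPLE_PATHS):
        print("rogue csrss.exe:", p)
    for key, cmd in autorun_launch_targets(SAMPLE_AUTORUN):
        print("autorun launches:", key, "->", cmd)
    print("autorun suspicious:", autorun_is_suspicious(SAMPLE_AUTORUN))
```

In practice the path list comes from a directory walk of each host and each mounted drive; the point of the script is that both checks are pure string logic, so they can be run from a read-only boot environment on a machine you do not yet trust.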

“In spite of this primitive propagation routine, the worm is pretty active, and currently sending out significant amounts of mail,” says Alexander Gostev, a security researcher at Kaspersky Lab (see disclosure).

UPDATE: I’ve confirmed that the website hosting all the malicious worm files has been deleted, meaning the worm has effectively been killed. Keep in mind, however, that an infected computer will continue to spew e-mails until it is cleaned.

My colleagues have found evidence of this worm squirming since early August. Here is a Microsoft malware alert dating back to August 4, 2010. This Symantec virus description also shows the e-mail threat was in circulation last month.

Source: ZDNet

Attack code for the Windows shortcut zero-day has gone public.

The development increases the risk that the attack vector, already used by the highly sophisticated Stuxnet Trojan to attack SCADA control systems, will be applied against a wider range of vulnerable systems.

All versions of Windows are potentially vulnerable to the exploit.

Just viewing the contents of an infected USB stick is enough to get pwned, even on systems where Windows Autoplay is disabled. Maliciously crafted Windows shortcut (.lnk) files might also be able to push malicious code through other attack routes left open by the vulnerability, such as Windows shares.

The SANS Institute’s Internet Storm Centre has responded to the heightened threat by moving onto yellow alert status for the first time in years. “We believe wide-scale exploitation is only a matter of time,” writes ISC handler Lenny Zeltser.

“The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools’ ability to detect generic versions of the exploit has not been very effective so far.”

Microsoft has acknowledged the problem – and published workarounds designed to guard against attack – ahead of a possible patch. Going by previous form, and given the seriousness of the flaw and the number of platforms affected, Microsoft’s security gnomes will have their work cut out to release a fix as part of August’s Patch Tuesday, much less any sooner.

The Siemens SIMATIC WinCC SCADA systems specifically targeted by the Stuxnet Trojan use hard-coded admin username / password combinations that users are told not to change. Details of these passwords have been available on underground hacker forums for at least two years, Wired reports.

Worse still, changing Siemens’ hard-coded password will crash vulnerable SCADA systems, IDG reports. Siemens is in the process of developing guidelines for customers on how to mitigate the risk of possible attack.

An overview of the vulnerability and its implications can be found in a blog posting by Rik Ferguson of Trend Micro here.

Source: The Register

South Korean government and private websites have come under cyber-attack a year after a major attack briefly crippled sites domestically and in the United States, officials said on Thursday.

Five websites including those of the Presidential Blue House and the Foreign Ministry were attacked on Wednesday but little damage was done, the Korea Communications Commission (KCC) said.

On July 7, 2009, the so-called distributed denial-of-service (DDoS) attacks shut down 25 Internet sites for hours – 11 in South Korea and 14 in the United States.

‘The DDoS attacks resumed exactly a year later as some contaminated PCs were left untreated,’ the KCC said in a statement.

‘However, no obstacles were created in getting access to those sites as the traffic from zombie computers was negligible,’ it said, referring to computers unknowingly contaminated with a virus.

The commission told Internet service providers to urge those using contaminated computers to erase the virus.

Source: AFP

Nearly a month after a Google engineer released details of a new Windows XP flaw, criminals have dramatically ramped up online attacks that leverage the bug.

Microsoft reported Wednesday that it has now logged more than 10,000 attacks. “At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15th, the first real public exploits emerged,” Microsoft said in a blog posting. “Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up.”

The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said.

PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks, Microsoft said.

According to security vendor Symantec, these attacks peaked late last week. “Symantec has seen increased activity around this vulnerability. The increased activity started around June 21 and peaked around June 26 and 27,” a company spokesman said via instant message Wednesday. Attacks have leveled out since then, he added.

Criminals are using the attack code to download different malicious programs, including viruses, Trojans and software called Obitel, which simply downloads more malware, Microsoft said.

The flaw that’s exploited in all of these attacks lies in the Windows Help and Support center software that comes with Windows XP. It was disclosed on June 10 by Google researcher Tavis Ormandy. This Help Center software also ships with Windows Server 2003, but that operating system is apparently not vulnerable to the attack, Microsoft said.

Ormandy was criticized by some in the security community for not giving Microsoft more time to patch the flaw, which he disclosed to the software vendor on June 5. He released details of the bug five days later, apparently after failing to convince Microsoft to fix the issue within 60 days.

In a security advisory released June 10, Microsoft outlines several ways to turn off the Windows Help Center Protocol (HCP).
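Because these attacks arrive as web pages that hand a URL to the hcp:// protocol handler, a proxy or mail gateway can flag pages that reference the scheme at all; ordinary sites have no reason to. The scanner below is an added example for this page, not Microsoft’s, Symantec’s or Ormandy’s code. The sample page is constructed, and its hcp:// URLs are placeholders rather than the published exploit string. Its one real point is the normalisation step: a scheme can be hidden behind HTML entities or percent-encoding, so the check has to see what the browser would act on, not the raw bytes.

```python
"""Flag HTML that references the hcp: protocol handler.  Added example; the
sample page is constructed and its hcp: URLs are placeholders."""
import html
import re
from urllib.parse import unquote

# the scheme, then everything up to the next quote, whitespace or tag edge
HCP_URL = re.compile(r"hcp:[^\s\"'<>]*", re.I)


def normalise(page_html):
    """Undo the two encodings a scheme can hide behind, HTML entities (h&#99;p:)
    and percent-encoding (hcp%3A), then drop the control characters browsers
    ignore inside a URL, so the regex sees what the browser would resolve."""
    text = unquote(html.unescape(page_html))
    return re.sub(r"[\x00-\x1f]", "", text)


def find_hcp_links(page_html):
    """Return every hcp: URL in the page after normalisation, in document order."""
    return [m.group(0) for m in HCP_URL.finditer(normalise(page_html))]


def page_is_suspicious(page_html):
    """An ordinary web page has no business referencing hcp: at all."""
    return bool(find_hcp_links(page_html))


SAMPLE_PAGE = """<html><body>  <!-- constructed sample, not a captured attack page -->
<a href="http://example.test/video.html">watch</a>
<iframe src="h&#99;p://services/example?topic=placeholder" width="1" height="1"></iframe>
<script>location.href = "HCP%3A//services/example";</script>
</body></html>"""

if __name__ == "__main__":
    for url in find_hcp_links(SAMPLE_PAGE):
        print("hcp link:", url)
    print("suspicious:", page_is_suspicious(SAMPLE_PAGE))
```

This is a static check and will miss URLs assembled at run time by script; it is a cheap filter, not a substitute for the advisory’s workaround of unregistering the HCP handler on the endpoints themselves.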

Microsoft’s next set of security updates is due July 13.

Source: Yahoo!

Hackers have planted viruses in video games for smartphones running on Microsoft Corp’s Windows operating system, according to a firm that specializes in securing mobile devices.

The games — 3D Anti-Terrorist and PDA Poker Art — are available on sites that provide legitimate software for mobile devices, according to John Hering, CEO of San Francisco-based security firm Lookout.

Those games are bundled with malicious software that automatically dials premium-rate telephone services in Somalia, Italy and other countries, sometimes ringing up hundreds of dollars in charges in a single month.

Those services are run by the programmers who built the tainted software, Hering said on Friday.

Victims generally do not realize they have been infected until they get their phone bill and see hundreds of dollars of unexpected charges for those premium-rate services, he said.

Hackers are increasingly targeting smartphone users as sales of the sophisticated mobile devices have soared with the success of Apple Inc’s iPhone and Google Inc’s Android operating system.

Officials with Microsoft could not immediately be reached for comment.

Source: Yahoo! / Reuters (Boston)

Facebook users are being pounded by “clickjacking” attacks that have been affecting the site at unusually heavy levels for weeks.

The BBC notes that popular topics like the World Cup and Hayley Williams are driving the attacks, with users now regularly seeing posts claiming to offer “Justin Bieber’s phone number,” which have allegedly been “liked” by their friends. When a user clicks on one of these posts, the “like” spreads further on the user’s own Facebook wall — even if the user never actually clicked the “like” button at all.

Right now these attacks are seen as relatively benign, since they only propagate these likes (and get more people to visit the Web page) but don’t damage your computer. That could change, though, experts note: all an attacker needs to do is put malicious content on the landing page of one of these likes, and the world could be in for a major security headache.
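Clickjacking of this kind works because the page with the “like” button can be loaded inside a frame on the attacker’s site; the site-side defence is to refuse framing from other origins. The checker below is an added example for this page, not Facebook’s or the BBC’s code, and the header sets it evaluates are constructed. It applies the two mechanisms a browser honours: X-Frame-Options, which was the anti-framing header available at the time of this story, and the later CSP frame-ancestors directive, which takes precedence when both are present.

```python
"""Decide whether a page can be framed by a given origin from its response
headers.  Added example; the header sets are constructed."""
import re
from collections import namedtuple
from urllib.parse import urlsplit

Origin = namedtuple("Origin", "scheme host port")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(url):
    """Reduce a URL to (scheme, host, effective port)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return Origin(scheme, (u.hostname or "").lower(),
                  u.port or DEFAULT_PORTS.get(scheme))


def _source_matches(src, framer, page):
    """Match one frame-ancestors source expression against the framing origin.

    Handles 'none', 'self', '*', scheme sources (https:) and host sources with an
    optional scheme, port and leading *. wildcard, which covers real policies."""
    s = src.strip().lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return framer == page
    if s == "*":
        return True
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", s):
        return framer.scheme == s[:-1]
    scheme, _, hostport = s.rpartition("://")
    host, _, port = hostport.partition(":")
    if scheme and framer.scheme != scheme:
        return False
    if port and port != "*" and str(framer.port) != port:
        return False
    if host.startswith("*."):
        return framer.host.endswith(host[1:])   # "*.partner.example" -> ".partner.example"
    return framer.host == host


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for framer_url embedding page_url.

    frame-ancestors, if present, decides and X-Frame-Options is ignored; with no
    anti-framing header at all the page is frameable by anyone, which is the
    clickjackable state."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = parse_origin(page_url), parse_origin(framer_url)

    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = any(_source_matches(s, framer, page) for s in value.split())
            return allowed, "frame-ancestors " + value.strip()

    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True, "no X-Frame-Options or frame-ancestors: any site can frame this page"
    token, _, rest = xfo.partition(" ")
    token = token.upper()
    if token == "DENY":
        return False, "X-Frame-Options: DENY"
    if token == "SAMEORIGIN":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    if token == "ALLOW-FROM":
        return framer == parse_origin(rest.strip()), "X-Frame-Options: " + xfo
    return True, "unrecognised X-Frame-Options value, browsers ignore it: " + xfo


PAGE = "https://www.example.test/like"          # constructed target page
ATTACKER = "https://evil.example/bieber-phone"  # constructed framing page
SAMPLE_HEADER_SETS = {                           # constructed responses
    "unprotected": {},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_HEADER_SETS.items():
        print(label, framing_allowed(headers, PAGE, ATTACKER))
```

A framed page can also defend itself with script that breaks out of the frame, but that is bypassable in ways the headers are not, so the header check is the one to put in a deployment gate.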

In fact, other attacks with malicious intent are spreading on the site. As BioScholar notes, three new phishing attacks hit over the weekend, with malicious code attempting to steal log-in and password information from users after they were duped into downloading a video on the site.

The most recent of these attacks attempts to get users to click on a “hilarious video” on the site, then requests Facebook log-in information so the video can be watched, installing malware along the way under the guise of adding a media player application to the PC. The login information is stolen, of course, and the user’s account is compromised from that point on unless the password is changed. And the malware “media player” installed on the PC stays behind even if the account information is altered.

The bottom line on Facebook security appears to be becoming more and more plain: Don’t click on anything.

Source: BBC / Yahoo!

Facebook’s Sexy Virus

There is a new virus spreading across Facebook that you will want to watch out for and keep off your computer. Thousands of users have already been affected. It appears in your Facebook news feed as a video whose thumbnail shows a woman in a short skirt, apparently riding a bicycle. If you click on it, you are taken to another site to download the “correct software” to watch the video.

That site then tries to get you to download something.

Any time you are taken to another site, beware. If you do not know the site, it is probably not safe, and you certainly should not download anything. If you do download this, it will also automatically post the same item on your Facebook wall, giving your friends a chance to download it too.

If you have already been affected by this virus, run an anti-virus scan of your computer. Don’t take any chances with this one; it can get you before you know it.

Source: eCanadaNOW

A just-published attack tactic that bypasses the security protections of most current antivirus software is a “very serious” problem, an executive at one unaffected company said.

Last week, researchers at Matousec.com outlined how attackers could exploit the kernel driver hooks that most security software uses to reroute Windows system calls through its own code, in order to check for potentially malicious code before it is able to execute.

Calling the technique an “argument-switch attack,” a Matousec-written paper spelled out in relatively specific terms how an attacker could swap out benign code for malicious code between the moments when the security software issues a green light and the code actually executes.

“This is definitely very serious,” said Alfred Huger, vice president of engineering at Immunet, a Palo Alto, Calif.-based antivirus company. “Probably any security product running on Windows XP can be exploited this way.” Huger added that Immunet’s desktop client is not vulnerable to the argument-switch attacks because the company’s software uses a different method to hook into the Windows kernel.

Source: PC World