The .ru Substitutions for .cn Domains

Author: Omid Farhang Published: February 21, 2010 Reading Time: 1 min

In the month of January, we reported a drop in .cn spam. This was due to changes in the domain registration process introduced by CNNIC. In the first week of February, the .cn spam volume fell further and fluctuated between 0 and 4 percent of total URL spam. Another interesting trend was observed during this period. On January 21 the volume of spam containing the .ru top-level domain (TLD) spiked to 9 percent, and rose further to close to 40 percent on February 8. Upon closer analysis, it was observed that the .cn domains used in the health spam attacks had been replaced with .ru domains. ...


Phishing the Brands of Online Auction Marketing Tools

Author: Omid Farhang Published: February 21, 2010 Reading Time: 2 min

The popularity of online auctions paves the way for the development of online auction marketing tools. These tools are software applications intended to facilitate the sellers’ side of popular online auction websites. Some of the tools that help sellers in auctions are: image hosting to display galleries of their products, listing of best bidders in a single template, automatic inventory systems to notify sellers when stock is low, etc. With the help of these tools, online auctions are easier and time-saving. ...


Do They Know it’s (not) Christmas Time at All?

Author: Omid Farhang Published: February 21, 2010 Reading Time: 1 min

I saw something quite funny when checking out the spam feeds the other day. An attachment kept appearing, once in a while, with a name of Christmas Card.zip. It was making sporadic appearances in the feeds (and the number of spam email messages was quite low), but there were a couple of these odd messages at equally odd hours of the day: The email message itself was a run-of-the-mill electronic greeting card with an HTML body containing a nice Flash animation—the Flash animation actually comes from a legitimate source (123greetings.com). The email body contains a message asking the user to open the attachment to see who sent the email. Of course, opening the attachment yields a malicious file. The name of the file inside is _**Christmas Card.htm[MANY SPACES].exe**_ and it is already detected by Symantec as W32.Ackantta.G@mm. ...


The Facebook Team informs you…

Author: Omid Farhang Published: February 16, 2010 Reading Time: 2 min

In the last two days our lab has detected a flood of email messages that seem to have been sent by the Facebook team urging users to submit a new account agreement. We’ve seen around 16,000 since yesterday. The subject of the message is UPDATED ACCOUNT AGREEMENT and the attached file is called AGREEMENT.ZIP. The message is like the following: Users are required to submit a new account agreement before a certain date. If not, their Facebook account will be restricted. The message also contains detailed instructions on how to do it. ...


Security Advisory, Adobe Reader

Author: Omid Farhang Published: February 16, 2010 Reading Time: 1 min

It’s Fat Tuesday — time for an Adobe Update. Adobe plans to release a security update for Adobe Reader and Acrobat later today. Read Security Advisory APSB10-07 for additional details.


Tiger’s play too rough on Valentines Day

Author: Omid Farhang Published: February 14, 2010 Reading Time: 1 min

While most sane people around the world are enjoying a romantic Valentine’s Day today, we at SophosLabs remain vigilant on the front line of the war against malware. This year, Valentine’s Day coincides with the Chinese New Year as well as the start of the Winter Olympics in Vancouver, and many malware attacks have centred around SEO poisoning of these and other topical search terms. The Chinese New Year of the Tiger is proving a popular target, especially as this ties in with any Tiger Woods related searches: ...


Unusual Valentine’s Gift Unwraps FakeAV

Author: Omid Farhang Published: February 14, 2010 Reading Time: 1 min

While everyone is searching the web for the unusual gift on Valentine’s Day, cybercriminals take this opportunity to propagate Rogue Antivirus. I have searched for the keywords “unusual-valentines-day-gifts”, which gives the following results: Clicking the highlighted link above will lead to a fake message such as “Alert! Your system is exposed to risk of virus attack. It’s highly recommended to check your PC immediately. Press OK to start the scan right now”. ...


Tidserv and MS10-015

Author: Omid Farhang Published: February 13, 2010 Reading Time: 3 min

In the past, viruses and computer threats were created simply for the sake of it. Sometimes these threats would wipe your hard drive clean—just to let you know you’d been owned. This is not the case anymore; nowadays most of the threats we see are profit-oriented and try to keep a very low profile so that they aren’t easily detectable by security software. Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. While the rootkit is active there is no easy way to detect the infection, and because it goes so deep into the kernel, most users cannot see anything wrong in the system. ...


Sun VirtualBox Update [3.1.4.57640]

Author: Omid Farhang Published: February 13, 2010 Reading Time: 4 min

VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software. Some of the features of VirtualBox are:

Modularity. VirtualBox has an extremely modular design with well-defined internal programming interfaces and a client/server design. This makes it easy to control it from several interfaces at once: for example, you can start a virtual machine in a typical virtual machine GUI and then control that machine from the command line, or possibly remotely. VirtualBox also comes with a full Software Development Kit: even though it is Open Source Software, you don’t have to hack the source to write a new interface for VirtualBox.

Virtual machine descriptions in XML. The configuration settings of virtual machines are stored entirely in XML and are independent of the local machines. Virtual machine definitions can therefore easily be ported to other computers. ...


Google Chrome Dev Channel Update [5.0.322.2]

Author: Omid Farhang Published: February 13, 2010 Reading Time: 2 min

The Google Chrome dev channel has been updated to 5.0.322.2 for Windows, Mac and Linux platforms.

All
[r38242] Don’t crash when a theme specifies a nonexistent image. (Issue: 31719)

Mac
[r38319] Honor modifiers for clicks on home button – cmd-clicking the home button now opens your home page in a new tab. (Issue: 34900)
[r38204] Implemented writing direction context menu in text input fields.
[r38504] Add local storage nodes to the cookie manager (Issue: 33068)

Linux ...
