Identifying Malicious Blogspot pages used by Koobface

Author: Omid Farhang Published: January 6, 2010 Reading Time: 2 min

Koobface is still going strong despite not making the headlines so much anymore. Well, the Koobface gang took the time to send a Christmas card and wish security researchers a happy new year. Very nice of them… For a couple of days now I’ve been looking at their infection method and trying to spot any interesting patterns. The bad guys use bogus blogspot.com blog pages to redirect users to the actual Koobface malware. The redirection consists of several attempts to connect to compromised PCs by their IP address. Below is a Fiddler log showing those attempted connections (failed connections are in red). Once a host has successfully responded, the user is redirected to a fake page prompting them to install a video codec. ...


Adobe Reader, Acrobat, Flash Player updater coming

Author: Omid Farhang Published: January 6, 2010 Reading Time: 2 min

There has been extensive news coverage this week of Adobe’s plans for ramped-up security in its popular Reader, Acrobat and Flash Player applications, especially the Reader and Acrobat updates promised next week. A vulnerability that was publicized in December in Reader and Acrobat allows an attacker to execute arbitrary code with a specially crafted PDF file using ZLib compressed streams. In a short time, proof-of-concept code was made public. In the past week, anti-virus companies began intercepting malicious .pdf files that exploit the vulnerability to install a back door on victims’ machines. ...


“Washable” cell phone coming soon

Author: Omid Farhang Published: January 6, 2010 Reading Time: 1 min

Seal Shield, a Jacksonville, Fla., company that makes washable computer keyboards and mice, said it will introduce the world’s first washable cell phone at the Consumer Electronics Show in Las Vegas this week. The company’s washable mice, keyboards and TV remotes can be cleaned in a dishwasher. This might be good. I have three 20-something step children who have discovered that cell phones as we have come to know them do not survive being dropped in toilets. ...


Damn Funny Instant Message—NOT!

Author: Omid Farhang Published: January 6, 2010 Reading Time: 3 min

I recently received a suspicious Gmail chat message from a friend (shown below). I was immediately suspicious about the message because this friend has never used chat to talk with me previously, and also he appeared to be offline and the content of the message was similar to messages that other instant messaging worms use. I expected that when I clicked on the link I would be asked to download an executable thinly disguised as a photo (for example, coolpic.jpg.exe) like W32.Scrimge.E or that some drive-by exploits would be used on the page such as the ones Koobface uses. Instead I was brought to the following page that asked me to log in to my choice of MSN, Yahoo, Gtalk, or AIM accounts to view the “private album.” ...


No Malware (NoMalware)

Author: Omid Farhang Published: January 6, 2010 Reading Time: 1 min

No Malware is a rogue security program, a phony. NoMalware is designed to trick people into purchasing the software, which is actually useless and is a PC infection in itself. NoMalware will use security scans to alert the user that their PC is infected. These security scans are not real; the infections reported are false. NoMalware will show these falsified scan results and refuse to remove the supposed infections unless the user buys the software. Do not fall for this scam. Victims that purchase NoMalware quickly learn that the software does not prevent infections or remove infections from their PCs. ...


Gaming Trojans: “because that’s where the money is.”

Author: Omid Farhang Published: January 6, 2010 Reading Time: 2 min

The massive growth of gold farming – the exchange of real money for virtual goods – might result in an increase in gaming Trojans and other malware aimed at gamers in the future. A well-respected researcher has described the incredible growth of “gold farming,” a significant industry and source of employment in China and other parts of Asia. He estimates there are 400,000 people working for gold farming companies. They spend as much as 12 hours per day playing online games in order to accumulate virtual goods which can be sold to some of the 50 million on-line game players worldwide for real cash. ...


PcsProtector

Author: Omid Farhang Published: January 6, 2010 Reading Time: 1 min

The creators of WiniGuard rogue security software have released their first clone of 2010. This new rogue is called PcsProtector.


One Y2010 bug surfaces – it could really fill the spam bucket

Author: Omid Farhang Published: January 6, 2010 Reading Time: 1 min

Mike Cardwell, an IT consultant in Nottingham, UK, reported on his blog finding a Y2010 bug in SpamAssassin. He found an error in a rule that the SpamAssassin folks thought they had fixed. “I think a lot of systems will be experiencing false positives on their ham because of this at the moment. It is a particularly high scoring rule considering that the default threshold is 5.0,” he wrote. For further information see: SpamAssassin Rule: FH_DATE_PAST_20XX


Flash, Christmas and the new year

Author: Omid Farhang Published: January 6, 2010 Reading Time: 1 min

We see spam all the time. One of the most dependable things spammers do is try to exploit various newsworthy events and holidays. Recently, we have seen spammers spreading malware using fake Flash updates, Christmas scams, or a combination of both. Add one more to that list. Take, for example, a spam I received today. The following email wishes the recipient a Merry Christmas and a Happy New Year, and then displays the following screen in an attempt to entice the user to click on the message. ...


Thrice Bitten, Not Shy

Author: Omid Farhang Published: January 6, 2010 Reading Time: 2 min

The one subset of malware which does not immediately seem motivated by financial incentives is the autorun worm. In fact the raison d’être for this class of malware seems lodged in the annals of yesteryear; summarised in three words it could be “naive script-kiddy kudos”. Unlike the propagators of other classes of malware, i.e. professional criminals, the writers of autorun worms are amateurish upstarts. Ample evidence for this assertion may be found in a recent sample of Sohana, a family of autorun worms, which was cloaked in three layers of known virus infections: the ancient W32/Flcss over W32/Scribble-B over W32/Impair-A. ...
