TechBlog

The one subset of malware which does not immediately seem motivated by financial incentives is the autorun worm. In fact the raison d’etre for this class of malware seems lodged in the annals of yesteryear; summarised in three words it could be “naive script-kiddy kudos”. Unlike the propagators of other classes of malware, ie professional criminals, the writers of autorun worms are amateurish upstarts. Ample evidence for this assertion may be found in a recent sample of Sohana, a family of autorun worms, which was cloaked in three layers of known virus infections: the ancient W32/Flcss over W32/Scribble-B over W32/Impair-A. ...

This is an interesting sample, caught by our honeypots. The file comes as a zip archive from qtpom{removed}.tripod.com/codec.zip, which once extracted looks like this: It is almost undetected. Virus Total report here. Truth be told, no blatant sign of malware activity is noticed at first until this: What the heck? This is not my Google home page. And what are those tabs up there: “Pharmacy”, “Casino”? The malware modifies the Windows hosts file to redirect popular sites to glike.net (IP: 92.241.164.9, Russian Federation). ...

Antivirus PC 2009 is the latest rogue security software to hit the internet. Antivirus PC 2009 is a complete scam designed to harass PC users into buying the corrupt software. Antivirus PC 2009 will try to trick people into thinking that their PC is infected with malware and recommends purchase or registering the software to remove the malware. Antivirus PC 2009 will show false scan results that report numerous infections. Antivirus PC 2009 will also display annoying popups and system alerts that stat the PC is infected, under attack or not protected with antivirus software and recommends buying Antivirus PC 2009. Antivirus PC 2009 will also prevent other programs from opening, even the web browser making it impossible to use the internet, rendering the PC nearly useless. ...

Cybercriminals love to use social engineering techniques to trick users into installing their malware. One of the latest fake-alert variants attempts to trick users into believing the software is related to or hosted by McAfee:mcafeevirusremover.com. The script hosted by the domain can attack the Windows browsers Internet Explorer, Mozilla Seamonkey, and Chrome. The script also affects browsers on Linux platforms. This fake-alert variant is hosted on at least 13 other known domains. McAfee’s Trusted Source blocks the IP addresses and the domains (including DNS and mail servers) associated with this Trojan. For example: ...

With a dazzling laser show, the 26th Chaos Communication Congress (26c3) in Berlin, the last big security conference of 2009, has ended. If you haven’t been here, you might have missed fewer of the sessions than people on site, thanks to the worldwide availablility of live streams (and recordings). What you did miss was meeting all these people, though! 26c3 has simply outgrown the location it has occupied for the last few years, but this may be offset by a very successful experiment: allowing full remote access to the conference network via VPN for those who couldn’t attend. Other conferences should consider this (hey, Defcon team, are you reading this? 😉 ) as well, especially as air travel becomes less and less attractive. ...

From a site that is hacked and serving phishes: What’s mildly interesting is the types of phishes — “speciality phishes” that are not your typical banking/finance scam. These are phishes that are highly targeted, in this case at email systems of tiny Hamiltom College (not the first time I’ve seen this), the religious site cfaith.com, Saginaw Valley State University, and Villanova. cfaith: SVSU and Villanova ...

It’s the time of year to make predictions. I only have one: in 2010, governments around the world will BEGIN to increase their efforts to do something about the massive malware threat that every Internet user on the planet faces. It’s going to be controversial and difficult legally and technically. It’s going to cost serious tax money, political capital and diplomatic work to counter this crime wave that is like nothing the world has ever known. ...

GreatDefender is a great big scam. GreatDefender is the latest rogue antispyware software, or phony security program that rips people off. If GreatDefender has infected your computer, do not buy the software, you should remove it immediately. GreatDefender uses scare tactics to frighten people into buying this corrupt software. These scare tactics include: System scans that report numerous infections, yet requires purchase of GreatDefender before it will remove the infections (These are fictitious scan results) Alerts and Pop-Up system warnings stating the PC is infected and recommend purchase of GreatDefender (These warnings are fake) Web browser redirecting to random websites (these websites are owned by cyber thieves and will further infect your PC) GreatDefender will prevent other programs from opening, stating they are infected (The programs are not infected) If your windows is infected with this malware you should remove it as soon as possible, Click Here to learn how to remove it.

Jerome Segura, a Security Analyst at ParetoLogic of Victoria, B.C., Canada, just posted a nice piece on computer security practices with a different perspective in his “Malware Diaries” Blog. He begins his list of security tips by considering four classes of users: the pre-baby boomers: These folks rarely touched a computer in their lives and if they did, kudos! Typical use: Work, Solitaire, Printing stuff. the early and late baby boomers: They have been interacting with computers pre-Internet and have good notions but lack the ‘modern day stuff’. Typical use: Work, e-mail, Online searches. the 70’s – 80’s users: These guys are definitely into computers, maybe a bit more gaming and such. They possess quite a good sense of computing. Typical use: Games, Work, E-mail, Online Dating, Forums 90’s to present: Some of them were born with a computer or handheld device. Their lives would not be possible without the MSN, Skype and more recently all the social engineering glitter. Typical use: Twittering, Facebooking, Online shopping. then makes further distinctions by level of security knowledge and awareness: ...

I recently had an interesting message arrive in my system; after viewing the message, 100% of those polled agreed on what it was. What do you think? What do YOU see? If you answered spam, you’re on your way to having the mentality of a spam analyst. This message has many hallmarks of classic unsolicited commercial email: the middle of the message says “Click Here” in big prominent text there’s an “opt-out” banner, announcing that this is an ad the ad contains a “unique ID” despite the (intentionally obscured) address, the message does not say who it is actually from the “call to action” link is http :/fefcbdacggbfg.[redacted].info/alphaville/4754-1b416/ — random sub-domain, published in the .info top level domain, with a directory name comprised of two random words, and a sub-directory that looks like yet another unique identifier. everything in this message except for the “unique ID” under the opt-out banner is actually an image. Those of you who are actually interested in psychology will also note that the inkblot is not actually part of either the Rorsach or the Holtzman Inkblot Test. It seems to me that this message is more designed to take advantage of those who are willing to try anything to get a job. In the long run, an accredited educational institution will likely be much more beneficial.