10 million people will you computers are perfectly safe

Author: Omid Farhang Published: December 15, 2009 Reading Time: 1 min

New rogue borrows massively from AV company sites

Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25. It seems they also have recruited the entire management team from AVG anti-virus company as well. Right! Compare the names on the Smart Systems Technologies rogue page. http://sysadscanner.com/about.php ...


Dangerous web searches

Author: Omid Farhang Published: December 15, 2009 Reading Time: 1 min

Don’t go there. There are a lot of rogue downloaders hiding in those links. Yahoo CEO Carol Bartz, speaking at the UBS Media and Communications Conference in New York, said the Tiger Woods sex scandal was a better traffic generator than the death of Michael Jackson, according to the ZDNet blog.


The biggest rogue family

Author: Omid Farhang Published: December 15, 2009 Reading Time: 2 min

The third generation of WiniGuard gets a new clone every 48 hours

A new rogue security product called IGuardPC is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever. The WiniGuard family began in September of 2008. Operators behind it have added variants that have been sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections. ...


Never judge a book by its cover nor a Web site by its pages

Author: Omid Farhang Published: December 15, 2009 Reading Time: 1 min

Case in point: findproper[dot]org

These are the types of sites that are used to download from third-party affiliate sites. If the setup.exe had run, it would have installed the AntiMalware rogue.


Naked elves distract nerds

Author: Omid Farhang Published: December 15, 2009 Reading Time: 1 min

What’s the best way to distract an online gamer while you drop some undesirable files onto their system? We saw what’s probably a pretty effective method today in Troj/Lneage-A. This particular Trojan leaves the user viewing a slideshow of topless elves while it drops a file designed to steal their gaming info. Given that the vast majority of MMORPG’ers are male, and bless them they’re often a little bit lonely, dazzling them with a variety of images of well endowed half naked elves (I think they’ve had some work done to be honest) should be enough to keep them entertained while the malware authors do whatever they fancy in the background. ...


Security hole in Adobe Reader and Acrobat

Author: Omid Farhang Published: December 15, 2009 Reading Time: 1 min

Adobe is currently investigating a new security hole in Reader and Acrobat. Cybercriminals are currently spamming emails with crafted PDF documents that infect the computer with malware. The PDF document abuses a buffer overflow in a new place within the Adobe programs. A JavaScript object included in the PDF checks the Reader version; the exploit works with Adobe Reader starting at version 8. The code it injects downloads malware, which it stores in the file “winver32.exe” in the Windows directory. This file drops 3 further files, which Avira detects as BDS/Ientlcp.A, TR/Agent.faa and TR/Agent.HO. ...


“OH” “OH” “OH”, Santa Delivering FakeAV Presents

Author: Omid Farhang Published: December 14, 2009 Reading Time: 1 min

Following on from the latest Captcha techniques used by the W32/Koobface worm, it seems that the malware authors have turned to Santa for help to deliver its nasty surprise, which awaits Facebook users. The infection drops other trojans such as FakeAlert and leaves the user renderless. It all begins with a post on a user’s Facebook Wall. If the user clicks on the link, they are presented with a fake video player with a Christmas greeting as shown below ...


Tiger still hot stuff

Author: Omid Farhang Published: December 14, 2009 Reading Time: 1 min

Despite talk of Tiger Woods’ sponsors “limiting his role” in their advertising campaigns, he is still very much hot stuff when it comes to search engine queries, which means he’s still a viable target for the malware writers. We can see that Tiger Woods related searches are still being poisoned with malicious results using Search Engine Optimisation techniques: This leads to the familiar: Which when downloaded installs fake AV branded as “Security Tool”. ...


New wave of SQL Injection Attacks

Author: Omid Farhang Published: December 11, 2009 Reading Time: 1 min

Reports have reached us of a fresh SQL injection attack that has compromised many websites – a Google search of the malicious iframe nets over 100,000 hits. As is typical, the iframes lead to more HTML pages that load yet more iframes, which contain obfuscated JavaScript that attempts to exploit the unfortunate visitor. A successful exploit leads to a download of malware of the Buzus family. Please take care about the sites you visit, try to visit sites using sandboxed browsers, and keep your antivirus updated.


Rebranded rogue claims to be McAfee Secure certified

Author: Omid Farhang Published: December 11, 2009 Reading Time: 1 min

Internet Security 2010 is a rebranded clone of Advanced Virus Remover, a rogue security product. It’s one of your run-of-the-mill rogues, using run-of-the-mill scare tactics, except its payment screen contains a static graphic that imitates the McAfee Secure certification. A real “McAfee Secure” certification is a DAILY certification: it contains the date, and its logo should look like this: When you click on it, it should take you to the McAfee Secure rating verification page, https://www.mcafeesecure.com/RatingVerify, which gives the name of the certified web site and the “Status”. ...
