
Twitter spam and viagra galore

  • Post author: Omid Farhang
  • Post published: April 11, 2011
  • Reading Time: 1 min
  • Word Count: 135 words

Spam mails claiming to be from Twitter that send you to pharmacy sites are a popular wheeze for spammers, and here we go again. It seems I have “two PR messages from Twitter”. If that wasn’t enough to get me clicking (it isn’t), I can also join in on sports conversations, argue with bloggers and tell the World when I stumble into some form of natural disaster. Hammering one of the many links will actually take me to 219(dot)84(dot)119(dot)56/afternoon(dot)html, which will send me to pharmacydrugstorehealthprofessionals(dot)net. ...

Continue Reading Twitter spam and viagra galore

Fake Certificate in Malware – with Message

  • Post author: Omid Farhang
  • Post published: April 11, 2011
  • Reading Time: 1 min
  • Word Count: 131 words

Avira TechBlog: The malware authors every now and then send us virus researchers some messages. For example in the compiled binary itself, or as debug output. Now we found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and therewith looking more legitimate. And this certificate is registered to “DetectMe! 🙂 ”, also adding random data behind the certificate. We see hints like these regularly – malware authors proposing names for their malicious creations or suggesting a place where a signature based detection would be suitable. Of course, such hints are ignored by us for detection but make us smile for a short time. ...

Continue Reading Fake Certificate in Malware – with Message

ZeroAccess, an advanced kernel mode rootkit

  • Post author: Omid Farhang
  • Post published: April 11, 2011
  • Reading Time: 2 min
  • Word Count: 322 words

Prevx Blog: In the last couple of years there have been three major players who dominated the scene in the field of kernel mode rootkit development. They are the Rustock rootkit – with its latest build discovered in the wild in 2008 – the MBR rootkit – first discovered in January 2007 – and the TDL rootkit, which can be considered the most advanced kernel mode rootkit to date, able to infect both x86 and x64 versions of the Windows operating system. ...

Continue Reading ZeroAccess, an advanced kernel mode rootkit

My Facebook wall has been viewed X times – viral survey scam spreads rapidly

  • Post author: Omid Farhang
  • Post published: April 4, 2011
  • Reading Time: 3 min
  • Word Count: 570 words

SophosLabs wrote: Do you want to know the total number of times that your Facebook wall has been viewed? Are you curious as to who may be stalking you on Facebook? If so, you’re a prime candidate for scammers who are exploiting that desire to put money into their own pockets. Here are the latest messages spreading virally between thousands of Facebook users who have fallen for the scam: ...

Continue Reading My Facebook wall has been viewed X times – viral survey scam spreads rapidly

Comodo Group Issues Bogus SSL Certificates

  • Post author: Omid Farhang
  • Post published: April 2, 2011
  • Reading Time: 2 min
  • Word Count: 285 words

from Schneier on Security by Schneier: This isn’t good: The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com. The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes. ...

Continue Reading Comodo Group Issues Bogus SSL Certificates

Massive SQL injection attack making the rounds—694K URLs so far

  • Post author: Omid Farhang
  • Post published: April 1, 2011
  • Reading Time: 3 min
  • Word Count: 517 words

Thanks to my friend, Pondus! Ars Technica: Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000 (it’s millions of sites by the time you read this)—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file. ...

Continue Reading Massive SQL injection attack making the rounds—694K URLs so far
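The attack excerpted above did not break into web servers; it rewrote text already stored in databases so that every page rendered from that text pulls in a remote JavaScript file. A site owner who suspects they are affected needs to find every table, column and row carrying such a reference before cleaning up. The scanner below is an added example, not code from Ars Technica or from this blog: it walks every user table and every text-typed column of a SQLite database, extracts `<script src=...>` references, and reports those pointing at hosts outside an allow-list. The table layout, the rows and the host `evil.example` are all constructed for the demo and are not indicators from the real attack.

```python
"""Find injected <script src=...> references in every text column of a SQLite DB.

Added example for the SQL injection item above; not the article's or the blog's code.
The schema, sample rows and the host 'evil.example' are constructed for the demo.
"""
import re
import sqlite3

# Matches a <script ... src=...> tag with double, single or no quoting, any case.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE
)


def _text_columns(conn, table):
    """Names of columns whose declared type is textual (TEXT, CHAR, VARCHAR, CLOB)."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        if any(t in (ctype or "").upper() for t in ("CHAR", "CLOB", "TEXT")):
            cols.append(name)
    return cols


def find_injected_scripts(conn, allowed_hosts=()):
    """Return (table, column, rowid, src) for every remote script reference.

    Relative (same-origin) src values and hosts in allowed_hosts are skipped,
    so a site's own bundled scripts do not show up as findings.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
    )]
    for table in tables:
        for col in _text_columns(conn, table):
            # Cheap pre-filter in SQL (LIKE is case-insensitive for ASCII), regex in Python.
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)
            )
            for rowid, value in rows:
                for src in SCRIPT_SRC_RE.findall(value or ""):
                    host = re.sub(r"^[a-z]+://", "", src, flags=re.I).split("/")[0].lower()
                    if src.startswith("/") or host in allowed_hosts:
                        continue  # same-origin path or allow-listed host
                    hits.append((table, col, rowid, src))
    return hits


def strip_script_tags(value):
    """Remove <script ...>...</script> (or a lone <script .../>) from one field value."""
    return re.sub(
        r"<script\b[^>]*>.*?</script\s*>|<script\b[^>]*/?>", "", value, flags=re.I | re.S
    )


def build_demo_db():
    """Constructed in-memory database: two clean rows, two carrying an injected reference."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(64), comment TEXT);
    """)
    conn.executemany("INSERT INTO posts (title, body, views) VALUES (?, ?, ?)", [
        ("Hello", "First post.", 10),
        ("Injected", 'Second post.</title><script src="http://evil.example/ur.php"></script>', 5),
    ])
    conn.executemany("INSERT INTO comments (author, comment) VALUES (?, ?)", [
        ("alice", "Nice article <script src='/static/app.js'></script>"),
        ("bob", "Thanks<script src=http://evil.example/ur.php></script>"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    for table, col, rowid, src in find_injected_scripts(db):
        print(f"{table}.{col} rowid={rowid}: {src}")
```

Run against a real copy of the database, not the live one, and treat the findings as a map of what to clean; stripping the tags only removes the payload, and the rows will be rewritten again unless the injectable query that let the attacker run an UPDATE is parameterized.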

Chrome Bookmarks Integrate with Google Search

  • Post author: Omid Farhang
  • Post published: April 1, 2011
  • Reading Time: 1 min
  • Word Count: 106 words

Google Operating System: Until recently, Google Bookmarks and Chrome Bookmarks were two separate features that didn’t speak the same language. Even if you could save your Chrome bookmarks to a Google account, they weren’t saved to Google Bookmarks. For some reason, your bookmarks are available in a special Google Docs folder. Chrome bookmarks have a web interface, but it’s likely that the obvious will happen: Chrome bookmarks could be saved to Google Bookmarks. Jérôme Flipo noticed that the Google Bookmarks OneBox already includes Chrome bookmarks. I’ve tried to find SmallNetBuilder.com and Google’s OneBox returned it even if it was starred in Chrome, not in Google Bookmarks. ...

Continue Reading Chrome Bookmarks Integrate with Google Search

Google +1

  • Post author: Omid Farhang
  • Post published: April 1, 2011
  • Reading Time: 2 min
  • Word Count: 336 words

Google Operating System: Google +1 is yet another attempt to make Google more social. It’s Google’s version of the Facebook “likes”, a simple feature that’s very powerful because it’s part of a social network. Google will show +1 buttons next to all search results and ads, while encouraging other sites to include the buttons. All +1’s are public and they’re tied to Google Profiles. The goal is to use this data to personalize search results and ads by recommending sites +1’d by your friends. Google Social Search already does this, but there’s no support for Facebook likes, so Google had to come up with a substitute. ...

Continue Reading Google +1

Google Talk Guru

  • Post author: Omid Farhang
  • Post published: March 30, 2011
  • Reading Time: 1 min
  • Word Count: 95 words

Google Talk Guru is a new Google bot that lets you ask simple questions. It’s “an experimental service that allows people to get information like sports results, weather forecasts, definitions etc via chat. It works on many popular chat applications that support Google Talk.” Send an invitation to guru@googlelabs.com in Gmail Chat, Google Talk or any other Jabber client and find simple facts like “weather in London”, “amplitude definition”, “translate souris”, “2^8”, “web stanford” (which returns the top Google result for [stanford]). ...

Continue Reading Google Talk Guru

Analysis of TR/Spy.SpyEye

  • Post author: Omid Farhang
  • Post published: March 30, 2011
  • Reading Time: 1 min
  • Word Count: 120 words

Avira TechBlog: SpyEye is a malware family which we have been monitoring for some time. Today we are analyzing a sample which is detected as TR/Spy.SpyEye.flh by Avira products. The Trojan is able to inject code in running processes and can perform the following functions:

  • Capture network traffic
  • Send and receive network packets in order to bypass application firewalls
  • Hide and prevent access to the startup registry entry
  • Hide and prevent access to the binary code
  • Hide its own process on injected processes
  • Steal information from Internet Explorer and Mozilla Firefox

A detailed analysis of this malware by Liviu Serban, Virus Researcher at Avira. ...

Continue Reading Analysis of TR/Spy.SpyEye