TechBlog

Join me as I explore the fascinating world of technology. This TechBlog is where I share my knowledge and insights on topics like Linux, frontend and backend development, and more. Whether you’re a beginner or an experienced tech enthusiast, there’s something here for you.

Merry Christmas, Idiot

Published: December 17, 2009 Reading Time: 1 min

It’s not a huge surprise that we are seeing some malware spam runs where the malicious attachment attempts to portray itself as a Christmas Greeting of some sort. Here’s an example from today (md5: C670165AE6DFA8318F0EA795B1D3AD55). This one is actually a Zapchast (IRC bot variant). The “Christmas Card” requires its own “special version” of Flash to be installed — flashplayer2009.exe — which is the malware itself. Once ready, it will display this friendly message written in Universal Gibberish. ...

Like clockwork: the next member of the WiniGuard rogue family appears

Published: December 16, 2009 Reading Time: 1 min

I blogged about the three generations of the WiniGuard family of rogue security products that began in October of 2008. Friday, the 50th rogue in that line appeared. Analyst Patrick Jordan noted that there appeared to be a newly named clone added to the “genealogy” about every 48 hours. He’s been right. Monday they found GuardPCS and today they found TheDefender. Its associated web site was registered Dec. 4. Fraudulent operators behind the rogues seem to be doing two things to confuse Internet users and lure them into purchasing this worthless scareware: ...

10 million people will you computers are perfectly safe

Published: December 15, 2009 Reading Time: 1 min

New rogue borrows massively from AV company sites

Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25. It seems they also have recruited the entire management team from AVG anti-virus company as well. Right! Compare the names on the Smart Systems Technologies rogue page. http://sysadscanner.com/about.php ...

Dangerous web searches

Published: December 15, 2009 Reading Time: 1 min

Don’t go there. There are a lot of rogue downloaders hiding in those links. Yahoo CEO Carol Bartz, speaking at the UBS Media and Communications Conference in New York, said the Tiger Woods sex scandal was a better traffic generator than the death of Michael Jackson, according to the ZDNet blog.

The biggest rogue family

Published: December 15, 2009 Reading Time: 2 min

The third generation of WiniGuard gets a new clone every 48 hours

A new rogue security product called IGuardPC is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever. The WiniGuard family began in September of 2008. Operators behind it have added variants that have been sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections. ...

Never judge a book by its cover nor a Web site by its pages

Published: December 15, 2009 Reading Time: 1 min

Case in point: findproper[dot]org

These are the types of sites that are used to download from third party affiliate sites. If the setup.exe had run, it would have installed the AntiMalware rogue.

Naked elves distract nerds

Published: December 15, 2009 Reading Time: 1 min

What’s the best way to distract an online gamer while you drop some undesirable files onto their system? We saw what’s probably a pretty effective method today in Troj/Lneage-A. This particular Trojan leaves the user viewing a slideshow of topless elves while it drops a file designed to steal their gaming info. Given that the vast majority of MMORPG’ers are male, and bless them they’re often a little bit lonely, dazzling them with a variety of images of well-endowed, half-naked elves (I think they’ve had some work done to be honest) should be enough to keep them entertained while the malware authors do whatever they fancy in the background. ...

Security hole in Adobe Reader and Acrobat

Published: December 15, 2009 Reading Time: 1 min

Adobe is currently investigating a new security hole in Reader and Acrobat. Cybercriminals are currently spamming emails with prepared documents which lead to an infection of the computer with malware. The PDF document abuses a buffer overflow in a new place within the Adobe programs. There is a JavaScript object included in the PDF which checks the Reader Version – the exploit works with Adobe Reader starting at version 8. The code it injects downloads malware which it stores in the file “winver32.exe” in the Windows directory. This file drops 3 further files which Avira detects as BDS/Ientlcp.A, TR/Agent.faa and TR/Agent.HO. ...

“OH” “OH” “OH”, Santa Delivering FakeAV Presents

Published: December 14, 2009 Reading Time: 1 min

Following on from the latest Captcha techniques used by the W32/Koobface worm, it seems that the malware authors have turned to Santa for help to deliver its nasty surprise which awaits Facebook users. The infection drops other trojans such as FakeAlert and leaves the user renderless. It all begins with a post on a user’s Facebook Wall. If the user clicks on the link, they are presented with a fake video player with a Christmas greeting as shown below ...

Tiger still hot stuff

Published: December 14, 2009 Reading Time: 1 min

Despite talk of Tiger Woods’ sponsors “limiting his role” in their advertising campaigns, he is still very much hot stuff when it comes to search engine queries, which means he’s still a viable target for the malware writers. We can see that Tiger Woods-related searches are still being poisoned with malicious results using Search Engine Optimisation techniques: This leads to the familiar: Which when downloaded installs fake AV branded as “Security Tool”. ...
