Hijack on Omid Farhang

Windows Vista & Windows 7 Kernel Bug Can Bypass UAC

Tue, 30 Nov 2010 22:38:00 +0000

Now this is not the first time Windows UAC has hit the news for being flawed, back in February 2009 it was discovered that Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control and after that in November 2009 it was demonstrated that Windows 7 UAC (User Access Control) Ineffective Against Malware.

A zero-day for Windows 7 back in July of this year also bypassed Windows UAC.

Fake Trojan Removal Kit serves up ThinkPoint Rogue

Tue, 30 Nov 2010 17:24:00 +0000

You might want to steer clear of the following fake security program, being promoted as a “Windows Trojan Removal Kit” but actually hijacking your PC in the form of the ThinkPoint rogue with a mixed (24/43) detection rate.

The file is currently being offered up by your typical “fake security scan” pages, such as microsoftwindowssecurity152(dot)com. Those familiar with this particular rogue will be aware that it tends to stick with domains similar to the one above.

Firesheep author takes backhanded pot-shot at free speech

Sun, 07 Nov 2010 15:23:00 +0000

Sophos Labs: Two weeks ago, an automatic session-hijacking plugin was released for Firefox. It was named Firesheep, and it’s been downloaded over 600,000 times so far.

The decision to release Firesheep publicly is a controversial one. On the good side, it’s reminded people that some of their common web surfing habits are dangerously insecure.

Many websites use HTTPS (secure HTTP) for login, which protects your password. But they revert to insecure HTTP for the rest of the session. After you have logged in, security relies on the browser sending a session cookie – a secret authentication token – in every request.

No p*rn for you, naughty boy!

Sat, 06 Nov 2010 14:12:00 +0000

There are always peculiar things malware researchers discover while analyzing new samples.

VirusTotal 24/43

Let’s remember the filename as HD Porn TV for later

Our victim runs it thinking they will see the latest porno in HD quality. Instead they get a new browser ‘theme’ with a Turkish flavor:

Internet Explorer:

Firefox:

The bad guys hijack Winsock:

And filter traffic through:

PCWorld links to scareware

Thu, 21 Oct 2010 21:37:00 +0000

I was reading an article on PCWorld’s website about the upcoming Google Chrome OS:

So far so good. Except that I inadvertently clicked on one of their sponsored links:

which ironically states “Here is all about spyware removal and even more.”

After a few redirects, my browser is hijacked by one of those FakeAV scanners:

Here is the HTTP traffic capture screenshot and log:

Help keep your account safe with the Gmail security checklist

Sat, 16 Oct 2010 21:25:00 +0000

Posted by Diana Phan, Gmail Support Team

October is National Cyber Security Awareness month and a good time for a reminder about why hijackers do what they do and how you can protect your account. Check out the Online Security blog to learn about common hijacking techniques and security practices that will help you stay one step ahead of the bad guys. To help ensure your Gmail account is safe, take a minute to visit the Gmail help center and complete their new security checklist.

Facebook Introduces Disposable Passwords

Fri, 15 Oct 2010 16:18:00 +0000

Accessing Facebook from a public computer or Internet cafe can now be done more securely.

Moving to enhance online security, Facebook on Tuesday said that it will soon offer users the ability to receive one-time passwords on their mobile phones and that it has already enabled the ability to sign out of Facebook remotely.

“We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” said Facebook product manager Jake Brill in a blog post. “If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.”

DLL Hijacking Evolved

Fri, 27 Aug 2010 09:00:00 +0000

Back in November 2007, I’ve seen this technique used by one of the variant of Worm called W32/Drom. The technique was not to execute the malicious file or component of the worm but to prevent Antivirus Program from running. The Worm queries the following Antivirus registries to get the Installation Path, once acquired, it creates a folder named “ws2_32.dll” with Hidden and System attributes on that location.

As I test this technique, it prevented the program from running as it first loads the “ws2_32.dll” folder in the current directory.

Brand new 0-day Exploit. The world is going to end! Yet again…

Fri, 27 Aug 2010 08:54:00 +0000

Sigh… The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days.

In the old days we used to call these Companion viruses. It worked by using a different file extension that will be executed before the real executable. For example if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect.

A HijackThis Toolbar from Facebook?

Mon, 03 May 2010 19:37:00 +0000

Spam emails such as the one below have been doing the rounds on the Internet hoping to lure recipients into downloading a Facebook toolbar.

If you download the file by clicking on “Download Here”, you’ll see a file with the icon shown below:

If you take a closer look at the icon, “darkSector” is shown inside of it. How strange. Is this actually a Facebook toolbar? Let’s take a look at the property of the file since the file looks a bit fishy. In the file properties, you’ll see the following in the Details tab.

There is a Lot of Spam Out There…

Sat, 10 Apr 2010 10:58:00 +0000

…and some of it masquerades as “marketing” and “newsletter” emails.

In March 2010, spam continued to account for a high percentage of all email traffic, peaking at 93.6% of all messages. The majority of this spam email was sent using certain tactics that were deployed to hijack unsecured computers and hide the senders’ identity. Recently, however, there has been an uptick in spam “marketing” and “newsletter” emails. These spam marketing and newsletter emails share one significant commonality with “regular” spam emails, which is that they are unwanted email messages sent to individuals who have no formal relationship with the message sender.

Hacking the Matrix

Wed, 07 Apr 2010 22:33:00 +0000

I could talk about how The Matrix was a pretty big deal for me back in the day, or how The Matrix Online is (to date) the only MMORPG I ever liked enough to pay a monthly subscription for, or how I think people doing Kung Fu in bullet time is still the best thing ever.

Mostly, I’ll just show you this:

And this:

Is there a glitch in the Matrix? You bet. Unfortunately it seems the website of one of the actors from Reloaded / Revolutions (Harry Lennix, who played Commander Lock) has been hacked and is now, bizarrely, the scene of some Cyber Kung-Fu gone wrong as two warring factions go to, er, war.

Consoles for old games come with new malcode

Fri, 12 Mar 2010 14:44:00 +0000

Be on the lookout for websites offering up “free applications” which come with a nasty sting in the tail. Here’s a typical example: Appzkeygen(dot)com

If you like videogame consoles, you may be a fan of emulators (programs that ape long dead consoles, allowing you to play old games on your PC – we’ll avoid the murky legal minefield that comes with this practice and instead focus on the malware).

Below is a Playstation 2 emulator – no really, it is. Would they lie to you?

Cute (and malicious)

Mon, 08 Mar 2010 22:33:00 +0000

There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it.

We can’t say for definite, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel since it dumps you into #music IRC channels and makes sure you can accept various media files.

Our tale begins with an Email, claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com:

New Rogue: SecurePcAv

Fri, 12 Feb 2010 22:13:00 +0000

SecurePcAv is a phony antivirus program that has been infecting PC’s across the interwebs in recent days.

If your PC is infected with SecurePcAv you will most likely experience the following:

Fake system scans that report numerous infections and refuses to remove the supposed infections until you buy the phony software.
Alerts and warnings stating the PC is under attack or unprotected and recommends you buy the phony software.
Other software will not work, when attempting to open programs a warning stating the program is infected appears and the software is closed.
Web browser hijacking, redirecting the user to malicious websites or showing false security warnings on sites like Google.com.

SysProtector

Tue, 12 Jan 2010 22:32:00 +0000

SysProtector and ApcDefender are two new rogue antispyware programs released in the past 48 hours.

SysProtector and APCDefender are potentially very dangerous PC infections. These rogues use fake security alerts and warnings to trick people into thinking their PC is under attack, all the while they drop fake files on the system. These rogues will also prevent other programs from opening, hijack the web browsers and render the PC nearly useless. Below is a screenshot of a hijacked browser, showing fake threat warnings.

Glike NOT

Wed, 06 Jan 2010 13:50:00 +0000

This is an interesting sample, caught by our honeypots.

The file comes as a zip archive from qtpom{removed}.tripod.com/codec.zip, which once extracted looks like this:

It is almost undetected. Virus Total report here. Truth be told, no blatant sign of malware activity is noticed at first until this:

What the heck? This is not my Google home page. And what are those tabs up there: “Pharmacy”, “Casino”?

The malware modifies the Windows hosts file to redirect popular sites to glike.net (IP: 92.241.164.9, Russian Federation).

Crime time

Tue, 22 Dec 2009 13:00:00 +0000

Crime traditionally increases during the holiday season, and cybercrime is no different. The malware writers, spammers and scammers are out in force. They’ve recently hit “Odnoklassniki” with this message:

“Hi! I’ve got a New year surprise for you [emoticon] send 2133 279 (must be with a space) to 4460 and you’ll be pleasantly surprised! If you don’t take a look, I’ll be very grouchy with you [emoticon]”

This message is clearly designed to make the bad guys a bit of holiday cash: an SMS sent to the number given in the message costs between $5 and $12 dollars, depending on the mobile service provider.

Last minute shopping – keep safe!

Sun, 20 Dec 2009 00:12:00 +0000

The holidays are nearly here! If you’re still searching for the final perfect present, and are thinking of buying online, here’s a few practical tips to help keep your last-minute purchases secure:

Keep your Internet Security solution updated, not just to the day but to the hour! They release frequent updates to make sure you’re protected from the very newest malware. Scan your system before you start shopping.
Don’t shop from public WiFi networks which aren’t secured using WPA2. These networks can be easily hijacked by cybercriminals, and your sensitive financial data could be compromised.