
Toy Story 3: Woody's Roundup of Scams and Fakeouts

  • Post author: Omid Farhang
  • Post published: August 13, 2010
  • Reading Time: 3 min
  • Word Count: 474 words

Toy Story 3 is romping across cinemas worldwide, and rightly so – it’s the best of the series by far. I thought it might be worth pointing out that being a product aimed at children doesn’t exclude it from internet shenanigans. If you have young children online who are partial to searching for Toy Story material, you might want to warn them about some of the scams below. One of the most popular tactics is advertising the “full movie” on YouTube, but directing the end-user to a bunch of surveys instead: ...


What’s in a (rogue) name? VirusTotal 2010

  • Post author: Omid Farhang
  • Post published: August 13, 2010
  • Reading Time: 1 min
  • Word Count: 135 words

There is a well-respected and very useful site that everyone in the anti-virus industry uses – sometimes several times a day: VirusTotal. You can upload suspicious files or their checksums to VirusTotal to see if a file is malicious. The makers of a new rogue have picked up on the VirusTotal name in an effort to make their malicious creation look like something legitimate: What it tries to download is detected as FraudTool.Win32.FakeRean (fs). Here’s what the real VirusTotal site looks like. It basically runs your code sample or checksum against 41 anti-virus engines and displays the resulting detections. ...


Facebook Malware Attack Behind Distracting Beach Babes Video

  • Post author: Omid Farhang
  • Post published: May 22, 2010
  • Reading Time: 1 min
  • Word Count: 106 words

A Facebook malware attack is on the loose this weekend, enticing users to click a “Distracting Beach Babes” video on their Facebook Walls. The Wall message reads: “this is hilarious! lol 😛 😛 😛 Distracting Beach Babes [HQ] Length: 5:32”. If you see this video on Facebook today, do not click the link. Doing so, and downloading a linked file, will result in malware being installed on your computer. ...


Warning on Facebook worm "FBHOLE"

  • Post author: Omid Farhang
  • Post published: May 21, 2010
  • Reading Time: 1 min
  • Word Count: 132 words

There’s a new Facebook worm out there. However, it doesn’t seem to be doing anything other than posting a message to people’s Facebook walls. The message that the worm posts is “try not to laugh xD http://www.fbhole. com/omg/allow.php?s=a&r=[random number]” If you follow the link, you end up on a page looking like this: The page shows a fake error message. If you click anywhere on the page, you will trigger a script that will try to post the same message to your Facebook wall. This is done with an invisible iframe that follows your mouse around – causing you to click on an invisible “publish” button. Apart from the wall message post, nothing else happens. ...


Russian ISP hosting Zbot C&C servers is taken down

  • Post author: Omid Farhang
  • Post published: May 19, 2010
  • Reading Time: 1 min
  • Word Count: 117 words

Russian-based PROXIEZ-NET, which was known to allegedly host 13 Zbot command-and-control servers, has been shut down by its upstream provider DIGERNET, according to the site The New New Internet. (News story on Web Host Review here: “Alleged Russian Malware Host Cut Off By Upstream Provider”.) Legitimate web sites hosted by PROXIEZ-NET may have been caught in the takedown, the Review said. Brick House Security said the Zbot-related servers on PROXIEZ-NET were used to collect PayPal, eBay and online banking passwords stolen by key logging malware. ...


SEO poisoning: Rima Fakih photos

  • Post author: Omid Farhang
  • Post published: May 19, 2010
  • Reading Time: 1 min
  • Word Count: 124 words

You might avoid looking for photos of Miss USA Rima Fakih for a while. There is a controversy about a certain pole-dancing incident in her past that is stirring up the talk show circuits and the adolescent inside every male on the planet. It also has stirred up a massive number of SEO poisoned links to photos. In 2007, Fakih won a “Stripper 101” contest sponsored by a Detroit radio show “Mojo in the Morning.” And, of course, she was no sooner crowned Miss USA than somebody resurrected the “Stripper 101” video. And, of course, everybody is searching for “Rima Fakih pole dancing.” ...


What does PHP stand for? Probable Hacked Page?

  • Post author: Omid Farhang
  • Post published: May 11, 2010
  • Reading Time: 1 min
  • Word Count: 164 words

Late last week, the wires were buzzing over news that the official site of PHP-Nuke “Professional Content Management System” was serving malware. I am frankly amazed to see the site still infected 4 days later. We see hacked sites every day and the majority are running PHP-driven applications such as Content Management Systems (CMS). The PHP-Nuke site is currently running PHP v. 5.2.9. Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.9 ...


A HijackThis Toolbar from Facebook?

  • Post author: Omid Farhang
  • Post published: May 3, 2010
  • Reading Time: 1 min
  • Word Count: 195 words

Spam emails such as the one below have been doing the rounds on the Internet hoping to lure recipients into downloading a Facebook toolbar. If you download the file by clicking on “Download Here”, you’ll see a file with the icon shown below: If you take a closer look at the icon, “darkSector” is shown inside of it. How strange. Is this actually a Facebook toolbar? Let’s take a look at the properties of the file, since the file looks a bit fishy. In the file properties, you’ll see the following in the Details tab. ...


Don’t play with Natural Disasters!!

  • Post author: Omid Farhang
  • Post published: May 3, 2010
  • Reading Time: 2 min
  • Word Count: 354 words

We want to warn you of an email message in Spanish we’ve received with the subject “( Urgente ) Posible Terremoto y Tsunami con un 89 % de efectividad”, which is of course false. The message consists of different images and informs users about an earthquake and tsunami alert in Chile. It also passes itself off as a warning from National Geographic, in order to make it more credible. ...


A Trojan Adding Malicious Routing Entries

  • Post author: Omid Farhang
  • Post published: April 17, 2010
  • Reading Time: 2 min
  • Word Count: 297 words

Backdoor.Rohimafo is a Trojan that has several back door functions. It not only opens a back door and performs the usual functions, but it can also perform some decidedly unusual ones. It attempts to block users from connecting to remote servers, not only specific servers but also specific network segments, by using PersistentRoutes in Windows. PersistentRoutes can be used to add a routing entry to a routing table persistently. The route.exe command can be used to add an entry like the following: ...
