Do They Know it’s (not) Christmas Time at All?

I saw something quite funny when checking out the spam feeds the other day. An attachment kept appearing, once in a while, with a name of Christmas Card.zip. It was making sporadic appearances in the feeds (and the number of spam email messages was quite low), but there were a couple of these odd messages at equally odd hours of the day: ...

February 21, 2010 Â· 1 min Â· 207 words Â· Omid Farhang

The Facebook Team informs you


In the last two days our lab has detected a flood of email messages that seem to have been sent by the Facebook team urging users to submit a new account agreement. We’ve seen around 16,000 since yesterday. The subject of the message is UPDATED ACCOUNT AGREEMENT and the attached file is called AGREEMENT.ZIP. The message is like the following: ...

February 16, 2010 Â· 2 min Â· 250 words Â· Omid Farhang

Unusual Valentine’s Gift Unwraps FakeAV

While everyone is searching the web for the unusual gift on Valentine’s Day, Cybercriminals take this opportunity to propagate Rouge Antivirus. I have searched for the keywords “unusual-valentines-day-gifts”, gives the following results: Clicking the highlighted link above will lead to fake message such as “Alert! Your system is exposed to risk of virus attack. It’s highly recommended to check your PC immediately. Press OK to start the scan right now”. ...

February 14, 2010 Â· 1 min Â· 117 words Â· Omid Farhang

Tidserv and MS10-015

In the past, viruses and computer threats were created simply for the sake of it. Sometimes these threats would wipe your hard drive clean—just to let you know you’d been owned. This is not the case anymore; nowadays most of the threats we see are profit-oriented and try to keep a very low profile so that they aren’t easily detectable by security software. Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. While the rootkit is active there is no easy way to detect the infection, and because it goes so deep into the kernel, most users cannot see anything wrong in the system. ...

February 13, 2010 Â· 3 min Â· 536 words Â· Omid Farhang

Escort service infected with Troj/JSRedir-AR

Clients of escorts and call girls are usually aware of the the risks presented from STIs. However, SophosLabs has been monitoring a different type of infection risk for clients of escorts in Indian cities. The Troj/JSRedir-AR infection has morphed slightly: If you look at the variable ‘o[e]‘ (two-thirds of the way down) you will see the beginnings of an obfuscated string ‘http://’. Previous versions of Troj/JSRedir-AK and Troj/JSRedir-AR have used non-alphanumeric characters to disguise the strings. ...

February 12, 2010 Â· 1 min Â· 76 words Â· Omid Farhang

New Rogue: SecurePcAv

SecurePcAv is a phony antivirus program that has been infecting PC’s across the interwebs in recent days. If your PC is infected with SecurePcAv you will most likely experience the following: Fake system scans that report numerous infections and refuses to remove the supposed infections until you buy the phony software. Alerts and warnings stating the PC is under attack or unprotected and recommends you buy the phony software. Other software will not work, when attempting to open programs a warning stating the program is infected appears and the software is closed. Web browser hijacking, redirecting the user to malicious websites or showing false security warnings on sites like Google.com.

February 12, 2010 Â· 1 min Â· 110 words Â· Omid Farhang

Zeus – Exploiting Spear Phishing to Spear Phish

The Zeus crimeware family has moved into new territory with its latest spam campaign – purporting to be a warning about targeted phishing attacks on “.gov” and “.mil” domains, by Zeus Trojans no less! In fact, one of the latest spam samples we’ve seen, duplicates the title and first three paragraphs of a blog entry by well-known security expert Brian Krebs, which discusses a previous iteration of this Zeus attack. As seen below, the spam sample starts off with the same three lines of the blog post, before starting into the phony KB content and links that lead to Zeus malware. ...

February 12, 2010 Â· 1 min Â· 129 words Â· Omid Farhang

New Rogue: Paladin Antivirus

Paladin Antivirus is a phony security program, designed to rip people off. Paladin Antivirus tricks people into thinking they are downloading a legit antivirus software, then continually displays false security alerts and warnings followed up with a requests for users to buy or register the software. Once a computer becomes infected with Paladin Antivirus it will instantly begin a system scan and will report multiple infections. Paladin Antivirus will refuse to remove any of these supposed infections until the user buys or “registers” the software. Do not fall for this scam. ...

February 12, 2010 Â· 1 min Â· 180 words Â· Omid Farhang

The Buzz is getting LOUDER

It has been barely two days since Google announced their new social integration and messaging tool called Google Buzz. Today we saw the first example of malware, W32/Zuggie-A, pretending to be Google Buzz. Analysis of W32/Zuggie-A gives the impression of a hastily assembled worm, really a modification of the W32/SillyFDC family of worms but with a twist. When W32/Zuggie-A is installed, it creates the following files: Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf System\googlebuzz.exe – copy of W32/Zuggie-A System\GoogleUpte.exe – copy of W32/Zuggie-A W32/Zuggie-A modifies the registry to autostart GoogleUpte.exe and googlebuzz.exe. A quick search shows that the CLSID: 9CE11043-9A15-4207-A565-0C94C42D590D has previously been seen in multiple worms. This supports my theory that this is a hastily assembled worm built from recycled malware. I fired up a copy of Firefox on the infected machine and, as determined from analysis, found an installed Firefox extension called Firefox security 2.0 – Internal security options editor under the extensions tab of Firefox Add-ons. This “security extension” has added a JavaScript (timer.xul), which is triggered when the browser queries: yahoo.com, bing.com, google.com, aol.com/aol/search, ask.com and executes JavaScript hosted on: searchrequest1 . com / request . php ? aid = blackout which will silently click all Google or Yahoo Ads. displayed on the search results page (hey why not make a few bucks while infecting eh?). Google Buzz is new and is garnering quite a bit of interest and adoption among Internet users including myself. Clearly the malware authors view Google Buzz as the fresh big lucrative social fruit to exploit much like they have done with Facebook, MySpace, Hi5 and others. So in the coming weeks and months I predict we will see a host of new malware exploiting or attempting to exploit Google Buzz as the malware authors figure out its internals. This may have only been an exploratory attempt or a quick response to the latest craze – only time will tell. ...

February 12, 2010 Â· 2 min Â· 321 words Â· Omid Farhang

Between a PoC and a Hard Place

Several reports have been published detailing a Blackberry proof of concept (PoC) exploit called txsBBSpy that was recently presented at a security conference. Although it may not have been the aim of the original presenter, some reports have framed the PoC as being able to exploit so-called vulnerabilities that the writers believe to be present in the Blackberry platform. The “vulnerabilities” involve secretly forwarding incoming emails, locating devices by way of their GPS capabilities, eavesdropping on conversations by surreptitiously turning on microphones, and other such nefarious behavior. ...

February 12, 2010 Â· 3 min Â· 491 words Â· Omid Farhang