
Not-so funny jokes

  • Post author: Omid Farhang
  • Post published: December 29, 2009
  • Reading Time: 2 min
  • Word Count: 316 words

Activity associated with Koobface has increased during the month of December. Often the aim is to send traffic to compromised servers in order to obtain more servers. Other times the activity centers around using those same compromised servers to proxy users to malicious domains that are then used for further distribution of malware or for command and control of the infected machines. I noticed a trend with some of the domain-based locations making use of the holiday theme. This has included everything from “presents for your pets” to “festive holiday trees” – these are domains that appear legitimate but are not. In fact, many of the domains being used were legitimate at one point and now serve a different, more questionable purpose. ...


Christmas Bo(g)us

  • Post author: Omid Farhang
  • Post published: December 21, 2009
  • Reading Time: 1 min
  • Word Count: 140 words

Well, it didn’t take long for the Christmas E-Card scams to start. Recently we have seen email messages pretending to be from Hallmark, suggesting that you have received an E-card from a friend. The complete email message looks like this:

You have recieved a Hallmark E-Card from your friend. To see it, check the link below: http://www.hallmark.com/webapp/wcs/stores/Occasion/ChristmasE-Cards

There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

Hope to see you soon, Your friends at Hallmark ...


There's No Such Thing as a Free Movie

  • Post author: Omid Farhang
  • Post published: December 19, 2009
  • Reading Time: 2 min
  • Word Count: 269 words

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar “play video/need codec” screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates. ...


Data Doctor 2010 will make you sick

  • Post author: Omid Farhang
  • Post published: December 19, 2009
  • Reading Time: 1 min
  • Word Count: 166 words

Data Doctor 2010 is an encryption trojan that comes via our old “friends” iframedollars. It encrypts the files on your hard drive very rapidly if you’re unfortunate enough to be victimized by it. It arrives through drive-by downloads from malicious web sites. It’s also packaged with other malware. The victim receives a message that the system is shutting down due to “Unrecognized disk driver command.” The system is then rebooted into safe mode and a message is displayed: “Windows has recovered from a serious error. Some files can be corrupted. Disk checking is strongly recommended.” ...


Who’s the quickest? Only one way to find out


  • Post author: Omid Farhang
  • Post published: December 17, 2009
  • Reading Time: 1 min
  • Word Count: 175 words

Earlier this morning I happened to notice a redirect page used in a meds spam campaign that just happened to also be compromised with a malicious script. You can see the META tag redirect that will instruct the browser to immediately load the page on the target site, and, immediately below it, the obfuscated JavaScript injected into the page. Deobfuscating this script, we can see its payload is also redirection, this time to a malware site. ...



Dangerous web searches

  • Post author: Omid Farhang
  • Post published: December 15, 2009
  • Reading Time: 1 min
  • Word Count: 51 words

Don’t go there. There are a lot of rogue downloaders hiding in those links. Yahoo CEO Carol Bartz, speaking at the UBS Media and Communications Conference in New York, said the Tiger Woods sex scandal was a better traffic generator than the death of Michael Jackson, according to the ZDNet blog.


The biggest rogue family

  • Post author: Omid Farhang
  • Post published: December 15, 2009
  • Reading Time: 2 min
  • Word Count: 285 words

The third generation of WiniGuard gets a new clone every 48 hours.

A new rogue security product called IGuardPC is the 50th clone of the WiniGuard family of rogue security products. That makes WiniGuard the largest rogue family ever. The WiniGuard family began in September of 2008. The operators behind it have added variants that have been sorted into three generations. The latest generation gets a new clone about every 48 hours to stay ahead of public awareness and anti-malware detections. ...


Never judge a book by its cover nor a Web site by its pages

  • Post author: Omid Farhang
  • Post published: December 15, 2009
  • Reading Time: 1 min
  • Word Count: 37 words

Case in point: findproper[dot]org. These are the types of sites that are used to download from third-party affiliate sites. If the setup.exe had run, it would have installed the AntiMalware rogue.


Naked elves distract nerds

  • Post author: Omid Farhang
  • Post published: December 15, 2009
  • Reading Time: 1 min
  • Word Count: 186 words

What’s the best way to distract an online gamer while you drop some undesirable files onto their system? We saw what’s probably a pretty effective method today in Troj/Lneage-A. This particular Trojan leaves the user viewing a slideshow of topless elves while it drops a file designed to steal their gaming info. Given that the vast majority of MMORPG’ers are male, and, bless them, they’re often a little bit lonely, dazzling them with a variety of images of well-endowed, half-naked elves (I think they’ve had some work done, to be honest) should be enough to keep them entertained while the malware authors do whatever they fancy in the background. ...


“OH” “OH” “OH”, Santa Delivering FakeAV Presents

  • Post author: Omid Farhang
  • Post published: December 14, 2009
  • Reading Time: 1 min
  • Word Count: 208 words

Following on from the latest Captcha techniques used by the W32/Koobface worm, it seems that the malware authors have turned to Santa for help to deliver its nasty surprise, which awaits Facebook users. The infection drops other trojans such as FakeAlert and leaves the user renderless. It all begins with a post on a user’s Facebook Wall. If the user clicks on the link, they are presented with a fake video player with a Christmas greeting as shown below ...
