
New worm targeting weak passwords on Remote Desktop connections (port 3389)

  • Post author: Omid Farhang
  • Post published: August 29, 2011
  • Reading Time: 2 min
  • Word Count: 327 words

Microsoft Malware Protection Center: We’ve had reports of a new worm in the wild that generates increased RDP traffic for our users on port 3389. Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of it at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A. Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process. ...
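The behaviour Microsoft describes (many failed RDP logons against administrator accounts from one source, then a success once a weak password is hit) is what a defender would look for in the Windows Security log. The following is an added detection example, not code from the MMPC post or from Microsoft: it reads a constructed, simplified rendering of Event ID 4625 (failed logon) and 4624 (successful logon) records with LogonType 10 (RemoteInteractive, i.e. RDP), counts failures per source address in a sliding window, and flags a burst of guesses as well as a success that follows such a burst. The line format, the five-failure threshold and the five-minute window are assumptions for the example; real event exports carry more fields and a different layout.

```python
"""Flag RDP password-guessing activity in Windows Security log lines.

Added example (not part of the original post). The log format below is a
constructed simplification of Event IDs 4625/4624; adapt LINE_RE to the
export format you actually have (EVTX-to-CSV, Sysmon, SIEM, ...).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_TYPE_RDP = "10"            # RemoteInteractive = RDP session logon
FAIL_THRESHOLD = 5               # failures per source in WINDOW (assumed tuning)
WINDOW = timedelta(minutes=5)    # sliding window (assumed tuning)

# Constructed line layout: "<date> <time> EventID=.. LogonType=.. Account=.. Source=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

# Constructed sample log lines (not real telemetry). 203.0.113.7 guesses five
# times and then gets in; 198.51.100.4 has two failures half an hour apart;
# 192.0.2.9 is a network (type 3) logon and is not RDP at all.
SAMPLE_LOG = """\
2011-08-29 10:00:01 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2011-08-29 10:00:02 EventID=4625 LogonType=10 Account=admin Source=203.0.113.7
2011-08-29 10:00:03 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2011-08-29 10:00:04 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2011-08-29 10:00:05 EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7
2011-08-29 10:00:06 EventID=4624 LogonType=10 Account=administrator Source=203.0.113.7
2011-08-29 10:01:00 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.4
2011-08-29 10:02:00 EventID=4625 LogonType=3 Account=svc Source=192.0.2.9
2011-08-29 10:30:00 EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.4
"""


def parse(log_text):
    """Yield (timestamp, event_id, logon_type, account, source) per parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats instead of aborting
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["eid"], m["lt"], m["acct"], m["src"]


def detect_rdp_guessing(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, in the order the triggering events occur."""
    recent = defaultdict(deque)   # source -> timestamps of RDP failures in window
    accounts = defaultdict(set)   # source -> account names tried
    alerted = set()               # sources already reported for a burst
    alerts = []
    for ts, eid, lt, acct, src in parse(log_text):
        if lt != LOGON_TYPE_RDP:
            continue              # only RDP logons matter for this detector
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if eid == "4625":
            q.append(ts)
            accounts[src].add(acct)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"source": src, "kind": "rdp_bruteforce",
                               "failures": len(q),
                               "accounts": sorted(accounts[src])})
        elif eid == "4624" and len(q) >= threshold:
            # A success right after a burst of guesses is the case to act on:
            # the password was weak enough to be found.
            alerts.append({"source": src, "kind": "rdp_success_after_bruteforce",
                           "account": acct})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a burst of 4625s alone is background noise on any host exposed on 3389, but a 4624 from the same source within the window means the guessing worked and the host should be treated as compromised, which matches the post's advice that cleanup (and a reboot) is required rather than just blocking the source.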

Fake Firefox update includes password-stealing trojan

  • Post author: Omid Farhang
  • Post published: August 9, 2011
  • Reading Time: 1 min
  • Word Count: 137 words

H-Online: Security specialist Sophos reports that it has discovered new spam email messages that claim to be an advisory related to an update to the open source Firefox web browser. The fake advisory asks users to update their Firefox installations, “for security reasons”, and includes a download link to the supposed update. According to Graham Cluley of Sophos, the download leads to an executable file that bundles an installer for the Windows version of Firefox 5.0.1 and a password-stealing trojan (Troj/PWS-BSF). As noted by Cluley, users should always exercise caution when clicking on links in emails. ...

Using data to protect people from malware

  • Post author: Omid Farhang
  • Post published: July 20, 2011
  • Reading Time: 2 min
  • Word Count: 285 words

This is an article posted on the Google Online Security Blog; it is about unusual traffic being sent from infected computers during search or web surfing. If you think this story applies to you too, try to clean your computers of malware by following my manual here on my website: Malware Removal (Cross-posted from the Official Google Blog) The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks. ...

Facebook password changed? Malware attack poses as message from Facebook support

  • Post author: Omid Farhang
  • Post published: April 14, 2011
  • Reading Time: 2 min
  • Word Count: 309 words

Sophos Labs: Repeat after me: It’s “Facebook”, not “FaceBook”. Learn that lesson and it can be one of the tricks you can use to protect yourself against a spammed-out malware campaign, which tries to trick you into believing that Facebook support has changed your password. Computer users are receiving emails claiming that the popular social network has automatically changed their password to secure their account. Here’s a typical message: ...

My naked pic is attached – malware spammed out

  • Post author: Omid Farhang
  • Post published: April 13, 2011
  • Reading Time: 2 min
  • Word Count: 217 words

SophosLabs: Are you in the habit of having complete strangers email you naked pictures of themselves? That’s the only reason I can think of that you can legitimately explain why your computer has been infected by the latest malware attack that has been spammed out around the world. Users are seeing messages in their inbox, which attempt to trick recipients into opening the attached file with the promise of a nude photo. ...

BBC News/Dad walks in on daughter Facebook scams

  • Post author: Omid Farhang
  • Post published: April 12, 2011
  • Reading Time: 2 min
  • Word Count: 257 words

SophosLabs: Criminals and scammers on Facebook aren’t resting on their laurels; in fact, they are branching out and using multiple techniques all rolled into one scam. Tonight’s blockbuster spam is taking on several guises. One version is a likejacking attack that spams your wall with the message “Dad walks in on daughter EMBARRASING!!!” and “This really has to be an awkward moment.” They seem to be quickly rotating through a long list of Google (goo.gl) short URLs to evade detection. ...

Fake Certificate in Malware – with Message

  • Post author: Omid Farhang
  • Post published: April 11, 2011
  • Reading Time: 1 min
  • Word Count: 131 words

Avira TechBlog: The malware authors every now and then send us virus researchers some messages. For example in the compiled binary itself, or as debug output. Now we found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and therewith looking more legitimate. And this certificate is registered to “DetectMe! 🙂 ”, also adding random data behind the certificate. We see hints like these regularly – malware authors proposing names for their malicious creations or suggesting a place where a signature based detection would be suitable. Of course, such hints are ignored by us for detection but make us smile for a short time. ...

ZeroAccess, an advanced kernel mode rootkit

  • Post author: Omid Farhang
  • Post published: April 11, 2011
  • Reading Time: 2 min
  • Word Count: 322 words

Prevx Blog: In the last couple of years there have been three major players who dominated the scene in the field of kernel mode rootkit development. They are the Rustock rootkit – with its latest build discovered in the wild in 2008 – the MBR rootkit – first discovered in January 2007 – and the TDL rootkit, which can be considered the most advanced kernel mode rootkit to date, able to infect both x86 and x64 versions of the Windows operating system. ...

Analysis of TR/Spy.SpyEye

  • Post author: Omid Farhang
  • Post published: March 30, 2011
  • Reading Time: 1 min
  • Word Count: 120 words

Avira TechBlog: SpyEye is a malware family which we have been monitoring for some time. Today we are analyzing a sample which is detected as TR/Spy.SpyEye.flh by Avira products. The Trojan is able to inject code into running processes and can perform the following functions:

  • Capture network traffic
  • Send and receive network packets in order to bypass application firewalls
  • Hide and prevent access to the startup registry entry
  • Hide and prevent access to the binary code
  • Hide its own process in injected processes
  • Steal information from Internet Explorer and Mozilla Firefox

A detailed analysis of this malware by Liviu Serban, Virus Researcher at Avira. ...

Spammers Exploit Japan’s Catastrophic State

  • Post author: Omid Farhang
  • Post published: March 14, 2011
  • Reading Time: 2 min
  • Word Count: 394 words

Symantec: Only a few days ago, Japan experienced one of the worst earthquakes in its history. The earthquake registered 8.9 on the Richter scale and triggered an enormous tsunami. The heart-wrenching images on television have left the world shaken. It was the worst earthquake and tsunami in the past century and at least 50 countries have since received related tsunami warnings. As the death and injury tolls continue to rise, one must not forget those who awake to exploit such delicate situations—spammers continue to maintain the guise of charitable institutions and governmental organizations! Don’t be surprised to suddenly see an email message in your inbox marked as URGENT and pleading with you for “monitory help” [sic] or a phishing mail urging you to donate to the rehabilitation of those affected by the quake and tsunami. Use prudence in finding out the genuine intent of email senders before you reach out or respond. ...