New worm targeting weak passwords on Remote Desktop connections (port 3389)

Microsoft Malware Protection Center: We’ve had reports of a new worm in the wild that generates increased RDP traffic for our users on port 3389. Although the overall number of computers reporting detections is low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of it at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A. Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process. ...

August 29, 2011 · 2 min · 327 words · Omid Farhang

Fake Firefox update includes password-stealing trojan

H-Online: Security specialist Sophos reports that it has discovered new spam email messages that claim to be an advisory related to an update to the open source Firefox web browser. The fake advisory asks users to update their Firefox installations, “for security reasons”, and includes a download link to the supposed update. According to Graham Cluley of Sophos, the download leads to an executable file that bundles an installer for the Windows version of Firefox 5.0.1 and a password-stealing trojan (Troj/PWS-BSF). As noted by Cluley, users should always exercise caution when clicking on links in emails. ...

August 9, 2011 · 1 min · 137 words · Omid Farhang

Using data to protect people from malware

This is an article posted on the Google Online Security Blog. It’s about unusual traffic being sent from infected computers during search or web surfing. If you think this story applies to you too, try to clean your computers of malware by following my manual here on my website: Malware Removal. (Cross-posted from the Official Google Blog) The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks. ...

July 20, 2011 · 2 min · 285 words · Omid Farhang

Facebook password changed? Malware attack poses as message from Facebook support

Sophos Labs: Repeat after me: It’s “Facebook”, not “FaceBook”. Learn that lesson and it can be one of the tricks you can use to protect yourself against a spammed-out malware campaign, which tries to trick you into believing that Facebook support has changed your password. Computer users are receiving emails claiming that the popular social network has automatically changed their password to secure their account. Here’s a typical message: ...

April 14, 2011 · 2 min · 309 words · Omid Farhang

My naked pic is attached – malware spammed out

SophosLabs: Are you in the habit of having complete strangers email you naked pictures of themselves? That’s the only reason I can think of that could legitimately explain why your computer has been infected by the latest malware attack that has been spammed out around the world. Users are seeing messages in their inbox which attempt to trick recipients into opening the attached file with the promise of a nude photo. ...

April 13, 2011 · 2 min · 217 words · Omid Farhang

BBC News/Dad walks in on daughter Facebook scams

SophosLabs: Criminals and scammers on Facebook aren’t resting on their laurels… in fact, they are branching out and using multiple techniques all rolled into one scam. Tonight’s blockbuster spam is taking on several guises. One version is a likejacking attack that spams your wall with the message “Dad walks in on daughter… EMBARRASING!!!” and “This really has to be an awkward moment.” ...

April 12, 2011 · 2 min · 257 words · Omid Farhang

Fake Certificate in Malware – with Message

Avira TechBlog: Every now and then the malware authors send us virus researchers messages, for example in the compiled binary itself or as debug output. Now we have found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and thereby looking more legitimate. This certificate is registered to “DetectMe! 🙂 ”, and random data is appended after the certificate. ...

April 11, 2011 · 1 min · 131 words · Omid Farhang

ZeroAccess, an advanced kernel mode rootkit

Prevx Blog: In the last couple of years there have been three major players who dominated the scene in the field of kernel mode rootkit development. They are the Rustock rootkit – with its latest build discovered in the wild in 2008 – the MBR rootkit – first discovered in January 2007 – and the TDL rootkit, which can be considered the most advanced kernel mode rootkit to date, able to infect both x86 and x64 versions of the Windows operating system. ...

April 11, 2011 · 2 min · 322 words · Omid Farhang

Analysis of TR/Spy.SpyEye

Avira TechBlog: SpyEye is a malware family which we have been monitoring for some time. Today we are analyzing a sample which is detected as TR/Spy.SpyEye.flh by Avira products. The Trojan is able to inject code into running processes and can perform the following functions: capture network traffic; send and receive network packets in order to bypass application firewalls; hide and prevent access to the startup registry entry; hide and prevent access to the binary code; hide its own process in the injected processes; steal information from Internet Explorer and Mozilla Firefox. A detailed analysis of this malware by Liviu Serban, Virus Researcher at Avira, follows. ...

March 30, 2011 · 1 min · 120 words · Omid Farhang

Spammers Exploit Japan’s Catastrophic State

Symantec: Only a few days ago, Japan experienced one of the worst earthquakes in its history. The earthquake registered 8.9 on the Richter scale and triggered an enormous tsunami. The heart-wrenching images on television have left the world shaken. It was the worst earthquake and tsunami in the past century, and at least 50 countries have since received related tsunami warnings. As the death and injury tolls continue to rise, one must not forget those who awaken to exploit such delicate situations—spammers continue to maintain the guise of charitable institutions and governmental organizations! Don’t be surprised to suddenly see an email message in your inbox marked as URGENT and pleading with you for “monitory help” [sic], or a phishing mail urging you to donate to the rehabilitation of those affected by the quake and tsunami. Use prudence in finding out the genuine intent of email senders before you reach out or respond. ...

March 14, 2011 · 2 min · 394 words · Omid Farhang