Security

W32/Fame

Published: January 12, 2010 Reading Time: 1 min

Unlike the first malware authors who wrote viruses seeking fame through destruction, their motivation has changed to financial gain. Nevertheless, there are still the ones out there who share the first authors’ intent. I was analysing a simple Trojan today and saw the following message: It is not uncommon for malware authors to leave messages in their code for researchers to read. This one did bring a smile to my face, so he was rewarded by it being named BackDoor-EKD which is an increment of one from BackDoor-EKC 😉

Open season on tax-payers

Published: January 12, 2010 Reading Time: 2 min

As any reader of this blog knows, cybercriminals can steal your money not just by putting malware on your machine, but by phishing attacks too. Phishing attacks don’t just target online banking and e-payment systems, but almost any site which asks the user to input sensitive data. Sites run by national government agencies are a prime example as they often demand a wealth of personal information which goes far beyond a simple user name or account number + PIN. While filling in a tax return online might seem like a great way to save time and paper, it gives cybercriminals a great opportunity to scoop all your details at once – data which could then be used to steal your identity and/or commit further crimes in your name. ...

SysProtector

Published: January 12, 2010 Reading Time: 1 min

SysProtector and ApcDefender are two new rogue antispyware programs released in the past 48 hours. SysProtector and APCDefender are potentially very dangerous PC infections. These rogues use fake security alerts and warnings to trick people into thinking their PC is under attack, all the while they drop fake files on the system. These rogues will also prevent other programs from opening, hijack the web browsers and render the PC nearly useless. Below is a screenshot of a hijacked browser, showing fake threat warnings. ...

PCProtectar

Published: January 6, 2010 Reading Time: 1 min

PCProtectar is the latest rogue security software infecting PCs across the interwebs. PCProtectar uses false security warnings and system scan results to trick people into buying the software. If your PC has been infected with PCProtectar, don’t fall for the scam. Do not buy this software; it is completely useless and an infection in itself. PCProtectar is a potentially dangerous infection that may cause programs to stop working and web browsers to not open, making it impossible to access the internet. PCProtectar should be removed from infected computer systems immediately. ...

How to rescue files encrypted by Data Doctor 2010?

Published: January 6, 2010 Reading Time: 1 min

We have a tool available to do just that. Click Here.

How to use dd2010_decrypter.exe to do batch processing:

Place the encrypted files in a directory (e.g. c:\encrypted_files\).

Copy dd2010_decrypter.exe into another directory and, FROM THAT DIRECTORY, run the following command:

    for %f in ("c:\encrypted_files\*.*") do dd2010_decrypter.exe "%f" "%f.decrypted"

All files in the encrypted_files folder will be processed and the new decrypted files will have the same name but their extension will be “.decrypted”. ...

Identifying Malicious Blogspot pages used by Koobface

Published: January 6, 2010 Reading Time: 2 min

Koobface is still going strong despite not making the headlines so much anymore. Well, the Koobface gang took the time to send a Christmas card and wish security researchers a happy new year. Very nice of them… For a couple of days now I’ve been looking at their infection method and trying to see any interesting patterns. The bad guys use bogus blogspot.com blog pages to redirect users to the actual Koobface malware. The redirection consists of several attempts to connect to compromised PCs, through their IP address. Below is a Fiddler log showing those attempted connections (in red are failed connections). Once a host has successfully responded, the users are redirected to a fake page prompting them to install a video codec. ...

Damn Funny Instant Message—NOT!

Published: January 6, 2010 Reading Time: 3 min

I recently received a suspicious Gmail chat message from a friend (shown below). I was immediately suspicious about the message because this friend has never used chat to talk with me previously, and also he appeared to be offline and the content of the message was similar to messages that other instant messaging worms use. I expected that when I clicked on the link I would be asked to download an executable thinly disguised as a photo (for example, coolpic.jpg.exe) like W32.Scrimge.E or that some drive-by exploits would be used on the page such as the ones Koobface uses. Instead I was brought to the following page that asked me to log in to my choice of MSN, Yahoo, Gtalk, or AIM accounts to view the “private album.” ...

No Malware (NoMalware)

Published: January 6, 2010 Reading Time: 1 min

No Malware is a rogue security program, or a phony. NoMalware is designed to trick people into purchasing the software, which is actually useless, a PC infection in itself. NoMalware will use security scans to alert the user that their PC is infected. These security scans are not real; the infections reported are false. NoMalware will show these falsified scan results and refuse to remove the supposed infections unless the user buys the software. Do not fall for this scam. Victims that purchase NoMalware quickly learn that the software does not prevent infections or remove infections from their PCs. ...

Gaming Trojans: “because that’s where the money is.”

Published: January 6, 2010 Reading Time: 2 min

The massive growth of gold farming – the exchange of real money for virtual goods – might result in an increase in gaming Trojans and other malware aimed at gamers in the future. A well-respected researcher has described the incredible growth of “gold farming,” a significant industry and source of employment in China and other parts of Asia. He estimates there are 400,000 people working for gold farming companies. They spend as much as 12 hours per day playing online games in order to accumulate virtual goods which can be sold to some of the 50 million online game players worldwide for real cash. ...

PcsProtector

Published: January 6, 2010 Reading Time: 1 min

The creators of WiniGuard rogue security software have released their first clone of 2010. This new rogue is called PcsProtector.
