Malware

 

Sat, 5 Dec 09
Google Work At Home Scam
http://pandalabs.pandasecurity.com/archive/Google-Work-At-Home-Scam.aspx


Lately, a Google work-at-home scam has been plastering its way across the Internet. The scam site is designed to look like a convincing newspaper article and is currently circulating heavily through social networks (hacked and spam accounts) and ad networks.

Screenshot: example of the scam wall post on Facebook from a hacked account.

Screenshot: the scam site.

To "cash in on the opportunity" all you have to do is fork up a measly $1.95 for the "Easy Google Profit" kit. Unfortunately, if you fall for the scam, you're going to be taken for more than what you bargained for. Ripoff Report shows one victim's struggle with these scam artists. Apparently they automatically started charging the victim $39.98 per month on top of an additional $129.95 fee. On top of that, they enrolled him in a 14-day trial for another site, which charges $29.95 a month if not canceled in time.

A helpful tip for avoiding these types of scams is to question all links before clicking on them, especially on social networks. Nothing should be trusted outright. Ask yourself, "Would my friend/parent/sibling really post this link?" The chances are that the link will stick out like a sore thumb and you'll be able to avoid a nasty situation. We also advise the use of safe browsing technology, such as the community-driven browser plugin offered by our partners, Web of Trust.

Thu, 3 Dec 09
CDC H1N1 Malspam Campaign
http://pandalabs.pandasecurity.com/archive/CDC-H1N1-Malspam-Campaign.aspx


Our spam traps have been receiving thousands of malspam e-mails related to a new Sinowal (zbot) campaign over the past 24 hours. The e-mail attempts to trick users into creating a profile for H1N1 (Swine Flu) vaccination at the Centers for Disease Control website.



The email reads:

You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.

Create your Personal H1N1 Vaccination Profile using the link:

create personal profile
----
Centers for Disease Control and Prevention (CDC) - 1600 Clifton Rd - Atlanta GA 30333 - 800-CDC-INFO (800-232-4636)


The (several) websites used in this malspam campaign all start with online.cdc.gov.(malicious domain) and could easily convince even the most suspicious users of their validity.



The site reads:

"Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug).  All instructions you need are included in the archive below:

Your Temporary ID (valid for 48 hours) H1N1-1574377270
H1N1 Vaccination Profile - Download Archive (130Kb)"


The campaign uses 6 different subject lines for its e-mails. The most common subject lines are Governmental registration program and Creation of personal Vaccination Profile.





Infection information:

Sinowal.WRN creates a copy of itself with the name SDRA64.EXE in the Windows system directory.

Additionally, it creates the following files, where it stores the information it has obtained:

Sinowal.WRN modifies the following entry from the Windows Registry:


Wed, 2 Dec 09
Phishing targeting Google AdWords
http://pandalabs.pandasecurity.com/archive/Phishing-targeting-Google-AdWords.aspx


We've seen this phishing going around in the last few hours:



When you click on the link you are redirected to the following site:



Taking a look at the URL you can see that it is not the real Google AdWords site. As always, legitimate companies never send you a message with a link to change your credentials, and if one did, it shouldn't; so please always dismiss these kinds of messages. If you need to change your password (something everyone should do from time to time) go directly to the site and then do it.
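Both the H1N1 lure (hosts beginning with online.cdc.gov. but registered elsewhere) and this AdWords phish rely on the reader trusting the left-most part of a host name. The check below is an added example, not PandaLabs code; the sample links, the "attacker.example" and "login.example" domains, and the two-label registrable-domain assumption are all constructed for illustration.

```python
"""Flag links whose host name-drops a trusted domain but is not under it.

Added example, not code from the PandaLabs posts. The H1N1 lure used hosts
beginning with online.cdc.gov. that ended in an attacker's domain, and the
AdWords phish used a host that was not google.com. Readers look at the
left-most labels; only the right-most ones (the registrable domain) count.
"""
from typing import Optional
from urllib.parse import urlsplit


def registrable_domain(url: str) -> Optional[str]:
    """Last two labels of the URL's host, or None if it cannot be parsed.

    Assumption: a two-label suffix (example.com) is the registrable domain;
    production code should consult the Public Suffix List (e.g. co.uk).
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        return None
    return ".".join(labels[-2:])


def mentions_brand(url: str, brand_domain: str) -> bool:
    """True if brand_domain appears anywhere in the authority part of the URL.

    The raw netloc is searched (not just the hostname) so that a user-info
    trick such as http://www.cdc.gov@attacker.example/ is still caught.
    """
    return brand_domain.lower() in urlsplit(url).netloc.lower()


def verdict(url: str, brand_domain: str) -> str:
    """'genuine', 'lookalike' or 'unrelated' for a link that should be brand_domain."""
    if registrable_domain(url) == brand_domain.lower():
        return "genuine"
    return "lookalike" if mentions_brand(url, brand_domain) else "unrelated"


if __name__ == "__main__":
    # Constructed sample links; the first two mimic the campaigns described above.
    for link in ("http://online.cdc.gov.attacker.example/profile",
                 "http://adwords.google.com.login.example/",
                 "https://www.cdc.gov/h1n1flu/vaccination/"):
        print(verdict(link, "cdc.gov"), verdict(link, "google.com"), link)
```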

Tue, 24 Nov 09
Rogue Antivirus Optimized for Windows 7
http://pandalabs.pandasecurity.com/archive/Rogue-Antivirus-Optimized-for-Windows-7.aspx
I came across an interesting Rogueware campaign while researching the ongoing Black(hat) Friday SEO campaign. Unlike the typical Rogueware attack, the cyber criminals behind this one have already optimized the campaign to take advantage of users of the brand new Microsoft Windows 7 operating system by emulating its look and feel. 

Screenshot: Rogue Antivirus Optimized for Windows 7.

As you can see from the screenshot above, the website creates an exact replica of the Windows 7 explorer shell.  In addition to the popup, the site is configured with a white background in order to create the illusion that the “Windows 7 popup” is not in the foreground of the website, but rather a separate process running on the computer itself.  Both techniques are devilishly deceiving and might even fool an expertly trained eye.

Sat, 21 Nov 09
Black(hat) Friday
http://pandalabs.pandasecurity.com/archive/Black_2800_hat_2900_-Friday.aspx

If you plan on shopping online for "Black Friday", or "Cyber Monday", you might be in for more than you bargained for.  Cyber criminals behind the Rogueware epidemic have their blackhat SEO campaigns optimized to take advantage of deal seekers looking for advertisements online.  One misstep and you just might find yourself staring at a scareware site designed to trick you into believing that your computer is infected. 

Screenshot: Google search results.

Screenshot: fake antivirus page (Black Friday - Rogueware Page).

We are constantly monitoring this and other Blackhat SEO campaigns to protect our customers against the latest malware attacks on the Internet.  If you are not a customer yet, we recommend at least installing our free Cloud Antivirus protection. We also recommend adding an extra layer of browsing protection with safer browsing technology, such as the community driven system provided by our partner, Web Of Trust.

Fri, 13 Nov 09
See how the Rick Astley iPhone hack attack works
http://pandalabs.pandasecurity.com/archive/This-way-works-the-worm-for-iPhone.aspx


We have created a video on how the iPhone/Eeki worm targeting iPhones works.

You can see it here:




As you can see in the video, this malware first checks that it is not already running on the device. To do so, it checks whether the following file exists:

/var/lock/bbot.lock

This may help you know whether you are infected: if this file is present on your device, the worm is there.

Next, it changes the device host and stops the SSH daemon.

It then tries to spread on the subnet the phone is connected to and tries to create a random IP range. It also tries pre-established ranges corresponding to certain companies' IP addresses:

Screenshot: list of IP ranges.

Once the IP address is created, it remotely accesses the jailbroken iPhone device, establishing an SSH connection and using the default root credentials included in all iPhone OS devices (1G, 2G and 3G iPhone and iPod touch devices). If access is denied, it tries to create a random IP again and repeats the process until it obtains a valid IP from a vulnerable victim.

Once a victim is found with the previous credentials, it obtains a remote session and copies itself to the affected phone, adding the following launch daemons so that it runs on restart:

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist

It stops the SSH service that has caused the infection. Finally, it copies a photo of Rick Astley and uses the image as the device wallpaper.

Screenshot: the Rick Astley wallpaper set by the worm.

“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.
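The post suggests checking for the lock file to learn whether a device is infected. The script below is an added example, not PandaLabs code: it checks for the three files the post names (the lock file and the two LaunchDaemons plists) under a chosen root, so it can be pointed at a mounted device backup or, for testing, at a throwaway directory; the `scan_constructed_tree` helper and its temporary tree are constructed for illustration.

```python
"""Host-based check for the ikee/Eeki worm artefacts named in the post above.

Added example, not PandaLabs code. It looks only for the files the post lists:
the worm's lock file and the two LaunchDaemons plists it drops. The `root`
argument lets the same check run over a mounted device backup or, as in
scan_constructed_tree, over a temporary directory built for testing.
"""
import os
import tempfile
from typing import Dict, Iterable, Tuple

# Paths quoted in the post, relative to the device root.
LOCK_FILE = "var/lock/bbot.lock"
LAUNCH_DAEMONS = [
    "System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
    "System/Library/LaunchDaemons/com.ikey.bbot.plist",
]
INDICATOR_FILES = [LOCK_FILE] + LAUNCH_DAEMONS


def find_indicators(root: str = "/") -> Dict[str, bool]:
    """Map each indicator path to whether it exists below `root`."""
    return {rel: os.path.exists(os.path.join(root, rel)) for rel in INDICATOR_FILES}


def assess(root: str = "/") -> str:
    """'infected' if any artefact is present, otherwise 'clean'.

    The lock file shows the worm is (or was) running; a plist shows it has
    installed itself to start again after a reboot.
    """
    found = find_indicators(root)
    return "infected" if any(found.values()) else "clean"


def scan_constructed_tree(present: Iterable[str]) -> Tuple[str, Dict[str, bool]]:
    """Build a temporary tree holding only `present` (constructed data) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in present:
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return assess(tmp), find_indicators(tmp)


if __name__ == "__main__":
    for rel, present in find_indicators("/").items():
        print(("FOUND  " if present else "absent ") + "/" + rel)
    print("verdict:", assess("/"))
```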

Sat, 10 Oct 09
Blackhat SEO Campaign Targets 2009 Nobel Prize Winner
http://pandalabs.pandasecurity.com/archive/Blackhat-SEO-Campaign-Targets-2009-Nobel-Prize-Winner.aspx


 We’ve identified a new Blackhat SEO campaign today which targets President Obama as the 2009 Nobel Peace Prize winner among a thousand or so other search terms.   Clicking on a malicious search result yields the typical Rogueware campaign. 

Search result:
Nobel Peace Prize Winner 2009 - Obama Blackhat SEO

Rogueware site:
Windows Performance Center Rogueware

The complete list of targeted search terms can be found here.   

Fri, 9 Oct 09
Rogueware with new Ransomware Technology™
http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx


The criminals behind Rogueware attacks are becoming increasingly aggressive in their approach to making money. We recently stumbled across a sample (Adware/TotalSecurity2009) which uses a ransomware technique to improve its sales. Once the computer becomes infected, Total Security forces the victim to purchase it before it will allow any files to be accessed on the system. When attempting to open a file, a message pops up in the notification area claiming that the application was blocked due to infection. The pop-up recommends activating the "antivirus" software, which costs $79.95.

Notification Area - Notepad.exe blocked

This would be a devastating blow to any user and would likely force the victim to purchase it, so we went ahead and cracked the sample to reveal all of the valid serial numbers. We're hoping that victims can find this blog post before shelling out any hard-earned cash to these criminals.



Watch the video to see it in action: 





Valid serials for Adware/TotalSecurity2009:

WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD

You can download a free trial to completely remove the infection once the ransomware feature is removed.

Special thanks to Sherab Giovannini for extracting the serials. 

Tue, 6 Oct 09
Rogueware distributors use Skype
http://pandalabs.pandasecurity.com/archive/Rogueware-distributors-use-Skype.aspx


Rogueware distributors are like the cockroaches of the Internet; they’re everywhere.   Malicious search results, online advertisements, and iframe hijacked sites are the typical distribution methods, but every once in a while we come across an interesting approach.

Recently, a colleague alerted me to a spam message that had come through to his personal Skype account. The message appeared out of nowhere from an account labeled "Online Notification" and made the typical claims of a found infection. Once the victim navigates to the site, the usual fake antivirus trickery takes place.

Skype Spam



Skype isn’t the most reliable or innovative distribution method, but we’ll go ahead and give them an "A" for effort. 

Fri, 2 Oct 09
Q3 report released
http://pandalabs.pandasecurity.com/archive/Q3-report-released.aspx


We've just published our latest quarterly report. It shows the different figures about malware in Q3, along with some interesting articles. If you want to know what has happened in the last 3 months, which have been the most important Blackhat SEO attacks, or the latest movements of the Koobface worm, just download it and enjoy!

English:

Spanish:


© amigura.co.uk All Rights Reserved.