<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0">
  <channel>
    <title>Secure Computing Corporation - TrustedSource Blog</title>
    <link>http://www.trustedsource.org</link>
    <description>The latest threats and security trends</description>
    <copyright>Copyright 2008 by Secure Computing Corporation</copyright>
    <language>en-us</language>
    <item>
      <title>FakeAlerts Uncovered</title>
      <link>http://www.trustedsource.org/blog/261/FakeAlerts-Uncovered</link>
      <pubDate>Thu, 02 Jul 2009 17:32:26 UT</pubDate>
      <description>It has been almost a year since rogue antivirus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, SEO poisoning, spam campaigns and clever social engineering. Having discussed these methods in earlier blogs, today we will look into the protection mechanisms adopted by these fake alert Trojan families to [...]</description>
    </item>
    <item>
      <title>Generic Rootkit.d Strikes Again in New Variant</title>
      <link>http://www.trustedsource.org/blog/260/Generic-Rootkitd-Strikes-Again-in-New-Variant</link>
      <pubDate>Mon, 29 Jun 2009 13:32:04 UT</pubDate>
      <description>A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a common rootkit that is mostly associated with FakeAlert and DNSChanger Trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection [...]</description>
    </item>
    <item>
      <title>Michael Jackson News Affects Web Traffic</title>
      <link>http://www.trustedsource.org/blog/259/Michael-Jackson-News-Affects-Web-Traffic</link>
      <pubDate>Fri, 26 Jun 2009 21:58:39 UT</pubDate>
      <description>The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing. Within hours the percentage of “long-tail” URL traffic associated with [...]</description>
    </item>
    <item>
      <title>Bad News Offers Opportunity to Spread Malware</title>
      <link>http://www.trustedsource.org/blog/258/Bad-News-Offers-Opportunity-to-Spread-Malware</link>
      <pubDate>Thu, 25 Jun 2009 23:26:23 UT</pubDate>
      <description>With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news. Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. [...]</description>
    </item>
    <item>
      <title>Sex the Bait in Mass Orkut Compromise</title>
      <link>http://www.trustedsource.org/blog/257/Sex-the-Bait-in-Mass-Orkut-Compromise</link>
      <pubDate>Tue, 23 Jun 2009 17:38:18 UT</pubDate>
      <description>With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spam. With more than 15 percent of the traffic from India, Orkut is perhaps the most [...]</description>
    </item>
    <item>
      <title>More Password-Theft Shenanigans</title>
      <link>http://www.trustedsource.org/blog/256/More-Password-Theft-Shenanigans</link>
      <pubDate>Tue, 23 Jun 2009 07:53:51 UT</pubDate>
      <description>Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de. When run, the password-stealing Trojan queries for the infected host’s IP address using three web-based IP address-lookup services. It [...]</description>
    </item>
    <item>
      <title>DDoS Not the Most Political Way to Protest</title>
      <link>http://www.trustedsource.org/blog/255/DDoS-Not-the-Most-Political-Way-to-Protest</link>
      <pubDate>Tue, 16 Jun 2009 01:35:20 UT</pubDate>
      <description>So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely: http://www.leader.ir/ http://president.ir/ http://www.irib.ir/ http://www.iribnews.ir/ and some specific URLs on those domains. No guys, that’s not the right path and, as it is a malicious activity, we are detecting the tools being distributed to create [...]</description>
    </item>
    <item>
      <title>Worms Dig Further Than Thumb Drives</title>
      <link>http://www.trustedsource.org/blog/254/Worms-Dig-Further-Than-Thumb-Drives</link>
      <pubDate>Thu, 11 Jun 2009 22:24:11 UT</pubDate>
      <description>Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.  Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms [...]</description>
    </item>
    <item>
      <title>Spammers Take Advantage of Air France Crash</title>
      <link>http://www.trustedsource.org/blog/253/Spammers-Take-Advantage-of-Air-France-Crash</link>
      <pubDate>Thu, 11 Jun 2009 20:38:52 UT</pubDate>
      <description>As we foresaw, spammers have used the Air France AF447 disaster to catch people’s attention and prompt them to open fake news emails related to this event. Less than two weeks after the crash, the first emails started to spread. We’ve seen the following subjects: A-330 blackbox record; Another plane crushed; Last seconds of plane. When opened, all these [...]</description>
    </item>
    <item>
      <title>Dumb Malware Authors Cause More Damage Than Smart Ones</title>
      <link>http://www.trustedsource.org/blog/252/Dumb-Malware-Authors-Cause-More-Damage-Than-Smart-Ones</link>
      <pubDate>Thu, 11 Jun 2009 20:55:25 UT</pubDate>
      <description>I don’t really know which is worse: a dumb or a smart malware writer. Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that. While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, [...]</description>
    </item>
    <item>
      <title>Zero-Day Exploit Leads to Apparent Suicide</title>
      <link>http://www.trustedsource.org/blog/251/Zero-Day-Exploit-Leads-to-Apparent-Suicide</link>
      <pubDate>Wed, 10 Jun 2009 23:04:44 UT</pubDate>
      <description>This is tragic news, indeed. We have heard of software flaws costing customers hefty amounts of money, man hours, bandwidth, disk space, etc. But now the cost has reached an unprecedented level–causing HyperVM’s creator to apparently commit suicide. The problem started earlier this week, when a large web host company that relied on HyperVM to [...]</description>
    </item>
    <item>
      <title>ATM Malware Makes Withdrawals in Russia</title>
      <link>http://www.trustedsource.org/blog/250/ATM-Malware-Makes-Withdrawals-in-Russia</link>
      <pubDate>Wed, 10 Jun 2009 16:55:30 UT</pubDate>
      <description>We frequently encounter password stealers and backdoors in computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see this malware directly implemented in banks’ automated teller machines. In these cases, Trojans have to be installed by people who have physical access to the machines. Data [...]</description>
    </item>
    <item>
      <title>Avoid Housecalls From Rogue ‘Malware Doctor’</title>
      <link>http://www.trustedsource.org/blog/249/Avoid-Housecalls-From-Rogue-Malware-Doctor</link>
      <pubDate>Fri, 05 Jun 2009 15:02:49 UT</pubDate>
      <description>Yesterday, we came across a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as FakeAlert-D Trojan with our DAT 5635. The new variant comes from the following web pages: hxxp://internetware-sa{blocked}.com/ hxxp://mal-ware{blocked}.net As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to [...]</description>
    </item>
    <item>
      <title>New McAfee Whitepaper on Browser Attacks</title>
      <link>http://www.trustedsource.org/blog/248/New-McAfee-Whitepaper-on-Browser-Attacks</link>
      <pubDate>Thu, 04 Jun 2009 00:38:44 UT</pubDate>
      <description>Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper: Web Browsers: An Emerging Platform Under Attack “The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration [...]</description>
    </item>
    <item>
      <title>Social Engineering Aids Malware Delivery</title>
      <link>http://www.trustedsource.org/blog/247/Social-Engineering-Aids-Malware-Delivery</link>
      <pubDate>Tue, 02 Jun 2009 17:02:50 UT</pubDate>
      <description>Earlier today the nice folks at SANS blogged about a malware campaign dressed up as a digital-certificate update for Bank of America. The malicious link contained the substring “bankofamerica.com” and took you to a Web page rigged to mimic Bank of America’s Web page:  If you clicked on “Update Certificate,” a certifiably nasty piece of malware [...]</description>
    </item>
    <item>
      <title>McAfee Releases June Spam Report</title>
      <link>http://www.trustedsource.org/blog/246/McAfee-Releases-June-Spam-Report</link>
      <pubDate>Mon, 01 Jun 2009 08:04:56 UT</pubDate>
      <description>Today we released our Spam Report for the month of June. In it we discuss two key findings: President Obama’s First 100 Days of Spam  Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as [...]</description>
    </item>
    <item>
      <title>Who Digs the Elephant Trap?</title>
      <link>http://www.trustedsource.org/blog/245/Who-Digs-the-Elephant-Trap</link>
      <pubDate>Thu, 28 May 2009 12:10:12 UT</pubDate>
      <description>It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging [...]</description>
    </item>
    <item>
      <title>Bad Program Logic Amplifies Baofeng Attack</title>
      <link>http://www.trustedsource.org/blog/244/Bad-Program-Logic-Amplifies-Baofeng-Attack</link>
      <pubDate>Tue, 26 May 2009 11:25:40 UT</pubDate>
      <description>A distributed denial-of-service (DDoS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week. Baofeng is a widely popular media player in China, with a total of 200 million users and several million users online simultaneously. The player starts [...]</description>
    </item>
    <item>
      <title>Urban ‘Attack’ on Infrastructure</title>
      <link>http://www.trustedsource.org/blog/243/Urban-Attack-on-Infrastructure</link>
      <pubDate>Fri, 22 May 2009 14:59:00 UT</pubDate>
      <description>Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control. Stories about intruders who damage [...]</description>
    </item>
    <item>
      <title>Double Strike by AMTSO</title>
      <link>http://www.trustedsource.org/blog/242/Double-Strike-by-AMTSO</link>
      <pubDate>Thu, 21 May 2009 11:49:34 UT</pubDate>
      <description>It was very encouraging to see that more than 40 people came to Budapest, Hungary, to discuss and agree on new industry standards as part of the effort undertaken by the Anti-Malware Standards Organization (www.amtso.org). The awesome historic surroundings set the mood for our discussions. Seeing such a great turnout in the current economic climate shows how much AMTSO [...]</description>
    </item>
  </channel>
</rss>
