Malware Advancing Faster Than Companies Can Analyze It – Dark Reading
By Mike S
IT is worried: More than half of IT leaders say malware sophistication is outpacing their ability to analyze it.
A new study conducted by Forrest Anderson Research and commissioned by Norman ASA found that 62 percent of IT pros have this concern, while 58 percent say their biggest worry is the growing number of threats.
Problems like this are going to make whitelisting a nearly mandatory strategy.
via Malware Advancing Faster Than Companies Can Analyze It – Dark Reading.
Official Malware from the German Police
By Mike S
Bruce Schneier has some interesting info on Official Malware from the German Police.
Trojan Tricks Victims Into Transferring Funds — Krebs on Security
By Mike S
Something to watch out for:
The German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen until the errant payment is transferred back.
When the unwitting user views his account balance, the malware modifies the amounts displayed in his browser; it appears that he has recently received a large transfer into his account. The victim is told to immediately make a transfer to return the funds and unlock his account. The malicious software presents an already filled-in online transfer form — with the account and routing numbers for a bank account the attacker controls.
via Trojan Tricks Victims Into Transferring Funds — Krebs on Security.
Zscaler Research: Malware sites already capitalizing on announcement of Osama Bin Laden’s Death
By Mike S
Within hours of the announcement of Osama Bin Laden’s death, we are already seeing malicious sites emerge to capitalize on the news. One Spanish language site displays a purported photo of a murdered Osama Bin Laden and includes a story about the US led operation. Farther down the page, the reader is presented with a Flash Player window with a message indicating that the user must first update a VLC plugin, which is a popular media player, in order to view the video. When the user clicks on the link, they will download a file titled XvidSetup.exe. This file is actually a popular adware tool known as hotbar. At present, 19 of 41 antivirus engines are blocking the file.
It’s amazing how quickly malware providers respond to current events to spread their wares. Use a secure browser, and keep your virus definitions up to date.
via Zscaler Research: Malware sites already capitalizing on announcement of Osama Bin Laden’s Death.
Looking for malware? Search for porn
By Mike S
Many of these sites are better avoided…
Symantec detected more than three billion malware attacks from 286 million malware variants last year, according to the 2010 edition of its annual Internet Security Threat Report, published today. Web-based attacks were up 93 percent on 2009, and you were most likely to come across a malicious Web site if you were on the hunt for pornography; 49 percent of malicious sites found through Web searches were pornographic.
Overall, the report paints a grim picture of the Internet threat landscape. Software flaws are abundant. In 2010, 6,253 software vulnerabilities were reported, higher than in any previous edition of the report. 14 vulnerabilities were used in zero-day attacks, including four different Windows zero-days used in the Stuxnet attack.
…
The bad guys also demonstrated a firm grasp of new technology. Social networking sites are a huge target, both due to their wide use and their enormous susceptibility to social engineering. In mass, untargeted attacks, the social networking sites give malicious links a veneer of integrity—if a friend of yours posts a link it’s surely going to be safe, right? For spear-phishing and other targeted attacks, the social networks give valuable insight into individual habits and interests, not to mention the ability for hackers to strike up friendships with their would-be victims and to gain their trust that way.
And just because it came from someone you know doesn’t make it automatically trustworthy. And if one of your friends sends you a porn link, watch out!
Logic bomb in “Whac-A-Mole” Games
By Mike S
Only the government can get away with creating problems and then charging to fix them.
It wasn’t a club but a computer virus that shut down the Whac-A-Mole and more than 400 other games built by Bob’s Space Racers in Holly Hill. The company traced the problem back to computer programmer Marvin Wimberly.
Faced with a pay cut, police believe Wimberly programmed games to fail, ensuring he would be needed and keep making money.
Each game, after turning on and off a certain number of times, sometimes 50, sometimes 500, would fail. Wimberly would be paid to fix it, and police reports say, he would insert a new virus with a new countdown.
via Cops: Orlando Man Sabotaged “Whac-A-Mole” Games – News Story – WFTV Orlando.
Interesting comments at Schneier on Security: Malware as Job Security.
Botnet, Trojan Activity Increased in February
By Mike S
Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren’t far behind, according to several security reports.
About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec’s February 2011 MessageLabs Intelligence Report. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report.
Remember – just because the email says it’s from someone you know, doesn’t mean he or she sent you OMG PICS FROM YOUR’RE LAST SUMMER VACATION!!!!
via Botnet, Trojan Activity Increased in February – Security – News & Reviews – eWeek.com.
Facebook, Google Chat Used as Control Sites for Malware Attackers
By Mike S
While it isn’t exactly groundbreaking news that malware attackers are using social media to control their botnets, certain aspects are notable:
In each of these cases, the attackers’ remote activity looked like normal SSL-encrypted traffic to popular Internet sites, making it nearly impossible for packet inspection and netflow anomaly analysis tools to differentiate the malicious from benign activity.
If you can’t read the packet because it’s encrypted, it is very difficult to detect what it is doing.
Prevention efforts will typically not work against APT, Mandiant said. Instead of trying to stop APT intruders from using legitimate sites to compromise their networks, organizations should make it difficult for the APT intruders to stay in the breached network, ultimately making them “too expensive” to attack, according to Mandiant.
This is achieved when the security team can determine what the attacker is doing and anticipate what the attacker will do next, Mandiant said. Organizations need to increase visibility across the enterprise by incorporating specialized monitoring systems that provide host- and network-based visibility, increased logging, and log aggregation, Mandiant said.
Host-based detection tools look for indicators that the host had been compromised as well as signs of the tools, tactics and procedures used by the attacker. These tools can find unknown malware because they aren’t looking for actual signatures like a traditional anti-virus, the researchers said. Network-based tools do the same search on network traffic. Mandiant researchers listed nine different logs security managers should be looking at regularly, including internal DNS server logs, DHCP logs, internal Web proxy logs, firewall logs with ingress/egress TCP header information, and external Webmail access logs. Log aggregation tools help managers correlate information from numerous sources, highlight critical information, and index all information for easy searching. The security team can use all the information to effectively detect and remove the compromised host, repeatedly forcing the attacker to start over to regain control, Mandiant said.
Anton Chuvakin was right about logs all along!
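To make the log-aggregation point concrete, here is an added example (not code from the article, from Mandiant, or from this blog) that pulls three of the log sources named above, DHCP, internal Web proxy, and firewall egress records, into one schema, names each host from its DHCP lease, and then correlates across sources: an allowed outbound connection on a web port with no matching proxy record from the same host is flagged as a proxy bypass, which is exactly the kind of cross-source signal no single log shows. It also builds a small inverted index so an analyst can pivot on any value. The log lines and their formats are constructed for the example, as are the hostnames and addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article); the line formats are assumptions.
DHCP_LOG = """\
2011-03-01T08:00:01 DHCPACK on 10.0.0.21 to 00:11:22:33:44:55 (ws-alice)
2011-03-01T08:00:05 DHCPACK on 10.0.0.22 to 00:11:22:33:44:66 (ws-bob)"""
PROXY_LOG = """\
2011-03-01T08:01:01 10.0.0.21 GET https://www.example.com/ 200
2011-03-01T08:02:01 10.0.0.22 GET https://www.example.com/ 200"""
FIREWALL_LOG = """\
2011-03-01T08:01:01 ALLOW TCP 10.0.0.21:51000 -> 93.184.216.34:443
2011-03-01T08:02:01 ALLOW TCP 10.0.0.22:51001 -> 93.184.216.34:443
2011-03-01T08:03:00 ALLOW TCP 10.0.0.22:51002 -> 198.51.100.7:443"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to \S+ \((\S+)\)$")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\w+) (\S+) (\d+)$")
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def normalize(dhcp_log, proxy_log, firewall_log):
    """Flatten the three sources into one time-ordered event list with a common schema."""
    events = []
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            events.append({"source": "dhcp", "ts": parse_ts(m[1]), "ip": m[2], "host": m[3]})
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m:
            events.append({"source": "proxy", "ts": parse_ts(m[1]), "ip": m[2],
                           "method": m[3], "url": m[4], "status": int(m[5])})
    for line in firewall_log.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"source": "firewall", "ts": parse_ts(m[1]), "action": m[2],
                           "ip": m[3], "sport": int(m[4]), "dst": m[5], "dport": int(m[6])})
    events.sort(key=lambda e: e["ts"])
    # Attach a hostname to every event from the most recent DHCP lease seen for its IP.
    leases = {}
    for e in events:
        if e["source"] == "dhcp":
            leases[e["ip"]] = e["host"]
        else:
            e["host"] = leases.get(e["ip"], "unknown")
    return events


def find_proxy_bypass(events, window_seconds=5, web_ports=(80, 443)):
    """Flag allowed outbound web-port connections with no proxy record from the same host nearby."""
    proxy_times = defaultdict(list)
    for e in events:
        if e["source"] == "proxy":
            proxy_times[e["ip"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    findings = []
    for e in events:
        if e["source"] != "firewall" or e["action"] != "ALLOW" or e["dport"] not in web_ports:
            continue
        if not any(abs(t - e["ts"]) <= window for t in proxy_times[e["ip"]]):
            findings.append({"host": e["host"], "ip": e["ip"], "dst": e["dst"],
                             "dport": e["dport"], "ts": e["ts"].isoformat()})
    return findings


def build_index(events):
    """Inverted index: every string-valued field -> positions of events containing it."""
    index = defaultdict(set)
    for i, e in enumerate(events):
        for value in e.values():
            if isinstance(value, str):
                index[value].add(i)
    return index


def search(index, events, term):
    """Return every event that carries `term` in any string field (a pivot, e.g. on an IP)."""
    return [events[i] for i in sorted(index.get(term, ()))]


if __name__ == "__main__":
    evs = normalize(DHCP_LOG, PROXY_LOG, FIREWALL_LOG)
    for f in find_proxy_bypass(evs):
        print("proxy bypass:", f)
    idx = build_index(evs)
    print("events mentioning ws-bob:", len(search(idx, evs, "ws-bob")))
```

On the constructed data the only finding is ws-bob's connection to 198.51.100.7:443, which the firewall allowed but the proxy never saw; pivoting the index on "ws-bob" then returns its lease and every proxy and firewall record for that host, which is the "start over" loop the article describes: find the host, pull everything it touched, remediate.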
Twitter Worm Pushing Rogue Anti-Virus Scam
By Mike S
The scam is spreading through malicious links abusing the goo.gl URL shortening service. According to Kaspersky Lab, the malicious links redirect users to different domains with a ‘m28sx.html’ page. That HTML page redirects users to a static domain with a Ukrainian top-level domain. From there, blogged Kaspersky Lab Senior Malware Researcher Nicolas Brulez, the domain redirects the user to an IP address pushing fake anti-virus.
“Once you are on this website,” Brulez blogged, “you will get [a] warning that your machine is running suspicious applications and you are encouraged to scan it…The user is invited to remove all the threats from their computer, and will download a fake Anti Virus [sic] application called “Security Shield”.”
It can be trouble when you don’t know where the link you’re clicking will take you, but it’s even worse trouble to let any random website “scan” your computer and install software to help you “fix” whatever it found.
via Twitter Worm Pushing Rogue Anti-Virus Scam – Security – News & Reviews – eWeek.com.
Cyber-Criminals Cold Calling Users to Distribute Fake Antivirus Services
By Mike S
In the antivirus cold-calling scam, call centers contacted users claiming to be support staff from Microsoft calling to make sure “the system is okay,” Graham Cluley, a senior technology consultant at Sophos, told eWEEK. The scam has other variations, with the caller pretending to be from the user’s internet service provider or a “security consultant.”
Criminals are renting out cheap call centers in India to randomly cold-call users to make sure the latest malware wasn’t affecting their computers, said Cluley. The callers follow a script that has users look in the low-level “techy” areas within the Control Panel, Event Viewer, or the registry, with a number of scary-sounding errors, cryptic messages, and warnings, he said. As the user confirms seeing certain messages, or reads back various parts of the screen, the caller explains those are problems, and then springs the trap, he said.
Improved security products are making it harder for Web-based attacks and scams to succeed, but “telephones bypass the technology and go straight to the weakest link in the chain, the user,” wrote Fraser Howard, a principal virus researcher in Sophos Labs, in a blog post.
Anytime anyone calls you about anything, verify their identity. If they ask for money, re-verify their identity, and if it’s any place where you’d have an account, call them back on their public 800 line and get transferred back to whatever department supposedly called you.
March 8th, 2012