Tag Archives: malware

Looking for malware? Search for porn

Many sites that are better to avoid…

Symantec detected more than three billion malware attacks from 286 million malware variants last year, according to the 2010 edition of its annual Internet Security Threat Report, published today. Web-based attacks were up 93 percent on 2009, and you were most likely to come across a malicious Web site if you were on the hunt for pornography; 49 percent of malicious sites found through Web searches were pornographic.

Overall, the report paints a grim picture of the Internet threat landscape. Software flaws are abundant. In 2010, 6,253 software vulnerabilities were reported, higher than in any previous edition of the report. 14 vulnerabilities were used in zero-day attacks, including four different Windows zero-days used in the Stuxnet attack.

The bad guys also demonstrated a firm grasp of new technology. Social networking sites are a huge target, both due to their wide use and their enormous susceptibility to social engineering. In mass, untargeted attacks, the social networking sites give malicious links a veneer of integrity—if a friend of yours posts a link it’s surely going to be safe, right? For spear-phishing and other targeted attacks, the social networks give valuable insight into individual habits and interests, not to mention the ability for hackers to strike up friendships with their would-be victims and to gain their trust that way.

And just because it came from someone you know doesn’t make it automatically trustworthy. And if one of your friends sends you a porn link, watch out!

via Looking for malware? Search for porn.

Logic bomb in “Whac-A-Mole” Games

Only the government can get away with creating problems and then charging to fix them.

It wasn’t a club but a computer virus that shut down the Whac-A-Mole and more than 400 other games built by Bob’s Space Racers in Holly Hill. The company traced the problem back to computer programmer Marvin Wimberly.

Faced with a pay cut, police believe Wimberly programmed games to fail, ensuring he would be needed and keep making money.

Each game, after turning on and off a certain number of times, sometimes 50, sometimes 500, would fail. Wimberly would be paid to fix it, and police reports say, he would insert a new virus with a new countdown.

via Cops: Orlando Man Sabotaged “Whac-A-Mole” Games – News Story – WFTV Orlando.

Interesting comments at Schneier on Security: Malware as Job Security.

Botnet, Trojan Activity Increased in February

Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren’t far behind, according to several security reports.

About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec’s February 2011 MessageLabs Intelligence Report. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report.

Remember – just because the email says it’s from someone you know, doesn’t mean he or she sent you OMG PICS FROM YOUR’RE LAST SUMMER VACATION!!!!

via Botnet, Trojan Activity Increased in February – Security – News & Reviews – eWeek.com.

Facebook, Google Chat Used as Control Sites for Malware Attackers

While it isn’t exactly groundbreaking news that malware attackers are using social media to control their botnets, certain aspects are notable:

In each of these cases, the attackers’ remote activity looked like normal SSL-encrypted traffic to popular Internet sites, making it nearly impossible for packet inspection and netflow anomaly analysis tools to differentiate the malicious from benign activity.

If you can’t read the packet because it’s encrypted, it is very difficult to detect what it is doing.

Prevention efforts will typically not work against APT, Mandiant said. Instead of trying to stop APT intruders from using legitimate sites to compromise their networks, organizations should make it difficult for the APT intruders to stay in the breached network, ultimately making them “too expensive” to attack, according to Mandiant.

This is achieved when the security team can determine what the attacker is doing and to anticipate what the attacker will do next, Mandiant said. Organizations need to increase visibility across the enterprise by incorporating specialized monitoring systems that provide host- and network-based visibility, increased logging, and log aggregation, Mandiant said.

Host-based detection tools look for indicators that the host had been compromised as well as signs of the tools, tactics and procedures used by the attacker. These tools can find unknown malware because they aren’t looking for actual signatures like a traditional anti-virus, the researchers said. Network-based tools do the same search on network traffic. Mandiant researchers listed nine different logs security managers should be looking at regularly, including internal DNS server logs, DHCP logs, internal Web proxy logs, firewall logs with ingress/egress TCP header information, and external Webmail access logs. Log aggregation tools help managers correlate information from numerous sources, highlight critical information and index all information for easy searching. The security team can use all the information to effectively detect and remove the compromised host, repeatedly forcing the attacker to start over to regain control, Mandiant said.
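One concrete way to act on the advice above, as an added illustration that is not Mandiant’s or eWeek’s code: when the C2 channel is TLS to a popular site, the packet contents are useless, but the proxy log still shows *how often* a client talks to that site, and the DHCP log says *which machine* held that address. The script below flags (host, destination) pairs whose request gaps are suspiciously regular, using constructed log lines in an assumed simple format.

```python
"""Beacon detection over constructed proxy log lines, joined to DHCP leases.
Log formats below are assumed for the example; real proxies and DHCP servers differ."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample data (not real). Proxy: "<ts> <client_ip> <dest_host> <bytes>"
PROXY_LOG = """\
2011-02-01T09:00:00 10.0.0.7 www.example-social.test 1820
2011-02-01T09:10:00 10.0.0.7 www.example-social.test 1811
2011-02-01T09:20:01 10.0.0.7 www.example-social.test 1822
2011-02-01T09:30:00 10.0.0.7 www.example-social.test 1815
2011-02-01T09:02:13 10.0.0.9 www.example-social.test 53201
2011-02-01T09:31:48 10.0.0.9 www.example-social.test 9902
"""
# DHCP lease log: "<ts> <ip> <hostname>"
DHCP_LOG = """\
2011-02-01T08:30:00 10.0.0.7 WS-ACCOUNTING-04
2011-02-01T08:45:00 10.0.0.9 WS-SALES-11
"""

def parse_proxy(text):
    """Group request timestamps by (client_ip, dest_host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _nbytes = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen

def parse_dhcp(text):
    """Map each client IP to the hostname that most recently leased it."""
    leases = {}
    for line in text.splitlines():
        _ts, ip, name = line.split()
        leases[ip] = name  # later lease lines overwrite earlier ones
    return leases

def find_beacons(proxy_text, dhcp_text, min_hits=4, max_cv=0.05):
    """Return (hostname, dest, mean_gap_s, cv) for near-constant request gaps.
    cv = stdev/mean of the gaps: human browsing is bursty, a check-in timer is not."""
    leases = parse_dhcp(dhcp_text)
    hits = []
    for (client, host), times in parse_proxy(proxy_text).items():
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / (mean(gaps) or 1)
        if cv <= max_cv:
            hits.append((leases.get(client, client), host, round(mean(gaps)), round(cv, 4)))
    return hits
```

Tune `min_hits` and `max_cv` against your own baseline; a low threshold on a busy proxy will also catch legitimate pollers such as mail clients, which is why the DHCP join and a human review of the flagged host matter.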

Anton Chuvakin was right about logs all along!

via Facebook, Google Chat Used as Control Sites for Malware Attackers – Security – News & Reviews – eWeek.com.

Twitter Worm Pushing Rogue Anti-Virus Scam

The scam is spreading through malicious links abusing the goo.gl URL shortening service. According to Kaspersky Lab, the malicious links redirect users to different domains with a ‘m28sx.html’ page. That HTML page redirects users to a static domain with a Ukrainian top-level domain. From there, blogged Kaspersky Lab Senior Malware Researcher Nicolas Brulez, the domain redirects the user to an IP address pushing fake anti-virus.

“Once you are on this website,” Brulez blogged, “you will get [a] warning that your machine is running suspicious applications and you are encouraged to scan it…The user is invited to remove all the threats from their computer, and will download a fake Anti Virus [sic] application called “Security Shield”.”

It can be trouble when you don’t know where the link you’re clicking will take you, but it’s even worse trouble to let any random website “scan” your computer and install software to help you “fix” whatever it found.

via Twitter Worm Pushing Rogue Anti-Virus Scam – Security – News & Reviews – eWeek.com.

Cyber-Criminals Cold Calling Users to Distribute Fake Antivirus Services

In the antivirus cold-calling scam, call centers contacted users claiming to be support staff from Microsoft calling to make sure “the system is okay,” Graham Cluley, a senior technology consultant at Sophos, told eWEEK. The scam has other variations, with the caller pretending to be from the user’s internet service provider or a “security consultant.”

Criminals are renting out cheap call centers in India to randomly cold-call users to make sure the latest malware wasn’t affecting their computers, said Cluley. The callers follow a script that has users look in the low-level “techy” areas within the Control Panel, Event Viewer, or the registry, with a number of scary-sounding errors, cryptic messages, and warnings, he said. As the user confirms seeing certain messages, or reads back various parts of the screen, the caller explains those are problems, and then springs the trap, he said.

Improved security products are making it harder for Web-based attacks and scams to succeed, but “telephones bypass the technology and go straight to the weakest link in the chain, the user,” wrote Fraser Howard, a principal virus researcher in Sophos Labs, in a blog post.

Anytime anyone calls you about anything, verify their identity. If they ask for money, re-verify their identity, and if it’s any place where you’d have an account, call them back on their public 800 line and get transferred back to whatever department supposedly called you.

via Cyber-Criminals Cold Calling Users to Distribute Fake Antivirus Services – Security – News & Reviews – eWeek.com.

Malware Posing as Fake Desktop Utilities Instead of Phony Antivirus

It is best to avoid downloading and installing software from random Internet sites that have nothing to do with PC maintenance.

The rogue products initially looked like a generic security product, addressing a range of system issues with names like HDDDDiagnostic, PCoptomizer and Privacy Corrector, according to GFI. Since then, there’ve been a series of “defragger clones” with names like UltraDefragger and ScanDisk that claim to find read/write errors on the hard disk drive, according to the blog.

The fake disk defrag and scanning utilities started showing up in mid-October, according to Deepen Desai, senior researcher from SonicWALL’s threats team. He noted that new variants are often “A/V resistant” because legitimate security products may not be able to immediately identify the files as fake. Rand Abrams, director of technical education at ESET said these variants are “not yet as popular as they will become.”

Scareware refers to software that displays legitimate-looking pop-up windows and dialog boxes claiming serious problems with the user’s computer. Often posing as anti-virus or anti-spyware software, the messages list several malware infections and scare the user into purchasing anti-virus software immediately to fix the problem. Some known variants mimic Microsoft Security Essentials or McAfee, while others have real-sounding names such as Security Tools or Pest Detector.

via Malware Posing as Fake Desktop Utilities Instead of Phony Antivirus – Security – News & Reviews – eWeek.com.

Malware Infects More than 1.2 Million Web Sites

Please keep your servers patched and public-facing code clean.

More than 1.2 million Web sites were infected by malware in the third quarter of 2010, according to security firm Dasient. This includes legitimate sites belonging to government agencies and “malvertisements,” or malicious advertisements.

More than 1.5 million “malvertisements”—or ads and widgets whose sole purpose is to spread malware—were served online per day, according to Dasient’s data. This number includes both drive-by-downloads and fake anti-virus, said Daswani. These campaigns are also fairly long-lived in Internet time, lasting an average of 11.1 days, according to the report.

via Malware Infects More than 1.2 Million Web Sites: Dasient – Security – News & Reviews.

McAfee: New computer virus threats reach all-time high

That’s a lotta malware! Interesting that the Macs are now in the hackers’ crosshairs; no mention if those will target the FreeBSD/Linux/UNIX world at large, or if it is specifically Mac-oriented.

New data released by security vendor McAfee Inc. shows that the amount of malware in the wild has never been higher, and while a large portion of it is being thwarted successfully, Mac users may face an increased risk.

In its McAfee Threats Report: Second Quarter 2010, McAfee Inc. notes that the first half of 2010 has been McAfee’s most active six-month period for malware protection updates, and in this past quarter alone, malware in the wild reached its highest levels ever, with 10 million new pieces of malware discovered, up from 1 million in Q1.

Attackers’ desire for money and data are the two biggest reasons for this increase, according to Dave Marcus, security research and communications manager at Santa Clara, Calif.-based McAfee.

“Even though there’s more malware than ever before, we’re actually identifying more malware than ever before, so it’s a way of saying that we’re keeping up with the bad guys,” Marcus said.

Portable storage devices were the most popular targets for malware and related new computer virus threats. Everything from traditional storage keys to digital picture frames and cameras, Marcus said, is now being affected by malware.

The report also offered a warning for Mac users. Until now, Mac users have had little malware to deal with. But a new Trojan mentioned in the report specifically targeting Macs, HellRTS, may be a harbinger of what’s to come.

via McAfee: New computer virus threats reach all-time high.