Symantec Blogs: Security Response

Hon Lau | November 16th, 2009

When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.

[Image: okps_blog_search_results.png (sample search results)]

The key to identifying malicious pages in the search results is...

Hon Lau | October 14th, 2009

Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. Initially the campaign kicked off with a story from “your administrator” about some server upgrade that requires you to download and execute a patch to ensure that your computer continues to work properly:
 
Subject: Important - Read Carefully
Email Body:
Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer...

Hon Lau | September 30th, 2009

An unfortunate side effect of any newsworthy disaster in the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) recorded last night off the coast of Western Samoa, and the tsunami that followed it, caused much destruction and loss of life on the islands near the epicentre of the quake. As with any large-scale disaster that quickly becomes a major news event, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information for many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available, and because of this they are also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...

Hon Lau | September 15th, 2009

Yes folks, the Bredolab crew is at it once again. Today we saw a moderate wave of spam email, numbering a few thousand per hour. Not to be drawn to the depth of exploiting the death of Patrick Swayze to deliver their malware, the Bredolab gang is still adapting old reliable—spam email messages with promises of undelivered parcels and cash for collection. Depending on whether the delivery is for cash or for a parcel you will get a slightly different message, although the attachment names are much the same as one another, following a distinct pattern.

For parcel deliveries you might see something like the following example:
 

Subject:
= ?koi8-r?B?REhMIERlbGl2ZXJ5IHByb2JsZW0guT[UP TO 6 RANDOM CHARACTERS]?=
 
Body:
Dear customer!
 
Unfortunately we were not able to deliver the postal package sent on the 24th of June in time
because the recipients address is inexact.
Please...

Hon Lau | September 14th, 2009

Tennis is a huge sport worldwide, and yesterday was the women's semi-final of the US Open, in which Serena Williams lost out to her rival due to a foot fault. To cut to the chase, Ms Williams went on to deliver a verbal volley against the line judge, something about shoving tennis balls … somewhere. The exchange was caught on live video footage and many copies are currently doing the rounds on the Internet. The interest that this incident has stirred provided the spark needed to ignite yet another SEO campaign to spread malware. In this case, the malware is encountered when you search for terms such as "Serena Williams Outburst".

Search results

One of the sites returned from the search goes to a domain named pixnat.com. This looks like another case of a hacked web site being used to host fake AV scanners...

Hon Lau | July 10th, 2009

Not content to let the Dozer and Koobface guys have all the fun, the Ackannta crew has unleashed another new variant on the unsuspecting masses. Today we saw in our spam traps a new variant of Ackannta, for which we have added detection as W32.Ackannta.G@mm. Ackannta is a family of mass-mailing worms that also copy themselves to removable drives. In past email campaigns it has been noted to use well-known brand names and big news items (such as the recent Michael Jackson story) in order to trick users into opening it.

At this time we are seeing this worm being sent out through emails in low numbers. The emails have the following characteristics:

Subject:
 Jessica would like to be your friend on hi5!

Body:
 The email body is written in HTML and is a poorly made copy of the...

Hon Lau | March 24th, 2009

Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo. Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter. This Trojan performs a search in the My Documents folders of your hard drive for files with the following extensions:

...

Hon Lau | January 16th, 2008

No sooner had my colleague Silas commented that we should expect to see a new attack from the Storm worm authors than we saw a new wave of spam emails with links to variants of Trojan.Peacomm.D.

The emails are short and to the point, containing a brief message, followed by a URL. Should the user click on the URL, they will be directed to a site that looks like this:

[Image: Stvalentines2008.jpg (the site the URL leads to)]

The subjects and bodies we have seen so far include the following (many are recycled from the Storm worm's 2007 Valentine's Day campaign):

• A Dream is a Wish
• A Is For...

Hon Lau | November 17th, 2007

Personal threats have been used in various guises over the years to entice people to perform different actions, such as opening and running email attachments. We have seen before the infamous Assassin emails that purported to come from a hired hit man who offers you a last chance to save your life, at a price.

Now we see another variation on this theme; the trick used this time is that of a hired sleuth who is watching and listening in on your personal activities. The email sender claims to have been hired to watch you and, just like the hired assassin we have seen before, this super sleuth turncoat is offering you a chance to know who hired him and perhaps a chance to stop the spying. To prove his bona fides he offers you proof of his detective work in the form of a recording of your phone calls. The alleged recording is supplied in a password-protected RAR file. As it turns out, the RAR file...

Hon Lau | August 20th, 2007

Ever since the first Trojan.Peacomm samples literally blew in from nowhere back in January 2007, the gang responsible has been constantly evolving its Trojan with new features, new packers, and new techniques for spreading it.

The thing that can be noted about the Peacomm gang is that they are very much adept at the art of social engineering. The original Trojan was propagated widely on the back of a story about a violent storm that blew across Europe, and hence the moniker. Since then the gang behind the Trojan have explored all different manners of social engineering avenues and subjects.

In particular they had a knack for latching on to the latest news-worthy events and capitalizing on the public...

Hon Lau | March 27th, 2007

Following the arrest of Jun Li (creator of the W32.Fujacks or "Panda" worm) by the Hubei Police on February 3rd, the police promised to make an example of the virus author. To that end, the police announced in early February that they were going to have the virus creator write a program to remove this virus and repair the damage done by it.

On March 27th we obtained a copy of the removal tool created by Li. Naturally we were curious about the effectiveness of the tool against the variants of the threat that were found in the wild.

When the tool is executed, the user is presented with a message from Li himself:

[Image: FujacksFixtool.jpg (message displayed by the removal tool)]

The message contains an apology and an explanation that he created the worm for research. He ends with a warning to beware of future threats (from others), and to take the necessary...

Hon Lau | February 23rd, 2007

Today we received samples of a Japanese Trojan called Trojan.Pirlames, which masquerades as a Windows screen saver file. This Trojan is likely to be spread through file-sharing networks such as Winny, which is highly popular in Japan. We have seen the following file name being used so far:

Master of epic the animation age OP∩+ Miracle Episode I (MP3 128kbps ⌠-⌠TΓWΓΓΓPΓbΓg≥t).zip[MANY SPACE CHARACTERS].SCR

When executed, the Trojan will display an image that warns the user against the use of Winny. One example contains a message that roughly says: "Even though Mr Kaneko (Creator of Winny) was found guilty, you are still using Winny. I really hate these kinds of people."

[Image: p2.jpg (image displayed by the Trojan)] ...

Hon Lau | September 15th, 2006

In a recent blog, I mentioned that Office documents were a great place to hide malware in order to maximize its chances of distribution. This time I want to draw attention to the fact that the Windows Registry is also a handy reference tool for some Trojans.

A Trojan will usually drop another copy of itself, or a component, as part of the installation process to try and throw users off track. So, typically, a Trojan would run and, as part of its installation process, drop a copy of itself under another filename in, say, the Windows System folder, and modify the registry so that it runs at every restart of the computer.

The goal of any effective profit-making malware is to get installed and run undetected for as long as possible to try and maximize the profit-making window. Many angles of attack and stealth have been explored by malware authors over the years. Some are high tech, as we see with rootkits. Some are low tech, such as in...

Hon Lau | August 30th, 2006

Software engineers, just like any other professionals, are always on the lookout for a faster, better, and cheaper way of getting the job done. In the construction industry you can use pre-cast concrete and timber frames to speed up production. Likewise, in the systems engineering world you can use code generators and CASE tools (and the like) to make things easier. So, it comes as no surprise that malicious software creators have also been building tools and aids to help them become faster and better.

Many years ago, building a useful and profitable piece of malware required a fair amount of skill and knowledge of the systems being targeted for attack. The lack of handy tools, together with a limited target group for the malicious code, made it difficult to make any easy money out of writing malicious code. Unfortunately, those days are long gone. Today, it doesn’t take much skill to produce, distribute, and maintain a large collection of deployed...

Hon Lau | August 28th, 2006

Currently, exploits are the flavor of the month as far as malicious code authors are concerned. However, in recent days we have seen a few variants of a new mass-mailing worm called W32.Stration@mm successfully spreading on a moderate scale over the Internet. For some time now we have observed fewer and fewer new instances of mass-mailing worms, so it has now become a bit of a novelty to see that somebody is still willing to invest time and effort into creating a worm that uses this method as the primary means of propagation.

Mass-mailing worms have been around for a long time and people have, by and large, learnt to defend themselves more effectively against them. In the fight back, many administrators now block certain attachments on the gateway; some may apply email filtering such as...