A Blackberry application called PhoneSnoop was released recently, which resulted in an advisory from US-CERT. The application allows remote users to listen in on a Blackberry user’s surroundings.
The application as seen when installed on a Blackberry
The application is actually quite straightforward and uses standard Blackberry APIs that allow the interception of incoming phone calls. When a call is received from a preconfigured phone number, the call is automatically answered and the speakerphone is engaged. Someone who has had this application installed may not notice the incoming phone call and not realize someone can now listen in on the immediate surroundings.
We’d consider this application just a proof of concept for a variety of reasons, including the author himself...
Misleading application, rogue software, fake AV: call it what you will, it’s everywhere. The authors of these applications are pumping them out by the hundreds, fooling many Internet surfers, and in the process they’re making big bucks out of it. In fact, as many of our readers will be well aware by now, it is the focus of a white paper Symantec has just released entitled Symantec Report on Rogue Security Software.
So if there are so many of these things, why should one called Windows Enterprise Defender be any different from the rest? Firstly, it tries to pass itself off as Windows Defender, which is a legitimate security product released by Microsoft. Obviously the name is similar but so is the GUI:
I came across something interesting while chasing up a fake antivirus lead the other day. As we often do here when looking for new threats, I visited the malicious URL and ran through the standard steps to download and install the risk. (Video of the threat follows below.)
It was one of those run-of-the-mill fake codec sites. You go to a page to watch a video, only it tells you that you don’t have the correct codec to watch it. You’re prompted to install a “codec”, but then bam!—an unexpected antivirus scan starts running on your computer.
In this case, while I was presented with a typical installation routine, an error message appeared at the end. This is also not uncommon, often meant to make the user think the codec failed to install, which they might believe is why they still can’t watch the video afterwards.
What was interesting was that no fake security scan appeared afterwards. However, I noticed the all-too-familiar...
Misleading applications, also known as rogue applications, have always tried to lure users into their traps by using various techniques such as fake security scans, misleading task bar notifications, popup windows, etc. To take this to a new level, developers of these applications are now frequently changing the product name and its associated website name in order to mislead users and antivirus vendors. Clones of the same product—with different names—continue to appear almost every day. Earlier this week Symantec published its Report on Rogue Security Software, which discusses misleading apps in greater detail. A couple of examples of rogue security software are given below. We identify one such family of rogue or misleading applications as WiniGuard:
Rogue security software programs, also known as misleading applications or scareware, are programs that pretend to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provide the user with little or no protection whatsoever. Well known examples of rogue security software include AntiVirus 2009, Malware Defender 2009, and System Guard 2009.
The recently published Symantec Report on Rogue Security Software includes a discussion on a number of servers that Symantec observed hosting these misleading applications from July to August 2009....
The Symantec Report on Rogue Security Software includes an in-depth analysis of the methods scammers use to distribute rogue security applications. This blog presents some of the highlights of the research into the distribution of these scams.
In the report, the following distribution and advertising trends were observed:
• Ninety-three percent of the top 50 most prevalent rogue security applications were distributed as intentional downloads. This means that victims are tricked into believing they are downloading legitimate security software and subsequently installing the rogue application.
• Seventy-six percent of the top 50 most prevalent rogue security applications were classified as unintentional downloads. This means that the software may be installed unintentionally through drive-by downloads or...
Rogue security software scams are everywhere these days. The numbers are quite staggering—over 250 distinct programs racking up 43 million installation attempts, according to our new Report on Rogue Security Software.
Still, when it comes down to functionality and code base, it’s more akin to a few people with really large wardrobes. There might be dozens of variations of the same underlying program, each receiving minor updates and a new software skin. They even use the same fake threat names when attempting to scam you—stuff like “Spyware.Monster” or “Spyware.IEmonster”.
Ultimately what we’re looking at is variety in graphic design rather than functional design. We’ve put together a video to show just that. Our report calls these threats Antivirus200X—a “family” of rogue security...
Given their financial motivations, the distributors of rogue security software scams need to affect a broad number of potential victims. Getting the program onto a victim’s computer is a critical step in rogue security software scams and the scammers use a variety of techniques to do so. While some rogue security software programs rely on just a few specific techniques to achieve this, many of them incorporate multiple techniques to improve the odds of success. The distribution techniques for rogue security software programs can be simplified into two groups: installation methods and advertising methods.
The installation methods for rogue security software can either be intentional or unintentional. Scammers who persuade victims that they need the rogue software to address security concerns lure the victims into downloading the software intentionally. This is a common approach to rogue security software installation that was used by 93 percent of the top rogue security...
In the 80’s I lived in NYC. At the time, enterprising hustlers had re-introduced the old Three Card Monte con game to NYC streets. Like wide ties and frozen yogurt shops, Three Card Monte always seemed to come back into fashion. Before you knew it, the streets were full of grifters running games. Whole blocks would be lined with these low-rent con men, standing behind cardboard boxes, tossing cards and asking the suckers to put their money on the red queen.
How could there be that many bad guys running Three Card Monte scams at one time? Well, there was plenty of money to be made, and it drew the criminal element like flies to honey. Grifters were making a lot of money at the con and every two-bit chiseler wanted their own piece of the action. Plus, there was very little needed to get in on the scam. The barrier to entry was low. You only need three playing cards, a couple of cardboard boxes for a...
An unfortunate side effect of any news-worthy disasters of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) last night recorded off the coast of Western Samoa and the subsequent tsunami that followed caused much destruction and loss of life to the islands near the epicentre of the quake. As with any large scale disasters that quickly become major news events, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information to many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, it is also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...
A lot can be said with 140 characters. It’s just enough to convey a point, but constricting enough to make things concise. No wonder microblogging sites such as Twitter have become so popular.
Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.
There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used twitter search terms, their goal is to get...
Tennis is a huge sport worldwide and yesterday was the women's semi final of the US Open in which Serena Williams lost out to her rival due to a foot fault. To cut to the chase, Ms Williams went on to deliver a verbal volley against the line judge, something about shoving tennis balls … somewhere. The exchange was caught on live video footage and many copies are currently doing the rounds on the Internet. The interest that this incident has stirred, provided the spark needed to ignite yet another SEO campaign to spread malware. In the case of this incident, the malware is encountered when you search for terms such as "Serena Williams Outburst".
One of the sites returned from the search goes to a domain named pixnat.com. This looks like another case of hacked web site used to host fake AV scanners...
Does the following screenshot look familiar to you? It sure does to us here at Symantec because it looks nearly identical to our Norton 2009 product. However, it is actually a misleading application we detect as Trojan.Fakeavalert.
The website that is used by the security risk to corral users to purchase rogue software looks suspiciously like our Norton site as well:
Besides using our brand name and Nortel's, there is another interesting trick that I thought would be worth a mention so no one gets fooled by this scam. Once infected with the security risk, the computer may suddenly explain that the user has a spyware infection and the following blue screen may appear:
In my previous post, I covered Waledac’s bootstrap mechanisms, armoring methods, and some parts of its communication protocol. Today, I will continue to discuss its communication protocol and how it implements its main functionalities through command-and-control (C&C) messages. I will describe its various tasks and commands, how it downloads components or updates, how it constructs its spam, and lastly how it acts as an infostealer.
Types of task messages
As I mentioned last time, W32.Waledac currently uses nine types of task messages. These messages are mainly used by the malware to distribute spam templates or word lists for its spam campaigns, to send reports,...
Misleading applications use various techniques such as fake security scans or exaggerated “malware found” reports to scare users to purchase their so-called solutions. To take this to next step, one such example of a misleading app—called “System Security”—is forcing users to purchase it because it can render a system nearly unusable. Once System Security is installed on a machine it terminates most of the active user processes such as Firefox, antivirus programs, Acrobat Reader, and others. Internet Explorer is spared from this list.
If the user tries to run Task Manager, antivirus software, or any other executable binary except Internet Explorer, this misleading application reports that the respective binary is infected and blocks...
...
