Security Response: Showing posts tagged with Security Response: Showing posts by Hon Lau

I saw something quite funny when checking out the spam feeds the other day. An attachment kept appearing, once in a while, with a name of Christmas Card.zip. It was making sporadic appearances in the feeds (and the number of spam email messages was quite low), but there were a couple of these odd messages at equally odd hours of the day:

The email message itself was a run-of-the-mill electronic greeting card with an HTML body containing a nice Flash animation—the Flash animation actually comes from a legitimate source (123greetings.com). The email body contains a message asking the user to open the attachment to see who sent the email. Of course, opening the attachment yields a malicious file. The name of the file inside is Christmas Card.htm[MANY SPACES].exe and it is already detected by Symantec as...

Those looking to see the latest 3D blockbuster movie, The Avatar, on the cheap will have to take great care in what they search for. We have become aware of at least one site that has been rigged to redirect users to a page that presents the now-familiar "play video/need codec" screen. In an unusual twist, this time it is offering a new ActiveX update rather than the usual codec or Flash player updates.

Clicking on the play button or icon will send a request to update-activex.com, which will then eventually offer you a file named along the lines of Activex_Setup[1].45158.exe from the standardmultimedia.com domain. This is now detected as Trojan.FakeAV.

In addition to this malware page...

The Koobface gang has been keeping themselves busy of late. Like Santa's little elves, they’re beavering away, creating and checking their fake Facebook and YouTube video sites and packin' it (the worm, that is) twice. The latest campaign involves posting messages on Facebook profiles, which link to either to fake video pages or a fake Facebook page. Either way you will be offered a file named setup.exe, which may be presented as a Flash Player upgrade or some kind of free antivirus to protect you from Koobface.

The lure is put forth in compromised or bogus Facebook postings. The text is largely the same, though the messages appear with duplicate letters in various parts of the posts. For example:

•    I caan't ffall asleepp affter viewwing thiss videeo. I haven'tt seenn aanything liike this
•    I can''t falll aslleep aftter viiewing thhis vvideo. I havven't seeen aanything likee thhis
• ...

When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.

The key to identifying malicious pages in the search results is...

An unfortunate side effect of any news-worthy disasters of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) last night recorded off the coast of Western Samoa and the subsequent tsunami that followed caused much destruction and loss of life to the islands near the epicentre of the quake. As with any large scale disasters that quickly become major news events, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information to many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, it is also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...

Tennis is a huge sport worldwide and yesterday was the women's semi final of the US Open in which Serena Williams lost out to her rival due to a foot fault. To cut to the chase, Ms Williams went on to deliver a verbal volley against the line judge, something about shoving tennis balls … somewhere. The exchange was caught on live video footage and many copies are currently doing the rounds on the Internet. The interest that this incident has stirred, provided the spark needed to ignite yet another SEO campaign to spread malware. In the case of this incident, the malware is encountered when you search for terms such as  "Serena Williams Outburst".

One of the sites returned from the search goes to a domain named pixnat.com. This looks like another case of hacked web site used to host fake AV scanners...

This is now getting a bit tedious but the Twitter and Koobface bandwagon just keeps on tumbling down the slippery slopes. Today there are many reports of yet another variant of Koobface doing the rounds through Twitter. The tweets doing the rounds contain the following messages:

• My home video :)
• Watch my new private video! LOL :)
• michaeljackson' testament on youtube

I had a look for some of the hacked twitter accounts myself and found a few unfortunate souls whose accounts have been hijacked to spread this malware. Here's one example I have found below. Some of the TinyURLs are pointing to the AdultFriendFinder Web site; the one below is not responding but appears to be active.

Other URLs are directing users to a fake video Web site that contains the usual Codec-type social engineering trick to...