Symantec Blogs: Security Response

Hon Lau | November 16th, 2009

When trawling the Web today we came across a website that has been compromised and rigged so that it is returned in search engine results for many different search terms. The site in question belongs to a UK-based company that specializes in hiring out holiday homes and is a legitimate business. However, the site has been compromised and is being used in a major ongoing SEO-based misleading applications attack, and has been for some time now. As you can see in the sample search results below, you may wonder what college football, a Ukraine vs. Greece soccer match, Penn State basketball, and Robin Williams have to do with renting a holiday home—and with good reason, too.

[Image: sample search results]

The key to identifying malicious pages in the search results is...

Hon Lau | October 14th, 2009

Over the past few days a sustained email spam campaign has been running to distribute new Zeusbot variants. Initially the campaign kicked off with a story from “your administrator” about some server upgrade that requires you to download and execute a patch to ensure that your computer continues to work properly:
 
Subject: Important - Read Carefully
Email Body:
Attention!

On October 16, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour.
The changes will concern security, reliability and performance of mail service and the system as a whole.
For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure.

This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file
and then to run it from your computer...

Hon Lau | September 30th, 2009

An unfortunate side effect of any newsworthy disaster in the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) recorded last night off the coast of Western Samoa, and the tsunami that followed, caused much destruction and loss of life on the islands near the epicentre of the quake. As with any large-scale disaster that quickly becomes a major news event, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information for many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and, because of this, they are also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web...

Hon Lau | September 15th, 2009

Yes folks, the Bredolab crew is at it once again. Today we saw a moderate wave of spam email, numbering a few thousand per hour. Not stooping to the depth of exploiting the death of Patrick Swayze to deliver their malware, the Bredolab gang is still relying on the old reliable: spam email messages with promises of undelivered parcels and cash for collection. Depending on whether the delivery is for cash or for a parcel you will get a slightly different message, although the attachment names are much the same, following a distinct pattern.

For parcel deliveries you might see something like the following example:
 

Subject:
= ?koi8-r?B?REhMIERlbGl2ZXJ5IHByb2JsZW0guT[UP TO 6 RANDOM CHARACTERS]?=
 
Body:
Dear customer!
 
Unfortunately we were not able to deliver the postal package sent on the 24th of June in time
because the recipients address is inexact.
Please...

Hon Lau | September 14th, 2009

Tennis is a huge sport worldwide and yesterday was the women's semi-final of the US Open, in which Serena Williams lost out to her rival due to a foot fault. To cut to the chase, Ms Williams went on to deliver a verbal volley against the line judge, something about shoving tennis balls … somewhere. The exchange was caught on live video footage and many copies are currently doing the rounds on the Internet. The interest that this incident has stirred provided the spark needed to ignite yet another SEO campaign to spread malware. In this case, the malware is encountered when you search for terms such as "Serena Williams Outburst".

Search results

One of the sites returned from the search goes to a domain named pixnat.com. This looks like another case of a hacked web site being used to host fake AV scanners...

Hon Lau | July 16th, 2009

Web browsers have been having a real torrid time of late; it seems the only people showing them any great attention these days are those looking for new 0-day vulnerabilities. Two weeks ago we blogged about the Microsoft Video Streaming ActiveX control vulnerability (Microsoft Windows 'MPEG2TuneRequest' ActiveX Control Remote Code Execution Vulnerability – BID 35558), which can be exploited mostly through the older but still widely used versions of Internet Explorer 6 and 7. That vulnerability was quite widely used by malware in the attack involving a Trojan named Downloader.Fostrem. The Trojan in turn downloads various other bits and pieces of malware that we detect as Backdoor.Trojan and...

Hon Lau | July 15th, 2009

This is now getting a bit tedious, but the Twitter and Koobface bandwagon just keeps on tumbling down the slippery slopes. Today there are many reports of yet another variant of Koobface doing the rounds through Twitter. The tweets contain the following messages:

  • My home video :)
  • Watch my new private video! LOL :)
  • michaeljackson' testament on youtube

I had a look for some of the hacked twitter accounts myself and found a few unfortunate souls whose accounts have been hijacked to spread this malware. Here's one example I have found below. Some of the TinyURLs are pointing to the AdultFriendFinder Web site; the one below is not responding but appears to be active.

[Image: example of a hijacked Twitter account]

Other URLs are directing users to a fake video Web site that contains the usual Codec-type social engineering trick to...

Hon Lau | July 10th, 2009

Not content to let the Dozer and Koobface guys have all the fun, the Ackannta crew has unleashed another new variant on the unsuspecting masses. Today we saw in our spam traps a new variant of Ackannta that we have added detection for as W32.Ackannta.G@mm. Ackannta is a family of mass-mailing worms that also copy themselves to removable drives. The family has been noted to use well-known brand names and big news items (such as the recent Michael Jackson story) in past email campaigns in order to trick users into opening the attachment.

At this time we are seeing this worm being sent out through emails in low numbers. The emails have the following characteristics:

Subject:
 Jessica would like to be your friend on hi5!

Body:
 The email body is written in HTML and is a poorly made copy of the...

Hon Lau | March 24th, 2009

Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo. Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter. This Trojan performs a search in the My Documents folders of your hard drive for files with the following extensions:

...

Hon Lau | August 19th, 2008

Back in the 90s, Jamiroquai had a hit album named "Travelling without Moving." The title gives an apt description of some of the fantastic things that you can now do on the Internet. For example, we can now literally travel the world without moving beyond the comfort of the armchair. Applications such as Google Earth and Google Maps (with its Street View feature) enable anybody with a decent Internet connection to drop in to virtually any location on this planet.

These applications are great for planning visits: you can see exactly how far your hotel is from the train station, where there is parking, or even plot your full itinerary. You can also use these applications to get a feel for an area before you go there; for example, if you were visiting an unfamiliar area it's really useful to see what the building or location you are going to actually looks like before you get there. Addresses are sometimes hard to recognize and, as the saying goes, a...

Hon Lau | August 4th, 2008

A timely warning to those wishing to purchase last-minute tickets for the Beijing Olympic Games of 2008: beware of scams and rip-offs. There are some fake but very well crafted ticketing Web sites that have been duping unsuspecting members of the public out of their hard-earned cash by posing as legitimate suppliers for Olympic events. In particular, one such scam site (beijingticketing.com and its mirror site beijingticketing2008.com) has, according to media reports, already ripped off many individuals, some to the tune of US $57,000.

This scam site claims to be able to source tickets for sold out sporting events, playing on the fact that many Olympic event tickets are already sold out due to huge demand. I checked out the site today and found that tickets for the opening ceremony...

Hon Lau | June 19th, 2008

Most people are well aware of the potential problem posed by software vulnerabilities that are publicly announced, but many of these vulnerabilities can remain unpatched by the relevant vendors. Dealing effectively with security problems posed by software vulnerabilities is a two-way street. You count on your software vendors to quickly bring out reliable patches and once they are available, your end of the bargain is to apply them as quickly as possible. Many software vendors are attempting to address their share of the issues in relation to patch development and distribution. The problem is, many users are still slow to apply new software patches, for various reasons. It is this gap between the availability of patches and their application that is creating a window of opportunity for would-be attackers.

To add fuel to the fire, an interesting research report was recently published...

Hon Lau | February 25th, 2008

Today, Adobe officially launched their new infrastructure for delivering rich Internet applications to your desktop: Adobe Integrated Runtime, or "AIR" for short. At first glance, Adobe AIR looks like a mash-up of many of the existing Web and Adobe technologies such as HTML, AJAX, ActionScript, Flash, and Flex. By combining rich media and user interface features, and leveraging the existing expertise in these technologies, Adobe hopes to bring highly interactive and engaging Web applications to the desktop.

Technologies provided by Adobe, such as Flash, enable a multimedia developer to easily create fantastic-looking and engaging applications and deploy them across various platforms by operating within a browser environment. Adobe AIR takes it a step further by liberating these technologies and placing them within their own desktop-based environment in a similar fashion to Java or .NET. Using this approach, it can achieve a number of aims:

• Impose its own...

Hon Lau | February 9th, 2008

There has been a recent report from SANS about PDF files (1.pdf and b.pdf) containing a newly patched Adobe Reader/Acrobat exploit being widely distributed. The PDF files in question, which we detect as Trojan.Pidief.C, are believed to be spreading new variants of Trojan.Zonebac by downloading from the IP address 85.17.221.2 (at the time of writing the address is no longer reachable). Trojan.Zonebac is an old Trojan family that was discovered back in 2006; the Trojan attempts to disable security software and backs up certain executable files before replacing them with a copy of the Trojan as...

Hon Lau | January 16th, 2008

No sooner had my colleague Silas commented that we should expect to see a new attack from the Storm worm authors than we saw a new wave of spam emails with links to variants of Trojan.Peacomm.D.

The emails are short and to the point, containing a brief message, followed by a URL. Should the user click on the URL, they will be directed to a site that looks like this:

[Image: St Valentine's 2008 landing page]

The subjects and bodies we have seen so far include the following (many are recycled from the Storm worm's 2007 Valentine's Day campaign):

• A Dream is a Wish
• A Is For...