November 2008 - Posts

Nov23
by Jonathan Leopando (Technical Communications)

Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit.

Advanced Threats Researcher Ivan Macalintal found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google:

Figure 1. Fake HouseCall search result.

Clicking on this link brings up the fake scanner:


Figure 2. The software supposedly performs a system scan.

Figure 3. It warns users of bogus malware infection.

Not surprisingly, the system scan is completely fake. In reality, the page linked from the initial Google search result, along with other pages on the same domain, all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat.

ADW_FAKEAV also connects to a remote website and downloads another adware program detected as ADW_FAKEAV.O, so over the course of this process victims are exposed to further adware threats.

The sites hosting this adware are already blocked by the Trend Micro Smart Protection Network.

Solutions for the cleanup and removal of ADW_FAKEAV and ADW_FAKEAV.O are also provided by this technology.

This would not be the first time our products’ names were used in malicious operations. The following blog entries are about other threats that did that:

Trend Micro advises all users to go to our website for information on the products and services we offer.

Being too helpful Posted by Mikko @ 18:41 GMT

Here's a screenshot of a site:


It's a phishing site using Google AdWords as the lure.

What it really tries to do is to steal your Google AdWords account username and password.

And your credit card number.

Now look again. Look at what the browser is offering.


No thanks, I'd rather not save my password for this site, thank you very much.

Windows Vista "CreateIpForwardEntry2()" Memory Corruption Vulnerability

Secunia Advisory: SA32791

Release Date: 2008-11-24

Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Unpatched
OS: Microsoft Windows Vista

Description:
A vulnerability has been reported in Microsoft Windows Vista, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the "CreateIpForwardEntry2()" function not properly limiting the length of the IP address prefix of the destination IP address passed via the "MIB_IPFORWARD_ROW2" structure. This can be exploited to cause a buffer overflow and e.g. crash a vulnerable system.

Successful exploitation requires that the attacker is a member of the "Network Configuration Operators Group".

The vulnerability is reported in Microsoft Windows Vista Enterprise (32 bit and 64 bit) and Microsoft Windows Vista Ultimate (32 bit and 64 bit). Other versions may also be affected.

Solution:
Only add trusted users to the "Network Configuration Operators Group".

Provided and/or discovered by:
Marius Wachtler, Michael Burgbacher, Carson Hounshell, Michael Craggs, and Thomas Unterleitner of phion AG

Original Advisory:
http://marc.info/?l=bugtraq&m=122711627932563&w=2

Nov22
by Florabel Baetiong (Anti-spam Research Engineer)

Email messages supposedly sent by the popular department store chain Wal-Mart promise recipients a rather large amount of money simply for participating in a survey. The messages also state that the money will be credited to the respondent’s account once the survey has been completed. Here’s what the spammed message contains:

Congratulations!

You have been selected to take part in our quick and easy 9 questions survey
In turn we will credit $90.00 to your account - Just for your time!

The survey has been sent only to a few people from our random generator !

Please spare two minutes of your time and take part in our online survey
so we can improve our services.

Don’t miss this chance to change something.

To participate in this survey, Click Here

With the information collected we can decide to direct a number of changes to improve and expand our online services

Note:
-If you received this message in your SPAM BULK folder, that is because of the restrictions implemented by your ISP
-For security reasons, we will record your ip address, the date and time.
-Deliberate wrong imputs are criminally pursued and indicted

Copyright 2008 Wal-Mart Stores, Inc. All Rights Reserved.

Survey ID

WWLEKFTSYXDYVLUOSDMVCBRJEXCXCIRWTTFHDQ

A link to the “survey” is provided in the message. This is definitely a scam as Wal-Mart has no such survey, and is not paying potential victims of this scam $90 to answer nine questions. Spammers added some notes to make the email message more believable though. Warnings are written at the bottom of the mail such as the recording of the respondent’s IP address “for security reasons” and the more threatening “deliberate wrong inputs are criminally pursued and indicted.” Email messages are also marked High Priority.

Clicking on the link leads users to the phishing site.

Scammers again seem to be exploiting the shopping frenzy that comes with the holidays. Christmas and Thanksgiving related Web threats often prey on users’ enthusiasm for purchasing products whether online or not. Several Trend Micro blog entries also document other spamming operations that have similar social engineering techniques:

The Trend Micro Smart Protection Network already blocks this email message, keeping users away from the phishing website. Non-Trend Micro users are advised to not participate in surveys that come from unsolicited messages. Not clicking links in unwanted messages, or those from suspicious senders also keeps systems safe from threats.

Nov22

WinCE Malware Blackens Phone Wallpapers

by Jake Soriano (Technical Communications)

Making its way back into the wild is a WinCE malware that infects Windows Mobile phones. Detected by Trend Micro as WINCE_CRYPTIC.A, this new variant uses the same old routines that made WinCE malware notorious before.

Advanced Threats Researcher Jamz Yaneza says it works as a typical companion virus because it stores the infection code in a separate file. Typical viruses infect files directly, but WINCE_CRYPTIC.A does not. Instead, it creates “companion” files that use the same file names as the files on the infected mobile phone’s storage card. These companion files contain the infection code, and when users open the files on the storage card, the malicious files run first.

So in essence it does not infect files themselves; the changes it makes come from the malware’s polymorphic engine. Yaneza adds that the file could actually be considered a Trojan with some polymorphic functionality. Companion viruses do this to avoid detection. Users are tricked into thinking they are still running a legitimate application when in fact they are already executing the malware.

Users however, will notice changes in their infected mobile phones as WINCE_CRYPTIC.A changes the text and background colors of the affected device. Here are some screenshots:


WinCe malware changes a mobile phone’s display colors.

The malware may be distributed through memory cards. It may also be hosted on malicious websites and may arrive on mobile phones through downloads. Yaneza believes that document sharing via infrared or Bluetooth could also be a possible avenue for infection, as remote malicious users could easily pass on documents when these interfaces are left switched on.

With more users adopting Web-enabled mobile devices, malware authors are quick to adapt. From spam to ransomware, cybercriminals are exploiting mobile phone usage as a new avenue for profit. Interestingly, this malicious software deviates from the usual schemes, such as those that use Symbian malware to extort money from affected users. Symbian malware is notorious for locking phones and then asking users for money so the affected phones can be fixed.

WinCE malware in the past did not have this routine. Our researchers believe that creators of this new WinCE malware are testing the waters for a bigger threat on mobile devices.

The following mobile phone models may be affected by WINCE_CRYPTIC.A:

  • Windows Mobile 5.0 Smartphone
  • Windows Mobile 5.0 PocketPC/PocketPC Phone Edition
  • Windows Mobile 6.0/6.1 Classic
  • Windows Mobile 6.0/6.1 Standard
  • Windows Mobile 6.0/6.1 Professional

The Trend Micro Smart Protection Network already detects WINCE_CRYPTIC.A and provides solutions for its cleanup and removal. Trend Micro meanwhile advises users to not download phone applications from unknown locations on the Web. WINCE_CRYPTIC.A itself does not run on PCs but files may be downloaded from there to mobile phones. Beamed applications and documents should also be handled with caution. The US National Institute of Standards and Technology also provides guidelines on mobile phone security.

Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated attacker on Windows 2000, Windows XP, and Windows 2003. However, it is not exploitable on default configurations of Windows XP because the Windows Firewall blocks connection attempts to the required RPC interface. If the firewall is disabled, or the firewall is enabled but file/printer sharing is also enabled, then the issue is remotely exploitable on Windows XP. An attacker would need to authenticate to Windows Vista and Windows Server 2008 in order to exploit this issue.

Several public exploits are currently available that leverage this issue. Typically an exploit needs to be reliable for a worm to incorporate the exploit into its propagation routines. The nature of this vulnerability made it difficult for exploit authors to construct a single exploit that would successfully leverage the issue for all versions of Microsoft Windows at once. So, exploits were released that targeted specific versions of Microsoft Windows first, and the first public exploit to surface that wasn't a simple crash proof-of-concept leveraged the issue on Microsoft Windows platforms that were localized for traditional Chinese markets. Over the past month, exploit authors have discovered far more reliable methods to exploit this vulnerability and have released more stable exploits. The most reliable public exploit is incorporated into the Metasploit Framework—it contains many configurations that can be used to leverage this issue for a large array of Windows versions.

When we first noticed worm-like malicious applications exploiting this vulnerability they were using the primitive exploits that were available at the time. In other words, exploits that targeted Chinese Windows systems. However, over the last 24 hours we are observing a new worm. It exploits MS08-067, but it uses the routine from the Metasploit Framework to universally exploit computers that are running Microsoft Windows 2000. The worm targets TCP port 445 to exploit the issue, and if it successfully exploits the issue, the worm then creates an HTTP server on the compromised computer on a random port, for example:


http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]


The worm then sends this URL as part of its payload to remote computers. Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

We are currently observing an increase in IPs generating activity over TCP port 445 and we believe that this activity is at least in part related to the propagation of this malicious code:


SANS is also reporting a spike in activity on TCP port 445. However, this was not the main reason behind our ThreatCon update. The aggressive propagation of this malicious threat in our honeypot network was the main reason behind the update. We decided that the activity was significant enough to remind our customers of the importance of installing the MS08-067 updates. Symantec antivirus currently detects this threat as W32.Downadup, so please make sure that your antivirus software is up to date.

We also recommend that the following mitigating strategies are applied:

•    Block access to TCP port 139 and 445 at network perimeters.
•    Ensure that computers that are connected to the network have host-based firewall software installed.
•    Ensure that antivirus software is installed on all clients connected to the network and that the software is up to date.

And, please install the update from MS08-067 as soon as possible. Microsoft has suggested a number of additional workarounds in the security bulletin, such as disabling the browser service. We advise customers to review their suggestions as well.
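As an added example, not part of the Symantec post: a Python script that turns the two observations above (a spike in hosts generating TCP 445 activity, and victims fetching the worm from an http://[IP]:[random port]/[random string] URL) into a check over constructed firewall and proxy log lines. The key=value log format, the fan-out threshold and the sample lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall/proxy log lines (not from the original post).
# The key=value format is assumed; adapt parse_line() to your own log source.
SAMPLE_LOG = """\
2008-11-21T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp action=allow
2008-11-21T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=445 proto=tcp action=allow
2008-11-21T10:00:02 src=10.0.0.5 dst=10.0.0.11 dport=445 proto=tcp action=deny
2008-11-21T10:00:02 src=10.0.0.5 dst=10.0.0.12 dport=445 proto=tcp action=allow
2008-11-21T10:00:03 src=10.0.0.7 dst=10.0.0.9 dport=445 proto=tcp action=allow
2008-11-21T10:00:03 src=10.0.0.7 dst=10.0.0.9 dport=139 proto=tcp action=allow
2008-11-21T10:00:05 src=10.0.0.9 url=http://198.51.100.23:5189/xkqpwzlf method=GET
2008-11-21T10:00:06 src=10.0.0.8 url=http://www.example.com/index.html method=GET
2008-11-21T10:00:07 src=10.0.0.12 url=http://198.51.100.23:5189/xkqpwzlf method=GET
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# A bare IPv4 host with an explicit port and an opaque alphanumeric path: the
# http://[IP]:[RANDOM PORT]/[RANDOM STRING] shape the post describes.
CALLBACK_RE = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/([A-Za-z0-9]{6,})$")


def parse_line(line):
    """Return the key=value fields of one log line as a dict (timestamp dropped)."""
    return dict(KV_RE.findall(line))


def find_smb_scanners(log_text, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on TCP 445.
    One host fanning out over 445 is the propagation pattern described above;
    denied attempts count too, since the fan-out itself is the signal."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dport") == "445" and rec.get("proto") == "tcp":
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_callback_downloads(log_text):
    """Web requests whose URL is a bare IP, non-standard port and opaque path.
    Returns a list of (client, server_ip, port, path)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        m = CALLBACK_RE.match(rec.get("url", ""))
        if m and m.group(2) not in ("80", "443"):
            hits.append((rec["src"], m.group(1), int(m.group(2)), m.group(3)))
    return hits


def correlate(log_text, min_targets=3):
    """Hosts that were contacted on 445 by a flagged scanner and then fetched a
    callback URL: the exploit-then-download sequence the post describes."""
    scanners = find_smb_scanners(log_text, min_targets)
    scanned = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("src") in scanners and rec.get("dport") == "445":
            scanned.add(rec["dst"])
    return sorted(client for client, *_ in find_callback_downloads(log_text) if client in scanned)


if __name__ == "__main__":
    print("445 fan-out:", find_smb_scanners(SAMPLE_LOG))
    print("callback downloads:", find_callback_downloads(SAMPLE_LOG))
    print("likely newly infected:", correlate(SAMPLE_LOG))
```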


* Update


Symantec IPS will detect and block this attack with the following signatures:


•    MSRPC Server Service Buffer Overflow
•    RPC Server Service BO2

Message Edited by SR Blog Moderator on 11-25-2008 04:37 AM

Malware in Lenovo


Costin, November 21, 2008 | 21:37 GMT

Some of you might have seen the blogpost that our colleague Ryan Naraine has put at ZDNET about malware being distributed along with a pack of Lenovo Thinkpad drivers.

Here are some more details on that story. Working together with fellow researchers at Microsoft, we discovered a URL that pointed to a file on IBM’s FTP site that looked like a false positive, so we sent them a ‘heads up’ message.

Careful analysis of the file, which was named ‘q3tsk04us13.exe’ (Lenovo Trust Key Software for WinXP) showed that the file in question did indeed contain a virus named Virus.Win32.Drowor.a. Luckily, the virus was broken and it didn’t work.

Naturally, we've notified IBM immediately – and IBM took the file offline.

We’d like to salute IBM's prompt response and to thank our friends at MS for their initial analysis!

More on Autorun-Based Malware


Earlier, my colleague Vinoo Thomas blogged about “The Rise in Autorun-Based Malware” and about a method employed to disable such malware from executing that uses the gpedit.msc tool.

I briefly want to add a couple of points to this:

The Group Policy Editor (gpedit.msc) is a tool provided by Microsoft, and is used to modify various system settings. One such setting is the ability to turn off the autoplay feature.

Changes made using this tool eventually get applied in the Windows registry. For example, when a user modifies settings related to autoplay using the group policy editor, it will be reflected in the following location in the registry:

HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key: NoDriveTypeAutoRun

Now, here’s the interesting part. The Group Policy Editor is not available to users of Windows XP Home Edition. Those users would need to manually edit the registry, install TweakUI (a tool available in the PowerToys suite), or download a third-party tool to disable this feature.

Isn’t it odd that Microsoft makes a home user manually edit the registry to turn off this feature, yet it provides a tool for administrators using XP Professional?

I can understand the growing concern many are having with the use of removable devices. There has been a known bug in the NoDriveTypeAutoRun subkey value, which allows any changes made to this subkey to revert to its default value.

Of course, the default value enables the autoplay feature to function in all its glory.

All hope is not lost, though, as I managed to find a fix. Save the following text as a .reg file and import it into the registry. And, as always, remember to back up your registry before doing this.

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Apparently, this registry value prevents Windows from taking actions based on the Autorun.inf file.

If you are a McAfee VirusScan customer, you could create a custom Access Protection Rule to block the execution of files named autorun.inf. Many autorun worm variants are detected by McAfee as W32/Autorun.worm.dw.

Finally, Microsoft should implement this autorun feature (which is now exploited by malware) in a more efficient manner. My Ubuntu machine, which has Wine installed, can run Windows executables and has the same autoplay feature as Microsoft does, but with one BIG difference:

Ubuntu Autorun

When a removable device with an autorun.inf file is inserted into my Ubuntu machine, it recognizes that the autorun.inf file is trying to run an executable and asks for confirmation. Now, that’s what I call prioritizing the user’s security needs!

Some rogue antivirus applications are overtly malicious. XP Antivirus 2008 and XP Antivirus 2009 have numerous affiliates utilizing rootkits and plenty of other nasty techniques in order to get themselves installed (and purchased). They're a real pain in the… neck.

As an interesting aside – XP Antivirus 2008 and XP Antivirus 2009 are actually produced by two different gangs. Variants of one sometimes attempt to uninstall and disable the other.

Then there are some "rogues" that are just kind of sad… we're tempted to call them lame-ware rather than scareware.

Last week, someone calling himself "Mirando" submitted this to our moderated comment system:

Search-and-Destroy Antispyware

What are the odds that such a comment, promoting a dubious application, will be approved by us? Not likely.

This is how the search-and-destroy .com site appears:

Search-and-Destroy

The site just uses a simple Flash graphic for basic animation; there are no fake "scans" that attempt to scare the visitor. It's all very quiet, relying perhaps on its name.

This application, search-and-destroy, should not of course be confused with Spybot Search & Destroy, a well known and respected antispyware application.

We downloaded and tested the Search-and-Destroy Antispyware application.

First it prompted a warning that there were zero risks.

Startup Risk

Then we performed the scan and there were 159 "problems" discovered. All 159 were not fixable in the trial version.

Scan Finished

Within the "malicious threats" that were discovered, were invalid shortcuts.

Threat Details

True, the links were invalid, but that's hardly a threat.

So we uninstalled the application, and it left behind a registry key:

After Uninstall

Typical. The scan warned us about invalid shortcuts, and then it leaves behind an invalid registry key.

Mirando has posted to other forums as well.

Comments

Based on the IP address used when posting to our comments system, Mirando lives in New Delhi, India. We suspect that he's young and that these posts are early attempts at making money via an affiliate program.

We hope that he'll consider quitting while he's ahead, and doesn't move on to the hard-rogues.

The Rise in Autorun-Based Malware


Most folks associate computer viruses and other prevalent malware with the Internet. Not quite. The earliest computer threats came from the era of floppy disks and removable media. However, with the arrival of the Internet, email and network based attacks became the preferred vector for hackers to spread malicious code and the issues with removable media took a back seat.

Over the years, floppy disks have been replaced by thumb drives, portable hard drives, flash media cards and other forms of removable data storage. These removable devices of today can hold 10,000 times more data than yesteryear’s floppy disks. Not only can they store more data, today’s removable storage devices are smart, with the ability to run portable software programs or boot an entire operating system.

Given the popularity of removable storage media, virus authors were quick to realize its potential as an infection vector. And they are greatly aided by a convenience feature in operating systems called “Autorun” that exists to automagically launch the content on a removable disk without any user interaction.

McAfee Avert Labs has observed an alarming increase in malware using autorun as an infection vector. In addition to traditional autorun worms that used this feature, pure-play backdoors, password stealers, common Trojans and even parasitic viruses that previously required a user to double click an executable file in order to infect a system have started incorporating the autoplay technique to spread.

To give an example of how rampant the problem of autorun malware in the real world is, shown below is the McAfee global virus map which tracks statistics of infections observed by McAfee users world wide.

McAfee Virus Map

Generic!atr is a McAfee antivirus detection for the configuration file (autorun.inf) in which the path to the malware executable that is to be autoplayed is specified. This detection has been observed on over two million files in the last 24 hours and has been in the top five detections globally ever since the signature was added to the McAfee DAT files. What is shown above are detections seen only on computers with McAfee antivirus installed, where those users have opted into reporting their detections. When you take into account the millions of computers on the Internet and other vendors’ detections of autorun-based threats, one understands how rampant the problem is.

Why is autorun as an infection vector so popular especially with machines running the Windows operating system? The fact is autorun is enabled by default on all flavors of Microsoft Windows including the latest versions of Windows Vista and Windows Server 2008. A user only has to insert a removable disk into an infected machine running Microsoft Windows and the malware would autocopy itself and infect the disk without any additional user interaction. And this self sustained cycle continues unabated every time the disk is inserted into a new machine.

So what can a user do to protect themselves against autorun based malware? The autorun feature can easily be disabled via the Windows group policy editor. If you’re a system administrator, it makes sense to disable autoplay via Active Directory and push this policy to the entire enterprise. Prevention is always better than drastic bans of USB disks & drives, although it makes you wonder why Microsoft can’t *fix* this ill-used feature in their next Windows update ;-)

Increase in USB-Based Malware Attacks

 

Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term “USB flash drive,” a USB flash drive is typically a removable portable storage device that uses a USB (universal serial bus) port to interface to a computer. USB ports are part of most modern computers and they are designed to allow many peripherals to be easily connected (plug-and-play) to a computer through a standardized interface. These USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace.

The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate simply by making a copy of themselves on all drives that are attached to a computer. The portability of the USB device and its small form factor can also make it easy for attackers to plug it into computers that they have limited physical access to, potentially granting them remote access at a later time.

At the moment, there are two popular methods that malicious applications use to infect USB flash drives:

Simple file copy method

With this method, a malicious application that is installed on an infected computer simply makes copies of itself to all storage devices that are attached to the infected computer. A copy of the malicious code will be placed on network shares, local drives, and removable media (such as USB flash drives) that are connected to the computer. Usually the malicious application will also attempt to copy itself to peer-to-peer (P2P) file-sharing shared folders as well. With this method, a malicious file is often named with a sensational filename to lure a victim into launching the file and causing malicious code to be executed. Quite often there are familiar file icons such as Microsoft Windows icons for videos and images that are used to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file from their computer to become infected.

AutoRun.inf modification method

Microsoft Windows and some other operating systems have a functionality that is called “AutoRun” (sometimes also referred to as Autoplay). AutoRun functionality is basically designed to perform some actions that are automatically executed when removable media is inserted or removed from a computer.

On Microsoft Windows platforms, “autorun.inf” is the file that contains instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to use a certain type of icon; add menu commands; and among other things, start an executable.

With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer.
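As an added example that is not part of the Symantec post (or of the McAfee posts on autorun earlier on this page): a small Python parser for the autorun.inf format just described. It lists every directive that would launch a program, which is the information a confirmation prompt of the kind the Ubuntu screenshot above shows would need, and the information the Generic!atr signature keys on. The two sample files are constructed, and the list of executable extensions is an assumption.

```python
import ntpath
import re

# Constructed autorun.inf samples (not taken from any real infection).
BENIGN_INF = r"""
[autorun]
icon=setup.exe,0
label=Vendor Install CD
open=setup.exe
"""

WORM_LIKE_INF = r"""
; junk comment before the section
[AutoRun]
open=RECYCLER\x3k8z.exe
shell\open=Open
shell\open\Command=RECYCLER\x3k8z.exe
shell\explore\command=RECYCLER\x3k8z.exe
shellexecute=RECYCLER\x3k8z.exe
UseAutoPlay=1
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Extensions Windows runs as code rather than opening as a document (assumed list).
EXECUTABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}


def parse_autorun_inf(text):
    """Return the key/value pairs of the [autorun] section with keys lower-cased.
    Tolerant of comments, blank lines and mixed-case section and key names."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Every command the file asks AutoRun/Explorer to execute, as (directive, command).
    'open' and 'shellexecute' fire on insertion; shell\\<verb>\\command fires from the
    drive's context menu or on double-click, which is why worms set all of them."""
    targets = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append((key, value))
    return targets


def command_program(command):
    """The program part of a command line, ignoring arguments."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def assess(text):
    """Summary a confirmation prompt could show before the file is honoured."""
    entries = parse_autorun_inf(text)
    targets = launch_targets(entries)
    programs = sorted({command_program(cmd) for _, cmd in targets})
    runs_executable = any(ntpath.splitext(p)[1].lower() in EXECUTABLE_EXT for p in programs)
    return {
        "label": entries.get("label", ""),
        "programs": programs,
        "runs_executable": runs_executable,
        "directives": len(targets),
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("worm-like", WORM_LIKE_INF)):
        print(name, assess(sample))
```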
Increasing trend of drive-infecting malicious code

Symantec has recently observed that both of the above methods are becoming an increasingly popular propagation method for malicious code. We have noticed the following percentile increase in several pieces of malicious code that Symantec antivirus currently blocks:


This trend is substantiated in vol. XIII of the Symantec Internet Security Threat Report (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):

"In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. As stated in the “Malicious code types” section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector.
This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques.”

How to mitigate this threat

There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:

•    Ensure that antivirus software is up to date.
•    Disable AutoRun functionality for removable media, which should be possible using endpoint security systems. For personal computers, there are many detailed tutorials on how to disable AutoRun. Also, holding down the SHIFT key while inserting a USB flash drive can temporarily disable AutoRun.
•    If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized.
•    User education should be a priority to educate network users about these threats.

Message Edited by SR Blog Moderator on 11-20-2008 04:03 PM

Nov18
by Adrian Labiano (Anti-spam Research Engineer)

A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment.

Here’s a sample email:

Figure 1. This supposed PayPal email message warns users that their accounts may have been compromised.

It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered.

The attachment that arrives with this spam, however, does not contain a report or any similar information.

Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution.

Figure 2. Users expecting a document may be surprised to see that the file contains an executable.

Detected by Trend Micro as WORM_POISON.LA, this malicious executable has routines that are related to the (now infamous) peer-to-peer file-sharing application Kazaa.

Other PayPal-related spam runs include the following:

The Trend Micro Smart Protection Network already blocks the spammed PayPal message, keeping users’ PCs away from its malicious attachment. It also detects WORM_POISON.LA and provides solutions for its cleanup and removal. Users are strongly advised to refrain from downloading and executing files found in unsolicited email messages.


Nov18
by Sarah Calaunan (Fraud Analyst)

The Trend Micro Content Security Team just discovered a phishing attack targeting Slingshot Communications, Inc. A phishing email pretends to update a customer’s existing account. It also includes the legitimate contact number of the company to make it seem authentic.

Figure 1. Phishing email sent to users

Figure 2. The Slingshot phishing site

Slingshot Communications, Inc. is the company that pioneered the business of prepaid Internet service. It is best known for its unique, stored-value pay-as-you-go format for providing high-speed wireless Internet service to its customers. With this kind of service, unsuspecting users who think the message is a legitimate notification from Slingshot may volunteer their credentials, and the phishers can then take advantage of their accounts.

The malicious URLs used in this phishing attack are now blocked by the Trend Micro Smart Protection Network.

VirusResponse Lab 2009 Posted by Sean @ 16:24 GMT

Last Friday, we came across a rogue application, VirusResponse Lab 2009, that used a fake 404 page as part of its social engineering attack.

Many rogue affiliate sites will use script to generate animated "online scans" and then attempt to convince the visitor into downloading the rogue installer file via a pop-up dialog.

404dnswebsite .com took a different approach. Rather than producing a fake scan and prompting for a download, it instead simply hosted a fake 404 error message:

FraudTool.Win32.Agent.eh 404dnswebsite.com

If the victim fell for the trick, they would have downloaded what we detect as FraudTool.Win32.Agent.eh.

As you can see from the screenshot above, the fraud page is not at all dynamic. Even though we opened the page with Firefox on a Linux based system, the page displays the text "Internet Explorer".

The 404dnswebsite account is now suspended.

FraudTool.Win32.Agent.eh

Adobe AIR Multiple Vulnerabilities

Secunia Advisory: SA32772

Release Date: 2008-11-18

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe AIR 1.x
CVE reference: CVE-2008-4824, CVE-2008-5108


Description:
Some vulnerabilities have been reported in Adobe AIR, which can be exploited by malicious people to compromise a user's system.

1) Multiple unspecified input validation errors in the parsing of SWF files can be exploited to potentially execute arbitrary code.

2) An unspecified error may allow execution of untrusted JavaScript with escalated privileges if data is loaded from a malicious source.

The vulnerabilities are reported in version 1.1 and prior.

Solution:
Update to version 1.5.
http://get.adobe.com/air

Provided and/or discovered by:
The vendor credits:
1) Riley Hassell and Josh Zelonis, iSEC Partners.
2) Chris Weber, Casaba Security.

Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb08-22.html
http://www.adobe.com/support/security/bulletins/apsb08-23.html
