Malware Archive

Please avoid all untrusted Happy New Year e-card links. The Shadowserver Foundation is warning of a new malicious and advanced botnet that has just been discovered and resembles the Storm Worm designs.

New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230
Those of us here at Shadowserver hope you’re having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years.

However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don’t have anything else to call it yet. What’s it involve you ask?

CHARACTERISTICS OF NEW BOTNET

Well here’s the list of what we’ve seen so far:

* Large scale Spam campaigns sending out e-mails with links
* New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
* Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
* Links are also directly to new malicious domains
* Malicious domains hosting links to fake flash player and refreshes to exploit pages
* Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
* Malware that's been updated to look a bit more legitimate than past variants
* A very buggy network that is not often available (upstream devices not available)
* Changing/Updated binaries

AVOID THESE E-CARD MESSAGES:

Let’s start with the Spam Campaign. We’ve seen a multitude of subject lines and bodies. Below you’ll find a list of subjects we’ve seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.

Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You’ve got a Happy New Year Greeting Card!
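As an added illustration (not part of the Shadowserver post), the fast-flux property in the characteristics list above, a TTL of 0 and name servers that keep handing out new IPs, can be turned into a simple triage heuristic over repeated lookups. The domain names and addresses below are constructed, and the `dig +noall +answer` line format is assumed as input.

```python
from collections import defaultdict

# Constructed sample in `dig +noall +answer` line format (name TTL class type rdata),
# as if collected from several lookups of the same names a few minutes apart.
SAMPLE_ANSWERS = """\
ecard-example.invalid.  0     IN  A   203.0.113.10
ecard-example.invalid.  0     IN  A   198.51.100.7
ecard-example.invalid.  0     IN  A   203.0.113.88
ecard-example.invalid.  0     IN  A   192.0.2.45
ecard-example.invalid.  0     IN  A   198.51.100.200
ecard-example.invalid.  0     IN  NS  ns1.ecard-example.invalid.
static-site.example.    3600  IN  A   192.0.2.1
static-site.example.    3600  IN  A   192.0.2.1
static-site.example.    3600  IN  A   192.0.2.1
"""

def parse_a_records(text):
    """Yield (name, ttl, ip) for each A record; other record types and blank lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        yield parts[0].rstrip("."), int(parts[1]), parts[4]

def summarize(records):
    """Per name: highest TTL seen, set of distinct IPs, set of distinct /24 prefixes."""
    stats = defaultdict(lambda: {"ttl_max": 0, "ips": set(), "prefixes": set()})
    for name, ttl, ip in records:
        entry = stats[name]
        entry["ttl_max"] = max(entry["ttl_max"], ttl)
        entry["ips"].add(ip)
        entry["prefixes"].add(ip.rsplit(".", 1)[0])
    return dict(stats)

def flux_score(entry, ttl_threshold=300, min_ips=3, min_prefixes=2):
    """0 to 3: a point each for a low TTL, many distinct IPs, and IPs spread over several /24s."""
    return (int(entry["ttl_max"] <= ttl_threshold)
            + int(len(entry["ips"]) >= min_ips)
            + int(len(entry["prefixes"]) >= min_prefixes))

def suspicious_domains(text, min_score=2):
    """Sorted names whose lookup history scores at least min_score; a triage list, not a verdict."""
    stats = summarize(parse_a_records(text))
    return sorted(name for name, entry in stats.items() if flux_score(entry) >= min_score)

if __name__ == "__main__":
    for name, entry in summarize(parse_a_records(SAMPLE_ANSWERS)).items():
        print(f"{name}: ttl_max={entry['ttl_max']} ips={len(entry['ips'])} "
              f"/24s={len(entry['prefixes'])} score={flux_score(entry)}")
    print("suspicious:", suspicious_domains(SAMPLE_ANSWERS))
```

Low TTLs and many addresses are also normal for CDNs and round-robin load balancing, so treat the score as a prompt for a closer look (who hosts the addresses, how often the NS records change) rather than a verdict.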


Once again we need to warn you about a scam involving Microsoft Security Essentials.
Security Essentials is a free antivirus program from Microsoft, available to any Windows user with a validated copy of a supported desktop version of Windows (XP SP3, Vista SP2, Windows 7). You should only download it from the Microsoft Security Essentials website.
The scammers have created a look-alike site with links to download Security Essentials, but following the links you have to create a membership with them and pay for the privilege of downloading free software. It is the same scam that I told you about in this post about Adobe Reader.
This one appears to be a different bunch of scammers, but with the same result: they will clear your credit card and sell all your details to anyone they can.
One malware researcher used their links to download Security Essentials and got a nasty trojan instead of the genuine program.

Fake Microsoft Security Essentials site

If you read carefully, you will see they do say in the tiny small print that MSE is a free program and that you are paying for the benefit and convenience of downloading it from them instead of from the approved free Microsoft site.

We stress again that http://securityessentials-2011.com is a scam site that is trying to steal your money and is not to be trusted. Only download Microsoft Security Essentials direct from Microsoft.



Following on from my previous post, the scammers are also using Skype as bait.

Fake Skype website


The fake website looks like this, and the membership page is exactly the same as shown previously.

Skype email scam

Once again, don't fall for it; only use the genuine Skype site to download Skype and update it.



Updates are about to be issued for Adobe Reader to plug security holes and vulnerabilities. The scammers have jumped in on the act and are sending emails pretending to be from an Adobe update service.

Adobe PDF scam email

If you are foolish enough to follow the links, you end up on a scam site trying to sell you an unknown PDF reader, but the sting is that you don't just download and try it, or even buy it outright. Oh no! You have to create a membership and give all your details before you even find out how much is being taken from your bank or credit card.


Don't fall for it, and only update Adobe Reader from the official Adobe site when the actual update is released (it is expected in early October 2010).
Or, of course, use an alternative PDF reader of your choice. Just be aware that PDF vulnerabilities affect all PDF readers and some might not get updated as quickly as others; just because you use an alternative doesn't mean that you are immune or safe from vulnerabilities in Adobe products.


Until fairly recently, nobody bothered changing their DNS server; everybody used the ones provided by their ISP. Today, several providers worldwide offer free public DNS service with additional features like blocking known malware sites, blocking known phishing sites and parental controls, and some even say that their services are quicker and more reliable.

Here are a few of the better known and more reliable ones. It's up to you to choose the one that has the features or protection that you want.

You will find instructions on how to change DNS addresses on their web pages.

OpenDNS
208.67.222.222
208.67.220.220

Google Public DNS
8.8.8.8
8.8.4.4

Norton DNS (Symantec Corporation)
198.153.192.1
198.153.194.1

ScrubIT (ScrubDNS Inc.)
67.138.54.100
207.225.209.66

DNS Advantage (Neustar Inc)
156.154.70.1
156.154.71.1

Comodo Secure DNS (Comodo Security Solutions Inc.)
156.154.70.22
156.154.71.22


It was brought to my attention by sUBs, a malware researcher who developed ComboFix (a tool to help remove persistent malware threats and rogue scamware from infected computers), that a fake Microsoft Malicious Software Removal Tool is spreading.
This piece of scamware is designed to imitate the genuine Microsoft tool, shows the usual fake detections, and then entices you to buy the latest rogue scamware, Shield EC Antivirus, which our good friends at Sunbelt Software have blogged about.
The last screen clearly shows that they want you to buy this useless scamware.

The installer for this piece of malware is currently detected by several antivirus products, as shown on this VirusTotal report page.

If you are unfortunate enough to be infected by this piece of scamware, it can be difficult to remove. Don't fall for all the other scams on the net saying you need to buy other software to remove it. Ask for help on our malware cleaning forum: http://thespykiller.co.uk


The Microsoft Security Response Center (MSRC) : Investigating a new win32hlp and Internet Explorer issue:

http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Hi everyone,
On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop-up dialog box. We are not aware of any attacks seeking to exploit this issue at this time and, in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected by this issue.


Security Advisory 979682 Released

Today we released Security Advisory 979682 to address an Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows. 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability.

To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.

To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications, can disable the NTVDM subsystem. Information on this workaround can be found in the Advisory.

We are not currently aware of any active attacks against this vulnerability and believe risk to customers, at this time, is limited. We continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory.

We are also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers.

Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

We will also keep customers apprised of any additional details and updates through the MSRC Blog.

Thanks,

Jerry Bryant

via http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx


http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

http://www.avertlabs.com/research/blog/index.php/2010/01/14/more-details-on-operation-aurora/

http://www.microsoft.com/technet/security/advisory/979352.mspx

I will keep you posted when I hear more.

The best advice at this time is to make sure your antivirus is updated, watch where you surf, and consider an alternative browser or set IE protection to high.

However, bear in mind that these have all been targeted attacks against specific companies and institutions, so they are less likely to affect the average user, at least until the skiddies get their hands on the exploit.

OK, if you are still using IE 6 or 7 on any version of Windows,

use the Fix it Microsoft have issued: http://support.microsoft.com/kb/979352

You do not need this fix if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions (including Windows 7). This is because Internet Explorer 8 opts in to DEP by default on these platforms.



I was notified of a Google advert for a fake WoWMatrix site. The original, genuine WoWMatrix is seen by many game players as not completely within the rules of the game.
WoWMatrix is an addon that makes it easier to update and install other tweaks and addons for your game. Obviously, using a fake version that downloads false addons and tweaks and installs them leaves you open to a lot of problems.

The advert on Google looks like a search listing, and it is only apparent on close inspection that it is a sponsored listing or advert.
