http://xylibox.blogspot.com/2011/07/trojanfakeavlvt.html
once you get past the colourful language from the analyst, it is a very good read & shows what we are up against. Please forgive any errors in language as he doesn’t have English as a first language
This particular one has the ability to replace your existing antivirus with itself & make you think that you are still protected when you aren’t and it installs Zero access rootkit
This is definitely something to watch out for
Online criminals know there are enough gadget hounds out there to make a scam surrounding any shiny new Apple device a surefire moneymaker. To that end, they’ve already begun sending out phishing emails for the iPhone 5.
The phishing emails appear to be official emails from Apple.com, with the title “Finally. The amazing iPhone 5. Now available in black edition.” The body of the message shows a hand holding a transparent iPhone, followed by an enticing offer to “check it out,” according to MacRumors.
Although there’s been much speculation about the next generation iPhone, Apple has not set a release date for it. In fact, Apple hasn’t even announced it yet, but that isn’t stopping this cleverly crafted Mac-themed scam from spreading.
So what are you checking out when you click the link to see the new iPhone 5?
You won’t receive any info about the smartphone, but you will enable a rigged Windows file to run malicious code on your computer. And you’ll also be taken to a phony Apple Web page that asks for your Apple ID and other sensitive information.
Apple announces new products, especially ones of this magnitude, in highly publicized press conferences. So if you receive an unsolicited email purporting to have information about the new iPhone 5, ignore it, DELETE IT WITHOUT EVEN READING IT.
story from: http://www.securitynewsdaily.com/cybercriminals-hoping-youll-bite-iphone-5-bait-0813/
This malware is quite well detected by many antivirus companies, but not all. It is a fairly standard Zapchast IRC trojan that will attempt to download lots of other crap & malware to your computer.
It also appears to try to perform a DDOS flood attack against several other competing Mirc users and channels to block their channels, so no doubt will turn out to be connected to the typical fake AV scams and stealing your money
screenshot of typical spam email
Revised updated email, showing alleged credit card charge
Results are coming in from many antivirus companies now, saying that it is a version of the spyeyes crimeware toolkit. Spyeyes is well described in this Symantec blog
The full advisory can be found on the Web at: http://www.microsoft.com/technet/security/advisory/2524375.mspx.
===========================
SUMMARY
===========================
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.
Certificates for the following Web properties are affected:
• login.live.com
• mail.google.com
•www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”
Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.
An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375 (http://support.microsoft.com/kb/2524375).
Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.
===========================
RECOMMENDATIONS
===========================
Review Microsoft Security Advisory 2524375 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ), and links to additional resources. MSRA Security Partners who are experiencing issues believed to be related to the issues described in this advisory should contact us via e-mail or by calling 888-HELPSEC with your custom Access ID.
===========================
ADDITIONAL RESOURCES
===========================
• Microsoft Security Advisory 2524375 – Fraudulent Digital Certificates Could Allow Spoofing –http://www.microsoft.com/technet/security/advisory/2524375.mspx
• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc
More details on Comodo blog
Please avoid all untrusted Happy New Year e-card links. The Shadowserver Foundation is warning of a new malicious and advanced botnet that has just been discovered and ressembles the Storm Worm designs.
New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230
Those of us here at Shadowserver hope you’re having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years.
However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don’t have anything else to call it yet. What’s it involve you ask?
CHARACTERISTICS OF NEW BOTNET
Well here’s the list of what we’ve seen so far:
* Large scale Spam campaigns sending out e-mails with links
* New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
* Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
* Links are also directly to new malicious domains
* Malicious domains hosting links to fake flash player and refreshes to exploit pages
* Malware installs that begin beaching to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
* Malware that’s been updated to look a bit more like legitimate than past variants
* A very buggy network that is not often available (upstream devices not available)
* Changing/Updated binaries
AVOID THESE E-CARD MESSAGES:
Let’s start with the Spam Campaign. We’ve seen a multitude of subject lines and bodies. Below you’ll find a list of subjects we’ve seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.
Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You’ve got a Happy New Year Greeting Card!
Once again we need to warn you about a scam involving Microsoft Security Essentials
Security Essentials is a free Antivirus program from Microsoft available to any windows user with a validated copy of a supported desktop version of windows ( XP SP3, Vista SP2 Windows 7 ) You should only download it from the Microsoft Security Essentials website
The scammers have created a look a like site with links to download Security Essentials BUT following the links you have to create a membership with them & pay for the privilege of downloading free software. It is the same scam that I told you about in this post about Adobe Reader
This one appears to be a different bunch of scammers but with the same result. They will clear your credit card & sell all your details to anyone they can.
One malware researcher used their links to download Security Essentials & got a nasty trojan instead of the genuine program
Fake Microsoft Security Essentials site
If you read carefully, you see they do say in the tiny small print that MSE is a free program and you are paying for the benefit and convenience of downloading it from them instead of the approved free Microsoft site
We stress again that http://securityessentials-2011.com is a scam site that is trying to steal your money and is not to be trusted . Only download Microsoft Security Essentials direct from Microsoft
Following on from my previous post, the scammers are also using Skype
Fake Skype website
Skype email scam
Once again Don’t fall for it only only use the genuine Skype site to download skype & update it
There are about to be updates issued for Adobe reader to plug security holes and vulnerabilities. The scammers have jumped in on the act and are sending emails pretending to be from an Adobe update service.
Adobe PDF scam email
If you are foolish enough to follow the links then you end up on a scam site trying to sell you an unknown PDF reader, BUT the sting is that you don’t just download & try it or even buy it outright. Oh no ! you have to create a membership and give all your details before you even find out how much is being taken from your bank or credit card.
Don’t fall for it and only update Adobe reader from the official Adobe site, when the actual Update is released ( It is expected in Early October 2010)
Or of course use an alternative PDF reader of your choice, Just be aware that PDF vulnerabilities do affect all PDF readers and some might not get updated as quickly as others. Just because you use an alternative doesn’t mean that you are immune or safe from vulnerabilities in Adobe products
It was brought to my attention by sUBs, a malware researcher who developed Combofix ( a tool to help remove persistant malware threats & rogue scamware from infected computers) that a fake Microsoft malicious software removal tool is spreading
This total piece of scamware is designed to imitate the genuine MMSRT & has the usual fake detections & then entices you buy the latest rogue scamware Shield EC Antivirus which our good friends Sunbelt Software have blogged about.
The last screen clearly shows that they want you to buy this useless scamware
The installer for this piece of malware is detected by several Antiviruses currently as shown on this Virus Total report page
If you are unfortunate to be infected by this piece of scamware, it can be difficult to remove. Don’t fall for all the other scams on the net saying you need to buy other software to remove it. Ask for help on our malware cleaning forum http://thespykiller.co.uk
I was notified of a google advert for a fake wowmatrix site. The original genuine wowmatrix is seen by many games players as not completely within the rules of the games
Wowmatrix is an addon that makes it easier to update and install other tweaks and addons to your game. Obviously using a fake version that downloads false addons & tweaks and installs them leaves you open to a lot of problems.
The advert on google looks like a search listing and it is only apparant that it is a sponsored listing or advert on close inspection
Read the remainder of this entry »
You are currently browsing the archives for the Rogue Software category.
This blog will help keep you up to date with windows updates, security warnings and my general thoughts about the online world today and how to keep yourself safe online
For help with these and any other malware related computer problems visit Thespykiller
There are several affiliate links to programs or companies throughout the site. I only link to programs I use and trust myself and to companies that I use personally. Any money raised through these affiliate links goes towards keeping the Hedgehog Rescue centre running
