Warnings and Alerts Archive

There is a new spam bot out there sending a malware link. See the screenshot.

Screenshot of typical spam email

All emails so far appear to originate from a Ukrainian server, noc.maximuma.net (91.196.148.8), which may or may not have been hacked, but web searches suggest that a lot of spam and malware is being distributed via that server hosting company.
So far I have seen several different sites hosting the malware, and the sender and recipient email addresses are all random or spoofed.
At present antivirus detection is very sporadic, but samples have been sent to all known AV companies, so I do expect a better detection rate very shortly.
The current payload is always order.zip, which when extracted pretends to be order.doc but actually has a long run of spaces followed by .exe. The spaces push the real extension out of sight, so simply double-clicking on it will infect you.
It appears to be a downloader or installer for one of the fake antivirus programs that currently plague us.
You can see a quick automatic analysis on the Anubis website. From previous experience of this sort of malware and the locations it installs itself to, I would not be at all surprised if the malware shown in the Anubis report also installs the TDL4 bootkit.
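As an added defensive check (not part of the original post), here is a small Python scanner that looks inside a zip for the filename trick described above: an executable extension hidden behind a decoy extension and a run of spaces. The sample archive is constructed in the code with harmless bytes.

```python
import io
import re
import zipfile

# Extensions Windows runs when double-clicked (partial list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure imitates (the "order.doc" half of the trick).
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".jpg", ".txt"}
EXT_RE = re.compile(r"(\.[a-z0-9]{1,4})\s*$")


def classify_name(name):
    """Return the reasons an archive entry name looks deceptive (empty if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()      # ignore any directory part
    m = EXT_RE.search(base)
    real_ext = m.group(1) if m else ""
    if real_ext in EXECUTABLE_EXTS:
        stem = base[: m.start(1)]
        if stem != stem.rstrip():
            reasons.append("whitespace padding before " + real_ext)
        m2 = EXT_RE.search(stem)
        if m2 and m2.group(1) in DECOY_EXTS:
            reasons.append("decoy extension %s hides %s" % (m2.group(1), real_ext))
    if "\u202e" in name:                         # right-to-left override trick
        reasons.append("RTL override character in name")
    return reasons


def suspicious_entries(zip_bytes):
    """Map deceptive entry names to their reasons for a zip given as bytes."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                found[info.filename] = reasons
    return found


def build_sample_zip():
    """Constructed sample archive shaped like the order.zip lure; harmless bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order.doc" + " " * 40 + ".exe", b"constructed placeholder, not malware")
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in suspicious_entries(build_sample_zip()).items():
        print(repr(entry), "->", "; ".join(why))
```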
Update: they have changed the email slightly to something that resembles a previous attack attempt and included a “your credit card will be charged with xxxxx $” line.
That always gets the unwary to follow the link, to check whether it is their card that has been falsely charged.

Revised email, showing the alleged credit card charge

Results are coming in from many antivirus companies now, saying that it is a version of the SpyEye crimeware toolkit. SpyEye is well described in this Symantec blog.


The full advisory can be found on the Web at: http://www.microsoft.com/technet/security/advisory/2524375.mspx.

===========================
SUMMARY
===========================
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

Certificates for the following Web properties are affected:

• login.live.com
• mail.google.com
• www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375 (http://support.microsoft.com/kb/2524375).

Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.

===========================
RECOMMENDATIONS
===========================
Review Microsoft Security Advisory 2524375 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ), and links to additional resources. MSRA Security Partners who are experiencing issues believed to be related to the issues described in this advisory should contact us via e-mail or by calling 888-HELPSEC with your custom Access ID.

===========================
ADDITIONAL RESOURCES
===========================
• Microsoft Security Advisory 2524375 – Fraudulent Digital Certificates Could Allow Spoofing – http://www.microsoft.com/technet/security/advisory/2524375.mspx

• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc

More details are on the Comodo blog.


We are seeing on the forums and newsgroups several reports from users worried about this update: following the links from the Windows Update page or from the update history page on your computer doesn’t take you to the correct Microsoft support and information page about the update but to an advertising page.

This is due to a mistype by Microsoft when inserting the link. You are NOT infected. The Microsoft website is NOT infected. It is just a mistype by a Microsoft employee.
Microsoft have fixed the link on the Windows Update page and partially on the history page on your computer. It looks like some of the regional Microsoft update servers are still serving a cached copy of the update with the bad link, while others are giving the correct link.
The correct link for support or information about this update is
http://support.microsoft.com/kb/2505438
The mistyped link was

http://support.micrososft.com/kb/2505438

Note the extra s in micrososft.
It is an easy typing error to make.
So don’t panic about it. I repeat again: you are not infected, the Microsoft website is not infected, it was just a simple typing error that has been partially corrected and I expect to be fully corrected very soon.

We often see major problems with typosquatting. This is when unscrupulous people buy up every possible mistyping of common domain names, in the hope of making money when someone mistypes a URL (web address) and lands on their site or landing page instead. This time it is only harmless advertising, but in many cases the unscrupulous owner will either attempt to sell you a fake program or, even worse, install malware from the fake page.
Watch the links you follow and make sure that they are spelled correctly.
See the screenshots:

Mistyped URL on the update history page for KB2505438

Mistyped URL for KB2505438 from Windows update site
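To show how a link can be checked for the kind of near-miss domain described above, here is an added Python example (not from the original post) that classifies a URL against a short list of genuine vendor domains using edit distance and brand-in-name matching. The trusted list, the ccSLD table and the skype-update-2010.example host are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Genuine domains for the vendors named in the posts above (assumed list).
TRUSTED = ["microsoft.com", "adobe.com", "skype.com", "google.com"]
# Country-code second-level suffixes where the registrable domain has three labels.
CC_SLD = {"co.uk", "org.uk", "com.au"}


def registrable(host):
    """Rough registrable domain: last two labels, or three under a ccSLD."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in CC_SLD else 2
    return ".".join(labels[-n:])


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) by the standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Classify a URL as 'trusted', 'lookalike:<genuine domain>' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED:
        return "trusted"
    name = dom.split(".")[0]
    for genuine in TRUSTED:
        brand = genuine.split(".")[0]
        # Within two keystrokes of the brand (micrososft vs microsoft), the brand on
        # another TLD, or the brand embedded in a longer name: treat as a lookalike.
        if edit_distance(name, brand) <= 2 or brand in name:
            return "lookalike:" + genuine
    return "unknown"


if __name__ == "__main__":
    for u in ("http://support.microsoft.com/kb/2505438",
              "http://support.micrososft.com/kb/2505438",
              "http://skype-update-2010.example/download"):   # constructed host
        print(u, "->", check_url(u))
```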


Did you know that Firefox and Chrome both have a feature that fetches pages and links they think you might be about to click on? This can slow down your computer and browsing dramatically. The majority of problems come up when using a search engine, particularly Google with its “preview” function.
The pre-fetch function in these browsers silently loads every link in the background and caches (stores) the pages in the temporary internet files folder used by Firefox or Chrome. So far Internet Explorer has resisted the temptation to do this.
It also causes another major problem when you use security software that blocks dangerous or known malicious IP addresses or web addresses. You either get constant alerts about malicious pages attempting to infiltrate your computer, or pop-up warnings saying that xxxx address or IP number has been blocked. Some security software will block you from the original page that you are attempting to visit because of a preloaded link to a potentially malicious site, which can lead to major problems with search engines. 99% of the time you have absolutely no intention of ever visiting that site; it is just Firefox or Chrome being helpful and preloading the pages for you.


Please avoid all untrusted Happy New Year e-card links. The Shadowserver Foundation is warning of a new malicious and advanced botnet that has just been discovered and resembles the Storm Worm design.

New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101230
Those of us here at Shadowserver hope you’re having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years.

However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don’t have anything else to call it yet. What’s it involve you ask?

CHARACTERISTICS OF NEW BOTNET

Well here’s the list of what we’ve seen so far:

* Large scale Spam campaigns sending out e-mails with links
* New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
* Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
* Links are also directly to new malicious domains
* Malicious domains hosting links to fake flash player and refreshes to exploit pages
* Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
* Malware that’s been updated to look a bit more legitimate than past variants
* A very buggy network that is not often available (upstream devices not available)
* Changing/Updated binaries

AVOID THESE E-CARD MESSAGES:

Let’s start with the Spam Campaign. We’ve seen a multitude of subject lines and bodies. Below you’ll find a list of subjects we’ve seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.

Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You’ve got a Happy New Year Greeting Card!
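The fast-flux trait Shadowserver lists (TTL of 0 with name servers that keep changing the IPs) is something a defender can score from DNS observations. The following Python is an added example, not Shadowserver's code; its passive-DNS style records and the domains newyear-ecard.example and www.example.net are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed observations: (timestamp, domain, answer IP, TTL in seconds).
# newyear-ecard.example is a made-up flux domain rotating IPs with TTL 0;
# www.example.net is a made-up normal host with a long TTL.
OBSERVATIONS = [
    ("2010-12-30T10:00:00", "newyear-ecard.example", "192.0.2.10", 0),
    ("2010-12-30T10:05:00", "newyear-ecard.example", "198.51.100.7", 0),
    ("2010-12-30T10:10:00", "newyear-ecard.example", "203.0.113.55", 0),
    ("2010-12-30T10:15:00", "newyear-ecard.example", "192.0.2.77", 0),
    ("2010-12-30T10:20:00", "newyear-ecard.example", "198.51.100.200", 0),
    ("2010-12-30T10:00:00", "www.example.net", "192.0.2.1", 3600),
    ("2010-12-30T11:00:00", "www.example.net", "192.0.2.1", 3600),
    ("2010-12-30T12:00:00", "www.example.net", "192.0.2.2", 3600),
]


def score_domains(observations, max_ttl=300, min_ips=4, min_prefixes=3):
    """Flag domains whose answers look fast-flux: tiny TTL plus many IPs spread
    across several /24s. Returns {domain: {"ips", "prefixes", "changes", "ttl", "flux"}}."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in observations:
        by_domain[domain].append((datetime.fromisoformat(ts), ip, ttl))
    report = {}
    for domain, rows in by_domain.items():
        rows.sort()                                   # chronological order
        ips = {ip for _, ip, _ in rows}
        prefixes = {".".join(ip.split(".")[:3]) for ip in ips}   # /24 as a network proxy
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[1] != b[1])
        ttl = max(t for _, _, t in rows)
        flux = ttl <= max_ttl and len(ips) >= min_ips and len(prefixes) >= min_prefixes
        report[domain] = {"ips": len(ips), "prefixes": len(prefixes),
                          "changes": changes, "ttl": ttl, "flux": flux}
    return report


if __name__ == "__main__":
    for domain, r in score_domains(OBSERVATIONS).items():
        print(domain, r)
```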


Once again we need to warn you about a scam involving Microsoft Security Essentials.
Security Essentials is a free antivirus program from Microsoft, available to any Windows user with a validated copy of a supported desktop version of Windows (XP SP3, Vista SP2, Windows 7). You should only download it from the Microsoft Security Essentials website.
The scammers have created a look-alike site with links to download Security Essentials, BUT when you follow the links you have to create a membership with them and pay for the privilege of downloading free software. It is the same scam that I told you about in this post about Adobe Reader.
This one appears to be a different bunch of scammers, but with the same result. They will clear out your credit card and sell all your details to anyone they can.
One malware researcher used their links to download Security Essentials and got a nasty trojan instead of the genuine program.

Fake Microsoft Security Essentials site

If you read carefully, you will see that they do say in the tiny small print that MSE is a free program and that you are paying for the benefit and convenience of downloading it from them instead of from the approved free Microsoft site.

We stress again that http://securityessentials-2011.com is a scam site that is trying to steal your money and is not to be trusted. Only download Microsoft Security Essentials direct from Microsoft.

Following on from my previous post, the scammers are also using Skype.

Fake Skype website

The fake website looks like this, and the membership page is exactly the same as shown previously.

Skype email scam

Once again, don’t fall for it: only use the genuine Skype site to download Skype and update it.

Updates are about to be issued for Adobe Reader to plug security holes and vulnerabilities. The scammers have jumped in on the act and are sending emails pretending to be from an Adobe update service.

Adobe PDF scam email

If you are foolish enough to follow the links then you end up on a scam site trying to sell you an unknown PDF reader, BUT the sting is that you don’t just download and try it, or even buy it outright. Oh no! You have to create a membership and give all your details before you even find out how much is being taken from your bank or credit card.

Don’t fall for it, and only update Adobe Reader from the official Adobe site when the actual update is released (it is expected in early October 2010).
Or of course use an alternative PDF reader of your choice. Just be aware that PDF vulnerabilities affect all PDF readers and some might not get updated as quickly as others. Just because you use an alternative doesn’t mean that you are immune or safe from vulnerabilities in Adobe products.


Warning: Animal Protection Agency website and email scam, Sep 2010

If you have received an email purporting to be from the APA asking for your card details, please be warned that this is a scam. Please report it to the national police fraud unit on 0300 123 2040 or online at actionfraud.org.uk/report_fraud. Note that the website at animal-protection-agency.co.uk (offline as of 28th September 2010) is a fake clone of the real website http://www.apa.org.uk.
Now live is animal-protection-agency.com, which has taken over this phishing scam.
A currently spreading email reads:

Dear pet owner,

The Animal Protection Agency (APA) proudly announce that we managed to raise a fund worthing GBP 1.000.000 and will be donated to 10.000 pet owners.

If you own a pet and you would like to receive this payment of GBP 100 please click the link bellow.

www.animal-protection-agency.co.uk

Sincerely,
Andrew Morrison
Senior Manager


I have had this brought to my attention and I feel it should be widely spread, because I am very concerned that users might not understand what they are getting themselves into. Too many people think they can use Freenet in place of other P2P programs to share copyrighted files, music, movies etc., and that by using the anonymous behaviour of Freenet they won’t or can’t be caught and punished for it.
