Tag Archive | "2010"

First epidemic in 2010 and other virus events of January

February 1, 2010

January 2010 brought a large number of user requests regarding the neutralization of active Trojan.Winlock infections, while the vast majority of fraud schemes employed by cyber-criminals that month were based on paid short messages. The month also saw the introduction of new malware spreading techniques and more sophisticated methods of monetizing and laundering the proceeds.

Windows blockers

The wide spread of a variety of Trojan.Winlock programs became the most noticeable event of January. In a compromised system this malicious program displays its own window on top of all other windows and won’t close it unless an unlock code is entered. It also disrupts the operation of some programs installed on the machine. Criminals offer the victim an unlock code in exchange for a paid SMS. In January the SMS charge varied between EUR 7 and 14 per computer.

The statistics server of Doctor Web registered over 850 000 instances of detection of Trojan.Winlock in systems protected by Dr.Web software (including Dr.Web Enterprise Suite and the Dr.Web anti-virus service). This figure is 2.15 times larger than the number registered in December 2009 and 23.4 times higher than in November 2009, indicating an ongoing epidemic in Russia and Ukraine. Over the month several million users were infected by this malicious program.

The epidemic caused a stir in the Russian-speaking internet community with providers of short numbers offering unlocking codes free of charge and anti-virus vendors supplying users with free tools to counter Trojan.Winlock programs.

On January 22 Doctor Web set up a special web-page for generation of unlocking codes (over one million visits to the page were registered in a week). Doctor Web also released several versions of Dr.Web CureIt! designed specifically to neutralize such Trojans.

SMS-fraud

Easy monetizing of the proceeds from paid SMS served as a strong incentive for many cyber-criminals. Along with Windows blockers, numerous web-sites were created to promote non-existent services and software with incredible features.

Users were offered online fake anti-viruses that found the same viruses in the same files on all machines, ICQ and SMS sniffers, remote mobile phone control, see-through scanners supposedly allowing users to see people naked, and other similar programs.

Typically users paid for such services and software with short messages. However, as telecom operators and police started to monitor SMS payment systems closely in the face of the Winlock epidemic, using such systems became troublesome for criminals. That is why they reintroduced means of payment they had used before (e.g. WebMoney) and invented new fraud schemes.

New ways for monetizing illegal money

Another scheme that gained popularity among fraudsters in January allows criminals to withdraw funds from mobile phone users’ accounts. A user enters a phone number on a web-site promoting a service and receives a short message with a link to activate the subscription. Once activated, the service charge is withdrawn from the account automatically.

The scheme is designed so that anyone can submit someone else’s number on the web-site, while the messages carrying the activation link do not explain what the service is about; instead they provide misleading information to encourage the recipient to click on the link even if he has no intention of subscribing to a service. For example, a message may claim that the link leads to an image or a video clip.

In recent weeks criminals have also offered users the option of paying for services with a paid call that has a minimum duration.

New ways to spread malware and spam

In January virus makers used new means to deliver malicious programs to user machines. In particular, Doctor Web virus analysts registered a spam mailing with messages containing attached torrent-files for downloading supposed e-cards that in truth were malicious programs. Mail servers do not block such messages since attached torrent-files do not contain malicious code.

Spammers also adopted new ways to transfer large amounts of data. Spam mailings were registered where e-mails contained attached mp3 files providing around 60 minutes of playback. Users also received messages with links to video clips located on web-sites of cyber-criminals and available on YouTube.

Below you can find a few tips that may help you prevent infection of your system by Trojan.Winlock programs or by other similar pieces of malware.

  1. Install a licensed anti-virus application and update it as recommended by the vendor.
  2. Use alternative web-browsers (Mozilla Firefox, Opera or Google Chrome) and install the corresponding security updates as they are released by the developers.
  3. Install the latest security updates for your operating system as soon as they are released.
  4. Do not use services promoted by web-sites displayed as ad pop-ups – such pop-ups are a risk.
  5. If you are offered a codec or any other software to view the content of a web-site, decline the offer, search for the official web-site of the codec’s developer, and download and install it from there. In many cases Trojan.Winlock programs are downloaded as software supposedly required for viewing the content of web-sites.

Trojan.Winlock curing recommendations

If a window with a message demanding to send an SMS at a short number is displayed on top of other windows, won’t close and appears even when the system is started in the safe mode, your system has been infected by one of the modifications of Trojan.Winlock.

  1. Under no circumstances should you send messages as demanded by criminals. Every sent message provides criminals with financial support to develop new modifications of the malware.
  2. Go to the unlocking page.
  3. Download the special version of Dr.Web CureIt! and use the utility to cure your system of Trojan.Winlock.
  4. Go to http://www.freedrweb.com/ and download Dr.Web LiveCD. Once the system is cured with Dr.Web LiveCD it is recommended to scan it again using Dr.Web CureIt!
  5. Ask for assistance on the official forum of Doctor Web.
  6. Contact the provider of the specified short number and ask for the unlocking code to be given to you free of charge since you have become a victim of cyber crime.

The number of malicious programs in e-mail traffic in January decreased by 30% compared with December 2009. The share of malicious files in the total number of files scanned on user machines dropped by 35%. Most probably this decline is a correction following the twofold increase in malicious traffic among scanned objects.

Viruses detected in e-mail traffic in January

 01.01.2010 00:00 – 01.02.2010 00:00 
1 Trojan.DownLoad.37236 13268129 (12.99%)
2 Trojan.DownLoad.47256 10044467 (9.84%)
3 Trojan.MulDrop.40896 7096903 (6.95%)
4 Trojan.Fakealert.5115 7023800 (6.88%)
5 Win32.HLLM.MyDoom.44 6490377 (6.36%)
6 Trojan.Packed.683 5749108 (5.63%)
7 Trojan.Fakealert.5238 5261760 (5.15%)
8 Win32.HLLM.Netsky.35328 4772813 (4.67%)
9 Trojan.DownLoad.50246 4051880 (3.97%)
10 Trojan.Botnetlog.zip 3758307 (3.68%)
11 Trojan.Fakealert.5825 3442880 (3.37%)
12 Trojan.Fakealert.5437 2517200 (2.47%)
13 Win32.HLLM.MyDoom.33808 2392000 (2.34%)
14 Trojan.Fakealert.5356 2281720 (2.23%)
15 Trojan.Fakealert.5784 1973160 (1.93%)
16 Trojan.PWS.Panda.122 1851377 (1.81%)
17 Trojan.Fakealert.5229 1835120 (1.80%)
18 Trojan.Fakealert.5457 1607760 (1.57%)
19 Trojan.Siggen.18256 1526581 (1.49%)
20 Win32.HLLM.Beagle 1505664 (1.47%)

Scanned: 139,350,636,730
Infected: 102,115,886 (0.07%)

Viruses detected on user machines in January

 01.01.2010 00:00 – 01.02.2010 00:00 
1 Win32.HLLM.MyDoom.49 4020788 (16.80%)
2 Win32.HLLM.Netsky.35328 1637229 (6.84%)
3 Win32.HLLW.Gavir.ini 1081250 (4.52%)
4 Trojan.WinSpy.440 1053086 (4.40%)
5 Trojan.AppActXComp 907785 (3.79%)
6 Trojan.AuxSpy.137 734318 (3.07%)
7 Win32.HLLM.Beagle 656944 (2.74%)
8 Win32.HLLM.MyDoom.33808 646730 (2.70%)
9 Trojan.PWS.Gamania.23481 623699 (2.61%)
10 Trojan.MulDrop.16727 584477 (2.44%)
11 Win32.HLLW.Shadow 513252 (2.14%)
12 Win32.Virut.5 493248 (2.06%)
13 Win32.HLLW.Shadow.based 380166 (1.59%)
14 Trojan.MulDrop.13408 325488 (1.36%)
15 JS.Popup.1 316857 (1.32%)
16 Win32.Virut.14 295463 (1.23%)
17 Win32.HLLW.Kazaa.17 263143 (1.10%)
18 Win32.Alman.1 261298 (1.09%)
19 Exploit.MySql.11 260470 (1.09%)
20 Trojan.Winlock.715 256356 (1.07%)

Scanned: 169,874,198,147
Infected: 23,938,315 (0.01%)


Fake anti-viruses and other February 2010 threats

March 1, 2010

Though short, February saw quite a number of viral threats. Along with traditional and online fake anti-viruses in the spotlight, new extortion schemes involving mobile devices appeared, while the scale of the Windows blockers epidemic declined.

Windows blockers

Joint efforts of Doctor Web, law enforcement organizations, telecom operators and short number aggregators, together with wide public awareness of the Trojan.Winlock problem, reduced the number of infected machines to figures comparable to those registered when the epidemic began in November 2009. While in January the number of detections of Trojan.Winlock registered per day could exceed 100 000, in February the figure dropped to several thousand per twenty-four hours.

In spite of the sharp decline, tens of thousands of users in Russia and Ukraine fall victim to the Trojan on a daily basis.

In the last two weeks of February a new browser-blocking extortion scheme became widespread. Visiting a malicious web-page brought up a pop-up window that wouldn’t close unless an “activation code” was entered; the code is provided in exchange for a paid SMS. Even though this problem is solved quite easily (stop the browser process using the task manager or force a system reboot), the number of people falling victim to this scheme keeps growing, among Windows users as well as among Mac OS users.

Fake anti-viruses

In February cyber-criminals more often resorted to fraud schemes involving sites promoting fake anti-viruses to Internet users from Russia and other CIS countries. Links to such sites are spread via e-mail, compromised ICQ accounts and contextual advertising on web search results pages and in social networks. Access to such web-sites is blocked by the Dr.Web Parental Control.

Along with online fake anti-viruses, Russian users were sometimes offered a customary Trojan.Fakealert. In such cases they were persuaded to download and install a fake anti-virus that imitated a scanning procedure and then prompted the user to send a paid short message.

Even though the Trojan.Fakealert target group included Russian-speaking users, the highest number of victims of the fraud was found among English speakers. Trojan.Fakealert offers a victim the fake anti-virus for 50 U.S. dollars, payable by credit card. The offer to purchase a full version of the supposed anti-virus can be displayed in a browser window as well as in the fake anti-virus’s own interface. Statistics on Trojan.Fakealert for the last six months show rapid growth in the number of samples found in the wild, starting in October 2009. Doctor Web’s statistics server registers a huge number of detections of fake anti-viruses by Dr.Web solutions every 24 hours, and the top 20 most widely spread malicious programs in February included 8 modifications of Trojan.Fakealert.

New Internet fraud scheme

A new fraud scheme used for money laundering lures users into giving away their mobile phone numbers in order to subscribe to a certain service. An SMS reply provides the would-be subscriber with an activation code, and its contents usually have nothing to do with the topic of the web-site. By entering the code the user signs up for the service. The service fee is debited from the user’s account daily without any warning. The amount withdrawn is small, so the user may not notice right away that something is wrong. Besides, terminating such a subscription may be difficult and may require a paid SMS to be sent.

The number of malicious programs in e-mail traffic increased fourfold in February compared to the previous month. This dramatic surge was mainly caused by a growing number of fake anti-viruses and their downloaders in e-mail attachments. The number of malicious files among all files scanned on user machines increased by 24% in February, returning to the figure registered in December 2009.

Malicious programs detected in mail traffic in February

 01.02.2010 00:00 – 01.03.2010 00:00  
1 Trojan.DownLoad.37236 13268129 (12.99%)
2 Trojan.DownLoad.47256 9134010 (10.07%)
3 Trojan.DownLoad.41551 8884635 (9.80%)
4 Trojan.MulDrop.40896 6453617 (7.12%)
5 Trojan.Fakealert.5115 6387160 (7.04%)
6 Trojan.Botnetlog.zip 5901875 (6.51%)
7 Trojan.Packed.683 5227906 (5.76%)
8 Trojan.Fakealert.5238 4784832 (5.28%)
9 Trojan.DownLoad.50246 3684616 (4.06%)
10 Trojan.Fakealert.5825 3130816 (3.45%)
11 Trojan.Fakealert.5437 2289040 (2.52%)
12 Trojan.Fakealert.5356 2074904 (2.29%)
13 Trojan.Fakealert.5784 1794312 (1.98%)
14 Trojan.PWS.Panda.122 1683685 (1.86%)
15 Trojan.Fakealert.5229 1668784 (1.84%)
16 Trojan.Fakealert.5457 1462032 (1.61%)
17 Trojan.Siggen.18256 1388200 (1.53%)
18 Trojan.MulDrop.46275 1329338 (1.47%)
19 Win32.HLLM.MyDoom.54464 1180755 (1.30%)
20 Trojan.Proxy.7778 915616 (1.01%)

Total scanned: 30,893,462,045
Infected: 90,692,324 (0.294%)
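All of the detection tables in these reviews share one layout, which makes a quick consistency check worthwhile before quoting their figures. The Python below is an added example, not code from Doctor Web or these reviews: it parses the rows and totals, recomputes each share from the row count and the Infected total at the printed precision (the assumption that Infected is the denominator is borne out by the January table), and flags rows out of rank order. Run on excerpts of the January and February mail tables above, it passes January and flags the first February row, whose 12.99% is the January figure rather than the share of 90,692,324.

```python
"""Consistency checks for the detection tables in these monthly reviews.

Every table row reads "rank name count (percent)"; the percentage is the
row's count divided by the table's Infected total (the January table bears
this out), and the Infected line states its own share of all Scanned objects.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpts of the January and February 2010 mail-traffic tables:
# the first three rows and the totals, copied as printed in the reviews.
JANUARY_MAIL = """\
1 Trojan.DownLoad.37236 13268129 (12.99%)
2 Trojan.DownLoad.47256 10044467 (9.84%)
3 Trojan.MulDrop.40896 7096903 (6.95%)

Scanned: 139,350,636,730
Infected: 102,115,886 (0.07%)
"""

FEBRUARY_MAIL = """\
1 Trojan.DownLoad.37236 13268129 (12.99%)
2 Trojan.DownLoad.47256 9134010 (10.07%)
3 Trojan.DownLoad.41551 8884635 (9.80%)

Total scanned: 30,893,462,045
Infected: 90,692,324 (0.294%)
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d,]+)\s+\(([\d.]+)%\)\s*$")
SCANNED_RE = re.compile(r"^\s*(?:Total\s+)?[Ss]canned:\s*([\d,]+)\s*$")
INFECTED_RE = re.compile(r"^\s*Infected:\s*([\d,]+)\s+\(([\d.]+)%\)\s*$")


@dataclass
class Row:
    rank: int
    name: str
    count: int
    stated_pct: str  # kept as printed, so the number of decimals is known


@dataclass
class Table:
    rows: List[Row] = field(default_factory=list)
    scanned: Optional[int] = None
    infected: Optional[int] = None
    infected_pct: Optional[str] = None


def _num(text: str) -> int:
    """Parse a count that may carry thousands separators."""
    return int(text.replace(",", ""))


def _matches(stated: str, computed: float) -> bool:
    """True when the computed value rounds to the printed one at its printed precision."""
    decimals = len(stated.split(".")[1]) if "." in stated else 0
    return abs(round(computed, decimals) - float(stated)) < 1e-9


def parse_table(text: str) -> Table:
    """Extract rows and totals from one table; other lines are ignored."""
    table = Table()
    for line in text.splitlines():
        if m := ROW_RE.match(line):
            table.rows.append(Row(int(m[1]), m[2], _num(m[3]), m[4]))
        elif m := SCANNED_RE.match(line):
            table.scanned = _num(m[1])
        elif m := INFECTED_RE.match(line):
            table.infected, table.infected_pct = _num(m[1]), m[2]
    if table.scanned is None or table.infected is None:
        raise ValueError("table lacks its Scanned/Infected totals")
    return table


def check_table(text: str) -> List[str]:
    """Return one finding per inconsistency; an empty list means the table is self-consistent."""
    table = parse_table(text)
    findings: List[str] = []
    overall = 100.0 * table.infected / table.scanned
    if not _matches(table.infected_pct, overall):
        findings.append(f"Infected share: stated {table.infected_pct}%, computed {overall:.4f}%")
    previous: Optional[Row] = None
    for row in table.rows:
        share = 100.0 * row.count / table.infected
        if not _matches(row.stated_pct, share):
            findings.append(f"row {row.rank} {row.name}: stated {row.stated_pct}%, computed {share:.2f}%")
        # Rows are ranked by count, so no count may exceed the one above it.
        if previous is not None and row.count > previous.count:
            findings.append(f"row {row.rank} {row.name}: count exceeds row {previous.rank}")
        previous = row
    return findings


if __name__ == "__main__":
    for label, text in (("January", JANUARY_MAIL), ("February", FEBRUARY_MAIL)):
        print(label, check_table(text) or "consistent")
```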

Malicious programs detected on user machines in February

 01.02.2010 00:00 – 01.03.2010 00:00  
1 VBS.Redlof 4183128 (21.44%)
2 Trojan.DownLoader.based 3130742 (16.05%)
3 Trojan.AuxSpy.111 1182739 (6.06%)
4 Win32.HLLW.Gavir.ini 949089 (4.86%)
5 Win32.Dref 790282 (4.05%)
6 Trojan.WinSpy.440 633507 (3.25%)
7 Trojan.AuxSpy.137 560187 (2.87%)
8 Win32.HLLW.Shadow.based 349694 (1.79%)
9 VBS.Generic.548 347960 (1.78%)
10 VBS.Sifil 259869 (1.33%)
11 Trojan.DownLoad.32973 251364 (1.29%)
12 Win32.Alman.1 240227 (1.23%)
13 Win32.HLLW.Shadow 240103 (1.23%)
14 Trojan.Packed.666 187657 (0.96%)
15 JS.Redirector.based.1 182715 (0.94%)
16 Trojan.Packed.19647 166247 (0.85%)
17 Win32.HLLW.Autoruner.2536 160988 (0.83%)
18 Win32.HLLW.Autoruner.5555 145973 (0.75%)
19 BackDoor.IRC.Sdbot.4590 114824 (0.59%)
20 Trojan.Fraudster.48 101890 (0.52%)

Total scanned: 95,717,237,918
Infected: 19,509,126 (0.0172%)


Viral threats in March 2010

April 1, 2010

March 2010 saw a smaller number of Windows blockers and banners in Internet browsers. Fake anti-viruses with constantly changing look and feel mainly targeted English-speaking users. Discovery of several new modifications of Trojan.Encoder became a significant event of the past month.

Windows blockers and banners in web browsers

The graph of how browser blockers (Trojan.BrowseBan) and Windows blockers (Trojan.Winlock) spread in March shows that they returned to the levels of mid-October and November 2009. However, the weekly graph shows the number of detections remaining around 10 000 per day, which roughly amounts to 100 000 infected systems per week.

In March Doctor Web received over 100 unique screenshots of blockers via its user technical support system. Since a user can rarely take a screenshot in an infected system, the total number of processed support requests on the subject is much higher.

Blockers remain one of the most common issues in user support requests for several reasons. First, it is quite difficult to get rid of such malware since it hampers any user activity in the system. Secondly, unlike most malicious programs, which operate covertly, these are programs whose activity is meant to be noticed. Doctor Web strongly recommends that all users of Dr.Web products contact the technical support service immediately if they see even indirect evidence of an active infection in the system.

Botnet communicates over Microsoft Word

Trojan.Oficla is a malware underworld specimen that allows the owners of botnets built with it to hide the bot in a system as a Microsoft Word process, provided Word is installed on the computer.

The authors of Trojan.Oficla sell new modifications of the program to other criminals, who use them to create new botnets operating all over the world.

Like zombies in any other botnet, machines compromised by Trojan.Oficla are fully controlled by the botnet’s owner and can download other malicious programs from a server belonging to criminals, then install and launch the downloaded malware.

Doctor Web’s statistics server registered around 100 000 detections of this malicious program in one week of March 2010. Trojan.Oficla spreads via e-mail messages and exploits vulnerabilities in web browsers. It can also take advantage of other spreading channels; the choice is limited only by the imagination of the botnet’s owner.

Invisible banker

Trojan.PWS.Ibank is another piece of malware that doesn’t attract users’ attention while at work. Its numerous modifications retrieve account details of customers of large banks in Russia. These Trojans exploit vulnerabilities in the banking software clients use to carry out transactions over the Internet.

Retrieved account information is sent to criminals. Trojan.PWS.Ibank also operates as a key logger.

Trojan.PWS.Ibank spreads in surges. Several times in March a rapid rise in the number of its detections was registered, followed by a drop within 24 hours.

Fake anti-viruses

By the end of March the inflow of support requests regarding fake Russian online anti-viruses had practically stopped. However, traditional representatives of this malware family (Trojan.Fakealert) continue to infect user systems, with the number of detections holding steady at around 30 million per month.

The methods used to spread fake anti-viruses have been honed over the years and remain the same. Yet the appearance of such malware does change: fake anti-viruses, spread using social engineering techniques, look more and more like popular IT security solutions.

Trojan.Fakealert screenshots

File encoder

March was also marked by the discovery of several new modifications of Trojan encoders that demanded over USD 50 from users wanting their data back.

Trojan.Encoder.67 encrypted all files except those located in certain system directories. This sometimes rendered a system non-operational and could even prevent the Trojan itself from displaying its ransom demand message.

Trojan.Encoder.68 compromised only files of certain types. It placed target files in password-protected ZIP archives; the password consisted of 47 characters and was unique for each infected system. Doctor Web offered users free access to a web-form where they could generate passwords to extract their files.

Tools required to counter Trojan.Encoder.68 can be found on the special web-page of Doctor Web’s site devoted to free anti-virus tools.

In March the share of malicious code in mail traffic increased by 22% compared with February, while the share of malicious code among files scanned on user machines decreased by 24%. These fluctuations are insignificant since the overall share of malware in the total number of scanned objects remained the same as in February.

Malicious programs detected in mail traffic in March

 01.03.2010 00:00 – 01.04.2010 00:00 
1 Trojan.DownLoad.41551 15495381 (14.11%)
2 Trojan.DownLoad.37236 13614045 (12.39%)
3 Trojan.DownLoad.47256 10053104 (9.15%)
4 Trojan.Botnetlog.zip 7267927 (6.62%)
5 Trojan.MulDrop.40896 7103001 (6.47%)
6 Trojan.Fakealert.5115 7029855 (6.40%)
7 Trojan.Packed.683 5753224 (5.24%)
8 Trojan.Fakealert.5238 5266296 (4.79%)
9 Trojan.DownLoad.50246 4054874 (3.69%)
10 Trojan.Fakealert.5825 3445424 (3.14%)
11 Trojan.Fakealert.5437 2519370 (2.29%)
12 Trojan.Fakealert.5356 2283687 (2.08%)
13 Trojan.Fakealert.5784 1974861 (1.80%)
14 Trojan.PWS.Panda.122 1852731 (1.69%)
15 Trojan.Fakealert.5229 1836702 (1.67%)
16 Trojan.Fakealert.5457 1609146 (1.46%)
17 Trojan.Siggen.18256 1527888 (1.39%)
18 Trojan.Packed.19694 1517178 (1.38%)
19 Trojan.MulDrop.46275 1463124 (1.33%)
20 Trojan.Fakealert.11956 1369146 (1.25%)

Total scanned: 30,331,944,880
Infected: 109,851,515 (0.36%)

Malicious programs detected on user machines in March

 01.03.2010 00:00 – 01.04.2010 00:00 
1 Win32.HLLW.Gavir.ini 773623 (6.35%)
2 BAT.Generic.184 576696 (4.73%)
3 Trojan.Fraudster.36 501271 (4.12%)
4 Trojan.WinSpy.641 472955 (3.88%)
5 Trojan.AntiAV.6 428431 (3.52%)
6 Trojan.WinSpy.616 410484 (3.37%)
7 Trojan.WinSpy.640 409803 (3.36%)
8 Win32.HLLW.Shadow.based 406787 (3.34%)
9 Trojan.DownLoad.32973 371322 (3.05%)
10 Win32.HLLM.Xgray.3 361513 (2.97%)
11 VBS.Sifil 351449 (2.89%)
12 BAT.310 310476 (2.55%)
13 IRC.Apulia.1215 289792 (2.38%)
14 Trojan.WinSpy.570 266963 (2.19%)
15 Trojan.AuxSpy.111 249772 (2.05%)
16 Win32.HLLP.Jeefo.36352 198323 (1.63%)
17 Trojan.PWS.Ibank.28 191114 (1.57%)
18 ACAD.Pasdoc 184475 (1.51%)
19 Trojan.PWS.Ibank.25 174119 (1.43%)
20 Win32.HLLW.Shadow 148909 (1.22%)

Total scanned: 88,035,683,471
Infected: 12,181,429 (0.01%)


Fake torrent-trackers and other tricks of virus-makers in April 2010

May 1, 2010

In April 2010 cyber-criminals focused on new SMS fraud schemes. This time they targeted users of torrent trackers and file sharing resources whom they tried to lure to fake web-sites supposedly providing such services. April also saw discovery of new malicious programs targeting smart phones while fake anti-viruses maintained their leadership among malware found in e-mail traffic.

Fake torrent-trackers and file sharing sites

Doctor Web’s virus analysts uncovered an entire network of fake torrent-trackers and file sharing resources located in different parts of the globe and yet targeting Russian-speaking users. Criminals exploited the wide popularity of such resources and the carelessness of many people who look for what they need using search engines, and posted links to music, books, movies and other content on such web-sites.

Fake torrent-trackers and file sharing resources appeared at the top of search results lists returned by search engines. Apparently criminals performed search engine optimization and other preliminary activities to improve the efficiency of their schemes.

A user obtaining a download link on such a web-site downloaded a 16 megabyte executable file instead of a supposed archive with desired content. Dr.Web detects such files as Tool.SMSSend.2.

Launching the file brings up a window prompting the user to send several paid short messages that will supposedly grant access to the downloaded archive. In truth such malicious files do not contain any useful data. Similar schemes are known to target users from other countries, where instead of an SMS would-be victims are asked to pay for their downloads by credit card before they actually download anything.

Currently Doctor Web’s statistics server registers around 6 000 instances of detection of Tool.SMSSend.2 per 24 hours.

Copyright protection virus

Apart from the techniques listed above, criminals also attempted to intimidate torrent users. Trojan.Fakealert.14886 (as classified by Doctor Web) spread in quite large numbers over the Internet in April. In an infected system the Trojan displayed a message warning the victim that illegally obtained copyrighted content had been detected on the computer and would result in prosecution.

Trojan.Fakealert.14886 spreads as a software installer. If a user doesn’t remove the program using standard Windows tools for adding and removing software and simply reboots the system, the Trojan will block access to the system similarly to Trojan.Winlock malware. The highest number of detections of this program was registered in Europe.

A new modification of Trojan.Winlock that warned a user of his violation of copyright law also emerged in April. It prompted users to send a paid SMS message in order to continue downloading files via torrent over a backup communication channel.

Fake anti-viruses

Fake anti-viruses enhanced with a new or updated look and feel continued their broad-scale offensive in English-speaking countries. Their spreading techniques didn’t change, while the number of their detections registered by Doctor Web’s statistics server declined to 750 000 against approximately 1 000 000 in March.

Trojan.Fakealert gallery

Windows blockers

The rate of spreading of Trojan.Winlock in Russia also went down in April and reached 720 instances of detection per 24 hours compared with 1 300 registered in March. However, the number of new modifications of Trojan.Winlock increased. Doctor Web’s technical support received requests related to such Trojans on a daily basis.

Trojan.Winlock gallery

Dialler for smart phones

Virus analysts registered the spread of the WinCE.Dialer.1 malicious program, which targeted pocket PCs running Windows Mobile. Once installed, it started making calls to paid phone numbers registered in different countries.

The program springs into action 48 hours after a successful infection of the system. WinCE.Dialer.1 spreads as a supposed game for pocket PCs.

The share of malicious programs in e-mail traffic scanned by Dr.Web software in April 2010 increased by 28%. The share of malicious files among all files scanned on user machines increased by 2.12. The figures show that in April criminals mainly focused on spreading malware over infected web-sites, using PDF, Flash and browser exploits and other techniques rather than e-mail.

Malware detected in mail traffic in April

 01.03.2010 00:00 – 01.04.2010 00:00 
1 Trojan.DownLoad.41551 11193316 (13.64%)
2 Trojan.DownLoad.37236 9927963 (12.10%)
3 Trojan.DownLoad.47256 7320678 (8.92%)
4 Trojan.Botnetlog.zip 5865274 (7.15%)
5 Trojan.MulDrop.40896 5147022 (6.27%)
6 Trojan.Fakealert.5115 5100040 (6.22%)
7 Trojan.Packed.683 4148051 (5.06%)
8 Trojan.Fakealert.5238 3808296 (4.64%)
9 Trojan.DownLoad.50246 2921645 (3.56%)
10 Trojan.Fakealert.5825 2484216 (3.03%)
11 Trojan.Fakealert.5437 1834890 (2.24%)
12 Trojan.Fakealert.5356 1659867 (2.02%)
13 Trojan.Fakealert.5784 1445121 (1.76%)
14 Trojan.Fakealert.5229 1338146 (1.63%)
15 Trojan.PWS.Panda.122 1332036 (1.62%)
16 Trojan.Fakealert.11956 1267041 (1.54%)
17 Trojan.Fakealert.5457 1162458 (1.42%)
18 Trojan.Siggen.18256 1106066 (1.35%)
19 Trojan.Packed.19694 1099122 (1.34%)
20 Trojan.MulDrop.46275 1058813 (1.29%)

Total scanned: 17,689,058,602
Infected: 82,042,532 (0.464%)

Malicious files detected on user machines in April

 01.04.2010 00:00 – 01.05.2010 00:00 
1 Win32.HLLW.Shadow 834227 (2.84%)
2 Trojan.AuxSpy.187 829685 (2.82%)
3 VBS.Sifil 525939 (1.79%)
4 Trojan.Starter.516 438173 (1.49%)
5 ACAD.Pasdoc 419684 (1.43%)
6 Win32.HLLW.Gavir.ini 364819 (1.24%)
7 Win32.HLLW.Shadow.based 339566 (1.16%)
8 Trojan.DownLoad.32973 330055 (1.12%)
9 Trojan.AuxSpy.111 283554 (0.97%)
10 Trojan.AntiAV.6 231204 (0.79%)
11 Win32.HLLW.Autoruner.9410 170593 (0.58%)
12 Win32.Dref 162827 (0.55%)
13 IRC.Apulia.1215 155887 (0.53%)
14 BackDoor.Tdss.2459 153602 (0.52%)
15 Trojan.PWS.GoldSpy.3382 148201 (0.50%)
16 Win32.HLLW.Autoruner.5555 143042 (0.49%)
17 HTTP.Content.Malformed 132141 (0.45%)
18 Win32.Alman.1 119085 (0.41%)
19 Win32.HLLW.Share 102652 (0.35%)
20 Trojan.PWS.Siggen.2674 85937 (0.29%)

Total scanned: 77,991,983,505
Infected: 22,880,659 (0.0293%)


Russian Windows blockers, European “bankers”, and other threats of June 2010

July 2, 2010

Windows blockers remain a major virus threat in Russia. In June, malicious programs demanding that users refill cell phone account balances belonging to criminals constituted 30 percent of Windows blocker incidents. Regular visitors to social networking web sites were also targeted. Visitors who attempted to log on to their favourite sites received messages informing them that their accounts had been suspended, and that to unfreeze them, they needed to send paid text messages. Meanwhile, banking Trojans attacked European bank customers, forcing them to surrender their TAN codes to cyber criminals. Such codes are used by some banks for one-time transaction authorizations. However, sometimes even such extreme precautions on the part of banks can’t prevent cyber criminals from inflicting damage.

Windows blockers countermeasures

While Windows blockers continued to terrorize users, Doctor Web did its best to help those whose systems were compromised by malicious programs of this type.

In January 2010, Doctor Web launched its Dr.Web Unlocker web site. The site includes web forms offering unblocking codes for certain phone numbers and text messages displayed by Trojans. Later an unlock code generator was also introduced. The site is updated on a regular basis to address the latest trends in the development of system blocking malware.

In addition, since June 23, 2010, Doctor Web has made its support service available free of charge to every user (regardless of the anti-virus involved) whose system has been blocked by a Windows blocker program and who can’t get help at the unlocker site. To further fight the outbreak, Doctor Web cooperates with law enforcement agencies and provides up-to-date information to the widest audience possible about the current status of the epidemic, including prevention and curing techniques.

During June, Doctor Web’s statistics server registered over 420,000 instances of detection of Windows blockers, down from the previous month’s figure of 940,000+. Most of these programs were detected by Dr.Web anti-viruses as Trojan.Winlock, Trojan.Adultban, and Trojan.Packed.20343.

By the end of June, Trojans demanding cell phone balance refills as ransom amounted to 30 percent of all blockers. Doctor Web’s analysts studied numerous cases of systems being infected by such programs and concluded that, in most cases, users wouldn’t receive unlock codes even if they paid the ransom. Once again the facts confirm this rule: no matter how desperate you are, never give money to criminals!

Below is a gallery of screenshots showing June’s most common Windows blockers.

Social networking web sites – an attraction for criminals

Many users contacting Doctor Web’s technical support service in June were unable to visit social networking and free e-mail service web sites. When trying to load web pages, users got messages informing them that their accounts had been suspended for spamming, and that to continue they would have to send paid text messages. Dr.Web software detected the malicious programs responsible for such messages as Trojan.Hosts.

Reports received at the end of June indicated new modifications of Trojan.Hosts that demand cell phone balance refills, similar to the demands made by Windows blockers.

Because Trojan.Hosts and Trojan.Winlock are parts of schemes with similar mechanisms for converting acquired funds into actual money, Doctor Web also helps those whose support requests concern such viruses.

Internet banking users in danger

European bank customers who make wide use of Internet banking, particularly those of Volksbank Austria and German Postbank, became the primary targets of malware in Europe. Banks use TAN codes to achieve better security for online transactions. Each transaction has its own unique TAN code which allows customers to carry out transactions without disclosing their individual PIN codes. But cyber criminals have found a loophole: Users whose computers were infected by malicious programs like Trojan.PWS.Banker or Trojan.PWS.Bancos are prompted to enter TAN codes whenever they try to use an Internet banking system. Codes submitted by users get into the hands of criminals.

The Trojans were able to detect a browser used to access an Internet-banking web site and sprang into action only if the browser was Internet Explorer, demonstrating once again that users of other browsers are better protected from threats lurking on the Internet.

General trends of June include the still active Oficla botnet, with four modifications of Trojan.Oficla found among the top 20 malware threats most frequently detected in e-mail. Intruders also often resorted to malicious scripts detected by Dr.Web anti-viruses as JS.Redirector.based.3. Embedded in HTML documents attached to spam messages, they redirect users to web sites that spread malware or to advertisements that typically promote pharmaceutical products.

Malicious files detected in mail traffic in June

01.06.2010 00:00 – 01.07.2010 00:00

1   Trojan.DownLoad1.58681        94881 (10.75%)
2   Trojan.Oficla.38              90647 (10.27%)
3   Trojan.Winlock.1651           73241 (8.30%)
4   Trojan.Oficla.zip             53192 (6.03%)
5   JS.Redirector.based.3         49394 (5.60%)
6   Trojan.Oficla.45              36125 (4.09%)
7   Trojan.Inject.8798            32974 (3.74%)
8   Win32.HLLW.Shadow.based       31944 (3.62%)
9   Trojan.Botnetlog.zip          28964 (3.28%)
10  Trojan.Packed.20425           22365 (2.53%)
11  Trojan.DownLoad1.62000        22311 (2.53%)
12  Trojan.Click1.10425           22229 (2.52%)
13  Win32.HLLW.Kati               16839 (1.91%)
14  Trojan.Inject.8874            12293 (1.39%)
15  Trojan.DownLoader.origin      10000 (1.13%)
16  Trojan.Siggen1.41503           9198 (1.04%)
17  Trojan.Oficla.33               7436 (0.84%)
18  Trojan.Packed.436              6902 (0.78%)
19  Win32.HLLW.Shadow.6            6765 (0.77%)
20  Win32.HLLW.Autoruner.4360      5299 (0.60%)

Total scanned: 13,188,581,400
Infected: 847,004 (0.0642%)

Malicious files detected on user machines in June

01.06.2010 00:00 – 01.07.2010 00:00

1   Trojan.Inject.8798          1265565 (13.62%)
2   Trojan.Siggen1.37243         678958 (7.31%)
3   ACAD.Pasdoc                  672529 (7.24%)
4   Trojan.Packed.20343          301736 (3.25%)
5   Trojan.Siggen1.51699         280021 (3.01%)
6   Win32.HLLW.Gavir.ini         279207 (3.01%)
7   Win32.HLLW.Shadow            263432 (2.84%)
8   Win32.HLLW.Shadow.based      263423 (2.84%)
9   Trojan.Siggen1.40023         227444 (2.45%)
10  Trojan.AuxSpy.229            217638 (2.34%)
11  Win32.HLLP.Jeefo.36352       214459 (2.31%)
12  Win32.HLLP.Neshta            214243 (2.31%)
13  VBS.Sifil                    207502 (2.23%)
14  Trojan.DownLoad.32973        205901 (2.22%)
15  Trojan.WinSpy.641            198304 (2.13%)
16  Win32.HLLW.Autoruner.5555    125789 (1.35%)
17  Adware.OSSProxy               96510 (1.04%)
18  Win32.HLLM.Generic.440        84592 (0.91%)
19  BackDoor.IRC.Sdbot.4590       72811 (0.78%)
20  VBS.Autoruner.8               63321 (0.68%)

Total scanned: 64,422,986,656
Infected: 9,288,857 (0.0144%)


Trojan.Stuxnet surpasses blockers in the searing heat of July 2010

August 3, 2010

July 2010 saw the discovery of a large population of Trojan.Stuxnet programs in the wild. These malicious programs take advantage of an alternative autorun mechanism to start from removable media and also make use of digital signatures stolen from popular software developers. It’s also become the norm for malware to use bootkit technologies. Meanwhile, in the face of effective countermeasures, Windows blockers are on the decline, and now criminals are searching for alternatives to paid short messages.

Trojan.Stuxnet gets in through the shortcut loophole

The new malicious program classified by Dr.Web as Trojan.Stuxnet was the summer “blockbuster” that forced anti-virus vendors to mobilize their resources once again. The new Trojan exploits a newly discovered Windows vulnerability and has at its disposal a few novel techniques that allow it to evade Windows defences. It has already proven to pose a real threat; industrial espionage was the first application of Trojan.Stuxnet.1.

The malware installs two drivers into the system. One of them—a file system driver-filter—hides Trojan components on removable media. The second driver injects an encrypted dynamic library into system processes and the programs needed to perform its main task.

Makers of the new Trojan prepared some unpleasant surprises for users. The first one is the aforementioned vulnerability: the malware takes advantage of a flaw in the shortcut handling mechanism of Windows. However, it should be noted that Microsoft responded to the new threat in a timely manner. According to the maker of Windows, 32- and 64-bit versions of Windows beginning with Windows XP and up to Windows 7 and Windows Server 2008 R2 are vulnerable. Criminals can exploit the vulnerability in these Windows versions to launch malicious programs on a target machine remotely. In addition, malicious code can be integrated into documents with embedded shortcuts and can be spread by exploiting the vulnerability.

On August 2, 2010, Microsoft issued a critical security update for all affected versions of Windows. If automatic updating is enabled in the system, the update is installed automatically. However, a system must be restarted for changes to take effect.

But the above was not the only surprise; the malicious drivers have digital signatures stolen from developers of legal software. In July, the drivers were fitted with signatures belonging to such companies as Realtek Semiconductor Corporation and JMicron Technology Corporation. Digital signatures allow criminals to install the drivers into the target system in the silent mode.

It’s worth noting that the drivers are not the only things bearing digital signatures; the malicious file that launches from removable media with the exploitation of Windows Shell’s vulnerability also has a digital signature. However, it becomes invalid almost immediately after the Trojan’s initial launch as the embedded counter routine modifies the executable file.

Trojan.Stuxnet.1 quickly attracted copy-cats who exploited the same vulnerability. Such programs are detected by Dr.Web anti-viruses as Exploit.Cpllnk. Within just a few days, these programs ranked at the top of the Top 20 Viruses detected on user machines in July, while Trojan.Stuxnet.1 was the sixth most frequently detected malicious program.

Programs exploiting the vulnerability are found in large numbers in the wild. The trend will probably persist until the security patch is installed on most computers. Doctor Web also promptly added routines for curing the Trojan to its virus database.

Mass use of bootkits

Bootkits are malicious programs that modify the boot sector of a disk, and they are becoming default components of malware. Standard tools for detection of malicious code are unable to reveal if the boot sector has been modified and can only find malicious files on a disk. In such cases, a virus will get into the system again even if it has been cured. The only way to completely neutralize the threat is to restore the boot sector to its original state.

There are few comprehensive anti-virus solutions capable of uncovering boot sector modifications and completely curing the compromised system. In most cases anti-virus developers advise users to solve the problem by means of special utilities. However, a user often doesn’t start searching for another solution since he doesn’t realize that his anti-virus is simply unable to detect that the boot sector of the system disk has been modified.

Trojan.Hashish was among the bootkits that disturbed users in July. In the previous month it had mainly targeted Europeans. The Trojan opened multiple Internet Explorer windows that displayed advertisements even if a different default browser was set in the system. Another perceivable effect of the presence of Trojan.Hashish in the system is the repeated playing of the application launch sound if such a sound is present in the system.

Blockers back off

In July, the blocker epidemics continued on a smaller scale with Doctor Web’s statistics server registering over 280,000 instances of detection of Windows blockers—down from June’s figure of 420,000. The decline is largely the result of the successful implementation of joint countermeasures by users and anti-virus developers, including Doctor Web. As law enforcement agencies and telecom operators cracked down on SMS fraudsters, makers of blockers had to devise other schemes for converting their profit into actual money. They make use of various online payment systems and often provide users with several payment options.

Support requests related to the blocking of social-networking, mail, and search-engine sites increased. By the end of July, the number of these requests exceeded the number of calls related to the blocking of the Windows desktop.

In upcoming months, the number of blockers is expected to shrink even further, as payment schemes that don’t involve short messages are far less effective and law enforcement agencies are paying more attention to the problem. The number of users who know about alternative, free ways to unblock their systems is also growing steadily.

Other notable species of malware

Various modifications of Trojan.Oficla are being spread over e-mail on a large scale. Messages with attached HTML-files (JS.Redirector) are also being found in mail traffic. Such messages redirect users to advertising and malicious web sites. Increased activity of polymorphic file viruses of the Win32.Sector family has also been registered. Dr.Web has long been known for its ability to cure systems of complex polymorphic viruses. Nonetheless, in June, Doctor Web’s developers optimized routines for better detection of malicious programs of this type. European users are still being plagued by banking Trojans that prompt them to reveal their single-use TAN codes (see the June review for more details) as well as by new variations of fake anti-viruses that inherit the look and feel of their predecessors.

In conclusion, it can be said that anti-virus developers and users didn’t face any insurmountable challenges in July. The prompt release of the security patch by Microsoft will most likely result in a rapid decline in the numbers of shortcut vulnerability exploiters detected by Dr.Web as Exploit.Cpllnk. Since bootkits are now a common feature of malicious programs, anti-virus developers will have to incorporate capabilities for detecting boot-sector modifications into their comprehensive solutions rather than rely on single-purpose utilities. As for blockers and their makers, the figures show that comprehensive countermeasures do yield results.

Malicious files detected in mail traffic in July

01.07.2010 00:00 — 01.08.2010 00:00

1   Trojan.Oficla.38             558788 (29,38%)
2   Trojan.MulDrop1.27707        239578 (12,60%)
3   Trojan.Oficla.zip            168193 (8,84%)
4   Trojan.Oficla.33              76344 (4,01%)
5   Trojan.Siggen1.33477          65827 (3,46%)
6   Win32.HLLW.Shadow.based       57468 (3,02%)
7   Trojan.DownLoad1.58681        54228 (2,85%)
8   Trojan.Botnetlog.zip          52785 (2,78%)
9   Trojan.Oficla.45              39496 (2,08%)
10  Trojan.Winlock.1651           33622 (1,77%)
11  Trojan.Inject.8960            26565 (1,40%)
12  JS.Redirector.64               2720 (1,19%)
13  Trojan.Inject.8798            22703 (1,19%)
14  Trojan.Packed.20425           19863 (1,04%)
15  Trojan.MulDrop1.39520         16794 (0,88%)
16  Trojan.Packed.20543           16105 (0,85%)
17  BackDoor.Qbot.20              13834 (0,73%)
18  JS.Redirector.68              13829 (0,73%)
19  Win32.HLLW.Kati               13021 (0,68%)
20  JS.Redirector.based.3          9533 (0,50%)

Total scanned: 11 135 769 221
Infected: 1 901 822 (0,02%)

Malicious files detected on user machines in July

01.07.2010 00:00 — 01.08.2010 00:00

1   Exploit.Cpllnk               485069 (5,94%)
2   Trojan.Siggen.29465          453671 (5,69%)
3   Trojan.AuxSpy.229            421063 (5,29%)
4   Win32.HLLP.PissOff.36864     256127 (3,21%)
5   Win32.HLLW.Gavir.ini         246137 (3,09%)
6   Trojan.Stuxnet.1             233726 (2,93%)
7   Win32.HLLW.Shadow.based      224531 (2,82%)
8   Trojan.DownLoad.32973        180925 (2,27%)
9   Win32.HLLW.Autoruner.5555    177170 (2,22%)
10  Trojan.PWS.Siggen.2674       170996 (2,15%)
11  ACAD.Pasdoc                  152498 (1,91%)
12  Trojan.Winlock.472           142707 (1,79%)
13  VBS.Sifil                    133643 (1,68%)
14  Trojan.Siggen1.40023         123169 (1,55%)
15  Win32.Sector.16               99146 (1,24%)
16  Trojan.MulDrop.55658          91117 (1,14%)
17  Trojan.Packed.20343           84027 (1,05%)
18  Win32.HLLW.Autoruner.based    77867 (0,98%)
19  BackDoor.IRC.Sdbot.4590       76312 (0,96%)
20  Trojan.DownLoad2.8448         73995 (0,93%)

Total scanned: 61 372 607 281
Infected: 7 966 770 (0,01%)


Virus news of August 2010

September 3, 2010

The last month of summer abounded with virus news. It saw the forecast for a 64-bit Windows rootkit come true, the emergence of new modifications of malware for Android, and a surge of criminal activity involving the use of social engineering techniques designed to lure users into malicious schemes on web sites and via instant messengers. Countermeasures taken against Windows blockers yielded long-awaited results, as a first criminal investigation regarding the use of blockers was officially launched in Russia.

Rootkit for 64-bit systems

As our 2009 virus activity review predicted, the first rootkit for 64-bit systems made its debut. The new version of BackDoor.Tdss brought new challenges to security software developers.

Windows operating systems for the 64-bit platform feature defence mechanisms that prevent the installation of malicious drivers — the system checks whether the driver has a digital signature while the PatchGuard technology doesn’t allow malware to modify the OS kernel. However, the new BackDoor.Tdss successfully bypasses the obstacles by means of a bootkit, which, once installed, allows the backdoor to modify the MBR and take control of the operating system loading process. It allows the rootkit driver to be installed in the system before the defence mechanisms are activated.

Currently the Dr.Web virus database contains entries that allow the anti-virus to detect various modifications of the new BackDoor.Tdss. On September 1, 2010, Doctor Web released its updated GUI Scanner for 32-bit systems. Development of a 64-bit version of the Dr.Web Shield anti-rootkit is underway; it will be made available to all Dr.Web users shortly.

Malicious programs for Android

On August 26, Doctor Web released a new product — Dr.Web for Android. It came out at just the right moment, with entries for several modifications of Android.MobileSpy programs and Android.SMSSend.2 added into the Dr.Web virus database. Android.SMSSend.2 is a malicious program that sends paid short messages from a compromised device without its owner’s consent.

None of the known malicious programs for Android is capable of self-replication. This means that users must be lured into installing such programs into their systems. Yet all of them pose a threat to personal information stored on devices as well as to users’ cell phone accounts.

Despite the fact that prior to installation a user is informed about which Android features the application is going to use, criminals resort to various social engineering techniques to make a victim disregard such messages. Malicious programs are offered to users as games, screen savers, and applications that disguise their malicious intentions behind harmless features. Spyware can also be installed if an intruder gets access to a device belonging to a careless user.

Pay to extract

In August, a large number of malicious sites with the same look and feel as popular web sites specializing in film, song and e-book archives were discovered.

These malicious sites allow a user to download an 8-16 megabyte executable file, the likes of which are detected as Trojan.SMSSend modifications by Dr.Web. The files look like self-extracting archives, and launching such files brings up a window supposedly displaying how the extraction is progressing. However, at a certain moment, the progress bar stops and the user is prompted to send a paid short message from his mobile phone in order to complete the process. Ultimately the user is deceived twice: several hundred roubles are debited from the mobile account, and no useful information is found in the archive.

Criminals resorting to such fraud create sites featuring design elements resembling known Internet services (Google, Yandex) or popular software products (WinRAR) which violates the copyright of the owners of these brands.

Trust, but verify!

In August, two intrusion schemes showed how easily a user can be tricked into launching a malicious program. In both cases victims received messages supposedly from their trusted contacts, who in turn were also victims of the malicious schemes.

On August 16, Win32.HLLW.Natchs was spread over ICQ. The program ends operation of popular ICQ clients, retrieves an ICQ account password, connects to a server using the account information and sends itself to contacts on the list of the compromised account. Win32.HLLW.Natchs can also maintain a simple conversation with a potential victim and transfer its files via the ICQ protocol instead of offering a download link. These abilities added credibility to malicious messages.

On August 30, spam messages were reportedly being distributed among Facebook users. Messages contained a link to a specifically designed application available on the social networking web site. The application exploited a Facebook vulnerability that allows messages to be sent to everyone on the “friends list” of the user who clicks on the link. With this act, criminals demonstrated the great malicious potential of applications uploaded onto social networking sites.

Doctor Web recommends that you exercise caution whenever you get a message with an attached executable file or containing a link to an unfamiliar web site even if such a message is from a trusted contact. If you’ve received such a message, you should contact the supposed sender by another means to make sure that he indeed sent the message.

Crime and punishment

In August, Moscow law enforcement agencies, for the first time in history, launched an official criminal investigation against extortionists who used Windows blockers (Trojan.Winlock programs as classified by Dr.Web). The criminals had been in operation for the previous 12 months. Law enforcement agencies hope that the investigation will be supported by the entire telecom community. For its part, Doctor Web thanks all users who provided information about the latest modifications of blocker programs.

Also last month, the number of detections of Trojan.Winlock dropped by 50 percent and reached 140,000 instances of detections per month. However, roughly 100 people a day are applying to Doctor Web for support in cases related to Internet fraud.

The top spots on this month’s rankings list of the most prolific blockers went to two modifications of Windows blockers, neither of which involved demanding payment via short messages. Instead users were offered to either have their money credited to a mobile phone account or transferred by means of electronic payment systems.

Other news

Exploit.Cpllnk, the program that exploits a Windows vulnerability to launch malware from removable data-storage devices, was the most frequently detected malicious program on user machines in August. However, incidences of its detection dropped in the last days of the month.

Users in Europe remained the targets of banking Trojans, which resulted in tougher security measures being introduced. These involved entering a larger number of single-use codes on Internet banking web sites to safeguard transactions: the number of such codes per list has increased from 20 to 40.

Fake anti-viruses (Trojan.Fakealert) spread in Europe as well as in Russia. European users were prompted to pay for a bogus anti-virus with their credit cards, while Russians were typically pushed into sending paid short messages. To compel Russian users into paying for the fake, images from adult-content web sites would be displayed, leading them to believe that malicious programs had entered their systems. It was claimed that the bogus anti-virus would help users eliminate such “infections”.

Client software for the Oficla botnet (Trojan.Oficla) and Trojan.PWS.Panda password stealers were spread via e-mail.

September will most likely see more revelations regarding the 64-bit rootkit. Some anti-virus vendors will probably enhance their products with features that will allow them to cure systems of the rootkit. The number of ransomware species appears to be on the decline, while e-mail will most likely remain one of the basic means of spreading malware in the months to come.

Malicious files detected in mail traffic in August

 01.07.2010 00:00 — 01.08.2010 00:00 
1
245764 (13,62%)
2
212565 (11,78%)
3
207763 (11,51%)
4
198346 (10,99%)
5
126509 (7,01%)
6
81090 (4,49%)
7
72949 (4,04%)
8
58206 (3,22%)
9
51422 (2,85%)
10
46564 (2,58%)
11
45415 (2,52%)
12
38610 (2,14%)
13
35934 (1,99%)
14
33936 (1,88%)
15
27392 (1,52%)
16
25509 (1,41%)
17
25469 (1,41%)
18
23430 (1,30%)
19
21457 (1,19%)
20
21093 (1,17%)

Total scanned:

12,924,385,092

Infected:

1,804,893 (0,01%)

Malicious files detected on user machines in August

 01.07.2010 00:00 — 01.08.2010 00:00 
1
2323984 (18,74%)
2
1371549 (11,06%)
3
992910 (8,01%)
4
630531 (5,09%)
5
521687 (4,21%)
6
376117 (3,03%)
7
348662 (2,81%)
8
282339 (2,28%)
9
258509 (2,09%)
10
248243 (2,00%)
11
218202 (1,76%)
12
215135 (1,74%)
13
212685 (1,72%)
14
188934 (1,52%)
15
181195 (1,46%)
16
149215 (1,20%)
17
146271 (1,18%)
18
121070 (0,98%)
19
118002 (0,95%)
20
105532 (0,85%)

Total scanned:

65,191,497,071

Infected:

12,398,403 (0,02%)


Politics and fraud: virus events of September 2010

October 4, 2010

September saw an overwhelming number of news posts proclaiming the start to a cyber war sparked by Trojan.Stuxnet and providing suggestions as to what the virus maker’s goals might be. Meanwhile, cyber fraudsters were busy testing atypical extortion techniques, botnet owners took advantage of network system administrator carelessness, and makers of malware for Android carried out “surgical strikes.”

Trojan.Stuxnet and politics

In September, news headlines screamed about Trojan.Stuxnet, whose appearance attracted tremendous publicity due to the geographical extent of its impact. Many news posts related to the Trojan dealt mainly with politics and proposed that the makers of Trojan.Stuxnet aimed to disrupt the launch of a nuclear power plant in Iran. In the last days of September, media reports claimed that the Trojan had spread widely in China and was targeting Chinese companies. Amid such speculations little attention was paid to the technological innovations employed by the virus makers. Yet some experts resorted to a linguistic analysis of the comments found in the Trojan’s code to discern what the goals of its makers really were.

Trojan.Stuxnet is indeed a technologically advanced piece of malware that exploits several previously unknown Windows vulnerabilities. Politics aside, Doctor Web’s analysts consider the Trojan to be merely another piece of malware from which Dr.Web users must be protected. Currently there are a number of no less technologically advanced viruses in the wild, for example, the 64-bit version of Trojan.Tdss (a.k.a. TDL) for which curing routines are also diligently being developed.

Internet fraud

In September Doctor Web’s support service registered 124 requests concerning the inability to access Windows UI, web sites, or popular software. This was up from 107 such requests in the previous month of August.

At the same time, Windows blockers were being superseded by other fraudware. In particular, several Trojans discovered in September used new redirection techniques for browsers. Some Trojans made it impossible to use instant messaging applications.

As for converting their illegal income into actual money, in September cyber fraudsters preferred to receive money via cell phone account refills (around 25%) and paid short messages (around 70%).

As before Doctor Web offers free technical support to users who have fallen victim to cyber fraud.

Redirection

In the last month criminals adopted two new techniques for directing users to fake web pages. As always the techniques involved modifying the hosts file, but new technologies were also applied.

Trojan.Hosts.1581 made the browser display fake pages of a Russian bank’s web site, allowing criminals to receive remote account access parameters submitted by duped victims. It has also been discovered that this modification of Trojan.Hosts features a rootkit component that allows it to filter file operations and operations performed with the Windows Registry.

Trojan.HttpBlock programs used another tactic: they launched their own web server in an infected system and used it to display pages that mimicked popular web sites–particularly search engine pages. Here criminals demanded a ransom from users in exchange for allowing them to regain access to the sites.
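Both redirection techniques above, like the Trojan.Hosts infections described in the June review, leave the same trace on the machine: an entry in the hosts file that pins a well-known site either to a criminal’s address or to loopback, where a local fake server answers. Checking for that trace is a cheap defensive control. The following script is an added example, not Doctor Web’s code: the sample hosts file, the TEST-NET address in it and the watch list of domains are constructed for the demonstration.

```python
import ipaddress
import os

# Constructed sample of a tampered hosts file. The last two mappings are the kind
# of entries the Trojan.Hosts family writes: a social-networking site pinned to a
# criminal's address (here a TEST-NET address), and a search engine pinned to
# loopback, where a Trojan.HttpBlock-style local web server serves the fake page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      vk.com www.vk.com
127.0.0.1       www.google.com google.com
"""

# Domains that have no business being pinned in a workstation's hosts file.
# Hypothetical watch list; extend it with the sites your users actually use.
WATCHED_DOMAINS = {"vk.com", "odnoklassniki.ru", "mail.ru", "facebook.com",
                   "google.com", "yandex.ru"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not a mapping
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def registrable_name(host):
    """Crude eTLD+1: enough for the two-label domains on the watch list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_hijacked(text, watched=frozenset(WATCHED_DOMAINS)):
    """Return one finding per watched hostname that the hosts file overrides.
    Any override counts: a remote address redirects to a phishing page, a
    loopback address hands the request to a local fake server."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue
        if registrable_name(host) in watched:
            kind = "loopback (local fake server)" if ip.is_loopback else "remote address"
            findings.append({"line": line_no, "host": host, "ip": str(ip), "kind": kind})
    return findings


def hosts_path():
    """Location of the live hosts file on Windows and Unix-like systems."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for f in find_hijacked(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['kind']}]")
```

To check a real machine, read `hosts_path()` instead of `SAMPLE_HOSTS`. Two caveats apply: corporate environments sometimes pin internal names legitimately, so findings need triage rather than automatic deletion; and a modification with a rootkit component, like the Trojan.Hosts.1581 variant described above, can filter file operations, so a read taken on the running system may not show the true file contents, and the file should be read from trusted boot media when a rootkit is suspected.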

IM blocker

Trojan.IMLock, which blocks the launch of popular instant messaging clients such as ICQ and Skype, was discovered at the end of September. Instead of launching a program, the Trojan displayed a message, mimicking the design of the blocked messenger and informing the user that he had to send a paid short message in order to regain access to his IM account. To neutralize the Trojan, simply check your system with the Dr.Web scanner.

Malicious web site for Android only

A new malicious program for Android (Android.SmsSend.2) was discovered in September. Its functionality differed little from that of its predecessors (e.g. it sent paid short messages from infected mobile devices), with one significant difference: the download of the Trojan was initiated only if a potential victim loaded a bogus web page onto a device that was running Android. Perhaps criminals believed that such a selective approach would make it more difficult to discover the malicious site.

New botnet trends

At the end of September, Doctor Web’s analysts discovered a botnet comprised of computers on which the server side of Radmin software was installed and running. This software is the most widely used for remote administration. The malicious program that infects computers and connects them to the botnet was classified by Dr.Web as Win32.HLLW.RAhack.

However, a system would only get infected if an administrator password used to access Radmin was found on the worm’s list. It turned out that many administrators were using weak passwords.

As for trends that could develop in October 2010, they will most likely be related to fraudware and new malicious programs that substitute fake web pages for real ones when certain sites are accessed. This is because criminals have found such programs to be the most profitable. Owners of botnets, which are often used to spread malware, will keep trying to create such networks using non-standard software and hardware solutions since such approaches ensure that infection remains undetected.

Viruses detected in e-mail traffic in September

01.09.2010 00:00 – 01.10.2010 00:00

1
337845 (11.46%)
2
308357 (10.46%)
3
252490 (8.57%)
4
246976 (8.38%)
5
230637 (7.82%)
6
118139 (4.01%)
7
102740 (3.49%)
8
90503 (3.07%)
9
65819 (2.23%)
10
57658 (1.96%)
11
52397 (1.78%)
12
49619 (1.68%)
13
49478 (1.68%)
14
43600 (1.48%)
15
32908 (1.12%)
16
26135 (0.89%)
17
24706 (0.84%)
18
24681 (0.84%)
19
22101 (0.75%)
20
19668 (0.67%)

Total scanned:

22,631,101,955

Infected:

2,947,658 (0.01%)

Viruses detected on user machines in September

01.09.2010 00:00 – 01.10.2010 00:00

1
8273098 (23.82%)
2
5135896 (14.79%)
3
3690668 (10.63%)
4
1977696 (5.70%)
5
1927627 (5.55%)
6
1370895 (3.95%)
7
1300940 (3.75%)
8
1091703 (3.14%)
9
1042949 (3.00%)
10
823512 (2.37%)
11
795502 (2.29%)
12
620668 (1.79%)
13
561893 (1.62%)
14
298586 (0.86%)
15
248724 (0.72%)
16
228104 (0.66%)
17
213306 (0.61%)
18
151676 (0.44%)
19
145085 (0.42%)
20
136102 (0.39%)

Total scanned:

12,949,782,895,195,462

Infected:

34,724,949 (0.00%)


Old and new forms of deceit in October 2010

November 3, 2010

In October, cyber criminals developed new twists on old familiar schemes to redirect users from popular web sites to bogus resources, and thus demonstrated that the number of Internet fraud techniques is infinite. Virus makers also exploited the popularity of some of the most notorious malicious programs to spread their malware under the guise of a vaccine that protects against them. Meanwhile, the battle between viruses and anti-viruses is gradually moving onto a new field: the x64 platform.

Anti-rootkit x64

On October 26, 2010, Doctor Web released a beta-version of its free utility Dr.Web CureIt! featuring two versions of the anti-rootkit module Dr.Web Shield, designed for the 32- and 64-bit versions of Windows. The improved Dr.Web CureIt! detects the 64-bit version of BackDoor.Tdss and can cure it.

A distinguishing feature of this malicious program is its bootkit components which allow it to load before an operating system is started, thus controlling an OS’s loading process and bypassing protection mechanisms that prevent the installation of unsigned drivers. Once the malicious driver is installed, the rootkit can covertly perform its malicious tasks in the system. When testing of the Dr.Web CureIt! beta is over, the scanner will be incorporated in all Dr.Web anti-viruses for Windows.
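The bootkit mechanism described here, in the July review (“Mass use of bootkits”) and in the August note on BackDoor.Tdss for 64-bit Windows comes down to one modification: the boot code in the MBR is replaced while the partition table is left intact so that the system still starts. A file-level scan never sees that, which is why the July review says the only cure is restoring the boot sector. The following script is an added example of the missing check, not Doctor Web’s code: it parses a 512-byte MBR, hashes the boot-code area, decodes the partition entries and compares both against a baseline recorded when the disk was known to be clean. The sample MBRs it builds are constructed (arbitrary bytes stand in for boot code) and are not real boot sectors.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code; 440..445: disk signature + pad
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr):
    """Parse a 512-byte MBR into a boot-code hash plus its partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR (wrong size or missing 0x55AA signature)")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    # The Windows disk signature at 440..443 is excluded from the hash on purpose:
    # the OS may rewrite it legitimately, the boot code it should not.
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr, baseline):
    """Compare a live MBR with a baseline recorded from the same disk when it was
    known to be clean. Returns a list of findings; an empty list means no change."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code):
    """Constructed MBR for the demonstration: arbitrary bytes as 'boot code', one
    bootable NTFS-type (0x07) partition at LBA 2048, valid signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def demo():
    """Returns (findings for the clean MBR, findings for the modified MBR)."""
    clean = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE")
    baseline = parse_mbr(clean)
    # The bootkit case: boot code rewritten, partition table untouched so the
    # OS still boots and a file-level scan has nothing to flag.
    modified = build_sample_mbr(b"CONSTRUCTED-MODIFIED-BOOT-CODE")
    return check_mbr(clean, baseline), check_mbr(modified, baseline)


if __name__ == "__main__":
    print(demo())
```

Reading the real sector means opening the raw disk (on Windows `\\.\PhysicalDrive0`, which needs administrator rights) and taking the first 512 bytes. The same caveat as for any rootkit applies: a bootkit that is already active controls the loading process, and the page notes that such malware ships filter drivers, so both the baseline and the comparison read should be taken from trusted boot media rather than from the running system whenever an infection is suspected.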

Ill fame for ill intentions

At the same time as anti-virus companies study new malicious programs and make their findings available to the media, who in turn alert users to the dangers, criminals are using this same knowledge to spread their own malicious programs, disguising them as tools that will neutralize other, more notorious ones.

In October, Doctor Web’s virus analysts discovered three incidents of such fake utilities being spread. The most well-known of these involved the mailing of a utility that was supposedly being offered by a renowned anti-virus vendor to neutralize the notorious Trojan.Stuxnet. Dr.Web detects the fake utility as Trojan.KillAll.94. Reports about this Trojan were received from European users.

Distributors of fake self-extracting archives (Trojan.SMSSend) realized that certain types of their “products” (e.g. WinRARC) were gaining in popularity and that some users were failing to notice that such “archives” didn’t contain any useful information. This encouraged criminals to go further: they began spreading other fake archives as utilities for extracting files compressed with WinRARC. No doubt, a user had to send a certain amount of money to criminals in order to use the “utility”.

A new modification of Trojan.Hosts appeared in the wild at the end of October. The malware targeted Russian users, informing them that their systems were infected by a variation of Zbot (Trojan.PWS.Panda under the Dr.Web classification), and prompted them to send a paid short message to get their systems cured.

Internet fraud in October

The number of requests for support (available free of charge to victims of cyber fraud) in October didn’t differ much from that of September: 118 requests per every 24 hours vs. the September figure of 124.

Most requests were received in the first two weeks of the month, when Trojan.HttpBlock was found in large numbers in the wild. In the peak period, the number of requests related to the Trojan per day could reach several hundred (up to 80% of all requests).

This program redirects a web browser to pages received from a web server installed by Trojan.HttpBlock in the compromised system. Criminals demand a ransom from victims to regain access to web sites.

When, on October 14, Doctor Web issued a warning about the wide spreading of Trojan.HttpBlock, short code aggregators promptly blocked criminals’ accounts, cutting the number of support requests related to Internet fraud to 50–70 per 24 hours.

With the number of Trojan.HttpBlock incidents diminishing, the top spots for the most widely spreading malware once again went to Windows blockers (Trojan.Winlock) that demand cell phone account balance refills, and to Trojans that modify the hosts file to redirect users of social networking sites and other popular web resources to bogus sites.

It should be noted that towards the end of October, criminals were tending to use schemes that lured victims into providing their cell phone numbers and replying to a free short message. These users subsequently wound up as subscribers to a paid service. This scheme, which has been around for a long time, has become popular again. But while previously it was used mainly on fraudulent web sites, it is now employed to spread malware like Trojan.SMSSend and Trojan.Hosts.

In addition, a slightly modified ransom scheme that involves mobile phones has been discovered. Here a user doesn’t need to search for an ATM, but can pay criminals instantly by dialing a service command or by sending a special short message.

Internet swindlers kid around too

A small number of Trojan.Winlock modifications discovered in October didn’t demand any unlocking codes from users. On the contrary, the text displayed in the blocking window warned users about the dangers of frittering their lives away on a popular social networking site, ultimately asking them to reflect on whether they are persons or puppets.

Other events worth mentioning here include the discovery of several modifications of Android.SmsSend that covertly send paid short messages from a compromised device. Fake anti-viruses, malware featuring bootkit technologies, and Trojans targeting Internet banking users are still being found in large numbers in Europe.

Viruses detected in e-mail traffic in October

01.10.2010 00:00 – 01.11.2010 00:00
1 599141 (14.92%)
2 418992 (10.43%)
3 305686 (7.61%)
4 254743 (6.34%)
5 237799 (5.92%)
6 232178 (5.78%)
7 179524 (4.47%)
8 120247 (2.99%)
9 101548 (2.53%)
10 93394 (2.33%)
11 87369 (2.18%)
12 67928 (1.69%)
13 61803 (1.54%)
14 53498 (1.33%)
15 51020 (1.27%)
16 45969 (1.14%)
17 42480 (1.06%)
18 35663 (0.89%)
19 33962 (0.85%)
20 33956 (0.85%)

Total scanned: 33,579,363,132
Infected: 4,016,939

Viruses detected on user machines in October

01.10.2010 00:00 – 01.11.2010 00:00
1 8277556 (25.33%)
2 6770512 (20.72%)
3 4116047 (12.60%)
4 1616962 (4.95%)
5 1334519 (4.08%)
6 862594 (2.64%)
7 714726 (2.19%)
8 596437 (1.83%)
9 469055 (1.44%)
10 458892 (1.40%)
11 450340 (1.38%)
12 447519 (1.37%)
13 400975 (1.23%)
14 282147 (0.86%)
15 221668 (0.68%)
16 220591 (0.68%)
17 213851 (0.65%)
18 156212 (0.48%)
19 154582 (0.47%)
20 136309 (0.42%)

Total scanned: 84,690,812,733
Infected: 32,677,797

Posted in DrWeb

Grandmasters of cyber-fraud look for gains: November 2010 virus review from Doctor Web

December 3, 2010

In November cyber-criminals demonstrated even greater creativity than before. As a result, anti-virus vendors and users were confronted with new fraud techniques involving bootkit technologies. New modifications of encoder Trojans targeted European users. Criminals seeking the biggest gains attacked online banking systems.

Windows boot blocker

As soon as Trojan.MBRlock.1 appeared in the wild in November, it was employed by cyber-fraudsters. This malicious program is unlike any other malware used to implement fraud schemes.

It bypasses the UAC protection mechanism, so its installation goes unnoticed by users. Once installed, the Trojan writes its code into the MBR and into other nearby disk sectors.

The code written to the MBR loads data from the neighbouring disk sectors. The result is a message to users demanding that they pay $100 to unlock their systems.

The message also informs a user that all of the files located on all of the computer’s disks are encrypted. This is not true.

In any event, a system compromised by the Trojan cannot be cured from inside, since it will not boot.

Entering a correct password restores the MBR after which the installed operating system boots normally.

Currently several modifications of Trojan.MBRlock.1 are known, but Dr.Web detects them as the same piece of malware.

To cure the system, enter the unlock code ekol or jail. If neither works, contact the free Doctor Web technical support service for victims of cyber-fraud.

Certain modifications of Trojan.MBRlock.1 had been detected by the Dr.Web heuristic analyzer as MULDROP.Trojan before a corresponding entry was added to the Dr.Web virus database. Dr.Web users were protected from the Trojan even when no virus definitions for this malicious program were available.
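The description above implies two changes a defender can look for on disk: the boot code in sector 0 is replaced, and the normally empty sectors between the MBR and the first partition are filled with the Trojan's data. The following Python script is an added example (not Doctor Web's code or tooling) that compares the first sectors of a disk image against a trusted baseline and reports exactly those changes, plus a missing 0x55AA boot signature and a modified partition table. The disk images, boot-code bytes and partition layout are constructed for the example; on a real machine you would read the first sectors of the physical disk with administrator rights and keep the baseline offline. Boot managers also write to the gap sectors legitimately, so the script only reports gap sectors that were empty in the baseline and are populated now, and a hit is a reason to compare against the baseline, not proof of infection.

```python
"""Baseline comparison of the first sectors of a disk (added example)."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # boot code occupies bytes 0..445 of sector 0
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIG_OFF = 510            # 0x55 0xAA boot signature at bytes 510..511


def parse_mbr(sector0):
    """Split sector 0 into a boot-code hash, the used partition entries and the signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:                       # type 0 marks an unused slot
            partitions.append((status, ptype, lba_start, n_sectors))
    return {
        "boot_code_sha256": hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": struct.unpack_from("<H", sector0, SIG_OFF)[0] == 0xAA55,
    }


def nonzero_gap_sectors(image, first_partition_lba):
    """LBAs between the MBR and the first partition that contain any non-zero byte."""
    used = []
    for lba in range(1, first_partition_lba):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            used.append(lba)
    return used


def audit_disk(baseline, current):
    """Compare the current image with a trusted baseline and return human-readable findings."""
    findings = []
    base, cur = parse_mbr(baseline[:SECTOR]), parse_mbr(current[:SECTOR])
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("MBR boot code changed since baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed since baseline")
    first_lba = min((p[2] for p in cur["partitions"]), default=1)
    # Boot managers may legitimately use the gap, so only sectors that were empty
    # in the baseline and are populated now are reported.
    newly_used = sorted(set(nonzero_gap_sectors(current, first_lba))
                        - set(nonzero_gap_sectors(baseline, first_lba)))
    if newly_used:
        findings.append("newly written gap sectors: %s" % newly_used)
    return findings


def build_image(boot_code, gap_payload=b"", first_lba=63):
    """Construct a small disk image for the example: MBR plus the gap sectors before partition 1."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    # one active entry, type 0x07 (NTFS), CHS fields left zero, 2048 sectors long
    struct.pack_into("<BBBBBBBBII", mbr, PART_TABLE_OFF,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, first_lba, 2048)
    mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    gap = bytearray(SECTOR * (first_lba - 1))
    gap[:len(gap_payload)] = gap_payload
    return bytes(mbr) + bytes(gap)


# Constructed sample data: a clean image, and a copy whose boot code was replaced and whose
# gap sectors 1..5 now hold a payload, which is the pattern the MBRlock description implies.
BASELINE = build_image(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)
TAMPERED = build_image(b"\xeb\x3c\x90" + b"\xcc" * 200, gap_payload=b"LOCKED" * 400)

if __name__ == "__main__":
    print("baseline vs itself:", audit_disk(BASELINE, BASELINE))     # []
    print("baseline vs tampered:", audit_disk(BASELINE, TAMPERED))
```

The baseline hash of the boot code is what makes the check meaningful: without a known-good copy, a modified sector 0 looks just as valid as the original, because the Trojan keeps the partition table and the 0x55AA signature intact so that the machine still "boots" into its ransom screen.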

New Trojan encoder

Encoder Trojans drew the public’s attention once again in November. This time criminals targeted European users.

Trojan.Encoder.88 uses the AES-256 encryption algorithm to encrypt documents in many popular formats, which complicates decryption. Trying every possible key to restore the files on a single computer would take 2^256 operations, a number greater than a 1 followed by 77 zeros.

A unique encryption key is generated for each compromised machine. It is encrypted using the RSA algorithm and saved to a disk as a text file.

Origins Tracing technology enabled Dr.Web to detect Trojan.Encoder.88 as Trojan.Encoder.origin even before an entry for this program was added to the database.

Fraud in November: winlocks returned

In November the free technical support service received around 4,700 requests from cyber-fraud victims which constituted 42% of all requests. The daily average of requests amounted to 146 which exceeded the October figure by one third.

Trojan.Winlock became the most widely spread malicious program used for fraud (73% of all requests). A significant number of fraud incidents were related to Trojan.Hosts that blocked access to popular web resources.

Criminals also changed routines for converting their profit into actual money. Malicious programs demanding that users send paid short messages were less popular in November, and the number of requests related to such programs reached only 31% of the total. Meanwhile the option that involves paying criminals via terminals became more appealing to fraudsters (60% of all requests).

Banking Trojans on the offensive

November saw the emergence of new Trojans targeting users of online banking systems, both individuals and businesses.

In particular, several modifications of Trojan.PWS.Ibank.213 were added to the Dr.Web virus database.

Variations of the Trojan serve as containers of malicious payloads. Their most harmful feature is their ability to disable security software components. The Trojan can detect whether it is being launched in a virtual environment where it can be safely analyzed. Disabling the system restore service is also among its malicious capabilities.

To collect the information required to access bank accounts online, the Trojan intercepts certain system routines as well as functions of online banking systems, and stores information entered by a user with a keyboard. The fact that Trojan.PWS.Ibank.213 can communicate with a remote server, and download and launch executable files, shows that systems compromised by this program become nodes of a botnet.

November 2010 showed that criminals can make use of various malicious programs to accomplish a wide variety of tasks. When it comes to neutralizing them, anti-viruses capable of protecting a system from all kinds of malware and of curing it proved to be the most efficient. Yet, it is users who still remain the weakest element of the computer defense system. Doctor Web would like to emphasize once again that following basic information security rules dramatically reduces the probability of system infection.

Viruses detected in e-mail traffic in November

01.11.2010 00:00 – 01.12.2010 00:00
1 Trojan.DownLoader.62844 887472 (16.61%)
2 Trojan.DownLoad1.58681 560304 (10.49%)
3 Trojan.Packed.20878 409498 (7.67%)
4 Win32.HLLW.Texmer.51 386408 (7.23%)
5 Win32.HLLM.Netsky.18401 317070 (5.93%)
6 Trojan.Oficla.zip 296642 (5.55%)
7 Win32.HLLM.MyDoom.33808 270438 (5.06%)
8 Trojan.Packed.20312 246743 (4.62%)
9 Trojan.DownLoad.41551 231569 (4.33%)
10 Trojan.Oficla.38 139866 (2.62%)
11 Win32.HLLM.Netsky.35328 121814 (2.28%)
12 Trojan.AVKill.2788 103700 (1.94%)
13 Win32.HLLM.Beagle 98470 (1.84%)
14 Trojan.PWS.Panda.114 90471 (1.69%)
15 W97M.Killer 74444 (1.39%)
16 Trojan.DownLoader1.17157 65832 (1.23%)
17 Trojan.PWS.Panda.387 49461 (0.93%)
18 Trojan.Oficla.73 49351 (0.92%)
19 Trojan.Oficla.48 49342 (0.92%)
20 Trojan.Botnetlog.zip 41304 (0.77%)

Total scanned: 40,984,945,769
Infected: 5,342,395

Viruses detected on user machines in November

01.11.2010 00:00 – 01.12.2010 00:00
1 Win32.HLLP.Neshta 7665428 (24.91%)
2 Win32.HLLP.Whboy.45 6184396 (20.09%)
3 Trojan.DownLoader.42350 2364188 (7.68%)
4 Win32.HLLP.Novosel 1644766 (5.34%)
5 Win32.HLLP.Rox 1177270 (3.82%)
6 Trojan.Click.64310 727694 (2.36%)
7 ACAD.Pasdoc 610404 (1.98%)
8 Win32.HLLM.Dref 520690 (1.69%)
9 Exploit.Cpllnk 413622 (1.34%)
10 VBS.Redlof 320729 (1.04%)
11 Trojan.WinSpy.925 284258 (0.92%)
12 Win32.HLLW.Shadow.based 278980 (0.91%)
13 Trojan.PWS.Ibank.238 252705 (0.82%)
14 HTTP.Content.Malformed 244692 (0.80%)
15 Trojan.MulDrop1.48542 183156 (0.60%)
16 Trojan.Click1.6029 180330 (0.59%)
17 Win32.Sector.22 142436 (0.46%)
18 Win32.HLLW.Kati 121106 (0.39%)
19 Trojan.DownLoad.32973 114280 (0.37%)
20 Win32.HLLW.Autoruner.5555 100817 (0.33%)
Total scanned: 92,810,136,138
Infected: 30,778,334

Posted in DrWeb


Malware 2010 chart

January 11, 2010

Last year could be called “the year of cyber fraud.” Today there are few users who’ve never heard of it. While developers of security software keep working to improve their products, and law enforcement agencies keep cracking down on fraudsters, new fraud schemes continue to surface. The only solution to the problem is comprehensive countermeasures on the part of anti-virus vendors, the financial institutions through which victims are making payments to cyber criminals, law enforcement agencies, and the victims of cyber fraud themselves. Valuable information about new fraud techniques received by vendors from users may contribute significantly to the anti-fraud campaign.

Fraud techniques—2010’s “Top Ten”

Below you can find information about the malicious programs used in fraud schemes during 2010. Following the long-standing tradition of top ten charts, we’ll start from the bottom. Next to the name of each scheme or malware type involved, you’ll see the corresponding name given to it by Dr.Web.

10. Pseudo-services

Offering interesting and often illegally acquired information for a small fee is a common fraud scheme. Users pay for such services with short messages that cost around 10 USD. Promised secrets range from private information about social network users to intelligence information from top-secret archives. The quality of such services is questionable. Moreover, promises of this sort are often no more than bluffs — the criminals provide nothing in exchange for the money they receive. Links to bogus sites where such services are offered are usually spread over banner networks on sites providing access to free content.

9. Fake archives. Trojan.SMSSend

Criminals set up fake torrent trackers and file storages that supposedly contain popular music, movies, and e-books. As a consequence, such bogus resources top the results returned by search engines for popular queries. Victims believe that the files they download when using such resources are archives containing information they need, while, in fact, the files are executables that look like self-extracting archives. As the user tries to decompress the archive contents, they are informed at a certain point in the data extracting process that a payment must be made to complete the process. Ultimately users are deceived twice — they send money to criminals and never obtain any useful information. The archives contain nothing but the graphic shell and junk data, while their large size (apparently aiming to put users off guard) may exceed 70 MB.

8. Boot blockers. Trojan.MBRlock

In November 2010 virus analysts registered a blocker in the wild that rewrote the MBR code to prevent the installed operating system from loading. When victims turned on their computers, ransom demands appeared on their screens.

7. IM-client blockers. Trojan.IMLock

Over the course of several months in 2010, criminals spread a malicious program that blocked the launch of popular instant-messaging clients. The malware targeted users of ICQ and Skype. Instead of the messenger window, the Trojan displayed a window that mimicked the design of the blocked software. The user was offered the opportunity to regain access to the instant-messaging service by sending a paid short message.

6. Fake anti-viruses. Trojan.Fakealert

Fake anti-viruses have a look and feel similar to those of popular anti-virus software, and their design often combines the UI features of several anti-virus programs. However, such malicious programs and anti-viruses have nothing in common. Once installed, the fakes immediately notify users that the system is infected (and to some extent, this is true) and prompt users to purchase a commercial version of the product to cure the infection.

5. Redirection to malicious websites. Trojan.Hosts

Such malicious programs modify the hosts file, so a user attempting to go to a popular website (e.g. a popular social networking site) gets redirected to a fake site that copies the design of the legitimate web resource. The user may then be ordered to pay the criminals to regain full access to the original site.
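Because Trojan.Hosts (and the October 2010 variant described above) works entirely through the hosts file, the defender's check is a small audit of that file. The Python script below is an added example, not Doctor Web's tooling: it parses a hosts file, tolerating comments and the long runs of blank lines often used to push rogue entries out of view, and reports every mapping of a watched popular domain or its subdomains, distinguishing a redirect to a remote address from a mapping to the local machine (which blocks the site, or hands it to a local web server as Trojan.HttpBlock does). The watch list, the sample hosts file and the rogue addresses (RFC 5737 documentation ranges) are constructed for the example; the default path is the standard Windows location.

```python
"""Audit a hosts file for redirected or blocked popular hostnames (added example)."""
import ipaddress

# Standard hosts location on Windows; the watch list below is constructed for the example.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
WATCHED_DOMAINS = {"vk.com", "odnoklassniki.ru", "facebook.com", "mail.ru"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) triples, ignoring comments and blank lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue                            # blank lines, including long runs hiding entries
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line, nothing to map
        for name in fields[1:]:                 # one IP may map several names on one line
            entries.append((fields[0], name.lower().rstrip("."), line_no))
    return entries


def registrable_domain(hostname):
    """Crude last-two-label approximation of the registrable domain; enough for this watch list."""
    labels = hostname.split(".")
    return ".".join(labels[-2:])


def classify(ip):
    """'local' for loopback/unspecified targets, 'remote' for anything else, 'invalid' if unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "local" if (addr.is_loopback or addr.is_unspecified) else "remote"


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Report every mapping of a watched domain (or a subdomain of it) and where it points."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watched or registrable_domain(name) in watched:
            findings.append({"line": line_no, "host": name, "ip": ip, "kind": classify(ip)})
    return findings


def audit_hosts_file(path=HOSTS_PATH):
    """Run the audit against a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked_entries(fh.read())


# Constructed sample hosts file; 192.0.2.10 and 203.0.113.5 are documentation addresses.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-blocking entry, not on the watch list



192.0.2.10      vk.com www.vk.com      # redirected to a remote fake site
203.0.113.5     odnoklassniki.ru
127.0.0.1       facebook.com           # points at the local machine
"""

if __name__ == "__main__":
    for finding in find_hijacked_entries(SAMPLE_HOSTS):
        print(finding)
```

Run against the sample, the audit reports vk.com and www.vk.com (line 8) and odnoklassniki.ru (line 9) as remote redirects and facebook.com (line 10) as a local mapping, while the ad-blocking entry and the localhost lines are left alone. Any hit for a domain the user did not add themselves is worth restoring from a clean copy, after which the machine should be scanned for the component that wrote the entry.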

4. Redirection to a local web server. Trojan.HttpBlock

Unlike Trojan.Hosts, these programs redirect a user to web pages generated by the web server installed on the compromised machine. With this approach, criminals save themselves the trouble of finding a hoster that wouldn’t take down their bogus site as soon as its malicious nature is exposed.

3. Data encryption. Trojan.Encoder

Last year saw the appearance of a multitude of new modifications of encryption Trojans targeting user documents. Once files are encrypted, these Trojans notify users that they have to pay criminals to decrypt the documents. In most cases Doctor Web releases corresponding decryption utilities in a timely manner, but since sometimes no quick decryption is possible and the ransom can be rather large, Trojan.Encoder comes in at No. 3 in the chart.

2. Windows blockers. Trojan.Winlock

Most common Windows blockers have had users and virus analysts on guard since late 2009, and so they rightfully take the second position. Blockers are malicious programs that display a window containing the criminals’ demands on top of all other windows, making those windows inaccessible until the victim pays a ransom. In 2010, Doctor Web virus analysts registered several surges of Winlock, and yet many new modifications of such programs are found in the wild at present.

1. Banking Trojans. Trojan.PWS.Ibank, Trojan.PWS.Banker, Trojan.PWS.Multi

The top spot in Doctor Web’s 2010 Malware Hit Parade goes to banking Trojans. These are malicious programs that help criminals gain unauthorized access to bank accounts over online banking systems. In 2011, we are likely to witness a shift in the criminals’ attention away from home users and towards companies which keep far greater sums of money in their accounts.

Statistics on user requests

Below you can see several graphs showing the history of user requests related to cyber fraud in 2010.

The first graph shows how the number of requests made to Doctor Web technical support, which is free for victims of cyber-fraud, varied throughout 2010. You can see that in June, when free support became available to users, the number of requests reached 400. By August when fewer variations of fraud malware were found in the wild, the number went down too. However, by the end of the year it increased again as criminals adopted more reliable methods to convert their virtual income into actual money.

Graph1

The second graph shows the percentage ratio between the numbers of requests related to fraud schemes incorporating different methods for converting criminal income into money. The blue line represents requests related to malware that demanded paid short messages from users, while the red line represents fraudware that demanded a balance refill. You can see that after a breaking point in November 2010, criminals shifted their preferences towards the second scheme.

Graph3

The third graph shows the percentage ratio between the total number of requests and the number of incidents when criminals demanded a balance refill over a payment terminal. The red and blue lines stand for different mobile operators. By December, fraudsters had adopted a new variant of the balance refill scheme which is represented on the graph by the green line. In the latter case, users refill balances for criminals by sending paid short messages. This scheme is as convenient as the standard short message scheme, but here criminals don’t need to deal with short code aggregators.

Graph3

Other notable events in 2010

Other significant events of the last year include the emergence of the first 64-bit BackDoor.Tdss rootkit for Windows featuring bootkit technologies used to infect systems. The number of multi-component malicious programs incorporating bootkit technologies is growing.

It is also worth mentioning that the number of viruses for Android and other mobile platforms has increased as well. Doctor Web responds to emerging threats with prompt releases of new anti-viruses for most popular mobile OSs.

A standing recommendation for users is to follow the basic rules of information security: Ensure that your operating system and frequently used applications are updated regularly, install an anti-virus that is updated automatically, use alternative web-browsers, and do not use a system, especially one connected to the Internet, with administrator rights.

Posted in DrWeb

Blackhat SEO numbers for December 2010 (Part I)

Blackhat spam SEO was very prevalent in 2010 and it is not likely to disappear in 2011. I’ve compiled a few statistics on Blackhat spam SEO pages found in Google search results during December 2010:

  • Number of spam pages:  4,814
  • Number of spam domains: 428
  • Number of malicious sites: 483

I usually limit my Google scans to the first 10 pages of results, so there are likely many more spam pages in Google’s full index.

Malicious sites

Fake AV pages are still the most popular type of attack, accounting for 85% of all malicious sites. Next in line are fake software stores, with 6% of the sites. I’ll give more details about this type of attack in a future blog post.

5% of the malicious sites were unreachable, and could not be classified.

Types of malicious sites: mostly fake AV

44% of the malicious sites use a .IN domain name. 25% use a .COM extension, and 16% use an IP address without a domain name. .CC domains represent only 4% of all malicious domains. .CO.CC used to be the most popular TLD for fake AV pages, but it is now .IN

Malicious sites by domain extension

Spam pages

I found 428 legitimate sites hosting 4,814 spam pages in Google search results. That’s an average of 11 spam links per domain within the top ranks for popular searches.

The spam sites are found all over the world: 31 different TLDs were found amongst spam sites. The international .COM extension was found in 58% of the sites, .ORG in 8% and .NET in 6%. The .EDU TLD represents 10% of the total. Hijacked college websites mostly led to fake software stores.

Spam sites by domain extension



Most dangerous searches

356 Google searches contained at least one malicious spam link in December 2010.

The most dangerous searches relate to buying software online, and lead to a fake store. The most dangerous popular search (shown in Google Hot Trends) was for “sherwood blount” with 63 spam links amongst the first 100 search results!

Top-10 most dangerous Google searches in December 2010

I am still compiling the numbers and will do another post on the topic shortly. It looks like malicious Blackhat spam SEO will still be a major threat, if not the most significant threat to users in 2011.

– Julien

Posted in Security

Blackhat SEO numbers for December 2010 (Part II)

This is a follow-up to the numbers I presented in Part I, which discussed malicious spam pages in Google results and the malicious sites they redirect to.

Google warnings

The number of spam pages flagged by Google represents only about 44% of all spam identified by Zscaler. If we look only at spam pages redirecting to malware, 57% are flagged. These numbers are about the same as what we saw in March 2010 (53% flagged).

52% of the malicious spam links are flagged by Google

Distributions of spam links per page

Spammers are still able to elevate their links to the first page of search results. However, compared to March 2010, there are fewer spam links on the first page than there used to be.

Number of spam links on each result page in Google

In general, more search terms contain Blackhat SEO spam links, but there are fewer such links per search, when compared to March 2010.

Number of spam links per poisoned search

Overall, Google’s Blackhat spam SEO situation has improved: there are fewer spam links on the first page and fewer search terms had more than 50% of links returned as malicious. However, Google still struggles to clean their index, or at least to warn users about real threats.

– Julien

Posted in Security

Rising Antivirus 2010 Review And Test

CSA DISCLAIMER: This video is taken from YouTube. Like any other video found on this site, it is not hosted here; it is only embedded, and was picked automatically by our system from video hosting services such as YouTube, Metacafe, and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or anything else. If you have any legal issues, please contact the appropriate host site.

Posted in Video

Facebook hours message

Scam: I was logged into Facebook for XXXX hours in 2010

Spam messages are spreading across Facebook claiming to be from users who have calculated the total hours they spent on the social network during 2010.

Would you be tempted to find out how long you had spent on Facebook in the last year? Well, I would be cautious if I were you as you could find yourself assisting scammers who are using rogue applications to make themselves a quick buck.

Facebook hours message

Typical messages read:

I was logged into facebook for XXXX hours in 2010!

Check yours @ [LINK]

or

I spent a total of XXXX Hrs on Facebook in 2010 WOW. What are your hours like? I found out from [LINK] ...Enjoy!

If you click on the links you will be taken to a third-party application permissions dialog. As with legitimate Facebook applications, this app needs your permission to access information on your profile. Unfortunately this rogue application is not interested in calculating the real number of hours you spent on Facebook, all it cares about is spreading its message virally between users.

Facebook hours application

Because as soon as you click “Approve” the rogue app takes the opportunity to post a message on your Facebook page, like the ones above, designed to fool your friends into believing you’ve found out how many hours you spent on the website during 2010.

And so the scam spreads virally.

What is the point of the scam? To make money by tricking you into taking a survey.

Facebook hours survey scam

The webpage you are taken to after approving the rogue application tricks you into believing that you can find out how many hours you were logged into Facebook once you have completed a survey as a “security check”.

In reality, the scammers earn commission for each survey completed. And you’ve just helped them spread the survey onto your friends as well.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 50,000 people regularly share information on threats and discuss the latest security news.

Full story: Naked Security – Sophos

Posted in Sophos

Top Five malware in 2010. Protect yourself against them with Panda Antivirus!

Posted by Blanca Carton, January 2011

Every year, PandaLabs, Panda Security’s anti-malware laboratory, publishes an annual malware report discussing the year’s most virulent threats. In 2010, this task was made all the more difficult as PandaLabs had to analyze and sift through no less than 20 million new viruses.

This report is also used as the basis for the company’s ‘Virus Yearbook’, which rather than a definitive list of threats that have infected most computers or caused more damage, is simply a summary of some of the viruses that, for one reason or another, have caught our eye.

Here are the Top Five:

  1. The mischievous Mac lover: This title has been earned by a remote-control program with the worrying name of HellRaiser.A. It only affects Mac systems and needs user consent to install on a computer. Yet once installed, it can take remote control of the system and perform a whole host of functions… it can even open the DVD tray!
  2. The Good Samaritan: Surely some of you will have guessed… Bredolab.Y comes disguised as a message from Microsoft Support claiming that a new security patch for Outlook has to be installed immediately… But watch out! If you download it you will have installed the SecurityTool rogueware, which will start telling you that your system is infected and that you should buy a certain solution to fix it. Of course, if you pay for the program, you will never receive it, it will not resolve the problem and that’s the last you will see of your money…
  3. Linguist of the year: Our award for the linguist of the year goes to MSNWorm.IE. This virus, which in itself is nothing special, is distributed via Messenger with a link tempting the user into viewing a photo… in 18 languages!
  4. The most annoying: Remember how viruses used to be? Or those ‘jokes’ that once installed would ask: “Are you sure you want to close the program? Yes – No?”. No matter what you clicked, the same screen would appear: “Are you sure you want to close the program?”, time and time again, enough to try the patience of a saint… Well that’s what this worm does: Oscarbot.YQ. Once it is installed, start praying, or doing yoga, or meditating… whatever you can think of, because it will drive you mad. Every time you close it, another screen opens asking another question, or opening a browser window, or… The most annoying, without a doubt.
  5. Insect of the year: We would like to make special mention of the Mariposa (Butterfly) botnet, which was dismantled in March and led to the arrest of the creators thanks to the collaboration between Panda Security, the Spanish Civil Guard, FBI and Defense Intelligence… Like a true insect, it fed on the nectar of other people’s computers, flitting from one to another… and compromised a total of 13 million computers around the world.

How to protect yourself against attacks

The first rule is to use your common sense. If you receive an email message with attachments from a dubious source, delete it.

Be careful when surfing the Web. Avoid downloading programs from unknown websites. And even if you know the source, stay alert and take all necessary precautions before opening them.

Finally, to be completely protected it is essential that you have an antivirus installed and updated, regardless of whether your operating system is Windows or Mac.

Remember, if you have any questions about the operation of your product, you can always find the answers in the articles published on the Panda Security support website, in the videos posted on our YouTube Support Channel or by contacting our expert technicians through the Tech Support forum.

===============================================================================

This is an extract from the PandaLabs post “PandaLabs Recaps Year of Malware with its Virus Yearbook 2010”.

Posted in Antivirus

Norton Internet Security 2010


Can NIS 2010 protect your PC from current and emerging forms of malware? Find out! It’s NIS 2010 vs 10 malicious websites/downloads. Make sure you catch the last 10 min, BTW.

Posted in Video

Analysis: Spam report: December 2010

The amount of spam in email traffic increased by 0.3 percentage points compared to November and averaged 77.1%.

Full story: Securelist / All Updates

Posted in Antivirus

Emsisoft Anti-Malware score on VB100 April 2010 comparative

This was the first time Emsisoft Anti-Malware took part in the Virus Bulletin VB100 comparative. VB tested Anti-Malware 5.0 Beta, which had some trouble during the on-access scan test, so VB decided to test only the scanner’s capabilities. Unfortunately, that was not enough to earn the VB100 award, but the detailed test results are remarkable:

On demand scan:

  • WildList: 99.95% (a number of Virut replications were missed)
  • Worms & bots: 99.81% (rank 4 out of 60)
  • Polymorphic viruses: 78.59%
  • Trojans: 98.29%
  • False positives: 1

Reactive and proactive (RAP) detection:

  • week-3: 99.13%
  • week-2: 99.42%
  • week-1: 97.92%
  • Reactive average: 98.72% (the best score of all 60 tested products)
  • Proactive week+1: 71.30%
  • Overall average: 91.87%

Full story: Anti-Malware Reviews

Posted in Antivirus

Internet Security 2010


Download the software at www.removevirus.org. If you need advanced help, go to www.onlinecomputerrepair.org.

Posted in Video

F-secure internet security 2010 part 1

CSA DISCLAIMER: This video is taken from YouTube. Like every other video found on this site, it is not hosted here; it is only embedded and was picked automatically by our system from video hosting services such as YouTube, Metacafe and others. We are therefore not responsible for any copyright violations, video material, hacking or cracking activities, or anything else. If you have any legal issues, please contact the appropriate host site.

Posted in Video

Top Ten Must-Read DDanchev Posts For 2010

01. How the Koobface Gang Monetizes Mac OS X Traffic
02. AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181
03. The DNS Infrastructure of the Money Mule Recruitment Ecosystem
04. The Avalanche Botnet and the TROYAK-AS Connection
05. Koobface Gang Responds to the “10 Things You Didn’t Know About the Koobface Gang Post”
06. Sampling Malicious Activity Inside Cybercrime-Friendly

Full story: Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge

Posted in Security

This Month in the Threat Webscape – December 2010

This Month In The Threat Webscape – Monthly roundup for December 2010


Full story: Security Labs

Posted in Antivirus

Top Ten Must-Read Posts at ZDNet’s Zero Day for 2010

01. Seven myths about zero day vulnerabilities debunked
02. Should a targeted country strike back at the cyber attackers?
03. 5 reasons why the proposed ID scheme for Internet users is a bad idea
04. Hotmail’s new security features vs Gmail’s old security features
05. Attack of the Opt-In Botnets
06. From Russia with (objective) spam stats
07. The current state of the crimeware threat – Q&A
08.

Full story: Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge

Posted in Security
