Tag Archive | "Antivirus"

Remove Antivirus Center (Uninstall Guide)

Antivirus Center is a rogue anti-spyware program from the same family as Internet Protection. This malware is installed onto your computer through the use of fake scanner pages and Trojans that pretend to be updates to Adobe Flash. When Antivirus Center is installed onto a computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan of your computer and then state that there are numerous infections present. If you attempt to remove any of these so-called infections with the program it will state that it is unable to do so until you purchase it. As none of the infection files actually exist on your computer, please disregard these scan results and do not purchase the program.

Antivirus Center screen shot

While Antivirus Center is running it will also display numerous fake security alerts and warnings that are designed to make you think that your computer has a severe security problem. The text of these messages is:

Antivirus Center
Your system has come under attack of harmful software. Click here to deactivate it.

Antivirus Center
External software tries to control variety of your system files. This may lead to breaking of some data in your system. Click here to protect remote access to your PC & delete these programs.

Antivirus Center
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Antivirus Center.

Antivirus Center Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.

Antivirus Center Firewall Alert
Antivirus Center has prevent a program from accessing the Internet.
“iexplore.exe” is infected with Trojan. This worm has tried to use “iexplore.exe” to connect to remove host and send your credit card information.

Antivirus Center Firewall Alert
Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.
Attacker IP: <ip address>
Attack type: RCPT exploit

Antivirus Center
Your computer is under the infections threat. Run instant shield protection to safe your data and prevent internet access to your credit card information. Select this to run instant shield.

Antivirus Center Firewall Alert
Warning
Keylogger activity detected!
Your account in social network is under attack. Click here to block unauthorized modification by removing threats (Recommended)

Just like the scan results, all of these warnings are fake and should be ignored.

As you can see, Antivirus Center was created for one reason: to scare you into thinking your computer is infected so that you will then purchase the program. Under no circumstances should you purchase Antivirus Center, and if you already have, you should contact your credit card company and dispute the charges, stating that the program is a computer infection. Finally, to remove this infection and related malware, please use the removal guide below.

Threat Classification:

Advanced information:

View Antivirus Center files.
View Antivirus Center Registry Information.

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [<random numbers and characters>] rundll32.exe "C:\Documents and Settings\All Users\Application Data\<random numbers and characters>.dat", <random characters>

Guide Updates:

04/29/11 – Initial guide creation.

Automated Removal Instructions for Antivirus Center using Malwarebytes’ Anti-Malware:

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Center so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Center and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Center when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, you can typically bypass the malware’s attempt to protect itself so that RKill can terminate Antivirus Center. So, please keep running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill, as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings and, when the program has finished installing, make sure you leave both Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ Anti-Malware prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Center related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Center removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the Antivirus Center program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Associated Antivirus Center Files:

%AllUsersProfile%\Application Data\<random numbers and characters>.dat
%AllUsersProfile%\Application Data\<random numbers and characters>.ico
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Center.lnk
%UserProfile%\Desktop\Antivirus Center.lnk
%Temp%\ins2.tmp
%Temp%\mv3.tmp
%Temp%\wrk4.tmp

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

Associated Antivirus Center Windows Registry Information:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\rundll32.exe” = ‘C:\WINDOWS\system32\rundll32.exe:*:Enabled:Antivirus Center’
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<random numbers and characters>”
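The O4 symptom and the Run-key entry listed above can be checked for mechanically. The following script is an added example, not part of the original guide: it parses HijackThis-style O4 lines (constructed here, with made-up random names) and flags the pattern Antivirus Center uses, rundll32.exe loading a randomly named .dat file from an Application Data folder.

```python
"""Flag the Antivirus Center autorun pattern in HijackThis 'O4' lines.

Added example; it is not part of the original removal guide. The rogue
registers an HKCU Run entry that makes rundll32.exe load a randomly named
.dat file from the All Users\\Application Data folder. The log lines below
are constructed to mimic HijackThis output; the random names are made up.
"""
import re

# O4 - HKCU\..\Run: [name] command   (HijackThis writes a plain hyphen; web
# copies of logs often turn it into an en dash, so accept both)
O4_RE = re.compile(
    r"^O4 [-\u2013] (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# rundll32.exe "...\Application Data\<file>.dat", <export>
RUNDLL32_DAT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"(?P<path>[^"]*\\Application Data\\(?P<base>[^"\\]+)\.dat)"'
    r"\s*,\s*(?P<export>\S+)",
    re.IGNORECASE)


def parse_o4(line):
    """Split one O4 line into hive, key, value name and command; None if not O4."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons an O4 entry looks like Antivirus Center (empty = clean)."""
    reasons = []
    m = RUNDLL32_DAT_RE.search(entry["cmd"])
    if not m:
        return reasons
    reasons.append("rundll32.exe loads a .dat from an Application Data folder")
    if entry["hive"] == "HKCU":
        reasons.append("autorun lives in the per-user HKCU Run key")
    if entry["name"].lower() == m.group("base").lower():
        reasons.append("Run value name equals the .dat base name")
    name = entry["name"]
    if any(c.isdigit() for c in name) and any(c.isalpha() for c in name):
        reasons.append("Run value name mixes letters and digits (looks generated)")
    return reasons


def scan_log(lines):
    """Return [(entry, reasons)] for every O4 line that matches the pattern."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry:
            reasons = classify(entry)
            if reasons:
                hits.append((entry, reasons))
    return hits


SAMPLE_LOG = [  # constructed HijackThis-style lines
    r"O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [7a3k9s1qz] rundll32.exe "C:\Documents and Settings\All Users\Application Data\7a3k9s1qz.dat", zxq',
    r'O4 - HKCU\..\Run: [c4f1e0ab] rundll32.exe "C:\ProgramData\Application Data\c4f1e0ab.dat", kp',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
]

if __name__ == "__main__":
    for entry, reasons in scan_log(SAMPLE_LOG):
        print(f"{entry['hive']}\\..\\{entry['key']} [{entry['name']}] {entry['cmd']}")
        for reason in reasons:
            print("   -", reason)
```

The legitimate rundll32.exe entry (NvCpl.dll) is not flagged, because the pattern requires a quoted .dat path under an Application Data folder.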

 

Posted in Malware Removal

Malicious Spam on the increase again

Malware distribution via email is far from dead.  While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.

Malicious spam on the increase again

After the bot herders took a brief Easter break, they are back to sending new waves of malicious spam. The first spam campaign was sent by the Cutwail botnet earlier this week. The email claims to be an invoice from Bobijou Inc., an online jewellery brand. There is a chance that people might fall into this trap, especially as it claims that money was charged to your credit card. But take a closer look at the subject line, "Successfull Order 3677718": that misspelling alone should alert you that this email is a scam.

Cutwail Spam Campaign

Another malicious spam campaign, originating from the Donbot botnet, came in later this week. It uses a common, uncreative theme with subject lines like "my hot pic : )", "my naked pic is attached", etc. The Donbot botnet’s spam output is on the rise, and this is the first time we have seen it spreading malicious attachments.

Donbot Spam Campaign

Both spam campaigns contain a zipped attachment which, once extracted, contains an executable file that downloads – surprise, surprise – Fake Antivirus:

In addition, this week we have been seeing more of the Asprox botnet’s "Spam from your Facebook account" campaign, which preys on people’s fears about the security of their Facebook accounts. This campaign first appeared last year, illustrating that the bot herders behind Asprox cycle their spam campaigns between UPS, DHL, FEDEX and iTunes Gift Certificate themes, among others.

Recent Facebook spam campaign sent by Asprox

The attachment is a Trojan that aims to seed the Asprox bot executable on the infected host, which is then used for spamming.

SMTP transaction of the Asprox process ASPIMGR.EXE

We have blogged about these types of threats many times before.  In a sense, it’s the same old stuff with slightly different social engineering. Be wary.

Posted in Security

IME Injection Evolution

Recently we found many malware samples using a smarter way to inject a chosen DLL into the system through the IME management mechanism. Compared to the old IME injection tricks, it is much more difficult for users or anti-virus companies to discover.

As we know, at the beginning of last year many Chinese users found they could no longer use a certain language input method. This type of virus caused the users many inconveniences. The first version of IME injection simply replaced the IME file specified by the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0020804

Key:IME File

Value:*.ime

where E002 is a device identifier and 0804 is a language identifier, in this case Simplified Chinese. More information about this registry key is available in MSDN.

If the IME file is replaced by the malware DLL, the original language input method no longer works properly. This could bypass many behaviour monitors, but the story didn’t last long, because this method was easily discovered.

After that, the IME injection technique was updated as well. The next generation was much more complicated and needed three components. The first component was a management program, which dropped the other two:

1. A fake IME file, which always exports the following two functions:

IMESetPubString

IMEClearPubString

IMESetPubString is used to load the malware DLL specified by the management component.

2. The DLL to be loaded, which is the real payload of the malware.

The management component registers the fake IME file as the system default input method, then sends the WM_INPUTLANGCHANGEREQUEST message to the specified windows to activate the fake IME file, which loads the real malware. This type of injection does not replace any of the user’s normal IME files, and it is a little more difficult to trace, but it still has weaknesses: users can easily spot a strange IME choice in the language bar and newly added Keyboard Layouts registry entries, and the fake IME file is left behind on the user’s system. This type of injection was popular during the second half of last year, but it has now nearly disappeared.

Now we have found IME injection generation III. It is smarter and harder to discover. This injection does not change any registry key or drop any fake IME file. It is mainly based on the malware authors’ study of two functions exported from imm32.dll: ImmLoadLayout and ImmGetImeInfoEx.

ImmLoadLayout: this function opens the Keyboard Layouts key and reads the IME file name.

Image1

Before invoking this function, the malware has already hooked the function ZwQueryValueKey.

The hook procedure looks like the following:

Image2

If the query is for the registry value "IME File", the hook changes the returned data to the malware’s file name, 04f30730.tmp, and then unhooks ZwQueryValueKey.

After the above process, the malware posts a message to explorer.exe:

Image3

Then explorer.exe calls ImmLoadIME, which calls LoadLibrary to load the DLL named by ImmGetImeInfoEx. The following snapshot shows the call stack of explorer.exe after it received the WM_INPUTLANGCHANGEREQUEST message:

Image4

Now the malware has achieved its goal: the malicious DLL has been loaded by explorer.exe.

Before the DLL is loaded, the system invokes ApphelpCheckIME to check the legitimacy of the DLL, but it does not check whether the DLL exports any IME functions.

Posting a language change message causes explorer.exe to load an arbitrary DLL, even one that does not export any IME functions, which is really dangerous!

Many functions of imm32.dll are still undocumented, and this area is becoming more and more attractive to malware writers. We don’t think this is the end of it, and we will certainly pay more attention to new IME injection methods.
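A defender can at least audit for the traces the first two generations leave. The script below is an added example, not code from the AVG post or its authors: it reads a .reg export of the Keyboard Layouts key (the export text here is constructed) and flags IME File values that are not a bare .ime module name, which is how a replaced IME file or a registered fake IME shows up; generation III leaves no registry trace and is out of scope.

```python
"""Audit a .reg export of the Keyboard Layouts key for IME injection traces.

Added example; it is not part of the AVG post. Generation I replaced the
module named by an 'IME File' value and generation II registered a new
Keyboard Layouts entry for a fake IME, so an export of
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts can be checked for
IME File values that are not a bare .ime module name and for layout ids that
are not 8 hex digits. The export text below is constructed; the .tmp name is
the one quoted in the post.
"""
import re

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Keyboard Layouts\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')     # REG_SZ values only


def parse_reg_export(text):
    """Return {layout_id: {value_name: data}}; .reg data escapes '\\' as '\\\\'."""
    layouts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            layouts[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            layouts[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return layouts


def audit_layout(layout_id, values):
    """Return the reasons one layout entry looks tampered with (empty = clean)."""
    reasons = []
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", layout_id):
        reasons.append("layout id is not 8 hex digits")
    ime = values.get("IME File")
    if ime is None:
        return reasons          # ordinary keyboard layout, no IME involved
    if "\\" in ime or "/" in ime:
        reasons.append("IME File carries a path instead of a bare System32 module name")
    if not ime.lower().endswith(".ime"):
        reasons.append("IME File does not end in .ime")
    # Heuristic (assumption, not from the post): IME layout ids start with E0.
    if not layout_id.upper().startswith("E0"):
        reasons.append("IME File set on a layout id that does not start with E0")
    return reasons


def audit_export(text):
    """Map layout id -> reasons for every entry with at least one finding."""
    report = {}
    for layout_id, values in parse_reg_export(text).items():
        reasons = audit_layout(layout_id, values)
        if reasons:
            report[layout_id] = reasons
    return report


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0020804]
"Layout File"="kbdus.dll"
"IME File"="PINTLGNT.IME"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin IME"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0220804]
"Layout File"="kbdus.dll"
"IME File"="C:\\WINDOWS\\Temp\\04f30730.tmp"
"Layout Text"="Chinese (Simplified) - Microsoft Pinyin IME"
"""  # constructed: one plain layout, one genuine-looking IME, one fake IME entry

if __name__ == "__main__":
    for layout_id, reasons in audit_export(SAMPLE_REG).items():
        print(layout_id)
        for reason in reasons:
            print("   -", reason)
```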

 

Frank Zheng, Stanley Zhu & Hynek Blinka

Posted in AVG

The Royal Wedding and The Fake Antivirus

The Royal Wedding of Prince William and Catherine Middleton that will be held tomorrow, on April 29, will attract the attention of many people around the world, and has become a trending topic on various websites, especially the social networking sites.

No doubt it also became an easy target for malware authors to spread their malware using SEO poisoning. This black hat SEO technique has been used by malware writers from time to time, exploiting hot topics to improve the ranking of their sites in search engine results.

As you can see on Google Trends and Google Insights, the search volume increases massively, and it also happens on Facebook and Twitter.

When you do a search related to this, some of the results point to malicious websites.

When a victim clicks such a link, he is redirected to a malicious site that forces a download of a fake antivirus:

  • http://rnzrrljt.co.cc/[censored]
  • http://xnslrqlr.co.cc/[censored]

These point to the IP: 78.26.179.10.

The malicious site shows fake scanning dialogs and also displays fake alert messages.

Once the downloaded file is executed, the rogue application starts its actions.

The name used by this rogue application can differ. In our tests, the fake antivirus called itself "Win 7 Anti-Spyware" on Windows 7, but on XP it shows up as "XP Home Security 2011".

Emsisoft Anti-Malware detects this malware as Trojan.Win32.FakeAV. Currently, according to VirusTotal, detection rates are still low: only 10 of 41 engines detect it.

Posted in Emsisoft

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a "limited edition Buckingham Mint Royal Wedding Commemorative Coin" at a discounted rate is being observed:

The IP address involved in this particular spam attack belongs to a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info, created on January 14, 2011, before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its owner’s identity so it could be used for spamming.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:

Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <souvenir@yahveh.permissionalert.com>
From: Sovenir souvenir@ardent.informationfoot.com
From: “Timeless Royal Ring” <royalring@yinstenarm.com>
From: “British Heirloom Ring” <royalring@yinstenarm.com>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term "royal wedding gown sketches" are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

The Norton Safe Web site reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

  • william and kate movie cast
  • prince charles age
  • princess diana death facts
  • prince harry last name
  • william and kate movie on lifetime
  • royal wedding guest list bush
  • royal wedding guest list snubs
  • prince charles siblings
  • the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques, such as keyword stuffing, cloaking, and link farming, to "game" the search engine algorithms and achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.

Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts, as listed below, as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and, shockingly, the same proportion of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.

—————————————

Note: This blog has been researched and written by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.

Posted in Symantec

FedEx used for continued email malware – Zombies up 70%

It’s been almost one month since we reported about the huge increase of email-borne malware attachments.  The outbreaks have continued on an almost daily basis since then and we have noted a corresponding dramatic increase of over 70% in the number of zombies.

The traffic graph below shows the continued outbreaks (orange line).  As noted previously the levels shown below have not been seen for well over one year.  The outbreaks often reach levels of 20-40% of all email traffic.

Initially the attachments were "UPS package notifications". Then the subjects changed focus to "DHL package notifications". The zip attachment, however, remained "UPS.exe", leading us to conclude that DHL was transporting UPS malware.

And now (the most logical step we suppose..) the subjects have changed to FedEx package notifications.  The attached “document.zip” file still extracts to “UPS.exe”.  The body text is actually an image served from a variety of fast changing domains.  The body of the email includes random text with a 1-point font size and white color.  In this example the text reads “fwa dp ud gn vbg we ayf zv ole” (yes – that’s quite random.)

dear customer the parcel was sent your home address and it will arrive within 7 business day.  more information and the tracking number are attached in the document below.  thank you

Posted in Commtouch

500 free credits from Facebook – malware

There’s no such thing as a free lunch – or free Facebook credits.  As proof consider the attack described below which has several stages:

1) Users get messages with offers of "free Facebook credits"

2) These trick users into running a malicious JavaScript

3) The infected user is led to a website, which probably offers the malware distributor some pay-per-click revenue

4) The malicious script sends out more "free Facebook credits" messages and the cycle starts again

The attack starts in several ways but always includes messages from a compromised friend account:

  • A message with detailed instructions that require actively running a malicious JavaScript:

  • A chat message with the text: “%firstname% just tried this and got 500 Facebook credits works great <bad link>”  (The link provides instructions similar to those above about loading the code into the address bar).
  • A message is posted on the compromised user’s wall: "Did you guys hear about the Facebook glitch you can get 500 Facebook credits? check it out <bad link>".

  • An event invitation with similar free credit content and a link to the instructions website.

Once a user follows the instructions the JavaScript malware will do the following:

1.  Redirect the user to a “confirm your identity” page.

2.  Users clicking on “Continue” will then be directed to a verification dialog box with link to “Get the New iPhone 4 Right Here”.

3.   The final destination for those clicking on the iPhone 4 link will be the Smiley Central website.

A certain number of the compromised user’s friends will now receive the “500 free credits” messages.  Not all friends will receive the message – in one script sample I analyzed the message was sent to 15 friends.  In other scripts some of the details changed but the message and method basically remained the same.

Commtouch’s Command Antivirus detects the JavaScript as malware: JS/Agent.ON.

Be careful when trusting messages, even from your friends. Safe Browsing!

Posted in Commtouch

iPhone Tracking

Some time ago, a security researcher, Alex Levinson, found out the iPhone was keeping a SQLite database of the iPhone’s location (wifi-based location, cell-based or GPS) and a few other information.

The file, located in /private/var/root/Library/Caches/locationd/consolidated.db, is easily accessible on jailbroken phones (ssh or any file transfer tool) and readable by any SQLite3 tool.

This issue has recently re-surfaced as two researchers, Pete Warden and Alasdair Allan, wrote a MacOS tool to generate maps from the locations recorded in that database, and are presented this at Where 2.0 in San Francisco today.

If you don’t have a Mac, then there is an online tool here (in French) or you can use Firefox4 SQLiteManager plugin + Google Fusion to do the trick (which actually the solution I used for the maps below).

I would also encourage you to read Mikko Hypponen’s post. It offers an interesting explanation as to why Apple designed such a database. In short, Hypponen’s idea is that it reduces the cost of renting an external location database.

The few things I would like to add to the story are:

  • consolidated.db is a ‘standard’ SQLite3 database, so you can query it like any other SQLite database; there is no need for sophisticated tools (but they are cool). The data is directly usable:
    sqlite> .dump CellLocation
    PRAGMA foreign_keys=OFF;
    BEGIN TRANSACTION;
    CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER,
    LAC INTEGER, CI INTEGER, Timestamp FLOAT,
    Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT,
    Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT,
    Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI));
    INSERT INTO "CellLocation" VALUES(208,10,49802,21036492,314034125.866114,
    43.60604608,7.06016272,1211.0,0.0,-1.0,-1.0,-1.0,70);
    ...
  • The WifiLocation table tries to work out your location from the WiFi access points your iPhone sees and whose position Apple knows. If your iPhone sees an access point known to be located by the Eiffel Tower, well, you are probably close to the Eiffel Tower. This is done without using GPS.
  • The CellLocation table does basically the same, but based on the GSM cells (base stations) your phone sees.

    Now, in my case, I noticed that neither table mentioned I had gone to Poland with the iPhone. Why? Well, obviously, when you restore an old image of your phone, you overwrite the database :) By the way, the iPhone also made a poor estimation of my altitude and thinks I work at sea level (which is not the case).

  • Comparing the cell location with the WiFi location (see maps below) may reveal interesting information. First of all, it shows that Apple does successfully associate our workplace WiFi with its physical location (I believe the several locations in Sophia Antipolis, where we are located, are just various approximations). It also shows that our lab iPhone (well, the backup I restored) only accessed WiFi from our office, and that we did a trip to Toulon but did not use WiFi there.

    CellLocation

    WifiLocation

  • From a security point of view, it should be noted [thanks Guillaume for raising the point] that the integrity of consolidated.db is not guaranteed at all. It is easy to modify it to say I was in Greenland last month. Or I could break into someone else’s iPhone and alter it so as to show that this person was at a crime scene when the crime happened. Forensics experts should therefore treat this database with care.
  • The ‘untrackerd’ application cleans the database regularly.
  • Finally, you might have noted that the iPhone stores the MCC (Mobile Country Code) and MNC (Mobile Network Code) of the SIM. It is interesting to note that it did notice I sometimes use a fake SIM (208/30). This is when I use a local OpenBTS replication jail that I will talk about at VB 2011 – patience :) In that case, it is unable to locate my position as it is not aware of this fake operator (which is only valid within the walls of our lab) :)
    INSERT INTO "CellLocation" VALUES(208,30,1000,10,314034365.532726,
    0.0,0.0,-1.0,0.0,-1.0,-1.0,-1.0,0);
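    As an added example (not part of the original post), the script below queries CellLocation the way an analyst would: it converts the Timestamp column, which CoreLocation stores as Mac absolute time (seconds since 2001-01-01 UTC; a known convention rather than something stated in the post), lists every operator (MCC/MNC) the phone attached to, and separates usable fixes from cells Apple could not place, such as the fake 208/30 operator. The two sample rows are the ones quoted above; the in-memory database is built only so the example runs without a phone backup.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# consolidated.db timestamps are Mac absolute time: seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Schema copied from the .dump shown in the post.
CELL_SCHEMA = """
CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER,
    LAC INTEGER, CI INTEGER, Timestamp FLOAT,
    Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT,
    Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT,
    Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI));
"""

# The two rows quoted in the post: a real cell near Sophia Antipolis (208/10) and the
# lab's fake OpenBTS operator (208/30) that Apple could not place on a map.
SAMPLE_ROWS = [
    (208, 10, 49802, 21036492, 314034125.866114,
     43.60604608, 7.06016272, 1211.0, 0.0, -1.0, -1.0, -1.0, 70),
    (208, 30, 1000, 10, 314034365.532726,
     0.0, 0.0, -1.0, 0.0, -1.0, -1.0, -1.0, 0),
]


def mac_time_to_utc(ts):
    """Convert a consolidated.db Timestamp to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=ts)


def open_db(path=":memory:"):
    """Open consolidated.db; with the default path, build an in-memory copy from the sample rows
    so the example runs stand-alone. Pass the real file path to query an actual backup."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        conn.executescript(CELL_SCHEMA)
        conn.executemany("INSERT INTO CellLocation VALUES (" + ",".join("?" * 13) + ")", SAMPLE_ROWS)
    return conn


def operators_seen(conn):
    """Distinct (MCC, MNC) pairs, i.e. every network the phone was attached to."""
    cur = conn.execute("SELECT DISTINCT MCC, MNC FROM CellLocation ORDER BY MCC, MNC")
    return [tuple(r) for r in cur]


def cell_fixes(conn):
    """Rows usable as location evidence: non-zero coordinates with a positive accuracy.
    Each result is (utc_time, mcc, mnc, lat, lon, accuracy_m), oldest first."""
    cur = conn.execute(
        "SELECT Timestamp, MCC, MNC, Latitude, Longitude, HorizontalAccuracy FROM CellLocation "
        "WHERE NOT (Latitude = 0 AND Longitude = 0) AND HorizontalAccuracy > 0 ORDER BY Timestamp")
    return [(mac_time_to_utc(ts), mcc, mnc, lat, lon, acc) for ts, mcc, mnc, lat, lon, acc in cur]


def unlocated_cells(conn):
    """Cells the phone saw but Apple could not place (0/0 coordinates or accuracy -1)."""
    cur = conn.execute(
        "SELECT MCC, MNC, LAC, CI FROM CellLocation "
        "WHERE (Latitude = 0 AND Longitude = 0) OR HorizontalAccuracy < 0")
    return [tuple(r) for r in cur]


if __name__ == "__main__":
    db = open_db()
    for fix in cell_fixes(db):
        print(fix[0].isoformat(), *fix[1:])
    print("operators:", operators_seen(db))
    print("unlocated:", unlocated_cells(db))
```

    Because the file carries no integrity protection, any such output should be read as what the database says, not as proof of where the phone was.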

Posted in Fortinet

Rush Towards Gold Related Spam

On April 20, for the first time ever, gold rose above $1,500 an ounce as worries over the U.S. economic outlook boosted demand for the metal as a haven. Within hours, Symantec observed this spammer’s response: a hit-and-run spam attack with the Subject line “Subject: Is Gold Your Ticket To A Golden Future?”

Hit-and-run spam (also called snowshoe spam) is characterized by large volumes of messages sent in short bursts, with domains rotating quickly and the sending IP hopping within a single /24 range.

Key characteristics include:

  • The message is in HTML
  • There is some type of word salad or word obfuscation injected between various tags and/or in the URL by means of multiple directories
  • The message is typically sent within the same /24 IP range
  • Domains are rotated quickly
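As an added example (not part of Symantec’s post), the script below turns those characteristics into a simple detection heuristic over mail-server logs: it groups messages by the sending /24 and flags ranges where many distinct domains and IPs push the same pitch inside a short window. The log format, addresses, domains and thresholds are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed MTA log lines (not from the post): time, connecting IP, envelope-from domain, subject.
# The first six mimic a burst from one /24 with rotating domains; the last two are a normal sender.
SAMPLE_LOG = """\
2011-04-20T14:02:11 198.51.100.17 gold-kit-2011.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:14 198.51.100.23 gldinvestkit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:19 198.51.100.41 goldenfuture-offer.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:25 198.51.100.88 your-gold-kit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:31 198.51.100.9 golden-ticket-kit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:40 198.51.100.130 free-investor-kit.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:05:02 203.0.113.5 mail.example.org Weekly status report
2011-04-20T15:11:44 203.0.113.5 mail.example.org Re: meeting notes
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_log(text):
    """Yield (timestamp, ip, domain, subject) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, domain, subject = m.groups()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(ip), domain, subject


def cluster_by_slash24(records):
    """Group messages by the /24 the sending IP belongs to (the range the sender hops within)."""
    clusters = defaultdict(list)
    for ts, ip, domain, subject in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        clusters[str(net)].append((ts, str(ip), domain, subject))
    return clusters


def hit_and_run_ranges(records, min_msgs=5, min_domains=4, max_minutes=10):
    """Return /24 ranges that look like a hit-and-run burst: many messages from several IPs
    and several distinct sending domains, all inside a short window. Thresholds are illustrative."""
    flagged = {}
    for net, msgs in cluster_by_slash24(records).items():
        times = [m[0] for m in msgs]
        span_min = (max(times) - min(times)).total_seconds() / 60
        domains = {m[2] for m in msgs}
        ips = {m[1] for m in msgs}
        if len(msgs) >= min_msgs and len(domains) >= min_domains and len(ips) > 1 and span_min <= max_minutes:
            flagged[net] = {"messages": len(msgs), "domains": len(domains),
                            "ips": len(ips), "span_minutes": round(span_min, 2)}
    return flagged


if __name__ == "__main__":
    for net, stats in hit_and_run_ranges(parse_log(SAMPLE_LOG)).items():
        print(net, stats)
```

Blocking on the /24 rather than on individual domains or IPs is what makes this useful against domain rotation; in production the window and counts would be tuned against the site’s normal traffic.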

The call to action for this particular attack is a URL in the message body which directs the recipient to a Web site where they can request a “free” investor kit. In order to receive the investor kit, personal contact information is requested. Certain personalities are used in the image for this spam campaign, including Glenn Beck. A Google search reveals an interesting angle about Glenn Beck promoting gold investments. It seems that the spammer did some research to learn about the association before launching this campaign.

Symantec has known for some time now that spammers stay on top of current events and adapt their economically focused pitches to the news headlines. In the midst of the economic gloom, for example in October 2007, Symantec reported several spam emails with subject lines such as “Looking to sell your house fast?” and “Get the dough out of your house.” This gold-rush spam attack of April 2011 adds more credence to the argument discussed in a blog post published in April 2010, which explored whether the focus of spam email could be used as an economic indicator.

Posted in Symantec

How to remove Antivirus Protection and Antivirus Protection Trial (Uninstall Guide)

Antivirus Protection is a rogue anti-spyware program from the same family as Antivirus Soft and AV Security Suite. This family of rogues is installed through the use of malware and exploit kits that download and install Antivirus Protection onto your computer without your permission. When this program is installed it will be configured to start automatically when Windows starts, and once started, will perform a scan of your computer and state that it has found numerous infections. It will not, though, tell you the files that are supposedly infected and will also state that you cannot remove anything until you first purchase the program. This is a complete scam, as the program is scripted to display infections every time it is run. That means if you reinstalled Windows and ran Antivirus Protection it would still say that you are infected. It does this to scare you into thinking that your computer has a security problem so that you will then purchase the program. When you purchase the program, though, all you do is waste your money as the program has no useful function for your computer.

 

Antivirus Protection screen shot
Antivirus Protection screen shot
For more screen shots of this infection click on the image above.
There are a total of 4 images you can view.

 

When Antivirus Protection is running it will state that most programs are infected when you attempt to run them. The text of this fake infection alert is:

Virus Alert!
Application can’t be started. The file notepad.exe is damaged. Do you want to active your antivirus software now?

It does this for two reasons. The first is to make you think that your legitimate, and clean, programs are infected so that you will then purchase the rogue. The second reason is to block you from running any legitimate security programs that may help you remove this infection.

While Antivirus Protection is running it will also show you fake security alerts that attempt to further scare you into thinking you have an infection on your computer. These alerts will state that active malware has been detected or that your computer is under attack. The text of these alerts is:

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Antivirus Software Alert
Infiltration Alert

Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan – dropper or similar.

Just like the other false infection alerts, these warnings are all fake and should be ignored. Last, but not least, Antivirus Protection will also configure Internet Explorer to use a proxy server at 127.0.0.1 (port 47392 in the sample described here; the port differs between samples), which is actually the Antivirus Protection program itself. This means that when you browse the web using Internet Explorer, the rogue intercepts all your browser requests and instead displays a page with a security warning about the site you are visiting. This warning states:

Internet Explorer warning – visiting this site may harm your computer!
Most likely causes:

  • The website contains exploits that can launch a malicious code on your computer
  • Suspicious network activity
  • There might be an active spyware running on your computer

These warnings are false and should be ignored. A browser that does not use the Windows (Internet Explorer) proxy settings is not routed through the rogue’s proxy, will not show the warnings at all, and can browse the Internet as normal.

Without a doubt, Antivirus Protection Trial was created solely to trick you into purchasing the program by convincing you that your computer has a security problem. Now that you know what this program does, it goes without saying that you should not purchase this program for any reason. If you already have purchased it, then we suggest you contact your credit card company and dispute the charges. To remove Antivirus Protection and any related malware, please follow the steps in the removal guide below.

 

Threat Classification:

Advanced information:

View Antivirus Protection files.
View Antivirus Protection Registry Information.

Entries for this program found in the Add or Remove Programs control panel:

Antivirus Protection 3.3.0

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:47392
O4 - HKLM\..\Run: [<random>] %Temp%\<random>\<random>.exe

Guide Updates:

09/18/08 - Initial guide creation.
04/20/11 - Updated for new rogue using the same name.

Automated Removal Instructions for Antivirus Protection using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on, and as soon as anything appears on the screen start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    [Screenshot: Windows boot options menu]

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to log in. Please log in as the same user you were logged in as in normal Windows mode, then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Protection so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon to automatically attempt to stop any processes associated with Antivirus Protection and other rogue programs. Please be patient while the program looks for malware processes and ends them. When it has finished, the black window will close automatically and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned: this is just a fake warning given by Antivirus Protection when it terminates programs that might remove it. If these infection warnings close RKill, a trick is to leave the warning on the screen and run RKill again. Not closing the warning typically lets you bypass the malware’s self-protection so that RKill can terminate Antivirus Protection. So, please keep running RKill until the malware is no longer running; you will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill, as the malware will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to the default settings, and when the program has finished installing, make sure you leave both Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ Anti-Malware prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Protection related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Protection Trial removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Antivirus Protection Trial program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Antivirus Protection Files:

%UserProfile%\Local Settings\Application Data\<random>\
%UserProfile%\Local Settings\Application Data\<random>\<random>.exe

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\<username> for Windows 2000/XP, C:\Users\<username> for Windows Vista/7, and C:\WINNT\Profiles\<username> for Windows NT.

 

Associated Antivirus Protection Windows Registry Information:

HKEY_CURRENT_USER\Software\<random>
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "<local>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5643"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = "no"
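As an added example (not part of this guide or of any removal tool it mentions), the script below checks a .reg export for the indicators listed above: a loopback proxy enabled in the Internet Settings key, Run entries that launch from a user-writable data or temp directory, and the IE safety settings the rogue switches off. The export, the value name "hqgtjwk" (standing in for <random>) and the directory list are constructed for the example; run it against a real export with `reg export HKCU\Software\Microsoft out.reg`.

```python
import re

# Constructed .reg export (not from the guide) showing the kinds of values the guide lists.
# "hqgtjwk" stands in for the rogue's <random> name; ctfmon.exe is a normal Windows entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:47392"
"ProxyOverride"="<local>"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"hqgtjwk"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\hqgtjwk\\hqgtjwk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

# Directories this rogue family drops its randomly named executable into (from the guide).
SUSPICIOUS_RUN_DIRS = ("\\local settings\\application data\\", "\\temp\\", "\\appdata\\local\\")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; dwords become ints,
    strings have their doubled backslashes unescaped. Binary values are ignored here."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


def get_key(keys, path):
    """Case-insensitive lookup: registry paths are not case-sensitive (SOFTWARE vs Software)."""
    low = path.lower()
    for k, values in keys.items():
        if k.lower() == low:
            return values
    return {}


def check_rogue_indicators(keys):
    """Return human-readable findings for each indicator present in the parsed export."""
    findings = []
    inet = get_key(keys, r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    proxy = str(inet.get("ProxyServer", ""))
    if inet.get("ProxyEnable") == 1 and re.search(r"(^|[=;])127\.0\.0\.1:\d+", proxy):
        findings.append(f"loopback proxy enabled ({proxy}): a local process is intercepting IE traffic")
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        for name, cmd in get_key(keys, hive + r"\Software\Microsoft\Windows\CurrentVersion\Run").items():
            if isinstance(cmd, str) and any(d in cmd.lower() for d in SUSPICIOUS_RUN_DIRS):
                findings.append(f"Run entry {name!r} starts from a user-writable data/temp directory: {cmd}")
    if get_key(keys, r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter").get("Enabled") == 0:
        findings.append("IE phishing filter disabled")
    dl = get_key(keys, r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download")
    if str(dl.get("CheckExeSignatures", "")).lower() == "no":
        findings.append("IE executable signature check disabled")
    return findings


if __name__ == "__main__":
    for finding in check_rogue_indicators(parse_reg(SAMPLE_REG)):
        print("-", finding)
```

The proxy check is the most reliable of the four: legitimate software almost never sets Internet Explorer to a 127.0.0.1 proxy, and the specific port does not matter.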

 

Posted in Malware Removal

What Does the Consumerization of IT Mean to You? (An End-User Survey on Personal and Business Smartphone Trends)

More than ever before, smartphones are keeping us connected both personally and professionally. Because most of us have a preference as to the ideal smartphone, IT departments are increasingly being tasked with managing a mix of business-liable and employee-liable devices. This trend has become known as the consumerization of IT.

Symantec has developed a short survey to get smartphone end users’ perspectives on this trend. We’d also like to learn more about how your employer is managing the growing use of smartphones, especially those being purchased and brought into the organization by employees. The quick five minute survey can be found here: http://bit.ly/gsdgmX

Once you’ve taken the survey, please stay tuned to the original post that resides in the Security Community Blog. We’ll be sharing the results once the survey is complete.

Posted in Symantec

April 2011 Internet Threats Trend Report

Statistics related to spam levels feature prominently in this Internet Threats Trend Report, as they did in the report about the fourth quarter of 2010. This is due to the wide variations observed during the first three months of 2011, and the takedown of the Rustock botnet – which we calculated as responsible for sending around 50 billion spam messages daily. We have also included zombie data which shows the effects of the takedown as well as the huge UPS outbreak at the end of March.

Some highlights from the report:

  • Spam levels averaged 149 billion spam/phishing messages per day during Q1, compared to the 142 billion spam/phishing messages per day in Q4 2010 and 198 billion in Q3 2010.
  • Approximately 258,000 zombies were activated daily during Q1, a decrease compared to the 288,000 zombies in Q4 2010 and 339,000 during Q3 2010.
  • The most popular spam topic in Q1 was again pharmacy ads representing 28% of all spam, down from 42% in Q4 2010.
  • India keeps its title for the third quarter in a row as the country with the most zombies – 17% of all zombies worldwide.
  • Parked domains were the website category most likely to contain malware.
  • Streaming media/downloads continues to be the most popular topic for blog creators in the Web 2.0 sphere of user-generated content, with 21% of the generated content.

A brief SlideShare presentation summarizing the report is available here

Posted in Commtouch

Spammers Intend to Make You an Easter Bunny

Easter is a Christian holiday centered on the death of Jesus Christ and His subsequent resurrection several days later. Hence Easter is an important holiday for Christians. But what gets associated with Easter is beautifully decorated Easter eggs found on every decorated shop window this season, and of course the Easter Bunny! To celebrate Easter, people exchange Easter eggs and, with the evolution of time, today we have personalized e-cards and personalized gifts. Spammers have begun to exploit the season by sending personalized e-cards, gift cards, and replica-spam emails.

Here is a screenshot of a personalized Easter e-card:

Here are some of the headers used in Easter e-card spam:

Subject: Give your child the gift of amazement A Package from The Easter Bunny.

Subject: The Most Popular Gift for Kids this Easter 2011

Subject: Send A Personalized Easter Bunny Letter

Subject: How To Make This Your Childs Best Easter Ever.

Subject: This is the secret to making your kids happy this Easter.

Subject: Personalized Easter Bunny Letters

From: “The Easter Bunny” <The.Easter.Bunny@removed.com>

From: “Easter Bunny” <Easter.Bunny@removed.com>

Where personalized Easter gifts are concerned, spammers are pushing replica product offers at unimaginable discounts (as shown in the image below). To create a frenzy, they also claim that stock is limited and that one must “HURRY”! Do not get carried away by such false promises: this can be bait used by the spammers to get hold of the user’s personal information.

Screenshot of the Web site selling fake replica watches:

As Symantec wishes all our readers a very happy Easter, we also advise you to be cautious when handling unsolicited or unexpected emails, especially during this Easter season. Updating antispam signatures regularly protects your personal information from being compromised.

Thanks to Anand Muralidharan for contributed content.

Posted in Symantec

Antivirus Clean 2011 Adware Removal Instructions

The Emsisoft malware research team has discovered a new outbreak of the Antivirus Clean 2011 adware. Emsisoft Anti-Malware detects this malware as Adware.Win32.AntivirusClean2011.

Antivirus Clean 2011 is a rogue application. A rogue application tries to trick you by displaying false-positive or misleading scan results that claim your computer has a problem or is infected with viruses or trojans, and which you will not be able to fix until you purchase the program.

Files created:

  • %ProgramFiles%\Antivirus Clean 2011\
  • %ProgramFiles%\Antivirus Clean 2011\avservice.exe
  • %ProgramFiles%\Antivirus Clean 2011\avsetup.exe
  • %ProgramFiles%\Antivirus Clean 2011\avc2011.exe

Registry entries created:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
    AntivirusClean = %ProgramFiles%\Antivirus Clean 2011\avc2011.exe
    avservice = %ProgramFiles%\Antivirus Clean 2011\avservice.exe

Screenshots:

How to remove the Antivirus Clean 2011 infection (Adware.Win32.AntivirusClean2011)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Posted in Emsisoft

New Malware can Automatically Register Facebook Applications

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The malware searches for encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware then connects to a C&C server (74.50.119.59, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. The main goal is to automate Internet Explorer actions. On Monday, April 11th, the script sent when Facebook credentials were found on the local machine was the following:

 

 

The function names are self-explanatory. The script, when executed, performs the following actions:

  • Create a visible instance of Internet Explorer.
  • Navigate to facebook.com.
  • Log in.
  • Go to the Facebook app #119084674184 page: this application, named VIP Slots, has been around for a few years.
  • Grant access to this application.
  • Close the browser instance.

The permission required by VIP Slots is only “Basic information”, meaning your name and gender, profile picture, networks, and list of friends. The application itself does not seem to exhibit malicious behavior, but the fact that a malicious program interacts with it is very troubling. The end-goal is not determined at this stage: registering the user could serve as aggressive spamming (application posts appearing on your news feed), or a way to get more users to use the app, for monetary purpose (by buying virtual credits). The application could simply be an innocent party.

Another script was also distributed. The actions taken by this generic script were the following:

  • Create an invisible instance of Internet Explorer.
  • Go to google.com.
  • Search for “auto insurance bids”.
  • Close the browser instance.

This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends report a recent peak for this search term.

As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.

Our latest definitions detect this malware as Trojan.Gen. Facebook users may see which applications they are currently subscribed to by checking their Privacy settings > Apps and Websites page.

Posted in Symantec

Malware family “Chepvil” leads to rogueware “XP Anti-Virus 2011”

One malware family after another is trying to panic users into installing fake security applications. The latest is Chepvil, which arrives via email as an attachment. The email is shown below:

[Screenshot: the email]

The attachment is named doc.zip, details.zip or document.zip. On extracting it, the user gets an executable file carrying a PDF file icon.

If the user opens this executable, it downloads the files pusk.exe, pusk2.exe and pusk3.exe, as can be seen from the HTTP traffic:

The pusk*.exe files are the rogueware application “XP Anti-Virus 2011”, shown below:

As usual, it displays fake threat messages on the screen and pushes the user to register the product in order to remove these fake threats.

We recommend that users do not open attachments that come from unknown sources.
Quick Heal detects the malicious attached file as TrojanDownloader.Chepvil.J.
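As an added example (not from Quick Heal), the script below inspects a zip attachment the way a mail gateway should: it looks at each member’s extension, flags a document extension hiding in front of an executable one, and sniffs the first bytes of the content so that a PE file is recognised as such however it is named or whatever icon it carries. The attachment, the member name “document.pdf.exe” and the fake PE bytes (just the MZ and PE markers with padding, not real code) are constructed for the example.

```python
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def build_sample_attachment():
    """Constructed stand-in for doc.zip: a fake PE (only the 'MZ' magic, a 'PE' marker and
    padding, not executable code) named to look like a PDF, next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200)
        zf.writestr("readme.txt", b"Please see the attached document.\n")
    return buf.getvalue()


def sniff_type(data):
    """Minimal magic-number sniffer: enough to tell a PE from the document it pretends to be."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "other"


def inspect_attachment(zip_bytes):
    """Return one finding per zip member: name, sniffed content type, reasons and a flag.
    The icon shown by Explorer lives in the PE's resources and is ignored on purpose; the
    content bytes decide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            content = sniff_type(zf.read(name)[:8])
            reasons = []
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append("executable extension " + exts[-1])
            if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                reasons.append("document extension hidden before " + exts[-1])
            if content == "pe-executable":
                reasons.append("content is a PE file regardless of name")
            findings.append({"name": name, "content": content,
                             "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in inspect_attachment(build_sample_attachment()):
        print(f["name"], f["content"], "SUSPICIOUS" if f["suspicious"] else "ok", f["reasons"])
```

The content check is the one that matters: a gateway that only blocks on ".exe" is defeated by a renamed file, while one that sniffs for the MZ header catches the executable no matter what name or icon it wears.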

Posted in Quick Heal

Randomization of code and binaries used by a fake antivirus website

Last week, I talked about the heavy obfuscation attackers use to hide their HTML source code from detection. This time we came across an interesting fake antivirus website which not only changes the source of the web page on every visit but also the malicious binaries used in the attack. The site also changes certain strings used inside the animation sequences. For this post, I visited the site a few times within the span of a minute and collected the various source files and malicious binaries. Here are the screenshots of the fake security warnings from different visits:

The highlighted fake security message in the above images shows a different trojan count on each visit. If you look at the source code of these web pages, it has been randomized for each visit. Here is a sampling of the altered source code:

The code contains different random variable names, and the fake security warnings have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that match common string patterns. As with other fake AV sites, when a victim visits the page he is socially engineered into downloading fake security software, which turns out to be a malicious program. Interestingly, each time you visit this website the malicious binary changes, which results in a different MD5 hash, while the size of the binaries stays the same. Here are the MD5 hashes for different binaries downloaded from the same website:

The VirusTotal detection results remain very poor, with only 8 of 43 antivirus vendors detecting the files as malicious. Here are the results for the above binaries:

http://www.virustotal.com/file-scan/report.html?id=524b2ae5004d1e80628c7e69363e6a0d6357e5a01340bf0f1a9c406d9f38cd77-1300754240

http://www.virustotal.com/file-scan/report.html?id=00d2f5827712547c18e294123f7984268cc47cc2b225a9214873584178cdc058-1300754363

http://www.virustotal.com/file-scan/report.html?id=ee3c2057135d084ea8fdeba2e3f4b8c4501728ef40fcc62bec84da4cddca7352-1300754286

http://www.virustotal.com/file-scan/report.html?id=8d4ac1aeb83f18c401b0df447e5fba2a6a02a744de6f7404a76939bd4278da94-1300754302

The example demonstrates that engines which rely purely on matching string patterns in the source code will fail to detect this attack, and that per-download randomization of the binaries also defeats hash-based and signature-based antivirus detection.
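As an added example (not part of the original post, and not operating on the real samples), the script below shows what an analyst does next with a set of same-size downloads whose MD5s differ: compare them byte by byte to locate the randomized region, then hash the files with that region masked out, which yields one stable value for every variant. The four “variants” are constructed from random bytes with a 32-byte region re-randomized at offset 64; they are not malware.

```python
import hashlib
import random


def make_sample_variants(n=4, size=512, seed=7):
    """Constructed stand-ins for the downloads in the post (not real malware): one shared
    'body' of bytes, all the same size, with a 32-byte region at offset 64 re-randomized per copy."""
    rng = random.Random(seed)
    body = bytes(rng.randrange(256) for _ in range(size))
    variants = []
    for _ in range(n):
        junk = bytes(rng.randrange(256) for _ in range(32))
        variants.append(body[:64] + junk + body[96:])
    return variants


def digests(samples, algo="md5"):
    """Per-sample hex digests; with per-download randomization these are all different."""
    return [hashlib.new(algo, s).hexdigest() for s in samples]


def differing_offsets(samples):
    """Offsets where the samples disagree. Only meaningful for same-size files, as in the post."""
    size = len(samples[0])
    if any(len(s) != size for s in samples):
        raise ValueError("samples differ in size; byte-wise comparison assumes same-size variants")
    return [i for i in range(size) if len({s[i] for s in samples}) > 1]


def variable_regions(offsets):
    """Collapse a sorted offset list into (start, end_exclusive) runs: the randomized region(s)."""
    regions = []
    for off in offsets:
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + 1)
        else:
            regions.append((off, off + 1))
    return regions


def masked_digest(sample, offsets, algo="sha256"):
    """Hash with the variable bytes zeroed, giving one stable value for every variant of the body."""
    data = bytearray(sample)
    for off in offsets:
        data[off] = 0
    return hashlib.new(algo, bytes(data)).hexdigest()


if __name__ == "__main__":
    samples = make_sample_variants()
    offs = differing_offsets(samples)
    print("md5s:", digests(samples))
    print("randomized regions:", variable_regions(offs))
    print("masked digest (same for all):", {masked_digest(s, offs) for s in samples})
```

The masked digest is only a crude normalized hash, but the located region also tells you where to look in a disassembler: if the variable bytes sit in an overlay or a resource rather than in code, the samples are the same program with a stuffed field, and one behavioural signature covers all of them.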

Thanks

Umesh

Posted in Security

Heavy obfuscation used by Fake Antivirus websites

Just a few days back, I published a post discussing the popularity of fake antivirus websites in 2011. As I mentioned there, attackers continually create new domains and websites promoting their fake software, using various obfuscation techniques to hide their code from detection by IDS, IPS, antivirus, etc. We have since encountered a number of malicious websites hosted on the same IP address. The main pages of these websites are heavily obfuscated. The structure of the obfuscated JavaScript remains the same throughout, but all variable names are random, which suggests the attacker has created, or is using, a tool to handle the obfuscation. Here are screenshots of the JavaScript code from two different websites:
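That observation, identical structure with random names, is exactly what a structural fingerprint exploits. As an added example (not from the original post; the two snippets below are constructed, not the pages in the screenshots), the script tokenizes JavaScript, replaces every non-keyword identifier with ID and every literal with STR or NUM, and hashes the resulting skeleton. Two pages that differ only in their randomized names then share a fingerprint, while an unrelated script does not.

```python
import hashlib
import re

# Two constructed snippets with the same structure and different random identifiers, standing in
# for the two websites' obfuscated loaders. A third, unrelated snippet shows a non-match.
SITE_A = """
var qzkwpl = "48656c6c6f";
var rmtbxe = hgfdsa(qzkwpl);
document.write(rmtbxe);
function hgfdsa(s) {
  var r = "";
  for (var i = 0; i < s.length; i += 2) {
    r += String.fromCharCode(parseInt(s.substr(i, 2), 16));
  }
  return r;
}
"""

SITE_B = """
var mvpgbk = "576f726c64";
var zzlqtw = cqidnrs(mvpgbk);
document.write(zzlqtw);
function cqidnrs(t) {
  var o = "";
  for (var j = 0; j < t.length; j += 2) {
    o += String.fromCharCode(parseInt(t.substr(j, 2), 16));
  }
  return o;
}
"""

BENIGN = 'document.getElementById("clock").innerHTML = new Date().toLocaleTimeString();'

# Names kept verbatim in the skeleton: language keywords plus the DOM/String APIs that obfuscated
# loaders lean on. Everything else is treated as a renameable identifier.
KEEP = {
    "var", "function", "return", "if", "else", "for", "while", "new", "this", "document", "write",
    "eval", "unescape", "String", "fromCharCode", "length", "charAt", "charCodeAt", "split", "join",
    "replace", "substr", "substring", "parseInt", "window", "location", "setTimeout",
}

TOKEN_RE = re.compile(r"""
    (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][\w$]*)
  | (?P<punct>[{}()\[\];,.=+\-*/%<>!&|?:])
  | (?P<ws>\s+)
""", re.VERBOSE)


def skeleton(js):
    """Reduce JavaScript to its token structure: literals and non-kept identifiers are replaced
    by placeholders; punctuation and kept names stay. Characters the tokenizer does not know
    (e.g. '#', '@') are skipped, which is acceptable for a fingerprint."""
    out = []
    for m in TOKEN_RE.finditer(js):
        kind = m.lastgroup
        if kind == "ws":
            continue
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident":
            out.append(m.group() if m.group() in KEEP else "ID")
        else:
            out.append(m.group())
    return " ".join(out)


def fingerprint(js):
    """Short, stable hash of the skeleton; equal for all renamed variants of one loader."""
    return hashlib.sha256(skeleton(js).encode("utf-8")).hexdigest()[:16]


if __name__ == "__main__":
    print(skeleton(SITE_A))
    print("A:", fingerprint(SITE_A), "B:", fingerprint(SITE_B), "benign:", fingerprint(BENIGN))
```

A signature on the skeleton (or on the fingerprint of the first N tokens) survives the random renaming that defeats plain string matching; it does not survive a change to the obfuscator’s structure, which is why the fingerprint is one signal among several rather than a verdict on its own.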


Looking at the above images, you can see that the structure of the code remains the same and only the variable names are randomized. The page source contains nothing but a body tag and the malicious JavaScript. When the page loads, it starts playing animations that deliver security warnings to scare the victim. Here is one example:


As I mentioned in the earlier post, these are fake security warnings attempting to coerce the victim into downloading fake antivirus software, which in turn downloads additional malware onto the system. The code that drives these animations and initiates the download of the malicious binaries is hidden inside the obfuscated script. Let's decode the main script. The malicious JavaScript defines two functions and has three lines of code that decode the content. Here is how they look:


In the first iteration, the variable "euqbvulz" is passed to the decoding function "ikcmfynlzk()" and the decoded content is stored in a variable called "wfuaydtmd". In the second iteration, "wfuaydtmd" is passed to a second function, "fiyctdv()", whose result goes straight into a "document.write()" call. So the content goes through two rounds of decoding before the browser sees it. Let's decode this code using Malzilla.

Malzilla successfully decoded the contents. But the decoded result contains another three heavily obfuscated JavaScript snippets along with some HTML code. Let's decode them one by one. Here is the first one:

The first JavaScript snippet decodes to an HTML "title" tag, which is displayed as the title of the web page and claims it is a legitimate Windows security website. That means the HTML displaying the warnings and animation must be hidden in the remaining scripts. Here is the second one:

The above script loads the animated images with the message "Initializing virus Protection System...". Here is the third one:

If you look at the above image, you will notice a number of security-related strings, which suggests that this is the snippet that actually builds the animation. The first variable is named "strategy", and the attacker's strategy is indeed to fill that variable, from JavaScript, with the CSS and markup that style the fake warning. Here are some screenshots of that CSS code:



So the code displaying the security warnings and messages has been obfuscated several times over by the attacker. Notice that the strings used in the script are the same ones shown in the warning images earlier in this post. Because of this heavy obfuscation, the detection rate for this HTML file among legitimate antivirus vendors remains very poor.

Umesh

Posted in Security | Comments Off

An un-epiphany – (based on: how to use a GPU to speed up ClamAV)

I have always been amused at people talking about the death of the antivirus industry. It has supposedly been dying for decades and it is still around and growing.

What amuses me even more is how people can sound so knowledgeable about how antivirus works and why it is doomed to fail. What is especially amusing is precisely how they get all their facts wrong.

I was busy reading about GPU (Graphics Processing Unit) based supercomputers and their uses when I came across an interesting paper on how to use a GPU to speed up antivirus software. So I read it and had my un-epiphany.

The paper was describing how to use a GPU to speed up ClamAV. It used a lot of the same terminology that people use to say that antivirus is dead. So it occurred to me that people look at ClamAV and assume that is how all commercial antivirus products work.

I did not know whether I should laugh or cry.

When people ask me whether ClamAV is any good or not, I just have one answer: Does it detect the Wildlist? The answer is no. Virtually every commercial antivirus product out there detects the vast majority of the Wildlist most of the time.

Real antivirus products are significantly more complex and advanced than ClamAV can ever be. ClamAV probably represents the status of commercial products 15+ years ago. The technologies that can be seen in the real products are really very impressive, constantly changing and growing.

I have a hard time comparing our own technology with what you would find in ClamAV. It is like comparing a racing car to a grape. Modern scanning engines have multiple layers of detection, multiple heuristic engines and multiple emulators for both executable code and scripting languages. The scalability and efficiency of modern antivirus engines, given the massive volumes of data they process, is astonishing.

Good technology can be beautiful. It can be art. It takes a geek to see and acknowledge it and it is an incredibly difficult concept to explain. Modern antivirus engines are art. Balancing flexibility, scalability and detection rates is an intricate dance that takes a group of extremely intelligent people years to perfect and tune.

Posted in Commtouch | Comments Off

Virus uses Antivirus?

Usually, when we talk about viruses and antivirus, the topic is detection. So if I say that a piece of malware uses antivirus software to do bad things, is that interesting?

Recently, AVG caught a StartPage-type malware that bundles Kingsoft WebShield as part of itself to achieve its aim.

Kingsoft is one of the most popular antivirus companies in China. Its WebShield is designed to protect users from phishing and injected websites so they can browse safely. It has two well-known functions, locking IE's homepage and redirecting pages, which are exactly what the malware takes advantage of.

This malware combines modules from Kingsoft:

Image1

It would be clearer if we have a look at the digital signatures:

Image2

And modified configuration files:

Image3

kws.ini contains the homepage settings, filled of course with fake URLs, as you can see in this detail:

Image4
Spitesp.dat contains the list of URLs used for homepage redirection: if you try to visit any of these URLs, you are redirected to the configured homepage or to another preconfigured URL:

Image5

Take a look at these URLs. Some popular internet sites are included in the list.

So how does this malware use Kingsoft WebShield to do bad things?

The malware is packed as an NSIS (Nullsoft Scriptable Install System) package. Below is the install script decompiled from the package by the AVG engine.

Image6
First, the malware looks for a process named 'KSWebShield.exe', which would mean Kingsoft WebShield is already running. If it finds one, it stops and removes the existing Kingsoft WebShield service.

Second, the malware drops the Kingsoft WebShield modules it needs into the directory below:

Image7

Third, it drops the configuration files mentioned above into the folder from which Kingsoft WebShield reads its settings by default:

Image8

Finally, the malware runs a batch file to install and start the Kingsoft WebShield service:

Image9

At this point the maliciously configured Kingsoft WebShield takes effect: your browsers' homepages are replaced with the fake ones, and you are redirected to the fake homepage whenever you try to visit a URL listed in the configuration file.

Image10
Kingsoft WebShield is a powerful browser protector. Perhaps because of that power, it attracts the interest of malware authors. Unfortunately, malware only needs to change the configuration files to turn that power to bad ends: the dropped modules still carry Kingsoft's valid digital signatures, so a scanner or allow-list that trusts the signature alone sees nothing but legitimate components, while the malicious behaviour lives entirely in the configuration files. Is this a warning to others?

Jason Zhou & Hynek Blinka

 

Posted in AVG | Comments Off

Fake Rogue Anti-Virus & Anti-Spyware in Action

See what happens when I purposely infect my computer with Power AntiVirus (a rogue anti-virus known to be malicious.) Notice some of the patterns and learn how to protect your computer in our series of videos. Our Blog: www.e-geniuses.com

CSA DISCLAIMER: This video taken from YouTube. We are not responsible for any copyright violations, video materials, hacking or cracking activities, or any other. If you have any legal issues, please contact the appropriate host site.

Posted in Video | Comments (25)

What Is The Best AntiVirus for my Computer?

A few tips on choosing an anti-virus!

Posted in Video | Comments (25)

Naked pictures from Emily carry fake anti-virus surprise

It’s 8:30am. You stumble into work half asleep and slouch at your desk. You boot up your computer.. tick tick tick. It runs its system diagnostics and you see the Windows logo lurch into view.

Umpteen programs (half of which you’ve forgotten what they do) start up in your system tray, and you automatically click on your email inbox. More whirring, wheezing and hissing..

Slowly your inbox comes into view and you find an email, from a young woman called Emily.

Naked pictures malicious email

Subject: nake pics as you've requested

Message body:
I am hungry for sex. If you feel the same then take a look at my picture I am attaching to this email and reply back so we could hook up.

Attached file: pic.scr

Suddenly you perk up! Bonjour!

It’s a trick as old as time, of course. Unsolicited emails, arriving out of the blue, offering you pictures of the sender’s naked wife, a nude picture of Jennifer Lopez or a school sweetheart with pigtails, but really delivering a sting in the tail.

In this latest case, the attachment carries a Trojan horse – Troj/FakeAV-IU – which attempts to scare you into buying a fake anti-virus product.

Come on guys, it’s 2011. We should all be smart enough not to fall for tricks like this anymore. You should always be asking yourself why is someone sending this to me? Do I seriously imagine that a complete stranger is going to seek me out as a sexual partner over the internet, sending me photos of herself naked, despite never having communicated with me before?

Computer technology is becoming more sophisticated all the time, but it seems its users are still neanderthals when it comes to being duped by simple social engineering tricks like the promise of naked pictures.

Posted in Sophos | Comments Off

A Rogue with an Original Name: Antivirus

You know you want it.

Posted in Video | Comments (25)
