Tag Archive | "Malware"

SQL Slammer Worm Regains Momentum

At McAfee Labs every day we monitor millions of intrusion prevention systems (IPS) alerts from our sensors around the world. From these alerts, we often see interesting global data and trends. Recently, ISC noticed a sudden decline of Slammer traffic in the wild, which we also noticed on our sensors.

The infamous Slammer was a rapid-spreading worm that started on January 25, 2003. It targeted Microsoft SQL Server 2000 and MSDE 2000 through a stack buffer overflow in the SQL Server Resolution Service, and it travelled as a single UDP datagram to port 1434. That choice of transport is what made the spread so fast: UDP needs no handshake, so every infected host could fire that one packet at random addresses as quickly as its link allowed, and the worm lived only in memory, never touching disk. It is incredibly noisy, and it really never went away, even though the worm is eight years old!
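As an added illustration (not part of the McAfee post), here is the kind of heuristic an IPS applies to UDP/1434 traffic to separate Slammer propagation from legitimate SQL Server Resolution Service lookups. It runs over constructed datagram records rather than a live capture; the worm-shaped payload is filler built to have Slammer's shape (the 0x04 request byte, a long run of 0x01 bytes, then an oversized body), not real worm bytes, and the addresses, the 64-byte cut-off and the hit threshold are assumptions.

```python
"""Heuristic Slammer detector for UDP/1434 datagrams.

Added example for this post; the datagram records below are constructed, not a real capture.
"""
from collections import Counter
from dataclasses import dataclass

SSRP_PORT = 1434            # SQL Server Resolution Service listens here over UDP
CLNT_UCAST_INST = 0x04      # SSRP request type: "send me the details of this named instance"
MAX_LEGIT_REQUEST = 64      # 0x04 + an instance name; genuine requests are shorter (assumed cut-off)


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    payload: bytes


def looks_like_slammer(payload: bytes) -> bool:
    """True when a UDP/1434 payload has the shape of Slammer's propagation packet.

    A real CLNT_UCAST_INST request is the byte 0x04 followed by a short instance name.
    Slammer starts with the same 0x04 but follows it with a long run of 0x01 bytes that
    overflows the instance-name buffer, then the worm code, giving an oversized datagram.
    """
    if not payload or payload[0] != CLNT_UCAST_INST:
        return False
    if len(payload) <= MAX_LEGIT_REQUEST:
        return False                      # plausible instance lookup, leave it alone
    return payload[1:33] == b"\x01" * 32  # the overflow filler


def infected_sources(datagrams, min_hits: int = 3) -> dict:
    """Map source address -> count of Slammer-shaped datagrams, for sources at or above min_hits.

    An infected host sprays thousands of these per second, so a handful from one source is
    already conclusive; the threshold only filters single stray packets.
    """
    hits = Counter(d.src for d in datagrams
                   if d.dport == SSRP_PORT and looks_like_slammer(d.payload))
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed fixture: filler with Slammer's shape (0x04, 96 x 0x01, oversized body), not worm bytes.
WORM_SHAPED_PAYLOAD = b"\x04" + b"\x01" * 96 + b"\x90" * 279   # 376 bytes, like the real packet

SAMPLE_TRAFFIC = [
    Datagram("203.0.113.7", f"198.51.100.{i}", SSRP_PORT, WORM_SHAPED_PAYLOAD) for i in range(1, 6)
] + [
    Datagram("198.51.100.20", "198.51.100.9", SSRP_PORT, b"\x04MSSQLSERVER"),   # legitimate lookup
    Datagram("198.51.100.21", "198.51.100.9", SSRP_PORT, b"\x02"),              # legitimate broadcast
    Datagram("198.51.100.22", "198.51.100.9", 53, WORM_SHAPED_PAYLOAD),          # not SSRP, ignored
]

if __name__ == "__main__":
    for src, n in infected_sources(SAMPLE_TRAFFIC).items():
        print(f"{src}: {n} Slammer-shaped datagrams to UDP/{SSRP_PORT}")
```

The point of the length check is that a sensor cannot simply alert on every 0x04 byte to port 1434: instance lookups from legitimate clients look the same in their first byte, and only the oversized body with the 0x01 run distinguishes the exploit. That is also why the alerts never stop; any still-infected SQL Server 2000 box keeps generating this exact packet shape.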

To our surprise, the amount of traffic that we detect dropped significantly in early March, and we do not yet know the reason for the decline. What we have noticed, however, is that alerts for Slammer started to reappear early this month.

I guess we will be seeing more Slammer alerts for a while.

Posted in McAfee

Lab Matters – Dissecting the Banking Malware Problem

Kaspersky Lab malware researcher Vicente Diaz joins the Lab Matters webcast to discuss the banking malware epidemic in Europe and offer suggestions for consumers doing business on the Web.

Posted in Kaspersky

How to remove Antivirus Protection and Antivirus Protection Trial (Uninstall Guide)

Antivirus Protection is a rogue anti-spyware program from the same family as Antivirus Soft and AV Security Suite. This family of rogues is installed through the use of malware and exploit kits that download and install Antivirus Protection onto your computer without your permission. When this program is installed it will be configured to start automatically when Windows starts, and once started, will perform a scan of your computer and state that it has found numerous infections. It will not, though, tell you the files that are supposedly infected and will also state that you cannot remove anything until you first purchase the program. This is a complete scam, as the program is scripted to display infections every time it is run. That means if you reinstalled Windows and ran Antivirus Protection it would still say that you are infected. It does this to scare you into thinking that your computer has a security problem so that you will then purchase the program. When you purchase the program, though, all you do is waste your money as the program has no useful function for your computer.

 

Antivirus Protection screen shot

 

When Antivirus Protection is running it will state that most programs are infected when you attempt to run them. The text of this fake infection alert is:

Virus Alert!
Application can’t be started. The file notepad.exe is damaged. Do you want to active your antivirus software now?

It does this for two reasons. The first is to make you think that your legitimate, and clean, programs are infected so that you will then purchase the rogue. The second reason is to block you from running any legitimate security programs that may help you remove this infection.

While Antivirus Protection is running it will also show you fake security alerts that attempt to further scare you into thinking you have an infection on your computer. These alerts will state that active malware has been detected or that your computer is under attack. The text of these alerts is:

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan your computer. Your system might be at risk now.

Antivirus Software Alert
Infiltration Alert

Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan – dropper or similar.

Just like the other false infection alerts, these warnings are all fake and should be ignored. Last, but not least, Antivirus Protection will also configure your computer to use a proxy server at 127.0.0.1:47392, which is actually the Antivirus Protection program itself listening on the local machine (the port number differs between samples; the registry information below shows another one). This means that when you browse the web using Internet Explorer, the rogue will intercept all your web browser requests and instead display a page that shows a security warning about the site you are visiting. This warning states:

Internet Explorer warning – visiting this site may harm your computer!
Most likely causes:

  • The website contains exploits that can launch a malicious code on your computer
  • Suspicious network activity
  • There might be an active spyware running on your computer

These warnings should be ignored as they are false. The hijack is nothing more than the Windows (WinINET) proxy setting listed in the registry information below, so Internet Explorer and any other program that follows the system proxy setting, Chrome for example, will be routed through the rogue. A browser configured with its own proxy settings rather than the system ones will not see the warnings at all and can browse the Internet like normal.

Without a doubt, Antivirus Protection Trial was created solely to trick you into purchasing the program by convincing you that your computer has a security problem. Now that you know what this program does, it goes without saying that you should not purchase this program for any reason. If you already have purchased it, then we suggest you contact your credit card company and dispute the charges. To remove Antivirus Protection and any related malware, please follow the steps in the removal guide below.

 


Entries for this program found in the Add or Remove Programs control panel:

Antivirus Protection 3.3.0

 


Symptoms that may be in a HijackThis Log:

R1 – HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:47392
O4 – HKLM\..\Run: [<random>] %Temp%\<random>\<random>.exe

 

Guide Updates:

09/18/08 – Initial guide creation.
04/20/11 – Updated for new rogue using the same name.

 


Automated Removal Instructions for Antivirus Protection using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to Antivirus Protection so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with Antivirus Protection and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antivirus Protection when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Antivirus Protection. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for Antivirus Protection related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Antivirus Protection Trial removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Antivirus Protection Trial program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated Antivirus Protection Files:

%UserProfile%\Local Settings\Application Data\<random>\
%UserProfile%\Local Settings\Application Data\<random>\<random>.exe

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

 

Associated Antivirus Protection Windows Registry Information:

HKEY_CURRENT_USER\Software\<random>
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "<local>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5643"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'

 

Posted in Malware Removal

Remove BitDefender 2011 (Uninstall Guide)

BitDefender 2011 is a rogue anti-spyware program. This computer infection is named after, but should not be confused with, the legitimate antivirus products from BitDefender. This rogue is promoted through web sites that pretend to be online anti-malware scanners, but are instead advertisements that when finished state your computer is infected. This fake scanner will then prompt you to download and install BitDefender 2011 on to your computer in order to protect it. It should be noted that these fake online scanners are just an advertisement that has absolutely no way of knowing what is running on your computer. In fact they will show the same infection results to anyone who visits the page. Therefore, do not be concerned by what these online scanners show you.

 

BitDefender 2011 screen shot

 

When BitDefender 2011 is installed it will be configured to start automatically when Windows starts. Once started it will perform a scan on your computer and when finished state that it is infected with a variety of malware. If you attempt to use the program to remove any of the malware it finds, though, it will state that you first need to purchase the program before it will remove anything. This is a complete scam as the scan results are all fake and many of the listed files are actually legitimate files that if removed could cause problems for your computer. Therefore, do not manually remove any of the items it displays in its scan results.

While BitDefender 2011 is running it will also display alerts and warnings that attempt to scare you into thinking your computer has a serious computer security problem. These alerts will state that personal information is being stolen, active malware has been found, or that you are using unlicensed software. The text of some of these alerts is:

Warning!
Virtumonde is an adware program that tends to monitor your Internet browsing habits and may display targeted advertisements onto your computer screen. Virtumonde may also create a malicious DLL file in order to log your keystrokes and send the recorded information to a third party website. Virtumonde is an unwanted application and recommended to be removed.

Warning! Identity theft attempt detected!
Attacker IP: <random IP address>
Attack Target: Microsoft Corp. Keys
Description: Remote host tries to get access to your personal information.

Warning! New virus detected!
Threat Detected: Keylogger.iSnake.Pro
Infected File: C:\WINDOWS\system32\asr_ldm.exe

BitDefender 2011 also creates a new column in the Windows Task Manager that will display the word Infected next to various processes. It does this to further scare you into thinking that you have malicious processes running on your computer.

BitDefender 2011 will also attempt to protect itself by not allowing you to run various programs that may assist in removing it. When you attempt to run these types of programs, BitDefender 2011 will terminate them and then state that the file is infected. The text of the infection alert is:

Warning! Active Virus Detected!
Threat Detected: Backdoor.Poison.BQA
Infected file: <random file name>
Action taken: Application Blocked
Description: This backdoor arrives as attachment to email messages spammed by another malware or malicious user. This is a backdoor component of the Darkmoon RAT (Remote Administration Tool), via this backdoor hackers attempt to control your PC.

Just like the fake scan results, all of the above security alerts are fake and only being shown to scare you into purchasing the program.

Last, but not least, BitDefender 2011 will hijack Internet Explorer, Firefox, Chrome, Opera, and Safari so that a different program is launched in their place that displays a security alert. It does this through the Image File Execution Options entries listed in the registry information below: when a "Debugger" value exists for an executable name, Windows starts that "debugger" instead of the program, so launching any of those browsers actually runs the rogue's msiexecs.exe -sb. The text of the alert is:

About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse couldn’t be launched

You may use Internet Explorer in Emergency mode – internal service browser of Microsoft Windows system with limited usability.

Notice: Some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.

Just like the fake infection warnings, alerts, and scan results, these browser messages are all fake and your normal browsers will be restored when you follow the steps in the guide below.

Without a doubt, BitDefender 2011 was created for one reason: to scare you into thinking your computer has a security problem so that you will then purchase the program. It goes without saying that you should not purchase this program, and if you already have, please contact your credit card company to dispute the charge because the program is a scam and a computer infection. Finally, to remove BitDefender 2011 and any related malware, please use the removal guide below.

 



Symptoms that may be in a HijackThis Log:

O4 – HKCU\..\Run: [BitDefender 2011] C:\Program Files\BitDefender 2011\bitdefender.exe

 

Guide Updates:

04/20/11 – Initial guide creation.

 


Automated Removal Instructions for BitDefender 2011 using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:

    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.

  3. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  4. Before we can do anything we must first end the processes that belong to BitDefender 2011 so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  5. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with BitDefender 2011 and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by BitDefender 2011 when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate BitDefender 2011. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. Both of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)

  7. Once downloaded, close all programs and Windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for BitDefender 2011 related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.

    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the BitDefender 2011 removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

    MalwareBytes Scan Results

    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the BitDefender 2011 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated BitDefender 2011 Files:

c:\Program Files\BitDefender 2011\
c:\Program Files\BitDefender 2011\bitdefender.exe
c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\
c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
%AllUsersProfile%\Start Menu\BitDefender 2011\Uninstall.lnk
%UserProfile%\Desktop\BitDefender 2011.lnk
%Temp%\srvED4.ini
%Temp%\srvED4.tmp

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\ProfileName\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\ProfileName\AppData\Local\Temp for Windows Vista and Windows 7.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated BitDefender 2011 Windows Registry Information:

HKEY_CURRENT_USER\Software\EVAEC2
HKEY_CURRENT_USER\Software\MonEC2
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BitDefender 2011" = 'C:\Program Files\BitDefender 2011\bitdefender.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 21.04.2011"
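The registry indicators listed for Antivirus Protection above and for BitDefender 2011 here are the parts of these infections worth checking by hand, because they outlive the main executable: a WinINET proxy pointed at a local port, Image File Execution Options "Debugger" values that redirect browser launches, and several values that quietly weaken Internet Explorer's download defences. The checker below is an added example, not part of either guide or of Malwarebytes; it parses listings in the `KEY "Name" = 'data'` form the guides use and returns a finding for each pattern. The sample listing is a constructed composite of the values the two guides show (including the 5643 proxy port and a Run entry built from the HijackThis O4 line), and the browser list and the temp-path heuristic are assumptions.

```python
"""Check a registry listing for the rogue-AV tampering patterns described in the guides.

Added example; SAMPLE_LISTING is a constructed composite of the two guides' indicators.
"""
import re

# Curly quotes and primes that web copy-paste leaves in registry listings.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"',
                         "\u2018": "'", "\u2019": "'", "\u2032": "'"})

# KEY "ValueName" = 'data'   (quotes around the data are optional)
_ENTRY = re.compile(r'^(?P<key>HK\S.*?)\s+"(?P<name>[^"]+)"\s*=\s*["\']?(?P<value>.*?)["\']?\s*$')

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}  # assumed list
IFEO = "\\image file execution options\\"


def parse_registry_lines(text: str) -> list:
    """Parse 'KEY "Name" = value' lines into (key, name, value) tuples; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.translate(_QUOTES).strip())
        if m:
            entries.append((m["key"], m["name"], m["value"]))
    return entries


def find_indicators(entries) -> list:
    """Return one human-readable finding per tampering pattern present in the entries."""
    findings = []
    proxy = {}
    for key, name, value in entries:
        k, v = key.lower(), value.lower()
        if k.endswith("\\internet settings") and name in ("ProxyServer", "ProxyEnable"):
            proxy[name] = value
        elif IFEO in k and name == "Debugger":
            # Windows launches the "debugger" instead of the named program.
            exe = k.rsplit("\\", 1)[-1]
            if exe in BROWSERS:
                findings.append(f"IFEO debugger hijack: launching {exe} runs '{value}' instead")
        elif k.endswith("\\internet explorer\\phishingfilter") and name == "Enabled" and v == "0":
            findings.append("IE phishing filter disabled")
        elif k.endswith("\\internet explorer\\download") and name == "CheckExeSignatures" and v == "no":
            findings.append("IE Authenticode check on downloaded executables disabled")
        elif k.endswith("\\policies\\attachments") and name == "SaveZoneInformation" and v == "1":
            findings.append("zone (Mark-of-the-Web) information no longer saved on downloads")
        elif k.endswith("\\policies\\associations") and name == "LowRiskFileTypes" and ".exe" in v:
            findings.append(".exe marked low-risk, suppressing the open-file security warning")
        elif k.endswith("\\currentversion\\run") and ("%temp%" in v or "<random>" in v):
            findings.append(f"autostart from a temp or random path: {value}")
    m = re.search(r"127\.0\.0\.1:(\d+)", proxy.get("ProxyServer", ""))
    if m and proxy.get("ProxyEnable") == "1":
        findings.append(f"WinINET proxy hijack: web traffic routed to a local process on port {m.group(1)}")
    return findings


# Constructed composite of the indicators the two guides list (not a dump from a real machine).
SAMPLE_LISTING = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5643"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>" = '%Temp%\<random>\<random>.exe'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '.exe'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe "Debugger" = 'msiexecs.exe -sb'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BitDefender 2011" = 'C:\Program Files\BitDefender 2011\bitdefender.exe'
HKEY_CURRENT_USER\Software\EVAEC2
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_registry_lines(SAMPLE_LISTING)):
        print("FOUND:", finding)
```

On a live host the same values can be pulled with `reg query` for each key and pasted in this form. The IFEO finding is the one that explains the "Emergency Mode" browser alert, and removing the Debugger value under each browser's IFEO key is what gives the browsers back; the proxy finding explains why the rogue can show its warning page for every site.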

 

Posted in Malware Removal

ParetoLogic’s URL Clearing House moves to malwareblacklist.com

The ParetoLogic URL Clearing House has moved to a new domain: malwareblacklist.com

For a while now, I had been thinking of creating a name that can be remembered and googled easily. After jotting down a bunch of ideas I looked up what was available, and surprisingly malwareblacklist.com was there for the taking.

We’ve been running this project for 2 years now and are still going through some growing pains. At the same time, our goal is always to try to provide the most relevant data for security researchers.

Some people ask how we run this thing, so here is a brief explanation:

I build machines that are likely to be hacked through software vulnerabilities. There are hundreds of different combinations based on the OS, browser, and plugins.

I start by installing the OS and work my way up adding other programs carefully picked for their exploit potential.

For example, our oldest honeypot looks like this:

The combination above is likely to be a highly dangerous mix that we do NOT recommend! However, there are computers like that out there – just like trash cars polluting the environment – which are just asking for trouble.

Each machine is sent to browse a list of sites which we update daily. Some sites are known to be bad, while others are harvested from spam emails, malware payloads etc… We also crawl regular sites, but with a lower priority of course.

If a site triggers an exploit, we capture the payload and the originating URL. We do this by injecting a DLL into each running process on the system.

Our HoneyPots are able to cycle through URL lists in relative short periods of time as there are multiple copies (Virtual Images) of each configuration type. Even if one machine crashes, there are others that will pick up the load.

If you are interested in us validating your data, feel free to contact me. We provide custom APIs to query our Database as well as various feeds (full Database, hourly updates, etc.).

Finally, I want to thank everyone involved in this project and users that have contributed to the site. This helps us make it a better service for everyone.

Jerome Segura

Posted in Security

DSC0173519.zip – spammed out malware attack poses as photo attachment

A stranger emails you out of the blue, offering you a digital photo of themselves.

What do you do?

Don’t risk it – and chuck the email straight in the trashcan?

or

Take a careful look at the email, to try to weigh up the chances of it being a malicious attack?

or

Open the attachment straight away – after all, the chances of peeking at a salacious photograph outweigh the consequences of a malware infection?

Here are the details of just such an email which has been spammed around the world:

Subject: I'm going to send you the Photos in
Attached file: DSC0173519.zip

Message body:
Hello Man,

I don't know how to say it, but I've tryed before a long time to send you some photos, but I've thought that you aren't interested to see me.
But now I'm going to send you the Photos in the Attachment.
Download the pictures and extract they, I'm sure that you will like they.
The password is: 123456

Have a great day.

The messages have one attachment, called DSC0173519.zip. The ZIP file is encrypted (presumably in an attempt to defeat anti-virus products running at the email gateway – sorry Mr Cybercriminal, that didn’t stop Sophos) with the password mentioned in the body of the email.

Within the ZIP is an executable file, DSC0173519.exe, which Sophos proactively detects as Mal/Behav-043.

If you’re not protected by Sophos and make the mistake of running the program, it will drop another file onto your hard drive, which Sophos detects as the Troj/Agent-REX spyware Trojan horse.

In other words, your Windows computer is now infected with malware and a remote hacker could be stealing information from your PC, all because you were tricked into thinking a complete stranger had sent you their digital photograph.

It may be the 21st century, but with social engineering tricks so easily fooling users into making poor decisions maybe we’re kidding ourselves in believing we live in an enlightened world.

Posted in Sophos

Easter greetings deliver malware

The days leading up to major religious holidays are when you should be more careful with the contents of your inbox.

One malicious spam run recently spotted by McAfee consists of a cute image of bunnies, chicks and colored eggs, complete with the offer to download the animated greeting by clicking on the offered link:


The subject line reads “Easter Greeting From Alex”, and people who actually do know an Alex might be forgiven if they clicked through, since the e-mail address from which the message was supposedly sent and the domain name embossed in the image lead to what seems like a legitimate greeting service.

But the link and the image don’t take the unfortunate user to that website; instead they lead to one that triggers the download of a piece of malware that most likely steals personal and financial information from the victim’s computer.

I must admit that this spam message does seem rather legitimate at first glance – there are no spelling mistakes and the aforementioned domain from which the message has supposedly been sent doesn’t trigger any alarm bells.

But in any case, if you do know an Alex (or any other person from whom the greeting seemingly comes), it is a good idea to contact him or her independently of that e-mail and ask whether they did, indeed, send it.

 

Posted in Malware, Scam, Spam

Spam from your Facebook account? Malware attack poses as official warning

Cybercriminals are adopting a new disguise, following last week’s “Facebook password changed” malware attack.

Computer users are discovering malicious code has been sent to their email inboxes, pretending to be a notification from Facebook that their social networking account has been used to send out spam.

Spam is sent from your FaceBook account

A typical message reads:

Dear client

Spam is sent from your FaceBook account.

Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Please do not reply to this email, it's automatic mail notification!

Thank you.
FaceBook Service.

The attack would, perhaps, be a little more successful at fooling more people if it had gone through a grammar check and if the perpetrators had paid more attention to the fact that it’s spelt “Facebook” not “FaceBook”.

Nevertheless, there are doubtless some computer users who might be tempted to open the attached ZIP file and infect their computers with malware.

We’ve seen similar attacks before, of course – and I imagine that cybercriminals will continue to use ruses like this when spreading their malware. Plenty of people are hooked on Facebook, and a message telling them that their password has been reset is likely to send them into palpitations and they may open the unsolicited attachment without thinking.

After all, it’s not as though spam being sent from Facebook accounts is unusual.

If only more people realised that they cannot trust the “from:” address in an email, as it is so easily forged. In this case it presents itself as being from "Facebook Help" <official@facebook.com>, but in reality it could just as easily be a Hungarian hacker, a Finnish fraudster or a Serbian scammer who initiated the widespread spam attack.

Sophos products intercept the attack as Mal/BredoZp-B.

If you are one of those many people who can’t get enough of Facebook in their lives, you can stay informed about the latest scams by joining the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

Posted in Sophos

Mass Injections Leading to g01pack Exploit Kit

Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks. Recently it has detected a new injection attack which leads to an obscure Web attack kit. The injection has three phases which will be covered in this blog post. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

The first phase of the attack is a typical vector for exploit kits to drive traffic to their sites: script injections. Script HTML code is put on legitimate Web sites meant to drive traffic to the attack kits without the victim’s knowledge. In this case, legitimate sites are injected with malicious JavaScript.

Screen shot of malicious script injection (Phase 1):

In the second phase, this script injection then pulls obfuscated content from another site. The obfuscated content creates an iframe that is used to pull content from the exploit kit site.

Screen shot of the obfuscated redirect site used in the above injection (Phase 2):

Screen shot of the deobfuscated redirection site:

The exploit kit can basically be described as a drive-by download site used in the third and final phase of this attack. Its intent is to scan, attack, and run malicious code on the visitor’s computer. If one of the exploit kit’s Web attacks is successful, it could put malware on a victim’s computer that is meant to remotely control the computer. The binary that this kit tries to run on target computers has low detection as a Rogue AV installation. As is typical, the exploit kit’s Web attack code is obfuscated.

Screen shot of obfuscated exploit kit code (Phase 3):
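As an added example (not code from the Websense post), a small Python auditor for the three-phase pattern just described: it flags off-site script includes on a page (phase 1), inline scripts that combine unescape/document.write with a long encoded string (phase 2), and, after decoding such strings, any hidden iframe pointing at a third host. The sample pages, the .invalid hosts and the thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructs the obfuscated redirect stage (phase 2) typically leans on
OBFUSCATION_MARKERS = ("unescape(", "fromCharCode(", "eval(", "document.write(")
# A quoted run of 200+ hex / percent-escape characters is rarely legitimate page code
LONG_ENCODED_STRING = re.compile(r"""['"][0-9A-Fa-f%\\x]{200,}['"]""")


class PageCollector(HTMLParser):
    """Collect external script sources, inline script bodies and iframe attributes."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.iframes = [], [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.script_srcs.append(attrs["src"])
        elif tag == "iframe":
            self.iframes.append(attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._in_script, self._buf = False, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _is_offsite(url, site_host):
    host = urlparse(url).hostname
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def _is_hidden(attrs):
    """0x0 / 1x1 or CSS-hidden iframes are the usual phase-2 carrier."""
    width, height = attrs.get("width"), attrs.get("height")
    tiny = (width is not None and height is not None
            and width.rstrip("px") in ("0", "1") and height.rstrip("px") in ("0", "1"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_page(html, site_host):
    """Return (finding, detail) tuples for one fetched page of site_host.

    Long percent-encoded strings inside inline scripts are decoded with unquote()
    (what JavaScript's unescape() would produce) and audited recursively, so an
    iframe assembled by document.write(unescape(...)) is still reported.
    """
    page = PageCollector()
    page.feed(html)
    findings = []
    for src in page.script_srcs:
        if _is_offsite(src, site_host):
            findings.append(("external_script", src))
    for body in page.inline_scripts:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        encoded = LONG_ENCODED_STRING.findall(body)
        if len(hits) >= 2 or (hits and encoded):
            findings.append(("obfuscated_inline_script", ", ".join(hits)))
        for blob in encoded:
            for kind, detail in audit_page(unquote(blob.strip("'\"")), site_host):
                findings.append(("decoded_" + kind, detail))
    for attrs in page.iframes:
        src = attrs.get("src") or ""
        if _is_hidden(attrs) and _is_offsite(src, site_host):
            findings.append(("hidden_external_iframe", src))
    return findings


# Constructed sample pages; every third-party host uses the reserved .invalid TLD.
INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<script src="/js/site.js"></script>
<script src="http://stat-counter.invalid/c.php"></script>
</body></html>"""

_IFRAME = '<iframe src="http://exploit-kit.invalid/in.php" width=1 height=1></iframe>'
REDIRECT_PAGE = """<html><body><script>
var s = "%s";
document.write(unescape(s));
</script></body></html>""" % "".join("%%%02X" % b for b in _IFRAME.encode())

CLEAN_PAGE = '<html><body><script src="/js/site.js"></script><p>hello</p></body></html>'
```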

It’s in cases like this that we can really harness the power of our ThreatSeeker® Network, not only to better protect our customers but also to perform further research into attacks! With all of the scanning that ThreatSeeker® does, we get a large amount of data which we can correlate. In this example, I can see all of the URLs associated with the IP address that this exploit kit was hosted on.

Screen shot of URL report from hosting IP:

In the screen shot above, I’ve highlighted that there are a number of URLs with an “/admin/” directory.  Assuming that these are the same attack kits hosted on this IP, I can try to see if our attack host has the same page.  Sure enough, the attack site discussed in this blog follows the convention of other sites hosted on this IP.

Screen shot of the attack kit admin page:

Notice the title on the admin page: it has an email address for a group known as the Iranian Cyber Army.  This is a known attribute of a kit called g01pack malware tool.  We were able to access the admin panel and confirm that this site is hosting an installation of g01pack malware tool. 

Screen shot for g01pack admin statistics for this attack:

Posted in Security

Facebook Events, Credits, and Passwords Being Used for Attacks

Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

The attack starts with spammed messages that look like a Facebook notification. The email message alerts the users about a message that has been sent to their Facebook accounts. It tells the users to click a link to view the said message. Clicking the message, however, displays a download page for an application called Facebook Messenger.


The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. The commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, then sends the data it gathers to a certain SMTP server.

More Attacks Targeting Facebook Users

It seems like cybercriminals have their eyes particularly set on Facebook users these days, as this is not the only attack we’ve seen in the past couple of days.

In another spam run, recipients were told that their Facebook passwords were unsafe and that they should open an attached document, which contains their new passwords and information on how they can further secure their accounts. Ironically, the said document was actually a malware detected as TROJ_DOFOIL.VI.


We’ve also seen attacks similar to previously reported ones, which exploit the Facebook Events feature. This time, however, the social engineering lure used was yet another popular Facebook feature: Credits.

Users were notified of a supposed glitch in Facebook’s system that could be fixed by simply following a set of given instructions. Similar to the technique used in the Facebook Stalker Tracker attack, users were told to copy a piece of code and to paste it into their Web browser. Executing the said script results in the creation of an event and in the invitation of the affected users’ contacts to the said event. The “event” contains spammy information such as links to the Canadian Pharmacy.


The script used to create the spam event is now detected as JS_OBFUS.PB.

Trend Micro product users are already protected from the above-mentioned threats through the Trend Micro™ Smart Protection Network™. Facebook users need to be aware that such schemes, among others, are very rampant on the network. Extreme caution before clicking links is strongly advised. Users may check out our comprehensive report, Spam, Scams, and Other Social Media Threats, for more information.

Additional text and further analysis by Dhan Praga and Harry Reynoso

Posted in Trendmicro

An open letter to Facebook about safety and privacy

Dear Facebook,

As you know, for some years we have been discussing with your security team our concerns about safety and privacy on Facebook.

Every day, victims report to us numerous incidents of crime and fraud on Facebook. They have been personally affected and are desperate for advice on how to deal with the consequences.

A frequent refrain from users who contact us is, ‘Why doesn’t Facebook do more to protect us?’

We have identified three simple steps you can take to better protect your users:

1) PRIVACY BY DEFAULT

No more sharing of information without your users’ express agreement (OPT-IN). Whenever you add a new feature to share additional information about your users, you should not assume that they want this feature turned on.

2) VETTED APP DEVELOPERS

It is far too easy to become a developer on Facebook. With over one million app developers already registered on the Facebook platform, it is hardly surprising that your service is riddled with rogue applications and viral scams. Only vetted and approved third-party developers should be allowed to publish apps on your platform.

3) HTTPS FOR EVERYTHING

We welcome you recently introducing an HTTPS option, but you left it turned off by default. Worse, you only commit to provide a secure connection “whenever possible”. Facebook should enforce a secure connection all the time, by default. Without this protection, your users are at risk of losing personal information to hackers.

Why wait until regulators force your hand on privacy? Act now for the greater good of all.

Your users tell us that these are issues they want resolved. So our question is simple: when do you plan to act?

Sincerely,

Naked Security

Posted in Sophos


DDoS hacker who left his wife for a fictitious online lover jailed for two years

For all its positive aspects, there are some pretty ugly things which happen on the internet too.

Take this extraordinary tale, for instance, of how a falling-out between two men escalated into an attack involving sadistic revenge, 100,000 compromised computers around the world, a divorce, and one of the men being sent to jail.

Yesterday, a New Jersey judge sentenced 48-year-old Bruce Raisley to two years in prison for launching a distributed denial-of-service (DDoS) attack against websites that had published humiliating stories about his adulterous “affair” with a fictitious online lover.

In the mid-2000s, computer programmer Raisley became uncomfortable with the techniques used by “Perverted Justice”, a controversial group who posed as minors on internet chatrooms in an attempt to ensnare paedophiles, and questioned the legality of their activities.

This put Raisley at odds with the group’s leader, Xavier Von Erck. “Perverted Justice” collaborated with a US TV news program on a controversial feature called “To Catch a Predator”.

As the men’s conflict ignited, neither party showed themselves in the best light, and in 2005 Von Erck posed as a woman called “Holly” and began an erotic online relationship with Raisley.

You may think that’s a mean but harmless prank, which doesn’t do serious harm to anyone. But you’re wrong.

Raisley told his wife that he was in love with “Holly” and flew to meet his fictitious lover at Little Rock airport in Arkansas. A photographer hired by Von Erck took pictures of Raisley carrying flowers, waiting for an internet lover who – of course – never appeared.

Transcripts of Raisley’s erotic email exchanges with “Holly” and photos of him waiting for his non-existent lover at the airport were posted on the internet to add to his humiliation. Raisley ended up losing his job and wife, and no longer had any contact with his son.

Stories about Von Erck and his Perverted Justice organisation were published in Radar Magazine and Rolling Stone, and republished on the website of the Rick Ross Institute.

Rolling Stone article

The published stories also included details of how Von Erck had humiliated Raisley.

Perhaps understandably, Raisley wasn’t happy with the embarrassing story being published on the internet. His solution? To infect 100,000 computers around the world with malware and launch a distributed denial-of-service (DDoS) attack against websites hosting the tale of his humiliation.

The New Jersey court heard evidence that Raisley’s internet attack targeted a number of websites, including Rolling Stone, Radar, Nettica, Corrupted Justice, and the Rick Ross Institute. In total it was claimed that the attacks cost the websites more than $100,000.

Raisley has now been sentenced to 24 months in prison for launching the malware that infected computers across the globe, and attacked the websites.

In addition to the prison term, Judge Robert B Kugler sentenced Raisley to three years of supervised release and ordered him to pay damages of $90,386.34.

Things could, actually, have turned out even worse for Raisley. When found guilty last year, he was told he could expect a sentence of up to 10 years in jail, and a maximum fine of $250,000.

It’s a truly tragic story, with neither Raisley nor Von Erck demonstrating the best of characters, in my opinion.

But there is one clear moral – taking the law into your own hands is never a good idea.

Posted in Sophos


Analysis of the New Adobe Flash Attacks

When Adobe warned customers earlier this week about a newly discovered vulnerability in the Flash Player software, company officials said that there were already attacks underway against the bug. Those attacks are using malicious Flash files buried in Word documents, and Microsoft’s security engineers have analyzed the exploits and found some interesting details.

This is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.

The attack presents to the user via a spam message, often with a subject line referencing the Fukushima nuclear disaster, and carrying a malicious Word document as an attachment.

“Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously,” Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an analysis of the Flash exploit attempts.

“In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.”

The next step is the construction of the shellcode, which in turn then loads the Flash exploit code inside the Flash Player.

“The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed,” the researchers said.

The shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file.

This attack method is essentially the one that the attackers used to compromise RSA last month and steal some data related to the company’s SecurID product line.
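Added example, not from the Microsoft analysis or this post: a Python scanner that looks for SWF objects inside a carrier file and reports the layering described above, an AVM2 (DoABC) SWF whose tag data carries a hex-encoded SWF containing AVM1 (DoAction) code. The OLE container, the ABC stub and the nested SWF are constructed samples, not real exploit bytes; the tag codes (DoAction 12, DoABC 82) and the header layout follow the published SWF file format.

```python
import re
import struct
import zlib

DO_ACTION = 12   # SWF tag carrying AVM1 (ActionScript 1/2) bytecode
DO_ABC = 82      # SWF tag carrying AVM2 (ActionScript 3) bytecode
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE2) signature


def parse_swf(blob):
    """Return (version, [(tag_code, payload), ...]) or None if blob is not a SWF.

    The RECT after the 8-byte header is bit-packed (5-bit width, four fields),
    so its byte length must be computed before the tag list can be walked.
    """
    if len(blob) < 8 or blob[:3] not in (b"FWS", b"CWS"):
        return None
    body = blob[8:]
    if blob[:3] == b"CWS":                     # zlib-compressed body
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            return None
    if not body:
        return None
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4         # RECT + frame rate + frame count
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:                     # long form: u32 length follows
            if pos + 4 > len(body):
                break
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == 0:                          # End tag
            break
    return blob[3], tags


def find_embedded_swfs(container):
    """Locate believable SWF headers anywhere inside a carrier file."""
    found = []
    for m in re.finditer(rb"[FC]WS", container):
        off = m.start()
        if off + 8 > len(container):
            continue
        version = container[off + 3]
        length = struct.unpack_from("<I", container, off + 4)[0]
        if not 1 <= version <= 50 or not 15 <= length <= 64 * 1024 * 1024:
            continue
        chunk = container[off:off + length] if m.group() == b"FWS" else container[off:]
        parsed = parse_swf(chunk)
        if parsed:
            found.append((off, parsed))
    return found


def assess_document(container):
    """Flag SWFs whose AVM2 (DoABC) data carries a hex-encoded SWF with AVM1 code."""
    report = []
    for off, (version, tags) in find_embedded_swfs(container):
        codes = [c for c, _ in tags]
        entry = {"offset": off, "version": version, "avm2": DO_ABC in codes,
                 "avm1": DO_ACTION in codes, "nested_avm1": False}
        for _code, payload in tags:
            # "FWS"/"CWS" spelled as ASCII hex, followed by a long hex run
            for run in re.findall(rb"(?i)(?:465753|435753)[0-9a-f]{24,}", payload):
                inner = parse_swf(bytes.fromhex(run[:len(run) & ~1].decode()))
                if inner and DO_ACTION in [c for c, _ in inner[1]]:
                    entry["nested_avm1"] = True
        entry["suspicious"] = entry["avm2"] and entry["nested_avm1"]
        report.append(entry)
    return report


def build_swf(tags, compress=False):
    """Assemble a minimal SWF; used only to construct the samples below."""
    body = bytearray(b"\x00") + struct.pack("<HH", 0x0C00, 1)  # empty RECT, 12 fps, 1 frame
    for code, payload in tags + [(0, b"")]:
        if len(payload) < 0x3F:
            body += struct.pack("<H", (code << 6) | len(payload)) + payload
        else:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    header = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS\x0a" + header + zlib.compress(bytes(body))
    return b"FWS\x0a" + header + bytes(body)


# Constructed samples: no real ActionScript, only the layering the analysis describes.
INNER_AVM1 = build_swf([(DO_ACTION, b"\x00")])       # DoAction holding just ActionEnd
_ABC_STUB = struct.pack("<I", 1) + b"\x00stub:" + INNER_AVM1.hex().encode() + b"\x00"
OUTER_AVM2 = build_swf([(DO_ABC, _ABC_STUB)], compress=True)
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 504 + OUTER_AVM2 + b"\x00" * 32
BENIGN_SWF = build_swf([(DO_ABC, struct.pack("<I", 1) + b"\x00benign")])
```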

Posted in Kaspersky

UPS Malware attachments.

Over the last few days we have seen a significant increase in spam e-mail activity. One cause of the rise is malware being heavily distributed as e-mail attachments; package-delivery mails in particular have increased.

The e-mail claims to be from UPS or the Post Express courier service and informs users about the failed delivery of a postal package.

The message instructs the user to open the attached file. The attachment may contain the following files:

Invoice_Copy.zip
Post_Express_Label.zip
UPS.zip

When the ZIP file is extracted, the user gets an .exe file with the icon of a Word document.
Opening the .exe will most likely install a Trojan, which may download other malware too.

We have observed that all the infected e-mails come with the subject lines below:

UPS Delivery Problem NR56378
UPS INVOICE NR9094991
Post Express Service. Get the parcel NR 45556
Post Express Delivery. You need to get a parcel NR 70536

If you come across such e-mails, do not open the attachment. Instead, delete them and keep your antivirus updated.
Quick Heal detects the malicious attached file as TrojanDownloader.Dofoil.d.

Thanks Santosh for the analysis report.

Posted in Quick Heal

Malware family “Chepvil” leads to rogueware “XP Anti-Virus 2011”.

One malware family after another tries to panic users into installing a fake security application. The latest is the Chepvil malware, which arrives via e-mail as an attachment. The e-mail is shown below:

Email Snip

The attachment comes with the names doc.zip, details.zip or document.zip. On extracting it, the user gets an executable file with a PDF file icon.

If the user opens this executable, it downloads the files pusk.exe/pusk2.exe/pusk3.exe, as can be seen from the HTTP traffic:

The file pusk*.exe works as the rogueware application “XP Anti-Virus 2011”, as shown below:

As usual it displays fake threat messages on the screen and forces the user to register the product in order to remove these fake threats.

We recommend that users do not open attachments that come from unknown sources.
Quick Heal detects the malicious attached file as TrojanDownloader.Chepvil.J.
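The three attachment posts above (DSC0173519.zip, the UPS/Post Express archives and Chepvil's doc.zip) share one gateway-visible pattern: an executable inside a ZIP, sometimes encrypted with the password given in the message body. Traditional ZIP encryption protects only the entry data, so the central directory still lists the filenames. This added Python triage routine (not code from any of the vendors quoted) reads that listing without extracting anything; the archives and message bodies are constructed samples, built by hand because zipfile cannot write the encryption flag.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# Entry types that have no business inside a "photo", "invoice" or "label" archive
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PASSWORD_HINT = re.compile(r"password\s*(?:is)?\s*[:=]?\s*(\S+)", re.IGNORECASE)


def build_zip(entries, encrypted=False):
    """Assemble a ZIP (stored entries) from raw local headers, central directory and EOCD.

    With encrypted=True the general-purpose flag bit 0 is set and the entry data is
    replaced by opaque bytes, which is all a gateway scanner gets to see anyway.
    Sample construction only: a real encrypted entry would carry ZipCrypto data.
    """
    flags = 0x0001 if encrypted else 0x0000
    local, central = bytearray(), bytearray()
    for name, data in entries:
        name_b, crc = name.encode(), zlib.crc32(data) & 0xFFFFFFFF
        body = (b"\x00" * 12 + data) if encrypted else data      # 12-byte crypt header
        offset = len(local)
        local += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0,
                                             crc, len(body), len(data), len(name_b), 0)
        local += name_b + body
        central += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0,
                                               crc, len(body), len(data), len(name_b),
                                               0, 0, 0, 0, 0, offset)
        central += name_b
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def triage_attachment(filename, blob, body_text=""):
    """Inspect a ZIP attachment the way a mail gateway can, without extracting it.

    Returns a dict of findings; 'suspicious' is set when an executable is listed in
    the archive, while 'encrypted' and 'password_in_body' record the evasion trick
    (encrypted archive, password handed over in the message) for the analyst.
    """
    findings = {"attachment": filename, "entries": [], "executables": [],
                "encrypted": False, "password_in_body": None, "suspicious": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        findings["error"] = "not a ZIP archive"
        return findings
    for info in archive.infolist():
        findings["entries"].append(info.filename)
        if info.flag_bits & 0x0001:            # bit 0: entry data is encrypted
            findings["encrypted"] = True
        if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings["executables"].append(info.filename)
    hint = PASSWORD_HINT.search(body_text)
    if hint:
        findings["password_in_body"] = hint.group(1)
    findings["suspicious"] = bool(findings["executables"])
    return findings


# Constructed samples modelled on the posts above; the "executables" are inert stubs.
STUB_EXE = b"MZ" + b"\x00" * 62
PHOTO_BODY = ("Download the pictures and extract they, I'm sure that you will like they.\n"
              "The password is: 123456\n")
PHOTO_ZIP = build_zip([("DSC0173519.exe", STUB_EXE)], encrypted=True)
INVOICE_ZIP = build_zip([("Invoice_Copy.exe", STUB_EXE)])
CLEAN_ZIP = build_zip([("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)])
```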

Posted in Quick Heal

How to Remove Windows Fix Disk or WindowsFixDisk (Uninstall Guide)

WindowsFixDisk is a fake computer analysis and optimization program that displays fake information in order to scare you into believing that there is an issue with your computer. WindowsFixDisk is installed via Trojans that display false error messages and security warnings on the infected computer. These messages will state that there is something wrong with your computer’s hard drive and then suggest that you download and install a program that can fix the problem. When you click on one of these alerts, WindowsFixDisk will automatically be downloaded and installed onto your computer.

Once installed, WindowsFixDisk will be configured to start automatically when you login to Windows. Once started, it will display numerous error messages when you attempt to launch programs or delete files. WindowsFixDisk will then prompt you to scan your computer, which will then find a variety of errors that it states it cannot fix until you purchase the program. When you use the so-called defragment tool it will state that it needs to run in Safe Mode and then show a fake Safe Mode background that pretends to defrag your computer. As this program is a scam do not be scared into purchasing the program when you see its alerts.

 

WindowsFixDisk screen shot
For more screen shots of this infection click on the image above.
There are a total of 4 images you can view.

 

To further make it seem like your computer is not operating correctly, WindowsFixDisk will also make it so that certain folders on your computer display no contents. When opening these folders, such as C:\Windows\System32\ or various drive letters, instead of seeing the normal list of files it will instead display a different folder’s contents or make it appear as if the folder is empty. This is done to make it seem like there is corruption on your hard drive that is causing your files to not be displayed. It does this by adding the +H, or hidden, attribute to all of your files, which causes your files to become hidden. It will then change your Windows settings so that you cannot view hidden and system files. Once the rogue’s processes are terminated you can enable the setting to view hidden files, and thus be able to see your files and folders again, by following the instructions in this tutorial:

How to see hidden files in Windows

WindowsFixDisk also attempts to make it so you cannot run any programs on your computer. If you attempt to launch a program it will terminate it and state that the program or hard drive is corrupted. It does this to protect itself from anti-virus programs you may attempt to run and to make your computer unusable so that you will be further tempted to purchase the rogue. The messages that you will see when you attempt to run a program are:

Hard Drive Failure
The system has detected a problem with one or more installed IDE / SATA hard disks. It is recommended that you restart the system.

Or

System Error
An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.

Or

Critical Error
Hard drive critical error. Run a system diagnostic utility to check your hard disk drive for errors. Windows can’t find hard disk space. Hard drive error.

After you close this alert you will be presented with another alert that pretends to be for a program that will attempt to fix your hard drive.

Fix Disk
WindowsFixDisk Diagnostics will scan the system to identify performance problems.
Start or Cancel

If you press the Start button, it will pretend to scan your computer and then state that there is something wrong with it. This message is:

WindowsFixDisk Diagnostics
Windows detected a hard disk error.
A problem with the hard drive sectors has been detected. It is recommended to download the following sertified
<sic> software to fix the detected hard drive problems. Do you want to download recommended software?

These are just further alerts trying to make you think your computer has a serious hard drive problem. It should be noted that if you attempt to run a program enough times it will eventually work.

When you perform the scan or use the fake WindowsFixDisk it will state that there are numerous problems on your computer, but that you first need to purchase it before it can fix any of them. Some examples of the fake problems it detects on your computer are:

Requested registry access is not allowed. Registry defragmentation required
Read time of hard drive clusters less than 500 ms
32% of HDD space is unreadable
Bad sectors on hard drive or damaged file allocation table
GPU RAM temperature is critically high. Urgent RAM memory optimization is required to prevent system crash
Drive C initializing error
Ram Temperature is 83 C. Optimization is required for normal operation.
Hard drive doesn’t respond to system commands
Data Safety Problem. System integrity is at risk.
Registry Error – Critical Error

While Windows Fix Disk is running it will also display fake alerts from your Windows taskbar. These alerts are designed to further scare you into thinking that your computer has an imminent hardware failure. The text of some of the alerts you may see include:

Critical Error!
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
Hard Drive not found. Missing hard drive.

Critical Error
RAM memory usage is critically high. RAM memory failure.

Critical Error
Windows can’t find hard disk space. Hard drive error

Critical Error!
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error
A critical error has occurred while indexing data stored on hard drive. System restart required.

System Restore
The system has been restored after a critical error. Data integrity and hard drive integrity verification required.

Activation Reminder
WindowsFixDisk Activation
Advanced module activation required to fix detected errors and performance issues. Please purchase Advanced Module license to activate this software and enable all features.

Low Disk Space
You are running very low disk space on Local Disk (C:).

Windows – No Disk
Exception Processing Message 0x0000013

Just like the fake corruption messages and fake scan results, these alerts are only designed to scare you into purchasing the program.

To make matters worse, recent variants of this family have been installing the TDSS rootkit as well. This rootkit will perform redirects when visiting search links in Google, play strange audio advertisements, and make it so that you are unable to update your security programs. If you are infected with Windows Fix Disk and are unable to update your Malwarebytes’ Anti-Malware definitions, then you most likely have this rootkit installed. If this is the case, this guide will not be able to help you and you should instead follow the instructions in this topic in order to receive one-on-one help in removing this infection.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Without a doubt, the tactics utilized by this program are fraudulent and criminal. Therefore, do not purchase Windows Fix Disk for any reason, and if you already have, please contact your credit card company and state that the program is a computer infection and a scam and that you would like to dispute the charge. To remove this infection and related malware, please follow the steps in the guide below.

 

Threat Classification:

 

Advanced information:

View WindowsFixDisk files.
View WindowsFixDisk Registry Information.

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

Windows Vista & 7:

O4 - HKCU\..\Run: [<random>.exe] %AllUsersProfile%\<random>.exe
O4 - HKCU\..\Run: [<random>] %AllUsersProfile%\<random>.exe

Windows XP:

O4 - HKCU\..\Run: [<random>.exe] %AllUsersProfile%\Application Data\<random>.exe
O4 - HKCU\..\Run: [<random>] %AllUsersProfile%\AppData\<random>.exe

 

Guide Updates:

04/13/11 – Initial guide creation.

 


Automated Removal Instructions for WindowsFixDisk using Malwarebytes’ Anti-Malware:

 

  1. Print out these instructions as we may need to close every window that is open later in the fix.

  2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

  3. Before we can do anything we must first end the processes that belong to WindowsFixDisk so that it does not interfere with the cleaning procedure. To do this, please download RKill to your desktop from the following link.

    RKill Download Link – (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled iExplore.exe download link. When you are prompted where to save it, please save it on your desktop.

  4. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with WindowsFixDisk and other Rogue programs. If you cannot find the iExplore.exe icon that you downloaded, you can also execute the program by doing the following steps based on your version of Windows:

    For Windows 7 and Windows Vista, click on the Start button and then in the search field enter %userprofile%\desktop\iexplore.exe and then press the Enter key on your keyboard. If Windows prompts you to allow it to run, please allow it to do so.

    For Windows XP, click on the Start button and then click on the Run menu option. In the Open: field enter %userprofile%\desktop\iexplore.exe and press the OK button. If Windows prompts you to allow it to run, please allow it to do so.

    Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by WindowsFixDisk when it terminates programs that may potentially remove it. If you run into these infection warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate WindowsFixDisk. So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

    Do not reboot your computer after running RKill as the malware programs will start again.



  5. As this infection is known to be bundled with the TDSS rootkit infection, you should also run a program that can be used to scan for this infection. Please follow the steps in the following guide:
    How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
    If after running TDSSKiller, you are still unable to update Malwarebytes’ Anti-malware or continue to have Google search result redirects, then you should post a virus removal request using the steps in the following topic rather than continuing with this guide:

    Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help Topic

  6. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)


  7. Once downloaded, close all programs and windows on your computer, including this one.

  8. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  9. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If Malwarebytes’ Anti-Malware prompts you to reboot, please do not do so.

  10. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  11. On the Scanner tab, make sure the Perform full scan option is selected and then click on the Scan button to start scanning your computer for WindowsFixDisk related files.

  12. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  13. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the Windows Fix Disk removal process.

  14. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  15. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

  16. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  17. You can now exit the MBAM program.

  18. This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

    Unhide.exe

    Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

  19. Finally, as many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

 

Your computer should now be free of the Windows Fix Disk program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

 


 

Associated WindowsFixDisk Files:

Windows Vista & 7:

%AllUsersProfile%\~<random>
%AllUsersProfile%\~<random>r
%AllUsersProfile%\<random>.dll
%AllUsersProfile%\<random>.exe
%AllUsersProfile%\<random>
%AllUsersProfile%\<random>.exe
%UserProfile%\Desktop\Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Uninstall Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Windows Fix Disk.lnk

Windows XP:

%AllUsersProfile%\Application Data\~<random>
%AllUsersProfile%\Application Data\~<random>r
%AllUsersProfile%\Application Data\<random>.dll
%AllUsersProfile%\Application Data\<random>.exe
%AllUsersProfile%\Application Data\<random>
%AllUsersProfile%\Application Data\<random>.exe
%UserProfile%\Desktop\Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Uninstall Windows Fix Disk.lnk
%UserProfile%\Start Menu\Programs\Windows Fix Disk\Windows Fix Disk.lnk

File Location Notes:

%UserProfile% refers to the current user’s profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.

%AllUsersProfile% refers to the All Users Profile folder. By default, this is C:\Documents and Settings\All Users for Windows 2000/XP and C:\ProgramData\ for Windows Vista/7.

 

Associated WindowsFixDisk Windows Registry Information:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "<random>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnonBadCertRecving" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = '0'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
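As an added example that is not part of the original guide, the PowerShell script below audits the registry values and Run entries listed above so an administrator can confirm the rogue's changes are gone after clean-up: it flags values still holding the settings in the list, flags Run entries that launch an executable straight from the drop folders named in the file list, and counts hidden files under the user profile as a before/after check for the Unhide.exe step. The "Restore" values it writes with -Fix are assumed Windows defaults, not something the guide states.

```powershell
# Added example, not part of the original removal guide.
# Audits the WindowsFixDisk registry indicators listed above. Run from an elevated
# PowerShell prompt; it only reads the registry unless -Fix is given.
param([switch]$Fix)

# Values the rogue sets (taken from the list above) and what -Fix restores.
# Restore values are assumed Windows defaults; $null means "delete the value".
$Checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'CertificateRevocation'; Bad = 0;    Restore = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'WarnonBadCertRecving';  Bad = 0;    Restore = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper';   Bad = 1;    Restore = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name = 'SaveZoneInformation';   Bad = 1;    Restore = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';        Bad = 1;    Restore = $null },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';        Bad = 1;    Restore = $null },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name = 'CheckExeSignatures';    Bad = 'no'; Restore = 'yes' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'Hidden';                Bad = 0;    Restore = 2 }
)

function Test-RogueRegistryValues {
    # Emit one object per value that still carries the rogue's setting.
    foreach ($c in $Checks) {
        if (-not (Test-Path -Path $c.Path)) { continue }
        $item = Get-ItemProperty -Path $c.Path
        $prop = $item.PSObject.Properties[$c.Name]
        if ($null -eq $prop) { continue }
        if ("$($prop.Value)" -eq "$($c.Bad)") {
            [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $prop.Value; Restore = $c.Restore }
        }
    }
}

function Repair-RogueRegistryValues {
    foreach ($hit in @(Test-RogueRegistryValues)) {
        if ($null -eq $hit.Restore) {
            Remove-ItemProperty -Path $hit.Path -Name $hit.Name
        } else {
            Set-ItemProperty -Path $hit.Path -Name $hit.Name -Value $hit.Restore
        }
        Write-Host "Restored $($hit.Path)\$($hit.Name)"
    }
}

function Find-SuspiciousRunEntries {
    # The file list above places <random>.exe directly under %AllUsersProfile%
    # (Vista/7) or %AllUsersProfile%\Application Data (XP); flag Run values
    # whose executable lives directly in one of those folders.
    $runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $dropDirs = @($env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Application Data'))
    if (-not (Test-Path -Path $runKey)) { return }
    $item = Get-ItemProperty -Path $runKey
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSDrive, ...
        $cmd = [string]$prop.Value
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        $exe    = [Environment]::ExpandEnvironmentVariables($exe)
        $parent = [string](Split-Path -Parent $exe -ErrorAction SilentlyContinue)
        foreach ($d in $dropDirs) {
            if ($parent.TrimEnd('\') -ieq $d.TrimEnd('\')) {
                [pscustomobject]@{ Name = $prop.Name; Command = $cmd; Reason = "executable directly under $d" }
            }
        }
    }
}

function Get-HiddenProfileFileCount {
    # Unhide.exe (step 18) strips the +H attribute; compare this count before and after.
    @(Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) }).Count
}

$regHits = @(Test-RogueRegistryValues)
$runHits = @(Find-SuspiciousRunEntries)
"Registry values matching the rogue's settings: $($regHits.Count)"
$regHits | Format-Table -AutoSize
"Run entries launching files from the drop folders: $($runHits.Count)"
$runHits | Format-Table -AutoSize
"Hidden files under $($env:USERPROFILE): $(Get-HiddenProfileFileCount)"
if ($Fix) { Repair-RogueRegistryValues }
```

Run entries the script reports should be inspected by hand before anything is deleted; a legitimate program may also start from %AllUsersProfile%.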

 

Posted in Malware RemovalComments Off

Spamvertised “Reqest Rejected” Campaign Serving Scareware


A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected
Sample message: Dear Sirs, Thank you for your letter! Unfortunately we can not confirm your request! More information attached in document below. Thank you Best regards.
Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe

Detection rate:
EX-38463.pdf.exe – TrojanDownloader:Win32/Chepvil.J – Result: 11/41 (26.8%)
MD5   : 5085794e6c283ebcfa3878805b9e7be7
SHA1  : 1fbd8d3b0a3479274d8f09543452bf724bcb245c
SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution downloads hdjfskh.net/ pusk.exe – 208.43.90.48 – Email: admin@firtryt.biz

Detection rate:
pusk.exe – FakeAlert-CN.gen.aa – Result: 13/42 (31.0%)
MD5   : a50a91176b5aeb96b8b77b99d587c485
SHA1  : c56b7ab2123dbd49902446ffcc0cf59d6a865857
SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c

Upon execution phones back to the following domains and ASs:



Monitoring of the campaign is ongoing.

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Posted in SecurityComments Off


Fake Certificate in Malware – with Message

Every now and then, malware authors send us virus researchers messages, for example inside the compiled binary itself or as debug output. We recently found a Zbot Trojan variant that tries to evade detection by carrying a digital certificate, which makes it look more legitimate. This certificate is registered to “DetectMe! :) ”, and the file also has random data appended after the certificate.

We see hints like these regularly: malware authors proposing names for their malicious creations, or suggesting a place where a signature-based detection would fit. Of course, we ignore such hints when building detection, but they make us smile for a moment.

In this special case, our heuristics already notice other suspicious properties of the file and Avira thus detects the malware as TR/Crypt.ULPM.Gen.

Stefan Kurtzhals
Engine R&D

Dirk Knop
Technical Editor

Posted in AviraComments Off

“Successful” Twitter malware proves it once more

Earlier this week new Twitter malware spread very quickly in the Twitter community.

The malicious application tweeted two messages similar to the following to the infected users’ followers:

directly followed by:

Those who clicked the link and allowed the application to connect to their Twitter account were infected.

The point I want to make in this posting is:

Most of those who fell for the scam would not have been tricked if it were presented in another communication medium than Twitter.

 

We have learned to be on guard against malware scams in communication vehicles like email and – to some extent – instant messaging systems like Windows Live Messenger. However, whenever we are presented with quite unsophisticated scams like these Twitter messages in a new channel, we fall for them.

The lesson to learn from this is that we must get better at distinguishing between the medium and the message. It is the message that should be scrutinized, regardless of the medium used to present it.

If you were one of those infected by this Twitter worm, you should revoke Profile Spy’s access rights in your Twitter client (Settings -> Connections).

Posted in NormanComments Off

3 Tools to Scan the File System With Custom Malware Signatures

When analyzing malware discovered during a security incident, the investigator often formulates indicators of compromise (IOCs): the signs of infection that can help the enterprise determine what systems may have been compromised. The incident responder might create a signature for the malware sample he or she examined. How can the organization look for this malicious file across the file systems in its environment without waiting for its antivirus vendor to generate the signature?

Unfortunately, no traditional antivirus tools that I’ve encountered allow their users to use custom signatures. That’s a pity, since the enterprise could have used the AV engine already deployed across its IT infrastructure to scan the file system for IOCs. Fortunately, I’ve come across 3 free tools that an organization can use to scan files using a custom signature: ClamAV, YARA and Vscan.

ClamAV for Custom Malware Signatures

ClamAV is a free antivirus engine. Its Unix version allows the user to create custom signatures for files based not only on their cryptographic hash, but also on fingerprints of file sections and on specific byte sequences, with support for wildcards and for combining signatures according to Boolean rules.

ClamAV seems well-suited for scanning file systems for signs of identified malware samples if you can run the scan from a Unix host. (In this use-case, you’d ignore the signatures that ClamAV comes with.) Maintainers of the ClamAV project created a manual to document the process of creating signatures for ClamAV.

YARA for Custom Malware Signatures

YARA is a free tool for “helping malware researchers to identify and classify malware samples.” Like ClamAV, it can scan files using custom signatures, looking for byte sequences and strings; its signature syntax also supports regular expressions and conditionals.

YARA runs on most operating systems, and is also available as an extensible Python library. Its website includes a user manual that describes how to create custom malware signatures. The website also provides several sets of signatures that could be used as a starting point to learn about creating your own.

Vscan for Custom Malware Signatures

Vscan is a free toolkit for “making fast but crude measurements of the prevalence of named textual features in algorithmically selected samples of large corpora.” In other words, it can scan files to identify those that match user-specified patterns. It’s designed to run on Unix systems.

Vscan is shipped with a custom signature file for identifying local web pages that match common malware signatures; this file can be a starting point for understanding the tool’s signature-creation syntax, alongside the documentation that is available on the tool’s website. In addition to identifying the files that match custom signatures, the tool includes components that generate reports that can scale across a large number of findings.

Perhaps some day traditional antivirus vendors will allow administrators to deploy custom signatures using the engines already installed on most systems in the enterprise. In the meantime, ClamAV, YARA and Vscan are free tools for identifying the files that match IOCs relevant to a particular security incident. These tools are an excellent addition to an incident responder’s toolkit.
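To make the signature features described above concrete, here is an added example (not code from ClamAV, YARA or Vscan) of a minimal custom-signature scanner: it supports whole-file hash IOCs, hex byte sequences with ClamAV-style `??` and `*` wildcards, and a YARA-style Boolean condition over named patterns, and it walks a directory tree the way an incident responder would scan a file system. The sample files, hash and byte patterns in `demo()` are constructed for the example.

```python
"""Added example (not ClamAV, YARA or Vscan code): a minimal custom-signature
scanner with hash IOCs, hex patterns ('??' = one byte, '*' = any gap) and a
Boolean condition over pattern labels. All sample bytes are constructed."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Signature:
    name: str
    sha256: Optional[str] = None                               # whole-file hash IOC
    hex_patterns: Dict[str, str] = field(default_factory=dict)  # label -> hex pattern
    condition: str = "any"              # "any", "all" or an expression over labels


def hex_to_regex(hex_sig: str) -> "re.Pattern[bytes]":
    """Compile a hex signature such as '4d5a??00 * 2e657865' into a bytes regex."""
    cleaned = hex_sig.replace(" ", "")
    tokens = re.findall(r"\?\?|\*|[0-9a-fA-F]{2}", cleaned)
    if "".join(tokens) != cleaned:
        raise ValueError(f"malformed hex signature: {hex_sig!r}")
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")                 # any single byte
        elif tok == "*":
            parts.append(b".*?")               # any number of bytes
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def evaluate(condition: str, hits: Dict[str, bool]) -> bool:
    """Evaluate a condition over pattern labels. Only labels, and/or/not and
    parentheses pass the whitelist, so eval() sees nothing but those tokens."""
    if condition == "any":
        return any(hits.values())
    if condition == "all":
        return all(hits.values())
    if not re.fullmatch(r"[\w\s()]+", condition):
        raise ValueError(f"illegal characters in condition: {condition!r}")
    for tok in re.findall(r"\w+", condition):
        if tok not in ("and", "or", "not") and tok not in hits:
            raise ValueError(f"unknown pattern label: {tok}")
    return bool(eval(condition, {"__builtins__": {}}, dict(hits)))


def match_file(sig: Signature, path: str) -> bool:
    with open(path, "rb") as fh:
        data = fh.read()
    if sig.sha256 is not None:
        return hashlib.sha256(data).hexdigest() == sig.sha256.lower()
    hits = {label: hex_to_regex(pat).search(data) is not None
            for label, pat in sig.hex_patterns.items()}
    return evaluate(sig.condition, hits)


def scan_tree(root: str, sigs: List[Signature]) -> List[Tuple[str, str]]:
    """Walk a directory tree and return (path, signature name) for every match."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                findings.extend((path, s.name) for s in sigs if match_file(s, path))
            except OSError:
                continue                       # unreadable file: skip, keep scanning
    return findings


def demo() -> List[Tuple[str, str]]:
    """Scan a constructed sample tree; hash and byte patterns stand in for the
    IOCs a responder would derive from an analysed sample."""
    known_bad = b"constructed known-bad sample bytes\n"
    sigs = [
        Signature("Known-hash", sha256=hashlib.sha256(known_bad).hexdigest()),
        Signature("Rogue-dropper",
                  hex_patterns={"mz": "4d5a9000",                # 'MZ' DOS header start
                                "marker": "44657465????4d65",    # 'Dete??Me'
                                "url": "2f7075736b2e657865"},    # '/pusk.exe'
                  condition="mz and (marker or url)"),
    ]
    samples = {
        "dropper.bin": b"MZ\x90\x00\x03\x00" + b"\x00" * 8 + b"DetectMe\x00http://c2.invalid/pusk.exe",
        "known_bad.bin": known_bad,
        "readme.txt": b"DetectMe is only a string in this text file",      # marker, no MZ
        "tool.exe": b"MZ\x90\x00legitimate program without the markers",   # MZ, no marker/url
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return sorted((os.path.basename(p), s) for p, s in scan_tree(root, sigs))
```

`demo()` returns only `dropper.bin` (all three patterns) and `known_bad.bin` (hash); the text file that merely contains the marker string and the executable without the markers are not reported.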

Lenny Zeltser

Posted in SecurityComments Off

How Sophisticated are Targeted Malware Attacks?

Malware attacks that exploit vulnerabilities in popular software in order to compromise specific target sets are becoming increasingly commonplace. Prior to the highly publicized “Aurora” attack on Google and at least twenty other companies, targeted malware attacks had been taking place, and they continue to affect government, military, corporate, educational and civil society networks. While such attacks against the US government and related networks are well known, other governments and an increasing number of companies are facing similar threats.

Earlier this year, the Canadian, South Korean and French governments all had serious security breaches of sensitive networks. Recently, the European Commission and the External Action Service were also compromised. There have also been acknowledged security breaches at the security firms RSA and Comodo which—at least in the case of RSA—appear to be the result of targeted malware attacks.

Technically sophisticated or simply well-executed?

Such attacks are almost always described as sophisticated or targeted, adjectives which have basically become synonymous with successful. The statements issued after breaches often suggest that attackers knew exactly what to exploit and, in some cases, exactly what they were looking for. It is difficult to assess such claims based solely on the murky details that emerge publicly. Therefore I am not suggesting that such characterizations are necessarily incorrect. Rather, I am suggesting that the level of targeting and sophistication are results of prior knowledge gained by the attackers and not necessarily caused by some technical brilliance in the tools and methods used.

While most Internet users will never be victims of targeted attacks and are more likely to face common threats such as fake security software (FAKEAV) and banking Trojans (Zeus, SpyEye), there continues to be a steady stream of malware samples that are linked to targeted attacks. However, the actual level of targeting varies considerably. There are some malicious actors that generate more “noise” than others. While they do send out malicious documents, often leveraging specific themes and issues for social engineering, they are received by a relatively large number of potential targets. They are certainly not targeted to the level of an individual or even an organization. However, such attacks may simply be the precursor to much more specific, targeted attacks.

Laying the groundwork

A recent sample, which I received via contagiodump.blogspot.com, illustrates the level of reconnaissance that “noisy” attackers can generate. The malware sample was a .CHM file that exploits Microsoft HTML Help. The malware, which is detected by Trend Micro as CHM_CODEBASE.AG, drops BKDR_SALITY.A and proceeds to generate network traffic with well-known BKDR_SALITY.A servers.

However, the malware made another set of network connections to win{BLOCKED}.dyndns.info. The Web page accessed on this server contains JavaScript code that uses the res:// protocol to enumerate the specific software on the compromised computer and submits the listing to win{BLOCKED}.dyndns.info. This method of using the res:// protocol to enumerate installed software was documented by Billy Rios in 2007. Rios explains that the res:// protocol, which was built into Internet Explorer since version 4.0, can be used to remotely detect specific software present on a computer by simply getting a user to visit a Web page from a browser. As Rios notes, this technique can be used to identify specific applications in order to select an appropriate exploit. It can also be used to detect the presence of specific drives. Years later, this technique is still effective.

The script at win{BLOCKED}.dyndns.info detects an extensive list of software:

  • Microsoft Office (Word and Outlook) from Windows 97 through to 2010
  • Adobe Reader (7.0 to 9.3)
  • Adobe Flash
  • Java
  • Instant messaging programs (Skype, Yahoo! Messenger, MSN, Google Talk, and QQ)
  • Programming and graphics tools (Delphi, .net, Photoshop and Dreamweaver)

It also checks for file sharing programs, Web browsers, remote administration tools, email clients, download managers and media players. Security software is also detected, including major antivirus products and personal firewalls, as well as the PGP encryption software. In addition, it checks for virtual machine software and tries to detect whether it is running inside VMware. Finally, it checks for Microsoft updates from KB842773 through to KB981793.

This malware sample is admittedly odd because it conducts these checks after the user’s computer is already compromised. If this were being used for profiling, wouldn’t it have been done before the attack? One possible explanation is that the attackers are deliberately sending out “noisy” attacks with the hopes that administrators would simply clean compromised systems and move on. However, by then the attackers would have a profile of the machines in an organization that was compromised. They will know the preferred antivirus products, the specific versions of installed software and other information they can use to stage a targeted attack in the future. When the attackers are ready, they will stage an attack aimed at acquiring specific data. The attackers will know exactly what versions of what software to exploit in order to compromise the target. The attack will be characterized as sophisticated and targeted because prior information about the organization has helped make the attack successful.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in TrendmicroComments Off

Protect Files From Malware With Windows Integrity Levels

In an earlier post, I wrote about the use of the powerful Windows feature called mandatory integrity levels (MIC) to protect processes from spyware. In this follow-up note, I’d like to explore how integrity levels can offer additional safeguards for files of malware victims.

Windows Integrity Levels for Files

Windows integrity levels, such as Low, Medium, and High, take precedence over the traditional discretionary access controls, such as those that might prevent one user from accessing another user’s files. The idea of integrity levels is to restrict the access that less-trusted operating system objects have to more-trusted objects.

To observe and manipulate some aspects of integrity level labels on the file system, Windows includes the icacls command-line tool. However, a tool called Chml—which is distributed for free by Mark Minasi—is a more powerful alternative.

Protecting Files from Malware Using Integrity Levels

Let’s say a user wishes to exercise extra care for protecting a particularly sensitive file. For our example, we’ll call it secret.txt:

By default, a file created by a Windows user, even if the person is logged in with administrative privileges, is assigned the Medium integrity level:

The integrity policies displayed by Chml show that an object with a lower integrity level will still be able to read and execute the file, because the “no read up” and “no execute up” policies are disabled by default. However, the object will be unable to write to the file, because the “no write up” policy is enabled.

To make it harder for malware to read the sensitive file, the user can set the integrity level of the file to High and also enable the “no read up” policy. Chml can do this with the parameters “-i:h” (sets the integrity level to High) and “-nr” (enables the “no read up” policy).

Since by default Windows launches processes under the Medium integrity level, user-mode malware running on the victim’s host will be prevented from accessing the file that was assigned the High integrity level. (You can look at integrity levels of processes using Process Explorer.)

In the screenshot above, I used Notepad to simulate malware attempting to access the sensitive file.

If the user wishes to access this file, he or she will need to run the program under the High integrity level. This can be accomplished by selecting “Run as administrator” when launching the program:

Using Windows integrity levels at the file system level provides another way of protecting victims from malware, in addition to the process-based integrity levels approach I discussed earlier. You can also use Windows integrity levels to limit capabilities of exploits.

If this topic interests you, consider the Combating Malware in the Enterprise course I co-authored, which discusses Windows integrity levels among numerous other relevant topics. Also, take a look at the Integrity Levels and DLL Injection write-up by Didier Stevens.

Lenny Zeltser

Posted in SecurityComments Off

Router-Compromising Malware in Latin America

TrendLabsSM is currently taking a look at an interesting .ELF file that is actually an IRC backdoor program. We initially found some code suggesting that it performs brute-force attacks on router user name-password pairs.

This malware is predominantly found in Latin America but we are also checking the extent of infection in other regions. The attacks also work against D-LINK routers though we are also verifying if it works on others.

An infected system also connects to a botnet on IRC servers and is capable of receiving and executing commands. Trend Micro detects the offending code as ELF_TSUNAMI.R. Analysis is ongoing and we will be posting updates as new information is found.

There was an old attack in 2008 that targeted routers in Mexico, which we blogged about in the entry “Targeted Attack in Mexico: DNS Poisoning via Modems.”

Update as of March 11, 2011, 6:08 AM Pacific Time

  • ELF_TSUNAMI.R is MIPS-based (Microprocessor without Interlocked Pipeline Stages)—a processor typically used in small devices such as routers. The means as to how an attacker would be able to drop the said file into a router is not yet determined, but it is possible that the .ELF file is just a component of a much bigger threat.
  • It exploits a vulnerability that affects certain D-Link routers. Successful exploitation of the said vulnerability grants a remote attacker complete administrative access to the affected router.
  • It is also capable of disabling the firewall of the affected router by executing the command /etc/firewall_stop

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in TrendmicroComments Off

Phishing, Spam and Malware Statistics for February 2011

Most abused TLDs
For the phishing URLs, the upward trend observed in January 2011 continued with even more entries in February. We observe again that more and more different TLDs are used to host phishing, an obvious sign that there are a lot of hacked websites and bots out there. The top of the Malware URLs remains almost unchanged, but surprisingly the trend is negative.

              Phishing                                             Malware
 #   Top level domain     %     Deviation from Jan. (%)     Top level domain     %     Deviation from Jan. (%)
 1   .com               51.56    32.44                      .com               38.35      6.80
 2   Others             15.82   100.00                      .info              28.01     93.30
 3   .org                6.20    21.69                      Others              8.78    100.00
 4   .net                5.94     4.42                      IP Address          4.91     99.31
 5   .uk                 3.69    37.41                      .ru                 3.94     -7.36
 6   IP Address          3.22    99.67                      .net                3.79    -27.93
 7   .br                 2.44    -3.66                      .org                2.71    -11.32
 8   .tk                 2.18     7.45                      .cc                 2.69     25.32
 9   .ru                 2.01    15.40                      .br                 1.67    -41.84
10   .tl                 1.23    10.21                      .uk                 1.30     50.00

Spam category statistics
We can only confirm again the trend we observed at the end of 2010: in general, there is less spam out there.

              Sorted by amount                               Sorted by deviation
 #   Category       %     Deviation from Jan. (%)     #   Category       Deviation from Jan. (%)
 1   Other        77.95   -69.35                      1   Malware         0.22
 2   Nigerian      7.50    -1.10                      2   Commercials     0.02
 3   Lottery       5.43    -0.29                      3   Fashion        -0.08
 4   Pharmacy      3.06    -7.71                      4   Jobs           -0.12
 5   University    1.43    -2.36                      5   Casino         -0.15
 6   Software      1.41    -1.86                      6   Lottery        -0.29
 7   Phishing      1.15    -0.56                      7   Phishing       -0.56
 8   Loan          0.70    -0.56                      8   Loan           -0.56
 9   Malware       0.50     0.22                      9   Nigerian       -1.10
10   Jobs          0.32    -0.12                     10   Watch          -1.73

Extension statistics for malware URLs
This month we have seen the situation overturned by the .exe extension, which took the lead because of a 67% increase. However, the most abused extension this month is not .exe but .html. This also makes sense considering the storm of updates for all browsers that took place in February and continues in March as well: the cyber criminals tried to abuse security vulnerabilities in the web browsers.

              Sorted by amount                              Sorted by deviation
 #   Extension      %     Deviation from Jan. (%)     #   Extension     Deviation from Jan. (%)
 1   exe          42.15    67.44                      1   html           75.85
 2   txt          24.93   -15.05                      2   exe            67.44
 3   none         13.16   -35.62                      3   htm            65.90
 4   jpg           4.11    -3.73                      4   rar            58.89
 5   htm           3.70    65.90                      5   gif            50.00
 6   html          3.53    75.85                      6   png            11.54
 7   php           2.37   -31.65                      7   css             0.00
 8   rar           1.53    58.89                      8   com             0.00
 9   gif           1.26    50.00                      9   bat             0.00
10   zip           1.21   -36.62                     10   jpg            -3.73

Most phished brands statistics
The most attacked brand remains Paypal, which is far ahead of the other entries in the top chart. The reason for this is that we have seen an increase in the “other brands” category. It looks like the attempt to attack smaller brands, with potentially more success, is paying off for the phishers.
The biggest ascender this month is HSBC Bank with an 85% increase, which brought it into the top chart (it wasn’t present last month).

              Sorted by amount                                    Sorted by deviation
 #   Brand name           %     Deviation from Jan. (%)     #   Brand name          Deviation from Jan. (%)
 1   Paypal             53.59    55.71                      1   Others               100.00
 2   Others             20.03   100.00                      2   HSBC Bank             85.20
 3   HSBC Bank           5.07    85.20                      3   Bank of America       76.25
 4   Chase Bank          4.43    64.75                      4   Lloyds                65.50
 5   Facebook            4.09    26.33                      5   Chase Bank            64.75
 6   Ebay                3.48  -402.44                      6   Paypal                55.71
 7   Bank of America     3.16    76.25                      7   Banco Santander       50.97
 8   Visa                2.19    46.41                      8   Visa                  46.41
 9   Lloyds              2.07    65.50                      9   Facebook              26.33
10   Banco Santander     1.88    50.97                     10   Ebay                -402.44

URL Shorteners used in malicious activities
Tinyurl.com took the lead among the most abused shorteners for phishing in February. While bit.ly lost ground in the phishing chart, it gained almost the same amount in the malware chart, where it rules the top with more than a 23% advantage over the following entries.

              Phishing                                           Malware
 #   Shortener        %     Deviation from Jan. (%)     Shortener        %     Deviation from Jan. (%)
 1   tinyurl.com    23.88    10.45                      bit.ly         30.00    17.50
 2   tiny.cc        14.93     5.97                      u.nu            7.50     7.50
 3   bit.ly         10.45   -17.91                      ow.ly           7.50     5.00
 4   is.gd           5.97     4.48                      tinyurl.com     5.00     0.00
 5   snipurl.com     4.48     4.48                      tiny.cc         5.00     5.00
 6   ow.ly           4.48     4.48                      zi.ma           2.50     2.50
 7   goo.gl          4.48    -4.48                      tr.im           2.50     2.50
 8   doiop.com       4.48     2.99                      snipurl.com     2.50     2.50
 9   sn.im           2.99     2.99                      sn.im           2.50     2.50
10   notlong.com     2.99    -2.99                      shorl.com       2.50     2.50

Sorin Mustaca
Data Security Expert

Posted in AviraComments Off
