Computer Security Articles

Many Facebook users have contacted the Naked Security team this weekend, reporting that they have fallen victim to a fast-spreading scam that claims you can find out who is stalking you on Facebook and viewing your profile.

Judging by the number of messages posted on the site, the scam spread hard and fast affecting many users. And although Facebook’s security team appears to have been mopping up the mess, and removing the rogue applications and messages, there’s always the chance that it will resurge in a slight different form before too long.

One of the most commonly seen scam messages read:

I just saw who STALKS me on Facebook! You can see who creeps around your profile too! [LINK]

Clicking on the link would take you to a rogue application, that claimed it would tell you who was viewing your Facebook page.

If you approved the subsequent request for the application to be able to access your profile, your own Facebook account would publish the scam link, passing it virally onto your Facebook friends.

The purpose of the scam and the reason why the bad guys wanted it to spam out so quickly? Every user is requested to fill in a survey, which generates money for the scammers behind the scheme.

So, here’s an important message for all Facebook users. There’s no way for you to find out who has been viewing your Facebook profile, or your total number of Facebook profile views, and Mark Zuckerberg isn’t asking you to verify your account either.

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 50,000 people regularly share information on threats and discuss the latest security news.

Hat tip: Thanks to all the Naked Security readers who informed us about this fast-spreading scam.

Full story: Naked Security – Sophos

Has Facebook CEO Mark Zuckerberg really announced that all accounts will be closed today unless users take action?

Of course not. But it’s exactly the type of message that would get many users to click on a link without thinking of the possible consequences – especially if the message appears to have been shared with them by one of their Facebook friends.

Facebook will close down all accounts today. The official announcement was made by Mark Zuckerberg - Facebook Owner.
This is a simple step to keep your account working.
If you want to have you account from now, please verify your account. [LINK]

Clicking on the link isn’t advisable. It takes you to a normal Facebook application permissions dialog, the kind you’re probably all too familiar with if you spend much time on Facebook. However, this dialog box is requesting permissions for a rogue application – clicking “allow” will permit the app to post the message to your wall as well, spreading the link virally to your Facebook contacts.

But if you are carefree enough about what gets posted to your Facebook page, and do decide to hand permission to the app to rummage through your profile, then you will be taken to what appears to be a (poorly punctuated) message from Mark Zuckerberg himself:

Facebook active account verification process.

Facebook is recently becoming very overpopulated, There have been many members complaining that Facebook is becoming very slow.Record shows that the reason is that there are too many non active Facebook members And on the other site too many new Facebook members. We need each and every user to verify their account with our new verification process to see if Members are active or not, Once you have visited this verification. You have 15 minutes to verify your account.If you are active please verify to show that you are active .On failing to do so, The user will be deleted without hesitation to create more space. Sorry for the trouble!

Regards
CEO,Founder of Facebook
Mark Zuckerberg

Here’s a larger version of the message if you want to see it.

But, as you can see, the message which claims to be from Facebook founder Mark Zuckerberg is overlaid with a pop-up which requests you take a quick survey to “verify your account”.

This is where the scammers make their money. Every time you complete a survey you are helping the scammers earn commission. They abuse your Facebook account by posting messages from it, and earn some cash each time a survey is completed by an unsuspecting user.

The message which claims to come from Mark Zuckerberg is bogus, and there is no need to verify your Facebook account to prevent its deletion.

Here’s an alternative version of the scam, which Naked Security reader Krista shared with us after she encountered it:

Mark Zuckerberg - Official Announcement.
The owner of Facebook announced that all the accounts will SHUT DOWN. In order to keep your account, you MUST verify your account TODAY link - [LINK]

If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 50,000 people regularly share information on threats and discuss the latest security news.

Full story: Naked Security – Sophos

Sure, I’ll buy Antivirus.Net.FakeSpyPro rogue.

Yesterday on the GFI Rogue Blog we reported finding the Antivirus.Net rogue security product (FakeSpyPro family).

 (Click on graphic to enlarge)

Today, researcher Patrick Jordan came across the browser hijacking mechanism that the rogue installs to trick a victim into making a purchase. After the “scan” is performed, this is the only page that a browser user will see:

 (Click on graphic to enlarge)

The fractured English – “There might be an active spyware running on your computer” is one giveaway that this isn’t genuine.

Thanks Patrick.

Tom K

Full story: GFI Labs blog

This morning Mark Zuckerberg's Facebook fan page is still down after having a rogue comment posted to the page yesterday.  The short post was seemingly from Mark Zuckerberg but was an unusual message with a political theme.

…(read more)

Full story: Security Labs

Last week I explained how scammers are spreading rogue applications virally over Facebook, pretending to offer you the ability to either see who has been viewing your profile, or count how many views your Facebook profile has received.

I’m afraid that the scams continue to affect Facebook users at a tremendous rate – and the security team at Facebook don’t appear to have been able to stamp it out. Here’s a YouTube video where I show the scam in action:

So, the onus is on Facebook users to be smarter about which links they click on. When I followed one of the links from a Facebook test account I created, it took me to a page which tried to lure me with the offer of a white iPhone. All I had to do was enter my mobile phone number (and thus sign myself up for an expensive premium rate service).

Messages used in the campaign include:

WOW My profile views are : 82629
Girls Views : 32981
Boys Views : 49648
Check yours at - [LINK]

My total facebook views are: 5126
Find out your total profile views @ [LINK]

Now You can see who is watching Your profile! Use this App and check !
[LINK]

OMG!! I didnt believe you could see whos been looking at your profile but it actually works, I now know exactly who has been looking at my pictures Check it out here: @ [LINK]

(Note that the view count numbers used in some of the above messages appear to be random – so you may encounter different examples)

If were hit by this scam and are struggling to clean-up your Facebook profile, here’s a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Make sure that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 50,000 people regularly share information on threats and discuss the latest security news.

Full story: Naked Security – Sophos

Normally I blog about new threats and issues that are popping up in cyberspace, but today I have some good news for you.

On the evening of the 11th of January, a Russian based ISP called Vline Telecom (AS39150) was de-peered from its upstream provider RUNNet.ru. As a result of the disconnect, 9 of the world wide worst Bulletproof Hosters got offline and the number of active Zeus Botnet Command&Control servers dropped from 61 to 41 on 12th of January.

Additionally, in January 2011 I was informed about another takedown of a Ukrainian based ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which resulted in another 5 bulletproof hosters disappearing from the global routing table.

We can say that January 2011 was a very bad start for cybercriminals, as a total of 14 bulletproof hosters have been disconnected from the internet this month.

*** What happened? ***
It all started in March 2010 when I came across the first few ZeuS C&Cs in the network of VLine Telecom:

In 2010, VLine Telecom hosted more than 140 ZeuS Botnet Command&Control Servers. Therefore they managed to get a position in the Worlds Top 10 Bad Hosts:

However, this was just the tip of the iceberg: In June 2010 Vline Telecom started to route a few networks we later came to consider as the worst criminal networks in the world. At the end of 2010 ZeuS Tracker saw a lot of new Command&Control Servers (C&C) popping up in the networks that VLine Telecom provides IP transit for:

As you can see in the list above, VLine Telecom not only hosted a lot of ZeuS C&C servers, they also provided internet access (IP transit) to a lot of different networks which are obviously controlled by cybercriminals.

However, at this time it was also clear that some movement in the situation was needed so Spamhaus issued two SBLs on VLine Telecom’s Upstream provider called GlobalNet Russia (see SBL98570 / SBL96680). As it turned out, this listing was one of the best things Spamhaus did in the last couple of weeks because GlobalNet Russia started to face the problem when nearly every mailserver in the world stopped accepting emails from GlobalNet and their customers.

Additionally, I reached out to GlobalNet on the 15th of December with a immediate de-peering request for VLine Telecom. GlobalNet denied to disconnect VLine Telecom by referring to the Russian Law and the contract that GlobalNet had with VLine Telecom. Fortunately, GlobalNet was very cooperative and my contact there agreed to null route the IP addresses where I had evidence that they actually were bad.

After my chat with GlobalNet the situation improved by the end of 2010. Unfortunately, VLine Telecom still didn’t care about any abuse that came from their networks or their IP transit customers. This resulted in new ZeuS C&C servers popped up there pretty quickly. I had to reach out again to GlobalNet on December 27 2010 with another request to de-peer VLine Telecom immediately.

GlobalNet (as the uptream provider) reached out to VLine Telecom with a request to solve these problems immediately. As a result of the pressure made by GlobalNet, VLine Telecom disconnected the first Bulletproof hoster from the internet:

On January 5th, I was pretty surprised when VLine Telecom suddenly changed their routes and started to route all their traffic over RUNNet.ru, which is the Russian Federal University Network. I guess that VLine Telecom just had enough of GlobalNet null routing all IPs that I reported to them, so they obviously decided to switch to a different upstream provider. At the same time I received an email from VLine Telecom asking me to send any information concerning abuse in their network directly to them instead of to their upstream provider. As VLine contacted me, I decided to give them a chance, so I replied with a long email that contained a list of abuse issues from their networks (you can imagine that the list of current issues was huge). A few minutes later, I received a response from VLine Telecom where they told me that they had blocked the mentioned IP addresses. I was pretty surprised that they had taken action. But unfortunately I made one big mistake: I believed what VLine Telecom told me…

A few hours after the reply from VLine Telecom that they had banned the mentioned IP addresses, I noticed that the hosts were still reachable, but NOT from my IP address. I did some research and I found out that all of the associated networks was blocking traffic which comes from ZeuS Tracker.

You can imagine that I got pretty angry about this, so I decided to reach out to RUNNet.ru with an immediate de-peering request for VLine Telecom. One hour later I got the following message from RUNNet.ru:

A short trace route from different locations just confirmed what RUNNet told me in their email: VLine Telecom was no longer being routed through RUNNet! After the disconnect, it took VLine Telecom just 4 minutes to tell RUNNet and me that they had disconnected all IP transit customers.

After some downtime of VLine Telecom (and of course all their customers) GlobalNet decided to start routing of VLine Telecom again through GlobalNet’s network. As soon as they were up and running again we checked that the before mentioned networks were no longer being routed by VLine Telecom.

*** Current status ***
As of January 22nd, VLine Telecom is routed through GlobalNet Russia and the mentioned 9 networks above are not being announced in the global routing table. It didn’t get so far as to get VLine Telecom permanently disconnected, but I think I made a pretty good arrangement with GlobalNet to monitor the situation of their downstreams for a while.

*** Further takedowns ***
On January 17th, I was informed about another takedown; this time it was an ISP called ONLINENET SPD Andreychuk Andrey Alekseevich (AS50722) which had been disconnected by its upstream provider called ISV4 (AS21379 – intersv.com). Because ONLINENET provided IP transit to another 5 bulletproof hosters, these also were forced offline in January 2011:

*** What we have learned from the VLine-case ***
While investigating the VLine-case I made a lot of new experiences. The first and most relevant one is: Not every Russian speaking guy is a cybercriminal

When I started my investigation at GlobalNet and RUNNet I was completely unsure whether I could trust them or not. Today I know that I can trust them and that they have done (and of course are still doing) a very good job to solve the issues within their responsibility.

With the knowledge that I gained in the VLine-case I’m now able to draw the following network map:

The second thing I learned is that there are often language problems. As you see in the chart above I (still) consider VLine as bad. However, I have to say that some times I had the feeling that they just didn’t know what they were doing (from a technical perspective) and that they didn’t understand what I wanted to tell them (language problem).

Anyway, I still have the opinion that VLine Telecom should be permanently disconnected, but I also know that they now are aware of the situation and that the whole world is now (at least after this blog post) watching their behaviour and actions closely.

Last but not least I would like to thank GlobalNet Russia and RUNNet for all their efforts and their help to get the problem with VLine Telecom solved.

Bookmark, tagg it or email it to a friend:

More »

Full story: abuse.ch

In a move that could herald a new level of danger for Facebook users, third party application developers are now able to access your home address and mobile phone number.

Facebook has announced that developers of Facebook apps can now gather the personal contact information from their users.

I realise that Facebook users will only have their personal information accessed if they “allow” the app to do so, but there are just too many attacks happening on a daily basis which trick users into doing precisely this.

Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission – and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service.

Now, shady app developers will find it easier than ever before to gather even more personal information from users. You can imagine, for instance, that bad guys could set up a rogue app that collects mobile phone numbers and then uses that information for the purposes of SMS spamming or sells on the data to cold-calling companies.

The ability to access users’ home addresses will also open up more opportunities for identity theft, combined with the other data that can already be extracted from Facebook users’ profiles.

You have to ask yourself – is Facebook putting the safety of its 500+ million users as a top priority with this move?

Wouldn’t it better if only app developers who had been approved by Facebook were allowed to gather this information? Or – should the information be necessary for the application – wouldn’t it be more acceptable for the app to request it from users, specifically, rather than automatically grabbing it?

It won’t take long for scammers to take advantage of this new facility, to use for their own criminal ends.

My advice to you is simple: Remove your home address and mobile phone number from your Facebook profile now. While you’re at it, go through our step-by-step guide for how to make your Facebook profile more private.

If you’re a Facebook user, you should also consider joining the Sophos Facebook page where we regularly discuss how you can use Facebook more safely, and warn of the latest scams and internet attacks.

Full story: Naked Security – Sophos

I thought I would make a quick post about rogue security software, something the AV industry really hates and that affects thousands of bystanders. First of all, I’d like to comment on the actual name: ROGUE. It irks me to see so many people spell it wrong… namely ROUGE. Now that this is out of [...]

Full story: Malware Diaries

Internet has come of age, and with it malicious software and related infections. Viruses, Trojans and advertising software and popups have been there and the numbers have increased with time. With the advent of new century, especially in last 5 years, there has been an introduction to newer types of malicious software, namely spywares and rogue security software.

Full story: a-squared – English

A brief history of sorts by Sunbelt/GFI of the recent phenomenon of rogue anti-malware programs indicates that the production of them has leveled off in recent years. In fact, GFI found exactly the same number of them in 2010 as they did in 2009.

The number of these programs, which mimic anti-malware programs, attempting to trick the user into believing they have some sort of infection and need to pay to have it removed, jumped up rapidly in 2007 and 2008. GFI suggests that this proliferation of variants was largely to counter improvements in detection in genuine security software.

The story also describes a more recent development, the impersonation of other utilities, such as defragger software.

Full story: Security Watch

Once again, a rogue application is spreading virally between Facebook users pretending to offer you a way of seeing who has viewed your profile.

As we’ve described a couple of times before, plenty of Facebook users would *love* to know who has been checking them out online.. but unfortunately scammers are aware of this, and use the lure of such functionality as a way to trick you into making bad decisions.

Messages spreading rapidly across the Facebook social network right now say:

OMG OMG OMG... I cant believe this actually works! Now you really can see who viewed your profile! on [LINK]

If you’re tempted to click on the link you’re taken to a webpage which encourages you to go a little deeper and permit an application to have access to your Facebook profile.

But do you really want complete strangers to be able to email you, access your personal data and even post messages to any Facebook pages you may administer?

If you’ve got this far then you really shouldn’t go any further. Scams like this have been used to earn commission for the mischief makers behind them, who have no qualms about using your Facebook profile to spread their spammy links even further.

Because if you do continue, you’ll find that your profile will be yet another victim of the viral scam – spreading the message to all of your online Facebook friends and family. And no, you don’t ever find out who has been viewing your profile.

Ever wondered how many people fall for a scam like this? Well, the figures can be shocking. This current campaign is using a variety of different links – but via bit.ly we can see that at least one of them has already tricked nearly 60,000 people into clicking.

I’ve informed the security teams at both bit.ly and Facebook about these links, and requested that they be shut down as soon as possible.

Always think before you add an unknown application on Facebook, and ask yourself if you’re really comfortable with ceding such power to complete strangers. Rogue application attacks like this, spreading virally, are becoming increasingly common – and do no good for anyone apart from the scammers behind them.

If you’ve been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites.

And don’t forget to warn your friends about scams like this and teach them not to trust every link that is placed in front of them. You can learn more about security threats by joining the thriving community on the Sophos Facebook page.

Security Inspector 2010 is a rogue security product in the UnVirex family that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

Threat name: SecurityInspector2010

Security Inspector 2010 install screens:

 
(Click on graphic to enlarge)


(Click on graphic to enlarge)

Security Inspector 2010 graphic interface:

(Click on graphic to enlarge)

Files created:

APPDATA%%APPDATA%Security Inspector 2010Microsoft\Internet Explorer\Quick Launch\Security Inspector 2010.lnk

APPDATA%%APPDATA%Security Inspector 2010Security Inspector 2010\Security_Inspector_2010.exe

APPDATA%%APPDATA%Security Inspector 2010Security Inspector 2010\securitycenter.exe

APPDATA%%APPDATA%Security Inspector 2010Security Inspector 2010\securityhelper.exe

APPDATA%%APPDATA%Security Inspector 2010Security Inspector 2010\taskmgr.dll

Registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Security Inspector 2010

HKEY_CURRENT_USER\Software\Security Inspector 2010

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Security Inspector 2010

Family history:

5/26/2009          UnVirex
9/6/2009            ContraViro
12/30/2009        AntivirusPC2009
1/22/2010          DesktopSecurity2010
10/14/2010        AntivirusStudio2010
10/27/2010        AntivirusSolution2010
11/13/2010        SecurityInspector2010

Associated sites

antivirusstudio.com
antivirusstudio2010.com
antivirusstudio2010net.com
antivirusstudio2010url.com
antivirusstudioltd2010.com
antivirusstudionet.com
antivirusstudionew2010.com
antivirusstudiosoft2010.com
my-www.tk
scaner-aby.tk
scaner-bro.tk
scaner-bug.tk
scaner-byhj.tk
scaner-core.tk
scaner-creed.tk
scaner-csd.tk
scaner-cst.tk
scaner-cut.tk
scaner-i.tk
scaner-idea.tk
scaner-if.tk
scaner-k.tk
scaner-ka.tk
scaner-kde.tk
scaner-king.tk
scaner-kk.tk
scaner-kl.tk
scaner-kv.tk
scaner-neo.tk
scaner-news.tk
scaner-tdom.tk
scaner.tk
securityinspector2010.com
totalcodec.com
viruscleaner2010.com
viruscleaner2011.com
web-carm.tk
x-cash-x.com
 
How to remove Security Inspector 2010:

If   Security Inspector 2010 has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Security Inspector 2010 from your computer now.

Source: Rogue Antispyware

UltraDefragger is a rebranding of the SystemDefragmenter rogue security product from last month. It pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application.

UltraDefragger warning pop-up:

(Click on graphic to enlarge)

UltraDefragger graphic interface:

 
(Click on graphic to enlarge)

UltraDefragger is a re-branding of the SystemDefragmenter rogue.

Files added:

%USERPROFILE%\Local Settings\Temp\<random_name>.dll %USERPROFILE%\Local Settings\Temp\<random_numbers>.exe

Directory added:

%USERPROFILE%\Start Menu\Programs\Ultra Defragger

How to remove UltraDefragger:

If  UltraDefragger has infected your pc, you should remove it immediately. Click here to use VIPRE to remove UltraDefragger from your computer now.

Source: Rogue Antispyware

ScanDisk is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application. It’s new clone of the Defragger family.

Threat name: ScanDisk-Defragger

ScanDisk warning pop-up window:

  
(Click on graphic to enlarge)

ScanDisk graphic user interface

(Click on graphic to enlarge)

How to remove ScanDisk:

If  ScanDisk has infected your pc, you should remove it immediately. Click here to use VIPRE to remove ScanDisk from your computer now.

Source: Rogue Antispyware

149.474 is now available, new definition file for Ad-Aware 8.2.

150.159 is now available, new definition file for Ad-Aware 8.3.

New definitions:
====================
Win32.Backdoor.Stapome
Win32.FraudTool.UltraDefragger
Win32.Trojan.Fidgen

Updated definitions:
====================
ASP.Backdoor.Ace
BAT.Backdoor.Teldoor
BAT.TrojanPWS.Labt
FunWeb
JS.Exploit.Pdfka
JS.Trojan.StartPage
JS.TrojanClicker.Agent
MSIL.Backdoor.Agent
MSIL.Trojan.Agent
MSIL.TrojanDropper.Late
MSIL.TrojanDropper.StubRC
MSIL.TrojanPWS.Agent
MSIL.TrojanPWS.Dybalom
MSIL.TrojanSpy.Agent
MSIL.TrojanSpy.KeyLogger
MSIL.TrojanSpy.Zbot
MSIL.Worm.NsMes
MSIL.Worm.Reflesh
MSIL.Worm.Volosat
MyWebSearch
NSIS.Trojan.StartPage
NSIS.Trojan.Voter
VBS.Trojan.Agent
VBS.Trojan.HideIcon
VBS.TrojanClicker.Agent
VBS.TrojanDownloader.Agent
VBS.TrojanDownloader.Small
Win32.Adware.AdMedia
Win32.Adware.AdRotator
Win32.Adware.AdSubscribe
Win32.Adware.Admoke
Win32.Adware.Adwin
Win32.Adware.Agent
Win32.Adware.Allsum
Win32.Adware.Altnet
Win32.Adware.Aureate2
Win32.Adware.BHO
Win32.Adware.Boran
Win32.Adware.CashOn
Win32.Adware.Cinmus
Win32.Adware.CometSystems
Win32.Adware.DM
Win32.Adware.Delf
Win32.Adware.DigitalNames
Win32.Adware.Domhel
Win32.Adware.DuDu
Win32.Adware.Ejik
Win32.Adware.Eztracks
Win32.Adware.EzuLa
Win32.Adware.F1Organizer
Win32.Adware.FakeP2P
Win32.Adware.FearAds
Win32.Adware.Gamevance
Win32.Adware.Lop
Win32.Adware.MDH
Win32.Adware.NavExcel
Win32.Adware.NaviPromo
Win32.Adware.OneStep
Win32.Adware.Podcast
Win32.Adware.RON
Win32.Adware.Reklosoft
Win32.Adware.SearchIt
Win32.Adware.ShowBehind
Win32.Adware.SideFind
Win32.Adware.SurfSide
Win32.Adware.WSearch
Win32.Adware.Wintol
Win32.Adware.Zwangi
Win32.Backdoor.Agent
Win32.Backdoor.Agobot
Win32.Backdoor.Assasin
Win32.Backdoor.Bancodor
Win32.Backdoor.Bandok
Win32.Backdoor.Bandoora
Win32.Backdoor.Banito
Win32.Backdoor.BeastDoor
Win32.Backdoor.Bifrose
Win32.Backdoor.BlackHole
Win32.Backdoor.Bredolab
Win32.Backdoor.Buterat
Win32.Backdoor.Cetorp
Win32.Backdoor.Chyopic
Win32.Backdoor.CiaDoor
Win32.Backdoor.Cindyc
Win32.Backdoor.Clampi
Win32.Backdoor.Curioso
Win32.Backdoor.DarkMoon
Win32.Backdoor.Darkshell
Win32.Backdoor.Death
Win32.Backdoor.Delf
Win32.Backdoor.Donbot
Win32.Backdoor.DsBot
Win32.Backdoor.EggDrop
Win32.Backdoor.Firstinj
Win32.Backdoor.Goolbot
Win32.Backdoor.GrayBird
Win32.Backdoor.HacDef
Win32.Backdoor.Harebot
Win32.Backdoor.Havar
Win32.Backdoor.Hobbit
Win32.Backdoor.HttpBot
Win32.Backdoor.Hupigon
Win32.Backdoor.IRCBot
Win32.Backdoor.Inject
Win32.Backdoor.Irc
Win32.Backdoor.Ircnite
Win32.Backdoor.Jewdo
Win32.Backdoor.JokerDoor
Win32.Backdoor.Joleee
Win32.Backdoor.Kbot
Win32.Backdoor.Koutodoor
Win32.Backdoor.Krafcot
Win32.Backdoor.Kredoor
Win32.Backdoor.Lavandos
Win32.Backdoor.Lolbot
Win32.Backdoor.Mex
Win32.Backdoor.MoSucker
Win32.Backdoor.Nbdd
Win32.Backdoor.Nepoe
Win32.Backdoor.NewRest
Win32.Backdoor.Nuclear
Win32.Backdoor.Obana
Win32.Backdoor.Optix
Win32.Backdoor.PcClient
Win32.Backdoor.Phanta
Win32.Backdoor.Phoenix
Win32.Backdoor.Poebot
Win32.Backdoor.Poison
Win32.Backdoor.PoisonIvy
Win32.Backdoor.PopWin
Win32.Backdoor.Prorat
Win32.Backdoor.Prosti
Win32.Backdoor.Protector
Win32.Backdoor.Protux
Win32.Backdoor.RBot
Win32.Backdoor.Ripinip
Win32.Backdoor.SDBot
Win32.Backdoor.Shark
Win32.Backdoor.Sheldor
Win32.Backdoor.Shiz
Win32.Backdoor.Singu
Win32.Backdoor.Sinowal
Win32.Backdoor.Small
Win32.Backdoor.Snart
Win32.Backdoor.SpyAll
Win32.Backdoor.SubSeven
Win32.Backdoor.Swz
Win32.Backdoor.TDSS
Win32.Backdoor.Torr
Win32.Backdoor.Turkojan
Win32.Backdoor.UltimateDefender
Win32.Backdoor.VB
Win32.Backdoor.VanBot
Win32.Backdoor.Vipdataend
Win32.Backdoor.Visel
Win32.Backdoor.Vyrub
Win32.Backdoor.Whimoo
Win32.Backdoor.WinUoj
Win32.Backdoor.Xyligan
Win32.Backdoor.Yobdam
Win32.Backdoor.Yoddos
Win32.Backdoor.Yurist
Win32.Backdoor.ZeroPot
Win32.Backdoor.Zzslash
Win32.Backdoor.mIRC-based
Win32.BackdoorIRC.Zapchast
Win32.BadJoke.BadJoke
Win32.Dialer.Agent
Win32.Dialer.Small
Win32.Dialer.Trojan
Win32.Exploit.IMG-WMF
Win32.Exploit.Imail
Win32.Exploit.MS04-007
Win32.Exploit.MS05-017
Win32.Flooder.MobileBomb
Win32.Flooder.Vknkte
Win32.FraudTool.AntiMalwarePRO
Win32.FraudTool.DesktopDefender2010
Win32.FraudTool.PcCleanPro
Win32.FraudTool.SpywareIsolator
Win32.FraudTool.WinFixer
Win32.Hoax.ArchSMS
Win32.Hoax.Bravia
Win32.Hoax.Gsmgen
Win32.Hoax.Renos
Win32.Hoax.Screensaver
Win32.IMFlooder.ICQBomber
Win32.IMFlooder.VB
Win32.Monitor.ActiveKeyLogger
Win32.Monitor.ActualSpy
Win32.Monitor.AdvancedNetMonitor
Win32.Monitor.Agent
Win32.Monitor.Ardamax
Win32.Monitor.Delf
Win32.Monitor.DeskScout
Win32.Monitor.EliteKeylogger
Win32.Monitor.HiddenCamera
Win32.Monitor.HomeKeylogger
Win32.Monitor.Hooker
Win32.Monitor.KGBSpy
Win32.Monitor.KeyLogger
Win32.Monitor.MonitorSniffer
Win32.Monitor.Orvell
Win32.Monitor.PCAgent
Win32.Monitor.PCSpy
Win32.Monitor.PowerSpy
Win32.Monitor.RealSpy
Win32.Monitor.SCKeyLog
Win32.Monitor.SpyKeylogger
Win32.Monitor.SpyMyPC
Win32.Monitor.StaffCop
Win32.Monitor.WebSiteSpy
Win32.Monitor.XPCSpy
Win32.P2PWorm.Agent
Win32.P2PWorm.Bacteraloh
Win32.P2PWorm.Deecee
Win32.P2PWorm.Palevo
Win32.Rootkit.Agent
Win32.Rootkit.Bezopi
Win32.Rootkit.Bubnix
Win32.Rootkit.Fdog
Win32.Rootkit.Mediyes
Win32.Rootkit.Small
Win32.Rootkit.TDSS
Win32.Rootkit.Tent
Win32.SMSFlooder.Ideknet
Win32.Toolbar.Agent
Win32.Toolbar.ChameleonTom
Win32.Toolbar.RK
Win32.Toolbar.WhenU
Win32.Trojan.Agent
Win32.Trojan.Agent2
Win32.Trojan.Antavmu
Win32.Trojan.AutoHK
Win32.Trojan.AutoIT
Win32.Trojan.BAT
Win32.Trojan.BHO
Win32.Trojan.Bepiv
Win32.Trojan.Buzus
Win32.Trojan.C4dlmedia
Win32.Trojan.Cariez
Win32.Trojan.Cdur
Win32.Trojan.Chifrax
Win32.Trojan.Chydo
Win32.Trojan.Cidres
Win32.Trojan.Clicker
Win32.Trojan.ConnectionService
Win32.Trojan.Cosmu
Win32.Trojan.Cossta
Win32.Trojan.DNSchanger
Win32.Trojan.DelFiles
Win32.Trojan.Delf
Win32.Trojan.Delfinject
Win32.Trojan.Dialui
Win32.Trojan.Dire
Win32.Trojan.Eckut
Win32.Trojan.Exedot
Win32.Trojan.FakeAV
Win32.Trojan.Fakems
Win32.Trojan.Feedel
Win32.Trojan.Firulozer
Win32.Trojan.FlyStudio
Win32.Trojan.Fraudpack
Win32.Trojan.Genome
Win32.Trojan.Gibi
Win32.Trojan.Gipneox
Win32.Trojan.Goriadu
Win32.Trojan.Grom
Win32.Trojan.Hooker
Win32.Trojan.Hrup
Win32.Trojan.Inject
Win32.Trojan.Jexec
Win32.Trojan.Jkfg
Win32.Trojan.KeyLoma
Win32.Trojan.KillAV
Win32.Trojan.Kilva
Win32.Trojan.Koblu
Win32.Trojan.Kreeper
Win32.Trojan.Llac
Win32.Trojan.Logoninvader
Win32.Trojan.MMM
Win32.Trojan.Mahato
Win32.Trojan.Mailfinder
Win32.Trojan.Mejax
Win32.Trojan.Mepaow
Win32.Trojan.Midgare
Win32.Trojan.Migotrup
Win32.Trojan.Miser
Win32.Trojan.Monder
Win32.Trojan.Naiput
Win32.Trojan.Obfuscated
Win32.Trojan.Ormimro
Win32.Trojan.Pakes
Win32.Trojan.Pasmu
Win32.Trojan.Pasta
Win32.Trojan.Phires
Win32.Trojan.Pincav
Win32.Trojan.Pirminay
Win32.Trojan.PopUpper
Win32.Trojan.Powp
Win32.Trojan.Qhost
Win32.Trojan.Rabbit
Win32.Trojan.Refroso
Win32.Trojan.Regrun
Win32.Trojan.Rettesser
Win32.Trojan.Riner
Win32.Trojan.Rozena
Win32.Trojan.Sadenav
Win32.Trojan.Sasfis
Win32.Trojan.Scar
Win32.Trojan.Sefnit
Win32.Trojan.ShipUp
Win32.Trojan.Siscos
Win32.Trojan.Skillis
Win32.Trojan.Skor
Win32.Trojan.Slefdel
Win32.Trojan.Small
Win32.Trojan.Smardf
Win32.Trojan.Spy
Win32.Trojan.Staget
Win32.Trojan.StartPage
Win32.Trojan.Starter
Win32.Trojan.Swisyn
Win32.Trojan.Swizzor
Win32.Trojan.Tdss
Win32.Trojan.Tirnod
Win32.Trojan.VB
Win32.Trojan.Vaklik
Win32.Trojan.Vapsup
Win32.Trojan.Vbkrypt
Win32.Trojan.Vilsel
Win32.Trojan.Vkhost
Win32.Trojan.Vpuzus
Win32.Trojan.Workir
Win32.Trojan.Xih
Win32.Trojan.Zmunik
Win32.Trojan.Zybr
Win32.TrojanClicker.Agent
Win32.TrojanClicker.AutoIT
Win32.TrojanClicker.BHO
Win32.TrojanClicker.Cycler
Win32.TrojanClicker.Delf
Win32.TrojanClicker.VB
Win32.TrojanClicker.VBiframe
Win32.TrojanClicker.Vesloruki
Win32.TrojanDDoS.Agent
Win32.TrojanDDoS.Boxed
Win32.TrojanDownloader.Adload
Win32.TrojanDownloader.Agent
Win32.TrojanDownloader.Alphabet
Win32.TrojanDownloader.Apher
Win32.TrojanDownloader.Asune
Win32.TrojanDownloader.Autoit
Win32.TrojanDownloader.BHO
Win32.TrojanDownloader.Bagle
Win32.TrojanDownloader.Banload
Win32.TrojanDownloader.BaoFa
Win32.TrojanDownloader.Boltolog
Win32.TrojanDownloader.Calipr
Win32.TrojanDownloader.Clopack
Win32.TrojanDownloader.CodecPack
Win32.TrojanDownloader.ConHook
Win32.TrojanDownloader.Cyrel
Win32.TrojanDownloader.Dadobra
Win32.TrojanDownloader.Delf
Win32.TrojanDownloader.Dluca
Win32.TrojanDownloader.Fload
Win32.TrojanDownloader.FlyStudio
Win32.TrojanDownloader.Fraudload
Win32.TrojanDownloader.Genome
Win32.TrojanDownloader.Geral
Win32.TrojanDownloader.Hmir
Win32.TrojanDownloader.Homa
Win32.TrojanDownloader.Hover
Win32.TrojanDownloader.ISTBar
Win32.TrojanDownloader.Injecter
Win32.TrojanDownloader.Lipler
Win32.TrojanDownloader.Losabel
Win32.TrojanDownloader.Metfok
Win32.TrojanDownloader.Mufanom
Win32.TrojanDownloader.Murlo
Win32.TrojanDownloader.Mutant
Win32.TrojanDownloader.NSIS
Win32.TrojanDownloader.Nurech
Win32.TrojanDownloader.Obfuscated
Win32.TrojanDownloader.Obitel
Win32.TrojanDownloader.PepperPaper
Win32.TrojanDownloader.Peregar
Win32.TrojanDownloader.Pgino
Win32.TrojanDownloader.Pher
Win32.TrojanDownloader.Radonl
Win32.TrojanDownloader.Refroso
Win32.TrojanDownloader.RtkDL
Win32.TrojanDownloader.Selvice
Win32.TrojanDownloader.Small
Win32.TrojanDownloader.Sumara
Win32.TrojanDownloader.Tobor
Win32.TrojanDownloader.Trad
Win32.TrojanDownloader.VB
Win32.TrojanDownloader.WebDown
Win32.TrojanDownloader.Winad
Win32.TrojanDownloader.Zlob
Win32.TrojanDownloader.Zudz
Win32.TrojanDropper.Agent
Win32.TrojanDropper.Aholic
Win32.TrojanDropper.Autoit
Win32.TrojanDropper.BHO
Win32.TrojanDropper.Binder
Win32.TrojanDropper.Blastit
Win32.TrojanDropper.Blocker
Win32.TrojanDropper.Bototer
Win32.TrojanDropper.Champ
Win32.TrojanDropper.Clons
Win32.TrojanDropper.Cryptrun
Win32.TrojanDropper.Danseed
Win32.TrojanDropper.Decay
Win32.TrojanDropper.Delf
Win32.TrojanDropper.Dron
Win32.TrojanDropper.Drooptroop
Win32.TrojanDropper.Ekafod
Win32.TrojanDropper.Flystud
Win32.TrojanDropper.Hdrop
Win32.TrojanDropper.HeliosBinder
Win32.TrojanDropper.Joiner
Win32.TrojanDropper.Juntador
Win32.TrojanDropper.KGen
Win32.TrojanDropper.Klop
Win32.TrojanDropper.Kwotc
Win32.TrojanDropper.MSIL
Win32.TrojanDropper.Meci
Win32.TrojanDropper.Microjoin
Win32.TrojanDropper.MuDrop
Win32.TrojanDropper.MultiJoiner
Win32.TrojanDropper.NSIS
Win32.TrojanDropper.Pasdon
Win32.TrojanDropper.Pendr
Win32.TrojanDropper.Pincher
Win32.TrojanDropper.Purityscan
Win32.TrojanDropper.Renum
Win32.TrojanDropper.Scheduler
Win32.TrojanDropper.Shiz
Win32.TrojanDropper.Small
Win32.TrojanDropper.Stabs
Win32.TrojanDropper.Startpage
Win32.TrojanDropper.TDSS
Win32.TrojanDropper.Tab
Win32.TrojanDropper.Typic
Win32.TrojanDropper.VB
Win32.TrojanDropper.Vidro
Win32.TrojanDropper.Wlord
Win32.TrojanDropper.Zaslanetzh
Win32.TrojanDropper.taob
Win32.TrojanMailfinder.Delf
Win32.TrojanMailfinder.Gadina
Win32.TrojanNotifier.Faceless
Win32.TrojanPWS.Agent
Win32.TrojanPWS.Batist
Win32.TrojanPWS.Bjlog
Win32.TrojanPWS.Delf2
Win32.TrojanPWS.Dybalom
Win32.TrojanPWS.Eruwbi
Win32.TrojanPWS.Fakemsn
Win32.TrojanPWS.Frethoq
Win32.TrojanPWS.Gamad
Win32.TrojanPWS.IcqSmiley
Win32.TrojanPWS.Kates
Win32.TrojanPWS.Kukuraz
Win32.TrojanPWS.Kykymber
Win32.TrojanPWS.LdPinch
Win32.TrojanPWS.Lmir
Win32.TrojanPWS.Magania
Win32.TrojanPWS.Maran
Win32.TrojanPWS.Mfirst
Win32.TrojanPWS.Minild
Win32.TrojanPWS.Nilage
Win32.TrojanPWS.OnlineGames
Win32.TrojanPWS.PdPinch
Win32.TrojanPWS.QQGame
Win32.TrojanPWS.QQPass
Win32.TrojanPWS.QQShou
Win32.TrojanPWS.Qqfish
Win32.TrojanPWS.Rumrux
Win32.TrojanPWS.Staem
Win32.TrojanPWS.Steam
Win32.TrojanPWS.Tibia
Win32.TrojanPWS.VB
Win32.TrojanPWS.Vkont
Win32.TrojanPWS.WOW
Win32.TrojanPWS.WebMoner
Win32.TrojanPWS.Yahupass
Win32.TrojanProxy.Agent
Win32.TrojanProxy.Cimuz
Win32.TrojanProxy.Puma
Win32.TrojanProxy.Ranky
Win32.TrojanProxy.Saturn
Win32.TrojanProxy.Small
Win32.TrojanRansom.Blocker
Win32.TrojanRansom.Chameleon
Win32.TrojanRansom.Digitala
Win32.TrojanRansom.Fakeinstaller
Win32.TrojanRansom.Hexzone
Win32.TrojanRansom.PinkBlocker
Win32.TrojanRansom.PornoBlocker
Win32.TrojanRansom.SMSer
Win32.TrojanRansom.XBlocker
Win32.TrojanSpy.Agent
Win32.TrojanSpy.Amber
Win32.TrojanSpy.BZub
Win32.TrojanSpy.Banbra
Win32.TrojanSpy.Bancos
Win32.TrojanSpy.Banker
Win32.TrojanSpy.Banker2
Win32.TrojanSpy.Banz
Win32.TrojanSpy.Baraklo
Win32.TrojanSpy.Burda
Win32.TrojanSpy.Delf
Win32.TrojanSpy.Dibik
Win32.TrojanSpy.IESpy
Win32.TrojanSpy.Insain
Win32.TrojanSpy.Keylogger
Win32.TrojanSpy.Lordspy
Win32.TrojanSpy.Luzia
Win32.TrojanSpy.Lydra
Win32.TrojanSpy.MultiBanker
Win32.TrojanSpy.Plankton
Win32.TrojanSpy.Pophot
Win32.TrojanSpy.Sincom
Win32.TrojanSpy.Spenir
Win32.TrojanSpy.SpyEx
Win32.TrojanSpy.SpyEyes
Win32.TrojanSpy.VB
Win32.TrojanSpy.Wemon
Win32.TrojanSpy.Zapchast
Win32.TrojanSpy.Zbot
Win32.TrojanSpy.Zcbhiv
Win32.Worm.Agent
Win32.Worm.AutoIt
Win32.Worm.Bybz
Win32.Worm.Carrier
Win32.Worm.Downloader
Win32.Worm.Kido
Win32.Worm.Kolab
Win32.Worm.Kolabc
Win32.Worm.Koobface
Win32.Worm.LockSky
Win32.Worm.LovGate
Win32.Worm.LoveLetter
Win32.Worm.Mabezat
Win32.Worm.Mytob
Win32.Worm.Netsky
Win32.Worm.Pinit
Win32.Worm.Polip
Win32.Worm.Qvod
Win32.Worm.Runfer
Win32.Worm.SDBot
Win32.Worm.Scano
Win32.Worm.Tdownland
Win32.Worm.VB
Win32.Worm.Viking
Win32.Worm.Warezov

MD5 checksum for Ad-Aware 8.2 core.aawdef is 367941b7290ad1b07b1fafcb1cc92fb4

Source: Lavasoft Malware Labs Blog

Compared to some other Eastern European countries, Croatia is not very well known for being a land of malware writers so I was very surprised when I found out that there is a malicious Facebook application targeting Croatian users

As this is an attack on my home ground I spent some time to analyse its components and find out more about the attacker’s skills.

The rogue Facebook app invites users to install a new “Love” Facebook button and uses a malicious Java applet to install a password stealing Trojan. The Trojan is designed to steal Facebook credentials and other passwords from various sources on the system, including Internet Explorer, Firefox and Google Chrome.

The attack reminded me of a recent “Dislike” button attack but it is clearly the work of a different attacker. The Facebook application is actually a simple web page hosted on one of the free web hosting providers.

This handcrafted page contains a tag to load a Java applet to allegedly install the Love Facebook button rather than the usual obfuscated Javascript code with a drive-by exploit.

The applet is not signed so it needs the user permission to be able to access the local file system. The standard Java warning screen is the first indicator that the Love button may induce more negative than positive feelings for the users that will install the applet.

It did not take a lot of skill to decompile the Java code and realize that applet attempts to download and run two additional Windows PE files. One from the same free web hosting provider and the another one from a location which was not accessible when I analysed the attack.

The reason for not being able to access the malicious file is that the user has exceeded the bandwidth limit, which means that either the limit was very low or that many Croatian users have fallen victim of the attack.

Sophos users will be pleased that the Java applet was detected proactively by Sophos as Mal/JavaFKS-B before the attack was seen in the wild.

The other application, downloaded by the applet, is a password stealing Trojan dropper most probably created with a Trojan generator program Facebook Hacker.

The Trojan generator allows the attacker to generate new Trojan variants with no programming skills required. The only other requirement is a dedicated email account which will be used to receive passwords sent from infected systems. In this case the attacker chose to add a layer of a commercial software protection code, to evade the anti-virus detection.

Variants of the Facebook Hacker Trojan have been detected by Sophos since July 2010 as Mal/PWS-BA.

A Trojan generated by Facebook Hacker contains several components designed to steal user credentials including the ones stored by Internet Explorer, Firefox, Google Chrome and various instant messaging applications.

The Trojan’s components are actually freeware applications developed by Nirsoft and they are not made with a malicious intent. However, as with other system utilities, they can be used in a malicious attack.

Overall, this attack is not very significant, when compared to the latest and most sophisticated attacks. It is clearly not a work of an organised and skilled malware writer or a cybercriminal group as we are used seeing in the last few years.

It is nevertheless interesting because it shows that even an unskilled attacker can create a multicomponent attack on social networking applications in areas where user awareness is not as well developed.

I just hope that the Croatian script kiddie will find a more useful hobby in the future.

If you’re a keen Facebook user, you should join our buzzing community on the Sophos Facebook page.

View full post on Naked Security – Sophos

Internet Security Suite is a rogue security product that pretends to find malicious code on a victim’s machine in order to frighten him or her into purchasing this useless application. It’s the latest rogue of the FakeVimes family. Both the downloader and module are detected as FraudTool.Win32.FakeVimes!VB (v).

This replaces SmartEngine.FakeVimes as the latest member of the FakeVimes family

Threat Name: InternetSecuritySuite.FakeVimes

InternetSecuritySuite installer:

(Click on graphic to enlarge)

InternetSecuritySuite graphic interface.

  (Click on graphic to enlarge)

How to remove Internet Security Suite:

If  Internet Security Suite has infected your pc, you should remove it immediately. Click here to use VIPRE to remove Internet Security Suite from your computer now.

View full post on Rogue Antispyware

Whois record for adware-2010.com

Registrant Contact:
Name: Domains by Proxy, Inc.
Address: 15111 N. Hayden Rd., Ste 160, PMB 353
City: Scottsdale, Arizona 85260
Country: United States

hxxp://adware-2010.com
Result: 5/17 (29 %)
Domain Hash: b414c04b50a49afffbe7bccfc2018358
URLVoid
Note: this page does not trigger a “scan” of your computer.

Some related domains:

hxxp://www.antivirus-armor.com/
hxxp://www.anti-virus-professional.com/
hxxp://www.adwareprofessional.com/
hxxp://adwareprofesional.com/
hxxp://adwareprofessional.net/
hxxp://adwareprofessional.org/
hxxp://adware-2009.com/
hxxp://www.antivirus.nhinfosys.com/
hxxp://www.adware-2011.com/
hxxp://adware2010.com/
hxxp://adware2011.com/

The following file was downloaded:
setup.exe
Result: 21/43 (48.8%)
MD5: 161abe66e920925699d88f935838696c
VirusTotal
Anubis Report
ThreatExpert Report

Screenshot examples:

Adware Professional 5.0 home page

When executing the file (setup.exe)

Adware Professional 5.0 installation wizard

View full post on Malware Database

Removal information: deletemalware.blogspot.com

The worst rogue I have ever seen.

“This is video ffrom yourd alst party”

(click graphic to enlarge)

Alert reader Wendy received a link to a dangerous-looking video link through her Facebook private messages that turned out to be malicious. Her Facebook friend, however, hadn’t been suspicious enough.

(click graphic to enlarge)

Clicking on the icon to run the video presented a download – an executable file. It just doesn’t get any more suspicious than that.

It was one of the rogues from the FakeVimes family. To see descriptions of the latest in that family, check out the GFI Rogue Blog here.

Thanks Wendy. Thanks Matthew.

Tom Kelchner

View full post on Sunbelt Blog

Alert reader Laurie (my boss actually) forwarded a copy an email she received from a friend. It said the sender was “…pleased to announce the newest version of Antivirus 2010 for Windows.”

There was a link to click, of course.

(Click graphic to enlarge)

Something called “Antivirus 2010” for sale in November is very odd for three reasons:

1) It’s nearly 2011 and legitimate AV companies are putting out their 2011 versions.
2) There was a rogue security product last year called “Antivirus 2010.”  (VIPRE detection: FraudTool.Win32.Antivirus2010 (v))
3) Although a lot of companies make a product named Anti-Virus 2010, they usually put their name in front of it, such as “Kaspersky Anti-Virus 2010” or “Norton AntiVirus 2010.”

The Antivirus 2010 rogue graphic interface from 2009:

(Click graphic to enlarge)

We checked out the URL (officialversion.ru) in the email, putting in our name and “promotion code” (actually any number will do) , went past the “member login page” that made some mentions of the very legitimate AVG anti-virus company, and went on to a credit card payment page. The REAL AVG company (fourth largest AV vendor in the world) offers “AVG Anti-Virus Free Edition 2011” in addition to security software that users purchase.

We noticed the logo on the page mimicked the colors of the AVG logo:
 

The prices:
– $2.49 per month.
– A two-year “Full Access & Support” choice for $17.49 per month
– Three year “VIP” access for $11.67 per year.
– (optional add on) Firewall for $14.88 – marked down from $39.95
– (optional) Antivirus Pro Version Updates for $8.95.

(Click graphic to enlarge)

We didn’t make a purchase, so, we don’t really know what’s behind the “pay now” button however, you can be sure it isn’t anything good.

We can pretty well conclude that the scam email is offering:

– A rogue security product
– AVG’s Anti-Virus Free Edition, except they charge you before they redirect your browser to AVG’s site for download.
– Something else called “Antivirus 2010” that has no visible presence on the Web.

AVG’s real page is here: http://free.avg.com/us-en/homepage

Thanks Laurie. Thanks Doug. Thanks Patrick.

Tom Kelchner

View full post on Sunbelt Blog

I wonder how much longer rogue AV will ride the wave of major news?  Having recently blogged about Rogue AV riding the US Midterm Elections wave, we spotted further activity on what appeared to be blank pages from the Black Hat SEO we noticed yesterday.  Websense customers are continually being protected against this attack through our Advanced Classification Engine.

In line with what we noticed previously, these blank pages were being prepared for what we can only assume is a major assault today, being election day itself.  This particular attack is browser-aware, as the threats are specific to the browser being used.   

Using the same source as yesterday's Black Hat SEO campaign, the links within the page are now fully primed to become active and ready to serve the malicious content.  The main differences from what we noticed in the previous attack are that no URL is provided in the "script : if (navigator:userAgent.indexOf("MSIE")<0)var url= "http:" part, and in addition the parking page is now active. However, when the link is clicked, the user is still not redirected to the intended malicious site.

Let's start off with the first of the malicious candidates in the rogue AV election Adobe Flash update.  This is specific to Internet Explorer 8, and when the link is activated, the unsuspecting user gets a prompt to install fake Macromedia Flash Components, claiming this is required to view the web site.

The second malicious component, which masquerades as a Firefox update message, is – as can be guessed – specific to Firefox browser users.

As shown above, the user again gets prompted to update Flash player, but this time specific to Firefox.

With all other browsers, we notice it just redirects to the same site for the rogue AV download page we noticed yesterday.

As of the time of writing and publishing this blog, the coverage for the file download prompts for both IE Flash Update and Firefox Flash update was about 27.9% as confirmed by VirusTotal.

View full post on Security Labs

On the eve of the 2010 US Midterm Elections, Websense Security Labs™ ThreatSeeker™ Network has discovered that some search terms related to the ongoing event return sites employing black hat SEO.  Websense customers are protected against this attack through our Advanced Classification Engine.

As you can see, some of the infected sites already come with a warning.  However, there are still a handful of Web sites that do not have warning messages attached to them.  Search terms used in this attack include:

2010 midterm election
midterm election results
midterm election 2010
midterm election latest polls
midterm election 2010
midterm election season
midterm election latest polls gallup

At the time of writing, the black hat SEO'd sites appear benign, only redirecting users to what appears to be a blank page.  A closer look at the code reveals that the page contains a URL to a rogue AV site.

If you copy and paste this URL in your browser, it will redirect you to the rogue AV download page which prompts the user to download inst.exe, identified by 10 of 43 VirusTotal engines.

If you put the pieces together, the black hat SEO'd sites + blank redirect page + blank redirect page containing a URL leading to rogue AV sites, we can now conclude that the bad guys are actively prepping these Web sites for deployment tomorrow when the actual elections happen.  As always, be extra-cautious when clicking links, particularly those related to hot and trending topics and events.

View full post on Security Labs