<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    <title>NOD32 and Virus News - Virus &amp; AntiVirus News</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/</link>
    <description>Everything you wanted to know about NOD32 and Viruses</description>
    <dc:language>en</dc:language>
    <admin:errorReportsTo rdf:resource="mailto:" />
    <generator>Serendipity 0.8.2 - http://www.s9y.org/</generator>
    
    <image>
        <url>http://www.betterantivirus.com/nod32-and-virus-news/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: NOD32 and Virus News - Virus &amp; AntiVirus News - Everything you wanted to know about NOD32 and Viruses</title>
        <link>http://www.betterantivirus.com/nod32-and-virus-news/</link>
        <width>100</width>
        <height>21</height>
    </image>
<item>
    <title>Google: Spammers Regroup After ISP Takedowns </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1320-Google-Spammers-Regroup-After-ISP-Takedowns.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1320-Google-Spammers-Regroup-After-ISP-Takedowns.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1320</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1320</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
Spammers are pumping out an increasing number of garbage messages as they regain their capacity to send spam through hacked PCs, according to the latest statistics released by Google on Wednesday.&lt;br /&gt;
&lt;br /&gt;
Google releases quarterly statistics from its Postini antispam group. For the second quarter, spam volumes are up 53 percent over the first quarter of this year, said Adam Swidler, product marketing manager for Google Enterprise.&lt;br /&gt;
&lt;br /&gt;
Compared to the same period a year prior, spam volumes are up 6 percent. Google posted more information about spam on its enterprise blog.&lt;br /&gt;
&lt;br /&gt;
Google filters around 3 billion to 3.5 billion spam messages a day for its 50,000 or so customers. Spam volumes have been increasingly erratic as some ISPs notorious for allowing spammers to use their infrastructure have been taken offline, Swidler said.&lt;br /&gt;
&lt;br /&gt;
Last month, the U.S. Federal Trade Commission persuaded a federal court to issue a temporary restraining order to shut down Pricewert, an ISP that did business under the names 3FN and APS Telecom. The FTC said Pricewert was entwined with child pornographers, hackers and malicious software developers.&lt;br /&gt;
&lt;br /&gt;
Swidler said Google immediately noticed a 30 percent drop in spam following the shutdown. Pricewert's closure cramped spammers' capacity to send spam through compromised home computers that form botnets.&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1320-guid.html#extended&quot;&gt;Continue reading &quot;Google: Spammers Regroup After ISP Takedowns &quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Thu, 02 Jul 2009 08:32:12 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1320-guid.html</guid>
    </item>
<item>
    <title>FTC suspends heavy penalty against scareware defendants</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1318-FTC-suspends-heavy-penalty-against-scareware-defendants.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1318-FTC-suspends-heavy-penalty-against-scareware-defendants.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1318</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1318</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
The settlement must still be approved by a court&lt;br /&gt;
&lt;br /&gt;
The Federal Trade Commission has suspended the majority of a judgment levied against two defendants accused of selling bogus security software to up to 1 million consumers.&lt;br /&gt;
&lt;br /&gt;
James Reno and his Web hosting company, ByteHosting Internet Service of Ohio, now have to forfeit $116,697, just a fraction of the $1.9 million the judgment had originally required Reno and the company to pay. The settlement must still be approved by a court, the FTC said.&lt;br /&gt;
&lt;br /&gt;
The rest of the penalty was suspended because the defendants wouldn't be able to pay it all, the agency said. However, if it is found that Reno and the company misrepresented their assets, they will have to pay the full amount.&lt;br /&gt;
&lt;br /&gt;
More than $100,000 in assets were frozen after a federal court issued a temporary restraining order in December following the FTC complaint. Among other conditions, the court ordered six people and two companies to stop advertising so-called &quot;scareware&quot; security programs under the names WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus.&lt;br /&gt;
&lt;br /&gt;
The applications are sold via deceptive pop-up ads that falsely alert people that their PCs have security problems, badgering them with warnings until they buy the software, which can cost around $40.&lt;br /&gt;
&lt;br /&gt;
The FTC complaint asked hosting providers to prevent people from accessing the Web sites that host the programs. The FTC asked the court to force the defendants to forfeit money from the scam and compensate consumers.&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1318-guid.html#extended&quot;&gt;Continue reading &quot;FTC suspends heavy penalty against scareware defendants&quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Wed, 01 Jul 2009 09:44:05 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1318-guid.html</guid>
    </item>
<item>
    <title>Jackson's death unleashes barrage of online scams </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1317-Jacksons-death-unleashes-barrage-of-online-scams.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1317-Jacksons-death-unleashes-barrage-of-online-scams.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1317</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1317</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
&lt;br /&gt;
&lt;br /&gt;
Minutes after any big celebrity dies, Internet swindlers get to work. They pump out specially created spam e-mails and throw up malicious Web sites to infect victims' computers, hoping to capitalize on the sudden high demand for information.&lt;br /&gt;
&lt;br /&gt;
Michael Jackson's death was no different, and security experts say the fraud artists are just getting started.&lt;br /&gt;
&lt;br /&gt;
The scams started cropping up almost instantaneously as Jackson's death was still hitting the news. As days have gone by, they've gotten more sophisticated -- and dangerous.&lt;br /&gt;
&lt;br /&gt;
Jackson's death &quot;took a lot of people by surprise -- the spammers, too,&quot; said Dermot Harnett, principal analyst for anti-spam engineering at Symantec Corp., a security software maker. &quot;It might take them some time to really pounce on this issue. They are catching up pretty quickly, though.&quot;&lt;br /&gt;
&lt;br /&gt;
Any major world event, such as the recent protests in Iran, triggers a barrage of Internet attacks. Security experts say the malicious traffic associated with Jackson's death will likely match and perhaps exceed those of other big spamming campaigns, such as those connected with the swine flu outbreak and Saddam Hussein's execution.&lt;br /&gt;
&lt;br /&gt;
Spam is the most common way for fraudsters to find victims after these types of events. They can use a shotgun approach with a boilerplate message about Jackson, taking advantage of people's interests in the topic to improve their batting average over their usual spam campaigns.&lt;br /&gt;
&lt;br /&gt;
By enticing users with such messages and tricking them into clicking on e-mail attachments, scammers can easily infect victims' computers and take command of them for more nefarious activities.&lt;br /&gt;
&lt;br /&gt;
The spam about Jackson's death gets more convincing every day.&lt;br /&gt;
&lt;br /&gt;
One message promises a YouTube video showing the exclusive &quot;last work of Michael Jackson.&quot; Instead, victims get a malicious program that steals their passwords. Another promises to show the &quot;latest unpublished photos&quot; of Jackson if you click on a link -- one that also tries to install a password-stealing program on your machine.&lt;br /&gt;
&lt;br /&gt;
Others purport to be from legitimate news outlets and may contain accurate enough information to convince viewers they're real enough to click on. Others promise access to secret songs.&lt;br /&gt;
&lt;br /&gt;
The effects of specific spam campaigns, like the one surrounding Jackson's death, are hard to quantify, though. Spam levels are already so high that there might not be a noticeable increase in overall spam levels, Harnett said. By some estimates spam accounts for more than 90 percent of all e-mail sent around the world, though the bulk of the messages get filtered out before ever reaching the user.&lt;br /&gt;
&lt;br /&gt;
Celebrity deaths are a gold mine for criminals because lots of people go online looking for news. Google Inc. says the spike in searches for news stories about Jackson's death was so sharp the company initially mistook it for an automated attack.&lt;br /&gt;
&lt;br /&gt;
Many of the information-seekers can be tricked, via e-mail, into visiting malicious Web sites. That opens the door to all kinds of nastiness, like spying on what someone's typing or using the hijacked machine to send spam.&lt;br /&gt;
&lt;br /&gt;
There are also so many more Web sites about celebrities after their deaths that it's hard to figure out which ones are legitimate fan sites, and which ones were created by criminals.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1317-guid.html#extended&quot;&gt;Continue reading &quot;Jackson's death unleashes barrage of online scams &quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Tue, 30 Jun 2009 09:10:07 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1317-guid.html</guid>
    </item>
<item>
    <title>Fake Online Harry Potter Movies Launch Malware Attack </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1315-Fake-Online-Harry-Potter-Movies-Launch-Malware-Attack.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1315-Fake-Online-Harry-Potter-Movies-Launch-Malware-Attack.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1315</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1315</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
If you happen to see a too-good-to-be-true offer to watch the latest Harry Potter movie online for free, watch out.&lt;br /&gt;
&lt;br /&gt;
According to anti-malware software maker PC Tools, opportunistic crooks are using poisoned blog comments and dirty search engine optimization tricks to highlight lures such as 'Watch &quot;Harry Potter and the Half-Blood Prince&quot; online free.' Clicking a link would take you to a post that would then attempt to fool victims into downloading and installing a &quot;streamviewer&quot; to see the movie, which is of course actually malware. Online crooks have used fake video codecs and viewers for years as a favorite social engineering tactic.&lt;br /&gt;
&lt;br /&gt;
While you're at it, keep an eye out for malware-spreading e-mail that attempts to foist the &quot;Zbot&quot; Trojan onto victim PCs. The bad guys are using a variety of e-mails, including some that warn of a supposed critical update for Microsoft Outlook, or declare that you've received an eCard. TRACElabs has a number of screen shots of the fake e-mails in their post. Some e-mails link to a malicious download, while others link to it directly.&lt;br /&gt;
&lt;br /&gt;
There are tell-tales in the e-mails for an astute surfer, but they're hidden behind a layer or two of obfuscation. For example, the displayed link to the fake Outlook update shows as http://update.microsoft.com/...., and checking the actual URL by moving your mouse over the link might initially look legit as well, until you notice that the real URL is http://update.microsoft.com.[fakedomain].com...&lt;br /&gt;
&lt;br /&gt;
Such links are another favorite bad-guy tactic. To guard against all this evil social engineering, your best bet by far is to always send downloads and attachments to Virustotal.com (the site the pros use) for a free multi-engine malware scan before running them on your PC.&lt;br /&gt;
&lt;i&gt;&lt;br /&gt;
Our Comment: It seems we have to be wary of everything now and check all of it out.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://tech.yahoo.com/news/pcworld/20090626/tc_pcworld/fakeonlineharrypottermovieslaunchmalwareattack&quot;&gt;Original Article&lt;/a&gt;    </content:encoded>
    <pubDate>Mon, 29 Jun 2009 09:54:43 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1315-guid.html</guid>
    </item>
<item>
    <title>Yet Another Malware Attack Spreads via Twitter </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1312-Yet-Another-Malware-Attack-Spreads-via-Twitter.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1312-Yet-Another-Malware-Attack-Spreads-via-Twitter.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1312</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1312</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
Guy Kawasaki -- a Silicon Valley venture capitalist who was partially responsible for marketing the Macintosh in 1984 -- has almost 140,000 Twitter followers. Many of those followers likely thought it was strange that Kawasaki was suddenly into shilling porn, when a link purporting to host a pornographic video of &quot;Gossip Girl&quot; star Leighton Meester appeared on June 23. Anyone who downloaded the video discovered a virus that ravaged both PCs and Macs.&lt;br /&gt;
&lt;br /&gt;
Antivirus organization Sophos posted a YouTube video explaining how the attack worked. As the Sophos video shows, the attack affected Macs. It can be taken for granted that the malware also infected PCs, because, well, everything infects PCs.&lt;br /&gt;
&lt;br /&gt;
The malicious link has been disabled and no longer prompts visitors to download viruses.&lt;br /&gt;
&lt;br /&gt;
Kawasaki claimed no responsibility for spreading the malware. He told his followers that his account was not hacked, but rather a page or its feed that he linked to was hacked. Kawasaki's Twitter account is hooked up to NowPublic, a user-contributed news site, and this tasty tidbit was filtered through into his account. Kawasaki also claims to have no idea who Leighton Meester is.&lt;br /&gt;
&lt;br /&gt;
Twitter is no stranger to malware. Earlier this month, Twitter spam spread a worm that crippled Windows-based machines. There were also the Twitter worm attacks of April and May.&lt;br /&gt;
&lt;br /&gt;
Twitter itself does not, and will not, filter links. It's the responsibility of the user and the reader to make judgment calls about whether they'd like to read about the Iran elections or expend pent-up energy on porn. The difficulty comes in the form of condensed URLs -- many users have no idea what they're clicking on, and by the time the mistake has been uncovered, it may be too late. It's particularly troubling when infected links appear on ultra-popular user sites that many people have grown to trust.&lt;br /&gt;
&lt;br /&gt;
The Kawasaki Incident shouldn't tarnish your trust of all Twitter users, especially the megalithic ones. But if Oprah sends you off to scope out a raunchy video of Twilight's Edward Cullen, exercise a little self-restraint.&lt;br /&gt;
&lt;br /&gt;
Our Comment: Be careful what you click on.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://tech.yahoo.com/news/pcworld/20090625/tc_pcworld/yetanothermalwareattackspreadsviatwitter&quot;&gt;Original Article&lt;/a&gt;    </content:encoded>
    <pubDate>Sun, 28 Jun 2009 02:36:00 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1312-guid.html</guid>
    </item>
<item>
    <title>Don't Get Tricked by Fake Microsoft Update E-Mails</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1310-Dont-Get-Tricked-by-Fake-Microsoft-Update-E-Mails.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1310-Dont-Get-Tricked-by-Fake-Microsoft-Update-E-Mails.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1310</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1310</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
I've received several phishing e-mails that look surprisingly authentic and professional.&lt;br /&gt;
&lt;br /&gt;
I do not know about you, but for the past couple of days my inbox has received several e-mails claiming to be from Microsoft while touting links to updates for Microsoft Outlook and Outlook Express. :&gt;) Naturally, I clicked on those links right away and installed me some updates (not).&lt;br /&gt;
&lt;br /&gt;
However, in all honesty, I was surprised at the level of effort that the sender went through in making this phishing e-mail look more &quot;authentic&quot;. For example:&lt;br /&gt;
&lt;br /&gt;
• First, the message itself is formatted to look like a Tech Bulletin from Microsoft.&lt;br /&gt;
&lt;br /&gt;
• There are links within the e-mail that link off to valid addresses on the Microsoft site.&lt;br /&gt;
&lt;br /&gt;
• Lastly, the sender took care in crafting the update (phishing) URL such that it almost appears to be going to update.microsoft.com and has a valid query path for the update.&lt;br /&gt;
&lt;br /&gt;
In other words, at first glance, the e-mail looks valid. And, thanks to the sender's efforts within the social engineering arena, I'm sure that the number of people falling for this e-mail is much higher than the normally lame phishing e-mails that are sent out. Thus, unless the e-mail was blocked by some kind of inbound gatekeeper, it's up to the receiver to determine how to handle this e-mail: delete it or fall into the trap.&lt;br /&gt;
&lt;br /&gt;
In other words, for organizations and even consumers, the best defense in this case is awareness, training, knowledge, etc. and not some fancy security software. Ah... if only all solutions were so simple.&lt;br /&gt;
&lt;br /&gt;
Our Comment: Make sure that when you do updates, you go to the site rather than clicking on a link from an email.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;http://www.pcworld.com/article/167372/dont_get_tricked_by_fake_microsoft_update_emails.html&quot;&gt;Original Article&lt;/a&gt;    </content:encoded>
    <pubDate>Sat, 27 Jun 2009 11:13:00 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1310-guid.html</guid>
    </item>
<item>
    <title>E-Mail Crooks Target Webmail Accounts</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1306-E-Mail-Crooks-Target-Webmail-Accounts.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1306-E-Mail-Crooks-Target-Webmail-Accounts.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1306</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1306</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
A wicked e-mail scheme uses your Webmail address--and your contact list--for scams.&lt;br /&gt;
&lt;br /&gt;
Imagine having to explain an e-mail message that asks your friends for money--a message sent from your Webmail account. (Webmail refers to any e-mail service you use via a Web browser rather than through an e-mail client.) That's exactly what's happening: Scammers are breaking into such accounts and, from those addresses, sending e-mail messages to the victims' entire contact list. The messages often tout a Web site (such as an e-commerce site), or even ask for money directly.&lt;br /&gt;
&lt;br /&gt;
It's a new, dastardly twist on an old scam. Crooks have long used harvested addresses in the 'From:' field on junk e-mail to make messages look realistic. But because antispam measures have been getting better at blocking such spoofed spam, the bad guys are now breaking in and sending e-mail from actual accounts.&lt;br /&gt;
&lt;br /&gt;
Maureen Arnold, a former CPA in Apache Junction, Arizona, was hit by such an attack. When she checked her MSN mail one day, she found several warnings about undeliverable messages sent from her account that she hadn't written, along with messages in her Sent box. The scam e-mail--touting a site selling electronic products--went out to her family and friends. Similar attacks have asked recipients to wire money to a particular account; some have even deleted an account's contact list afterward.&lt;br /&gt;
&lt;br /&gt;
The attacks underscore an oft-ignored fact: Webmail accounts are a major target because they have value. A recent report by the Anti-Phishing Working Group says the most common types of log-ins stolen by keylogger malware are for financial Web sites, e-commerce sites, and Webmail. In addition to hijacking an e-mail account to send out messages, crooks can often glean information that helps them break into a victim's financial accounts.&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1306-guid.html#extended&quot;&gt;Continue reading &quot;E-Mail Crooks Target Webmail Accounts&quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Wed, 24 Jun 2009 10:09:13 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1306-guid.html</guid>
    </item>
<item>
    <title>Bozeman to job seekers: We won't seek passwords</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1304-Bozeman-to-job-seekers-We-wont-seek-passwords.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1304-Bozeman-to-job-seekers-We-wont-seek-passwords.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1304</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1304</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
The city of Bozeman, Mont., has rescinded its long-standing policy that job applicants provide user names and passwords to social-networking sites such as Facebook and MySpace.&lt;br /&gt;
&lt;br /&gt;
According to a press release (PDF) issued Friday:&lt;br /&gt;
&lt;br /&gt;
    The extent of our request for a candidate's password, user name, or other internet information appears to have exceeded that which is acceptable to our community. We appreciate the concern many citizens have expressed regarding this practice and apologize for the negative impact this issue is having on the City of Bozeman.&lt;br /&gt;
&lt;br /&gt;
The city stopped the practice as of midday Friday, until it &quot;conducts a more comprehensive evaluation of the practice,&quot; the release said. Bozeman, which is about 100 miles north of Yellowstone National Park, found itself in the international spotlight this week when the local media reported that the city government's background check included evaluating job candidates' suitability based on their social-networking site postings. The city had been doing so for a few years.&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1304-guid.html#extended&quot;&gt;Continue reading &quot;Bozeman to job seekers: We won't seek passwords&quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Tue, 23 Jun 2009 09:11:04 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1304-guid.html</guid>
    </item>
<item>
    <title>Could Opera Unite Be a Botmaster's Best Friend?</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1303-Could-Opera-Unite-Be-a-Botmasters-Best-Friend.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1303-Could-Opera-Unite-Be-a-Botmasters-Best-Friend.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1303</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1303</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
Opera has added a lot of cool new features to its upcoming Opera 10 browser, and one of them is almost sure to catch the eye of cyber criminals.&lt;br /&gt;
&lt;br /&gt;
It's called Opera Unite, and while Opera promotes it as an exciting new platform for next-generation Web development, some security experts say it could become the botmaster's best friend.&lt;br /&gt;
&lt;br /&gt;
Opera Unite lets anyone run a Web server from their desktop. The browser connects to an Opera proxy server, which then allows the browser to serve content to the rest of the Internet. This simplifies things for home users who want to host their own Web pages; with Opera's architecture, they don't have to configure firewalls or worry about their Internet service providers blocking Web server traffic.&lt;br /&gt;
&lt;br /&gt;
But it also makes a precious resource more readily available to the bad guys.&lt;br /&gt;
&lt;br /&gt;
In recent years, hacked Web sites have become the fastest-growing way for criminals to spread their malicious software. They have developed automated Web-hacking code, such as the recently reported Gumblar program, that can quickly hack into tens of thousands of Web pages in just a short period of time.&lt;br /&gt;
&lt;br /&gt;
With Opera Unite, they may suddenly have a whole new crop of computers to attack.&lt;br /&gt;
&lt;br /&gt;
Unite was just introduced as part of the Opera 10 beta this month, but it's only a matter of time until the criminals start playing with it, according to Don Jackson, a researcher with SecureWorks. &quot;Bad guys always need Web servers,&quot; he said. &quot;Anything that runs a Web server is prone to attack.&quot;&lt;br /&gt;
&lt;br /&gt;
But because Opera Unite runs on the desktop, it may be easier to hack than most Web servers. &quot;In this case it's a little worse, because instead of a machine that's managed in a data center, you may have someone on a machine in a hotel network that has no firewall on it,&quot; Jackson said.&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1303-guid.html#extended&quot;&gt;Continue reading &quot;Could Opera Unite Be a Botmaster's Best Friend?&quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Mon, 22 Jun 2009 11:22:45 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1303-guid.html</guid>
    </item>
<item>
    <title>Spammers Cashing in on Twitter, Iran, New IPhone </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1301-Spammers-Cashing-in-on-Twitter,-Iran,-New-IPhone.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1301-Spammers-Cashing-in-on-Twitter,-Iran,-New-IPhone.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1301</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1301</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
Spammers are never far from a hot story, it seems, and in the past day they've been flooding Twitter with phoney messages about Iran and the latest iPhone 3.0 operating system.&lt;br /&gt;
&lt;br /&gt;
In one campaign, the spammers apparently took their lead from a Mobile Crunch article about 20 things to check out in iPhone 3.0. They've set up fake Twitter accounts and posted Twitter messages that link to a Web site promoting male enhancement products. The Twitter messages say things like &quot;iPhone OS 3.0 Just Launched. Here are 20 Things To Do With It,&quot; and are also being posted by some legitimate (and presumably hacked) Twitter accounts.&lt;br /&gt;
&lt;br /&gt;
&quot;The spammers lifted the Crunch title and rode its coattails,&quot; said FaceTime researcher Chris Boyd, who blogged about the issue on Thursday.&lt;br /&gt;
&lt;br /&gt;
The plan, apparently, is to have the messages pop up when people search for info on Apple's iPhone, one of Twitter's top Trending topics on Thursday. Apple released the iPhone 3.0 OS on Wednesday.&lt;br /&gt;
&lt;br /&gt;
Spammers are also trying to cash in on the intense interest in the disputed Iranian election, posting messages such as &quot;Mousavi trend? omg stephen colbert hit a woman.earned $2,612 thanks to this to this.&quot; Mir Hossein Mousavi is the reformist politician whose defeat in last week's Iranian presidential contest has sparked mass protests.&lt;br /&gt;
&lt;br /&gt;
Often they'll simply put a popular hashtag (the # sign followed by a keyword) or keyword in a message that has nothing to do with the topic in order to gain eyeballs, said Rik Ferguson, a researcher with Trend Micro.&lt;br /&gt;
&lt;br /&gt;
As use of social media sites like Twitter and Facebook has mushroomed, so has their abuse. On Thursday, Internet entrepreneur Mark Cuban said he would no longer allow employees to use Facebook, because viruses &quot;are becoming so rampant&quot; on the site.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1301-guid.html#extended&quot;&gt;Continue reading &quot;Spammers Cashing in on Twitter, Iran, New IPhone &quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Fri, 19 Jun 2009 10:47:13 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1301-guid.html</guid>
    </item>
<item>
    <title>Hacker Hijacks Millions of Cligs URLs </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1298-Hacker-Hijacks-Millions-of-Cligs-URLs.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1298-Hacker-Hijacks-Millions-of-Cligs-URLs.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1298</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1298</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
The Cli.gs URL-shortening service yesterday reported that an attacker managed to break in via a software security hole and take over 2.2 million URL links.&lt;br /&gt;
&lt;br /&gt;
The Cli.gs service works like TinyURL to convert a long URL into a short link that is easier to use in e-mails, IMs and other messages. And lucky for Cli.gs users, this attack doesn't appear to have been intended to infect hapless surfers. According to security company Sophos, the hacked links took visitors to an Orange County Register blog posting on Twitter hashtags. Antivirus maker Kaspersky confirmed that &quot;No malicious code has been found on that particular page,&quot; and suggests the hacker meant to show the site was vulnerable to attack but not harm PCs.&lt;br /&gt;
&lt;br /&gt;
According to the Cli.gs post, cligs editing is currently disabled to prevent further hijacks using the same security hole, and the site is in the process of restoring links from a backup. However, the latest backup is from May, so links created since then may have been lost, per the post.&lt;br /&gt;
&lt;br /&gt;
Cli.gs, TinyURL and URL-shortening services in general are pulling in plenty of hacker attention. While this particular break-in doesn't appear to be malicious, crooks have used such services to obfuscate phishing links and other attacks.&lt;br /&gt;
&lt;br /&gt;
To foil these dirty tricks, Firefox users can use the straightforward LongURL add-on, which will display the full URL for links from any shortening service in a pop-up. Also, the TinyURL service allows setting a preview option (with a cookie) to see the URL before visiting it.&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1298-guid.html#extended&quot;&gt;Continue reading &quot;Hacker Hijacks Millions of Cligs URLs &quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Wed, 17 Jun 2009 10:08:28 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1298-guid.html</guid>
    </item>
<item>
    <title>Sneaky New Web Ads Contain Hidden Viruses</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1296-Sneaky-New-Web-Ads-Contain-Hidden-Viruses.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1296-Sneaky-New-Web-Ads-Contain-Hidden-Viruses.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1296</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1296</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
 On a Saturday night at the end of May, visitors to the forums section of Digital Spy, a British entertainment and media news Web site, were greeted with an ad that loaded malicious software onto their computers. The Web site's advertising system had been hacked.&lt;br /&gt;
&lt;br /&gt;
A number of such attacks have occurred this year, as perpetrators exploit the complex structure of business relationships in the online advertising world, with its numerous middlemen and resellers.&lt;br /&gt;
&lt;br /&gt;
Web security experts say they have seen an uptick in the number of ads harboring malware as the economy has soured and publishers, needing to boost their ad revenues, outsource more of their ad-space sales.&lt;br /&gt;
&lt;br /&gt;
Viruses can be incorporated directly within an ad, so that simply clicking on the ad or visiting the site can infect a computer, or ads can be used to direct users to a nefarious Web site that aims to steal passwords or identities.&lt;br /&gt;
&lt;br /&gt;
In most cases, the problem becomes apparent within a matter of hours and quick fixes are put in place, but that's not fast enough for Internet surfers whose computers end up infected or compromised.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1296-guid.html#extended&quot;&gt;Continue reading &quot;Sneaky New Web Ads Contain Hidden Viruses&quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Tue, 16 Jun 2009 11:18:55 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1296-guid.html</guid>
    </item>
<item>
    <title>Obama Taps Well-Known Hacker as Security Adviser</title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1294-Obama-Taps-Well-Known-Hacker-as-Security-Adviser.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1294-Obama-Taps-Well-Known-Hacker-as-Security-Adviser.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1294</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1294</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
 The Obama administration is embracing the dark side to help it fight cyberattacks.&lt;br /&gt;
&lt;br /&gt;
On Friday, a well-known hacker was one of 16 people named to the Department of Homeland Security's Advisory Council (HSAC).&lt;br /&gt;
&lt;br /&gt;
Jeff Moss, aka &quot;Dark Tangent,&quot; started out as a high-school &quot;phone phreak&quot; making free long-distance calls and later founded the DefCon and Black Hat hackers' conferences.&lt;br /&gt;
&lt;br /&gt;
He's since worked in information security for accounting giant Ernst &amp;amp; Young, and now is a consultant testing corporations' cybersecurity.&lt;br /&gt;
&lt;br /&gt;
But he told Wired News and Cnet News he was genuinely surprised to be asked to join a government law-enforcement body.&lt;br /&gt;
&lt;br /&gt;
&quot;I always figured that because of my associations in the past that I would be kind of out of the running for anything like this,&quot; he told Wired News.&lt;br /&gt;
&lt;br /&gt;
Moss, 39, went legit years ago after growing disillusioned with the hacker underground.&lt;br /&gt;
&lt;br /&gt;
&quot;You can only stand by and watch so many people you know get busted,&quot; he told Wired News in a 2001 interview. &quot;Sooner or later you catch on that ... there's a limited life span to doing this kind of stuff. So before I got out of high school that was pretty much it.&quot;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1294-guid.html#extended&quot;&gt;Continue reading &quot;Obama Taps Well-Known Hacker as Security Adviser&quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Sun, 14 Jun 2009 03:50:00 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1294-guid.html</guid>
    </item>
<item>
    <title>ISPs Report Success in Fighting Malware-infected PCs </title>
    <link>http://www.betterantivirus.com/nod32-and-virus-news/archives/1293-ISPs-Report-Success-in-Fighting-Malware-infected-PCs.html</link>
<category>Virus &amp; AntiVirus News</category>    <comments>http://www.betterantivirus.com/nod32-and-virus-news/archives/1293-ISPs-Report-Success-in-Fighting-Malware-infected-PCs.html#comments</comments>
    <wfw:comment>http://www.betterantivirus.com/nod32-and-virus-news/wfwcomment.php?cid=1293</wfw:comment>
    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://www.betterantivirus.com/nod32-and-virus-news/rss.php?version=2.0&amp;type=comments&amp;cid=1293</wfw:commentRss>
    <author>nancy@compsecglobal.com (Nancy Pursley)</author>
    <content:encoded>
&lt;br /&gt;
&lt;br /&gt;
Computers infected with malicious software remain a big headache for ISPs, but two companies have designed systems that have made the problem much more manageable.&lt;br /&gt;
&lt;br /&gt;
When a PC gets infected with malicious software, it's often used for sending spam. This makes the ISP look bad and sucks up bandwidth, making networks more congested.&lt;br /&gt;
&lt;br /&gt;
True Internet, one of Thailand's largest ISPs, had been hit by an ever-increasing number of malware-infected computers on its network. The spam and malware traffic was so severe that its customers -- most of whom are still on dial-up connections -- were complaining of slow speeds, said Tanapon Chadavasu, head of True Internet's network operations.&lt;br /&gt;
&lt;br /&gt;
The problem was also costing the company money, since bandwidth is expensive in the area, and more hardware was needed to keep the network running, Chadavasu said during a presentation Wednesday at the Messaging Anti-Abuse Working Group Meeting in Amsterdam.&lt;br /&gt;
&lt;br /&gt;
True Internet installed equipment from a New Zealand company called Esphion that identifies anomalous behavior on the network. The passive devices identify attack patterns, such as denial-of-service attacks or zero-day worms.&lt;br /&gt;
&lt;br /&gt;
If Esphion's sensors detect something, such as a high amount of spam, an alert is sent to a controller, which can then automatically quarantine the subscriber, Chadavasu said.&lt;br /&gt;
&lt;br /&gt;
If a subscriber then goes online, they are redirected to a page that notifies them that their computer may be infected. True Internet has a partnership with security vendor Trend Micro to scan subscribers' PCs.&lt;br /&gt;
&lt;br /&gt;
&quot;Once they have cleaned the computer ... we will allow them to get back on the 'Net,&quot; Chadavasu said.&lt;br /&gt;
&lt;br /&gt;
True Internet used to only quarantine a customer after two bad incidents were detected, but changed its policy last August to quarantine after one incident, Chadavasu said. Spam on its network dropped dramatically, and customers' Internet security improved.&lt;br /&gt;
&lt;br /&gt;
Close to 70 percent of the PCs that have been quarantined once or twice are never quarantined again, Chadavasu said, which points to better security awareness among consumers.&lt;br /&gt;
&lt;br /&gt;
&quot;We think it's very effective,&quot; Chadavasu said.&lt;br /&gt;
&lt;br /&gt;
NetCologne, an ISP and cable and phone provider in Germany, has taken a similar approach to automating how it deals with subscribers infected with malware.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;a href=&quot;http://www.betterantivirus.com/nod32-and-virus-news/archives/1293-guid.html#extended&quot;&gt;Continue reading &quot;ISPs Report Success in Fighting Malware-infected PCs &quot;&lt;/a&gt;    </content:encoded>
    <pubDate>Sat, 13 Jun 2009 01:39:00 -0600</pubDate>
    <guid isPermaLink="false">http://www.betterantivirus.com/nod32-and-virus-news/archives/1293-guid.html</guid>
    </item>
</channel>
</rss>
