Webroot Retired ThreatBlog Member - Andrew Brandt

Andrew Brandt

Role: Retired ThreatBlog Member
Threat Blog Posts: 149



Posts by Andrew Brandt:

Do you Think Security First?

by

In an era when virtually all businesses use the Internet, in one form or another, to get work done, it’s worth asking the question posed in the title of this blog entry. Think Security First is an organization dedicated to helping spread security gospel to businesses — via chambers of commerce. Their goal: to create a Neighborhood Watch for the Internet, organized around these local business groups. On Monday, I and several other speakers had the opportunity to address representatives of chambers of commerce at a panel discussion organized by Neil O’Farrell, the group’s founder and chief evangelist. Webroot is […]

Continue Reading »

Phishing Trojan Targets Russian Finance Websites

by

For a long time, we’ve heard about phishing attacks originating in Russia or eastern Europe that target western banks. There’s nothing surprising there. Latter-day Willie Suttons typically target big US or European banks because, well, that’s where the money is. That’s why I was kind of surprised to stumble across a phishing Trojan that targets some of Russia’s largest online financial Web sites, including RBK Money (formerly known as RUPay), Yandex, Moneymail, and OSMP — one of Russia’s Paypal-alternatives. Aside from e-gold, I hadn’t seen this many Russia-specific websites listed as targets within a phishing trojan before. Is Russia suddenly “where […]

Continue Reading »

Inane Shenanigans with Worm-Shiv

by

It’s been a long time since I’ve worked on a malware file as singularly obnoxious as Worm-Shiv, a new worm we defined a few weeks ago. There isn’t anything especially technically avant-garde or advanced about the worm, nor was it especially difficult to detect or remove. It just exhibits behavior that, to be blunt, is about as annoying as it possibly can be. The infection process starts with a small self-extracting RAR archive executable. When run, it drops and executes another .exe file, which in turn drops and executes yet another .exe file. Sounds pretty unobtrusive so far, right? Well, […]

Continue Reading »

Someone Confick-rolled the Internet

by

Well, the big Conficker.c launch day is upon us and…nothing. So far, anyway. Someone should start selling “I blogged about Conficker and all I got was this lousy T-shirt” shirts. Cafepress, are you listening? We’ve been keeping to the back of the room about Conficker, not joining the rising hysteria chorus. It’s not that we don’t care, but I’ll tell you why we’re not making a lot of noise: Webroot’s malware removal solution effectively deals with Conficker on PCs. That’s it. As long as you’ve got the File System Shield and the Execution Shield enabled in your application (click the Shields button […]

Continue Reading »

From Pixels to Phishers

by

Over the past year, we’ve seen a huge jump in the number of mass downloader spyware. These small executable files have just one job, and they do it very well: They pull down huge numbers of additional installers, which in turn place a large number of password stealing Trojans, ad-clickers, and still more downloaders on the unfortunate victim’s PC. The trend appears to be that most of the servers from which these phishing Trojans originate are registered within China’s .cn top-level domain, and the phishers themselves target (mostly) the login details for online multiplayer videogames played, primarily, in China, and […]

Continue Reading »

Adware Purveyors Panning for Search Gold

by

We know most adware companies are shameless in their pursuit of revenue, but it’s been a while since we’ve seen anything as bizarre (or hilariously bold) as the sales pitch from a relative neophyte to the world of adware, which calls itself SnappyAds. On its homepage, SnappyAds posits the hypothetical glee of two business-suited online ad men counting the thousands of dollars they’ve allegedly earned from their allegedly lucrative venture. Behind the SnappyAds facade, however, is an adware client we (and a few other AV companies) call SearchPan. The installer for the adware client application is hosted on SnappyAds’ webserver, […]

Continue Reading »

New Malware Ruins Firefox

by

Late last year, we read all the buzz about ChromeInject, a malicious DLL that was being billed as the first malware specifically targeting Firefox. It was interesting to see that someone built a phishing Trojan for a different browser platform, but ChromeInject was also clearly an early phase in Firefox malware development: It was fairly obvious, and it was easy to eliminate, because it generated an entry in the Plugins menu called “Basic Example Plugin for Mozilla” which you could simply disable with a single mouse click. Well now it looks like the bar’s been raised. In the past few […]

Continue Reading »

Introducing the Threat Blog

by

Welcome, readers. I’m a member of the Threat Research team at Webroot, and I’ve been asked to contribute to Webroot’s new Threat Blog. I’d like to take a moment to introduce myself, tell you a little about what we do, and explain how we plan to use the blog to keep you informed. Webroot’s threat experts are responsible for defining new malware, and variants of existing malware, that are being introduced every day. We spend the bulk of our time, to summarize in a massively oversimplified manner, breaking PCs by infecting them with Trojan Horse applications, virii, worms, rootkits, password […]

Continue Reading »

Stepping up to the Loserbar

by

Last year, we at Webroot (as well as many other people) saw a huge spike in two specific types of malware: Rogue antispyware products — the ineffective, deceptive kind — and the various tricks the companies that sell rogues use to trick you into downloading (and eventually buying) their bogus products, something we refer to, generally, as Fakealerts. Here’s usually how the trick works: First, you’re fooled into browsing to a Web site which employs any of a number of tricks to install the Fakealert code onto your PC. The Fakealert then begins popping up messages warning you about some […]

Continue Reading »