Posts Categorized: Rogue Security Products


Fake Flash Update Needs Flash to Work

If you live in the US, you may have played sports, barbecued, or enjoyed the last long weekend of the summer doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course. I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to using a […]

Pro-Israel Website Receives Passwords Stolen by Koobface

Is the team behind the Koobface worm taking a stance on the Israeli-Palestinian peace talks, or is this notorious worm’s most recent, bizarre twist just a coincidence? We’ve seen Koobface hijack legitimate Web sites for more than a year, using them not only to host malicious payload files, but also to work as proxy command-and-control servers for the botnet. One such hijacked Web domain, migdal.org.il, popped up in a number of blog posts and on Web sites which list the domains used to host malware, as far back as this past May, when the Koobface crew began using a slew […]

Subscription Renewal Spam Points to Drive-by

Dear Customers: Please be aware that a crew of Russian malware distributors is circulating a spam message which looks like a subscription renewal confirmation from Best Buy, allegedly for one of our products. The linked text in the message, however, leads to a Web site which performs a drive-by download. Please don’t click the links in the message; if you have any questions about your subscription, please contact support. The spammers appear to have done some homework. Some, but not enough. Best Buy currently sells our products through their online software subscription service. Note to spammers: If you’re going to […]

Blackhat SEO of Google Images Links to Rogue AV

Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products. What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With […]

More World Cup Shenanigans: “Anti-Vuvuzela Filter”

Someone called my attention today to a Web site selling something called an Anti-Vuvuzela Filter that costs €2.95 to download. Only, it’s a complete fraud. For the twelve other people in the world who haven’t been watching the World Cup matches in South Africa, the Vuvuzela is a South African horn that makes an obnoxious buzzing sound when played. The noise is said to be so irritating that fans have been watching the matches on television with the sound muted so they don’t have to hear the incessant wasp-like drone of Vuvuzela-toting fans inside the stadium. If you haven’t experienced […]

Defencelab Rogue Steals Microsoft’s Name (Again)

When you see an online order form that bears Microsoft’s logo and the words “pay to: Microsoft Inc.,” are you any more likely to enter a credit card number into the form and click submit? That’s the psychological experiment currently being undertaken by a company that calls itself DefenceLab, which subjects unsuspecting users to its peculiar blend of fakealert with rogue antivirus. Last year, our friends at Sunbelt wrote two very interesting blog items about DefenceLab. At the time, DefenceLab was accused of lifting content from the products and Web sites of legitimate companies such as Microsoft and AVG, inserting […]

Cloud Defs Limit the Damage of a False Positive

If you’re a customer or an employee of McAfee, chances are, you’re having a rough week. The company published a false positive, or FP, in its antivirus definitions that went out to customers a few days ago. The FP resulted in some computers going into a loop where the antivirus engine misidentified a key component of the Windows operating system as malicious, Windows replaced the quarantined file, and then the McAfee engine removed it again. I really feel bad for both McAfee’s customers and their researchers. The customers certainly didn’t deserve or want their protection to go haywire. […]

Modified Websites Pushing Trojans On the Rise

For the past couple of weeks, owners of Web sites have been hit with a wave of attacks that surreptitiously infect unsuspecting visitors with a wide variety of malware types. The first wave inflicted rogue antivirus on unlucky victims, but late last week victims who visited infectious sites were redirected into a drive-by download site that pushes clickers onto a vulnerable visitor’s computer. The affected Web sites have been modified to add malicious, obfuscated JavaScript code to the footer of each page. Some Web hosts are trying to notify customers or fix the problems. At first, the problem affected sites […]

This PC Will Self-Destruct in Ten Seconds

Phishing Trojans that try to remain below the radar are still prevalent, but a number of files coming through Threat Research point to a disturbing trend: Several new variants of existing malware families are taking a scorched-earth approach to infected computers, rendering the PC unbootable (the batch file at left is just one egregious example) once the malware has retrieved whatever data it’s trying to steal, or deliberately crashing it, repeatedly, if you try to remove it. Since the middle of last year, we’ve seen a sprinkling of malware that also wipes out key files on […]

‘30 Rock’ Phrase ‘Circulus et Pruna’ Draws Fakealerts

Every search result on the first page (and most of the second page) of results for “circulus et pruna” leads to a Fakealert trap.
