Brazilian “Winehouse” Trojan Sends Hotmail, Bank Passwords to China

by

Late Monday, after news about the death of troubled pop singer Amy Winehouse had been circling the globe for a little more than 48 hours, we saw the first malware appear that used the singer’s name as a social engineering trick to entice victims to run the malicious file. Abusing celebrity names, news, or even deaths isn’t a new (or even particularly interesting) social engineering tactic, but there was one unique aspect to this particular malware’s behavior that raised some eyebrows around here: It appears that Brazilian phisher-Trojan writers seem to be working more closely with their Chinese counterparts, using […]

Continue Reading »

Criminals Abuse Amazon Hosting with Rogues, Ransomware

by

The criminals who push rogues at the world don’t really care about the reputations of the ISPs or Web hosting services they abuse. They leap from free service to free service until they’ve thoroughly worn out their welcome and, in some cases, destroyed the reputation of the service they abused. But they have behaved in one predictable way over the years: They’re stingy, and won’t pay for anything unless it’s absolutely necessary, despite the fact that they’re raking in cash by the boatload. But that seemed to change this week when we saw a number of Web sites pop up […]

Continue Reading »

ZeroAccess Gets Another Update

by

By Marco Giuliani Among the most infamous kernel mode rootkits in the wild, most of them have had a slowdown in their development cycle – TDL rootkit, MBR rootkit, Rustock are just some examples. The same doesn’t apply for the ZeroAccess rootkit. The team behind it is working quite hard, which we know for a fact because I’ve seen it. We already talked about this rootkit and its evolutions in several blog posts, along with a white paper that documents more in depth all the technical features of the malware. The last major update released by the team behind ZeroAccess […]

Continue Reading »

Free Anti-Popureb Tool Released

by

Last week, threat researcher and malware reverse-engineer Marco Giuliani wrote up a fairly technical description of a bootkit — a rootkit that infects the master boot record of the hard drive, making it very difficult to remove — called Popureb. Marco’s report made it clear that the bootkit does not require Windows users to format the hard drive and reinstall Windows from scratch, as Microsoft had initially claimed was required for victims of this drive-by infection. Andrea Allevi, one of our developers who works under Marco’s direction, subsequently wrote a tool that can remove the bootkit from an infected computer, […]

Continue Reading »

ZeroAccess Rootkit Guards Itself with a Tripwire

by

By Marco Giuliani The latest generation of a rapidly evolving family of kernel-mode rootkits called, variously, ZeroAccess or Max++, seems to get more powerful and effective with each new variant. The rootkit infects a random system driver, overwriting its code with its own, infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. But its own self-protection mechanism is its most interesting characteristic: It lays a virtual tripwire. I’ve written about this rootkit in a few recent blog posts and in a white paper. On an infected computer, this new driver sets up […]

Continue Reading »

With IM Buddies Like These, Who Needs Frienemies?

by

The other morning, I walked into the office to find a slew of instant messaging buddy requests from total strangers. This isn’t unexpected: I frequently get buddy requests on IM accounts I maintain for research purposes that contain malicious URLs and other useful research data. But this was one request I wasn’t expecting. The inquiry, written in both English and Russian, was simply an advertisement for “Organization of DDOS attacks” from an ICQ account that has not been used since the friend request came in. The somewhat perplexing offer claims the service offers “support online 24/7/365″ (finally, a DDOS service […]

Continue Reading »

Removing Popureb Doesn’t Require a Windows Reinstall

by

By Marco Giuliani Last Wednesday, Microsoft published a blog post detailing a significant update to a piece of malware named Popureb. The malware adds code to the Master Boot Record, or MBR, a region of the hard disk that’s read by the PC during bootup, long before the operating system has had a chance to get started. Researchers sometimes refer to these kinds of malware as bootkits, or a rootkit which loads at such a low level during the boot process that it is invisible to the operating system, and therefore very difficult to remove. Microsoft researcher Chun Feng detailed […]

Continue Reading »

Five Summer Travel Security Tips

by

Ah, summer. Beaches, drinks with little umbrellas, 4th of July fireworks, baseball games, reading long cheesy novels in a lounge chair, teleconferencing with colleagues from your hotel room in Aruba. Wait, what? Yes, it’s true. It takes serious discipline to travel without schlepping along a laptop, smartphone, digital camera, MP3 player, portable hard drive, SD cards, and a host of support equipment. Well, it does for me, anyway. Along with those devices come pitfalls, from loss to data theft. So, in the spirit of safe summer travel, in advance of the big 4th of July travel weekend, what follows are […]

Continue Reading »

Phishers Cast Their Nets in the Social Media Pool

by

By Ian Moyse, EMEA Channel Director It can seem at times that the only people who like change are Internet attackers. And they don’t just like it—they need it. Technology’s rapid changes give cybercriminals new attack vectors to exploit, and new ways to turn a profit out of someone else’s misfortune. Take phishing, for example. The concept is simple: Send an email disguised as a message from a bank, PayPal, or UPS. Wait for the user to click a link in the message, and enter their private details into a phishing site, and presto! The attacker attains financial or personal […]

Continue Reading »