by Blog Staff | Jan 15, 2011 | Industry Intel, Threat Lab
It’s been a few months since Google implemented new ways that it displays search results, and in that time, it’s been difficult to find the kinds of hijacked search results we saw in huge numbers a year ago. But if you thought the search engine manipulators were laying down on the job, you’d be wrong.
A new campaign seems to have hijacked Google search terms of not just products or words, but of people’s names, towns, and phrases in both English and Spanish to lure victims into a trap. One of our Threat Research analysts stumbled upon the new scheme while searching for information about a friend. We were surprised to find that the top four results of that search led directly to that dreaded Sarlaac Pit of malware, the rogue antivirus fakealert.
At first, visiting the four top links in our searches led to the same fakealert. After an hour passed, however, the pages started to shake things up, leading to fakealerts that mix up their appearance. One screen displays something that looks like an alert from the Windows Security Center in Windows Vista; Another generates a dialog that looks like the Security Center alert from Windows 7. Still others take on the now-classic faux-Windows Defender appearance.
(more…)
by Blog Staff | Jan 6, 2011 | Industry Intel, Threat Lab
On the morning of January 2nd, still bleary eyed, I checked my email to find a charming notification informing me that I’d received an electronic greeting card. Yay! I thought to myself: The first targeted malware of 2011 plopped right into my lap.
I immediately pulled up my research machine, browsed to the URL in the message (don’t try this at home, kids), and found my test system swamped in malware. After classifying the files and their source URLs into our definitions — I didn’t want this to happen to you, after all — I turned the computer back off and slept until Tuesday, when I resumed my analysis.
As it turns out, the payloads delivered by the drive-by download are as common as sand at the beach, but some of the techniques used by the malware’s distributor to obfuscate the true nature of the executable payload files (which may have been stored on what appears to be a hijacked, legitimate server running Joomla) are fairly novel, and also a bit ridiculous.
(more…)
by Blog Staff | Jan 1, 2011 | Industry Intel, Threat Lab
With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.
Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.
Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.
Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.
(more…)
It’s been a few months since Google implemented new ways that it displays search results, and in that time, it’s been difficult to find the kinds of hijacked search results we saw in huge numbers a year ago. But if you thought the search engine manipulators were laying down on the job, you’d be wrong.
