Reading Time: ~ 1 min.

Cybersecurity in Schools: What Families Need to Know

Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents...

Context Matters: Turning Data into Threat Intelligence

1949, 1971, 1979, 1981, 1983 and 1991. Yes, these are numbers. You more than likely even recognize them as years. However, without context you wouldn’t immediately recognize them as years in which Sicily’s Mount Etna experienced major eruptions. Data matters, but only...

Out from the Shadows: The Dark Web

You’ve likely heard of the dark web. This ominous sounding shadow internet rose in prominence alongside cryptocurrencies in the early 2010s, eventually becoming such an ingrained part of our cultural zeitgeist that it even received its own feature on an episode of Law...

Webroot DNS Protection: Now Leveraging the Google Cloud Platform

We are  excited to announce Webroot® DNS Protection now runs on Google Cloud Platform (GCP). Leveraging GCP in this way will provide Webroot customers with security, performance, and reliability.  Security Preventing denial of service (DoS) attacks is a core benefit...

Streaming Safer Means Streaming Legally

It’s been more than a decade since Netflix launched its on-demand online streaming service, drastically changing the way we consume media. In 2019, streaming accounts for an astonishing 58 percent of all internet traffic, with Netflix alone claiming a 15 percent share...

A Cybersecurity Guide for Digital Nomads

Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means...

Botnet malware targets MyYearbook

Reading Time: ~ 3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

The team here at Webroot has picked up on a Trojan that appears to target a relatively new social networking site: MyYearbook.com.20090427-myblot-myyb_logo

The site caters to the high-school-age crowd with activities that include various kinds of person-to-person challenges, streaming TV, and a kind of virtual matchmaker service for the tween-and-above set. We’re calling the malware that targets the site Trojan-Myblot.

We received our copy via a malicious BitTorrent download, which purportedly distributed a Windows utility. Instead, we received a file that downloaded several payloads, eventually landing our infected system firmly in the clutches of Myblot.

So what does it do? The trojan, unusual in that it requires the .Net Framework to run and was written in Microsoft’s Visual C#, runs silently in the background. While it’s running, it sends back information about the locally installed bot’s identity, whether the user of the infected system uses Gmail, and whether the infected system has received an updated bot client. It does these update checks about every 15 to 45 seconds.

Myblot reconnaisance data

Myblot reconnaisance data

Myblot phones home several times a minute

Myblot phones home several times a minute

One of MyYearbook’s activities is just called “Battles” — it’s basically a way for people to post photos of themselves, or others, and earn some sort of online cred for being voted “Scariest rollercoaster face” or “Most emo.” As if. The malware spawns popup ads that look like a Battles “IQ challenge” invitation from a teenage girl who needs to put some more clothes on. When clicked, the browser redirects the user through an ad Web site called Yeprevenue.com.

The fake MyYearbook Battles window

The fake MyYearbook Battles window

There is some good news for victims. First, the infection is easily removed, whether you sweep with Webroot Spy Sweeper or delete the file manually. The malware is also pretty badly coded, so unless all the required pieces are in exactly the right location, the Trojan fails to execute, or just throws a .Net error message and quits. Clearing your Temp folder is another way to get rid of it.

Unfortunately, there’s also bad news for users of infected machines: The server that hosts the fake Battles ad also has a tendency to redirect the browser elsewhere. In particular, the browser on my test system was pushed through two separate Web sites that used browser exploits and obfuscated Javascript code to eventually infect the system with another obnoxious piece of malware, Trojan-Relayer-Jolleee.

Jolleee quietly sends spam from infected machines to unsuspecting users, getting lists of victims and the message text from servers it contacts. So while it looks like we can easily stamp out Myblot, it doesn’t want to go out quietly, without putting up a fight.

Do you Think Security First?

Reading Time: ~ 3 min.

20090421_groundtrix_300

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

In an era when virtually all businesses use the Internet, in one form or another, to get work done, it’s worth asking the question posed in the title of this blog entry. Think Security First is an organization dedicated to helping spread security gospel to businesses — via chambers of commerce. Their goal: to create a Neighborhood Watch for the Internet, organized around these local business groups.

On Monday, I and several other speakers had the opportunity to address representatives of chambers of commerce at a panel discussion organized by Neil O’Farrell, the group’s founder and chief evangelist. Webroot is a sponsor of the group, along with several other security software companies, credit reporting agency Experian, Microsoft, and various law enforcement agencies. Among the other speakers were former white house cybersecurity czar Andrew Purdy; Dyann Bradbury, the director of the FBI’s Infragard program; and Michael Levin, a cybercrime expert who worked for the Secret Service and helped run Homeland Security’s National Cyber Security Division.

Though all the speakers brought their perspectives to the panel, the bottom line from all the panelists ended up in virtually the same place: Businesses, and the people who run them, have to make fundamental changes about to how they address security concerns, putting thought from the ground up into the security of their own systems and data, and privacy of customer information.

As someone who’s beat that drum for more than a decade, it was both refreshing to hear a chorus of agreement, and frustrating that — eight years after the organization was founded — security evangelists say they feel stuck in a kind of Groundhog Day-esque repetition of the same advice, over and over, while at the same time are constantly reminded that businesses fail to adhere to good security practices every time news breaks about worm infections taking down networks, or a laptop full of customer data vanishes from a bag or is left in an airport/train seat/unlocked car.

Phishing Trojan Targets Russian Finance Websites

Reading Time: ~ 3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090410_russian_banksFor a long time, we’ve heard about phishing attacks originating in Russia or eastern Europe that target western banks. There’s nothing surprising there. Latter-day Willie Suttons typically target big US or European banks because, well, that’s where the money is.

That’s why I was kind of surprised to stumble across a phishing Trojan that targets some of Russia’s largest online financial Web sites, including RBK Money (formerly known as RUPay), Yandex, Moneymail, and OSMP — one of Russia’s Paypal-alternatives. Aside from e-gold, I hadn’t seen this many Russia-specific websites listed as targets within a phishing trojan before.

Is Russia suddenly “where the money is?” According to Forbes, it is. The magazine reported last year that its most recent list of the world’s richest people included 87 Russian billionaires — a year-over-year increase of 64% — and 136,000 millionaires. So, maybe it makes sense for the people who build these malicious tools to target Russian banks and online payment sites. read more…

Inane Shenanigans with Worm-Shiv

Reading Time: ~ 3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

It’s been a long time since I’ve worked on a malware file as singularly obnoxious as Worm-Shiv, a new worm we defined a few weeks ago. There isn’t anything especially technically avant-garde or advanced about the worm, nor was it especially difficult to detect or remove. It just exhibits behavior that, to be blunt, is about as annoying as it possibly can be.

The infection process starts with a small self-extracting RAR archive executable. When run, it drops and executes another .exe file, which in turn drops and executes yet another .exe file. Sounds pretty unobtrusive so far, right?

Well, even though the worm might have snuck by unnoticed, it would be hard to characterize its operational behavior as “staying below the radar.” The worm puts a copy of a file named wsock32.dll into every single folder on the hard drive. Every. Single. One. On my test system there were more than 200 copies left behind.

Then the fun begins.

read more…

Someone Confick-rolled the Internet

Reading Time: ~ 3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Well, the big Conficker.c launch day is upon us and…nothing. So far, anyway. Someone should start selling “I blogged about Conficker and all I got was this lousy T-shirt” shirts. Cafepress, are you listening?

We’ve been keeping to the back of the room about Conficker, not joining the rising hysteria chorus. It’s not that we don’t care, but I’ll tell you why we’re not making a lot of noise: Webroot’s malware removal solution effectively deals with Conficker on PCs. That’s it. As long as you’ve got the File System Shield and the Execution Shield enabled in your application (click the Shields button on the left side of the Webroot Antivirus/Internet Security Essentials window, and look for a little picture of a shield next to those labels in the Windows System Shields category), and definitions updated as long as two months ago, we’ve got your PC’s back.

The only people who need to be concerned about this worm are people with no legitimate malware protection — and no, a copy of the rogue application Antivirus 2008/2009/2010 doesn’t count — and who haven’t checked in with Windows Update since last fall. And even those people only need to worry about the worm’s code attaching itself to their PC. As far as we know, that’s the only thing it’s good at. Oh yes, and pranking the computer security community and the world’s press.

So, since we’re mentioning it, now would be a good time to head over to Microsoft and check to make sure you have those updates you so sorely are missing. And if you have a copy of our product, click the Options button, then the Update tab, and make sure you have both the latest definitions files and the latest version of the application. If you need either, or both, it’ll only take a few seconds on a broadband connection to pull them down.

Then you can get back to life, and stop worrying about whether Conficker is going to destroy the world, kick your cat, and push a baby stroller into the street — or fizzle like a wet firecracker.

From Pixels to Phishers

Reading Time: ~ 4 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

File variations (crop)Over the past year, we’ve seen a huge jump in the number of mass downloader spyware. These small executable files have just one job, and they do it very well: They pull down huge numbers of additional installers, which in turn place a large number of password stealing Trojans, ad-clickers, and still more downloaders on the unfortunate victim’s PC.

The trend appears to be that most of the servers from which these phishing Trojans originate are registered within China’s .cn top-level domain, and the phishers themselves target (mostly) the login details for online multiplayer videogames played, primarily, in China, and in some cases, more widely in Asia.

Putting aside the rationale for what the phishers target (the goal may be purely financial, but that’s a discussion for another time), what’s really interesting is how the techniques to massively infect a victim’s PC have evolved, possibly to avoid network-based signature detection techniques that can identify Windows executable files while they’re traveling over the wire. It also seems that the various groups appear to compete with one another, even going so far as to block the domains used by competing groups’ downloaders once they’ve infected the machine.

So not long ago, another interesting mass downloader development seemed to drop into my work queue. These downloaders pull down bitmap images — not just executables with a different file extension, but real graphics files — then convert the color data into binary code, which transforms the data in the picture file into a small executable phisher installer.
read more…

Adware Purveyors Panning for Search Gold

Reading Time: ~ 4 min.

SnappyAdz money noose

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

We know most adware companies are shameless in their pursuit of revenue, but it’s been a while since we’ve seen anything as bizarre (or hilariously bold) as the sales pitch from a relative neophyte to the world of adware, which calls itself SnappyAds. On its homepage, SnappyAds posits the hypothetical glee of two business-suited online ad men counting the thousands of dollars they’ve allegedly earned from their allegedly lucrative venture.

Behind the SnappyAds facade, however, is an adware client we (and a few other AV companies) call SearchPan. The installer for the adware client application is hosted on SnappyAds’ webserver, and it modifies both the IE and Firefox browsers to add code which redirects searches through a number of search engines of dubious distinction.

There really isn’t a whole lot to discuss technically about SnappyAds. It really only came to our attention because the Threat Research group as a whole just couldn’t stop laughing when we all saw the pictures of the guy leaning back in his cushy leather chair counting out his Benjamins. They do arrive, as SnappyAds claims, by the ton. So make sure you invest in a forklift before you sign up as a SnappyAds affiliate. You’ll need one to move your palette-loads of cash.

read more…

New Malware Ruins Firefox

Reading Time: ~ 4 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Late last year, we read all the buzz about ChromeInject, a malicious DLL that was being billed as the first malware specifically targeting Firefox. It was interesting to see Installashunthat someone built a phishing Trojan for a different browser platform, but ChromeInject was also clearly an early phase in Firefox malware development: It was fairly obvious, and it was easy to eliminate, because it generated an entry in the Plugins menu called “Basic Example Plugin for Mozilla” which you could simply disable with a single mouse click.

Well now it looks like the bar’s been raised. In the past few weeks, we’ve seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn’t due to any problem or negligence on Mozilla’s part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target.

read more…

As Web 2.0 explodes, does IT security implode?

Reading Time: ~ 3 min.

By Jesse McCabe

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Social media sparked a revolution in how we communicate. From best friends to business owners, more of us every day are using a social networking site to connect with people. Facebook welcomes 700,000 new members daily, and an estimated 4-5 million people are now reading tweets on Twitter.

istock_000000590930_med_lockedkeyboard01And cybercriminals are having a field day exploiting the vulnerabilities social networks have exposed in our Internet security practices.

By and large, Internet security at the network level has recently consisted of on-premise URL filtering mechanisms used by organizations to enforce company Internet use policies and improve employee productivity.  These solutions also offered protection by blocking access to sites classified as containing malware. For a while, this approached appeared to work.

read more…

Introducing the Threat Blog

Reading Time: ~ 3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Welcome, readers. I’m a member of the Threat Research team at Webroot, and I’ve been asked to contribute to Webroot’s new Threat Blog. I’d like to take a moment to introduce myself, tell you a little about what we do, and explain how we plan to use the blog to keep you informed.

Webroot’s threat experts are responsible for defining new malware, and variants of existing malware, that are being introduced every day. We spend the bulk of our time, to summarize in a massively oversimplified manner, breaking PCs by infecting them with Trojan Horse applications, virii, worms, rootkits, password stealers, and other malicious and undesirable software, then figuring out how to fix them again. We infect our PCs, over and over and over again, so you don’t have to; then we make sure Webroot’s products will protect against or remove the infections.

As you can imagine, our perspective on the front lines of Internet security gives us significant insight into the workings of these unwelcome software pests. And we’re now seeing an unprecedented volume of infected PCs and networks, and greater sophistication employed by those doing the infecting. We were compelled to create a vehicle to share that insight with the rest of the world.

My role is to serve as an information conduit between our malware, spam, and Web security experts and you, the reader. I and others will post details about the most dangerous and difficult security threats we encounter, and how to avoid them. We’ll also be sharing trending data we collect about spyware, computer viruses and other infections, and the origins of the infectious agents that propagate them. Our goal is to provide useful information that will, hopefully, help you protect yourselves from what seem — to us, anyway — like wave after wave of increasingly hostile, damaging, and obnoxious malware.

So, thanks for stopping by. We look forward to chronicling the threat landscape for you. Please add us to your RSS feed using the link that looks like a little billboard at the top of the page. And feel free to let us know what you think by sending your comments, questions, or requests to the address on the right side of the page.

Stepping up to the Loserbar

Reading Time: ~ 5 min.

fake google search result

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Last year, we at Webroot (as well as many other people) saw a huge spike in two specific types of malware: Rogue antispyware products — the ineffective, deceptive kind — and the various tricks the companies that sell rogues use to trick you into downloading (and eventually buying) their bogus products, something we refer to, generally, as Fakealerts.

Here’s usually how the trick works: First, you’re fooled into browsing to a Web site which employs any of a number of tricks to install the Fakealert code onto your PC. The Fakealert then begins popping up messages warning you about some sort of infection in the System Tray, or in dialog boxes, and/or by opening browser windows to pages that look uncannily similar to control panels or dialog boxes used by Windows XP and/or Vista. Later, after you’ve been provided a smoke-and-mirrors “free scan” of your system (which, of course, reports all kinds of salacious and undesirable “detections”), you’re directed to a page where, for just $59 you can be rid of your spyware problems forever.

Yeah, right.

The tricks these guys employ get more creative with every new iteration. We’ve seen them drop hundreds of junk files on a hard drive, which are then “detected” as infections; install screensavers that look just like your computer is going through Blue Screen of Death convulsions; and run every dirty trick and cheap gimmick to get a sale.

So it came as no surprise when we encountered yet another Fakealert — we decided to call it Adware-Loserbar — that leads, eventually, to a rogue product. What set this one apart was its sheer gall — and a few new tricks we hadn’t seen before.

read more…