Reading Time: ~< 1 min.

Antivirus vs. VPN: Do You Need Both?

Public concern about online privacy and security is rising, and not without reason. High-profile data breaches make headlines almost daily and tax season predictably increases instances of one of the most common types of identity theft, the fraudulent filings for tax...

Notice: What Happens on Public Computers, Stays on Public Computers

These are the places your digital tracks can be dug up. With a little sleuthing. Experts have warned for years of the risks of using public computers such as those found in libraries, hotels, and airline lounges.  Many warnings focused on the potential for hackers to...

The Evolution of Cybercrime

From Landline Hacking to Cryptojacking By its very nature, cybercrime must evolve to survive. Not only are cybersecurity experts constantly working to close hacking loopholes and prevent zero-day events, but technology itself is always evolving. This means...

A Chat with Kiran Kumar: Webroot Product Director

The process of bringing a cybersecurity product to market can be long and tedious, but Kiran Kumar, Product Director at Webroot, loves to oversee all the moving parts. It keeps him on his toes and immersed in the ever-changing world of security technology. We sat down...

Epic Malware Dropper Makes No Attempt to Hide

Reading Time: ~5 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

In the world of first-person shooter games, getting the most headshots — hits on the opponent which instantly take the opponent’s avatar out of the game — is a prized goal. The headshot is the quickest way to dispatch a foe in virtually every shooter, which is why the file name of a malware sample, currently in circulation, stood out.

The file, yogetheadshot.php.exe (VT), is a dropper, a glorified bucket designed to tip over and spill other malware all over a PC. But where other droppers might leave behind a handful of payloads, this one utterly decimated a testbed PC with a malware headshot — an unusually overt infection that, defying conventional wisdom about malware infections, took no apparent effort to mask its behavior or remain low key.

The file, extracted from network traffic recorded while a test system got manhandled by a drive-by download site, was only one of several executable payloads that originated from the same domain hosting the drive-by.

But this sole dropper was more than capable of delivering the terminal blow to a middle aged Windows XP box. We first saw it appear on September 7th, but it has become more widespread since then.

(Update, 22 Sept.: Here’s a video that shows what happens on a system when someone executes this dropper. The dropper is near the upper-left corner of the screen. The rest of the screen is taken up with Process Explorer, which lets you see just how many payloads the dropper delivers.)

[vimeo 15167753]

read more…

New Rogue Is Actually Five Rogues in One

Reading Time: ~5 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

For years, the makers of those snake oil security programs we call Rogue Security Products have spent considerable effort making up new names, developing unique graphic design standards, and inventing backstories for their utterly useless, expensive scam products. Now a new rogue has taken this never ending shell game one step further, releasing a single program that calls itself one of five different names, depending on what button an unfortunate victim clicks in a highly deceptive dialog box. Let’s call it what it really is, though: A malicious play in five acts.

The rogue’s delivery method, or Act 1 in this melodrama, is no different from the many we’ve seen in the past 18 months which use a Javascript-enhanced Web page to convince viewers they’re watching a live malware scan on their computer. This trick is so hackneyed, it’s become the cybercrime equivalent of the dastardly villain in a silent movie tying the hapless woman to a railroad track, then twisting the ends of his mustache for dramatic effect. Does anyone still fall for this?

Only, this time the fakealert delivers a different payload: When the victim runs the rogue executable (named simply setup.exe), Act 2 begins. The rogue displays a dialog box that looks like an alert message issued by Microsoft Security Essentials, cautioning the victim that a legitimate Windows component present on most or all installations of Windows, such as iexplore.exe or cmd.exe, is actually a piece of malware.

The rogue helpfully offers to perform some sort of online scan, and that’s where it gets weird. The rogue pretends to scan the hard drive with 32 different antivirus engines, a-la VirusTotal. The vast majority of them are well known, at least in the security community. But five are new, and it’s those five that merit closer inspection.

read more…

Workplace Social Networking: More Like Antisocial Not-working

Reading Time: ~4 min.

By Ian Moyse, EMEA Channel Director

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Hardly a week goes by when the national press doesn’t carry a story about how social networks represent a threat to privacy or security, or both. These news stories aren’t wrong: Users of social networks face a raft of risks, ranging from malware attacks and identity theft, to cyberbullying, grooming from sexual predators or stalkers, viewing or posting inappropriate content, and the ever-present risk that you (or someone you work with) might end up with your foot (or is it your keyboard?) firmly in mouth.

Using social networks to give out too much information about yourself can also lead to some predictably poor outcomes. One Australian employee, fired from his job, had posted about skiving from work after a night of heavy drinking. A group of call center employees swapped brags about abusing customer information on Facebook and were fired. Is it hard to believe that the employer used the employees’ own Facebook posts as a virtual admission of guilt?

With Facebook adding over 400,000 users a day and LinkedIn 400,000 a week, social networks can no longer be ignored by employers, as employee misuse of social networks accelerate.

read more…

Cracked Trojan-Maker Infects Prospective Criminals

Reading Time: ~4 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

In what seems to be a trend in my September blog posts, the research team has run across a program meant for criminally-minded people which has a nasty surprise inside.

The program in question is called the ZombieM Bot Builder, which is used by the kind of upstanding citizens who spread Trojans in order to build up botnets — a collective of infected computers that can act as one entity. The creators of this program, an Argentinian group called Arhack, sell it for 180 euros. But don’t pull out your stolen credit cards just yet, because Arhack doesn’t take Visa: They sell this garbage exclusively via Western Union money transfer.

Well, someone has cracked both the earlier, 1.0 version of their bot generator and the latest, 2.0 version, and posted it online for other criminals — the cheap kind, who don’t have 180 euros to spare — to use. The cracked version lets you use all aspects of the program to generate bots and manage the botnet without the need for a customized username and password, which you would otherwise need in order to start up the program.

But there’s a hitch: Whenever you run the cracked version, it also installs Trojan-Backdoor-PoisonIvy, a different but equally nasty botnet Trojan. The backstabbing Trojan trifecta is in play.

read more…

Fake Flash Update Needs Flash to Work

Reading Time: ~4 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

If you live in the US, you may have played sports, barbequed, or enjoyed the last long weekend of the summer outside doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course.

I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to using a new domain as the dead drop for credentials stolen by the Koobface password stealer payload: m24.in, the Web site of some sort of media company based in India. The behavior I saw by the keylogger was virtually identical to that used by the Migdal variant, reported in a previous post. The payload is even named m24.in.exe, just like the Migdal payload was named after the domain where it posted stolen passwords.

It’s been a while since the worm changed its primary method of infection: For nearly its entire existence, Koobface has spread by manipulating the social network accounts of infected users so it appears the user posted a link to a video. Of course, the worm does the posting in the name of the user, and the link points to a page which purports to be some sort of streaming video, but actually pushes the malware on anyone who visits.

And, in order to take on the appearance of a real online video, it uses Flash.

read more…

PHP Backdoor Has Another Backdoor Inside

Reading Time: ~3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Is there no honor among thieves anymore?

The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim’s computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web page. The code is  nicely appointed with such desirable features as the ability to execute shell commands on the host server, send a flood of data packets at another computer, and scan remote computers.

Once loaded into a victim’s browser, the bot connects to, and is capable of executing commands issued by, a botnet server–until the victim reboots their computer. But for most users, that’s probably long enough. If an attacker can execute commands on an infected user’s computer, installing more Trojans is just child’s play.

But someone appears to have embedded a surprise into this PHP backdoor: It’s another backdoor within the backdoor.

read more…

Pro-Israel Website Receives Passwords Stolen by Koobface

Reading Time: ~5 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Is the team behind the Koobface worm taking a stance on the Israeli-Palestinian peace talks, or is this notorious worm’s most recent, bizarre twist just a coincidence?

We’ve seen Koobface hijack legitimate Web sites for more than a year, using them not only to host malicious payload files, but also to work as proxy command-and-control servers for the botnet. One such hijacked Web domain, migdal.org.il, popped up in a number of blog posts and on Web sites which list the domains used to host malware, as far back as this past May, when the Koobface crew began using a slew of new hijacked servers as distribution points for its malicious files.

And since the summer, Koobface has been delivering a password stealing Trojan among the several payloads it brings down to an infected computer. That Trojan’s name is migdal.org.il.exe, and the stolen passwords it scrapes from infected computers are sent right back to the migdal.org.il Web server, which is physically located at an ISP in the UK.

Migdal also seems to be (if you can believe the content posted to the Web site) a French jewish organization that provides aid and resources to Israeli children and border guards, and whose leadership opposes many of the Israeli concessions that Palestinian negotiators have requested during the long peace process. Have the Koobface gang gone political, or are they just capitalizing on a convenient situation with an abandoned Web site?

(Update: The site went down on September 3rd, the day after this post went live. Thanks, helpful ISP who shall remain nameless.)

read more…

A Cave Monster from Hell Wants Your Financial Data

Reading Time: ~4 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

A novel and pretty sneaky Trojan designed to steal financial data appeared on our radar screen last week. The Trojan, once installed on a victim’s computer, rootkits itself to prevent detection, then watches the victim’s browser for any attempt to connect to the secured, HTTPS login page of several online banks. When the victim visits the login page the Trojan has been waiting for, the Trojan generates a form that “hovers” over the login page asking for additional verification information.

“In order to provide you with extra security, we occasionally need to ask for additional information when you access your accounts online,” reads the popup window. Everybody needs extra security, right?

Of course, the additional information that the bank appears to be asking for is all information the bank already should have if you have an account there: The number on your credit and debit cards; a Social Security number; your date of birth and mother’s maiden name; The PIN code for your debit card and the security code printed on the front of any credit card issued by the bank.

The problem is, the form completely blocks the full page, preventing you from logging in — until you fill in all the fields in the form it displays. Then it sends that information (encrypted with SSL, mind you) to a server at the IP address 121.101.216.234, part of the address space allocated to Beijing Telecom.

Your bank may outsource some of its customer service tasks, but stealing your financial identity isn’t part of the normal services your bank provides.

read more…

Subscription Renewal Spam Points to Drive-by

Reading Time: ~4 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Dear Customers: Please be aware that a crew of Russian malware distributors are circulating a spam message which looks like a subscription renewal confirmation from Best Buy, allegedly for one of our products.

The linked text in the message, however, leads to a Web site which performs a drive-by download. Please don’t click the links in the message; If you have any questions about your subscription, please contact support.

The spammers appear to have done some homework. Some, but not enough. Best Buy currently sells our products through their online software subscription service. Note to spammers: If you’re going to try to hijack our trademark, the least you could do is get the name right. Best Buy doesn’t sell anything called Webroot Spysweeper with Antivirus Product. Nor do we.

The email message claims it is a notice that your subscription has been renewed, and includes a serial number (which doesn’t work) and a transaction date of July 17.

The link in the message leads to the Web site of a small bed and breakfast in New Zealand, which has been compromised. We’ve informed the owners of that Web site of the spam campaign and asked them to take down the page referenced in the spam message.

I guess we struck a nerve, hurt some sensitive malware author’s pwetty widdle feewings, and ended up a target for attack, one that falls down. Too bad, so sad.

read more…

Blackhat SEO of Google Images Links to Rogue AV

Reading Time: ~7 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products.

What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With each different browser configuration, we were treated to one of several different, specially crafted malware delivery Web pages.

I’m not sure when the attack started, but we started analyzing it at around 10am, Mountain time. By late afternoon, the sites were offline and the attack no longer worked.

To test the extent of the hack, we played around with the manipulated search results using five different browsers: Internet Explorer 6 and 8, Safari 5, Google Chrome, and Firefox. All the browsers were set up with default settings in an otherwise identical installation of Windows XP SP3. We then searched for USA Map and clicked the second result that appeared under the header “Images for usa map.” (All but the first image result that appeared on that first page of results linked to the malicious Web site.)
read more…

Phishers Want You to Have a Coke and a Drive-by

Reading Time: ~3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

As recently as a few months ago, malware distributors went to what looked like great lengths to craft complex, sophisticated Web pages designed to trick visitors into believing they were visiting a page with an embedded video and — oops! — you need to update your copy of Adobe Flash in order to view it.

Well, those days of hard work seem to have faded into memory. All we’re left now is this.

In a recent attack that came to my attention, the guys behind the attack didn’t bother to build a sophisticated Web page. Well, nothing along the lines of pages we’ve seen before, with cool graphics, slick design, or interesting programming. In fact, they hardly built a Web page at all.

In this case, the unknown person or people created an HTML file that loads someone else’s graphic, which happens to be a warning about an outdated version of Flash, that is located elsewhere. Specifically, they load a graphic that just happens to be hosted on the Coca-Cola company‘s Web server. This isn’t a site hack against the Coke people — the graphic is probably legitimate, considering how Flash-heavy the Website is — just an example of how pathologically lazy or incompetent some malware distributors can be.

read more…

Starcraft 2 Launch Day Piracy Infects Eager Gamers

Reading Time: ~3 min.

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

While some members of our Threat Research group are attending talks at the Black Hat Briefings, the rest of the team is back at our offices, hard at work watching for novel threats.  That’s good news for gamers, and bad news for malware distributors who might try to take advantage of a confluence of events where many elite members of the security community are temporarily turned away from monitors while they attend the conference. I received a warning about one potential threat facing gamers who might turn to piracy to get a copy of Blizzard’s new real-time-strategy game, Starcraft II.

Apparently, there are a flood of torrents where gamers can download purportedly pirated versions of SC2. While your less ethical gamer might cheer this news, you might be less pleased to find out that some of the SC2 torrents appear to bring along a side order of malware. One of the torrents, for example, touted as a custom game launcher, drops the Zbot keylogger Trojan—albeit a variant we can easily detect and remove.

While this isn’t exactly new, we’re finding that the incredible demand for this game is driving malware distributors to supply something that looks like what the gamers want. We’ll keep an eye on this trend, and update the post if necessary with more details as they become available.

And if you want a copy of the game, just go out and buy it. It may not be the most thrifty use of your money, but it’s the ethical thing to do, and the safest way to get a copy of the game.

(Starcraft 2 logo courtesy of Blizzard Entertainment)

Page 90 of 100« First...8889909192...Last »