by Blog Staff | Jun 24, 2009 | Industry Intel, Threat Lab
In the course of surfing around, looking for ways to get infected, I stumbled upon a site that offers visitors downloads of key generators, cracks, and other ways to circumvent the process used by most legitimate software companies to prevent people who didn’t pay for the software from registering or using it.
And of course, I stumbled into a morass of malware.
Well, “stumbled” isn’t entirely accurate. The site is well-known to us as a host of drive-by downloads — it’s a site that uses browser exploits to infect your computer. But I went there anyway just to see what they’re driving-by with these days. Technically, the site didn’t burn us — it came from an advertising network, which loaded a script that bounced to three separate machines before landing my test PC in the hot seat. Cold comfort if your PC happens to get slammed with this junk.
(more…)
by Blog Staff | Jun 17, 2009 | Home + Mobile
Last week, I posted a blog item that explained how gamers face a growing security threat in phishing Trojans — software that can steal the passwords to online games, or the license keys for offline games, and pass them along to far-flung criminal groups. We know why organized Internet criminals engage in these kinds of activities, because the reason is always the same: There’s a great potential for financial rewards, with very little personal risk.
So I thought I’d wrap up this discussion with some analysis of how the bad guys monetize their stolen stuff. After all, how do you fence stolen virtual goods? And knowing that, is there a way to put the kibosh on game account pickpockets?
(more…)
by Blog Staff | Jun 12, 2009 | Industry Intel, Threat Lab
Since the beginning of the year, my colleagues in the Threat Research group and I have been researching an absolutely astonishing volume of phishing Trojans designed solely to steal what videogame players value most: the license keys that one would use to install copies of legitimately purchased PC games, and/or the username and password players use to log into massively multiplayer online games, such as World of Warcraft.
I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details. (We began covering this issue briefly last week.) With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don’t even seem to be concerned in the slightest about covering their tracks.
These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers — typically, perhaps unsurprisingly, located in China. We know the exact servers they contact, and what kinds of information they’re sending. And we know why: Thar’s gold in them thar WoW accounts, and the rush is on to cash in.
Today, I’m going to go deeper into how the infections happen.
(more…)
by Blog Staff | Jun 9, 2009 | Industry Intel, Threat Lab
The latest data from our customers indicate that, at least in the month of May, we were blocking and removing some of the nastiest threats on the Web. Among the spies we took out, we hit Fakealerts and Rogue Security Products hard. These spies simply try to fool you into making purchases you otherwise wouldn’t. After taking a hiatus of several months, the makers of these types of malware appear to be making a comeback. Simply put, a Fakealert is just a piece of adware. Unlike traditional ads, however, the ads a Fakealert pops up take on the appearance of official-looking error dialogs and Windows-esque warning messages — albeit, not always as poorly worded as the example shown here. Many present themselves as clones of the Windows Security Center control panel, or as those cartoon-voice-bubble popups from the System Tray. Fakealerts push their particular brand of stale baloney on the unsuspecting public for one reason: They want to trick you into downloading and running a program that looks, for all intents and purposes, like a system utility or an antispyware or antivirus product. The program displays realistic-looking “scans” that “find” allegedly malicious files on your computer. The joke of these “scans” is that they’re often no more than Flash animations. Because they run on any operating system that can display a Flash video, you can even get them to “scan” a Mac or Linux box, and “find” malicious files in parts of the filesystem that don’t even exist on those platforms. Oh well; you can’t blame a fraudster for trying. Many of these threats are installed when users inadvertently click a popup message that warns the user that they need to run a file in order to load a missing video codec, or install an ActiveX control that supposedly will perform a “free scan” of a system. Sometimes the people behind these ads even put a fake “close box” in the upper right hand corner of the fakealert message, to trick you into clicking inside the active area of the ad window. If you see this kind of ad appear, hold down the Alt key on your keyboard while you press the F4 key — that will close the ad window without requiring you to click anywhere inside of it. The bottom-line message to you is that while you should remain vigilant against potential frauds and scams, keeping your PC updated with the latest threat definitions is equally if not more important.
by Blog Staff | Jun 3, 2009 | Home + Mobile
By Mike Kronenberg
E3, the annual trade show for the computer and video games industry, kicked off in Los Angeles yesterday, not long after the unofficial start of summer on Memorial Day. These events got me thinking about what many students might do with their free time over the next three months. I imagine that for legions of young PC gamers, this could mean hour after blissful hour spent honing their skills as a blacksmith and earning gold in their favorite online fantasy universe. You can bet cybercriminals are imagining the same thing, too – and banking on it.
In PC gaming, it used to be that hackers would seek to steal log-in information to take control of someone’s character for their own personal enjoyment. But they’ve figured out in-game currency translates into real-world money, and now many people log onto World of Warcraft or Lineage to find their account balances wiped to zero.
To help keep hackers out — and hopefully make their summer a little less lucrative – I’ve outlined the most common tactics for infection during gaming and how gamers (of all ages) can avoid them. (more…)
by Blog Staff | May 21, 2009 | Threat Lab
Over the past week, someone has been spamming the file sharing site ThePirateBay.org with comments advertising a new “product” called BittorrentBooster. According to the site’s administrators, the spammer used a large number of fraudulently registered accounts to post the messages as feedback, attached to hundreds, possibly thousands, of downloadable .torrent files, which file-sharers use to initiate a peer-to-peer download session.
I decided to take a closer look, because the product’s claims — to be able to give file-sharers a massive speed boost during the “leeching” (or, downloading) phase of their torrent session — sounded pretty implausible. Impossible is more like it: The spammed ads for the product state, in characteristically broken English, it can help users “get your torrents download in 10 times faster!!”
The simple fact is, the amount of bandwidth available to you, network congestion, the number of people sharing a file, their bandwidth capabilities, and many other factors out of any individual PC’s control determine the download speed for a given torrent. No program can deliver a download performance increase of the scale promised by this product.
So, assuming the claims were snake oil, I took a closer look at what else the program was capable of. As it turns out, it’s a very capable delivery mechanism for advertising—in places I didn’t expect.
(more…)
by Blog Staff | May 15, 2009 | Industry Intel, Threat Lab
After more than a week of harassment by goofballs spamming links, Facebook users can breathe a sigh of relief that, for now, at least one source of trouble has been eradicated.
Last week’s worm-like spread of links to the mygener.im domain, and this week’s use of the ponbon.im and hunro.im domains to phish Facebook users’ credentials, have been a puzzling diversion from my normal malware analysis tasks. The mygener.im link that was spammed into Facebook accounts redirected users to a page hosted elsewhere that contained nothing but perplexingly obfuscated Javascript (with variables — shown at left — that appear to be comprised mostly of words in Latin) that, as far as I and other researchers here can tell, didn’t do anything at all.
But yesterday I decided that enough was enough, so I emailed the source of the .IM top-level domains — the Isle of Man domain name registry, nic.im — to ask what the heck was going on with all these .IM domains being used for malicious purposes. After all, as a result of the metric tons of malicious code and browser exploits I see that originate on Web sites registered in the .biz and .info top-level domains (TLD), I personally no longer have any confidence in a site registered under either of those TLDs. The big question in my mind was, is .IM on its way to becoming another lost cause?
As it turns out, .IM’s operators really jumped on the problem. The registry’s representative promptly replied to my messages, and the registry has suspended not only the three domains I’ve named, but twelve others I hadn’t heard of that were registered in the .IM TLD through the same intermediary and, in his words, “which we suspect were being used for malicious purposes.”
“We take the reputation of the IM registry seriously and police it to try and prevent events like this from arising,” he continues. “Where we can, we block users from registering via a variety of means and, in the main, this has to date been succesful [but] from time to time we have to make changes to our processes, and these events will act as a prompt to review them to see where we can tighten things up.”
So for now, Facebook users, breathe easy — until the bad guys find a domain registry willing to look the other way. And thank you, .IM, for showing us all how a responsible (and responsive) top-level domain NIC deals with criminals — by swiftly shutting them down.
by Blog Staff | May 14, 2009 | Industry Intel, Threat Lab
This week’s installment of what’s-old-is-new-again in the world of malware comes from one of the many groups making and distributing phishing Trojans in China. Earlier this year, someone discovered a hacktool called ZXArps, and began distributing it in earnest as a payload from another malicious downloader.
Unlike most malware we see these days, ZXArps (which dates back to 2006, and was discovered by the English-speaking security community the following year) isn’t designed to perform a single task. It’s more like a Swiss Army knife, giving its users a great deal of control over not only the computer on which it’s running, but the immediate network environment in which that computer sits.
In essence, the tool is designed to inject specially-crafted data packets into the network, and some of those packets can manipulate the behavior of the infected computer as well as others on its network. In most networks, a router or gateway acts as a sort of traffic cop, directing information between computers on that network and other networks, and to/from the Internet. The power of ZXArps comes from its ability to impersonate that traffic cop, fooling the network into directing traffic wherever the malware-maker wishes.
And in this case, infected PCs are directed to Web sites hosted in China which, when visited, infect the computer with even more malware. It’s a nasty trick, and it works beautifully. Read on for its damage potential. (more…)
by Blog Staff | May 7, 2009 | Industry Intel, Threat Lab
Once in a while, you don’t have to do anything at all and malware just drops into your lap. That happened to me the other day, when I received a buddy request from a total stranger in my decade-old ICQ instant messenger account. It’s never failed to be a rich source for malicious links, SPIM, and other fun stuff (that is, from a malware research perspective).
ICQ is a multi-lingual community, and this request was written in the Cyrillic alphabet. My client didn’t render it properly, so I couldn’t read the text of the come-on. But I could read the plain-ASCII URL that was linked at the bottom. So, curious, I took a look. The page looks pretty basic, with text (badly translated to English) which reads “There is my candid photos))do you will hear me on him?” and a link to download a file.
I’m a sucker for grammatically tortured social engineering, so I couldn’t resist. Yes, I thought to myself, I do will hear you on him.
(more…)
by Blog Staff | May 1, 2009 | Industry Intel, Threat Lab
We’ve just tallied the top 10 threats Webroot’s consumer products detected during the month of April, and some interesting trends appear to be shaping up.
Conficker aside, the first quarter of 2009 seemed to be dominated by worms that spread not only over a network, but to virtually anything you can plug into a USB port to store files. Thumbdrives and portable hard drives immediately come to mind, but so do MP3 players, digital picture frames and memory cards — like the kind you’d use in cameras, cellphones, or videogame players.
April proved to be no different. It’s very much a case of what’s old is new again, reminiscent of the era when sharing an infected floppy disk could wreak havoc.
We’re also seeing malware distributors still trying to use old vulnerabilities to try to infect computers. Even JPEG image files containing the MS04-028 vulnerability code — a bug that was fixed in Windows four and a half years ago, are still floating around the net trying to take advantage of older, unpatched system, as are scripts attempting to exploit the ADODB.Stream vulnerability. If you ever needed a reason to run Windows Update, this is it.
Click onward to read the entire list. (more…)
Page 146 of 148« First«...144145146147148»
In the course of surfing around, looking for ways to get infected, I stumbled upon a site that offers visitors downloads of key generators, cracks, and other ways to circumvent the process used by most legitimate software companies to prevent people who didn’t pay for the software from registering or using it.
E3
Once in a while, you don’t have to do anything at all and malware just drops into your lap. That happened to me the other day, when I received a buddy request from a total stranger in my decade-old ICQ instant messenger account. It’s never failed to be a rich source for malicious links, SPIM, and other fun stuff (that is, from a malware research perspective).