If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.

Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.

But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.

Safari users should practise safe computing, and update their systems as soon as possible.

By Graham Cluley, Sophos

Related posts:

1. Critical security update for Adobe Reader and Acrobat
2. Fake Conflicker.B Infection Alert puts internet users at risk
3. Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

In a move that should be welcomed by many users, Twitter has announced that it is introducing a new feature to combat the many malicious and malware URLs that are distributed via the micro-blogging site.

In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.

As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened url appears to be only evoked with email notifications for direct messages at this time.

Details of how Twitter is determining if a link is potentially malicious or not do not appear to have been released at this time, and it would certainly be great if Twitter would post some more information on how the system will work and what users can expect to see.

It’s also to be hoped that this new service will be rolled-out to other areas of Twitter too. We’ve seen many times in the past that phishing and spam attacks on Twitter don’t tend to restrict themselves purely to DMs, but will also often be found in the public timeline too, as the following YouTube video demonstrates:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they have been on the receiving end of spam and malware attacks via social networks in the last year.

The news of Twitter’s new twt.tl short url facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may contain a malware, spam or phishing threat using technology from security vendors such as Sophos.

* Image source: wonderferret’s Flickr photostream (Creative Commons)

By Graham Cluley, Sophos

Related posts:

1. Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)
2. Twitter Using Google Blacklist To Filter Malicious Links
3. Off The Rails: Twitter, Passwords And Twittertrain

Overview

The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

I. Description

Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:

If the user selects “Unblock,” then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.

The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is:
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

The file details for Arucer.dll are:

--a-- W32i   DLL CHS         1.0.0.1 shp     28,672 05-10-2007 arucer.dll
Language        0x0804 (Chinese (PRC))
CharSet         0x04b0 Unicode
OleSelfRegister Disabled
CompanyName
FileDescription Arucer DLL
InternalName    Arucer
OriginalFilenam Arucer.DLL
ProductName     Arucer Dynamic Link Library
ProductVersion  1, 0, 0, 1
FileVersion     1, 0, 0, 1
LegalCopyright  ???? (C) 2006
LegalTrademarks

VS_FIXEDFILEINFO:
Signature:      feef04bd
Struc Ver:      00010000
FileVer:        00010000:00000001 (1.0:0.1)
ProdVer:        00010000:00000001 (1.0:0.1)
FlagMask:       0000003f
Flags:          00000000
OS:             00000004 Win32
FileType:       00000002 Dll
SubType:        00000000
FileDate:       00000000:00000000

II. Impact

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

III. Solution

Remove the Energizer UsbCharger software

Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.

Remove the Arucer.dll file

The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, the Windows may need to be restarted before this file can be removed.

Remove “Run DLL as an App” exclusion from the Windows Firewall

If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the “Run a DLL as an App” entry should be removed from the exclusions list.

Block or restrict network access

Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that “Run a DLL as an APP” has been blocked by the Windows Firewall.

The following Snort rules can be used to detect network traffic related to this backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;

Systems Affected

Source : www.kb.cert.org

Related posts:

1. Microsoft® Windows® Malicious Software Removal Tool (KB890830) v2.12 – (7/14/2009)

Sample Submitted By Sven Berger

Severity Level : 6/10

Alias:

• Mal/Generic-A, Mal / Oficla-A [Sophos]
• SpyAgent-br.dll [McAfee]
• Trojan.Win32.Fregee.av [Kaspersky Lab]
• Trojan:Win32/Oficla.H!dll [Microsoft]

reader_s.exe VirusTotal Report : (Click Here)

file1.exe VirusTotal Report : (Click Here)

File System Modifications

The following files were created in the system:

• %system%\onyc.ffo
  
• %system%\ reader_s.exe
  
• %UserProfile%\reader_s.exe
• %UserProfile%\Local Settings\Temp\?.tmp
• %UserProfile%\Local Settings\Temp\file1.exe

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

Registry Modifications

The newly created or modified Registry Value is:

• [HKCR\idid]
• [HKLM\SOFTWARE\AGprotect]
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>“reader_s” = %system%\reader_s.exe
• [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>“reader_s” = %system%\reader_s.exe
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>“Shell” = explorer.exe rundll32.exe onyc.ffo hgikqnb

For auto removal :

Download Fregee.av, Trojan.Win32.Fregee.av Trojan removal tool that provided by VirusExperts.org you can download it from Here.

For manual removal First download these tools:

1- RRT : Registry, Task Manager and Folder Options Repair Tool (Click Here).

2- KillBox : Kill the Process if your Access Denied (Click Here).

3- Task Manager Enabler : (Click Here).

4- Registry Enabler : (Click Here).

Now Follow these instructions :

Recommend Removal from Safe Mode

To Start in Safe mode Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.

Kill these Process, by using Killbox

• reader_s.exe

Delete These Files

• %system%\reader_s.exe
  
• %system%\ onyc.ffo
  
• %UserProfile%\Local Settings\Temp\?.tmp
  
• %UserProfile%\Local Settings\Temp\file1.exe

[ No Exact Information about Files, search above related files in Program files Folder ] If you have any of these files in running process from task manger, end the process before removal.

Note: if task manager is disabled, Download Task Manager Enabler and Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.

 

 

Click Start, Run,Type regedit,Click OK.

• Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
  and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only.
• After booting into the Safe Mode or VGA Mode.
• Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it].
• Or Download Regfile to enable Registry editor and Open it withma Registry editor.

Related posts:

1. Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger
2. Removal tool for Dybalom.gd Trojan and Key logger not detected yet
3. Removal tool for Magania.bzmw (Taterf.B,Win32.Inhoo) Trojan

Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It shouldn’t probably be any surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly -that hackers would try and exploit the event.

Internet users searching for phrases like

Oscars 2010 winners

 

may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.

By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.

Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and hand over your credit card details.

As Fraser Howard recently described on the SophosLabs blog, victims are redirected a number of times upon visiting from a search engine, before being taken to a webpage hosting a malicious script.

Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.

Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.

By Graham Cluley, Sophos

Related posts:

1. Facebook unnamed app: Hackers poison search results
2. Fake Conflicker.B Infection Alert puts internet users at risk
3. Facebook Fan Check Virus scare leads to malware

Click here to view the embedded video.

Features: What’s new in Internet Explorer 8 ?

Stay safer online

Browse with more confidence knowing Internet Explorer 8 helps protect you from evolving online threats right out of the box . The new SmartScreen filter and other built-in security features help you stay safe by protecting against deceptive and malicious websites which can compromise your data, privacy, and identity.

Learn more

Related posts:

1. Video of Twitter phishing: The BZPharma ‘LOL this is funny’ attack (Video)
2. President Obama Wants You to Protect Your Computer (Video)
3. Case Conficker ( Know More About Conficker,Downadup,Downup and Kido Worm ) (Video)

The new ClamAV for Windows is the result of a partnership between Immunet Corporation (http://www.immunet.com) and Sourcefire, Inc. (http://www.sourcefire.com). It is designed to provide the ClamAV community with a free Windows-specific Anti-Virus (AV) solution using an advanced Cloud-based protection mechanism.  You can use ClamAV For Windows as a stand-alone, host-based AV solution, or in conjunction with your pre-installed AV solution to provide enhanced detection for the latest malware threats.

Say goodbye to the days of watching AV software drain your memory and processing speed. Immunet’s unique Cloud-based technologies allow the ClamAV application to leverage the power of the Cloud to drive the AV engine. When you use ClamAV for Windows, you save system resources for the tasks they really want to run, like games and business applications.

ClamAV for Windows utilizes advanced Cloud-based and community-based detection methods. Developed by Immunet, these detection methods leverage the computers of your friends, family and a worldwide global community to harness their collective knowledge for securing your PC. Every time someone in this collective community encounters a threat, everyone else in the community gains protection from that same threat in real time. You no longer have to rely on the isolated security of your current Anti-Virus vendor. You are able to protect your friends and family while being better protected yourself. This is exactly what we designed ClamAV for Windows to do. By providing a fast and light layer of virus detection, and linking everyone in a global community, we harness a security sum that is far greater than its individual parts, we call this Collective Immunity.

Immunet placed ClamAV into their Cloud infrastructure alongside their Ethos detection engine, and several other detection technologies.  By combining all these technologies, and utilizing the power of community-based detection, we feel we have the most effective Anti-Virus technology on the market. And it only gets better with every user that installs and utilizes our technology.

Download New ClamAV :

• ClamAV for Windows 32 bit
• ClamAV for Windows 64 bit

Minimum System Requirements

1. Windows XP SP2, Windows Vista SP1, Windows 7
2. A working Internet connection

Optional Requirements

1. A Facebook account
2. A Twitter account

Related posts:

1. Immunet Protect – Free Anti-Virus Protection From The Social Cloud (Windows)
2. Panda’s Cloud Antivirus leaves beta behind
3. Kaspersky Anti-Virus & Internet Security 2010 V9.0.0.313 Beta

The most notable improvement is that we have gotten rid of the initial account registration which used to be mandatory for first-time installs. Panda Cloud Antivirus will not ask for account during install anymore. Only if you want to participate in the Cloud Antivirus Support Forums will you need to create an account.

I have Cloud Antivirus 1.0 already installed. Do I need to download & install this version?
Not really. This new version incorporates hotfixes which you probably already have installed anyway. To check if you have them installed, simply browse to “C:\Documents and Settings\All Users” (XP) and you should see a subdirectory called “HF_PCA_somenumber”.

I have the hotfixes installed but I still have some problems with Panda Cloud Antivirus. Should I install this version?
Yes you might want to give it a try. Below you can find some more detail of what this version fixes which is not included in the existing hotfixes. In order to install this version on top of the one you already have, first uninstall your current version, then reboot and finally download & install the new version from http://acs.pandasoftware.com/cloud/CloudAntivirus.exe.

What’s the changelog of this version 1.0.1?

1. Preactivated version does not require account creation during install
2. Fix for certain conditions of stuck quick & full scan
3. Improved cloud-heuristic detection for unknown malware – From HF_2
4. Improved prevalence algorithms for priorization of new malware – From HF_2
5. Fix of problems scanning certain files in system directories – From HF_1
6. Fix for loss of connectivity after malware disinfection involving LSP – From HF_1
7. Improved cloud-heuristic detection – From HF_1

Related posts:

1. Free Cloud Antivirus 0.08.81 Beta2 from Panda
2. Cloud Antivirus 1.0 Final Release
3. Panda’s Cloud Antivirus leaves beta behind

Your online accounts, computer files, and personal information are more secure when you use strong passwords to help protect them.

Test the strength of your passwords: Click Here

Powered by Microsoft

Related posts:

1. Free Sophos Endpoint Assessment Free Online Test
2. Could Hotmail Password Theft be Due to a Trojan?
3. The password dilemma (Podcast)

Messages include

Lol. this is me??
lol , this is funny.
Lol. this you??

followed by a link in the form of

http://example.com/?rid=http://twitter.verify.bzpharma.net/login

where ‘example.com’ can vary. As we have seen many variations of the URL in its entirety, you would be wise to avoid clicking on any links which refer to bzpharma.net at the very least.

Watch this YouTube video for more details:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Although Twitter has urged users to be vigilant about the threat being distributed via private direct messages, it’s clear that dangerous links are also being posted in public feeds. This means that you can stumble across the links even if you aren’t sent it directly, or even if you are not a signed-up user of Twitter.

It appears what is happening is that the messages are being shared more widely because of third-party services like GroupTweet which extend the standard Twitter direct message (DM) functionality and allow private messages to be sent to multiple users *and* optionally made public.

As a result, as you can see in the video above, we have found Twitter accounts that have warned their followers about the phishing attack, only to subsequently fall victim to it themselves!

Regardless of how you come to click on the dangerous link, if you do enter your username and password on the fake Twitter login page your details will be phished and placed in the hands of hackers.

The page then displays a “fail whale” screen, claiming that Twitter is over capacity, before taking you back to the real Twitter main page. As a result, compromised Twitter users may not realise that their login details have been stolen.

Interestingly, the bzpharma.net site doesn’t just appear to have been set up for Twitter phishing. It appears to also have been created for stealing the online identities of the Bebo social networking site too:

If you have been tricked by the phishing attack and accidentally handed over your username and password, change your password immediately.

We’re going to see many more attacks against social networks in the future I’m afraid. Last month, Sophos published its Security Threat Report revealing that there had been an astonishing 70% rise in the number of users reporting spam and malware attacks via social networks in the last year.

Update: The phishing campaign appears to be bearing fruit for the hackers as they are now distributing spam selling herbal viagra from the compromised accounts. Learn more now.

By Graham Cluley, Sophos

Related posts:

1. Twitter fights back against spam, phishing, and other malicious links
2. StalkDaily messages bombard Twitter users (Video)
3. Paypal SCAM (phishing-attack) In Action (Video)