Twitter fights back against spam, phishing, and other malicious links
March 11, 2010 by admin
Filed under Security News
In a move that should be welcomed by many users, Twitter has announced that it is introducing a new feature to combat the many malicious and malware URLs that are distributed via the micro-blogging site.
In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.
As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened URL appears to be invoked only in email notifications for direct messages at this time.
Details of how Twitter is determining if a link is potentially malicious or not do not appear to have been released at this time, and it would certainly be great if Twitter would post some more information on how the system will work and what users can expect to see.
It’s also to be hoped that this new service will be rolled out to other areas of Twitter. We’ve seen many times in the past that phishing and spam attacks on Twitter don’t restrict themselves purely to DMs, but are often found in the public timeline too, as the following YouTube video demonstrates:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they have been on the receiving end of spam and malware attacks via social networks in the last year.
The news of Twitter’s new twt.tl short URL facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may contain malware, spam or a phishing threat, using technology from security vendors such as Sophos.
* Image source: wonderferret’s Flickr photostream (Creative Commons)
By Graham Cluley, Sophos
Surveillance rootkits on smartphones
February 24, 2010 by admin
Filed under Security News
Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.
The scientists have shown that a malicious attacker could cause a smartphone to “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless”.
Watch the following YouTube video to learn more:
It’s a cute little video, but how realistic is this threat in reality?
I don’t think the kind of attack described by Iftode and Ganapathy is a big deal right now.
Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions. For instance, code that enables covert remote surveillance, battery drainage or silently steals data.
Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.
So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.
How are they going to do that?
They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the “trick” route they would be relying upon the phone’s OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).
So it doesn’t sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably fewer opportunities to infect a mobile phone (and it is thus much harder) than, say, a computer running Windows.
Furthermore, I would argue that the typical mobile phone user is still less used to installing applications than their Windows counterparts, and so the chances of success via fooling the user into installing a dangerous application can be assumed to be even lower.
Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?
If I really wanted to snoop on someone’s phone I think it would probably be easier to swap my victim’s mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.

Sure, the mobile phone malware threat is growing – but it’s a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but surely it’s becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.
However, if I were responsible for securing my company’s mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.
It’s a nice video and presentation that Iftode and Ganapathy made, but I won’t be losing any sleep over it just yet.
More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: “Rootkits on Smart Phones: Attacks, implications and opportunities” [PDF]
By Graham Cluley, Sophos
Fake Conflicker.B Infection Alert puts internet users at risk
February 19, 2010 by admin
Filed under Security News
The global network of spamtraps controlled by the experts inside SophosLabs is seeing a swarm of attacks today, posing as an email warning about the Conficker worm.
Here is a typical message that has been spammed out by hackers:

Subject: Conflicker.B Infection Alert
Attached file: open.zip
Message body:
Dear Microsoft Customer,
Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.
To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.
Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.
The wording is nearly identical to a similar attack I blogged about last October.
What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!
I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

By Graham Cluley, Sophos
Mozilla admits Firefox add-ons contained Trojan code
February 6, 2010 by admin
Filed under Security News
Mozilla has issued a warning that two add-ons available from AMO (addons.mozilla.org, the Mozilla Add-ons website) were infected by malicious code capable of infecting Windows computers.
According to a security notice on AMO’s blog, the Master Filer add-on was infected by the LdPinch password-stealing Trojan, and Sothink Web Video Downloader version 4.0 was infected by a version of the Bifrose backdoor Trojan horse.
Judging by the statement on the Mozilla Add-ons blog, a fair few people could have found that their Windows computers were infected:
Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010.
Versions of Sothink Web Video Downloader greater than 4.0 are said not to be infected. Furthermore, both Trojans were specifically written for Windows, meaning they could not infect on Mac OS X and Linux installations of Firefox.

This isn’t the first time malware has slipped through Mozilla’s security procedures. In May 2008, users who downloaded Firefox’s Vietnamese language pack were warned that it had contained a malicious script designed to display irritating advertising messages.
Mozilla says that in light of the security lapse it has strengthened its systems, scanning all add-ons with additional anti-virus tools.
Personally, I would recommend that all computer users remember not to rely on someone else doing the virus scanning for them, and ensure they have anti-malware protection running on their computer.
By Graham Cluley, Sophos
Removal tool for Generic.Malware.SL!!M.807DC390 (mso.exe, usbflash.com) Keylogger
January 31, 2010 by admin
Filed under Removal Tips,Tools and Videos

Submitted By Google Pnookle
- Sets the drive to autoplay by creating autorun.inf file in its root directory.
- Creates a startup registry entry.
Removal for Trojan W32/Virut.CE
November 26, 2009 by ƒιяєƒℓソ
Filed under Removal Tips,Tools and Videos
Virus.Win32.Virut.ce is a Trojan which infects the Windows operating system.
The infected system becomes very slow, and shuts down a couple of minutes after the user logs in, showing a dialog box with a red X mark and a countdown timer. This Trojan infects or copies its files to *.dll and *.exe files in the windows\system32 folder and on the C: and D: drives.
Some known file names for Virus.Win32.Virut.ce are perrdlm.exe, klpllsm.exe and others.
This Trojan makes startup registry entries at
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
“cdmmslpo”=”C:\\WINDOWS\\system32\\klpllsm.exe”
“qaswww”=”C:\\WINDOWS\\system32\\perrdlm.exe”
“shccde”=”C:\\WINDOWS\\system32\\ipismd.exe”
If you delete these files and entries, they are restored after a system restart, since the virus has infected other files as well.
It is therefore very hard to remove this Trojan manually, so instead we use a free removal tool from Grisoft.
Grisoft has released a free removal tool for this type of Trojan, Win32/Virut.
Download the following two files:
rmvirut.exe
rmvirut.nt
Then run the rmvirut.exe file.
Note:
You can also specify the disks (or partitions) to heal as command parameters, e.g. “rmvirut C: D:”. If the command is used without parameters, it heals all disks (partitions) on the computer.
For example, to scan the folder named tools on the D: drive:
d:\rmvirut.exe D:\tools
This command is executed from Start – Run: in the Run box, type the full path to rmvirut.exe followed by the path of the folder or drive to scan, then press OK to run it (in Vista, confirm Allow to continue).
Running the remover successfully requires administrator rights. For the remover to function properly, rmvirut.nt must be saved in the same folder as rmvirut.exe.
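The post notes that the Run key entries come back after a reboot, so checking that key is the quickest way to confirm whether a cleaned machine is still infected. The following is an added triage helper, not code from the post or from Grisoft: it parses the text printed by `reg query` for the Run key (saved from the suspect machine, so it can be examined offline) and flags entries that match the value names and image names listed above, or that launch an unbaselined executable from system32. The sample `reg query` output is constructed for the example; the `OneDrive` entry is a made-up benign entry used to show what is not flagged.

```python
"""Added triage helper (not code from the original post): flag suspicious
entries in the HKCU\\...\\Run key, the key the post says Virut.ce writes to.

Input is the text printed by  reg query <key>  (run on the infected box, or
saved in a triage collection). The sample below is constructed, using the
value names and image paths listed in the post plus one benign entry.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in the layout 'reg query' uses: name, type, data.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cdmmslpo    REG_SZ    C:\WINDOWS\system32\klpllsm.exe
    qaswww      REG_SZ    C:\WINDOWS\system32\perrdlm.exe
    shccde      REG_SZ    C:\WINDOWS\system32\ipismd.exe
"""

# Value names and image names the post attributes to Virus.Win32.Virut.ce.
KNOWN_VIRUT_NAMES = {"cdmmslpo", "qaswww", "shccde"}
KNOWN_VIRUT_FILES = {"klpllsm.exe", "perrdlm.exe", "ipismd.exe"}

# One value line: leading indent, name, REG_* type, data to end of line.
LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*\S)\s*$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, type, data) triples; the unindented key-path line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from a Run value, quoted or bare, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def flag_entries(entries: List[Tuple[str, str, str]],
                 baseline_names: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Map value name -> reasons for every entry worth a closer look.

    Heuristics (added here, not taken from the post):
      * value name or image name matches one the post attributes to Virut.ce;
      * image lives under system32 but the value name is not in a known-good
        baseline (legitimate autostarts rarely launch from there under
        random-looking names like the ones the post lists).
    """
    findings: Dict[str, List[str]] = {}
    for name, _type, data in entries:
        path = image_path(data)
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in KNOWN_VIRUT_NAMES or base in KNOWN_VIRUT_FILES:
            reasons.append("matches known Virut.ce name")
        if "\\system32\\" in path.lower() and name not in baseline_names:
            reasons.append("unbaselined image in system32")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_entries(parse_reg_query(SAMPLE_REG_QUERY)).items():
        print(f"{RUN_KEY}\\{name}: {', '.join(reasons)}")
```

Run it against the real `reg query` output before and after running rmvirut: if any of the three names (or any new random-looking system32 entry) is still present after the reboot, the infected host files have not all been healed and the scan needs to be repeated with the drives given explicitly.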
For Further Support Contact Us,
VirusExperts.org
Panda’s Cloud Antivirus leaves beta behind
November 10, 2009 by admin
Filed under Security News
First introduced in beta in April, Panda Cloud Antivirus graduates to a stable, public release and signifies a major security vendor taking aim at the freeware competition–instead of the other way around. Cloud Antivirus was notable on its beta release for being one of the few security options available to users that contained most of its protections in the cloud. This allowed it to protect users while consuming significantly fewer resources than many competing programs.
Panda Cloud Antivirus 1.0 is notable as a free security solution for two reasons: Panda is a reputable security vendor, and the program achieves its goal of freeing up system resources. In a press release, Panda Security CEO Juan Santana described Cloud Antivirus as a game-changer. It’s not clear quite yet that that’s the case, but at the very least the program looks to fill a niche created by resource-conscious netbooks.
As light on resources as advertised, Cloud Antivirus offers strong reputation-based protection for those who want their security program out of sight and out of mind. A third-party efficacy evaluation wasn’t available at the time of writing, but in empirical testing the program only used 9 MB of RAM while idle, and only 56 MB of RAM when scanning. Many other security programs will run scans at 150 MB of RAM or more.
Despite keeping most of its database in the cloud, Panda Security’s Senior Research Advisor, Pedro Bustamante, noted during an interview in October that Cloud Antivirus isn’t disabled just because the host computer is disconnected from the Internet. “Panda has an offline mode that uses a small cached copy of Collective Intelligence on your local drive, it’s only the most recent threats on a real time wild list.” Collective Intelligence is the name that Panda gave its cloud system when it was introduced in 2007.
When you open Cloud Antivirus, the main window lets you know whether you’re safe or not with a big red or green icon. Cloud Antivirus works as other antivirus solutions do, offering a Quick Scan and a Custom Scan for specific folders, files, and drives, but its ancillary features are exceptionally light. The Quick Scan took 13 minutes on my Windows 7 Lenovo T400 laptop.
Dragging an active Cloud Antivirus window, in Windows 7 at least, will turn it translucent.
(Credit: Screenshot by Seth Rosenblatt/CNET)

You can opt out of contributing anonymous data to the cloud, but that also opts you out of automatic threat management. There’s a network connection proxy option should you need it, and a reporting feature that will show you what kind of threats have been detected and removed from your computer. You can filter the report by All, Last 24 hours, Last Week, or Last Month, and there’s a Recycle Bin pane from which you can recover a false positive, should you need it. Unfortunately, the Recycle Bin is hidden behind an obnoxious “flipping” screen that cheesily rotates when you need to access it.
If you’re familiar with the minimalist Microsoft Security Essentials, Cloud Antivirus is even simpler. I did notice some odd interface rendering around the minimize and close buttons in Windows XP, but not in Windows 7. There are other more serious concerns about the program. Most notably, it lacks a scheduler, and it removes user input from update functions. Scans are also limited: you can tell the program what to scan, but not what to look for, so forget about toggling heuristics or rootkits. Then again, the point of this kind of security is that it’s all wrapped into one.
Keeping in mind its limited feature set, and that we don’t have efficacy numbers at the time of reviewing, Panda Cloud Antivirus makes a good security choice for those willing to take the plunge.
by Seth Rosenblatt from CNET
New Free SUPERAntiSpyware Online Scanner/Remover!
November 3, 2009 by admin
Filed under Removal Tips,Tools and Videos

Follow the instructions below to initiate the SUPERAntiSpyware Online Scan. The scanner will detect AND remove over 1,000,000 spyware/malware infections. The scanner does NOT install anything on your Start Menu or Program Files and does NOT need to be uninstalled.
The SUPERAntiSpyware Online Safe Scan is free for personal use.
How To Use:
1. Start the Scan
Click on the button to start the scanner download process.
2. Download the Scanner
Click the RUN button when prompted. If you are using a browser other than Internet Explorer, the prompt may be different.

3. Wait for the Scanner to Download
The scanner will download in just a few seconds.

4. Run the Scanner
Click the RUN button when prompted. This will start the scanner.

5. Run the Scan and Removal
Click the “Click here to Start” button, then “Check for Updates” to update the definitions, then click the “Scan your Computer” button to start the scanning process.
How to Remove All Types of Magania (W32_Gammima,Trojan-GameThief,Taterf,Win32.Inhoo) Trojan
October 13, 2009 by admin
Filed under Removal Tips,Tools and Videos

- The Magania Trojan sets the drive to autoplay by creating an autorun.inf file in its root directory. If the drive is shared across the network, other remote computers can be infected any time they access this share.
- Downloads/requests other files from the Internet.
- Creates a startup registry entry.
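Both this post and the Generic.Malware keylogger post above describe the same spreading mechanism: an autorun.inf dropped in the root of a drive so that Explorer launches the dropper when the drive is plugged in or opened. The following is an added example, not code from either post or from any vendor, that parses an autorun.inf and reports which commands it would launch, so an analyst can triage a suspect drive (or a share) without double-clicking it. The sample autorun.inf content is constructed; the file names mso.exe and usbflash.com are the ones the keylogger post names, and the key names (`open`, `shellexecute`, `shell\...\command`, `shell`) are the standard autorun.inf directives.

```python
"""Added example (not the posts' own code): parse an autorun.inf and report
the commands it would launch when the drive autoplays or is double-clicked.

The sample content is constructed for this example; mso.exe / usbflash.com
are the file names given in the keylogger removal post above.
"""
import re
from typing import Dict, List

# Directives that cause code execution when Explorer honours autorun.inf:
# open= and shellexecute= run on autoplay, shell\<verb>\command= defines a
# context-menu verb and shell=<verb> makes that verb the double-click action.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

SAMPLE_AUTORUN = """\
[autorun]
;constructed sample in the style of a worm-dropped autorun.inf
open=mso.exe
shellexecute=usbflash.com
shell\\Auto\\command=mso.exe
shell=Auto
icon=%SystemRoot%\\system32\\shell32.dll,4
label=My Pictures
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value pairs from the [autorun] section, keys lower-cased.

    Tolerates a UTF-8 BOM, blank and ';' comment lines, whitespace around '='
    and mixed-case section/key names, all of which appear in real-world files.
    """
    section = None
    out: Dict[str, str] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip().lower()] = value.strip()
    return out


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Commands the drive would run, in the order they appear in the file."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def assess(text: str) -> Dict[str, object]:
    """Summarise an autorun.inf: does it launch code, what, and how it is dressed up."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    return {
        "launches_code": bool(targets),
        "targets": targets,
        "default_verb": entries.get("shell"),    # custom double-click verb, if any
        "label": entries.get("label"),           # drive name shown to the user
        "icon": entries.get("icon"),             # often a system icon, to look ordinary
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_AUTORUN).items():
        print(f"{k}: {v}")
```

A legitimate autorun.inf for a CD installer also carries `open=`, so the point of the output is not a verdict but the list of targets: every file it names should exist in the drive root and be checked (and, on a removable drive or a network share, a root-level executable named from autorun.inf is exactly what the posts describe).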
Automatic Propagation of Malicious Code via HTTP
October 3, 2009 by admin
Filed under Security News
We know that automating the propagation of malware is one of the basic objectives of any cybercriminal, regardless of the attack vectors and technologies used.
In this sense, the Internet has become the cradle of a range of alternative malicious attacks that evolve daily. Several years ago it was hard to imagine that merely visiting a page could pose a danger of infection, provided certain system requirements were met, mainly to do with operating system and application updates.
Today we find scripts whose instructions are crafted maliciously and form part of a cycle of spread and infection that is, unfortunately, very effective. A concrete example of both evolution and effectiveness is the drive-by download technique, with its evolved multi-stage attacks, heavily used by botmasters to propagate threats.
The following is a real scenario that illustrates this more clearly. It is a site hosted in the USA under the IP 66.116.197.186 in AS32392. A screenshot of the website is shown below.
The domains hosted on that IP are:
- phonester.biz
- phonester.com
- phonester.info
- phonester.net
- phonester.org
When accessed from Windows, a script embedded in the HTML code automatically opens a window offering to download Flash Player. It is obviously fake. The file propagated is called “install_flash_player.exe” (abed2d16e5e4c3e369114d01dff4b19c) and has a low detection rate: only about 25% of antivirus engines detect this in-the-wild malware.
However, the script that prompts the download of the fake Flash Player runs transparently to the user. Now… the issue doesn’t end here. From a more technical standpoint, there are many details that aren’t difficult to grasp.
First, deobfuscating the script yields a series of relevant data. The script contains iframe tags pointing to a range of websites from which other malicious files are downloaded:
- diggstatistics.com/flash/pdf.php
- diggstatistics.com/flash/directshow.php
- diggstatistics.com/flash/exe.php
The downloaded files are “tylda.exe” (abed2d16e5e4c3e369114d01dff4b19c), which has a low detection rate (5/41 – 12.20%), and “pdf.pdf” (9cc400edcdc5492482f5599d43b76c0c), also with a low detection rate (13/41 – 31.71%) and designed to exploit vulnerabilities in Adobe Reader and Acrobat: the Adobe util.printf overflow (CVE-2008-2992) and Adobe getIcon (CVE-2009-0927) respectively.
Moreover, in the unlikely event that the file downloaded in the first instance (install_flash_player.exe) is executed, a connection is established to 174.120.61.126/~garynic/, from where the binary “coin.exe” (258c0083f051b88ea36d3210eca18dd7) is downloaded, also with a quite poor detection rate. This file is downloaded at random from:
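The loader stage described above, a page whose (deobfuscated) HTML carries iframes pointing at exploit-serving URLs on a different host, is something an analyst can check for mechanically. The following is an added example, not code from the original post: it collects the iframes in a page and flags the ones that are hidden (zero or one-pixel size, `display:none`, `visibility:hidden`) or that point off-site. It assumes the script has already been deobfuscated so the iframes are present as literal tags; the sample HTML is constructed, reusing the three diggstatistics.com paths listed above, and the page host `phonester.com` is one of the domains the post names.

```python
"""Added example (not from the original post): find iframes in a page and
flag those that look like drive-by loaders: hidden and/or off-site.

The HTML is constructed; the three off-site targets are the paths the post
lists for diggstatistics.com, the fourth iframe is a benign on-site embed.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

SAMPLE_HTML = """
<html><body>
<h1>Phonester</h1>
<iframe src="http://diggstatistics.com/flash/pdf.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://diggstatistics.com/flash/directshow.php" style="display: none"></iframe>
<IFRAME SRC="http://diggstatistics.com/flash/exe.php" WIDTH="1" HEIGHT="1"></IFRAME>
<iframe src="/player/embed.html" width="640" height="360"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, names lower-cased."""

    def __init__(self) -> None:
        super().__init__()
        self.frames: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _dim(value: str) -> Optional[int]:
    """Leading integer of a width/height attribute ('0', '1px', ...), else None."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs: Dict[str, str]) -> bool:
    """True for the usual ways a loader iframe is kept out of sight."""
    w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html: str, page_host: str) -> List[Dict[str, object]]:
    """Return the iframes that are hidden or point to a host other than page_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings: List[Dict[str, object]] = []
    for frame in parser.frames:
        src = frame.get("src", "")
        host = urlparse(src).hostname or page_host   # relative src stays on-site
        offsite = host.lower() != page_host.lower()
        hidden = is_hidden(frame)
        if hidden or offsite:
            findings.append({"src": src, "host": host,
                             "hidden": hidden, "offsite": offsite})
    return findings


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, "phonester.com"):
        print(f"{f['src']}  hidden={f['hidden']}  offsite={f['offsite']}")
```

The two conditions are kept separate in the output because each alone is weak evidence (advertising embeds are off-site, tracking pixels are tiny); an iframe that is both hidden and off-site, as all three loader frames in the sample are, is the pattern worth pulling the target URLs from for further analysis.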
- digital-plr.com
- giggstatistics.com
- xebrasearch.com
With regard to the ASN in which these threats are hosted, it has an interesting criminal history, as it is used to carry out activities such as spreading malware and phishing. In the next image, the highest peak of phishing activity took place on 1 March 2009, while that of malicious code was on 12 September 2009.
That is, these activities are operated together, not in isolation. This information doesn’t rule out that behind all these criminal activities lurks the greed of some botmaster, since the actions are typical of a botnet.
By Jorge Mieres from http://evilfingers.blogspot.com/