Bogus Windows License Spam is in the Wild

October 26, 2012 by  
Filed under Security News

For everyone’s information:

Below is a screenshot of a new spam run in the wild, and the sender (whoever he, she, or it is) presents to recipients a very suspicious but very free license for Microsoft Windows that they can download.

Sounds too good to be true? It probably is.


From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:

You can download your Microsoft Windows License here –

Microsoft Corporation

Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.



This spam is a launchpad for a Blackhole exploit kit attack that drops the Cridex malware on user systems.

This method is likewise being used by the most recent campaign of the “Copies of Policies” spam, also in the wild.

Our AV Labs researchers have documented their findings in detail regarding these spam runs on our GFI Software Tumblr page. Please visit

Stay safe!


By Jovi Umawing @

Get the New NORMAN Malware Cleaner for Free Today

June 9, 2011 by  
Filed under Removal Tips,Tools and Videos


Use our free and newly improved Malware Cleaner tool to scan your computer for viruses, trojans and other types of malware and clean it. This simple and user-friendly tool not only detects malicious software but also removes it from your computer.


What are the most common symptoms of an infected computer?

  • Freezing or sudden restarts – Your computer behaves unexpectedly during normal use
  • Unusual updates by you on Facebook or Twitter – Especially after you’ve clicked on a link that appeared not to work or installed a new application
  • Emails you didn’t send – Your friends tell you they’ve received emails you didn’t send


If you suspect your computer might be infected, download and run the new Malware Cleaner for free today!


Remember: the Malware Cleaner is a solution for when your computer is already infected. Staying safe requires a security solution that protects your computer from malicious software. The easiest and most efficient way to protect your online identity and your computer against these threats is antivirus software or an all-in-one security solution. If you don’t have one, your computer might be infected without you knowing about it.


Key features

  • Easy to install and run
  • Detects and removes malware (viruses, rootkits, FakeAV, worms and more)
  • Utilizes advanced anti-rootkit technology
  • Quarantine module to process the detected files
  • Deep scan and cleaning, including Norman’s patented SandBox technology
  • Supports Quick and Deep Scan modes
  • New command-line mode for tailored scanning across several machines (for businesses)
  • Daily signature updates available


Supported operating systems: Windows 98, Me, NT, 2000, XP, 2003, Vista, 2008 and 7.



Download Norman Malware Cleaner.exe (139 MB)




Free DE-Cleaner by Avira, Kaspersky and Symantec for Anti-Botnet

March 9, 2011 by  
Filed under Removal Tips,Tools and Videos

DE-Cleaner powered by Avira

Minimum Requirements for the DE-Cleaner powered by Avira:

  • Pentium-class processor, at least 266 MHz
  • Windows XP with at least SP2 (32 or 64 bit)
  • Windows Vista (32 or 64 bit, SP1 or higher recommended) or Windows 7 (32 or 64 bit)
  • At least 150 MB free disk space
  • At least 192 MB memory on Windows XP
  • At least 512 MB memory on Windows Vista or Windows 7
  • Internet connection for the first-time download and for updating
  • Please note: at the moment there is no DE-Cleaner available for Linux or Mac OS, since Internet criminals mainly concentrate on and attack Windows-based computers.

Read more

Immunet Version 3.0 – The Next Step In Anti-Malware Protection

February 10, 2011 by  
Filed under Security News

Introduction to 3.0


On February 9th we will be releasing our version 3.0 with some notable changes and improvements.


Before I detail what’s new from a feature perspective I should also note that we are changing the name of the product with this release, the new name is going to be Immunet 3.0 – Powered by ClamAV. The new product will look like this screenshot here:



In addition to our name change, you will also note a change in the icon we use in your tray. The new icon is the ‘star burst’ in white and blue; it should look like this in your tray:


The name change is the result of the acquisition of Immunet Corp by Sourcefire Inc. This acquisition has brought both the Immunet and ClamAV teams under the same roof to deliver our 3.0 release and future products.


New Features

Our 3.0 release was primarily intended to sharpen our focus on malware detection and to provide comprehensive protection to users who are not always connected to the cloud. Some of the features we have added are cutting edge and allow both advanced and basic users of our software to benefit from much higher detection rates. Our new features are detailed below.


Complete Offline Protection

The 3.0 release will now ship with an ‘Offline’ engine. This engine (which is ClamAV 0.97), once enabled, will automatically pull down our latest detection sets and allow for complete detection coverage even when you are not connected to the Internet. We are creating detections for ‘hot’ threats that are prevalent on the net, so that you will be protected from current ‘in the wild’ threats and their variants. With our Offline protection we now also have several complex detection engines native to the desktop, with support for file formats such as .DOC, .XLS, HTML etc. as well as strong unpacking support.


If you are installing fresh, you will have the option to install this engine turned ‘On’ by default. If you are upgrading from ClamAV for Windows, this engine will be turned off by default. The screenshot here shows how to enable it from the ‘Settings’ feature on the front of the user interface.



Cloud Recall

One of the advantages of a Cloud model for hunting and identifying threats is that we are able to retain and analyze vast amounts of data about what our community is seeing at any given time. Unlike traditional Anti-Virus, or even other Cloud Anti-Virus, we constantly reconsider all the data we see or have seen in our community. This allows us to evaluate every decision we have made about a file in our community and see if we still agree with that decision as time advances. If we find that our position on the security of a file has changed because of new information about that file, we can now seamlessly act on it. To put this in practical terms: if you look up a file today and we do not yet know it is malicious, and tonight or tomorrow we discover that it is, we will alert your system to find the file and remove it, all without you needing to download a single definition update. This ‘Cloud Recall’ ensures that your security advances with every new piece of information we become aware of. You will always know as much as we do, when we do.


Custom Signature Creation

Something which has been missing in modern Windows Anti-Virus products is a feature which allows advanced users to craft and deploy their own signatures or detection capabilities. With 3.0 we now offer the first Windows Anti-Virus product which allows our users to write their own detections with our engines just as we would.


Users can now hunt threats (or Advanced Persistent Threats if you like) by creating signatures which range from simplistic (straight MD5 matches) to complex (logically chained expressive signatures w/ offset support and wild carding). Signature management is done with the new SigUI tool which is available in Start -> All Programs -> Immunet 3.0 and looks like this:
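The two ends of the range described above, as an added example that is not code from the Immunet post or from the ClamAV project: a straight MD5 match and a logically chained signature with an entry-point offset and wildcards. It assumes that SigUI loads standard ClamAV .hdb and .ldb signature files; the function names, the Win.Trojan.Example-* signature names and the sample bytes are constructed here for illustration.

```powershell
# Added example, not the Immunet post's or the ClamAV project's own code. Assumed:
# SigUI accepts standard ClamAV .hdb/.ldb files, the function names, the signature
# names Win.Trojan.Example-*, and the sample bytes (constructed below, not malware).

function New-ClamHashSignature {
    # Simplest case from the post: a straight MD5 match. ClamAV .hdb line: MD5:FileSize:Name
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    $md5   = ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
    '{0}:{1}:{2}' -f $md5, $bytes.Length, $Name
}

function New-ClamLogicalSignature {
    # Complex case: ClamAV .ldb line: Name;TargetDescription;LogicalExpression;Subsig0;Subsig1;...
    # Each subsig is [offset:]hexbytes; "??" wildcards one byte, "{n-m}" allows n..m bytes, "*" any.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Subsigs,
        [string]$Expression,           # e.g. "0&1"; defaults to requiring every subsig
        [int]$Target = 1               # 1 = PE executables; 0 = any file type
    )
    if (-not $Expression) { $Expression = (0..($Subsigs.Count - 1)) -join '&' }
    (@($Name, "Target:$Target", $Expression) + $Subsigs) -join ';'
}

function Write-ClamSignatureFile {
    # ClamAV expects one signature per line, LF-terminated, ASCII.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$Lines)
    [IO.File]::WriteAllText($Path, (($Lines -join "`n") + "`n"), [Text.Encoding]::ASCII)
}

# Constructed sample so the script runs offline; for real use point $sample at a quarantined file.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'constructed_sample.bin'
[IO.File]::WriteAllBytes($sample, [Text.Encoding]::ASCII.GetBytes('MZ constructed sample, not malware'))

$hdb = New-ClamHashSignature -Path $sample -Name 'Win.Trojan.Example-hash'

# Subsig 0: a CALL (e8) to any 4-byte target, anchored at the PE entry point (EP+0).
# Subsig 1: "GetProcAddress" followed within 0-32 bytes by "LoadLibrary", anywhere in the file.
$ldb = New-ClamLogicalSignature -Name 'Win.Trojan.Example-logical' -Subsigs @(
    'EP+0:e8????????',
    '47657450726f6341646472657373{0-32}4c6f61644c696272617279'
)

Write-ClamSignatureFile -Path (Join-Path $env:TEMP 'custom.hdb') -Lines @($hdb)
Write-ClamSignatureFile -Path (Join-Path $env:TEMP 'custom.ldb') -Lines @($ldb)
$hdb
$ldb
```

The hash signature fires only on a file with exactly those bytes, so it is cheap to write but trivially evaded by a one-byte change; the logical signature is restricted to PE files (Target:1), which the constructed sample is not, and survives repacking of everything except the entry-point stub and the two API strings. Load the two files through SigUI and test against a known sample before deploying them to more than one machine.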



Documentation for the SigUI may be found here and our manual for creation of signatures can be found here. We encourage you to write your signatures and post them to our online Forum.


All in all this represents the most ambitious release we have ever done. The beta program for this version has been full of very positive feedback and we are excited by its general release.


If you have any feedback about this release or questions, please do not hesitate to email me at ahuger @ .


Microsoft Security Bulletin MS11-003-Critical-kb2482017

February 10, 2011 by  
Filed under Protection Tools

Cumulative Security Update for Internet Explorer (2482017)

Published: February 08, 2011

Version: 1.0


Read more

Beware of rogue security software posing as AVG

February 1, 2011 by  
Filed under Security News

We have noticed rogue antivirus software that pretends to be AVG Anti-Virus 2011. As usual, social engineering is in use: well-known names (AVG, Microsoft Security Essentials) and the designs of trusted applications are copied in order to increase credibility.



Read more

Holiday Special Offer: Novosoft Slashes 33% Off Handy Backup Prices

December 22, 2010 by  
Filed under Protection Tools




Read more

Remove Virus.Win32.Sality.aa,,, from Windows 7 with the Kaspersky removal tool

November 28, 2010 by  
Filed under Removal Tips,Tools and Videos

Information: The recommendations given concerning disinfection of a computer from Virus.Win32.Sality should be applied only if NO Kaspersky Lab product is installed on the infected computer, and/or if the computer is already infected and a Kaspersky Lab product cannot be installed by regular means. Kaspersky Lab experts also recommend using Rescue Disk to disinfect an infected computer.


Information: The SalityKiller.exe utility given in this article allows detecting and disinfecting only the following Sality modifications: Virus.Win32.Sality.aa,,,

Read more

New Windows zero-day flaw bypasses UAC

November 26, 2010 by  
Filed under Security News

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.


Proof of concept for elevation of privilege exploit


The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.


The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows Server 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but it does enable non-administrator accounts to execute code as if they were an administrator.


There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:

  1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
  2. Right-click EUDC and choose permissions
  3. Choose the user whose account you are modifying and select Advanced
  4. Select Add and then type in the user’s name and click OK
  5. Click the Deny checkbox for Delete and Create Subkey
  6. Click all the OKs and Apply buttons to exit
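The six regedit steps above, scripted, as an added example that is not part of the original post: it adds the same Deny ACE (Delete and Create Subkey, for the hive’s owner, on that user’s own EUDC key) to every user hive currently loaded under HKEY_USERS, then reads the ACL back to confirm. Run it from an elevated PowerShell prompt. The function names, the SID filter and the verification check are assumptions made here, not anything from the post. One caveat the manual steps share: HKEY_USERS only contains the hives of profiles that are currently loaded, so users who are not logged on are not covered until their profile is loaded and the script is run again.

```powershell
# Added example, not code from the original post: scripts the EUDC permission change
# described in steps 1-6 above. Assumed: the function names, the SID regex, and that
# the EUDC key already exists under each loaded user hive (skipped with a warning if not).

# HKEY_USERS is not exposed as a PSDrive by default; map it so Get-Acl/Set-Acl can reach it.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Protect-EudcKey {
    # Adds a Deny ACE for the hive's owner on HKU:\<SID>\EUDC covering Delete and Create Subkey,
    # which is what steps 1-6 above do by hand in regedit.
    param([Parameter(Mandatory)][string]$Sid)

    $keyPath = "HKU:\$Sid\EUDC"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Warning "No EUDC key under $Sid, skipping"
        return $false
    }

    # Step 4: translate the SID to an account name so the ACE reads sensibly in regedit.
    $sidObj   = New-Object System.Security.Principal.SecurityIdentifier $Sid
    $identity = $sidObj.Translate([System.Security.Principal.NTAccount])

    # Step 5: Deny both "Delete" and "Create Subkey" to that user.
    $rights  = [System.Security.AccessControl.RegistryRights]::Delete -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $deny    = [System.Security.AccessControl.AccessControlType]::Deny
    $rule    = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $identity, $rights, $inherit, $prop, $deny

    $acl = Get-Acl -LiteralPath $keyPath
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyPath -AclObject $acl      # step 6: apply
    return $true
}

function Test-EudcKeyProtected {
    # Returns $true when a Deny ACE that includes Create Subkey is present on the key.
    param([Parameter(Mandatory)][string]$Sid)
    $createSubKey = [int][System.Security.AccessControl.RegistryRights]::CreateSubKey
    $acl = Get-Acl -LiteralPath "HKU:\$Sid\EUDC"
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ((([int]$_.RegistryRights) -band $createSubKey) -ne 0)
    })
}

# Only hives of currently loaded profiles are present under HKEY_USERS. The SID filter keeps
# real user accounts (S-1-5-21-...) and skips service SIDs (S-1-5-18/19/20) and *_Classes hives.
Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[0-9-]+$' } |
    ForEach-Object {
        if (Protect-EudcKey -Sid $_.PSChildName) {
            '{0}: protected={1}' -f $_.PSChildName, (Test-EudcKeyProtected -Sid $_.PSChildName)
        }
    }
```

Because the Deny ACE is placed on the user’s own key, the user can still read EUDC (so the code-page concern raised below is limited to writes), and an administrator can remove the ACE again with the same Get-Acl/RemoveAccessRule/Set-Acl sequence if it turns out to break something.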


Registry permissions for mitigation


The registry keys being changed by this mitigation should not impact a user’s ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.


The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.


Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.


I’ve also created this video showing how it works and what you can do.




by Chester Wisniewski @

New variant of cross-platform Boonana malware discovered

November 5, 2010 by  
Filed under Security News

Last week we spoke about the Boonana cross-platform malware, using a malicious Java applet to deliver a cross-platform attack that attempts to download further malware to computers running Windows, Unix and Mac OS X.


Since then we have seen variants of the original Boonana attack. The samples we have seen have been functionally the same, with the hackers behind them seemingly having obfuscated their code to try and waltz around detection.


Their attempts haven’t been good enough to get past Sophos’s products so far (including our new free anti-virus for Mac home users), and we haven’t had to update our generic detection method.


In the samples we have analysed to date, the attack specifically targets Windows and Mac OS X systems, and just happens to infect other platforms that run Java. Depending upon the flavour of Unix, it doesn’t usually complete its ‘life cycle’ if you’re not running Windows or Mac OS X systems.


Of course, we will update our detection of Troj/Boonana should we see new variants that require it.


In the meantime, watch this video I made last week demonstrating the original version of this attack on Windows, Mac OS X and Ubuntu:


By Graham
