Budfred

SWI Community News - December 2010

Howdy everyone!!

Welcome to the 1st Edition of Volume 3 of the SWI Community News!! In the last issue we said we tend to be erratic in when we publish and a delay of almost 3 years since the last issue makes that clear, but here we are. As always, if you enjoy it or find it useful, please let us know. This edition includes two articles which are similar to others we have presented, but updated. Again, if there are other topics you would like us to talk about, please let us know by starting a topic in this forum. I hope you enjoy our efforts this month.

If you didn't get a chance to read our earlier articles, please feel free to go through them now. Much of the information in them is still relevant.

And now for the disclaimer and subscription information:

Opinions and information expressed in this publication are not the responsibility of SpywareInfoForum.Com or its owner, administrators or hosting services. Original information and opinions posted here are the property of the respective author.

That also means that the material is subject to the copyright of the author and you need to cite the author if you quote any material from this publication elsewhere.

And for those who don't already know -- to get notification when a new SWI Community News is available, subscribe to the subscription topic and we will add notices of publishing to that topic so you will receive an email notice if you are set to receive notices of your subscribed topics. Now, on with the show!

Subscription topic!

Budfred's Rant

What's wrong with my antivirus??

We often see people who post about malware issues complain that their antivirus software is clearly no good because they got infected. We make an effort to educate them about the issue and we offer alternatives if needed. What we tell them is that it really doesn't mean anything about an antivirus program if your computer gets infected by anything other than a virus. Antivirus programs are designed to screen and prevent virus infections. Today, many of them also attempt to block worms and some trojans. Some even have an antimalware function and may check your email for indications of phish. However, unless that is an advertised feature of the program, expecting it to manage something like a rogue antivirus program that is spyware or just a scam is like expecting your dog to tell you the weather report -- it simply isn't a feature that comes with the program. The same logic applies to anti-malware programs stopping virus infections and so on. I recently talked with a woman who thought her anti-malware program was her antivirus, so she did not realize that she had no antivirus protection. She also didn't realize that she had no resident protection since the program she used didn't have it. Even if it is a virus or infection the program is supposed to catch, there is NO security program that can catch everything; there are just too many ways that criminals can attack us for any program to keep up all of the time.

So if the program isn't the problem, what is? Well, most likely it is you! The computer user is typically the weakest link even if you have an adequate array of security software. An adequate array is a working resident antivirus program, an active firewall screening incoming and outgoing traffic from the Internet and possibly a resident anti-malware program. If you want to be more protected, use a browser like Firefox, Chrome or Opera with security add-ons like NoScript. Another good option is SpywareBlaster, which can provide passive protection if updated regularly. All security programs need to be regularly updated and most will have an option to do so automatically, though you may need to pay for that privilege. Once all that is in place, deal with the weak link - you. Read "So how did I get infected in the first place?" which is in our Malware Removal forum at: http://www.spywareinfoforum.com/index.php?/topic/60955-so-how-did-i-get-infected-in-the-first-place/ Be aware that if you visit sites that share files, provide porn, have cracked software or engage in any other dubious behavior, you are more likely to pick up an infection. If something pops up and insists you need to buy it to fix infections it has found, shut down your computer and, if you have one, use another computer to contact us for help. If your security programs are up to date, disconnect from the Internet, turn the computer back on and run the deepest scans they will allow to see if they can fix the problem. If you spend a lot of time with online gaming or gambling, you may also be more exposed to attack. However, even casual browsing can lead to infection. Social networking sites, like Facebook and Twitter, are a new source of many infections. This is only a quick overview of ways to keep your computer clean and there are many other things you can do, so please also read other legitimate guides that are available.

Important: keep in mind that more is not better when it comes to computer security. If you load more than one resident program of the same type, you may produce conflicts that will actually reduce your protection. It is okay to have two programs, like MalwareBytes Anti-Malware and Spybot Search and Destroy for example, as long as you don't run resident protection in both of them. This means you would have one antivirus, one firewall and one anti-spyware program with resident protection active. If you use a recent version of Windows, you get Windows Defender by default and you would need to turn it off if you use another resident anti-malware program. If your resident protection, like your antivirus, never alerts you, it could mean you aren't infected or it could mean that it has been turned off by an infection, so it is a good idea to pay attention to whether it is on and run a scan occasionally just to confirm it.

The Good, Bad and Ugly News from TheJoker

The Good:

Adobe Reader X

Following a massive security engineering undertaking, Adobe has finally released a fully sandboxed version of its ubiquitous Adobe Reader product, which promises to stop the majority of PDF-based exploits. While the newly released Adobe Reader X (10.0) brings a lot of new document collaboration and multimedia functionality, from a security perspective the company's greatest achievement is the new Protected Mode, a sandboxing technology enabled by default in the program. Sandboxing means isolating a process within a restricted environment, from where its ability to interact with the underlying operating system is strictly controlled. This major security enhancement will not lower the number of vulnerabilities found in Adobe Reader, but leveraging them to compromise computers will be a much more difficult task.

http://news.softpedia.com/news/Sandboxed-Adobe-Reader-Finally-Here-167463.shtml

http://krebsonsecurity.com/2010/11/adobe-reader-x-seeking-safety-in-the-sandbox/

Get it here - http://www.adobe.com/go/EN_US-H-GET-READER

Update to Adobe Flash Player

Adobe released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.

The Flash update brings the latest version to v 10.1.102.64. To find out if your computer has Flash installed and what version it may be running, go here. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner. If you'd like to avoid Adobe's Download Manager and all these extras, grab the update from this link instead.

http://krebsonsecurity.com/2010/11/flash-update-plugs-18-security-holes/

Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months. In Wisconsin, police arrested two young men, who were wanted as part of a crackdown in late September on money mules, who were in the United States on J1 student visas. The two men from Moldova are being transferred to New York, where they were charged on September 30 in connection with the international money laundering scheme.

http://krebsonsecurity.com/2010/11/authorities-nab-more-zeus-related-money-mules/

http://www.fbi.gov/wanted/alert/federal-cyber-crime-charges

FBI Identifies Russian ‘Mega-D’ Spam Kingpin

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide. According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.

http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/

http://news.softpedia.com/news/FBI-Believes-23-Year-Old-Russian-is-Behind-the-Mega-D-Botnet-169982.shtml

A website designed to track the control system of the SpyEye crimeware Trojan has been established. The site, spyeyetracker.abuse.ch*, was set up by Swiss security researcher Roman Hüssy, and modelled on his successful Zeustracker website. The latter site, which was established in early 2009, has helped security researchers to track the activities of the infamous botnet, which is linked to numerous instances of banking fraud.

http://www.theregister.co.uk/2010/11/09/spyeye_tracker/

How Google Locates and Identifies Malware

In a session at the SecTOR security conference in Toronto, Google detailed how the search engine giant identifies malware and what it does to help protect the safety and security of Web users. Google had a warning page that was displayed to users about potential malware being on a given page and then provided users with a button that enabled them to click through to the page. 95 percent of users were still clicking through to the page with the malware on it, even though Google had provided a warning, so Google shifted tactics. Now the company provides the URL of the malware site as text, which requires a user to click and paste the address if he or she still wants to proceed to the malware site.

http://www.esecurityplanet.com/news/article.php/3910241/How-Google-Locates-and-Identifies-Malware.htm

FTC Wants 'Do Not Track' Privacy Option in Browsers

The Federal Trade Commission (FTC) is proposing that users be given a uniform and persistent way to opt out of online tracking and behavioral advertising. The Commission says that users should have a uniform and easy-to-understand way of deciding whether to allow the collection and use of their Web searching and browsing activities.

http://news.softpedia.com/news/FTC-Wants-Do-Not-Track-Option-in-Browsers-170236.shtml

http://www.ftc.gov/os/2010/12/101201privacyreport.pdf

The Bad:

More Fake Adobe Reader Update Emails

Security researchers warn of a new wave of spam emails promoting fake Adobe Reader updates which direct users to scam sites trying to sell them sub-par software. The rogue messages bear subjects of “Action Required : Upgrade New Adobe Acrobat Reader 2011 For Windows And Mac.”

For more technical users the subject line alone should be a dead giveaway that this is scam, because Adobe doesn’t refer to years in the versioning scheme of its Reader and Acrobat product line. However, a lot of average users could be fooled by the emails, especially since this spam campaign happens to come at a time when Adobe is actually promoting a new major version of Adobe Reader, called Adobe Reader X (10.0). In fact, the scammers are very likely aware of this, because in the email body they mention new enhancements that Adobe Reader X really has. According to researchers from GFI Software (formerly Sunbelt), in order to obtain the product, users are asked to sign up for a VIP support plan and other additional services, including “one year full protection against intrusion with ETD Scanner for only $1.49/month.” The important thing to remember is that Adobe Reader is a free product.

http://news.softpedia.com/news/More-Fake-Adobe-Reader-Update-Emails-170331.shtml

FAKEAV 101: How to Tell If Your Antivirus Is Fake

Fake antivirus or FAKEAV, sometimes known as scareware, has become a significant threat and more and more users have become victims of this profitable scam. Trend Micro and the rest of the security industry continues to work hard to protect users against this threat. However, educating and informing users about this scam is more effective than any technical solution that the industry can provide. An antivirus program that installs itself then proceeds to “scan” the PC without user intervention is unlikely to be real.

http://blog.trendmicro.com/fakeav-101-how-to-tell-if-your-antivirus-is-fake/

New Scareware Poses as HDD Defragmentation Tools

Scareware creators have temporarily steered away from the fake antivirus theme they commonly use to put out a new line of rogue programs that pose as defragmentation utilities. According to security researchers from antivirus giant Symantec, these applications started to appear in the latter half of October, but have since increased their prevalence and new variants are now detected on a daily basis. Scareware distribution is one of the most profitable underground businesses and is commonly used to fund more cybercriminal activities. According to a recent report from Panda Security, 2010 was the busiest year for scareware developers, with almost 40% of such threats ever created being released this year.

http://news.softpedia.com/news/New-Scareware-Poses-as-HDD-Defragmentation-Tools-169914.shtml

http://press.pandasecurity.com/news/40-of-all-fake-antiviruses-ever-have-been-created-in-2010/

Scareware Accounts for Almost a Quarter of All Malware

McAfee warns that fake antivirus applications, collectively known as scareware, are one of the driving forces behind the cybercriminal economy and have grown to account for nearly a quarter of all malware in circulation. These programs have one ultimate goal - to scare people into parting with their money and compromise their credit card details in the process.

http://news.softpedia.com/news/FakeAV-Accounts-for-Almost-a-Quarter-of-All-Malware-163582.shtml

Fake Facebook Alerts Distribute ZeuS Trojan

Security researchers from Trend Micro warn of spam emails posing as security alerts from Facebook, which have a version of the ZeuS banking trojan attached. The infected emails purport to come from “Secure Facebook” and have a subject of “To Facebook user. (#FIRST_DESCR).”

http://news.softpedia.com/news/Fake-Facebook-Alerts-Distribute-ZeuS-Trojan-169877.shtml

http://blog.trendmicro.com/warning-about-spam-fake-not-from-facebook/

Polymorphic Injection Attack Targets WordPress Blogs

Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at a US-based hosting provider. Successful infection will result in one or several .php files being dropped on the Web server in multiple WordPress directories. However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every one unique.

http://news.softpedia.com/news/Polymorphic-Injection-Attack-Targets-WordPress-Blogs-169953.shtml

http://www.infosecurity-magazine.com/view/14369/mass-injection-attack-on-wordpress-blogs-revealed/

Security researchers from BitDefender have come across a new rootkit, which seems designed to drop a lot of adware programs on the infected systems. Detected as Rootkit.Woor.A, the malware installs itself as a randomly named service and runs as a system driver. This allows it to perform actions with kernel privileges. The rootkit overwrites the legit explorer.exe with a malicious version, which is subsequently called during the normal system boot process. When started, the rogue explorer.exe makes sure every component of this threat is running properly and that the unauthorized registry keys it needs are in place. It then proceeds to load the legit Windows Explorer from the system's dll cache, making it appear to the victim as if everything is functioning properly. The researchers warn that this component proceeds to download all sorts of adware-like programs, such as games, video players or streaming and instant messaging utilities, and asks users to pay for licenses.

http://news.softpedia.com/news/New-Rootkit-Functions-as-Adware-Distribution-Platform-169448.shtml

http://www.malwarecity.com/blog/rootkit-advertises-games-and-media-applications-971.html

Security researchers warn Avalanche, a large cybercriminal syndicate believed to operate out of Eastern Europe, is now relying on the infamous ZeuS trojan to steal sensitive data from users.

http://news.softpedia.com/news/Avalanche-Gang-Switches-from-Traditional-Phishing-to-ZeuS-162138.shtml

Security researchers from FireEye have identified a new banking trojan, which is capable of launching man-in-the-browser (MITB) attacks and targets an unusually high number of financial institutions. The threat steals online banking credentials and other sensitive information by intercepting data inputted into Web forms, as well as injecting rogue HTML elements into pages. It's worth noting that the trojan doesn't only target banks, but also services like PayPal, Amazon, Myspace or Gmail.

http://news.softpedia.com/news/New-Banking-Trojan-Targets-Over-a-Dozen-Financial-Institutions-162419.shtml

A ransomware Trojan threat is back – in an even more noxious form – two years after it last appeared. A new variant of the GpCode ransomware encrypts user files on infected Windows PCs. The latest version of the malware overwrites data in files instead of simply deleting files after encryption, making it far harder to use data-recovery software. A write-up of the attack, together with screenshots, can be found in a blog post by anti-virus analyst Vitaly Kamluk of Kaspersky Lab here - http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back

http://www.theregister.co.uk/2010/11/30/ransomware_trojan_returns/

New Ransomware Installs Itself in the Master Boot Record

Security researchers from Kaspersky have identified another new piece of ransomware which installs itself into the master boot record (MBR) and prevents the computer from booting into the operating system. Upon execution, Seftad.a overwrites the master boot record with rogue code and forces the computer to reboot. The new MBR prevents the operating system from starting back up and displays a message which reads:

"Your PC is blocked. All the hard drives were encrypted. Browse www.[CENSORED].ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!!

Please remember your ID: ##### [where # is a digit], with its help your sign-on password will be generated. Enter password: _"

Fortunately, data on the hard drives is not actually encrypted and can be accessed again by bypassing the prompt and restoring the MBR. The Kaspersky researchers note that a password of ‘aaaaaaciip’ should work to boot back into the system, but if it doesn't, they recommend downloading and using the free Kaspersky Rescue Disk 10 available at http://www.softpedia.com/get/Antivirus/Kaspersky-Rescue-Disk.shtml.

http://news.softpedia.com/news/New-Ransomware-Installs-Itself-in-the-Master-Boot-Record-169398.shtml

http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware

http://threatpost.com/en_us/blogs/new-seflad-ransomware-attacks-master-boot-record-113010

According to Czech antivirus vendor AVAST, a botnet which grows by compromising websites with rogue code has so far affected over 1 million computers and 100,000 domains. Dubbed Kroxxu, the botnet appeared in October 2009 and is the successor of Gumblar, once the most prominent threat on the Internet. Unlike other website infecting worms, Kroxxu does not exploit any vulnerabilities. Instead, it steals FTP credentials from compromised systems and uses them to inject rogue iframes into Web pages. Kroxxu has a highly flexible infrastructure. AVAST estimates that the 100,000 infected domains are interconnected through over 12,500 traditional and PHP-based redirectors.

http://news.softpedia.com/news/Gumblar-Successor-Kroxxu-Steadily-Growing-Larger-167759.shtml

http://www.avast.com/en-gb/pr-avast-kroxxu-botnet-infects-100000-domains-without-a-money-trail

Cross-Platform Boonana Trojan Gets New Version

A new version of the Boonana trojan, which infects both Windows and Mac OS computers, gives attackers control over the compromised computers. Boonana spreads through Facebook, where it uses social engineering to direct users to a fake YouTube page and trick them into running the Java applet.

http://news.softpedia.com/news/Cross-Platform-Boonana-Trojan-Gets-New-Version-165127.shtml

The Ugly:

Spammers "Gearing Up" Botnets for Holiday Rush

Spammers are pushing out e-mail borne malware at unprecedented rates in an apparent attempt to build up botnets in advance of the busy holiday shopping season, according to a report by Google.

http://threatpost.com/en_us/blogs/spammers-gearing-botnets-holiday-rush-101910

Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card. Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards. Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card.

http://www.theregister.co.uk/2010/11/23/network_card_rootkit/