

SWI Community News - December 2010

  • This topic is locked
2 replies to this topic

#1 Budfred


    Malware Hound

  • Administrators
  • 21,637 posts

Posted 02 December 2010 - 10:19 PM

Howdy everyone!!

Welcome to the 1st Edition of Volume 3 of the SWI Community News!! In the last issue we said we tend to be erratic in when we publish and a delay of almost 3 years since the last issue makes that clear, but here we are. As always, if you enjoy it or find it useful, please let us know. This edition includes two articles which are similar to others we have presented, but updated. Again, if there are other topics you would like us to talk about, please let us know by starting a topic in this forum. I hope you enjoy our efforts this month.

If you didn't get a chance to read our earlier articles, please feel free to go through them now. Much of the information in them is still relevant.

And now for the disclaimer and subscription information:

Opinions and information expressed in this publication are not the responsibility of SpywareInfoForum.Com or its owner, administrators or hosting services. Original information and opinions posted here are the property of the respective author.

That also means that the material is subject to the copyright of the author and you need to cite the author if you quote any material from this publication elsewhere.

And for those who don't already know -- to get notification when a new SWI Community News is available, subscribe to the subscription topic and we will add notices of publishing to that topic so you will receive an email notice if you are set to receive notices of your subscribed topics. Now, on with the show!

Subscription topic!


Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#2 Budfred


    Malware Hound

  • Administrators
  • 21,637 posts

Posted 02 December 2010 - 10:24 PM

Budfred's Rant
What's wrong with my antivirus??

We often see people who post about malware issues complain that their antivirus software is clearly no good because they got infected. We make an effort to educate them about the issue and we offer alternatives if needed. What we tell them is that it really doesn't mean anything about an antivirus program if your computer gets infected by anything other than a virus. Antivirus programs are designed to screen and prevent virus infections. Today, many of them also attempt to block worms and some trojans. Some even have an antimalware function and may check your email for indications of phish. However, unless that is an advertised feature of the program, expecting it to manage something like a rogue antivirus program that is spyware or just a scam, is like expecting your dog to tell you the weather report -- it simply isn't a feature that comes with the program. The same logic applies to anti-malware programs stopping virus infections and so on. I recently talked with a woman who thought her anti-malware program was her antivirus, so she did not realize that she had no antivirus protection. She also didn't realize that she had no resident protection since the program she used didn't have it. Even if it is a virus or infection the program is supposed to catch, there is NO security program that can catch everything, there are just too many ways that criminals can attack us for any program to keep up all of the time.

So if the program isn't the problem, what is? Well, most likely it is you! The computer user is typically the weakest link even if you have an adequate array of security software. An adequate array is a working resident antivirus program; an active firewall screening incoming and outgoing traffic from the Internet and possibly a resident anti-malware program. If you want to be more protected, use a browser like Firefox, Chrome or Opera with security add-ons like NoScript. Another good option is SpywareBlaster which can provide passive protection if updated regularly. All security programs need to be regularly updated and most will have an option to do so automatically, though you may need to pay for that privilege. Once all that is in place, deal with the weak link - you. Read "So how did I get infected in the first place?" which is in our Malware Removal forum at: http://www.spywarein...he-first-place/ Be aware that if you visit sites that share files, provide porn, have cracked software or engage in any other dubious behavior, you are more likely to pick up an infection. If something pops up and insists you need to buy it to fix infections it has found, shut down your computer and, if you have one, use another computer to contact us for help. If your security programs are up to date, disconnect from the Internet, turn the computer back on and run the deepest scans they will allow to see if they can fix the problem. If you spend a lot of time with online gaming or gambling, you may also be more exposed to attack. However, even casual browsing can lead to infection. Social networking sites, like Facebook and Twitter, are a new source of many infections. This is only a quick overview of ways to keep your computer clean and there are many other things you can do, so please also read other legitimate guides that are available.

Important: keep in mind that more is not better when it comes to computer security. If you load more than one resident program of the same type, you may produce conflicts that will actually reduce your protection. It is okay to have two programs, like Malwarebytes Anti-Malware and Spybot Search and Destroy for example, as long as you don't run resident protection in both of them. This means you would have one antivirus, one firewall and one anti-spyware with a resident protection active. If you use a recent version of Windows, you have Windows Defender by default and you would need to turn it off if you use another resident anti-malware program. If your resident protection, like your antivirus, never alerts you, it could mean you aren't infected or it could mean that it has been turned off by an infection, so it is a good idea to pay attention to whether it is on and run a scan occasionally just to confirm it.



#3 TheJoker


    Forum Deity

  • Boot Camp Mod
  • 14,487 posts

Posted 03 December 2010 - 06:05 AM

The Good, Bad and Ugly News from TheJoker

The Good:

Adobe Reader X
Following a massive security engineering undertaking, Adobe has finally released a fully sandboxed version of its ubiquitous Adobe Reader product, which promises to stop the majority of PDF-based exploits. While the newly released Adobe Reader X (10.0) brings a lot of new document collaboration and multimedia functionality, from a security perspective, the company's greatest achievement is the new Protected Mode, a sandboxing technology enabled by default in the program. Sandboxing means isolating a process within a restricted environment, from where its ability to interact with the underlying operating system is strictly controlled. This major security enhancement will not lower the number of vulnerabilities found in Adobe Reader, but leveraging them to compromise computers will be a much more difficult task.
Get it here - http://www.adobe.com...US-H-GET-READER

Update to Adobe Flash Player
Adobe released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.
The Flash update brings the latest version to v To find out if your computer has Flash installed and what version it may be running, go here. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner. If you'd like to avoid Adobe's Download Manager and all these extras, grab the update from this link instead.

Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months. In Wisconsin, police arrested two young men, who were wanted as part of a crackdown in late September on money mules, who were in the United States on J1 student visas. The two men from Moldova are being transferred to New York, where they were charged on September 30 in connection with the international money laundering scheme.

FBI Identifies Russian ‘Mega-D’ Spam Kingpin
Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide. According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.

A website designed to track the control system of the SpyEye crimeware Trojan has been established. The site, spyeyetracker.abuse.ch*, was set up by Swiss security researcher Roman Hüssy, and modelled on his successful Zeustracker website. The latter site, which was established in early 2009, has helped security researchers to track the activities of the infamous botnet, which is linked to numerous instances of banking fraud.

How Google Locates and Identifies Malware
In a session at the SecTOR security conference in Toronto, Google detailed how the search engine giant identifies malware and what it does to help protect the safety and security of Web users. Google had a warning page that was displayed to users about potential malware being on a given page and then provided users with a button that enabled them to click through to the page. 95 percent of users were still clicking through to the page with the malware on it, even though Google had provided a warning, so Google shifted tactics. Now the company provides the URL of the malware site as text, which requires a user to copy and paste the address if he or she still wants to proceed to the malware site.

FTC Wants 'Do Not Track' Privacy Option in Browsers
The Federal Trade Commission (FTC) is proposing for users to be given a uniform and persistent way to opt out of online tracking and behavioral advertising. The Commission says that users should have a uniform and easy to understand way of deciding whether to allow the collection and use of their Web searching and browsing activities.

The Bad:

More Fake Adobe Reader Update Emails
Security researchers warn of a new wave of spam emails promoting fake Adobe Reader updates which direct users to scam sites trying to sell them sub-par software. The rogue messages bear subjects of “Action Required : Upgrade New Adobe Acrobat Reader 2011 For Windows And Mac.”
For more technical users the subject line alone should be a dead giveaway that this is a scam, because Adobe doesn’t refer to years in the versioning scheme of its Reader and Acrobat product line. However, a lot of average users could be fooled by the emails, especially since this spam campaign happens to come at a time when Adobe is actually promoting a new major version of Adobe Reader, called Adobe Reader X (10.0). In fact, the scammers are very likely aware of this, because in the email body they mention new enhancements that Adobe Reader X really has. According to researchers from GFI Software (formerly Sunbelt), in order to obtain the product, users are asked to sign up for a VIP support plan and other additional services, including “one year full protection against intrusion with ETD Scanner for only $1.49/month.” The important thing to remember is that Adobe Reader is a free product.

FAKEAV 101: How to Tell If Your Antivirus Is Fake
Fake antivirus or FAKEAV, sometimes known as scareware, has become a significant threat and more and more users have become victims of this profitable scam. Trend Micro and the rest of the security industry continue to work hard to protect users against this threat. However, educating and informing users about this scam is more effective than any technical solution that the industry can provide. An antivirus program that installs itself then proceeds to “scan” the PC without user intervention is unlikely to be real.

New Scareware Poses as HDD Defragmentation Tools
Scareware creators have temporarily steered away from the fake antivirus theme they commonly use to put out a new line of rogue programs that pose as defragmentation utilities. According to security researchers from antivirus giant Symantec, these applications started to appear in the latter half of October, but have since increased their prevalence and new variants are now detected on a daily basis. Scareware distribution is one of the most profitable underground businesses and is commonly used to fund more cybercriminal activities. According to a recent report from Panda Security, 2010 was the busiest year for scareware developers, with almost 40% of such threats ever created being released this year.

Scareware Accounts for Almost a Quarter of All Malware
McAfee warns that fake antivirus applications, collectively known as scareware, are one of the driving forces behind the cybercriminal economy and have grown to account for nearly a quarter of all malware in circulation. These programs have one ultimate goal - to scare people into parting with their money and compromise their credit card details in the process.

Fake Facebook Alerts Distribute ZeuS Trojan
Security researchers from Trend Micro warn of spam emails posing as security alerts from Facebook, which have a version of the ZeuS banking trojan attached. The infected emails purport to come from “Secure Facebook” and have a subject of “To Facebook user. (#FIRST_DESCR).”

Polymorphic Injection Attack Targets WordPress Blogs
Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at a US-based hosting provider. Successful infection will result in one or several .php files being dropped on the Web server in multiple WordPress directories. However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every one unique.

Security researchers from BitDefender have come across a new rootkit, which seems designed to drop a lot of adware programs on the infected systems. Detected as Rootkit.Woor.A, the malware installs itself as a randomly named service and runs as a system driver. This allows it to perform actions with kernel privileges. The rootkit overwrites the legit explorer.exe with a malicious version, which is subsequently called during the normal system boot process. When started, the rogue explorer.exe makes sure every component of this threat is running properly and that the unauthorized registry keys it needs are in place. It then proceeds to load the legit Windows Explorer from the system's dll cache, making it appear to the victim as if everything is functioning properly. The researchers warn that this component proceeds to download all sorts of adware-like programs, such as games, video players or streaming and instant messaging utilities, and asks users to pay for licenses.

Security researchers warn Avalanche, a large cybercriminal syndicate believed to operate out of Eastern Europe, is now relying on the infamous ZeuS trojan to steal sensitive data from users.

Security researchers from FireEye have identified a new banking trojan, which is capable of launching man-in-the-browser (MITB) attacks and targets an unusually high number of financial institutions. The threat steals online banking credentials and other sensitive information by intercepting data inputted into Web forms, as well as injecting rogue HTML elements into pages. It's worth noting that the trojan doesn't only target banks, but also services like PayPal, Amazon, Myspace or Gmail.

A ransomware Trojan threat is back – in an even more noxious form – two years after it last appeared. A new variant of the GpCode ransomware encrypts user files on infected Windows PCs. The latest version of the malware overwrites data in files instead of simply deleting files after encryption, making it far harder to use data-recovery software. A write-up of the attack, together with screenshots, can be found in a blog post by anti-virus analyst Vitaly Kamluk of Kaspersky Lab here - http://www.securelis...somware_Is_Back

New Ransomware Installs Itself in the Master Boot Record
Security researchers from Kaspersky have identified another new piece of ransomware which installs itself into the master boot record (MBR) and prevents the computer from booting into the operating system. Upon execution, Seftad.a overwrites the master boot record with rogue code and forces the computer to reboot. The new MBR prevents the operating system from starting back up and displays a message which reads:
"Your PC is blocked. All the hard drives were encrypted. Browse www.[CENSORED].ru to get an access to your system and files. Any attempt to restore the drives using other way will lead to inevitable data loss !!!
Please remember your ID: ##### [where # is a digit], with its help your sign-on password will be generated. Enter password: _"

Fortunately, data on the hard drives is not actually encrypted and can be accessed again by bypassing the prompt and restoring the MBR. The Kaspersky researchers note that a password of ‘aaaaaaciip’ should work to boot back into the system, but if it doesn't, they recommend downloading and using the free Kaspersky Rescue Disk 10 available at http://www.softpedia...cue-Disk.shtml.

According to Czech antivirus vendor AVAST, a botnet which grows by compromising websites with rogue code has so far affected over 1 million computers and 100,000 domains. Dubbed Kroxxu, the botnet appeared in October 2009 and is the successor of Gumblar, once the most prominent threat on the Internet. Unlike other website infecting worms, Kroxxu does not exploit any vulnerabilities. Instead, it steals FTP credentials from compromised systems and uses them to inject rogue iframes into Web pages. Kroxxu has a highly flexible infrastructure. AVAST estimates that the 100,000 infected domains are interconnected through over 12,500 traditional and PHP-based redirectors.

Cross-Platform Boonana Trojan Gets New Version
A new version of the Boonana trojan, which infects both Windows and Mac OS computers, gives attackers control over the compromised computers. Boonana spreads through Facebook, where it uses social engineering to direct users to a fake YouTube page and trick them into running the Java applet.

The Ugly:

Spammers "Gearing Up" Botnets for Holiday Rush
Spammers are pushing out e-mail borne malware at unprecedented rates in an apparent attempt to build up botnets in advance of the busy holiday shopping season, according to a report by Google.

Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card. Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards. Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005

Member of UNITE
Support SpywareInfo Forum - click the button
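The MBR ransomware item above notes that the boot code is overwritten while the data itself is untouched, and that the fix is to restore the MBR. The following script is an added example, not code from the newsletter or from Kaspersky: it parses a raw 512-byte MBR sector, verifies the 0x55AA boot signature and the partition table layout, and compares the SHA-256 of the 446-byte bootstrap region against a known-good baseline so a replaced boot sector shows up even when the partition table and signature were left intact. The sample sectors and the baseline hash are constructed inside the script; nothing here touches a real disk.

```python
"""Integrity check for a raw MBR sector (added example; sectors below are constructed)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445 hold the boot code
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def build_sample_mbr(bootstrap: bytes, entries=None) -> bytes:
    """Assemble a 512-byte MBR from constructed parts (fixture, not real disk data)."""
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code too long")
    table = b""
    # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    for status, ptype, lba_start, count in (entries or [])[:4]:
        table += struct.pack("<B3xB3xII", status, ptype, lba_start, count)
    table = table.ljust(64, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into bootstrap hash, used partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("partition entry has an invalid status byte")
    if sum(1 for p in info["partitions"] if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    return findings


# Constructed fixtures: a plausible boot-code prefix, and a tampered sector whose
# boot code was replaced but whose partition table and signature were left intact,
# which is the pattern described for MBR lockers.
GOOD_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]
GOOD_MBR = build_sample_mbr(GOOD_BOOTSTRAP, PARTITIONS)
BASELINE = hashlib.sha256(GOOD_MBR[:BOOTSTRAP_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"CONSTRUCTED LOCK SCREEN TEXT", PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or "OK")
```

To use this against a real machine, record the baseline hash while the system is known clean (on Linux the first sector can be read with `dd if=/dev/sda bs=512 count=1`), store it off the box, and re-run the check from rescue media when a boot-time lock screen appears; a baseline mismatch with an intact partition table is exactly the case where restoring the MBR, rather than reformatting, gets the data back.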