Whether looking for a great restaurant in your neighborhood or researching your next vacation, going online is quickly becoming the easiest way to find anything for which you might be looking. A company’s online reputation, therefore, is crucial to maintaining customer loyalty. Positive reviews can boost business, while negative comments can send shoppers elsewhere.

Yelp, a popular website featuring consumer reviews of local businesses, is a high-profile example of the damage that negative publicity can do to a company’s online reputation. A recent story in the East Bay Express claims that Yelp sales team members engaged in unethical practices by promising local business owners that negative reviews of their companies would be removed in exchange for advertisements. Regardless of whether the claims are true (Jeremy Stoppelman, Yelp’s cofounder and CEO, adamantly denies the accusations), the allegations have caused many users to lose faith in the site’s credibility.

Just as companies must vigilantly monitor their online status, it’s important for individuals to manage their online reputations as well. With the booming popularity of social networking sites like Facebook and Twitter, people are revealing information about their lives at an ever-increasing rate. However, revealing too much online can quickly get you into trouble. Including confidential company data in a post or complaining about your job in a tweet is grounds for termination, as these individuals found out the hard way. Job searchers must also carefully monitor their online personas, as companies are turning to these social platforms to do additional research on applicants. Inappropriate content on your profile page can quickly drop you to the bottom of the candidate list.

Losing your job isn’t the only risk for frequent Facebook and Twitter users. Cybercriminals have also capitalized on this blurring between our public and private lives in cyberspace. Revealing too much information in your profile can leave you susceptible to identity theft. Or, hackers can break into your account to spam your friends with direct messages that include links to phishing scams. Becoming a victim of this type of cybercrime might make your friends think twice before checking out a message from you in the future.

Managing your online reputation is crucial to both one’s professional and private lives. Using Yelp as an example once more, users must build trust through their history on the site. Other consumers can check out a variety of factors to evaluate the reviewer’s comments, including total number of reviews completed, and the distribution of their review ratings (on a 1- to 5-star scale). Grading everything too harshly or too generously can weaken one’s standing as a valuable resource.

It takes time to build trust in your online persona, but it can quickly vanish (just ask Yelp executives). Always take the time to think about what you’re publicizing in cyberspace and take steps to keep your profiles safe.

Posted in Privacy | Tagged , , , | Leave a comment

Fake antivirus software accounts for 15 percent of all malware on the web, according to a study recently released by Google. From January 2009 to February 2010, researchers for the search engine analyzed 240 million webpages and found more than 11,000 domains containing rogue antivirus software scams. Google also discovered that the amount of infected domains steadily increased each week of the study. The company concluded in a statement: “The fake antivirus threat is rising in prevalence, both absolutely and relative to other forms of web-based malware. Clearly, there is a definitive upward trend in the number of new fake antivirus domains that we encounter each week.”

Fake AV software, also known as “scareware,” “rogueware,” or “rogue security software,” tricks victims into downloading malware. For instance, a typical scareware scam will appear as a pop-up warning indicating that the user’s computer has been infected with a virus. Frightened of the potential damage, the victim will then purchase and install the “recommended” software.  Instead of protection, however, the victim has downloaded malware, and his/her credit information is in the hands of a cybercriminal.

The Google report sheds light on several trends related to fake antivirus software. In addition to an increase in the overall amount of scareware on the web, this variety of malware is also becoming more sophisticated. According to the Google report, “More recent fake AV sites have evolved to use complex JavaScript to mimic the look and feel of the Windows user interface…In some cases, the fake AV detects even the operating system version running on the target machine and adjusts its interface to match.”

Scareware is also becoming a major nuisance for high-profile sites that depend on advertisements and ad networks. Rogue antivirus software accounts for nearly half of all malware distributed via ads. Major sites like The New York Times have already been exposed to rogueware. Scareware applications also often use search engine optimization (SEO) techniques, such as keyword stuffing and link farming, to trap additional victims.

Once again, cyberscams are becoming more sophisticated and prevalent, so be sure to protect yourself with premium antivirus software in order to stay one step ahead of those tricky cybercriminals.

Posted in Virus News | Tagged , , | 4 Comments

Analyzing Trends from the Internet Crime Complaint Center’s 2009 Annual Report

A recent report by internet security company Symantec has been widely publicized for the implications it presents for residents of certain US cities. After analyzing factors such as risky online behavior and the number of incidents per capita, Symantec released Norton’s Top 10 Riskiest Online Cities. Seattle tops the list, while Boston, Washington, D.C., San Francisco and Raleigh round out the top five.

While residents of these cybercrime hotspots should take note, a different study shows that Symantec’s riskiest cities are not necessarily home to the greatest percentage of perpetrators per capita. So where are these cybercriminals hiding?

According to the 2009 Annual Report by the Internet Crime Complaint Center (IC3), a partnership between the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI), the District of Columbia harbors the most cybercrooks with 116 per 100,000 residents. When looking at the total number of perpetrators, however, California is number one (14.7%), followed by Florida (9.7%), New York (8.7%), the District of Columbia and Texas (both tied for 4th with 6.4%).

The report by the Internet Crime Complaint Center also concludes that cybercrime is a “truly borderless phenomenon.” In the majority of cases reported to the IC3 in 2009, the complainant and perpetrator lived in different states. For instance, in only 34.8% of crimes in California, where the majority of incidents originated, did both the cybercriminal and victim live in California. Due to the anonymity provided by the internet, cybercrime is unlike any other criminal act: the perpetrator most likely does not know the victim, nor do they need to be in the same location to commit any number of online scams and attacks.

The IC3’s annual report reflects all complaints filed with the organization in 2009. The total number of complaints numbered 336,655, a 22.3% increase from 2008.

Additionally, the total dollar loss reached $559.7 million last year, compared to $264.6 million in 2008. The mission of the IC3 is to serve “as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cybercrime.” The statistics of the report certainly support the rise in cybeattacks; however, it should be noted that the data reflects only those incidents that are reported to the IC3. In fact, the true rate of cybercriminal activity is probably much higher – a scary thought for anyone with even limited online activity.

While the IC3 report is helpful in identifying important cybercrime trends, it still doesn’t diminish the fact that anyone – regardless of where you live – can become a victim of an online scam or cyberattack. The authors of the study are careful to note: “Anyone who uses the Internet is susceptible. IC3 has received complaints from both males and females ranging in age from 10 to 100. Complainants can be found in all 50 states including the District of Columbia and in dozens of countries worldwide.”

To read the full report, visit the IC3 website. Or, if you are a victim of cybercrime, click here to file a report.

Posted in Online Fraud | Tagged , , , | Leave a comment

Debates still rage over what constitutes a good, secure password. A recent Lifehacker article linked to a much older article by Founding Editor Gina Trapani entitled “Choose (and remember) great passwords” (2006). Her suggestions are smart and reasonable, aimed at steering people away from the danger of using one password for all of their online needs. Her method is simple in theory—pick a base password then customize that to the individual site. Trapani’s base password suggestions include keyboard patterns (asdf) or a combination of initials and a special date, followed by something like AMA for Amazon, so a password could look something like ASDFAMA.

The most interesting part of the article was the ire in the comments. Some commentators felt that the password combinations were far too simple; if Amazon were hacked, with the AMA extension being far too big a coincidence to ignore, the next logical step would be to apply the previous letters to another site, appending a relevant three letter code. Indeed, in testing out a few of her passwords on a password strength checker online, they ranged from “Very Weak” to “Weak,” with only one “Good” rating. (To guarantee an exceptional rating, formulate passwords with the PC Tools Secure Password Generator.)

The counterargument to Trapani’s article pointed out that far too many people still use the same catchall password, and if this article can cause them to take baby steps towards greater online security, then progress certainly has been made.

The first camp would probably reply that if you’re going to change your password anyway, might as well be as intelligent as possible in doing so. What, then, does make a good password? The aforementioned password strength checker awards points based on the following criteria:

Number of characters

Uppercase letters

Lowercase letters



Middle numbers or symbols (inserted among the letters rather than placed at the beginning or the end)

Deductions are made in the case of:

Letters only

Numbers only

Repeat characters

Consecutive uppercase or lowercase letters

Consecutive numbers

Sequential letters or numbers

The bottom line is that combination and variety are most important in selecting smart passwords—emphasis on the “s” of passwords.

Posted in Privacy | Tagged | Leave a comment

ZeuS 2.0 kit release introduces a few tricks designed to complicate the analysis of its configuration files.

Apart from randomized side-effects that the new trojan leaves on a system, including its ability to morph in order to avoid hash-based detections (well, hash-based detections never worked against ZeuS anyway, given the sheer volume and frequency of the generated samples and the variety of used packers), it seems that this time a great care was taken in protecting its configuration files.

The trojan now uses more layers in order to decrypt its configuration files.

Shrek: Onions have layers. Ogres have layers… You get it? We both have layers.
Donkey: Oh, you both have layers..

The new decryption steps are illustrated below:

It starts from initializing a 256-byte key table. At first, its bytes are set to value N, where N is a position of the byte in the key table (from 0 to 255).

Next, the code utilizes a large permutation table – a dynamically constructed table with a variable size around 40,177 bytes, in order to generate a new key table.

The newly generated key table is then used to decipher (RC4) another dynamically constructed table, called in the scheme above a “small table”.

Once deciphered, the small table will contain both the configuration file URL and a new key table to decipher (RC4) the configuration file that the trojan requests from the remote server.

The new key table is stored inside the small table at a variable offset.

Due to polymorphic nature of the trojan, the locations of the large permutation table, encrypted small table and the offset of the key inside the decrypted small table are random.

Nevertheless, these random values are recoverable from the heap memory of any process infected with ZeuS.

In order to decrypt configuration files of ZeuS 2.0 on a host infected with ZeuS (e.g. under a virtual machine), a special tool can be built.

The tool would firstly need to identify ZeuS heap pages with the signatures and then check for the presence of the following code within the same ZeuS page:

// 55                    push    ebp
// 8B EC                 mov     ebp, esp
// 51                    push    ecx
// A1 ?? ?? ?? ??        mov     eax, ds:image_base
// 8B 0D ?? ?? ?? ??     mov     ecx, ds:dwSmallTableOffsetVA
// 56                    push    esi
// 8D 34 01              lea     esi, [ecx+eax]
// A1 ?? ?? ?? ??        mov     eax, ds:XX
// 8B 0D ?? ?? ?? ??     mov     ecx, ds:dwLargeTablePtrVA
// 89 4D FC              mov     [ebp+large_table_ptr], ecx
// 83 F8 02              cmp     eax, 2
// 76 41                 jbe     short XX
// 57                    push    edi

The 1st wildcard (??) in the listing is the virtual address of the allocated page within the host process.

The 2nd wildcard is the virtual address of the small table offset within the same injected page; for example, the small table offset could be 0×33000. The first word of that table is the size of the large permutation table, with the actual small table following that word. The size of the small table is constant – it is 700 bytes in size.

The 4th wildcard in the listing is the virtual address of the large permutation table within the infected process. It is normally allocated as a separate heap page within the same host process.

Another offset still needs to be recovered from the identified malicious heap page – it is the offset of the key within the decrypted small table that is used to decipher (RC4) the configuration file itself. The value of this offset varies from 0 to 255.

To locate that offset, the infected memory page can be scanned for the presence of the following code:

// 8B 03                 mov     eax, [ebx]
// 56                    push    esi
// 57                    push    edi
// C6 45 FF 00           mov     [ebp+flag], 0
// 85 C0                 test    eax, eax
// 74 6E                 jz      short quit
// 8B 7B 04              mov     edi, [ebx+4]
// 81 C1 ?? 00 00 00     add     ecx, bKeyOffset
// 51                    push    ecx
// E8 ?? ?? ?? ??        call    dec_rc4_xor
// 89 43 04              mov     [ebx+4], eax
// 85 C0                 test    eax, eax

The key offset is the first wildcard in the listing above.

Once the tables and the key offset are fully recovered from the memory of an infected process, the tool can now decrypt the configuration file by using decryption algorithms derived from ZeuS via reverse engineering.

To assist those researchers who need to decrypt and analyze the contents of the ZeuS 2.0 configuration files, the ZeusDecryptor tool is available for download here.

Posted in Malware Alerts | Tagged , | Leave a comment

Online gaming password stealers form a large malware category.

Moreover, it is growing: there is strong demand in the virtual experience, there is supply, there are online auction sites where such experience is sold to those who are ready to pay for it. That is, there are mechanisms for converting the virtual experience into the real money. And then there are bad guys are trying to hook into that chain for their personal gain by trying to compromise online gaming accounts in order to steal the virtual experience and then resell it.

However, why there is demand for the virtual experience in the first place?

What state of mind is required in order to pay several hundred dollars for something as virtual as this:

Why the practicality becomes less important and the virtual assets become more and more appealing up to the point when they are associated with a certain social status? Is it the same force that drives the sales of the sleek, glossy and shiny (but questionable practically) i-gadgets, the same sort of virtuality? Is this some kind of “this is me and I am not part of the crowd” message sent to the rest of the world, an attempt to demonstrate an open mind attitude that dismisses anything dogmatic?

By buying the virtual status in gaming, whether it is virtual gold or a level or experience, what are they trying to say? Is this a way to demonstrate to their friends how keen there are and how far they are prepared to go to gain their own social status in the modern world? But why buying the virtual social status instead of building one physically?

Hmm, this must be our evolution then.

Posted in Online Fraud | Tagged | Leave a comment

Though primarily being distributed through spam and drive-by downloads, and in addition to social-engineering tactics, the Zeus/Zbot malware also utilizes specially-crafted PDF files to get into an unsuspecting user’s computer.
The Malware Research Center has seen PDF files that carry embedded javascript codes that in turn exploit the Collab.getIcon buffer overflow vulnerability (CVE-2009-0927) and the Util.Printf buffer overflow vulnerability (CVE-2008-2992).

These vulnerability exploits allow the execution of malicious arbitrary codes that download and execute the Zeus malware on the unsuspecting user’s machine.
Deobfuscated javascript code exploiting the Util.Printf vulnerability
Deobfuscated javascript code exploiting the Collab.GetIcon vulnerability
The Zeus/Zbot malware essentially steals online credentials, particularly targeting online banking information from a compromised computer.
Internet users are encouraged to ensure that their Reader software is up-to-date and to be vigilant when visiting sites and downloading and opening files, even those coming from known sources.
PC Tools strongly advice to make sure that your signature are up-to-date by using Smart Updates to ensure you are protected by current and upcoming web threats.

We would like to express our gratitude to Jonathan San Jose for using the Browser Defender technology in finding web exploits in realtime and prodiving the malware samples used in this analysis.

Steve Espino
Malware Research Analyst
27/04/2010 – UPDATE:
Aside from the Handcrafted PDF files which are used by Zeus bot, Malware Research Center has also seen additional exploits used by the Zbot variant. Here are the exploits used:
1. Java Exploits
The Java Runtime Environment (JRE) Vulnerability in Deserializing Calendar objects (CVE-2008-5353).

The jj.jar file contains the Hirwfee.class file which exploits the vulnerability in Deserializing Calendar objects.
Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE (CVE-2009-3867).
The j.jar file contains the Uutecwv.class file which exploits the vulnerability in java using getSoundBank function (CVE-2009-3867).
2. Flash Player Exploits on different versions.
Information regarding the vulnerabilities can be found in these links:
Deobfuscated javascript code exploiting the Flash player vulnerability part 1

Deobfuscated javascript code exploiting the Flash player vulnerability part 2
3. Adobe PDF Exploits
It uses iframe tag to load the file img.php

img.php file is the crafted PDF file
It also uses the vulnerability in Collab.getIcon function (CVE-2009-0927) and the util.printf JavaScript function with a crafted format string argument (CVE-2008-2992). Additionally, it exploits a buffer overflow by creating a specially crafted pdf that contains malformed Collab.collectEmailInfo() (CVE-2007-5659).
Deobfuscated javascript code exploiting the collecEmailInfo vulnerability
4. MDAC Exploit (CVE-2006-0003)
Deobfuscated javascript code exploiting the MDAC vulnerability
5. Internet Explorer Exploit
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer (CVE-2010-0806).
Deobfuscated javascript code exploiting the iepeers vulnerability
6. The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11) vulnerability (CVE-2009-1136).
Deobfuscated javascript code exploiting the Spreadsheet vulnerability
These vulnerability exploits allow the execution of malicious arbitrary codes that download and execute the Zeus malware on the unsuspecting user’s machine.
Upon installation of the Zeus malware on the user’s machine, it drops a copy of itself in windows system folder with the filename sdra64.exe, it then sets the file time to that of the file %SystemFolder%\ntdll.dll. It also set the file attributes as hidden, system file, read only and archive.
It also creates the folder lowsec in windows system folder with the hidden attribute to create the following files:
• local.ds
• user.ds
• user.ds.lll
These files are the configuration file and the log file where Zeus malware uses to gather and steals information.
This Zeus bot malware also have an autostart technique by attempting to add the string %SystemFolder%\sdra64.exe, in the below registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %Original value%
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = “c:\Windows\System32\userinit.exe, c:\Windows\System32\sdra64.exe,”
Furthermore, once this Zeus bot failed to modify the above mentioned registry entry, it will create the below autostart registry entry:
userinit = “%SystemFolder%\sdra64.exe”
This Zeus bot malware disable Windows Firewall by creating the following registry entry:
EnableFirewall = dword:00000000
Also creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
UID = “%ComputerName%_%HexNumber%”
This Zeus/Zbot malware also attempts to gather information about the below FTP applications to steal ftp servers and the desired username and password if available.
• FlashFXP
• Total Commander
• FileZilla
• WinSCP
• CoreFtp
• SmartFtp
This Zeus bot malware inject its code in certain processes.
One of the process it inject its code is the windows winlogon.exe process.
The injected Zeus code in the winlogon.exe is also capable of injecting another code in windows svchost.exe which is capable of downloading the configuration file of this malware.
The injected code in svchost.exe consists of decryption of the URL where it downloads the configuration file, and the decryption routine of the downloaded configuration file.

Basically, the configuration file contains the following:
• URLs of updated copy of itself
• URLs for another Configuration file
• Html Script codes which the Zeus bot used to fake the login to the bank sites
• Bank sites where this bot monitors for information theft
• Non Bank sites where the Zeus bot also monitors for account information theft

This Zeus bot malware is detected by PC Tools as Trojan-Spy.Zbot.YETH
PC Tools strongly advice to make sure that your signature are up-to-date by using Smart Updates to ensure you are protected by current and upcoming web threats.

~Jonathan N. San Jose
Malware Research Analyst

Posted in Malware Alerts | Tagged , | Leave a comment

Social networks are attractive forums for cybercriminals looking to spread their scams and malware. Fortunately, one leading social networking site has found a way to combat these aggravating and harmful attacks. Twitter recently announced that it has reduced spam to one percent—this accomplishment marks a vast improvement for users of the popular microblogging site, when just last August spam messages accounted for 11 percent of all tweets.

Continue reading

Posted in Spam | Tagged , | Leave a comment

Tips to Avoid Common April Fools’ Day Scams

April Fools’ Day is a time of hoaxes and practical jokes. Although you might enjoy the opportunity to trick your family, friends and co-workers, don’t let your guard down when it comes to online threats. This April 1st cybercriminals are sure to be in on the action, but their motives are not mere fun and games.

Cybercrime rates spike during any holiday, major event or media story (link to article cybercrime and major events) because these happenings offer prime opportunities to run a variety of schemes – from phishing attacks to infecting computers with malware.  April Fools’ Day is no exception. Every year at this time, there’s a surge of spam emails and spyware infections. Adding to the frustration, this year internet security experts predict that cybercriminals will also target social networking sites.

Reporters have already linked one April Fools’ Day scam to social networks. At the beginning of March, The East Texan, the student newspaper at Texas A&M University-Commerce, received a bogus email claiming that Facebook would start charging users on April 1. The email directed recipients to a fake protest webpage that was infected with malware.

Other common scams include April Fools’ Day-themed emails containing commonly searched images from Google. To protect yourself from online threats this April 1st, follow these security tips:

-          Don’t open any emails, files or attachments from unknown sources

-          Exercise caution even when opening emails and attachments from people you do know

-          Always think before you click and avoid unknown websites

-          Know what kind of antivirus software you have and don’t be fooled by “scareware” tactics (link to glossary or article about scareware)

-          Keep your antivirus software up-to-date, install all updates to your operating system and make sure that all security patches are updated for your internet browser

Posted in Online Fraud | Tagged | Leave a comment

PC Tools’ Malware Research Team received a source code of what appears to be a proof-of-concept (PoC) ransomware application that has been a hot topic at several internet security forums.

Continue reading

Posted in Online Fraud | Tagged , | Leave a comment

     Koobface is a network worm that tries to propagate using social engineering techniques. While it mainly targets the popular social-networking site “Facebook”, it also targets other sites such as “Twitter” and “MySpace” as the vector for infection.

     On 10th March 2010, PC Tools’ Malware Research Centre found another Koobface variant lurking in Facebook. Like its predecessors, it uses existing Facebook accounts by hijacking them and trying to spread by generating a URL directing users to a malicious page. Visiting the malicious URL will redirects users to a webpage with malicious script forcing the user to download a malicious executable that poses as an installer for a video codec.

     Upon execution, this fake video codec silently drops a copy of itself, downloads its components, accesses fake AV sites and continuously monitors an unsuspecting user waiting for him/her to log in to his/her account so as to hijack it. It then uses the acquired account to silently log into Facebook Lite (Twitter version of facebook) to create another loop of infection.

Past reports could be found here

The Propagation Loop

     Koobface uses the hijacked account to send enticing URLs to the “walls” of an account holder’s friends as well as posting another URL to its own wall, in case one of its friends visited its profile.

     Once one of the account holder’s connected friends clicks onto the malicious URL, it will direct him/her to a page which contains a malicious script.

<script src=’[randomname].php’></script>

Here is an example of a page with malicious script:

(The text varies from time to time)

This php (mentioned above) will execute the following malicious code:

     Then from the list of IPs coming from the script, it will try to access it, adding “/go.js?/” to each IP.

     Successful access takes a user/account holder to another redirect page where the user is enticed to download the malicious file by way of a video codec:
Closing or clicking anywhere the page will download “setup.exe”

     Upon execution of the downloaded file, Koobface will then start to download and install itself to the user’s machine, stealthily running in the background waiting for the user to log into Facebook so as to hijack the account and infect another unsuspecting friend.
File Installation:

Koobface drops a hidden copy of itself in Windows Directory (one of the following):
  • %windows%\bill[random chars].exe
  • %windows%\pp[random chars].exe
  • %windows%\fb[random chars].exe
  • %windows%\freddy[random chars].exe
Koobface installs its components:
  • %system%\erokosvc.dll (most probably a random filename)
  • %system%\drivers\imapioko.sys (most probably a random filename)
where %windows% is the windows directory (usually, C:\Windows\)
where %system% is the system directory (usually, C:\Windows\system32)
Registry Installation:

     Koobface creates its own registry entry in order for the malware to be automatically executed upon every boot up.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • sysfbtray = <path of the dropped file mentioned above>

Upon successful installation, the initial file in execution will be deleted, automatically executing and loading the dropped file and its components. The malware will now be running in the background and start its malicious motive—that is, to hijack Facebook accounts, access spam and fake AV sites as well as connecting to its own C&C Server.


     While the malware is running in the background, Koobface will be doing some of the following types of behaviours.
1. Bypassing Captcha
     It will first download and automatically execute its component files – bypassing captcha.
     From time to time, it will present a window mimicking the captcha test. The user will be forced to comply with this test since it disables other applications and prompts a message that the machine will shutdown unless a user complies. These “captcha” words will be used for creating accounts and/or sending messages. (More details on Koobface’s ability to resolve facebook’s captcha)

2. Contacting Rogue Sites
     Not only it does propagate but it also tries to connect and market rogue software to be installed in the computer’s machine, while running in the background

3. Hijacking Facebook Accounts
     And lastly, the main purpose of this malware – hijacking Facebook accounts for propagation.
     It continues to monitor the computer until a user logs into his/her Facebook account. Once logged-in, the malware will hijack the current logged in Facebook account and make its own session using Facebook Lite.
Then it will automatically send an enticing message that includes the malicious URL, to each of the user’s friends. And the propagation loop starts over.

     In time, the user will find out that he/she has sent a message that he/she didn’t send at all.
     And not only does Koobface send crafted messages unknowingly but also publishes an enticing post to the user’s own Facebook wall.

     Internet users are encouraged to be vigilant when visiting sites, even those coming from a known source. 
     Affected users are advised to immediately change their Facebook account password. The hijacked credentials may be used again as a vector for malware propagation with more dangerous intent.
     PC Tools detects this malware as Net-Worm.Koobface. It is recommended to make sure that your signature is up-to-date by using Smart Updates to ensure you are protected by current and upcoming web threats.
Posted in Virus News | Tagged , | Leave a comment

The Fbi released its Internet Crime Complaint Center (IC3) 2009 report. The organization maintains that cyberfraud losses reported to them doubled year over year.

The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.

The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

Posted in Online Fraud | Tagged , | 1 Comment

Same as we posted last week, Trojan.FakeAv continues to be one of the highest hitting families of malware prevented in the ThreatFire community again this week. And, because so many users continue using Windows XP, it is this variant of the family that continues to pop up the most. Frequently, the malware resides simply as “av.exe” on users’ systems:


The bogus software follows the trends that we presented at Virus Bulletin 2008 two years ago, where we noted the rising FakeAv families and technical details of “Recent Rogueware”, similarities with previous other malware families, and their delivery.


Posted in Malware Alerts | Tagged | 2 Comments

The victory over dozens of Zeus botnets that was declared over the past couple of days may have been premature, as the Troyak-AS upstream provider that was de-peered from its upstream providers was busy finding new peers to the internet. Yet another check shows that the provider succeeded in regaining connectivity, and only two of the ISP’s that are home to handfuls of Zeus C&C’s are withdrawn (as of 11:30 a.m. Mountain Time 3/11/2010):

50215 TROYAK-AS Starchenko Roman Fedorovich

  Adjacency:     5  Upstream:     1  Downstream:     4
  Upstream Adjacent AS list
    AS8342          RTCOMM-AS RTComm.RU Autonomous System

With the original de-peering, it was thought that 68 monitored Zeus C&C’s were disconnected from the net. But, of the six ISP’s hosting almost five dozen Zeus C&C’s, only two remain de-peered, leaving 43 monitored Zeus C&C up and running. We hope to see these come down soon. In the meantime, ensure that a protective layer like ThreatFire is installed on your system, effective against Zbot attacks. And cheers to the awesome zeustracker site.

Posted in Hackers | Tagged | Leave a comment

Click fraud is a lot like shoplifting. It’s not the most shocking crime you know of, and it’s not really victimless. It is theft. But observing and identifying click fraud is more difficult than watching a kid slip an unpaid-for candy bar or magazine into their pocket. It’s also a cost of business that burdens all customers of a business. Ugly.

There are a lot of technical details to understand about click fraud, and even more that go into evading click fraud sensors. A previous post details how one group camouflages their bot generated queries from fraud monitoring systems by stealing search terms from live humans on infected systems and then re-uses them.

This post will set out to describe another set of click fraud components and activity used by a financially motivated group distributing Zbot and FakeAv in addition to the click fraud components. The group expends considerable effort to distribute their crimeware packages and consistently use blackhat Seo tactics and crack sites. They implement polymorphic malware executables to evade AV scanners on victims’ desktops and anti-reversing and encryption technology to foil analysis. Their click fraud, most likely generating lower revenues than their Zbot and FakeAv activity, probably is more stable and helps keep their money mules, web operators and developers paid, and potentially keeps potential domain squatting sites paid for. They appear to act as a well run money making organization. We also know that the click fraud components are delivered alongside “Alureon/TDSS/Tidserv” drivers, so they are not the only ones spreading the stuff.

A couple of ad-network affiliate related terms and concepts to understand: CPM (cost-per-impression) and CPC (cost-per-click). They are what drive advertising and payouts for ads on the web pages you view. For example, when you browse an online radio web site and it displays an ad for online movie rentals, it’s most likely not because the radio station has a contract with the online movie rental store to display its ads. Instead, they make a deal with an “online media company” with an affiliate program to display whatever ads they provide to them to display. When 1,000 users see the ads on the radio site’s web pages, the ad network pays out a small sum of cash to the operator of the website. The more impressions or views, the higher the payout. Technical details relevant to click fraud of syndiation, sub-syndication and referral deals in Neil Daswani, et al Clickbot.A paper here.

Knowing this simple setup leads to payouts, these cheats looking for easy cash attempt to set up phony web sites hosting ad banners, then infect large numbers of systems with click fraud components (alongside the Zbot spyware and FakeAv), and visit various pages and ads from these infected systems repeatedly. In our lab, these click bots hit banner ads at random rates. Sometimes, they would hit four per minute, wait a couple of hours, and then move on to other sites, where odd videos and pictures are haphazardly posted alongside ad banners. Usually, they would start at a site hosting a slew of bizarre videos, like this one.

The advertised images included ads from tire and tune shops, some restaurants, RV and trailer exchange sites, ringtone sellers, an ad council, singles sites, and many more. Let’s take a look at the components and the network traffic. The main executable performing the click fraud activity most often goes by the file name “msa.exe”, although the file name for the malware is fairly arbitrary over time, and weigh in at approx 100-200 kb. As mentioned above, distributors get the executable onto target systems via blackhat Seo tactics, P2P sharing and crack sites.

Once running, the msa.exe code connects back to one of several sites that have changed over the past several months to exchange initial request information. For example, the malware POSTs data collected from the system to a hard-coded web server address; in January and February, several of the servers’ online locations were fgage. com, tooldawn. com, bestalias. com, iepil. com, and theastic. com. The physical location of the servers themselves seems to move, sometimes in Canada or the US, between major hosting sites. The encoded response to the msa.exe POST is received by msa.exe and copied to a .dat file. This response is decoded by the bot and the Urls to “click” are extracted. It is this list that the bot uses to fetch commands, sites and ads, knowing what Urls are “clickable” and what are available for impressions only, how long to pause between clicks, etc. The data is neatly xml formatted:

<tag type=”iframe” weight=”26″ search=”100″ clicks=”1″ id=”3008″ clickable=”252″>…<feed><![CDATA[http://ad.r----m
edia.com/st?ad_type=iframe&ad_size=468x60&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”23″ search=”100″ clicks=”1″ id=”3007″ clickable=”328″>…<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=300x250&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”26″ search=”100″ clicks=”1″ id=”3005″ clickable=”280″>…<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=120x600&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”21″ search=”100″ clicks=”1″ id=”3006″ clickable=”227″>…<feed><
![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=160x600&section=773245]]></feed>…<ref><![CDATA[http://ad.r----media.com]]></ref>..</tag>…<tag type=”iframe” weight=”25″ search=”30″ clicks=”1″ id=”3045″ clickable=”471″>

After extracting the urls to click, it then hits the web sites described earlier pasted over with oddball videos and images, hosting banner ads. An example from the many over the past few months is tu—aster. com:



After retrieving images and ads from this second site, request sequences often look like this one, which we’ve altered both for brevity’s sake and for privacy concerns, but allowed enough data to be recognized by fellow researchers:

hxxp://ad1.ad–vo. com/st?ad_type=iframe&ad_size=728×90&section=758786
     hxxp://ad2.ad–vo. com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad2.ad–vo. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
     hxxp://ad.yie—-nager. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
     hxxp://ad1.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad2.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.as–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad.yie—-nager. com/iframe3?juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
     hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;cfp=1;rndc=126635781;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
     hxxp://pagead2.g—-esyndication. com/pagead/show_ads.js
     hxxp://g—-eads.g.—–eclick. net/pagead/test_domain.js
     hxxp://pagead2.g—-esyndication. com/pagead/render_ads.js
     hxxp://g—-eads.g.—–eclick. net/pagead/ads?client=ca-pub-8175825562880389&output=html&h=90&slotname=8878168224&w=728&ea=0&flash=–vo.com%2Fst%3Fad_size%3D728x90%26ad_type%3Diframe%26–ler.com%2Fiframe3%0juvrDBw5kMNESk6cFF%3D%3D%2C%2Chttp%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728x90%26ad_type%3Diframe%26fil%3Dgw%26section%3D758786&fu=0&ifi=1&dtd=218
     hxxp://g—-eads.g.—–eclick. net/pagead/imgad?id=CMSty_OwpaPOXxDYBRhPMggZu9r8MIRZeQ 

Also hit are any one of long lists of domains that at the time of writing are “parked”, or “squatted” domains:

 hxxp://collect—-ofcoloniesofbees. com/
hxxp://tra—-splay. com/movies.php
hxxp://aliv—-son. com/
hxxp://allcandlem—-g. com/
hxxp://ano—-look. net/
hxxp://—-l. com/
hxxp://—-l. net/
hxxp://apartm—-areus. com/
hxxp://apart—-toshare. com/
hxxp://abso—-look. com/
hxxp://a—-ake. com/
hxxp://ariz—-ades. com/
hxxp://a—-. com/
hxxp://ar—-. com/
hxxp://a—-. com/
hxxp://a—-look. org/

ThreatFire effectively protects against the deliver vector in the first place. It first targets the evasive downloader, poorly detected by AV engines, so Zbot, FakeAv, and these click fraud components never reach the system and the clickbot never runs.

Posted in Online Fraud | Tagged | Leave a comment

Another earthquake has struck, another hot news, and another vector of malware infection.

Scientists may say that these series of earthquakes were just a coincidence and the end of the world is far from beginning.

But in most probability, hours after the news has broken, it will be the beginning of malicious deeds from malware writers and take advantage of this hot news through social engineering and Search Engine Optimization (SEO); And spread malwares such as Bots, Trojans and Rogue AVs.

Internet users should be careful of clicking the links, and visiting the sites that were coming from unknown source.

Make sure that your Antivirus Software is up to date and be ALWAYS vigilant to what you are clicking and visiting in the internet.

Have a virus free day!


Posted in Virus News | Tagged , | Leave a comment

The Bangkok Post’s article on a Malaysian man’s arrest and extradition to the U.S., charged with identity theft, a part of a prosecution begun in 2008, exposes potentially the 12th person known only by his handle “Delpiero”. The man will be extradited for theft and sale of over 40 million credit card numbers and personal information. From a 2008 article reporting the original case:

“Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname “Delpiero” were also unsealed in San Diego.”

Damages from the hack(s) were not estimated in 2008:  ‘”They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,” Attorney General Michael Mukasey said at a news conference. “And in total, they caused widespread losses by banks, retailers, and consumers. Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point”‘, but the Bangkok Post article seems to cite an estimated $150 million for the ring’s take.

Posted in Hackers | Tagged | 1 Comment

The Koobface gang’s changing tricks and longevity are noted at a recent USAToday article. They’ve recently upped their activity on a major social networking site and user infections appear to have a quick jump. The current theme has been effective for the past month. A message will arrive in a user’s box from a friend (names purposely removed from image). Note that the gang is no longer using the bit.ly service in their attack links:


The link will lead the user to the familiar phony Yuotube “Broadcast Yourself” page with video frame and flash installer prompt “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The “setup.exe” file from “SquarePants”. When setup.exe is run, this file in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.


Past posts on Koobface here.

If you are prompted to install the Flash Player, you can skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view. For legitimate sites, the content should play.

Posted in Virus News | Tagged , | 1 Comment

SEO : Search Engine Optimization.

No, it’s not another buzz word. It’s a technique used by malware authors to propagate their malware. They use one of the most respected search engines today (Google) to make their way into the user’s machine. Piggybacking on a prestigious, and highly trusted search engine is an efficient and effective way to reach out to billions of users worldwide.

Rogue AVs usually use this method. They create fraudulent sites (site A) which redirects to another site (site B) which in turn downloads Rogue AVs into the system. The malware industry makes sure that Site A gets a hit during Google search by targeting search queries that are sensational or new, for example, the Haiti earthquake.

In light of this, users are advised to be vigilant when accessing sites. When even Google is used as a medium by malwares, blind trust on returned links is unacceptable.

Posted in Online Fraud | Tagged , | Leave a comment

In this era of spywares, file infectors have little exposure left. But nevertheless, they are still a challenge to antimalware engineers. Years ago, the names Nimda and CIH were famous in both the malware and antimalware industry. These past few years, the spotlight is on Virut.

Last year we saw an influx of Virus.Virut infected samples. Virus.Virut is, in my opinion, one of the best viruses in a while. Despite the fact that viruses are harmful, I cannot help but admire the work done to create such a virus.

Virut is a polymorphic file infector. What makes Virut different is the fact that it employs all known infection routines: Entry-Point Obscuring, appending, prepending, cavity. Not only does it employ all these techniques, it can combine them (e.g. EPO appending, EPO + cavity + appending, cavity + appending). It also has decryption layers, the algorithm of which can change from ADD/ SUB/ XOR, etc. Both detection and analysis pose as a challenge, but is one that the antimalware industry has met head-on.


Posted in Virus News | Tagged , | Leave a comment

The magnitude 6.4 earthquake does not only rattle Taiwan but even the internet users as well. It is another opportunity for Malware writers to poison returned results from searches about this disaster. It now became a constant attack every time there is major news, earthquake, tsunami or any other event that would call the attention of the people. It seems now it guarantees every news has equivalent virus site. This abused infection vector by fake AVs serve as a warning.

Once unsuspecting users click the malicious site, it will be redirected to fake AV online scan page and shows different annoying pop-ups warning the user that his system is infected and vulnerable to attacks. This might lead the user to download and install the Rogue Antispyware such as Security Antivirus. They have used multiple malicious domain names to prevent them to be easily identified. This infection routine is the same with other reports as you might have read from the previous blogs. But despite of awareness campaign, there are still an increasing number of victims fallen to this scam and worst, lost their money.

I have seen few malicious searched results which start with comma (,) and dash (-) such as above screen shot and from this blog. It is advisable to prevent from visiting these kinds of searched results. Internet users should be very careful in picking which sites to read the latest news. It is much better to read from reputable sources.

Posted in Malware Alerts | Tagged , , | Leave a comment

The U.S. Secretary of Homeland Security Janet Napolitano was this morning’s keynote speaker at RSA Conference 2010, speaking about succeeding in the cybersecurity battle. She joins the list of prominent speakers this week, along with Symantec’s Enrique Salem on “Defeating the Enemy: The Road to Confidence”. The conference continues through the week, and you can keep up to date with links to interactive webcasts  here.

This year’s Cryptographer’s Panel discussed some interesting work on the new MD6 hash algorithm within the SHA-3 Competition, and MD5 as a ”dead hash algorithm”. This talk marked hopefully the last year of commercial Md5 use, in light of Md5′s fairly substantial and vulnerable use by vendors, webmasters and Certificate Authorities up through the beginning of 2009. May its death arrive quickly and a new, performance sensitive MD6 born soon.

Posted in Privacy | Tagged , | Leave a comment
PC Tools just came across to spammed email that contains a FakeAV sample as a file attachment. The email disguises itself as a postcard received from a family member but is actually an installer of RogueAntiSpyware.XPAntispyware2010 that could do extreme damage to your computer.

The email contains the subject: You’ve received a postcard

And the message body arrives as follows:

Good day.

Your family member has sent you an ecard. If you wish to keep the ecard longer, you may save it on your computer or take a print.To view your ecard, open zip attached file.

It appears that this technique used in distributing this rougue program has been proven effective before as few weeks ago, we’ve spotted another sample file of this fake application being spammed. The email seems to contain an invoice copy coming from United Parcel Service of America and instructs user to open the attachment,invoice.exe, which leads to the installation of RogueAntiSpyware.XPAntispyware2010.

Below is the details of the e-mail:

UPS Delivery Problem Number 3512


Message Body

Dear customer!Unfortunately we were not able to deliver the postal package which was sent on the 20th of February in time because the addressee’s address is incorrect.Please print out the invoice copy attached and collect the package at our office.United Parcel Service of America.

After executing the file attachement, it will display fake scan and results. Similar to the behavior of other rogue applications, it display several annoying pop-ups and alerts and urges user to buy the program in order to delete the imaginary threats!

As always, PC tools advises PC users to ignore these false alert messages and do not fall into this trick. Regularly update to the latest database via smart update in order to remove this unwanted program as well as the files associated with it.

Posted in Spam | Leave a comment

Spanish law enforcement nabbed three operators of the Mariposa botnet:  “Authorities identified them by their Internet handles and their ages: “netkairo,” 31; “jonyloleante,” 30; and “ostiator,” 25.”

The massive infection rate described in the article presents just another reason why you need our quiet ThreatFire product protecting your workstation. On a weekly basis, thousands of updated ThreatFire-protected systems were attacked and protected from variants of the bots with a feature we call “behavioral recognition”. It is far superior to AV file scanner signatures and definitively identifies the behavior of malware families like the bots that were a part of the Mariposa botnet. Problems with signature based AV scanner recognition and various Mariposa variant bots were described in a technical paper here.


If you saw a red dialog from ThreatFire warning that it is protecting your system from “Worm.Palevo” or “W32.Pilleuz”, your system was protected from becoming another one of over 12 million Mariposa victims.

Posted in Hackers | Tagged , | 1 Comment

Shortly after the Haiti earthquake incident, the world is rocked again with the news of the Chile earthquake. And with the wave of searches on google about the Chile earthquake, malware authors have once again taken this opportunity to proliferate rogue antipsyware.

Searches returned from google are generally not suspect, especially if they bear URLs that seem normal. But one particular site (bostonmassduilawyer.com/ypi.php?…chile-earthquake-videos) when accessed will redirect you to

This site will display a fake system scan using an HTML page, and clicking anywhere on the page will prompt the user to download the INST.EXE file (detected as RogueAntispyware.SecurityTool by Spyware Doctor). It also displays annoying popups that feeds FUD to users (FUD: Fear, Uncertainty, Doubt).

INST.EXE is just another Security Tool installer. Shortly after executing, it will display a fake scan showing some bogus results. Attempting to activate it will lead you to a page where they offer you a 2 year software license of $49.95, and a lifetime software license of $79.95. Looks tempting, but it’s just a ploy to part you with your money. In truth, it’s one hell of a hefty price to pay for such a useless and annoying scareware.

Posted in Virus News | Tagged , | Leave a comment

      Another variant of Rogue Anti Spyware is creating nuisance to most of internet users. Similar to its predecessors, it comes as perfectly legit looking antivirus software enticing the user to download and purchase it. Further study of its history reveals to us that this Fake software is a clone or a family of previously popular Rogue AVs called Antivirus Live and Antivirus System Pro.

      It displays a fake antivirus scan result enticing the user that his/her computer is infected with so many malicious programs that may lead to the unaware user to download and purchase it.

      Antivirus Soft will also make annoying popups interrupting normal use of computer and may also affects the performance of the computer. While running in the background, it also prevent other normal application to be executed.

      It also makes use of randomized filename and registry entries to make its cleanup difficult.


      File system modifications:
      You may also want to check this name on your process list and terminate them.

  • %AppData%\[random name directory]\[random chars]sysguard.exe
  • %AppData%\[random name directory]\[random chars]sftav.exe
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

      System Registry Modifications:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sftav.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sysguard.exe”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sftav.exe”
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • [random name] = “%AppData%\[random name]\[random character]sysguard.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
    • LowRiskFileTypes = “.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
    • JITDebug = 0×00000001
  • HKEY_CURRENT_USER\Software\avsoft
  • HKEY_CURRENT_USER\Software\avsoft
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.

Sample details: ThreatExpert Report

Manual Removal: See “System Modifications” (Locate and delete the following)

Some Reference:

Posted in Malware Alerts | Leave a comment

A recently reworded post on Microsoft’s attempt to pursue malware distribution in the courts makes it appear that something permanent and substantial has happened in anti-malware efforts (demonstrated by a legal and collaborative effort called “Operation b49″ to takedown Waledac C&C domains). Because of the complications (legal and otherwise) delaying server and domain takedowns, it’s great to see this botnet’s well-known command and control server domains pursued by the powerful legal team. On the other hand, in the meantime, users’ systems continue to be infected with Waledac. And much like the FakeAv organizations and the “John Doe” defendants that Microsoft has filed against in the courts in the past, cybercriminals herding Waledac most likely will pick up and continue to operate in the shadows beyond the reach of law enforcement — the domains and malware most likely will change to evade the takedowns pushed by their court approach. It’s a situation that has been described as “wrestling with a pig”.

In the meantime, the best way to protect yourself is with the latest install of ThreatFire. From our statistics in the ThreatFire community, we see that Waledac binaries continue to attack systems on a daily basis as a bump on the “threat landscape”. The ISC’s post title mistakenly implies that Waledac is not infecting system’s on a daily basis because the group’s “Storm-like” spam campaigns of 2009 have discontinued and because a specific list of domains have been removed, but in fact, Waledac binaries like these are attacking systems on a daily basis. For instance, over the past few days, workstations in the ThreatFire community were attacked by and protected from Waledac in the US and parts of Europe.

Anyways, the ISC handler’s post was an interesting writeup and description of past problems in takedowns (current collateral damage described here), and “Operation b49” adds another strong effort and collaboration to clean up the wild wild web. Cheers to that. Let’s hope that the Waledac bot distributors and botnet operators are worn down with the new strategy while watching their C&C servers becoming unreachable. We’ll monitor the bot’s distribution over the next few weeks and post results. Hopefully, the group is worn down for good.

Posted in Malware Alerts | Tagged , | Leave a comment
by: Mylene Villacorte

Security Essentials 2010 (SE2010.exe) is a new rogue application which is usually arrives as a file dropped by a Trojan or downloaded from the internet. It employs the same techniques as of Internet Security 2010…then again, said techniques have proven effective before, so why fix what is not broken?

Without being asked, SE2010 scans the infected computer and displays the list of threats present in the system. Note that the said list is fake and the files do not really exist.

It displays several fake alert messages and warnings to pursuade user into buying the full version of the application.

Aside from the annoying pop-ups and alert messages, it will not allow users to run any applications, legitimate or not. Instead, it displays a message stating that the application is infected and the only solution to execute the affected application is to purchase the product!
It must be clear that SE2010 should be removed from the infected machine as it only imitates legitimate Antispyware program, not to mention the endless annoying pop-ups and messages. To automatically remove Security Essentials 2010, use a reputable anti-spyware program such as PC Tools Spyware Doctor. Also, provided below the manual removal instructions for free!
Posted in Malware Alerts | Tagged | Leave a comment
The Hockey games on the 2010 Winter Olympics are well under way and SEO poisoning attacks abound! Hockey enthusiasts turning to the Internet in search of game schedules are in for quite a surprise as cyber-criminals are quick to ensure that their malicious websites appear in the top Google search results.

Unsuspecting users who click on the malicious search results are redirected to a fake My Computer online scan page. Here is where the bad guys attempt to ‘scare’ their way into the user’s computers.
Fake My Computer online Scan
Message displaying false detections on the user’s computer
Navigating Away
Users attempting to manoeuvre away from the malicious website are presented with the following message and are left with very little choice:

Countermeasure Against the Good Guys

Malware researchers often share URLs with each other as a way of spreading the news and to warn others and prevent further infection. But the bad guys behind this attack are smart enough to devise a countermeasure. The URLs are no longer enough to replicate the attack. Entering the URL directly on the browser simply redirects the users to the CNN website.

CNN Website

The fake My Computer online scan page ultimately offers a solution to in the form of an installer of the fake antivirus software called Security Antivirus.
File Download
The Works
As with other fake security software, Security Antivirus displays a decent graphical user interface to give its victims that warm fuzzy feeling of installing a legitimate software that will protect their computer.
As mentioned in a previous post, Security Antivirus is a clone of Live PC Care, Windows Security Suite, and Windows System Suite.
Fake Scans
Annoying Pop ups
As unsuspecting users would like to remove all the purported detections found on their machine, Security Antivirus requires activation. And for a lifetime subscription, victims would have to say goodbye to a hefty $89.95 from their hard-earned cash.
License Selection
Credit Card Payment
Entering credit card details here seals the deal. But there’s no stopping the bad guys from abusing the information they have collected.
If you have been a victim of this attack, immediately contact your credit card company to get your money back and to make sure there will be no future unauthorised charges.
Also, when searching for information relating to the Winter Olympics, it always a good idea to turn to reputable sources like news networks and of course the official 2010 Winter Olympics website.
Posted in Online Fraud | Tagged , | Leave a comment
Another hot topic circulating around the internet is the Winter Olympics and the hits around the search engines come soaring when the news of the death of a 21 year old luger Nodar Kumaritashvili breaks out. Malware writers are quick on taking advantage of this news to infect computer users browsing every website wanting to be updated. They also use as well as the current medal count at the said Olympics.
Moreoever, the (malware) samples that are found in the previous hot events (such as Haiti Earthquake, Twilight and Superbowl) were all the same kind of Rogue AV found now. They are of the same family, same setup and the same characteristics. It seems that they’re doing this fashion in an automated way. They’re trying to link these hot keywords so that search engines would point the users to their malicious websites where the malware is hosted.

Death of a luger in winter Olympics triggered the Rogue AV writers to use this as a vector of their infection most especially when the actual video of his death is released.

Search result for luger’s death. Clicking the search result (in red box) would redirect to RogueAV

Internet users who wanted to be updated with this news will unknowingly visit one of these malicious sites. Redirections will occur until the user will experience fake AV pop-ups and enticing them to download the malicious installer file..


Another Malware Writers takes advantage of as the winter Olympics are on-going is the medal standings of each participating countries. They use keyword such as “Medal Count”, “Olympic medal count”, “Olympic standing” in order to be included in search engines and be able to infect users.

Search result for Winter Olympic Medal Standings. Clicking the search result (in red box) would redirect to RogueAV.

Unaware users who wanted to look for medal standings will unknowingly visit one of these malicious sites. Visiting these malicious URLS will download Rogue AV and make the user’s computer have annoying pop ups.


Upon clicking the enticing malicious URL / link, there will be redirections and some different enticing pop-up messages or web page for the user to click on it and download a malicious file.

Pop-up messages telling that the user’s machine is currently infected:

Pop-up messages posing as media player:

The URLs used with these redirections are constantly changed to ensure that propagation of this Rogue AVs are always obtainable for every malicious search result and make certain that it will not be blocked by legit Antivirus Vendors.


As of this writing, there were two types of Rogue AV that can infect user’s computer. One is Security Antivirus and the other is Security Tool (which is a constant download even with the previous RogueAVs’ SEO campaign).
  • Security Antivirus file to be downloaded:

- packupdate_build<1-3>_<1-3>.exe

  • Security Tool file to be downloaded:

- install.exe or player_update.exe


Security Antivirus

It comes as perfectly legit looking antivirus software enticing the user to download and purchase it. Looking further, we can say that it is a clone or a family of Rogue AVs called Live PC Care, Windows Security Suite, and Windows System Suite. Upon execution of the downloaded sample, installation on computer takes place. It will display a welcome message before installation and then runs in the background making annoying pop-ups. It also tries to stop execution of all legit AV executables through registry modification.

Main Window

Security Tool

Upon execution of the downloaded sample, installation on computer takes place. It will then silently drop a copy of itself with randomised filename and registry autorun key for automatic execution upon boot up. The user will only know that installation takes place when a message box appears saying that Security Tool successfully installed.
Same with other RogueAVs it will silently run in the background and make annoying fake AV messages. It also has the ability to prevent legit files to be executed when the user tries to.

Posted in Malware Alerts | Tagged , | Leave a comment