More Mac scareware is continuing to pop up which seems almost daily, with the cybercrooks following the same sort of strategy which has worked so well on Windows: regularly change the look and feel of the fake anti-virus software; use legitimate-sounding brand names (or steal genuine product names); stick to a price-point between $50 and $100; keep the fear factor high; but keep the core programming very similar so development costs are negligible.

Scareware, or fake anti-virus, is fake security software which pretends to find dangerous security threats – such as viruses – on your computer. The initial scan is free, but if you want to clean up the fraudulently-reported “threats”, you need to pay.

Once you’ve paid, the scareware stops lying to you about the non-existent threats, as though it really did clean them up. This means that many victims of this sort of fraud don’t even realise they’ve been duped. Until next time.

These latest OS X scareware variants come from the MacDefender group, though they identify themselves during startup as Mac Shield:

Mac Shield loading screen.

Once activated, the software pretends to look through your files, pretends to find malware, and invites you to clean up:

Mac Shield Virus Scan

But the cleanup isn’t free – you’re required to register:

Mac Shield registration screen.

Registration means payment. The minimum you can get away with is $59.95. But for just $40 more, you can get a lifetime software licence and lifetime support – which would be a good deal, were it not for the fact that the software is completely fraudulent, that the “lifetime” of the software ends tomorrow when the crooks move on to the next bogus brand name, and that there’s nothing to support, since there was no malware in the first place.

You even get a 30-day money back guarantee. Good luck claiming it.

Here are some top anti-scareware tips for Apple users:

* If you use Safari, turn OFF the open “safe” files after downloadingoption. This stops files such as the ZIP-based installers favoured by scareware authors from running automatically if you accidentally click their links.

* Don’t rely on Apple’s built-in XProtect malware detector. It’s better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn’t enough any more.

* Install genuine anti-virus software. Ironically, the Apple App Store is a bad place to look – any anti-virus sold via the App Store is required by Apple’s rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

* Religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don’t do this – an anti-virus evaluation should let you try out detection and disinfection before you buy.

If you would like to try a great free version of a REAL anti-virus software package for free, Sophos has a great free product you can try out here.

For years, ads pimping malware disguised as legitimate antivirus programs have gone to great lengths to mimic the look and feel of Microsoft’s Internet Explorer browser and Windows operating system. Now Mozilla Firefox, Google Chrome, and Apple Safari are getting the same treatment.

A security researcher from Zscaler has recently uncovered a campaign that’s tailored to the browser that the intended victim is using. Those with IE will see the same tired graphic depicting a Windows 7 security alert, but look what happens when the visitor is using Firefox.

Fake Warning in Firefox

Not only does the image contain internal Firefox elements in the source code, it also spoofs the security warning the browser shows when users attempt to navigate to an address known to be malicious, said Julien Sobrier, a senior security researcher at Zscaler.

When the intended mark visits the page with Chrome, the ruse looks altogether different. The first screen shows a warning window bearing the browser’s distinctive logo and the words “Chrome Security has found critical process activity on your system and will perform fast scan of system files.”

Fake Google Chrome warning

The user then sees what purports to be a Chrome window showing a virus scan.

Fake scan in Google Chrome

Not to be left out, Safari is also spoofed, although with significantly less effort. The initial warning looks like this:

Fake Safari warning

But the scan page defaults to the look and feel of IE.

The ads are an attempt to trick visitors into believing they have infections that can be cured by the software being offered in the ad. By customizing the screens to the browser, it stands to reason, malware mongers stand a better chance of succeeding.

“I’ve seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox,” Sobrier said. “I’ve never seen targeted fake AV pages for so many different browsers.”

Some of the sites that redirect to the scam include columbia.faircitynews.com, www.troop391.org, jmvcorp.com. When successful, the redirected page pushes the file InstallInternetDefender_xxx.exe, where “xxx” is a number that changes frequently. At time of writing, it was detected as malicious by just 9.5 percent of the major (legitimate) AV packages, according to a VirusTotal scan.

No doubt, many readers are savvy enough to spot scams like this, but what about poor Aunt Mildred, who has being told by a well-meaning relative to never, ever use the heavily targeted IE? Makes you realize why fake AV can be such a huge revenue generator.

Sobrier, who blogged about his findings here, first spotted the customized ads on Monday.

USB Flash Drive

Here’s some good news for anyone who has been struck by auto-running malware from a USB stick in the past. Microsoft has rolled-out an “important, non-security update” through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.

Not sure what Autorun is? It’s the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

It may sound like a neat idea, but a lot of malware (The Conficker worm would be perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.

The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.

In fact, in a blog post published yesterday, Microsoft’s Holly Stewart presented statistics which suggested that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.”

XP vs. 7 using Autorun.

Yesterday, Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user’s permission.

Note, however, that this isn’t the death of Autorun entirely. As Microsoft’s Adam Shostack explains on the MSRC blog, Autorun is still available for “shiny media” such as CDs and DVDs.

Hmm. I guess that will be welcome news for any misguided company which tries to emulate Sony’s disastrous scheme from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.

All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology in my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that can we make.

Shortened URLs included in garden-variety emails and tweets are harder for antivirus and antispam applications to weed out, giving hackers another lucrative avenue to spread spam quickly and with much greater efficiency.

That’s the word from security software vendor Symantec (NASDAQ: SYMC), which dedicated most of its July MessageLabs Intelligence report to the pesky shortened URLs that are pretty much a prerequisite for quickly sharing links to stories, tweets and images on Twitter and other microblogging services.

Symantec’s report found that shortened-hyperlink spam hit a one-day peak of 18 percent of all spam emails on April 30, a total of more than 23.4 billion messages in one 24-hour period.

More troubling, Symantec security experts said, is the recent trend showing that shortened, spam-laden URLs are becoming as much a fabric of the spam culture as come-ons from Nigerian royalty and shady pharmaceutical dispensaries.

In the second quarter of last year, Symantec found that there was one day out of the three-month span during which shortened hyperlinks appeared in more than 1 in 200 spam messages. This year, however, there were 43 days when shortened URLs with spam accounted for 0.5 percent of all spam traffic and 10 days when the total surged to more than 5 percent of all spam messages.

“As far as spammers are concerned, any tactics that make it harder to block their spam emails are going to be exploited,” Paul Wood, a senior analyst at Symantec’s MessageLabs, said in the report.

“When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional antispam filters to identify the messages as spam based on the reputation of the domains found in the spam emails,” he added.

This alarming influx of shortened URLs containing spam and malware was to be expected, security experts say, as more and more people embrace Twitter, its messages’ 140-character limit and the short URLs they often necessitate. And now that these shortened URLs with legitimate-looking domains are now being disseminated by botnets, the spammers are increasing their infection rate and generating lots of ill-gotten revenue.

Symantec’s surveillance revealed that the infamous Storm botnet, which reemerged in May, is the main source of malicious shortened URLs, accounting for some 11.8 percent of spam in the category.

“While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet, such as unidentified spam-sending botnets or non-botnet sources, such as webmail accounts created using CAPTCHA-breaking tools,” Wood added.

The report discovered that that on average, one website visit is generated for every 74,000 spam emails containing a shortened URL link and the most frequently visited shortened links from spam received more than 63,000 website visits.

Example of infected website warning.

According to a new report published in a blog last month by researchers at security firm Dasient, the number of websites infected by malware in the second quarter of 2010 spiked to more than 1.3 million — the first time that figure has ever topped 1 million.

“That’s a jump of almost two times the number that we saw in the previous quarter,” says Neil Daswani, co-founder of Dasient. “The numbers are really surprising.”

Malware authors are becoming more efficient and creative in their methods of attacking websites, Dasient says. For one thing, they are creating new malware at an exceedingly rapid rate: Dasient detected more than 58,000 new infections in Q2 alone, raising its comprehensive malware library to more than 200,000 different infections.

Attackers are also becoming more crafty in the way they distribute their payloads, Daswani observes. For example, many malware authors have begun deploying new infections late on Friday afternoons, when they know most IT departmental resources will be at an ebb over the weekend.

“They can make the campaign last longer by starting it right before a weekend,” Daswani says. The average malvertising campaign in Q2, for example, lasted 11.5 days.

Malvertising itself continues to grow, Dasient says: More than 1.6 million malvertisements are served on an average day, up 20 percent in the second half of Q2, according to the report. Some 42 percent of websites rely on third-party advertising resources, yet many site operators do not vet this content for malware before they serve it, Daswani notes.

Attackers favored JavaScript over iFrames as a means of delivering malware in Q2, according to the report. “In Q2, over 43,000 JavaScripts and over 15,000 IFRAMEs were added to Dasient’s infection library,” Dasient says. “As a percentage of the total number of new entries, JavaScript samples have increased by 19 percent, and JavaScript samples now make up 74 percent of the entries for the quarter [as compared to 55 percent three quarters ago].”

“One of the advantages of JavaScript is that it can be used to modify a whole Web page, whereas an iFrame is more limited,” Daswani says. “JavaScript offers a larger attack surface.”

Attackers use .com and .cn domains most frequently to host malicious code, Dasient says. In Q2, there was a rise in .info domains that were infected and used to host malicious code, the report states.

Three out of four drive-by-downloads have one letter filenames and are written to the User’s Application Data directory, according to Dasient. The most common name for a drive-by-download was f.exe.

The level of attack sophistication is going to only increase over time, Daswani says. “This is a problem that isn’t slowing down,” he says. “It’s not going away.”

The PowerEdge R410 Rack server has spyware within its embedded systems management software. The direct seller is sending customers letters warning of the danger and also telephoning those affected.

A post in a support forum says customers should hear from Dell shortly. It does not provide any technical explanation of what type of spyware is included with the hardware or what extra cleaning process customers should go through.

Some forms of malware are likely to have spread if the hardware has been attached to a network. The forum post, from yesterday morning, is here.

The forum poster was concerned not to have more technical information – and that the call he received to book technical support said the call might not happen for up to ten days.

In response a Dell support staffer said there was an issue with a small number of service motherboard stock – new PowerEdge systems are not infected. He said the malware would not infect non-Windows servers.

Dell has also sent out the following statement:

“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.

This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Fortunately the forum has also been updated with information which answers some of the relevant questions – the malware was found in the flash on motherboards, not in firmware. It is a W32.Spybot worm which should be detected by any decent anti-virus software.

Dell said that less than one per cent of boards shipped have the infection. Systems using an iDRAC Express or iDRAC Enterprise card will not be damaged. In fact systems will only be hit if you run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.

The Pirate Bay

A series of attacks on The Pirate Bay, one of the most well known and controversial file-sharing websites has allowed a group of Argentinian hackers, headed by malware researcher Ch Russo, to access both the user database and the website administration panel of The Pirate Bay, comprising over 4 million usernames and email addresses in the process.

It is thought that the group first targeted the website administration panel on The Pirate Bay, the group succeeded and then employed a series of SQL injection vulnerabilities to gain access to the user database, where they were able to add and amend records and obtain information to identify trackers and torrents uploaded by specific users.

Ch Russo posted a cryptic message on his blog detailing reasons behind the attack:

As any other website, as any other system or mechanism, www.thepiratebay.org has robust parts and soft spots. We beleive that the people behind this comunity always acted with the local laws on their side, and so have we. The community caused problems to huge companies and corporations which turned into threats between this companies and them. What we have done, we did not do it with anger, or for commercial value. As always, we saw the change, the moment and decided to take it. The protocol or procedure done to achieve this wasn’t anything out of the ordinary.

As you can see, Russo acknowledges that the data would be of huge interest to anti-piracy groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). In a telephone interview with KrebsOnSecurity he said: “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” adding “Instead we wanted to tell people that their information may not be so well protected.”

Screenshot of the backend of The Pirate Bay

According to Softpedia, the attackers have not been in contact with The Pirate Bay administrators since the attack but the offending weakness has since been identified and patched.

Chinese PC manufacturer Lenovo is the latest high-profile company to be compromised. Sometime over the past weekend, its support pages, which allowed users to download drivers and manuals, were compromised with the addition of a malicious iframe.

The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY (by Trend Micro). This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.

BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. Upon investigation by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.

Later investigations by senior advanced threats researcher Loucif Kharouni established the key role BREDOLAB plays in the criminal underworld. As mentioned earlier, cybercriminals running pay-per-install (PPI) scams frequently use BREDOLAB to infect user systems.

Botnet Model

Lenovo has acknowledged the incident on its official forum and has indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor Bkis indicated that the pages have been infected since at least Sunday afternoon. Some users also reported getting antivirus warnings while visiting Lenovo’s download website since Saturday.

Users who did go to the Lenovo pages to download support materials from late on June 18 (Friday) to June 21 (Monday) may have been affected by this compromise and should check their systems accordingly.

This further proves the point that you should always have an antivirus program running on your computer at all times (and make sure its updated as well!). Even websites that you think are safe can fall victim to these types of attacks leaving everyone at risk. So be safe out there… cause the internet is one crazy place!

The number of malware and spyware programs found on smartphones has more than doubled in the past six months — and some types of malware are more prevalent on certain smartphone platforms than others.

New data gathered from users of a free smartphone security tool shows the bad guys are increasingly going after smartphone users. According to Lookout, which offers a free lightweight mobile client with cloud-based security, backup, and anti-theft features, there were about nine pieces of malware and spyware per 100 smartphones as of last month — more than twice as many as in November 2009.

Even more worrisome is how rapidly these threats are hitting smartphones in comparison to the desktop: What took 15 years to evolve with the desktop machine is happening practically overnight in mobile handsets, security experts say. “We call this the 1999 factor: It feels like about 10 years ago in terms of prevalence of threats. There was a tipping point between 2000 and 2002 [for PC threats] that was driven by broadband” and more consumers going online, according to John Hering, CEO and founder of Lookout, formerly Flexilis. “The same trends are going to hold true here [with smartphones].”

Tyler Shields, senior security researcher with Veracode, says he has seen a definite uptick in malware arriving for smartphones during the past few months. “It’s coming at a much faster rate now. It’s difficult to quantify the amount of growth,” however, he says. Shields earlier this year developed and released proof-of-concept source code for a spyware app he created that forces a BlackBerry to hand over its contacts and messages. The spyware can also can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS.

Spyware is the main type of malware Lookout sees being created for BlackBerrys, while Windows Mobile phones suffer more from traditional malware, and Androids from a little of both, according to Lookout’s data. “We’re seeing a pretty equal spread [of the threats] across these platforms,” Lookout’s Hering says. The firm doesn’t yet support the Apple iPhone in its app, so data on the iPhone isn’t included.

Why mostly spyware on the BlackBerry? Veracode’s Shields says it might be due to the heavy corporate use of BlackBerrys, which would make any data lifted from them more easily monetized. “The type of data on a BlackBerry generally is going to be corporate-centric and could be of interest to attackers,” he says.

A recent malware attack against Windows Mobile phones basically took an existing, legitimate smartphone app and booby-trapped it with malware: The 3D Anti-Terrorist app game for Windows Mobile was rewritten with auto-dialer malware, according to Lookout’s Hering. The app basically fires up the auto-dialer malware when the user runs the game. “It sits dormant for hours or days, and then wakes up and calls numbers at a premium rate — from Somalia to the South Pole,” for instance, he says. “The victim is then incurring charges but doesn’t notice until [he] receives the phone bill.”

A Windows codec and poker app also were hijacked, copied, and repackaged with malware. The apps are being distributed via typical mobile download and app store sites, such as sharewareplaza.com, geardownload.com, myzips.com, and top4download.com. “We’re seeing the same evolution on mobile as on the desktop: It’s going from notoriety [purposes] to trying to profit,” Hering says.

The malware attack vector being used against smartphones isn’t the SMS or email spam that was all the rage in the early days of mobile attacks. Instead, it’s following smartphone user behavior trends and exploiting downloadable applications, experts say. “Users are downloading apps at a huge pace,” Hering says.

And smartphones are actually more “personal” than PCs. They include GPS location, payment information, email, text messages, and records of who a user communicates with. Hering says today’s smartphone malware is all about grabbing personal information and, now, attempting to monetize it. “On the spyware side, you can imagine an app grabbing personal data that you’re unaware of [occurring] and transmitting that to a third-party location” where it can be resold, for example, he says.

Meanwhile, enterprises should be aware of the risks of breaches via their smartphone users. “They should be worried about this,” Hering says.

But the likelihood of another Operation Aurora-scale targeted attack isn’t as likely to hit via the smartphone just yet: “At this point in time, the PC [attack] model is so much easier and faster. I don’t foresee that level of coordination to target mobile devices at this point,” Veracode’s Shields says.

Is your computer secure?

Have you got $67 burning a hole in your pocket? Then you can rent a botnet for 24 hours to launch distributed denial of service (DDoS) attacks, sell fake antivirus software and relay spam to unsuspecting email users via millions of compromised — aka zombie — PCs. Or if you only need an hour, that’s just $9.

Those findings come from iDefense VeriSign’s security intelligence service, which studied 25 black market botnet offerings. Based on the company’s research, botnets are becoming increasingly commoditized, with sellers freely hawking their wares via online forums and banner advertising.

“Organizations need to be wary of the fact that their critical online applications or services could be taken down in under a day by a criminal renting services from bot herders,” said Rick Howard, director of intelligence at iDefense, in a statement.

Unfortunately, the easy access to botnets, as well as the emergence of more automated botnet software, has lowered the botnet barrier to entry for less technologically inclined or well-connected criminals.

In March, for example, Spanish police arrested the three alleged masterminds behind the Marisposa botnet, which ran undetected for six months, compromising more than 12 million PCs, many at blue-chip firms and banks.

“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, senior research adviser with Panda Security, told the Guardian. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”

Mariposa may now be defect, but one of the most well-known botnet tools, Zeus, is still alive and well. According to a recent report from managed security services provider SecureWorks, “Zeus is sold in the criminal underground as a kit for around $3,000-4,000, and is likely the one malware most utilized by criminals specializing in financial fraud.”

Customize Zeus with numerous add-ons: virtual networking to take over an infected PC ($10,000), an upgrade for attacking Windows 7 or Vista ($2,000), Jabber IM broadcasting to receive stolen data in real time ($500), a Firefox form grabber ($2,000) and a back-connect module for making financial transactions from an infected PC ($1,500). Interestingly, the Zeus application also includes sophisticated anti-piracy features.

If the going rate for renting a botnet or buying the right software seems steep, antivirus vendor Sunbelt recently said that it’s been tracking a Twitter-controlled botnet that can be used to launch DDoS attacks. Dubbed TwitterNET Builder, the tool — available at no charge — lets an attacker simply enter a Twitter username and hit “build” to generate the required malware.

Thankfully, the tool’s reliance on public Twitter commands for control means that attackers get what they pay for. “We’ve notified Twitter about this bot creation system, and they’re looking into it,” said Boyd. In other words, don’t try this at home.

Example of a Server Room.

At the Federal Trade Commission’s request, a district court judge has permanently shut down 3FN, a rogue Internet service provider that recruited, hosted, and actively participated in the distribution of spam, spyware, child pornography, and other illegal content.

The ISP’s computer servers and other assets have been seized and will be sold by a court-appointed receiver. The operation has been ordered to turn over $1.08 million in ill-gotten gains to the FTC.

In June 2009, the FTC charged that 3FN, which does business under a variety of names, actively recruited and colluded with criminals to distribute harmful electronic content, including spyware, viruses, Trojan horses, phishing schemes, botnet command-and-control (C&C) servers, and pornography. The FTC alleged that the defendant advertised its services in the darkest corners of the Internet, including a chat room for spammers.

The FTC complaint alleged that 3FN actively shielded its criminal clientele by either ignoring takedown requests issued by the online security community, or by shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.

The FTC also alleged that 3FN deployed and operated botnets. According to the FTC, the defendant recruited bot herders and hosted the C&C servers.

Transcripts of instant-message logs filed with the district court show the defendants’ senior employees discussing the configuration of botnets with bot herders. And, in filings with the district court, the FTC alleged that more than 4,500 malicious software programs were controlled by C&C servers hosted by 3FN.

This malware included programs capable of keystroke logging, password stealing, and data theft; programs with hidden backdoor remote control activity; and programs involved in spam distribution, the FTC said.

On June 15, 2009, the court issued a preliminary injunction to prohibit 3FN’s illegal activities and require its upstream Internet providers and data centers to stop providing services to 3FN.

The court has now ordered a permanent bar on the illegal activities of 3FN and its agents. It has appointed a receiver and instructed him to liquidate the operation’s assets.

The defendants named in the FTC’s complaint are Pricewert LLC, also doing business as 3FN.net, Triple Fiber Network, APS Telecom, APX Telecom, APS Communications, and APS Communication.

If you get a posting on your Facebook wall telling you “this is without doubt the sexiest video ever! ” which seems to be accompanied by a video titled “Candid Camera Prank [HQ]” then don’t click on the video: it’s a lead-in to malware.

Clicking the link will take you to what seems like a Facebook application which then tells you that your video player is out of date – and encourages you to download a file.

If you do, then the same “video” plus link gets posted using your avatar to al your friends on Facebook -– meaning it is spreading virally.

It’s not clear at present whether Facebook has acted to halt it. You should, however, expect that it will mutate in the coming hours/days (depending on how determined the virus writer is), so it might not be exactly that message or video frame. The key element in the attack is that it tells you to download a file.

At Sophos, Graham Cluley notes that:

“Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.”

The file seems to install a piece of adware called Hotbar, which thus generates revenue for the malware writer. (About Hotbar: “displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer. The toolbar contains buttons that can change depending on the current Web page and keywords on the page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.”)

Microsoft is, separately, strongly encouraging people and companies to stop using Internet Explorer 6, using the argument that “you wouldn’t drink 9-year-old milk, so why use a 9-year-old browser?”

Though aimed at the Australian market (possibly IE6 has a higher prevalence there due to some geographical quirk), the arguments for abandoning IE6 are stronger than ever, and have been repeated many times – not least on this site (the browser that won’t die, why the NHS can’t get its browser act together). And of course it is widely believed – though so far not confirmed – that IE6 was the vector for an attack against Google by Chinese hackers at the end of last year.

A decade after the Love Bug virus attacked millions of computers worldwide and put the Philippines in the IT world map in a negative way, computer security experts have noticed that today’s computer attacks are more malicious than the original computer security threat.

In its April 2010 security report, Symantec said it has detected 36,208 unique strains of malware that were designed to carry out targeted attacks.

MessageLabs, which was acquired by Symantec later, was the first one to raise the alert on the Love Bug virus, which was designed to overwrite and destroy data. The virus came in the form of a message attachment when, once opened, sent itself to the addresses of the email recipient and spread on from there.

Ten years since Symantec Hosted Services, then MessageLabs, intercepted 13,000 copies of the virus in a single day on 4 May 2000, MessageLabs Intelligence said it now stops 1.5 million copies of malicious e-mails each day.

“Although mass mailing viruses like the Love Bug are rare today, cyber criminals’ techniques have evolved to more malicious, highly targeted attacks and they are motivated less by achievement and credibility than by financial gain and identity theft,” Symantec said in a statement. “On 4 May, 2000, 1 in 28 e-mails contained the Love Bug virus. By comparison, 1 in 287.2 e-mails contained a virus on 9 April 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware.”

“The Love Bug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year,” said MessageLabs Intelligence senior analyst Paul Wood. “Back then, users were less savvy, regarding the dangers posed by suspicious e-mail attachments and e-mails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks.”

Bot Attacks

The April 2010 MessageLabs Intelligence Report also revealed that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control.

The report noted that Rustock has reduced the output of individual bots by 65 per cent but increased the number of active bots by 300 per cent, thus, making up for the decreased output. Meanwhile, Cutwail has reduced in size to 600,000 bots from two million bots in May 2009 and is now responsible for only four per cent of all spam. “Rustock remains the largest spam-sending botnet responsible for 32.8 per cent of all spam,” the report read.

“Affected by the closure of ISP Real Host in August 2009, Cutwail likely lost the ability to update some of its bots causing its numbers to diminish greatly without the ability to recover,” said Wood. “As a result, Rustock has taken over significant volumes from spammers by undercutting the market with greater capacity and lower operational costs.”

Spam

Worldwide, the spam rate this month was pegged at 89.9 per cent, a drop of 0.8 per cent from the previous month. In the region, Malaysia and Singapore also saw a drop in the spam rate to 87.7 per cent, and 87.6 per cent respectively, the report added.

“Spam is more commonly sent from computers running Windows than from those running other operating systems,” Wood said. “However, spam not identified as coming from botnets was seen in lower proportions coming from Windows machines than from known botnets.”

A smiley-faced instant message with a photo link posing as if it’s from someone on your buddy list is actually spreading misery worldwide in the form of a worm on Yahoo Instant Messenger: The IM ultimately delivers a worm that allows an attacker to take over the victim’s machine, not to mention spread itself among the victim’s contact list.

Researchers at BitDefender, BKIS, and Symantec today each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. Catalin Coisoi, senior malware and virus researcher for BitDefender, based in Romania, says his team has seen infection rates as high as 500 percent per hour in his home country since they first spotted it last week. “Today it started spreading like wildfire,” Coisoi says.

He says the socially engineered message appears to be capitalizing on the May 1 national holiday in Romania. “People expect to see pictures [from their friends and colleagues] after a national holiday,” he says. But he also expects the worm to make inroads in the U.S. today and tomorrow, with potential victims coming off of a weekend.

The worm — known as Palevo by BitDefender, W32.Ymfocard.fam.Botnet by BKIS, and W32.Yimfoca by Symantec — is a new variant of an existing worm. In the Yahoo IM attack, it tricks the user into saving what appears to be a JPG or GIF file, but instead is a malicious executable.

BitDefender says the worm contains a backdoor, which lets an attacker take over the victim’s compromised machine, to install more malware, steal files, intercept passwords, and launch spam or other malware attacks on other systems. It’s also spreading the way the infamous Conficker worm has done, via network shares and removable USB drives using the Autorun feature. When an infected memory stick gets loaded into a machine with Autorun enabled or unprotected, the machine can automatically be infected with the worm.

“You can do anything you want with a backdoor — keylogging to search for passwords, or it could be a botnet,” Coisoi says. “It offers the attacker full system access.”

It also spreads via peer-to-peer sharing sites, such as Kazaa and LimeWire which are all too easy to pack these types of files in with movies files and software cracks.

The good news: Because it drops an .exe file, it requires the user to run it for it to go live. According to Symantec, once the worm is run, it adds itself to the Windows Firewall list, stops the Windows Update service, and configures itself such that it runs each time the system boots. The worm automatically sends itself to everyone on the victim’s contact list.

“The nature of this attack is nothing new, because some worms already used this way of attack,” BKIS researchers blogged. “However, it is always potentially dangerous to [unaware] users. Bad guys have integrated some phishing elements to trick [the] user into clicking the link and then opening the downloaded file.”

So basically, if someone sends you a link via an instant message out of the blue, it might be best to double check with them what exactly they are sending you, so you don’t fall victim to this new worm.

There are few signs that indicate your computer is part of a botnet that might not be indicating something else. Any malware can cause almost all of the same symptoms that a bot can. Sometimes conflicts between programs or corrupted files can cause the same symptoms as well, but still, there are some signs that should not be ignored. So, in no particular order…

1)    Your fan kicks into overdrive when your computer is idle
This can indicate that a program is running without your knowledge and using a fair amount of resources. Of course this could also be a bunch of Microsoft updates being installed. Another problem that can cause the fan to kick in like that is excessive dirt in the computer or a failing CPU fan.

2)    Your computer takes a long time to shut down, or won’t shut down properly
Oftentimes malicious software has bugs in it that can cause a variety of symptoms, including long shut down times of a failure to shut down. Unfortunately, operating system bugs and conflicts with legitimate programs may cause the same symptom.

3)    You see a list of outbound Wall posts you didn’t send on your Facebook page (see below)

There are few reasons other than malicious software or having your account hacked that would cause this problem. If you see this happening, you definitely want to change your password and make sure you computer is not infected. Best to make sure your computer is not infected before changing your password!!! Don’t use your Facebook password on multiple sites!!!

4)    Programs are running very slowly
This can be a sign that hidden programs are using a lot of your computer’s resources. This also can be a sign of other problems. On Windows systems if there are 10,000 files or more in a single directory it can really bring a system to a crawl.

5)    You cannot download operating system updates
This is a symptom you cannot ignore. Even if it isn’t a bot or other malware, if you don’t keep your system patched your computer probably will get infected.

6)    You cannot download antivirus software updates / visit vendors’ websites
Malware often tries to prevent antivirus software from running or being installed. An inability to update your antivirus software or visit the vendor’s web site is a pretty strong indicator of malware.

7)    Internet access slows to a crawl
If a bot is using your computer to send massive amounts of spam or participate in an attack against other computers, or to upload or download a lot of data it can make your internet access very slow.

8)    Your friends and family have received e-mail message from you that you did not send
This can be a sign of a bot, other malicious software, or that your webmail account has been hacked.

9)    You receive pop-up windows and advertisements even when you are not using a web browser
While this is a classic sign of adware, bots can install adware on your computer. You definitely want to get this problem taken care of.

10)    Windows Task manager shows programs with very cryptic names or descriptions (the highlighted line is the example)

Using task manager requires some skill and research. Sometimes legitimate software uses cryptic names as well. An entry in task manager is generally not enough to identify a program as being bad. This can help you find bad programs, but many additional steps must be performed to validate you findings. Killing processes and deleting files or registry entries because you “think” it is a bot or other malware can result in the inability to even boot your computer. Be very careful of making assumptions and acting on them.

Although this doesn’t cover everything that could mean you are part of a botnet, this is a good list of the major signs you will see, and means you need to get your computer cleaned ASAP!

TrendLabs recently received a new FAKEAV sample, which they now detect as TROJ_FAKEAV.BLW. Like previous variants, it poses as a legitimate antivirus application that displays false detections, disables firewall and security center functions, and produces pop-up warnings to force affected users to purchase rogue antivirus software.

Unlike its predecessors, however, this sample uses the file name AV.exe. If users are not into computers, they may think this is a valid antivirus application. It uses registry shell spawning as autostart technique, which means the malware is executed every time a user runs files that have the .EXE file name extension. It also uses any of the following application names:

• %1 Antispyware 2010
• Antivirus %1 2010
• %1 Guardian 2010
• %1 Guardian
• %1 Defender 2010
• %1 Antivirus
• %1 Antivirus 2010
• %1 Antivirus Pro
• %1 Antivirus Pro 2010
• %1 Internet Security
• %1 Internet Security 2010

Note that %1 refers to the OS installed on the affected machine. This makes the malware flexible in that it is able to take advantage of the features of an infected user’s OS.

Whenever an infected user attempts to access the Internet via Internet Explorer (IE) or Firefox, this malware displays warning messages saying these browsers are malicious. (Internet Explorer on the left and Firefox on the right)

This may cause the user to panic since these are two of the most commonly used browsers. Users who are tricked into purchasing the bogus product are redirected to multiple rogue antivirus domains.

This list ensures that the malware can access other domains even if some have already been taken down. Lastly, this malware does not allow users to execute files from security companies, which prevents the affected user from scanning the affected computer.

When faced with these kinds of false alarms, I would urge users to calm down and avoid purchasing rogue antivirus products. This does not help solve the problem. Instead, it makes things even worse, as this is just a waste of hard-earned money.

This is only the latest tactic seen from the perpetrators of rogue antivirus malware. Recently, advanced threats researchers spotted another FAKEAV run using Sandra Bullock’s recent marital difficulties to spread malware. If you have any questions about this type of malware, please feel free to contact me and I will be glad to answer any of your questions.

Criminals reused an attack from 2008 to hit the Internet with a huge wave of ransomware in recent weeks, a security company has reported.

In the space of only two days, February 8 and 9, the HTML/Goldun.AXT campaign detected by Fortinet accounted for more than half the total malware detected for February, which gives some indication of its unusual scale.

The attack itself takes the form of a spam e-mail with an attachment, report.zip, which if clicked automatically downloads a rogue antivirus product called Security Tool. It is also being distributed using manipulated search engine optimisation (SEO) on Google and other providers.

Such scams have been common on the Internet for more than a year, but this particular one features a more recently-evolved sting in the tail. The product doesn’t just ask the infected user to buy a useless license in the mode of scareware, it locks applications and data on the PC, offering access only when a payment has been made through the single functioning application left, Internet Explorer.

What’s new, then, is that old-style scareware has turned into a default ransom-oriented approach. The former assumes that users won’t know they are being scammed, while the latter assumes they will but won’t know what to do about it.

The technique is slowly becoming more common — see the Vundo attack of a year ago — but what is also different is the size of this attack, one of the largest ever seen by Fortinet for a single malware campaign.

Fortinet notes that Security Tool is really a reheat of an old campaign from November 2008, which pushed the notorious rogue antivirus product Total Security as a way of infecting users with a keylogging Trojan.

“This is a great example of how tried and true attack techniques/social engineering can be recycled into future attacks,” says Fortinet’s analysis.

According to Fortinet, the “engine” pushing the spike in ransom-based malware is believed to be the highly-resilient Cutwail/Pushdo botnet, the same spam and DDoS system behind a number of campaigns in the last three years including the recent pestering of PayPal and Twitter sites.

Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”

Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems — including IE6 on Windows XP — could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft. ”As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content,” said David Ross with the Microsoft Security Response Center (MSRC) engineering staff in a blog entry on Monday.

“The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key,” Ross added.

The security advisory made the same recommendation: “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.” Users can also stymie attacks by disabling Windows Help. The advisory explained how to entering a one-line command at a Windows command-line prompt to lock down the Help system.

The company took Prodeus to task for taking the bug public, something it regularly does when researchers disclose a vulnerability or post sample attack code before a patch is available.

“Microsoft is concerned that this vulnerability was not responsibly disclosed, potentially putting customers at risk,” said Jerry Bryant, a senior manager with the MSRC, in an e-mail. By Prodeus’ account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

Microsoft has not set a timeline for a fix, saying only that, “Microsoft will take the appropriate action to help protect our customers.” The next scheduled security patch date for the company is March 9.

Although it does not rate the severity of vulnerabilities in its advisories, Microsoft noted that hackers exploiting the VBScript flaw using Windows Help and Internet Explorer could grab complete control of a Windows system. Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.

The Mariposa botnet had the power to dwarf Georgia and Estonia cyberattacks if it had been used to launch denial of service attacks, say Spanish police.

Months of investigations by the Guardia Civil in Spain, the FBI and security firm Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

Three Spanish residents suspected of running the botnet have been charged with online offences: the most senior alleged botmaster, nicknamed “Netkairo”, 31, from Balmaseda in the spanish province of Vizcaya, as well as his two alleged lieutenants JPR, 30, from Molina de Segura Murcia and JBR, 25, from Santiago de Compostela in La Coruña. None of the suspects have been named at this stage of proceedings.

In a statement (in Spanish here), Guardia Civil officers said they were also on the trail of a fourth suspect nicknamed Phoenix, who’s possibly based in Venezuela.

Defence Intelligence discovered the botnet last May and formed a team that brought in security experts from Bilbao-based Panda and computer scientists at Georgia Tech Information Security Center. Security researchers infiltrated the botnet’s command and control systems, learning enough to mount a successful takedown operation in cooperation with ISPs on 23 December.

Netkairo responded to this by launching a retaliatory denial of service attack against Defence Intelligence that took out customers at a Canadian ISP for several hours. In wrestling to obtain control of the botnet he made the mistake of connecting to compromised systems using his home PC, a mistake that led to his identification.

Luis Corrons, technical director of PandaLabs, explains the Mariposa botnet’s business model and the takedown operation in a video below.

It turns out a rootkit is responsible for some Microsoft users experiencing the dreaded “blue screen of death” after applying one of the latest Windows patches, Microsoft said today.

Post-Patch Tuesday reports of XP SP2 and SP3 users being unable to restart their systems after applying the new MS10-015 patch led Microsoft to suspend its automatic distribution of that patch while it investigated whether the patch itself was causing the problem. The director of Microsoft’s Security Response Center, Mike Reavey, said in a blog post today that the issue occurs when a system is infected with the so-called Alureon rootkit.

“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015,” Reavey said. “Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.”

The finding syncs with what some security researchers concluded earlier in the week, after initial concerns that the patch itself was flawed.

Meanwhile, distribution of the MS10-015 patch is still on hold for some systems via Automatic Update until Microsoft comes up with a fix for the issue, which it says only affects 32-bit machines. Automatic Updates for 64-bit systems are now again pushing the MS10-015 patch, which fixes a bug in the Windows kernel.

“A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk,” Reavey said.

Microsoft is working on a “simpler solution” to detect and eradicate the rootkit from infected systems, which it plans to release in a few weeks, according to Reavey.

Setting a machine to “standard” rather than “administrator” account mode typically prevents kernel malware from infecting systems, he said, and keeps antivirus signatures up-to-date is also helpful.