A post in a support forum says customers should hear from Dell shortly. It does not provide any technical explanation of what type of spyware is included with the hardware or what extra cleaning process customers should go through.

Some forms of malware are likely to have spread if the hardware has been attached to a network. The forum post, from yesterday morning, is here.

The forum poster was concerned not to have more technical information – and that the call he received to book technical support said the call might not happen for up to ten days.

In response a Dell support staffer said there was an issue with a small number of service motherboard stock – new PowerEdge systems are not infected. He said the malware would not infect non-Windows servers.

Dell has also sent out the following statement:

“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.

This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Fortunately the forum has also been updated with information which answers some of the relevant questions – the malware was found in the flash on motherboards, not in firmware. It is a W32.Spybot worm which should be detected by any decent anti-virus software.

Dell said that less than one per cent of boards shipped have the infection. Systems using an iDRAC Express or iDRAC Enterprise card will not be damaged. In fact systems will only be hit if you run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.

New data gathered from users of a free smartphone security tool shows the bad guys are increasingly going after smartphone users. According to Lookout, which offers a free lightweight mobile client with cloud-based security, backup, and anti-theft features, there were about nine pieces of malware and spyware per 100 smartphones as of last month — more than twice as many as in November 2009.

Even more worrisome is how rapidly these threats are hitting smartphones in comparison to the desktop: What took 15 years to evolve with the desktop machine is happening practically overnight in mobile handsets, security experts say. “We call this the 1999 factor: It feels like about 10 years ago in terms of prevalence of threats. There was a tipping point between 2000 and 2002 [for PC threats] that was driven by broadband” and more consumers going online, according to John Hering, CEO and founder of Lookout, formerly Flexilis. “The same trends are going to hold true here [with smartphones].”

Tyler Shields, senior security researcher with Veracode, says he has seen a definite uptick in malware arriving for smartphones during the past few months. “It’s coming at a much faster rate now. It’s difficult to quantify the amount of growth,” however, he says. Shields earlier this year developed and released proof-of-concept source code for a spyware app he created that forces a BlackBerry to hand over its contacts and messages. The spyware can also can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS.

Spyware is the main type of malware Lookout sees being created for BlackBerrys, while Windows Mobile phones suffer more from traditional malware, and Androids from a little of both, according to Lookout’s data. “We’re seeing a pretty equal spread [of the threats] across these platforms,” Lookout’s Hering says. The firm doesn’t yet support the Apple iPhone in its app, so data on the iPhone isn’t included.

Why mostly spyware on the BlackBerry? Veracode’s Shields says it might be due to the heavy corporate use of BlackBerrys, which would make any data lifted from them more easily monetized. “The type of data on a BlackBerry generally is going to be corporate-centric and could be of interest to attackers,” he says.

A recent malware attack against Windows Mobile phones basically took an existing, legitimate smartphone app and booby-trapped it with malware: The 3D Anti-Terrorist app game for Windows Mobile was rewritten with auto-dialer malware, according to Lookout’s Hering. The app basically fires up the auto-dialer malware when the user runs the game. “It sits dormant for hours or days, and then wakes up and calls numbers at a premium rate — from Somalia to the South Pole,” for instance, he says. “The victim is then incurring charges but doesn’t notice until [he] receives the phone bill.”

A Windows codec and poker app also were hijacked, copied, and repackaged with malware. The apps are being distributed via typical mobile download and app store sites, such as sharewareplaza.com, geardownload.com, myzips.com, and top4download.com. “We’re seeing the same evolution on mobile as on the desktop: It’s going from notoriety [purposes] to trying to profit,” Hering says.

The malware attack vector being used against smartphones isn’t the SMS or email spam that was all the rage in the early days of mobile attacks. Instead, it’s following smartphone user behavior trends and exploiting downloadable applications, experts say. “Users are downloading apps at a huge pace,” Hering says.

And smartphones are actually more “personal” than PCs. They include GPS location, payment information, email, text messages, and records of who a user communicates with. Hering says today’s smartphone malware is all about grabbing personal information and, now, attempting to monetize it. “On the spyware side, you can imagine an app grabbing personal data that you’re unaware of [occurring] and transmitting that to a third-party location” where it can be resold, for example, he says.

Meanwhile, enterprises should be aware of the risks of breaches via their smartphone users. “They should be worried about this,” Hering says.

But the likelihood of another Operation Aurora-scale targeted attack isn’t as likely to hit via the smartphone just yet: “At this point in time, the PC [attack] model is so much easier and faster. I don’t foresee that level of coordination to target mobile devices at this point,” Veracode’s Shields says.

EYEBOT is still just a “newbie,” but should the ZBOT criminal minds choose to respond, there is some potential for a Bot war to ensue.  However, at this stage, we cannot be certain what if any response, the ZBOT criminals are likely to make. On the other hand, both EYEBOT and ZBOT use rootkit technology even though the former behaves more like a “backdoor.”

The new spyware exhibits routines similar to ZBOT, aka “Zeus” variants, which are considered some of the most dangerous malware in relation to information, financial, and identity theft. The EYEBOT spyware steals account credentials by logging users’ keystrokes. It is also drops a configuration file similar to those ZBOT uses to monitor bank-related websites. EYEBOT likewise utilizes rootkit technology to hide its malicious files and processes from affected users, which helps it avoid detection and consequent removal.

Originating from Russia, this spyware also acts as a server to a graphical user interface (GUI)-based client, which is one of its notable differences from ZBOT variants. While ZBOT variants are usually standalone programs, the EYEBOT has to receive commands from a remote malicious user. In this regard, the EYEBOT acts much like a typical backdoor program, which gives cybercriminals access to affected systems.

What further sets it apart from its more experienced counterpart, however, is its capability to terminate ZBOT-instigated processes. A closer look at its binary file reveals that the spyware was designed to monitor known ZBOT mutexes, _AVIRA_ and __SYSTEM__.

Only time will tell if anything comes of this or if this will just become another small player in the ever-growing fight against growing botnets.

As reported in detail by Trend Micro researcher Rik Ferguson in the Counter Measures blog, the New York Times issued warnings through both Twitter and its website’s front page about malvertisements that trigger the display of a malicious pop-up window. The said pop-up window displays the typical fake antivirus warning indicating malware infection. This forces the affected user to purchase a full version of a rogue antivirus software. Of course, the reported infections are in reality nonexistent. The alarming messages are mere distractions to convince the user into giving away important information.

Not only is good money wasted on purchasing a useless software. Important information such as credit card details are also compromised and made available to cybercriminals.

Lately I have been personally seeing a ton of computers at work with this exact infection (Personal Antivirus). The odd thing I take from it is that it doesn’t usually bring along any other malware with it when it gets onto a system. From time to time I see this program on a system that is infected with a rootkit or other more vicious piece of malware, but for the most part, it seems to work alone and does nothing but want to get your money and credit card information.

So it would seem that the creators of this certain rogue security software don’t want to harm their victim’s computers why placing harmful trojans on the system with it, but merely to create an annoying piece of software that will bug you until you pay it to stop… or remove it with a program such as Spybot – Search and Destroy. So be careful out there… cause even well trusted websites seem to be getting hit with these types of breaches that can harm your computer!

Last week the Federal Trade Commission approved its final consent order against Sears Holding Management Company, the parent company of both Sears and Kmart. According to Ars Technica, the company must destroy all data gained from its “My SHC Community” program, and halt all incoming transmissions from the hidden spyware provided by the company currently  installed “in the wild.” The program threw up a red flag as far back as early 2008, with security researchers declaring that Sears was after more than what was originally disclosed in the user agreement.

The voluntary “My SHC Community” survey collected the participant’s online web browsing in exchange for $10. However, the program that participants installed collected more than just casual browsing, but rather transmitted the complete contents of a browsing session, including secure sessions. That meant Sears and Kmart collected personal data including bank accounts, credit cards, addresses, home telephone numbers and more. The installed software also collected non-Internet information about the participant’s computer.

After an investigation, the FTC said that Sears disclosed its tracking intent, but did so in a confusing manner that appeared after a lengthy, multi-step tracking software’s data collection,” the FTC said. Sears has agreed to provide clearer disclosures, separate from any user license agreement, in future marketing programs.

This just goes to show that even the big companies resort to these low blows when it comes to getting information on us… and if even they do it, is any of our data really safe at all?

The Trojan is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains with the IP address, 91.214.45.73 such as:

• allincorx
• bigdron
• cikaredo
• civilizxx
• comeandtryx
• deribrowns
• draxxtermania
• givendream
• hitrowzone
• jumborad
• ltdkeeper
• operationelx
• oxxadox
• paxxtiger
• rednetx
• rstdeals
• simplexdoom
• sinisteer
• tdenuwas
• tniredrum
• ufapeace

If infected, a victim’s Web traffic can then be diverted to the website of the attacker’s choosing.

The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as/tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.

Trend Micro Advanced Threats Researcher Feike Hacquebord notes the domain names have been set up such that when the main IP goes or is taken down, cybercriminals can easily move the backend to another IP address without the need to change code or scripts.

It would serve Mac users well to stay away from the above-mentioned domains and IP addresses or be wary of prompts to download software updates that do not come from Apple’s legitimate website. This is just another small example that proves that even Mac users aren’t

While I have seen a large variety of different forms of infections, the most common one right now is the Rogue Security Application. More specifically a couple of related programs called “WinAntivirus 2007,2008,2009″. Basically how this programs work is pretty simple and easy to spot if you know what to look for. They are usually found in popups while looking around on the internet, and once you have downloaded the “free” version it can claim to find HUNDREDS or even THOUSANDS of security risks or other threats on your system. It then goes on to tell you that to remove all of these threats you need to purchase the “Pro” version of the software as the FREE version can’t remove the threats, and can only identify them for you.

Little do most users realize that infact it has pointed out harmless cookies and registry files as these high alert threats and also in the background is secretly downloading real viruses and other threats to your computer wihout telling you are anything. Because of this users usually start to notice their computers get really slow, the Rogue Security Application start bugging them more frequently to upgrade to the “Pro” version, and as it downloads random BAD things into your system, system files can go missing, and your computer can stop working at all if the more worse ones are downloaded and executed on the system.

This is where a user will either realize something is wrong and seek help (like from us!) or will by that “Pro” version that it keeps popping up on their computer saying it can fix all of these problems. The real problem here is not only will this “Pro” version not fix anything, but it also gives the hackers access to your information of your credit card as well as the money you just paid them for this “Pro” edition. But the good news is there are tools out there to help you clean out your computer if it has been infected by these types of infections. So keep reading!

Here are a few easy steps to help clean out your system if you think you are infected:

1. Boot the computer into “Safe Mode with Networking”
2. Download the file “Combofix.exe” onto your desktop double click it and let it do what it does.
3. If the computer reboots itself make sure to catch it and load it up into Safe mode again.
4. Download and install “ClamWin Portable” to your system. (remember to update the program after it is installed to get the latest updates for the program) Go into the setting and make sure you have it set to “REMOVE” the harmful or infected files and not just report them!
5. Let this program run (though it make take a while) it scans all the files on your computer so it is a very good and intensive tool.
6. Download, Install, and Update Spybot – Search and Destroy and let it check your system for infected files, then clean out anything that it may find on the system!
7. Download AVG 8.0 Trial (must be installed in normal mode not safe mode), update it, then go to scan the computer. Make sure you check the “Change scan settings” and allow it check check for rootkits and to scan media files. Then tell it to scan and clean out anything it finds.

NOTE: Make sure to uninstall any previous Antivirus software you may have on your system because if the system has been infected it is probably pretty likely that your current install of Antivirus software has been damaged and will not work how it should. If you are looking for something to replace and old or outdated Antivirus software on your system to keep it safe from future attacks, what we suggest at my work and what I personally use is the AVG 8.0 Free Edition. This edition is mostly the same as the paid version (the trial you used in the removal process) but it is completely free and has about 95% of the same features that the paid version has to offer.

There you have it, and if you have anymor questions / concerns feel free to contact me or simply leave a comment and I will be happy to reply and help as much as I can!