“A very warm invitation to you,” Courtesy of a Mass-Spam Run

September 17, 2010

McAfee Labs has been monitoring a spam run that was launched earlier today. The message follows:

Subject: A very warm invitation to you

Body:

Hello,

Hope your week has been wonderfull well.  I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.

With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
will be served at the festival.  Besides the spread, cultural and folkloric performances, music, games for children, and activities will be part of the day’s programme.
This once a year event brings all of our friends and family from around the Bay Area, an expression of the internationality of our community, mission and work here.  At the same time, the festival is also a fund-raising initiative open to all, which is important for us in the ongoing Verbum Dei mission here in the Bay Area.

I really look forward to your coming to be able to catch up more.  More details are in the attached invitation, I hope the directions woul be helpful in navigating the way to the St. Thomas More parish.

With joy and peace to you,
Collin Vaughan

Attachment: #####vacation.html
(most typically, but can also be many other names, such as #####.xls.html, #####wachovia summons.html, #####randolph-revisedplans.html, and others)

The attachments are all the same and contain encoded JavaScript that redirects the browser to a web page on the numerouno-india.com domain.

The destination page does a redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (with a target of a page on the arestyute.com domain).
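To show how such an attachment is unpacked, here is an added triage script; it is not code from the original post or from McAfee. The two HTML samples are constructed to mirror the layout described above (an escaped script that sets window.location, then a page with a meta-refresh redirect and an iframe). Only the three domains come from the post; the URL paths and the encoding choices (unescape() and String.fromCharCode()) are assumptions.

```python
import html
import re
from urllib.parse import unquote, urlparse

# Constructed sample standing in for the spam attachment (not the real file):
# the redirect is hidden inside unescape(), one common encoding for such attachments.
SAMPLE_ATTACHMENT = """<html><body><script>
document.write(unescape('%3Cscript%3Ewindow.location%3D%22http%3A%2F%2Fnumerouno-india.com%2Fin.php%22%3C%2Fscript%3E'));
</script></body></html>"""

# Constructed sample standing in for the first-stage page: a meta-refresh redirect
# plus an iframe assembled with String.fromCharCode(). Paths are invented.
SAMPLE_LANDING = """<html><head>
<meta http-equiv="refresh" content="0;url=http://scaner-g.cz.cc/scan/">
</head><body><script>
document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,116,116,112,58,47,47,97,114,101,115,116,121,117,116,101,46,99,111,109,47,120,47,34,62));
</script></body></html>"""

# Domains the post reports as RED-rated; used here only to annotate findings.
KNOWN_BAD = {"numerouno-india.com", "scaner-g.cz.cc", "arestyute.com"}

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)
REDIRECT_RE = re.compile(r"(?:location(?:\.href)?\s*=\s*['\"]|url=)(https?://[^'\"\s>]+)", re.I)


def js_unescape(s):
    """JavaScript unescape(): %uXXXX for UTF-16 units, %XX for bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decode_layers(text, max_rounds=5):
    """Peel off common string-obfuscation layers until the text stops changing."""
    for _ in range(max_rounds):
        before = text
        text = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), text)
        text = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()), text)
        text = html.unescape(text)          # &#60; style HTML entities
        if text == before:
            break
    return text


def triage(raw_html):
    """Report where an HTML attachment (or landing page) would send the browser."""
    decoded = decode_layers(raw_html)
    redirects = sorted({urlparse(u).hostname for u in REDIRECT_RE.findall(decoded)})
    iframes = sorted({urlparse(u).hostname for u in IFRAME_RE.findall(decoded)})
    return {
        "obfuscated": decoded != raw_html,
        "redirects": redirects,
        "iframes": iframes,
        "known_bad": sorted(set(redirects + iframes) & KNOWN_BAD),
    }


if __name__ == "__main__":
    for label, sample in (("attachment", SAMPLE_ATTACHMENT), ("first-stage page", SAMPLE_LANDING)):
        print(label, triage(sample))
```

The decoder is deliberately a string-level peel, not a JavaScript interpreter: it handles the layers that are literal constants, which is enough to recover the hostnames for a reputation lookup. Attachments that build URLs by concatenation or arithmetic need a sandboxed JS engine instead.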

The redirect domain displays the standard fake anti-virus scanning animated image and subsequent prompt to download an executable:


[Images: fake scanning animation, download prompt, icon used by the executable]

The iframe leads to a cocktail of exploits, including one for the Java Deployment Toolkit (CVE-2010-0886) as well as exploits targeting Adobe Flash and Adobe Reader (PDF) vulnerabilities; the Reader exploits include CVE-2007-5659, CVE-2008-2992 and CVE-2010-0188.

The payload of these exploits is a password-stealing Trojan. It copies itself to a randomly named folder and file under the user’s %AppData% directory and creates a registry Run key so that the copy is loaded at logon, for example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “{608F1285-57B7-C631-DE51-8A99508CC7A9}” = “C:\Documents and Settings\Administrator\Application Data\Ezudi\oqek.exe”

This password stealer injects into the Internet Explorer process (iexplore.exe) and targets dozens of mainstream financial institutions.  It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.
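As an added example (not part of the original post), the persistence pattern above can be checked from a .reg export of the Run key: a GUID-style value name pointing at a short, random-looking folder and file under the per-user Application Data directory. The sample export below is constructed; the GUID entry reproduces the one quoted above, and the two benign entries (ctfmon.exe and Google Update) are assumed typical of a clean XP-era profile. The live_run_key() helper reads the same key on a Windows host through the standard-library winreg module.

```python
import re

# Constructed sample in `reg export` (.reg) format, not a capture from an infected host.
# The GUID-named entry reproduces the one quoted in the post; the other two are benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{608F1285-57B7-C631-DE51-8A99508CC7A9}"="C:\\Documents and Settings\\Administrator\\Application Data\\Ezudi\\oqek.exe"
"Google Update"="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
'''

GUID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Per-user writable locations a dropper can reach without admin rights
# (XP-era "Application Data" and Vista+ "AppData").
USER_DATA_DIRS = ("\\application data\\", "\\appdata\\roaming\\", "\\appdata\\local\\")
RANDOM_NAME = re.compile(r"[a-z]{3,8}")


def parse_run_key(reg_text):
    """Return {value name: data} for the ...\\CurrentVersion\\Run section of a .reg export."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line) if in_run else None
        if m:
            # .reg escapes backslashes as \\ and quotes as \"
            entries[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return entries


def executable_path(data):
    """Strip surrounding quotes and command-line arguments from a Run value."""
    m = re.match(r'^"([^"]+)"|^(.*?\.exe)', data, re.I)
    return (m.group(1) or m.group(2)) if m else data


def suspicion(name, data):
    """Reasons an autorun entry looks like the dropper described above."""
    reasons = []
    if GUID_NAME.match(name):
        reasons.append("GUID-style value name")
    low = executable_path(data).lower()
    for d in USER_DATA_DIRS:
        if d in low:
            reasons.append("executable lives under per-user %s" % d.strip("\\"))
            rest = low.split(d, 1)[1].split("\\")
            # one short, random-looking folder holding one short, random-looking exe
            if len(rest) == 2 and all(RANDOM_NAME.fullmatch(p.replace(".exe", "")) for p in rest):
                reasons.append("random-looking folder\\file names directly beneath it")
            break
    return reasons


def scan(reg_text, threshold=2):
    """Return {value name: reasons} for entries scoring at least `threshold`."""
    flagged = {}
    for name, data in parse_run_key(reg_text).items():
        reasons = suspicion(name, data)
        if len(reasons) >= threshold:
            flagged[name] = reasons
    return flagged


def live_run_key():
    """Same key read from the live registry (Windows only, stdlib winreg)."""
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return entries
            entries[name] = str(data)
            i += 1


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_REG).items():
        print(name, "->", "; ".join(reasons))
```

The Google Update entry also lives under Application Data, which is why a single indicator is not enough: the threshold requires the GUID name or the random-looking folder/file pair on top of the location before an entry is reported.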

  • This fake AV executable was detected by Global Threat Intelligence File Reputation at the time of this blogging when running at Very Low sensitivity or higher.
  • The first-stage domain (numerouno-india.com) is rated RED by TrustedSource and SiteAdvisor
  • The second-stage domains (arestyute.com, and scaner-g.cz.cc) are rated RED by TrustedSource and SiteAdvisor
  • The third-stage domains (ohmaebahsh.ru and eexiziedai.ru) have been rated RED by TrustedSource and SiteAdvisor for weeks
  • DAT file coverage is being added under the following names:
    • PWS-Zbot
    • FakeAlert-PE
    • JS/Downloader.gen
    • JS/FakeAlert-AB.dldr

Customers may download updated signatures using the extra.dat request page: https://www.webimmune.net/extra/getextra.aspx. These are also available in the beta DATs.


World of Warcraft Spearphishing and Botting

September 13, 2010

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly get this whisper:

Targeted WoW Phishing Attack

Now normally I simply ignore most whispers I get in-game (other times I simply don’t notice them) but this one caught my attention. Zooming in I think you will see why:

WoW Phishing Closeup

This message is telling me that Blizzard suspects my account of using third-party tools to cheat and would I go to their website, login, and check my account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

Fake WoW Login Page

This particular fake was hosted on an IP address that had a pretty questionable report. (HINT, HINT: use our SiteAdvisor browser plug-in!) World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which adds an additional layer of protection to your logon credentials:

WoW With 2FA

The addition of the 2FA pin makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, now granted I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!

Now what were those third-party apps the original phish may have alluded to? Bots, most likely. As anyone who follows this blog is aware, “bot” is short for robot: a program that automates tasks, and in the cases we usually write about, a malicious one. Some of the more popular bots for World of Warcraft are farming and leveling bots. They are designed for pretty much what you would guess: they automate the “farming” of a variety of materials (later sold for in-game gold) or even honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

WoW Honorbot - Used for Honor and PvP Farming

and also:

GatheringBot - Used to Farm Materials Mainly

Should your account be found to be using any of these, it will get banned–as it violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Make sure you stay updated, properly configured and be cautious of in-game messages!

And level-up old school–the account you save may be your own!


Social Networking Threats: New Report From McAfee Labs

July 12, 2010

Social networking sites and technologies are among the hottest happenings on the Internet. However, in this case every benefit comes with an equal danger: These sites and technologies are also huge targets for cybercriminals. One of McAfee Labs senior researchers, Anthony Bettini, has written an excellent whitepaper on the subject. Social Networking Apps Pose Surprising Security Challenges details some of these areas of concern. I’ll let Tony tell the story:

    Facebook, Twitter, MySpace, and LinkedIn—oh my! If we’re not using these services ourselves or hearing about them in the media, our friends, colleagues, and children remind us each day of their existence. Although Web 2.0 may be a buzzword we all love to hate, media-rich web applications that allow information sharing among users are here to stay and growing in popularity. An article written in October 2009 (so it’s clearly out of date) on the size of Facebook’s data center states Facebook stores approximately 80 billion photos and serves up approximately 600,000 photos per second—making it the largest photo archive in the world.1 Social networking web applications such as Facebook are a big deal.

    As social networking gains users, it will increasingly be targeted by attackers, just as instant messaging and other media have been. For an interesting view on how platform prevalence draws attackers like bees to pollen, see the IEEE article “When Malware Attacks (Anything but Windows).” One popular technology ripe for exploitation in social network applications is the “mashup.” (Wikipedia: “A mashup is a web page or application that uses or combines data or functionality from two or many more external sources to create a new service.”) From the perspective of an application provider such as Google, mashups allow their applications—for example, Google Maps—to become more widely used and embedded within other new applications, like Yelp or the iPhone operating system. However, as we’ll soon see, attackers have also been using mashups to their advantage.

Download and share this excellent paper with all the people you know who use social networking sites and technologies. The dangers are real–but with education, action, and proper security we can successfully manage them.


Watching World Cup 2010 Online Can Lead to Scams

June 28, 2010

Just in case you are looking for websites to watch the 2010 FIFA World Cup matches online, you will also find many questionable websites offering live football streams! Many of these sites will ask you to install software to get access to a P2P-based streaming network. Some of the common types of software offering such P2P-based streaming are Sopcast, TVU, Veetle, StreamTorrent, and many others.

World Cup Abuse

If you use the SiteAdvisor Toolbar you will quite quickly see that many of these sites are flagged as Red or Yellow–indicating potential risks such as malware infection, spyware, or other kinds of potentially unwanted programs. Please be careful when surfing and never download any software from websites with bad reputations. Use our SiteAdvisor technology. Another risk you may run into is being ripped off with a charge or even scammed into a multiyear membership. These costs can be either for the software download itself or for the streaming service, but users often get charged for both.

Risky Downloads

Sopcast or Veetle are actually freeware. They can be downloaded for free and without security risks directly from the vendors themselves or any major, reputable shareware site.

The next risk from using such services is the potential violation of broadcasting-rights (copyright) law. TV broadcasting companies have paid a lot of money for exclusive rights to broadcast all World Cup matches in their territories. Many of these P2P-based streaming services may in fact violate those rights, for example by streaming the Chinese or Brazilian broadcasts to worldwide audiences.

The solution for all these problems is actually quite easy.

You don’t need the membership or download charge if you go to the valid websites for the software. Staying with the reputable sites will also keep you away from the possible risks of malware or spyware infections. Also, TV stations in countries like the United States, Germany, the United Kingdom, Brazil, or Canada stream all World Cup games legally, for free and even in HD.

But the biggest risk of all: If you watch the World Cup in the office, make sure your boss has approved it. Otherwise you might find yourself with plenty of time to watch all games at home on your TV!


McAfee, Parental Controls, and Apple Devices = Safer Kids Online

June 22, 2010

Today we announced our McAfee® Family Protection iPhone®, iPod touch® and iPad™ Edition. McAfee now provides strong parental controls to keep young people safe when they are browsing the Internet on an Apple mobile device. McAfee released McAfee Family Protection for the PC in June 2009.

According to data released by Admob in 2010, 65 percent of iPod touch users and 13 percent of iPhone users are below the age of 17. According to The Internet Safety Technical Taskforce in a December 2008 survey, twice as many kids own an Internet-enabled mobile device versus a computer.

McAfee® Family Protection iPhone, iPod touch and iPad Edition offers website and search filtering. The program will automatically block age-inappropriate sites, such as known pornography web sites, as well as filter Google search results. It also includes location tracking for Apple devices that are equipped with GPS technology.

Parents can also view usage statistics, including visited websites and access times, as well as add and remove custom websites while having the option to remotely disable all Web browsing.

From McAfee Chief CyberSecurity Mom, and my pal, Tracy Mooney:

“Many parents don’t consider online dangers when providing their kids with an iPod touch or passing on their old iPhones to them. Even if they are trying to monitor on a regular basis, it’s nearly impossible to know what they’re searching for,” said Mooney. “I’ve tried to be vigilant about checking in from time to time to see what my kids are doing online, but I know that my kids have more access now than ever with their mobile device. This product will help parents be at ease when they are equipping their kids with the latest technology.”

McAfee Family Protection iPhone, iPod touch, and iPad Edition is available for download now at the iTunes App Store and McAfee.com. For more information about McAfee mobile please visit the McAfee Mobile site.


Taking an Aggressive Stance Against Fake Anti-virus

May 6, 2010

Researchers at McAfee Labs aggressively work to stay on top of the new wave of fake anti-virus software, identifying new variants to ensure our customers are protected. In some cases the domains distributing these fakes also carry a full page of malicious pornography links.

Malware authors use many methods to create their fake applications and get them installed on your computer. Fake anti-virus programs pretend to guard you against threats on your PC, although in reality they infect you themselves. Be careful what you click on; don’t put yourself at risk by visiting websites with a suspicious reputation. We recommend keeping your security software up to date and following some basic steps to protect your system.

If you get any of these fake applications installed on your PC, you will receive constant advertisements displaying pop-ups or warning messages that your system has been infected. You’ll urgently be requested to visit a particular website to pay for unnecessary protection. Take advantage of free McAfee SiteAdvisor software to make your browsing safer.


Phishing Attacks Target Twitter Users

April 26, 2010

A new attack on Twitter users has been arriving as spam with a phishing link. It appears as a notification about an unread message from Twitter Support with a subject line such as “Twit 73-923.” The ending number can vary. The body of the message includes “You have [some number of] delayed message(s) from Twitter” and a link to a phishing site.

Twitter Phishing

If you receive one of these emails, make sure to check where the link points to before clicking on it. To visit a page such as this (or any page even), it’s much safer to manually type the web address instead of clicking a link in an email. Links can easily be faked!

More Twitter Phishing

Users without protection who click on any of these links could infect their PCs or reveal their Twitter credentials.

We recommend you take advantage of either or both of McAfee’s TrustedSource™ reputation system and SiteAdvisor Technology to protect yourself against malicious phishing attacks and the sites that host them.

[Screenshots: further examples of the Twitter phishing e-mail and the sites it links to]

Tweet, search and surf safely out there!


Scams Increase During U.S. Tax Season

March 29, 2010

Scams based on the United States Internal Revenue Service requirements increase every year during tax season. It’s common to see online threats and tactics in which identity thieves and hackers try to convince taxpayers to reveal their personal and financial information. This year is no exception.

Researchers at McAfee Labs continuously monitor threats to best protect our customers. We have identified a cluster of fake IRS URLs. Victims might visit these phishing and malicious websites via any number of effective redirection methods: phishing attacks, forum postings, and black-hat search-engine optimizations, among others. However, a few simple precautions will help you avoid identity theft during tax season. If you get an email from the IRS, it’s probably a scam. The IRS does NOT usually contact taxpayers via email. Avoid replying or clicking on links that take you to suspicious sites. You should delete these messages.


The numbers of fake irs.gov domains hosting phishing sites already surpass last year’s:


McAfee customers are protected from malicious sites with high-risk reputations thanks to our TrustedSource technology.
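The advice to look at where a link really points, given for the Twitter lure above, and the fake irs.gov domains in this post can both be checked mechanically. The following added script (not code from the original posts) parses the anchors in an HTML e-mail body and flags two things: visible link text whose domain does not match the href’s host, and hosts that borrow a brand name (irs, twitter) without belonging to the genuine domain. The sample e-mail body and its hostnames are constructed for illustration and are not real phishing URLs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose genuine hostnames are known; anything else that borrows the name is suspect.
GENUINE = {"irs": "irs.gov", "twitter": "twitter.com"}

# Constructed sample e-mail body (not a real phish): two lures modelled on the
# posts above, one genuine link, and one link that merely contains "irs" as a substring.
SAMPLE_EMAIL = """<html><body>
<p>You have 3 delayed messages from Twitter.
   <a href="http://twitter.com.msg-center-73.info/login">http://twitter.com/messages</a></p>
<p>Refund notice: <a href="http://www.irs.gov.refund-status.com/irs.gov/refund.php">www.irs.gov</a></p>
<p>Official: <a href="https://www.irs.gov/newsroom">IRS newsroom</a></p>
<p>Unrelated: <a href="http://pairs-dating.example.net/">pairs</a></p>
</body></html>"""


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it (suffix match on a label boundary)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_link(href, text):
    """Reasons a link should not be clicked; an empty list means nothing stood out."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    # Domain the recipient *sees*: the first host-like token in the anchor text, if any.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and not (belongs_to(host, shown.group(1)) or belongs_to(shown.group(1), host)):
        reasons.append("text shows %s but link goes to %s" % (shown.group(1), host))
    for label, domain in GENUINE.items():
        # Brand name as a whole DNS label (so "pairs" does not trip "irs"), or the
        # genuine domain smuggled into the path of a foreign host.
        name_in_host = re.search(r"(?:^|[.-])%s(?:[.-]|$)" % label, host)
        if (name_in_host or domain in href.lower()) and not belongs_to(host, domain):
            reasons.append("borrows the %s name but is hosted on %s" % (domain, host))
    return reasons


def audit(html_body):
    """Run check_link over every anchor in an HTML e-mail body."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [{"href": h, "text": t, "reasons": check_link(h, t)} for h, t in parser.links]


if __name__ == "__main__":
    for entry in audit(SAMPLE_EMAIL):
        print("SUSPECT" if entry["reasons"] else "ok     ", entry["href"], entry["reasons"])
```

The suffix check in belongs_to is the whole point: “irs.gov” appearing at the start of a hostname, or anywhere in the path, proves nothing, because only the right-hand end of the hostname is controlled by the registrant.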

Here is an example of how McAfee SiteAdvisor Technology and the McAfee TrustedSource™ reputation system protect users from cyberfraudsters. Malicious phishing attacks are blocked when they try to steal consumers’ information:


The IRS Consumer Alert page says “The IRS does not send taxpayers unsolicited email about their tax accounts, tax situations, or personal tax issues.” To verify whether the IRS is trying to contact you, call the agency.


‘March Madness’ Malware Spreading via Search Results

March 18, 2010

This is the time of year when basketball fans go online to fill out their bracket selections. While fans are playing with their brackets, hackers are also playing their own game of “spamdexing”-–manipulating search results to promote, in this case, malware-infected sites.

At the time of this posting, top search results for terms such as ncaa bracket and march madness predictions are already poisoned. Five out of the first ten hot searches on Google Trends, with ncaa+bracket+blank taking second place, are being promoted by a network of legitimate sites that were hacked to serve malware.

Trending Search Terms

Let’s look at the bracket-related malware site. Our investigations reveal the site has an embedded Flash file that downloads malware from another site and installs without user interaction. Who would have thought that a simple, harmless-looking site with only a bunch of March Madness-related texts as content and not even a single pop-up or web ad could be that dangerous?

March Madness Malware Sites

NCAA Malicious Site

This simple–yet very sneaky and effective technique of downloading malware through exploitation, also called a “drive-by download”–will surely infect a lot of users, especially users with no virus and malware protection. To reduce the chance of getting infected by this type of site, we recommend using our SiteAdvisor technology, a free browser plug-in that shows site ratings with search results. And, as always, make sure your anti-malware software is up to date and properly configured!


‘Scareware’ Poses Danger to Consumers

March 15, 2010

On March 9 McAfee warned consumers that “scareware,” or fake anti-virus software, may be the most costly online scam in 2010, causing significant monetary loss and damage to users’ computers. In this blog, I’ll give you some additional details about the figures we cited last week in McAfee’s new Consumer Threat Alert program.

Apart from the scareware files themselves, much of the malware that helps rogue anti-virus programs attack computers is grouped into the FakeAlert Trojan family. As shown in the following graph, their number exploded in 2009. To give you some idea of the rapid growth, from March 1 to March 10, 45,000 new FakeAlert samples entered our malware collection!

Between January 2004 and December 2009, I cataloged more than 3,000 scareware software “products” created by various rogue companies. Many of them have a short life cycle (some weeks, some months), while others, some created in 2004, are still available on the web. For half of them (see next table) we were able to extrapolate the year they appeared. Their number surpassed 100 for the first two months of 2010.

2004 142
2005 124
2006 134
2007 138
2008 302
2009 689
January 2010 66
February 2010 46

For many of these “products,” only the name changes. This trick maximizes a malware developer’s chances to catch victims. The scareware companies create website after website with a single rogue offer repeated under various names.

Fake-alert malware and scareware software are numerous. But scareware companies are restricted in number. Perhaps between 30 and 50. The names change, but the managers remain the same. They create many subsidiaries and recruit affiliates. For more than 2,000 of these products, I was able to map them to the companies that distribute them. To avoid possible legal hassles as well as personal trouble, I will not give you the names–but the following table speaks for itself.

Company N°1 > 1,000 products
Company N°2 > 150
Company N°3 > 100
Company N°4 > 100
Company N°5 > 50
Company N°6 > 30
Company N°7 > 30
Company N°8 > 30
Company N°9 > 30

Some companies work openly. Their managers are not afraid to create even LinkedIn profiles. When the pressure becomes too strong they simply create a new business.

To multiply sales, scareware companies recruit affiliates and promise them commissions reaching 75 percent of the product’s sales price.

When I presented our research on scareware in Paris in January, I explained that a colleague monitored–during a six-month period–the production servers of one of the main scareware companies. In 10 days, he counted more than four million downloads (that is, more than four million scareware infections)! This was from only one company, and some victims made more than one download in a day.

In 11 months, this scareware company received more than 4.5 million orders. Using this figure, I forecast annual revenues of greater than US$180 million. This leads to a substantial worldwide income for this criminal activity.

Finally, these scareware companies have not only fake security software for sale. They also peddle many other fake products (multimedia software, fitness software, family software, etc.). And, above all, they offer pornography. Consequently, their revenues are still greater.

To avoid becoming a security software scam victim, the McAfee Consumer Threat Alert advises the following:

  1. Before downloading any security software from the Web, get a recommendation from someone you trust who is savvy about Internet security software
  2. Investigate the company before purchasing the software
  3. Be careful when responding to pop-up ads
  4. You can protect your computer from these types of cybercrimes by installing a complete security software suite that includes anti-virus, anti-spyware, and firewall protection, such as McAfee Total Protection. Ensure that your software is always up to date (enable the “auto-update” feature) and perform regular scans.
