FBI IC3 2009 Report

March 13th, 2010

The Fbi released its Internet Crime Complaint Center (IC3) 2009 report. The organization maintains that cyberfraud losses reported to them doubled year over year.

The report contains what appears to be significant changes. The report includes mention of the FakeAv scams that have plaqued users over the past couple of years. Another friend just brought in a laptop screaming “Your system is infected!” yesterday, most likely due to a banner ad drive-by. At this point, it’s hard to believe that the fraud is not occuring on a large enough scale to quantify the criminal activity.

The report provides list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

FakeAv Antivirus XP 2010

March 11th, 2010

Same as we posted last week, Trojan.FakeAv continues to be one of the highest hitting families of malware prevented in the ThreatFire community again this week. And, because so many users continue using Windows XP, it is this variant of the family that continues to pop up the most. Frequently, the malware resides simply as “av.exe” on users’ systems:


The bogus software follows the trends that we presented at Virus Bulletin 2008 two years ago, where we noted the rising FakeAv families and technical details of “Recent Rogueware”, similarities with previous other malware families, and their delivery.


Troyak-AS De-peered for Good?

March 11th, 2010

The victory over dozens of Zeus botnets that was declared over the past couple of days may have been premature, as the Troyak-AS upstream provider that was de-peered from its upstream providers was busy finding new peers to the internet. Yet another check shows that the provider succeeded in regaining connectivity, and only two of the ISP’s that are home to handfuls of Zeus C&C’s are withdrawn (as of 11:30 a.m. Mountain Time 3/11/2010):

50215 TROYAK-AS Starchenko Roman Fedorovich

  Adjacency:     5  Upstream:     1  Downstream:     4
  Upstream Adjacent AS list
    AS8342          RTCOMM-AS RTComm.RU Autonomous System

With the original de-peering, it was thought that 68 monitored Zeus C&C’s were disconnected from the net. But, of the six ISP’s hosting almost five dozen Zeus C&C’s, only two remain de-peered, leaving 43 monitored Zeus C&C up and running. We hope to see these come down soon. In the meantime, ensure that a protective layer like ThreatFire is installed on your system, effective against Zbot attacks. And cheers to the awesome zeustracker site.