Archive for September, 2008
Wednesday, September 24th, 2008
No, it is not a link; it is a file that does not contain the photos you are interested in, and it will not direct you to any JPEGs on the Facebook site. Also making the rounds is “newestpicture0021.jpeg-www.imageshack.com”, along with other files whose names end in “imageshack.com”: the “.com” at the end is a file extension, not a web address.
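The lure in these filenames is that the part a user reads (“.jpeg”, “www.imageshack.com”) is not the part Windows uses to decide how to open the file. The following is an added example for this post, not ThreatFire code, that applies the heuristics a mail or IM gateway would use to flag such names; the sample names are constructed from the lures quoted above, and the padded-spaces case is a related trick not mentioned in the post.

```python
"""Flag filenames that look like an image or a web link but would run as a
program on Windows.  Added example; the extension lists and sample names are
assumptions for illustration, not ThreatFire data."""
import re

# Extensions Windows executes when double-clicked (PATHEXT-style).  ".com" is the
# legacy DOS executable format, which is why "...www.imageshack.com" runs.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions the social-engineering text wants the victim to *believe* they see.
LURE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".avi", ".mpg", ".wmv"}


def real_extension(name):
    """The extension Windows actually uses: everything after the last dot of
    the final path component."""
    base = name.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    idx = base.rfind(".")
    return base[idx:].lower() if idx > 0 else ""


def lure_reasons(name):
    """Return a list of reasons the name is a disguised executable (empty if
    the name is either not executable or not disguised)."""
    reasons = []
    ext = real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return reasons
    lower = name.lower()
    head = lower[:-len(ext)]  # everything before the real extension

    # 1. A media extension appears earlier in the name ("photo.jpeg-....com").
    if any(lure in head for lure in LURE_EXTS):
        reasons.append("media extension embedded before executable extension %s" % ext)

    # 2. The name ends in a domain-like tail: "www.imageshack.com" reads as a
    #    URL, but ".com" makes it a DOS program.
    if ext == ".com" and re.search(r"(^|[-_.])www\.[a-z0-9-]+\.com$", lower):
        reasons.append("domain-like name ending in .com (executes as a DOS program)")

    # 3. Long runs of spaces between a fake and the real extension push the real
    #    one out of view in file dialogs.
    if re.search(r"\.[a-z0-9]{2,4} {5,}\.[a-z0-9]{2,4}$", lower):
        reasons.append("padding spaces hide the real extension")
    return reasons


if __name__ == "__main__":
    # Constructed samples: two lures from this post, one benign image, one padded name.
    for sample in ("newestpicture0021.jpeg-www.imageshack.com",
                   "vacation.jpg",
                   "cute_puppy.jpg" + " " * 30 + ".scr"):
        print(repr(sample), "->", lure_reasons(sample) or "ok")
```

Run it on an attachment or download name before the file reaches the user; anything with a non-empty reason list should be quarantined rather than simply renamed, because the payload is an executable regardless of what the name says.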
Another worm is propagating with a .com extension, which is a legacy executable format that Windows still runs when the file is double-clicked. When run, the file drops a copy of itself into the system32 directory as “symlasvc.exe” or “symlssdr.exe”, and hides its process from monitoring tools with rootkit components. Under either name it adds itself to the Run key as the “Symantec Administration Service” so that it starts at every boot. Among other activities, it kills a set of tools that could be used to identify its presence on the system, and mangles the hosts file to block access to security information, security software and security update sites, including this blog. Here is an example of the added entries; each one points a site at the local machine so the name never resolves to the real server:
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
127.0.0.1 mailcenter.rising.com
127.0.0.1 www.rising.com.cn
127.0.0.1 www.rising.com
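Hosts-file sinkholing of this kind is easy to check for: on a workstation, nothing other than localhost should map to 127/8, ::1 or 0.0.0.0. The following is an added example for this post, not ThreatFire code; SAMPLE_HOSTS is constructed from the entries quoted above plus the normal defaults, and the SECURITY_DOMAINS watch-list is an assumed, illustrative list you would extend for your own environment.

```python
"""Audit a Windows hosts file for entries that null-route security sites.
Added example; SAMPLE_HOSTS and SECURITY_DOMAINS are constructed/assumed."""
import ipaddress

# Constructed sample: the stock Microsoft defaults plus entries of the kind the
# worm adds.  0.0.0.0 is used on one line because it is an equally effective sink.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 blog.threatfire.com
127.0.0.1 www.threatexpert.com
127.0.0.1 blog.hispasec.com
127.0.0.1 mailcenter.rising.com.cn
0.0.0.0   www.rising.com   # trailing comment is ignored
"""

# Hostnames that legitimately resolve to loopback on a workstation.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watch-list of vendor/update domains (illustrative, not exhaustive).
SECURITY_DOMAINS = ("threatfire.com", "threatexpert.com", "hispasec.com",
                    "rising.com", "rising.com.cn", "windowsupdate.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, one per hostname on a
    line; comments and blank lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            yield parts[0], host.lower(), n


def is_null_route(ip):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address; not a mapping the resolver honours
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Return a finding per hostname that is null-routed but is not a local name,
    tagging the ones that belong to a watched security domain."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in LOCAL_NAMES or not is_null_route(ip):
            continue
        watched = any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)
        findings.append({"line": n, "ip": ip, "host": host,
                         "known_security_site": watched})
    return findings


def audit_file(path):
    """Audit an on-disk hosts file (on Windows:
    %SystemRoot%\\System32\\drivers\\etc\\hosts)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        flag = "SECURITY SITE" if f["known_security_site"] else "unknown host"
        print("line %d: %s -> %s  [%s]" % (f["line"], f["host"], f["ip"], flag))
```

Any finding at all deserves a look, because the entries are not an end in themselves: a host that has them almost certainly also has the dropped service binary and the Run-key entry described above, and repairing the hosts file without removing those simply lets the worm rewrite it at the next boot.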
ThreatFire currently is preventing these worms as “Worm.Injector”. In the past, we’ve seen similarly effective social engineering schemes: MSN IM Worm Surge in IM worm activity — don’t look at that cute puppy New Undetected Worm Bot on the loose — careful with images
Please do not run these files when they arrive.
Posted in Embedded trojan, Rootkit, Social Engineering, Worm | No Comments »
Monday, September 22nd, 2008
If you download and plan on running what you think is a codec named “multycodecupgr.7.<20xxx>.exe” (for example “multycodecupgr.7.20680.exe”), be aware that users have been affected by this phony codec over the weekend and today in surprisingly high numbers. The file drops a couple of executables; in our lab they were usually named with a single letter, such as “a.exe”, “b.exe” or “d.exe”. These files then barrage the user with the usual shock messages that the system is infected, although now they also claim that your system is “probably” infected…

The malware drops “sav.exe” into a directory it creates, “program files\AntiVirus 2008”. It is all part of the AntiVirus 2008 rogue, which warns the user of “Blaster.Sasser” and other fabricated scan results that supposedly need to be cleaned up for a price:

Pricing can be found at hxxp://www.s-av2008.com, starting at almost $40. Avoid the site:

It seems that, now that Atrivo/InterCage is off the grid, these groups are quickly moving resources to hosts such as “dowload -best -warez.com” (66.232.126.78, 66.232.126.193).
Update: What started out as a few redirect links from a potentially compromised small-business T-shirt web site is now spreading. While the pages served from the iframe-based redirect link on the original site are down, the phony codec file is showing up on numerous adult sites. Do not run the multycodec executables in circulation right now.
Posted in Adware, FakeAlert, Rogueware, Social Engineering, Trojan | No Comments »
Thursday, September 18th, 2008
At BlackHat 2006, the organizers handed out books titled “Perfect Passwords”, a fantastic writeup on selecting, using and evaluating passwords: “Author Mark Burnett has accumulated and analyzed over 1,000,000 user passwords and through his research has discovered what works, what doesn’t work, and how many people probably have dogs named Spot”. Unfortunately, some of the government attendees must have set that book aside to read later. They have the opportunity to reread the text in the book’s preview on Google Book Search.

Yesterday, a link to wikileaks.org made the rounds, along with comments about Sarah Palin, a U.S. Vice Presidential nominee currently in the political media limelight. She had reportedly been accused of using a Yahoo! email account for government business to avoid requests for those communications under Alaska law, and hacktivists recently gained access to that Yahoo! account, although it is unclear how. They posted contents and an index of the mail account on the wikileaks site, and screenshots of the information were posted on sites like gawker.com. The wikileaks site is either overwhelmed with traffic today or was taken down altogether last night. The FBI and Secret Service are reportedly investigating the breach.
Simple security practices are necessary. Use a strong password that you can remember, and not “Spot” or “password” (see Perfect Passwords). Pay attention to what you are doing when using your computer, visiting websites, or responding to IM and email messages or requests for information; and use the secure resources, including antimalware protection, that your organization provides.
Update: it appears that the “Forgot your password?” feature was used to gain access. Standard security practices would have prevented that.
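A recovery feature is a second login path, and it is only as strong as the weakest thing it accepts as proof of identity. The post does not describe how Yahoo!’s feature worked or failed, so the following is an added example of the standard practice it alludes to, not Yahoo!’s implementation: recovery proves possession of the account’s mailbox with a random, single-use, short-lived token, stores only a hash of that token, says nothing about whether an account exists, and never consults a knowledge question. The TTL, the user store and the mail hook are assumptions for the example.

```python
"""Token-based password recovery.  Added example; not the code of any site
named in this post.  The user store, mail hook and TOKEN_TTL are assumed."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60       # seconds a reset token stays valid (assumed policy)
PBKDF2_ROUNDS = 200_000   # password-hash work factor (assumed)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(user, password):
    salt, stored = user["password_hash"]
    return hmac.compare_digest(stored, hash_password(password, salt)[1])


class PasswordRecovery:
    def __init__(self, users, send_mail, clock=time.time):
        self.users = users          # {username: {"email": str, "password_hash": (salt, digest)}}
        self.send_mail = send_mail  # callable(email, token): assumed mail hook
        self.clock = clock          # injectable for testing expiry
        self._pending = {}          # sha256(token) -> (username, expiry); never the token itself

    def request_reset(self, username):
        """Same observable behaviour whether or not the account exists, so the
        feature cannot be used to enumerate accounts."""
        user = self.users.get(username)
        if user is None:
            return
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self.clock() + TOKEN_TTL)
        self.send_mail(user["email"], token)  # the only copy of the token leaves here

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token works exactly once
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[username]["password_hash"] = hash_password(new_password)
        # A successful reset also voids any other outstanding tokens for the user.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != username}
        return True


def demo():
    """Constructed scenario: unknown account, a good reset, a replay of the used
    token, and a token presented after it expired."""
    now = [1_000_000.0]
    outbox = []
    users = {"governor": {"email": "gov@example.com", "password_hash": hash_password("old")}}
    svc = PasswordRecovery(users, lambda email, tok: outbox.append((email, tok)),
                           clock=lambda: now[0])
    svc.request_reset("nobody")                 # no mail, no error, no hint
    svc.request_reset("governor")
    token = outbox[-1][1]
    first = svc.complete_reset(token, "correct horse battery staple")
    replay = svc.complete_reset(token, "attacker-chosen")
    svc.request_reset("governor")
    now[0] += TOKEN_TTL + 1                     # let the second token expire
    expired = svc.complete_reset(outbox[-1][1], "too-late")
    return {"mails": len(outbox), "first": first, "replay": replay, "expired": expired,
            "new_password_works": verify_password(users["governor"], "correct horse battery staple"),
            "old_password_works": verify_password(users["governor"], "old")}


if __name__ == "__main__":
    print(demo())
```

The design choices that matter are the ones an attacker with only public information about the victim cannot get around: the token is unguessable, it is delivered only to a channel the account owner already controls, it is stored hashed so a leaked table cannot be replayed, and it dies after one use or a few minutes.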
Posted in Disclosure, Password stealing, Security breach | 1 Comment »