Archive for March, 2009

Pdf Reader Exploitation 2009 (cont)

Tuesday, March 17th, 2009

While Adobe Reader users were urged to upgrade their software in one of our previous posts, Foxit Reader, another free pdf viewer, needs to be actively upgraded as well.


Users should be aware that the same distributors of Adobe Reader attacks are also attacking Foxit Reader, and retrieving the same downloader components via exploitation.

The latest exploitation data breaks down roughly like this:
Adobe Reader v9: less than 1%
Foxit Reader v2: less than 1%
Adobe Reader v8: 48%
Adobe Reader v7: 50%

The newest Foxit Reader upgrades can be found here.

Bancos Dropper

Tuesday, March 17th, 2009

ThreatFire users in Brazil are being attacked with yet another Bancos dropper/downloader.

The source of the file, “jk982732-2309.zip”, which extracts simply to an aspack’ed “jk982732-2309.exe”, is not entirely clear at this point. If any of our users have seen this file prevented on their desktop, please contact us on the forums or here in the comments with some information on its source and any IM messages or email related to this file.

A dead giveaway that something is unusual is the “Google Inc” file company name property, along with the Microsoft MSN butterfly icon:

Another giveaway that something is amiss is that the file also attempts to download components from the free web hosting site “nofeehost.com” that masquerade as components of the Brazilian security product Buster Browser Defense.

Any further information from users would be welcome.

Terror Attack in ???

Monday, March 16th, 2009

Fill in the blank, depending on where you are. This new Waledac scheme attempts to play on fear, but the U.S. Homeland Security Advisory probably is not going to be raised above orange because of it. This newest malware distribution campaign emails out shocking and phony reports of terrorism. A link within the message redirects a user’s browser to a phony Reuters video. The Waledac distributors also continue to use geoIP lookups to identify the location of a user browsing their sites, and customize their messages accordingly; the text is littered with poor English grammar. Here is text from one of the current web sites:

‘At least 12 people have been killed and more than 40 wounded in a bomb blast near market in _______. Authorities suggested that explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables. “It was awful” said the eyewitness about blast that he heard from his shop. “It made the floor shake. So many people were running ______.” Until now there has been no claim of responsibility.’

The screenshot below shows the well worn phony Flash player download prompt for unsuspecting users, stating that “You need the latest Flash player to view video content. Click here to download”:



Very few users so far are attempting to run the Trojan files run.exe, save.exe or contact.exe (generally around 448 KB in size) being distributed from these sites, which is a good thing.