Donna's SecurityFlash : In the Wild

Storm Worm variant now using Kittycard.exe as filename

donna — Sat, 27 Oct 2007 16:45:00 GMT

Kittycard.exe is now of one the filename use by this Storm Worm. Email received today: The new filename is Kittycard.exe: Half of malware scanners via VirusTotal.com will detect it while half did not: For you... to read : The Storm Worm: http://www.schneier...(read more)

What's with the malicious PDF file?

donna — Sat, 27 Oct 2007 11:58:50 GMT

Symantec wrote: the PDF file will download ldr.exe file F-Secure reports: The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components. So I grab both .exe files (ms2.exe and ldr.exe) and uploaded it to Virustotal...(read more)

In the wild: Malicious PDF files; Which AV will detect it?

donna — Fri, 26 Oct 2007 19:32:29 GMT

If you haven't update your Adobe Reader to v8.1.1, you better to do it NOW. The vulnerability is being exploited now and yup, it's in the wild because I received copies already. Screenshots at http://www.dozleng.com/updates/index.php?showtopic...(read more)

Spammer's trick: Redirection. Can't Google, Yahoo and AOL kill the false one?

donna — Thu, 25 Oct 2007 16:26:45 GMT

This is not new since this is 'common' issue with redirection and being use by spammer but geez, can't this company do something to stop the redirection to succeed? Same SPAM emails received today: That's AOL, Yahoo and Google. Guys, you...(read more)

2 more kitty (storm worm) gone undetected by many scanner

donna — Sun, 21 Oct 2007 05:21:13 GMT

I received similar email last week where 15 out of 32 malware scanners will detect or trigger an alert if found or being downloaded in the system. Today, I got 2 more kitty greetings. Result is 10 out of 32 scanners will detect or trigger an alert: Preview...(read more)

Skype Worm Breaks Out in APAC

donna — Tue, 19 Dec 2006 07:42:00 GMT

Symantec and Websense have warned Skype users of a new worm that spreads itself via Skype text messages. Dubbed Chatosky by Symantec, the cycle starts with a Skype user receiving a message offering a file called sp.exe. According to Websense's preliminary...(read more)

Worm Alert: Big Yellow; Worm hits computers via Symantec Corp.'s antivirus program

donna — Sat, 16 Dec 2006 01:50:00 GMT

Date: December 15, 2006 Severity: High Systems Affected: Symantec AntiVirus 10.0.x for Windows (all versions) Symantec AntiVirus 10.1.x for Windows (all versions) Symantec Client Security 3.0.x for Windows (all versions) Symantec Client Security 3.1.x...(read more)

Rustock: Deep Dive

donna — Thu, 14 Dec 2006 16:03:00 GMT

Rustock, also known as “Spambot”, is a family of back door programs with advanced user and kernel mode rootkit capabilities. Rustock has constantly been in development since around November, 2005. Rustock is a tough threat to combat because of its approach...(read more)

Variant of phished Google Mail in the wild

donna — Mon, 10 Jul 2006 17:52:00 GMT

Websense Security Labs has received reports that a variant of Google phishing attacks are increasing in sophistication. Details at http://www.websense.com/securitylabs/alerts/alert.php?AlertID=545...(read more)

Argh! 2nd instance of fake Windows Genuine Advantage Notification

donna — Thu, 29 Jun 2006 20:26:00 GMT

One earlier and now there's 2nd ... it's at Daniweb 's forum (Thanks to Microsoft MVP Robear Dyer for the link). The bad file is faking Microsoft's Windows Genuine Advantage Notification and Validation Tools. As you can see on earlier (the first report...(read more)

Email Blast, From the Past

donna — Wed, 28 Jun 2006 01:23:00 GMT

McAfee Avert Labs reports : A Microsoft Word document was mass-spammed today, which exploits MS01-034 . While this vulnerability was patched nearly 5 years ago, the DOC file can still deliver its payload if users allow Word to run the malicious macro...(read more)

Doombot Worm Spreads Via Phishing Model Attack

donna — Fri, 16 Jun 2006 16:16:00 GMT

Security experts at MicroWorld Technologies inform that a Backdoor Worm named 'Doombot.k', is spreading fast via 'abuse warning' emails, spoofing domain names of security software companies and leading business houses. The modus operandi of proliferation...(read more)

Panda Alert: BlackAngel.B worm spreading via MSN Messenger

donna — Thu, 15 Jun 2006 18:18:00 GMT

Panda Software, warns of the spread of the new B variant of the BlackAngel worm. PandaLabs has already received several incidents from users affected by this worm. This worm spreads via Microsoft’s instant messaging program MSN Messenger. In order to...(read more)

Spyware Quake is in the wild

donna — Sat, 25 Mar 2006 16:32:00 GMT

Sunbelt reports "There is a new rogue Anti-Spyware application out there serving as a replacement for Spy Falcon and SpyAxe."

Eric L. Howes added Spyware Quake to its list of Rogue/Suspect Anti-Spyware Products & Web Sites

Spywarewarrior.com Forums is currently helping a victim of said rogue product which means it is REALLY in the WILD so be careful. If you are victim, please let the HijackThis analysts help you (you can find them in many forums i.e. BleepingComputer.com, Spywarewarrior.com, CastleCops.com and in recommended sites that offers HijackThis analysis found in Alliance of Security Analysts Professionals). If you want to help the community, stand up and be heard by going to Malware Complaints forum.

Edit: Self-help guide in removing SpywareQuake is available:

How to Remove SpywareQuake (BleepingComputer.com)
SpywareQuake Removal Instructions (Gladiator Security Forums)

If you are unsure what to do, don't hesitate to seek advise in forums that offers malware removal.

Apple OS X gets its first virus

donna — Thu, 16 Feb 2006 16:26:00 GMT

The first virus to target Apple's OS X operating system has been identified in the wild.

Leap-A (also known as Oompa-A) spreads via the iChat instant messaging system, forwarding itself as a file called 'latestpics.tgz' to contacts on the infected user's buddy list.

When the file is opened on a computer it disguises itself with a JPEG graphics icon in an attempt to fool people into thinking it is harmless.

"Some owners of Mac computers have held the belief that Mac OS X is incapable of harbouring computer viruses, but Leap-A will leave them shell-shocked as it shows that the malware threat on Mac OS X is real," said Graham Cluley, senior technology consultant at Sophos.

"Mac users should not think it's OK to lie back and not worry about viruses. "

http://www.vnunet.com/vnunet/news/2150477/apple-osx-gets-first-virus

Phishing-based attacks on 3 banks

donna — Tue, 07 Feb 2006 18:09:00 GMT

Websense Security Labs has received reports yesterday (Feb. 6, 2006) of a new phishing attack that targets customers of the following banks:

- First Bank
- Banco del Bajio
- The Farmers Bank

As usual, users receive a spoofed email, which claims:
- the account has had multiple, unsuccessful login attempts
- that due to recent activity their accounts need to be updated immediately or certain functionality will be restricted.
- that the customer's account has an unconfirmed email address.

Then usual recommendation is ignore and delete the messages. Do not click on those live links in the messages (why not disable HTML in your email program too so the message will not phone the sender).

References:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=417
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=418
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=419

Websense Alert: Yahoo! Account Compromise through Yahoo! Messenger

donna — Tue, 24 Jan 2006 14:08:00 GMT

Websense Security Labs has received several reports of a new phishing attack that targets Yahoo! customers. Users receive a message through Yahoo! Instant Messenger, enticing them to access a website with "click on this website."

Upon clicking on the website, users are forwarded to a fraudulent website, which is hosted in the United States and was up at the time of this alert. It requests their Yahoo! Photos username and password. Once users have entered their username and password, they receive an error message that their email account was incorrect, at which time the account information is forwarded to a third party and the end-users' account information could then be compromised.

Another Dasher

donna — Tue, 20 Dec 2005 12:52:00 GMT

Dasher.A, B and C few days ago. Now it's Dasher.D. See Symantec's article on Dasher.D here. Dasher infects 3,000 machine already!

Spyware Lures to Install Potentially Unwanted Software

donna — Tue, 20 Dec 2005 12:08:00 GMT

Websense Security Labs is seeing a large increase in the number of websites and emails that use deception and/or browser vulnerabilities to install potentially unwanted software. The common theme among these threats is the use lures of possible spyware infections on your machine. In some cases, the scam actually reports fraudulent information regarding the security of your PC.

In many cases they also request money in return for cleaning the outlined security problems (we have seen as much as $500 per year).

Over the last 2 weeks, we have identified more than 1500 sites that have some (or all) of the following criteria:

They are hosted in Ukraine and Russia
The website domain names are registered in countries like Vanuatu and Mexico
IP netblocks hosting sites are often hosting other questionable sites such as fraudulent search engines
IP netblocks have been hosting malicious code such as Trojan horse downloaders, droppers, and hosts-file redirection software
Malicious code that modifies DNS settings has used these netblocks for DNS resolving
Downloaded code often includes several pieces of spyware, adware, and other potentially unwanted software
Removing the software often requires that you to fill out a survey
Several of the sites contain links to other sites that are hosting IE exploit code

Screenshots and other details in WebSense

Dasher A, B, C - Internet worm exploits MS05-051

donna — Sun, 18 Dec 2005 05:57:00 GMT

Read Microsoft's MVP Harry Waldron's journal on this Dasher worm. Some antivirus vendors have released Dasher detections:

Dec. 15 - Symantec released Dasher.A and Dasher.B detections while Sophos released Dasher.B detection. Like Symantec, F-Secure released detections on Dasher.A and Dasher.B. Dr.Web released too a detection for Dasher. McAfee released two detections on Dasher here and here

Dec. 16 - Sophos released the Dasher.A detection then Symantec released Dasher.C detection. Eset released Dasher and Dasher.A detections while Norman released Dasher.A and B variant.

Dec. 17 - Eset released the Dasher.B detection while Trend Micro released detections on Dasher.A and Dasher.B

Dec. 18 - Sophos released the Dasher.C detection.

Hopefully other antirus vendors will detect Dasher and its variant. Internet Storm Center said "most of them don't detect it" :-(

What we need to do? As always, take advantage of the early detections update by antivirus vendors. Keep informed on what's in the wild and take precaution before opening any e-mail attachments. Keep that system fully patched by turning on the Automatic Updates functionality in Windows or by visiting Microsoft Update website (or visit Windows Update and Office Update websites). If you need help on security-related issues such as viruses and security updates, you can take advantage of the no-charge support from Microsoft by calling 1-866-PCSAFETY
or 1-866-727-2338 (for US and Canada). It is available 24 hours a day. For phone numbers outside of the U.S. and Canada, select your region. You may also seek help in removing malware by visiting Alliance of Security Analysis Professionals member websites. Of course, the antivirus vendor that you are using should be able to help you too in removing the virus. Check the documentation or their website on how they can help you in removing the virus.

UPDATE: Analysis by Microsoft on Win32/Dasher.A in Malicious Software Encyclopedia
Microsoft's Live Safety Center (BETA) will remove this worm: http://safety.live.com/