DP's Security Bits : Alerts

Pop-Up Security Warnings Pose Threats

Don — Tue, 15 Dec 2009 12:59:00 GMT

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

Press Release

H1N1 Malware Campaign Circulating

Don — Wed, 02 Dec 2009 18:38:00 GMT

US-CERT reports

US-CERT is aware of public reports of a malware campaign circulating. This campaign is circulating via email messages offering information regarding the H1N1 vaccination. This email messages contain a link to a bogus Centers for Disease Control and Prevention website. Users who click on this link may become infected with malware. Public reports indicate that these email messages are noted as having subject lines such as: "Governmental registration program on the H1N1 vaccination" and "Your personal vaccination profile." Please note that subject lines may change at any time.

US-CERT encourages users to take the following precautions to help mitigate the risks:

Install antivirus software, and keep the signature files up to date.

Do not follow unsolicited links and do not open unsolicited email messages.

Use caution when visiting untrusted websites.

Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.

Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on avoiding social engineering attacks.

Koobface Now Using Christmas Theme

Don — Tue, 01 Dec 2009 13:58:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has discovered that the Koobface malware campaign is now using a Christmas theme. Recent developments by Koobface have included use of Google Reader.

The Koobface Web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal.

On the compromised Facebook page the user is presented with a link to ch[removed]cher.ch which is a compromised site in Switzerland. The user is redirected to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically login to their Facebook, Myspace, and several other social networking sites and send messages to all their friends.

Alert Details

Malicious Code Circulating via Social Security Administration Phishing Messages

Don — Tue, 01 Dec 2009 13:55:00 GMT

US-CERT is aware of public reports of malicious code circulating via phishing email messages that appear to come from the Social Security Administration. The messages indicate that the users' annual Social Security statements may contain errors and instruct users to follow a link to review their Social Security statement. If users click this link, they will be redirected to a seemingly legitimate website that prompts them for their Social Security number. If users enter their Social Security number and continue to the next page, they will be given an option to generate a statement. If users attempt to generate a statement, malicious code may be installed on their systems. This malicious code attempts to collect online banking traffic to gain access to the users' bank accounts.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

Install antivirus software, and keep the virus signatures up to date.

Do not follow unsolicited links and do not open unsolicited email messages.

Use caution when visiting untrusted websites.

Use caution when entering personal information online.

Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.

Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/index.html#malicious_code_circulating_via_social

Federal Deposit Insurance Corporation Warns Public of Fraudulent Email

Don — Wed, 28 Oct 2009 12:33:00 GMT

The Federal Deposit Insurance Corporation (FDIC) has released information warning the public about fraudulent email messages purporting to come from the FDIC. These email messages provides a link to a fraudulent FDIC website. Users are then instructed to download their "personal FDIC Insurance File."

More information regarding these messages can be found in the Federal Deposit Insurance Corporation's Consumer Alerts website.

Users are encouraged to take the following measures to protect themselves from this type of phishing scam:

Do not follow unsolicited web links received in email messages.

Verify the website by manually typing the URL when attempting to connect to web sites recommended in an email.

Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks

Source: US-CERT

Malicious Facebook Password Spam

Don — Tue, 27 Oct 2009 08:47:00 GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook. The From: address on the messages is spoofed using support@facebook.com to make the messages believable to recipients. The messages contain a .zip file attachment with an .exe file inside. The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today.

Alert Details

Outlook Web Access Social Engineering Malware Scam

Don — Thu, 15 Oct 2009 07:55:00 GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious attacks claiming to be an update for Microsoft Outlook Web Access (OWA). Victims receive a message leading to a site to apply mailbox settings which were supposedly changed due to a "security upgrade." The especially dangerous thing about these messages is that they are very deceiving. The messages and attack pages are personalized for the To: email address to imply the message is being sent from tech support of the domain. The URL in the email looks like it leads to the company's own OWA system. We have seen upwards of 30,000 of these messages per hour and they have low AV detection.

Alert Details

Federal Bureau of Investigation Warns Public of Fraudulent Spam Email

Don — Wed, 07 Oct 2009 12:44:00 GMT

The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system.

More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site.

To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages. Additional tips regarding email attachments can be found in the US-CERT Cyber Security Tip - Using Caution with Email Attachments.

Source: US-CERT

Update: Phishing scheme affecting some Hotmail customers

Don — Mon, 05 Oct 2009 21:54:00 GMT

Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.

Phishing is an industry-wide problem and Microsoft is committed to helping consumers have a safe, secure and positive online experience. Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.” If you believe you’ve been a victim of a phishing scheme, it’s very important that you update your account information and change your password as soon as possible. More information on what to do is available on this page at our support community.

Microsoft recommends customers use the following protective security measures:

Renew their passwords for Windows Live IDs every 90 days
For administrators, make sure you approve and authenticate only users that you know and can verify credentials
As phishing sites can also pose additional threats, please install and keep anti-virus software up to date

Full Story

Google Wave SEO Poisoning

Don — Wed, 30 Sep 2009 20:17:00 GMT

Websense Security Labs™ ThreatSeeker Network has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much talked-about, latest API hitting the collaboration scene today.

There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results.

Alert Details

Microsoft Security Essentials SEO Poisoning

Don — Wed, 30 Sep 2009 18:16:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV.

Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association.

When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.

An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc)
If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split).
The payload then executes "tsc.exe -dltest" apparently connects to a NASA Web site, to check internet connectivity.
Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted).

Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today.

Alert Details

Fake Monopoly Game Downloader

Don — Mon, 21 Sep 2009 21:16:00 GMT

Websense® Security Labs™ ThreatSeeker™ Network discovered a new spam campaign that is targeting players of the Monopoly game.

The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks.

Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan.

Alert Details

Labor Day Sale-Related SEO Poisoning Leads to Rogue Antivirus

Don — Sat, 05 Sep 2009 09:31:00 GMT

Websense Security Labs™ ThreatSeeker Network has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country.

When Google is used to search for terms related to Labor Day sales, malicious URLs as high as the first result are returned. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are also affected in a similar way.

Alert Details

The Cell Phone Forums of IT168.com Injection

Don — Tue, 25 Aug 2009 09:53:00 GMT

Websense® Security Labs™ ThreatSeeker™ Network has discovered that some well-known cell phone forums at IT168 in China have been injected with malicious JavaScript. The infected forum sites - including forums for Nokia, Motorola, and Sony Ericsson - are serving some exploits that target a number of vulnerabilities in the wild.

IT168.com is one of the largest mainstream IT information platforms in China, providing IT product price and market orientation information. It has a high Alexa rank of 170. The forums on the site, especially the cell phone bulletin boards, are very popular, and unsuspecting visitors to these sites can easily get infected.

Alert Details

Rumors of Emma Watson's Death Leading to Rogue AV Sites

Don — Mon, 27 Jul 2009 20:12:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died on the scene of a fatal car collision is spreading rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter.

The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google.

Alert Details

Adobe Reader, Acrobat and Flash Player Vulnerability

Don — Thu, 23 Jul 2009 08:10:00 GMT

Adobe has released a blog post indicating that it is aware of reports of a vulnerability affecting Adobe Reader and Acrobat 9.1.2 and Flash Player 9 and 10.

US-CERT encourages users and administrators to review the blog post and implement the following workarounds until the vendor releases additional information:

Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".

Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser Document.

Additional information regarding this vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/index.html#adobe_reader_acrobat_and_flash

National Pharmaceutical Control Bureau of Malaysia Web site Compromised

Don — Wed, 22 Jul 2009 08:41:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has detected that the the Web site of the National Pharmaceutical Control Bureau of Malaysia has been compromised and injected with malicious code. The Web host has been injected with an iframe that leads to a site laden with exploits.

Details

Waledac Independence Day Theme - New Campaign In The Wild

Don — Fri, 03 Jul 2009 19:31:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The United States of America celebrates Independence Day on July 4 each year.

The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows.

The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine.

Alert Details

Michael Jackson Death Prompts Malicious Spam

Don — Fri, 26 Jun 2009 13:27:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has discovered spam emails offering recipients links to unpublished videos and pictures of singer Michael Jackson. According to news reports Michael Jackson's death was confirmed yesterday.

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is located on a legitimate Web site hosted in Australia belonging to a radio broadcasting station. Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called michael.gif, which has low AV detection rates - see VT results here. The malware then installs a malicious BHO that is registered with this file %windir%\Dynamic.dll and this GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Alert Details

Fort William Mountain Bike World Cup 2009 Site Hijacked

Don — Wed, 24 Jun 2009 12:44:00 GMT

Websense Security Labs™ ThreatSeeker™ Network has discovered that the Web site of Fort William Mountain Bike World Cup 2009 has been hijacked by attackers, and redirects users to rogue AV sites if they visit the site through well-known search engines such as Google, Yahoo, and MSN.

This site has been injected by the Nine-Ball malicious code twice this month. Now, the injected code has been cleaned but system control has been lost without the administrator's knowledge. Once the attackers gained system control, they likely made small changes to the configuration of the Web server to redirect any visitors to rogue AV Web sites if arriving at the site via search engines. We would like to remind Web masters that a full examination of the whole system is necessary after removing code injections.

Alert Details