Avast Antivirus Drops iYogi Support
iYogi Refers to Incident as 'Tylenol Moment'
Avast, an antivirus maker that claims more than 150 million customers, is suspending its relationship with iYogi, a company that it has relied upon for the past two years to provide live customer support for its products. The move comes just one day after an investigation into iYogi by KrebsOnSecurity.com indicating that the company was using the relationship to push expensive and unnecessary support contracts onto Avast users.
In a blog post published today, Avast said it came to the decision after reports on this blog that "iYogi's representatives appear to have attempted to increase sales of iYogi's premium support packages by representing that user computers had issues that they did not have."
"Avast is a very non-traditional company in that positive referrals and recommendations from our user base drive our product usage," Avast CEO Vince Steckler wrote. "We do not distribute our products in retail, via computer manufacturers, or other similar channels. This model has served us well and has made us the most popular antivirus product in the world. Last year we added over 30M new users on top of almost 30M new users in the previous year. As such, any behavior that erodes the confidence our users have with Avast is unacceptable. In particular, we find the behavior that Mr. Krebs describes as unacceptable."
Continued : http://krebsonsecurity.com/2012/03/avast-antivirus-drops-iyogi-support/
Related: Aghast at Avast's iYogi Support
This is very helpful Carol, thank you for the heads up.
I have read the blogs from both Krebs and Steckler.
Very much appreciated.
Java-based Web Attack Installs Hard-to-detect Malware in RAM
A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.
Drive-by download attacks are one of the primary methods of distributing malware over the Web. They usually exploit vulnerabilities in outdated software products to infect computers without requiring user interaction.
Kaspersky Lab researchers recently investigated such an attack on visitors to www.ria.ru, a website that belongs to the Russian RIA Novosti news agency, and www.gazeta.ru, a popular Russian-language online newspaper.
The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn't hosted on the affected websites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service called AdFox.
What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory.
Continued : http://www.pcworld.com/businesscenter/article/252093/javabased_web_attack_installs_hardtodetect_malware_in_ram.html
Related: A unique 'fileless' bot attacks news site visitors
Rare RAM-Based Malware Attacks Visitors of Russian Information Sites
An advertising banner on a number of widely used Russian-content sites has been serving a rare, RAM-based form of malware, according to a Securelist report.
Researchers at Kaspersky Lab recently received information from an independent researcher detailing mass infections that appeared to be originating from a number of popular Russian news sites. The symptoms of infection were the same: computers on the network were sending requests to third-party resources and, in turn, encrypted files began showing up on their hard-drives. However, commonalities among the infections were elusive. Websites spreading the infection were hosted on different platforms with different architectures, and attempts to cross-reference this malicious code with others in the Kaspersky Security Network were unsuccessful.
Continued : http://threatpost.com/en_us/blogs/rare-ram-based-malware-attacks-visitors-russian-information-sites-031912
DuQu Mystery Language Solved With the Help of Crowdsourcing
A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.
The language, which DuQu used to communicate with command-and-control servers, turns out to be a special type of C code compiled with the Microsoft Visual Studio Compiler 2008.
Researchers at Kaspersky Lab, who put out the call for help two weeks ago after failing to figure out the language on their own, said they received more than 200 comments to a blog post they wrote seeking help, and more than 60 direct emails from programmers and others who made suggestions.
DuQu, an espionage tool that followed in the wake of the infamous Stuxnet code, had been analyzed extensively since its discovery last year. But one part of the code remained a mystery - an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines.
Kaspersky researchers were unable to determine the language in which the communication module was written and published a blog post asking programmers for help. Identification of the language would help them build a profile of DuQu's authors.
Continued : www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/
Related: Researchers Seek Help in Solving DuQu Mystery Language
Europeans targeted with new ransomware
In the last couple of years, malware that hijacks users' machines and demands money to "unblock" them has become an often encountered threat.
Messages presented by this "ransomware" usually contain warnings that seem to come directly from law enforcement agencies and accuse the user of having downloaded pirated music tracks or movies.
The entity behind the warning and the language used in the message are usually well matched, but as Microsoft researchers have shown, that is not always the case.
In a very recent example, the ransomware authors made quite an effort with HTML style sheets and content in order to trick the users into believing that GEMA (a German music copyright organization) is the author of the warning, but they unexpectedly used the English language for it: [Screenshot]
Continued : http://www.net-security.org/malware_news.php?id=2039
Multi-word passphrases not all that secure, says Cambridge
Think that a passphrase of multiple, random dictionary words is as unguessable as long strings of gibberish, but easier to remember?
Research from the Computer Laboratory at the University of Cambridge suggests that this might not be so.
While passphrases using dictionary words may not be as vulnerable as individual passwords, they may still be cracked by dictionary attacks, the research found.
Security researcher Joseph Bonneau reports, in a recent paper (pdf) written with Ekaterina Shutova, that his team studied the problem by turning not to the theoretical space of choices but rather the real-life passphrases that people actually string together.
To find such a selection of passphrases, his team used data crawled from the now-defunct Amazon PayPhrase system, introduced last year for US users only.
Continued : http://nakedsecurity.sophos.com/2012/03/19/multi-word-passphrases/
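To put the Cambridge argument in numbers: the theoretical space of k-word phrases from an n-word dictionary is large, but an attacker only has to guess what people actually pick. The script below is an added illustration, not code from the paper or from Sophos, and the "observed" phrases are a constructed, deliberately skewed sample rather than PayPhrase data.

```python
"""Theoretical vs. observed guess-resistance of multi-word passphrases."""
import math
from collections import Counter

def uniform_bits(dictionary_size: int, words: int) -> float:
    """Entropy if every word were drawn uniformly and independently: log2(n^k)."""
    return words * math.log2(dictionary_size)

def guesses_to_crack_fraction(phrases, alpha: float) -> int:
    """Guesses needed, trying the most common phrase first, to cover a
    fraction alpha of the users in the observed sample."""
    counts = Counter(phrases)
    total = len(phrases)
    covered = 0
    for rank, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / total >= alpha:
            return rank
    return len(counts)

def effective_bits(phrases, alpha: float) -> float:
    """Guess count for fraction alpha expressed in bits, comparable to uniform_bits()."""
    return math.log2(guesses_to_crack_fraction(phrases, alpha))

# Constructed sample: 100 two-word phrases, a few favourites plus a long tail.
SAMPLE = (["red dog"] * 20 + ["big cat"] * 15 + ["blue sky"] * 10 + ["hot tea"] * 8
          + ["old man"] * 7 + ["fast car"] * 6 + ["new york"] * 5 + ["sun set"] * 4
          + [f"word{i} word{i + 1}" for i in range(25)])

if __name__ == "__main__":
    # Two words from a 10,000-word dictionary look like ~26.6 bits ...
    print("uniform 2-word, 10k dictionary:", round(uniform_bits(10_000, 2), 2), "bits")
    # ... but half of this sample falls to a handful of guesses.
    for alpha in (0.25, 0.5, 0.75):
        print(f"crack {alpha:.0%} of users:", guesses_to_crack_fraction(SAMPLE, alpha),
              "guesses =", round(effective_bits(SAMPLE, alpha), 2), "bits")
```

The gap between the two figures is the point of the research: the dictionary-word space only protects users who choose uniformly from it, which real users do not.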
Millions of harvested U.S government and U.S military email addresses offered for sale
Dancho Danchev @ the Webroot Threat Blog:
Remember the underground service offering millions of harvested emails for sale profiled at the Webroot Threat Blog in January?
It appears that cybercriminals are continuing to innovate in this underground market segment by offering geolocated databases of millions of harvested emails for better targeting in their upcoming spam campaigns.
In this post, I'll profile yet another cybercrime underground service selling millions of harvested emails to potential cybercriminals.
What's particularly interesting about this service compared to the previous one profiled at the Webroot Threat Blog is that it offers segmented databases of harvested emails based on a particular country, or multiple gTLDs for better campaign targeting in upcoming spam campaigns, and targeted attacks.
Screenshots of the inventory of harvested emails currently offered for sale:
Continued : http://blog.webroot.com/2012/03/16/millions-of-harvested-u-s-government-and-u-s-military-email-addresses-offered-for-sale/
Met Police will use 1980s software during 2012 Olympics
"Software Metropolitan Police will use to help coordinate operations during the Games struggled during London riots, finds report"
The Metropolitan Police Service will use software from the 1980s to coordinate the command and communications of its policing operations during the London Olympic Games.
The software, known as MetOps, is installed in the force's special operations room (SOR), the central control room providing communications support during more than 500 major incidents and events each year, according to a report by the Met into the riots of August 2011.
MetOps, a messaging and recording system, was not designed for dynamic incident management, and means commanders have no simple way to view the latest situation during an evolving incident, the report says.
The age of the MetOps system means that it is not linked directly to the software used in the force's central communications centre, known as the computer aided dispatch (CAD) system. "This can result in the central communications centre being unaware of what is being dealt with within SOR, and conversely SOR being unaware of what is being dealt with through the CAD system," says the report.
Continued : http://www.guardian.co.uk/government-computing-network/2012/mar/16/met-police-using-80s-software
30 Year-Old Software to Be Used by Metropolitan Police During Olympics
Met plod will use 1980s software to police Olympics
Spoofed LinkedIn Messages Serving BlackHole Exploit
Users of the business-related social network LinkedIn have reported receiving email notifications that are tainted with a malicious link intended to infect the targeted recipient's computer.
The operation was identified by researchers at security provider GFI Labs, and documented on the company's blog.
"Be advised that there are fake Linkedin invitation reminders in circulation sending users to a BlackHole exploit which attempts to drop Cridex onto the PC," writes GFI's Chris Boyd.
The Cridex malware is commonly utilized in spam-based attack operations, and the use of messages designed to look like LinkedIn notifications potentially makes this particular attack all the more effective, as users are accustomed to receiving numerous communications from the platform daily.
"Cridex is a rather nasty piece of work that does everything from target banks and social networking accounts to a little bit of CAPTCHA cracking," Boyd said.
GFI Labs provided a sample of one of the malicious notifications: [Screenshot]
Continued : http://www.infosecisland.com/blogview/20754-Spoofed-LinkedIn-Messages-Serving-BlackHole-Exploit.html
Stolen Encryption Key Compromised Symantec Certificate
When Kaspersky Lab last week spotted code-signed Trojan malware dubbed Mediyes that had been signed with a digital certificate owned by Swiss firm Conpavi AG and issued by Symantec, it touched off a hunt to determine the source of the problem.
The answer, says Symantec's website security services (based on the VeriSign certificate and authentication services acquisition), is that somehow the private encryption key associated with the Conpavi AG certificate had been stolen.
"The private key for Conpavi was exposed," says Quentin Liu, senior director of engineering at the Symantec division. "Someone got hold of the private key." For this type of digital certificate, the private key is held by the certificate owner, in this case, Conpavi. Whether the private encryption key was stolen by an insider at Conpavi or an outside attacker isn't known. But the incident points out the risks associated with private encryption keys for this type of digital certificate and the need to safeguard them.
Symantec has revoked the Conpavi certificate that was used to digitally sign the Mediyes malware and is assisting the Swiss firm in analyzing what occurred and helping them prevent this from happening again.
Continued : http://www.pcworld.com/businesscenter/article/252099/stolen_encryption_key_compromised_symantec_certificate.html
Related : Trojan Dropper Uses Valid Cert Issued For Swiss Company
New Version of Imuler Trojan Masquerades as Image Files
From The Mac Security Blog:
Intego has discovered a new version of the Imuler Trojan horse, which the company first discovered in September, 2011. At the time, the sample discovered masqueraded as a PDF file containing Chinese text. This was not found in the wild, and the risk was considered to be low.
The latest version, Imuler.C, has been found to be disguised as image files. Intego found two samples of this malware on the VirusTotal website, a site used by security companies to share malware samples. Two samples were found, both in zip archives: "Pictures and the Ariticle of Renzin Dorjee.zip" and "FHM Feb Cover Girl Irina Shayk H-Res Pics.zip." In both cases, an application was included among the various files, with an icon making it look like an image: [Screenshot]
This technique is not new, and takes advantage of a default setting in the Mac OS X Finder, whereby file extensions are not displayed. Users double-clicking on the application launch the malware, which quickly deletes itself, replacing the original application with a real JPEG image corresponding to the one that was an application, and displays this image in the user's default image viewer. There is no visible trace of the application after this point.
Continued : http://blog.intego.com/new-version-of-imuler-trojan-horse-masquerades-as-image-files/
From F-Secure: Mac Malware at the Moment
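A simple check for the lure described in the Intego post. This is an added example, not Intego's or F-Secure's code; it assumes the disguised application is an .app bundle whose name carries an image extension (e.g. "Cover.jpg.app", shown by Finder as "Cover.jpg" once extensions are hidden), and the sample directory tree it scans is constructed in the script.

```python
"""Flag app bundles whose names mimic image files (Imuler-style lure)."""
import os
import shutil
import tempfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

def looks_like_image_app(name: str) -> bool:
    """True for names such as 'photo.jpg.app': an app bundle with an image-like inner extension."""
    root, ext = os.path.splitext(name)
    if ext.lower() != ".app":
        return False
    inner_ext = os.path.splitext(root)[1].lower()
    return inner_ext in IMAGE_EXTS

def find_disguised_apps(top: str) -> list:
    """Walk a directory tree and return paths of suspicious bundles.

    A bundle is reported only when its name mimics an image AND it contains a
    Contents/MacOS directory, i.e. it is launchable rather than an oddly named folder."""
    hits = []
    for dirpath, dirnames, _ in os.walk(top):
        for d in list(dirnames):
            path = os.path.join(dirpath, d)
            if looks_like_image_app(d):
                if os.path.isdir(os.path.join(path, "Contents", "MacOS")):
                    hits.append(path)
                dirnames.remove(d)  # never descend into a bundle we have already judged
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed sample (hypothetical names): one disguised bundle, one real
    image placeholder, one ordinary application bundle."""
    top = tempfile.mkdtemp(prefix="imuler_demo_")
    os.makedirs(os.path.join(top, "Pics", "Cover Girl H-Res.jpg.app", "Contents", "MacOS"))
    open(os.path.join(top, "Pics", "Cover Girl H-Res.jpg"), "wb").close()  # benign JPEG stand-in
    os.makedirs(os.path.join(top, "Calculator.app", "Contents", "MacOS"))
    return top

if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for hit in find_disguised_apps(sample):
            print("suspicious bundle:", hit)
    finally:
        shutil.rmtree(sample)
```

On a real Mac the same walk can be pointed at ~/Downloads; the "Contents/MacOS" condition is what separates a disguised executable from a stray folder name.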
Criminals Behind Rogue AV Leverage on Google
Certain compromised pages, which are search engine optimized, are found in the wild and accessible via popular search engines like Google and Bing. These pages were found to direct the user to a site where a faux scan is performed on the affected system - typical of rogue AV. What is atypical about the said scan, however, is that it claims to originate from Google. [Screenshot]
Google systems have detected unusual traffic from your computer. Please check you PC on viruses.
To continue, please download and install our antivirus software.
or our system will block your access to Google services.
Once users heed this fake warning, they download a rogue AV file contained in a password-protected archive.
Continued : http://www.gfi.com/blog/criminals-behind-rogue-av-leverage-on-google/
Search My Logs of Affiliate Fraud
From Ben Edelman and Wesley Brandi:
Since 2004, I've been tracking and reporting all manner of rogue affiliates -- using spyware and adware to cover competitors' sites; using trickier spyware and adware to claim commission on merchants' organic traffic; typosquatting; stuffing cookies through invisible IFRAME's and IMG's, banner ads, and even hacked forum sites; and the list goes on. I now have automation catching these practices in ever-increasing quantities.
While I've written up dozens of rogue affiliates on this site and in various presentations, today Wesley Brandi and I are introducing something better: query-based access to our records of affiliate fraud targeting top affiliate merchants. Enter a merchant's domain name, and we'll tell you how much affiliate fraud we've seen targeting that domain -- handy for merchants wanting to check whether their program is clean, and for affiliates wanting to confirm the trustworthiness of a program they're considering promoting. We're not currently posting details of the specific perpetrators, but we have affiliate ID numbers, domain names, and packet log proof on file for each violator, and we can provide these upon request.
Take a look: Affiliate Fraud Information Lookup.
Fake or hijacked Facebook accts used in scams to steal money
From the Kaspersky Lab Weblog:
Sweden recently experienced a large banking scam where over 1.2 million Swedish kronor (about $177,800) were stolen by infecting the computers of multiple victims. The attackers used a Trojan which was sent to the victims and, once installed, allowed the attackers to gain access to the infected computers. Luckily these guys were caught and sentenced to time in jail, but it took a while to investigate since over 10 people were involved in this scam.
It's possible that these attacks are no longer as successful as the bad guys would like, because we are now seeing them use other methods to find and exploit new victims. For quite some time now we have seen how hijacked Facebook accounts have been used to lure the friends of the person whose account has been hijacked to do everything from clicking on malicious links to transferring money to the cybercriminals' bank accounts.
Please note that this is not a new scam - it has been out there for quite some time. But what we are now seeing is the use of stolen/hijacked accounts, or fake accounts, becoming very common on Facebook. So common, in fact, that there are companies creating fake accounts and then selling access to them to other cybercriminals. As you might expect, the more friends these accounts have, the more expensive they are, because they can be used to reach more people.
Continued : http://www.securelist.com/en/blog/208193413/Fake_or_hijacked_Facebook_accounts_used_in_scams_to_steal_money_are_on_the_raise
Phishers Introduce Adult Cams into Gaming Scams
From Symantec's Security Response Blog:
Phishing sites with adult content are not uncommon. Phishers have often used adult content as bait in fake social networking applications. In March 2012, a phishing site spoofing a gaming brand claimed to have an adult webcam application. The phishing site was hosted on a free web hosting site and the phishing page was in Italian.
A fake offer was given on the phishing site and an adult webcam image was placed below it. According to the fake offer, the gaming brand had prepared a list of users who were willing to perform nude webcam shows for a small price, even free.
The phishing site further claimed that by entering login credentials one could receive through email the names of the users willing to perform and be able to add them to their contact list. The phishing site explained that login credentials were required because the brand had decided it could not disclose the names of performers outside the network, to maintain privacy. To gain the users' confidence, phishers assured there was no scam involved in this offer and verified each performer did perform nude in the webcam shows. The cost for each performance was set at 1 or 2 credits or free, depending on the performer. After login credentials are entered, the phishing page displays the message: "Incorrect password". If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes. [Screenshot]
Continued : http://www.symantec.com/connect/blogs/phishers-introduce-adult-cams-gaming-scams