Spyware, Viruses, & Security forum

General discussion

NEWS - October 05, 2010

by Donna Buenaventura / October 4, 2010 9:36 PM PDT
Misleading Apps Push Browser Security Update Trick

In a previous blog we reported on how attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users.

In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a ?Download Updates!!? button, unlike Google?s ?Get me out of here? button, for example.

Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on cancel button

The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users.

http://www.symantec.com/connect/fr/blogs/misleading-apps-push-browser-security-update-trick
Discussion is locked
You are posting a reply to: NEWS - October 05, 2010
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - October 05, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Sality & Stuxnet - Not Such a Strange Coincidence
by Donna Buenaventura / October 4, 2010 9:40 PM PDT

Kaspersky Lab announces the publication of its Monthly Malware Statistics for September 2010. The onset of autumn brought with it advances in the Sality virus and an increase in the number of adware programs on the web.

According to Kaspersky Lab statistics, a new variant of the notorious polymorphic Sality virus, dubbed 'bh', was found to be particularly widespread on users' computers. A newcomer to the ranking, Sality.bh claimed eleventh position and spread with the help of Trojan-Dropper.Win32.Sality.cx which uses vulnerability in Windows LNK files. This is the first detected zero-day vulnerability to be used by the now infamous Stuxnet worm. This same vulnerability was exploited by Trojan-Dropper.Win32.Sality.r back in August. The geographical distribution of the droppers in question mirrors that of the Stuxnet worm, both of them appearing most prolifically in India, followed by Vietnam and then Russia.

"Cybercriminals are usually very quick to release exploits when new vulnerabilities are discovered. The fact that huge numbers of users fail to update their software on a regular basis only encourages them. The extensive media coverage afforded to Stuxnet has only served as an advertisement for the vulnerabilities used by various cybercriminal groups," commented Vyacheslav Zakorzhevsky, Senior Virus Analyst and author of the review. [...]

The full version of the September malware ranking from Kaspersky Lab is available at:
http://www.securelist.com/en/analysis/204792141/Monthly_Malware_Statistics_September_2010

http://www.kaspersky.com/news?id=207576193

Collapse -
The Recent Burst of HTML Attachment Spam
by Donna Buenaventura / October 4, 2010 9:41 PM PDT

During the last 4 months, SophosLabs has seen an explosion in the resurgence of HTML attachment spam. As shown in the following figure, it accounts for 8% of all the spam in the June and September, and about 2-3% in July, August and October.

HTML attachments can be divided into two parts: malicious JavaScript redirectors or phishing attachments.

Malicious JavaScript redirectors: In June, a large number of malicious spam with embedded HTML attachments (detected as Troj/JSRedir-BO), was associated with Facebook password resetting tasks, the FIFA World Cup and Skype [1,2].

SophosLabs saw further waves of mass-spammed JavaScript redirectors in September, which had been detected as JS/WndRed-B.

http://www.sophos.com/blogs/sophoslabs/?p=11165

Collapse -
The Security Effects of Internationalized Domain Names
by Donna Buenaventura / October 4, 2010 9:43 PM PDT

Over the years, many changes have been made to the Domain Name System (DNS). Some of these changes were made to allow internationalized domain names, or IDNs. The concept behind these is simple: to allow language-specific scripts or characters that are not part of the usual Latin alphabet to become part of domain names.

However, the security and cybercrime implications of international domain names have to be considered. We know that criminals jump at every new technological development to make money? and that some open the doors to cybercrime more easily than others.

This is a subject I?ve been thinking about for a while. There are a number of facets to the IDN discussion, and a number of associated risks.[...]

The first threat that comes to mind is domain squatting in these new country-code domains. Let?s consider a theoretical example of the (fictional) company Bingo. Suppose someone registers bingo.?? before Bingo gets around to it.

The customers of Bingo would be exposed to phishing from bingo.?? before the legitimate Bingo organization is able to register their domain. (This threat would occur anytime a new TLD is approved that is applicable to an existing organization.)

It gets worse. With a valid registration, it would not be hard to prove that a domain is legitimately owned and thus get an SSL certificate. This could lead users to believe they are visiting the legitimate site.The only real solution here is vigilance on the part of the domain owners and registrars, and careful scrutiny on the part of computer users.

http://blog.trendmicro.com/the-security-effects-of-internationalized-domain-names/

Collapse -
Comcast Pushes Bot Alert Program Nationwide
by Donna Buenaventura / October 4, 2010 9:47 PM PDT

Comcast, the nation?s largest residential Internet service provider, announced last week that it is expanding an initiative to contact customers whose PCs appear to be infected with a malicious bot program.

The Philadelphia-based cable Internet company is expanding nationwide a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company?s security page. The system also sends the customer?s browser a so-called ?service notice,? a semi-transparent banner that overlays a portion of whatever page is being displayed in the user?s Web browser.

Customers can then either move or close the alert, or click Go to Anti-Virus Center, for recommended next-steps, which for Windows customers includes:
Downloading any missing Microsoft security updates.
Making sure the customer has some kind of up-to-date anti-virus software running.
Downloading and running Microsoft?s malicious software removal tool.
Downloading and installing Secunia?s free Personal Software Inspector tool, a program that periodically scans the user?s computer for missing security updates for commonly used third party applications, such as Adobe Reader, Flash, and Java, and QuickTime.

Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer ? including Mac versions of the Symantec suite.

http://krebsonsecurity.com/2010/10/comcast-pushes-bot-alert-program-nationwide/

Collapse -
Spam Volumes Dip After Spamit.com Closure
by Carol~ Moderator / October 5, 2010 12:55 AM PDT

Spam trackers are seeing a fairly dramatic drop in junk e-mail sent over the past few days, specifically spam relayed by the one of the world's largest spam botnets - although security experts disagree on exactly which botnet may be throttling back or experiencing problems.

According to M86 Security Labs, the volume of spam has dipped quite a bit, approximately 40 percent since the beginning of the month by the looks of the graphic the company publishes on its site (pictured at right). [Screenshot]

M86 says the decrease in spam is due to a rapid drop in activity from the Rustock botnet (see graphic below left), a collection of spam-spewing zombie PCs that experts say is responsible for relaying about 40 percent of all junk e-mail on any given day. [Screenshot]

The decline in spam volume comes at about the same time that the world's largest spam affiliate program ? spamit.com ? said it would stop paying affiliates to promote its online pharmacy Web sites ? on Oct. 1.

http://krebsonsecurity.com/2010/10/spam-volume-dip-after-spamit-com-closure/

Prior (Related) Post: Spam Affialite Program Spamit.com to Close

Collapse -
Largest Fake Pharmacy Spam Affiliate Program Closes
by Carol~ Moderator / October 5, 2010 6:45 AM PDT

From the Cisco Blog:

On Monday morning, I woke up and started my weekly routine by looking through the spam captured by our traps over the weekend. It feels as though I am still dreaming, because the most notorious pharmacy affiliate program, Spamit, seems to have made good on its threat of closing its doors. Brian Krebs blogged about this last week, citing that "Spamit administrators blamed the impending closure on increased public attention to its program." So far, we have seen no sign of spam advertising "Canadian Pharmacy" and our SenderBase and SpamCop services are both showing a significant decrease in global spam volumes.

Sun Tzu famously said, "Keep your friends close, and your enemies closer." Spamit, along with the rest of the fake online pharmacy community, has been very near and dear to us at Cisco Security Intelligence Operations (SIO) for several years. We visited the Subway restaurant in Toronto, Canada supposedly occupied by "My Canadian Pharmacy," an affiliate program run by bulker.biz, Spamit?s main competitor.

These affiliate programs solve an interesting problem faced by criminal spammers. It is difficult to accept payments and deliver a physical product while also competing with computer security professionals who are blocking spam email and shutting down websites. The affiliate programs serve the spammers by designing website templates, operating hidden back-end order fulfillment servers, processing credit card payments, shipping and tracking the physical goods and ultimately paying a substantial commission to the spammer.

http://blogs.cisco.com/security/largest-fake-pharmacy-spam-affiliate-program-closes/

Collapse -
WOW!
by MDFlax / October 5, 2010 6:51 AM PDT

I wnder if that means the end to the spam posts in these forums for the famous, (infamous?), 'male pill' we so often see?

We can only hope, although I see from the article that in any case this may only be a temporary reprieve.

Thanks Carol.

Mark

Collapse -
Believe It Or Not..
by Carol~ Moderator / October 5, 2010 7:07 AM PDT
In reply to: WOW!

I had you and Kees in mind, when I read it. And.. when I posted it.

"Wouldn't it be loverly", if those "little blue pill" spam posts were gone??!!

Add to that, the "sports" spam posts and your weekends will be forever free! Happy

Carol

Collapse -
Whistleblower site Cryptome hacked, defaced, all files..
by Carol~ Moderator / October 5, 2010 4:57 AM PDT
...deleted'

The whistleblowing, government-document sharing site Cryptome was hacked and defaced this weekend. All 54,000 Cryptome hosted files were deleted.

According to Cryptome, "A person wrote claiming to know who did the hack. No way to know if this claim is true. Hackers, like spies, often blame one another to cover their tracks. Blocking attacks is nearly impossible due to the purposefully weak security of the Internet. Nearly all security methods are bogus. A competent hacker or spy, or the two working together, can penetrate easily. We monitor and keep back-ups ready. And do not trust our ISP, email provider and officials to tell the truth or protect us."

After its site was restored and Cryptome could view emailed notifications, Cryptome posted the steps of the hack. First, its EarthLink email account was "accessed by unknown means and its access password changed." Using that email address, the hacker then requested information about Cryptome's multiple accounts. The Cryptome.org management account was accessed at Network Solutions (NSI) and all "54,000 files (some 7GB) were deleted and the account password changed."

http://blogs.computerworld.com/17096/whistleblower_site_cryptome_hacked_defaced_all_files_deleted

Also: Hackers Hijack Cryptome and Delete Everything
Collapse -
Fake Apple iTunes Receipts Used as Malware Tool
by Carol~ Moderator / October 5, 2010 4:58 AM PDT

PandaLabs said Monday that the company has discovered fake iTunes receipts that have begun to be sent to users in an attempt to steal personal details.

Ironically, the attack vector is via Flash - a technology Apple refuses to use for its alleged security weaknesses.

According to PandaLabs, the research arm of antivirus vendor Panda Security, users are sent a "receipt" from iTunes that looks completely authentic, with no telltale spelling errors or issues with the image's source code. However, an image posted to the PandaLabs blog had obvious problems with the bill's total, most likely to provoke the user to take action.

The attack begins when the user is invited to click a link to "report a problem".

"After clicking the link, the victim is asked to download a fake PDF reader," PandaLabs said. "Once installation is complete, the user is redirected to an infected Web page containing the Zeus Trojan, which is specifically designed to steal personal data. This phishing attack was uncovered shortly after a similar phishing attack targeting LinkedIn users appeared last week, which appears to have originated in Russia."

http://news.yahoo.com/s/zd/20101004/tc_zd/255262?

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?