
Thread: Rogue AV/AS prolific

  1. #11
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake AV malware campaign - 2012-06-19

    FYI...

    Fake AV malware campaign - 2012-06-19
    - https://isc.sans.edu/diary.html?storyid=13501
    Last Updated: 2012-06-19 10:26:16 UTC - "... 'vulnerabilityqueerprocessbrittleness . in' is currently one of 600+ domains that link to a quite prevalent "Fake Anti-virus" malware campaign. Currently, the domains associated to this scam all point to web servers hosted in the 204.152.214.x address range, but of course the threat keeps "moving around" as usual... The current set of threats involves frequently changing malware EXEs (or EXEs inside of ZIPs) with low coverage on virustotal. The download URLs usually follow the pattern of http ://bad-domain. in/16 character random hex string/setup.exe or /setup.zip .
    Example: http ://fail-safetytestingcontrol. in/fc1a9d5408b7e17d/setup.exe ..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
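The ISC diary quoted above gives two concrete indicators: a download path made of a 16-character random hex directory followed by setup.exe or setup.zip, and a hosting range of 204.152.214.x. The following is an added example, not code from the diary or from this thread, showing how a defender could run those indicators over proxy logs. The log format, the client addresses and the second .in domain are constructed; the first URL is the diary's own example, and the 204.152.214.0/24 range is the one quoted above, treated as a historical indicator rather than a current one.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hosting range quoted in the ISC diary (June 2012); a historical indicator, not a current one
FAKEAV_HOSTING_NET = ipaddress.ip_network("204.152.214.0/24")

# Download path from the diary: /<16 random hex characters>/setup.exe or setup.zip
FAKEAV_PATH_RE = re.compile(r"^/[0-9a-f]{16}/setup\.(?:exe|zip)$", re.IGNORECASE)


def fakeav_indicators(url, dest_ip=None):
    """Return the list of campaign indicators one URL matches (empty list = none)."""
    hits = []
    parts = urlsplit(url)
    if FAKEAV_PATH_RE.match(parts.path):
        hits.append("path matches /<16-hex>/setup.(exe|zip)")
    if parts.hostname and parts.hostname.lower().endswith(".in"):
        hits.append("hostname in the .in TLD used by the campaign")
    if dest_ip:
        try:
            if ipaddress.ip_address(dest_ip) in FAKEAV_HOSTING_NET:
                hits.append("destination in 204.152.214.0/24")
        except ValueError:
            pass  # malformed address field; ignore rather than abort the scan
    return hits


# Constructed proxy log, hypothetical format: "<timestamp> <client> <dest ip> <url>".
# The first URL is the diary's own example; the other lines are made up.
SAMPLE_LOG = """\
2012-06-19T09:12:03Z 10.1.2.3 204.152.214.17 http://fail-safetytestingcontrol.in/fc1a9d5408b7e17d/setup.exe
2012-06-19T09:12:09Z 10.1.2.7 93.184.216.34 http://www.example.com/downloads/setup.exe
2012-06-19T09:13:41Z 10.1.2.3 204.152.214.40 http://another-example-domain.in/0123456789abcdef/setup.zip
2012-06-19T09:14:02Z 10.1.2.9 203.0.113.5 http://cdn.example.net/ab12/setup.exe
"""


def scan_log(text, min_hits=2):
    """Parse log lines and return (client, url, hits) for lines matching at least min_hits indicators.

    Requiring two independent indicators keeps a single weak signal (for example,
    any .in hostname) from raising an alert on its own.
    """
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, dest_ip, url = fields
        hits = fakeav_indicators(url, dest_ip)
        if len(hits) >= min_hits:
            alerts.append((client, url, hits))
    return alerts


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {url}\n    " + "\n    ".join(hits))
```

Run as-is, the script reports the two lines that match both the path pattern and the hosting range; the legitimate setup.exe download and the four-character directory on the last line produce no alert. Because the diary notes the hosting keeps "moving around", the path pattern is the more durable of the two signals, and the IP range should be refreshed from a current source before use.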

  2. #12
    AplusWebMaster (Adviser Team)

    Ransomware-as-a-Service spotted in the wild

    FYI...

    Ransomware-as-a-Service spotted in the wild
    - http://blog.webroot.com/2012/09/20/m...d-in-the-wild/
    Sep 20, 2012 - "... recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users...
    Sample underground forum advertisement of the managed DIY Police Ransomware service:
    > https://webrootblog.files.wordpress....ce_managed.png
    According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria...
    Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
    > https://webrootblog.files.wordpress....managed_01.png
    ... thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.
    Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
    > https://webrootblog.files.wordpress....managed_02.png
    The managed service relies primarily on the Ukash voucher-based payment system*, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers..."
    * http://en.wikipedia.org/wiki/Ukash
    ___

    - http://atlas.arbor.net/briefs/index#-685203363
    Severity: Elevated Severity
    Sep 21, 2012
    Ransomware, which can be quite destructive, is being sold as a service in the underground economy.
    Analysis: Ransomware can sometimes be cleaned from a system; however, if it is done properly by the criminals, victims of the infection will need to rely on backups to recover from having their files encrypted...

    Last edited by AplusWebMaster; 2012-09-23 at 04:12.

  3. #13
    AplusWebMaster (Adviser Team)

    "Scareware" Marketer FTC Case Results in $163 Million Judgment ...

    FYI...

    "Scareware" Marketer FTC Case Results in $163 Million Judgment ...
    - http://www.ftc.gov/opa/2012/10/winfixer.shtm
    10/02/2012 - "At the Federal Trade Commission’s request, a federal court imposed a judgment of more than $163 million on the final defendant in the FTC’s case against an operation that used computer “scareware” to trick consumers into thinking their computers were infected with malicious software, and then sold them software to “fix” their non-existent problem. The court order also permanently prohibits the defendant, Kristy Ross, from selling computer security software and any other software that interferes with consumers’ computer use, and from any form of deceptive marketing.
    In 2008, as part of the FTC’s efforts to protect consumers from spyware and malware, the FTC charged Ross and six other defendants with conning more than one million consumers into buying software to remove malware supposedly detected by computer scans. The FTC charged that the operation used elaborate and technologically sophisticated Internet advertisements placed with advertising networks and many popular commercial websites. These ads displayed to consumers a “system scan” that invariably detected a host of malicious or otherwise dangerous files and programs on consumers’ computers. The bogus “scans” would then urge consumers to buy the defendants’ software for $40 to $60 to clean off the malware.
    The U.S. District Court for the District of Maryland subsequently ordered a halt to the massive scheme, pending litigation. Under a settlement announced in 2011, defendant Marc D’Souza and his father, Maurice D’Souza, were ordered to give up $8.2 million in ill-gotten gains. Two other defendants previously settled the charges against them; the FTC obtained default judgments against three other defendants..."
    * http://www.ftc.gov/os/caselist/07231...xeropinion.pdf


  4. #14
    AplusWebMaster (Adviser Team)

    Rogue AV for Windows 8

    FYI...

    Rogue AV for Windows 8
    - http://blog.trendmicro.com/trendlabs...ing-windows-8/
    31 Oct 2012 - "... cybercriminals are grabbing this chance to distribute threats leveraging Windows 8 and raise terror among users – just in time for Halloween. We were alerted to two threats that leverage the release of this new OS. The first one is a typical FAKEAV. Detected as TROJ_FAKEAV.EHM, this malware may be encountered when users visit malicious sites...
    > http://blog.trendmicro.com/trendlabs...ningresult.jpg
    ... the malware displays a fake scanning result to intimidate users to purchase the fake antivirus program – just like your run-of-the-mill FAKEAV variant. What is different with this malware, however, is that it is packaged as a security program made for Windows 8.
    > http://blog.trendmicro.com/trendlabs...V_Windows8.jpg
    The other threat is a phishing email that entices users to visit a website where they can download Windows 8 for free. Instead of a free OS, they are led to a phishing site that asks for personally identifiable information (PII) like email address, password, name that can be peddled in the underground market or used for other cybercriminal activities.
    > http://blog.trendmicro.com/trendlabs...l_Windows8.jpg
    It is typical for cybercriminals to piggyback on the highly-anticipated release of any latest technology to take their malware, spam, malicious app to new heights... To stay safe, users must keep their cool and think twice before clicking links or visiting webpages, especially those that promise the latest items or programs for free. If it’s too good to be true – it probably is..."

    Last edited by AplusWebMaster; 2012-11-01 at 11:44.

  5. #15
    AplusWebMaster (Adviser Team)

    Win 8 not immune to Ransomware

    FYI...

    Win 8 not immune to Ransomware
    - http://www.symantec.com/connect/blog...une-ransomware
    Updated: 13 Nov 2012 - "... Symantec ran several prevalent ransomware samples currently found in the wild in a default Windows 8 environment. While some samples ran poorly on Windows 8, it did not take long to find a ransomware variant (Trojan.Ransomlock.U*) that successfully locked a Windows 8 system, effectively holding it to ransom.
    Figure. Ransomware-locked Windows 8 system
    > https://www.symantec.com/connect/sit...ageW1-blog.jpg
    The Trojan.Ransomlock.U* variant uses the geolocation of the compromised system to serve localized ransomware screens in the appropriate language. While the ransomware running on Windows 8 correctly identified our location, the cybercriminals in this case must not have realized that English is the main language spoken in Ireland (less than 15 percent of the population is actually able to read Irish language). Their ingenuity in this case has lowered the chance of the ransom attempt being successful. As more users adopt Windows 8, Symantec expects to see more malware targeting this new environment...
    > http://www.symantec.com/content/en/u...ing-menace.pdf
    PDF Pg.4 - "... Fake police ransomware can be installed on a computer in a few ways but the most common to date has been through Web exploits and drive-by downloads. Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without their knowledge when that user browses to a compromised website. The download occurs in the background and is invisible to the user. In a typical drive-by download, the user browses to a website... The attacker has inserted a hidden iFrame — a special redirect — into this website. This redirection causes the user’s browser to actually connect to a second website containing an exploit pack. Exploit packs contain multiple different exploits, which, if the computer is not fully patched, causes the browser to download a file (the malware)..."
    * http://www.symantec.com/security_res...100315-1353-99

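The Symantec paper quoted in the post above describes the drive-by mechanism: a hidden iframe inserted into a compromised page silently redirects the browser to a second site hosting an exploit pack. As an added example (not code from Symantec or from this thread), here is a small scanner for the usual ways such an iframe is made invisible: zero-pixel width/height attributes, display:none or visibility:hidden, off-screen positioning, and zero size set via inline style. The sample HTML and its hostnames are constructed placeholders, not indicators from the page.

```python
import re
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose own attributes make them invisible to the user.

    Only the iframe's own attributes are inspected; a visible iframe nested inside
    a hidden parent container is not flagged by this simplified scanner.
    """

    OFFSCREEN_RE = re.compile(r"(?:left|top):-\d{3,}")
    ZERO_SIZE_RE = re.compile(r"(?:^|;)(?:width|height):0(?:px)?(?:;|$)")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # html.parser lowercases tag and attribute names; values may be None
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        # 1. Explicit width/height attributes of 0 or 1 pixel
        for dim in ("width", "height"):
            raw = a.get(dim, "").strip().lower()
            if raw.endswith("px"):
                raw = raw[:-2]
            if raw.isdigit() and int(raw) <= 1:
                reasons.append(f"{dim}={raw}")
        # 2. Inline style tricks, compared with whitespace stripped
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides element")
        if self.OFFSCREEN_RE.search(style):
            reasons.append("positioned off-screen")
        if self.ZERO_SIZE_RE.search(style):
            reasons.append("zero size via style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts, one per suspicious iframe, in document order."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of an injected page; the hostnames are placeholders, not real IoCs
SAMPLE_HTML = """<html><body>
<h1>Constructed sample page</h1>
<iframe src="http://video.example.com/player" width="640" height="360"></iframe>
<iframe src="http://exploit-kit.example.net/landing" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://exploit-kit.example.net/alt" style="position:absolute; left:-9999px; top:-9999px"></iframe>
<iframe src="http://exploit-kit.example.net/alt2" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

The visible 640x360 player is ignored and the three hidden frames are reported with the reason each was flagged. A scanner like this is a triage aid for web content owners checking their own pages; it does not replace keeping browsers and plugins patched, which the paper identifies as what the exploit pack actually depends on.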

  6. #16
    AplusWebMaster (Adviser Team)

    Police Ransomware bears Fake Digital Signature

    FYI...

    Police Ransomware bears Fake Digital Signature
    - http://blog.trendmicro.com/trendlabs...tal-signature/
    Nov 22, 2012 - "... We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR... the digital signature’s name and its issuing provider are very suspicious... the fake signature’s sole purpose is likely to elude digisig checks. Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability... Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet. Based on our analysis, the two samples we found impersonate two different law enforcement agencies. The first sample mimics the FBI...
    > http://blog.trendmicro.com/trendlabs...ransomware.gif
    ... while the second one displays a warning message purportedly from the UK’s Police Central e-Crime Unit.
    > http://blog.trendmicro.com/trendlabs...ransomware.gif
    First seen in Russia in 2005, ransomware has since spread to other European countries and eventually, to the United States and Canada. These variants are known to extort money by taking control of systems and taunting users to pay for a fee (or “ransom”) through selected payment methods. The most recent wave of these variants were found capable of tracking victim’s geographic locations. This tracking enables the attackers to craft variants that impersonate the victim’s local police/law enforcement agencies while holding their entire systems captive. Software vendors include digital signatures as a way for users to verify software/program legitimacy. But cybercriminals may incorporate expired or fake digital sigs or certificates into the malware to hoodwink users into executing it. Just last October, Adobe warned users of malicious utilities carrying Adobe-issued certificates. Certain targeted attacks like the notorious FLAME were also found to use malicious file components bearing certificates issued by Microsoft..."
    ___

    - https://www.net-security.org/malware_news.php?id=2331
    23.11.2012

    Last edited by AplusWebMaster; 2012-11-24 at 15:20.

  7. #17
    AplusWebMaster (Adviser Team)

    Rogue Ads, Rogue YM badness ...

    FYI...

    Finnish website attack via Rogue Ad
    - http://www.f-secure.com/weblog/archives/00002468.html
    Dec 5, 2012 - "... every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory... An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period... all of that malware traffic was pushed by a -single- ad from a third-party advertiser's network. Just one ad... What was blocked? — Rogue Antivirus. As in fake security software...
    > http://www.f-secure.com/weblog/archi...Rogue_Scan.png
    These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials, they want payment up front... That's generally a good sign there's something amiss."

    Rogue Yahoo! Messenger ...
    - http://blog.trendmicro.com/trendlabs...est-ym-update/
    Dec 5, 2012 - "On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform*, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger... I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.
    > http://blog.trendmicro.com/trendlabs...enger_fake.gif
    However, when I checked its file properties, I found that it is actually an AutoIt compiled file.
    > http://blog.trendmicro.com/trendlabs...M_property.gif
    Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to checking the user’s existing Internet browser(s). Once a browser is found, it connects to the websites http://{BLOCKED}y/2JiIW and http://31c3f4bd.{BLOCKED}cks.com, as seen below:
    > http://blog.trendmicro.com/trendlabs...tes_fakeym.gif
    ... this threat doesn’t stop there... these sites further redirect users to other webpages. Some of these pages even result in several, almost endless redirections. From the looks of it, this scheme looks like a classic click fraud. By connecting to these sites, which are pay-per-click sites, the malware generates a “visit” that translates into profit for the site owners and/or the malware author... the people behind this threat are attempting to piggyback on Yahoo!’s recent announcement to reach out to as many users as possible. Unfortunately, this social engineering tactic has been proven effective, such as in the case of fake keygen applications for Windows 8 and malicious versions of Bad Piggies. To stay safe from these threats, users must be cautious when visiting sites or downloading files from the Internet. For better protection, users should bookmark trusted sites and refrain from visiting unknown pages. Cybercriminals and other bad guys on the Internet are good at crafting their schemes to make them more appealing to ordinary users... it pays to know more about social engineering tactics and what makes them work..."
    * http://www.ymessengerblog.com/blog/2...enger-features


  8. #18
    AplusWebMaster (Adviser Team)

    Ransomware speaks ...

    FYI...

    Ransomware speaks...
    - http://blog.trendmicro.com/trendlabs...are-it-speaks/
    Dec 10, 2012 - "... we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM*, it locks the infected system but instead of just showing a message, it now urges users to pay verbally. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located...
    > http://blog.trendmicro.com/trendlabs...12/LockNew.jpg
    ... ransomware has now leaped to other European countries, the United States and Canada. Because of the payment method ransomware employs, specifically electronic cash like Ukash, PaySafeCard and MoneyPak, the people behind this threat generate profit from it but with the benefit of having a faint money trail. Because of this, the gangs profiting from this malware can hide their tracks easily..."
    * http://about-threats.trendmicro.com/...ROJ_REVETON.HM


  9. #19
    AplusWebMaster (Adviser Team)

    Rogue v ransomware - Fear and deception

    FYI...

    Rogue v ransomware - Fear and deception
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    9 Jan 2013 - "... Rogues are a prime example of malware that uses fear appeals to force your hand. A common scenario you might face when encountering a rogue on your computer follows:
    • You see a scanning interface on your screen, pretending to scan the file system (the scanning interface may appear while browsing the Internet or could be inadvertently downloaded).
    • Upon completion of the scan, a large number of infections are reportedly found on your computer.
    > https://www.microsoft.com/security/p...oguevran/1.jpg
    • A barrage of warnings related to these supposed infections is intermittently displayed to you in the form of dialog boxes and alerts popping up on your desktop or coming from your taskbar.
    • Attempts to launch applications are thwarted by the rogue which blocks the applications from being launched and displays an alert, warning that the application is also infected.
    • System security and firewall applications are usually targeted by the rogue as it attempts to terminate their processes, services and/or modify their registry entries, making it extremely difficult to remove the rogue from the computer.
    ... there is a point to all of these invasive and fear mongering tactics deployed by rogues, which is ultimately to force you to pay a fee using your credit card in order to "activate" the supposed security scanner and remove the reported infections. Rogue:Win32/Winwebsec, a rogue still in circulation and being actively updated by its creators, is an example of a rogue that contains all of these functionalities. Win32/Winwebsec, along with Win32/FakeRean, are two rogues that are still actively out in the wild, but on the whole, we have seen a steady decrease in the number of rogues in circulation in 2012.
    > https://www.microsoft.com/security/p...oguevran/2.jpg
    ... numbers broken down by family for most of 2012:
    > https://www.microsoft.com/security/p...oguevran/3.jpg
    ... rogues aren’t the only badware in town using fear appeals. In the last year, we’ve seen the rise of a new threat whose success also relies on persuading affected users to act on the receipt of a deceptive message in order to avoid an unpleasant consequence. This new(ish) badware goes by the unfortunate name of ransomware... You can find detailed information on ransomware here*..."
    * http://www.microsoft.com/security/po...ansomware.aspx


  10. #20
    AplusWebMaster (Adviser Team)

    Ransomware - fear and deception (part 2)

    FYI...

    Ransomware - fear and deception (part 2)
    - https://blogs.technet.com/b/mmpc/arc...edirected=true
    15 Jan 2013 - "Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency accusing you of committing some form of crime. Commonly, these messages accuse the receiver of crimes associated with copyright violations (for example, downloading pirated software or other digital intellectual property) and/or the possession of illicit pornographic material. And if this threat isn’t enough, it backs the message up by rendering the system unusable, presumably until the fine is paid...
    > https://www.microsoft.com/security/p...oguevran/4.jpg
    ... they are on the increase.
    > https://www.microsoft.com/security/p...oguevran/5.jpg
    We’ve also seen an increasing number of different types of malware that use this tactic. What started as a fairly small number of families has blossomed during 2012 into an increasingly diverse group (although I will mention that this data has been affected by our increasing focus on this type of malware and our ability to identify them correctly). Reveton and Weelsof, for example, are families that have caused considerable pain to the user.
    > https://www.microsoft.com/security/p...oguevran/6.jpg
    ... while rogues still account for a lion’s share of total malware in comparison to ransomware, rogues are trending down while ransomware is on the up:
    > https://www.microsoft.com/security/p...oguevran/7.jpg
    ... some more recent rogues have started using similar tactics to ransomware. One FakeRean variant that calls itself Privacy Protection displays fake scan results that imply child pornography has been found on the affected computer.
    > https://www.microsoft.com/security/p...oguevran/8.jpg
    ... Legitimate security companies won’t try to scare you into using their scanners and law enforcement agencies aren’t going to pop up a message and scare you into paying a fine. If a message tries to frighten you, think very carefully about what it’s asking you to do, and more importantly, if it’s an unreasonable request (such as sending money), don’t do it."

