Rogue AV/AS prolific

AplusWebMaster

Google finds a million scareware infections...

FYI...

Google finds a million scareware infections...
- http://krebsonsecurity.com/2011/07/google-your-computer-appears-to-be-infected/
July 19, 2011 - "Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software... the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software... The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites. Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification* at the top of victims’ Google search results; it includes links to resources to help remove the infection... the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools."
* http://krebsonsecurity.com/wp-content/uploads/2011/07/googhij.png
___

- http://googleonlinesecurity.blogspot.com/2011/07/using-data-to-protect-people-from.html
Updated July 20, 2011

:fear::mad::fear:
 
Fake video codecs... with scareware

FYI...

Fake video codecs - with scareware
- http://threatpost.com/en_us/blogs/get-your-new-video-codecs-and-scareware-072511
July 25, 2011 - "... Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware... The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they're pushing and then get him to pony up for the license fee. Now, researchers at GFI Labs* have come across a new breed of rogue AV that takes a less direct route to the victim's wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users' machines, but doesn't immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video..."
* http://sunbeltblog.blogspot.com/2011/07/fakevimes-infection-offers-up-home.html
"... a sample of some of the files found on the infected machine:
c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ip\e.exe
c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
c:\Documents and Settings\All Users\Application Data\ip\instr.ini
c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
c:\WINDOWS\system32\c_726535.nls ..."

:mad:
 
Rogue activity spikes ...

FYI...

Rogue activity spikes ...
- https://blogs.technet.com/b/mmpc/ar...isn-t-a-form-of-flattery.aspx?Redirected=true
29 Jan 2012 - "... Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for -fake- antivirus software... Think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
(Screenshots available at the URL above.)

:fear::sad:
 
Rogue rash ...

FYI...

Rogue rash ...
- https://blogs.technet.com/b/mmpc/archive/2012/03/01/a-rogue-by-any-other-name.aspx?Redirected=true
1 Mar 2012 - "Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”... Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work... In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality... These kinds of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed..."
(Screenshots available at the URL above.)

:mad: :fear:
 
Mass injection wave of WordPress sites - Rogue AV

FYI...

Mass injection wave of WordPress sites - Rogue AV ...
- http://community.websense.com/blogs.../03/05/mass-injection-of-wordpress-sites.aspx
5 Mar 2012 - "... Websense... has detected a new wave of mass-injections... The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. The injected code is very short and is placed at the bottom of the page, just before </body> tag... After a three-level -redirection- chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan... more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed*... while the attack is specific to the US, everyone is at risk when visiting these compromised pages..."
* http://community.websense.com/cfs-f...uritylabs/6082.14507_5F00_CUST_5F00_GeoIP.png

> http://community.websense.com/cfs-f...nts.WeblogFiles/securitylabs/8182.FakeAV3.png
___

- http://community.websense.com/blogs...-latest-wordpress-version-am-i-protected.aspx
13 Mar 2012 - "... We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment*...
* http://community.websense.com/cfs-f...itylabs/2844.WordPress_5F00_ditribution1s.png
... WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites** are also affected, with all other content managers making up a tinier slice...
** http://community.websense.com/cfs-f...itylabs/3404.WordPress_5F00_ditribution2s.png
... having the latest version of WordPress does not make you immune to this threat...
> http://community.websense.com/cfs-f...itylabs/1263.WordPress_5F00_ditribution3s.png
... some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:
• Weak passwords / stolen credentials
• Vulnerable third-party modules used in WordPress
• Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)..."

:mad::mad:
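The Websense write-up says the injected code is short, sits just before the </body> tag, and starts a redirection chain on a ".rr.nu" host. The following is an added example (not code from Websense or from this thread) of how a site owner could scan saved HTML pages for that placement; the sample page, the site host name, the tail-window size and the allowlist parameter are all assumptions made for the example.

```python
"""Scan saved HTML pages for an off-site <script src=...> injected just before
</body>, the placement described for the March 2012 WordPress mass-injection wave.
Added example; the sample page below is constructed, not a real capture."""
import re
from urllib.parse import urlparse

# Assumption: a tag within this many bytes of </body> counts as "at the bottom".
TAIL_WINDOW = 512
# Suffix the write-up reports as the first hop of the redirection chain.
KNOWN_BAD_SUFFIXES = (".rr.nu",)

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
BODY_CLOSE = re.compile(r"</body\s*>", re.I)


def script_host(src):
    """Return the host of a script src, or None for relative references."""
    if src.startswith("//"):
        src = "http:" + src
    return urlparse(src).hostname


def find_injected_scripts(html, site_host, allowed_hosts=()):
    """Return a list of (src, reason) for scripts that look injected.

    A script is reported when its host ends in a known-bad suffix, or when it
    loads from a host other than the site's own (and not in allowed_hosts) and
    its tag sits in the tail window just before </body>.
    """
    body = BODY_CLOSE.search(html)
    body_off = body.start() if body else len(html)
    findings = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        host = script_host(src)
        if host is None or host == site_host or host in allowed_hosts:
            continue  # same-origin, relative or allowlisted: not what this wave injects
        near_bottom = m.start() < body_off and body_off - m.start() <= TAIL_WINDOW
        if host.endswith(KNOWN_BAD_SUFFIXES):
            findings.append((src, "host matches known redirection-chain suffix"))
        elif near_bottom:
            findings.append((src, "off-site script placed just before </body>"))
    return findings


# Constructed sample: a WordPress-like page with a CDN script in <head>, a
# relative script, enough post text to push <head> out of the tail window, and
# a short off-site script appended right before </body>.
SAMPLE_PAGE = (
    "<html><head><title>Blog</title>\n"
    + '<script src="https://cdn.example-site.com/jquery.js"></script>\n'
    + '<script src="/wp-includes/js/common.js"></script>\n'
    + "</head><body>\n"
    + "<p>" + "post text " * 80 + "</p>\n"
    + '<script src="http://sub.example.rr.nu/x.js"></script>\n'
    + "</body></html>"
)

if __name__ == "__main__":
    for src, reason in find_injected_scripts(SAMPLE_PAGE, "www.example-site.com"):
        print(f"{src}: {reason}")
```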
 
Rogue AV tweaked every 12 to 24 hours to avoid detection ...

FYI...

Rogue AV tweaked every 12 to 24 hours to avoid detection
- http://www.gfi.com/blog/vipre®-report-for-february-2012-rogue-av-remains-a-popular-threat-tactic/
Mar 13, 2012 - "... the trend that criminals behind bogus AV software are now distributing via spam that has links to sites where users can be further infected with the Blackhole exploit..."
- http://www.gfi.com/page/117487/gfi-...us-programs-plaguing-businesses-and-consumers
Mar 09, 2012 - "... Rogue AV programs are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours... Trojans once again dominated the list, taking -half- of the top 10 spots..."
Top 10 Threat Detections for February
- http://www.gfi.com/content/cmsimages/top10detections-21084.png

:fear::mad:
 
Flash-based Fake AV - drive-by exploits and SPAM

FYI...

Flash-based Fake AV - drive-by exploits and SPAM
- http://www.symantec.com/connect/blogs/flash-based-fake-antivirus-software-windows-risk-minimizer
23 Mar 2012 - "... relatively new fake antivirus application called Windows Risk Minimizer. The -fake- antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then -redirected- users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours. When opening the fake antivirus site, the user is greeted with a JavaScript alert message, whereby the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that your machine is infected... The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names). Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected... To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up-to-date with all security patches..."
(Screenshots available at the URL above.)

:mad:
 
Fake AV scareware attempts to extort Torrent users

FYI...

New Fake AV scareware attempts to extort Torrent users
- http://www.theregister.co.uk/2012/04/13/scareware_ransonware_hyrbrid/
13 April 2012 - "Security researchers have discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers* into paying for worthless software. SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other scareware packages. But this particular strain of malware goes further than this by stopping Process Explorer (procexp.exe) and preventing browsers from loading – tactics designed to force marks to complete the ‘input credit card details’ screen and hand over money for the scamware... the malware also performs a fake scan that classifies Windows Registry Editor as a porn tool. Bruce Harrison, VP Research at Malwarebytes, said: "SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is a something that the industry is going to have to take into account and protect against, as it is an emerging trend."
* http://regmedia.co.uk/2012/04/12/torrent_alert_scareware.jpg

:mad:
 
Ransomware police trojan - now targets USA and Canada ...

FYI...

Ransomware police trojan - now targets USA and Canada ...
- http://blog.trendmicro.com/police-trojan-crosses-the-atlantic-now-targets-usa-and-canada/
May 9, 2012 - "The Police Trojan* has been targeting European users for about a year... the latest incarnations of this obnoxious malware have started targeting the United States and Canada. In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that -spoofs- the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time in adding plenty of logos of local supermarkets and chain stores where the cash vouchers are available...
> http://blog.trendmicro.com/wp-content/uploads/2012/05/police_trojan_screenshot.jpg
... the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks..."
* http://blog.trendmicro.com/trojan-on-the-loose-an-in-depth-analysis-of-police-trojan/
"... plagued by so called Police Trojans that lock their computer completely until they pay a fine of 100 euros..."

:fear: :mad:
 
More extortion thru Ransomware

FYI...

More extortion thru Ransomware
- http://www.ic3.gov/media/2012/120530.aspx
May 30, 2012 - "... new Citadel malware platform used to deliver ransomware, named Reveton*. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares the user's IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content. To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. Below is a screenshot of the warning:
> http://www.ic3.gov/images/120530.png
... This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar do -not- follow payment instructions..."

Reveton removal instructions:
* https://www.f-secure.com/v-descs/trojan_w32_reveton.shtml

:mad:
 
Fake AV malware campaign - 2012-06-19

FYI...

Fake AV malware campaign - 2012-06-19
- https://isc.sans.edu/diary.html?storyid=13501
Last Updated: 2012-06-19 10:26:16 UTC - "... 'vulnerabilityqueerprocessbrittleness . in' is currently one of 600+ domains that link to a quite prevalent "Fake Anti-virus" malware campaign. Currently, the domains associated with this scam all point to web servers hosted in the 204.152.214.x address range, but of course the threat keeps "moving around" as usual... The current set of threats involves frequently changing malware EXEs (or EXEs inside of ZIPs) with low coverage on virustotal. The download URLs usually follow the pattern of http ://bad-domain. in/16 character random hex string/setup.exe or /setup.zip .
Example: http ://fail-safetytestingcontrol. in/fc1a9d5408b7e17d/setup.exe ..."

:mad:
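The ISC diary gives two concrete things a defender can match on: the download-URL shape (a .in domain, a 16-character hex directory, then setup.exe or setup.zip) and the 204.152.214.x hosting range. Below is an added example (not from the diary or from this thread) that applies both rules to Squid-style proxy log lines; the log lines, client addresses and the non-campaign domains are constructed for the example, and the field layout is an assumption.

```python
"""Flag proxy-log requests matching the download-URL pattern from the ISC diary:
http://<domain>.in/<16 hex chars>/setup.exe (or setup.zip), and any request
answered from the 204.152.214.0/24 range. Added example; log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

HOSTING_RANGE = ipaddress.ip_network("204.152.214.0/24")
# Directory of exactly 16 hex characters followed by setup.exe or setup.zip.
FAKEAV_PATH = re.compile(r"^/[0-9a-f]{16}/setup\.(exe|zip)$", re.I)


def classify_request(url, dest_ip=None):
    """Return the reasons a request looks like this campaign; empty list if none."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host.endswith(".in") and FAKEAV_PATH.match(parsed.path):
        reasons.append("url matches .in/<16-hex>/setup.(exe|zip) pattern")
    if dest_ip:
        try:
            if ipaddress.ip_address(dest_ip) in HOSTING_RANGE:
                reasons.append("destination in 204.152.214.0/24")
        except ValueError:
            pass  # unparsable address field: ignore the IP rule for this line
    return reasons


# Constructed Squid-style access.log lines (assumed layout):
# time elapsed client code/status bytes method url user hierarchy/dest_ip type
SAMPLE_LOG = """\
1340100000.123 250 10.0.0.5 TCP_MISS/200 81234 GET http://fail-safetytestingcontrol.in/fc1a9d5408b7e17d/setup.exe - DIRECT/204.152.214.17 application/octet-stream
1340100001.456 120 10.0.0.7 TCP_MISS/200 5123 GET http://www.example.com/downloads/setup.exe - DIRECT/93.184.216.34 application/octet-stream
1340100002.789 300 10.0.0.5 TCP_MISS/200 60000 GET http://constructed-sample-domain.in/0123456789abcdef/setup.zip - DIRECT/198.51.100.9 application/zip
1340100003.001 90 10.0.0.9 TCP_MISS/200 2048 GET http://constructed-legit.in/index.html - DIRECT/204.152.214.40 text/html
"""


def scan_log(text):
    """Parse each line and return (client_ip, url, reasons) for flagged requests."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed or truncated line
        client, url, hier = fields[2], fields[6], fields[8]
        dest_ip = hier.split("/", 1)[1] if "/" in hier else None
        reasons = classify_request(url, dest_ip)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The fourth sample line is flagged on the hosting range alone, which is the check that keeps working when the campaign rotates domains but not servers.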
 
Ransomware-as-a-Service spotted in the wild

FYI...

Ransomware-as-a-Service spotted in the wild
- http://blog.webroot.com/2012/09/20/managed-ransomware-as-a-service-spotted-in-the-wild/
Sep 20, 2012 - "... recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users...
Sample underground forum advertisement of the managed DIY Police Ransomware service:
> https://webrootblog.files.wordpress.com/2012/09/ransomware_as_a_service_managed.png
According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria...
Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog.files.wordpress.com/2012/09/ransomware_as_a_service_managed_01.png
... thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.
Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog.files.wordpress.com/2012/09/ransomware_as_a_service_managed_02.png
The managed service relies primarily on the Ukash voucher-based payment system*, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers..."
* http://en.wikipedia.org/wiki/Ukash
___

- http://atlas.arbor.net/briefs/index#-685203363
Severity: Elevated Severity
Sep 21, 2012
Ransomware, which can be quite destructive, is being sold as a service in the underground economy.
Analysis: Ransomware can sometimes be cleaned from a system, however if it is done properly by the criminals, victims of the infection will need to rely on backups to recover from having their files encrypted...

:mad: :mad:
 
"Scareware" Marketer FTC Case Results in $163 Million Judgment ...

FYI...

"Scareware" Marketer FTC Case Results in $163 Million Judgment ...
- http://www.ftc.gov/opa/2012/10/winfixer.shtm
10/02/2012 - "At the Federal Trade Commission’s request, a federal court imposed a judgment of more than $163 million on the final defendant in the FTC’s case against an operation that used computer “scareware” to trick consumers into thinking their computers were infected with malicious software, and then sold them software to “fix” their non-existent problem. The court order also permanently prohibits the defendant, Kristy Ross, from selling computer security software and any other software that interferes with consumers’ computer use, and from any form of deceptive marketing.
In 2008, as part of the FTC’s efforts to protect consumers from spyware and malware, the FTC charged Ross and six other defendants with conning more than one million consumers into buying software to remove malware supposedly detected by computer scans. The FTC charged that the operation used elaborate and technologically sophisticated Internet advertisements placed with advertising networks and many popular commercial websites. These ads displayed to consumers a “system scan” that invariably detected a host of malicious or otherwise dangerous files and programs on consumers’ computers. The bogus “scans” would then urge consumers to buy the defendants’ software for $40 to $60 to clean off the malware.
The U.S. District Court for the District of Maryland subsequently ordered a halt to the massive scheme, pending litigation. Under a settlement announced in 2011, defendant Marc D’Souza and his father, Maurice D’Souza, were ordered to give up $8.2 million in ill-gotten gains. Two other defendants previously settled the charges against them; the FTC obtained default judgments against three other defendants..."
* http://www.ftc.gov/os/caselist/0723137/121002winfixeropinion.pdf

:fear:
 
Rogue AV for Windows 8

FYI...

Rogue AV for Windows 8
- http://blog.trendmicro.com/trendlabs-security-intelligence/theyre-here-threats-leveraging-windows-8/
31 Oct 2012 - "... cybercriminals are grabbing this chance to distribute threats leveraging Windows 8 and raise terror among users – just in time for Halloween. We were alerted to two threats that leverage the release of this new OS. The first one is a typical FAKEAV. Detected as TROJ_FAKEAV.EHM, this malware may be encountered when users visit malicious sites...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/FAKEAV_scanningresult.jpg
... the malware displays a fake scanning result to intimidate users to purchase the fake antivirus program – just like your run-of-the-mill FAKEAV variant. What is different with this malware, however, is that it is packaged as a security program made for Windows 8.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/FAKEAV_Windows8.jpg
The other threat is a phishing email that entices users to visit a website where they can download Windows 8 for free. Instead of a free OS, they are led to a phishing site that asks for personally identifiable information (PII) like email address, password, name that can be peddled in the underground market or used for other cybercriminal activities.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/phishingemail_Windows8.jpg
It is typical for cybercriminals to piggyback on the highly-anticipated release of any latest technology to take their malware, spam, malicious app to new heights... To stay safe, users must keep their cool and think twice before clicking links or visiting webpages, especially those that promise the latest items or programs for free. If it’s too good to be true – it probably is..."

:mad:
 
Win 8 not immune to Ransomware

FYI...

Win 8 not immune to Ransomware
- http://www.symantec.com/connect/blogs/windows-8-not-immune-ransomware
Updated: 13 Nov 2012 - "... Symantec ran several prevalent ransomware samples currently found in the wild in a default Windows 8 environment. While some samples ran poorly on Windows 8, it did not take long to find a ransomware variant (Trojan.Ransomlock.U*) that successfully locked a Windows 8 system, effectively holding it to ransom.
Figure. Ransomware-locked Windows 8 system
> https://www.symantec.com/connect/sites/default/files/images/imageW1-blog.jpg
The Trojan.Ransomlock.U* variant uses the geolocation of the compromised system to serve localized ransomware screens in the appropriate language. While the ransomware running on Windows 8 correctly identified our location, the cybercriminals in this case must not have realized that English is the main language spoken in Ireland (less than 15 percent of the population is actually able to read Irish language). Their ingenuity in this case has lowered the chance of the ransom attempt being successful. As more users adopt Windows 8, Symantec expects to see more malware targeting this new environment...
> http://www.symantec.com/content/en/...e/whitepapers/ransomware-a-growing-menace.pdf
PDF Pg.4 - "... Fake police ransomware can be installed on a computer in a few ways but the most common to date has been through Web exploits and drive-by downloads. Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without their knowledge when that user browses to a compromised website. The download occurs in the background and is invisible to the user. In a typical drive-by download, the user browses to a website... The attacker has inserted a hidden iFrame — a special redirect — into this website. This redirection causes the user’s browser to actually connect to a second website containing an exploit pack. Exploit packs contain multiple different exploits, which, if the computer is not fully patched, causes the browser to download a file (the malware)..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2012-100315-1353-99

:mad:
 
Police Ransomware bears Fake Digital Signature

FYI...

Police Ransomware bears Fake Digital Signature
- http://blog.trendmicro.com/trendlab...lice-ransomware-bears-fake-digital-signature/
Nov 22, 2012 - "... We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR... the digital signature’s name and its issuing provider are very suspicious... the fake signature’s sole purpose is likely to elude digisig checks. Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability... Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet. Based on our analysis, the two samples we found impersonate two different law enforcement agencies. The first sample mimics the FBI...
> http://blog.trendmicro.com/trendlab.../files/2012/11/fake_fbiwarning_ransomware.gif
... while the second one displays a warning message purportedly from the UK’s Police Central e-Crime Unit.
> http://blog.trendmicro.com/trendlab...files/2012/11/fake_pceuwarning_ransomware.gif
First seen in Russia in 2005, ransomware has since spread to other European countries and eventually, to the United States and Canada. These variants are known to extort money by taking control of systems and taunting users to pay for a fee (or “ransom”) thru selected payment methods. The most recent wave of these variants were found capable of tracking victims’ geographic locations. This tracking enables the attackers to craft variants that impersonate the victim’s local police/law enforcement agencies while holding their entire systems captive. Software vendors include digital signatures as a way for users to verify software/program legitimacy. But cybercriminals may incorporate expired or fake digital sigs or certificates into the malware to hoodwink users into executing it. Just last October, Adobe warned users of malicious utilities carrying Adobe-issued certificates. Certain targeted attacks like the notorious FLAME were also found to use malicious file components bearing certificates issued by Microsoft..."
___

- https://www.net-security.org/malware_news.php?id=2331
23.11.2012

:mad:
 
Rogue Ads, Rogue YM badness ...

FYI...

Finnish website attack via Rogue Ad
- http://www.f-secure.com/weblog/archives/00002468.html
Dec 5, 2012 - "... every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory... An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period... all of that malware traffic was pushed by a -single- ad from a third-party advertiser's network. Just one ad... What was blocked? — Rogue Antivirus. As in fake security software...
> http://www.f-secure.com/weblog/archives/Dec1_Rogue_Scan.png
These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials, they want payment up front... That's generally a good sign there's something amiss."

Rogue Yahoo! Messenger ...
- http://blog.trendmicro.com/trendlab...ahoo-messenger-cashes-in-on-latest-ym-update/
Dec 5, 2012 - "On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform*, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger... I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/yahoo_messenger_fake.gif
However, when I checked its file properties, I found that it is actually an AutoIt compiled file.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/fake_YM_property.gif
Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to checking the user’s existing Internet browser(s). Once a browser is found, it connects to the websites http://{BLOCKED}y/2JiIW and http://http://31c3f4bd.{BLOCKED}cks.com, as seen below:
> http://blog.trendmicro.com/trendlab...e/files/2012/12/payper_click_sites_fakeym.gif
... this threat doesn’t stop there... these sites further redirect users to other webpages. Some of these pages even result in several, almost endless redirections. From the looks of it, this scheme looks like classic click fraud. By connecting to these sites, which are pay-per-click sites, the malware generates a “visit” that translates into profit for the site owners and/or the malware author... the people behind this threat are attempting to piggyback on Yahoo!’s recent announcement to reach out to as many users as possible. Unfortunately, this social engineering tactic has been proven effective, such as in the case of fake keygen applications for Windows 8 and malicious versions of Bad Piggies. To stay safe from these threats, users must be cautious when visiting sites or downloading files from the Internet. For better protection, users should bookmark trusted sites and refrain from visiting unknown pages. Cybercriminals and other bad guys on the Internet are good at crafting their schemes to make them more appealing to ordinary users... it pays to know more about social engineering tactics and what makes them work..."
* http://www.ymessengerblog.com/blog/2012/11/30/updates-to-yahoo-messenger-features

:mad::mad:
 
Ransomware speaks ...

FYI...

Ransomware speaks...
- http://blog.trendmicro.com/trendlabs-security-intelligence/latest-on-police-ransomware-it-speaks/
Dec 10, 2012 - "... we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM*, it locks the infected system but instead of just showing a message, it now urges users to pay verbally. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/LockNew.jpg
... ransomware has now leaped to other European countries, the United States and Canada. Because of the payment method ransomware employs, specifically electronic cash like Ukash, PaySafeCard and MoneyPak, the people behind this threat generate profit from it but with the benefit of having a faint money trail. Because of this, the gangs profiting from this malware can hide their tracks easily..."
* http://about-threats.trendmicro.com/us/malware/TROJ_REVETON.HM

:mad:
 
Rogue v ransomware - Fear and deception

FYI...

Rogue v ransomware - Fear and deception
- https://blogs.technet.com/b/mmpc/ar...ption-rogue-v-ransomware.aspx?Redirected=true
9 Jan 2013 - "... Rogues are a prime example of malware that uses fear appeals to force your hand. A common scenario you might face when encountering a rogue on your computer follows:
• You see a scanning interface on your screen, pretending to scan the file system (the scanning interface may appear while browsing the Internet or could be inadvertently downloaded).
• Upon completion of the scan, a large number of infections are reportedly found on your computer.
> https://www.microsoft.com/security/portal/blog-images/roguevran/1.jpg
• A barrage of warnings related to these supposed infections is intermittently displayed to you in the form of dialog boxes and alerts popping up on your desktop or coming from your taskbar.
• Attempts to launch applications are thwarted by the rogue which blocks the applications from being launched and displays an alert, warning that the application is also infected.
• System security and firewall applications are usually targeted by the rogue as it attempts to terminate their processes, services and/or modify their registry entries, making it extremely difficult to remove the rogue from the computer.
... there is a point to all of these invasive and fear mongering tactics deployed by rogues, which is ultimately to force you to pay a fee using your credit card in order to "activate" the supposed security scanner and remove the reported infections. Rogue:Win32/Winwebsec, a rogue still in circulation and being actively updated by its creators, is an example of a rogue that contains all of these functionalities. Win32/Winwebsec, along with Win32/FakeRean, are two rogues that are still actively out in the wild, but on the whole, we have seen a steady decrease in the number of rogues in circulation in 2012.
> https://www.microsoft.com/security/portal/blog-images/roguevran/2.jpg
... numbers broken down by family for most of 2012:
> https://www.microsoft.com/security/portal/blog-images/roguevran/3.jpg
... rogues aren’t the only badware in town using fear appeals. In the last year, we’ve seen the rise of a new threat whose success also relies on persuading affected users to act on the receipt of a deceptive message in order to avoid an unpleasant consequence. This new(ish) badware goes by the unfortunate name of ransomware... You can find detailed information on ransomware here*..."
* http://www.microsoft.com/security/portal/shared/ransomware.aspx

:mad::mad::fear:
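The bullet list in the Microsoft post above reads like a detection checklist: a process that runs from a temporary directory, sets itself to auto-start, blocks other applications from launching, and tries to kill security processes or services. The following is an added example, not code from the Microsoft post or the forum poster. It scores constructed endpoint telemetry (a hypothetical key=value line format, not a real Sysmon or EDR schema) per process against those behaviours and flags the ones that cross a threshold. The security process and service names in the lists are the Windows Defender ones (MsMpEng.exe, WinDefend) plus the Windows Firewall service (MpsSvc); an analyst would extend them with the names of whatever product is deployed.

```python
import re
from collections import defaultdict

# Constructed telemetry lines (hypothetical format and values, for the example only).
# pid 4120 behaves like the rogue described in the post; pid 5002 is a benign editor.
SAMPLE_EVENTS = "\n".join([
    r"ts=2013-01-09T10:00:01 pid=4120 image=C:\Users\bob\AppData\Local\Temp\scan.exe event=ProcessCreate",
    r"ts=2013-01-09T10:00:02 pid=4120 image=C:\Users\bob\AppData\Local\Temp\scan.exe event=RegistrySet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"ts=2013-01-09T10:00:05 pid=4120 image=C:\Users\bob\AppData\Local\Temp\scan.exe event=ProcessTerminate target=MsMpEng.exe",
    r"ts=2013-01-09T10:00:07 pid=4120 image=C:\Users\bob\AppData\Local\Temp\scan.exe event=ProcessBlock target=notepad.exe",
    r"ts=2013-01-09T10:00:09 pid=4120 image=C:\Users\bob\AppData\Local\Temp\scan.exe event=ProcessBlock target=firefox.exe",
    r"ts=2013-01-09T10:00:11 pid=4120 image=C:\Users\bob\AppData\Local\Temp\scan.exe event=ServiceStop target=WinDefend",
    r"ts=2013-01-09T10:01:00 pid=5002 image=C:\Program Files\Editor\editor.exe event=ProcessCreate",
    r"ts=2013-01-09T10:01:03 pid=5002 image=C:\Program Files\Editor\editor.exe event=RegistrySet key=HKCU\Software\Editor\Settings",
])

# Process and service names the rogue is likely to attack (extend for your AV product).
SECURITY_PROCESSES = {"msmpeng.exe"}
SECURITY_SERVICES = {"windefend", "mpssvc"}

# Match key=value pairs; the lookahead lets values (such as paths) contain spaces.
_PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one telemetry line into a dict; return None if it has no pid."""
    fields = dict(_PAIR_RE.findall(line.strip()))
    return fields if "pid" in fields else None


def score_events(log_text):
    """Return {pid: (score, [reasons])} for every process seen in the log."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    pids = set()
    temp_noted = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        pid = ev["pid"]
        pids.add(pid)
        kind = ev.get("event", "")
        target = ev.get("target", "").lower()
        # Location is noted once per process, not once per event.
        if pid not in temp_noted and "\\appdata\\local\\temp\\" in ev.get("image", "").lower():
            temp_noted.add(pid)
            scores[pid] += 1
            reasons[pid].append("runs from the user's Temp directory")
        if kind == "ProcessTerminate" and target in SECURITY_PROCESSES:
            scores[pid] += 3
            reasons[pid].append(f"tried to terminate security process {target}")
        elif kind == "ServiceStop" and target in SECURITY_SERVICES:
            scores[pid] += 3
            reasons[pid].append(f"tried to stop security service {target}")
        elif kind == "RegistrySet" and ev.get("key", "").lower().endswith("\\run"):
            scores[pid] += 2
            reasons[pid].append("registered an autostart Run entry")
        elif kind == "ProcessBlock":
            scores[pid] += 1
            reasons[pid].append(f"blocked launch of {target}")
    return {pid: (scores[pid], reasons[pid]) for pid in pids}


def flag_rogues(log_text, threshold=5):
    """Pids whose behaviour score reaches the threshold, sorted for stable output."""
    return sorted(pid for pid, (score, _) in score_events(log_text).items() if score >= threshold)


if __name__ == "__main__":
    for pid, (score, why) in sorted(score_events(SAMPLE_EVENTS).items()):
        print(pid, score, "; ".join(why))
    print("flagged:", flag_rogues(SAMPLE_EVENTS))
```

A single registry write or a single blocked launch is noise on a normal workstation; the point of weighting is that the rogue shows all of these behaviours together from one process within a few seconds, which no legitimate scanner does.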
 
Ransomware - fear and deception (part 2)

FYI...

Ransomware - fear and deception (part 2)
- https://blogs.technet.com/b/mmpc/ar...ogue-v-ransomware-part-2.aspx?Redirected=true
15 Jan 2013 - "Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency accusing you of committing some form of crime. Commonly, these messages accuse the receiver of crimes associated with copyright violations (for example, downloading pirated software or other digital intellectual property) and/or the possession of illicit pornographic material. And if this threat isn’t enough, it backs the message up by rendering the system unusable, presumably until the fine is paid...
> https://www.microsoft.com/security/portal/blog-images/roguevran/4.jpg
... they are on the increase.
> https://www.microsoft.com/security/portal/blog-images/roguevran/5.jpg
We’ve also seen an increasing number of different types of malware that use this tactic. What started as a fairly small number of families has blossomed during 2012 into an increasingly diverse group (although I will mention that this data has been affected by our increasing focus on this type of malware and our ability to identify them correctly). Reveton and Weelsof, for example, are families that have caused considerable pain to the user.
> https://www.microsoft.com/security/portal/blog-images/roguevran/6.jpg
... while rogues still account for a lion’s share of total malware in comparison to ransomware, rogues are trending down while ransomware is on the up:
> https://www.microsoft.com/security/portal/blog-images/roguevran/7.jpg
... some more recent rogues have started using similar tactics to ransomware. One FakeRean variant that calls itself Privacy Protection displays fake scan results that imply child pornography has been found on the affected computer.
> https://www.microsoft.com/security/portal/blog-images/roguevran/8.jpg
... Legitimate security companies won’t try to scare you into using their scanners and law enforcement agencies aren’t going to pop up a message and scare you into paying a fine. If a message tries to frighten you, think very carefully about what it’s asking you to do, and more importantly, if it’s an unreasonable request (such as sending money), don’t do it."

:mad: :fear:
 