Rogue AV/AS prolific

MacDefender variant changes tactics ...

FYI...

MacDefender variant changes tactics...
- http://isc.sans.edu/diary.html?storyid=10927
Last Updated: 2011-05-26 08:11:01 UTC - "MacDefender... has upped the ante with a new version according to Intego* that does not need to ask the user's password any longer... it's not using an exploit to avoid asking the right to write in the /Applications directory, it simply installs the software and activates it for the current use only. Since most macs are using only a single user that changes little for the malware. But it removes the pop-up for your password. Anybody in the admin group can write to the /Applications directory..."
* http://www.intego.com/news/new-mac-defender-variant-macguard.asp
May 25, 2011 - "... effective SEO poisoning has led many Mac users to this type of malware, and no administrator password is required to install this new variant..."

:fear: :mad: :fear:
 
Fake Firefox SCAM leads to scareware ...

FYI...

Fake Firefox SCAM leads to scareware...
- http://nakedsecurity.sophos.com/2011/05/30/fake-firefox-warnings-lead-to-scareware/
May 30, 2011 - "... latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser... Internet Explorer users get the standard "My Computer" dialog that appears to do a system scan inside their browser window... We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices. If you click the "Start Protection" button you will download the latest, greatest fake anti-virus program..."
(Screenshots available at the Sophos URL above.)

:mad:
 
FakeRean - turns hard-core ...

FYI...

FakeRean - turns hard-core ...
- http://sunbeltblog.blogspot.com/2011/06/fakerean-comes-of-age-turns-hard-core.html
June 06, 2011 - "FakeRean was initially discovered by Microsoft* a couple of years ago. Like all rogue AV families, it displays fake scanning results to users in an effort to dupe them into coughing up cash in order to register the software and clean their systems supposedly. This family also alters the infected system's registry quite extensively and drops lots of component and shortcut files, among other things. What sets FakeRean apart from the usual rogues is its ability to hijack a file association for executable (.EXE) files, which allows it to reappear every time an application is run... page is found on SourceForge.net, a prominent repository of open-source software, as a profile page... get a free but malicious software to download and run on your systems once you click -any- of the buttons there. This software is a PDF exploit that, once installed, drops and also installs FakeRean. We detect the exploit as Exploit.PDF-JS.Gen... This SourceForge profile URL, and some 100+ other varying Web page URLs, is contained on imonline(dot)nl(slash)ukabefijac... All URLs are -redirect- via seoholding(dot)com... Be extra careful, if not steer clear all together, when visiting online profiles hosted on any site that -looks- suspicious."
(Screenshots available at the sunbeltblog URL above.)
* http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/FakeRean

:mad:
 
Malware campaign injects Java exploit code

FYI...

Malware campaign injects Java exploit code
- http://community.websense.com/blogs...es-direct-injection-of-java-exploit-code.aspx
20 Jun 2011 - "... detected a Rogue AV campaign that directly attacks the user's system instead of first redirecting to a dedicated attack server. Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages... attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment versions 6 Update 23 and earlier. It was addressed by Oracle with Update 24 in February 2011. In internal tests, we could confirm that the malicious applet would load in all popular browsers with built-in Java support like IE, Firefox, and Opera... The payload in this case is the nowadays ubiquitous Rogue Antivirus. In case you haven't already done so, don't forget to update your Java version* as soon as possible."
(Screenshots available at the Websense URL above.)
* http://www.java.com/en/download/index.jsp

:mad:
 
DoJ indictments - scareware distribution

FYI...

DoJ indictments - scareware distribution...
- http://www.fbi.gov/news/pressrel/pr...ional-cybercrime-rings-distributing-scareware
June 22, 2011 - "... The first of the international criminal groups disrupted by Operation Trident Tribunal infected hundreds of thousands of computers with scareware and sold more than $72 million of the fake antivirus product over a period of three years. The scareware scheme used a variety of ruses to trick consumers into infecting their computers with the malicious scareware products, including web pages featuring fake computer scans. Once the scareware was downloaded, victims were notified that their computers were infected with a range of malicious software, such as viruses and Trojans and badgered into purchasing the fake antivirus software to resolve the non-existent problem at a cost of up to $129. An estimated 960,000 users were victimized by this scareware scheme, leading to $72 million in actual losses. Latvian authorities also executed seizure warrants for at least five bank accounts that were alleged to have been used to funnel profits to the scam’s leadership. A -second- international crime ring disrupted by Operation Trident Tribunal relied on online advertising to spread its scareware products, a tactic known as “malvertising.” An indictment unsealed today in U.S. District Court in Minneapolis charges the two operators of this scareware scheme with two counts of wire fraud, one count of conspiracy to commit wire fraud and computer fraud... avoid purchasing computer security products that use unsolicited “free computer scans” to sell their products. It is also important for users to protect their computers by maintaining an updated operating system and using legitimate, up-to-date antivirus software, which can detect and remove fraudulent scareware products..."

- http://www.theregister.co.uk/2011/06/23/fbi_scareware_arrests/
23 June 2011 - "... The Feds worked with police in Cyprus, Germany, Latvia, Ukraine, France, Romania, the Mounted Police in Canada and London's Met Police."

- http://www.theinquirer.net/inquirer/news/2081147/fbi-smacks-transatlantic-botnet
23 June 2011
___

- http://krebsonsecurity.com/2011/06/72m-scareware-ring-used-conficker-worm/
June 23, 2011 - "... The New York Times reported* that dozens of Web sites were knocked offline when FBI officials raided a data center in Reston, Va. and seized Web servers. Officials from an affected hosting company told the Times that they didn’t know the reason for the raid, but the story suggested it may have been related to an ongoing investigation into a string of brazen intrusions by the hacktivist group “Lulzsec.” Sources close to the investigation told KrebsOnSecurity that the raid was instead related to the scareware investigation*. The FBI’s statement confirms the SBU’s estimate of $72 million losses, estimating that the scam claimed at least 960,000 victims. Although the FBI made no mention of Conficker in any of its press materials, the Ukrainian SBU’s press release names and quotes Special Agent Norman Sanders from the FBI’s Seattle field office, broadly known in the security industry as the agency’s lead in the Conficker investigation..."
* http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

:fear: :mad: :spider:
 
Last edited:
You must log in or register to reply here.
Back
Top