
January 27 2012

14:00

Threat from 16bit executable

Malware writers have found a new way to keep their creations safe. Recently we found malware in the 16-bit NE file format; it runs smoothly on a modern 32/64-bit OS without being detected, even by HIPS.

 

Detections

As far as we know, the sample has been in public view for 4 days (since 2012.1.16), but only 4 AV vendors are detecting it as of now.

That is mostly because most automated systems don’t handle the NE file format, and HIPS systems, as well as cloud systems, ignore it.

So under the current situation, NE malware may exist for a longer period before antivirus software detects it, which makes it more threatening to end users.

 

Introduction for NE file format

NE (New Executable) evolved from the DOS MZ executable format and was the format for 16-bit Windows (Win3.x). It is certainly outdated by now.

Compared with the 32-bit PE format, it has the same ‘MZ’ header, but the signature after the DOS header is ‘NE’ instead of ‘PE’, and the string in the DOS stub is ‘This program requires Microsoft Windows’.

 

A 16-bit file can run on a 32/64-bit Windows OS with the help of NTVDM (the NT Virtual DOS Machine). A separate ntvdm.exe process is created when the file is executed, and the 16-bit code runs within the context of ntvdm.exe. That’s why most HIPS miss it.
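The header layout described above is easy to check programmatically. The following is an added example, not code from the original post: it reads the DOS header, follows e_lfanew to the secondary signature and reports whether the image is NE, PE or a plain DOS program, so a triage script does not silently treat an NE file as harmless just because the bytes at e_lfanew are not ‘PE’. The sample images are constructed here for testing.

```python
import struct

# Stub text the post quotes for NE files (shown when a 16-bit Windows program runs under plain DOS).
NE_STUB_TEXT = b"This program requires Microsoft Windows"


def classify_executable(data: bytes) -> dict:
    """Classify an MZ-based image by the signature its DOS header points to.

    The DOS header is 0x40 bytes. e_lfarlc (offset 0x18) >= 0x40 marks a
    'new-style' image and e_lfanew (offset 0x3C) gives the file offset of the
    secondary header. NE, PE and LE/LX all share this mechanism, so a scanner
    that only tests for 'PE' at e_lfanew would mistake an NE file for a DOS program.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"format": "not-mz", "header_offset": None, "windows_stub": False}
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The DOS stub program sits between the DOS header and the new header.
    stub = data[0x40:e_lfanew] if e_lfanew > 0x40 else b""
    has_stub_text = NE_STUB_TEXT in stub
    if e_lfarlc < 0x40 or e_lfanew == 0 or e_lfanew + 2 > len(data):
        return {"format": "mz-only", "header_offset": None, "windows_stub": has_stub_text}
    sig = bytes(data[e_lfanew:e_lfanew + 2])
    fmt = {b"NE": "NE", b"PE": "PE", b"LE": "LE/LX", b"LX": "LE/LX"}.get(sig, "unknown")
    return {"format": fmt, "header_offset": e_lfanew, "windows_stub": has_stub_text}


def build_sample(signature: bytes, stub_text: bytes = NE_STUB_TEXT) -> bytes:
    """Constructed minimal image: 0x40-byte DOS header, stub text, new header at 0x80."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<H", header, 0x18, 0x40)   # e_lfarlc: new-style header present
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew: offset of the NE/PE header
    stub = stub_text.ljust(0x40, b"\x00")        # stub padded so the new header lands at 0x80
    new_header = signature.ljust(0x40, b"\x00")  # signature followed by zeroed header fields
    return bytes(header + stub + new_header)


if __name__ == "__main__":
    for sig in (b"NE", b"PE\x00\x00"):
        print(sig[:2].decode(), classify_executable(build_sample(sig)))
    print("plain DOS", classify_executable(b"MZ" + bytes(0x3E)))
```

Anything reporting `"format": "NE"` together with `"windows_stub": True` deserves the same scrutiny a PE file would get; the post's point is that most pipelines stop looking once the ‘PE’ test fails.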

Malware behavior

Most of the malicious actions taken by the NE file are performed through the 16-bit API call ‘WinExec’, which runs the 32-bit cmd.exe and taskkill with arguments.

The malware also drops a 32-bit PE file and a .reg file.

Process creations:

We can see that the malware deletes all shortcuts on the desktop, in the Start menu and in Quick Launch. The .reg file created by the NE file contains:

Its main purpose is to modify the browser start page.

The dropped PE file is a simple MFC application that reads StartupDVR.ini and, after a time period, runs the file specified in the .ini.
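Because the 16-bit code never appears as a process of its own, the observable behaviour is ntvdm.exe spawning 32-bit tools. The following added example (not from the original post) runs that check over constructed process-creation events: it flags cmd.exe and taskkill.exe children of ntvdm.exe and, where the command line matches the shortcut deletion described above, says so. The events, pids and command lines are all made up for the example.

```python
import ntpath
import re

# Constructed process-creation events; fields mirror what endpoint telemetry typically records.
SAMPLE_EVENTS = [
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\ntvdm.exe", "cmdline": "ntvdm.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del /q "%USERPROFILE%\Desktop\*.lnk"'},
    {"pid": 412, "ppid": 400, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im exampleapp.exe"},
    # A cmd.exe started by explorer.exe: ordinary user activity, must not be flagged.
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# 32-bit tools the post says the NE sample launches via WinExec.
SUSPICIOUS_CHILDREN = {"cmd.exe", "taskkill.exe"}
# Shortcut wipe in the locations the post names (desktop, Start menu, Quick Launch).
SHORTCUT_WIPE = re.compile(r"(desktop|start menu|quick launch).*\.lnk", re.IGNORECASE)


def flag_ntvdm_children(events):
    """Return (child_pid, child_image, reason) for every suspicious child of ntvdm.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or ntpath.basename(parent["image"]).lower() != "ntvdm.exe":
            continue
        child = ntpath.basename(e["image"]).lower()
        if child in SUSPICIOUS_CHILDREN:
            reason = "ntvdm.exe spawned " + child
            if SHORTCUT_WIPE.search(e["cmdline"]):
                reason += " (shortcut deletion)"
            hits.append((e["pid"], child, reason))
    return hits


if __name__ == "__main__":
    for pid, child, reason in flag_ntvdm_children(SAMPLE_EVENTS):
        print(pid, child, reason)
```

The rule keys on the parent, not on the 16-bit binary, because ntvdm.exe is the only process the OS shows; in an environment where legacy 16-bit applications are not used, any ntvdm.exe child is worth a look.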

 

The malware writer didn’t forget the NE file format that anti-virus vendors thought was outdated. NE files could become a new trend in malware carriers, so we should be aware of it to protect end users.

07:00

Fake it till you make it: Mobile Update Week 4

Fake Android Markets

We have recently seen the spread of fake official Android markets and websites.

The fake Android markets usually contain many (if not all) malicious applications, which can target the victim in the two places where it hurts the most – namely, money and privacy.

Those are malicious versions of legitimate applications created by legitimate developers.

 

Below you can see an example of a fake official Android market (note the icon on the left, which is the same as the real Android Market found here: https://market.android.com/ ).

 

 

 

Fake ‘AVG Mobilation’ Anti-Virus

Below you can see a picture taken from another fake Android market (see the ‘Android Market’ text at the top), which contains what appears to be the legitimate AVG Anti-Virus Free, a popular Android anti-virus in the official Android Market.

 

 

The information on the seemingly legitimate Anti-Virus contains images, text, info and explanations copied from the official Android Market to convince the user that it is the real application and developer.

Here you can see the fake Anti-Virus with other fake popular applications:

 

 

One more thing to note – if you downloaded the fake Anti-Virus application, you would eventually get not a fake Anti-Virus application but another file with malicious activity, named ‘FakeInstaller’; this is not always the case for all fake Android markets, though.

 

Just to show the difference, the real AVG Anti-Virus Free application can be downloaded from the following link:

https://market.android.com/details?id=com.antivirus

 

It looks like the following in the official Android Market:

 

 

Technical Analysis of new variant of ‘Virus Scanner’, Fake Anti-Virus malware

 

This week, the AVG Mobilation research team found a new variant of the ‘Virus Scanner’ malware in the wild.

 

The malware can be downloaded from a Russian website carrying the ‘Opera Virus Scanner’ text:

 

 

Below you can see the manifest file of the variant:

 

 

In the permissions list you can see the SEND_SMS permission used to send the SMS to the premium service.

 

When the Trojan is installed, it has an ‘AntiVirus’ icon (the image has been blurred on purpose; the icon is designed to be confused with that of a legitimate Anti-Virus vendor):

 

When opened, it displays the following message on the device:

 

 

The user is asked whether he/she wants to see the ‘Rules’ or to ‘Continue’.

If the user presses ‘Continue’, the virus scanner will appear to launch with the following preferences:

- Turn on multi-level protection

- Turn on web site scanning.

- Turn on scanning for malicious applications.

- Turn on scanning for SMS and contacts.

- Turn on installation of application locker.

- Disable remote control of device

- Turn on Wi-Fi protection.

 

In reality, the malware will send up to 3 SMS messages to premium service numbers.

 

This is written in the ‘Rules’ section as can be seen below:

 

 

Below we can see hard-coded activation codes per country, so that the SMS mechanism keeps working no matter where the device is currently located:

 

 

And here is part of the SMS sending mechanism:

 

 

It is worth mentioning that these are the same methods we have seen on PCs.

The malware authors now targeting mobile devices are simply transferring their tools and methods to the mobile platforms.

 

 

 

Mitigation (Fake Android Markets)

Always browse to the official Android market and download your application from there.

The official Android market can be found here:

https://market.android.com/

 

How to remove
AVG Mobilation Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

 

How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.

In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.

 

January 20 2012

19:17

AVG Web threat weekly update: Week 3

1. Just in time for Tax Season

Starting today we began receiving emails from INTUIT sent from a bankofamerica.com email address (it’s spoofed). These emails notify the recipient of a problem between the IRS and Social Security and ask him to “use the following link” to review the information. The link leads to a Blackhole Exploit Kit that will exploit the user’s PC and install many pieces of malware.


 

Also in 2012 we continue to see fake BBB and NACHA emails luring users to visit websites that use the Blackhole Exploit Kit.

 

2. Zeus using high-profile organizations’ names. 

Last week we came across phishing emails that impersonated correspondence from the U. S. Computer Emergency Response Team (US-CERT) that tried to trick victims into opening an infected attachment. The claim was that the attachment was a report of a phishing incident that had been sent to the Anti-Phishing Working Group (APWG).


 

 

A similar spam run used the logo of Consolidated Edison. ConEdison provides power to the New York City region. It attempted to get victims to open an infected attachment (carrying the Zeus botnet malcode) that it claimed was a bill.


 

 

3. Facebook Scams

 

Facebook scams continue to circulate via spam email or via Facebook with improbable gift card offers. Clearly, if it seems too good to be true, it is: a FREE $500/$1,000 gift card or two free airline tickets? You would have to be very naive to fall for any of these. First they require victims to “like” them on Facebook (to spread the scam), then they take the victim down the endless rabbit hole of surveys and affiliate offers.


 

We found a load of Facebook scam sites being hosted on Amazon Web Services, with the images they used hosted on the popular image site Imgur (see below).


 

 

– AVG Threat Research Group

13:01

AVG Mobile Threat Update: Week 3

For 2012 our AVG Mobilation™ team will put together weekly reports on the latest threats to Android mobile devices. The reports are written by one of our in-house experts, Elad Shapira; a short bio on him will be up in the near future.

This week, the AVG Mobilation research team found a new variant of the ‘FakeInstaller’ malware, named ‘SMSFraudInstaller’, that is not in the wild yet.

‘SMSFraudInstaller’ is a Trojan horse for Android devices that sends SMS messages to premium service numbers.

This malware is spread mainly through Russian websites and forums and mainly targets Russian users.

 

Technical details about the new variant

Below you can see the manifest file of the variant:

 

 

 

 

In the permissions list you can see the SEND_SMS permission used to send the SMS to the premium service.
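Both this variant and the ‘Virus Scanner’ variant in the Week 4 post give themselves away in the manifest: an installer or a “virus scanner” asking for SEND_SMS. The following added example (not the posts’ own code) parses a manifest and maps each high-risk permission to the reason it matters, which is the check the “look at the permissions” advice at the end of the post boils down to. The manifest below is constructed for the example; the package name and label are placeholders, not the real sample’s.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that either cost money directly or expose personal data. The reasons
# are written for the reviewer of an app that claims to be an installer or a scanner.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send SMS to premium numbers (direct cost to the user)",
    "android.permission.RECEIVE_SMS": "can intercept incoming confirmation messages",
    "android.permission.READ_SMS": "can read stored messages",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
}

# Constructed manifest modelled on the posts' description (SEND_SMS requested); not the real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakescanner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Virus Scanner"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """All android:name values of <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def risky_permissions(manifest_xml: str) -> dict:
    """Map each requested high-risk permission to the reason a reviewer should care."""
    return {p: HIGH_RISK[p] for p in requested_permissions(manifest_xml) if p in HIGH_RISK}


if __name__ == "__main__":
    for perm, why in risky_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```

The same list is what the installer shows the user before the ‘Install’ button; the value of checking it against what the app claims to do is that a browser installer or a scanner has no legitimate need to send SMS at all.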

When the Trojan is installed, it will have the Opera icon:

 

When opened, it displays the following message on the device:

 

 

 

If the user presses ‘Next’ (the right button) on the screen above, the application sends an SMS to a premium service number.

The premium service number the SMS is sent to depends on the country where the SIM card is registered (more on the SMS fees later).

 

Below we can see the code that is responsible for sending the SMS:

 

 

Most users will press ‘Install’ at this point without knowing that the application will charge them, as they are not aware that this is disclosed behind the ‘Rules’ button.

Users who press the ‘Conditions’ button will see a very hard-to-read screen with a lot of text, which mentions the payment for sending up to 3 SMS messages:

 

 

If there’s no SIM within the device the application will display the following screen:

 

 

In the past we published detailed information about the way those Russian SMS installers work.

Information about ‘Android SMS Fake installer’ can be found in the following link:

http://www.droidsecurity.com/securitycenter/secuirtypost_20111110.html#tabs-2

 

The story behind the massive RUfraud malware instances

We have recently seen a burst of applications that send SMS messages from the targeted devices to premium numbers.

What all those applications have in common is their origin – the malware author’s website.

 

 

 

 

As you can see from the picture above, there are devices flying in the air, throwing golden coins onto a heap of golden coins.

The money taken from those devices belongs to the users of the targeted devices.

The malware author offers developers the chance to add his malicious payload to their apps and earn money from it.

The malware author splits the money between himself and the application author, leaving the application developer most of the money.

The malware author’s website contains a forum where the malware authors offer help services and give detailed explanations of how to use it.

Initially the malware author spread malware for Symbian-based phones, but as more and more users own Android-based phones, they are moving to target Android-based devices.

 

Analysis of the malware author’s java code file given to the developers who want to join

Below you can see code snippets taken from the jar file the malware author offers to developers – in this case the SMS sending mechanism:

 

 

And also:

 

 

 

Technical details about the spread mechanism of the malware – different devices

When the user browses to the page of the malicious application, the server hosting the app determines which operating system the user has – Symbian, Android etc. – and then offers the user the relevant file type of the malware, a separate file for each operating system detected.

 

Below you can see the ‘default’ behavior when identifying it’s a Symbian OS:

 

 

 

Below you can see the behavior when identifying it’s an Android OS:
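An analyst who suspects this kind of per-device delivery fetches the same URL under several User-Agent strings and compares what comes back. The following added example (not code from the post or from the malware author’s site) does the comparison step offline: it maps each User-Agent to a device family and reports whether the served file differs by family. The fetch results, filenames and bodies are constructed for the example.

```python
import hashlib

# Constructed results of fetching one download URL under different User-Agent strings:
# (user_agent, content_type, filename_from_headers, response_body).
SAMPLE_FETCHES = [
    ("Mozilla/5.0 (Linux; U; Android 2.3.6; en-us) AppleWebKit/533.1",
     "application/vnd.android.package-archive", "installer.apk", b"constructed-apk-bytes"),
    ("Mozilla/5.0 (SymbianOS/9.4; Series60/5.0) AppleWebKit/525",
     "application/vnd.symbian.install", "installer.sis", b"constructed-sis-bytes"),
    ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7",
     "text/html", "index.html", b"<html>constructed landing page</html>"),
]


def device_family(user_agent: str) -> str:
    """Coarse device family from a User-Agent string; only the families the post names."""
    ua = user_agent.lower()
    if "android" in ua:
        return "android"
    if "symbian" in ua or "series60" in ua:
        return "symbian"
    return "other"


def cloaking_report(fetches) -> dict:
    """Group served files by device family and say whether delivery depends on the User-Agent.

    The hash of the body is what matters: identical HTML for every family is normal,
    a different binary per family is the behaviour the post describes.
    """
    per_device = {}
    for ua, ctype, fname, body in fetches:
        digest = hashlib.sha256(body).hexdigest()[:16]
        per_device[device_family(ua)] = {"type": ctype, "file": fname, "sha256_16": digest}
    distinct = {v["sha256_16"] for v in per_device.values()}
    return {"per_device": per_device, "ua_dependent": len(distinct) > 1}


if __name__ == "__main__":
    report = cloaking_report(SAMPLE_FETCHES)
    for family, served in report["per_device"].items():
        print(f"{family:8} {served['type']:45} {served['file']}")
    print("User-Agent dependent delivery:", report["ua_dependent"])
```

In practice the fetches would be made from a sandboxed analysis box; the point of the report is that a page which looks like plain HTML from a desktop browser may hand an .apk or .sis to a phone.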

 

 

Technical details about the spread mechanism of the malware – different countries

We could see that the malware instances check in which country the device is operating and then send SMS messages to a premium service number local to that country.

For example, below is text taken from the user agreement (link marked with a red square) on a Russian website, giving details of the cost of each SMS in each country in which the malware operates:

 

 

That is why you always need to read and verify what you are downloading.

 

How to remove

AVG Mobilation Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

 

How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.

In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.

12:46

AVG Feedback Update: Week 3

1. iTunes store not accessible

A couple of AVG Family Safety™ users mentioned they cannot access the iTunes store. The situation was rectified after removing AVG Family Safety. Should you face a similar situation (with AVG Family Safety installed), please feel free to follow this procedure and post your feedback on the AVG Forums.

 

2. YouTube Safety Mode with AVG Family Safety

A few users reported that the YouTube Safety Mode is not working with AVG Family Safety. The Safety Mode is enabled all the time when AVG Family Safety Safe Surf feature is turned on. The issue has been passed to developers for investigation.

As a temporary work-around, we recommend disabling the Safe Surf feature temporarily and deleting browser cookies as described here.

 

3. Trojan horse SHeur4.MTZ

We received a few reports of Samsung driver software being detected as the above-mentioned Trojan horse. We can confirm the Trojan horse SHeur4.MTZ was a false alarm, already removed with the AVG virus database update released on 2012-01-08 11:02 GMT. Please accept our apology for any inconvenience caused by this incorrect detection.

Should you suspect a file is detected in error as malicious while it is in fact harmless, please do not hesitate sending the file to our virus specialists as described in this forum post.

 

4. AVG Mobilation™: SIM change notification

Several AVG Mobilation users reported they have received notifications about SIM card change recently even though the SIM card was not replaced. Our developers immediately disabled the SIM card change notification e-mails until the issue is investigated in details and rectified. We are sorry for the inconvenience.

 

5. AVG trial version installed instead of AVG Free Edition?

Please be informed that the AVG Free Edition online installer allows installation of either AVG Free Edition™ or the AVG Internet Security™ trial version (usage is limited to 30 days). Users sometimes install the AVG Internet Security trial version, which contains the full, comprehensive AVG protection feature set, and are surprised by the 30-day license limitations. After the trial period is over, you can easily downgrade to AVG Free Edition if you are ultimately not interested in the Internet Security package, which we still highly recommend.

When installing, user may choose the preferred package as seen on the following AVG installation wizard screen:

 

January 19 2012

12:52

Introducing the latest Community Award Winners

We at AVG pride ourselves on our Facebook community, which at nearly 400,000 members is one of the most active and helpful communities around. To recognize the people that are busy making the AVG community a great place to come and chat or get help for whatever you may need, we came up with our monthly Community Awards. We at AVG think it’s important that we reward people for their hard work, and introducing them is a start! So here is some info on the latest members to be thanked for all they do for our community.

Borislav Angelov

I work in IT Network and Computer Security and as a system security maintenance engineer.

AVG has always been my antivirus of choice. I started with the free version and later chose to upgrade to the paid version.

I joined the AVG Community because it is a democratic and free community where you can meet different people from different ethnic groups from around the world. It’s a place where you can seek help or lend a hand on any issue while making friends with people from around the world for life.
This is one of the most beautiful places on the web, congratulations to the entire community, thanks AVG.

 

Matthew ‘Simmy’ Simm

I am currently a student studying computing at city of Sunderland college. I learned about AVG back in the 7.0 days and ever since then, I have recommended it to both family and friends as a great tool for protecting both computers and identities online. I love the LinkScanner technology which has saved me so many times from phishing websites, as well as the identity alert tool which gives me added peace of mind when banking online. Overall I enjoy helping AVG customers and I am proud to be part of the community to bring “people powered protection” to life.

 

Saul Rojas

I found AVG on Youtube when I was watching a video review of their antivirus product. I have to say I was impressed with what I saw, so I thought I’d give it a try and have not looked back. I care about online security and I help my friends and family when I can. I would recommend AVG to anyone, as I have been using it for a long time now and have never had any issues.

 

Sharath Kulkarni

I’m a Mechanical Engineering student in my 1st year at Jain University, Bangalore, India.

I’m very interested in computer & mobile Apps and their development and have spent many hours playing with newly launched software and learning how they works.

 

I came to know about AVG from my brother Varun Parvitaker who is a 4 times award winner and an AVG VIP in AVG community on Facebook.
AVG is simply a superb antivirus, it is user friendly and it has many great features. If you have a little faith and switch to AVG, it will give you great results.

 

I also have AVG Internet Security which works superbly and includes AVG PC tune up at installation. These are great programs for keeping you safe when you are surfing online and help keep your computer running smoothly. I use PC TuneUp once a week at least.

 

Since joining, the AVG Facebook community has treated me as a part of its family. It has never let me down.

Good going AVG, keep rocking and blocking (the virus!).

 

January 17 2012

14:00

Introducing AVG VIP: Arsa First

We at AVG pride ourselves on our Facebook community, which at nearly 400,000 members is one of the most active and helpful communities around. To recognize the people that are busy making the AVG community a great place to come and chat or get help for whatever you may need, we came up with our monthly Community Awards. The members who are the most helpful and supportive we reward with special AVG VIP status. So without further ado, here is our latest AVG VIP, Arsa First.

“I work for the government in Indonesia and in my spare time I like to read everything about Information and Technology. I’m very practical and learn by doing. My motto is “Never give up, be BRAVE”, some might call me stubborn but it’s something I believe in.
I have tried Norton, Kaspersky, Panda, Trend Micro and Comodo but I wasn’t entirely happy. In fact, they all have an issue with minimum sensitive protection, high system resource usage, false alarms and have other features that I don’t use or like.
Then I tried AVG, I immediately found some previously undetected threats. The malware and the infected files were removed or moved to the virus vault and now my PC and laptop are absolutely free of viruses.

I’ve now been using AVG for about 4 years and have never had a problem.”
Thanks to AVG for protecting my PC and laptop for 4 years.

January 16 2012

16:05

Is this IT Security Breach “Stuff” really Happening?

The problem with the Internet is that it’s just “out there” in many people’s perception.

A large proportion of users don’t stop to think about the web server software that sits on data centres to drive cloud-based applications on their desktop or mobile device and, to a degree, why should they?

Everyone wants an Internet that “just works” and not everyone wants to know how its underlying mechanics operate.

The approach is fine until something goes wrong. When a virus works its way into your business and/or a phishing or social engineering scam preys on an unsuspecting employee, the reality of the web and IT security breaches start to kick in.

So is this IT security breach stuff really happening?

Yes it indeed is. AVG’s recent SMB Market Landscape Report found that one-in-six SMBs have experienced an IT security breach in some form. While this figure is marginally down against 2010, it still represents more than 1 million companies in the USA and UK who have suffered as the result of failing or insufficient IT security.

So as real as the threats are, the challenge for small to medium sized businesses remains the same. It’s a simple equation: big businesses have more scope than SMBs to spend money on dedicated resources focused on IT security across the board – but SMBs face the same risks that big businesses face, both in terms of the number of potential malware attacks and their severity.

If a breach does occur, a further imbalance comes to light. Both business models must devote an equally proportionate amount of time and money to rectifying the breach. But the cost of replacing damaged hardware and the cost of interrupted business will be felt much more acutely in the SMB, who will logically not have the size and scope to channel or balance resources from other departmental pools or silos.

It’s akin to being hit with a knock out punch full in the face rather than taking a glancing blow to the ribs.

Fortunately, as malware has evolved over the years so have resources dedicated to SMB-level IT security. Tools such as AVG Business Edition have been developed with an innate appreciation for the constraints of the small to medium sized businesses within which it is typically deployed.

AVG also understands that IT security should be based around more than just size. A company is made up of many elements, but its people, its technology and its operational structure often have the greatest impact upon what type of security risks it will most commonly expose itself to. We have a core competency in IT security; companies should not be fooled into taking their eye off their own central market proposition and USP (unique selling point). Stay in business and stay safe.

 

16:00

AVG Community Talks Passwords

We asked our AVG Facebook Community whether the device they are using affects the complexity and length of the passwords they use. We received a host of responses, some of which might just surprise you.

 

“Touchscreens like on my iPod make it harder to make a complex password work well. When I had to redo my router a while back I went ahead and changed the password code to secure it. It’s a pain to redo those passwords on my iPod or BlackBerry.”  Cynthia C.

 

“I always try to use different and complex passwords; I do not want to get hacked too easy :)”  Barry E.

 

“For me it really depends on the site/location. Facebook for example would have a longer password than an intranet login (DET for me). Simply because no one would bother hacking a small school-based intranet when there’s Facebook around.”  Jaiden C.

 

“Nope, I always use a password with at least 8 characters, of which at least 1 number and 1 capital letter.”  Masa H.

 

“I hate having to change my passwords numerous times. Length is not so much of a factor as constantly having to change.” Dennis G.

 

“I used to use simple passwords on my phones and long difficult one on my pc’s but these days with the advent of full integration of smart devices I am tending towards the same types of passwords for both.” Russel M.

 

“I choose passwords depending on the importance of the service/device. I use different email addresses for different purposes, I have an address which I use for social network at yahoo and one at hotmail for browser games, both have a passwords with a combination of 6 letters and numbers. My main addresses at Google and web.de have both a length of 9, and so on…” Guido E.

 

“I had to change my password since I bought a new phone because I have to type my password every time I log into Facebook. I miss my old phone that always kept me signed in; now I have a short password :)”  Saul R.

 

“The device doesn’t change what I use for passwords but it does make entering the long complex passwords that I use much more difficult to enter on some devices, like my XBOX 360 and my Boxee Box. Complex passwords are also a problem when setting up my wife’s equipment and accounts.”  Clark F.

 

As the community has highlighted, it can be easier to cut corners when setting passwords on mobile devices such as smartphones or tablets but it’s important to be vigilant and maintain password strength across any device.

 

Here are some basic guidelines to using some strong passwords:

  • Length is key: The longer your password, the harder it is to hack using brute force methods.
  • Mix it up: Throw some symbols in there, and don’t be afraid to make up words!
  • Don’t get personal: Don’t use personal data such as your mother’s maiden name for your passwords. Should your information fall into the wrong hands, it could cause further complications.
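“Length is key” can be put in numbers: the search space of a password is alphabet_size^length, or length × log2(alphabet_size) bits. The following is an added example, not part of the original post; it compares several policies, including the “at least 8 characters, 1 number, 1 capital” rule one community member mentions, and shows that four extra lowercase characters buy more than mixing in digits and capitals does. The guessing rate is an assumed figure for an offline attack on a fast hash, chosen only to make the comparison concrete.

```python
import math

# Assumed guessing rate (guesses per second) for offline cracking of a fast, unsalted hash.
# Constructed for illustration; real rates depend on the hash and the attacker's hardware.
GUESSES_PER_SECOND = 1e10


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Size of the search space in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at `rate` guesses per second, in years."""
    return 2 ** bits / rate / (365 * 24 * 3600)


# (length, alphabet size): 26 lowercase, 62 letters+digits, 95 printable ASCII.
POLICIES = {
    "8 chars, lowercase only": (8, 26),
    "8 chars, letters + digits (the '1 number, 1 capital' rule)": (8, 62),
    "12 chars, lowercase only": (12, 26),
    "12 chars, all printable ASCII": (12, 95),
    "16 chars, lowercase only": (16, 26),
}


def compare_policies(policies=POLICIES) -> dict:
    """Bits and exhaustive-search time for each policy."""
    return {
        name: {"bits": round(entropy_bits(n, k), 1),
               "years": years_to_exhaust(entropy_bits(n, k))}
        for name, (n, k) in policies.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:60} {result['bits']:6.1f} bits  {result['years']:14.3g} years")
```

The upper-bound nature of the figure is the caveat to keep in mind: it assumes the attacker has to try every candidate, whereas dictionary words and personal data (the third guideline above) are tried first, so a long password built from them does not get the full credit the formula gives.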

 

What about you? Do you use different password complexity depending on the device? Let us know here on the blog or join in the discussion with our Facebook Community.

January 11 2012

15:03
Monkey Business and AVG - Happy 2012!
07:00

AVG Web threat weekly update – Week 2

1. Is FakeAV Dead?

No sooner did the world’s Internet users get the message five or so years ago that they should be running an anti-virus product on their PCs than the dark side jumped in to sell fake products that look and act like real security products.

For the past five or so years, these fake AV (or rogue) products have been huge moneymakers for the scam artists on the Internet, with hundreds of new variants appearing each year to help evade detection and confuse victims.

We’re seeing reports that fake AV might be fading from the scene. We don’t think so; in only a short amount of time we came up with several examples.

 

Windows Secure Kit 2011

 

Antivirus 2011

 

Please wait! This is important – we check your devices.

 

Scan & Protect

 

Windows Security

 

2. Cloud AV 2012

Blackhole Exploits kits recently started exploiting systems and installing a new rogue antivirus program called Cloud AV 2012. It’s a clone of Open Cloud AV which we previously blogged about.

 

3. Bank of America spam messages lead to Blackhole Exploit Kit

We’re sure that everyone on the planet who uses the Internet – even those living in caves in Afghanistan – is well aware of the flood of malicious spam that tries to snatch logins and other personal information. Recently we found one that impersonates email from the Bank of America and carries a link to a site that runs the Blackhole Exploit Kit.

 

4. Pharma spam site impersonating CVS

Anyone who has the slightest contact with email is all too familiar with “Canadian Pharmacy” or “penis pill” sites. At one time they seemed to be based in China; now, however, they appear to mostly have a .ru (Russia) country domain.

These scam sites claim to be selling Viagra, Cialis and other prescription medications by mail. No one has ever investigated the vast, vast ocean of these things, but it’s safe to say that IF you purchased prescription medication from them, what you would probably get is 1) adulterated pills, 2) completely fake pills, or 3) your credit card info ripped off.

The graphics on these sites usually include photos of scantily dressed men and women as well as male and female physicians in white uniforms with stethoscopes, looking young, professional and happy. The females often seem to be smirking, which must be off-putting for potential Viagra customers. There is almost always the word “Canadian” on the page somewhere.

 

Last week, however, we came across one (via spam, of course) that used the logo of the CVS pharmacy chain.

 

 

– AVG Threat Research Group

January 10 2012

14:00

What threats will Web users face in 2012?

The AVG threat research lab expects no radically new web threats in 2012, but rather refinements of existing scams and malicious techniques.

We expect business as usual for the dark side, although there have been some small successes in fighting the botnets that distribute vast amounts of spam (including spam carrying malcode). In 2011, Microsoft had some significant successes in taking down botnets using a combination of legal and technical approaches. So it’s good to know that there is some pressure being put on the distributors of Internet badness.

Here are the threats that we expect to see in the new year in more-or-less priority order:

 

1. Social media scams will continue at the present rate or increase

 

 

The bad guys are going to continue to go after the low-hanging fruit on social media sites. This is a vast goldmine. Facebook estimated in July that it had 750 million users worldwide ( http://www.facebook.com/press/info.php?timeline ). Facebook users with unsecured personal information can expect it to end up in the hands of unscrupulous operators who sell it as marketing data.

Fake celebrity news videos and stories will be some of the most used bait for scams and rogue security software installations. These scams will appear as videos or URLs in Tweets or Facebook posts that will lead to survey scams, and sites that download malicious code.

 

2. Toolkits will continue to appear and they will get more sophisticated

 

These highly sophisticated applications give malicious operators the capability to quickly design and install customized malicious code. Recently we’ve begun seeing them used to deliver rogue security products – which are huge moneymakers for the dark side.

 

3. Trojan horse programs will continue to be the largest category of malicious code

 

These are applications available for download that really install key loggers or other info stealers. Like other malware, they will continue to exploit vulnerabilities at the application level, with Adobe products being large, slow-moving targets. Browser vulnerabilities will also be targets. Web users are cautioned to install updates promptly to keep their machines secure.

 

4. Rogue security products will not go away.

 

 

These fake anti-virus scanners with professional graphic interfaces and alarming phony scans are not going to go away. In 2011 we started to see them being installed by tool kits.

 

5. Malware for mobile devices will continue to evolve

 

Mobile device users should only install apps from legitimate sources. Malicious apps will probably become more sophisticated and more widespread as the malicious operators learn to write for the new operating systems. These will steal personal information for the spammers and underground marketing operators and take passwords for banking and payment system theft.


6. Malicious spam and phishing will continue to be a threat to everyone who uses email.


The Messaging Anti-Abuse Working Group estimated that spam email comprised 88-90 percent of all email in the first three quarters of 2011 (http://www.maawg.org/sites/maawg/files/news/MAAWG_2011_Q1Q2Q3_Metrics_Report_15.pdf). That volume alone is a problem, but the malicious spam – the spam that tries to trick users into revealing their login credentials to bank, payment system or gaming sites – is the core of the menace. Users should continue to avoid opening attachments or clicking on links in unsolicited email. Spam emails forwarded by friends also can be a threat.


7. Search engine optimization poisoning might decrease as search site operators improve their techniques for detecting it.


Poisoned links in search engines will continue to take victims to sites that download malware onto their machines. The biggest draws will be celebrity news and coverage of major news stories.


8. Fake surveys will continue to waste time and steal money



Anyone familiar with Facebook, by now, has seen this trick. A friend “likes” a lurid video or an offer of a free computer/phone/gift card. Clicking on the video takes one to a long series of “survey” questions and offers for subscriptions to worthless services. These scams often gather victims’ cell phone numbers in order to bill monthly charges.


9. Fraudulent web sites selling phony or non-existent goods will continue to attract victims.


“Canadian pharmacy” sites pushing Viagra and Cialis (often called “penis pill sites”) will continue to thrive. Internet users will get to them chiefly via links in spam. They purport to sell prescription drugs, but really steal credit card info or sell placebos or drugs with incorrect dosages – which in some cases can be fatal.


10. Malicious iframes on legitimate web pages will continue to be a serious vector for attacks.


These can be placed on pages intentionally, by hackers who want to draw victims to malicious sites, or unintentionally, as when the advertising services that deliver ads to web sites get compromised and push out links to pages that download malcode.


– AVG Threat Research Group

07:00

Murder retrial ordered after court records destroyed by virus

A convicted murderer has had his appeal for a retrial granted after the record of his trial, stored by the court stenographer, was apparently destroyed by a malware infection.

The convicted party, Randy Chaviano, 26, appealed against his 2009 conviction in a Florida court for shooting Charles Acosta during an alleged drug deal. When the Appeal Court discovered that almost no records of the trial still existed, the judge had no choice but to annul the conviction and order a retrial.

The court stenographer, present in 2009, was responsible for recording the minutes of the trial but had accidentally deleted the manually taken primary records; to compound the issue, the electronic backup stored on a PC was also destroyed by malware.

“The overturning of a murder conviction always means terrible pain for the victim’s family and frustration for prosecutors and police officers,” Ed Griffith of the Miami-Dade Attorney’s Office was reported as saying.

“Overturning a murder conviction because of a court reporter’s problem creates a brand new level of pain and frustration,” he said.

Although data can often be recovered from damaged or infected hard drives, authorities and specialised services have been unable to extract the necessary information.

07:00

FBI warns of new Zeus-based malware phishing scam

What’s the story?

The FBI last week issued a warning about a new phishing scam known as “Gameover”. Should the malware gain access to your PC, it can steal usernames and passwords and even circumvent user authentication on banking web pages.

The FBI said it has seen an increase in the use of Gameover, which is an email phishing scheme using the names of prominent government financial institutions — the National Automated Clearing House Association (NACHA), the Federal Reserve Bank or the Federal Deposit Insurance Corporation (FDIC).

The FBI says Gameover is a more recent variant of the Zeus malware, which was created several years ago and was designed to specifically harvest banking information.

Who is affected?

Given that the scam is perpetrated via email, anyone could fall foul of this scheme.

Here’s how the FBI describes the scam: “Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there’s a problem with your bank account or a recent ACH transaction. (ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the U.S.) The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.”

How do I stay safe?

Make sure you do not fall prey to a phishing scam like this with AVG’s top three tips to staying safe.

  • Too Good To Be True

In these days of New Year sales it is tempting to open up an offer that seems too good to be true. More often than not, these “incredible offers” aren’t legit and you should exercise caution when investigating.

  • Trust Your Instinct

If you receive an email claiming you’ve paid nearly $300 for a flight that you’re unaware of, chances are that you haven’t. These tricks play on your insecurities; be confident in your actions online.

  • Get Protected

Getting a basic level of internet security can help protect you from phishing attacks and fraudsters by warning you when you are going to an unsafe site. AVG’s Linkscanner™ technology does this before you land on the page so that you are aware of the threat prior to exposure.


January 09 2012

14:00

American Airlines warns of scam emails

American Airlines has posted online several examples of scam emails claiming to be from the airline, in an effort to help protect its customers from falling victim to the scam.

The phishing attack which has been active as recently as November 2011 was designed to con American Airlines customers into surrendering their personal information and passwords.

One of the example emails that the airline posted claimed that the recipient had paid for a $278 flight to New York and that they should log in and download their ticket. Another email promises a reward of $50 for completing a five-question survey.

As part of American Airlines’ proactive advice to its customers, the airline warns anyone who receives bogus emails not to follow any of the links and instead to forward the email, in its entirety, to webmaster@aa.com.

American Airlines spokesman Ed Martelle said, “We are aware of the scam. It is being investigated by our corporate security department so we can find a way to shut it down”.

Make sure you do not fall prey to a phishing scam like this with AVG’s top three tips to staying safe.

Too Good To Be True

In these days of New Year sales it is tempting to open up an offer that seems too good to be true. More often than not, these “incredible offers” aren’t legit and you should exercise caution when investigating.

Trust Your Instinct

If you receive an email claiming you’ve paid nearly $300 for a flight that you’re unaware of, chances are that you haven’t. These tricks play on your insecurities; be confident in your actions online.

Get Protected

Getting a basic level of internet security can help protect you from phishing attacks and fraudsters by warning you when you are going to an unsafe site. AVG’s Linkscanner technology does this before you land on the page so that you are aware of the threat prior to exposure.


07:00

SMB IT Security Size Matters, But It Shouldn’t

It’s an inconvenient and unfortunate truth. It is (and always has been) typically the case that companies at the larger end of the SMB market (i.e. 51-100 employees) tend to exhibit the most IT security awareness.

So when it comes to SMB security awareness, size really does matter. But, as most of us know, it really should not.

The common perception among many fledgling businesses is that paying for IT security is an unnecessary expense. If controls are put in place at any level, they are often administered without any third-party support or consultancy — and this is fine, as long as certain caveats, policies and mechanisms are put in place to ensure their effectiveness.

The challenge here is to think big.

Small to medium sized businesses from two person partnerships up to newly formed firms still numbering less than ten employees need to treat their IT security protection as if they were a multinational.

Just as every Dollar, Pound, Yen and Euro of profit is treated with ultimate respect in ANY size of business, the same universally level playing field should also govern the security controls that ANY firm uses to protect itself from malware, phishing, spam and social engineering in all its forms.

The problem is that hackers don’t discriminate when it comes to electronic data and the opportunity to make money from implanting malware onto users’ machines. It’s a numbers game, and if a successful malware attack starts at a small business it can still “perform well” for the perpetrators by spreading exponentially to all of a user’s contacts and their contacts’ contacts.

Think about it – in the time it takes for a hacker to get through the defense shields of a major international banking corporation, they could be dropping infected code into a thousand or more small businesses operating without any anti-virus protection technologies.


Malware is a numbers game

Without wanting to deliberately coin a phrase here, there’s an awfully succinct way of summing this subject up – “distributing malware is a numbers game, just ensure that you don’t become one of the numbers.”

You can download the full AVG SMB Threat Landscape Report at the AVG Resource center.

07:00

AVG Feedback Update – Week 2

1. Speedtest.net

Please be informed that the speedtest.net service is now promoted in the AVG user interface:

Clicking the Speedtest component redirects you to the speedtest.net website to perform a quick test of your connection speed. We recommend closing all running applications that use the Internet connection (peer-to-peer client software, software update tools, your browser, Skype client, etc.) before running the test, to get accurate results.

Feel free to post your comments regarding Speedtest at AVG Forums.


2. Anti-Virus not active?

One of the AVG Forums visitors reported that the AVG Anti-Virus component is inactive. This issue is usually caused by hardware failure. Should you face a similar situation, we recommend running memory and hard drive tests to check your hardware health. If the tests reveal that any of the RAM modules or hard drives is faulty, please consult a local computer repair shop or your computer vendor for further guidance. The faulty component will need to be replaced.

If the hardware appears to be perfectly healthy and the issue persists, please contact AVG technical support for investigation of the issue.


3. Stubborn infection

AVG Forums visitors have reported hard-to-remove infections lately, sometimes accompanied by rootkits. Scanning the system with an updated AVG Rescue CD when an infection keeps coming back usually rectifies the issue. AVG Rescue CD is able to find rootkits easily, as they are not active when the host operating system is not running.

In case an infection still keeps coming back or cannot be removed, it may be hidden in a virtual file system that is not accessible by usual means, or protected in a different way.

Should you need assistance with infection removal, please contact AVG technical support or describe the issue on AVG Forums.


4. AVG LiveKive voucher could not be redeemed during trial period

One of the AVG LiveKive users reported at AVG Forums that he had trouble redeeming his LiveKive voucher. We have investigated the situation and found a technical issue that prevents vouchers from being redeemed before the trial period is over. This issue has been reported to our developers.

Should you face any trouble redeeming your LiveKive voucher, please wait until your trial period is over and try to redeem the voucher afterwards. Should the issue persist, please do not hesitate to contact AVG technical support for assistance.


5. Groupon offer: AVG license missing

A few AVG users reported purchasing an AVG license from the SRE Computing company using a Groupon offer. It seems that some users were not provided with license keys properly. If you have used this Groupon offer lately and your AVG license is missing, please proceed as described in this AVG Forums post.


January 03 2012

16:20

New Year’s IT Security Resolutions For SMBs

The new year is a time of change, and so we typically use this period as a chance to set new goals, work on self-improvement (both at home and at work) — and here’s the hard bit — stick to the objectives we set ourselves in order to achieve our resolutions.

A time of business re-orchestration…

Looking ahead at 2012, what initiatives will you take to ensure that your business achieves more? What new business drives will you undertake and how will you orchestrate and manage your business processes to maximise profits? Specifically, how will you approach your IT security protection in the new ‘social media’-connected web 2.0 landscape to keep your data and application assets safe?

The most important aspect of setting resolutions and goals is the need to keep them realistic and achievable. Start your new year security planning methodically without a feeling of unnecessary panic.


A good starting point for an average SMB might perhaps be to carry out an inventory of current computers and mobile devices. Once you know how much equipment you’re going to need to protect, it’s easier to quantify and start tackling the task ahead of you.

In the post-Christmas period or ‘holiday’ season, many employees will come into work with new ‘devices’ they may have received as gifts. From tablet computers to smartphones to pocket video recorders and so on, these units all represent a data security risk if they are connected to your business IT system.

The New Year might be a good time to declare a ‘Device Amnesty’ and ask all employees to list the mobile devices that they intend to use at work.

Any new year is a time of uncertainty; nobody quite knows what the next 12 months have in store. With this in mind, it is the perfect period to lay down a security policy for your firm to adhere to.

Whether this document is a simple one-pager or needs a binder and a front cover to hold it together, it doesn’t matter, just do it – write it, follow it, update and revise it, but above all, enforce it.

Ensure that your firm’s forward-looking business plan embraces and includes IT security protection commensurate with the needs of your online and digital activities.

Put your firm’s data safety sensitivities on the table and analyse where your risks are most likely to exist. Then and only then, deploy protection software appropriate to your company’s position as an electronically connected business.

Lastly, we at AVG would love to wish all our business customers a safe, “secure” and prosperous New Year. Happy 2012 everyone.

January 02 2012

07:00

AVG Feedback Update – Week 1

1. AVG LinkScanner™ compatible with Firefox 9

Please be informed that Mozilla Firefox 9 is now fully supported by AVG 2012 and AVG 2011. More information can be found in this AVG Forums post.

Should you face any compatibility issues (LinkScanner, AVG Toolbar) while using AVG and Firefox 9, please make sure to update your AVG and restart your Firefox browser.


2. AVG Family Safety™ enables YouTube Safety Mode

AVG Forums visitors reported that YouTube Safety Mode is always enabled regardless of the configuration of the YouTube profile, which may prevent viewing some videos. YouTube Safety Mode is forced if the Safe Search option is enabled in AVG Family Safety. Please proceed as described in this AVG Forums post if you would like to browse YouTube videos freely.


3. MS Outlook is freezing when AVG Anti-Spam is installed.

AVG Forums users reported that MS Outlook startup is slowed down, sometimes freezing. This issue seems to be caused by the AVG Anti-Spam component if the user has the MS Outlook plugin for AVG E-mail Protection installed. This issue has been fixed by the recently released AVG 2012.1890 program update. More information on how to update AVG can be found in this FAQ article.

When browsing e-mails in MS Outlook, you may face a similar slowdown with AVG Anti-Spam enabled. This issue will be fixed in one of the upcoming cumulative AVG program updates.

Should you face such a slowdown even after updating AVG and restarting your computer, we recommend disabling the AVG Anti-Spam component temporarily. Please proceed as follows to do so:

- Open the AVG user interface and click the E-mail Protection component.

- Clear the Enable Anti-Spam check mark.

- Click Save changes.

Please note that this issue does not occur when AVG Free Edition or AVG Anti-Virus is installed, because they do not feature the Anti-Spam component. The issue is limited to the AVG 2012 product line only. The AVG user interface will report E-mail Protection as not fully functional after disabling the Anti-Spam component. Rest assured that virus protection is still active; only spam messages are not being filtered.

Should you need additional assistance, please contact AVG technical support.


4. How to revert unwanted changes done by AVG PC Tuneup™?

AVG PC Tuneup is a powerful optimizing tool. Unfortunately, it may happen that some changes to the system configuration do not quite suit your needs. If using AVG PC Tuneup resulted in unwanted system behavior, you can easily revert any of the changes made using the Rescue Center, as described in this FAQ article.


5. Stubborn infection

AVG Forums visitors have reported hard-to-remove infections of the Trojan Horse Agent type lately. Scanning the system with an updated AVG Rescue CD when an infection keeps coming back usually rectifies the issue. Please see this example AVG Forums infection removal thread.

In case an infection still keeps coming back or cannot be removed, it may be hidden in a virtual file system that is not accessible by usual means, or protected in a different way.

Should you need assistance with infection removal, please contact AVG technical support or describe the issue on AVG Forums.

December 29 2011

07:00

jQuery powered malware

We have already written numerous times about the fact that social networks can be used by cyber criminals to harm their users. The technique we have spotted on the Twitter network is not new, but it is interesting nonetheless.

Its first form used a callback function to the Twitter API, which made it hard for the scanning core to discover and allowed the injection of a harmful iFrame. Furthermore, the trend data returned by that function was used to generate a domain name.

iFrame


So what makes this case so interesting? First, it uses the popular jQuery library. Whereas the earlier forms relied on the callback function as a tool against emulation, using the library is an evolution: it is used both for downloading the trend data and for obfuscating the harmful code.

iFrame

Analysis of the sample we obtained revealed an algorithm for generating domain names. Each name consists of one part built by selecting from groups of predefined values, and another part derived from the data obtained from Twitter.

iFrame

The fact that the algorithm does not currently produce active domain names may have one of these causes:

1. The algorithm for creating the domain names was changed

This is very likely, since the code contains numerous places that can be manipulated.

2. The method is used over longer time windows

Twitter allows trends to be looked up one month backwards. The domains we found registered in this time window have the status clientHold preset, which means the domain is not published in DNS.

3. The author has registered only a few of the possible names and relies on favorable conditions arising

Since none of the generated addresses was functional at the time of analysis, we cannot determine the creators’ intentions exactly. Most probably it is a ploy to get at the resources and digital assets of their victims.
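The domain-generation scheme described above, modeled from the defender’s side as an added example (not the sample’s code, which this post does not reproduce): the predefined groups, the hashing step and the trend data are all constructed assumptions, and the point is that re-implementing such an algorithm lets you enumerate every candidate domain for a look-back window and block or sinkhole it before it is ever published.

```python
import hashlib
from datetime import date, timedelta
from itertools import product

# Hypothetical "predefined groups" (an assumption; the sample's real values are not on the page).
PREFIX_GROUP = ["cdn", "api", "img"]
TLD_GROUP = [".info", ".biz"]

# Constructed trend data, day -> trending terms (not real Twitter output).
TRENDS_BY_DAY = {
    date(2011, 12, 1): ["Winter", "Holiday Sale"],
    date(2011, 12, 2): ["Playoffs", "Winter"],
}


def normalize(term):
    """Reduce a trend term to a valid DNS label: lower-case letters and digits only."""
    return "".join(c for c in term.lower() if c.isalnum())


def trend_label(term, day):
    """Trend-derived part: first 6 hex digits of a hash over the term and the day,
    so the same trend yields a different label on a different day."""
    digest = hashlib.sha256(f"{normalize(term)}:{day.isoformat()}".encode()).hexdigest()
    return digest[:6]


def candidates_for_day(day, trends):
    """Every domain the model can emit for one day: each choice from the
    predefined groups combined with each trend term observed that day."""
    names = set()
    for prefix, tld in product(PREFIX_GROUP, TLD_GROUP):
        for term in trends:
            names.add(f"{prefix}-{normalize(term)}-{trend_label(term, day)}{tld}")
    return sorted(names)


def candidates_for_window(start, days, trends_by_day):
    """Enumerate candidates across a look-back window (Twitter exposes about a
    month of past trends). Days with no trend data yield no candidates."""
    window = {}
    for i in range(days):
        day = start + timedelta(days=i)
        window[day] = candidates_for_day(day, trends_by_day.get(day, []))
    return window


def blocklist(window):
    """Flatten the per-day candidates into one sorted list for a blocklist or
    a sinkhole registration plan."""
    return sorted({name for names in window.values() for name in names})


if __name__ == "__main__":
    result = candidates_for_window(date(2011, 12, 1), 2, TRENDS_BY_DAY)
    for day, names in result.items():
        print(day, len(names), "candidates")
    print(len(blocklist(result)), "distinct names to block")
```

Because the trend part is recomputed per day, a candidate registered for one day’s trends never reappears, which is why a defender has to enumerate the whole window rather than a single day.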

author: Jaro Brtan
