Facebook “Photo Album” Spam Drops Trojans

Posted on June 14, 2010 by glhaldeman

By Andrew Brandt

A spammed link campaign that spread through Facebook rapidly over the weekend delivered a malicious payload designed to take control of the Facebook account of any infected user, steal passwords, and hijack clicks in the victim’s browser. The messages appear as links sent by a friend, accompanied by the brain-damaged text “You? I find it on Google.“

Clicking the link directs recipients to a page on online-photo-albums.org which, at the time, pointed to malware hosted on a server (now offline) based in Bosnia and Herzegovina.

This installer drops no fewer than six payloads, including the “clickjacker” Trojan-Bamital, which redirects the browser to a different site when a user on an infected machine clicks a linked result in a very specific subset of search engine Web sites (such as, for example, results on the South Korean version of Google, Google.kr, but not the main Google.com site itself).

In addition, album.exe file also drops Trojan-Downloader-Suurch, which can download and install additional payloads, and leads hapless Web surfers into the abyss by hijacking searches on a broader set of search engines, and injecting its own code into the search results page. The album.exe installer also drops a DLL which captures passwords and other data entered into Web forms in Internet Explorer, and forwards that data on to a different Web domain (which happens to be hosted at the same IP address in Bosnia that was used for the album.exe download — and remains online as I publish this).

Continue reading →

Facebook Spam Leads to Viagra Vendor, Drive-by Download

Posted on May 28, 2010 by glhaldeman

By Andrew Brandt

Annoying as they are, the spam emails circulating that supposedly come from Facebook don’t merely lead the recipient to one of those so-called Canadian Pharmacy pill-vendor websites. They now come with a bonus: An infection, courtesy of a malicious iframe which attempts a series of exploits against the browser, Adobe Reader, and Adobe Flash in an attempt to push a drive-by download down to the victim’s PC.

The messages, which say they come from a service called Facebook Notify (or, sometimes, just Facebook Service) inform the recipient that they’ve received a message. In order to read the message, the recipient is encouraged to click a link in the email that looks like it leads to Facebook.

It’s a sham: The spammers have hotlinked a Facebook URL so it points to another Web site. That Web site redirects the browser to the Canadian Pharmacy page, but that’s not all: In a few cases, while checking out what happens when one visits the page, I found that the test PC was infected afterwards.

As it turns out, a script embedded within the Canadian Pharmacy page loads an iframe that points to yet another site. And that iframe runs through a number of tricks to push down a Trojan installer we classify to Trojan-PWS-Daonol.

Daonol is an obnoxious thief, because in addition to stealing passwords, the Trojan also prevents the browser from loading certain Web sites; redirects the browser to sites other than the one the user clicks in search result pages on Google, Bing, and Yahoo; and prevents Windows from running some applications.

Continue reading →

The Lessons of a ‘Love Bug’ Still Ring True

Posted on May 4, 2010 by glhaldeman

By Ian Moyse

A decade on from the ILOVEYOU worm, what has changed—apart from ‘we’re older and (supposedly) wiser?’

We have allowed the bad in the real world to progressively infect our online world, giving criminals a way to attack victims that is more dangerous for the victim and, coincidentally, safer for the attacker. As recently as a decade ago, bank robbers had to physically enter the bank premises and overcome its defenses. Today, they simply need to be clever enough to trick you, rather than break the defenses of the bank itself.

In humanizing the Internet we have dehumanized cybercrime.

The individual computer user was, and remains, the weak link. The concept of social engineering still poses the principal online threat affecting everyone.

At last week’s Infosecurity Europe show in the UK, I spoke about the latest threats, and how they clash with the realities of the Internet and the Web 2.0 world we live in today. Attendees who spoke to me afterward, many of whom provide support and IT services to business of all sizes, told me they live with these threats every day.

I asked the people watching my talk who thinks malware is still as much of a threat as it ever was, and the sea of hands that shot up spoke volumes: Ten years on, we face the same problem on an increasingly large scale. The attackers however have gotten smarter, and more malicious. We have seen more malware in the last 18 months than the last 18 years combined — and the attacks which deliver that malware to victims are equally creative, ingenious, and devious.

Continue reading →

Social Nets Put Your Privacy at Risk

Posted on March 30, 2010 by Mike

By Mike Kronenberg

Attention Facebook and Twitter users: You’re still at risk. Last year, our survey found that lots of people using social networking sites were taking the risk of financial loss, identity theft, and malware infection. Have things gotten any better? Well, the answer is yes but, unfortunately, not better enough — and potentially a lot worse for some of you.

The results of our 2010 survey reveals that more of you are adhering to some safe behaviors — like blocking profiles from being visible through public search engines. That’s a good thing, but the downside is over 25 percent of you haven’t changed your default privacy settings. And more that three quarters of survey respondents haven’t placed any restrictions on who can see their recent activity.

I worry about this because you can’t escape the fact that rogue operators are always trying to extract details about you. They want access to anything that can help them dig into your private life. They can break into Web mail accounts, get your credit card number, steal your identity, or even attack you through cyber-stalking.

And they’ll do anything to get the info, from attacking you with malware to tricking you into revealing passwords.

With that, and our survey in mind, on the following page I’ve posted a few suggestions you can follow to protect yourself.

Continue reading →

Weird New Koobface URLs Use Old Tricks

Posted on March 19, 2010 by glhaldeman

By Andrew Brandt

Pretty much since it arrived on the malware scene, Koobface has used the technique of sending messages with Web links — in your name, to your friends — as a method of propagating the infection to others. Using your name is a powerful social engineering trick, and the makers of the worm have tried innumerable ways to mask the danger behind those dangerous links: They’ve used “short link” services like Bit.ly to hide the destination; They build pages on sites normally considered safe, like Blogspot or Google Reader, that simply redirect users to a dangerous page; and they use stolen credentials for the Web servers of legitimate businesses to upload their own malicious content there.

Since February, Koobface has tried another technique: It has used different URL encoding schemes, which many browsers but few humans can interpret. You click an odd-looking link and before you know it, you’re on a site that’s trying to push an infection at your PC.

This “new” trick actually harkens back to 2001, when spammers were using so-called dotless IP address tricks to bypass security features in Internet Explorer. A Windows patch issued in October of that year fixed the bug in IE that gave dotless IP addresses additional security permissions. But the IE, Firefox, and other browsers remain capable of taking a URL in the form of (for example) http://1078900434 and correctly translating to a standard IP address, then loading, the page hosted at the IP address that number represents. (The dotless link above will take you to Webroot’s Web site.)

Continue reading →

New Research: IT Pros Sound Off On 2010 Security Concerns

Posted on February 17, 2010 by glhaldeman

Research from the enterprise security experts at Webroot

With the explosion of social networking sites like Twitter and Facebook in 2009, it’s no surprise cybercriminals have set their sights on these Web sites for new victims. Facebook now has over 400 million active users and Twitter has over six million — a sizeable pool of potential targets.

These new threats are a cause of great concern for IT managers and businesses. Webroot recently surveyed over 800 IT professionals in the US, UK and Australia, at companies ranging from 100 to 500 people in size, to learn what are their biggest concerns for 2010. Eighty percent of those who responded anticipate Web 2.0-based malware threats will be among their biggest challenges, and 73% said these types of malware are much harder to manage than email-based threats.

Many IT admins reported they thought their organizations were sufficiently protected, but that wasn’t always the case: Significant numbers reported attacks from viruses (60%), spyware (57%), phishing attacks (47%), hacking attacks (35%), and SQL injections of their Web sites (32%). What’s more, because malicious hackers have a financial motive, individuals who possess sensitive business data are perfect targets. Increasingly, small and medium-sized businesses (SMBs) come under attack because they are less likely to have the multpile layers of protection that larger enterprises do.

Data breaches, when they happen, can be devastating to SMBs: According the the FBI, blended Web and email attacks led to approximately $100 million in attempted losses last year. SMBs can take precautions to make sure they aren’t a part of these staggering statistics. It is important to keep up with the latest threat vectors by using a security service with URL filtering, end user policy management and virus protection, and by making sure employees are educated on know to avoid threats in a growing landscape — especially when it comes to social media.

Webroot will address this topic in greater depth when our CTO Gerhard Eschelbeck delivers a Web security trend report at the RSA Conference 2010 Wednesday, March 3, at 4:30 p.m. PST in the Briefing Center on the Expo Hall floor. We’ll continue the conversation at Infosec Wednesday, April 28 at 3:20 p.m. GMT in Earls Court when Eschelbeck presents Securing the Internet for a Web 2.0 Collaborative Culture.

Play it Safe on Safer Internet Day

Posted on February 8, 2010 by glhaldeman

By Andrew Brandt

February 9 marks Safer Internet Day, and around the world, people are trying to help their fellow netizens navigate an obstacle course of threats to their security and privacy. InSafe, the organization funded by the EU that sponsors the annual youth-targeted event, has themed the day around the concept “Think B4 U post.” As grammatically sloppy as that sounds, it’s actually good advice.

Readers of this blog shouldn’t be surprised that myriad dangers threaten the safety of all Internet users: Keylogging software disguised as “updates” are everywhere; Fake security alerts pop up when you least expect them; Phishing Web pages are more cleverly designed than ever to steal your passwords; Spam is choking email; Worms stalk social networks; Even your mobile phone is at risk of malicious software designed to steal valuable information from you. The big question on everyone’s mind is: What do you do to protect yourself?

The answer’s simple, really. You have to think before you act, and make sure you understand the consequences of whatever you do, write, post, or click online. Once you develop your Internet spidey senses, you’ll be able to spot something that’s out of place, or weird, or just dodgy before it catches you out.

Despite the increasingly clever tricks criminals employ, they still have to lie and cheat in order to steal. What follows are a few easy ways you can catch them out in their lie before it’s too late. We’ve also put together a short video that shows just how easy it is, once you’re in the right frame of mind.

Continue reading →

Massive Spam Campaign Impersonates Social Networks

Posted on February 5, 2010 by glhaldeman

By Andrew Brandt

Spammers are the source of a flood of messages that appear to originate from various social networks, including Facebook and Myspace, as well as popular sites like iTunes.

The spam messages usually just contain a link, and possibly a few words. Their subject matter falls into three general categories common to most contemporary spam: Pill vendors, Russian bride “vendors,” and drive-by download sites hosting Zbot password-stealer installers.

It’s not unusual for spammers to forge the return addresses, but the sheer volume of spam that has been forged so it appears to originate from MySpace, Facebook, or iTunes is notable.

Continue reading →

‘Spongeface’ Koobface Variant Uses Spongebob as a Tease

Posted on January 20, 2010 by glhaldeman

By Andrew Brandt

A new variant of the Koobface social networking worm is sending social networkers links that lead to fake videos supposedly posted by the beloved cartoon antihero Spongebob Squarepants. The fake videos only display a popup message labeled “Adobe Flash Player Update” that says “This content requires Adobe Flash Player 10.37. Would you like to install it now?” Clicking anywhere on the page downloads the Koobface installer to the victim’s PC.

The technique isn’t new, but this is the first sign that the crew behind Koobface is switching from ‘holiday mode’ (when they sent around links to videos that were supposedly posted by Santa Claus) to ‘post-holiday mode.’

In other ways, the worm features a few small tweaks: Its Captcha tool, which attempts to convince infected users to enter the text of a captcha into a dialog box, has been modified to read and properly display the new ReCaptcha format used by some social network sites. The new format randomly places black circles ‘behind’ the text, and inverts the text of the captcha phrase where the text and black circles intersect.

Continue reading →

WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Follow “Webroot Threat Blog - Internet Security Threat Updates from Around the World”