Monday, October 6, 2008

Single Trojan accounts for 60 per cent of September attacks

By Lain Thomson 1 October 2008

A single family of Trojans has accounted for over 60 per cent of malware infections in September, according to Fortinet. The RogueSecurity Trojan and its variants accounted for 61.5 per cent of all malware attacks in September, the company claims. The Trojan and its variants took the top four positions of the company’s malware list.

“Not since the start of this year when the notorious Storm virus made a continuous run of devastating attacks has any comparison been seen with this level of activity,” said the company.

“However where the Rogue security applications excel is the accumulated volume: maintaining these extreme levels of activity for at least six days, not to mention the other variants.

“The bulk of malware activity occurred in the second and third week of the month, with the W32/Inject.GZW!tr.bdr Trojan peaking at nearly two million in the middle of the month.”

Virustotal report from two samples:

Sample 1 Sample 2

This is the usual FakeAlert trojan: it can inject its own DLL into any executable (PE) file, then alerts the user to a bogus "new" infection, or tells the user outright that their PC is compromised, in order to get them to buy its anti-virus or anti-spyware product.

Tuesday, August 19, 2008

Symantec acquires Sydney's PC Tools

Symantec acquires PC Tools

Mahesh Sharma | August 19, 2008

SYMANTEC has bolstered its consumer product portfolio with the acquisition of Australian security software developer PC Tools.

The value of the deal wasn’t disclosed. It is expected to be finalised by the end of the year.

PC Tools is headquartered in Sydney, with offices in US, Britain, Ireland and Ukraine. Symantec said the acquisition expands its reach in emerging regional markets.

PC Tools has over 200 staff globally and will remain a separate entity in the security giant’s consumer business.

Chief executive Simon Clausen will report to Symantec’s group president of consumer products, Janice Chaffin.

Symantec will not rebrand PC Tools’ products and will maintain existing partners and channels.

While there is significant overlap with Symantec’s security offerings, PC Tools also has a range of PC utility products to maintain, repair and optimise Windows operating environments.

PC Tools also recently released anti-virus software to protect the Mac OS X operating system.

Tuesday, August 5, 2008

Vista Service Pack 1 isn't actually SP1

It appears that Microsoft's woes with Vista aren't quite over yet. According to the company's official Windows Vista blog, a bug in the SP1 update is the latest in a mounting load of blunders.

A number of users reported problems resulting from the service pack prerequisite KB937287. After receiving reports of the error, Nick White, Microsoft's Product Manager, quickly responded by notifying customers that a decision had been made to "temporarily suspend automatic distribution of the update to avoid further customer impact while we investigate possible causes." Microsoft says that only a small number of users have been affected and that the company is presently working to crack the problem and put the update back online as soon as possible.

Also, if your Vista PC has SP1 installed, make sure you have applied all the critical Windows Updates up to late June's update. Apparently there are two major critical updates relating to Windows stability and performance issues.

Tuesday, April 8, 2008

Trend, Sophos and McAfee flunk Vista SP1 anti-virus tests

That would be a FAIL, then
By John Leyden
Published Thursday 3rd April 2008 16:52 GMT
Article from: http://www.theregister.co.uk/2008/04/03/vista_sp1_av_tests/

Top tier anti-virus vendors including McAfee, Trend Micro, and Sophos all failed to secure Windows Vista SP1 in recent independent tests.
Virus Bulletin, the independent security certification body, said 17 of 37 anti-virus products tested failed to reach the VB100 certification standard. McAfee VirusScan, Trend Micro Internet Security and Sophos Anti-Virus overlooked threats known to be in circulation. Other vendors whose products failed to make the grade included Alwil, BitDefender, Norman, PC Tools, and VirusBuster.
Some of the ignored threats - largely polymorphic file infectors - have been in circulation for months. "It is disappointing to see so many products tripping up over threats that are not even new - computer users should be getting a better service from their anti-virus vendors than this," Virus Bulletin technical consultant John Hawes said.
Products from Symantec, Microsoft (which has had problems in previous VB100 tests), AVG, and Kaspersky Lab all passed.
Although still lagging behind Windows XP, Vista is likely to see more widespread use with the introduction of its first service pack, making it more important for anti-virus vendors to deliver dependable protection for the platform. Vista SP1 came out in mid March.
Virus Bulletin's VB100 tests pit each anti-virus product against a set of viruses from the WildList, a publicly available up-to-date list of viruses known to be circulating. To earn VB100 certification, products must be able to detect all the viruses contained in the WildList test set without generating false alarms when scanning a set of clean files.
Unlike other certification schemes, Virus Bulletin tests all products free of charge and does not allow re-testing. Virus Bulletin's comparative reviews also cover detection rates against a selection of zoo viruses (those not seen outside the laboratory), scanning speeds, and computational overheads.
Test results are available on the Virus Bulletin site (free registration required).

Top Spam Botnets Exposed

Srizbi
Estimated # of bots: 315,000
Alternate names: Cbeplay, Exchanger
SMTP engine: Template-based
Total botnet spam-sending capacity: 60 billion spams/day
Control: encrypted, UDP and TCP ports 4099
Rootkit-enabled: Yes
Identifying strings: \SystemRoot\Minidump\%s, Udp6, Tcp6, MachineNum
Notes: With the combination of stealth and an efficient SMTP engine, Srizbi is a highly capable botnet spamming machine. However, Srizbi is not a monolithic botnet - it is split between several customers of Reactor Mailer, with over a dozen control servers. Because of this, a wide variety of spam can be seen coming from Srizbi at any given time. In addition, Srizbi is one of the most active botnets attempting to seed new infections by advertising links to porn-related video files of different celebrities, which are actually new copies of Srizbi.
Srizbi has emerged over the past year as the distributed part of the long-established Reactor Mailer web-based spam tool. Reactor may have used proxy servers in the past, but at some point a re-write of the software was commissioned by the head of the company, known only as “spm”. The author who did the re-write of the backend is a contract programmer living in Smila, Ukraine. It is unclear as to whether or not he wrote the Srizbi trojan also, but it is a likely possibility.

Bobax
Estimated # of bots: 185,000
Alternate names: Bobic, Oderoor, Cotmonger, Hacktool.Spammer, Kraken
SMTP engine: Template-based
Total botnet spam-sending capacity: 9 billion spams/day
Control: encrypted, TCP port 447
Rootkit-enabled: No
Identifying strings: cCdipsuxX%, w:\projects\b3\release\core.pdb
Notes: Despite reports of its demise, Bobax continues to be a strong player in the spam arena. At one time, Bobax was solidly in the business of sending mortgage spam, but lately has been seen mailing low-interest loan spam.

Rustock
Estimated # of bots: 150,000
Alternate names: RKRustok, Costrat
SMTP engine: Template-based
Total botnet spam-sending capacity: 30 billion spams/day
Control: HTTP with encryption, TCP port 80
Rootkit-enabled: Yes
Identifying strings: tmpcode.bin, unluckystrings, filesnames
Notes: Although Rustock started out in the stock spam business, it has branched out, and can currently be seen sending out pharmaceutical spam.

Cutwail
Estimated # of bots: 125,000
Alternate names: Pandex, Mutant (related to: Wigon, Pushdo)
SMTP engine: Template-based
Total botnet spam-sending capacity: 16 billion spams/day
Control: HTTP with encryption, TCP port 4080
Rootkit-enabled: Yes
Identifying strings: Poshel-ka ti na hui drug aver
Notes: Cutwail is the most common spambot installed by the Pushdo malware installer system, but it's not the only one. We've also seen Srizbi, Storm, Xorpix and Rustock installed on the same host together with Pushdo and Cutwail. Canadian Pharmacy spam is one of the things we most commonly see with Cutwail, but other types of spam are sent. Sometimes the botnet is used to send social-engineering emails in order to seed more infected hosts with Cutwail.

Storm
Estimated # of bots: 85,000 (only 35,000 send email)
Alternate names: Nuwar, Peacomm, Zhelatin
SMTP engine: Template-based
Total botnet spam-sending capacity: 3 billion spams/day
Control: HTTP on random ports with base64/zlib encoding, P2P-based server directory
Rootkit-enabled: Yes
Identifying strings: [blacklist], [peers]
Notes: Although Storm has been rumored to be quite large in the past, it has dropped to a more reasonable size. In addition only Storm bots behind NAT firewalls actually send spam. This makes the capacity of the spam-sending part of the Storm botnet smaller than most of the other lesser-known botnets. However, those other hosts don't go to waste, they are used as fast-flux HTTP and DNS hosts for the spam system. Storm spent a lot of time sending pump-and-dump stock spam in the past, but occasionally will send pharmaceutical spam and job-offer (phishing mule) emails. When it's not spamming, Storm is sending links to fake greeting card sites which use browser exploits and social engineering to infect more users with Storm.

Grum
Estimated # of bots: 50,000
Alternate names: None known, except for generic/misassigned
SMTP engine: Template-based
Total botnet spam-sending capacity: 2 billion spams/day
Control: HTTP on TCP port 80
Rootkit-enabled: Yes
Identifying strings: Hi all, Already start, $TO_HEXMAIL, /spm/s_alive, /spm/s_tasks
Notes: Although little-known, Grum has accumulated a sizeable botnet over the past year by sending spam with supposed porn URLs which actually point to browser exploiting pages. This botnet usually sends URLs hidden in non-related HTML, so it may be the botnet referred to by anti-spam vendor Marshal as “HTML”. Ultimately the links lead to Canadian Pharmacy sites.

OneWordSub
Estimated # of bots: 40,000
Alternate names: Unknown
SMTP engine: Template-based
Total botnet spam-sending capacity: Unknown
Control: Unknown
Rootkit-enabled: Unknown
Identifying strings: Unknown
Notes: Although we see a significant amount of spam emanating from this botnet, as of yet the malware behind it has yet to be identified. Due to the format of the spam it is sending, we believe this is the same botnet which anti-spam vendor Marshal refers to as "One Word Sub". This botnet has been seen sending Canadian Pharmacy spam.

Ozdok
Estimated # of bots: 35,000
Alternate names: Mega-D
SMTP engine: Template-based
Total botnet spam-sending capacity: 10 billion spams/day
Control: encrypted, TCP port 443
Rootkit-enabled: No
Identifying strings: KILL_LAZZY_ON_CONNECT, KILL_LAZZY_MX
Notes: Although Ozdok has a relatively small set of bots compared to some of the other botnets listed here, it is quite capable of pumping out a generous amount of spam, most of it related to enlargement products, but designer knock-offs and other spam are frequently seen.

Nucrypt
Estimated # of bots: 20,000
Alternate names: Loosky, Locksky
SMTP engine: Template-based
Total botnet spam-sending capacity: 5 billion spams/day
Control: HTTP with encryption, TCP port 3133
Rootkit-enabled: Yes
Identifying strings: 1f34ff45, taskmon.sys, /synctl/upd
Notes: Relatively small yet capable botnet - may have been evolving for a few years. Last seen sending Canadian Pharmacy spam.

Wopla
Estimated # of bots: 20,000
Alternate names: Pokier, Slogger
SMTP engine: Template-based
Control: encrypted, TCP port 8080
Total botnet spam-sending capacity: 600 million spams/day
Rootkit-enabled: Yes
Identifying strings: %sxtempx.xxx, %.250s.lzo, ctxlsp.dll, psrip.dat, mailgrab_emails.dat, OEMSO2000
Notes: Wopla is frequently installed by drive-by exploits in the same way as Srizbi, Rustock and Cutwail, although it doesn't appear to have been spread as widely. An interesting feature – Wopla can send spam direct-to-MX or by logging into at least one public webmail service. Bots which send spam through webmail providers will probably continue to increase in number, since the spam can evade IP-based blocklisting, and must rely solely on content-detection (or fingerprinting/anomaly detection at the webmail provider). Wopla seems to be primarily dedicated to porn spam.

Spamthru
Estimated # of bots: 12,000
Alternate names: Spam-DComServ, Covesmer, Xmiler
SMTP engine: Template-based
Total botnet spam-sending capacity: 350 million spams/day
Control: encrypted, multiple TCP ports
Rootkit-enabled: No
Identifying strings: hs5p, XSMTPX
Notes: Another botnet which cut its teeth mailing stock spam in 2006 and 2007, nowadays can be seen sending pharmaceutical spam.

Other Spambots
In addition to these bots, there are several other template-based spam botnets, and still many more proxy-based botnets. Creating network-based fingerprints for proxy botnets is much more difficult, because ultimately you are fingerprinting the mailer engine, not the bot itself. In the case where the same spam tool might utilize multiple proxy botnets, it would greatly skew the results.
One template-based botnet (Warezov/Stration/Opnis) that was a major player six months ago has completely dropped off of the radar. Warezov was known for sending Chinese pump-and-dump stock spam. Perhaps it is no coincidence that in the same time frame that we stopped seeing Warezov spam/malware, the notorious spam kingpin Alan Ralsky was arrested and charged (among other things) with sending pump-and-dump stock spam for Chinese companies.
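The profiles above give two kinds of host-side indicators for each family: the "Identifying strings" found in the bot binary or its memory, and the control-channel port. The following is an added example (not code from the original report or from any vendor) that turns those two columns into a small triage detector: it scans a byte buffer such as a file or process dump for the quoted strings, requires more than one hit for a family so that generic strings like "Udp6" or "Hi all" do not fire on their own, and then raises the confidence for a family only when the host's outbound connection records also show that family's control port. The sample dump and flow records are constructed; the split of each "Identifying strings" entry on commas is my reading of the table, and Storm and OneWordSub are left out because their strings are section names or unknown.

```python
"""Triage detector built from the spambot profiles' identifying strings and
control ports. Added example, not the report's own tooling; sample data is
constructed."""

# Identifying strings copied from the profiles (split on commas).
FINGERPRINTS = {
    "Srizbi":   [b"\\SystemRoot\\Minidump\\%s", b"Udp6", b"Tcp6", b"MachineNum"],
    "Bobax":    [b"cCdipsuxX%", b"w:\\projects\\b3\\release\\core.pdb"],
    "Rustock":  [b"tmpcode.bin", b"unluckystrings", b"filesnames"],
    "Cutwail":  [b"Poshel-ka ti na hui drug aver"],
    "Grum":     [b"Hi all", b"Already start", b"$TO_HEXMAIL",
                 b"/spm/s_alive", b"/spm/s_tasks"],
    "Ozdok":    [b"KILL_LAZZY_ON_CONNECT", b"KILL_LAZZY_MX"],
    "Nucrypt":  [b"1f34ff45", b"taskmon.sys", b"/synctl/upd"],
    "Wopla":    [b"%sxtempx.xxx", b"%.250s.lzo", b"ctxlsp.dll", b"psrip.dat",
                 b"mailgrab_emails.dat", b"OEMSO2000"],
    "Spamthru": [b"hs5p", b"XSMTPX"],
}

# Control ports from the profiles; families listed with "random" or
# "multiple" ports are omitted because a port check would be meaningless.
CONTROL_PORTS = {
    "Srizbi": {4099}, "Bobax": {447}, "Rustock": {80}, "Cutwail": {4080},
    "Grum": {80}, "Ozdok": {443}, "Nucrypt": {3133}, "Wopla": {8080},
}


def scan_buffer(data: bytes) -> dict:
    """Return {family: [matched strings]} for families with enough hits.

    Short generic strings occur in benign binaries, so a family counts only
    when at least two of its strings are present (or all of them, for a
    family that has a single string such as Cutwail).
    """
    hits = {}
    for family, needles in FINGERPRINTS.items():
        found = [n.decode("latin-1") for n in needles if n in data]
        if found and len(found) >= min(2, len(needles)):
            hits[family] = found
    return hits


def corroborate(hits: dict, remote_ports) -> dict:
    """Grade each string hit by whether the host also talked to that
    family's control port. Returns {family: "high" | "medium"}."""
    seen = set(remote_ports)
    return {
        family: "high" if CONTROL_PORTS.get(family, set()) & seen else "medium"
        for family in hits
    }


def scan_host(data: bytes, remote_ports) -> dict:
    """String scan plus port corroboration for one host."""
    return corroborate(scan_buffer(data), remote_ports)


# Constructed memory dump: padding, both Ozdok strings, one Nucrypt string.
SAMPLE_DUMP = (b"\x00" * 64 + b"KILL_LAZZY_ON_CONNECT\x00" + b"\xff" * 16
               + b"KILL_LAZZY_MX\x00/synctl/upd\x00" + b"\x00" * 64)
# Constructed flow records (remote address, remote port); 203.0.113.0/24 is
# a documentation range.
SAMPLE_FLOWS = [("203.0.113.7", 443), ("198.51.100.2", 25)]

if __name__ == "__main__":
    ports = [port for _, port in SAMPLE_FLOWS]
    for family, level in scan_host(SAMPLE_DUMP, ports).items():
        print(f"{family}: {level} ({', '.join(scan_buffer(SAMPLE_DUMP)[family])})")
```

Running the block reports Ozdok at high confidence: both of its strings are present and the host connected out to TCP 443. The lone Nucrypt string is not reported, which is the intended behaviour of the two-hit rule; a real deployment would tune that threshold per family and treat the port column (80, 443, 8080 in particular) only as corroboration, never as a detection by itself.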

Thursday, August 30, 2007

Article: A walk on the dark side

Found an interesting article on one of the world's worst companies, one that caters to crackers and spammers.
Article link from: economist.com
=============================================

A walk on the dark side

Aug 30th 2007
From Economist.com

These badhats may have bought your bank account

ACCORDING to VeriSign, one of the world’s largest internet security companies, RBN, an internet company based in Russia’s second city, St Petersburg, is “the baddest of the bad”. In a report seen by The Economist, VeriSign’s investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.

In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.


But the menace it poses certainly exists. “RBN is a for-hire service catering to large-scale criminal operations,” says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Plenty of other internet companies sail close to the wind—hosting unregulated online gambling for example. But according to a VeriSign investigator, “the difference is that RBN is solely criminal”. The pricing depends on the level of complaints. A discreet organisation pays little; one that attracts a lot of unwelcome attention, forcing RBN to take expensive countermeasures, has to pay more.

Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as “trojans” that sit inside a victim’s computer collecting passwords and other sensitive information and sending them to their criminal masters.

A favourite trick is to by-pass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a programme such as Corpse’s Nuclear Grabber, OrderGun and Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN” says a VeriSign sleuth.

RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank’s security director belonged. RBN-based cybercriminals replied by crashing the bank’s home-page for three days.

What can be done? VeriSign has tracked down the physical location of RBN’s servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. “RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks,” says VeriSign. The head of RBN goes under the internet alias “Flyman”; his uncle is thought to be a senior St Petersburg politician. Repeated e-mails to RBN’s purported contact addresses asking for comment have gone unanswered.

Companies can simply block access to any site registered at an RBN IP address. But that will not help most victims, such as those who receive infected e-mails. VeriSign says only strong political pressure on Russia will make the criminal justice system there deal with this glaring example of cyber-illegality.




Sunday, August 26, 2007

Top 5 malwares

Current HOT malware:
1. Virtumonde - This well-known, mysterious little sucker gives users fake alerts and popups advertising rogue antispyware products like Winantispyware 2007, DriveCleaner etc., informing users that their computer is not protected from a bogus virus.
The big issue with Virtumonde (aka Vundo, FakeAlert, Conhooks) is that different users have different sets of Virtumonde files, which means the threat can change its file names and contents to avoid detection. I've heard Virtumonde can regenerate into newer variants every hour.

2. Adware.Agent variants - Very similar to Virtumonde in behaviour; this threat also causes popups telling users to buy some bogus program to clean out computer problems.

3. Maxifies & PurityScan - Also cause popups, and usually hijack the browser to bogus sites like "Test your Internet Speed" or some "dating sites". When the user clicks to continue to test their Internet speed or to find cyber lovers, their computer is hijacked and starts downloading heaps of malware. I usually find them through the many freebie sites offering ringtones, screensavers, wallpapers, games, mp3s etc.

4. Trojan.Popuper - This threat disguises itself as a video or audio codec. It usually invites users to porn, dating or free music/movie trailer sites, then tells them that Windows is missing an essential video codec needed to play the video. After the user clicks to install the codec, their PC is hijacked and displays heaps of popups, somewhat similar to Virtumonde (and it is usually bundled with Adware.Agent as well).
[Myspace.com] had this earlier: hackers can set up bogus profiles on myspace.com and invite users to be friends.

5. Free game trojans - These can be very risky, as I have seen so many trojans bundled with free games and screensavers. I have had a few MDT logs showing no sign of malware but with free porn games or poker games installed. Many users with repeat detections also suffer from installed programs that keep re-inserting trojans onto the user's computer after a scan and fix. This sort of problem can't be fixed completely without uninstalling the risky games.
