This Week's Malware Trends
Most of what we're seeing this week is more of the same scams tied to the economic woes: credit help, mortgage relief, etc.
However, new this week have been a bunch of phishing attempts with subjects like "Regards", "Hi", "Greeting", "Salute", "Aloha",
"take care", and "Hallo". I guess these are the minimalist hackers at work. Or maybe they are paying by the character. Hmmm.
Another new-but-old scheme we're seeing is the "Hi Sweety - Remember me?" and "Russian Women are Waiting For YOU!" come-on.
As always, stay alert as the scammers keep on looking for new ways to tempt you.
Microsoft Releases Out of Cycle Patch to Stop Worm Attack
Microsoft issued an emergency patch to repair a critical Windows server service vulnerability that leaves Windows systems
dangerously open to attack. The software maker also said it had to act quickly because it was aware of targeted attacks affecting
Windows users.
This fix marks the fourth time that Microsoft has released a security patch outside of its monthly cycle. In its bulletin,
Microsoft said the flaw could be exploited by an attacker without authentication to run arbitrary code. The attacker would have to
send a malicious remote procedure call (RPC) request, which could result in taking complete control of a system. The flaw is rated
critical on Windows 2000, XP, and Windows Server 2003 and is given an important rating on Windows Vista and Windows Server
2008.
"It is possible that this vulnerability could be used in the crafting of a wormable exploit," Microsoft said in its MS08-067
bulletin. "Firewall best practices and standard default firewall configurations can help protect network resources from attacks
that originate outside the enterprise perimeter."
As you'll see in the following article, we are already seeing exploits of this vulnerability. Be sure your home computers
have successfully installed this patch.
Trojan Exploiting Microsoft Vulnerability
There are reports emerging Friday morning of a new Trojan exploiting the MS08-067 RPC vulnerability in Windows that Microsoft
patched with an emergency fix yesterday. Known as Gimmiv.A, the Trojan propagates automatically through networks, and also installs
a number of small programs on compromised machines. But its most worrisome capability is a feature that enables Gimmiv.A to find
cached passwords in a number of locations and then send them off to a remote server. Before sending the data, the Trojan encrypts
the passwords with AES encryption.
The Fake Airline Ticket Scam is Back
In a reprise of a summer tactic, hackers are trying to trick people into infecting their PCs with malware by sending them e-mail
that poses as bogus airline-ticket invoices and boarding passes, a security company said today.
The spam, which claims to be from Continental Airlines Inc., thanks the recipient for using a new "Buy flight ticket Online"
service. It also provides a log-in username and password and says the recipient's credit card has been charged more than $900,
according to Trend Micro Inc.'s research.
The message says the attached .zip file includes an invoice and "flight ticket." In fact, noted Trend Micro, the archive file
contains an executable file "e-ticket.doc.exe," which is actually a Windows worm that downloads and installs other attack code to
the PC.
MSN Messenger Used as Lure in Another Malicious Spam Wave
This was seen in Brazil in mid-October - may be coming soon to a computer near you, so be aware!
Websense Labs are reporting a new malicious spam lure that uses the threat of a virus to encourage users to download a
malicious Trojan.
The email explains that by downloading the application linked within it, users can protect themselves against a virus that
spams messages to a user's contacts. The "update" to Live Messenger Plus that the email offers is actually a Trojan. The URLs
provided in the email redirect the user to a two-stage downloader named dsc.scr.
As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br. A browser then
opens pointing to a different site. A scheduled task is then created, and modifications are made to autoexec.bat to disable
GBPlugin and other tools promoted by Brazilian banks to protect against keyloggers and other malware. The malware then goes
on to conduct information-stealing activities.
Compromised Halloween Sites Passing Rogue Software
An internet search using the keywords “halloween costumes” may turn up a number of legitimate sites that have been compromised,
and users might end up with rogue anti-virus software on their machine.
The Halloween attack uses search engine optimization manipulation to distribute the campaigns, according to a Wednesday TrendLabs
blog post.
Attackers prey on the vulnerabilities in legitimate websites to embed malicious code, according to Trend. Once determining a
website is vulnerable, a pointer to a specially crafted rogue page -- containing many mentions of the words "halloween costumes"
-- is injected into the legitimate website. That way, when an unsuspecting web user searches those terms, the legitimate but
compromised website will return a high ranking and he or she will be more likely to visit there.
The infected site contains malicious JavaScript that will redirect users to another site without their knowing. When, for example,
a user clicks an online store to browse Halloween costumes, they will be redirected to a page with a pop-up claiming their
computer is running slower than normal. The pop-up says the user's PC might be infected with some type of malware.
“When users click on the resulting pages, there will be software directions and the final payload will be the fake or rogue
anti-virus software,” Ivan Macalintal, research manager at Trend Micro, told SCMagazineUS.com Wednesday. The pop-up asks users if
they want to download Antivirus 2009, claiming the software will scan their machine for malware -- but Antivirus 2009 is really a
fake program.
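The two tell-tale signs in the Halloween campaign are content stuffed with the bait phrase that visitors never see (it exists only to rank in search results) and a script that sends the visitor somewhere else. The following is an added example, not code from the original newsletter or from Trend Micro: a Python check a site owner could run over their own pages to surface hidden keyword stuffing and script redirects to a foreign host. The sample HTML, the host names (RFC 2606 ".example" domains) and the detection thresholds are constructed for the example; a real page would also need the script sources it loads from other files checked the same way.

```python
import re
from urllib.parse import urlparse

# JavaScript redirect forms: window.location = "...", document.location.href = "...", location.replace("...")
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)['\"]"
    r"|location\.replace\(\s*['\"](https?://[^'\"]+)['\"]\s*\)",
    re.IGNORECASE,
)
# Block elements styled display:none, the usual hiding place for injected keyword text.
HIDDEN_RE = re.compile(
    r"<(?:div|span|p)\b[^>]*display\s*:\s*none[^>]*>(.*?)</(?:div|span|p)>",
    re.IGNORECASE | re.DOTALL,
)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def scan_page(html, site_host, bait_phrase="halloween costumes", min_repeats=3):
    """Return [(finding, detail), ...] for a page served from site_host.

    site_host: the host the page legitimately belongs to; redirects to any other
               host are reported. Redirects back to the same host are normal.
    """
    findings = []
    for script in SCRIPT_RE.findall(html):
        for match in REDIRECT_RE.finditer(script):
            url = match.group(1) or match.group(2)
            host = urlparse(url).hostname or ""
            if host.lower() != site_host.lower():
                findings.append(("off-site script redirect", url))
    for hidden_text in HIDDEN_RE.findall(html):
        repeats = hidden_text.lower().count(bait_phrase.lower())
        if repeats >= min_repeats:
            findings.append(("hidden keyword stuffing", f"{repeats}x '{bait_phrase}'"))
    return findings


# Constructed page: a legitimate shop page after injection of a hidden keyword block
# and a redirect to a rogue anti-virus landing page (hosts are placeholders).
SAMPLE_HTML = """<html><body>
<h1>Autumn sale</h1>
<div style="display:none">halloween costumes halloween costumes halloween costumes halloween costumes</div>
<script type="text/javascript">
  window.location.href = "http://rogue-av.example/scan.php";
</script>
<script>
  // A same-site redirect the shop itself uses; this one is not reported.
  window.location.href = "http://shop.example/promo";
</script>
</body></html>"""


if __name__ == "__main__":
    for finding, detail in scan_page(SAMPLE_HTML, "shop.example"):
        print(f"{finding}: {detail}")
```

The host comparison is the important part: a redirect is not suspicious by itself, only one that leaves the site, so the scanner must know which host the page belongs to instead of flagging every `location` assignment.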
Mac Users Aren't Immune - Similar Rogue Software Targeting Macs
A website claiming to sell Macintosh anti-spyware software may soon spring to life to try to infect users with malware and harvest
their credit card information, a Mac security firm warned on Friday.
According to a security memo from Intego, the company discovered the Macguard website Friday morning during routine monitoring,
Intego spokesman Peter James told SCMagazineUS.com Friday.
The website claims its software will search hard drives for malicious adware, spyware and trojans; clean files; eliminate threats
and ensure privacy. The danger is that users might enter their credit card information to purchase the fake software, James said.
If a user does, the website may harvest their account information.
The website does not yet include a downloadable trojan, but James predicted that there will probably be one added at some
point.
Intego discovered that the website is a near word-for-word spin-off of another malicious website that promotes “Winiguard,”
another fake security program. The Macguard domain was registered Sept. 18 to the same person registered for the Winiguard site,
James said.
That site, according to Sunbelt Software, falsely informs users that their Windows machines are infected with viruses in hopes of
duping them to purchase the rogue product. If they do so, their machines may become infected with malware and face degraded
performance.
Some 30 million PCs are infected with some form of rogue software, stealing $10 to $15 million a month from people who are desperate
to disinfect their PCs, Ryan Sherstobitoff, chief corporate evangelist at Panda Security, told SCMagazineUS.com Friday.
'Block the Vote' Tactics Go Online This Election
Voter suppression and deception tactics could go online in the final days or hours of this hotly contested Presidential election
season -- including spoofing voting and campaign Websites, fake voice-call blasts via VOIP, phishing, and denial-of-service
attacks on legitimate polling Websites -- according to a new report released this week.
There already have been online attempts to disrupt the election activity of specific blocks of voters, according to the Electronic
Privacy Information Center’s (EPIC) E-Deceptive Campaign Practices Report. Phony emails were sent to Florida voters stating that
they would be unable to vote if their ID didn’t match a state database; robo-calls went to women voters in North Carolina with
false information about their voter registration status; and fake emails were sent to voters in Maryland saying they would be
barred from voting if their home was under foreclosure.
Make sure you aren't fooled by these schemes and that your friends and relatives are aware of them as well. And get out
there and VOTE!
Security update for Opera
Opera has released security update 9.61 for its browser of the same name, resolving three vulnerabilities. Among them is the
possibility of websites extracting the browser history, as well as a cross-site scripting hole when changing pages. In addition,
the update fixes minor flaws in the user interface. The new version is available to download for Windows, Mac OS X, Linux, FreeBSD
and Solaris.
TrendMicro and F-Secure Release Patches
Two major security software vendors have released patches for flaws in their own offerings.
F-Secure and Trend Micro have posted updates to address vulnerabilities which could leave customers vulnerable to attack.
Trend Micro issued a fix for its OfficeScan product, in which an attacker could use a malformed HTTP request to cause a buffer
overflow in the software's server CGI module.
A successful exploit could allow an attacker to remotely execute code on the targeted system.
F-Secure, meanwhile, has released an update which corrects an issue in its Internet Security, Anti-Virus, Linux and Protection
Service product families as well as several F-Secure server and gateway offerings.
The issue stems from an error that occurs when the software is not set to scan compressed files.
An attacker could use a specially crafted compressed file to trigger a buffer overflow and execute arbitrary code with
system-level privileges, gaining complete control of a targeted machine.
The US Computer Emergency Response Team is advising users and administrators of all of the affected security products to
install the patches as soon as possible.