Free Spyware Adware Worm and Virus Trojan Horse Download Removal Tools

FBStarter Facebook Phishing Scam

2009-05-18T20:20:00.000-07:00

Threat Type: Phishing Alert

Websense® Security Labs™ has been receiving new Facebook phishing scam messages in our HoneyJax™ systems, the part of our ThreatSeeker™ Network used to monitor social networking attacks. The phishing lure, referred to as “fbstarter”, arrives as a message in a user’s Facebook inbox. For users who have configured forwarding in their Facebook settings, the message also appears in their email inbox.

If users click the link, they are redirected to a Facebook phishing page that spoofs Facebook's sign-in page. By entering their user name and password, they give attackers the information necessary to log into their account and spam their friends.

Lesson learned: Always be suspicious of messages that contain links. This pertains not only to emails, but to any messages that you receive on the Internet. Treat these messages with caution, even if they come from friends’ addresses. Social networking has opened the gates for attackers to take advantage of the transitive trust that exists in social networking platforms like Facebook.

To the credit of the Facebook security team, they have been quick to issue a statement and block further messages that attempt to spread any known offending URL. Attempting to send a message in Facebook that contains the known URLs results in the following error message.

Figure 2: Facebook now blocks any attempt to send the offending URL

As Facebook attempts to block the URLs used in this scam, attackers have been creating new domains that are not blocked by Facebook. It is uncertain whether the cat-and-mouse game will continue, but Websense Security Labs is monitoring the situation.

Websense® Messaging and Websense Web Security customers are protected against this attack.

Swine Flu Topic used in SEO to spread Malware

2009-05-18T20:10:00.000-07:00

Threat Type: Malicious Web Site / Malicious Code

As swine flu spreads throughout the world, Websense Security Labs™ ThreatSeeker™ Network has noticed that thousands of Web sites relating to swine flu have been registered. The results of our monitoring indicate that most of the sites are used for advertisement or email/web spam to sell their products, but of course, the topic also offers plenty of opportunity for malware.

We discovered that some Web sites are using the swine flu topic to spread malware. Interestingly, the sites we found are the type that only redirect users to a malicious Web site when they access the site through certain search engines. The targeted search engines are the most popular such as Google, Yahoo, and AOL. When a user searches using swine flu-related search terms, the malicious sites are returned as high as the fifth result on Google.

The malicious Web site that is redirected is typical: it asks the user to install a missing codec to watch a video, and the download codec is a Trojan Downloader. Until now, these kinds of sites just used hot topics to attract users; we suspect that they will use more advanced SEO techniques to infect more users in the future.

Trojan-Downloader.Win32.Banload.dcd

2008-09-24T15:19:00.000-07:00

This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 113152 bytes in size. It is not packed in any way. This Trojan is written in Visual Basic.

Installation

Once launched, the Trojan copies its body to the Windows program files directory as "lsass.exe":

%Program Files%\Microsoft Studio Files\lsass.exe

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

The Trojan then creates a command interpreter file called "vcdg.bat" in the same directory:

%Program Files%\Microsoft Studio Files\vcdg.bat

It writes the following strings to this file:

netsh.exe firewall add allowedprogram PROGRAM="%Program Files%\Microsoft Studio

Files\lsass.exe" NAME="Session Win32" MODE=ENABLE PROFILE=ALL

In doing so, the Trojan modifies the configuration of the Windows XP firewall, permitting any network activity created by the malicious process.

"%Program Files%\Microsoft Studio Files\vcdg.bat" is then launched for execution.

Payload

Once installed, the Trojan downloads files from the following URLs:

http://www.club-vw.cl/*****/modules/subsmanager/api_apache.tar

http://www.*****-consult.net/rcss.res

http://www.photo-*****.ru/images/exhibition_moll2005_file0031.jpg

At the time of writing, these links were not active.

http://www.cemm*****ac.at/img/nav/plus19a_RO.jpg

This file is 2603325 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.Banbra.bak.

Files which are downloaded are saved to the Trojan's installation directory under random names and launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

Use Task Manager to terminate the Trojan process.

Delete the following system registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

"lsass" = "%Program Files%\Microsoft Studio Files\lsass.exe"

Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).

Delete the following directory and its contents:

%Program Files%\Microsoft Studio Files

Delete all files from %Temporary Internet Files%.

Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Downloader-UA.h Trojan fake music and video files

2008-08-26T12:44:00.000-07:00

Overview -

--- Update May 6th, 2008 --
Due to an increase in prevalence being seen by our VirusScan Online Customers, the risk assessment of this threat was upgraded to Medium for Home Users and Low Profiled for Corporate Users.

Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com.
Characteristics
Characteristics -

Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com.

File sizes vary as these files are padded with nulls. The file names varies as well. Here are some of the samples file names.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

When a user attempts to load one of these MP3 and MPG files, they do not get the music/video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800 word EULA is displayed.

Method of Infection -

Downloader-UA.h trojans are propagated through P2P networks

Microsoft MJPEG Decoder Vulnerability malicious file buffer overflow

2008-07-02T20:04:00.000-07:00

Description

Windows is an industry-standard operating system developed by Microsoft. A vulnerability in Microsoft DirectX may allow for remote code-execution attacks. The vulnerability lies in the processing of specially crafted MJPEG streams in AVI or ASF files. A user would have to open a malicious file or visit a Web site streaming a malicious file for an attack to occur.

Type - Buffer Overflow
Impact of exploitation - Remote Code Execution
User Interaction - no user interaction is needed
Attack Vector - Maliciously Crafted File
Rating - Medium
CVE reference - CVE-2008-0011,
Vendor Status - Responded and patched

Vulnerable systems
Windows 2000 Sp4,
Windows XP SP3,
Windows 2003 Sp2,
Windows Vista SP0,
Windows Server 2008

Summary
A vulnerability in Microsoft DirectX may allow for remote code-execution attacks.

Recommendations -

Download and install the patch available from Microsoft (951698): http://www.microsoft.com/technet/security/Bulletin/MS08-033.mspx

Monagrey Win32 trojan modifies IE start page Trojan.Monagray Trojan.Win32.Monagrey.a (KAV)

2008-03-05T11:03:00.000-08:00

Overview -

Monagrey is a trojan which modifies IE start page and prevents common applications from running.
Aliases

* Trojan.Monagray (Symantec)

* Trojan.Win32.Monagrey.a (KAV)

Characteristics -

-- Update March 4, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention.

Monagrey is a trojan which modifies IE start page and prevents common applications from running.

It will modify the following registry key to run at startup:
HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows: "%LOCATION%\SRVSPOOL.exe"

(where %LOCATION % is the location of the folder where it resides e.g. C:\)

Upon reboot, the trojan will display a pop up window.

It will change IE start page to point to the following URL:

* http://en.wikipedia.org/wiki/Human_rights

and also prevent applications with the following names in their title bar from running:

* Date And Time
* Windows Task Manager
* Registry Editor
* Irfanview
* Google Talk
* Macromedia
* Adobe
* Microsoft Visual
* Windows Media Player
* Winamp
* Microsoft Office
* Microsoft Excel
* Microsoft Word
* Messenger

Symptoms -

* Unexpected termination of previously mentioned applications
* Modification of IE start page to previously mentioned URL.

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

PWS-LegMir.gen.k.dll passwword stealer virus

2008-02-27T22:41:00.000-08:00

Overview -

PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k. It steals password from multiple games. It may also detect and terminate antivirus applications.

Characteristics -

PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k. It steals password from multiple games. It may also detect and terminate antivirus applications.

The following antivirus applications are detected and terminated:

* KAV (Kaspersky)
* RAV (Rising)
* AVP (Kaspersky)
* KAVSVC (Kaspersky)

Symptoms -

Unexpected termination of previously mentioned antivirus applications.

Method of Infection
Method of Infection -

PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k.

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

WORM_NUWAR.AR Malware Email Virus

2008-02-14T13:06:00.000-08:00

To get a one glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
javascript:void(0)
Publish Post
Malware Overview

This worm arrives as attachment to email messages spammed by another malware or a malicious user.

It drops files detected by Trend Micro as TROJ_PEACOMM.BK.

It propagates by sending email messages containing a link, which redirects users to a malicious Web site where a copy of itself can be downloaded.

W32/Nujama.worm!p2p Peer To Peer Worm Virus.Win32.VB.cy W32.Nujama W32/Nujama-A

2008-02-12T16:18:00.000-08:00

Overview -

W32/Nujama.worm!p2p is a worm which can propragate through network shares, removable drives and peer to peer applications.
Aliases

* Virus.Win32.VB.cy

* W32.Nujama

* W32/Nujama-A

Characteristics
Characteristics -

W32/Nujama.worm!p2p is a worm which can propragate through network shares, removable drives and peer to peer applications.

* Upon execution, it creates a copy of itself into the Windows system directory:

%Windir%\system32\SystemMonitor.exe, %Windir%\system32\ptsnoop.exe, %Windir%\system32\InfoVersion.exe, %Windir%\system32\commpu.exe, %Windir%\system32\call of duty.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

* Creates the following registry key to hook at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysmon: "%Windir%\system32\SystemMonitor.exe"

* Modifies the following registry keys so that a user cannot view hidden files and file extensions.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

* Drops the following files:

%Windir%\Web\Desktop.ini
%Windir%\Web\Folder.htt
%Windir%\system\oeminfo.ini

* Copies itself into the root folder of all drives(including removable drives and network drives) with filename as as Datos de %Computer_Name%.exe
* Copies itself to all the subfolders of these drives with filename as %sub_folder%.exe

(For instance, it copies itself as WINDOWS.exe in the folder c:\WINDOWS and copies itself as system.exe into the folder c:\WINDOWS\system)

Symptoms -

* created registry key as described above
* created f iles as described above

Method of Infection -

The worm may propagate via Peer-to-Peer Networks, network shares and removable drives.

Removal -

JS/Exploit-YahooGrid datagrid.dll mediagridax.dll buffer overflow vulnerability

2008-02-05T13:27:00.000-08:00

Overview -

JS/Exploit-YahooGrid is a generic detection for YMPDataGrid (datagrid.dll) and YMGMediaGridAx (mediagridax.dll) ActiveX controls buffer overflow vulnerability in Yahoo! Music Jukebox and Yahoo! Messenger.

The buffer overflow vulnerabilities occurs while supplying a long string to the AddImage, AddButton or AddBitmap functions. This vulnerability could be exploited by a malicious user to cause remote code execution.

Symptoms -

This detection is sufficiently generic, such that it can cover a number of threats that contain the exploit code. Therefore, it is not possible to describe specific symptoms or details about system changes that can occur from this threat. However, simply seeing this detection does not mean that any exploit code was run at all as such exploit code could only run on a vulnerable system.

Additionally some exploits simply cause Internet Explorer to crash and nothing more.

Method of Infection -

This threat could be delivered via an email message, IM or an infectious web page.

Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

W32/Tufik virus which infects .exe files

2008-02-05T13:18:00.000-08:00

Overview -

W32/Tufik is virus which infects .exe files. It downloads files from a malicious url.
Characteristics
Characteristics -

W32/Tufik is virus which infects .exe files.

Upon execution, it copies itself to %WinDir%\alg.exe, then kills itself.

It creates the process alg.exe.

It connects a remote URL to download updated variants of itself and additional malware. The downloaded file is saved as %WinDir%\svchost.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It creates the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lsass="%WinDir%\alg.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\svchost="%WinDir%\svchost.exe"

The virus infects.exe files by prepending itself.

It can proprogate via network shares or removable drives by infecting the .exe files in the shared folders or in the removable drives.
Symptoms
Symptoms -

-registry keys added by the virus as described above

-processes created by the virus as described above
Method of Infection
Method of Infection -

W32/Tufik is a virus that infects PE and spreads over floppy drive and other removable devices and network shares. It can also be downloaded through another malware or variant.

TROJ_AGENT.HJS malicious Trojan

2008-01-24T15:20:00.000-08:00

This Trojan may be downloaded unknowingly by a user when visiting malicious Web sites.
It drops files also detected by Trend Micro as TROJ_AGENT.HJS.
It creates a registry entry to enable its automatic execution at every system startup.

Solution:

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Removing Autostart Entry from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
Regscan = "%System%\regscan.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
4. Close Registry Editor.

WORM_IMBOT.AC memory resident worm malware

2008-01-24T15:19:00.000-08:00

This memory-resident worm may be dropped by other malware or downloaded unknowingly by a user when visiting malicious Web sites.

It propagates via the popular instant messaging application, MSN Messenger. It does this by sending a message and a .ZIP file that contains a copy of itself to target contacts.

The message it sends may be any of the following:

• Did you see this picture, it's hilarious!!!!!
• Have I shown you this new picture of my cat :)
• Hey, check out this great photo from my trip to England

This worm also has backdoor capabilities. It connects to random TCP ports and executes the commands from a remote malicious user. It also terminates certain processes, if found running in memory.

SYMBOS_BESELO.A Malware Alert

2008-01-24T15:16:00.000-08:00

This Symbian malware infects mobile devices running Symbian OS/S60 2nd Edition.

It drops a file also detected by Trend Micro as SYMBOS_BESELO.A. It also drops two other non-malicious files.

It spreads via Multimedia Messaging Service (MMS) messages. It creates an MMS message with an attached copy of the .SIS installer. These MMS messages contain a copy of the malware.

This Symbian malware also spreads via Bluetooth-enabled mobile phones. It arrives as a .SIS file, using certain file names.

GPCoder.h Trojan Win32 ransomware trojan

2008-01-09T03:06:00.000-08:00

This is a detection for a ransomware trojan. It encrypts files on the harddrive, creates a text-file indicating what has happened, and gives email addresses to send the ransom money to.
Aliases

* Backdoor:Win32/Kollah.D (Microsoft)

* TSPY_KOLLAH.F (TrendMicro)

* Virus.Win32.Gpcode.ai (Kaspersky)

Characteristics

-- Update July 17, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

This trojan encrypts documents, depending on the file extension, and then attempts to extort money from the victim in order for them to obtain a decryptor tool to recover the documents.

When run this trojan searches for files using the following extensions:

* .12m
* .3ds
* .3dx
* .4ge
* .4gl
* .7z
* .a
* .a86
* .abc
* .acd
* .ace
* .act
* .ada
* .adi
* .aex
* .af3
* .afd
* .ag4
* .ai
* .aif
* .aifc
* .aiff
* .ain
* .aio
* .ais
* .akf
* .alv
* .amp
* .ans
* .ap
* .apa
* .apo
* .app
* .arc
* .arh
* .arj
* .arx
* .asc
* .asm
* .ask
* .au
* .bak
* .bas
* .bb
* .bcb
* .bcp
* .bdb
* .bh
* .bib
* .bpr
* .bsa
* .btr
* .bup
* .bwb
* .bz
* .bz2
* .c
* .c86
* .cac
* .cbl
* .cc
* .cdb
* .cdr
* .cgi
* .cmd
* .cnt
* .cob
* .col
* .cpp
* .cpt
* .crp
* .cru
* .csc
* .css
* .csv
* .ctx
* .cvs
* .cwb
* .cwk
* .cxe
* .cxx
* .cyp
* .d
* .db
* .db0
* .db1
* .db2
* .db3
* .db4
* .dba
* .dbb
* .dbc
* .dbd
* .dbe
* .dbf
* .dbk
* .dbm
* .dbo
* .dbq
* .dbt
* .dbx
* .dfm
* .djvu
* .dic
* .dif
* .dm
* .dmd
* .doc
* .dok
* .dot
* .dox
* .dsc
* .dwg
* .dxf
* .dxr
* .eps
* .exp
* .f
* .fas
* .fax
* .fdb
* .fla
* .flb
* .frm
* .fm
* .fox
* .frm
* .frt
* .frx
* .fsl
* .gtd
* .gif
* .gz
* .gzip
* .h
* .ha
* .hh
* .hjt
* .hog
* .hpp
* .htm
* .html
* .htx
* .ice
* .icf
* .inc
* .ish
* .iso
* .jar
* .jad
* .java
* .jpg
* .jpeg
* .js
* .jsp
* .key
* .kwm
* .lst
* .lwp
* .lzh
* .lzs
* .lzw
* .ma
* .mak
* .man
* .maq
* .mar
* .mbx
* .mdb
* .mdf
* .mid
* .mo
* .myd
* .obj
* .old
* .p12
* .pak
* .pas
* .pdf
* .pem
* .pfx
* .php
* .php3
* .php4
* .pgp
* .pkr
* .pl
* .pm3
* .pm4
* .pm5
* .pm6
* .png
* .ppt
* .pps
* .prf
* .prx
* .ps
* .psd
* .pst
* .pw
* .pwa
* .pwl
* .pwm
* .pwp
* .pxl
* .py
* .rar
* .res
* .rle
* .rmr
* .rnd
* .rtf
* .safe
* .sar
* .skr
* .sln
* .swf
* .sql
* .tar
* .tbb
* .tex
* .tga
* .tgz
* .tif
* .tiff
* .txt
* .vb
* .vp
* .wps
* .xcr
* .xls
* .xml
* .zip

Found documents are encoded and a text file named read_me.txt is placed in the directory containing the following text:

Hello, your files are encrypted with RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).
You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.
To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: %s and provide us
your personal code %d. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.
If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.
Glamorous team

The following registry key is created to run itself at Windows login:
# HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
\winlogon\userinit = "%SysDir%\userinit.exe, %SysDir%\ntos.exe,"

(Where SysDir is the Windows System directory, e.g. C:\Windows\System32)

Symptoms

* File types mentioned previously, overwritten with "garbage" (encrypted data).
* Presence of aforementioned read_me.txt files.

Method of Infection

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

The next generation of security threats, Microsoft

2007-12-05T09:48:00.000-08:00

REDMOND, Wash.--Microsoft security engineer Robert Hensing had a question for the hundreds of his company's developers seated before him: can a person's PC become infected with a rootkit simply by opening a PowerPoint file?

In the packed conference center, a smattering of developers raise their hands. Nearby, in an adjacent room, where hackers invited to speak at Microsoft's Blue Hat conference watch the presentations on TV, an entire table of hands go up.

"That's one thing I want you to take away from this," Hensing tells the Microsoft developers. "Applications are dangerous."
"We're attacking today's problems. We certainly have to do that. We also need to get ahead."
--Matt Thomlinson, head of security engineering efforts, Microsoft

Indeed, even though Microsoft has spent a fortune securing Windows, experts say that hackers are moving beyond the operating system. Threats such as rootkits, which can corrupt an operating system, can now be transferred by applications or Web-based programs. A new crop of Web-connected mobile devices represent another emerging threat.

"Operating system vulnerabilities are on the decline," Hensing said in his talk at the most recent Blue Hat security conference in September. "Application vulnerabilities are on the rise."

In part, Microsoft is something of a victim of its own success in securing Vista and Windows XP before it. Halvar Flake, a security researcher who attended the latest Blue Hat, estimates the total cost of Microsoft's years-long security push at more than $1 billion, with a significant chunk spent on Vista. George Stathakopoulos, a general manager in Microsoft's security unit, wouldn't say how much Microsoft has spent, but said that it's "a big number."

Flake, CEO of security firm Zynamics, said that all of that spending has paid off. "Vista is the most difficult mainstream OS to break into that I've ever seen," he said. Because it is harder to hack, it is more expensive for criminals to target.

Paradoxically, it's not clear that Vista's improved security is persuading people to move to the operating system any faster. "Security is a tough sell, really," Flake said. "Customers can't really measure it."

Vista's security is likely making life more difficult for hackers. Flake said the malicious side of him "would hope Vista is a huge flop" and, as a result, that no company ever spends that kind of money and effort securing an operating system.

The true measure of the effectiveness of Vista's new security likely won't be measured for years. Microsoft and other vendors often tout how their newest releases have many fewer flaws than previous versions. That's usually true, but it's only part of the picture. Most of the major operating system vendors have seen their total number of vulnerabilities rise since 2004. New operating systems tend to have fewer flaws upon release, but operating systems live for five to seven years.

As a result, operating system makers try to design products to withstand the types of attacks their software may face toward the middle and end of its life--when operating systems are most heavily adopted.

"We're attacking today's problems," said Matt Thomlinson who heads Microsoft's security engineering efforts. "We certainly have to do that. We also need to get ahead."

The attacks themselves, meanwhile, have grown increasingly targeted. From the mass mailers, to broad phishing scams, to more recent attacks aimed at individuals. Experts expect that trend to continue, with malicious software growing ever more evasive.

Malicious software getting more complex
This year marks a turning point, according a report this week from Cisco Systems-owned IronPort Systems. "For a time, security controls designed to manage malware were working," said Tom Gillis, vice president of marketing for IronPort. "Just when malware design seemed to have reached a plateau, new attack techniques have burst forth, some so complex--and obviously not the work of amateurs--they could have only been designed by means of sophisticated research and development."
Photos: Microsoft's bug hunters

Modern malicious software, IronPort suggests, borrows many characteristics from today's social-networking sites. They are collaborative and adaptive. Plus, the company said, they fly under the radar, "living on enterprise or residential PCs for months or years without detection."

IronPort sees Trojan horses and malicious software becoming "increasingly targeted and short-lived," which will make them still harder to spot.

Layered atop that trend is the rise of new attacks that target software applications. While there are only a handful of major operating systems, there are literally thousands of applications, some used by millions of people.

Microsoft has spent significant time and money on securing its applications. After the experience of Slammer, for example, the company's SQL Server database became a model within the company for how to adopt secure development. Security researcher Dan Kaminsky, who has also attended Blue Hat and done a significant amount of security consulting for Microsoft, said that SQL Server has made significant gains over Oracle thanks to those improved practices.

The Office team, too, has taken note of the fact that its documents are frequently targeted as means for an attack. One of the less-discussed reasons for Office's new XML file formats, in fact, is that they are designed from scratch to be more secure, according to Microsoft.

Trojan.Win32.StartPage.jo

2007-11-28T09:26:00.001-08:00

Aliases
Trojan.Win32.StartPage.jo (Kaspersky Lab) is also known as: StartPage-AI.gen (McAfee), Trojan.StartPage (Symantec), Trojan.StartPage.350 (Doctor Web), Trojan:Win32/StartPage.EZ (RAV), TROJ_STARTPAG.JO (Trend Micro), TR/OLCheck.2 (H+BEDV), Win32:Trojan-gen. (ALWIL), Startpage.6.AR (Grisoft), Trojan.StartPage.EZ (SOFTWIN), Trojan.Startpage.gen-11 (ClamAV), Trj/StartPage.HE (Panda), Win32/StartPage.JO (Eset)

Description added Nov 23 2007
Behavior Trojan

Technical details

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 11776 bytes in size. It is packed using UPX. The unpacked file is approximately 48KB in size. It is written in Delphi.
Payload

Once launched, the Trojan will:

1. modify the following system registry key values:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.find-online.net/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst" = "yes"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.find-online.net/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Bar" = "http://www.find-online.net/sp.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL]
"Default" = "http://www.find-online.net/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL]
"provider" = "gog1"
[HKLM\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://www.find-online.net/sp.htm"

These changes modify the configuration of Internet Explorer.
2. create the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ziphelp" = "%WinDir%\ziphelp.exe"

This will cause "%WinDir%\ziphelp.exe" to be launched each time the system is started, assuming that such a file is present on the victim machine
3. create the following shortcuts in the current user's Favorites folder:
%USERPROFILE%\Favorites\FINDONLINE.net
%USERPROFILE%\Favorites\Free PORN Ezines
%USERPROFILE%\Favorites\Free PORN Tickets
%USERPROFILE%\Favorites\PORN FINDONLINE.net
%USERPROFILE%\Favorites\Adult\Breast Enlargement Pills
%USERPROFILE%\Favorites\Adult\Penis Enlargement Pills
%USERPROFILE%\Favorites\Adult\
%USERPROFILE%\Favorites\Adult\Sex Toys
%USERPROFILE%\Favorites\Adult\Sexual Enhancers
%USERPROFILE%\Favorites\Adult\Single Girls
%USERPROFILE%\Favorites\Adult\Swinger Clubs
%USERPROFILE%\Favorites\Health\Fitness
%USERPROFILE%\Favorites\Health\Human Growth Hormone
%USERPROFILE%\Favorites\Health\Men Health
%USERPROFILE%\Favorites\Health\Weight Loss
%USERPROFILE%\Favorites\Health\Women Health
%USERPROFILE%\Favorites\Insurance\Auto Insurance
%USERPROFILE%\Favorites\Insurance\Business Insurance
%USERPROFILE%\Favorites\Insurance\Health Insurance
%USERPROFILE%\Favorites\Insurance\Home Insurance
%USERPROFILE%\Favorites\Insurance\Travel Insurance
%USERPROFILE%\Favorites\Internet\Antivirus
%USERPROFILE%\Favorites\Internet\Internet Businesses
%USERPROFILE%\Favorites\Internet\Spyware Remover
%USERPROFILE%\Favorites\Internet\Web Hosting
%USERPROFILE%\Favorites\Internet\Web Site Design
%USERPROFILE%\Favorites\Online Games\Black Jack
%USERPROFILE%\Favorites\Online Games\Craps
%USERPROFILE%\Favorites\Online Games\Online Casinos
%USERPROFILE%\Favorites\Online Games\Poker
%USERPROFILE%\Favorites\Online Games\Roulette
%USERPROFILE%\Favorites\Online Pharmacy\Hydrocodone
%USERPROFILE%\Favorites\Online Pharmacy\Online Pharmacy
%USERPROFILE%\Favorites\Online Pharmacy\Prozac
%USERPROFILE%\Favorites\Online Pharmacy\Valium
%USERPROFILE%\Favorites\Online Pharmacy\Viagra Online

The Trojan then ceases running.
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Revert the following system registry key values:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.find-online.net/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst" = "yes"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Page" = "http://www.find-online.net/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Bar" = "http://www.find-online.net/sp.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL]
"Default" = "http://www.find-online.net/index.htm"
[HKCU\Software\Microsoft\Internet Explorer\SearchURL]
"provider" = "gog1"
[HKLM\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://www.find-online.net/sp.htm"
4. Delete the following registry key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ziphelp" = "%WinDir%\ziphelp.exe"
5. Delete all shortcuts created by the Trojan.
%USERPROFILE%\Favorites\FINDONLINE.net
%USERPROFILE%\Favorites\Free PORN Ezines
%USERPROFILE%\Favorites\Free PORN Tickets
%USERPROFILE%\Favorites\PORN FINDONLINE.net
%USERPROFILE%\Favorites\Adult\Breast Enlargement Pills
%USERPROFILE%\Favorites\Adult\Penis Enlargement Pills
%USERPROFILE%\Favorites\Adult\
%USERPROFILE%\Favorites\Adult\Sex Toys
%USERPROFILE%\Favorites\Adult\Sexual Enhancers
%USERPROFILE%\Favorites\Adult\Single Girls
%USERPROFILE%\Favorites\Adult\Swinger Clubs
%USERPROFILE%\Favorites\Health\Fitness
%USERPROFILE%\Favorites\Health\Human Growth Hormone
%USERPROFILE%\Favorites\Health\Men Health
%USERPROFILE%\Favorites\Health\Weight Loss
%USERPROFILE%\Favorites\Health\Women Health
%USERPROFILE%\Favorites\Insurance\Auto Insurance
%USERPROFILE%\Favorites\Insurance\Business Insurance
%USERPROFILE%\Favorites\Insurance\Health Insurance
%USERPROFILE%\Favorites\Insurance\Home Insurance
%USERPROFILE%\Favorites\Insurance\Travel Insurance
%USERPROFILE%\Favorites\Internet\Antivirus
%USERPROFILE%\Favorites\Internet\Internet Businesses
%USERPROFILE%\Favorites\Internet\Spyware Remover
%USERPROFILE%\Favorites\Internet\Web Hosting
%USERPROFILE%\Favorites\Internet\Web Site Design
%USERPROFILE%\Favorites\Online Games\Black Jack
%USERPROFILE%\Favorites\Online Games\Craps
%USERPROFILE%\Favorites\Online Games\Online Casinos
%USERPROFILE%\Favorites\Online Games\Poker
%USERPROFILE%\Favorites\Online Games\Roulette
%USERPROFILE%\Favorites\Online Pharmacy\Hydrocodone
%USERPROFILE%\Favorites\Online Pharmacy\Online Pharmacy
%USERPROFILE%\Favorites\Online Pharmacy\Prozac
%USERPROFILE%\Favorites\Online Pharmacy\Valium
%USERPROFILE%\Favorites\Online Pharmacy\Viagra Online

Virus Profile: PWS-Banker.gen.ak

2007-11-12T22:23:00.001-08:00

Virus Profile: PWS-Banker.gen.ak
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 11/12/2007
Date Added: 11/12/2007
Origin: Unknown
Length: N/A
Type: Virus
SubType: Generic
DAT Required: 5161

Virus Profile: W32/Sdbot.worm.gen.z

2007-11-12T22:09:00.000-08:00

Recent Threats
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 12/15/2004
Date Added: 9/22/2004
Origin: N/A
Length: Varies
Type: Virus
SubType: Generic Worm
DAT Required: 4394

Virus Characteristics
Due to the large volume of members of this virus family, the size of extra.dats required to detect these is very large. AVERT have therefore split the detection into multiple drivers although the behavior of all members is broadly similar.

Please review the W32/Sdbot.worm.gen description.

The W32/Sdbot.worm.gen.z exhibits the following behavior:

* The worm file is eXPressor protected
* Mlqm.exe process will listen for TCP communication on port 3032
* Issues a DNS query to the following domain: r3x.ma7d.com

Files Added

* %WINDIR%\system32\dllcache\mlqm.exe

The worm attempts communication with a server for further instructions. A remote attacker can use the worm to perform various tasks:

Gather system information (CPU, Driver Space, RAM, OS Version, User name, Computer name, IP Address)
SYN Flood others
Kill processes
Download files
Execute files

At the time this was analyzed the worm attempted to SYN Flood various addresses provided by the server.

Indications of Infection

Presence of %WINDIR%\system32\dllcache\mlqm.exe

Unexpected TCP communication on port 3032

Method of Infection

The exact method of propagation will vary between variants. However, the following characteristics are typical:

Share Propagation

*
The worm propagates via accessible or poorly-secured network shares, and some variants are intended to take advantage of high profile exploits:
* DCOM RPC vulnerability (MS03-026) -http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
* LSASS vulnerability (MS04-011) - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

WordPress founder looks into blogging's future

2007-11-08T13:25:00.000-08:00

LAS VEGAS, Nev.--If you type "Matt" into the Google search bar, you won't immediately get results for the actor Matt Damon or the political site owner Matt Drudge, as you might expect.

Instead, the No. 1 listing points to the site of Matt Mullenweg, the 23-year-old founder of WordPress, the widely used open-source software for blogging.

Befitting his Google ranking, Mullenweg could be considered a superstar here at the BlogWorld conference, where he spoke to hundreds of attendees Thursday about how he started WordPress and the future of blogging. To be sure, when people in the audience were asked if they use WordPress for their personal blogs, a unanimous show of hands went up. Everyone from political to bowling bloggers seemed eager to get Mullenweg's advice on the art of the craft--and how to make money from it.

Mullenweg offered simple pearls of wisdom about what makes a blog compelling.

"One universal about blogging is a lot like music: You have to be unique and you have to absolutely love what you're doing," he said.

Mullenweg started developing WordPress while he was still in college; and he worked on it over several years, including while at CNET, publisher of News.com. Once he left CNET in late 2005, he started the business behind WordPress, called Automattic, which sells blog hosting services and an anti-spam application.

Now, the site draws roughly 100 million unique monthly visitors and is among the top 25 global sites, according to research firm Comscore.

Still, WordPress and Automattic only have 18 employees and they operate from a small investment made in the company more than two years ago, Mullenweg said. How do they fulfill all that demand with 18 people? "Lots of caffeine," he said.

When asked about the future of his business, he answered that he likes the Craigslist model, which as a company has stayed relatively small and does not accept advertising. But he said that he believes there's a way to incorporate ads that are tasteful.

"I would like to stay small but logistically we need many more people on the support side."

Blogs are also one tier in the frenzied social media industry that encompasses Facebook and others. Asked how his software meshes with sites like Facebook, he said he'd like to see more incorporation between the two. Because ultimately, he said, blogs are more telling of a person's personality. That's why he believes Wordpress will become a more popular social network platform, allowing people to post things like widgets of their Facebook profile on a blog or vice versa.

"The software is getting smaller, faster and lighter but what you can do with it is going up," he said.

In the grand scheme of things, Mullenweg said he wants the future of the Web to be open source; and he hopes to get more people using open source platforms to write their blogs, even if it's not WordPress.

But he's obviously driven competitively, too. (His blog ranks No. 1 on Google because of all the links back to his site from WordPress.) He recently saw a survey from Google, in which the search giant examined all of the http headers of Web. He found that .8 percent of those pages were powered by WordPress.

"That's how far we've come, but we have a lot of work to do," he said.

Exploit posted for Viewpoint Media Player flaw

2007-11-06T11:25:00.000-08:00

Exploit code for an unpatched vulnerability in the widely distributed Viewpoint Media Player has been posted on the Internet, putting millions of Internet Explorer users at risk of code execution attacks.
The exploit, available at Milw0rm.com, takes advantage of a stack-based buffer overflow in the Viewpoint browser plug-in that sits on millions of computers thanks to bundling deals with AOL, AIM, Netscape and Adobe.

The player serves as the graphics engine for AOL Instant Greetings, AIM Themes and other popular web applications and is also used to power product tours for the Toyota 4Runner and Sony laptop, desktop, and server computing products.

According to “Shinnai,” the hacker who discovered the flaw, the exploit was tested on a fully-patched Windows XP Professional SP2 with Internet Explorer 7.

The bug was found in the xMetaStream.dll (version 3.3.2.26), which is marked as safe for scripting.

The AxMetaStream activex contains various methods which accept parameters as String. All these methods are vulnerable to a stack based buffer overflow when you pass an overly long (greater than 6999 characters).

In the absense of a patch, Shinnai recommends uninstalling the Viewpoint Media Player.

“Shinnai” was the hacker behind the Month of ActiveX Bugs project.

Bogus FTC e-mail has virus

2007-11-04T14:48:00.000-08:00

The Federal Trade Commission, which has declared war on Internet scams, warned consumers on Monday not to open a bogus e-mail that appears to come from its fraud department because it carries an attachment that can download a virus.
The e-mail says it is from "frauddep@ftc.gov" and has the FTC's government seal.

But it was not issued by the agency and has attachments and links that will download a virus that could steal passwords and account numbers, the agency said.

"It's a treasure trove for identity theft," said David Torok of the FTC's Bureau of Consumer Protection. "We're concerned. The virus that's attached to the e-mail is particularly virulent."

The agency, which is one of several government agencies investigating cyber fraud, did not know how many people had received the e-mail.

"We've received hundreds if not thousands of calls and complaints, this one may have had a large distribution," he said.

Recipients should forward the e-mail to spam@uce.gov, an FTC spam database used in investigations.

Nine percent of people surveyed in a poll conducted in August and September reported having had their identities stolen, Bari Abdul, a vice president at security software maker McAfee, said at a cybersecurity conference on October 1.

Fighting spyware

2007-11-01T16:15:00.001-07:00

Fighting spyware may seem like an uphill battle, but it is a campaign that most of us have little choice but to wage. Over a 15-month period. Microsoft's MSRT alone removed 16 million instances of malicious software from 5.7 million computers, 62 percent of which housed at least one backdoor trojan.
Even the most computer- and security-savvy Internet users occasionally fall victim to spyware. Given the financial gain that drives spyware, these pests will undoubtedly continue to proliferate. For spyware. the best defense is a strong offense: taking reasonable steps to prevent and detect spyware can reduce your risk of compromise and your need for expensive remediation .

The old adage, "An ounce of prevention is worth a pound of cure" certainly applies to spyware. Once spyware has been installed on a host, it can be extremely difficult to return that host to a trustworthy state. Efficient spyware defense starts with proactive steps intended to circumvent popular delivery methods.

Porn Trojan may mark new era for Mac security

2007-11-01T14:18:00.000-07:00

A new piece of malware, specifically designed to exploit Apple's OS X, has been found by Mac security software firm Intego, but Symantec has said the firm is prone to "hype".

Intego issued an alert on Wednesday, warning Mac users of the OSX.RSPlug.A malware, which it describes as a Trojan horse.

The malware is being distributed via a porn site that promotes itself as offering free content. Mac users are being lured to it via links distributed to a number of Mac community message boards.

When visitors attempt to launch the video, they are advised that QuickTime cannot be used and, to view the content, they must download a new version of codec. For the Trojan to be installed, it requires the user to open up the .dmg (disk image) file, click the installer.pkg file, and enter the administrator's password, according to Intego.

If the user does install the Trojan, it changes the user's domain name system (DNS) settings and redirects them to phishing or a number of porn websites. DNS settings are used to look up the correspondence between domain names and IP addresses for websites.

Users of the Mac OS X 10.4 operating system — Tiger — will be unable to see the changed DNS server in the operating system's graphical user interface (GUI). However, those using Mac OS X 10.5 — Leopard — are able to view the changed DNS through its advanced network preferences. The added DNS servers are dimmed in Leopard's GUI, reports Intego.

Intego claims the vulnerability is likely to exist in older versions of Apple's operating system because all versions of OS X have what Intego calls the "scutil command", which allows the DNS server to be altered.

"The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this ensures that, in such a case, the malicious DNS server remains the active server," said Intego on its blog.

For users that do fall for the scam, Intego claims its security software can remove the Trojan. However, Macworld's Rob Griffith has also provided instructions for users on how to manually remove it.

New era or just vendor hype?
Symantec claimed that Intego tends to "overhype things", but Alex Eckelberry, of security firm Sunbelt, disagreed on his blog, citing the firm's resident Mac guru as being "genuinely surprised" by the Trojan discovery.

"I've been using Macs since 1989. This is the first time I've seen something like this," Eckelberry wrote, quoting his colleague.

"I'm not trying to over-hype. Mac users hungry for pr0n really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and iPhone, running OS X," Eckelberry added.

Simon Clausen, director of security vendor PC Tools, agreed the Trojan is a significant milestone for Mac users.

The use of cron tabs — a file that tells the operating system to run commands — is rudimentary, but it's just a first attempt.

"It's the same thing that happened when Vista came out; people had to go through a few steps to get infected, but that was until people figured out a way to get around it. Really, the Mac is less about being a computer than it is about being an everyday device. That's why there's a huge potential for people to target that platform in general. Think how attractive it is to tap the iPhone market that is always on and owned by upper middle-class [users]," said Clausen.

"Anything that's targeted towards Macs is the beginning of Macs becoming a targeted platform. Macs are not impossible to get around. There are probably less known exploits, but they are only less known because fewer people are focusing on the platform," Clausen added.