Threat Lab

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction: It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it is hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Our Cup Runneth Over with Farrah Fawcett Files and Michael Jackson Malware

With the sad news circulating the globe that 70s sex symbol, TV pitchwoman, and former Charlie’s Angel Farrah Fawcett passed away this morning, it didn’t take long for the malware vultures to execute their attack.

Beginning in the afternoon, our Proactive Research team began finding tons of pages that purportedly offered a Farrah Fawcett poster or photo for download. What you got, when you clicked the link that looks suspiciously like a video player (not a static image), was — you guessed it. A load of junk.

Interestingly, hovering the mouse over the video link causes the browser to display a “preview image” that looks awfully like Google’s front door. But clicking the link to the video brings you to yet another page with something that looks like a video player, and only when you click that link do you end up with an executable on your desktop.

Few antivirus companies have the malware in their definitions yet. We’re identifying the files pulled down by the Fawcett installer as Trojan-Cognac (they leave, shall we say, a distinctive aftertaste), as well as Trojan-Zoeken and Adware-Sabotch. Zoeken is a nasty downloader that pulls all kinds of badness onto an infected system, and Sabotch tends to tout those wonderful rogue antivirus products we all love so much.

So far, the Fawcett-related malware is all coming from fake pages set up on blog site Vox.com. Until they clean up this mess (which I imagine will be fairly time consuming, as new ones keep popping up), don’t follow any search links headed in their direction.

And this afternoon, as rumors began to circulate that Michael Jackson was ill in hospital, the jackals pounced on that bit of news. More on that in the next post.

Drive-by Downloads Still Pack a Punch – If You Click

In the course of surfing around, looking for ways to get infected, I stumbled upon a site that offers visitors downloads of key generators, cracks, and other ways to circumvent the process most legitimate software companies use to keep people who didn’t pay for the software from registering or using it.

And of course, I stumbled into a morass of malware.

Well, “stumbled” isn’t entirely accurate. The site is well-known to us as a host of drive-by downloads — it’s a site that uses browser exploits to infect your computer. But I went there anyway just to see what they’re driving-by with these days. Technically, the site didn’t burn us — it came from an advertising network, which loaded a script that bounced to three separate machines before landing my test PC in the hot seat. Cold comfort if your PC happens to get slammed with this junk.

If You’ve Got Game, Phishers Want Your Stuff

Since the beginning of the year, my colleagues in the Threat Research group and I have been researching an absolutely astonishing volume of phishing Trojans designed solely to steal what videogame players value most: the license keys used to install copies of legitimately purchased PC games, and/or the username and password players use to log into massively multiplayer online games such as World of Warcraft.

I can only imagine that it takes very little effort for the jerks behind this scheme to retrieve thousands of account details. (We began covering this issue briefly last week.) With such an effortless infection method, and the difficulty of prosecution (let alone identifying the perps), they don’t even seem to be concerned in the slightest about covering their tracks.

These single-purpose Trojans are very good at what they do, and can rapidly (and silently) report the desired information back to servers — typically, perhaps unsurprisingly, located in China. We know the exact servers they contact, and what kinds of information they’re sending. And we know why: Thar’s gold in them thar WoW accounts, and the rush is on to cash in.

Today, I’m going to go deeper into how the infections happen.

May Threat Trend: Misleading Malware

The latest data from our customers indicate that, at least in the month of May, we were blocking and removing some of the nastiest threats on the Web. Among the spies we took out, we hit Fakealerts and Rogue Security Products hard. These spies simply try to fool you into making purchases you otherwise wouldn’t. After a hiatus of several months, the makers of these types of malware appear to be making a comeback.

Simply put, a Fakealert is a piece of adware. Unlike traditional ads, however, the ads a Fakealert pops up take on the appearance of official-looking error dialogs and Windows-esque warning messages (not always as poorly worded as the example shown in the screenshot). Many present themselves as clones of the Windows Security Center control panel, or as the cartoon-voice-bubble popups from the System Tray.

Fakealerts push their particular brand of stale baloney on the unsuspecting public for one reason: they want to trick you into downloading and running a program that looks, for all intents and purposes, like a system utility or an antispyware or antivirus product. The program displays realistic-looking “scans” that “find” allegedly malicious files on your computer. The joke of these “scans” is that they’re often no more than Flash animations. Because they run on any operating system that can display a Flash video, you can even get them to “scan” a Mac or Linux box and “find” malicious files in parts of the filesystem that don’t even exist on those platforms. Oh well; you can’t blame a fraudster for trying.

Many of these threats are installed when users inadvertently click a popup message warning them that they need to run a file to load a missing video codec, or to install an ActiveX control that supposedly will perform a “free scan” of the system. Sometimes the people behind these ads even put a fake “close box” in the upper right hand corner of the fakealert message, to trick you into clicking inside the active area of the ad window, where every click counts as a click on the ad. If you see this kind of ad appear, hold down the Alt key on your keyboard while you press the F4 key; that closes the active window without requiring you to click anywhere inside it.

The bottom-line message is that while you should remain vigilant against potential frauds and scams, keeping your PC updated with the latest threat definitions is equally if not more important.

Adware client tags you as its pitchman

Over the past week, someone has been spamming the file sharing site ThePirateBay.org with comments advertising a new “product” called BittorrentBooster. According to the site’s administrators, the spammer used a large number of fraudulently registered accounts to post the messages as feedback, attached to hundreds, possibly thousands, of downloadable .torrent files, which file-sharers use to initiate a peer-to-peer download session.

I decided to take a closer look, because the product’s claims — to be able to give file-sharers a massive speed boost during the “leeching” (or, downloading) phase of their torrent session — sounded pretty implausible. Impossible is more like it: The spammed ads for the product state, in characteristically broken English, it can help users “get your torrents download in 10 times faster!!”

The simple fact is, the amount of bandwidth available to you, network congestion, the number of people sharing a file, their bandwidth capabilities, and many other factors out of any individual PC’s control determine the download speed for a given torrent. No program can deliver a download performance increase of the scale promised by this product.

So, assuming the claims were snake oil, I took a closer look at what else the program was capable of. As it turns out, it’s a very capable delivery mechanism for advertising—in places I didn’t expect.

Facebook Miscreants Dealt a Temporary Smackdown

After more than a week of harassment by goofballs spamming links, Facebook users can breathe a sigh of relief that, for now, at least one source of trouble has been eradicated.

Last week’s worm-like spread of links to the mygener.im domain, and this week’s use of the ponbon.im and hunro.im domains to phish Facebook users’ credentials, have been a puzzling diversion from my normal malware analysis tasks. The mygener.im link that was spammed into Facebook accounts redirected users to a page hosted elsewhere that contained nothing but perplexingly obfuscated JavaScript (with variable names, shown in the screenshot, that appear to consist mostly of Latin words) which, as far as I and other researchers here can tell, didn’t do anything at all.

But yesterday I decided that enough was enough, so I emailed the operator of the .IM top-level domain, the Isle of Man domain name registry, nic.im, to ask what the heck was going on with all these .IM domains being used for malicious purposes. After all, as a result of the metric tons of malicious code and browser exploits I see originating on Web sites registered in the .biz and .info top-level domains (TLDs), I personally no longer have any confidence in a site registered under either of those TLDs. The big question in my mind was: is .IM on its way to becoming another lost cause?

As it turns out, .IM’s operators really jumped on the problem. The registry’s representative promptly replied to my messages, and the registry has suspended not only the three domains I’ve named, but twelve others I hadn’t heard of that were registered in the .IM TLD through the same intermediary and, in his words, “which we suspect were being used for malicious purposes.”

“We take the reputation of the IM registry seriously and police it to try and prevent events like this from arising,” he continues. “Where we can, we block users from registering via a variety of means and, in the main, this has to date been successful [but] from time to time we have to make changes to our processes, and these events will act as a prompt to review them to see where we can tighten things up.”

So for now, Facebook users, breathe easy — until the bad guys find a domain registry willing to look the other way. And thank you, .IM, for showing us all how a responsible (and responsive) top-level domain NIC deals with criminals — by swiftly shutting them down.

Old Chinese Hack Tool Used for New Tricks

This week’s installment of what’s-old-is-new-again in the world of malware comes from one of the many groups making and distributing phishing Trojans in China. Earlier this year, someone discovered a hacktool called ZXArps and began distributing it in earnest as a payload from another malicious downloader.

Unlike most malware we see these days, ZXArps (which dates back to 2006, and was discovered by the English-speaking security community the following year) isn’t designed to perform a single task. It’s more like a Swiss Army knife, giving its users a great deal of control over not only the computer on which it’s running, but the immediate network environment in which that computer sits.

In essence, the tool is designed to inject specially-crafted data packets into the network, and some of those packets can manipulate the behavior of the infected computer as well as others on its network. In most networks, a router or gateway acts as a sort of traffic cop, directing information between computers on that network and other networks, and to/from the Internet. The power of ZXArps comes from its ability to impersonate that traffic cop, fooling the network into directing traffic wherever the malware-maker wishes.
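
What the paragraph above describes is ARP cache poisoning: a host on the LAN sends ARP replies claiming the gateway’s IP address for its own hardware address, so neighbours forward their traffic to it. The block below is an added example, not code from the original post or from ZXArps, showing how a network sensor can catch that behaviour from the frames alone: it decodes Ethernet/ARP, remembers which MAC answered for which IP, and alerts on replies nobody asked for and on a changed binding for the gateway. All addresses and the three frames are constructed for the demonstration.

```python
"""Spot ARP cache poisoning by watching ARP replies on the wire (added example)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an IPv4 ARP packet in RFC 826 layout (42 bytes)."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(target_mac)
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)     # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the ARP fields, or return None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpWatch:
    """Remember who answered for which IP; alert when an answer is unsolicited or changes."""

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.bindings = {gateway_ip: gateway_mac}   # seed with the known-good gateway binding
        self.pending = set()                         # (asker_ip, asked_for_ip) requests seen

    def observe(self, frame):
        alerts = []
        arp = parse_arp(frame)
        if arp is None:
            return alerts
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["sender_ip"], arp["target_ip"]))
            return alerts
        if arp["op"] != ARP_REPLY:
            return alerts
        # Poisoning tools push replies that no host asked for
        asked = (arp["target_ip"], arp["sender_ip"])
        if asked in self.pending:
            self.pending.discard(asked)
        else:
            alerts.append(f"unsolicited reply: {arp['sender_ip']} is-at {arp['sender_mac']} "
                          f"(to {arp['target_ip']})")
        # The same IP now answered from a different MAC: someone is impersonating it
        known = self.bindings.setdefault(arp["sender_ip"], arp["sender_mac"])
        if known != arp["sender_mac"]:
            who = "GATEWAY " if arp["sender_ip"] == self.gateway_ip else ""
            alerts.append(f"{who}binding change: {arp['sender_ip']} was {known}, "
                          f"now {arp['sender_mac']}")
        return alerts


def demo():
    """Constructed traffic with hypothetical addresses: a normal exchange, then a poisoned reply."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:55"
    victim_ip, victim_mac = "192.168.1.20", "66:77:88:99:aa:bb"
    attacker_mac = "de:ad:be:ef:00:01"
    watch = ArpWatch(gw_ip, gw_mac)
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # genuine answer
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),  # forged answer
    ]
    return [alert for f in frames for alert in watch.observe(f)]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run as a script, `demo()` yields two alerts for the forged frame: one because no request preceded it, and one because 192.168.1.1 is now claimed by a second MAC. On a real segment the frames would come from a capture socket or pcap instead of `build_arp`; the seed binding for the gateway is what turns a generic “binding changed” into a high-confidence “gateway impersonated”.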

And in this case, infected PCs are directed to Web sites hosted in China which, when visited, infect the computer with even more malware. It’s a nasty trick, and it works beautifully. Read on for its damage potential.

Malware targets mobile IMers

Once in a while, you don’t have to do anything at all and malware just drops into your lap. That happened to me the other day, when I received a buddy request from a total stranger in my decade-old ICQ instant messenger account. It has never failed to be a rich source of malicious links, SPIM, and other fun stuff (from a malware research perspective, that is).

ICQ is a multi-lingual community, and this request was written in the Cyrillic alphabet. My client didn’t render it properly, so I couldn’t read the text of the come-on. But I could read the plain-ASCII URL that was linked at the bottom. So, curious, I took a look. The page looks pretty basic, with text (badly translated to English) which reads “There is my candid photos))do you will hear me on him?” and a link to download a file.

I’m a sucker for grammatically tortured social engineering, so I couldn’t resist. Yes, I thought to myself, I do will hear you on him.

April 2009 wrapup: Thumbdrives under threat

We’ve just tallied the top 10 threats Webroot’s consumer products detected during the month of April, and some interesting trends appear to be shaping up.

Conficker aside, the first quarter of 2009 seemed to be dominated by worms that spread not only over a network, but to virtually anything you can plug into a USB port to store files. Thumbdrives and portable hard drives immediately come to mind, but so do MP3 players, digital picture frames and memory cards, like the kind you’d use in cameras, cellphones, or videogame players.

April proved to be no different. It’s very much a case of what’s old is new again, reminiscent of the era when sharing an infected floppy disk could wreak havoc.

We’re also seeing malware distributors still trying to use old vulnerabilities to infect computers. Even JPEG files crafted to exploit the MS04-028 vulnerability, a GDI+ bug that Microsoft fixed four and a half years ago, are still floating around the net looking for older, unpatched systems, as are scripts attempting to exploit the ADODB.Stream vulnerability. If you ever needed a reason to run Windows Update, this is it.
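
The MS04-028 trigger is a JPEG marker segment, typically a comment (COM, 0xFFFE), whose two-byte length field is 0 or 1. The JPEG length field counts its own two bytes, so a compliant value is never below 2; the vulnerable GDI+ code subtracted 2 to get the payload size, and 0 or 1 wrapped around to a huge unsigned value. Below is an added example, not code from the original post, of a marker-segment walker that flags any segment with a length field under 2, which is a cheap gateway or mail-filter check for this class of file. The two byte strings are constructed for the demonstration, not real samples.

```python
"""Walk JPEG marker segments and flag the length-field underflow behind MS04-028 (added example)."""
import struct

EOI, SOS, COM = 0xFFD9, 0xFFDA, 0xFFFE
NO_LENGTH = {0xFF01, *range(0xFFD0, 0xFFD8)}   # TEM and RST0..RST7 carry no length field


def walk_segments(data):
    """Yield (offset, marker, length_field) for every marker up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream: no SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        if data[pos + 1] == 0xFF:          # fill byte; the real marker byte follows
            pos += 1
            continue
        marker = 0xFF00 | data[pos + 1]
        if marker == EOI or marker in NO_LENGTH:
            yield pos, marker, None
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == SOS or length < 2:
            return   # entropy-coded data follows SOS; a length below 2 cannot be stepped over
        pos += 2 + length   # the length field includes its own two bytes


def check_jpeg(data):
    """Return findings for marker segments whose length field is 0 or 1 (the MS04-028 trigger)."""
    findings = []
    for off, marker, length in walk_segments(data):
        if length is not None and length < 2:
            name = "COM" if marker == COM else f"0x{marker:04X}"
            findings.append(f"{name} marker at offset {off}: length field {length} < 2")
    return findings


# Constructed byte strings, not real samples: a benign JFIF header and one carrying the trigger.
BENIGN_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16)
               + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xfe" + struct.pack(">H", 7) + b"hello"
               + b"\xff\xd9")
TRIGGER_JPEG = b"\xff\xd8" + b"\xff\xfe" + b"\x00\x01" + b"A" * 32 + b"\xff\xd9"

if __name__ == "__main__":
    print(check_jpeg(BENIGN_JPEG))    # []
    print(check_jpeg(TRIGGER_JPEG))   # one finding at offset 2
```

The walker deliberately stops at the first bad length rather than trying to step over it: with a length of 0 or 1 there is no defensible next offset, which is exactly the condition the vulnerable decoder mishandled. Patched systems are not at risk from such a file, but its presence is still a reliable sign that the sender is hostile.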

Botnet malware targets MyYearbook

The team here at Webroot has picked up on a Trojan that appears to target a relatively new social networking site: MyYearbook.com.

The site caters to the high-school-age crowd with activities that include various kinds of person-to-person challenges, streaming TV, and a kind of virtual matchmaker service for the tween-and-above set. We’re calling the malware that targets the site Trojan-Myblot.

We received our copy via a malicious BitTorrent download, which purportedly distributed a Windows utility. Instead, we received a file that downloaded several payloads, eventually landing our infected system firmly in the clutches of Myblot.

So what does it do? The Trojan, unusual in that it was written in Microsoft’s Visual C# and requires the .NET Framework to run, runs silently in the background. While running, it reports the locally installed bot’s identity, whether the user of the infected system uses Gmail, and whether the infected system has received an updated bot client. It performs these update checks roughly every 15 to 45 seconds.
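
A client that checks in on a fixed short schedule, as Myblot does every 15 to 45 seconds, stands out in proxy or firewall logs by the regularity of its connection intervals rather than by the destination name. The block below is an added example, not code from the original post, that groups connections by (source, destination), computes the gaps between successive hits, and flags pairs where most gaps sit within 50% of the median gap. The log format, hostnames and addresses are constructed for the demonstration; the bot’s gaps are chosen to fall in the 15 to 45 second range described above.

```python
"""Flag hosts that contact one destination at regular short intervals (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_log(start, src, dst, gaps):
    """Build constructed proxy-log lines of the form '<ISO time> <src> <dst> GET /'."""
    lines, ts = [], start
    for gap in (0, *gaps):
        ts += timedelta(seconds=gap)
        lines.append(f"{ts.isoformat()} {src} {dst} GET /")
    return lines


_T0 = datetime(2009, 4, 27, 10, 0, 0)
SAMPLE_LOG = sorted(
    # constructed: bot on 10.0.0.5 checking in every 15-45 s
    make_log(_T0, "10.0.0.5", "c2.example.test", [20, 35, 15, 42, 28, 31, 19])
    # constructed: a person on 10.0.0.7 browsing at human pace
    + make_log(_T0, "10.0.0.7", "www.example.test", [3, 120, 8, 400, 2, 60, 900])
    # constructed: too few hits to judge either way
    + make_log(_T0, "10.0.0.9", "mail.example.test", [50, 50])
)


def parse_line(line):
    ts, src, dst = line.split()[:3]
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines, min_hits=6, band=0.5, min_regular=0.8):
    """Return (src, dst) pairs whose inter-connection gaps cluster tightly around their median."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)
    beacons = []
    for (src, dst), seen in times.items():
        if len(seen) < min_hits:
            continue                       # not enough samples for a verdict
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        med = median(gaps)
        if med <= 0:
            continue                       # sub-second bursts are a different pattern
        # fraction of gaps within +/- band of the median: 1.0 means a metronome
        regular = sum(abs(g - med) <= band * med for g in gaps) / len(gaps)
        if regular >= min_regular:
            beacons.append({"src": src, "dst": dst, "hits": len(seen),
                            "median_gap_s": med, "regular": round(regular, 2)})
    return beacons


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample, only 10.0.0.5 talking to c2.example.test is reported (8 hits, median gap 28 s, every gap within the band); the browsing host has similar volume but erratic gaps, and the mail host has too few hits to score. The median-relative band is what lets the rule tolerate the 15 to 45 second jitter a bot like this adds while still rejecting human traffic.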

Myblot reconnaissance data

Myblot phones home several times a minute

One of MyYearbook’s activities is just called “Battles” — it’s basically a way for people to post photos of themselves, or others, and earn some sort of online cred for being voted “Scariest rollercoaster face” or “Most emo.” As if. The malware spawns popup ads that look like a Battles “IQ challenge” invitation from a teenage girl who needs to put some more clothes on. When clicked, the browser redirects the user through an ad Web site called Yeprevenue.com.

The fake MyYearbook Battles window

There is some good news for victims. First, the infection is easily removed, whether you sweep with Webroot Spy Sweeper or delete the file manually. The malware is also pretty badly coded, so unless all the required pieces are in exactly the right location, the Trojan fails to execute, or just throws a .Net error message and quits. Clearing your Temp folder is another way to get rid of it.

Unfortunately, there’s also bad news for users of infected machines: The server that hosts the fake Battles ad also has a tendency to redirect the browser elsewhere. In particular, the browser on my test system was pushed through two separate Web sites that used browser exploits and obfuscated Javascript code to eventually infect the system with another obnoxious piece of malware, Trojan-Relayer-Jolleee.

Jolleee quietly sends spam from infected machines to unsuspecting users, getting lists of victims and the message text from servers it contacts. So while it looks like we can easily stamp out Myblot, it doesn’t want to go out quietly, without putting up a fight.

Do you Think Security First?

In an era when virtually all businesses use the Internet, in one form or another, to get work done, it’s worth asking the question posed in the title of this blog entry. Think Security First is an organization dedicated to helping spread security gospel to businesses — via chambers of commerce. Their goal: to create a Neighborhood Watch for the Internet, organized around these local business groups.

On Monday, several other speakers and I had the opportunity to address representatives of chambers of commerce at a panel discussion organized by Neil O’Farrell, the group’s founder and chief evangelist. Webroot is a sponsor of the group, along with several other security software companies, credit reporting agency Experian, Microsoft, and various law enforcement agencies. Among the other speakers were former White House cybersecurity czar Andrew Purdy; Dyann Bradbury, the director of the FBI’s Infragard program; and Michael Levin, a cybercrime expert who worked for the Secret Service and helped run Homeland Security’s National Cyber Security Division.

Though all the speakers brought their perspectives to the panel, the bottom line from all the panelists ended up in virtually the same place: Businesses, and the people who run them, have to make fundamental changes about to how they address security concerns, putting thought from the ground up into the security of their own systems and data, and privacy of customer information.

As someone who has beaten that drum for more than a decade, I found it both refreshing to hear a chorus of agreement and frustrating that, eight years after the organization was founded, security evangelists say they feel stuck in a Groundhog Day-style repetition of the same advice, over and over. At the same time, every news story about a worm infection taking down a network, or a laptop full of customer data vanishing from a bag or being left in an airport, a train seat or an unlocked car, is a reminder that businesses still fail to follow good security practices.

Phishing Trojan Targets Russian Finance Websites

For a long time, we’ve heard about phishing attacks originating in Russia or eastern Europe that target western banks. There’s nothing surprising there. Latter-day Willie Suttons typically target big US or European banks because, well, that’s where the money is.

That’s why I was kind of surprised to stumble across a phishing Trojan that targets some of Russia’s largest online financial Web sites, including RBK Money (formerly known as RUPay), Yandex, Moneymail, and OSMP, one of Russia’s PayPal alternatives. Aside from e-gold, I hadn’t seen this many Russia-specific websites listed as targets within a phishing Trojan before.

Is Russia suddenly “where the money is?” According to Forbes, it is. The magazine reported last year that its most recent list of the world’s richest people included 87 Russian billionaires, a year-over-year increase of 64%, and 136,000 millionaires. So, maybe it makes sense for the people who build these malicious tools to target Russian banks and online payment sites.