Friday, January 27. 2012
Hijacking Facebook Credentials by Ramnit
The Ramnit virus, which infects Windows executable and HTML files, spreads through removable media and was first detected more than 18 months ago.
Ramnit uses tactics from the Zeus financial malware platform, which was discovered around 2007: it can inject HTML code into a web browser to bypass the two-factor authentication and transaction signing systems that financial institutions use to protect online banking sessions. Zeus was first identified in 2007 and is known to have affected millions of computers. By combining its earlier file-infection technique with the technique used by the Zeus worm, Ramnit has developed into full-blown malware capable of causing financial loss to the infected user. As per the data available with us, nearly 45,000 Facebook credentials have been compromised by the Ramnit virus, possibly as a way to gain access to other computer systems, such as financial systems and the corporate enterprise.

The interesting thing about this malware is that malware writers are now reverse engineering other malware that already contains the complicated parts, and rewriting those techniques to create a new hybrid malware. Creating a hybrid is far easier than writing completely new code from scratch, particularly if the most dangerous pieces of a Trojan can be taken and grafted onto another destructive virus.

While using Facebook it is always safer to avoid clicking on strange links, even if they come from a user you know, and as a first line of defence keep changing your Facebook password regularly. Since the malware also steals sensitive information such as saved FTP credentials and browser cookies, among other threats, it is better to keep personal login credentials separate from those used in the workplace, and if necessary avoid using Facebook in the workplace.

Friday, January 20. 2012
Beware of Fake FedEx Tracking Report Notification.
Since last week some of our customers have been informing us that they are receiving spam email purporting to come from FedEx, with the subject line "FedEx Shipment Notification". The email looks like the one below:
The spam email contains a zip file; on extraction it yields an executable named FedEx_Tracking_Report_Notification_ID.exe. This is a malicious file belonging to the Zbot family, and Quick Heal detects it as Trojan.Zbot.Y. When executed, it hooks APIs used by Internet Explorer and Mozilla Firefox to steal login credentials and captures data when the user visits certain websites. It then sends the gathered information to remote servers, where cyber criminals may use it for their own malicious activities or sell it in underground markets. We recommend that you stay away from such fraudulent emails and never execute an attachment received from an unknown sender.

Friday, January 20. 2012
Beware of Free Facebook Mugs Scam.
The Free Facebook Mug scam is somewhat different from the previous Facebook scams.
Similar to the previous scams, it redirects users to complete online surveys. More importantly, it also steals the user's Facebook email id and installs a browser plugin, so by the same method the scammers could install any malicious file on the user's machine.

If you click on the above link, it takes you to a page like the one below. It is a well crafted web page that looks similar to Facebook so that people will believe it. It says "Facebook is giving away ceramic coffee mugs free of cost" and asks the user to click on Continue. After clicking, the user is redirected to the page "http: // freemug.info/mug.html", which asks them to click an Order Now button. Clicking Order Now takes the user to freemug.info /verify.html, which asks them to enter their Facebook email id. After entering the email id and clicking Verify, the user is redirected to "http: // freemug.info/final.html", which asks them to complete online surveys.

By analyzing the source code of "http:// freemug.info/ mug.html" we found that it contains a script to install a browser plugin named "Youtube Extension". By installing such plugins the scammers can redirect Facebook users to any other scam.

Thursday, January 19. 2012
Android Malware Targeting Users with Fake Android Market Website
This Android malware targets users through a fake Android Market website, at a URL that is nothing like the real Android Market website, which is https://market.android.com.
When users click on the in-app ad, they are taken to something that looks like the official Google Android Market, what you would expect if you were about to download an Android app. However, it is really a website designed to look just like the Android Market. Once on that malicious web page, users are prompted to download the advertised app by clicking a button that appears to be like any download button for any Android app. The Trojan then begins to download. The user is then prompted via a dialogue screen to click a notification and then install a specific file, again a different process from installing an app from the Android Market. Quick Heal blocks the fake website, and downloaded malicious applications are detected by Quick Heal Mobile Security as "Android.FakeNotify.B".

Wednesday, January 18. 2012
Fake emails- American Airlines
I have come across significant activity related to spam email messages pretending to be from American Airlines. The email misleads the user into believing that a scanned copy of his purchased ticket is attached to the email and should be printed for use.
The email has Ticket.zip as an attachment, which contains a malicious Ticket.exe file. When executed it infects the system with malicious code; in this case the attached sample installs the rogueware named "XP Home Security 2012". Quick Heal detects and deletes the attached file and the installed rogue security software.

Friday, January 13. 2012
Phishing Campaign Using Spoofed US-CERT Emails
Phishers are using spoofed email addresses from the US Computer Emergency Response Team (US-CERT) to trick recipients into downloading a malicious executable.
The emails are sent from the spoofed email address "soc@us-cert.gov", with the subject "Phishing incident report call number: PH0000003863970". The fake warning claims US-CERT has opened the incident number PH0000007135030 and invites recipients to enquire about updates at soc@us-cert.gov, quoting the reference PH0000006681938. The attached zip file is titled "US-CERT Operation Center Report {Random value or string}.zip" and contains an executable named "US-CERT Operation CENTER Reports.eml.exe". Quick Heal detects this file as "TrojanDropper.Injector.bsab"; the Trojan is used to spy on information, mostly bank access and transaction data. Quick Heal advises users not to open the email or any of the attachments and to promptly delete the email from their inboxes.

Thursday, January 12. 2012
Android Rogueware targeting “Stevens Creek Software”
We have received a new malicious Android sample which uses the names of popular games and applications published under the name "Stevens Creek Software" to get installed on the user's mobile.
The interesting thing about this rogueware is that, unlike other Android malware which asks for numerous permissions before getting installed, it asks for only three permissions. After installation it shows the message below. When the user clicks on the screen, multiple redirects lead the user to websites advertising an online income solution. To avoid such situations we request users, before installing software, to check that the publisher of the paid version and of the free version are the same. Thanks Sandip for providing the details. Quick Heal Mobile Security detects the file as Android.Fakeseek.A

Thursday, January 12. 2012
Security updates available for Adobe Reader and Acrobat

Critical vulnerabilities have been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh. These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system. These updates include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows as referenced in Security Bulletin APSB11-30.

-These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-4370).
-These updates resolve a heap corruption vulnerability that could lead to code execution (CVE-2011-4371).
-These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-4372).
-These updates resolve a memory corruption vulnerability that could lead to code execution (CVE-2011-4373).
The vulnerabilities are reported in the following products:
-Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
-Adobe Reader 9.4.7 and earlier 9.x versions for Windows
-Adobe Reader 9.4.6 and earlier 9.x versions for Macintosh
-Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
-Adobe Acrobat 9.4.7 and earlier 9.x versions for Windows
-Adobe Acrobat 9.4.6 and earlier 9.x versions for Macintosh

So, please update your Adobe Reader and Adobe Acrobat to version 10.1.1 in order to avoid being affected by the CVE-2011-2462 and CVE-2011-4369 vulnerabilities. For detailed information please go through the link below:
http://www.adobe.com/support/security/bulletins/apsb12-01.html

Wednesday, January 11. 2012
Microsoft January-2012 Patch Tuesday Released
Microsoft has released seven bulletins covering a total of eight vulnerabilities. Only one issue is rated 'Critical', and it affects Windows Media. The remaining issues affect Windows, the kernel, and Microsoft's Anti-Cross Site Scripting library.
The following bulletin is rated "Critical":

MS12-004 - Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The following bulletins are rated "Important":

MS12-001 - Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

MS12-002 - Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS12-003 - Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)
This security update resolves one privately reported vulnerability in Microsoft Windows. It is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; all supported editions of Windows 7 and Windows Server 2008 R2 are not affected. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. The attacker could then take complete control of the affected system and install programs; view, change, or delete data; or create new accounts with full user rights. This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.

MS12-005 - Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS12-006 - Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)
This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
MS12-007 - Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)
This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

For detailed information on all the bulletins and the corresponding vulnerabilities addressed, please visit:
http://technet.microsoft.com/en-us/security/bulletin/ms12-jan

We recommend that users set Windows Update to "Install updates automatically" mode so that the important patches get applied automatically.

Friday, January 6. 2012
Google chrome update
Google has released Chrome version 16.0.912.75 to fix three high severity security issues. The details of these issues can be found at:
http://googlechromereleases.blogspot.com/2012/01/stable-channel-update.html

Most users will be updated automatically to the latest Chrome version. It is recommended to apply this update if you do not have version 16.0.912.75.

Tuesday, January 3. 2012
Indian Cyberspace hit by Kim Jong-il Malware Mails!

It has been observed that cybercriminals are using the name of the North Korean leader Kim Jong-il, after his death, to target internet users. Attackers are achieving this by spamming malicious emails containing a specially crafted PDF named “BriefintroductionofKim-Jong-il.pdf”. This PDF file was found to exploit the CVE-2010-2883 and CVE-2010-3333 vulnerabilities in Adobe Acrobat Reader. Once successfully exploited, it leads to remote code execution on the victim's system. At the time of analysis we found the following DLL active in the system: "Rundll32 %temp%com.dll,COMResModuleInstance". We also found connection attempts to c[xxxx]p.m[xxxx]u.com. Quick Heal detects it as "Trojan.BHO.btgg".

We suggest users apply the patches below if they are using older versions of PDF Reader:
http://www.adobe.com/support/security/bulletins/apsb10-21.html
http://www.adobe.com/support/security/bulletins/apsb11-08.html

In addition we also suggest users:
-Do not visit untrusted websites
-Do not click on any link or attachment in the mail
-Do not disclose any financial or personal information asked for in any such mails

Monday, January 2. 2012
Microsoft has released an out-of-band bulletin MS11-100
Microsoft has released an out-of-band bulletin, MS11-100, addressing four vulnerabilities. The bulletin is rated Critical by Microsoft, and the vulnerabilities are listed below:
- Collisions in HashTable May Cause DoS Vulnerability (CVE-2011-3414)
- Insecure Redirect in .NET Form Authentication Vulnerability (CVE-2011-3415)
- ASP.Net Forms Authentication Bypass Vulnerability (CVE-2011-3416)
- ASP.NET Forms Authentication Ticket Caching Vulnerability (CVE-2011-3417)

This security update addresses one publicly disclosed and three privately disclosed vulnerabilities in the Microsoft .NET Framework. The most dangerous of these could lead to elevation of privilege if an attacker sends a maliciously crafted web request to the target. Successful exploitation could also lead to execution of arbitrary commands via an existing account on the ASP.NET site; to do this, an attacker must be registered with an account on the ASP.NET site and use an existing user credential.

Affected software and versions:
- Windows XP Service Pack 3: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows XP Professional x64 Edition Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Server 2003 Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Server 2003 x64 Edition Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Server 2003 with SP2 for Itanium-based Systems: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Vista Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Vista x64 Edition Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Server 2008 for 32-bit Systems Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- (Windows edition missing from the source list): Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows Server 2008 for Itanium-based Systems Service Pack 2: Microsoft .NET Framework 1.1 Service Pack 1, 2.0 Service Pack 2, 3.5 Service Pack 1, and 4
- Windows 7 for 32-bit Systems: Microsoft .NET Framework 3.5.1 and 4
- Windows 7 for 32-bit Systems Service Pack 1: Microsoft .NET Framework 3.5 Service Pack 1 and 4
- Windows 7 for x64-based Systems: Microsoft .NET Framework 3.5 Service Pack 1 and 4
- Windows 7 for x64-based Systems Service Pack 1: Microsoft .NET Framework 3.5 Service Pack 1 and 4
- Windows Server 2008 R2 for x64-based Systems: Microsoft .NET Framework 3.5 Service Pack 1 and 4
- Windows Server 2008 R2 for x64-based Systems Service Pack 1: Microsoft .NET Framework 3.5 Service Pack 1 and 4
- Windows Server 2008 R2 for Itanium-based Systems: Microsoft .NET Framework 3.5 Service Pack 1 and 4
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: Microsoft .NET Framework 3.5 Service Pack 1 and 4

For detailed information, please go through the link below:
http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Saturday, December 31. 2011
Top 10 Malware Families (Mobile) of 2011
Today is the last day of the year and the right time to list the top 10 Android malware families of this year. The list below is based on our report, which is generated from the automated feedback that we collect from Quick Heal installations across India.
Top 10 Malware Families (Mobile) of 2011

• Android.Lotoor.A: A Trojan that attempts to exploit vulnerabilities in the Android operating system to gain root privilege.
• Android.Lightdd.A: A Trojan that steals information from Android devices, such as the IMEI number and IMSI number, and sends the stolen information to a remote server.
• Android.FakePlayer.A: A Trojan disguised as a "media player application", used to send SMSs to premium rate numbers.
• Android.Basebridge.A: A Trojan that runs malicious services in the background and sends information such as SMS content and phone calls to servers and also to premium rate numbers.
• Android.Lotoor.B: Attempts to exploit vulnerabilities in the Android operating system to gain root privilege and sends the collected information to a remote server. In addition, it creates a backdoor root shell, stored in the system partition, in an attempt to survive software upgrades.
• Android.DroidKungFu.A: Another botnet, which uses root exploits and steals information such as OS type, SDK version, IMEI number and IMSI number and sends it to a remote server. It also downloads and installs malicious applications.
• Android.Bgserv.A: Transfers information from the device to a remote location. It collects information in logs and uses the HTTP POST method to post the data. It steals sensitive information.
• Android.Erahsooc.A: Steals information from Android devices and sends SMSs to premium rate numbers. It also sends information such as SMS content, phone calls, OS type, SDK version, IMEI number, IMSI number and location information to a remote server.
• Android.Geimini.A: An Android botnet that comes bundled with popular and legitimate Android applications and gains root privilege. It transfers information from the device to a remote location using the HTTP POST method; for example, it sends the victim's geographic location and controls his/her phone remotely.
• Android.GoldDream.B: Logs incoming SMS messages and outgoing messages and calls, and uploads them to a certain web site. It comes with a seemingly legitimate game application that has been re-packaged to include malicious code. It sends information such as SMS content, phone calls, OS type, SDK version, IMEI number, IMSI number and location information.
Saturday, December 31. 2011
Top 10 Malware Families of 2011
Today is the last day of the year and the right time to list the top 10 malware families of this year. The list below is based on our report, which is generated from the automated feedback that we collect from Quick Heal installations across India.
Top 10 Malware Families of 2011

• W32.Autorun.Gen: Autorun worms spread from USB/thumb drives as well as fixed and mapped drives. Autorun worms typically drop or download additional malware, usually backdoors and password stealers.
• W32.Sality: A PE infector that infects executables in the root folder, files on network shares, and removable drives.
• Trojan.Agent.gen: A malware family that uses HTTP to reach a remote server. Trojan Agents use packers to evade signature detection, install themselves using randomly generated filenames, and add auto-run keys to the Windows registry. Trojan Agent downloads rogue applications and other components.
• W32.Virut: A file-infecting virus with IRC-based backdoor functionality. It can accept commands to download other malware onto the compromised machine.
• Worm.VBNA: A worm is malware designed to propagate and spread across networks. Worms are known to propagate using one or several transmission vectors such as email, IRC, network shares, instant messengers (IM), and peer-to-peer (P2P) networks. VBNA also displays a fake virus infection warning to trick users into purchasing fake anti-malware software. Scare tactics like this appear to be on the rise, preying upon uninformed users.
• Trojan.Starter: A malicious Trojan horse or bot that may represent a security risk for the compromised system and/or its network environment.
• LNK.Exploit: A malicious shortcut file that exploits the shortcut-handling vulnerability used by this malware family. When a user browses a folder that contains the malicious shortcut using an application that displays shortcut icons, the malware runs instead.
• Worm.SlenfBot.Gen: Another botnet that can spread via instant messaging programs such as MSN Messenger, Yahoo Messenger and Skype. It may also spread via removable drives and by exploiting the MS06-040 vulnerability. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
• FakeAV: Though strictly not a virus, it is the scam of choice of most modern malware, so most infections have a fake antivirus scam as a visible payload. This enabled fake antivirus groups to become the con artists of the year, helped by virus creators everywhere. One reason FakeAV succeeds is that users have grown accustomed to receiving virus warnings in mail messages generated by legitimate desktop, server, and gateway AV programs.
• TDSS/Alureon: Infects the MBR of the victim machine and takes control at boot time. It has one of the most complex bootkit components ever seen and apparently a very shrewd development team behind it. Malware components alter DNS settings, hijack search requests, display malicious ads, intercept confidential data, download arbitrary files, and corrupt disk drivers.
• W32.Ramnit: A PE infector that infects executable and HTML files in the root folder, files on network shares, and removable drives. The virus opens a backdoor and waits for instructions.
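The Autorun and LNK entries in the list above both rely on code that starts when a removable drive is browsed. As an added example (not code from Quick Heal or from this post), the Python below parses an autorun.inf and reports which entries would launch a program. The sample autorun.inf contents are constructed for the example, and the RECYCLER folder heuristic is an assumption about common worm habits, not an indicator taken from the post.

```python
import re

# Keys in [autorun] that make Windows start a program (assumption: standard autorun.inf semantics).
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... also starts a program when that verb is chosen from the drive's menu.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text):
    """Parse autorun.inf content into {section: {key: value}}.

    Section and key names are lowercased, ';' comment lines and blank lines are
    dropped, and values keep their spelling so the referenced path can be reported.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section, or without '=', is ignored
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(text):
    """Return [(key, command)] for every [autorun] entry that can start a program."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def command_target(command):
    """Return the lowercased program path of a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split()[0].lower() if command else ""


def assess_autorun(text):
    """Classify an autorun.inf: whether it auto-launches anything, what, and why it was flagged."""
    entries = launch_entries(text)
    targets, reasons = [], []
    for key, command in entries:
        target = command_target(command)
        targets.append(target)
        if target.endswith(EXEC_EXTS):
            reasons.append(f"{key} starts executable '{target}'")
        else:
            reasons.append(f"{key} starts '{target}'")
        # Heuristic (assumption): droppers are often parked in folders Explorer hides by default.
        if "recycler" in target or "system volume information" in target:
            reasons.append(f"{key} target lives in a folder normally hidden from the user")
    return {"autolaunch": bool(entries), "targets": targets, "reasons": reasons}


# Constructed sample in the style of a worm-dropped autorun.inf (not a real file from the post).
SAMPLE_MALICIOUS = """
[autorun]
; started automatically on systems that still honour autorun.inf for removable drives
open=RECYCLER\\S-1-5-21-1234\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21-1234\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1234\\setup.exe -e
icon=%SystemRoot%\\system32\\shell32.dll,4
label=My Photos
"""

# Constructed benign sample: only cosmetic keys, nothing is launched.
SAMPLE_BENIGN = """
[autorun]
icon=drive.ico
label=Backup Drive
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, assess_autorun(sample))
```

Current Windows versions no longer honour `open=` and `shellexecute=` for USB drives, but the file still names the program the worm wanted started, which makes it a useful starting point when triaging a drive or an image of one.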
Thursday, December 22. 2011
Fake Facebook alert for Change the password
Facebook users are being targeted with fake emails purporting to come from the social network, alerting them to change their password.
The emails are sent from the spoofed email address Facebook (update+{Random Characters}@facebookmail.com) with subjects such as:
-Security alert.
-You account information.
-New notifications.

The email comes with an attachment such as:
-alert1523230352.zip
-alertN75139832.zip
-instructions2374870680.zip

Upon execution it connects to remote servers to report its infection and to download additional malicious files. If you come across such emails do not open the attachment; instead delete them and keep your antivirus updated. Quick Heal detects the malicious attached file as "Trojan.Yakes.ljl", so users are already protected. We recommend users not to open such attachments from unknown emails.
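Four of the posts above (the FedEx notification, the American Airlines ticket, the US-CERT report and this Facebook alert) share one delivery pattern: a zip attachment containing a .exe, sometimes behind a document-looking double extension such as .eml.exe. The Python below is an added example of a mail-gateway check for that pattern; it is not code from Quick Heal or from the posts. The sample archive is constructed in memory with dummy bytes (its member names echo the posts, its contents are not real samples), and the extension sets are assumptions about what Windows treats as runnable.

```python
import io
import zipfile

# Extensions Windows runs directly when the file is opened (assumption: standard Windows behaviour).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document-like extensions attackers put before the real one, e.g. "Reports.eml.exe".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".eml", ".jpg", ".html", ".htm"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def extensions(name):
    """Return every dotted extension of a member name, lowercased: 'a/Reports.eml.exe' -> ['.eml', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(zip_bytes):
    """Return {member_name: [reasons]} for every archive member that looks like a program, disguised or not."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
                reasons.append("double extension " + exts[-2] + last)
            # Look at the content too: a renamed program still starts with the PE magic.
            with zf.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC:
                if last in EXECUTABLE_EXTS:
                    reasons.append("PE header")
                else:
                    reasons.append("PE header behind non-executable extension " + (last or "(none)"))
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(zip_bytes):
    """Gateway policy: hold the mail if any member of the attachment is flagged."""
    return bool(inspect_zip(zip_bytes))


def build_sample_zip(include_malicious=True):
    """Build a constructed archive in memory; member names echo the posts, contents are dummy bytes."""
    buf = io.BytesIO()
    fake_pe = PE_MAGIC + b"\x00" * 62  # only the magic bytes of a PE file, not a real program
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text, nothing to run")
        if include_malicious:
            zf.writestr("Ticket.exe", fake_pe)
            zf.writestr("US-CERT Operation CENTER Reports.eml.exe", fake_pe)
            zf.writestr("invoice.pdf", fake_pe)  # PE content hidden behind a document extension
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
    print("quarantine:", should_quarantine(build_sample_zip()))
```

Checking the first bytes of each member as well as its name catches the case where the sender renames the program to a document extension; a document that is not a PE is left unflagged here, since these posts describe executables rather than exploit documents.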