Thursday, May 27. 2010
Beware of Trojan.Bredolab that sends fake iTunes Gift Certificate!
Yesterday I received a suspicious email with an attachment. The mail had the subject line:
Thank you for buying iTunes Gift Certificate!

I am an iPhone user and do have an account at the Apple Store. Initially the thought came to my mind that somebody had hacked into my Apple Store account and done some online shopping in my name. As soon as I went through the message content I realized it was a mail sent by some malware, using an iTunes subject and message as a good social engineering technique. Quick Heal's DNAScan flashed a warning that the attachment was suspicious and immediately quarantined it. The email looked as follows:

-------------------
From: "iTunes Online Store"
To: <**********************>
Subject: Thank you for buying iTunes Gift Certificate!
Date: Wed, 26 May 2010 09:42:07 +0100

Hello!
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.
Then you need to open iTunes.
Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
iTunes Store.
-------------------

On carefully analyzing the attached file my suspicion was confirmed: it was indeed a new variant of Trojan.Bredolab being spammed to unsuspecting users as an email attachment. The Trojan made the following changes on my test PC: it modified the WinLogon registry entry so that it loads automatically with the system, and it dropped a Trojan file in the Temp folder. Upon execution it tried to reach out to a server in Russia. Quick Heal now detects and cleans this Trojan by the name Trojan.Bredolab, so Quick Heal users need not worry!

Wednesday, May 26. 2010
Prominent and efficient tools of Quick Heal Admin Console – Part 2
This blog is the second part of the Prominent and efficient tools of Quick Heal Admin Console blog series. In this part, I will provide information about the inception and features of yet another prominent and efficient tool of Quick Heal Admin Console, i.e. the Quick Heal Admin Console Standalone Update Manager.
Let me tell you how Quick Heal Admin Console Standalone Update Manager was conceptualized. Quick Heal Admin Console, installed on the server, uses its integrated Update Manager tool to fetch updates from the Quick Heal Internet Center, and the clients on the network in turn fetch the updates from Quick Heal Admin Console. Many organizations have network setups in which the server is not connected to the Internet, for security or other reasons. If Quick Heal Admin Console is installed on such a network, the console installed on the server will not receive updates from the Quick Heal Internet Center, and in turn the clients will not receive updates from the console. To tackle this scenario we came up with the Quick Heal Admin Console Standalone Update Manager tool, which fetches updates on behalf of Quick Heal Admin Console.

I will now list the steps that help the administrator deploy Quick Heal Standalone Update Manager easily and efficiently.

1. Quick Heal Admin Console Standalone Update Manager needs to be installed on a Windows-based system on the network that is connected to the Internet.
2. Please verify the updates downloaded for Quick Heal clients. You can uncheck Quick Heal AntiVirus for Linux in case your network doesn't have Linux systems.
3. The system running Quick Heal Admin Console Standalone Update Manager will download the updates to the default location or to a location of your choice.

[Image: Quick Heal Admin Console Standalone Update Manager - Configuration]

4. The path or location where the updates are downloaded is configured as a website using the IIS or Apache web server (IIS or Apache needs to be installed if it is not already installed on the system). The URL of the configured website is used by the Update Manager integrated with Quick Heal Admin Console on the server.
[Image: Quick Heal Admin Console Update Manager - Configuration]

Once these settings are applied, the Quick Heal Admin Console installed on the server will fetch the updates from the system running Quick Heal Admin Console Standalone Update Manager. This tool is freely available for download from the following webpage: http://www.quickheal.co.in/admin40.asp

To know more about the deployment, functionalities and working of Quick Heal Admin Console Standalone Update Manager, please refer to its user guide. That concludes the two-part blog series Prominent and efficient tools of Quick Heal Admin Console.

Tuesday, May 25. 2010
Save our tigers website is compromised
Yesterday while traveling to the office I saw the hoarding for Save Our Tigers, the ongoing initiative undertaken by Aircel in partnership with WWF-India to help "Save Our Tigers".
According to the latest tiger census in India we have only 1411 left in the wild. So I thought of joining this initiative by doing my bit, and when I reached the office I opened the website... oh no, not again... it seems the website www.saveourtigers.com has been compromised and is loading foreign pages which in turn install a rogue security application on the visiting user's system.

[Image: From save our tigers dot com]

When I visited the website www.saveourtigers.com it closed the Firefox browser and showed me the message below.

[Image: Fake message]

So I clicked on "OK"; there is no other button here (the close button is also of no use). It then started to show a fake scan running on my system.

[Image: Fake scan running on system]

At the end of the scan it showed that hundreds of malware were running on my system, so I needed to install a security application. It automatically started to install My Security Engine.

[Image: My Security Engine installed]

Users are advised not to visit this website until it is cleaned up. We have reported this to the website owner and CERT-In; hopefully we will hear from them soon. Quick Heal successfully detects this rogueware and takes appropriate action.

Monday, May 24. 2010
DHL Delivery Mail leads to Rogueware
The mail below landed in my mailbox today with an attachment DHL_Tracking_NR.324-492383.zip; as a curious user I went to check it.
--------------------------------------------------------------------------
Subject: DHL Tracking number #1488883
From: xxxxxxxxxxxxxxxx
Date: Tue, May 24, 2010 10:09 am
To: xxxxxxxxxxxxxx

Good morning,
We were not able to deliver postal package you sent on the 22nd May in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.
Your personal manager: Dolly Gibson,
Customer Service: 1-800-CALL-DHL
Fax: 888-378-9347
DHL International, Ltd. All Rights Reserved.
--------------------------------------------------------------------------

When extracted, a file DHL_Tracking_NR.324-492383.DOC.exe was present. Once this file was opened it dropped the following files on the system:

[System32 Folder]\pgsb.lto
[Current Profile Folder]\Local Settings\Temp\3.tmp

In the registry it added:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe pgsb.lto csxyfxr"

It tried to connect to a remote system to download other Trojans onto the system. After a few minutes the system started showing fake messages, and eventually a fake antivirus program got installed.

[Image: Fake message]

We have released protection against this fake AV/rogueware, which is detected as Securityessentials2010.

Thursday, May 20. 2010
Vulnerability in 64-bit Windows 7 & Windows Server 2008 R2
Microsoft has warned users of a vulnerability in 64-bit Windows 7 and Windows Server 2008 R2.
According to Microsoft's Jerry Bryant, they are investigating a vulnerability in the Windows Canonical Display Driver (cdd.dll), which enables applications to use graphics and formatted text on the video display and printer. The vulnerability is due to the driver's failure to properly parse information copied from user mode to kernel mode. The bug would most likely only make vulnerable machines reboot. But if an attacker could bypass Windows' memory randomization protection (ASLR), which prevents code execution attacks, it could allow a hacker to silently install malware. The malware can be installed by tricking the victim into viewing a malicious image file on a website or in email.

According to Microsoft, they are working on a security update to address the vulnerability. In the meantime, users can prevent attacks by disabling the Windows Aero theme. To turn it off, choose Start -> Control Panel -> Appearance and Personalization -> Change the Theme -> select one of the Basic and High Contrast themes. The Microsoft Security Advisory can be read here.

Wednesday, May 19. 2010
Prominent and efficient tools of Quick Heal Admin Console
In an earlier blog of mine, I announced the release of Quick Heal Admin Console 4.2 along with the host of enhancements incorporated in it.
In this two-part blog series on the prominent tools of Quick Heal Admin Console, I will provide some information about the inception and features of the two prominent and efficient standalone tools that have been bundled with Quick Heal Admin Console 4.2. The tools are:

1. Quick Heal Admin Console Remote Management
2. Quick Heal Admin Console Standalone Update Manager

In this blog I will discuss the Quick Heal Admin Console Remote Management tool.

Quick Heal Admin Console Remote Management evolved from the needs of enterprises with multiple Quick Heal Admin Consoles that need centralized management of all of them. For example, if an organization has branches in different cities and each branch has Quick Heal Admin Console installed on its network, then maintaining all the Quick Heal Admin Consoles from a centralized location would be a cumbersome task. The person responsible for maintaining them would be required to remember the URL, username and password of each Quick Heal Admin Console.

[Image: Quick Heal Admin Console Remote Management - Add New Location]

The standalone Quick Heal Admin Console Remote Management tool addresses this situation by allowing you to assign the URL, username and password of a specific Quick Heal Admin Console to a location name of your choice. Just accessing the location name will connect you to the desired Quick Heal Admin Console. This relieves the administrator from remembering the URLs and the respective login credentials.

[Image: Quick Heal Admin Console Remote Management - Add User]

Quick Heal Admin Console Remote Management also provides the facility to create three users: Administrator, Read-only and Report Viewer. The user privileges are similar to the privileges in Quick Heal Admin Console. The user with "Administrator" privileges has complete control over the tool and is responsible for creating the other two users.
When connected with administrative privileges you will have complete control over the respective Quick Heal Admin Console. Users with "Read-only" privileges will be able to connect to Quick Heal Admin Console and view all the settings and configurations, but they cannot modify them. Users with "Report Viewer" privileges will be able to connect to Quick Heal Admin Console and access its reports, but will not be able to view or modify any settings or configurations.

This tool is freely available. Quick Heal Admin Console users can download it from the following webpage: http://www.quickheal.co.in/admin40.asp

To know more about the functionalities and working of Quick Heal Admin Console Remote Management, please refer to the user guide. Watch out for the next part of the blog on the tools of Quick Heal Admin Console. In that blog I will discuss the inception and features of yet another prominent and efficient standalone tool called Quick Heal Admin Console Standalone Update Manager.

Tuesday, May 18. 2010
Indian PCs are most infected by Trojans and Trojan Downloaders
The recently released Microsoft Security Intelligence Report Volume 8, which highlights the statistics for last year, shows that Trojans and Trojan Downloaders together account for more than 30% of the infections on Indian PCs across all infected computers in the second half of 2009. Spyware infection is surprisingly very low. Below is the summary page. For the detailed report, please download the complete report from the Microsoft site.
Wednesday, May 12. 2010
Microsoft Security Bulletin released for the month of May
Microsoft has released its security bulletin summary for May 2010. This month Microsoft has released two bulletins, addressing a total of two vulnerabilities.
Both bulletins have been rated "Critical" and both relate to "Remote Code Execution" vulnerabilities. The bulletins released this month provide security updates for Microsoft Outlook Express 5.5 (SP2), Microsoft Outlook Express 6, Microsoft Outlook Express 6 (SP1), Microsoft Windows Mail, Microsoft Windows Live Mail, Microsoft Office XP (SP3), Microsoft Office 2003 (SP3), Microsoft Office 2007 System Service (SP1 & SP2) and Microsoft Visual Basic for Applications. The bulletins released are as follows:

- Bulletin MS10-030 resolves a vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server.
- Bulletin MS10-031 resolves a vulnerability in Microsoft Visual Basic. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to the Visual Basic for Applications runtime.

For detailed information about both bulletins and the corresponding vulnerabilities addressed, please visit the Microsoft Security Bulletin Summary - May 2010 page. I recommend that users set Windows Update to "Install updates automatically" mode, so that the important patches get applied automatically.

Tuesday, May 11. 2010
PC2Mobile Scan patch released to support more mobile phones
I would like to announce that the PC2Mobile Scan feature in Quick Heal Total Security has expanded its list of supported mobile phones. The release of the latest patch, within two months of the earlier patch release, is a strong indication of our constant and increasing focus on ridding mobile devices of malware and on ensuring compatibility with the maximum number of popular mobile phone brands and their versions, including brands like Apple iPhone and BlackBerry. Quick Heal PC2Mobile Scan now supports over 581 mobile phones of various brands.
Visit the News section to know more about the latest patch release. Quick Heal Total Security 2010 users can download this patch to add protection for the newly added mobile phones. You can also visit the PC2Mobile Scan section to check out the complete list of mobile phone brands and versions supported by the PC2Mobile Scan feature in Quick Heal Total Security.

Tuesday, May 11. 2010
"Account Alert" mail.....Nothing but a spam

[Image: the "ACCOUNT ALERT" mail described below]

Like everyone, I keep getting such stupid/funny mails. Yesterday, I received one such mail (shown above) on my Windows Live ID. The subject is "ACCOUNT ALERT", which will make anyone open the mail, and so did I. The From field displays the name "Windows Live Team", but the email ID shown is totally irrelevant, unless Microsoft has gone into the scooter spares business. The mail body tries to explain that congestion due to "anonymous" registrations is the reason why "genuine" accounts (like the one I have) will be deleted……Wow…….Superb! Next, it asks for username, password and other personal information. Lastly it displays a warning, which is enough to make many users reply with their personal information. No genuine email service asks you for your personal information the way this mail does. So the first thing to do after reading such a mail is……….DELETE IT.

Friday, May 7. 2010
Iceland volcano scam

[Image: the compensation scam mail described below]

Time and again we have seen how good email scammers are at exploiting the latest news to concoct mails intended to empty your pockets. This time they are intending to deceive the passengers stranded due to the Icelandic Eyjafjallajokull volcanic eruption. The (above) email comes from a fake Frank Adam at the Civil Aviation Authority and invites recipients to apply for compensation. Anyone replying with their personal information will be asked for an administration fee to release the payment, or will be sent a fake cheque and asked to send the fee by wire transfer once the cheque is deposited in their account.
Such frauds are called advance-fee frauds and are intended to part you from your cash and yes, in some cases, also from your personal information.

Friday, May 7. 2010
Surviving PDF "/Launch" attack
After Didier Stevens revealed the PDF "/Launch" social engineering attack, which can be used to launch applications from PDF files, we have received malicious PDF files which use this technique: doc.pdf and Royal_Mail_Delivery_Invoice_[].pdf. These PDF files modify Adobe's Launch File warning, which is prompted to the user before an embedded non-PDF attachment is opened. As Adobe has mentioned, the default option shown is to not execute the file.
If the user clicks the "Open" option, it drops and executes the embedded VBScript and malicious file. The image below shows the script from the doc.pdf file which drops and executes game.exe. Quick Heal detects doc.pdf as Exploit.PDF.Pidief and the dropped file game.exe as Trojan.Agent.pack.

Users are advised to configure Adobe Reader to disable execution of JavaScript and the opening of non-PDF file attachments with external applications. From the Preferences panel, select "JavaScript" and uncheck the "Enable Acrobat JavaScript" option as shown below.

[Image: Preferences - JavaScript]

From the Preferences panel, select "Trust Manager" and uncheck the "Allow opening of non-PDF file attachments with external applications" option as shown below.

[Image: Preferences - Trust Manager]

References:
http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/

Thursday, May 6. 2010
Identity theft through spam mail

[Image: the spam mail described below]

I received this mail yesterday. A few points to note about the mail are:

- The From field (which is blacked out) tries to portray a genuine name.
- The To field suggests that the mail may not be directed to me alone, which contradicts the mail body, which proposes the deal to me.
- The Subject field prompts me to reply urgently.
- The mail body is well composed. The first paragraph tries to prove the genuineness of the sender by providing a legitimate link to the merger news. The second paragraph again sets up a background by providing a legitimate link to the plane crash news. The third and final paragraph lures by offering a percentage partnership, but at the cost of personal information (full name, address, age, occupation, telephone and fax numbers).

So, ignore such mails and don't reveal your personal information.