Friday, July 30. 2010Drooptroop leads to rogueware Security Master AV A variant of the Trojan family Drooptroop leads to the infection of Rougeware named Security Master AV. It redirects the google result to a fake online scanner link. It displays fake threat messages and asks user to download or run the rougeware setup:   QuickHeal detects the setup file as TrojanDownloader.FraudLoad.gxv and Rougeware is detected as Fraudtool.SecurityMaster. Wednesday, July 28. 2010Few hours to Black Hat 2010, Vegas. Black Hat 2010 will kick start few hours from now. Lot of security experts and security community guys and gals will be looking forward for the latest news and happenings there. I am one of the guy who could not make it to the Black Hat and gona miss the fun. I am sure there will be lot of people out there who really wanted to be there but could not. For all those who wanted to keep up with the latest news, photos, announcements etc there are ways to keep and eye on the event remotely. Of course this time Black Hat is having facility of live streaming of video but its not free. Let us see some other ways to follow the event. First think one can do is to follow the hastag #blackhat on twitter. If you are on twitter just install tweetdeck where you can set up the search column for #blackhat. If you do not have twitter account then twitter search is the best way to get current information on #blackhat. One can easily import the twitter search into RSS. One can also follow the security magazines on twitter like SCMagazine (@SCMagazine). For photos its easy to keep checking this link here. That is all on Black Hat and looking for exciting news from Vegas. Tuesday, July 27. 2010Orkut Phishing Attack Recently I received a scrap on my orkut account from unknown person, explaining the trick to Freely Recharge Mobile. And falsely claiming that the version was introduced to all orkut users as a gift from Google services! It asked me to visit a link which I did, it took me to http://meka555.blogspot.com/ [do not click on this link]On this link i was surprised reading below message.  Then it asked me to copy some code in to tthe address bar where www.orkut.co.in/Main#Home is written. So as said I copied the java script to (www.orkut.co.in/Main#Home) and as soon as I hit enter below messages started appearing on my screen.   After giving above messages it diverted me back to orkut login page as below.  Hey hey wait a minute it’s not the actual orkut page. Rather its http://76asgdh.blogspot.com/ After a through analysis of this whole situtation we found that the entered details were forwarded to http://kiranmahi1.freehostia.com/mailer.php So please never reply, click on the link or copy paste the contents send to you from unknown users. Enjoy safe browsing... Thursday, July 22. 2010Workaround from Microsoft to fix the issue related to CVE-2010-2568 Microsoft is working hard to fix the issue related to CVE-2010-2568 and to release the security updates as early as possible to patch vulnerable systems. Meanwhile, Microsoft has released a Microsoft security advisory (2286198) which lists the set of workarounds. Workarounds refers to "a setting" or "configuration change" that does not correct the underlying issue but would help block known attack using the vulnerability.Microsoft has tested the workarounds and states in the discussion whether a workaround has some side effects. • Disable the displaying of icons for shortcuts • Disable the WebClient service • Block the download of LNK and PIF files from the Internet Additionally, Microsoft Support has a Knowledge Base Article which includes their one click "Fix it" buttons to implement the workarounds which enable/disables .LNK and .PIF file functionality automatically.  Knowledge base also has a detailed interactive method to implement the workaround yourself. Wednesday, July 21. 2010StuxNet, CVE-2010-2568 misconceptions and factsLot is being discussed and written about the latest StuxNet worm/virus/trojan/rootkit. After analyzing the StuxNet samples and having closer look at the .LNK files I realized that lot of miss concepts are making round over the internet. Many of the security news websites have just copied the contents of blogs and added their own conclusions which all are not true. Some of the miss concepts about the latest CVE-2010-2568 based attack by StuxNet: Myth 1: Many articles are calling this as a zero day vulnerability in Windows Shell, some are calling it as a vulnerability in .LNK file format and so on so forth. Fact: It is basically a design flaw by Microsoft in handling .LNK files. Can be called as designed to be a feature which got misused by a malware to get executed automatically. Just like Autorun feature which now is being widely used by malware authors to spread the malware. So its not at all a vulnerability in Windows Shell or .LNK file format and nor any kind of buffer overflow that is being happening. Myth 2: Malware/Worm will not work on all pen drives. Needs OllyDbg debugger to start the code or modify the .LNK to make it work. Fact: The worm does work on all pen drives and does not need any modification to .LNK file to work or a debugger to start it. Basically the worm drops a .LNK file on pen drive when infecting it which is unique to the pen drive being infected. So if researchers or user copies these files as it is to other pen drive of-course it is not going to get executed automatically on other pen drives. Important thing is the pen drive which is infected by the worm (.lnk and other files dropped by the worm on it) will infect other PCs successfully if we use the same pen drive as it is on the other PC and open the removable drive in explorer. That means attack vector successfully works without any modifications provided it is infected by the worm automatically and not by manually copying the malware files on the pen drive. Myth 3: Attack vector works only on USB/Pen drives. Fact: If the specially crafted .LNK file is dropped on network drive with all the relevant files in same location it will still work. The malware will automatically get executed if we happen to open that particular network drive or even any folder (local or shared) in the system. The flaw is about handling of .LNK files it can be from any location like removable drives (Pen/USB drives), local drives and folders, shared drives and folders. Myth 4: Disabling autoplay or autorun feature of Windows will prevent execution of such malware from infected pen drive. Fact: Disabling of autoplay or autorun feature of Windows will not prevent automatic execution of malware from pen drive. You may still get infected if you simply insert the infected pen drive to your system and open the drive in explorer. As it common practice that users most of the time open the pen drive in explorer to explore the contents and do operations like copy paste or view. So even if you have autoplay off simply opening the infected pen drive in explorer is going to infect your PC. Myth 5: The StuxNet Malware is possibly originated in India. Fact: Some researcher in Russia (working for reputed AV Company there) feels and put the theory that StuxNet malware is originated in India (Link to the blog). India being world leader in outsourced programming and high number of infections being detected in India does not at all mean that Malware is originated in India. I will not comment where the malware must have originated as we can conclude about origin only after proper investigation and looking at the forensic facts. I recommend the Russian researchers to work on facts instead of working on vague theory and leave the predictions job to Paul the octopus. I hope this helps to clear the confusion cloud. Quick Heal users need not fear or have any confusions, Quick Heal (latest updated) successfully protects from StuxNet worm and even similar technique new malwares. Quick Heal automatically removes the malicious .LNK files from all locations. Tuesday, July 20. 2010CVE-2010-2568: LNK file automatically executes code in Control Panel shortcuts
Microsoft LNK files [MS-SHLLINK] which are now turned into auto executable files by malware authors using its undocumented feature is a hot topic on most of the security forums.
We have received specially crafted LNK files along with Portable executable files having the mentioned LNK file vulnerability. When user visits the folder containing these files, the target executable file gets loaded into Explorer process. This could be used to execute the payload. This issue was initially reported by "VirusBlokAda" company specialists on the 17th of June, 2010. It is exploited by StuxNet malware using USB Storage as propagation vector. StuxNet also uses rootkit techniques to hide its LNK and TMP files. After detailed investigation of these specially crafted LNK files we observed that, this is Microsoft Windows specific implementation for processing Control Panel shortcuts. What is special about Control Panel shortcuts? Control Panel items (CPI) are DLLs or executable (.exe) files that let users configure the environment of Windows. They are typically accessed by clicking an icon in the Control Panel. They export special function called CPlApplet. For Control Panel shortcuts Explorer.exe loads CPI and then calls exported CPlApplet function, which is the key to turn LNK file into an auto executable.  Figure 1: Code snippet for CPI DLL  Figure 2: DebugView log It is observed that even if the target file does not export CPlApplet function, DllMain function is executed. Microsoft needs to take major decision on how to process shortcuts for CPIs, may be to load and execute only registered CPIs. Quick Heal detects such malicious LNK files as PIF.StuxNet.A and Exploit.CVE-2010-2568. References: http://anti-virus.by/en/tempo.shtml http://www.microsoft.com/technet/security/advisory/2286198.mspx http://www.kb.cert.org/vuls/id/940193 http://www.ivanlef0u.tuxfamily.org/?p=411 http://msdn.microsoft.com/en-us/library/bb776392%28VS.85%29.aspx http://msdn.microsoft.com/en-us/library/dd871305%28PROT.10%29.aspx Tuesday, July 20. 2010Coca-Cola scam on Facebook
"I am part of the 98.0% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video --> http://www.[deleted_link_to_video]".
What will you do, if you get such post on your Facebook via your friend? Obviously you will be tempted to click the link. If you click on the link, you'll be asked to share the video seven times. But you will realise that you are not making any progress. So eventually you'll be tempted to click on a link that says "Cant Be Bothered To Wait? --> Click Here To Skip This.". This link takes you to a poll, which asks you for personal information. Needless to say, you must not provide your personal information.  So Facebook users, beware! Please do not click on any suspicious links. And avoid providing your personal information, unless you're absolutely sure who you're giving it to. Friday, July 16. 2010For Windows XP Service Pack 2 users July's patch release (blogged by Basant) marks the end of patching support for both Windows 2000 and Windows XP Service Pack 2. So, from now on there'll be no security updates, hotfixes and other updates for Windows XP SP2, regardless of how serious a threat and newly discovered vulnerability may pose to users of this OS.Apart from the base OS itself, Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components have also seen their last patches. However, support for Windows Embedded XP SP2 (which is frequently used in ATMs and point of sale terminals) will extend until January 2011. Microsoft advises all Windows XP SP2 users to upgrade to either Windows XP SP3 or preferably Windows 7. Win XP SP3 was released in April 2008 and will be supported until April 2014. Thursday, July 15. 2010Wednesday, July 14. 2010Mercedes Benz promotion email scam
I recently received a mail with the subject line “Mercedes Benz Promotion (Test Questions)”. The subject line was a clear indication that a scam was in the offering. Scammers always keep changing their techniques and try to exploit scenarios that might lure people to fall for their trap.
In this scam, the scammers have tried to tempt the recipients with £ 1,850,000 (One Million Eight Hundred and Fifty Thousand Great Britain Pounds). They have also tried to capitalize on the brand value of Mercedes as the subject line “Mercedes Benz Promotion (Test Questions)” can tempt most recipients of the mail to check out its contents. Scammers have also tried to make the mail look realistic, by sympathizing with the people who lost their jobs in the recent recession, and showing their concern by offering them a reward to help ease their burdens. The mail contains three trivia-based questions on Mercedes that also adds a touch of genuineness to the mail. The recipients need to send the right answers and personal details like Name, Sex, Phone Number, Country and Occupation to a specified email address. Please be aware that the sole purpose of such mails is to extract personal information from the recipients. Most of the time recipients, who have fallen for such traps, have ended up paying their savings to scammers. So I would request the recipients to not trust such emails and delete them immediately. While receiving this mail, Quick Heal AntiSpam automatically filtered it as SPAM. A copy of the entire mail follows: 
Tuesday, July 13. 2010Monday, July 5. 2010Increase your twitter followers, an innovative way to get victims
Recently I came across a below website that is promoting itself through twitter accounts of its members. When I saw its home page I was surprised to learn how people are coming out with innovative ways to collect innocent users login names and passwords of twitter accounts. Further this website seems to be using these passwords to put its advertisments on the users twitter account.
The websites working model is based on idea of following more people so that they will follow back you and you can increase your twitter fan following. All this is free with a twist where the website is making one request of allowing them to post two advertisments on their profile every day. The website is collecting twitter account passwords to offer this service free to the users. Do not believe in such advertisments where the website is stating that : "Its free to join! You have nothing to loose". Revealing your password to such websites gives these people full access to your twitter account where they can communicate to your followers on your behalf. So its the other way as we can say - you have everything to loose. 
Monday, July 5. 2010Beware of Loan Scam
In my earlier blog, I had mentioned how scammers had used current events such as “FIFA World Cup 2010” to launch fraudulent scams. But in this latest scam a sly approach has been taken by scammers to extract personal infromation from victims.
I recently received a mail with the words LOAN APPLICATION in the subject line of the mail. The matter of the mail asked the recepients if they had bad credit or if they needed instant cash to upgrade their business. It also contains a form which the user had to fill out to obtain loan from the respective organization. The form requests personal information from the user like Name, Sex, Address, Telephone Number, Scanned copy of Passport or Driver’s License, etc. Please be aware that such mails are sent by scammers whose sole purpose is to extract personal information from users. Most of the time users, who have fallen for such traps, have ended up paying their savings to scammers. So I would request users to not trust such emails and delete them immediately. While receiving this mail, Quick Heal AntiSpam automatically filtered it as SPAM. A copy of the entire mail follows: 
|
ArchivesCalendarSyndicate This Blog |
