Thursday we observed a new worm that started to spread over Internet by emailing the address books of infected PC. The email contains the subject line as “Here you have” or “Just for you” and contains a link to a file which seems to be a PDF file.

The email when received in inbox looks as below:
--------------------------------------------------------------------

Subject: Here you have (sometimes it is "Just for you")

Body:

This is the document I told you about, you can find it
here. http://xxx. x..x

Please check it and reply as soon as possible.

Cheers,
--------------------------------------------------------------------

The link in the email does not actually points to a PDF, but instead points to a script that infects the computer with the new worm once, the user agrees to install the file. Once the worm infects the computer it will propagate by sending itself to all the emails in the contact list.

The worm has supposedly hit some of the major company networks in US that include ABC, Disney, Coca Cola etc. as reported by MSN NEWS.

The worm is simple email worm which can be easily detected and mitigated by having updated Quick Heal protection on the PC.

A critical vulnerability (CVE-2010-2883) exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and Unix and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.

Currently we have not come across such sample but our lab is constantly monitoring the suspicious PDF files that we receive.

All the posts point towards below facts:

- The vulnerability is reported to be exploited by a malware that is spreading through PDF file.
- The exploit works on Windows XP, Windows Vista and Windows 7 as well.

Precautions:
Avoid opening PDF files that are arriving from new unknown source.

Adobe is aware of this vulnerability and may release a out-of-band update to fix the same.

Visit Adobe Advisory page for more details.

Yesterday I received a mail regarding “Payment Processed by Visa Bill Pay” as below...


If one open this file then a Trojan get installed on system in application data folder, this Trojan connect to below domain and it may further lead to fake antivirus scams, malicious redirects, viruses, trojans, rogue installers, key loggers, droppers, browser exploits, and a range of other security threats.

http://votrebuyh.com/xman/xman.bin
http://votrebuyh.com/xman/gogo.php


“VISABILLPAY-VODAFONE.exe” is a Banking Trojan which is used to steal banking credentials from the victim (including confidential details such username, password, credit card number, etc.). By harvesting cookies and accessing other information, the criminals can extract a lot of personal information which can be used to increase their chances to get access to the victim’s online banking account.

Quick Heal detect this as Trojan.Agent2.cuyv

We are seeing rise in scam email posing as tracking mail notification from US based delivery company United Parcel Service. The mail pretends to be from UPS it has subject line Delivery problem.

It notify user... We failed to deliver postal package sent on so on date... in time because the recipent's address is wrong. please print out the invoice copy attached and collect the package at our our department. This message is send as an JPG image in the mail.

If the user opens the attached zip file (In our observation the size of file is around 30 KB). When this zip file is extracted it will give you .exe file "UPSInvoice.exe", with an icon that looks like word document. When you open the file, It will install a rouge security software Antimalware Doctor.


Once installed Antimalware doctor will perform a fake scan of your computer and state that you have a malware infection and these infections will be removed after you purchase a full version of the software. Antimalware Doctor then attempts to procure your financial information under the guise of infection.

Quick Heal detects downloader Trojan as Trojandownloader.Katusha and the Rogueware as FraudTool.AM-Doctor

Today I received scam mail as below related some lottery in which i won, this one i never bought ...Lottery scam letters are sent out by the thousands every day. There are only two things the bad guys want: your money and your identity.


*******************************************

from GRAHAM SMITH
to
date Thu, Aug 26, 2010 at 2:46 PM
subject Lottery Winning Notification!!
mailed-by shaw.ca

Your Email Has Won £1,500,000 (One Million, Five hundred thousand Great Britain PoundSterlings).
These are your Winning Information and Identification Numbers:
Batch Number.......................................PC/835X/2010
Pin no............................ ................MMB/676/96803/D
Winning Numbers....................................MV004930
Reference Number...................................ML34963SB
To file your claims, kindly contact the claims manager:
Mr. John Howard (Claims Officer)
EMAIL: claimdepartmentunity113@hotmail.co.uk
Endeavour to e-mail us your Full Names, Address, Mobile Number, Age, Resident Country and Occupation.
Yours Sincerely,
APPROVED
GRAHAM SMITH (PHD)
LOTTERY CO-ORDINATOR.

******************************************


They will pretend to be lawyers, claims agents, bankers, law enforcement agents, people of high rank in the government, gaming officials, tax collectors, and any other title that will convince you they are good people. After you answer the first email, they will write back asking for your personal identification. This is used to steal your identity. They can commit crimes using your name and leave you holding the bag.

These are all fake notifications, never respond to such mails.

Happy Surfing!
Vishal

This is in continuation to my yesterday’s blog.

Microsoft’s advisory has confirmed that the attacks exploit a weakness in the way programs load associated libraries. The binary files can be located in a variety of directories, including those on networks controlled by a malicious hacker.

According to Microsoft the vulnerability exists in Windows applications made by third-party developers however it is still investigating whether any Microsoft programs are susceptible to the “binary planting” or “DLL preloading attacks".

According to Microsoft Security Response Center blog, this issue cannot be directly addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. The attack works because many applications ignore best security practices and search for the library based only on the file name, rather than the full directory path. When the current working directory is set to one controlled by the attacker, it's possible to load a malicious file.

Microsoft suggests that admins disable WebDAV and block outgoing SMB connections on ports 445 and 139. Additionally it has also released a software tool that changes the way Windows searches for DLL files. There are different versions of tool depending upon the Windows versions you use. You can download the tool from here.

About 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files on Windows OS (at least XP, Vista and Windows 7).

According to Mitja Kolsek, CEO of Acros Security, the critical vulnerability, which has already been patched in Apple's iTunes media player for Windows and VMware Tools, will be difficult to fix, because each application will ultimately need to receive its own patch.

Security experts from Acros have found that about 200 of the 220 applications they've tested so far suffer from this “binary-planting bug”. The bug allows attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file.

Until a fix is released users can reduce their exposure by blocking outbound SMB connections on ports 445 and 139 and on WebDAV. This will not prevent attacks originating from the local networks which can be a problem in large organizations, where compromised machines infect other PCs in the network.

A detailed advisory can be found here.

The "DHL delivery" related mail carrying variants of Trojan.Bredolab, Trojan.Oficla and
many others are still on our radar.


Current email comes from the spoofed address like

-DHL Parcel Support
-DHL Tracing Support
-DHL Manager Elsa Addison
-DHL Manager Magdalena Lindsey
-DHL Delivery Services

having common subjects

-DHL Tracking number 844018042457
-DHL Tracking NR 3119547460
-DHL Servise. Get your parcel ID1345
-DHL Delivery. Please get your parcel NR3243
-DHL Delivery. Get your parcel NR23245
-DHL Delivery. Get your parcel ID09554
-DHL Delivery Service. Error in delivery address
-DHL International. Your Parcel Number 7889
-DHL Servise. Parcel number 76980

If a user fall prey to such mail he/she eventually end up having Security Tool Rogueware install on system. Quick Heal detect and removes Rogueware.SecurityTool

Domain name scams

Intellectual property is a very complex area and covers a vast range of diverse subjects. As a result, there are opportunities for bad guys and fake organizations to take advantage of those wishing to secure protection for their domains.

Recently we received a mail as below.
----------------------------------------
Subject: Urgent Message- About Internet intellectual Property Issue
From: "Andy Wang"

(If you are not in charge of this , please transfer this urgent email to your CEO. Thanks )

Dear CEO,

We are a leading internet solutions organization in Asia, and we have something urgent to confirm with you. Yesterday we received a formal application from a company called " Meller Investment Co., Ltd ". They were trying to apply for " quickheal" as Brand Name and following Domain Names through our organization:

quickheal.com.hk
quickheal.com.tw
quickheal.hk
quickheal.net.cn
quickheal.tw


After our initial examination, we found that the Brand Name and Domain Names above are similar to yours. These days we have been dealing with it. Now we hope to get your affirmation. If your company did not authorize the aforesaid company to register these, please contact us as soon as possible.


In addition, we hereby declare that time limit for this issue is 7 workdays. If your company don’t respond within the time limit, we will unconditionally approve the application submitted by Meller Investment Co., Ltd.


Best Regards,


Andy Wang
Senior Examinant
----------------------------------------


These email pretends to be acting in your favor, are nothing but lies and just a way for these companies to generate more business. They contact you and make you believe that a foreign company is trying to purchase websites using your domain and trademark names. They portrait as a responsible and caring Domain Name Registration Service, they first contacts you, the owner of the existing domains and trademarks, and will give you the amazing opportunity to get these website names first and therefore protect your brand.

The scammers behind this are using two of the greatest marketing tricks.

The first is the "likability". They make you almost like them; by appearing to be nice, diligent and on your side.

The next is the "scarcity". You may never have considered registering your domain in other countries, but when you find that someone else is about to grab your precious name and it won't be available anymore, you suddenly develop an irrational urge to buy this n.ame

It’s a scam, please dont respond to them.

As per Sanjay’s earlier blog, the Independence Day offer of Quick Heal Technologies, provided three additional months of updates for free if the Quick Heal product was activated on 14th, 15th or 16th August 2010.

Due to the popular demand of this offer Quick Heal Technologies has extended the offer till 18th August 2010. So grab your copy of Quick Heal, and activate it immediately.

Celebrations of 64th Independence Day for 15th August 2010 has already begin. Independence Day is our opportunity to celebrate India's hard fought freedom. It is a time to reflect on how far the nation has come. As we Indian's celebrate the 64th Independence Day, we are faced with greater challenges and more responsibility towards the nation. We take on the challenge of standing against the new generation cyber crime by becoming more vigilant, innovative and responsible. We are committed to virus free Cyber world.

On behalf of Quick Heal Team, I extend my best wishes to every citizen of India. May each of you and your families have a safe and happy 15th of August.

Quick Heal brings to you Independence Day Special Offer. Buy and register your Quick Heal before 16th August and get 3 months of extra updates free.
Visit offer page for more details.

New online game where you can adopt your very own pet monster offered by Moshi Monster, seem to be catching up. As we witnessed SEO Poisoning with Moshi Monster.

When searched in Google it returned



Visiting poisoned links lead to Rogueware installation FraudTool.MySecurity

Users of iPad, iPhone and iPod Touch and can heave a sigh of relief as Apple has kept its word and released a security patch for a vulnerability that could have exposed the concerned devices to malicious attacks.

The vulnerability existed in Apple’s Safari browser and the way it handled Adobe Acrobat PDF documents. For example, if a PDF file containing malicious code was downloaded using Mobile Safari browser it gave remote attackers a chance to take complete control of a vulnerable device. This exploit was also said to have imitated JailbreakMe utility that allowed iPhone users to run non-Apple approved applications.

The iOS 4.0.2 update for iPhone and iPod Touch can be downloaded and installed using iTunes. For additional information, visit Apple's support advisory HT4291. The same process can be used to update Apple iPads to version 3.2.3 of iOS, with detailed information about the vulnerability published on Apple's support knowledgebase.

I will recommend Apple iPad, iPhone and iPod Touch users to apply this patch on priority otherwise the exposed devices may be prone to malicious attacks.

Microsoft has released its security bulletin for August 2010. This month Microsoft has released 15 bulletins, addressing total 32 vulnerabilities.

Out of the 15 bulletins, nine bulletins have been rated "Critical" and six bulletins have been rated "Important". 11 bulletins are related to "Remote Code Execution" vulnerability and four bulletins are related to "Elevation of Privilege" vulnerability.

The following vulnerabilities have been rated “Critical”:

- Bulletin MS10-046 resolves vulnerability in Windows Shell that could allow remote code execution if the icon of a specially crafted shortcut is displayed in Microsoft Windows operating system.
- Bulletin MS10-049 resolves two vulnerabilities in Secure Channel (SChannel) security package in Windows that could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser, in Microsoft Windows operating system.
- Bulletin MS10-051 resolves vulnerability in Microsoft XML Core Services that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer, in Microsoft Windows operating system.
- Bulletin MS10-052 resolves vulnerability in Microsoft MPEG Layer-3 audio codecs that could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content, in Microsoft Windows operating system.
- Bulletin MS10-053 resolves six vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page using Microsoft Internet Explorer.
- Bulletin MS10-054 resolves three vulnerabilities in Microsoft Windows that could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system, in Microsoft Windows operating system.
- Bulletin MS10-055 resolves vulnerability in Cinepak Codec that could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content, in Microsoft Windows operating system.
- Bulletin MS10-056 resolves four vulnerabilities that could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message, in Microsoft Office.
- Bulletin MS10-060 resolves two vulnerabilities that could allow remote code execution on a client system, if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application.

The following vulnerabilities have been rated “Important”:

- Bulletin MS10-047 resolves two vulnerabilities that could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application, in Microsoft Windows operating system.
- Bulletin MS10-048 resolves four vulnerabilities in Windows kernel-mode drivers that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application in Microsoft Windows operating system.
- Bulletin MS10-050 resolves vulnerability in Windows Movie Maker that could allow remote code execution if an attacker sent a specially crafted Movie Maker project file and convinced the user to open the specially crafted file in Microsoft Windows operating system.
- Bulletin MS10-057 resolves vulnerability in Microsoft Office that could allow remote code execution if a user opens a specially crafted Excel file.
- Bulletin MS10-058 resolves two vulnerabilities that could allow elevation of privilege due to an error in the processing of a specific input buffer in Microsoft Windows operating system.
- Bulletin MS10-059 resolves vulnerability in Tracing Feature for Services that could allow elevation of privilege if an attacker runs a specially crafted application in Microsoft Windows operating system.

The above bulletins released this month provides security updates for Microsoft Windows operating system, Microsoft Office, Microsoft Internet Explorer, Microsoft .NET Framework and Microsoft Silverlight.

For detailed information of all the bulletins and the corresponding vulnerabilities addressed, please visit Microsoft Security Bulletin Summary - August 2010 page.

I will recommend users to set Windows Update in Install updates automatically mode. So the important patches get applied automatically.

A new variant of TrojanPSW.Zbot campaign themed
- FDIC has officially named your bank failed bank
- An unauthorized transaction billed to your bank account
- You are in a higher tax bracket
- Your Order with Amazon.com” is currently flooding the mailboxes

The email pretends to be from the
- American Bankers Association
- FDIC
- Tax Commissar
- Internal Revenue Service

Invites the victim to review the attached report.







The file transaction report.exe , tax statement.exe, tax report.exe is a Banking Trojan used to steal banking credentials from the victim (including confidential details such username, password, credit card number, etc.). By harvesting cookies and accessing other information, the criminals can extract a lot of personal information which can be used to increase their chances to get access to the victim’s online banking account.