Click here… to get infected
July 22nd, 2008
More and more malware authors are tricking people with YouTube knock-offs. And amazingly, it works quite well. Curiosity kills the cat. Well, here it kills your computer.
JSegura
More Angelina…
July 21st, 2008
First, I can’t help but notice the spelling mistake: Anjelia? Her full name is Angelina Jolie Voight. Anyway, yet another spam campaign, and an extremely popular one, which I even got in my personal mailbox. Funny how the spammers are trying to lure people with Microsoft’s blessing. Looks like some solid cut and paste. If you click on the link, it will open a nasty Trojan.
JSegura
Angelina Jolie malware
July 16th, 2008
Today, our HoneyPot captured a new Trojan named after movie star Angelina Jolie (file name: nude-anjelina.avi.exe). This is a massive spam campaign using different domain names but the same IP address. Interestingly enough, the domains are registered to a Chinese company although the IP is located in Germany.
Fake suspended account still delivers malware: Check out the registrar and the IP location:
Fairly new to AV vendors… unknown to most: JSegura
You got a nice tie Mr Hacker
July 15th, 2008
I came across this picture for a rogue anti-spyware program called IE Antivirus. It kind of made me laugh for two reasons:
Well, I like the degree of professionalism seen here, but I’m not sure it’s depicting the real stuff. They’d be better off showing a kid in his basement playing Halo and checking the status of his botnet every now and again. Anyway, the domain for IE Antivirus is hosted by ESTDOMAINS (from Russia, with love):
Domain Name: free-{removed}.com
Status: clientTransferProhibited
Registrar: ESTDOMAINS, INC.
Expiration Date: 2009-06-18
JSegura
Malware authors messing with SysInternals screensaver
July 14th, 2008
Malware authors seem to be having fun these days. They stole the BSOD screensaver from SysInternals and turned it into malware. Note the message: “SYSINTERNALS_GREAT_SITE”
The screensaver is injected in two locations: the System32 folder, of course, as well as in the System Restore disk.
SysInternals (now owned by Microsoft) has made some really great tools: Process Explorer, Rootkit Revealer just to name a few. JSegura
Spare the environment, spare yourself
July 14th, 2008
It’s hard these days not to be aware of global warming. It already affects millions of people and is progressing at an alarming pace. Anyway, I could go on and on about this, but it wouldn’t really help much, would it? Now, as far as our energy consumption goes, there are many things we can and probably should do. Back in the 80’s and 90’s, people were advised to leave lights on (apparently it cost more to start a light than to leave it on all night). I’m not too sure about that one. Today however, there is a general consensus to turn appliances OFF when you are not using them. I couldn’t agree more with that statement. There is also another reason why you should do it, and this has to do with malware attacks (finally).
In today’s malware threats, botnets are the big topic. They are groups of zombie computers that participate in illegal activities. Zombie computers are anybody’s PCs, which happen to be infected and controlled by hackers. You may not know it, but chances are that your computer is sending out spam while you’re sleeping at night. Hackers can detect if a computer is idle and launch a task then, instead of risking the chance of being exposed while you are on it (why are my hard drive and modem lights going insane?). Anytime your computer is online, you are at risk of being attacked. Contrary to some beliefs, you don’t have to be downloading stuff or surfing the web for something bad to happen. Also, if your machine is already infected, it will gladly enjoy having 100% free resources again after you leave.
For the sake of the environment and for your own protection, it makes sense to turn the PC off when you’re not using it. It’s a hacker’s worst nightmare when he sees his bot-infected machines go offline because suddenly, he can’t control them anymore and his chance of harming you and other people goes down. JSegura
Bit by a dog with the plague
July 9th, 2008
I was going to title this post differently, but I thought it wouldn’t be appropriate for this blog. Anyway, beware of the dog! (picture) It contains a dangerous Trojan that will infect your PC. It comes in the form of an executable that uses social engineering:
- it has a photo editor type of icon
- its name is id_dog0704jpg.exe
Upon running it, a picture of a grumpy-looking dog appears:
In the background, things are happening. It hooks into your system by creating two files set to run when you restart your computer:
It is detected by most (not all though) anti-virus companies.
JSegura
Locked out of my desktop
July 8th, 2008
I came across this annoying little program that pushes a Rogue. I say annoying because it locks your desktop to display either an all white page or a black one, with some fake error message. The file locker.exe creates an Internet Explorer window (containing that fake error) and also an executable that seems to prevent different keystrokes. For example, you can’t do Ctrl+Tab, or Alt+F4.
Needless to say, I am also assaulted by various pop ups and such.
And finally, the app everybody was waiting for, at a cheap price of only $99.95 (“you save more than $400”): JSegura
Kit of the root (RootKit)
July 3rd, 2008
There is something annoying about certain pieces of malware: they are shy and hide from you. However, they do some real nasty stuff in the background, so much so that you may want to get rid of them. I was analyzing some malware samples and found this fake Soundman.exe (the real one is a process from Realtek sound cards). I use Process Explorer (a better Task Manager-like utility) to show me what running processes are on my PC, and see this SoundMan.exe process, right there, doing some bad stuff. Process Explorer tells me that the file is located under c:\Windows, but I can’t find it!
The reason is, this file is a rootkit, which means it has the capability of hiding itself from Windows, as well as from other processes. If Windows won’t show it to you, most likely your antivirus won’t either. You may want to use a rootkit scanner to find it; there are several free tools available. Keep in mind though that not all rootkit scanners will detect AND let you remove the files. Personally, I prefer to use a more “hands on” approach: I grab a Linux boot CD (here I use Ubuntu, one of Linux’s several distros) and reboot the PC under the Linux OS. Then I mount the Windows disk, search for the file and voila!
It is there indeed. By the way, the file is indeed malware:
Jerome Segura
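The boot-CD trick above is a cross-view check: the offline view (Linux reading the NTFS volume) sees files that the live, rootkit-filtered Windows view hides. As an added example, not part of the original post, the script below compares a directory listing captured on the live Windows system (e.g. `dir /b /a C:\Windows`) with the listing of the same folder taken from the mounted disk on the boot CD, and reports what Windows is hiding; the two listings and the file names in them are constructed sample data.

```python
"""Cross-view detection of files a rootkit hides from Windows.

Anything present in the offline (boot CD) listing but absent from the
live Windows listing is being filtered out by something on the live
system, which is exactly the symptom seen with the fake SoundMan.exe.
"""
from __future__ import annotations

import ntpath


def parse_listing(text: str) -> set[str]:
    """Turn a raw listing (one name or full path per line, Windows or Linux
    path style) into a set of lower-cased base names."""
    names: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line in (".", ".."):
            continue
        # Accept full paths from either OS and keep only the final component.
        name = ntpath.basename(line.replace("/", "\\"))
        # NTFS names are case-insensitive, so compare them in lower case.
        names.add(name.lower())
    return names


def hidden_from_windows(live_listing: str, offline_listing: str) -> list[str]:
    """Return the names the offline view shows but the live Windows view does not.
    The reverse difference (live-only names) is not a hiding symptom, so it is ignored."""
    return sorted(parse_listing(offline_listing) - parse_listing(live_listing))


# Constructed sample: what `dir /b /a C:\Windows` reports on the infected PC ...
LIVE_DIR_OUTPUT = """\
explorer.exe
notepad.exe
regedit.exe
system32
"""
# ... and what the same folder looks like from the Ubuntu boot CD (`ls -1`).
OFFLINE_LS_OUTPUT = """\
/mnt/win/Windows/explorer.exe
/mnt/win/Windows/notepad.exe
/mnt/win/Windows/regedit.exe
/mnt/win/Windows/SoundMan.exe
/mnt/win/Windows/System32
"""

if __name__ == "__main__":
    for name in hidden_from_windows(LIVE_DIR_OUTPUT, OFFLINE_LS_OUTPUT):
        print(f"hidden from Windows: {name}")
```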
Caught in the web of AntiSpySpider
June 25th, 2008
Welcome to planet AntiSpy!
An awesome application, “created by the industry’s top spyware experts”. Shouldn’t it be “anti-spyware experts”? Oops… Also, they “protect your computer and your privacy.html”. What’s my privacy.html, some web 2.0 application I don’t know?
Let’s take a look at how they protect my computer: Hijack my desktop:
Hijack my HomePage:
Show me friendly warnings:
And a company everyone wishes they could work for:
I’m glad to hear about the “exceptional customer service” because I really need that right now! JSegura