‘Wake on LAN’ site hosts malware
July 3rd, 2009
Until today I did not know what Wake on LAN was. That is, until I came upon a site called “reveilpc.com” and found out. It’s an interesting feature that lets you remotely turn a computer on by sending ‘magic packets’ (I’m not making this up! lol). Well, the site first got my attention because it was linking to malware. The site’s IP address is 213.246.56.31, and guess what’s in there? … A nasty EXE file!!!! The file is a password stealing Trojan:

Jerome Segura

Malware ID: 1f919adedbaa909cd62d4e858fdf6bf3.zip
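For readers who, like the author, had not met Wake on LAN before: the “magic packet” is a UDP datagram (conventionally to port 9 or 7, sent to the broadcast address) whose payload is six 0xFF bytes followed by the target’s MAC address repeated sixteen times, optionally followed by a 4- or 6-byte “SecureOn” password. The code below is an added example and is not from the original post or from the site it describes; it builds a packet, parses one out of a captured payload, and can send it. The MAC address and the sample payloads are constructed for illustration.

```python
import socket

SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return a Wake-on-LAN magic packet for the given MAC address.

    Layout: 6 x 0xFF, then the 6-byte MAC repeated 16 times (96 bytes),
    then an optional 4- or 6-byte SecureOn password.  Total is 102 bytes
    without a password.
    """
    clean = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(clean) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(clean)
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + mac_bytes * 16 + password


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload contains a
    well-formed magic packet, otherwise None.

    The sync stream may appear anywhere in the payload (NICs scan for it),
    so this is also what a detection rule on a UDP capture has to do.
    """
    idx = payload.find(SYNC)
    if idx < 0:
        return None
    body = payload[idx + len(SYNC):]
    if len(body) < 96:
        return None  # truncated: fewer than 16 MAC repetitions
    mac = body[:6]
    if body[:96] != mac * 16:
        return None  # repetitions disagree: not a magic packet
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet for mac; returns the number of bytes sent.
    Requires a network and broadcast permission, so it is not exercised
    by the offline checks below."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample: a MAC chosen for illustration, not a real host.
    sample = build_magic_packet("00:11:22:33:44:55")
    print(len(sample), "bytes;", "parsed MAC:", parse_magic_packet(sample))
```

Two caveats worth keeping in mind when you see this protocol in the wild: the packet carries no authentication, so anyone who can reach the broadcast domain (or a router that forwards directed broadcasts) can power on machines, and the optional SecureOn password travels in cleartext in the same datagram, so it is no stronger than the network it crosses.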
Follow me on Twitter
July 3rd, 2009
If you don’t already know it, I am on Twitter. Get the latest security updates on there!

Jerome Segura
New Koobface variant
July 3rd, 2009
Caught this one in our Honeypots: It’s a Koobface Worm variant and not really detected as of yet: We proactively detect it with our Heuristic engine:

Jerome Segura

Malware ID: cd83349f99c282256ae428e6a4a3ae92.zip
Malware repo gets updated
July 3rd, 2009
This is an update from my previous post. I noticed an update to one of the pages on the malicious site oymoma-tube.freehostia.com. Check the screen below and see the July 3rd time stamp: The page hot-tube.htm is now pushing a rogue, namely XP Deluxe Protector, disguised as a free codec: Upon execution, fake alert messages such as this one: Eventually the scareware will run: This sample is poorly detected, especially for being a variant of an already known rogue: Paretologic detects this file as:

Jerome Segura

Malware ID: dcfe992aa25bb1849c1e9f8c2c5d3c5b.zip
Unsanitized repo of fake codecs
July 2nd, 2009
Sometimes spending the extra work hours pays off. Actually I kind of get into a groove after searching and things come easily… that is until my wife phones me up! Anyway, I was investigating a site and checked its source code for anything of interest. There was a strange link pointing to a gif file that I decided to follow. It took me to this page, a nice little repository of malicious pages pushing fake video codecs: oymoma-tube.freehostia.com As you can see, some of the pages have just been updated today, while others are a little older. Here are some examples of the pages hosted there. They also have redirect links to other malware sites.

Jerome Segura

And for our partners, I’ve uploaded to our FTP share some of the samples I could grab.

Malware ID: 0d23a0aa75658d81698c727261503628.zip
Malware ID: 6d3b3cd07df5db7f4512a503ace750ac.zip
Malware ID: da3f8fc504e1a640fbc0ae8da568dec7.zip
Malware ID: ee222a68e35225115a1dceac34026ab6.zip
New Jahlav Mac Trojan variant
July 2nd, 2009
Our HoneyPots found a new variant of the Jahlav Trojan, targeting Mac OS X: The “dmg” file is hosted on yescrome.com: So far, only Sophos detects this piece of malware.

Edit: I meant to say that only Sophos detects this sample out of all the AV vendors on Virus Total. I have been informed that Intego VirusBarrier X5 also detects this Trojan. For more info about Mac security, go to their blog.

Jerome Segura

Malware ID: 428143005e07e510302ba431fe0c28cc.zip
Happy Canada Day!
June 30th, 2009
Tomorrow is Canada Day. It is our national holiday. It was 8 years ago that I first came to Canada for a visit to Halifax, N.S. That’s at the same time I met my future wife. Years have passed and I am still loving this country.

Jerome Segura
New ad-clicker Trojan
June 30th, 2009
Our Honeypots caught this drive-by download from the following site: Looks like another blog… the word ‘porn’ is used, well, abundantly. The site is registered to some guy in Panama. Other domains sharing nameserver: They all point to this fake codec site: The malware file, as with many fake codecs, is from exe-xxx-file.com. A quick Virus Total analysis reveals that this file is pretty much unknown to most AV vendors: If you happen to be infected with that Trojan, it will not go unnoticed: Those links are dangerous, stay away unless you know what you’re doing.

Jerome Segura

Malware ID: 749ebc5c812c3d26022a4df847b11d09.zip
Michael Jackson malware in Italian
June 30th, 2009
As rumors run crazy about Michael Jackson’s death, one thing is for certain: malware authors are rejoicing. This one is from an old friend (so to speak). Do you remember youtorube? Well, it is the same IP striking again:

Jerome Segura

Malware ID: 33956a21473022daf214311deb131135.zip
Fake Celebrities site drops malware
June 29th, 2009
This site popped up on my radar… The fake Flash Player is malware, of course. I was very surprised to see that only 3 AV vendors detect this threat!

Jerome Segura

Malware ID: 260f8513934016b9eafb6e9edf650c01.zip