<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.7" -->
<rss version="0.92">
<channel>
	<title>Malware Diaries</title>
	<link>http://blogs.paretologic.com/malwarediaries</link>
	<description>Malware Diaries, a blog about the job of a security researcher</description>
	<lastBuildDate>Fri, 03 Jul 2009 23:26:21 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>&#8216;Wake on Lan&#8217; site hosts malware</title>
		<description>Until today I did not know what Wake on LAN was. That is, until I came upon a site called "reveilpc.com" and found out.

It's an interesting feature that lets you remotely turn a computer on by sending 'magic packets' (I'm not making this up! lol).

Well, the site first got ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/07/03/wake-on-lan-site-hosts-malware/</link>
			</item>
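For readers who, like the author, had not met Wake on LAN before: the "magic packet" is a UDP payload with no authentication at all, six 0xFF bytes followed by the target MAC address repeated sixteen times, optionally followed by a 4- or 6-byte "SecureOn" password that travels in cleartext. The Python below is an added example written for this page, not code from the Malware Diaries post or from reveilpc.com. It builds a packet, validates one received off the wire (rejecting a bad sync stream, a bad length, or MAC copies that disagree) and sends one as a broadcast; the MAC address and password used in the demo are constructed values.

```python
import socket

SYNC = b"\xff" * 6   # six 0xFF bytes open every magic packet
MAC_REPEATS = 16     # the target MAC follows, repeated sixteen times


def parse_mac(text):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff'; return the 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes, got %d" % len(raw))
    return raw


def build_magic_packet(mac_text, password=b""):
    """Return the 102-byte magic packet, plus an optional 4- or 6-byte SecureOn password."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return SYNC + parse_mac(mac_text) * MAC_REPEATS + password


def parse_magic_packet(payload):
    """Validate a received payload and return (mac_text, password), or raise ValueError.

    A careful listener checks the sync stream, the overall length and that all
    sixteen MAC copies agree before acting on what is, after all, an
    unauthenticated broadcast."""
    body_len = len(payload) - 6
    if payload[:6] != SYNC or body_len not in (96, 100, 102):
        raise ValueError("not a magic packet")
    mac = payload[6:12]
    for i in range(MAC_REPEATS):
        chunk = payload[6 + 6 * i:12 + 6 * i]
        if chunk != mac:
            raise ValueError("MAC copy %d does not match" % i)
    password = payload[102:]          # empty when no SecureOn password is present
    return ":".join("%02x" % b for b in mac), password


def is_magic_packet(payload):
    """Boolean convenience wrapper around parse_magic_packet."""
    try:
        parse_magic_packet(payload)
        return True
    except ValueError:
        return False


def send_magic_packet(mac_text, broadcast="255.255.255.255", port=9):
    """Send the packet as a UDP broadcast (port 9, 'discard', is the usual choice)."""
    pkt = build_magic_packet(mac_text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    # Constructed demo MAC; nothing is sent on the network here.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), "bytes:", pkt.hex())
    print("parsed as", parse_magic_packet(pkt))
```

Because nothing in the packet proves who sent it, any host that can reach the broadcast domain (or a router that forwards directed broadcasts) can power the machine on, and a SecureOn password seen once on the wire can be replayed. Treat Wake on LAN as a convenience feature to be confined to management networks, not as an access control.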
	<item>
		<title>Follow me on Twitter</title>
		<description>If you don't already know it, I am on Twitter. Get the latest security updates on there!



Jerome Segura </description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/07/03/follow-me-on-twitter/</link>
			</item>
	<item>
		<title>New Koobface variant</title>
		<description>Caught this one in our Honeypots:

It's a Koobface Worm variant and not really detected as of yet:

We proactively detect it with our Heuristic engine:

Jerome Segura

Malware ID: cd83349f99c282256ae428e6a4a3ae92.zip </description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/07/03/new-koobface-variant/</link>
			</item>
	<item>
		<title>Malware repo gets updated</title>
		<description>This is an update from my previous post. I noticed an update to one of the pages on the malicious site

oymoma-tube.freehostia.com

Check the screen below and see the July 3rd time stamp:

The page hot-tube.htm is now pushing a rogue, namely XP Deluxe Protector, disguised as a free codec:

Upon execution, fake alert ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/07/03/malware-repo-gets-updated/</link>
			</item>
	<item>
		<title>Unsanitized repo of fake codecs</title>
		<description>Sometimes spending the extra work hours pays off. Actually I kind of get into a groove after searching and things come easily... that is until my wife phones me up!

Anyway, I was investigating a site and checked its source code for anything of interest.

There was a strange link pointing to ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/07/02/unsanitized-repo-of-fake-codecs/</link>
			</item>
	<item>
		<title>New Jahlav Mac Trojan variant</title>
		<description>Our HoneyPots found a new variant of the Jahlav Trojan, targeting Mac OS X:

The "dmg" file is hosted on yescrome.com:

So far, only Sophos detects this piece of malware.

Edit: I meant to say that only Sophos detects this sample out of all the AV vendors on Virus Total.

I have been informed ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/07/02/new-jahlav-mac-trojan-variant/</link>
			</item>
	<item>
		<title>Happy Canada Day!</title>
		<description>Tomorrow is Canada Day. It is our national holiday.

It was 8 years ago that I first came to Canada for a visit to Halifax, N.S. That's at the same time I met my future wife.

Years have passed and I am still loving this country.

Jerome Segura </description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/06/30/happy-canada-day/</link>
			</item>
	<item>
		<title>New ad-clicker Trojan</title>
		<description>Our Honeypots caught this drive-by download from the following site:

Looks like another blog... the word 'porn' is used, well, abundantly.

The site is registered to some guy in Panama.

Other domains sharing the nameserver:

They all point to this fake codec site:

The malware file, as with many fake codecs is from exe-xxx-file.com.

A quick Virus ...</description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/06/30/new-ad-clicker-trojan/</link>
			</item>
	<item>
		<title>Michael Jackson malware in Italian</title>
		<description>As rumors run crazy about Michael Jackson's death, one thing is for certain: malware authors are rejoicing.

This one is from an old friend (so to speak). Do you remember youtorube? Well, it is the same IP striking again:

Jerome Segura

Malware ID: 33956a21473022daf214311deb131135.zip </description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/06/30/michael-jackson-malware-in-italian/</link>
			</item>
	<item>
		<title>Fake Celebrities site drops malware</title>
		<description>This site popped up on my radar... The fake Flash Player is malware, of course.

I was very surprised to see that only 3 AV vendors detect this threat!

Jerome Segura

Malware ID: 260f8513934016b9eafb6e9edf650c01.zip </description>
		<link>http://blogs.paretologic.com/malwarediaries/index.php/2009/06/29/fake-celebrities-site-drops-malware/</link>
			</item>
</channel>
</rss>
