Smart Security (also known as Smart security) is a rogue anti-spyware application that was simply copied from the “famous” malware Security Tool. Using all the same malicious techniques and borrowing the name of the legitimate ESET Smart Security, this new variant spreads mostly through the use of Trojan viruses. Of course, spam emails or [...]

April 3 cannot come soon enough for those who are eager to get their hands on the iPad. If anything, Apple’s recent announcement that the gadget will soon be available in the United States only added to the excitement over the much-talked-about gadget. Unfortunately, spammers are using the current enthusiasm over the iPad to their advantage as well.
In fact, Trend Micro anti-spam research engineers have already seen a number of spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities.
The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities. As Trend Micro anti-spam research engineer, Argie Gallego, recommends, “Users should be suspicious of any freebies offered online, particularly those requiring sensitive personal information such as full name and contact numbers. We have only seen a number of iPad-related spam so far but we expect the numbers to rise as April 3 draws near.”
This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks as seen in the past. Interestingly, Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click.
Trend Micro™ Smart Protection Network™ prevents spammed messages from reaching users’ inboxes via the Web reputation service.
Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.
Post from: TrendLabs | Malware Blog - by Trend Micro
iPad Giveaway Gives Users’ Identities Away

Antivirus 7 is a rogue antivirus program that reports false threats and displays fake security alerts to convince you that your computer is infected with computer worms, Trojan viruses and other malware. It pretends to be legitimate security software, but this fake program is actually promoted and installed through the use of Trojans [...]

It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year’s Academy Awards, Trend Micro threat researchers found FAKEAV variants top-billing the search result pages.
This time around, users searching for news on the Oscars fall prey to the latest blackhat search engine optimization (SEO) attack, which uses the search term “oscar winners 2010 live”. Almost 80% of the results on the first page alone lead to the download of a FAKEAV binary detected by Trend Micro as TROJ_FAKEAV.ZZH.
The said variant has been observed to connect to a remote web site to send and receive information. It is also able to download other malware, Mal_Xed-22 and TROJ_VUNDO.SMAT included.
With the continued proliferation of blackhat SEO attacks leading to FAKEAV, it is apparent that cybercriminals intend to continue riding on top web searches. Users are thus reminded to exercise extreme caution when visiting sites especially with Oscar fever still running high.
Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of TROJ_FAKEAV.ZZH via the file reputation service.
Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.
Post from: TrendLabs | Malware Blog - by Trend Micro
Oscars 2010 Awards Users with FAKEAV

that’s RAT as in remote access trojan, for the uninitiated.
by now i’m sure most security folks have heard about this but if you haven’t yet, here’s the US-CERT advisory, symantec’s blog entry by liam murchu, a sophos blog post by graham cluley, a blog post at cybercrime & doing time by gary warner, a sunbelt blog post by tom kelchner, a zero day security blog post by ryan naraine, and that’s just the tip of the iceberg.
now the reason i’m writing about this story that so many other people have written about when i normally eschew over-reported news events is because i have a personal stake in this - i actually have the offending device. worse still, i had the software in question installed on one of my computers since late march of last year. ouch! thanks to a tweet by mikko hypponen i found out about this early saturday morning (thanks mikko, that’s just the way i wanted to start off my weekend) and proceeded to cuss up a storm because this is the first time in my 20+ years of computing that i have legitimately been hit with malware - my perfect record is over.
oh well, enough of that. there are 2 things about this that i think deserve closer scrutiny. the first is that question of whether the malware shipped with the hardware device itself as many have stated, or whether the symantec blog is right and the software was only available as a download from the energizer website. i can’t say conclusively one way or the other but i can offer some evidence that the software was only ever available from the energizer website.
perhaps there was alternate packaging that included the compromised software, but when even the hardware tells you to download the software from the web then it hardly seems necessary for there to ever have been software packaged with it.
the second thing i think deserves examining is the question of what went wrong. as i said, i got hit with this, but could it reasonably have been avoided? that’s a question i’ve been mulling over since saturday. let’s go through the various failures and see if i acted unreasonably recklessly:
trust seems to be the recurring theme here. i trusted the software. maybe i shouldn’t have trusted it, but you can’t get very far in computing without trusting at least some software, and there wasn’t a compelling reason not to trust this software.
one thing to take away from this (or at least something that i’m taking away from it) is that a number of my security behaviours only help to protect me against the unknown. if i trust something, even though i’m wrong, there isn’t much my defenses can do to help me. i will certainly be thinking about ways to overcome that weakness in the future.
of course, since i was behind a NAT-enabled router and wasn’t forwarding port 7777 to the compromised machine, some of my defenses did work - but i was lucky. if it had been some other, more aggressive type of malware things might not have turned out so well for me. or, on the other hand, anything more than the passive listening for commands might have actually tipped me off to the presence of something malicious.
we can play “what if” until we’re blue in the face - i’ve identified both the fact that my defenses have room for improvement and the nature that improvement must take. i’ve also been reminded that what they say really is true - it happens to everyone eventually. it took more than 20 years for me which is longer than most and i’ve been a little cocky about that, but in the end there’s always some weakness, some way in, and if it hadn’t been for my monitoring of security-related events i’d probably still be compromised right now. in the end the thing that helped me the most was my interest in security itself.
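The post above notes that the backdoor only listened passively on port 7777, which is exactly the kind of thing a host-level baseline of listening sockets would have surfaced even when the software itself was trusted. The following script is an added example, not code from the original post; it parses a constructed `netstat -ano`-style listing (no real capture from the compromised machine) and flags listeners outside a hypothetical baseline, noting whether each is bound to all interfaces or loopback only.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Windows `netstat -ano` output (not a real capture).
# The 0.0.0.0:7777 listener stands in for the passive backdoor the post
# describes; 135 and 445 are ordinary Windows services, 1025 is a local-only
# helper service, and the last line is an outbound browser connection.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       2316
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1440
  TCP    192.168.1.5:49700      93.184.216.34:80       ESTABLISHED     2980
"""

# Hypothetical baseline: TCP ports this host is expected to listen on.
BASELINE_LISTENERS = {135, 445}

# One TCP line: local addr:port, foreign addr, state, pid. The `\S+` before
# the port backtracks correctly over IPv6 forms such as [::]:135.
TCP_LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text: str) -> List[Tuple[str, int, int]]:
    """Return (bind_address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = TCP_LINE_RE.match(line)
        if m and m.group("state") == "LISTENING":
            listeners.append((m.group("addr"), int(m.group("port")), int(m.group("pid"))))
    return listeners


def unexpected_listeners(netstat_text: str, baseline=BASELINE_LISTENERS) -> List[Dict]:
    """Flag listeners not in the baseline and classify their exposure.

    A socket bound to 0.0.0.0 or :: is reachable from the LAN, and from the
    internet as soon as a router forwards that port; a loopback binding is not.
    """
    findings = []
    for addr, port, pid in parse_listeners(netstat_text):
        if port in baseline:
            continue
        if addr in ("0.0.0.0", "::", "[::]"):
            exposure = "all interfaces"
        elif addr.startswith("127.") or addr == "[::1]":
            exposure = "loopback only"
        else:
            exposure = "single interface"
        findings.append({"port": port, "pid": pid, "bind": addr, "exposure": exposure})
    return findings
```

Pairing each flagged PID with its executable path (for example via `tasklist /svc`) is the natural next step when triaging a finding like the 7777 listener.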
