WARNING: Use of the Blogger Navigation Bar to surf random blogs via the "Next Blog" button can compromise your computer's security!

Wednesday, June 22, 2005

Spyware Danger Meets Rootkit Stealth

Cool Web Search spyware has gotten nastier and harder to remove. A new variant is using rootkit-like methods to hide from removal attempts.

Read more on how the Cool Web Search Spyware Danger Meets Rootkit Stealth

~~~~~~~~~~

"The 1st Commandment of Internet Security:
Thou shalt not surf with Internet Explorer"

posted by FermatsEnigma at 9:37 AM

Friday, June 17, 2005

Spyware Floods In Through BitTorrent

The new darling of file trading formats, BitTorrent, is now a distribution point for spyware/adware.

The article states that Direct Revenue and Marketing Metrix Group are responsible for the infected files. Check your HiJack This logs for "nail.exe" and "aurora.exe"; they will be listed alongside "btdownloadgui.exe".

Marketers that use adware/malware like this should be considered lower than lawyers and used car salesmen. If you're one of these scumbags, please, please, do the world a favor by going home and killing yourself.

Here are the full details on how Spyware Floods In Through BitTorrent

Download HiJack This and others at this Spywareinfo page.

posted by FermatsEnigma at 5:50 PM

Wednesday, June 08, 2005

New Triple virus wears down computer defences

A three-way tag team of baddies is out there waiting to turn personal computers into zombies.

Here's where to read more about how the New Triple virus wears down computer defences

posted by FermatsEnigma at 5:21 PM

Tuesday, June 07, 2005

Spoofing Risk Returns to Mozilla Browsers

Watch out when surfing trusted sites and strange sites at the same time, is the word from Secunia, a Denmark-based security company. New versions of Mozilla browsers have just been found to have a frame-injection vulnerability.

Never fear, though: the Mozilla Foundation is already looking into it. And take notice, they didn't have anyone arrested or sued for pointing out a vulnerability.

Read about how the Spoofing Risk Returns to Mozilla Browsers

posted by FermatsEnigma at 5:40 PM

Friday, June 03, 2005

WORM_BOBAX.P - Description and solution

As of June 3, 2005, 1:38 AM PDT (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this malware is spreading in Australia, India, Ireland, Japan, Peru, Singapore, and the United States.

This memory-resident worm usually arrives on a system as a downloaded file of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

The message it sends out contains the following details:

Subject: {blank}

Message body: (any of the following)

• Attached some pics that i found
• Check this out :-)
• Hello,
• I was going through my album, and look what I found..
• Long time! Check this out!
• Osama Bin Laden Captured.
• Remember this?
• Saddam Hussein - Attempted Escape, Shot dead
• Secret!
• Testing

(followed by any of the following strings)

• +++ Attachment: No Virus found
• +++ F-Secure AntiVirus - You are protected
• +++ Norman AntiVirus - You are protected
• +++ Norton AntiVirus - You are protected
• +++ Panda AntiVirus - You are protected
• +++ www.f-secure.com
• +++ www.norman.com
• +++ www.pandasoftware.com
• +++ www.symantec.com

Attachment: (any of the following names followed by a .ZIP extension)

• bush.1
• funny.1
• joke.1
• pics.1
• secret.2

When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.

It also propagates by taking advantage of the Windows LSASS vulnerability. Furthermore, it is capable of modifying the system's HOSTS file in order to prevent users from accessing certain Web sites.

Get the complete picture on WORM_BOBAX.P - Description and solution

posted by FermatsEnigma at 1:18 PM

WORM_MYTOB.BI - Description and solution

As of May 31, 2005 9:11 AM PDT (Pacific Daylight Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.BI. TrendLabs has received several infection reports indicating that this malware is spreading in Belgium, Japan, Korea, India, United States, United Kingdom, and Germany.

Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 29,868 to 29,882 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Upon execution, it drops a copy of itself using the file name LIEN VAN DE KELDERRR.EXE in the Windows system folder.

The email message it sends has the following details:

Subject: (any of the following)

- {Random}
- *DETECTED* Online User Violation
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- *WARNING* Your Email Account Will Be Closed
- Account Alert
- Email Account Suspension
- Important Notification
- Notice of account limitation
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons

Message body: (any of the following)

- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- Please read the attached document and follow it's instructions.
- Please see the attachement.
- The original message has been included as an attachment.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We attached some important information regarding your account.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (any combination of the following file names and extensions)

File name:
- {random}
- account-details
- document
- document_full
- email-doc
- email-info
- info
- information
- info-text
- instructions
- your_details

Extension:
- BAT
- CMD
- EXE
- PIF
- SCR
- ZIP

It gathers target email addresses from the Temporary Internet Files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm also takes advantage of the LSASS vulnerability to propagate. For more information about the said vulnerability, please refer to the following Microsoft Web page:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

It opens a random port, allowing a remote user to access and perform malicious commands on affected machines. The said routine provides the remote user virtual control over affected systems, thus compromising system security.

Moreover, it prevents affected users from accessing several antivirus and security Web sites by redirecting the connection to the local machine. It also terminates several processes.
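The HOSTS-file redirection that this write-up and the BOBAX.P one above describe is something a defender can check for directly. The following is an added example, not code from the original post or from Trend Micro; the watch list and the sample HOSTS content are constructed from the vendor names the page mentions.

```python
# Added example, not from the original post or from Trend Micro: check a Windows
# HOSTS file for the redirection described above, where a worm points security
# vendor names at the local machine so that updates and help pages cannot load.
import ipaddress

# Registrable domains to watch, constructed from the vendor names in the BOBAX.P
# lure strings above plus microsoft.com; a real deployment would use its own list.
WATCHED_DOMAINS = (
    "f-secure.com", "norman.com", "pandasoftware.com", "symantec.com", "microsoft.com",
)

# Constructed sample HOSTS content: legitimate loopback and LAN entries alongside
# vendor names pinned to loopback or unspecified addresses.
SAMPLE_HOSTS = """\
# constructed sample, not a real infected file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       www.f-secure.com  f-secure.com
0.0.0.0         update.symantec.com
192.168.1.10    fileserver   # legitimate local entry
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name is a watched domain or any host beneath one."""
    return any(name == d or name.endswith("." + d) for d in watched)

def find_hijacked(text, watched=WATCHED_DOMAINS):
    """Return watched names the HOSTS file sends to the local machine, sorted.

    Only loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets are flagged,
    matching what the advisories describe; other overrides are left alone.
    """
    hits = {name for ip, name in parse_hosts(text)
            if (ip.is_loopback or ip.is_unspecified) and is_watched(name, watched)}
    return sorted(hits)
```

On a live machine, pass the contents of %SystemRoot%\System32\drivers\etc\hosts instead of SAMPLE_HOSTS.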

This worm also downloads a file, which Trend Micro detects as TSPY_AGENT.H. The downloaded file then drops an adware that Trend Micro detects as ADW_MEDTICKS.A.

It affects Windows 98, ME, NT, 2000, and XP.

Get all the details at WORM_MYTOB.BI - Description and solution

posted by FermatsEnigma at 1:15 PM

WORM_MYTOB.AR - Description and solution

As of May 30, 2005 3:12 AM PST (PDT/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.AR. TrendLabs has received several infection reports indicating that this malware is spreading in Australia, China, Hong Kong, India, Japan, Korea, the Philippines, Taiwan, and the United States.

The following is a brief summary of what this worm is capable of doing:

This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

This email message has the following details:

Subject: (any of the following)
• {Random}
• *DETECTED* Online User Violation
• *IMPORTANT* Please Validate Your Email Account
• *IMPORTANT* Your Account Has Been Locked
• *WARNING* Your Email Account Will Be Closed
• Account Alert
• Email Account Suspension
• Important Notification
• Notice of account limitation
• Notice: **Last Warning**
• Notice:***Your email account will be suspended***
• Security measures
• Your email account access is restricted
• Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• please look at attached document.
• Please read the attached document and follow it's instructions.
• Please see the attachement.
• The original message has been included as an attachment.
• To safeguard your email account from possible termination, please see the attached file.
• To unblock your email account acces, please see the attachement.
• We attached some important information regarding your account.
• We have suspended some of your email services, to resolve the problem you should read the attached document.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (any combination of the following file names and extension names)

File name:

• {random}
• account-details
• document
• document_full
• email-doc
• email-info
• information
• info
• info-text
• instructions
• your_details

Extension name:

• EXE
• PIF
• SCR
• ZIP

This worm also takes advantage of the LSASS vulnerability to propagate.

This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot that allows it to connect to a specific IRC server. It then waits for commands from a remote user.

It also terminates processes, some of which are related to antivirus and security programs.
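The subject, body and attachment lists for MYTOB.BI and MYTOB.AR above are exactly what a mail gateway would key on. The following rule is an added example, not code from the original post or from Trend Micro; the lure tables are transcribed from the two advisories, and any messages you feed it are assumed to be pre-parsed into subject, body and attachment name.

```python
# Added example, not from the original post or from Trend Micro: a mail-filter
# rule built from the MYTOB.BI / MYTOB.AR lure lists above. A message is flagged
# only when it carries an attachment with one of the listed extensions, so a
# legitimate "Account Alert" with no executable attached is left alone.
import os

LURE_SUBJECTS = {
    "*detected* online user violation",
    "*important* please validate your email account",
    "*important* your account has been locked",
    "*warning* your email account will be closed",
    "account alert", "email account suspension", "important notification",
    "notice of account limitation", "notice: **last warning**",
    "notice:***your email account will be suspended***", "security measures",
    "your email account access is restricted",
    "your email account is suspended for security reasons",
}
# Distinctive fragments of the listed body texts, misspellings included: the
# typos are part of the lure and are good detection material.
LURE_BODY_FRAGMENTS = (
    "please see the attachement", "please look at attached document",
    "follow it's instructions", "your account records will not be interrupted",
    "email account acces", "we attached some important information",
    "suspended some of your email services", "violation of our site policy",
)
LURE_FILE_NAMES = {
    "account-details", "document", "document_full", "email-doc", "email-info",
    "info", "information", "info-text", "instructions", "your_details",
}
RISKY_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}

def classify(subject, body, attachment):
    """Return the reasons a message matches the MYTOB lure pattern ([] if none).

    The {random} file-name case is covered: subject and body are checked
    independently of the attachment name once a risky extension is present.
    """
    reasons = []
    name, ext = os.path.splitext(attachment.strip().lower())
    if ext not in RISKY_EXTENSIONS:
        return reasons  # the worm always ships as one of these; skip the rest
    if name in LURE_FILE_NAMES:
        reasons.append("attachment name and extension from lure list")
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject from lure list")
    text = " ".join(body.lower().split())  # normalise whitespace before matching
    if any(frag in text for frag in LURE_BODY_FRAGMENTS):
        reasons.append("body text from lure list")
    return reasons
```

A constructed message with subject "Account Alert", body "Please see the attachement." and attachment email-info.zip returns all three reasons, while the same message with the attachment renamed email-info.txt returns none.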

More Details on WORM_MYTOB.AR - Description and solution

posted by FermatsEnigma at 1:13 PM

Saturday, May 28, 2005

Download Lavasoft's Adaware SE 1.06 Free

Lavasoft has a new version of Adaware out, SE version 1.06. Download it here: Download Lavasoft's Adaware SE 1.06 Free.

Scroll down the page to the section titled "Adaware SE Personal". The only choice of download site is CNET's Download.com.

posted by FermatsEnigma at 12:58 AM

Friday, May 20, 2005

Malicious Bots Hide Using Rootkit Code

Good article on rootkits at the link below. Windows XP/2K are vulnerable to these, whereas Win 9x is not. There are a couple of products for detecting and removing rootkits. One is Sysinternals' freeware RootkitRevealer, available at Rootkit Revealer.

The other is F-Secure's BlackLight. This is a time-limited beta product. It will stop functioning on July 1st, 2005. After that I assume F-Secure will begin charging. BlackLight needs .NET installed for its GUI. The beta is located here: Blacklight

Malicious Bots Hide Using Rootkit Code

posted by FermatsEnigma at 1:00 PM