News archive about antivirus software, virus threats, trojans
March 2007
Pump-and-dump scammers attempt to manipulate German stock exchange -- Posted by Igor_Donchenko on Thursday, March 29 2007
Sophos has warned European investors of the danger of pump-and-dump stock scams following the discovery of a spam campaign designed to manipulate the share price of a company listed on the German stock exchange.
US-based energy company Stonebridge Resources Exploration Ltd announced its listing on the Frankfurt Stock Exchange on 1 March 2007 under the ticker symbol S3C.
Yesterday, SophosLabs™ experts identified an active spam campaign encouraging German investors to buy shares in the company. The scam, known as a "pump-and-dump", works by spammers purchasing stock at a cheap price and then artificially inflating its price by encouraging others to purchase more (often by spamming "good news" or "investment tips" about the company to others). The spammers then sell off their stock at a profit.
Trading in the stock soared as the spam campaign was distributed via email.
"This is the first time we have seen a widespread spam campaign trying to influence a stock market based outside of the USA, and German language users may be at risk of losing money," said Graham Cluley, senior technology consultant for Sophos. "We saw the price of this stock rise immediately after we intercepted the spam campaign, and there is a danger that some people may be fooled into investing in this firm for bogus reasons. It will be interesting to see if stock scammers, who have plagued North American-listed penny stocks for some time, will now turn more of their attention to European markets."
"Some people may be puzzled by the strange use of language in the second half of the email. This is what our labs call 'spamglish' - a mixture of random English words used by spammers in an attempt to slip the email past anti-spam filters," continued Cluley. "This is a classic spammer trick to try and avoid gateway defenses, but should help the human eye identify that the email is far from legitimate."
Sophos's Security Threat Report 2007 revealed that pump-and-dump stock campaigns accounted for approximately 25 percent of all spam last year, up from 0.8 percent in January 2005.
Earlier this month, Sophos reported how the US Securities and Exchange Commission (SEC) had suspended trading in 35 companies as they were found to be commonly referenced in pump-and-dump stock email campaigns.
Source: http://www.sophos.com
Over 50% of infections detected in February were spyware and Trojans reports PandaLabs -- Posted by Igor_Donchenko on Wednesday, March 28 2007
Spyware and Trojans were the malware responsible for most infections in February. As in January, spyware accounted for 33 percent of the infections detected by ActiveScan. Meanwhile, Trojans have increased two points in comparison to January, causing 25 percent of infections.
"The aim of malware creators is purely financial and Trojans and spyware are the best types of malware for this purpose. That is why they are so widely distributed," explains Luis Corrons, Technical Director of PandaLabs.
Other types of malware are far behind these two: worms (6 percent) were third, followed by dialers (5 percent), backdoor Trojans (4 percent) and bots (3 percent).
"Interestingly, 24 percent of infections come under the category 'Other', which includes viruses, cookies, etc. This indicates that there is an increasing variety of malware and the combined impact is considerably serious. In general, people still talk of 'viruses' when the truth is that malware is more varied than ever," confirms Luis Corrons.
Regarding new examples of malware, 60 percent of those detected in February were Trojans. This is 11 points up on January.
"The distribution of the new variants that appeared last month is very significant. This classification indicates where malware creators are heading. The high number of new Trojans confirms that cyber-crooks have exclusively financial aims," explains Corrons.
After Trojans came bots and backdoor Trojans, followed by worms (8%), dialers (3%) and spyware (1%).
"Spyware is the type of malware causing most infections. Nevertheless, the number of new variants is lower. One of the reasons for this is the way it is distributed. This kind of malware frequently forms part of legitimate programs. Some sub-categories, such as adware, are not considered dangerous since they usually only display adverts. That is why spyware remains active on computers for longer, even though there are fewer new variants," adds Corrons.
Regarding February's most active malicious codes, Sdbot.ftp is in the first position once again. Sdbot.ftp is the generic script detection that certain worms exploit to download Sdbot onto a computer. This worm has been the most active malware for more than twelve months.
In second place is Bagle.HX. This worm was in the tenth position last month. Bagle.HX is from the Bagle family of worms, one of the most active last year. This variant uses rootkit features to hide its processes. It also disables some security solutions' functions. The aim of both characteristics is to make it more difficult to detect.
Virus name           | Percentage
W32/Sdbot.ftp.worm   | 1.65
W32/Bagle.HX.worm    | 1.39
W32/Puce.E.worm      | 1.16
W32/Brontok.H.worm   | 1.15
W32/Nurech.A.worm    | 1.14
Trj/Abwiz.A          | 1.05
Bck/PcClient.DU      | 0.88
Trj/Torpig.A         | 0.86
W32/Netsky.P.worm    | 0.84
Trj/Rizalof.TT       | 0.84
Puce.E is in the third position, as it was last month. It is a worm that spreads through P2P networks. The fourth and fifth positions also correspond to two worms: Brontok.H and Nurech.A. The first spreads by making copies of itself on the affected system. The second is the first variant of a family that was very active in February. What's more, Nurech.A caused PandaLabs to declare an Orange Virus Alert half way through the month.
Nurech.A spreads in subjects pretending to be greeting cards. It hides in an attached executable file with names like Flash Postcard.exe or Greeting Card.exe. Nurech.A is one of the few new entries in the list.
"Users think there are no dangerous threats. That is why they don't bother to update their anti-malware solutions or download security patches. This allows old malicious codes to continue infecting computers. This is also the reason why there are few new variants among the most active malware month after month," explains Corrons.
Abwiz.A has dropped from fourth to sixth position. It is a Trojan designed to steal passwords stored on the system. In seventh position is PcClient.DU, a backdoor Trojan which opens a port in the system in order to allow attackers to remotely control the infected computer.
Torpig.A is the malware that has decreased most drastically in February. It has gone from second to eighth position. Torpig.A is a Trojan that steals confidential data from users, such as passwords stored on certain Windows services.
Netsky.P is in the ninth position. It is a worm that uses specific Internet Explorer vulnerabilities in order to spread. The tenth most active malware in February was Rizalof.TT. This Trojan captures users' confidential data.
Source: http://www.pandasoftware.com
US named biggest single source of web attacks -- Posted by Igor_Donchenko on Tuesday, March 27 2007
A new report has named the US as the biggest single source of computer attacks, with computers from the country responsible for some 31 percent of all such incidents in global terms. This puts the US way ahead of its nearest "competitors", with second place taken up by China (10 percent of attacks) and third by Germany (7 percent).
A significant rise has been noted particularly in the number of computers taken over by cybercriminals to form part of massive botnets. According to the latest data there were more than 6 million machines commandeered by malicious users by the end of 2006, an increase of 29 percent from the first six months of last year. China currently has the largest number of these hijacked computers, with 26 percent of the global total. The biggest reason for this, according to experts, has been the sheer number of zero-day vulnerabilities disclosed and exploited by attackers in 2006. According to research data, 77 percent of malicious attacks were aimed at Internet Explorer.
While the cost of cybercrime to Internet users has risen significantly over the past years, the cost of carrying out attacks for cybercriminals is actually dropping due to increased organisation, which leads to better efficiency from cybercrime syndicates that are quickly becoming global players. For instance, the price paid at the moment for a stolen identity oscillates between $14 and $18, and this would include key data such as personal, financial and SSN details. On average, victims of ID theft in the US last year incurred losses of $5,720 according to another annual study, with the number of victims numbering more than 8 million. And another report claimed that last month alone there were nearly 150,000 stolen credit card numbers on sale in underground cybercrime forums.
Source: http://www.viruslist.com
MySpace malware could steal information from web users -- Posted by Igor_Donchenko on Monday, March 26 2007
IT security and control firm Sophos has advised companies to set policies over which websites users can visit during work hours, following the discovery of more malicious code posted on the MySpace social networking website.
The SpaceStalk spyware Trojan horse has been discovered embedded in a QuickTime movie on the MySpace page of MAMASAID, a French rock band. The JavaScript code downloads further malicious code from the net designed to steal information.
A malicious script has been found on the French rock band's MySpace page.
"MySpace is phenomenally popular - but sadly not just with teenagers trying to keep in touch and internet-savvy pop groups. Hackers are also interested in stealing information from MySpace users," said Graham Cluley, senior technology consultant for Sophos. "Companies are becoming concerned that workers are visiting social networking websites, not just because it can distract from real work - but also because it may introduce malware into the workplace."
Sophos customers have been automatically protected against the SpaceStalk malware since 15:02 GMT on 16 March 2007. Users of Sophos's WS1000 Web Security Appliance can set policies over which websites are acceptable to access during the working day.
Sophos continues to recommend that all organizations protect their email with an integrated security solution to thwart spam, spyware and malware threats.
Source: http://www.sophos.com
PC users attacked by Pushu Trojan pushed by porno spam -- Posted by Igor_Donchenko on Monday, March 26 2007
IT security and control firm Sophos is warning of a widespread spam campaign that attempts to fool computer users into downloading a spyware Trojan horse. The emails, which contain phrases such as 'hot photos from my birthday', purport to be linking users to adult online content, when in fact the links lead to a website containing the Troj/Pushu-A Trojan horse, which attempts to steal information from infected PC owners.
According to Sophos, visitors to the website are encouraged to download what they believe will be a selection of hardcore adult photographs in an archive file - in reality the file is a malicious executable called xxx.exe or foto.exe. When investigating one website hosting the malware, experts at SophosLabs also discovered a peculiar photograph of two US comedians, Lewis Black and Dave Attell, which is apparently unrelated to either the spam emails or the malware itself.
"As with all messages offering salacious content, the danger is that some people may be so excited about the prospect of viewing the pictures that they'll click before thinking about what might be in the best interests of their PC's health," said Graham Cluley, senior technology consultant for Sophos. "The comics in the photograph certainly add a strange twist, though it's unlikely anyone will be laughing if their PCs are compromised by downloading Pushu."

A typical spam email, pointing to the Pushu Trojan horse.
"The email spam campaign has been widely distributed, although thankfully we haven't received many reports of users infected by the Trojan horse," continued Cluley. "Those that visit the phoney adult websites risk throwing open their PCs for cybercriminals to steal information or carry out further online attacks. Thanks to its continued success rate, it seems likely that this type of illicit material will be used to tempt people into infection for some time to come."
Source: http://www.sophos.com
LdPinch.ZO Trojan steals confidential data -- Posted by Igor_Donchenko on Monday, March 26 2007
PandaLabs has reported the appearance of LdPinch.ZO, a new dangerous Trojan aimed at stealing users' confidential data. This malicious code reaches systems attached to emails or hidden in Internet downloads. When run, it opens Windows Explorer and displays pictures with sexual content. These pictures aim to distract the target user's attention while the Trojan is dropping a file onto the system. This file is designed to steal passwords, login details, telephone numbers for dial-up connections, etc.
LdPinch.ZO gathers this information from browsers (Firefox, Mozilla, Internet Explorer, ...), FTP clients (CuteFTP, SmartFTP, ...), instant messaging programs and others. The Trojan sends all this information to its creator via email, who can then use it for fraudulent purposes: theft of banking data, confidential information, etc.
"Corporate espionage is just one of the multiple uses that this type of Trojan can have. Companies keep confidential information in their computers or email accounts. Thanks to malicious code such as LdPinch.ZO, a cyber-crook could get this data and sell it to a company's competitor, or use it for their own benefit," says Luis Corrons, Technical Director of PandaLabs.
LdPinch.ZO opens a port through which an attacker can access a command interpreter and use it to run commands on the compromised computer and control it remotely.
If the firewall warns the user that there is a suspect Internet connection, LdPinch.ZO can simulate clicking OK to continue accessing the Web and stealing information.
Source: http://www.pandasoftware.com