News archive about antivirus software, virus threats, trojans
September 2005
Yahoo!, MSN, and Google, cloned again -- Posted by Igor_Donchenko on Friday, September 30 2005
Panda Labs has identified Adware/PremiumSearch, a new malicious code that takes advantage of some of the most popular Internet search engines. The attack appears to mimic the actions of the worm detected last week that altered the sponsored links in Google searches.
In this case the infection originates from visiting a certain web page, to which users are redirected from other pages containing warez (pirated software) or pornography. In addition to PremiumSearch, this page also installs Application/WorldAntiSpy on victims' computers, along with a variant of Smitfraud, leading users to believe they have been infected by a series of threats and will have to pay to disinfect them.
PremiumSearch exploits some of the browser vulnerabilities most frequently used by spyware, such as ByteVerify, LoadImage and Mhtredir, to install a malicious BHO (Browser Helper Object) on the computer. It then installs a 'Google' toolbar (which does not come from Google but has been created by a third party) and modifies the HOSTS file. The BHO also changes the browser home page to the PremiumSearch search engine, even if the user specifies another in the browser settings.
The modifications to the HOSTS file and the actions of the BHO direct users who request MSN, Yahoo! or Google (in versions for more than 60 countries) to spoofed versions that are indistinguishable from the originals except that the first results displayed have been altered (the remaining results are the same as on the genuine pages). The same occurs with searches launched through the spoofed Google toolbar. The malicious code can also affect the Alexa search engine, although this has failed to operate correctly on test systems. The web page from which the spoofed versions are served is hosted in the USA.
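The HOSTS-file redirection described above is straightforward to audit. The following Python script is an added example, not Panda Software's code or part of the original news item: it parses HOSTS-file text and flags any entry that pins a Google, Yahoo!, MSN or Alexa hostname to a real address rather than a loopback or null address. The sample HOSTS content and the address 203.0.113.10 are constructed for the example; the write-up does not give the hostnames or addresses used in the real attack.

```python
"""Audit a Windows HOSTS file for search-engine hijack entries.

Added example, not Panda Software's code. The sample HOSTS content below is
constructed to resemble the kind of redirection the PremiumSearch write-up
describes; 203.0.113.10 is a documentation address standing in for the
attacker's server.
"""
import ipaddress

# Labels the write-up names as targets. Matching on the label rather than the
# full domain also catches the country versions (google.de, yahoo.co.uk, ...).
WATCHED_LABELS = {"google", "yahoo", "msn", "alexa"}


def is_sinkhole(addr: str) -> bool:
    """Loopback and unspecified addresses are legitimate HOSTS targets:
    ad-blocking hosts lists map unwanted domains to 127.0.0.1 or 0.0.0.0."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments
    and lines that do not start with a valid IP address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, *names = parts
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            yield addr, name.lower(), line_no


def watched_label(hostname: str) -> bool:
    """True if any DNS label of the hostname is one we watch."""
    return any(label in WATCHED_LABELS for label in hostname.strip(".").split("."))


def find_hijacks(text: str):
    """Return HOSTS entries that pin a watched search domain to a real IP."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if watched_label(name) and not is_sinkhole(addr):
            findings.append({"line": line_no, "host": name, "ip": addr})
    return findings


# Constructed sample: a stock header, one hijack block, one benign ad-block entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- entries below are constructed to resemble a hijack ---
203.0.113.10    www.google.com google.com
203.0.113.10    www.google.co.uk
203.0.113.10    search.yahoo.com
203.0.113.10    search.msn.com
0.0.0.0         ads.example.net      # benign ad-block style entry
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts. The label match is deliberately broad, so it will also flag unrelated domains that happen to contain one of the watched labels; treat hits as leads to verify, not verdicts. The BHO half of this attack is not visible in HOSTS at all and needs a separate check of the browser's installed helper objects.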
"These actions are financially motivated and aim to exploit the popularity of these search engines to increase visits to the pages with the altered results", explains Luis Corrons, director of Panda Labs. "To avoid this kind of attack, it is vital that users have reliable antivirus protection and keep their systems up-to-date, as the vulnerabilities used have often been in existence for some time."
In order to neutralize this threat, Panda Software has already contacted the ISP where the pages used in this attack are hosted.
Source: http://www.pandasoftware.com
Phishing, a growing risk to companies -- Posted by Igor_Donchenko on Wednesday, September 28 2005
Phishing (online fraud) is consolidating its position as one of the main threats lying in wait on the Internet for users and companies around the globe. Data from a study[1] by the Anti-Phishing Working Group (APWG), an association of companies from different sectors that aims to combat this type of fraud and of which Panda Software is a member, shows that over 70 companies worldwide were targeted by this type of attack in July 2005. The majority of them, over 85 percent, were in the financial sector. Despite the efforts of the authorities to take down fraudulent websites, APWG reports that the average time these pages stayed online in July was around six days.
Phishing involves stealing bank details over the Internet. This can be done in two ways: using social engineering techniques or with the help of technology. In the first case, the most common method is to send users an email inviting them to visit a web page that is actually a copy of the spoofed entity's site, where users enter their details, which are then captured.
The second phishing technique is technologically more complex and usually involves dropping a Trojan, which can include a keylogger (a program that captures keystrokes), on the victim's computer. This program is usually activated when the user visits a bank's website and from then on captures every keystroke entered, which usually includes usernames, passwords, account numbers and other bank details. Use of these Trojans to steal passwords is growing: between the first and second quarter of this year, the number of variants of this type of Trojan increased by 113 percent, according to data compiled by PandaLabs and included in its 2nd Quarterly Report for 2005.
This phenomenon is constantly increasing: according to a report published by The Radicati Group, phishing attacks will have grown by 115 percent from 2004 to 2005 (from an average of 51 attacks per day in 2004 to 110 in 2005). The forecast for 2008 is 404 attacks per day.
The risk of this type of attack to companies is evident, as the theft of data could, in certain sectors, seriously affect the functioning of the company. This is not the only way in which companies can be affected. The loss of user confidence in e-commerce can slow the growth of these businesses. A study by the Ponemon Institute shows that 59 percent of users claim to have reduced their number of online transactions because of the threat of phishing.
"Don't make the mistake of underestimating the importance of the phenomenon of phishing in companies," explains Luis Corrons, director of PandaLabs. "An incident of this type can seriously damage companies, resulting in loss of client confidence, as well as the consequences of falling victim to this type of attack."
To head off this avalanche of attacks, combining proactive technologies, which detect new threats without needing signature updates, with traditional reactive solutions is the most effective approach, as it minimizes the window of exposure between a threat appearing and the vaccine (signature) being developed.
Source: http://www.pandasoftware.com
A messaging worm spreads under the guise of a postcard, reports Panda Software -- Posted by Igor_Donchenko on Tuesday, September 20 2005
PandaLabs has, over the last 24 hours, recorded numerous incidents in Latin America caused by Mepe.A, a new worm that spreads through instant messaging programs.
This Spanish-language worm is designed to look like a compiled Shockwave Flash file, which it isn't, and when run it displays a message claiming that execution has failed. Meanwhile it creates a series of copies of itself in the system directory and a series of registry keys that ensure it is executed on every system startup. It also creates a file in the root directory containing the Spanish phrase "Dios sólo nos dio un 1 y un 0, y con eso, hemos construido un universo" (God only gave us a one and a zero, and with that we have built a universe).
The worm spreads through instant messaging applications. When the user is connected to one, the worm looks for active windows with the title 'Conversación' and sends a message in Spanish inviting the recipient to download a postcard from a well-known website: "te mandaron un recado conmigo, ya te has de imaginar quien y si no sabes me dijo que no te dijera quien, me dijo que te lo escribio en una postal y que de aqui la abras www.[omitido].com ,bueno yo ya cumpli e?" (Someone sent you a message through me, you can imagine who, and if you don't know, they told me not to tell you who; they said they wrote it to you on a postcard and that you can open it from here www.[omitido].com, well, I've done my part, eh?). The link takes the recipient to a website hosting a copy of the worm, which is downloaded to the computer and infects it.
Mepe.A also monitors running tasks in order to close windows with the following Spanish titles: "Administrador de tareas de Windows" (Windows Task Manager), "Panel de Control" (Control Panel), "Editor del Registro" (Registry Editor), "Utilidad de configuración del sistema" (System Configuration Utility) and "Restaurar Sistema" (System Restore), so that the user cannot end the worm's process.
PandaLabs has already contacted the companies whose servers are housing this worm in order to get the URL deactivated and stop this worm from causing more infections.
Source: http://www.pandasoftware.com