Category Archives: Malware

New PushDo trojan variants currently active

The PushDo trojan has been around for a while, but recent variants are making it much harder for security researchers to locate the servers that control it.

PushDo infects vulnerable computers when users visit an infected web site (drive-by download). Once installed on a computer, PushDo sends out phishing email purporting to be from banking institutions, tricking other users into clicking links within the email and infecting their computers with other malware.

What makes the new versions of PushDo different is that they hide communication with the botnet’s controlling servers amongst a flurry of traffic to other, unrelated servers. This makes the process of finding the controlling servers much more difficult and time-consuming.
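One way to start sifting real command-and-control traffic out of a flurry of decoy connections is to score each destination on how beacon-like its contacts are. The following is an added example, not code from the original post or from any published PushDo analysis; it assumes a proxy log with one "seconds host method bytes_out" record per line (the SAMPLE_LOG below is constructed) and uses a generic regularity heuristic rather than anything PushDo-specific.

```python
"""Rank outbound HTTP destinations by how beacon-like their traffic is.

Added example, not code from the original post or any PushDo analysis.
Assumes one "seconds host method bytes_out" record per log line. A host
scoring near 1.0 is contacted on a fixed interval with same-sized requests;
one-off or irregular decoy requests score low or are dropped. Decoys that
are themselves sent on a fixed schedule would defeat this heuristic and
need payload inspection instead.
"""
from statistics import mean, pstdev

# Constructed sample: c2.example.invalid is hit every 60 s with identical
# POST sizes; the other hosts are contacted at irregular times and sizes.
SAMPLE_LOG = """\
0 cdn-a.example.net GET 412
5 news.example.org GET 388
60 c2.example.invalid POST 512
73 cdn-a.example.net GET 1024
120 c2.example.invalid POST 512
131 mail.example.com GET 256
180 c2.example.invalid POST 512
190 news.example.org GET 2048
240 c2.example.invalid POST 512
251 cdn-a.example.net GET 77
300 c2.example.invalid POST 512
"""


def parse_log(text):
    """Return a list of (seconds, host, method, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        records.append((float(fields[0]), fields[1], fields[2], int(fields[3])))
    return records


def variation(values):
    """Coefficient of variation (pstdev / mean); 0 means perfectly uniform."""
    avg = mean(values)
    return pstdev(values) / avg if avg else 0.0


def rank_candidates(text, min_hits=3):
    """Score hosts seen at least min_hits times; most beacon-like first.

    score = 1 / (1 + interval_cv + size_cv): evenly spaced, same-sized
    requests score 1.0. Hosts seen fewer than min_hits times are dropped,
    because a single interval is trivially "regular" and would mislead.
    """
    by_host = {}
    for ts, host, method, size in parse_log(text):
        by_host.setdefault(host, []).append((ts, method, size))

    rows = []
    for host, hits in by_host.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        times = [h[0] for h in hits]
        intervals = [b - a for a, b in zip(times, times[1:])]
        sizes = [h[2] for h in hits]
        interval_cv = variation(intervals)
        size_cv = variation(sizes)
        rows.append({
            "host": host,
            "hits": len(hits),
            "posts": sum(1 for h in hits if h[1] == "POST"),
            "interval_cv": round(interval_cv, 3),
            "size_cv": round(size_cv, 3),
            "score": round(1.0 / (1.0 + interval_cv + size_cv), 3),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in rank_candidates(SAMPLE_LOG):
        print(row)
```

Run against the sample, the decoy host cdn-a.example.net survives the minimum-hit filter but scores well below the beaconing host because both its timing and its request sizes vary; the two hosts contacted only once or twice are dropped before scoring. On real traffic the ranking is a starting point for inspection, not a verdict.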

Phishing email examples

‘Phishing’ is the term used to describe email sent with the intention of tricking the recipient into divulging personal (often financial) information to the perpetrator.

A recent ISC Diary post shows several phishing emails received by ISC handler Johannes Ullrich, with analysis that is helpful for learning how to distinguish legitimate email from phishing.

ISC is the Internet Storm Center, which “provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The site and associated services provide a wealth of information regarding Internet security.

New Java vulnerability likely to remain unpatched until October 2012

UPDATE: Oracle releases a fix ahead of schedule.

A recently-discovered security flaw in Java is going to make web browsing more dangerous than usual over the coming weeks.

The new vulnerability has already been turned into a working exploit that affects Windows, Linux and MacOS computers to varying degrees. Exploit code has been published as a Metasploit module and has also been added to the Blackhole exploit kit used by criminals. That means we can expect real, web-based attacks to start appearing almost immediately.

Anyone wanting to compromise vulnerable systems need only place the attack code on a web site and wait for those systems to visit it. In this case, vulnerable systems include just about any Windows, Linux or MacOS computer running a web browser with the Java plugin enabled.

Java is typically installed both as a stand-alone runtime environment and as a plugin for web browsers. The flaw is in the runtime, so both contain the vulnerable code, but the browser plugin is the realistic attack path, because it runs Java code served by whatever web site you happen to visit. Java is widely used for a variety of applications, including open source tools like Freemind and Eclipse, and some web sites use it to provide functionality beyond what’s normally possible with web browsers.

Unfortunately, unless Oracle, Java’s developer, decides to issue an out-of-cycle patch for this vulnerability, it won’t be fixed until the next scheduled update, which is due in October 2012.

Recommendations

Standalone, locally-hosted Java applications you’re already using should be safe, since they run only code you installed rather than code from untrusted web sites. Until the vulnerability is patched, we don’t recommend new installations of any Java-based software.

If you don’t use Java at all, or can live without it until a fix is available, you can uninstall it or disable it system-wide. For most people this is overkill, because the exposure is in the browser.

Attacks exploiting this vulnerability are most likely to appear on compromised and malicious web sites. With the Java plugin enabled, simply loading such a page is enough to infect your computer with some kind of malware; no click is required. Savvy web users already know to exercise care when browsing, but until this hole is fixed, blindly clicking links and visiting unknown web sites is like playing Russian Roulette. For that reason, many security experts recommend disabling Java in web browsers until the flaw is patched.

Here are some more technical details from CERT.


Don’t be fooled by fake FBI warnings

The FBI has issued an alert about Reveton, drive-by ransomware that first appeared in early 2012.

The term “drive-by” is typically applied to malware that affects users when they visit an infected web site. To put it another way: your computer can become infected by this malware if you visit an infected web site, even if you don’t click anything on that web site or view anything other than the home page. This is why even web searches have become somewhat dangerous.

“Ransomware” refers to malware that holds a computer hostage. Reveton does so by presenting a warning to the user, pretending to be from a government agency, that they have violated some law or regulation. The solution presented is to pay a ‘fine’; any money paid goes to the malware’s perpetrator. Surprisingly, this fools enough people to make it a worthwhile scam.

PCWorld has additional information.

Beware Olympic email

High-profile events, like celebrity deaths, are seen as opportunities by malicious hackers and other nefarious persons on the Internet. Recent malicious email campaigns focus on the Olympics, trying to lure unsuspecting recipients into clicking web links or opening attachments, either of which results in the installation of backdoor/trojan software.

Please be extremely wary of all Olympic-themed email you receive during the Olympics.

The Sourcefire Vulnerability Research Team has more information on Olympic malmail.

ZeroAccess malware can use massive amounts of bandwidth

ZeroAccess appeared in the wild in early 2012 and shows no signs of slowing down. This insidious malware is part of a botnet which is apparently focused on click fraud: infected computers simulate clicks on web advertisements, generating ad revenue for the botnet’s perpetrators and their customers.

What makes ZeroAccess particularly nasty is that it can use a lot of bandwidth, causing infected computers to reach and surpass bandwidth caps. Unsuspecting users may find bandwidth overage charges on their ISP’s bills.

Most up-to-date anti-malware software can detect and remove ZeroAccess, so if you’re not already using such software, you should start. If you’ve noticed a spike in your Internet bandwidth usage, scan your computer immediately. Free online scanners such as Housecall, as well as free offline scanners like Microsoft Security Essentials, will do the job.


Grum botnet officially neutralized

One of the world’s largest spam botnets has finally been eradicated. At its peak – as recently as January 2012 – the Grum botnet was the largest spamming network in the world.

Spam levels worldwide are expected to drop as a result, although it seems probable that newer, more sophisticated botnets will rise to take Grum’s place. Enjoy the respite while you can.

Credit goes to several dedicated security researchers and anti-spam companies, including FireEye researcher Atif Mushtaq, researchers from anti-spam organisation Spamhaus, the Russian Computer Security Incident Response Team and other experts in the field.

Techweek Europe has all the details in their article on Grum’s demise.

Computers infected with DNSChanger will lose Internet access on July 9, 2012

DNSChanger is a nasty piece of malware that – according to the FBI – still infects more than four million computers worldwide.

When the FBI arrested the people responsible for creating and controlling DNSChanger, they realized that simply taking down the servers the malware points to would cut off Internet access for computers that were still infected. So they kept the DNSChanger servers up, but disabled the malware’s ability to spread further, and issued warnings to the general public stating that they intended to shut the servers down on July 9, 2012. That day is approaching.

To avoid having your computer essentially cut off from the Internet on Monday, you should use one of the many available DNSChanger detection sites to determine whether your computer is infected. In the unlikely event that your computer is found to be infected, instructions and tools for removal of DNSChanger are available.
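The detection sites work by comparing the DNS servers your computer is configured to use against the address ranges the rogue DNSChanger servers occupied. The following is an added example of that check, not the FBI’s or any detection site’s own code; the six ranges are those the FBI published for the rogue resolvers, and the resolv.conf text is constructed. On a real Unix host it reads /etc/resolv.conf; on Windows you would feed it the DNS servers listed by “ipconfig /all” instead.

```python
"""Check configured DNS resolvers against the rogue DNSChanger ranges.

Added example, not the FBI's or any detection site's code. The ranges are
the six blocks the FBI published for the rogue resolvers. The sample
resolv.conf below is constructed.
"""
import ipaddress

# Rogue resolver ranges from the FBI's DNSChanger notice.
ROGUE_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed resolv.conf: first resolver inside a rogue block, second not.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.example
nameserver 85.255.113.5
nameserver 8.8.8.8
"""


def is_rogue(ip_text):
    """True if the address falls inside any DNSChanger range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP address at all
    return any(ip in net for net in ROGUE_RANGES)


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def check_resolvers(text):
    """Return [(address, rogue?), ...] for every configured resolver."""
    return [(srv, is_rogue(srv)) for srv in parse_resolv_conf(text)]


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            conf = fh.read()
    except OSError:
        conf = SAMPLE_RESOLV_CONF  # fall back to the constructed sample
    for addr, rogue in check_resolvers(conf):
        print(addr, "ROGUE (DNSChanger)" if rogue else "ok")
```

A rogue entry means the machine (or a router it takes its settings from, which the script cannot see) has been redirected; a clean result only says the resolver addresses are outside the known ranges, not that the machine is free of malware.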

Recent phishing emails

VRT reports on a phishing campaign seen recently. This particular phishing attempt arrives as an unsolicited email that appears to be from UPS, about a delivery failure.

As with all phishing attempts, the goal is to trick the recipient into believing this is a legitimate email from UPS. Once the user has been tricked into clicking one of the embedded links, software is installed surreptitiously. That software then attempts to steal usernames, passwords and banking information.

Other phishing attacks may use slightly different approaches, such as tricking the user into entering their banking information onto a malicious web page.

There are very few anti-malware packages that can prevent this sort of attack. The exceptions are typically expensive and geared toward corporate clients. Average users must rely on their own common sense to detect these attacks and simply delete the offending email.
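The common-sense checks described in the two phishing posts above (the ISC examples and the fake UPS delivery notice) can be applied mechanically to a raw message: does the Reply-To or Return-Path point somewhere other than the claimed sender, does a link’s visible text show one host while its target is another or a bare IP address, and does an attachment carry an executable? The following is an added example of those checks, not code from the original posts, ISC or VRT. Both messages are constructed: the phishing one imitates the UPS lure with a link on a documentation-range IP, and the registrable domain is approximated as the last two labels of a host name (crude, no public-suffix list, but enough here).

```python
"""Flag tell-tale signs of a phishing email from its headers and links.

Added example, not code from the original posts, ISC or VRT. Both sample
messages are constructed. Registrable domains are approximated as the last
two host labels (no public-suffix list).
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH = """\
From: "UPS Quantum View" <auto-notify@ups.com>
Reply-To: tracking@ups-delivery.example.net
Return-Path: <bounce@ups-delivery.example.net>
Subject: UPS Delivery Notification - Failure
Content-Type: text/html; charset=utf-8

<html><body><p>We could not deliver your parcel.</p>
<p>Print the label: <a href="http://198.51.100.7/label.php">http://www.ups.com/tracking</a></p>
</body></html>
"""

LEGIT = """\
From: "UPS" <auto-notify@ups.com>
Return-Path: <auto-notify@ups.com>
Subject: Your package is on its way
Content-Type: text/html; charset=utf-8

<html><body><p>Track it at <a href="https://www.ups.com/tracking">www.ups.com/tracking</a></p></body></html>
"""

URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude registrable domain: IPs unchanged, otherwise the last two labels."""
    host = (host or "").lower().rstrip(".")
    return host if is_ip(host) else ".".join(host.split(".")[-2:])


def addr_domain(header):
    m = re.search(r"@([\w.-]+)", str(header or ""))
    return registrable(m.group(1)) if m else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = addr_domain(msg["From"])

    # 1. Reply-To / Return-Path pointing somewhere other than the From domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg[hdr])
        if dom and sender and dom != sender:
            findings.append(f"{hdr} domain {dom} differs from From domain {sender}")

    # 2. Links: bare IPs, text that shows one host while pointing at another,
    #    and targets outside the claimed sender's domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, label in collector.links:
        host = urlparse(href).hostname or ""
        if is_ip(host):
            findings.append(f"link to bare IP address: {href}")
        if URL_LIKE.match(label):
            shown = urlparse(label if "://" in label else "http://" + label).hostname
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
        if sender and registrable(host) != sender:
            findings.append(f"link target {host} is outside sender domain {sender}")

    # 3. Attachments that are executables, or archives that commonly hide them.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".exe", ".scr", ".zip", ".js")):
            findings.append(f"executable or archive attachment: {name}")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyse(raw) or ["no findings"])
```

The phishing sample trips every header and link check, while the legitimate one produces no findings; a message that passes is not proven clean, since a sender who controls a look-alike domain can keep the headers consistent, but a message that fails deserves deletion rather than a click.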