Archive for January, 2011

Fake Antivirus Scareware on the Rise

Fake antivirus software masquerading as the real deal is quickly becoming one of the oldest (and most used) tricks in the malware manual, and for good reason. It’s easy to dupe less savvy computer users, especially as these bogus programs have become adept at looking the part. The latest one making the rounds is a false AV scanner called Antivirus 8.

“Over the last few days, we received numerous reports of computers infected with fake antivirus (scareware),” Roel Schouwenberg, senior antivirus researcher at Kaspersky, wrote in a blog post. “The name of this particular culprit is Antivirus 8.”

According to Schouwenberg, fake pop-ups related to the bogus application were appearing on users’ systems while the users were not actively using their PCs. Instead, the pop-ups appeared as soon as ICQ began fetching and displaying new ads. As Schouwenberg explains it, the malware writers went through the trouble of setting up servers that appear to belong to actual retail products, so to outsiders (like Kaspersky) looking in, it appears the ‘store’ was simply the victim of an attack while the malicious ads keep rolling.

“By making it look like their server got compromised, the criminals can claim it isn’t them who’s responsible for distributing the malware,” Schouwenberg explains. “But rather someone else who hacked their server to spread malware. The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.”

How it works isn’t really important here, as none of this is going to matter to inexperienced users in the first place. If anyone requires any support, please don’t hesitate to contact us; we are always happy to help you.

IT Solutions Support Team


Carberp banking malware upgrades itself

A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims’ PCs, according to the vendor Seculert.

Carberp, which targets computers running Microsoft’s Windows operating system, was discovered last October by several security companies and noted for its ability to steal a range of data as well as disguise itself as legitimate Windows files and remove antivirus software. It has been billed as a rival to Zeus, another well-known piece of malware.

Carberp communicates with a command-and-controller (C&C) server using encrypted HTTP Web traffic. Previous versions of Carberp encrypted that traffic using RC4 encryption but always used the same encryption key.

Using the same key meant it was easier for intrusion protection systems to analyze traffic and pick out possible communication between the infected Carberp computers and the C&C servers, said Aviv Raff, CTO and co-founder of Seculert. Seculert runs a cloud-based service that alerts its customers to new malware, exploits and other cyberthreats.

A new version of Carberp is mixing it up, using a randomly different key when it makes an HTTP request, said Raff. When it uses the same key, there are some static patterns that can be detected. Even Zeus, which is begrudgingly respected for its high-quality engineering, uses the same key that is embedded in the malware.

“Most network based security solutions are using traffic signatures to detect bots trying to connect to the C&C,” Raff said. “This new feature is used to evade this type of detection and make it hard and almost impossible to create such signatures.”
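The detection point Raff makes is a property of stream ciphers: RC4 turns a key into a deterministic keystream, so two messages that share a fixed key and a fixed plaintext header also share the same ciphertext bytes at the front, and that repeated byte run is exactly what a traffic signature keys on. A fresh key per request destroys the common prefix. The following is an added Python demonstration, not Carberp’s code or protocol: the beacon layout (`BOT|v1|` plus a bot identifier), the static key and the signature-derivation helper are constructed for illustration, and how a real bot would convey a per-request key is deliberately out of scope.

```python
"""Why a fixed RC4 key makes C&C traffic signature-able, and why a
per-request key defeats a byte-prefix signature.

Constructed demonstration; the beacon format and keys are invented."""
import os
from typing import Iterable, List, Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 (KSA + PRGA). The keystream depends only on the key,
    never on the plaintext, which is the root of the signature problem."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric XOR with the keystream)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


# Hypothetical beacon layout: a constant header followed by a bot id.
HEADER = b"BOT|v1|"                 # constructed, not a real malware field
STATIC_KEY = b"example-static-key"  # constructed stand-in for a hard-coded key


def beacon(bot_id: str) -> bytes:
    return HEADER + bot_id.encode()


def static_key_beacons(bot_ids: Iterable[str]) -> List[bytes]:
    """Old behaviour: every bot encrypts under the same embedded key."""
    return [rc4(STATIC_KEY, beacon(b)) for b in bot_ids]


def random_key_beacons(bot_ids: Iterable[str]) -> List[bytes]:
    """New behaviour: a fresh key per request (how the key reaches the
    server is not modelled here)."""
    return [rc4(os.urandom(16), beacon(b)) for b in bot_ids]


def ciphertext_prefix_signature(samples: List[bytes],
                                n: int = len(HEADER)) -> Optional[bytes]:
    """What a signature writer does with captured samples: if all share the
    same first n ciphertext bytes, those bytes become the signature."""
    prefixes = {s[:n] for s in samples}
    return prefixes.pop() if len(prefixes) == 1 else None


def matches(signature: Optional[bytes], msg: bytes) -> bool:
    """Apply a derived signature to a new message on the wire."""
    return signature is not None and msg.startswith(signature)


if __name__ == "__main__":
    captured = ["a1", "b2", "c3"]
    sig = ciphertext_prefix_signature(static_key_beacons(captured))
    print("static-key signature:", sig.hex() if sig else None)
    print("hits new static-key bot:", matches(sig, static_key_beacons(["zz"])[0]))
    print("random-key signature:", ciphertext_prefix_signature(random_key_beacons(captured)))
```

The signature derived from static-key samples matches any further bot using that key, because the keystream bytes under the header are the same for all of them; for random-key samples no common prefix exists, so the same approach yields nothing, and detection has to move to features the key change does not hide, such as beacon timing, request structure, or the mechanism by which the key itself is conveyed.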

Seculert has posted a writeup about Carberp.

Carberp has also expanded the scope of the victims it seeks to infect. The latest version is targeting users in Russian-speaking markets, Raff said. Previous versions targeted banks in the Netherlands and the U.S., he said.

January Windows Security Patch Lacks IE Fix

January 11, 2011

As expected, Microsoft today released two security bulletins in its January security update.

One of the bulletins is deemed “critical,” while the other is considered “important.” Both are designed to address remote code execution exploit risks in Windows.

Critical and Important Fixes
The critical item affects all supported Windows operating systems and touches Microsoft Data Access Components, which are the link between the operating system and various databases operating in a Windows environment.

“The critical Microsoft Data Access Components vulnerability is one of two MDAC issues fixed this month,” said Joshua Talbot, security intelligence manager at Symantec Security Response. “These components are a collection of technologies that enable applications — both from Microsoft and third-party developers — to access and manipulate databases.”

Meanwhile, Microsoft said that the second and final item in the patch “resolves one reported issue rated important and affecting Windows Vista.” This fix addresses a vulnerability in Windows Backup Manager.

The Backup Manager vulnerability is a fairly tough technical nut to crack, according to security experts. A hacker would have to open up Windows Backup and be able to access the target servers using Server Message Block (SMB) or Web-based Distributed Authoring and Versioning (WebDAV).

What About IE?
Obviously missing from this January slate is an update for the Internet Explorer flaw, for which a proof-of-concept exploit was exposed late last year and early this year. Microsoft hasn’t ruled out producing an out-of-band fix, but the security team may wait until next month on delivery.

The software giant released this table identifying some of the current security issues being considered by the team, along with possible mitigations to implement while awaiting a fix. Microsoft also updated its security advisory on Internet Explorer, adding a new “Fix it” workaround solution associated with preventing “the recursive loading of CSS style sheets in Internet Explorer.”

“The most interesting thing this month is the [Internet Explorer] mitigation tactic that Microsoft is calling a ‘shim’,” said Andrew Storms, director of security operations at nCircle. “The shim uses the application compatibility framework in Windows to rewrite in-memory function calls of MSHTML.DLL.”

Storms said this tactic offers an additional check on the known security bug and prevents the vulnerability from occurring. Storms called the tactic “easy to deploy and is a relatively low risk.”

As for the fixes Microsoft released in this month’s patch, both may require restarts.

Microsoft provides this Knowledge Base article for nonsecurity updates rolled out through Windows Server Update Services, Windows Update and Microsoft Update.