Welcome to Super Antivirus Blog

December 17, 2009

I am a Jedi. http://sinaurl.cn/hiWzC From complexity to simplicity… out of the cocoon and into a butterfly. Panda Cloud Antivirus: the first free cloud-based antivirus software.

American Express Phishing Campaign

December 16, 2009

An American Express phishing campaign is in circulation this month. The attack attempts to capture the victims' online banking credentials by convincing them that the account information on file is incorrect.

Sample E-mail:

AMEX Phishing E-mail

The e-mail appears to come from AmericanExpress@welcome.aexp.com and it reads:

Dear Customer,

Our technical service department has recently discovered that your information on file with us is incomplete.

Your American Express on file with us is: 37xxxxxxxxxxxxxx.

Please update your American Express account on our secured server below:

(If you cannot click on the link, please copy and paste it into your browser’s address bar).

Continue To Online Update Form

We appreciate your prompt attention to this important matter.

*If your account information is not updated within 48 hours then your ability to access your account will be restricted.

Thank you

Sincerely American Express Company, Member FDIC.

Clicking the link renders a page identical to the American Express website:

American Express Phishing Page

Looking at the page's source code, we can see that the submitted credentials are handed to the criminals through a PHP form handler (go.php):

go.php

This type of phishing campaign is the oldest trick in the book, but you can easily avoid it by knowing that financial institutions will never ask you to divulge your personal information.

Computer threat trend forecast for 2010

December 16, 2009

2009 is coming to an end, so it's time to talk about what we expect to happen in 2010. I've been looking into my crystal ball and this is the result…

More clouds on the security horizon

Welcome to the cloud. In 2007 we launched our first product to take advantage of the cloud; now, in 2009, all our products use it and we have launched the first 100% cloud-based antivirus: Panda Cloud Antivirus (www.cloudantivirus.com). This year we have also seen other major security vendors follow in our footsteps and take to the cloud. 2010 will be the year in which every anti-malware company wanting to offer real-time protection will have to follow suit, and those that don't will be out of the game.

An avalanche of malware

The amount of malware in circulation will continue to grow exponentially. The greater speed delivered by cloud-based technologies, such as Panda’s Collective Intelligence, will force malware creators to generate even more threats in order to evade detection and elimination. Once again malware will be designed almost exclusively for financial gain, and we can expect to see many new fake antiviruses (rogueware), bots and banker Trojans.

Social engineering

Cyber-criminals will again focus on social engineering techniques to infect computers, particularly techniques targeting search engines (Blackhat SEO) and social networks, along with 'drive-by download' infections from Web pages.

As the football World Cup takes place in South Africa, we can also expect to see significant amounts of malware related to this event: false ticket offers, junk mail, etc. It is always a good idea to be suspicious of any message related to current affairs and large events such as this.

In the case of social networks, there have already been many examples of worms and Trojans targeting Twitter, Facebook, etc. Malware creators will continue to be drawn to these types of platforms used by so many people.

Windows 7

Windows 7 will have a major impact on malware development: where Windows Vista hardly caused a ripple, Windows 7 will make waves. One of the main reasons is the widespread market acceptance of the new OS; as practically all new computers ship with 64-bit Windows 7, criminals will be busy adapting their malware to the new environment. It may take time, but we expect to see a major shift towards this platform over the next two years.

Cell phones

Will 2010 be the year of malware for cell phones? Several security companies have been warning for some time that malware is soon to affect cell phones in much the same way as it affects PCs. Well, we hate to rain on their parade, but 2010 will not be the year of malware for cell phones.

The PC is a homogeneous platform, with 90% of the world's computers running Windows on Intel, meaning that any new Trojan, worm, etc. has a potential victim pool of 90% of the world's computers. The cell phone environment is much more heterogeneous, with numerous vendors using different hardware and different operating systems.

Applications are sometimes not even compatible from one OS version to the next. So it is once again unlikely that 2010 will see widespread targeting of cell phones by malware. In any event, this year will witness many changes in the world of mobile telephony: more smartphones offering practically the same features as a PC; the emergence of the Google Phone (the first phone sold directly by Google without tying users to specific operators); the increasing popularity of Android; and, not to forget, the success of the iPhone. If in a few years there are only two or three popular platforms, and if people begin to carry out financial transactions from their cell phones, then maybe we could talk about a potential breeding ground for cyber-crime.

Mac

Mac: has the danger arrived? The Mac's market share has increased in recent years. Although the number of users has yet to reach the critical mass required to make it as profitable as PCs for cyber-criminals, it is nevertheless becoming more attractive. Macs are used just as PCs are to access social networks, email, the Internet… and these are the main malware distribution channels used by cyber-criminals. Consequently, the Mac is no longer a safe haven against malware. These criminals can easily tell whether a system is a Mac, and they have malware designed specifically to target this OS. In 2009 we have already seen numerous attacks, and there are more to come in 2010.

The Cloud

Cloud-based services are not just used for security. We are all using more services delivered from the cloud, often without realizing it. Who doesn't use Hotmail or Gmail as their email service, or Flickr to store photos? But cloud-based services are not limited to storage; they are also used for processing data. The cloud is a tool that can help companies save considerable costs, and as such is rapidly growing in popularity. This makes attacks on cloud-based infrastructure and services far more likely.

Cyber war

Although this term is more associated with science fiction than with the real world, it's a phrase we are about to start hearing more often. Throughout 2009, governments around the world, including the United States, the UK and Spain, have expressed concern about the potential for cyber-attacks to affect economies or critical infrastructure. We also saw this year how several Web pages in the United States and South Korea were the subject of attacks, with suspicion (as yet unconfirmed) pointing at North Korea. In 2010 we can expect to see similar politically-motivated attacks.

Google Work At Home Scam

December 10, 2009

Lately, a Google work-at-home scam has been plastering its way across the Internet. The scam site is designed to look like a convincing newspaper article and is currently circulating heavily through social networks (from hacked and spam accounts) and ad networks.

Example of the scam wall post on Facebook from a hacked account (screenshot not reproduced).

The scam site (screenshot not reproduced).

To “cash in on the opportunity” all you have to do is fork over a measly $1.95 for the “Easy Google Profit” kit. Unfortunately, if you fall for the scam, you're going to be taken for more than you bargained for. Ripoff Report shows one victim's struggle with these scam artists. Apparently they automatically started charging the victim $39.98 per month on top of an additional $129.95 fee. On top of that, they enrolled him in a 14-day trial for another site, which charges $29.95 a month if not canceled in time.

A helpful tip for avoiding these types of scams is to question every link before clicking on it, especially on social networks. Nothing should be trusted outright. Ask yourself, “Would my friend/parent/sibling really post this link?” Chances are the link will stick out like a sore thumb and you'll be able to avoid a nasty situation. We also advise the use of safe browsing technology, such as the community-driven browser plugin offered by our partner, Web of Trust.

CDC H1N1 Malspam Campaign

December 10, 2009

Our spam traps have received thousands of malspam e-mails belonging to a new Sinowal (zbot) campaign over the past 24 hours. The e-mail tries to trick users into creating a profile for H1N1 (swine flu) vaccination on the Centers for Disease Control website.

The email reads:

You have received this e-mail because of the launching of State Vaccination H1N1 Program. You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.

Create your Personal H1N1 Vaccination Profile using the link:

create personal profile
—-
Centers for Disease Control and Prevention (CDC) – 1600 Clifton Rd – Atlanta GA 30333 – 800-CDC-INFO (800-232-4636)

The (several) websites used in this malspam campaign all start with online.cdc.gov.(malicious domain), a prefix that could easily convince even suspicious users of their validity.

The site reads:

“Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug).  All instructions you need are included in the archive below:

Your Temporary ID (valid for 48 hours) H1N1-1574377270
H1N1 Vaccination Profile – Download Archive (130Kb)”

The campaign uses six different subject lines for its e-mails. The most common are “Governmental registration program” and “Creation of personal Vaccination Profile”.
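Both lures on this page rely on the reader misjudging a link: the American Express mail hides the go.php handler behind the text “Continue To Online Update Form”, and the CDC mail puts the agency's real host name in front of an unrelated domain. The script below is an added example written for this page (not code from the original posts or from any Panda product). It implements three checks a mail filter or triage script can apply to every anchor in an HTML body: a trusted domain embedded as a subdomain of another registrable domain, anchor text that names a different domain than the href, and a link domain that differs from the claimed sender's domain. The trusted-domain list, the public-suffix shortlist and the `.example` hosts in the sample HTML are all constructed for the example; they are not the campaign's real domains.

```python
"""Link heuristics for phishing mails of the kind quoted on this page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands impersonated on this page; constructed list for the example.
TRUSTED_DOMAINS = {"americanexpress.com", "aexp.com", "cdc.gov"}
# Suffixes under which the registrable domain has three labels. Constructed
# shortlist; a production filter would load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Anchor text that itself looks like a host name or URL.
_HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def registrable_domain(host):
    """Owner-controlled part of a host name (www.example.co.uk -> example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_as_subdomain(host):
    """Trusted domain that appears *inside* the host while the registrable
    domain is something else (online.cdc.gov.<bad>); None if genuine."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    padded = "." + host + "."
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in padded:
            return trusted
    return None


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html, claimed_sender_host=None):
    """Return one finding per suspicious anchor: {href, text, reasons}."""
    collector = _AnchorCollector()
    collector.feed(html)
    sender_domain = registrable_domain(claimed_sender_host) if claimed_sender_host else None
    findings = []
    for href, text in collector.anchors:
        host = urlsplit(href).hostname or ""
        if not host:
            continue  # relative links and mailto: are out of scope here
        link_domain, reasons = registrable_domain(host), []
        brand = brand_as_subdomain(host)
        if brand:
            reasons.append(f"{brand} appears as a subdomain of {link_domain}")
        m = _HOSTLIKE.match(text)
        if m and registrable_domain(m.group(1)) != link_domain:
            reasons.append(f"text shows {registrable_domain(m.group(1))}, link goes to {link_domain}")
        if sender_domain and link_domain != sender_domain:
            reasons.append(f"link domain {link_domain} differs from sender domain {sender_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed fragments modelled on the two mails quoted above (not the real lures).
AMEX_HTML = """<p>Please update your American Express account on our secured server below:</p>
<a href="http://update-amex.example/go.php">Continue To Online Update Form</a>"""

CDC_HTML = """<p>Create your Personal H1N1 Vaccination Profile using the link:</p>
<a href="http://online.cdc.gov.vaccine-profile.example/">create personal profile</a>
<a href="http://www.cdc.gov.host-placeholder.example/">http://www.cdc.gov/</a>
<a href="http://www.cdc.gov/">www.cdc.gov</a>"""

if __name__ == "__main__":
    for finding in analyse_links(AMEX_HTML, "welcome.aexp.com") + analyse_links(CDC_HTML, "cdc.gov"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The go.php link carries no brand name at all, so only the sender comparison catches it; the CDC link is caught by the subdomain check even without a sender, which is why both are worth running. The genuine www.cdc.gov link in the sample produces no finding.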

Infection information:

Sinowal.WRN creates a copy of itself with the name SDRA64.EXE in the Windows system directory.

Additionally, it creates the following files, where it stores the information it has obtained:

  • LOCAL.DS and USER.DS, in the folder lowsec, which it creates in the Windows system directory.
  • 8.TMP and 9.TMP, in the folder Temp of the Windows directory.

Sinowal.WRN modifies the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    windowsl1vi = %sysdir%\%random file%.exe
    where %sysdir% is the Windows system directory and %random file% is the filename with which the Trojan is copied.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Userinit = %sysdir%\userinit.exe,
    where %sysdir% is the Windows system directory. It changes this entry to:
    Userinit = %sysdir%\userinit.exe,%sysdir%\sdra64.exe,
    By modifying this entry, Sinowal.WRN ensures that it is run whenever Windows is started.

Country of malware origin: Ukraine
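The Userinit modification is the more durable of the two persistence points: Winlogon executes every comma-separated entry in that value at logon, so the Trojan keeps starting even after the Run value is deleted. The script below is an added example for this write-up (not a Panda tool and not part of the original post). It parses a `reg export` text dump offline, lists every Userinit entry other than the stock userinit.exe, and then cross-checks the Run key for a value launching the same binary, which is exactly the footprint described above. The sample dump is constructed; it uses the key path a `reg export` produces on a real system, where the Winlogon key sits under the Windows NT branch, and the system directory `C:\Windows\system32` is an assumption passed as a parameter.

```python
"""Offline triage of the Userinit and Run autostart locations from a .reg dump."""
import ntpath
import re

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines; .reg files escape backslashes and quotes with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the REG_SZ values in a
    .reg dump. DWORD and binary values (dword:, hex:) are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_userinit(value, sysdir=r"C:\Windows\system32"):
    """Entries of a Userinit value other than the stock userinit.exe in sysdir.
    Comparison is case-insensitive and ignores quotes, spaces and the normal
    trailing comma. sysdir is an assumed default install path."""
    expected = ntpath.normcase(ntpath.join(sysdir, "userinit.exe"))
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and ntpath.normcase(e) != expected]


def _command_target(cmd):
    """Executable path from a Run-key command: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def audit_autostart(reg_text, sysdir=r"C:\Windows\system32"):
    """Report extra Userinit entries and any Run value launching the same binary."""
    findings, extras, run_values = [], [], {}
    for path, values in parse_reg_export(reg_text).items():
        tail = path.rsplit("\\", 1)[-1].lower()
        if tail == "winlogon" and "Userinit" in values:
            extras = audit_userinit(values["Userinit"], sysdir)
            findings += [{"type": "userinit_extra", "entry": e} for e in extras]
        elif tail == "run":
            run_values.update(values)
    extra_names = {ntpath.basename(ntpath.normcase(e)) for e in extras}
    for name, cmd in run_values.items():
        exe = ntpath.basename(ntpath.normcase(_command_target(cmd)))
        if exe in extra_names:
            findings.append({"type": "run_key_matches_userinit", "name": name, "command": cmd})
    return findings


# Constructed dump: the infected Userinit value and Run value name from the
# write-up, next to a benign quoted command with arguments.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sdra64.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowsl1vi"="C:\\Windows\\system32\\sdra64.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
'''

if __name__ == "__main__":
    for finding in audit_autostart(SAMPLE_REG):
        print(finding)
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and the corresponding Run key export concatenated into one file. Any Userinit entry beyond userinit.exe deserves a look on its own; the same binary also sitting in Run makes the Sinowal pattern hard to mistake.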

Phishing targeting Google Adwords

December 10, 2009

We've seen this phishing e-mail going around in the last few hours:

When you click on the link you are redirected to the following site:

Taking a look at the URL you can see that it is not the real Google AdWords site. As always, companies never send you a message with a link to change your credentials, and if one did, it would not deserve your trust, so please always dismiss this kind of message. If you need to change your password (something everyone should do from time to time), go directly to the site and do it there.

Rogue Antivirus Optimized for Windows 7

December 10, 2009

While researching the ongoing Black(hat) Friday SEO campaign. Unlike the typical Rogueware attack, the cyber criminals behind this one have already optimized the campaign to take advantage of users of the brand new Microsoft Windows 7 operating system by emulating its look and feel. 

Rogue Antivirus Optimized for Windows 7

As you can see from the screenshot above, the website creates an exact replica of the Windows 7 Explorer shell. In addition to the popup, the site is configured with a white background in order to create the illusion that the “Windows 7 popup” is not part of the web page but a separate process running on the computer itself. Both techniques are devilishly deceptive and might even fool an expertly trained eye.

Black(hat) Friday

December 10, 2009

If you plan on shopping online for “Black Friday” or “Cyber Monday”, you might be in for more than you bargained for. Cyber criminals behind the Rogueware epidemic have optimized their Blackhat SEO campaigns to take advantage of deal seekers looking for advertisements online. One misstep and you just might find yourself staring at a scareware site designed to trick you into believing that your computer is infected.

Google Search:

Fake Antivirus Page:

Black Friday - Rogueware Page

We are constantly monitoring this and other Blackhat SEO campaigns to protect our customers against the latest malware attacks on the Internet. If you are not a customer yet, we recommend at least installing our free Cloud Antivirus protection. We also recommend adding an extra layer of browsing protection with safer browsing technology, such as the community-driven system provided by our partner, Web of Trust.

http://pandalabs.pandasecurity.com/archive/This-way-works-the-worm-for-iPhone.aspx

December 10, 2009

We have created a video showing how the iPhone/Eeki worm works.

You can see it here:

As you can see in the video, this malware first checks that it is not already running on the device. To do so, it checks whether the following file exists:

/var/lock/bbot.lock

This may help you find out whether you are infected: if this file is present on your device, the worm is there.
Next, it changes the device host and stops the SSH daemon.
It then tries to spread on the subnet the phone is connected to, and also generates random IP ranges, trying pre-established ranges corresponding to certain companies' IP addresses:

IPs

Once an IP address has been generated, it connects to the jailbroken iPhone at that address over SSH using the default root password shipped on all iPhone OS devices (1G, 2G and 3G iPhone and iPod touch). If access is denied, it generates another random IP and repeats the process until it finds a vulnerable victim.

Once a victim accepting those credentials is found, it opens a remote session and copies itself to the affected phone, adding:

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist

to run on restart.

It then stops the SSH service through which the infection took place. Finally, it copies a photo of Rick Astley to the device and sets it as the wallpaper.
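The write-up gives three file-system indicators for the worm: the /var/lock/bbot.lock marker and the two LaunchDaemons plists. The script below is an added example for this page (not the worm's code and not a Panda tool). It audits a snapshot of those directories, passed in as a `{path: bytes}` mapping copied off the device, so nothing has to execute on the phone: it reports the lock file, the two plist paths named above, and any other LaunchDaemon whose `Label` is not in a baseline of known daemons, including plists that fail to parse. The baseline and all program paths other than /usr/sbin/sshd are constructed placeholders.

```python
"""Triage of the iPhone/Eeki worm indicators from a LaunchDaemons snapshot."""
import plistlib

LOCK_FILE = "/var/lock/bbot.lock"
LAUNCHD_DIR = "/System/Library/LaunchDaemons/"
# The two plist paths the write-up says the worm adds.
WORM_PLISTS = {
    LAUNCHD_DIR + "com.saurik.Cydia.Startup.plist",
    LAUNCHD_DIR + "com.ikey.bbot.plist",
}
# Daemon labels expected on the device. Constructed baseline: in practice,
# take it from a known-clean device with the same firmware and jailbreak.
KNOWN_LABELS = {"com.openssh.sshd"}


def audit_snapshot(files, known_labels=KNOWN_LABELS):
    """Return findings as dicts with a 'type' key. Checks the worm's lock
    file, the plist paths it drops, and every other LaunchDaemon whose Label
    is not in the baseline or that cannot be parsed at all."""
    findings = []
    if LOCK_FILE in files:
        findings.append({"type": "lock_file", "path": LOCK_FILE})
    for path in sorted(files):
        if not (path.startswith(LAUNCHD_DIR) and path.endswith(".plist")):
            continue
        if path in WORM_PLISTS:
            findings.append({"type": "worm_plist", "path": path})
            continue
        try:
            plist = plistlib.loads(files[path])
        except Exception:  # InvalidFileException or an XML parse error: damaged file
            findings.append({"type": "unparseable_plist", "path": path})
            continue
        label = plist.get("Label", "")
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else "")
        if label not in known_labels:
            findings.append({"type": "unknown_daemon", "path": path,
                             "label": label, "program": program})
    return findings


def _plist(label, program):
    """Build a minimal launchd plist (constructed sample data)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": [program], "RunAtLoad": True})


# Constructed snapshot of an infected device; non-sshd program paths are placeholders.
SAMPLE_FILES = {
    LOCK_FILE: b"",
    LAUNCHD_DIR + "com.openssh.sshd.plist": _plist("com.openssh.sshd", "/usr/sbin/sshd"),
    LAUNCHD_DIR + "com.saurik.Cydia.Startup.plist": _plist("com.saurik.Cydia.Startup", "/placeholder/cydia-startup"),
    LAUNCHD_DIR + "com.ikey.bbot.plist": _plist("com.ikey.bbot", "/placeholder/bbot"),
    LAUNCHD_DIR + "com.example.extra.plist": _plist("com.example.extra", "/placeholder/extra"),
    LAUNCHD_DIR + "damaged.plist": b"<plist><dict>",
}

if __name__ == "__main__":
    for finding in audit_snapshot(SAMPLE_FILES):
        print(finding)
```

The baseline comparison matters more than the two fixed paths: a variant only has to rename its plist to slip past a path list, whereas a daemon that was not on the device when it was set up still shows up as `unknown_daemon`.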

Wallpaper

“Thanks to Gorka Ramírez and Francisco Berenguer for the information and the video”.

Blackhat SEO Aggressively Targets Halloween Related Keywords

October 28, 2009

Cyber criminals behind the Rogueware epidemic have been hard at work poisoning search results to drive traffic to their campaign sites. Today we identified a new Blackhat SEO campaign that is aggressively targeting Halloween-related keywords. While studying the campaign, I noticed that the most commonly targeted keywords were classic costume favorites, such as Catwoman costumes, vampire costumes and various adult costumes. In addition to costumes, the BHSEO campaign also targets Halloween-related food recipes, haunted house directions, Halloween parties and the movie Halloween.

Tainted search results:

Blackhat SEO - Search Results

Fake Antivirus site:

Rogueware Site

Tag cloud of targeted search terms:

BHSEO Tagcloud

As we have documented in prior blog posts, Blackhat SEO continues to be one of the most prevalent and pervasive attack vectors on the Internet today. As users, we tend to trust search engines to provide safe and accurate search results, but the reality is that today, search engines are becoming the most dangerous way to browse the Internet.