Archive for August, 2009

Are Cyber Criminals Targeting Local Events In Your City?

August 27, 2009

Panda Security has a California office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forest that have now burned through at least 30 acres, so naturally we have been keeping an eye on them. To my surprise, when I pulled up a Google search for “Angeles Crest Fire”, the results showed a malicious link ranked above most of the relevant sources.

Update: 9/01/08 – The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc

[Screenshot: Angeles Crest Fire - malicious search result]

Once clicked, the site loads and checks that the visitor arrived from Google. If so, the following script begins the redirection to the rogueware site:

[Screenshot: Angeles Crest Fire - malicious redirection script]
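The referer check described above is what makes this kind of Blackhat SEO page hard to spot from a direct visit. As an added example (not from the original post), the function below fetches a URL once without a Referer and once pretending to come from a Google search, and flags the page as cloaked when a client-side redirect appears only in the search-engine variant. The `fake_fetch` stand-in is constructed so the example runs offline; swap in a real HTTP client for live analysis.

```python
import re
from typing import Callable, Optional

# Client-side redirect markers: meta refresh, location assignments, location.replace()
REDIRECT_RE = re.compile(
    r'(<meta[^>]+http-equiv=["\']?refresh|'
    r'(?:window|document|top)\.location(?:\.href)?\s*=|'
    r'location\.replace\s*\()',
    re.IGNORECASE,
)

# A fetcher takes (url, referer_or_None) and returns the response body as text.
Fetcher = Callable[[str, Optional[str]], str]

SEARCH_REFERERS = (
    "https://www.google.com/search?q=Angeles+Crest+Fire",  # constructed sample referer
)

def find_redirect(html: str) -> bool:
    """True if the body contains a script/meta redirect."""
    return REDIRECT_RE.search(html) is not None

def check_referer_cloaking(url: str, fetch: Fetcher,
                           referers=SEARCH_REFERERS) -> dict:
    """Fetch url directly and with each search-engine Referer; report cloaking."""
    direct = fetch(url, None)
    report = {"url": url, "direct_redirects": find_redirect(direct), "cloaked_for": []}
    for ref in referers:
        body = fetch(url, ref)
        # Cloaked: identical URL, but only search-engine visitors get a redirect.
        if body != direct and find_redirect(body) and not report["direct_redirects"]:
            report["cloaked_for"].append(ref)
    report["cloaked"] = bool(report["cloaked_for"])
    return report

# Constructed stand-in for the web, mimicking the behaviour the post describes:
# keyword-stuffed content for crawlers and direct visits, a redirect for Google traffic.
DIRECT_HTML = "<html><body><h1>Angeles Crest Fire</h1><p>Latest news ...</p></body></html>"
CLOAKED_HTML = ('<html><body><h1>Angeles Crest Fire</h1>'
                '<script>window.location="http://rogue.example/scan.php";</script>'
                '</body></html>')

def fake_fetch(url: str, referer: Optional[str]) -> str:
    """Hypothetical server: serve the redirect only when Referer is a Google search."""
    if referer and "google." in referer:
        return CLOAKED_HTML
    return DIRECT_HTML

if __name__ == "__main__":
    print(check_referer_cloaking("http://seo-page.example/fire.html", fake_fetch))
```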

The rogueware site displays a fake antivirus scan intended to scare victims into thinking their computer is infected. If the malware is downloaded and installed as the site suggests, the user will see a fake antivirus program pop up on their computer. At that point it becomes very aggressive and difficult to remove.

[Screenshot: Adware/PersonalAntivirus]

File: Antivirus-x_x.exe
Size: 172032 bytes
MD5: 0E9BC3499560EEA9261F5883FAE2A10E
Malware info: Adware/PersonalAntivirus

Rogueware attacks are among the most prevalent attacks on the Internet today.  You can see our latest report on them here: The Business of Rogueware (pdf)

5 Steps to Avoid Infection:

  1. Always have up-to-date Anti-Malware software installed.  If you don’t have one or if your current solution is not removing the Malware, you could download a free trial from us here: http://www.pandasecurity.com/usa/homeusers/downloads/evaluation/

  2. Don’t rely on search engines to provide valid or safe search results.  You can improve your chances of safe browsing by downloading our free Web of Trust browser plugin: http://www.pandasecurity.com/homeusers/downloads/wot/

  3. Pay close attention to the links you are clicking on. If you don’t recognize the source, research the domain in a separate search or avoid the link altogether.
  4. Rogueware attacks rely on social engineering (i.e., making you believe you are infected when you are not). Don’t believe it! Simply close the browser window if you see a scan appear all of a sudden. If you cannot close the window with your mouse, try ALT+F4 to force it closed.
  5. Don’t be afraid to ask for help. Call your antivirus company or a tech-savvy friend if you feel that you are in over your head.

 

A new family member: SaveDefense

August 27, 2009

Two days ago we wrote about 3 different variants of the same rogueware family that were just changing the name of the "product". The family keeps growing: yesterday we found a new member, called SaveDefense:

The payment gateway remains unchanged too:

 

New Roguewares: SaveKeep, SaveSoldier & TrustNinja

August 26, 2009

As you already know if you've read our paper The Business of Rogueware, this is a very lucrative business. Every day we see thousands of new variants, and a few new families appear trying to infect users and take their money. Three of the new families we've seen this week, called SaveKeep, SaveSoldier and TrustNinja, are in the end the same rogueware, just rebranded, which is one of the common strategies they use. Guess how we can tell that the three of them are in fact the same rogueware:

Another clue that this is the same piece of malware is that they are using the same payment gateway:

Keep Your Identity Safe

August 20, 2009

Today, we issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008.

PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007.

PandaLabs estimates that approximately three percent of all users have fallen victim to these techniques. The problem with these types of threats, unlike traditional viruses of the past, is that they are designed to go undetected, and therefore users do not realize they have become victims until it is too late. To avoid falling victim to identity theft, we recommend consumers follow these preventive measures:

1. Be aware of any kind of message that requests personal data from you. It is extremely improbable that online banks, payment platforms or social networks will ever send messages (emails, texts, etc.) to users asking for their login credentials, and much less for their credit card details.

2. Whenever you access an online bank, store, etc. always type the address directly in your browser. It is never advisable to enter these sites through links received through any channel or links returned by search engine results.

3. After having written the address in the browser, double check that the URL is really the one you have entered, and that the address has not changed into something unusual when you have clicked 'Enter.'

4. Check that the page contains the corresponding security certificates (these are generally displayed with a 'locked padlock' icon in the browser).

5. Always have a good security solution installed on your computer.

This will help detect if you are entering a spoof Web page. It is always good to have a second opinion to ensure that you have not been infected by Trojans or the like. You can get this through any reliable free online application, such as Panda ActiveScan (available at http://www.pandasecurity.com/).

6. Above all, if you have any suspicions don't enter your details and contact the corresponding bank, store or service provider that you are trying to access. Any established organization will have a customer service line you can reach directly.

7. If you are someone that frequently uses online services for shopping, banking, etc., you can also get insurance for your online activity, which will cover you in the case of fraud.

Koobface: The saga continues

August 13, 2009

The gang behind the Koobface worm has been hard at work in releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.

Sample malspam:

[Screenshot: Koobface link posted on Facebook]

After clicking the link, victims are automatically redirected to a Koobface-controlled server, which then routes them to a fake codec site tailored to the social network they came from.

Fake codec site:

The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which then ultimately transforms their machine into a distribution point for the infection to further propagate. 

[Screenshot: Koobface fake codec site]

Koobface connection log:

[Screenshot: Koobface connection log]

On infection, the Koobface worm immediately attempts to download three additional executable files.

[Screenshot: Koobface downloads on infection]

After turning the victim's computer into its next distribution point, it also attempts to monetize the infection by installing the "Total Security" rogueware.

[Screenshot: Adware/TotalSecurity]