Farmville and “Sex and the City 2” Used as Bait to Hijack Facebook’s “Like” Button

PandaLabs, the anti-malware laboratory of Panda Security, The Cloud Security Company, has reported the proliferation of scams hijacking the Facebook “Like” option. The attack uses eye-catching messages related to the popular game Farmville, the “Sex and the City 2” movie or the keyword sex to grab the attention of logged-in Facebook users as they browse Web pages with the “Like” button, the Facebook wall feature or messaging system.

Clicking the link brings the user to a Web page containing photos and videos of the relevant topic. Upon visiting it, a message is displayed on the user’s Facebook profile indicating that they “like” it, with a text that is not controlled by the user. According to Luis Corrons, Technical Director of PandaLabs, “This distribution technique reminds us of computer worms, although this time there doesn’t seem to be any malware behind it (at least yet).”

This technique, known as ‘clickjacking,’ uses a malformed URL with embedded code to carry out the attack. Visiting users are tricked into “liking” a page without necessarily realizing that they are recommending it to all of their Facebook friends. The real business stems from the pay-per-click system, which counts every click and generates revenue for affiliates, and from the tests offered to users on every page, which they must pay to take.

“Cyber-criminals can make money just by tricking you into visiting a Web page with ads,” Luis Corrons says. “Or worse still, they can spread malware and infect you. This possibility has not yet been exploited, but it would be relatively easy and effective to do it.”

PandaLabs advises users to be extremely wary of messages with striking subjects received from Facebook’s internal messaging system, and to take all necessary precautions when clicking the “Like” button on external Web pages. Also, PandaLabs recommends that users refrain from entering any banking or credit card information in applications that try to sell them any kind of test.

Computer Clarity

Spybot.AKB spreads across P2P networks and email using Google, Twitter, Amazon, Hallmark and Hi5 as lures

2/18/2010.

PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has detected a new worm, Spybot.AKB. It spreads using P2P programs (copying itself to the usual shared folders with different names) and also via email. What’s new about this worm is the way it tricks users, spreading under the guise of an invitation to join social networks like Twitter and Hi5, or in an email supposedly from Google replying to a job application. Another new feature is the way it installs on computers, passing itself off as a Firefox security extension.

Email subjects include:
• Jessica would like to be your friend on hi5!
• You have received A Hallmark E-Card!
• Shipping update for your Amazon.com order 254-71546325-658732
• Thank you from Google!
• Your friend invited you to twitter!

Once installed, the worm redirects browsers to different websites if the user launches a search with any of the following words:

A: Airlines, Amazon, Antivir, Antivirus.
B: Baseball, Books.
C: Casino, Chrome, Cialis, Cigarettes, Comcast, Craigslist, Credit.
D: Dating, Design, Doctor.
E: Explorer
F: Fashion, Finance, Firefox, Flifhts, Flower, Football
G: Gambling, Gifts, Graphic.
H: Health, Hotel.
I: Insurance, Iphone.
L: Loans.
M: Medical, Military, Mobile, Money, Mortgage, Movie, Music, Myspace.
O: Opera.
P: Pharma, Pocker.
S: School, Software, Sport, Spybot, Spyware.
T: Trading, Tramadol, Travel, Twitter.
V: Verizon, Video, Virus, Vocations.
W: Wallpaper, Weather.

It also takes a series of actions to lower the security level of infected computers: it adds itself to the Windows firewall list of authorized applications and disables both the Windows Error Reporting service and User Account Control (UAC).
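As an added triage example (not PandaLabs code), the following Python checks exported `reg query` text for the three settings the worm is described as tampering with. The registry locations, the `WerSvc` service name (Windows Vista and later), the trusted-directory heuristic and the sample data are assumptions; the article names none of them.

```python
import re

# Assumed registry locations for the three settings; the article names none.
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WER_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
# Heuristic: firewall exceptions for binaries outside these directories are flagged.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\", "%windir%\\")
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")

# Constructed sample of `reg query` output, not taken from a real infection.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc
    Start    REG_DWORD    0x4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Example\app.exe    REG_SZ    C:\Program Files\Example\app.exe:*:Enabled:Example App
    C:\Users\alice\AppData\Roaming\ext\update.exe    REG_SZ    C:\Users\alice\AppData\Roaming\ext\update.exe:*:Enabled:Update
"""

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def triage(text):
    """Return findings for disabled UAC, disabled WER and odd firewall exceptions."""
    keys = parse_reg_query(text)
    findings = []
    # A missing value is treated as the Windows default (UAC on, service not disabled).
    if int(keys.get(UAC_KEY, {}).get("EnableLUA", "0x1"), 16) == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    if int(keys.get(WER_KEY, {}).get("Start", "0x3"), 16) == 4:
        findings.append("Windows Error Reporting service disabled (Start=4)")
    for name, data in keys.get(FW_KEY, {}).items():
        if ":enabled" in data.lower() and not name.lower().startswith(TRUSTED_DIRS):
            findings.append(f"Firewall exception outside trusted directories: {name}")
    return findings
```

A finding here is a prompt for review, not proof of infection: administrators and legitimate software change all three settings too.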


Virus Yearbook 2009

As has become tradition, PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has published its 2009 Virus Yearbook, reviewing the malicious codes that have appeared over the last 12 months and examining those that have stood out for one reason or another.
Rather than a ranking of the most widespread viruses, or those that have caused most infections, PandaLabs has selected those which, either for their use of social engineering or their visible effects on computers, stood out most last year. For this reason, some of the more well-known malicious codes (such as the Koobface virus) are absent from the list.

So here are the viruses we believe deserve a mention:

- The biggest headache. There can be no doubt that Conficker.C has been the most obnoxious virus over the last 12 months. It first appeared on December 31, 2008, and has spent the last year causing serious infections to companies and home users alike. The insidious and tenacious nature of this malicious code has earned it first place in our ranking.

- The Harry Potter of viruses. Although there is no reference to the world’s most popular fictional wizard, the on-screen messages Samal.A displays are all about magic. When it infects a computer, users will see the message “Ah ah you didn’t say the magic word” (see photo on Flickr), and the cursor then flickers waiting for users to enter a word. The truth is, it doesn’t matter what is entered, because after three attempts, the phrase “Samael has come. This the end” (see photo here), will be displayed and the computer is restarted.

- V for Vendetta. We still don’t know who is the real target of this vendetta, but DirDel.A wreaks vengeance on infected users, progressively replacing folders in different directories with copies of itself. The worm is carried in a file called Vendetta.exe with a typical Windows folder icon (see photo on Flickr).

- Plane nuisance. The Sinowal.VZR Trojan has infected thousands of computers under the guise of plane tickets supposedly purchased by the user (see photo on Flickr).

- The all-action virus. We are talking about Whizz.A. Once infected, computers will start emitting a series of beeps, the mouse pointer moves uncontrollably around the screen, the CD/DVD tray opens and closes, while the screen is ‘decorated’ with a row of bars like those in the image.

- The snooper. Waledac.AX ensnares its victims by claiming to offer a free application for reading SMS messages on anyone’s cell phone. Ideal for those that want to check up on their partners. Perhaps that’s why so many users fell victim to this intelligent virus.

- The most affectionate. BckPatcher.C tops this category, as it changes the desktop wallpaper to an image reading “virus kiss 2009” (see photo on Flickr). What a charmer!

- A touch of the sniffles. We couldn’t fail to mention here a couple of viruses, WinVNC.A and Sinowal.WRN, that used the widespread alarm surrounding swine flu to trick users and infect their systems.

- And the award for incompetent newcomer goes to… Ransom.K. This Trojan encrypts documents on infected computers, and then asks for a $100 ransom to release them. However, its creator, probably lacking in experience, included a programming error which allows users to release the files with a simple key combination.

- The most deceitful. This year, the winner in this category is FakeWindows.A, which infects users by passing itself off as a license activation process for Windows XP.

- The party animal. Banbra.GMH arrives in an email promising photos of Brazilian parties (with dancing girls included)… Who could resist?


PandaLabs Annual Malware Report, 2009 sets new records for malware creation: 25 million new strains

PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has published its Annual Malware Report.

The report reviews the major incidents and events concerning IT security in 2009. The outstanding trend of the last 12 months has been the prolific production of new malware: 25 million new strains were created in just one year, compared to a combined total of 15 million throughout the rest of the company’s 20-year history.

This latest surge of activity included countless new examples of banker Trojans (some 66%) as well as a host of fake antivirus programs (rogueware). The report also draws attention to the resurgence of traditional viruses, previously on the verge of extinction, such as Conficker, Sality or the veteran Virutas. See the graph here.

During 2009, spam was also highly active: some 92% of all email traffic was identified as spam. The tricks used to dupe potential victims into opening these emails have focused heavily on exploiting current affairs and dramatic news stories (a tendency which also applied to SEO attacks). As such, we saw waves of junk mail related to celebrity scandals or deaths (real or fictitious), swine flu, compromising videos of politicians, etc. This year PandaLabs also tracked how spam impacted different industrial sectors, revealing how the automobile and electrical industries were the worst affected, followed by government institutions.

As regards malware distribution channels, social networks (mainly Facebook, Twitter, YouTube or Digg), and SEO attacks (directing users to malware-laden websites) have been favored by cyber-criminals, who have been consolidating underground business models to increase revenues.

The Annual Malware Report also examines how individual countries and regions have been affected throughout the year, based on the data gathered from computers scanned and disinfected free of charge with Panda ActiveScan. Taiwan tops the rankings, followed by Russia, Poland, Turkey, Colombia, Argentina and Spain. Countries suffering fewest infections include Portugal and Sweden.
You can see this graph here.

Last year also saw a rise in the number of news stories related to cyber-attacks with political motives or targets, suggesting that this is no longer the preserve of sci-fi movies and conspiracy theorists and is now becoming a reality.

Finally, and as we announced some days ago, PandaLabs has predicted that the amount of malware in circulation will continue to grow during 2010. Windows 7 will surely attract the interest of hackers when it comes to designing new malware, and attacks on Mac will increase. While we are likely to witness more politically motivated attacks, the report concludes that, once again, this will not be the year of the cell phone virus.
