Thousands of online banking customers have accounts emptied by ‘most dangerous Trojan virus ever created’

By Daily Mail Reporter
Last updated at 2:11 PM on 11th August 2010

  • Trojan is still at large and may strike again, experts warn
  • Bank affected has still not been named

Thousands of British online banking customers have fallen victim to a sophisticated attack by cyber criminals who have stolen thousands of pounds from their accounts.

About 3,000 online banking customers have been victims of a computer virus attack that empties their accounts while showing them fake statements so the scam goes undetected.

Experts have described the attack using a ‘Trojan’ virus as the most sophisticated and dangerous malware program ever created.

The cyber criminals stole an estimated £675,000 between July 5 and August 4 and the attack is still progressing, experts warn.

Out of action: The new Trojan virus can empty bank accounts without their owners knowing about the theft as it shows them fake statements

The latest virus is a variant of the Zeus Trojan banking virus which first emerged three years ago and is called Zeus v3. 

M86 Security said: ‘We’ve never seen such a sophisticated and dangerous threat. Always check your balance and have a good idea of what it is.’

The scam was discovered after M86 gained access to the command-and-control server in Eastern Europe running the thefts.

How to protect yourself from Trojans when banking online

  • Make sure your anti-virus software is up to date.
  • Keep firewalls set to the highest level.
  • Never open an e-mail attachment from someone you don’t know.
  • Never double-click on an e-mail attachment that ends in .exe. It is an ‘executable’ file and can do what it likes in your system.
  • If you think your machine has already been infected, contact your bank immediately. If the bank thinks you are a genuine victim of fraud it will reimburse you.

It collects data such as passwords and even transfers money out of accounts automatically, but only after checking if there is at least £800 available.

Bradley Anstis, M86 vice-president of technology strategy, said: ‘This is an extremely sophisticated version of the virus and it cannot be detected by traditional security software.’

The company said it was the most sophisticated and dangerous virus yet seen and advised online banking users to check their balances regularly and have a good idea of what they should be.

British high street banks do not believe they have become victims of the cyber criminals.

A spokesman for HSBC said: ‘There are millions of viruses and other malicious software.

We urge people to take basic measures to protect themselves from virus attacks.

Any customer who is a victim of fraud will be reimbursed by HSBC.’

However, M86 said it believed one high street bank was breached and failed to act quickly after warnings last month.

More than 100,000 PCs in Britain have been infected with other forms of the Trojan virus.

McAfee Inc, the security software maker, said production of software code known as malware, which can harm computers and steal user passwords, reached a new high in the first six months of 2010.

McAfee said total malware production continued to soar and 10 million new pieces of malicious code were catalogued.

What is a Trojan?

  • A Trojan is a type of computer virus that infects your PC
  • It is called a Trojan because it will disguise itself as a useful application but when installed can take control of a user’s computer
  • It can let a hacker take control of your computer or simply wipe the hard drive
  • It can also be used to install key logging software which will let the hacker know what you are typing and give him access to your passwords
  • Trojans are now the most popular form of computer virus or ‘malware’

McAfee also warned users of Apple’s Mac computers, considered relatively safe from virus attacks, that they may also be subjected to malware attacks in the future.

‘For a variety of reasons, malware has rarely been a problem for Mac users. But those days might end soon,’ a spokesman said.

‘Our latest threat report depicts that malware has been on a steady incline in the first half of 2010,’ Mike Gallagher, chief technology officer of Global Threat Intelligence for McAfee, said in the report that was obtained by Reuters.

Last year £59.7million was lost to online banking fraud, according to Financial Fraud Action UK.

Another £440million was lost to credit card fraud.

And the problem is said to be on the rise, with criminals attacking banks’ customers rather than the banks themselves as they are seen as softer targets.

A Financial Fraud Action UK spokeswoman said: ‘The idea that criminals are targeting people by using malicious software or Trojans is nothing new.

Bank systems are hard to attack so they have to go through the easier link in the chain, which is the customers.

They’re hoping customers aren’t taking security precautions. We’ve been seeing this for the last few years and we’re constantly urging people to protect their computers to try to mitigate the risk of becoming a victim.’

Victims of online banking fraud are generally refunded the money.

Computer Clarity

Recovering from Viruses, Worms, and Trojan Horses

Unfortunately, many users are victims of viruses, worms, or Trojan horses. If your computer gets infected with malicious code, there are steps you can take to recover.

How do you know your computer is infected?

Unfortunately, there is no particular way to identify that your computer has been infected with malicious code. Some infections may completely destroy files and shut down your computer, while others may only subtly affect your computer’s normal operations. Be aware of any unusual or unexpected behaviors. If you are running anti-virus software, it may alert you that it has found malicious code on your computer. The anti-virus software may be able to clean the malicious code automatically, but if it can’t, you will need to take additional steps.

What can you do if you are infected?

1. Minimize the damage – If you are at work and have access to an IT department, contact them immediately. The sooner they can investigate and clean your computer, the less damage to your computer and other computers on the network. If you are on your home computer or a laptop, disconnect your computer from the internet. By removing the internet connection, you prevent an attacker or virus from being able to access your computer and perform tasks such as locating personal data, manipulating or deleting files, or using your computer to attack other computers.

2. Remove the malicious code – If you have anti-virus software installed on your computer, update the virus definitions (if possible), and perform a manual scan of your entire system. If you do not have anti-virus software, you can purchase it at a local computer store. If the software can’t locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all of your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all of the appropriate patches to fix known vulnerabilities.

How can you reduce the risk of another infection?

Dealing with the presence of malicious code on your computer can be a frustrating experience that can cost you time, money, and data. The following recommendations will build your defense against future infections:

Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. However, attackers are continually writing new viruses, so it is important to keep your anti-virus software current.

Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. This includes passwords for web sites that may have been cached in your browser. Make the passwords difficult for attackers to guess.

Keep software up to date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.

Install or enable a firewall – Firewalls may be able to prevent some types of infection by blocking malicious traffic before it can enter your computer. Some operating systems actually include a firewall, but you need to make sure it is enabled.

Use anti-spyware tools – Spyware is a common source of viruses, but you can minimize the number of infections by using a legitimate program that identifies and removes spyware.

Follow good security practices – Take appropriate precautions when using email and web browsers so that you reduce the risk that your actions will trigger an infection.

As a precaution, maintain backups of your files on CDs or DVDs so that you have saved copies if you do get infected again.

Spybot.AKB spreads across P2P networks and email using Google, Twitter, Amazon, Hallmark and Hi5 as lures

2/18/2010.

PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has detected a new worm, Spybot.AKB. It spreads using P2P programs (copying itself to the usual shared folders with different names) and also via email. What’s new about this worm is the way it tricks users, spreading under the guise of an invitation to join social networks like Twitter and Hi5, or in an email supposedly from Google replying to a job application. Another new feature is the way it installs on computers, passing itself off as a Firefox security extension.

Email subjects include:
  • Jessica would like to be your friend on hi5!
  • You have received A Hallmark E-Card!
  • Shipping update for your Amazon.com order 254-71546325-658732
  • Thank you from Google!
  • Your friend invited you to twitter!

Once installed, the worm redirects browsers to different websites if the user launches a search with any of the following words:

A: Airlines, Amazon, Antivir, Antivirus.
B: Baseball, Books.
C: Casino, Chrome, Cialis, Cigarettes, Comcast, Craigslist, Credit.
D: Dating, Design, Doctor.
E: Explorer.
F: Fashion, Finance, Firefox, Flifhts, Flower, Football.
G: Gambling, Gifts, Graphic.
H: Health, Hotel.
I: Insurance, Iphone.
L: Loans.
M: Medical, Military, Mobile, Money, Mortgage, Movie, Music, Myspace.
O: Opera.
P: Pharma, Pocker.
S: School, Software, Sport, Spybot, Spyware.
T: Trading, Tramadol, Travel, Twitter.
V: Verizon, Video, Virus, Vocations.
W: Wallpaper, Weather.

It also takes a series of actions to lower the security level of infected computers, adding itself to the Windows firewall list of authorized applications, and disabling the Windows Error Reporting service and User Account Control (UAC).
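The three changes just described (UAC off, Windows Error Reporting off, a new firewall exception) all leave marks in the registry, so a defender can audit an exported snapshot for them. The script below is an added example written for this page, not PandaLabs' code or a Spybot.AKB detection signature. It parses a `.reg` export and reports each tampering mark. The registry paths are the standard locations for these settings (`EnableLUA` under `Policies\System`, `Disabled` under `Windows Error Reporting`, and the XP/Vista-era firewall `AuthorizedApplications\List`); the sample export, its `svchost32.exe` entry and the allow-list of expected firewall entries are constructed for the demo and would be replaced by a real baseline.

```python
"""Audit a Windows registry export for the tampering marks described above:
UAC disabled, Windows Error Reporting disabled, and a firewall exception for an
executable that is not in the administrator's baseline.

Added example, not PandaLabs' code. SAMPLE_REG and KNOWN_GOOD_FIREWALL_APPS are
constructed; the registry key paths are the standard ones for these settings.
"""
import re

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting"
FW_APPS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
               r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed baseline: executables the administrator expects in the firewall list.
KNOWN_GOOD_FIREWALL_APPS = {
    r"c:\program files\mozilla firefox\firefox.exe",
}

# Constructed sample export; the svchost32.exe entry is invented for the demo.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"Disabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\user\\Application Data\\svchost32.exe"="C:\\Documents and Settings\\user\\Application Data\\svchost32.exe:*:Enabled:svchost32"
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become int,
    string values are unescaped (the .reg format doubles backslashes)."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1).replace("\\\\", "\\")
            raw = m.group(2).strip()
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace("\\\\", "\\")
            else:
                value = raw
            keys[current][name] = value
    return keys


def audit(keys):
    """Return a list of human-readable findings for the three tampering marks."""
    findings = []
    if keys.get(UAC_KEY, {}).get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    if keys.get(WER_KEY, {}).get("Disabled") == 1:
        findings.append("Windows Error Reporting disabled (Disabled=1)")
    for app_path, entry in keys.get(FW_APPS_KEY, {}).items():
        # Firewall exceptions are keyed by executable path; anything outside
        # the baseline is reported, including the value that enables it.
        if app_path.lower() not in KNOWN_GOOD_FIREWALL_APPS:
            findings.append("unexpected firewall exception: %s (%s)" % (app_path, entry))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

On a live machine the same text comes from `reg export` of the three keys; the point of keeping a path allow-list rather than a block-list is that a new firewall exception is suspicious whatever name the executable chooses.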

Security advice for Valentine’s Day from PandaLabs

Malware that uses Valentine’s Day as a lure to trick users and infect computers is now a well-established feature of the IT security calendar. Once again, this year it will be no surprise to see numerous emails in circulation with links for downloading romantic greetings cards, or with subjects related to Valentine’s Day. Cyber-crooks, however, are also exploiting other channels, such as Facebook or Twitter, and given the access to millions of users that these social networks provide, they have become just as popular among the criminal fraternity for spreading malware as email.

Social engineering is cyber-crooks’ preferred technique for deceiving users. In these cases it basically involves obtaining confidential information from users by convincing them to take a series of actions. Crimeware and social engineering go hand-in-hand: a carefully selected social engineering ploy convinces users to hand over their data or install a malicious program which captures information and sends it on to the fraudsters.

“The continued use of social engineering by cyber-crooks is a good indication of the infection ratios that this technique for tricking users returns. Otherwise, they would simply have stopped using it”, explains Luis Corrons, Technical Director of PandaLabs.

PandaLabs offers users a series of tips to avoid falling victim to computer threats:

  • Don’t open emails or messages received on social networks from unknown senders.
  • Do not click any links included in email messages, even though they may come from reliable sources. It is better to type the URL directly in the browser. This rule applies to messages received through any mail client, as well as those in Facebook, Twitter, or other social networks or messaging applications, etc.
  • If you do click on any such links, take a close look at the page you arrive at. If you don’t recognize it, close your browser.
  • Do not run attached files that come from unknown sources. Especially these days, stay on the alert for files that claim to be Saint Valentine’s greeting cards, romantic videos, etc.
  • Even if a page seems legitimate, be suspicious if it asks you to download something, and do not accept the download.
  • If, in any event, you download and install any type of executable file and you begin to see unusual messages on your computer, you have probably been infected with malware.
  • If you are making any purchases online related to Valentine’s Day, type the address of the store in the browser, rather than going through any links that have been sent to you.
  • Only buy online from sites that have a solid reputation and offer secure transactions, encrypting all information that is entered in the page. To check that the page is secure, look for the security certificate in the form of a small yellow padlock next to the toolbar or in the bottom right-hand corner of the screen.
  • Don’t use shared or public computers for making transactions or operations that require you to enter passwords or other personal details.
  • Have an effective security solution installed, capable of detecting both known and new malware strains.

Virus Yearbook 2009

As has become tradition, PandaLabs, the anti-malware laboratory of Panda Security -The Cloud Security Company- has published its 2009 Virus Yearbook, reviewing the malicious codes that have appeared over the last 12 months and examining those that have stood out for one reason or another.
Rather than a ranking of the most widespread viruses, or those that have caused most infections, PandaLabs has selected those which, either for their use of social engineering or their visible effects on computers, stood out most last year. For this reason, some of the more well-known malicious codes (such as the Koobface virus) are absent from the list.

So here are the viruses we believe deserve a mention:

- The biggest headache. There can be no doubt that Conficker.C has been the most obnoxious virus over the last 12 months. It first appeared on December 31, 2008, and has spent the last year causing serious infections to companies and home users alike. The insidious and tenacious nature of this malicious code has earned it first place in our ranking.

- The Harry Potter of viruses. Although there is no reference to the world’s most popular fictional wizard, the on-screen messages Samal.A displays are all about magic. When it infects a computer, users will see the message “Ah ah you didn’t say the magic word” (see photo on Flickr), and the cursor then flickers waiting for users to enter a word. The truth is, it doesn’t matter what is entered, because after three attempts, the phrase “Samael has come. This the end” (see photo here), will be displayed and the computer is restarted.

- V for Vendetta. We still don’t know who is the real target of this vendetta, but DirDel.A wreaks vengeance on infected users, progressively replacing folders in different directories with copies of itself. The worm is carried in a file called Vendetta.exe with a typical Windows folder icon (see photo on Flickr).

- Plane nuisance. The Sinowal.VZR Trojan has infected thousands of computers under the guise of plane tickets supposedly purchased by the user (see photo on Flickr).

- The all-action virus. We are talking about Whizz.A. Once infected, computers will start emitting a series of beeps, the mouse pointer moves uncontrollably around the screen, the CD/DVD tray opens and closes, while the screen is ‘decorated’ with a row of bars like those in the image.

- The snooper. Waledac.AX ensnares its victims by claiming to offer a free application for reading SMS messages on anyone’s cell phone. Ideal for those that want to check up on their partners. Perhaps that’s why so many users fell victim to this intelligent virus.

- The most affectionate. BckPatcher.C tops this category, as it changes the desktop wallpaper to an image reading “virus kiss 2009” (see photo on Flickr). What a charmer!

- A touch of the sniffles. We couldn’t fail to mention here a couple of viruses, WinVNC.A and Sinowal.WRN, that used the widespread alarm surrounding swine flu to trick users and infect their systems.

- And the award for incompetent newcomer goes to… Ransom.K. This Trojan encrypts documents on infected computers, and then asks for a $100 ransom to release them. However, its creator, probably lacking in experience, included a programming error which allows users to release the files with a simple key combination.

- The most deceitful. This year, the winner in this category is FakeWindows.A, which infects users by passing itself off as a license activation process for Windows XP.

- The party animal. Banbra.GMH arrives in an email promising photos of Brazilian parties (with dancing girls included)… Who could resist?

Weekly Report on Viruses and Intruders – 01/15/10

This week’s PandaLabs report looks at three new fake antiviruses.

LivePcCare is the first of these malicious programs. As usual with these malicious codes, it first carries out a fake scan of the infected user’s computer, and then claims the system is infected. It asks the user to purchase a license (of a fake antivirus) at a very attractive price to resolve this issue. If users purchase it, they will have paid for fraudulent software. This fake antivirus stands out because of the way it spreads, as it uses Black Hat SEO techniques, exploiting the launch of Google’s Nexus One phone and the Haiti earthquake. Thanks to these techniques, it manages to place malware-downloading links in search engines’ top results.

(see images on Flickr: http://www.flickr.com/photos/panda_security/4274685650/ and http://www.flickr.com/photos/panda_security/4274685718/).

You can get more info at: www.pandalabs.com.

DesktopDefender2010 also makes users believe their computers are infected and prompts users to purchase the product.

(see images on Flickr: http://www.flickr.com/photos/panda_security/4274685852/ and http://www.flickr.com/photos/panda_security/4273941293/).

Finally, APcDefender uses the same techniques. It is a fake antivirus program that falsely informs users they have dangerous software on their computer.

(see image on Flickr: http://www.flickr.com/photos/panda_security/4273941147/).

It tries to fool users by offering them its own anti-malware solution to solve the problems it claims to have detected, and invites them to purchase the software using their credit cards. This way, in addition to stealing users’ money, it also obtains their credit card details.

(see image on Flickr: http://www.flickr.com/photos/panda_security/4273941179/).

More information about these and other malicious codes is available in the Panda Security Encyclopedia.

Weekly Report on Viruses and Intruders – 12/24/09

This week’s PandaLabs report looks at two new fake antiviruses and a Trojan.

Safety Antispyware and InternetSecurity 2010 are malicious programs that try to pass themselves off as legitimate software applications in order to steal users’ money by tricking them into believing that they will eliminate threats that actually do not exist. For more information about this type of malware read “The Business of Rogueware”, a report on fake antivirus programs written by Luis Corrons and Sean-Paul Correll, PandaLabs researchers.

This report is available at: http://www.pandasecurity.com/img/enc/El%20Negocio%20de%20los%20falsos%20antivirus.pdf.

Safety Antispyware tricks users by warning them their computers are infected by (non-existent) threats, prompting them to buy a program to remove them. This program can be downloaded from the vendor’s site. The link can reach users through spam messages, fraudulent Web pages, etc. The fake antivirus shows an icon similar to that of real antivirus programs. Once installed, the program interface opens and runs a full system scan looking for malware.

You can see an image here: http://www.flickr.com/photos/panda_security/4208462422/

Then, it shows a series of messages prompting the targeted user to buy the product.

(http://www.flickr.com/photos/panda_security/4208462446/)

If the user decides to follow the program instructions to get rid of the ‘threats’, they will be asked to enter an activation code and be redirected to a website to buy the product.

Once run, InternetSecurity 2010 scans the computer for malware. However, this is a fake scan that always reports that the computer is infected. Then, it offers users the possibility of disinfecting the computer. As the fake antivirus is supposedly a trial version, users are first requested to buy the antivirus license. To this end, the malware opens the user’s Internet browser on the fake antivirus purchase page. To reassure users that the purchase is safe and the antivirus is legitimate, it shows certificates of authenticity and claims to have been tested by McAfee. It even offers the antivirus license for a long period, apparently at a good price.

See an image here: http://www.flickr.com/photos/panda_security/4207698275/

If the user decides not to purchase the antivirus, it will keep running and displaying warnings about the threats the user is exposed to if they remain infected and do not update the antivirus. These warnings are displayed in two ways: through warnings on the toolbar or on-screen pop-up messages.

Banker.MAI is banker malware aimed at stealing banking data, credentials and/or credit card details when users try to log in to their online banking services. This malware goes memory resident and does not show any symptoms that warn of its presence on the affected computer. The malware works in the background, waiting to be run and to send or receive data.

Banker.MAI arrives as a self-extracting RAR file attached to an email message, usually with the subject “Comprovante Deposito-29092009”. This email message appears to come from a legitimate banking institution, and asks the user to open the attached file to enter some necessary data. If the user opens the file they will become infected. The malware creator is notified via email whenever a computer is successfully infected.
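A self-extracting RAR attachment is a Win32 executable stub with a RAR archive appended to it, so a mail gateway can recognise the delivery form without knowing anything about Banker.MAI itself: the attachment begins with the `MZ` executable header and contains the RAR marker block further in. The script below is an added example written for this page, not PandaLabs' code. It parses a message with Python's standard `email` package, classifies each attachment by its bytes, and returns a quarantine verdict. The message it scans is constructed: the sender and recipient addresses are placeholders, the attachment is a stand-in of an `MZ` header followed by the RAR4 marker rather than a real archive, and only the subject line is the one quoted in the report.

```python
"""Flag e-mail attachments that are self-extracting RAR archives (or any bare
Win32 executable), the delivery form the Banker.MAI write-up describes.

Added example, not PandaLabs' code. The sample message is constructed; its
attachment is an MZ header plus a RAR marker, not a working program.
"""
import base64
import email
from email import policy

PE_MAGIC = b"MZ"                       # DOS/PE executable header
RAR4_MARKER = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x archive marker block
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive marker block


def classify_attachment(data):
    """Classify raw attachment bytes as 'rar-sfx', 'pe', 'rar' or 'other'."""
    is_pe = data[:2] == PE_MAGIC
    has_rar = RAR4_MARKER in data or RAR5_MARKER in data
    if is_pe and has_rar:
        return "rar-sfx"        # executable stub with an archive appended
    if is_pe:
        return "pe"             # plain executable, still not wanted by mail
    if data.startswith(RAR4_MARKER) or data.startswith(RAR5_MARKER):
        return "rar"            # ordinary archive: needs an unpacker, not a stub
    return "other"


def scan_message(raw):
    """Parse an RFC 822 message and return [(filename, classification), ...]
    for every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        results.append((part.get_filename(), classify_attachment(payload)))
    return results


def should_quarantine(raw):
    """True when any attachment is an executable, with or without a RAR payload."""
    return any(kind in ("rar-sfx", "pe") for _, kind in scan_message(raw))


def build_sample():
    """Constructed message in the shape the report describes: the quoted subject,
    a bank-looking sender, and a self-extracting-RAR-like attachment."""
    body = PE_MAGIC + b"\x90" * 62 + b"stub" + RAR4_MARKER + b"\x00" * 16
    encoded = base64.b64encode(body).decode("ascii")
    return (
        "From: atendimento@bank.example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: Comprovante Deposito-29092009\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Segue em anexo o comprovante.\r\n"
        "--b1\r\n"
        'Content-Type: application/octet-stream; name="comprovante.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="comprovante.exe"\r\n'
        "\r\n" + encoded + "\r\n"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    sample = build_sample()
    for name, kind in scan_message(sample):
        print("%s: %s" % (name, kind))
    print("quarantine:", should_quarantine(sample))
```

The check deliberately looks at content rather than the file extension, since a renamed `.exe` or a misleading `name=` parameter costs the sender nothing; an archive-only attachment is reported separately so a policy can treat it differently from an executable.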

More information about these and other malicious codes is available in the Panda Security Encyclopedia http://www.pandasecurity.com/homeusers/security-info/.