New FTLog.A worm spreads through Fotolog social networking website

2/24/2010.

- Fotolog is a photo-blogging site with almost 30 million users worldwide

- The worm tricks users with a video that conceals the dangerous worm

PandaLabs has reported the appearance of a new worm, FTLog.A, which spreads through the popular Fotolog social networking site. This photo-blogging portal is used by almost 30 million users around the world.
The worm spreads by inserting comments in the targeted user’s page prompting them to click a link, supposedly pointing to a video.

This comment reads as follows:
“hey xxxxxxxxx, encontré este video tuyo acá [malicious link] Eres tu no es verdad?” (“hey xxxxxxxxx [user name], I found this video of you here [malicious link]. It’s you, isn’t it?”)

(see image in Flickr: http://www.flickr.com/photos/panda_security/4384612808/)

If the user clicks the link, a page asks for permission to download a DivX video codec; the download is in fact the worm.

(see image in Flickr http://www.flickr.com/photos/panda_security/4384612850/)

Once installed, FTLog.A redirects the browser to a site with explicit content and to a web page that asks users for their personal data in order to claim a (non-existent) prize.

(see image in Flickr: http://www.flickr.com/photos/panda_security/4384612782/)

If the user clicks Get Free Access, a setup.exe file is downloaded which, once run, installs the MediaPass Plugin.

It also changes the browser’s home page and injects code into the browser to display pop-up ads, disrupting the user’s browsing.

“Cyber-crooks are increasingly exploiting social networking sites to spread their creations as they offer a huge number of potential victims”, explains Luis Corrons, Technical Director of PandaLabs. “We have already seen malicious code that exploits Facebook or Twitter. This time it is Fotolog’s turn unfortunately”.

To prevent this type of infection, remind users not to click suspicious links from unknown senders, not to accept a “codec” download that a video page demands, and to keep an up-to-date antivirus solution installed on their computers.

Spybot.AKB spreads across P2P networks and email using Google, Twitter, Amazon, Hallmark and Hi5 as lures

2/18/2010.

PandaLabs, the anti-malware laboratory of Panda Security (The Cloud Security Company), has detected a new worm, Spybot.AKB. It spreads using P2P programs (copying itself under different names to the folders those programs usually share) and also via email. What is new about this worm is the way it tricks users, spreading under the guise of an invitation to join social networks such as Twitter and Hi5, or in an email supposedly from Google replying to a job application. Another new feature is the way it installs on computers, passing itself off as a Firefox security extension.

Email subjects include:
• Jessica would like to be your friend on hi5!
• You have received A Hallmark E-Card!
• Shipping update for your Amazon.com order 254-71546325-658732
• Thank you from Google!
• Your friend invited you to twitter!

Once installed, the worm redirects the browser to other websites whenever the user runs a search containing any of the following words (the list is reproduced as reported, spelling included):

A: Airlines, Amazon, Antivir, Antivirus.
B: Baseball, Books.
C: Casino, Chrome, Cialis, Cigarettes, Comcast, Craigslist, Credit.
D: Dating, Design, Doctor.
E: Explorer
F: Fashion, Finance, Firefox, Flifhts, Flower, Football
G: Gambling, Gifts, Graphic.
H: Health, Hotel.
I: Insurance, Iphone.
L: Loans.
M: Medical, Military, Mobile, Money, Mortgage, Movie, Music, Myspace.
O: Opera.
P: Pharma, Pocker.
S: School, Software, Sport, Spybot, Spyware.
T: Trading, Tramadol, Travel, Twitter.
V: Verizon, Video, Virus, Vocations.
W: Wallpaper, Weather.

It also takes a series of actions to lower the security level of infected computers: it adds itself to the Windows Firewall’s list of authorized applications, disables the Windows Error Reporting service and disables User Account Control (UAC).

Computer Clarity

Security advice for Valentine’s Day from PandaLabs

Malware that uses Valentine’s Day as a lure to trick users and infect computers is now a well-established feature of the IT security calendar. Once again, this year it will be no surprise to see numerous emails in circulation with links for downloading romantic greetings cards, or with subjects related to Valentine’s Day. Cyber-crooks, however, are also exploiting other channels, such as Facebook or Twitter, and given the access to millions of users that these social networks provide, they have become just as popular among the criminal fraternity for spreading malware as email.

Social engineering is cyber-crooks’ preferred technique for deceiving users. In these cases it basically involves obtaining confidential information from users by convincing them to take a series of actions. Crimeware and social engineering go hand in hand: a carefully selected social engineering ploy convinces users to hand over their data or install a malicious program which captures information and sends it on to the fraudsters.

“The continued use of social engineering by cyber-crooks is a good indication of the infection ratios that this technique for tricking users returns. Otherwise, they would simply have stopped using it”, explains Luis Corrons, Technical Director of PandaLabs.

PandaLabs offers users a series of tips to avoid falling victim to computer threats:

  • Don’t open emails or messages received on social networks from unknown senders.
  • Do not click any links included in email messages, even though they may come from reliable sources. It is better to type the URL directly in the browser. This rule applies to messages received through any mail client, as well as those in Facebook, Twitter, or other social networks or messaging applications, etc.
  • If you do click on any such links, take a close look at the page you arrive at. If you don’t recognize it, close your browser.
  • Do not run attached files that come from unknown sources. Especially these days, stay on the alert for files that claim to be Saint Valentine’s greeting cards, romantic videos, etc.
  • Even if a page seems legitimate, be suspicious if it asks you to download something, and do not accept the download.
  • If, in any event, you download and install any type of executable file and you begin to see unusual messages on your computer, you have probably been infected with malware.
  • If you are making any purchases online related to Valentine’s Day, type the address of the store in the browser, rather than going through any links that have been sent to you.
  • Only buy online from sites that have a solid reputation and offer secure transactions, encrypting all information entered on the page. To check that the connection is encrypted, look for the padlock icon the browser shows for a validated certificate (in the address bar or, in older browsers, the bottom right-hand corner of the window) and an address that begins with https://. Bear in mind that the padlock only confirms that the connection to that site is encrypted; it says nothing about whether the site itself is honest.
  • Don’t use shared or public computers for making transactions or operations that require you to enter passwords or other personal details.
  • Have an effective security solution installed, capable of detecting both known and new malware strains.


Weekly Report on Viruses and Intruders 1/22/10

This week’s PandaLabs report looks at a worm, a Trojan and a new fake antivirus.

TwittWorm.A is a worm that uses Twitter and Messenger in order to spread, sending a malicious message to all contacts of the infected user. These messages appeal to the curiosity of users, with subjects such as “I just got a piercing and you’ll never guess where! Take a look at the photo.” or “You’re going to be mad at me for sending you this photo, but you NEED to see it :3”. The worm edits the registry so that the system cannot be restored or started in safe mode. It also makes a series of changes to the hosts file to prevent users from accessing certain web pages, particularly those of antivirus companies.

Another feature is that it prevents the running of certain programs used for viewing active processes or monitoring network traffic. TwittWorm.A also spreads through USB devices, creating an autorun.inf so that computers are infected automatically when the device is connected. To protect these types of devices, Panda Security has launched Panda USB Vaccine, which can be downloaded free from: http://www.pandasecurity.com/homeusers/downloads/usbvaccine/
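The Spybot.AKB report above (firewall exception, Windows Error Reporting and UAC disabled) and the TwittWorm.A report (hosts file blocking antivirus sites, safe mode and System Restore broken, autorun.inf on USB devices) describe the same class of tampering with a machine’s own defenses, and an incident responder wants a quick way to check a suspect host for it. The script below is an added example, not PandaLabs’ code and not derived from either worm’s actual samples. The antivirus domain list, the sample hosts and autorun.inf contents and the firewall entry are constructed; the function names are the example’s own; and the registry paths are the standard Windows XP/Vista/7 locations for UAC (EnableLUA), the WerSvc start type, the SafeBoot keys, the System Restore policy and the XP-style firewall exceptions list, none of which the reports name. The hosts and autorun.inf parsers run anywhere; the registry audit runs only on Windows.

```python
"""Triage checks for the host changes the two reports above attribute to
Spybot.AKB (firewall exception, Windows Error Reporting and UAC disabled) and
TwittWorm.A (hosts file blocking antivirus sites, safe mode broken, autorun.inf
on USB drives). Added example, not PandaLabs' code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed watch list: the report only says "antivirus companies", so these
# domains are an assumption for illustration.
AV_DOMAINS = ("pandasecurity.com", "symantec.com", "mcafee.com", "kaspersky.com",
              "microsoft.com", "avast.com", "trendmicro.com")
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def find_hosts_hijacks(hosts_text: str, watch=AV_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, kind) for hosts-file lines that map a watched domain.
    A loopback/null address blocks the site ("blocked"); any other address
    silently sends the user elsewhere ("redirected")."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in watch):
                hits.append((ip, host, "blocked" if ip in SINKHOLE_IPS else "redirected"))
    return hits


def parse_autorun(text: str) -> Dict[str, str]:
    """Parse the [autorun] section of an autorun.inf into {key: value}, keys lowercased."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def autorun_launches(text: str) -> List[str]:
    """Commands an autorun.inf runs or offers on insertion: open=, shellexecute=
    and shell\\<verb>\\command=. This is what a USB-spreading worm relies on."""
    launch = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")
    return [v for k, v in parse_autorun(text).items() if launch.fullmatch(k)]


_FW_ENTRY = re.compile(r"^(?P<path>.+):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$")


def parse_xp_firewall_entry(data: str) -> Optional[Dict[str, object]]:
    """Decode one value from the XP/Vista firewall AuthorizedApplications list,
    whose data looks like 'C:\\path\\app.exe:*:Enabled:Display name'."""
    m = _FW_ENTRY.match(data)
    if not m:
        return None
    return {"path": m["path"], "scope": m["scope"], "enabled": m["state"] == "Enabled", "name": m["name"]}


def audit_windows_registry() -> Dict[str, object]:
    """Read the registry state the worms tamper with. Windows only; the paths are
    the standard XP/Vista/7 locations, which the reports themselves do not name."""
    import winreg  # imported lazily so the parsers above stay usable elsewhere
    HKLM = winreg.HKEY_LOCAL_MACHINE

    def value(path, name, default=None):
        try:
            with winreg.OpenKey(HKLM, path) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return default

    def exists(path):
        try:
            winreg.CloseKey(winreg.OpenKey(HKLM, path))
            return True
        except OSError:
            return False

    fw_list = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
    exceptions = []
    try:
        with winreg.OpenKey(HKLM, fw_list) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):      # [1] = number of values
                exceptions.append(parse_xp_firewall_entry(str(winreg.EnumValue(k, i)[1])))
    except OSError:
        pass
    return {
        "uac_enabled": value(r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 1) == 1,
        "wer_service_disabled": value(r"SYSTEM\CurrentControlSet\Services\WerSvc", "Start") == 4,  # 4 = disabled
        "safe_mode_keys_present": all(exists(r"SYSTEM\CurrentControlSet\Control\SafeBoot" + "\\" + s) for s in ("Minimal", "Network")),
        "system_restore_disabled": value(r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 0) == 1,
        "firewall_exceptions": [e for e in exceptions if e and e["enabled"]],
    }


if __name__ == "__main__":
    import sys
    # Constructed samples, not real captures from the worms.
    print(find_hosts_hijacks("127.0.0.1 localhost\n127.0.0.1 www.pandasecurity.com\n"))
    print(autorun_launches("[autorun]\nopen=RECYCLER\\setup.exe\nicon=setup.exe,0\n"))
    if sys.platform == "win32":
        print(audit_windows_registry())
```

Two design points: any mapping of an antivirus domain in the hosts file is worth reporting, not just loopback entries, because a worm can just as easily point the update server at a host it controls; and every firewall exception the audit returns should be matched against the binaries you expect, since the worm’s entry will carry whatever display name it chose, not a name that gives it away.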

Sinowal.WTF is a keylogger Trojan, designed to capture keystrokes with the aim of stealing passwords and other information from infected systems. This Trojan reaches computers through an email claiming to have been sent by MySpace.

(see image in Flickr: http://www.flickr.com/photos/panda_security/4293518692/).

The message warns victims about a change to the user’s password and contains a .zip file attachment which supposedly contains the new password. The attached file, once extracted, has an Excel icon but is really malware. When run, it infects the system and the icon disappears.

Finally, GhostAntivirus is a new strain of fake antivirus. As with other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist.

(see image in Flickr: http://www.flickr.com/photos/panda_security/4292776611/).

If users fall for the trap, they are directed to a screen where their credit card details are requested to complete the purchase.

(see image in Flickr: http://www.flickr.com/photos/panda_security/4293518638/).

This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.


Virus Yearbook 2009

As has become tradition, PandaLabs, the anti-malware laboratory of Panda Security (The Cloud Security Company), has published its 2009 Virus Yearbook, reviewing the malicious codes that have appeared over the last 12 months and examining those that have stood out for one reason or another.
Rather than a ranking of the most widespread viruses, or those that have caused most infections, PandaLabs has selected those which, either for their use of social engineering or their visible effects on computers, stood out most last year. For this reason, some of the more well-known malicious codes (such as the Koobface virus) are absent from the list.

So here are the viruses we believe deserve a mention:

- The biggest headache. There can be no doubt that Conficker.C has been the most obnoxious virus over the last 12 months. It first appeared on December 31, 2008, and has spent the last year causing serious infections to companies and home users alike. The insidious and tenacious nature of this malicious code has earned it first place in our ranking.

- The Harry Potter of viruses. Although there is no reference to the world’s most popular fictional wizard, the on-screen messages Samal.A displays are all about magic. When it infects a computer, users see the message “Ah ah you didn’t say the magic word” (see photo on Flickr), and the cursor then blinks, waiting for the user to enter a word. In truth it doesn’t matter what is entered, because after three attempts the phrase “Samael has come. This the end” (see photo here) is displayed and the computer restarts.

- V for Vendetta. We still don’t know who is the real target of this vendetta, but DirDel.A wreaks vengeance on infected users, progressively replacing folders in different directories with copies of itself. The worm is carried in a file called Vendetta.exe with a typical Windows folder icon (see photo on Flickr).

- Plane nuisance. The Sinowal.VZR Trojan has infected thousands of computers under the guise of plane tickets supposedly purchased by the user (see photo on Flickr).

- The all-action virus. We are talking about Whizz.A. Once infected, the computer starts emitting a series of beeps, the mouse pointer moves uncontrollably around the screen, the CD/DVD tray opens and closes, and the screen is ‘decorated’ with a row of bars like those in the image.

- The snooper. Waledac.AX ensnares its victims by claiming to offer a free application for reading SMS messages on anyone’s cell phone. Ideal for those that want to check up on their partners. Perhaps that’s why so many users fell victim to this intelligent virus.

- The most affectionate. BckPatcher.C tops this category, as it changes the desktop wallpaper to an image reading “virus kiss 2009” (see photo on Flickr). What a charmer!

- A touch of the sniffles. We couldn’t fail to mention here a couple of viruses, WinVNC.A and Sinowal.WRN, that used the widespread alarm surrounding swine flu to trick users and infect their systems.

- And the award for incompetent newcomer goes to… Ransom.K. This Trojan encrypts documents on infected computers and then asks for a $100 ransom to release them. However, its creator, probably lacking in experience, included a programming error which allows users to release the files with a simple key combination.

- The most deceitful. This year, the winner in this category is FakeWindows.A, which infects users by passing itself off as a license activation process for Windows XP.

- The party animal. Banbra.GMH arrives in an email promising photos of Brazilian parties (with dancing girls included)… Who could resist?


Weekly Report on Viruses and Intruders 01/15/10

This week’s PandaLabs report looks at three new fake antiviruses.

LivePcCare is the first of these malicious programs. As usual with these malicious codes, it first carries out a fake scan of the user’s computer and then claims the system is infected. It asks the user to purchase a license (for the fake antivirus) at a very attractive price to resolve the issue; users who buy it have paid for fraudulent software. This fake antivirus stands out because of the way it spreads: it uses black hat SEO techniques, exploiting interest in the launch of Google’s Nexus One phone and in the Haiti earthquake, to place links that download the malware among the top results in search engines.

(see images in Flickr: http://www.flickr.com/photos/panda_security/4274685650/ and http://www.flickr.com/photos/panda_security/4274685718/).

You can get more info at: www.pandalabs.com.

DesktopDefender2010 also makes users believe their computers are infected and prompts users to purchase the product.

(see images in Flickr: http://www.flickr.com/photos/panda_security/4274685852/ and http://www.flickr.com/photos/panda_security/4273941293/).

Finally, APcDefender uses the same techniques. It is a fake antivirus program that falsely informs users they have dangerous software on their computer.

(see image in Flickr: http://www.flickr.com/photos/panda_security/4273941147/).

It tries to fool users by offering its own anti-malware solution to fix the problems it claims to have detected, and invites them to purchase the software with their credit cards. This way, in addition to taking users’ money, it also obtains their credit card details.

(see image in Flickr: http://www.flickr.com/photos/panda_security/4273941179/).

More information about these and other malicious codes is available in the Panda Security Encyclopedia.
