Maximum PC Trojan RSS Feed

Threat Update: Spam and Phishing Out, Trojans and Scareware In

Mark Edward Soper — Thu, 09 Apr 2009 18:20:42 -0500

If you've been worrying about computer security for awhile, you might remember when macro viruses in Microsoft Word and Excel files were at the top of the exploit list. These file formats, along with the omnipresent Adobe Reader PDF format, are once again among the biggest threat vectors being exploited by today's malware, according to a new report from the Microsoft Malware Protection Center. Fittingly, the full report and a condensed key findings version are available in either PDF or Microsoft's own XPS formats. These reports cover the July-December 2008 period.

Some key findings include:

Scareware (which Microsoft calls "rogue security software") is on the rise, including the latest versions of our old friend Antivirus XP.
A slight reduction in unique vulnerability disclosures from 2007, but the High (most serious) category was larger in the second half of 2008 than in the first half of the year or the second half of 2007.
Applications continue to be the biggest target (86.7%, with browsers at 8.8%, and operating systems at only 4.5%)
The second half of 2008 saw a big rise in Microsoft security bulletins: over 67% more than in the first half of the year.
US English and Chinese-language browsers were the chief targets of browser-based exploits, accounting for almost 60% of all attacks.
Microsoft-based vulnerabilities accounting for more than 40% of browser-based attacks on systems running Windows XP, but less than 6% on systems running Windows Vista.
Ironically, the most frequently exploited vulnerabilities in Microsoft Office have been patched since 2006, but were targets mainly because up-to-date service packs were not installed.
Adobe PDF-based attacks rose sharply in the second half of 2008, but the attacks cited in the survey are blocked by the current versions of affected products.
Despite the rise in software-borne attacks, lost and stolen equipment continues to be the biggest security risk, amounting to 50% of the incidents listed in the OSF Data Loss Database.
The US, Canada, Europe and Russia continue to lead the world in phishing sites.
Miscellaneous Trojans, followed by Trojan downloaders and droppers are the two most common threat types detected and removed by Microsoft's Windows Live One Care and Forefront Client Security apps in the second half of 2008.
By contrast, older threats such as backdoors, viruses, exploits, and spyware are significantly less of a threat than in 2006 and 2007.

What have you found to be the biggest security threats you face in the office - and at home? Hit Comment and share your security war stories.

Online Scammers Using Obama's Site to Spread Trojan

Pulkit Chandna — Tue, 27 Jan 2009 08:53:23 -0600

Online scammers have contrived an ingenuous way to ride Obama’s rampant wave of popularity. According to Websense Security Labs, certain unscrupulous elements have registered several accounts on my.barackobama.com, the social network on Obama’s website that affords all standard social networking features to users, including personal profiles, groups and blogs.

The charlatans created various accounts on the website and planted a hideous Youtube image with the message, “click here to see movie.” Users who click on the image mistaking it for a Youtube video are redirected instead to a website, which resembles Youtube, but appears to be fraught with pornographic content.

However, when a user proceeds to view one of the videos the website asks the user to download a missing video codec. In its stead is downloaded a Trojan. Further proof of Obama's widespread popularity.

Image Credit: Websense Security Labs

Latest Phishing Scam Preys on Surfers’ Morbid Curiosity

Pulkit Chandna — Fri, 09 Jan 2009 18:12:25 -0600

Internet shenanigans are keeping abreast with the latest developments around the world and using it to their advantage. An email doing the rounds around the internet hoodwinks the recipient into believing that it is from CNN. The clandestine email ostensibly contains a link to a “graphic” video of the ongoing Israel-Hamas conflict. However, the fake website contains a Trojan that betrays the user’s sensitive data, according to the RSA.

The author of the phishing attack has tried to make the website as plausible as possible. Upon visiting the link, the user is greeted with a message asking him to update his Adobe Flash Player. If the user lends his countenance to the download, a Trojan is downloaded instead of the latest version of Flash

Image Credit: Cnet

Fake Microsoft Security Update Email Includes Haxdoor Trojan

Mark Edward Soper — Thu, 16 Oct 2008 16:07:25 -0500

I know it, you know it, almost everybody that reads Maximum PC knows it - but that doesn't mean that your family, your co-workers, or your bosses know it. What's it? Simply this: Microsoft never - repeat never - sends out security updates via email.

Cnet reports that yet another fake security email purporting to be from Microsoft is busy delivering a nasty Trojan called Haxdoor to unwary emailboxes near you.

The email, ironically enough, claims that "Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users." And, it's signed "Steve Lipner, Directory of Security Assurance, Microsoft Corp."

Well, at least the bad guys got Steve's name right. However, he's actually senior director of security engineering strategy in Microsoft’s Trustworthy Computing Group, according to a recent interview.

The message (minus the Trojan, of course), is available at the Microsoft Malware Protection Center blog, where you can see for yourself the classic hallmarks of a fake message: a shaky command of the English language, sentence construction that's so stiff it looks as if it belongs on a Victorian-era calling card, and off-the-wall sentiments that show it was adapted from a different con job document: "We apologize for any inconvenience this back order may be causing you." Back order? Whaat? I didn't order any malware!

If you've been called in by baffled family, friends, or co-workers only after Haxdoor's done its work (system slowdowns, popup ads and other nasty business are typical symptoms), check these links for help:

After you solve the problem, remind them: Microsoft never - repeat never - sends out security updates via email.

Know somebody who's been hexed by Haxdoor? Have a clever way to get rid of it? Seen other recent examples of Haxdoor fakery? Hit Comment and share your stories.

Malware Miscreants Selling Trojan Guaranteed to Evade Detection

Paul Lilly — Tue, 29 Jul 2008 17:27:35 -0500

You've been told money can't buy you love, but for $1,300, you can buy a Trojan guaranteed to screw the recipient without them ever knowing it's there. Apparently not completely fool proof, security company Prevx discovered the supposedly undetectable super virus now known as Limbo 2 and reports that hackers are selling custom variations of the Trojan. If a variation gets detected, the Trojan can be tweaked to fly under the radar without changing its payload.

Once infected, Limbo 2 not only logs your keystrokes, but it will set a trap by generating spoofed information boxes when victims navigate to certain login pages. Keystrokes, credit card information, and any other personal data it manages to harvest from the hard drive then gets transmitted back to Botnet Central.

These types of Trojans aren't new, but it's Limbo 2's speed and customization that has security vendors concerned. On a broader scale, it's all part of a seedy underground economy driven by stolen data. It's become so prevalent that hackers have had to lower prices and look for new types of stolen data to sell for bigger profits, including health care information and corporate emails.

How secure is your PC?

Image Credit: Thinkquest.org

T2W Spells Bad News for Your PC's Security

Mark Edward Soper — Thu, 19 Jun 2008 15:40:15 -0500

The Register.co.uk website ('Biting the hand that feeds IT') isn't just an industry gadfly: concealed beneath its British-accented snark is a lot of useful news – including this report about a new malware-creation tool that's point-and-click easy.

Meet Trojan2 Worm, aka Constructor/Wormer

Initially reported to Panda Software, the Trojan2Worm (T2W) toolkit (also known as Constructor/Wormer) features a simple checkbox-driven interface with options to control compression, startup, date range for activity, operating system functions to disable, messages to display, custom icons, and startup methods including load, shell, or scripting. Just add malware, shake, and pour: instant worm! Panda Software suspects T2W comes from a Spanish malware writer, since it supports Spanish, English, and Catalan languages only.

What's Behind the Development of T2W?

InformationWeek security blogger George Hulme suggests that the real reason for the release of this tool is to overwhelm already stretched-thin security firms. Hulme writes, quoting Panda Software's Ryan Sherstobitoff:

They want to continue to increase the amount of malcode so that AV firms get saturated, and so that organizations get distracted with the worms and malware created by script kiddies using tools like this.

It's just one more reason to make sure your systems are ready for anything, and, as our own Will Smith says, think before you click!

Smart New Malware Targets E-Banking: Are You Ready?

Mark Soper — Mon, 14 Jan 2008 22:28:43 -0600

Silently Stealing Your Money

Symantec's security blog is reporting that banking Trojans have now gone way beyond the poorly-worded emails asking you to log in and "correct" your account information.

With the introduction of Trojan.Silentbanker, attackers can now intercept valid e-banking transactions that use two-factor authentication and grab your banking information. This trojan is targeting both major US and foreign banks (over 400) in many countries, and uses the following techniques:

- man-in-the-middle attack (intercepts and redirects valid transactions)
- steals usernames, passwords, cookies used by e-banking sites
- adds HTML code to legitimate e-banking login forms to steal information
- steals FTP, POP, webmail, protected storage, cached passwords
- can convert infected machine as a proxy or web server
- is being updated on a daily basis to add new targets
- changes DNS servers to make attacks easier

Trojan.Silentbanker attacks all Windows versions from Windows 95 through Windows Vista. Using Firefox is no protection against this Trojan, as it hooks APIs used by both IE and Firefox. Learn more on the Symantec website.

A companion piece of malware, Downloader.Silentbank, continuously tries to download Trojan.Silentbank and tries to change security and firewall settings for various products. Although Symantec's website rates it as a "very low" risk, that assessment is based mainly on low geographic distribution. Obviously, if an unprotected system tangles with Trojan.Silentbanker, the risk to your money and your identity is high.

Mebroot's Targets: the Master Boot Record - and Your Money

The master boot record (MBR) is an old target for malware. So old, in fact, that when some Maxtor external drives were discovered to have been infected with the MBR-targeting Virus.Win32.AutoRun.ah virus last fall, a Seagate spokesperson reportedly said "...I have never heard of a virus that lives the master boot record." Well, viruses and malware are still attacking the MBR.

The BBC is reporting that another e-banking threat, Trojan.Mebroot, replaces the normal MBR with a replacement MBR that contains a rootkit (enabling the threat to hide from normal operations), and then installs keyloggers targeting over 900 banking institutions. When you log into a targeting institution, the keyloggers go to work. Over 5,000 systems (mainly in Europe) have been infected thus far.

Symantec's Security Response blog offers a useful history of MBR-based threats, including the new MBR+rootkit threats typified by Mebroot. Mebroot can also be detected by Sophos as Troj/Mbroot-A, by McAfee as StealthMBR or StealthMBR/rootkit, and by Trend Micro as TROJ_SINOWAL.AD.

Stopping the Threat

These new threats can be detected and removed by up-to-date antivirus software, but are hard to stop if your antivirus and antimalware software programs are even a little out of date (or missing in action): these threats were detected just this month. Make sure you're using up-to-date programs and signature files, and as our own Will Smith says, "think before you click!"

Big Maxtor Disks Making Big Security Headaches [Updated]

Mark 'Marcus Soperus' Soper — Mon, 12 Nov 2007 16:02:01 -0600

First, the Bad News

Seagate, which owns Maxtor, reported today that Maxtor Basics Personal Storage 3200 hard disks produced since August 2007 may be infected with Virus.Win32.AutoRun.ah. This virus, which Symantec calls W32.Drom, and McAfee calls PWS-LegMir (see the notification page for a complete list of aliases), searches for online game passwords and sends them to a ~~China-based~~ server, and knocks your existing antivirus program out of action.

[Update: Paul Ferguson, a researcher for Trend Micro, has determined that the servers are actually located in Dallas, TX and Korea, according to Robert McMillan of IDG News Service]

Most of the affected games are Chinese, but one big exception is World of Warcraft. Ouch!

Kapersky Helps Seagate (and You) Fight Back

Seagate says that most major antivirus vendors have issued updates to stop the virus. However, if you've been lazy about updating your antivirus, or just plain don't have an antivirus program, Seagate and Kapersky Labs, which first alerted Seagate, have teamed up to offer you a 60-day trial of Kapersky's Anti-Virus 7.0, which you can download from the product notification page. Here's a direct link to the US English version.

But Wait! There's More (Bad News, That Is)

Hey, it could be worse - and maybe it is. According to the Taipei Times, some Maxtor Basics 500GB hard disks sold in Taiwan contain two Trojan Horse viruses that send "any information saved on the computer" to Chinese websites www.nice8.org and www.we168.org.

Authorities in Taiwan believe this incident may be an attempt by the mainland Chinese government to perform cyberespionage. About 1,800 drives were affected, but only 300 were sold before the products were pulled from store shelves. In a follow-up, the Taipei Times reported that Seagate has determined that the infections originated with a China-based subcontractor.

Wondering if this is an isolated case? Wondering what you should do to protect yourself? Read on...

Time to Think Twice About Maxtor Drives?

Unfortunately, this isn't the first time that Maxtor portable drives have been fingered in an information-stealing probe. Back in September, Kapersky Labs reported finding the same Virus.Win32.AutoRun.ah virus on Maxtor Portable Storage 3200 drives sold in the Netherlands. At the time, Seagate blew off the report, with a spokesperson reportedly saying "...I have never heard of a virus that lives in the master boot record." The spokesperson had evidently never heard of the notorious Brain or Michaelangelo boot-sector viruses. With the latest infection, though, Seagate has become a believer in boot-sector viruses.

So, is it time to think twice about Maxtor external hard disks? Maybe it is, and maybe it's time to think twice about any storage coming from mainland China. Keep in mind that with today's global economy, even a hard disk that has a different "assembled in" country on the packaging might have a disk assembly hailing from China.

Protecting Yourself (and Your Data)

So, how can you protect yourself from getting zapped by a virus coming from a new hard disk?

Scan any brand-new external hard disk for viruses and malware as soon as you connect it to your system.
If you have a system you're not using for anything, consider making it a virus testing system.
Keep your antivirus and anti-malware software up to date.
Reformat external hard disks before using them to recreate the master boot record.
To prevent a portable hard disk from starting automatically in Windows XP, download and install TweakUI from the Windows XP PowerToys website. Use the AutoPlay section of TweakUI to disable AutoPlay.
To disable AutoPlay in Windows Vista, open the Play CDs or Other Media Automatically link in Control Panel's Hardware and Sound category and uncheck the Use AutoPlay checkbox. The How-To Geek's website also has tips for controlling AutoPlay for specific media types and how to disable AutoPlay with Group Policy or registry tweaks.

With all of the new-found emphasis on safeguarding consumers from dangerous Chinese products, let's hope drive and storage vendors are jumping on the bandwagon.