Category Archives: malware

Facebook Admin E-mail

0
Posted by chris on Friday, April 15, 2011 – 11:34 AM
Filed under cybercrime, e-mail, Facebook, malware

Just in case you still think one day you may get a useful attachment in your e-mail, you should know it won’t be coming from someone claiming to be a Facebook Administrator. Here’s a scam e-mail I got this morning..

from: Administration of Facebook [official-no.893@facebook.com]
subject: Facebook Support. Personal data has been changed! No81864
attachment: Facebook_Password_INM.152.zip (99k)

body:

Security service of FaceBook.

Your password is not secure!
To secure your account the password has been changed automatically!
Attached document contains a new password to your account and detailed information about new security measures.

Thank you for attention,
Your Facebook

He was astonished at the ease with which he twisted Deane upon his back and put the handcuffs about his wrists.The work was no sooner done than he understood. A rag was tied about Deanes head, and it was stained with blood. The mans arms and body were limp. He looked at Billy with dulled eyes, and as he slowly realized what had happened a groan broke from his lips. In an instant Billy was on his knees beside him. He had seen Deane twice before, over at Churchill, but this was the first time that he had ever looked closely into his face. It was a face worn by hardship and mental torture. The cheeks were thinned, and the steel-gray eyes that looked up into Billys were reddened by weeks and months of fighting against storm. It was the face, not of a criminal, but of a man whom Billy would have trusted– blonde-mustached, fearless, and filled with that clean-cut strength which associates itself with fairness and open fighting.

That’s kind of weird, isn’t it. I mean do they think this little piece of a story will make you lose all control and run the attached virus file? Maybe the author is looking for a book deal and wants to steal a publishers identification. Either way, do not open the attachment, it contains a virus/trojan. At the time of this writing, 25 of 42 antivirus programs detect it, according to VirusTotal

One final thought. Facebook has come under major attack lately. By now you should know better than to ever open an attachment from anyone you don’t expect to get one from. I would also go a step farther, and not click on any links that come in e-mails claiming to be from Facebook. Just go directly to Facebook, either by typing in the address yourself, or using a bookmark YOU created yourself.
Stay Safe

Fake Xvid Update Serving Up Malware

4
Posted by chris on Sunday, April 10, 2011 – 10:52 PM
Filed under adware, cybercrime, malware, scams, video, virus
Tagged as , , , , ,

I’m going to make this short and sweet to get the word out there. I will delve further into what actual malware is being served and what the effects are at a further date.

The following image was taken from a screen shot I made. It shows the fake video player that shows a rotating “waiting” graphic and pretends that it can’t load the video because it needs to be updated.

I knew this was a threat because I’m also a video editor and I keep all my codecs up to date. However, I thought I would pursue this further so I could see what file was going to be installed. Then I could run analysis on it and report my findings here. But I was running ESET NOD32 and it recognized this page was a threat and also blocked whatever this page tried top send me. You can see the results below.

Fake xvid page block

So just don’t update your video player through any website that claims your video player needs to be update to view an online video. I would imagine there will be variations of this soon. Like fake Quicktime Player or Windows Media Player updates. I will grab a copy of the file this site is trying to distribute, for further analysis, later and post my findings here. That’s going to take some time and I have seen this fake xvid update a couple times now and decided I should spread the word sooner rather than later.

Fake Apple Store Order E-mail

4
Posted by chris on Saturday, April 10, 2010 – 10:15 PM
Filed under 0day, malware, scams, security, virus
Tagged as , , ,

Time to add another fake e-mail to the long list of social engineering e-mail scams. This one looks like this.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

Malware Removal Sites, Software and Thoughts

5
Posted by chris on Sunday, February 7, 2010 – 1:50 AM
Filed under adware, cybercrime, free software, malware
Tagged as , ,

Last night I saw a banner ad for a “new” version of Risk. I use to play Risk, the board game, many years ago and thought this looks like fun. So I downloaded and installed it. With in a couple of minutes, ESET NOD32 was blocking downloads from a site I wasn’t at. Next time I went to use google to search for something, my search results were being redirected. Looks like it installed some malware on my computer. Most likely it’s some sort of XSS cross scripting exploit.
Read More »

Another Adobe Acrobat Reader 0-Day Exploit

0
Posted by chris on Thursday, January 7, 2010 – 4:13 AM
Filed under 0day, adobe, malware, patch, security
Tagged as

Here we go again. This isn’t news hot off the press, but I decided I should post about it here just in case some of you have missed it. There has been another Adobe Acrobat Reader exploit, CVE 2009-4324. Since it was first disclosed back in the middle of December, it has grown even nastier. The Internet Storm Center over at sans.org has a good analysis of one of the current variants.

There are still a couple days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the anti virus vendors to discover them, this one won’t be fixed for almost a month since it was first disclosed publicly, it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader

quoted from Adobe.com

SOLUTION

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.

Watch your docs and surf safe

E-Card Virus Warning

0
Posted by chris on Wednesday, December 16, 2009 – 10:20 AM
Filed under malware, virus
Tagged as ,

Just got an e-mail that says it’s from e-cards@hallmark.com with the subject: You have received A Hallmark E-Card! It had an attachment called Postcard.zip which was identified by my antivirus, I use NOD32 by E-Set

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.

Metasplot Framework 3.3 Just Released

13
Posted by chris on Friday, November 20, 2009 – 2:07 AM
Filed under download, free software, hacking, malware, security, software, Uncategorized
Tagged as , ,

metasploit t’s been about a year since one of the best pen testing tools has seen an upgrade to the framework. Metasploit Framework 3.3 is now available. Not only does it support Linux, Windows, OS X, and many versions of BSD, but now it also supports Windows 7. And according to the website this release has 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. However one of the new features that I’m pleased about is you can now run a full console version in Windows using Cygwin which is how I like to run nmap when I’m on my Windows computers, and RXVT. To be honest, I haven’t fired up any of my Linux machines in a while. I just boot from a Linux Live CD most the time but I digress.
The Windows installer works on all versions of Windows from 2000 to Windows 7 and the Linux installer works on most versions of Linux released in the last five years.
I’d like to point out, this is not a toy. This is the bad boy of penetration testing tools. I love using this because I know that if I can’t get into the system I’m testing with it, I can feel pretty confident that system is pretty secure. I wouldn’t go so far as to say that I’m 100% secure because I’ve been doing this long enough to know there is no such thing. But if you can’t successfully attack one of your computers with this, then chances are neither can the script kiddies.

Remove Fast Browser Search From IE 7 & IE8

5
Posted by chris on Thursday, October 22, 2009 – 8:48 PM
Filed under fix, malware, scams, virus
Tagged as ,

As you may know, I was never able to get Web Tattoo to install into IE7. Something I have done during the removal of it and Fast Browser Search from Firefox somehow causes the install file to crash when I tried to install it in IE7. This is fine for me, but because I never could get MakeTheWebBetter installed in IE7 or IE8, I couldn’t figure out how to uninstall it and tell you how.

Over on a google forum is a link to my first post on removing Fast Browser Search from Firefox. So I subscribed to that thread and today when I checked my e-mail, I found this in it, how to remove Fast Browser Search from IE7 & IE8

Re: [Web Search Help] How do I remove “Fast Browser Search”?

Inbox X

Reply

|
Google Help
to me

show details Oct 14 (9 days ago)

from Google Help
to
date Wed, Oct 14, 2009 at 12:35 AM
subject Re: [Web Search Help] How do I remove “Fast Browser Search”?
mailed-by confucius.bounces.google.com
signed-by google.com

hide details Oct 14 (9 days ago)

Kundan555 has posted an answer to the question “How do I remove “Fast Browser Search”?”:

PLEASE FOLLOW THE INSTRUCTIONS AND RESOLVE THE ISSUE FOR IE8 AND IE7.

=================================================================

Please uninstall fast browser from the program and features in vista and, add and remove program in XP. Then

To fix the new tab issue you need to be comfortable using regedit. Run regedit and navigate to the following key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerAboutURLs

under Tabs, clear the fastwebsearch junk and input the following as value data:

res://ieframe.dll/tabswelcome.htm or any entry related with fastbrowser listed over there.

close and restart IE.

I have been unable to verify this, however my knowledge of the registry tells me this could fix it and would be worth trying. Just be CAREFUL any time you run regedit. Messing around in the registry could really bork your system.

Here’s the links to my other Fast Browser Search removal posts

http://www.pccybertek.com/2009/08/my-web-tattoo-fast-browser-search-search-gurad-plus-uninstall-removal/

http://www.pccybertek.com/2009/08/more-my-web-tatto-removal-information/

http://www.pccybertek.com/2009/07/removing-my-web-tattoo-phone-number/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-removal-update/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-remove-part-1/

http://www.pccybertek.com/2009/05/remove-fast-browser-search/

Fake Adobe Flash Player

1
Posted by chris on Friday, September 11, 2009 – 3:27 AM
Filed under 0day, adobe, fix, malware, security, virus
Tagged as

There is a fake adobe flash player updater that monitors your google searches. It looks just like the adobe flash installer. I’m not sure where I picked it up, but luckily I found this fake adobe flash player on a computer running firefox. Good thing I run NOD 32. I have been getting a notice that NOD 32 was blocking an outbound connection fake_flash

I found out that I was infected by this Fake Adobe Flash Player

While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning for NOD 32 that it’s blocking the connection that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak I would have deleted it but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe

Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.

My Web Tattoo – Fast Browser Search – Search Gurad Plus Uninstall & Removal

4
Posted by chris on Sunday, August 2, 2009 – 1:09 AM
Filed under malware
Tagged as , , ,

While writing a new article about removing Fast Browser Search and My Web Tattoo, I was analyzing a new version of MakeTheWebBetter, which is the file I got from the MyWebTattoo site. I noticed it connected to a new site since the last time I looked at it, www.tattoodle.com Looks like they have expanded their operation to include My Space. I also found a new updated uninstall page which included Search Guard Plus, which was another new file I found that was being installed since I wrote my first uninstall guide. I am going to keep writing the new article I am working on but in the mean time, check out the new official uninstall page they have set up. It’s much better than before and like I said it includes the new programs.

Official Tattoodle Uninstall Page

It still doesn’t tell you how to fix the search redirection in Firefox so if that still plagues you, I have a guide for that here

If that still doesn’t fix it for you, and you have some basic computer skills, my next post may be the one to help you.