Facebook exploits

Published by dave at 9:24 PM under computers | Current Threats | Malware | Internet | Daily Tips | Facebook

You may have read this week how Facebook had disabled a number of accounts of people in an attempt to weed out spam accounts (particularly targeting "female" user accounts).   In what appears to be an attempt to exploit the fact many legitimate accounts were inadvertently disabled, hackers have spammed an attack pretending to be from Facebook notifying you that your account password has been changed.  While there are a number of subject lines associated with the spam, they all carry a ZIP file with malicious payload known as Mal/BredoZp-B, and the Trojan horse contained within as Troj/Agent-PLG.

Once again this is an attempt to cause havoc through social engineering and deception.  Do not open the attached file or any attachment that seems suspicious.  Here is sample text of the email you may receive:

Good afternoon.

A spam is sent from your Facebook account.
Your password has been changed for safety.

Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.

Thank you for your attention,
Facebook Service.



[KickIt] [Dzone] [Digg] [Reddit] [] [Facebook] [Google] [StumbleUpon] [Twitter]

Tags: , , , , ,

E-mail | Permalink | Trackback | Post RSSRSS comment feed 0 Comments


The evolving “LinkedIn” threat

A couple of days ago I posted a warning about false communications pretending to be from LinkedIn.  That threat continues and evolves with a variation on the threat arriving in my email today.  See the screen capture below.  Everything about this email on the surface looks legitimate, except of course for the fact my name is not “Dawn”, nor am I expecting any payment from any of my LinkedIn connections.

As always, your best defense is your own common sense.  If anything arrives in your email that just doesn’t “smell right”, chances are it’s not right and potentially carrying a nasty payload just like the ZIP file attached in this email.

Always make sure your system has the latest critical updates from Microsoft.  Always make sure you have current AntiVirus and other malware detection systems active and most importantly, CURRENT and up to date with the latest threat definitions.  The Internet is a seedy place, browse safely and trust no one.


Email carrying malicious payload

[KickIt] [Dzone] [Digg] [Reddit] [] [Facebook] [Google] [StumbleUpon] [Twitter]

Tags: , , , , , ,

E-mail | Permalink | Trackback | Post RSSRSS comment feed 0 Comments


Today’s Tip: Beware “Antispyware XP2009″


Several acquaintances of mine have been stung in recent months by the rogue program “Antispyware XP2009″. This program relies on social engineering to dupe you into installing a malicious program to then extort money.



Looks legitimate right? Here’s how it works. You visit a website, and without warning, an ominous message appears on screen alerting you that spyware or a virus has been detected on your machine with the instructions to “click now to clean”. Unwittingly falling victim to this ploy can be costly in more ways than one.

When you “click to clean”, this trojan installs Antispyware XP2009 on your system “for free”. After you perform their “free” scan, the software instructs you that you must purchase a license to remove the infected items it “finds”. Unfortunately the one infected or malicious item it never finds is itself. Paying the ransom, er, “license fee” does nothing except extort money from you. In addition, Antispyware XP2009 destroys legitimate program executable files, rendering popular programs such as Windows Media Player, Internet Explorer, Office applications and more, useless.



There are several copycat variants of this malware with similar names so surf cautiously! Your best defense against this type of attack is your own common sense. Never “click here” to clean anything that is presented unsolicited on any website. Also make sure you have a robust security solution that detects rogue applications and viruses in real time. Of course having robust anti-virus and anti-spyware are useless if threat definitions are not updated regularly, and that will be the subject of a future post! If you do fall victim to Antispyware XP 2009, contact the St. George PC Doctor to restore your computer’s health today.

[KickIt] [Dzone] [Digg] [Reddit] [] [Facebook] [Google] [StumbleUpon] [Twitter]

Tags: , , , , , , , ,

E-mail | Permalink | Trackback | Post RSSRSS comment feed 0 Comments


Top 9 Current Malware Threats

1. Win32/PSW.OnLineGames

This is a family of Trojans with keylogging and (sometimes) rootkit capabilities which
gather information relating to online games and credentials for participating.
Characteristically, the information is sent to a remote intruder’s PC.
What does this mean for the End User?
This represents a return to the top spot for this class of threat, which has been at number
one or number two (alternating with INF/Autorun) for many months now.
However, it’s also important that participants in MMORPGs (Massively Multi-player
Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses”
like Second Life, continue to be aware of the range of other threats ranged against them.
We are not just referring here to harassment nuisances like griefing and pointless quasiviral
attacks like grey goo, but phishing and other scams that can result in financial loss
in the real world.

2. INF/Autorun

This detection label is used to describe a variety of malware using the file autorun.inf as a
way of compromising a PC. This file contains information on programs meant to run
automatically when removable media (often USB flash drives and similar devices) are
accessed by a Windows PC user.
What does this mean for the End User?
Removable devices are useful and very popular: of course, malware authors are well
aware of this, as INF/Autorun’s persistent appearances at number one or number two in
these statistics clearly indicate. Here’s why popularity is sometimes a problem.
The default Autorun setting in Windows will automatically run a program listed in the
autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always
the program’s primary distribution mechanism, malware authors are always ready to
build in a little extra “value” by including an additional infection technique.
While using this mechanism can make it easy to spot for a scanner that uses this
heuristic, it’s better, to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. Microsoft Security Advisory (967940) “Update for Windows Autorun”, published February 24, 2009, is a further attempt by Microsoft to address the issue
( see also

3. Win32/Conficker.AA

Win32/Conficker.AA is a worm that spreads via shared folders and on removable media.
It connects to remote machines in attempt to exploit the Server Service vulnerability.
What does this mean for the End User?
Make sure your anti-virus has effective detection for Conficker variants. It is important to ensure that your systems are updated with the Microsoft patch, which has been
available since the end of October, so as to avoid other threats using the same
vulnerability. Information on the vulnerability itself is available
Note that Conficker uses the autorun facility misused by members of the INF/Autorun

4. Win32/Conficker.A

The Win32/Conflicker threat is a network worm that propagates by exploiting a recent
vulnerability in the Windows operating system. The vulnerability is present in the RPC
sub system and can be remotely exploited by an attacker. The attacker can perform his
attack without valid user credentials.
Win32/Conflicker loads a DLL through the svchost process. This threat contacts web
servers with pre-computed domain names to download additional malicious
What does this mean for the End User?
It is important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at
There is an exhaustive analysis available at

5. Win32/TrojanDownloader.Swizzor.NBF

The Win32/TrojanDownloader.Swizzor malware family is commonly used to download
and install other malicious components on an infected computer. The Swizzor malware has been seen installing multiple adware components on infected hosts. Some variants of the Swizzor family will not execute on systems using the Russian language
What does this mean for the End User?
There is often no clear distinction between out and out malware and other nuisances such as adware, and malware is frequently used to promote advertising. Whereas virus authors used to do what they did without commercial gain, whether from misguidance, mischief or malice, contemporary malware authors are more often driven by profit.

6. WMA/TrojanDownloader.GetCodec

Win32/GetCodec.A is a type of malware that modifies media files. This Trojan converts all
audio files found on a computer to the WMA format and adds a field to the header that
includes a URL pointing the user to a new codec, claiming that the codec has to be
downloaded so that the media file can be read. WMA/TrojanDownloader.GetCodec.Gen
is a downloader closely related to Wimad.N which facilitates infection by GetCodec
variants like Win32/GetCodec.A.
What does this mean for the End User?
Passing off a malicious file as a new video codec is a long-standing social engineering
technique exploited by many malware authors and distributors. The victim is tricked into
running malicious code he believes will do something useful or interesting. While there’s
no simple, universal test to indicate whether what appears to be a new codec is a
genuine enhancement or a Trojan horse of some sort, I would encourage you to be
cautious and skeptical: about any unsolicited invitation to download a new utility. Even if
the utility seems to come from a trusted site, it pays to verify as best you can that it’s genuine.

7. Win32/Adware.TencentAd

The Win32/Adware.TencentAd threat family is used to display advertisements on
infected computers.
This Adware seems to be targeting computers in Asia and is often installed by drive-by
download attacks.
What does this mean for the End User?
The proportion of drive-by downloads to user-launched infections is probably
overestimated. Social engineering, by which the victim is tricked into executing
malware, is successful time and time again. By contrast, malware that relies on
vulnerabilities in the system to infect without the victim’s intervention tends to decline
in effectiveness as more potential victims learn to patch vulnerable systems, and the
number of exploitable vulnerabilities is finite. Good patch management (by individuals
as well as businesses) lessens the risk further.

8. Win32/Toolbar.MywebSearch

This is a Potentially Unwanted Application (PUA). In this case, it’s a toolbar which
includes a search function that directs searches through
What does this mean for the End User?
Anti-malware companies are sometimes reluctant to flag PUAs as out-and-out malware,
and PUA detection is often an option rather than a scanner default, because some
adware and spyware can be considered legitimate, especially if it mentions (even in the
small print of its EULA or End User Licensing Agreement) the behavior that makes it
potentially unwanted. It always pays to read the small print.

9. Win32/Adware.Virtumonde

This detection represents a family of Trojan applications used to deliver advertisements
to users’ PCs. Among other actions, Virtumonde may open multiple windows while
running, which contain unwanted advertising material, and it can be very difficult to
automate removal completely. Adware is still a big profit generator for malware
What does this mean for the End User?
Virtumonde has become a particularly difficult problem for vendors and customers alike,
far more than its classification as “adware” might suggest.

[KickIt] [Dzone] [Digg] [Reddit] [] [Facebook] [Google] [StumbleUpon] [Twitter]

Tags: , , , , , , ,

E-mail | Permalink | Trackback | Post RSSRSS comment feed 0 Comments