Showing posts with label scareware. Show all posts

Sunday, March 7, 2010

SunbeltLabs detects surge in trojans during February

Sunbelt Software's list of top malware infections seen during February claims to show that there was a sizeable surge in trojans during the month.

Compiling data from its VIPRE anti-malware software and CounterSpy, its anti-spyware application, SunBelt Labs, the firm's research arm, reported that eight of the top 10 types of malware seen during February were trojan horse programs.

New entries in the top 10 during the month were Trojan.Win32.Generic.pak!cobra, a rootkit infection; Trojan-Spy.Win32.Zbot.gen, a password-stealing trojan; and Trojan.Win32.Agent, a fake Windows service application which modifies users' PC system settings.

According to Sunbelt, there was also a surge in scareware or rogue security products.

Their continued prominence in the top 10 is also due in part to interest in sporting events such as the Winter Olympics, which has encouraged many to visit untrusted websites in search of live video from the various events at the Winter Games.

This surge in traffic to untrusted and potentially malicious websites has, says the IT security vendor, generated higher incidences of scareware, as well as conventional malware threats.

The rogues, once downloaded, present a fake malware scan of a victim's computer then display false warnings that the machine is infected. The malware then urges the user to purchase rogue security software on the promise that it will disinfect their PC, when in fact it does nothing or further infects the target computer.

Tom Kelchner, Sunbelt's research centre manager, said that, along with trojans and bot-installing malware, the spectrum of malware threats out there continues to be quite broad.

"The old standards continue to circulate online and gain increased penetration whenever Internet use peaks, as with events such as the recent Winter Olympics", he said.

"Adware and its associated malcode bundlers, downloaders and installers don't make the news much anymore, but collectively they make up 10% of our ThreatTrack detections", he added.

According to Kelchner, during the month of February, ThreatTrack tabulated over 1,100 discrete adware threats.

The trend of scareware will, says Sunbelt, increase as the world heads towards the 2010 World Cup in June.

infosecurity

Tuesday, October 27, 2009

Scareware launched from tech blog


40 million people have fallen victim to scareware in the last year.

Visitors to technology blog Gizmodo are being warned that they could have picked up more than tips about the latest must-have gadget.

According to security firm Sophos, the website was delivering advertisements "laced with malware" last week.

A statement on the Gizmodo website admits that it was tricked into running Suzuki adverts which were in fact from hackers.

It follows a similar problem on the New York Times website.

Last month the New York Times' website was targeted by a gang of hackers who purchased ad space on the site by posing as internet telephone company, Vonage.

In both cases the adverts served up fake anti-virus software - known as scareware.

Scareware attempts to convince users that their computer is infected with viruses and trojans, and tricks them into downloading "remedies" which are harmful and can be used by criminals to get at information such as credit card details.

Really sorry

Gizmodo gets a huge amount of traffic with more than 3.1 million page views per day.

It has issued an apology to readers.

"I'm really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam.

BBC News

Monday, October 19, 2009

Millions tricked by 'scareware'


Online criminals are making millions of pounds by convincing computer users to download fake anti-virus software, internet security experts claim.

Symantec says more than 40 million people have fallen victim to the "scareware" scam in the past 12 months.

The download is usually harmful and criminals can sometimes use it to get the victim's credit card details.

The firm has identified 250 versions of scareware, and criminals are thought to earn more than £750,000 each a year.

Franchised out

Scareware sellers use pop-up adverts deliberately designed to look legitimate, for example, using the same typefaces as Microsoft and other well-known software providers.

They appear, often when the user is switching between websites, and falsely warn that a computer's security has been compromised.

If the user then clicks on the message they are directed towards another site where they can download the fake anti-virus software they supposedly need to clean up their computer - for a fee of up to £60.

Con Mallon, from Symantec, told the BBC the apparent fix could have a double impact on victims.

It is very prevalent and it's growing very quickly out there on the internet

"Obviously, you're losing your own hard-earned cash up front, but at the back end of that, if you're transacting with these guys online you're offering them credit card details, debit card details and other personal information," he said.

"That's obviously very valuable because these cyber criminals can try to raid those accounts themselves or they can then pass them on or sell them to others who ultimately will try to use that information to their benefit not yours."

The findings were revealed in a report written following Symantec analysis of data collected from July 2008 to June 2009. Symantec said 43 million people fell for such scams during that period.

It has become so popular that the rogue software has been franchised out.

Fake reviews help build the credibility of bogus anti-virus software.

Mr Mallon said some scareware took the scam a step further.

"[They] could hold your computer to ransom where they will stop your computer working or lock up some of your personal information, your photographs or some of your Word documents.

"They will extort money from you at that point. They will ask you to pay some additional money and they will then release your machine back to you."

The scam is hard for police or other agencies to investigate because the individual sums of money involved are very small.

Therefore, experts say users must protect themselves with common sense and legitimate security software.

BBC News

Friday, September 25, 2009

Scareware And Bots Require Layered Defenses


Defense in depth is not a new idea in security, but taking a layered approach is more important than ever. The current rise in infections by bots and scareware, along with recent reports on anti-malware endpoint protection, demonstrates how we need to be doing more at every layer.

Maybe you're one of the lucky ones, but nearly every IT person I know has seen a considerable increase in malware infections. The majority of the infections are bots and scareware that have come through a Web-based infection vector -- sometimes exploits against the browser, and sometimes taking advantage of users through social engineering. So what's going on?

I think the first problem is an increase in the number of bad guys out there looking to make money using malware. Unfortunately, there's not much we can do about that, so we have to focus on both proactive measures to prevent the infections and reactive measures to deal with the infections as they occur.

Why both? If we put in preventive measures, then why do we need reactive ones? It's simple. Security controls fail. Something will get through. As I've said before, when it comes to security, failure is inevitable so you must plan for it.

The recent testing by NSS Labs of anti-malware products for consumers and enterprises is pretty disheartening -- especially if you're one of those folks still clutching your antivirus under the covers and whispering to yourself that it's all going to be OK. It's not. Take off the blinders because the report clearly shows the products we are paying to protect our users are not completely effective.

Dark Reading

Thursday, September 24, 2009

Drudge, Other Sites Flooded With Malicious Ads


Criminals flooded several online ad networks with malicious advertisements over the weekend, causing popular Web sites such as the Drudge Report, Horoscope.com and Lyrics.com to inadvertently attack their readers, a security company said Wednesday.


The trouble started on Saturday, when the criminals somehow placed the malicious ads on networks managed by Google's DoubleClick, as well as two others: YieldManager and ValueClick's Fastclick network, according to Mary Landesman, a senior security researcher with ScanSafe.

The attack comes just a week after the New York Times Web site was tricked into displaying a deceptive 'scareware' advertisement for fake antivirus software from scammers pretending to be ad buyers with Vonage, an Internet telephony company.

Instead of trying to trick Web surfers into buying bogus software, these ads attacked.

They would pop up a nearly invisible window in the victim's browser that contained a maliciously encoded PDF document, which included attack code that placed a variant of the Win32/Alureon Trojan horse program on the victim's computer. Sometimes, the ads would also try to exploit a previously patched flaw in Microsoft's DirectShow software, Landesman said.

"The user would have seen a very brief opening of a blank PDF window and it would be at the bottom portion of their screen," she said. The Alureon Trojan is known to download additional malware and often hijack victims' search results, she said.

The PDF attacks apparently only affected victims with out-of-date versions of Adobe's Reader or Acrobat software, she added.

Between Saturday and Monday, the ads accounted for 11 percent of all Web pages blocked by ScanSafe's Web filtering software, a sign that many people were being presented with the malicious ads. And because the PDF pages were modified slightly every time they were displayed, most antivirus products didn't detect them.

In tests, ScanSafe found that only 3 out of 41 antivirus vendors detected the malware.

"To be honest, they were pretty clever in the way they carried this out," Landesman said. "They managed to infiltrate sites that enjoy very good traffic and they were able to use a mechanism for creating this PDF that caused it to be nearly completely undetected."

This is not the first time Google's DoubleClick has been associated with this type of malicious advertising. Earlier this year criminals placed similar ads on the home page of technology trade magazine eWeek, whose ads were managed by DoubleClick.

PC World