Do you have Conficker?

April 3rd, 2009 2 Comments »

One of the quickest and easiest ways to tell whether you are infected with the Conficker virus is to look below and see whether any of the images from four of the 100+ security sites blocked by Conficker fail to load. I have placed images for the following security websites below: Kaspersky Lab, F-Secure, Secureworks, and Trend Micro. If you have any problems loading these images or visiting the sites listed, you may be infected with the Conficker virus. If you are using a proxy server, you will likely still be able to load the images, so this is not a reliable test in that case.

If you believe you are infected with Conficker (Kido/Downadup) check out Kaspersky’s KKiller tool to remove it.

Images are trademarks of their respective owners.
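The same check can be scripted instead of eyeballing images. The following is an added example, not code from the original post: it tries to resolve a list of security-vendor hostnames (the hostnames are my assumptions, chosen to match the vendors named above) and also resolves a control host, so that a general network outage is not mistaken for selective blocking. It reports the result as inconclusive when a proxy is configured, for the reason the post gives.

```python
"""Added example: a defender-side reachability check modelled on the post's image test.

Conficker is described above as blocking access to security-vendor sites, so
failing to resolve those hosts while an unrelated control host resolves fine is
a weak indicator worth following up with a proper scanner. The hostnames below
are assumptions for illustration, not values taken from the post.
"""
import os
import socket
from typing import Callable, Dict, List, Optional

# Assumed vendor hostnames matching the four sites named in the post.
SECURITY_SITES: List[str] = [
    "www.kaspersky.com",
    "www.f-secure.com",
    "www.secureworks.com",
    "www.trendmicro.com",
]

# Assumed control host that no security-site block list would touch; if this
# fails too, the problem is general connectivity, not selective blocking.
CONTROL_SITE = "www.example.com"

Resolver = Callable[[str], str]


def proxy_configured(env: Optional[Dict[str, str]] = None) -> bool:
    """True if an HTTP(S) proxy is set via the usual environment variables.

    The post notes that a proxy lets the images load even on an infected host,
    so the verdict must be downgraded to inconclusive in that case.
    """
    env = os.environ if env is None else env
    return any(k in env for k in ("HTTP_PROXY", "http_proxy", "HTTPS_PROXY", "https_proxy"))


def resolve_ok(host: str, resolver: Resolver = socket.gethostbyname) -> bool:
    """Return True if the resolver produced an address, False on any lookup error."""
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def check_security_sites(
    sites: List[str] = SECURITY_SITES,
    control: str = CONTROL_SITE,
    resolver: Resolver = socket.gethostbyname,
    env: Optional[Dict[str, str]] = None,
) -> Dict[str, object]:
    """Run the check and return a dict with the blocked hosts and a verdict string.

    Verdicts: 'clean', 'suspicious: ...' or 'inconclusive: ...'. The resolver is
    injectable so the logic can be exercised offline with a fake resolver.
    """
    blocked = [s for s in sites if not resolve_ok(s, resolver)]
    result: Dict[str, object] = {
        "blocked": blocked,
        "proxy": proxy_configured(env),
        "control_ok": resolve_ok(control, resolver),
    }
    if result["proxy"]:
        result["verdict"] = "inconclusive: proxy in use, lookups may bypass local blocking"
    elif not result["control_ok"]:
        result["verdict"] = "inconclusive: control host unreachable, general network problem"
    elif blocked:
        result["verdict"] = "suspicious: security sites blocked while control host resolves"
    else:
        result["verdict"] = "clean"
    return result


if __name__ == "__main__":
    # Live run against real DNS; follow up a 'suspicious' verdict with a removal tool.
    for key, value in check_security_sites().items():
        print(f"{key}: {value}")
```

Run it directly for a live DNS check; for a stricter version, swap `socket.gethostbyname` for a function that performs an HTTP fetch, since some blocking happens at the connection rather than the lookup stage.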


Author: Christopher

Blended Attacks on the Rise, Spam Email Still Primary Attack Vector

January 8th, 2009 Comments Off

Spammers continue to refine their methods in an effort to stay ahead of security measures.  At the same time, the profit motivations behind spam are expanding.  Previously, the main reason for sending out spam was to sell something.  Spam is now increasingly part of a “blended” attack, which is a sophisticated coordination of a variety of techniques designed to breach the security of targeted systems, steal data, and take control of the compromised systems by adding them to botnets.

In many cases, the actual malicious code is delivered when a user visits a compromised website which is capable of infecting the user’s computer.  Because of this, security vendors are stepping up their marketing efforts to sell web security devices and software.  The fact is that the majority of these infections occur when a user follows a link received in a spam message.  Security Labs reports that 65 percent of spam contains malicious URLs leading either to compromised web sites or to sites that are created by spammers and fraudsters.

Trend Micro recently reported on targeted attacks on CEOs that began with spam emails.  These emails appeared to contain links to court documents related to subpoena actions.  The links actually led to fake websites, where users were prompted to install browser plug-ins in order to view the files.  The “plug-in” was actually a Trojan which secretly connected to other malicious sites and installed yet more malicious software.

Another recent example was the wave of attacks from the Storm botnet, which consisted of spam emails claiming that the U.S. had invaded Iran.  This message appeared to link to websites where video footage would show some 20,000 U.S. soldiers launching world war three.  The site showed what appeared to be an embedded video player, but clicking on the player button resulted in the execution of malicious code that installed a Trojan on the user’s computer.


Author: Christopher

Malware Statistics: December 2008

January 2nd, 2009 Comments Off

Our listing of the top 10 malware threats for December 2008 provided by the Kaspersky Security Network.

1) Virus.Win32.Sality.aa
2) Packed.Win32.Krap.b
3) Trojan-Downloader.Win32.VB.eql
4) Worm.Win32.AutoRun.dui
5) Trojan.HTML.Agent.ai
6) Trojan-Downloader.WMA.GetCodec.c
7) Virus.Win32.Alman.b
8) Trojan.Win32.AutoIt.ci
9) Packed.Win32.Black.a
10) Worm.Win32.AutoIt.ar

Source: Kaspersky Lab


Author: Christopher

Fake Antivirus Infections Prevalent

November 30th, 2008 Comments Off

Fake antivirus programs – also known as rogue security software – continue to plague PC users.  Last week, when Microsoft pushed out its weekly security patches, the Malicious Software Removal Tool targeted one particular file responsible for most of these extortionist programs, known as FakeSecSen.  Data released by Microsoft indicates that this malware was removed from over 990,000 computers.  Approximately 5 out of every 1,000 PCs showed signs of infection.

FakeSecSen has gone by many names, including Vista Antivirus 2008, Windows Antivirus, XPert Antivirus, Power Antivirus, Antivirus 2009, and several variations of these terms.  These programs pretend to be anti-malware solutions, but they do not actually scan the PC; instead they report finding dozens or hundreds of infections that do not exist, and they remain extremely annoying until the user either pays the “upgrade” or “registration” fee or finds a way to remove them.  Removal generally requires a genuine anti-malware utility or entails long, complicated manual steps involving registry entries, hidden files, and invisible processes.

Infection often occurs when users visit a compromised web site and click in pop-up windows offering a free security scan or free security software downloads.  Spam emails and even “drive-by” infections are also possible.

It’s nice that Microsoft has addressed this in its most recent patch release, but this is small consolation to those who became infected with this type of malware after last Tuesday, or to those who suffered for months before that.  A good computer / internet security suite, such as Kaspersky Internet Security, offers full protection against FakeSecSen and related malware.


Author: Christopher

Security Researcher Uncovers Massive eCrime Attack

October 13th, 2008 1 Comment »

Neosploit, a crimeware kit thought by some security experts to have been retired, has reared its ugly head again, and may have been used in one of the biggest organized crimeware attacks in history.  Ian Amit, a security researcher investigating the possible resurrection of the notorious kit, discovered a server hosting the login credentials of more than 200,000 servers in more than 86 countries around the world.  According to Amit, he has uncovered evidence suggesting that 80,000 legitimate web sites from dozens of countries have been infected with the malware, which in turn infects visitors to these sites with various Trojans and other malware.

Last April, the Neosploit development team announced that it was discontinuing support and development of the kit, despite the success of the “product,” citing concerns about the ongoing viability of the business.  Now it appears that this statement was a ruse designed to buy the gang some time to perfect the next release of the kit.  The latest discoveries by Amit and his crew indicate that a new version was used to compromise the data of millions of users across hundreds of thousands of systems.  These include major overseas weapons manufacturers, the U.S. Postal Service, Fortune 500 companies, universities, and government departments.

Amit is working with US-CERT (a department of Homeland Security) as well as other local and international law enforcement agencies to investigate and shut down the servers operated by these criminals, and to notify and work with infected enterprises to clean up their systems.


Author: Christopher

Top Malware for September 2008

October 1st, 2008 Comments Off

Here is September’s most widespread malware according to Kaspersky Security Network. The most interesting thing is that the previous leader, Trojan.Win32.DNSChanger.ech, is nowhere to be found.

Rank  Change  Malware
1     New     Rootkit.Win32.Agent.cvx
2     Return  Trojan-Downloader.WMA.Wimad.n
3     New     Packed.Win32.Black.a
4     +8      Trojan.Win32.Agent.abt
5     New     Trojan-Downloader.HTML.IFrame.sz
6     New     Trojan-Downloader.Win32.VB.eql
7     New     Trojan-Downloader.JS.IstBar.cx
8     +1      Trojan.Win32.Agent.tfc
9     +1      not-a-virus:AdWare.Win32.BHO.ca
10    New     Trojan-Downloader.Win32.Small.aacq
11    -       not-a-virus:AdWare.Win32.Agent.cp
12    New     Trojan.Win32.Obfuscated.gen
13    +1      not-a-virus:AdWare.Win32.BHO.sc
14    +1      not-a-virus:AdWare.Win32.BHO.vp
15    +3      Trojan.Win32.Chifrax.a
16    -3      Trojan-Dropper.Win32.Agent.tbd
17    +2      Trojan.RAR.Qfavorites.a
18    New     Email-Worm.Win32.Brontok.q
19    New     Trojan-Downloader.JS.Agent.cme
20    -12     Trojan-Downloader.JS.Agent.chk

(Change = movement in rank since the previous month; New = new entry, Return = re-entry, - = unchanged.)

Source: Kaspersky Lab


Author: Christopher