Firefox add-on was clean, maker says

Written by John P Mello Jr on February 12, 2010

An add-on program that allegedly infected the computers of 4000 users of the Firefox Web browser was clean and malware free, according to the maker of the application.

According to Sothink Software, the add-on, Web Video Downloader 4.0, was misidentified as a malware carrier due to a compression utility called Armadillo embedded in Sothink’s offering. The utility is often used by crackers to compress and hide malicious code in malware, the company explained. “That’s the reason why the [virus] scans are hitting on the file as suspicious,” it said, “[T]here isn’t any virus in Web Video downloader or in Armadillo….”

The company added that it hasn’t used Armadillo in the software for quite some time and that the latest release of the add-on, version 5.7, has been certified clean and safe by VirusTotal, an independent virus detection service.

The Video Downloader add-on is a free program that allows a user to capture Adobe Flash video in Firefox from Web sites such as YouTube, Google and MSN and save it in a number of formats, including FLV, WMV, ASF, AVI, MOV, RM and RMVB.

Last week, the Mozilla Foundation, makers of Firefox, removed Video Downloader 4.0, as well as another program called Master Filer, from its add-ons Web site (AMO), claiming the software was infected with malware.


iPad Launch Causes Spike in Apple Spam

Written by Sue Walsh on February 4, 2010

Wednesday’s launch of the highly anticipated Apple iPad has resulted in a spike of Apple-related spam. Security researchers say a 30% spike in phishing spam was detected following the announcement as spammers rushed to take advantage of the huge audience looking for info on the device. In addition to phishing spams hawking deals on MacBooks and iPhones, the researchers discovered widespread SEO poisoning designed to lure people searching for terms like “iPad price” or “iPad specs” to malicious sites serving malware, mostly fake anti-virus software.

Security experts are predicting such activities to keep rising as the iPad’s March release date draws closer. They advise users to keep their anti-virus software up to date and to get their Apple news from trusted, familiar sites. Companies should review their site security and keep a close eye on their code as many of the poisoned search results point toward legit sites that have been compromised by SQL injection attacks.

Over 25 Million New Strains of Malware Identified in 2009

Written by Sue Walsh on January 31, 2010

Trojans are the most popular form of bad apps among crackers.

A new report out by security experts says that over 25 million new strains of malware were discovered in 2009, and that number is expected to rise in 2010. Trojans are the most popular type distributed, making up 66% of all malware, followed by adware at 17%. Adware includes scareware such as fake anti-virus, fake registry cleaners, and fake anti-spyware programs. Viruses, spyware, rootkits and worms make up the remainder.

The report also identified Taiwan (62.20%), Russia (56.77%) and Poland (55.40%) as the countries with the highest levels of malware-infected computers and Sweden (31.63%), Portugal (37.79%) and the Netherlands (38.02%) as the countries with the lowest infection levels. The United States is in the middle with about a 50% infection level. Many of these infections may not even be known to the user. Millions of computers have been turned into “zombies” and added to botnets.

Experts say malware attacks will be on the rise and become more and more sophisticated as scammers develop new techniques to avoid detection. Social networking sites will bear much of the brunt as spammers and scammers seek to take advantage of the huge audiences these sites attract. Facebook has 400 million members and Twitter over 15 million in the US alone.

As 2010 continues to unfold stay with All Spammed Up for the latest spam and security news. It’s going to be an interesting year.

Fake Outlook Notifications Spreading Malware

Written by Sue Walsh on January 12, 2010

Security experts have detected a new phishing campaign that uses fake Microsoft Outlook notifications to spread malware. Over a million of the spam messages have been intercepted by spam and phishing filters since Thursday.

The messages look like an alert from the recipient’s IT department notifying them that a security upgrade is available and asking them to log into their accounts to retrieve the new settings. The link in the messages leads to a fake Outlook Web Access page which asks them to download a file containing the new security settings. The file is actually an .exe containing the Zbot banking Trojan.

What sets this spear phishing attack apart from past ones is the sheer volume of messages being sent out and the fact that the messages are highly personalized to each domain they are sent to.

In a related attack, search engine results for “office.microsoft.com” have been poisoned with pages leading to fake anti-virus software sites. 2010 has kicked off with a bang for malware distributors, hackers, and spammers. They are growing more and more sophisticated every day, meaning 2010 could be a record year for attacks.

New Malware Attack Infects Nearly 300,000 Sites

Written by Sue Walsh on December 24, 2009

A security researcher recently discovered a new malware attack that has poisoned nearly 300,000 websites. The SQL attacks began last month and use a hidden iframe to redirect visitors to a malicious site that is programmed to look for and exploit known vulnerabilities in several different apps including Adobe Flash, ActiveX, IE, and several other Microsoft applications. If a vulnerability is found, a rootkit called Backdoor.Win3.Buzus.croo is installed. This malware steals banking information and likely downloads even more malware to the infected system. It’s believed to be related to the Rustock botnet.

Rustock, along with Cutwail, Zeus and Mega-D, control over 5 million computers and send out billions of spam messages. The shutdowns of cybercrime-friendly ISPs McColo and Real Host have done little to stop them; in fact, current spam levels have exceeded pre-McColo ones. Experts say botnet herders no longer rely on a single ISP or domain, so that if a shutdown happens they will be back up in hours instead of weeks or months.

Experts say those with properly updated and patched systems are in no danger, so make sure all your users are protected.

Heartland Reaches Settlement with AmEx Over Data Breach

Written by Sue Walsh on December 22, 2009

Heartland Payment Systems announced it has reached a settlement with American Express regarding the massive data breach revealed earlier this year. The $3.6 million settlement is only the beginning for Heartland, as the company is also working on reaching settlements with MasterCard and Visa.

The breach was the largest in history, affecting over 100 million credit and debit cards. The company said they had discovered data stealing malware on their system, which processes payments for over a quarter of a million companies. Heartland says no SSN, PINs, or other personal information was stolen.

MasterCard and Visa both hit Heartland with steep fines after the breach was announced, claiming the company was negligent and failed to take corrective actions once they knew of the breach.

“Heartland believes that it responded appropriately to all information that it learned regarding the possibility of the system breach, and that upon discovering the intrusion, it took immediate and extraordinary action to address the intrusion,” Heartland Chairman and CEO Bob Carr said.

Security experts say Heartland deliberately tried to downplay the breach by announcing it on January 20th, which was the day of the historic inauguration of President Obama. Some say doing so was downright deceptive.

Heartland’s problems aren’t over yet. Visa said that while the company was previously validated as Payment Card Industry Data Security Standard compliant, that status is now under review. If Heartland loses that status it could find itself losing business fast, as merchants won’t work with a processor that’s been cut off by the major credit card companies.

New Spam Campaign Aimed at Quickbooks Users

Written by Sue Walsh on December 11, 2009

Intuit is warning its customers that a new spam campaign has launched that targets users of its popular Quickbooks software. The spam messages claim to be an urgent notification from Intuit informing the recipient that the company has suffered a data breach that resulted in customer names, addresses and phone numbers being stolen. The email goes on to reassure them that no banking info was accessed and that the company has taken corrective measures, which includes a “Windows Quickbooks Update” and “Internet Explorer Plug-In”. The email urges the recipient to click on the included links and download them immediately or they will no longer be able to use the Quickbooks software.

The links, not surprisingly, lead to malware downloads, namely a Trojan Horse. Intuit has not provided any specific details as to the type of malware, but given the group of users the spam campaign is targeted at, it is likely some form of data theft malware such as Zbot/Zeus.

The company calls it a phishing attempt but it is actually a campaign that has blended characteristics of spear phishing, malware attacks and plain old spam. Since Quickbooks is designed as a way for businesses to organize their payroll and finances, it’s not surprising that cyber-criminals are targeting it. Fortunately most of the software’s users are probably well aware that Intuit pushes its updates through the program itself and not via emails. The company is asking that anyone who receives this spam forward it to security@intuit.com for investigation.

Malware can be camouflaged in plain English

Written by John P Mello Jr on December 3, 2009

Anatomy of automatically generated English encoding.

The fractured English in spam messages can be amusing but in the future, it could have a malicious subtext.

That’s what a quartet of researchers demonstrated recently at the 16th ACM Conference on Computer and Communications Security held in Chicago.

The foursome, Joshua Mason and Sam Small from Johns Hopkins University, Fabian Monrose from the University of North Carolina and Greg MacManus from iSight Partners in Washington, D.C., outlined in a paper presented at the conference how they created an engine to produce malware based on plain English text.

The researchers were able to transform arbitrary shellcode into a representation that is superficially similar to English prose.

“The shellcode is completely self-contained i.e., it does not require an external loader and executes as valid IA32 code, and can typically be generated in under an hour on commodity hardware,” they wrote.

Shellcode is the code injected into a program by crackers to compromise computers; it is typically delivered by exploiting a buffer overflow in the program.

Buffer overflows result when a program is given more input than the space it set aside for it, making it behave in a way that’s unintended by its writers. For example, an application may ask for a password that’s limited to 10 characters. Giving it 20 characters might cause a buffer overflow.


Zbot Trojan Ring Busted

Written by Sue Walsh on November 20, 2009

Authorities in the UK have arrested two people suspected of distributing the Zeus Trojan. The arrests were made by the Metropolitan Police’s Central e-Crime Unit and are the first ever in connection with the Trojan, which has infected hundreds of thousands of computers across the globe.

Detective Inspector Colin Wetherill of the PCeU said: “The Zeus Trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world. The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Zeus records banking account numbers, logins and other personal info and adds the infected computer to the ZBot botnet, which then uses the computer to pump out malicious spam designed to spread the infection.

Authorities would not identify the two suspects, saying only that they are a man and a woman in their 20s. They are being charged under the 1990 Computer Misuse Act and the 2006 Fraud Act.

Security experts say Zeus is spreading so fast because there is a toolkit available that allows anyone to customize the malware, create their own versions, and use it to commit bank fraud.

Gumblar has new face on ugly head

Written by John P Mello Jr on November 9, 2009

Gumblar uses SQL injection to infect Web servers.

Malware watchers are reporting that the Gumblar botnet is working its mischief once again, this time on a larger scale than ever. The malicious software first attracted the notice of White Hats this spring when it used SQL injection attacks to infect legitimate websites–sites such as Tennis.com, Variety, and Coldwellbanker.com–and spread itself to the personal computers of visitors to those netposts. SQL injection attacks are performed on the database layer of an application. They take advantage of vulnerabilities in that layer which can be exploited by crafted input that produces unintended consequences, such as bypassing a user’s authentication.

After making its initial splash, its activity abated only to experience a revival at the end of the summer. Now it’s running wild again, according to security researchers, infecting hundreds of trusted sites and through them, thousands of PCs.

In its birth form, the bad app poisoned a site’s back-end server or used an iFrame or other ploy to redirect a visitor to a malicious server for a proper fleecing and contamination. The use of iFrames has become a popular ruse of cyberbandits. Once injected into a trusted site, an iFrame redirects a browser to another iFrame that executes clandestine JavaScript code on an unsuspecting keyboard jock’s computer. The code then connects to Net places where more code is secretly executed to exploit vulnerabilities in a target system. Crackers leverage those vulnerabilities to gain control of a user’s computer and filch usernames, passwords and other information from the system. Gumblar also looks for FTP credentials so it can infect more servers.
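Both the 300,000-site campaign above and Gumblar rely on a hidden iframe injected into a trusted page to pull visitors toward an exploit server. The following is an added example (not code from the original posts or from any product named here) of how a site owner could audit their own pages for that pattern: it parses the HTML and flags iframes that point off-site, have zero size, or are hidden with CSS. The sample page and the hostname malicious.example.invalid are constructed for the example, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes a frame invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _is_zero(value):
    # True for width/height attributes such as "0" or "0px".
    if value is None:
        return False
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) == 0

class IframeAuditor(HTMLParser):
    """Collect every <iframe> that looks like an injected redirector."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names
        src = a.get("src") or ""
        host = urlparse(src).hostname
        reasons = []
        if host and host != self.page_host:
            reasons.append("third-party src " + host)
        if _is_zero(a.get("width")) or _is_zero(a.get("height")):
            reasons.append("zero-size frame")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html, page_host):
    """Return [(src, reasons)] for suspicious iframes in one HTML document."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: one legitimate embed and one injected hidden frame
# pointing at a placeholder hostname (not a real indicator).
SAMPLE_PAGE = """<html><body><h1>Example site</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://malicious.example.invalid/x.php" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""
```

This is a static check of the served HTML; injections that build the iframe from obfuscated JavaScript at run time only show up after the script is decoded or the page is rendered in an instrumented browser.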
