
November 24 could be 'Black Monday' for computer viruses

by Michael Smith

The Internet security company PC Tools has warned that next Monday could be the worst day of the year for computer attacks.

The spread of viruses and malicious software is expected to peak on November 24, along with attempts by hackers to seize control of computers, according to PC Tools.

PC Tools, by the way, is the “maker” of ThreatFire, amongst other items of software. ThreatFire, which I have reviewed in the pages of this journal and have used for a considerable time by now, has, I am certain, done the bulk of the work in keeping my system free of problems while others have been infected.

The company has analysed information on more than 500,000 computers worldwide, and looked at data from the same period last year, which appears to suggest the Monday before Thanksgiving in the US is a prime time for security attacks.

PC Tools believes that this is probably because of the increased online activity at this time of year, as people start shopping online for Holiday gifts and hunting for details of bargains they might be able to pick up on Black Friday, the day after Thanksgiving, when many US stores hold huge sales.

Online shoppers are a tempting target for hackers and fraudsters, many of whom will try to trick consumers into clicking links in emails and on websites that download software onto their computers. That software allows malicious attackers to take remote control of the system and/or to capture passwords and other sensitive information.

With such software on board, hackers are then able to log keystrokes in order to harvest banking login details and passwords for online shopping sites and, even more dangerously, credit card numbers, PayPal account details and the like.

Web users must be especially vigilant in the run-up to the Holidays and they really must keep their wits about them. Just as in the real world they would shield their PIN when using their credit or debit cards, they must do similar things to protect their online identity and credentials.

People who plan to do their gift shopping on the Internet should ensure their anti-virus software and firewall security is up to date, that they don't open emails and files from unfamiliar people, and that they ensure they only enter credit or debit card information on secure web pages.

Secure web pages are denoted by a padlock symbol somewhere around the border of the web page or in the address bar, and by the "http://" prefix of the address changing to "https://" to show it is a secure link. Note that the padlock only shows that the connection to the site is encrypted, not that the site itself is honest, so the address in the bar still needs to be checked.

As to opening emails, let me add that even emails that appear to be sent from friends may not actually be from them. Their details could have been cloned in the same way as your own details can be cloned – even my own. So let the user beware and, if in doubt, contact the sender of an email, if he or she is a known associate, to ask whether he or she has in fact sent you an email with this or that title. If so, then it is more than likely safe to open.

I have received emails even from my own email addresses – supposedly – that never were from my own addresses. The address had been cloned and could, maybe, have confused people.

So, as I always say; let's be careful out there.

© M Smith (Veshengro), November 2008

Angelina Jolie Guest Stars in Malware Scheme

Spammers use sensationalized headlines to lure unsuspecting computer users

BitDefender researchers have identified a new wave of spam messages that use fake events related to actor Angelina Jolie in order to trick users into downloading and installing Trojan malware onto their computers.

This new campaign of spreading malware is mostly carried out via spam messages built around alleged adult video footage of the movie star. In order to watch the video, users have to download a binary file, video-nude-anjelina.avi.exe, which is infected with Trojan.Agent.AGGZ.
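The file name in this campaign is the classic double-extension trick: Windows hides known extensions by default, so video-nude-anjelina.avi.exe is displayed to the user as video-nude-anjelina.avi. The following is an added example, not BitDefender's or the original post's code, of the check a mail gateway or help desk can run over attachment names before a user ever sees them. The extension lists and every sample name other than the one quoted in the post are constructed for this example.

```python
import re
from typing import Dict, List

# Extensions Windows runs directly on double-click (constructed, non-exhaustive list).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "msi"}

# Harmless-looking extensions used as the visible decoy in front of the real one.
DECOY_EXTENSIONS = {"avi", "mpg", "mpeg", "wmv", "mp4", "jpg", "jpeg", "gif", "png",
                    "pdf", "doc", "xls", "txt", "zip"}


def classify_attachment_name(name: str) -> List[str]:
    """Return the reasons an attachment name looks dangerous; an empty list means nothing flagged."""
    reasons: List[str] = []
    # Split into stem and extensions; stray spaces around each part are stripped so
    # padding such as "report.pdf      .exe" still yields the extension "pdf".
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all
    exts = parts[1:]
    final_ext = exts[-1]
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension: .{exts[-2]} decoy in front of .{final_ext}")
    # A run of spaces before the last extension pushes it out of view in narrow
    # attachment columns, so the user reads only the decoy part of the name.
    if re.search(r"\s{3,}\.\w+$", name):
        reasons.append("whitespace padding before final extension")
    return reasons


def flag_attachments(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious attachment name to its reasons; clean names are omitted."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        reasons = classify_attachment_name(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample attachment names; only the first one is taken from the post.
SAMPLE_ATTACHMENTS = [
    "video-nude-anjelina.avi.exe",
    "holiday-photos.jpg",
    "invoice.pdf                    .exe",
    "setup.msi",
    "README",
]

if __name__ == "__main__":
    for name, reasons in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The check is deliberately conservative: a plain .msi is still flagged as executable even without a decoy, because the point at a gateway is to hold the attachment for a closer look, not to decide on its own that it is malicious.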

The spam message comprises an explicit image of Angelina Jolie along with text claiming that the mail has been sent as part of the MSN Featured Offers program. The text plays a double role: it tries to trick the user into thinking this is a legitimate news message, and it helps prevent spam filters from labelling the entire mail as spam.

“The spam wave is part of a larger category of unsolicited mail messages that rely on social engineering techniques in order to lure unwary users into installing Trojans,” said Vlad Valceanu, Head of Antispam Research. “This type of attack seems to be extremely successful, as the number of messages has quickly escalated over the last couple of months. In order to achieve their goals, spammers usually rely on international celebrities and their pictures, along with catchy, yet fake news leads.”

This is not the only incident involving Angelina Jolie. Recently the actor gave birth to two children, and spammers took advantage of the event in order to infect more computers. The spam campaign following the event wrongly announced that Jolie had given birth to no fewer than five children, and even offered users a link to a website allegedly hosting a short video of the event. The announcement, combined with Angelina Jolie’s fame, was meant to exploit users’ hunger for sensational news.

Once on the page in question, users were shown an image impersonating a Flash video player. When the user landed on the compromised web page, the download started immediately, without any user intervention (a procedure also referred to as a drive-by download). The binary file was infected with Trojan.Downloader.Exchanger.Gen.1, a piece of malware that has been widely used in another spam campaign promoting an alleged antivirus utility called Antivirus XP 2008.

Although the approach is relatively new, the underlying technique has been widely used in the past. This campaign mostly targets computer users who are not educated in computer security, as they are not aware of the free online scanners offered by major security providers.


The spam message directs the user to a legitimate web page whose index page has been duplicated to facilitate the attack. For instance, while the normal home page is index.php, the compromised URL would always end in index1.php. This secondary index page is neatly crafted using the Windows Vista look and feel (the Aero wallpaper and icon buttons). The professional look contributes greatly to gaining users’ confidence, but there are a few details that should tip the visitor off to the scam.

For instance, the virus top list in the upper right of the screen displays the most aggressive viruses that were active during May, meaning the page has not been updated. Secondly, the other text elements are written in plain English with ambiguous explanations (such as “Trojan attacks damage more than $3 million/hour.”). The spam message itself is written in poor grammar, with multiple obfuscations to trick spam filters.

“This spam wave built on an older recipe, making heavy use of text obfuscation in order to prevent spam filters from identifying and marking the message as junk,” said Vlad Valceanu. “The message itself should be enough of a warning for the user that the advertised piece of software is not legitimate and might come from ‘unorthodox’ sources. More than that, users should pay extra attention to webpages that automatically try to download a file on the computer.”

Once installed on the computer, the rogue antivirus utility would stealthily start installing other high-risk software such as adware, spyware or other malware from multiple servers or sources on the Internet. Also, when run, the “antivirus” would report that it had found multiple fake or false security threats on the host computer. This is a common tactic for rogue security applications, as they try to mislead unaware computer users and make them pay for the “full” version of a bogus utility.

Source: BitDefender News Center

P.S. Such headlines are not limited to Angelina Jolie or other such celebrities; such malware also comes by means of emails with other titles, such as ones claiming to be news and weather information, news of military operations by US and allied forces in Iraq or Afghanistan, or claims that an attack on Iran has started, and many other such headlines.

The advice can only be as always... DO NOT OPEN such emails.

Variant of blackmailing virus spreading on Internet

Another blackmailing virus. Oh, how lovely - NOT

by Michael Smith (Veshengro)

Security software firm Kaspersky Lab has reported a new and dangerous blackmailing virus and is alerting computer users everywhere about it: a new variant of Gpcode, a dangerous encryptor virus.

The Virus.Win32.Gpcode.ak malware encrypts users' files with various extensions, including .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more, using an RSA encryption algorithm with a 1024-bit key, and that is a lot.

Kaspersky Lab itself added a virus signature to block Virus.Win32.Gpcode.ak in early June 2008.

Kaspersky Lab says it has succeeded in thwarting previous variants of Gpcode by cracking the private key held by the attackers.

However, the author of the new Gpcode variant has spent two years improving the virus: previous errors have been fixed and the key has been lengthened to 1024 bits from the original 660, which was crackable.

So far, it would appear that Kaspersky has been unable to decrypt files encrypted by Gpcode.ak, since the key is 1024 bits long and no errors have yet been found in the implementation. That means, according to Kaspersky, that presently the only way to decrypt the encrypted files is to use the private key which, unfortunately, only the author of the virus has.

After Gpcode.ak encrypts files on the victim's machine, it changes the extension of these files to ._CRYPT, and places a text file named !_READ_ME_!.txt in the same folder.

In the text file the criminal tells the victims that their files have been encrypted and offers to sell them a decryptor: "Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com"
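The post gives three host-side indicators of a Gpcode.ak infection: files renamed to end in ._CRYPT, a !_READ_ME_!.txt note in the same folder, and the RSA-1024 wording of that note. The following added example (my own, not Kaspersky's code) turns them into a triage scan a responder can run over a suspect volume to see which folders were hit. The sample directory tree it builds is constructed, and whether the original extension survives in front of ._CRYPT is my assumption, since the post does not say.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators as described in the Kaspersky report quoted in the post.
ENCRYPTED_SUFFIX = "._CRYPT"
RANSOM_NOTE_NAME = "!_READ_ME_!.txt"
RANSOM_NOTE_MARKER = "RSA-1024"


def scan_for_gpcode_indicators(root: str) -> Dict[str, object]:
    """Walk `root` and collect files matching the Gpcode.ak indicators."""
    encrypted: List[str] = []
    notes: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            if fname.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
            elif fname == RANSOM_NOTE_NAME:
                notes.append(full)
    # A note is only counted as a Gpcode note if it carries the RSA-1024 wording.
    matching_notes = [
        p for p in notes if RANSOM_NOTE_MARKER in Path(p).read_text(errors="replace")
    ]
    affected_dirs = sorted({os.path.dirname(p) for p in encrypted + matching_notes})
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(matching_notes),
        "affected_dirs": affected_dirs,
        # Both indicators together give a confident call; either alone is a lead to follow.
        "confirmed": bool(encrypted) and bool(matching_notes),
    }


def build_sample_tree() -> str:
    """Constructed sample tree: one folder hit by the encryptor, one untouched."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    # Assumption for the sample: the original extension is kept in front of ._CRYPT.
    (docs / "budget.xls._CRYPT").write_bytes(b"\x00" * 64)
    (docs / "thesis.doc._CRYPT").write_bytes(b"\x00" * 64)
    (docs / RANSOM_NOTE_NAME).write_text(
        "Your files are encrypted with RSA-1024 algorithm. "
        "To recovery your files you need to buy our decryptor."
    )
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file
    return root


if __name__ == "__main__":
    result = scan_for_gpcode_indicators(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a mounted image of the victim's disk rather than the live system, so the scan itself does not change access times the investigation may later need.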

Kaspersky Lab is still working on a way to recover encrypted data without having to use the criminal's decryptor. Let's hope that they succeed and, in addition, that those criminals get caught.

Beyond that, what can one do? Even the best anti-virus software is, and always will be, one step behind the virus writers and criminals.

Personal vigilance as to where one goes and what email one opens is important; more often than not it is users' bad email habits that bring them those lovely viruses and Trojans. However, Trojans sometimes come packaged in different ways, even where the user would not suspect them.

See my article “Viruses and Trojans in Trusted Downloads” on how easy it is to have such things reach your computer.

© M Smith (Veshengro), June 2008

Viruses and Trojans in Trusted Downloads

by Michael Smith (Veshengro)

Recently – though I never gave it a thought before and never had any anti-virus program check it – BitDefender v10 FREE found a Trojan in an ISO image held on my external hard drive.

The ISO was for the OPEN CD 7.04 (both ISO and cut CD have now been destroyed) and came via a direct download from the official website.

This could only mean one of two things, I believe: either there is, or was at the time of my download, an infection on the site, or there is a Trojan, according to BitDefender, embedded in the CD in one of the programs.

Although few of us will ever think this necessary, I would suggest – and I shall be one to follow my own advice this time, for a change – that everyone always save any download to the desktop and then check it for hidden dangers and pitfalls prior to actually installing anything on the PC. Anything that cannot be saved to disk but wants to force an install should be considered suspect, even if from a supposedly reputable source, and left well alone.
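Saving the download first also makes a second check possible that the post does not mention: comparing the image's SHA-256 hash against the value the publisher lists on its own page before burning or mounting it. The following is my own added example, not anything from the OPEN CD project; the sample file and its "published" hash are constructed. The check catches a swapped or corrupted download from a compromised site or mirror, which is one of the two possibilities the post raises, but not a Trojan that was part of the publisher's own build, which is the other.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Tuple


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-hundred-megabyte ISO never sits in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published_sha256: str) -> bool:
    """True only if the file's hash equals the publisher's value (compared in constant time)."""
    actual = sha256_of_file(path)
    expected = published_sha256.strip().lower()
    return hmac.compare_digest(actual, expected)


def demo() -> Tuple[bool, bool]:
    """Constructed demonstration: a pristine image verifies, a one-byte change does not."""
    workdir = Path(tempfile.mkdtemp(prefix="iso_check_"))
    iso_path = workdir / "opencd-sample.iso"
    pristine = b"ISO 9660 sample payload " * 4096  # constructed stand-in for a real image
    iso_path.write_bytes(pristine)
    # Stand-in for the hash the publisher would list; here computed from the pristine bytes.
    published = hashlib.sha256(pristine).hexdigest()
    good = verify_download(str(iso_path), published)
    # Simulate a tampered copy: flip one bit in the middle of the file.
    tampered = bytearray(pristine)
    tampered[len(tampered) // 2] ^= 0x01
    iso_path.write_bytes(bytes(tampered))
    bad = verify_download(str(iso_path), published)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print(f"pristine image verifies: {good}; tampered image verifies: {bad}")
```

The published hash is only as trustworthy as the page it comes from, so it should be read from the publisher's own site over https, not from the same mirror that served the file.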

I am glad to say that I never actually installed anything from that particular OPEN CD – though I love OPEN CD in general – and therefore never actually had the Trojan let loose on my system.

Let the user beware!

© M Smith (Veshengro), June 2008