Tuesday, November 30, 2010
New 'Seftad' Ransomware Encrypts Drives Demands $100 For Fix
This malware, first detected and analyzed by Kaspersky Lab malware analyst Denis Maslennikov, is detected as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a. It is downloaded by Trojan.Win32.Oficla.cw. If Seftad.a is downloaded by Oficla.cw and run, the victim's PC is rebooted and the following message appears on the screen:
Entering an incorrect password three times will cause the PC to reboot a second time and display the same message again.
"If the victim browses the malware author’s website, he is asked to pay $100 using ‘Paysafecard’ or ‘Ukash’. If you are infected by this malware do not visit the website. Use the password ‘aaaaaaciip’ (without quotes) to restore the original MBR. If the password doesn’t work, you can cure your MBR with Kaspersky Rescue Disk 10," Maslennikov said.
Attacking the master boot record (MBR) is something we haven't seen from ransomware before. Several recent variants, including the new Gpcode, use real encryption (Gpcode now uses AES-256 and RSA-1024), but none of them touched the boot record. Since the MBR is the first sector of the drive that the BIOS loads, damage to it can be extremely difficult to reverse.
As of now it's unclear whether a user can boot from installation media and run the FIXMBR command, or whether a repair install or other workarounds will work.
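Because a damaged MBR is so hard to repair after the fact, the practical precaution is to keep a trusted copy of that first sector and compare the live one against it. The script below is an added example for this post; it is not Kaspersky's tooling or anything taken from Seftad. It parses a 512-byte MBR into boot code, disk signature, partition table and the 0x55AA boot signature, and reports how a live sector differs from a backup. The sample sectors are constructed for the demo; on a real machine you would feed it the first 512 bytes of the disk, read from a rescue boot (for example `dd if=/dev/sda of=mbr.bak bs=512 count=1`).

```python
"""Parse a 512-byte MBR and diff it against a trusted backup (added example)."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot loader (the classic layout counts 446)
DISK_SIG_OFF = 440       # Windows keeps a 4-byte disk signature here, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # must be 0x55 0xAA for the BIOS to boot the sector

def parse_mbr(sector):
    """Split a raw MBR sector into its parts; raises if the input is not one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:                           # type 0 is an empty slot
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }

def check_mbr(live, trusted):
    """Compare a live sector with the backup and return a list of findings (empty = identical)."""
    cur, ref = parse_mbr(live), parse_mbr(trusted)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: the sector is no longer a valid MBR")
    if cur["boot_code"] != ref["boot_code"]:
        changed = sum(1 for a, b in zip(cur["boot_code"], ref["boot_code"]) if a != b)
        findings.append("boot code differs from backup in %d of %d bytes" % (changed, BOOT_CODE_LEN))
    if cur["disk_signature"] != ref["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from backup")
    return findings

def read_mbr(path):
    """Read sector 0 from a block device or a disk image (a device needs root)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)

# --- constructed sample sectors (not real loader code, not Seftad) -----------
def _build_mbr(boot_code):
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    # one bootable NTFS partition (type 0x07) at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xAA"

TRUSTED_MBR = _build_mbr(b"\xEB\x3C\x90" + b"\x00" * 10)   # stand-in for the normal loader
# bootkit-style tampering: new loader code, partition table left intact so the disk still mounts
TAMPERED_MBR = _build_mbr(b"\xEB\xFE" + b"\x90" * 100)

if __name__ == "__main__":
    for finding in check_mbr(TAMPERED_MBR, TRUSTED_MBR):
        print("finding:", finding)
```

The point of comparing the parts separately is that a bootkit of this kind replaces the loader but leaves the partition table alone, so the disk still looks healthy to every tool that only reads the partition table; a byte diff of the boot code is what catches it.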
Wednesday, July 14, 2010
ScareWare Now Features 'Live Tech Support'
Pressing Support takes you into a live chat with the rogue AV Tech Support. Brulez says he wondered whether it was a bot answering questions based on keywords or real people – and he reports, "yes, they turned out to be real!"
Kaspersky Labs learned that they not only offer Technical Support by chat, but also by phone and email. The email is especially useful if you don’t speak English. The live chat tells you (in English) to send an email in your native language to a given email address to receive support in your native language.
Once you are in the live chat, one of three 'tech support agents' (Debora Brown, Kendra Grace or David Lee) attempts to convince victims in fluent English that their free trial software is genuine, adding that the first rogue AV is a 'Free Scanner' only and that in order to remove the infections users will need to install the bogus full product. The newer products "clean" the machine, unlike the previous ones.
Below are some videos captured by Brulez and the Kaspersky Labs team:
This new hands-on approach is like nothing seen before. It shows how well organized some of these groups have become.
Thursday, June 03, 2010
More Mac Malware Found In The Wild
OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.
OSX/OpinionSpy performs the following actions:
- This application, which has no interface, runs as root (it requests an administrator’s password on installation) with full rights to access and change any file on the infected user’s computer.
- If for any reason the application stops running, it is re-launched via launchd, the system-wide application and service launching facility.
- It opens an HTTP backdoor using port 8254.
- It scans all accessible volumes, analyzing files, and using a great deal of CPU time. It is not clear what data it copies and sends to its servers, but it scans files on both local and network volumes, potentially opening up large numbers of confidential files on a network to intrusion.
- It analyzes packets entering and leaving the infected Mac over a local network, analyzing data coming from and being sent to other computers. One infected Mac can therefore collect a great deal of data from different computers on a local network, such as in a business or school.
- It injects code, without user intervention, into Safari, Firefox and iChat, and copies personal data from these applications. Code injection is a form of behavior similar to that of a virus, and this malware “infects” applications when they are running to be able to carry out its operations. (It infects the applications’ code in the Mac’s memory, and does not infect the actual applications’ files on the user’s hard disk.)
- It regularly sends data, in encrypted form, to a number of servers using ports 80 and 443. It sends data to these servers about files it has scanned locally, and also sends e-mail addresses, iChat message headers and URLs, as well as other data. This data may include personal data, such as user names, passwords, credit card numbers, web browser bookmarks, history and much more.
- Given the type of data that it collects, the company behind this spyware can store detailed records of users, their habits, their contacts, their location and much more.
- The application can be upgraded automatically, with new features added, with no user intervention, and without the user being aware of this. It occasionally asks users for information, via the display of dialogs, such as their name, or asks them to fill out surveys.
- In some cases, computers with this spyware installed no longer work correctly after a certain period of time; it is necessary to force-reboot such Macs.
- If a user deletes the original application or screen saver that installed this spyware, the spyware itself will remain installed and continue to operate.
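Several of the behaviours listed above (runs as root, re-launched by launchd if it stops, survives removal of the installer) are visible in a launchd job definition, so a quick way to triage a Mac is to read those plists rather than trust the installer's uninstaller. The script below is an added example written for this post, not Intego's detection logic. It walks the standard launchd directories and flags jobs that keep themselves alive (KeepAlive or RunAtLoad) from a program path outside a small allow-list, or from a temporary or hidden directory. The allow-list and the two sample plists are assumptions made for the demo.

```python
"""Triage launchd jobs for self-restarting programs in odd places (added example)."""
import os
import plistlib

LAUNCHD_DIRS = [
    "/Library/LaunchDaemons",                      # jobs here run as root by default
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Assumed allow-list: Apple-owned trees plus installed application bundles.
TRUSTED_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
                    "/Library/Apple/", "/Applications/")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")

def program_path(job):
    """launchd accepts either Program or ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def assess_job(job, daemon):
    """Return the reasons this job deserves a closer look (empty list = nothing odd)."""
    reasons = []
    path = program_path(job)
    persistent = bool(job.get("KeepAlive")) or bool(job.get("RunAtLoad"))
    if persistent and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("self-restarting job launches %s, outside trusted paths"
                       % (path or "<no program>"))
    if path.startswith(TEMP_DIRS) or "/." in path:
        reasons.append("program lives in a temp directory or a hidden path")
    # a LaunchDaemon runs as root unless UserName says otherwise
    if reasons and daemon and job.get("UserName", "root") == "root":
        reasons.append("runs as root")
    return reasons

def triage_plist(data, daemon, fallback_label="?"):
    """Parse one plist (bytes) and return [(label, reasons)] if anything is suspicious."""
    try:
        job = plistlib.loads(data)
    except Exception as exc:
        return [(fallback_label, ["plist does not parse: %s" % exc])]
    reasons = assess_job(job, daemon)
    return [(str(job.get("Label", fallback_label)), reasons)] if reasons else []

def triage_dirs(dirs=LAUNCHD_DIRS):
    """Walk the launchd directories on a live system."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        daemon = "LaunchDaemons" in d
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                with open(os.path.join(d, name), "rb") as fh:
                    findings.extend(triage_plist(fh.read(), daemon, name))
    return findings

# Constructed sample: a root daemon that keeps itself alive from a hidden directory.
SAMPLE_BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.poll</string>
  <key>ProgramArguments</key><array><string>/Library/.cache/poll</string><string>-d</string></array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
# Constructed sample: an ordinary daemon launched from an Apple path, which should pass.
SAMPLE_OK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/usr/libexec/updater</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for label, reasons in triage_dirs():
        print(label)
        for reason in reasons:
            print("   -", reason)
```

Pair it with `launchctl list` to see what is actually loaded, and with `lsof -nP -iTCP:8254 -sTCP:LISTEN` to check for the backdoor port the post names; a job that is loaded but has no plist on disk is itself worth a look.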
Tuesday, March 09, 2010
Malware Found On New Vodafone HTC Magic Phone
The discovery was made after an employee of a software security firm plugged the device into a Windows-based PC running Panda Cloud Antivirus. The malware programs were on the phone's 8GB microSD memory card, which mounts as an external drive when plugged into a PC. Panda's Cloud AV instantly detected both an autorun.inf and an autorun.exe as malicious. A quick look at the phone revealed it was infected and would spread the infection to any PC it was plugged into.
Upon further investigation, Panda found that the employee's phone contained three malware programs: a client for the now-defunct Mariposa botnet, the Conficker worm as well as a password stealer for the Lineage game, said Pedro Bustamante, Panda Security's senior research adviser.
It is likely that this is an isolated incident, perhaps caused by Vodafone selling a refurbished/returned phone without clearing the previous user's data. At this time nothing has been confirmed, and Vodafone says it will look into the incident to "make sure that any necessary changes to their security policies are put in place."
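The autorun.inf plus autorun.exe pair is what turned the memory card into a spreading mechanism: Windows of that era honoured the [autorun] section on removable media, so the program it named could run when the drive was opened. Before trusting a card or stick, it is worth reading that file. The parser below is an added example for this post, not Panda's detection; it lists every program an autorun.inf would launch and whether that file is actually present on the volume. The sample autorun.inf is constructed for the demo, not the one found on the phone.

```python
"""List the programs an autorun.inf would launch from a removable volume (added example)."""
import configparser
import os

def _autorun_section(cp):
    # section names are case-sensitive in configparser but not on Windows
    for name in cp.sections():
        if name.lower() == "autorun":
            return name
    return None

def referenced_programs(inf_text):
    """Return (key, target) pairs for every command an autorun.inf would run."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower              # Windows treats keys as case-insensitive
    cp.read_string(inf_text)
    section = _autorun_section(cp)
    if section is None:
        return []
    found = []
    for key, value in cp.items(section):
        # open=, shellexecute= and every shell\<verb>\command= line name a program to run
        runs = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if runs and value.strip():
            target = value.strip().split()[0].strip('"')   # first token, quotes removed
            found.append((key, target))
    return found

def audit_volume(root, inf_text):
    """Resolve each referenced program on the mounted volume and report whether it exists."""
    report = []
    for key, target in referenced_programs(inf_text):
        path = os.path.join(root, target.replace("\\", "/").lstrip("/"))
        report.append({"key": key, "target": target, "present": os.path.isfile(path)})
    return report

def audit_mounted(root):
    """Convenience wrapper for a live mount point (e.g. E:\\ or /Volumes/NO NAME)."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", encoding="utf-8", errors="replace") as fh:
        return audit_volume(root, fh.read())

# Constructed sample, modelled on the usual worm pattern; not the file from the phone.
SAMPLE_AUTORUN_INF = """[autorun]
Open=autorun.exe
shellexecute=autorun.exe
shell\\open\\Command=autorun.exe
icon=autorun.exe,0
action=Open folder to view files
label=HTC Magic
"""

if __name__ == "__main__":
    for entry in audit_volume(".", SAMPLE_AUTORUN_INF):
        print("%-22s -> %-14s present=%s" % (entry["key"], entry["target"], entry["present"]))
```

An `action=` line that mimics the normal Windows wording ("Open folder to view files") is a tell on its own: it is how the worm gets its entry to look like the built-in one in the AutoPlay dialog.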
Additional Reading:
Thursday, February 18, 2010
Microsoft Confirms Alureon Rootkit To Blame For BSODs
According to a post on Microsoft's Security Response Center blog, all of the affected systems were infected with the Alureon rootkit. The BSODs and subsequent restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places affected systems in an unstable state.
The Microsoft Security Response Team worked with the Microsoft Malware Protection Center (MMPC) on several systems that were delivered to the Microsoft headquarters in Redmond last week. Using these systems the two teams confirmed that all of the affected systems had the Alureon Rootkit installed.
Given the ability of rootkits to hide and the seriousness of the malware that compromised these systems, Microsoft suggests that users back up important files and completely restore the system from a cleanly formatted disk. In many cases the company found that customers could not confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software. Therefore it might be best for anyone who believes they are infected to back up, format and start fresh.
Tuesday, December 01, 2009
New Ransomware Blocks Internet Access, Demands Money
Computer Associates' Internet Security Business Unit first discovered the new trojan bundled with software named uFast Download Manager. Once downloaded, the trojan was installed alongside the uFast download manager without informing the user. It then goes to work blocking internet access until the user enters an activation code. This activation code is obtained by sending an SMS containing a particular number to an expensive premium-rate phone number; CA does not mention the sum involved.
The malware, dubbed 'Win32/RansomSMS.AH', appears to be Russian in origin, as it uses a Russian-language GUI. The ransom page translates as:
Internet access is blocked due to violation of the license agreement schedules of uFast Download Manager
You must activate your copy
Get a registration code by sending an SMS with the following code fw0004199 to number ****
In response you will receive an activation message.
Enter the activation message received from the SMS response ________
CA withheld the amount charged by the premium-rate SMS service, but past ransomware programs have demanded upwards of $50-60 for removal. This time CA ISBU found a way to circumvent the activation scheme and created an activation code generator for this particular ransomware. As yet there has been no word on a removal tool. Keep your AV, anti-malware and anti-spyware signatures up to date to reduce the chance of infection.
Source: CA Security Advisor Research Blog
Thursday, April 09, 2009
A Week Later Conficker Might Be Rearing Its Ugly Head
Conficker.e, as the update has been named, began downloading and installing on previously-infected PCs at midnight London time, said Kevin Hogan, director of security response operations for Symantec Corp.
The new variant is now installing new bots, scareware/ransomware and other malicious code that might be used by the worm's creators to make money. According to Kaspersky researcher Alex Gostev, Conficker.e is downloading and installing fake security software. The rogue software, SpywareProtect2009, extorts $50 from users by claiming to remove an infection, when in fact the software is the infection.
Trend Micro warns that it now detects this new Conficker variant as WORM_DOWNAD.E. Some of the things they have found:
- Kill date: May 3, 2009, after which it stops running
- Runs under a random file name and a random service name
- Deletes the dropped component afterwards
- Propagates via MS08-067 to external IPs if Internet access is available; with no connection it falls back to local IPs
- Opens port 5114 and serves as an HTTP server, advertising itself by broadcasting SSDP requests
- Connects to the following sites:
- Myspace.com
- msn.com
- ebay.com
- cnn.com
- aol.com
It also leaves no trace of itself on the host machine: it runs and then deletes all traces, leaving no files and no registry entries.
The latest reports describe infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do). Waledac is believed to be the successor to the infamous Storm bot and Storm Worm of 2008.
Wednesday, April 01, 2009
As Expected Conficker Doesn't Live Up To The Hype
"Conficker has activated," said Patrik Runald, chief security adviser at F-Secure, in a blog post posted shorty after 12 AM GMT. "So far nothing has actually happened."
So, when exactly is Conficker activating? So far, nothing. Infected computers are generating the list of 50,000 domains and trying to reach 500 of them, as described earlier, but so far no update has been made available. According to F-Secure it goes like this:
- Conficker checks the local clock every 90 minutes (in some cases even more frequently)
- The check is done with Windows GetLocalTime function
- GetLocalTime gives the local time, based on the local time zone
- Because of this, machines around the world are returning different times
- Clock skew affects this as well
- But not by much, as Windows machines will sync their local clock with time.windows.com once a week
- Once the local clock says it's April 1st, Conficker will collect a date from the net
Machines infected by Conficker.C that are switched on will change modes between 00:00 and 01:30 on April 1st according to their own clock. Those that are switched off will change modes soon after they are booted. However, as noted, there has been NO SIGN of the alleged update, and no sign of any further malicious activity.
Several other sites are reporting similar information, with many security researchers sitting, watching and waiting but little to nothing to actually report.
"Over the next 24 hours Conficker will change the way it communicates, but we don't expect much of anything else to happen," said Marcus Sachs, director of the SANS Internet Storm Center, in a blog post. "There has been quite a bit of media hype about Conficker, and we've seen dozens of new domain names registered to 'help' those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers."
The ironic part: despite the fact that we have seen little to nothing at all from the worm, and despite security researchers trying to downplay the threat, the media still clings to the hysteria with crazy headlines. Over the past few hours several headlines have popped up, including "Conficker worm set to infect computers worldwide today", "April Fools virus could mean big problem for millions" and "Conficker: World Preps for April Fools Attack".
No wonder I received a ton of email from friends asking me if they should be concerned. Even now I see two or three emails that have come in since I started writing this. People spot these crazy headlines and overreact!
According to PCWorld.com, IBM believes the US holds only about 6% of the PCs infected by Conficker, with 45% of the Conficker.C-infected computers traced to Asian IP addresses and another 31% to European addresses. If anything of major concern were going to happen, it would have hit those countries long before we had to worry about it.
Read more:
- PCMag.com - 'Conficker' Worm Wakes Up Overseas, But It's Quiet
- InformationWeek - Conficker's April Fools' Day Update Begins With A Yawn
- PC World - Conficker's Zero Hour Arrives Without Event -- Yet
Friday, March 27, 2009
Conficker April Fool's Joke Or Real Threat?
One thing researchers do know for sure is that the two original variants, "Conficker.A" and especially "Conficker.B" (also known as Downadup), have built a botnet estimated at over 10 million PCs. Such a widespread botnet has the potential to wreak havoc; however, until now Conficker has done little more than spread to unprotected PCs, leaving room for much speculation and a ton of hype.
While some security vendors such as ESET are warning users to take precautions and back up in advance of April 1, others like security researcher Joe Stewart believe there is really not much more to worry about, stating "there will be no April 1st outbreak." Clean PCs won't suddenly melt down from a new Conficker infection. All that will happen, Stewart writes, is that the worm will begin to use a new trick that gives it a better chance of getting around existing defenses that attempt to prevent it from updating.
The truth is, there will be no April 1st outbreak, despite what some of the press stories have said so far. The only thing that will happen with Conficker on April 1st is that already-infected systems will begin to use a new algorithm to locate potential update servers. There, that’s not so scary, is it?
This isn't really a new trick for Conficker. Variant C added the ability to circumvent some of the previous workarounds used to block its access to update sites. Stewart and several other researchers believe there is no reason to worry about the overhyped April 1st deadline for Conficker.C.
And here’s why:
- Conficker.C is already able to receive updates via its P2P protocol today, so focusing on the April 1st date is misguided.
- Don’t underestimate the reach of the Conficker Working Group. These are the security industry’s heavy-hitters, and you can be sure they are working diligently to mitigate the domain issue.
- Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly.
- If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.
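The mechanism behind both the F-Secure description (local-clock trigger, 50,000 candidate domains per day, 500 tried per bot) and Stewart's point that the list is "closely monitored" is a date-seeded domain generation algorithm, and it is easier to see why the date is not scary with a small one in hand. The generator below is an added, illustrative example written for this post; it is not Conficker's actual algorithm (which has its own generator and a much larger TLD set), and the hash-based seeding, the five TLDs and the label lengths are assumptions. What it does show is the defender's side: anyone who knows the algorithm and the date can precompute the whole day's list, which is exactly what lets the Working Group pre-register or sinkhole the names.

```python
"""Illustrative date-seeded DGA, with the defender's precomputation (added example)."""
import functools
import hashlib
import random
from datetime import date, datetime

TLDS = (".com", ".net", ".org", ".info", ".biz")   # assumed; Conficker.C's own set was far larger
CANDIDATES_PER_DAY = 50000
TRIED_PER_DAY = 500
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TRIGGER_DAY = date(2009, 4, 1)

def _as_date(day):
    """Accept a date, a datetime or an ISO string like '2009-04-01'."""
    if isinstance(day, datetime):
        return day.date()
    if isinstance(day, date):
        return day
    return date.fromisoformat(day)

def daily_seed(day, secret=b"illustrative-dga"):
    """Every bot derives the same seed from the same calendar day (hash seeding is an assumption)."""
    digest = hashlib.sha256(secret + _as_date(day).isoformat().encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big")

@functools.lru_cache(maxsize=8)
def daily_domains(day, count=CANDIDATES_PER_DAY):
    """The full candidate list for one day; deterministic, so a defender can precompute it too."""
    rng = random.Random(daily_seed(day))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(4, 9)))
        domains.append(label + rng.choice(TLDS))
    return tuple(domains)

def bot_attempts(day, bot_id, tried=TRIED_PER_DAY):
    """One bot's picks for the day. The subset is bot-specific, so a single captured
    bot only reveals 500 of the 50,000 names, while the generator reveals all of them."""
    pool = daily_domains(_as_date(day))
    rng = random.Random(bot_id * 1000003 + _as_date(day).toordinal())
    return rng.sample(pool, tried)

def mode_switch_reached(local_now, trigger=TRIGGER_DAY):
    """F-Secure's observation: the check uses the local clock (GetLocalTime), so bots in
    different time zones flip at different UTC instants, not all at once."""
    if isinstance(local_now, str):
        local_now = datetime.fromisoformat(local_now)
    return local_now.date() >= trigger

def defender_view(day, bot_ids):
    """What a sinkhole operator learns: every observed attempt is in the precomputed list."""
    full = set(daily_domains(_as_date(day)))
    observed = set()
    for bot in bot_ids:
        observed.update(bot_attempts(day, bot))
    return {"precomputed": len(full), "observed": len(observed), "all_known": observed <= full}

if __name__ == "__main__":
    print(bot_attempts("2009-04-01", 1)[:5])
    print(defender_view("2009-04-01", [1, 2, 3]))
```

Two things fall out of running it: the day's list is identical on every machine (that is what makes pre-registration possible at all), and the switch-over is a function of each bot's local date, which is why observers in different time zones saw the "activation" at different hours.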
I share Stewart's personal opinion that the April 1st activation of the new algorithm may simply be a distraction, a kind of practical joke on the part of the worm author(s). Conficker may not be something to laugh about, but it’s also not quite as serious as one might believe from reading about it in many of the articles written so far.
For those of you that are truly worried about it then the best bet is having a good offense. You need to make sure both your operating system and your security are updated. The worm originally was spread through exploitation of the MS08-067 vulnerability in Windows. You need to make sure you have installed the latest patch.
If you believe you might be infected then try one of these tools.
- Microsoft Malicious Software Removal Tool: http://mscom-dlcecn.vo.llnwd.net/download/4/A/A/4AA524C6-239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe
- Symantec Conficker W32.Downadup - Removal Tool
- F-Secure removal utility ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip
- McAfee's removal tool http://67.97.80.71/vil/conficker_stinger/Stinger_Coficker.exe
- For AVG users AVG has created a post on how to clean an infected PC
- Sophos' Conficker removal tool
- ESet EConfickerRemover
On a related note, Symantec researcher John Parks today warned users that searching for Conficker might actually lead to infectious sites. By using Google and simply searching for "Conficker C," Parks found results that included a link to an infected site being used to spread a fake antivirus program. Following the malicious link eventually led to a rogue application installation website which tried to install a malicious piece of software.
Thursday, March 26, 2009
New Ransomware "FileFix Pro 2009" Holds PCs Hostage
With the old scams gaining attention and many sites trying to get the word out that these fake programs are actually the real culprit, the scammers had to upgrade their tactics, and it now looks like they've done just that. The newest ransomware poses as a "file repair application".
It all begins when a user is duped into installing a malicious piece of software, typically via a fake ActiveX control, a fake software update or a pop-up box. The file contains a Trojan which can then download and install other pieces of software, or carry out malicious tasks on its own. The malicious software starts by encrypting several different document types on the infected PC, ranging from Microsoft Word .doc files to Adobe Reader .pdf documents. It also scrambles all the files in Windows' "My Documents" folder.
When an unsuspecting user tries to open one of the encrypted files the virus comes to life and an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message appears to be a legitimate "semi-official" looking notice from the operating system: "Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application," the message reads.
Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software at a price of $50.
Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called "Anti FileFix" available for download that unscrambles files corrupted by the Trojan. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.
Monday, March 09, 2009
New Conficker Variants Add A Few New Tricks
Symantec Corp. has warned that this latest variant uses a new set of tools which is targeting antivirus software and security analysis tools with the aim of disabling them. Any processes found on an infected machine that contain an antivirus or security analysis tool string from the list below are killed:
- wireshark
- unlocker
- tcpview
- sysclean
- scct_
- regmon
- procmon
- procexp
- ms08-06
- mrtstub
- mrt.
- mbsa.
- klwk
- kido
- kb958
- kb890
- hotfix
- gmer
- filemon
- downad
- confick
- avenger
- autoruns
The Conficker worm was at one time estimated to have infected nearly 10 million PCs worldwide, leading Microsoft to offer a $250k reward for information leading to the worm's creators.
*Update*
Read the latest on the Conficker.C worm:
- Geek-News.Net Conficker April Fool's Joke Or Real Threat?
- PCMag.com - 'Conficker' Worm Wakes Up Overseas, But It's Quiet
- InformationWeek - Conficker's April Fools' Day Update Begins With A Yawn
- Geek-News.Net - As Expected Conficker Doesn't Live Up To The Hype
Friday, February 13, 2009
$250K Bounty Placed On Conficker Worm
On Thursday Microsoft announced a $250,000 reward to bring the Conficker authors to justice. The company said it will also form a partnership with several major companies in the effort to stop the worm from spreading any further. The companies include ICANN, Neustar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.
"By combining our expertise with the broader community, we can expand the boundaries of defense to better protect people worldwide," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group.
"The best way to defeat potential botnets like Conficker/Downadup is by the security and Domain Name System communities working together," said Greg Rattray, chief Internet security advisor at ICANN. "ICANN represents a community that's all about coordinating those kinds of efforts to keep the Internet globally secure and stable."
"Microsoft's approach combines technology innovation and effective cross- sector partnerships to help protect people from cybercriminals," Stathakopoulos said. "We hope these efforts help to contain the threat posed by Conficker, as well as hold those who illegally launch malware accountable."
Earlier this week OpenDNS and Kaspersky Lab teamed up to provide users with tools to track PCs on their networks that have potentially been hit by the worm. The tools fight Conficker using the newly introduced OpenDNS Botnet Protection feature, which gives network administrators visibility into the networks they operate and sends a notification if the Conficker Windows worm has successfully penetrated their network. This insight gives network administrators the knowledge necessary to disable the worm and prevent it from causing damage.
The $250,000 reward is for information leading to the arrest and conviction of the Conficker author or authors and Microsoft said it will be available to anyone in any country, subject to local laws.
Monday, January 26, 2009
More Pirated Mac Software Infected
Intego warned last week that copies of Apple iWork '09 found on several popular torrent sites contain a Trojan dubbed OSX.Trojan.iServices.A. According to Intego's report released today, a new variant, dubbed OSX.Trojan.iServices.B, is now being found in torrent downloads of Adobe Photoshop CS4.
"The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program," warns Intego.
After downloading this version of Photoshop, users run the crack application to be able to use it. The crack application extracts an executable from its data, then installs a backdoor in /var/tmp/, a directory which is not cleared when the computer is restarted. (If the user runs the crack application again, the Trojan horse creates a new executable with a different name; these random names make it harder to ensure safe removal of the malware.)
The crack application then requests an administrator password, launching the backdoor with root privileges. This copies the executable to /usr/bin/DivX, then creates a startup item in /System/Library/StartupItems/DivX. The program checks to see if it has been launched with root privileges, then saves the root password hash in the file /var/root/.DivX. It listens on a random TCP port, answers requests such as GET / HTTP/1.0 by sending a 209-byte packet, and makes repeated connections to two IP addresses.
Next, the crack application opens a disk image which is hidden in its resource folder, in a folder named .data, and proceeds to crack the Photoshop program, allowing it to be used.
Since the malicious software connects to a remote server over the Internet, the creator of this malware will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
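To check a Mac, or a mounted disk image from one, for the artefacts Intego lists (the /usr/bin/DivX copy, the StartupItems entry, the /var/root/.DivX hash file and the randomly named dropper in /var/tmp), the script below does that against a given root path and can also send the GET / HTTP/1.0 probe the post mentions to a suspect port. This is an added example written for this post, not Intego's tool; the /var/tmp heuristic (flag any executable there) and the StartupItems listing are assumptions, and the 209-byte reply size is only a hint, not proof. The sample tree it builds is a constructed fixture of placeholder files, not the malware.

```python
"""Look for the iServices.B artefacts on a root path and probe a suspect port (added example)."""
import os
import socket
import stat
import tempfile

# Paths named in Intego's description, relative to the filesystem root
KNOWN_ARTIFACTS = (
    "usr/bin/DivX",
    "System/Library/StartupItems/DivX",
    "var/root/.DivX",
)

def _is_executable(path):
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)

def scan_root(root="/"):
    """Return (reason, path) findings for a live root ('/') or a mounted image's root."""
    findings = []
    for rel in KNOWN_ARTIFACTS:
        p = os.path.join(root, rel)
        if os.path.lexists(p):
            findings.append(("known iServices.B artifact", p))
    # Assumed heuristic: the initial dropper lands in /var/tmp under a random name
    vartmp = os.path.join(root, "var/tmp")
    if os.path.isdir(vartmp):
        for name in sorted(os.listdir(vartmp)):
            p = os.path.join(vartmp, name)
            if _is_executable(p):
                findings.append(("executable in /var/tmp", p))
    # Assumed heuristic: list every other StartupItem so the reviewer can vet it by hand
    si = os.path.join(root, "System/Library/StartupItems")
    if os.path.isdir(si):
        for name in sorted(os.listdir(si)):
            if name != "DivX":                       # already reported above
                findings.append(("StartupItem present", os.path.join(si, name)))
    return findings

def probe_backdoor(host, port, timeout=3.0):
    """Send the GET / HTTP/1.0 request the post mentions; return the reply length, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
            return len(data)            # Intego saw 209 bytes; treat a match as a hint only
    except OSError:
        return None

def make_sample_tree():
    """Constructed fixture: a throwaway root carrying the artefact paths (placeholder files)."""
    root = tempfile.mkdtemp(prefix="iservices-demo-")
    for rel in ("usr/bin/DivX", "var/root/.DivX"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")
    os.makedirs(os.path.join(root, "System/Library/StartupItems/DivX"))
    os.makedirs(os.path.join(root, "var/tmp"))
    dropper = os.path.join(root, "var/tmp", "pLbQ7x")   # random-looking name, as in the post
    with open(dropper, "wb") as fh:
        fh.write(b"placeholder")
    os.chmod(dropper, 0o755)
    return root

if __name__ == "__main__":
    for reason, path in scan_root(make_sample_tree()):
        print("%-28s %s" % (reason, path))
```

Because the backdoor picks a random port, there is nothing fixed to probe; list listening sockets first (`lsof -nP -iTCP -sTCP:LISTEN`) and only then point `probe_backdoor` at the ones you cannot account for.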
My.BarackObama.com Spreading Ransomware
According to ComputerWorld.com, the criminals have set up bogus accounts on the site and used them to create blogs. When a user reaches one of the fake blogs, a YouTube-like video window is displayed; clicking on that video frame takes the user to a malicious Web site packed with pornography.
If the user clicks to view the porn, a message pops up claiming a video codec must be downloaded and installed. The executable file is not a real codec, but rather a Trojan horse that hijacks the PC and installs the ransomware.
Websense, which first uncovered the phony blogs a week ago, has had no luck reaching someone responsible for the My.BarackObama.com site. "We've been constantly trying to reach them, and tried every possible angle, from e-mail to the site itself to the phone, but we haven't heard back," said Dan Hubbard, vice president of security research at Websense. "Obviously, they've been fairly busy."
Visitors to the site who have already been infected should download and run genuine spyware removers. There are several free alternatives such as Ad-Aware, Spybot Search & Destroy or Avira. In past dealings with these tricky pieces of malware I've had success removing them using SmitfraudFix as well as Malwarebytes Anti-Malware.
Wednesday, December 10, 2008
Koobface Worm Reaches Out To More Sites
The Koobface worm has been spreading like wildfire through Facebook since it was first reported last week by McAfee Avert Labs. The virus uses Facebook's private messaging system to spread itself across the social networking site. Facebook users receive a message from an infected profile that offers them a video link paired with the message, "You look just awesome in this new movie." The link takes users to a separate Website that recommends installing an update to watch the video. But the download is actually the virus itself, and installing it leads to another infected computer.
"Facebook is already aware of this [new] threat and is purging the spammed links from their system. But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better," Craig Schmugar of McAfee Avert Labs wrote on the company's blog. "It's important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms."
The newest version of Koobface (W32/Koobface.CZ) is actually a resurgence of an older version of the same worm, reported by Kaspersky Lab in July. Kaspersky warned users then that the two variants of the worm, Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b, were capable of attacks on both MySpace and Facebook.
If the worm is not properly removed it will turn affected computers into "zombies" or bots, allowing the attackers to control the infected computers to either spread more malicious code or carry out attacks on other systems.
Facebook has posted generic instructions for its users to follow on how to remove the infection. Essentially they tell users to change their passwords and immediately run a virus scan using one of these sites:
- http://www.kaspersky.com/virusscanner
- http://security.symantec.com
- http://us.mcafee.com/root/mfs/scan.asp?affid=56
- http://www.bitdefender.com/scan8
- http://onecare.live.com/site/en-us/default.htm
- http://ca.com/securityadvisor/virusinfo/scan.aspx
- http://www.ewido.net/en/onlinescan
- http://www.pandasecurity.com/homeusers/solutions/activescan
Even if you haven't been hit with the worm I'd suggest you take a proactive approach and download one of the several free antivirus programs such as AVG, Avira or Avast. And as I always point out, a little common-sense browsing goes a long way. If you reach a site that tells you that you need to update your software, it's always best to leave and go directly to the software vendor's site.
Friday, October 31, 2008
Cybercrime Group Use Trojan To Steal 500k Bank & Credit Card Logins
A posting today on the RSA FraudAction Research Lab blog shares details of a three-year investigation following the Sinowal Trojan and its possible ties to a Russian organized cybercrime group known as the RBN.
"Sinowal has been the subject of rumor and speculation in the industry, and little is known about its source. Some have alleged that it was owned and operated by a Russian online gang with past ties to the infamous Russian Business Network (RBN). Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN."
RSA's findings on how Sinowal operates
Like other Trojans, Sinowal uses an HTML injection feature that effectively injects new Web pages or information fields into the affected victim’s Internet browser – and these injections seem like legitimate pages to the victim. Just as an example, Sinowal can falsely prompt an unsuspecting victim for personal information such as a social security number and other details which their bank previously pledged to never request be provided online. Even though a prompt like this is not a novel approach to stealing credentials and other information – what struck us the most was the amount of URL "triggers" that cause Sinowal to actually launch this prompt and other functions: Sinowal is triggered by more than 2,700 specific URLs, which means that this Trojan quickly moves into action when users access the websites of what are now hundreds of financial institutions worldwide.
Sean Brady, the product marketing manager for RSA's ID and access assurance group provided a few comments and a few more details in a PC World article.
"The sheer enormity of this makes this unique," said Brady. "And the scale is very unusual." All told, the gang behind Sinowal managed to obtain access to nearly half a million bank accounts and credit cards, a volume RSA dubbed "ruthless" and "extraordinary."
"And the fact that the Trojan was managed by one group through its history, and maintained for nearly three years is also very unusual," Brady said. RSA uncovered records that showed the Trojan had been in active operation since at least February 2006. "In malware life cycles, that's ancient, and to keep it up required a high degree of resources and effort."
The compromised data belongs to customers of hundreds of financial institutions within many regions of the world. RSA found affected financial institutions within North America (both the United States and Canada), Europe (United Kingdom, France, Spain, Germany, the Netherlands, Italy and others), Asia Pacific (Australia, China, Malaysia, and others) as well as some countries in Latin America. However, RSA notes that it found no Russian accounts compromised by Sinowal.
Monday, June 16, 2008
Gpcode.ak Ransomware Fix
The Gpcode.ak virus encrypts files on a victim's hard drive and demands a ransom to decrypt them. So far the encryption that is used has proven too strong to crack. But Kaspersky Lab, which first identified Gpcode.ak earlier this month, says there is a way for most victims to at least recover their files.
Kaspersky says Gpcode.ak works by making a copy of the original file it wishes to kidnap using 1,028-bit encryption, then deleting the original. However, "it doesn't wipe the file from the system," says Roel Schouwenberg, senior antivirus research analyst at the security company.
Kaspersky has been recommending the freely available PhotoRec utility, a nifty piece of software that was initially created as a tool for recovering graphics files. The program was created by Christophe Grenier and is distributed under the GPL license, so anyone can use it.
For more details and instructions, check out the Kaspersky Forums.
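To show why the PhotoRec approach works against a trojan that deletes the originals rather than overwriting them, here is a toy signature-based file carver. It is an added example of mine, not Kaspersky's or PhotoRec's own code, and the "disk image" it scans is constructed inline: three small files placed at sector boundaries with no file system around them, which is roughly what a carver sees once the directory entries for deleted files are gone. The signature table is deliberately minimal (PNG, JPEG, PDF headers and footers) and it does not handle fragmented files, which real carvers do.

```python
"""Signature-based file carving over a raw byte image.

Added example, not Kaspersky's or PhotoRec's own code. It demonstrates
the idea the post relies on: a deleted file's bytes stay on disk until
the blocks are reused, so a carver that scans raw sectors for known
headers and footers can recover it without any file-system metadata.
"""
import struct
import zlib

# (header, footer) pairs for the formats the demo recognises.
# PNG ends with a fixed IEND chunk and its CRC; JPEG ends with the EOI
# marker FF D9; PDF ends with the "%%EOF" keyword.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

SECTOR = 512


def carve(image: bytes, max_len: int = 1 << 20):
    """Return (offset, kind, data) for every header/footer pair found.

    max_len bounds how far past a header the footer is searched for, so a
    header whose footer is gone (a partially overwritten file) is skipped.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head), start + max_len)
            if end < 0:
                pos = start + 1
                continue
            end += len(tail)
            found.append((start, kind, image[start:end]))
            pos = end
    return sorted(found)


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid RGB PNG (constructed sample input)."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def build_image() -> bytes:
    """Constructed 'disk image': three files at sector boundaries, free space zeroed.

    There is deliberately no file system here: after the originals are
    deleted the directory entries are gone, and raw sectors are all a carver sees.
    """
    png = make_png()
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
    jpg = SIGNATURES["jpg"][0] + b"\xe0" + b"\x00" * 40 + SIGNATURES["jpg"][1]
    image = bytearray(SECTOR * 16)
    for offset, data in ((SECTOR * 2, png), (SECTOR * 5, pdf), (SECTOR * 9, jpg)):
        image[offset:offset + len(data)] = data
    return bytes(image)


def overwrite_region(image: bytes, offset: int, length: int) -> bytes:
    """Simulate a wipe of one file's sectors with a fixed fill pattern.

    This is the case carving cannot undo: had the malware overwritten the
    originals in place instead of deleting them, the signatures would be gone.
    """
    buf = bytearray(image)
    buf[offset:offset + length] = (b"\x5a\xa5" * (length // 2 + 1))[:length]
    return bytes(buf)


if __name__ == "__main__":
    disk = build_image()
    for offset, kind, data in carve(disk):
        print(f"recovered {kind} at sector {offset // SECTOR}: {len(data)} bytes")
    wiped = overwrite_region(disk, SECTOR * 2, len(make_png()))
    print("after wiping the PNG's sectors:", [k for _, k, _ in carve(wiped)])
```

Running the script recovers all three files from the constructed image, then shows that once the PNG's sectors are overwritten only the PDF and JPEG remain recoverable. That contrast is the whole point of the post: recovery is possible only because Gpcode.ak deleted the originals instead of wiping them.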
Monday, June 09, 2008
Virus.Win32.Gpcode.ak Ransomware On The Loose
The new malware variant employs RSA 1,024-bit encryption to encrypt nearly every type of file on a victim's hard drive, including .doc, .txt, .pdf, .xls, .png and .jpg. The "ransomware" contains a ransom note offering a decryption key to the user for a price.
Kaspersky is urging Net users to take extra precautions, make sure they are running the latest versions of anti-malware solutions and back up their data regularly, making sure to disconnect storage devices as soon as the back-up process is completed to avoid infection. If infected, do not power down or restart your PC, the company advises.
Kaspersky also urges victims not to succumb to the ransom threat and instead report details of infection to their security providers, Kaspersky and law enforcement authorities.
Detection to Prevention
So far Kaspersky researchers have not been able to crack the virus's encryption, making it nearly impossible to remove. Therefore the only known solution is to completely erase an infected drive. Users can and should take steps to avoid infection: don't download any suspicious files, keep all your anti-virus/anti-malware programs updated, etc.
Fortunately, the virus can be detected, providing users with at least a little protection.
"We can detect it, and we have shared this internationally so that [system administrators and e-mail service providers] can also protect their users, but the most reliable method is creating back-ups of external media, which of course should be disconnected after the back-up procedure. If you leave the external hard drive running, Gpcode will infect the external hard drive and equipment. It's just good back-up practice in any case," Schouwenberg advised.
What to Do If Infected
Kaspersky explains, "After Gpcode.ak encrypts files on the victim machine, it adds '._CRYPT' to the extension of the encrypted files and places a text file named '!_READ_ME_!.txt' in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a 'decryptor.'"
Kaspersky is offering to help victims trying to recover their data. If infected, Kaspersky urges victims to e-mail the labs at stopgpcode@kaspersky.com and include the following information in the e-mail:
- Date and time of infection,
- Everything done on the computer in the five minutes before the machine was infected, including programs executed and Web sites visited.
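The two indicators Kaspersky names above, the '._CRYPT' suffix and the '!_READ_ME_!.txt' note, are enough to triage a machine and to estimate the "date and time of infection" the lab asks victims to report. The script below is an added example of mine, not a Kaspersky tool: it walks a directory tree, lists encrypted files and ransom notes, recovers the original extensions from the renamed files, and takes the earliest modification time among the encrypted files as a first estimate of when encryption started. The directory layout and timestamps it scans are constructed by the script itself in a temporary folder.

```python
"""Triage scan for Gpcode.ak-style indicators.

Added example, not Kaspersky's code. It looks for the two indicators the
post names (files ending in '._CRYPT' and notes named '!_READ_ME_!.txt')
and reports the earliest mtime among the encrypted files as a rough
answer to the 'date and time of infection' question.
"""
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Optional

ENCRYPTED_SUFFIX = "._CRYPT"
RANSOM_NOTE = "!_READ_ME_!.txt"


def scan_for_gpcode(root: str) -> Dict[str, object]:
    """Walk `root` and collect Gpcode.ak indicators into a small report."""
    encrypted: List[str] = []
    notes: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif name == RANSOM_NOTE:
                notes.append(path)

    affected_dirs = sorted({os.path.dirname(p) for p in encrypted + notes})
    # 'report.doc._CRYPT' -> '.doc': strip the added suffix, then split the extension.
    original_exts = sorted({
        os.path.splitext(p[:-len(ENCRYPTED_SUFFIX)])[1].lower() for p in encrypted
    })
    # Earliest mtime among encrypted files approximates when encryption began.
    earliest = min((os.path.getmtime(p) for p in encrypted), default=None)
    first_seen: Optional[datetime] = (
        datetime.fromtimestamp(earliest, tz=timezone.utc) if earliest is not None else None
    )
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_dirs": affected_dirs,
        "original_extensions": original_exts,
        "first_seen_utc": first_seen,
    }


def build_sample_tree() -> str:
    """Create a constructed directory tree with 'encrypted' files and notes.

    File contents are dummies; only names and mtimes matter for the scan.
    The mtime base is a constructed value in early June 2008.
    """
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    base = 1_213_000_000
    layout = {
        "docs/report.doc._CRYPT": base + 120,
        "docs/budget.xls._CRYPT": base + 125,
        "docs/!_READ_ME_!.txt": base + 130,
        "photos/holiday.jpg._CRYPT": base + 60,
        "photos/!_READ_ME_!.txt": base + 65,
        "photos/untouched.png": base - 5000,
        "notes.txt": base - 9000,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"demo")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    report = scan_for_gpcode(build_sample_tree())
    print("encrypted files :", len(report["encrypted_files"]))
    print("ransom notes    :", len(report["ransom_notes"]))
    print("affected dirs   :", report["affected_dirs"])
    print("original types  :", report["original_extensions"])
    print("first seen (UTC):", report["first_seen_utc"])
```

The earliest-mtime estimate is only a floor: the time stamp reflects when the encrypted copy was written, not when the dropper ran, so it should be paired with the "what happened in the five minutes before" detail Kaspersky asks for rather than replace it.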
Wednesday, June 04, 2008
Hong Kong's ".hk" Labeled Most Dangerous Domain By McAfee
The report, based on the Web-crawling and analysis technologies that power McAfee's SiteAdvisor tool for safe Web surfing, looked at 9.9 million heavily trafficked Web sites in 265 countries ending in country domain codes, such as .br for Brazil.
"We looked at the major categories, including exploits by drive-by downloads, spam, and downloads that come with malware such as viruses," says McAfee analyst Shane Keats about the security company's new report, titled "Mapping the Mal Web Revisited." He describes the report as a bit like a "Lonely Planet" travel guide for the Web, adding, "Danger on the Web is very fluid."
The world’s most dangerous overall country web domains:
- Hong Kong (.hk)
- PR of China (.cn)
- Philippines (.ph)
- Romania (.ro)
- Russia (.ru)
The world's safest overall country web domains:
- Finland (.fi)
- Japan (.jp)
- Norway (.no)
- Slovenia (.si)
- Colombia (.co)
The riskiest generic domain in 2007's report, .info, became more dangerous: 11.8% of all sites ending in .info pose a security threat, which makes .info the third most dangerous domain overall, while government websites (.gov) remained the safest generic domain. The most popular domain, .com, is the ninth riskiest overall. The full McAfee "Mapping the Mal Web Revisited" report is available for download at http://www.mcafee.com/advice.
Other key findings from McAfee's 2008 "Mapping the Mal Web Revisited" report include:
- The chance of downloading spyware, adware, viruses or other unwanted software from surfing the Web increased 41.5% over 2007
- Sites which offer downloads such as ringtones and screen savers that are also loaded with viruses, spyware and adware increased over the last year from 3.3% to 4.7%
- The Philippines (.ph) experienced a 270% increase in overall riskiness
- Tokelau (.tk) and Samoa (.ws) were notably safer in 2008, dropping to 28th and 12th respectively
- In Europe, Spain (.es) experienced a 91% increase in overall risk
Friday, May 16, 2008
Fake Grand Theft Auto IV Torrents Contain Viruses
Hackers have been planting Trojans and other viruses in bogus game files, masking them as torrents that contain the files for GTA 4. The torrents are then being downloaded from P2P networks by those trying to illegally experience the game without purchasing it.
John Safa, chief technical officer of DriveSentry, said: "People are exploiting the popularity of GTA IV in a way which could bring mayhem to the internet."
Former hacker Safa highlighted that within two minutes of logging on to the P2P network Limewire he found evidence of Trojan viruses disguised as GTA IV files.
We all know the huge risk involved in using P2P, and Geek-News.Net does not condone the action of illegally downloading files. But a few words of caution here:
Tread very carefully around these files; if you are going to download them, do so from a good source. If you are hit with a link to a site that says it has a download, chances are it's a fake. Always check the main sites first. Invest in a good anti-virus: Avast and AVG are great products that are free. Make sure you have the latest updates; virus definitions are updated constantly, and it does little to no good to use an outdated AV program.
