<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
  <channel>
    <title>Secure Computing Corporation - TrustedSource Blog</title>
    <link>http://www.trustedsource.org</link>
    <description>The latest threats and security trends</description>
    <copyright>Copyright 2008 by Secure Computing Corporation</copyright>
    <language>en-us</language>
    <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/Trustedsource" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
      <title>Network Security Defeats Microsoft Video ActiveX Exploit</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/6LeoA6yVShc/Network-Security-Defeats-Microsoft-Video-ActiveX-Exploit</link>
      <pubDate>Tue, 07 Jul 2009 23:28:58 UT</pubDate>
      <description>As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield). Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/268/Network-Security-Defeats-Microsoft-Video-ActiveX-Exploit</feedburner:origLink></item>
    <item>
      <title>Variant of Mac Malware Another Party Puper</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/SgR0I-KlToY/Variant-of-Mac-Malware-Another-Party-Puper</link>
      <pubDate>Tue, 07 Jul 2009 21:30:15 UT</pubDate>
      <description>We recently received a new sample of the Mac malware OSX/Puper.a. This file [MD5 Sum: 428143005E07E510302BA431FE0C28CC], which disguises itself as a Mac Cinema Installer, was recently mentioned in PC Magazine. When the DMG file is executed on the Mac, it displays the following message:  As the execution continues, the malware gets installed on the machine with the [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/267/Variant-of-Mac-Malware-Another-Party-Puper</feedburner:origLink></item>
    <item>
      <title>SWF Flash Exploits: Old Wine in a New Bottle</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/EviIf7Dl8fM/SWF-Flash-Exploits-Old-Wine-in-a-New-Bottle</link>
      <pubDate>Tue, 07 Jul 2009 19:24:47 UT</pubDate>
      <description>Adobe Flash applications have been a major security concern during the past couple of years. The large number of Flash vulnerabilities published, coupled with its popularity and wide distribution, makes Flash files an attractive target for cybercriminals. Infecting banner ads is not new; these Flash-based “malvertisements” have plagued adservers and popular websites for a very [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/266/SWF-Flash-Exploits-Old-Wine-in-a-New-Bottle</feedburner:origLink></item>
    <item>
      <title>An Artemis View of Zero-Day Attacks</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/GFSOl-HLPw8/An-Artemis-View-of-Zero-Day-Attacks</link>
      <pubDate>Tue, 07 Jul 2009 11:05:52 UT</pubDate>
      <description>In our blog from yesterday, we described how Exploit-MSDirectShow.b has been widely deployed on hijacked websites in China, targeting Internet Explorer users. When a victim browses one of these sites, malware is downloaded to the computer. To better understand the current impact of these attacks, we have monitored the prevalence of its downloaded malware through Artemis. Since yesterday, [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/265/An-Artemis-View-of-Zero-Day-Attacks</feedburner:origLink></item>
    <item>
      <title>McAfee Coverage of the DirectShow Exploit</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/GpnkIZWAaak/McAfee-Coverage-of-the-DirectShow-Exploit</link>
      <pubDate>Tue, 07 Jul 2009 08:47:42 UT</pubDate>
      <description>Since we reported about the new attacks against Internet Explorer exploiting a vulnerability in a DirectShow ActiveX object, we have released DATs/coverage updates for many of our products and technologies. Current status for each of the content areas:  Malware:  Coverage is provided for exploit code in the 5668 DATs, released on July 6 HIPS:  Generic buffer [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/264/McAfee-Coverage-of-the-DirectShow-Exploit</feedburner:origLink></item>
    <item>
      <title>July Spam Report Appears</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/HCfxFGfdWZY/July-Spam-Report-Appears</link>
      <pubDate>Mon, 06 Jul 2009 14:50:19 UT</pubDate>
      <description>Today McAfee released its July 2009 Spam Report, which reveals the Top 15 spam subject lines by domain, among other highlights. So what was the one subject line that was most popular in six continents this quarter? Viagra. For the .COM domain, “hi” and “hello” hit the most in-boxes, while Viagra and “Salute, man!” subject lines [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/263/July-Spam-Report-Appears</feedburner:origLink></item>
    <item>
      <title>New Attacks Against Internet Explorer</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/ZQzCyaICRf0/New-Attacks-Against-Internet-Explorer</link>
      <pubDate>Mon, 06 Jul 2009 10:39:00 UT</pubDate>
      <description>If you read Geok Meng and Xiaobo’s blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites. At the time of research, over a hundred hijacked sites were found [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/262/New-Attacks-Against-Internet-Explorer</feedburner:origLink></item>
    <item>
      <title>Fake Alerts Uncovered</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/atn8BGej3TE/Fake-Alerts-Uncovered</link>
      <pubDate>Thu, 02 Jul 2009 17:32:26 UT</pubDate>
      <description>It has been almost a year since the rogue anti-virus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering. Having discussed these methods in earlier blogs, today we will look into the protection mechanisms adopted by these fake-alert Trojan families to evade [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/261/Fake-Alerts-Uncovered</feedburner:origLink></item>
    <item>
      <title>Generic Rootkit.d Strikes Again in New Variant</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/kAtzvGMXgIQ/Generic-Rootkitd-Strikes-Again-in-New-Variant</link>
      <pubDate>Mon, 29 Jun 2009 13:32:04 UT</pubDate>
      <description>A few days ago I got a chance to look at a recent variant of the DNSChanger.ad. It drops a common rootkit that is mostly associated with FakeAlert and DNSChanger Trojans. Over a period of time the dropped sys file names have changed from tdss*.sys to seneka*.sys to skynet*.sys and so on. Our memory detection [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/260/Generic-Rootkitd-Strikes-Again-in-New-Variant</feedburner:origLink></item>
    <item>
      <title>Michael Jackson News Affects Web Traffic</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/lj0Hpe1zKtU/Michael-Jackson-News-Affects-Web-Traffic</link>
      <pubDate>Fri, 26 Jun 2009 21:58:39 UT</pubDate>
      <description>The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing. Within hours the percentage of “long-tail” URL traffic associated with [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/259/Michael-Jackson-News-Affects-Web-Traffic</feedburner:origLink></item>
    <item>
      <title>Bad News Offers Opportunity to Spread Malware</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/CcB0MOAJU6E/Bad-News-Offers-Opportunity-to-Spread-Malware</link>
      <pubDate>Thu, 25 Jun 2009 23:26:23 UT</pubDate>
      <description>With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.    Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/258/Bad-News-Offers-Opportunity-to-Spread-Malware</feedburner:origLink></item>
    <item>
      <title>Sex the Bait in Mass Orkut Compromise</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/TNmzdZecBDY/Sex-the-Bait-in-Mass-Orkut-Compromise</link>
      <pubDate>Tue, 23 Jun 2009 17:38:18 UT</pubDate>
      <description>With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams. With more than 15 percent of the traffic from India, Orkut is perhaps the most [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/257/Sex-the-Bait-in-Mass-Orkut-Compromise</feedburner:origLink></item>
    <item>
      <title>More Password-Theft Shenanigans</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/GRkx8FRAz4U/More-Password-Theft-Shenanigans</link>
      <pubDate>Tue, 23 Jun 2009 07:53:51 UT</pubDate>
      <description>Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de. When run, the password-stealing Trojan queries for the infected host’s IP address using three web-based IP address-lookup services. It [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/256/More-Password-Theft-Shenanigans</feedburner:origLink></item>
    <item>
      <title>DDoS Not the Most Political Way to Protest</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/nYbadwuQX18/DDoS-Not-the-Most-Political-Way-to-Protest</link>
      <pubDate>Tue, 16 Jun 2009 01:35:20 UT</pubDate>
      <description>So, Iran had elections this weekend. Some people don’t agree with the results. As a consequence, some people are organizing DDoS attacks against Iranian websites, more precisely: http://www.leader.ir/ http://president.ir/ http://www.irib.ir/ http://www.iribnews.ir/ and some specific URLs on those domains. No guys, that’s not the right path and, as it is a malicious activity, we are detecting the tools being distributed to create [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/255/DDoS-Not-the-Most-Political-Way-to-Protest</feedburner:origLink></item>
    <item>
      <title>Worms Dig Further Than Thumb Drives</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/PchNbXCMHpQ/Worms-Dig-Further-Than-Thumb-Drives</link>
      <pubDate>Thu, 11 Jun 2009 22:24:11 UT</pubDate>
      <description>Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.  Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/254/Worms-Dig-Further-Than-Thumb-Drives</feedburner:origLink></item>
    <item>
      <title>Spammers Take Advantage of Air France Crash</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/CWXUY4Ow2do/Spammers-Take-Advantage-of-Air-France-Crash</link>
      <pubDate>Thu, 11 Jun 2009 20:38:52 UT</pubDate>
      <description>As we foresaw, spammers have used the Air France AF447 disaster to catch people’s attention and prompt them to open fake news emails related to this event. Less than two weeks after the crash, the first emails started to spread. We’ve seen the following subjects:  A-330 blackbox record Another plane crushed Last seconds of plane  When opened, all these [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/253/Spammers-Take-Advantage-of-Air-France-Crash</feedburner:origLink></item>
    <item>
      <title>Dumb Malware Authors Cause More Damage Than Smart Ones</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/pny8iwmWuUs/Dumb-Malware-Authors-Cause-More-Damage-Than-Smart-Ones</link>
      <pubDate>Thu, 11 Jun 2009 20:55:25 UT</pubDate>
      <description>I don’t really know which is worse: a dumb or a smart malware writer. Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.  While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/252/Dumb-Malware-Authors-Cause-More-Damage-Than-Smart-Ones</feedburner:origLink></item>
    <item>
      <title>Zero-Day Exploit Leads to Apparent Suicide</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/hvmaiFZLXa0/Zero-Day-Exploit-Leads-to-Apparent-Suicide</link>
      <pubDate>Wed, 10 Jun 2009 23:04:44 UT</pubDate>
      <description>This is tragic news, indeed. We have heard of software flaws costing customers hefty amounts of money, man hours, bandwidth, disk space, etc. But now the cost has reached an unprecedented level–causing HyperVM’s creator to apparently commit suicide. The problem started earlier this week, when a large web host company that relied on HyperVM to [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/251/Zero-Day-Exploit-Leads-to-Apparent-Suicide</feedburner:origLink></item>
    <item>
      <title>ATM Malware Makes Withdrawals in Russia</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/NZWj-y-BjGg/ATM-Malware-Makes-Withdrawals-in-Russia</link>
      <pubDate>Wed, 10 Jun 2009 16:55:30 UT</pubDate>
      <description>We frequently encounter password stealers and backdoors in computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see these malware directly implemented in banks’ automated teller machines. In these cases, Trojans have to be installed by people who have physical access to the machines. Data [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/250/ATM-Malware-Makes-Withdrawals-in-Russia</feedburner:origLink></item>
    <item>
      <title>Avoid Housecalls From Rogue ‘Malware Doctor’</title>
      <link>http://feedproxy.google.com/~r/Trustedsource/~3/RqXkV8W914A/Avoid-Housecalls-From-Rogue-Malware-Doctor</link>
      <pubDate>Fri, 05 Jun 2009 15:02:49 UT</pubDate>
      <description>Yesterday, we came across a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as FakeAlert-D Trojan with our DAT 5635. The new variant comes from the following web pages: hxxp://internetware-sa{blocked}.com/ hxxp://mal-ware{blocked}.net As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to [...]</description>
    <feedburner:origLink>http://www.trustedsource.org/blog/249/Avoid-Housecalls-From-Rogue-Malware-Doctor</feedburner:origLink></item>
  </channel>
</rss>
