GLOBAL SECURITY ADVISOR RESEARCH BLOG http://totaldefense.com en-gb Wed, 02 May 2012 12:38:27 GMT

Hoax Lottery emails from Mark Zuckerberg

Scam lotteries have been a frequent issue in the past, and they continue to appear, following media trends.
Total Defense Intelligence Service (Research ISI Team) today caught an interesting email pretending to come from Facebook’s CEO Mark Zuckerberg.

The email informs the recipient of a fake lottery win and asks the user to contact a Mr. Douglas Price, a supposed fiduciary agent who will handle the award.

http://totaldefense.com/blogs/2012/05/02/Hoax-Lottery-emails-from-Mark-Zuckerberg.aspx Wed, 02 May 2012 12:38:27 GMT
Ransomware exploits Microsoft Windows Update Center Service

Our first indicators of ransomware were trojanised emails masquerading as police warnings aimed at end users (see Ransomware Exploits the Italian Police), and now it seems to have evolved into leveraging a fake Windows Update system.
It is the result of an aggressive campaign originating in Germany, where users receive emails similar to the following:

http://totaldefense.com/blogs/2012/04/27/Ransomware-exploits-Microsoft-Windows-Update-Center-Service.aspx Fri, 27 Apr 2012 14:03:16 GMT
Beware of False E-Commerce Websites

It is a very common habit of internet users to download videos or unknown software from reputed video-sharing websites. There is nothing uncommon in doing so, but users may be lured by advertisements for interesting prize-draw contests on false websites, which in turn leads to a loss of money if a purchase is attempted.

I came across a similar scenario when I downloaded a video.

http://totaldefense.com/blogs/2012/04/27/Beware-of-False-E-Commerce-Websites.aspx Fri, 27 Apr 2012 10:49:19 GMT
Digital Resurrections - malicious links piggybacking on trending videos

News trending on most major websites, and a few tech websites, is the re-animated emergence of a digital avatar resembling a long-deceased musician.
2Pac videos have gone viral, and as expected it’s almost too good an opportunity for the malware guys to pass up.

It must be mentioned that the video format itself is not immune to embedded malicious links, but this time the links are far more obvious.
In fact, the links are in plain sight, almost “helpful” and benign-looking... if only they were!
See screen grab.

http://totaldefense.com/blogs/2012/04/20/Digital-Resurrections-malicious-links-piggybacking-on-trending-videos.aspx Fri, 20 Apr 2012 11:56:09 GMT
OSX/SabPub - New Backdoor Malware Threat for Mac OS X

Another new malware has been discovered that exploits the CVE-2012-0507 Java vulnerability, the same vulnerability that OSX/Flashback used. The latest variant of this threat has been found using the same exploit that OSX/MS09-027!exploit used.

This new malware takes advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been patched since 2009; it could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/SabPub.A.

Once OSX/SabPub.A is executed, the decoy Word file is opened to distract the user and hide the malicious activity running in the background.

http://totaldefense.com/blogs/2012/04/18/OSX/SabPub-New-Backdoor-Malware-Threat-for-Mac-OS-X.aspx Wed, 18 Apr 2012 11:19:30 GMT
Fraud Wiki Repair Guide

Nowadays there are a lot of Wiki pages on the internet that contain useful information on a wide range of topics, usually populated by a community of people. But not all information that can be found there can be trusted. One particular example is the Wiki that distributes the fraudulent “PCCleaner Pro 2012”.

Upon accessing the main page, it shows a lot of common errors that people may encounter on a typical Windows machine, and its “Repair Guide” links always ask the user to download the file “PC_Cleaner_Pro.exe”, which Total Defense products detect as Win32/FraudPCCleanerPro.A.

http://totaldefense.com/blogs/2012/04/17/Fraud-Wiki-Repair-Guide.aspx Tue, 17 Apr 2012 14:50:30 GMT
Malware Targeting Windows and MAC OSX

Malware is getting more and more sophisticated as the days go by. The Windows platform is the usual infection target of malware authors, but this time they have added one more target platform, Mac OS X.

Recently, another Tibetan-themed malware has been discovered which takes advantage of a patched Java vulnerability (CVE-2011-3544).

When a user unknowingly visits a malicious website, the attack starts with a script loading the malicious Java applet that exploits CVE-2011-3544; the applet then selects the malicious payload depending on which operating system the user is running. In the new variant samples, as shown in Figure 1, if the OS is Windows the file “img.jar” is executed, and if the OS is Mac OS X the file “ref.jar” is executed.

http://totaldefense.com/blogs/2012/04/12/Malware-Targeting-Windows-and-MAC-OSX.aspx Thu, 12 Apr 2012 13:45:45 GMT
Mac OS X Threat Flashback is Back!

OSX/Imuler is not the only Mac OS X threat that has resurfaced this year. OSX/Flashback has been making its rounds again.

As you may remember, OSX/Flashback appeared last year disguised as an Adobe Flash Player installer. The previous variants connect to a remote host to download their component files and install a backdoor that injects into web browsers and other applications in order to steal sensitive user information.

This time the author of OSX/Flashback has another trick up their sleeve. A new variant of OSX/Flashback has been discovered that takes advantage of Java vulnerabilities, namely CVE-2008-5353, CVE-2011-3544 and CVE-2012-0507. Unlike the old variants, which needed the user to enter the administrator password, this new variant doesn’t need any user interaction to infect the system successfully.

When a user unknowingly visits a malicious website, the attack starts with a script loading the malicious Java applet. If Java on that system is enabled and vulnerable, the infection succeeds.

Upon execution of the malicious Java applet, it drops a file as “~/.jupdate” in the user’s home folder. It then creates “com.java.update.plist” in ~/Library/LaunchAgents/ to ensure that the dropped file stays active on the system.

OSX/Flashback botnet has more than 550,000 infected machines according to reports.

http://totaldefense.com/blogs/2012/04/12/Mac-OS-X-Threat-Flashback-is-Back.aspx Thu, 12 Apr 2012 13:09:38 GMT
Mac OS X Threat Masquerading as Image Files

Last year, a variant of OSX/Imuler was discovered masquerading as an innocent PDF document.

Recently, a new variant of OSX/Imuler has been discovered masquerading as image files of the popular Russian model Irina Shayk. The malicious application is placed inside a ZIP archive together with various other image files taken from FHM magazine.

By default, Mac OS X doesn’t display file extensions. As you can see in the image below, the highlighted icon is the malicious application, but to the naked eye all of these files appear to be just image files.

http://totaldefense.com/blogs/2012/04/11/Mac-OS-X-Threat-Masquerading-as-Image-Files.aspx Wed, 11 Apr 2012 17:30:47 GMT
MS09-027 Target: Mac OSX & Tibetan NGOs

Lately, the number of malware samples targeting Mac OS X has been rising. A new malware that exploits an old vulnerability has been found.

This new malware takes advantage of an old vulnerability in Microsoft Word (MS09-027). This vulnerability has been patched since 2009; it could allow remote code execution if a user opens a specially crafted Word file. This malware is detected as OSX/MS09-027!exploit.

Once executed, OSX/MS09-027!exploit drops the following files:

• /tmp/launch-hs
• /tmp/launch-hse
• /tmp/file.doc

The file launch-hs is a script that executes the files launch-hse and file.doc. Once file.doc has been opened, it distracts the user to hide the malicious activity running in the background.

http://totaldefense.com/blogs/2012/04/11/MS09-027-Target-Mac-OSX-and-Tibetan-NGOs.aspx Wed, 11 Apr 2012 16:42:21 GMT
Family Ties Between Android Malware

While sorting the recent mobile malware collections, I stumbled on a sample which was submitted today. The sample has neither any new break-through payload nor any advanced functionality. However, what makes it interesting is the fact that it includes features seen in a couple of different malware families.

So, what does it do?

It is a typical SMS Trojan that sends SMS messages to premium message centres. In the process, it makes sure that the messages are sent only once, the first time the code is run. This feature is taken from the very old “FakePlayer” family.

http://totaldefense.com/blogs/2012/03/30/Family-Ties-Between-Android-Malware.aspx Fri, 30 Mar 2012 13:55:44 GMT
Rogue Security Software keeps on hitting Internet users

We thought the rogue security software trend had died down this year, but in truth we are witnessing two new incidents of rogues reported by users and customers.

According to the data obtained, in only one month of monitoring the Winwebsec process we have seen an impressive number of reported incidents, which in terms of numbers translates into almost 7,000 issues.

http://totaldefense.com/blogs/2012/03/28/Rogue-Security-Software-keeps-on-hitting-Internet-users.aspx Wed, 28 Mar 2012 16:39:03 GMT
Android Malware adopts reflections

In our earlier blogs we have highlighted how Android malware authors are quickly adopting various tricks from the age-old and vast pool of desktop malware tricks. In this blog post we will talk about one such trick, adopted from desktop malware.

While processing a recent batch of malware collections, we noticed heavy use of reflection in quite a few Android samples. It is important to note that the use of reflection by malware is not new. It has been practised by traditional desktop threats written in Java for a long time, and we have seen it used sporadically in some Android variants since last year. Now it is interesting to see this trend adopted in a full-fledged manner by new variants in bulk numbers.

http://totaldefense.com/blogs/2012/03/12/Android-Malware-adopts-reflections.aspx Mon, 12 Mar 2012 09:54:41 GMT
Tax refund spams are back

It's that time of the year when people in some parts of the world are filing their tax returns, and what better time for cyber crooks to trick them into falling prey to phishing attacks via email. India has been reported in recent malware threat reports as one of the regions with high spam activity, and this blog will briefly discuss a very convincing social engineering spam I ran into recently.
I received an email in one of my inboxes which seemed to promise me a refund of 34,000 Indian Rupees, provided I submitted a request through a URL in the email [see Figure 1]. This email immediately aroused my suspicion, as I have been abroad for more than a year now and was not expecting such an email. The content of the email also seemed fairly convincing from an ordinary net user's perspective. Sure enough, the URL was parked on a German subdomain hosted on a free hosting website. Well, I am fairly certain that the Income Tax Department of India would not be hosted on a .de domain.

http://totaldefense.com/blogs/security-advisor/2012/03/07/Tax-refund-spams-are-back.aspx Wed, 07 Mar 2012 00:00:00 GMT
Android Social Engineering Threats in the Spotlight

In all of our earlier blogs about Android threats, we have highlighted the fact that user awareness is one of the most important factors in fighting social engineering threats.

Yesterday, a familiar Android threat was making news, powered by a sound social engineering trick. This blog looks at the differences and similarities among the variants of this particular bunch.

Though the variants exhibit the same behaviour, claiming that the “application” is an installer for famous applications, different variants use different brands such as the Opera browser, Jimm, and Skype. In the process, however, they actually send messages to the message centres obtained by decrypting the config file. After sending the SMS messages, the user may or may not be redirected to the download link of the original application.

http://totaldefense.com/blogs/security-advisor/2012/02/27/Android-Social-Engineering-Threats-in-the-Spotlight.aspx Mon, 27 Feb 2012 11:08:45 GMT
FTC investigating privacy disclosure practices of popular mobile apps

In a staff report released yesterday, the FTC investigates the extent to which app vendors disclose the types of data they collect on children and how that information is used. The report is worth a good review, as it highlights the general lack of notice provided to parents in the majority of apps reviewed. A total of 960 apps specifically targeting children were reviewed, with the total volume split evenly between Apple iOS and the Android platform.

Although none of the apps were functionally tested to empirically measure the privacy impact, it's still great to see the FTC continuing their focus on our children. This report stands in firm support of the COPPA legislation and furthers the dialogue necessary to better protect children online.

http://totaldefense.com/2012/02/17/FTC-investigating-privacy-disclosure-practices-of-popular-mobile-apps.aspx Fri, 17 Feb 2012 20:12:02 GMT
Password Best Practices

Often the disclosure of a password is no fault of our own but rather the result of a website or application compromise. Use these tips to develop a password management strategy that will dramatically decrease your overall risk if any one of your passwords is compromised. Hopefully, the next time you have to create a strong password, it won't take nearly as long to think up something secure.

http://totaldefense.com/blogs/security-advisor/2012/01/24/Password-Best-Practices.aspx Tue, 24 Jan 2012 18:17:51 GMT
Ransomware Exploits the Italian Police

Today, the Total Defense Research Team was informed of new ransomware circulating among Italian users, pretending to be an official statement by the Italian Police. This malware is spread by drive-by download through websites compromised with malicious JavaScript code.

http://totaldefense.com/blogs/security-advisor/2011/12/19/Ransomware-Exploits-the-Italian-Police.aspx Mon, 19 Dec 2011 23:12:31 GMT
Detailed analysis of malware sample removed from Android Market

Yesterday, a few SMS Trojans were found in the Android Market and subsequently removed from the marketplace. In this blog post we will demonstrate some of the interesting behaviours uncovered through dynamic analysis.

http://totaldefense.com/blogs/security-advisor/2011/12/13/Detailed-analysis-of-malware-sample-removed-from-android-market.aspx Tue, 13 Dec 2011 00:00:00 GMT
The woes of a Physical Security breach

This blog is written to emphasize the importance of physical security in the current day and age. I myself am a victim of a recent physical security breach that happened at Lucky Superstores in the United States, which resulted in the theft of the debit card details of many of its customers. It has been confirmed that more than 20 stores were affected through the 500 or more self-checkout stations which were compromised to aid in this physical security based attack.

http://totaldefense.com/securityblog/2011/12/09/The-woes-of-a-Physical-Security-breach.aspx Fri, 09 Dec 2011 00:00:00 GMT
New Zero-Day Attack in Adobe Products (CVE-2011-2462)

Recently, Adobe has released a new security advisory, APSA11-04, alerting users about a critical vulnerability in Adobe Reader and Acrobat.

The U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. This means that malicious files could be downloaded or dropped onto the affected system.

Adobe is in the process of finalizing a fix for the issue and expects to make available an update for Adobe Reader 9.x and Acrobat 9.x for Windows no later than the week of December 12, 2011. Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit of this kind from executing, Adobe is currently planning to address this issue in Adobe Reader X and Acrobat X for Windows with the next quarterly security update for Adobe Reader and Acrobat, currently scheduled for January 10, 2012. Adobe is planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update scheduled for January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.

http://totaldefense.com/securityblog/2011/12/08/New-Zero-Day-Attack-in-Adobe-Products-CVE-2011-2462.aspx Thu, 08 Dec 2011 00:00:00 GMT
‘Duqu’ 0-day exploit gets a temporary fix

Not long ago, the malware called Stuxnet made its foray into the world of the Internet, capturing people's attention. This was the first malware of its kind which embodied a payload that impacted not only software running on infected machines but also the attached industrial processes. This malware's impact was very unique, targeted and revolutionary in nature. In September 2011, a new malware called 'Duqu' was discovered which appeared to be identical to Stuxnet and has been deemed a precursor to the Stuxnet worm.

http://totaldefense.com/blogs/security-advisor/2011/11/08/Duqu_0-day_exploit_gets_a_temporary_fix.aspx Tue, 08 Nov 2011 00:00:00 GMT
Analysis of an Android Malware family doing multi impersonations

Last week, we blogged about an Android malware that was impersonating a popular browser (http://totaldefense.com/securityblog/2011/09/23/The-SMSer-Trojan-Returns-as-Fake-Browser-Again.aspx).

This time we present the analysis of another interesting Android malware to highlight the noteworthy features that users need to be aware of.
This sample shows how easily such impersonating malware is created to mimic many popular messengers and chat clients.

http://totaldefense.com/blogs/security-advisor/2011/10/03/Analysis-of-an-Android-Malware-familydoing-multi-impersonations.aspx Mon, 03 Oct 2011 00:00:00 GMT
Mac OS X Threat Disguises as Adobe Flash Player Installer

Another new Mac OS X threat has been discovered that disguises itself as an Adobe Flash Player installer. Like other malware, it uses social engineering tricks to lure users into downloading it.

Once the user unknowingly visits a malicious website to watch a video, it prompts the user that the Adobe Flash plugin has crashed.

http://totaldefense.com/securityblog/2011/09/28/Mac-OS-X-Threat-Disguises-as-Adobe-Flash-Player-Installer.aspx Wed, 28 Sep 2011 00:00:00 GMT
Mac OS X Threat Masquerading as a PDF Document

A new Mac OS X threat has been discovered masquerading as an innocent PDF document with a controversial topic. It implements one of the techniques used by Windows malware to hide its malicious activity.

When the Mac malware is executed, it attempts to drop and open a non-malicious PDF file in the /tmp folder [Figure 1]. The PDF file and its content are intended to distract the user and hide the malicious activity in the background. The dropper is detected as OSX/Revir.A.

http://totaldefense.com/securityblog/2011/09/27/Mac-OS-X-Threat-Masquerading-as-a-PDF-Document.aspx Tue, 27 Sep 2011 00:00:00 GMT
The SMSer Trojan returns as Fake Browser again.

A few months ago, we blogged about an increasing trend of SMSer Trojans disguising themselves as popular browser applications, targeting users of smartphones with J2ME support. For the past few days we have been observing a similar trend in the influx of SMSer Trojans posing as browser applications in our sample processing channels. This time, however, they are targeting Android users.

http://totaldefense.com/securityblog/2011/09/23/The-SMSer-Trojan-Returns-as-Fake-Browser-Again.aspx Fri, 23 Sep 2011 00:00:00 GMT
The Case of Spitmo, Analysis with Andbug and Profiler.

A few weeks ago we witnessed Zitmo arriving on the Android landscape (http://totaldefense.com/securityblog/2011/08/29/ZBot-Targeting-Android-Users.aspx). As was widely predicted earlier, fellow researchers at Trusteer have now discovered that Spitmo has emerged for the Android platform. We, like the worldwide research community, have taken the growth of Android malware very seriously.

http://totaldefense.com/securityblog/2011/09/13/The-Case-of-Spitmo-Analysis-with-Andbug-and-Profiler.aspx Tue, 13 Sep 2011 21:44:02 GMT
Free Facebook t-shirts at the cost of your Personal Information?

Just like the many other social engineering spam attacks observed on Facebook, the recent one, which offers victims free t-shirts as a 7th anniversary special gift, seems to have gained quite a bit of popularity. If stats are to be believed [Figure 1, courtesy hacker9], quite a few people have fallen victim to this like-jacking social engineering spam. Interestingly, I have already spotted close to eight people's accounts in my Facebook contact list posting the scam over and over again on my wall, which is one of the aftereffects of falling prey to this social engineering attack. Another startling fact is that when I checked other related security blogs, there appear to be different variants of this spam. Some have already been taken down. So this means that scammers have possibly realized that the "free Facebook t-shirt" is an extremely good proposition for luring in innocent Facebook victims.

http://totaldefense.com/securityblog/2011/09/09/Free-Facebook-t-shirts-at-the-cost-of-your-Personal-Information.aspx Fri, 09 Sep 2011 16:06:41 GMT
Stay Safe With Your Twitter Account.

Twitter is a nice social network that allows you to send very quick messages to your colleagues and friends alike, indicating what you are doing, where you are located and so on. The main feature of this social network is the so-called “Following Tweets,” a way to inform you that somebody is following your tweets. Twitter is a powerful platform because it easily allows you to create a huge network of connected people. For this reason it has become a perfect target for cybercriminals and underground markets.

http://totaldefense.com/securityblog/2011/09/10/Stay-Safe-With-Your-Twitter-Account.aspx Fri, 09 Sep 2011 00:00:00 GMT
How to mitigate the “Supercookies”

"Supercookies" (Local Shared Object), or flash cookies as they are otherwise commonly called, and their implication on the privacy of Internet users have been a hot topic in the security- news blogs lately.

"Cookies", as most of you already know, are small text files that are used to keep small pieces of browsing information stored on a computer to track and retain user preference information when Internet users visit various websites online. But the risks involved with tracking cookies are already well known in the security community. There are also options available on various browser setting pages which explicitly allow users to clean these cookies. Many anti-virus companies, including Total Defense, have protection against tracking/third party cookies, too.

http://totaldefense.com/securityblog/2011/08/26/How-to-mitigate-the-Supercookies.aspx Mon, 22 Aug 2011 00:00:00 GMT
China’s Black Market: an Analysis

The black market is not new at all, and we know it exists because illegal products or services are readily available, such as drugs, sex, stolen goods, etc.

These days I have been impressed by the increase in the number of emails targeting Italian users with offers of electronic goods sold at very interesting prices.

Every day my personal inbox is stuffed with emails from people pretending to offer me electronics at below-market prices and suggesting I visit their new commercial website (Figures 1-2).

http://totaldefense.com/securityblog/2011/08/29/Chinas-Black-Market-an-Analysis.aspx Mon, 15 Aug 2011 00:00:00 GMT
New SDK, Old tricks - SillyDl repackaged!

Routine processing of our large-volume collections has unearthed a sample that seems noteworthy enough to be mentioned. Digging deeper revealed it was indeed a simple variant descending from a very old and familiar family of Java-based Trojans [Java/SillyDl].

Intricacies of its execution

This sample's payload is the same as what the age-old downloader agents are known to do. By design, it downloads additional malware executables from distribution sites on the internet and proceeds to trigger their installation routines. Implemented as an applet, this malware component can be better and more easily understood through the output of an instrumented standalone version of the applet shown in Fig 1.

http://totaldefense.com/securityblog/2011/08/29/New-SDK-Old-tricks-SillyDl-repackaged.aspx Thu, 04 Aug 2011 00:00:00 GMT
SpyEye Behind Cyber-fraud

SpyEye is now very well known within all security communities and security blogs of the world. The latest version of the SpyEye tool includes very powerful capabilities, specifically designed to steal sensitive data from Windows users conducting monetary transactions over the Internet.

The Trojan tool is sold on the underground market and in cybercrime forums for use by cybercriminals. Designed to defeat the security defences put in place by online banks, the SpyEye Trojan renders these security systems useless. If people are infected by this Trojan, their credentials and sensitive data, such as identities, credit card numbers and similar information, are stolen and sent to the criminals waiting to collect this data and count up their new budget.

http://totaldefense.com/securityblog/2011/08/26/SpyEye-Behind-Cyber-fraud.aspx Thu, 04 Aug 2011 00:00:00 GMT
A Trojan spying on your conversations

We have recently been blogging about many Android malware samples, as the threat landscape has been witnessing an increasing trend in targeting mobile platforms. Today we received an Android package into our collection and observed that this piece of malware walks an additional mile: it has a neat configuration and the capability to record the telephone conversations the infected victim makes. In one of our earlier blogs, we demonstrated how a Trojan logs all the details of incoming/outgoing calls and call duration in a text file. This Trojan is more advanced, as it records the conversation itself in “amr” format. It also performs many other malicious activities that we have seen in many of the earlier malware incidents targeting the Android platform.

Hence, in this blog we will demonstrate this particular conversation-recording payload of the malware.

http://totaldefense.com/blogs/security-advisor/2011/08/26/A-Trojan-spying-on-your-conversations.aspx Mon, 01 Aug 2011 00:00:00 GMT
LulzStorm hits Italian Universities

The Lulz team seems to have their signature on the security pages almost on a weekly basis. Just today, “The Sun” newspaper’s online home page was defaced, playing on the recent Murdoch issue, but the most recent and interesting case certainly remains the attack on Italian universities.

On its Twitter page, LulzStorm posted a supposed dump of the databases of 18 Italian universities, containing thousands of usernames, cleartext passwords, emails and private information.

http://totaldefense.com/securityblog/2011/08/26/LulzStorm-hits-Italian-Universities.aspx Tue, 19 Jul 2011 00:00:00 GMT
UNIFORM TRAFFIC TICKET Not from New York State Police

The first thing that most computer users do in the morning is check their email. So recently, just as usual, I too checked my inbox and spam folder. However, there was one email [Figure 1] in my spam folder that got my attention. It seemed suspicious and I did not want to fall into a trap, so I carefully reviewed it. This blog details my findings.

The email is disguised as a "Traffic Ticket" from the New York State Police; it claims that I have been charged with a speeding violation. The email body recommends that if I want to plead, I need to print out the attached file and send it to Town Court, Chatam Hall. The attached file is not a traffic ticket but in fact malware. I know that my local road traffic agency would never email an infringement notice, but would have mailed it via post instead.

http://totaldefense.com/securityblog/2011/08/29/UNIFORM-TRAFFIC-TICKET-Not-from-New-York-State-Police.aspx Mon, 11 Jul 2011 00:00:00 GMT
ZBot Targeting Android Users

Earlier this week, in the security researcher forums there was a round of discussions regarding Zbot attacking Android users, and today fellow researchers from Fortinet have managed to find a sample that actually does it.

Though this sample has been in the wild for some time, it has now been found to be the one that Zbot uses to target its victims.

In this blog, we will demonstrate how the sample actually works to target the mTAN-based authentication scheme.

http://totaldefense.com/securityblog/2011/08/29/ZBot-Targeting-Android-Users.aspx Fri, 08 Jul 2011 00:00:00 GMT
Dynamic Analysis of Golddream.A Trojan

This is a recent malware that targets the Android platform. Like many typical social engineering Trojans, this Trojan comes bundled with a game. The credit for discovering it goes to Prof. Xuxian Jiang.

Since we have published static analyses of such Trojans in our earlier blogs, this blog covers the dynamic analysis of the Trojan in a controlled environment. Please note that this blog post demonstrates only one of the malicious activities the sample performs and does not intend to demonstrate all the activities of the malware.

http://totaldefense.com/securityblog/2011/08/29/Dynamic-Analysis-of-Golddream-A-Trojan.aspx Thu, 07 Jul 2011 00:00:00 GMT
Rootkit Infection: MBR wanted!

We recently witnessed another rootkit infection which raised the attention of the press and Microsoft users.

It is again a high-profile malware whose target is the hard drive’s master boot record (MBR), corrupting the bootstrap of the Windows operating system.

Once run the malware follows the steps below:

  1. Open file: \\.\PhysicalDrive0
  2. Create File: hello_tt.sys

The first step is the malware's access phase to the hard drive partition where the operating system is installed; that is the sequence in which the malware finds the master boot record (MBR).

The second step is the creation of a service, dropped and installed on the victim's OS.

http://totaldefense.com/securityblog/2011/08/26/Rootkit-Infection-MBR-wanted.aspx Thu, 30 Jun 2011 00:00:00 GMT
QR Code: a channel to spread malware?

Not everyone knows what a QR Code is or how they can be used.

A QR Code is a specific matrix barcode (or two-dimensional code), readable by a dedicated QR barcode reader. There are many QR Code reader apps available today for camera phones. The code consists of black modules arranged in a square pattern on a white background. The information encoded can be text, like a URL, or other data.

http://totaldefense.com/securityblog/2011/08/26/QR-Code-a-channel-to-spread-malware.aspx Mon, 14 Feb 2011 00:00:00 GMT