In the last week we’ve seen some new screens presented by Blackhole exploit kit installations. The first exploit claims that the Windows installation “has been blocked” and demands a payment of 50 Euros (about US $66) by untraceable UKash or Paysafe checks.

And another, allegedly from Scotland Yard, similarly claims the victim’s machine has been locked because it’s been used to view pornography. Payment is demanded by untraceable UKash.

2.  Facebook Scam of the Week: “Oops!!! There was a hidden camera in Bieber’s bedroom.”

This week’s top Facebook scam uses Justin Bieber’s name to lure users into a never- ending spiral of surveys promising fake prizes. The real point is to get users to share personal info they would normally never share with strangers.

After a user shares a link to the Facebook scam they are promised to see a video from a hidden camera in Justin Bieber’s bedroom.

But after sharing the link to their wall they are then told they must fill out surveys.

This is how the scammers make their money. The more people that fill out the surveys with real information the more money they make.

In the end you never get to see a video because it does not exist.

At the bottom of the scam page you will see many of the victims posting comments that they shared the video but are still unable to see the video. So they fell for the scam but still haven’t realized it yet. If you have friends like this perhaps its time to clean up your friends list.

3. The official DivX codec “labs” sub-site, which is used for making betas available to the public, is hosting fake pharma ads.

These pages are simply injected into their forum.

We detect the actual pharmacy spam site these ads redirect to.

Search engine results to the pages are loaded with “no prescription” notifications:

– AVG Threat Research Group

The developer’s page in the Android market looks like the following:

The icon of the application looks like:

The Android Manifest file looks like:

When the application opened we can see the following:

It asks the user what number to you want to dial and what voice would you like people to hear (deep scary voice, normal voice and high funny voice).

Also mentioned the service costs 6 NIS per minute in place its hard for the user to spot.

These are the strings.

It is mentioned that the user need to wait 15 seconds for dialing – probably while the call is made to the premium service number and the cost (6 NIS for 1 minute).

Calling a premium service number in Romania:

012 – Israeli mobile operator for getting calls abroad

40 – Country calling code

900720674 – Premium service number

How to remove
AVG Mobilation™ Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.

In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.

Related articles

• Fake it till you make it – Mobile Update Week 4 (blogs.avg.com)
• AVG Mobile Threat Update: Week 3 (blogs.avg.com)

After our Security research team reported this to Google. They suspended the app for violating the Android Market Developer Distribution Agreement.

The data for the report is collected by AVG’s Threat Labs from the AVG Community Protection Network. It is an online neighborhood watch, helping everyone in the community to protect each other. Information about the latest threats is collected from customers who choose to participate in the product improvement program and shared with the community to make sure everyone receives the best possible protection.

This report takes a look at the last quarter of last year, 2011 and while the full report can be downloaded here, this article will take a look at some of the more poignant discoveries.

Arrival of Printed Malware

Most importantly, Q4 2011 saw the arrival of printed malware through the abuse of QR symbols. QR symbols are becoming popular for mobile users to insert text and URLs into the mobile device without typing, malware included. The report reviews this emerging phenomenon and predicts that this new technique is expected to gain momentum in 2012 and beyond, as the user does not know what lies behind the QR code until the malware is already installed and running.

Fake Antivirus continues to spread.

Q4 2011 saw no abating in the success of fake antivirus products. They have, however, become more sophisticated. The difference lies in the infection method. In this report, we cover an infection method called ‘2nd click redirection mechanism’ which eventually redirects to a Fake AV  scanner (Rogue AV) page that tries to lure users into downloading and paying for an AV scanner which “removes” fictitious malware. 

PC Threats – Rootkits are getting smarter and smarter.

If you think that rootkits are history, think again. Rootkits are alive and kicking. They are evolving to be much more sophisticated, and some interesting samples show up every few months. Rootkits evolved from commercial use (SONY DRM) through to financial use (Greek wiretapping case) to cyber warfare with a very specific target (Stuxnet, Duqu).

Rapid growth of Mobile Threats.

Throughout 2011, we often reported on the rapid growth of malware targeting Android devices; we presented various examples of malicious code and infection methods.  This trend continues to grow, against a backdrop of enormous growth of activated Android devices in the past 6 months, from 100 Million devices (May 2011) to 200 million devices (Nov 2011) and over 550,000 activations daily.

Other points:

• It has become evident that the ‘underworld’ of cyber crimes is organized.
• Malicious websites do not only share traffic, they also share owners.
• Stolen digital certificates have been discovered on the Android mobile platform.

You can Download the full report here and please come talk to us about any of the subjects on our Facebook Community.

Detections

As far as we know, the sample has been in public view for 4 days(since 2012.1.16). But only 4 AV vendors are reporting it as of now.

That’s generally because most of automated system don’t handle NE file format and HIPS system ignore it , as well as cloud system.

So under current situation, NE malware may exist for a longer period before detected by antivirus software. So it is more threatening to the end user.

Introduction for NE file format

NE (New executable) is elevated from DOS MZ executable format and it is for 16bit windows (Win3.x). Now it has surely been out dated.

Comparing with 32bit PE format, it has ‘MZ’ header, but the signature after DOS header is ‘NE’ instead of ‘PE’. And string in DOS stub is ‘This program requires Microsoft Windows’.

16bit file can run in 32 bit Windows OS with the help of NTVDM(Virtual Dos machine). A separate ntvdm.exe process is created when the file is executed and it’s within the context of ntvdm.exe. That’s why most of the HIPS miss it.

Malware behavior

Most of the malicious action taken by the NE file is  by 16bit api call ‘WINEXEC’ to run 32bit cmd.exe and taskkill with argument.

And the malware drops a 32bit PE and a reg file.

Process creations:

We can see that the malware deletes all shortcuts in desktop/start menu and quick launch. The reg file created by NE contains:

The main purpose is to modify start page.

And the PE file dropped is a simple MFC application that read StartupDVR.ini and run the file specified in the .ini after a time period.

The malware writer didn’t forget the NE file which anti-virus vendors thought it is outdated. NE file could be a new trend of malware carrier so we should aware of it to protect end user.

Related articles

• AVG Mobile Threat Update: Week 3 (blogs.avg.com)

We have seen recently the spread of fake Android official market and website.

The fake android markets usually contain many (if not all of the them) malicious applications which can target the victim in the two places where it hurts the most – namely, money and privacy.

Those are malicious versions of the legitimate applications created by the legitimate developers.

Below you can see an example of fake official Android market (note the icon on the left which is the same as the real Android market found here: https://market.android.com/ )

Fake ‘AVG Mobilation’ Anti-Virus

Below you can see a picture taken from other fake Android market (see ‘Android Market’ text on the top), which contain seem to be legit AVG Anti-Virus free which is the popular Android Anti-Virus in the official Android market.

The information on the seem to be legit Anti-Virus contain images, text , info and explanations from the official Android Market to convince the user that it is the real application and developer.

Here you can see the fake Anti-Virus with other fake popular applications:

One more thing to note – in case you downloaded the fake Anti-Virus application eventually you will not get a fake application of Anti-Virus but other file with malicious activity named ‘FakeInstaller‘ but it is not always the case for all the fake Android markets.

Just to show the difference the real AVG Anti-Virus free application can be downloaded from the following link:

https://market.android.com/details?id=com.antivirus

And look like the following in the official Android market:

Technical Analysis of new variant of ‘Virus Scanner’, Fake Anti-Virus malware

This week, the AVG Mobilation research team found a new variant of ‘Virus Scanner‘ malware that is found in the wild.

The malware can be downloaded from a Russian website with the ‘Opera Virus Scanner’ text:

Below you can see the manifest file of the variant:

In the permissions list you can see the SEND_SMS permission used to send the SMS to the premium service.

When the Trojan is installed, it will have the ‘AntiVirus’ icon (image was blured in purpose to get confused with an icon of a legitimate Anti-Virus vendor):

And upon opened it will display the following message on the device:

A question is presented to the user if he/she want to see the ‘Rules’ or to ‘Continue’.

In case the user will press ‘Continue’ the virus scanner will be seem to be launched with the following preferences:

- Turn on multi-level protection

- Turn on web site scanning.

- Turn on scanning for malicious applications.

- Turn on scanning for SMS and contacts.

- Turn on installation of application locker.

- Disable remote control of device

- Turn on Wi-Fi protection.

In reality, the malware will send up to 3 SMSs to service premium numbers.

This is written in the ‘Rules’ section as can be seen below:

We can see below hard coded activation code per country so the SMS mechanism can be operation not matter what is the current location of the device:

And here is part of the SMS sending mechanism:

It is good to mention that those are the same methods as seen in PCs.

The malware authors now targeting mobile devices are just transferring their methods and methods to the mobile platforms.

Mitigation (Fake Android Markets)

Always browse to the official Android market and download your application from there.

The official Android market can be found here:

https://market.android.com/

How to remove
AVG Mobilation Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.

In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.

Related articles

• AVG Mobile Threat Update: Week 3 (blogs.avg.com)

Starting today we began receiving emails from INTUIT at a bankofamerica.com email address (it’s spoofed). These emails notify the recipient of a problem between the IRS and Social Security and ask him to “use the following link” to review the information. The link leads to a Blackhole Exploit kit that will exploit the users PC and install many pieces of malware.

Also in 2012 we continue to see fake BBB and NACHA emails luring users to visit websites that use the Blackhole Exploit Kit.

2. Zeus using high-profile organizations’ names. 

Last week we came across phishing emails that impersonated correspondence from the U. S. Computer Emergency Response Team (US-CERT) that tried to trick victims into opening an infected attachment. The claim was that the attachment was a report of a phishing incident that had been sent to the Anti-Phishing Working Group (APWG).

A similar spam run used the logo of Consolidated Edison. ConEdison provides power to theNew York Cityregion. It attempted to get victims to open an infected attachment (carrying the Zeus bot net malcode) that it claimed was a bill.

3. Facebook Scams

Facebook scams continue to circulate via spam email or via Facebook with improbable gift card offers. Clearly, if it seems too good to be true, it is: a FREE, $500/$1,000 gift card or two free airline tickets? You would have to be very naive to fall for any of these. First they require victims to “like” them on Facebook (to spread the scam) then they then take him down the endless rabbit hole of surveys and affiliate offers.

We found a load of Facebook scam sites being hosted on Amazon Web Services and the images that they called hosted on popular image site Imgur (see below.)

– AVG Threat Research Group

Related articles

• AVG Web threat weekly update – Week 2 (blogs.avg.com)

This week, the AVG Mobilation research team found a new variant of ‘FakeInstaller‘ malware that is not in the wild yet named ‘SMSFraudInstaller’.

‘SMSFraudInstaller’ is a Trojan horse for Android devices that sends SMS messages to premium service numbers.

The spread of this malware is mainly in Russia websites and forum and mainly targets Russian users.

Technical details about the new variant

Below you can see the manifest file of the variant:

In the permissions list you can see the SEND_SMS permission used to send the SMS to the premium service.

When the Trojan is installed, it will have the Opera icon:

And upon opened it will display the following message on the device:

If the user chooses to press ‘Next’ (right button) on the screen above, then it will send an SMS to service premium number.

The service premium number that the SMS is sent to will be depending on the country where the SIM card is registered (more on the SMS fees later).

Below we can see the code that is responsible for sending the SMS:

Most of the users will press ‘Install’ at this point without knowing that the application will charge them as they are not aware it is being displayed in the ‘Rules’ button.

The users that press ‘Conditions’ button will see a very hard to read screen with a lot of text that mention in it the payment of sending up to 3 SMS messages:

If there’s no SIM within the device the application will display the following screen:

In the past we published detailed information about the way those Russian SMS installers work.

Information about ‘Android SMS Fake installer’ can be found in the following link:

http://www.droidsecurity.com/securitycenter/secuirtypost_20111110.html#tabs-2

The story behind the massive FakeInstaller malware instances

We have seen recently a burst of application that used to send SMS from the targeted devices to a premium numbers.

The common to all those application is that they have the same origin – the malware author’s website.

As you can see from the picture above there are devices flying in the air throwing golden coins from the devices to a heap of golden coins.

The money that was taken from those devices belong to the users and taken from their targeted devices.

The malware author offers developers to add his malicious payload to their app and earn money out of it.

The malware author will split money between the application author and him leaving the application developer most of the money.

The malware author’s website contain forum where the malware authors offer help services and give detailed explanations how to use it.

Initially the malware author spread malware for Symbian based phones but as there are more and more users own an Android based phones, they are moving to target Android based devices.

Analysis of the malware author’s java code file given to the developers who want to join

Below you can see code snips taken from the jar file the malware author offers the developers to use – in this case SMS sending mechanism:

And also:

Technical details about the spread mechanism of the malware – different devices

When the user browse to the page of the malicious application, the server hosting the app on the other side determines which operating system the user have – Symbian, Android etc and then offer the user to download relevant file type of the malware – each file for each operating system detected.

Below you can see the ‘default’ behavior when identifying it’s a Symbian OS:

Below you can see the behavior when identifying it’s an Android OS:

Technical details about the spread mechanism of the malware – different countries

We could see that the malware instances can check which country the device is operational and then send SMSs to premium service number that is local to that device.

For example you can find below a text taken from user agreement (link marked with red square) in Russian website that give details what is the cost of each SMS in each country that malware is operational in:

That is the reason you always need to read and verify what you are downloading.

How to remove

AVG Mobilation Anti-Virus Free and Pro products provide protection against this threat.
In order for the protection to be activated, update your Android phone with our latest version.
Keep your device safe with AVG Mobilation Anti-Virus Free and Pro products.
Download now from http://www.avgmobilation.com/products.html

How to avoid getting infected:
When installing new apps to your Android device, always look at the permissions an application requests to approve and make sure the list seems appropriate.

In addition, only download apps from application stores, sites and developers that you trust, and always check the application star rating, developer information and user reviews to make sure you know what you are downloading.

AVG’s latest research* called Lost in Transit gives some helpful pointers as to what happens to gadgets and devices once they have been lost or stolen.

Our research, carried out by Research Now, questioned 5,000 people in 11 countries and looks at how people lose their gadgets. It reveals that smartphone theft is more frequently opportunistic, with thieves taking the phones while owners aren’t paying attention.

But when a thief does get their hands on your smartphone they are most likely to simply sell it on.

The story for tablets however is different. Unlike smartphones, tablets are still relatively new and have a novelty factor that phones don’t.

As a result, if someone gets their hands on your tablet the chances of them having a good look through it, accessing your data and using it is 28%, compared with just 9% for smartphones and 13% for laptops.

Once thieves do start accessing the data on your device, the consequences can be unpleasant.

Our research shows that in four in 10 (41%) cases where the data on a device was used against the owner, personal information was accessed.

In over one in three (36%) instances, bank details were stolen, while 37% had their passwords stolen.

Most worryingly, if they are able to, a lot of thieves will even post from your social media profiles. Where the thieves accessed and used the data, 39% of victims fell victim to social media status-jacking.

So what can you do about it?

• Password protect your devices
• Install software on your mobile devices (smartphones and tablets), this will not only protect against viruses, but will help you locate it if you lose it and protect the data. See AVG Mobilation below.
• Try storing your phone in the same safe place. Always use that place, so you know where to check for it easily.
• Check cabs and trains before you leave. Lots of devices are unwittingly left in cabs and trains making easy pickings for thieves.

Device owners need to take these steps now. The alternative could be both a significant loss both in terms of time and money.

To protect your devices download AVG Mobilation software (http://www.avgmobilation.com/). It will not only keep your device safe by scanning and removing viruses with a simple click, if your device does get lost or stolen, you can track it via the device’s GPS and if necessary either lock it or wipe it completely.

*Research Now surveyed 5620 participants on AVG’s behalf in UK, USA, Canada, France, Italy, Germany, Spain, Australia, New Zealand, Czech Republic and Japan. Research conducted in November 2011.

Related articles

• Beware: take more care of mobile devices during the holiday season (blogs.avg.com)
• Lost in Transit: holidays is a time of giving… and losing mobiles and smartphones (blogs.avg.com)

No sooner did the world’s Internet users get the message five or so years ago that they should be running an anti-virus product on their PCs than the dark side jumped in to sell fake products that look and act like real security products.

For the past five or so years, these fake AV (or rogue) products have been huge moneymakers for the scam artists on the Internet, with hundreds of new variants appearing each year to help evade detection and confuse victims.

We’re seeing reports that the fake AV might be fading from the scene. We don’t think so, in only a short amount of time we came up with several examples.

Windows Secure Kit 2011

Antivirus 2011

Please wait! This is important – we check your devices.

Scan & Protect

Windows Security

2. Cloud AV 2012

Blackhole Exploits kits recently started exploiting systems and installing a new rogue antivirus program called Cloud AV 2012. It’s a clone of Open Cloud AV which we previously blogged about.

3. Bank of America spam messages lead to Blackhole Exploit Kit

We’re sure that everyone on the planet who uses the Internet – even those living in caves in Afghanistan – are well aware of the flood of malicious spam that tries to snatch logins and other personal information. Recently we found one that impersonates email from the Bank of America and carries a link to a site that runs the Blackhole exploit kit.

4. Pharma spam site impersonating CVS

Anyone who has the slightest contact with email is all too familiar with “Canadian Pharmacy” or “penis pill” sites. At one time they seemed to be based inChina, however, now they appear to mostly have a .ru (Russia) country domain.

These scam sites claim to be selling Viagra, Cialis and other prescription medications by mail. No one has ever investigated the vast, vast ocean of these things, but it’s safe to say that IF you purchased prescription medication from them what you probably get will be 1) adulterated pills 2) completely fake pills 3) your credit card info ripped off.

The graphics on these sites usually include photos of scantly dressed men and women as well as male and female physicians in white uniforms with stethoscopes looking young, professional and happy. The females often seem to be smirking, which must be off-putting for potential Viagra customers. There is almost always the word “Canadian” on the page somewhere.

Last week, however, we came across one (via spam, of course) that used the logo of the CVS pharmacy chain.

– AVG Threat Research Group

We expect business-as-usual for the dark side, although there seems to be some small successes in fighting the bot nets that distribute vast amounts of spam (including that containing malcode.) In 2011, Microsoft had some significant successes in taking down bot nets using a combination of legal and technical approaches. So it’s good to know that there is some pressure bring put on the distributors of Internet badness.

Here are the threats that we expect to see in the new year in more-or-less priority order:

1. Social media scams will continue at the present rate or increase

The bad guys are going to continue to go after the low-hanging fruit on social media sites. This is a vast goldmine. Facebook estimated in July that it had 750 million users worldwide (  http://www.facebook.com/press/info.php?timeline ) Facebook users with unsecured personal information can expect it to be in the hands of unscrupulous operators who sell it as marketing data.

Fake celebrity news videos and stories will be some of the most used bait for scams and rogue security software installations. These scams will appear as videos or URLs in Tweets or Facebook posts that will lead to survey scams, and sites that download malicious code.

2. Toolkits will continue to appear and they will get more sophisticated

These highly sophisticated applications give malicious operators the capability to quickly design and install customized malicious code. Recently we’ve begun seeing them used to deliver rogue security products – which are huge moneymakers for the dark side.

3. Trojan horse programs, will continue to be the largest category of malicious code,

These are applications available for download that really install key loggers or other info stealers. These like other malware will continue to exploit vulnerabilities on the application level with Adobe products being large, slow moving targets. Browser vulnerabilities also will be targets. Web users are cautioned to install updates promptly to keep their machines secure.

4. Rogue security products will not go away.

These fake anti-virus scanners with professional graphic interfaces and alarming phony scans are not going to go away. In 2011 we started to see them being installed by tool kits.

5. Malware for mobile devices will continue to evolve

Mobile device users should only install apps from legitimate sources. Malicious apps will probably become more sophisticated and more widespread as the malicious operators learn to write for the new operating systems. These will steal personal information for the spammers and underground marketing operators and take passwords for banking and payment system theft.

6. Malicious spam and phishing will continue to be a threat to everyone who uses email.

The Messaging Anti-Abuse Working Group estimated that spam email comprised 88-90 percent of all email in the first three quarters of 2011. http://www.maawg.org/sites/maawg/files/news/MAAWG_2011_Q1Q2Q3_Metrics_Report_15.pdf  That volume  alone is a problem, but the malicious spam – the spam that tries to trick users into revealing their login credentials to bank, payment system or gaming sites – is the core of the menace. Users should continue to avoid opening attachments or clicking on links in unsolicited email. Spam emails forwarded by friends also can be a threat.

7. Search engine optimization poisoning might decrease as search site operators improve their techniques for detecting it.

Poisoned links in search engines will continue to take victims to sites that download malware on their machines. The biggest draws will be celebrity news and news about major news stories.

8. Fake surveys will continue to waste time and steal money

Anyone familiar with Facebook, by now, has seen this trick. A friend “likes” a lurid video or an offer of a free computer/phone/gift card. Clicking on the video takes one to a long series of “survey” questions and offers for subscriptions to worthless services. These scams often gather victims’ cell phone numbers in order to bill monthly charges.

9. Fraudulent web sites selling phony or non-existent goods will continue to attract victims.

“Canadian pharmacy” sites pushing Viagra and Cialis (often called “penis pill sites”) will continue to thrive. Internet users will get to them chiefly via links in spam. They purport to sell prescription drugs, but really steal credit card info or sell placebos or drugs with incorrect dosages – which in some cases can be fatal.

10. Malicious iframes on legitimate web pages will continue to be a serious vector for attacks.

These can be placed on pages intentionally, by hackers who want to draw victims to malicious sites, or unintentionally, as when the advertising services that deliver ads to web sites get compromised and push out links to pages that download malcode.

– AVG Threat Research Group

The convicted party, Randy Chaviano, 26, appealed against his 2009 conviction in a Florida court for shooting Charles Acosta during an alleged drug deal and when the Appeal Court discovered that almost no records of the trial still existed and the judge had no choice but to annul the conviction and order a retrial., the judge the struck down the conviction and ordered a retrial.

The court stenographer, present in 2009, was responsible for recording the minutes of trial but had accidentally deleted the manually taken primary records, and then to compound the issue, the electronic backup stored at a PC was also destroyed by malware.

“The overturning of a murder conviction always means terrible pain for the victim’s family and frustration for prosecutors and police officers,” Ed Griffith of the Miami-Dade Attorney’s Office was reported as saying.

“Overturning a murder conviction because of a court reporter’s problem creates a brand new level of pain and frustration,” he said.

Although data can be recovered from damaged or infected harddrives, authorities and specialised services have been unable to extract the necessary information.

Related articles

• Killer to be re-tried after virus wipes testimony (technolog.msnbc.msn.com)
• Man convicted of murder gets retrial after virus eats transcripts (go.theregister.com)

What’s the story?

The FBI last week issued warning of a new phishing scam known as “Gameover”. Should the malware gain access to your PC, it can steal usernames, passwords and even circumvent user authentication on banking web pages.

The FBI said it has seen an increase in the use of Gameover, which is an email phishing scheme using the names of prominent government financial institutions — the National Automated Clearing House Association (NACHA), the Federal Reserve Bank or the Federal Deposit Insurance Corporation (FDIC).

The FBI says Gameover is a more recent variant of the Zeus malware, which was created several years ago and was designed to specifically harvest banking information.

Who is affected?

Given that the scam is perpetrated via email, anyone could fall foul of this scheme.

Here’s how the FBI describes the scam: “Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there’s a problem with your bank account or a recent ACH transaction. (ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the U.S.) The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you’re there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.”

How do I stay safe?

Make sure you do not fall prey to a phishing scam like this with AVG’s top three tips to staying safe.

• Too Good To Be True

In these days of New Year sales it is tempting to open up an offer that seems too good to be true. More often than not, these “incredible offers” aren’t legit and you should exercise caution when investigating.

• Trust Your Instinct

If you receive an email claiming you’ve paid nearly $300 for a flight that you’re unaware of, chances are that you haven’t. These tricks play on your insecurities, be confident in your actions online.

• Get Protected

Getting a basic level of internet security can help protect you from phishing attacks and fraudsters by warning you when you are going to an unsafe site. AVG’s Linkscanner™ technology does this before you land on the page so that you are aware of the threat prior to exposure.

Related articles

• BBB: Top scams of 2011 (seattlepi.com)
• How to Boost Your Phishing Scam Detection Skills [Security] (lifehacker.com)

The phishing attack which has been active as recently as November 2011 was designed to con American Airlines customers into surrendering their personal information and passwords.

One of the example emails that the airline posted was an email claiming that the recipient had paid for a $278 flight to New York and that they should login in and download their ticket. Another email promises a reward of $50 for completing a five question survey.

As part of American Airlines proactive advice to its customers, they warn anyone who receives bogus emails not to follow any of the links and instead to forward the email, in its entirety, to webmaster@aa.com

American Airlines spokesman Ed Martelle said, “We are aware of the scam. It is being investigated by our corporate security department so we can find a way to shut it down”.

Make sure you do not fall prey to a phishing scam like this with AVG’s top three tips to staying safe.

Too Good To Be True

In these days of New Year sales it is tempting to open up an offer that seems too good to be true. More often than not, these “incredible offers” aren’t legit and you should exercise caution when investigating.

Trust Your Instinct

If you receive an email claiming you’ve paid nearly $300 for a flight that you’re unaware of, chances are that you haven’t. These tricks play on your insecurities, be confident in your actions online.

Get Protected

Getting a basic level of internet security can help protect you from phishing attacks and fraudsters by warning you when you are going to an unsafe site. AVG’s Linkscanner technology does this before you land on the page so that you are aware of the threat prior to exposure.

Its first form uses a callback function to the Twitter API, which makes it hard to discover by scanning core and allowing injection of a harmful iFrame. Furthermore, data about trends, which the function returns, were used for the generation of a domain name.

So what makes this case so interesting? First, it’s used in favorite library jQuery. Whereas the earlier forms relied on function of callback as a tool against emulation, the usage of the library is an evolution as its used for downloading trend data and also for obfuscation of harmful code.

The analysis of the sample, which we obtained, revealed an algorithm for creating domain names. It also contains the part, which is created by selection of groups with predefined values, and the part, which is created in accord with data, obtained from Twitter.

The fact that the algorithm does not create active domain names may be caused by these reasons:

1. Algorithm of creating the domain names was changed

It’s very likely, since the code contains numerous places, which can be manipulated.

2. Method is used in longer time windows

Twitter allows a discovery of trends for one month backwards. Domains, which we found registered in this time window, have preset status clientHold. It means that domain is not published.

3. The author has registered only few of possible names and relies on the fact, that favorable conditions will happen.

Since none of the created addresses was functional during time of analysis, we cannot determine the creators’ intentions exactly. Most probably it’s a ploy to get to the resources/digital assets of their victims.

author:  Jaro Brtan

Every week we talk about the latest spam run that is out there luring users to websites that use the Blackhole exploit kit to install various pieces of malware on their PCs.

Normally, users are tricked through a malicious spam emails that contains a link that when followed will eventually infect the users PC.

They also use another spam technique that is much easier and doesn’t require an exploit kit. The emails in these spam messages carry malcode in ZIP file attachments. Often it’s the same malware that would be installed with the exploit kit, but the bad guys are hoping their victims will be gullible enough to just run the EXE.

Often, they’re right, and the bad guys then don’t need to download an exploit via a malicious URL, if the victim can be tricked into immediately executing the malware on his or her computer.

To see this in action, look at this example below. The email is from: “KingCountyEcommerce@KingCounty.gov” (which is not a working email address) about overdue property taxes.

The attachment is, as always, a ZIP containing an EXE. Most people’s reaction to this would probably be something like: “What?  I don’t even own property in King County, this must be a mistake, or worse….”

That would prompt them to double-click the attachment to investigate. Then, as the expression goes “it’s all over red rover….” as the bot malcode infects their machine.

Also here are some lures that purport to be from USPS, FedEx and the IRS.

One very important fact to remember is that spam never comes from the “from” address it contains. Any piece of an email message can be forged. If the email looks suspicious, if you don’t normally get emails from your bank or if you haven’t ordered any packages, don’t follow the link and don’t open the attachment.

If it is just too much for your curiosity and you absolutely must check, go directly to your bank, FedEx, USPS, IRS or other ecommerce website, email them directly, or pick up the phone.

Probably the best advice is: if you are the least bit suspicious, delete the email or report it to your IT department.

2. Malware installed via drive-by exploit kits: XP Home Security 2012, XP Internet Security 2012, and XP Security 2012 rogues.

In the last week, we have been seeing rogue security products installed by drive-by exploit kits appearing with 2012 version names on their graphic interface. They’re all clones with slightly different names to confuse potential victims and anti-virus researchers.

 XP Home Security 2012

XP Internet Security 2012 

XP Security 2012

Drive-by ransom ware installations

Drive-by installs of ransom ware this week include phony notices from the German Bundespolizei National Cyber Crimes Unit that claim to have found child porn and terrorist-related correspondence on the victim’s machine – which is locked up. The malcode splash screen says that the little matter can be cleared up if the victim pays 100 Euros ($131 USD.)

3.  Facebook Scams

The usual Facebook scams have been doing the rounds in the last week with no new lures, just many of the same old ones – celebrity sex tapes, videos and bogus death stories.

The top scam on Facebook remains the “install the YouTube premium plugin to see the video” for Firefox and Chrome. YouTube doesn’t actually have a “premium” plugin, it’s an invention of the malicious operators.

Most sites distributing the premium plugin are hosted on blogspot.com, Google’s free blog hosting sub domain, so keep your eyes peeled for that in the URL.

What has been found?

Two new vulnerabilities in Adobe’s ubiquitous Flash Player have been discovered and allegedly can be used to an arbitrary code execution remotely. Essentially these vulnerabilities could allow someone to remotely seize control of a PC without the consent of the owner.

Who discovered these exploits?

The exploits were discovered by a Russian vulnerability research firm called Intevydis. They have created a popular application called Vulndisco designed to test the robustness of programs to exploits. The process, known as “penetration-testing”, is an excellent way of finding software vulnerabilities and security holes.

Interestingly, Intevydis has refused to give Adobe the details of the vulnerabilities. As of last year Evgeny Legerov, the founder and CEO of Intevydis, declared that they will no longer inform software vendors of vulnerabilities they discover.

How can I stay protected?

While Adobe is yet to comment on these latest Zero-day exploits, they are actively working to resolve vulnerabilities as soon as they are aware of them. Next week should see the release a patch to fix some previously discovered security holes in Adobe Reader.

To ensure that you are as well protected as possible, ensure that you have automatic updates enabled for any software you are running (including your OS). Most programs will have this automatically enabled as default.

As always, ensure that you have security software installed so that you have the best possible chance of thwarting a problem or intruder before any damage is caused.

What happened?

Last week patients at the Gwinnett Medical Center in Lawrenceville Georgia had to be turned away as an “unidentified malware” caused havoc with the hospitals internal network. The problem was so severe that hospital workers were forced to return to using paper documentation for existing patients and was forced to divert all non-emergency admissions to other medical centers.

What type of attack was it?

The cause of the outbreak, which lasted from Wednesday until Saturday, is still unknown but given the symptoms mentioned in reports, a worm infection (for example by Conficker or one of its variants) seems the most likely cause, which could have spread rapidly across the hospital’s network forcing IT to pull connectivity to avoid it spreading further with unknown consequences.

Gwinnett Medical Center spokesperson, Beth Okun emphasized that “It’s not affecting patient care in any way, shape or form,” she said adding that patient data had not been at risk.

Has this sort of thing happened before?

Unfortunately, the attack is not the first of its kind, with New Zealand’s St John Ambulance Service coming under attack only a few weeks ago, forcing administrators to direct staff to emergencies via radio contact.

Further back, three hospitals in London were forced closed in 2008 after nearly 5,000 computers became infected with a computer worm.

Should I be worried?

As the hospital ensures that no customer data was leaked during the attack, there should be little cause for concern to most end users.

For your own personal security, we at AVG would strongly recommend that you protect your PC and your data with security software. Security software is your basic front line defense and warning system to keep your system clear from malware infection.

If you’re unsure of where to start, we offer free antivirus protection, just visit http://free.avg.com

What has been fixed?

In the last Patch Tuesday of the year, Microsoft has released a major Windows patch which has fixed over 20 vulnerabilities in the operating system.

Among the changes, seven tackle Windows flaws, five address problems in Microsoft Office and one relates to Windows Media Player. Microsoft labeled three of the Windows bulletins as “critical,” meaning they could allow an attacker to gain unauthorized access and execute malicious code on an infected system.

Importantly, this patch ended the month long wait for a fix for the Duqu vulnerability (CVE-2011-3402).

What is Duqu?

Discovered in early September, Duqu is a computer worm that has drawn concerns among the security community, which found it was built to harvest data from industrial control systems such as power plants. Researchers believe the same authors that built the infamous Stuxnet worm also designed Duqu.

Although Microsoft promptly provided a workaround to resolve the Duqu vulnerability issue, it was a temporary measure and the latest change is designed to resolve the issue on a permanent basis.

Who is affected?

All versions of Windows from XP onwards will need to be patched for the flaw.  Most computers should update automatically but updates can also be downloaded manually from the Microsoft support site.

Full details of the patch can also be found on Microsoft’s Security Bulletin page.

On the Facebook/YouTube scam front this week we came across phony posts that led to the usual survey sites, but also a new and potentially malicious YouTube Premium plugin (for Firefox/Chrome).

The video offered is of an uncommonly well endowed Italian model and TV hostess, Marika Fruscio, suffering a “wardrobe malfunction” during a soccer match. A little web research suggests that incident actually happened. Fruscio’s photos on the Web and Facebook scams seem to be matched like peas and carrots.

Marika Fruscio YouTube Premium plugin scam

In this scam, a user is told he or she must install a YouTube Premium plugin to view a video. The plugin is only offered to Firefox and Chrome users.

Installation of the plugin.

After installing the plugin the user is allowed to see the video.

Also unknown to the user the video has been posted to their wall and their contacts’ walls as well.

Browser plugin security suggestions:

– Always install extensions from known sources. (Chrome – from chrome store, Firefox – from Mozilla add-ons)

– Use add-ons like No-script, No-Ads to avoid such malicious scripts.

– Stay away from scams/spams that promise to provide a gift or money.

– If spam messages are seen on you wall or messages, do not open it. Open the drop down box by the side and click “Report/Mark as spam”.

2. Three drive-by downloads from exploit kits

One way malicious operators can use their exploit kits to make cash is to install rogue security products. Recently we’ve spotted Blackhole exploit kit software installing two rogues, Security Defender and XP AntiSpyware 2012. Like all rogues, they do a fake scan on a potential victim’s machine, display warnings of numerous (phony) serious infections then present a payment screen. Their application, of course, doesn’t “remove” the infections until payment is made.

The rogue scam, which has been going on for five years or more, depends on the distribution of a constant flow of new fake products (to evade detection by legitimate security products) and new victims who cannot recognize a legitimate security product from a fake.

For a good list of current legitimate anti-virus software, see the “about” section of the

VirusTotalweb site: http://www.virustotal.com/about.html and click on the “credits” tab.

The two rogues are:

Drive by download #1: Security Defender

Drive by download #2: XP AntiSpyware 2012

XP Antispyware also lists many fake certifications in order to win the trust of the user.

x 

Drive by download #3: Ransomware

This piece of ransomware locks up a victim’s machine, claiming (in German) to be a notice from a German music rights management organization. It claims that pirated music has been found on the victim’s machine and demands 50 Euros (about $67 USD) to unlock it.

This malware uses the logo and graphics of the German society for musical performing and mechanical reproduction rights GEMA ( https://www.gema.de/en/ ):

3. Spam leading to exploit kits

Last post we reported on malicious operators using spam that appeared to be from the payment agency NACHA and the Internal Revenue Service to lure victims to their download sites to install exploit kit malcode on their machines. This week we’ve seen the Federal Deposit Insurance Corporation and Better Business Bureau used in a similar way.

Spam email is a constant threat. Internet users should be wary of ANYTHING they receive by email, but especially from banks and other well-known government agencies and institutions. The links in malicious spam emails take victims to web sites where malcode is downloaded onto their machines – called “drive by” downloads. Also, attachments in spam are especially dangerous since they can contain executable malcode.

As a precaution:

– Use common sense. If a spam email contains an offer that is too good to be true, skip it. If it appears to be a notice from a business or organization that you haven’t done business with, skip it. If it contains an alarming warning from a government agency, skip it. If it appears to be a warning from you bank – call your bank.

– Simply don’t click on links in any email – go the bank or organization’s site by typing its URL into your browser’s URL bar.

4. Domain registration scam spam

We recently received the following scam email that looked so genuine at first glance that we actually had several AVG offices check it out.  It appears that it was from a scammer trying to sell us registrations with .asia, .cn, .hk and .tw (that’s Asia,China, Hong Kong andTaiwan) country domains similar to ones we use. The email inferred that they were ready to sell the domains to someone else if we didn’t buy.

It’s the Internet version of that timeless scam: selling the Brooklyn Bridge.

Our investigation revealed:

A Web search for “Envot Holding, Inc.” (the company allegedly ready to buy the domains) returns no hits.

The “From:” email address on the spam is a workable email address and the phone and fax numbers match those on the Whois information for dekagroups.net (registered inShanghai.) Clearly the scammers want us to call.

One tiny bit of information that is REALLY suspicious though: the Dekagroups.net domain was registered in August. Somehow one would expect the “department of registrant service inChina” to be a government office and to have been around a lot longer than four months. And at least to be spelled with capitals.

One would also expect a Chinese government agency to employ people who can write decent English.

——————————————————————————–

From: Watson Liu [mailto:watson.liu@dekagroups.net]

Sent: Monday, December 12, 2011 3:35 AM

Subject:  XXXXXXX -Urgent Confirm Registration

Importance: High

(If you are not in charge of this, please forward this urgent email to your President & CEO, thanks.)

Dear President & CEO,

We are the department of registration service in China. we have something need to confirm with you. We formally received an application on December 9, 2011, One company which called “Envot Holding, Inc.” is applying to register as below:

Brand name: XXXXXX

After our initial examination, we found that the brand name being applied is as same as your company’s name and trademark. These days we are dealing with it, hope to get the affirmation from your company. If your company and this “Envot Holding, Inc.” are the same company, there is no need reply to us, we will accept their application and will register these for them immediately.

If your company has no relationships with that company or you did not authorize them, please reply us within 7 workdays, after getting the confirmation, we will handle it according to international domain names registration rule. If we can’t get any information from you within 7 workdays, we will unconditionally approve the application which is submitted by “Envot Holding, Inc.”

Waiting for your reply ASAP Today.

Best Regards,

Watson Liu

Senior Consultant

Tel:  +86.21.67222201

Fax:  +86.21.67222202

——————————————————————————–

2011-12-12

5. Celebrity Facebook Scams

Miley Cyrus and Justin Bieber are currently the top Facebook celebrities used to fool users on Facebook into giving up personal information.

Justin Bieber scam

Miley Cyrus scam

– AVG Threat Research Group

As part of our ongoing research into consumer safety, we recently carried out our Lost In Transit study; a survey into when, where and how the average person loses a device that could potentially contain vital personal data.

We commissioned research agency Research Now to ask over 5,000 people in 11 countries across the globe a series of questions about which devices they own, which devices they’ve lost and the circumstances surrounding those losses.

The results contained some alarming statistics. While users of laptops (64%) and tablets are likely to password protect their device, a startling 61% of US respondents who had lost a smartphone answered that their lost device was NOT password protected.

As smartphones become more and more part of our day-to-day lives, we store a considerable amount of personal information on them. So nearly two-thirds of US smartphone users were potentially giving thieves access to their email, social profiles, bank details and more.

Couple this with the fact that 42% of smartphone users in the countries we surveyed had lost their phone in the past year and it’s clear that a worrying amount of personal data is up for grabs for opportunistic criminals.

Losing a device isn’t just a case of seeking reimbursement from an insurance company (although 62% of laptop owners and 74% of smartphone owners do not insure their devices), it also puts the owner’s personal data at quite serious risk.

During the holiday season, a disproportionately high number of devices are lost or stolen. In the UK, 36% of phone losses or thefts occur during the holidays, while in the US 34% of lost or stolen laptops go missing during the same period.

Much higher vigilance is clearly necessary over the festive season to ensure devices and the personal data they contain don’t fall into the wrong hands.

Smartphones, tablets, MP3 players, laptops are small but relatively expensive items. Beyond the monetary value, the potential for personal data to be stolen is huge, and the effects much worse.

Luckily, AVG can help. Our free AVG Mobilation product offers far more than just virus protection. When you lose a device, AVG Mobilation (hyperlink to AVG Mobilation) can locate it.

If the device has been stolen (90% of stolen devices in the UK are never recovered), AVG Mobilation gives you the ability to flash a message up on the screen offering a return address or reward.

And if all other avenues have been exhausted, AVG Mobilation can lock and wipe the device, protecting all of your personal data and rendering the device unusable.

Here’s some helpful tips to keeping your smartphone safe

• Password protect it
• Ensure it has security software, preferably with a lock, locate and wipe feature – find out more at www.avgmobilation.com
• Store your phone in the same safe place. Always use that place, so you know where to check for it easily.
• Check the cab before you leave it after your Christmas party.

This survey was conducted for AVG by Research Now and questioned 5,620 adults in 11 countries across the globe. These were USA, UK, Italy, France, Germany, Spain, Canada, Czech Republic, Japan, Australia and New Zealand. Full survey results can be found here Lost In Transit Results Tables