Weblog : News from the Lab
Monday, October 16, 2006
Earlier this month, McDonald's Japan shipped 10,000 MP3 players as prizes in a competition they organized with Coca-Cola.
The players, carrying the McDonald's "M" logo, were shipped with 10 preloaded songs.
Unfortunately, the players were also preloaded with a variant of the QQPass password-stealing trojan. We haven't seen these players ourselves, so we can't confirm how exactly you would get hit by this trojan, but some sources report you only had to plug it into your Windows PC.
More information for affected customers is available from McDonald's Japanese web site.
Friday, October 13, 2006
We've received several reports of a trojan that is being spammed out. The message looks like an order confirmation for the purchase of a $2482 Sony Vaio laptop. The attachment, named order_37679041.exe, contains the actual malware.
We detect this as W32/Small.DXC.
Weblog reader Per-Erik sent us a URL that he received as an intrusive pop-under. It's for a product named Drive Cleaner, which we classify as a rogue application because of the sales tactics it employs.
The first pop-up window uses animation and attempts to look like Windows Explorer. Examine the details it displays in the left-hand frame. The "Warning" message appears to offer a choice, but it's really just an image: clicking Yes or No has the same result - you're prompted to download the installer.
If you cancel the download, you get a "Notice" asking you to reconsider. We like the kind reminder that having tracks of your online activities could harm your career and your marriage.
If you select cancel from the second dialog, you'll get yet another dialog. This message states that Drive Cleaner will now scan your computer and that you must select Run or Open. This is another attempt to get the user to download and install the application.
While it hypes the privacy issue into a critical danger rather than the minor risk it is, the application itself doesn't do anything really malicious if installed; it does nothing but scan unless you buy it. But do you really want to pay €35 to remove temporary files and cookies? You can set your browser to do that automatically when it closes.
Our thanks to Per-Erik for submitting the URL.
Thursday, October 12, 2006
Greetings from the Virus Bulletin 2006 conference in Montreal, Canada!
The second day of the conference is just starting with many interesting presentations to come. I'm especially looking forward to the presentations by Guillaume Lovet, Alex Shipp, and Jose Nazario - too bad Alex and Jose have been scheduled exactly at the same time!
I held my keynote presentation yesterday morning and it went very well.
As you might remember, I asked for your help in choosing the topic for my presentation, and I'd like to thank all of the 150 people who took the time to send feedback and share their ideas. The suggestions covered the whole spectrum of the field, from rootkits, to virus history review, to mobile virus issues, to product pitches. In the end, I ended up talking about the history and the future, and how this is not merely a fight between antivirus companies and virus writers - but a fight between good and evil.
I managed to pack 164 slides into my 40-minute presentation (no joke). As promised, my slides are available for download now.
Wednesday, October 11, 2006
Dateline July 2006: Microsoft discontinued update support for Windows 98.
Dateline October 2006: Microsoft discontinued updates for Windows XP Service Pack 1. October 10th's updates were the last for SP1, and public assisted support for it has ended as well.
Service Pack 2 was released in September 2004. So, if you're still running SP1, it's really time to update.
And another thing. We mentioned this last month, but it bears repeating that Microsoft will be pushing Internet Explorer 7 as an automatic update rather soon, perhaps during October. According to the details we've read, the update will prompt for confirmation before installing. If you have Automatic Updates enabled, be ready for the prompt: back up your settings and favorites, and maybe install a second browser if you don't have one already.
A few weeks ago, we tested the install of IE7 RC1 on an IE6 system loaded with adware toolbars. The toolbars caused some buggy behavior, but the install completed without trouble. Still, that's a lot of browser installs that will take place when the update is released. Hopefully it will go smoothly.
If you're an admin and your domain isn't ready for IE7, there's a toolkit available from Microsoft to block automatic delivery of the update.
Microsoft's monthly updates are now available. There are six critical bulletins; most of them address remote code execution vulnerabilities in Microsoft Office applications such as PowerPoint, Excel, and Word.
More details about this month's patches here.
Tuesday, October 10, 2006
A software prototype for recording VoIP calls has been developed by ERA IT Solutions. It doesn't seem that the software would decrypt any of the VoIP traffic itself. Instead, it is a client-side application that listens to the computer's microphone and speakers to record the calls. The recordings are passed back in small packages over the Internet to the police authority. Two methods of installing the software on a suspect's machine have been presented. The first: police covertly install it locally. The second: the suspect's Internet service provider installs it remotely over the Internet. How the latter would be implemented is unknown to us.
F-Secure will most likely add detection for this software if we find it used in the wild. We have previously made a statement about government developed spying programs.
Monday, October 9, 2006
Microsoft has eleven security bulletins scheduled for tomorrow's Patch Tuesday. They'll be released at approximately 10am PDT (17:00 GMT). That's tomorrow evening for those of us in Europe, so it looks like it will be quite a busy Wednesday morning, with a significant number of updates to be installed. Many of them are rated critical.
This site has a nice selection of recent academic papers on security research topics: http://s3g.i2r.a-star.edu.sg.
Sunday, October 8, 2006
The "Rechnung" spam run keeps going.
We've seen Bzub or Haxdoor variants being spammed since February 2006 in German mails looking like this:
Starting August 14th, we've seen spam runs with the same message translated in Swedish, targeting Sweden:
And now, on Friday the 6th of October, we saw the first e-mails which have the message translated in Danish:
This latest attachment contains Regning.exe, which we detect as Trojan-Downloader.Win32.Small.dwf.
It appears to download additional components from speedest-net.com.
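Both the "Sony Vaio order confirmation" run above and the Rechnung/Regning runs rely on the same delivery trick: a Windows executable mailed as an attachment under a plausible business-document name, sometimes wrapped in an archive. The script below is an added example, not code from F-Secure or from this weblog, showing how a mail gateway or triage tool can flag such attachments by file name and by the bytes themselves rather than by the attacker-controlled MIME type. The messages it scans are constructed test mails built inline; the "executables" are only an MZ signature followed by zero bytes, and the assumption that Regning.exe arrived inside a zip container is ours, made to show archive inspection.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when double-clicked from a mail client.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _ext(name: str) -> str:
    return os.path.splitext(name.lower())[1]


def _is_pe(data: bytes) -> bool:
    # Every Windows PE starts with the DOS stub signature "MZ". The file name and
    # declared Content-Type are chosen by the sender; the leading bytes are not.
    return data[:2] == b"MZ"


def _check_name_and_bytes(name: str, data: bytes) -> list:
    """Reasons to distrust one file, judged by its name and its first bytes."""
    reasons = []
    if _ext(name) in EXEC_EXTENSIONS:
        reasons.append("executable extension " + _ext(name))
    stem = os.path.splitext(name.lower())[0]
    if os.path.splitext(stem)[1]:          # e.g. invoice.pdf.exe
        reasons.append("double extension")
    if _is_pe(data):
        reasons.append("PE (MZ) header")
    return reasons


def scan_message(raw: bytes) -> list:
    """Return [(attachment_name, [reasons])] for every suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = _check_name_and_bytes(name, data)
        # Also look inside zip containers, so an .exe hidden in an archive is still caught.
        if data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        for r in _check_name_and_bytes(member, zf.read(member)):
                            reasons.append(f"archive member {member}: {r}")
            except zipfile.BadZipFile:
                reasons.append("corrupt zip container")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample(filename: str, data: bytes, subject: str) -> bytes:
    """Constructed test mail with a single attachment (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "orders@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def _zip_with(member: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


# Harmless stand-in for the trojan bodies: the MZ signature and nothing else.
FAKE_PE = b"MZ" + b"\x00" * 62

SAMPLES = {
    "vaio":    build_sample("order_37679041.exe", FAKE_PE, "Order confirmation"),
    "regning": build_sample("Regning.zip", _zip_with("Regning.exe", FAKE_PE), "Regning"),
    "benign":  build_sample("invoice.pdf", b"%PDF-1.4\n%%EOF\n", "Invoice"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, scan_message(raw))
```

The benign PDF produces no findings; the Vaio sample is flagged on both its .exe name and its MZ header, and the Regning sample is flagged because of the executable inside the archive even though the outer attachment name is harmless. Checking bytes as well as names matters because the sender controls both the file name and the MIME type.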
Copyright © 2006 F-Secure Corporation