Don Davidson Computer


New! Live Virus Threat Information (Continually Updated)
A new feature page that provides constantly updated virus threat information from three well-respected anti-virus services.

virus: 
A program that attempts to spread from computer to computer, often via e-mail, by attaching itself to a host program. It may damage hardware, software, or data. 

worm:
A stand-alone, self-replicating program that usually consumes memory, thus causing a computer to slow or stop responding. 


Fake Microsoft patch-themed malware campaigns spreading
6-18-09

Gumblar Malware Exploit Circulating

added May 18, 2009 at 12:47 pm

US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials, but websites may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks.

US-CERT will provide additional information as it becomes available.


UPS malware attack bombards inboxes with dangerous attachment
6-1-09
----
In the early hours of June, computer users were deluged with a malicious spam campaign spreading a Trojan horse. The emails, which claim to come from UPS, lure you into opening an attachment in the belief that it is information about a failed delivery.


WiniBlueSoft
5-2009

WiniBlueSoft is a rogue anti-spyware program that deliberately creates fake malware files on your computer in order to trick you into thinking they are infections. These files, though, are not real executables or programs and therefore cannot harm your computer. These fake infection files are randomly named and created in your C:\Windows and C:\Windows\System32 folders, and you can have as many as 600 or more of these files created. The reason WiniBlueSoft creates these files is so that you think your computer is badly infected and then purchase the program.

When the program is installed it will also be configured to start automatically when you log in to Windows. When the program is started it will scan your computer and display all the fake files it created as infections. These files will not be removed by WiniBlueSoft, though, until you first purchase the program. As these files are all fake, and are only being shown to scare you, please do not purchase the software.

More: http://www.bleepingcomputer.com/virus-removal/how-to-remove-winibluesoft


Conficker Worm
5-2009

The Conficker threat has a new twist, with the worm now reportedly installing a second mass-mailing virus that many know as Waledac.

According to a report by Xinhua News Agency, Conficker-infected machines are now being turned into servers for e-mail spam. Quoting Vincent Weafer, vice president of Symantec Security Response, Xinhua reported Conficker now installs a second virus--Waledac--that sends out e-mail spam without the computer owner's knowledge.

"Expect this to be long-term, slowly changing," Weafer was quoted as saying of the Conficker impact. "It's not going to be fast [or] aggressive."

According to security vendor Trend Micro, the worm also installs malware that masquerades as antivirus software.

Earlier this month, Trend Micro's advanced threats researcher Paul Ferguson said Conficker and Waledac originated from the same authors. Waledac has been referred to by some experts as a new version of Storm, a mass-mailing worm that surfaced in early 2007.


1-2009 / 3-30-09

The Conficker worm (also known as Downadup or Kido) has been making headlines as it infects computers unprotected by a critical Microsoft security patch. Make sure your Windows Updates are current!
(Microsoft's XP patch for this vulnerability: KB921883.) Best to just use Windows Update.

What is Conficker and how does it work?
Conficker is a worm, also known as Kido or Downadup, that cropped up in November. It exploits a vulnerability in Windows that Microsoft patched in October 2008.

Conficker.B, detected in February, added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Conficker.C, which surfaced earlier this month, shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer networking and includes a list of 50,000 different domains, of which 500 will be contacted by the infected computer on April 9 to receive updated copies, other malware, or instructions.

Microsoft released an out-of-band update with security bulletin MS08-067 way back on 23 Oct 2008, but millions of people aren't installing the patch. Needless to say, not patching has led to many of those computers becoming infected with Conficker.

Keep your Windows Updates and Antivirus up to date!

Online Removal Tools: Below

Also...
Researchers at Marshal8e6’s TRACElabs have intercepted a spam campaign that’s issuing bogus “Conficker Infection Alerts” and redirecting users to rogue security software upon clicking on the links.
See all about this fake malware here: http://blogs.zdnet.com/security/?p=3105


AntiVirus XP, 360, 2008 or 2009 - TOP Threat
9-2008
A rogue anti-malware program that displays false virus results and requires you to first purchase the software before you can remove anything. When installed, Antivirus 2008 or 2009 will scan your computer and list a variety of infections supposedly found on your computer. The results are fake; they are just trying to scam you into purchasing the software.
This program is typically known to infect a computer just after an install of a specific video codec or after clicking an infected email link. This corrupted video codec is usually distributed together with a Trojan, malware and a virus. It is crucial to remove all the components of XP Antivirus and all malware and trojans such as zlob.trojan, trojan.vundo and trojan.downloader that may have been installed along with it.

Free tool, very effective against this threat:
Malwarebytes' Anti-Malware

Or for the geeks among us:
How to manually remove XP Antivirus:
  1. Navigate to Start -> Run, type cmd in the box and click Open.
  2. In the command window, type regsvr32 /u shlwapi.dll and press Enter.
  3. Next type regsvr32 /u wininet.dll and press Enter.
  4. Next press Ctrl + Shift + Esc.
  5. Right click on XPAntivirus.exe in the Processes window and select the option to end the process.
  6. Right click on XPAntivirusUpdate.exe in the Processes window and select the option to end the process.
  7. Navigate to Start -> Search, then click on Files and Folders. Search for and delete the following files:
     XPAntivirus.exe
     XPAntivirusUpdate.exe
     shlwapi.dll
     wininet.dll
     XP Antivirus 2008.lnk
     Uninstall XP Antivirus 2008.lnk
     XP antivirus
     XPAntivirus.lnk
     Uninstall XPAntivirus.lnk
     XPAntivirus on the Web.lnk
     XPAntivirus.url
  8. Navigate to Start -> Run, type regedit in the box and click Open.
  9. Delete XP antivirus in the following path: HKEY_USERS\Software\
 10. Restart your PC and everything should be back to normal.
Note that shlwapi.dll and wininet.dll in C:\Windows\System32 are legitimate Windows system files that Windows itself depends on; only copies of those names dropped by the rogue program in other locations should be removed.


Fake Windows XP activation trojan.
11-20-08

Known as Kardphisher and "in the wild" since April 2007, this trojan horse mimics the Windows XP activation interface while collecting the credit card details the end user submits. Last week its author made significant changes to the visual interface and usability of the trojan, consequently improving its authenticity. Guess what happens when a gullible end user falls victim to this social engineering attack?
Their credit card details end up automatically in an IRC channel set up specifically for that purpose.



Beware the fake Windows Security Center

Windows XP Service Pack 2 added the Windows Security Center, a central location, accessible from Control Panel, where you can view the status and make changes to security related settings. A new Trojan is out there that installs a fake Security Center interface that nags you to install "Windefender 2008." Some users would logically assume that this is a new version of Windows Defender, but it's not. The really insidious part is that the program also interferes with your Internet connection, blocking you from downloading anything else until you pay $40.00 for the fake software. Read more about this scam here:
http://www.wxpnews.com/75XE59/081021-Research-Blog



Fake MS Update notifications by email.

10-15-2008

Malicious attackers are once again taking advantage of event-based social engineering attacks, and are currently mass mailing fake notifications for Microsoft's Patch Tuesday, attaching a copy of Trojan.Backdoor.Haxdoor next to a legitimate-looking PGP signature which is, of course, fake too.

Furthermore, this backdoor opens several TCP ports that allow remote attackers to connect to the compromised PC and execute files, steal information from it, or upload and download files. The attachment's file name varies, but uses the convention KBxxxxxx.exe, where xxxxxx is a random 6-digit number. Below are some of the file names we've seen being used:

KB199250.exe
KB246586.exe
KB535548.exe
KB572906.exe
KB763412.exe
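As an added example (not code from the original page or the report it quotes), the naming convention above can be turned into a mail-filter check: the pattern flags executable attachments named like Microsoft KB articles, and the sample message is constructed inline rather than taken from a real capture; the sender address is a hypothetical placeholder.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Lure convention from the report above: "KB" followed by exactly six digits and ".exe".
# Microsoft does not distribute patches as e-mail attachments, so a match is a strong signal.
KB_EXE_PATTERN = re.compile(r"^KB\d{6}\.exe$", re.IGNORECASE)

def is_fake_kb_attachment(filename):
    """True if an attachment name follows the KBxxxxxx.exe naming convention."""
    return bool(KB_EXE_PATTERN.match(filename.strip()))

def flagged_attachments(raw_message):
    """Names of attachments in a raw RFC 822 message that match the convention."""
    msg = message_from_string(raw_message)
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and is_fake_kb_attachment(part.get_filename())]

def build_sample(filename):
    """Constructed sample message (not a real capture) carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"   # hypothetical sender address
    msg["Subject"] = "Microsoft Security Bulletin - October 2008"
    msg.set_content("Please install the attached update.")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_string()
```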


Virus infects BOGUS FedEx Tracking email
 8-2008
Subject: Fedex Tracking Number 4296240370

Virus: Win32:Rootkit-gen

Message:
Unfortunately we were not able to deliver postal package you sent on August the 1st in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.


From Trend Micro 
Security Spotlight: The Year's Baddies: The Worst Threats of 2008
  1. Most Prolific: Mass Compromises - Hundreds of thousands of websites in Asia were compromised to spread malware in May. Attacks were carried out against popular sites and targeted specific audiences (music lovers, online shoppers, tourists, social network users, political advocates, etc.). The goal in the majority of these attacks was to drop information-stealing malware.
  2. Most Persistent: Botnets - The STORM, KRACKEN, MEGA-D, MayDay and Asprox botnets were active throughout 2008. Even the shutdown of McColo could not deter MEGA-D from continuing its cybercrime wave as it looked to alternative means of proliferation.
  3. Largest Distribution Campaign: Fake AV - An increase in fake antivirus in the second half of the year coincided with the usual annual release of security suite updates. The success of rogue AV can be attributed to its use of very convincing social engineering. This year's fake AV used a variety of infection channels: spammed eCards containing malicious URLs, IMs containing malicious URLs, private messages on social networking sites, downloads by previous malware infections, and mass SEO poisoning.
  4. Most Untraceable: DNS Changers - A new DNS changer Trojan uses a new method to poison other hosts on the local subnet by installing a rogue Dynamic Host Configuration Protocol (DHCP) server on the network. What makes this DNS changer particularly egregious is the fact that a single connected PC infected with this DNS-changing Trojan is enough to exploit an entire network.
  5. Most Automated: WORM_DOWNAD.A - WORM_DOWNAD.A is a .DLL worm that exploits the MS08-067 vulnerability. Security analysts believe this worm is the key component in the development of a new botnet. Thus far more than 500,000 hosts have been infected in the U.S., China, India, the Middle East, Europe and Latin America.
  6. Most Technologically Advanced: The MBR Rootkit - The MBR (Master Boot Record) rootkit surfaced in early 2008. Malicious code is downloaded and executed, and the rootkit is installed via the MBR. The Trojan, detected by Trend Micro as TROJ_SINOWAL.AD, creates a mutex to ensure that only one instance of itself is running on the affected system. It looks for the bootable partition of the affected system and then creates a new malicious MBR that loads the rootkit component, detected as RTKT_AGENT.CAV. The component is saved in an arbitrary sector within the bootable partition.
  7. Most Destructive: Ransomware - A new version of GPcode ransomware, detected as TROJ_RANDSOM.A, surfaced in November. It searches for and encrypts files found on any readable and writable drive on the system, rendering them inaccessible without the encryption key. It also changes the names of the encrypted files by adding the .XNC extension. The user is then informed that the files have been encrypted and that a decrypting tool must be purchased to decrypt them. This is done through a text file dropped in each folder containing an encrypted file.
  8. Most Pesky: Autorun Malware - The fourth highest infection vector is removable drives (portable / external hard drives, thumb drives, flash disks, memory cards, etc.). Asia and Australia have the highest rate of infection via removable drives, followed by Europe, the Middle East and Africa (EMEA). This malware is so successful at propagation that it has also infiltrated NASA (data-stealing malware stowed away to the International Space Station) and the Pentagon. Some of HP's ProLiant USB keys were found to be carrying worms as well.
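As an added example (not code from Trend Micro or this page), item 6 describes the rootkit locating the bootable partition and replacing the MBR; the same 512-byte structure is what a defender parses to verify the boot signature, find the single active partition, and compare the bootstrap code area against a known-good copy. The sample sector is constructed inline; no real disk is read.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446  # bootstrap code occupies bytes 0..445
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510

def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR, or raise on a malformed one."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def bootable_partition(sector):
    """The single active (0x80) partition the BIOS would boot, or None if there is not exactly one."""
    active = [e for e in parse_mbr(sector) if e["bootable"]]
    return active[0] if len(active) == 1 else None

def bootstrap_code_differs(current, baseline):
    """True if the bootstrap code area differs from a known-good copy; the partition table is ignored."""
    return bytes(current[:PARTITION_TABLE_OFFSET]) != bytes(baseline[:PARTITION_TABLE_OFFSET])

def build_sample_mbr():
    """Constructed sample: one bootable NTFS-type (0x07) partition and one inactive one."""
    sector = bytearray(MBR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 63, 204800)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + ENTRY_SIZE,
                     0x00, 0x07, 204863, 409600)
    struct.pack_into("<H", sector, SIGNATURE_OFFSET, 0xAA55)
    return bytes(sector)
```

On a real system the baseline is a copy of the MBR saved while the machine was known clean, and a changed bootstrap area is a reason to inspect further rather than proof of this particular rootkit.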
