Monday, October 22, 2007

Nuwar/Storm Worm update!

The gang behind Storm Worm (a.k.a eCard worm) has once again changed their social engineering tactics and also file names. Now, we get a "Psycho Kitty Card" (whatever that means!) instead of plain old eCards:

When we click on the link, we are presented with a fake web page as usual. Along with this, it plays music too!

And in this iteration of Storm Worm, the drive-by-download is back. The PC will be infected with a variant of Tibs Rootkit just by visiting the page. No need to download or click on anything. Now rootkit files are named as noskrnl.exe, noskrnl.sys and noskrnl.config instead of spooldr.exe, spooldr.sys and spooldr.ini,which were prevalent in older versions. Here are some screenshots showing hidden process, SSDT hooks of the rootkit:


Detections for this Storm Worm variant are pretty good. However, to be on the safer side, delete any of the "Psycho Kitty Card" mails that you might have received!

Sunday, October 21, 2007

www.pravingodkhindi.com hacked?!

Pages of www.pravingodkhindi.com – website of renowned Indian flute artist Pravin Godkhindi - have been injected with malicious Javascript. This script tries to load the page stelaartois.ru/index2.php. Here's a screenshot of Privoxy showing webpages that are requested when www.pravingodkhindi.com is opened in a browser:

Here's a screenshot of the injected Javascript:

More information about stelaartois.ru is available here. This hack is probably an old one as the domain stelaartois.ru is inactive now. It redirects to www.sedoparking.com search page, and doesn't drop any malware. However, webmasters at www.pravingodkhindi.com seems to be unaware of this, and the injected code is not yet cleaned!

Saturday, October 20, 2007

More xvgaoke.cn!

In the previous post, we talked about hacked www.myphonegames.co.uk and the malicious site http://xvgaoke.cn. However, MyPhoneGames is not the only one that is hacked to load scripts from http://xvgaoke.cn. This simple Google search query shows more hacked sites, which load scripts and pages from http://xvgaoke.cn. Here's a snapshot of search results:

DShield.org has more information about this, here.

Myphonegames.co.uk hacked?!

It seems that some pages of a mobile-phone games website www.myphonegames.co.uk have been hacked to execute malicious looking Javascript. As seen from below screenshot, the script http://xvgaoke.cn/1.js is executed when certain links at Myphonegames are clicked:


This script makes use of iframe and loads an HTML page - http://xvgaoke.cn/1.htm:

This HTML page drops a file named Ntdetect.exe to the root drive:

However, Ntdetect.exe is not actually an executable but it's an HTML file:

This surely is a drive-by-download attempt to drop malware. Even though files that are dropped as of now are non-malicious, this can change at anytime and malicious files can be dropped without knowledge of the user! Finally, here's what Google says about http://xvgaoke.cn:

Tuesday, October 16, 2007

The netadv - fake toolbar from Zlob

Gang behind Zlob malware has come up with one more smart way to trick PC users into downloading rogue anti-spyware applications and to make (more) money!

This toolbar, known as The netadv, offers various (fake) features like pop-up blocking, system security test, spyware scan, spam protection etc. Here are some screenshots of this toolbar:


All these toolbar buttons point to various rogue sites which push rogue anti-spyware applications. You are guaranteed to get new applications on almost each click! This fake toolbar also warns us about "possible" adware and spyware infection whenever we visit some "suspicious" sites. Here's one such warning issued by toolbar for Microsoft website;)

So, what happens when we click on "Click Here" link? As you might have guessed, we are taken to some randomly named rogue anti-spyware application's website:

At the time of this writing, detections for The netadv toolbar files are poor. Some info about this malware can be found here. Hopefully detections for this malware will improve soon! If your PC is infected with this malware, you may go through the CastleCops Malware Removal And Prevention to get rid of this.

Saturday, October 13, 2007

SystemErrorFixer and fake system shutdown warning

SystemErrorFixer (www(dot)systemerrorfixer(dot)com) is a relatively new addition to the huge family of rogue anti-spyware software. However, the website uses a little different technique to "force" a PC user to download their tool. When the rogue website is visited, we are greeted with a message box which initiates a 30 seconds countdown to shutdown the system. This is reminiscent of the system shutdown messages of Blaster worm. To avoid the shutdown, we are forced to download a "Prevention Tool". Here's a screenshot:

Nothing happens when the counter reaches zero ;)

Thursday, October 11, 2007

Spot The Not!

Here's small comparison between fake and real PayPal login pages. Spot the phishers!



Monday, October 08, 2007

Hacked Indian university site serving malware

We have seen many cases wherein US University websites (.EDU) are hacked and made to serve malware and other junk (info here, here)! Now, gang behind those hacking incidents has targeted few Indian University websites too. One "fine" example is www(dot)mlncollegeynr(dot)ac(dot)in, which is the website of Mukand Lal National College, Yamunanagar, Haryana, India. Here's a screenshot of Google search results for this site:

Those entire dubious webpages link to various other rogue sites such as fake search engines, rogue antispyware pushers, Zlob malware installers etc. Here's one such rogue site, reached from links present in hacked college site:

It seems that, Klik gang (info here (pdf)) is responsible for this. But, sadly this seems to be the second time the college’s site is being hacked. First one happened around April 2007, as evident from this site:

Concerned college authorities have informed by email, however haven't heard anything from them yet. Let's hope they will clean up the mess!

Saturday, October 06, 2007

Rogue application pretends as Microsoft Antispyware

So far, we have seen various rogue anti-spyware applications doing rounds of the Internet. However, here's one such rogue application that needs to be mentioned! Because, the website that pushes this rogue application calls itself as "Microsoft Antispyware Center"! Layout of this website is identical to old rogue applications like SpyShredder, MalwareMonitor etc. Here's a screenshot of the website:


Not to mention, the "Online Security Scanner" is fake too. The online scanner "detects" few "high" rated threats and urges to remove them all.


And, when a user clicks on "Remove All", a file named Setup.exe hosted at www(dot)liveupdatesnet(dot)com (do NOT visit this site), will be prompted for download.



And, the authors of this rogue application have paid attention to small details like setting the "Company" attribute in file properties to "Microsoft".


Fortunately, this piece of malware is detected pretty well by AVs. Here's a VirusTotal scan result: