Posts Tagged ‘Rogue AV’

Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Wedding Card results
Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

  • Share/Bookmark

Tags: , , , , ,
Posted in Email Security, Security, phishing | No Comments »

Warning! March Madness Means March Malware

Friday, March 12th, 2010

By Barracuda Labs

If you’re working on your Atlantic Coast Conference brackets this week, be extra careful where you click. Cybercriminals are up to their old tricks and hoping you’ll make a fast break to their Web sites.

To raise the chances that you will, they’ve taken over popular search terms such as “ACC Tournament Schedule 2010″ and “ACC Tournament Bracket” and inserted poisoned links that lead to Rogue AV sites. SEO poisoning continues to pick up steam as attackers race to re-direct your browser to a Web site serving up various malicious programs. In this case, “CleanUp Antivirus” Rogue AV seems to be the flavor of choice.

As part of this experiment, Barracuda Labs discovered that a Google search for “ACC Tournament Schedule 2010″ returned 23 malicious links within the first 50 results. Unless you know how to tell the difference between the good links and the bad ones, you stand almost a 50% chance of having your computer taken over by “Scareware” that tries to separate you from as much as $90 for the fake software.

We discuss Rogue AV and SEO poisoning in more detail in our 2009 Annual Report released this week. The attacks are becoming increasingly more popular as hackers target vulnerabilities in legitimate Web sites, making it more likely for the page to be visited and the malicious content to be delivered. .

CNBC sites surveys that show almost 45% of American workers participate in March Madness pools at work. Much of this research is happening on company time, causing a significant decrease in employee productivity as loyal fans follow their favorite teams. While the boss may turn a blind eye to that activity, a malware infection sure won’t help your ranking at work.

Barracuda Web Filter and Barracuda Web Security Service customers are protected from this attack.

Below are screenshots that trace the attack.

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Top results for ACC Tournament Schedule 2010 from Google

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

Beginning at result 11, the links all lead to malicious content.

When the user clicks on a poisoned link, the following page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

When you click on a poisoned link, this page pops up briefly.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Next, an official-looking warning appears.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

Followed by bad news, which is completely untrue.

The Web page wants the user to run a file. Don’t do this!

The Web page wants you to run a file. Don't do this!

The Web page wants you to run a file. Don't do this!

If the user does run the file, the user will become infected with CleanUp Antivirus.


If you do run the file, you are infected with CleanUp Antivirus.

If you do run the file, you are infected with CleanUp Antivirus.

CleanUp Antivirus repeatedly sends you to this ‘money page’ where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.

CleanUp Antivirus repeatedly sends you to this 'money page' where the user is asked to submit a credit card.

  • Share/Bookmark

Tags: , ,
Posted in Internet Security Tips, Research, Security, Web Security | No Comments »