A new version of Safari is out. Looks like for Mac and Windows. Plenty of security fixes (mostly for Windows Safari users http://support.apple.com/kb/HT4070 )

Interesting SKYPE SPIM.

Published: 2010-03-11
Last Updated: 2010-03-11 22:40:20 UTC
by donald smith (Version: 1)
0 comment(s)

Earlier this week Jared sent us an interesting SKYPE spim. I suspect this was sent using the Skype IMbot discussed in the previous diary.
This one was a social engineering attempt to get the recipient to load scareware or fakeAV. Like most of these sites it had some java that is intended to simulate an antivirus scan. The scan is free of course. Everyone that gets "scanned" by this junk is infected. Getting cleaned of your viruses costs since you have to buy the commercial version to "clean" your infection. They have nice little functions like "hideActiveXDialog" and a doUpdatePercents which simply counts off tics to make it appear they are scanning the system. Then they throw up a banner2.jpg which is a warning that you have a bunch of scarey viruses including "System Soap Pro", AntiLamer Light, MC 30 day, SoftEther, I-Worm.NetSky.q, I-Worm.Bagle.n, Tofger-A, Zinx-A, B-S Spy 1.90 and KrAIMer 1.1"

Some of those names are known malware others appear to have been made up to insult anyone that gets this message. Who came up with System Soap, AntiLamer, SoftEther or BS spy. Here is the text that was sent out to entice victims to pay for this LAME fake AV.

WINDOWS REQUIRES IMMEDIATE ATTENTION
URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

hxxp://www.onlineck.org

For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW
****************************************

WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns
 
Recommendation: Users running vulnerable version should
install a repair utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

http://www.onlineck.org/
 
For the link to become active, please click on 'Add to
contacts' skype button or type it in manually into your web browser!”


 

Keywords:
0 comment(s)
New version of foxit pdf reader available. http://www.foxitsoftware.com/downloads/index.php

Cert write up on Skype IMBot Logic and Functionality.

Published: 2010-03-11
Last Updated: 2010-03-11 18:28:34 UTC
by donald smith (Version: 1)
0 comment(s)

CERT.at has provided a good technical analysis of a Skype IMBot.
The authors, Christian Wojner, L. Aaron Kaplan, did a good job of analysis of this IMBot.
They also "swapped notes" with Aaron Hackworth of secureworks.com. Such public/private collaboration I find to be very encouraging.

This is a fairly new vector. I have seen other IM based malware using skype IM so it’s not brand new but not too common yet either. The malware detects many Reverse Engineering applications and attempts to make the system unbootable if any type of RE is detected. It uses a new (novel) method to hide its processes/files. It scans local networks for 445 probably to exploit one of the many Microsoft vulnerabilities that can be exploited via that service. It uses "conficker like" encryption. It had logic to "infect" usb drives.

I really enjoyed this analysis as it included some interesting approaches and pointed to functionality that appeared to be in the bot but they were unable to trigger within their RE environment.
http://cert.at/static/downloads/papers/cert.at-an_analysis_of_the_skype_imbot_logic_and_functionality_1.2.pdf
 

Keywords: skype im bot
0 comment(s)
One a day keeps the hackers away. Read our discussion of the top 25 coding errors in the appsec streetfighter blog http://appsecstreetfighter.com .

Comments

What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
https://defineprogramming.com/
https://defineprogramming.com/
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
Enter corthrthmment here...

Diary Archives