
New way found to steal data encrypted using SSL/TLS

Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS.

A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.

  • Steals SSL data using advanced Winsock2 functionality
  • State-of-the-art, modularized trojan code
  • Spread through IE browser exploits
  • Undetected for weeks or months by many AV vendors
  • Customized server/database code to collect sensitive data
  • Customer interface for on-line purchases of stolen data
  • Accounts compromised by stealing data primarily from infected home PCs
  • Accounts at top financial, retail, health care, and government services affected
  • Data’s black market value at least $2 million

There are two other known variants. New variants and similar attacks are inevitable.

Read more here: Gozi Trojan
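The post says only that the trojan uses "advanced Winsock2 functionality" and does not name the mechanism. Winsock2's documented extension point for inserting a DLL into every socket call is the layered service provider (LSP), so one routine defender check is to audit the Winsock catalog for layered providers that nobody installed on purpose. The script below is an added example, not code from the post or from Sunbelt: it parses the text that `netsh winsock show catalog` prints on Windows XP SP2 and later, and lists every layered entry together with its DLL path so an administrator can decide whether it belongs there. The sample catalog, the `sslspy.dll` name and the GUIDs in it are constructed; the output layout is modelled on netsh's and may need small adjustments for a given Windows version.

```python
"""Audit a saved `netsh winsock show catalog` listing for layered providers.

Added example, not from the original post or from Sunbelt. Assumes the
operator has redirected netsh output to a text file; the sample below is
CONSTRUCTED and the layered provider in it is fictitious.
"""
import re
from typing import Dict, List, Tuple

# "Key:   value" lines as netsh prints them (value is padded with spaces).
KEY_VALUE = re.compile(r"^([A-Za-z ]+?):\s+(.*\S)\s*$")

# Constructed sample: one Microsoft base provider plus one layered provider
# and its chain entry. Real catalogs have many more base/namespace entries.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Layered Service (constructed)
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\WINDOWS\\system32\\sslspy.dll
Catalog Entry ID:                   1034
Version:                            2
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Layered Service over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\WINDOWS\\system32\\sslspy.dll
Catalog Entry ID:                   1035
Version:                            2
Protocol Chain Length:              2
"""


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh-style output into one dict per 'Winsock Catalog Provider Entry'."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = KEY_VALUE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    if current:
        entries.append(current)
    return entries


def audit_catalog(text: str, allowlist: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Return (catalog id, entry type, provider path) for every layered entry
    whose DLL file name is not on the operator's allowlist of known-good LSPs.

    Base and namespace providers are left alone: on a clean install they are
    Windows' own. Layered providers are only ever added by third-party code,
    which is why each one deserves a look.
    """
    allowed = {a.lower() for a in allowlist}
    findings = []
    for e in parse_catalog(text):
        etype = e.get("Entry Type", "")
        if not etype.startswith("Layered"):
            continue
        path = e.get("Provider Path", "")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if dll in allowed:
            continue
        findings.append((e.get("Catalog Entry ID", "?"), etype, path))
    return findings


if __name__ == "__main__":
    import sys

    # Usage on the suspect host: netsh winsock show catalog > catalog.txt
    # then: python audit_winsock.py catalog.txt
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CATALOG
    for cat_id, etype, path in audit_catalog(text):
        print(f"[{cat_id}] {etype}: {path}")
```

Some legitimate products (older personal firewalls, parental-control and proxy tools) also install LSPs, so the allowlist exists to silence the ones an organisation knowingly deploys; anything left over should be checked by file hash and signer before the catalog is reset.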

March 26, 2007 on 4:25 am | In Identity Theft, Malware | No Comments |

Fake Windows Sites + WMF Exploit + Keylogger = New Botnet

Adam Piggott of Proactive Computing received a message claiming to be from Microsoft. The email had a link to a supposed Windows update site, but in fact the link went to a site running the WMF exploit. On an unpatched Windows computer, the exploit hits immediately. Social engineering is also at work, urging users to click a link at the site to get Windows updates. Either way, whether unpatched or patched and clicking the link, a user gets hit with a trojan downloader; in this case the trojan file name is wusetup.exe.

The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. This keylogger writes information stolen from infected machines to a log on a remote server.

For more details on this current exploit and botnet, see the SunbeltBLOG post, which includes screenshots of the fake Windows update site and of the live botnet on the Russian server. Note: the trojan downloader file wusetup.exe is currently detected by less than half of the antivirus scanners at VirusTotal.

March 13, 2006 on 9:46 am | In Exploits & Vulnerabilities, Identity Theft, Worms | No Comments |

Trojan Horse keylogger steals end-user information for popular online games.

Websense® Security Labs™ has received reports of a malicious website which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code’s filename is main_n80.scr and it was discovered on a site which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.

The main_80.scr file is an SFX self-extracting executable file that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it uses download.exe to copy the extracted files to the system32 directory and to execute its own version of run32dll.exe. The rundll32.exe file shows error.jpg. Once the user closes the .jpg file, rundll32.exe executes the rest of the extracted .exe files.
These extracted .exe files modify the registry, as detailed below, to ensure that they start on restart, and check for the existence of the application Lineage.
* Modifies or creates the following files in the system32 directory:
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created
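Two of the dropped files are described as plain copies under new names: Kerne0110.exe is a copy of winlogin.exe, and Rundll32.exe (a name that mimics the real Windows rundll32.exe) is a copy of download.exe. Content-identical files under different names are easy to surface with a hash pass over the directory, which is a useful first triage step on a machine suspected of this infection. The script below is an added example, not code from Websense or from the blog: it groups files in a directory by SHA-256 and reports every group with more than one name. The demo tree it builds is constructed (the file names follow the alert, the contents are fake); on a real host you would point it at %SystemRoot%\system32.

```python
"""Group files in a directory by content hash to expose renamed copies.

Added example, not from the Websense alert or the blog. The demo tree is
CONSTRUCTED: the names follow the alert, the bytes are stand-ins.
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def duplicate_groups(directory: str, min_size: int = 1) -> Dict[str, List[str]]:
    """Map content hash -> sorted file names, keeping only hashes seen in 2+ files."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for name in os.listdir(directory):
        full = os.path.join(directory, name)
        # Skip subdirectories and empty files (empty files would all collide).
        if not os.path.isfile(full) or os.path.getsize(full) < min_size:
            continue
        by_hash[sha256_of(full)].append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def suspicious_copies(directory: str) -> List[List[str]]:
    """Duplicate groups as lists of names, in a stable order for reporting."""
    return sorted(duplicate_groups(directory).values())


def build_demo_tree() -> str:
    """Constructed stand-in for a system32 directory after the described drop."""
    d = tempfile.mkdtemp(prefix="sys32demo_")
    files = {
        "winlogin.exe": b"MZ-fake-winlogin-payload",
        "Kerne0110.exe": b"MZ-fake-winlogin-payload",  # copy of winlogin.exe
        "download.exe": b"MZ-fake-download-payload",
        "Rundll32.exe": b"MZ-fake-download-payload",   # copy of download.exe
        "msabc.dll": b"MZ-fake-dll",
        "error.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for group in suspicious_copies(target):
        print("identical content:", ", ".join(group))
```

On a real system32 there are a few legitimate duplicates, so the hits are a list to review rather than a verdict; the signal the alert describes is a file carrying a Windows binary's name whose content matches an unknown, recently written executable rather than the genuine binary.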

March 13, 2006 on 9:19 am | In Identity Theft, Trojan | 3 Comments |

LdPinch again spammed via ICQ

Over the weekend, Kaspersky Lab intercepted Trojan-PSW.Win32.LdPinch.ahe - the latest variant of LdPinch.
This malicious program sends itself to everyone on the victim’s ICQ contact list. It sends a Russian message which says:

[translation] How to trick WebMoney!
To find out how, read the Help instructions!

The message includes a link to the malicious program file, which is called Help.chm.

March 13, 2006 on 9:13 am | In Identity Theft, Virus | No Comments |

WMF exploit and Phishing

F-Secure Labs has found a phishing scam exploiting this vulnerability. The scam works by sending out emails urging customers of the global HSBC bank to visit a site called www[dot]jhsbc[dot]com. This domain, naturally, has nothing to do with the real bank, but it sounds close enough.

The site is running on a compromised home computer somewhere in Illinois. This machine, connected to the net via a high-speed cable connection, is hosting or has been hosting several other phishing-related domains, including these gems that administrators might want to filter at their gateways: www[dot]i7tgg4rv[dot]com, www[dot]ll67ffgsp[dot]com, www[dot]mrhpd74e[dot]com and www[dot]pph4e32q[dot]com.

The WMF connection comes from the fact that if you visit this site (and please don’t), the front page contains an IFRAME that will try to push an exploit file called tr.wmf to your system. When that is executed, it will download a file called update.exe from the same server. This unexpected gift turns out to be a variant of the Trojan-Spy.Win32.Goldun family, which will start to collect information from the system.
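Three of the posts on this page hinge on a domain that merely resembles the real one: the fake Windows update site, the Nokia Taiwan "cousin domain", and jhsbc.com standing in for HSBC. A mail or web gateway can catch much of this with a simple look-alike check on the host name. The script below is an added example, not code from F-Secure, Websense or the blog: it refangs the `[dot]` notation used when quoting such links, extracts the host, and flags any label that embeds or is one edit away from a protected brand token while not sitting under that brand's own domains. The brand table and all sample links other than jhsbc[dot]com and i7tgg4rv[dot]com (both quoted in the post) are constructed.

```python
"""Flag look-alike ('cousin') domains against a list of protected brands.

Added example, not from the original posts. The brand table is CONSTRUCTED
and deliberately small; a deployment would load the organisation's own list.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# (display name, brand tokens to look for in host labels, domains that really
# belong to the brand). Constructed for this example.
BRANDS: List[Tuple[str, Tuple[str, ...], Set[str]]] = [
    ("HSBC", ("hsbc",), {"hsbc.com", "hsbc.co.uk"}),
    ("Nokia", ("nokia",), {"nokia.com", "nokia.com.tw"}),
    ("Microsoft", ("microsoft", "windowsupdate"), {"microsoft.com", "windowsupdate.com"}),
]

# Labels that carry no brand information on their own.
GENERIC_LABELS = {"www", "com", "net", "org", "co", "uk", "tw", "hk", "info", "biz"}


def refang(text: str) -> str:
    """Undo the [dot] / (dot) / [.] / hxxp obfuscation used when quoting bad links."""
    text = re.sub(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", ".", text, flags=re.I)
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.I)


def hostname(url: str) -> str:
    """Lower-case host from a URL or bare host name, after refanging."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def belongs_to(host: str, domains: Set[str]) -> bool:
    """True when host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', brand display name)."""
    host = hostname(url)
    if not host:
        return ("unrelated", None)
    for name, _tokens, domains in BRANDS:
        if belongs_to(host, domains):
            return ("legitimate", name)
    for label in host.split("."):
        if label in GENERIC_LABELS:
            continue
        for name, tokens, _domains in BRANDS:
            for token in tokens:
                # Brand embedded in, or one typo away from, a label we do not own.
                if token in label or levenshtein(label, token) <= 1:
                    return ("lookalike", name)
    return ("unrelated", None)


if __name__ == "__main__":
    for link in ("www[dot]jhsbc[dot]com", "https://www.hsbc.com/personal",
                 "http://windowsupdate.example.net/wusetup.exe", "www[dot]i7tgg4rv[dot]com"):
        print(link, "->", classify(link))
```

Note what this does not catch: throwaway domains such as the four others F-Secure lists resemble nothing, so a similarity check returns "unrelated" for them. Those are handled the way the post suggests, by an explicit blocklist at the gateway; the look-alike check and the blocklist complement each other.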

January 16, 2006 on 1:10 pm | In Exploits & Vulnerabilities, Identity Theft | No Comments |

How to detect a keylogger on my computer?

Why Keyloggers Threaten Your Privacy

1. Surveillance software is very common nowadays. A Google search on keyloggers yields 39,000+ results.
2. Software mentioned in (1) has a bunch of features to record your activity in every possible way. See some features here.
3. Due to their “good purpose”, keyloggers and other types of surveillance software are not detected by AntiVirus programs.
4. Most keyloggers are more threatening than the so-called spyware. Keyloggers can record your passwords, emails, credit card number, etc.
5. Some keyloggers can even be installed remotely. Google search here.
6. Most (if not all) keyloggers are invisible. This means you will not know if a keylogger is running on your system.
7. More and more people are using keyloggers or surveillance software. These include your friends, spouse, employer, etc.
8. The recorded keystrokes can be sent to an email address. So physical access to your computer is not necessary.
9. Public computers (e.g. public library’s) might have keyloggers installed. It is just a possibility.
10. You value your privacy, don’t you?

Use the following software to detect keyloggers:

1. Kldetector - a small free program for detecting keyloggers
2. SnoopFree Privacy Shield - informs you when another program is trying to log your keystrokes

November 26, 2005 on 4:24 am | In FAQ, Free Software, Identity Theft, Tips, Tutorials - "How to" | No Comments |

CounterSpy Protects Against New Spyware Keylogger

The spyware keylogger, named Srv.SSA-KeyLogger, secretly steals data from users’ Internet sessions, including logins and passwords from online banking sessions, eBay, PayPal, and other programs that use HTML forms to collect personal information. It is a new variant of existing Trojans known by a variety of names, including Troj/Dumaru-BD, Troj/Dumaru-AL, Troj/Dumaru-BO, BackDoor-CCT.gen, and Backdoor.Nibu.L.

Note that all of the infections we have observed of this keylogger are on older unpatched Windows XP systems, underscoring the need to have Windows XP SP 2 installed. To protect users from this harmful keylogger, new definitions have been added to Sunbelt’s spyware threat database that powers both CounterSpy and CounterSpy Enterprise. All current customers will receive the latest definition updates.

Make sure the definitions of CounterSpy Consumer are updated to version 261 (256 for CounterSpy 1.0.29) by clicking File > Check for updates, then scan your PC for this new spyware.

Visit the SSA-KeyLogger cleaning page (Version 21.00, updated Nov 7) to download a free utility to detect and remove the SSA-KeyLogger spyware.

If your PC is infected, and Srv.SSA-KeyLogger shows up as quarantined by CounterSpy, that means your personal information has been compromised. Make sure to warn any financial institution (Banks, PayPal, eBay, stock broker, etc) you have checked via this PC and change your passwords for these accounts immediately!

Download CounterSpy.

November 24, 2005 on 8:14 pm | In Identity Theft, Spyware protection and removal | No Comments |

Attention Online Shoppers: Identity Theft and Computer Security Hazards at Risk of Increasing During Holiday Season

For those who think shopping malls are scary places during the holiday season, the threats you can’t see while shopping on the Internet can be far more prevalent. Online shopping is predicted to increase by 25% this holiday season, according to Forrester Research, including 2.5 million new households that will purchase online for the first time. As the number of online purchases increases, so do the risks of identity theft, spyware, viruses, worms and phishing. A recent survey by Consumer Reports showed that users have a one in three chance of suffering computer damage, financial loss or both because of computer viruses, spyware or hackers. Yet many home computer users fail to take steps to protect their computers and their confidential information from these serious threats.

Households without adequate computer protection are also at greater risk from crippling viruses, worms and spyware that steal their personal information and slow PC performance, and from hackers, who are growing in number. In addition, there can be a greater level of unsupervised Internet use by children during the holidays, which puts not just computers but families at risk. While these threats are present all year, they are magnified at this time of year, and can be exacerbated by friends and family members who may be visiting and using home computers in an unsafe way.

The next step is maintaining safe computing and online shopping practices. We offer the following tips:
* Print copies of all online receipts to check against your credit card bill, to prevent overcharges and duplicate charges. Also print copies of any guarantees or warranties for your files.

* Businesses and financial institutions will rarely send an e-mail asking customers to reply directly with personal information. Users who receive an official-looking e-mail requesting such information should contact the business directly using an already established contact to ensure that it is legitimate.

* When shopping online, the TRUSTe symbol or a Better Business Bureau online seal are good indications that the vendor has technology in place to protect sensitive personal information.

* If a website is secure or using encryption to protect customers’ identities, its address will begin with “https” instead of “http” in the browser address field, and the browser will display a padlock icon on the lower right-hand border of the window. Shoppers should make sure they are on a secure or encrypted site before conducting a transaction online.

* Avoid using social security numbers online. See if the online vendor can use other information; if not, submit this information to trusted online vendors only.

* Make sure the selected online vendor has a privacy policy, to ensure that customer information will not be sold after your transaction has taken place.

Protect your computer now. Download and install anti-virus and spyware protection, and use Firefox :)

November 22, 2005 on 6:02 am | In Identity Theft, Tips | No Comments |
