Thursday, November 29, 2007

Google Cleans Up



Google announced yesterday that it has purged over 40,000 sites from its search index that were dishing out malware. The purveyors of the malware, which included everything from keyloggers, spyware, virii, and trojans to adware, spent the last few months artificially boosting their sites' rankings on various search engines. When someone typed a genuine search term into an engine such as Google, Yahoo, or Microsoft Live Search, the malware-hosting sites would appear in the top results; the user would check out the link and leave with a few bugs installed.
Over the past few months a particular botnet was employed to spam blogs, comment boxes, and bulletin boards with links and keywords that would inflate the malicious sites' ranking in these search engines. You may have seen a few of these that weren't selling V!@gra and wondered what the point was; well, now we all know.
Microsoft said that it was on the case, and Yahoo hasn't released any comment.

Tuesday, November 27, 2007

iPwned


Hope everyone had a happy holiday. Here's some fun news for those of you who are weary of Mac elitists. Two major Macintosh fan sites, http://www.applematters.com and http://iphonematters.com, were recently defaced by a hacker. But that's not the best part; that would be that they were defaced by a self-proclaimed long-time Mac user. To quote the hacker: "I'M A MAC USER. I JUST HAVE A STRONG DISTASTE FOR MAC SYCOPHANTS."
I happen to share this view. I have nothing against Apple, just snobs in general, and unfortunately a lot of computer snobs I have met feel that the Macintosh is part of their uniform, but I digress. It does appear, however, that along with the Zlob family crossover earlier, a slew of Apple updates and fixes, and now this, we're going to be seeing a lot more action on the Mac side now that so many people are wearing the uniform. Now I'm going to go listen to my iPod and price iPhones in my Safari for Windows browser.
P.S. Photo courtesy of McAfee.

Wednesday, November 21, 2007

Multi-Media Phishing Attacks


Some criminals will really go out of their way to get your identity or bank account information. New reports describe a phishing scheme that uses an automated telephone call to get you to go to your computer and visit the phisher's website directly. The call informs you of a problem with your bank account and instructs you to go to a particular web address to identify and repair the problem, which is urgent, of course. The false site has been constructed to look exactly like the recipient's bank's site. Perhaps a little spear-phishing groundwork was done to learn which bank that is, or perhaps they just picked a popular bank, such as Bank of America, and played the odds. Either way, once on the site you'll be asked to log in, and that's all they need. Note that no e-mail link is involved here, so the usual advice about not clicking links in messages doesn't protect you; reach your bank by typing the address you already know, or call the number printed on your card, never the one the recording gives you.

Thursday, November 15, 2007

Pop Up Ads and Virii, Two Great Tastes That Go Great Together!

Yesterday, computers infected with the Storm Worm were treated to pop-up ads pushing another pump-and-dump stock scam, this one for a company called Hemisphere Gold, trading under HPGI.
So the moral of the story: if you saw that pop-up, you're infected. Cleaning it up is another task. Since the worm has rootkit capabilities, it won't be an easy one, coupled with the fact that your AV software likely doesn't have definitions for this particular strain quite yet.
Mmm, Pop-ups. Here's a picture courtesy of Secureworks.

Tuesday, November 13, 2007

More Threatening Malware

A few emails have been found in the traps this past week that try to threaten or scare you into opening their attachment and installing its malicious payload. The body of the email claims to be from a private detective hired to watch you and monitor your telephone traffic. The sender claims to know you won't believe them, but offers as proof a record of your calls from the day before, in an attachment labeled call234.rar, an archive file that in actuality contains a trojan that Trend Micro labels TROJ_AGENT.AAPN.
These threatening emails always interest me a little more, considering you don't see them as often, and I find the deviation from being cordial interesting: instead of making you feel like you're getting something for free, they opt to get down and dirty with lame threats. This one was almost as cool as the one from a couple of months ago that hijacked the documents on your computer, encrypted them, and demanded a ransom for decryption.
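The lure above is a plain attachment play, and the gateway-side check for it is simple enough to show. The following is an added example, not AppRiver's filtering code and not Trend Micro's detection: it parses a raw message, pulls out the attachments, and flags archives, executables, double extensions, and files whose first bytes don't match their name. The message it inspects is constructed inline; the sender address is assumed, and the attachment body is a RAR magic header followed by zero filler, not a real archive or malware.

```python
"""Gateway-side check for the 'private detective' lure: an unsolicited e-mail
whose "proof" is an archive (call234.rar) carrying an executable payload.

Added example, not AppRiver's filtering code. The message is constructed
inline; the attachment body is a RAR magic header plus filler, not a real
archive or malware.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions that have no business arriving unsolicited as "your call records".
ARCHIVE_EXTS = {".rar", ".zip", ".7z", ".ace", ".cab"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

# File signatures, so a renamed executable ("call234.txt") is still caught.
MAGIC = (
    (b"Rar!\x1a\x07", ".rar"),   # RAR archive
    (b"PK\x03\x04", ".zip"),     # ZIP archive
    (b"MZ", ".exe"),             # DOS/Windows executable (MZ header)
)


def sniff_type(payload):
    """Return the extension implied by the first bytes, or None if unknown."""
    for signature, ext in MAGIC:
        if payload.startswith(signature):
            return ext
    return None


def risky_attachments(raw):
    """Inspect a raw RFC 822 message; return a list of (filename, reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        suffixes = PurePosixPath(name).suffixes
        ext = suffixes[-1] if suffixes else ""

        if ext in ARCHIVE_EXTS:
            findings.append((name, "archive attachment"))
        if ext in EXEC_EXTS:
            findings.append((name, "executable attachment"))
        # "record.txt.exe" style names hide the real type from mail clients
        # that truncate long file names.
        if len(suffixes) > 1 and ext in ARCHIVE_EXTS | EXEC_EXTS:
            findings.append((name, "double extension"))
        # The content says one thing and the name says another.
        sniffed = sniff_type(payload)
        if sniffed is not None and sniffed != ext:
            findings.append((name, "magic/extension mismatch (%s)" % sniffed))
    return findings


# Constructed sample payload: a RAR4 magic header plus filler, not an archive.
FAKE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 32


def build_sample(filename="call234.rar", payload=FAKE_RAR):
    """Build the detective lure as a raw message (constructed, addresses assumed)."""
    msg = EmailMessage()
    msg["From"] = "detective@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Your phone calls"
    msg.set_content(
        "I know you don't believe me, so here is the record of your calls "
        "from yesterday."
    )
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, reason in risky_attachments(build_sample()):
        print("quarantine: %s (%s)" % (fname, reason))
```

The extension lists are the blunt part; the magic-byte comparison is what catches the variant where the same trojan arrives as "call234.txt" or inside an archive named for something harmless, which is why a real gateway also opens archives and sniffs what's inside.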

Tuesday, November 6, 2007

Tis the Season...



It happens every year: along with the Christmas season come the throngs of spam and malware authors geared up to take advantage of holiday shoppers. Ever since people started receiving email at home, others with malicious intent have been targeting them. There are many threats to watch out for, from simple spam emails steering you toward a certain product or vendor that would be happy to take your money (and may even sometimes send the product you paid for), to complex phishing schemes designed to drain your Christmas savings before you can spend them yourself.
Even the most non-holiday-oriented items tend to take on a seasonal charm around the holidays, such as dating-site spam that doesn't want you to "be alone this holiday season", or the crude subject lines of pharmaceutical spam playing off the theme.
A few pieces of spam you're highly likely to see, and should avoid, I might add, are:
The letters-from-Santa spam: a company that will send a letter from Santa to your child with a North Pole postmark, perfect for those kids on the cusp of belief. Their website looks legitimate enough, complete with testimonials, but the real problem is that this is a favorite for holiday spammers looking to earn their affiliate commissions.
Another scam in your email is seen all year round, but its frequency becomes much higher during the holidays: the gift card scam. Those of you on MySpace are likely seeing a ton of these, the product of your friends' phished accounts, posted in their name along with how they couldn't believe how easy it was to get their $500 gift card. They were so amazed that they took a picture of it and had to show you. Wow. Even outside the social networking sites, these are very prevalent. You see them injected into ads on websites, or attached to online surveys that will only take a minute of your time, save for the hours you'll spend deleting the ensuing flood of extra spam you'll receive daily. I know a few people who have filled out those surveys, but I'm unaware of any of them who received a free gift card, or that free iPod.
The biggest threat to all during the holidays is the increased and aggressive phishing activity. With so many people shopping online nowadays, and the popularity of sites such as eBay, Amazon, or any site that uses a PayPal account, phishing is abundant. Sites designed to look exactly like any of these aren't difficult to end up on. Once you're there, it's possible you'll be none the wiser and proceed to hand over all of your information, and a lot of money, to the bad guys. You will often be redirected to one of these sites via an email link, or through some moderately complex DNS poisoning. A safe habit is to reach these sites through a bookmark you made yourself, or by typing the address, never through a link in a message.
These phishers don't necessarily need a bogus site to steal your information, either. Many strains of holiday virii have been written to steal your information for them, or just to cause general holiday chaos. Among many others, there were Zafi, Love Letter, the appropriately named Navidad, the 'Holiday' strains, FunLove, and Kriz, which, even though it was discovered in August, was designed to deliver its payload on Christmas Day. All of these pieces of malware spread via email, so as always, just delete unsolicited email you don't feel 100% confident about, especially anything with a holiday theme, promoting hard-to-find gadgets, free gift cards, or holiday prizes. They're all bad news.
One thing you can be guaranteed to see in your Christmas inbox this year will be our buddy the Storm Worm. Storm enjoys holidays the most, where it takes advantage of socially engineered emails to lure in its victims. I'm guessing it'll return to its roots during Christmas and pose as a greeting card from a friend or family member, as it did starting back in mid-June. Storm can be very convincing, as it has become, I dare say, the most successful worm to date. Its authors are obviously professionals, constantly building in self-defense mechanisms and rewriting its code with every release to keep the AV vendors on their toes. I'd suggest telling your friends and relatives to send the traditional paper Christmas cards if they were planning on it, and delete any e-card you receive, especially if you don't recognize the sender. Perhaps you'd enjoy a managed email security option such as AppRiver, where we'll take the threats out for you? Shameless plug?! Yeah, so.

Friday, November 2, 2007

Mac Users Invited to the Party

They've been written before, but because Mac users are a small percentage of the computer-using community, malware written specifically for the Mac usually remained at the proof-of-concept level. Well, now it looks like we've got a little something for them. So now when I get into one of those annoying arguments with a fellow geek about how their Mac is better than a PC, at least they won't be able to use the "Macs don't get virii!" argument.
As it turns out, our friend the Zlob trojan has made a platform crossover to the Mac OS X side. Zlob's main method of infection is a social engineering technique that I discussed earlier. It tricks the user into downloading it when the user is online trying to view supposed video content. A website that hosts the malware presents a still image posing as a thumbnail link to the video. However, when you click on it to play the video, it tells you that your media player, in this case QuickTime, doesn't have the proper video codec, but since they're such nice people at that site, they'll just go ahead and give it to you.
The download is a .dmg disk image file; once it mounts, a package file named install.pkg runs and infects the target machine. A package that changes system settings asks for an administrator password along the way, so the victim ends up authorizing the infection themselves.
The trojan uses the Mac's scutil command to change the machine's DNS servers to ones controlled by the attackers. The DNS server is what resolves the domain name you type into your browser to the IP address needed to actually reach the site. So now when you try to go to certain sites, such as ebay.com or paypal.com, or your bank, the rogue DNS server returns false answers, and you'll end up on a fake web page designed to phish your valuable information, one that may look just like the page you intended to visit. Because the swap happens at name resolution, the address bar shows the real domain name, so eyeballing the URL won't save you; the giveaways are a certificate warning on a site that should be HTTPS, and, more reliably, a resolver list that has changed.
Apparently, the trojan's authors have attracted many people to their website by spamming out ads for the free videos on other sites and blogs.
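Since the tell is the resolver list itself, here is how you'd check it. This is an added example, not code from the trojan or from Apple: it parses the text that `scutil --dns` prints on a Mac, collects every `nameserver[N]` entry, and reports any resolver that is neither on a private, loopback or link-local network nor in an allowlist you pass in. The sample output below is constructed; the home router address is assumed, and the two public addresses are RFC 5737 documentation ranges standing in for attacker resolvers, not real rogue servers.

```python
"""Report resolvers in `scutil --dns` output that don't belong on the machine.

Added example, not code from the trojan or from Apple. The sample output is
constructed; 203.0.113.5 and 198.51.100.7 are documentation addresses
(RFC 5737) standing in for attacker-controlled resolvers.
"""
import ipaddress
import re
import subprocess
import sys

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

# Networks a resolver may legitimately live on without an explicit allowlist:
# RFC 1918, loopback, link-local, and their IPv6 equivalents.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def resolvers_from_scutil(text):
    """Extract every nameserver address from `scutil --dns` output, in order."""
    seen = []
    for match in NAMESERVER_RE.finditer(text):
        addr = match.group(1).split("%")[0]   # drop IPv6 scope id: fe80::1%en0
        if addr not in seen:
            seen.append(addr)
    return seen


def rogue_resolvers(text, trusted=()):
    """Return resolvers that are neither local nor in `trusted`.

    An ISP or corporate resolver you rely on must be listed in `trusted`,
    otherwise it is reported too; that is deliberate, because a trojan that
    points DNS at a public address is exactly what we're looking for."""
    trusted = set(trusted)
    rogue = []
    for addr in resolvers_from_scutil(text):
        if addr in trusted:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            rogue.append(addr)          # not even an IP address: report it
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        rogue.append(addr)
    return rogue


# Constructed sample in the shape `scutil --dns` prints. 192.168.1.1 is the
# assumed home router; the two RFC 5737 addresses stand in for rogue resolvers.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 203.0.113.5
  nameserver[1] : 198.51.100.7
  nameserver[2] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000
"""


def scutil_output():
    """On a Mac, return the real `scutil --dns` text; elsewhere, the sample."""
    if sys.platform == "darwin":
        return subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    return SAMPLE_SCUTIL


if __name__ == "__main__":
    bad = rogue_resolvers(scutil_output())
    print("rogue resolvers: %s" % (", ".join(bad) or "none"))
```

Run it once on a clean machine to learn which public resolver (if any) belongs in the allowlist, then run it periodically; a new public address showing up after a "codec" install is the symptom the post describes.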
I'm guessing this will be the first in many very successful Mac infections considering most Mac users are still feeling immune to malware, and never have their guard up as much as PC users are used to, but we'll see.
Oh, and I don't think PCs are better than Macs; they're all what you make them. It's just that PCs are much cheaper, and you can find software that works on them, that's all.