There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.



The e-mail messages that are sent typically contain funny.zip as the attachment.

E-mail subjects vary but are typically "spammy" in nature:

  Action for pleasure
  Life is good!
  life is beautiful!
  Double energy
  Paradice in your bed
  View this price
  Return sunrise to your life!
  You can be young again!
  Paradice in your bed

We've had detection for this particular malware before the spamming really began on a large scale.
 
 

So Google has these sponsored links in their search results…

Which is all nice and simple when you search for something like "flowers" or "clip art".

But try searching for "bulletproof hosting", and you'll get a bunch of Google sponsored links for companies that sell hosting for spammers:



No, this can't be true… there must be some misunderstanding. Google wouldn't license their sponsored links for such businesses.

Let's follow the first link to see where these go.



Well, duh.
 
 

One week ago we posted video to our
FSLabs YouTube channel.
We now have a high-resolution version of that video available for download.

The video can be freely used for in-house briefings, end-user education, et cetera.

You will need a media player that can handle VOB files, such as VLC, and a BitTorrent client.

Click here:
Re:Solution Torrent — 404MB.

 

 
 
 

Adobe and Sun have released patches today for several critical vulnerabilities that affect their respective Flash Player and Java Runtime Environment. Many of these vulnerabilities can be exploited to execute arbitrary code on victims' computers just by making them access a malicious URL using any application that invokes Flash Player or JRE. In English, this means that you can get hacked just by viewing a web page that contains malicious Flash or Java content.

Many of the vulnerabilities are cross-platform, and between them, they have most OS-browser combinations covered. You are vulnerable until you install the patches. Read the advisories from the vendors and grab the patches here and here.

There are no reported in-the-wild exploits yet, but we might see some soon as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities.
 
 

Apple released QuickTime version 7.2 yesterday. The update includes eight important security fixes in which viewing a maliciously crafted H.264 movie/movie/.m4v/SMIL file or visiting a malicious website may lead to arbitrary code execution. Apple's website has additional details.

The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows. If you have iTunes or Apple Software Update installed, then you can just install iTunes 7.3.1 and QuickTime 7.2 will be included. If you only have QuickTime installed, perhaps on a corporate network, then you'll need to manually download the update.

It's important to update. Why? Because of stuff like MPack.

MPack is a PHP based malware kit that's sold as if it were commercial software. It includes updates, support, and additional modules can be purchased. It's very successful at the moment.



The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors. Among the list of exploits it tries is one for QuickTime.

This new update may fix some of the QuickTime flaws known to malware authors. And it may also tip them off to new exploits. Apple's iTunes and therefore QuickTime is a very popular application. If everyone updates sooner than later it will shorten the window of opportunity for the bad guys. Patch your applications as well as your operating system.
 
 

Should police "hack"? We asked this question last February. That post was about Germany's law enforcement and hinged on a legal analysis from the German courts.

Should police hack is still an open question. Do they hack is a different question…

CNET reporter Declan McCullagh has details on a United States Drug Enforcement Administration (DEA) investigation of alleged "ecstasy" makers that utilized keylogger software to gather evidence. This is only the second U.S. case that McCullagh has found any such activity approved by a judge. You can listen to News.com's July 10th podcast for the full story. Listen to the first five minutes of the podcast.
 
 

It's that time of the month once more and for July, Microsoft has released the following security bulletins: three critical, two important and one moderate updates.

There's a new video uploaded to our YouTube Channel. Subscribers may have already noticed since yesterday. The video is a brief history on the evolution of malware and the current characteristics of crimeware.



Note: High-res version coming soon to a weblog near you…
 
 

The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings have now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious.

Again the file is downloaded using an IP address and not a DNS name but his time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as
Packed.Win32.Tibs.ab.

 

 
 
 

One of our analysis tools is named FSCSI. It's what we use to generate a report of the changes made by malware when it runs. It makes snapshots before and after the sample is run and then compares the two for changes.

The FSCSI report provides a basic understanding of what the malware is trying to do, before the analyst begins to really dig into the code. Then the analyst has a better idea of what to look for and it speeds up the whole process. We even have and are further developing automated systems that use this tool.

Another thing that we can do with the FSCSI report is to visualize it in a graphical interface. This can be helpful when dealing with a complex place of code.

Patrik recently spoke to some press in Sydney. He demonstrated the visualization of FSCSI and ZDNet Australia has some video.


 
 

During the last two weeks we've been receiving lots and lots of greeting card samples. So what happens is that someone gets an e-mail saying that they've received a greeting card from a friend, relative, or class mate and all they have to do to view it is to click on a link or go to a website and enter their eCard number. Below is an example:

SANS ISC Handler's Diary has a very interesting post regarding MPack and Apache permissions. With multiple websites being hosted on a single machine, only one of the websites needs to contain a vulnerable PHP script in order to infect all of the sites hosted if Apache permissions are not properly configured.

Italy recently experienced MPack compromises on thousands of web sites that were hosted by only a few machines.

Haven't heard of MPack? It a malware "kit" that sells online for $500 to $1000 USD. It's maintained as if it were legitimate commercial software with modular extras available and maintenance updates. This type of kit provides a layer of insulation to the malware author as he is only writing a tool, and it's other bad guys that are actually carrying out the crime.

Read more about MPack at CNET.