Monday, August 31, 2009

Trojan Targets Skype Users

Friendly Computers discovered information about a frightening new piece of malware affecting Skype users, which records your voice calls and could potentially send them to a third party. Read more below…

TrendLabs researchers were alerted to a newly released Proof-of-Concept (PoC) that listens to and records voice calls carried out via Skype. Trend Micro detects this as TROJ_SPAYKE.C. Skype is a popular application used for making voice over IP (VoIP) calls.

Upon execution, the DLL component (also detected as TROJ_SPAYKE.C) intercepts Skype traffic and hooks the send and recv APIs. This is done before Skype encrypts the traffic it sends to other users. This enables the Trojan to save all gathered information as audio files, which could then be sent to a malicious user. Here’s a screenshot of the captured information:


Figure 1. Sample of intercepted traffic

This poses no threat as of the moment; it only collects information but does not decrypt the said information and consequently send it to a remote user. However, future attacks that do engage in information theft cannot be ruled out.

Users are advised not to give away any crucial information when conversing online to prevent info theft. Trend Micro protects users from this attack through the Trend Micro Smart Protection Network.

Source: http://blog.trendmicro.com/trojan-targets-skype-users/

Friday, August 28, 2009

Beware fake Snow Leopard sites

Although Mac OS X Snow Leopard will not be released until Friday, many websites are offering a free download of what is allegedly the new OS. Really, they are just offering up a trojan that will redirect you to phishing websites and possibly install fake antivirus software. Friendly Computers advises you to avoid these websites and purchase the upgrade from Apple when it is released. You can read more below…

Before the August 28 official release of Apple’s OS X Snow Leopard, cybercriminals are already hitchhiking on this to proliferate their malicious activities. Earlier today, Advanced Threat Researcher Feike Hacquebord discovered several fake sites that supposedly give Mac users free copies of the newest version of the Mac OS, Snow Leopard. However, accessing these malicious sites lands users on a DNS changer Trojan detected by Trend Micro as OSX_JAHLAV.K.

Once executed, OSX_JAHLAV.K decrypts codes, which include a script that downloads other malicious scripts. The said script then alters the DNS configuration and includes two additional IP addresses in its DNS server. Users are thus possibly redirected to phishing sites and other fraudulent sites. In fact, some of these bogus sites are reportedly hosting FAKEAV (rogue antivirus) variants and components.

As of this writing, all malicious URLs are already blocked by Trend Micro. Users are strongly advised to get only the latest Snow Leopard update directly from the Apple site…

Source: http://blog.trendmicro.com/bogus-snow-leopard-update-sites-lead-to-dns-changers/

Wednesday, August 26, 2009

Snow Leopard Contains an Antivirus

Friendly Computers discovered that the next version of Mac OS X, Snow Leopard, could come with an antivirus feature. This is a surprise, considering one of the major selling points of Macs and Mac OS X is that they tend to be malware-free. Read more below…

We’ve gotten reports about an interesting feature in Snow Leopard, the new version of Mac OS X due for release this Friday. According to reports we’ve seen – and the screen shot below – Snow Leopard contains an antimalware feature.

We’re not sure yet exactly how this works, but the above screen shot shows this feature working with a download made via Safari, detecting a version of the RSPlug Trojan horse in a downloaded disk image.

Source: http://blog.intego.com/2009/08/25/snow-leopard-contains-an-antivirus/

Wednesday, August 19, 2009

Rogue Facebook apps steal login data, send spam

Friendly Computers warns you to be careful using Facebook apps. There are a few out there that can steal your login info and spam your friends. Read more below…

Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps is stealing login credentials and spamming the victim's friends.

So far, six malicious applications have been identified: "Stream," "Posts," "Your Photos," "Birthday Invitations," "Inbox (1)," "Inbox (2)" according to a blog post by Trend Micro researcher Rik Ferguson.

As of Wednesday afternoon, all of the apps were live except for "Stream," he said in an e-mail.

This screenshot shows evidence of the phishing scam on Facebook.

(Credit: Trend Micro)

The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called "sex sex sex and more sex!!!," which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn't appear to be malicious and may have been compromised somehow in order to begin the distribution of the spam, he said.

That first notification included hyperlinks that led to a phishing site on the "fucabook.com" domain, allegedly registered to someone in Armenia, he said. Once Ferguson gave up his credentials (for a Facebook account he uses for research purposes) he was directed to Facebook and to an application install screen for the app called "Posts."

He installed that app and immediately his friends were spammed with a bogus notification "Profile_name has sent you a message," with the hyperlink to the phishing site.

On Tuesday, the first couple of apps were sending notifications that hyperlinked to the fucabook phishing site but by Wednesday the destination had changed to a simple IP address rather than a domain name, he said. A JavaScript that pulls up Facebook bounces the browser around among any of the six rogue apps to get them widely installed and the cycle continues, he said.

All the apps look and act exactly the same and include ads.

"I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation," Ferguson wrote on his blog.

A Facebook spokeswoman said the company was looking into the matter and would provide more comment later.

Ferguson recommends that Internet users always check the URL displayed in the browser address bar before entering any sensitive information on a site and hover the mouse over a hyperlink to see the URL. Facebook users should also review their privacy settings regularly and delete any applications they no longer use, he said.

Source: http://news.cnet.com/8301-27080_3-10313618-245.html

Friday, August 14, 2009

Security firms discover botnet on Twitter

Microblogging website Twitter has been on the forefront of news because of its security issues lately, and Friendly Computers just discovered that it could be used to spread malware and create a botnet. Read more below…

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.

Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.

"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.

Source: http://news.cnet.com/8301-13577_3-10310168-36.html

Monday, August 10, 2009

Prevent USB Drives from Spreading Viruses

If you have a USB drive that you use with multiple computers, it could be used to spread viruses and malware from one PC to another. Friendly Computers advises you to change your AutoPlay settings to prevent this from happening, and you can read how to do it below…

When you stick a thumb drive infected with a worm like Conficker/Downadup into a clean system, the normally handy AutoPlay feature launches the worm and spreads the infection. So, what are you waiting for? Turn off AutoPlay! Panda Security offers a free "vaccine" program that will turn it off. But you can actually flip the master switch without any utilities. Here's how:

On non-Home versions of Windows (for example, Windows XP Professional, Vista Ultimate):
1. Click Start, click Run, enter gpedit.msc (launch Group Policy Editor);
2. XP users: Open Computer Configuration | Administrative Templates | System,
Vista users: Open Computer Configuration | Windows Components | AutoPlay Policies;
3. Find Turn Off AutoPlay in the right-hand pane and double-click it;
4. Choose Enabled and set it for All drives.

Or, in any Windows version:
1. Launch the Registry editor (Start | Run | regedit);
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;
3. Double-click NoDriveTypeAutoRun in the right-hand pane and set its value to hexadecimal FF.
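The registry steps above can be scripted so the change is applied the same way on every machine and verified afterwards. The following PowerShell is an added example written for this post, not code from PCMag or Panda Security. It writes the same NoDriveTypeAutoRun = 0xFF value the article describes under the HKEY_CURRENT_USER key the article names and, as an assumption beyond the article, also under the equivalent HKEY_LOCAL_MACHINE Policies\Explorer key so that the setting covers every user of the machine. It assumes PowerShell 3.0 or later and an elevated session for the HKLM write.

```powershell
# Added example (not from the PCMag article): disable AutoRun/AutoPlay for all
# drive types by setting NoDriveTypeAutoRun = 0xFF, then read it back to verify.
# Assumes PowerShell 3.0+; the HKLM key (an assumption beyond the article, which
# names only HKCU) requires an elevated session.
$Paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$Value = 0xFF   # every drive-type bit set = AutoRun disabled on all drives

function Disable-AutoRun {
    param([Parameter(Mandatory)] [string] $KeyPath)
    # Policies\Explorer does not exist on a fresh install, so create it if needed
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name 'NoDriveTypeAutoRun' -Value $Value -Type DWord
}

function Test-AutoRunDisabled {
    param([Parameter(Mandatory)] [string] $KeyPath)
    $current = (Get-ItemProperty -Path $KeyPath -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($current -eq $Value)
}

foreach ($p in $Paths) {
    try {
        Disable-AutoRun -KeyPath $p
        '{0}: NoDriveTypeAutoRun = 0x{1:X2}, verified = {2}' -f $p, $Value, (Test-AutoRunDisabled -KeyPath $p)
    } catch {
        # Typically an access-denied error when the HKLM write is attempted without elevation
        '{0}: could not write ({1})' -f $p, $_.Exception.Message
    }
}
```

The machine-wide HKLM value takes precedence over the per-user HKCU value, and Explorer reads the policy at logon, so log off and back on (or restart Explorer) before testing with a drive that carries an autorun.inf.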

Source: http://www.pcmag.com/article2/0,2817,2343838,00.asp

Friday, August 7, 2009

Cookienator Cleans Up Questionable Cookies

Friendly Computers discovered a useful utility that deletes all of the potentially harmful cookies on your computer while leaving the others intact. Read more below…

Windows only: Portable application Cookienator cleans up cookies from any of the major browsers, but instead of removing all your cookies, only removes the ones that are used to track you.

Once you've downloaded and extracted the no-installation-required utility, you can simply launch the executable to analyze just how many evil cookies are sitting around on your computer, and clean them up immediately. The options panel will let you choose which browsers to check, and it even includes the hard-to-delete Flash cookies. The utility can automatically clean your cookies when you log in, or you could choose to only run it manually.

Cookienator is a free download for Windows only. If you'd like to just opt-out of the tracking mechanisms, you can use previously mentioned PrivacyChoice, which works the opposite way—it adds a cookie that tells advertisers not to track you.

Source: http://lifehacker.com/5332032/cookienator-cleans-up-questionable-cookies

Wednesday, August 5, 2009

Mysterious computer virus quiet, but attack may be in works

The Conficker worm that caused an uproar in April may finally be launching an attack sometime soon. Friendly Computers has more information below…

Malicious software installed on millions of computers has yet to wreak havoc on technology systems worldwide as some fear, but researchers warned that the “Conficker worm” could still strike in the future.

Also known as Downadup or Kido, Conficker turns infected PCs into slaves that respond to commands sent from a remote server that effectively controls an army of slave computers.

Researchers feared that the network created by Conficker might be deployed Wednesday for the first time since the worm surfaced last year because its code suggested it would seek to communicate with its master server on April 1.

They formed an industry-wide task force to fight the worm, bringing widespread attention that experts said probably scared off the criminals who command the army of slave computers, known as a botnet.

“The Conficker-infected machines attempted to call home to get new commands from their master but those calls went unanswered,” said Joris Evers, spokesman for security software maker McAfee Inc.

Researchers warned that the botnet’s commanders are probably waiting until they are under less scrutiny before they mobilize the network of infected computers.

“I never thought it would happen April 1,” said Roger Thompson, chief research officer at AVG, an anti-virus firm. “It might be tomorrow. It might be next week. It might be next month.”

Privately held AVG and other firms with security labs including Microsoft Corp, Symantec Corp, McAfee and Trend Micro Inc will closely monitor the botnet’s activities long after Wednesday.

The virus exploits weaknesses in Microsoft’s Windows operating system. It can evade corporate firewalls by passing from an infected machine onto a USB memory stick, then onto another PC.

In February, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of whoever is responsible for creating Conficker, saying the worm constituted a criminal attack.

Source: http://www.canada.com/technology/Mysterious+computer+virus+quiet+attack+works/1452302/story.html

Tuesday, August 4, 2009

Firefox 3.5.2 and 3.0.13 security updates now available for download

Users running Mozilla Firefox, including some of us here at Friendly Computers, should make sure they have updated their browser to the newest version that was just released, as it corrects some major security flaws. Read more about the update below…

As part of Mozilla’s ongoing stability and security update process, Firefox 3.5.2 and Firefox 3.0.13 are now available for Windows, Mac, and Linux as free downloads:

We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

For a list of changes and more information, please review the Firefox 3.5.2 Release Notes and the Firefox 3.0.13 Release Notes.

Note: All Firefox 3.0.x users are encouraged to upgrade to Firefox 3.5.2 by downloading it from http://firefox.com/ or by selecting “Check for Updates…” from the Help menu.

Source: http://blog.mozilla.com/blog/2009/08/03/firefox-3-5-2-and-3-0-13-security-updates-now-available-for-download/

Monday, August 3, 2009

Using software updates to spread malware

Friendly Computers stumbled upon an intriguing story about a new way malware could be transmitted to your computer – via your Wi-Fi connection during software updates. Read more below…

Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware or to take over a computer by hijacking the communications during the update process for Skype and other applications.

About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.

Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network.

With the tool, an attacker can scan a Wi-Fi network for computers checking for new updates via HTTP (Hypertext Transfer Protocol). If the system detects a computer sending a software update request, the tool replies before the app update server can respond, Kotler said.

Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said. A malicious file is then downloaded from the attacker's server onto the victim's computer.

The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said.
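The defence Kotler points to is a signature check on the update itself, so that a spoofed HTTP reply cannot hand the client an installer the vendor never signed. The PowerShell below is an added example written for this post (not Radware's Ippon tool and not any vendor's updater) showing that check on a downloaded installer: it requires a valid Authenticode signature, pins the signer to the expected publisher rather than accepting any valid signature, and optionally compares a SHA-256 hash the vendor published out-of-band. `Test-UpdateFile`, the `$ExpectedSubject` value and the installer path are assumptions introduced here; `Get-AuthenticodeSignature` and `Get-FileHash` are standard cmdlets (the latter needs PowerShell 4.0 or later).

```powershell
# Added example (not from the CNET article or Radware): gate an update on a valid,
# publisher-pinned Authenticode signature before it is allowed to run.
# Assumes PowerShell 4.0+ for Get-FileHash. Function name, subject string and
# installer path are placeholders introduced for this example.
function Test-UpdateFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # publisher's certificate Subject, taken from a known-good copy
        [string] $KnownGoodHash                             # optional SHA-256 the vendor publishes out-of-band
    )
    if (-not (Test-Path $Path)) { return $false }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Any status other than Valid (NotSigned, HashMismatch, UnknownError ...) means the
    # file has no trusted signature chain or was modified after signing.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ('{0}: signature status {1}' -f $Path, $sig.Status)
        return $false
    }
    # A valid signature alone is not enough: anyone can sign with their own certificate.
    # Pin the signer to the publisher you expect for this application.
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Warning ('{0}: signed by unexpected publisher {1}' -f $Path, $sig.SignerCertificate.Subject)
        return $false
    }
    # Belt and braces: compare against a hash obtained over a channel the attacker
    # on the Wi-Fi network does not control (vendor site over HTTPS, release notes).
    if ($KnownGoodHash) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $KnownGoodHash.ToUpper()) {
            Write-Warning ('{0}: SHA-256 {1} does not match the published value' -f $Path, $actual)
            return $false
        }
    }
    return $true
}

# Usage with placeholder values; replace the path and subject with real ones.
$update = Join-Path $env:TEMP 'update-installer.exe'
$publisher = 'CN=Example Vendor, O=Example Vendor, L=City, S=State, C=US'   # placeholder subject
if (Test-UpdateFile -Path $update -ExpectedSubject $publisher) {
    Start-Process -FilePath $update -Wait
} else {
    Write-Warning 'Update rejected; download it again over HTTPS from the vendor site.'
}
```

The Subject string to pin is best copied from `(Get-AuthenticodeSignature <known-good installer>).SignerCertificate.Subject` on a copy obtained over a trusted channel; pinning the certificate thumbprint instead is stricter but breaks whenever the vendor renews its code-signing certificate.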

"You have to assume when on a public infrastructure that the infrastructure can be attacked," he added.

There is also the possibility that someone could spread an "airborne virus" via software updates that uses victim machines to attack and infect other machines on a network, according to Kotler.

Source: http://news.cnet.com/8301-27080_3-10301485-245.html