Monday, August 31, 2009

Trojan Targets Skype Users

Friendly Computers discovered information about a frightening new piece of malware affecting Skype users, which records your voice calls and could potentially send them to a third party. Read more below…

TrendLabs researchers were alerted to a newly released Proof-of-Concept (PoC) that listens to and records voice calls carried out via Skype. Trend Micro detects this as TROJ_SPAYKE.C. Skype is a popular application used for making voice over IP (VoIP) calls.

Upon execution, the DLL component (also detected as TROJ_SPAYKE.C) intercepts Skype traffic and hooks the send and recv APIs. This is done before Skype encrypts the traffic it sends to other users. This enables the Trojan to save all gathered information as audio files, which could then be sent to a malicious user. Here’s a screenshot of the captured information:


Figure 1. Sample of intercepted traffic

This poses no threat as of the moment; it only collects information but does not decrypt the said information and consequently send it to a remote user. However, future attacks that do engage in information theft cannot be ruled out.

Users are advised not to give away any crucial information when conversing online to prevent info theft. Trend Micro protects users from this attack through the Trend Micro Smart Protection Network.

Source: http://blog.trendmicro.com/trojan-targets-skype-users/

Friday, August 28, 2009

Beware fake Snow Leopard sites

Although Mac OS X Snow Leopard will not be released until Friday, many websites are offering a free download of what is allegedly the new OS. Really, they are just offering up a trojan that will redirect you to phishing websites and possibly install fake antivirus software. Friendly Computers advises you to avoid these websites and purchase the upgrade from Apple when it is released. You can read more below…

Before the August 28 official release of Apple’s OS X Snow Leopard, cybercriminals are already hitchhiking on this to proliferate their malicious activities. Earlier today, Advanced Threat Researcher Feike Hacquebord discovered several fake sites that supposedly give Mac users free copies of the newest version of the Mac OS, Snow Leopard. However, accessing these malicious sites lands users on a DNS changer Trojan detected by Trend Micro as OSX_JAHLAV.K.

Once executed, OSX_JAHLAV.K decrypts codes, which include a script that downloads other malicious scripts. The said script then alters the DNS configuration and includes two additional IP addresses in its DNS server. Users are thus possibly redirected to phishing sites and other fraudulent sites. In fact, some of these bogus sites are reportedly hosting FAKEAV (rogue antivirus) variants and components.

As of this writing, all malicious URLs are already blocked by Trend Micro. Users are strongly advised to get only the latest Snow Leopard update directly from the Apple site…

Source: http://blog.trendmicro.com/bogus-snow-leopard-update-sites-lead-to-dns-changers/

Wednesday, August 26, 2009

Snow Leopard Contains an Antivirus

Friendly Computers discovered that the next version of Mac OS X, Snow Leopard, could come with an antivirus feature. This is a surprise, considering one of the major selling points of Macs and Mac OS X is that they tend to be malware-free. Read more below…

We’ve gotten reports about an interesting feature in Snow Leopard, the new version of Mac OS X due for release this Friday. According to reports we’ve seen – and the screen shot below – Snow Leopard contains an antimalware feature.

We’re not sure yet exactly how this works, but the above screen shot shows this feature working with a download made via Safari, detecting a version of the RSPlug Trojan horse in a downloaded disk image.

Source: http://blog.intego.com/2009/08/25/snow-leopard-contains-an-antivirus/

Wednesday, August 19, 2009

Rogue Facebook apps steal login data, send spam

Friendly Computers warns you to be careful using Facebook apps. There are a few out there that can steal your login info and spam your friends. Read more below…

Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps is stealing login credentials and spamming the victim's friends.

So far, six malicious applications have been identified: "Stream," "Posts," "Your Photos," "Birthday Invitations," "Inbox (1)," and "Inbox (2)," according to a blog post by Trend Micro researcher Rik Ferguson.

As of Wednesday afternoon, all of the apps were live except for "Stream," he said in an e-mail.

This screenshot shows evidence of the phishing scam on Facebook. (Credit: Trend Micro)

The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called "sex sex sex and more sex!!!," which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn't appear to be malicious and may have been compromised somehow in order to begin the distribution of the spam, he said.

That first notification included hyperlinks that led to a phishing site on the "fucabook.com" domain, allegedly registered to someone in Armenia, he said. Once Ferguson gave up his credentials (for a Facebook account he uses for research purposes) he was directed to Facebook and to an application install screen for the app called "Posts."

He installed that app and immediately his friends were spammed with a bogus notification "Profile_name has sent you a message," with the hyperlink to the phishing site.

On Tuesday, the first couple of apps were sending notifications that hyperlinked to the fucabook phishing site but by Wednesday the destination had changed to a simple IP address rather than a domain name, he said. A JavaScript that pulls up Facebook bounces the browser around among any of the six rogue apps to get them widely installed and the cycle continues, he said.

All the apps look and act exactly the same and include ads.

"I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation," Ferguson wrote on his blog.

A Facebook spokeswoman said the company was looking into the matter and would provide more comment later.

Ferguson recommends that Internet users always check the URL displayed in the browser address bar before entering any sensitive information on a site and hover the mouse over a hyperlink to see the URL. Facebook users should also review their privacy settings regularly and delete any applications they no longer use, he said.

Source: http://news.cnet.com/8301-27080_3-10313618-245.html

Friday, August 14, 2009

Security firms discover botnet on Twitter

Microblogging website Twitter has been on the forefront of news because of its security issues lately, and Friendly Computers just discovered that it could be used to spread malware and create a botnet. Read more below…

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.

Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.

"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.

Source: http://news.cnet.com/8301-13577_3-10310168-36.html

Monday, August 10, 2009

Prevent USB Drives from Spreading Viruses

If you have a USB drive that you use with multiple computers, it could be used to spread viruses and malware from one PC to another. Friendly Computers advises you to change your AutoPlay settings to prevent this from happening, and you can read how to do it below…

When you stick a thumb drive infected with a worm like Conficker/Downadup into a clean system, the normally handy AutoPlay feature launches the worm and spreads the infection. So, what are you waiting for? Turn off AutoPlay! Panda Security offers a free "vaccine" program that will turn it off. But you can actually flip the master switch without any utilities. Here's how:

On non-Home versions of Windows (for example, Windows XP Professional, Vista Ultimate):
1. Click Start, click Run, enter gpedit.msc (launch Group Policy Editor);
2. XP users: Open Computer Configuration | Administrative Templates | System,
Vista users: Open Computer Configuration | Windows Components | AutoPlay Policies;
3. Find Turn Off AutoPlay in the right-hand pane and double-click it;
4. Choose Enabled and set it for All drives.

Or, in any Windows version:
1. Launch the Registry editor (Start | Run | regedit);
2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;
3. Double-click NoDriveTypeAutoRun in the right-hand pane and set its value to hexadecimal FF.
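The registry change from the steps above, written as a PowerShell script so the setting can be audited before and after it is applied. This is an added example, not code from the PCMag article or from Panda's "vaccine" utility; the function names are my own, and the bit meanings in the comments come from the documented Windows drive-type mask (0xFF sets every bit, which is why the article uses it).

```powershell
# Added example (not from the PCMag article): audit and apply the
# NoDriveTypeAutoRun policy for the current user.
# Drive-type bits in the mask (documented Windows values):
#   0x01 unknown, 0x02 no root directory, 0x04 removable, 0x08 fixed,
#   0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 reserved/unknown.
# A set bit means AutoRun is OFF for that drive type; 0xFF turns it off everywhere.

$KeyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns the current mask as an integer, or $null when the value was never
    # set (Windows then uses its built-in default, which leaves removable
    # drives enabled, which is exactly the Conficker spreading path).
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-RemovableAutoRunDisabled {
    # $true only when the removable-drive bit (0x04) is set in the mask.
    $mask = Get-AutoRunPolicy
    if ($null -eq $mask) { return $false }
    return (($mask -band 0x04) -ne 0)
}

function Disable-AutoRunAllDrives {
    # Creates the Policies\Explorer key if it is missing and writes 0xFF as a
    # REG_DWORD, matching step 3 of the article.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $AllDrives -Force | Out-Null
}

# Report the state before the change, then apply it only if needed.
$before = Get-AutoRunPolicy
$shown  = if ($null -eq $before) { '(not set)' } else { '0x{0:X2}' -f $before }
Write-Host ("Current {0}: {1}" -f $ValueName, $shown)

if (-not (Test-RemovableAutoRunDisabled)) {
    Disable-AutoRunAllDrives
    Write-Host ("Set {0} to 0x{1:X2}" -f $ValueName, (Get-AutoRunPolicy))
    Write-Host 'Explorer caches this policy: sign out and back in for it to take effect.'
} else {
    Write-Host 'AutoRun is already disabled for removable drives.'
}
```

The script only touches HKEY_CURRENT_USER, as the article's steps do, so it needs no administrator rights but protects only the account that runs it. The Group Policy route in the first set of steps writes the same value name under HKEY_LOCAL_MACHINE (same Policies\Explorer subpath), which applies to every user on the machine; a Test-Path check against that HKLM: path is the quickest way to confirm whether a machine-wide policy is already in force before bothering with the per-user value.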

Source: http://www.pcmag.com/article2/0,2817,2343838,00.asp

Friday, August 7, 2009

Cookienator Cleans Up Questionable Cookies

Friendly Computers discovered a useful utility that deletes all of the potentially harmful cookies on your computer while leaving the others intact. Read more below…

Windows only: Portable application Cookienator cleans up cookies from any of the major browsers, but instead of removing all your cookies, only removes the ones that are used to track you.

Once you've downloaded and extracted the no-installation-required utility, you can simply launch the executable to analyze just how many evil cookies are sitting around on your computer, and clean them up immediately. The options panel will let you choose which browsers to check, and it even includes the hard-to-delete Flash cookies. The utility can automatically clean your cookies when you log in, or you could choose to only run it manually.

Cookienator is a free download for Windows only. If you'd like to just opt-out of the tracking mechanisms, you can use previously mentioned PrivacyChoice, which works the opposite way—it adds a cookie that tells advertisers not to track you.

Source: http://lifehacker.com/5332032/cookienator-cleans-up-questionable-cookies