PandaLabs Blog

This blog started in October 2006, and we will be providing further in-depth information about new malware, new technologies, new trends.

Articles
Blackhat SEO continues to ravage search results
2009-09-23 01:26:00

Every day cyber criminals exploit search engines to place malicious results high in the search rankings. Targeting hot topics lets them improve infection rates for their money-making Rogueware (pdf) schemes. Below is an example of the attack we observed today.

Most targeted search terms: Dallas Cowboys, NFL, School, Emmy Awards, Autumn Equinox (Mabon), Atlanta News ...

The full list of targeted keywords can be downloaded here: BlackhatSEO3.txt

Sample search result: (image)

Redirection to fake security (Rogueware) site: (image)

Rogueware: Adware/PCDefender

Tag cloud of targeted terms: (image)
Hack MySpace, ICQ, and Vkontakte for $100 (50% discount for Russians)
2009-09-21 21:43:00

The Ukrainian Facebook scam we blogged about on Friday has similar campaigns for MySpace, ICQ, and Vkontakte. All of the scam sites are identical in design and require a payment of $100, except for the Vkontakte scam site. Vkontakte is a Russian clone of Facebook, and the scam offers to hack Vkontakte profiles for 1500 rubles, which is about $50 USD.

MySpace: (image)

ICQ: (image)

Vkontakte: (image)

What's strange here is that the Ukrainian scam crew responsible for these sites is making a run at conning Russians, which is a tactic we don't see very often in the labs.
Your Facebook account is worth $100
2009-09-18 09:07:00

Yesterday I came across (thanks Sean-Paul!) the following site, which really attracted my attention: (image)

As you can see, it is an online service which promises to hack any Facebook account for just 100 bucks (!). My first thought was "ok, just another scam", but I wanted to see how far they could go with this. The first thing they ask you to do is register on their site, which I did. The next step to hack an account was to provide them with the ID of the Facebook account you wanted to hack; first I created a temporary Facebook account for this test, and then went back to "hack" it. Obtaining the ID is trivial, and with that ID anyone can obtain the Facebook username, but that is something most people are not familiar with, so in the end it gives extra credibility to this "service". Once you enter the ID and click on the "Hack it" button, you are given the owner of the Facebook account (the username) and ...
Blackhat SEO Attack Targets Obama's Speech
2009-09-10 01:52:00

Using search engines to browse the Internet these days is a dangerous endeavor. Cyber criminals are keen on gaming search engine algorithms and are able to quickly divert innocent news seekers to malicious websites. Today, WIRED reported that cyber criminals were targeting a highly anticipated Dan Brown novel, but the target and scope are much broader than that. Literally every current relevant news topic is actively targeted each day, including the highly publicized speeches given by President Obama this week.

Clicking the following link in a Google search result will point us to a malicious Rogueware campaign page: (image)

Malware Info: Adware/SmartVirusEliminator

Investigating the attack shows us a bigger picture of the targeted keywords: (image)

Most commonly targeted keywords: Obama Speech, GM group enterprises, Apple, Beatles, America, White House, Jon Gosselin, Live Interview, School Season

The full list of targeted keywords can be downloaded here: BlackhatSEO2...
Live Demo: Banking Trojans
2009-09-09 00:09:00

Banking Trojans are one of the most prevalent malware species in the threat landscape today. Malware authors aim to keep infections live and undetected long enough to get what they are really after: money. Financial motivation leads malware developers to craft the stealthiest banking Trojans to steal personal and financial data for further exploitation on the black market. Day after day innocent victims are hacked, with the end result being an emptied-out bank account. This video demonstrates how dangerous and stealthy banking Trojans can be and why we must continue to raise awareness of the issue.
Rogueware Demo: Online Antivirus
2009-09-05 03:51:00

Rogueware authors continue to push the limits when tricking innocent users into infecting themselves. In this video example, we demonstrate the audio and visual cues used in a scareware campaign.
Be Careful With Your Search Results
2009-09-01 19:29:00

Update: Learn about the latest BHSEO attack here.

Blackhat SEO (BHSEO) is currently one of the most prevalent distribution methods for malware on the Internet. It's also one of the most dangerous methods because of the implied trust users place in search results. A Forrester research study conducted in 2008 showed that 50 percent of Internet users trust content delivered by search engines. It's no surprise that cyber criminals have been using malicious search results as a main monetization stream.

The Rogueware campaign we blogged about last week turned into a full-blown BHSEO attack targeting relevant news topics such as the California wildfires, Ted Kennedy's death, DJ AM's death, Mega Millions Lottery, Hurricane Danny, UFC 102, and CNN and BBC breaking news, among thousands of search terms and 123,000 links. Upon clicking one of the many malicious links in the top-ranking search results, the victim is put through several redirections and final...
Are Cyber Criminals Targeting Local Events In Your City?
2009-08-27 23:36:00

Panda Security has a California-based office in Los Angeles. We are located in close proximity to two ongoing wildfires in the Angeles Crest National Forest that have now burned through at least 30 acres, so naturally we have been keeping an eye on it. To my surprise, I pulled up a Google search for "Angeles Crest Fire" and the results yielded a malicious link above most relevant sources.

Update: 9/01/08 - The Blackhat SEO attack has now grown significantly: http://bit.ly/7jqGc

Once clicked, the site loads and checks to make sure the user came from Google. If so, the following script begins the redirection to the Rogueware site: (image)

The Rogueware site is designed to display a fake Antivirus scan intended to scare victims into thinking that their computer is infected. If the malware is downloaded and installed as the site suggests, the user will see a fake Antivirus program pop up on their computer. At that po...
A new family member: SaveDefense
2009-08-27 12:58:00

Two days ago we wrote about 3 different variants of the same rogueware family that were just changing the name of the "product". The family keeps growing: yesterday we found a new member, called SaveDefense: (image)

The payment gateway remains unchanged too: (image)
New Roguewares: SaveKeep, SaveSoldier & TrustNinja
2009-08-26 11:26:00

As you already know if you've read our paper about The Business of Rogueware, this is a very lucrative business. Every day we see thousands of new variants, and a few new families that appear trying to infect users and get their money. Three of the new families we've seen this week, called SaveKeep, SaveSoldier and TrustNinja, are in the end the same rogueware, rebranded, which is one of the common strategies they use. Guess how we can tell that the three of them are in fact the same rogueware: (image)

Another clue that this is the same piece of malware is that they are using the same payment gateway: (image)
Keep Your Identity Safe
2009-08-20 09:53:00

Today, we issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same period in 2008.

PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007. PandaLabs estimates that approximately three percent of all users have fallen victim to these techniques. The problem with these types of threats, unlike the traditional viruses of the past, is that they are designed to go undet...
Koobface: The saga continues
2009-08-14 00:49:00

The gang behind the Koobface worm has been hard at work releasing the next iteration of their worm. We've already identified over 60 active domains spreading the content through the usual method of posting a message linking to a "CooooL Video" on Facebook.

Sample malspam: (image)

After clicking the link, victims are automatically redirected to a Koobface-controlled server, which then routes them off to a fake codec site specifically designed for the social network they came from.

Fake codec site: (image)

The Koobface gang uses the same old "Flash Player upgrade required" tactic to trick users into opening the executable, which ultimately transforms their machine into a distribution point for the infection to propagate further.

Koobface connection log: (image)

On infection, the Koobface worm immediately attempts to download three additional executable files. After turning the victim's computer into its next distribution point, it also attempts to monetize by...
Be careful with Tixcet.A
2008-06-02 10:45:00

PandaLabs has recently discovered the worm Tixcet.A. It is a very destructive worm, as it deletes files with several extensions and replaces them with a copy of itself, keeping the same name as the original files. Among the affected extensions are the following: .DOC, .PPT, .MP3, .MOV, .ZIP and .JPG. This means that we can lose our photos, songs, Word documents and other files that are important to us.

Additionally, it does not allow files to be copied, as it disables the Paste option, nor content to be copied, as the text that is copied is not the text selected by the user but text chosen by the worm.

It reaches the computer passing itself off as a Word document in order to deceive users. It also creates several files that contain a signature of the author, like the following: (image)

PandaLabs has analysed this worm in depth and has prepared an interesting video where we can see some of the actions it carries out on affected computers.
Lost in Translation (II)
2008-05-27 12:25:00

As promised, here you can see some pictures.

This is the Grand Prince Hotel Akasaka, where the meeting is taking place: (image)

This is me inside the hotel: (image)

This is the Tokyo Tower, a 250-meter-high tower from which you can see the whole city: (image)

Finally, I recommend visiting Japan; it's an unforgettable experience: (image)

Well, this is all for the moment, you'll hear from me soon.

Signing off,
Luis
Lost In Translation
2008-05-26 09:56:00

Today the 2nd Counter eCrime Operations Summit (CeCOS II) began in Tokyo. It is really exciting to meet so many people who are working to fight eCrime, sharing information and trying to build a safer "eWorld". The meeting is organized by the Anti-Phishing Working Group.

Even though all the Japanese speakers are presenting in Japanese, thankfully the simultaneous interpretation is really good, as the slides are also in Japanese! It is very interesting to see how some attacks really target specific countries. Geok Meng Ong and Shinsuke Honjo, from McAfee, have explained some local attacks that happened in South Korea and Japan.

Tomorrow I'll upload some pictures from the event and this awesome city.
Fake Security Center
2008-05-22 11:58:00

PandaLabs has detected Adware/XP-Shield, which passes itself off as the Windows Security Center. This malware, which is installed after running the XPShieldSetup.exe file, creates a shortcut on the Desktop and in the Start menu. This fake security center simulates an analysis of the computer which warns us that our system is infected. In order to eliminate the malware, we are asked to purchase a certain program.

Periodically, it displays popups on the screen reminding us again that the system is infected: (image)

Even if the program is closed, it remains resident in the system: (image)

It is possible that while we are visiting different websites, several popups are displayed informing us that our system is infected or that our computer is not working properly, and in order to solve these problems they recommend that we purchase a certain program. Be careful with this type of software, which will not really solve the problem and will make you lose money. Anyway, it is always advisabl...
Microsoft Updates for May
2008-05-14 16:52:00

Four new security bulletins have been published (from MS08-026 to MS08-029) as part of the usual release of Microsoft updates. We recommend updating your systems as soon as possible, as according to Microsoft's classification three of the bulletins are rated "critical", while the last one is rated "moderate".

You can find more information about the security bulletins by clicking the following links:

MS08-026: An update for Microsoft Word which solves two vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file.
MS08-027: An update for Microsoft Publisher which solves a vulnerability that could be exploited to execute arbitrary code if a user opens a malicious Publisher file.
MS08-028: An update to solve a remote code execution vulnerability in the Microsoft Jet Database Engine.
MS08-029: A security update to address two vulnerabilities in the Microsoft Malware Engine, which could allow a...
Firefox Vietnamese Language Pack Infected
2008-05-08 18:54:00

Mozilla has published in its blog some news regarding the incident with the Vietnamese language pack for Firefox 2.

In February, a Vietnamese language pack for Firefox was published. The problem was that before being uploaded to the corresponding server, it had already been infected, as the internal code of the *.xhtml files had been modified to include the following instruction: (image)

The files which contain that malicious code are detected as W32/Xorer.T.

This instruction resolves to: http://js.k0102.com/01.asp (don't worry, this URL is currently offline).

The question is: how can anybody be sure that their computer is malware free? You can check it at http://www.infectedornot.com and scan your computer with the ActiveScan 2.0 online scanner, a security solution that operates on the basis of 'collective intelligence', which allows many more threats to be detected.
Phishing & ScamPages Kits
2008-05-07 17:26:00

Nowadays launching a phishing attack or creating a fake website for an online service is quite an easy task for anybody. There is no need for advanced technical knowledge or significant financial resources.

Generally we tend to relate phishing only to fake websites of banking entities. However, there are also kits related to other online services such as Gmail, Yahoo, Youtube, Fotolog, Hi5, etc., as we have commented in a previous post.

It is possible to find information or even instructions on how to use these kits and how to carry out the attacks in forums, blogs, online videos, etc. Additionally, sometimes you can find not only the instructions but the tools themselves for free. Below you can see some examples of the availability of these kits: (image)

The way these kits work is similar whether the attack is launched against a banking entity or any other service. Using a mass mailing tool, a fake message, which passes itself off as the real entity or service, is sent to a wide ...
2nd CARO Workshop
2008-05-02 11:37:00

The 2nd CARO meeting is currently taking place at the Crowne Plaza Hoofddorp in The Netherlands. This year's topic is Packers, Decryptors and Obfuscators, and indeed some of the presentations are superb. The program is published here. While I'm writing this post, Mike Morgenstern & Andreas Marx, from AV-Test.org, are giving a speech about their Runtime Packer Testing Experiences.

In a few minutes we'll have 3 different talks about detection and blacklisting of packers, which is both interesting and controversial.
Looks can be deceiving
2008-04-30 18:00:00

We have recently detected another spam message that contains a malicious URL. This is nothing new, but what if you receive an email message coming from a reliable source, such as a security company? This is what has happened with a spam message that uses our free online analysis tool ActiveScan as bait to deceive users. The following image is the fake message that the user would receive. Note that it contains the logo of our company, but as we can see the analysis tool points to a malicious URL and not Panda's. (image)

If the link is followed, a file called ScanActive.zip will be downloaded, as can be seen in the image below: (image)

This file is not really our online analysis tool but a banker Trojan belonging to the Banbra family, specifically Banbra.FRJ, which is designed to steal confidential information related to certain Brazilian banking entities.
IFRAMES Attack !!! (Update II)
2008-04-28 11:58:00

The first thing we observed when we analysed the attack which included an iframe pointing to a malicious website in hundreds of thousands of web pages was that all the compromised websites were on servers with IIS and MSSQL. Initially, the most likely hypothesis was that some known exploit was being used to attack one of these platforms.

However, after a deeper analysis, we observed that it was not a vulnerability in IIS or MSSQL Server, but some badly programmed ASP code, which compromised the websites hosted on these IIS servers with MSSQL.

The ASP code we show below ("orderitem.asp") interacts with an MSSQL database in a way that allows SQL injection techniques to be used to insert data into the database, such that it was possible to include the iframe in the hosted websites. For security reasons, the whole ASP code has not been included.
IFRAMES Attack !!! (Update)
2008-04-25 14:19:00

This graph is an example of the infection process that takes place from the moment a user accesses a legitimate website that has been modified until the possible infection takes effect: (image)

Thanks to Oscar and Olaiz for their collaboration.
IFRAMES Attack !!!
2008-04-24 19:27:00

Nowadays it is usually taken for granted that we can only get infected if we visit malicious websites or run files coming from untrustworthy sources. However, lately we have detected several cases in which, by exploiting vulnerabilities in web servers, malicious code can be introduced into the websites hosted on them. Therefore, we might come across trustworthy websites which contain malicious code introduced by a cyber-crook.

The following is one piece of code we found introduced in certain websites: (image)

It must be noted that up to now the number of websites that contain this piece of code is approximately 282,000. This malicious script, known as an iframe, contains instructions that will be interpreted by the browser, redirecting it to a web page or to the download of a malicious file. The instructions it contains are the following: (image)

In this particular case, the user will be transparently redirected to a URL which will check if our system is protected against...
Kiss me!!!
2008-04-16 13:06:00

Several years ago, the main aim of cyber-crooks was to achieve notoriety with their creations, that is, to be famous. In order to do so, they wanted to attract as much attention as possible, and causing massive epidemics was their springboard to fame.

Their motivation has changed and is now purely economic. The best way to obtain money is to carry out malicious actions as stealthily as possible. It has become a usual technique to hide malware creations using rootkits, such as the famous Stormworm family. This trend has made malware creation a very lucrative business.

However, we still come across samples as eye-catching as W32/MSNworm.EI.worm, which spreads via MSN Messenger and displays a funny picture of a little pig sending us a kiss while it is infecting our computer: (image)
Microsoft Updates for April
2008-04-09 12:34:00

Five critical and three important updates have been released (from MS08-018 to MS08-025). It's time to start updating your system if you haven't done so yet. The critical updates affect these components: Microsoft Project, GDI, the VBScript and JScript scripting engines, updated ActiveX Kill Bits and Internet Explorer. On the other hand, the DNS Client, Windows Kernel and Microsoft Visio are patched with important updates.

Most of them allow remote code execution, so don't forget to update your system asap. You can find more information about the security bulletins by clicking the following link: MS08-April
You are nominated... to distribute malware!!! (II)
2008-04-04 14:11:00

Big Brother Brasil again. I am not very fond of this type of program, but spammers have made me pay attention to them. Then, we wondered who would be the next participant selected to distribute malware. We thought they would make the selection among the finalists. However, this time the candidate has been a female participant called "Juliana", who had already been evicted from the house.

These spam messages, which link to malicious websites, have subjects such as "Juliana do BBB do modo como você queria ver." or "Chegou um Vivo FotoTorpedo para voce !!!", and invite us to view a video or photos of this participant. However, when the link in the message is followed (http://www.gallimard-jeunesse.fr/[Removed]/visualizer/Visualizar.php), we are redirected to a web page from which the malware detected as Trj/Banbra.FPJ is downloaded: (image)

This Trojan is designed to obtain the affected users' access keys to several banking e...
April Fools' Day malware
2008-04-01 14:10:00

Social engineering never ends. Today is April Fools' Day, and we have received a spam message with a link, similar to the ones we saw on Saint Valentine's Day. Some of the subjects we have seen so far:

- Today's Joke!
- Happy All Fools!
- Gotcha! April Fool!
- Happy April Fool's Day.
- All Fools' Day
- Surprise! The joke's on you.

This is what you see when you go to the site: (image)

We have seen different file names being downloaded, such as kickme.exe, foolsday.exe or funny.exe, but it is the same file; the name is the only thing that changes. We are detecting this malware as W32/Nuwar.SK.worm. Be careful, and as always, never trust these kinds of messages.
Quarterly Report January-March 2008
2008-04-01 12:42:00

We have just published the latest PandaLabs Quarterly Report. There, you can find statistics and information about the current malware situation as well as different sections analyzing the most interesting events of the first quarter. Regarding malware, Trojans continue to be the most relevant category of malware, at 62.16%.

The well-known Storm Worm attack, which infected thousands of computers worldwide, is still active. That's why it is worth mentioning, and we have prepared a section in which we recall the most significant dates of its infection and the social engineering techniques it used to spread. We also look at some of the tools used by malware creators to check the undetectability of their creations.

Nowadays, the use of Web 2.0 services is very widespread, with social networks being one of the most popular services. The wider and more active a social network is, the higher the possibilities are of malware spreading on the network and reach...
Do-It-Yourself AV comparatives
2008-03-27 15:55:00

I've just read a press release from AV-Comparatives where they announce a partnership with AntiMalware Test Lab. A long time ago we decided not to participate in AV-Comparatives tests, for a number of reasons. Our opinion is the following:

- The tests should be run by skilled people who must be able to distinguish a malware sample from a goodware one.
- The testers should have a malware test-bed, and of course it should include malware files, with no clean files, no damaged files, etc. It also has to be representative; it does not make sense to test malware that died 15 years ago.
- The testers should check the detection capabilities of each and every product. To do that you run different samples and see what each product is able to do (behaviour blocking, heuristics, signatures, etc.).
- The testers should be vendor independent, to avoid any bias.

Even though the new alliance won't solve all the mentioned problems, at least we know that now there is ...