ESET Threat Blog

Archive for the 'email' Category

Fake Conficker Alerts


Thursday, February 18th, 2010

Urban Schrott, IT Security & Cybercrime Analyst at ESET Ireland, reports that more e-mail pretending to be from Microsoft is circulating, "warning" computer users that "Conflicker" is again spreading rapidly.

ESET's ThreatSense engine identifies the attached malware as the Win32/Kryptik.CLU trojan, and running it would result in further malware infections.

Here's an example Urban quotes of one of the spoofed emails, though there are many more:

Subject: Conflicker.B Infection Alert
Date: Thu, 18 Feb 2010 20:15:30 +0900

Dear Microsoft Customer,

Starting 12/11/2009 the “Conficker” worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Figures at Virus Radar, a resource we maintain to track threats circulating as email attachments, indicate an infection ratio of 0.036% today, putting it a close second to Win32/Zafi.B.

While these aren't the sort of volumes we regarded as high in the early noughties, that's a substantial ratio these days, when email attachments are not a particularly common vector.

In fact, we don't particularly publicise Virus Radar any more, as it covers a very small proportion of the entire threat range and can easily be misinterpreted. However, on this occasion it does suggest a pretty determined spam run.

Webmail Hacks


Tuesday, October 6th, 2009

Recently there were reports of tens of thousands of Hotmail passwords being posted on the web. In reality Hotmail, Gmail, Yahoo Mail, and all email services are regularly being phished.

If you receive an email telling you to provide your password it is a phish. That is as simple as it gets. Never give out your password. Even if a known IT professional asks you for it. There are only two kinds of people who ask you for your password… thieves and idiots. You don’t want to give your password to a thief and an idiot can’t be trusted with it, so don’t give it out.

Even if the email looks legitimate and says that you will lose your account if you don’t provide information it is a lie.

The 10,000 Hotmail account passwords that were put up on a public web site were not a problem with Microsoft security; they were an issue of user education. October is National Cyber Security Awareness month. Help inform your friends that they should never give out their passwords to anyone… even if the email appears to be from Hotmail Support, Gmail, or Yahoo.

Randy Abrams
Director of Technical Education

Hotmail’s Delay May Facilitate Fraud


Monday, July 27th, 2009

I received an email from an acquaintance this morning. It said:

Please Urgent Needed

Hello,
  How are you doing?hope all is well, I"m sorry that i didn’t inform you about my traveling to England for a Seminar.I need a favor from you as soon as you receive this e-mail because i misplaced my wallet on my way to the hotel where my money is and other valuable things were kept, i will like you to assist me with a  loan urgently. I will be needing the sum of $2,500 to sort-out my hotel bills and get myself back home.I will appreciate whatever you can afford to help me with,I will pay you back as soon as i return. Kindly let me know if you can be of help? so that i can send you the details.
 
Any asistant you can offer will be greatly appreciated
 
Lynda

If you google “I"m sorry that i didn’t inform you about my traveling to England for a Seminar.” you will instantly find this is a scam involving a hijacked email account. I emailed Hotmail at 3:11 AM PDT. I also responded to “Lynda”. At 9:13 AM I received an email from the attacker, posing as Lynda, thanking me and asking me to send the money through Western Union. Hotmail has yet to take action. Yeah, I know not to send the money, but I don’t know about Lynda’s other friends.

The delay by Hotmail may allow this attacker to victimize Lynda’s friends. I would contact Lynda myself, but I only have her Hotmail address.

If you ever receive a request for help in email, call your friend on the phone first!

Randy Abrams
Director of Technical Education

Is it my Business?


Monday, July 27th, 2009

Do you ever use a public computer? Do you realize that potentially everything you type and read may be public information?

I was checking a hotel business center computer this weekend. I found some interesting stuff. A military document for a local air force base. It wasn’t classified. The confidential test results for a semi-synthetic lubricant, the sales figures for a medical supplier and an aircraft flight log. On the personal side I found a Yahoo email message with a purchase confirmation that included the person’s name, address, email address, a link to their online purchase account and what they bought. There was a letter to “one of the other women”. A picture of a cute young girl she took with her cell phone in a fitting room was amusing. At least she was fully clothed.

When you use a business center computer, a library computer, or any public computer it is safest to assume that all you type and read is public information. For that reason I never use such computers for banking, email, VPN access, or anything with a password.

Anything you do on a public computer is everybody’s business!

Randy Abrams
Director of Technical Education

Watch Out for “Michael Jackson” Hoaxes


Thursday, June 25th, 2009

The news broke a short time ago that pop star Michael Jackson died of a heart attack. It is all too predictable that the bad guys will use this news event to spam out fake videos or links to alleged pictures in order to trick users into installing their malicious software.

If you receive an email about Michael Jackson, simply delete it unless you know the sender and you verify (call, email or chat) that the sender actually did send it to you.

If you receive an IM about Michael Jackson and it has a link, ignore the link. Don’t click on it.

If you want to find real news about Michael Jackson then go to a real news site.

Don’t fall for the hoaxes in email, Instant Messenger (chat), tweets on Twitter, or other social networking sites.

Randy Abrams
Director of Technical Education

That Wasn’t Your Sweetheart


Tuesday, February 10th, 2009

Pierre Marc just posted about “Win32/Waledac for Valentine’s Day”. The fake greeting cards are an ongoing scam. As Pierre Marc indicated, this one is using polymorphism, which is a fancy way to say the malicious software disguises itself to look different each time someone encounters it. This is done to break signature-based detection, which is why heuristics are very important.

Even heuristics are not perfect, so it is important that users learn to make good decisions. When you receive an email purporting to be a greeting card, there are some precautions you should take. Legitimate greeting cards never download an executable file. Your egreeting should not prompt you to download a file. If you are prompted, then cancel and close your browser.

http://www1.yahoo.americangreetings.com/emailprotection/ has some tips for identifying real versus fake greeting cards. I recommend you read the tips there. Education is really your best defense; security software, as I have said before, is like a seatbelt. It can’t prevent all accidents and it can’t prevent all injury when there is an accident, but it’s still a good idea to have it. Good judgment can’t be replaced by software, and the more you educate yourself, the better your judgment will be.

A valid greeting card will be sent to you personally and come from someone you know, not “a friend”, or “your sweetheart”, etc. If someone wants to send you an anonymous card, then either know how to read the URL that the link to the card is pointing to, or just delete it.

For this Valentine’s Day, if you get an ecard and are not sure if it is legit, feel free to send it to me at askeset@eset.com and I’ll let you know what the signs are that it is fake or valid.

Randy Abrams
Director of Technical Education

Get Your Stimulus Check!


Wednesday, February 4th, 2009

As talk goes on in Washington DC about a 2009 Stimulus payment, phishers are still trying to exploit the 2008 stimulus program. One such attack claims to be the secure way to get your stimulus payment. There was only one secure way to do that, and it was by going through the IRS. There is no online form to get your stimulus payment.

One phishing attack comes from stumulusref@i-r-s.com. The IRS uses a .gov, not a .com, email address and does not send you email about obtaining a stimulus check. The phish even includes a logo that resides on the real IRS web site, but the web site the user was directed to was not an IRS web site at all. It really doesn’t matter what the return email address is, or what the links are. All you need to know is that the IRS does not send you email concerning money owed or refunded. The IRS probably doesn’t send you email at all unless you contacted them.

Assume that any email you get from the IRS is a scam. Still not sure? Call the IRS or better yet, write them a letter. Protecting yourself from these scams is really that easy. Share this information with people you know because it looks like there may be a 2009 stimulus package and we will see a new barrage of these phishing attacks.

Randy Abrams
Director of Technical Education

What Hath God Wrought?


Friday, January 23rd, 2009

“What hath God wrought?” were the contents of the first ever telegraph message. http://memory.loc.gov/ammem/today/may24.html

An ominous message that would seem to reveal that Samuel Morse understood some security implications of technology, except, it was his friend’s young daughter who appears to have suggested the biblical verse. Perhaps “What hath God wrought” would have been a better first ever computer message. Rather than “Operating system not found”, “What hath god wrought” would have been a better message! Microsoft would have been well advised, back in 1997, to display a message “What hath god wrought?” rather than “This document contains macros. Enable or Disable”. We see the technology abused on a scale that would have been unimaginable to Morse. Still, there are incredible benefits.

In the doom and gloom that makes up the daily grind of security blogging and news reporting we usually overlook the great things that technology brings.

My wife’s grandmother has a Presto (http://www.presto.com/) email machine. She can’t send email from it, but an effective whitelisting technology blocks spam and viruses and allows us to send her emails and pictures from all over the world. She loves receiving news of what and how her friends and relatives are doing. All of this without the need for technical expertise or security education.

Social networking sites allow us to meet people from all over the world. When I was 18, the cost of communicating with a person half way around the world was prohibitive. The viable options I had were expensive phone calls, inconvenient and still costly visits to Western Union, where my remote friend may not have the money to return a message, and affordable but slow post. Today I can IM with people who have access to computers and email, even though they may live on a very small income. Just today I was chatting with a friend in Turkey on IM and got this wonderful offer:

“if you happen to visit my hometown or Istanbul, I’d try my best to offer accommodation and free tour :)”

What an amazing thing that the internet helps create cross cultural friendships and can help us to learn about different cultures.

Thanks to technology, my friends and I can record songs we have written and share them. We can take pictures of beautiful places and share them. There are tons of wonderful things that technology brings us, but we mostly hear about the problems.

It really isn’t the intent to focus on the negative, but by pointing out the problems we hope to help people to avoid trouble. Just the same, mental health experts teach that it is important to appreciate, to be grateful for the good things we have. So, as you read the blogs and news articles that spell doom and destruction, remember to also think of the wonderful benefits your computer brings you. You’ll be much happier if you can learn to avoid problems, but also take some time to appreciate blessings.

Randy Abrams
Director of Technical Education

What an Honor


Friday, January 9th, 2009

I recently received an email stating

“It is a privilege to inform you that you are being considered for inclusion into the 2009/2010 Princeton Premier Honors Edition Registry.
This recognition is an honor shared by only the most accomplished professionals who have demonstrated excellence within their careers and communities.”

I had always assumed these were “legitimate” offers that rather egotistical people sign up for. The money is made by then selling the registry to those who wish to see their names in the book. Kind of a pay for a compliment scheme.

I had to look in my spam folder to find the message as ESET Smart Security had accurately placed it there. The email was sent to askeset@eset.com. I never send email from that account and it is only advertised as being for users with security related questions.

For whatever reason, I decided to see who was behind the “offer”, and what I found leads me to believe this is at best a very shady organization. To begin with, I looked at who the “premierespecial.com” domain is registered to. The phone number associated with the record is for a medical doctor’s office in Tennessee, while the address for the company is listed as being in New York. Highly suspicious. The email address is a Gmail account; usually a legitimate business will have an account associated with their domain. The odds are that the information provided to the registrar, Names.com, is not accurate, and that is not allowed.

They provide a form to apply online with. The link in the email does not actually display the real link; however, it does redirect to the same domain as the displayed link. The link goes to a page on formdesk.com, which provides online data collection forms. It is probably a cost effective service: a free 90 trial and only $50 per year for basic service.
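The two checks done by hand in this post and in the stimulus post (a sender whose name claims a brand but whose domain is not that brand's real domain, such as i-r-s.com, and a link whose visible text shows one host while its href goes to another) can be automated. The following is an added example, not code from the blog or from ESET; the sample message and the form host name are constructed placeholders, and the brand table is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: a look-alike sender domain (i-r-s.com, as in
# the stimulus post) and a link showing an irs.gov URL whose href goes elsewhere.
SAMPLE_EMAIL = """\
From: "IRS Stimulus Refunds" <stimulusref@i-r-s.com>
Subject: Your 2008 Stimulus Payment
Content-Type: text/html

<html><body>
<p>Claim it at <a href="http://forms.host-placeholder.net/f/1">https://www.irs.gov/stimulus</a></p>
<p>Questions? See <a href="https://www.irs.gov/">our help page</a>.</p>
</body></html>
"""
KNOWN_BRANDS = {"irs": {"irs.gov"}}  # assumed table: brand -> domains genuine mail comes from

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    return ".".join(host.lower().split(".")[-2:])  # crude eTLD+1; fine for .com/.gov

def check_message(raw):
    # Returns human-readable findings for one raw RFC 822 message.
    msg, findings = message_from_string(raw), []
    from_header = msg.get("From", "")
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    for brand, real_domains in KNOWN_BRANDS.items():
        # hyphens stripped so "i-r-s" still counts as a claim to be the IRS
        claimed = re.search(rf"\b{brand}\b", from_header.lower().replace("-", ""))
        if claimed and registrable(sender_domain) not in real_domains:
            findings.append(f"sender claims {brand} but domain is {sender_domain}")
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in parser.links:
        if "://" in text:  # only judge anchors whose visible text is a URL
            shown, real = urlparse(text).hostname or "", urlparse(href).hostname or ""
            if registrable(shown) != registrable(real):
                findings.append(f"link shows {shown} but goes to {real}")
    return findings
```

Running check_message(SAMPLE_EMAIL) reports both the look-alike sender and the mismatched link, while the second anchor, whose visible text is not a URL, is left alone.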

A little googling turned up an interesting find…

“These guys took to ringing the office up to 6 times a day and were most abusive to staff who would not put their calls through to me.
Now here’s the clanger……….these guys were calling from New York……..my office is in Wetherill Park. Where’s that I hear you ask? SYDNEY AUSTRALIA! In all they made about 60 calls before I finally took one of their calls and told them to bugger off. They want money to list you in this "quality" publication that goes into the Library of Congress (is there such a place?) and a substantial sum too.”

The discrepancies in Princeton Global Networks’ [info@premierespecial.com] domain registration, and the fact that they are blatant spammers, suggest that they are not to be trusted with money or personal information.

Randy Abrams
Director of Technical Education

It’s Scam Time!!!


Friday, January 2nd, 2009

Welcome to prime-time scam season. This is when the advertisements for taxes in the USA really start to pick up. Granted, they go on all year long, but now is when we traditionally see an increase in volume. There are a variety of such scams.

The worst of the scams are the phishing attacks. If you get an email from the IRS and you did not initiate contact with the IRS, then the email is not really from the IRS. The IRS will never ask you for any information, like your bank account number or credit card information in email. These emails are always scams. Usually the emails say that you owe the IRS money or the IRS owes you money. The idea is to trick you into going to a web site, or sending an email and providing information used to steal from your credit card or bank account. This information may also be used for identity theft.

For virtually everyone, IRS emails are 100% fake. Don’t respond to them and do not follow links in them.

Other scams include fake offers to help with your taxes. These can be as simple as offers to file online to expensive offers to do your taxes for you. If you get an offer to do your taxes for much less than others are charging then it is probably because the person making the offer is going to simply take your money and do nothing at all. Worse yet, they may do it wrong and you are still responsible for any owed taxes and penalties.

Always use a reputable tax preparer. It is a good idea to use someone who is listed with the Better Business Bureau unless you have personal references from people with experience with the tax preparer.

Do your friends and relatives a favor and remind them that emails from the IRS are fake, even if they look legitimate. If there are any questions you can always call the IRS to be sure, but not using a phone number in the email.

I’m sure we will revisit this subject in future blogs. There are still lots of people falling for the scams.

Randy Abrams
Director of Technical Education