Microsoft Malware Protection Center

Threat Research & Response Blog

  • Can we believe our eyes? Another story…

    In Windows, the “hosts” file (located in the “%SystemRoot%\System32\drivers\etc” directory by default) is often used by malware authors when hijacking websites. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malware authors make changes to affected users’ Hosts files to redirect specified URLs to different IP addresses of the author’s choice. In August last year, I blogged about malware authors using Unicode characters...
  • Pramro and Sality - two PEs in a pod

    The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008. There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramro. For example, let's examine...
  • Extracting the fare

    When malware is found lurking on a system, quite often it isn't acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain -- for instance, hijacking a browser's search results, or using rogue security software to extract payments from affected users -- and will try to install whatever other malware components they need to in order to make this happen. Such is the case with Win32/Fareit, which is one...
  • Stratfor customers targeted by cybercriminals

    Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database. The spammed email contains an attached PDF file named "stratfor.pdf". Upon opening the PDF file, it displays the following content, with a reference to using security software to scan for the fictional...
  • When imitation isn’t a form of flattery

    When I was at school (many, many years ago…) a teacher once told me that if someone copies you, it's a sign of flattery. Well, right now there are numerous "companies" copying us, but we are far from flattered. For some time now, rogue security programs have been trying their hardest to look just like Microsoft security products. I suppose they figure that the more they look like us, the more likely unsuspecting users are to hand over their hard-earned cash to have their computers "cleaned...
  • Independent social welfare site hacked to serve malware?

    We received a submission from one of our customers that downloaded some suspicious files from a certain website. We checked the files, confirmed that they are actually malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed normal, until we looked at the website that the files were downloaded from, which suggested that there's more to it than meets the eye. The website in question is a Romanian website, asistentasociala [dot] info. The term "asistenta sociala" translates...
  • A different breed of downloader

    In our everyday world, we sometimes make use of thin clients, which don't have a lot of functionality but are easy to maintain, as their functionality is based on data they receive from remote servers. Malware authors have adopted a similar technique, in which malware is able to download executable code without actually downloading an executable image. We're talking about malware that isn't a typical trojan downloader. The typical routine for trojan downloaders is that the downloaded file is...
  • Fake Seattle traffic ticket notification leads to malware

    Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home -- specifically, Seattle, Washington. They're seeing spam mail circulating that claims to be from the Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form. Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink...
  • Plenty to complain about with faux BBB spam

    I was recently having a conversation online in a forum about online reputation and about refuting false claims posted on customer complaint sites. In this particular conversation I was having, the person was falsely accused of bad business practices. In the States, if you experience an injustice from a bad business dealing, you can complain and report that business to an organization named the Better Business Bureau (BBB). In this particular incident, the falsely accused party wasn't reported...
  • January '12 MSRT: Win32/Sefnit

    The January 2012 edition of the Microsoft Malicious Software Removal Tool (MSRT) includes detection and removal of the Win32/Sefnit family of trojans. This trojan family moderates and redirects web browser search engine results for Bing, Yahoo! and Google. The earliest reported variant in this family can be traced back to August 2010. The installation mechanism employed by early samples remains very similar to samples we observe in the wild today. Variants of Sefnit employ the use of a Nullsoft...
Page 11 of 44 (440 items)