Monday, August 25, 2008

Andromeda AV and AntiVirus PRO 2008 - new Rogue scanners

I helped someone today where Andromeda AV was installed on the computer -
According to the user, it was installed automatically. I'm still waiting for some more info where and/or how it was installed.
Not many hits for this scanner via searchengines yet - so I suspected this as a new Rogue Antivirus, especially after I found the website:
andromeda-av. com, where Antivirus PRO 2008 was hosted as well (antiviruspro2008. net)
All these rogues look the same anyway:




For Andromeda AV..
This one installs as a service called AndromedaAVService (system32\AndromedaAv.exe) and driver AndromedaAvDrv (system32\drivers\winav.sys)

Interesting part here is, it creates some extra files in the system32 folder and dllcache folder (actually renamed MS files) and detects the renamed ones afterwards as infected.
For example, rproxycfg.exe, which is the legitimate file proxycfg.exe, hiissuba.dll, which is the legitimate file issuba.dll, vcliconfg.dll, which is the legit cliconfg.dll etc etc.
It doesn't alter the original files, it only adds renamed copies of them.

Andromeda AntiVirus installed on a clean system (XP Pro):




Threatexpert report here.

Monday, August 18, 2008

The Lists have moved



Quote from Javacool:

I'm happy to announce a new, dedicated home for the CLSID + other helper lists: http://www.systemlookup.com

The list maintainers, contributors and I have been working on this site non-stop, and enough features are up and running to get it in the hands of the people that need it. :)

Although global search of all lists isn't yet up, you can browse and search by list: http://www.systemlookup.com/lists.php
The following lists are currently available, with more (the O4s and others) coming soon:

* CLSID List - BHOs, Toolbars, SHs, Explorer Bars
* O9 List - Internet Explorer Buttons
* O10 List - Layered Service Providers
* O18 List - Extra protocols
* O20 List - AppInit_DLLs & Winlogon Notify
* O21 List - ShellServiceObjectDelayLoad
* O22 List - Shared Task Scheduler
* O23 List - Services


We look forward to continuing to improve the site and building some great new features to make things even easier.

But for now - Enjoy! :)

Best regards,

Javacool & the List Maintainers and Contributors:

TonyKlein
miekiemoes
Metallica
random/random
nasdaq
teacup61
Marckie
Zupe


Feel free to share this announcement anywhere else.

Sunday, August 17, 2008

Your illegal internet activities are being logged

I've found at lot of posts at several different forums recently where people are discussing a mail they received from MediaDefender which says that their illegal internet activities are being logged.

Content of the mail:


Dear User!
Your recent internet activity was logged on the following sites:
• Btjunkie
• SumoTorrent
• isoHuntBtscene
• Mininova
• Fenopy
• Monova
• Yotoshi
• GetInvites
• Btmon
We have attached a report about the copyrighted movies, music, softwares you downloaded or searched on these webpages. We strongly advise you to stop any future activities regarding the downloading of illegal content or you can expect prosecution by 17 U.S.C. §§ 512, 1201?1205, 1301?1332; 28 U.S.C. § 4001 laws.

Sincerely,
MediaDefender Inc.


This mail also contains an attachement, a so called report of their illegal activities. Ofcourse the attachement is malicious and appears to be a W32.Mytob@mm variant.

Sneaky tactic since many people actually do use P2P in order to get their (illegal) software from, so they will certainly open the attachement (if not removed by their Antivirus already) to see what exact activities are being logged.
If you recieve similar mail, delete it asap and certainly do not open the attachement.

More detailed info and screenshots of the mails can be found at TrendLabs

Wednesday, August 13, 2008

Joomla! Password Reset/Remind Functionality vulnerability - update asap!

There was a serious security vulnerability found in the popular CMS-software Joomla! (1.5.x, including 1.5.5).
The vulnerability/bug resides in the 'com_user/models/reset.php' where It allows an attacker to remotely change your Joomla administration password since it can reset the password for the first enabled user (admin user).



The exploit can be found here. It already affected a lot of Joomla! users. Example.
So if you are running Joomla! (1.5.x, including 1.5.5) then you should update asap to version 1.5.6 or newer.

More info here

Thursday, August 7, 2008

Beware of fake email from Microsoft!

This is a mail I received in my spambox today:

Sender: admin @ microsoft. com
Subject: Internet Explorer 7


Download the latest version!
About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft | Unsubscribe | More Newsletters | Privacy

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052




This mail pretends to come from Microsoft, but it's not. There are many different links being used for the download.
If you click the link and install the file, then it downloads/installs the rogue security software Antivirus XP 2008 and its related files. See here for an older threatexpert report of what it may install.
It's detected as Trojan-Downloader.Win32.Small.aafh (Kaspersky Lab), Trojan.Dropper (Symantec), TROJ_RENOS.ADX (Trend Micro), Troj/FakeAle-EF (Sophos), TrojanDownloader:Win32/Renos.DI (Microsoft).

So beware if you receive similar mails and do not click the link in the mail.

Monday, August 4, 2008

I don't use an Antivirus, because I have never been infected...

... said the user while his computer was crippled with malware. His answer didn't make sense, because how would he know that he was (never been) infected if no scanner would alert him?
He asked for my help because his Internet Explorer browser crashed frequently and his computer was crawling. Although he did get popups as well, he didn't really see this as a problem because he had a good popup blocker. O_o
No way malware was causing this (according to him). It has always been like that..... (so you can imagine how long he was infected already...)
And yes, I've found malware from years ago: DollarRevenue crap, EliteMedia, leftovers from the Alcan worm, and a recent Zlob Media variant.

Time to make him aware that his computer really is infected, so the only way to show him the facts is to install an Antivirus....
He was shocked once the scanner started to detect and delete the files. Funny part here was, a HUGE amount of infected files were present in his Limewire shared/complete folder (because of the Alcan Worm, which was luckily already disabled). So it was an extra shock for him since more than 1000 files were already detected and deleted there.
After all, we could clean everything and I'm sure he would never uninstall his Antivirus again. :-)
A shocktherapy is really needed once in a while.



Recently I've been reading many articles, blogposts, discussions about Antivirus Software and Security Suites. Which one is the best and if it's really needed nowadays since a lot of malware can bypass Security software, or scanners don't even detect it.
If I read this, then I'm always wondering what these people actually do online if they are complaining that their Security Software couldn't prevent or detect the infection they are dealing with. Ofcourse you'll get infected if you use 4 different P2P managers and download everything from there. Ofcourse you'll get infected if you visit illegal sites. Ofcourse you'll get infected if you click every link in your mails.
Even with the best Security Software installed, you can get infected if you visit the sources where malware is lurking.
You can even get infected by visiting a (compromised) legit site.
So why blaming your Security software? Also, A LOT of people only install an Antivirus after they got infected... in order to remove the malware... and if it fails to remove the malware, then they complain.

So YES, an Antivirus / Security Software is really needed, not necessarily to remove the malware, but to PREVENT the malware in the first place. It can prevent/detect/delete a lot of malware, but can't prevent all since a lot of new malware is created everyday. After all, it's still better to prevent 80% of the malware than no detection/prevention at all.

Sunday, August 3, 2008

In between message...

One of my shortest blogposts ever...

Almost back... So stay tuned for some new "Security rants" - and some vacation pictures - maybe :-)