
Posts Tagged ‘pandalabs’

The 2010 Panda Challenge begins

July 14th, 2010 editor

Panda Security is launching the Panda Challenge. Last year’s edition of the competition saw more than 4,000 entrants putting their considerable computer skills to the test.

This year the Panda Challenge asks participants to find the solution to two practical problems published in the PandaLabs Blog. In the first phase, users will have to download the game and then make a keyfile in order to play it; while the second phase involves finding a valid license for a program.

“We launched this challenge for the first time last year, unaware of the fantastic response we would get” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “We were pleasantly surprised to see such a high number of participants with such technical expertise. The challenges were not easy but lots of users managed to find the solution.”

The first challenge will be published on Saturday, July 17 at 09:00 (GMT + 2) and solutions must be received by Monday, July 19 at 17:00 (GMT + 2). The second challenge will be published the following weekend, on Saturday, July 24 at the same time, and solutions must be received by Monday, July 26. The winner will be the first contestant to send the correct solution to pandachallenge@pandasecurity.com.

Anyone, from any country, can take part, with no need to register or comply with any requirements. All participants can follow the contest and interact with each other on Twitter, using the hashtag #PC2010.

“This year we have taken into account the suggestions of contestants to better adapt the challenge to everyone’s needs: we’re running it at the weekend, with a timetable that allows people from all over the world to take part, etc. We hope users enjoy it as much as last year”, concludes Matthews.

More information is available in the PandaLabs blog: http://www.pandalabs.com

For more information about Panda, visit http://www.pandasecurity.com/.

iPads infected with iPhone virus

June 30th, 2010 editor

Panda Security has found that malware designed to infect iPhones can also compromise the popular iPad.

Given the increasing popularity of Apple devices and their growing market share, malware designed specifically to target these platforms is beginning to attract more attention. Last year, Panda raised the alert about a worm, iPhone/Eeki, able to infect jailbroken iPhones (i.e. those that have been tampered with in order to install unofficial applications). The worm was also able to spread to iPod Touch.

Logically, all malware designed for iPhones will have the same ability to infect and spread to iPad devices. This is because the iPad and the iPhone share the same operating system, known as iPhone (v3), or iOS (v4) in the forthcoming version.

‘This doesn’t mean we’re about to face an avalanche of infections’, says Jeremy Matthews, head of Panda’s sub-Saharan operations. ‘However, we have always stated that as Apple takes more market share, cyber-crooks will begin to show more interest in targeting those that use this platform.’

Despite the fact that Apple decided to totally close off the hardware (making it impossible to install peripherals) and the software (all applications are installed from the manufacturer’s App Store) cyber-criminals have found a way to infect jailbroken devices with malware.

‘With more and more proof of Apple being targeted, we advise all Mac users to follow the manufacturer’s recommendations to increase security on their operating systems’ concludes Matthews.

Since 1990, Panda’s mission has been to detect and eliminate new threats as rapidly as possible in order to offer maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda’s new security model which can even detect malware that has evaded other security solutions.

Currently, 99.4% of malware detected by Panda is analyzed through this system of collective intelligence. This is complemented by the work of several teams, each specialised in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc). This translates into simple, secure and resource-friendly solutions for users.

For more information, visit http://www.pandasecurity.com/.

Exposed: website selling ‘undetectable’ bots

June 3rd, 2010 editor

Panda Security has exposed a network selling bots which specialise in targeting social networks and webmail systems. The publicly available website contains an extensive catalogue of programs aimed at social networks and webmail services, including Twitter, Facebook, MySpace, YouTube, Friendster, Gmail and Yahoo amongst others.

Each entry explains the reason for which the bot has been created: creating multiple accounts simultaneously on social networks; identity theft and stealing friends, followers or contacts and the automatic sending of messages. According to the page, “All Bots Work in a conventional manner; they gather friends IDs/names and send friend requests, messages and comments automatically.”

“This is another example of the lucrative business that malware represents for cyber-criminals,” warns Jeremy Matthews, head of Panda’s sub-Saharan operations. “While some of the activities the bots are used for are more innocent – such as the creation of accounts – others are specifically focused on fraud, including the theft of identities and photographs.”

Prices range from $95 (R724) for the cheapest bot to $225 (R1715) for the most expensive. The entire catalogue can be bought for $4,500 (R34284). The network guarantees that they will never be detected by any type of security solution, claiming that they have been developed to change users, agents and headers as many times as is necessary to prevent them from being blocked. They also get round CAPTCHA security mechanisms included on many websites so the buyer just has to set the parameters and leave the bots to operate on their own. The bots also include perpetual updates.

The bots are specially adapted for each website, and the list of targets include not just globally popular social networks or communities, but also local sites. On the same portal there is also an offer to earn money by reselling these ‘products’ as an affiliate.

“It is these kinds of models that help to build cyber-mafias and organizations that operate across several countries. We should still not forget, however, that this business exists not just because there are developers creating the threats, but also because there are criminals who are prepared to pay for them. Until we are able to prevent people from defrauding victims in this way, this business model will continue to thrive,” says Matthews.

How banking Trojans work

October 28th, 2009 editor

Panda evangelist Sean-Paul Correll has created a video that explains how banking Trojans work. He writes on the PandaLabs blog:

Banking Trojans are one of the most prevalent Malware species in the threat landscape today. Malware authors aim to keep infections live and undetected long enough so that they can get what they are really after: money. Financial motivations lead malware developers to craft the stealthiest banking Trojans to steal personal and financial data for further exploitation on the black market. Day after day innocent victims are hacked with the end result being an emptied out bank account. This video demonstrates how dangerous and stealthy banking Trojans can be and why we must continue to raise awareness on the issue.

Watch the video below:

Live Demo: Banking Trojan from Panda Security on Vimeo.

Fake antivirus now hijacks, blocks computers

October 20th, 2009 editor

Panda Security’s anti-malware laboratory has identified a new, more aggressive trend for selling fake antivirus programs or rogueware. Until now, when a computer was infected by this type of malware, users would typically see a series of warnings prompting them to buy a pay version of the program. Now, these technologies are being combined with ransomware, hijacking the computer and rendering it useless until victims complete the purchase.

“The way this rogueware operates presents a dual risk: firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine antivirus installed on the computer, thereby leaving the system unprotected,” explains Jeremy Matthews, head of Panda’s sub-Saharan operations.

Once a computer is infected, any attempt made by the user to run a program or open a document will be frustrated. The only response from the computer will be to display a message falsely informing the victim that all files are infected with the only solution being to buy the fake antivirus.

This fake program, called Total Security 2009, is offered for €79.95 (almost R600). Victims are also offered ‘premium’ tech support services for an additional €19.95 (about R150). Users that pay the ransom will receive a serial number, which, when entered in the application, will release all files and executables, allowing them to work normally and recover their information. The fake antivirus however, will remain on the system.

“Users are often infected unknowingly – in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” says Matthews. “Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake antivirus.”

For this reason, Panda has published the serial numbers required to unblock the computer if it has been hijacked on the PandaLabs blog. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of the fake antivirus.

PandaLabs recently published a report about the lucrative business of rogueware. The shift towards hijacking computers indicates either that users are becoming more adept at recognizing these threats or that security companies are beginning to close the net. This would explain why hackers are becoming more aggressive in the methods used to force the victims into paying. The PandaLabs report is available here.

The serial numbers and a video demonstrating how this scam operates are available on the PandaLabs blog.

5 million new malware threats in record-breaking Q3

October 6th, 2009 editor

Malware-creators have broken all records when it comes to creating new threats. Over the last three months, PandaLabs, Panda Security’s anti-malware lab, has recorded five million new strains of malware. Most of these were banker Trojans, although adware and spyware have also increased.

This was revealed in the PandaLabs quarterly report detailing cyber-threat activity from July to September. The report can be downloaded here.

“We are currently receiving some 50,000 new examples of malware every day,” explains Jeremy Matthews, head of Panda’s sub-Saharan operations. “This is a massive increase from the 37,000 samples we were detecting daily just a few months ago. There is no reason to believe that the situation will improve in the coming months.”

Q3 saw a 15% rise of computers infected by malware compared to the previous quarter. In more than 37% of cases, the culprits were Trojans, while adware was responsible for 18.68% of all infections. This category in particular has seen significant expansion due to the major proliferation of fake antivirus programmes.

Panda has detected a major growth in the distribution of malware through spam, social networks and rogue search engine optimization techniques, which draw users to spoof Web pages from which malware is downloaded. These methods for propagating malware often use social engineering, exploiting a range of current issues such as swine flu, Independence Day, forest fires or speeches of Barack Obama.

Download the PandaLabs report here.

Facebook accounts “hacked” for $100

September 21st, 2009 editor

“Any Facebook account can be hacked” – so claim the creators of an online service which, for only $100, allegedly provides clients with the login and password credentials to access any account on the popular social networking site. This not only includes accounts belonging to ordinary people, but also celebrities, politicians, or well-known companies.

Uncovered by global IT security vendor Panda Security, the criminal outfit conducts payments online through Western Union, with the money transferred to the Ukraine, further fueling the perception that most Internet mafias are based in Eastern Europe. The domain that hosts the service is registered in Moscow.

The company claims to have been offering this service for four years with only one percent of accounts hack-proof. In these cases, they offer clients a money-back guarantee. However, the domain is just a few days old.

Users can also get extra dollar-credits to spend on the service when they hack more accounts. They can even become affiliates to help hackers reach a broader audience. These affiliates receive 20% of what they sell in credits for hacking more accounts.

“The system’s real purpose may be hacking Facebook accounts as they say, or profiting from those that want to try the service,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “In any case, the Web page is very well designed. It is easy to contract the service and become either the victim of an online fraud, or a cyber-criminal and accomplice in identity theft.”

Once an intruder hacks into a Facebook account, all personal data published on the site can be stolen. Similarly, those accounts can also be used to send malware, spam or other threats to the victim’s contacts. In the case of celebrities or other well-known entities, they can be used to defame the account holder, such as through spreading information in their name.

Find out more at the PandaLabs blog.


Trojans 70% of new malware detected

July 16th, 2009 editor

Trojans accounted for 70% of all new malware between April and June 2009, according to data compiled in the latest PandaLabs Quarterly Report.

Trojans were also responsible for more infections than any other type of malware over this period. This type of malware was behind 34.37% of all infections detected by Panda, an increase of 2.86% with respect to the previous quarter. Adware infection levels remained stable, accounting for 19.62% of the total.

One of the most notable findings of the report is the 6.25% drop in spyware, which now represents just 6.9% of all new malware. In contrast, adware rose dramatically over this period, from 7.54% in the previous quarter to 16.37%. This is largely due to the surge in fake antivirus applications, a type of adware that passes itself off as a legitimate security solution.

As for worms, their percentage has also risen slightly, now accounting for 4.4% of all malware. Dialers, at 4.48%, stubbornly refused to disappear despite the overriding trend for broadband instead of dial-up connections.

In terms of specific strains of malware, the number one ranked specimen in Q2 was Downloader.MDW, a Trojan designed to download other malware on to computers. The Virtumonde spyware and Rebooter.J Trojan were also among the malicious codes that caused most infections.

Malicious use of Twitter

A worm appeared in April which used a cross-site scripting technique to infect Twitter users when they visited the profiles of other infected users. It then infected the new user’s profile to continue propagating. New variants appeared, and finally the creator’s identity was revealed: one Mikey Mooney, who apparently wanted to attract users to a service competing with Twitter.

In early June, Twitter was the focus of other attacks, this time using different techniques, above all BlackHat SEO. Twitter has a feature called “Trending Topics”, which is a list of the most popular topics that appears in the interface of all Twitter users. When users select a topic through this feature, they will see all ‘tweets’ published related to this issue.

In this case, malicious users were writing tweets about the topics listed in Twitter Trends with links to malicious Web pages from which malware was downloaded. The first attack focused on just one of the topics, but just a few days later the scope of the attack increased and all popular topics contained malicious links. When the actor David Carradine died, in just a few hours there were hundreds of malicious tweets, and the same occurred with other popular issues on Twitter.

You can download the PandaLabs Quarterly Report here.

Q1 saw 10% increase of new spyware

May 7th, 2009 editor

Panda Security’s new quarterly malware report has revealed that Trojans have accounted for 73% of all new malware created during the first few months of 2009 while the distribution of spyware has grown rapidly to 13.15%, up from a mere 2.5% in the previous quarter.

“We have seen a dramatic increase in the amount of spyware in circulation aimed, in all likelihood, at saturating laboratories and consequently infecting more users,” says Jeremy Matthews, head of Panda Security’s sub-Saharan operations.

In some cases, cyber-crooks have been successful, as in the case of the Virtumonde spyware, which infected more computers than any other malicious code in the first quarter of 2009. This malware combines aspects of adware and spyware, monitoring users’ Internet movements, rigging search engine results and displaying advertising banners, pop-ups, etc. for some products. Despite the notable growth of spyware, though, it is still way behind Trojans (31.51%) and adware (21.13%), in terms of the number of infections caused overall during this period.

The region with the highest percentage of active malware continues to be Taiwan (31.7%). Brazil and Turkey are also noteworthy. They occupy second and third place respectively, overtaking Spain and the United States. Mexico, nevertheless, has witnessed a decrease in the amount of active malware (17.95%), dropping almost 10% compared to the 24.87% active malware average recorded for the whole of 2008.

Conficker: the major threat

Although it first appeared at the end of 2008, the Conficker worm has been the malicious code that has kept security companies busiest during the past few months, due to the large number of infections caused between December 2008 and January 2009. Moreover, there was considerable concern about its supposed reactivation on April 1. However, until now, no new versions or additional infections have been detected other than those already associated to the previously active variants.

“It is still possible that at any moment one of the URLs created by Conficker on April 1 could be activated and the worm could download an update to its code or new malware. In any event, this would only affect users who are unprotected against Conficker,” says Matthews.

The Panda report also includes information about other issues such as the Waledac worm, which had an impact around St. Valentine’s Day, malware on social networks and the most important vulnerabilities detected during the first three months of the year. You can download it here.

“Don’t get taken in by the Conficker panic”

March 30th, 2009 editor

By Luis Corrons, head of PandaLabs

Lately it seems everybody is talking about Conficker and its variants. And much more so if we have to take into account the build-up of fear around the coming day of April 1st. It’s been a while since we saw so much coverage in the general media and I don’t want to tell you to disregard this, because it does contribute to general awareness and make users more conscious of the threats they face. But I also want to say that perhaps it does more harm than good.

Let’s go back over the issues that are flying around the world. Regarding the damn date: will Conficker be activated on the first of April? No. But it will do something that day, won’t it? Yes. Conficker is a malware variant that creates random URLs every day. The PCs infected with it check if there is any new available version to download. It does so 250 times a day. What will happen then on the first of April?

The last variant creates 50,000 new URLs. And although we can’t know if any of them will host an update of the malware, its author could quite easily host a new version or even some other type of malware. If any URL contains an update of the worm, which actions will the new variant carry out? We don’t know — no one, in fact, has been able to figure out the final aim of Conficker. What we do remember from previous infections is that the author’s motive is to become famous, but we doubt very much that it all ends there. If we think about the different business models that there are currently behind malware (mentioned in the PandaLabs blog many times before), it is obvious that its author – or authors – will be looking to make money in some way. But, in which way? One possibility is that it could harness the net of infected PCs to send spam, by installing on the infected PCs some type of rogue antimalware that warns users that their computer is infected, and enticing them to buy a fake antivirus, which will result in them downloading password stealing Trojans.

Another question posed is whether Conficker really is more dangerous than other types of malware. The answer is no, it’s not more dangerous, although its update functionality does leave a door open to new attacks that could be more dangerous. Its success lies in having exploited a recent Microsoft vulnerability to distribute itself, and that’s why it has reached so many PCs. In this way, its author has been smart and has adopted the model of classic viruses. The author has also rather cleverly used several different means of infection — such as through USB keys and MP3 players. From version to version Conficker has made its detection increasingly difficult by obfuscating code. Although it’s not strictly speaking a polymorphic virus, it follows this direction.

The spreading of the virus through USB devices illustrates Conficker’s attempt to reach the maximum number of PCs. Despite this, the infection rate of the previous weeks has dropped significantly. There are probably still variants infecting PCs but not at the levels we were seeing in the previous months. With this situation, the author could take various actions:

a) Create a new variant which exploits another zero day vulnerability
b) Keep alive the three variants which are distributing, monitoring how much money they are making day by day, to the end.
c) Get bored and do something else…

We bet on option “a”. Not necessarily for the first of April, but definitely on its way. It would be a pity for the author to go to so much trouble without getting anything. It’s because of this that we think that Conficker won’t be going away so easily.

Above all, don’t get taken in by the panic. What do users do on the first? If you have your PCs protected by a good and updated antivirus, nothing. If you don’t have one, we recommend you install one; you can also use Panda ActiveScan to be sure you are not infected. And we suggest you install the free tool we have created to avoid contamination through USB drives.
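
The post above says an infected PC checks freshly generated URLs for an update 250 times a day. As an added example (not part of the original post and not PandaLabs code), this Python check over DNS resolver logs flags hosts showing that pattern, assuming most generated names are unregistered and fail to resolve; the log format, addresses, names and thresholds are constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

def label_entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def flag_polling_hosts(lines, min_failed=100, min_fail_ratio=0.8, min_entropy=2.5):
    """Flag (date, client) pairs whose lookups look like polling generated names.

    Each line is 'DATE TIME CLIENT QNAME RCODE' (a constructed log format).
    A host is flagged when, within one day, it fails to resolve at least
    min_failed distinct random-looking names and those failures dominate
    its lookups. The thresholds are assumptions chosen to sit below the
    250 daily checks the post mentions.
    """
    per_host = defaultdict(lambda: {"ok": set(), "failed": set()})
    for line in lines:
        if not line.strip():
            continue
        date, _time, client, qname, rcode = line.split()
        bucket = "failed" if rcode == "NXDOMAIN" else "ok"
        per_host[(date, client)][bucket].add(qname.lower().rstrip("."))

    flagged = {}
    for key, names in per_host.items():
        failed = names["failed"]
        # Judge randomness on the leftmost label only.
        random_looking = [q for q in failed
                          if label_entropy(q.split(".")[0]) >= min_entropy]
        ratio = len(failed) / (len(failed) + len(names["ok"]))
        if len(random_looking) >= min_failed and ratio >= min_fail_ratio:
            flagged[key] = {"failed_domains": len(failed),
                            "random_looking": len(random_looking),
                            "fail_ratio": round(ratio, 3)}
    return flagged

def build_sample_log():
    """Constructed sample: one polling host and one ordinary host."""
    to_letters = str.maketrans("0123456789", "ghijklmnop")
    lines = []
    for i in range(250):  # 250 checks a day, the figure given in the post
        # Hash-derived filler names under the reserved .example TLD;
        # this is sample data, not Conficker's generation algorithm.
        digest = hashlib.sha256(f"sample-{i}".encode()).hexdigest()[:12]
        name = digest.translate(to_letters) + ".example"
        lines.append(f"2009-04-01 08:{i % 60:02d}:00 10.0.0.23 {name} NXDOMAIN")
    for name in ("www.example", "mail.example", "intranet.example"):
        lines.append(f"2009-04-01 09:00:00 10.0.0.23 {name} NOERROR")
    for i in range(40):  # ordinary browsing: many names, nearly all resolve
        lines.append(f"2009-04-01 10:{i:02d}:00 10.0.0.57 site{i}.example NOERROR")
    for typo in ("wwww.example", "mial.example"):
        lines.append(f"2009-04-01 11:00:00 10.0.0.57 {typo} NXDOMAIN")
    return lines

if __name__ == "__main__":
    for (date, client), stats in flag_polling_hosts(build_sample_log()).items():
        print(date, client, stats)
```

Only the host with hundreds of distinct failed lookups is reported; the ordinary host, with two mistyped names among forty successful lookups, stays below both thresholds.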
