" pandalabs "

PandaLabs Offers Security Tips to Stay Safe This Winter

Panda Security’s anti-malware laboratory, PandaLabs, has published its annual security tips for consumers on staying safe and avoiding computer fraud this winter.

During the winter holidays people, and children in particular, have more spare time, use their computers and connect to the Internet more often, which increases the risk of falling victim to some kind of malicious code.

One of the latest scams involves fake flight confirmation emails. The potential victim receives a confirmation for some ‘recently purchased tickets’ with instructions to open an attachment in order to view the ticket. The attachment, however, is a Trojan of the Sinowal family designed to steal the user’s confidential information.

“In the winter, lots of people book flights online to get to their holiday destinations,” said Luis Corrons, technical director of PandaLabs. “Cyber-crooks are taking advantage of this situation to send a new wave of fake emails aimed at tricking users into opening the attachments and infecting their computers.”

Security Tips for the Winter Season

PandaLabs is continually analysing the latest Internet trends, and with this in mind, offers the following advice to help safeguard users’ security this season:

  • Use caution on social networking sites: People give away too much information on social networks, to the point that criminals sometimes know when someone is away on holiday. Don’t share this kind of private information and check your privacy settings carefully.
  • Parental control: Children spend more time in front of computers while on holiday. A good parental control program helps limit their exposure on the Internet.
  • Avoid shared computers if at all possible: Many people leave their computers at home while on holiday and use public PCs in Internet cafés or hotels to access their social network accounts or carry out transactions. If you must, prevent identity theft by making sure the browser does not save your user ID and password, and log out when you are done. Also make sure the computer is malware-free; if you suspect it has been compromised, leave it and use another. Take care when plugging an external device such as a USB stick into a shared computer, as it may become infected without your knowledge.
  • Take care with email: Email is one of the main malware entry points, so pay special attention to it. Do not open attachments from unknown senders or click on dubious links.
  • Beware of public Wi-Fi networks: You could be connecting to a network set up by attackers to capture any information you send over the Internet. When you connect to email, social networking sites or online stores, make sure you are using a secure connection (https), so that traffic is encrypted and cannot be read by anyone else on the network, and never click through a certificate warning on a public network.
  • Keep your computer up to date: Malware exploits known security holes in systems to infect them. Make sure all necessary security patches and updates are installed.
  • Protect your computer: Make sure you have reliable, up-to-date protection installed. There are free, reliable solutions on the market, such as Panda Cloud Antivirus, available for download at www.cloudantivirus.com.

“Follow our tips and enjoy your winter vacation with peace of mind. Just as you lock all doors and windows before going on vacation, you should also take great care to protect your digital world,” added Corrons.

LinkedIn spam serving Adobe and Java exploits

Today we will be reviewing a cybercriminal’s recipe for success:

  1. Hacking LinkedIn’s password (and possibly user) database.
  2. Sending an email to every address obtained, urging the recipient to check their LinkedIn inbox as soon as possible.
  3. A user unwittingly clicks on the link.
  4. An exploit is loaded. Malware is dropped. Malware is executed.
  5. The user’s computer is now a zombie (part of a botnet).

I was forwarded an email that appeared to come from LinkedIn. The email was inviting you to check your LinkedIn inbox. As you know, LinkedIn was hacked some time ago and passwords were compromised in the attack. I believe, however, that (a part of) the user database was breached as well.

If we check the “To” and “CC” fields of this email, we see about 100 other recipients. A quick look-up of a few of them on LinkedIn reveals the inconvenient truth. Here’s the email in question:

Subjects of this email might be “Relationship LinkedIn Mail?”, “Communication LinkedIn Mail?”, “Link LinkedIn Mail” or “Urgent LinkedIn Mail?”. No doubt the subjects of this email will vary, and are not limited to these four.

Steps 1 and 2 of the cybercrook’s scheme are already fulfilled. Now he just has to wait until someone clicks on one of the links, which brings us to step 3.
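Steps 1 and 2 leave fingerprints in the message itself: a long list of visible recipients, one of the subject lines quoted above, and a link whose target is not where the display text says. The following script is an added example (not PandaLabs’ code) that pulls those three indicators out of a constructed sample message using Python’s standard email parser; the 10-recipient threshold and the assumption that a genuine notification links under linkedin.com are mine, not the post’s.

```python
"""Triage of a suspected mass-mailed lure like the LinkedIn message above.

Added example, not PandaLabs code. The sample message is constructed; the
lure subjects come from the write-up, while the recipient threshold and the
expected link hosts are assumptions.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject lines quoted in the write-up above
KNOWN_LURE_SUBJECTS = {
    "Relationship LinkedIn Mail?",
    "Communication LinkedIn Mail?",
    "Link LinkedIn Mail",
    "Urgent LinkedIn Mail?",
}
# Hosts a genuine LinkedIn notification would link to (assumption)
EXPECTED_LINK_HOST_SUFFIXES = ("linkedin.com",)
# At or above this many visible recipients we call it a mass mailing (assumption)
MASS_MAIL_THRESHOLD = 10

# Constructed sample: 100 addresses in To (the real one had about 100) plus two
# in Cc, a lure subject, and a "LinkedIn" link whose href points at a bare IP
_SAMPLE_TO = ", ".join(f"user{i:03d}@example.com" for i in range(1, 101))
SAMPLE_EML = f"""\
From: LinkedIn <messages-noreply@linkedin.com>
To: {_SAMPLE_TO}
Cc: alice@example.net, bob@example.org
Subject: Urgent LinkedIn Mail?
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>You have 1 unread message in your LinkedIn inbox.</p>
<p><a href="http://203.0.113.55/linkedin/inbox.php?id=8">Go to LinkedIn Inbox</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def visible_recipients(msg):
    """Every address listed in To and Cc, parsed by the email library."""
    addrs = []
    for hdr in ("To", "Cc"):
        for field in msg.get_all(hdr, []):
            addrs.extend(a.addr_spec for a in field.addresses)
    return addrs


def link_hosts(msg):
    """Hostnames of all href targets in the HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = []
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def is_expected_host(host):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in EXPECTED_LINK_HOST_SUFFIXES)


def triage(raw_message):
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    n = len(visible_recipients(msg))
    if n >= MASS_MAIL_THRESHOLD:
        findings.append(f"mass mailing: {n} visible recipients in To/Cc")

    subject = str(msg["Subject"] or "").strip()
    if subject in KNOWN_LURE_SUBJECTS:
        findings.append(f"known lure subject: {subject!r}")

    for host in link_hosts(msg):
        if not is_expected_host(host):
            findings.append(f"link does not lead to LinkedIn: {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```

Run directly, it prints the three findings for the sample. The off-brand link check is the one that keeps working when the attackers vary the subject lines, which the post notes they do; the subject list is only useful for the wave you have already seen.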

Suppose someone clicks on the link. What exactly happens? That depends on which versions of the following programs are installed on your computer:

  • Adobe Reader
  • Java

In some cases your browser will crash. In others the page will just sit there and nothing appears to happen. In the unfortunate cases the exploit does its work. As said before, a mix of Adobe Reader and Java exploits is used.

In this case we will look at the Adobe Reader exploit, using Process Explorer to see exactly what is happening:

What’s this? An Adobe Reader process running as a child of our Internet Explorer, which loads a .dll, which in turn launches another file… You get the point: the machine is executing malware and is in the process of being infected.

You might get the following message from Adobe Reader, stating that it has crashed (this is caused by the exploit):

After the user clicks OK, everything looks fine. Right? Of course not. At the end of the chain there is a malicious executable that is set to start every time the computer boots.

The exploits’ source is probably the Blackhole exploit kit. The exploits in question are:
  • CVE-2006-0003 (Microsoft MDAC RDS.Dataspace ActiveX control, loaded through Internet Explorer)
  • CVE-2010-0840 (Java Runtime Environment)
  • an Adobe Reader exploit that is unknown at this point

Steps 3 and 4 have now been accomplished as well: the user clicked on the link, the exploit(s) got loaded and the user is infected.

The malware will try to phone home, connecting to the following IP addresses:
  • 188.40.248.150
  • 46.105.125.7

These addresses (188.40.248.150 in particular) are part of a known botnet, and are used to receive new instructions from the bot herder or to download additional malware. Alerting on outbound connections to them is a quick way to spot an already-infected machine on your network.

With all four steps executed, step 5 is complete as well and the machine is now part of a botnet, in this case the Zeus botnet.
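To turn the Process Explorer view above, the persistence entry and the two C2 addresses into something you can hunt for, here is an added example (not PandaLabs’ code) that flags a browser -> Adobe Reader -> further process chain, Run-key entries that launch from a user-writable directory, and connections to the IPs listed above. The process, network and Run-key samples are constructed to mirror the chain described; the browser and plugin-host name lists are assumptions.

```python
"""Hunting for the infection chain described above: browser -> Adobe Reader ->
DLL host -> dropped executable, persistence via the Run key, and beacons to
the two C2 addresses listed in the write-up.

Added example, not PandaLabs code. The process, network and Run-key samples
are constructed; the image-name lists are assumptions.
"""
from dataclasses import dataclass

# C2 addresses from the write-up above
C2_IPS = {"188.40.248.150", "46.105.125.7"}

# Assumed name lists
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
PLUGIN_HOSTS = {"acrord32.exe", "java.exe", "javaw.exe"}   # normal for a browser to start
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # lower-case base name of the executable
    path: str = ""      # full path, if known


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


def _ancestry(procs, pid):
    """Image names from pid upwards to the root, cycle-safe."""
    seen = set()
    chain = []
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image)
        pid = procs[pid].ppid
    return chain


def find_exploit_chains(proc_events):
    """Flag processes whose ancestry reads browser -> plugin host -> anything else.

    Reader or Java started by a browser is normal; Reader or Java starting a
    further process is the exploit-then-drop pattern seen above.
    """
    procs = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        if e.image in BROWSERS or e.image in PLUGIN_HOSTS:
            continue
        chain = _ancestry(procs, e.pid)          # [self, parent, grandparent, ...]
        for i in range(1, len(chain) - 1):
            if chain[i] in PLUGIN_HOSTS and chain[i + 1] in BROWSERS:
                hits.append(" -> ".join(reversed(chain[: i + 2])))
                break
    return hits


def find_c2_beacons(net_events, proc_events):
    """Connections to the known C2 addresses, attributed to the owning process."""
    procs = {e.pid: e for e in proc_events}
    return [
        (procs[n.pid].image if n.pid in procs else "unknown", n.dst_ip, n.dst_port)
        for n in net_events
        if n.dst_ip in C2_IPS
    ]


def find_suspicious_autoruns(run_values):
    """Run-key entries that start something from a user-writable directory."""
    return [
        (name, cmd) for name, cmd in run_values.items()
        if any(d in cmd.lower() for d in USER_WRITABLE_DIRS)
    ]


# Constructed sample data mirroring the Process Explorer tree described above
SAMPLE_PROCS = [
    ProcEvent(4, 0, "system"),
    ProcEvent(800, 4, "explorer.exe"),
    ProcEvent(1200, 800, "iexplore.exe"),
    ProcEvent(1300, 1200, "acrord32.exe"),      # Reader opened by the browser for the exploit PDF
    ProcEvent(1400, 1300, "rundll32.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\a.dll"),
    ProcEvent(1500, 1400, "updater.exe", "C:\\Users\\bob\\AppData\\Roaming\\updater.exe"),
    ProcEvent(1600, 800, "acrord32.exe"),       # Reader opened by the user from Explorer: benign
]
SAMPLE_NET = [
    NetEvent(1200, "203.0.113.10", 443),        # ordinary browsing
    NetEvent(1500, "188.40.248.150", 80),       # beacon from the dropped executable
    NetEvent(1500, "46.105.125.7", 8080),
]
SAMPLE_RUN_KEY = {
    "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    "updater": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe",
}

if __name__ == "__main__":
    print("exploit chains:", find_exploit_chains(SAMPLE_PROCS))
    print("c2 beacons:", find_c2_beacons(SAMPLE_NET, SAMPLE_PROCS))
    print("autoruns:", find_suspicious_autoruns(SAMPLE_RUN_KEY))
```

The parent-child rule is deliberately narrow: a browser launching Reader or Java is everyday behaviour and is not flagged, only those processes launching something further is. Real process and network telemetry (Sysmon, EDR, a Process Explorer dump) can be fed in by mapping it onto the two event types.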

Conclusion

Today’s lesson is a very important one and is one of the basics of security:

PATCH PATCH PATCH, people! Keep ALL of your software up to date! This means Adobe Reader and Java, but don’t forget other software such as VLC or Windows Media Player. You get the picture.

This also includes installing your Windows patches and keeping your browser up to date, along with any plugins or add-ons you have installed.

If possible, avoid installing Adobe Reader and/or Java at all; there are other (also free) alternatives on the market. If you need them, at least disable their browser plugins so that a web page cannot load them.

Finally, use an up-to-date antivirus product to keep your machine safe should you have skipped any patching. Several of Panda’s products use heuristics to detect an exploit being loaded on the system or a process being injected into another process.

(Source: PandaLabs)

Four Out Of Five New Malware Samples Are Trojans

Panda Security’s anti-malware laboratory, PandaLabs, has published its Quarterly Report for Q1 2012, analyzing the IT security events and incidents from January through March. In the first quarter alone, six million new malware samples were created, in line with the overwhelming figures of previous years.

Malware Statistics

Trojans set a new record as the category cybercriminals prefer for information theft, representing 80 percent of all new malware; in 2011 they ‘only’ accounted for 73 percent. Worms took second place with 9.30 percent of samples, followed by viruses at 6.43 percent. Interestingly, these two categories have swapped positions compared to the 2011 Annual Report, where viruses stood at 14.25 percent and worms were third with 8 percent of all circulating malware.

As for the number of infections caused by each category, the ranking coincides with that of new samples in circulation: Trojans, worms and viruses again occupy the top three spots. Interestingly, worms caused only eight percent of all infections despite accounting for more than nine percent of new malware. This is noteworthy because worms have historically caused far more infections thanks to their automated propagation. In any event, the figures corroborate what is well known: massive worm epidemics are a thing of the past, replaced by an increasing avalanche of silent Trojans, cybercriminals’ weapon of choice.

China Tops List of Infections per Country

The average number of infected PCs across the globe stands at 35.51 percent, down more than three points compared to 2011, according to Panda Security’s Collective Intelligence data. China once again led this ranking (54.25 percent of infected PCs), followed by Taiwan and Turkey. The list of least infected countries is dominated by European countries, which occupy nine of the first ten places; Japan is the only non-European country among the ten nations with under thirty percent of computers infected. The top three places are occupied by Sweden, Switzerland and Norway.

Countries with the most malware infections:

The Quarter at a Glance

PandaLabs highlights several top security incidents during Q1 in the report. There was a marked increase in ‘ransomware’ attacks over the past quarter, especially due to the so-called ‘Police Virus’. This malware displays messages containing the logos of international law enforcement agencies to trick users into believing that their computers have been locked by the police for visiting inappropriate websites or making illegal downloads. To unlock the computer, users have to pay a fine, usually in the range of one hundred euros, dollars or British pounds (depending on the target of the attack). Those messages, however, don’t come from the police but from the Trojan itself.

The report also covers the latest attacks on Android cell phones, distribution of malware via Facebook, the Megaupload case, cyber-war and the latest activities of the Anonymous and LulzSec hacktivist groups.

According to Luis Corrons, technical director of PandaLabs, “Although it’s still early in the year, so far what we have seen in 2012 is a continuation of past trends. Cyber-criminals are still trying to steal users’ information and money by any means possible”.

As always, PandaLabs advises all users to keep their computers adequately protected. With this in mind, Panda Security offers its free tool Panda Cloud Antivirus.

The quarterly report can be downloaded from: http://press.pandasecurity.com/press-room/reports/

Flame: new cyber-espionage tool?

Last week a “new” piece of malware that could be related to cyber-espionage was uncovered (detected as W32/Flamer.A.worm). Taking a look at our Collective Intelligence database, I can confirm that some of the files involved in this attack date back at least to April 2011. It has been infecting computers in Middle East countries (Iran, Israel, Syria, etc.) and its purpose is to steal information.

Iranian CERT has published information about this threat, and our colleagues at Kaspersky, who have been investigating it for some time, have published a nice Questions and Answers article.

Usually targeted attacks are performed using Trojans, but this time we are talking about a worm. Worms self-replicate, so at a certain point the owner or creator of the worm cannot control where it is spreading and whom it is infecting, and when you have specific targets you want to stay under the radar to avoid being discovered. How has Flame solved this issue? Even though it is a worm, its spreading mechanisms are disabled. It looks like whoever is behind it can activate that feature when needed, a smart move when you want to go unnoticed.

What can Flame steal? Is it looking for the most hidden secrets that no other malware is capable of finding? The answer is no: we have not yet found any feature not seen before in other malware samples. But it combines a number of different information-stealing techniques in one package, and it has a number of plugins that give Flame the capability to know everything about its target, even turning on the microphone and recording whatever conversation is taking place.

I would like to quote this question and answer from the article our friends from Kaspersky have published:

Is this a nation-state sponsored attack or is it being carried out by another group such as cyber criminals or hacktivists?
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group. In addition, the geography of the targets (certain states are in the Middle East) and also the complexity of the threat leaves no doubt about it being a nation state that sponsored the research that went into it.

First of all, I do agree that this looks like a nation-state sponsored attack. However, the explanation given is not good at all: as it is not stealing money from bank accounts and it is not a hack tool, it has to be a nation-state attack. Sure. Following this reasoning, ILOVEYOU was also a nation-state sponsored attack.

Flame is designed to steal information in many different ways, it is controlled by a “mastermind” through a number of Command & Control servers, and it has been developed and managed in a completely different way from what we are used to seeing from cybercriminals. It can spread, but only when the people behind it want it to, and it has been seen in only a small number of countries, in a region with a lot of political and economic interests.

(Source: PandaLabs)

Panda Security celebrates 5 years in the cloud with 1.7 billion files processed

Panda Security is celebrating the fifth anniversary of the launch of its cloud security system, Collective Intelligence, which automatically detects, scans, classifies and disinfects 99.4 percent of all new malware received every day at PandaLabs.

The system has now processed more than 1.7 billion files since its launch. The Collective Intelligence database currently occupies 25.2 TB and generates 500 GB of logs every day.

In 2007, after two years of development, Panda Security made this pioneering technology available to users and it was this system that allowed the company to offer cloud-based protection solutions to home users and companies alike. This internationally-acclaimed protection model has led the way for the rest of the industry, and offers all users a series of key benefits: investment costs reduced by 50 percent, reduced local server and desktop resource consumption, and greater overall protection in real-time.

Every day, Collective Intelligence receives more than 3 billion data requests from users of Panda solutions and processes more than 150,000 new files to determine whether or not they are malware. Currently, around 73,000 new, unique strains of malware appear every day. According to PandaLabs Q1 Report, this malware avalanche has elevated the average number of infected PCs across the globe to 35.51 percent, with China leading the ranking of most affected countries (54.25 percent of infected PCs), and followed by Taiwan (47.15 percent) and Turkey (42.75 percent).

Thanks to this system, Panda Security was the first company to bring cloud-based security solutions to the market:

  • Panda ActiveScan, scanning from the cloud since 2007.
  • For home users, cloud scanning was implemented in the 2008 consumer solutions and in the first antivirus designed specifically to protect from the cloud, Panda Cloud Antivirus, in April 2009.
  • For businesses, cloud-based scanning was offered through Panda Cloud Protection in November 2009, delivered through the SaaS (Security-as-a-Service) model.

Free Trial of Panda Security Technology

Panda Security offers all users free trials of its groundbreaking technologies through the following solutions:

New Trojan With Bot Capabilities Dominates All

Panda Security’s anti-malware laboratory, PandaLabs, has reported a new bot called Ainslot.L doing the rounds.

This malware is designed to log user activities, download additional malware and take control of the system. Additionally, it acts as a banker Trojan, stealing log-in information related to banks. It also scans the computer looking for and removing other bots so that it becomes the only bot on the system.

“The fact that Ainslot.L removes other bots from infected systems definitely caught our attention,” explained Luis Corrons, technical director of PandaLabs. “It eliminates all competition, leaving the computer at its mercy. It reminds us of the popular ‘Highlander’ movies: there can be only one.”

It spreads in a fake email purporting to come from UK clothing company CULT. The message, which is very well crafted, informs users that they have placed a £200 order on CULT’s online store and the invoice amount will be charged to their credit card. The text includes a link to view the order which actually downloads the bot onto the computer.
According to Corrons, “Phishing emails are not usually so well done. There is no doubt that this time fraudsters have been very careful to try to make these messages look as real as possible to get as many bites as they can”.