The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.


Analyst's Diary

Criminals Surfing the Kido/Conficker Hype


Georg, March 31, 2009, 08:30 GMT


As F-Secure already reported, criminals are using the Kido/Conficker hype to push their rogue anti-virus onto the public. Their product sometimes displays false alerts on clean systems and tries to lure victims into buying a fake cleaning program for $39.95. Contrary to what they claimed on remove-conficker.org (the site has since been taken down), the product fails to detect Kido.


However, these are not the only people trying to make money from public fear of this supposed new mega-worm. Others, for example, are trying to sell assistance with removing Kido from computers through a certain website.


Do not give them your real data; there are free utilities to help you:
  • Kaspersky offers a free removal tool for Kido. Download it to an infected machine and run it there to clean the machine of Kido.
  • Felix Leder and Tillman Werner of the University of Bonn have developed a remote Conficker scanner that can determine whether a system is infected with Kido over TCP port 445 without further impact on the system (the scanning host therefore needs to be able to reach port 445 on the targets, which firewalls frequently block).

Furthermore, the Conficker Working Group maintains a list of possibly malicious sites abusing the general Kido/Conficker confusion.

BBC crosses the line again


David, March 19, 2009, 23:06 GMT


BBC reporters, posing as fraudsters, have bought UK names, addresses and credit card details from a 'broker' of stolen data in Delhi, India. It seems that one in seven of the cards they bought were valid. The BBC has notified the owners of the stolen details.

The BBC ran the story on this evening's News at Ten TV programme and has posted details on its web site.

This is the second time this week that the BBC has dealt with those on the wrong side of the law. Although this case differs from the previous one, we still firmly believe it's the wrong way to highlight the dangers of cybercrime.

Smack on the bot for the Beeb


David, March 12, 2009, 18:03 GMT


The BBC’s Click program has been getting quite a bit of publicity after it “acquired” a botnet. It used the botnet to send spam (to specially created addresses) and bring down a website (with the consent of the site’s owners). This was all done in the name of consumer education.

Normally, the BBC does a great job telling people about the potential dangers of computing. But this time they’ve gone about it the wrong way. The Computer Misuse Act clearly states that a person is guilty of an offence if “he causes a computer to perform any function with intent to secure access to any program or data held in any computer”.

I’m not a lawyer, and smart lawyers often manage to find loopholes in the law. But I do work for a security company, and it’s my view that the Click guys certainly broke the spirit, if not the letter, of the law.

Accessing other people’s computers is wrong. Accessing other people’s computers to create TV content, even with the best of intentions, is very wrong indeed.

Phishing for dummies


Aleks, March 04, 2009, 20:46 GMT


Yesterday we published our annual report, which includes my favourite topic - how the threat landscape’s going to change in 2009. One of the things we expect to see is an increase in the number of phishing attacks and scams on the Internet:

"Secondly, the technical sophistication needed to develop and spread new malicious programs will force many cyber criminals to search for simpler and cheaper ways of making a profit. Phishing may be one of the more attractive solutions."

And, whether by coincidence or design, yesterday I got an email which is just what I’m talking about above – a scam that’s easy and cheap to implement.

Subject: please see the attachment
Sender (fake): Internal Revenue Service [nonereply@irs.gov]
Message: Please see the attachment make sure you fill all the columns and send fax to: +1-646-308-1145.

This type of phishing has been around for a while, but it’s the first time I’ve received a message like this - maybe I’ve just been lucky, because I know my address is all over spammer databases :)

This is so-called offline phishing; the bad guys don’t even go to the trouble of making a fake site, but just ask you to fax through all your details. Using a fax number gives an additional aura of credibility to the whole thing – most people have heard of phishing sites, but a lot of them won’t have heard of phishing by fax. And the combination of a government department and a fax number fits perfectly with the perception that public institutions are more than a bit behind the times.
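A fax-back message of this kind has no URL for a reputation filter to look up, so the checks have to be made on the message itself. The following is an added example, not code from the post: it parses a message, compares the domain claimed in From: with the envelope sender in Return-Path:, pulls out any fax number the body asks you to use, and checks whether each attachment is an OLE2 container (the legacy .doc/.xls/.ppt format). The sample message is constructed for this example from the details quoted above (display name, subject, body wording, fax number and attachment name); the Return-Path, Received line, recipient address and attachment bytes are invented, and the attachment is only the 8-byte OLE2 signature plus padding.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample, not a real capture. Sender name, subject, body wording,
# attachment name and fax number follow the post; the Return-Path, Received
# header, recipient and the attachment bytes (OLE2 signature + padding) are
# made up for this example.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce-7721@mail.example-bulk.net>
Received: from mail.example-bulk.net (unknown [192.0.2.45])
\tby mx.example.org with ESMTP id 3f1c2d; Tue, 03 Mar 2009 14:02:11 +0000
From: Internal Revenue Service <nonereply@irs.gov>
To: victim@example.org
Subject: please see the attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please see the attachment make sure you fill all the columns
and send fax to: +1-646-308-1145.

--XYZ
Content-Type: application/msword; name="Form W-4100B2 A1.doc"
Content-Disposition: attachment; filename="Form W-4100B2 A1.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--XYZ--
"""

# Constructed control message with none of the indicators.
CLEAN_EMAIL = b"""\
Return-Path: <colleague@example.org>
From: A Colleague <colleague@example.org>
To: victim@example.org
Subject: minutes from today
Content-Type: text/plain; charset="us-ascii"

The minutes are at https://intranet.example.org/minutes/2009-03-03
"""

# "fax", an optional "to"/"number"/"no.", an optional colon, then a phone number.
FAX_RE = re.compile(r"\bfax\b\s*(?:to|number|no\.?)?\s*:?\s*(\+?\d[\d\s().-]{6,}\d)", re.I)
URL_RE = re.compile(r"https?://|www\.", re.I)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> dict:
    """Return the indicators of a fax-back ("offline") phishing message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["From"]
    from_addr = from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else ""
    return_path = str(msg.get("Return-Path", "")).strip("<> ")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Normalise "+1-646-308-1145" style numbers to "+16463081145" for matching.
    fax_numbers = [re.sub(r"[\s().-]", "", m) for m in FAX_RE.findall(text)]

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "ole2_container": data.startswith(OLE2_MAGIC),
        })

    findings = []
    # A From: domain that differs from the envelope sender is not proof of
    # spoofing (mailing lists do it too), but a "government" sender whose
    # bounces go elsewhere deserves a second look.
    if from_addr and return_path and _domain(from_addr) != _domain(return_path):
        findings.append(f"From domain {_domain(from_addr)} != Return-Path domain {_domain(return_path)}")
    # The defining trait of offline phishing: the reply channel is a fax
    # number, so there is no URL for a web filter to block.
    if fax_numbers and not URL_RE.search(text):
        findings.append("asks for details by fax and contains no URL")
    for att in attachments:
        if att["ole2_container"]:
            findings.append(f"attachment {att['filename']!r} is an OLE2 (legacy Office) document")

    return {
        "from": from_addr,
        "return_path": return_path,
        "fax_numbers": fax_numbers,
        "attachments": attachments,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        result = analyse(raw)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The three indicators are deliberately independent: a message can fail the sender check and still be legitimate, but a message that claims to come from a tax authority, asks for personal details by fax, carries no link and ships a legacy Office document hits every one of them.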

So what threat do these messages pose? (Apart from the obvious scam factor, that is.) Well, files attached to messages could easily contain malicious programs – the sample I got had two Word docs attached. There's nothing that makes this type of file inherently less dangerous than executables. If you've been following the news, you'll know about the unpatched vulnerability in Adobe PDF Reader, and that it's being exploited using OLE files – that's just one example of the threat that MS Office files from untrusted sources can pose.

Because we're experts, though, we know how to open files like this safely. So we did, to take a look at what the authors of the email wanted from us.

This is what's in the file called Form W-4100B2 A1.doc.

And this is what's in the file called Form W-4100B2A2.doc.
It’s pretty clear that the information you're asked to give is exactly the type of information which always features in media reports about data leaks. And exactly the type of information that the bad guys can use to do a thousand and one bad things...all under your name!

Let’s dig a bit deeper and take a closer look at these documents or rather, at their properties.

The second file claims to be FORM W-4100B2. A quick Google gives results for a similar mass mailing back in November 2008. There’s an example here and you can see that since November, the only thing that’s been changed is the fax number.

However, the document properties show it was originally called FORM W-8BEN (NRA Recertification). Another quick Google shows results for scams which used this document running from the beginning of 2007 up until autumn 2008.

It’s no surprise that this form is almost identical to a genuine IRS document which has the same name. The only difference is that the legitimate form clearly states “Do not send Form W-8BEN to this office. Instead, give it to your withholding agent” rather than asking for information to be faxed back.

So the file properties show the old file name, even though it’s currently circulating under a different name. Makes it look almost certain that it’s the same person (or group of people) behind all the attacks – s/he just recycles the original file with slight modifications. We even know that this was last done on 22nd November 2008.
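The title and the last-saved date that give the recycling away live in the document's SummaryInformation property set, a stream inside the OLE2 container. The following is an added example, not code from the post: a decoder for that property set stream that pulls out the title, author and FILETIME timestamps. It assumes the stream has already been extracted from the .doc (a library such as olefile can read the "\x05SummaryInformation" stream from the container; that step is not shown). To stay self-contained it also includes a small encoder used to construct the sample: the title and the 22 November 2008 last-saved date follow the post, while the author name "user", the creation date, the time of day and the SystemIdentifier value are assumptions made for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Property identifiers of the SummaryInformation set (PIDSI_* in the Windows
# SDK); PID 1 is the code page that applies to every string in the set.
PIDSI = {2: "title", 4: "author", 8: "last_saved_by", 12: "created",
         13: "last_saved", 18: "app_name"}
VT_I2, VT_LPSTR, VT_FILETIME = 0x0002, 0x001E, 0x0040
# {F29F85E0-4FF9-1068-AB91-08002B27B3D9} in its on-disk byte order.
FMTID_SUMMARY_INFORMATION = bytes.fromhex("E0859FF2F94F6810AB9108002B27B3D9")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_summary_information(stream: bytes) -> dict:
    """Decode a SummaryInformation property set stream (MS-OLEPS layout)."""
    byte_order, _version, _sysid = struct.unpack_from("<HHI", stream, 0)
    if byte_order != 0xFFFE:
        raise ValueError("not a property set stream")
    num_sets = struct.unpack_from("<I", stream, 24)[0]
    for i in range(num_sets):                       # FMTID/offset pairs follow the header
        fmtid = stream[28 + 20 * i: 44 + 20 * i]
        set_offset = struct.unpack_from("<I", stream, 44 + 20 * i)[0]
        if fmtid == FMTID_SUMMARY_INFORMATION:
            break
    else:
        raise ValueError("no SummaryInformation property set")
    _size, count = struct.unpack_from("<II", stream, set_offset)
    codepage, props = "cp1252", {}
    for j in range(count):
        pid, rel = struct.unpack_from("<II", stream, set_offset + 8 + 8 * j)
        pos = set_offset + rel
        vtype = struct.unpack_from("<H", stream, pos)[0]
        pos += 4                                     # 2-byte type + 2-byte padding
        if vtype == VT_I2:
            value = struct.unpack_from("<h", stream, pos)[0]
            if pid == 1:
                cp = value & 0xFFFF
                codepage = "utf-8" if cp == 65001 else f"cp{cp}"
        elif vtype == VT_LPSTR:
            length = struct.unpack_from("<I", stream, pos)[0]
            raw = stream[pos + 4: pos + 4 + length]
            value = raw.split(b"\x00", 1)[0].decode(codepage, "replace")
        elif vtype == VT_FILETIME:                   # 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack_from("<Q", stream, pos)[0]
            value = FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
        else:
            value = None                             # other types not handled here
        props[PIDSI.get(pid, pid)] = value
    return props


def build_summary_information(values: dict) -> bytes:
    """Encode a minimal SummaryInformation stream; used only to construct the sample."""
    entries = [(1, struct.pack("<HHh", VT_I2, 0, 1252) + b"\x00\x00")]   # code page first
    for pid, value in values.items():
        if isinstance(value, str):
            raw = value.encode("cp1252") + b"\x00"
            entries.append((pid, struct.pack("<HHI", VT_LPSTR, 0, len(raw))
                            + raw + b"\x00" * (-len(raw) % 4)))
        else:                                        # timezone-aware datetime
            ticks = ((value - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
            entries.append((pid, struct.pack("<HHQ", VT_FILETIME, 0, ticks)))
    table_len = 8 + 8 * len(entries)
    body, table = b"", b""
    for pid, blob in entries:
        table += struct.pack("<II", pid, table_len + len(body))
        body += blob
    prop_set = struct.pack("<II", table_len + len(body), len(entries)) + table + body
    header = struct.pack("<HHI", 0xFFFE, 0, 0x00020006) + bytes(16) + struct.pack("<I", 1)
    return header + FMTID_SUMMARY_INFORMATION + struct.pack("<I", 48) + prop_set


# Constructed sample: title and last-saved date as read in the post; author,
# creation date and times of day are assumptions for this example.
SAMPLE_STREAM = build_summary_information({
    2: "FORM W-8BEN (NRA Recertification)",
    4: "user",
    12: datetime(2007, 1, 15, 9, 30, tzinfo=timezone.utc),
    13: datetime(2008, 11, 22, 17, 5, tzinfo=timezone.utc),
})

if __name__ == "__main__":
    for key, value in parse_summary_information(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

Run against the stream from a real circulating .doc, the title and last_saved fields are the two values to compare across samples of a campaign: a title that does not match the file name the document travels under, combined with a last-saved date that stays constant while the file name and fax number change, is the fingerprint of a recycled document.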

I find this pretty depressing. Someone’s been sending out these messages for at least the last two years, just tweaking the attack sometimes by changing the fax number and the name of the documents. And it looks as though they’re not having any problems at all.

See for yourself. Take a look at the number - +1-646-308-1145. It’s only linked to the current attack. Take a look at the complaints from victims. Take a look at the IRS site which has info about attacks like this. And what action is being taken? As far as I can see, none.

I don’t know the details of US law regarding anonymity for the owners of phone numbers. It just strikes me as pretty strange that for a long time now, the guys behind these attacks have been exchanging their old numbers for new ones without anyone trying to track them down and arrest them.

Take care of yourself, and take care of your personal details. “Phishing for dummies” is going to happen more and more often in 2009. It’s easy. It’s cheap. And at the moment, there doesn’t seem to be much danger of getting caught.

Copyright © 1996 - 2009 Kaspersky Lab. All rights reserved.