It’s retro day in the world of Internet security, with an Internet worm dubbed “Morto” spreading via the Windows Remote Desktop Protocol (RDP).
F-Secure is reporting that the worm is behind a spike in traffic on Port 3389/TCP. Once it’s entered a network, the worm starts scanning for machines that have RDP enabled. Vulnerable machines get Morto copied to their local drives as a DLL, a.dll, which creates other files detailed in the F-Secure post.
SANS, which noticed heavy growth in RDP scan traffic over the weekend, says the spike in traffic is a “key indicator” of a growing number of infected hosts. Both Windows servers and workstations are vulnerable.
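One way a defender could look for the scanning pattern described above (one host touching many distinct machines on TCP/3389 in a short window) in their own firewall logs. This is an added example, not code from the original post or from F-Secure or SANS; the log format and the sample lines are constructed for illustration.

```python
"""Flag worm-style RDP scanning: many distinct destinations on TCP/3389
from one source within a short time window, over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). The format is a hypothetical
# firewall export: "<ISO time> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_LOG = """\
2011-08-28T10:00:01 10.0.0.5 10.0.1.1 3389 TCP
2011-08-28T10:00:02 10.0.0.5 10.0.1.2 3389 TCP
2011-08-28T10:00:02 10.0.0.5 10.0.1.3 3389 TCP
2011-08-28T10:00:03 10.0.0.5 10.0.1.4 3389 TCP
2011-08-28T10:00:03 10.0.0.5 10.0.1.5 3389 TCP
2011-08-28T10:00:04 10.0.0.5 10.0.1.6 3389 TCP
2011-08-28T10:00:10 10.0.0.9 10.0.1.1 3389 TCP
2011-08-28T10:00:15 10.0.0.9 10.0.1.1 3389 TCP
2011-08-28T10:05:00 10.0.0.7 10.0.1.2 443 TCP
"""


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def find_rdp_scanners(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: distinct_target_count} for sources that reached at least
    `min_targets` distinct hosts on TCP/3389 within any `window`.
    A single host repeatedly hitting one RDP server (normal admin use) is
    not flagged; fan-out across many hosts is."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if port == 3389 and proto == "TCP":
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        # Sliding window over time-ordered events, counting distinct targets.
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```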
Firefox users have been targeted by a new scam that tries to load a user’s PC with fake antivirus software using a passably convincing version of the Windows Update page.
Fake antivirus scams are legion, and ones using bogus update pages of one sort or another are also an established trick. The oddity of the latest incarnation of the attack, discovered by Sophos, is that it triggers only when encountering Windows users of Firefox pushed to it through a page redirect.
Artwork: Chip Taylor
The first big giveaway? Windows Update can only be started as a background activity in Windows or through Internet Explorer.
The page itself is a copy of the Windows Update page offering an “urgent” 2.8MB download which will turn out to start a useless security scan plugging fake antivirus software. The technique is clever. Users who agree to the update without being entirely sure that it is genuine will be more easily convinced that a PC has been infected with the non-existent malware later detected by the bogus program.
“Users need to be more vigilant than ever before as bogus security alerts pop-up in their browsers,” said Graham Cluley of Sophos. “Fake anti-virus attacks are big business for cybercriminals and they are investing time and effort into making them as convincing as possible.”
“Malicious hackers are using smart social engineering tricks more and more often, and the risk is that users will be scared by a phoney warning into handing over money to fix problems that never existed in the first place,” he said.
Scareware came by its name honestly (or perhaps dishonestly). The particular strain of malware we are looking at here (distributed as UltraDefragger and SystemRecovery) attempts to ensnare unwary users by displaying sensational and frightening alerts.
As Symantec recently discovered, the bad guys have added a new twist to their fake disk defragmentation tools: falsely notifying users that a hard drive is about to fail. Like so many other rogue applications, this “recovery tool” is designed to trick users into purchasing a paid application which can fix the problems that were detected. In truth, of course, there were no problems and there is no fix.
This malware goes beyond mere sensational alerts, however. Symantec notes that it moves files from All Users and the current Windows user’s profile into a temporary location, making it appear as though problems with the hard drive are causing files to disappear. It also disables a user’s ability to change wallpaper images and sets registry keys to hide certain icons — giving the impression that programs are going missing as well (check out the video to see it in action).
If there’s one thing which incites panic in the average computer user, it’s the thought of losing important files. When a rogue application does as convincing a job as this one does, it’s really not surprising that the panic button gets pushed and purchases are made. So just how much would you have to shell out to undo the damage caused by this phantom hard drive crash? $79.50.
When asked about computer security and virus protection, most people are under the assumption that a Windows computer is expected to be in constant battle against malware and viruses of all kinds, while the Mac is generally safe, allowing users to do or download whatever they wish without any repercussions. Well, this assumption is not only being challenged at this point, but is actively being proven false thanks to the “Mac Defender.”
Mac Defender is a trojan horse that is actively targeting Mac users and has already successfully infected hundreds of systems. The way this virus works, like a lot of Windows viruses, is by showing users a pop-up message that warns them that their system is infected by a virus and that they must install anti-virus software to get rid of it.
In reality, this pop-up is telling users that they would make great targets, and that they should install the virus, or at least this is how most tech-savvy computer users would see it and know to avoid it. However, many computer users still fall for this old scam, and once installed, the virus either loads porn websites on the computer like the Mac Defender appears to, or might do something much more malicious like steal personal information such as passwords, user names, or credit card numbers.
So what do you do with your infected PC or Mac? For PC users, we would recommend installing a good anti-virus program and cleaning the system, or if possible (which might not be so with many viruses locking up certain computer features), trying to run a system restore to a point in time before the virus was downloaded. As for infected Macs, try to contact Apple and see if they’d be able to help you with removing the virus, or if you have been using the “Time Machine” feature to back up your files, restore your computer to the last known good point before the virus was installed. And for those Mac users that don’t know what “Time Machine” is, it is an automatic back-up of all your files that creates restore points as you use your computer in case you somehow mess up the system or download malware, but it does have to be manually activated for the first time before it starts backing up your data.
A security researcher discovered a new cross-site-scripting vulnerability on Facebook, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.
“Found another instance of that Facebook app XSS—and it’s a Facebook XSS issue. Do not click links involving a video of a bully,” Joey Tyson, a security engineer at Gemini Security Solutions, posted on Twitter. Tyson writes about social networking sites’ privacy and security issues on his blog, Social Hacking.
The app can post the link to the “video” on the user’s wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.
Many past Facebook scams displayed a page and told users to download a plug-in—really malware—to view the video, or just redirected users to a survey or another malicious site. Viewers rarely saw the video they’d clicked to see.
Facebook has informed Tyson that it is tracking the attack and will be pushing out an update “soon,” according to Tyson. Facebook has removed several of the apps already, which made it a little challenging for Tyson to find an active scam to analyze. He pasted the actual exploit code on text-sharing site Pastebin, which pointed to a video titled “Pal Pushes Bully.”