Archive for October, 2009

Trick or Tweet? Malware Abundant in Twitter URLs

October 30, 2009

Trick or Tweet? Malware Abundant in Twitter URLs: “


As many as one in every 500 web addresses posted on Twitter leads to sites hosting malware, according to researchers at Kaspersky Lab who have deployed a tool that examines URLs circulating in tweets.

The spread of malware is aided by the popular use of shortened URLs on Twitter, which generally hide the real website address from users before they click on a link, preventing them from self-filtering links that appear to be dodgy.

Kaspersky, an anti-virus and computer-security firm based in Moscow, created a tool called Krab Krawler, which extracts URLs from millions of tweets a day. The tool expands shortened URLs to examine words in the web address for those matching known malware sites. For unknown sites, Kaspersky visits the web page to determine if it’s hosting malicious code that could infect visitors.

About 26 percent of Twitter messages contain a URL, according to Costin Raiu, chief security expert at Kaspersky. About half of those appear to be generated by spammers or by people with malicious intent, he said. These URLs get spread quickly in re-tweets.

The Krawler, which was first deployed in August, has scanned about 30 million URLs to date. It extracts URLs from multiple threads in Twitter’s public timeline and currently examines about 500,000 unique URLs a day. It crawls the sites linked to from the URLs, and scans the content with Kaspersky’s high-end heuristic programs to detect malware.

Of the URLs examined, between 100 and 1,000 a day are found to be hosting malware, the company said.

The two most popular URLs that the Krawler found posted to Twitter so far passed through the system in September. Both directed users to online dating sites. One of the sites, getiton.com, is known to have hosted malware in the past, Raiu said.

‘The website is blocked by quite a few services out there,’ he said. ‘It’s not blocked by the Google API, which is why it’s still present on Twitter.’

The most popular piece of malware spread by Twitter messages is Trojan-Clicker.HTML.IFrame.ob, which accounts for about 31 percent of the malware found. (See chart above.)

In August, Twitter began using a filtering system developed by Google (Safe Browsing API) to detect malicious URLs on its own. The system checks URLs against a blacklist, and either blocks malicious links from being posted, or warns Firefox and Chrome users to think before they click. The filter works only on URLs that are shortened using Bit.ly, the default and most popular URL shortening service on Twitter — it’s backed by the same people behind the microblogging service — or J.mp, an alternative version of Bit.ly that produces even shorter URLs.

Malicious URLs that are shortened with any of the 200 or so other URL shortening services will not be caught with Twitter’s filter, Raiu says, which explains why the majority of malicious URLs currently passing through Twitter are shortened with other services.

The first Twitter malware was found as early as August 2008, long before the service had reached its current peak popularity. This spring, malware began to appear regularly in ‘trending topics’ lists on Twitter — lists of posts discussing the most popular subjects on Twitter.

‘A lot of people will just check the trending topics to see what’s hot and … just click on the link to see what it’s all about,’ Raiu said.

Once Kaspersky detects a malicious URL, it includes the information in its security tools to protect customers. It can take between two and 12 hours after someone has posted a URL to Twitter for Kaspersky to add the info to its detection tools.

The company plans to expand its Krawler to other social networking sites in the near future.

Graphic image courtesy Kaspersky Lab


(Via Wired: Threat Level.)
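The expansion-and-blocklist check the article describes, as an added example that is not Kaspersky’s Krab Krawler code or Twitter’s Safe Browsing filter: it pulls URLs out of tweet text, follows a shortener’s redirect chain one hop at a time (bounded, with loop detection and a scheme check, since a crawler that blindly follows redirects can be sent anywhere), and matches the landing host against a blocklist on label boundaries so that a listed name used as a prefix (malware-example.test.attacker.test) is not mistaken for the listed domain. The sample tweet, the redirect table, the sh.example/r.example hosts and the blocklist are all constructed for the demo; the `http_location` resolver that issues a real HEAD request is included for live use, but the stand-alone run uses the offline table.

```python
"""Extract URLs from tweets, expand shorteners hop by hop, check the landing domain.

Added example, not Kaspersky's Krab Krawler or Twitter's Safe Browsing filter.
The tweet, redirect table and blocklist below are constructed for the demo.
"""
import re
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Hypothetical blocklist of known-bad registrable domains (constructed).
BLOCKLIST = {"malware-example.test", "badsite.example"}

def extract_urls(tweet):
    """Return every http(s) URL found in the tweet text."""
    return URL_RE.findall(tweet)

def host_of(url):
    """Lower-cased hostname without trailing dot, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def is_blocked(host, blocklist=BLOCKLIST):
    """True if host or any parent domain is listed, matched on label boundaries:
    'dl.malware-example.test' hits 'malware-example.test'; 'malware-example.test.attacker.test' does not."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

class _NoRedirect(HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url, timeout=5):
    """Live resolver: one HEAD request, returns the Location header or None.
    One hop per request keeps the crawler in charge of how far it follows. Not used offline."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except HTTPError as err:  # with redirects disabled, a 3xx arrives as HTTPError
        return err.headers.get("Location")

def expand(url, resolve, max_hops=10):
    """Follow redirects via resolve(url) -> next URL or None.
    Returns (final_url, chain, status); status is 'ok', 'loop', 'bad-scheme' or
    'too-many-hops'. The hop bound and loop check stop an endless shortener chain."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain[-1], chain, "ok"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            return nxt, chain + [nxt], "bad-scheme"
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too-many-hops"

def scan_tweet(tweet, resolve, blocklist=BLOCKLIST):
    """Expand each URL in the tweet and report where it lands."""
    results = []
    for url in extract_urls(tweet):
        final, chain, status = expand(url, resolve)
        results.append({"url": url, "final": final, "hops": len(chain) - 1, "status": status,
                        "blocked": is_blocked(host_of(final), blocklist)})
    return results

# Constructed redirect table standing in for live HEAD requests.
REDIRECTS = {
    "http://sh.example/a1": "http://r.example/go?x=1",
    "http://r.example/go?x=1": "http://dl.malware-example.test/setup.exe",
    "http://sh.example/b2": "http://news.example/story",
    "http://sh.example/c3": "/c3b",                     # relative Location header
    "http://sh.example/c3b": "http://sh.example/c3",    # redirect loop
    "http://sh.example/d4": "http://malware-example.test.attacker.test/",
}

def fake_resolve(url):
    return REDIRECTS.get(url)

SAMPLE_TWEET = ("omg this is hot http://sh.example/a1 more http://sh.example/b2 "
                "http://sh.example/c3 http://sh.example/d4")

if __name__ == "__main__":
    for r in scan_tweet(SAMPLE_TWEET, fake_resolve):
        print(f"{r['url']} -> {r['final']}  hops={r['hops']} {r['status']} blocked={r['blocked']}")
```

To run it against live shorteners, pass `http_location` as the resolver instead of `fake_resolve`; the per-hop design is what lets the crawler refuse `javascript:` or `data:` targets and cap the chain length before anything is fetched.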


Data Losses/Breaches Keep Growing In UK, US and Around the World

October 29, 2009

Data Losses/Breaches Keep Growing In UK, US and Around the World: “

Security Lessons Going Unlearned


(Via IEEE Spectrum.)

Hacked Facebook applications reach out to exploit sites in Russia

October 27, 2009

Hacked Facebook applications reach out to exploit sites in Russia: “All the social networking sites have issues with calling out to exploit pages. Usually what happens is that someone’s website gets hacked, and because they link to it from their MySpace or Facebook page, their contacts and friends sometimes get drawn to the attack sites. This is quite common, and we’ll write about it soon, but today’s story is a little different, in that these seem to be actual Facebook applications that have been hacked. (Please note that the application developer(s) are innocent victims too, and did not intend for their games to be hacked.)

(Via AVG Blogs | Roger Thompson.)

Find and Register Domain Names for Local Businesses Using GeoDomain Map from Godaddy!

October 27, 2009

Don’t they think the criminals can do this too? Make the malware/phishing domains even more appealing?

Find and Register Domain Names for Local Businesses Using GeoDomain Map from Godaddy!: “


With everything going local, from search to shopping to selling to dating to... well, you get the point! It was time for the process of registering a domain to go local!

I have been a customer for a long, long time, Super Bowl ads being one of the reasons ;)

I am sure that with the newly launched GeoDomain Map a lot of you are about to become customers, unless you check the availability on GeoDomain Map and buy the domains with your existing domain registrar.

So what’s the GeoDomain Map tool from Godaddy all about?

GeoDomain Map is a map based approach to registering local domains. All you have to do is either browse the map to drill down into the local area you are interested in, or simply enter an area code. It also lets you add keywords as filters, which help you find the domain you are looking for.


GeoDomainMap

As you can see above, the orange-brown balloons carry the domain names which are available for registration and the green balloons the domain names that are up for auction.

For example, I clicked on one of the balloons to find out that UnionCity.com is available for registration. This domain can be used to put up a local business directory for Union City.

The advanced search option lets you search using the area code and keyword for more refined results.

It also lets you select the domain extensions you want to see in the results.

This tool will certainly cut the frustration involved in registering a domain and help the local businesses find what they are looking for easily.


(Via Technology Nerd.)

So You’ve Fallen For the AntiVirus Scam

October 27, 2009

So You’ve Fallen For the AntiVirus Scam: “

This is pretty typical… you’ve received a really nice looking email stating that there’s a great deal on a new and more powerful anti-virus system for your PC. Who doesn’t want that, right?

This, unfortunately, is a great way to get malware on your machine. How about that… the idea that you’re trying to protect your PC leads you into a trap you cannot get out of without installing some kind of crap-ware that, at the least, completely goobers up your machine.

So you’ve clicked the link. What now?


Notice… it looks like my browser has disappeared! Oh No! Well, I’d better click cancel because I don’t know what’s going on here!


Well isn’t that strange? My browser is back but it looks like some sort of regular explorer window and it’s scanning my PC. Look at all the viruses I have on my PC… right?


Well, actually I am pretty sure I don’t have any viruses. So I am going to click cancel here.


I love it when they beg! I will click OK here.


Well, how about that! It returned me back to the ‘Anti-Virus’ scanner. I guess I have no choice but to install, right? WRONG!


From the Windows Task Bar (that blue thing on the bottom), right-click with your mouse or trackpad, or whatever, and select Task Manager. This will open up a new window.


Click on the ‘End Task’ button. This will prompt you to confirm.


Go ahead and choose ‘End Now’ to kill this bad-boy.

So… you may ask, what would happen if I go ahead and install the software the way they want me to? Well, all kinds of fun stuff would happen.


First, as you can see, I now have ‘lots of viruses’ on my machine, which they promise to clean… all for only $69. And I can’t clean them or update the software without purchasing a license key. Do I dare trust these folks with my credit-card??? I think not!


Oh, how about that? They’ve changed my hosts file so that all google sites point to some server in Poland somewhere. Hmmm… can you say ‘Bulletproof Host’?

I wonder what else they’re doing. Wanna bet there’s an infostealer and/or keystroke logger on the machine as well? Signs point to yes! As I analyze, I will fill you in.

The point here is:

1. Don’t click on everything you get in email
2. You can bail out of a hostile web session with Task Manager
3. Don’t believe everything your computer tells you
4. Don’t install software you don’t trust
5. Don’t buy something if you don’t want it
6. Not everything is as it seems
7. etc…

More next time…

(Via Scott… Sit down and shut up!.)
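A check for the hosts-file tampering Scott describes, as an added example that is not part of his post or of any tool he mentions: it parses the hosts file, ignores the standard localhost entries, and flags any mapping for a watched domain, distinguishing a redirect to another server (the rogue AV pointing Google at a remote host) from a loopback or 0.0.0.0 sinkhole that merely blocks the name, which is how the same technique is used to cut off AV updates. The sample hosts content and the watch list of domains are constructed for the demo; the standard Windows and Unix hosts paths are used when you run it with no arguments.

```python
"""Flag hosts-file entries that pin well-known domains to another server.

Added example, not from the post. The sample hosts content is constructed
and the watch list is a hypothetical starting point, not a vetted list.
"""
import ipaddress
import os
import sys

# Hypothetical watch list: domains a rogue AV has no business pinning.
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                    "kaspersky.com", "symantec.com")

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def hosts_path():
    """Default hosts file location for the running OS."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and junk are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; leave malformed lines to a human
        for name in fields[1:]:
            yield n, ip, name.lower().rstrip(".")

def watched(name):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text):
    """Return findings for watched domains that the hosts file overrides.

    'hijack':   the name resolves to some other host (the rogue AV case).
    'sinkhole': the name is pinned to loopback/unspecified, which blocks it
                (for example stops AV updates) rather than redirecting it.
    """
    findings = []
    for n, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or not watched(name):
            continue
        severity = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "hijack"
        findings.append({"line": n, "ip": str(ip), "name": name, "severity": severity})
    return findings

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    google.com www.google.com
203.0.113.45    safebrowsing.clients.google.com
0.0.0.0         update.kaspersky.com
127.0.0.1       ads.example   # an ad-blocker entry, not on the watch list
"""

if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    try:
        with open(source, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as err:
        print(f"cannot read {source} ({err}); checking the constructed sample instead")
        source, text = "SAMPLE_HOSTS", SAMPLE_HOSTS
    findings = suspicious_entries(text)
    print(f"{source}: {len(findings)} suspicious entr{'y' if len(findings) == 1 else 'ies'}")
    for f in findings:
        print(f"  line {f['line']}: {f['name']} -> {f['ip']} [{f['severity']}]")
```

A hijack finding is worth more than a quick edit of the file: as the post notes, the same installer that rewrote the hosts file is likely to have dropped other components, so treat the entry as an indicator and image the machine rather than just deleting the line.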

GeoCities Closure sees Surge in Phishing

October 27, 2009

GeoCities Closure sees Surge in Phishing: “Free hosting services have always been attractive to fraudsters, and the speculation over the profitability of GeoCities may not have been the only reason for today’s closure — nearly all of the phishing attacks hosted on geocities.com this month were actually targeted against its owner, Yahoo!.

Related Netcraft Service: Phishing, Identity Theft and Bank Fraud Detection

(Via Netcraft.)

hpHosts Blog: Crimeware friendly ISP’s: Bigness (AS49093)

October 26, 2009

hpHosts Blog: Crimeware friendly ISP’s: Bigness (AS49093): “


TUESDAY, 20 OCTOBER 2009

Crimeware friendly ISP’s: Bigness (AS49093)
I was trying to decide who to name and shame next, and it was a toss up between Bigness (AS49093), Ecatel and Krypt Technologies. I thought this time, we’d go with Bigness and leave Ecatel and Krypt Technologies for next time.

Bigness came across the radar a few months ago, due to its hosting a slew of malicious domains, and ONLY hosting malicious domains (I’ve not seen a single legit site hosted there in all of the time I’ve been monitoring it).

So what have we got over there you ask? Well, we’ve had rogues, phishing scams, fake meds, spam, and exploits, and there’s evidence over at MDL, of their also housing the likes of the Liberty Exploit, amongst other things.

http://hosts-file.net/?s=195.88.19&view=history
http://hosts-file.net/?s=195.88.19&view=matches
http://www.malw”

(Via .)

hpHosts Blog: Crimeware friendly ISP’s: Netelligent

October 26, 2009

hpHosts Blog: Crimeware friendly ISP’s: Netelligent: “


WEDNESDAY, 14 OCTOBER 2009

Crimeware friendly ISP’s: Netelligent
Netelligent have been around the block a few times, and are no strangers when it comes to malicious activity within their networks. Their network has been found to be involved in everything from exploits to rogues, blackhat SEO, and everything else besides.

Alas, someone from Netelligent recently dropped by the Malwarebytes forums, professing their innocence (their last post was September 21st). Now to be fair, it’s possible they’re waiting for me to post the URLs to the thread as I mentioned, but given the nature of the URLs, the amount of them, and most importantly, the fact the Malwarebytes support forums are for Malwarebytes, and not to be used as an ISP’s drop desk, I felt it best to e-mail the list to them instead, and just like NetDirekt, I have had no response from them.

H”

(Via .)

Guardian loses half a million CVs

October 26, 2009

Guardian loses half a million CVs: “

Police probe massive hack

The Guardian newspaper’s jobs website has warned 500,000 users that hackers may have got hold of private information held on the site after a ‘sophisticated and deliberate’ attack.…

(Via The Register – Security.)

Cain & Abel 4.9.35 now available

October 26, 2009

Cain & Abel 4.9.35 now available: “

Cain & Abel 4.9.35 now available
Posted on 26 October 2009.
Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary and brute force attacks, decoding scra”

(Via .)