Ravens PHP Scripts: Security: Websense



Security Alert: Microsoft Security Essentials SEO Poisoning

Posted on Wednesday, September 30, 2009 @ 10:10:22 CDT in Security: Websense
by Raven

Websense Security Labs(TM) ThreatSeeker(TM) Network has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV.

Threat Type: Malicious Web Site / Malicious Code

Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links appears directly under an MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association.

When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.

An example of one of the payload files shows that AV detection is low.


Security Alert: Ann Minch's YouTube Video SEO Poisoning

Posted on Thursday, September 24, 2009 @ 17:50:34 CDT in Security: Websense
by Raven

Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered rogue antivirus sites returned by Google searches on Ann Minch. Ann Minch launched a one-woman "Debtors Revolt" against her bank for an unjustified APR increase on her credit card. She posted a video on YouTube two weeks ago sharing her thoughts. Her video made a huge splash and was viewed over a quarter of a million times.

When searching for Ann Minch and related terms in Google, rogue antivirus sites, ranked as high as top match, can be returned. These sites lead to fake antivirus pages which claim your computer requires an immediate antivirus scan and prompt you to download malicious files. These files have very low AV detection. (SHA-1: 314c7d8c16ff4a43e9f6994a39eee614d02e4924)


Today, Websense released its biannual "State of the Internet" report, a deep dive into the most significant threats on the Internet during the first half of 2009.

Today, most threats to information security involve the Web -- either using the Internet as the attack vector, or simply as the route through which stolen, confidential data is transmitted. Key findings from the Websense report include:

* Websense Security Labs identified a 233 percent growth in the number of malicious sites in the last six months and a 671 percent growth over the last year.

* In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that had been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball, which aimed to compromise trusted Web properties with massive injection campaigns.

You may find the full report and a video summary of the findings at: http://www.websense.com/threatreport
View the details of this alert at: Websense Alert 3475
 

 
Websense Security Labs(TM) ThreatSeeker Network has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country.

When Google is used to search for terms related to Labor Day sales, malicious URLs are returned, ranking as high as the first result. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are affected in a similar way.

Websense® Messaging and Websense Web Security customers are protected against this attack.

Torrentreactor Website Compromised

Posted on Wednesday, July 01, 2009 @ 15:23:37 CDT in Security: Websense
by Raven

 

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Adobe Acrobat Reader and Adobe Shockwave.

If the user's browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The malicious file has an extremely low AV detection rate. The file (MD5: 24bd24f8673e3985fc82edb00b24ba73) is a Trojan Downloader and connects to a Bot C&C server at IP 78.109.29.116. After connecting to the IP, the file downloads a Rootkit installer from the same IP.

Michael Jackson Death Prompts Malicious Spam

Posted on Friday, June 26, 2009 @ 09:33:44 CDT in Security: Websense
by Raven

From Websense Security Labs

Date: 06.26.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs(tm) ThreatSeeker(tm) Network has discovered spam emails offering recipients links to unpublished videos and pictures of singer Michael Jackson. According to news reports, Michael Jackson's death was confirmed yesterday.

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is located on a legitimate Web site hosted in Australia belonging to a radio broadcasting station. Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called michael.gif, which has low AV detection rates according to VirusTotal. The malware then installs a malicious BHO that is registered with the file %windir%\Dynamic.dll and the GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Translation of the email is as follows: