Security Blog

April 2009 Archives

April 30, 2009
Threat Lab Report: Malware and Phishing Web Sites

Based on data collected in Q1 2009, we found that pornographic and sexually explicit sites were the most likely to host malware. Streaming media and download sites come in at number 3, which is no surprise, since such sites have traditionally been near the top of the list. Unexpectedly, however, job search sites were among the top ten.

[Figure: top 10 site categories hosting malware, Q1 2009]

As for sites used for phishing, health and medicine related sites top the list, followed closely by webmail. Social networking sites such as Facebook and Twitter are also being exploited more and more frequently by cyber criminals as a medium for spreading malicious code.

[Figure: top 10 site categories used for phishing, Q1 2009]

Posted by: Netgear Threat Lab at 10:22 AM
Categories: Malware , Netgear Threat Lab , Phishing , Spyware , Viruses

April 29, 2009
Threat Lab Report: New Adobe Reader Security Holes Found

Today, two zero-day security holes in Adobe Reader were announced. Affected versions include those running on Windows, Mac and Unix-based platforms. Attackers exploit the Adobe Reader JavaScript annotation function 'getAnnots()' and the custom dictionary function (which also exists in the Adobe Acrobat JavaScript engine) to execute arbitrary code with the privileges of the user running the application.

Instructions on how to exploit these security holes on Linux platforms can already be found on the Internet, leading us to believe that we will start seeing malware exploiting them any time now.

Until Adobe releases a software update or patch to address the issue, we recommend disabling JavaScript in Adobe Reader to reduce the risk of compromise.
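One defensive check that complements disabling JavaScript, as an added example that is not part of the original post: a standard-library Python triage script that inflates a PDF's FlateDecode streams and flags documents carrying JavaScript actions that reference getAnnots (the customDictionaryOpen string is assumed here to be the custom dictionary API the post refers to). The sample PDF is constructed inline.

```python
import re
import zlib

# Markers tied to the Adobe Reader issue described above: the document carries
# JavaScript (directly or via an action), and that JavaScript touches the APIs
# named in the post. customDictionaryOpen is assumed to be the custom dictionary API.
JS_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
API_MARKERS = (b"getAnnots", b"customDictionaryOpen")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Return the raw file plus every Flate-compressed stream inflated, so markers
    hidden inside compressed objects become visible to a plain substring search."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a truncated tail, which malformed PDFs often have
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (e.g. an image); nothing to inflate
    return b"\n".join(parts)


def scan_pdf(data: bytes) -> dict:
    """Classify a PDF: 'suspicious' if it has JavaScript that references a flagged API,
    'review' if it merely carries JavaScript, otherwise 'clean'."""
    text = inflate_streams(data)
    js = [m.decode() for m in JS_MARKERS if m in text]
    api = [m.decode() for m in API_MARKERS if m in text]
    verdict = "suspicious" if js and api else "review" if js else "clean"
    return {"js_markers": js, "api_markers": api, "verdict": verdict}


def build_sample_pdf(script: bytes) -> bytes:
    """Constructed test input: a minimal PDF whose OpenAction runs a FlateDecode-compressed script."""
    body = zlib.compress(script)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf(b"var a = this.getAnnots({nPage: 0});")))  # suspicious
    print(scan_pdf(build_sample_pdf(b"app.alert('hello');")))                  # review
    print(scan_pdf(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"))  # clean
```

A "review" verdict is common for legitimate forms, so the script is meant to prioritise quarantine rather than block on its own.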

Posted by: Netgear Threat Lab at 4:57 PM
Categories: General , Malware , Netgear Threat Lab , Viruses

April 27, 2009
Threat Lab Report: A New Kido Variant

April 1st has come and gone; however, the activities of the Kido (Conficker) worm have not stopped with it. Recently, a mutated variant of Kido with new functionality caught our attention. This new variant is detected as Trojan-Downloader.Win32.Kido, and its main difference from past variants is that it uses peer-to-peer (P2P) protocols for communication instead of the HTTP used by previous variants of this worm. This means the new variant uses P2P channels to download new malicious code and for botnet control.

Once a user's PC is infected by this new variant of Kido, it automatically downloads fake anti-malware software by the name of "spyware protect 2009" (detected as FraudTool.Win32.SpywareProtect2009). Once installed, this program attempts to scare the user by reporting that a "virus" has been detected on the PC and demanding $49.95 to remove the so-called "virus".

At the same time, an email worm by the name of Email-Worm.Win32.Iksmas is also downloaded. This worm steals user data and sends out spam from the infected host. One more interesting point about this new Kido variant is that its author configured a self-termination date of May 3rd (the functionality is date-limited until 3rd May 2009). Why? We are still trying to find out. Perhaps the next Kido update will provide us with more clues.

Posted by: Netgear Threat Lab at 12:09 PM
Categories: Malware , Netgear Threat Lab , Phishing , Spam , Viruses , Worms

April 16, 2009
Just Got an Email From the IRS

I just got an email from the IRS. As you all know, yesterday was tax day and I'm one of those people who wait until the last day to file my taxes. Initially, I was surprised and worried - Did the eFile not go through? Did I make a mistake on my return? It turns out the IRS wanted my social security number... Right.

So this is just a friendly reminder that we've seen (literally) an increase in IRS/tax related phishing spam lately. Always remember, the real IRS does not use email to tell you that you owe them money!

Posted by: Pete at 6:17 PM
Categories: General

April 3, 2009
Threat Lab Report: April 1st Worm Threat

On April 1st, many security companies spent the day nervously monitoring the Internet for signs of large-scale attacks. However, there was no such activity from the botnet, which consists mainly of PCs infected by the Kido (Conficker, Downadup) worm. Our own monitoring found this to be the case as well.

So was this simply an April Fool's joke? Our data indicates otherwise. We did detect some communication between the Kido worm and its master. The worm asked for further instructions but did not get a reply. Once again, the worm's creator chose silence over action. This is understandable: based on the data on hand, we guess that Kido's creator gave up on any original plans for major action on April 1st because of the number of security companies monitoring the Internet closely that day. Of course, they still have many more opportunities in the future. Perhaps the moment we think the storm has passed and let our guard down will be the time they strike.

The Kido worm was first discovered in November 2008. It mainly exploits the Microsoft Windows vulnerability MS08-067. To date, over 15 million Windows PCs have been infected by the worm.

Truth be told, protecting against the Kido worm is not a difficult task. The two steps below go a long way toward ensuring that you are protected against this threat:
1. Apply security patches.
2. Configure Windows Update to update automatically.

Posted by: Netgear Threat Lab at 11:13 AM
Categories: Malware , Netgear Threat Lab

April 2, 2009
April 1st - Kido Worm Brings Down Entire Internet

No. That didn't quite happen yesterday (thankfully). Based on many reports from media outlets, it sounded like the whole world was coming to an end (remember Y2K?). It was no April Fool's joke either. Truth is, all the Kido worm did was download an additional payload hosted by random, hard-to-trace servers. No mass-scale DDoS attacks or anything of that nature. But how long will it be before the malware authors flip the switch and wake up the millions of zombies in this enormous botnet? If we can't find a way to control and neutralize this worm, the joke will be on us.

Posted by: Pete at 8:48 AM
Categories: Malware
