The scary “item of note” here is that users were getting fake anti-virus browser pop-ups while not actively using the computer (emphasis mine).  During Roel’s research, he discovered that these pop-ups would appear right when ICQ was fetching/displaying new online ads.

On first blush, this type of behavior would indicate that the ad servers for certain online stores were hacked and outputting these infected pop-ups, but when Roel dug deeper he discovered that the servers “serving” these ads had no formal relationship to the products being advertised.  In Mr Schouwenberg’s words..

This means that somebody went through the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, as these distributors frequently get approached by fraudsters.

However, what makes this case particularly interesting is that the bad guys make it seem like their server got hacked. By making it look like their server got compromised, the criminals can claim it isn’t them who’s responsible for distributing the malware. But rather someone else who hacked their server to spread malware. The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.

It looks like virus writers have stepped up their game in trying to compromise your computers, your data and your identity.  To read more about this new threat, please read Roel’s blog post here.

A new trojan horse has cropped up that affects Mac OS X (and Windows as well), primarily disguised as a video flitting around social networking sites. When users click an infected link, a Java applet is launched that downloads multiple files, including an installer that runs automatically without users’ knowledge.

Read the full article

Microsoft has provided a nice write-up on how an unprotected end-user could get blind-sided by a malware infection by visiting a “compromised” web site.  The vehicle for the infection is called a “Drive-By Download Page” and the illustration below shows how an infection can end up on an unprotected system:

If you have any questions related to this post or if we can be of assistance to you or your small business, please drop us a line – we’re here to help.

This imposter is known in the technical world as “Win32/FakePAV.”  FakePAV is a rogue program that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner.

The rogue program persistently terminates numerous processes, such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications that would normally be used by computer technicians to eliminate and remove the threat.

If you feel your system or network may have fallen prey to this type of infection, please get in touch with us immediately so we can insure that the malware doesn’t result in lost productivity and additional costs.  As always, please keep in mind that anything mimicking Microsoft Security Essentials that is asking for payment is not to be trusted.

Last week, we came across quite a few systems that not only did not have this update in place, but were also lacking updates with other Adobe products, most notably Adobe Reader.

Customers without these updates are susceptible to the following zero-day exploit:

This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.”

Even though the Flash Player exploit has already been addressed, separate patches for Reader and Acrobat will be issued this week to tackle the above vulnerability.

We at PCS would like to remind you to keep these Adobe products updated in order to avoid down-time and the added expense incurred after recovering from a compromised computer system.

Starting in October, small businesses will be able to license Microsoft Security Essentials for up to ten PC’s, at no cost.

Compared to other anti-virus solutions out there, that may not seem like a huge savings, but subscription costs do add up over time and MSE is just as good, if not better, than the standard commercial-fare.

For more information, review this posting from Microsoft’s SMB Community blog.

With the proliferation of the iPod, iPhone and now the iPad, the “curse of popularity” now afflicts Apple’s iOS.  Gizmodo is reporting on a new exploit that allows a hacker to gain total control of your Apple device by loading a compromised PDF file:

Right now, if you visit a web page and load a simple PDF file, you may give total control of your iPhone, iPod touch, or iPad to a hacker. The security bug affects all devices running iOS 3.1.2 and higher.

This security threat is particularly scary because all that is needed to infect an iOS device is a link to the PDF.  No user interaction is required other than following a link or being redirected to a “malicious” PDF file.

Safeguard yourself by keeping on top of this issue and making sure that you keep your iOS devices updated with the latest security patches.  It is unclear when Apple is going to be addressing this particular issue, but it is my hope that they don’t hold another press conference (ala’ the iPhone 4 antenna debacle) and decide to spend most of the time blaming Adobe for the problem ;)

The report states that..

Fake antivirus–false pop-up warnings designed to scare money out of computer users–represents 15 percent of all malware that Google detects on Web site..

As Elinor’s article points out, scammers are turning more and more to social engineering and trickery to infect users with Fake Anti-Virus malware and trojans in order to gain access to user information and sensitive data.

Earlier today, I had a conversation with a long-time customer of PCS’s regarding a small rash of infections she was having to deal with on her network. This customer has invested in the proper hardware and software solutions to insure that her network is secure, but malware continues to get through because the habits of her end-users are contributing to the infections.

When Fake Anti-Virus presents itself through a web site, it takes on the familiar role of an anti-virus program warning the end-user of an infection that needs to be cleaned.  The end-user (who is used to this type of behavior from AV programs) accepts the offer to “disinfect” and in turn, becomes infected by essentially doing what the end-user thinks is the “right thing” to do.

Unfortunately, the only sure defense is to make your users aware of this type of attack.  If they get a warning that their system has become infected, make sure they know the procedure to follow to avoid infection.  If you’re an small business or a personal computer user and something about a warning message you’re getting just doesn’t look right, contact us – we’re ready to help.

Masquerading as a game installation screen, [Kenzero] requests the PC owner’s personal details.

It then takes screengrabs of the user’s web history and publishes it online in their name, before sending an e-mail or pop-up screen demanding a credit card payment of 1500 yen (£10) to “settle your violation of copyright law” and remove the webpage.

PCS hasn’t yet run across this new infection, but users should be wary of its existence.  Please read the full article for more details.

According to the report, PDF files could be used to spread malware to clean PDF files stored on a target computer running Adobe Acrobat Reader or Foxit Reader software.

Jeremy Conway, product manager at NitroSecurity, created a proof of concept for an attack in which malicious code is injected into a file on a computer as part of an incremental update, but which could be used to inject malicious code into any or all PDF files on a computer.

The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

The good news is that both Adobe and Foxit have provided solutions / fixes to remedy the exploit.  Please take a moment to update your PDF reader software to insure that you and your business are not exposed to this potential threat.

Adobe Reader: http://get.adobe.com/reader/

Foxit Reader: http://www.foxitsoftware.com/downloads/index.php