Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

Exploit.AdodbStream.J
Trojan.Qhost.WU
Win32.Worm.VB.NPM
Trojan.IFrame.AS
Trojan.Fotomoto.H
Win32.Worm.Autoit.P
Trojan.HTML.Zlob.D
Win32.Sality.M
Trojan.JS.CookieMonster.A
Adware.Mywebsearch.DW
Source: bitdefender.com

Holiday Spam

According to security firm F-Secure, fake Christmas cards are serving as cover
for new greeting card spam, which has been hitting inboxes in large numbers.
F-Secure has found a lot of Christmas card malware in circulation around the
globe. The links embedded in the e-mail messages are masked and point to a fake
Yahoo greeting card Web site, presented as running in conjunction with American
Greetings. The user is asked to click the URLs in the message, which lead to the
fake Web site, where they are requested to download the latest Adobe Flash
Player. The download is in fact malicious software named macromedia-flashplayerupdate.exe.
F-Secure has detected this file as an agent variant, which collects various
types of information from an infected machine and sends it back to the malware
author via a Web site.

The fake Christmas greeting cards are joined by Happy New Year.exe, which is
another piece of spam hitting mailboxes this season. An attachment called Happynewyear.exe,
when run, drops a Christmas tree onto the user's desktop and Systray. The
malware (detected as Trojan-PSW:W32/Delf.BBE) steals passwords and other assorted
information and sends them to lbss.3322.org.

Google ads attacked by a Trojan

According to BitDefender, malware is replacing Google text ads with ads from
another source. The virus, called Trojan.Qhost.WU, uses the hosts file to
redirect the initial query sent to the Google AdSense servers to a malicious
host. The hosts file is the first step in the name-to-IP (Internet protocol)
address translation process: if an entry for a name is found in this file,
the domain name server is not queried.

End users who click on the seemingly legitimate ads are at risk, as the ads are
likely to carry additional malware. Google and the companies that pay for genuine
ads are also victimized, since the pretenders seize traffic and potential revenue.

This particular Trojan is just another variation of classic phishing malware,
according to Dmitri Alperovitch. Several attacks using this malware have been
seen over the last couple of years, in which the virus changes the internal
setting to point the user to a different server.

At their core, these attacks intercept name resolution between the browser and
the DNS server through a simple modification to a Windows system file, so that
no query is made to the real DNS server. A more dangerous variant of this malware
is the Zlob virus, which infects users by posing as a video compression algorithm
necessary to view a particular video. The malware that is subsequently downloaded
replaces not just the resolution for one domain name but the entire DNS server
configuration, pointing it at servers under the control of a malicious group.
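
A defensive check for the hosts-file redirection described above, as an added example that is not from the original article or from BitDefender: it parses a hosts file and reports watched domains pinned to a non-local address. The watch list and the sample file are constructed assumptions; entries that sinkhole a name to a loopback or unspecified address are treated as benign.

```python
import ipaddress
import os

# Assumption: watch list chosen for this example; the article names no hostnames.
WATCHED_SUFFIXES = ("googlesyndication.com", "google.com")

# Constructed sample hosts file; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # sinkhole entry, benign
203.0.113.45    pagead2.googlesyndication.com
203.0.113.45    www.google.com Google.com.
192.0.2.10      intranet.example.local
"""

def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: skip the line
        for name in fields[1:]:               # one address may carry several aliases
            yield lineno, ip, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return watched names that the hosts file pins to a non-local address."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        hit = any(name == s or name.endswith("." + s) for s in watched)
        if hit and not (ip.is_loopback or ip.is_unspecified):
            findings.append((lineno, str(ip), name))
    return findings

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS                   # fall back to the constructed sample
    for lineno, ip, name in suspicious_entries(text):
        print(f"hosts line {lineno}: {name} is pinned to {ip}")
```

This covers only the hosts-file override; the DNS server configuration change attributed to Zlob has to be checked in the network adapter settings instead.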