Opera User Agent “Bork-Edition”
Have you seen Bork-edition user agent strings and wondered what browser uses this string? Maybe you have noticed that nearly all traffic to your site with Bork-edition in the user agent string is spam and hacking attempts. User agents containing Bork-edition are considered by at least one writer to be among the top 10 spam bots that must be blocked.
There are several user agents which at first glance look harmless, e.g. the user agent string: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
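To see how such strings are picked out of ordinary web server logs, here is an added example (not from the original post): it parses constructed combined-format log lines, flags requests whose user agent carries the Bork-edition token, and counts hits per client IP so the noisy sources can be blocked or rate-limited. The log lines, IPs and paths are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
198.51.100.23 - - [10/Oct/2011:13:55:40 +0200] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
203.0.113.7 - - [10/Oct/2011:13:55:41 +0200] "POST /wp-login.php HTTP/1.1" 403 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
203.0.113.99 - - [10/Oct/2011:13:56:02 +0200] "GET /contact HTTP/1.1" 200 1024 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.9.168 Version/11.52"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The post writes the token both as "Bork-edition" and "Bork edition",
# so accept either spelling, case-insensitively.
BORK_RE = re.compile(r"\bbork[- ]?edition\b", re.IGNORECASE)

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_bork_ua(ua):
    return bool(BORK_RE.search(ua))

def flag_bork_requests(log_text):
    """Return (flagged_entries, hits_per_ip) for requests with a Bork-edition UA."""
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than abort the whole scan
        if is_bork_ua(entry["ua"]):
            flagged.append(entry)
            per_ip[entry["ip"]] += 1
    return flagged, per_ip

if __name__ == "__main__":
    flagged, per_ip = flag_bork_requests(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ip"]} {e["req"]} -> {e["status"]}')
    print("hits per IP:", dict(per_ip))
```

The per-IP counter is what you would feed a firewall or rate-limiter rule; a single IP sending only Bork-edition requests, including login POSTs, is the pattern the post describes.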
Microsoft Security Essentials Under Microscope
A look at Microsoft Security Essentials, the free anti-virus application from Microsoft. Is Microsoft Security Essentials any good? Will it protect a Windows PC from most common threats? Can MSE compete with commercial security applications?
Over the next few months we will see.
Annoyed with Commercial AV Software
I have become increasingly annoyed with commercial anti-virus applications. They have become overpriced, use too many system resources, interfere with other applications, or slow down internet access. Worse still, none of the apps are able to detect every virus or malware. An example is Trojan Generic 24, which seems to be detected only by AVG (and AVG doesn’t stop or remove it). Trend Micro Titanium and Norton AV don’t find all versions of this dangerous trojan.
Home Grown Malware?
It looks like the Trojan tvwjfm.exe (known under several other names too; see the list of known names and further information) could have originated from South Africa. At least the first reported infections came from this locale.
This is a change from the norm, where the largest percentage of new malware hails from the Asian sub-continent, although a tie-in to that region cannot be excluded.
This Trojan has not had a big impact; outbreaks so far seem to be limited, possibly deliberately targeting specific users. However, the few reported instances should not be taken to imply this Trojan is not dangerous – it is.
The file is unusually large for a Trojan, containing a package of other files. If run, it behaves like an application installer. Even if the install is cancelled, the Trojan installs other malware unknown to the PC user.
I have decided to unofficially name this Trojan (as yet it has no official name) the Soccer Trojan. It presents itself with an icon of a soccer ball superimposed over a PC display, similar to the image shown in the original post, which is clearly an attempt to encourage followers of this ball game to run the file.
Hopefully the Soccer Trojan will remain obscure, and not spread. Our vigilance is required at this early stage to interdict the malware before it gets the opportunity to ‘go viral’ and escape into the wild.
Cyber-Criminals Arrested, US Offices Closed
A cyber criminal network operated by Estonian company Rove Digital was taken down on November 8 2011 in a combined effort involving the FBI (Federal Bureau of Investigation of the USA) and the Estonian Police in co-operation with Trend Micro.
Rove Digital operated a botnet consisting of over four million (4 000 000) bots on computers infected with a class of malware known as ‘DNSChangers’. The infected systems typically have their DNS (Domain Name System) server settings changed to point to foreign IP addresses.
Rove Digital appeared on the surface to be a legitimate business, with established offices in Tartu, Estonia. It was the parent company of several other operations, including Esthost, Estdomains, Cernel, UkrTelegroup and many less well-known shell companies.
Rove Digital used a variety of criminal methods to earn money from the DNS changers. The cyber crime network had operated since 2006.
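The practical check that follows from the DNSChanger description is to compare a machine’s configured resolvers against the ranges the administrator actually expects. Here is an added example (not part of the original post) that does that over a constructed resolv.conf-style file; the expected networks are placeholders, not the resolver ranges published during the takedown, and on Windows the same comparison applies to each adapter’s DNS server settings.

```python
import ipaddress
import re

# Constructed /etc/resolv.conf-style content (not taken from a real system).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example.internal
nameserver 192.168.1.1
nameserver 198.51.100.53
options timeout:2
"""

# Networks the administrator expects resolvers to live in (LAN and ISP block).
# Placeholder ranges for the example; substitute your own.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

def parse_nameservers(resolv_conf_text):
    """Extract nameserver IPs, ignoring comments, other directives and bad entries."""
    servers = []
    for line in resolv_conf_text.splitlines():
        m = re.match(r"^\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # not a valid IPv4/IPv6 literal; skip it
    return servers

def unexpected_resolvers(servers, expected_nets=EXPECTED_RESOLVER_NETS):
    """Return resolvers that fall outside every expected network.

    A DNSChanger-style infection shows up as a resolver nobody configured,
    typically a public address outside the LAN/ISP ranges. IPv4/IPv6
    mismatches compare as 'not contained', so mixed lists are safe."""
    return [ip for ip in servers
            if not any(ip in net for net in expected_nets)]

def check_resolv_conf(text, expected_nets=EXPECTED_RESOLVER_NETS):
    """Convenience wrapper: parse the file text and report offenders as strings."""
    return [str(ip) for ip in unexpected_resolvers(parse_nameservers(text), expected_nets)]

if __name__ == "__main__":
    bad = check_resolv_conf(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", bad or "none")
```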
Operation Ghost Click
Trojan Generic24 Information
This is a new virus in the wild. Trojan Horse Generic24.cgol is new; so new that it has not yet been given a common name. Generic24.cgol has already been seen in several versions. The Trend Micro Threat Library and the AVG library as yet have no information on this version.
Generic 24 is extremely dangerous.
At the time of writing this article (20 Sept 2011), and the one for Graphicline, no known anti-virus application is able to detect the initial infection by Generic24.cgol.
It is only discovered by heuristic scanning algorithms, after it has infected the user’s PC. AVG was not able to fully remove the virus either; some components needed to be removed manually.
An article on PC1News identifies the virus as an internet re-direct virus, spreading fake AV software with a single click. However, I consider this information unreliable, contending there is more to the virus than just this. It definitely downloads other malware, including MsSQL database blockers and password blockers. I have not seen any other references to this version spreading FakeAV.
The virus, generic24.cgol, infected my Firefox browser and installed itself in the program folder, as well as in the Documents/Application settings folders and the Windows registry.
Sources for this Trojan
The generic24 trojan may infect your PC via an e-mail containing a link to a website from which the trojan is downloaded, or simply by clicking on a link to such a website.
It is possible generic24 may be sent deliberately by malicious persons via e-mail, and may contain an e-mail worm. There is too little definitive information available at present to do anything but advise extreme caution.
For removal information please refer to graphicline.co.za (removing-trojan-generic24cgol).
IMPORTANT – CHANGE ALL ONLINE PASSWORDS
Generic 24 Trojans are typically hacking related.
The trojan, or at least this version, poses an active security risk. It may download other malware automatically, including malware files masquerading as Dc#.exe (# = various numbers) as well as a Linux/Unix database blocking virus.
Generic24.cgol may include a keystroke logger, and it definitely tries to actively prevent password changes.
One significant result of the infection was my website graphicline.co.za becoming corrupted. As a normal procedure after any keystroke logger or spyware problem, I change any recently used passwords. When I changed the passwords for my website login, I was still unaware that the anti-virus scans had not fully removed the infection, and after logging out of the site I was unable to log back in again. (More on this.) Eventually, after several failed log-in attempts, the entire CMS website crashed.
NOTE: graphicline.co.za has been completely restored (database, CMS, and all active files) from a known clean backup stored remotely, lost content has been replaced manually, and the site is safe to visit.
My computer got bugged
There, I admit it: a malware trojan managed to get into my system.
I have firewalls and an anti-virus app installed and running, yet a trojan first identified around 2006 got through everything and went viral, replicating itself nearly 100 times before the anti-virus scanner decided to do what I paid good cash for and found the wretched thing.
The bug was identified as a variant of ‘tenga.gen’.
Tenga.gen opens firewalls and downloads other spyware from the net, which will compromise personal banking and similar information. AVG does detect it, but only after it has downloaded and attempts to run. The current version is masquerading as Microsoft’s dotnetfx.exe, and carries a digital signature which identifies it as a Microsoft application. It is not. This virus is a serious risk and will inject code into other executable files if allowed to remain on a Windows installation. The most vulnerable are users of Internet Explorer (so what’s new).
It also spreads via LAN!
Fortunately no real damage was done. I got lucky. It only replicated itself around 100 times and infected 36 executable files. These were all within a shared folder, only used to keep copies of downloaded app installers, some of which dated back to 2007!
I am also fairly certain it got in on the 28th, maybe the 27th, of this month, and ran after boot-up on the morning of the 29th.
The real damage was TIME: 6 hours to run a complete scan during normal productive time, several more hours looking for damaged files and deleting them, then running another scan – 8.5 hrs using HouseCall, the online app from Trend Micro – and lo, another couple of infected files the AVG scan ‘missed’.
I know I’ve had a go at AVG Internet Security before, after a colleague’s system was repeatedly infected over a 6 month period and required a complete re-format and re-installation no less than 3 times in this time frame. This is also the second time a bug has got into my system during the 9 months I have been using the 2011 version of this app. The last time it was detected before it had done any damage, but only by running a manual full system scan; like this time, the internet security part of the thing failed miserably.
I can accept a new and unknown bug getting through heuristic scan algorithms, but a 6 YEAR OLD ONE? I am not impressed!
And evidently this is not the only AV app that does not stop this one getting into the system. Reading reports, it appears several other major-brand AV scanners also fail to detect it.
I am going back to Trend Micro products. I used PC-cillin for 4 years without a single instance of a bug getting in. I only switched because it is not the easiest app to get in South Africa. Yes, there is a local agent, but no means to purchase online. This is the 21st century; if the locals can’t provide it online, I will send my money to a company in another country that does.