The title of this blog reminds me of the old zombie horror movies back from the 80-ies, but what im going to write here is more like a comedy. Some of you guys have probably read my blog post about the time when i tricked them into accessing websites under my control, which led to me collecting alot of information about the callers.

After that blog post i didn’t receive any calls... until today. I was sitting in my home office, drinking my daily smoothie and writing on my paper for the Virus Bulletin magazine, and suddenly i hear the phone ringing. I don’t care about that anymore, because i hear that my wife answers the phone, but after a few minutes she enters my room and tells me that "they" are calling again.

As always, i booted up my VMware image with a totally FRESH installation of Windows XP and start talking to the scammers. For you who are not familiar with the scam, please read my other blog post which can be found below because i won’t cover it in this post. http://www.securelist.com/en/blog/208193750/Trying_to_unmask_the_fake_Microsoft_support_scammers

This time the scammers where using some different methods trying to convince me that my compute where infected with some malware. They even gave me the name "Frozen Trojan", and went to Google and tried to look it up for me. But they only ended up on results talking about the bird flue and other biological viruses which i thought was quite entertaining.

I got the impression that lately the amount of phishing attacks via social media was not as great as we have seen in the past. But just as I logged in to Twitter today I noticed that I had received two direct messages, and they both had a very similar message.

Two days ago I received the first message, and when I tried to verify if it was a link spreading malware, or a phishing site, the URL was already inactive. Now when I received another one I wanted to look at it quickly, and at the time of writing the phishing site is still active.

Virus Bulletin 2012 is now over, the final chapter from this year’s conference needs to be written. Almost all of the participants have packed their bags and gone home. This event was three action packed days containing everything from discussions about cyber war, interesting meetings with fellow researchers and presentations about Indian Phone Scammers. I am now sitting here and writing the last blog post about the Virus Bulletin 2012 conference in Dallas.

This is my second Virus Bulletin, and just like last time it gave me not just the opportunity to network with fellow researchers, but this time I also presented my own research. Vicente Diaz wrote about the second day at VB, and he included some pictures from my presentation on Malware against Linux and the Attackers Automated Tools - check out the pictures here. During my presentation I also had a 30 minute live demo where four people from the audience helped me identify vulnerabilities and exploit them using the same techniques as the bad guys used. The demonstration also contained automated scripts for backdooring and bypassing security mechanisms within the Linux operating system.

Yabbadabba doo!!

The Nordic Security Conference on Iceland is now over, and i must say that it was an amazing conference with several top notch presentations from both local and international researchers. The line up for a conference that was running for the first time was very impressive, and i am pretty sure that history in the Nordic IT-security industry was written this weekend.

I was asked by the organizers to do the keynote and open the conference with the presentation A Diary From A Security Geek which i felt very honored to do. The presentation was the same which i gave in South Africa at the IDC Security Roadshow just some days ago. What i understood from the conversations during the breaks and also after the conference it seems that the keynote was very well received and the majority of the other speakers also made some nice references to it in their talks.

The Nordic Security Conference was located on Iceland, in Reykjavik. Even that the excursion was cancelled due to the bad weather (storm) i must say that Iceland is a very beautiful country. Even before you land and are sitting in the plane looking over Iceland you can see the amazing nature that country have. You can see everything from glaciers, volcanos, hot geysers.

Greetings from the IDC Security Roadshow in Johannesburg, South Africa! I am sitting here in the hotel lobby looking out at the Nelson Mandela Square listening to the explosive track from DJ Fresh - The Feeling (Ft. RaVaughn) (Metrik Remix), reflecting on the last couple of days and the discussions I’ve had with various people.

I have been giving a few interviews and I was also presenting at the IDC security conference; my presentation is called “The Diary of a Security Geek” and it includes material from a one year long research project I have had. It basically contains observations made during these conferences and some really interesting facts on how security managers see IT security, how they prioritize and some interesting false perceptions on IT security and risks. I know that some of you might be interested in this research, so don’t worry - I will publish my research at a later date and I will also be giving the same presentation on quite a few conferences around the world this year.

Yesterday it was a dark day for many companies in Europe, but especially in the Netherlands. A piece of malware known as Worm.Win32.Dorifel infected over 3000 machines globally, and 90% of infected users were both from public and business sector organizations based in the Netherlands. We have seen government departments and hospitals being victims. The other countries with a large amount of infections were detected in Denmark, the Philippines, Germany, the United States and Spain. All users running Kaspersky Lab’s Products are protected from this threat.

The malware is initially distributed via email to victims. It uses a “Right To Left” vulnerability to hide its original file extension. The malware then downloads another malware which encrypts documents and executes them on the infected computer. Dorifel also attempts to encrypt files found on network shares.

When I was sitting down and investigating the Dorifel malware I noticed that the servers hosting the Dorifel malware was not configured properly and allowed for example directory listing in certain directories. This triggered me to search for more interesting directories, which I did and to my surprise I noticed that the server was hosting a lot more malicious “components” and not just the Dorifel malware. It is very difficult to say if this scam is complex and advanced since it uses many different components with different complexity level. Some of the interesting things I found includes:

I’m pretty sure that most of you guys know about the recent phone scam which is circulating right now. They have been calling a lot of people in countries such as Germany, Sweden, the UK and probably more. The scam is pretty simple; they pretend to be from a department within Microsoft which has received indications that your computer is infected with some malware. They will then offer (for free) to verify if this is the case. If the victim agrees on this, they will ask the victim to perform certain actions, and also type certain commands, which will trick a non-experienced user that the output is actually showing that the computer is infected.

I just want to mention that there is no such department at Microsoft, and they would never call up customers offering this. So if you ever get a call ‘from Microsoft’ stating that there are some indications that your computer is broken or infected - please hang up!

Well, they have called me several times, and finally Ii got fed up with this and started to play along. At the same time I had my virtual machines running and was recording everything that they were doing. The goal was to find out who they were and exactly what the scam was. Luckily I was able to get hold of information such as their internal IP addresses, the PayPal accounts used to wire money and the numbers they are calling from.

I am now back from the Kaspersky conference: Security For The Next Generation, the International Cup 2012 which took place in the Netherlands, more specifically in Den Haag and Delft. All the guests stayed at an amazingly nice hotel named the Steigenberger Kurhaus Hotel. The hotel was located just by the beach at Scheveningen in The Hague.

Kaspersky had invited the winners from the local student conferences taking place all over the world and had them compete for the final title. Not only students attended the conferences, we also had professors from universities around the globe and also some of the experts from the Kaspersky Global Research and Analysis Team.

More information about the student conference can be found here: http://www.kaspersky.com/about/events/educational-events/it_security_conference_2012_international

This day was probably one of the weirdest days in my entire life. It started out amazingly with a nice breakfast, a sweet espresso and great music flowing out from my speakers. I checked that I had everything fixed: passport was there, all the clothes was there, flight and hotel bookings, everything was there.

Suddenly I heard the taxi coming, so I took my bags, my stuff and I locked the house. The taxi then took me to the train station, where I had to take a bus for half the journey due to some maintenance. I didn't really care about this because I had some bombastic dubstep with me, so I just jumped on the bus en enjoyed the ride.

After about an hour, we stopped at some deserted train station where we all got off, and then took the original train to the airport. Before jumping on the train I just wanted to double check that I had everything with me, but there was something missing... MY WALLET! DAAAANG!

Sweden recently experienced a large banking scam where over 1.2 million Swedish kronor (about $177,800) were stolen by infecting the computers of multiple victims. The attackers used a Trojan which was sent to the victims and, once installed, allowed the attackers to gain access to the infected computers. Luckily these guys were caught and sentenced to time in jail, but it took a while to investigate since over 10 people were involved in this scam.

It's possible that these attacks are no longer as successful as the bad guys would like, because we are now seeing them use other methods to find and exploit new victims. For quite some time now we have seen how hijacked Facebook accounts have been used to lure the friends of whose account has been hijacked to do everything from click on malicious links to transfer money to the cybercriminals’ bank accounts.

Please note that this is not a new scam - it has been out there for quite some time. But what we are now seeing is the use of stolen/hijacked accounts, or fake accounts, becoming very common on Facebook. So common, in fact, that there are companies creating fake accounts and then selling access to them to other cybercriminals. As you might expect, the more friends these accounts have, the more expensive they are, because they can be used to reach more people.

The problem here is not just technical – it’s primarily a social problem. We use Facebook to expand our circle of friends. We can easily have several hundred friends on Facebook, while we in real life we may only have 50. This could be a problem because some of the security and privacy settings in Facebook only apply in your interactions with people who you are not friends with. Your friends, on the other hand, have full access to all the information about you.

At the time of writing there is a new Facebook phishing attack going on. It will not just try to steal your Facebook credentials; it will also try to steal credit card information and other important information such as security questions.

This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website. It will reuse the stolen information and login to the compromised account and change both profile picture and name. The profile picture will be changed to the Facebook logo and the name will be translated to “Facebook Security” but containing special ascii characters replacing letters such as “a” “k” “S” and “t”.

Once an account is compromised it will also send out a message to all contacts of the compromised account. The message looks like this: