Earlier today we intercepted a number of mailings with a new Warezov downloader. The good news is that it's already detected as Email-Worm.Win32.Warezov.pk, which we added to our database two days ago.

What's interesting about the mails is that along with the usual executable (which in this case is called "access.exe") the messages have a couple of PDFs attached.

The PDFs, which are otherwise harmless, contain alleged financial transactions. Here's an example:

If you get tricked by these and get to run the executable, it will contact kitinjderunhadsun.com and download another executable from there. This second exe is 91095 bytes in size, and we detect it as Email-Worm.Win32.Warezov.iq.

We detected the first version of Warezov almost one year ago and after all this time, the gang behind these worms is still roaming free. I'm really looking forward to the day they get caught.

Online banking and security still seem to have only the most tenuous relation to each other. Even though more and more German banks are moving towards implementing HBCI, an independent protocol for online banking, (entering a PIN number via an external card-reader, which may have its own display) the investment needed (between 70 and 170 euros) is frightening a lot of customers off.

It seems that some of the British banks have been thinking about this, and drawing their own conclusions. A recently published article covers a major British bank's refusal to implement two factor authentication: apparently the increased popularity of online banking shows that 'customers already feel safe on the Internet', without the need for extra hardware. But if the bank has the feeling that customers are blissfully happy, perhaps they should dig a little deeper.

Banks which don't implement appropriate security may find themselves dealing with satisifed customers like the German woman who recently came to us for help. Her antivirus solution (not ours, I should hasten to add!) malfunctioned. The consequence - a Trojan got away with a smooth 5000 euros from her account. The local prosecution service suspended the investigation, because the attack could only be traced back to a computer located at a university. The bank, meanwhile, has spent more than a month trying to push the blame back onto the customer. The happy customer, who thought that the combination of antivirus software and PIN/ TAN would keep her assets safe...

ComputerWeekly.com provided us here at KL with a giggle today.

Boy, are we glad that it wasn't one of us :-))).

Yesterday I came across something interesting. An email caught by some of our mailtraps, written in poor Dutch, about a site which can get you free sex.

Obviously I was interested in the matter as this didn't look like a typical spam email. These days most Dutch spam emails are about casinos. The site mentioned in the email contained a version of the popular MS XML exploit, MS06-71. We already detected this particular variant as
Trojan-Downloader.JS.Psyme.il.

The purpose of the exploit is to download and execute a backdoor, which we are now detecting as Backdoor.Win32.VB.bcv. After discovery we notified GOVCERT, the Dutch CERT, and they acted quickly to have the site taken down.

Next to this incident we're also picking up increased activity of the gang behind the later variants of Backdoor.Win32.MSNMaker, which is mostly spreading in The Netherlands as well.

Malicious emails/messages tailored to the Dutch market have been rare, but they are on the up. People can no longer assume that emails/messages in Dutch are automatically benign and will have to start being more careful.

This morning I received the following message in my Yandex.ru inbox:

I was only half awake when I read this and I almost followed the instructions in the email. But common sense prevailed: I suspected something was fishy and I decided to check this out. Turns out I was right: the address shown in the browser’s status bar when you move the cursor over the link is http://r.yandex.ru/..., which actually takes you to a page hosted by the freebie service tu1. ru. If you go directly to the address (by copying it from the browser window), you will find that there is no such site.

If you look deeper, you will find several other minor things that don’t match up:

• The email is missing at least one comma (according to Russian grammar rules);
• The email is suspicious in terms of the general rules of formal correspondence, i.e. the style of the email is strange;
• Why is the email address for “Yandex.ru Administration" postmaster@sharabee.nichost.ru?
• If you open the link to the so-called “Yandex authorization service”, you’ll see a context ad in the upper right hand corner - an ad which is nowhere to be found on the official Yandex website.

This is a classic example of phishing. Phishing Russian services is still uncommon. As far as I can remember, this is the first mass phishing email using @yandex.ru addresses - at least of the ones that have got around spam filters. This gives phishers an element of surprise, and there's no doubt that they'll manage to harvest numerous passwords, even if their ploy is primitive and poorly thought out (if, for example, there are none of the careless mistakes such as the ones listed above).

It is easy to avoid phishing if you follow some simple rules: always make sure that the domain name of the link is question is authentic. In order to do this, you should not just click on it, but copy and paste it into a new browser window. If you do this, even the slickest phisher tactics used to disguise the real URL won't work.

If you do fall for a phishing ploy and you entered your password on the page they sent the link to, change your password as soon as possible.

There's been quite a lot in the news lately about a mini-epidemic caused by Trojan.Win32.Small.mi. Since the attack started on June 15th, the number of compromised sites (and infected users) has been increasing.

If you've been following the media, you'll know that the majority of sites affected are in Italy. Although Small hasn't caused anything like the havoc wreaked by the worm epidemics of 2004/ 2005, Italian TV went so far as to warn viewers of the danger - both with a short item on the midday news, and by running a warning across their news ticker. This is something that hasn't been seen in Italy since Slammer first hit.

A nice example of an offline approach to online security.

Virus writers didn't take any time off over the public holidays, and the results of their labour have made their way into our May miscellany.

1. Greediest Trojan targeting banks - in May, this title went to Trojan-Spy.Win32.Banker.aqu, a modification that targets 87 banks simultaneously.

2. Greediest Trojan targeting e-payment systems – this month's glutton is Trojan-PSW.Win32.VB.kq, which targets four e-payment systems.

3. Greediest Trojan targeting payment cards - Trojan-PSW.Win32.VB.kq wins the prize in this category; it targets four payment card systems, and interestingly also targets e-payment systems (see the above category).

4. Stealthiest malicious program – once again, it's a Hupigon variant winning out in this category. Backdoor.Win32.Hupigon.rc is packed ten times with a whole range of packers. Nevertheless, this didn't save the backdoor from detection.

5. Smallest malicious program - this prize goes to a tiny little program weighing in at a mere 9 bytes. Despite its very compact size, Trojan.DOS.DiskEraser.b is smart enough to delete data from disk.

6. Biggest malicious program - Trojan.Win32.KillFiles.ki was the most space-hungry malicious program in May. This file-deleting Trojan weighs in at a whopping 247MB. Interestingly enough, both May’s smallest and largest programs have the same malicious payload - but the difference in size is remarkable.

7. Most malicious program - the leader in this category in May is Backdoor.Win32.Agobot.afy, which deletes antivirus programs using a variety of methods.

8. Most common malicious program in email traffic - this title went to Email-Worm.Win32.Netsky.t this May. Despite being an old-timer, this worm is still causing major damage, accounting for over 15% of all malicious email traffic in May 2007.

9. Most common Trojan family - the winner of this category this month is the Backdoor.Win32.Rbot family, with 454 modifications in the course of just one month.

10. Most common virus/worm family - the Warezov family once again took this title this month. A total of 78 different variants of the Warezov family were detected in May, up from 72 in April.

The summer holidays are coming up, and although it's unlikely we'll see worm epidemics on the scale of those in 2004/5, we'll still have plenty of work to do. See you in June for the next issue of our Miscellany!

A few days ago the Inquirer published a interesting little article talking about how Google hadn't returned the search results he wanted, but instead told him his computer might be infected with a malicious program. And today one of our clients got caught the same way – the ubiquitous search engine was displaying the same error message to lots of the company's staff.

I'm interested in why this happened. It's not very difficult to find a possible answer: a lot of spammers use Google to find the emails of potential victims and automate this task by using little scripts which may be run from infected machines. So Google can implement a temporary block which is lifted when the user correctly responds to Google's captcha by entering the letters and numbers shown, proving that s/he is not a spambot.

We've managed to reproduce the suspicious behaviour that can get a human user getting locked out of Google. And once the user's been locked out, his/ her IP address get's blacklisted. This can be a problem if the user is coming in via a proxy server – it will be the proxy that will be seen as the attacker, and the proxy that gets blocked. Which means that all the users coming in via the same proxy will also be subject to the same restrictions, until someone correctly solves the captcha. It would of course be helpful if the Google warning clearly stated that it could be the proxy, rather than the user's computer, which is suspected of being a bot. We've suggested this to Google, and we'll let you know their response.

Of course, it might not be a false alarm at all - there might be an infected computer on your network, and Google raising the red flag could be the first sign of infection. But even though Google's search capability may be awesome, a dedicated antivirus program is still going to be the most reliable way of catching malicious programs.

We've heard that another lot of cyber criminals were arrested, this time in Italy. More than 150 arrests for bombarding Italian users with fake mails. The phishers' ill-gotten gains – around 1,250,000 euros.

These guys were targeting the most popular Italian banks, and some users were getting 30+ phishing mails a day! The attacks were such a problem that they were even discussed on TV (although sadly not by the major news channels).

The arrests are the result of an investigation which began in May 2005. We'll be tracking this case, waiting for news of convictions and jail sentences. We'll keep you posted on progress.

Microsoft has released this month's update package, which contains (among other patches) updates for Internet Explorer, Vista, Outlook Express and Visio.

As we mentioned in our pre-patch post, some of the vulnerabilities are critical, so if you haven't done so, check the June Security Bulletins and patch your systems now.

The friendly handlers over at Internet Storm Centre have produced another colorful table to guide you through this month's patch maze.

As a quick reminder, June 12th is patch Tuesday for Microsoft products.
The corporation has several updates planned, including 4 critical patches. All 4 critical patches address remote code execution vulnerabilities found either in Windows, Internet Explorer, Outlook Express or Windows Mail. Microsoft also plans to release seven non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS). Microsoft's prenotification bulletin is here.

Microsoft plans to host a webcast next Wednesday to discuss the bulletins released on June 12th. Additonal information, including how to sign up for the webcast is here.

This week we added another unusual detection – detection for a calculator virus.

Virus.TI.Tigraa.a is a memory resident virus, and in the best tradition of DOS viruses, it's a mere 492 bytes in size. It works on Texas Instruments TI-89 graphing calculators (the TI-89, TI-89 Titanium, and the Voyage 200 which will run most programs for the TI-89) with the Motorola 68000 processor. The virus is designed to clear the screen and then display a message saying 't89.GAARA'.

Of course, Tigraa.a is classic proof of concept code. It'll only work on individual calculators, and can't spread. But nevertheless, it's created another entry in the roll call of potentially infectable devices.