::Trend Micro Threat Resource Center::

Showing posts with label trojan.

05 October 2015

Singapore is top country worldwide for attacks by banking Trojans


Singapore ranks as the top country worldwide for the share of Kaspersky Lab users attacked by banking Trojans in the second quarter of 2015, according to the company's report on the quarter.

According to the report, 496 Kaspersky Lab users in the city-state sustained such attacks. Worldwide, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on the computers of 755,642 users in the second quarter of 2015, an 18.7% decrease from the previous quarter.

Switzerland, Brazil and Australia came next, in that order, and Hong Kong was fifth, the only other Asia Pacific country in the top ten. Lower down the top ten were New Zealand, South Africa, Lebanon and the United Arab Emirates.

“An A.T. Kearney and EFMA global retail banking study concluded that Singapore is the second country worldwide with the highest inclination for digital banking,” says Jimmy Fong, Channel Sales Director, Southeast Asia, Kaspersky Lab.

“The nation was also placed among the top three for banking capabilities, which included innovative technological developments, a robust financial environment and digital infrastructure. Local banks also fare impeccably well in terms of online banking systems, providing cutting edge features to complement ordinary online banking services. This paves the way towards equipping banks in Singapore for the next level of digital banking.”    

With the large number of technologically savvy consumers, high smartphone penetration rates and strong digital service adoption levels, Singapore is one of the Southeast Asian countries with the highest digital banking penetration rate, pegged at 94%.

Online banking in Singapore was also the second most utilised service platform after ATMs, more than conventional branch visits and telephone banking, as a study conducted by Bain & Company found.      

Kaspersky Lab security solutions had registered a total of 5,903,377 notifications of malicious activity by programmes designed to steal money via online access to bank accounts in Q2 2015.

For each country, the percentage of Kaspersky Lab product users who encountered this threat during the reporting period was calculated against all product users in that country, so that the risk of banking Trojan infection can be compared across the world. Only countries with more than 10,000 Kaspersky Lab product users were included in the study.

“Cybercriminals are always looking for ways to access vital information that can be monetised, especially when it comes to online banking. Securing critical data that can cause financial loss is essential for both individuals and businesses," said Vitaly Kamluk, Principal Security Researcher, Global Research & Analysis Team, Kaspersky Lab. “As the ease of banking becomes more convenient, it is vital that individuals follow best security practices when on the Internet, recognising that they represent a portal or doorway for numerous malicious agents to get into bigger networks and systems, to wreak havoc and cause significant damage for the business they are part of."

04 April 2015

New threats for Android phones, how do they work? Beware of your battery!

When buying a smartphone, one of the first things we do is choose an unlock pattern, trusting that this will keep our WhatsApp conversations away from nosy onlookers. If you think a route traced with one finger is hard to reproduce, you are mistaken: getting past an Android phone's lock is easier than you thought.

Digital thieves can reach even further. They can get into your phone physically, but also remotely, or through its microphone. Now they can even spy on you while the phone appears to be switched off.

Those who trust that pressing the power button is enough to cut their phone off from the outside world are in for a surprise. Remote operators can keep pulling the strings even while the owner and the phone are supposedly asleep: security researchers have demonstrated how an Android Trojan can make users believe they have turned the device off in the usual way.

PowerOffHijack, the new malware, pulls off a very particular trick: it hijacks the shutdown process. When the power button is pressed, a fake dialog appears that makes the user believe the phone is shutting down. Meanwhile the malware has hooked the shutdown routine inside the operating system's system_server process, which is why it needs a rooted device.


The owner rests peacefully, but the device does not: the Trojan can place outgoing calls (including to foreign numbers), take pictures and do much else without notifying the user. In China more than 10,000 devices have been infected by this malware, which appears to spread through apps.

To stop this mocking Trojan we recommend removing the battery, so that it cannot run your phone bill up to unsuspected heights; however hard the spies try, they cannot control a phone with no power. Another tip is to uninstall the apps that may have let these silent thieves in.

Although removing and reinserting the battery deals with PowerOffHijack, the battery's own readings can be used to spy on a phone. Researchers at Stanford University, together with a group of Israeli researchers, have developed PowerSpy, a technique that recovers an Android phone's route even when GPS is switched off. How? By tracking the phone's power consumption over time.

Reading location from GPS or Wi-Fi requires the user's permission, but the battery's power-consumption data did not. An app could therefore work out which of a set of known routes the phone travelled with around 90% accuracy, and whoever runs it can use that location information as they please.

The researchers demonstrated PowerSpy on two Nexus phones. The technique let them locate the phone even when its owner was not using it at the time, and it needs nothing the user would notice: the power readings could be collected by any app the user installed, without a permission prompt.


“We show that measuring the phone’s aggregate power consumption over time completely reveals the phone’s location and movement”, says Yan Michalevsky, one of the researchers.

Fortunately the technique has its limitations: it needs a set of predefined routes, and it needs to have seen the route before. “If you take the same ride a couple of times, you’ll see a very clear signal profile and power profile,” says Michalevsky. Accuracy also drops on phones running many apps, whose power draw is less predictable, and is best on phones with only a few.
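The route-matching idea behind PowerSpy, as an added example written for this page rather than the researchers' own code: a power trace is normalised so only its shape matters, then compared with recorded profiles of known routes. The three route profiles and the simulated ride below are constructed, dynamic time warping is my choice of matching algorithm rather than necessarily the paper's, and the distance threshold is an assumption that makes the limitation visible: a ride on a route that was never recorded matches nothing.

```python
# Added example: route fingerprinting from a power trace, in the spirit of PowerSpy.
# Not the researchers' code; profiles, noise model and threshold are constructed.
import math
import random

# Constructed reference profiles: mean current draw in mA, sampled once per
# second on three fixed routes. A real attacker would record these by riding
# the routes with the phone; the shapes here are chosen to be distinct.
ROUTE_PROFILES = {
    "home_to_office": [120, 120, 120, 200, 260, 200, 120, 120, 120, 120],
    "office_to_gym":  [120, 220, 120, 120, 120, 120, 120, 220, 120, 120],
    "gym_to_home":    [110, 110, 110, 110, 150, 200, 240, 250, 250, 250],
}


def zscore(trace):
    """Normalise a trace so that only its shape matters: screen brightness or
    a background app shift the absolute draw, not the profile of the road."""
    mean = sum(trace) / len(trace)
    sd = math.sqrt(sum((x - mean) ** 2 for x in trace) / len(trace)) or 1.0
    return [(x - mean) / sd for x in trace]


def dtw_distance(a, b):
    """Dynamic time warping distance: a ride that is faster or slower than the
    reference still aligns peak to peak instead of being penalised for timing."""
    n, m = len(a), len(b)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]


def classify_route(observed, profiles=ROUTE_PROFILES, max_per_sample=0.2):
    """Match an observed power trace against the known routes.
    Returns (route_name or None, distances). None means no profile is close
    enough: the attack only works for routes that were recorded beforehand."""
    obs = zscore(observed)
    distances = {name: dtw_distance(obs, zscore(p)) for name, p in profiles.items()}
    best = min(distances, key=distances.get)
    if distances[best] / len(observed) > max_per_sample:
        return None, distances
    return best, distances


def simulate_ride(route, noise_ma=5.0, seed=1):
    """Constructed observation standing in for a real read of the battery's
    current sensor: the route profile at half speed (each sample repeated),
    plus measurement noise."""
    rng = random.Random(seed)
    stretched = [x for x in ROUTE_PROFILES[route] for _ in (0, 1)]
    return [x + rng.uniform(-noise_ma, noise_ma) for x in stretched]
```

Calling `classify_route(simulate_ride("office_to_gym"))` recovers the route despite the slower, noisier ride, while a trace with a shape none of the profiles share returns `None`; that second case is the limitation the researchers describe.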

Anyone could be spying on your phone in ways you would never have suspected. Security is not only needed on your desktop computer; it is essential in the smallest corners of your phone too.

16 March 2015

Malicious Android App Fakes Shutdown and Allows Bad Guys to Take Control

Is this thing on?


Unless you have your Android device in one hand and its battery in the other, you cannot be sure that it is really turned off. An Android Trojan app called PowerOffHijack, which originated in Chinese app stores, was found tricking users into believing that their devices were turned off when they were actually still powered on.

Digging into the issue, Trend Micro researchers found that an app believed to be an earlier version of PowerOffHijack appeared as early as September 2014. The app, named AndroidFramework (detected as AndroidOS_AndFraspy.HAT), disguised itself as a Google service with the package name com.google.progress.

Fake Shutdown Routines
As mobile device users are aware, pressing the power button can result in two things. Tapping the button will turn off the screen, while holding it down will cause it to prompt with device options that include shutting the phone down.

The AndroidFramework malware was designed to perform its malicious operations in the background after you press the power button and the screen goes black.

The PowerOffHijack version, on the other hand, keeps running in the background even after you hold the power button down and choose to turn the device off. It even plays the Android shutdown animation to make you believe the device is shutting down. At this point the malware can still make phone calls, send SMS, take photos and carry out other malicious routines without the user's consent.

Both these malware apps were found in third party app stores outside of Google Play and require a rooted device to run.

PowerOffHijack reportedly works only on devices running Android versions older than 5.0 (Lollipop). It is said to have originated in third-party Chinese app stores, which explains why most of the roughly 10,000 affected devices are in China.

How to Get Rid of AndroidFramework and PowerOffHijack 
It was previously suggested that users can only be truly safe from the PowerOffHijack threat if they remove the batteries of their devices. However, this is not practical for many users who do need to use the devices as well as for devices with batteries that can't be easily removed.

18 February 2015

16 Million Mobile Devices Infected With Malware in 2014

A new report published by Alcatel-Lucent’s Motive Security Labs estimates that 16 million mobile devices were infected with malware in 2014.


The rate of mobile infections in 2014 was 0.68%, which represents a 25% increase compared to the previous year. According to the telecoms company, 16 million is a conservative estimate considering that its sensors don’t have complete coverage in regions like China and Russia.

“In mobile networks, Android devices have now caught up to Windows laptops as the primary workhorse of cybercrime. With one billion Android devices shipped in 2014, the platform is a favorite target of cybercriminals who can have lots of infection success without a lot of work,” Kevin McNamee, director of Alcatel-Lucent Motive Security Labs, wrote in a blog post. “Android is more exposed than rivals because of its open platform and by allowing users to download apps from third-party stores where apps are not always well vetted.”

The number of Android malware samples in Motive Security Labs’ database increased by 161% last year, reaching close to 1.2 million.

The company has pointed out that the sophistication of Android malware has also increased. Older variants used primitive command and control (C&C) mechanisms, they had hard-coded and inflexible configurations, and they were easy to detect. However, in 2014, malware authors started leveraging more advanced techniques and even integrated rootkit technologies, a trend demonstrated by threats such as NotCompatible and Koler.

According to the report, six of the top 20 mobile pieces of malware are from the spyware category. These types of threats are designed to track users’ location, calls, text messages, emails, and Web browsing.

As far as residential fixed broadband networks are concerned, infection rates increased last year, but mainly due to adware. High-level threat infections (bots, rootkits, banking Trojans) increased slightly in the second quarter of 2014, but then they dropped again to roughly 5%, the report shows.

Researchers have also pointed out that many consumers avoid shopping online to prevent their credit card information from being stolen by cybercriminals. However, the risks are even greater at brick-and-mortar stores where cash registers and point-of-sale (PoS) terminals can become infected with malware.

“Card information stolen from online retailers can only be used for online purchases. Online purchases typically need to be shipped to the address of the card owner, making them less usable to fraudsters,” reads the report. “Because the point-of-sale-based malware records all the information in the magnetic strip on the card, the data they collect can be used to make new physical cards. Criminals use these forged cards in stores to buy expensive items such as electronics, which can easily be sold for cash.”

23 November 2014

Symantec Uncovers Sophisticated, Stealthy Computer Spying Tool

Computer security researchers at Symantec say they have discovered a sophisticated piece of malware circulating around the world that appears to be used for spying on Internet service and telecommunications companies and was likely created by a government agency. Its origin is unclear, but a short list of countries capable of building it would include the U.S., Israel and China.


The research, published today, comes from the same team at Symantec that four years ago helped discover and ferret out the capabilities of Stuxnet, the world’s first digital weapon. It is believed to have been created by the combined efforts of the U.S. and Israel and used to sabotage the Iranian nuclear research program.

The team has dubbed this newly found Trojan “Regin” according to a Symantec blog post, and they are describing it as a “complex piece of malware whose structure displays a degree of technical competence rarely seen.” They say the tool has an “extensive range of capabilities” that provides the people controlling it with “a powerful framework for mass surveillance.”

The researchers said Regin has been used in what appears to be an ongoing spying operation that started in 2008, stopped suddenly in 2011, and then resumed in 2013.

The campaign was carried out against government organizations, businesses, researchers and private individuals. About 100 Regin infections have been detected, the researchers said, with most — a combined 52 percent — in Russia and Saudi Arabia. The remainder have occurred in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan. No infections have yet been detected in the U.S. or China.

Symantec was first made aware of Regin after customers discovered parts of it and sent the code for analysis. “We realized there was more to what was sent us than was readily apparent and went back to investigate further,” said Liam O’Murchu, one of the researchers. Symantec security software can now detect it, he said.

The quality of Regin’s design and the investment required to create it is such that it was almost certainly made by a nation-state, said O’Murchu. But asked to speculate which nation-state, he demurred. “The best clues we have are where the infections have occurred and where they have not,” he said in an interview with Re/code. “We know it was a government that is technically advanced. … This has been a huge spying campaign dating back at least to 2008 and maybe even as early as 2006.”

It doesn’t take much of a leap to wonder out loud if the U.S. National Security Agency or the Central Intelligence Agency, perhaps working with Israel, might be the source, especially given the list of countries targeted. However, there are other possible sources, including China.

There is still a lot about Regin that is not known (for more technical detail on what is known, Symantec has published a 21-page white paper). There are pieces of it, O’Murchu said, that haven’t yet been found and examined. But here is what is understood so far:

Regin attacks systems running Microsoft Windows. It works in stages and consists of five of them; only the first stage is readily detectable. That stage opens the door for the subsequent ones, each of which decrypts and executes the next. In this respect it resembles Stuxnet and its sibling Trojan Duqu, which was designed to gather intelligence on a target by stealing large amounts of data.

Nearly half of all Regin infections occurred at Internet service providers, the targets being the customers of those companies. Other companies attacked included telecom providers, hospitality companies, energy companies, airlines and research organizations.

How the malware spreads is also a mystery. In one case — but only one — the infection was carried out by way of Yahoo Instant Messenger. In other cases, Symantec believes victims were tricked into visiting spoofed versions of well-known websites. “Other than that one example, we have no firm information on how it has been distributed,” O’Murchu said.

Once a computer has been compromised, Regin’s controllers can load it with whatever payload the spying operation needs. Said Symantec: “Some custom payloads are very advanced and exhibit a high degree of expertise in specialist sectors,” for example something specifically geared toward spying on an airline or an energy company. This is “further evidence of the level of resources available to Regin’s authors,” the company said.

There are dozens of these payloads. One seen in several cases is a remote access tool, or RAT, which gives an attacker the ability to take control of a computer remotely — copy files from the hard drive, turn on the Web cam, turn on the microphone. RATs are also good for capturing keystrokes, a good way to steal passwords. Some of the more advanced payloads seen on machines compromised by Regin include software to monitor network traffic and a tool to manage mobile phone base stations.

Exceptional effort was made by its creators to prevent Regin and its communications to its handlers from being detected. “Even when its presence is detected, it is very difficult to ascertain what it is doing,” said Symantec.

Several pieces of Regin are still circulating and are as yet undiscovered, O’Murchu said. He hopes that with the publication of Symantec’s findings, more information from other researchers will come to light.

28 November 2012

Fake Facebook alert leads to Blackhole, malware

Due to the huge popularity of Facebook and its one billion active users, bogus emails impersonating the social network are constantly hitting users' inboxes.

The latest of these is a notification alert about "activity you may have missed on Facebook":



Clicking on any of the offered buttons or the "unsubscribe" link ultimately lands users on a page hosting the Blackhole exploit kit serving an exploit for Adobe Reader and Acrobat.

Victims running a vulnerable version of either program and no AV solution are automatically saddled with an information-stealing Trojan.

The Trojan variant in question is now detected by 28 of the 43 AV engines used by VirusTotal, but at the beginning of the spam campaign even those with AV software installed were not safe, as only three engines detected it, Webroot warns.

Users are advised never to follow links offered in unsolicited emails, no matter how legitimate they look. Check your Facebook account for "activity you have missed" if you must, but do it by logging in through the legitimate login page.

26 November 2012

Bogus Apple invoice leads to Blackhole, banking malware

If you receive an invoice seemingly from Apple showing that your credit card has been billed $699.99 (or a similarly preposterous amount) for a postcard, don't click on any of the embedded links, no matter how curious or alarmed you are.

The bogus invoice looks good enough to fool many:



"The link 'View/Download' ends in download.jpg.exe, while the 'Cancel' and 'Not your order' URLs end in check.php," shares Graham Cluley. "The smart social engineering bit is that, whether you are simply curious what this is about or furious about this unauthorized charge, you are still likely to click one of the links."

Clicking the 'View/Download' link downloads the malware directly, while the 'Cancel' and 'Not your order' links take the victim to a bogus IRS page warning that they are using an unsupported browser.

But this is simply a smokescreen designed to puzzle the user while the Blackhole exploit kit works furiously in the background, trying to exploit a host of Oracle Java, Adobe Flash Player and Adobe Reader vulnerabilities.

If it succeeds, the victims' computer is infected with a variant of the Zeus / Zbot banking Trojan. If not, they are offered a download of the latest version of their browser. The offered file is named update.exe and is also a Zeus Trojan variant.

05 July 2011

Backdoor in the latest version of vsftpd

Chris Evans, the author of vsftpd, announced that the project's master site had been compromised and that the tarball of the latest version (vsftpd-2.3.4.tar.gz) was backdoored.
The backdoor payload is interesting. In response to a :) smiley face in the FTP username, the daemon spawns a shell listening on TCP port 6200 (Evans initially described it as a TCP callback shell). There is no obfuscation. More interestingly, there is no attempt to broadcast any notification that the bad package has been installed, so it is unclear how victims would be identified, and it was pretty much guaranteed that any major redistributor would notice. The lesson for anyone building from source is to verify a release's signature or published checksum, obtained out of band, before unpacking it.
The official download was promptly moved to Google App Engine.
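Two checks a downstream packager could have run on that tarball, as an added example that is not Chris Evans' or the vsftpd project's code: compare the archive's digest with a value obtained from somewhere other than the compromised mirror, then grep the C sources for the backdoor's three tell-tales (the 0x3a/0x29 smiley compare, the bind to port 6200 and the exec of /bin/sh). The in-memory tarball, the "clean" file and the backdoored file below are constructed stand-ins modelled on the injected lines, and the pinned digest is whatever the test supplies, not a real published hash.

```python
# Added example: supply-chain checks on a source tarball. Not vsftpd code;
# the sample sources and the tarball fixture are constructed.
import hashlib
import io
import re
import tarfile

# Indicators of the backdoor as it was injected into the 2.3.4 sources: a compare
# for the bytes ':' (0x3a) followed by ')' (0x29) in the username, a listening
# socket on TCP port 6200, and an exec of /bin/sh.
INDICATORS = {
    "smiley_trigger": re.compile(r"0x3a\s*\)\s*&&\s*\(\s*[^)]*0x29", re.I),
    "bind_port_6200": re.compile(r"htons\s*\(\s*6200\s*\)"),
    "shell_exec": re.compile(r'execl?\s*\(\s*"/bin/sh"'),
}


def scan_c_source(text: str) -> list:
    """Names of the backdoor indicators present in one C source file."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_tarball(tar_bytes: bytes, pinned_sha256: str):
    """Compare the archive digest with a value obtained out of band (from the
    author's signed announcement, not from the same mirror), then scan every
    .c member. Returns (digest_matches, {member: [indicators]})."""
    digest_ok = sha256_hex(tar_bytes) == pinned_sha256.lower()
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".c"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            found = scan_c_source(text)
            if found:
                hits[member.name] = found
    return digest_ok, hits


def build_sample_tarball(sources: dict) -> bytes:
    """Constructed fixture: an in-memory .tar.gz built from {path: C source}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, src in sources.items():
            data = src.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sources: one harmless file, one carrying all three indicators,
# modelled on the lines that were added to str.c and sysdeputil.c.
CLEAN_SRC = "static int str_contains_space(const struct mystr* p_str) { return 0; }\n"
BACKDOOR_SRC = (
    "if ((p_str->p_buf[i] == 0x3a) && (p_str->p_buf[i + 1] == 0x29)) {\n"
    "  vsf_sysutil_extra();\n"
    "}\n"
    "sa.sin_port = htons(6200);\n"
    'execl("/bin/sh", "sh", (char *)0);\n'
)
```

The digest check is the one that scales: it catches any swap, not just this one, provided the reference value comes from a signed announcement rather than the download site itself. The source scan is specific to this incident and is there to show how little the backdoor tried to hide.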

24 June 2011

WordPress users endangered by Trojanized plugins

Three popular WordPress plugins have been Trojanized by unknown individuals and made available for download, warned WordPress yesterday.

"Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors," explained Matt Mullenweg. "We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory."

If you use the WordPress platform and have updated one of these plugins in the past two days, you are at risk. You have to upgrade them again - WordPress has pushed out their new, safe versions.

Also, if you have an account on WordPress.org, bbPress.org and/or BuddyPress.org, don't be surprised to find a password-reset message the next time you log in to your account.
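The checks a site owner could run on an installed plugin after an announcement like this, as an added example that is not WordPress' or the plugin authors' code: compare every installed file against the hashes of the known-good release, which is exactly where a trojanized commit shows up as a modified or added PHP file, and run a heuristic pass for the kind of disguised PHP backdoor described. The plugin files, manifest and backdoor lines below are constructed, and the patterns are generic backdoor indicators, not the code from these particular commits.

```python
# Added example: plugin integrity and backdoor triage. Not WordPress code;
# the plugin contents and manifest in the test are constructed.
import hashlib
import os
import re


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> dict:
    """Map relative path -> sha256 for every file under an installed plugin dir."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_bytes(fh.read())
    return result


def diff_against_manifest(installed: dict, manifest: dict) -> dict:
    """Compare installed hashes with the manifest of a known-good release."""
    return {
        "added": sorted(p for p in installed if p not in manifest),
        "removed": sorted(p for p in manifest if p not in installed),
        "modified": sorted(p for p in installed if p in manifest and installed[p] != manifest[p]),
    }


# Generic indicators of a disguised PHP backdoor: request input reaching eval
# or a shell, decoded blobs passed to eval, and the preg_replace /e trick.
BACKDOOR_PATTERNS = {
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "request_to_eval": re.compile(
        r"eval\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.I | re.S),
    "request_to_shell": re.compile(
        r"(system|passthru|shell_exec|exec|popen)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.I | re.S),
    "preg_replace_e_flag": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
}


def scan_php(source: str) -> list:
    return sorted(name for name, rx in BACKDOOR_PATTERNS.items() if rx.search(source))


def audit_plugin(files: dict, manifest: dict) -> dict:
    """files: path -> bytes of the installed plugin (hash_tree + open() on disk);
    manifest: path -> sha256 of the known-good release. Returns the manifest
    diff plus heuristic hits per PHP file."""
    installed = {p: sha256_bytes(b) for p, b in files.items()}
    report = diff_against_manifest(installed, manifest)
    hits = {}
    for path, body in files.items():
        if path.endswith(".php"):
            found = scan_php(body.decode("utf-8", "replace"))
            if found:
                hits[path] = found
    report["heuristic_hits"] = hits
    return report
```

The manifest comparison is the reliable part: a backdoor "cleverly disguised" enough to slip past the heuristics still changes a file hash. The heuristics earn their place when no trustworthy manifest exists, for instance after the repository itself has been tampered with.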

04 March 2011

Trojan Hiding In Legitimate Security Software

An interesting tactic for hiding a Trojan has recently been spotted by Symantec researchers.

Instead of writing all of their own malicious code, the malware authors decided to take advantage of code belonging to the KingSoft WebShield browser protection software (part of the KingSoft Internet Security suite).

"The interesting part of this package is in its configuration, which allows an opportunity for malicious intent," explains researcher Éamonn Young. "Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package."

And so they did. The new package contains the legitimate software and its supporting components, plus two configuration files that effectively turn it into a Trojan.

Once the apparently legitimate software is installed and running, one of these files makes it so that the home page is changed to one of the designated URLs - which house advertisement link farms - and locked so that the user can't change it.

The other makes sure that if the user tries to visit one of a number of popular domains listed in it, he is also redirected to one of the aforementioned designated URLs.

The authors of the malware are likely to be Chinese, and so are the targeted users. The misused legitimate software is manufactured by Chinese software developer Kingsoft, and all the websites - the advertisement link farms and the domains from which the user is redirected - cater to Chinese users.

Another interesting thing about this Trojan is that it deletes all Quick Launch icons except the Internet Explorer one, and creates that one if it is missing. Since the whole package works as intended only in Internet Explorer, this is a rather (too) obvious way of making sure the user sticks to that browser.

Since Kingsoft WebShield works as it usually does, the user might not spot that something is wrong with his computer right away after installing the tainted package. And even when he finally gets suspicious about the constant redirection, it will take a while before he learns how to remove it, since the uninstaller has been omitted.

All in all, the authors of this improvised Trojan have manufactured an annoying but not very dangerous piece of malware. Unfortunately, it seems to me that it is only a matter of time until someone changes the configuration files again and the users are redirected to more malicious sites.

01 January 2011

Android Trojan with botnet capabilities found in the wild

A new, more sophisticated Trojan for Android devices has been spotted lurking on third-party Chinese Android app markets: the first piece of Android malware with the capability to receive instructions from a remote server and thus become part of a botnet.

Dubbed "Geinimi", the Trojan is grafted onto repackaged versions of legitimate applications, mostly games such as Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

So far, it has only been spotted being distributed through third-party Chinese app stores. Versions of these applications on the official Google Android Market have not been compromised.

When an affected application is installed on the device, it asks the user for more permissions than the original would need. Geinimi then kicks into action, harvests the device's location coordinates, its IMEI and IMSI (unique identifiers for the device and the SIM card) and transmits that information to a remote server via a number of hard-coded domain names.

So far the server has not been seen sending instructions to the Trojan, so its ultimate purpose is not yet clear.

It is known, though, that it can download and prompt the user to install an app, prompt him to uninstall an app, and transmit a list of all the installed apps on the device to the aforementioned server.

Lookout's researchers say that Geinimi also uses obfuscation techniques to hide its activities, so it will be more difficult to spot.

But users in general should suspect their devices of being infected by mobile malware if the phone presents unusual behavior such as automatic SMS sending to unknown recipients, automatic phone calls, stealthy installation of unknown applications, etc.

An occasional check of outbound calls and SMSs and of installed applications should become a habit for users.
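The permission creep described above is the cheapest tell a repackaged app gives away, and it can be checked mechanically. The example below is added here and is not Lookout's code: it extracts the uses-permission entries from two decoded manifests and reports what the suspect copy asks for beyond the original, singling out the permissions that enable exactly what Geinimi is described as doing. Both manifests are constructed, and the high-risk list is an assumption drawn from that description rather than a list the post provides.

```python
# Added example: permission diff between an original and a repackaged app.
# Not Lookout's code; both manifests below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed high-risk set: permissions that let an app do what Geinimi is
# described as doing (location, IMEI/IMSI, SMS, calls, installs, auto-start).
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",      # IMEI / IMSI
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def permissions(manifest_xml: str) -> set:
    """<uses-permission android:name=...> entries of a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def compare(original_xml: str, suspect_xml: str) -> dict:
    """What the suspect asks for that the original did not, and which of those
    fall in the high-risk set; 'dropped' catches a sloppy repackaging too."""
    orig, sus = permissions(original_xml), permissions(suspect_xml)
    extra = sus - orig
    return {
        "extra": sorted(extra),
        "extra_high_risk": sorted(extra & HIGH_RISK),
        "dropped": sorted(orig - sus),
    }


# Constructed manifests: a game that needs only network access, and a repackaged
# copy that additionally wants location, phone identity, SMS and boot start.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game"/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Game"/>
</manifest>"""
```

For a real APK the decoded manifest comes from apktool, or the permission list alone from `aapt dump permissions app.apk`; the reference copy should be the same version downloaded from the official market, since that is what the post says was untouched.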

01 December 2010

Malicious Kodak Galleries used for serving Trojan

A variant of a highly specialized Trojan has appeared on fake sites mimicking Kodak Gallery pages, where potential victims are urged to download software that would supposedly allow them to watch the offered slideshow, but actually creates a folder with configuration files and copies a few executables into the System32 folder.


But before doing that, it actually does show the users a slideshow of car pictures, which acts as a smokescreen in order to hide the malicious activity.

Further research by Sunbelt's experts reveals that the choice of car pictures might not be random. The Bayrob Trojan, of which this is a variant, has a history of targeting eBay users, especially those buying motor vehicles, since larger sums are involved. The Trojan spoofs various eBay pages and tries to trick users into parting with their money.

This particular variant has a very low detection rate, so be careful when checking out links that you find on forums or receive in spam e-mails - or even in e-mails and instant messages seemingly coming from a friend.

05 October 2010

CYBER BANKING FRAUD: Global Partnerships Lead to Major Arrests

Just when you thought you could get away with cyber crime because of online anonymity? Think again.

Law enforcement partners in the United States, the United Kingdom, Ukraine, and the Netherlands announced the execution of numerous arrests and search warrants in multiple countries in one of the largest cyber criminal cases ever investigated.

Using a Trojan horse known as Zeus, hackers in Eastern Europe infected computers around the world. The malware arrived by e-mail; when targeted individuals at businesses and municipalities opened the message, it installed itself on the victim's computer and secretly captured passwords, account numbers and other data used to log in to online banking accounts.

The hackers used this information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of “money mules.” Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe, or turn it into cash and smuggle it out of the country. For their work, they were paid a commission.

On 30 September 2010 the FBI's New York office arrested 10 subjects in the case and is seeking 17 others. Those arrested are charged with using hundreds of false-name bank accounts to receive more than $3 million from victimized accounts.

In all, the global theft ring attempted to steal some $220 million, and was actively involved in using Zeus to infect more computers.

More details here:
http://www.fbi.gov/page2/oct10/cyber_100110.html

26 September 2010

"Girl killed herself" Facebook scam returns

If the title of the "Girl killed herself, after her dad posted This to her Wall" Facebook page sounds familiar, it is because almost two months ago the very same sentence popped up on many a user's Wall, in connection with a supposed Trojan infection.

There must be something in the title that made a lot of impact, because here it is - trotted out for another scam.

The user sees it on a friend's Wall, follows the link to the page, where a warning about possible inappropriate content pops up. After getting it out of the way, another pop-up window appears, in which the user has to prove that he is human and not a bot:

Unfortunately for him, this simple test is a clickjacking trick: it hijacks his clicks and uses them to post the same message on his Wall, spreading the scam further.

In the end, the user is asked to participate in one of several surveys offered so that he is finally allowed to access the content he wanted to see. But, tough luck, the only thing that will actually happen if he does complete a survey is that the scammers will try to make him sign up to premium rate services.

I know it is sometimes difficult to resist the lure of an interesting caption, but you must learn that things like these are rarely (if ever) benign.

16 September 2010

ZBot removal tool

ZBot (also known as Zeus, ZeusBot or WSNPoem) is a Trojan engineered to steal sensitive data from compromised computers.

While ZBot focuses mainly on the online banking details that users input on financial organizations’ pages, it also monitors system information and steals additional authentication credentials.

The latest variants can also gather the history of visited websites and other data users provide online, and capture screenshots of their desktop.

ZBot is distributed mainly via spam campaigns and Web pages which host its malicious payload, usually under the guise of a popular legitimate application.

Once on the system, ZBot modifies the file and folder structure, adds registry keys, injects code into several processes (such as winlogon.exe or svchost.exe) and adds exceptions to the Microsoft Windows Firewall, giving it backdoor and server capabilities. It sends out the harvested data and listens on several ports for commands from the attackers' command-and-control server.

This allows cybercriminals to manage the Trojan: they can download and execute additional malicious payloads on the system or take control of it, with actions including, but not limited to, restarting and shutting down the affected computer.

BitDefender has created a ZBot Removal Tool which checks users’ computers, detects and eliminates most of the ZBot variants spotted in the wild.

17 July 2010

Single Trojan Accounted For More Than 10 Percent Of Malware Infections In First Half 2010

Top two threats both exploit the Windows Autorun feature, BitDefender study says.

When something works, hackers keep doing it. And as a vehicle for delivering malware, Microsoft's Autorun.INF utility is still working just fine, according to researchers at BitDefender.

In a study issued earlier this week, BitDefender reported that the top two malware offenders during the first six months of 2010 -- Trojan.AutorunINF.Gen and Win32.Worm.Downadup.Gen -- both exploit Autorun.INF.

Trojan.AutorunINF.Gen alone accounted for 11 percent of all the malware infections detected by BitDefender in the first half, according to the report.

"The autorun technique is massively used by worm writers as an alternate method of spreading their creations via mapped network drives or removable media," BitDefender says.

Initially designed to simplify the installation of applications located on removable media, the Windows Autorun feature has been used on a large scale as a means of automatically executing malware as soon as an infected USB drive or other external storage device is plugged in, the report states. Unlike legitimate autorun.inf files, those used by malware are usually obfuscated, the researchers say.

"Before the arrival of the second service pack for Vista, Windows-based operating systems would follow any autorun.inf file instructions and blindly execute any binary file the autorun file pointed to," the report says. "Because of the risk the users were exposed to, Microsoft subsequently deactivated the autorun feature for all the removable devices except for the drives of type DRIVE_CDROM."
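The report's two observations, that autorun.inf tells Windows which binary to run and that malicious copies are usually obfuscated, are enough to build a simple triage check. The Python script below is an added example written for this page, not BitDefender's tool: it parses an autorun.inf as leniently as Windows does, records which files the [autorun] keys would execute, and flags the padding, non-printable bytes and undocumented keys that obfuscated files carry. The three samples are constructed, and the thresholds are assumptions chosen for the example.

```python
"""Heuristic triage of autorun.inf files (added defender-side example).

A legitimate autorun.inf is a short INI file: an [autorun] section with
open=/icon=/label= keys.  Windows' parser is lenient, so malware authors
pad the file with junk lines, control characters and bogus keys that the
parser skips but that defeat naive signature matching.  This script
records what the file would execute and scores the obfuscation.
"""
import re
from dataclasses import dataclass, field

# Keys that make Windows run something (documented autorun.inf keys).
EXEC_KEYS = ("open", "shellexecute")
# Keys Microsoft documents for [autorun]; anything else is treated as padding.
KNOWN_KEYS = {"open", "icon", "label", "action", "shellexecute", "useautoplay", "shell"}
# Script hosts / loaders that an installer CD has no reason to call directly.
INTERPRETERS = {"rundll32", "cmd", "wscript", "cscript", "mshta", "powershell"}
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
# Thresholds are assumptions chosen for this example, not published figures.
JUNK_LINE_THRESHOLD = 3
UNKNOWN_KEY_THRESHOLD = 3


@dataclass
class Verdict:
    targets: list = field(default_factory=list)  # what [autorun] would execute
    reasons: list = field(default_factory=list)  # why the file looks suspicious

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_autorun(raw: bytes):
    """Lenient INI parse mirroring Windows' tolerance.

    Returns ({section: {key: value}}, junk_line_count); junk lines are
    non-blank, non-comment lines that are neither a section header nor key=value.
    """
    sections, current, junk = {}, None, 0
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        else:
            junk += 1
    return sections, junk


def triage(raw: bytes) -> Verdict:
    """Return the execution targets and obfuscation findings for one file."""
    v = Verdict()
    sections, junk = parse_autorun(raw)
    autorun = sections.get("autorun", {})

    for key, value in autorun.items():
        # open=, shellexecute= and shell\<verb>\command= all name a program to run
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            v.targets.append(value)

    unknown = [k for k in autorun if k not in KNOWN_KEYS and not k.startswith("shell\\")]
    # Bytes outside printable ASCII (tab/CR/LF excepted) never belong in an INI file.
    nonprint = sum(1 for b in raw if b not in b"\r\n\t" and not 0x20 <= b < 0x7F)

    if nonprint:
        v.reasons.append(f"{nonprint} non-printable byte(s)")
    if junk >= JUNK_LINE_THRESHOLD:
        v.reasons.append(f"{junk} junk line(s) the INI parser would skip")
    if len(unknown) >= UNKNOWN_KEY_THRESHOLD:
        v.reasons.append(f"{len(unknown)} undocumented key(s) in [autorun]")
    for target in v.targets:
        first = target.strip('"').split()[0].lower() if target.strip() else ""
        program = first.rsplit("\\", 1)[-1].split(".")[0]
        if program in INTERPRETERS:
            v.reasons.append(f"target invokes a script host or loader: {target}")
    return v


# Constructed samples (not real captures) to exercise the checks.
LEGIT = (b"[autorun]\r\n"
         b"open=setup.exe\r\n"
         b"icon=setup.exe,0\r\n"
         b"label=Product CD\r\n")

OBFUSCATED = (b"[autorun]\r\n"
              b"\x01\x02\x03zkq\r\n"
              b"open=RECYCLER\\update.exe\r\n"
              b";\x7f\r\n"
              b"shell\\open\\command=RECYCLER\\update.exe\r\n"
              b"qwe\r\n"
              b"rtyuiop\r\n"
              b"asdfg\r\n"
              b"shell\\explore\\command=RECYCLER\\update.exe\r\n"
              b"xy1=1\r\nxy2=2\r\nxy3=3\r\n")

SCRIPTED = b"[autorun]\r\nshellexecute=wscript.exe loader.vbs\r\n"

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("obfuscated", OBFUSCATED), ("scripted", SCRIPTED)):
        verdict = triage(sample)
        print(f"{name}: suspicious={verdict.suspicious} targets={verdict.targets}")
        for reason in verdict.reasons:
            print("   -", reason)
```

The parser deliberately keeps going past junk, because that is what Windows did before the Vista SP2 change: the padding is invisible to the operating system but very visible to a scanner that counts it. An execution target on its own is not a finding (a legitimate installer CD has `open=setup.exe` too); the verdict turns on the obfuscation signals and on targets that call a script host or loader.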

MBR worms made a comeback in early 2010, with upgraded viral mechanisms, BitDefender states. Late January saw the emergence of Win32.Worm.Zimuse.A, a deadly combination of virus, rootkit, and worm.

Regionally, China and Russia are the world's top malware distributors, the report says. "During the last six months, China [31 percent] has been the most active country in terms of malware propagation, followed by the Russian Federation [22 percent]. Both countries are known for their lax legislation regarding cybercrime, as well as for the plethora of 'bulletproof hosting' companies," such as the Russian Business Network, which has been officially terminated but remains extremely active in practice, the researchers say.

PayPal remains the top phishing target in the world, acting as the subject for 53 percent of attacks, BitDefender says. PayPal's parent, eBay, finished second with 16 percent.

Spam continues to be a problem for most companies, according to BitDefender. Most spam messages are used to sell pharmaceuticals -- in fact, medicine-related spam jumped from 50 percent to 66 percent in the first half, according to the report.

While Web-borne malware remains strong, cybercriminals are moving more toward Web 2.0 exploits, focusing on social networks, such as Facebook and Twitter, while also expanding their attacks on instant messaging systems, the researchers say.

04 May 2010

Trojan disguised as a toolbar for Facebook

A Facebook toolbar is just what you need to make sharing and connecting with friends easier, says an email supposedly coming from "Facebook.com":

If you decide to click on the download link, the downloaded file ("toolbar.exe") will present itself with an icon of a black ball with "darkSector" written on it. That should be enough to raise suspicion, and a look at the file properties should be in order:

Sure enough, the properties reveal a positive jumble of information that has no connection whatsoever to Facebook (HijackThis is a well-known piece of security software from Trend Micro).

But even if you wanted to download HijackThis, this isn't it. Symantec detects the file as a dropper Trojan and recommends that everyone take this simple step: check the properties of every file that looks suspicious for any reason or whose provenance you doubt. Oftentimes the attackers won't even bother to properly disguise the file they are sending, or will do it badly.

22 April 2010

Gray Powell, the lost iPhone and malware

The story of the day is Gray Powell and the lost iPhone. I searched for him on Google and I was really surprised to see that 4 out of 10 results from Google’s first page were links to malware.

If you click on any of those links, here is what you get:

Then you receive the classic "Your computer is infected" window that proved to be so lucrative for malware writers. The window looks like a real Windows application and many people get confused and run the malware.

I’ve downloaded and scanned the malware on virustotal.com. Here is the report. Basically, only 10 of the 41 antivirus engines on VirusTotal detected the malware. That’s only 24.4%, a pretty low detection rate for malware that appears on the first page of Google results for a hot topic. I think many people have already been infected by this.

The malware writers are pretty inventive; I think they’ve made an automated tool that automatically reads Google’s Hot Trends page or Twitter’s trending topics and generates pages containing malware with those terms/searches in the title and some description around them. Gray Powell is #13 on Google’s Hot Trends page right now.

It’s a very dangerous technique and I think Google should do something about it, otherwise a lot of people will get infected. Lately, Search Engine Optimization is being widely used for distributing malware. Pay attention before you click any of Google’s results. Don’t just read the page title and description, but also check the URL!

20 April 2010

Trojan disguised as Google Chrome extension

The announcement that Google Chrome is now the third most widely used browser wasn't lost on cybercriminals. They follow the crowd, and that explains the recent appearance of a bogus Google Chrome extension that purportedly enables access to documents from emails.

Malware City reports that the offer of downloading the extension comes to the users via email. If the user follows the link, he is taken to a look-alike of the Google Chrome Extensions page, where the "extension" is provided for download.

But one obvious indication that the file is not what it is supposed to be is its extension: instead of .crx, the file in question sports an .exe extension:

It turns out that it's a Trojan that messes with the Windows HOSTS file in such a way that every time the user wants to access Google and Yahoo webpages, he is redirected to malware-laden clones of the search sites.
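Because the resolver consults HOSTS before it asks DNS, a tampered file of this kind can be spotted by simply parsing it and listing every mapping for the domains being hijacked. The script below is an added example, not part of the Malware City report or of any vendor tool: it parses HOSTS the way the resolver does (comments stripped, several names per line, IPv4 and IPv6), reports each entry for the watched domains, and separates real redirects to a routable address from loopback "sinkhole" entries of the kind ad-blocking hosts lists create. The watched-domain list follows the post (Google and Yahoo), the sample file is constructed, and 203.0.113.10 is a documentation-range address standing in for the attacker's clone.

```python
"""Audit a Windows HOSTS file for hijacked search-engine entries (added example).

The Trojan described above rewrites HOSTS so that Google and Yahoo names
resolve to attacker-controlled clones.  HOSTS is consulted before DNS, so
the simplest check is to parse the file and list every mapping for a
watched domain, separating real redirects from loopback "sinkhole" entries
such as those used by ad-blocking hosts lists.
"""
import ipaddress
import os
from dataclasses import dataclass

# Domains the post says were redirected (assumption: apex plus all subdomains).
WATCHED_DOMAINS = ("google.com", "yahoo.com")
# Well-known HOSTS locations; only read if present on the machine running this.
HOSTS_PATHS = (r"C:\Windows\System32\drivers\etc\hosts", "/etc/hosts")


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    kind: str  # "redirect" (routable address) or "sinkhole" (loopback/unspecified)


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for each mapping, skipping comments and junk."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline and whole-line comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an address; the resolver ignores the line too
        for name in names:
            yield line_no, address, name.lower()


def is_watched(hostname: str) -> bool:
    """True for a watched apex domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> list:
    """Return a Finding for every HOSTS mapping that touches a watched domain."""
    findings = []
    for line_no, address, hostname in parse_hosts(text):
        if not is_watched(hostname):
            continue
        ip = ipaddress.ip_address(address)
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append(Finding(line_no, hostname, address, kind))
    return findings


# Constructed sample, not a real capture: 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_HOSTS = """\
# constructed HOSTS file for the example
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com
203.0.113.10    www.yahoo.com   # trailing comment is ignored
0.0.0.0         ads.example.net
garbage line without an address
127.0.0.1       mail.yahoo.com
"""

if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.kind})")
    for path in HOSTS_PATHS:
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                live = find_hijacks(fh.read())
            print(f"{path}: {len(live)} watched-domain entr{'y' if len(live) == 1 else 'ies'}")
```

On a clean machine the live check prints zero entries for both domains; any "redirect" finding means something other than DNS is deciding where the browser goes, which is exactly the condition the post describes.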

17 April 2010

New Mac Malware Variant Detected

Yesterday, Elinor Mills published an interview transcript in which hacker Marc Maiffret said, "[T]he Apple community is pretty ignorant to the risks that are out there." Today, one of those risks was made much harder to overlook, with a new variant of malware getting identified.

Intego, a company that deals exclusively in Mac security, announced in a press release that it's "discovered a new variant of a malware for Mac, called HellRTS, which, when installed on computers running Mac OS X, opens a backdoor that allows remote users to take control of infected Macs and perform actions on them."

It's possible that HellRTS is about to become rather common, too, given that Intego found it being distributed on more than a couple online forums.

The good news for Mac users/Maiffret critics is that Intego hasn't yet encountered a single HellRTS-infected Mac in the wild, so it's possible that the malware won't ever represent any sort of real threat.

One last note: Maiffret doesn't appear to bear even the faintest connection to Intego, so there's no need for anyone to worry too much about the timing of his comment and Intego's apparent substantiation of it.