::Trend Micro Threat Resource Center::

29 October 2009

Password Reset Email is New Facebook Virus

Facebookers alert! An email is circulating with an attachment that claims to contain your new Facebook password and prompts you to open it. Ignore the email and delete it.

Security firm MX Lab said in a blog post on Tuesday that it has detected a new Bredolab variant posing as a "Facebook Password Reset Confirmation." According to MX Lab, the From address in the email is displayed as "The Facebook Team", but this address is spoofed.

The attachment is named Facebook_Password_4cf91.zip and contains the file Facebook_Password_4cf91.exe. The part between the final underscore and .zip is chosen randomly and consists of letters and numbers.

The trojan is known as Trojan.Downloader.Bredolab.AZ (BitDefender), Bredolab.gen.a (McAfee) or W32/Obfuscated.D2!genr (Norman) and is detected by only 14 of the 41 AV engines at VirusTotal, MX Lab researchers said.

The body of the email is as follows:

Hey [random user name], Because of the measures taken to provide safety to our clients, your password has been changed.

You can find your new password in attached document.

Thanks,
The Facebook Team

According to MX Lab, Bredolab is a trojan horse that downloads and executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into the legitimate processes svchost.exe and explorer.exe. Bredolab also contains anti-sandbox code: the trojan may terminate itself when it detects that an external program is observing its behaviour.
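The email described above has three traits a mail filter can check for: a display name claiming to be Facebook on an address outside facebook.com, an attachment named with the Facebook_Password_ prefix and a random alphanumeric suffix, and a zip archive that carries an executable. The following script is an added example, not MX Lab's or Trend Micro's code. It builds a constructed sample message modelled on the reported one (the sender and recipient addresses are placeholders, and the .exe inside the zip is an inert dummy) and runs a small inspector over it that returns the reasons the message is suspicious.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment naming pattern from the report: fixed prefix, underscore,
# a random run of letters and digits, then .zip (case-insensitive).
LURE_NAME = re.compile(r"^Facebook_Password_[A-Za-z0-9]+\.zip$", re.IGNORECASE)
# File extensions that Windows will run directly if the user double-clicks them.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


def zip_executables(data: bytes) -> list[str]:
    """Return the names of executable files found inside a zip payload."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def inspect_message(msg: EmailMessage) -> list[str]:
    """Return the reasons a message looks like the password-reset lure (empty if clean)."""
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims Facebook, but the mailbox is not under facebook.com.
    if "facebook" in display.lower() and not (domain == "facebook.com" or domain.endswith(".facebook.com")):
        reasons.append(f"spoofed sender: '{display}' <{addr}>")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_NAME.match(name):
            reasons.append(f"lure attachment name: {name}")
        if name.lower().endswith(".zip"):
            exes = zip_executables(part.get_payload(decode=True))
            if exes:
                reasons.append(f"archive carries executable(s): {', '.join(exes)}")
    return reasons


def build_sample() -> EmailMessage:
    """Constructed sample modelled on the reported email; addresses are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = '"The Facebook Team" <service@example.invalid>'
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Facebook Password Reset Confirmation."
    msg.set_content(
        "Hey user, Because of the measures taken to provide safety to our clients, "
        "your password has been changed.\n\nYou can find your new password in attached document."
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Inert placeholder bytes, not a real program.
        zf.writestr("Facebook_Password_4cf91.exe", b"MZ placeholder, not executable code")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_Password_4cf91.zip")
    return msg


def build_clean_sample() -> EmailMessage:
    """A plain message with no attachment, for comparison."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Alice <alice@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Lunch?"
    msg.set_content("See you at noon.")
    return msg


if __name__ == "__main__":
    for reason in inspect_message(build_sample()):
        print("SUSPICIOUS:", reason)
    print("clean message reasons:", inspect_message(build_clean_sample()))
```

The domain check is deliberately narrow: it only fires when the display name invokes Facebook, so ordinary mail from other senders is untouched, while the archive check fires for any zip that holds an executable, which is the trait that matters regardless of the lure's wording.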

This email has also been documented to be a hoax here.

I would also recommend reading about other recent popular Facebook scams:
Click here for a more technical rundown of this trojan.

22 October 2009

Windows 7 - Improve your experience with these 77 tips

Windows 7 is set to debut on October 22, 2009.

These 77 tips will enhance security, performance, and functionality for this new operating system:

http://technet.microsoft.com/en-us/magazine/2009.10.77windows.aspx

QUOTE: Windows 7 may be Microsoft’s most anticipated product ever. It builds on Windows Vista’s positives, and eliminates many of that OS’s negatives. It adds new functionality, too—all in a package that is less resource-hungry than its predecessor.

At a Glance:
■ Make Windows 7 faster
■ Get more done with Windows 7
■ The best Windows 7 shortcuts
■ Securing Windows 7

21 October 2009

The dangers of exposing information on social networking sites

Here's an interesting podcast by Dr. Herbert Thompson, Chief Security Strategist at People Security, discussing why we should perform regular identity hygiene checks on social networking channels to avoid leaking sensitive information that can be used for identity theft (e.g. answering an email account's password reset questions).


20 October 2009

Fake Facebook, Fake Video, Fake CAPTCHA

Watching videos on Facebook is a popular activity, so it's not surprising to find dozens of fake copycat sites being used to infect unsuspecting viewers with malware.

Here's one fake Facebook site with a malicious JavaScript that uses the old "Flash Player upgrade installation" trick — but with a slight twist.

Read on to see how this is accomplished.

18 October 2009

Conficker Eye Chart (at a glance)

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites. Need to refresh your memory? Read these previous posts.

Here is a cool website to test if your computer is infected with this malware.

However, if you are using a proxy server, this test cannot give an accurate result: the requests are made through the proxy, so Conficker will be unable to block you from viewing the AV/security sites even on an infected machine.

16 October 2009

Researcher: Hackers Hijack Some Facebook Apps

Full time Facebookers take note.

A number of games and other applications built to be used on Facebook.com have been hacked so that users are quietly sent to sites that try to install malicious programs, a security researcher has found.

A number of the applications Thompson named in his research -- including one called Pass-it-On, and another called City Fire Department -- are no longer available on Facebook.com.

Full report here.

15 October 2009

Fake Anti-Virus Programs Hijacking Computers

Cyber criminals are becoming more aggressive in attempting to sell fake anti-virus programs known as rogueware. In addition, they are now combining rogueware with ransomware, hijacking users' computers and making them useless until the victims purchase the fake anti-virus program, according to a new report by PandaLabs.

The fake program that PandaLabs detected, called Total Security 2009, is being offered to victims for about $120. Victims can also buy "premium" tech support services for an additional $29. Users who pay the ransom receive a serial number that releases all files and executables, allowing them to work normally and recover their information.

The fake anti-virus, however, remains on their systems. PandaLabs has published a list of serial numbers that victims can use to unlock their computers, along with a video explaining how the scam operates.

Previously, when computers were infected by this type of malware, users would usually see a series of warnings prompting them to buy a paid version of the programs. The new method of selling rogueware blocks users' attempts to run programs or open documents, falsely displaying a message informing them that all files on their computers are infected and the only solution is to buy fake anti-virus.

"Users are often infected unknowingly - in most cases through visiting hacked Web sites. Once a computer is infected, it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge," said Luis Corrons, technical director of PandaLabs.

"Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake anti-virus. For this reason, on the PandaLabs blog, we have published the serial numbers required to unblock the computer if it has been hijacked. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake anti-virus."

14 October 2009

Free Security Tool Detects Malicious URLs On Twitter

The popularity of embedding shortened URLs into Twitter, Digg and other social media sites is being threatened by hackers who use the anonymity of these URLs to hide malicious websites.

AVG Technologies has released a free tool called LinkScanner that can detect the presence of malicious web pages. LinkScanner works by testing the destination of each URL in real time and does not use blacklists that quickly become outdated.

"People click with the intention of going to a specific site, but the link can be easily hacked to send people to a site containing Trojans, spyware, rootkits and other malware instead."

AVG says malicious web pages are the latest way that hackers and spammers deposit malware onto computers in order to steal passwords or recruit computers into botnets.

Computer users can become infected by clicking on a link, viewing an image, or sometimes just hovering their mouse over a banner. To avoid detection, hackers typically infect a specific web page for less than 24 hours before moving on.

13 October 2009

Adobe to patch exploited Acrobat flaw

Software firm Adobe announced on Thursday that it plans to plug a critical security hole in its Acrobat and Reader software, a hole which is currently being used to compromise PCs.

Calling the attacks "limited," the company stated in a blog post that the current exploit can be blocked by disabling JavaScript or, for Windows Vista users, by turning on Data Execution Prevention (DEP). The vulnerability will be fixed as part of Adobe's regular quarterly update scheduled for Tuesday, October 13, the company said.

"There are reports that this issue is being exploited in the wild in limited targeted attacks," the company said on its Product Security Incident Response Team (PSIRT) blog. "The exploit targets Adobe Reader and Acrobat 9.1.3 on Windows."

In May, Adobe moved to a quarterly patch schedule for its popular Adobe Acrobat and Reader software, citing criticism from security researchers. Yet, despite the fact that attackers are increasingly targeting popular third-party applications, such as Adobe's, companies are less quick to patch issues in the software, compared to fixing flaws in core operating system components, according to a report published last month.

In its latest advisory, Adobe credits Chia-Ching Fang and the Information and Communication Security Technology Center in Taiwan with helping disclose the vulnerability.

10 October 2009

Webmail phishing attack only the beginning

In the wake of this week's news reports of the large-scale webmail phishing attacks, much of the coverage has focused on the compromise of email accounts which, according to the numbers, affected a massive number of webmail users.

However, what has been glossed over is the potential impact on other aspects of the victims' online lives. The bad guys now likely have more than just access to users' email accounts; they have access to a host of other online services the victim uses.

"A user's unique email address is often used to authenticate a number of web sites, including social networking sites and Instant Messaging on a public IM network," said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec. "If your email address has been compromised, not only should you change the password there, you should also change it on any other site that uses that email address as a log in ID."

Once the bad guys have email account information and the will to take over related social networking accounts, all they need to do is use the password reminder links on the login pages, which send the reset to the mailbox they already control. They can then not only use your email to send spam, they can also gain access to other personal information stored online.

Over the last year, MessageLabs Intelligence has tracked a number of phishing attacks using Instant Messaging whereby the bad guys collected real IM user account information and passwords and used them to send commercial messages to everyone on the user's buddy list. An invitation to view a funny video or embarrassing pictures by clicking on a link in an IM was the bait and the landing site would then ask the victim to log in with their IM user name and password. For public IM networks, the user name is often the same as the web-based email account.

Phishing isn't the only way the bad guys can gain access to webmail accounts. MessageLabs Intelligence has observed an increase in the number of "brute-force" password-breaking attempts, where dictionary attacks are run against online webmail accounts, perhaps over POP3 or the webmail interface itself. Users with simple or weak passwords are the most vulnerable. On the webmail login page, an attacker will be asked to solve a CAPTCHA puzzle to prove they are a real person, but CAPTCHAs can be easily bypassed using a variety of CAPTCHA-breaking tools.

08 October 2009

Statistics of the Hotmail phishing attack

Bogdan Calin from Acunetix examined the passwords published after the Hotmail phishing attack, came to several conclusions and published some basic statistics.

His analysis yields statistics for the top 20 most common passwords and the distribution of password lengths across the list. See here.
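The two statistics mentioned above (most common passwords and the length distribution) are straightforward to compute from a leaked "account:password" dump, and a third, the share of digits-only passwords, is a quick indicator of how weak the set is. The script below is an added example, not Bogdan Calin's or Acunetix's code, and it runs on a constructed sample dump whose accounts and passwords are invented; none of them are entries from the published list.

```python
from collections import Counter

# Constructed sample in the "account:password" form. Invented values only;
# one junk line is included to show that malformed input is skipped.
SAMPLE_DUMP = """\
alice01@example.invalid:123456
alberto@example.invalid:alejandra
alex.b@example.invalid:123456
amanda@example.invalid:password
# junk line with no separator
andrea@example.invalid:alejandro
andy@example.invalid:123456789
anna@example.invalid:alejandra
ben@example.invalid:12345678
bob@example.invalid:123456
brenda@example.invalid:iloveyou
"""


def parse_dump(text: str) -> list[str]:
    """Extract the password field from each 'account:password' line, skipping malformed lines."""
    passwords = []
    for line in text.splitlines():
        _account, sep, password = line.partition(":")
        if sep and password:
            passwords.append(password)
    return passwords


def top_passwords(passwords: list[str], n: int = 20) -> list[tuple[str, int]]:
    """The n most frequent passwords with their counts, most frequent first."""
    return Counter(passwords).most_common(n)


def length_distribution(passwords: list[str]) -> dict[int, int]:
    """Map password length -> number of passwords of that length, sorted by length."""
    return dict(sorted(Counter(len(p) for p in passwords).items()))


def digits_only_share(passwords: list[str]) -> float:
    """Fraction of passwords made up only of digits (0.0 for an empty list)."""
    if not passwords:
        return 0.0
    return sum(p.isdigit() for p in passwords) / len(passwords)


if __name__ == "__main__":
    pwds = parse_dump(SAMPLE_DUMP)
    print(f"{len(pwds)} passwords parsed")
    print("top passwords:", top_passwords(pwds, 5))
    print("length distribution:", length_distribution(pwds))
    print(f"digits-only share: {digits_only_share(pwds):.0%}")
```

`Counter.most_common` keeps first-seen order among passwords with equal counts, so the ranking is deterministic for a given dump. On a real leak the same three functions apply unchanged; only the dump text differs.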

07 October 2009

Email Password Leak Swells - Includes GMail, AOL and YahooMail

Yesterday, when reports indicated that the passwords to certain Hotmail accounts had been published, we tried to play it safe by suggesting that all Hotmail users change their passwords.

Now, we're just going to recommend that everybody revisit those settings, as it seems that the passwords to Gmail, Yahoo, and AOL accounts have also been leaked.

The list was posted on the same site - pastebin.com - as the Hotmail-related one. (Although we should note that pastebin.com's owner doesn't appear to be in any way responsible for the spread of the info.)

Also, in case you were wondering, "BBC News has confirmed that many - including Gmail and Hotmail addresses - are genuine."

So be a little overcautious and change the passwords (and security questions/answers) to all of your email addresses.

06 October 2009

10,000 Hotmail Account Passwords Published Online

People with Hotmail accounts - and particularly people with Hotmail accounts beginning with the letter "a" or "b" - should change their passwords as soon as possible. A list containing about 10,000 account names and passwords has been published online.

Apparently the information was posted on pastebin.com on the first of this month. Tom Warren reports that the original post was deleted at some point, but people still managed to view it and spread the data around. So now an unknown number of hackers, scammers, and other bad guys may have the ability to access certain accounts.

What's more, even though the published list only covered email accounts starting with "a" and "b," the fact that everything was in alphabetical order implies that other lists exist. At any rate, the existence of a complete set seems no less likely than the proven existence of an incomplete one.

So again, change your password if you use Hotmail and haven't done so already. Pick a different security question (and answer), too, while you're at it, and maybe check your outbox for suspicious messages in case your account's been abused.

Microsoft has promised in a statement that it is investigating the problem, so hopefully the source of the account info leak will at least be identified and plugged.