Computer News & Safety – Harry Waldron Rotating Header Image

April, 2011:

ESET – Android Mobile Security product

It is becoming more critical to protect mobile phone security and ESET (a leading security and AV firm) has just developed a new beta version as noted below

ESET – Android Mobile Security product

QUOTE: As I have blogged about the Android platform a recurring comment has been “When will ESET have protection for my Android?” Well, I still don’t know when it will be available for sale, but for those who understand the risks involved with running beta software, have backed up all of their data on their Android devices and want to give it a spin, you can download the beta at

Also at that site is a link to provide feedback and bug reports!  By the way, for those of you like me who have a CDMA device (Verizon, Sprint, etc.) the SIM features do not work exactly right yet.

President Obama Birth Certificate and FAKEAV attacks

Major news stories like the Royal Wedding are often used to trick users into selecting links that will automatically download malware.  Please be careful on anything you select.

President Obama Birth Certificate and FAKEAV attacks

QUOTE: You probably saw that whole “Obama birth certificate” thing yesterday. You’re also aware this means hunting around for pictures of his birth certificate is going to result in Rogue AV files popping up. Big news stories will always result in a wave of Rogue AV in both regular search and image links, so be careful where you click (as much as you possibly can, at any rate).

McAfee Virus Scan DAT 6329 False Positive

A workaround has been published for this false positive affecting SAP connectivity software.

McAfee Virus Scan DAT 6329 False Positive

QUOTE: McAfee Labs have issued an alert that McAfee VirusScan DAT file 6329 is returning a false positive for spsgui.exe. This is impacting SAP telephone connectivity functionality

McAfee have a work around for the issue documented in KB71739

MSRT – Second release during April 2011 to fight Afcore botnet

Microsoft released a special Malicious Software Removal Tool update on Tuesday to better eradicate the Afcore botnet.  This is described below:

MSRT – Second release during April 2011 to fight Afcore botnet

QUOTE: The 4th Tuesday of the month is also a Patch Tuesday, though lesser-known. Microsoft issues non-security updates on almost every 4th Tuesday of the month, but this month has a surprise addition: An extra edition of the Malicious Software Removal Tool.  The updates released today fix a variety of problems and Microsoft is, as typical, vague about them. One addresses application compatibility problems; two are “reliability updates”; and two more “resolve issues” in Windows.

The last update is the MSRT. Microsoft always releases an MSRT on the first Patch Tuesday of the month, but this may be the first time they have released a second. This version is part of an ongoing effort to take down the Afcore botnet. Win32/Afcore’s authors released new variants at about the time of the last MSRT release 2 weeks ago. The new MSRT also includes updates for other malware families.

SONY Playstation Network compromised by hackers

Sony is currently evaluating it’s PSN services to determine the scope of a recent security breach by unauthorized users.

SONY PSN Service Outage

SONY PSN Blog to track future developments

SONY PSN Service Outage FAQ

QUOTE: Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please check should you have any additional questions.

Facebook – Avoid the New “Messenger” Application

Trend Micro reports that a new application called “Facebook Messenger” is being presented to users. Please avoid this malicious attack and be careful of any link or application presented to you in this social networking environment.

Facebook Events, Credits, and Passwords Being Used for Attacks

QUOTE: Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.  This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

The attack starts with spammed messages that look like a Facebook notification. The email message alerts the users about a message that has been sent to their Facebook accounts. It tells the users to click a link to view the said message. Clicking the message, however, displays a download page for an application called Facebook Messenger.

The downloaded file named FacebookMessengerSetup.exe is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. The nature of the commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version then sends the data it gathers to a certain SMTP.

FAKEAV – Advanced DLL-based attacks return in the wild

Trend Micro documents that DLL based FAKEAV attacks are circulating in the wild and that these infected systems are challenging to clean.

Fourth Generation FAKEAV DLL Based attacks return in the wild

QUOTE: One of the early generations listed in the paper can be recalled as the DLL-based FAKEAV (4th Generation) — a FAKEAV group that uses a DLL file to perform all the malicious routines, primarily to avoid being terminated easily. A few months ago, however, we saw this particular generation again making its rounds in the wild, one of which we detect as TROJ_FAKEAV.BTV

Trend Micro – Reasearch report on FAKEAV Threat

Fake Blog for Kate Middleton offers Fake AV malware

Sunbelt documents a fake blog site related to the Royal Wedding is actively loading FAKE AV attacks.

Fake Blog for Kate Middleton offers Fake AV malware

QUOTE: When she isn’t waving at babies, mingling with the commoners or appearing on Tumblrs she likes to set down some thoughts on her blog. She also wants you to check out her movie clip. Unfortunately, this movie clip can’t be viewed unless you update your version of Flash. Alarm bells ringing yet?   I’m not entirely convinced legit installs of Adobe Flash Player come from this inappropriate site, but in the mad dash to see some rich people larking about with money you’ll actually end up with AntiVirus AntiSpyware 2011 on your computer.

Microsoft – How to submit suspicious malware entries

Microsoft recently updated procedures for submitting suspicious entries for evaluation as follows:

Microsoft – How to submit suspicious malware entries

QUOTE: When you suspect that a file or a program is malicious, you can send the file to the Microsoft Research and Response team for analysis. Malicious files or programs (malware) may include viruses, spyware, worms, and adware.  You can use one of the following methods to send malware files to Microsoft for analysis:  

* Web-based submission
* Submission by Microsoft Customer Support Services
* Prompted Submission

SQL Injection Attacks – Corporate need to address weaknesses

SQL Injection attacks are a method where attackers can seed malware on a vulnerable site that may not be programmed with effective controls.  Sometimes input strings can be manipulated allowing unauthorized objects to be written to a public area on the server.  These objects can then be scripted in attacks so that users are redirected unknowingly to other malicious websites.  Corporations can address this will tools that identify vulnerable sites and having their developers strength controls to prevent automated attacks and seeding of malware.

SQL Injection Attacks – Corporate Need to address weaknesses

QUOTE:  SQL injection vulnerabilities have really been around for ages – the first reference I can remember of was Rain Forest Puppy’s article for Phrack 54 “NT Web Technology Vulnerabilities” that was published back in 1998 (yes – SQL injection is almost 13 years old!). However, as we can see from the examples that happened recently (and from many other cases – just take a look at the mass SQL injection attacks that are performed automatically by malware these days) SQL injection vulnerabilities are unfortunately here to stay.

So are the bad guys any better? Unfortunately, the answer is YES. When I get my hands on, I always try to analyze server side scripts that the bad guys use – these are usually scripts running on their C&C servers that help them control infected machine, issue and schedule tasks and so on.  So, if the bad guys can do it, we should be better to – so please use couple of minutes to educate your developers about the dangers of writing insecure code.