Zscaler Research: Randomization of code and binaries used by a fake antivirus website

Last week, I talked about heavy obfuscation being used by attackers to hide their HTML source code from detection. This time we came across an interesting fake antivirus website, which not only continually changes the source of the webpage but also the malicious binaries being used in the attack. This occurs when you revisit that same malicious site. The malicious site also changes certain strings used inside the animation sequences. For this blog, I have visited that site a few times in the span of a minute and collected the various source files and malicious binaries.

Umesh continues his discussion of fake AV sites, showing how the attackers are getting more sophisticated and introducing random changes to the attacks.

Zscaler Research: Heavy obfuscation used by fake antivirus websites

Just a few days back, I published a post discussing the popularity of fake antivirus websites in 2011. As I mentioned in the blog, attackers are continually creating new domains and websites promoting their fake software using various obfuscation techniques to hide their code from detection by IDS, IPS, antivirus, etc.

Great post from Umesh, continuing his discussion of the obfuscation used to try and hide malware sites from prying eyes and to sneak their payload through to unsuspecting browsers.

Zscaler Research: Facebook Likejacking, phishing and spam

Last Thursday, I wrote about Facebook Likejacking. Today, similar pages were brought to my attention. They use Likejacking to spread through user profiles using much more aggressive spam techniques.

The pages look like they come from Facebook. The teaser is a video that should be watched "only if you are 16 or older". The play button hides a Facebook Like widget.

More info on Likejacking from Julien Sobrier at Zscaler Research, with some current in-the-wild examples of what you'll see.

Zscaler Research: Analyzing PDF exploits for finding payloads used

We have written a couple of previous blogs which focus on an in-depth analysis of PDF exploits, as this is yet another technique used by attackers to package malicious code and avoid antivirus detection. We have also written in the past about different decoding filters used to hide the malicious code inside PDF files. In this blog, we will examine yet another in-the-wild PDF exploit which has hidden its malicious code under different objects. We will also identify the final payload used to carry out the attack.

A great analysis of a real life, in-the-wild PDF exploit.

Zscaler Research: Fake Security Software Websites – Still popular in 2011

Fake security software is a form of computer malware that misleads users into installing and potentially paying for fake security software. The sites convince users to download the malicious software by displaying fake security warnings such as “Your computer is infected” etc. End users are clearly not educated about such attacks, as the campaigns remain highly successful. Below is a short blog analyzing a recent infection on a friend’s machine to illustrate the problem.

Fake AV remains an effective way to distribute malware. Remember - if your browser suddenly pops up a window claiming to have found a virus DO NOT CLICK ON IT!

Zscaler Research: Trojan infection through Facebook

It’s no surprise to see Facebook becoming a primary focus for spreading malware. Attackers are leveraging Facebook as a means of reaching end users, delivering links in order to convince victims to click on them. The links deliver malware that allow attackers to access sensitive information or take control of a victim machine. Recently, I found such an incident where Facebook was used to spread a known Trojan.

With a user-base the size of Facebook, it's a tempting target for malware authors.

French gov infiltrated by data-hungry spear phishers - The Register

At least 150 computers used by the French government were breached after hackers used highly targeted spear-phishing emails to plant malware that monitored the machines for weeks before being discovered, according to published media reports.

A solid "defence in depth" approach is needed to combat these kinds of attacks:

Firstly, decent anti-malware on the email gateway. Granted, these kinds of attacks can be difficult to detect when they are very specifically targeted, but in many cases it's going to stop it dead, especially if the payload is actually included in the email content.

Second, a strong browser security offering can prevent the infection being delivered (if the email contains a link to the malware). If a system is already infected, outbound scanning of web traffic can prevent the bot from ever being able to contact a command & control server, rendering it inactive as well as flagging the infection.

IPv6 intro creates spam-filtering nightmare (The Register)

"While the arrival of IPv6 is likely to eliminate the usefulness of traditional IP-based blacklists, it is also likely to reduce the issues that arise from port-scanning of open relays and other vulnerabilities," Wood explained. "The IPv6 address space is so large it wouldn't be scalable from the bad-guys perspective – the returns will diminish over time."

The linked article is about how with a vastly expanded address space, it's going to become difficult for anti-spam providers to continue to block junk mail based on the source address. I think the hidden message here is that content analysis, while mentioned, is about to become a whole lot more important. Anti-spam solutions that rely too heavily on "reputation" are in danger of becoming irrelevant.

It's also interesting to note that the anti-spam vendors quoted in the article are in favour of enterprise customers not accepting mail on IPv6 connections. The cynic in me feels this is less about security, and more about the vendors not being able to provide an IPv6 product.

I think this is being blown a little out of proportion - even with a native IPv6 connection, it's still going to be possible to reverse resolve the address block and see that it belongs to (for example) an ISP providing cable modem connectivity. Yes, reputation filtering will need to change a little, but they'll still be able to do it.

Getting to the part I've quoted above... I think Paul Wood (from Symantec.cloud) has forgotten how things work "from the bad-guys perspective". Vast quantities of spam are generated via botnets. How hard is it going to be to deploy a new function out to all those zombies for them to do the IPv6 port scanning? This way it's costing the spammer nothing; they've offloaded the time intensive part to someone else.

If anything I think this article really highlights the need for effective security on the endpoints. Real-time analysis of inbound web content can stop the bots from being deployed in the first place. Examining outbound traffic can identify systems that are already infected and stop the command & control communication.
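The point above about per-address reputation losing its bite under IPv6, and the counter-point that block-level reputation still works, can be made concrete. The following is an added example written for this page; it is not code from The Register article or from any vendor quoted in it. The sender addresses are constructed (documentation prefix 2001:db8::/32), the spam/ham labels and the feedback loop are simulated, and the aggregation sizes (/64 for IPv6, /24 for IPv4) and the block threshold of two reports are assumptions chosen for the illustration, not values any real DNSBL uses.

```python
"""Per-address blacklist vs. per-prefix reputation under IPv6 (added example).

Scenario (constructed): a spam bot on a residential IPv6 line rotates its
source address inside the /64 the ISP delegated to that household, so it never
re-uses an address. A traditional exact-address blacklist learns each address
only after it has already delivered spam from it. A reputation score kept per
allocation-sized prefix keeps accumulating and eventually blocks the whole /64,
at the cost of also blocking a legitimate host that shares that prefix.
"""
import ipaddress
from collections import defaultdict

# Constructed sample traffic, in arrival order. One bot in
# 2001:db8:1234:abcd::/64 using a fresh interface identifier per connection,
# one legitimate sender elsewhere, and one legitimate sender sharing the
# bot's /64 (e.g. another device in the same household).
SAMPLE_CONNECTIONS = [
    ("2001:db8:1234:abcd:1::1", "spam"),
    ("2001:db8:1234:abcd:2::7f", "spam"),
    ("2001:db8:1234:abcd:3:dead:beef:1", "spam"),
    ("2001:db8:1234:abcd:4::9", "spam"),
    ("2001:db8:5678:1::25", "ham"),
    ("2001:db8:1234:abcd:ffff::1", "ham"),
]


class AddressBlacklist:
    """DNSBL-style exact-address listing: an address is listed after a spam hit."""

    def __init__(self):
        self.listed = set()

    def check(self, addr):
        return ipaddress.ip_address(addr) in self.listed

    def report_spam(self, addr):
        self.listed.add(ipaddress.ip_address(addr))


class PrefixReputation:
    """Score by allocation-sized prefix instead of by individual address.

    Assumed aggregation sizes: /64 for IPv6 (the unit typically delegated to an
    end site) and /24 for IPv4. A prefix is blocked once its score reaches the
    assumed threshold.
    """

    def __init__(self, threshold=2, v6_prefixlen=64, v4_prefixlen=24):
        self.threshold = threshold
        self.v6_prefixlen = v6_prefixlen
        self.v4_prefixlen = v4_prefixlen
        self.scores = defaultdict(int)

    def key(self, addr):
        ip = ipaddress.ip_address(addr)
        plen = self.v6_prefixlen if ip.version == 6 else self.v4_prefixlen
        # strict=False masks the host bits off so every address in the
        # allocation maps to the same network object.
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def check(self, addr):
        return self.scores[self.key(addr)] >= self.threshold

    def report_spam(self, addr):
        self.scores[self.key(addr)] += 1


def simulate(filt, connections):
    """Feed connections in order; every spam message the filter lets through
    is reported back to it (simulating a honeypot hit or a user complaint).
    Returns how much spam was blocked and how much ham was wrongly blocked."""
    blocked_spam = total_spam = false_positives = 0
    for addr, label in connections:
        blocked = filt.check(addr)
        if label == "spam":
            total_spam += 1
            blocked_spam += int(blocked)
            filt.report_spam(addr)
        elif blocked:
            false_positives += 1
    return {"blocked_spam": blocked_spam, "total_spam": total_spam,
            "false_positives": false_positives}


def run_comparison(connections=SAMPLE_CONNECTIONS):
    """Run both filters over the same traffic and return their results."""
    return {
        "per_address": simulate(AddressBlacklist(), connections),
        "per_prefix": simulate(PrefixReputation(), connections),
    }


if __name__ == "__main__":
    for name, result in run_comparison().items():
        print(f"{name:12s} blocked {result['blocked_spam']}/{result['total_spam']} spam, "
              f"{result['false_positives']} false positive(s)")
```

On the constructed traffic the exact-address blacklist blocks none of the four spam connections, because the bot never comes back from a listed address, while the /64-keyed score blocks the last two and, as the price of aggregation, also the legitimate host sharing that prefix. That trade-off is the part that "reputation filtering will need to change a little" hides: the aggregation size has to match how the provider actually delegates space, which in practice comes from allocation and reverse-DNS data rather than a fixed prefix length.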