CA Security Advisor Research Blog

Italy: Prime Minister Subject of Spam?

Rossano Ferraris — Mon, 29 Jun 2009 09:42:00 GMT

Spammers have used the recent political controversy that surrounds the Italian Prime Minister Silvio Berlusconi to lure and trap Italian speaking people via an email spam (see Figure 1 and Figure 2). Italian people who love gossip about public people may be particularly susceptible to this type of email. Figure 1 - Spammed Email The English translation is: “Have you seen what our Prime...

Malware finds refuge in school

Aaron Faloon — Mon, 29 Jun 2009 03:37:00 GMT

This week in CA Research Labs as we were receiving new variants of the popular Bancos Trojan we were able to make a successful attempt at tracing one of these variants back to its distribution point. This distribution point is a web server located in the state of New Jersey in the United States of America. The web server is associated with a local school in the area and is used to host it’s...

Malware using the _OLD_ New Executable file format

Zarestel Ferrer — Tue, 23 Jun 2009 05:20:00 GMT

It is surprising to see 16-bit Windows-based malware now that we have 64-bit technology. Recently we encountered a malware that uses the 16-bit New Executable file format and we detect it as Win16/Tanglinko.A. ...

Fake Microsoft Updates coming back?

Rossano Ferraris — Tue, 16 Jun 2009 09:22:00 GMT

It’s been awhile since I saw a fake update email which looked like it came from Microsoft security laboratories. Some people complained to me about a strange email that asked the user to update their machines because of a recent outbreak of the well-known Conficker worm (see Figure 1 and Figure 2). Figure 1 - Fake Email (part 1) Figure 2 - Fake Email (part 2) Let’s take a look at the...

Koobface Re-Activated!

Ricardo Robielos III — Tue, 16 Jun 2009 05:17:00 GMT

Social networking sites are extremely popular these days and, not surprisingly, the latest variant of Win32/Koobface is still taking advantage of this popularity by using these sites as an attack vector. A variant of Koobface is currently active (as of this posting), sending massive spam messages in several social networking sites such as FaceBook.com, MySpace.com, Friendster.com, Hi5.com,...

Prevalence of Mac Threats

Methusela Cebrian Ferrer — Mon, 15 Jun 2009 04:27:00 GMT

“A picture’s worth a thousand words” – Chinese proverb Figure 01 – Visualizing OS X threat internet distribution For the past couple of days, I have noticed...

Different Strategies of Win32/FakeAV

Mary Grace Gabriel — Fri, 12 Jun 2009 05:57:00 GMT

CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV. I encountered an interesting sample of Win32/FakeAV recently, because it is not the usual Rogue Antivirus applications we come across in our labs. This time around, this...

Invitations from Fruspam

Ricardo Robielos III — Thu, 11 Jun 2009 07:56:00 GMT

A new Email is circulating disguising itself as a legitimate email from Twitter, Hi5, Amazon and Hallmark. This email has an attachment containing a mass mailing worm and also has the capability to propagate via Peer to Peer (P2P) application such as Limewire, Tesla, WinMX, FrostWire and Grokster. We detect this mass mailing worm as Win32/Fruspam variant. Sample Emails are the...

Wire Transferred Malware

Kenneth Yu — Wed, 10 Jun 2009 08:02:00 GMT

Recently, we have received several emails that seem to target specific companies, advising them on the progress of a wire transfer that they have supposedly followed up on. Figure 1 below shows a sample email. ...

We’ve Got Your Postal Tracking Number!

Ricardo Robielos III — Tue, 02 Jun 2009 00:53:00 GMT

Recently at CA Research Labs we have received many spammed emails containing a malicious attachment. This spam disguises itself as a notification email from the United Parcel Service of America (UPS), advising you that the package you sent could not be delivered. The email contains the following Body: Hello! We were not able to deliver postal package you sent on the 14th of May in time because...

The Allure of Social Networking

Methusela Cebrian Ferrer — Mon, 01 Jun 2009 00:54:00 GMT

According to the Nielsen report Global Faces and Networked Places “social networking has been the global consumer phenomenon of 2008. Two-thirds of the world’s internet population visits a social network or blogging site and the sector now accounts for almost 10% of all internet time”. The report also suggests that interest in social networking has surpassed the popularity of emails. From an...

Trojan Downloaders – Crimeware perpetrators

Zarestel Ferrer — Fri, 29 May 2009 01:53:00 GMT

Trojan downloaders have become one of the main malware categories to dominate CA’s malware collection this year. Most of the malware is very small, some may say lightweight, and its only purpose is to download other malware. Multiple Downloads If a system is infected with malware that has “downloader” capabilities, it’s highly likely that the malware will fetch some more to...

Windows Shortcut .LNK - Another Misused File Format

Methusela Cebrian Ferrer — Thu, 28 May 2009 02:44:00 GMT

Amidst the bulk of malicious executables we deal with everyday, there’s an interesting attack vector using Windows Shortcuts - referred to as LNK files due to their file extension of .LNK. These are small files that contain information such as the name and path of the target program it represents. Additionally, LNK files can also store information about the file attributes of its target program,...

Spyware Protect 2009 copies malware descriptions

Zarestel Ferrer — Thu, 28 May 2009 02:19:00 GMT

Rogue security software often use skins to change its Graphical User Interface (GUI). This is so a new version can be easily created once the previous version is easily recognizable as fake security software. Sometimes the GUI is a replica of legitimate security software to trick unsuspecting users. Aside from GUIs, rogue security software also illegally copy malware descriptions from the...

Double Jeopardy with Privacy Center

Zarestel Ferrer — Wed, 20 May 2009 04:25:00 GMT

...