Tuesday, February 16, 2010

Hotmail Users Look for Answers in Dangerous Places

An outage of the Windows Live ID service affected a large number of MSN users today including users of the popular Hotmail email service. Hotmail is one of the largest web based email outlets and not surprisingly news of the outage spread quickly as users were not able to access their email.

Those hoping to find more information on Google may have ended up with more than they bargained for. Blackhats have once again worked their magic to infect users looking for news related to the outage. In fact, 8 out of the top 10 results for “hotmail service unavailable” returned dangerous URLs.

At the time of writing, Google Trends shows this as one of the top searches of the day. Other dangerous searches include “hotmail down” and “hotmail not working”, both of which also returned malicious URLs that can infect a visitor’s computer with malware.

As an added twist, some results direct users that revisit the same page to a fake download site. The user is asked to download hotmail_down.rar, but not before entering their credit card information.

eSoft has detection for many of these sites and is flagging any new sites into their appropriate security category to protect SiteFilter users.

Saturday, February 6, 2010

IRS Tax Avoidance Scam

Today, eSoft is alerting customers to a new targeted email scam. This newest twist on the common IRS email scam appears to be aimed at organizations, notifying the recipient that a tax evasion complaint has been filed against the company. Opening the attached file infects the user's machine with dangerous trojans that monitor the infected machine, report back to the attacker and download other malicious payloads.

An example of the fraudulent email is below; it prompts the user to open the "balance report" attachment. Because the attachment appears to be a Word file, most users will readily trust it and open it to find out more.

The file is actually in Rich Text Format (RTF) and contains a hidden executable. Upon opening the file, an error is reported and the user is asked to double click to restart Word. Doing so opens the executable as shown below, and most unsuspecting users will allow the malicious file to run.
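A defender's way to triage an attachment like the one described above is to look for the embedded OLE object that an RTF file uses to carry a foreign binary. The following Python scanner is an added example, not eSoft's tooling or the real attachment: it walks every `\objdata` group in an RTF document, decodes the hex payload, and reports whether the payload carries an "MZ" executable header and the usual DOS stub text. The sample RTF, its OLE1-style header bytes and the fake PE bytes are constructed for the example.

```python
import re
import string

# Constructed sample RTF (not the page's attachment): one \objemb OLE object whose
# \objdata hex payload carries an "MZ" header and the usual DOS stub text.
OLE1_HEADER = bytes.fromhex("01050000020000000b000000")  # constructed OLE1-style header
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode."
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Balance report attached.\par"
    r"{\object\objemb\objw100\objh100{\*\objclass Package}"
    r"{\*\objdata " + (OLE1_HEADER + FAKE_PE).hex() + "}}"
    r"}"
)
# A benign RTF with no embedded object, for comparison.
BENIGN_RTF = r"{\rtf1\ansi\deff0 Quarterly balance report.\par}"

DOS_STUB = b"This program cannot be run in DOS mode"


def extract_objdata_blobs(rtf_text):
    """Decode the hex payload of every \\objdata group in the RTF text."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf_text):
        depth, i, hexchars = 1, m.end(), []
        # Walk forward until the group that holds \objdata closes.
        while i < len(rtf_text) and depth > 0:
            ch = rtf_text[i]
            if ch == "\\":
                # Skip a control word/symbol so its letters are not read as hex digits.
                i += 1
                while i < len(rtf_text) and rtf_text[i].isalnum():
                    i += 1
                continue
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            elif ch in string.hexdigits:
                hexchars.append(ch)
            i += 1
        hexstr = "".join(hexchars)
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # drop a dangling nibble rather than fail
        if hexstr:
            blobs.append(bytes.fromhex(hexstr))
    return blobs


def scan_rtf(rtf_text):
    """Report embedded-object indicators found in an RTF document."""
    report = {
        "embedded_object": bool(re.search(r"\\objemb\b", rtf_text)),
        "objdata_blobs": 0,
        "mz_offset": None,   # offset of the first "MZ" header inside any payload
        "dos_stub": False,   # DOS stub string present in a payload
    }
    for blob in extract_objdata_blobs(rtf_text):
        report["objdata_blobs"] += 1
        mz = blob.find(b"MZ")
        if mz != -1 and report["mz_offset"] is None:
            report["mz_offset"] = mz
        if DOS_STUB in blob:
            report["dos_stub"] = True
    # An embedded object whose payload starts an executable is the pattern described above.
    report["suspicious"] = report["embedded_object"] and report["mz_offset"] is not None
    return report


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

The scanner deliberately does not try to run or extract the object; the point is that the presence of `\objemb` together with an executable header in `\objdata` is enough to quarantine the message for analysis, regardless of the `.doc`-looking file name.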


Two processes, microsoft.exe and wks.exe, are started and added to Windows startup so that they run on subsequent boots. These processes send data back to the attacker over HTTP connections to their call-home destination. eSoft is flagging these sites as Malicious to protect any victims of this attack.

These call-home destinations are even disguised as a Google search page, so that web filtering companies and automated classifiers that judge a site by its appearance would categorize it as a search engine rather than as malicious.
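The disguise described above defeats classification by page appearance, but it leaves a simple inconsistency a proxy log review can catch: a page that presents itself as Google search served from a host that is not a Google domain. The Python below is an added example, not eSoft's SiteFilter logic; the log lines, their format (time, client, URL, page title) and the short allowlist of Google hosts are constructed for the example.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the page). Fields: time, client, URL, page <title>.
SAMPLE_LOG = """\
2010-02-06T10:01:02 10.0.0.15 http://www.google.com/search?q=balance+report Google
2010-02-06T10:01:09 10.0.0.15 http://203.0.113.7/search?q=MTIzNDU2 Google
2010-02-06T10:02:30 10.0.0.22 http://intranet.example.net/reports/q1.html Q1 Reports
2010-02-06T10:03:44 10.0.0.15 http://g00gle-search.example.org/search?q=aGVsbG8 Google
2010-02-06T10:04:10 10.0.0.22 http://www.google.co.uk/search?q=weather Google
"""

# Illustrative allowlist of genuine Google search hosts; a real deployment would carry
# the full list of Google country domains.
GOOGLE_SUFFIXES = ("google.com", "google.co.uk")


def is_google_host(host):
    """True when the host is a Google domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def looks_like_google_search(path, title):
    """Appearance test: Google's title or Google's /search path layout."""
    return title.strip().lower() == "google" or path.startswith("/search")


def parse_line(line):
    """Split one constructed log line into its fields; the title may contain spaces."""
    time, client, url, title = line.split(" ", 3)
    parts = urlsplit(url)
    return {"time": time, "client": client, "host": parts.hostname,
            "path": parts.path, "title": title}


def find_lookalike_search_pages(log_text):
    """Return records that look like Google search but are served by a non-Google host."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if looks_like_google_search(rec["path"], rec["title"]) and not is_google_host(rec["host"]):
            hits.append(rec)
    return hits


def beaconing_clients(hits):
    """Count lookalike contacts per client; repeated hits from one host suggest a call-home loop."""
    return dict(Counter(h["client"] for h in hits))


if __name__ == "__main__":
    found = find_lookalike_search_pages(SAMPLE_LOG)
    for rec in found:
        print(rec["time"], rec["client"], "->", rec["host"], rec["path"])
    print("clients with lookalike contacts:", beaconing_clients(found))
```

The appearance test is intentionally loose (a Google title or a `/search` path is enough); the strength of the check comes from the host comparison, which is exactly the property a look-alike page cannot fake.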


At the time of writing, VirusTotal reports only a 25% detection rate on the most recent samples.

Users should be very cautious with any unsolicited emails, particularly those containing an attachment. The IRS will never email you if they need to contact you, and any emails appearing to come from them are very likely malicious scams. As noted on the IRS website, "The IRS does not initiate taxpayer communications through email."

Tuesday, February 2, 2010

Fake Firefox Update Pages Push Adware

Since its release on January 21st, the newest version of the Firefox web browser has received a great deal of attention. In just a short time it has achieved over 30 million downloads. Adware pushers are capitalizing on the success of Firefox, packing ad-serving software in with the program in an effort to increase their reach.

Purveyors of spyware and adware will try to take advantage of well-known programs, illegitimately bundling their software into the installer of the popular software. These programs are also commonly referred to as Potentially Unwanted Programs (PUPs); their content is not necessarily malicious, but it is almost never wanted by the user. This type of software is often used to collect information about the user without the user's knowledge or consent.

The latest example is found on the fake Firefox download site below. The page is cleverly disguised with the appearance of a legitimate Firefox download site and could easily fool many users hoping to upgrade.

Taking a closer look reveals clues to the fraudulent page. While the page advertises version 3.5, the newest version is actually 3.6. There are also misspellings such as “Anti-Pishing” in the title of the security section.

Victims of this scam install the “Hotbar” toolbar by Pinball Corp, formerly Zango. Not only are users subject to the annoying toolbar, they're also barraged with pop-up ads and host to a new Hotbar weather application running in the system tray.

It should be noted that the owner of the fake Firefox site above is most likely not associated with Pinball Corp and is only using its pay-per-install ad network for fast cash. Pay-per-install affiliate programs reward referring sites that generate installs of their programs, with Pinball paying as much as $1.45 per install.

Always take care when installing any software and ensure that it is downloaded directly from the publisher whenever possible. Users looking to upgrade Firefox should go to the real download site at http://getfirefox.com.

Blocking the Spyware and Malicious Sites category protects eSoft SiteFilter customers from this site and others like it.