Kovter becomes almost file-less, creates a new file type, and gets some new certificates

Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter’s persistence method and some updates on their latest malvertising campaigns. New persistence method Since June 2016,…

4

Upatre update: infection chain and affected countries

Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking on a link or opens an attachment contained in a spam email. Since January 2015,  we have seen spam emails commonly distributed by variants of the Hedsen and Cutwail malware families. Upatre’s malicious actions vary, but…

3

Extracting the fare

When malware is found lurking on a system, quite often it isn’t acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain — for instance, hijacking a browser’s search results, or using rogue security software to extract payments from affected…

0

Are you beta testing malware?

This post is part one of two. Popular games are often used by malware writers as social engineering bait as documented in previous blogs (“Dota Players Own3d” and “Keeping Kerrigan From Infection”). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files:…

0

Keep your Facebook friends close and your antivirus closer

Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on…

0

Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation

About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory (APSA11-02). It all started with spam emails enticing users to…

0

Trojan downloader Chepvil on the UPSwing

A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week.  The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd…

0

How to defang the Fake Defragmenter

We are tracking the trails of this fake “System Defragmenter” software since its first appearance last October 2010, and have warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers. The fake system defragmenter family (FakeSysdef) is…

0