Wednesday, 31 March 2010

FW: NEWSBANK: F-Secure April Fool's: Product Announcement from the Lab


-------------------------------------------
From: Paul Ferguson (RD-US)
Sent: Thursday, April 01, 2010 2:40:29 PM
To: Newsbank
Subject: NEWSBANK: F-Secure April Fool's: Product Announcement from the Lab
Auto forwarded by a Rule


Product Announcement from the Lab

Posted by Mikko @ 05:53 GMT | Comments


F-Secure Labs is launching a new feature in Browsing Protection today.

Web security has become increasingly important over the last few years and we've already developed various protection mechanisms to keep our customers safe against exploits, phishing attacks, and drive-by-downloads. However, there's still more that we can do against some of the most sinister of attacks.

In development for more than two years, we're now releasing completely new technology that will warn our customers whenever they click on a "Rickroll" link.

Never again will our customers unknowingly visit the infamous video of Rick Astley performing "Never Gonna Give You Up".

F-Secure Rickroll Protector

The new feature is called F-Secure Rickroll Protector. The technology is based on advanced image recognition analysis that monitors HTTP traffic for signs of bright red pompadours.

For more details, please follow this link.

 

http://www.f-secure.com/weblog/archives/00001924.html

 

Enjoy. :-)

 

-ferg

 

 

--

"Fergie", a.k.a. Paul Ferguson

 Threat Research,

 CoreTech Engineering

 Trend Micro, Inc., Cupertino, California USA

 

 

FW: NEWSBANK: Sophos technical paper: SEO poisoning attacks


-------------------------------------------
From: Joahnna Hipolito (AV-PH)
Sent: Thursday, April 01, 2010 1:49:06 PM
To: Newsbank
Subject: NEWSBANK: Sophos technical paper: SEO poisoning attacks
Auto forwarded by a Rule


Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware.

 

http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf

 

FW: NEWSBANK:: Google to leave Australia over 'evil' filter (April Fool's)


-------------------------------------------
From: Paul Ferguson (RD-US)
Sent: Thursday, April 01, 2010 8:34:53 AM
To: Newsbank
Subject: NEWSBANK:: Google to leave Australia over 'evil' filter (April Fool's)
Auto forwarded by a Rule


Google to leave Australia over 'evil' filter

 

Google will close its Australian operations, effectively blacklisting the country in response to the Federal Government's "evil" plan to filter the internet.

[Screenshot: Google Australia logo altered to read "Gooooone for good". Credit: ZDNet.com.au]

ZDNet.com.au has confirmed that the search engine giant will close its doors on Australia for good, effective immediately, marking the end of four years of its operation here and a long-running battle with the government over its plan to filter the internet.

Known for changing its famous logo to commemorate special occasions, Google's Australian site this morning featured a somewhat blunt statement on how the company viewed its place in the local market (see screenshot).

"We've already left China. That was clearly not a bluff and besides I couldn't take the food anyway," said Google CEO Eric Schmidt. "Oh yeah, and our company motto is always... I mean never ... wait, it's 'Don't Be Evil'. So we just can't be part of it."

Schmidt did however concede that it would be harder to leave Australia than China.

"It's a shame because our Sydney office has really nice views of the harbour. And have you seen our kitchen? I suppose Fairfax will want it now. Well, what's left of it anyway."

When asked for comment, Communications Minister Stephen Conroy was silent for a moment before shouting, "They can't blacklist us ... we've already blacklisted them!"

[Photo: Stephen Conroy. Caption: "Conroy was stunned". Credit: Ben Grubb/ZDNet.com.au]

Some Microsoft representatives were on hand outside Conroy's office to offer their thoughts on Google's departure — and to hand out the many "Bing" T-shirts they had brought along.

"Look, we believe in competition, and now that Google is leaving Australia we will be able to compete," a Microsoft spokesperson said.

While it's goodbye to Google for Aussies, the company will retain a local presence, according to Schmidt.

"We expect to continue operations in the region — just not in Australia", said Schmidt. "We'll probably move to another nearby country, like Tasmania or something."

 

http://www.zdnet.com.au/google-to-leave-australia-over-evil-filter-339302180.htm

 

 

Obviously it’s April 1st already in Australia. :-)

 

 

-ferg

 

--

"Fergie", a.k.a. Paul Ferguson

 Threat Research,

 CoreTech Engineering

 Trend Micro, Inc., Cupertino, California USA

 

 

FW: NEWSBANK :: Hey, Norton: why does Security Scan behave so much like the malware I remove?


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Thursday, April 01, 2010 8:01:52 AM
To: Newsbank
Subject: NEWSBANK :: Hey, Norton: why does Security Scan behave so much like the malware I remove?
Auto forwarded by a Rule


Hey, Norton: why does Security Scan behave so much like the malware I remove?

http://www.blogcdn.com/www.downloadsquad.com/media/2010/03/norton-ss-fail.jpg

Don't get me wrong. I don't hate Symantec by any stretch. In fact, I rather like Norton Antivirus 2010 -- it's their second really solid effort in a row after a string of releases I was less than enthusiastic about. What I don't like, however, is their free Security Scan.

Why? Because it behaves very much like the fake alert malware which causes my customers so much grief.

For starters, it piggybacks on the installers for other programs. Sure, it's usually opt-out, but since it's also checked off for installation by default it usually ends up coming along for the ride. If this really is worth installing, leave the checkbox blank and let customers opt in instead (as Chrome does during the Avast! installer).

Once it goes to "work," Security Scan tells me my son's system doesn't have a security product installed. That's untrue, of course, and the same thing fake alert programs do. NSS might not recognize Immunet Antivirus, but it's been doing a great job protecting the laptop from threats.



And then there's that big, nasty threat count. However, apart from Super Mario Forever (hey, my son's 5 and he loves it) being noted as a trust risk, nearly all of the 131 "threats" were actually cookies. No trojans. No keyloggers. No rootkits. But Security Scan doesn't make that distinction -- it just shows me a giant red circle with an X in the middle and tells me Your Computer is at Risk! Just like fake alert malware.

When I click the fix now button, what happens? I'm whisked away to a page where I can purchase Norton instantly -- very similar to the way rogues ask you to activate protection now to remove "infections." To make it worse, there's loud audio as some woman tells me their scan "may have uncovered some problems with [my] PC." Highly annoying.

When you launch Security Scan, there's a big ad offering full protection from Norton 360 since NSS offers detection only. Just like fake alert malware. Security Scan also seems to pop up throughout the day to repeatedly remind me about all these threats -- again, just like fake alert malware does.

When I exit Security Scan, I'm reminded that there are still "threats" on my computer. That I'm at risk. I'm asked if I'd like to get protected (on a nice, shiny button) or say no thanks (in unattractive plain text). Once again, just like fake alert malware.

http://www.blogcdn.com/www.downloadsquad.com/media/2010/03/fake-av-asdf.jpg

The image above is from an actual rogue antivirus program (one which has been around for ages). It's real, bona fide malware -- and Norton Security Scan sure appears to use similar tactics to encourage purchases.

Other antivirus providers -- Avast!, AVG, Avira, Immunet, and even Microsoft -- have found that providing actual protection for free is a great way to do business. Norton Security Scan might, in fact, do something useful, but it's nothing more than a bothersome scare tactic as far as I'm concerned.

 

http://www.downloadsquad.com/2010/03/30/hey-norton-why-does-security-scan-behave-so-much-like-the-malw/

 

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437

 

FW: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture


-------------------------------------------
From: Rolf Rennemo (PM-US-CTS)
Sent: Thursday, April 01, 2010 7:48:25 AM
To: Simon Ko (RD-US-CTS); Paul Ferguson (RD-US); Juan Castro (SAL-LA); Jenifer Olaco (AV-PH); Jill Yang (RD-TW)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture
Auto forwarded by a Rule


Simon,

 

We should be able to detect by Atlas and feedback once the pattern is out.

 

Rolf

 

From: Simon Ko (RD-US-CTS)
Sent: Tuesday, March 30, 2010 11:33 PM
To: Paul Ferguson (RD-US); Juan Castro (SAL-LA); Jenifer Olaco (AV-PH); Jill Yang (RD-TW)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

 

Hi Jen and Jill,

 

It appears we still have 7 undetected. Do we know when AM team will detect these? Once they detect them, is our WRS backend capable of picking up this hot off the oven AV pattern?

 

Simon++

 

From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 11:22 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

 

Correction:

 

We already detect: 18bc32bb8a8d5a85cdafad5a4ecc4c73

 

…as:

 

Trend Micro TSPY_Keylog

Trend Micro (Cons.)     TSPY_Keylog

Trend Micro (CPR) TSPY_Keylog

 

Trend Micro lpt961.zip  2010-03-31  03:00

Trend Micro (Cons.)     cvsapi959.zip     2010-03-30  03:15

Trend Micro (CPR) lpt960.zip  2010-03-30  22:45

 

-ferg

 

 

From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 11:19 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

 

Unfortunately, this is very bad – detect nothing, even though some have been out there for over a year.

 

35f5478e190cc6614a6a5d4f1f380855  Undetected
663267d3ed4af3582ea57ba03fb0da92  Undetected
18bc32bb8a8d5a85cdafad5a4ecc4c73  Undetected
7231b6c5ca6addd905db7677200833e2  Undetected
80ee23ede41504b1a83654334148306f  Cannot Obtain Sample
994ffae187f4e567c6efee378af66ad0  Undetected
5e289e10a2f3fe6b3080825f5dbf588f  Undetected
bae0fb25bcf05a5da7fde8dce759ee0d  Undetected
4cf8307cac714fe4f2cbc5d46f5cf243  Undetected
3f4ad41f10ec18a7f27f2339ee500dda  Cannot Obtain Sample

 

I am forwarding all obtained samples to AV_Query for processing now, and also trying to obtain the missing samples.

 

-ferg

 

 

 

From: Paul Ferguson (RD-US)
Sent: Tuesday, March 30, 2010 10:51 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

 

Checking…

 

-ferg

 

--

"Fergie", a.k.a. Paul Ferguson

 Threat Research,

 CoreTech Engineering

 Trend Micro, Inc., Cupertino, California USA

 

From: Juan Castro (SAL-LA)
Sent: Tuesday, March 30, 2010 10:48 PM
To: Newsbank
Subject: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

 

Hi All,

 

Do we have detections for the binaries mentioned in the Visa security alert?

 

http://usa.visa.com/download/merchants/key-logger-key-stroke-and-screen-capture.pdf?Mar292010

 

Filename        Size        MD5
bpkhk.dll       489,984     35f5478e190cc6614a6a5d4f1f380855
bpk.exe         1,090,560   663267d3ed4af3582ea57ba03fb0da92
bpk.exe         401,408     18bc32bb8a8d5a85cdafad5a4ecc4c73
bpkr.exe        747,520     7231b6c5ca6addd905db7677200833e2
fstsmtp.exe     1,560,661   80ee23ede41504b1a83654334148306f
xxx.exe         Unknown     994ffae187f4e567c6efee378af66ad0
SMTPListener    Unknown     5e289e10a2f3fe6b3080825f5dbf588f
dll32.exe       438,272     bae0fb25bcf05a5da7fde8dce759ee0d
ToolKeylogger   2,007,040   4cf8307cac714fe4f2cbc5d46f5cf243
ToolKeylogger   6,432       3f4ad41f10ec18a7f27f2339ee500dda

 

Regards

 

Juan

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437
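An IOC sweep over the filename/size/MD5 table from the Visa alert, as an added example that is not code from this thread or from Trend Micro: it hashes every file under a directory tree and reports an exact MD5 hit separately from a filename-only hit, since the alert's hashes match only the exact builds it lists (a repacked build gets a new hash, which is one reason a pattern can miss a sample that has "been out there for over a year"). The sample tree, the stand-in binary and the extra indicator appended for it are constructed here because the real samples cannot be shipped with an example.

```python
"""IOC sweep for the key-logger binaries in the Visa alert.

Added example (not code from the NEWSBANK thread or from Trend Micro).
Walks a directory tree, streams every file through MD5 and matches it
against the filename / size / MD5 table quoted in the thread.  The sample
tree below is constructed in a temp directory so the script runs offline.
"""
import hashlib
import os
import tempfile

# Indicator table as quoted in the thread (size None where the alert said "Unknown").
VISA_IOCS = [
    ("bpkhk.dll", 489984, "35f5478e190cc6614a6a5d4f1f380855"),
    ("bpk.exe", 1090560, "663267d3ed4af3582ea57ba03fb0da92"),
    ("bpk.exe", 401408, "18bc32bb8a8d5a85cdafad5a4ecc4c73"),
    ("bpkr.exe", 747520, "7231b6c5ca6addd905db7677200833e2"),
    ("fstsmtp.exe", 1560661, "80ee23ede41504b1a83654334148306f"),
    ("xxx.exe", None, "994ffae187f4e567c6efee378af66ad0"),
    ("SMTPListener", None, "5e289e10a2f3fe6b3080825f5dbf588f"),
    ("dll32.exe", 438272, "bae0fb25bcf05a5da7fde8dce759ee0d"),
    ("ToolKeylogger", 2007040, "4cf8307cac714fe4f2cbc5d46f5cf243"),
    ("ToolKeylogger", 6432, "3f4ad41f10ec18a7f27f2339ee500dda"),
]


def build_index(iocs):
    """Split the table into a hash set (strong) and a filename set (weak)."""
    md5s = {md5.lower() for _, _, md5 in iocs}
    names = {name.lower() for name, _, _ in iocs}
    return md5s, names


def md5_of(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries never sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, md5s, names):
    """'hash' for an exact MD5 match (the build the alert describes),
    'name' for a filename match with a different hash (a repacked or renamed
    build: worth a look, not a verdict), None for no match."""
    if md5_of(path) in md5s:
        return "hash"
    if os.path.basename(path).lower() in names:
        return "name"
    return None


def sweep(root, iocs=VISA_IOCS):
    """Return sorted (relative path, match kind) pairs for every hit under root."""
    md5s, names = build_index(iocs)
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            kind = classify(p, md5s, names)
            if kind:
                hits.append((os.path.relpath(p, root).replace(os.sep, "/"), kind))
    return sorted(hits)


def _write(root, rel, data):
    p = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree: a benign file, a file that matches by name only, and a
    stand-in 'sample' whose MD5 is appended to the IOC list because the real
    binaries from the alert cannot be shipped with this example."""
    root = tempfile.mkdtemp()
    _write(root, "notes.txt", b"nothing to see here")
    _write(root, "Windows/Temp/BPK.EXE", b"renamed payload with a new hash")
    sample = b"constructed stand-in for a key-logger binary"
    _write(root, "Users/pos/AppData/dll32.exe", sample)
    extra = [("dll32.exe", len(sample), hashlib.md5(sample).hexdigest())]
    return sweep(root, VISA_IOCS + extra)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"{kind:4}  {path}")
```

Point `sweep()` at a mounted image or a live volume with the unmodified `VISA_IOCS` list to check a host; treat `hash` hits as confirmed and `name` hits as candidates to submit for analysis, the way the undetected samples in this thread were forwarded to AV_Query.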

 

FW: NEWSBANK:: Oracle Releases Critical Patch Update for Java SE and Java for Business


-------------------------------------------
From: Paul Ferguson (RD-US)
Sent: Thursday, April 01, 2010 4:37:46 AM
To: Newsbank
Subject: NEWSBANK:: Oracle Releases Critical Patch Update for Java SE and Java for Business
Auto forwarded by a Rule


Oracle Releases Critical Patch Update for Java SE and Java for Business

added March 31, 2010 at 08:45 am

Oracle has released a critical patch update to address 27 vulnerabilities in Java SE and Java for Business. These vulnerabilities are in the following components: ImageIO, Java 2D, Java Runtime Environment, Java Web Start, Pack200, Sound, JSSE, and HotSpot Server.

US-CERT encourages users and administrators to review the critical patch update and apply any necessary updates to help mitigate the risks.

 

 

http://www.us-cert.gov/current/index.html#oracle_releases_critical_patch_update10

 

 

 

--

"Fergie", a.k.a. Paul Ferguson

 Threat Research,

 CoreTech Engineering

 Trend Micro, Inc., Cupertino, California USA

 

 

FW: NEWSBANK: Conficker fizzled a year ago, but headache remains


-------------------------------------------
From: Kristen Verdi (MKT-US-C)
Sent: Thursday, April 01, 2010 2:14:10 AM
To: Newsbank
Subject: NEWSBANK: Conficker fizzled a year ago, but headache remains
Auto forwarded by a Rule


Conficker fizzled a year ago, but headache remains

by Elinor Mills

 

A year ago, a variant of the high-profile Conficker worm was all set to stir, programmed to begin receiving update instructions on April 1, with potential consequences being anybody's guess.

 

Those fears were unfounded as the worm's worst impact appeared to be that it installed malware that displays fake antivirus warnings.

The time bomb failed to blow up, and the buzz died down. But a year later several variants of the worm are still around and growing, albeit slowly--causing problems for unsuspecting Windows users.

 

Conficker caused major headaches for CNET TV associate producer Jason Howell a few weeks ago at the SXSW Interactive show as he tried to edit and publish the Buzz Out Loud podcast.

 

Howell said that Conficker must have been hiding on a TriCaster video production device, which was running Windows, that Howell was using at the conference on loan from the manufacturer, NewTek. He inserted a USB thumb drive into the device and saw a window pop up for a split second before disappearing. "I thought that was weird," he said in an interview on Tuesday.

 

Then he put the thumb drive into his work laptop and got a warning from the antivirus software on the machine that Conficker was installed on the thumb drive. He had the software delete the malware from the USB before it could infect his laptop.

 

To confirm his suspicions, Howell re-inserted the thumb drive into the TriCaster device and back into the laptop several times and got the warning each time. The problem did not stop there. When he tried working on the TriCaster machine the system began crashing, he said.

 

"The only way to get Conficker off was to re-install the partition from the disk image," Howell said. "I had to wipe out the proprietary software and start from scratch."

Three hours later or so, he was finally able to get the Buzz Out Loud program up on the CNET Web site.

 

"NewTek cautions people not to install Windows software on the devices because it interferes with the hardware," which is likely what Conficker was doing, he said.

Howell was able to protect his systems, but many other people get infected and don't realize it. And it's popping up in some unexpected places. For instance, Spanish-based Panda Security found Conficker, along with malware related to the Mariposa account data stealing botnet and a Lineage password-stealing Trojan, on a brand new Android-based Vodafone HTC Magic smart phone in early March.

 

The ABCs (and E, too) of Conficker
The version of the worm with the April 1, 2009, trigger date, Conficker.C, is dying off, dropping from a high of nearly 1.5 million infections at the time to fewer than 220,000 now, according to Symantec estimates.

 

However, two earlier versions--Conficker.A and Conficker.B--are on an estimated 6.5 million computers, Symantec said.

 

Conficker.A, also known as Downadup, exploits a vulnerability in Windows that Microsoft patched in October 2008. Conficker.B added the ability to spread through network shares and via removable storage devices like USB drives, through the AutoRun function in Windows. Conficker.C blocks the computer from security services and Web sites, downloads a Trojan and reaches out to other infected computers via peer-to-peer networking.

 

A subsequent variant, dubbed Conficker.E, was released on April 8, 2009, but deleted itself from infected systems on or after May 3, 2009, according to Symantec.

To stay Conficker-free, computer users should keep their antivirus software up-to-date--a move that saved CNET's Howell--and install the latest security patches for Windows and other software.

 

Right now, the worm isn't really doing much more than spreading to new machines and lurking. It's a waiting game for law enforcement. Computer owners may not realize they have the worm on their machines, but security researchers know it's out there and are monitoring the Internet for signs of it coming to life, said Vincent Weafer, vice president of Symantec Security Response.

 

The infections are primarily on computers in emerging markets, like Asia and Latin America "where there is a higher degree of software piracy," he said in an interview on Tuesday. Pirated software can't be updated, so computers running counterfeit copies of Windows will remain unpatched, he said.

 

"Effectively, nothing has happened to these (infected) machines," Weafer said. "But that doesn't mean it won't happen...it's still a significant botnet (network of infected bots) sitting out there."

 

Most botnets are used to send spam and they are more effective if they operate under the radar so they can't be shut down. Conficker made a huge splash in the news, and it's likely that its creators have abandoned it and that it will eventually fade away, Weafer predicted.

 

"This is such a high-profile botnet that it makes it very toxic to use," he said.

 

http://news.cnet.com/8301-27080_3-20001449-245.html?tag=nl.e703

 

 

 

Kristen Verdi | Social Media Marketing Manager

10101 N. De Anza Blvd., Cupertino, CA 95014

Office: 408.863.6473 | Mobile: 408.332.4426

 

 

 

 

 


 

FW: NEWSBANK: Journalists' E-Mails Hacked in China


-------------------------------------------
From: Oscar Abendan (AV-PH)
Sent: Wednesday, March 31, 2010 8:09:52 PM
To: Newsbank
Subject: NEWSBANK: Journalists’ E-Mails Hacked in China
Auto forwarded by a Rule


Source: http://www.nytimes.com/2010/03/31/world/asia/31china.html?src=un&feedurl=http://json8.nytimes.com/pages/world/asia/index.jsonp

 

 

BEIJING — In what appears to be a coordinated assault, the e-mail accounts of more than a dozen rights activists, academics and journalists who cover China have been compromised by unknown intruders. A Chinese human rights organization also said that hackers disabled its Web site for a fifth straight day.

 

The infiltrations, which involved Yahoo e-mail accounts, appeared to be aimed at people who write about China and Taiwan, rendering their accounts inaccessible, according to those who were affected. In the case of this reporter, hackers altered e-mail settings so that all correspondence was surreptitiously forwarded to another e-mail address.

The attacks, most of which began last Thursday, occurred the same week that Google angered the Chinese government by routing Internet search engine requests out of the mainland to a site in Hong Kong. Google said the move was prompted by its objections to censorship rules and by a spate of attacks on Google e-mail users that the company suggested had originated in China.

Those cyberattacks, which began as early as last April, affected dozens of American corporations, law firms and individuals, many of them rights advocates critical of China’s authoritarian government.

The victims of the most recent intrusions included a law professor in the United States, an analyst who writes about China’s security apparatus and several print journalists based in Beijing and Taipei, the capital of Taiwan.

“It’s very unsettling,” said Clifford Coonan, the China correspondent for Variety magazine, whose e-mail account was rendered inaccessible last week after Yahoo detected that someone had gained access to it remotely. “You can’t help but wonder why you’ve been targeted.”

In an e-mail exchange, Dana Lengkeek, a Yahoo spokeswoman, declined to discuss the incidents, citing company policy. “We are committed to protecting user security and privacy and we take appropriate action in the event of any kind of breach,” Ms. Lengkeek said.

Kathleen McLaughlin, an American freelance journalist in Beijing who sits on the board of the Foreign Correspondents' Club of China, said the group has confirmed that 10 journalists, including herself, had their accounts compromised.

Like the others, she said she received a message from Yahoo on Thursday indicating that her account had been disabled because, according to an automated message, "we have detected an issue with your account."

She said she contacted Yahoo but has yet to receive an explanation of what happened. “Someone is clearly targeting journalists,” she said. “It makes me feel very uncomfortable.”

Yahoo, which in 2005 sold its China operations to the Chinese e-commerce company Alibaba, has faced criticism for cooperating with government security officials in the past. In 2004, Yahoo turned over data that officials used to help prosecute several dissidents. One, a journalist named Shi Tao, was later given a 10-year sentence for leaking a secret propaganda directive.

Although the company owns a 39 percent stake in Alibaba, Ms. Lengkeek, the Yahoo spokeswoman, stressed that Yahoo no longer has operational control over the China business.

Unlike Google and Microsoft, the company maintains servers in China, a factor that has driven many privacy-conscious Chinese away from Yahoo's e-mail services.

Computer security experts say infiltration of Yahoo’s e-mail service once again highlights the challenges that Internet companies face in protecting their customers from hackers.

Paul Wood, a senior analyst at the Symantec Corporation, said a growing number of malignant viruses were tailored to specific recipients, with the goal of tricking them into opening attachments that would insert malware onto their computers. Mr. Wood said his company, which designs anti-virus software, now blocks about 60 such attacks each day, up from 1 or 2 a week in 2005. “They’re very well crafted and extremely damaging,” he said.

A report issued by Symantec on Monday found that nearly 30 percent of attacks originated from computers in China; about 20 percent of those came from Shaoxing, a relatively obscure city in Zhejiang Province previously known for winemaking.

Mr. Wood and other experts point out that attacks appearing to come from a certain location can just as easily be emanating from computers infected with botnets, a virus that allows them to be controlled remotely by other computing systems.

It is this kind of rogue software that is probably responsible for crippling the Web site of Chinese Human Rights Defenders, a group that has been an assertive critic of China’s human rights violations. Since last Thursday, the group’s Chinese-language site has been overwhelmed by hackers flooding it with junk requests, a tactic known as denial of service. Although the site has been attacked before, the attacks did not last more than a few hours.

Renee Xia, the international director for the human rights group, said the assault began the same day the American company that is host to its site, Go Daddy, announced that it would stop registering domain names in China. “Maybe it’s a coincidence, but we don’t think so,” Ms. Xia said.

Google Finds New Cyberattack

SAN FRANCISCO — Google said Tuesday that it had discovered a cyberattack aimed at Vietnamese Internet users around the world. The attack was less sophisticated than those that originated in China and appeared to be aimed at Chinese human rights activists.

Google said the attack may have infected the computers of tens of thousands of people who downloaded Vietnamese keyboard language software.

An earlier version of this article referred incorrectly to the year in which Yahoo turned some data over to Chinese officials, and also to the company's relationship to Alibaba, the Chinese e-commerce company. The data was handed over in 2004, not 2006. In 2005, the company sold its China operations to Alibaba.

 

 

 

Gelo Abendan| Technical Marketing Team

TrendLabs Manila, Trend Micro Inc. 

Office: +63.2.995.6200: YM: ocamabendan

 

FW: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture

-------------------------------------------
From: Jamz Yaneza (RD-US)
Sent: Wednesday, March 31, 2010 4:56:12 PM
To: Paul Ferguson (RD-US); Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture
Auto forwarded by a Rule

Looks like we have all but 2 of these.
4 are already in pattern,
another 4 pending detection.

Here's the SMS report just now:
35f5478e190cc6614a6a5d4f1f380855 Undetected
663267d3ed4af3582ea57ba03fb0da92 Undetected
18bc32bb8a8d5a85cdafad5a4ecc4c73 SPYW_PERFLOG
7231b6c5ca6addd905db7677200833e2 Undetected
80ee23ede41504b1a83654334148306f No Sample
994ffae187f4e567c6efee378af66ad0 SPYW_PERFECT.AN
5e289e10a2f3fe6b3080825f5dbf588f Undetected
bae0fb25bcf05a5da7fde8dce759ee0d SPYW_PERFECT.AS
4cf8307cac714fe4f2cbc5d46f5cf243 SPYW_PCSPYKEYLOG
3f4ad41f10ec18a7f27f2339ee500dda No Sample


Cheers,
Jamz


TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

Tuesday, 30 March 2010

FW: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture


-------------------------------------------
From: Paul Ferguson (RD-US)
Sent: Wednesday, March 31, 2010 2:35:01 PM
To: Juan Castro (SAL-LA)
Cc: Newsbank
Subject: RE: NEWSBANK :: Visa Data Security Alert - Key Logger: Key Stroke and Screen Capture
Auto forwarded by a Rule


Second correction:

 

We also detect: bae0fb25bcf05a5da7fde8dce759ee0d

 

Trend Micro SPYW_PERFECT.AS

Trend Micro (Cons.)     SPYW_PERFECT.AS

Trend Micro (CPR) SPYW_PERFECT.AS

 

Trend Micro lpt961.zip  2010-03-31  03:00

Trend Micro (Cons.)     cvsapi959.zip     2010-03-30  03:15

Trend Micro (CPR) lpt960.zip  2010-03-30  22:45

 

 

I think that’s it, though.

 

FYI,

 

-ferg

 

 
