Friday, February 17, 2012

The Highlander Bot

Luis Corrons of PandaLabs has recently found an interesting take on a trojan malwarebot.

As with most malware, the attack begins with a suspicious email inviting the recipient to click a link to review an order confirmation for a bogus order.  The reader, even if aware that the order is bogus, may follow the link anyway to see where it leads.  In a typical course of action, the link asks the reader to download a piece of software to view the order, which is in fact the infection.  And, as with most infections, it will steal user data and send it back to its controllers.

The interesting twist is the Highlander angle: in a nod to the movie's premise of "there can be only one," the bot actually removes any other infections it finds.  In that manner, it ensures that it has complete control of the infected PC without having to compete with other pieces of malware.

Avoiding this type of infection involves exercising care in following links from emails.  Generally, if a vendor sends you a suspicious email, call the company to handle the situation; that way, if it is indeed a phishing email, they will tell you.  Alternatively, avoid following links to the vendor's website; instead, open up your web browser and navigate to the vendor's site yourself, then log in as you ordinarily would.  As always, ensure your antivirus and antimalware software are up to date, and do not hesitate to contact your IT provider if you receive something suspicious.

Thursday, February 16, 2012

The DNSChanger vs the FBI

In the ever-continuing battle against malware, the FBI may be shutting off some DNS servers around the country on March 8, 2012.  DNS servers are used to translate recognizable site names (like into IP addresses, which are read by your computer.

The problem is that some hackers in Estonia have managed to infect close to half a million PCs in the US with a DNSChanger attack.  By taking control of DNS, the attackers could then direct web traffic from the infected PCs to any sites of their choosing, often to malicious sites designed to spread more infections or gather personal data.

The FBI fought the attack by replacing the hackers' rogue DNS servers with legitimate ones, but the problem is that the court order keeping the legitimate servers online may expire.  If the legitimate servers are taken offline, infected PCs will then lose internet access.

As always, it is our recommendation to ensure your antivirus software is up to date and running.  Additionally, run Windows Update regularly to ensure that the latest security patches are installed.  Lastly, if at any point in time you attempt to visit a website and it redirects you to a suspicious website, contact your IT professional immediately.
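Because DNSChanger works by pointing a PC at the attackers' resolvers, the practical check is to compare the resolvers a machine is configured to use against the ranges published for the takedown.  The script below is an added example, not part of the original post or the FBI's tooling: it parses a resolver configuration in /etc/resolv.conf form (a constructed sample is embedded) and flags any nameserver that falls inside a rogue range.  The CIDR ranges in it are placeholders from the documentation address space, not the real DNSChanger ranges; substitute the published list before use.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space), constructed for this
# example.  Replace with the resolver ranges published for the DNSChanger
# takedown before using this as a real check.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample of a resolver configuration in /etc/resolv.conf form.
# On Windows the same addresses are listed under "DNS Servers" in the
# output of `ipconfig /all` and can be fed to parse_nameservers() after
# being reformatted as "nameserver <ip>" lines.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP client
search example.internal
nameserver 10.0.0.53
nameserver 203.0.113.7
"""


def parse_nameservers(text):
    """Return the IP addresses on 'nameserver' lines; comments and malformed
    entries are skipped rather than raising."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue                               # not a valid address, ignore
    return servers


def find_rogue_resolvers(text, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return, as strings, the configured resolvers inside a rogue range."""
    return [str(ip) for ip in parse_nameservers(text)
            if any(ip in net for net in rogue_ranges)]


if __name__ == "__main__":
    hits = find_rogue_resolvers(SAMPLE_RESOLV_CONF)
    if hits:
        print("Resolver(s) inside a rogue range:", ", ".join(hits))
    else:
        print("No configured resolver matches a rogue range")
```

A machine whose resolvers match is one that would lose name resolution when the substitute servers go offline, so that is the list to remediate before March 8.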

Thursday, February 2, 2012

"Validate your Mailbox" email scam

We have been notified that several health care providers and organizations have been targeted with an attempt to infiltrate the health care networks via an email scam.

The suspect messages are entitled "Validate your mailbox" and invite the reader to click a link inside the message.  The link leads to a site requesting account login information, including a username and password.

Please be advised that if you receive one of these messages, delete it immediately and remove it from your Deleted Items folder as well.  Do not read or open the message, or click on the link.

As always, we recommend not clicking on links in unsolicited email messages, and we encourage all email users to call their IT provider if they have any questions or confusion about a suspicious message.