February 7th will be a fun day indeed if you love the smell of Malware in the morning.

GFI SandBox 4.0 will make advanced malware analysis quicker and easier, and comes with a new Malware Determination Engine which will provide users with risk levels of “Low”, “Medium”, “High” or “Known” for each potential malware sample.

More over at Dark Reading.

Christopher Boyd

Of course, one doesn’t need to go hunting for a YouTube page for the URL. Here it is: http://www(dot)mediafire(dot)com/?i1o0fsa9t5gvpld.

Users visiting the page can readily download and extract the compressed file Pro Evolution Soccer 2012 Keygen. In it are three files: an HTML file, a text file, and another compressed file, which contains the key generator application. The text file doesn’t actually contain the password it claims to have. Instead, it contains a shortened URL users must visit to get the password from.

http://tinyurl(dot)com/64ad4m is actually http://lnkgt(dot)com/7RM, a survey page that users must answer before their password is given to them.

Unfortunately, after users fill in the survey, gets the password to be used to run the keygen, they inevitably end up installing malware on their systems. Not just any malware; it’s a rootkit: ZeroAccess, a sophisticated rootkit known for overwriting critical OS files. Luckily, almost all AV vendors detect this one. Take a look.

Do note that the MediaFire URL is also mentioned on other website platforms that allow the embedding of video clips (such as the one below).

The more the URL is out there, the more likely someone can and will install the rootkit onto their systems. Stay safe, everyone!

Jovi Umawing (Thanks, Matthew)

The Microsoft Security Response Center (MSRC)

We’ve received a lot of questions from customers about April 1, 2009 and the latest Conficker variant discovered earlier this month, Worm:Win32/Conficker.D (also known as Conficker.C or Downadup.C by some other companies). I wanted to let you know that we’ve put some new information up aboutConficker.D today from our work with our partners in the Conficker Working Group.

We hope this new information helps you better understand the current situation. While any malware attack is cause for concern, customers who continue to follow the  guidance we’ve always given, such as: apply security updates, update security software signatures and clean infected systems, should look at the latest version of Conficker like other malware attacks: a manageable cause for concern.

Since we announced our work with the Conficker Working Group and the $250,000 reward, a new version of Conficker was released, Conficker.D. Systems infected with Conficker.D are systems that were once infected with Worm:Win32/Conficker.B. This new version, Conficker.D, does not spread by attacking new systems.

The April 1, 2009 date that has been talked about recently refers to the date when these systems infected with Conficker.D will start trying to contact domains on the Internet, presumably for new instructions. This is identical behavior to what these systems did when they were infected with Conficker.B. What’s different between Conficker.B and Conficker.D is that the domain generation algorithm that I talked about in my February 12, 2009 posting has been changed. The new algorithm generates a larger pool of possible domains than the original one. You can get more details on this over at the Microsoft Malware Protection Center (MMPC) weblog.

While Conficker.D will start trying to contact a new pool of possible domains on April 1, 2009, we at Microsoft and our colleagues in the Conficker Working Group will continue doing what we’ve been doing throughout: working together on a daily basis to share information and take coordinated actions to help disrupt Conficker. In fact, we’ve already been taking actions against Conficker.D like we have againstConficker.B.

Just like we’re staying constant and focused in our actions against Conficker, all of us encourage customers to stay constant and focused in their actions: ensure your systems are updated with MS08-067, keep your security software signatures updated, and clean any systems you identify that are infected with any version of Conficker.

My colleagues over in the Microsoft Malware Protection Center (MMPC) have more detailed information onConficker.D on their weblog. Also, some of our partners in the Conficker Working Group have posted some information about Conficker.D and the importance of staying constant and focused in combating it. A sampling of some of the information our partners have posted includes:

· F-Secure

· Secureworks

We’ll all be here working to protect customers from Conficker and other threats on April 1, 2009, just like we are today, and we will continue to be here after April 1, 2009. And of course, we’ll update our weblog as we have new information and our partners will do the same.

Thanks.

Christopher

*This posting is provided “AS IS” with no warranties, and confers no rights.*

Newer versions of scareware family Antivirus2009 warn users in a fake Windows alert that files in the “My Documents” folder are corrupt. The program them directs the victim to download a program called “FileFixerPro” to fix the supposedly corrupt files.

In fact, this version of Antivirus2009 encrypts or scrambles contents of documents in that folder, so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder.

A number of security forums have chronicled the rise of this nasty development in scareware evolution. This thread, over at the “devshed” Web development forum, includes cries for help from a number of people who have apparently had their documents scrambled by this threat.

There is good and bad news here. The good news is the nice folks over at BleepingComputer.com, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won’t help get a victim’s documents back.

But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder.

This is the first time I’ve ever heard of scareware being bundled with so-called “ransomware,” but to some extent, purveyors of these scareware programs have been holding host systems hostage for several years now, bombarding users with incessant and increasingly deceptive messages about non-existent threats on the user’s system, prompts that only stop once the victim has relented and agreed to pay a license for the scareware program.

This is an alarming new feature for scareware, which is one of the fastest-growing families of online threats out there today. According to a report released today by the Anti-Phishing Working Group, an industry consortium aimed at tackling cyber crime, the number of new rogue security programs increased 225 percent from 2,850 in July to 9,287 in December.

Alas, there is even more bad news: The crooks behind this scam could begin incorporating more robust encryption.

“If they had used a strong encryption method, such as something based on openssl toolkit, there wouldn’t be a prayer of decrypting the files without paying,” Lanstein said.

By Brian Krebs

The authors of the latest variant of the Conficker worm are upping the ante against security vendors who are working to stop the spread and threat of the persistent program.

Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also is programmed to begin connecting to 50,000 different domains on April 1 to receive updated copies or other malware, as opposed to connecting to 250 domains a day as previous versions are doing, Ben Greenbaum, senior research manager for Symantec Security Response, said on Friday.

The authors of the code are “strengthening their hold on their collection of infected machines at the same time they are attempting to strengthen their ability to control those machines by moving to 50,000 domains,” he said.

A self-described “cabal” of companies, including Microsoft, Symantec, and a host of domain registration providers, have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

Now that Conficker.C is targeting 50,000 domains, the group has its work cut out for it, Greenbaum said. Regardless, “it’s unknown at this point whether (boosting the domains) is an effective sidestep around the cabal’s actions,” he said.

The worm, also called Kido or Downadup, was first detected in November and is believed to have infected more than 10,000 computers. The first two versions exploit a vulnerability that Microsoft patched in October.

The second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on Friday, Sophos said last week. However, a Southwest spokesman said there had been no impact to the site from any additional traffic as a result of Conficker.

Experts are urging computer users to apply the Microsoft patch and update their antivirus software. And this week, Enigma Software Group and BitDefender announced free Conficker removal tools.

Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 reward for information leading to an arrest in the Conficker case.

Symantec has more technical and historical details on Conficker on its Web site.