Archive for November, 2006


Nov 23
by Kathryn Cheng (Technical Communications)

Sometime last week, a program called CopyBot was released, most likely by a gamer, to allow the duplication of any object inside the virtual world of Second Life. This includes clothing, land, and other items, which gamers actually purchase for their in-world avatars. These items can be bought using a currency called Linden dollars; gamers use real-life currency to acquire the virtual currency. Currently, $1 is equivalent to L$250.

With around 1 million Second Life gamers, it’s no wonder another attack has been launched, this time by a perpetrator who released a spinning gold ring that replicates itself once touched by an avatar. The attack, known as grey goo, caused the game to experience severe lag and eventually lose its connection to the server. Linden Lab, maker of Second Life, even took the game offline briefly to clean up the field.

Targeting online games is no longer new. As evidenced by the numerous variants of TSPY_LINEAGE and TSPY_WOW that similarly attack online games, there is a considerable amount of money involved here.

While Linden Lab is trying to provide the resources needed by its growing number of users, the real challenge lies elsewhere: in keeping its virtual world safe from goons and thieves.


Nov 23
by Jessie Paz (Advanced Threats Researcher)

Just a few days after we had an emergency release of OPR 3.939.00 due to the massive onslaught of TROJ_STRAT.GG and WORM_STRAT.GG, we have sensed another severe seeding of Trojan and Worm Strats in our honeypots. This caused Trend Micro to release an urgent Bandage pattern to protect its customers from these critters, which have been given the detection names TROJ_STRAT.GN and WORM_STRAT.GN.

Interestingly and annoyingly, the URL accessed by both variants is on the same domain and differs only in the directory location within that domain. Nevertheless, the generic pattern for STRAT variants has also been improved and modified to proactively detect future variants of these bugs.


Nov 23
by Dianne Lagrimas (Technical Communications)

Self-confessed adware maker and distributor Zango was sanctioned by the US Federal Trade Commission (FTC) and ordered to pay $3M in fines over years of bad Internet advertising habits.

However, as the implementation of the sanction draws near, Zango still continues with its advertising malpractice, according to spyware experts Ben Edelman and Eric Howes.

As part of the settlement, Zango has agreed to furnish straightforward end-user license agreements (EULAs) on all its software. Yet experts have not seen any changes to any of the company’s software EULAs. It might be that Zango is trying to rake in as much moolah as it can before it starts paying fines.


Nov 23
by Jhoevine Capicio (Advanced Threats Researcher)

A website, shown below, is currently hosting a trojan that drops several malicious files on the user’s system.

The site disguises the trojan dropper as “Smart Messenger,” touted as “a new way to instantly Text and Picture SMS FREE!”

The malware author(s) really put a lot of work into the social engineering of this malware, from the website that hosts it to the malware’s installation on the system.

The website hosts a zip file named SMSS406.zip, which contains three files:

  • LICENSE.TXT - License file of the supposed “Smart Messenger v4.06”. This is an added social engineering trick to lend credibility to the trojan.
  • setup.exe - The actual trojan (detected by Trend Micro as TROJ_GLITCH.IRC).
  • smss.hlp - A help file for the supposed “Smart Messenger v4.06”. (It doesn’t really contain anything.)

When a user is fooled into executing setup.exe on his system, he gets a message box containing a License Agreement for Smart Messenger. This makes the user believe that he is installing a real application that will help him score free text and picture SMS. The user is even given the option to install the application or not, as shown in the picture below.

If the user chooses “YES”, the setup continues to execute, leading to either of these two pop-up message boxes.

These suggest to the user that there has been an error in the installation of Smart Messenger, but in reality, setup.exe has already dropped several files in this directory:

  • %system%\drivers\etc\tmp

NOTE: %system% is the Windows system directory.

Among these are two EXE files named:

  • MSTask.exe
  • smss.exe

The file setup.exe then adds a registry key to make MSTask.exe auto-execute on every startup of the system. If an IRC client is installed, it also tweaks registry settings to make sure that smss.exe is executed whenever the IRC client software is run.

Checking my network, I noticed that a connection to an IRC server had been made with these credentials:

  • Channel: #f00bar
  • Nick Name: kg1kk9

All related files and the website link have already been sent to the service team for proper action.

I guess I don’t have to say this, but I’ll say it anyway: be careful with what you download from the net, especially if it came to you through IM messages or e-mails. Just don’t execute any file from the net unless you’re absolutely sure that it is what it says it is; otherwise, you might be running malware that will eat up your network.
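The indicators described in this post (the drop directory, the two dropped EXE names, the autorun entry, and the IRC channel and nick) can be turned into a small host-side check. The following is an added example, not code from the original post or from Trend Micro: it assumes Run-key values are supplied as a name-to-command dictionary, file paths as a list, and IRC client-to-server lines as strings, and it assumes C:\WINDOWS\system32 as the default %system% directory. All sample inputs are constructed.

```python
import ntpath
import re

# Indicators taken from the post above; any sample data fed in is constructed.
DROP_SUBDIR = r"drivers\etc\tmp"          # %system%\drivers\etc\tmp
DROPPED_NAMES = {"mstask.exe", "smss.exe"}
IRC_CHANNEL = "#f00bar"
IRC_NICK = "kg1kk9"

def _norm(path):
    return ntpath.normpath(path).lower()

def _exe_from_command(command):
    """Extract the program path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]

def suspicious_autoruns(run_values, system_dir=r"C:\WINDOWS\system32"):
    """Flag Run-key values (name -> command) whose target is one of the dropped
    file names but lives outside %system%, where the real smss.exe belongs.
    system_dir is an assumed default, not something the post states."""
    hits = []
    for name, command in run_values.items():
        exe = _exe_from_command(command)
        if (ntpath.basename(exe).lower() in DROPPED_NAMES
                and _norm(ntpath.dirname(exe)) != _norm(system_dir)):
            hits.append(name)
    return hits

def executables_in_drop_dir(file_listing):
    """The etc\\tmp folder normally holds no executables; report any found there."""
    return sorted(p for p in file_listing
                  if _norm(ntpath.dirname(p)).endswith("\\" + DROP_SUBDIR)
                  and p.lower().endswith(".exe"))

IRC_PATTERN = re.compile(r"^(?:NICK\s+(?P<nick>\S+)|JOIN\s+(?P<chan>\S+))", re.I)

def irc_indicator_lines(irc_lines):
    """Return client-to-server IRC lines that use the post's nick or channel."""
    hits = []
    for line in irc_lines:
        m = IRC_PATTERN.match(line.strip())
        if m and ((m.group("nick") or "").lower() == IRC_NICK
                  or (m.group("chan") or "").lower() == IRC_CHANNEL):
            hits.append(line.strip())
    return hits
```

Feed it the Run key contents, a directory listing of %system%\drivers\etc\tmp, and a capture of outbound IRC traffic; any non-empty result points at the behaviour described in the post.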


Nov 20
by Jasper Pimentel (Advanced Threats Researcher)

Two new variants of Zlob, TROJ_ZLOB.BEV and TROJ_ZLOB.BEW, have just turned up. Once again, these new variants pose as codec installers that can be downloaded from legitimate-looking websites, moviecodec(dot)net and tvcodec(dot)com.

Don’t let the websites’ professional-looking design fool you. These websites do not contain any codec installers at all. Rather, the files they offer for download are nothing more than TROJ_ZLOB variants.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice