Archive for the ‘Pharming’ Category

Aug 26
by Bernadette Irinco (Technical Communications)

Ahead of the August 28 official release of Apple’s OS X Snow Leopard, cybercriminals are already piggybacking on the launch to spread their malicious activities. Earlier today, Advanced Threat Researcher Feike Hacquebord discovered several fake sites that supposedly give Mac users free copies of the newest version of the Mac OS, Snow Leopard. However, accessing these malicious sites lands users on a DNS changer Trojan detected by Trend Micro as OSX_JAHLAV.K. Once executed, OSX_JAHLAV.K decrypts code that includes a script which downloads ...


Aug 11
by Det Caraig (Technical Communications)

A Domain Name System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as MacCinema Installer (detected by Trend Micro as OSX_JAHLAV.D). This is the latest variant of OSX_JAHLAV.C, which was identified in June. The Trojan poses as a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains hosted at the IP address 91.214.45.73, such as: allincorx, bigdron, cikaredo, civilizxx, comeandtryx, deribrowns, draxxtermania, givendream, hitrowzone, jumborad, ltdkeeper, operationelx, oxxadox, paxxtiger, rednetx, rstdeals, simplexdoom, sinisteer, tdenuwas, tniredrum, ufapeace. If infected, a victim's Web ...


Jul 29
by Feike Hacquebord (Advanced Threats Analyst)

Today Trend Micro researchers discovered a spoofed (fake) version of the popular Russian social networking site vkontakte.ru. Visitors to the spoofed site risk exposing their personal login credentials to a third party. Vkontakte.ru is roughly the Russian equivalent of Facebook and is very popular in Russian-speaking countries. According to the site itself, it has more than 35 million users. Alexa ranks the site as the second most visited site in Russia. The infamous UkrTelegroup rogue DNS servers resolve the domain name www.vkontakte.ru ...


Jun 28
by Ryan Flores (Advanced Threats Researcher)

Aside from the new Twitter component, we've also seen Koobface download a new component with the filename dns.exe, whose main purpose, it seems, is to modify the system’s DNS registry settings. This is accomplished by inserting 213.174.139.72 (the IP address of the rogue DNS server) into the NameServer and DhcpNameServer values found under the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Device ID}. The effect of this modification is that every time a website is visited, the website's domain is resolved by asking the rogue DNS server, ...


Jul 22
by Paul Ferguson (Advanced Threats Researcher)

While this is completely unrelated to any particular malware, a rather disconcerting DNS cache-poisoning vulnerability has surfaced which deserves the attention of any and every organization on the planet that operates its own DNS servers. Determining whether you are vulnerable, and getting the vulnerability fixed quickly, becomes more important with each day that passes. This is due not only to the criticality of the vulnerability, but also to some of the "colorful" background in ...



© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice