Without verifying its legitimacy, users who may be anticipating a WebEx conference are at risk of downloading variants of a notorious info stealing malware.

Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).

The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are lead to a malicious site hosting TSPY_FAREIT.SMC. Employees may be trick into opening this as it appears to be an alert coming from a business tool they often use. The second sample, on the other hand, is a spoofed PayPal email that features transaction details. Curious users who click these details are then directed to the webpage hosting the rogue Flash update file.

Read the rest of this entry »

DORKBOT, also known as NgrBot, is not a new threat. In fact, it was seen in the wild as early as 2011. Yet last week, DORKBOT made the news for spreading via Skype spammed messages, and has now reached than 17,500 reported infections globally. So what is DORKBOT, really?

A worm with multiple propagation routines

DORKBOT typically spreads in several ways: social media (such as Facebook and Twitter), instant messaging applications (Windows Live Messenger, mIRC, and now Skype), and via USB drives.

In propagating via social media and instant messaging applications, DORKBOT variants initially connect to the website http://api.wipmania.com/ in order to get the affected system’s IP address and location. This is done in order to pick the appropriate language to be used for propagation via instant messaging applications or social networks. However, in the Skype attack, the DORKBOT variants (WORM_DORKBOT.IF and WORM_DORKBOT.DN) checks the system locale in order to select the language.

Here are some of the messages used, based on our analysis:

• lol is this your new profile pic
• hej to jest twój nowy obraz profil?
• eínai aftí i néa fotografía profíl sas?
• это новый аватар вашего профиля?))
• سؤال هي صورتك ؟
• moin, kaum zu glauben was für schöne fotos von dir auf deinem profil
• hej er det din nye profil billede?
• hej je to vasa nova slika profila
• hey is dit je nieuwe profielfoto?
• hei zhè shì ni de gèrén ziliào zhàopiàn ma?
• tung, cka paske lyp ti nket fotografi?
• hey c’est votre nouvelle photo de profil?
• hey é essa sua foto de perfil? rsrsrsrsrsrsrs
• ¿hey esta es tu nueva foto de perfil?
• ni phaph porfil khxng khun?
• hej detta är din nya profilbild?
• hey è la tua immagine del profilo nuovo?

Read the rest of this entry »