The Antivirus blog
http://antivirus.xaviermedia.com
How to protect yourself from viruses, malware and scumware

More SQL injections
http://antivirus.xaviermedia.com/2008/05/11/more-sql-injections/
Posted Sun, 11 May 2008 14:24:30 +0000 by Andreas from Xavier Media

The sites affected by the last SQL injection wave haven’t even recovered and it’s already time for the next wave of SQL injections :(

Once again it looks like it’s older versions of phpBB that got injected with JS_SMALL.QT (discovered by Advanced Threats Research Program Manager Ivan Macalintal). Unfortunately, if you’re going to use phpBB you have to make sure you upgrade every time they release yet another security fix (which they tend to do often :( ).

Visitors to a compromised site get redirected a couple of times to other sites and then see a popup asking them to install an ActiveX object.

When the ActiveX object is installed, these trojans also get installed on the victim’s computer:

  • TROJ_DNSCHANG.CS
  • TROJ_ALUREON.AE
  • TROJ_ALUREON.AH
  • TROJ_ALUREON.AI

According to Trend Micro these trojans are evil:

These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats.

Read more at Trend Micro.

Post from: The Antivirus blog

Google Adwords phishing attempt
http://antivirus.xaviermedia.com/2008/05/01/google-adwords-phishing-attempt/
Posted Thu, 01 May 2008 19:31:37 +0000 by Andreas from Xavier Media

I just got an email from Google informing me of possible phishing attempts and that I should be “on my watch” for suspicious emails appearing to be from Google. Here’s the email I got (I removed @ from the email addresses):

At Google, we take the safety of our users very seriously, and we work hard to ensure that your accounts are secure. As part of those efforts, we recently compiled some tips on our blog to help protect you from “phishing,” which is an attempt to fraudulently collect passwords, credit card numbers, and other sensitive information: http://googleblog.blogspot.com/2008/04/how-to-avoid-getting-hooked.html

This information is important because any online account can be targeted by phishers, including online advertising accounts.

There are reports of phishing attempts that falsely appear to be from adwords-noreply (a) google.com. These fraudulent emails ask users to update their billing information, take action on a disapproved ad, edit their account, or accept new AdWords terms and conditions. Please remember that Google’s AdWords team will never send an unsolicited message asking for your password or other sensitive information by email or through a link.

If you need to change your account information, such as your billing details or your password, always sign in to your AdWords account from the main AdWords login page at https://adwords.google.com and make the changes directly within your account.

We’ve included more information below on how to avoid phishing. If you have any questions, please don’t hesitate to contact us at adwords-support (a) google.com.

Sincerely,
The Google AdWords Team

As always it’s important to make sure you’re logging in at the correct site (in this case google.com).

Security fix for Wordpress
http://antivirus.xaviermedia.com/2008/04/26/security-fix-for-wordpress/
Posted Sat, 26 Apr 2008 07:00:01 +0000 by Andreas from Xavier Media

Most of us have only just upgraded to Wordpress 2.5, and now it’s already time for another upgrade. This time it’s a more urgent upgrade since it includes a security fix and about 70 bug fixes:

We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

My guess is that this security fix is related to this post, but that’s just my guess.

Read more in the Wordpress blog or go directly to the download page to get the latest version.

Hosting companies watch out!
http://antivirus.xaviermedia.com/2008/04/20/hosting-companies-watch-out/
Posted Sun, 20 Apr 2008 15:32:26 +0000 by Andreas from Xavier Media

All hosting companies offering IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008 must now watch out for a vulnerability allowing a local user to raise their privilege level.

Microsoft stated in their advisory:

Hosting providers may be at increased risk from this elevation of privilege vulnerability.

But no explanation was provided.

Since IIS is a popular platform for many web hosting companies, we may see targeted attacks on hosting companies (and their clients’ web sites) :( . If you work for or run your own hosting company you may have to keep an eye on your SQL server.

Read more at McAfee AVERT Labs Blog.

Wordpress 2.5 is out, upgrade today!
http://antivirus.xaviermedia.com/2008/03/31/wordpress-25-is-out-upgrade-today/
Posted Mon, 31 Mar 2008 17:21:57 +0000 by Andreas from Xavier Media

The latest version of Wordpress was only a few days old when I noticed this urgent post in the TrendLabs blog regarding the old version of Wordpress (version 2.3.3 that is). It’s always important to upgrade your software, and this time it can really hurt your visitors and subscribers if you don’t :(

This JavaScript injection creates a directory called 1 in your wp-content directory. So to find out if your blog has been hijacked, you should look for a directory with that name. This directory will be full of infected files containing links to other infected files :( so you need to remove them all if your blog has been infected.

If your blog gets infected, then all your blog pages will be filled with links to other infected pages.

TrendLabs is giving this advice to blog owners:

As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this sites useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.

Manipulated ratings at eBay?
http://antivirus.xaviermedia.com/2008/03/24/manipulated-ratings-at-ebay/
Posted Mon, 24 Mar 2008 07:09:25 +0000 by Andreas from Xavier Media

Trend Micro is reporting this morning on manipulated ratings at eBay.co.uk. The ratings at eBay show a user’s history using stars. The more stars (five is the maximum) a user has, the more successful trades have been completed and the more the user can be trusted.

The manipulation works like this. The unsuspecting user visits one of the auction pages at eBay which contains an embedded (and hidden) Shockwave file. The user is redirected to a .aspx file in Russia, which means that the user is doing business with someone he can’t identify :( . So be alert when you do business on eBay. Make sure you’re still at the eBay site at all times!

Check your Wordpress installation
http://antivirus.xaviermedia.com/2008/03/21/check-your-wordpress-installation/
Posted Fri, 21 Mar 2008 09:49:42 +0000 by Andreas from Xavier Media

If you’re using Wordpress you should make sure that you’re using the latest version (at the moment 2.3.3) and that you’ve removed all the old files so no one can take advantage of a security hole in the old files. Shoemoney.com is reporting that people claim to have had hidden links (or even iframes) injected into their latest installations of Wordpress.

Shoemoney.com says:

First I want to say I have never seen any evidence of a fresh 2.3.3 install of Wordpress.

The issue most likely comes from either a previous exploitable file still existing in your Wordpress install directory or from someone who has already hijacked your admin cookie. You see there were some wicked exploits in earlier versions that allowed people to hijack your admin cookie which authenticates you (keep me logged in).

So the advice is to always keep your installations up to date, change passwords regularly and remove old files used in previous versions of your installation. This is true not only for Wordpress, but for all installations on your server, for example phpBB.

It is also a good idea to keep a backup of your database at some location other than your current server. Wordpress has a few good plugins that can email your database to you on a daily basis, or, if you can, you should set up your web server to send a backup of your entire site to a remote FTP account.

Make sure you upgrade your phpBB forums
http://antivirus.xaviermedia.com/2008/03/18/make-sure-you-upgrade-your-phpbb-forums/
Posted Tue, 18 Mar 2008 17:24:59 +0000 by Andreas from Xavier Media

Over the last few days, over 200 000 pages (most of them using phpBB) have been compromised with an exploit, according to McAfee.

This video shows what it looks like on the user’s side:
March 2008 - Mass Hack Demo from Schmooog on Vimeo.

If you have a forum using phpBB, you have to make sure you’re using the latest version. Back in 2004 another mass hack of phpBB occurred :( so this is not the first (and absolutely not the last) time the users of phpBB forums learn the hard way how important backups are.

Welcome to the antivirus blog
http://antivirus.xaviermedia.com/2008/03/15/welcome-to-the-antivirus-blog/
Posted Sat, 15 Mar 2008 13:49:25 +0000 by Andreas from Xavier Media

Welcome to the latest blog from Xavier Media about antivirus software, the latest virus threats and how to protect yourself and your computer from scumware, trojans and other malware.

The virus map found on the main page is constantly updated with the latest threats you need to look out for. You can also “zoom in” on your region to see what’s going on in your part of the world.

The virus map

Thanks to our friends at Trend Micro you can also scan your computer for viruses completely free by visiting this page.

More features and articles on how to protect yourself will be added shortly and I really hope that you like the new and improved antivirus page from Xavier Media :D .
