Changes to the Webroot ThreatBlog


Over the next few days, you will begin to see some changes to the Webroot ThreatBlog.  As the company has grown, so has the need for our threat research to be delivered in a clearer, more concise manner.  We have worked long and hard on the new blog, including adding new content like the ThreatVlog, as well as highlighting the individuals behind all the great threat research done here at Webroot.

So with all that, we want to welcome you to the brand new Webroot ThreatVlog.  It is more than a URL update, but a whole new look to help you better stay updated on the digital threats out there, and just how to stay protected.

To better help you, here are a few updated links to help you.

New web URL:
RSS feed update:

New ‘Hacked shells as a service’ empowers cybercriminals with access to high page rank-ed Web sites

By Dancho Danchev

Whether it’s abusing the ‘Long Tail’ of the Web by systematically and efficiently exploiting tens of thousands of legitimate Web sites, or the quest to compromise few, but high-trafficked, high page rank empowered Web sites, compromised shell accounts are an inseparable part of the cybercrime ecosystem.

Aiming to fill in a niche in the market segment for compromised/hacked shells, a newly launched service is offering a self-service type of underground market proposition, whose inventory is currently listing over 6000 compromised/hacked shells internationally.

More details:

Continue reading

New Rogue “Antivirus System” locks you out of safe mode

By Tyler Moffitt

Recently we’ve seen a new fake security product running around that has made improvements to the standard rogue. Typical rogues are annoying, but relatively easy to take care of. Previously, all you had to do was boot into safe mode with networking and remove the files and registry entries (or install Webroot). Support forums everywhere use safe mode with networking as the “go to” mode for virus removal as non-core components are not loaded at start up and it’s easier to isolate problems. In the vast majority of the rogues we see, they are not loaded in the few modules which start up in safe mode. Antivirus System does, however, and it also applies some new and improved social engineering tactics to fool you into thinking it’s a real program trying to help you.

Continue reading

“The implications are huge!” – The Master Key Bug *UPDATED*

By Nathan Collier and Cameron Palan

Android Master KeyLast week, Bluebox Security reported they’d found a new flaw with the Android OS, saying “The implications are huge!”. The bug, also known as the “Master Key” bug or “bug 8219321”, can be exploited as a way to modify Android application files, specifically the code within them, without breaking the cryptographic signature. We call these signatures the “digital certificate”, and they are used to verify the app’s integrity. Since the bug is able to modify an application and still have the certificate appear valid, it is a big deal. Continue reading

Android.Bankun: Bank Information Stealing Application On Your Android Device

By Nathan Collier

There’s one variant of Android.Bankun that is particularly interesting to me.  When you look at the manifest it doesn’t have even one permission.  Even wallpaper apps have internet permissions.  Having no permissions isn’t a red flag for being malicious though.  In fact, it may even make you lean towards it being legitimate.

There is one thing that thing that gives Android.Bankun a red flag though.  The package name of instantly makes me think something is fishy.  To the average user the word ‘Google’ is seen as a word to be trusted.  This is especially true when it comes to the Android operating system which is of course created by the search engine giant. Continue reading

Top 5 Fake Security Rogues of 2013

By Tyler Moffitt

We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious type of infections we see. The Rogues lock-down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money. Continue reading

Adobe Flash spoof leads to infectious audio ads

By Tyler Moffitt

We’ve seen quite a few audio ads infecting users recently. We think it’s a good idea to go over an in-depth look at how they infect your computer and how to remediation them.

As you can see in this first picture, this is another Adobe Flash spoof that launches its signature update window.

audio ads1

You might not be able to see, but the “f” is a little off on the tiny icon at the top left. Either way it looks quite legitimate. It doesn’t matter what option you check; once you click “NEXT” you’ll get this next window.

audio ads2

So far this seems completely official and harmless. It even takes it’s time progressing the loading bar. However, once you click “Finish” everything closes down and the computer reboots. The command force quits all applications so you won’t have time to save anything or cancel the shutdown. Once the computer reboots there is no final closing message from “Adobe”, but everything seems normal for a few minutes. After about three to five minutes the computer slows down to a crawl and Audio ads start playing in the background. By now users start to worry about foul play with their computer so here’s a look at what’s going on at this point.

audio ads3

The audio streams are not being run by an audio application or an internet browser session, but instead a hijacked “svchost.exe” that’s using 88.25% CPU. If we take a look at its network communication we find that it’s establishing and closing over a hundred different connections at once. This is why the audio ads aren’t coherent and are basically just multiple advertisement streams all at once which makes for quite an annoying sound. You can give it a listen by clicking below.

The motivation is for this virus, other than being very obnoxious, is that the hundreds of IP addresses being resolved from the PC will generate a tick on the visit counter and generate ad revenue.

To remove this sample is actually quite simple. Since this starts as soon as the computer starts if you take a look at the startup entries you should find something similar to this.

audio ads4
Software Modem and Utility Suite are the culprit. If you read the full command they are located in appdata and point to two randomly named DLLs called “qogrpr.dll” and “ntrti.dll” This is extremely suspicious.
All you need to do is delete the files in appdata and then remove the run keys from startup. The full registry key and directory location from are below.

“qogrpr”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\qogrpr.dll\”,GetGlobals”

“ntrti”=”\”C:\\Windows\\System32\\rundll32.exe\” \”C:\\Users\\”youruserfolder”\\AppData\\Roaming\\ntrti.dll\”,NewMember”

As always, you can install Webroot SecureAnywhere and we’ll remove it with ease.

audio ads5

That’s it for this variant of the Audio ads. There are also other variants that use rootkits to infect the MBR. Please contact Webroot Support if additional assistance is needed in remediating this infection.