Screenshots of the latest Twitter phishing attack

F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Copyright (c) 2007 F-Secure Corporation. All Rights Reserved. tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001911.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Today there's a phishing run underway in Twitter, using Direct Messages ("DMs"). These are private one-to-one Tweets inside Twitter. The messages look like these: <img border="1" src="http://www.f-secure.com/weblog/archives/mhansen1.png" alt="you should change ur photo u took here - did i tell you that ur here" title="you should change ur photo u took here - did i tell you that ur here"> If you follow the link, you end up to a fake Twitter page: <img border="1" src="http://www.f-secure.com/weblog/archives/mhansen2.png" alt="mhansenhome.org"> If you mistakenly give out your credentials, the attackers will start sending similar Direct Messages to your contacts, posing as you. The ultimate goal of the attackers is to gain access to a large amount of valid Twitter accounts, then use these account to post Tweets with URLs pointing to malicious websites which will take over users computers when clicked. Lets have a closer look at the domain mhansenhome.org. The front page seems to be an active Myspace phishing page. Nice. <img width="760" border="1" src="http://www.f-secure.com/weblog/archives/mhansen3.png" alt="mhansenhome.org"> The good news is that Twitter is already filtering these from being posted, although it's unclear if they are also removing already-delivered DMs. Also, the Twitter built-in link shorteners (twt.tl and bit.ly) already detect the URLs as malicious: <img border="1" src="http://www.f-secure.com/weblog/archives/mhansen4.png" alt="mhansenhome.org"> <img border="1" src="http://www.f-secure.com/weblog/archives/mhansen5.png" alt="mhansenhome.org"> On 21/03/10 At 01:41 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Screenshots of the latest Twitter phishing attack tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001910.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com We regularly learn of cases where criminals have gained access to credit card numbers via keyloggers, skimmers or online hacks. Once they have the credit card numbers, they basically have three ways to turn them into cash: <ul><li>Sell them <li>Make fraudulent purchases on them <li>Create real-world cards out of them</ul> To create real-world cards, you need blank cards to start with. These are known in the underground as "blank plastic". And there are online stores for blank plastic. Here are some pictures from one: <img border="1" src="http://www.f-secure.com/weblog/archives/imagine_cards_1.png" alt="cards"> Above: Collection of "blank" Visa and Master Card cards. <img border="2" src="http://www.f-secure.com/weblog/archives/imagine_cards_2.png" alt="cards"> Above: Gold embossing demo. Still missing the hologram sticker. <img border="3" src="http://www.f-secure.com/weblog/archives/imagine_cards_3.png" alt="cards"> Above: Finished product. Notice the card holder's name... PS. Also see our post about <a href="http://www.f-secure.com/weblog/archives/00001651.html">credit card holograms</a>. On 18/03/10 At 03:42 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Blank Plastic tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001909.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com <img border="0" src="http://www.f-secure.com/weblog/archives/stock_trade.png" alt="Online stock trading companies" title="Online stock trading companies"> Buying and selling stock online is big business. It also carries it's own risks. And we don't mean the risk of doing bad investments; we mean loosing access to your trading account because your computer got infected by a keylogger. Take a case of Mr. Valery Maltsev from St. Petersburg. Maltsev runs an investment company called Broco Investments (available online at www.brocompany.com). <img border="0" src="http://www.f-secure.com/weblog/archives/broco.png" alt="Broco Investments"> Unfortunately (to him), Maltsev was yesterday charged by US Securities &amp; Exchange commission. They claim that Maltsev's extraordinary gains in thinly traded NASDAQ and NYSE stocks were not a co-incidence. Apparently Maltsev used malware with keyloggers to gain access to other people's online trading accounts. With such accounts, he could buy stocks at inflated prices, and use his real account to sell the same stock, for instant gains. Quoting from the SEC Complaint: On December 21,2009, at 13:37, BroCo bought shares of Ameriserv Financial, Inc (<a href="http://www.google.com/finance?client=ob&amp;q=NASDAQ:ASRV">ASRV</a>) at a price of $1.51 per share. Approximately one minute later, three accounts at Scottrade were illegally accessed and used to purchase shares of ASRV at prices ranging from $1.545 to $1.828 per share. While this was happening, BroCo sold shares of ASRV at prices ranging from $1.70 to $1.80 per share, finishing at 13:52. By trading shares of ASRV within minutes of unauthorized trading through the compromised accounts, Maltsev and BroCo grossed $141,500 in approximately fifteen minutes, realizing a net profit of $17,760. Here's the stock chart for Ameriserv Financial. You can clearly see the unusually high trading levels on December 21st. <a href="http://www.google.com/finance?client=ob&amp;q=NASDAQ:ASRV"><img border="0" src="http://www.f-secure.com/weblog/archives/asrv_stock.png" alt="Ameriserv Financial, Inc "> </a> SEC claims that overall, Maltsev made more than $250,000. More details in the original <a href="http://www.sec.gov/litigation/complaints/2010/comp21452.pdf">SEC Complaint</a> (PDF file) And this is not the first time we've seen this. There was a very similar case in 2006, where Mr. Jevgeny Gashichev was running a fake Estonian company called Grand Logistics <img border="1" src="http://www.f-secure.com/weblog/archives/grand_logistics.png" alt="Grand Logistics"> His tactic was almost identical: he used keyloggers and phishing attacks to gain access to stock trading passwords, inflated the price of a penny stocks and cashed in. <img border="0" src="http://www.f-secure.com/weblog/archives/aripaev_grand_logistics.png" alt="Aripaev"> SEC claims that Gashichev made more than $350,000. Again, more details in the original <a href="http://www.sec.gov/litigation/complaints/2006/comp19949.pdf">SEC Complaint</a> (PDF file) On 17/03/10 At 01:50 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Online stock trading is risky tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001908.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Over the years, we have multiple times posted examples of what kind of booby-trapped document files have been used in targeted (espionage) attacks. For example: <ul><li><a href="http://www.f-secure.com/weblog/archives/00001672.html">Targeted examples</a> <li><a href="http://www.f-secure.com/weblog/archives/00001735.html">New set of bait files</a> <li><a href="http://www.f-secure.com/weblog/archives/00001688.html">H1N1 Themed Targeted Attack</a> <li><a href="http://www.f-secure.com/weblog/archives/00001862.html">Intelligence Sector Hit by a Targeted Attack</a> <li><a href="http://www.f-secure.com/weblog/archives/00001406.html">Targeted Malware Attacks Against Pro-Tibet Groups</a> <li><a href="http://www.f-secure.com/weblog/archives/00001859.html">On-going Targeted Attacks Against US Military Contractors</a></ul> However, we've rarely shown how these documents were delivered to the targeted, i.e. what the emails looked like. For that kind of information, we can recommend you to visit a blog called <a href="http://contagiodump.blogspot.com/">Contagio Malware Dump</a>. This blog, run by Mila &amp; co analyses targeted attacks in detail, typically showing the original spoofed emails that started the attacks. Some good examples below &mdash; some of them are quite convincing. Would you have opened the PDFs? <img width="759" height="469" border="1" src="http://www.f-secure.com/weblog/archives/contagio_targeted_attack_email_1.png" alt="contagio malware dump"> <img width="690" height="634" border="1" src="http://www.f-secure.com/weblog/archives/contagio_targeted_attack_email_2.png" alt="contagio malware dump"> <img width="627" height="624" border="1" src="http://www.f-secure.com/weblog/archives/contagio_targeted_attack_email_3.png" alt="contagio malware dump"> More at: <a href="http://contagiodump.blogspot.com/">contagiodump.blogspot.com</a> On 16/03/10 At 02:56 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z What do the Targeted Attack emails look like? tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001907.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com An Estonian virus writer has been sentenced to jail in Harju, Estonia. The author of the <a href="http://www.f-secure.com/v-descs/allaple_a.shtml">Allaple</a> virus family, 44-year old Mr. Artur Boiko pleaded not guilty. Nevertheless, he was found guilty and sentenced to 2 years and 7 months in prison. Allaple is a complex worm using polymorphic encryption. It spreads over network shares and by modifying local HTML files. When such HTML files are uploaded to public websites, they spread the infection further. Apparently Mr. Boiko had been in a car accident and had ended up in dispute over his insurance claim with <a href="http://www.if-insurance.com">If Insurance</a>. As a result, his worm launches DDoS attacks against these sites: &nbsp;&nbsp;&nbsp; www.if.ee &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;(website of the insurance company) &nbsp;&nbsp;&nbsp; www.online.if.ee &nbsp;&nbsp;&nbsp;(customer online interface of the insurance company) &nbsp;&nbsp;&nbsp; www.starman.ee &nbsp;&nbsp;&nbsp;(website of a local ISP) The DDoS attacks were quite serious &mdash; see <a href="http://isc.sans.org/diary.html?storyid=2451">this post</a> from ISC Diary in 2007. We detected several variants of Allaple during 2006-2007. The problem is that this is not a botnet &mdash; these worms have no command and control channel. The infected machines will attack their targets until they are cleaned. There are still thousands of active, infected computers today around the world, and they are still attacking. And the worm is still spreading further. <img width="494" height="338" border="1" src="http://www.f-secure.com/weblog/archives/allaple.png" alt="Snapshot from F-Secure interface showing new samples on 11th of March 2010"> Snapshot from F-Secure interface showing new samples on 11th of March 2010 Boiko was sentenced to prison, where he has already been awaiting his trial for 19 months. He was also sentenced to pay the following sums to cover losses: To If Insurance: 5.1 Million Estonian Kroons (about 330000 Euros or 450000 USD) To Starman ISP: 1.4 Million Estonian Kroons (about 91000 Euros or 130000 USD) More info (in Estonian) from <a href="http://uudised.err.ee/index.php?06196827">ERR Uudised</a> On 11/03/10 At 11:20 AM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Allaple Virus Author Sentenced tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001906.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com F-Secure has an additional blog that launched today. It's called <a href="http://safeandsavvy.f-secure.com/">Safe and Savvy</a>. <img width="260" height="85" border="0" src="http://www.f-secure.com/weblog/archives/Safe_and_Savvy.png" alt="Safe and Savvy" /> You'll notice that the name is pink. That's part of our new brand but it also reflects the authorship. Safe and Savvy's contributors are the female employees of F-Secure (mostly). Hetta, Marja, Annika, Alia, Melody-Jane, (and Jason) have already gotten started. Read more of <a href="http://safeandsavvy.f-secure.com/2010/03/09/get-savvy-and-get-free-internet-security/">Hetta's latest post</a> to learn about six free months of our Internet Security 2010. <hr> On 10/03/10 At 05:29 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Be Savvy, Get Six Months of Internet Security tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001905.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com I wasn't sure I'd see <a href="http://support.microsoft.com/kb/976002">this Browser Choice update</a>: <img width="610" height="195" border="0" src="http://www.f-secure.com/weblog/archives/KB976002.png" alt="KB976002" /> I set my computer's Regional Options for the United States even though it's physically located in Finland (I'm an American after all). Regional settings might trump my IP address, I thought&hellip; but it seems not. I manually ran Microsoft Update and was provided access to KB976002. Cool. If you're located outside of Europe and are wondering what's this is all about, <a href="http://news.bbc.co.uk/2/hi/8524019.stm">read this</a> from the BBC. Microsoft is offering alternative browser options to European Windows users to settle an anti-trust lawsuit. The update component points users to <a href="http://www.browserchoice.eu/">browserchoice.eu</a> &mdash; from where they can select from 12 different web browsers. On a somewhat not completely unrelated note: Microsoft Security Advisory (<a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">981374</a>) was published yesterday. "Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7." The vulnerability could allow for remote code execution. Once again, that browser choice link is <a href="http://www.browserchoice.eu/">browserchoice.eu</a>. Share it with your family and friends. Signing off, Sean <hr> On 10/03/10 At 05:00 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Select Your Web Browser(s) tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001904.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com ATM skimmers are installed like this: <img width="736" height="516" border="1" src="http://www.f-secure.com/weblog/archives/skimmer-install.gif" alt="Skimmer install"> Video source: <a href="http://www.spiegel.de/netzwelt/web/0,1518,682345,00.html">Spiegel.de</a> &amp; German Federal Criminal Office (Bundeskriminalamt) On 10/03/10 At 12:06 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z How are ATM skimmers installed? tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001903.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Microsoft schedules <a href="http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx">its security updates</a> on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an <a href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">out-of-cycle security update</a> two weeks ago. That update should now be applied if you haven't already done so. Why? Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (<a href="http://blogs.technet.com/mmpc/archive/2010/03/08/cve-2010-0188-patched-adobe-reader-vulnerability-is-actively-exploited-in-the-wild.aspx">Microsoft also</a>). Our sample was submitted by a European financial organization and the file name includes a reference to the <a href="http://en.wikipedia.org/wiki/G-20_major_economies">G20</a>. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G. It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly. Looking through our sample management system, we see a growing number of targeted attack files. There were <a href="http://www.f-secure.com/weblog/archives/00001676.html">1968 files in 2008</a>. The number was 2195 during the year 2009. That isn't a very large increase in the overall total from 2008 to 2009 but we did see a greater percentage targeting Adobe. And how about the first two months of 2010? Well, so far the number is 895, which will more than double last year's number if the current pace continues. The percentage targeting Adobe Reader continues to rise. Here's a graph with a breakdown of the most common attack vectors used in targeted (espionage) attacks: <img width="650" height="475" border="0" src="http://www.f-secure.com/weblog/archives/targeted-attacks-2008-2009-2010.png" alt="Targeted attacks 2008, 2009, 2010 (Jan/Feb)" /> Updated to add: A couple of readers noticed that our graph's 2009 percentages were slightly off &mdash; it's been corrected. On 09/03/10 At 03:30 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z PDF Based Targeted Attacks are Increasing tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001902.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com As "<a href="http://www.f-secure.com/weblog/archives/00001857.html">JiLsi</a>" &mdash; one of the online criminals from <a href="http://www.f-secure.com/weblog/archives/00001679.html">Darkmarket</a> &mdash; was sentenced last week to almost five years in prison, we have received some media queries on the case. In particular, one journalist wanted to know what JiLsi (aka Renu Subramaniam), Matrix001 (aka Markus Kellerer) and Cha0 (aka �a&#287;atay Evyapan) looked like when they were posting to the Darkmarket forum. So I went back to my notes and dug up example posts from the guys, complete with their avatar icons. Perhaps these are interesting for our blog readers too. <img width="698" height="572" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_matrix001.png" alt="Darkmarket matrix001"> <img width="668" height="222" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_JiLsi.png" alt="Darkmarket JiLsi"> <img width="666" height="238" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_cha0.png" alt="Darkmarket cha0"> <img width="650" height="606" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_matrix002.png" alt="Darkmarket matrix"> Cheers, Mikko On 08/03/10 At 11:19 AM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Darkmarket Avatars tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001901.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Somebody is trying to pose as us. If you see an email like the one below, please ignore it: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;From: security@f-secure.com &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Reply-To: securitysupport@hotxf.com &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Subject: Security Maintenance.F-Secure HTK4S &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Date: Fri, 5 Mar 2010 18:11:05 -0000 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;To: undisclosed-recipients:; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Dear Email Subscriber, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Your e-mail account needs to be improved with our new &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;F-Secure HTK4S anti-virus/anti-spam 2010-version. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Fill in the columns below or your account will be &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;temporarily excluded from our services. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;E-mail Address: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Password: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Phone Number: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Please note that your password is encrypted &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;with 1024-bit RSA keys for increased security. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Management. &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Copyright 2009. All Rights Reserved. Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either. <hr> On 05/03/10 At 10:26 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Desperate Phishing Attempt tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001900.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Just when we thought <a href="http://www.f-secure.com/weblog/archives/00001899.html">SEO using Flash</a> was as interesting as SEO poisoning can get, it seems it's getting even sneakier&hellip; Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF. <img border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_3hrsago.PNG" alt="Joe Corvo" height="294" width="700" /> And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file. <img border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_pdf.PNG" alt="Joe Corvo PDF" height="457" width="553" /> Three hours later&hellip; Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache. <img border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_3hrslater.PNG" alt="Joe Corvo, 3hrs later" height="101" width="541" /> But is it really a PDF this time around? <img border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_html.PNG" alt="Joe Corvo HTML" height="711" width="476" /> It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF: <img border="0" src="http://www.f-secure.com/weblog/archives/jaypolhill_pdf.PNG" alt="Jay Polhill PDF" height="710" width="496" /> At least for a few hours before it becomes&hellip; <img border="0" src="http://www.f-secure.com/weblog/archives/jaypolhill_html.PNG" alt="Jay Polhill HTML" height="525" width="496" /> It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam. Response post by &mdash; Christine and Mina On 05/03/10 At 07:00 AM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z The Morphing PDF tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001899.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Another day, another news, and well&hellip; another SEO poisoning stint. <img border="0" src="http://www.f-secure.com/weblog/archives/pdf_google.PNG" alt="PDF Google" height="404" width="611" /> Using PDF files in SEO poisoning is recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files&hellip; Then, we saw something: <img border="0" src="http://www.f-secure.com/weblog/archives/isitpossibletobehappy_swf.PNG" alt="isitpossibletobehappy swf" height="66" width="624" /> Ok, could be a one time thing, so we checked the other sites: <img border="0" src="http://www.f-secure.com/weblog/archives/olympiccoverage_swf.PNG" alt="olympiccoverage swf" height="82" width="623" /> And in the usual geeky fashion in the lab&hellip; we got excited. When decompressed, the SWF contains this: <img border="0" src="http://www.f-secure.com/weblog/archives/swf_code.PNG" alt="swf code" height="69" width="622" /> Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior. The SWF is of course the key to getting to: <img border="0" src="http://www.f-secure.com/weblog/archives/pdf_scandownload.PNG" alt="pdf scandownload" height="373" width="700" /> <img border="0" src="http://www.f-secure.com/weblog/archives/pdf_secantidownload.PNG" alt="pdf security antivirus download" height="284" width="558" /> <img border="0" src="http://www.f-secure.com/weblog/archives/pdf_roguescan.PNG" alt="pdf rogue scan" height="509" width="700" /> It seems that the bad guys want the malicious URLs to be hidden inside the SWF. Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon. The malicious URLs are now blocked via our Browsing Protection and malicious files are detected. Response post by &mdash; Christine and Mina On 04/03/10 At 10:06 AM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z SEO Poisoning Sites Use Flash for Redirection tag:www.f-secure.com,2010-03-21:%2Fweblog%2Farchives%2F00001898.html F-Secure Antivirus Research Team weblog\@PLEASE-REMOVE-THIS.f-secure.com Remember Microsoft's <a href="http://www.f-secure.com/weblog/archives/00001892.html">action against 277 Waledac domains</a> last week? Well, that's one way of going after a botnet&hellip; Another way of shutting down a botnet? Arrest the botmasters! Three Spanish citizens have been arrested for running the "Mariposa" botnet. The three reportedly have no criminal records and have limited hacking skills. Mariposa is a Butterfly Kit based botnet, and the kit is no longer for sale. Details are available from the <a href="http://news.bbc.co.uk/2/hi/technology/8547453.stm">BBC</a> and <a href="http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/">The Register</a>. Kudos to those involved in the arrests. On 03/03/10 At 04:43 PM 2010-03-21T13:41:54Z 2010-03-21T13:41:54Z Another Bot Bites the Dust? XML::Atom::SimpleFeed 2010-03-21T13:41:54Z Weblog of F-Secure Antivirus Research Team F-Secure Antivirus Research Weblog