The comments are normally suggestive, claiming that the link will take users to a legal Web page with pornographic content. You can see an image here: http://www.flickr.com/photos/panda_security/3548358349/

However, when users click the link, they are taken to a page that spoofs the original and which is really designed to download malware. On this page, users will be prompted to download a file in order to be able to view the video. If they take the bait, users will really be downloading a copy of the PrivacyCenter fake antivirus http://www.flickr.com/photos/panda_security/3548358229/

This malware, when run on a computer, pretends to scan the system, supposedly detecting dozens of (non-existent) viruses. It then offers users the chance to buy the paid version of the antivirus to clean their computers. The ultimate aim of cyber-crooks is to profit from the sale of this ‘Premium’ version. http://www.flickr.com/photos/panda_security/3548362019/

“The technique of using malicious comments on YouTube is not new in itself. What is alarming however, is the quantity of links we have detected pointing to the same Web page. This suggests that cyber-criminals are using automated tools to publish these comments”, explains Luis Corrons, Technical Director of PandaLabs.

- Capturing network traffic.
- Downloading any type of file, including malware.
- Updating itself.

This worm also adds itself to the list of authorized applications in the
Windows XP firewall.

It spreads by exploiting the MS04-011 Microsoft vulnerability. It does
this by generating random IP addresses which it then scans looking for
computers with port 445 open. If it finds a vulnerable system, it
downloads a copy of itself.

This worm also spreads by copying itself to all mapped, shared and
removable drives on the system.

Autorun.IYQ is a worm that makes a series of modifications to the
Windows registry, with the following effects:

*       It prevents a session being started up in safe mode.
*       It blocks writing to removable devices, preventing files from
being copied to the device.
*       It prevents numerous files corresponding to security programs
from being run.
*       It disables several services in the Windows Security Center.

It adds two new entries at the start of the contextual menu for the
drives in My computer, which point to a copy of the worm. You can see an
image here: http://www.flickr.com/photos/panda_security/3551641322/

Joleee.F is a worm that spreads through an email advertising
pharmaceuticals. You can see an image here:
http://www.flickr.com/photos/panda_security/3550986733/

It connects to the Internet to download a series of addresses to which
it sends spam and consequently, tries to infect the recipients.

This worm also creates a series of copies of itself on infected
computers.

While 63% of parents declared concern for the online security of their children, in particular relating to the threats to which they are exposed (contact with strangers, access to inappropriate content, etc.), none of them expressed among their main concerns the risk that their children could be involved in illicit activities on the Internet.

However, some 67% of the young people surveyed admitted to having tried, on at least one occasion, to hack into friends’ instant messaging or social network accounts, etc. Similarly, 20% confirmed that they had sent compromising photos of friends over the Internet or published them on the Web without prior consent.

The survey also revealed a significant amount (17%) of adolescent users who claim to have advanced technical knowledge and are able to find hacking tools on the Internet. Of these, 30% claim to have used them on at least one occasion. When asked why, 86% said that curiosity had led them to investigate these public tools.

According to Luis Corrons, Technical Director of PandaLabs, “The advanced knowledge that many adolescents acquire through free tools and content available on the Web can often lead them into activities which are sometimes even illegal. We have found cases of teenagers using Trojans to spy on their partners, hacking school servers to see exam papers or even stealing the identity of friends or colleagues on social networks”.

While there are many initiatives aimed at educating and promoting awareness of threats on the Web, there are far less that focus on detecting and addressing illegal behavior.

“We should encourage young people to use the Internet as a channel for personal development, teaching them to use it in a healthy and responsible fashion. It is important to help them avoid participating in dubious activities which are made all the easier thanks to the anonymity afforded by the Web”, urges Corrons. “Even though the percentage is very low, we still come across too many cases of adolescent cyber-criminals, such as the recent high-profile case of the 16-year-old creator of worms for Twitter. We estimate that just 0.5% of these are detected by the corresponding authorities. Those who are drawn into hacking out of curiosity, may well end up discovering the financial potential of this activity, and becoming criminals themselves.”

*       Me miro boracho en video que me tomaron en youtube (I see myself
drunk in a video on youtube).
*       Esta es mi casa de suenos!! (this is my dream house)
*       Mira que pedo andaba ayer en la fiesta (look how drunk I was at
yesterday’s party)
*       No me acuerdo si me dormir con esta vieja??no se que hacer? (I
can’t remember if I slept with this woman yesterday. I don’t know what
to do)
*       Santo Dios creo que eres tu!!!! (Oh my God, I think it’s you!)

These messages include an attachment which is a copy of the worm. On
running the file, users are infected with a copy of the worm.

BckPatcher.C on the other hand, is designed to modify the desktop
background, the Windows Explorer background and the folder icons.
Additionally, every time files with certain extensions are executed
(DLL, EXE, JPG or RAR) the worm is run instead of the applications
associated to those extensions.

BckPatcher.C spreads through shared, mapped and removable drives, copying itself to them.

You can see images of the modifications carried out by the worm here:
http://www.flickr.com/photos/panda_security/tags/bckpatcherc/

The Boface.BJ worm reaches computers in a different way: through email
messages with attachments, Internet downloads, files transferred via
FTP, IRC channels, P2P file-sharing networks, etc. Users are unaware of
the infection.

Once the PC is infected, it takes approximately four hours to trigger
its payload. It does so when users access log into their Facebook
account. Then, it uses the network to send them a message, including the
affected user. http://www.flickr.com/photos/panda_security/3528707512/

On clicking the link users are directed to a page that resembles YouTube
(called “YuoTube”) in which a video “should” be displayed. However, in
order to do so, users are asked to download a player. If users accept,
the fake antivirus is downloaded.  Image here:
http://www.flickr.com/photos/panda_security/3527896167/

Once the download is accepted, the fake antivirus is installed on the
computer. It then starts sending users messages informing them their PC
is infected and telling them they should buy a solution. Here is the
interface displayed by one of the fake antiviruses:
http://www.flickr.com/photos/panda_security/3528707634/

This new trend underlines how cyber-crime is becoming increasingly professional. Previously, cyber-crooks would use malicious SEO (Search Engine Optimization) or “blackhat SEO” techniques to improve the ranking of their pages among popular search engines. Now they are beginning to use their own search engines which lead users directly to pages designed to infect or defraud them.

One such malicious search engine, detected by PandaLabs, has already received around 195,000 visits.

These search engines operate as follows: When users enter a word to find, the engine returns just five or six results. Clicking on any of these results will redirect the user to a Web page created specifically to distribute malware. The pages may include content such as pornographic videos, which ask users to download the latest version of “Web media player” in order to watch the clip. However, the file downloaded is really the adware WebMediaPlayer. These pages are also being used to distribute fake antivirus programs. You can see an image here: http://www.flickr.com/photos/panda_security/3504323344/

This technique is known as social engineering, and basically involves infecting users by enticing them to click a link or run a malicious file.

“We started searching for words and issues frequently exploited by cyber-crime, in this case swine flu, or celebrity names such as Britney Spears or Paris Hilton and this took us to pages created to distribute malware. But then we found that even searching for our own names would throw up results that were really malicious pages,” explains Luis Corrons, Technical Director of PandaLabs. “Strangely though, there is the occasional normal result among all the malicious ones. Perhaps this is to bolster the illusion that this is a genuine search engine”.

To avoid falling victim to these attacks, PandaLabs advises users only to use trusted search engines, and to be wary of websites offering sensational videos or unusual stories.

“If on this kind of website you are asked to download a codec or any other kind of program to watch videos, there is a strong chance that it is really malicious code”, warns Corrons.

For images illustrating this new trend, click here: http://www.flickr.com/photos/panda_security/tags/adwarewebmediaplayer/

“The purpose of this tool is to trick users into believing they are infected with various malware strains and offer them a paid version of the fake antivirus to remove them. This way, malware creators profit from their infections,” explains Luis Corrons, Technical Director of PandaLabs.

You can find images of this fake antivirus here:
http://www.flickr.com/photos/panda_security/tags/coreguard2009/

Kobcka.A is a Trojan designed to send spam messages to various email
addresses. It also sends its creator information about the infected computer, for example, the operating system version.

The Trojan uses stealth techniques (through a rootkit) to make detection
more difficult. It affects the productivity of the computer, the network to which it’s connected or other remote sites.

EvilHot.A is a Trojan that modifies the user’s logon password that was active at the time of the infection. Once run, the Trojan displays a series of messages and crashes the computer (you can see an image here: http://www.flickr.com/photos/panda_security/3512463150/)

It then tries to connect to a Web page to download some files.

With Panda Cloud Antivirus, Panda Security is introducing a new protection model that utilizes a thin-client agent and server architecture which processes and blocks malware more efficiently than locally installed signature-based products. By moving the entire malware scanning and determination process to the cloud and applying non-intrusive interception techniques on the client architecture, Panda Cloud Antivirus is able to provide advanced protection against new and unknown viruses with a lightweight thin-client agent that barely consumes any PC resources.

Traditional antivirus products for PCs rely on multiple locally installed technologies which intercept each file at different layers (entry vector, file system and execution) and scan them using various techniques (antivirus, heuristics, intrusion prevention, behavioral analysis, etc.). This process results in heavy usage of local PC memory and CPU resources, negatively impacting performance. The Panda Cloud Antivirus thin-client agent introduces a new philosophy for on-access asynchronous cloud-scanning. It combines local detection technologies with real-time cloud-scanning to maximize results while minimizing resource consumption. This optimized model blocks malicious programs as they attempt to execute, while managing less dangerous operations via non-intrusive background scans.

Panda Cloud Antivirus includes local and remote antivirus, anti-spyware, anti-rootkit, heuristics and goodware cache, while only consuming an average of 17 MB of RAM and 50 percent of the PC performance impact as compared to the industry average.

Utilizing Panda’s proprietary cloud computing technology called Collective Intelligence, Panda Cloud Antivirus harnesses the knowledge of Panda’s global community of millions of users to automatically identify and classify new malware strains in almost real-time. Each new file received by Collective Intelligence is automatically classified in under six minutes. Collective Intelligence servers automatically receive and classify over 50,000 new samples every day. In addition, Panda’s Collective Intelligence system correlates malware information data collected from each PC to continually improve protection for the community of users.

“We truly believe that Panda Cloud Antivirus represents a quantum leap in protection over the traditional approach to antivirus architecture,” said Juan Santana, CEO for Panda Security. “Panda Cloud Antivirus offers consumers a truly install-and-forget solution that delivers the industry’s fastest protection against the newest malware with literally half the performance impact. We’re excited to make it available today for free, which is Panda’s way of paying back to the community and growing our Collective Intelligence network so that we can deliver even greater protection to all customers.”

On reaching users’ computers, SillyBAT.A passes itself off as a system folder. It creates a key in the Windows Registry with the text: “Tu has sido derrotado de nuevo por VenoM, Burn in Hell” (You have been defeated by Venos again, Burn in Hell).

This worm creates files with the Windows library extension. The name begins by COM followed by several random characters. Inside the file is the following sentence: “Quémate en el infierno te desea el verdadero Dios ‘Lucifer’” (The real God, ‘Lucifer’ wants you to burn in hell).

To avoid detection, SilliBAT.A terminates and modifies security programs running on the system. Additionally, it is designed to display an error message with the following text: “la fuente de voltaje de no es suficiente para el correcto funcionamiento del ordenador, vete a quemar al Infierno un rato e inténtelo mas tarde” (there is not enough power supply for the computer to work correctly. Go to hell for a while and try again later). It then blocks the computer and displays a background image with the text: “VenoM” (you can see an image here: )

This worm spreads through P2P networks, passing itself off as shared files of programs such as eMule, Ares, etc.

“Funnily enough, at the end of the file this malicious code includes a sentence that seems to explain the reason for sending the worm: “Dedicado a todos los grupos ‘Metal y Rock’ que es a lo único que merece llamarse Musica” (dedicated to all the bands of ‘Metal and Rock’, this is the only real music), explains Luis Corrons, technical director of PandaLabs

Rimecud.B is designed to obtain information from the forms stored in the Internet Explorer and Firefox browsers.

This malicious code is distributed through P2P networks, and copies itself to the folders of programs such as:

- Ares
- Bearshare
- DC++
- eMule
- eMule plus
- iMesh
- Kazaa
- LimeWire
- Shareaza

Rimecud.B also spreads through MSN Messenger. To do so, it sends a copy of itself to the contacts connected at that moment.

Finally, it copies itself to the removable drives, such as USB memory sticks, MP3 players, etc.

EggDrop.AA, on the other hand, spreads through the Internet and copies itself to the system directory.

It creates a file server on the user’s PC it later tries to connect to, allowing remote intruders to monitor the infected computer through IRC channels.
The intruder can configure the server and carry out the following tasks:

*       Start up an HTTP proxy server.
*       Restore information about the infected system.
*       Start up an FTP server.
*       Upload and download files through FTP.
*       Modify and delete the Registry settings.
*       Search, rename and delete files.
*       Search for passwords i.e. Outlook passwords or passwords of games (WOW, Conquer Online) or information stored in Internet Explorer.
*       End the processes specified
*       Turn the system off or restart it.
*       Enable or disable the services running on the infected computer.
*       Create or modify user accounts.
*       Execute programs

“This worm allows the attacker to manage the user’s computer as if he had physical access to it, with all the risks this involves,” comments Luis Corrons

The amount of spam detected between January and March 2009 has increased slightly with respect to the same period in 2008, when spam accounted for 89.88% of the email received by companies.

With respect to the different types of spam, the amount of junk mail related to false job offers has increased, probably due to the current economic crisis.

“Cyber-crooks have been exploiting the desperate situation of those looking for work to offer enticing jobs. Their real aim however is to recruit money-mules, i.e. trick people into laundering money through their bank accounts”, explains Luis Corrons.

The USA continues to figure as the leading source of spam in Q1 2009, accounting for 11.61% of the total, followed by Brazil (11.5%) and Romania (5.8%).

Most of this spam was distributed through networks of zombie computers known as botnets. These are computers that have been infected by bots, which allow hackers to take remote control of the system for a host of malicious activities, mostly the sending of spam. When several computers are exploited in unison, they are referred to as botnets. In the first quarter of 2009, around 302,000 computers were newly infected and turned into zombies every day.

“The reason for such frenetic activity is that the lifespan of the infections is very short, as the authorities, the ISPs and even users themselves, rapidly detect that their systems are being used maliciously”, says Corrons.

“It is not the first time this type of blackmailer Trojans appear, however, the way in which payment is requested (SMS) is new,” explains Luis Corrons, technical director of PandaLabs.

For more information about this malware strain, go to the PandaLabs
blog: http://pandalabs.pandasecurity.com/archive/Ransomware-Reloaded.aspx

AVAAntiSpyware, on the other hand, is an adware aimed at selling users a
fake antivirus. This adware, like all of its kind, simulates a system scan, detecting several malware variants which are really not on the computer.

It then displays a window in which users can purchase a “Premium” version of a product to delete the supposed malware, or continue unprotected.  If users decide to continue unprotected, the malicious code starts displaying warnings and windows informing users they are infected, so they purchase the Premium version.

However, if users decide to purchase the pay version, they will be asked
to pay a “reasonable” sum. The only difference on activating the pay product is that false detection warnings will disappear in subsequent scans. Images at:
http://www.flickr.com/photos/panda_security/tags/avantispyware/

Finally, Waledac.AX is a worm that is distributed through the SMTP mail protocol. It sends two types of mails, one to infect victims and another by the way of advertising messages or spam. Below are some of the subjects used:

Can your health problems be solved
Give you lover new intimate feeling.
Which one of enlarhing products really work?

Additionally, it is distributed through different Web pages, one of which offers an application that supposedly allows users to read third-party SMSs. On downloading the application, users actually download the worm onto their computer.

This worm is also designed to steal passwords and email addresses, which
it encrypts and sends to different IP addresses.