What makes the Energizer DUO - USB Charger infection so interesting is that it apparently existed for quite some time before anyone even noticed. Security pro Kurt Wismer details how even he was infected by the trojan, despite employing pretty good security practices - including up-to-date antivirus and patches. For Kurt's firsthand account, see: The Energizer Bunny Looks More Like a RAT.

In conjunction with the very real physical threat of tsunamis, folks will need to be on alert for a corresponding surge in tsunami-themed scams. This may include malicious links planted in search engine results for popular keywords such as tsunami, earthquake, chile, and hawaii.

A Big Case of ...OOPS.

#
Ok If I have to I will comment,I love facebook so right now just want to log in if thats ok with you..lol Keep up the good work...
#
I just want to sign in............
#
I just want to log in to Facebook - what with the red color and all? #
#
I was just learning,why would you mess it up?
#
ok cool now can I get to facebook
#
wtf is this bullshttttttttttt all about. can i get n plzzzzzzzzz
#

Reading the comments, linguistically the majority of the "lost loggers" appear to be younger. This would be a generation that grew up with a "Popcorn" button on the microwave. And it begs the quite serious question, if the popcorn button failed, would they know how to pop it any other way? I don't mean using a stove, a pan, and some oil either - but simply the ability to program in the right amount of time?

I ask this because the thread, funny at times but mostly quite sad, indicates that a large number of Web surfers have no understanding of even the very basics of their Web browser. And because they are used to accessing sites via search engines, they aren't at all familiar with the address bar - much less how a URL is formed.

If users don't understand the basics of how a normal URL is formed, how can they ever recognize a malformed URL that points to a phishing site? Likewise, if these users cannot distinguish a valid search engine listing for Facebook from a listing for a blog discussing Facebook, how can they even begin to decipher spamdexing listings?

And if they can't do any of the above, how will those of us in the security industry ever be able to help them understand the sophisticated and highly criminal attacks that are taking place via the Web today? Because while it might be tempting to chuckle at these users' lack of basic understanding of how the Web works, the thing is that most of them probably have jobs. They could even be working in your own enterrpise. And it's your intellectual property that's at stake. And it's these very same users that might be the only thing standing between your sensitive data and those that would steal it.

It's not funny. It's downright scary.

Note that detection names are generic - not all malware blocked by one of these threatnames will be related to the Kneber branch of the Zeus botnet. Following are some of the domain names and IP addresses associated with the Kneber branch of Zeus:

58.218.199.239
59.53.91.102
60.12.117.147
61.235.117.71
61.235.117.86
61.4.82.216
193.104.110.88
95.169.186.103
222.122.60.186
217.23.10.19
85.17.144.78
200.106.149.171
200.63.44.192
200.63.46.134
91.206.231.189
124.109.3.135
61.61.20.134
91.206.201.14
91.206.201.222
91.206.201.8
216.104.40.218
69.197.128.203  
123.30d5546ce2d9ab37.d99q.cn
d99q.cn
524ay.cn
adcounters.net
adobe-config-s3.net
mywarworld.cn
aqaqaqaq.com
avchecker123.com
bizelitt.com
biznessnews.cn
bizuklux.cn
fcrazy.com
fcrazy.eu
boolred.in
brans.pl
britishsupport.net
bulkbin.cn
chaujoi.cn
checkvirus.net
chinaoilfactory.cn
chris25project.cn
client158.faster-hosting.com
cwbnewsonline.cn
cxzczxccc.com.cn
dasfkjsdsfg.biz
dia2.cn
digitalinspiration.e37z.cn
dolbanov.net
dolcegabbana.djbormand.cn
djbormand.cn
download.sttcounter.cn
sttcounter.cn
dred3.cn
dsfad.in
e37z.cn
e58z.cn
electrofunny.cn
electromusicnow.cn
elsemon.cn
fcrazy.info
filemarket.net
flo5.cn
footballcappers.biz
fobsl.cn
forum.d99q.cn
gamno6.cn
gidrasil.cn
gifts2010.net
ginmap.cn
giopnon.cn
gksdh.cn
glousc.com
gnfdt.cn
gold-smerch.cn
goldenmac.cn
google.maniyakat.cn
maniyakat.cn
greenpl.com
grizzli-counter.com
grobin1.cn
inpanel.cn
itmasterz.org
iuylqb.cn
kaizerr.org
keepmeupdated.cn
khalej.cn
kimosimotuma.cn
klaikius.com
klitar.cn
kolordat482.com
kotopes.cn
liagand.cn
love2coffee.cn
majorsoftwareupdate.info
marcusmed.com
mcount.net
mega-counter.com
monstersoftware.info
morsayniketamere.cn
mydailymail.cn
mynewworldorder.cn
newsdownloads.cn
nit99.biz
nm.fcrazy.com
nmalodbp.com
not99.biz
online-counter.cn
pedersii.net
piramidsoftware.info
popupserf.cn
qaqaqaqa.com
qaqaqaqa.net
qbxq16.com
redlinecompany.ravelotti.cn
ravelotti.cn
relevant-information.cn

• Energy & Oil (356% increase)
• Pharmaceutical & Chemical (322% increase)
• Government (252% increase)
• Banking & Finance (204% increase)

Not unexpectedly (for those watching the numbers), the Gumblar botnet dominated in 2009, at 14% of all Web malware blocks compared to Asprox (2%) and Zeus (1%). Overall, 19% all Web malware were direct encounters with data theft trojans and 23% of all Web malware encounters were zero-day threats not blocked by signatures (but picked up by ScanSafe's Outbreak Intelligence). Also not a surprise - malicious PDF's were the most commonly encountered exploit, seconded by Flash.

Overall, Web malware more than doubled throughout the year from an average of 8 encounters per day per customer at the beginning of 2009 to 19 encounters per day at the end of 2009.

The complete ScanSafe Annual Global Threat Report can be downloaded here.

The McAfee report also stated that the malware they observed was targeting Internet Explorer 6. Microsoft has confirmed the vulnerability and released security advisory 979352 regarding the incident. However, it is not clear from the McAfee statement whether Google is among those companies working with McAfee.

Compounding the question, of course, is the delicate matter of forensics. Even with very straightforward Web attacks, the attackers frequently switch out the malcode. In a highly targeted attack, every aspect of the attack can be swapped out for each specific target. On any given day, even with the most routine of compromises, malware and exploits used are often swapped to avoid detection, hamper forensics, or up the ante.

Further, exploits today are hardly static. The exploit that gets delivered is usually entirely dependent on the configuration of the victim's computer. It seems highly improbably that an attack described as "highly sophisticated and highly targeted" would rely solely on a zero day vulnerability in an outdated browser.

Compounding matters, Google discovered the additional corporate victims in the course of their own investigation, which obviously would have taken place after the breach was discovered. These victims were then notified by Google, thus any forensics they would have done would have been well after the fact and likely would not pertain specifically to the attack as it took place live. As such, despite the eagerness of all the fringe investigators, likely the only ones who actually know what zero day exploits were truly involved are the attackers themselves.