From the latest Bullguard newsletter:


Malware found in MSN Messenger banner ads

Microsoft has admitted its Windows Live Messenger client displayed banner
ads for several days punting an application blacklisted as a security risk,
The Register reports.

Microsoft has pulled the ads for Errorsafe, a purported security product
labeled by legitimate firms as "scareware" designed to frighten users into
buying a product that actually impairs Internet safety. Microsoft has
promised to review its advertisement approval process in order to prevent
the problem cropping up again.

For a period earlier this week, Errorsafe, which is listed as a security
risk alongside related packages such as Winfixer, appeared as a banner ad
inside Windows Live Messenger.

Worse still, pop-up ads punting the product were served to users running
Windows Live Messenger. These pop-up ads appeared without user interaction.
Clicking on the OK or Cancel buttons in this pop-up window would have
resulted in an attempt to download a malicious ActiveX control without a
user's permission.

Shortly after Microsoft made the admission, other outlets reported that MSN
Groups displayed ads for a separate piece of software widely regarded as
rogue.

Read the full story:
http://www.theregister.co.uk/2007/02...ger_scareware/

Also...



Drive-by pharming poses a risk to up to 50 percent of home users
Online February 20, 2007

A new threat called drive-by pharming has been identified, ZDNet UK
reports.

A security firm has warned that drive-by pharming, in which a cyberattacker
takes control of a user's home router, could allow a malicious attacker to
steal a user's bank details. Anyone who hadn't changed the default password
on their router would be at risk, the security firm claimed.

To execute a drive-by pharming attack, a malicious hacker would have to
create a Web page that contained specially crafted JavaScript code. If a
user who visited the page had enabled automatic running of JavaScript, then
this code would attempt to change the settings in their router. If the
router had no password or was still using the default password it shipped
with, then the JavaScript will send the router a string to change the
domain name system (DNS) settings on the router.

By hacking the router's DNS settings, the JavaScript would redirect it to a
DNS server that was run by the attackers themselves. This would allow them
to serve fake versions of banking sites, which would appear to be totally
genuine and would have a completely genuine URL.

"All you have to do to become a victim is simply visit the Web page that
hosts this malicious code. You don't have to click OK on any dialogue boxes
or accidentally download and install malicious software," an expert said.

Experts have calculated that up to 50 percent of home users could be at
risk.

Read the full story:
http://news.zdnet.co.uk/security/0,1...9285996,00.htm