Peer-to-Peer

Click Fraud II

Click fraud is a lot like shoplifting. It’s not the most shocking crime you know of, and it’s not really victimless. It is theft. But observing and identifying click fraud is more difficult than watching a kid slip an unpaid-for candy bar or magazine into their pocket. It’s also a cost of business that burdens all customers of a business. Ugly.

Malware Attacks on Windows 7

Yesterday’s release of Windows 7 brings with it a different playground for malware.

Reported PPStream 0day? Exploitable or just a crash?

PPStream is a multimedia player used widely throughout Asia, as in hundreds of millions of users. As such, it is interesting when crashes for widely used client-side software are reported as "exploitable" on various blogs and PoC sites.

Waledac birdie_a.exe, birdie_b.exe, corvus_b.exe, william_a.exe Mixed in with FakeAv Download Scheme

We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but some of the classic characteristics of the Waledac trojan/worm -- the email/spam engine, AES encrypted/bzip2 compressed P2P peering listing, DDoS capabilities, http C&C contact, email harvester, and credential stealing functionality.

P2P File Sharing and Limewire

In another "duh!" moment, it was discussed that government workers and contractors probably should not be sharing their drive contents using P2P software. In a recent hearing, U.S. lawmakers discussed sensitive content like "FBI files, medical records, Social Security numbers and even a file containing information about a safe house location for [the U.S.] President" that was accessed over LimeWire.

Streamviewer.exe, Tubeviewer.exe, Tubeplayer.exe, now Onlinemovies.exe!

The gang serving up malicious downloaders from a couple of servers just spiced things up, swapping streamviewer and softwarefortubeview for "onlinemovies.40008.exe" on the list of obnoxious files served from 64.20.38.172. AV detection is very low.

Waledac Fourth of July Run

Over the past couple of months, the Waledac spam/botnet effort seemed to be dwindling. A large software company attempted to take credit for cleaning up the "ecosystem" of Waledac with their cleanup tool release.

In the meantime, Waledac's presence on systems started to change and appear in lower volumes, flying under the radar of many groups. The ThreatFire community saw Waledac code injected into svchost processes and prevented by ThreatFire in low volumes, bundled with other attacks.

Wanna See Harry Potter and the Half-Blood Prince?

You're going to have to wait for it to come out. And if you don't, you may be sorry you didn't wait.

The group pushing blackhat SEO tactics to abuse the most popular networks, including digg.com, blogspot.com and others, continues to prey on those interested in upcoming movie releases.

W32.Downadup P2P Scanner Script for Nmap

Symantec’s Security Intelligence Analysis Team has collaborated with Nmap contributor Ron Bowes to aid in the development of an Nmap script that is able to detect hosts infected with W32.Downadup.C by enumerating the peer-to-peer (P2P) protocol used by the worm.

W32.Downadup.C Bolsters P2P

Sometime between March 4 and March 6, 2009, the authors of the Downadup worm pushed out a significant update to a portion of the Downadup network. Symantec Security Response engineers captured the update in one of their honeypots and quickly responded with definitions to protect against the threat.
