Well, we’ve seen the first of the promised bugs for Apple and Apple products as a part of the “Month of Apple Bugs“. And perhaps unsurprisingly, the first bug is also applicable to Windows as well, being a buffer overflow vulnerability for QuickTime. There’s also some saying that this may be rather difficult to implement.

So in short, this month of bugs that’s supposed to take Mac fans down a peg…also exposes holes in Windows. And maybe it works, maybe it doesn’t. Way to start it off with a bang, there!

As a Mac fan who realizes Apple software is written by humans just like any other software, which will inevitably have the occasional bug, perhaps I’m not the demographic they’re looking to deflate. But really, I think you’d be hard pressed to find even the most rabid Mac fan who believes Apple software is 100% bulletproof. That’s just plain deluded. I think most Mac users at this point are of the opinion that it’s more akin to the risk of mosquito bites in August at Crater Lake, versus in January at the South Pole. There’s just a lot more nasty critters flying around the Windows environs than the OS X environs for the time being.

But even from a strictly researcher perspective, I am curious to see what this month brings up, both in terms of exploits and the discussion around them. Expect to see lots more here on that subject as things progress!

No, it’s not a Massive Ordnance Air Blast Bomb, thankfully. But could users of Apple software feel that it’s really that bad? January 2007 is the Month of Apple Bugs (MoAB), in which a new Apple-related vulnerability is announced for every day of the month.

The first two MoAB bugs affect Apple Quicktime and VLC Media Player respectively. If exploited, both bugs would allow remote code execution — however user interaction is needed.

MoAB is a project similar to November 2006’s Month of Kernel Bugs (MoKB). The bugs released during the MoKB affected software from a gamut of vendors, including Apple, Linux, Microsoft, NetGear, and others. In both projects, security researchers announce previously-unknown bugs in selected software in order to raise awareness about the state of security in these software products.

While many MoKB bugs remain un-patched and the software they affect remain vulnerable, Apple users affected by MoAB can thank Landon Fuller for some temporary relief. Landon, a system architect, has promised to develop unofficial patches for software affected by MoAB bugs.

The researchers at McAfee Avert Labs will continue to follow MoAB closely, so keep reading!

End User License Agreements, those infamous instruments of legal pretzelism, have broken the logic barrier and are beginning to collapse into a nonsensical linguistic singularity. A bold claim, you say? I have evidence! This is a direct quote from an adware-related EULA I recently encountered:

Producing a mental experience similar to that accompanying contemplation of the interstellar void or the size of the US national debt, the mind is confounded here not by huge distances or sums, but by raw logical absurdity: lengthy, multi-clause legalese sentences carefully describing, in English, what you should do if you don’t understand English.

…

At least they include the suggestion that you get a translator to help you read it. How thoughtful!

McAfee Avert Labs Blog End Reader License Agreement:
By reading this blog post you agree to accept any unsolicited slithy toves that may result in the wabe, regardless of whether brillig conditions prevail. You additionally release McAfee from any and all liability should your borogoves become mimsy.

As per my previous blog, many websites offer free video online in an attempt to install malware on user’s systems without their knowledge. Here we have one more which claims to offer a Video Access ActiveX Object (VAX), which is a new way to access free multimedia content on the Internet. The webpage attempts to look more professional by including information like an introduction to ActiveX, EULA and download link as shown: below.

We caution webpage viewers since this malware can be used by a pornographic webpage which calls itself Adult Tuba, whose design pattern matches with the popular video sharing page YouTube in an attempt to deceive users as shown below:

If users click on any movie links and follow the instructions, they ends up downloading malware as shown below, whose detection and removal is covered under the Puper family:

We caution all internet users from getting infected by these Video Access ActiveX Object sites found while surfing the web as we continue to protect our customers against such social engineering attacks.

It is interesting to see how the password stealing trojan (commonly called PWS) writers think… Over the last few months I’ve been writing about PWS Bankers, since they are one of the most common kinds of malware that targets Brazil, and since I can read Portuguese, I saw lots of improvements in those malwares, including…. multiple redundancies! Today I got something different. On the email that it sends to the malware author to say “Hello World, I am on machine-XYZ”, now it also includes data about browsing activity and even the bookmarks of the user, including the browser used and start page…, interesting huh?

Below is an example of the information sent by the malware:

Browser………….: C:\Program Files\Internet Explorer\iexplore.exe
Win Dir………….: C:\WINDOWS
Internet Protocol…: xxx.xxx.xxx.xxx
Start Page……….: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Date…………….: 1/8/2007
Time…………….: 6:58:03 AM
O.S. …………..: Microsoft Windows XP (version 5.1)
Bookmarks

*************************************************************
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
http://www.microsoft.com/isapi/redir.dll?(edited for length)sba=RadioBar&o1=&o2=&o3
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=CLinks
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsmedia
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windows
*************************************************************

Yes…he owns your computer and also knows where you surf!

For many, the Portable Document Format (PDF) has become the de-facto standard for exchanging documents. In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents. But with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs.

The first five of these new vulnerabilities have to do with the Adobe Reader plugin. Attacks that exploit these flaws may result in one of more of these results: HTTP-response splitting, cross-site scripting, session forgery, session riding, denial of service, memory corruption, or code execution. This scary list of attack results notwithstanding, a user would have to open a malicious web URL for an attack to occur. Adobe has issued Adobe Reader 8 that remedies these flaws.

The sixth new PDF vulnerability is also the sixth of the Month of Apple Bugs (MoAB) installment. If a malicious PDF document crafted to exploit this flaw were opened by a user, it would corrupt memory and could lead to code execution. Landon Fuller has posted or referred to temporary fixes for all eight MoAB flaws so far. The fix for the MoAB PDF flaw can be found here. Thank you, Landon!

Please stay secure against the PDF vulnerabilities, as we continue to protect our customers against such threats.

So far, we are used to seeing news about some virus for mobile phones that would send SMS messages, steal contacts database, etc…

Yesterday Apple officially released their (cool) iPhone, and just recently I read about Nokia’s (also cool) N800 model. Why am I talking about these? Well, this time we are not talking about SymbianOS, GEOS or the Palm OS, but MAC OS X (on the iPhone) and Linux (on the N800). All models with full networking connections and with Wi-Fi. What I want to say is that we may find this biennial of 2007/2008 to be a new era of malware for mobile phones, complete with fully functional malwares, because of the same PC-based behavior and functionality…

So, stay tuned!

This just hasn’t been a great year for the security of applications or responsible disclosure, has it. First we have the Month of Apple Bugs (which is finding a number of application-specific vulnerabilities), then we have a raft of Adobe product vulnerabilities. Now we have VeriSign offering a substantial bounty for people to poke holes in IE7 and Vista.

It seems that what we’re seeing in the malware world is also happening in the vulnerability world. Financial motivation, a vast increase in overall traffic with no one incident being particularly huge, and a general feeling of being in the Wild West. Lawlessness and vigilantism seems to be the order of the day. That doesn’t generally lead one to feel like the internet is a shiny, happy place.

But what are we to do about this? Telling people they’re naughty and need to behave, when they’re getting such notoriety or financial gain obviously isn’t going to work. Making the notoriety and money stop coming is a largely futile effort as well, it would seem. Even suing Adware makers, as an example, seems to be reasonably ineffective.

Maybe the key lies in the consumer side of the equation. Maybe as the general populace becomes more aware of what things to avoid, and what things to do to protect themselves, this will become a moot point. The glut of malware and vulnerabilities will be like flies buzzing in our ears - an academic concern rather than a constant state of emergency. I do find it hopeful that people are becoming more aware of security issues, even if we have a very long way to go yet.

Spam containing images, or “image spam” was a major focus of spammers and Anti-Spam vendors during 2006. During the last few years techniques used to detect text based spam, and the computers that were sending it, were effective at detecting almost all spam and spammers were fighting a losing battle getting their spam delivered to inboxes.

During the second quarter of 2005 spammers began to develop a technique of including an image rather than text to carry the spam message. This type of spam started to increase in complexity and volume, and by the start of 2006 image spam accounted for up to 30% of all spam. By October image spam had increased up to 40% of all spam and by the end of 2006 image spam accounted for up to 65% of all spam. With a 100% increase in image spam, which is typically 3-4 times the size of text based spam, there must have been a lot of extra junk clogging up the tubes of the internet last year.

At the start of the year image spam consisted primarily of ‘pump and dump’ stock spam. This was more suited to image spam as it did not require recipients to click on a link. By the end of the year image spam was advertising ‘pump and dump’ stock, pharmaceuticals, fake degrees, counterfeit software, loans, mortgages and other kinds of junk usually associated with text based spam.

Image spam, like text based spam, is continually changing and although many of the images appear to be the same at first glance, in most cases each image is unique. Even the older image spam used techniques to avoid detection such as random background noise in the image file, random image file names, random subject lines and ‘hash buster’ message bodies were added to disguise the spam. Some image spam used animated gifs and some used multi-layer image files to hide the spam message in the image.

Over the year McAfee developed a large number of methods to detect image spam accurately. Analyzing the actual content of the image is very slow and CPU intensive, and spammers have already started to obfuscate the text in the spam to prevent OCR techniques from classifying the image (for example by using wavy or broken text as in the examples above.) McAfee Anti-Spam does not analyze the actual ‘picture’ as this is slow and not currently necessary to detect the spam. Instead McAfee Anti-Spam uses a number of techniques to detect image spam, some are based on the (mostly botnet) computers used to send the spam and some are based on analysing the content of the spam message. Current McAfee Anti-Spam detection rates for image spam are around 99%+.

The trend of image spam seems certain to continue in 2007 as spammers continue to build up their botnets and hone the tools used to distribute this type of spam.

Further blogs regarding image spam and some of the techniques used to detect it are planned for the coming weeks/months.

Ransomware has been recently associated with attacks on enterprise networks. For the expertise required to first penetrate well-guarded corporations; and for the risk that there must always be at some point, contact between the malware author and the victim to facilitate the transaction, perhaps it is understandable that cyber extortionists would rather do it once, but do it well.

In July 2006, a series of the Ransom-A trojan infections widely reported in mainstream Chinese media led to the arrest and prosecution of an engineer in Guangzhou, China, allegedly responsible for writing and distributing the trojan. The modus operandi was simple - run a website hosting free software, which turns out to be a trojan that hides the victim’s document files. What follows is the request for a fee to recover the “lost” data. According to a press release by Ministry of Public Security of China, the 34 year-old was financially in trouble and profited in total US$500 from extortion through “the first reported ransomware in China”.

More recently, McAfee Avert Labs followed the developments of Ransom-C, reportedly spammed widely as an e-mail attachment. A Chinese article published by Beijing CERT on Christmas Day covered, in some detail, e-mail communication between one of the victims and the malware author. Unlike the former, the Ransom-C author apparently has put in slightly more effort with its “customer service”. The e-mail communication starts off with a decent description of the file system and data recovery process, then offers the victim an “Enterprise” option for full recovery or a cheaper “Family” edition for partial recovery. Sounds like your helpful and knowledgeable sales or support representative! Only in spite of the “kind” offer, most data are gone for good as the trojan did not hide them, but had deleted them. They aren’t really interested in giving a resolution.

Our investigations had led to the discovery of a more sophisticated criminal operation associated with this threat. Numerous legitimate websites, possibly hacked, were found hosting and installing the ransomware onto users surfing upon it with an exploit targeting vulnerable versions of Internet Explorer. To make it robust, legitimate hyperlinks have also been spoofed to point to a download link for the trojan. Most of these websites were hosting financial news, medical information, personal webpages, and such - well, you’ve got the idea, they are targeting the masses at where you least expected; and clearly in a very organized manner.

China has a relatively new, but one of the fastest growing, Internet population in the world. Between high risk targeted attacks on corporations and profiting from a massive pool of unsuspecting Internet users, it’s not a tough choice for the virtual gold miners. It will get interesting when we start seeing these organized folks get busted.

We’ve seen the many cases of Spyware-makers being brought to justice and paying hefty fines because of their immoral practices and ill-gotten gains. (We hope to see more of these cases thanks to the work of the FTC, CDT, and Anti-Spyware Coalition)

We’ve seen cases of corporate espionage, like the Israeli couple who are serving time in prison for making spyware and charging companies for their services of spying and stealing data.

We’ve even seen cases of people who used Spyware with the intent of spying on their spouses getting thrown in jail. As was the case in the “Jealous Spyware Husband” who spent £100 on spyware to monitor his wife because he thought she was cheating on him and eventually killed her. He is now serving a life sentence.

But this is the first case I’ve seen where someone may receive prison time because of their negligence for not removing spyware from a PC… In Norwich, CT, a substitute teacher faces prison time because the classroom computer she was teaching with was infected with Spyware and she exposed her 7^th grade students to pornographic images due to the pop-ups that the Spyware was generating. Julie Amero was convicted on Friday, January 5, 2007 of four counts of risk of injury to a minor and faces a maximum sentence of 40 years in prison.

Is it not bad enough that spyware-makers are stealing our identity, capturing our data, annoying us with pop-ups, slowing down our Internet connection, and crashing our PCs? Now they are making their victims liable for the crap that they insidiously put on our computers!

Be careful of worshiping Pandas showing up on your system!! Machines have been getting infected by a piece of malware called W32/Fujacks. The virus files have an icon of a panda holding incense sticks. We have seen several variants of Fujacks since Nov 2006.

Early variants of Fujacks were a worm that spread through network shares with weak passwords and infected executables. Several of the variants can infect web based files like .html, .asp, .php, etc. The infected html files are detected as W32/Fujacks!htm. The html files are infected by appending an iframe tag. When these html file are opened through a browser, they will download another variant of this virus. Recently, we have also seen variants that infect both executables and the html files.

More information around this threat can be found at W32/Fujacks, W32/Fujacks.worm and W32/Fujacks!htm. We at McAfee Avert Labs continue to protect our customers against this threat and remind Internet users to be updated with the latest security patches for their web browsers.

The advice given by Jiangmin and quoted by China Daily was flawed because W32/Fujacks.worm infects trusted HTML files and customers can browse any trusted web page locally or remotely with these infected links. The key to the problem is that these malicious links point to sites exploiting the MDAC vulnerability patched in MS06-014.

For many, Web 2.0 is about democracy, user-generated viral marketing, social networking, and sharing “public goods”. This has led to a large number of audio/video content distribution/sharing sites - such as YouTube for video sharing, Myspace for indie artist discovery, Pandora/Lastfm etc for music discovery/online radio, Imeem/Myspace for social networking, and a gazillion others. With this new “network as a platform” model, Adobe’s Macromedia Flash Player, with its market share at 96% of Internet-enabled desktops in mature markets, is the natural choice for content distribution.

Let us ignore the case of user-uploaded copyrighted content or illegal bootlegging websites for now. While everyone’s talking about AllofMp3.com & YouTube, no one seems to have talked about the incredible amount of copyrighted content that is readily & “freely” accessible through services like online radios that haven’t implemented media delivery via Flash Players/objects securely.

The following are the top 3 issues with the way Flash is used by these content-distribution services:

1. Using HTTP to fetch audio(MP3) or video(FLV) content. Macromedia does provide secure alternatives like Flash Communication Server and the closed-source RTMP protocol (say over HTTPS) to stream sensitive content. However, few sites use it. HTTP allows a simple web proxy controlled by a user to log all the URLs generated by the online radio Flash object. Ironically, most of these sites have highly randomized URLs to deter easy access, but since they appear in clear text on the wire, they can be replayed easily to get the copyrighted original-resolution audio or video.

2. ActionScript driven client-side DRM. This is a bad idea for at least 2 reasons. Firstly, client-side security is a bad-idea in general, since it assumes a well-behaved client. Secondly, the Flash SWF is now an open object format, and SWF decompilers have been available for quite some time now. SWF objects are essentially the various UI content (bitmaps, vectors, etc) packed together, and the ActionScript bytecode that describes the relationship between these components, and the timing & algorithmic information for the Flash movie. So, the decompilers, umm.. not disassemblers, actually give the original highlevel ActionScript source code as was fed to the Flash compiler including the variable/object names etc. All design secrets like the randomization algorithm used for the URLs, passwords, etc are thrown wide open.

3. Using local PIE-SOL objects to store DRM information. Another brain-dead idea. Online radios for copyrighted content naturally have to operate under restrictive licenses. So they implement restrictions that say limit the number of times a listener can skip to the next song in an hour, or prevent the listener from skipping back and replaying the previous song etc. The secure place to store skip counts and other session information is on the server. However, the more popular choice is the local SOL object readable from the Flash object. Unfortunately, the SOL format has also been reverse engineered, and editors are available that can tamper with this information easily. Infact, SOL objects can be deleted to lose all the skip/play counts and other session DRM history and start afresh.

It is important to note that this blog is not pointing out new weaknesses, rather drawing attention to the fact that various simple security best practices for media content distribution are being widely ignored. This leaves libraries of copyrighted content potentially at risk.

 “Give me $1 to unsubscribe”

That’s basically what the latest Russian spam says.  Let me get one thing straight for anyone that’s not had their coffee yet. Never pay spammers, ever. All the smart spammers have suckers lists. You have been warned! Etc Etc…

International spam has been a growing problem for a long time and with a world-wide network of spam traps, we see (and deal with) a lot of local spam. This rather interesting specimen group landed in the lap of a researcher this afternoon because it was a little out of the ordinary.

Andrey Slabosnickiy from Rostov-on-Don was insightful enough to invite one of our international spam-traps to unsubscribe from his general database for a buck. 

Take a look at the original

and our English translation.

By providing many ways to make the unsubscribe payment (Web Money, Yandex, SMS, or Money@Mail.ru) Andrey will be leaving quite a money trail for the local authorities to follow should they wish to do so, though I doubt they will given the state of local anti-spam laws. Shame, we’d be happy to help

Overnight we’ve seen a rash of new variants of Downloader-BAI being seeded.  Within a few hours time, over 20 new variants have been released.

This trojan can choose from the following list of subjects:

• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• Naked teens attack home director
• A killer at 11, he’s free at 21 and kill again!
• British Muslims Genocide
• 230 dead as storm batters Europe

and the following attachment names:

• Read More.exe
• Full Clip.exe
• Full Story.exe
• Video.exe

The large number of variants underscores a topic that’s been discussed much lately - The biggest trend in malware is a sort of buck-shot approach.  Create a very large number of different variants in a short span of time, hoping to gain at least a few extra hours in which to be undetected by at least some traditional AV scanners.  This reminds us again of the need to have a multi-layered defense.  Even something as simple as filtering EXE files at the gateway would have made this seeding event a non-issue.

We all get the odd spam, depending on the effectiveness of your spam filter of course! Most of them look the same at face value, some text describing the product the spammer is pushing, maybe an image, and a link for you to click on. Take the following spam we have been seeing recently, it looks normal to the naked eye, but hidden beneath the html are some new tricks a spammer is trying out!

These guys will try absolutely anything to get around anti-spam filters. In this case the spammer has decided to do some magic with the link in the spam.

I’ll reproduce what the spammer did with a link to our own Avert Labs website of http://www.avertlabs.com (this is not the link that was spammed) to save you clicking on to any undesirable websites. The link in the spam was in the following format:

http://0×00000cd.227.0000000000000000210.0×000000000074
If you click on it you will be taken to: http://www.avertlabs.com. So how do all these funny looking numbers, characters and dots get me to that website you might ask. Well, the link is actually an IP address (http://205.227.136.116), but instead of writing it in decimal numbers the spammer has opted for a mixture of octal, hexadecimal and decimal numbers with a few extra zeros for good measure. The following table shows the different numbers a spammer could mix to obfuscate the IP address for avertlabs.com.

This leaves the spammer with many different variations of the link, a few examples are:

http://0315.0343.136.0×74
http://0xcd.227.0210.0×74
http://0xcd.0xe3.136.0164
http://0315.0xe3.0210.0×74

Web browsers understand all the different number systems used here and don’t mind extra zeros so the links work perfectly well no matter what combination of the above you use. So with an arbitrary number of zeros the spammer can create an infinite number of different links.

http://000000000000315.00000343.136.0×0000074
http://0×00000cd.227.0000000000000000210.0×000000000074
http://0×0000000000cd.0×0000000000e3.136.000000000164
http://00000315.0×0000000e3.000000210.0×000000074
http://0×0000cd.0×0000000e3.0×0000088.0×0000000074

This is the latest in a long list of methods we have seen spammers use to obfuscate URL’s in spam. What will they think of next?

It’s been a few days since our last post on the subject of Downloader-BAI, and the massive seeding is still continuing with dozens of new variants each day.

The first interesting bit in this event is watching the authors of this malware cobbling separate pieces together. Some time this weekend, this Downloader trojan was being found in the droppings of a mass mailer, W32/Nuwar@MM which had previously been tied to a couple of other Downloader trojan familes. So now, being tied with a mass-mailer as well as a mass seeding, this trojan has become more self-sustaining in its distribution. It’s unlikely, at this point, that this will be dying down completely any time soon.

Another thing that’s particularly notable, from a technical perspective, is that this collection of trojans is coordinating itself by way of a peer to peer network. This is something we’ve been seeing malware authors playing with more and more lately, with this one arguably being the most successful. W32/Nugache and the “Phatbot” variant of W32/Gaobot both attempted coordinating by P2P through Gnutella cache servers, but they were very limited in the number of bots that could be in a given botnet. Malware authors seem to understand that having any single point of failure means that at some point, they will in fact fail and have to rebuild their botnet. By having a “headless” botnet, they can self-heal more effectively.

Most notable of all with this event, with Downloader-BAI and Nuwar, is the social engineering tactics being used in this seeding. W32/Nuwar gained quite a bit of notoriety during the holidays, for its variety of holiday-specific subject lines. Now Downloader-BAI is being seeded with a list of subject lines, the majority of which are intended to ruffle feathers or cause concern in certain specific countries, for example:

• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• British Muslims Genocide
• 230 dead as storm batters Europe.
• Radical Muslim drinking enemies’ blood.
• Sadam Hussein alive!
• Russian missle shot down USA satellite
• Russian missle shot down Chinese aircraft
• Sadam Hussein safe and sound!
• The commander of a U.S. nuclear submarine lunch the rocket by mistake.
• Hugo Chavez dead.
• Fidel Castro dead.
• The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
• U.S. Southwest braces for another winter blast. More then 1000 people are dead.
• Venezuelan leader: “Let’s the War Begin”.

Personally, I find messages making outlandish claims something to be deleted without further ado. (Especially those messages that have file-attachments, and whose spelling is rather suspect) But for some reason this tactic is still proving successful. None of these techniques are particularly new or innovative, and if one were employing basic security measures this could be avoided. But due to the combination of huge numbers of new variants and social engineering tactics, it’s working for these miscreants.

As one who often talks to less technically inclined people about internet security issues, I find myself telling people to use “common sense” a lot. A conversation with my Dad (who’s moderately technically savvy) really brought home to me how little this concept has permeated the Internet Culture.

Most folks get that you need to regularly update your AV software. Some folks have even grasped that updating your application/OS software regularly is a very good thing. And yet there are still an astounding number of people who fall victim to social engineering techniques like we’ve been seeing with Downloader-BAI which we discussed yesterday, and which has pretty much been used since the dawn of computer viruses and phishing.

Memorizing lists of Do’s and Don’ts can be a bit daunting for people, so I’ve started advising people to look at their computer like it was their house. People can “come to your house” by email, via web-sites, by comment spam, by portable media or storage devices, whatever. Just like people can come to your real house by ringing your front door-bell, using the door-knob, crawling in a window, etc. Regardless of how the technology changes, the metaphor is the same.

• Would you trust someone who came to your house purporting to be from your bank, asking for your personal and financial details?
  Few banks would actually go to this length, especially because it would be so easy for someone to impersonate a bank official. (I know this isn’t always the case but it’s still a perfectly sound rule to follow)
• Would you open packages you weren’t expecting, especially if it was addressed strangely or vaguely, or smelled or looked funny?
  People rarely hesitate to open attachments which look like they could contain something scary or titillating, but I imagine most folks would find it extraordinarily off-putting if they got a package on their doorstep that had no return address and promised snuff film footage or pictures of their neighbor’s wife naked.
• Would you leave your house unattended and unlocked?
  Granted, there are places in the world where this is still a reasonable thing to do, but most of us live in areas with enough population that this is considered unsafe even (or especially) if we are home. And yet many people don’t update their application/OS software, don’t put password-protection on their wi-fi connections, and don’t have a firewall. These are essentially the doors, windows and locks of your computer - the things which allow people to get in and out of your system. With these left wide open, people are free to come and go as they please, taking or leaving whatever they want.

Is this incredibly simplistic? Yes. Do most people need to understand protocol filtering and white-listing? For the average user, no. Most folks can get by well enough, or would at least be much safer than they are now, if they just understood the most basic security concepts.

Used by anti-phishing technology, a list of suspicious URLs is maintained by Google and publicly available on the Internet. It is the Google blacklist: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:-1

On his blog, Michael Sutton who analyzed this link, explains it is used by the Google Safe Browsing for Firefox extension which is now part of the Google Toolbar for Firefox.

On January 5th, the Register announced that this public list contained confidential information like peoples’ usernames, passwords or session tokens. They wrote the problem had been corrected. Last Monday an Internet security firm reconfirmed the problem they first discovered on the 3rd of January.

As I am interested in identity theft risks, I played with my favorite Internet search engine. Unfortunately it was not difficult to find copies of some lists that were spread before Google removed the offending data.

Online we are more and more requested to enter our personal data. One day we make an error and inadvertently some of our sensitive information can be stored or even sent to a hacker and perhaps used by him. This post demonstrates that this data can easily become publicly available on the Internet. All the more reason to be vigilant.

In case anyone was wondering what that new graphic in the upper right hand corner of the blog is, let me share some exciting news! The McAfee Avert Labs Security Blog has been nominated for a Codie Award for Best Technology Blog! Simply being named a finalist by the Software & Information Industry Association is a huge honor for us.

The Codie Awards recognize 72 categories of outstanding products and services through a unique combination of journalist and peer review. This year’s 367 finalists represent technology and business excellence, passion and success and were chosen from more than 1,200 nominations submitted by more than 600 companies—breaking the record set in the 2006 awards. Over 219 individuals in the trade press, consulting, educators, IT specialists and other neutral specialists were involved in reviewing the entries.

The Software & Information Industry Association (SIIA) is the principal trade association for the software and digital content industry. SIIA provides global services in government relations, business development, corporate education and intellectual property protection to more than 800 leading software and information companies.

Final voting will begin February 12 by SIIA voting members at http://www.siia.net/codies/2007. Winners will be named on April 17 at the gala event, which will take place at the Palace Hotel, San Francisco, CA.

Shout-Outs and props to all the researchers at McAfee Avert Labs because it is their content and research that drives the blog. Thanks as well to all our readers!
Wish us luck!!!!

This Monday, I was surprised after I read news reports of Vinton Cerf’s participation in the “Who Will Run the Internet?” panel at the World Economic Forum in Davos, Switzerland.

As reported on BBC.news, up to a quarter of the computers on the net may be used by cybercriminals in so-called botnets. They add Mr. Vinton Cerf said : “of the 600 million computers currently on the internet, between 100 and 150 million were already part of these botnets”.

For ZDNET, the Internet guru predicted and is quoted as saying that “a quarter of all PCs currently connected to the internet — around 150 million — could be infected by Trojans which covertly seize control of a computer and its broadband connection, handing control of both to remote criminals”.

These figures are phenomenal and somewhat conflicted:

• In January 2005, I discussed less than 10 million infected machines.
• In January 2006, professor Merrick Furst from the Georgia Tech’s College of Computing explained he was pretty sure at least 7 percent of the Internet was infected. For him typical numbers of conscripted machines ranged from around 75 million to 100 million.
• Now, in January 2007, the new figures seems to be between 100 and 150 million.

I do not deny these latest figures, but I question whether they correspond to 25% of PCs currently connected to the Internet.

Visiting the World Economic Forum blog, I found an entry posted after the panel ended. It is explained that “botnets (infected PCs under the control of bad guys) represent over 10% of the PCs connected to the Internet.”

I agree more with this percentage, although it is no less worrying!

This last week I was among those at the “secretive conference” of security folks, ISPs and law-enforcement agents to discuss bots. Much like at last year’s VB conference, there was much discussion about the need for more cooperation and information-sharing between bot-fighters. Not just within the three groups but within each of the individual disciplines. People within all of the three groups were clear that none of us have all the pieces of the puzzle, and that in order for us to truly make a dent in the growth of bots and botnets, we need to share more of our information with each other.

There has been much made of turf wars within the bot herder community, but the more notable thing in terms of fighting these bots is actually how much they’re cooperating. We know they’ve been pooling resources to code their bots, but apparently they’re also sharing botnet resources quite widely (for instance, to take down a particularly robust website that they wish to attack).

There was a significant sense of frustration from all concerned about the lack of resources for the Good Guys, versus the rewards for the bot herders. Often an iron-clad case will be given to the relevant authorities, only to have the case go nowhere because the bot herders are minors and/or from a non-cooperative country.

The good news in all this is that, while things may look dim at times, events like these can and do create a lot of good connections in important places. It’s about getting the right information to the right people to not only take down isolated pieces of the puzzle, but larger and more significant chunks of the gangs behind this crimeware.

Over the past month we have seen a significant increase in Casino related spam. On one day alone recently it reached over 10% of all spam we saw on that day.

It appears that some U.S. online gambling companies have turned to spam in order to get more customers in Europe since the U.S. government brought in tough legislation aimed at making internet gambling illegal. The Legislation makes it illegal for firms to handle money obtained from online gaming by prohibiting the use of credit cards and electronic fund transactions. The bill was signed by President Bush in October sending the industry into chaos. Several firms went into administration and many well known UK internet gaming companies such as PartyPoker and 888.com have already stopped operating in the U.S.

One spam campaign has been translated into several European languages including German, Dutch and Italian. The website being spammed is localised in at least 5 European languages but the telephone number on the website is from the U.S. and is answered by someone with an American accent!

In contrast another spammer has been taking a different approach and explicitly advertising that “USA players are welcome”.

The graph above shows the significant increase in casino related spam it the last month. While there were some campaigns over the 6 month period shown, they are now more frequent and higher in volume.

Gee, I really feel like someone important these days. I’ve gotten 2 offers to join the bot economy this week alone!

The most recent one was an email entitled “extra money fast and easy” offering me an “entry level opportunity in the field of financial services”. It starts right off sounding distinctly fishy and unprofessional:

We are a small and relatively Software Development and Outsourcing Company specializing in enterprise application development, system integration, corporate networks and other software solutions for business, finance, and for various types of problems. The company based in Ukraine but at this time we open new office in Bulgaria.

After some description of what they purport to do as a “company”, it then goes on to give a fairly good description of what all will be transpiring:

If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and check payments and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income.

The next paragraph is where we get a particularly odd incentive:

Our financial professionals work with clients to help them achieve their many financial goals such as saving on taxes.

Why yes, taking a cut of stolen funds is certainly one way to make untaxed income. The downside of this being that these mules are the ones who’re most easy to apprehend and prosecute.

Another message I got the other day was via IM, coincidentally while I was at the ISOTF meeting. This one was discussing the other end of the bot economy:

I sell things, adena, characters, a time of a card
Pin codes the Internet of providers and mobile operators.
In online games WoW.Lineage2
ICQ dispatch is cheaper than at all…
So ICQ numbers 5-6-place numbers cheaply.

The first part of the email seems to have been in Russian, but it didn’t come through well, so I’m only including the translation which was included at the end. The first and third lines seem to be dealing with online game credentials. I’m not wholly sure what’s meant by “time of a card”. He also offers ISP and mobile passwords, along with hacked ICQ accounts. He’s a veritable one-stop shop for identity theft!

Clearly they’re not being particularly picky about the recipients of these offers. Yet another illustration of how bot herders are using the shotgun approach. The first email was actually sent to my work address. You’d think they’d exclude AV company addresses from these things…

Today I saw a note on ZDNet regarding the malicious usage of the new Microsoft Vista Speech Command. The basic idea is that if you create an audio file, lets say an .mp3, with commands, and someone opens a webpage that hosts this file, the OS will play it and may execute the commands. So if you record the command ‘Start, execute, CMD, shutdown -r’ , and a person enters on the webpage that plays this mp3, the computer will restart. Funny, huh? But just remember that this is not something really new. I remember last year, when I was chatting with a friend, and suddenly some out of order letters appeared in the chat room, like “hey, I was skdhgkahgjfag, then…” , and she thought that something was really wrong with her computer, like malware or something. Turns out that later, after AV scanning, etc… she figured out that her microphone was on and the speech recognition was on too, so for some of the sounds that she was saying at the time, out load or to her family, Windows was trying to ‘help’ her to write it…:)

I don’t really think that this Vista speech command is so bad after all, but, just like any other service, if you don’t need it, disable it!

While various bits of North America have seen wintry flurries in the past fortnight, those in computer security have seen a flurry of four Microsoft-related zero-day exploits.

The first three of these flaws affect Microsoft Visual Studio:

• Microsoft Visual Studio .CNT Buffer Overflow
• Microsoft Visual Studio .HPJ Buffer Overflow
• Microsoft Visual Studio .RC Vulnerability

The fourth flaws affects Microsoft Word:

• Microsoft Word 0-Day Vulnerability IV

All four flaws would allow a remote attacker to execute arbitrary code on a vulnerable machine. For an attack to occur in all four cases, user interaction is required; e.g., a user would have to visit a Web site that hosts a malicious file or open a malicious file locally.

With Microsoft’s next Patch Tuesday falling on February 13, these flaws will remain un-patched for at least two more weeks. So stay warm this winter, and insulate yourself from these zero-day exploits too!

There have been numerous stories recently covering unpatched Microsoft Word vulnerabilities. For reference, the CVE designations for these vulnerabilities are:

• CVE-2006-5994
• CVE-2006-6456
• CVE-2006-6561
• CVE-2007-0515
• CVE-2007-0621 (Microsoft has stated that this is not a new, but related to CVE-2006-6456)

Recently McAfee Avert Labs added detection for Exploit-MSExcel.h, an Excel document that was submitted from the field. This exploit is consistent with other targeted zero-day attacks and is believed to be contained.

Microsoft has confirmed that this exploit targets an unpatched vulnerability. According to Microsoft’s Security Advisories Archive (Microsoft Security Advisories are released in advance of patch releases, not to be confused with Microsoft Security Bulletins), the only Excel-related security advisory in the past 20 months, was patched in MS06-037. Numerous other Excel-related patches have been released during this time.

Update Feb 2, 2007 at 7 pm PST
Microsoft Security Advisory (932553) has been released and CVE-2007-0671 has been assigned. Microsoft describes this vulnerability as affecting the following products:

• Microsoft Office 2003 
• Microsoft Office XP 
• Microsoft Office 2000
• Microsoft Office 2004 for Mac

From the advisory:

Workarounds for Microsoft Office Remote Code Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

• Do not open or save Office files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Office file.

McAfee Avert Labs has confirmed Microsoft’s testing; not opening malicious Office files successfully mitigates this threat.

From time to time we see malware writers claim or ask for recognition of their malware. They usually leave messages in the virus body for the AV companies to see. They might ask for jobs, or offer help to detect something–you will never understand a malware writer’s mind.

Today I was analyzing YAB (yet-another-bot) and found the following message in the virus body:

“ATTN ANTIVIRUS EMPLOYEE: If you’re going to name my very nicely coded modular bot, at least give it the proper name of ‘[Name Removed]Bot.’ Lots of love, Author of [Name Removed]Bot.”

Of course, we will NOT put the author’s name on the bot, so it will remain just a regular bot.

This marks the first year that Avert Labs has a direct presense at RSA. We will be running some very cool demos at the McAfee booth and answering questions about our research happenings. Some of the demos include password-stealing trojans, a botnet in action, and the coolest drive-by rootkit installation ever!!! Make sure you stop by booth 1730 and say “Sup Dawgs!”

We also know how hard it can be to try and catch a cab around the Moscone Center, so on Tuesday and Wednesday we will be offering free rides from RSA to any nearby location in San Francisco. Just look for the black Mini Coopers displaying the McAfee logo!

Accepting an e-mail implies that the message transfer agent (MTA) has accepted responsibility¹ for performing onward delivery. This has legal implications in some countries nowadays. In most cases the legal requirements will include keeping an archived copy of every e-mail that passes through the network. Given that it is estimated that 65 percent to 90 percent² of all e-mail today is spam, companies can end up archiving terabytes of spam!

Unfortunately most MTAs today will queue and accept first, then dequeue and scan before onward delivery. This leads to many people opting for something called accept-and-drop in an effort to reduce spam. If the e-mail is found to be spam after accepting it, it is simply discarded. Under some legislation this could be considered illegal. Even worse is the case of a false-positive, resulting in a legitimate e-mail being discarded.

In order to effectively combat spam, it is necessary to stop the spam before it enters the network.

Read the rest of this entry »

Malware authors have been at the cutting edge of incorporating exploit code into their creations for zero day vulnerabilities. Fueled by financial incentives and readily available source code, the bad guys of today aggressively pursue continued development of malware code. Over the years, the window between vulnerability discoveries to its incorporation into a worm or exploit candidate has shrunk from months, to weeks, to zero day. This leaves administrators with very little time to schedule and deploy patches to all servers and workstations on their networks. And during this vulnerable time frame if the network is hit with a bot that uses a zero-day vulnerability, an organization could be faced with a potential worm outbreak or large scale attack.

The chart below shows the time frame between the vulnerability being reported and how long it took for malware authors to incorporate it into a worm candidate.

The paper “Defeating bots on the internal network” from McAfee Avert Labs published in the Feb 2007 issue of Virus Bulletin describes setting up an IRC honeypot on a network using minimal resources and requiring little maintenance to be used as an early warning system to proactively alert botnet activity. Also discussed is using the internal IRC honeypot to gain control over infected machines and removing the bot from infected machines.

Yes the rumors are true. We have confirmed sightings of the highly anticipated but never duplicated McAfee Mini-Cooper!

Remember to stop by our RSA booth, check out the demos and get free rides in the McAfee Mini-Cooper!!!!

There’s a video making the rounds that was made by Michael Wesch, an assistant Cultural Anthropology Professor at Kansas State University. It’s an inspiring look at the wonders of Web 2.0. In one particular scene, he discusses a few things that we will need to rethink in light of this revolution: copyright, authorship, identity, ethics, governance, privacy, commerce, etc.

He’s entirely right.  And the time to do that is now.

Throughout the history of computing, and perhaps of human history itself, we’ve had opposing forces–power vs. security, connectivity vs. trust. A new tool comes out, and it increases our ability to do something–say, automate tasks in a word processor or connect to people in a new way. People quickly learn how to use this tool for malicious purposes, and then rules get put in place to keep people from using it maliciously.

The Internet is a relatively new tool that has been widely used for malicious purposes, but it’s not something as simple as using a word processor. People access the Internet with countless common protocols and countless applications for each, with more appearing every day.

The main component of security is that trust must be earned. People establish credentials, or you get to know them, before you let them at your personal and financial data–things that could be used against you for malicious purposes. Most people don’t truly understand how to use a computer, much less know how to verify credentials. And then there are those who are so excited by the opportunity to connect that they don’t even bother to try. (How many of you MySpace users have people on your friends’ list that you’ve never met in person or even had an entire conversation with?)

What we have now is power far beyond most people’s abilities or desire to comprehend. It’s reaching a critical point where that ignorance can not only cost you your reputation, but also your money and your freedom. This message just isn’t reaching the people who need to hear it: the ones who are least apt to understand how to protect themselves, the people who are unlikely to be reading these technically oriented articles.

It’s when we can rethink the message enough to get it put on the back of cereal boxes that we’ll actually make a difference in this situation. When we can make this simple and compelling enough to explain it to a six-year-old, as Richard Feynman might have said, we can look forward to a decrease in the malicious use of the Internet.

On the heels of my Zero-Day Excels Over Word blog, McAfee Avert Labs is currently investigating a new Word exploit.  Preliminary analysis shows that this is a different issue than those referenced in my last blog:

This new exploit may be somehow related to MS06-027 and the DAT files proactively detect this new threat as a variant of Exploit-MS06-027 since June 2006.  This threat appears to exploit Word 2000.  Again, this is preliminary analysis.  We are working with Microsoft to confirm the history of this vulnerability and will update the blog when we have more information.

Like many of the recent Word exploits, this appears to have been used in a very limited and targeted attack.

Update Feb 9, 1:30pm
Microsoft has acknowledged this issue.  They state that it is limited to a Denial of Service attack on Word 2000 and that code execution is not possible.

Denial of Service is clearly not as critical as other recent issues.  Looks like this targeted attack was flawed.

Update Feb 14, 4:30pm

Further analysis shows this is likely not limited to denial of service.  See Exploit Targeting Unpatched Word Vulnerability Spotted (Follow-up)

Today, Xinhua News Agency reported the arrest of several suspects believed to have been behind the creation and propagation of the W32/Fujacks file infector worm a.k.a infected files with the Panda icon.

In the article, the official Chinese media cited an announcement from the Public Security Department of the Hubei Province naming 8 suspects including a 25-year old believed to be “WhBoy”, the infamous nickname that is embedded in most variants of W32/Fujacks.

Xinhua’s article in Chinese:

http://news.xinhuanet.com/legal/2007-02/12/content_5731540.htm

Throughout 2006 and continuing into 2007, McAfee Avert Labs has been closely monitoring the trends of cyber criminal activities in Asia. W32/Fujacks, amongst other profit-motivated multi-vector attacks, spiked in 2006 and looks to be a trend that will continue in 2007.

See the full-size graph here.

Between Q3 and Q4 2006, we saw a spike in the number of reported variants of Asian password-stealers and related trojans and file infectors. We blogged about this phenomenon with W32/HLLP.Philis variants in November 2006. What is really beyond these raw figures however is the increasing sophistication of Asian malware threats.

Both W32/HLLP.Philis and W32/Fujacks are more than the usual file infectors. These are multi-vector threats, usually including an aggressive downloader that updates itself frequently, can infect both executable and non-executable files over insecure media such as open network shares and USB drives, thus slipping through the cracks of loosely managed IT policies. Once successful, trusted media files can be further infected with malicious code or hyperlinks through PE file infection, web-based exploits over HTML or media files targeted against unpatched and vulnerable applications.

This approach of attacks on multiple system and user vulnerabilities at multiple layers dramatically increases the criminal opportunities for these malware authors. Indeed, we have seen a comparable rise in number of associated password-stealer variants reported - a considerable source of revenue for the worm seeders.

The lack of law enforcement in China in cyber crime has often been attributed for the rise in malware threats propagating from this region. It is encouraging to see the start of what appears to be the end of the first major case of cyber crime in China with these arrests. At the same time, enterprises need to consistently review and tighten up their current IT strategies to protect against the sophisticated attacks of today.

Š

Alright, maybe it is not exactly research related but I think it’s pretty cool. We previously announced that McAfee SiteAdvisor has been acknowledged by the U.S. Department of Commerce with its “Recognition of Excellence in Innovation” honor. The award was presented by the Honorable Robert Cresanti, U.S. Under Secretary of Commerce for Technology, for the technology’s innovative approach to making the Internet a safer place to search and surf for consumers.

A couple of pics below from the McAfee RSA booth:

That is McAfee’s CTO Christopher Bolin (in the middle) receiving the award from Under Secretary of Commerce Cresanti with McAfee’s Interim CEO Dale Fuller to the left.

Huliq has a nice writeup of it available here.

Are spammers losing their touch? By looking at the (lack of) volume of Valentine-related spam we are seeing, I would vouch that this could be the case. Besides the usual little bit of boring malware masquerading as an innocent Valentine message, nothing otherwise to even awaken the anti-spammer asleep in front of his/her desk.

Maybe they’re low on money. This will explain the amount of stock spam we saw this week. Or maybe it is the fact that as of Valentine’s day, it is possible to buy Viagra over the counter without prescription in the UK - that old pill spam might not be as exciting a proposition as before.

Then there is the turf wars. Is it the case that spammers just got that old adage the wrong way around: Make War, Not Love? Maybe that is the case, for with every war, there come soldiers, and with the soldiers, prostitutes. Does that explain the increase in escort and prostitute spam lately? Or do they think that the anti-spammers have no Valentines and need alternative fulfillment?

Or maybe they are just laying low, building up their arsenals for the next big run. Well, if that is the case we’ll be waiting and they can have a bouquet of black roses as well.

Earlier today Symantec posted a description for Trojan.PPDropper.G.  The vulnerability mentioned in the description has been assigned CVE-2007-0913.  SANS added it to their missing Microsoft patches table.

However, McAfee Avert Labs’ testing shows this issue was patched today in MS07-015 along with the Office Zero-Day reported by McAfee on February 2 (CVE-2007-0671).  This testing suggests Trojan.PPDropper.G may in fact be a PowerPoint version of the Office zero-day exploit used in Exploit-MSExcel.h.

We will post an update when we have more definitive information.

Update Feb 14,  2007
Microsoft has confirmed that this is patched in MS07-015 and related to CVE-2007-0671.

In a previous blog post I warned that we should be increasingly cautious with PDFs because more and more PDF-related flaws are being released. Security experts at RSA 2007 echoed last week that corporate threats seem to be “moving to Adobe”.

Today is Microsoft’s February Patch Tuesday. Microsoft issued six critical-rated and six important-rated patches. And one of the critical flaws being addressed by those patches – you guessed it – relates to PDFs. The MS07-010 bulletin states that a specially crafted PDF file could trigger an integer overflow in the Microsoft Malware Protection Engine. This would allow remote code execution; in one attack vector, no user interaction is required for exploitation. More information about this flaw can be found on the McAfee Threat Center site.

Do we have another PDF-flaw trend fitter or what?

This is an update to the update on CVE-2007-0870.

A few days ago I blogged about a new Word vulnerability that was used in a targeted attack (I know, it’s hard to keep these straight). Later that day Microsoft stated that the vulnerability was limited to denial of service, rather than remote code execution, and the blog was updated accordingly.

Well, since then our researchers continued to look at the issue, as did Microsoft’s. Today, McAfee Avert Labs’ analysis shows that this vulnerability is likely not limited to denial of service and that remote code execution may in fact be possible. Microsoft has also acknowledged that the vulnerability may not be limited to denial of service. Word 2000 and Word XP are believed to be vulnerable, though exploiting this flaw is non-trivial.

I suspect that a Microsoft Security Advisory for this issue will be released soon.

In related news, the team is currently analyzing proof-of-concept Excel files that were posted publicly today as “Microsoft Office Excel 2003 XLS File Denial Of Service”.

Update Feb 14, 6:15pm
A short while ago Microsoft did indeed release Microsoft Security Advisory (933052).

As we know, proper marketing is crucial for any product to grow. In the case of online activity, several potentially unwanted programs (PUPs) like Adware-MemWatcher, Adware-Look2Me and Adware-Apropos have come up with different strategies. These latest strategies include monitoring a user’s browsing habits to better know the user’s interest and according to that, display various pop up ads.

Here is a case where a PUP named Malwarewipe is getting marketed by a trojan called Puper. The strategy begins with Puper dropping its supporting fi