Archive for January, 2007

Month of Apple Bugs, not strictly a Mac problem

Well, we’ve seen the first of the promised bugs for Apple and Apple products as a part of the “Month of Apple Bugs”. And perhaps unsurprisingly, the first bug applies to Windows as well, being a buffer overflow vulnerability in QuickTime. Some are also saying that it may be rather difficult to exploit in practice.

So in short, this month of bugs that’s supposed to take Mac fans down a peg…also exposes holes in Windows. And maybe it works, maybe it doesn’t. Way to start it off with a bang, there!

As a Mac fan who realizes Apple software is written by humans just like any other software, which will inevitably have the occasional bug, perhaps I’m not the demographic they’re looking to deflate. But really, I think you’d be hard pressed to find even the most rabid Mac fan who believes Apple software is 100% bulletproof. That’s just plain deluded. I think most Mac users at this point are of the opinion that it’s more akin to the risk of mosquito bites in August at Crater Lake, versus in January at the South Pole. There’s just a lot more nasty critters flying around the Windows environs than the OS X environs for the time being.

But even from a strictly researcher perspective, I am curious to see what this month brings up, both in terms of exploits and the discussion around them. Expect to see lots more here on that subject as things progress!

MoAB is Upon Us!

No, it’s not a Massive Ordnance Air Blast Bomb, thankfully. But could users of Apple software feel that it’s really that bad? January 2007 is the Month of Apple Bugs (MoAB), in which a new Apple-related vulnerability is announced for every day of the month.

The first two MoAB bugs affect Apple QuickTime and VLC Media Player respectively. If exploited, either bug would allow remote code execution; however, user interaction is required.

MoAB is a project similar to November 2006’s Month of Kernel Bugs (MoKB). The bugs released during the MoKB affected software from a gamut of vendors, including Apple, Linux, Microsoft, NetGear, and others. In both projects, security researchers announce previously unknown bugs in selected software in order to raise awareness about the state of security in these software products.

While many MoKB bugs remain unpatched and the software they affect remains vulnerable, Apple users affected by MoAB can thank Landon Fuller for some temporary relief. Landon, a system architect, has promised to develop unofficial patches for software affected by MoAB bugs.

The researchers at McAfee Avert Labs will continue to follow MoAB closely, so keep reading!

EULA-wocky

End User License Agreements, those infamous instruments of legal pretzelism, have broken the logic barrier and are beginning to collapse into a nonsensical linguistic singularity. A bold claim, you say? I have evidence! This is a direct quote from an adware-related EULA I recently encountered:

Special Notice for Non-English Speakers:

The Licensed Software is suited primarily for the use of English speakers and, therefore, this License Agreement is written in English and is addressed to English speakers. If you are not proficient in English and feel that you cannot properly understand this License Agreement, we recommend that you either retain the help of an English speaker to help you understand and accept the terms of this License Agreement or, alternatively, refrain from installing or using the Licensed Software. In any event, if you choose to install or Use the Licensed Software, you will be bound by [the] License Agreement and the Privacy Policy incorporated herein.

Producing a mental experience similar to that accompanying contemplation of the interstellar void or the size of the US national debt, the mind is confounded here not by huge distances or sums, but by raw logical absurdity: lengthy, multi-clause legalese sentences carefully describing, in English, what you should do if you don’t understand English.

At least they include the suggestion that you get a translator to help you read it. How thoughtful!

McAfee Avert Labs Blog End Reader License Agreement:
By reading this blog post you agree to accept any unsolicited slithy toves that may result in the wabe, regardless of whether brillig conditions prevail. You additionally release McAfee from any and all liability should your borogoves become mimsy. :-)

“Media object? No it’s Malware Object!”

As per my previous blog, many websites offer free video online in an attempt to install malware on users’ systems without their knowledge. Here we have one more, which claims to offer a Video Access ActiveX Object (VAX), supposedly a new way to access free multimedia content on the Internet. The webpage attempts to look more professional by including information such as an introduction to ActiveX, a EULA and a download link, as shown below.

We caution webpage viewers, since this malware is also pushed by a pornographic webpage calling itself Adult Tuba, whose design mimics the popular video sharing site YouTube in an attempt to deceive users, as shown below:

If users click on any of the movie links and follow the instructions, they end up downloading the malware shown below, whose detection and removal is covered under the Puper family:

We caution all Internet users against these Video Access ActiveX Object sites found while surfing the web, as we continue to protect our customers against such social engineering attacks.

Give me your bookmarks!

It is interesting to see how the password stealing trojan (commonly called PWS) writers think… :) Over the last few months I’ve been writing about PWS Bankers, since they are one of the most common kinds of malware targeting Brazil, and since I can read Portuguese, I have seen lots of improvements in that malware, including…. multiple redundancies! Today I got something different. In the email it sends to the malware author to say “Hello World, I am on machine-XYZ”, it now also includes data about browsing activity and even the user’s bookmarks, along with the browser used and the start page…, interesting huh? :)

Below is an example of the information sent by the malware:

Browser………….: C:\Program Files\Internet Explorer\iexplore.exe
Win Dir………….: C:\WINDOWS
Internet Protocol…: xxx.xxx.xxx.xxx
Start Page……….: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Date…………….: 1/8/2007
Time…………….: 6:58:03 AM
O.S. …………..: Microsoft Windows XP (version 5.1)
Bookmarks

*************************************************************
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
http://www.microsoft.com/isapi/redir.dll?(edited for length)sba=RadioBar&o1=&o2=&o3
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=CLinks
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsmedia
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windows
*************************************************************

Yes…he owns your computer and also knows where you surf!
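As an added example (not part of the original post), here is a Python parser for the report layout shown above, together with a simple mail-gateway style check that flags an outbound message in that layout; the sample report is constructed, and the key names and the “at least three known keys” threshold are assumptions.

```python
import re

# Constructed sample in the layout of the trojan's notification mail quoted above;
# the values are made up (the original uses dotted leaders, here plain ASCII dots).
SAMPLE_REPORT = """\
Browser.............: C:\\Program Files\\Internet Explorer\\iexplore.exe
Win Dir.............: C:\\WINDOWS
Internet Protocol...: 192.0.2.10
Start Page..........: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Date................: 1/8/2007
Time................: 6:58:03 AM
O.S. ...............: Microsoft Windows XP (version 5.1)
Bookmarks

*************************************************************
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
http://www.example-bank.test/login
*************************************************************
"""

# Key, a run of dot (or ellipsis) leaders, colon, value.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z. ]+?)[.…]{2,}\s*:\s*(?P<value>.*)$")
SEPARATOR_RE = re.compile(r"^\*{5,}$")

def parse_pws_report(text):
    """Split the report into its key/value header and the fenced bookmark list."""
    fields, bookmarks, in_bookmarks = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if SEPARATOR_RE.match(line):
            in_bookmarks = not in_bookmarks   # asterisk rows open and close the list
            continue
        if in_bookmarks:
            if line:
                bookmarks.append(line)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip(" .")] = m.group("value").strip()
    return fields, bookmarks

def looks_like_pws_report(text):
    """Outbound-mail check: several of the fixed header keys plus a fenced URL list."""
    fields, bookmarks = parse_pws_report(text)
    expected = {"Browser", "Win Dir", "Internet Protocol", "Start Page", "O.S"}
    return len(expected & set(fields)) >= 3 and len(bookmarks) > 0
```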

The PDF Flaws are coming!! The PDF Flaws are coming!!

For many, the Portable Document Format (PDF) has become the de facto standard for exchanging documents. In using PDFs, some wish to sidestep the risks of malware-prone Microsoft Office documents. But with the announcement of six new PDF-related vulnerabilities in several security forums last week, we should all now be more careful with PDFs.

The first five of these new vulnerabilities have to do with the Adobe Reader plugin. Attacks that exploit these flaws may result in one or more of the following: HTTP response splitting, cross-site scripting, session forgery, session riding, denial of service, memory corruption, or code execution. This scary list notwithstanding, a user would have to open a malicious web URL for an attack to occur. Adobe has released Adobe Reader 8, which remedies these flaws.

The sixth new PDF vulnerability is also the sixth installment of the Month of Apple Bugs (MoAB). If a user opened a malicious PDF document crafted to exploit this flaw, it would corrupt memory and could lead to code execution. Landon Fuller has posted or referred to temporary fixes for all eight MoAB flaws so far. The fix for the MoAB PDF flaw can be found here. Thank you, Landon!

Please stay secure against the PDF vulnerabilities, as we continue to protect our customers against such threats.

A new era for Mobile phone Virus writers?

So far, we are used to seeing news about some virus for mobile phones that would send SMS messages, steal the contacts database, etc…

Yesterday Apple officially released their (cool) iPhone, and just recently I read about Nokia’s (also cool) N800 model. Why am I talking about these? Well, this time we are not talking about Symbian OS, GEOS or Palm OS, but Mac OS X (on the iPhone) and Linux (on the N800). All of these models have full networking connectivity, including Wi-Fi. What I want to say is that we may find the 2007/2008 biennium to be a new era of malware for mobile phones, complete with fully functional malware, because these devices behave and function just like PCs…

So, stay tuned!

Exploits in the “Wild West”

This just hasn’t been a great year for the security of applications or for responsible disclosure, has it? First we have the Month of Apple Bugs (which is finding a number of application-specific vulnerabilities), then we have a raft of Adobe product vulnerabilities. Now we have VeriSign offering a substantial bounty for people to poke holes in IE7 and Vista.

It seems that what we’re seeing in the malware world is also happening in the vulnerability world: financial motivation, a vast increase in overall traffic with no one incident being particularly huge, and a general feeling of being in the Wild West. Lawlessness and vigilantism seem to be the order of the day. That doesn’t generally lead one to feel like the internet is a shiny, happy place.

But what are we to do about this? Telling people they’re naughty and need to behave, when they’re getting such notoriety or financial gain obviously isn’t going to work. Making the notoriety and money stop coming is a largely futile effort as well, it would seem. Even suing Adware makers, as an example, seems to be reasonably ineffective.

Maybe the key lies in the consumer side of the equation. Maybe as the general populace becomes more aware of what things to avoid, and what things to do to protect themselves, this will become a moot point. The glut of malware and vulnerabilities will be like flies buzzing in our ears - an academic concern rather than a constant state of emergency. I do find it hopeful that people are becoming more aware of security issues, even if we have a very long way to go yet.

Image Spam Part 1 - Explosion in 2006

Image spam

Spam containing images, or “image spam”, was a major focus of spammers and anti-spam vendors during 2006. During the last few years the techniques used to detect text-based spam, and the computers that were sending it, were effective at catching almost all spam, and spammers were fighting a losing battle getting their spam delivered to inboxes.

During the second quarter of 2005 spammers began to develop a technique of including an image rather than text to carry the spam message. This type of spam started to increase in complexity and volume, and by the start of 2006 image spam accounted for up to 30% of all spam. By October image spam had increased to up to 40% of all spam, and by the end of 2006 image spam accounted for up to 65% of all spam. With a 100% increase in image spam, which is typically 3-4 times the size of text-based spam, there must have been a lot of extra junk clogging up the tubes of the internet last year.

Increase in image spam

At the start of the year image spam consisted primarily of ‘pump and dump’ stock spam. This was well suited to image spam, as it did not require recipients to click on a link. By the end of the year image spam was advertising ‘pump and dump’ stocks, pharmaceuticals, fake degrees, counterfeit software, loans, mortgages and other kinds of junk usually associated with text-based spam.

Image spam, like text-based spam, is continually changing, and although many of the images appear to be the same at first glance, in most cases each image is unique. Even the older image spam used techniques to avoid detection: random background noise in the image file, random image file names, random subject lines and ‘hash buster’ message bodies were all added to disguise the spam. Some image spam used animated GIFs, and some used multi-layer image files to hide the spam message in the image.

Over the year McAfee developed a large number of methods to detect image spam accurately. Analyzing the actual content of the image is very slow and CPU intensive, and spammers have already started to obfuscate the text in the image to prevent OCR techniques from classifying it (for example by using wavy or broken text, as in the examples above). McAfee Anti-Spam does not analyze the actual ‘picture’, as this is slow and not currently necessary to detect the spam. Instead McAfee Anti-Spam uses a number of techniques to detect image spam, some based on the (mostly botnet) computers used to send the spam and some based on analysing the content of the spam message. Current McAfee Anti-Spam detection rates for image spam are around 99%+.
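As an added illustration of the structure-based approach described above (not McAfee’s detection code, which the post does not disclose), here is a small heuristic scorer in Python: it builds a constructed image-spam lookalike with the standard email library, then scores messages on structure alone, without decoding the picture: an image rendered inline from the HTML part, a random-looking image file name, and a picture that dwarfs the visible text. The sample message, the file-name pattern and the score threshold are assumptions.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# A real 1x1 GIF (constructed) so the sample carries a genuine image part.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
# Random-looking image names: letters and digits mixed (assumed pattern).
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{5,}\.(gif|jpe?g|png)$", re.I)

def build_sample(hash_buster):
    """Constructed image-spam lookalike: the pitch exists only as an inline GIF;
    the visible text is a 'hash buster' meant to defeat message-digest filters."""
    msg = EmailMessage()
    msg["Subject"] = "hi"
    msg.set_content(hash_buster)
    msg.add_alternative('<html><body><img src="cid:img001"></body></html>', subtype="html")
    msg.get_payload()[1].add_related(TINY_GIF, maintype="image", subtype="gif",
                                     cid="<img001>", filename="ahu38fq.gif")
    return msg.as_bytes()

def score_image_spam(raw):
    """Score from message structure only; the picture itself is never decoded."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    text_chars, image_bytes, cids, refs, names = 0, 0, set(), set(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_chars += len(part.get_content().strip())
        elif ctype == "text/html":
            refs |= set(re.findall(r'src="cid:([^"]+)"', part.get_content()))
        elif part.get_content_maintype() == "image":
            image_bytes += len(part.get_payload(decode=True))
            cids.add((part.get("Content-ID") or "").strip("<>"))
            names.append(part.get_filename() or "")
    score = 0
    if cids & refs:                               # image is rendered inline by the HTML
        score += 2
    if image_bytes > 3 * max(text_chars, 1):      # picture dwarfs the visible text
        score += 1
    if any(RANDOM_NAME.match(n) for n in names):  # random image file name
        score += 1
    return score

def is_image_spam(raw, threshold=3):
    return score_image_spam(raw) >= threshold
```

The tiny sample GIF is far smaller than a real spam image, so only the inline-image and file-name rules fire on it; on real traffic the size rule adds its point as well.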

The trend of image spam seems certain to continue in 2007 as spammers continue to build up their botnets and hone the tools used to distribute this type of spam.

Further blogs regarding image spam and some of the techniques used to detect it are planned for the coming weeks/months.

Data for Ransom - Petty Theft or Organized Crime ?

Ransomware has recently been associated with attacks on enterprise networks. Given the expertise required to first penetrate well-guarded corporations, and the risk that at some point there must be contact between the malware author and the victim to facilitate the transaction, perhaps it is understandable that cyber extortionists would rather do it once, but do it well.

In July 2006, a series of Ransom-A trojan infections widely reported in mainstream Chinese media led to the arrest and prosecution of an engineer in Guangzhou, China, allegedly responsible for writing and distributing the trojan. The modus operandi was simple: run a website hosting free software, which turns out to be a trojan that hides the victim’s document files. What follows is a request for a fee to recover the “lost” data. According to a press release by the Ministry of Public Security of China, the 34-year-old was in financial trouble and profited a total of US$500 from extortion through “the first reported ransomware in China”.

More recently, McAfee Avert Labs followed the developments of Ransom-C, reportedly spammed widely as an e-mail attachment. A Chinese article published by Beijing CERT on Christmas Day covered, in some detail, the e-mail communication between one of the victims and the malware author. Unlike the former, the Ransom-C author apparently has put slightly more effort into “customer service”. The e-mail exchange starts off with a decent description of the file system and the data recovery process, then offers the victim an “Enterprise” option for full recovery or a cheaper “Family” edition for partial recovery. Sounds like your helpful and knowledgeable sales or support representative! But in spite of the “kind” offer, most of the data is gone for good: the trojan did not hide the files, it deleted them. They aren’t really interested in providing a resolution.

Our investigations have led to the discovery of a more sophisticated criminal operation associated with this threat. Numerous legitimate websites, possibly hacked, were found hosting the ransomware and installing it onto the machines of visiting users via an exploit targeting vulnerable versions of Internet Explorer. To make the operation more robust, legitimate hyperlinks on those sites have also been altered to point to a download link for the trojan. Most of these websites were hosting financial news, medical information, personal webpages, and the like; well, you’ve got the idea, they are targeting the masses where you least expect it, and clearly in a very organized manner.

China has a relatively new, but one of the fastest growing, Internet population in the world. Between high risk targeted attacks on corporations and profiting from a massive pool of unsuspecting Internet users, it’s not a tough choice for the virtual gold miners. It will get interesting when we start seeing these organized folks get busted.