Archive for January, 2007

Could you face prison time for not cleaning your Spyware-infected PC?

We’ve seen the many cases of Spyware-makers being brought to justice and paying hefty fines because of their immoral practices and ill-gotten gains. (We hope to see more of these cases thanks to the work of the FTC, CDT, and Anti-Spyware Coalition)

We’ve seen cases of corporate espionage, like the Israeli couple who are serving time in prison for making spyware and charging companies for their services of spying and stealing data.

We’ve even seen cases of people who used spyware to spy on their spouses being thrown in jail, such as the “Jealous Spyware Husband” who spent £100 on spyware to monitor his wife because he thought she was cheating on him, and who eventually killed her. He is now serving a life sentence.

But this is the first case I’ve seen where someone may receive prison time because of negligence in not removing spyware from a PC. In Norwich, CT, a substitute teacher faces prison time because the classroom computer she was teaching with was infected with spyware, and she exposed her 7th grade students to pornographic images from the pop-ups the spyware was generating. Julie Amero was convicted on Friday, January 5, 2007 of four counts of risk of injury to a minor and faces a maximum sentence of 40 years in prison.

Is it not bad enough that spyware-makers are stealing our identity, capturing our data, annoying us with pop-ups, slowing down our Internet connection, and crashing our PCs? Now they are making their victims liable for the crap that they insidiously put on our computers!

Panda prays or preys?

[image: Fujacks]

Be careful of worshiping Pandas showing up on your system!! Machines have been getting infected by a piece of malware called W32/Fujacks. The virus files have an icon of a panda holding incense sticks. We have seen several variants of Fujacks since Nov 2006.

Early variants of Fujacks were a worm that spread through network shares with weak passwords and infected executables. Several of the variants can infect web-based files like .html, .asp, .php, etc. The infected HTML files are detected as W32/Fujacks!htm. The HTML files are infected by appending an iframe tag. When these HTML files are opened in a browser, they download another variant of this virus. Recently, we have also seen variants that infect both executables and HTML files.

More information on this threat can be found at W32/Fujacks, W32/Fujacks.worm and W32/Fujacks!htm. We at McAfee Avert Labs continue to protect our customers against this threat and remind Internet users to keep up to date with the latest security patches for their web browsers.

The advice given by Jiangmin and quoted by China Daily was flawed because W32/Fujacks.worm infects trusted HTML files and customers can browse any trusted web page locally or remotely with these infected links. The key to the problem is that these malicious links point to sites exploiting the MDAC vulnerability patched in MS06-014.
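Since the HTML infection described above works by appending an iframe to an existing page, an integrity check that looks for markup after the closing tag is a cheap way to spot tampered web files. The following is an added example and not Avert Labs’ code; the function names, the in-memory “path to contents” mapping and the sample pages (with a placeholder URL) are all constructed for illustration.

```python
import re

# Added example (not McAfee's code): a simple integrity check for web files that
# reports any iframe tag and flags markup appended after the closing </html>
# tag, which is where an infector that appends to an existing page leaves its payload.

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def scan_html(html: str) -> list[str]:
    """Return a list of findings for one HTML document (empty if clean).

    Two checks: every iframe tag is reported so a reviewer can confirm it is
    legitimate, and any non-whitespace content after the last </html> tag is
    reported as a likely appended payload.
    """
    findings = []
    for tag in IFRAME_RE.findall(html):
        findings.append(f"iframe tag present: {tag}")

    closers = list(CLOSE_HTML_RE.finditer(html))
    if closers:
        tail = html[closers[-1].end():]
        if tail.strip():
            snippet = tail.strip().replace("\n", " ")[:80]
            findings.append(f"content appended after </html>: {snippet}")
    return findings


def scan_files(documents: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of path -> contents and keep only the files with findings."""
    report = {}
    for path, html in documents.items():
        findings = scan_html(html)
        if findings:
            report[path] = findings
    return report


# Constructed sample pages; the URL is a placeholder, not a real indicator.
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
INFECTED_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<iframe src="http://placeholder.invalid/x.htm" width="0" height="0"></iframe>'
)

if __name__ == "__main__":
    sample = {"index.html": CLEAN_PAGE, "about.html": INFECTED_PAGE}
    for path, findings in scan_files(sample).items():
        print(path)
        for finding in findings:
            print("  ", finding)
```

In a real deployment the mapping would be filled by walking the web root and reading every .html, .asp and .php file; anything after the closing tag is worth a look even when it is not an iframe, since a page that was generated cleanly should end at `</html>`.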

Flash Insecurity & Copyrighted Content Delivery

For many, Web 2.0 is about democracy, user-generated viral marketing, social networking, and sharing “public goods”. This has led to a large number of audio/video content distribution/sharing sites - such as YouTube for video sharing, Myspace for indie artist discovery, Pandora/Lastfm etc for music discovery/online radio, Imeem/Myspace for social networking, and a gazillion others. With this new “network as a platform” model, Adobe’s Macromedia Flash Player, with its market share at 96% of Internet-enabled desktops in mature markets, is the natural choice for content distribution.

Let us ignore the case of user-uploaded copyrighted content or illegal bootlegging websites for now. While everyone’s talking about AllofMp3.com & YouTube, no one seems to have talked about the incredible amount of copyrighted content that is readily & “freely” accessible through services like online radios that haven’t implemented media delivery via Flash Players/objects securely.

The following are the top 3 issues with the way Flash is used by these content-distribution services:

1. Using HTTP to fetch audio (MP3) or video (FLV) content. Macromedia does provide secure alternatives like Flash Communication Server and the closed-source RTMP protocol (say, over HTTPS) to stream sensitive content. However, few sites use them. HTTP allows a simple web proxy controlled by a user to log all the URLs generated by the online radio Flash object. Ironically, most of these sites have highly randomized URLs to deter easy access, but since they appear in clear text on the wire, they can be replayed easily to get the copyrighted original-resolution audio or video.

2. ActionScript-driven client-side DRM. This is a bad idea for at least two reasons. Firstly, client-side security is a bad idea in general, since it assumes a well-behaved client. Secondly, the Flash SWF is now an open object format, and SWF decompilers have been available for quite some time. SWF objects are essentially the various UI content (bitmaps, vectors, etc.) packed together with the ActionScript bytecode that describes the relationship between these components and the timing and algorithmic information for the Flash movie. So the decompilers (not mere disassemblers) actually recover the original high-level ActionScript source code as it was fed to the Flash compiler, including variable and object names. All design secrets, like the randomization algorithm used for the URLs, passwords, etc., are thrown wide open.

3. Using local PIE-SOL objects to store DRM information. Another brain-dead idea. Online radios for copyrighted content naturally have to operate under restrictive licenses, so they implement restrictions that, say, limit the number of times a listener can skip to the next song in an hour, or prevent the listener from skipping back and replaying the previous song. The secure place to store skip counts and other session information is on the server. However, the more popular choice is the local SOL object readable from the Flash object. Unfortunately, the SOL format has also been reverse engineered, and editors are available that can tamper with this information easily. In fact, SOL objects can simply be deleted to wipe all the skip/play counts and other session DRM history and start afresh.

It is important to note that this blog is not pointing out new weaknesses, rather drawing attention to the fact that various simple security best practices for media content distribution are being widely ignored. This leaves libraries of copyrighted content potentially at risk.

Russians attempting the $1 scam

“Give me $1 to unsubscribe”

That’s basically what the latest Russian spam says. Let me get one thing straight for anyone who’s not had their coffee yet: never pay spammers, ever. All the smart spammers keep suckers lists. You have been warned! Etc, etc…

International spam has been a growing problem for a long time and with a world-wide network of spam traps, we see (and deal with) a lot of local spam. This rather interesting specimen group landed in the lap of a researcher this afternoon because it was a little out of the ordinary.

Andrey Slabosnickiy from Rostov-on-Don was insightful enough to invite one of our international spam-traps to unsubscribe from his general database for a buck.

Take a look at the original [image: the Russian spam] and our English translation [image: English translation of the spam].

By providing many ways to make the unsubscribe payment (Web Money, Yandex, SMS, or Money@Mail.ru) Andrey will be leaving quite a money trail for the local authorities to follow should they wish to do so, though I doubt they will given the state of local anti-spam laws. Shame, we’d be happy to help ;-)

Downloader-BAI seeding

Overnight we’ve seen a rash of new variants of Downloader-BAI being seeded. Within a few hours’ time, over 20 new variants have been released.

This trojan can choose from the following list of subjects:

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • Naked teens attack home director
  • A killer at 11, he’s free at 21 and kill again!
  • British Muslims Genocide
  • 230 dead as storm batters Europe

and the following attachment names:

  • Read More.exe
  • Full Clip.exe
  • Full Story.exe
  • Video.exe

The large number of variants underscores a topic that’s been discussed much lately: the biggest trend in malware is a sort of buckshot approach. Create a very large number of different variants in a short span of time, hoping to gain at least a few extra hours of going undetected by at least some traditional AV scanners. This reminds us again of the need for a multi-layered defense. Even something as simple as filtering EXE files at the gateway would have made this seeding event a non-issue.
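To make the gateway-filtering point concrete, here is an added example (not McAfee’s or any product’s code) of an attachment policy that holds executables by extension and, because a name-only check is trivially evaded by renaming, also by content: Windows executables begin with the two bytes “MZ”. The function names, the constructed sample message (which reuses the subject and attachment names listed above) and the extension set are assumptions made for this illustration.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Added example (not McAfee's code): a gateway attachment policy that blocks
# executables by file extension and also by content, so an executable renamed
# to look like an image or document is still caught.

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held (empty if none)."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data[:2] == b"MZ":
        reasons.append("PE/MZ header")  # Windows executables start with 'MZ'
    return reasons


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Parse a raw message and list the attachments that trip the policy."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings.append((name, reasons))
    return findings


def gateway_verdict(raw: bytes) -> str:
    """Hold the whole message if any attachment is flagged."""
    return "quarantine" if scan_message(raw) else "deliver"


def build_sample(with_executables: bool = True) -> bytes:
    """Construct a test message; the MZ bytes are a stand-in, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "230 dead as storm batters Europe"
    msg.set_content("Read the full story in the attachment.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    if with_executables:
        msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                           filename="Full Story.exe")
        # Same bytes renamed to look like a picture: extension check misses it,
        # the content check does not.
        msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="Video.jpg")
    msg.add_attachment(b"plain notes", maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()):
        print(name, "->", ", ".join(reasons))
    print("verdict:", gateway_verdict(build_sample()))
```

The content check is what makes the policy worth having: a sender who renames the file keeps the extension filter from firing, but the first two bytes still say what the file is.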

Spammers Link by Numbers

We all get the odd spam, depending on the effectiveness of your spam filter of course! Most of them look the same at face value: some text describing the product the spammer is pushing, maybe an image, and a link for you to click on. Take the following spam we have been seeing recently: it looks normal to the naked eye, but hidden beneath the HTML are some new tricks a spammer is trying out!

[image: sample spam]

These guys will try absolutely anything to get around anti-spam filters. In this case the spammer has decided to do some magic with the link in the spam.

I’ll reproduce what the spammer did with a link to our own Avert Labs website of http://www.avertlabs.com (this is not the link that was spammed) to save you clicking on to any undesirable websites. The link in the spam was in the following format:

http://0x00000cd.227.0000000000000000210.0x000000000074

If you click on it you will be taken to http://www.avertlabs.com. So how do all these funny-looking numbers, characters and dots get me to that website, you might ask? Well, the link is actually an IP address (http://205.227.136.116), but instead of writing it in decimal numbers the spammer has opted for a mixture of octal, hexadecimal and decimal numbers with a few extra zeros for good measure. The following table shows the different numbers a spammer could mix to obfuscate the IP address for avertlabs.com.

Decimal  Octal  Hexadecimal
205      0315   0xcd
227      0343   0xe3
136      0210   0x88
116      0164   0x74

This leaves the spammer with many different variations of the link, a few examples are:

http://0315.0343.136.0x74
http://0xcd.227.0210.0x74
http://0xcd.0xe3.136.0164
http://0315.0xe3.0210.0x74

Web browsers understand all the different number systems used here and don’t mind extra zeros so the links work perfectly well no matter what combination of the above you use. So with an arbitrary number of zeros the spammer can create an infinite number of different links.

http://000000000000315.00000343.136.0x0000074
http://0x00000cd.227.0000000000000000210.0x000000000074
http://0x0000000000cd.0x0000000000e3.136.000000000164
http://00000315.0x0000000e3.000000210.0x000000074
http://0x0000cd.0x0000000e3.0x0000088.0x0000000074

This is the latest in a long list of methods we have seen spammers use to obfuscate URLs in spam. What will they think of next?
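The defensive answer to this trick is to normalize a URL’s host before matching it against a filter, so that every spelling above collapses to 205.227.136.116. The following is an added example, not code from Avert Labs: it interprets each dotted component the way inet_aton-style parsers (and the browsers built on them) do, and it goes a little beyond the post by also handling the single-number and fewer-than-four-part forms those parsers accept. Function names and the blocklist helper are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Added example (not McAfee's code): normalize the numeric host forms browsers
# accept (decimal, leading-zero octal, 0x hexadecimal, any number of leading
# zeros, and fewer than four components) back to plain dotted-decimal so a
# filter can compare URLs against known-bad addresses however they are written.

NUMERIC_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_part(part: str) -> int:
    """Interpret one dotted component the way inet_aton-style parsers do."""
    if not NUMERIC_PART.match(part):
        raise ValueError(f"not a numeric component: {part!r}")
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)          # a leading zero means octal
    return int(part, 10)


def canonical_ipv4(host: str):
    """Return the dotted-decimal form of a numeric host, or None if it is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None                  # an ordinary domain name, not a numeric host
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head):
        return None
    remaining_bytes = 4 - len(head)  # the last component fills the remaining bytes
    if last >= 1 << (8 * remaining_bytes):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << (8 * remaining_bytes)) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url(url: str) -> str:
    """Rewrite a URL whose host is an obfuscated IP into canonical form."""
    u = urlsplit(url)
    canon = canonical_ipv4(u.hostname or "")
    if canon is None:
        return url
    netloc = canon if u.port is None else f"{canon}:{u.port}"
    return urlunsplit((u.scheme, netloc, u.path, u.query, u.fragment))


def is_blocked(url: str, blocked_ips: set) -> bool:
    """Match a URL against a set of dotted-decimal addresses after normalizing."""
    return canonical_ipv4(urlsplit(url).hostname or "") in blocked_ips


if __name__ == "__main__":
    # The spelling variants from the post, all of which resolve to the same host.
    for link in ("http://0315.0343.136.0x74",
                 "http://0xcd.227.0210.0x74",
                 "http://0x00000cd.227.0000000000000000210.0x000000000074",
                 "http://0x0000cd.0x0000000e3.0x0000088.0x0000000074"):
        print(link, "->", normalize_url(link))
```

Note that the regex rejects components such as `08` (an invalid octal digit), which inet_aton also rejects, and that a component larger than 255 is only legal in the last position, where it supplies the remaining bytes; both are cases where a naive “split on dots and int()” filter goes wrong.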

“Storm” trojan, an evolution in progress

It’s been a few days since our last post on the subject of Downloader-BAI, and the massive seeding is still continuing with dozens of new variants each day.

The first interesting bit in this event is watching the authors of this malware cobbling separate pieces together. Sometime this weekend, this Downloader trojan was being found in the droppings of a mass mailer, W32/Nuwar@MM, which had previously been tied to a couple of other Downloader trojan families. So now, being tied to a mass-mailer as well as a mass seeding, this trojan has become more self-sustaining in its distribution. It’s unlikely, at this point, that this will die down completely any time soon.

Another thing that’s particularly notable, from a technical perspective, is that this collection of trojans is coordinating itself by way of a peer-to-peer network. This is something we’ve been seeing malware authors playing with more and more lately, with this one arguably being the most successful. W32/Nugache and the “Phatbot” variant of W32/Gaobot both attempted coordinating by P2P through Gnutella cache servers, but they were very limited in the number of bots that could be in a given botnet. Malware authors seem to understand that having any single point of failure means that at some point they will in fact fail and have to rebuild their botnet. By having a “headless” botnet, they can self-heal more effectively.

Most notable of all with this event, with Downloader-BAI and Nuwar, is the social engineering tactics being used in this seeding. W32/Nuwar gained quite a bit of notoriety during the holidays, for its variety of holiday-specific subject lines. Now Downloader-BAI is being seeded with a list of subject lines, the majority of which are intended to ruffle feathers or cause concern in certain specific countries, for example:

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • 230 dead as storm batters Europe.
  • Radical Muslim drinking enemies’ blood.
  • Sadam Hussein alive!
  • Russian missle shot down USA satellite
  • Russian missle shot down Chinese aircraft
  • Sadam Hussein safe and sound!
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  • Hugo Chavez dead.
  • Fidel Castro dead.
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  • Venezuelan leader: “Let’s the War Begin”.

Personally, I find messages making outlandish claims something to be deleted without further ado (especially those messages that have file attachments and whose spelling is rather suspect). But for some reason this tactic is still proving successful. None of these techniques are particularly new or innovative, and if one were employing basic security measures this could be avoided. But due to the combination of huge numbers of new variants and social engineering tactics, it’s working for these miscreants.

Musings on internet “Common Sense”

As one who often talks to less technically inclined people about internet security issues, I find myself telling people to use “common sense” a lot. A conversation with my Dad (who’s moderately technically savvy) really brought home to me how little this concept has permeated the Internet Culture.

Most folks get that you need to regularly update your AV software. Some folks have even grasped that updating your application/OS software regularly is a very good thing. And yet there are still an astounding number of people who fall victim to social engineering techniques like we’ve been seeing with Downloader-BAI which we discussed yesterday, and which has pretty much been used since the dawn of computer viruses and phishing.

Memorizing lists of Do’s and Don’ts can be a bit daunting for people, so I’ve started advising people to look at their computer like it was their house. People can “come to your house” by email, via web-sites, by comment spam, by portable media or storage devices, whatever. Just like people can come to your real house by ringing your front door-bell, using the door-knob, crawling in a window, etc. Regardless of how the technology changes, the metaphor is the same.

  • Would you trust someone who came to your house purporting to be from your bank, asking for your personal and financial details?
    Few banks would actually go to this length, especially because it would be so easy for someone to impersonate a bank official. (I know this isn’t always the case but it’s still a perfectly sound rule to follow)
  • Would you open packages you weren’t expecting, especially if it was addressed strangely or vaguely, or smelled or looked funny?
    People rarely hesitate to open attachments which look like they could contain something scary or titillating, but I imagine most folks would find it extraordinarily off-putting if they got a package on their doorstep that had no return address and promised snuff film footage or pictures of their neighbor’s wife naked.
  • Would you leave your house unattended and unlocked?
    Granted, there are places in the world where this is still a reasonable thing to do, but most of us live in areas with enough population that this is considered unsafe even (or especially) if we are home. And yet many people don’t update their application/OS software, don’t put password-protection on their wi-fi connections, and don’t have a firewall. These are essentially the doors, windows and locks of your computer - the things which allow people to get in and out of your system. With these left wide open, people are free to come and go as they please, taking or leaving whatever they want.

Is this incredibly simplistic? Yes. Do most people need to understand protocol filtering and white-listing? For the average user, no. Most folks can get by well enough, or would at least be much safer than they are now, if they just understood the most basic security concepts.

The Google blacklist

Google maintains a list of suspicious URLs, used by its anti-phishing technology, that is publicly available on the Internet. It is the Google blacklist: http://sb.google.com/safebrowsing/update?version=goog-black-url:1:-1

On his blog, Michael Sutton, who analyzed this link, explains that it is used by the Google Safe Browsing for Firefox extension, which is now part of the Google Toolbar for Firefox.

On January 5th, the Register announced that this public list contained confidential information like people’s usernames, passwords or session tokens. They wrote that the problem had been corrected. Last Monday an Internet security firm reconfirmed the problem they had first discovered on the 3rd of January.

As I am interested in identity theft risks, I played with my favorite Internet search engine. Unfortunately it was not difficult to find copies of some lists that were spread before Google removed the offending data.

Online we are asked more and more often to enter our personal data. One day we make an error, and inadvertently some of our sensitive information can be stored or even sent to a hacker and perhaps used by him. This post demonstrates that such data can easily become publicly available on the Internet. All the more reason to be vigilant.

McAfee Avert Labs Blog Nominated for a Codie Award

In case anyone was wondering what that new graphic in the upper right hand corner of the blog is, let me share some exciting news! The McAfee Avert Labs Security Blog has been nominated for a Codie Award for Best Technology Blog! Simply being named a finalist by the Software & Information Industry Association is a huge honor for us.

The Codie Awards recognize 72 categories of outstanding products and services through a unique combination of journalist and peer review. This year’s 367 finalists represent technology and business excellence, passion and success and were chosen from more than 1,200 nominations submitted by more than 600 companies—breaking the record set in the 2006 awards. Over 219 individuals in the trade press, consulting, educators, IT specialists and other neutral specialists were involved in reviewing the entries.

The Software & Information Industry Association (SIIA) is the principal trade association for the software and digital content industry. SIIA provides global services in government relations, business development, corporate education and intellectual property protection to more than 800 leading software and information companies.

Final voting will begin February 12 by SIIA voting members at http://www.siia.net/codies/2007. Winners will be named on April 17 at the gala event, which will take place at the Palace Hotel, San Francisco, CA.

Shout-Outs and props to all the researchers at McAfee Avert Labs because it is their content and research that drives the blog. Thanks as well to all our readers!
Wish us luck!!!!