Archive for March, 2007

McAfee Avert Labs Official PodCast - AudioParasitics

Today marks the launch of the official podcast of McAfee Avert Labs - AudioParasitics!!!!

AudioParasitics

A podcast with attitude, irreverence and difference. One day we may discuss disclosure, another day zero-day trends, yet another it might be new rootkit functionality. No matter. Rest assured that AudioParasitics will be there to beat that issue into submission with its two opinionated hosts (myself and the multi-talented Jim Walter) and a variety of the security industry’s finest minds.

Check us out at the AudioParasitics home page and also subscribe through iTunes.

Michelangelo Turns 15

In 1991, in Australia, Roger Riordan from Cybec discovered a new variant of the Stoned virus. The new threat was a boot sector virus, which infected the hard disk’s master boot record and the floppy disk boot sector. When researchers discovered that the virus contained a destructive payload triggering on the 6th of March each year, it gained the name Michelangelo. (The Italian Renaissance artist was born on March 6, 1475.)

Before Michelangelo, viruses were usually discreet and confined to the antivirus-specialist world. In March 1992, however, this virus changed the way the world looked at malware. With this newcomer, viruses really came into the public eye.

In March 1992, antivirus researchers knew of about 1,000 viruses, and payloads in those days frequently used a trigger date. I remember that March 13, 1992, was a Friday; that was the day when Jerusalem activated its payload. Today’s malware has different goals. When it spreads, its payload is generally discreet rather than destructive: its aim now is to earn money for its designers, not to show up on only one day of the year.

Backdoor-DKV Author Gets Smart

Looks like the Backdoor-DKV (aka IrnBot) author is getting smart; at least that’s what he thinks. Apparently he added some anti-reverse-engineering (RE-avoiding) mechanisms to his super-hyper-extra-modular lame bot. Which, by the way, do not prevent the analysis of the bot in ANY way. Fun, fun, fun! (For us, that is. :-)

Windows Vista Vulnerable to StickyKeys Backdoor

StickyKeys is an accessibility feature to aid handicapped users. It allows the user to press a modifier key, such as the Shift key, and have it remain active until another key is pressed. StickyKeys is activated by pressing the Shift key or another modifier key five times in sequence, and a beep is sounded. Sounds innocuous, right? Dead wrong!

Apparently, Windows Vista does not check the integrity of the file that launches StickyKeys, “c:\windows\system32\sethc.exe”, before executing it. This means it could be replaced with another executable, which would then run when the Shift key is pressed five times. A popular replacement is “cmd.exe.” After the replacement, this command prompt can be invoked at the login prompt without the need to authenticate, as shown in the screenshot below.

[Image: Invoking Sticky Keys]

Once launched, it is possible to execute explorer.exe without authenticating and get a full desktop running under the credentials of the NT Authority\system account. And from this point on an attacker has full access to the system.

[Image: Launching desktop via Sticky Keys]

This legacy backdoor method is not something new; Windows 2000 and XP are also vulnerable. Applying the latest Windows updates ensures that “sethc.exe” is protected by Windows File Protection. In Vista, replacing system files is more difficult because of TrustedInstaller. However, running the following two commands nullifies this.

takeown /f c:\windows\system32\sethc.exe
cacls c:\windows\system32\sethc.exe /G administrator:F

Executing the above commands successfully requires an administrator to be logged in, but a determined attacker can always find workarounds to exploit this built-in backdoor. In fact, once a command prompt is obtained via this method, it can be used to create a new user, add that user to the Administrators group via the net command, and then log in with that account legitimately, using the following commands.

net user USERNAME /add
net localgroup administrators USERNAME /add

One can always argue that an attacker actually needs access to the machine to be able to pull this off. Of all the unauthorized system access incidents that organizations reported last year, roughly 27% were by internal employees. And it is this threat from within (disgruntled or naughty employees) that poses the greatest computer security threat to organizations today.

Another alarming feature of this backdoor is that an attacker can use this method to bypass login on terminal servers and on workstations with Remote Desktop enabled. Since no third-party tools are installed on the system and Microsoft’s own files are used to achieve this, it will be difficult for a typical administrator to detect.

Perhaps one can uninstall the Accessibility Tools feature, which is installed by default, to avoid this fairly simple yet potentially serious built-in backdoor. And don’t forget to hit the Shift key five times and see what pops up on your desktop. ;-)
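A defender-side check for the file swap described above, added here as an example and not part of the original post. It assumes Python 3 on the machine being checked and reads sethc.exe and cmd.exe from %SystemRoot%\System32; the fake_pe helper only exists so the logic can be exercised off a Windows box.

```python
# Added example, not from the original post: a defender's check that sethc.exe has
# not been swapped for cmd.exe. It compares hashes and also reads OriginalFilename
# from the version resource, which still gives a padded copy of cmd.exe away.
import hashlib
import os
from typing import List, Optional

def original_filename(data: bytes) -> Optional[str]:
    """Read OriginalFilename from a PE's VS_VERSION_INFO resource."""
    # StringFileInfo stores key and value as NUL-terminated UTF-16LE strings,
    # so a byte search is enough for this check; no PE parser is needed.
    key = "OriginalFilename".encode("utf-16-le")
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key)
    while data[pos:pos + 2] == b"\x00\x00":  # key terminator plus alignment padding
        pos += 2
    units = []
    while pos + 2 <= len(data) and data[pos:pos + 2] != b"\x00\x00":
        units.append(data[pos:pos + 2])
        pos += 2
    return b"".join(units).decode("utf-16-le", errors="replace")

def check_sethc(sethc: bytes, cmd: bytes) -> List[str]:
    """Return findings for the sethc.exe image; an empty list means it looks intact."""
    findings = []
    if hashlib.sha256(sethc).digest() == hashlib.sha256(cmd).digest():
        findings.append("sethc.exe is byte-identical to cmd.exe")
    name = original_filename(sethc)
    if name is None:
        findings.append("sethc.exe carries no version resource")
    elif not name.lower().startswith("sethc"):
        findings.append(f"version resource says OriginalFilename={name!r}, expected sethc.exe")
    return findings

def fake_pe(original_name: str) -> bytes:
    """Constructed stand-in for a PE with a version resource (offline demo only)."""
    return (b"MZ" + b"\x00" * 62 + "OriginalFilename".encode("utf-16-le")
            + b"\x00\x00\x00\x00" + original_name.encode("utf-16-le") + b"\x00\x00tail")

def check_live_system32() -> List[str]:
    """Run the check against the real files; Windows only."""
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    with open(os.path.join(system32, "sethc.exe"), "rb") as f:
        sethc = f.read()
    with open(os.path.join(system32, "cmd.exe"), "rb") as f:
        cmd = f.read()
    return check_sethc(sethc, cmd)

if __name__ == "__main__":
    if os.name == "nt":
        print(check_live_system32() or ["sethc.exe looks intact"])
    else:  # offline demo: a padded copy of cmd.exe is still caught by the name check
        print(check_sethc(fake_pe("Cmd.Exe") + b"\x00", fake_pe("Cmd.Exe")))
```

If the check reports a finding, sfc /scannow restores the protected copy of sethc.exe from the Windows component store.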

Operation Spamalot: The End of Stock Spam?

The Securities and Exchange Commission (SEC) announced in a press release on March 8 that it has suspended trading in securities of 35 pink sheet companies that have been the subject of recent stock spam campaigns.

Stock spam has increased in volume in recent times and now represents a significant percentage of what we see each day. In 2006 alone we saw more than 300 different stocks being spammed. The nature of this type of spam allows spammers to use images to hide the information on the stock they are promoting, without the need for any URLs or filterable content in the body, making it harder to detect. The following is a recent example of a stock spam image:

[Image: Stock Spam Example]

The decision to suspend these securities from being traded is the biggest action ever taken by the SEC against stock-spammed companies and is a result of “Operation Spamalot,” which aims to “protect investors” from losing money to the spammers. It is good to see something being done about this variant of spam, but I wonder if this is going to work. Is stock spam finished?

A stock spam campaign usually lasts a few days or, at most, weeks. The examples given in the SEC’s press release were stocks that were being spammed in September, December, and January, but the trading suspensions will last for just ten business days starting at 9:30 a.m. on 8 March.

In the past two days we have observed at least 14 different stocks being spammed, only one of which appeared on the SEC’s list of 35. I think the idea has some merit, but it will ultimately fail unless the spammed stocks can be suspended on first sight of spamming activity. A 10-day suspension from the first day of a stock spam campaign could ruin the spammers’ chances of increasing the price of the stock, thus rendering the spam useless. These spammers are obviously interested in making a quick buck, so if you take this ability away then the spammers are likely to stop.

The SEC is also going after the people profiting from stock spam and has recently frozen $3 million belonging to an Eastern European cyberring in an online stock manipulation case. If anything, it is good that these high-profile actions will heighten awareness of the risks of investing in response to spam, but you have to spare a thought for legitimate pink sheets companies that get targeted by spammers. How much damage is it doing to them?

Learning From a Terrorist Threat

It would seem MI5 has thwarted an alleged Al-Qaeda plot to attack a major colocation provider in the United Kingdom. The threat was not any kind of cyberterrorism, but infiltrating the facility and bombing it from the inside. There are three important points here:

  1. A significant number of security problems are due to employees and contractors, not outside parties.
  2. It’s equally important to have physical security considerations as well as those for “cybersecurity.”
  3. Don’t allow a single point of failure.

The first two are relatively straightforward and are generally pretty well covered. When it comes to the very small (single employees) and very large (major utilities or service providers), people often take things for granted.

It’s a sad fact of life, but disasters happen. Whether they are intentional, accidental, or natural, “stuff” just happens. It’s wise to plan for this worst-case scenario. You don’t want any one employee, process, program, facility, or external company to be so irreplaceable that your business would be significantly impacted should it suddenly cease to operate normally. It’s important to have a plan of action in case the worst should happen, so that you’re prepared if something does come to pass.

Is there any one employee whose actions are so important that it would take you a considerable amount of time to recuperate if that person decided to move to the opposite end of the globe tomorrow? Do you understand what each of your employees do well enough to accurately assess that? If not, now is a good time to figure that out and plan for redundancy if necessary.

Is there any one facility that provides something so important to your business that if it was taken out of commission tomorrow your business would be taken out of commission too? If so, can you provide redundancy or protection commensurate with its importance?

This reminds me of a joke that was popular among the tech-support folks of a popular utility software many, many years ago; it regards folks who didn’t make regular backups of business-critical data:

“At what point did your data become important to you?”

Spam Tools Exposed (Again)

Here is a logfile section from a piece of hosted mass-mailing software. It’s currently unprotected (otherwise I’d have shown you more), and it would appear that anyone can submit a job to it to be spammed at around 300,000 addresses per minute. :? The topics covered by this mailer’s log are quite varied: from poetry competitions to PS3s, and advertising solutions for dating, leading obviously to debt four days later.

[Image: edited image showing logged data from hosted mailer software]

As you can see from the dates, this one has been about for a while.

The server is also running a commercial mailer software with click-tracking abilities on a separate port that is no doubt blocked by almost all corporate networks, so we assume that they are focused on the consumer-at-home demographic. This is undoubtedly a small-time operation in comparison to the usual suspects we discuss. They are sending to smaller and more targeted lists and are probably a lot closer to the thin-blue-line definition of spam, too.

It’s not uncommon for us to study the contents of bulk-mailing tools for tell-tale traits in the style of the mail they send, making it trivial to assign a reputation to the tool’s behaviour independently of the content. Leaving the tools open to the world this time was a very nice gesture, though. :roll:

Psst! You’ve Got Porn!

We examined a phishing email in our lab recently that was interesting from a social-engineering perspective. Phishing attempts commonly impersonate financial institutions. In these cases a phisher seeks to cause alarm with an official-looking email warning of supposed cancellations, fees, or some other negative consequence in an attempt to push victims into “confirming” their account information on the imposter’s Web site, which is linked in the message.

In this case the email purported to be confirmation of purchase for a trial membership on an adult Web site. Included were a login and password, an account number, and a link to the site. The message also cited possible recurring charges. The adult site the email claimed to originate from and link to does actually exist; however, the actual URL associated with the linked text pointed to a now-defunct account on a commercial hosting service in Asia. Additionally, the billing service referenced for the recurring charges is also a real online e-commerce billing company.

The text of the email follows:

“Dear Louise,
Thank you for your subscription to Z Pornstars.
Your subscription number is 0107006601000011329
Please include your subscription number in all correspondence.

URL: http://www.zpornstars.com/members/
[actually linked to http://[removed].dothome.co.kr/]

Your username is: Mileref
Your password is: gere446

You have been billed as CCBILL Ltd. for the amount of $9.95 for 5 days (trial) then $39.95 recurring every 30 days. If you selected an automatically rebilled option, your subscription will automatically be renewed for your convenience until you cancel.”

What’s interesting is that the phisher is luring the victim with dual motivations, the second being more emotional than pragmatic:

  1. Threat of monetary charges (negative incentive)
  2. “What? I have an account at an adult site? Hmm, maybe I’ll just go look around a bit before I cancel it.” (positive* incentive)

Though it’s no longer possible to examine the actual imposter phishing site, it’s easy to speculate that the phisher would set it up so that the victim had to “confirm billing information” either way (whether they were trying to cancel immediately, or wanting to actually peruse pornography).

* Depending on personal taste and/or morals, the idea that one has an account on an adult Web site could serve as an additional negative incentive. In any case, it is interesting to see such deft use of an emotional motivator.

MySpace Woes: Trojan Targets French Rock Band Fans

MySpace bills itself as a “place for friends.” Increasingly, it is becoming an unhealthy breeding ground for the scum of the Internet, luring surfers to sexually explicit web sites or playing with the trust of users to obtain personal information that could lead to identity theft.

With the sophistication of attacks used by malware on the rise these days, the bad guys are continuously looking for newer infection vectors. Every new attack is tailored to the attacker’s needs in terms of choosing who the targets will be, the social engineering techniques employed to lure the victim, and which exploit will be used.

And the latest target is unsuspecting fans of the French rock band MAMASAID who, upon visiting a MySpace account promoting the music group, get the trojan JS/SpaceStalk installed on their computers via a known insecure feature in QuickTime called HREF Tracks. The technique used here does not rely on a vulnerability but rather on a feature of the QuickTime player that allows links to be opened automatically when the movie is played. This link can be misused to point to malicious websites hosting exploit code.

[Image: Rigged MySpace profile]

A hex view of the rigged QuickTime file shows that it will automatically execute JavaScript hosted on an external website when the movie is played.

[Image: Hex view of rigged QuickTime movie file]

Once executed, it transmits personal information of the visiting MySpace user to the attacker. As the website being contacted is normally controlled by the malware author, any script being downloaded and executed can be remotely modified, and the behavior of these new scripts altered to perform further malicious actions.

Very few people hesitate to view a movie file. And given that QuickTime is a popular application on the web, the return on investment for malware authors makes it an attractive infection vector.

A detailed analysis of this interesting infection vector can be viewed at Didier Stevens’s blog. A silver lining in the whole murky episode is that McAfee customers have been proactively protected from the JS/SpaceStalk threat since the 4958 DATs dated 02/07/2007 :-)

Stock Scammers Phish, Pump, and Dump

The SEC has continued its hard-line actions against the stock spammers discussed in my recent blog and is now targeting phishers.

The US Justice Department has issued a press release about three Indian men who have been indicted on charges of conspiracy, fraud, and aggravated identity theft stemming from a high-tech, international fraud scheme designed to hijack online brokerage accounts for profit. In one example, a scammer purchased 32,000 shares of stock in a company at prices from $2 to $3.20 per share with his own online brokerage account. The same day, the scammers logged into an unsuspecting investor’s account and illegally acquired 26,000 shares of the same stock at prices from $2.84 to $3.40 per share, causing the stock’s trading volume to rise to more than nine times its 15-day average. Then, in 22 transactions within a few hours, they sold 30,700 shares, yielding a substantial profit.

These guys have been buying stocks at a cheap price with their own personal online brokerage accounts, then logging into other people’s accounts with login details they had previously phished and buying huge amounts of the stock in order to inflate the price. When they are happy with the stock’s inflated price, the scammer sells, or “dumps,” the shares they had legitimately purchased.

This is a further insight into the negative effects of the phishing campaigns we prevent on a daily basis. It is not unusual for us to see phish emails for online brokerage accounts like the image below, taken from a recent one.

To the unsuspecting recipient this might look like a legitimate email from Etrade, but clicking on the image in the email brings you to a fake Etrade login page at a .jp domain. Even the link could be confused for a legitimate etrade.com link because of the way the phisher has crafted it:

http://global.etrade.com.memberdir.id645850717.phishdomainhere.jp/member.do

Clicking on this link would bring you to phishdomainhere.jp rather than etrade.com.

This is yet another reminder of the dangers of phishing and how these scammers can use a simple username and password for an online account to make a lot of money at your expense.
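The two link tricks seen in these posts, the displayed URL that points somewhere else (the “Psst! You’ve Got Porn!” email above) and the brand name buried in the leading labels of someone else’s hostname (the etrade.com.memberdir link here), as an added Python example that is not code from the original posts. The suffix list is a tiny stand-in for the real Public Suffix List, and the sample mail is constructed, with the Korean hosting account kept as a placeholder.

```python
# Added example, not from the original posts: flag mail links whose visible text
# or leading hostname labels impersonate a brand owned by someone else.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Minimal stand-in for the Public Suffix List: just the suffixes in these posts.
PUBLIC_SUFFIXES = {"com", "jp", "kr", "co.kr"}
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def registrable_domain(host):
    """The part of host its registrant controls: phishdomainhere.jp, not etrade.com."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest listed suffix wins, so co.kr is tried before kr
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()

class LinkExtractor(HTMLParser):
    # Collect (href, visible text) pairs from an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, brands=("etrade.com",)):
    """Return [(href, reasons)] for links that look like brand impersonation."""
    parser = LinkExtractor()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        owner, reasons = registrable_domain(host), []
        shown = HOST_IN_TEXT.match(text.strip())  # does the text itself name a host?
        if shown and registrable_domain(shown.group(1)) != owner:
            reasons.append(f"text shows {registrable_domain(shown.group(1))} but link goes to {owner}")
        for brand in brands:  # brand name used as a leading label of someone else's domain
            if brand in host and owner != brand:
                reasons.append(f"host contains {brand} but is owned by {owner}")
        if reasons:
            out.append((href, reasons))
    return out

SAMPLE_MAIL = (  # constructed, modelled on the two posts; hosting account is a placeholder
    '<a href="http://REMOVED.dothome.co.kr/">http://www.zpornstars.com/members/</a>'
    '<a href="http://global.etrade.com.memberdir.id645850717.phishdomainhere.jp/member.do">'
    '<img src="etrade.gif"></a>')
```

Running suspicious_links(SAMPLE_MAIL) flags both links with the reason that applies to each, while a genuine us.etrade.com link with matching text passes.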