Archive for September, 2007

China strikes back

Following recent allegations from the USA, Germany and lately Australia and New Zealand that government and military networks have been attacked from China, and an earlier warning in February from the German Federal Office for the Protection of the Constitution (Verfassungsschutz) that it had detected increased hacking activity originating in China, it is now China that steps forward and claims it has “suffered ‘massive’ losses of state secrets through the Internet”.

According to a Reuters report, Vice Minister of Information Industry Lou Qinjian said that China’s computer networks were riddled with security holes and that the United States and other hostile powers were exploiting them for “political infiltration”.

While I’m definitely not in any position to judge on who did what to whom, this is starting to look like a contest for the title of ‘Least Secure Government IT Systems’.

The end of Downloader-AAP?

Germany’s Federal Criminal Police Office (the BKA) announced today that it has busted an international group of phishers, arresting 10 people and seizing a number of computers along with other evidence. From the press release it is evident that this is the group that has been harassing the world with phishing emails carrying Downloader-AAP as an attachment.

Downloader-AAP is ranked first in the list of ‘Top Corporate User Malware’ in our Avert Labs Threat Library. For many months there have been several waves a week of phishing emails carrying new variants of this downloader, which when executed installs a keylogging trojan. The emails typically look like a receipt sent by some company, with the details supposedly to be found in the attached .zip. Some of these emails even claimed to come from German law enforcement agencies, stating that you have been caught sharing music, that content from your hard disk has been confiscated using the ‘Bundestrojaner’ and that the protocol is attached, as in the example below:

screenshot 

I sincerely hope this is the last we’ve seen from this group.

A trojan with a theme song

The other day I learned that apparently Vergon had done a “hack my command” on me!!! I found this trojan interesting in that it plays an MP3 for you to listen to as it goes about wreaking havoc on your machine. The file itself has an icon visually similar to the default media player shell registration for the .mp3 file extension. When executed it plays an MP3 called Lagu, which has already been copied to the system directory. If the poor sound quality of the extremely compressed audio does not get on your nerves, rest assured this little guy is busy copying itself to various locations on your computer as well as instructing your command shell to execute a batch script that adds a new account with administrative privileges the next time it is launched.

Vergon

Although the batch operations can be interrupted with some quick reflexes and a punch of CTRL-C, one may quickly find that attempts to launch tools like taskmgr and regedit are promptly terminated. Familiarity with Microsoft operating systems can help in restoring one’s system to a usable state. It seems to me that the best idea would be not to run something like this in the first place. Trusting a file based on the visual representation of its icon does not seem to be the best of ideas. My favorite setting for the ‘hide extensions for known file types’ folder option is off.

More information on this threat can be viewed at our virus information library.
http://vil.nai.com/vil/content/v_143106.htm

Boot Virus Stoned.Angelina on Medion Laptops sold at Food Discounter Aldi

This one forced me to take a panicked look at my calendar to check the date. Yes, it’s still the year 2007 ;)

Confirming posts in various forums, there is indeed part of the production run of Medion MD 96290 laptops, sold at the food discounter Aldi in Germany last week, that is infected with the boot virus Stoned.Angelina. In a document on their Danish website (in Danish) Medion describes the incident and provides instructions on how to remove the virus.

To make it clear, the name of the virus has absolutely nothing to do with any famous Hollywood star! Stoned.Angelina is a boot virus that infects the boot sector of floppies and the MBR of hard drives; it doesn’t actually have a payload and was first discovered early in 1994. That was a time when the descriptions of the few known viruses were still kept in a printed Virus Encyclopaedia…

photo1

How laptops that come with Microsoft Vista preinstalled could end up infected with this ancient boot virus remains a bit of a mystery. The only way to infect a hard disk with a boot virus is by actually booting from an infected floppy, which is nothing I’d expect to be done nowadays when installing Vista…

My old Lab machine for replicating DOS viruses 

One lesson should be taken from this incident: the old viruses are not going away anytime soon. Looking at some customers’ reports of viruses found, there is still the occasional Parity.b, Form.a or Tequila. Some weeks ago even an image of a floppy disk infected with an Amiga virus was posted in an emulator Usenet newsgroup.

Unsafe Advertisements? Watch out for the fake yellows!!!

Browsing my webmail account on one of the biggest providers in Italy I was hit by this popup message:

msgbox-1

The cause of the JavaScript popup was the banner at the top of the page, urging me to download and install the SystemDoctor software.

MainPage

I’m familiar with the brand: it’s an application that claims your computer is full of errors and then asks you to buy the registered version to clean them up.

To verify, I followed the link and installed the software, which found 375 “severe errors” on a crystal-clean Windows XP installation, including marking as “critical error” files dropped by the installer itself, perfectly legitimate registry keys, etc. Asking for money to remove imaginary errors is, I would say, questionable behavior.

So the questions of the day are: “Should web service providers police their ads? Should they make sure paid banners are safe for their viewers? And will this trend of malware writers using paid ads to distribute malcode continue?”

Nuwar: Are You Game?

After luring unsuspecting users into its trap with Labor Day postcards and NFL kickoffs, Nuwar (a.k.a. Storm Worm) has now switched to “free games” bait:


If you’re gullible enough to follow that link, it will take you to a convincing-looking Web page loaded with game images and an unpleasant surprise: a cocktail of exploits and downloaders:

So if you’re not running an on-access anti-virus product, you’re already in trouble. Anyway, the page itself looks like this (complete with broken images):

It promises “1000+ free games,” but whatever icon you click you get nothing but Nuwar in a file named ArcadeWorld.exe.

Web Page Code Injection via ARP Spoofing

I’ve found that more and more Trojans, worms, viruses and hackers are using ARP spoofing to inject malicious code into Web pages. They do this using the following technique:
1) An attacker scans a subnet, finds a vulnerable host, and hacks into it.
2) The attacker installs a Trojan on the victim’s host.
3) The Trojan sends spoofed ARP packets to gateways and other computers on the same subnet.
4) When the other hosts on the subnet receive the spoofed ARP packets, they begin routing traffic through the victim’s host.

Here is a diagram depicting the network before ARP spoofing:

[gateway] <-> [host]

Here is a diagram depicting the network after ARP spoofing:

[gateway] <-> [victim’s host] <-> [host]

5) The Trojan software installed on the victim’s host relays traffic to/from hosts on the subnet and inserts malicious code into HTTP responses. The malicious code injected into HTTP responses is designed to exploit Internet Explorer and to download and install Trojan software. The installed Trojan software might repeat the same process, further penetrating the network.

So, although your Web server may not have been hacked, your users might still fall victim to browser-based attacks carried out by injecting malicious code via ARP spoofing. The best way to protect against this is to configure static ARP table entries for gateway devices on all hosts. I recommend that all network and server administrators do this.
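As an added example (not code from the original post), the following Python script runs two defender-side checks on constructed data. The first looks for the ARP-level symptom of the technique described above: an IP address, in particular the gateway’s, being claimed by more than one MAC, and a single MAC answering for several IPs. The second parses Windows `arp -a` output to verify that the gateway entry has actually been pinned as static, the mitigation the post recommends. The ARP replies, addresses and `arp -a` text are constructed for the demonstration, and the trusted gateway binding is an assumption.

```python
"""Defender-side checks for the ARP-spoofing scenario described above.

Both checks run on constructed sample data (not captured from a real network):
  1. detect_arp_conflicts() / suspicious_macs(): given observed ARP replies,
     report IPs claimed by more than one MAC and MACs claiming many IPs, the
     signature of one host impersonating the gateway and its neighbours.
  2. gateway_entry_is_static(): given the text of `arp -a` (Windows format),
     confirm the gateway entry was pinned (e.g. with `arp -s`) as recommended.
"""
from collections import defaultdict
import re

# Constructed sample: (seconds, sender IP, sender MAC) seen in ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway answers
    (0.5, "192.168.1.20", "00:11:22:33:44:20"),
    (1.0, "192.168.1.30", "00:11:22:33:44:30"),
    (2.0, "192.168.1.1", "00:11:22:33:44:30"),   # host .30 now claims the gateway IP
    (2.1, "192.168.1.20", "00:11:22:33:44:30"),  # ...and host .20's IP as well
]

# Assumed trusted binding for the gateway (would come from your own inventory).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_conflicts(replies, trusted=TRUSTED):
    """Return alert strings for trusted IPs announced with an unexpected MAC
    and for any IP that was claimed by more than one MAC."""
    seen = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and mac != trusted[ip].lower():
            alerts.append(f"t={ts}: {ip} announced by {mac}, expected {trusted[ip]}")
        seen[ip].add(mac)
    for ip, macs in seen.items():
        if len(macs) > 1:
            alerts.append(f"{ip} claimed by {len(macs)} MACs: {sorted(macs)}")
    return alerts


def suspicious_macs(replies):
    """Map MAC -> sorted IPs for every MAC that answers for more than one IP."""
    by_mac = defaultdict(set)
    for _, ip, mac in replies:
        by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed `arp -a` output in Windows format, before and after `arp -s`.
ARP_A_BEFORE = """
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.30          00-11-22-33-44-30     dynamic
"""
ARP_A_AFTER = """
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     static
  192.168.1.30          00-11-22-33-44-30     dynamic
"""

# One table row: IP, MAC with '-' separators, entry type.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(\w+)", re.I)


def parse_arp_table(text):
    """Map IP -> (normalised MAC, type) from `arp -a` text; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower().replace("-", ":"), kind.lower())
    return table


def gateway_entry_is_static(arp_text, gateway_ip, expected_mac):
    """True only if the gateway row exists, is static and carries the expected MAC."""
    entry = parse_arp_table(arp_text).get(gateway_ip)
    return entry is not None and entry[1] == "static" and entry[0] == expected_mac.lower()


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
    print("MACs answering for several IPs:", suspicious_macs(SAMPLE_ARP_REPLIES))
    gw, mac = "192.168.1.1", "00:11:22:33:44:01"
    print("gateway pinned before:", gateway_entry_is_static(ARP_A_BEFORE, gw, mac))
    print("gateway pinned after: ", gateway_entry_is_static(ARP_A_AFTER, gw, mac))
```

In practice the reply list would be fed from a sniffer or from periodic snapshots of each host’s ARP cache, and the `arp -a` check can be run on every host to audit that the static gateway entry survived a reboot.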

Live from VB2007

What could be better than getting paid to travel to the beautiful city of Vienna, Austria, spending the first half of the week perusing museums and admiring the local baroque architecture, then spending the latter portion listening to the many experts of the anti-malware industry presenting their most recent work and views on the threat landscape? I’m sure many of you can think of better alternatives, but for a computer geek who enjoys history, it rarely gets better than this.

The day is nearing its end as the sun begins to set on this historic city and on day 1 of VB2007. The first day adjourned with many interesting presentations, ranging from the use of automation in the world of malware (for the purposes of good and evil) and the growing use of malware in virtual worlds (MMORPGs and Second Life) to low-level malware techniques (rootkits and patching).

The three-day conference will be busy for our McAfee Avert Labs researchers, as we have at least one speaker presenting each day on the VB2007 conference agenda.

Not The End Of Downloader-AAP

Just last week we blogged about the capture of an international group of phishers responsible for the repeated attacks by the trojan Downloader-AAP. Though we thought that might be the last we would see of the trojan, we received samples of yet another new variant today.

As usual, the trojan seems most prevalent in Germany. This time it purports to be a billing payment from a European online casino organisation. There is a link inside the message which hosts the Downloader-AAP trojan. If the user clicks on the link, the downloader will download Spy-Agent.ba.

Most interesting about this variant is that, unlike previous variants, there is no attachment to the message received by the user, but a URL inside the message body that points to the Downloader-AAP trojan.

The following is a sample of the message that has been spammed out.

This is a clear indication that this trojan is still alive and active and that there could be other members of the phishing group who have not yet been caught.

Educational Hacking. Is it really a good idea?

There are and always will be different views on the ethics of security information disclosure. Thus I will not argue in one direction or the other; I will instead bring up a case as a “food-for-brain” example.

Would you trust someone who auctions a CD that “will make a hacker of you in only a few hours”?

What if the same guy sells free tools to “steal usernames and passwords” and “Sniff out AOL conversations”? For only 7.99 pounds you can also buy an “Easy virus construction” kit and a “Ready Made Virus”.

Would you really believe it’s all “for educational use only on your own pc to test for any flaws in your system”?

Is this in any way educational, or is it just another shortcut to help script kiddies vandalize the Internet? Is this really a good idea?