Archive for January, 2008

Bad boy or Good boy’s tool?

The upgrade of the UK’s computer crime laws is in progress, and one of the new amendments proposed under the Computer Misuse Act would make the creation and distribution of so-called “hacking tools” a crime. There is strong criticism from the security industry, as many of the tools that bad guys can use to break into a system are also used by good guys to test their own systems for security. For example, a network sniffer can be used for eavesdropping as well as for troubleshooting a network. It depends on the context in which the tool is used; marking any such tool as a “hacking tool” and making it unavailable for distribution can hinder the work of system administrators and vulnerability researchers. These amendments are not in force at present and may be applied later this year.

After many concerns were raised by the industry, the government is considering some of them and is recognizing the “dual use” status of a few such tools. The prosecutor would need to prove that the author wrote the tool with malicious intent to find him guilty, but the distribution of such tools may still be considered a crime. The Crown Prosecution Service will look for answers to the following questions when deciding whether to prosecute:

- Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorized access to computer material)?

- Is the article available on a wide scale commercial basis and sold through legitimate channels?

- Is the article widely used for legitimate purposes?

- Does it have a substantial installation base?

- What was the context in which the article was used to commit the offense compared with its original intended purpose?

My primary sources for this post were The Register, LightBlueTouchPaper and the CPS.

IT laws are always tricky to write and implement, and this law will surely raise many eyebrows. Though it may help bring bad guys to justice, it will also make legitimate good guys nervous about creating new tools and distributing them.

W32/Kibik.b – Seeking Them Out From Your Codecs and Winlogon.Exe

Websites delivering a malicious payload, either in the form of web exploits or plain old executables masquerading as multimedia or legitimate applications, are not uncommon. In the past year we must have blogged a dozen times about how the popularity of Internet audio and video has turned them into a malware wonderland: from movie-infecting worms to dodgy codec installers (yes, even on MacOS), and most recently Puper trojans capitalizing on the Bhutto assassination video. They range from widespread infections that hit the headlines the next day to stealthy backdoors and password stealers designed to stay quiet and reside in your computer for as long as possible.

McAfee’s SiteAdvisor™ technology performs behavioral analysis looking for suspicious activities in code that resides within the intertwined nests of exploited sites. Be it rogue administrators or compromised servers, such sites might certainly host safe downloads, but they are far more likely to host something malicious than your average site.

Just before Christmas 2007, when our crawlers detected dodgy behavior that was attributed to a site linked to a nest of exploits, our system quickly escalated it for human review. It turned out to be a variant of W32/Kibik, a stealthy limited parasitic virus that targets only specific files and stays low under most radar. The website tricks the user into downloading a fake media codec, now detected as W32/Kibik.b.

Figure 1. Instruction to download fake media codec

Like its big brother, the new variant is hard to detect: it infects Winlogon.exe by quietly planting the virus in an unused, nulled-out segment of the file and, unlike most viruses, does not change the size of the file. It also leaves no trace in the Windows registry and modifies no other files on the computer, yet it starts each time the system boots.

W32/Kibik.b retrieves commands from the server hosted at swf1.flashxyx.com. This domain appears to be hosting free games for download, but is (ab)used as a command and control server for W32/Kibik.b.

On each startup, the following actions are performed once:
1) A network connection is made to swf1.flashxyx.com.
2) At the time of our investigation, the host was active but not delivering any files, but our static analysis shows it can and will download and execute additional files:

Figure 2. Download and execute code in DLL

It goes on to poll the website in 5-minute intervals to retrieve further commands from the controller.

As its actions are relatively low-noise and it was active during the holiday season, few security vendors detect W32/Kibik.b, as was the case with its older variant.
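Because the infected Winlogon.exe keeps its original size, a size check alone will never flag it; a defender needs a known-good copy and a byte-level comparison. The script below is an added example (not McAfee’s code and not derived from the virus itself) that works on constructed byte strings rather than a real PE file: it hashes the file against its baseline and then reports which byte ranges that were all zero in the baseline now contain data, which is exactly the kind of change a cavity-infector leaves behind.

```python
import hashlib

# Constructed sample standing in for a system binary (not a real PE file).
# The 64-byte run of zeros plays the role of the unused, nulled-out region
# that a cavity infector writes its code into.
BASELINE = b"MZ" + b"\x90" * 40 + b"\x00" * 64 + b"\xc3" * 24

# Constructed "infected" copy: identical length, placeholder bytes planted
# inside the null run starting at offset 48.
PLANTED = b"\xcc" * 16  # placeholder, not real code
INFECTED = BASELINE[:48] + PLANTED + BASELINE[48 + len(PLANTED):]


def find_null_runs(data, min_len=32):
    """Return (offset, length) for every run of zero bytes at least min_len long."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def check_against_baseline(baseline, current, min_len=32):
    """Compare a file against its known-good copy.

    Returns whether the sizes match, whether the hashes match, and the
    (offset, length) of every region that was null in the baseline but
    now holds non-zero bytes.
    """
    result = {
        "size_match": len(baseline) == len(current),
        "hash_match": sha256(baseline) == sha256(current),
        "filled_null_ranges": [],
    }
    if not result["size_match"]:
        return result  # a different size is already a red flag
    for off, length in find_null_runs(baseline, min_len):
        region = current[off:off + length]
        if any(region):
            nonzero = [i for i, b in enumerate(region) if b]
            first, last = off + nonzero[0], off + nonzero[-1]
            result["filled_null_ranges"].append((first, last - first + 1))
    return result


if __name__ == "__main__":
    verdict = check_against_baseline(BASELINE, INFECTED)
    print("size unchanged:", verdict["size_match"])
    print("hash unchanged:", verdict["hash_match"])
    for off, length in verdict["filled_null_ranges"]:
        print(f"data planted in former null region at offset {off}, {length} bytes")
```

In practice the baseline would be the hash and null-region map of the vendor-supplied binary, recorded before deployment; the comparison then runs against the live file on a schedule or after any unexplained startup activity.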

More details of W32/Kibik.b are available.

GET RICH QUICK? Nothing is less certain!

Many governmental and civil service web sites call people’s attention to chain letters based on the age-old pyramid scheme. The U.S. Postal Inspection Service gives this definition:

    A typical chain letter includes names and addresses of several individuals whom you may or may not know. You are instructed to send a certain amount of money–usually $5–to the person at the top of the list, and then eliminate that name and add yours to the bottom. You are then instructed to mail copies of the letter to a few more individuals who will hopefully repeat the entire process. The letter promises that if they follow the same procedure, your name will gradually move to the top of the list and you’ll receive money — lots of it.

These rip-off schemes reached the Internet a long time ago. Chain letters are now disseminated over the Internet, relying on copying and e-mailing your contacts rather than the established paper method, and many antispam products are dedicated to intercepting them. Today, people dreaming of “making money fast” can easily find software that claims to help them do just that with a little Internet searching.

These programs supposedly facilitate making secure payments. The image below shows the result of one of these programs (seemingly of French origin), an e-mail spam attachment for worldwide distribution:


http://vil.nai.com/images/FPBLOG_01_04_07_B.jpg

The basic principle is as follows:

  • Someone who decides to enter the chain sends 5 Euros via PayPal to the participant at the top of the list; that participant’s e-mail address is displayed when you run the software,
  • After payment, the recipient is supposed to send back a registration key that modifies the configuration, entering the details of the gullible newcomer in fourth place and thus altering the list of previous participants,
  • Having done this, the newcomer must send the updated file to as many people as possible to entice more victims and gradually push the sender to the top of the list.

http://vil.nai.com/images/FPBLOG_01_04_07_A.jpg
Looking at this sample, I asked myself whether we should detect this file or not: it is not dangerous to the computer, it is neither malware nor adware, and the people sending the 5 Euros are acting of their own accord. My personal opinion was thus:

  • It is dishonest. And it is not only my opinion but the one expressed by many government agencies,
  • Chain letters and pyramid schemes are illegal in many countries,
  • It seems this program is of French origin, and French law forbids these schemes (article L122-6),
  • It uses PayPal, and PayPal forbids the use of its system for such activities.

To ultimately battle these types of programs we really need, as usual, to be suspicious whenever someone proposes that you can get rich quick!

We detect this Potentially Unwanted Program as Scheme-Ultrate.

A banner year for malware, digital threats and the security industry

On January 2, 2007, we posted the first DAT files (4930) of the new year. On that day, the public count of threats detected stood at 221,935. Fast-forward to December 31, when we released the last DAT (5196) of 2007, and the public count of threats detected finished at an almost unbelievable 357,820.

That’s a total of 135,885 unique threats that we at Avert Labs identified throughout 2007. But let me put that into further context:

• 372 new detections per calendar day in 2007

• 527 new detections per business day in 2007

• One driver written every 4 minutes in 2007

• 38% of all detections were added this year.

• 25,438 more detections were added this year than in 2005 and 2006 combined. (Those two years totaled 110,447.)

Scary numbers any way you break them down. One could almost say that malware creation has reached epidemic proportions. As many who read this blog already know, the number of sample files we receive per day to analyze is increasing in record numbers–some days, we can get upwards of 2,000 samples per hour from various sources. We are seeing more malware than ever before, even though the lifespan of most malware is decreasing! The average lifespan of malware with criminal intent may only be 5 to 7 hours. Most of it is static and obfuscated. Much of it is stealthy. Never forget that it is almost completely financially motivated these days. Just think of where Pablo Escobar, Al Capone, or even Tony Montana would sink their money today–into malware.

Data security and the security industry itself have seen many changes throughout 2007. Technologies such as virtualization and RFID will have an enormous impact on data security, posing new challenges (and some of the same old ones) to the industry as we move forward to secure these new vectors.

Zango has a Secret Crush on you!

Well, Zango is at it again, making news with distasteful distribution tactics. They were one of the first groups to get into distributing themselves surreptitiously on MySpace; now they’ve caught on to the growing popularity of Facebook by coupling themselves with a Facebook App called Secret Crush.

It’s not particularly shocking that this has taken place; it was really just a matter of time given Zango’s previous activities.

My first thought in these situations is how to sum up the situation briefly so it can be used as an explanation of how to avoid getting burned by these things. The first problem in this scenario is that it sends you to a third-party website to download additional software. This is a huge red flag to me as a security-conscious person, period. But more than that, there’s something much less obviously problematic that really bothers me.

Facebook is quickly becoming full of Apps that require you to send it to X number of friends before you can have their enticing toy. This is, plain and simple, a sleazy social engineering tactic. What do they have to gain by such a scheme? Even if it’s not specifically malware or adware, I avoid these things like the plague. At the very least, I don’t want to be encouraging people to pursue social engineering to achieve App-popularity.

These Socially Transmitted Apps are the Web 2.0 equivalent of Chain Letters and I want no part of it.

Microsoft’s SkyDrive beta abused by spammers.

“If it’s free and worth abusing, discovery time is the variable these days.”
(Or rather… spammers are the bane of free services…)

Our labs trapped many thousands of spam messages overnight that abuse the Windows Live SkyDrive Beta service launched in August last year (or rather, it’s the new name for Windows Live Folders…). The service allows you to upload up to 1 GB of files and share them with anyone via web links. The trapped pill spam offers the usual assurances:

We sell only fda prescription medicine through our fully licensed
pharmacy. orders are overseen by licensed accredited physicians.

http://hostname.bay.livefilestore.com/..Long-url…/adv-filename.html

{english textual bayes poison}

The payload is an HTML file containing, at the moment, just one line of HTML, which redirects your browser to the current incarnation of the spammers’ pill server:

<html><body><script language=JavaScript>window.location.replace("http://top10epharms.com")</script></body></html>

We’d expect this to change to obscured script or meta redirection in the not too distant future.
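A mail or web gateway can catch this class of payload without following the link: a file whose only content is a navigation to an external URL is almost never legitimate. The script below is an added example, not code from McAfee or from the SkyDrive service; it extracts redirect targets from the one-line payload shown above and also from the meta-refresh and percent-encoded script variants the post expects to appear next. The top10epharms.com sample is the one quoted above; the example.invalid URLs are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote

# Constructed samples: the payload quoted above plus the variants the post
# anticipates (meta refresh, percent-encoded URL) and a benign control page.
SAMPLES = {
    "plain_script": '<html><body><script language=JavaScript>'
                    'window.location.replace("http://top10epharms.com")'
                    '</script></body></html>',
    "meta_refresh": '<html><head><meta http-equiv="refresh" '
                    'content="0; url=http://example.invalid/adv"></head>'
                    '<body></body></html>',
    "escaped_script": '<html><body><script>var u=unescape('
                      '"http%3A%2F%2Fexample.invalid%2Fpills");'
                      'window.location.href=u;</script></body></html>',
    "benign": '<html><body><p>Quarterly report</p>'
              '<a href="http://example.invalid/doc">doc</a></body></html>',
}

# A script that writes to the location object in any of its common spellings.
SCRIPT_NAV = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href|\.replace|\.assign)?\s*[=(]",
    re.I,
)
# <meta http-equiv="refresh" content="N; url=..."> in either attribute order.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*?content\s*=\s*["\']([^"\']*)',
    re.I,
)
URL_LITERAL = re.compile(r"https?://[^\s\"'<>)]+", re.I)
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def redirect_targets(html_doc):
    """Return a list of (method, url) for every redirect the document performs."""
    found = []
    for m in META_REFRESH.finditer(html_doc):
        content = html.unescape(m.group(1))
        url_part = re.search(r"url\s*=\s*(\S+)", content, re.I)
        if url_part:
            found.append(("meta-refresh", url_part.group(1)))
    for script in SCRIPT_BODY.findall(html_doc):
        if SCRIPT_NAV.search(script):
            # Undo %XX encoding so a URL hidden behind unescape() is still visible.
            for url in URL_LITERAL.findall(unquote(script)):
                found.append(("script", url))
    return found


def is_redirect_only(html_doc):
    """True when the page redirects and carries essentially no visible content."""
    text = SCRIPT_BODY.sub("", html_doc)
    text = re.sub(r"<[^>]+>", "", text)
    return bool(redirect_targets(html_doc)) and not text.strip()


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(name, "redirect-only:", is_redirect_only(doc), redirect_targets(doc))
```

The redirect-only test is the useful signal for a gateway rule: a legitimate page that happens to redirect usually still has headings, links or text, whereas the spam payload has nothing but the navigation. Targets the detector extracts can be fed to an existing URL reputation check rather than fetched.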

It’s not just spam either: the technique has also been spotted in the labs on Blogspot splogs.

So what makes services like these worth abusing and attractive to spammers?

  • Unique URLs
  • Domains relatively safe from blacklisting
  • Link longevity
  • Abuse handling issues
  • Features: host *almost anything*
  • Great price
  • Someone else pays the hosting costs

It’s a great value proposition for abuse, isn’t it? Well, not really; it’s the same proposition as just about every other file-sharing service out there. This one just got hit, big, suddenly. Another interesting point is that the number of times we trapped each URL was surprisingly low for such a big campaign, so I’d estimate they had tens of thousands of files uploaded. We’ve seen a few small-scale spam runs using the SkyDrive service dating back to November last year, but they were on a much smaller scale than last night’s campaign. I’m sure it won’t be too long before it’s used to host other unwelcome content types; I’d like to see more of these online file storage offerings malware-scanning downloads too.

They have a pretty good terms of service document that this spammer is clearly in breach of. I will be honest and say that I am not going to fill out an online abuse form for every individual url though! SkyDrive folks - feel free to get in touch if you’ve not had enough reports ;)

If you try SkyDrive be sure to leave feedback and suggestions here and here, it looks very neat so far.

Data in your pocket

In the early days, security concerns around computer hardware and the data on those systems were mainly addressed by ensuring good physical security around them. Lock the systems in a room with restricted access and the systems and data were mostly secure. Stealing the data meant breaking into the area physically, which is quite difficult. Things had to change, and they did. Networking changed the way we looked at computers and made data available even though it was kept on a remote system. This was a major leap in computer science, but it also changed the security picture. Admins became less bothered about physical security and more concerned with safeguarding data from being stolen through the interconnectivity of these systems. There was a big paradigm shift from physical to network security. History is almost repeating itself, though this time it is even tougher: physical security is gaining importance again, without making network security any less of a concern.

As devices grow smaller and other devices not really seen as “traditional computers”, such as mobiles and other storage-capable gadgets, become more popular, the physical security of such devices becomes important again. Mobile phones these days can easily store 2-8 GB of data or more. This could include business-critical emails, identity and credit card information, or family pictures. As these devices are small, they can easily be lost, stolen or pilfered. Most of them run sophisticated enough operating systems, often with wireless and Bluetooth capabilities as well, so application and network issues apply to them too. And it is not only handheld devices: even traditional equipment is more exposed to physical attack these days, as most of the attention is on securing systems from network or application attacks.

We cannot easily go back to the early days of strongly secured locker rooms with handheld devices! Good user education and software protections have to be applied to make data less likely to fall into the wrong hands. These devices may even need to run tracking systems in addition to data protection, to safeguard the device itself as well as the data.

- Tracking systems that can provide the location of the device, such as GPS or tracking through the mobile service provider, may need to be implemented for any mobile device carrying sensitive data.
- Only required data should be kept on these devices. Keep moving important but rarely used data onto a more secure system. Back it up!
- The data should always be kept locked with strong passwords.
- The most critical and important data should also be kept encrypted.
- Have data theft prevention software that performs data wiping (“eradicate it before it falls into enemy hands”): software that wipes the data when some event is triggered indicating the hardware is in the wrong hands.
- Unless required, keep all kinds of connectivity such as Wi-Fi and Bluetooth turned off on such handhelds.

Data that can roam with us in our pockets is less physically secure, but good user education and software can at least keep it from getting misused, if not able to prevent it from getting lost.

Stay on Main Street for iPhone apps

Unlocking your iPhone so that you can install third party applications can be fun. Using the Installer.app application on the iPhone and its default repository you can install utilities, games, and other applications. By adding additional repositories to the Installer, it is possible to gain access to a much greater quantity of software.

Occasionally, if you’re not careful you can end up installing malicious software from a bad repository. This happened to a number of iPhone owners a few days ago.

An application calling itself “iPhone firmware 1.1.3 prep” claims to be a tool to prepare your iPhone for the upcoming iPhone update. It actually installs another separate legitimate utility. The damage occurs if you already had the utility installed and you want to remove the false firmware update “prep” tool. Uninstalling the fake tool just uninstalls the real utilities.

Information from the STE Packaging repository site and its owner details how the “prep” tool functions and how it was distributed. Users who added the jmwiki.com repository site to Installer.app were offered the “prep” tool and two other similar packages. It was determined that the malicious repository and applications were created by an 11 year old. The child’s parents were informed and the repository was taken down.

Phone modification (changing the OS, reflashing, unlocking, etc.) can sometimes be dangerous. While corrupting a firmware upgrade for a mobile device might be possible, it is not surprising that someone has instead created much simpler malicious installation files. On the Symbian platform we have seen quite a few pieces of malware, such as SymbOS/Skulls and SymbOS/Appdisabler, that disable or overwrite legitimate applications upon installation.

Users can avoid such problems by:

  • Acquiring software only from trusted sources
  • Installing only official firmware updates

The Russian Business Network is on tenterhooks

It’s not a secret anymore: the criminal organizations behind a large part of Internet-related fraud are huge and well organized. In the last quarter of 2007, two studies about RBN (Russian Business Network), one of the most well-known criminal organizations so far, were published. Last year I read them with great interest. The first is named Uncovering Online Fraud Rings: The Russian Business Network and is available as a webcast recording on the Verisign web site. The second was written by David Bizeul and is named Russian Business Network study.

These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography and pedophilia always make money there.

In addition to these documents, some particularly thorough stories have been circulating on the Net (papers by Brian Krebs of the Washington Post and posts on the RBNexploit and Dancho Danchev blogs).

Mailing addresses, names and photos of suspects, detailed lists of machines and autonomous systems, and many other details were revealed. Because of this, the group deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them, though; the move had been carefully planned: high-activity sites, those leading the attacks at the time, were not disturbed. Gradually, the affected sites began to reappear in Russia as well as all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is under way: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads redirecting computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns run from new C&C botnet implementations, and new web sites hosting malicious software (like MPack or WebAttacker) that victims reach unknowingly after encountering a hidden iFrame while surfing.

People tracking down RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and defined by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject and various network maps or tables help the reader to understand the complexity of such an organization.

One puzzle piece is known as AS40989. Although it was not the core of RBN activity, it is well known because it appears to carry the official name of the group. It is the subject of a new write-up available at the Shadowserver Foundation web site.

This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.

Reading material on RBN is abundant. With this post, I only wish to draw your attention to this existing material. It demonstrates the vitality of the new criminal organizations; it also demonstrates that many people, at McAfee and elsewhere, stay tuned into the dark side of the Internet to understand how the situation is constantly changing and to fight this threat at a worldwide level.

Blurry lines of privacy

I’ve been fascinated by a couple of articles by Cory Doctorow on the difficulties inherent in the popularity of social networking sites like Facebook, and on the differences between “Myware” and “Spyware”. There’s a lot of food for thought here, primarily regarding the difficulty of assessing another entity’s intent.

As someone who tries to assess intent for a living, I’m immersed in this difficulty on a daily basis. Even if an application developer has a perfectly legitimate intent, the person who is using the application may have another purpose entirely - is the program built such that it can prevent such unauthorized use? This sort of dilemma is what led to the classification of “Potentially Unwanted Programs” - either a program’s original intent falls too far into the grey area or we see an instance where a clearly helpful administrative application is being used in a way that is clearly malicious in intent.

Instances like the XCP Sony DRM rootkit and Sears’ use of the Comscore application really underscore the problem. From the companies’ perspective, they’re doing something perfectly reasonable and harmless to the user. People who find these applications on their machines may feel otherwise, and they may feel that the applications’ actions are inadequately documented or simply intrude too far into the user’s privacy.

The privacy line gets even thinner and more blurry with Social Networking sites, where a certain lack of privacy is inherently part of the equation and generally considered desirable. You can share personal information, pictures, music taste, etc. with all your friends, in one simple, efficient maneuver. It seems perfectly reasonable and simple, given the assumption that “friendship” is a simple black and white matter. Few things in life are ever so simple.

A friend of mine recently joined a social networking site, thinking it would be all about that simple, efficient sharing maneuver. She put all her contact information up and made it viewable only by her friends. What harm could there be in that? (I talked her into removing it a few minutes later.) Fast forward a few days, when she received a friend request from someone from her past whom she had once had reason to fear for her physical safety. She had absolutely no desire to be in contact with this person, but there was no way for her to completely block this person from viewing her profile, and for various reasons she felt unable to reject the request directly. She has more or less given up on the site as a result of that incident. Thank goodness she’d already removed her contact info!

There really is no simple solution to the problem of the thin, blurry line of privacy. There’s no silver bullet that will magically make everyone’s internet experience totally warm and fuzzy. I think the most important thing to take away from this is that we need to constantly be vigilant about maintaining our right to privacy, and to push companies to give us the granularity that lets us decide when and with whom we’ll share our information.