Archive for January, 2008

Microsoft Update… Not

Late last Friday, Avert Labs became aware of an interesting piece of malware. In this latest social engineering scenario an attacker sends a new “friend request” to MySpace users. When the user clicks on the picture or name of their new potential friend, an overlaid image of what looks like a legitimate Windows “Automatic Update” pop-up box is displayed. Clicking on or near this bogus dialog will result in a request for a file download that is visually disguised as a Microsoft update called “updateKB890830.exe” from a server named “winxpupdate.Microsoft[removed]”.

Screen Shot

Instead of an update however, this download contains a malware cocktail containing additional downloaders, several trojans, as well as a remote admin tool. It is advised to be aware of dialogs that have abnormal properties. One such property may be that the dialog disappears when the web browser is minimized. If this is the case the dialog is probably an image rendered within the context of a web browser and is not a legitimate update. McAfee AV users were proactively protected against this threat.

Spammers “Feeling Lucky” With Anti-Typosquating Domains

The recent wave of Google “I’m Feeling Lucky” search spam that Chris Barton blogged about a while ago has added a new flavor to the never-ending recipe book of spam.

Typosquatting is the practice of buying up domains that rely on users misspelling well known websites. Large organizations (like Google) will often register these domains to protect their users from accidentally going to possibly undesirable sites. One such domain is gooogle.com (3 o’s).

Yesterday I saw a high volume spam run that used this domain along with the “I’m Feeling Lucky” option that brings you to the first search result.

Link seen in spam

Interestingly, some quick-thinking anti-spam people have thwarted the spammers, and now the search result redirects to an anti-spam website rather than the pill-pushing website you were supposed to see.

Anti-Spam Message

Google has many domains that spammers continue to try to abuse, but our detection methods don’t rely on the domain name… so back to the drawing board for the spammers!!

From Nuwar, With Love

With Christmas and New Year behind us, it’s not only shops getting ready for Valentine’s Day but Nuwar (a.k.a. Storm) as well. You may receive a Valentine-themed e-mail with a subject like “I Dream of you”, “For You….My Love”, “Sending You My Love”, etc., with body text prompting you to click on a typical Nuwar-style link of the form http://some.numeric.address. If the link is followed, the user is presented with a page similar to this:

Nuwar 'with love'

Clicking on the link on that page, or at the image of the heart, will lead to a download of with_love.exe which is, of course, a new variation of Nuwar.

Excel Zero Day Overdue?

Last night Microsoft released Security Advisory (947563) due to the discovery of a targeted zero-day attack. Microsoft states the following products are vulnerable:

  • Microsoft Office Excel 2003 Service Pack 2
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel 2002
  • Microsoft Office Excel 2000
  • Microsoft Excel 2004 for Mac

I took a look at previous Office zero-day vulnerabilities that were discovered through active exploitation since the beginning of 2005. As you can see below, there was a seven-month gap in the public disclosure of these vulnerabilities.

Although this bit of trivia is somewhat interesting, it’s difficult to draw meaning from it. It’s possible that the lull exists only in reporting, rather than in the active exploitation itself. Here’s a per-product breakdown of the source of the vulnerabilities:

The last Excel zero-day discovered through exploitation was reported more than 18 months ago.

No seriously, identity theft is real.

Generally, I think we can agree that creating FUD is a bad thing. And conversely, dispelling FUD is generally a good thing. But knowing when something is actually FUD, rather than a fear based on valid concerns, is a vital part of that equation.

This was a lesson learned the hard way by TV presenter Jeremy Clarkson, when he published details of his bank account in the Sun newspaper. He had figured that all that could be done with the information was to put money into his account.

Not so!

He awoke one morning to find someone had set up a £500 direct debit to the charity Diabetes UK. He’s sounding quite contrite now, and seems rather adamant about pursuing those who lose the confidential information of others:

“Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”

McAfee Avert Labs Gains a Director

This month, McAfee Avert Labs will release our third issue of our security journal “Sage,” which in this edition examines regional issues in security and malware in different parts of the globe. Here at Avert Labs we’re reacting to these trends by reorganizing to more effectively deal with those local and regional challenges. In that vein, I’m proud to announce that Guy Roberts has been named as Avert Director of Operations for EMEA (Europe, Middle-East, and Africa). Normally we talk only about security threats and trends on the Avert Labs blog, but this is a special occasion.

Guy will be responsible for all anti-virus and anti-spam operations for all of EMEA. Guy has been working in the AV industry for more than 10 years on products for desktop, gateway, and management and has a broad understanding of customers’ needs. He has also been responsible for turning the McAfee anti-spam technology into an industry-leading messaging solution.

Guy will bring a strong customer focus into the region for Avert Labs as well as continue to help advance our detection and coverage across all technologies!

Pics from a friend? Maybe not

The SymbOS/Beselo worm is in the wild in Asia. It is malware very similar to SymbOS/Commwarrior. The worm travels by both Bluetooth and MMS.

It sends itself out in an MMS to every contact in your phone book, plus a number of randomly generated mobile phone numbers. The MMS messages use no subject line and one of a handful of short texts in their body.

Where this malware gets interesting is in how it attempts to reuse an old technique to disguise itself so that it will be installed by an unsuspecting user. SymbOS/Beselo pretends to be a harmless media file under the names “beauty.jpg”, “love.rm” or “sex.mp3”.

On Windows, changing an extension will prevent an executable from running. Renaming bad_program.exe to bad_program.bmp will make the file open in MS Paint and not run the program. On Symbian, files are recognized by their file type (their content), not by their extension. Renaming a SIS installation file to beauty.jpg will not open the file in the picture viewer but will instead begin the installation process. In the case of SymbOS/Beselo, a user will receive an MMS from someone they know and the attachment could be beauty.jpg. The message says “photo” and it comes from a friend, so the user is likely to open it to see the photo. When the request to install pops up, it’s very likely the user will click OK and be infected.

SymbOS/Beselo relies on users’ possible unfamiliarity with how applications are installed on Symbian phones. Viewing media files (jpg, rm, mp3, etc.) on Symbian does not usually require installing additional software and definitely doesn’t require one to install from an MMS message.
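The disguise described above is detectable on the receiving side: a gateway or on-device filter can look at what the attachment's leading bytes say it is rather than what its name claims. The following is an added example, not code from the original post or from McAfee; the JPEG, RealMedia and MP3 signatures and the Symbian SIS/SISX UID markers are taken from public format documentation, and the sample byte strings are constructed for the example.

```python
import struct

# Old-style (pre-Symbian 9) SIS files carry UID3 = 0x10000419 at offset 8;
# Symbian 9 SISX files carry UID1 = 0x10201A7A at offset 0 (both little-endian).
SIS_UID3 = 0x10000419
SISX_UID1 = 0x10201A7A

# What the extension promises the content should be.
EXPECTED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "rm": "realmedia", "mp3": "mp3"}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b".RMF"):
        return "realmedia"
    # MP3: either an ID3v2 tag or an MPEG audio frame sync (11 set bits).
    if data.startswith(b"ID3") or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    if len(data) >= 16:
        uid1, _uid2, uid3 = struct.unpack_from("<III", data, 0)
        if uid1 == SISX_UID1 or uid3 == SIS_UID3:
            return "sis-installer"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Flag an MMS attachment whose name claims a media file but whose content
    is a Symbian installer. Any installer is flagged, since viewing media never
    requires installing from an MMS; an unrecognised body is left alone."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXPECTED_BY_EXT.get(ext, "unknown")
    actual = sniff_type(data)
    mismatch = claimed != "unknown" and actual not in (claimed, "unknown")
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": actual == "sis-installer" or mismatch}


# Constructed samples: a genuine JPEG header, and a "beauty.jpg" whose body is an
# old-style SIS header (UID1 is an arbitrary app UID; UID2/UID4 are placeholders).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
SAMPLE_SIS_AS_JPG = struct.pack("<IIII", 0x12345678, 0, SIS_UID3, 0) + b"\x00" * 8

if __name__ == "__main__":
    for name, body in (("beauty.jpg", SAMPLE_JPEG), ("beauty.jpg", SAMPLE_SIS_AS_JPG)):
        print(check_attachment(name, body))
```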

Anti-Virus Testing 2.0

A colleague of mine from McAfee Avert QA and I have just returned from a summit in Bilbao, Spain, where more than 40 experts gathered together for almost two full days. Security researchers, QA people from many AV companies, independent AV testing bodies and magazine reviewers were present. The purpose of the meeting was to form a non-profit organization that would work towards improving testing standards for anti-malware products. We want to help everybody who is eager to be involved in the area of testing anti-malware security solutions. Helping computer users is what we do on a 24×7×365 basis, and we very much want to promote quality independent testing because bad tests mislead, confuse, and frustrate everybody.

The need to create such an organization arose from occasionally seeing AV reviews that compared apples and oranges or, sometimes, did not even say what kind of fruit was being compared! It would be beneficial for everybody if there were some minimal requirements for the tests. For example, an ability to contact the reviewer is very important, and so is publishing the testing methodology. It would be ideal if there were many competent independent testing bodies but, unfortunately, contemporary anti-malware tests require big, well-equipped research labs, and it takes literally years to set them up. Neither governments nor academic institutions have had much success on this front so far.

The delegates agreed on the name of this organization. Many suggestions were considered – such as “The Bilbao group”, “CATS” (Computer Anti-Malware Testing Standards) and “iTOSS” (International Testing of Security Software). In the end we all settled on a rather simple and straightforward name. The formal press release will follow soon where the name and the participants will be announced.

We all also worked together on a charter of this newly formed body and it was mutually agreed upon. I would expect a Web site to be set up soon and the charter published there.

We set up temporary committees - they will be in charge of organizing future meetings, establishing new contacts, and drafting the standards. The plan of action is to meet several times a year and seek agreement on the ways to objectively compare anti-malware security solutions, taking the output of the working committees as working drafts.

The idea is to have the organization open for the anti-malware companies, the academic institutions, testing bodies, magazine reviewers and everybody, who would wish to participate in improving the standards of testing for security software.

I could hear objections along the lines of: “How can we trust the AV industry to set standards for how they themselves should be tested? Can, say, car manufacturers be allowed to set their own testing standards?” I would reply that, firstly, the security software makers are vitally interested in the existence of comparative tests - they show us our strengths and weaknesses, and only then can we better decide where to invest our resources in order to improve protection and increase the number of users. Secondly, the spectrum of security software is getting wider all the time (heuristics, generics, sandboxing, behavioral protection, herd intelligence, HIPS, NIPS, etc. - new technologies are constantly being added), and the traditional focus of testing on scanning piles of files (sometimes very old piles) is stifling innovation. Improvements in AV testing are urgently needed, and involving the developers of the new technologies in the discussions sooner rather than later should benefit everybody. And finally, independent testers are already represented in the new organization, and it will be they who actually run the tests – nobody can force them to do what they disagree with.

It was a pleasure to work together with so many talented people, and I really do hope that our joint efforts will not only improve testing standards but will also stimulate innovation in testing methodologies and in security technology.

Avert Labs will keep you updated on the developments.

First ‘cyber-war’ hacker convicted in Estonia

In April 2007, moving a Soviet statue from the centre of Tallinn to a suburb sparked anger within the country’s Russian community. They got organised and then requested and received the support of their compatriots. What developed was a form of “cyber demonstration”. Today, an AFP press release (French Press Agency) announces the first arrest regarding this crisis:

“Dmitri Galushkevich is the first hacker to be sentenced for organising a massive cyber-attack against an Estonian web-page,” Gerrit Maesalu, spokesperson for the regional prosecutor’s office in north-east Estonia, told AFP.

Galushkevich, a 20-year-old Russian, pleaded guilty. He was fined 17,500 kroons (1,100 euros or US$1,600) for directing, between April 25 and May 4, an attack against the Reform Party of Estonian Prime Minister Andrus Ansip.

A self-deprecating trojan author arrested

A Japanese trojan author was arrested by the Kyoto Police on 24th Jan. According to the press (in Japanese), the author is a graduate student living in Osaka and is alleged to have made the so-called “Harada virus” (the Del-500 trojan and Uploader-AH trojan).

McAfee Avert Labs has identified more than 70 variants of the trojan family, which have been distributed on the Japanese P2P network called Winny for years. Once users download and run the files, the trojan attempts to delete any potentially pirated content, such as movie, picture, and audio files, that might have been downloaded from the P2P network.

The earlier variants of the trojan show a picture of an unidentified man, the so-called “Harada”, upon infection, with messages criticizing the illegal use of the P2P application for exchanging pirated content. The suspect followed the same pattern and taunted P2P users; this time, however, he used a famous animation picture instead. Ironically, as a result he was arrested on suspicion of violating copyright law, in that he made the trojan show the copyrighted work without permission (unfortunately, there are no laws in Japan to punish malware writers at this time).

We do not yet know how far the suspect went in creating the successive trojan variants. The trojans suspected to have been made by him have the same structure as the others in the family, are written in VB, and carry the contact information of “Harada” at the end of the trojan files.

Anyway… hopefully this will give rise to a discussion on creating laws to punish malware writers in Japan.