Archive for August, 2009

Collateral Damage

Twitter, LiveJournal, Facebook, YouTube, Fotki: what do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken from Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics and the city he professed to have fled in 1993 during the republic’s war with Georgia). And they all suffered a distributed denial-of-service (DDoS) attack during the course of the day yesterday, an attack that took down Twitter for several hours and significantly slowed connectivity to Facebook. Reportedly, the attack packets sent to the targeted social-media sites were requests to fetch the pages hosted for this user, who had blogged just a few days earlier about the upcoming one-year anniversary of the war between Georgia and Russia.

In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system also detected a spam campaign that referenced the targeted blogs. We believe this campaign had a dual purpose. On one hand, the attackers spoofed the blogger’s email address, which is hosted on Gmail, as the originator of the spam. As a result, the blogger’s inbox was flooded with out-of-office notifications and vacation bounces sent automatically by the mail clients of people who had received this spam. This was likely part of an intimidation campaign designed to send a message to cyxymu about who was the real intended target of the DDoS. On the other hand, the spam contained links to the blogger’s sites, with the likely goal of bringing even more traffic to bear on the servers of those blogs than the DDoS alone would cause.


Screenshot of the spam bounces in cyxymu’s mailbox, which he posted after the attack on abkhaziya.net, one of his backup blog sites

In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 a.m. EDT on Thursday, August 6 and started winding down around 11 a.m. the same day, with the last messages being detected at 4 p.m. Only the second spam run, the larger of the two, spoofed cyxymu’s email address, while the first one randomized the senders’ email addresses.
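Separating the two spam runs and profiling their senders and source countries, as an added example that is not part of the original post: the feed records are constructed, and blogger@gmail.example stands in for the spoofed address.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed spam-feed records (not McAfee data): detection time,
# envelope sender, and source country of the sending bot.
FEED = """\
2009-08-06 08:02 qx71@mail.example Brazil
2009-08-06 08:05 ab19@mail.example Turkey
2009-08-06 08:09 kz03@mail.example Brazil
2009-08-06 08:14 pp44@mail.example India
2009-08-06 09:30 blogger@gmail.example Brazil
2009-08-06 09:31 blogger@gmail.example Brazil
2009-08-06 09:33 blogger@gmail.example Turkey
2009-08-06 09:36 blogger@gmail.example India
2009-08-06 09:40 blogger@gmail.example Brazil
2009-08-06 10:05 blogger@gmail.example Germany
"""

RUN_GAP = timedelta(minutes=30)   # silence longer than this ends a run
SPOOF_SHARE = 0.9                 # one address on >= 90% of a run => spoofed

def parse_feed(text):
    """Parse the feed into time-sorted (time, sender, country) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, sender, country = line.split()
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M")
        records.append((when, sender.lower(), country))
    return sorted(records)

def split_runs(records, gap=RUN_GAP):
    """Group time-sorted records into runs separated by a quiet gap."""
    runs = []
    for rec in records:
        if runs and rec[0] - runs[-1][-1][0] <= gap:
            runs[-1].append(rec)
        else:
            runs.append([rec])
    return runs

def summarize_run(run):
    """Describe one run: size, dominant sender, spoofed vs randomized, countries."""
    senders = Counter(s for _, s, _ in run)
    countries = Counter(c for _, _, c in run)
    top_sender, top_count = senders.most_common(1)[0]
    share = top_count / len(run)
    return {
        "start": run[0][0], "end": run[-1][0], "messages": len(run),
        "top_sender": top_sender, "sender_share": round(share, 2),
        "spoofed": share >= SPOOF_SHARE,   # else senders were randomized
        "countries": {c: round(100 * n / len(run)) for c, n in countries.most_common()},
    }

def analyze(text=FEED):
    return [summarize_run(r) for r in split_runs(parse_feed(text))]

if __name__ == "__main__":
    for i, s in enumerate(analyze(), 1):
        kind = "spoofed sender" if s["spoofed"] else "randomized senders"
        print(f"run {i}: {s['messages']} msgs, {kind} ({s['top_sender']}), {s['countries']}")
```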


URLs that were attacked include:

http://twitter.com/cyxymu
http://www.youtube.com/Cyxymu
http://www.facebook.com/cyxymu
http://cyxymu.livejournal.com
http://cyxymu1.livejournal.com
http://fotki.com/cyxymu

The IP addresses included in the attacks were detected proactively by McAfee’s TrustedSource as having a malicious reputation.

Collateral Damage (continued)

While Dmitri Alperovitch wrote his blog entry about the recent DDoS attack against Twitter and some other platforms hosting accounts of a pro-Georgian blogger nicknamed cyxymu, I browsed the Internet, searching for malicious websites taking advantage of this topic.

The second result of my Google search was a link proposing to add the blogger as a friend. This link was a lure that redirected me to a site promoting a fake anti-virus product.

Once again, we did not have to wait long before encountering sites taking advantage of the news.

Introducing the IEEE Industry Connections Security Group

Agreement and collaboration have been two of the greatest challenges the security community has faced from the very beginning. In an effort to address this, the Industry Connections Security Group (ICSG), a new offering from the IEEE, allows like-minded companies to come together to solve industry or business problems that center on information security. Industry Connections is a program under the IEEE that allows for a fast start-up toward industry collaboration. It also offers the support and infrastructure of an established and well-known brand—the IEEE itself. This effort will allow the group to focus on the work of security standards and problem solving, rather than being slowed down by issues such as incorporation or intellectual property matters. McAfee is proud to be a founding member of this effort.

The ICSG is a group of computer security organizations that will work together on common goals and industry issues. The key focus of our collaboration is to solve security issues. In the past few years, attackers have shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats. ICSG was established, under the umbrella of the IEEE Standards Association (IEEE-SA) Industry Connections program, out of the desire by many of us in the security industry to pool our experience and resources in response to the systematic and rapid rise in new malware being introduced to the market. The bad actors have been able to leverage the underground economy and scale their efforts, they have access to specialist tools and services, and they collaborate and communicate effectively—whereas the security industry has been generally responding to threats as individual entities.

Although there has been some ad-hoc cooperation in the industry in areas such as malware and phish URL sharing, this cooperation has not been standardized or documented in a format that lends itself to systematic improvement in operational efficiency or visibility, or review by people outside the vertical industries. It is this collaborative and communicative gap that the ICSG looks to close. ICSG has been established to look at and deal with a wide variety of security issues in a forum that allows us to engage all types of industry verticals. We also anticipate that we can work with other efforts to help drive security standards in other areas.

ICSG currently has one team, the Malware Working Group, looking at malware, but the organization will add more as needs evolve. Malware growth has been meteoric for the last several years. As such, the Malware Working Group’s primary goal is to solve some of the malware-related issues the industry faces today. The initial focus will be to establish more intelligent ways of sharing malware samples and the information associated with them to make the computer security industry more effective at combating this ever-evolving threat.
The initial members of ICSG are McAfee, Microsoft, Symantec, Sophos, AVG, and Trend Micro. A number of other individuals have been involved in reviewing the initial document produced by the Malware Working Group, from a variety of companies involved in computer security. If you are looking to join or need info, contact us at:

• joinICSG@ieee.org, joinICSGMal@ieee.org, IndustryConnections@ieee.org

Procedures and policies that have been adopted can be viewed here. Information about the Malware Working Group can be found here.

Scammers Love Your Money

We generally classify email messages pretending to be from a family member of an (often African) dignitary or from a desperate young woman as scams. In the first case, the sender sometimes explains that following the death of an influential dignitary a large sum of money is blocked in a bank account somewhere. With the recipient’s help, using his or her financial backing for a money transfer, the sender says it would be possible to release the money. Substantial compensation is offered to whoever agrees. In the second case, the unknown beauty befriends the victim and suddenly has a terrible money problem.

For some individuals, these swindles, called advance fee fraud (also known as 419 fraud) and romance scams, are a primary source of revenue. They also run lottery and fake prize scams.

In Eastern Europe senders remain discreet and hide their wealth. But in some African countries, such as the Ivory Coast, many crooks work openly. After reading a news item on this subject on the France24 Observers website, I searched the French Skyrock social networking platform and discovered photos and videos of their exploits. Each crook has his own blog entries and is attached to a gang web page where each member is listed in a friends list. They are plenty boastful. Among the group names, we have:

  • les banquiers arabes (the Arab bankers)
  • la banque africaine (the African bank)
  • les boucantiers de la Côte d’Ivoire (the boucantiers of the Ivory Coast)
  • les plus riches (the richest)
  • etc.

Here is one example:

According to 419 AFF, losses from advance fee fraud in 2007 by companies and individuals reached US$4.3 billion.

In France, one naive victim recently lost €1 million!

Last year, Janella Spears of Oregon is reported to have lost $400,000 (£270,000) after falling under the spell of one such criminal. Here is her account:

The naive are numerous, and cybercriminals know it. We must remain vigilant.

Induc Virus Abuses Delphi Compiler

The W32/Induc virus has been in the wild for at least a year. During this period it has succeeded in infecting a lot of Delphi installations, including manufacturers of some pretty popular software packages.

On a victim’s machine this virus searches for the presence of specific versions (4.0, 5.0, 6.0, and 7.0) of the Delphi compiler. The virus gathers this information using the registry entry shown below.

Registry location to find the Delphi version

If it finds one of these versions, the virus inserts its code into the file SysConst.pas, which is present in x.0\Source\rtl\sys. The virus renames the current SysConst.dcu, which is present under the Delphi library folders, to SysConst.bak. The SysConst.pas file containing the viral code, like the one shown below, is compiled using the Delphi command line compiler dcc32.exe to create an infected SysConst.dcu. The original SysConst.pas file is then deleted.
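A host-side check for the traces described above, added here as an example (not McAfee's detection logic): it takes a Delphi root directory rather than reading the registry, and builds a constructed sample tree to run against. The Lib folder name and the seven-day age gap are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Files the post says W32/Induc touches, relative to a Delphi root.
# Windows paths are case-insensitive; the spelling here is only for the sample tree.
LIB_BAK = Path("Lib") / "SysConst.bak"
LIB_DCU = Path("Lib") / "SysConst.dcu"
SRC_PAS = Path("Source") / "Rtl" / "Sys" / "SysConst.pas"
AGE_GAP = 7 * 86400   # assumption: a recompiled unit is >7 days newer than its neighbours

def scan_delphi_root(root):
    """Return the Induc indicators found under one Delphi installation."""
    root = Path(root)
    findings = []
    if (root / LIB_BAK).exists():                  # original .dcu renamed to .bak
        findings.append("SysConst.bak present (original SysConst.dcu renamed)")
    src_dir = (root / SRC_PAS).parent
    if src_dir.is_dir() and not (root / SRC_PAS).exists():   # .pas deleted after compile
        findings.append("SysConst.pas missing from Source\\Rtl\\Sys")
    dcu = root / LIB_DCU
    if dcu.exists():                               # freshly compiled unit stands out by mtime
        others = [p.stat().st_mtime for p in dcu.parent.glob("*.dcu") if p != dcu]
        if others and dcu.stat().st_mtime > max(others) + AGE_GAP:
            findings.append("SysConst.dcu is newer than every other .dcu")
    return findings

def build_sample_install(infected):
    """Create a constructed Delphi-like tree in a temp dir (clean or Induc-style)."""
    root = Path(tempfile.mkdtemp(prefix="delphi_"))
    (root / "Lib").mkdir()
    (root / SRC_PAS).parent.mkdir(parents=True)
    month_ago = time.time() - 30 * 86400
    for name in ("SysUtils.dcu", "Classes.dcu"):   # untouched library units
        p = root / "Lib" / name
        p.write_bytes(b"")
        os.utime(p, (month_ago, month_ago))
    (root / LIB_DCU).write_bytes(b"")              # fresh mtime by default
    if infected:
        (root / LIB_BAK).write_bytes(b"")          # renamed original, .pas gone
    else:
        os.utime(root / LIB_DCU, (month_ago, month_ago))
        (root / SRC_PAS).write_text("unit SysConst;")
    return root

if __name__ == "__main__":
    for flag in (False, True):
        print("infected" if flag else "clean", scan_delphi_root(build_sample_install(flag)))
```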

Viral Code

McAfee detects all files that have been compiled with the infected Delphi installation as W32/Induc. Some customers have contacted us suspecting that this result is a false positive, but it is a correct detection.

This virus does not have a malicious payload. It just spreads through the compiled executables.

Spammers Broadcast It for FREE!

“FREE” is by far the most commonly used term in spam mails. The word free is such a striking term that any layman, without knowledge of these tricks of the trade, can fall into the trap of the cloaked mails sent by spammers.

Here are a couple of the most often used sentences in spam mails:

• We are letting you try it for FREE, you just pay the shipping costs!
• FREE Download without limits!
• Get your Free Trial Now!
• Take FREE exotic vacations!
• Get Free trial bottle!

This barrage reminds me of the maxim “appearances can be deceiving.” The adage comes true when an innocent user falls prey to these eye-catching spam mails and regrets it later.

Coming back to the main topic of broadcasting for “free,” we are observing a trend wherein spammers abuse social networking websites quite frequently by creating fake accounts to host spam.

The most common trend these days is spammers inserting spoofed URLs associated with social networking and social bookmarking sites such as Blogspot, Yahoo Groups, and Google Groups to host porn, health, replica watches, acai power slim, and many other categories of spam on them. Thus it becomes a big challenge for these sites to moderate abusive or spammy messages on their networks.

A recent and classic example of how the bad guys (spammers) take advantage of some really cool features provided by these networking websites will leave you amazed. Have a look at the following sample, which will give you a better understanding of these types of spam mails.


Sample1

“Get your Free Trial Now” is a hyperlink to “google.com/reader/view/user/…” Clicking it will redirect you to the web page, where the spammer has created a fake profile on social networking websites. The actual spam is in the form of an image that is again hyperlinked to the main spam website. Basically the spammers have abused the “sharing items” feature to their advantage and are spreading spam.

The shared-items feature allows you to share your entire reading-list contents with the public.

Why is the spammer using a different approach altogether rather than simply placing the spam URL in the mail?

It’s very easy for anti-spam filters to cut out mails with URLs that have been recently created and are hosting spam. An example of this would be URLs with .cn domains, which host meds spam most of the time.

Due to a seeming inability to filter and remove their content, spammers abuse social networking websites far more than any other free web-hosting site. We advise our customers to be cautious about such mails and refrain from clicking any URLs in them.
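A mail-side check for the pattern described above, added as an example that is not part of the original post: it flags links whose anchor text is a come-on but whose target sits in a user-publishable area of a reputable host, where a plain new-domain filter would not fire. The spam body is constructed, the Reader path after /reader/view/user/ is a placeholder, and the Groups path prefixes are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# User-publishable areas on otherwise reputable hosts; the post's examples are
# Google Reader shared items, Blogspot and Yahoo/Google Groups. The Groups
# path prefixes are assumptions for illustration.
USER_CONTENT_PATHS = {
    "google.com": ("/reader/view/user/",),
    "www.google.com": ("/reader/view/user/",),
    "groups.google.com": ("/group/",),
    "groups.yahoo.com": ("/group/",),
}
USER_CONTENT_SUFFIXES = (".blogspot.com",)
# Come-on words the post lists as typical of these mails.
LURE_WORDS = ("free", "trial", "replica", "pharmacy", "acai")

class LinkExtractor(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def is_user_content(url):
    """True if the URL points at a user-publishable area of a reputable host."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if host.endswith(USER_CONTENT_SUFFIXES):
        return True
    return any(parts.path.startswith(p) for p in USER_CONTENT_PATHS.get(host, ()))

def flag_links(html):
    """Return (anchor text, href) for lure links hidden behind reputable hosts."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if href and is_user_content(href)
            and any(w in text.lower() for w in LURE_WORDS)]

# Constructed spam body (not a real message).
SAMPLE = """<html><body>
<p>We are letting you try it for FREE, you just pay the shipping costs!</p>
<a href="http://www.google.com/reader/view/user/PLACEHOLDER-ID/label/shared">Get your Free Trial Now</a><br>
<a href="http://replica-deals.blogspot.com/">Replica Watches</a><br>
<a href="http://www.example.com/unsubscribe">Unsubscribe</a>
</body></html>"""

if __name__ == "__main__":
    for text, href in flag_links(SAMPLE):
        print(f"{text!r} -> {href}")
```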

We’ll finish with some more typical examples of how spam looks on social networking websites.

Pharmacy

Sample2

Replica Watches

Sample3

Acai Power Slim

Sample4

Journal: Emerging Standards, Technology Will Relieve Audit Fatigue

There is a light at the end of the tunnel—risk and compliance technologies and standards are relieving auditors and businesses in this age of increased electronic accountability. On the heels of our integration of SolidCore’s technology, researchers from McAfee Avert Labs have laid out the compliance challenges facing organizations, and the new standards that can save thousands of hours, in the latest edition of the McAfee Security Journal.

Organizations Suffer from Audit Fatigue

Of the many compliance obstacles facing organizations, the sheer volume of audits is perhaps the most oppressive impediment to returning to “business as usual.” With more than 400 separate sets of requirements facing organizations internationally, global institutions can face more than 40 diverse mandates. Failure or noncompliance is not an option, as reputational damage and severe consequences levied by regulatory agencies can have severe financial consequences for businesses.

In a McAfee-sponsored survey, one organization estimated that to prepare for their PCI audit, the company spent 1,000 hours in one week to configure audit settings. Another organization spent more than 18,000 hours to prepare for external audits in one year. Even when faced with such overwhelming compliance demands, more than 51 percent of organizations surveyed still used spreadsheets to execute audits.

Three Steps to a Better Audit

Organizations that embrace IT as the path to solving compliance issues should follow three key steps to combat audit fatigue:

1. Establish a governance committee: By connecting executives with operational realities, a governance committee can help focus compliance spending where it will be used to its fullest
2. Automate the IT audit process: By investing in risk evaluation and auditing technology, companies can automate the vast majority of once-manual, time-consuming tasks, better ensuring ongoing compliance and reserving IT energy and spending for strategic priorities
3. Adopt a well-built framework: By adhering to a consistent framework throughout an organization, IT can consolidate the number of separate audits it must conduct

SCAP Leads the Way in Next-Generation Audit Standards

The emergence of the Security Content Automation Protocol (SCAP) signals a change in traditional risk and compliance architecture. Using SCAP-compliant products, companies can now eliminate the need for vendors to issue updates when new policy or regulatory mandates are decreed. By immediately integrating new changes in policy, SCAP improves vulnerability detection, asset management, risk monitoring and response, threat publishing, and more. As more technologies support the continuing evolution of audit demands and evolving infrastructures, the more automated the audit process will become.

To learn more about McAfee’s insights into the status of risk and compliance technologies, read the newest edition of the McAfee Security Journal.

Brazilian Malware Writers Stumble Again

I like to pick on malware writers, especially the dumb ones as you can see here. Sometimes they’re just too big a target to ignore.

The latest round is with Brazilian malware writers again. As you are aware, some days ago the Delphi virus was discovered; we detect it as W32/Induc. So today I got a Brazilian PWS-banker malware that was infected with, guess what, the W32/Induc Delphi virus! What an irony. :)

Back in 2007, I wrote about something quite similar here. And, surprise, it was another Brazilian PWS-banker malware.

So, please, malware writers, repeat after me: “I must install anti-virus software. I must install anti-virus software.”

Today, you can buy a customized Brazilian PWS-banker malware for about US$50. That may explain why it is so cheaply made. :)

Is Apple Opening a Can of Worms?

It has now been widely reported that Apple’s latest operating system, Snow Leopard, contains the ability to identify two families of Mac malware, OSX/Puper and OSX/IWService, when the infectious DMG files are downloaded and mounted as part of the infection process.

There are a number of ramifications of such a move that could be discussed, but the intention of this post is to call out the possibility of this being a catalyst for more Mac malware to be created.

As previously noted on our blog, the growth rate of malware (notably PC malware) is partly due to the success of defenses: the bad guys react and pump out more and more malware in an effort to circumvent those defenses. Apple’s inclusion of malware identification in the OS could certainly be a catalyst for a more intense game of cat and mouse with virus authors, an ironic scenario should this come about.

Prepare for the new upcoming 2010 AV products.

Many major security companies are about to release their new retail products for 2010. Expect some comparative reviews in the coming months; check what you need and stay protected.

Some ‘2010’ products are already out on the web, but unfortunately most of them are FakeAlert Trojans or Scareware.

Once downloaded, you see pop-up windows alerting you about malware found on your machine and asking you to buy the product. The actual problem is the software you just executed.

We have been reporting about FakeAlert Trojans before – you may remember some products named:

- “Virus Remover 2007”
- “Win AntiSpyware 2008”
- “AntiVirus VIP”
- “AntiSpyware Pro2009”
- …

Those are just a few. Let’s look at this “2010” example:

Screenshot of Fakealert Webpage

Before you think about buying a new product or testing a trial version, you should:

- Use McAfee SiteAdvisor to get a rating of the page you’re looking at.
- Type the product name into your favorite search engine and have a look.
- Check comparative reviews – don’t believe in the awards posted on the page.
- Still unsure? Go to the nearest store and buy a boxed copy. There are no FakeAlert products available in a box in a store; they sell online only.

If you are already running an anti-virus product from a known vendor and you get annoyed by pop-ups or bogus alerts, or have a different issue, contact that vendor’s technical support first.

Quote from the bottom of the screen:

According to security experts, most spyware types are not detected by antiviruses because they are disguised as legitimate software installed with the user’s consent.

Actually, ‘PC Antispyware 2010’ is a perfect example of such “malicious software disguised as legitimate software.”

Of course, we and other major security companies add detection for those FakeAlert products as Trojans.

McAfee SiteAdvisor rates this page as RED.
McAfee VirusScan detects the installer as Generic FakeAlert.d!gen
McAfee Secure Gateway detects Trojan.Dldr.FraudLo.sxm