Archive for December, 2009

Get Rich Quick! Just In Time for the Holidays

National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, backed-up bills, and providing for your children for the holidays have put many people into situations that they never thought they would find themselves in. This has caused many to become desperate and vulnerable as they try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up their sensitive information. In addition to obviously being criminals, I always say that cyber criminals are also great marketers!

To that point, be on the lookout for many different types of scams this holiday season (check out our recently published “12 Scams of Christmas”), including get-rich-quick schemes and work-from-home opportunities that are really just covers for phishing scams or attempts to inject malware onto your computer.

We are monitoring a couple such scams arriving via email which are linking off to Twitter updates or free blogging services like Google’s Blogspot:

Get Rich!

More Getting Rich!!!

Get Rich Tweet!!

As the holiday season progresses, we will see more of these types of scams popping up, with themes ranging from holiday sales and rebate opportunities to holiday e-cards which actually install malicious applications instead of the holiday card! One bit of advice that we ask users to follow: if you are interested in the latest deals and bargains being offered by your favorite online retailer this holiday season, go to the web site directly by typing its address into your browser. Do not click on a link in an email or instant message to get you there, because the link might actually be masked to go to a lookalike site set up by cyber criminals to steal your personal information. If the offer that arrived in your inbox is legitimate, it will be honored on the web site when you browse there manually rather than clicking a link that arrived in your inbox.

Have a safe and malware free holiday season!

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected an outbreak of spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.

H1N1 Vaccination Profile email claims to be from the CDC.

This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:

Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile

These emails contain a URL that points to a website which urges the victim to download a vaccination profile archive:

This website wants to give you a virus.

The link is an executable that installs a VERY recent Zeus trojan variant. Zeus is an easy-to-use tool for constructing trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detects this strain (7/41 engines detected it according to VirusTotal, and McAfee had 2 of those 7 engines).

The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar at active24.be.

The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar, “Xin Net Technologies”, but the DNS servers themselves are being hosted from locations in the US, Japan and Hong Kong. We even see some of the DNS servers being used as previously having been associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate that some of the DNS servers themselves may simply be infected hosts.

These hostnames are associated with 135 distinct IP addresses for the websites hosting the Trojan; the addresses are spread all over the world and appear to be DSL accounts.

The primary countries hosting the websites at the time of this writing are Colombia, Brazil, India, Malaysia, Chile and Argentina.

Stay updated and stay safe!!

Mapping the Mal Web: McAfee’s 3rd Annual Report

We have just released “Mapping the Mal Web,” our third report revealing the riskiest and safest web domains to surf and search.

For the first time combining data from McAfee’s SiteAdvisor and TrustedSource, the report is even more comprehensive than last year’s, naming Cameroon (.cm) as the riskiest place to surf with a whopping 36.7 percent of the domains posing a security risk.

For those domains for which we had 2,000 or more download tests, we measured the percentage of those tests that were risky. Romania (.ro, 21.0 percent), China (.cn, 18.6 percent), and the generic .info (15.2 percent) were found to be most risky, leading the fourth-place finisher, .biz (6.8 percent), by a wide margin.

This report also shows how much registrars can achieve when they try. Last year Hong Kong (.hk) was the most risky domain to surf. After taking appropriate actions, their efforts paid off: with just 1.1 percent this year, they have dropped to 34th place. Congratulations to everyone involved!! ;)

That’s enough numbers for now. Get the full report here or find a summary over here.

The report is available in several other languages from the McAfee home page, and to help you avoid risky sites I strongly recommend our free SiteAdvisor.

FIFA World Cup Tickets Scams Available Now

We recently alerted our readers to spam campaigns using the H1N1 vaccination program to prompt recipients to open the mail. And we have frequently mentioned that crooks love to take advantage of news, disasters, and other events.

Now that the final draw for the FIFA World Cup in South Africa next year has taken place, it is time to remind you that sports events are no exception to the rule. I’ve already found some examples.

The first is a fake lottery. In this case, the source claims the recipient has won a large sum of money from the South African Football Association. After contacting the lottery manager, the victim of the scam will be asked to pay “processing fees” or “transfer charges” so that the winnings can be distributed. Don’t expect to ever see a payment.

The second example is a “watch live games online” offer. Can you guess it’s a fake? The victims pay to download an HD video player, but they receive only a rogue security product (a.k.a. scareware).

When a sport makes the headlines, there are always fans who want to take part. We’ve also encountered fake club offers that are dedicated solely to collecting subscriptions.

As June 2010 approaches we’re certain these scam offers will increase in number and in professionalism. You must be especially vigilant if you plan to buy tickets online for the South Africa games. Go to fifa.com, use a reputable travel agent, or contact your football/soccer association directly. Don’t assume unsolicited online offers are genuine.

In September, The Times of London wrote that New Scotland Yard had tracked down and closed more than 100 sites so far, with as many as 20 based in Britain. These fraudsters were only the pioneers of an Internet crimewave that will rise as the World Cup approaches.

Here is a screenshot I took today on the official FIFA website. (Prices for the various categories are in US dollars.) The site explains that only one location–fifa.com–will sell tickets and that only a few other companies will sell authorized packages.

Compare the real thing with this suspicious site I also found today. It offers different prices for the same categories:

Don’t be disappointed before your team starts to play. Shop carefully if you plan to buy tickets!

Should Facebook’s New Privacy Features Concern You?

Facebook has changed the rules again. Should you be concerned?

On December 9 Facebook rolled out a new feature that was previously announced via an open letter from Facebook founder Mark Zuckerberg. This feature asked users to review their privacy settings to give them more control over who can view the content they publish on the popular social networking site. This change has upset some of Facebook’s users because they see this as an effort by Facebook to get users to make public more of the information that they post. Further, that information will be indexable by search engines such as Bing, which has announced that it will allow searches of status updates posted to Facebook and Twitter. This is a big change for most users, whose current settings may be restricted to family, friends, or groups they’ve joined.

Should users be worried? That depends on what type of information is being posted. Regardless of the privacy policies or the amount of data available to search engines or other users, the ultimate arbiter of what is posted and shared is each user. The service is called social networking for a reason.

Here’s the point: Although users do need to make sure they are aware of the privacy policies of the sites they enjoy and how that information might be used by others, ultimately the users themselves control what is posted online and what applications are installed in their profiles.

If you do not want to share information, do not post it. Once your data gets picked up by search engines, it’s virtually impossible to have it removed. It becomes part of your online brand forever.

‘Ho, Ho, Ho’: Santa Delivers FakeAV Presents

Following the latest Captcha techniques used by the W32/Koobface worm, it seems that malware authors have turned to Santa for help to deliver the nasty surprise which awaits Facebook users. The infection drops other Trojans, such as FakeAlert, and leaves the user in trouble.

It all begins with a post on a user’s Facebook wall. If the user clicks on the link, he or she sees a fake video player with a Christmas greeting, as shown below.

A fake message states that to view the video the user must download the latest version of Adobe Flash. If the user clicks “install,” the malware runs a variant of W32/Koobface on the user’s system.  Further, the user’s browser is redirected to more harmful sites harboring malicious files that automatically execute on the infected system.

Among the malicious files that are downloaded and executed are FakeAlert Trojans, which display a fake message stating that the system is infected with various viruses and that the user should buy a product to remove them.

I suggest you avoid installing anything that results from clicking video links related to any Christmas greetings.

McAfee Labs Releases December Spam Report

The United States is still a safe haven for spammers. With U.S. anti-spam legislation doing very little to thwart spammers and the McColo takedown having only a short-term effect, we have found that due to low-cost and reliable hosting and anonymous domain registration, our country remains the world’s top source for spam.

The December report also reveals:

  • “Twitter job” spam, which has been going on for months, is on the rise. It’s a scam that tries to get people to create Twitter accounts and send spam to their followers for money.
  • This season’s Christmas-themed malware is focused on the recession, advertising fake luxury goods and brands that are “on sale” through email.
  • One year after the McColo ISP shutdown, spam has risen beyond the levels before McColo was taken offline.
  • January 1, 2010, marks the sixth anniversary of the CAN-SPAM Act of 2003, but spam levels have reached record levels in the six years since the legislation passed.

Read the report in its entirety here.

Good News from China

As outlined in our recent report Mapping the Mal Web, the People’s Republic of China’s top-level domain (.cn) is currently one of the riskiest domain names to surf due to numerous malware downloads and other risky sites. However, this state of affairs may now change for the better:

On December 11 the China Internet Network Information Center (CNNIC), the state network information center of China, released an update regarding its auditing of domain name registrations. As of today, domain name applicants must submit a formal paper-based application when making an online application to the registrar. This includes the original application form with business seal, company business license, and a photocopy of the ID.

This change will make the .cn domain very unattractive for criminals and fraudsters who are looking for domains they can register anonymously, preferably paying with stolen credit card information. This would be a great step in making the .cn domain name space a safer place. And if these measures are implemented as announced, it would in fact make China a leading example in the fight against fraudsters on the Internet.

I do hope that one small part of the announcement suffered just a bit in translation:

“3. From the day of the submission of online application, if CNNIC does not receive the formal paper-based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted.”

I hope this means the application, not the domain, will be deleted after being in service for just five days. If not, this has the potential to become “Domain Tasting 2.0.”

DKOM Opens Door to Malware Rootkits

Much malware comes with a kernel rootkit component. Subverting the Windows kernel is indeed the best way to conceal malicious activities on infected systems. To achieve this, many types of malware load malicious device drivers that enjoy full access to all kernel objects. However, this technique is somewhat noisy, and loading a new driver is not really stealthy.

At McAfee Labs we recently ran across a W32/IRCBot.gen.ac sample that uses Direct Kernel Object Manipulation (DKOM) to hide itself without loading a new driver. This technique seems impossible at first sight because modifying kernel memory pages from userland is not allowed. However, W32/IRCBot.gen.ac takes advantage of an undocumented function exported by ntdll.dll that provides debugging functionalities at the kernel level.

NtSystemDebugControl(), despite being undocumented, has been known for many years. It provides simple functions such as reading from and writing to any location within the kernel memory. And this is exactly what a piece of malware needs to manipulate kernel objects.

W32/IRCBot.gen.ac starts by checking what version of Windows it’s running on. This technique won’t work under Windows Vista or Windows 7. If the infected machine is not running Windows XP, W32/IRCBot.gen.ac gives up and doesn’t try to hide itself.

If it does find Windows XP, W32/IRCBot.gen.ac opens the current process’ token to ensure it has the SeDebugPrivilege, which is required to call NtSystemDebugControl().

To find the process list in the kernel memory, W32/IRCBot.gen.ac retrieves the address of the global variable PsInitialSystemProcess, which points to the EPROCESS structure of the system process.

W32/IRCBot.gen.ac can now find the process list in memory and go through it to find its own process. It then removes itself from the process list by calling NtSystemDebugControl() to write to kernel memory.

The malicious process is no longer visible in the Windows Task Manager or other tools such as Process Explorer. However, monitoring TCP connections will quickly reveal the presence of an offending process whose name can’t be found.

Rootkit Detective also detects processes hidden via DKOM.
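The two detection hints above (a TCP connection owned by a process that no process list can name, and a dedicated DKOM-aware scanner) both rest on the same cross-view idea: a process unlinked from the kernel's process list still owns sockets, so comparing what the process list shows against what the TCP table attributes to each PID exposes the gap. The following Python is an added example of that comparison and is not Rootkit Detective or any McAfee code; the `tasklist /FO CSV` and `netstat -ano` output it parses is constructed sample data in the format those Windows tools emit, with PID 3312 standing in for the unlinked bot process.

```python
"""Cross-view detection of a DKOM-hidden process (added example, constructed data).

Compares the process-list view (tasklist) with the socket-owner view (netstat -ano).
A PID that owns a connection but appears in no process snapshot is a hidden-process
candidate.  Two process snapshots, taken before and after the connection table, rule
out the benign race of a process that simply exited in between.
"""
import csv
import io
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed sample: what a walk of the process list (Task Manager, tasklist) sees.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","5,128 K"
"explorer.exe","1484","Console","0","22,416 K"
"firefox.exe","2200","Console","0","61,004 K"
'''

# Constructed sample: the TCP table still attributes a socket to PID 3312, which the
# process list above no longer contains (hypothetical hidden bot on an IRC port).
NETSTAT_OUTPUT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:1051      203.0.113.21:80        ESTABLISHED     2200
  TCP    192.168.1.20:1077      198.51.100.7:6667      ESTABLISHED     3312
  TCP    192.168.1.20:1090      203.0.113.9:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
'''


class Connection(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from ``tasklist /FO CSV`` output (the process-list view)."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    pid_col, name_col = header.index("PID"), header.index("Image Name")
    return {int(row[pid_col]): row[name_col] for row in rows if row}


def parse_netstat(text: str) -> List[Connection]:
    """Parse ``netstat -ano`` rows; UDP rows carry no State column, so take PID from the end."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" and len(fields) == 5 else ""
        conns.append(Connection(proto, local, remote, state, int(fields[-1])))
    return conns


def hidden_connections(process_views: Iterable[Dict[int, str]],
                       connections: Iterable[Connection]) -> List[Connection]:
    """Connections whose owning PID is absent from every process snapshot.

    PID 0 is skipped: Windows attributes sockets whose owner is already gone
    (typically TIME_WAIT) to PID 0, which is not a hidden process.
    """
    known: Set[int] = set()
    for view in process_views:
        known.update(view)
    return [c for c in connections if c.pid != 0 and c.pid not in known]


def hidden_pids(process_views: Iterable[Dict[int, str]],
                connections: Iterable[Connection]) -> Set[int]:
    return {c.pid for c in hidden_connections(process_views, connections)}


if __name__ == "__main__":
    before = parse_tasklist_csv(TASKLIST_CSV)
    sockets = parse_netstat(NETSTAT_OUTPUT)
    after = parse_tasklist_csv(TASKLIST_CSV)   # second snapshot; identical in this sample
    for c in hidden_connections([before, after], sockets):
        print(f"PID {c.pid} owns {c.proto} {c.local} -> {c.remote} {c.state} "
              "but is missing from the process list: possible DKOM-hidden process")
```

On a live system the two `tasklist` snapshots and the `netstat` capture would replace the constructed strings; anything the comparison flags still needs confirmation with a kernel-level scanner, since a process that exits between the first snapshot and the socket capture is the usual benign cause of a one-off mismatch.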

Accessing kernel memory from userland is really bad, but it appears this hole has been plugged in later versions of Windows. Using this method of calling NtSystemDebugControl() to access kernel memory is not trivial, and we don’t expect this technique to be used widely. And this is a good thing because according to Artemis, Windows XP is still the most widely deployed operating system in corporate environments. My colleagues Igor Muttik and Dmitry Gryaznov, and Joel Yonts of Advanced Auto Parts demonstrated this during McAfee’s Focus 09 conference.

Nevertheless, I offer another reminder that the bad guys never hesitate to exploit any feature, whether documented or not, as long as they can gain control over innocent machines.

Log into privileged user accounts only when required, and keep your anti-virus software up to date!

Another Adobe Reader Zero-Day Attack

Adobe just posted a new Security Advisory (APSA09-07, CVE-2009-4324) for the latest critical vulnerability in Adobe Reader and Acrobat 9.2 (and earlier). The flaw lies within a JavaScript function specific to the PDF Reader. Adobe plans to release a patch by January 12, 2010, to resolve the issue. The zero-day is already being exploited in targeted attacks. A Twitter post indicates that an exploit module was added to the Metasploit framework as well, so it’s only a matter of days until this exploit becomes widespread–as the various exploit toolkits are “enhanced” with support for this latest vulnerability.

The screenshot below illustrates the inner workings of one such malicious PDF file, showing the JavaScript obfuscation layer on top of the actual exploit code.

McAfee FileInsight screenshot

McAfee customers are protected through both the DATs (as “Exploit-PDF.ag” in 5834) and through Gateway Anti-Malware (“BehavesLike.PDF.Suspicious.Z”). If you don’t really need JavaScript in PDF documents (and if you do, please leave a comment to this blog–we’re curious to know), you can mitigate this issue until the patch is available next year by disabling JavaScript in Adobe Reader and Acrobat as described in the Adobe Security Advisory.
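The screenshot paragraph above describes a JavaScript obfuscation layer sitting on top of the exploit code, and the advice is to disable JavaScript if you don't need it. A complementary check on the mail gateway or the analyst's desk is a static triage of incoming PDFs for the objects that make script execution possible at all. The Python below is an added example of such a triage, not McAfee's FileInsight or Gateway Anti-Malware logic; the sample PDF is constructed inline (its script body is a harmless placeholder), and the indicator and obfuscation-hint lists are this example's own choices. It handles two edge cases a naive `grep` misses: PDF name hex escapes (`/J#61vaScript` is the same name as `/JavaScript`) and script bodies stored inside FlateDecode-compressed streams.

```python
"""Static triage of a PDF for script-execution indicators (added example, constructed data)."""
import re
import zlib

# Names that enable or trigger script execution; chosen for this example.
INDICATOR_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
# Script-level hints of an obfuscation layer in front of the real payload.
OBFUSCATION_HINTS = (b"unescape(", b"String.fromCharCode", b"eval(")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so /J#61vaScript matches /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every stream that decompresses cleanly with zlib."""
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue   # not Flate-compressed, or damaged: the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes) -> dict:
    """Count indicators over raw + inflated content and derive a suspicious flag."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in INDICATOR_NAMES:
        # Word boundary after the name so /JS does not match /JSomething.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        counts[name] = len(re.findall(pattern, text))
    counts["obfuscation_hints"] = sum(text.count(h) for h in OBFUSCATION_HINTS)
    has_script = counts["/JavaScript"] + counts["/JS"] > 0
    auto_trigger = counts["/OpenAction"] + counts["/AA"] > 0
    counts["suspicious"] = (has_script and auto_trigger) or counts["obfuscation_hints"] > 0
    return counts


# Constructed sample: script stored in a Flate-compressed stream, JavaScript name
# hex-escaped, and wired to run on open.  The script body is a harmless placeholder.
_SCRIPT = b"var s = unescape('%41%42'); app.alert(s); /* placeholder, not an exploit */"
_BODY = zlib.compress(_SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n"
    b"5 0 obj << /Length " + str(len(_BODY)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _BODY + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign sample: no script objects at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(doc))
```

A hit on `suspicious` is a reason to detonate or inspect the file, not a verdict: legitimate forms use `/JS` with `/AA` too, which is exactly why the advice above is to turn JavaScript off unless you need it.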