Archive for February, 2010

Be careful on help files

The other day I came across a malware sample that tries to hide its infection in a way that is not especially technical, but is quite unusual.

“Muster” is a family of backdoors that has been using help files to hide itself. Help files, or “.hlp” files, are data files designed to be viewed with the Microsoft WinHelp browser to provide online help for application users. Earlier variants of “Muster” drop encoded copies of the main backdoor components under filenames with the “.hlp” extension. These “.hlp” files are later decrypted with Microsoft CryptoAPI using hardcoded keys and executed by loaders.

A recent variant, “Muster.e,” uses help files in a different way. Once installed, it infects an existing help file called “imepaden.hlp,” one of the help files for Microsoft IME. This infected help file can still be viewed with the WinHelp browser exactly like the original, so users are unlikely to notice the infection by looking at it.
Infected imepaden.hlp
How is this activated on each boot? Muster.e also drops a sys file that is loaded as a service on reboot. This sys file is responsible for extracting the appended executable from the help file and copying it to a standalone executable called “upgraderUI.exe,” registered under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the value name “AutoPatch,” which leads users to believe it is something related to a system update tool. On top of this, the malware authors have also crafted the sys file to deceive users.
Sys file
As you can see, this sys file uses names like “MyDDKDevice” and “HelloDDK” and is designed to emit many debug messages; it looks like a typical test driver compiled from sample code in a beginner’s guide to device driver programming. In fact, if you search for these words, you will find many web pages describing device driver programming. It is not easy to tell why the authors created the sys file this way. However, given the effort spent hiding the backdoor in help files, I don’t think the bad guys were simply bored of creating a sys file from scratch; more likely they are tricking users into thinking this is innocent.

One likely scenario planned by the malware authors is this: Victims may notice the suspicious file UpgraderUI.exe and the registry key, delete both, and think they have removed the backdoor successfully. Even if they see the file and the registry key coming back on each reboot, they will be unable to find any other suspicious files. Users will never suspect that the sys file is malicious or that imepaden.hlp is infected.

I don’t know whether these deception techniques really work, but you might want to add help files to your checklist if your machine is suspected to be infected. McAfee VirusScan with DATs 5861 or later detects and cleans these infected help files and backdoor files.
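One way to put help files on that checklist is to look for an executable image appended to them, which is how the post describes Muster.e storing its payload. The script below is an added example, not code from the post or from McAfee: it scans `.hlp` files for an embedded PE header (a DOS “MZ” stub whose e_lfanew field points at a “PE\0\0” signature, rather than a bare “MZ” string, which legitimate help text can contain) and flags Run-key values matching the “AutoPatch” name and “upgraderUI.exe” path given above. The WinHelp signature bytes, the sample help-file contents and the fake PE stub are constructed for the demonstration; the Run-key values are assumed to be supplied as a name-to-command mapping (for instance exported from the registry by another tool).

```python
import struct
from pathlib import Path
from typing import Dict, List, Optional

# WinHelp (.hlp) files begin with this 4-byte signature.
HLP_MAGIC = b"\x3f\x5f\x03\x00"


def find_embedded_pe(data: bytes, start: int = 0) -> Optional[int]:
    """Return the offset of the first plausible PE image inside `data`, or None.

    A bare "MZ" is not enough: legitimate help text can contain those two
    letters. We require that the DOS header's e_lfanew field (offset 0x3C)
    points at a "PE\\0\\0" signature inside the same buffer.
    """
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):  # room for a full DOS header
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def inspect_help_file(data: bytes) -> Dict[str, object]:
    """Classify one .hlp payload: is it a WinHelp file, and does it carry a PE image?"""
    pe_at = find_embedded_pe(data, start=len(HLP_MAGIC))
    return {
        "is_winhelp": data.startswith(HLP_MAGIC),
        "embedded_pe_offset": pe_at,
        "suspicious": pe_at is not None,
    }


def scan_help_files(root: Path) -> List[Dict[str, object]]:
    """Walk a directory tree and report every .hlp file carrying an embedded PE image."""
    findings: List[Dict[str, object]] = []
    for path in root.rglob("*.hlp"):
        result = inspect_help_file(path.read_bytes())
        if result["suspicious"]:
            result["path"] = str(path)
            findings.append(result)
    return findings


RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key values matching the names the post reports for Muster.e.

    `run_values` maps value name -> command line (assumed exported from RUN_KEY).
    """
    flagged = []
    for name, command in run_values.items():
        if name.lower() == "autopatch" or "upgraderui.exe" in command.lower():
            flagged.append(name)
    return flagged


# --- constructed samples (not real malware, not real help files) -------------
def _fake_pe_stub() -> bytes:
    """Build a minimal DOS header whose e_lfanew points at a PE signature."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)  # exactly 0x40 bytes
    return dos + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + b"\x00" * 20


CLEAN_HLP = HLP_MAGIC + b"\x00" * 60 + b"Help text about IME pads; nothing appended."
INFECTED_HLP = CLEAN_HLP + _fake_pe_stub()  # payload appended after the help data

if __name__ == "__main__":
    print(inspect_help_file(CLEAN_HLP))
    print(inspect_help_file(INFECTED_HLP))
    print(suspicious_run_entries({"AutoPatch": r"C:\Windows\upgraderUI.exe",
                                  "ctfmon": "ctfmon.exe"}))
```

On a real machine you would point `scan_help_files` at the Windows directory tree and compare any flagged file against a known-good copy; a PE image inside a help file is a strong indicator but the offset alone does not tell you what the payload does, so treat hits as something to submit for analysis rather than to execute.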

Hackers Disrupt European CO₂ Market

In recent weeks, various cybercrime attacks have disrupted the computer systems that allow nations to manage their national greenhouse-gas emissions quotas and their possession of carbon assets according to international agreements (the Kyoto Protocol and the European system). One quota is the right to emit the equivalent of one ton of carbon dioxide during a specified period.

The initial attack targeted the Danish CO₂ quota register that was shut down on January 12. The Danish authorities took this decision after registry users received a fake email purporting to originate from the Danish Energy Agency and redirecting the recipients to a mirror site to steal their credentials.

It seems the attackers renewed their attempt last week by sending similar emails to carbon financial services in 13 European countries. Here, too, the goal was the theft of usernames and passwords to gain access to the national CO₂ quotas management systems. This caused another quota-market closure.

Using these credentials, hackers, instead of manufacturers, governments, and brokers, would in theory be able to sell and buy quotas. During the past 18 months, fraud on the CO₂ market has caused a tax loss of €5 billion. Such access would also be useful for the biggest emitters of carbon dioxide; those countries could manipulate the international quotas to reduce their penalties. The following graphic, from Europol (the European Law Enforcement Agency), explains how such fraud can occur.

One thing is sure, the people behind these attacks cannot be simple hackers. They are likely in the pay of rogue states that reject rules-based international trade.

Protecting Privacy by Design

This guest post was written by Benjamin Edelman, Assistant Professor at Harvard Business School and an advisor to McAfee.

Last week I revealed troubling transmissions by the Google Toolbar: Even when a user specifically “disable[s]” the Google Toolbar, and even when the Toolbar disappears from view, the Toolbar continues tracking users’ online behavior—including specific web pages visited and specific searches run on other search engines. To Google’s credit, after I posted my article Google promptly fixed these nonconsensual transmissions—but big questions remain. How did this bug slip through Google’s internal testing? What happens to the data Google collected without user consent? And why was Google collecting this data in the first place?

Rethinking Disclosure
I’ve recently begun talking to all the Google Toolbar users I can find. Checking their PCs, I see that they usually have Google’s “Enhanced Features” turned on—meaning Google is tracking their every page view and every search. But they usually don’t know about that tracking. Why not? They were told—but not in a way they understood or remembered.

For one, Google discloses its tracking in a “bubble” pop-up that appears immediately after Toolbar installation. By all indications, the installation is complete, and users just want to get back to work—not answer more questions or make more decisions. This suggests a first principle: Seek consent when users are inclined to make an informed decision. This should be an integral part of an installation, not an afterthought.

Beyond the timing of disclosure, the substance of disclosure is also crucial. Google’s current installation says Enhanced Features will “tell us [Google] what site you’re visiting by sending Google the URL.” What exactly does that mean? Will Google track “sites” (such as “nytimes.com” for the New York Times) or “URLs” (referencing specific articles and searches)? Remarkably, Google’s disclosure is internally inconsistent: Google uses the terms sites and URLs interchangeably, when in fact the concepts are quite different. Certainly that’s improper. Disclosures should be clear, precise, and entirely accurate.

Communications professionals have expertise to offer. To make a disclosure clear, it should appear in a dedicated screen with a title, layout, and format that emphasize what’s important. Headings, topic sentences, and sentence structure can help users understand. How does Google stack up on these fronts? Unfortunately, Google seeks permission for Enhanced Features in a screen entitled “Introducing Sidewiki”—a marketing pitch for a new feature, hardly alerting users to the serious privacy matters that follow. Better alternatives would be “Important Privacy Decision” or “Set Your Privacy Preferences”—identifying the crux of the question and introducing the material that follows. This crucial screen should seek to inform, not to persuade. Most of all, it should be designed by policy professionals and communication professionals—not marketers.

A user seeking more information should be able to review a further document with appropriate details. Here, too, accuracy and precision are crucial, and Google’s current approach falls crucially short. Google’s statement makes no mention of these Toolbar transmissions until Page Five. Even there, Google’s text contradicts itself, both explicitly and through unavoidable interpretation of Google’s statements and omissions (details). Equally striking is Google’s defective formatting: Google loads its privacy notice in a browser window with no menu or toolbar—hence no ability for users to copy, search, save, or print these important materials. These design decisions are ill advised. Disclosures should be user friendly and should encourage users to take the time to understand them.

For these sensitive transmissions, which continue every time a user runs a web browser, disclosure need not occur just once. When a program has such important privacy consequences, it should remind users of its effects from time to time, employing an alert or message to make sure users are still onboard. A periodic reminder—perhaps once per quarter, or whenever Google Toolbar auto-upgrades to a new version—would help users remember what’s installed.

Improving the Substance of Privacy Protection
Good privacy means more than disclosure. Through sensible adjustment of data collection and retention practices, software developers can dramatically reduce the privacy implications of their services.

For one, companies should reexamine what data they collect in the first place. Do many users actually want the features purportedly justifying detailed tracking? When it comes to Google Toolbar, I have my doubts: I don’t think many users want to know page-level PageRanks. Nor does Google Sidewiki feature a quantity or quality of comments sufficient to justify the significant privacy intrusion. My guiding principles: Provide genuine value, and put users’ interests first. Collect data only when there is a compelling immediate reason, in the user’s personal interest, to do so. An amorphous benefit, such as improving service or building a community, is not good enough.

Systems should transmit as little information as possible to satisfy a user’s request. Consider two alternative approaches to tell a user the PageRank popularity of a site. In a first system, the user’s computer sends a server the full URL of the user’s request, and the server returns the PageRank of that specific page. Alternatively, the user could send just the domain name at issue, and the server could return a list of popular URLs and PageRanks on that domain. With the right system of wildcards and aggregation, the latter approach need not use much more bandwidth, and it’s a modest and reasonable increase in complexity. But the privacy benefits are dramatic: In the first system, the server learns each user’s every page view, whereas the second keeps specific page views confidential.
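The two designs in the paragraph above, written out as an added example (not code from the post, from Google, or from the Toolbar): a tiny rank server that records exactly what each request reveals, a client that sends the full URL, and a client that sends only the host and does the wildcard matching locally. The rank table, the URL patterns and the scores are constructed for the demonstration; wildcards are plain glob patterns, and the most specific pattern (fewest wildcards, then longest) wins.

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed rank table: a few URL patterns per host with made-up scores.
# A wildcard entry lets one row cover a whole section of a site.
RANK_TABLE: Dict[str, int] = {
    "https://example.org/": 7,
    "https://example.org/news/*": 5,
    "https://example.org/blog/2010/*": 4,
    "https://example.org/*": 3,
    "https://other.example/*": 2,
}


def best_match(url: str, candidates: Iterable[Tuple[str, int]]) -> int:
    """Pick the most specific matching pattern: fewest wildcards, then longest."""
    ordered = sorted(candidates, key=lambda pr: (pr[0].count("*"), -len(pr[0])))
    for pattern, rank in ordered:
        if fnmatchcase(url, pattern):
            return rank
    return 0  # unknown page or host


class RankServer:
    """Server side. `seen` records exactly what each request reveals about the user."""

    def __init__(self) -> None:
        self.seen: List[str] = []

    # Design 1: the client sends the full URL; the server learns every page view.
    def rank_for_url(self, url: str) -> int:
        self.seen.append(url)
        return best_match(url, RANK_TABLE.items())

    # Design 2: the client sends only the host; the server returns that host's
    # patterns and never learns which page triggered the request.
    def patterns_for_host(self, host: str) -> List[Tuple[str, int]]:
        self.seen.append(host)
        return [(p, r) for p, r in RANK_TABLE.items() if urlsplit(p).hostname == host]


def client_rank_design1(server: RankServer, url: str) -> int:
    return server.rank_for_url(url)


def client_rank_design2(server: RankServer, url: str) -> int:
    host = urlsplit(url).hostname or ""
    patterns = server.patterns_for_host(host)  # one fetch per host, cacheable
    return best_match(url, patterns)           # matching happens on the client


def compare_designs(url: str) -> Dict[str, object]:
    """Run both designs for one page view and report what each server learned."""
    s1, s2 = RankServer(), RankServer()
    return {
        "rank_design1": client_rank_design1(s1, url),
        "rank_design2": client_rank_design2(s2, url),
        "server1_saw": s1.seen,
        "server2_saw": s2.seen,
    }


if __name__ == "__main__":
    print(compare_designs("https://example.org/news/2010/02/some-article.html"))
```

Both designs return the same score for the page, but the first server's log holds the full article URL while the second holds only `example.org`. The second design still reveals which hosts a user visits and, per host, the list of patterns the server publishes, so it reduces rather than eliminates what the server learns; caching the per-host list on the client cuts both the bandwidth and the number of host lookups the server sees.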

Finally, companies should limit data storage and its use with specific, firm commitments. Key questions: How long will data be retained? Who will have access and for what purposes? Although these questions sound obvious, they’re easy to overlook. Tellingly, you won’t find answers in Google’s Toolbar Privacy Policy, and even Google’s main Privacy Policy is silent on key details.

The Big Picture
My basic goal: Build privacy into the system. Collect less data, and collect data only when it’s actually in the users’ interest. Make sure users truly know what they’re accepting and why. Treat privacy protection as a valuable objective in its own right, not merely a hurdle standing between a company and a desired business opportunity. This may be tough medicine for those who seek to profit from tracking users in ever-greater detail, but it’s the right thing to do.

Dave Marcus: Ready for an Oscar

As a rule, we don’t do product plugs on this blog for obvious reasons. This is the place for research and data on threats and responses. But we’re going to make an exception to bring you a video from Dave Marcus, the guy who keeps the McAfee Labs blog running, and runs a couple dozen other things besides.

The charts. The glasses. The necklace. The patent wall. The hair! (Sorry ladies, he’s taken.)

Now we return to your regularly scheduled data feed. That is all.

McAfee Labs Quarterly Threat Report Posted

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware, including fake security software, attacks on social networks, and AutoRun USB infections, continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat reader.

A full copy of the Q4 2009 Threats Report is available here.

Valentine’s Day Searches Lead to Malware

5, 4, 3, 2, 1…malware!

It’s like clockwork, ain’t it? A popular holiday, such as Valentine’s Day, approaches, and malware authors and cybercriminals get ready for it.

I have done some Valentine’s Day searches for poisoned terms and found some nasty ones very quickly. Screensavers and ecards are always popular:

Valentine ScreenSavers

Valentine eCards

Even Rolex watches on Valentine’s Day are not safe:

Valentine Rolex

Some of the poisoned terms I have seen today:

Valentine’s Day Screensavers
Valentine’s Day Downloads
Valentine’s Day Wallpaper
Valentine’s Day Rolex
Valentine’s Day eCards
Animated Valentine’s Day
Valentine’s Day Greetings
Valentine’s Day Cupids
Valentine’s Day Gift Ideas

Make sure you surf safely with SiteAdvisor and keep that machine updated!

On Olympics, St. Patrick’s Day, Screensavers, and Wallpaper

The combination of search engine optimization with sporting and holiday news continues to fascinate me. Oh, and did I mention malware and malicious websites? They always make for interesting bedfellows.

The Olympics have been getting massive coverage, of course, and St. Patrick’s Day is just around the corner. We can count on these events to provide cybercriminals with plenty of search engine manipulation possibilities and social engineering lures.

I ran a few basic Google searches and got pretty much what I expected: malicious sites and malware links. Starting with some basic Olympics-based searches, first for Olympic Games Wallpaper:

Malicious Olympic Wallpaper Search

For this search three of the top five results lead to malicious links (not good). The next search moved onto Olympics-themed screensavers (which historically are heavily abused):

Malicious Olympic Screensavers

In this case two of the 10 results on the first page lead to malicious websites–actually less than I expected. But look what happened when I added the word download to my search:

Malicious Olympic Screensaver Download Search

In this case five of the 10 results on the first page were now malicious or questionable. Quite interesting. When I added an “s” to “download,” my results “improved” to six malicious entries!

Next I moved on to the theme of St. Patrick’s Day for wallpaper and screensavers. Lo and behold, just about the same types of results:

St Patrick's Day Wallpaper Search

Just shy of half the results on the first page lead to some very nasty sites indeed for wallpaper. Next I also searched for themed screensavers:

St Patrick's Day Screensaver Search

Again, just about half the results on the first page lead to malicious links. That’s not surprising but certainly not good. Just remember this trend: news, sporting events, and holidays are common abuse targets for cybercriminals. Be suspicious when searching for info in any of these areas (and in many others). Safe-searching technologies such as SiteAdvisor are more important than ever.

Today’s cybercriminal is smart and prepared. Let’s all be smarter and better prepared.