The announcement of Michael Jackson’s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett’s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson–blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We’ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we’ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story–with much the same results.

With the current news about the deaths of Farrah Fawcett and Michael Jackson, it’s a good idea to remind our readers to beware of blackhat attempts to distribute malware to anyone looking for news.

Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it. The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to websites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!

But another way to attract visitors looking for news is a technique known as search engine optimization (SEO for short, see more here). Blackhats use SEO to inflate search engine results in an attempt to put their results on top of the list and drive more users to fake websites offering “more information” about the current trendy news. When the users click on the fake links, they are susceptible to any kind of attack, spyware or malware installation, or information theft.

A good way to protect against this kind of attack is to use our SiteAdvisor tool, which can be downloaded for free at this site: http://www.siteadvisor.com/. It will help you identify potentially malicious links on your search results.

And again, repeat with me: No, that email will NOT show you pictures of Michael Jackson’s body; it will just install malware on your machine.

With the advent of Web 2.0, social networking websites have become an easy target for online fraud and other identity scams. Lately, we have seen Twitter being used to phish out personal information, as well as MySpace scams and Facebook spams.

With more than 15 percent of the traffic from India, Orkut is perhaps the most popular and widely used social networking website in the country. Phishers have come up with an elegant approach to social-engineer the not so tech-savvy users on Orkut. They have updated the user profiles of several thousands of compromised Orkut accounts, which now link to various phished websites. These lure visiting users into divulging their personal information.

Various phished websites claim to be the “adult” variant of Orkut. The “Orkut Sex” site has been very successful in luring several thousands of Orkut users into entering their credentials into this fake website. The attackers use the harvested details to steal other personal information for monetary gain.

We have observed scores of websites being used in this phishing attack. Here are a few of them:

• http://orkutsexlogi[blocked].tk
• http://s3x[blocked].kilu.de
• http://orkutst[blocked].tk
• http://album[blocked].kilu.de
• http://priya[blocked].freehostia.com

If you have read this far, I probably don’t need to remind you to look carefully before you enter your personal details on the web. Always make sure that you are safe and protected–and keep away from the rip-offs.

Most every day I see AutoRun worms such as this one. You may know the kind, the worms that are designed to replicate onto removable drives. There is certainly no shortage of these little monsters.

Often the worm, although problematic itself, is just the harbinger of potential doom. More malicious malware obtained by these worms can lead to full-blown havoc–or, at a minimum, a very bad day.

So I was thinking of potential new vectors when it hit me–there are a few right under our noses that some people just might overlook. A kind of “can’t see the forest for the trees” scenario.

Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?

A) Most USB devices that you can plug into your computer that have storage

If you answered A, you’re right! (That wasn’t hard, was it?)

How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication.

How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”

Now, the truly paranoid (or truly cautious?) administrators have been known to swab glue into the USB connectors so that they seal off access completely. This may not be the best way to solve the problem (think disabling AutoPlay, up-to-date antivirus, enabling a firewall, etc.).

But going down the road to prevention, however, is not the point I’m trying to make. There is already a myriad of advice on the Internet for that. All I am trying to say is that the spread of AutoRuns can go beyond the USB drives we all use to conveniently move stuff around. Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.

Hopefully, you do already think about these devices as a legitimate way to pass along a worm. In that case, maybe the most you got out of this little blog was some lighthearted entertainment (or at least a break from whatever you were doing).

If you haven’t thought about this vector, though, I urge you to start now and to proceed with caution the next time you are going to offload and share that video, or grab the latest hit song.

That way you can say, “Hold the side of ‘autorun.inf’ with my music, thank you very much.”

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next this malware sends the information to a remote SQL database. Nothing new to see here because password-stealing trojans have been around for several years, but what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware.

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.

Yes, it is just another password-stealing Trojan. No need to get too excited. And, yes, we already detect this malware–as PWS-Banker.gen.i.

Yesterday, we came across to a new variant of a rogue security program. This one is called Malware Doctor, and we detect it as FakeAlert-D Trojan  with our DAT 5635.

The new variant comes from the following web pages:
hxxp://internetware-sa{blocked}.com/
hxxp://mal-ware{blocked}.net

As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.

We also noticed some new features in Malware Doctor. Once installed, it performs a system scan:

Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.

Unlike many rogue security programs, which displays excessive fake alerts, this version of Malware Doctor reports only few detections so users will not be very suspicious of it.

Once this Trojan detects a supposedly malicious file, it will pop up a message:

This Trojan even makes use of McAfee’s malware naming convention:

This Trojan also displays information of supposedly known viruses whose information is taken from McAfee’s Virus Information Library.

As of today, the malicious website hosting this Trojan makes use of another AV vendor’s malware naming convention. However, the installer for this Trojan no longer exists on the Trojan’s website.

Affected VirusScan users may remove this threat using the latest DATs and engine.

Keep your AV signatures up to date!

Today we at McAfee Avert Labs released an excellent paper on browser attacks. Written by Christoph Alme, this paper deals with the many complexities of browser security and attacks. From the paper:

Web Browsers: An Emerging Platform Under Attack
“The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success. ”

Other areas the paper covers include:

• The shift in spam to mainly malicious web link usage

• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites

• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website

• Use of malicious video banners placed in advertisement networks

• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site

Download the paper in its entirety here.

Today we released our Spam Report for the month of June. In it we discuss two key findings:

President Obama’s First 100 Days of Spam
Although you might imagine the change of administration in the United States would have a major impact on the Internet, the first 100 days of Obama’s presidency were mostly business as usual in the spam world.

Identifying Spam Trends of the Future
Even though we’ve been told to avoid clicking such links to prevent spammers from learning who we are, many of us forget to be vigilant because the overall detection accuracy of anti-spam products has improved. Recipients may instantly distrust an executable attached to an email, but they often feel unthreatened by a short blurb and a URL.

What does the future of spam hold for us? Spam is all about making money and, as with most businesses, spammer CEOs need to worry about costs and their bottom lines. As long we continue to behave as suckers, spammers will use sophisticated tactics to separate us from our money. Download the full report here.

It is ironic, but the rapid growth rate of malware attacks is partly due to how successful AV technology has become. If AV scanners were not so successful in blocking Trojans and viruses, there would be little need for the bad guys to write new ones. One can even say that malware writers are digging an elephant trap for all computer users because lots of new malware demands a response from AV, which can contribute to the slower operation of computers for all of us.

Figuratively speaking, the primary tools that the bad guys are using to dig their side of the trap and evade detection are packers (like UPX and Petite) and protectors (like Armadillo and Themida). Packers are legitimately used to reduce the size of programs (saving disk space), while protectors are legitimately used to prevent patching, hacking or reverse engineering. For malware production, however, packers and protectors are useful as they can often obfuscate original malware beyond recognition by AV.

Commercial protectors are especially loved by malware writers because they can put a protective envelope on top of, say, their spam-bot and it will be well hidden inside. Additionally, it will now really look more like a legitimate file obfuscated with the same protector. Malware writers use this trick more and more frequently.

As a result, on any average computer, AV can frequently encounter, say, a Themida-packed computer game and a Themida-packed spam-bot. To determine what is what an AV product has to know what is “under” the protecting envelope. Unfortunately, this simply cannot be done very quickly. It takes computing cycles…..

We would urge all developers who use software protection to think twice before doing so. There is an increasing risk that your legitimate files will be blocked by AV software by mistake or that there will be an unpleasant slowdown due to long analysis. Either can cause troubles for users. If you feel that you really must use an obfuscating protector at least digitally sign your files. That would reduce the level of suspicion by introducing traceability to the source.

The point is that software protectors are just not a secure software technology any longer because they have been misused so much. Do not use it if you can avoid it.

A distributed denial-of-service (DDOS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week.

Baofeng is a widely popular media player in China, with a total of 200 million users and several million users online simultaneously. The player starts when Windows boots and connects to Baofeng’s online server; then it’s designed to send DNS queries to DNS servers to get the IP addresses of different online servers until it gets an answer. Because of its massive number of online users, it would be a powerful DDOS attack tool if all online Baofeng programs were to send continuous DNS queries at the same time, especially if the authoritative DNS server could not answer the queries.

Several DNS servers of DNSPod (a Chinese domain service provider and registrar) were hit by a DDOS attack on the night of May 18. These DNS servers became inaccessible. The assault was meant to be a targeted attack against one company, but one of the customers of DNSPod is Baofeng.com, whose authoritative DNS server was the server under attack. Because of a design flaw in Baofeng’s media player, all online Baofeng programs started continuously sending DNS queries after the DNS responses previously cached by other servers timed out on May 19. The massive number of DNS queries flooded the network of China Telecom (one of the biggest ISPs in China). As a result, users in parts of China were unable to access websites.

The initial DDOS attack that targeted a specific domain registrar now transformed into a DDOS attack on almost all DNS servers in China, so we can see how a bad design in a program “helped” the attacker(s) amplify the attack.

Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

Stories about intruders who damage the power grid or any other key SCADA infrastructure frequently make the headlines. In the past, and like in Mexico in 2007, extraterrestrial creatures and flying saucers were occasionally blamed.

Since then, our enemies have changed. The Wall Street Journal reported in April that a federal audit of critical infrastructure facilities in the U.S. power industry had been compromised with software that would allow the attackers to disable key elements of the national power grid. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a U.S. senior intelligence official said on the occasion. One year ago, the CIA claimed that a cyberattack had caused a multicity power outage at an unspecified location outside the United States. The CIA story broke on May 14. It’s rumored that Hydro-Quebec was also a target of cyberspies.

Last week, I discovered a video posted on YouTube in November 2008.
We can see two guys hacking a central light system and then playing space invaders on it!

I have some doubts about the technical aspects of these light-show “attacks” on unprepared buildings. But fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed under less secure operating systems (Windows), are connected to other networks (including Internet), and cannot be easily updated and rebooted.

For SCADA, which typically allows only a closely defined list of applications to run, a security approach that includes whitelisting can be a good solution. McAfee’s recent acquisition of Solidcore will help our customers in this area.

Today we launched a new web film series, entitled “H*Commerce: The Business of Hacking You.” The film series was created to expose cybercrime as a serious and universal threat that can no longer be ignored. Several of our own Avert Labs researchers lent a hand and their big ol’ brains to the project!

The term H*Commerce (or Hacker Commerce) is defined as the business of making money through the illegal use of technology to compromise personal and business data. Starting today, a new episode will be posted every two weeks here until all six episodes have aired.

The project was originally conceived as a series of standalone episodes, each focusing on different aspects of cybercrime: such as phishing, denial-of-service attacks, online scams, bank scraping, and fraudulent emails. As the filmmakers dug deep into the experience of H*Commerce victims, they realized the film’s focus had to be on the complex stories of real people doing normal online things, only to be horribly violated by ruthless cybercriminals.

Seth Gordon, director of films such as the 2008 theatrical release of “Four Christmases,” and the documentary “The King of Kong–A Fistful of Quarters,” was hired to direct “H*Commerce: The Business of Hacking You.” As Gordon began the research phase of the film, he identified an Oregon woman named Janella Spears, who was a victim of one of the largest and most elaborate email scams on record.

Spears’ story of losing more than $440,000, and the dire effects it had on her family and marriage, became the central theme of the film series. Over the course of the filming, Chris Roberts, a third-party cyberforensic expert, was introduced to Ms. Spears to provide advice on how to clean her system, handle the hackers, and help put an end to the cybercrime scams.

Watch, learn, and arm yourself with knowledge. Check it out at Stop H*Commerce.

In March 2009, we notified our customers on a new variant of the infamous Vundo trojan family which we detected as Ransom-F and raised its risk assessment to a Low-Profiled threat.  It was possibly the first indicators of a shift in the FakeAlert criminal model from instilling fear, to holding information technology resources for ransom but certainly not the last.

Last week, we came across to a new variant of a rogue security program branded by its creators as “System Security 2009″ and detected them as FakeAlert-CO, and some of its past similarly branded cousins as FakeAlert-SystemSecurity.

The updated variants were discovered from a web page hosted on trustedw{blocked}security.com.As most other rogue security programs to date, FakeAlert-CO displays spurious alerts and making fraudulent claims of infections that requires the user to pay a fee to “repair”. Following the trend of Ransom-F, we noticed “new features” in FakeAlert-COthat resembles some common characteristics of ransomware trojans.

Once installed, FakeAlert-CO may either terminates all running user process or prompts the user to reboot.

In either cases, it follows to pretend to perform a system scan and report detections of false and exaggerated threats.

What differs it from older variants, is that the user will no longer be allowed to open or execute any applications including Task Manager, Command Prompt or other system and office applications which are terminated by FakeAlert-CO. A message is displayed to the user to indicate that the files are infected and to resolve the issue, the user must activate FakeAlert-CO at a cost.

The “product” website is made to look fairly professional offering an option to purchase a 2-year license, or lifetime support license at a “discount” and even comes with 30-day money back guarantee!

You may be paying for the “best” possible support option, but you can’t trust a “product” that holds your system for ransom.

Uninstalling the System Security “product” will not be an option for the typical user, as there is neither an uininstaller function nor will the “Add or Remove Programs” in the control panel be allowed to be opened via the usual means.

However, the reported infected files are intact, and are not modified in any way. If the user boots into Safe Mode, FakeAlert-CO is not started automatically and system tools and applications can be executed and accessed normally.

Affected VirusScan users may remove this threat using the latest DATs and engine.

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009″ here.

On April 30, an exploit targeting a zero-day vulnerability in the Baofeng media player was published on the Internet. The proof-of-concept exploit had more than enough details for others with malicious intent to create more malicious variants.

Baofeng is a widely popular media player in China, and it plays many common media file formats. May 1 to 3 was the May Day weekend in China. One can imagine many Chinese users surfing the net or searching for their favorite video clips could be hit by this vulnerabililty during the holidays.

Because this vulnerability exploits an ActiveX component, attackers may inject malicious code via common means such as SQL exploits, or they can simply upload malicious web content onto certain websites. Once users browse these web pages, attackers may execute arbitrary code on the users’ computers via the flawed ActiveX component.

Currently, the vendor has confirmed this flaw and the following versions are reportedly affected by this vulnerability:

•  Build versions: 3.09.03.30，3.09.03.25，3.09.04.17，3.09.04.27.

A patch has been released for this vulnerability. Affected users should immediately contact the vendor for the security update.

McAfee VirusScan has proactively detected this exploit as the JS/Exploit-BO.gen Trojan since as early as the 4679 DATs (January 20, 2006).

Today I came across a program that claims to be an installer for the VLC media player. Innocent, right? Guess again. For starters, the installation file was different from that supplied by the legitimate VLC media player site.

At Step 3 of the installation I saw this dialog box:

The translation of the message from French is, “HELP US IMPROVE OUR SERVICE. To obtain your activation code call [number removed]. To receive your code in SMS send the keyword CODE to [number removed].” This is a case of SMS fraud!

As usual, we shouldn’t install programs from sources that we don’t trust. In our case, we know from Step 3 of the installation that we’re dealing fraudsters. So why continue with the installation?

We detect this Trojan as Ransom-E, updated in the 5597 DATs.

LuckySploit is an exploit framework that’s been in the news recently. As drive-by-downloads go, it lurks behind iframes and foists malware upon unsuspecting users.

One LuckySploit attack we analyzed downloaded the FakeAlert-BY Trojan. So if you visited a Web site today then saw this…

… then you are, unfortunately, infected with FakeAlert-BY, and possibly thanks to LuckySploit.

We detect the LuckySploit downloader as JS/Downloader-BNL in the 5580 DATs, to be released on April 10. We’ve had detection for FakeAlert-BY  since the 5545 DATs, released on March 6.

Please update your AV signatures and stay secure!

Microsoft recently reported a new worm found to be exploiting the MS08-067 software flaw in the wild.  Even though our products already detected it generically as W32/IRCbot.gen.a, we decided to take a closer look and make sure we proactively detect all components that the worm might be dropping or downloading.

When run, W32/IRCbot.gen.a copies itself to <system folder>\netmon.exe.  It then drops a rootkit as <system folder>\drivers\sysdrv32.sys (MD5: 0e219b74e2c68a34ca09d8fe114f6d11) and hooks the Windows tcpip.sys driver to remove the outbound connection limits in Windows XP Service Pack 2 and newer. We successfully detect this rootkit as Generic Rootkit.g trojan.  It then follows to establish an outbound connection with a remote IRC server using following credentials:

• PASS h4xg4ng
• NICK [00-USA-XP-9215671]
• USER SP2-ojd, followed by the name of the infected computer.

This worm exploits the MS08-067 vulnerability indeed, and uses a download-and-execute shellcode which behaves in an identical fashion as Conficker’s exploit, with only some differences in implementation. It is encoded using a simple 1-byte XOR key and looks like any other standard PEB shellcode which loads API libraries (i.e. urlmon.dll) and executes URLDownloadToFile() to download malware from already infected systems into new targets. Unlike Conficker which injects a downloaded DLL into running Windows processes, this worm downloads and installs a 66.scr executable file instead.

As mentioned, the Conficker worm uses an exploit derived from the “ms08_067_netapi” Metasploit module to spread itself.  The Metasploit framework has become a popular platform for security tools development and automation. As we can see, the latest version of Metasploit is not only used by whitehatsfor vulnerability assessments and penetration testing, but also for malware development. The W32/IRCbot.gen.a worm is not an exception, it has remote language detection taken from Metasploit’s “smb_fingerprint()” routine implemented in the “smb.rb” module, as well as dcerpc service connection testing code located in the “client.rb” module. By using these routines,  new worm can conveniently determine which operating system and service pack it is targeting to achieve a better infection success rate. The way how W32/IRCbot.gen.a ordered the attack packets is identical to Metasploit’s MS08-067 module  (ms08_067_netapi.rb):

Both Conficker and W32/IRCbot.gen.a uses open source tools similarly to their advantage to make their work much easier.

We went on to investigate additional sites where the worm is connecting to and the payload that it is trying to download. Packet sniffer logs shows that it accesses at least two other remote servers:

• hxxp://98.1[infected].42:443/n
• hxxp://74.2[infected].90:88/jueo.exe

While the first server is not showing any technical activity at the time of research, the second server is still active and hosts additional malware that is installed into infected machines:

Well, hello Donbot ! Upon investigation, the downloaded malware (MD5: 916DB2E2C2D1ED7AF89DD8EBB9C7D84C) detected generically as Generic.dx appears to be a component of an active botnet called Donbot (also known as Bachsoy). Components of Donbot typically create a proxy on infected machines and may be used to relay spam and HTTP traffic. Except for a few, most AV vendors seem to have detection for this malware.

Until recently, Donbot has been a relatively minor player in the lucrative spam business, but it certainly looks like the Donbot authors have decided to expand the potential of their botnet . While other botnets - namely Cutwail and Rustock continue to dominate the distribution of spam, Donbot is making an eager attempt to get a bigger share of the spam revenue pie as one of the top 5 most active botnets worldwide. Clearly, worm authors are focusing on growing their botnets as they might not get another chance like the MS08-067 exploit in a long time.

This would also serve as yet another reminder that there could well be many computers on the Internet that are still not installed with the latest security updates - more than 5 months since the release of the MS08-067 patch.

Have you ever read an article on the web where you just had to Google a certain term or phrase to learn more about it, or even just to satisfy your own curiosity? The answer is likely yes, and it’s probably a frequent occurrence. That’s what malware distributers have figured out. Here’s an example. A news article about disgraced financier Bernard Madoff made mention of his 55-foot yacht; a 1969 Rybovich. Wow, I bet that’s a spectacular yacht. If you wonder what one looks like, perhaps you might do a quick search for “1969 Rybovich.” One may think such a casual search would be harmless. Think again. It turns out Malware distributors have honed in on the yacht phrase and the top Google results are malicious URLs. We first noticed this on the evening of April 1 when we first read the story and were curious - and our first take was “Wow, they are fast”.    We watched the evolution of the number of google results that presented malware over the course of April 2. The last we checked - even one of the blogs off of my.barackobama.com was utilizing this yacht to lure users.

The search results don’t look so threatening, but if you are to click on the first few URLs, you’ll find differently. Each of these URLs is a rouge anti-virus URL that will distribute malware. Here are a couple of examples…

These two examples should arouse suspicion by now, especially if you’re looking for yachts, but anyone acting in haste, or succumbing to further curiosity will be taken to the malware delivery upon clicking where prompted, and frequently it’s already been delivered even if you don’t click.

This example is quite typical of what you’ll see next when you click, a fake malware scan that delivers the malicious goods. It looks just like an MS scanner!!!

So what about that 1969 Rybovich? What about further curiosity based Googling? Next time you find yourself conducting such a search, do so with caution. Consider if the search result URLs all look similar. In this case, that is first red flag of caution. When you click to go to a link; does the content look like what you expected or is there some unexpected prompt to click? This is red flag number two. One shouldn’t even proceed onto red flag number three to see the fake malware scan. Already you’re taking a dangerous path that is not going to show you anything about Madoff’s yacht.

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detects this threat as Exploit-PPT.k trojan using the 5573 DATs to be released on the same day. 

As with most other document exploits, these PowerPoint files install malicious trojans in the background but displays an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

• fssm32.exe: 428,032 bytes (Muster.c trojan)
• IEUpd.exe : 45,056 bytes (Muster.c trojan)
• setup.exe : 13, 1072 bytes (Muster.c trojan)
• PeerCM.exe : 80,666 bytes (Generic BackDoor.u trojan)
• ws2_42.dll :10,6740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Showfiles with the “.pps” extension. Such files typically opens in full screen mode and hides the  applications running on the desktop such as system monitoring tools that could give any clue to the dodgy installation of trojans to the victim.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

A lot has already been written about Conficker. There had been excellent analysis reports published by SRI, The Honeynet Project and others. Vinay Mahadik and I would like to present some findings on the network aspects of the Conficker.C behavior. 

We setup a small testbed that had a machine infected with Conficker.C in a controlled environment; and another Linux box that was customized for packet mangling. This enabled us to intercept or mangle the packets exchanged between the infected machine and the outside world. We monitored the activity of the infected host over several days. We classify the test into two phases: Pre- April 1st and the April 1st phase.

During the Pre- April 1st phase we observed the following.

Conficker.C gets the current time from some of the popular websites. This involves sending a DNS query to the name server to resolve the IP address of the website which is followed by a HTTP GET request to that IP address. The below figure illustrates an attempt made to craigslist.org:

Conficker.C also sends UDP and TCP probes to locate its peers. We observed fairly aggressive and simultaneous UDP & TCP scans. The volume of the UDP scans was particularly high - roughly 2-3 UDP queries per second and seems to taper down as we got closer to April 1st. As most of the randomly generated IP addresses were not live or did not have the targeted ports opened, there were a large number of ICMP messages received – port unreachable , host unreachable, time-to-live exceeded.

“April Fooling Conficker.C”

In the April 1st phase, we intercepted and manipulated the HTTP date check query responses, so that for every website that Conficker.C queries, it gets a response with a date stamp of April 1st, 2009. The local system time was also set to April 1st. By controlling the only 2 date check sources, we managed to fool the malware into thinking it was indeed April 1st! Soon after, we observed numerous DNS queries for the generated domain names.

There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.

Vinay Mahadik reverse engineered the 95+ conversations, across some 50K+ UDP peer discovery packets, and found some patterns in both the requests and responses. These patterns are valid for both the pre- April 1st and April 1st UDP scans. Based on this, we have incorporated a new heuristics into our latest Network Security Platform Signature set 5.1.16.15, or 4.1.46.16.

McAfee Network Security Platform (Intrushield) customers can observe the following alerts.

• WORM: W32/Conficker.C Activity Detected
• HTTP: Suspicious Time Check Detected

The figure below illustrates the alert viewer drilled down by a Source IP that has generated the “WORM: W32/Conficker.C Activity Detected ” alert.

 (Both Vinay Mahadik and Ravi Balupari have contributed to this research blog)

Hello, it is now April 1st for at least Asia Pacific and Europe. We’ve been blogging and posting various resources about ways to protect against the Conficker worm up to its “activation day”:

•  “More Comments Regarding Conficker“
•  “W32/Conficker: Much Ado About Nothing?“.

The day has finally arrived.

McAfee Avert Labs has been closely monitoring Conficker-related threats and, we haven’t observed any significant activities on the domains that it is polling for thus far. Even so, please remain vigilant and watch this space for any further updates to the current status.

On measures to protect yourself and your organisation against Conficker, please visit:

• http://www.mcafee.com/us/threat_center/conficker.html

In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms have turned out to be only damp squibs.

What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.

What we do know is almost all the security vendors have thoroughly analyzed Conficker–also known as Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.

Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

You already know that malware changes registry keys to take advantage of the autorun capability when systems and applications start. The registry keys we often see for this purpose include:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Current Version\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Legit_program]\Debugger
HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32

Recently, we noticed that the Lando Trojan uses a different registry to load its malicious code into Internet Explorer. By dropping a fake sound driver (wdmaud.sys) into the %system32% folder and by adding the registry key HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2: “%system32%\wdmaud.sys,” the malware author injects malicious code into the iexplore.exe process. When the user launches Internet Explorer, the attacker hijacks Google search.

How can you distinguish the real sound driver from the fake? The legitimate wdmaud.sys is a component of Microsoft’s WDM driver or WINMM WDM Audio Compatibility driver. You’ll find it in the %system32%\drivers\ folder. It is about 84KB and includes complete version information.

Meanwhile the malicious wdmaud.sys is located in the %system32%\system32 folder. It is only about 22KB and has no version information.

By comparing their file properties, you can easily tell the difference. But, as always, be careful when deleting the malicious wdmaud.sys or other suspicious files. You don’t want to trash the legitimate driver.

When I wrote a scanner plug-in this week for an old directory traversal vulnerability–CVE-2008-4419–I wondered whether there are vulnerable HP LaserJet printers online that can be controlled from the Internet. To find out, I used Google. The search listed almost 50 results, and I found that almost all of these printers are not patched, even though HP has provided firmware updates to resolve this vulnerability. An attacker could leverage this unicode-encoded directory traversal vulnerability to read configuration files or cached documents, and gain read access from the Internet to important internal information.

Usually administrators ignore the security of printer devices. They may think there is no harm even if the printer can be controlled remotely by an attacker.

The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers.

So please harden your network gateway or firewall to restrict access to these devices. Don’t give everyone on the Internet a chance to use your printer, and patch the vulnerable LaserJets to prevent the potential information disclosure.

To download the HP firmware updates and upgrade instructions, click here.

McAfee Avert Labs will now produce more detailed documentation on prevalent threat families. The “Combating Threats” document series is designed to arm security staff within organizations with more information concerning prevalent threat families as well as to provide additional mitigation steps that can be taken. The first two documents in this series, “W32/Virut Family” and “Finding W32/Conficker.worm,” are now available via our blog, prior to our “Combating Threats” web page going live.

UPDATE MARCH 17th

Apologies for the busted links yesterday. All seem to be resolving fine now.

For years, the Japanese word processor Ichitaro has been attacked by malware authors exploiting flaws in the application. So it is no surprise that in the last week we discovered in the wild specially crafted Ichitaro document files exploiting a new vulnerability.

This time, the crafted file (detected as the Exploit-TaroDrop.g Trojan) drops and runs the Generic Dropper Trojan, which is responsible for dropping the BackDoor-DNW Trojan. The last attempts to connect “lightsut.com:80” and opens a backdoor to give attackers remote access to compromised machines. McAfee proactively detects Generic Dropper, which prevents users from being infected with BackDoor-DNW even with a non-patched copy of Ichitaro.

Detection alert of Japanese McAfee VirusScan Enterprise

The patch for this vulnerability has already been published by JustSystem. Ichitaro users should apply the update as soon as possible.

Users should always take care while surfing the Internet and reading mail, and today maybe more than usual: Another spam run from the Waledac botnet is on the loose, this time misusing the good reputation of the news agency Reuters. After the “President Inauguration,” “Valentine Scam,” and the “Economic Crisis,” this time the social-engineering trick is a “Terror Attack” in your city. Mails with subjects such as “Why did they explode bomb there?” or “Why did it happen in your city?” are being sent out by the botnet right now.

Again the bad guys are using geolocation services to better target their audience. As described in my earlier blog, they are using the city name of the user visiting the fake website and inserting this name into the website itself. So the “breaking news” gets even more attention, because when an attack happens in your home town, everyone would be anxious and curious, right? The screenshot below is an example what a user from New York would see; other users would see the same message but with their local city being “attacked”:

The website claims that a “dirty bomb” exploded in the user’s city and that at least 12 people have been killed. A video from Reuters is presented but “You need the latest Flash player to view video content. Click here to download.” It’s another example of the time-worn missing-codec trick. The needed “update” named main.exe or save.exe is in fact the real malware.

The fast-fluxing website also includes a malicious IFRAME that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection.

The Waledac/Storm authors try to keep their botnet running and always craft new social-engineering tricks to fool unsuspicious users to follow their lure. As always, the best advice is to not click links in spam mails. And the malicious IFRAME pointing to a drive-by infection is another good reminder that “curiosity killed the cat.”

Last week I blogged about how the community forum of Democrats.org was being abused to help manipulate Google’s search results; to lead people to malware.  It appeared that by the end of last week, Democrats.org began the cleanup process of removing all the bogus posts, which seems to have been completed as of this time.  Google’s cache shows that other popular sites were hit as well, including my.barackobama.com and Microsoft’s silverlight.net, which were cleaned up sometime before the end of last week.

In looking a little more at the spammed phrases, it appears as though there are likely multiple groups behind these attacks, perhaps with different agendas.   Some of this is obvious from the formatting of the spam.  The terms themselves also vary, some appear in more dictionary style, while others are more focused on current events, and others still are rather uncommon.  The uncommon terms (including typos) lead me to speculate that at least some terms originated from compromised systems.  There may be a circular nature to this, where unsuspecting victims become infected with one piece of malware, only to have their search terms harvested, analyzed, and subsequently used to entice other victims, but again this is speculation at this point.

Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.

The services and drivers that load in Safe Mode are listed under the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.

Always practice “safe surfing,” which is the first step in keeping your computers clean, and keep your anti-virus signatures updated.

The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.   Shortly thereafter it appeared that Google took action against that attack.  In deed a Google spokesperson confirmed that idea.

Today, Brian Krebs blogged on a separate story, but mentioned that while searching for a related term (pifts.exe), Google returned a poisoned link high on the results list.  After doing a little searching I discovered that the relevant term did seem to appear on Google’s top 100 search terms for a brief period.  However, the other terms I checked on Google Trends did not yield high ranked poisoned links as before.  But, I did come across a potential source for the page rank manipulation aspects of these attacks;  www.democrats.org, which is “Paid for by the Democratic National Committee “, and linked to from www.barackobama.com.

It turns out that this high-ranking website has a community blog feature that allows anyone to create a blog and post whatever they want.  Attackers have flooded this forum with bogus posts and thousands of links for more than a month.

Blog spam such as this is not anything new.  However, this highlights one significant effect of such spam and underlines the cause and effect relationship of security on the web.

Web searches are immensely useful and quite powerful.
Web 2.0, where a community of users contributes content for the betterment of the community can be a great thing.
But combined, a bad apple (or thousands) doesn’t just hurt the community; it can hurt a significant portion of the Web itself.

The other day I blogged about Google Trends being abused to serve malware.  The attackers were not only targeting the most popular search terms, but also manipulating Google’s page rankings to appear high up on search results.  It appears that Google may have squashed those attacks, at least at the moment.

The pages that were coming up while searching Google seem to be purged from Google’s index.  The pages may still be found on other search engines, though not ranked as high.  This is also visible in stats I started gathering yesterday.

I took the top 100 search terms for each day of this week and ran a Google search on each term.  I then considered the top 10 search results for each term, looking for poisoned links with high rankings.  Admittedly it would have been better to gather the search results on each day, rather then running the test several days after the fact, but none the less the limited results do suggest that Google took some recent actions.

The following graph shows significant activity prior to mid-day yesterday.

We can assume the attackers will be looking at new and creative ways to circumvent any countermeasures that may be in place.

Search safe.

The other day a worm, often referred to as “Error Check System” was spreading on Facebook.  In fact if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan.  Some folks blogged that this search connection was “too much of a coincidence“, and that the Facebook part of the threat was a “red herring“.  I do not believe this is the case, and here’s why.

Last week I was following up on a comment made to the McAfee Avert Labs blog.  The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan.  Running a search on part of that URL yielded hundreds of search results, many that were placed high up on Google’s results.  The summary text was relevant for the search term and it’s clear that those behind the redirects are manipulating the internet (Google); by not only getting their newly created sites to appear high on the search results page, but also to display relevant text in the page summary section, and for the hottest terms.  Here’s one example, ironically related to the recent Gmail outage.

You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

 Other searches show the results using all lowercase titles, the same as used by Google Trends.  In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (ash wednesday 2009 was the #1 search term at the time of this writing, this is image was edited to fit on the blog).

The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

Decoding the script shows that it redirects the user based on the referring URL being “google”,”msn”,”yahoo”,” comcast”,”aol.com”.  This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others to discover it.  Once you’re redirected, it’s situation normal for the attackers, various fake alert and scanning messages and windows appearing, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).

If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click, on the Web.

– Update Feb 24, 10:15 PDT –
Microsoft has released a security advisory for this issue (CVE-2009-0238):
http://www.microsoft.com/technet/security/advisory/968272.mspx

Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.
 –

A Trojan exploiting an unpatched Microsoft Excel vulnerability has been reported from the field. McAfee Avert Labs has confirmed that Microsoft Excel 2007 and 2003 are affected. Other versions may also be impacted.

McAfee DAT files identify known malicious Excel spreadsheet files as Exploit-MSExcel.r Trojan, and dropped files as BackDoor-DUE Trojan in the 5534 DATs.

As with the initial Exploit-PDF.i threat, current attacks are very targeted and limited. When succesfull, it installs a backdoor that attempts to connect a remote site port 80 and waits for commands.

The mitigation for this infection is to block unknown TCP connections. However, one of the best protection methods is to remain vigilant against Excel files from untrusted sources or sent at an unexpected time until a security update is available.

For the unaware, Wine is an application that enables users to run Windows applications on Unix-like computers. Like many users, I use Wine on my Linux machine to run a couple of Windows applications I cannot do without. I could run these applications on a virtual machine, or even dual-boot with Windows and Linux, but running them in Wine is just easier.

Although running Windows applications in Wine has its advantages, it also comes at a price: bringing Windows malware into Linux. I’m aware that it isn’t Wine’s responsibility to distinguish between a malicious and a nonmalicious file, and that Wine shouldn’t have any problem running a malicious file; however, I had this morbid curiosity to see how well today’s malware would fare running on Wine, and so began an experiment using the following setup:

• Ubuntu Linux 8.04 [comes with Gnome desktop environment]
• Wine 1.0 [run as a nonroot user with default settings]

I decided to choose samples that displayed a cocktail of malicious behavior, and so I chose the following:

File Infectors

W32/Philis is a file infector that apart from appending its code to other executables downloads and drops other malware.

This malware ran without throwing any errors in Wine. It immediately dropped files in the “Windows” and “Windows\System32″ folders and executed these dropped files. It then attempted to connect to a preconfigured site, and downloaded more malware successfully. It also began infecting executables in the Wine directory and created a registry run key for the malicious file.

The screenshot below shows the clean “CProcess.ori,” the original file 35KB in size, and “CProcess.vir,” the infected file 131KB in size.

It’s worth mentioning that the autostart registry key the file infector created will not work under Wine, so applications will not be able to autostart when the Linux machine is booted up. Also, this file infector didn’t seem to infect ELF files. But I’m guessing that a file infector that blindly appends/prepends its code to other files shouldn’t have any problem corrupting ELF files.

Autorun Malware

W32/Autorun.Worm.CP is an autorun worm, which drops autorun.inf in the root of removable drives.

This malware also ran without any errors. It dropped both the malicious files and the associated autorun.inf file in the C:\ drive and attached removable devices, and created a registry run key.

The screenshot below shows the created Autorun.inf file, along with the malicious files that were created in the root of the removable device.

The registry run key created by the malware won’t work in Wine, however. As long as the malicious file is running, any new removable devices connected to the machine will get infected, thus making a Linux machine the origin of an infection.

Although it is difficult for malware to autostart in Wine, it is not impossible. Malware can be written to find out if it is running in Wine. It can then either download a Linux binary onto the machine and/or simply add an autostart entry for itself in the Linux desktop environment’s common autostart locations, using the nonroot user’s credentials.

IRC Trojans

IRC/Contact malware drops files and connects to a preconfigured IRC server. This IRC Trojan, when ran in Wine, connected to the preconfigured IRC server. From the IRC server I was able to connect to the bot, and control it. Though the control was limited, I was still able to list the files under the Wine directory, get system information, download files to the Linux machine remotely, etc.

The screen shot below shows my logging into the infected Linux machine and issuing commands:

Click here for larger version of the image.

The screen shot below shows the infected machine responding to the “getinfo” command issued from the IRC channel:

Click here for a larger version of the image.

This IRC Trojan was very simple in features, but I’m guessing that with a complex one, an attacker shouldn’t have any problem scanning the subnet for an exploit and sending a payload to infect Windows machines.

Keyloggers/Password Stealers

Apart from this, I tried running a couple of password stealers and keyloggers, but I couldn’t find one that worked well. I’m guessing they couldn’t get a hook to the keyboard.

Although stealing information using a Windows malware in Wine is difficult, an infected Linux machine can still contribute to a DOS attack or be the origin of an infection as suggested earlier.

Scareware

This class of malware displays falsely exaggerated scan reports and tricks users into buying them. They utilize extreme social-engineering tactics combined with obfuscated Java scripts that check for exploits on the machine.

Although I didn’t run the Scareware installer in Wine, I did browse through a site that ran a JavaScript to pop up a window informing me that my “Windows” machine was infected, and requested that I install the malicious file.

Screen shots below:

Click here for a larger screen shot.

It is important to note that if the user had set the file association for Windows executables with Wine, then simply double-clicking the downloaded file would run the malware.

Mitigation Techniques

• Never run Wine applications as root.
• Wine maps the root directory, the user’s home directory, CD ROMs and removable devices found, and these mappings are listed in “~/.wine/dosdevices/”. Consider deleting these except the link to your drive_c.
• Do not set the file association for Windows executables with Wine. This would enable the running of Windows executables in Wine by simply double-clicking them.
• Administrators should think twice before installing Wine on a Linux server. These machines are seldom turned off, and so the problem that a malware faces in Wine with respect to autostarting its code when the machine boots up, I mentioned this earlier, would become void.

A new spam run is on the loose, misusing the global economic crisis as its social-engineering vector. Consumers looking for a bargain should take care, because the bad guys exactly want to fool people trying to save some money these days. Spam mails promoting bargains, which could help in the recession, are hitting the inboxes right now.

When users follow a link in such spam mails–but please don’t do that!–a website like the one below appears:

After the Valentine’s Day theme, the malware authors behind the Waledac botnet changed their lure to promote free coupons, pretending to “save” consumers a lot of money. The text states: Exclusive sale coupons and deals at over 100 000 stores in <City>, <Country>. You can find these amazing sale offers and coupons ONLY HERE! You can download free online and printable coupon list. In our list there are most popular stores, restaurants and companies in <City>, <Country> with discounts up to 95%. We help you to survive this crisis! The coupon list is named “couponslist.exe,” “sale.exe,” or “print.exe”–and, in fact, is malware.

In economically hard times, the malware authors do not rely only on clever and timely social engineering, they also include a malicious IFRAME in the website that refers to malicious code trying to exploit unpatched computers with an additional drive-by infection. Furthermore, the website is craftily designed. The bad guys are using geo-location services to better target their audience. So when someone connects to the website, it determines the geographical location on the fly and presents the actual location in the website texts. When a victim sees coupons for exactly his town, this will increase the demand for the bargain list.

As a last piece of advice we can only stress again that consumers should always take care with offers that look too good to be true–even more so in the hard times of a global economic crisis. Please also refer to our predictions for 2009 “Cybercrime, Online Threats, and the Recession.”

Needless to further remind everyone, zero-day attacks are the preferred choice of cyber criminals and will continue to be so in 2009. If the recent W32/Conficker.worm (MS08-087) and Exploit-XMLhttp.d (MS08-078, MS09-002) were not good enough to prove our point, here is another one.

At the turn of 2009, malicious PDF documents were discovered to be exploiting a 0-day vulnerability affecting Adobe Reader 8,x and 9.x. In parsing a specially crafted embedded object, a bug in the reader allowed the attacker to overwrite memory at an arbitrary location. The attacks, found in the field, use the infamous “HeapSpray” method via JavaScript to achieve control of code execution (see below):

In the above image, the eax register is specially crafted to point to the malicious shellcode that installs a trojan. When successful, the attack installs a backdoor to enforce remote control and monitoring on infected systems. Further characteristics of this backdor and detection details are posted at http://vil.nai.com/vil/content/v_153842.htm

While the distribution of this exploit thus far appears to be targeted, new variants are expected as more information is made public. As with the Conficker experience, the lack of good patch management is a very worrying trend that deserves more attention from IT security practitioners. Adobe is expected to release a patch very soon:

http://www.adobe.com/support/security/advisories/apsa09-01.html

An exploit found to be targeting a recently patched vulnerability for Internet Explorer 7 was discovered in-the-wild.  Malware crooks were quick to develop a working exploit for the vulnerability in Internet Explorer 7, which was part of the February Microsoft patch release. Microsoft rated this vulnerability critical with the possibility of a consistent exploit code. The modus operandi bears close resemblance to the zero-day attack using word documents, we blogged about in December 2008.

The attack, delivered in the form of a maliciously crafted document, is sent out to unsuspecting users. This word document contains an embedded ActiveX control which upon opening, connects to a website hosting the MS09-002 exploit.

Malware authors are always working to create new and improved ways to evade detection and control compromised machines. This time, malware authors introduced obfuscation (base64 encoding) possibly to evade easy analysis and detection.

The ActiveX control facilitates connection to the malicious website to launch and execute the MS09-002 exploit.

For those who have not patched their machines, we suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.

The malicious word document is detected with the current DATS as Exploit-MSWord.k and the Internet Explorer 7 exploit is detected as Exploit-XMLhttp.d / Exploit-CVE2009-0075.

Here’s another twist in regionally targeted attacks: A new Trojan (pretending to be a toolbar installer) is spreading that bundles the legitimate toolbar for the German social network “StudiVZ” with a variant of Backdoor-CEP. Among other malicious activities, the backdoor is capable of recording a user’s screen, taking screenshots, and logging keyboard strokes. At first glance, the deliberately modified installer looks perfectly harmless, especially because it refuses to do anything malicious if it detects certain security products or if it thinks it’s being observed through a sandbox or a debugger.

Behind the curtain, however, a lot of non-kosher things happen. The installer injects parts of the bundled malicious code into running processes or starts a legitimate process in suspended state, and then unmaps its content and remaps different, malicious content to the process before resuming it again. The malicious code is hard to detect because it is decrypted and injected into memory and never written to disk.

After the toolbar’s installer has finished, it automatically runs an instance of Internet Explorer to open http://studivz.net, which is the social network’s login site. With the newly installed toolbar clearly visible now through additional controls and logos on top, the user’s next step will most probably be to log into the social networking site.

At this point the backdoor has already infected a number of running processes in memory and installed a callback to capture and save any keystrokes.

The author of this variant of Backdoor-CEP seems to be particularly interested in the credentials of StudiVZ; the Trojan also makes periodic connection attempts to a host located in Germany. Fortunately for McAfee customers, the malicious installer is blocked by Artemis and is blocked at the (former Secure Computing) Web Gateway.

Following our warning, last week, of the possible scams related to the approaching Valentine’s Day, it’s no surprise that today we’ve seen another new Valentine theme come up–hosted on the fast-fluxing Waledac botnet. If a user were to follow the link in these spam emails–and please don’t do that!–a web site like the following would appear:

A picture with two adorable Shih Tzu puppies is wishing a Happy Valentine’s Day. The text of the lure is advertizing a “Valentine Devkit” named loveexe.exe or start.exe. And regular readers can guess it already: This is a social-engineering trick to convince users to download the real threat. Don’t click the link to the executable or you will end up with malware.

A close look into the website’s source code doesn’t currently reveal any additional drive-by infections nor downloads (but that can change quickly), as seen in past Waledac (or “Storm”) themes. Coverage of this particular malware variant is in the 5522 DATs, plus blocked by Artemis, plus blocked at the (former Secure) Web Gateway as well.

As the recession continues and unemployment rises, we foresee the top cybercrime trend for 2009 as the continued exploitation of the financial crisis to scam people with fake financial transactions services, bogus investment firms, and fraudulent legal services.

A related trend will be cybercriminals targeting people looking to advance or change their careers through further education. McAfee® Avert® Labs researchers have seen major spikes in diploma and advanced-schooling scams that have coincided with major corporate workforce reductions in the car manufacturing, chemical, and technology industries.

Our Main Threat Predictions/Trends for 2009:

• Threats on Social-Networking Sites. Cybercriminals no longer deliver threats only via spam. They are taking advantage of Facebook, MySpace, and other popular social-networking sites. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional ways of malware distribution such as email.

• Personalized Threats Speak Your Language. McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

• Malware Targets Consumer Devices. McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

• Security Software Scams. The malware underworld is using mainstream practices in an effort to “sell” security software that is either misleading or outright fraudulent. McAfee expects this trend to continue.

• Abusing Free Web-Hosting/Blogging Services. Websites such as Geocities, Blogspot, and Live.com allow anyone to create a public website for free, without the authentication necessary when purchasing a domain-name website. This gives spammers the opportunity to run their underground business with minimal expense. Spam from do-it-yourself social-website-hosting providers arrives at its destination with far greater frequency than links pointing to domain names assigned by legitimate registrars. With little to no threat of punishment for their hosted content, and the new restrictions on short-term domain tasting, the attractiveness of free bandwidth offered by these sites will undoubtedly draw greater focus from malicious parties.

• More Targeted Phishing and Corporate Blackmailing. Botnets, a.k.a. zombie computers, that spread into corporate networks and financial datacenters will increasingly be used to gather sensitive information that can be used for blackmail or sold on the underground market.

• Browser-Based Attacks. Cybercriminals will increasingly attack via web browsers as they are the least-protected and, therefore, easiest way to transfer malware.

• Security Breaches of Confidential Data. Information that is managed by partner and subsidiary companies of bigger companies will be exposed more frequently, forcing an overhaul of data-security practices.

• An Increase in Localized Phishing Campaigns. Online scammers will increasingly target specific communities, especially on college campuses, where professional-looking emails claiming to be associated with the school’s financial or scholarship department will be blasted to all the students at the school. This is a significant danger to people who are just becoming responsible for their own finances.

• More Scams Involving Home Businesses. “Legitimate” home business scams generally involve either a pay-up-front and do-it-yourself kit, or a pay-to-play shell game of training and certification. We’ll see more of it on television, and the same infrastructure that supports diploma spam and confidence fraud will adjust to the new unemployment reality and will offer people some new bait on the old check-cashing scam.

• Increase in Forging and Abuse of Free Email Services. The free email services have started to allow accounts to send mails with arbitrary “from” addresses. This has increased the usability of these services significantly to businesses, but has also increased the “abusability” by spammers.

• McColo: The Effects of a Takedown. Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we expect to see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN.

• New Businesses to Replace Lost McColo Hosting. Hosting companies will be set up in countries that are eager to embrace a burgeoning Internet market and will offer services to replace the disrupted command and control centers formerly hosted by McColo. These may be used as pawns by entities that perceive strategic value in sculpting the battlefield of the future.

In conclusion, McAfee recommends that you keep your security software up to date, implement layered defenses, and educate yourself on the trends of the day. Download our February Spam Report and 2009 Threat Predictions to read further and in more depth on these trends and issues. Remember: The cybercriminals read the same news that we do.

As the tradition of Valentine’s Day approaches, so does another tradition: Valentine’s Day-themed spam that leads to malware. At McAfee Avert Labs we think everyone by now should know not to click on unlikely links to “love letters” and similar attractions. But we go on doing so. I guess love really does make us blind.  

By looking at the number of times we see the word valentine in spam, we can see how the spammers pump up the volume in the run-up to February 14. The following graph shows results for the month of January.

The current wave of Valentine’s Day spam contains links to domains that carry the Waledac Trojan. We are currently monitoring about 100 of these infected domains. Each of the domains is fast-fluxed, so there are hundreds of nameservers and thousands of IP addresses involved. (For more on Waledac, see the recent post from my colleague François Paget.)

Many of the Waledac techniques and features are very similar to those of the well-known Nuwar/Storm Trojan. At this time last year Nuwar was pumping out Valentine’s spam that looked like this:

And today Waledac spam looks like this:

Subjects such as “Deeply in love with you,” “I Knew I Loved You,” and “I Love Being In Love With You,” followed by a short URL in the body are typical of these attempts, which point to sites that offer a little Valentine’s malware. By all means send love notes to your honey before and on Valentine’s Day, but don’t fall for these transparent, annual attempts that lead only to tears.   

(Thanks to my colleagues Kevin McGhee and Dmitry Gryaznov for their contributions.)

Malware continues to increase at a rapid rate. With the DAT-5516 release, scheduled for 4 February, the number of drivers in the DATs will pass 500,000. Half a million is a huge amount. I remember my first antivirus program, back in the ’80s, that had a count of about 80. I don’t recall the exact number, but it’s easy to place it into perspective. We add way more on a daily basis now.

However, our current count is not an absolute number of detected malware files; this can confuse many people. Drivers can be written very specifically, say one driver for one sample, but that’s not very effective. Most drivers are written to generically detect many samples. For example, one driver can detect 50 or as many as thousands of malware files. Therefore, the number of detected malware files is way higher then the half-million number reflected in the DATs. For another look at the complexity of counting malware detections, please see François Paget’s blog as well.

Initially VirusScan would focus just on true self-replicating viruses, mainly 8-bit (.com/.exe), MS-DOS viruses as well as boot viruses, which were prevalent then–and some still are today. Malware has evolved into many areas including, but not limited to, VBA, VBScript, JavaScript, 32-bit (pe-type .exe binaries) mass-mailers, 32-bit file infectors, mobile malware, adware and password stealers, and others. Nowadays the majority of malware is static Trojans.

There has also been a big shift by the malware authors. The first malware authors were hobbyists, writing to to prove it could be done, but today we mainly see malware that’s going after the money–password stealers, etc. Malware is often developed in professional environments, much like a business project with a plan.

Although there is malware for operating systems such as Mac OSX and the various Linux/Unix versions, most malware is still targeted at Microsoft Windows and its applications.

China’s use of zombies for spam is down, but the country now leads the United States in McAfee’s February Spam Report, available here for download.

The United States has long been the leading supplier of spam, but with the overall amount of spam decreasing, China is catching up. It’s not clear what China is doing, but the vast amount of computers that have been controlled by zombies are no longer being used for that purpose. One certainly has to wonder what they are being used for.

Additionally, in Switzerland (owner of the .ch domain), we have seen a big increase in the amount of spam offering “cheap” software.

Clearly, money and profit are still the driving forces for malware and spam these days.

An innovative social-engineering technique in which the virtual world meets the real world was described recently by SANS analyst Lenny Zeltser. The original post can be found here.

Apparently, yellow fliers were placed on vehicles in a parking lot, and the fliers claimed that the vehicles were in violation of parking regulations. The fliers further stateed that the owner could visit a certain website to get more information and pictures about the offense.

Upon visiting this website, the innocent victims were requested to download a toolbar [PictureSearchToolbar.exe], which claimed to let them search for more pictures of their vehicles. However, what this toolbar really does is download malicious files from the Internet; those files in turn downloaded more malware.

Here’s a screenshot of the website:

McAfee detects the original toolbar [PictureSearchToolbar.exe] as Vundo.dldr!1231E9AC from DAT Version 5516 onward, while the dropped and downloaded files are already detected as Vundo Trojan.

Recently, xiaonei.com (a Chinese social-networking site, similar to Facebook) fixed a cross-site scripting (XSS) vulnerability known as “HTTP Response Splitting.” This flaw occurs when a web application does not properly filter carriage returns and linefeeds (%0d%0a). This allows an attacker to split the HTTP response header like so:

HTTP/1.1 200 OK
…
Set-Cookie: _de=a\r\n\r\n
<script>alert(/XSS/);</script>; domain=.xiaonei.com; expires=xxxx
Set-Cookie: login_email=null; domain=.xiaonei.com; path=/; expires=xxx
Content-Type: text/html;charset=UTF-8
Connection: close

Please note the boldfaced section. If you have some programming background, you would know that “\r” is a carriage return (ASCII code 0×0d) and “\n” is a line feed (ASCII code 0×0a). An attacker can input %0d%0a%0d%0a in a URL. If a web application does not filter %0d%0a%0d%0a and outputs them to the HTTP response header, they will be converted to \r\n\r\n as in my boldfaced section above. Although the HTTP response header is an integrated header, it is divided by \r\n\r\n. Because \r\n\r\n represents the end of the HTTP response header, the content after it will be handled by the web browser as the content of a web page, and the attacker’s JavaScript code will run. This is an old attack method, but it can still be found in websites today.

The %0d%0a problem can also allow exploits in other situations. For example, it can be used to divide the T-SQL in SQL-injection attacks such as “select * from testable%0d%0aexec xp_cmdshell ‘command.’ ” It also can be used to make commented code run. For example, if you have this code in a web page:

<script>
// alert($_GET["var"]);
</script>

The alert line has been commented. But when an attacker provides this to it:

var=%0d%0aalert(’xss’);

the code will become this:

<script>
// alert(\r\n
alert(’xss’);
</script>

And an XSS attack has been created.

So web programmers: Don’t forget to filter %0d%0a in your code.

Today, we at McAfee Avert Labs released our 2009 Threat Predictions. Amongst the findings are:

Threats Hide in the Cloud
Miscreants have also transitioned to the Internet “cloud” as their main delivery vehicle and take advantage of the attractions of Web 2.0. McAfee expects this trend to continue throughout 2009, eventually displacing more traditional vectors of malware distribution.

Personalized Threats Speak Your Language
Threats will continue to take evasive action against security measures. One example is the existence of single-use binary files, which are an attacker’s equivalent of a single-use credit card number used by consumers when shopping online. These binaries help to create a vast sea of threats, which will make it harder for victims to describe their assailants, and make it harder for defenders to catch them. Additionally, McAfee expects to see the continued expansion of malware in languages other than English. Cybercriminals have come to realize that by diversifying into a global market they can access even larger pools of valuable identity and confidential information.

Malware Targets Consumer Devices
McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames, and other consumer electronics. This trend will continue due to the almost unregulated use of flash storage across enterprise environments as well as their popularity among consumers.

The Rogue Web and Malvertising
Last year McAfee also saw the malware underground use mainstream practices in an effort to “sell” software that was either misleading or outright fraudulent. McAfee expects this trend to continue as cybercriminals still see a lucrative market in this area.

McColo: The Effects of a Takedown
Spam traffic took a tremendous dive in volume when ISPs pulled the plug on spam host McColo Corp., the source of up to 60 percent of worldwide spam. In 2009, we will see a continued shift in organizations, from passive support of law enforcement to an active role of working collaboratively with ISPs and global Internet entities such as ICANN. Together, these organizations will shine the public light on these malicious actors and shut down their access to network and systems infrastructure.

Download the full report from our whitepaper page here.

Fake alert malware prey on innocent victims by displaying misleading scan alerts. They trick the user into buying fake antivirus, to fix such falsely exaggerated scan reports. This class of “scareware” software depends on extreme social engineering tactics and comes bundled with Backdoors, Password Stealers, Downloaders, Droppers, Browser Helper Objects, etc.

Each of the above class of malware are used either in the distribution of the fake antivirus itself or in the propogation of other kinds of malware once the fake antivirus is installed on the victim’s machine. Working towards a common goal - extorting money from an innocent victim - these scareware applications have added a new class of malware to their armory - rootkits.

Apart from hiding the scareware’s files, rootkits ensure that access to genuine security vendors’ sites is disabled. The rootkit we noticed, named “tdss[random characters].sys” was blogged about by Computer Associates recently and was associated with the AntiSpywareXP2009 scareware. We, however, noticed that this rootkit was protecting rogue components belonging to WinWebSecurity scareware. This implies that:

1. The same author of the rootkit is supplying his code to multiple scareware vendors for money, or
2. The same group is creating and distributing multiple fake antivirus.

McAfee AV, will detect & clean this rootkit component from DAT version 5496 onwards. However, a user stuck with a machine that does not have antivirus with updated signatures, will have to clean this rootkit manually.

If you are a Windows user, apart from the usual safe computing practices that include using a firewall, an updated Windows operating system and an antivirus software, consider the following steps to minimize the chances of getting infected by such scareware:

1. Install a backup software, which can revert your system to a previous known uninfected state
2. Browse the Internet from sandbox software
3. Install and browse the Internet from a Virtual Machine

On a final note, the Federal Trade Commission has recently won a restraining order against Innovative Marketing and ByteHosting Internet Services - companies responsible for marketing the scareware applications WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. However, we will have to wait to see if this move actually has any impact on curbing the distribution of scareware.

In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.

Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:

Let me add that if you are lured into this trap and are using an incorrectly protected PC that you will be infected by malware we detect as W32/Waledac.gen.b.

This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique I have explained here and here.

Once again, be vigilant and do not unwisely follow a link you may have received via email or find upon a search!

Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself. Below is the traffic packet capture snapshot sent by the worm:

As we can see from the image above, there are some random alphanumeric characters in the packet which seem to have been generated from Rex::Text.rand_text_alpha in ms08_067_netapi.rb. And if we do a byte order conversion of data in red box above, we get 3 addresses: 0×00020408, 0×6f8917c2, 0×6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit as listed below (from metasploit):

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
	{

                     'Ret'       => 0x6f88f807,
                     'DisableNX' => 0x6f8917c2,
                     'Scratch'   => 0x00020408
	}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

The latest metasploit exploit, besides including Windows XP/2003 OS’s; also includes several targets for languages such as English, Arabic, Czech, Danish, German, Greek Spanish Finnish, French, Hebrew, Japanese, Chinese, etc. The exploit module of ms08_067_netapi in metasploit also provides the “smb_fingerprint()” function to detect the Windows version information, Service Pack information and also the language information of the target OS. This makes programming the worm much easier and can cause much bigger impact. By using the exploit from the metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading. We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting OS version and Service Pack information were embedded into this worm. Hence without the remote OS language determination ‘feature’, this worm only targets the English OS versions at the time of writing the blog.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending SMB session setup and request, it can detect OS information of target machine. If the OS is Windows Server 2003, then the Service Pack information will also be returned.

Since there are a huge number of Windows XP systems it’s obvious that the worm writer did not want to miss out on this pool, hence this is why the worm determines what the Service Pack level is by accessing \SRVSVC named pipe, which is similar to the method used in metasploit smb_fingerprint() function :

if (os == 'Windows XP' and sp.length == 0)
            # SRVSVC was blocked in SP2
            begin
                         smb_create("\\SRVSVC")
                         sp = 'Service Pack 0 / 1'
            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
                         if (e.error_code == 0xc0000022)
                                 sp = 'Service Pack 2+'
                         end
            end
end

So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by our Signatures ID’s 3961 and 0×40709d00 respectively. For VirusScan users, the DAT update version 5444 has coverage to detect this worm.

Today we at McAfee Avert Labs released the first of our new monthly publications: the “McAfee January Spam Report.”

Within its pages you will find excellent information on current spam trends, campaigns, and maybe even some “winners and losers.” Some of the highlights of the January issue include:

Political Spam
Tax Relief Junk Mail
Unemployment and Diploma Spam Increases
Christmas E-Cards

As well as some 2009 spam predictions! Definitely worth the download and read. Watch for our February issue in about four weeks. All spam reports, as well as other white papers, are available from our whitepaper download area here.

Google’s code-hosting project is the latest free service to be abused by web spammers. We’ve seen one or two previously, but over the holidays the situation appears to have got much worse. They are creating lots of new projects with the following type of website on:

Clicking the image will take you to today’s fake codec download site. Repeated clicks will take you to an adult site [both NSFW, you have been warned!].

The difference between this and the MSN Spaces abuse that is now about a year old is that Google appears to automatically index code projects, so any Google-Jedi can generate a good list (Google Search–again, don’t click the links) to start with.

Or the fact that the image is linked from http://bestsextube dot net/video.gif all the time might also be useful to know. The icing on the cake, though, is the link to somewhere/in.cgi … I’ll come back to this later.

The porntube site is also host to a number of other related sites such as fake anti-anything software:

The codec download site, which is in Latvia, also hosts a number of related sites:

The Google Code project owner has a few other projects of a similar nature, too.

A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year later it’s still being abused by spammers [ spamhaus award. ] I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safe browsing together, but it appears not to find anything wrong with the clickable links, though it did catch on after some redirection took place.

…perhaps I should start consulting on this sort of thing

Anybody suffering deja-vous? “/in.cgi should ring an alarm bell or two. If not, check out my colleague Micha’s blog on traffic management. He explains what happens to those clicks! This is campaign “6.”

Happy new year to all!

LinkedIn is a popular social networking site where you can manage business contacts online. Since you can set up a profile with links to your own website, it seems to attract criminals’ attention as well. A Google search reveals that several hundred fake LinkedIn profiles from nude “Kirsten Dunst” to nude “Hulk Hogan” exist already. The rogue profiles look all alike, with a picture of the celebrity and three links to the parts of the “nude video” like shown in the following picture.

This is exactly the lure - don’t follow these links! The linked websites contain obfuscated script code which decodes to a simple browser redirection. This obfuscated script code is proactively detected by McAfee as “Exploit-IFrame.gen.c” already.

If you’d follow the link (don’t do that!) to see how deep the rabbit hole goes, you will end up with a Traffic Management System like described in this Avert Labs blog entry. On every reload the server-side application will point to a different domain.

So when an unsuspecting user gets tricked to follow the lure, he will end up on different malicious websites trying the classical social-engineering tricks of either the “missing video codec” or of showing a fake AV scan and telling that the user his computer was infected with malware and offering a “free” AV scanner software, which in fact is the real threat. So beware when following links, even on trusted Web 2.0 platforms like LinkedIn. Especially when they promise some nude celebrity videos.

The current crisis in Gaza between Palestinians and Israelis marks a renewal of web defacement activities. Various Morocco hacker groups have been pointed out by the press; the best known is “Team-Evil,” which just hacked the Ynet Israeli news site.

This weekend, I read various French posts speaking about ethical hacking and “e-jihad” operations made by “pacifist hackers” motivated only by their political ideology. However, reality is sometimes different from perception, and one hacker may conceal another.

On New Year’s Day various web sites were hacked by people introducing themselves as “Morocco & Gaza Hackers” or the “Team Cruel Boys” group.

On the defaced page, one attacker–whose email address is m0×0m_at_hotmail.fr–introduced himself as “M. SoOoSo.” His message seems clear: “I’m not a saboteur, and I didn’t hack this site as an act of sabotage.” At first glance, this guy could gain some sympathizers of the Palestinians’ cause.

But the story is not so simple. A week before, on Christmas Day, I heard about a phishing attack against Orange.fr, a French Internet Provider. Using a mirror site, hackers tried to intercept user names and passwords to access emails and personal data.

Speaking with the discoverers of this identity theft attempt and looking at the code, I noted the stolen data were sent to the same m0×0m email address. Moreover, the PHP script was named soooso.php. What a curious coincidence!

A second email address pointed to another possible Moroccan. As result of some searches I made today, I would not be surprised if this second guy (if it is not the same as the first) was also involved in some fake auction operations.

Of course I can prove nothing, but it would not be the first time we have heard hackers claiming to be ethical “white hats” who are really engaged in criminal activities.

The Web’s classical social-engineering trick of the “missing video codec” tries to lure people into clicking on links or download and install an executable which pretends to be the missing application which is needed in order to watch the movie. The animated picture below is such an example: at first glance, it looks like a typically embedded video which is unable to load. The “picture” states that you’d have to click on it in order to see the movie. And here the lure begins - in this blog entry, we’ll follow it down and outline what kind of traffic management backbones are deployed for malware campaigns nowadays.

In our example the animated image is hosted on a popular blog platform and the link points to a suspicious Flash sample. As a quick analysis reveals, the Flash is compressed and additionally contains some obfuscated JavaScript code to hide its real intention. The script code redirects to another location.

The new location points to a so-called “Traffic Management System”. In this case, if you load the URL several times, the destination rotates and after too many retries you will be always redirected to the homepage of Google. The system remembers your IP address on the server-side for a certain time period. After that time, or when you just use another IP address, you will again see the redirections when visiting the URL.

The redirections are based on a typical HTTP “302 Found” response with a new location from the server where the traffic management system is installed. Another example, which also used Geo-Location, was outlined in this Avert Labs Blog post where a downloader trojan contacted such a system and based on the country, different malware binaries were downloaded.

Such traffic management systems nowadays are configured via web-based administration interfaces. Typically the links for the “incoming traffic” look like http://www.example.com/in.cgi?three or http://www.example.com/in.cgi?default where “three” or “default” stands for different campaign IDs inside the system. A typical rule could look like shown in the following picture.

The administrator is able to define rules for “incoming traffic” which results in different “outgoing traffic” based on different restrictions. For example, the Geo-Location could be used to redirect visitors from a particular country to one location while visitors from another country will be redirected to a different location - just think of localized campaigns targeted to the spoken language in these countries. So users from the United States will not be redirected to a french phishing web site and vice versa.

These traffic management systems can also use more complex rules based on network ranges and the referrer - so lets say that only visitors with a referer from Google will be redirected to a malicious web site as long as the IP address of the visitor doesn’t come from well-known network ranges belonging to security companies.

Why do that? This way, only users searching for the website will get to the malicious redirect, while the websites’ owner or administrator, who usually does not search for it but directly enters the URL into the browser, will see the normal website with no oddities. This helps the attacker to keep the infection under the radar for a longer time.

Other trafic management systems, like shown in the above picture, also feature different logins into the web interface - for the administrator, the “sellers” and the “buyers”. This particular system has different views for sellers of traffic - that is, infected web sites containing an IFRAME that points to the trafic management system -, and buyers of traffic - e.g. the people who run exploit servers and try to install malware on unpatched computers, thus looking for potential victims. Such traffic management systems can be in between the infected web sites and the exploit servers. As you can see in the above picture also payment options can be configured, so the more traffic a seller redirects to a buyer, the more money is paid. With such systems in between, the campaigns can be easily exchanged or the “traffic” can be sold to new buyers which try to install their malware.

So the classical starter, the “missing video codec” trick, can end up in quite a complex system managing modern malware campaigns. Visiting or following a malicious ressource nowadays means that you are redirected based on a complex server-side management system.

The last major event of the year has just ended: The 25th Chaos Communication Congress’ Closing Ceremony just took place. Now in its 25th year, making it one of the oldest annual IT security conferences on the planet, more than 4,000 visitors crowded the BCC in Berlin, making it difficult to get into the talks, much like at Defcon some years ago.

For the talks: As always there was a healthy mix of technical, culture, and society-related topics (the full schedule can be found here;) surprising was the low number of local speakers talking about security problems or releasing tools. This may be related to a lot of confusion about the impact of recent German legislation banning “hackertools.” Recordings of all talks will eventually be available here.

Some of the highlights of the conference (yes, with four days and three parallel tracks I’m certainly missing some that should be mentioned) were Security Failures in Smart Card Payment Systems, by Steven Murdoch; Fabian Yamaguchi’s talk about TCP DoS Vulnerabilities; SWF and the Malware Tragedy, by BeF and fukami; FX of Phenoelit talking about the State of Attack/Defense of Routers (start watching your infrastructure, folks!) and finaly the conference highlight, a talk about creating a rogue CA Certificate, by David Molnar, Marc Stevens, Benne de Weger, Arjen Lenstra, Dag Arne Oswig, Jacob Appelbaum, and Alex Sotirov. By taking advantage of known (and widely ignored) weaknesses of md5-signed certificates and bad implementation of a CA, they were able to create a Rogue CA Certificate, trusted by all browsers–OUCH!

A very interesting note concerning the Rogue CA talk: They didn’t give out any details on what they were planing to talk about until just before the talk itself. As they were afraid that someone or some company might try to gag them and prevent the talk from happening, they were discussing the content with affected parties only under NDA. Meaning: They made the other party sign the NDA, not the other, usual, way around!

This year there were a number of talks about mobile phone (in)security and about the GSM network in general, an interesting trend to follow in the next months/years. And at the very end a vulnerability affecting many Symbian-based phones, trivial to exploit manually, had been released: SMSCurse (I’ve got no working link at the time of this writing). It basically crashes the SMS messaging on a phone and may require factory reset to restore it, depending on the phone.

I took this as an opportunity to create a current backup of my phone–how old is your latest backup?

Have a Happy and Safe New Year!

Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query of asking for the wire transfer.

When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent pdf document from a legit site and opens it for deception. The pdf document, however, is not relevant to the wire transfer.

We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those pe files such as Icons, and file properties.

For example, we observed following icons:

Other resources:

File Descrption:

• Auto-reader Module
• Reader_Module
• Adobe Reader HSMC
• Adodb_SSL_reader

Translation:

• English
• Spanish
• Korean

CompanyName:

• Adobe
• ADOBE

These crafted resources, as well as the malicious code, are the result of server-side polymorphism to attempt to evade detections by Anti-Virus software. McAfee Avert Labs detects the current wave of the downloader as BackDoor-DSG.dldr trojan, and dropped files as BackDoor-DSG with DAT 5474 or later.

The infamous DNSChanger family again got into focus earlier this month, due to the fact that the latest variant is able to inject DHCP “Offer” packets containing rogue DNS server IP addresses into the network traffic. Therefore one infected computer in a network could pose a risk for all the other hosts using DHCP. In this blog entry, we want to outline what risk such network changes would pose.

Rogue DNSChanger servers can typically be found in the range 85.255.112.0/20 of “UkrTeleGroup”, formerly known as “Inhoster”. The oldest malware description in the McAfee Threat Library using these suspicious DNS servers is dated back to 2005 (see DNSChanger.a for more information). Scanning the whole network unveils more than 400 running DNS server instances at the moment. That is, ten percent of the whole IP range consists of nothing other than DNS servers. The whole network is believed to be even bigger, but not all servers in this range are answering to DNS requests at the moment.

A very serious issue with computers using these rogue DNS servers located in the Ukraine is that they resolve a number of security-related domains differently than a benign DNS server would do it. For example, DNSChanger-affected computers could access and surf to ‘www.microsoft.com’ without any changes, but are not able to download the latest updates from ‘download.microsoft.com’.

The 400+ DNS servers resolve the domain name to ‘127.0.0.1′, which just means the computer tries to download the patches from the “localhost” address meaning that the bad guys successfully blocked access to important updates. However other security related domains – including ‘download.mcafee.com’ – are blocked like shown in the following screenshot:

The behavior is entirely controlled by the attackers’ DNS servers. These could even redirect existing domain names to servers hosting crafted content (Phishing) or servers dynamically modifying real content. Once your DNS settings are under control, the bad possibilities are unlimited. The criminals controlling these servers could also limit their attacks to regional locations or do their business from “dusk till dawn” to stay under the radar.

The good folks at the “Internet Storm Center” have suggested blocking or at least monitoring the entire range several times, starting first early 2006 because of the bad stuff coming out of this space. If you are a home or small business user and don’t want to route into these Ukraine based network, you could simply block access at the router level like shown in the screenshot below. Many popular “Small Office / Home Office” devices feature such an ACL (Access Control List) feature.

Enterprise customers should force all clients within their network to only use the default DNS server(s) and block access to non-trustworthy servers at the gateway level to ensure no one externally controls your DNS. Internet Service Providers could also mitigate the risk for their customers by dropping connections to these rogue DNS servers and additionally force their customers to only use the ISP’s controlled DNS servers.

From fake online banking to regionally targeted celeb porn - that’s just two days in the life of a “FormSpy” (a.k.a. “Infostealer”) malware campaign. In the past few days a spam run started to promote a fake “Bank of America” web site, announcing a change of the online banking’s interface to its “customers.” For these “customers” to be able to have a quick look at the “demo” page, a preview link is provided as shown in the sample spam mail:

Innocent users that follow the lure by clicking the link are presented a fake banking web site which uses the well known missing-codec-trick that is used to convince users into downloading an additional component for a website or video to work. This time it is an apparent update for “Adobe Flash Player” which they require you to install for their “demo page” to work. The update of course isn’t any legit software but a trojan instead.

We have taken a concise look under the trojan’s hood - it not only installs a rootkit but also collects private information from the infected computers. This information is leaked to a server using HTTP POST requests and in the end may either be sold or used to spread the attacking party’s malware further.

The embedded rootkit is written to harddisk once the trojan is executed - the rootkit driver’s Portable Executable header can be seen in the screenshot below.

Among this private information are POP3, IMAP and FTP server credentials but also credentials for the popular “ICQ” instant messenger. See below for a screenshot of the malware’s pseudocode:

The trojan moreover is capable of receiving and executing commands from the malicious host that it phones home to, so the malware’s behavior may change and “improve” anytime.

The list of commands currently understood by this variant of the trojan is as follows:

• “VER” - sets a “version” key underneath the Windows Registry path “HKEY_CURRENT_USER\Software\Microsoft\InetData” to a particular string
• “EXE” - updates itself by downloading a new version, storing the resulting executable to the Windows path. The filename is randomly chosen, depending on the current time
• “DL” - downloads an executable from the Internet (but doesn’t run it)
• “DL_EXE” - downloads and runs an executable from the Internet
• “DL_EXE_ST” - downloads an executable from the Internet, adds its path to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and executes it
• “REBOOT” - forces the computer to reboot

An additional spam run targeting Swiss Internet users has been reported by the “Reporting and Analysis Centre for Information Assurance MELANI” just yesterday. The mail, written in German language, promotes a Swiss adult web site hosting celebrity videos. Subjects include “Bl*wj*b with Madonna” or “Britney Spears in front of porn camera – scandal“. When following any link contained in the mail, the user is directed to one of many different malicious domains showing pages similar to the one seen below.

Just like with the fake banking web site mentioned above, the videos presented on this celeb page are told to not work without a codec - too bad! This time the user is bribed with a high definition video plugin named “Adobe Player HD plugin”. Again, this of course isn’t a missing codec but rather a trojan aimed at downloading further malware. Noteworthy about this downloader is it’s contacting a web server with a traffic management system installed - contextual to the user’s Geo-Location, different malware is delivered. While, for instance, a user from Germany will be sent a file called “de.exe”, …

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:33:58 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****.com/de.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

… a user from Switzerland will get “305.exe”:

HTTP/1.1 302 Found
Date: Wed, 10 Dec 2008 15:39:48 GMT
Server: Apache/2
Set-Cookie: …
Location: http://***-*****/305.exe
Vary: Accept-Encoding,User-Agent
Content-Type: text/html

By comparing the malware currently spread by the malicious host, Swiss residents are delivered a variant of the same “Infostealer” family as seen in the “Bank of America” spam campaign shown above. Users from Germany are delivered a spam bot instead. So spam mails are sent from victims in one country, and information being stolen on computers of victims from another country.

The “FormSpy” (a.k.a. “Infostealer”) malware is blocked by Artemis as “Generic!Artemis (trojan or variant)”, additional coverage is in the 5461 DATs.

Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users. Even if you’ve been online for years, it can sometimes be difficult to spot new tactics being used to e-mug you.

While it’d be nice to think that common sense will always protect you, common sense alone has shown to be only marginally effective against the evolving online fraud syndicate. The FBI’s 2007 IC3 summary reported over 200,000 complaint submissions of online fraud, up from the mere 16,000 complaints received when the program began in 2000. Of the complains received, the typical kind of scam that would give your common sense a chance to flex - Nigerian 419 scams - represented only a mere 1% of all complaints, suggesting very few people are falling for these anymore. Instead, the new big-ticket item in the underworld of fraud is phishing. Phishing is considered by the FBI as “foremost” among email based scams, and seeks to illicit information about a person’s identity – such as credit card and social security numbers, and other information which can be used to commit crimes of identity theft. Phishing is a smoke and mirrors trick designed to fool you into thinking you’re logging into your bank or credit card’s website, when in reality you’re using a mock-up site designed to steal your personal information.

Online fraud and identity theft crimes consisted of over 17% of the total complaints received in 2007. It’s no surprise that online fraud is growing given how lucrative fraud scams can be. In 2007, over $239 million was lost by those reporting complaints to IC3. This set a new record for financial loss, and yet the number of actual complaints was at a three-year low. The complaint count was similar to that of 2004, yet in 2004, only $63 million had been lost to scammers. This suggests that scammers have become much more efficient than they used to be. Today’s criminals clean people out of more money, and do it with less effort.

It’s no surprise too that 32% of these scams were perpetrated using a website, and 73% involved email correspondence. It’s relatively inexpensive to deploy a phishing site kit on hundreds of hacked or free web servers and then send out millions of email messages to hook the few unsuspecting individuals who fall for the bait. While a specialist in the field might recognize the site to be a forgery, the average computer user has only a few basic instincts to know whether they’re safe.

Most Internet users will apply some form of common sense rules when visiting a website. The most valid question they can ask is, “does the URL in my address bar match that of my financial institution?” Simply applying this one basic rule can thwart a majority of phishing attacks. Applying the wrong types of common sense assumptions can be dangerous. Replies from victims such as, “the website looked real to me”, and “the link in the email looked right” are not uncommon, and are usually the result of being taught a few bad habits.

Scammers are working actively to outsmart their victims, but what the victims might not know is that there is another factor also working against them: their financial institution. Even after years of knowing how phishing sites operate, many banking and credit card institutions continue to teach their customers bad habits by conditioning them in ways that poison their common sense. None of this is done maliciously, of course, but somehow their webmaster never got the memos about phishing. Some of the bad habits your financial institution might be teaching you include: 

Click This Link

After years of knowing this is a bad idea, many legitimate websites are still sending email messages to their customers with clickable links. Clickable links have been abused by phishing scammers since the beginning because they allow you to craft a web address that displays the legitimate institution’s website URL in the email, but will take you to the scammer’s mock-up website when you click on it.

Using clickable links in correspondence conditions the customer to fall victim to these types of scams, and causes them to ignore the URL in their address bar. 

Email sent from your company should never instruct a user to click on a link. Instead, instruct them to simply visit your website. If you must provide a URL, provide it in plain text and keep it simple.

Paste This Link

Almost as bad as clickable links is the practice of instructing a customer to copy and paste a link into their browser. This is another common bad habit that has been exploited by scammers to steal your personal data. Many scammers simply remove the leading www prefix, or the http:// protocol prefix to avoid filters from seeing the URL in their email. This conditions the customer to assume the link is valid because it’s not clickable, and might also prevent them from visibly confirming the URL.

Email sent from your company should never provide a URL so complex that it must be copied and pasted. Provide only the main URL to your website, which the customer should be able to identify with. Anything overly complex should be linked to from the website once they get there.

Multiple SIgn-On Domains

A customer can only know if they’re visiting a legitimate website if the URL in the address bar matches. Many large banks, however, have taken on the poor practice of using multiple domains, and sometimes even using outsourced, third party URLs, to sign customers in. This confuses their customer and conditions them to disregard the URL in the address bar, since they’ll never know if it’s right or not.

Your company should use a single sign-on page and only one domain name for a customer to identify with. Like the entrance to a concert or other special event, your website should funnel everyone through one central line. This will avoid confusing your customer about which domains you’ve registered; most customers don’t know how to look this information up.

Multiple Sign-On Pages

In addition to using multiple sign-on domains, many companies use different sign-on pages to log into different types of accounts, or present different pages depending on where the customer is navigating. This desensitizes the user to the look and feel of your website, making them more likely to miss the variations in counterfeit websites, which might have otherwise raised a red flag. 

The customer should not depend on whether a website “looks” real, however when they are desensitized to the layout and branding of your sign-on page, you increase their likelihood of falling for a scam. It is said that bankers are the best at spotting counterfeit currency because they work with the real thing all day. Your customers can be taught to spot a forgery simply by using one central sign-on page. This page should also have a simple URL that the user can become familiar with. All other pages on your website should link to this one sign-on page.

Log In To Verify Your Account

Scammers have used various forms of fear mongering for years that have tricked victims into logging in to verify account details. Some of these scams include informing the victim that their account is suspected of fraud, that the account has been suspended, or that they will need to verify their information to avoid an account lock. All of these notifications advise the victim to make an urgent effort to log in.

When a customer is under duress, they are more likely to skirt their normal common sense checks to address the problem. Companies engaging in this same practice cause their customers to get into the habit of responding to these types of urgent notifications, increasing their chances of falling victim to a bogus one. If a notification is urgent enough to warrant an account lock, it is important enough to be delivered to the customer via telephone, and with proper verification procedures to identify your company to the customer. Sending urgent messages via email is only inviting trouble.

Security Images

Many websites employ security images to convince the user that they can feel safe logging in so long as they see a teddy bear, a train, or some other image they choose from a library when creating their profile.  As phishing scams become more complex, scammers’ websites can easily start acting as proxies to the legitimate website. This isn’t in widespread use yet, but a few isolated incidents have been seen, and the technique is easy to craft: when you enter your username into the phishing site, the site turns around and queries the legitimate website for your security image. It can then display the security image to the customer to gain their trust.

Security images and other enhancements are an added layer of security, but your customers should be aware that they can be easily spoofed. Instruct your customers to rely on the website URL, rather than a security image, and to only use the security image as an added means of verification.

In addition to these bad habits, many companies avoid addressing the problem entirely, and teach their users that they can protect their account by employing policies such as strong passwords or usernames requiring a digit. Security questions are another common layer added to websites that don’t do much to them more resilient. None of these techniques will necessarily have any affect in strengthening security against a phishing attack, because the customer is providing the information directly to the scammer’s mockup site. Even revolving security questions can be easily phished when the scammer is familiar with the questions prompted by the institution.

Identifying legitimate correspondence is the first line of defense a customer has in avoiding a scam. The best thing you can do as a company is to inform your customer that you will never prompt them to click on or paste a link, never instruct them to enter their credit card number online, and familiarize them with the only website URL they should ever associate with your company.

Unfortunately, many websites still teach bad habits. Large banks continue to use multiple website domains, rather than centralizing all of their sites under a single web address. Other companies have abandoned common sense entirely and send email closely resembling existing phishing scams, complete with hot links and urgent requests. Facebook was recently slammed in the tech community for sending clickable links to their users prompting them to verify information in their account. They’re not alone, however, as many other popular online institutions have been known to follow similar practices.

In July, we published findings that SPF/DKIM usage was declining among the Fortune-500 companies. Of the 500 wealthiest companies, less than half were implementing the simple, free anti-forgery countermeasures to protect users from spoofed email. You can read more about this at this link.

Businesses can’t prevent their customers from being scammed, but they can help to educate and condition them to recognize legitimate correspondence. The first step in doing this is to encourage sound practices when visiting your website. By helping your customers avoid becoming victims, you’re helping to avoid headaches that will ultimately become yours, and ensure that your customers remain satisfied ones, likely to return.

Following the recent release of this year’s McAfee Virtual Criminology Report, I had the opportunity to talk with diverse European journalists. They asked me for some concrete examples of the malicious Internet “offers” that the economic crisis has produced.

Fake working-at-home opportunities
The most visible offers are not new; they are only more numerous. They involve fake recruitment sites proposing working at home, which promises to be well paid and less time consuming than an office job. In fact, these are offers for mule jobs, like the one I described last year.

No doubt these offers attract all types; but when it becomes hard to find a job, the offer can also appeal to honest people.

Fake banking services
Less well known and increasing, fake bank sites flourish over the ‘Net. These are not mirror sites used in phishing attacks; these sites are created solely to attract people searching for a financial institution that can help. When an authentic bank denies a loan, for example, what could be more natural than to search for a more welcoming business.

The next screen captures offer examples of two live websites among the 20 or so I discovered last week.

�

Fake investment firms
As we watch our investments decline in value, many of us are on the lookout for a high return. Would you welcome an 850 percent profit guaranteed within 24 hours?
 

These investments are beneficial–at least for the crooks who promote them. With scams like these, it’s not necessary to catch people by the hundreds to make a nice sum of money. But if you invest here, you’ll never again see your tied-up capital.

Fake legal services
Cybercriminals know the economic downturn can lead to more people going to court after a dispute with a banker or employer. Watch out for dubious legal offers.
 

Here, too, the “service” will ask you for a cash advance before starting the job, one which will never be honored.

In searching for scam sites I have found many other ripoffs, but I hope you are already convinced: Taking advantage of people who are already victims of financial problems is truly scandalous. Yet this is a reminder, as if proof were still necessary, that today’s crooks have no misgivings about abusing the most vulnerable among us.

We have lost count of how many blogs we have written this year that have anything to do with zero-day threats or unpatched vulnerabilities.

Today, many Internet users in China have reported an infection, presumably from browsing the web using a fully patched version of Microsoft Internet Explorer 7.x. My colleague Xiaobo Chen and I investigated the incident and found it to be an active exploit containing downloader shellcode that installs the Downloader-AZN Trojan (proactively detected as New Malware.n since 2005 when scanning with heuristics enabled).

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x that references already freed memory in the mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.

Fortunately, the 5404 DATs proactively detect the Downloader-AZN Trojan, but there could be other variants. Additional coverage is going into today’s DATs to detect the malicious web scripts as Exploit-XMLhttp.d or Exploit-XMLhttp.c Trojan.

Details about this vulnerability, as well as exploit code, are known to be publicly available.

More information on this situation will be posted as it becomes available.

Today McAfee released its Virtual Criminology Report, our annual study of global cybercrime. We found that cybercriminals are targeting their scams to play off of the economic recession, and governments need to be doing more collaboration to face the problem.

The economic downturn affected cybercrime scams almost immediately. As soon as banks started struggling and mergers and acquisitions became commonplace, we started seeing an immediate increase in banking scams asking users to ‘update their account information’ before the bank changed hands. With almost all of today’s malware being financially motivated, even cybercriminals are looking for more business in tough economic times and are really stepping up their game.

This represents an evolution in the trend of cybercriminals getting smarter and faster about what they do. When news of a specific banks going under hits, scams and malware utilizing that messaging will emerge the very next day. The same happened with threats throughout this year’s presidential race as well as post-election; when President-Elect Barack Obama messaged malware emerged as early as November 5.

The environment of fear and anxiety in consumers that is being caused by the downturn also provides opportunity for cybercriminals to lure consumers into what they think are ‘internet sales marketer’ positions, where they are actually unknowingly assisting in criminal activity as money launderers. We have been seeing an increase in the number of these job postings and recruitment emails promising job seekers will ‘get rich quick.’ The scams are also strategically worded to place high on Google job searches, and are of course designed to look like legitimate job postings.

It is more important than ever that computer users educate themselves in safe searching and safe computing habits. Technology alone cannot solve the problem. Education alone cannot solve the problem. Both combined, however, can enable us all to use the Internet the way we want.

Download your copy of the report here.

Educate. Advocate. Protect.

Earlier today SANS posted an excellent blog on a recent variant of a DNSChanger Trojan. There are some significant implications to this threat, but before I go into those, here’s a brief rundown of the main DNS-changing Trojan tactics used to date:

1. Modify Windows Hosts file to map specific domain names to specific IP addresses (McAfee classifies these Trojans as QHOSTS Trojans, more of a precursor to DNSChangers
2. Modify Windows registry settings to reference specific (rogue) DNS servers [DNSChanger.f]
3. Create a scheduled task under Mac OS X to reference specific (rogue) DNS servers [OSX/Puper]
4. Exploit cross-site request forgery vulnerabilities in routers to overwrite the DNS server configuration offered to local area network clients [DNSChanger.f]

We’ve now seen a new tactic, which has the potential of impacting most devices on the local network–independent of the operating system or device (Windows, Linux, Internet-capable MP3 players,  digital picture frames, refrigerators, you name it). The tactic involves serving the rogue DNS server configuration over DHCP, the protocol responsible for distributing dynamic IP addresses, as well as other information, including DNS settings.

Here’s a scenario:

• Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
• Steve sits down at the next able and fires up his laptop, which requests an IP address over the wireless local area network.
• Jill’s PC injects a DHCP offer command to instruct Steve’s computer to route all DNS requests through a rogue DNS server.
• Steve fires up his web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.

The same applies to any local area network (LAN) where multiple system connect via DHCP.

This is significant for several reasons:

1. The DNSChanger/Puper/Zlob gang has been very successful, infecting millions of PCs during the last couple of years. This gang typically uses strong social engineering to entice victims into installing the malware.
2. Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.
3. Locating a poisoned system on a sizable network is often a difficult task.
4. Noninfected systems can alter between using approved DNS settings and rogue settings based on an infected system being on the LAN, and a random chance that the infected system will be able to “poison” the DCHP offer.

For those interested in the details, this DNSChanger variant drops the legitimate ArcNet NDIS Protocol Driver in the drivers directory:

• %WinDir%\system32\drivers\ndisprot.sys

The Trojan uses this driver to inject DHCP Offer packets containing the rogue DNS server IPs.

Variants using this functionality are not known to be widespread at this point, though even a single infected system could potentially impact hundreds of other systems on the LAN. Though it’s awkward to check, users could examine their DNS settings to see if they have been impacted. For example, type the following from a Windows command prompt:

ipconfig /all

For insight into some of what the DNSChanger gang is after, see this post.

Fasten your seatbelts, for today we take you on a tour of fake-alert Trojans that have been doing rounds in the Internet lately. On this tour of various malware stations you’ll be taken to a system infected by a fake/rogue anti-virus application. Below is an example of a method implemented by such malware to infect a machine.

Here is your itinerary:

Station 1: Malicious web page that hosts a malware
Station 2: Browser helper object
Station 3: Fake/rogue anti-virus application downloader
Destination: Fake/rogue anti-virus application–infected system

The journey starts with a malicious web page that hosts a malware. Users reach these malicious pages through social engineering techniques such as a link via email/instant messanger, or redirection from a compromised legitimate website. A single click on these links will start the infection.

Upon visiting the malware-hosting web page, the user “buys a ticket” in the form of an executable file downloaded onto the system through some social engineering technique.

On our example tour,

• http://best[blocked]tube.net

When users visit the page above, they’re asked to download wmcodec_update.exe, which pretends to be a codec plug-in for Windows Media Player. A message box pops up repeatedly until users download the fake plug-in file, which is a Multi Dropper malware.

Upon execution, the downloaded file pops up a fake error message, as shown below:

The malware continues to execute and drops

1. Browser helper objects
2. Fake/rogue anti-virus application downloader

Our “tourists” now move to the next station, the browser helper object. At this station, the victims’ browsers are compromised. For example, a user’s search queries are manipulated to contain a link to another malicious web page. The following two images show the difference between a “clean” search and one made after a link to a malicious web page has been injected by the browser helper object. I have highlighted one malicious site; try to find five differences between the two images.

Before injection of the URL:

A compromised browser–after injection of the malicious URL:

Many spyware applications use browser helper objects to capture the surfing habits of users. This information is used later by the malware authors for pop-up ads relevant to search keywords, for example.

The next station on our tour is the fake/rogue anti-virus application downloader. Here users see two magazines, which are links to porn sites, on the desktop.

The fake application is downloaded without user intervention by the “fake” downloader. Finally the users systems are infected with a fake application malware.

At this point, users see a bogus alert from the fake application.

Scanning through the report generated by the fake app reveals that this report is exaggerated and false.

The fake-alert malware displays spurious alerts to entice users into buying products to “repair” the system from the fake, exaggerated threat.

Did you enjoy your fake-alert tour? Today, malware often work as a team to infect computers. In this tour, we saw a malicious web page hosting malware, Multi Dropper, a browser helper object, a downloader, and a fake alert work together for a common goal.

As always, we advise you to take precautions with fake plug-in downloads that loop infinitely–without giving you a chance to close that message box. Try to kill such processes of spurious messages through the Task Manager. Be careful about the links in your email, especially in anonymous mail and links in instant messages. Always practice “safe surfing,” which is the first step in keeping your computers clean.

A new variant of Koobface (a worm that spreads over Social Networking sites) was recently making the rounds on Facebook.  Users reported receiving spam messages, such as:

When a user follows the link, they’re redirected to one of many different compromised hosts, which displays a fake error message that the version of Flash is out of date.  Next the user is prompted to download/open flash_player.exe, a new Koobface variant.

If the user choose to install the executable, a fake error message is displayed.

Facebook is already aware of this threat and is purging the spammed links from their system.  But with dozens of Koobface variants known to exist, the situation is likely to get worse before it gets better.  It’s important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms.  The safe-computing practice created more than 10 years ago still applies today, which is not to open any unexpected email attachments, even if they are from someone you know.  Only in this context, it must be expanded to the following:

The upcoming DAT release contains detection for the new Koobface variant, while users of McAfee Artemis Technology are already protected in real-time against this threat.

As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup.   This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results.  Search terms are directed to find-www.net.  This enables ad hijacking and click fraud.

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert labs

You may have read in the press recently about landfill ISP McColo being de-peered. Spam is just part of this story, though probably the most visual and media friendly, please don’t see this ongoing situation as mostly spam related. Spam is simply the most visible tentacle of this octopus.

Our esteemed blogmaster Ed has been moaning about getting something on the blog about it & I wanted to dig out something meaningful for our readers so I contacted a close partner of ours and got some real mailserver stats.

Quite the haircut I’m sure you’ll agree.

You can read my previous blog about bots calling home to mother-ships (often via proxies) if you’re interested as to why this had such a sudden and dramatic effect.

Enjoy the lower load averages while they last though

This is no reason to rest however, we’re still as busy as ever in the labs and we’re watching as intently as ever. The child porn sites are already on a transatlantic move for instance and we’ll be calling our colleagues at the IWF today for sure.

It is very exciting to see that finally AMTSO published two documents on its Website (http://www.amtso.org/documents/cat_view/13-amtso-principles-and-guidelines.html):

• AMTSO Fundamental Principles of Testing
• AMTSO Best Practices for Dynamic Testing

These documents were posted by AMTSO for public comments as RFC versions back in August 2008. Most of the comments from http://blog.amtso.org actually got reflected in the final text so AMTSO did incorporate many different opinions in its standards, which is a good thing!

The most important thing about these standards is that there is now hope that the quality of anti-malware reviews will improve over time because vendors and testers can work more closely together for the benefit of all computer users.

Here is what Jeff Green, Senior Vice President of McAfee Avert Labs said about this event: “While there have been many great security software reviews in the past, many poor reviews reviews have confused or misled people. We are glad to see that Anti-Malware Testing Standards Organization has taken this problem by the horns and formalized the principles of fair testing. This is a significant milestone that should skew the balance towards fair and scientific testing, providing users with a true viewpoint on the security protection vendors provide.”

Let’s hope that there will be more standards from AMTSO and they would look as good as those just published.

Two weeks ago, I wrote a blog about “clickjacking,” the method of using invisible links to malicious web sites. Users click on what appear to be legitimate buttons, for example, but are actually taken to sites they can’t see. I think clickjacking will be combined with other vulnerabilities to attack users, who will be unaware that they are at risk. Protecting users from this attack vector is very important.

I have some advice for how you can protect yourselves from this new threat. For Firefox users, I suggest the latest version of the NoScript add-on for Firefox 3. You can find it here. For IE users, unfortunately, I haven’t found a patch. But I can recommend a good article that talks about clickjacking in multiple web browsers. You’ll find advice on what you can do with IE, Safari, Chrome, and Opera. Some web browsers allow users to disable the IFRAME element, but that will affect normal functions because some sites use IFRAME. You’ll need to take care if you are not using Firefox and NoScript.

I never thought I’d see the day!

ICANN found it’s dentures down the back of the sofa and taken a bite out of the criminals domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains problems “customers” ?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign Etc…). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique URL “snowshoe” spammers ? almost legit ? The real world doesn’t care for their bulk and whois protected domains (via directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Ricter’s Media Breakaway, formerly bankrupted OptinRealBig . MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko's open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but never the less, that (so I’m told) this is quick for ICANN

Hip Hip…

Last week, along with 1,200 other attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. In my opinion it was a great success; here are some on-the-spot comments.

On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime, I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets. “The cybercrime industry is still booming,” the speakers explained. “It moves about US$100 billion per year and is the most successful sector of organized crime, growing 40 percent per year.”

Fortunately, the criminals do not win all the time. A supervisory special agent attached to the FBI Cyber Division gave us proof in the next session. Through example of “Alonzo X,” we learned how the police forces work to catch cybercriminals. Organizing and offering to sell parts of his botnet consisting of approximately 100,000 infected computers, Alonzo was responsible for sending thousands of spam between 2004 and 2007.

During this track, we learned that, as they do for drug rings, the FBI investigators infiltrate criminal operations. And they are sometimes on the horns of a dilemma: To help the inquiry, do they have the right to use for themselves a botnet they purchase and can they send themselves spam? We also learned how it was sometimes possible to calculate the fine by considering the expense for a computer repair ($200) and multiplying that amount times the number of infected computers. The police’s role is also to inform the victims that their computers are infected. It is not an easy task when you have a worldwide network of thousands zombie machines. Someone in the audience asked the agent how much Alonzo earned; the response was approximately $80,000 per year.

In the third track I attended, participants learned about the views of the U.S. Department of Homeland Security. To introduce his talk, Brett Lambo, the Director of the Cyber Exercise Program, gave us a brief outline of the situation: Today malicious insiders and cybercriminals have both the capabilities and the intent to use the Internet as a playground. Other nations, which also have the capabilities, may have the intent, while terrorist groups may have the intent but do not possess capability. Then, Lambo explained America’s cyberinfrastructure serves as a vital link among 17 critical infrastructure and key resource sectors, as well as providing a fundamental element of all emergency response operations at the federal, state, and local government levels. Since 85 percent of the critical infrastructure in the United States is owned by the private sector, this unity between the cyber response community in the government and private sector will be essential to effective protection and defense.

On Monday afternoon, I was busy with my own session: “Malware on Second Life–Myth or Reality?” As businesses begin to embrace virtual worlds, there’s more and more money involved. I conducted some research on this platform to demonstrate that Trojans, worms, phishing, and counterfeiting activities were not a myth. Here’s one incident I found: Two teenagers, 15 and 14 years old, have been convicted for virtual theft in the Netherlands. They had stolen a virtual amulet and mask in the multiplayer RuneScape game by forcing another player to transfer the items under the threat of violence. One defendant was sentenced to 200 hours service, the other to 160 hours. Yes, threats in virtual worlds are a new cause for concern.

One of the Wednesday events was the talk by colleagues George Kurtz and Brian Kenyon (”Hacking Exposed Live 2008.”) The conference room was just large enough to accommodate all the people wishing to see the live demonstration of today’s most advanced attacks and exploits. Perhaps some attendees found this report too technical. For my part, I thank the authors for the 140-page booklet they offered to all the participants.

Also that day I could not miss the report by Joe Telafici (one of my managers and vice president of operations for McAfee Avert Labs) on the “Economics and Finances of Cybercrime.” After a well-documented threat report that demonstrated the business sense of cybercriminals, Telafici explained that we had to “change the equation” by reducing rewards and making the web harder to use for criminals. “We need a multifunctional, cross-discipline, standards-based approach at fixing the protocols and applications [TCP/IP, DNS, SMTP, HTTP(S)] that make up the Internet,” he concluded.

I started Thursday by participating in the Craig Schmugar track on “Sō’shəl Ěn’jə-nîr’ĭng.” Social engineering is one of the most successful tactics attackers can use in committing cybercrime–by enticing a potential victim into performing a distinct action. After some examples, my Avert colleague explained that crimeware defense strategies were rarely discussed in public. First, they concern the trade secrets of the anti-malware industry; and, second, they could help criminals in their bad work if they were circulating. Social engineering defense, however, is a bit different. Schmugar discussed social engineering characteristics (source, destination, circumstance, content type), inspecting metadata (freshness of content, file names, extensions, path, ADS, web domain and site names), considering static binary properties (container, file size, icon, use of “obscure” functionality and digital signatures) and considering the environment (service names and description, registry references).

Also on Thursday, the Dmitri Alperovitch talk grabbed my attention, and I did not hesitate to congratulate him after his presentation. The subject was “Organized Online Criminal Enterprises: Profile of Who, Where, and How.” Alperovitch offered an impressive list of criminals from Eastern countries (with supporting photos) involved in all sorts of cybercrime. It is easy to understand why the Alperovitch presentation now available on the Internet has many deleted sections. Seemingly, the crooks are all Russian or Ukrainian; and of course they use WebMoney. His example of stock manipulation was also very explicit. With some professional spammer tools and an Internet application able to manage “Exact Buy/Sell signals,” Alperovitch demonstrated that it is not difficult for a crook to make money. In his example, the “buy” flag for a peticular penny stock was fixed to $3.45 and the “sell” flag was set between $3.90 and $3.95. When the spammer launched his campaign, the stock cost about $3. The whole deal took just 8 hours, from purchase to sale. By manipulating 100,000 shares, the profit reached $50,000.

Now I am heading home to France preparing to inform my family about all the interesting and festive events I saw. See you next year at FOCUS’09!

It has been over 2 years since I last wrote about malware exploitation of a major vulnerability in the Windows Server Service (MS06-040) by malware.

In 2006, worm authors were quick to adopt the remotely executed exploit in just 4 day following a security update released as part of the regular Patch Tuesdays - IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, et ceteras.

Now in 2008, we are faced with malware authors, motivated by profits, more organized, and are more likely to target zero-day vulnerabilities, as we have reported on several critical incidents we have discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against a new MS08-067 vulnerability targeting the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it was using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that would look very familiar to those familiar with MS06-040.

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

When successful, hardcoded shellcode embedded within the malware, is executed on the targeted machines to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

(shellcode after decoding)

Just hours following the patch release, public source code has already been seen distributing on the Internet. What more can I say ? Patch your systems ! Yes, NOW !

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)

Due to the MS08-067 out-of-cycle release from Microsoft today we are in the process of releasing emergency DATs/coverage updates for many of our products and technologies. We are also working on an emergency Security Advisory as well.

Current state for each of the content areas is as follows:

Malware - Emergency DAT cut and testing in progress. ETA of 2 - 3 hours.

HIPS - Generic buffer overflow should provide coverage.

Intrushield - Partial existing coverage. Additional emergency sigset releasing today.

Foundstone - Emergency signatures being released today.

V-Flash - Emergency signatures being released today.

MNAC - Emergency signatures being released today.

VirusScan Enterprise BOP - Should provide coverage for the buffer overflow.

We will continue to monitor this critical event to provide the most comprehensive coverage we can.

I am in Las Vegas for the McAfee Focus ’08 conference, and I just heard that French President Nicolas Sarkozy suffered, in September, a case of online bank fraud on one of his personal accounts.

Authorities said hackers were not aware of the identity of the owner of the account. We know only that they removed small amounts of money (an anonymous well-informed source told Agence France Press it was for opening mobile phone accounts). Perhaps by taking small amounts the crooks wished to ensure the validity of the stolen information and wished to verify the victim’s lack of concern. But they couldn’t have picked a worse target. The entire French police force is chasing them.

It is difficult to imagine my president as victim of phishing, but anybody can be attacked by crimeware while browsing the Internet via a not well protected computer. Remember, it is not necessary to visit inappropriate web sites to catch malware. In December 2007, for example, I explained in this blog that the site of the French embassy in Libya was affected by an IFRAME injection.

The most probable origin of Sarkozy’s identity theft is “carding.” As I wrote in May, dump tracks lists are for sale by the thousands, and many hacked credit card readers are on the market. Perhaps one of them involved Sarkozy’s credit card during one of his numerous foreign travels.

Relating to this fraud, Luc Chatel, secretary of state for consumer affairs, said there has been a 9 percent increase in Internet banking crimes this year in France.

[This entry was updated on November 3.]

Lately, the topic of “clickjacking” has gained popularity in discussions on the Internet. It is a new type of web attack. I decided to find out what it’s all about.

I found an online video from OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman and Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits-–ClickJacking.” I also found a demo of this attack here.

In the videos they describe only parts of the vulnerability, but we can learn enough to gain a basic idea of what clickjacking is.

To explain, I’ll use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via cross-site scripting. The area of B will also need to be so big that the user can easily click its content. The attacker places a button in B that leads to any action he wants. Then the attacker places some buttons on page A that will attract users. The location of the buttons in B must match the buttons in A so when users appear to click a button on page A, they are actually clicking the button in B because the z-index property of B’s buttons are higher than A’s buttons. This attack uses DHTML and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich-media Internet application today. Adobe has released a security advisory and provided a workaround.

We will continue to watch for new information about this vulnerability.

Issue 5 of the publication formerly known as Sage has been released. This issue we take aim and tackle the rather murky subject of social engineering. We have nine excellent articles for you from some of our finest researchers as well as two academic experts. Some of the topics covered include:

The Origins of Social Engineering
Social Engineering 2.0 - What’s Next?
Vulnerabilities in the Equities Markets
The Future of Social Networking Sites
Typosquatting - Unintended Adventures in Browsing

Many aspects of social engineering are dissected and investigated as well, some not found anywhere else! Definitely worth the download and read.

Available here.

Q: How do you want to build a client base for your phishing kits?
A: Give the popular ones away for free. Yes FREE, and as blatantly as possible, with one-click satisfaction, right on the homepage of a web site.

I suspect that this is a shareware-style, lead-generation setup–as the phishing kits appear to be of relatively poor quality. (So poor in fact that I expect the most experienced brands to be sending takedown notices for them before the phishing emails were actually sent.) Some of the kits also appear to have encoded parts indicative of being backdoored, too–I guess they gotta pay the hosting bill somehow!

Kudos to the host in Germany for taking down the site next day; you know who you are.

223ad6770c4ff635083b70391d3c04de Abbey[1].Co.Uk.zip
f34e8ce8e373796a30dc7e0730c4ed9e Bank of Israel (2008).rar
799c1ba68e87a33aa225655931996f1f BankofAmerica[1][1].Com.zip
76282eea7ab203c51b05c660577a4002 Cahoot[1].Co.UK.zip
880a57f271d4d46da92738e3962e49b1 E-Gold[1].Com.zip
fa1a96c0b1927177b2ca2c8bd6c5e970 HSBC[1].Co.Uk(CC Info).zip
376bd1c17baa77a870e12747338fe64a HaliFax[1].Co.Uk.zip
a190290c4643d95fb87537856474e84f LloydsTSB[1].Com.zip
0c23bed37791a123e7635cef153d21f9 MoneyBookers[1][1].Com.zip
c5d10b25075e4298bf098dc253a408e6 New paypal.rar
ad7e3dd00939eb5e8d56092aaa0e24bc Padeel.rar
499626e041c80bdec9f80be29364b1b7 PayPal[1][1].Com(T).zip
5eec8797fc8174bf432ddce192d1b1d4 PayPal[1][1].Com.zip
89e94a1843c25dc6424cf542573a4b01 UsaBank[2008].rar
36be827f4ee6e494ee1935556ab3a2a7 Wachovia[1].Com.zip
e1ba19f799d604656ebd4dd9c8228913 Westren nion 2008.rar
62f99023b12214ecac05cdf0ad0b82fe ibank.barclays.co.uk2008.rar
ee89d38f27deb6c94391c764913d9490 scams-orange.zip
afcef45174c5b1ec54db3e8bccfd285a usa.visa.com.rar
6c9030c9c5af0b9343ef72eb458641fd www.Free.Fr.rar
66671d90a86f618522a64caba5bc91a8 www.ebay.co.uK2008.rar
dbfb0c80bada183e47ae031ebb535116 www.paltalk.com.rar

There is an interesting back story to this incident, too: All roads of further investigation lead back to France. The details of which have been with the national police for some time now (thus the delay in posting).

YouTube is an excellent resource for video sharing: Users can upload, view, and share video clips. It’s also not novel to find a legitimate web site being used as a vector to spread porn-spewing malware. We blogged earlier about fake video embedded in blogspot domains and attackers capitalizing on sensational news hitting the media. This time attackers are promising free adult video on YouTube to assault unsuspecting users.

Attackers are using fake profiles that contain a video link to YouTube to kick-start an infection. This profile contains a link pointing to:

http://superelection[blocked].info

The preceding web site is infamous for various U.S.-election-related spam and hosts a cocktail of exploits that attempt a drive-by installation on the victim’s machine. The site also attempts to social engineer the victim by promoting a fake codec that installs the Puper Trojan. We have identified multiple profiles connecting to various exploit-serving sites hosting the fake codec. The attackers have been successful in promoting this attack by posting the YouTube links to various forums. With numerous visits to this YouTube link so far, the chances are good that a number of users have fallen victim to this attack.

We advise all Internet users to follow safe browsing practices and keep their systems patched. Meanwhile we at McAfee Avert Labs will continue to protect our customers against such attacks.

1. SNS websites introduced
With the Web 2.0 trend, more Social Networking Services (SNS) websites have become very popular. For example Facebook and Myspaces are well-known.

You can keep contact with others via SNS websites; you can find many many friends. Many people participate in small games, virtual applications and so on. Those SNS websites have millions of unique visitors per day. It is a platform used to share files, music, information and so on. Also the platforms are used to spread viruses and worms. If a attacker spread a virus, trojan or worm via SNS websites, then many many users can be infected in a short time, which could be disastrous.

In the following sections I will talk about how to reduce the threat that comes along with SNS websites.

2. SNS website lead to threats
Nowadays, more attackers utilize SNS websites. They can easily create a zombie network via an SNS website vulnerability. They can use harvested private information for financial gain.

3. General attack ways
Attackers maybe used the following methods of attack:
a) Exploit a server vulnerability
For example: buffer overflow, weak password, database vulnerability and so on.
b) Exploit a script vulnerability
For example: SQL injection, Cross-site scripting, upload file problem and so on. In general, Cross-site scripting attacks have a wide use. A CSS worm can be get million of user cookies in one hour; and also lead million of users to an infectious virus.
c) Exploit an ActiveX vulnerability
If an ActiveX vulnerability is present, attackers are likely to target it. In general, attackers exploit ActiveX overflow vulnerabilities to install malware.
d) Used of Social Engineering Fundamentals
It’s well-known that Users of SNS websites trust each other, so Social Engineering Fundamentals work well on SNS sites.

4. Attacks Case
a) Facebook and Myspace have had ActiveX-related vulnerabilities in the past.
b) In 2006, MySpace was hit by a XSS Worm. The worm uses a malicious QuickTime video.

Following the public advisory of a zero-day attack published by JustSystems and McAfee® Avert® Labs on August 26, an official security update is now available from the vendor at: http://www.justsystems.com/jp/info/pd8002.html.

The protection has also been available to McAfee customers in the 5368 DATs since August 22. As Avert Labs continues to update our protection for ongoing attacks, Ichitaro users are highly advised to patch this vulnerability as soon as possible.

The debate of full disclosure vs. responsible disclosure vs. nondisclosure has been going on for years, and we have discussed it several times in blogs and even in one of our earliest AudioParasitics podcast sessions:

- http://www.avertlabs.com/research/blog/?p=270
- http://podcasts.mcafee.com/audioparasitics/AudioParasitics-Episode7-5-2007.mp3

We would like to highlight the importance of responsible disclosure such as this. In case of a new attack, restricted information and protection must be made available to all affected users just sufficient to detect and protect against the latest security compromises. All information must be released without compromising the security of affected users, and while providing ample time for affected vendors to verify the issue and inform their customers. No details must be given that would allow the bad guys to discover and exploit the vulnerabilities; however, keeping the existence of a known vulnerability secret leaves users unprotected and uninformed.

As our vulnerability research colleague Rahul Kashyap puts it in his blog, “our mission is to protect our customers and the Internet community at-large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws! Failing to disclose to anyone leaves the good guys in the dark–but supporting irresponsible disclosure gives the bad guys night vision.”

Ichitaro zero-day vulnerability response:

People don’t seem to seriously care about Wi-Fi security yet. Inspite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user.

SOHO routers log every connection and DHCP lease but these logs are flushed once the router is rebooted. If an attacker has access to the administrative console of the router (thanks to the default password), once their nefarious actives have been carried out, a simple restart of the router will erase all tracks.

The extent to which an unsecured Wi-Fi connection can be abused is purely left to imagination of the attacker. Putting on my Dr.Evil hat, here are couple of wicked acts a Wi-Fi hacker could commit and get away undetected using an unsecured network.

• Download child pornography
• Download copyrighted movies and music via P2P
• Download Warez and abuse your bandwidth
• Send bomb hoaxes, terror or threatening emails.
• Send spam (sexual aids, pharmacy or money laundering scams)

Any of the above acts could lead to law enforcement authorities knocking on your door. This is not mere speculation and many unsuspecting people have fallen victim. To quote a high profile example, in the recent serial bomb blasts in India, terror emails that took responsibility for the blasts were sent from unsecured Wi-Fi connections. And it was the unfortunate owners of the unsecured Wi-Fi connection that were subjected to police questioning and house arrest.

In addition to using an unsecured Wi-Fi network for malicious purposes, an attacker can also use it to steal personal information for identity theft. For example:

• Infiltrate and break into internal machines
• Modify DNS settings on the router to point to a rouge server.
• Sniff Wi-Fi traffic for usernames and passwords

The above discussed scenarios are neither speculation nor an exhaustive listing of different ways for abusing unsecured Wi-Fi networks. These scenarios are being enacted by criminals everyday around the world.

Now why would want to be an unwitting host to criminal activities emanating from your IP address or make yourself vulnerable to identity theft? Be a responsible Netizen and please secure your Wi-Fi connection now!

After I read the Chris post on our blog that dissected the darksides domains, I wondered about the Russian Business Network and its state of health.

This year, the posts and white papers circulating on the web portray new protagonists like AbdAllah, Atrivo, Directi or EstDomains. Like their RBN senior branch, these Internet network providers are strongly suspected to protect many actors in the malware/phishing/fraud world.

In February 2008, a ShadowServer foundation document explained that many domains had moved from RBN to AIH (AbdAllah Internet Hizmetleri). Like me, many researchers saw here a revival of RBN. But as it is assumed by some French bloggers, it was only a migration from customers, from one bulletproof hoster to another.

2 weeks ago, in the last Jart Armin controversial paper, the St Petersburg entity was hardly mentioned. Various networks previously known as RBN bastions were listed as core component of the Atrivo California-based family of companies (you can read the Brian Krebs post to be convinced).

In October 2007, after the media got in the Russian ISP in the spotlights, their representative Tim Jaret forcefully denied the accusations. He said that his company investigated abuse complaints and took care of them if there was a violation of law. Now, Emil Kacperski, the Atrivo founder hands out the same message. He assures the company works very hard to clean up his image and respond to abuse reports and then proceed to any corrective action when necessary. But some people don’t believe them!

One thing is sure, each time a report discloses a lax ISP, many unscrupulous customers looking for discretion, cover or camouflage, are disrupted. As I said before, we have seen some of them moving to AbdAllah or Atrivo. I should not be surprised if they started searching for a new refuge! All the more probable that bad advertising arrived to the ears of many attentive backbone providers bring about Atrivo to lose peering from all sides. At least it is something!

Today several researchers announce the dissolution of RBN and with the Atrivo and Directi disclosures, we gave new kicks into the anthill. But all these criminals who pay for dedicated server and protection from takedowns due to abuse complaints are still busy. For that reason, the criminal business network is still living even if it changes sometimes in name and management.

Inspired by Igor’s post (and whilst Terry is dancing in doorways) I’ve taken some time out from my current project and beaten a path through the tangled web of service providers, registrars, resellers and registrants of the domain name system supporting the darker side of the web.

This investigation originally started when Garth from Knujon pointed out that Directi have some shill registrars on their books (Whilst I was enjoying the Kaiser Chiefs @ Rock en Seine in Paris no less). I then read Brian Krebs post about Atrivo being one of the best known dangerous networks around… He finished with a teaser note about ESTDomains. So guessing whats coming next I’m going to jump the inter-networking gymnastics that binds EST with Atrivo/Intercage/(cernel|inhoster)/Etc, privacy services and others and start at the far end of the story and expose a secret about a not-so-little Indian company called Directi and shine a light on the almost invisible but vital service that powers the domain registration core of the largest group(s) of bad-actors on the web today.

Let me provide some bullet points about the Directi Group of companies to get you up to speed.

• Directi are a privately owned Indian company with a reported turnover in excess of $300M USD.
• Directi own LogicBoxes the maker of a product used to manage the registrar relationship with registries.
• Directi own the reseller Resellerclub.com, and the registrar Answerable.com amongst others.
• Directi own skenzo.com a domain typo squatting monetization service.
• Directi’s Logicboxes are responsible for over 3.5M domains, about 45K resellers across 50+ ICANN accredited registrars.
• LogicBoxes has no acceptable use policy (AUP) for their service.

That last point is the weak link in the chain. Directi’s Logicboxes provide domain registration automation services under contract but without an AUP, and to organizations that have an un-holy tie to organised crime at that.

LogicBoxes is a software product or turnkey ASP solution but some simple tests (that I’m deliberately withholding for now) prove that it’s software combined with a backend service and Directi are involved at every stage of the game via it’s service-layer even though it looks on the face of it like they aren’t.

(If you don’t understand the cats-cradle of knotted string that holds the domain name registration system together then blame John Levine as he has admitted it’s all his fault and this slide explains it all, “apparently” ).

So on the the murky world of Registrars also being Resellers and why:
ESTDomains, Dynamic Dolphin, to name but a few are huge Directi resellers, and as ICANN accredited registrars also customers of LogicBoxes too. But as Garths and Brian’s posts show there are also many other “shill” registrars and unanswered questions too. However between them they provide a disproportionate amount of domains that are used for illegal activities and most have a path back to Directi’s logicboxes service. I’d estimate the total to be north of 100,000 domains by now, everything from Social networking spam through illegal pharmaceutical supply to botnet command and control.

There is a metric truckload of publicly available evidence for anyone that still doubts the darkness of their hats take a look at the URIBL listings for the last 5 days for ESTdomains. All the linked domains are sites you do not want to click as they contain spam landing pages, fake anti-mailware, porn with fake codecs amongst other things. Why on earth a legitimate registrar would not monitor uribl’s published information and act on it is completely beyond me.

ICANN don’t help the situation by accrediting registrars without a verifiable legitimate address and well publicized & working contacts. We have procurement and vendor qualification processes that’s a real pain some times excellent IMHO, I’ll ask someone to send them a copy

Our friends at Spamhaus have plenty to say about ESTDomains too on many listings, take a look at their nameserver listings for starters SBL53320 SBL53319. Searching ROKSO will reveal a whole lot more. As for Atrivo, it’s a rats nest of issues; A rats nest that would do well to fall off the internet. For more information on the internet-gymnastics I jumped over take a look at this great pdf from hostexploit.com. Keep in mind though that some of the feeder transit networks may be owned or run by the same gang and just exist for redundancy.

The ESTDomains that I’ve investigated first hand have generally fallen into two camps, one where they are registrar directly and one where PublicDomainRegistry is mentioned in the whois, the latter being the “shill” sorry I mean “white labeled Registrar” for the previously mentioned Directi company “resellerclub dot com“. The fact that PrivacyProtect.org is Directi’s whois privacy service (pasted from here) for resellers just makes matters worse.

Don’t get me wrong, Directi have a clue, register a domain directly with a Directi owned registrar and break the AUP and they will act well as any registrar must. I’m specifically talking about the other services they provide to the criminal corners of the web.

It would appear too that the ESTDomains portfolio has had their privacy protection revoked too, this is definitely a step in the right direction. (Breaking news this evening from El Reg and knujon, nice work guys) However, these guys move pretty fast and recently EST moved their privacy needs to their own protectdetails.com domain.

So finally I have to ask those making money by providing the core services Bhavin Turakhia & Divyank Turakhia from Directi, you clearly know the score, so when will you completely stop supporting the illegal acts of EST, DD and other very obvious darkside entities and kick the bad apples out?

Before anyone from a registry or registrar starts the classic “Smith & Wesson” rant think about this, “Smith and Wesson” don’t sell maps or cars, drive you to the forest, apply your camouflage, help with your ICANN accreditation or load your gun for you

One of the features included with Google’s new Chrome web browser is the ability to show suggestions for navigation errors. This feature is intended to replace certain traditional 404 error messages with the additional option to search Google’s web search engine for phrases that are parsed out of the incorrectly entered web address that returned the 404 message.

In the past an issue with this has brought to light when a similar technology was first introduced with the Google Toolbar 5 browser plug-in.

The HTTP method GET is frequently used to pass form data from one page to the next for further processing. When using the GET method this data is appended to the URL delimited by a preceding question mark character.

Ex..
http:// [somewebsite] /accountinfo.php?user=Jdoe&session=12345678

In the above example accountinfo.php would be passed the parameter USER containing a value of JDOE as well as a parameter SESSION containing a value of 12345678.

To help explain some of the privacy concerns that may be associated with a 404 hijack lets take a scenario in which a web server is undergoing maintenance and a URL that normally would display a valid web document is returning a 404 error.

In this case a user is logged into [somewebsite] as user jdoe with a session ID of 12345678. After logging in the user selects the account information option on [somewebsite] and is directed to http:// [somewebsite] /accountinfo.php?user=Jdoe&session=12345678

In this example [somewebsite] is under maintenance and the server hosting the accountinfo.php document is generating a 404 message.

The Chrome browser instead of displaying the 404 message generated by [somewebsite] will display a custom error that contain links to search links that redirect to Google’s web search.

A side effect of hijacking the original 404 while maintaining the original URL is that if any of these links that are clicked or when the search button is pressed the browser will send the above mentioned data (USER containing a value of JDOE as well as a parameter SESSION containing a value of 12345678) to google.com as part of the referrer field of the HTTP headers of the created query.

In this case the user may not have intended or be fully aware that the user and session values are transmitted to Google’s servers.

>>>>>>>>>>>>>>>>>>>>>>>>>Update Sept 4, 2008<<<<<<<<<<<<<<<<<<<<<<<<<<<

It has been reported by one of our fellow McAfee researchers that when the Google 404 page is initially rendered an image file is requested from Google (exact path may very depending on localized build of Chrome). This http request also contains the referrer value referenced in the initial post. The result of this discovery is that no action is actually required from the end user for the information to be sent to Google. By the time the Goggle 404 page is displayed the information has already been transferred to Google.

When I see my son playing online computer games I am worried!

I am worried not because he spends too much time in front of a computer - it is the abundance of security issues that surround contemporary online gaming that makes me uneasy. I just had to do something about that.

So what I have tried to do is list the security problems related to online games and humbly suggest some possible solutions. The result is a research white paper that has just been posted on our Web site:

 http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_online_gaming.pdf.

If you are interested in topics like game-related money-laundering, virtual terrorist attacks, stolen virtual identities, game-related malware, virtual viral outbreaks - I dare you NOT to click the link!

The growth of computer attacks that steal user data is disturbing. The graph below shows this alarming trend. What is probably not commonly known is that approximately 40-50% of these attacks specifically target online gamers!

A recent story about a gaming malware that infiltrated the International Space Station is a good indication how serious the problem actually is.

I do believe that most attacks on virtual life can be rendered impossible or uneconomical. Equipped with our current knowledge in security there are no good reasons why our children and their virtual avatars should suffer inside the games from spam, phishing, adware, spyware, Trojans, viruses, worms, and other malware— all those bugbears that currently plague our real day-to-day lives.

During the BlackHat conference, security researcher Dan Kaminsky revealed full details on the DNS cache-poisoning vulnerability that has been all over the media the last couple of weeks. Later on the day he received an award for the “Most Overhyped Bug.”

Was that award really justified? I think not.

DNS cache-poisoning vulnerabilities are nothing new. Such vulnerabilities have been known for more than 10 years. But now we live in a different time: The threat landscape has changed significantly, and there are gangs of criminals trying to get their Trojans installed on as many machines as possible, stealing as much information as they can. We have seen just this year that they would go as far as hacking hundreds of thousands of web pages just to distribute malware. It is safe to assume that they would take advantage of a vulnerability that allows them to route unsuspecting victims to their web sites, and this vulnerability allows them to do just that. And a lot more. Just combine the DNS vulnerability with other vulnerabilities and features, such as routing the emails of the “forgotten password” feature on web sites to them, to steal login details. No one takes seriously their being able to perform all the attacks that require them to act as a man-in-the-middle, because it’s so hard to do.

Considering all this, I don’t think it was overhyped. As of today there are probably still thousands of unpatched DNS servers. So stop shouting “hype,” go patch!

McAfee Avert Labs proudly released a new version of it’s core technology late last week. The 5300 Scan Engine is the most recent major release, and boasts significant performance optimizations in terms of scan and initialization times - in addition to a 42% improvement in memory usage. As the number and types of malware continues to grow at an ever increasing rate, Avert has worked hard to include functionality in the engine to enable better detection. Features such as more effective emulation techniques and cutting edge Fingerprinting technology continue to enable our anti-malware researchers to be ahead of the game in terms of generic detections as we field thousands of new samples on a daily basis. In addition to a number of other features, we’ve added support for a few more platforms including Solaris 10 on Intel x86 and x64. Customers have tested the new engine out in the field over the last few months in it’s Beta form, and it is now the final version available for elective download from our site.

We will be auto-updating our Enterprise level customers at the end of the month in an effort to deliver the best detection and performance possible. Subsequently, Avert will no longer support the 5200 Engine after January 31, 2009.

Last night we blogged about fake invoice spam carrying malware.  Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices.  Messages may appear as follows (other spam campaigns may appear different):

—————————–
From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
   or
Subject: Online order for flight ticket [number]
Body:

Hello,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
[name]
[airline]

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).
—————————–

As with previous campaigns, the executable is a new variant of Spy-Agent.bw.  Once again, Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.

There has been a lot of hush-hush recently regarding a DNS security issue finding by Dan Kaminsky. Industry wide coordinated effort led by Dan ensured that patches were released by multiple vendors. Even though the technical details of the issue were not yet made public by Dan, an inadvertent leak by Matasano Security blog seems to have given out a lot of the information regarding the issue. At this time I cannot confirm that the findings published on the leaked (and subsequently removed) blog are in fact the same details that Dan is to make public at Black Hat, but the scenarios described in there are a very serious threat to the Internet at large. As has been discussed on a number of follow-on blogs and articles, the threat emerges from two different issues with DNS protocol.

1. Prediction of Source Port and Transaction ID: DNS primarily uses UDP packets to send questions and receive answers. The image below depicts a very simple scenario where a Client is trying to look up the IP address for www.bob.com.

Also, a DNS question (request) and answer (response) UDP packets have the following simple structure.

The Client will accept any packet as an answer to its question as long as the packet is coming from the DNS Server, the source & destination ports match the destination & source port of the question packet, and most importantly the Transaction ID and Question match its question. An attacker can spoof such an answer packet as long as he can pretend to be the DNS server and also guess the source port (SP1) and transaction ID (TID1) (the destination port is usually 53). The attacker also needs to make sure his spoofed answer packet reaches the Client before the actual answer packet from the legitimate DNS Server. The image below depicts a very simple attack scenario.

2. Additional Resource Records:  When a DNS server replies to a question, it can also include additional information in the answer to make future process efficient. A typical answer to a question such as “What is the IP for www.bob.com?” from Client DNS server to bob.com DNS server may look like the following image.

So the next time when Client DNS server needs to know the IP for another of bob.com domain, such as mail.bob.com, it will send a question directly to either the DNS server at 1.1.1.254 or 1.1.1.244.

Combining above two issues is what makes it more interesting. If an attacker is successful in predicting the source port and transaction ID (as in Issue 1 described above), and also inserts the additional information into the spoofed answer packet with the DNS servers pointing to the IP of his evil DNS server (as in Issue 2 described above), he can control the traffic directed for bob.com domain. Below is an image showing such a spoofed answer packet. 

Although everything looks simple in theory, the two important keys to successful exploitation lie in the process for guessing the source port and the transaction IDs. In reality a large number of attempts are required by an attacker to guess the source port and the transaction ID of a DNS question before an answer from legitimate DNS server is received by the victim. Some of the DNS implementations do not completely randomize the transaction IDs. They may also use the same source port to connect to the same destination DNS server to resolve a series of questions within a short time period.  Such patterns can be identified by an attacker by sending recon probes to the victim name server to lookup for domains controlled by the attacker. This combined with other strategies such as the birthday attack make it possible to guess the source port and transaction ID in a relatively short number of attempts.

It should be noted that both DNS clients and server are vulnerable to these issues although the potential impact of a successful exploitation is greater when a DNS server cache can be poisoned. If you would like to know whether your DNS server is vulnerable you can check out Dan’s DNS CHECKER or follow some of the suggestion on Sans Dairy. McAfee customers with McAfee Network Security Platform (formerly IntruShield) line of products are protected by the following attack signature id 0×40303200 that was released in sigset4.1.30.4 and sigset 3.1.67.3.

In closing, I think these are very serious issues in DNS protocol and not necessarily the only issues that Dan will be presenting at Black Hat. I guess we can wait a few more days to get complete details.

The need to pay attention to security never goes away. Fortunately, operating system vendors continue to improve their platforms, and they have made great progress in security. Traditional stack or heap overflows have become more difficult to exploit. However, we cannot become complacent because it’s clear that hackers have transferred their attention to third-party software. Some popular applications have become targets for viruses and Trojans. Just recently, many vulnerabilities were found and exploited in several popular programs: Real Player (CVE-2007-5601), Yahoo Messenger (CVE-2007-5017), Adobe Acrobat Reader (CVE-2008-2641), and Flash Player (CVE-2007-0071). All of these were found to have remote code-execution vulnerabilities, and actual exploits can be found on the Internet. So although the majority of users has installed the latest operating-system patches, they are still at risk to be attacked via third-party vulnerabilities.

A few days ago, I witnessed an actual exploit occur at a friend’s home. He was running Microsoft Windows Vista, and the attack was targeted at RealPlayer. His mistake was that he had disabled the User Access Control functionality of Vista because he did not like the alerts. So he didn’t get any warning prompts except when a message box showed that RealPlayer would close before the malicious code ran. I then saw many cmd.exe and other suspicious processes start. Windows Vista has the best security so far in the Windows family; nonetheless, all of this happened.

Watching this attack made me think of enterprise security. Businesses cannot pay attention only to operating system vulnerabilities. They need to pay attention to third-party software as well. Currently securiy in third-party software is no better than that in operating systems. So the best practice I can recommend is to use risk and compliance software to scan and find third-party software that doesn’t match enterprise policy. The final step is to update or delete these applications.

Last week, a friend, working at the French CERT-IST, alerted me to some web sites that, although they have direct access or a logon via a Google search, did not display the same result in spite of a unique visible URL. Let me explain…..

In the first case, we arrive on the normal (or official) page, but when surfed to via a Google search, we arrive at a false blog page proposing alternative and even malicious choices and links. This technique is commonly called cloaking. Its goal is to modify the content of a webpage depending on visitor parameters or browser history.

Let’s me first give you an example. Using IE, I enter in the address bar an attacked URL. I directly reach the site:

Using Google, I search for the same site:

I then follow the link and…. Surprise! I arrive on a fake blog page named for the site I searched however it is not the expected one; it is a rogue advertising page.

If I wait on the page and do not browse any proposed link for a few minutes, the normal web page is then displayed in place of the fake one. But if I chose any of these links, I am taken to some very suspicious advertising sites.

To achieve this deception, the main page contains a mere instruction line that launches a malicious javascript, with a long unescape sequence.

When decoded (today, for this job, I used facilities offered at
http://scriptasylum.com/tutorials/encdec/encode-decode.html), I discovered the link to reach the others “recipes” of this attack in an obscure subdirectory.

Using Google, I found this file architecture was not unique. Today more than 80 sites are affected by this attack, luckily these malicious files are detected by McAfee as Exploit-PHPBB.b

It seems this attack benefits people being paid through “pay per click” and/or people behind some rogue software like fake anti-viruses or naughty encounters. For sure, it is a profitable business!!

As early as 2006 the IP addresses revealed by Fiddler were pointed as suspicious. Two years after, they are still alive and still hosted at Global Net Access, LLC and ISPrime Inc, two American companies.

Various URLs visible in the Fiddler web session contain affiliate IDs. Calls at findwhat.com makes one think that the MIVA pay-per-click search engine company is the one involved in this story. As each new page loads, this server records the affiliate ID. This makes it possible for him (the affiliate) to get paid for each click. Consequently, it should it easy to unmask it! 

At this point we can say that nobody seems in a hurry to stop this cloaking party. It looks like many people do well out of it! 

Recently, a piece of malware named MachineDog attracted attention within the China security community. The malware itself appears to be a well designed tiny rootkit, and is quite different from other malware. One special characteristic of this malware is that it’s designed to penetrate the hard disk as well as security software, which are installed in most internet bars and cafes. This means it can infect most machines in many internet bars and cafes, in some cases without too much resistance.

The malware is composed of a user-mode application part and a kernel driver part. The application part does limited work, which includes extracting the driver and installing it as service, then communicating with the driver by io control. The earlier version of the application part does the infection work by sending IRPs into lower disk driver device(\Device\Harddisk\DR0) to locate and write userinit.exe onto the hard disk directly. In later versions, the infection works are improved and moved into the driver itself, leaving the application part tiny and simple.

The driver does the most important work. It does the infection which was implemented earlier in the application part. Its infection method is quite special and interesting, which can bypass and penetrate many hard disk protection software, and some security software. First it reads the atapi.sys driver file  from the hard disk then searches dispatch routine addresses in that driver’s body, to bypass any existing dispatch routine that have inline hooks. Why choose atapi.sys? Because the device created in atapi.sys is the last device in all the device stacks that the IRP passes through, and it’s the end of this IRP. Sending IRPs to this device can avoid all filter devices and inline hooks in any upper device which are used by some security software or protection software. Then the malware sends IRPs to the partition device dispatch routines in atatpi driver to read and write data directly into hard disk. It first reads data to locate which sector userinit.exe is resident in so it knows where to infect. It then writes the inject codes into the hard disk by that way and will att that point modify userinit.exe. At last it will remove inline hook of atapi devices if they’ve been inline hooked until it receives the close command from application part.

Most internet bars and cafes rely on hard disk protection software excessively, and mistakenly believe these types of software can replace security software. Once their machines are infected, the administrator just restores from backups made by the protection software. This malware takes advantage of this contrived neglect. The attack is so dangerous that once it successfully loads its driver into the kernel, most hard disk protection software will be nothing but an empty shuck, with the administrator still having no idea!!!

McAfee customers are protected from the threat by DAT 5337.

Reference:

http://article.pchome.net/content-515951.html

http://tech.ccidnet.com/art/1099/20080709/1501723_1.html

http://www.xj.xinhuanet.com/2008-06/20/content_13599327.htm

On July 1 we released the results of our S.P.A.M (Spammed Persistently All Month) Experiment, in which 50 people from around the world surfed the Web unprotected for 30 days. By taking part in the experiment, participants were given permission to go where most Internet users would not dare, in order to discover how much spam they would attract and what the effects would be. Go everywhere we have told you not to go. Click everything we told you not to click. We then studied the daily blogs and analyzed the spam itself and confirmed that spammers are as active as ever; they are increasingly using psychological tricks to lure Internet users to part with their contact details, identity information and cash. The experiment (the first of its kind) clearly shows that spam continues to evolve, utilizing more local languages and cultural nuances, as well as becoming much more targeted in a bid to avoid detection.

Our brave and bold participants were assembled from 10 countries and by the end of the 30 days they received more than 104,000 spam emails–that’s an average of 2,096 messages each, the equivalent of approximately 70 messages a day.

Many of the spam messages received were phishing emails: emails that pose as a trustworthy source to criminally acquire sensitive information such as usernames, passwords, and bank account details. Other emails carried viruses, and many allowed malware to be silently installed on the computers by persuading participants to surf unsafe web sites. A number of participants noted a decrease in their computer’s processing speed, as well as an increased number of pop-ups.

The Global ‘Spam League’:

1. United States 23233
2. Brazil 15856
3. Italy 15610
4. Mexico 12229
5. United Kingdom 11965
6. Australia 9214
7. The Netherlands 6378
8. Spain 5419
9. France 2597
10. Germany 2331

To read more about the participants experiences, go here
and make sure you download the ‘Global Spam Diaries’ as well.

There mustn’t be much going on in the world today as the Nuwar spammers have moved from jumping on real news of natural disasters and current affairs to creating their own fictional events! This high volume spam campaign is using some wacky subjects to lure people into clicking on the links:

Subject: Britney found hanged in locker room
Subject: White House hit by lightning, catches fire
Subject: Oprah found sleeping the streets
Subject: Eiffel Tower damaged by massive earthquake
Subject: Donald Trump missing, feared kidnapped
Subject: Lastest! Obama quits presidential race

This clever social engineering technique plays on peoples inquisitiveness in news of natural disasters and celebrities. The emails also follow the simple format of some text and a link that looks fairly harmless to the uneducated user.

All the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video (that’s actually just an image) it tries to download a .exe file. This is detected as BackDoor-DNM and the spam is also currently detected with our Anti-Spam products.

So it goes without saying.. NEVER click on links in an email unless you are sure of its origin, keep your Anti-Virus software up-to-date and if you have a website make sure its properly secured so you’re not hosting stuff like this.

There has been some debate in anti-phishing circles over what a hosting service provider should do when taking down a phishing site. It boils down to one of three basic actions the victims witness.

• Redirect the hits to the brands legitimate site - This in my opinion is a dangerous thing to do on many levels and any brand requesting this action will feature on a follow-up shortly.
• Remove the site and throw the 404 error - Just stopping the site working and having the browser present a standard error is the standard check-box reaction & minimal effort.
• Use the hit as an opportunity for education - This is by far my favored option (even though I’ll play devils advocate when it’s discussed). Once a victim has fallen for a phish email, help them to help themselves in the future with some easy to understand education.

Education has to be appropriate, I’m not suggesting at “click time” is a good time for presenting the user at the Anti Phishing Phil game for instance. (Phil is great though if you’ve never seen it). “In your face” education at click-time is a topic close to the heart of the APWG, they will present their advice on the topic very soon.

So back to the raison d’être of this blog, a 10 gallon hat tip to AT&T for this great vishing takedown. [Listen to the mp3]*. They’ve raised the bar with this one and deserve some hearty kudos. I can’t think of a better way of dealing with a vishing number. The continuous unavailable tone has no place here since it’s easily confused with mis-dialing ^{(Homer mp3)}. They have replaced the disconnected service with a great education statement and sound advice too if the caller thinks that they were a victim.

^{* The quality is much better on the phone, I used our conference bridge to record the example.}

Last night our researchers identified similarities between the recent Adobe Flash exploits and a known (patched) vulnerability: CVE-2007-0071. At first, this appeared to close the case, but there was a report of a patched version of Flash falling victim to one of these attacks, and we’ve seen an SWF file referencing a missing file named WIN 9,0,124,0i.swf, which also suggests that the latest version of Flash is the target of that file.

The exploits that we have captured from the field do not appear to exploit the latest version of Flash. We continue to hunt for missing 9,0,124 exploits and will post an update should one be discovered. In the meantime, it’s best to update to the latest player, if you haven’t yet done so.

Yesterday, when analyzing a variant of a FakeAlert trojan, I saw something funny, a confirmation that when analyzing malware it is rather common to stumble across interesting stuff

So, we received a file named 4nlSkgZm.exe, which of course is a really dodgy filename, but we’ll pretend we didn’t notice . When I tried to run this file on my goat machine, it of course started installing itself and displaying the usual “you are infected” popups, but it also decided to be even more clear in telling me I was infected:

What happened? Well, nothing too fancy: the malware replaced my existing background with a dropped image, and then set my current screensaver to “blackster.scr” that was dropped too. It is interesting to note that the “blackster.scr” is a legitimate screensaver, and we are sure that the original author would never even imagine that his funny creation could be used like this!

All in all a rather effective method of scaring the victims of this threat

I was at the APWG CeCOS II conference in Akasaka, Tokyo, Japan the last two days. It was encouraging to see many members from not only academics, security vendors, and anti-phishing groups but also many law enforcement agencies including Interpol, Kyoto Prefacture Police amongst others. There were also several presentators from the Online Gaming community.

Having such a diverse turn-out certainly helps push the greater awareness of a multinude of cyber crime issues. It was very encouraging to see everyone are agreeing on better co-operation in shutting down rogue sites, tracking the bad guys and protecting the users. There was also the video crew from NHK, to bring the CeCOS message across to Japanese TV viewers.

Dr. Uchida-san from The Institute of Information Security and Steve Sheng from Carnegie Mellon University (CMU) also presented a different angle of the issue, from the psychological and educational aspects. Both of which compliment the policy and technology countermeasures.

Shinsuke Honjo and I gave a presentation on Monday to highlight on how malware authors are now going all out to attack on victims from all cultures. They can craft spam, phishing sites or malware to target diverse cultures and groups of Internet users in the Asia Pacific region. It was interesting for us to have our research corroborated with data from other speakers at the event. Terence Park, researcher from KrCERT/CC, in particularly demonstrated how a Korean document viewer was used as a bait, to install a password stealer. This was another classic example of how malware authors, can be using different localized techniques to get their victims.

Overall, the message that seems to be very consistent throughout are - co-operation and education. In tackling a global issue like cyber crime, these are both important factors not only in tracking and prosecuting the criminals, but also in better protecting Internet businesses and users.

Here’s a quick update to the earlier post on a new unpatched Adobe Flash vulnerability.  Through looking for sites serving these SWF exploits we’ve found a connection with recent mass hacks.  Hacked sites reference an external script, just as they have for quite some time.  But, the external scripts now reference an SWF file.  This SWF file references another SWF file named: WIN%209,0,124,0i.swf (WIN 9,0,124,0i.swf), which seems to be off-line.  While we can not confirm this last SWF file attempts to exploit this new vulnerability, Symantec mentioned the same domain serving the exploit earlier.  SANS also mentions another domain, and 2 presumed exploits, named WIN%206,0,79,0ff.swf (WIN 6,0,79,0ff.swf), and WIN%206,0,79,0ie.swf (WIN 6,0,79,0ie.swf) also off-line.  These file names suggest 3 things.

1) Different exploits are crafted to exploit different versions of Adobe Flash, in this case 9,0,124,0 and 6,0,79,0.
2) Versions of the exploit may also exist, or be under development, to target other operating systems, as the aforementioned file names begin with WIN.
3) Exploits exist for both Internet Explorer and Firefox, as the file names end in “i”, “ie”, or “ff”

Thus far we’ve identified 2 particular domains involved in mass hacks that are also believed to have served these Flash exploits.  Combined, Google yields approximately 250,000 page results when searching for those references (ie. compromised sites that link to scripts that link to flash exploits).

Again this threat is still under analysis, more details to follow.

It’ll come as no surprise that there are a bunch of domain registrars that are effectively supporting criminal gangs by not acting on reports of domains run for evil deeds and criminal activities. (Or as we say: They don’t wear a glowing white hat!)

I was chatting on email with Garth Bruen from KnujOn the other day and we agreed that it’s been well known for a long time in the industry that certain registrars are “black hat” and he questioned what was being done about it and pointed me at a story they had worked with the Washington Post on the subject of their top ten documented here: http://www.knujon.com/registrars/#the_list.

For a different data source (and one that looks very much like our own ) URIBL’s “hall of shame” has been on line for ages and can be viewed here: http://rss.uribl.com/nic/

I don’t take these things at face value but I’ve been aware of this issue for a couple of years and have even stood up at an APWG conference and shook my finger at registries and registrars in the room after an early presentation on double-flux and made sure they knew only they could help fight it.

Well it looks like Garths article and PR worked, the wheels of power at ICANN have turned and they have told the worst registrars to act!

So my hat tip for the month of May has to go to Garth, Cool.. Nice one… and congratulations!

ICANN state

“But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names,”

I suspect however that the “inaccuracies” relate to the accuracy of whois information and if that is the case I suspect that the registrars will simply start their own privacy services.

NB: Privacy and anonymity are different things if your a LEA (Law Enforcement Authority) within your jurisdiction, but to me the humble lower middle-class sysadmin (Hi @SRS) and those outside of their primary jurisdiction they are effectively the same impenetrable barrier. We repute against domains registered with privacy services because statistically speaking (in the filtering metric truck-loads of email world) they are used as anonymity services more than privacy.

Competition time: Just for fun, I’m going to open a book on the first registrar to expire date and put a black McAfee Baseball Cap up for grabs. (We engineers don’t get much SWAG, let alone give it away). Just leave a message with the registrar you think will stop trading (or be disaccredited by ICANN) first and the date you think they will be gone on.

^{Employees of McAfee, KnujOn and ICANN need not apply, I’m the judge and my decision is final!}

Final thoughts: All we need now is a few of the heavily abused cc-TLD’s to do the same and dive into the fight before we see more of these.

In the United Kingdom the term “Postcode Lottery” refers to situations where public services are available to certain postal districts where these districts are carved up by government authorities according to the first 4 characters of the post code (Our equivalent of the American Zip code*). In densely populated areas it is entirely possible for one end of a street to be lucky in a postcode lottery and the other end to be unlucky.

So, postcode Lotteries in the UK are generally bad news. They always get press attention. For instance the national health service (NHS) local trusts will provide a superior premium drug in one area but not in another creating what is known as a Postcode lottery. Prescription charges is another good example.

The remote money fraudsters are taking a very different view!
According to the bottom-feeders a Postcode Lottery is a competition you can win!

Sample below from my yahoo account. Notice the rotten spelling and the possible macro replacement issues, incidentally we call these PBCAK issues internally (Problem Between Chair And Keyboard)

Subject: National Postcode Lottery

National Postcode Lottery

Attention:-

Winner We bring to your notice the winning letter from Nationale Postcode Lottery {United Kingdom Promotion Company} held on the 8th of May, 2008 through Internet ballot System among 10,000 Microsoft users.Subsequently, your email address attached to ticket number 24.2.6.37.15.45 won contract sum of 800,000.00 Pounds ,winning number 100364,ref number XX/0999/171ESP and BATCH: 1211504/MIU.

We request you to pay serious attention to this notification by contacting the claims department with claim information and procedures of claim.

Mr.Jose Bolton
Tel: +44-871-nnn-0525
Fax: +44-700-nnn-0445
Email:divineagent@sify.com

Congratulations once again from our members of staff and thank you for being part of our promotional program.

Yours Sincerely,
Mrs. Stefian Smith
National Postcode Lottery

—————————————————————–
Find the home of your dreams with eircom net property
Sign up for email alerts now [advert removed]

Hardly a political issue, I’m sure you’ll agree. 419 plain and simple. But we’ve seen that email address a lot recently. Time for a good old fashioned LART’ing!

^{*The full 7 character UK postal code is very accurate, it refers to the handful of mail a postie can deliver, approximately 10 houses or thereabouts.}

When analyzing malware, it is not uncommon to stumble across interesting situations. Recently, I have been analyzing a variant of a FakeAlert BHO. This threat isn’t notable; it displays “alert” pop-ups when correctly installed, and prompts users to download a fake anti-spyware product.

However, when analyzing it, I noticed that this BHO was trying to access a file named “f***youspilberg.bat” located in the root folder of my research machine. Of course, with such a name, I immediately got interested and started to dig deeper to see what was going on.

After removing the inevitable compression layer, I was quickly able to locate the file access operation inside the FakeAlert’s code; specifically, it resides inside the DllRegisterServer export function, which is used to initialize BHOs.

After analyzing the code, I saw that the routine which contains the file access operation will perform checks on the existence of this file and the file creation date, returning TRUE if the checks are OK or FALSE otherwise. This again increased my curiosity.

So, I resumed analyzing the code that follows the invocation of the routine which performs the check on the f***youspilberg.bat file:

We can see now that if the checks on the file are succesful, the next block of code will be bypassed. What is that block of code? Why do we want to bypass it? After looking further, I found that block just checks for the presence of VMWare. If VMWare is detected, then no other operation occurs and the FakeAlert silently exits.

Glueing this all together, our code becomes:

Now we have all the pieces. If the f***youspilberg.bat file is found, then the anti-VMware check is skipped. Otherwise, we need to verify that we are not running inside a VMware box. The VMware check is performed to prevent analysis in a safe environment, but why bypass such a check if the f***youspilberg.bat is present?

We can only guess. It is probable that the authors of this FakeAlert needed to test their creation, and they have probably decided to use VMware for their testing. By placing f***youspilberg.bat in the root of their VMware image, they could do the testing without being caught by their protection mechanism.

But the real question is, What did “Mr. Spilberg” do to the authors of this malware to arouse such antagonism? Maybe they don’t like the return of Indiana Jones? Or are they scared of E.T.?

Malware authors make use of any opportunity to spread malware. Using hot topics is one of the methods to attract users to click on malware files. Recently, we received a specially crafted Microsoft Word file, detected as the Exploit-MSword.b Trojan, which launches a clean Word file to deceive users while in the background it drops a downloader.

The contents of the launched clean is an article about the earthquake in China.

And here is the source for the Word file:

We also received the following Trojan files:

“Earthquake Information.doc.scr”
“photos about earthquake of Sichuan.exe”

This is not the first time that tragic topics are used in malware infections, and users need to keep in mind that malware authors will keep using this method.

This week’s news brings another report about arrests of people involved with Crimeware. This story is particularly notable due to the large number of individuals being charged, and because it’s been jointly announced by U.S. and Romanian authorities. Many people involved with gathering information on and prosecuting online criminals have complained about the lack of cooperation from certain countries, but this certainly shows that progress is being made in that arena.

One thing I thought was especially interesting in the report was the description of the process that was allegedly being used by the people involved:

According to the indictment, the Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack. Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information. The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet chat messages. The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys. Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs. The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point-of-sale terminals that the cashiers had determined permitted the highest withdrawal limits. A portion of the proceeds was then wired to the supplier who had provided the access-device information.

This strikes me as a wonderful illustration of the resources that are now being put into the process by criminals. This isn’t a simple operation with some lone kid in his basement; this involves a network of people gathering information and testing, and relatively expensive card-writer hardware.

In March I blogged about a round of mass Web site compromises. Since then there have been several other instances discovered, as well as a couple of smoking guns. The net net is that the bad guys are using automated tools to find and attack Web applications that are vulnerable to SQL-injection attacks. Many of these applications are homegrown and thus there is no patch or hotfix for administrators to install. This means that simply removing the injected malicious code won’t last long.

Just now I was reviewing the latest batch of hacked sites, and I noticed pages that were previously compromised and “repaired,” only to be compromised again. The entry point for these attacks must be closed in order to thwart future attacks. This means that underlying code must be audited and improper input validation must be corrected. And given that many Web administrators install out-of-support freeware and shareware applications, we can expect many sites to remain vulnerable for a very long time.

McAfee’s Foundstone Hackme Shipping Tool can be a useful resource for those in need of a better understanding of how common Web application attacks occur and how to properly code against them.

Almost two years ago in 2006 Debian decided to clean up their OpenSSL implementation. They found a few lines of code that were causing Valgrind and Purify to complain about access to uninitialized memory. Without a major investigation into the purpose of the suspect lines of code they were simply removed. All basic tests continued to pass with the lines of code removed and Purify and Valgrind both stopped complaining about the improper memory access. The change was forgotten and everyone believed that the OpenSSL implementation was working just fine.

For the purposes of all the OpenSSL algorithms there was no deficiency. Encryption and decryption and hashes would be calculated correctly. The problem was that the PRNG used for generating keys by the OpenSSL library had been crippled when those critical lines were removed back in 2006. This was not discovered until just this week when Luciano Bello discovered that without those lines the only ‘random’ data used to seed the PRNG was the PID of the OpenSSL process. On many Linux systems the PID is limited to a positive signed 16 bit value. This means there are only 32,767 possibilities. When new keys and certificates were generated by OpenSSL they relied on this number to provide all of their entropy.

The consequence of this bug is that from September 2006 until May 2008 there were only 32,767 possible keys that could be generated by OpenSSL. Several individuals have generated “black lists” of every possible key that this OpenSSL implementation could generate. According to some reports this entire list can be generated in a couple hours. This weakness affects any key generated by OpenSSL including SSH and DNSSEC keys among others.

Many machines will fail to be updated in a quick manner after the discovery of this vulnerability. There are already many botnets which spread by simply brute forcing common username and password combinations over SSH. It will probably not be long until some of these networks are modified to start attempting RSA authentication using the faulty OpenSSL keys. These attacks will not take long to develop and have the potential to compromise large numbers of machines. It is important for administrators to note that even if they replace and upgrade the OpenSSL package they must recreate and replace any keys or certificates generated by the broken OpenSSL kit.

The moral for developers is to always be sure you understand the impact of your code changes. This goes extra for critical libraries like OpenSSL. Minor and seemingly inconsequential changes can leave major problems festering undetected for years. There may also be some changes in the way that Debian developers work with the developers of other related software packages like OpenSSL. Hopefully increased communication between the development teams in the future can prevent this kind of bug from recurring.

Following the big noise that the latest mass injection of sites with malicious Javascripts infecting many computers via a number of exploits I decided to take a look at the trail that was left behind, which has proven to be an interesting exercise!

A few days ago I noticed a large number of websites that were misbehaving and I came across many pages that would fire up the usual ActiveX alert on my Internet Explorer 7 after loading a Javascript called (on this occasion) addr.js … Not surprisingly these were mostly based in China and here is a snippet of code that most of you would probably recognise by now.

So far nothing new, the Javascript function you can see above, designed by Dean Edwards to obfuscate HTML code, it has been discussed in many posts and this is a popular method for a web developers to “hide” sensitive source code on their pages. It is unfortunately also a popular method to hide malicious code too. and the example above does just that, in fact here are some interesting parts of the decoded version from the above example:

try{if(navigator.userAgent.toLowerCase().indexOf(”ms”+”ie 7″)==-1)

This will check if version of Internet Explorer is 7 and the script will then load the following IFRAMES depending on some other factors such as GMT, ActiveX, presence of Real Player version etc.

<iframe style=display:none src="http:// :///ms.gif">
<iframe style=display:none src=":///xl.gif">
<iframe style=display:none src="http:// :///bd.gif">
<iframe style=d'+'isp'+'lay:none src="http:// :///r'+'eal.g'+'if">
<iframe style=d'+'isp'+'lay:none src="http:///r'+'eal_new.g'+'if">
<iframe style=display:none src="http:// :///lz.gif">

As we can see 6 IFRAMES are hidden in the code, and they will load various pages with exactly the same exploits (with minor variations) that were used in the recent mass injection a couple of weeks ago.

So you might ask now, what’s new about that? Well, what is worrying is the fact that the pages loaded by the IFRAMES will attempt to grab some fake GIF (image) files that are in fact hiding more Javascript code but this time the code is obfuscated by yet another commercial tool called HTMLSHIP.

The following snippet is an example from one of the pages hiding a RealPlayer Exploit:

As you may have noticed this is pretty much un-readable but here is the important part of the code de-obfuscated using one of my favourite tools, the Caffeine-Monkey implementation of the Mozilla Browser engine from Ben Feinstein and Daniel Peck at SecureWorks.

----------

Above we can see the CLSID for the RealPlayer ActiveX Control.
And below we can see some of the code used to exploit the vulnerability described here.

----------------

So far I have seen a few variations in the domains used to host the various exploits involved as well as in the names for the Javascript file and we will be monitoring these for changes to see if it will be used more extensively in the future.

As of today the samples I discovered are still not detected by any AV … Well except one that is…

An additional note is the fact that the techniques used in obfuscating malicious Javascript on webpages are becoming more sophisticated and more difficult to signature for conventional AV Engines.
Nowadays there are a large number of tools similar to the ones mentioned above allowing malware authors to obfuscate with ease.

A quick parallel with binary files and their respective packers (compressors, protectors, encryptors and so on) this is not a new technique but as I said things are becoming more sophisticated just like with UPX vs the likes of Armadillo, ASProtect and others.

To hide or not To hide

In an Ideal world the people making this commercial protection software available should have no need to hide code in such convoluted ways and perhaps, in the case of web-design people should be more aware of other practices to make code secure and safe for copyrights and/or trademark reasons. For example server-side scripting, or using Ajax and Java for servlets.

If I was to embark in the task of leeching the code of a particularly interesting web-page and I understood the inner workings of scripting languages such as Javascript or the Microsoft implementation for IE’s JScript I would not be stopped by such trivial means of hiding the code that can be easily reverted to the original look with a few clicks and the latest version of a browser engine like the Mozilla Java-Script C engine.

Many Ideas are being brought forward in the field of packing and how to counteract the incredible rise in malware variants caused by it. Perhaps people making legitimate software and writing legitimate HTML code for web-pages should start coming to terms with the fact that “Security through Obscurity” has failed miserably to deliver and that, the cleaner their products the easier it will be for all of us to identify suspicious illegal software/code making the task of identifying the bad guys a little less daunting….. however this is far from an ideal world
Errr…. Linux anyone?

Mozilla came out with an advisory yesterday warning users of compromised files in the Vietnamese language pack for Firefox 2. This was not the work of a malicious hacker or intentional booby-trapping of the files by the author but the result of a careless internal virus infection.

The author of the add-on was accidently infected and every help file (*.xhtml) in the Vietnamese language pack for Firefox was modified by the virus and appended with a script. Any user who installed this language pack would have malicious ads displayed in their browser and could have potentially being infected with other exploits.

The script linked to hxxp://js.k0102.com/[Removed].asp (currently offline) - a remote website based in China. The offending script in the compromised help pages have since been removed by the Mozilla developers.

According to Mozilla’s blog, anyone who downloaded the most recent Vietnamese language pack for Firefox 2 since February 18, 2008 would have potentially got an infected copy. The exact number of compromised downloads cannot be ascertained, but since this affected only users who downloaded the Vietnamese language pack, the numbers could be limited.

When contacted, the Mozilla developers were quick to respond and provided us a copy of the compromised files.

McAfee users are pro-actively detected against this threat. The malicious HTML pages are already detected as the W32/Fujacks!htm virus with the 5174 DAT files that were released way back in 29th November 2007.

Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks, such as Gnutella used by Limewire.  I took some time to create a video clip showing what the infection process looks like.  In doing so, hundreds of additional media files were uncovered.  Most leading to the aforementioned site, freemp3player.com, but others leads to different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While this demo below shows that user’s must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3″ files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler - ie. default browser).  Not all media players support this functionality.

Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee.  Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days.  However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

• Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
• Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
• Accepting underground and child labor.
• Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
• Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
• Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

There’s been considerable stink lately about the Race to Zero contest that is to be held at Defcon. I, for one, am a bit perplexed by this. This article from ZDNet Australia is what finally made my eyes cross in confusion/aggravation.

I don’t know at what point the collective “wisdom” became that signature-based AV was ever intended to be about defending against every threat ever devised, before it was ever devised. Signature-based scanners are intended to detect and clean known threats. If you modify a known threat, it’s not really “known” anymore, is it? Now it’s a variant of a known threat.

It’s certainly desirable to have protection against all threats, known and not-yet-known. This is what things like firewalls, Intrusion Prevention Systems, Data Leakage Prevention and all those other wonderful security products are intended to do, in concert with AV. Most AV software now also includes proactive static detection like Generic and Heuristic detection, along with more dynamic detection like emulation or behavioral detection. Many AV programs now also include broader security functionality like a firewall or IPS.

Generic and Heuristic detection is certainly better at picking up unknown threats than simple signature-based scanning, but there are three things that limit it. For one, it’s still reactive, basing detection on known bad techniques. Secondly, it’s static - obfuscation can still muck up the detection, if it causes the file to deviate from the known bad technique. Finally, there’s still a need for these detections not to be false-prone. Heuristics and generics essentially cover known “really, really bad” techniques. The threshold of badness must be quite high to make it into AV products. Consider how many commercial products and widely used administration tools blur those lines, and you may come to appreciate what a very fine line it is.

It’s not clear from what I’ve seen whether the contest’s judges intend to use the most paranoid settings available within the various products, but their description does seem to indicate they’ll only use the static detection, rather than running it real-time through the products. This does not accomplish a full testing of the products capability, it only tests one component. The results they get will not be what an average user will get.

The contest organizers and participants are playing with fire in order to prove what we already know: Signature-based scanners are meant to protect against known threats. That doesn’t mean that AV is dead, or that it’s useless. The industry is evolving, and its products with it. AV is intended to be one tool in a complete security arsenal. Defense in depth is where it’s at, if you’re really looking to protect your network.

So, on a bright Friday morning here in Brazil, I was analyzing an interesting piece of malware. Well, this piece of malware was sending encoded data to gooqle-analytics.com…hmmmm maybe trying to get infection statistics?

We have seen this before…but something wasn’t quite clear… it seemed that this was all that the malware was doing… hmmmm ok… checking a little closer, I could see the traffic generated… it was encoded traffic… not common for Google Analytics…

A little more research revealed that there was a dll injected in the svchost process, and analyzing this packed dll revealed that its purpose was to steal information and send to gooqle-analytics… but what the heck? Is Google stealing my info? NOT!!! As some of you noticed reading this blog, I did not misspell the name… it was sending the info to gooqle-analytics.com, and not google-analytics.com…

This gooqle thing domain is hosted on a IP in Italy…yea…bad,bad gooQle…!

I was not at all surprised when I first saw the Trojan named anticnn.exe, because I’ve followed recent events between China and the Western media. I am not going to offer any political comments on the conflict between these parties; however, the appearance of this malware well illustrates how information warfare works and further proves that this kind of nonmilitary, nongovernmental battle has become an increasingly common phenomenon.

The Chinese “hacktivists” obviously have no intention of hiding their origins. The file has the flag of the People’s Republic of China as its icon. Upon execution, the red flag is displayed in the lower-right corner of the desktop. After a user clicks the flag, a window with a picture of Mao Zedong pops up with the message “It is a red flag action: using rational action to express your patriotism. That attack target is www.cnn.com.”

The file connects with www.cnn.com and keeps sending HTTP GET requests. The Chinese “hacktivists” seem to believe that as long as there are sufficient participants they will be able to succeed in their attack.

McAfee has detected this malware. I remain concerned, however, that anti-virus detection can prevent only those users who are unaware of the situation from getting involved in this event. Eventually this Trojan could be widely distributed via spam, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. This attack looks like it will be hard to stop if many “infected” users intend to get this tool and run it intentionally.

Just one day later, we came across another tool designed for the same purpose. The difference with this tool is that it does not have a hard-coded target address. Instead, it allows users to manually input a target’s IP address or DNS name, and TCP port. Obviously, the organizers do not wish to name their target too early. In the setup program’s readme file, it says the attacker will inform the target a half-hour before the attack will be launched. Another interesting point: The tool developer states in the readme file that the tool has no backdoor inside. That makes me ask, Should the average user trust the developer’s claims?

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:

Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by means of “detecting” bogus infections on the system and frighten the user into buying the rogue software in order to clean the fictitious malware that that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use Responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To do this often times similar techniques such as those used in product marketing are involved. Responsible browsing practices can include identifying when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature, however being able to tell when these methods are utilized can sometimes help one to know when to ask more questions about the motivation or intentions for the use of the tactic.

Do some quick research:
If something does flag ones attention it may be worth the effort to do some quick investigation. Use a well known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third party opinions or reviews. This may help provide some additional counterpoints that may help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!!

Some news is in circulation regarding a recently disclosed (and patched) vulnerability in Adobe’s Flash. The attack used dereferenced NULL pointers, which were believed to be very hard to exploit.

The findings were first revealed in a paper called “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine,”(pdf) by Mark Dowd. The paper described a new technique for causing exploitable memory corruption vulnerability in Adobe’s Flash. Whilst the technique has targeted the ActionScript Virtual Machine for Win32/Intel platform, it’s understood that the attack could be carried out on any other platforms where Flash is available. The real question is whether this attack can be more generic to target dereferenced NULL pointers in general!

It is possible to do so, but it’s not that easy. There are certain conditions an exploit of this type has to satisfy before reaching the ultimate goal. Dowd used some wacky techniques to inject malicious ActionScript byte code into Flash runtime (basically by crafting an SWF with something to trigger the vulnerability and point the execution to another loaded-in-memory part of the file that had the malicious content). Then he forced malloc() to fail by trying to allocate some huge memory chunk. When malloc() failed, it returned NULL.

(OK, at this step a program trying to access a NULL pointer would basically crash, and something to check for malloc() return value is necessary to prevent that crash.)

In this case, Flash didn’t check for malloc() failure and did some pointer arithmetic operation to add the value of the pointer (NULL here) to some offset. Now, this “offset” was controllable, and this is where Dowd had preloaded his malicious content. (Don’t get too excited, folks. There were quite a few other conditions that Dowd’s exploit had to meet before loading his payload. But I’m eliminating a lot of details to present the overall picture). So now we have a pretty successful and reproducible exploit on Flash ActionScript VM. It even bypassed Vista’s ASLR because Vista’s Flash was compiled with the runtime security bit off.

Now, scaling this attack against native code is more difficult in spite of the success it had against ActionScript VM. We will still be looking for a controllable offset and a place to preload our payload. Nevertheless, it is still a neat discovery when taking into consideration the level of complexity needed to load the malicious payload.

This discovery reflects a trend that it is possible to circumvent runtime security countermeasures such as ASLR and the like by targeting other environments with higher privileges running on top of the native platform. And if you’re involved in any secure development lifecycle, you’d better go and check your code!

As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.

In 2004 and 2005, bots were placed in a separate group of their own, separate from viruses and Trojans. Their names often ended with « bot » (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of separate variants we had in our collections (the zoos) at the time, statistics showed a constant increase.

We have noted since then that a lot of malware has a remote-control feature (i.e. they are bots). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. As of today, much of this remotely-controlled malware are known under various malware family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently our counting methods have to change.

On the Internet, various websites allow us to measure a different aspect of the threat.

For example, the Shadowserver Web Site shows us a botnet count. The following graph is a count of all the active Command and Control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2900 botnets today compared to 1400 one year ago:

Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf’s talk at the World Economic Forum in Davos, Switzerland and explained that he estimated 100 or 150 millions machines as infected represented over 10% of the PCs connected to the Internet. At the same time, some sources estimated less than 10 millions machines when others say they identify nearly 250000 new bots, or infected IPs each day.

Various techniques can be used to track zombie machines. I will only quote one to allow me the opportunity to give you some interesting links:

1. Observing DNSBL queries
   Method is exposed in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted or not. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from valid DNSBL traffic performed by legitimate mail servers.
2. Watching IRC traffic
   It is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for any signatures matching known botnet commands.
3. Checking Behavioural Characteristics
   As an example, researcher Stephane Racine demonstrated that IRC bots were idle most of the time on a Chat IRC channel but responded faster than a human upon receiving a command.
4. Searching for malware hashes on P2P networks
   With decentralized Peer-to-Peer botnets, compromised nodes on the network can be identified by their retrieval of hashes known to be associated with botnets. The College of Computing and Informatics University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot could either be actively running on a network without a true Internet connection to determine current hashes, or the hash generation algorithm could be extracted from its binary to generate hash sets on the fly based on the limited set of random integers and the current time.
5. Watching attack traffic
   Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the amount of compromised computers. Since January 2008, the Shadowserver graphs demonstrate a huge increase in this field.

To conclude this post, I have to say that looking at these studies did not help me in calculating how many computers are, at the moment, affected by bots! Extrapolation between 120000 or 150000 items known as active in a botnet at a given moment and a total number is hard to envisage… However, making these searches was not useless. We can certainly predict an increase in DDoS attack will be a 2008 issue and, for sure, more and more botnet will be used in the field ; perhaps 40 or 50% of them.

Inspired by a comment in SANS that domain names bearing “hurricane” and the names of this year’s named storms were already being registered, I decided to look into the matter further.

[For ease, "hurricaneNNNN" represents all the potential named storms. The names that will be used for the North Atlantic storms in the upcoming years can be found here.]

Apparently, there is someone who plans to make DVDs of each potential disaster as all instances of hurricaneNNNNdvd.com for the 2006 named hurricanes are already registered. I guess his business plan doesn’t extend to 2007 however.

The Anticybersquatting Consumer Protection Act forbids the registration of domain names that misappropriate the use of a trademark. State laws and International convention have extended the concept to celebrity names. However, guessing that a storm will become a hurricane and prospecting that idea is just fine. (As long as the WWF doesn’t already have a wrestler named Hurricane already using that name.)

But in line with the concerns raised by SANS of potential fraudulent use of web sites bearing the names of this year’s potential hurricanes, I sought some out. A number of patterned uses have all been registered already, bearing all the names of this year’s and next year’s storm names. Even some of the names for 2008 storms are already registered. A far-thinking entrepreneur might consider registering all 126 names. For, even if a named storm does not turn into a hurricane, that name will become a candidate again six years later.

It turns out that a particular series of sites have been taken, except the registrant misspelled Debby as Debbie and Michael as Micheal. (See related, “typo-squatting.”) I have asked McAfee to register the domain names of hurricanedebbyrelief.com and hurricanemichaelrelief.com. We all sincerely hope that these two domains will expire worthless and the named storms will become just statistics on naval charts, their names to be recycled in 2012. But should the storms present its wrath and hurricane relief become necessary, these domains will be donated and transferred to the Red Cross.

You can see for yourself what other people are thinking. Go to http://www.whois.net/ and start by querying “hurricanealberto” or some variation thereof. Or type in your name and see who is making money off your celebrityhood. The same method would be used to check sites that you might have a question as to its validity, to secure oneself from suspicious or fraudulent websites.

Last week we discussed the fact that Microsoft credited three different researchers for reported CVE-2008-1087 during our monthly Patch Tuesday podcast. The fact that several independent researchers reported the issue suggested that others may not be far behind. This CVE pertains to the Microsoft Graphics Rendering Engine, which has a history of exploitation. In fact, McAfee’s Exploit-WMF detection for MS06-001 exploits was one of the top reported detections around the time that a patch was released. An exploit toolkit was released prior to the patch, which helped contribute to the number of exploits floating around. History may be repeating itself, though out of sequence.

Last Friday the first MS08-021 exploit was discovered in the field, three days after the issue was patched; and though it was not widespread, the discovery of the exploit did highlight the fact that attackers were actively working with exploit code. Today a basic exploit toolkit was posted publicly; and while this new toolkit is primitive, it may very well lead to “one-ups-manship” and the distribution of a more powerful tool.

Given the fact that a patch was released prior to this recent exploit activity it is unlikely that MS08-021 attacks will reach the level of MS06-001 attacks. However, there are still many many vulnerable systems out there, and we’ve seen prevalent exploits that have lasted for years after the issue was patched.

A few days ago here at Avert Labs we have received yet another interesting malicious file related to the now not-so-famous Tibetan situation. At the beginning it looked like a simple Flash movie, at least judging from the icon.

Executing the file, called RaceForTibet.exe, shows a cartoon with a very skilled Chinese gymnast performing some amazingly convoluted exercise on a “vaulting Bbox” for which the jury immediately scored her a shocking 0! Whilst the gymnast’s performance is “re-wound,” a number of fairly stark photographs of real events, taking place throughout China and Tibet, are shown as a flashback.

As a malware researcher I just could not keep myself from looking further into the file to see if it was anything more than some political movie about events taking place in Tibet and China, especially after several recent posts [1] [2] discussing the Fribet Trojan.

Here are some screenshots of the cartoon that runs using “mini flash-player 2.6”:

For the next step I decided to use our “Rootkit Detective” to check for hidden processes and hooks, and turns out a number of files were silently dropped on my PC!

So here comes the “Pro-Tibetan Movement rootkit”:

As you can see a number of files are now on my system and completely hidden from “user-land”. The original file (RaceforTibet.exe) initially drops a file called “dopydwi.sys” in the %windir%/system32/ drivers folder.

Here is an interesting part of this hidden system driver shown in IDA:

We can now start to see the bigger picture here! The rootkit is actually a keylogger posing as a political message; in fact you can notice above the call to the function “GetKeyboardState“.

Also below we can see the file is creating a device called “ServiceDll”, which will be used to load the driver:

And here we can see the patching of the SSDT, hooking a large number of Windows API functions by changing their address.

The DLL file dropped on the system is going to be used to do the actual keylogging and it’s loaded through the device shown on the first IDA screenshot above.

To complete the picture, a hidden log file kept on the system (dopydwi.log) stores all the information gathered on the compromised machine.

Here is the output of a log file I captured:

[2008-04-10 07:14:53] Ethereal: Save file as [C:\Program Files\Ethereal\ethereal.exe] tibetan-capture
[2008-04-10 09:37:08] Save Image [C:\Program Files\GIMP-2.0\bin\gimp-2.2.exe] sdt-bigj
[2008-04-10 09:45:22] Mozilla Firefox Start Page - Mozilla Firefox [C:\Program Files\Mozilla Firefox\firefox.exe]
www.avertlabs.com
logtest.txt
[2008-04-10 09:46:24] Google - Windows Internet Explorer [C:\Program Files\Internet Explorer\iexplore.exe]
testing search engine

The remote IP where this data is sent to is located in China (humorously enough).

So just when much trouble is taking place, we can also continue to see an increase in attacks carried out by people taking advantage of the media hype and interest raised across the globe over these dramatic circumstances.

Will you watch the Olympic games? Best not if they claim to appear via e-mail as a Flash executable movie!