Archive for the 'Web and Internet Safety' Category

Vietnamese add-on for Firefox serves W32/Fujacks!htm virus

Mozilla came out with an advisory yesterday warning users of compromised files in the Vietnamese language pack for Firefox 2. This was not the work of a malicious hacker or intentional booby-trapping of the files by the author but the result of a careless internal virus infection.

The author of the add-on was accidentally infected, and every help file (*.xhtml) in the Vietnamese language pack for Firefox was modified by the virus and appended with a script. Any user who installed this language pack would have had malicious ads displayed in their browser and could potentially have been infected with other exploits.

The script linked to hxxp://js.k0102.com/[Removed].asp (currently offline), a remote website based in China. The offending script in the compromised help pages has since been removed by the Mozilla developers.

According to Mozilla’s blog, anyone who downloaded the most recent Vietnamese language pack for Firefox 2 since February 18, 2008 may have received an infected copy. The exact number of compromised downloads cannot be ascertained, but since this affected only users who downloaded the Vietnamese language pack, the numbers could be limited.

When contacted, the Mozilla developers were quick to respond and provided us a copy of the compromised files.

McAfee users are proactively protected against this threat. The malicious HTML pages are already detected as the W32/Fujacks!htm virus with the 5174 DAT files, which were released way back on 29th November 2007. :-)

Yet Even More Fake Media Files

Earlier we blogged about Fake MP3s Running Rampant, mostly on P2P networks such as Gnutella, used by Limewire. I took some time to create a video clip showing what the infection process looks like. In doing so, hundreds of additional media files were uncovered. Most lead to the aforementioned site, freemp3player.com, but others lead to different sites distributing adware, and others still pose as codec installers that, when run, display fake error messages and download and silently install tons of files, including many different adware packages, such as:

Adware-BB
Adware-Beginto
Adware-Isearch
Adware-Mirar
Adware-SrchExplorer
Adware-Zeno

Domains linked to from the media files include:

mediaprovider . info
missing-codecs . com
seonomad . com
vidscentral . net

While the demo below shows that users must accept a EULA before proceeding, others contain no EULA.

– Update May 7 –
Adding some answers for questions that we’ve received.

These “MP3” files are in fact ASF files that instruct media players such as Windows Media Player to navigate to a specified URL (via the default HTTP protocol handler, i.e. the default browser). Not all media players support this functionality.
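As an added illustration (not code from the original post), here is a small triage check in Python that flags a file named .mp3 whose leading bytes are actually an ASF container and pulls out any URL embedded in it. The sample bytes and the URL are constructed; the only real constant is the public ASF Header Object GUID.

```python
import re

# ASF Header Object GUID as stored on disk (little-endian field order).
# This is the public format signature from the ASF specification.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# URLs may appear as plain ASCII or as UTF-16LE (ASF stores its string
# fields, including script-command strings, as UTF-16LE).
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
UTF16LE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)

# Constructed samples (not real captures): an "MP3" that is really an ASF
# file carrying a redirect URL, and a genuine-looking MP3 with an ID3v2 tag.
FAKE_MP3_SAMPLE = (
    ASF_HEADER_GUID
    + b"\x00" * 14
    + "http://example.invalid/get_player.php?id=42".encode("utf-16-le")
    + b"\x00" * 18
)
REAL_MP3_SAMPLE = (
    b"ID3\x04\x00\x00\x00\x00\x00\x00"   # ID3v2.4 tag header, empty body
    + b"\xff\xfb\x90\x00"                 # first MPEG audio frame header
    + b"\x00" * 32
)


def detect_container(data: bytes) -> str:
    """Identify the real container from leading bytes, ignoring the name."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mpeg-audio"  # ID3v2 tag in front of MPEG audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mpeg-audio"  # raw MPEG frame sync: 11 leading set bits
    return "unknown"


def extract_urls(data: bytes) -> list:
    """Collect ASCII and UTF-16LE URLs; the UTF-16LE form is what an
    ASF script command would carry."""
    urls = [m.group(0).decode("ascii") for m in ASCII_URL.finditer(data)]
    urls += [m.group(0).decode("utf-16-le") for m in UTF16LE_URL.finditer(data)]
    return urls


def classify_media_file(name: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes say."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    container = detect_container(data)
    mismatch = claimed == "mp3" and container != "mpeg-audio"
    urls = extract_urls(data)
    if container == "asf" and mismatch and urls:
        verdict = "fake-media-redirector"   # the pattern described above
    elif mismatch:
        verdict = "extension-mismatch"
    else:
        verdict = "ok"
    return {
        "claimed": claimed,
        "container": container,
        "mismatch": mismatch,
        "urls": urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for fname, blob in (("track01.mp3", FAKE_MP3_SAMPLE), ("song.mp3", REAL_MP3_SAMPLE)):
        print(fname, classify_media_file(fname, blob))
```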

Our detection rates are based on a segment of VirusScan consumers who have opted-in to reporting their detections to McAfee.  Approximately 500,000 unique systems have reported having these Trojan media files on their PCs over the last few days.  However, the number of those systems that have downloaded the adware installer from fastmp3player.com during this period is less than 10% (< 50,000).

Beware of Forgeries

A recent report by the OECD (Organisation for Economic Co-operation and Development) indicated that counterfeit and pirated goods in 2005 could have had a value of up to 200 billion U.S. dollars.

One path to fake goods is via spam, which frequently offers counterfeit medicines and replica watches. A recent post from the French CERT-LEXSI blog caught my attention regarding fake luxury mobile phones selling for absolutely unbeatable prices.

These phones are normally manufactured by Vertu, a British subsidiary of Nokia, and are sold in luxury shops in Monte Carlo, Cannes, or Beverly Hills. On their official top-quality site (www.vertu.com), prices are not mentioned, but by visiting some authorised retailer Web sites I found exorbitant figures. Some mobiles, bedecked in gold and diamonds, exceed $90,000. Really too expensive for me!

Using Google, it’s really easy to find fake sites offering these counterfeit marvels. In fact it is easier to find the fake sites than the authorized ones!

And the prices–assuming you need one of these–are attractive: less than $1,000 for a copy of an original that sells for $97,300.

Regular spam campaigns promote such Vertu “replica” sites. Be vigilant, however, because appearances can be deceiving. Sites are numerous and their common feature is their high-quality, professional look–with black backgrounds that imitate the official site.

These sites are hosted at various providers in various countries (USA, Germany, and Hong Kong). Some of them seem clean; others are known for bulletproof hosting services and their relationship with the Russian Business Network, an alleged cybercrime organization. The registrars are also diverse (Estonia, Russia, and Korea) but more questionable. It is surprising that these do not require any name verification before accepting registrations. But once you know that a lot of spam and malware-related Web sites come from them, their permissiveness is easier to understand. Registrant addresses and e-mails give us an inkling regarding the nationality of their owners: China and Russia.

For the potential buyer, the key issue concerns the risk. The Swiss Watch Industry clearly points out that the buyer is the first victim, because purchasing counterfeits is:

  • Agreeing that piracy is OK; the counterfeiter seeks to appropriate somebody else’s hard work and investment.
  • Supporting and financing organized crime; links between counterfeiting activities and criminal networks have been established in many cases.
  • Accepting underground and child labor.
  • Endangering your own health and safety; the risk is real with medicines, aircraft and auto spare parts, medical supplies, and cosmetics.
  • Reducing employment and stifling growth; this form of criminality contributes to the reduction of employment, which is estimated to cost more than 200,000 jobs worldwide per year.
  • Being liable to criminal sanctions; the buyer may face criminal and financial sanctions. The mere possession of counterfeits is illegal in many countries. Furthermore, penalties could be claimed by legitimate intellectual property rights’ owners. Customs also can seize and destroy illegal items and assess fines.

And if these considerations don’t stop you, remember you run the risk of not receiving the goods you pay for; instead you might have your banking details stolen and reused in future malevolent activities. None of the sites I visited yesterday offered a secure Internet payment system; one of them housed a hidden Iframe linked to a known password-stealing Trojan.

Race to Zero, what?

There’s been considerable stink lately about the Race to Zero contest that is to be held at Defcon. I, for one, am a bit perplexed by this. This article from ZDNet Australia is what finally made my eyes cross in confusion/aggravation.

I don’t know at what point the collective “wisdom” became that signature-based AV was ever intended to be about defending against every threat ever devised, before it was ever devised. Signature-based scanners are intended to detect and clean known threats. If you modify a known threat, it’s not really “known” anymore, is it? Now it’s a variant of a known threat.

It’s certainly desirable to have protection against all threats, known and not-yet-known. This is what things like firewalls, Intrusion Prevention Systems, Data Leakage Prevention and all those other wonderful security products are intended to do, in concert with AV. Most AV software now also includes proactive static detection like Generic and Heuristic detection, along with more dynamic detection like emulation or behavioral detection. Many AV programs now also include broader security functionality like a firewall or IPS.

Generic and Heuristic detection is certainly better at picking up unknown threats than simple signature-based scanning, but there are three things that limit it. For one, it’s still reactive, basing detection on known bad techniques. Secondly, it’s static - obfuscation can still muck up the detection, if it causes the file to deviate from the known bad technique. Finally, there’s still a need for these detections not to be false-prone. Heuristics and generics essentially cover known “really, really bad” techniques. The threshold of badness must be quite high to make it into AV products. Consider how many commercial products and widely used administration tools blur those lines, and you may come to appreciate what a very fine line it is.

It’s not clear from what I’ve seen whether the contest’s judges intend to use the most paranoid settings available within the various products, but their description does seem to indicate they’ll only use the static detection, rather than running it in real time through the products. This does not accomplish a full test of the products’ capabilities; it only tests one component. The results they get will not be what an average user will get.

The contest organizers and participants are playing with fire in order to prove what we already know: Signature-based scanners are meant to protect against known threats. That doesn’t mean that AV is dead, or that it’s useless. The industry is evolving, and its products with it. AV is intended to be one tool in a complete security arsenal. Defense in depth is where it’s at, if you’re really looking to protect your network.

Google Analytics getting my passwords? NOT!

So, on a bright Friday morning here in Brazil, I was analyzing an interesting piece of malware. Well, this piece of malware was sending encoded data to gooqle-analytics.com…hmmmm maybe trying to get infection statistics?

We have seen this before…but something wasn’t quite clear… it seemed that this was all that the malware was doing… hmmmm ok… checking a little closer, I could see the traffic generated… it was encoded traffic… not common for Google Analytics…

A little more research revealed that there was a dll injected in the svchost process, and analyzing this packed dll revealed that its purpose was to steal information and send to gooqle-analytics… but what the heck? Is Google stealing my info? NOT!!! As some of you noticed reading this blog, I did not misspell the name… it was sending the info to gooqle-analytics.com, and not google-analytics.com…

This gooqle thing domain is hosted on an IP in Italy…yea…bad, bad gooQle…!

CNN: Another Target in Information Warfare?

I was not at all surprised when I first saw the Trojan named anticnn.exe, because I’ve followed recent events between China and the Western media. I am not going to offer any political comments on the conflict between these parties; however, the appearance of this malware well illustrates how information warfare works and further proves that this kind of nonmilitary, nongovernmental battle has become an increasingly common phenomenon.

The Chinese “hacktivists” obviously have no intention of hiding their origins. The file has the flag of the People’s Republic of China as its icon. Upon execution, the red flag is displayed in the lower-right corner of the desktop. After a user clicks the flag, a window with a picture of Mao Zedong pops up with the message “It is a red flag action: using rational action to express your patriotism. That attack target is www.cnn.com.”

The file connects with www.cnn.com and keeps sending HTTP GET requests. The Chinese “hacktivists” seem to believe that as long as there are sufficient participants they will be able to succeed in their attack.

McAfee has detected this malware. I remain concerned, however, that anti-virus detection can prevent only those users who are unaware of the situation from getting involved in this event. Eventually this Trojan could be widely distributed via spam, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. This attack looks like it will be hard to stop if many “infected” users intend to get this tool and run it intentionally.

Just one day later, we came across another tool designed for the same purpose. The difference with this tool is that it does not have a hard-coded target address. Instead, it allows users to manually input a target’s IP address or DNS name, and TCP port. Obviously, the organizers do not wish to name their target too early. In the setup program’s readme file, it says the attacker will inform the target a half-hour before the attack will be launched. Another interesting point: The tool developer states in the readme file that the tool has no backdoor inside. That makes me ask, Should the average user trust the developer’s claims?

“You won’t know who to trust”

Commonly in conversation with family or friends I am asked questions that begin with statements such as “Well, I had this computer virus…” Further into these conversations after asking some additional questions of my own, I become more convinced that the person believes they had a virus. From the descriptions provided I am often inclined to suspect classes of malware and potentially unwanted programs that are commonly referred to as FakeAlerts and rogue security software are responsible.

I have come across many of these types of programs disguised as anti-virus or anti-spyware products that generate false warnings of malware that is supposedly present on the system:

Fake alerts are typically trojans that generate false warnings of spyware on the computer. These alerts are most often displayed as a balloon pop-up from the systray. The fake alerts will typically encourage the user to download or install a rogue security software product by “detecting” bogus infections on the system and frightening the user into buying the rogue software in order to clean the fictitious malware that was discovered.

I am continually surprised at the prevalence of these types of applications and how many computer users install and use these so I thought it might be useful to post some tips that may help with identifying traits that are commonly associated with these types of scams.

Use responsible browsing practices:
Trojans typically spread manually, often under the premise that they are beneficial or wanted. To do this, techniques similar to those used in product marketing are often involved. Responsible browsing practices can include identifying when propaganda is used to persuade one into believing something, doing something, or buying something. This is not solely indicative of something malicious in nature; however, being able to tell when these methods are utilized can sometimes help one to know when to ask more questions about the motivation or intentions behind the use of the tactic.

Do some quick research:
If something does flag one’s attention, it may be worth the effort to do some quick investigation. Use a well-known search engine and enter search terms such as the name of the product you are being asked to purchase, the title of the dialog being displayed, the name of the malware that is being detected, etc. Try to avoid pages that are sponsored by the target of your investigation. Look for third-party opinions or reviews. This may provide some additional counterpoints that help with an objective analysis of the software in question.

Are there any secondary indications of an infection?
Look for the presence of the files being identified by the software as malicious. Often these files will not exist on the system at all. Sometimes however these types of programs will write the fake files to the system so that it can later detect them as malicious.

Check the time and date stamps on the files. Are they similar to that of the time the program was installed or ran a scan?

Submit the file to an online scanning service such as VirusTotal and see if established anti-virus programs detect them.

These are just a few simple examples from the quick and easy do-it-yourself malware research guide!! ;)

NULL Pointer Exploitation Causes Concern

Some news is in circulation regarding a recently disclosed (and patched) vulnerability in Adobe’s Flash. The attack used dereferenced NULL pointers, which were believed to be very hard to exploit.

The findings were first revealed in a paper called “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine” (pdf) by Mark Dowd. The paper described a new technique for turning a memory corruption vulnerability in Adobe’s Flash into an exploitable one. Whilst the technique targeted the ActionScript Virtual Machine for the Win32/Intel platform, it’s understood that the attack could be carried out on any other platform where Flash is available. The real question is whether this attack can be made more generic to target dereferenced NULL pointers in general!

It is possible to do so, but it’s not that easy. There are certain conditions an exploit of this type has to satisfy before reaching the ultimate goal. Dowd used some wacky techniques to inject malicious ActionScript byte code into Flash runtime (basically by crafting an SWF with something to trigger the vulnerability and point the execution to another loaded-in-memory part of the file that had the malicious content). Then he forced malloc() to fail by trying to allocate some huge memory chunk. When malloc() failed, it returned NULL.

(OK, at this step a program trying to access a NULL pointer would basically crash, and something to check for malloc() return value is necessary to prevent that crash.)

In this case, Flash didn’t check for malloc() failure and did some pointer arithmetic operation to add the value of the pointer (NULL here) to some offset. Now, this “offset” was controllable, and this is where Dowd had preloaded his malicious content. (Don’t get too excited, folks. There were quite a few other conditions that Dowd’s exploit had to meet before loading his payload. But I’m eliminating a lot of details to present the overall picture). So now we have a pretty successful and reproducible exploit on Flash ActionScript VM. It even bypassed Vista’s ASLR because Vista’s Flash was compiled with the runtime security bit off.

Now, scaling this attack against native code is more difficult in spite of the success it had against ActionScript VM. We will still be looking for a controllable offset and a place to preload our payload. Nevertheless, it is still a neat discovery when taking into consideration the level of complexity needed to load the malicious payload.

This discovery reflects a trend that it is possible to circumvent runtime security countermeasures such as ASLR and the like by targeting other environments with higher privileges running on top of the native platform. And if you’re involved in any secure development lifecycle, you’d better go and check your code!

Counting the bots

As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.

In 2004 and 2005, bots were placed in a separate group of their own, separate from viruses and Trojans. Their names often ended with “bot” (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of separate variants we had in our collections (the zoos) at the time, statistics showed a constant increase.

We have noted since then that a lot of malware has a remote-control feature (i.e. they are bots). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. As of today, much of this remotely controlled malware is known under various malware family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently our counting methods have to change.

On the Internet, various websites allow us to measure a different aspect of the threat.

For example, the Shadowserver Web Site shows us a botnet count. The following graph is a count of all the active Command and Control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2900 botnets today compared to 1400 one year ago:

Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf’s talk at the World Economic Forum in Davos, Switzerland, and explained that he estimated 100 or 150 million machines to be infected, representing over 10% of the PCs connected to the Internet. At the same time, some sources estimated fewer than 10 million machines, while others said they identified nearly 250000 new bots, or infected IPs, each day.

Various techniques can be used to track zombie machines. I will only mention a few, which gives me the opportunity to give you some interesting links:

  1. Observing DNSBL queries
    The method is described in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted or not. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from valid DNSBL traffic performed by legitimate mail servers.
  2. Watching IRC traffic
    It is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for any signatures matching known botnet commands.
  3. Checking Behavioural Characteristics
    As an example, researcher Stephane Racine demonstrated that IRC bots were idle most of the time on a Chat IRC channel but responded faster than a human upon receiving a command.
  4. Searching for malware hashes on P2P networks
    With decentralized Peer-to-Peer botnets, compromised nodes on the network can be identified by their retrieval of hashes known to be associated with botnets. The College of Computing and Informatics University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot could either be actively running on a network without a true Internet connection to determine current hashes, or the hash generation algorithm could be extracted from its binary to generate hash sets on the fly based on the limited set of random integers and the current time.
  5. Watching attack traffic
    Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the number of compromised computers. Since January 2008, the Shadowserver graphs have shown a huge increase in this field.

To conclude this post, I have to say that looking at these studies did not help me in calculating how many computers are, at the moment, affected by bots! Extrapolating from the 120000 or 150000 items known to be active in a botnet at a given moment to a total number is hard to envisage… However, making these searches was not useless. We can certainly predict that an increase in DDoS attacks will be a 2008 issue and, for sure, that more and more botnets will be used in that field; perhaps 40 or 50% of them.

MS08-021 Exploit Activity Increasing

Last week, during our monthly Patch Tuesday podcast, we discussed the fact that Microsoft credited three different researchers for reporting CVE-2008-1087. The fact that several independent researchers reported the issue suggested that others may not be far behind. This CVE pertains to the Microsoft Graphics Rendering Engine, which has a history of exploitation. In fact, McAfee’s Exploit-WMF detection for MS06-001 exploits was one of the top reported detections around the time that a patch was released. An exploit toolkit was released prior to the patch, which helped contribute to the number of exploits floating around. History may be repeating itself, though out of sequence.

Last Friday the first MS08-021 exploit was discovered in the field, three days after the issue was patched; and though it was not widespread, the discovery of the exploit did highlight the fact that attackers were actively working with exploit code. Today a basic exploit toolkit was posted publicly; and while this new toolkit is primitive, it may very well lead to one-upmanship and the distribution of a more powerful tool.

Given the fact that a patch was released prior to this recent exploit activity, it is unlikely that MS08-021 attacks will reach the level of MS06-001 attacks. However, there are still many, many vulnerable systems out there, and we’ve seen prevalent exploits that have lasted for years after the issue was patched.

‘Unsafe Hex’ About to Get More Costly?

A recent article in The Register seems to imply that if you’ve got out-of-date security software, any fraudulent charges to your accounts could suddenly be your liability. The advice given by the British Bankers’ Association includes much more than just the state of one’s security software; this could just as easily include misaddressing a check or falling victim to a phishing attack, among other things. On the other hand, it’s highly unlikely it would ever be worth the bank’s effort to invoke this clause.

From the Banking Code of the British Bankers’ Association

    12.11 If you act fraudulently, you will be responsible for all losses on your account. If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow Section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.)

These two sections offer quite a few bullet points about how not to be a victim of identity theft or financial fraud.

    12.5
    • Do not keep your checkbook and cards together.
    • Do not let anyone else use your card, and do not tell anyone else your PIN, password, or other security information.
    • Your bank or building society will never ask you for your PIN. If you are in any doubt about whether a caller is genuine or if you are suspicious, take the caller’s details and call us.
    • If you change your PIN, you should choose your new PIN carefully.
    • Try to remember your PIN, password, and other security information, and securely destroy the notice as soon as you receive it.
    • Never write down or record your PIN, password, or other security information.
    • Always take reasonable steps to keep your card safe and your PIN, password, and other security information secret at all times.
    • If your card issuer takes part in a secure online payment system (such as Verified by Visa or MasterCard SecureCode), consider signing up either at their Web site or whenever you are given the option while shopping online. This involves your registering a password with your card company; you will be asked for the password whenever you shop at an online retailer taking part in the scheme. You should keep this password secret.
    • Never give your account details or other security information to anyone unless you know who they are and why they need them.
    • Keep your card receipts and other information about your account containing personal details (for example, statements) safe and get rid of them carefully.
    • Take care when storing or getting rid of information about your accounts. People who commit fraud use many methods, such as “bin raiding” (a.k.a., dumpster diving) to get this type of information. You should take simple steps such as shredding printed material.
    • Be aware that your mail is valuable information in the wrong hands. If you don’t receive a bank statement, card statement, or any other expected financial information, contact us.
    • You will find the APACS Web site a helpful guide on what to do if you suspect card fraud.
    12.9
    • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.
    • Keep your passwords and PINs secret.
    • We (or the police) will never contact you to ask you for your online banking or payment card PINs, or your password information.
    • Treat e-mails you receive from senders claiming to be from your bank or building society with caution and be wary of e-mails or calls asking you for any personal security details.
    • Always access Internet banking sites by typing the bank or building society’s address into your Web browser. Never go to an Internet banking site from a link in an e-mail and then enter personal details.
    • Follow our advice: Our Web sites are usually a good place to get help and guidance on how to stay safe online.
    • Visit www.banksafeonline.org.uk for useful information.

But wait, there’s a caveat: They won’t invoke this willy-nilly:

    12.12 Unless we can show that you have acted fraudulently or without reasonable care, your liability for your card being misused will be limited as follows.

This code would be far too difficult and costly to implement in most cases. It would have to be a particularly large sum of money involved in the fraud, enough that it might be deemed worth the cost of an investigation, alienating a customer, and courting a heap of bad PR.

Although this is all good advice from the BBA, it looks like the assertion that people will suddenly be financially liable for having out-of-date security software is just a case of spreading FUD.

Give me your bookmarks!

It is interesting to see how the password-stealing trojan (commonly called PWS) writers think… :) Over the last few months I’ve been writing about PWS Bankers, since they are one of the most common kinds of malware that targets Brazil, and since I can read Portuguese, I saw lots of improvements in that malware, including…. multiple redundancies! Today I got something different. In the email that it sends to the malware author to say “Hello World, I am on machine-XYZ”, it now also includes data about browsing activity and even the bookmarks of the user, including the browser used and start page…, interesting huh? :)

Below is an example of the information sent by the malware:

Browser………….: C:\Program Files\Internet Explorer\iexplore.exe
Win Dir………….: C:\WINDOWS
Internet Protocol…: xxx.xxx.xxx.xxx
Start Page……….: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Date…………….: 1/8/2007
Time…………….: 6:58:03 AM
O.S. …………..: Microsoft Windows XP (version 5.1)
Bookmarks

*************************************************************
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=IStart
http://www.microsoft.com/isapi/redir.dll?(edited for length)sba=RadioBar&o1=&o2=&o3
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=CLinks
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=hotmail
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windowsmedia
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=windows
*************************************************************

Yes…he owns your computer and also knows where you surf!

“Media object? No it’s Malware Object!”

As per my previous blog, many websites offer free video online in an attempt to install malware on users’ systems without their knowledge. Here we have one more, which claims to offer a Video Access ActiveX Object (VAX), supposedly a new way to access free multimedia content on the Internet. The webpage attempts to look more professional by including information like an introduction to ActiveX, a EULA and a download link, as shown below.

We caution webpage viewers, since this malware is also pushed by a pornographic webpage calling itself Adult Tuba, whose design matches the popular video-sharing page YouTube in an attempt to deceive users, as shown below:

If users click on any movie links and follow the instructions, they end up downloading malware, as shown below, whose detection and removal is covered under the Puper family:

We caution all Internet users against getting infected by these Video Access ActiveX Object sites found while surfing the web, as we continue to protect our customers against such social engineering attacks.

EULA-wocky

End User License Agreements, those infamous instruments of legal pretzelism, have broken the logic barrier and are beginning to collapse into a nonsensical linguistic singularity. A bold claim, you say? I have evidence! This is a direct quote from an adware-related EULA I recently encountered:

Special Notice for Non-English Speakers:

The Licensed Software is suited primarily for the use of English speakers and, therefore, this License Agreement is written in English and is addressed to English speakers. If you are not proficient in English and feel that you cannot properly understand this License Agreement, we recommend that you either retain the help of an English speaker to help you understand and accept the terms of this License Agreement or, alternatively, refrain from installing or using the Licensed Software. In any event, if you choose to install or Use the Licensed Software, you will be bound by [the] License Agreement and the Privacy Policy incorporated herein.

Producing a mental experience similar to that accompanying contemplation of the interstellar void or the size of the US national debt, the mind is confounded here not by huge distances or sums, but by raw logical absurdity: lengthy, multi-clause legalese sentences carefully describing, in English, what you should do if you don’t understand English.

At least they include the suggestion that you get a translator to help you read it. How thoughtful!

McAfee Avert Labs Blog End Reader License Agreement:
By reading this blog post you agree to accept any unsolicited slithy toves that may result in the wabe, regardless of whether brillig conditions prevail. You additionally release McAfee from any and all liability should your borogoves become mimsy. :-)

I am not against virtual postcards, but…

As we see every year, the Christmas season is a great opportunity for a new virus to spread by email using “Christmas” as a reason to read the email. We just had a post here on the Avert Labs blog about one a few days ago. If it was just the spammers, we could understand, since they live to do that, but today I got an email from my bank, stating that I could start to send Christmas and New Year’s virtual cards through their website! I immediately thought that it was a phishing scam, so I decided to check the link. It was indeed a new url created by the bank, something like www.christmascards[insert Bank Name here].com.br, where you could select up to 4 different Christmas / New Year’s cards and send them to your friends… This just happened hours ago… I bet that I will start to receive some Xmas virtual cards and I also bet that those will not be from my friends :) . So you don’t get me wrong, I like virtual postcards, but here, this strange marketing campaign will make things real easy for the bad guys, since the real bank sent a mass mail to all customers telling them that they can send those cards from their website. Now, what do you think will happen when the bank customers start to receive fake virtual postcards on behalf of the bank, with attached malware??

SPAM : Death by a thousand cuts!!

In the “good old days” spammers aggressively scanned the Internet for open relay servers to send spam. Open relays are out of fashion these days. So much so that the Open Relay DataBase is shutting down due to changes in spammer tactics.

Today’s spammers, in collusion with malware authors, infect thousands of machines on the Internet turning them into spam relay zombies. These zombie machines connect to a web server controlled by the spammer, which provides a constantly updated live feed of email addresses and content to spam. The content could be anything from pump-and-dump stock spams, online pharmaceutical drugs or the usual penis enlargement. Each individual zombie machine is capable of sending hundreds of spam emails per minute depending on the bandwidth available. Example: Spam-Maxy, Spam-Loot

And with more machines having access to broadband and ADSL connections, it provides a fertile breeding ground for this unholy alliance of malware authors and spammers to take advantage of.

At McAfee Avert Labs Bangalore, we sampled emails that were captured by our honeypot this quarter. The following chart shows the content of the email messages captured during in-house live testing of malware:

Captured Email Content (chart)

Only 11% constituted executable attachments. 2% were mails containing infection notifications or captured cached passwords that were meant for the trojan author. The rest, some 87%, was spam. A high percentage of this spammed content was image spam and ASCII art; techniques that spammers have effectively used to subvert traditional detection by anti-spam vendors.

Although we have seen malware-controlled spam networks in the past, most notably the W32/Bagle and W32/Sober families, the complexity and sophistication seen in the W32/Stration and Spam-DComServ trojans of today, demonstrate the alarming advancements made by these digital miscreants. McAfee Avert Labs continues to keep a close watch on these recent developments in the spam world.

Wanna Watch Videos? Watch out its a worm!

As we know, there are many websites offering videos of celebrities for free, and their main audience is youngsters.

Here we have a webpage “www(dot)leaked[REMOVED]videos(dot)com” which by its title looks to have a large collection of celebrity videos. The user visits the site, follows the instructions, then ends up installing a worm instead of watching celebrity videos.

The webpage displays “Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object” attempting to get the user to install “missing plugins” for Media Player as shown below:

If the user clicks on the (Click Here) hyperlink in the browser, they will end up downloading a program called mpg2-3.0.1.exe, as shown below:

Upon execution, mpg2-3.0.1.exe displays the fake error message box shown below and installs a worm called Nugache.

We caution all internet users against these fake online video sites found while surfing the web, as we continue to protect our customers against such social engineering attacks.

Social Engineering and the “Little Guy”

Here’s a concept that might inflate everyone’s ego a little, as well as (hopefully) making them a little more wary: It’s not just CxOs whose names and info are valuable. It’s yours and mine, too.

In Italy, trojan spammers are sending emails which appear to be from lawyers, threatening legal action if the recipient doesn’t clean up their allegedly-infected machine. Of course, this email includes a “helpful link” to a removal tool which is, in reality, a trojan. The most notable thing here is that the email includes actual lawyers’ names and contact information, which is causing significant problems for the lawyers whose names have been used.

We’ve also received reports from Italy indicating people are getting similar emails, but from people who appear to be angry business partners, rather than from lawyers.

Miscreants have also taken to heart the figures regarding the lack of security awareness in smaller businesses. Small companies may feel that they’re too insignificant to be targeted, but their machines may actually be just as valuable as someone’s in a Fortune 500 company. Small businesses’ bandwidth is often better than a home user’s, their employees’ names and contact info can be used in schemes like this, they might be more apt to be hurt by Denial of Service attacks or extortion attempts, and they’re less apt to have trained or dedicated security staff.

Really, everyone’s data has a useful place in the internet criminal’s arsenal. Doesn’t that just warm the cockles of your heart? ;)

So what do we take away from all this? Regardless of how urgent an email appears to be, it pays to double-check links and attachments with the apparent sender if you’re not expecting them. And to keep yourself from being an “apparent sender”, consider very carefully what information you make available on the internet. Do you need to post your employees’ names and phone numbers publicly, or would something more general be feasible?

Fake charity sites: It’s that time of year again.

I’ve seen a number of fake charity sites crop up over the last week or so, and the cynic in me knows it’s that time of year again. Christmas is a time of joy and happiness, good will to all men, peace on earth, and thank whoever you believe in you’re not a turkey! It’s not restricted to the Christmas period but, at this time of year, we are more likely to think of those less fortunate and that is exactly the feelings the fraudsters are trying to exploit with fraudulent sites purporting to help needy children who are abandoned, distressed, endangered, exploited, homeless, hungry, sick or suffering.

The websites I’ve seen so far are very professional, with a fairly high amount of graphical content (flash and html versions no less) and a good amount of verbiage designed to make the reader feel upset, guilty, sentimental, or otherwise relieved of a tear or two. Much of the layout and content on one of these fraudulent sites was copied directly from a legitimate charity’s website with simply a name and a logo changed. These websites are as bad as some of the leaflets that drop through your door, but they cost less, well at least in the short term.

Q:Can you tell the difference?

sample image

I’ll save the answer until later. So how many real charities use compromised machines to host their websites or botnets to send their email? Not one! Here is a sample of the spammed image from one of the recent campaigns. (Doesn’t it look a bit like the recent stock spams?) I expect the quality of the email content to improve in the future however.

sample image

Please be very wary of any donation opportunities appearing via email, just as you would if a stranger was knocking at your door, cap in hand. This FTC site has some good advice on responsible donating.

A:The Red one was the fraud site.

“I Go Chop Your Dollar”

Many of you have heard about the Nigerian Email Scam (aka 419 Fraud) that proliferates through email traffic and usually sits waiting in your Inbox or Junk Mail folder for the next victim. Many do not know, however, that the scam has been successful for over a decade now, since the 1990’s, and has its origins as far back as the 16th century.

The Nigerian Email scam is a derivative of the Spanish Prisoner Con, where a victim is told about an extremely wealthy Spanish prisoner who needs someone’s help in getting free. This so-called prisoner is relying on the con artist to raise enough money to free him. The con artist approaches his victim with the story and allows him to help with a portion of the fundraising with the promise of high reward and financial gain. There was even a Hollywood movie called The Spanish Prisoner made in 1997 based on this plot.

The first instances of the Nigerian Scam were seen in the early 1990’s. Back then, it was delivered via postal service or fax. Over ten years later, its main method of delivery is email and to this day there are still people falling victim to the scam. Losses are estimated in the billions of dollars. Brian Ross of ABC News has recently completed an interesting investigative report following the trail of these Nigerian con artists.

To add insult to injury, there is an immensely popular song and music video in Nigeria whose lyrics flaunt the success of the scam (“you be the mugu[2], I be the master”) and ridicule Caucasians’ greed (“Oyinbo[3] people greedy, I say them greedy”).

“I Go Chop Your Dollar” (video)
Osuofia - I Go Chop Your Dollar - A clip from the video.

I Go Chop Your Dollar (lyrics)
I don’t suffer no be small
Upon say I get sense
Poverty no good at all, no
Now I’m make I join this business
419[1] no be thief, it’s just a game
Everybody they play ‘em
If anybody fall mugu[2], ha! My brother I go chop ‘em

Chorus

National Airport now me get ‘em
National Stadium now me build ‘em
President now my sister brother
You be the mugu[2], I be the master
Oyinbo[3] I go chop your dollar, I go take your money disappear
419[1] is just a game, you are the loser I am the winner
The refinery now me get ‘em,
The contract, now you I go give ‘em
But you go pay me small money make I bring ‘em
You be the mugu[2], I be the master… now me be the master ooo!!!!

When Oyinbo[3] play wayo, them go say now new style
When country man do ‘em own, them go the shout bring ‘em, kill ‘em, die!
Oyinbo[3] people greedy, I say them greedy
I don’t see them tire that’s why when them fall enter my trap o!
All day show them fire

[1] Nigerian criminal code that the scam violates
[2] Nigerian Pidgin for “fool”
[3] Nigerian Pidgin for “Caucasians”

Every Doctor is not Spyware Doctor

As per readers’ feedback on my earlier blog “404 not just “File Not Found””, they wanted more information regarding how a Potentially Unwanted Program called “System Doctor” gets installed. So I will go into more detail on this program’s behavior in this post.

System Doctor tries to fool users by utilizing images that are similar to those of a legitimate product from PC Tools called “Spyware Doctor”, as shown below:


Installation on the victim’s machine is via an ActiveX control, as shown below, which requires user interaction:

Upon installation, System Doctor scans the user’s system and displays an “Error Message” box as shown below:

If the innocent user clicks on the “Repair Now” button, they will be redirected to another page, where they are asked for credit card details:


In my previous blog it was incorrectly reported as “Spyware Doctor” instead of “System Doctor”. Through further research and discussion, the software is in fact “System Doctor”, a rogue software product that attempts to leverage its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor as per discussion with PC Tools.

We caution web users against entering their card details and CVV number into these masked doctors seen while surfing the web, as we continue to protect our customers against such social engineering attacks.

QuickTime “feature” + MySpace vulnerability = “Fun” & Profit!

This weekend brought us yet another XSS vulnerability in MySpace being used to modify users’ profiles for malicious ends. Much like in the Windows virus space, we’re apparently past the phase of MySpace worms being used purely for notoriety, and well into the phase of worms for profit.

This worm (JS/QSpace) abuses an intended feature of QuickTime movies: a movie can carry JavaScript code that opens additional URLs. The additional URL in this case is a JavaScript file which modifies the user’s MySpace profile to include the malicious movie.

This boils down to two primary problems:

  1. QuickTime will load external URLs without user consent
  2. MySpace will embed or modify content without user consent, even from external sites

The MySpace part of the equation seems pretty straight-forward to address. Couldn’t something be set up to verify that a human is actually intentionally modifying content, especially if done in bulk?

The QuickTime issue being an intended feature makes this a bit trickier. It seems painfully naive to me, for a feature like this to be added with no precautions put in place to prevent malicious use.

One of the biggest reasons movie files are becoming increasingly popular as distribution methods for malware is that between newly discovered vulnerabilities and features like this, the “return on investment” for malware authors using these file-types is sky-rocketing. Very few people hesitate to view a movie file unless the context it comes in is incredibly suspect (and that’s mostly to avoid getting canned for watching porn at work, or getting the snot scared out of you by the car ad with the zombie that jumps out at the end).

But really, never mind the zombie. There are much more disturbing things potentially lurking in videos now.

404 not just “File Not Found”

The most common use of the popular HTTP error code 404 is to communicate that the client was able to reach the server, but the server could not find the requested file. To a naive user this pretty much means “Let’s move on!”

We present the following information to warn users of a social engineering attack currently in vogue with several malware authors. McAfee Avert Labs recently evaluated a website called 404dnserror(dot)com. At the time of writing this blog, the website throws a “fake” 404 file not found page. But a closer look at the error page, as depicted below, shows that the server tries to install an ActiveX control; the installation message claims that the page is not available because it is blocked by adware/spyware, and proposes installing a security product called “System Doctor” to remove this adware/spyware.

Further analysis of System Doctor reveals this is actually a flavor of the “WinFixer” application that claims to fix registry and hardware errors or to clean adware/spyware.

We caution web users about these “fake” error codes seen while surfing the web, as we continue to protect our customers against these attacks.

UPDATE DEC 6, 2006

“On 5 December 2006 we incorrectly reported that “Spyware Doctor”, published by PC Tools, was involved in this scam resulting in the publication of fake error codes to induce end users to download their software (in the above blog titled “404 Not Just “File Not Found””). It has since come to our attention through further research that the software in fact was “System Doctor”, a rogue software product which attempts to trade off its similarity to the Spyware Doctor name. The blog entry has since been corrected. PC Tools and Spyware Doctor have no affiliation with System Doctor.”

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

BuddyProfile used to spread exploits

Alright, back to the doom and gloom! ;)

A little background info - BuddyProfile.com is a site meant to allow you to spiff up your Buddy Profile for AOL Instant Messenger (AIM). It seems to be popular with a youngish teenage audience; it’s in the top 100,000 sites according to Alexa. It’s this particular fact which makes all the drama that follows just that more disturbing.

The basic problem is one we’ve seen before: when users are free to add their own HTML content with minimal restrictions, people will find a way to add objectionable content like malware and adware.
A SiteAdvisor crawl today turned up some profiles on BuddyProfile.com which immediately redirect the user to an adult site. That site points to a file which is detected as Exploit-ANIfile, which is being used to install Adware-PestTrap, which then displays “security warnings” to the user.
Just to recap:

  1. Popular site, frequented by a large number of kids
  2. Allows users to add their own HTML content
  3. HTML content is being used on profiles to redirect people browsing this site (presumably said kids) to porn and surreptitiously-installed adware programs

Yuck. Seriously.
I think one of our SiteAdvisor researchers, Harry Sverdlove, put it best. He likened sites allowing users to embed their own HTML content into profile pages to restaurants letting people bring in their own food to be served to everyone:

“I’ll take the salmonella and the botulism ‘to go’ please.”

W32/Realor.worm - Infecting Movies for Fun and Profit

After Exploit-WMF and the umpteen image file format exploits that followed, general computer users should understand that a file not bearing the extension *.EXE is not necessarily safe to view. Malware crafted out of document and media file formats is nothing new; nor is it a threat unique to Windows users. Before Word document 0-days made it into mainstream news headlines, there were text file exploits. More recently, there was Exploit-WinAmpPLS playing a spyware note, and a Microsoft security advisory for five critical Flash Player vulnerabilities today; and the music plays on.

Today, McAfee Avert Labs discovered W32/Realor.worm in the wild, actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious webpage without prompting as they are being viewed by the user in the Real media player. These files can be music or videos hosted on a network drive containing corporate presentations, a personal media server, or a P2P shared folder, et cetera. When was the last time you hesitated in opening a movie file?

As much as the new world of broadband multimedia presents new channels for entertainment and business opportunities, it is an attractive breeding ground for malware, like any other popular application. Whether through a worm, using tools or hand-crafted, media files are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristics and generic detection such as New Downloader.b and Generic Downloader.bl are only some of the proactive measures to block such attempts. Internet users are advised to be cautious about sharing media files in a publicly writable folder or viewing media files from unknown sources, just as they would with unsolicited e-mails and *.EXE files.

MySpace in China - When Malware Worlds Collide

It would seem MySpace is looking at the possibility of expanding to China, while at the same time Chinese websites are experiencing a significant amount of traffic in malware comment-spam. It seems to me, unless MySpace gets significantly more involved in making sure the possibility of the XSS vulnerabilities that were used by previous malware are covered, this could be a recipe for disaster. This is a potentially huge source of revenue for the people at News Corp, but also for adware affiliates and malware distributors.

But really, MySpace isn’t the only one that needs to take note of this. It’s really time for Web 2.0 to have a paradigm shift. These websites were started by individuals, and intentionally left to be developed and made great by their user bases. They’re all highly customizable, letting you include an incredible amount of your own content. On the one hand this is a brilliant idea, and has made the internet a much more compelling “place”. (Or is that “tube”?) On the other hand, no one gave much thought to security as these places were being built up. The news has been liberally littered lately with stories about various user-driven sites being used to distribute malware.

Without this change of direction, it could be that within a couple years these sites may become functionally unusable - they’ll be crushed by the very thing that made them revolutionary.

I, for one, hope this does not come to pass.

Hackers use Wikipedia as bait

Hackers are trying to use the good reputation of Wikipedia to lure unsuspecting users into executing malware. The very openness of Wiki that allows users to freely add or edit available content has made it an attractive target for virus authors to plant malicious code in articles. A POC worm targeting Wiki was discovered earlier in August of this year.

In a recent incident, an email was mass spammed to German computer users requesting them to download a security fix for a new variant of the infamous Blaster worm. The email was crafted to appear to come from Wikipedia, complete with an official Wikipedia logo. The email directed users to a doctored Wikipedia article which included a link to malware hosted on an external site.

Editors at Wikipedia were quick to fix the misleading content in the article. However since Wiki stores all previous revisions to an article, the attacker was able to direct users to the archived pages via the spammed email. Wikipedia administrators had to finally erase all old versions of the article to resolve the issue.

As malware authors continue to improve social engineering techniques, public community sites like MySpace, Orkut, Wikipedia et al will have to adapt and modify their policies with regards to posting and editing content. One can take a cue from webmail providers like Hotmail and Yahoo that have implemented mandatory virus scanning of attachments, to have all content scanned by an antivirus before being posted. This will help prevent mischief makers from creating toxic pages.

Update: A detailed analysis of this threat can be viewed at the McAfee Avert Labs Threat Library. Trojan Nordex: http://vil.nai.com/vil/content/v_140856.htm.

Watch a live spam bot in action.

Ever wondered how a trojan infected computer gets its orders to spam? Take a peek with me into one trojan’s junkmail activities. The following account is happening as I type, and shows that some image spam is not unique even though it appears to be random.

The SMTP-sending trojan first phones home for its task list, via HTTP on the SMTP port (25). Port 25 on the host machine is running Apache/1.3.37, which is a very unusual place to find Apache running.

The task list looks like this:

$GET "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
10
12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|
http://get.example.com:8091/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|
http://get.example.com:8092/cgi-bin/cgi2.cgi|
http://serv2.example.com/report2.cgi|1||
http://mail.example.com:8888/cgi-bin/put|

(line breaks and spaces added for readability)

The response it got is in the following format:
“tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|”

So in the example above, the bot got 3 tasks. We’ll take a look at the first one in more detail….
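The task-list format described above, parsed the way a defender would when working through a capture like this one. This is an added example, not tooling from the blog or from McAfee: the sample request and response are constructed from the example.com placeholders on the page (the id value is a placeholder too), laid out one task per line as the bot actually receives it, and the parser extracts the command-and-control endpoints worth blocking and flags the HTTP-on-port-25 oddity the post points out.

```python
"""Parse a captured spam-bot task list and extract its C2 endpoints.

Added example; the sample data below is constructed from the example.com
placeholders in the post, not a real capture.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: the GET the bot issued and the response it received.
# One task per line, as the bot sees it (the post added line breaks only
# for readability). MAGID-ID-STRING is a hypothetical placeholder.
SAMPLE_REQUEST_URL = (
    "http://example.com:25/outtask/urlTask8_c_2.txt?id=MAGID-ID-STRING&flag=1"
)
SAMPLE_RESPONSE = (
    "10\n"
    "12|http://serv2.example.com/outtask/tasks/task_12_letter_1162390208.txt|"
    "http://get.example.com:8092/cgi-bin/cgi2.cgi|"
    "http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
    "20|http://serv2.example.com/outtask/tasks/task_20_letter_1162390209.txt|"
    "http://get.example.com:8091/cgi-bin/cgi2.cgi|"
    "http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
    "22|http://serv2.example.com/outtask/tasks/task_22_letter_1162390209.txt|"
    "http://get.example.com:8092/cgi-bin/cgi2.cgi|"
    "http://serv2.example.com/report2.cgi|1||"
    "http://mail.example.com:8888/cgi-bin/put|\n"
)


@dataclass
class SpamTask:
    """One task line: tasknumber|spam-text URL|Address-list URL|Report address|1||Report address2|"""
    number: int
    spam_text_url: str
    address_list_url: str
    report_url: str
    flag: str
    report_url2: str


def parse_task_line(line: str) -> Optional[SpamTask]:
    """Return a SpamTask for a well-formed task line, else None.

    Splitting on '|' gives 8 fields: the trailing '|' yields an empty last
    field, and field index 5 (between the two report addresses) is always
    empty in the captured format. Anything else is treated as not a task.
    """
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 8 or not fields[0].isdigit() or fields[5] != "":
        return None
    return SpamTask(int(fields[0]), fields[1], fields[2], fields[3], fields[4], fields[6])


def parse_task_list(text: str) -> List[SpamTask]:
    """Parse the whole response; the leading count line and any malformed
    line are skipped rather than trusted."""
    return [t for t in (parse_task_line(ln) for ln in text.splitlines()) if t]


def c2_endpoints(tasks: List[SpamTask]) -> List[str]:
    """Distinct host:port pairs the bot will contact (a blocklist seed)."""
    seen = set()
    for t in tasks:
        for url in (t.spam_text_url, t.address_list_url, t.report_url, t.report_url2):
            p = urlparse(url)
            if p.hostname:
                seen.add(f"{p.hostname}:{p.port or 80}")
    return sorted(seen)


def is_http_on_smtp_port(url: str) -> bool:
    """Flag the oddity the post notes: an HTTP fetch aimed at TCP port 25.
    Legitimate clients speak SMTP there, so this is a useful proxy/IDS hint."""
    p = urlparse(url)
    return p.scheme == "http" and p.port == 25


if __name__ == "__main__":
    tasks = parse_task_list(SAMPLE_RESPONSE)
    print(f"{len(tasks)} tasks; first spam text at {tasks[0].spam_text_url}")
    print("C2 endpoints:", ", ".join(c2_endpoints(tasks)))
    print("task list fetched over HTTP on port 25:", is_http_on_smtp_port(SAMPLE_REQUEST_URL))
```

The parser deliberately rejects anything that is not exactly eight pipe-separated fields, so a changed or truncated C2 response surfaces as a parse miss instead of a silently misread URL; the endpoint list is what you would hand to a firewall or proxy blocklist after confirming the hosts against the capture.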

The PatchGuard arms race has begun!

It was only a matter of time, but the first security ISV has publicly announced a product that bypasses PatchGuard. Authentium announced today that its Authentium ESP Enterprise Platform can bypass PatchGuard. In a world where less than 1% of known threats exploit the kernel in a way that PatchGuard will block, and where only 15 of 264 (less than 6%) Microsoft vulnerabilities from 2004-2006 would have been protected by PatchGuard, according to our calculations, I’m not sure whether to laugh or cry.

PatchGuard is an attempt to close a software hole with more software. As Joanna Rutkowska has amply proven, there is no software-only solution to the rootkit problem. Hardware solutions, like Intel’s Vanderpool or AMD’s Pacifica, are required to harden PatchGuard to the point it cannot be broken, but they will not be widely spread in the field for years to come. And in closing one small hole, it’s opening a host of others, like those addressed by the behavioral, anti-rootkit technology, and HIPS features we, and other vendors, have been working on for years. Arguably, our solutions are not immune to this same problem, the difference being that instead of one solution from a newbie security vendor, consumers today can deploy multiple solutions from many seasoned vendors to create a layered defense strategy, even at the desktop level.

So in the meantime, MS is going to try to put their fingers in the dike of PatchGuard holes, which are more valuable to security vendors than to malware authors, who can just avoid the kernel structures MS is trying to protect. In many ways, this is the final manifestation of the logical conclusion I came to when Greg Hoglund first announced his NT rootkit: We are, and always have been, locked in an arms race with the malware authors and hackers. Microsoft has just taken away our most effective weapons.

Microsoft is putting McAfee, Authentium, Symantec, Sunbelt and the rest of the security community in the interesting position of having to tell our customers that we can’t protect them beyond a reactive AV signature without “hacking” their operating system. So if we can’t protect them, and Microsoft can’t protect them (and won’t let us), what are consumers and enterprises to do? Right now, security vendors and Microsoft are in a very public standoff. It will be interesting to see what happens when Microsoft’s own customers chime in on this issue. What do you think?

Be careful when visiting the Zone-h web site!!!

Many people know http://zone-h.org/ as a web site that monitors defacements. This morning, I visited the site to search for some defaced French governmental web sites. Indeed, attacks against French sites have been increasing since this country passed a bill making it a crime to deny that the Ottoman Turkish empire committed genocide against Armenians in 1915.

Browsing the site, I was surprised to be targeted by a Trojan when I visited some mirrored pages. I am sure that many people, correctly protected or not, do not imagine that they could catch malware from this site.

I just contacted the site founder and co-founder to alert them (see their response below). I would have hoped that they would be able to modify their mirroring techniques, but at a minimum, it would seem necessary to alert people before they open an infected mirrored web page.

Response from zone-h.org:

— QUOTE —
Hello,
unfortunately there is nothing we can do as some defacers are linking, from the defaced webpage, some external pages against which our internal server antivirus cannot perform any sanitation.

Best regards

Roberto Preatoni

— UNQUOTE —

Make sure your security technologies are up to date if you are going to browse their site!!!!!!

“From the floor of VB 2006, pt 2”

Well, more accurately from my hotel room here in Montreal, because the floor is full of people moving chairs and taking down booths. Rob Lemos asked me yesterday why so much of the data presented here at VB seems dated, which is not really surprising as papers are due months before the show for editing and printing, etc. That being said, there is a certain amount of self-censoring that goes on - you don’t want to show all your cards to either the competition or the malware authors. But I thought today was a fascinating display of just how relevant the conference was this year.

This morning, Infoworld’s Paul Roberts (http://weblog.infoworld.com/techwatch/archives/cat_security.html) reported on a notice sent from the UK Metropolitan Police (responding to information discovered by Avert staff in Europe) to 3000 British citizens informing them that their computers had been compromised, including passwords, credit card numbers, etc. The show today ended with a panel discussion on fighting cybercrime that included representatives from the FBI, several security vendors and a large corporate customer. While most agreed that the trend is getting worse, everyone was in favor not only of more information-sharing between vendors and law enforcement, but also of more reporting from affected corporations and individuals to law enforcement. While cybercrime is a significant priority at the FBI (after counter-terrorism and counter-intelligence), the more data that law enforcement has, the better their funding opportunities. The real goal here is to increase the risk:reward ratio. Right now cybercrime is so lucrative, so cheap to carry out, and incurs such a low risk of capture (much less of significant penalties, depending on the jurisdiction), that it is neither surprising nor unexpected that it is growing.

The other somewhat surreal coincidence was between Randy Abrams’ presentation on Microsoft and competition with the AV industry, and the announcement that MS will be making changes in Vista to reduce EU and Korean concerns over competitive or antitrust issues (http://biz.yahoo.com/rb/061013/microsoft_eu.html?.v=7). Randy’s conclusions, based on his having worked at MS and at an AV vendor, were that Microsoft is essentially playing fairly on a technical level, but that their mere presence will affect large AV vendors like McAfee and Symantec more than the smaller players. He also believes that Microsoft’s success will be largely dependent on the quality of the software and support provided by OneCare and ForeFront. Having watched a number of markets go away after Microsoft’s entry, I am more cynical, and would expect both their sheer ownership of the platform and integration points, if not their access to technical information, to have some non-trivial effect. It sounds like the EU and Korea agree, but time will tell I guess. What is not up for debate is that there is another kid on the block and he’s bigger than all of us put together.

It's all in the Game!!

The online gaming industry has matured into a serious business with revenues running into the billions of dollars. As we know, once something gains popularity on the Internet and is profitable, it becomes an attractive target for hackers.

In the early days, game crackers spent quality time breaking CD protection or finding secret codes to unlock hidden weapons and levels. With the advent of both online games and Massively-Multiplayer Online Role Playing Games (MMORPG), official gaming networks now require legitimate CD keys and/or registered accounts to log on and play online. Virus authors responded by unleashing a rash of trojan horse programs masquerading as game cheats or trainers in order to steal the CD keys of online games. To get a victim to run these trojans, the files were posted on bulletin board systems, Internet Relay Chat channels or on popular gaming site forums. But the intended victim still had to download and execute the trojan for the ploy to work.

So the obvious question was “How to make a self-spreading game CD key stealer?” Sdbot and Gaobot, with the ability to multiply via exploits and weak passwords, were readily available at that time. It wasn’t long before a module was written and introduced into the bot code to steal the CD keys of popular online games from Electronic Arts, id Software, Red Storm and Valve. Fortunately, most of the bots in the wild these days have dropped this functionality, as the popularity of some online games has waned recently.

Massively-Multiplayer Online Role Playing Games like Lineage, World of Warcraft and the Final Fantasy series rule the gaming world today, with an insane number of hardcore gamers competing against each other in the virtual world. Every day, McAfee Avert Labs receives numerous malware samples designed to steal game account information, targeting popular game titles. And in a shift away from trojan horse programs masquerading as game cheats, we are seeing a trend where virus authors are writing old-school file-infecting viruses like W32/Bacalid, W32/Detnat and W32/Philis that target popular role playing games.

Are these guys doing it for the love of the game? Nope, that sounds too good to be true. Underground RMT (Real-Money Trading) groups thrive on dealing in stolen game accounts and operate mostly out of Asia. With a player’s stolen account information, their virtual assets can be transferred to another player's account or simply auctioned off and sold for real money. This phenomenon is currently region-specific but could easily reach menacing proportions similar to the threats plaguing online banking.

ATM security is still computer security

There have been a few articles today about a method to hack ATMs whose default administrative passwords have not been changed. This shouldn't be entirely surprising, for a number of reasons. We already know that some ATMs are also vulnerable to viruses, that voting machines can be hacked, etc. Good security practices are good security practices regardless of the specific operating system being used. The hacking incidents mentioned above, in particular, are caused by the same basic conditions that have led to the prevalence of things like bots and password-stealers. In the case of the voting machines and password-stealers, important data kept unencrypted is easy to steal or manipulate. In the case of ATMs and bots, using easy-to-guess passwords makes it very easy for someone else to add or subtract things from your machine.

People seem to get lulled into complacency because their particular machine or operating system isn't in common usage, regardless of whether the OS is on a laptop/desktop machine or on another sort of device. Security through obscurity will only get you so far, especially when your device has something of monetary value on (or in) it.

Internet browsers and cyber-crime.

Thousands of websites are compromised every day. Many end up defaced or vandalized with greetz to the hacker and flames to the system administrator for failing to maintain server security. Defacing is the lowest form of internet graffiti and is usually done for fun or attention.

More sinister is when organized crime groups use compromised web servers to host malware. The compromised web pages are modified to host zero-day exploits that compromise users via drive-by downloads, or the servers are used as staging servers from which trojan downloaders pull (and to which they push) further malware. Attack script toolkits like WebAttacker are being sold on the internet and are then custom-configured to infect visiting computers without any user interaction. An attacker only needs to send spam e-mail or instant messenger messages inviting recipients to visit a compromised website hosting the exploit and its malware payload.

So how does one know where the attacks will come from? What can be done to track down the bad guys and combat them? One, of many ways, is to scan the internet for vulnerable systems and then monitor the sites that are found to be vulnerable, waiting f