The next big [ugly] thing: Trojan shows fake bank balance

A banking Trojan that Finjan researchers call URLZone exploits a hole in the major browsers on Windows machines to show victims a fake balance on their bank’s web site while it steals cash and sends it to a money mule’s account, according to Finjan.

Victims continue to see the fake balance and do not notice the theft until they check their balance at an ATM, log in from a computer that is not infected or receive an overdraft notice.

URLZone, which is loaded onto victims’ computers by malicious PDF files or JavaScript, exploits a vulnerability in Firefox and Opera as well as Internet Explorer 6, 7 and 8. It has recently been used to steal more than $400,000 from customers of German banks, according to Yuval Ben-Itzhak, Finjan chief technology officer.

Ben-Itzhak said “It’s a next generation bank Trojan. This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems.”
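What “shows a fake balance” amounts to in practice is a rewrite of the bank page inside the victim’s browser: the trojan drops the row for the transfer it made and restates the balance so the page still adds up, which is why the theft only shows up out of band (ATM, uninfected machine, overdraft notice). The Python model below is an added illustration, not code from URLZone, Finjan or the original post. The statement data is constructed, mitb_rewrite() is a hypothetical stand-in for the trojan’s page manipulation, and the two checks show the point: an in-page arithmetic check passes on the tampered page, while a comparison against the bank-side ledger catches it.

```python
import re
from decimal import Decimal

# Constructed sample data (not real bank records): opening balance and three
# transactions, the last being the fraudulent transfer to a money mule.
OPENING = Decimal("2500.00")
SERVER_LEDGER = [
    {"date": "2009-09-21", "payee": "Salary",       "amount": Decimal("1800.00")},
    {"date": "2009-09-23", "payee": "Rent",         "amount": Decimal("-950.00")},
    {"date": "2009-09-28", "payee": "MULE-ACCOUNT", "amount": Decimal("-1200.00")},
]

AMT_RE = re.compile(r'<td class="amt">(-?\d+\.\d{2})</td>')
BAL_RE = re.compile(r"Balance: (-?\d+\.\d{2})")


def render_statement(opening, txns):
    """Bank-side rendering of the statement page the browser receives."""
    rows = "\n".join(
        f'<tr><td>{t["date"]}</td><td>{t["payee"]}</td>'
        f'<td class="amt">{t["amount"]:.2f}</td></tr>'
        for t in txns
    )
    balance = opening + sum(t["amount"] for t in txns)
    return f'<table id="txns">\n{rows}\n</table>\n<p id="balance">Balance: {balance:.2f}</p>'


def mitb_rewrite(html, hide_payee):
    """Hypothetical man-in-the-browser rewrite: remove the row naming the mule
    and restate the balance as if that transaction never happened, so the page
    remains self-consistent. Stands in for the trojan's page manipulation."""
    row_re = re.compile(
        r"<tr>[^\n]*?" + re.escape(hide_payee)
        + r'[^\n]*?<td class="amt">(-?\d+\.\d{2})</td></tr>\n?'
    )
    m = row_re.search(html)
    if not m:
        return html
    hidden = Decimal(m.group(1))
    html = row_re.sub("", html, count=1)
    return BAL_RE.sub(lambda b: f"Balance: {Decimal(b.group(1)) - hidden:.2f}", html)


def parse_statement(html):
    """What a client-side check can see: the listed amounts and the printed balance."""
    amounts = [Decimal(a) for a in AMT_RE.findall(html)]
    balance = Decimal(BAL_RE.search(html).group(1))
    return amounts, balance


def internally_consistent(html, opening):
    """Passes for both pages: the rewrite keeps opening + rows == balance."""
    amounts, balance = parse_statement(html)
    return opening + sum(amounts) == balance


def matches_server(html, opening, server_txns):
    """Out-of-band check against the bank's own ledger; this is what catches it."""
    amounts, balance = parse_statement(html)
    expected = opening + sum(t["amount"] for t in server_txns)
    return balance == expected and len(amounts) == len(server_txns)


if __name__ == "__main__":
    clean = render_statement(OPENING, SERVER_LEDGER)
    tampered = mitb_rewrite(clean, "MULE-ACCOUNT")
    print("in-page check on tampered page:", internally_consistent(tampered, OPENING))
    print("server comparison on tampered page:", matches_server(tampered, OPENING, SERVER_LEDGER))
```

The design point: any check that only reads what the browser renders is checking the attacker’s output against itself, so the reference data has to come from a channel the infected machine cannot rewrite.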

Story here.

Rogue downloader uses Firefox warning screen lookalike

Patrick Jordan found this one today:

The rogue Alpha AntiVirus page used to hijack the browser mimics the Firefox warning screen:

(Screenshot: Firefox attack 01)

It looks like the Firefox warning page (even though it is being displayed in Internet Explorer), but with a difference. Clicking leads to this:

(Screenshot: Firefox attack 02)

Which goes to the payment screen:

(Screenshot: Firefox attack 03)

The AlphaAV lineage:

XP Antivirus (2007)

AntiVirus 2009 (2008)

AntiVirus 360 (end of 2008)

Total Security (January 2009)

Personal AntiVirus (January 2009)

Total Security (2009)

What makes researching these rogues challenging is that they rotate their download sites about every six hours.

Thanks to Patrick Jordan

Tom Kelchner

Philippine flooding – all Sunbelt hands accounted for

Researchers in the Sunbelt Manila office have reported that the entire staff has been accounted for and flood waters are receding. Half the staff members are in their homes and unable to reach the office. The Sunbelt facility is on the 17th floor and has electricity.

The Sunbelt headquarters in Tampa Bay, Florida, has been in touch with various staff members by email.

Staffer Alejandro Mendoza III sent the following:

Here are some photos taken from my apartment. I am at Pasig Green Park Village and fortunately, my place is on the 3rd floor. Our village is near Joey, Aldous, Reggie, Reggie and Berman.

(Photo: Santos01)

When we woke up at around 11 am, water was already waist deep. We were not worried at all since the place does not usually get flooded. We no longer had electricity at around 1 pm.

(Photo: Santos02)

By 4 pm, the place was already chest deep. At this point, things started to get scary. We could no longer go out and evacuate because the water level was higher on the main road, so we opted to stay in our apartment. Those who were staying in single-story houses began to move to our place.

Inside the first floor of our apartment. Our place is higher than the road, so the water level was still knee deep at this point.

(Photo: Santos03)

By 11 pm the murky water had already covered the first floor and cars were completely submerged. The water level on the street was about 6 feet or deeper. You can only see the trunk of the Chevrolet.

(Photo: Santos04)

By 8:30 am 9/27, water was still shoulder deep. People had to use an air bed as a life raft to go out and check on our other neighbors.

Water slowly subsided, and by 8 pm it was still waist deep.

Aldous de los Santos sent this account at 1:44 p.m. Sept. 28 (local time):

Water in my area has receded this morning.

I plan to come by the office this afternoon to recharge cell phones and laptop computer.

We are fixing and cleaning a lot of things in the apartment. Roads going out are muddy but passable.

I’m saving the battery of my laptop, so I can only go online from time to time.

I’ll see if I need to get a power generator for the house in case the power takes weeks to be restored, since I heard that some areas are still under water.

We have only a few updates from the news since we are saving batteries.

No TV, we can only get updates from the net and radio.

(Photo: Flood01)

(View from los Santos’ apartment during the flooding.)

(Photo: Flood04)

(And when it peaked.)

Tragic flash floods and landslides always happen in PH =(

I only watched it on the news and visited the places after it had happened, and this is my first time experiencing being really involved. I think what I have experienced is still minor compared to other subdivisions and provinces. The photos I took are within my area.

I wanted to go to the office to take some pictures, since we are on a higher floor and I can get a good view. But I have to stay with my family while the water is high.

–Aldous

News today on Philippine flooding. 100,000 homeless and 240 dead.

To help the victims of the flooding, go through the Philippine Red Cross (URL here).

Tom Kelchner

A “malware experience,” brought to you by McAfee?

McAfee Avert Labs is advertising its Focus ’09 conference next month in Washington, D.C. We find one of the 13 sessions on the agenda disturbing:

Avert Labs — Malware Experience

“Join experts from McAfee Avert Labs and have a chance to create a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware. Of course this will all be done in the safe and closed environment, ensuring that what you create doesn’t actually go out onto the Internet.”

This is unethical. And it’s the wrong approach to teaching awareness and understanding of malware. This would be like your local police giving a crash-course on how to plan and execute the perfect robbery — yet to avoid public criticism, they teach it in a ‘safe environment’: your local police station.

The oldest myth and question in the antivirus business can now be answered thanks to McAfee: ‘Yes, antivirus vendors do create their own malware. At least one of them does it. On top of that they even educate people that are not criminals yet on how to do it!’ Knowing Vesselin Bontchev as a colleague and friend, I’m sure the last word has not been spoken here. Someone has to point out that this is wrong. Very wrong.

I think McAfee just managed to add another point to the ‘why do people write malware list:’

1. Anger issues
2. Fun Factor
3. Espionage
4. The hacker instinct
5. Money Money Money
6. Political agitation
7. The Shakespeare Syndrome: Romance & Drama
8. Sabotage
9. The intellectual challenge and passing the boring time
10. Extortion
11. I just updated my resume with virus knowledge
12. Because McAfee teaches it now in a ‘safe’ environment

See McAfee’s course description here.

Let’s remember that in 2003, the University of Calgary drew fire for offering a similar course.

I have a lot of respect for my colleagues at McAfee. Please, don’t let this happen.

Michael St. Neitzel
VP of Threat Research and Technologies

Update: McAfee has clarified this matter in the curriculum for their upcoming Focus 09 Security Conference. The text now reads: “Join experts from McAfee Avert Labs and have a chance to work with a Trojan horse, commandeer a botnet, install a rootkit and experience first hand how easy it is to modify websites to serve up malware.”

This is considerably better.

Thoughts on MSE

I’ve hemmed and hawed about saying anything about Microsoft Security Essentials. However, I’m getting requests as to my position on the issue.

Generally, my feelings on MSE are as follows:

  • It is not a Microsoft conspiracy to take over the world, etc. They had to do this in order to beat off Apple, and improve their security posture as a company. They have removed millions of infections using the MSRT tool and they really do need to do something about machines that are not protected — for the good of the rest of us. It is ultimately good for the consumer.
  • It will probably not have a major impact on the big incumbent players, but it will likely have a dramatic effect on the free AV players, like AVG and Avira, because many of their installs come from “experts” installing it on PCs (people like your neighbor, or a family member, who installs it on your behalf). These people will likely move to the Microsoft solution. This will take some time but the risk is there. Nag screens, toolbar installs, misleading messages to upgrade, all efforts to monetize a free product piss off users to no end.
  • The incumbents should not underestimate the wrath that many users have about their products. It’s not all fair — there have been many improvements (especially Symantec, which has done a truly remarkable job with their latest releases). But the anger is there, and you see it all the time on listservs, forums, etc. This emotional reaction may play a part in Microsoft getting traction.
  • The Microsoft product isn’t bad at all, unlike past efforts on their part (like the free antivirus tool in DOS 5, which was a joke). Decent detections, reasonable footprint. However, it does not have email AV functionality or all the bells and whistles that the suites have. Nevertheless, 2-way firewall functionality is built into Windows 7, so that is a lesser issue.
  • The idea that consumers will want a broader, more complete product isn’t totally incorrect. We’ve seen this with the freebie players — about 2% of their user base upgrades to the more complete versions. The people with no money will use the free Microsoft product. The people who want to ensure a more comprehensive security posture will buy the full suites from Norton or McAfee. Name brand still means a lot in this market (it’s worth noting that our surveys indicate that about 40% of the market has suites, vs. 60% that use a dedicated AV).
  • The OEMs like Dell are going to continue to push suites, because they get a lot of money from Symantec and McAfee for pre-installs. Retailers will go the same way — don’t expect Geek Squad to start installing the free product (at least in-store). There’s a lot of money at stake.
  • This download is not going to come through Windows Update, which is a big deal. Users will need to proactively download it from the Microsoft website or from places like Download.com. It will also not be OEMed, at least in the major markets (possibly in the third world, but that’s just speculation).
  • A lot of people will download it just to remove an infection that their existing antivirus product didn’t catch. This puts the very profitable scan-and-scare model at risk.
  • The one space that will not be significantly affected is the enterprise/SME side. The MSE product is not manageable, and hence is not really usable in environments over 25 users. (Microsoft does restrict usage to home networks only, although realistically most micro-SMEs won’t read the fine print).
  • Sunbelt is not significantly affected by this release. Years ago, Microsoft purchased our development partner at the time, Giant Company, in order to release a free antispyware product. At that point, I decided not to ever be at the mercy of a Microsoft release, and now 90% of our sales come from the enterprise (this does not mean we’re exiting the consumer market, it’s just that we are not going to let this business get “too big to fail” — we have a consumer product, which is well priced and well supported, and we’ll continue to innovate in this area). As regards the enterprise, we have seen Microsoft bundling ForeFront for free in some cases, but it’s not a major issue. Let’s hope it stays that way.

Alex Eckelberry

IRS NOT!

Don’t go there:

(Screenshot: fake IRS spam)

The Zeus Trojan is being spread through a major spam campaign under the guise of a notice from the IRS. Spam emails contain a subject line of “Notice of Underreported Income.”

If users follow a link in the spam or open an attachment, they get infected with the Zeus Trojan.

CERT advisory here.

Tom Kelchner

Sunbelt Philippine Office Closed by Flooding

Here at the Sunbelt headquarters in Tampa Bay, Florida, we’ve had limited contact with the staff in our research office in Manila, Philippines, about the flooding situation there from Tropical Storm Ondoy (also called Ketsana).

Our Manila office is in an area affected by flooding, but is on an upper floor and not damaged. One researcher is in the office and is attempting to coordinate communications. He reported Sunday that he hadn’t heard from eight of the 15 staff members.

On Saturday, the Philippine Weather Bureau recorded 341 millimeters of rainfall (nearly 14 inches) in six hours. The storm caused the worst flooding in more than 25 years. The government has declared a “state of national calamity” in 27 provinces. Pasig City, a suburb of Manila, has been hard hit by flood water from the Pasig River.

On Sunday, Michael St. Neitzel, VP for Threat Research and Development, received the following email from Philippine research group member Francis Montesino:

“I’m bunking in the office since the apartment I live in is still inaccessible. Our office building/area is not greatly affected, but it seems our main Internet line as well as our phone line is down. Internet connection is slow as of the moment. I might be the only one reporting to the office tomorrow, though I plan to do some volunteer work early in the morning before doing some actual work.”

Montesino said that he had not heard from eight of the 15 research office staffers. Those that were in contact had reported they were unable to get to the office because of high flood waters.

Also on Sunday, researcher Aldous de los Santos reported that “our subdivision and other nearby subdivisions are submerged in flood waters. =( Only roofs can be seen on most houses. We (including our neighbors) have camped on the 2nd floor of our house for two nights now. The ground floor is where our cars are parked and where the sala and kitchen are located, and it’s submerged.

We did not evacuate our houses since it did not reach our 2nd floor. But, from the view in my house, only the roofs of my neighbors’ houses can be seen. The water is subsiding already. Hopefully tomorrow we can start fixing our things. My car was completely submerged for more than 24 hours.

We have 9 cars affected within the place. We did not know that this could happen. We are all surprised. The water rose very fast and we were not thinking that it could be as high as a house’s roof or our ground floor’s ceiling. There are many other nearby areas affected. I have surveyed the area by swimming out of my place to acquire some food.

Power/electricity has been cut off since Saturday when the water was beginning to rise. I’m not sure how long they are going to take to restore it since houses are still under water. I will try to get a power generator. But it looks like there will be lots of people buying stuff since appliances and other things were washed out.

I heard that even large malls are affected. The Ortigas area where our office is located has been affected too; I haven’t surveyed it yet. As of this afternoon, Ortigas Ave. Ext. is not passable because the water is very deep for buses/cars or people to pass through. Transportation is very difficult. So, I did not bother to go farther. It’s going to be difficult for me without my car. =(

I haven’t talked with the other guys since communication is difficult too. Cell phones were useless on all cell network providers yesterday. I think it is becoming okay as of this afternoon. Since our landline is not working, my DSL is down. I’m using HSDPA to connect to the internet. We have lots of things to do tomorrow when the water has completely subsided: clean the place and pick up our things that were washed out. My car needs to be towed and repaired. Not sure if it is repairable though. I hope insurance will cover it. It may not be serviced very soon since there are lots of affected cars and they will be bombarded with cars that need to be checked and repaired.

Well, any kind of help here will be appreciated. I’m not sure how the other guys were affected but this is my story (so far) =(”

According to news reports, the country’s government is estimating that 435,000 people in Manila and provinces north of there are homeless.

St. Neitzel said: “We’re very concerned about our staff members in Manila and we’re attempting to establish communications with them. We’ve had limited contact via the Internet. From news reports, it appears that the floodwaters have begun to recede, however, many people are homeless and, in at least one Manila suburb, the flood waters were still a serious threat on Monday.

“If anyone would like to help the victims of the flooding, we encourage them to go through the Philippine Red Cross (URL here.)”

Research staff in Clearwater will be picking up the duties of the Manila staff until they can get their office back on line.

News story here.

GMA News (Manila TV station) report here.

Tom Kelchner

“Twitter is dead”

Robert X. Cringely’s blog “Notes from the Field” carried a piece under that head today.

Cringely (is that his real name?) has a writing style that can only be described as a breathless, rapid-fire series of snarls. It appears that his basic outlook is: “I don’t like it. It’s new.”

But, I digress.

Anyway, his blog piece predicted that Twitter, in spite of an infusion of $100 million in capital (bringing its paper worth to $1 billion), is doomed. It makes no profit and is trying to find a business model.

The reason it’s doomed: “spammers and scammers have their hooks into Twitter.”

Cringely also apparently hates the celebrity culture connection: “More than 3 million people now hang on every 140-character belch that comes from the keyboard of Ashton Kutcher,” he writes.

He does acknowledge that the number of people subscribing to it is growing very rapidly.

Like a lot of things in the American culture, there is a lot about Twitter that isn’t apparent. Yes, it appears to be a trivial plaything that’s become a serious security exposure. However, so is email, file sharing and most of the web.

I’m sure Cringely would slash any academic study of how Twitter is being used – he doesn’t seem to like academia either – but when those papers start to emerge I believe we’re going to see something very different. There are serious, business-related uses for Twitter. That’s the only way I have ever used it:

1) A computer security research group manager I know, who is as curmudgeonly as Cringely, was an early adopter. I read his security news Tweets several times a day and I know that a lot of his company’s customers read them too.

2) A few minutes after this piece I am now writing appears on the Sunbelt blog, it will be Tweeted out to subscribers.

Robert X. Cringely’s snarl blog here.

Tom Kelchner

Virus Bulletin conference news headlines

The worst part about going to a mega-conference like Virus Bulletin 2009 is the vast amount of stuff there to see and do, all the food that you overeat and the late nights you spend drinking too much beer with other professionals in your field. The best part is… well… pretty much the same things.

When you’re trying to choose presentations and tracks and find the right room they’re in, it’s hard to get an overall view of the conference: what were the big stories?

Here’s our compilation of the news headlines from the VB 2009 conference. It’s not like being there, but, maybe you can take your laptop to a brew pub, read these and pretend you’re in Geneva. Prost!

“Koobface, Twitter Attacks Growing More Sophisticated”

Attacks and scams aimed at Facebook, Twitter and other social networking sites are continuing to evolve.

Ivan Macalintal, Trend Micro senior threat analyst

“Penis pill spam: The hard figures”

Male enhancement pill spammers selling unlicensed prescription medication, including Viagra, are largely connected with the partnerka, the Russian affiliate networks through which spam and malware are distributed. Samosseiko found 124,000 “Canadian pharmacy” sites and estimates the groups make $1,600 per day per spam run.

Dmitry Samosseiko, Sophos

“Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected “

Bot infections in enterprises have grown from 5-7 percent last year to 7-9 percent this year according to a study of 600 botnets. Most of the bots were little-known varieties.

Erik Wu, Damballa

“Internet companies face up to ‘malvertising’ threat”

Internet providers need to make a more coordinated effort to protect Internet users from malvertising.

Eric Davis, head of Google’s anti-malvertising team

“In search of a standard for displaying security threat levels”

Anti-malware vendors should create a standard way of assigning computer and Internet threat levels.

Bryan Lu, Fortinet project manager

“Hijacking Windows System Restore for cybercrime profits”

The creators of the Win32/Dogrobot malware have developed a sophisticated rootkit technique to hijack Windows System Restore. They use it to steal billions of dollars in gaming credentials and virtual property in China.

Chun Feng, Microsoft anti-virus researcher

(Podcast) “VB 2009: Stefan Tanase on Web 2.0 Threats and Anti-Social Networking”

In the Digital Underground podcast, Dennis Fisher interviews Stefan Tanase, senior security researcher at Kaspersky Lab, about social networking site threats as well as Web 2.0 privacy and security concerns.

Stefan Tanase, Kaspersky Lab senior security researcher

As you’ve probably figured out, I didn’t get to go. Maybe I can bum the conference proceedings from somebody, then watch the YouTube videos on my laptop in the Dunedin House of Beer.

Tom Kelchner

Old school stuff: Sunbelt mentioned in rogue code

“Mystic Compressor…Greetings to Sunbelt – only they know my name ;)”

What this means:

1. Somebody wrote the Trust Warrior rogue and distributed it.
2. Sunbelt researchers analyzed it and added it to VIPRE signatures earlier this month, calling it “Trust Warrior.”
3. The malware writer checked to see if anti-virus applications were catching his rogue and noticed that VIPRE did detect it.
4. He rewrote the code — probably to avoid detection — and added the line about Sunbelt.
5. Since Sunbelt’s naming convention for rogues is to use the name they give themselves, the malware writer was flattered that we used the name HE gave his creation.

Sunbelt uses the names that show up on the rogues’ graphic user interfaces to make it easier for victims to know what they’ve been infected with.

Sunbelt Rogue Blog description of Trust Warrior here.

This is some old school stuff that dates back to the beginning of the anti-virus industry. Back then the AV companies began the practice of making up different names than the ones given by the virus writers to deny them the satisfaction of seeing THEIR virus name in the news. The first AV researcher to describe a virus got to name it.

In 1995, an AV analyst even managed to rename a virus and add insult to the game. The first Windows 95 virus contained really sloppy code and the first AV researcher to analyze it gave it the name “Boza.” Boza is a lightly fermented drink made with cornmeal, sugar and wine yeast in the Balkan countries. It’s also a euphemism in those countries for something that’s a mess or all mixed up.

I guess you had to be there.

See S!Ri.URZ blog entry here.

Thanks to MAD

Tom Kelchner

What’s new?

There were three stories today with interesting variations on familiar themes:

1. Razer USA, maker of popular gaming accessories, discovered that its web site had been compromised and visitors who were trying to download mouse or keyboard drivers were getting infected copies. They shut down their site and began cleaning out the malware, which turned out to be an obscure Trojan that Trend calls WORM.ASPXOR.AB.

Gaming mouse-maker Razer hit with infected firmware

2. In China, someone has been sending spear phishing email attachments to the journalists and activists who are expecting to cover the 60th anniversary of the Chinese Communist revolution Oct. 1. The emails were from a fictitious economics editor named “Pam Bouron” who asked the recipient to help her arrange interviews when she visited Beijing. As usual with attacks coming out of China, it wasn’t clear whether the malefactors were government agents, patriotic vigilantes, criminals from Russia, criminals from the U.S. or none of the above.

Chinese cyber attacks target media ahead of anniversary

3. There was a piece on computer security practice on the front lines written by a company security manager under a pseudonym. “J.F. Rice” complained of managers in his company purchasing equipment without the slightest thought for security. In this case, managers replaced printers with “multi-functioning devices” (MFDs — printer plus fax plus scanner plus email, plus bells plus whistles.)

So what’s to worry about? Turns out the MFDs contain an old version of the Microsoft Windows operating system and run on the company network. And, of course, nobody thought of patches, security updates or AV protection when they signed the contract with the distributor or planned the budget.

Also, when the MFDs process documents, they create temporary files and then erase them. The text of those documents, of course, remains on the hard drives until it’s overwritten. And when the devices are disposed of, will that information really have gone away? Noooo. There’s a potential compliance issue.

Security Manager’s Journal: Security is left out of another decision till too late

The point? Evil never sleeps.

No really. Malware threats and exposures evolve constantly, incessantly, prolifically. Expect that.

Tom Kelchner

$88K libel judgment follows woman’s three-year Internet harassment of swim coach

The Internet has put an incredible amount of power, for good or ill, in the hands of anyone who can operate a computer. Occasionally there is a news story about that power that just makes your jaw drop.

A Connecticut high-school science teacher and swim coach was awarded an $88,000 judgment by a civil court after the mother of a swim team member persistently harassed her by email for nearly three years.

Teacher and coach Mary Anne Bojko, 44, of East Hartford, Conn., won the judgment against Laurie Lima, the mother of the women’s swim team captain Rachel Lima. Bojko and Rachel got along well.

Laurie Lima falsely accused Bojko of telling swim team members to keep secrets from their parents. She often would send 30-40 email messages per day, accusing Bojko of being abusive and said she was “one step away from a pedophile.” Lima emailed the accusations to other teachers, school administrators, state legislators and the governor’s office.

Bojko was forced to stop coaching two years after she took the job and take two paid leaves of absence from her teaching job.

Judge Julie Aurigemma, who ruled that Lima had libeled Bojko and was responsible for intentional infliction of emotional distress, called the attacks “malicious, outrageous and evil.”

Bojko grew up in East Hartford and was on the high school swim team when it was coached by her father.

Story here.

Tom Kelchner

Social networking: there REALLY is no privacy! I mean none. REALLY!

A class project in an MIT computer science course two years ago used “friend” links to predict whether Facebook users were gay. In a similar project, a researcher at the University of Texas at Dallas was able to determine Facebook users’ political affiliation. At the University of Maryland in College Park, Md., researchers used a number of information-gathering techniques on Facebook, Flickr, Dogster and BibSonomy and were able to extract significant personal information about users.

At MIT, the “Project Gaydar” student researchers, Carter Jernigan and Behram Mistree, are working on an article for a professional journal about their Facebook research. Their program looked at the genders and sexual orientations of a subject’s online friends and predicted whether the subject was gay. Checked against people they knew, it worked for men, though less well for gay women.
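The inference the students made is a straightforward application of homophily: count the values disclosed by a user’s friends and take the majority, and an attribute the user kept private leaks through the friends who did not. The Python below is an added illustration, not the MIT, UT Dallas or Maryland code. The friendship graph is constructed, the attribute is a neutral binary field (A/B rather than the orientation field the study used), the min_friends threshold and tie handling are this example’s assumptions, and leave_one_out() is the check-against-people-you-know step from the story.

```python
from collections import defaultdict

# Constructed toy network (not data from any of the studies above).
# Friendships are undirected; DISCLOSED holds the profile field each user
# chose to make public, with None meaning the user kept it private.
FRIENDSHIPS = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "carol"), ("bob", "erin"),
    ("dave", "frank"), ("dave", "grace"), ("frank", "grace"),
    ("erin", "heidi"), ("heidi", "ivan"),
]
DISCLOSED = {
    "alice": "A", "bob": "A", "carol": "A", "erin": "A",
    "dave": None, "frank": "B", "grace": "B",
    "heidi": None, "ivan": "B",
}


def build_graph(edges):
    """Adjacency sets for an undirected friendship graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def infer_from_friends(graph, disclosed, user, min_friends=2):
    """Homophily guess for one user: majority value among friends who disclose.
    Returns (value, confidence); value is None when too few friends disclose
    or when the top values tie (assumed policy: no guess rather than a coin flip)."""
    counts = defaultdict(int)
    for friend in sorted(graph[user]):
        if disclosed.get(friend) is not None:
            counts[disclosed[friend]] += 1
    n = sum(counts.values())
    if n < min_friends:
        return None, 0.0
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None, ranked[0][1] / n
    return ranked[0][0], ranked[0][1] / n


def infer_private(graph, disclosed, **kw):
    """Guesses for every user who kept the field private: the leak itself."""
    return {u: infer_from_friends(graph, disclosed, u, **kw)
            for u, v in disclosed.items() if v is None}


def leave_one_out(graph, disclosed, **kw):
    """Validate against people whose value is known by hiding each one in turn.
    Returns (correct, guessed, total) so coverage is visible as well as accuracy."""
    known = {u for u, v in disclosed.items() if v is not None}
    correct = guessed = 0
    for u in known:
        hidden = dict(disclosed, **{u: None})
        guess, _ = infer_from_friends(graph, hidden, u, **kw)
        if guess is not None:
            guessed += 1
            correct += guess == disclosed[u]
    return correct, guessed, len(known)


if __name__ == "__main__":
    g = build_graph(FRIENDSHIPS)
    print(infer_private(g, DISCLOSED))   # dave guessed from his friends; heidi is a tie
    print(leave_one_out(g, DISCLOSED))   # correct, guessed, total among disclosing users
```

Note what the output says about the advice at the end of this post: a user who discloses nothing is still classified if enough friends disclose, and the only users the method cannot label are those whose friends split evenly or mostly stay private.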

Jason Kaufman, a research fellow at the Berkman Center for Internet and Society at Harvard University said, “Potentially everything you ever do on the Internet will live forever. I like to think we’ll all learn to give each other a little more slack for our indiscretions and idiosyncrasies.”

Project “Gaydar” story here.

If that information is going to live forever, social networkers might consider using an alias. Or just have a really diverse group of friends.

Tom Kelchner

VB Geneva: A tough job, but someone has to do it…

Our report from the VB conference, by Sunbelt VP for Product Development Mark Patton:

Sunbelt Software is sending a small army to the Virus Bulletin conference in Geneva, Switzerland this year. We’re a sponsor!

The VB conference is for the hard-core AV guys, so we sent CEO Alex Eckelberry, Chief Technical Officer Eric Sites, Anti-Virus Technologies QA Manager Casey Sheehan, Malware Response Manager Dodi Glenn and me.

We also sent Business Development Associate Tracy Koppenhoefer and Chad Loeven, our VP of Business Development. Chad, Alex and Eric know about 90 percent of all the expense-account-toting attendees, so there’s never a shortage of dinner invitations. And when I say “dinner”, I mean beer drinking.

We are arriving a day early to recover from jet lag, but instead of wasting the day shopping for watches, we are trying to get a tour of the world-famous Conseil Européen pour la Recherche Nucléaire (CERN) Large Hadron Collider – a particle accelerator ring 16 miles in diameter and 100 meters below ground. They accelerate atoms to the speed of light and smash them together to see what kind of fragments fly off. It’s too bad Mike Neitzel isn’t with us – no doubt he could talk them into starting it up and smashing some atoms while we watched. But then again it might accidentally create a Black Hole that would destroy the Earth and that would ruin the rest of the trip…

There are lots of websites that explain what this thing is. Here is one.

The rest of the week we’ll be attending the conference, networking with other AV guys and of course going to “dinner.”

Thanks to Mark Patton for the travelogue and thanks to Curt Larson for the headline.

I asked them to bring me a Higgs boson refrigerator magnet.

Tom Kelchner

Microsoft going after ad hackers in civil court

Microsoft has filed civil suits in King County Superior Court in Seattle against businesses believed to be responsible for placing advertising that hides malware – sometimes called “malvertising.”

The court action was brought against: “Soft Solutions,” “Direct Ad,” “qiweroqw.com,” “ITmeter INC.” and “ote2008.info.”

Bringing the suits gives Microsoft’s attorneys the power to request subpoenas to get contact information from ISPs or other businesses and possibly identify the defendants.

Story here.

According to other stories out there today, we suspect the trail just might lead to a click-fraud group named the Ukrainian Fan Club by way of the Bahamas. Texas-based security firm Click Forensics connected the recent malicious ads that delivered rogue security products on the New York Times web site to a botnet that was once based in servers in the Bahamas – called the Bahama botnet. The recent “Facebook Fan Check virus” also is connected to the same group, they said.

Ukrainian Fan Club/Bahama botnet story here.

Tom Kelchner

“Chat-in-the-middle” phishing attack uncovered

Researchers at RSA’s security research group said they’ve discovered a “Chat-in-the-middle” phishing attack in which a thief uses a chat channel to extract banking web site security information from victims. Bank customers are lured into entering their usernames and passwords on an ordinary phishing site; then a phony live-chat support window opens and a fraudulent operator tries to extract even more banking credentials.

The researchers said they only found one instance of it and didn’t expect it to become widespread since it would be a time-consuming way for phishers to get information. They said they notified the one bank whose customers were targeted.

Thinking one step into the future, however, the gangs behind phishing scams could exploit this by recruiting “work-at-home” operators to take information from victims over chat and relay it to them. Money mules and human CAPTCHA breakers already provide similar “services.”

And, if you REALLY want to put on the tinfoil hat, consider the possibility of groups on the dark side recruiting “work at home” operators to provide all three services… with training courses and annual conferences at a resort in Odessa… and certification bodies… (God, I gotta stop reading this stuff!)

Story here: “‘Chat-in-the-Middle’ Phishing Attack Attempts to Steal Consumers’ Data via Bogus Live-Chat Support”

How does an ISP shut down 500,000 bot-infected machines?

The Internet Engineering Task Force has released a draft of its document “Recommendations for the Remediation of Bots in ISP Networks” (Text here.)

This is one of those important but unglamorous documents with the potential to fix a big problem that nobody is really writing about. ISPs are in a position to do something about botnets, but the process is a lot more complicated than you might think.

The IETF’s draft lists detection methods for finding bot-infected machines, including:

— analysis of specific network and/or application traffic flows (such as traffic to an email server),
— analysis of aggregate network and/or application traffic data,
— data feeds received from other ISPs and organizations (such as lists of the ISP’s IP addresses which have been reported to have sent spam),
— feedback from the ISP’s customers or other Internet users

They note that scanning their IP space for unpatched and vulnerable hosts could help reduce the risks of bot infections, but port scanning could leave network services hung. Also, firewalls and host-based intrusion detection could interpret the scans as precursors to attacks.

Notifying the owners of infected machines is another huge can of worms. E-mail notices could end up in the spam bucket or be ignored, and botnet operators could spoof them for further social engineering. Postal mail and phone calls are expensive and very time consuming given the millions of bot-infected machines in the country.

It SEEMS like ISPs could just shut off infected machines and let the owners figure it out in their own sweet time. But some people have telephone service only through voice-over-IP, and cutting off their ability to make 911 calls could be fatal. It could also be a business-fatal legal liability for the ISP.

The draft says a possible solution to the shutdown and notification quandary is the “walled garden.”

“Placing a user in a walled garden is another approach that ISPs may take to notify users. A walled garden refers to an environment that controls the information and services that a subscriber is allowed to utilize and what network access permissions are granted. This is an effective technique because it could be able to block all communication between the bot and the command-and-control channel, which may impair the ability of a bot to disrupt or block attempts to notify the user.

“While in many cases the user is almost guaranteed to view the notification message and take any appropriate remediation actions, this approach can pose other challenges. For example, it is not always the case that a user is actively using a computer that uses a web browser or which has a web browser actively running on it.

“In one example, a user could be playing a game online, via the use of a dedicated, Internet-connected game console. In another example, the user may not be using a computer with a web browser when they are placed in the walled garden and may instead be in the course of a telephone conversation, or may be expecting to receive a call, using a Voice Over IP (VoIP) device of some type. As a result, the ISP may feel the need to maintain a potentially lengthy white list of domains which are not subject to the typical restrictions of a walled garden, which could well prove to be an onerous task, from an operational perspective.”
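To make the two halves of the draft concrete, here is an added example (mine, not code from the IETF draft or from Sunbelt) that covers both the detection methods listed above and the walled-garden placement the draft describes. It scores subscribers from three independent signals (fan-out of outbound SMTP connections seen in the ISP’s own flow data, an external spam-report feed, and abuse complaints), requires corroboration before acting, and then applies a garden policy that redirects plain HTTP to a notification portal, keeps a whitelisted VoIP range reachable so a phone on the line can still dial 911, and drops everything else, including the bot’s command-and-control channel. The flow records, the feed, the whitelist range, the portal address and the thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str     # subscriber address inside the ISP
    dst: str     # destination on the Internet
    dport: int
    proto: str   # "tcp" or "udp"


# Constructed sample: one hour of sampled outbound flows from three subscribers.
# 10.0.0.5 acts like a spam bot: SMTP to 200 unrelated mail servers plus an
# IRC-style session to a C2 host. 10.0.0.9 sends one mail and browses.
# 10.0.0.12 is a VoIP phone registering with its telephony provider.
FLOWS: List[Flow] = (
    [Flow("10.0.0.5", f"198.51.100.{i % 200 + 1}", 25, "tcp") for i in range(300)]
    + [Flow("10.0.0.5", "203.0.113.7", 6667, "tcp")]
    + [Flow("10.0.0.9", "203.0.113.25", 25, "tcp"),
       Flow("10.0.0.9", "203.0.113.10", 443, "tcp")]
    + [Flow("10.0.0.12", "192.0.2.44", 5060, "udp")]
)
# Feed from another organization: ISP addresses reported as spam sources (constructed).
SPAM_FEED: Set[str] = {"10.0.0.5", "10.0.0.200"}
# Complaints from customers or other Internet users, keyed by subscriber (constructed).
ABUSE_REPORTS = Counter({"10.0.0.9": 1})

# Illustrative thresholds; these are assumptions, not figures from the draft.
SMTP_DEST_THRESHOLD = 50   # distinct mail servers per hour for a residential line
SIGNALS_REQUIRED = 2       # independent signals before remediation starts


def score_subscribers(flows: Iterable[Flow], spam_feed: Set[str],
                      abuse_reports: Counter) -> Dict[str, Dict[str, int]]:
    """Collect one evidence entry per independent signal per subscriber."""
    smtp_dests: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:                                   # specific-flow analysis
        if f.proto == "tcp" and f.dport == 25:
            smtp_dests[f.src].add(f.dst)
    evidence: Dict[str, Dict[str, int]] = defaultdict(dict)
    for src, dests in smtp_dests.items():             # aggregate analysis
        if len(dests) > SMTP_DEST_THRESHOLD:
            evidence[src]["smtp_fanout"] = len(dests)
    for src in spam_feed:                             # external data feed
        evidence[src]["spam_feed"] = 1
    for src, n in abuse_reports.items():              # user feedback
        evidence[src]["abuse_reports"] = n
    return dict(evidence)


def flagged(evidence: Dict[str, Dict[str, int]],
            required: int = SIGNALS_REQUIRED) -> Set[str]:
    """Subscribers with enough independent signals to act on.

    A lone feed entry is not enough: feeds lag, and behind NAT one address
    may be many customers. Corroboration from our own traffic is required.
    """
    return {src for src, signals in evidence.items() if len(signals) >= required}


# Walled-garden policy for a flagged subscriber
PORTAL = "10.255.255.1"   # notification portal inside the ISP (assumed address)
# The draft speaks of a white list of domains; enforcement works on addresses,
# so this holds the VoIP provider's resolved range (constructed) to keep 911 reachable.
GARDEN_WHITELIST = [ip_network("192.0.2.0/24")]


def garden_decision(flow: Flow) -> str:
    """Decide what happens to one flow from a subscriber in the walled garden."""
    dst = ip_address(flow.dst)
    if any(dst in net for net in GARDEN_WHITELIST):
        return "allow"                   # telephony keeps working
    if flow.dport == 53:
        return "allow"                   # DNS, so the portal and whitelist resolve
    if flow.proto == "tcp" and flow.dport == 80:
        return f"redirect:{PORTAL}"      # browser lands on the notification page
    # Everything else is dropped, including the C2 channel on 6667. HTTPS is
    # dropped too: it cannot be redirected without a certificate warning.
    return "drop"


def remediate(flows: Iterable[Flow], spam_feed: Set[str],
              abuse_reports: Counter) -> Dict[str, List[str]]:
    """Per flagged subscriber, the garden decision for each of its flows."""
    flows = list(flows)
    bots = flagged(score_subscribers(flows, spam_feed, abuse_reports))
    return {b: [garden_decision(f) for f in flows if f.src == b] for b in bots}


if __name__ == "__main__":
    for src, decisions in remediate(FLOWS, SPAM_FEED, ABUSE_REPORTS).items():
        print(src, dict(Counter(decisions)))
```

Run as-is it flags only 10.0.0.5: the feed entry for 10.0.0.200 and the single complaint about 10.0.0.9 each stand alone and are not acted on, while 10.0.0.5 is corroborated by its own SMTP fan-out. The whitelist is the operational pain point the draft warns about: every VoIP provider, console update host and similar service a subscriber might legitimately need has to be kept current in it.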

The Australian Internet Industry Association is working on similar guidelines (Text here.)

Tom Kelchner

Dissing Kanye West is now a Web growth industry

Celebrity + public misbehavior = hours of Internet craziness

There is probably no one ANYWHERE on planet Earth who has not heard about Kanye West’s interruption of Taylor Swift’s acceptance speech for Best Female Video at the MTV Video Music Awards ceremony Saturday night. The world’s reaction to the story has become a story in its own right:

— President Obama, speaking off the cuff just before an interview with CNBC’s John Harwood, called West a “Jackass.” Almost instantly several people sent out the story on Twitter, in spite of the fact that such banter is normally considered off-the-record. AND, of course, Jay Leno picked up on THAT. Washington Post story here.

— There are now (Thursday morning) 21 fan-dubbed videos of the oft-used scene from the 2004 movie “Downfall” of Hitler histrionically complaining about West. (YouTube.com search “Hitler Kanye West.”) MSNBC picked up THAT story (“Hitler finds out Kanye West disses Taylor Swift at the VMAs”)

— The latest (today, anyway) is http://kanyelicio.us/ On this site you type in a URL and the page appears with an overlaid picture of Kanye West and a message dissing the site. Story here: “Kanye West Disrespects Our Website”

There probably hasn’t been such a reaction to public misbehavior since the “Korean Dog Poop Girl” of 2005. She is now part of the definition of “Internet vigilantism” on Wikipedia. I imagine Kanye will join her shortly.

Oh, yeah. West did apologize, according to about a hundred stories everywhere.

Tom Kelchner

Turn off USB drive AutoPlay in Vista and WinXP

When Windows 7 arrives Oct. 22, it will ship with AutoRun disabled for USB devices: an autorun.inf on a flash drive will no longer be able to launch a program when the drive is plugged in (the AutoPlay dialog itself still appears, but without the entry to run a program from the drive). That has been the behavior in the Win7 beta for some time; Microsoft has now posted information about getting the same behavior in Windows XP and Vista.

Microsoft support page here.

The Conficker worm and other malware copy themselves to flash drives along with an autorun.inf that launches them on whatever machine the drive is plugged into next.

With AutoRun disabled for removable drives (it still works on CD and DVD drives), plugging in a USB drive does nothing more than offer to open a folder so the user can browse its contents; nothing on the drive executes on its own.
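The setting behind this is the NoDriveTypeAutoRun policy value under the Explorer policies key: a bit mask in which bit n corresponds to Windows drive type n and a set bit turns AutoRun off for that type. Admins routinely get the mask wrong (0x91, the default, leaves USB drives wide open; 0xFF disables everything; 0xDF disables everything except CD/DVD, which is the behavior described above), so here is an added example, my own code rather than anything from the Microsoft support page or the Sunbelt post, that builds, decodes and checks the mask and, on Windows, reads or writes the machine-wide value. The registry read and write need an elevated prompt, and on XP and Vista the value is only honored properly once the update the support page describes is installed; this code does nothing about that update. The helper names are mine.

```python
import sys

# NoDriveTypeAutoRun is a bit mask: bit n corresponds to Windows drive type n
# (the GetDriveType numbering), and a set bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,   # USB flash drives and card readers
    "fixed": 0x08,       # internal and external hard disks
    "remote": 0x10,      # mapped network drives
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,    # set in the default value
}
WINDOWS_DEFAULT = 0x91   # out-of-the-box value: unknown + remote + reserved
ALL_DRIVES = 0xFF        # AutoRun off everywhere

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def mask_for(disabled_types) -> int:
    """Mask that disables AutoRun for exactly the named drive types."""
    mask = 0
    for name in disabled_types:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def decode(mask: int) -> set:
    """Names of the drive types whose AutoRun the mask disables."""
    return {name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit}


def autorun_allowed(mask: int, drive_type: str) -> bool:
    """True when the mask still lets this drive type AutoRun."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])


def usb_safe(mask: int) -> bool:
    """True when removable media, the Conficker vector, can no longer AutoRun."""
    return not autorun_allowed(mask, "removable")


def recommended_mask(keep_optical: bool = True) -> int:
    """0xDF keeps CD/DVD AutoRun working, as in the post; 0xFF turns it all off."""
    return ALL_DRIVES & ~DRIVE_TYPE_BITS["cdrom"] if keep_optical else ALL_DRIVES


def read_policy_mask():
    """Current machine-wide value, or None when the value has never been set."""
    if sys.platform != "win32":
        raise RuntimeError("registry access only works on Windows")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:
        return None


def write_policy_mask(mask: int) -> None:
    """Set the machine-wide value (run from an elevated prompt)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access only works on Windows")
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)


if __name__ == "__main__":
    current = read_policy_mask()
    shown = WINDOWS_DEFAULT if current is None else current
    print(f"current mask 0x{shown:02X}: AutoRun disabled for {sorted(decode(shown))}")
    if not usb_safe(shown):
        print(f"USB AutoRun still enabled; set {VALUE_NAME} to 0x{recommended_mask():02X}")
```

A missing value means Windows uses its built-in default, which is why the check treats “absent” as 0x91 rather than as safe. The same value also exists per user under HKEY_CURRENT_USER, but the machine-wide policy key is the one to set on a shared or managed system.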

Story here.

Tom Kelchner