Distinctive Chinese algorithm found in Trojan used in Google attack

John Markoff, writing in the New York Times, reports that SecureWorks researcher Joe Stewart found a distinctive algorithm, one that had only ever been published on Chinese-language web sites, in the Hydraq Trojan, the back door installed in the attack on Google. Hydraq is also known as Aurora.

The code was a cyclic redundancy check (CRC) routine, used for error-checking transmitted data. Such routines are normally interchangeable, which is what makes an unusual implementation a useful fingerprint: the same odd variant turning up in a sample and in a narrow body of published code ties the two together.
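As an added example (not the Aurora code and not SecureWorks' analysis), here is how a table-driven CRC-16 becomes a fingerprint. A nibble-at-a-time implementation uses a 16-entry lookup table instead of the usual 256-entry one, and the table is a fixed set of constants that the compiler copies verbatim into the binary, so recognising the algorithm amounts to searching for those constants. The polynomial, initial value and the stand-in "binary" are assumptions for the illustration.

```python
"""Fingerprinting a table-driven CRC-16 implementation.

Added example, not code from the Aurora sample or from SecureWorks' analysis.
The 16-entry ("nibble") lookup table is assumed as the distinctive feature; the
polynomial, initial value and the fake binary below are constructed.
"""
import struct

POLY = 0x1021   # CRC-16/CCITT polynomial (assumed for this example)
INIT = 0xFFFF   # initial register value (assumed)


def crc16_bitwise(data: bytes, poly: int = POLY, init: int = INIT) -> int:
    """Reference implementation: one bit at a time, MSB first."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def nibble_table(poly: int = POLY) -> list:
    """Build the 16-entry table a nibble-at-a-time CRC uses instead of the
    usual 256-entry byte table. Entry i is the CRC register after pushing the
    4-bit value i through the shift/xor loop four times."""
    table = []
    for i in range(16):
        crc = i << 12
        for _ in range(4):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
        table.append(crc)
    return table


def crc16_nibble(data: bytes, poly: int = POLY, init: int = INIT) -> int:
    """Same CRC as crc16_bitwise, computed four bits at a time with the table."""
    table = nibble_table(poly)
    crc = init
    for byte in data:
        for nib in (byte >> 4, byte & 0x0F):
            idx = ((crc >> 12) ^ nib) & 0x0F
            crc = ((crc << 4) & 0xFFFF) ^ table[idx]
    return crc


def table_signature(poly: int = POLY) -> bytes:
    """The table as a 32-bit x86 compiler lays it out: 16 little-endian
    16-bit words. This byte string is the fingerprint to search for."""
    return b"".join(struct.pack("<H", c) for c in nibble_table(poly))


def find_table(sample: bytes, poly: int = POLY) -> int:
    """Offset of the table inside `sample`, or -1 if this variant is absent."""
    return sample.find(table_signature(poly))


if __name__ == "__main__":
    # Both implementations must agree with the published CRC-16/CCITT-FALSE
    # check value for the ASCII string "123456789".
    assert crc16_bitwise(b"123456789") == crc16_nibble(b"123456789") == 0x29B1
    # Constructed stand-in for a binary: padding, the table, more padding.
    fake_binary = b"\x90" * 40 + table_signature() + b"\xcc" * 24
    print("CRC-16 nibble table found at offset", find_table(fake_binary))
```

The same search works against a real sample with `find_table(open(path, "rb").read())`; a different polynomial or a byte-wide table gives a different signature, which is exactly the point: the constants identify the variant, not just "a CRC".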

Google said last week it was thinking of withdrawing from China after attacks from that country on it and more than two dozen other companies. The attacks on Google were aimed at the Gmail accounts of dissidents and Google’s source code. The attacks on the other companies were aimed at stealing intellectual property.

NYT piece here.

Tom Kelchner

Donations via text messages will be the next spam scam

The American Red Cross (short code 90999) has reported that as of Sunday it had collected $22 million via text-message donations for the victims of the Haiti earthquake. In total, the organization had collected $103 million at that point.

Cell phone users can make $10 donations by texting the Red Cross’s short code 90999; the contribution is added to their cell phone bill.

Given this high profile, you can be sure there will be a load of spam and other social-engineering schemes aimed at tapping this convenient new channel. Before texting a donation, confirm the short code on the charity’s own web site rather than taking it from a text message or e-mail that solicits it.

Story here.

Using Internet Explorer? Here’s how to improve its security against Aurora attacks

Microsoft late yesterday issued Security Advisory 979352 with guidance for Internet Explorer users. A worrisome unpatched vulnerability in some versions of IE has been linked to the “Aurora” attacks against Google and more than two dozen other companies.

In short:

1. If you’re using IE 6 or 7, upgrade to IE 8.
2. If you’re running Windows XP with Service Pack 2, upgrade to Service Pack 3.
3. Turn on Data Execution Prevention if it is not already on.

The high-profile attacks last week were all on corporate targets and all exploited Internet Explorer 6. Proof-of-concept code that exploits the vulnerability in Internet Explorer 7 on XP and Vista has been made public, but there are no known attacks using it, Microsoft said.

Jerry Bryant, writing on the Microsoft Security Response Center blog, seemed to suggest that the company would release an out-of-cycle patch (that is, before the February Patch Tuesday):

“We want to let customers know that we will release this security update as soon as the appropriate amount of testing has been completed. While we cannot yet give a date of when that will be we will keep customers updated.”

The computer security response teams in France and Germany have advised users to switch to a browser other than Internet Explorer until the vulnerability is patched. Although that might be a fairly easy fix for consumers, enterprise users often need Internet Explorer for IE-only applications or sites.

The CERT Coordination Center’s Vulnerability Note VU#492515 can be found here.

Tom Kelchner

Russian language rogue: Antivirus360.FRWL

(FRWL stands for “From Russia With Love,” according to Patrick)

Russian- and German-language fake codec pages and one online scanner scam page:

Antivirus360 FRWL_fakecodec

Antivirus360 FRWL_OSS

And, it has an adware twist: install the adware and get your rogue security product free!

Payment is by SMS short code. The offer is only good for mobile phone users in Russia, Ukraine, Lithuania, Latvia, Kazakhstan, Azerbaijan, Kyrgyzstan and Germany.

Thanks to Bharath and Patrick.

Tom Kelchner

IE vuln linked to attacks on Google, others

France, Germany advise switching browsers

The governments of France and Germany have urged users to stop using Microsoft’s Internet Explorer browser until the company fixes the security vulnerability that has been blamed, at least in part, for the attacks from China on Google and more than two dozen other companies. The attacks on Google were aimed at the Gmail accounts of dissidents and Google’s source code.

The German Bundesamt für Sicherheit in der Informationstechnik (BSI) said in a Jan. 16 statement that running IE in Protected Mode and disabling Active Scripting would improve the browser’s security but could not completely prevent exploitation. It recommended that users switch to an alternative browser until Microsoft patches the flaw.

The French computer emergency response group, the Centre d’Expertise Gouvernemental de Réponse et de Traitement des Attaques informatiques (CERTA), issued its advisory Jan. 15: “Le CERTA recommande l’utilisation d’un navigateur alternatif.” [CERTA recommends using an alternative browser.]

McAfee CTO George Kurtz commented on the gravity of the attack on the company’s blog yesterday in a piece titled “Dealing With ‘Operation Aurora’ Related Attacks”:

“I believe this is the largest and most sophisticated cyberattack we have seen in years targeted at specific corporations. While the malware was sophisticated, we see lots of attacks that use complex malware combined with zero day exploits. What really makes this a watershed moment in cybersecurity is the targeted and coordinated nature of the attack with the main goal appearing to be to steal core intellectual property.”

Kurtz didn’t exactly call for Microsoft to issue an out-of-cycle patch, but came close:

“It will be interesting to see if this vulnerability forces an out-of-cycle patch update.”

McAfee blog piece.

Tom Kelchner

Symantec sees large drop in spam from domains in China

Samir Patil has blogged on the Symantec site that the company’s Symantec Probe Network has registered a DECREASE in spam from domains registered in China since early December. He reported that the share of spam using .cn domains fell from 30-50 percent a day to about 20 percent.

“It appears that the drop is due to the recent enhancement in domain registration procedures introduced by China’s Internet Network Information Center (CNNIC). On December 11, CNNIC announced a new registration procedure for .cn domains,” he said.

In December, China announced that those registering .cn domains would be required to do so on paper forms, and that only businesses registered with the state would be allowed to register domains at all.

Spammers commonly used sites registered in China for Canadian pharmacy spam campaigns.

This is great. Maybe the one thing that spammers can’t do is something as low-tech as filling out paper forms.

I’ll be interested to see:
— if the Chinese authorities can lower that 20 percent figure further
— what countries the spammers will move to
— if any other government tries the same approach.

Tom Kelchner

Hacked sites used to redirect to malcode

We continue to find hacked sites popping up in web searches for strings related to Haiti relief donations. Among other things, we’ve found a rogue security product being pushed. VIPRE detects that one as Rogues.Win32.FakeVimes.

The sites below all redirect to scan-now24.com (registered Dec. 28), which we recommend blocking:

Haiti fraud 2

Thanks to Adam Thomas

Tom Kelchner

Haiti hazards: more dangerous web searches

Many of the malicious sites we’ve found that are using the disaster in Haiti as bait direct to the domain “scan-now24.com.” We recommend blocking it.

At one point, the first link in Google search results led to a site pushing a rogue security product.

A lot of the malicious sites that turn up on these searches are rapidly being taken down.

7.0 earthquake haiti
7.0 earthquake in haiti
charities for haiti
clinton haiti relief
donations for haiti
going to haiti to help
haiti and earthquake
haiti breaking news
haiti deal with devil
haiti disaster relief
haiti earthquake 2010
haiti earthquake aid
haiti earthquake bbc
haiti earthquake damage
haiti earthquake info
haiti earthquake photos
haiti earthquake relief
haiti earthquake updat
haiti earthquake video
haiti earthquake wiki
haiti pact with devil
haiti poorest country
haiti population 2009
haiti relief red cross
haiti text donation
haitiearthquake time
hotel montana haiti
how can i help haiti
how can we help haiti
how to help in haiti
map of haiti and usa
montana hotel haiti
montana hotel in haiti
national palace haiti
pat robertson on haiti
population of haiti
port au prince haiti
red cross haiti text
rush limbaugh haiti
rush limbaugh on haiti
sakapfet haiti news
salvation army haiti
texting haiti to 90999
the haiti earthquake
tsunami warning haiti
volunteers to haiti
where is haiti located
wyclef jean yele haiti
yele haiti earthkeepers
yele haiti foundation

Legwork by Adam Thomas

Tom Kelchner

Best advice on avoiding Haitian relief fraud

Major natural disasters in populated areas bring horrible hazards to those living there. With the global reach of the Internet, those who would like to help the victims with donations share some of the risk as well.

News reports of the magnitude 7.0 earthquake (that’s bad) near Port-au-Prince, Haiti, were quickly followed by warnings that fraudulent operators would soon try to take advantage of the expected flow of relief donations.

The amount of discussion is enormous. The number-one topic on Google Trends this morning was “the earthquake in Haiti.” A search for the phrase “Haiti earthquake relief,” turned up over eight million hits.

It is important to remember that a huge number of people in Haiti desperately need help. Just think twice about who you are giving money to.

How to cope:

The FBI has issued a news release with great basic tips:

— Don’t respond to spam emails on the topic and do not click on any links in them.
— Think twice about those claiming to be survivors or officials asking for donations by email or social networking sites.
— Confirm the legitimacy of any nonprofit group before making a donation.
— Avoid clicking on email attachments that purport to be photos of the disaster area.
— Make contributions DIRECTLY to known organizations and avoid donating to those who claim to be collecting FOR that organization.
— Do not give personal or financial info to those asking for contributions.

Joel Esler said last night on the SANS Internet Storm Center diary:

“…we are already seeing a bunch of domains being parked in relation to the Haiti disaster, and we are going to attempt to keep an eye on them all to warn our readers of anything possibly misaligned.”

SANS Chief Research Officer Dr. Johannes Ullrich also discussed the safe way to make donations using SMS short codes via Twitter in his daily five-minute Internet Storm Center StormCast podcast this morning.

The United States Computer Emergency Readiness Team (US-CERT) carried a piece on the search engine poisoning that can be expected: “Haitian Earthquake Disaster Email Scams and Search Engine Poisoning Campaigns”

Tom Kelchner

Russian creativity at its best: fake CCTV streams

The Russian news site rt.com is reporting that police in Moscow have arrested the heads of a business that installed security cameras throughout the city that were streaming pre-recorded pictures instead of real-time video.

StroyMontageService has been accused of fraud after a routine check of some of Moscow’s 80,000 public CCTV cameras revealed the scam. The cameras were streaming pre-recorded video from May to September last year. The contractor was paid based on the number of cameras that were operational.

In addition to wonderful traditions of obscenities and humor, the Russian culture has given the world some fabulous stories of creativity. This is one of them.

Russia, like the U.S. is a big country based on a frontier culture to some extent. We had a wild-wild west; they had a wild-wild east. A frontier makes people think in different ways.

I suspect the police caught on to the scam when video from the cameras was showing daylight-lit streets after the sun went down. In September the days would be getting short in Moscow.

Just imagine the moment they discovered it: “Hey Ivan. Look out the window. Now look at the monitor. Weird, huh?”

Story here: Moscow cameras streamed false pictures

Tom Kelchner

Google might leave China

Google has said it will stop censoring search results to please the government of China and may leave the country entirely.

The search giant said its decision was based in part on a recent wave of hack attacks from China on it and more than 30 other companies, mostly in Silicon Valley. The attacks were largely based on spear phishing and exploited the Adobe .pdf vulnerability (which was patched yesterday) to plant Trojans. An investigation by Google showed that the attackers were trying to download information from the Gmail accounts of Chinese dissidents and steal source code.

Google, which opened operations in China in 2006, has been facing a constant barrage of pressures from the Chinese government to censor search results and otherwise limit the access that 300 million Chinese Internet users have to politically-sensitive information.

The company handled only one in three search requests in China and has been steadily losing market share to the Chinese search engine Baidu.

Google and the authoritarian government of China are opposites.

Google has the concept of free access to information in its very source code. The entire point of an Internet search engine is to provide access to ANY information that a user goes looking for.

The government of China has several millennia of traditions of authoritarian control and isn’t going to change any time soon. Its “one-child” policy means that 40 million Chinese guys will never be able to marry by 2020. And no one is even discussing how many female geniuses have been lost to China through gender-based abortions or sale (oops, sorry) adoption to couples in other countries.

But in the view of the Chinese government it works. It’s only been in the last human lifetime that it ended turmoil and out-of-control human reproduction that resulted in famines and periodic mass die offs of millions.

And to put this further in perspective, China is a very big place. There are more Internet users in China than there are people in the U.S. That’s a lot of people to control whether by a democratic or non-democratic system.

What’s the point for computer security? The attacks were based on a known vulnerability (Adobe .pdf hole) that had a known workaround. The technique – spear phishing – has been around for years.

Somebody in China just went after the low-hanging fruit.

New York Times story here.

Tom Kelchner

Lethic gone: another botnet bites the dust

The Darkreading.com site is reporting that researchers with communications security firm Neustar, of Sterling, Va., working with ISPs, have taken over the command-and-control servers and shut down the Lethic botnet. Lethic’s operators specialized in diploma, pharmaceutical and replica spam, and the botnet is believed to have been responsible for about 10 percent of all spam.

Other recent takedowns that cut spam volumes include:
— McColo (Nov. 08), a hosting provider whose disconnection took several botnets’ command-and-control servers offline,
— Torpig (May 09),
— MegaD (Nov. 09)

Story here.

Tom Kelchner

Month of Russian Bugs

 
MoRB

OK, I made up the name “MoRB”, and our analyst Dimiter, who is from Bulgaria, took a stab at the translation.

Russian security firm Intevydis has said it will release, between Jan. 11 and Feb. 1, previously undocumented vulnerabilities in popular commercial software products, including:

— IBM DB2 (local root vulnerability)
— MySQL (buffer overflows)
— Lotus Domino and Informix databases
— Novell eDirectory
— Sun Directory
— Sun Web Server (pre-authentication buffer overflows)
— Tivoli Directory
— Zeus Web Server

Evgeny Legerov, founder of the Moscow firm, told prominent security blogger Brian Krebs that responsible disclosure has, for him, proven to be a waste of time. He said one of the vulnerabilities he will release is a bug in RealPlayer that he reported to the vendor two years ago.

“Month of _____ bugs” has been a controversial gimmick that a number of security researchers have used in the last few years. It involves the release of information about software vulnerabilities before they are fixed in order to publicize the slow pace that vendors usually follow patching bugs that have been brought to their attention.

Generally, researchers follow the dictates of “responsible disclosure,” which is to inform the vendor of the security flaws in their software and wait a “reasonable” period of time before publicizing the details.

Brian Krebs piece here.

Tom Kelchner

 

Florida in the cold

Sunbelt Software has “sun” in its name, and its location in Clearwater, Fla., is considered a significant recruiting tool. As probably everyone on the planet knows, Florida, the UK and most of Europe have been having what is modestly referred to as a “cold snap.” It’s different here, though. This place is generally described as “semi-tropical.” Here are some observations about Florida in the cold:

— Temperatures are in the low 30s in the morning, there are still leaves on the trees and outdoors it smells like Pennsylvania in October.

— Just because you have a heating system in your massively air-conditioned house doesn’t mean it actually does anything.

— People who have moved here from Rochester, N.Y., believe they are being cheated.

— The fish are cold and aren’t biting. Not that you’re going to go fishing in 30-degree weather with a 15-knot breeze anyway.

— If it gets cold enough, cats will sleep on top of dogs.

— If it gets cold enough, people will sleep with their dogs, some of which will have cats on top.

— Large warm men are valued by women at night.

— South of Clearwater, the cold temperatures mean that the non-native iguanas are falling out of the trees, sometimes on your windshield.

— Malcode still works in the cold.

Tom Kelchner

Consistent Computer Virus Malcode names

InfoSecurity, a great site for computer security news, just put up a story asking the very old question: “Why don’t AV vendors name malcode consistently?”

The lead on the piece was: “…Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn’t match up, leading to an admission that users will inevitably be confused by the results.”

Great observation, sort of.

Aside from the fact that the mentioned companies are competitors, pulling in-the-wild malicious code from different continents, the answer(s) to that question:

1. The process of finding and analyzing malicious code and writing detections for it (and NOT writing false positives) moves very fast. Although AV companies have been trying to use consistent names since the Computer Antivirus Research Organization (CARO) drew up its virus naming convention in 1991, there simply isn’t enough manpower to do it 100 percent because:

2. There has been a vast explosion in the amount of malcode that is in circulation. Possibly more than 20 million new variants just last year.

InfoSecurity ran a story immediately before the story we’re discussing here, reporting PandaLabs figures for 2009. PandaLabs estimated that 55,000 new pieces of malcode were detected each day of 2009. That’s 20 million in the year — more new malcode in one year than all the preceding 20 years. (story here.)

3. One might also ask why “users” need consistent names at all. If they want to look for information on a piece of malcode their scanner has found, well, the scanner found it and has probably given it a name, however generic. If they’re infected and their scanner hasn’t spotted the malcode, that means it’s probably new and doesn’t HAVE a name. In that case, they’re going to have to send a sample to their AV company to have it put in detections. If they want to compare the detections of different AV companies, the way to do it is to upload a sample to VirusTotal, or to search there by the file’s MD5 hash (which only works if someone has already submitted that exact file).

4. In the face of the onslaught of malicious code, many anti-malware companies have begun moving to behavior-based detection: identifying malicious code by scanning for malicious sections of code, or by running it in a virtual environment and watching what it does. This has resulted in “generic” or “batch” names for detections.

If a piece of code under test is trying to shut down anti-malcode scanners, find other computers through directory shares, put an auto-start line in the Windows Registry and phone home the fact that it has installed itself on a specific computer – well, it probably isn’t JUST a cute little animation of a kitten. If it walks like a duck and quacks like a duck…

One enormous advantage of this new technology is speed. Yes, we could write an individual detection for several tens of thousands of traces and scan for each one of them, or, we can simply have VIPRE scan for malicious functions and activities and save a lot of time. As a consequence, 18.69 percent of all VIPRE detections reported through ThreatTrack in December were Trojan.Win32.Generic!BT. Yep, they were files trying to do Trojan-like things, and we quarantined them. We just didn’t spend the month trying to give each one of them a name.
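To make the “walks like a duck” reasoning concrete, here is an added example of a behavior-based generic verdict run over a constructed sandbox trace. It is not VIPRE’s detection logic: the event format, the weights, the conviction threshold and both sample traces are assumptions for the illustration. The point it shows beyond the paragraph above is that each behavior is counted once, so a noisy sample that rewrites its Run key in a loop does not outscore a quiet one that beacons once, and that no per-sample name is needed to convict.

```python
"""Behavior-based 'generic' verdict over a sandbox trace.

Added example, not VIPRE's detection logic. The event format, the weights,
the threshold and the two sample traces are all constructed for illustration.
"""

# How much each observed behavior contributes to a "Trojan-like" score (assumed).
WEIGHTS = {
    "kill_security_process": 3,  # terminates a known security product
    "registry_autostart":    3,  # persists via a CurrentVersion\Run key
    "enumerate_shares":      2,  # looks for other machines via shares
    "beacon_out":            3,  # phones home carrying a host identifier
    "drop_executable":       1,  # writes a PE file to disk
    "self_delete":           1,  # removes its own image after running
}
THRESHOLD = 6  # assumed: at or above this the sample is convicted generically

SECURITY_PROCESSES = {"avp.exe", "msmpeng.exe", "sbamsvc.exe", "egui.exe"}
AUTOSTART_FRAGMENT = r"\currentversion\run"   # matches Run and RunOnce


def classify_event(ev):
    """Map one raw sandbox event to a named behavior, or None if benign."""
    op = ev.get("op")
    if op == "process_terminate":
        if ev.get("target", "").lower() in SECURITY_PROCESSES:
            return "kill_security_process"
    elif op == "reg_set_value":
        if AUTOSTART_FRAGMENT in ev.get("key", "").lower():
            return "registry_autostart"
    elif op == "net_share_enum":
        return "enumerate_shares"
    elif op == "net_connect":
        if ev.get("direction") == "out" and ev.get("payload_has_hostid"):
            return "beacon_out"
    elif op == "file_write":
        if ev.get("path", "").lower().endswith((".exe", ".dll", ".sys")):
            return "drop_executable"
    elif op == "process_create":
        if "/c del " in ev.get("cmdline", "").lower():
            return "self_delete"
    return None


def score_trace(events):
    """Return (score, sorted behaviors). Each behavior counts once however
    often it recurs, so a loop that rewrites the Run key 500 times does not
    outscore a single quiet beacon."""
    seen = {b for b in (classify_event(e) for e in events) if b}
    return sum(WEIGHTS[b] for b in seen), sorted(seen)


def verdict(events):
    """Generic detection name when the score crosses the threshold, else None.
    The name follows the Family.Platform.Name!Flag pattern used above."""
    score, _ = score_trace(events)
    return "Trojan.Win32.Generic!BT" if score >= THRESHOLD else None


# Constructed traces: a harmless media player and a dropper.
KITTEN_PLAYER = [
    {"op": "file_write", "path": r"C:\Users\x\AppData\Local\Temp\kitten.avi"},
    {"op": "reg_set_value", "key": r"HKCU\Software\KittenPlayer\LastFile"},
    {"op": "net_connect", "direction": "out", "payload_has_hostid": False},
]
DROPPER = [
    {"op": "process_terminate", "target": "MsMpEng.exe"},
    {"op": "file_write", "path": r"C:\Windows\System32\drivers\svch0st.dll"},
    {"op": "reg_set_value",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svch0st"},
    {"op": "net_share_enum"},
    {"op": "net_connect", "direction": "out", "payload_has_hostid": True},
    {"op": "process_create", "cmdline": r'cmd.exe /c del "C:\Users\x\Downloads\invoice.exe"'},
]

if __name__ == "__main__":
    for name, trace in (("kitten player", KITTEN_PLAYER), ("dropper", DROPPER)):
        print(name, score_trace(trace), verdict(trace))
```

The weights are the tunable part: set them too low and legitimate installers (which also write Run keys and drop DLLs) get convicted, set them too high and a dropper that does one thing at a time slips through, which is why real engines pair this kind of scoring with static signatures rather than replacing them.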

Tom Kelchner

Patch Tuesday: What MS is not patching

Microsoft told the world yesterday that it will host a rather slim “Patch Tuesday” next week with only one bulletin, for a vulnerability in Windows. Microsoft rated it critical on Windows 2000 but low on all other platforms.

“As we will show in our release guidance next week, the Exploitability Index rating for this issue will not be high which lowers the overall risk,” Jerry Bryant wrote on Microsoft’s Security Response Center Blog.

The single patch will come as a relief to recession-shrunken IT staffs that have had to deal with numerous fixes for the past few months, including the mammoth Tuesday release in October when they faced 13 security bulletins.

One outstanding vulnerability that made the news in November that WON’T be patched Tuesday is the denial-of-service vulnerability in the Server Message Block (SMB) protocol.

In a November 13 advisory, Microsoft said: “This vulnerability cannot be used to take control of or install malicious software on a user’s system. However, Microsoft is aware that detailed exploit code has been published for the vulnerability. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.”

Tom Kelchner

Patch Tuesday: Adobe Acrobat/Reader .pdf fix expected, but not much from Microsoft

Adobe has said for some time now that it will issue a patch for the .pdf vulnerability in Reader 9.2 and Acrobat 9.2 on Patch Tuesday next week. The company had acknowledged that the weakness is being actively exploited and advised users to turn off JavaScript in the meantime.

Adobe also has said it will put out a beta version of Reader with an automatic update feature sometime in January and then include the updater in the next version release. The updater can be set to download updates automatically or on a controlled basis with notifications.

Microsoft apparently isn’t planning much for Patch Tuesday. The company’s Advance Security Bulletin Notification only lists one item – a patch for the various flavors of Windows. Only the fix for Microsoft Windows 2000 Service Pack 4 is rated as “critical.” For all other versions, the severity rating is “low.”

Security Advisory for Adobe Reader and Acrobat here.

Microsoft’s Security Bulletin Advance Notification for January 2010 here.

Tom Kelchner

Data Doctor 2010 encrypted files: we have a tool for that

Our analyst Dimiter Andonov has developed a tool to decrypt files encrypted by Data Doctor 2010 that at least one blog reader found very useful:

george
Can vipre recover mp3 and jpg files that were encrypted by this very annoying ransomware?
Today, 5:11:00 AM

Tom Kelchner
Hi George.

We have a tool available to do just that. Go to:
http://www.sunbeltsecurity.com/DownLoads.aspx

Today, 11:16:12 AM

george
You are the best! It’s working great…just to find a way to make a batch out of it for the thousands of files that need it.
THANKS
Today, 2:11:33 PM

How to use dd2010_decrypter.exe for batch processing:

1. Place the encrypted files in a directory of their own, with no spaces in the path (for example, c:\encrypted_files).

2. Copy dd2010_decrypter.exe into a different directory and, FROM THAT DIRECTORY, type the following at a command prompt:

for %f in (c:\encrypted_files\*.*) do dd2010_decrypter.exe "%f" "%f.decrypted"

(If you put the line in a .bat file instead of typing it at the prompt, write %%f in place of each %f.)

Every file in encrypted_files will be processed. Each decrypted copy keeps the original name with “.decrypted” appended, so song.mp3 becomes song.mp3.decrypted; rename the copies once you have confirmed they open.

CAUTION: put ONLY files that are to be decrypted into the target directory before you run the command. Anything else in that directory will be fed to the decrypter too.

Our Dec. 18 blog post Data Doctor 2010 will make you sick

Thanks Dimiter.

Update 01/07:

We’ve just posted a page with detailed directions for using the Data Doctor 2010 file decrypter:

http://www.sunbeltsecurity.com/DownLoads.aspx

Update 01/08:

Our good friends at F-Secure have posted a very good, detailed analysis of Data Doctor 2010. It can be found at: http://www.f-secure.com/weblog/archives/00001850.html

Tom Kelchner

Cybersitter sues China, others, for $2.2 billion in Green Dam fiasco

California software company Cybersitter LLC has sued the People’s Republic of China and seven computer manufacturers in U.S. federal court, alleging they stole 3,000 lines of its Internet filter software code and used it in last year’s Green Dam fiasco in China.

The suit, “Cybersitter v. the People’s Republic of China,” was filed in U.S. District Court, Central District of California (Los Angeles). It also names Acer, Lenovo, Sony Corp., Toshiba, Asustek Computer Inc., Benq Corp. and Haier Group as defendants.

Last spring, the Chinese Ministry of Industry and Information Technology issued a requirement that all new computers sold in the country run the Green Dam Youth Escort filtering software, allegedly to protect users from pornography and other objectionable content. However, bloggers familiar with China who read through the Green Dam blacklist found that it contained about 2,700 words related to pornography and about 6,500 “politically sensitive” ones. (See our June 16 blog entry: “Green Dam = Spyware”)

The ministry had bought the rights to the Green Dam application for one year through a no-bid $6 million purchase from Jinhui Computer System Engineering Co. of Zhengzhou.

Cybersitter said last June that code from its software was used extensively in Green Dam-Youth Escort and sent cease-and-desist letters to the U.S. PC manufacturers who were expecting to install it for the Chinese market. Cybersitter is now suing China and those companies.

Greg Fayer, Cybersitter’s attorney said in a news release today: “This lawsuit aims to strike a blow against the all-too-common practices of foreign software manufacturers and distributors who believe that they can violate the intellectual property rights of small American companies with impunity without being brought to justice in U.S. courts. American innovation is the lifeblood of the software industry, and it is vital that the fruits of those labors be protected at home and abroad.”

Cybersitter news release here.

Bloomberg news story here: “China Faces U.S. Piracy Suit for Web-Filter Software “

Tom Kelchner