March Madness madness

March Madness, the name that has attached itself to the National Collegiate Athletic Association (NCAA) basketball tournament in the U.S., begins March 18. In recent years it’s turned into something of a national event with office pools, Americans glued to any source of information about the college games and, unfortunately, a spike in malware targeting corporate networks. Since most of the early NCAA games in the tournament take place during business hours, cyber criminals work hard to infiltrate corporate networks by tricking workers who are surfing the web looking for scores, live updates and streaming tournament coverage.

In 2007, research firm Challenger, Gray and Christmas of Chicago estimated that more than 22 million workers followed the tournament by checking scores online during work hours. Although live streaming is available on legitimate sites, some fans will undoubtedly become impatient while searching the web for instant updates and will be directed to a host of malicious websites through poisoned Google search results. These sites will look legitimate and some may even provide updated game results, but the threat is that they will also expose work-based computers to viruses, phishing attacks and other malware embedded in web pages, banner ads and fake video streaming downloads.

Sunbelt’s anti-malware researchers offer the following “5 Tips for Responsible Web Surfing” in order to limit the risk of falling prey to malware attacks:

— Make sure your antivirus and Web filtering programs and Windows patches are up to date
— Do not click on links on untrusted sites or email offers – rather, enter URLs directly into your browser
— Do not download any application or program from an untrusted source in order to view video feeds
— Do not provide passwords or other personally identifiable account data from your other Web-based accounts for any reason when attempting to watch games – legitimate sites should not require this
— Be cautious when you follow search engine results for top news stories or score updates

Tom Kelchner

U.S. cyber crime loss spiked in ’09 to $560 M

Here’s an ugly trend.

The U.S. Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) has reported that complaints of cyber crime losses in the U.S. more than doubled from $265 million in 2008 to $560 million in 2009.

The increase was much higher than previous year-over-year figures. The Center’s web site carried the following annual numbers:

IC3

The IC3 annual report said that the group received 336,655 complaints in 2009, a 22.3 percent increase over 2008.

Types of complaints included:
— Thieves pretending to represent the FBI: 16 per cent
— Non-delivery of merchandise: 11.9 per cent
— Advance fee fraud scams (also called 419 scams): 9.8 per cent

IC3 said 146,663 complaints were referred to local, state or federal agencies:
— non-delivery of merchandise or payments: 19.9 per cent
— identity theft: 14.1 per cent
— credit card fraud: 10.4 per cent
— auction fraud: 10.3 per cent
— computer fraud or hacking: 7.9 per cent.

IC3 report here.

News story in Register here.

Tom Kelchner

Big Safari fix

Apple yesterday released a huge Safari update that fixes 16 vulnerabilities – six for Windows versions and ten for Mac OS X and Windows. The update, Safari 4.0.5, makes fixes in Tiger, Leopard, Snow Leopard and Windows versions.

This is probably pretty significant. In November, TheInquirer.net of the UK carried a piece about browser vulnerabilities that rated Firefox and Safari as the ones with the most vulnerabilities:
— Firefox 44 percent of total browser vulnerabilities
— Safari 35 percent
— Internet Explorer 15 percent
— Opera six percent

Story here: “Most web apps are broken.”

The 4.0.5 update fixes problems in ColorSync, ImageIO, PubSub, Safari and WebKit, many of which could allow the execution of malicious code.

The last major update, Snow Leopard (Mac OS X 10.6.2), came out in November. Apple distributed a beta version of Mac OS X 10.6.3 to its development community last week.

Vulnerabilities fixed included:

ColorSync (CVE-2010-0040)
ImageIO (CVE-2009-2285, CVE-2010-0041, CVE-2010-0042 and CVE-2010-0043)
PubSub (CVE-2010-0044)
Safari (CVE-2010-0045)
WebKit (CVE-2010-0046, CVE-2010-0047, CVE-2010-0048, CVE-2010-0049, CVE-2010-0050, CVE-2010-0051, CVE-2010-0052, CVE-2010-0053 and CVE-2010-0054)

Apple Support statement here.

Tom Kelchner

Many Zeus botnet C&C servers taken down

Swiss security blog Abuse.ch has reported that the worst Zeus botnet hosting ISP was taken off line yesterday, cutting the botnet’s number of servers from 249 to 181 – including the six worst ones.

Abuse.ch wrote: “As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C server is fact. I noticed that six of the worst ZeuS hosting ISP suddenly disappeared from the ZeuS Tracker.

“I verified the subnets of the affected ISP and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09.”

“Massive Drop in Number of Active Zeus C&C Servers” here.

Tom Kelchner

You don’t want to go looking for Corey Haim videos

Hollywood celebrity Corey Haim has died in typical tabloid fashion: “under investigation.” And we all know that celebrity death equals Internet scams by the boatload.

There are a number of spam runs currently circulating on video sharing sites such as Youtube, ready to catch out the curious and the unwary. Shall we take a look?

Haim1

“Suicide or killed! Watch Corey Haim first found dead”

Classy. Visiting mycelebzone(dot)com will pop open a Hotbar prompt, which you need to install to “see the content”:

Haim3

Instead of ghoulish pictures of a deceased celebrity, the end-user will find himself looking at a ghoulish spamblog linking to fake links of ripped movies.

Oh, they’ll have Hotbar, ShopperReports and BarDiscover onboard too. What a value add!

Elsewhere, sites claiming to have horrible images such as Celebrity-autopsies(dot)com will drop you onto surveys and quizzes to be filled in, courtesy of a dancing Michael Jackson:

Haim6

To see the content, all you have to do is sign up to a ringtone service that charges the low price of £9.00 / $15.00 per week – I know a bargain when I see one, and this probably isn’t it.

There are various other links floating around on video sharing sites, all of which should be avoided like the plague. There probably isn’t much on them that would be of use to you, unless you enjoy the sensation of gaining nothing while lining the pockets of spamblog merchants.

Paper Ghost

Rogue security products are the new black

Well, it looks like rogues are going to be in style this season.

Our good friends at McAfee AV have predicted that the 400 percent increase in rogues (also called “scareware”) they saw in 2009 will continue this year. They also estimated that the loss to victims will be on the order of $300 million.

Here at Sunbelt, we’re seeing a huge increase in rogue detections as well – a nearly 30 percent increase in just the last three months. We list 1,965 rogues in our VIPRE detections and we’re detecting a constantly increasing number of them. VIPRE and CounterSpy installations report these detections to the Sunbelt ThreatNet. Just pulling some fast numbers out of ThreatNet, I found a 29 percent increase in VIPRE and CounterSpy detections when comparing the daily average for February against that of December.

In the event you’ve been living in a cave (with no Internet service) for the last two years, rogues are thieving malicious programs that pretend to be legitimate anti-malcode products. They are real money makers for organized and disorganized criminals who work through the Internet.

Sadly, security people have been working for most of 20 years to raise the public consciousness about malicious code and the need to run anti-malcode protection. About the time the message really began to sink in, the slimeballs of the world started distributing fake security programs that impersonate the graphic interfaces of legitimate products and use names that have a legitimate look to them.

The scammers behind the rogues often distribute them by using botnets to send vast amounts of spam, advertising a variety of products. When a victim clicks on a link in the spam message, he’s taken to a malicious web site that pops up a window in his browser telling him in the most frightening terms possible that his machine is infected. The pop-up window also conveniently offers to download a product to clean his infected machine for a variety of prices, some as high as $99.99. If the victim bites on the offer, he purchases a piece of useless software that does nothing. Obviously, if you run across one, don’t buy it.

Rogues also are being peddled through search engine optimization scams. The rogue distributors use botnets to game search engines like Google into presenting their malicious sites in the top search results for the most popular, up-to-the-minute search terms. When victims click on the links that show up in search results, they’re taken to the malicious sites that pop up the alarming warnings.

If you run into an application that you think might be a rogue, you can check its name against the Sunbelt Rogue Blog: http://rogueantispyware.blogspot.com/

Here’s a link to one of our blog entries from last month about one such SEO poisoning:
“SEO poisoning not in well, but it’s aiming for the water heater”

Tom Kelchner

Twitter starts Direct Message phishing filtering

Twust and Safetwy

Del Harvey who leads Twitter’s Trust and Safety team blogged yesterday that the social networking/micro-blogging service has begun filtering all links in Twitter Direct Messages to stop phishing:

“Since these attacks occur primarily on Direct Messages and email notifications about Direct Messages, this is where we have focused our initial efforts. For the most part, you will not notice this feature because it works behind the scenes but you may notice links shortened to twt.tl in Direct Messages and email notifications.”

Twitter blog piece here.
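The mechanism the post describes, filtering every link in a message and rewriting it to a wrapper domain so the target can be checked, is easy to show in a few lines. The following is an added example written for this page; it is not Twitter’s code, and the only thing taken from the post is the twt.tl wrapper host. The token scheme, the blocklist and the sample message are assumptions constructed for the demonstration.

```python
"""Added example (not Twitter's implementation): a link filter for short
messages. Every URL in the message is replaced by a wrapper URL on a
domain the service controls, so that the real target can be checked
when the link is clicked; links to hosts on a blocklist are removed
outright. The wrapper host twt.tl is the one the post mentions; the
token scheme and the sample data are constructed for this example."""
import hashlib
import re
from urllib.parse import urlsplit

# Matches http(s) URLs in free text; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
WRAPPER_HOST = "twt.tl"  # from the post; the path/token format below is assumed


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased; empty string if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def is_blocked(url: str, blocklist) -> bool:
    """True if the URL's host is a blocklisted domain or a subdomain of one."""
    host = host_of(url)
    return any(host == b or host.endswith("." + b) for b in blocklist)


def wrap(url: str) -> str:
    """Deterministic wrapper URL: the first 8 hex chars of SHA-256 as a token (assumed scheme)."""
    token = hashlib.sha256(url.encode("utf-8")).hexdigest()[:8]
    return f"http://{WRAPPER_HOST}/{token}"


def filter_message(text: str, blocklist):
    """Rewrite links in `text`.

    Returns (rewritten_text, blocked_urls, mapping) where `mapping` goes from
    wrapper URL to original URL; a real service would persist it so the
    wrapper can resolve (and re-check) the target at click time.
    """
    blocked, mapping = [], {}

    def replace(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")          # keep sentence punctuation outside the link
        trail = raw[len(url):]
        if is_blocked(url, blocklist):
            blocked.append(url)
            return "[link removed]" + trail
        short = wrap(url)
        mapping[short] = url
        return short + trail

    return URL_RE.sub(replace, text), blocked, mapping


# Constructed sample: one phishing-style link on a blocklisted domain, one benign link.
SAMPLE_MESSAGE = ("lol is this you?? http://login-verify.example.net/twitter "
                  "also see my post at http://example.org/post.")
SAMPLE_BLOCKLIST = {"example.net"}

if __name__ == "__main__":
    rewritten, blocked, mapping = filter_message(SAMPLE_MESSAGE, SAMPLE_BLOCKLIST)
    print(rewritten)
    print("blocked:", blocked)
    print("wrapper mapping:", mapping)
```

Wrapping every link, not just suspicious ones, is what lets a service revoke a link after delivery: the decision is made when the wrapper resolves the token, not only when the message is sent.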

Tom Kelchner

New sniffer soon coming to a server near you

This little gem is probably one of those diagnostic tools that — like BackOrifice and Metasploit Framework — in the right hands is a good diagnostic tool and in the wrong hands is a bad diagnostic tool:

http://www.serversniff.net/index.php

“ServerSniff.net – Your free “Swiss Army Knife” for networking, serverchecks and routing with many many little toys and tools for administrators, webmasters, developers, powerusers and security-aware users.

“Tools for webmasters and developers:

“Benchmarks and informations about servers, routing, IP-Stacks, encryption, security, nameservers and domains.

“Tools for powerusers:

“For powerusers ServerSniff.net offers computing Hashes for strings and files and simply a lot of information about servers, ssl-encryption, domains etc.

“ServerSniff.net gathers only public information about servers and networks from publicly available sources or from asking the servers directly.”

It doesn’t exactly build confidence when you find that the ServerSniff “terms of use and acceptable use policy” is a dead link: http://beta.serversniff.net/terms_of_use

Terms of use

Thanks Alex.

Tom Kelchner

Update 03/11:

Alert reader “Guest” pointed out a link where terms of use are available: http://beta.serversniff.de/terms_of_use. Looks like it might have been a typo.

Consoles for old games come with new malcode

Be on the lookout for websites offering up “free applications” which come with a nasty sting in the tail. Here’s a typical example: Appzkeygen(dot)com

If you like videogame consoles, you may be a fan of emulators (programs that ape long dead consoles, allowing you to play old games on your PC – we’ll avoid the murky legal minefield that comes with this practice and instead focus on the malware).

Below is a Playstation 2 emulator – no really, it is. Would they lie to you?

Fkps22

Probably best not to answer that question.

Download and run any of the above files – all hosted at movieutilitesonline(dot)com – and you’ll probably be wondering where the alleged emulator is that is “by far superior to all other PS2 Emulators released before it.”

A pair of files will be dropped onto your PC, including a randomly named executable in the Windows directory and xpysys.dll in your System32 Folder. You’ve actually wound up with Trojan-Downloader.Win32.CodecPack.2GCash.Gen, which is – as you’ve probably guessed from the name – a Trojan downloader.

In some cases, people have reported this particular attack resulting in rogue antivirus appearing on the compromised system – however, during testing nothing was downloaded onto the PC. This doesn’t mean it won’t happen, of course – and you’ll still have the downloader onboard. Trojan-Downloader.Win32.CodecPack.2GCash.Gen has been used in everything from fake codec scams to rogue AV hijacks in previous months, and is probably going to stick around for quite some time.

Paper Ghost

LifeLock will pay $12 million for false claims

LifeLock, Inc., the company that GUARANTEED it would prevent customers’ identities from being stolen (for $10 per month) has agreed to pay fines totaling $12 million because the claims it made to promote its protection services were false, according to the U.S. Federal Trade Commission.

The company will pay $11 million to the FTC and $1 million to the attorneys general of 35 states. It is one of the largest FTC-state coordinated settlements, the commission said. The FTC will use the $11 million from the settlement and make refunds to consumers.

The FTC said in its release:

“The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

“New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.”

The FTC also said LifeLock told customers that the personal data it held was stored securely and encrypted, but it wasn’t.

FTC release here.

A federal judge ruled against LifeLock in a court action in California last year after credit reporting agency Experian sued the company. Credit customers can place a free 90-day credit alert on their accounts through credit agencies. LifeLock was charging its customers $10 per month to place the alerts – which cost Experian huge amounts of money.

Story here.

Tom Kelchner

Cute (and malicious)

There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it.

We can’t say for definite, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel since it dumps you into #music IRC channels and makes sure you can accept various media files.

Our tale begins with an Email, claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com:

Oast1

This is what the end-user will download onto their system – an executable claiming to be a .gif:

Oast2

Should they run the file, two things will happen. The first is that a rather charming image will appear on their desktop (courtesy of a hidden file called “Out.exe” which is dropped into the User Account Temp folder) – all part of the general ruse to make them think that yes, they really have been sent a “funny picture”:

Oast4

The second is a little more sinister – an entire hidden directory (called tmp0000729b, dropped into the Windows Temp folder) arrives unannounced, laying the groundwork for an IRC invasion:

Oast3

Yes, anyone blessed with the “vision” of those little angels is now part of a collection of IRC drones. If the end-user should hover their mouse over the seemingly empty system tray, they’ll actually discover the mIRC Daemon running in a hidden state:

Oast5

As is typical for an IRC related hijack, everything is hidden away to keep the end-user from suspecting anything is wrong. Hidden mIRC tools, and seemingly deserted IRC channels are the order of the day. Shall we open up the mIRC client and play a little game of “Now you see it, now you don’t” in reverse?

Oast6

Taken at face value, the above screenshot shows the victim sitting in an empty IRC channel. However, a quick highlight and…

Oast7

…there they are, sitting beneath a pair of Admins in a #Music room. You can set mIRC to accept and ignore certain types of files by default, and here the client is indeed set to disallow .exes, .dlls .bat and .scr files but allow normal files such as .wavs, .jpegs, .gifs and MP3s. The victim is placed into numerous #Music rooms like the one above on various IRC servers, so it’s a possibility the intention here is media sharing by way of compromised PCs.

Detections aren’t great at the moment (11/42 in VirusTotal): virustotal.com/analisis/9618c83546c16ae1dab70ca0d2e594c2dd41f622820d92e7bc9e22f2b3bc9f38-1267769547

We detect this as Trojan.Win32.Generic!BT, and as for the domain?

Oast8

Yeah, we’ve got it covered. If you do happen to see the three angels appear on your desktop, you might want to disconnect from the Net and go get your PC cleaned up – all the Holy Water in the World won’t fix this one…

Paper Ghost

Energizer USB charger infected with Trojan

Hmmm. A new vector for malware: USB battery chargers. Wonderful.

The U.S. Computer Emergency Response Team (CERT) is warning that Energizer DUO USB battery chargers have been found infected with a Trojan that loads backdoor malware on a victim PC along with its battery monitoring software.

The charger software copies a .dll file named UsbCharger.dll into the application’s directory and another named Arucer.dll into the Windows system32 directory. UsbCharger sets a registry entry to autoexecute Arucer.dll when Windows starts.

Arucer.dll is a backdoor that communicates through TCP port 7777.
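The indicators in this post (Arucer.dll in system32, an autorun entry that loads it, a listener on TCP port 7777) and in the emulator post above (xpysys.dll dropped into System32 by the CodecPack downloader) are the kind of thing an administrator wants to check quickly across machines. The script below is an added example written for this page, not code from Sunbelt or US-CERT. It works over text you would normally collect from `netstat -ano`, a dump of the Run keys and a directory listing; the netstat lines, autorun entries, file paths and the rundll32 command line are constructed samples, since the posts name the files and the port but not the registry key or the exact command.

```python
"""Added example (not Sunbelt's or US-CERT's code): offline triage for the
indicators named in the Energizer DUO and PS2-emulator posts. Feed it the
text of `netstat -ano`, (value name, command) pairs from the Run keys and a
list of file paths; it returns the matches rather than printing them so the
results can be collected centrally."""
from typing import Iterable, List, Tuple

# File-name indicators taken from the two posts; matched on the basename, case-insensitively.
FILE_INDICATORS = {
    "arucer.dll": "Energizer DUO backdoor component (Arucer.dll)",
    "usbcharger.dll": "Energizer DUO charger software (UsbCharger.dll)",
    "xpysys.dll": "Trojan-Downloader.Win32.CodecPack.2GCash.Gen component",
}
BACKDOOR_PORT = 7777  # TCP port the Arucer.dll backdoor communicates on, per the post


def find_listeners(netstat_lines: Iterable[str], port: int = BACKDOOR_PORT) -> List[Tuple[str, int]]:
    """Return (local address, pid) for TCP sockets in LISTENING state on `port`.

    Expects `netstat -ano` style columns: proto, local, remote, state, pid.
    """
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, state = parts[1], parts[3]
        addr, _, lport = local.rpartition(":")  # rpartition copes with IPv6 "[::]:7777"
        if lport.isdigit() and int(lport) == port and state == "LISTENING":
            pid = int(parts[4]) if len(parts) > 4 and parts[4].isdigit() else None
            hits.append((addr, pid))
    return hits


def find_autoruns(autorun_entries: Iterable[Tuple[str, str]], indicators=FILE_INDICATORS):
    """Flag Run-key entries whose command line names one of the indicator files."""
    hits = []
    for name, command in autorun_entries:
        lowered = command.lower()
        for fname, description in indicators.items():
            if fname in lowered:
                hits.append((name, command, description))
    return hits


def find_files(paths: Iterable[str], indicators=FILE_INDICATORS):
    """Flag paths whose basename is one of the indicator files."""
    hits = []
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in indicators:
            hits.append((path, indicators[base]))
    return hits


def triage(netstat_lines, autorun_entries, paths) -> dict:
    """Run all three checks and return the findings as one dictionary."""
    return {
        "listeners": find_listeners(netstat_lines),
        "autoruns": find_autoruns(autorun_entries),
        "files": find_files(paths),
    }


# Constructed samples (not captured from a real infected host).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836",
    "  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       1540",
    "  TCP    192.168.1.20:49201     203.0.113.10:443       ESTABLISHED     2212",
    "  UDP    0.0.0.0:123            *:*                                    1012",
]
SAMPLE_AUTORUNS = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    # Constructed: the post does not give the key or the command line, only that Arucer.dll is autostarted.
    ("Arucer", r"rundll32.exe C:\Windows\system32\Arucer.dll,Arucer"),
]
SAMPLE_FILES = [
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\Arucer.dll",
    r"C:\Windows\system32\xpysys.dll",
    r"C:\Program Files\Energizer\UsbCharger.dll",
]

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_NETSTAT, SAMPLE_AUTORUNS, SAMPLE_FILES).items():
        print(kind, findings)
```

A listener on 7777 from a process that is not otherwise accounted for is the strongest of the three signals, because the file and autorun names can be changed by a repacked sample while the backdoor still has to listen somewhere.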

The charger has been sold worldwide for three years.

CERT notes that the Trojan contains Chinese language text.

Sunbelt detects it as Trojan.Arugizer.

CERT Vulnerability Note VU#154421 here.

PCWorld news story here.

Tom Kelchner

Five years ago today on the Sunbelt Blog

“Is Spyware Real?”

March 4, 2005: Sunbelt Software CEO Alex Eckelberry blogged his disagreement with comments made by AV pioneer Eugene Kaspersky about a new thing called “spyware.”

Alex quoted him as saying: “The term spyware is basically a marketing gimmick… Just to separate new ersatz-security products from traditional ones, just to push almost zero-value products to the security market.”

The Sunbelt CEO explained that spyware was real and traditional AV vendors were ignoring it: “The term ‘spyware’, obviously, is a broad term encompassing lots of different categories of malware. Really, what people mean when they say spyware is ‘adware’ — stuff that loads your machine up with junk ads, turns it into the equivalent of an electronic toaster, and makes your life hell.”

He also pointed readers to a March 1, 2005, PCWorld review that found that Sunbelt’s CounterSpy anti-spyware product caught 85 percent of a test set of 81 adware and spyware samples.

Today, five years later, more than 47,000 detections (of the total 13 million detections) in the VIPRE and CounterSpy signature database are classified as “adware.”

Sunbelt now sells a range of full-blown anti-malware products. They do much better than 85 percent detections and have VB100 certification as well.

Sunbelt Software has grown a bit in five years. VIPRE version 4.0 just shipped and the office space that held the entire company in 2005 is now mostly our server room.

Read 2005 blog post here: Is Spyware Real?

Tom Kelchner

Search engine bait and switch

Our good friends at F-Secure AV company have blogged about a new and significant malcode-delivery technique: publishing a web page with a .pdf file on it then changing the .pdf link to something malicious after search engines index the page.

What they found delivered a rogue security product (but of course.)

Nice work F-Secure.

FSecure blog piece here.
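The technique is a bait-and-switch between index time and click time, so the defensive counterpart is a re-crawl that remembers what a link pointed at when the page was first seen and reports when the target moves. The script below is an added example written for this page, not F-Secure’s or Sunbelt’s code, and the two page versions, the base URL and the swapped-in host are constructed samples.

```python
"""Added example (not F-Secure's analysis code): detect a link that was
swapped after a page was indexed. `diff_links` compares the links seen at
index time with those on a later fetch and flags targets that changed,
calling out specifically a link that advertised a .pdf and now points to a
non-.pdf target, and a link whose host changed. Both HTML documents below
are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect (anchor text, absolute href) pairs from an HTML document."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            self._href = urljoin(self.base_url, href) if href else None
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str, base_url: str):
    parser = LinkCollector(base_url)
    parser.feed(html)
    return parser.links


def diff_links(indexed_html: str, current_html: str, base_url: str):
    """Compare index-time links with current ones, keyed by anchor text.

    Returns (anchor text, old target, new target, reason) for every changed or
    removed link. Anchor text is the key because that is what the search
    engine showed the user and what the attacker leaves untouched.
    """
    before = dict(extract_links(indexed_html, base_url))
    after = dict(extract_links(current_html, base_url))
    findings = []
    for text, old in before.items():
        new = after.get(text)
        if new is None:
            findings.append((text, old, None, "link removed"))
        elif new != old:
            reasons = []
            if old.lower().endswith(".pdf") and not new.lower().endswith(".pdf"):
                reasons.append("advertised .pdf now points to a non-.pdf target")
            if urlsplit(old).netloc != urlsplit(new).netloc:
                reasons.append("target host changed")
            findings.append((text, old, new, "; ".join(reasons) or "target changed"))
    return findings


# Constructed samples: the page as indexed, and the same page after the PDF link was switched.
BASE_URL = "http://example.org/reports/"
INDEXED_HTML = """<html><body>
<h1>Annual report</h1>
<p>Download the <a href="/files/report-2009.pdf">2009 annual report (PDF)</a>.</p>
<p><a href="/about">About us</a></p>
</body></html>"""
SWITCHED_HTML = """<html><body>
<h1>Annual report</h1>
<p>Download the <a href="http://example.invalid/dl/report.exe">2009 annual report (PDF)</a>.</p>
<p><a href="/about">About us</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in diff_links(INDEXED_HTML, SWITCHED_HTML, BASE_URL):
        print(finding)
```

A crawler that keeps the index-time link targets (or, better, a hash of what they served) can re-check the pages it ranks highly and drop the ones whose links no longer match, which is exactly the window this trick depends on.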

Yes, it’s one more creepy thing on the Internet, as if we need any more. The lesson for us all:
— be aware that it is possible;
— keep alert for the mechanism;
— keep your AV protection running and updated. (Shameless plug: VIPRE version 4.0 came out this week. Check it out here.)

Tom Kelchner

Patch Tuesday coming next week

Microsoft has issued an advance notification for Patch Tuesday next week. The company said it expects to issue two patches, one for Windows and one for Office. Both are intended to patch vulnerabilities that could allow remote code execution and both are rated “important.”

Microsoft Security Bulletin Advance Notification for March 2010 here.

Tom Kelchner

Chat with malcode

It’s time for your daily dose of “spot the fake program / avoid the fake program”.

What is it this time? Well, if you have family members who are into webcams and chatting you might want to point them to this writeup because a new challenger has entered the ring:

Fkcam1

Yes, “Chat Cam” is a rather smart looking (and entirely fake) program designed to make end users think they’re taking part in a large community of webcam owners. Clearly, the creator had the recently launched Chatroulette in mind when they made this one (if you’re not familiar with it, Chatroulette is a site where you jump from webcam chat to webcam chat over and over again, all within one large community of strangers. In practice, you tend to mash the “Next” button endlessly as one “chat” after another fails to materialise). This is what Chatroulette looks like – you’ll notice the similarity as we move further into the writeup:

Fkcam0

Meanwhile, this is what our “Chat Cam” looks like when you fire it up – notice how slick it is, along with the well crafted options it gives the user to play with:

Fkcam2

Fkcam3

Did you notice the “online users” count at the bottom of those two screenshots? Here it is again. Notice anything?

Fkcam5

That’s right – it changes randomly, which is a particularly convincing touch. Note that Chatroulette also displays the number of users online in the top right hand corner. Hit the “Start a chat” button, and the application dumps you into a pretend conversation with any one of a large selection of usernames stored in the program database. It has a very similar feel to the Chatroulette chatbox:

Fkcam6

Unsurprisingly, the webcam never loads – and the chat never gets beyond the first line or two of text. The fake bot “disconnects”, and the user is left to go right back and hit the “Start chat” button all over again. What’s particularly interesting here is that it apes the actual Chatroulette experience brilliantly – for me, anyway. When I tried it out a couple of days ago, every single chat I jumped into was a carbon copy of the above screenshot.

Of course, everything above is purely academic by this point – end users are doomed the moment they fire up the executable, as it’ll have been wrapped up tightly with a random infection file. There seems to be a bit of a trend for fake webcam apps mashed up with infection files at the moment – in particular, programs that do something similar to the above but loop fake “webcam footage” (usually ripped from Youtube videos) are very popular on underground forums.

Whatever you do, be wary of programs trying to cash in on the popularity of webcam chats with strangers – as you can see, fake a/s/l information is the least of your worries…

Paper Ghost

The Internet as a moral ground

“…in that space one can easily indulge in depravity, lies, vulgarity…”

Here’s a sort of comment about the Internet that you don’t see much in the news.

The Russian government news service RiaNovosti is reporting that Patriarch Kirill of Moscow and All Russia (head of the Russian Orthodox Church), told school students in Moscow that “Nowadays the Internet is a kind of laboratory where an individual should be formed and where a character should be sharpened.”

“He also said the Internet has become ‘an examination on our authenticity, an enormous power challenge’ as in that space one can easily indulge in depravity, lies, vulgarity, and the desire to lash out with aggression and impunity,” the news service reported.

Story here: “Internet is examination for human race – Patriarch Kirill”

Created in 1991, RiaNovosti traces its history back through various Soviet/Russian government news agencies to the 1941 Soviet Information Bureau. That bureau (Sovinformburo) was set up by the USSR Council of People’s Commissars and the Central Committee to provide international news and coverage of military events and domestic life.

Its web site includes links to Pravda.ru’s space-aliens-land-in-Russia-type tabloid fare as well as pro-government news in eight languages. The “Strange but True” section is a scream (http://en.rian.ru/strange/)

Check out the piece: “Two-headed calf born in Estonia.” A two-headed animal, once seen as a predictor of impending war, is now viewed as an omen foretelling an improving economy — at least according to the farmer who owns it. Maybe the U.S. Federal Reserve Board should get one.

Tom Kelchner

U.S. Census Bureau warning of phishing scams

The U.S. Census Bureau is warning of phishing and other scams that are using the 2010 Census as bait. Here is the warning from the bureau’s web site:

If you are contacted for any of the following reasons — Do Not Participate. It is NOT the U.S. Census Bureau.

Phishing:

‘Phishing’ is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, social security numbers, bank account or credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email and it often directs users to enter sensitive information at a fake web site whose look and feel are almost identical to the legitimate one.

Other Scams:

— The Census Bureau does NOT conduct the 2010 Census via the Internet

— The Census Bureau does not send emails about participating in the 2010 Census

The Census Bureau never:

— Asks for your full social security number

— Asks for money or a donation

— Sends requests on behalf of a political party

— Requests PIN codes, passwords or similar access information for credit cards, banks or other financial accounts.

More Census Bureau info on scams here.

Tom Kelchner