Microsoft has issued Security Bulletins MS10-019 through MS10-029: eleven bulletins addressing 25 vulnerabilities in Windows, Exchange and Office.
For further information:
http://www.microsoft.com/technet/security/current.aspx
Tom Kelchner
The Legacy Sunbelt Software Blog
The Great Years: 2004-2010
Scale the wall, comrade. View the peaks of Japan
Sometimes the collective behavior of a lot of people discloses information that isn’t apparent any other way. There’s a big word for it in the social sciences, but I haven’t been able to remember it for about five years.
Chinese net users last weekend apparently discovered the Twitter handle of Japanese adult film actress Aoi Sola (@Aoi_Sola) and the information went viral. A lot of Chinese fans (15,000) signed up to follow her. Aoi Sola is very attractive and best known for her “expansive” treatment of bikini tops.
There’s nothing unusual in that in this day and age.
However…
Twitter is blocked by the Great Firewall of China. A lot of the tweets were written in simplified Chinese which, according to the Dongguan Times, indicated they came from mainland China. That meant a LOT of people had figured out how to defeat the Chinese government’s Internet filtering.
Here’s the account from Danwei.org, a site devoted to “Chinese media, advertising, and urban life.”
“From the Dongguan Times:
“Many netizens are suspicious of the identity of Aoi Sola’s fans, because on the Chinese mainland, many netizens cannot use Twitter. ‘You can’t get on Twitter on the Chinese mainland, did your followers come from Hong Kong or China Taiwan?’
“Because Aoi Sola works in the AV industry, which is adult entertainment, it could cause harm to youngsters’ mental and physical well-being. Therefore, whether it’s Twitter or news about Aoi Sola, all information is forbidden. In order to become a follower of Aoi Sola’s Twitter from the mainland, the fan must use software for ‘scaling the wall.’
“However, for the netizens who left a message on Aoi Sola’s Twitter, many of those used simplified Chinese, [so] most of them were from the Chinese mainland. After Aoi Sola’s Twitter account was ‘discovered,’ netizens claim that many Chinese people are learning to use software to ‘scale the wall.’”
Aoi Sola’s response to all the attention:
“Aoi Sola: I’m surprised.Receive many follow messages & RT from China now.aaaaaaaaahhh,I don’t know,anyway THANK YOU!!”
Danwei.org story here: “AV actress entices Chinese netizens to go on Twitter”
And, check out Google Images: “Aoi Sola” (CAUTION: the Peoples’ Republic of China believes these photos “could cause harm to youngsters’ mental and physical well-being” although the first 700 or so that we looked at showed nothing you can’t see on Clearwater Beach on a warm day.)
Tom Kelchner
Twitter cofounder Biz Stone has announced on the Twitter blog that the microblogging service will begin tweeting advertising.
“We are launching the first phase of our Promoted Tweets platform with a handful of innovative advertising partners that include Best Buy, Bravo, Red Bull, Sony Pictures, Starbucks, and Virgin America — with more to come. Promoted Tweets are ordinary Tweets that businesses and organizations want to highlight to a wider group of users,” he wrote.
Twitter is going to need a source of income to survive, and it certainly comes as no surprise that the organization is moving into something that will “monetize” its traffic and its popularity.
We’re wondering how long it will be before the online pharmacies, botnet operators and rogue security product pushers decide to mimic Twitter’s ads for their own nefarious purposes. Like the search engine optimization techniques that have taken advantage of the big search services, there will be attempts to use the promoted tweets. And there will be countermeasures by Twitter and the rest of us in the anti-malcode world.
So when this starts, use common sense and keep alert for tricky new malicious techniques that will fit into 140 characters. Since Twitter mentioned Best Buy, Bravo, etc. in the blog, those names probably will be some of the first ones (mis)used in mal-tweets. We would expect tweets with links (probably shortened) that lead or redirect to sites selling questionable wares or downloading Trojans or other malware.
Twitter blog here.
Update:
News stories are appearing about Twitter’s move to tweet ads. One statistic that stands out is “$160 million.” That’s the amount of venture capital that Twitter has taken in the last three years.
ZDNet story here.
Tom Kelchner
Brian Krebs, in his “Krebs on Security” blog, is reporting that a large number of WordPress blog pages have been hacked to redirect visitors to networkads.net, which downloads rogue security applications onto their machines. The owners of the blogs are also locked out of their own sites.
“It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider,” Krebs wrote.
He also said that a script that downloads from the networkads.net site attempts to install a malicious ActiveX browser plugin which runs in Internet Explorer. VIPRE detects it as Trojan.Win32.Generic!BT.
A spokesperson for Network Solutions said an investigation is underway and the hack may be related to a malicious WordPress plugin.
Krebs blog here.
Update: unsecured passwords caused WordPress blog takeovers
Network Solutions has found the vulnerability – passwords stored in plain text – that caused the issue and secured it.
Shashi Bellamkonda said on the company blog:
“As part of the resolution, we have had to change database passwords for WordPress. Normally, this does not impact functioning of the blog, but in some cases if you have custom code with manually-embedded database passwords (in files other than wp-config), this will require changes.
“As a precaution, we’re also recommending that all customers using WordPress should log into their account to change their administrative passwords. Also review all the administrative access accounts and delete those that you do not recognize. If you feel you are still experiencing issues and need help please contact us at Listen
Blog post here.
Expanded story at the Register: “Network Solutions mops up after mass WordPress breach”
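The two things Network Solutions asks for, rotating the database password and then tracking down every copy of it that lives outside wp-config.php, are easy to get wrong on a shared host with many installs. The Python script below is an added example, not code from the post or from Network Solutions: it walks a WordPress tree, flags any wp-config.php that other accounts on the host can read (group or world read bit set), and flags any other PHP file that either hard-codes a literal password in a mysql_connect()/mysqli_connect() call or contains the password value taken from wp-config.php. The sample install it writes into a temporary directory is constructed for the example; the file names and the password are made up.

```python
import os
import re
import stat
import tempfile

# Constructed sample install for this example (not Network Solutions' or any
# customer's real files): a wp-config.php left readable by other accounts on
# the host, a plugin file with the same database password hard-coded, and a
# plugin file that correctly pulls its settings from wp-config.php.
SAMPLE_FILES = {
    "blog/wp-config.php":
        "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpuser');\n"
        "define('DB_PASSWORD', 'hunter2');\n",
    "blog/wp-content/plugins/custom/db.php":
        "<?php\n$link = mysql_connect('localhost', 'wpuser', 'hunter2');\n",
    "blog/wp-content/plugins/custom/helper.php":
        "<?php\nrequire_once(ABSPATH . 'wp-config.php');\n",
}
SAMPLE_MODES = {"blog/wp-config.php": 0o644}  # everything else is created 0o600

# define('DB_PASSWORD', '...') as written in wp-config.php
DB_PASSWORD_RE = re.compile(
    r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"]([^'\"]*)['\"]")
# mysql_connect(host, user, password) / mysqli_connect(...) with a literal password
CONNECT_RE = re.compile(
    r"mysqli?_connect\(\s*['\"][^'\"]*['\"]\s*,\s*['\"][^'\"]*['\"]\s*,"
    r"\s*['\"]([^'\"]+)['\"]")


def build_sample_tree():
    """Write the constructed sample files to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, SAMPLE_MODES.get(rel, 0o600))
    return root


def audit_wordpress_tree(root):
    """Return sorted (kind, relative_path) findings for exposed or copied DB credentials."""
    php_files = [os.path.join(d, n) for d, _, names in os.walk(root)
                 for n in names if n.endswith(".php")]
    configs = [p for p in php_files if os.path.basename(p) == "wp-config.php"]
    others = [p for p in php_files if p not in configs]
    findings = []
    known_passwords = set()

    # Pass 1: wp-config.php. Any other account on the host that can read it has
    # the database password; that exposure is what Network Solutions had to fix.
    for path in configs:
        if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(("readable-by-others", os.path.relpath(path, root)))
        with open(path) as fh:
            known_passwords.update(pw for pw in DB_PASSWORD_RE.findall(fh.read()) if pw)

    # Pass 2: every other PHP file. A literal password in a connect call, or the
    # configured password copied anywhere else, is missed when only wp-config.php
    # is updated during rotation: the site breaks, or the old secret stays alive.
    for path in others:
        with open(path) as fh:
            text = fh.read()
        if CONNECT_RE.search(text) or any(pw in text for pw in known_passwords):
            findings.append(("embedded-db-credential", os.path.relpath(path, root)))
    return sorted(findings)


if __name__ == "__main__":
    sample_root = build_sample_tree()  # point at a real document root to audit it
    for kind, rel in audit_wordpress_tree(sample_root):
        print(f"{kind:24} {rel}")
```

Anything reported as embedded-db-credential has to be edited when the database password is rotated, and anything reported as readable-by-others should be set to mode 600 and its password treated as already leaked. The script only recognises the two credential patterns shown; PDO DSNs or passwords kept in other configuration formats would need their own patterns.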
Tom Kelchner
Every once in a while, you find some odd piece of text in a piece of malware.
Debugging the TDL 3 rootkit yields some interesting results. Here are messages that dump in the debug window at various times:
Fri Apr 9 09:02:37.495 2010 (GMT-4): You people voted for Hubert Humphrey, and you killed Jesus
Fri Apr 9 09:03:01.900 2010 (GMT-4): Ah Lou, come on man, we really like this place
Fri Apr 9 11:53:08.715 2010 (GMT-4): Dude, meet me in Montana XX00, Jesus (H. Christ)
Fri Apr 9 12:18:27.522 2010 (GMT-4): I felt like putting a bullet between the eyes of every panda that wouldn’t screw to save it’s species. I wanted to open the dump valves on oil tankers and smother all those french beaches I’d never see. I wanted to breathe smoke
If you’re a movie or TV buff, you might recognize these:
Fear and Loathing in Las Vegas: You people voted for Hubert Humphrey, and you killed Jesus
Fight Club: — Ah Lou, come on man, we really like this place and I felt like putting a bullet between the eyes of every panda that wouldn’t screw to save it’s species. I wanted to open the dump valves on oil tankers and smother all those french beaches I’d never see. I wanted to breathe smoke.
Brake my wife, please: Dude, meet me in Montana XX00, Jesus (H. Christ)
Alex Eckelberry
(Thanks, Chandra)
Aiming for one billion Twitterers by 2013?
Twitter’s International Team Lead Engineer Matt Sanford has blogged on the company’s site that Twitter is seeing growth of over 60 percent in registrations outside the U.S.
After setting up a Spanish language capability in November, the microblogging service saw a huge surge in registrations in Latin America, Sanford said. Sign-ups in India also spiked early in the year after several politicians and Bollywood movie stars began Tweeting.
The service was thought to have 75 million users at the end of January (“New Data on Twitter’s Users and Engagement” ) and documents obtained from Twitter by a hacker and published in 2009 showed that the company had plans to sign up one billion users by the end of 2013.
Several sources have estimated that at the end of 2009 1.7 billion people were using the Internet.
Twitter Blog: “Growing around the world”
Tom Kelchner
Adobe has announced that it will release an updater along with Adobe Reader and Acrobat versions 9.3.2 and 8.2.2 on patch Tuesday next week.
On the Adobe blog, Steve Gottwals wrote: “…we have been testing a new updater technology with select beta customers since our October 13, 2009 quarterly update. The purpose of the new updater is to keep end-users up-to-date in a much more streamlined and automated way.
“During our quarterly update on January 12, 2010, and then again for an out-of-cycle update on February 16, 2010, we exercised the new updater with our beta testers. This allowed us to test a variety of network configurations encountered on the Internet in order to ensure a robust update experience. That beta process has been a successful one, and we’ve incorporated several positive changes to the end-user experience and system operation. Now, we’re ready for the next phase of deployment.”
Users can set an “Automatically install updates” control or not, as they wish.
Blog entry here.
Given the attention that malcode creators have lavished on Adobe products recently, an updater to go along with regular “patch Tuesday” updates will certainly help us all have a good “end-user experience.”
Tom Kelchner
Northwestern Bank Online – Orange City is compromised and should not be visited until it’s clean.
Embedded in the site is a malicious iframe, as you can see in this screen shot:
(Testing the site with Wepawet doesn’t work, since it chokes on the JavaScript emulation. However, the iframe is malicious.)
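A static check for this kind of injection, added here as an example and not taken from the original post: the Python script below parses a page’s HTML, collects every iframe, and reports those that are styled invisible, sized 0 or 1 pixel, or sourced from a host outside the page’s own site. The page it scans is a constructed sample that imitates the pattern (a same-site login frame, a same-site promo frame on a sub-domain, and an injected 1x1 hidden frame pointing at an outside host); the hostnames are made up. Like any static check it only sees iframes present in the markup, so an iframe written by obfuscated JavaScript, the case that defeated Wepawet’s emulation here, would only show up after rendering the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the bank's real HTML). Hostnames are made up.
SAMPLE_PAGE_URL = "http://www.example-bank.test/index.html"
SAMPLE_HTML = """<html><body>
<h1>Online Banking</h1>
<iframe src="/login/frame.html" width="600" height="400"></iframe>
<iframe src="http://cdn.example-bank.test/promo.html" width="300" height="250"></iframe>
<div><iframe src="http://evil.example.test/in.php" width="1" height="1"
     style="visibility: hidden"></iframe></div>
</body></html>"""


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _site(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without a unit suffix)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def suspicious_iframes(page_url, html):
    """Return iframes that are hidden, tiny, or point off-site, each with its reasons."""
    parser = _IframeCollector()
    parser.feed(html)
    page_site = _site(urlparse(page_url).hostname or "")
    findings = []
    for attrs in parser.iframes:
        reasons = set()
        # Injected frames are usually hidden with CSS or pushed off-screen.
        style = re.sub(r"\s+", "", attrs.get("style", "").lower())
        if ("display:none" in style or "visibility:hidden" in style
                or re.search(r"(left|top):-\d", style)):
            reasons.add("hidden-style")
        # ...or given a 0x0 / 1x1 size so nothing is visible on the page.
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.add("tiny-size")
        # ...and they load content from a host the site does not own.
        # Relative URLs have no hostname and count as same-site.
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and _site(host) != page_site:
            reasons.add("third-party-host")
        if reasons:
            findings.append({"src": src, "reasons": sorted(reasons)})
    return findings


if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(hit["src"], ", ".join(hit["reasons"]))
```

The third-party test is deliberately a heuristic (last two labels of the hostname), so a site that legitimately frames content from a partner domain will produce hits that need a manual look; the hidden-style and tiny-size reasons are the stronger signal, and a frame matching all three, as in the sample, is almost never legitimate.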
Alex Eckelberry
(thanks Francesco)
Update 4/10: The site appears clean now.
…”click here to view”.
Yes, it seems almost anything is a target for money generating survey spam.
In this case, we start with a Youtube video:
And we finish with this:
Even better, these “fill in a survey to see the content” websites now pop up an additional message as you try to leave the page:
“Help keep this content free. Please take one minute to complete a SPAM-free market research survey to gain access to this special content.”
Free? They’re preventing the end-user from reading the content unless they sign away their personal information to third party advertisers, while generating affiliate revenue for the owner of the webpage.
I suppose we should be thankful the Youtube link just took us to a spam site, instead of some sort of Malware install…
Christopher Boyd
There could be a denial-of-availability risk to the enterprise in the new anti-piracy law passed by the British Parliament yesterday. Employees using company machines to swap pirated files could trigger a suspension of Internet service.
The law is aimed at repeat offenders; however, employee misuse of company resources, or a botnet takeover that turns a company machine into a file-trading server, is a significant threat. At minimum, unintentional offenders will have some paperwork to deal with when their ISP lets them know they’re in violation.
Recent measures to cut down on piracy have been horrendously controversial – to the point that a Pirate Party has begun a (disorganized) organizing effort in several countries. Somehow the argument that “all information wants to be free” doesn’t answer the question: “who’s going to pay for the creation of all that music, video and software?” And “oh, they charge too much anyway,” isn’t really a recognized legal concept.
The Indian film industry, usually known as Bollywood, has been making a lot more films than its U.S. counterpart for decades but only makes a tiny fraction of the profit in large part because of world-wide piracy that began in the VCR days (You know, those pirated DVDs in every flea market and ethnic convenience store everywhere on Earth.)
In light of the new UK law, it might be a good idea for those in the jurisdiction to revisit company acceptable use policy, maintain good anti-malware and check logs of outbound traffic for uncharacteristically high volumes.
Details of the legislation and its passage here: “U.K. Approves Crackdown on Internet Pirates”
Tom Kelchner
Microsoft has put the PC-using world on notice that next Tuesday there will be 11 bulletins released addressing 25 vulnerabilities in Windows, Exchange and Office.
Jerry Bryant, Group Manager of Microsoft’s Response Communications, said: “I also want to point out to customers that we will be closing the following open Security Advisories with next week’s updates:
— Microsoft Security Advisory 981169 – Vulnerability in VBScript could allow remote code execution.
— Microsoft Security Advisory 977544 – Vulnerability in SMB could allow denial of service”
Advance notice here.
Tom Kelchner
Search terms that are censored in China:
“Tibet”
“Tiananmen Square protests”
“Carrot”
Apparently “carrot” is written with a Chinese character that is the same as the surname of President Hu Jintao.
The New York Times has run a great story by Shiho Fukada about Internet censorship in China, where the effort to control the content seen by 384 million Internet users who have 181 million blogs is like “herding cats.”
“This is China’s censorship machine, part George Orwell, part Rube Goldberg: an information sieve of staggering breadth and fineness, yet full of holes; run by banks of advanced computers, but also by thousands of Communist Party drudges; highly sophisticated in some ways, remarkably crude in others,” Fukada wrote.
Apparently there is some push back by Chinese citizens.
Interesting read.
“China’s Censors Tackle and Trip Over the Internet”
Tom Kelchner
If you like downloading or installing programs on your PC related to XBox gaming, you might want to take note of this writeup. There’s a DIY kit in circulation that allows an attacker to create a website claiming to be an XBox Live application for your computer. We’ve grabbed the kit and had a poke around inside to see how this operates – all it takes is two pages of HTML, a fake graphic and a Java archive to set this one in motion. This is the kit in question:
Upon visiting any site related to this scam, the end-user will see a blank webpage with nothing other than a Java notice and a fake Softpedia award at the bottom of the screen:
After a second or two, things become a little more lively with a splash page claiming “the application is loading”:
At this stage, the end-user will be presented with the following Java Application Digital Signature Permission Screen:
Note that they list the publisher as “Microsoft”, which is always going to make potential victims a little bit easier to trick into hitting the Run button. That name is nothing more than the subject the kit’s author typed into a self-signed certificate; Java only vouches for a publisher when the certificate chains to a trusted CA, which is why the same dialog says in large text “The application’s digital signature cannot be verified. Do you want to run the application?”
The smart answer, of course, is “no”.
If the end-user hits “Run”, the applet will download whatever file it’s configured to grab then execute it. At this point, things have gone horribly wrong for all concerned (apart from the creator of the fake application page).
If we download the file offered up by the above prompt separately, we can see that the end-user installs a file that looks a little bit like an art program.
It isn’t an art program.
After running the above file, the end-user will find “Crypted.exe” in their Temp folder. This is actually something called Trojan-PWS.Win32.Fignotok.A, a password stealing program that targets applications such as Firefox, Steam, DynDNS and various IM clients.
It’s worth remembering that the DIY kit allows the attacker to change the infection file offered up by the applet to be anything they desire. Talking about unsigned applets and hijack files is making me feel a little bit 2005, but I guess what goes around comes around.
* ALWAYS be cautious when presented with an unknown application. Don’t just run it; go Google it first and see if anyone else even mentions it.
* In the same spirit, be very wary of unsigned applications on random websites you’ve never heard of.
* Anyone can grab an award badge from a website and claim they’re the “Best thing ever”.
We detect the executable launched by the applet as Trojan.Win32.Generic!BT. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.
Christopher Boyd
Hong Kong-based security firm Network Box reported that Korea was the country of origin for 31.1 percent of the malware on the Internet in March. In February the country only pumped out 8.9 percent, leading researchers to theorize that there has been a huge increase in infected machines there pushing out phishing spam.
Network Box includes phishing in its calculations of monthly malware statistics. They also include North and South Korea as one country in their categories, but say the lack of public computers in the North means that South Korea is the country of origin for the bulk of the statistic.
The US was second on the list at 9.34 percent.
See InfoSecurity story here: “Korea reigns as king of malware threats”
Tom Kelchner
I could talk about how The Matrix was a pretty big deal for me back in the day, or how The Matrix Online is (to date) the only MMORPG I ever liked enough to pay a monthly subscription for, or how I think people doing Kung Fu in bullet time is still the best thing ever.
Mostly, I’ll just show you this:
And this:
Is there a glitch in the Matrix? You bet. Unfortunately it seems the website of one of the actors from Reloaded / Revolutions (Harry Lennix, who played Commander Lock) has been hacked and is now, bizarrely, the scene of some Cyber Kung-Fu gone wrong as two warring factions go to, er, war.
First the site was compromised by the initial defacer seen in the Google search result. Fast forward a few days and now it’s been “Rehacked” (though not Reloaded) by another individual. Clearly, something is going on here. But what?
Well, it turns out the middle act of the story is where all the action is. For a short period of time, the site said:
snazzy, you are NOT skiddie.. you are FAKE ******g kiddie!
now go to your mom and get the money for this login and give it to me.
Yes, it appears Defacer A didn’t deface anything – merely purchased (or attempted to purchase) the already compromised site from Defacer B, then went on to brag about how they’d hijacked a “famous actor”. Cue Defacer B reclaiming their territory and making sure everybody knew about it at the same time.
Whoops.
The host has been notified, but for now we’ll just have to ponder the irony of a defacement involving an actor whose character never believed in the ability of a man who could hack reality…
Christopher Boyd
A year-long international investigation concluded in the last few weeks with 700 police in Romania launching raids and taking into custody 70 people from three gangs. Those arrested were part of a four-year long wave of Internet auction fraud that victimized 800 people and netted over $1 million (US).
Yesterday Romanian Police released information on the raids which were organized by prosecutors at the Directorate for Investigating Organized Crime and Terrorism. The police served 101 warrants in 12 Romanian cities.
The suspects are charged with incidents in which money was stolen from victims in Austria, Canada, Denmark, France, Germany, Italy, New Zealand, Spain, Sweden, Switzerland and the United States.
The FBI and Secret Service from the U.S. assisted in the investigations, they said.
Last month FBI Director Robert Mueller said in a speech at the RSA conference that his agency had worked with the Romanian National Police to arrest more than 100 Romanian suspects in the past 18 months.
The auction fraud included phony sales of electronics equipment, luxury cars, airplanes, motorcycles and laptop computers as well as fake gold and platinum Rolex watches.
Gary Warner’s blog “CyberCrime and Doing Time” has great coverage including links to videos and Romanian-language sites.
Tom Kelchner
VIPRE Enterprise Premium was winner of Security Products magazine 2010 GovSec Award in the IT Software Security category.
Sunbelt Software CEO Alex Eckelberry’s comments: “Sunbelt created VIPRE Enterprise Premium to provide a superior security solution for small and large enterprises, including state, local, and federal government networks that would prevent the spread of malware capable of threatening critical infrastructure and systems. This award highlights the fact that Sunbelt’s VIPRE Enterprise Premium delivers reliable endpoint protection against the evolving threat landscape and ensures the maintenance of a strong and secure network.”
The magazine announced the winners at the 2010 Government Security Expo & Conference to recognize outstanding products in the government security space.
VIPRE Enterprise Premium is an advanced anti-malware engine that merges the detection of viruses, worms, spyware, Trojans and bots into a single, efficient and powerful system. VIPRE draws its data from the world-class research of its Sunbelt Labs malware research and analysis division. It is the fastest engine on the market today that uses the fewest resources, due to its proprietary technology that helps it keep up with the evolutionary nature of malware creation and attacks against the endpoint.
Sunbelt Software news release here.
Tom Kelchner
Rob VandenBrink has written a piece on the SANS web site Diary (“The Many Paths to Security Awareness”) with an interesting take on the very large topic of computer security awareness.
“Security Awareness does not mean the same thing to everyone in a company,” sums up his point.
“From a Security Awareness perspective the blanket term ‘end user’ grows to encompass many audiences – not only folks with basic desks and phones, but developers, senior managers, salespeople, engineers, health-care professionals, all kinds of people with different concerns, different goals, and a different set of reasons/excuses for exceptions to one thing or another,” he wrote.
Rob’s piece also offers a link to a survey that’s trying to find out what phase of security people from various “audiences” are trying to bolster.
There often is a feeling among technical people that user education is pointless because “they never get it.” It’s hard to argue with that dismal assessment in the face of the fact that possibly more than a fourth of those connected to the Internet have no functional security on their machines (Netherlands-based SurfRight December survey). The success of every form of social engineering and spam advertising also speaks pretty badly about the level of “clue” on the Internet.
But, cursing the darkness never works and lighting a few candles might help a lot of people. Every day there are tens of thousands of new Internet users going on line for the first time. They need to learn about the threats out there and precautions they can take. Rob seems to be investigating the possibility that people on every level of every type of organization are contributing to that effort.
On the Sunbelt Blog we’re aware of those “audiences” as we try to present stories of all levels to our readers, from the very specific descriptions of rogues and all the malicious stuff that Chris Boyd finds in the gamers’ world to summaries of BIG new stories of the day, such as Google and its wrestling match with the censorship issues of the government of the Peoples’ Republic of China.
Always in the backs of our minds are the less technical “home users.” We realize that isn’t a really precise term, but everybody seems to have a mother, aunt, uncle or child that IS one. For them we also write a daily summary http://www.sunbeltsecurity.com/ThreatLevel.aspx that tries to describe the latest threats.
So, good job Rob. We’ll look for the results of the survey.
Tom Kelchner
“Shadows in the Cloud” hang over the otherwise sunny PRC
A spokesperson for the Chinese Foreign ministry has tried to minimize a report from investigators in Toronto that hackers based in China breached computers of the Indian Government and others and downloaded classified material.
The Information Warfare Monitor and the Shadowserver Foundation extensively documented an eight-month investigation that revealed a network of infected government and military computers. The net was controlled from servers in China and stole a variety of classified documents. They posted their 52-page report, “Shadows in the Cloud: investigating cyber espionage 2.0,” today on scribd.com.
“Shadows in the Cloud” describes the researchers’ findings that hackers based in Chengdu, China, penetrated the systems of the office of the Dalai Lama, the Indian government, the Indian military and agencies of the United Nations.
They wrote in the report: “We have no evidence in this report of the involvement of the People’s Republic of China (PRC) or any other government in the Shadow network. But an important question to be entertained is whether the PRC will take action to shut the Shadow Network down. Doing so will help to address long-standing concerns that the malware ecosystems are actively cultivated, or at least tolerated, by governments like the PRC who stand to benefit from their exploits through the black and grey markets for information and data.”
The Chinese government denied any involvement and tried to minimize the investigation. In a story on the People’s Daily online – the news outlet of the Chinese Communist Party – Jiang Yu, a spokesperson for the Chinese Foreign Ministry, said “Some reports have, from time to time, been heard of insinuating or criticizing the Chinese government…I have no idea what evidence they have or what motives lie behind.”
“Hacking is an international issue and should be dealt with by joint efforts from around the world,” she said.
“China refutes hacking accusation, urges int’l cooperation”
Urging “International Cooperation” when China gets caught red handed must be the standard formula at the Foreign Ministry.
The People’s Daily site carried a “related reading” list of earlier denial stories, including one from as far back as 2007 in which Jiang Yu’s response was “Hacking is an international problem that torments China, too. We are ready to strengthen cooperation with other countries, including the US, in countering Internet crimes.”
“Chinese military scholar denies fresh hacking allegation”
If you have something on a computer you think the Chinese government might be interested in you might SERIOUSLY harden your network and consider some very good encryption. And user education about spear phishing wouldn’t hurt.
Tom Kelchner
A blog contributor who goes by the name of “jeremy” has continued to research the possibilities inherent in the recently discovered .pdf-file weakness that could enable the execution of code. Jeremy posted earlier this week that he had created a proof of concept .pdf file that could spread to other .pdf files on a system or network (which makes it a worm).
“Within the proof of concept I infected a single benign PDF file from another PDF file, but this proof of concept could easily be modified to recursively traverse a user’s computer directories to find and infect all PDF files on that user’s computer and/or accessible to that user at the time of execution with any payload of my choosing,” he wrote on the SudoSecure.net site.
He also wrote: “This should really make you think twice even before you open up PDF files that have resided on your computer for years, as they could soon be utilized against you if an attacker chose to do so.”
Didier Stevens, who found the “feature” of the PDF format that allows launching executables, chose the responsible disclosure route. Foxit pushed out Foxit Reader 3.2.1 on Sunday to patch the problem. Adobe Reader pops up a warning, so at least the process is visible, although the attacker controls part of the text shown in that dialog, which is exactly what the social engineering leans on.
When we blogged about it last week we suggested:
“It would be a good idea to READ any notification that pops up when you open a PDF file and DO NOT let yourself be social engineered into disregarding warnings about launching executables.”
Jeremy wrote about some other malicious possibilities: “Well I can think of some really nasty phishing attacks this style of attack could be utilized for. Just think if you landed on one of the oh so common web exploit packs or if the PDF was crafted to look like an official banking document that provided instructions to verify your information by entering it into the targeted URL. Hmm since arguments can be passed here is another thought. The PDF document itself could be an official looking banking document with a form embedded that allowed a user to fill out his or her information within the PDF document itself. At the bottom of the form a submit button calling the Launch action to execute Firefox or Internet Explorer while passing the information via URL arguments to an attackers happy to receive, parse, and store server. ”
The .pdf weakness was publicized by Didier Stevens on his blog last week.
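A triage scanner for the mechanism Jeremy and Stevens describe, added here as an example and not code from either of them: the Python script below walks the objects of a PDF, resolves #xx escapes inside name tokens (so /L#61unch is recognised as /Launch, a substitution that PDF obfuscation commonly uses), lists every /Launch action with the file and parameters it would run, and marks whether the document’s catalog fires it through /OpenAction, that is on open rather than on a click. The sample document is constructed for the example in the style of the published proof of concept; it is not the worm file and the command it carries is made up. The scanner reads uncompressed objects only, so a real tool also has to inflate object streams before this check is meaningful.

```python
import re

# Constructed minimal PDF for this example (not the actual proof-of-concept file).
# The catalog's /OpenAction points at a /Launch action whose name is written with
# a #-escaped letter, which is enough to slip past a naive grep for "/Launch".
SAMPLE_PDF = b"""%PDF-1.1
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch /Win << /F (cmd.exe) /P (/c calc.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]*")       # one PDF name token
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")   # #xx escape inside a name


def _unescape_names(data):
    """Resolve #xx escapes inside name tokens so /L#61unch compares equal to /Launch."""
    def fix(match):
        return HEX_ESC_RE.sub(lambda e: bytes([int(e.group(1), 16)]), match.group(0))
    return NAME_RE.sub(fix, data)


def find_launch_actions(pdf_bytes):
    """Return a list of {obj, file, params, auto} for every /Launch action found."""
    data = _unescape_names(pdf_bytes)
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}

    # Actions referenced from the catalog's /OpenAction run as soon as the file opens;
    # anything else needs a click on a link, button or annotation first.
    auto_refs = set()
    for body in objects.values():
        if re.search(rb"/Type\s*/Catalog", body):
            for ref in re.finditer(rb"/OpenAction\s+(\d+)\s+\d+\s+R", body):
                auto_refs.add(int(ref.group(1)))

    findings = []
    for num, body in objects.items():
        if not re.search(rb"/S\s*/Launch\b", body):
            continue
        # /F is the program to run, /P its command line (Windows-specific /Win form
        # or plain keys; both are literal strings in the simple case handled here).
        f = re.search(rb"/F\s*\(([^)]*)\)", body)
        p = re.search(rb"/P\s*\(([^)]*)\)", body)
        findings.append({
            "obj": num,
            "file": f.group(1).decode("latin-1") if f else None,
            "params": p.group(1).decode("latin-1") if p else None,
            "auto": num in auto_refs,
        })
    return findings


if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE_PDF):  # read a real file in binary mode instead
        trigger = "on open" if hit["auto"] else "on click"
        print(f"obj {hit['obj']}: launch {hit['file']!r} with {hit['params']!r} ({trigger})")
```

Anything this reports with auto set is the case Jeremy’s worm relies on: the file only has to be opened. Hits without it still matter, since a form submit button carrying a /Launch action is exactly the phishing variant he outlines, but they at least require the user to act. Strings written in hex (<...>) rather than parentheses, and actions stored inside compressed object streams, are not decoded by this version.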
Tom Kelchner