FBI investigates $100 million in losses from spear phishing

The FBI has said it is investigating thefts in the last five years of more than $100 million from small and medium-sized businesses that fell victim to spear-phishing attacks which siphoned funds from their bank accounts. More of these attacks are being reported each week, the bureau said.

The attacks typically involved malware sent by email that installed keyloggers and targeted someone in the company who could initiate fund transfers. The criminals used the keyloggers to capture the victim’s banking log-in information, then initiated fund transfers to money mules, generally in amounts below $10,000 – the level that triggers currency transaction reporting. The mules transfer the funds to the criminals via Western Union or other international money transfer systems.
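The transfer pattern just described (a burst of payments kept under the $10,000 reporting level, each to a payee the account has never paid before) is something a bank or a finance team can look for in its own transfer records. The detection heuristic below is an added example, not part of the FBI note; the transfer log is constructed, and the 80 percent near-limit band, the three-day window and the three-transfer minimum are assumptions.

```python
"""Flag bursts of near-threshold outbound transfers to previously unseen payees.

Added example; the transfer log and the tuning constants are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000           # currency transaction reporting level named in the post
NEAR_LIMIT = 0.80                # flag transfers in the top 20% below the threshold (assumption)
WINDOW = timedelta(days=3)       # burst window (assumption)
MIN_BURST = 3                    # near-limit transfers to new payees before alerting (assumption)

# Constructed sample log: (timestamp, account, payee, amount in USD)
TRANSFERS = [
    ("2009-10-01T09:15", "acct-17", "Office Supply Co", 1240.00),
    ("2009-10-02T10:02", "acct-17", "Payroll Svc", 21500.00),     # above threshold, reported anyway
    ("2009-10-05T08:41", "acct-17", "J. Ortega", 9400.00),        # new payee, just under the limit
    ("2009-10-05T08:44", "acct-17", "P. Lindqvist", 9850.00),     # new payee, just under the limit
    ("2009-10-05T09:10", "acct-17", "R. Abara", 9200.00),         # new payee, just under the limit
    ("2009-10-05T11:30", "acct-22", "Lease Holdings", 9900.00),   # single transfer, no burst
]


def parse(rows):
    """Turn the textual log into sortable tuples with real datetimes."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), acct, payee, amt)
            for ts, acct, payee, amt in rows]


def find_structured_bursts(rows):
    """Return {account: alert} for accounts showing MIN_BURST or more near-limit
    transfers to never-before-seen payees inside one WINDOW."""
    rows = sorted(parse(rows))
    seen_payees = defaultdict(set)    # account -> payees paid earlier in the log
    suspicious = defaultdict(list)    # account -> near-limit transfers to new payees
    for ts, acct, payee, amt in rows:
        is_new = payee not in seen_payees[acct]
        seen_payees[acct].add(payee)
        if is_new and CTR_THRESHOLD * NEAR_LIMIT <= amt < CTR_THRESHOLD:
            suspicious[acct].append((ts, payee, amt))

    alerts = {}
    for acct, items in suspicious.items():
        # Sliding window anchored at each suspicious transfer in turn.
        for i in range(len(items)):
            window = [x for x in items[i:] if x[0] - items[i][0] <= WINDOW]
            if len(window) >= MIN_BURST:
                alerts[acct] = {
                    "count": len(window),
                    "total": round(sum(x[2] for x in window), 2),
                    "payees": [x[1] for x in window],
                }
                break
    return alerts


if __name__ == "__main__":
    for acct, alert in find_structured_bursts(TRANSFERS).items():
        print(acct, alert)
```

Only acct-17 is reported: three new payees paid between $8,000 and $9,999 within half an hour, while the legitimate payroll transfer above the threshold and the lone acct-22 payment are ignored.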

The phishing emails were sent from groups or people known to the victims so they wouldn’t be inclined to consider them fraudulent.

Among other measures, the FBI suggests removing the company organization chart from web sites in order to preclude spear-phishing emails that target company financial personnel.

The report also said:

“Discussions with Federal law enforcement agencies, commercial security intelligence service providers, and commercial incident response companies reveal the effectiveness of existing signature-based anti-virus and intrusion prevention systems is diminishing in the face of the rapidly evolving malicious code environment and the prevalence of custom-designed, signature-defeating malicious code.

“Consequently, an approach not fully dependent on those systems must be considered, with particular emphasis on user privilege reduction, application white listing (only allowing known software and libraries to execute on a system), and heuristic detection.”

VIPRE MX-V technology can cover you on the “heuristic detection” front.

FBI Intelligence Note here.

Tom Kelchner

The state of Internet (in)security

A lot of major players in the anti-malware world issue periodic reports — very long .pdf files that not enough people have the time to read. News reporters jump on the reports, and write stories about the trends the researchers are seeing. They’re extensively reported. It isn’t a bad system. If by chance you read the original reports, you’ve probably noticed they’re getting better and more comprehensive.

Microsoft just made public a monster 232-page intelligence report on the state of security for the first half of 2009 with a load of historic perspective. It could just about serve as a textbook for a short course in security for the average Internet user.

McAfee also issued a nicely done Third Quarter Threats report.

Here are some highlights from the two that have been generating news:

— Microsoft’s monitoring of more than 400 million PCs (via Malicious Software Removal Tool) showed that 55.5 percent of attacks for the half year were aimed at unpatched vulnerabilities in Microsoft Office applications. Most of the holes the malware was targeting were in unpatched Office installations, some as old as 2003. In many cases, victims had upgraded their operating systems, but neglected Office updates. Other highly targeted applications were WinZip, Internet Explorer, Adobe Reader and RealPlayer.

— Software piracy results in infected computers because people running pirated operating systems don’t upgrade them. China, Brazil and France have higher piracy rates and fewer people who use Windows Update, Microsoft says.

— Web threats are getting worse. Distributed denial-of-service attacks for extortion are back, the proportion of spam in email has reached 92 percent and 13 million computers were taken over by bots in the quarter, according to McAfee. The U.S. is the country with the most bot-infected computers.

— There is a growing body of malware that tries to steal login credentials from online game players, including those who play Maple Story, Lineage and World of Warcraft. Malicious operators are after players’ virtual goods, which can be sold. Gamers are warned to avoid logging in on computers they can’t trust. They also are warned to avoid game cracks and cheats, since those are often Trojanized.

— The number of infections from worms has increased and there were 20 percent fewer infections from rogue security software.

Want more details?

Microsoft Security Intelligence Report Vol. 7 January through June 2009 here.

Third Quarter 2009 McAfee Threats Report here.

Tom Kelchner

Update: November 5

An excellent point:

From: M D Meridian

Long story short: Windows update is NOT the same as Microsoft update.

Microsoft update gets you Windows AND Office updates; Windows update gets you only Windows updates.

Even Microsoft sometimes, much too often, uses one term for the other, and vice versa.

Clear this up with users and a lot of the “neglect” will go away.

Yes, I learned this the hard way.

cordially, md

DDoS extortion

Good article by Dancho:

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the “on demand DDoS” business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today’s cybercrime enterprise “vertically integrating” in order to occupy as many underground market segments as possible, all of which originally developed thanks to the “malicious economies of scale” (massive SQL injections through search engines’ reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

More here.

Alex Eckelberry

IOBit accused of stealing Malwarebytes database

Marcin Kleczynski, CEO of Malwarebytes, has posted a detailed accusation, presenting evidence that IOBit is stealing the Malwarebytes database.

IOBit, a Chinese company based in Chengdu, provides a number of PC utilities, including an antimalware product called IOBit Security 360. According to Kleczynski:

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an in-depth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

There’s quite a bit more here.

Stealing AV signatures is not a new phenomenon — AV companies have battled this type of thing for years. In this case, it looks to be quite blatant, based on the evidence presented.

Alex Eckelberry

Update: IOBit responds.

Is it time to abandon Windows XP because of malware and exploits?

The short answer is “no, although Windows 7 is probably a little safer.”

That being said, there are a number of security measures that apply to any operating system and are vital to a layered defense. Windows XP is only a secure operating system if it is updated regularly and operated by users who have some understanding of Internet security. Below are the four vital security practices to go with Windows XP:

1. Install operating system and application updates promptly.

Malware that exploits newly discovered vulnerabilities begins circulating within days, if not hours, of the public disclosure of those weaknesses. Patches (or workarounds) are generally issued as quickly as the software company can deliver them, but there may be significant delays. The dark side often is ahead of the curve with “zero-day” exploits, those that take advantage of previously unknown exposures. It is vital that patches are installed as soon as they are available.

The most important updates will be those for the Windows operating system, Adobe applications, Microsoft Office and Internet Explorer or other browsers. These are the most commonly used things on computers worldwide, thus the most widely available and cost-effective targets of malicious operators.

The number one cause of compromised machines is lack of current updates. Microsoft issues patches on a regular basis on the second Tuesday of each month. (Information here.) Adobe has begun issuing updates on the same day.

2. Updated anti-virus applications are your first line of defense.

Having a good anti-virus application running on desktop machines and on the network can protect the small enterprise from a vast number of threats, including the most recent ones: banking Trojans, rogue security products and bot-associated malware.

Very small businesses with a few machines probably need little more than VIPRE desktop installations and possibly the Sunbelt Personal Firewall (Sunbelt info here.)

Small, medium and large businesses with Internet-facing networks might consider VIPRE Enterprise. (Sunbelt info here.)

VIPRE can stop previously unidentified malware by using MX-V advanced “behavior-based” scanning to spot its malicious behavior in a virtual environment before it infects the machine.

3. To add one more layer of defense, enterprises should consider doing online banking from a dedicated machine that is isolated from networks and not used for any other purpose (especially the exchange of email.)

Many of the banking Trojans that were used to illegally transfer $40 million from the bank accounts of small- and medium-sized businesses in the last five years were installed when someone clicked on an attachment or malicious link in an email. (Story here.)

Also in the last few years there have been numerous spear-phishing campaigns targeting company financial personnel whose machines are used to log onto online banking sites. In some of these, the banking Trojans or their downloaders arrived in email messages with malicious attachments disguised to look like legitimate accounts-receivable correspondence.

4. Providing employees with computer security training can reduce the risk of attacks based on social engineering.

Every day an uncountable number of people are using the Internet for the very first time. Unless they have some kind of instruction, they will quickly fall victim to social engineering gimmicks. These trigger malicious applications that arrive by email or are downloaded from hacked or malicious web pages. New scams begin circulating almost on a daily basis and are aimed at millions of users through email spam originating in botnets or hacked social networking accounts. Employers need to educate employees, especially new ones, about Internet safety and give them a way to keep up with new threats.

The Sunbelt Blog and the threat index on the VIPRE agent interface provide daily updates on the threat landscape for experienced and inexperienced Internet users.

[Image: Desktop threat index]

Double clicking on the Threat Index graphic takes users to the Sunbelt web site and a description of the most current threats that are making news:

[Image: Desktop threat index, linked threat description on the Sunbelt web site]

White papers on security

On the Sunbelt web site, we also have white papers, some written for inexperienced Internet users, in the Sunbelt Research section.

Two of them, written especially for new users, are:

“How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product”

“What’s in your spam bucket?”

Thanks Stephen in Victoria, BC, Canada, for asking.

Thanks Alex

Tom Kelchner

New Sunbelt white paper on spam for the beginner:

What’s in your spam bucket?
(Don’t look, delete it!)

The rules for staying safe from malicious email:

1. Do not open emails from strangers. Delete them and you will be safe.
2. Do not click on links in emails from strangers or open the attachments. You should have deleted them before you saw the links.
3. Do not buy anything or take any action based on something you got in an email from a stranger. You should have deleted the email before you read the pitch.
4. For email that has been forwarded to you by your friends, see Rule 1.

Today I checked out several dozen spam emails that I received in order to illustrate the threats that come with 90 percent of email traffic these days. Yes, an estimated 90 percent of email today is spam. Your ISP or employer may filter a lot, but you’re still going to get some of these “everyday” threats.


Read it here.

Tom Kelchner

Pseudo-Google, eBay URLs used in spam

We’ve been seeing a fair amount of these lately — what appears to be one spam gang using Google, eBay and other “normal” looking domains as spam links in unsolicited email.

Example URLs:

The pattern is always the same: a junk subdomain, then the domain name, then a junk path.

For example, jrvds.getgoogleonline. com/gcbswsy/hwnvsw:

All are used as redirects to get you to a spam site.

You can comfortably blacklist these domains to reduce spam traffic.
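A mail filter can act on both observations above: blacklist the registrable domain, and flag links that fit the junk-subdomain/junk-path shape or that carry a brand name inside an unrelated domain. The scanner below is an added example, not Sunbelt’s code; it uses three domains from the list in this post as a constructed blacklist, a constructed message body, and a vowel-ratio heuristic for “junk” tokens that is an assumption.

```python
"""Scan a message body for links matching the spam-redirect profile from the post.

Added example; blacklist subset, message body and junk heuristic are constructed."""
import re
from urllib.parse import urlsplit

# Registrable domains taken from the post's list (subset chosen here is constructed).
BLACKLIST = {"getgoogleonline.com", "ebayphonestore.com", "supergooglesearch.com"}
BRAND_TOKENS = ("google", "ebay")              # brands the gang's domains imitate
REAL_BRAND_DOMAINS = {"google.com", "ebay.com"}

# Matches scheme-less links as well, since spam often omits http://.
URL_RE = re.compile(
    r"(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/[^\s<>\"']*)?", re.I)


def looks_like_junk(label):
    """Heuristic (assumption): random tokens such as 'jrvds' or 'gcbswsy' are
    short runs of lowercase letters with almost no vowels."""
    if not re.fullmatch(r"[a-z]{4,12}", label):
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.2


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); adequate for the .com names in the post."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return the reasons a URL matches the spam-redirect profile ([] if none)."""
    url = url.rstrip(".,;:)")                  # drop sentence punctuation glued to the link
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    sub = host[: -len(reg) - 1] if host != reg else ""
    path_labels = [p for p in parts.path.split("/") if p]
    reasons = []
    if reg in BLACKLIST:
        reasons.append("blacklisted domain")
    if looks_like_junk(sub) and path_labels and all(looks_like_junk(p) for p in path_labels):
        reasons.append("junk-subdomain/junk-path redirect pattern")
    if reg not in REAL_BRAND_DOMAINS and any(t in reg for t in BRAND_TOKENS):
        reasons.append("brand name embedded in unrelated domain")
    return reasons


def scan_message(body):
    """Map every URL found in a message body to its reasons (clean URLs map to [])."""
    return {m.group(0).rstrip(".,;:)"): classify_url(m.group(0))
            for m in URL_RE.finditer(body)}


# Constructed message body for the demonstration.
BODY = """Great deals this week! Visit http://jrvds.getgoogleonline.com/gcbswsy/hwnvsw
for details, or see our catalogue at https://www.example.com/catalogue/2009.
Questions? Our support page is at support.example.org/help.
Also try ebayphonestore.com/hqzwt/lkdhx today."""

if __name__ == "__main__":
    for link, reasons in scan_message(BODY).items():
        print(link, "->", reasons or "clean")
```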

Alex Eckelberry

Microsoft Security Essentials bundled with PCs

Not everyone may realize this, but it’s worth noting that all Microsoft Signature PCs (name-brand computers sold at their online and retail stores) include Microsoft Security Essentials pre-installed.

Microsoft isn’t making the mistake of competing with their own OEM customers in the PC business. However, for their new PC re-selling initiative, they are hand-selecting a number of PCs from major manufacturers (Dell, HP, Lenovo, Sony, Toshiba, Asus and Acer), and creating “Signature” editions.

These special editions are pre-built with standard Windows components (IE 8, etc.), but also include Windows Media Center, Internet TV for Media Center, Microsoft Security Essentials, Bing 3D Maps, Zune 4.0 and all the major Live components.

Consider the Toshiba NB205. If you buy it from Microsoft, you’ll get Microsoft Security Essentials. If you buy the exact same PC from Toshiba at the same price, you’ll get Norton Internet Security pre-installed.

PC vendors get significant dollars from security companies (these days, primarily McAfee and Symantec) to pre-install antivirus software — reportedly anywhere from $8–$12 per unit. Now, that may seem like a pittance, but this is big money for a PC maker, already living on razor-thin margins. There is enough of an advantage to being part of the Microsoft reselling effort that the PC makers will let go of some of these pre-bundling deals.

This is also a nifty way for Microsoft to potentially get around anti-trust issues. They don’t include Apple products (Quicktime, iTunes). They don’t include non-Microsoft security applications. But that’s because it’s their own product, sold in their own stores.

This is a development worth keeping an eye on.

Alex Eckelberry
(Hat tip to Colleen)

14,214,753 violations of CAN-SPAM Act cost spam king $710,737,650 court settlement

A federal judge in U.S. District Court for the Northern District of California in San Jose awarded Facebook almost $711 million in its action against infamous junk mail king Sanford Wallace. According to the court action, Wallace and two associates got access to Facebook accounts with phishing emails and used them to send spam that advertised pornography and gambling web sites.

U.S. District Judge Jeremy Fogel ruled that Wallace was responsible for 14,214,753 violations of the CAN-SPAM Act and awarded Facebook $710,737,650. Fogel also said he would ask the U.S. Attorney’s Office to prosecute Wallace for contempt of court.

Facebook brought the suit last March.

We applaud this court decision, in spite of the fact that Facebook probably won’t collect much of the settlement. Wallace was hit with a $4.1 million FTC action in 2006 and a court order to pay MySpace $234 million after a trial last year. At the least, it should drive one major, blatant spammer into bankruptcy.

Short of a very radical change, as in Eugene Kaspersky’s idea for ending the anonymous use of the Internet or serious government involvement across the globe, the reduction of spam just isn’t going to happen.

Various sources have put the prevalence of spam in email at 85-90 percent for the last few months.

Story here.

Tom Kelchner

Facebook “change-your-password” spam scam[s] are circulating

There are at least two Facebook “change-your-password” scams circulating in spam. Here’s the first one. It tries to lure you to a malicious site to steal your Facebook login information.

[Image: Facebook “change-your-password” spam email]

A second one comes with an attachment that installs the Bredolab Trojan.

That story here.

Tom Kelchner

Do Sunbelt fans feel secure on the Internet? Not especially.

In the October 21 issue of the Sunbelt Security News, Editor Larry Jaffe ran a brief survey that asked readers just four questions:

— Do you feel your privacy has been compromised since the advent of the Internet?
— Do you make use of any software that makes you anonymous or incognito when you surf the web?
— Do you feel your personal information is secure online?
— Do you change financial site passwords on a regular basis?

Here is a tabulation of the responses from nearly 600 people:

— Do you feel your privacy has been compromised since the advent of the Internet?

Yes: 23.2 percent
No: 49.3 percent
Not sure: 27.6 percent

— Do you make use of any software that makes you anonymous or incognito when you surf the web?

Yes: 33 percent
No: 49.4 percent
Not sure: 17.6 percent

— Do you feel your personal information is secure online?

Yes: 23.2 percent
No: 49.3 percent
Not sure: 27.6 percent

— Do you change financial site passwords on a regular basis?

Yes: 48.2 percent
No: 51.8 percent

Sunbelt Security News here.

Tom Kelchner

Dangerous WWW: in 3Q’09 nearly 6 million pwnd!

Number of infected web pages is increasing significantly

Dasient, a web security firm in Palo Alto, Calif., published some dismal numbers on its blog today. The number of infected pages on the web increased significantly in the third quarter, and more than a third of infected sites that are fixed are quickly reinfected, they said.

The company said its malware analysis platform found more than 640,000 infected sites with a total of 5.8 million pages in the quarter. They compare that to the three million infected pages that Microsoft reported in the first quarter of the year.

The attacks:

— JavaScript (54.8%)
— iFrame (37.1%)
— “other” (8.1%)

Needless to say, with that preponderance of JavaScript malware, if you haven’t updated your Adobe Reader and Acrobat installations recently, you might do so.

Dasient blog here.

Tom Kelchner

Halloween malware: we’ll show you scary

Three of the biggest malware threats that were around during Halloween 2008 remain highly active in the public domain 12 months later, according to data collected by Sunbelt Labs. Trojan-Downloader.Zlob.Media-Codec, Trojan-Downloader.braviax and Explorer32.Hijacker all remain in Sunbelt’s top 10 malware list one year on, with reported instances of the latter two increasing in overall share since October 2008.

Muktadir Khan, Sunbelt Software European sales engineer said: “We advise users to be vigilant and to ensure their antivirus applications are fully up-to-date with the latest definition files and the latest application version installed.

“Users should avoid opening any attachments, even from trusted sources, without first running a scan on the file. An effective, updated antivirus and malware solution such as Sunbelt Software’s VIPRE will ensure machines remain protected from a variety of attacks.”

Classic Threats to Watch Out For

Based on reported activity over the last two Halloween periods, Sunbelt Software has identified some common types of Halloween-themed attacks. Users should remain especially vigilant for new variations of these common themes.

• The Dancing Skeleton – This one is based on emails that lure Halloween lovers to web sites where they can download an application that puts the image of a dancing skeleton on their desktop. Users do indeed get the dancing skeleton along with the Storm Trojan. The Halloween.exe is part of a malicious botnet that allows remote attackers to access and control infected computers, accessing personal information and sending yet more infected spam.

• Halloween Gift Cards – These are the modern-day replacement for gift vouchers. For the last two years, emails have made the rounds offering a free $250 or £250 Halloween gift card when users sign up for a new credit card. This is really a scam to harvest personal and financial information for criminal use at a later date.

• The Big Halloween Sale Email – Stores are using Halloween as a topical hook, like they do bank holidays, to boost sales in these challenging economic times. Enterprising scammers have been picking up on this tactic with phishing emails purporting to be from trusted brand names, or offering unbelievably good deals. Clicking on a link usually takes you to an infected web site and a Storm Trojan downloader.

• The Halloween Party Invite – Another email-based attack, this one purportedly invites you to a Halloween-themed party. If it’s from an unknown source, it’s almost certainly a malware attack, either trying to entice you into clicking a link for more information or to open an attachment with the full invite enclosed. Even if it’s from a known source, approach with caution.

Tom Kelchner

Tinfoil hat time: U.S. spy agencies buy into web monitoring firm

We expect our spy agencies to… well… spy, but somehow it’s a little disquieting when you discover they might be spying on YOUR blog posts and Tweets.

Wired has broken a story that the investment agency of the CIA and other U.S. spy agencies, In-Q-Tel, has put money into a company that monitors social media: Visible Technologies of Bellevue, Wash. (page here.)

On the company page, the pitch for their services includes:

“Listening to your customers is a critical first step in deploying an effective social media strategy and successfully managing your brand online. Listening to social conversations helps you get acquainted with online consumers, monitor their perceptions about your brand and competitors, spot potential issues, and can help identify authentic brand influencers and advocates.”

Visible Technologies monitors Flickr, YouTube, Twitter, Amazon, hundreds of thousands of web 2.0 sites and millions of posts on blogs every day, according to Wired. Since Facebook is a closed network, it does not monitor that site.

Their customers get feeds based on key words with scores indicating how positive or negative the items are as well as how influential the writer is.

The spy agencies want to boost Visible’s foreign-language capabilities so they can monitor international discussions of issues, Wired said.

I think anyone using the Internet should certainly know there isn’t the slightest shred of expectation of privacy there. If your tinfoil hat is overheating, you can set up accounts using aliases.

Wired story here.

Tom Kelchner

Update
(thanks Alex)

On the Effectiveness of Aluminium Foil Helmets:
An Empirical Study

Paper here.