Two arrested in England for Zbot: go Brits!

Infosecurity magazine is quoting Manchester, England, news sources as reporting that the Metropolitan Police Central e-Crime Unit has arrested a man and a woman and charged them with distributing the Zbot Trojan.

Infosecurity wrote: “the Zbot trojan has become one of the most virulent trojans in recent months with Sunbelt Software reporting incidences as 25% up during October compared to the month before.”

Zbot uses a wide variety of social engineering tricks to spread through a variety of methods, including spam email and Web downloads. It created a large botnet that collects information about victims’ credit card, banking and social network logins.

Story here.

Tom Kelchner

Other voices: “I’m tired of this whole ‘security is failing, security professionals suck’ meme”

Our Sunbelt Sales Director Debbie Graves alerted us to a great blog piece about the state of computer security from securosis.com. It falls firmly into the “glass half full” camp (by a toe length, anyway). It’s a great read.

The blogger, “Rich,” raises an interesting point about organizations hiding the real cost of losses.

He also is a master of the long, breathless and funny sentence. Example:

“If the industry was failing that badly all our bank accounts would be empty, we’d be running on generators, our kids would all be institutionalized due to excessive exposure to porn, email would be dead, and all our Amazon orders would be rerouted to Liberia… but would never show up because of all the falling planes crashing into sinking cargo ships.”

And his point…

“Security, and security professionals, aren’t failing. We lose some battles and win others, and life goes on. At some point the world feels enough pain and we get more resources to respond. Then we reduce that pain to an acceptable level, and we’re forgotten again.

“That said, I do think life will be more interesting once losses aren’t hidden within the system (and I mean inside all kinds of businesses, not just the financial world). Once we can tie data loss to pain, perhaps priorities will shift. But that’s for another post…”

Blog piece here: http://securosis.com/blog/

Thanks Debbie, thanks Rich at Securosis.com

Tom Kelchner

Latest spear phishing targets: legal firms and public relations groups

The FBI is warning that its agents are investigating a growing number of spear phishing attacks on legal firms and public relations companies.

Criminals are turning to those two industries because of the large amount of highly confidential information on company networks, often with details of international negotiations.

Spear phishing is a term for malicious email that specifically targets a company or a person in the company. Trojan horse programs, usually carrying rootkits, are emailed as attachments. The emails also could contain links to web sites that download malcode that makes data accessible. Victims who click on the attachments to open them or follow the links trigger malware that gives intruders access to the company network.

The investigators believe that international organized crime is involved in the attacks and are suggesting that companies consider removing sensitive documents from storage accessible by the Internet.

New York Times story here.

Tom Kelchner

U.S. Senate takes a look at deceptive “loyalty” marketing programs

The U.S. Senate Committee on Commerce, Science and Transportation today is looking into deceptive “loyalty” discount programs – those that offer discounts and coupons to customers for a monthly fee. Marketing companies Webloyalty, Affinion and Vertrue, and the retailers Continental Airlines, FTD and Classmates.com that let them charge customers’ credit cards, are in for a closer look.

The Committee is investigating reports that the marketing companies’ charges are showing up on credit card accounts of people who never ordered the service. Shoppers commonly encounter the marketing companies’ pitch in pop-up windows when they make online purchases. The ads only ask for e-mail addresses, hiding the details of the monthly charges in small print. The retailers then supply the marketing companies with credit card information.

The committee has been investigating the businesses for six months. Recently Webloyalty and Affinion said they would change their advertising to require customers to submit the last four digits of their credit cards to confirm that they want to become members.

Also expected in the hearing today are the results of a study the committee has completed which includes how much money the retail partners are paid by the marketing companies.

These “enrollment” schemes can be really tricky. I inadvertently got roped into two of these things in the last three years. I like to think of myself as being pretty savvy after researching and writing about malware and the Internet underground for 15 years, but they got me. Yep, twice: once on a software company web site and another with a travel and reservation site. They’re good.

CNET story here.

Tom Kelchner

Trojans coming soon: “RemoveWAT” and “Chew-WGA”

The expected hacks for Windows 7 activation have been publicized and utilities called “RemoveWAT” and “Chew-WGA” are circulating.

They join the grimy world of cracks and key-gens – oft-Trojanized applications that defeat activation passwords or other security on legitimate software. It’s an ugly world on the sites that distribute them. We go there.

WGA stands for “Windows Genuine Advantage,” Microsoft’s antipiracy software. The company replaced that with “Windows Activation Technologies” (WAT) in Windows 7. Thus the names of the cracks.

Trojanized versions of RemoveWAT and Chew-WGA soon will be available on websites and file-sharing networks near you. Look for them (or maybe we should say “look out for them.”)

Computerworld story “Hackers outwit Windows 7 activation” here.

Tom Kelchner

Update to Schemes, Scams, Spams, and Pyramid Plans: Trojan.StartPage.SSSPP

After working with the folks at Highprofits.com and Fliqz.com we’ve sorted out the trail left by scammers behind Trojan.StartPage.SSSPP.

Basically, it was a two-step click-fraud operation that centered on changing (victim) Web users’ home pages to redirect to Highprofits.com sites (including fliqz.com.) Those visitors who (unwillingly) went to Highprofits.com sites as a result made money for the iframedollars/virut gang.

Step 1 – The gang offered a Trojan downloader (Trojan.StartPage.SSSPP) on a crack site that redirected victims’ home pages to various Highprofits.com sites.

Step 2 — The gang had become an advertising affiliate of Highprofits.com, and the visitors that were sent to the Highprofits.com sites as a result of the Trojan carried the gang’s affiliate ID (in URLs). So, the gang was getting paid for all the visits.

We said Friday that the Highprofits.com sites were infected with Trojan.StartPage.SSSPP. As a result, their sites were blacklisted. As it turned out, at no time were Highprofits.com sites or Fliqz.com ever infected or hosting any malware to infect visitors.

Based on Sunbelt research, Highprofits.com was able to identify the affiliate ID that belonged to the gang and ban it as an affiliate.

Glad Sunbelt could help. Sorry about the blacklist thing.

Tom Kelchner

(Patrick and Alex too)

Fighting malicious web sites through domain registration

Computer security blogger Dave Piscitello of Hilton Head Island, S.C. (“The Security Skeptic”) ran an interesting piece: “Nine ways to mitigate malicious domains.” It’s a list of proposals that ICANN has collected from the security community that it will consider for new rules for top level domain applicants. It’s an effort to help prevent the establishment of malicious web sites.

ICANN is taking public comments at: http://www.icann.org/en/public-comment/

Dave said the suggestions under consideration are:

— Vetting registry operators to filter out criminal organizations. (Recommended by the Anti-Phishing Working Group and others.)

— Demonstrated plan for the deployment of Domain Name System Security Extensions. This would require written plans for signing zone files and delegations (domain names registered in its top level domain).

— Prohibition of redirection by top level domains. (ICANN’s SSAC, the ICANN Board of Directors) “…applicants must return negative responses when a DNS query is made to a non-existent domain and must not synthesize (redirect) queries for error resolution or advertising purposes.”

— Removal of orphan glue records. “Orphaned glue records frequently point to name servers that host malicious domains. This measure requires applicants to explain the policy they will enforce to ensure that a name server record in a delegation will not persist in the TLD zone file when the parent domain name is deleted from the zone.”

— A requirement for detailed Whois records.

— Centralization of zone file access. Presently, applications must contract with top level domain registries to get FTP access to zone files.

— Documented registry level abuse contacts and procedures.

— Participation in the Expedited Registry Security Request process to help ICANN and registries to maintain security during an incident.

— Establishment of High Security Zones Verification.
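Two of the items above (no synthesized answers for non-existent names, and removal of orphan glue) are checks a registry operator can run against its own zone file. The script below is an added example, not from Dave’s post or from ICANN: it parses a small constructed TLD zone fragment (the names, TLD label “tld” and addresses are made up) and lists address records for name servers whose parent delegation no longer has any NS records in the zone, which is exactly the “orphan glue” condition described in the list.

```python
"""Orphan-glue check over a constructed TLD zone fragment (added example).

In a TLD zone, "glue" is an A/AAAA record for a name server that sits under a
delegated domain, e.g. ns1.example.tld for the example.tld delegation. If the
delegation (the NS records for example.tld) is deleted but the address record
for ns1.example.tld stays behind, that glue is orphaned and can be re-used by
whoever later controls that address.
"""
from collections import defaultdict

# Constructed sample zone data. Records use the fixed form:
#   owner  ttl  class  type  rdata
SAMPLE_ZONE = """
; live delegation for example.tld with in-bailiwick glue
example.tld.        86400 IN NS   ns1.example.tld.
example.tld.        86400 IN NS   ns2.example.tld.
ns1.example.tld.    86400 IN A    192.0.2.10
ns2.example.tld.    86400 IN A    192.0.2.11
; gone.tld was deleted: its NS records are gone but the glue was left behind
ns1.gone.tld.       86400 IN A    198.51.100.7
ns1.gone.tld.       86400 IN AAAA 2001:db8::7
; delegation whose name server lives outside the TLD: no glue belongs here
other.tld.          86400 IN NS   ns.somewhere.example.
"""


def parse_zone(text):
    """Return (owner, type, rdata) tuples; ';' comments and blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.lower().rstrip("."),
                        rtype.upper(),
                        rdata.strip().lower().rstrip(".")))
    return records


def delegated_parent(name, tld):
    """Second-level delegation that `name` falls under, or None if outside the TLD.

    'ns1.example.tld' -> 'example.tld'; 'example.tld' -> 'example.tld'.
    """
    labels = name.split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    return ".".join(labels[-2:])


def find_orphan_glue(records, tld="tld"):
    """A/AAAA records under a second-level name that has no NS records in the zone."""
    delegations = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "NS":
            delegations[owner].add(rdata)

    orphans = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        parent = delegated_parent(owner, tld)
        if parent is None or parent == owner:
            continue  # not a glue record for a delegation in this zone
        if parent not in delegations:
            orphans.append((owner, rtype, rdata))
    return orphans


if __name__ == "__main__":
    for owner, rtype, rdata in find_orphan_glue(parse_zone(SAMPLE_ZONE)):
        print(f"orphan glue: {owner} {rtype} {rdata}")
```

The parser handles only the fixed five-column form used in the sample; a real zone needs `$ORIGIN`/`$TTL` handling and relative names, which the operator’s zone tooling already provides. The point is the policy check itself: when the parent delegation is removed, the address records below it must go with it.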

See Dave’s blog piece here.

Thanks Dave

Tom Kelchner

Big changes at Intel, Motorola and HP are news

It’s a whopping day for news about Intel, Motorola and HP:

— Intel is going to settle its legal differences with A.M.D. for $1.25 billion.

— There are significant rumors that Motorola wants to split into three companies to pay down debt.

— It’s been announced that Hewlett-Packard will acquire network equipment maker 3Com for $2.7 billion. HP thinks the move will help it compete against Cisco and with customers in China.

“Intel Pays A.M.D. $1.25 Billion to Settle Legal Disputes”

“Motorola Said to Explore Dividing Into 3 Companies”

“Hewlett-Packard to Acquire 3Com”

Tom Kelchner

The Internet: nobody goes there any more. It’s too crowded

Palo Alto Networks of Sunnyvale, Calif., issued its Fall, 2009, Application Usage and Risk Report (“An Analysis of End User Application Trends in the Enterprise”), analyzing traffic patterns on more than 200 worldwide networks. The Palo Alto researchers document massive growth in social networking and collaborative applications for business since their last report in April.

The use of blogs and wikis increased 39 times with total bandwidth use for those two activities increasing 48 times.

The report said there was a 192 percent increase in Facebook use. Facebook Chat, which began in April 2008, was the fourth most commonly detected IM application. It beat out AIM, IM and Yahoo!

The use of SharePoint, especially SharePoint documents, increased 17 times since April.

Palo Alto found a 252 percent increase in Twitter sessions since its spring Risk Report.

Report here.

Apple MobileMe credit card phish

Red phish, blue phish, this is a new phish:

From: Mobile IDisk [noreply01@me.com] [mailto:noreply01@me.com]
Date: November 8, 2009 5:25:10 PM CST

To: [*****]

Subject: **Your subscription expires tomorrow…*

Welcome,

Just a reminder to renew your MobileMe subscription by November 08,
2009 PDT to avoid interruption of service.

*To renew your service, log in to MobileMe, select Account, and click
Account Options.*Then click the
* Login* box for your subscription. When you’re done, click Billing
Info and make sure your credit card information is up to date. It
takes only a few minutes, and your credit card won’t be charged until
the day before your renewal date.

Thanks for being a MobileMe subscriber. We’re looking forward to
another great year. .

[The phishing site has been taken down]

Copyright 2009 Apple Inc. All rights reserved.
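The lure above carries the usual tells: an urgent subject, a greeting with no name, an instruction to go update card details, and a renewal deadline that is the same day the mail was sent. The script below is an added example, not part of the post; it runs those checks over a constructed copy of the message (the recipient address is a placeholder, the sender address and wording follow the quote) and over a constructed benign mail for contrast.

```python
"""Phishing-indicator checks over a constructed copy of the MobileMe lure (added example)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
from datetime import datetime

# Constructed sample: recipient is a placeholder, Date header is built from the
# date/time shown in the post, the text follows the quoted lure.
SAMPLE_MESSAGE = """\
From: Mobile IDisk <noreply01@me.com>
Date: Sun, 08 Nov 2009 17:25:10 -0600
To: victim@example.invalid
Subject: Your subscription expires tomorrow...

Welcome,

Just a reminder to renew your MobileMe subscription by November 08,
2009 PDT to avoid interruption of service.

To renew your service, log in to MobileMe, select Account, and click
Account Options. Then click the Login box for your subscription. When
you're done, click Billing Info and make sure your credit card
information is up to date.
"""

# Constructed benign mail for comparison.
BENIGN_MESSAGE = """\
From: Alex <alex@example.invalid>
Date: Mon, 09 Nov 2009 09:00:00 -0600
To: tom@example.invalid
Subject: Team lunch

Hi Tom,

Lunch is on Friday at noon. Let me know if you have dietary requirements.
"""

URGENCY_WORDS = ("expires", "expire", "tomorrow", "immediately", "suspended", "interruption")
GENERIC_GREETINGS = ("welcome,", "dear customer,", "dear user,", "dear member,")
PAYMENT_WORDS = ("credit card", "billing", "password", "account number")
# "by November 08,\n2009" in the lure: allow the date to wrap across a line.
DEADLINE_RE = re.compile(r"\bby\s+([A-Z][a-z]+\s+\d{1,2},\s*\d{4})")


def phishing_indicators(raw):
    """Return the list of indicator names found in an RFC 822 message string."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").lower()
    body = msg.get_payload()
    found = []

    if any(w in subject for w in URGENCY_WORDS):
        found.append("urgent subject")

    first_line = next((l.strip().lower() for l in body.splitlines() if l.strip()), "")
    if first_line in GENERIC_GREETINGS:
        found.append("generic greeting")

    if any(w in body.lower() for w in PAYMENT_WORDS):
        found.append("asks for payment or credential details")

    m = DEADLINE_RE.search(body)
    if m and msg["Date"]:
        deadline = datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%B %d, %Y").date()
        sent = parsedate_to_datetime(msg["Date"]).date()
        if deadline <= sent:
            found.append("deadline on or before send date")
    return found


def is_suspicious(raw, threshold=3):
    """True when at least `threshold` indicators fire; the threshold is a tunable choice."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, phishing_indicators(raw), "suspicious" if is_suspicious(raw) else "ok")
```

None of these signals is conclusive on its own (a real renewal notice can mention billing), which is why the verdict is a count over several rather than a single keyword match; the same-day deadline is the strongest one here because a legitimate sender has no reason to give a renewal date that has already arrived.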

Thanks Laura

Tom Kelchner

There might be more to Farmville than just finding a lost cow

Techcrunch has done an interesting story about the businesses that came up with the big popular social games: things like Farmville, Pet Society and Mobsters.

The three companies behind these and other social games — Zynga, Playfish and Playdom — have about 100 million subscribers and are making $300 million per year just from the sale of virtual goods. Making money is great, but some of the referral schemes they offer can get you hooked into services that will cost more than $100 per year. So, you better read the fine print.

See story: “Social Games: How The Big Three Make Millions” here.

And for a slightly darker view: “Zynga CEO Admits to Being a Scammer” here.

And for a REALLY dark view: “Scamville: The Social Gaming Ecosystem Of Hell” here.

Tom Kelchner

3,100 vulnerabilities connected with Web software

If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is.

Security firm Cenzic ( http://www.cenzic.com/company/ ) has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities.

Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks.

They said 87 percent of web applications their researchers looked at “had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions.”

On the server side, they said Apache, Citrix, F5 Networks, IBM, PHP, SAP, Sun and Symantec all ran software with vulnerabilities.

On the browser side, they said Firefox (44 percent of the vulnerabilities) and Safari (35 percent) had the most flaws. Internet Explorer had 15 percent and Opera six percent, they said. They apparently didn’t review Google’s Chrome. They added that Firefox vulnerabilities were patched much quicker than Internet Explorer’s.

Story here.

Tom Kelchner

Major net advertiser site is spreading little-detected malware to visitors

Web security firm Websense is reporting that the servers of web advertiser media-servers.net have been compromised and are serving visitors malcode that exploits Microsoft and Adobe vulnerabilities. Thousands of sites have been compromised over several months, with the result that visitors get served an auto-loading script, the Websense researchers said.

Patches have been available for the vulnerabilities involved, so only unpatched machines visiting the site will be compromised.

Websense researchers also said that the malware involved is only detected by two of the 40 anti-virus companies: F-Secure (Suspicious:W32/Malware!Gemini) and Sunbelt (Trojan.Win32.Bredolab.Gen.1 (v)). The detection is based on behavioral analysis by F-Secure’s DeepGuard, and Sunbelt’s VIPRE technology.

Story here.

Tom Kelchner

Univ. of Tampa student starts non-profit to investigate wrongful convictions

University of Tampa senior Gretchen Cothron has launched a nonprofit organization called “Screaming for Sunshine” to help investigate wrongful convictions.

Cothron is an honors student, with a major in criminology and minor in law and justice.

Last year, she completed a project to demonstrate the necessity of recording interrogations during investigation, which isn’t required in Hillsborough County. Last month she presented her findings at the National Collegiate Honors in Washington, D.C.

After her work last year, she moved into an honors fellowship “…researching a statistical formula to see how eyewitness testimony, faulty forensic science and false confessions contribute to wrongful convictions,” according to the University of Tampa web site.

“Cothron has presented her preliminary findings at the Southern Criminal Justice Association’s annual conference and is presenting an extension of the same project at the American Society of Criminology’s annual meeting in November,” the UT site said.

“Cothron hopes to practice criminal appellate law after law school to help fund her real passion, a nonprofit she has formed called Screaming for Sunshine to assist with investigations of wrongful convictions.

“Florida leads the nation in the number of death-row exonerations,” Cothron said, “and there has to be countless others.”

Cothron’s nonprofit site here.

Story here.

For the tip on this, thanks to Glenn S. Dardick, Ph.D., Associate Prof. of Information Systems at Longwood Univ. in Farmville, Va. He’s also the Director of the Association for Digital Forensics, Security and Law and editor of the Journal of Digital Forensics, Security and Law.

Conficker and Taterf will be with us for a while

USA Today’s Byron Acohido is reporting that the Conficker and Taterf worms continue to spread.

Conficker is building a botnet, propagating through network shares and devices that use USB ports.

Taterf, the product of a malware tool kit, is aimed at stealing log-in information from on-line games. The malicious operators sell the log-in information to others who steal compromised gamers’ accounts for virtual goods which can be sold to other gamers.

Standard precautions can prevent the two from infecting machines: running a good anti-malware application and keeping current with updates and patches. Turning off the “autorun” feature in Windows also can stop the propagation through USB ports.

USA Today quoted Sunbelt Chief Technology Officer Eric Sites in the story. He told them “The sad fact is worms and viruses would be wiped out if everyone used best security practices.”

Story here.

Tom Kelchner