New Trojan uses CloneCashSystem site

Patrick came across a new Trojan today that uses the CloneCashSystem site (WHOIS registration date Oct. 2).


Patrick’s note:

“My iframedollars downloaded a Trojan from a VX Catus site dl.guarddog2009.com/bookmark.exe.

“The 3 kb Trojan’s only function is to change the user’s start page to: join. clonecashsystem com/track/NjU1ODMuMjYuMzEuMzUuMC4wLjAuMC4w, which is one of those free report sites. It tries to get you to buy a get-rich-quick scheme.

“The start page is similar to the old CWS hijacking start page Trojans. I have named it Trojan.StartPage.CloneCashSystem.”

[NOTE: only go to the URLs mentioned here with caution.]

Thanks Patrick

Tom Kelchner

Update 11/9: We changed the description of CloneCash in the blog post since it is merely a site pointed to by iframedollars/virut. Patrick wrote the following after further investigating:

“The CloneCashSystem is really only free videos of how to make money on the Internet and not a scam, however, its URL is used in a TrojanStartPage with the file coming from a malicious site.

“The bookmark.exe has changed now to using join.123cashsurveys.com as the StartPage Hijacking.

“Due to the change and as I now have over 100 sites that could end up being used and may come under 3 business aliases, I have changed the threat from Trojan.StartPage.CloneCashSystem to Trojan.StartPage.SSSPP

“For eternal use the SSSPP will stand for Schemes, Scams, Spams, and Pyramid Plans.”

Click fraud Trojan uses Internet security company site

Our researcher Patrick Jordan ran one of the installers from seriall.com, which is an old fake serial crack site where one can get infected waaaaay too easily. It created a run32.dll which functions as a redirector. When a victim of this searches for the string “remove spyware,” his infected computer re-directs to the web page of security firm Webroot. Clicking on the “Business” tab will take the browser to a redirect site.

[Figure: ClickFraud_SearchEngineResultsHijacking]

On the left is the Webroot page redirect from an infected box and the right is the same action from a clean box.

The sites that it redirects to are typical info-stealing sites with cheap pay-per-click search pages.

Sunbelt already detects the installer and dll as Trojan.Win32.Generic!BT.

Just to clarify: this is not a Webroot issue, the Trojan simply redirects a victim’s browser to the Webroot page to give an appearance of authenticity before redirecting it on to a malicious site.

Thanks Patrick

Tom Kelchner

Man-in-the-middle attack uses SSL renegotiation

Researcher Ben Laurie has posted a note on his blog “Links — Ben Laurie blathering” alerting the world to a man-in-the-middle attack against Secure Sockets Layer.

“In short, a man-in-the-middle can use SSL renegotiation to inject an arbitrary prefix into any SSL session, undetected by either end,” he wrote.

Laurie said he and fellow researchers have a patch to SSL that bans renegotiation.

Blog post here.

Patch here.

Tom Kelchner

Update

“It’s a protocol-level flaw,” Chris Paget, chief technology officer at H4rdw4r

Computer World story “Scramble on to fix flaw in SSL security protocol” here.

Update 2

It never rains but it pours. Transport Layer Security has the problem too:

“Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities.”

This was blogged by security researchers Marsh Ray and Steve Dispensa today. They work for PhoneFactor, a two-factor authentication company.

TLS and SSL are widely used by online retailers and banks for secure web transactions.

Ray and Dispensa’s findings here.

Cross-domain flaw in Facebook, Myspace patched

A web developer from Amsterdam, who goes by the name Yvo, discovered a way a user could get access to other domains when logged into Facebook or Myspace. After he notified the two sites, the holes were patched.

Here’s Yvo’s description:

“…Adobe (Flash’s developers) introduced a ‘crossdomain.xml’ file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data.”
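As an added illustration (not from Yvo’s post and not Facebook’s actual policy), here is a small audit of a crossdomain.xml policy that flags the kinds of settings his description touches on: a bare `domain="*"`, wildcard subdomains, `secure="false"`, and a missing `site-control` element. Both policy documents are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the open policy Yvo describes, any origin may read the host's data.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed sample: scoped to named hosts, but still trusting every subdomain of one zone.
SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.example-cdn.test" secure="true"/>
  <allow-access-from domain="partner.example.test"/>
</cross-domain-policy>"""

def audit_crossdomain(xml_text):
    """Return a list of human-readable findings for a Flash crossdomain.xml policy.

    Flags: a bare "*" (any origin may read the host's data with the victim's
    cookies), wildcard subdomains (one hijacked or user-controlled subdomain
    is enough), secure="false" (plain-HTTP SWFs may read HTTPS data), and a
    missing site-control element (a policy in any sub-path could widen access).
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    if root.find("site-control") is None:
        findings.append("no <site-control>: per-directory policies may widen access")
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*" grants every origin access')
        elif domain.startswith("*."):
            findings.append(f"wildcard {domain}: every subdomain is trusted")
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" for {domain}: HTTP content may read HTTPS data')
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*"')
    return findings
```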

His blog post here.

Yvo, we’re glad you found it before anyone else did.

Tom Kelchner

FBI investigates $100 million in losses from spear phishing

The FBI has said it is investigating thefts in the last five years of more than $100 million from small and medium-sized businesses that fell victim to spear-phishing attacks which siphoned funds from their bank accounts. More of the attacks are reported each week, they said.

The attacks typically involved malware sent by email that installed key loggers and targeted someone in the company who could initiate fund transfers. The criminals used the key loggers to capture the victim’s banking log-in information, then initiated fund transfers to money mules, generally in amounts below $10,000 – the level that triggers currency transaction reporting. The mules transfer the funds to the criminals via Western Union or other international money transfer systems.

The phishing emails were sent from groups or people known to the victims so they wouldn’t be inclined to consider them fraudulent.

Among other measures, the FBI suggests removing the company organization chart from web sites in order to preclude spear-phishing emails that target company financial personnel.

The report also said:

“Discussions with Federal law enforcement agencies, commercial security intelligence service providers, and commercial incident response companies reveal the effectiveness of existing signature-based anti-virus and intrusion prevention systems is diminishing in the face of the rapidly evolving malicious code environment and the prevalence of custom-designed, signature-defeating malicious code.

“Consequently, an approach not fully dependent on those systems must be considered, with particular emphasis on user privilege reduction, application white listing (only allowing known software and libraries to execute on a system), and heuristic detection.”

VIPRE MX-V technology can cover you on the “heuristic detection” front.

FBI Intelligence Note here.

Tom Kelchner

The state of Internet (in)security

A lot of major players in the anti-malware world issue periodic reports — very long .pdf files that not enough people have the time to read. News reporters jump on the reports, and write stories about the trends the researchers are seeing. They’re extensively reported. It isn’t a bad system. If by chance you read the original reports, you’ve probably noticed they’re getting better and more comprehensive.

Microsoft just made public a monster 232-page intelligence report on the state of security for the first half of 2009 with a load of historic perspective. It could just about serve as a textbook for a short course in security for the average Internet user.

McAfee also issued a nicely done Third Quarter Threats report.

Here are some highlights from the two that have been generating news:

— Microsoft’s monitoring of more than 400 million PCs (via Malicious Software Removal Tool) showed that 55.5 percent of attacks for the half year were aimed at unpatched vulnerabilities in Microsoft Office applications. Most of the holes the malware was targeting were in unpatched Office installations, some as old as 2003. In many cases, victims had upgraded their operating systems, but neglected Office updates. Other highly targeted applications were WinZip, Internet Explorer, Adobe Reader and RealPlayer.

— Software piracy results in infected computers because people running pirated operating systems don’t upgrade them. China, Brazil and France have higher piracy rates and fewer people who use Windows Update, Microsoft says.

— Web threats are getting worse. Distributed denial-of-service attacks for extortion are back, the proportion of spam in email has reached 92 percent and 13 million computers were taken over by bots in the quarter, according to McAfee. The U.S. is the country with the most bot-infected computers.

— There is a growing body of malware that tries to steal login credentials from online game players, including those who play Maple Story, Lineage and World of Warcraft. Malicious operators are after players’ virtual goods, which can be sold. Gamers are warned to avoid logging in on computers they can’t trust. They also are warned to avoid game cracks and cheats, since those are often Trojanized.

— The number of infections from worms has increased and there were 20 percent fewer infections from rogue security software.

Want more details?

Microsoft Security Intelligence Report Vol. 7 January through June 2009 here.

Third Quarter 2009 McAfee Threats Report here.

Tom Kelchner

Update: November 5

An excellent point:

From: M D Meridian

Long story short: Windows update is NOT the same as Microsoft update.

Microsoft update gets you Windows AND Office updates; Windows update gets you only Windows updates.

Even Microsoft sometimes, much too often, uses one term for the other, and vice versa.

Clear this up with users and a lot of the “neglect” will go away.

Yes, I learned this the hard way.

cordially, md

DDoS extortion

Good article by Dancho:

With the average price for a DDoS attack on demand decreasing due to the evident over-supply of malware infected hosts, it should be fairly logical to assume that the “on demand DDoS” business model run by the cybercriminals performing such services is blossoming.

Interestingly, what used to be a group that was exclusively specializing in DDoS attacks, is today’s cybercrime enterprise “vertically integrating” in order to occupy as many underground market segments as possible, all of which originally developed thanks to the “malicious economies of scale” (massive SQL injections through search engines’ reconnaissance, standardizing the social engineering process, the money mule recruitment process, diversifying the standardized and well proven propagation/infection vectors etc.) offered by a botnet.

More here.

Alex Eckelberry

IOBit accused of stealing Malwarebytes database

Marcin Kleczynski, CEO of Malwarebytes, has posted a detailed accusation, presenting evidence that IOBit is stealing the Malwarebytes database.

IOBit, a Chinese company based in Chengdu, provides a number of PC utilities, including an antimalware product called IOBit Security 360. According to Kleczynski:

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an in-depth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

There’s quite a bit more here.

Stealing AV signatures is not a new phenomenon — AV companies have battled this type of thing for years. In this case, it looks to be quite blatant, based on the evidence presented.

Alex Eckelberry

Update: IOBit responds.

Is it time to abandon Windows XP because of malware and exploits?

The short answer is “no,” although Windows 7 is probably a little safer.

That being said, a number of security measures that apply to any operating system are vital to a layered defense. Windows XP is a secure operating system only if it is updated regularly and operated by users who have some understanding of Internet security. Below are the four vital security practices to go with Windows XP:

1. Install operating system and application updates promptly.

Malware that exploits newly discovered vulnerabilities begins circulating within days, if not hours, of the public disclosure of those weaknesses. Patches (or workarounds) are generally issued as quickly as the software company can deliver them, but there may be significant delays. The dark side often is ahead of the curve with “zero-day” exploits, those that take advantage of previously unknown exposures. It is vital that patches are installed as soon as they are available.

The most important updates will be those for the Windows operating system, Adobe applications, Microsoft Office and Internet Explorer or other browsers. These are the most commonly used things on computers worldwide, thus the most widely available and cost-effective targets of malicious operators.

The number one cause of compromised machines is lack of current updates. Microsoft issues patches on a regular basis on the second Tuesday of each month. (Information here.) Adobe has begun issuing updates on the same day.

2. Updated anti-virus applications are your first line of defense.

Having a good anti-virus application running on desktop machines and networks can protect the small enterprise from a vast number of threats, including the most recent ones: banking Trojans, rogue security products and bot-associated malware.

Very small businesses with a few machines probably need little more than VIPRE desktop installations and possibly the Sunbelt Personal Firewall (Sunbelt info here.)

Small, medium and large businesses with Internet-facing networks might consider VIPRE Enterprise. (Sunbelt info here.)

VIPRE can stop previously unidentified malware by using MX-V advanced “behavior-based” scanning to spot its malicious behavior in a virtual environment before it infects the machine.

3. To add one more layer of defense, enterprises should consider doing online banking from a dedicated machine that is isolated from networks and not used for any other purpose (especially the exchange of email.)

Many of the banking Trojans that were used to illegally transfer $40 million from the bank accounts of small- and medium-sized businesses in the last five years were installed when someone clicked on an attachment or malicious link in an email. (Story here.)

Also in the last few years there have been numerous spear-phishing campaigns targeting company financial personnel whose machines are used to log onto online banking sites. In some of these, the banking Trojans or their downloaders arrived in email messages with malicious attachments disguised to look like legitimate accounts-receivable correspondence.

4. Providing employees with computer security training can reduce the risk of attacks based on social engineering.

Every day an uncountable number of people are using the Internet for the very first time. Unless they have some kind of instruction, they will quickly fall victim to social engineering gimmicks. These trigger malicious applications that arrive by email or are downloaded from hacked or malicious web pages. New scams begin circulating almost on a daily basis and are aimed at millions of users through email spam originating in botnets or hacked social networking accounts. Employers need to educate employees, especially new ones, about Internet safety and give them a way to keep up with new threats.

The Sunbelt Blog and the threat index on the VIPRE agent interface provide daily updates on the threat landscape for experienced and inexperienced Internet users.

[Figure: Desktop threat index]

Double clicking on the Threat Index graphic takes users to the Sunbelt web site and a description of the most current threats that are making news:

[Figure: Desktop threat index 2]

White papers on security

On the Sunbelt web site, we also have white papers, some written for inexperienced Internet users, in the Sunbelt Research section.

Two of them, especially written for new users are:

“How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product”

“What’s in your spam bucket?”

Thanks Stephen in Victoria, BC, Canada, for asking.

Thanks Alex

Tom Kelchner

New Sunbelt white paper on spam for the beginner:

What’s in your spam bucket?
(Don’t look, delete it!)


The rules for staying safe from malicious email:

1. Do not open emails from strangers. Delete them and you will be safe.
2. Do not click on links in emails from strangers or open the attachments. You should have deleted them before you saw the links.
3. Do not buy anything or take any action based on something you got in an email from a stranger. You should have deleted the email before you read the pitch.
4. For email that has been forwarded to you by your friends, see Rule 1.

Today I checked out several dozen spam emails that I received in order to illustrate the threats that come with 90 percent of email traffic these days. Yes, an estimated 90 percent of email today is spam. Your ISP or employer may filter a lot, but you’re still going to get some of these “everyday” threats.


Read it here.

Tom Kelchner

Pseudo-Google, eBay URLs used in spam

We’ve been seeing a fair amount of these lately — what appears to be one spam gang using google, ebay and other “normal” looking domains as spam links in unsolicited email.

Example URLs:


The pattern is always junk-CNAME.domain-name.junk-text.

For example, jrvds.getgoogleonline. com/gcbswsy/hwnvsw.

All are used as a redirect to get you to a spam site.

You can comfortably blacklist these domains to reduce spam traffic.
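One way to act on that blacklisting advice, as an added example that is not the author’s code: reduce each link’s host to its registrable domain (so the random `jrvds`-style label is ignored), match it against a block list, and flag brand names embedded in domains the brand does not own. The block list holds getgoogleonline.com from the post; the other domains and the email body are constructed.

```python
import re

# Brand words the post saw embedded in throwaway spam domains.
BRAND_TOKENS = ("google", "ebay")
# Domains the brands actually own (illustrative, not exhaustive).
LEGIT_DOMAINS = {"google.com", "ebay.com"}
# Registrable domains to block: one from the post, one constructed.
BLACKLIST = {"getgoogleonline.com", "ebayphoneoffers.test"}

_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/?#:]+)", re.I)

def registrable_domain(url):
    """Return the last two host labels, e.g. 'getgoogleonline.com' for 'jrvds.getgoogleonline.com/x'.

    Sufficient for the .com pattern in the post; a production filter should use the
    Public Suffix List so that 'example.co.uk' is not reduced to 'co.uk'.
    """
    m = _HOST_RE.match(url.strip())
    if not m:
        return None
    labels = m.group(1).lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])

def classify_link(url):
    """Classify one link from an email body.

    'blacklisted': registrable domain is on the block list
    'lookalike'  : a brand word appears inside a domain the brand does not own
    'ok'         : neither
    """
    domain = registrable_domain(url)
    if domain is None:
        return "invalid"
    if domain in BLACKLIST:
        return "blacklisted"
    if domain not in LEGIT_DOMAINS and any(b in domain for b in BRAND_TOKENS):
        return "lookalike"
    return "ok"

def filter_email_links(body):
    """Return (url, verdict) for every http(s) URL found in an email body."""
    urls = re.findall(r"""https?://[^\s<>"']+""", body)
    return [(u, classify_link(u)) for u in urls]

# Constructed sample message: one post domain, one constructed lookalike, one legitimate link.
SAMPLE_BODY = """Your order is ready!
Click http://jrvds.getgoogleonline.com/gcbswsy/hwnvsw to confirm.
See also http://xk2p.supergoogledeals.test/abc and https://www.google.com/maps
"""
```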

Alex Eckelberry