Computer security for all levels of users

Jerome Segura, a Security Analyst at ParetoLogic of Victoria, B.C., Canada, just posted a nice piece on computer security practices, taking a different perspective, in his “Malware Diaries” blog.

He begins his list of security tips by considering four classes of users:

— pre-baby boomers
— early and late baby boomers
— 70’s – 80’s users
— 90’s to present

then makes further distinctions by level of security knowledge and awareness:

— extra-cautious (paranoiacs)
— those who somewhat understand
— those who are over-confident
— security-conscious folks.

His “ABCs of online security” is a list of 11 practices that could create a sound security consciousness for everyone, but especially for all those non-technical home users out there.

“- Today’s computers are connected to the Internet and are therefore much more at risk than their ancestors.

“- The Internet is fun but also dangerous.

“- People don’t know what they do and can easily be duped.

“- The more cool stuff, the more risks.

“- The right choice of software and hardware can protect your computer but will not make it 100 percent safe.

“- Updates should be applied religiously.

“- If you aren’t sure about something, check it. Files and Websites can be analyzed prior to opening.

“- Computers are not demons but they can be zombies.

“- Browsing to a site (ANY site) can infect your computer.

“- Backups are your best friends.

“- Virtual Machines are an acceptable way to have an affair (and get infected) behind your computer’s back.” (I think he means “an acceptable way to experiment with potentially malicious sites and files.”)

There’s always been a tendency among the technoroti to look down their noses at non-technical users. Personally, I don’t think there has been enough effort put into public education on computer security. It’s way too common to blame the victims, and that just doesn’t work. The money they spend on rogue anti-malware products and the cash siphoned out of their bank accounts help fund the criminal groups that prey on all of us.

When it comes to computer security, we’re all in this together.

The U.S. Computer Emergency Readiness Team (US-CERT) has a great page of security documents for all levels of users: http://www.us-cert.gov/cas/tips/

Sunbelt has two white papers that dig into the details of the two biggest threats on the Internet today. They’re written for non-technical users:

Malicious spam:
http://www.sunbeltsecurity.com/dl/What_s%20%20in%20your%20spam%20bucket.pdf

Rogue security products:
http://www.sunbeltsecurity.com/dl/Is%20it%20a%20real%20anti%20malware%20product.pdf

Tom Kelchner

Cybercrime infrastructure: botnet and malware support services

Gunter Ollmann, VP of research at the Atlanta security firm Damballa, has blogged about the underground service industry that has sprung up to support botnet and malware groups. He found “botnet support” and “malware quality assurance” sites. There’s 24×7 support with ticketing systems.

One site features forums, a variety of services (including distribution), hacking tools and remote access Trojans.

The bad news is that the cybercrime underground is so well developed that it can support such related businesses.

The good news: wow, what a great place for law enforcement agencies to set up sting operations and distribute utilities with back doors and key loggers. Legitimate AV companies can leave the Feds’ spyware out of their detections, and the dark side will be forced to come up with their own anti-spyware scanners. Then the Feds can get into polymorphic code and fast flux and rogue security applications. It would be a whole alternative universe!

Gunter Ollmann’s blog here.

Update 12/31:

It didn’t take long for the next development in this story to appear: “Virus Scanners for Virus Writers.” It’s the second entry in Brian Krebs’ new blog, “Krebs on Security.”

Krebs, who wrote the popular “Security Fix” column in the Washington Post for 15 years, left that post this week.

Tom Kelchner

Xmas shoppers: rich pickin’s for phishers

Hong Kong-headquartered security firm Network Box reported that an analysis of web-based threats showed that phishing doubled in a month, probably because of the number of potential victims — people shopping online in December.

Network Box said that its analysis of web-based threats showed that 57 percent of the threats in December were phishing attacks. In November they pegged that number at 28.3 percent.

The company predicted that the increase in phishing would continue into January.

Story here.

Tom Kelchner

Seen in the wild: Specialty phishing

From a site that is hacked and serving phishes:

[Screenshot: hacked site serving phishes]

What’s mildly interesting is the types of phishes — “specialty phishes” that are not your typical banking/finance scam.

[Screenshot: Hamilton phish]

These are phishes that are highly targeted, in this case at the email systems of tiny Hamilton College (not the first time I’ve seen this), the religious site cfaith.com, Saginaw Valley State University, and Villanova.

Hamilton.edu:

[Screenshot: Hamilton.edu phish]

cfaith:

[Screenshot: cfaith phish]

SVSU:

[Screenshot: SVSU phish]

and Villanova:

[Screenshot: Villanova phish]

Alex Eckelberry

2010 prediction roundup

It’s the time of year to make predictions. I only have one: in 2010, governments around the world will BEGIN to increase their efforts to do something about the massive malware threat that every Internet user on the planet faces.

It’s going to be controversial and difficult legally and technically. It’s going to cost serious tax money, political capital and diplomatic work to counter this crime wave that is like nothing the world has ever known.

At this point, 90 percent of email is spam, organized crime groups commonly siphon cash from the bank accounts of individuals and businesses on other continents, search engines are regularly harnessed to lure web users into purchasing fake security products, and malicious applications are being created faster than legitimate software.

China has made two huge, stumbling attempts. One, Green Dam-Youth Escort, unfortunately was mixed up with state censorship and sullied by a sleazy company whose idea of software development was “borrowing” a U.S. company’s code. The other, China’s attempt to require “on-paper” domain registration and to limit registrations to licensed businesses, could possibly make it harder to set up malicious sites, but it too is drastically flawed.

The U.S. Federal Trade Commission has had some noteworthy successes against spammers. European governments are seriously going after digital pirates and Nigeria has arrested a few dozen 419 scammers and promises a lot more.

So, there is motion.

. . .

There is no shortage of predictions this month.

Other people in the computer security sector have been making a lot more predictions and posting them. I thought it would be interesting to sort them by topic and compare them. I’ve summarized them as briefly as possible and listed the URLs of the original texts at the bottom of this blog post.

Application level attacks
— Adobe software, especially Acrobat Reader and Flash, will become top hacking targets. [McAfee]

Banking Trojans
— Banking Trojans will become more sophisticated. [McAfee]

Botnets
— Fast flux botnets will increase. [Symantec]
— Botnet controllers will switch to less vulnerable methods for command-and-control (such as peer-to-peer networks). [McAfee]
— Botnets are becoming more self-sufficient. [WebUser]
— “Malware will not evolve.” Botnets will not get any more sophisticated, there will be no mass outbreaks and highly targeted attacks will remain on the fringe. [Cooper/Verizon]
— There will be a shift in botnet-related crime from black markets to grey markets with more partner programs for DoS attacks and malware distribution. [Kaspersky]

CAPTCHA
— CAPTCHA technology will improve. Businesses in emerging economies will hire people to defeat it and generate accounts for spammers. [Symantec]

Cyber crime
— There will be more successes in the fight against all forms of cybercrime in 2010. [McAfee]
— Breaches will increase, especially against mid-sized businesses. [Cooper/Verizon]
— Microsoft’s legal efforts will pay off with at least one major arrest. [Cooper/Verizon]
— China will continue to be blamed for everything. [Cooper/Verizon]

File sharing networks
— There will be a shift from attacks via the web and applications to file sharing networks. [Kaspersky]

Malware development
— Malware will become more sophisticated and remain one step ahead of increasingly sophisticated security programs that will be developed to deal with it. [Kaspersky]

Operating system exploitation trends
— Mac and mobile malware will increase. [Symantec]
— HTML 5 and Google Chrome OS will make opportunities for malware writers. [McAfee]
— Google Wave will be exploited extensively but Google’s Chrome OS will not. [Kaspersky]
— Specialized malware will increase (e.g. ATMs, voting machines, public telephone voting connected with reality television shows and competitions). [Symantec]
— iPhone and Android (and related third-party software) will be malware targets. [Kaspersky]
— Nothing significant will happen to non-PC devices such as telephones, PDAs and Macs. [Cooper/Verizon]

Phishing
— Spear phishing will increase. [McAfee]
— URL-shortening services will be used extensively for phishing. [Symantec]

Reputation-based security
— Reputation-based security will come into prominence. [Symantec]

Rogue security software
— Rogue security software vendors will expand their distributions. [Symantec]
— There will be a decrease in the number of rogue security product schemes. [Kaspersky]

Social engineering
— Social engineering will become the primary attack vector. [Symantec]
— There will be an increase in the level of security consciousness among consumers. [Cooper/Verizon]

Social networking services
— Social networking third-party applications will be targets for fraud. [Symantec]
— Social networking sites will face more sophisticated threats as user bases grow. [McAfee]
— An increased number of applications on social networking services will be exploited because of the level of trust between friends. [McAfee]
— Facebook, Google, Twitter, TinyURL and other services will gain more control over criminal content. [Cooper/Verizon]

Spam
— More organizations will begin selling unauthorized email address lists to spammers. [Symantec]
— Spam volume will fluctuate. [Symantec]
— Instant messaging spam and attacks will increase. [Symantec]

Virtualized environments
— Virtualization will not be a target. [Cooper/Verizon]

Windows 7
— Windows 7 will be a major hacking target. [Symantec]
— Windows 7 (though not IE8) will be more robust than expected. [Cooper/Verizon]
— New vulnerabilities in Windows 7 as well as third-party software (e.g. Adobe and Apple) will be the main cause of exploitation. Although, if Win7 is secure, it will be a quiet year. [Kaspersky]

Kaspersky Lab 2010 cyber threat forecast
http://www.kaspersky.com/news?id=207575980

McAfee
http://mcafee.com/us/local_content/white_papers/7985rpt_labs_threat_predict_1209_v2.pdf

Symantec
http://www.symantec.com/connect/blogs/don-t-read-blog

Verizon business services (Russ Cooper, creator of NTBugtraq)
http://securityblog.verizonbusiness.com/2009/12/15/2010-security-predictions/#more-434

WebUser (UK)
http://www.webuser.co.uk/news/blog/cammjones/436323/what-will-the-web-bring-in-2010

Tom Kelchner

Researchers take down Mega-D, one of top 10 botnets

Atif Mushtaq, a researcher at the security company FireEye, has coordinated a global effort to take down one of the top 10 botnets, Mega-D.

PC World said the botnet controlled 250,000 machines in a massive network that was responsible for nearly 12 percent of world spam, according to MessageLabs statistics.

Mushtaq and those working with him coordinated their efforts with Internet service providers to isolate the Mega-D command-and-control servers in Israel, Turkey and the U.S.

The researchers shared their information with U.S. federal law-enforcement agencies and said the federal agencies should begin similar research and takedowns on a full-time basis.

Story here.

“Top 10 botnets and their impact” (December 9)

Tom Kelchner

Iranian hacktivists hit Twitter site

Twitter was disrupted Thursday night by attackers who hacked Twitter’s domain name servers, rerouted Twitter traffic and posted their own banner on the micro-blogging service’s page. The service returned to normal by Friday morning.

Technology blog Mashable attributed the attack to a group claiming to be the “Iranian Cyber Army.” Judging by the graphic they left, it appeared to be a hacktivist attack.

Story here.

Twitter blog.

Defacement graphic here.

Tom Kelchner

Data Doctor 2010 will make you sick

Our researcher Adam Thomas came across a new piece of ransomware today, an encryption Trojan from our old “friends” iframedollars. It encrypts the files on your hard drive very rapidly if you’re unfortunate enough to be victimized by it.

It arrives through drive-by downloads from malicious web sites. It’s also packaged with other malware.

1. The victim receives a message that the system is shutting down due to “Unrecognized disk driver command.”

2. His system is then re-booted to safe mode and a message is displayed: “Windows has recovered from a serious error. Some files can be corrupted. Disk checking is strongly recommended.”

3. Attempting to access a file, the victim receives the message “Unable to open the file due to data corruption”. The repair file button downloads Data Doctor 2010, which of course runs in trial mode. It does, however, offer to repair one (1) file for you so you know it is “legitimate.”

And, the pitch: pay $89.95 for a lifetime license. Additionally, these slime have the audacity to tack on a $1.50 activation fee.

[Screenshot: payment page]

Nice work, Adam.

Update: Jan. 6, 2010:

A blog reader has asked if we have a way to decrypt the files that Data Doctor 2010 encrypts. We have posted a tool that will do that. Go to: http://sunbelt-software.com/support/dd2010_decrypter.rar

Update 01/08:

Our good friends at F-Secure have posted a very good, detailed analysis of Data Doctor 2010. It can be found at: http://www.f-secure.com/weblog/archives/00001850.html

Tom Kelchner

Insurgents in Iraq could see some drone videos with $26 software

Laptop computers captured from insurgents in Iraq contained software that enabled them to intercept video feeds from the unmanned drones that are seeing expanded use in the Middle East, according to the New York Times.

The drones, used by the U.S. military to monitor insurgent activities in Iraq and Afghanistan, also can be used to deliver air-to-surface missiles.

Thursday, the Wall Street Journal broke the story that insurgents were using Sky Grabber, open source software that costs $26, and a satellite dish to intercept the transmissions. Sky Grabber was designed to download satellite transmissions of movies and music.

Pentagon officials said transmissions from the drones can be encrypted; however, unencrypted feeds have been commonly used when troops on the ground with older laptops or handheld controllers need direct feeds from the drones or piloted aircraft. The military knew that the unencrypted signals could be intercepted, but decided not to encrypt local links for the sake of economy.

The U.S. military has been expanding its use of the video feeds to troops and is rapidly upgrading its equipment to take the encrypted transmissions.

Story here.

Tom Kelchner

Tales from the Crypt: malware rising from Google cached pages

The Internet Storm Center blog just ran a piece about a malware vector that hasn’t been discussed enough: the Google Cache.

An ISC blog reader named Greg recounted that he was browsing for information, found a site that was down and pulled up the Google cached page to get what he wanted.

The site was down because of a malware infection and the cached page, with hidden iframes intact, sent him to a malicious site that offered a rogue security product.
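The mechanism above, a cached copy of a compromised page that still carries an injected hidden iframe, is something a defender can check for before trusting a cached page. What follows is an added example, not code from the ISC post or from this blog: a small Python parser that walks saved HTML, tracks CSS-hidden ancestors, and reports iframes that are tiny or hidden, noting whether they point off-site. The sample page and every hostname in it are constructed placeholders.

```python
"""Flag concealed iframes in a saved or cached copy of a web page.

Added example (not code from the ISC post or this blog). The sample page and
all hostnames below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal page with one visible video embed and two injected,
# concealed iframes pointing at third-party hosts (all hostnames are placeholders).
SAMPLE_HTML = """<html><head><title>Example page</title></head><body>
<h1>Welcome</h1><br/>
<iframe src="https://video.example.org/embed/1" width="640" height="360"></iframe>
<iframe src="http://dropper.example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://redirector.example.invalid/x"></iframe></div>
</body></html>"""

# CSS that makes an element invisible or pushes it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

# Elements that never have a closing tag; kept off the ancestor stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}


def parse_px(value):
    """Return an integer pixel size from a width/height attribute, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Walk the document, tracking CSS-hidden ancestors, and record iframes
    that are tiny or hidden. Visible third-party embeds are not flagged."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.stack = []        # (tag, hidden_by_style) for each open element
        self.hidden_depth = 0  # number of open ancestors hidden via CSS
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "iframe":
            self._check_iframe(a, hidden_here)
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_here))
            self.hidden_depth += hidden_here

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Pop to the matching open tag, unwinding any hidden ancestors on the way.
        while self.stack:
            open_tag, hidden = self.stack.pop()
            self.hidden_depth -= hidden
            if open_tag == tag:
                break

    def _check_iframe(self, a, hidden_here):
        width, height = parse_px(a.get("width")), parse_px(a.get("height"))
        reasons = []
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append(f"tiny frame {width}x{height}")
        if hidden_here or self.hidden_depth > 0:
            reasons.append("hidden via CSS")
        if not reasons:
            return  # an ordinary, visible embed
        src = a.get("src") or ""
        host = urlparse(src).hostname or self.page_host  # relative src stays on-site
        self.findings.append({"src": src, "host": host,
                              "off_site": host != self.page_host,
                              "reasons": reasons})


def audit_cached_page(html, page_url):
    """Return the concealed iframes found in html; page_url supplies the page's own host."""
    auditor = IframeAuditor(urlparse(page_url).hostname)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for f in audit_cached_page(SAMPLE_HTML, "http://www.example.com/index.html"):
        flag = "OFF-SITE" if f["off_site"] else "same-site"
        print(f"{flag:9} {f['src']}  ({', '.join(f['reasons'])})")
```

Run it against a saved copy of the cached page. A visible third-party embed such as a video player is deliberately left alone; a 1×1 or display:none frame that loads another host is the injection pattern the ISC reader ran into, and that is what the check reports.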

ISC blogger Daniel Wesemann wrote “The badware is currently delivered through the domain todolust-dot-com. The EXE changes about twice per hour, and has very low AV coverage (Virustotal). Microsoft and Sunbelt are currently the only two AV tools on Virustotal that do not seem to be perturbed by the rapid morphing of the EXE, and keep catching it reliably.”

ISC blog here.

Dancho Danchev wrote about the cached-malware vector two years ago.

Tom Kelchner

WiniGuard clones are coming thick and fast

Yesterday we blogged about the most recent rogue security product in the WiniGuard family, TheDefend. Patrick Jordan had observed that a new clone was appearing about every two days. Overnight the pace picked up and loyal blog reader Fatdcuk let us know about yet another. He left us a comment: “SysDefence went live about 3 hours ago. They’re flying off the conveyor belt today.”

Patrick analyzed it and plunked it in the WiniGuard family, and our detections, as SysDefence.FakeSmoke.

[Screenshot: SysDefence GUI]

The GUI is identical to TheDefend except the name.

Thanks Fatdcuk. Thanks Patrick.

Tom Kelchner

China restricts domain name registration

China is putting in place rules that would require a formal paper-based application system for those seeking domain name registration. The change would allow only businesses that have been licensed by the state to register domains. Ostensibly the move is to stop the distribution of pornography and other “bad stuff,” but some observers believe it’s simply one more attempt on the part of the Chinese government to stifle critical political comment.

It would seem as though this process could clean up one of the world’s worst domains for malicious Web sites, but there are some big, big loopholes, the usual percentage of corrupt officials being an obvious one.

Researchers at Trend Micro also found a very large vulnerability in the system. The process allows applicants to register domains immediately, but gives them five days to submit their documentation. So, malicious sites will be able to operate in the notorious .cn domain for five days before obtaining a new five-day domain. Five days is a long, long time for the Internet criminal underground.

Sunbelt researcher Patrick Jordan said he’s observed that some rogues and other malware use an elaborate system to point to a new malicious download site every few hours, often in a cycle as short as 6-12 hours.

Story here.

Trend blog here.

Tom Kelchner

Loss of availability: laptops among prime targets for air cargo thieves

The Wall Street Journal carried a piece about the theft of valuables from luggage and the luggage itself at airports. An increase seen in the last five years is being blamed on the bad economy and reduced security caused by cost-cutting measures. Airlines are not liable for the thefts under existing rules.

A spokesman for the Portland, Ore., airport said baggage thefts are up about 50 percent this year and a prosecutor in the Queens County, N.Y., district attorney’s office said “There’s been a tremendous increase in the last five years. It’s pretty bad—a lot is getting stolen every day.”

Laptop computers, iPods and electronic game systems are among the most popular items with thieves.

“Carousel thieves” – outsiders who simply steal other peoples’ baggage and walk out of the airport with it – are one threat. The other is theft by employees who take valuables from luggage, sometimes to sell on eBay. The insiders often switch routing tags to reroute the victim’s bags and confuse investigators.

Tips for avoiding losses:

— Don’t put valuables like jewelry or electronic equipment in luggage. Small items are the highest risk.

— If you can’t take valuables in carry-on luggage, ship them. You can insure items with shipping companies.

— Luggage locks are no protection. They’re easily opened.

— Report thefts immediately to the airline you’re flying on and the U.S. Transportation Security Administration.

— Put colorful tape or ribbons on your luggage to make it easily visible.

— For those who travel a lot with laptops: be sure valuable information is encrypted. Although most thefts are simply for the equipment, it isn’t out of the realm of possibility that thieves could try to exploit the contents of your hard drive if they can figure out a way to make money.

Story here.

Tom Kelchner

Dismal statistics: Project Honey Pot marks one billion spam messages

Project Honey Pot has reported that sometime in November it received its one billionth spam message.

“Every time Project Honey Pot receives a message we estimate that another 125,000 are sent to real victims. Our billionth message represents approximately 125 trillion spam messages that have been sent since Project Honey Pot started in 2004,” they said.

Their very well-written report contains a load of other information as well, like the fact that most of the spam in the world probably originated in the U.S., though the bot-infected machines that spew it out can be anywhere.

The report also said: “we’ve seen the word ‘Viagra’ spelled at least 956 different ways.”

Report here.

Tom Kelchner

Google Doodle search results poisoned

Rogue anti-virus vendors yesterday used search engine optimization techniques to poison the Google search results produced when visitors clicked on the Google Doodle – the art that periodically appears above the search box on the Google front page.

The Doodle, a rendering of the Esperanto flag, was intended to draw attention to the 150th anniversary of the birth of Polish linguist L. L. Zamenhof, who invented the Esperanto language.

[Image: Esperanto flag]

Half of the sites that appeared as top hits in the Google search had been hacked and redirected visitors to malicious sites that presented scareware warnings and tried to sell rogue anti-virus products.

A researcher at Barracuda Labs was quoted as saying that malicious operators have been working hard recently to steal FTP login information. Getting access to Web sites via FTP would allow them to post code that would redirect visitors to other sites that would download the malware.

ComputerWorld story here.

Tom Kelchner

Like clockwork: the next member of the WiniGuard rogue family appears

Friday we blogged about the three generations of the WiniGuard family of rogue security products that began in October of 2008. Friday, the 50th rogue in that line appeared. Analyst Patrick Jordan noted that there appeared to be a newly named clone added to the “genealogy” about every 48 hours. He’s been right.

Monday we found GuardPCS and today we found TheDefender. Its associated web site was registered Dec. 4.

Fraudulent operators behind the rogues seem to be doing two things to confuse Internet users and lure them into purchasing this worthless scareware:

— “Borrowing” content from legitimate anti-virus company web sites, such as certifications and management team pages, for their own web pages.

— Distributing their rogues under different names and with redesigned graphic interfaces. They usually have web sites associated with the new name. They look like authentic security products, but, as the song says, they “take the money and run.”

[Screenshot: TheDefend (FakeSmoke) GUI]

See our earlier blog entry about the WiniGuard family of rogues.

Thanks, Patrick.

Tom Kelchner

“10 million people will you computers are perfectly safe”

New rogue borrows massively from AV company sites

Our friend M.N. Bharath drew our attention to this web site associated with the new System Adware Scanner 2010 rogue security product. Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.

It seems they also have recruited the entire management team from AVG anti-virus company as well. Right!

Compare the names on the Smart Systems Technologies rogue page. http://sysadscanner.com/about.php

[Screenshot: Smart Systems Technologies management page]

with AVG’s: http://www.avg.com/us-en/management-team

[Screenshot: AVG management team page]

If that isn’t enough to raise your suspicions, check out the Engrish on this page: http://sysadscanner.com/why.php

[Screenshot: System Adware Scanner 2010 “why” page]

Thanks M.N.

Tom Kelchner