Hacktivism is following current controversies

If history is any gauge, this is probably the first of several incidents like this.

The Register – which is worth reading twice a day for its insanely funny headlines if nothing else – is reporting that a hacker (hacktivist?), possibly British, who goes by the handle Neo, has gotten his hands on tax documents for about 1,000 companies and is tweeting the salaries of Latvian bank managers and other execs to Latvian TV.

His country, like many, has put into place austerity measures in the face of the global economic meltdown. The Latvian unemployment rate is 23 percent. That’s the scale of the great depression of the 30s in the U.S.!

He revealed:
— Managers at Latvian banks that got state bailouts did not take salary cuts as they were supposed to.
— Senior execs have taken huge bonuses at state-run businesses that have hit bottom.
— Some government officials are taking home salaries of $4,000 per month when school teachers’ pay was cut to $600 per month.

Neo says he’s part of a group called the “Fourth Awakening People’s Army.”

I wonder what the other three “Awakenings” were. Sounds Chinese.

The Register’s head on the story:

“Latvian hacker tweets hard on banking whistle”
“Fat cat pay leaked all over the Baltics”

Love it!

BBC story here.

Tom Kelchner

SEO poisoning not in well, but it’s aiming for the water heater

People searching for government rebates during these hard financial times are being hit with a financial burden of a different kind: rogue AV software.

Our (environmentally conscious) researcher Adam Thomas heard about a “green” hot water heater that might be a good addition to his Earth-friendly home. So he did a Web search for “GE geo spring water heater.”

What he found wasn’t Earth or anything else-friendly! SEO poisoning galore:

Geo Spring water heater

Here’s what the malicious pages deliver:

SecurityTool_GUI

It’s the SecurityTool rogue that has been making the rounds since October (See Sunbelt Software Rogue Blog entry here.)

Here’s the link to the U.S. Department of Energy program that gives rebates for Energy Star appliances http://www.energysavers.gov/financial/70020.html.

Thanks Adam

Tom Kelchner

NOT the real VirusTotal.com

VirusTotal.com [http://en.wikipedia.org/wiki/VirusTotal.com] is a brilliant site that helps both the public and researchers alike determine whether an executable file they have is potentially malicious or not.

Julio Canto (of VirusTotal fame) has noticed that somebody decided to cash in on the good name of the site with the following domain:

virus-total(dot)in

Go there, and you’ll see a message claiming the site is a “free online antivirus scanning service, click SCAN to begin scanning:”

Fakevt1

Hit “Scan”, and it isn’t long before this happens:

Fakevt2

Yes, we have some Rogue Antivirus advertising in the house, to the tune of “Your computer is infected by viruses” complete with the now familiar fake image of your drives and folders:

Fakevt3

Should you download and run the executable file offered up by the site, you’ll end up with the rogue Security Tool on your system.

Fakevt4

An unfortunate side effect of a scam like this is that the real VirusTotal could start to receive emails from irate victims of the fake site claiming they’ve “infected my PC” – fingers crossed it doesn’t get to that stage.

Remember: the REAL domain for VirusTotal is Virustotal.com. Don’t fall for this scam!

Chris (Paper Ghost) Boyd


hacker fail

Very funny:

The story starts with a guy insulting everyone on the IRC channel. Most people there believed it was rather funny, but it got even funnier. For information: the dangerous hacker is called bitchchecker, and the one being hacked and original author of the comments, who is talking here, is known as Elch.

127.0.0.1 is always the IP address of the computer you’re currently using; any request sent there returns to your own computer.

Link (some foul language)

Alex Eckelberry
(Thanks, Chaim)

Microsoft, in federal court, shuts down Waledac botnet

“Operation b49”

Tim Cranton, Microsoft’s associate general counsel, posted on the company’s official blog early this morning that Microsoft has shut down the Waledac botnet.

He wrote:

“On February 22, in response to a complaint filed by Microsoft (“Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.”

The spambot, one of the 10 largest in the world, had infected “hundreds of thousands of computers around the world” and had the capacity to pump out 1.5 billion spam emails per day, he said.

Cranton also said that between December 3 and 21, Waledac sent 651 million spam emails to Hotmail accounts. The botnet specializes in advertising a variety of goods and scams including knock-off products, online pharmacies, jobs and penny stocks.

Although the botnet command-and-control was disrupted, Cranton said hundreds of thousands of computers worldwide remain infected. “To help make sure you are not infected by this or other botnets, our advice is to follow the “protect your PC” guidance available at http://www.microsoft.com/protect,” he said.

Blog post here.

When are governments going to start going after spambots?

Why is it that governments across this planet aren’t doing this? The spam from botnets makes up 90 percent of Internet traffic. How much worse does it have to get? If Microsoft and security companies can shut these things down why don’t law enforcement agencies have the priorities and funding to do it?

Here’s a link to a NetworkWorld story from 2003 – THAT’S SEVEN YEARS AGO – that tried to estimate the alarming cost of spam WHEN IT ONLY COMPRISED 30 PERCENT OF THE BANDWIDTH!

It is the height of absurdity that governments of Australia, France and China are wasting time with controversial and ultimately doomed Internet anti-pornography initiatives and ignoring the botnets that threaten to totally fill the Internet bandwidth. They must believe that going after porn is an easy hit, popular with the electorate. Sure, some people are very offended by it and nobody with the exception of Playboy Enterprises Inc. spends any money defending it. If those folks who are so alarmed by Internet pornography are going to see it without actually going looking for it, it’s probably going to hit their inbox from a spambot!

And a whole lot of people go looking for it: http://internet-filter-review.toptenreviews.com/internet-pornography-statistics.html

Tom Kelchner

Twitter Search is finding rogues thanks to spambots

Be careful if you’re using Twitter Search to find topics of interest, as multiple spambots are pasting links to rogue antivirus sites all over the place at the moment.

Example:

Rogavtrun1

It goes without saying that the icons used for said accounts are extremely NSFW (Not Safe for Work), so if you’re using Twitter at work while making use of search you may want to disable images for the time being. Not all the keywords deployed are related to XXX-type material – indeed, the search that revealed the above was simply “free games.”

Click any of the links (various bit.ly URLs too numerous to mention) and you’ll be bounced around to a number of URLs before settling on

my-securesystem(dot)in (domain just established today.)

Where you’ll be presented with a familiar sight:

Rogavtrun2

If you do end up with something similar to the above on your desktop, don’t panic. Just hit CTRL + ALT + DEL and you’ll close your browser (you may lose the information in your tabs, but it should be easy enough to get it back). Should you accept the download of the executable file and run it, you’ll end up with a fresh version of Security Antivirus (Sunbelt Rogue Blog description here) on your system which isn’t really a good thing:

Rogavtrun3

Take care in Twitterland…

Paper Ghost (Chris Boyd)


Lower Merion spyware case: details emerge

(Swell tee-shirt available too!)

Thanks to Bruce Schneier for drawing attention to this one on his blog: http://www.schneier.com/blog/archives/2010/02/remotely_spying.html

A security researcher named Stryde Hax has blogged about his research into the public-facing web presence of Mike Perbix, a network technician at Lower Merion School District near Philadelphia. Perbix probably set up the system that turns on web cams in students’ laptop computers, which is at the center of the federal lawsuit filed earlier this month. (See Sunbelt blog “FBI will investigate Pa. school district webcam spying”)

Hax writes on his blog: “Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.”

Apparently Perbix made a promotional video about LanRev remote monitoring software in which he discusses using it to monitor students, as well as setting it to a special remote administration mode that makes the monitoring invisible to those being monitored.

(Side note: here’s an example of why you need to put a password on your wireless router)

Perbix recounted using the LanRev software to recover a stolen computer:

“As a prime example, we initially attempted to recover a stolen laptop that reported back to us its internet address and DNS name. The police went to the house and were befuddled to find out the people we knew had the laptop was not the family that lived there…well, we eventually found out that they were the neighboring house and were borrowing the unsecured WI-FI.”

He concludes his very detailed blog post:

“What amazes me most is that the family and lawyer filing the suit appear to have… no digital forensics going in, and no enterprising student hacker ever jailbroke a laptop and proved this was going on. The greatest threat to this investigation now is the possibility that the highly trained technical staff at LMSD could issue a LANRev script to wipe digital forensic evidence off all the laptops. This is why it is imperative for affected parents to have the hard drive removed from their children’s laptops and digitally imaged before the laptop is connected to a network. With enough persistence, and enough luck, we may eventually learn the truth.”

In an update yesterday, he discusses Perbix’s role:

“The impression we both got was of a man who was charged with enormous responsibility, worked very hard, was very adept, and was fanatical about protecting kids and the assets he was charged with managing. I don’t have all the facts yet, but the impression I got was of someone who was trying to build a state of the art capability and revelled in the promise of technology. If I had to put my finger on what went wrong here, I would say that someone cared too much. Personally I’m much more interested in who this capability was distributed to, and its persistent pattern of access, than I am in the person who built it. If you’re reading this, please, let us not participate in a rush to judgment especially against a guy who worked this hard. Yes, he built the capability. Yes it was used. But if it was abused or simply misguided, that remains to be proven.”

. . .

Hax describes himself on his blog: “I am a consultant with the Intrepidus Group, {of New York city} a proactive security firm known for launching the first proactive anti-phishing service, phishme.com. I have a wide ranging security background, from reverse engineering to penetration testing. In my spare time, I find things on web servers that were never meant to be found.”

Tee shirt available here:

Lower Marion tee shirt

http://www.zazzle.com/lower_merion_school_district_scandal_parody_tshirt-235568003500926676

Tom Kelchner

Denial of availability risk: earthquakes

USGS 2

I love this U.S. Geological Survey web site and I just have to do a blog piece about it. I guess we could use the topic of “denial of availability risk” as the computer security category. It’s kind of like the tail wagging the dog, but, what the heck.

It came to my attention when David Kennedy, Manager of Risk Analysis at Verizon Business, mentioned an earthquake and referred to the USGS data in a Twitter post.

I’ve been a lunatic about nearly every field of science since, oh, about the fifth grade, so I look at this every day. The map indicates quakes on a world map with color and size-coded squares. Red squares indicate quakes in the last hour, blue in the last day and yellow in the last week. Larger squares indicate stronger quakes.

I felt an earthquake once. It was the magnitude 4.4 April 23 quake in Lancaster County, Pa. I was working on my computer on the second floor of my in-laws’ home in a very rural, very quiet place in northeastern Pennsylvania. The little wood-frame house seemed to flex. I went downstairs and asked if anyone else had felt it. They hadn’t. The thrilling experience was apparently covered up by sound from the television.

I found a description of it on the USGS site.

“This earthquake was centered near Marticville. It caused minor damage at Conestoga, where a garage shifted 1.3 cm off its foundation; plaster fell from a ceiling; and cracks formed in windows, concrete basement walls, and a cistern.”

“One foreshock occurred 5 days earlier and many slight aftershocks occurred. Aftershock data suggested a north-northeast fault dipping steeply east, with reverse, right-lateral slip consistent with a horizontal east-northeast axis of maximum compression. The geometry of the 1984 rupture conforms to the strike of Jurassic dikes and associated faults in the epicentral area.”

Whoa I actually lived through “the strike of Jurassic dikes!”

. . .

The amazing thing is how MANY quakes there are on the map. Of course a lot of them are pretty minor events, like my 1984 experience. Still, the site does draw your attention to the earthquake risk that some people on Earth do face, like in nearly every point of land that the Pacific Ocean touches.

How could you use this? Since an earthquake can cause disruptions to utilities — including Internet and electrical service and maybe all life in general as we’ve seen in Haiti — if you’re looking for a location to set up shop or a company offering off-site backup services, you could double check locations with this site. USGS even has a map of all the recorded quakes that caused damage in the U.S. since 1750:

USGS 5

http://earthquake.usgs.gov/earthquakes/states/us_damage_eq.php

I’d say by the looks of that, if you are really paranoid about this issue, relocating to North Dakota, Wisconsin or Iowa would be a good bet.

Here at Sunbelt Software headquarters in Clearwater in the southern part of Florida we’ve been earthquake free for the last 250 years too. YESSSS!

USGS Latest Earthquakes in the World here: http://earthquake.usgs.gov/eqcenter/recenteqsww/

Tom Kelchner

Balkan popup frenzy

You know what would be a bad file to run on your PC?

This:

Bestvirus1

(Translation: “give it a name (that you want)” in a southern Slavic language, probably Croatian.)

Hailing from somewhere in the Balkans – and called “Best Virus”, according to the folder it comes in – it ensures anybody on the receiving end will have endless amounts of fun – and by “fun”, I mean “endless amount of eye rolling horror.”

Designed to be sent via IM, chatrooms or pretty much anywhere else people will randomly accept and run executables, “Best Virus” bravely shrugs off the conventions of “stealth hijacking” so prevalent in recent years in favour of something a little more overt:

Bestvirus2

Yes, your desktop has vanished. Yes, there’s an annoying (and mostly unkillable) popup wishing you “Happy hacking”. Yes, you now have about six thousand command prompt boxes filling your Task Bar.

Depending on whether the already unstable file decides to work as intended or not, you may find certain processes killed and Windows Live Messenger given a quick trip to the scrap yard as your session is terminated. It may attempt to disable Task Manager, but during testing this didn’t seem to happen all the time.

Upon next login a popup box informs you that you were logged out of Windows Live because “Windows Live Messenger was logged in at another location.” However, this message doesn’t necessarily mean you’ve been phished, as there are a number of reasons it can appear if you’re using Windows XP. While I didn’t see any evidence of logins being stolen, go ahead and change your password if it makes you feel safer.

The good news is you can stop the endless popups and general bad day you’re having by holding down the power button until it switches off or pulling the plug. The bad news is that isn’t really recommended as sometimes – if you’re unlucky – it can do strange things to your PC. The Windows boot process can be a sensitive thing sometimes…

Thanks for the language help Dimiter.

Chris Boyd

Steer clear of fake FBI fingerprint scanner

Sources on a number of forums tell me that a certain application is going to be released into the wild in a few days, promoted heavily via sites such as YouTube to attract as many potential victims as possible. I thought it might be beneficial to get a head start on the bad guys and get word out before they hit their big green “Go” switch.

What is it? I believe the following screenshot can answer that question:

Fbscan1

Yes, anyone with a hankering for CSI: Spyware will be able to get their fill when the so-called “FBI Fingerprints Scanner” goes live. As you’ve probably guessed, it’s a fake program designed to be tied up with whatever horrible infection file(s) the creator desires. It relies on hooking you with “stolen” FBI login credentials to access the (entirely fictitious) database. The supposedly stolen login details come bundled with the application, in case you were wondering.

Fbscan2

As fake applications go, it’s not too shabby – the wannabe FBI impersonator enters the login details, and is then asked to upload an image of a fingerprint scan into the system to see if there’s a match. In reality, you can use an image of just about anything:

Fbscan3

I don’t know about you, but I start to question the legitimacy of any fingerprint scanner that accepts pictures of dancing bananas.

The program has a collection of FBI Most Wanted profiles built in, and it’s likely that more profiles will be added as time goes by.

I think we’ve sufficiently warned you about dabbling with this application – ensure any family members with a fondness for “secret FBI tools” are warned to steer well clear when it finally arrives sometime in the near future…

Chris Boyd

Are you reading this with Internet Explorer version 6?

Virus Bulletin is reporting that a recent survey it conducted found that about one out of five people are still using the dangerously out-of-date version six of Microsoft’s Internet Explorer.

There are probably a number of reasons for this:
— They are using IE6 at work with legacy systems that require IE6 (or IT never got around to updating the company’s browsers.)
— They are using IE6 at home and don’t know that IE6 is frighteningly insecure.
— They are using IE6 at home and don’t know that there is such a thing as an update to browser software.
— They are using IE6 at home and don’t know there is such a thing as computer security.

VB said: “The browser has come in for heavy criticism due to numerous security flaws and its use of outdated technology. Indeed, in January both the French government and the German government issued advisories to computer users recommending that they switch to a different web browser, after it was discovered that IE 6 contained a serious security flaw that could be exploited by hackers and cybercriminals.”

They also wrote: “In VB’s poll, 15% of respondents said they were running the browser at work, indicating that, for many organizations, upgrading is not a priority – whether that is for reasons of compatibility with legacy applications or simply due to a lack of urgency in their IT departments.”

Another story that is at the top of the news today has some numbers that show just how insecure IE6 is when it comes to drive-by downloads of malcode.

Security blogger Brian Krebs, writing about a new free tool that will stop drive-by downloads, quoted SRI International researchers who have created the Block All Drive-By Download Exploits (BLADE) freeware.

SRI made public statistics from 5,154 drive-by download infections that were blocked by BLADE. “…because the tool allows the exploit but blocks the installation of the malicious payload, the group has been able to collect a great deal of interesting stats about the attacks, such as which browsers were most often attacked, which browser plug-ins were most-targeted, and so on.”

Exploits blocked were in:

— Firefox: 730 (14%)
— IE8: 900 (17%)
— IE7: 1202 (23%)
— IE6: 2322 (45%)

Clearly, the bad guys behind the drive-by sites are going after IE6.

AND, keep in mind, drive-by downloads are just one type of exploit that can take advantage of an insecure browser.

IE6 is a Web development pain

IE6 is not only a horrible security risk, but the browser – which first came out in 2001 – is a pain for Web developers to write pages for. So, a group of developers are taking the situation in hand and adding a notice to their sites telling IE6 users to upgrade. As a matter of fact, they’ve put up a web site (IE6NoMore.com) which offers code that can be downloaded so that OTHER developers can do the same. The code presents a notice which looks like this (in English):

Ditch IE6

IE6NoMore.com offers these notices in seven languages and says they are going to offer similar ones shortly in Arabic, Thai, Chinese, Farsi, Hungarian, Dutch, Polish, Danish, German, Hebrew and Russian.
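To show the kind of logic behind such a notice, here is an added example of my own; it is not the IE6NoMore.com script and does not claim to match it. It identifies Internet Explorer 6 from the browser’s User-Agent string (old IE reports itself as “MSIE 6.0” there), builds the warning text, and, when run in a page, inserts the notice as a plain text node so that nothing in it can be interpreted as HTML. The sample User-Agent strings are constructed for illustration; put the script at the end of the page body so `document.body` exists when it runs.

```javascript
// Added example (not IE6NoMore.com's own script): detect Internet Explorer 6
// from a User-Agent string and produce an "upgrade your browser" notice.
// Assumption: browsers of that era identify themselves with the historical
// "MSIE <major>.<minor>" token; the sample UA strings below are constructed.

function ieMajorVersion(userAgent) {
  // Old IE puts "MSIE 6.0", "MSIE 7.0", ... in the parenthesised comment of
  // the UA string. Returns the major version, or null for non-IE browsers.
  var m = /MSIE (\d+)\./.exec(userAgent || "");
  return m ? parseInt(m[1], 10) : null;
}

function isInternetExplorer6(userAgent) {
  return ieMajorVersion(userAgent) === 6;
}

function upgradeNotice(userAgent) {
  // Returns the notice text for IE6 visitors and null for everyone else.
  if (!isInternetExplorer6(userAgent)) {
    return null;
  }
  return "You are using Internet Explorer 6, which is no longer secure. " +
         "Please upgrade to a current browser.";
}

// Constructed sample User-Agent strings (not captured from real visitors).
var SAMPLE_AGENTS = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  ie8: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  firefox: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) " +
           "Gecko/20100115 Firefox/3.6"
};

// When loaded in a browser, attach the notice to the top of the page.
// The guard lets the same file load under Node without a DOM.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  var text = upgradeNotice(navigator.userAgent);
  if (text !== null) {
    var box = document.createElement("div");
    box.setAttribute("role", "alert");
    // A text node, not innerHTML, so the message can never become markup.
    box.appendChild(document.createTextNode(text));
    document.body.insertBefore(box, document.body.firstChild);
  }
}
```

User-Agent sniffing is a convenience, not a guarantee: proxies and users can change the string, and IE7 or later in a compatibility mode may announce an older version, so a notice like this should only ever nag, never gate security decisions.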

I think these folks are serious.

Site IE6NoMore.com here: http://www.ie6nomore.com/

Virus Bulletin story here: “Nearly 20% still running IE 6”

Tom Kelchner

U.S. FTC warns organizations whose private data is on P2P networks

The U.S. Federal Trade Commission has sent letters to nearly 100 organizations telling them that their sensitive information – including customer and employee personal data – is available on peer-to-peer networks. The data could be used for identity theft or fraud.

The groups that received the letters included schools, local governments, large corporations and small businesses. In the letters the FTC urged the recipients to review their own security practices and those of their contractors.

FTC news release here.

Tom Kelchner

FBI will investigate Pa. school district webcam spying

The FBI has said it will be checking to see if any federal wiretapping or computer-related laws were broken by a Pennsylvania school district in connection with an incident in which someone turned on the webcam in a school-issued computer and spied on a student in his own home.

The incident occurred in Lower Merion School District, located in Montgomery County near Philadelphia. The county district attorney also is investigating.

Last week, a student filed suit in federal court after facing disciplinary action as a result of information collected from the web cam on his school-issued Apple laptop. In the complaint, he alleges that school officials confronted him with a photograph of him engaging in “improper behavior” that was taken in his home.

The school had installed the webcam spyware on the 2,300 laptops issued to high school students in order to help find the machines if they were lost or stolen. Only two employees were authorized to activate the cameras.

. . .

Preserving privacy gets tougher and tougher as technology develops. Perfectly legitimate information systems are full of personal information or access to it — as in this case — and search technology is getting better and better. It just makes it too easy for employees to snoop or officials to misuse the systems. Guarding privacy is a serious job involving licensing agreements, procedures for employees who access data, intrusion prevention and hopefully encryption.

This story is about a serious insider threat. Only two people were supposed to have access to the technology to turn on the web cams, and it was to be used only to find lost or stolen machines. Instead, according to the suit, the system was used by someone for some kind of enforcement action that wasn’t spelled out to the students and their families in advance.

The result is a FEDERAL criminal investigation and a FEDERAL lawsuit in addition to a possible action in county court. That is tremendously damaging to the school district’s reputation, is probably going to cost the district a load of money and is probably going to cost some people their jobs.

It’s easy to get paranoid about the cameras and government monitoring systems that seem to expand with each year. About five years ago a security researcher I knew began saying: “there’s no privacy. Get over it.”

I had hoped he was just being pessimistic. I’m not too sure any more.

Oh yeah, for the other 2,299 students in the Lower Merion School District: a piece of duct tape over the web cam in your school computer is a good low-tech remediation.

Story here: “F.B.I. Queries Webcam Use by Schools”

Update 02/23:

Absolute Software of Vancouver, BC, Canada, the maker of the tracking software the school district used, has condemned the “vigilantism” that resulted in this brouhaha.

Absolute said the district was using LANRev software, which most school district customers use for power management. Absolute acquired the LANRev technology last year and calls it a “legacy” product. The software includes a feature called Theft Track, which allows investigators to switch on a laptop’s camera to photograph thieves when a computer is stolen. The company said it would update its Absolute Manage product shortly and disable the Theft Track feature.

According to the Lower Merion school district, the IT staff has switched on the camera of missing computers 42 times this school year and recovered 18 machines.

The 16-year-old student whose parents brought the federal suit said he was accused of selling drugs and taking them by his principal after the webcam in his computer was turned on. He claimed the recorded images showed him eating candy.

ComputerWorld story here: “Software maker blasts ‘vigilantism’ in Pa. school spying case”

Tom Kelchner

Paper Ghost on game console hacking – the short version

Xboxhacktools

If you’re curious about the content of my recent talk on the exploits, hacks and phish attacks based around console gaming http://sunbeltblog.blogspot.com/2010/02/are-threats-to-gamers-being-taken.html (specifically, the Xbox 360 console) but don’t have time to listen to the whole Sector.ca presentation – no problem.

I recently did an interview with John Leyden of The Register about just that topic, and you can see the results in a three page article here.

It covers the main points of the talk in detail, and will hopefully give you a better idea of some of the threats out there in console land. There’s a lot more out there than just what I talk about, of course (and as the article notes, I barely touch on PC related gaming threats of which there are many) but it’s a great place to start if you’re interested in the subject.

Chris Boyd

Kneber is the new Zbot/Zeus

Security blogger Brian Krebs on Friday wrote a column on the spreading infections from the Kneber botnet, which apparently caught a lot of people’s eyes. The question has come up: “does VIPRE protect me against Kneber?”

Kneber is simply a name that Netwitness gave to a variant of Zbot (also called Zeus.) It is not new. Our detections for some of the earliest variants date back to late 2006.

VIPRE detections for Zbot/Zeus/Kneber have been in place for some time. They actually are very good detections — among the top in the AV industry.

Krebs column here.

Update 02/22:

The DaniWeb site is carrying a story on this that suggests where the name “Kneber” came from:

“The reason some folks have nicknamed it Kneber is that the malware domains involved in this particular branch of the Zeus botnet have “Hilary Kneber” listed as the domain registrant. Of course, Hilary Kneber is likely a completely made-up name” comments Mary Landesman, senior security researcher at ScanSafe.

DaniWeb story here.

Update 02/22 12 p.m. EST

Here are some more good details about the Kneber/Zbot/Zeus history from Dancho Danchev on ZDNet:

01. Why the name Kneber botnet?

The name Kneber comes from the email used to register the initial domain, used in the campaign – HilaryKneber@yahoo.com. What’s particularly interesting about this email, is the fact that it was also profiled in December, 2009’s “Celebrity-Themed Scareware Campaign Abusing DocStoc” analysis, linking it to money-mule recruitment campaigns back then.

02. My time is precious. In short, what is the Kneber botnet at the bottom line?

It’s a mini Zeus crimeware botnet, one of the most prevalent pieces of malicious software that successfully undermines two-factor authentication on the infected hosts (Report: 48% of 22 million scanned computers infected with malware), and is slipping through signature-based antivirus detection (Modern banker malware undermines two-factor authentication) due to the systematically updated binaries.

Story here.

— Tom Kelchner

Internet users skip security because of jargon

Representatives of computer companies and governments meeting at the EastWest Institute security meeting in Brussels said that an industry culture of obscure jargon is preventing the world’s two billion Internet users from putting security measures in place to protect themselves.

The group met to figure out how to protect computer users from massive abuse, fraud, online theft, vandalism and espionage.

The New York Times story carried the following quotes from those at the meeting:

“The malicious and criminal use of cyberspace today is stunning in its scope and innovation,” — Dell Services President Peter Altabef.

“If you don’t demystify security, people become anxious about it and don’t want to do it…. There are some people in the profession who to some degree enjoy the mystification of what they do, that it’s not penetrable. It’s almost a sense of superiority,” — former U.S. Homeland Security Secretary Michael Chertoff

“We use a lot of complex terminology where it’s not needed. We don’t encourage people to think enough,” — Steve Purser, head of Technical Competence at the EU’s European Network and Information Security Agency.

The ugly reality is that computers are not simple and computer security is very technical and ever-changing.

Personally I don’t think very many technical people have the “sense of superiority” that Chertoff mentioned. A huge number of them have mathematical, detail-oriented minds and they simply aren’t good communicators. There are fabulous communicators in the computer security space, but, it takes a “big picture” mind set to communicate well. It takes a “little-tiny-detail” mind to write code, run networks and keep security systems running.

The best we can do is to keep trying through:

— industry wide consciousness that we NEED to explain things to non-technical people
— company blogs written for the common user
— resource pages with easy-to-understand materials about security
— organizations such as the various Computer Emergency Response Teams (CERTs) and non-profit organizations
— security-awareness days and PR events
— graphic user interfaces, help screens and manuals written with inexperienced users in mind

Companies, organizations and government agencies should hire professional communicators, teach them computer security and have them write/tweet/blog/speak to teach kids and the “home user” what they need. Hey, the newspaper business is going the way of the buggy-whip industry. There are loads of great journalists out there looking for a new career.

That’s how I got here.

Story here.

A great resource for “non-technical” people can be found at US-CERT’s site: http://www.us-cert.gov/nav/nt01/

And the National Cyber Security Alliance site StaySafeOnline.org: http://www.staysafeonline.org/

Tom Kelchner

Exploit for zero-day vuln in Firefox is for sale

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available, though, since he has packaged it as a module for the exploitation framework he sells (reportedly at a considerable price). Legerov has not provided information on the vulnerability to Mozilla.

The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.”

The exploit works against Firefox 3.6 on Windows XP and Vista.

If Legerov hasn’t given Mozilla details of the flaw, as one would under the rules of responsible disclosure, it raises the question: “to whom does he sell his software?”

There don’t seem to be any more details of the vulnerability available. Expectations are that the exploit will be more widely available in the wild shortly. Until Mozilla has something to patch, vulnerability research firm Secunia can only offer users general advice:

“Solution

“Do not visit untrusted websites or follow untrusted links.”

Story here.

0day vuln in Adobe Download Manager disclosed

Calc

First, make a note: after Adobe updates, restart your machine immediately to get rid of the Adobe Download Manager – while it is still running it can be a vector for malcode.

Now, back to our story.

Aviv Raff has discovered a vulnerability in Adobe’s web site in combination with its Download Manager, an ActiveX component that is used to download updates for Reader and Flash. After a Reader or Flash update the download manager remains running on the user’s machine until it is rebooted, and during that window an attacker could abuse it to download code of their choice onto the machine.

Raff demonstrated the flaw by using the download manager to download a copy of Windows calculator.

He has notified Adobe of the problem but has not publicly disclosed the finer details of the vulnerability.

Raff’s blog post here.

News story here.

Update 02/23:

Fixed: “Security update available for Adobe Download Manager” here.

Tom Kelchner

Antivirus NOT

“Damned thieves. Stole our logo. I suppose we should be flattered, though.”
— A.E.

Old rogue, new package:

Ripoff

AntivirusProtectionCenter
av2009.exe :
crc6:7f3d73762762
crc8:003091628c68decc
md5:d71d1e303ab963fdae76936ba52a05b7

AMC.exe :
crc6:1d6922972762
crc8:003005cfbb91b729
md5:e5555754fd758fc2be1374796f9433e2

The hashes differ from those of the same gang’s PersonalAntiMalware rogue, added 2/16/2010:

opener_.exe :
crc6:8ee75c08081d
crc8:00dc55e5aaa82efa
md5:5bb290cd1eb419ca98ca1f31273f7219
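The MD5 values above are the only part of this listing that can be reproduced outside Sunbelt (the crc6/crc8 fields are our internal identifiers), so here is an added example, not code from the original post, of sweeping a machine for files matching them. It walks a directory tree, hashes Windows executables in chunks and reports anything on the blocklist; the `demo()` function plants a constructed fake sample in a temporary directory and adds its hash to a copy of the list, since the real rogue binaries are not shipped with this page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values listed in the post for the AntivirusProtectionCenter and
# PersonalAntiMalware rogues. The crc6/crc8 fields are Sunbelt-internal
# identifiers and are not computed here.
ROGUE_MD5 = {
    "d71d1e303ab963fdae76936ba52a05b7": "AntivirusProtectionCenter av2009.exe",
    "e5555754fd758fc2be1374796f9433e2": "AntivirusProtectionCenter AMC.exe",
    "5bb290cd1eb419ca98ca1f31273f7219": "PersonalAntiMalware opener_.exe",
}


def md5_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, blocklist=ROGUE_MD5, suffixes=(".exe", ".dll", ".scr")):
    """Walk `root` and return {path: label} for every file whose MD5 is on the blocklist.

    Only Windows executable extensions are hashed by default; pass suffixes=None
    to hash everything. Unreadable files (locked, permission denied) are skipped
    rather than aborting the whole sweep.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in blocklist:
                hits[path] = blocklist[digest]
    return hits


def demo():
    """Constructed demo: plant a fake 'rogue' and a benign file, then sweep.

    The planted file's content is made up for this example, so its hash is
    added to a copy of the blocklist; the real entries stay in place.
    """
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "Temp" / "av2009.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed, not a real rogue")
        benign = Path(tmp) / "notepad.exe"
        benign.write_bytes(b"MZ" + b"\x00" * 62 + b"benign")
        blocklist = dict(ROGUE_MD5)
        blocklist[md5_file(planted)] = "constructed sample"
        hits = scan_tree(tmp, blocklist)
        return {os.path.relpath(p, tmp): label for p, label in hits.items()}


if __name__ == "__main__":
    print(demo())
```

Hash matching like this only catches the exact builds listed; as the post itself shows, the same gang repackages the rogue and every hash changes, so treat a hit as confirmation and a miss as nothing more than “not one of these three files.”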

“It’s the same gang that had the code saying ‘hello Sunbelt software’
They are watching us.”
— P.J.

Thanks Alex. Thanks Patrick. Thanks Bharath.

Tom Kelchner

Zeus botnet continues: 2,500 victims estimated

Herndon, Va., forensics firm NetWitness has said that the Zeus botnet has breached the networks of nearly 2,500 organizations in nearly 200 countries, including 10 U.S. federal agencies. NetWitness researchers said many victims are Fortune 500 companies in energy, finance and high tech sectors.

NetWitness based its conclusions on a 75-gigabyte collection of data that it intercepted: information the botnet had stolen in a single month.

The Zeus botnet, which started in 2008, is believed to include about 74,000 infected machines.

Researchers said the group behind this Zeus botnet had also infected machines with Waledac, and had changed the botnet’s instructions several times in order to find and steal different types of data.

The botnet controllers, using servers in Germany and the Netherlands, had breached networks in 196 countries including Egypt, Mexico, Saudi Arabia, Turkey, and the U.S.

Story here.

Tom Kelchner