4.4 percent in China have no AV – that might not be too bad

The number for the rest of the world might be 26 percent

There is a story making headlines on the computer security news sources today about estimates that 4.4 percent of Chinese Internet users have no anti-virus software, up from 3.9 percent last year. That’s about 17 million machines. The numbers came from surveying by the China Internet Network Information Center (CNNIC) and China’s National Computer Network Emergency Response Technical Team (CNCERT).

CNNIC said it estimated that 384 million people in China use the Internet

Story here.

I went looking for figures for the rest of the world. Similar surveying doesn’t exactly pop out of Google, but I did find one story.

Netherlands-based security company SurfRight released results of a study they did in December. “32 Percent of Computer Users Still Infected, Despite Presence of Anti Virus Program”

They scanned 107,435 machines and found that 28,607 had no up-to-date AV: that’s 26.6 percent without functional anti-virus software.

Of course, SurfRight didn’t break out the group that has no AV installed at all from those who have it but haven’t updated it, so the two figures aren’t directly comparable.

In any case, they all should be installing VIPRE.

Tom Kelchner

Ah yes. FBI agent Brad Martins with the “global scam Fither in CA 93535”

Good God! A 419 scam email from someone in grade school!

From: FBI AGENT [mailto:hal-eduserv@att.net]
Sent: Wednesday, March 31, 2010 7:34 AM
Subject: FBI AGENT

Hello honest people………

We got your contact from our Microsoft data-base system. This is to inform you all that have lost money to Scammers in Africa, Europe and USA. We hear by inform you there is quick opportunity for you mostly on lottery. My name is FBI brad Martins I assure you am doing all I can to get your lost money back in 2 days . I know what scam means. I work with the global scam Fither in CA 93535.we have all the global scam computer to trace all Scammers Name and location. Reply back to us. We just caught a scammer now, and we found some money with him, we are returning it back to those involves. This mean your money will be refund back to you.Get back to the FBI through this email for immediate response scamtrack2010@gmail.com

Thanks Larry.

Tom Kelchner

Google: beware spyware from Vietnam

Spyware/DDoS malware combo

Neel Mehta of Google’s security team has blogged about yet another spyware attack on Google users originating in Asia. This time, forces in Vietnam apparently are trying to spy on and stifle dissent from those opposed to the expansion of bauxite mining in the country’s central highlands. The dissenters object to the environmental impact, the involvement of Chinese companies in the venture and the displacement of people who live in the mining area. Bauxite is the ore from which aluminum is extracted.

Chinese attempts to spy on dissidents’ Gmail accounts made headlines in January. At that time, Google said it would pull its operations out of China because of a wave of hack attacks from China on it and more than 30 other companies, mostly in Silicon Valley. The attacks were largely based on spear phishing and exploited an Adobe .pdf vulnerability to plant Trojans. An investigation by Google showed that the attackers were trying to download information from the Gmail accounts of Chinese dissidents and steal source code. (Sunbelt Blog: “Google might leave China”)

The malcode that Google just found infects Vietnamese language keyboard software that has been downloaded worldwide. Mehta says the spyware also is capable of participating in distributed denial of service attacks against bloggers opposed to the mining.

Mehta advised those who think they may be infected to run a scan, since the leading AV vendors now detect the malcode.

“New technology like our suspicious account activity alerts in Gmail should also help detect surveillance efforts. At a larger scale, we feel the international community needs to take cybersecurity seriously to help keep free opinion flowing,” he said.

Google Security Blog here.

Tom Kelchner

Forbes: “It’s all just Malware now”

It seems I prompted an exploration of infection-related search terms in Google Trends over on the Forbes.com Firewall blog. “Malware” is becoming a sort of catch-all term for end-users, slowly replacing the various Ad/Mal/Spyware classifications.

Article here – worth checking out the comment by Andy Hayter, Anti-Malcode Program Manager of ICSA Labs, too. Of course, I like to think I might have contributed in some small way to certain search terms going the way of the Dinosaur…

Christopher Boyd

Running executables in PDF: it’s a feature

Didier Stevens, security professional and blogger, has found a “feature” in the PDF file format that makes it possible to package an executable in a PDF file which will run in Foxit PDF reader or run in Adobe Reader with a bit of social engineering.

“With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).”

“…preventing Adobe Reader from creating new processes blocks this trick,” he said.

“In this case, Foxit Reader is probably worse than Adobe Reader, because no warning gets displayed to prevent the launch action. My PoC PDF requires some changes for Foxit Reader, because ultimately, the executable doesn’t run. But that’s probably due to some variation in the PDF language supported by Foxit Reader.”

Stevens has made available a proof-of-concept sample and said he notified Adobe’s product security incident response team.

Until this is solved, it would be a good idea to READ any notification that pops up when you open a PDF file and DO NOT let yourself be socially engineered into disregarding warnings about launching executables.
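Since this is a documented feature of the PDF language rather than a parser bug, it can be found by looking for it. The scanner below is an added example written for this post; it is not Stevens’ proof of concept and not his code. It builds three constructed documents (a /Launch action fired from the catalog’s /OpenAction, the same action with its name hex-escaped as /L#61unch, and a clean one-page control) and reports which objects carry a /Launch action, what they would ask the reader to run, and whether the document fires them automatically. The cmd.exe target and the object layout are assumptions for illustration.

```python
import re

# Constructed sample, not Stevens' PoC: a minimal PDF whose catalog /OpenAction
# points at a /Launch action dictionary, so the reader fires it on open.
LAUNCH_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same action with the name hex-escaped (/L#61unch): legal PDF syntax, and
# enough to slip past a scanner that greps for the literal string "/Launch".
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

# Harmless control document: one page, no actions at all.
CLEAN_PDF = b"""%PDF-1.1
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
FILE_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<[^>]*?/S\s*/Launch\b", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes so /L#61unch compares equal to /Launch.

    Applied to the whole buffer rather than only to name tokens; that can
    corrupt bytes inside streams, which this heuristic scanner never
    interprets anyway.
    """
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Report every object carrying a /Launch action and whether the
    document auto-fires it via /OpenAction.

    Works on raw bytes with no real PDF parser, so it does not see inside
    compressed object streams (PDF 1.5+); treat that as a known blind spot,
    not as a clean result.
    """
    text = normalize_names(data)
    auto_open = {int(n) for n in OPENACTION_REF_RE.findall(text)}
    findings = []
    for num, _gen, body in OBJ_RE.findall(text):
        if not LAUNCH_RE.search(body):
            continue
        targets = [t.decode("latin-1") for t in FILE_RE.findall(body)]
        findings.append({
            "object": int(num),
            "targets": targets,             # what the reader would be asked to run
            "auto_open": int(num) in auto_open,
        })
    inline = OPENACTION_INLINE_RE.search(text) is not None
    return {"launch_actions": findings, "suspicious": bool(findings) or inline}


if __name__ == "__main__":
    for label, doc in (("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf(doc))
```

A /Launch hit is not by itself proof of malice (some legitimate documents use it), but a /Launch that is also the document’s /OpenAction, pointing at cmd.exe or a path inside the user’s temp directory, is exactly the pattern Stevens describes and is worth blocking at the mail gateway.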

Stevens’ blog piece here.

Thanks Trip.

Tom Kelchner

Update 04/02:

Foxit issued an update to fix the problem (Foxit Reader 3.2.1): http://www.foxitsoftware.com/downloads/index.php

Update 04/06:

The patch fixed Foxit’s vulnerability to the POC code written for it, but now it’s vulnerable to the POC exploit written for Adobe! Story here.

Be wary of Steam password stealers

There are a couple of programs in circulation at the moment designed to steal Steam account login credentials. People can have a lot of money invested in Steam purchases (if you buy PC games online, Steam is probably the best digital delivery service around), and having an account stolen isn’t really the greatest thing in the world.

Steam is a popular thing to have in webcafes, and the company behind it actually supports this in a very big way. These particular infection files would cause the most trouble on the networks of netcafes with minimal security in place, allowing chancers to install files from a USB stick, let the stealer grab account logins, then come back later to collect the passwords.

This is what the first one looks like:

Fake Steam Login

There are a number of clues that the above is 100% fake. For starters, it’s based on the old-style Steam login, which may tip off a clued-up gamer. Secondly, the spelling is all over the place: “Please re-login with you’r correct login informations for being safe from hackers”.

Oh dear. “Copyrighted” doesn’t do them any favours, either.

I suppose the creator knew he wouldn’t get very far with the above, because there’s a second version and it’s a lot more impressive, sadly:

Fake Steam

Looking absolutely identical to the real thing, only a clued-up webcafe Admin type guy would save the day at this point, either by having the network locked down or by running security software that detects the threat. Once the account details are entered, they appear in a .txt file wherever the logger happens to be running on the PC at the time:

stolen login

Poor old Fakey Mc Fakename can wave goodbye to his account.

We detect both of these as Trojan-PSW.Win32.Steam.z – you can see the most recent count on VirusTotal here.

Christopher Boyd

Australian Internet censorship row warms up

There seems to be an established procedure used by government officials who want to censor Internet traffic: begin requiring Google and ISPs to filter pornography then sneak in filtering of the politically sensitive material of your choice.

Maybe we should give this a name: how about “porn filter law bait and switch?”

In China’s Green Dam fiasco last summer, the web filter that was required on new machines (before the whole idea broke down) was supposed to protect good Chinese Internet users from sex and violence. When various researchers took apart the Green Dam files, however, they found that 1) it ripped off a lot of code from a U.S. company and 2) two thirds of the strings it was set up to filter were politically sensitive words and not sex and violence issues at all.

Australian Communications Minister Stephen Conroy is taking the same tack: He’s furious that Google is opposed to the Internet filtering scheme he’s proposing. It starts with sexually related web sites (which present photos of flat-chested women allegedly preferred by pedophiles), but his blacklist also includes material that would screen discussions of sexual health matters and EUTHANASIA. Conroy is a strong opponent of euthanasia.

Inquirer story here: “Australia attacks Google”

Tom Kelchner

Facebook “Antivirus” nuisance tags friends in photos

Facebook is working on filtering a piece of nuisance malware that poses as a “Facebook antivirus” application that — when it’s installed — puts several dozen photos on a victim’s Facebook wall and tags their friends in them. Once their friends click on the “tagged” photo, they are offered the fake anti-virus.

Spellings include: “F’acebook Antivirus,” “Facebook Antivirus” and “Antivirus in Focebook”

Facebook Insider said Facebook is filtering the fake tags and gives instructions for removing tags of oneself from friends’ photos.

Story here: “Warning: Facebook Antivirus Will Virally Spam Your Friends”

Tom Kelchner

EXEs in word docs

Today, our friends at Trend Micro blogged about a new attack vector using Microsoft Word documents. We saw this as well last week, and have written a detection for the dropped trojan.

It’s not just a “lawsuit” that’s being spammed, we also picked up another form of this attack in our honeypots over the weekend:

Wordvector182312388

When you open the Word document, you see a “PDF”, but it’s actually not. It’s a JPG, which links to an executable.

Document12381231231238

In Word 2007, it’s kind of like the Amish virus: The user has to really want to get infected.

Openpackage12388

Latest VirusTotal detection here.
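A .docx is a zip package, which is why the trick needs a user who really wants to get infected: the “PDF” is a JPEG in word/media, and the executable has to ride along as an embedded object part that Word will only run after a double-click and a warning. The following is an added example, not Alex’s sample or Sunbelt’s detection, that builds a constructed stand-in for the document (the embedded part holds a bare PE header plus DOS stub rather than a real OLE-wrapped binary, an assumption for illustration) and then lists every part that either looks like a PE image or lives where Word keeps double-clickable objects.

```python
import io
import zipfile

DOS_STUB = b"This program cannot be run in DOS mode"
# Package parts where Word keeps objects a user can double-click into running.
EMBEDDED_PREFIXES = ("word/embeddings/", "word/activeX/", "word/vbaProject")

CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
    '<Default Extension="jpg" ContentType="image/jpeg"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)


def build_sample_docx(with_executable: bool) -> bytes:
    """Constructed stand-in for the spammed document, not the real sample.

    A .docx is a zip; the decoy "PDF" icon is just a JPEG in word/media, and
    the executable rides along as an embedded OLE package part.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG magic
        if with_executable:
            # Real samples wrap the PE in an OLE compound file; the DOS stub
            # survives that wrapping verbatim, so it is the signal to key on.
            z.writestr(
                "word/embeddings/oleObject1.bin",
                b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\r\n$",
            )
    return buf.getvalue()


def scan_docx(data: bytes) -> list:
    """Flag parts that either look like a PE image or live where Word keeps
    double-clickable objects. A hit means "open this in a sandbox", not
    "this is malware": legitimate embedded spreadsheets land here too.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            blob = z.read(info.filename)
            looks_like_pe = blob.startswith(b"MZ") or DOS_STUB in blob
            embedded = info.filename.startswith(EMBEDDED_PREFIXES)
            if looks_like_pe or embedded:
                findings.append({
                    "part": info.filename,
                    "embedded_object": embedded,
                    "pe_signature": looks_like_pe,
                    "size": info.file_size,
                })
    return findings


if __name__ == "__main__":
    print(scan_docx(build_sample_docx(True)))   # one finding: word/embeddings/oleObject1.bin
    print(scan_docx(build_sample_docx(False)))  # []
```

The same walk over the zip works for .xlsx and .pptx, which use the same package layout under xl/ and ppt/; the prefixes above would need extending for those.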

Alex Eckelberry

Microsoft out-of-band patch tomorrow

Microsoft said today it will issue an out-of-band patch tomorrow for a vulnerability in Internet Explorer 6 and 7 that is being actively exploited.

“The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution,” Microsoft said in its Security Advisory 981374 earlier this month.

“In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability,” they said.

The vulnerability is tracked as CVE-2010-0806.

Advisory here.

Tom Kelchner

XBox Live Director’s Account Compromised

It seems Larry Hryb, Director of XBox Live Programming, had his account taken over at the weekend. However, there are a number of faintly hysterical headlines claiming he was “hacked” along with “are you next?” taglines (such as this one), and I thought it might be useful to look at the methods the team behind the attack might have used and how you can lessen the chance of something similar happening to you.

First of all – let’s see what happened to “Major Nelson” (as he’s better known). His Live account was hijacked, and numerous offensive messages were posted to the Biography section. Here’s a screenshot:

Nelson Compromised

As you can see, “Code of Conduct” is in his speech balloon and Name / Location are, er, somewhat colourful. At one point it also said “Any account $100 PayPal!!!!!!!!”

Where this tale becomes interesting is the fact that the attacker has put an endless stream of information about himself onto the Net. The homepage of his crew hosts a video that reveals his Skype address, AIM account and – more seriously for him – a name and address that the URL is registered to (his Facebook page is supposedly all over forums, and he seems to have a history of console scamming dating back to at least 2008). While the information could be false, everything about this so far screams “script kiddies” and generally speaking they don’t tend to think about faking Whois data.

Nelsn2

Script kiddies or not, they still managed to compromise the account of a Microsoft Exec. How did they do this? Well, I talked about some of the methods used in relation to grabbing XBox Live accounts in Canada last year – while there’s no way to know how they did this yet, we can explore a few of the possibilities available to the account compromisers out there:

1) Phishing. This is usually the number one method for grabbing XBox Live accounts – fake XBox Live logins are a dime a dozen, and they also tie into fake XBox Live Generator programs (that claim to give you “free money” but actually steal your account details). Sometimes people will send phish links or requests for logins from compromised accounts, too:

phish message

Now, I can’t imagine Major Nelson running a fake generator and I don’t think he’d fall for a random phish. What IS interesting here is that Stephen Toulouse (the Director of Policy Enforcement) said the following on Twitter:

“Looks like this was very specific and very targeted to Major. I’ll look into the details and report back later.”

Could it have been a spear phish? It seems doubtful, given the way the individuals behind the attack have placed all sorts of personal data online for investigators to follow. Stranger things have happened, however.

2) Social Engineering. There are a number of options available here, but more often than not an attacker won’t try to Social Engineer the victim; they try to fool the support staff on the other end of the helplines. Of course, this is the one place where the victim is somewhat helpless – if the support staff falls for an individual calling up pretending to be you, there’s not a lot you can do about it.

Having said that, individuals that attempt these kinds of calls usually run into a brick wall if you take some precautions. Entering some false information into the personal info boxes for the questions attackers are most likely to know the answers to works wonders (though it goes without saying you need to remember what information you’ve put into the account!):

Nelsn4

If you’re curious about the EMail address having underscores in it, there is a theory that support staff the world over will see an EMail address show up on their system with what appear to be letters “missing” and think it’s protected by some fancy pants security system. Of course, it isn’t – but if the attacker is trying to squeeze your EMail address out of the support staff and they can’t even read it back to them properly then great.

3) Live Account Password Reset. The other method is the old classic – guess the secret answer to the Live account password reset question. A good tactic here is to have a totally nonsensical (but memorable!) answer to one of the common questions. As you can see, my mother has an interesting birthplace:

fake answers

I also appear to live in Rwanda, which is probably going to confuse the attackers a little bit more. It’ll be interesting to see if Microsoft releases any additional information on this high-profile compromise, although you probably don’t need to start worrying just yet about the safety of your XBox Live details. As long as you steer clear of phishes, strange programs advertised on YouTube and messages from people you don’t know, and apply a little common sense to the information you enter on contact forms, you’ll probably be fine.

Christopher Boyd

Help The Homeless, Feed the Phishers?

Well, this is unfortunate. In the UK, we have something called “The Big Issue”, which is a magazine designed to help the homeless get back into society via a legitimate income. It sells around 300,000 copies a week and is listed as the third-favourite newspaper of young British people aged 15 to 24, according to Wikipedia.

At this moment in time, The Big Issue website is playing host to a French Paypal Phish – they have a zipped copy of the Phish uploaded to the server, and a live Phish directory too:

Hacked

Here’s the live Phish:

Big Issue Phish

Should the end-user enter their Paypal login, the next screen they see asks them to “Update their Paypal account” with valid card details:

Bigssuehck4

Checking out the Fiddler log reveals something interesting:

Bigssuehck3

Googling for that particular name reveals it has appeared in a couple of Paypal related Phishes previously, all at the tail end of 2009.

We’ve notified the host, and hopefully the Phish will be offline soon. Making ill-gotten gains through the website of a magazine designed to help generate income for the homeless is in pretty poor taste, even for a scammer.

Christopher Boyd

Site carries uncensored Chinese opinion on Google

Cracks in the Great Firewall of China

Slashdot.org had a brief story this morning about pro-Google comments of Chinese Web users that were carried on the ChinaSMACK web site.

ChinaSmack_logo

ChinaSMACK was registered in June 2008 by a California-based proxy service and it has a lot of friends:

ChinaSmack friends

It hosts a lot of pro-Chinese government comments, but a few interesting critical ones as well. Some shed a little light on Chinese government censorship methods:

— “I just know that on this piece of land that is the mainland, any media company, whether internet or newspaper, cannot be independent, because the Party manages the media.”

— “Many Chinese netizen comments have been deleted or hidden and most comments that remain visible clearly support the government or are critical of Google. You can see this in the translated comments from NetEase above.”

“On KDS, a popular Shanghai BBS discussion forum, I was able to find some comments in support of Google or critical of the government before they were deleted. KDS moderators first deleted posts with many replies before deleting the smaller posts with fewer replies. Many posts were deleted while I was still collecting comments from them.”

— “First, I don’t believe what the ZF (government) says, and this has nothing to do with whether or not I like Google, it only relates the ZF’s behavior. Next, I like Google, because the value of their first page of information [search results] is higher than Baidu. I am a consumer, don’t care about whatever dog fart politics, nor would I think of everything from a political perspective, but from a consumer’s perspective, I like Google, and no longer having Google I think is really regrettable.”

— “There are only two types of people who will be happy: 1, wumao, 2, Baidu.” (ed. Note: “wumao” are government employees who are paid a small sum for each pro-government comment they post on line. Baidu is China’s biggest search site.)

— “Wumao wishes Google would make a row every month.

1. Always material to write about.
2. “Fees” have caps and are disbursed monthly, benefits can be maximized.
3. If a LAN is really established, then many people will probably lose this job.”

There is a rather interesting (and very scatological) cartoon on the site as well that comments (and we’re really generalizing here) on the fact that Google could no longer accept the humiliation of Chinese censorship and “left the table,” but other search sites “stayed at the table.”

ChinaSMACK site.

Slashdot story here.

Tom Kelchner

Fake updates install backdoors

Our good friends at Bkis, the Hanoi, Vietnam-based security firm, have written about an interesting malcode lure: Trojans masquerading as updates for popular applications such as Adobe, Java or Windows.

The fake updates are distributed with icons of the application they’re impersonating.

Analyst Nguyen Cong Cuong wrote: “In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands.”

As a countermeasure, ignore any email you receive with a link or attachment that claims to be an update. Instead, use the “check for updates” menu choice in the application itself, or Windows Update, so the download comes from the vendor and not from whoever sent the mail.

Bkis blog piece here.

Tom Kelchner

Social media is exposure for password guessing

The Inquirer security news site is reporting that the 25-year-old arrested by French police for hacking a Twitter database and accessing U.S. President Barack Obama’s account simply guessed an administrator’s password.

The unemployed man, who went by the handle “Hacker Croll,” is not a genius, the news site concluded.

“Apparently it was a doddle to do. He simply guessed people’s passwords by working them out from information on their blogs or online pages they had created about themselves,” it said.

So, if you have a web site with pictures of cat “Fluffy” all over it, and you Tweet about Fluffy until your friends start dropping hints about getting a life, it wouldn’t be unreasonable to think that the password you use on your MySpace page, Twitter account and bank web site is something like “fluffy1.”
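To make the point concrete, here is an added example (mine, not the Inquirer’s or Hacker Croll’s method, which the story doesn’t detail) showing both sides of it: what a guesser derives from one profile word, and a check you can run against your own passwords to see whether they are rooted in something you’ve posted publicly. The suffix list and leet table are assumptions about what gets tried first, not data from the story.

```python
import re

LEET_FWD = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
LEET_BACK = str.maketrans("43105", "aeios")
COMMON_SUFFIXES = ("1", "12", "123", "!", "01", "2010", "1!")


def mangle(word: str) -> set:
    """The first few dozen things a guesser tries for one profile word:
    case changes, leet substitutions and the usual trailing digits."""
    base = word.lower()
    forms = {base, base.capitalize(), base.upper(), base.translate(LEET_FWD)}
    for form in list(forms):
        for suffix in COMMON_SUFFIXES:
            forms.add(form + suffix)
    return forms


def guess_list(profile_words) -> list:
    """Candidate passwords derived from words lifted off a public profile
    (pet names, kids, teams, birthplaces). Sorted so the output is stable."""
    candidates = set()
    for word in profile_words:
        if len(word) >= 3:
            candidates |= mangle(word)
    return sorted(candidates)


def password_rooted_in_profile(password: str, profile_words) -> bool:
    """Defensive check for a password policy or a self-audit: strip the usual
    decoration, undo leet, and see whether a profile word is what's left."""
    core = password.lower()
    core = re.sub(r"[\d!@#$%^&*._-]+$", "", core)   # trailing digits/punctuation
    core = core.translate(LEET_BACK)                # 4->a, 3->e, 1->i, 0->o, 5->s
    return any(w.lower() in core for w in profile_words if len(w) >= 3)


if __name__ == "__main__":
    # Constructed profile: the cat from the paragraph above plus a second pet.
    words = ["Fluffy", "Rover"]
    print(len(guess_list(words)), "guesses, e.g.", guess_list(words)[:5])
    for pw in ("fluffy1", "R0v3r1!", "ILoveFluffy2010", "7Q!xm-Zp9r"):
        print(pw, "->", "weak" if password_rooted_in_profile(pw, words) else "ok")
```

The guess list is deliberately small; a real cracking run multiplies it by every word on the profile and every rule in a mangling ruleset, which is why “fluffy1” falls in seconds and why the check in the second function is worth wiring into whatever enforces your password policy.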

Story here.

Not Fluffy

Tom Kelchner

Firefox, IE8 and Safari hacked at CanSecWest

Fast action at Pwn2Own

In the Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, Canada, security researchers and hackers quickly hacked three of the major browsers to take control of the underlying operating systems.

— A German hacker who goes by the handle “Nils” used a previously unknown vulnerability in Mozilla’s Firefox to gain control of a 64-bit Windows 7 machine.

— Peter Vreugdenhil, an independent researcher from the Netherlands, used several vulnerabilities in Internet Explorer to take control of a machine running a fully patched 64-bit Windows 7 installation.

— Researcher Charlie Miller used a vulnerability in the Safari browser to take control of a MacBook.

The winners of the contest get cash prizes and get to keep the machines they hack.

TippingPoint’s Zero Day Initiative, which sponsored the contest, owns the rights to the hacks and will present the details to Mozilla, Microsoft and Apple so those companies can issue patches before details are made public.

TippingPoint has put up $100,000 in prizes for the contest. This is its fourth year.

PCWorld story here.

More details in Computerworld story here.

This is a very high-profile event that helps focus the world’s attention on security vulnerabilities without anyone losing their banking logins, credit card numbers or account balance. The big lesson this year is that all browsers have vulnerabilities that can be exploited by malicious web sites and are often the way in to an operating system. Web users would be well advised to keep alert for updates no matter which one they use.

Various commentators are foaming at the mouth about Windows 7 weaknesses (“a FULLY PATCHED 64 bit Windows 7 installation!”), a Mac being hacked (“see, enterprises shouldn’t rely on the security of OS X!”) and the fact that Ubuntu Linux was NOT hacked (“aw, they just didn’t give them enough time!”)

It’s a passion thing: love me, love my OS.

Tom Kelchner

Google, China trade shots

Google and the Chinese government are continuing to trade shots in the PR battle over net censorship. Earlier in the week, Google moved its Chinese search facility to Hong Kong where it claims it is legal under Chinese law to provide searches without censoring results.

In China:

The Chinese government took a swipe at Google in an op-ed piece in China Daily. The op-ed, under the name of Ding Yifan, included the assertion:

“Google’s withdrawal is not a purely commercial act. The incident has from the beginning been implicated in Washington’s political games with China.”

China Daily op ed here: “Google’s exit a deliberate plot”

In Washington:

Google’s Director of Public Policy, Alan Davidson, testified before the U.S. Congressional-Executive Commission on China yesterday. His remarks stressed the free trade and rule-of-law implications of China’s actions and asked the U.S. government to consider diplomatic and other actions against the dozens of countries in the world that restrict Internet access.

“We should continue to look for effective ways to address unfair foreign trade barriers in the online world: to use trade agreements, trade tools, and trade diplomacy to promote the free flow of information on the Internet,” he said.

Transcript of testimony here.

Google has nothing (else) to lose in all of this. The Chinese government made the search giant’s position in China untenable with the (assumed) hacking of dissidents’ Gmail accounts and intransigence on net censorship.

China’s human rights record is bad enough that it isn’t going to lose much face on that front. A huge number of businesses that want to get into the vast Chinese market probably don’t care about that anyway. Google, however, can paint China as business-hostile by making an issue of the country’s lack of rule of law, (alleged) government-sponsored hacking to steal proprietary information and arbitrary regulations.

Tom Kelchner

Rogue Toolbars Serve Up Facebook Phishing Pages

There are a number of toolbars out there in the wild with a nasty sting in the tail for anybody using them to log in to Facebook. We’ve seen two of these so far; it’s possible there are more.

Promoted as toolbars that allow you to cheat at popular Zynga games such as Mafia Wars, they appear to be normal at first glance with a collection of links to various websites and other features common to this type of program.

toolbar install page

Should the end-user hit the “Facebook” button, however, things start to go wrong very quickly. In testing, what opened up for us wasn’t the real Facebook login screen – it was a verified Facebook Phish.

phish warning

Users were taken to apps-facebook-inthemafia(dot)tk, and at that point only the anti-phish protection in IE and Firefox would probably have saved them from entering their details into the fake page. mafiamafiamafiamafia(dot)t35(dot)com was also flagged on Phishtank, and it looks like we arrived just in time to catch the suspicious activity taking place, because the t35 URL was deactivated shortly after.

The story doesn’t end there, however. Once the above domain went down at around 5:20 GMT, it took around 90 minutes or less before the toolbars were pointing to a fresh URL:

A fresh phish

As you can see from the above screenshot, the toolbars now took end-users to apps-inthemafias-facebook(dot)tk, which was a cover for another t35 URL: mafiawars200uk(dot)t35(dot)com. Again, it wasn’t too long before the domain looked like this:

taken offline

Currently, the toolbars we have point to the real Facebook URL – the obvious danger is that they could suddenly switch to another fake site and continue harvesting Facebook logins. I’ve reported both Toolbars (which can be created by anyone through this Community Toolbar form) to Conduit, and hopefully action will be taken shortly. If we see any new phish pages linked to, I’ll update this entry.

For now, some handy tips:

1) If you install a toolbar from the ourtoolbar(dot)com domain, pay attention to what kind of toolbar it is. Does it promise “cheats” for Zynga games? If so, you might want to avoid logging into Facebook by clicking buttons on the toolbar itself.

2) If you do click a Facebook button on one of these toolbars, are you taken to a .tk domain? If so, check at the bottom of the page – the phish page creators are a little lazy, and have left a rather large clue that you’re not on the real Facebook site:

Fbpshtad

Adverts and a T35 hosting notice – probably a bit of a giveaway (you can also View Source in your browser and confirm you’re on a T35 domain and not Facebook).
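The tips above boil down to one rule: a login page is Facebook’s only if the host is facebook.com or a subdomain of it, regardless of what words appear elsewhere in the URL. Here is that rule as an added example (mine, not Facebook’s or Conduit’s code) that classifies the URLs a toolbar button wants to send you to, using the phish hosts from this post plus two constructed look-alikes. The requirement that the login page be served over https is my assumption about what a legitimate login form should do.

```python
from urllib.parse import urlsplit

# The only hosts a Facebook login form may legitimately live on: the bare
# domain or any subdomain of it. Matching is on the suffix, never on whether
# the word "facebook" appears somewhere in the hostname.
LEGIT_SUFFIXES = ("facebook.com",)


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and for any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def login_url_verdict(url: str) -> tuple:
    """(ok, reason) for a URL a toolbar button or link wants to open."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname"
    if parts.username is not None:
        # https://www.facebook.com@evil.tk/ : everything before '@' is
        # userinfo, which browsers ignore; the real host is what follows it.
        return False, "userinfo before '@' is not the host (real host: %s)" % host
    if not any(host_matches(host, d) for d in LEGIT_SUFFIXES):
        return False, "host %s is not under facebook.com" % host
    if parts.scheme != "https":
        return False, "login page served over %s" % (parts.scheme or "no scheme")
    return True, "ok"


def is_facebook_login(url: str) -> bool:
    return login_url_verdict(url)[0]


if __name__ == "__main__":
    samples = (
        "https://login.facebook.com/login.php",               # genuine
        "http://apps-facebook-inthemafia.tk/login.php",       # from this post
        "http://apps-inthemafias-facebook.tk/",               # from this post
        "https://www.facebook.com.mafiawars200uk.t35.com/",   # constructed look-alike
        "https://www.facebook.com@mafiawars200uk.t35.com/",   # constructed userinfo trick
    )
    for url in samples:
        print(url, "->", login_url_verdict(url))
```

The userinfo case is the one people miss: “www.facebook.com” is right there at the start of the address bar, but it sits before the “@” and so is not the host at all.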

We detect this as Trojan.Fbphishbar. Thanks to Adam Thomas from Sunbelt’s Malware Research Team for additional testing.

Christopher Boyd