General discussion

NEWS - April 27, 2010

Fake Anti-virus Peddlers Outmaneuvering Legitimate AV

Purveyors of fake anti-virus or "scareware" programs have aggressively stepped up their game to evade detection by legitimate anti-virus programs, according to new data from Google.

In a report being released today, Google said that between January 2009 and the end of January 2010, its malware detection infrastructure found some 11,000 malicious or hacked Web pages that attempted to foist fake anti-virus on visitors. The search giant discovered that as 2009 wore on, scareware peddlers dramatically increased both the number of unique strains of malware designed to install fake anti-virus as well as the frequency with which they deployed hacked or malicious sites set up to force the software on visitors.

Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What's more, victims end up handing their credit or debit card information over to the people most likely to defraud them.

Continued here: http://krebsonsecurity.com/2010/04/fake-anti-virus-peddlers-outmaneuvering-legitimate-av/

A copy of the Google report is available here (PDF).
Vulnerable Sites Database

Besides other common sources of real security vulnerabilities made public, such as the full-disclosure mailing list, zone-h.org (well known for the publication of web defacements and vulnerabilities), or xssed.com (which publishes websites that are vulnerable to Cross-Site Scripting, XSS), a new website saw the light this month: the Vulnerable Sites Database (http://www.vs-db.info).

This disclosure repository publishes web server and web application vulnerabilities, such as Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL Injection (SQL), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Directory Traversal, etc. The site says they practice "Responsible disclosure no details are made public (details of vulnerabilities are privately reported to developer or web site owners).", with limited details about the vulnerability, but definitely becoming a new wall of shame. A new place to keep an eye on and try not to show up in the picture.

Although similar initiatives existed in the past and then disappeared, and although it is too soon to confirm, for now the site remains very active with multiple daily entries.

Continued here: http://isc.sans.org/diary.html?storyid=8701

Dissecting Koobface Gang's Latest Facebook Spreading Campaign

From Dancho Danchev's Blog:

During the weekend, our "dear friends" from the Koobface gang -- folks, you're so not forgotten, with the scale of diversification for your activities to be publicly summarized within the next few days -- launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.

Recommended reading: 10 things you didn't know about the Koobface gang

What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connections with xorg.pl (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on Koobface-serving compromised hosts.

Moreover, the majority of scareware domains, including the redirectors continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular.

* Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

With the campaign still ongoing it's time to dissect it, expose the scareware domains portfolio and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their services since November, 2009. AS29073, ECATEL-AS Koobface gang connections:

Continued here: http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html

Intrusion detector Snort now has improved HTTP inspection

According to the Snort developers, the latest 2.8.6 release can now divide HTTP requests into five components (method, URI, header, cookies and body) to allow better analysis. This makes it easier to apply rules to individual components. Decompression of packets zipped using Gzip has been improved, and a sensitive data filter, which seeks to detect and prevent the transfer of personal data, has been implemented. There are a number of additional fixes and stability enhancements.

In a post on its blog, Sourcefire points out a couple of stumbling blocks which arise as a result of the change in rules files version numbers. Version 0.4.1 of Snort rules updater PulledPork is also available and includes a number of improvements.

Continued here: http://www.h-online.com/security/news/item/Intrusion-detector-Snort-now-has-improved-HTTP-inspection-988356.html

Also: New VRT Rulepack Changes (all Snort Users should read)
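As an added illustration of the per-component matching described above (this is not from the H-online article or from Sourcefire's VRT rules), two local rules written against the Snort 2.8.6 http_inspect buffers. The host name, URI path and SIDs are constructed placeholders, and the second rule assumes the sensitive_data preprocessor is enabled in snort.conf.

```snort
# Rule 1: each part of the request is matched in its own buffer rather than
# by a raw payload search, so "POST" appearing in a cookie value or in the
# body cannot satisfy the method check. Placeholders: fakeav.example, /register.php.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL scareware registration form posted to known-bad host"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"/register.php"; http_uri; \
    content:"Host|3A| fakeav.example"; nocase; http_header; \
    classtype:trojan-activity; sid:1000001; rev:1; )

# Rule 2: the new sensitive data filter. sd_pattern rules carry gid:138 and
# fire when the preprocessor sees at least <count> matches of the pattern;
# here two card-number-like values in one outbound HTTP session.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL card numbers leaving the network over HTTP"; \
    metadata:service http; \
    gid:138; sid:1000002; rev:1; sd_pattern:2,credit_card; )
```

Rule 1 only inspects decompressed, normalized buffers if http_inspect is configured for the ports in $HTTP_PORTS, which is the same stumbling block the rulepack change notes below refer to.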

McAfee updates firewall hardware for enterprises

McAfee announced Tuesday the release of its new Firewall Enterprise 8 appliance, touting it as the next generation in firewall devices. The company is targeting the new firewall at security administrators trying to protect their networks from the growing threats of malware and hackers.

IT administrators will be able to set up and enforce policies to filter out thousands of different applications that can sometimes sneak past traditional firewalls, according to McAfee. By tapping into McAfee's cloud-based services and networks, users of the new Firewall Enterprise hardware should be able to keep up with newly developed malware and other emerging threats.

McAfee Firewall Enterprise is also designed to integrate with existing corporate security policies, the company said, which would help IT admins better deal with compliance issues.

As part of its "next generation" features, the new firewall appliance will use global reputation-based technology, which collects data from customers in an attempt to identify threats before they hit other companies. A new geolocation feature also can help businesses limit their network access to sources from locations known and trusted to be secure.

Continued here: http://news.cnet.com/8301-1001_3-20003521-92.html

Canadian Pharmacy spammers set up shop on Twitter

From Graham Cluley's Blog:

At the beginning of this month I received an email telling me about someone new who had started following me on Twitter. [...]

Their name was @canadianshop, and it was immediately apparent that they were promoting a Canadian online pharmacy via their account. These kind of websites are frequently promoted in email spam. [...]

Like every other time you receive a new follower on Twitter, the service reminds you that you can report them for spam:

If you believe canadianshop is engaging in abusive behavior on Twitter, you may report canadianshop for spam.

But for once I decided not to. After all, this account was clearly spammy and I was curious to see how long it would take before someone else reported them and their account was suspended.

That was 24 days ago. And despite the @canadianshop account making no attempt to hide who they are - even their background wallpaper uses familiar imagery used in hundreds of thousands of emails to promote medications like Viagra and Cialis - they remain active on Twitter.

Continued here: http://www.sophos.com/blogs/gc/g/2010/04/27/canadian-pharmacy-spammers-set-shop-twitter/

The comeback of "Storm Worm"

From the CA Security Advisor Research Blog:

CA ISBU recently observed the active comeback of the Storm worm, detected as Win32/Pecoan. It was discovered bundled and distributed by a Trojan downloader along with Win32/FakeAV or Rogue Antivirus malware.

This Win32/Pecoan (aka Storm, Nuwar, Zhelatin, Dorf) variant is currently active as of this blog post and is sending out a massive volume of spam emails to targeted recipients.

Storm botnet spam-generating campaign distributes the following:

* Bogus Online Pharmacy Spam Emails
* Impotency related Spam Emails
* Adult Dating Spam Emails
* Celebrity Scandals Spam Emails

We detect this new variant as Win32/Pecoan.AG.

This Pecoan variant communicates with the spam bot server via an HTTP POST command; the server then responds with the command and data that are used for its spam email messages (see Figure 1). [...]

Continued here: http://community.ca.com/blogs/securityadvisor/archive/2010/04/26/the-come-back-of-storm-worm.aspx

Authorities Seize Gizmodo Editor's Computers

As Brian Stelter reports on the New York Times Media Decoder blog, the computers and servers used by Jason Chen, an editor with the technology blog Gizmodo.com, were seized by the authorities in California on Friday evening.

Mr. Chen wrote extensively about the missing iPhone 4G.

In a blog post on Gizmodo more details were shared about the raid. According to Gizmodo, the police entered Mr. Chen's "home without him present, seizing four computers and two servers." The authorities were using a warrant issued by a judge from the state Superior Court in San Mateo.

Gizmodo also wrote: "According to Gaby Darbyshire, COO of Gawker Media LLC, the search warrant to remove these computers was invalid under section 1524(g) of the California Penal Code."

Continued here: http://bits.blogs.nytimes.com/2010/04/26/police-seize-gizmodo-editors-computer/

Also: Police seize Gizmodo computers in Apple iPhone 4.0 prototype leak

Google backpedals on IP 'anonymization' claim

"Less obscure obscurity"

Google has not only opened up on how often the world's governments request user data stored on its servers. It's come awfully close to acknowledging that it doesn't actually "anonymize" your IP address after 9 months.

As noticed by longtime Google critic Chris Soghoian - now a technical advisor for the US Federal Trade Commission's Division of Privacy and Identity Protection - Google has departed from the usual false claims of anonymization to say that after 9 months, it "obfuscates" your IP. At the very least, this new language isn't as misleading as the old.

An unnamed Googler recently gave an interview to Privacy International over its decision to release data on government requests for your private information, and the new language appeared when he or she was asked how long the company retains unique identifiers.

Continued here: http://www.theregister.co.uk/2010/04/27/google_backtracks_on_ip_anonymization_claims/

Fake IT Email Notification Spreads Malicious PDF

From TrendLabs Malware Blog:

TrendLabs received reports of a suspicious email that claims to be an IT notification, informing users that their mailbox settings have been changed. This email has a .PDF attachment that supposedly contains instructions, which users need to read before updating their settings.

This attack is similar to many we have seen previously purporting to come from a real sender and looking like a semi-legitimate company notification. Through this design, cybercriminals hope to make the malicious email more believable for the recipients, enticing them to open the .PDF attachment. Here's a sample screenshot of one of the emails received: [...]

There are some simple safe computing practices that can always be used when opening emails and executing attachments.

* Always check who the email sender is
* Look for errors in messages
* Do not click embedded links
* Check attachments' real extension names, and never click on executable files

The .PDF attachment is actually a malicious file, which Trend Micro detects as TROJ_PIDIEF.ZAC. When executed, this .PDF file creates the script batscript.vbs, which drops and executes a worm component named game.exe. The worm component also carries the rootkit file bp.sys to possibly hide its malicious routines and prevent itself from being discovered by the user.

Continued here: http://blog.trendmicro.com/fake-it-email-notification-spreads-malicious-pdf/

Sony's Crackle: Invisible Traffic Galore

Ben Edelman:

Advertisers buying display ads from Sony's Crackle.com rightly and reasonably expect that users can see the ads. After all, a visible ad is a basic and crucial condition for effective display advertising: If a user can't see an ad, then the impression is wasted, as is the associated spending. Nonetheless, in a surprising series of incidents, numerous Crackle partners are loading the Crackle site invisibly -- thereby overcharging advertisers for worthless invisible impressions.

Below, I present three recent examples of Crackle partners loading the Crackle site invisibly, largely via 1x1 IFRAMEs. I then tabulate observations preserved by my automation, demonstrating that Crackle's tainted traffic has continued for more than a year. I conclude by flagging implications for traffic measurement and ad pricing, and by suggesting what Crackle should do to clean up this mess.

Continued here: http://www.benedelman.org/news/042710-1.html
