New Koobface variant saves researchers time from analysis
Researchers at McAfee Labs monitor Koobface activity 24/7 via custom honeypots, and while reviewing one such update we noticed a variant that had debug/log features. Unlike the traditional CAPTCHA-breaking technique used to create new accounts, this variant of the worm converts the infected machine into a bot.
When we analysed the malware trapped in our botnet, we found that this variant of Koobface has a special feature for logging all activities carried out during the infection process to a log file. The log file is created under the system root with a date and time stamp, e.g., C:\fb_reg20090612.log.
More details in http://www.avertlabs.com/research/blog/index.php/2010/01/13/new-koobface-variant-saves-researchers-time-from-analysis/
Avatar Success Attracts SEO Poisoning Attacks
The movie Avatar is making a big splash in the global film market, drawing large audiences with its unique viewing experience. It has also attracted some unwanted attention. As people search for information about Avatar on the Internet, cyber criminals are using the opportunity to spread malware. The following figure demonstrates a successful attempt to position malicious content as high as fourth in search results using a common search phrase for the movie. [...]
Cyber criminals compromise vulnerable Web sites and insert the SEO page. When a request is made for that page, the Referer header of the request is checked. If the request comes from a search engine such as Google.com, ask.com, or bing.com, the visitor is redirected to a rogue anti-virus site; other visitors see the page as usual. Websense Security Labs™ has published numerous alerts on this type of incident before, such as Ice Skating Car Video Black Hat SEO and Brittany Murphy's Death SEO Poisoning.
See screenshots and more in http://securitylabs.websense.com/content/Blogs/3529.aspx
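The referrer check described in the Websense item is what makes these pages hard for a site owner to notice: loading the page directly shows nothing wrong. The script below is an added example for this thread, not code from Websense or from the post; it fetches the same URL once with no Referer and once with a Referer imitating each named search engine, and reports any case where the search-engine visitor is redirected off-site or served a different body. The `fetch` functions, hostnames (`victim.example`, `rogue-av.example`) and query strings are constructed for the demo.

```python
"""Detect Referer-based cloaking on a page you administer.

Added example for this thread (not from the Websense post). The
simulated fetch functions below stand in for a compromised and a clean
site; urllib_fetch performs a live request when you want to check a
real URL. All hostnames and sample bodies are constructed.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed Referer values imitating a visitor arriving from the
# search engines named in the post.
SEARCH_ENGINE_REFERERS = (
    "https://www.google.com/search?q=avatar+movie",
    "https://www.bing.com/search?q=avatar+movie",
    "https://www.ask.com/web?q=avatar+movie",
)
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    status: int
    location: Optional[str]   # Location header, if the server sent one
    body: bytes


# A fetch function takes (url, referer-or-None) and returns the raw
# Response WITHOUT following redirects, so the redirect stays visible.
FetchFn = Callable[[str, Optional[str]], Response]


def is_offsite_redirect(url: str, resp: Response) -> bool:
    """True when resp redirects to a host other than the one serving url."""
    if resp.status not in REDIRECT_CODES or not resp.location:
        return False
    return urlparse(resp.location).netloc.lower() != urlparse(url).netloc.lower()


def check_cloaking(url: str, fetch: FetchFn) -> List[Tuple[str, str]]:
    """Compare a no-Referer baseline against each search-engine Referer.

    Returns (referer host, description) pairs; an empty list means the
    page treated every visitor the same way.
    """
    baseline = fetch(url, None)
    findings = []
    for referer in SEARCH_ENGINE_REFERERS:
        engine = urlparse(referer).netloc
        resp = fetch(url, referer)
        if is_offsite_redirect(url, resp) and not is_offsite_redirect(url, baseline):
            findings.append((engine, f"offsite redirect to {resp.location}"))
        elif resp.status != baseline.status:
            findings.append((engine, f"status {resp.status} vs baseline {baseline.status}"))
        elif resp.body != baseline.body:
            findings.append((engine, "different body for the same URL"))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urlopen raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str, referer: Optional[str]) -> Response:
    """Live fetch with the standard library (not used by the offline demo)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as r:
            return Response(r.status, r.headers.get("Location"), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location"), e.read())


def simulated_compromised_fetch(url: str, referer: Optional[str]) -> Response:
    """Constructed stand-in for a compromised site behaving as the post describes."""
    from_search = referer is not None and any(
        e in urlparse(referer).netloc for e in ("google.", "bing.", "ask."))
    if from_search:
        return Response(302, "http://rogue-av.example/scan.php", b"")
    return Response(200, None, b"<html>Avatar fan page</html>")


def simulated_clean_fetch(url: str, referer: Optional[str]) -> Response:
    """Constructed stand-in for an untouched site: same answer for everyone."""
    return Response(200, None, b"<html>Avatar fan page</html>")


if __name__ == "__main__":
    target = "http://victim.example/avatar.html"
    print("compromised:", check_cloaking(target, simulated_compromised_fetch))
    print("clean:      ", check_cloaking(target, simulated_clean_fetch))
```

Run it against your own pages with `check_cloaking(url, urllib_fetch)`. The body comparison is deliberately strict; pages that embed per-request tokens or timestamps will show "different body" for every Referer, so a redirect finding is the strong signal and a body-only finding warrants a manual look at the diff.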
Spam and Phishing Landscape: January 2010
Notable highlights this month include the shift of the regions of message origin, and changes in the average size of spam messages.
- In recent months, APJ and South America have been taking the spam share away from the traditional leaders of North America and EMEA. However, North America and EMEA together sent 57 percent of spam messages in December 2009, compared with 50 percent in November 2009.
- With respect to the average size of the messages, the 2 KB to 5 KB message size category increased by seven percent, while the 5 KB to 10 KB message size category decreased by six percent in December 2009.
- With respect to all spam categories, health and product spam have increased and now account for 52 percent of all spam messages. [...]
In addition, the January 2010 State of Phishing Report has also been made available and highlights the following trends:
- Symantec observed a four percent decrease from the previous month in all phishing attacks.
- Twenty-one percent of phishing URLs were generated using phishing toolkits; a decrease of 19 percent from the previous month.
- A 26 percent decrease from the previous month was observed in non-English phishing sites.
- More than 118 Web hosting services were used, which accounted for 11 percent of all phishing attacks; an increase of two percent in total Web host URLs when compared to the previous month.
Free avast! 5 Chosen for Google Pack
As we get ready to launch our new Avast! Free Antivirus Version 5, we are proud to announce that Google has chosen this product for inclusion in Google Pack. Google Pack is a package of free software that Google assembles and distributes to its users around the world. Google Pack includes Avast for the following languages: French, German, Italian, Czech, Spanish, Russian, Portuguese, and Polish.
The Avast Free Antivirus included in the Google Pack is the same as our regular Avast Free Antivirus. Following the philosophy of Google and Avast, the product is fully featured and does not constantly try to up-sell users to a premium product. The features of this product include:
3. Blocking of malicious websites
4. Blocking of hijacked or infected websites
5. Behavior blocking
6. Heuristics and signature detections
7. Scheduled, on-demand, and real time scanning
8. Gaming and full screen mode
FBI: Beware Haitian Quake Relief Scams
The earthquakes that have wrought so much devastation and death in Haiti this week are moving many to donate to various relief efforts. But security experts and the FBI are warning people to be on the lookout for the ghoulish criminal scams that invariably spring up in the wake of such natural disasters in a bid to siphon funds away from charitable organizations.
In an alert published today, the FBI urged people not to respond to spam messages asking for donations, and to be skeptical of people pretending to be surviving victims or officials asking for donations via e-mail or social networking sites.
Currently, there are a large number of Tweets coursing through Twitter urging users to donate to relief efforts using various text message short codes. While most of these may be promoting campaigns tied to legitimate charities and relief organizations, it's probably safest to ignore incoming suggestions to donate this way.
Continued here: http://www.krebsonsecurity.com/2010/01/fbi-beware-haitian-quake-relief-scams/
Above is a follow up to yesterday's news item "Latest Blackhat SEO on Haiti Earthquake".
Ont. privacy commissioner orders 'strong encryption' of health records
Ontario's privacy commissioner has ordered the Durham Health Region to make sure computerized health records are "strongly encrypted" to avoid another embarrassing loss of health information.
In December the Durham health authority, which is responsible for a large area east of Toronto, announced it had lost the medical records of thousands of people after a nurse misplaced a USB key at Durham region's headquarters in Whitby, Ont.
The information on the USB key, also known as a memory stick, was not encrypted.
The device contained data collected from more than 83,000 patients during H1N1 flu vaccination clinics in the region between Oct. 23 and Dec. 15.
On Thursday, Ontario privacy commissioner Ann Cavoukian said Durham must ensure the safety of patient records and ordered it "to immediately implement procedures to ensure that any personal health information stored on any mobile devices [laptops, memory sticks, etc] is strongly encrypted."
Cavoukian made clear in her report that she expects every health authority in the province — not just Durham — to follow suit.
Analyst's View: Facebook's Automated Security Could Do More
Facebook automatically cleans up malware-infested accounts; now it has help from McAfee. But the social-networking site could do much more to ensure safe computing for all its users.
Facebook has teamed up with McAfee to protect its user base by isolating accounts with malware problems. When I heard that, I pictured some sort of gatekeeper function, like an enterprise's Network Access Control (NAC). A computer that attempts to join a network protected by NAC gets shunted into a virtual holding area until NAC can confirm that it's fully patched, configured correctly, and malware free. If necessary, NAC proactively installs updates, corrects the configuration, and scrubs out malware. Only after this does the computer attain full network access. What a boon to humanity if every Facebook visitor went through such a decontamination!
Of course, the reality isn't nearly so elaborate. If Facebook made all 350 million users wait around for a checkup before each visit, the site would face a full-scale revolt. What actually happens is that Facebook looks for account activity suggesting an infection by Koobface or some other Facebook-focused worm. On detecting a problem it initiates an automatic remediation process. This isn't new technology; it's been around since July 2009. Facebook suspends the compromised account, carefully verifies the user's identity, forces a password change, and gives a little lecture on safety. Once the account is clean, the user can again post every little thought.
Where does McAfee come in? As of this week there's a new stage in the remediation process, a free McAfee Scan and Repair tool. This tool, custom-designed for Facebook, quickly identifies and removes threats relevant to the social-networking service. While it's working it promotes a special six-month free trial of McAfee Internet Security for Facebook users. Note, however, that there's no communication between Facebook's automatic remediation and any existing installation of McAfee Internet Security.
There's a potential problem here for responsible users who already have security software installed.
Complete article in http://www.pcmag.com/article2/0,2817,2358087,00.asp
Also see related news yesterday
BANKER Scams New Spam Victims
Two new spam campaigns spreading variants of the BANKER family of identity-stealing Trojans have recently emerged. The first campaign features spammed messages containing malicious links to supposed pictures. Once clicked, however, users ended up with TSPY_BANKER.OCN infections. This campaign made use of standalone files.
The second campaign was more elaborate, as the malware involved (detected as TSPY_BANKER.MTX) had two components: one steals banking-related information while the other steals email account information.
Both campaigns may, however, be related, as the information they steal from users ends up in drop zones hosted on the same Web server:
Looking up webcomunicaobr.com revealed the following:
IP: 220.127.116.11 Hosted in the USA
ASN: AS46475 LIMESTONENETWORKS Limestone Networks Inc. Primary ASN
Digging a little bit deeper still, three interesting pages cropped up that revealed the number of systems each contracted spammer has infected so far, a list of PHP servers where stolen information is sent, and a list of files that contained encrypted information downloaded by infected hosts.
Complete details with screenshots in http://blog.trendmicro.com/banker-scams-new-spam-victims/
Search Results in Microsoft’s Site May Lead to FAKEAV
Trend Micro was alerted to the discovery of a recent threat that takes advantage of malicious search results generated from the Microsoft Office site.
This threat targets users looking for tips and help-related information on using Microsoft Office products on Microsoft's official website, particularly those looking to delete meeting notices without notifying the other invitees.
Using the search string "delete meeting without notifying invitees" apparently led users to malicious results, which led to the download of two malicious files: webvirusscanner77.com.htm-1 (detected by Trend Micro as HTML_FAKEALE.JD) and Setup102_2045-10.exe-1 or Setup111060_2045-10.exe-1 (aka TROJ_FAKEXPA.IA).
Both files have been found to be FAKEAV variants. Once executed, they displayed fake scanning results and prompted users to buy bogus antivirus software.
Continued in http://blog.trendmicro.com/search-results-in-microsoft’s-site-may-lead-to-fakeav/
Also see previous alert by WebSense on the above in January 8, 2010's news thread
Microsoft, HP fail to back Google's China move: FT
The chief executives of Microsoft and Hewlett-Packard have declined to back Google's threat to pull out of China over censorship and cyberattacks, the Financial Times reported on Thursday.
Microsoft chief executive Steve Ballmer described Google's row with China as "the Google problem," the FT said, while Mark Hurd, CEO of computer maker HP, called China "an amazing market with tremendous growth."
"Every large institution is being hacked," the newspaper quoted Ballmer as saying. "I don't think it's a fundamental change in the security environment on the Internet."
The FT said Ballmer declined to indicate whether Microsoft would stop censoring results on its Bing search engine in China.
Google announced on Tuesday that it would no longer filter search results in China and said it may be forced to pull out of the world's largest online market of 360 million users.
Pizza delivery man cops to life in DarkMarket
Ran 'eBay for criminals' from net cafe
A former London pizza delivery man faces a 10-year prison sentence after admitting he helped found the notorious DarkMarket forum for computer crime, several news sites reported.
Renukanth Subramaniam, a 33-year-old Sri Lanka-born man from North London, pleaded guilty at Blackfriars Crown Court in London to conspiracy to defraud and furnishing false information. Authorities say he joined DarkMarket on its first day of operation in late 2005 and helped build it into an online resource for payment card fraud, with a thriving exchange for buying and selling stolen data and its own secure payment system.
Yahoo also hit by attacks from China
YAHOO!, owner of the No. 2 search engine in the US, was targeted by a Chinese attack similar to the one that affected Google, according to a person familiar with the matter. Google said this week that at least 20 other companies were targeted in a series of 'highly sophisticated' attacks in December. Yahoo was one of those companies, said the person, who declined to be identified because the information isn't public.
Google said this week that it's notifying the other companies, which spanned such industries as finance, technology, media and chemicals. Google declined to identify them. The Chinese attacks also included hackers going after human-rights activists via their Gmail e-mail accounts, Google said.
The popularity of Yahoo's e-mail service could have made it a target, said Danny Sullivan, editor-in-chief of the Search Engine Land site in Redding, Connecticut. "People are looking for places to communicate, and communicate without the Chinese authorities restricting them." Yahoo, which said it 'stands aligned' with Google in condemning the attacks, doesn't disclose attacks on its computer systems. Yahoo sold its Chinese business in 2005, though it has a stake in the country's Alibaba Group.
"Yahoo does not generally disclose that type of information, but we take security very seriously and we take appropriate action in the event of any kind of breach," the company said in a statement.
Previous news on the above in http://forums.cnet.com/5208-6132_102-0.html?messageID=3221397#3221397
Hackers used IE zero-day, not PDF, in China-Google attacks
McAfee blames unpatched IE bug; Microsoft to release security advisory later today
Hackers exploited an unpatched vulnerability in Microsoft's Internet Explorer (IE) browser to break into some of the firms targeted in a widespread attack that compromised Google's and Adobe's corporate networks last year and earlier this month, McAfee said today.
According to Dmitri Alperovitch, vice president of threat research at McAfee, the unpatched vulnerability in IE was the only exploit used to hack into several of the companies attacked starting last month. Other researchers have said that as many as 33 firms, including Google and Adobe, were attacked, their networks compromised and in some cases, data stolen.
Alperovitch said that Microsoft would release additional information about the IE vulnerability in a security advisory later today.
"Microsoft is investigating these reports and will provide more information when it is available," a Microsoft spokesman said in an e-mail.
More Details on "Operation Aurora"
Earlier today, George Kurtz posted an entry, 'Operation "Aurora" Hit Google, Others', on McAfee's Security Insight blog. The purpose of this blog is to answer questions about this particular attack and to fill in some of the threat flow and McAfee coverage details.
How were systems compromised?
What was the payload of the exploit?
Once a system was successfully compromised, the exploit was designed to download and run an executable from a site, which has since been taken offline. That executable installed a remote access Trojan to load at startup. This Trojan also contacted a remote server. This allowed remote attackers to view, create, and modify information on the compromised system.
How wide-spread is this attack?
Aurora appears to have been a very concentrated attack on specific targets. It is not believed to be widespread at this time.
How serious is this vulnerability?
The Microsoft Internet Explorer vulnerability leveraged in this attack allows remote code execution, but it does require user intervention (such as following a hyperlink to a website, or opening an email attachment). Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7. Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Also see Microsoft's Response and Advisory on this issue:
Hacker Breaches N.Y. Bank
Long Island bank notifying 8,000 customers that their accounts have been compromised.
The data breaches just keep on coming. eSecurity Planet has the details about the latest incident, which saw a hacker snag the account login information from thousands of New Yorkers.
Officials at Suffolk County National Bank in Long Island, N.Y. this week are warning more than 8,000 customers that their account login information was likely compromised in November, when a hacker illegally accessed a server hosting its online banking system.
SCNB officials discovered the breach during a routine internal security review in late December. Investigators determined the unauthorized intrusion occurred during a six-day period between Nov. 18 and Nov. 23 of last year.
"The security of customers' information is of utmost importance to SCNB," Suffolk Bancorp CEO J. Gordon Huszagh said in a statement.
Malware Sneaks Into Android Market
Hidden among the barcode readers, music players and games in the marketplace for Android software may be apps that could steal your online banking credentials or infect your phone.
Google removed about 1 percent of the apps posted to the Android Market last year, according to a 2009 filing Google made to the FTC (.pdf). While most of those apps were removed because of user complaints about adult content or copyright violations, two apps attempted to gain access to users' financial information, according to InformationWeek.
"I am surprised it is that much," says Artem Petakov, co-founder and CTO of WorkSmart Labs, which offers the Cardiotrainer app, referring to the number of apps removed. "I assumed the user reporting and flagging was working better than that."
The possibility of malicious apps in the Android Market has some developers wondering if Google needs to police the marketplace better. It has also raised questions about the impact of these security holes on consumer confidence and app marketing by developers.
Google launched the free, open source Android OS with the T-Mobile G1 phone in October 2008. Unlike Apple, which tightly controls the submission and the review process for its App Store, Google has taken a much more open approach with the Android Market. Developers don't have to wait for Google's approval to get an app into the store. Instead, the search giant and Android creator is counting on users flagging suspicious or malicious apps.
Last month, two credit unions posted a warning to their customers about a rogue app that uses phishing techniques to gain access to a user's banking credentials. Once Google was notified, it moved quickly to remove the app along with about 50 others written by the hacker.
Android Market's malware-related challenges are not surprising, says Patrick Mork, vice-president of marketing for GetJar, a company that has a catalog of 60,000 apps and runs its own app stores for phones.
Related news in http://forums.cnet.com/5208-6132_102-0.html?messageID=3219438#3219438
McKinnon gets yet another chance
Gary Mckinnon's case for extradition is now subject to yet another judicial review, according to reports.
McKinnon was first arrested seven years ago, and since then his case has twisted and turned its way through courts and appeals. This latest twist will see his case examined afresh by a High Court judge, once again raising the possibility that the UFO fan, who has Asperger's syndrome, could be tried in the UK to spare him almost certain conviction by the US courts, and likely life imprisonment.
Despite it being almost a decade since he was arrested, McKinnon is facing what is called a fast-track extradition to the US. Once there he would be tried for hacking into NASA computers and would have an excessively large book thrown at him. He's gathered support from many UK politicians and human rights groups and has even had a "Free Gary McKinnon" campaign set up in his honour.
This latest event will see the judge rule on whether the Home Secretary Alan Johnson was right to opt out of intervening in the case, when in November he chose not to attempt to block it.
Responding to a news story in the Telegraph, the Free Gary McKinnon group wrote, "Since Judgments may take several weeks or months to be published, the outcome of this Judicial Review is very likely to be after the forthcoming General Election, and over 8 years since Gary was first arrested."
Kaspersky Lab Changes Support Structure in Benelux Region
After the relationship with Kaspersky Lab's former distribution partner in the Benelux was terminated due to systematic breaches from the partner's side in December 2009, the company has changed its support structure for the region. All licenses sold by the former distribution partner will retain their current validity and will be fully supported and maintained by Kaspersky Lab. The company will do its utmost to minimize any inconvenience to all parties.
Technical support and maintenance will be provided by the offices in Germany, France and the United Kingdom. Distributors, resellers and customers will continue to receive full support. French-speaking customers will be supported via the French office, German-speaking customers via the German office and Dutch-speaking customers, in English, by the UK office. Resellers will be supported by their distributors as usual.
To access support services, please use the following link: http://www.kaspersky.com/nl/support
Twitterbuilding.com: Stealing Your Passwords One Tweet at..
Blogged today by TrendLabs:
I, like many others, am a big fan of Twitter, although I'm fairly ruthless about pruning those I follow. Most of the people I follow are either other security professionals or close friends and they normally Tweet content that I am genuinely interested in. The first hint of someone going to the dark side, e.g.,
In McDonalds, should I get a cheeseburger or a big mac?
4 minutes ago from iPhone by InaneTwit
So confused, must decide soon, person in front of me in Q!
3 minutes ago from iPhone by InaneTwit
I got the cheeseburger!
2 minutes ago from iPhone by InaneTwit
... and I will ruthlessly remove them. There is one exception to this, however: one of my younger siblings, who, for some reason, I let get away with this kind of thing. So I was not too surprised to see the following Tweet earlier today:
This site is AWESOME!!! TwitterBuilding. com
about 2 hours ago from API
Following the link, I came to the following page (screenshot in below link)
Suddenly, my spider senses are tingling. Call me paranoid, but that does not look particularly official. A quick search of the Web shows thousands of identical Tweets from thousands of people who have gladly handed over their passwords to this website (which is most likely the same password they use for everything, including the holy grail, their email account—something I wrote about way back in February 2009).
What is the message here? Simple: "Think before you click!"
Lincoln National Discloses Breach Of 1.2 Million Customers
Shared-password vulnerability may have exposed personal information in online account management system
Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.
In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says.
The letter does not give technical details about the breach, but it indicates the unidentified source sent FINRA a username and password to the portfolio management system.
"This username and password had been shared among certain employees of [Lincoln Financial Services] and employees of affiliated companies," the letter says. "The sharing of usernames and passwords is not permitted under the LNC security policy."
Online Scams that Impersonate the IRS
Consumers should protect themselves against online identity theft and other scams that increase during and linger after the filing season. Such scams may appropriate the name, logo or other appurtenances of the IRS or U.S. Department of the Treasury to mislead taxpayers into believing that the scam is legitimate.
Scams involving the impersonation of the IRS usually take the form of e-mails, tweets or other online messages to consumers. Scammers may also use phones and faxes to reach intended victims. Some scammers set up phony Web sites.
The IRS and E-mail
Generally, the IRS does not send unsolicited e-mails to taxpayers. Further, the IRS does not discuss tax account information with taxpayers via e-mail or use e-mail to solicit sensitive financial and personal information from taxpayers. The IRS does not request financial account security information, such as PIN numbers, from taxpayers.
Read more about: Object of Scams, Who Is Targeted, How an Identity Theft Scam Works, Phony Web or Commercial Sites, Frequent or Recent Scams, Other Known Scams, How to Spot a Scam and What to Do.