Spyware, Viruses, & Security forum

Alert

NEWS - July 09, 2012

by Carol~ Moderator / July 9, 2012 12:06 AM PDT
Most of What You've Read About DNSChanger Is Wrong. Here's How.

If you've been scanning the headlines or watching the evening news, you may have heard that tens of thousands of Internet users in the U.S. - hundreds of thousands around the world - will be cut off from the Internet on Monday, July 9, after servers set up at the bequest of the U.S. government go dark. That's bad, right? Well, maybe not.

What you may not know is that the impending DNSChanger "black out" threatens to obscure what has been a highly successful effort - one of few to date - to stamp out a global online scam and malware infestation.

First, some recent history: U.S. authorities in November unveiled indictments against six Estonian nationals who they charged with running a sophisticated, international online fraud that netted an estimated $14 million in bogus Internet advertising revenues, while infecting some four million computers world wide, 500,000 in the U.S. alone. The scheme used malicious software, installed on victims' machines, to force the users to visit Web sites that were customers of an online advertising firm controlled by the scammers.

Following the bust, the U.S. Department of Justice, working with ISC and other tech industry partners, set up their own Domain Name System (DNS) servers in place of those used by the cyber criminals to manage Web requests from infected hosts. A court order stipulated that the servers be shut down on March 5, 2012, four months after the bust. However, as that deadline approached, the U.S. Attorney's Office successfully argued for an extension to July 9 - Monday.

Continued : http://threatpost.com/en_us/blogs/most-what-youve-read-about-dnschanger-wrong-heres-why-070812

DNSChanger related:
The FBI will turn off the Internet on Monday (or not)
Malware Threat to Internet Corralled
Discussion is locked
You are posting a reply to: NEWS - July 09, 2012
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - July 09, 2012
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
FBI could be shutting down 13800 UK internet connections
by Carol~ Moderator / July 9, 2012 1:05 AM PDT
In reply to: NEWS - July 09, 2012

Early Monday morning, as previously announced, the FBI turned off the DNS server which has been handling the requests from machines that were compromised by DNSChanger. Around 13,800 users with unique UK IP addresses have been accessing the server, according to an anonymously published excerpt from the logfiles that suggests the information is accurate up to last Saturday. On that day there were still requests coming from some 250,000 different IP addresses in total.

It can be assumed that little has changed since the numbers were gathered. The first six months since the defeat of the DNSChanger botnets saw around a third of the originally affected systems being disinfected. In Germany, users were warned by their internet providers that they were infected, while globally, Google has been displaying a warning to users they detected as being infected.

If a user finds that they have apparently been suddenly disconnected from the internet, then the easiest way to recover is to set the affected system to use Google's DNS service on 8.8.8.8. DNSChanger was able, according to F-Secure, to modify DNS settings on Windows and Mac OS X computers and on D-Link, LinkSys, A-Link, Netgear, ASUS and SMC routers.

Continued : http://www.h-online.com/security/news/item/FBI-could-be-shutting-down-13800-UK-internet-connections-1635055.html

Collapse -
DarkComet RAT - It is the END!
by Carol~ Moderator / July 9, 2012 1:05 AM PDT
In reply to: NEWS - July 09, 2012

From the Symantec Security Response Blog:

The official website of DarkComet remote administration tool (RAT), detected by Symantec as Backdoor.Breut, has published a statement, as shown below, explaining that the project has come to an end. The DarkComet RAT grabbed news headlines this year when it was used in the Syrian conflict to spy on regime supporters. The decision of the author to end the project comes on the heels of the apparent arrest of the Blackshades RAT project author, another similar remote administration tool that has also been used for nefarious purposes.

The DarkComet RAT statement clearly outlines that the reason for the author deciding to now end this project is the misuse of the free tool and the law deeming the author to be partly responsible for this misuse. While in the past authors of such tools believed that they were immune from prosecution by claiming that they were educational tools, arrests, starting with the alleged author of the infamous Mariposa botnet, have begun to wake up authors of such tools to the possibility that they could be breaking the law. These arrests are sending a message to the authors of such tools that they are not above the law and could face prosecution for their actions. The recent arrest of the Blackshades RAT project author and the end of this project may yet have further reverberations leading to the closure of other similar projects. Time will tell but any similar closures due to the risk of prosecution must be seen as a step in the right direction in combating the risk posed by such freely available tools. [Screenshot]

Continued: http://www.symantec.com/connect/blogs/darkcomet-rat-it-end

Also:
DarkComet RAT Flames Out
DarkComet RAT Author Terminates Project Because of the Misuse of the Tool

Collapse -
ENISA recommends "assume all PCs are infected"
by Carol~ Moderator / July 9, 2012 1:05 AM PDT
In reply to: NEWS - July 09, 2012

The European Network and Information Security Agency (ENISA) recommends that banks assume that their customers' computers are infected with online banking trojans such as ZeuS. The recommendation comes as part of an analysis of the recent targeted "High Roller" cyber-attacks and specifically refers to the frequently cited ZeuS Tracker statistics page, which suggests that anti-virus programs only detect about 40% of ZeuS trojans.

ENISA has even included special "secure online banking devices" in its recommendation. Many of these systems work on the assumption that the customer's PC is not infected, said the agency, adding that, "Given the current state of PC security, this assumption is dangerous." ENISA explained that a basic two-factor authentication system does not prevent man-in-the-middle or man-in-the-browser attacks on transactions and recommended: "Therefore, it is important to cross-check with the user the value and destination of certain transactions, via a trusted channel, on a trusted device." According to the agency, such a trusted channel can be established using stand-alone smartcard readers with their own display or even mobile phones and smartphones.

http://www.h-online.com/security/news/item/ENISA-recommends-assume-all-PCs-are-infected-1634466.html

Collapse -
ENISA: High Roller Online Bank Robberies Reveal Security Gap
by Carol~ Moderator / July 9, 2012 7:35 AM PDT

Many online banking systems dangerously rely on PCs being secure, but banks should instead presume customer PCs are infected, says the EU's cyber security agency ENISA in response to the reports about the "High Roller" cyber-attack.

The recent, targeted "High Roller" cyber-attacks on wealthy corporate bank accounts yielding tens of millions of dollars was analysed in a report recently published by McAfee and Guardian Analytics. The report describes the technical details and the impact of a series of cyber-attacks.

The old adage that "criminals go where the money is" today means that "bank robbers go online", as the Executive Director of ENISA, Professor Udo Helmbrecht states. It should come as no surprise that large organized crime groups are targeting online banking sites. Still, the attacks drew much attention, for three reasons:

1) Highly automated: The attackers reduced manual intervention to a minimum, relying mostly on automation. The attacks were also fast and easily missed by the user.

2) Sophisticated: The banks' protection measures, such as two-factor authentication and fraud detection, were circumvented. Users did not notice this right away because the fraudulent transactions were hidden by malware (inserting javascript code into pages).

3) Targeted: Only PCs from users with corresponding high balances were targeted (e.g. around 5000 PCs in the Netherlands).

The cyber-attacks had three phases. First, targets were identified using online reconnaissance and (spear) phishing. Victims with access to high balance accounts (hence the name "High Rollers") were singled out. Secondly, malware (SpyEye, Zeus and Ice 9) was loaded onto the victim's PC - tailor customised for the victim's online banking websites.

Continued : http://www.infosecisland.com/blogview/21848-ENISA-High-Roller-Online-Bank-Robberies-Reveal-Security-Gaps-.html

Collapse -
Fake anti-piracy warnings hitting UK users w/ money requests
by Carol~ Moderator / July 9, 2012 1:05 AM PDT
In reply to: NEWS - July 09, 2012

Much has been said and written about the UK's Digital Economy Act, but most Internet users still know just one thing about it: that it will eventually end with ISPs sending out notifications to Internet pirates, who will be forced to stop their illegal activities or suffer consequences.

This email campaign started only days after Ofcom - the regulator and competition authority for the UK communications industries - released its revised Initial Obligations Code proposal, which details how the aforementioned notification system is going to work.

Even though Ofcom stated that it expects the first notification letters to be sent in early 2014, online scammers bet on the fact that not many users keep close tabs on the situation and took it upon themselves to impersonate the enforcers of said act by sending out emails accusing the recipients of pirating various content and trying to make them pay a non-existent penalty: [Screenshot]

Continued : http://www.net-security.org/secworld.php?id=13212

Collapse -
Android Trojan leaves 100,000 users out of pocket
by Carol~ Moderator / July 9, 2012 1:30 AM PDT
In reply to: NEWS - July 09, 2012

"MMarketPay buys content from China Mobile's app store"

Security researchers are warning of yet another Android malware outbreak which has spread to nine app stores and infected 100,000 with code designed to covertly purchase apps and content from China Mobile's Mobile Market.

Mobile security firm TrustGo explained that the MMarketPay.A Trojan could be hidden in a number of legitimate-looking applications, including those from Sina and media streaming company Funinhand, as well as travel and weather apps.

The malware has already been placed in nine different third party Android app markets in China, infecting over 100,000, the firm said.

Once downloaded, the Trojan will automatically place orders for paid content and apps at China Mobile's official Mobile Market online store without informing the user.

It is able to intercept China Mobile's verification SMS and post the code to the Mobile Market web site in order to complete the purchase, said TrustGo.

Continued : http://www.theregister.co.uk/2012/07/09/android_trustgo_china_mobile/

Also:
New Android virus 'MMarketPay.A' found on 100,000 Chinese smartphones and in 9 app stores
New Android Trojan secretly buys apps
Chinese Android trojan buys applications

Collapse -
Malware spammed out as report for "tomorrow's meeting"
by Carol~ Moderator / July 9, 2012 2:08 AM PDT
In reply to: NEWS - July 09, 2012

Have you received an email telling you not to forget to bring a report to a meeting being held tomorrow?

Be on your guard.

SophosLabs is intercepting a malware campaign that has been widely spammed out across the internet, using just such a disguise.

Attached to the emails, which have a subject line of "Don't forget about a meeting tomorrow" is a file called Report.zip, which harbours the malware.

Here's what a typical email looks like: [Screenshot: Malicious meeting email]

Interestingly, the spelling of the email's message body can vary - presumably this was done in an attempt to avoid rudimentary email filters which might attempt to block messages.

Here are some of the variations we've seen:

Don't forget this report for meeting tomrorow.
See attached file.

Don't forget this report for meteing tmoorrow.
See attached file.

Don't forget this report for meeting toomrrow.
See attached file.

Don't forget this report for meeitng tomrorow.
See attached file.


Recipients might think the typos are the result of someone writing too quickly, or fumbling on their BlackBerry, rather than an attempt to bypass a company's email gateway protection.

Continued : http://nakedsecurity.sophos.com/2012/07/09/malware-tomorrow-meeting/

Collapse -
Facebook to Target Ads Based on App Usage
by Carol~ Moderator / July 9, 2012 2:08 AM PDT
In reply to: NEWS - July 09, 2012

Facebook Inc. is launching a new type of mobile advertising that targets consumers based on the apps they use, pushing the limits of how companies track what people do on their phones.

The social network is tracking the apps that people use through its popular Facebook Connect feature, which lets users log into millions of websites and apps as varied as Amazon.com, LinkedIn and Yelp with their Facebook identity. The company then targets ads based on that data, said people familiar with the company's plans.

Facebook may also track what people do on the apps, though it hasn't made a final decision, said one of the people.

The new ads could stoke privacy concerns because they let Facebook go a step further than mobile-ad networks, which track what ads people have clicked on through a phone's Web browser. Those networks aren't aware of all the apps that a user has on their phone.

Companies like Apple Inc. and Google Inc. track users' mobile apps but they approach ad targeting differently. Apple discloses to users in its privacy policy that it can target ads based on apps the person has downloaded from its App Store and iTunes. Google, however, doesn't target ads based on that data, though in theory it could. Neither Google nor Apple track what people do in their apps to target ads.

Continued : http://online.wsj.com/article/SB10001424052702304141204577510951953200634.html

Also:
Facebook Will Target Ads Based On The Apps On Your Phone—Here's Today's Ad Brief
Facebook to target ads based on what mobile apps we use

Collapse -
How to Break Into Security, Grossman Edition
by Carol~ Moderator / July 9, 2012 2:08 AM PDT
In reply to: NEWS - July 09, 2012

I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.

A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).

BK: How did you get started in computer security?

Grossman: For me it was...I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don't know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn't go to college to be infosec pros, it just kind of happened. They followed opportunity.

BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?

Continued : https://krebsonsecurity.com/2012/07/how-to-break-into-security-grossman-edition/

Collapse -
July 4th fireworks fiasco in San Diego? Computer virus..
by Carol~ Moderator / July 9, 2012 2:09 AM PDT
In reply to: NEWS - July 09, 2012
... gets the blame

As local media reported, hundreds of thousands of people gathered at San Diego Bay on July 4th to see what should have been one of America's biggest Independence Day firework spectacles.

But a computer malfunction meant that the planned 17 minute fireworks display was condensed into a 15 second firestorm.

Confused spectators waited for what they believed was going to be the rest of the show, but were told that the event was cancelled and sent home disappointed.

There are numerous videos of the "Big Bay Boom" event on YouTube, but this is my favourite because of one audience member's reaction at the end of the clip.

Some of the media reports have claimed that a virus was responsible for thousands of fireworks on four barges to be fired at the same time. [Screenshot]

Continued : http://nakedsecurity.sophos.com/2012/07/09/firework-fiasco-virus-blamed/
Collapse -
Not Your Normal Skype Download
by Carol~ Moderator / July 9, 2012 5:01 AM PDT
In reply to: NEWS - July 09, 2012

From the F-Secure Antivirus Research Weblog:

We recently stumbled upon a website that supposedly provides the application Skype for Android devices.

When visiting the website using an Android device, it shows an APK file (skype52_installer.apk) for download: [Screenshot]

However, accessing the website using an iOS device yields to the screenshot below:

[Screenshot]
Translation:
The new application is being verified and deployed: skype.ipa
Checking iphone_free_space


Afterwards, it informs the user that the installation is "complete":

[Screenshot]
Translation:
Installation complete!
The new application skype is ready to install!
Enter your phone number to protect against illegal usage of this application, and follow instructions in a SMS message
.

At this point, there are still no new application installed in the device. As expected, even after entering a number, nothing happens.

[Screenshot]
Translation:
Installation complete!
A free SMS message with confirmation request has been sent to you.


If visited using any other devices except for Android or iOS, it prompts for a JAR file (skype52_installer.jar):

Continued: http://www.f-secure.com/weblog/archives/00002396.html

Collapse -
Spring Cleaning for Your Security Toolbox
by Carol~ Moderator / July 9, 2012 5:02 AM PDT
In reply to: NEWS - July 09, 2012

You have too much stuff. Those old clothes you can't bear to part with. How many t-shirts from tech conferences do you really need?

The stacks of magazines you are going to read "someday." Toys for the kids, half-way completed projects, and dozens of other things make your life unorganized, and more difficult to manage.

The exact same problem infests many of our security programs. Every time we add a new technology, be it installed in production, or as a proof of concept, we make our operating environment more complex.

Say it with me now... Complexity is the enemy of security. Having too many systems causes multiple problems:

• How many systems can you be a master of? You can be world-class at 1 thing, great at a few things, or mediocre at many things. That's the trade-off. You can't know about that newest neat feature that will save the company millions on every tool out there.

• When our resources are spread between too many systems, we only look at systems when lights go red. This means we're missing the small clues that things might be changing. Simply put, we are not receiving full value from our tools.

Continued : http://www.infosecisland.com/blogview/21857-Spring-Cleaning-for-Your-Security-Toolbox.html

Collapse -
Multi-platform Backdoor Lurks in Colombian Transport Site
by Carol~ Moderator / July 9, 2012 5:03 AM PDT
In reply to: NEWS - July 09, 2012

From the F-Secure Antivirus Weblog:

We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.

Here is what is shown if visited using Windows: [Screenshot]

And using MacOS: [Screenshot]

The JAR file checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform. [Screenshot]

All three files for the three different platforms behave the same way. They all connect to 186.69.87.249 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively. As of writing, the server has not given any code.

The files are detected as:

Continued : http://www.f-secure.com/weblog/archives/00002397.html

Collapse -
DNSChanger FAQ: The Internet Is Not Broken
by Carol~ Moderator / July 9, 2012 7:36 AM PDT
In reply to: NEWS - July 09, 2012

You know things have gone sideways when NPR and local TV news are talking about the "Internet doomsday" or "Black Monday". We have DNSChanger to thank for this latest bout of Internet paranoia, and there's a ton of misinformation and craziness circulating about the malware. We're here to provide some actual information, luckily for you.

So, here's a short FAQ to help separate fact from fiction regarding DNSChanger.

What is DNSChanger and what can it do?

DNSChanger is a piece of malware that was used in a large click-fraud campaign known as Ghost Click. Once on a victim's machine, the malware would hijack search queries and send users' traffic through rogue DNS servers and on to sites that displayed ads for companies that were controlled by the gang behind the scam, earning them money for every click on those ads. The FBI helped take down the DNSChanger crew last year and at the time of the bust, estimated that there were several million PCs infected with the malware. That number is estimated to be around 300,000 infections now, a tiny fraction of the billions of IP-enabled devices on the Interwebs. When the FBI took down the gang behind this attack, it also took control of the rogue DNS servers and continued to operate them so that all of the infected users could still access the Internet.

What is a DNS server and why do I care which one my traffic goes through?

The DNS system is a global network of specialized servers that provide your computer with the IP address that corresponds to the URL you are trying to reach. So, for example, if you search for Threatpost on Alta Vista and then click on the link for Threatpost.com, your browser contacts a name server and says, "Hi, please give me the IP address for the URL Threatpost.com." The name server will respond with a an IP address that your browser understands, and then your browser connects to the address and you wind up here reading this FAQ. This works properly billions of times a day, but there are ways for attackers to mess with the system, as the DNSChanger crew did, and route your DNS requests through a name server that they control. In those attacks, your browser doesn't end up on the site you're trying to reach and instead can be redirected to malicious sites.

So the FBI owns the DNS system?

Mmmm, no.

NSA?

Getting warmer...

Google?

Continued : http://threatpost.com/en_us/blogs/dnschanger-faq-internet-not-broken-070912

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

GIVEAWAY

We are giving away 'Black Panther' swag!

Four lucky readers will be taking home *Marvel*ous "Black Panther" prizes, including magazines autographed by the King of Wakanda himself! Giveaway ends Feb. 25, 2018.