November 2008 - Posts

Nov23
by Jonathan Leopando (Technical Communications)

Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit.

Advanced Threats Researcher Ivan Macalintal found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google:

Figure 1. Fake HouseCall search result.

Clicking on this link brings up the fake scanner:


Figure 2. The software supposedly performs a system scan.

Figure 3. It warns users of bogus malware infection.

Not surprisingly, the system scan is completely fake. In actuality, the page linked to in the initial Google search result, along with other pages from the same domain, all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat.

ADW_FAKEAV also connects to a remote website and downloads another adware program detected as ADW_FAKEAV.O, so in this entire process victims are exposed to more adware threats.

The sites hosting this adware are already blocked by the Trend Micro Smart Protection Network.

Solutions for the cleanup and removal of ADW_FAKEAV and ADW_FAKEAV.O are also provided by this technology.

This would not be the first time our products’ names were used in malicious operations. The following blog entries are about other threats that did that:

Trend Micro advises all users to go to our website for information on the products and services we offer.

Being too helpful Posted by Mikko @ 18:41 GMT

Here's a screenshot of a site:


It's a phishing site using Google AdWords as the lure.

What it really tries to do is to steal your Google AdWords account username and password.

And your credit card number.

Now look again. Look at what the browser is offering.


No thanks, I'd rather not save my password for this site, thank you very much.

Windows Vista "CreateIpForwardEntry2()" Memory Corruption Vulnerability

Secunia Advisory: SA32791

Release Date: 2008-11-24

Critical: Not critical
Impact: DoS
Where: Local system
Solution Status: Unpatched
OS: Microsoft Windows Vista

Description:
A vulnerability has been reported in Microsoft Windows Vista, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to the "CreateIpForwardEntry2()" function not properly limiting the length of the IP address prefix of the destination IP address passed via the "MIB_IPFORWARD_ROW2" structure. This can be exploited to cause a buffer overflow and e.g. crash a vulnerable system.

Successful exploitation requires that the attacker is a member of the "Network Configuration Operators Group".

The vulnerability is reported in Microsoft Windows Vista Enterprise (32 bit and 64 bit) and Microsoft Windows Vista Ultimate (32 bit and 64 bit). Other versions may also be affected.

Solution:
Only add trusted users to the "Network Configuration Operators Group".

Provided and/or discovered by:
Marius Wachtler, Michael Burgbacher, Carson Hounshell, Michael Craggs, and Thomas Unterleitner of phion AG

Original Advisory:
http://marc.info/?l=bugtraq&m=122711627932563&w=2

Nov22
by Florabel Baetiong (Anti-spam Research Engineer)

Email messages supposedly sent by the popular department store chain Wal-Mart promise recipients a rather large amount of money simply for participating in a survey. The messages also state that the money will be credited to the respondent’s account once the survey has been completed. Here’s what the spammed message contains:

Congratulations!

You have been selected to take part in our quick and easy 9 questions survey
In turn we will credit $90.00 to your account - Just for your time!

The survey has been sent only to a few people from our random generator !

Please spare two minutes of your time and take part in our online survey
so we can improve our services.

Don’t miss this chance to change something.

To participate in this survey, Click Here

With the information collected we can decide to direct a number of changes to improve and expand our online services

Note:
-If you received this message in your SPAM BULK folder, that is because of the restrictions implemented by your ISP
-For security reasons, we will record your ip address, the date and time.
-Deliberate wrong imputs are criminally pursued and indicted

Copyright 2008 Wal-Mart Stores, Inc. All Rights Reserved.

Survey ID

WWLEKFTSYXDYVLUOSDMVCBRJEXCXCIRWTTFHDQ

A link to the “survey” is provided in the message. This is definitely a scam as Wal-Mart has no such survey, and is not paying potential victims of this scam $90 to answer nine questions. Spammers added some notes to make the email message more believable though. Warnings are written at the bottom of the mail such as the recording of the respondent’s IP address “for security reasons” and the more threatening “deliberate wrong inputs are criminally pursued and indicted.” Email messages are also marked High Priority.

Clicking on the link leads users to the phishing site.

Scammers again seem to be exploiting the shopping frenzy that comes with the holidays. Christmas- and Thanksgiving-related Web threats often prey on users’ enthusiasm for purchasing products, whether online or not. Several Trend Micro blog entries also document other spamming operations that use similar social engineering techniques:

The Trend Micro Smart Protection Network already blocks this email message, keeping users away from the phishing website. Non-Trend Micro users are advised not to participate in surveys that come from unsolicited messages. Not clicking links in unwanted messages, or in those from suspicious senders, also keeps systems safe from threats.

Nov22

WinCE Malware Blackens Phone Wallpapers

by Jake Soriano (Technical Communications)

Making its way back into the wild is a WinCE malware that infects Windows Mobile phones. Detected by Trend Micro as WINCE_CRYPTIC.A, this new variant uses the same old routines that made WinCE malware notorious before.

Advanced Threats Researcher Jamz Yaneza says it works as a typical companion virus because it stores the infection code in another file. Typical viruses infect files themselves but WINCE_CRYPTIC.A does not. Instead, it creates “companion” files using the same file names as the infected mobile phone’s storage card. These companion files contain the infection code, and when users run the storage card, the malicious files run first.

So in essence it does not infect files themselves; the changes come from the malware’s polymorphic engine. Yaneza adds that the file could actually be considered a Trojan with some polymorphic functionality. Companion viruses do this to avoid detection. Users are tricked into thinking they are still running a legitimate application when in fact they are already executing the malware.

Users however, will notice changes in their infected mobile phones as WINCE_CRYPTIC.A changes the text and background colors of the affected device. Here are some screenshots:


WinCE malware changes a mobile phone’s display colors.

The malware may be distributed through memory cards. It may also be hosted on malicious websites and may arrive on mobile phones through downloads. Yaneza believes that document sharing via infrared or Bluetooth could also be a possible avenue for infection, as remote malicious users could easily pass on documents when these devices are left on.

With more users using Web-enabled mobile devices, malware authors are also quick to adapt. From spam to ransomware, cybercriminals are exploiting mobile phone usage as a new avenue for profit. Interestingly, this malicious software deviates from the usual schemes that use Symbian malware to extort money from affected users, for example. Symbian malware is notorious for locking phones and then asking users for money so the affected phones can be fixed.

WinCE malware in the past did not have this routine. Our researchers believe that creators of this new WinCE malware are testing the waters for a bigger threat on mobile devices.

The following mobile phone models may be affected by WINCE_CRYPTIC.A:

  • Windows Mobile 5.0 Smartphone
  • Windows Mobile 5.0 PocketPC/PocketPC Phone Edition
  • Windows Mobile 6.0/6.1 Classic
  • Windows Mobile 6.0/6.1 Standard
  • Windows Mobile 6.0/6.1 Professional

The Trend Micro Smart Protection Network already detects WINCE_CRYPTIC.A and provides solutions for its cleanup and removal. Trend Micro meanwhile advises users to not download phone applications from unknown locations on the Web. WINCE_CRYPTIC.A itself does not run on PCs but files may be downloaded from there to mobile phones. Beamed applications and documents should also be handled with caution. The US National Institute of Standards and Technology also provides guidelines on mobile phone security.

Microsoft Security bulletin MS08-067 was an out-of-band security update that was released on October 23, 2008, to address a critical remotely exploitable vulnerability that was being exploited in the wild. The Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability that was addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge.

Microsoft released a detailed matrix describing the risk that this vulnerability presents to different versions of Microsoft Windows. When reading this matrix it becomes clear that this issue is exploitable by an unauthenticated attacker on Windows 2000, Windows XP, and Windows 2003. But, it is not exploitable on default configurations of Windows XP because the Windows Firewall blocks connect attempts to the required RPC interface. However, if the firewall is disabled, or the firewall is enabled but file/printer sharing is also enabled, then the issue is remotely exploitable on Windows XP. An attacker would need to authenticate to Windows Vista and Windows Server 2008 in order to exploit this issue.

Several public exploits are currently available that leverage this issue. Typically an exploit needs to be reliable for a worm to incorporate the exploit into its propagation routines. The nature of this vulnerability made it difficult for exploit authors to construct a single exploit that would successfully leverage the issue for all versions of Microsoft Windows at once. So, exploits were released that targeted specific versions of Microsoft Windows first, and the first public exploit to surface that wasn't a simple crash proof-of-concept leveraged the issue on Microsoft Windows platforms that were localized for traditional Chinese markets. Over the past month, exploit authors have discovered far more reliable methods to exploit this vulnerability and have released more stable exploits. The most reliable public exploit is incorporated into the Metasploit Framework—it contains many configurations that can be used to leverage this issue for a large array of Windows versions.

When we first noticed worm-like malicious applications exploiting this vulnerability, they were using the primitive exploits that were available at the time; in other words, exploits that targeted Chinese Windows systems. However, over the last 24 hours we have been observing a new worm. It exploits MS08-067, but it uses the routine from the Metasploit Framework to universally exploit computers that are running Microsoft Windows 2000. The worm targets TCP port 445 to exploit the issue, and if it succeeds, the worm then creates an HTTP server on the compromised computer on a random port, for example:

http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]

The worm then sends this URL as part of its payload to remote computers. Upon successful exploitation, the remote computer will then connect back to this URL and download the worm.

We are currently observing an increase in IPs generating activity over TCP port 445 and we believe that this activity is at least in part related to the propagation of this malicious code:

SANS is also reporting a spike in activity on TCP port 445. However, this was not the main reason behind our ThreatCon update. The aggressive propagation of this malicious threat in our honeypot network was the main reason behind the update. We decided that the activity was significant enough to remind our customers of the importance of installing the MS08-067 updates. Symantec antivirus currently detects this threat as W32.Downadup, so please make sure that your antivirus software is up to date.
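As an added example (not Symantec's code), the script below pulls the two network signals described above out of logs: a host opening TCP/445 to many peers, and scanned hosts then fetching http://[IP]:[RANDOM PORT]/[RANDOM STRING] from that same host, which turns a "port scan" into a propagation chain. The one-event-per-line log format and the sample lines are constructed.

```python
"""Pick out the MS08-067 worm's two network signals from constructed logs.

Added example, not Symantec's code.  The one-line-per-event format and the
sample below are constructed; adapt the regexes to a real firewall/proxy log.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Connection events from a firewall and URL events from a web proxy.
CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
HTTP_RE = re.compile(r"^(?P<ts>\S+) http src=(?P<src>\S+) url=(?P<url>\S+)$")
# http://[IP OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]: a bare IPv4
# host, an explicit port and a single opaque path component.
CALLBACK_RE = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/([A-Za-z0-9]+)/?$")


def scanners(lines: List[str], threshold: int = 5) -> Dict[str, Set[str]]:
    """Sources that opened TCP/445 to at least `threshold` distinct hosts."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = CONN_RE.match(line)
        if m and m.group("dport") == "445":
            targets[m.group("src")].add(m.group("dst"))
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= threshold}


def callbacks(lines: List[str]) -> List[dict]:
    """HTTP fetches whose URL matches the worm's download pattern.  Port 80 is
    skipped only because it drowns the signal in ordinary browsing."""
    hits = []
    for line in lines:
        m = HTTP_RE.match(line)
        c = CALLBACK_RE.match(m.group("url")) if m else None
        if c and c.group(2) != "80":
            hits.append({"src": m.group("src"), "host": c.group(1),
                         "port": int(c.group(2)), "path": c.group(3)})
    return hits


def correlate(lines: List[str], threshold: int = 5) -> List[dict]:
    """For each scanning host, list the scanned hosts that later fetched a
    payload from it.  The worm advertises its external address, so behind NAT
    the callback host may differ from the scanner as seen internally."""
    fetched = callbacks(lines)
    chains = []
    for src, victims in sorted(scanners(lines, threshold).items()):
        confirmed = sorted({c["src"] for c in fetched
                            if c["host"] == src and c["src"] in victims})
        chains.append({"scanner": src, "victims": len(victims), "confirmed_by": confirmed})
    return chains


# Constructed sample: 10.0.0.5 sweeps six peers on 445, two of them then pull
# the same random URL from 10.0.0.5; 10.0.0.7 is ordinary file-sharing noise.
SAMPLE_LOG = """\
2008-11-21T10:00:01 conn src=10.0.0.5 dst=10.0.0.11 dport=445
2008-11-21T10:00:01 conn src=10.0.0.5 dst=10.0.0.12 dport=445
2008-11-21T10:00:02 conn src=10.0.0.5 dst=10.0.0.13 dport=445
2008-11-21T10:00:02 conn src=10.0.0.5 dst=10.0.0.14 dport=445
2008-11-21T10:00:03 conn src=10.0.0.5 dst=10.0.0.15 dport=445
2008-11-21T10:00:03 conn src=10.0.0.5 dst=10.0.0.16 dport=445
2008-11-21T10:00:04 conn src=10.0.0.7 dst=10.0.0.20 dport=445
2008-11-21T10:00:05 conn src=10.0.0.7 dst=10.0.0.20 dport=139
2008-11-21T10:00:06 http src=10.0.0.13 url=http://10.0.0.5:8641/qzxvbnmk
2008-11-21T10:00:07 http src=10.0.0.13 url=http://www.example.com/index.html
2008-11-21T10:00:08 http src=10.0.0.13 url=http://10.0.0.50:8080/status
2008-11-21T10:00:09 http src=10.0.0.14 url=http://10.0.0.5:8641/qzxvbnmk
"""

if __name__ == "__main__":
    for chain in correlate(SAMPLE_LOG.splitlines()):
        print(chain)
```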

We also recommend that the following mitigating strategies are applied:

•    Block access to TCP port 139 and 445 at network perimeters.
•    Ensure that computers that are connected to the network have host-based firewall software installed.
•    Ensure that antivirus software is installed on all clients connected to the network and that the software is up to date.

And, please install the update from MS08-067 as soon as possible. Microsoft has suggested a number of additional workarounds in the security bulletin, such as disabling the browser service. We advise customers to review their suggestions as well.

* Update

Symantec IPS will detect and block this attack with the following signatures:

•    MSRPC Server Service Buffer Overflow
•    RPC Server Service BO2

Message Edited by SR Blog Moderator on 11-25-2008 04:37 AM

Malware in Lenovo


Costin, November 21, 2008 | 21:37 GMT

Some of you might have seen the blog post that our colleague Ryan Naraine put up at ZDNet about malware being distributed along with a pack of Lenovo ThinkPad drivers.

Here are some more details on that story. Working together with fellow researchers at Microsoft, we discovered a URL that pointed to a file on IBM’s FTP site that looked like a false positive, so we sent them a ‘heads up’ message.

Careful analysis of the file, which was named ‘q3tsk04us13.exe’ (Lenovo Trust Key Software for WinXP) showed that the file in question did indeed contain a virus named Virus.Win32.Drowor.a. Luckily, the virus was broken and it didn’t work.

Naturally, we notified IBM immediately – and IBM took the file offline.

We’d like to salute IBM's prompt response and to thank our friends at MS for their initial analysis!

More on Autorun-Based Malware


Earlier, my colleague Vinoo Thomas blogged about “The Rise in Autorun-Based Malware” and about a method employed to disable such malware from executing that uses the gpedit.msc tool.

I briefly want to add a couple of points to this:

The Group Policy Editor (gpedit.msc) is a tool provided by Microsoft, and is used to modify various system settings. One such setting is the ability to turn off the autoplay feature.

Changes made using this tool eventually get applied in the Windows registry. For example, when a user modifies settings related to autoplay using the group policy editor, it will be reflected in the following location in the registry:

HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key: NoDriveTypeAutoRun

Now, here’s the interesting part. The Group Policy Editor is not available to users of Windows XP Home Edition. Those users would need to manually edit the registry, install TweakUI (a tool available in the PowerToys suite), or download a third-party tool to disable this feature.

Isn’t it odd that Microsoft makes a home user manually edit the registry to turn off this feature, yet it provides a tool for administrators using XP Professional?

I can understand the growing concern many are having with the use of removable devices. There has been a known bug in the NoDriveTypeAutoRun subkey value, which allows any changes made to this subkey to revert to its default value.

Of course, the default value enables the autoplay feature to function in all its glory.

All hope is not lost, though, as I managed to find a fix. Save the following text as a .reg file and import it into the registry. And, as always, remember to back up your registry before doing this.

REGEDIT4

[HKEY_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

This registry value redirects Windows’ reads of any Autorun.inf file to a registry key that does not exist, so Windows never sees the file’s instructions and takes no action based on it.

If you are a McAfee VirusScan customer, you could create a custom Access Protection rule to disable the execution of files named autorun.inf. Many autorun worm variants are detected by McAfee as W32/Autorun.worm.dw.

Finally, Microsoft should implement this autorun feature (which is now exploited by malware) in a more efficient manner. My Ubuntu machine, which has Wine installed, can run Windows executables and has the same autoplay feature as Microsoft does, but with one BIG difference:

Ubuntu Autorun

When a removable device with an autorun.inf file is inserted on my Ubuntu machine, it recognizes that the autorun.inf file is trying to run an executable and then asks for confirmation. Now, that’s what I call prioritizing the user’s security needs!!

Some rogue antivirus applications are overtly malicious. XP Antivirus 2008 and XP Antivirus 2009 have numerous affiliates utilizing rootkits and plenty of other nasty techniques in order to get themselves installed (and purchased). They're a real pain in the… neck.

As an interesting aside – XP Antivirus 2008 and XP Antivirus 2009 are actually produced by two different gangs. Variants of one sometimes attempt to uninstall and disable the other.

Then there are some "rogues" that are just kind of sad… we're tempted to call them lame-ware rather than scareware.

Last week, someone calling himself "Mirando" submitted this to our moderated comment system:

Search-and-Destroy Antispyware

What are the odds that such a comment, promoting a dubious application, will be approved by us? Not likely.

This is how the search-and-destroy .com site appears:

Search-and-Destroy

The site just uses a simple Flash graphic for basic animation; there are no fake "scans" that attempt to scare the visitor. It's all very quiet, relying perhaps on its name.

This application, search-and-destroy, should not of course be confused with Spybot Search & Destroy, a well known and respected antispyware application.

We downloaded and tested the Search-and-Destroy Antispyware application.

First it prompted a warning that there were zero risks.

Startup Risk

Then we performed the scan and there were 159 "problems" discovered. None of the 159 could be fixed in the trial version.

Scan Finished

Among the "malicious threats" that were discovered were invalid shortcuts.

Threat Details

True, the links were invalid, but that's hardly a threat.

So we uninstalled the application, and it left behind a registry key:

After Uninstall

Typical. The scan warned us about invalid shortcuts, and then it leaves behind an invalid registry key.

Mirando has posted to other forums as well.

Comments

Based on the IP address used when posting to our comments system, Mirando lives in New Delhi, India. We suspect that he's young and that these posts are early attempts at making money via an affiliate program.

We hope that he'll consider quitting while he's ahead, and doesn't move on to the hard-rogues.

The Rise in Autorun-Based Malware


Most folks associate computer viruses and other prevalent malware with the Internet. Not quite. The earliest computer threats came from the era of floppy disks and removable media. However, with the arrival of the Internet, email and network based attacks became the preferred vector for hackers to spread malicious code and the issues with removable media took a back seat.

Over the years, floppy disks have been replaced by thumb drives, portable hard drives, flash media cards and other forms of removable data storage. These removable devices of today can hold 10,000 times more data than yesteryear’s floppy disks. Not only can they store more data, today’s removable storage devices are smart, with the ability to run portable software programs or boot an entire operating system.

Given the popularity of removable storage media, virus authors were quick to realize the potential of using this as an infection vector. And they are greatly aided by a convenience feature in operating systems called “Autorun” that exists to automagically launch the content in a removable disk without any user interaction.

McAfee Avert Labs has observed an alarming increase in malware using autorun as an infection vector. In addition to traditional autorun worms that used this feature, pure-play backdoors, password stealers, common Trojans and even parasitic viruses that previously required a user to double click an executable file in order to infect a system have started incorporating the autoplay technique to spread.

To give an example of how rampant the problem of autorun malware is in the real world, shown below is the McAfee global virus map, which tracks statistics of infections observed by McAfee users worldwide.

McAfee Virus Map

Generic!atr is the McAfee antivirus detection for the configuration file (autorun.inf) in which the path to the malware executable that is to be autoplayed is specified. This detection has been observed on over two million files in the last 24 hours and has always been in the top five detections globally ever since the signature was added to the McAfee DAT files. What is shown above are detections seen only on computers with McAfee antivirus installed, where those users have opted in to reporting their detections. When you take into account the millions of computers on the Internet and other vendors’ detections of autorun-based threats, one understands how rampant the problem is.

Why is autorun as an infection vector so popular especially with machines running the Windows operating system? The fact is autorun is enabled by default on all flavors of Microsoft Windows including the latest versions of Windows Vista and Windows Server 2008. A user only has to insert a removable disk into an infected machine running Microsoft Windows and the malware would autocopy itself and infect the disk without any additional user interaction. And this self sustained cycle continues unabated every time the disk is inserted into a new machine.

So what can a user do to protect themselves against autorun based malware? The autorun feature can easily be disabled via the Windows group policy editor. If you’re a system administrator, it makes sense to disable autoplay via Active Directory and push this policy to the entire enterprise. Prevention is always better than drastic bans of USB disks & drives, although it makes you wonder why Microsoft can’t *fix* this ill-used feature in their next Windows update ;-)

Increase in USB-Based Malware Attacks

Symantec is currently observing an increase in malicious applications that use USB flash drive devices as a propagation method. Just as a clarification for any of our readers that are not familiar with the term “USB flash drive,” a USB flash drive is typically a removable portable storage device that uses a USB (universal serial bus) port to interface to a computer. USB ports are part of most modern computers and they are designed to allow many peripherals to be easily connected (plug-and-play) to a computer through a standardized interface. These USB flash drive storage devices are very useful and are becoming fairly ubiquitous in the workplace.

The USB flash drive storage medium is designed to be portable, making it easy to connect to many computers in its lifetime. This, unfortunately, exposes the flash drive to the risk of infection. There are many malicious applications that propagate simply by making a copy of themselves on all drives that are attached to a computer. The portability of the USB device and its small form factor can also make it easy for attackers to plug it into computers that they have limited physical access to, potentially granting them remote access at a later time.

At the moment, there are two popular methods that malicious applications use to infect USB flash drives:

Simple file copy method

With this method, a malicious application that is installed on an infected computer simply makes copies of itself to all storage devices that are attached to the infected computer. A copy of the malicious code will be placed on network shares, local drives, and removable media (such as USB flash drives) that are connected to the computer. Usually the malicious application will also attempt to copy itself to peer-to-peer (P2P) file-sharing shared folders as well. With this method, a malicious file is often named with a sensational filename to lure a victim into launching the file and causing malicious code to be executed. Quite often there are familiar file icons such as Microsoft Windows icons for videos and images that are used to trick unsuspecting victims into thinking that an executable file is a harmless image or video. This infection method requires that the victim manually execute the malicious file from their computer to become infected.
AutoRun.inf modification method

Microsoft Windows and some other operating systems have a functionality that is called “AutoRun” (sometimes also referred to as Autoplay). AutoRun functionality is basically designed to perform some actions that are automatically executed when removable media is inserted or removed from a computer.

On Microsoft Windows platforms, “autorun.inf” is the file that contains instructions for the AutoRun functionality. The autorun.inf file can instruct AutoRun to use a certain type of icon; add menu commands; and among other things, start an executable.

With this infection method, the malicious application modifies or creates an autorun.inf file on all of the network shares, local drives, and removable media (including USB flash drives) that are connected to the computer. When an infected USB flash drive is inserted into another computer, the copy of the malicious application is automatically executed. Under a default configuration of Windows, this infection method does not require any interaction from the victim other than physically attaching the media to the computer.
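To make the autorun.inf mechanism concrete, here is an added triage script (not Symantec's or McAfee's code) that parses an autorun.inf the way Windows reads it and flags the directives that would launch a program, which is what a Generic!atr-style detection of the configuration file keys on. The two sample files are constructed for illustration.

```python
"""Triage autorun.inf files: flag directives that make Windows launch a program.

Added example, not vendor code.  Both sample files below are constructed.
"""
import re
from typing import Dict, List

# Directives that cause AutoRun to start something on insert or double-click.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries hijack the drive's Explorer context menu.
SHELL_COMMAND_RE = re.compile(r"shell\\[^\\]+\\command")
PROGRAM_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.

    Windows treats the file as INI: section and key names are case-insensitive
    and junk lines are ignored, so the parser must be equally lenient or it
    will miss what Explorer would happily act on.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launches_program(value: str) -> bool:
    """True if the first token of the value (quoted or bare) names a program."""
    match = re.match(r'\s*(?:"([^"]+)"|(\S+))', value)
    if not match:
        return False
    target = (match.group(1) or match.group(2)).lower()
    return target.endswith(PROGRAM_EXTENSIONS)


def triage(text: str) -> List[str]:
    """Return one finding per directive that would run code; [] means the file
    only sets an icon or label, which is all legitimate autorun.inf files do."""
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS and launches_program(value):
            findings.append(f"{key}={value}: program started when the drive is inserted")
        elif SHELL_COMMAND_RE.fullmatch(key) and launches_program(value):
            findings.append(f"{key}={value}: program started from the drive's context menu")
    return findings


# Constructed sample: a vendor-style file that only sets a label and an icon.
BENIGN_INF = """[autorun]
label=Backup Drive
icon=setup.exe,0
"""

# Constructed sample of the pattern worms write: mixed case, a junk line, and
# both an open= entry and a hijacked Explorer "Open" verb pointing at a payload.
MALICIOUS_INF = """;generated
[AutoRun]
OPEN=RECYCLER\\payload.exe
shell\\open=Open
shell\\open\\command=RECYCLER\\payload.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("malicious", MALICIOUS_INF)):
        print(name, triage(sample) or "no executable directives")
```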
Increasing trend of drive-infecting malicious code

Symantec has recently observed that both of the above methods are becoming increasingly popular propagation methods for malicious code. We have noticed the following percentage increase in several pieces of malicious code that Symantec antivirus currently blocks:


This trend is substantiated in vol. XIII of the Symantec Internet Security Threat Report (quoted from page 56, Propagation mechanisms subsection of the Malicious Code Trends section):

"In the second half of 2007, 40 percent of malicious code that propagated did so as shared executable files (table 9), a significant increase from 14 percent in the first half of 2007. Shared executable files are the propagation mechanism employed by viruses and some worms that copy themselves to removable media. As stated in the “Malicious code types” section above, the increasing use of USB drives and media players has resulted in a resurgence of malicious code that propagates through this vector.
This vector lost popularity among malicious code authors when the use of floppy disks declined and attackers instead concentrated on other more widely used file transfer mechanisms such as email and shared network drives. However, as use of removable drives has become more widespread, attackers have again begun to employ this propagation technique. Although current removable drives differ from floppy disks, the principle remains the same, enabling attackers to make simple modifications to old propagation techniques.”

How to mitigate this threat
There are many policy- and configuration-based mitigations that can be used to adequately limit the propagation of these threats. Network administrators are advised to:

•    Ensure that antivirus software is up to date.
•    Disable AutoRun functionality for removable media, which should be possible using endpoint security systems. For personal computers, there are many detailed tutorials on how to disable AutoRun. Also, holding down the SHIFT key while inserting a USB flash drive can temporarily disable AutoRun.
•    If removable drives are not required, endpoint security systems can distribute policies to prevent removable media from being recognized.
•    User education should be a priority to educate network users about these threats.

Message Edited by SR Blog Moderator on 11-20-2008 04:03 PM

Nov18
by Adrian Labiano (Anti-spam Research Engineer)

A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment.

Here’s a sample email:

Figure 1. This supposed PayPal email message warns users that their accounts may have been compromised.

It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered.

The attachment that arrives with this spam, however, does not contain a report or any similar information.

Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution.

Figure 2. Users expecting a document may be surprised to see that the file contains an executable.

Detected by Trend Micro as WORM_POISON.LA, this malicious executable has routines that are related to the (now infamous) peer-to-peer file-sharing application Kazaa.

Other PayPal-related spam runs include the following:

The Trend Micro Smart Protection Network already blocks the spammed PayPal message, keeping users’ PCs away from its malicious attachment. It also detects WORM_POISON.LA and provides solutions for its cleanup and removal. Users are strongly advised to refrain from downloading and executing files found in unsolicited email messages.


Nov18
by Sarah Calaunan (Fraud Analyst)

The Trend Micro Content Security Team just discovered a phishing attack targeting Slingshot Communications, Inc. A phishing email pretends to update a customer’s existing account. It also includes the legitimate contact number of the company to make it seem authentic.

Figure 1. Phishing email sent to users

Figure 2. The Slingshot phishing site

Slingshot Communications, Inc. is the company that pioneered the business of prepaid Internet service. It is best known for its unique stored-value, pay-as-you-go format of providing high-speed wireless Internet service to its customers. With this kind of service, unknowing users who think the notification is a legitimate one from Slingshot may volunteer their credentials, and the phishers can then take advantage by using their accounts.

The malicious URLs used in this phishing attack are now blocked by the Trend Micro Smart Protection Network.

VirusResponse Lab 2009 Posted by Sean @ 16:24 GMT

Last Friday, we came across a rogue application, VirusResponse Lab 2009, that used a fake 404 page as part of its social engineering attack.

Many rogue affiliate sites will use script to generate animated "online scans" and then attempt to convince the visitor into downloading the rogue installer file via a pop-up dialog.

404dnswebsite .com took a different approach. Rather than producing a fake scan and prompting for a download, it instead simply hosted a fake 404 error message:

FraudTool.Win32.Agent.eh 404dnswebsite.com

If the victim fell for the trick, they would have downloaded what we detect as FraudTool.Win32.Agent.eh.

As you can see from the screenshot above, the fraud page is not at all dynamic. Even though we opened the page with Firefox on a Linux based system, the page displays the text "Internet Explorer".

The 404dnswebsite account is now suspended.


Adobe AIR Multiple Vulnerabilities

Secunia Advisory: SA32772

Release Date: 2008-11-18

Critical:
Highly critical

Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software:Adobe AIR 1.x

CVE reference:CVE-2008-4824
CVE-2008-5108


Description:
Some vulnerabilities have been reported in Adobe AIR, which can be exploited by malicious people to compromise a user's system.

1) Multiple unspecified input validation errors in the parsing of SWF files can be exploited to potentially execute arbitrary code.

2) An unspecified error may allow execution of untrusted JavaScript with escalated privileges if data is loaded from a malicious source.

The vulnerabilities are reported in version 1.1 and prior.

Solution:
Update to version 1.5.
http://get.adobe.com/air

Provided and/or discovered by:
The vendor credits:
1) Riley Hassell and Josh Zelonis, iSEC Partners.
2) Chris Weber, Casaba Security.

Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb08-22.html
http://www.adobe.com/support/security/bulletins/apsb08-23.html

Published: 2008-11-17,
Last Updated: 2008-11-17 22:21:15 UTC
by Jim Clausing (Version: 1)
Critical update to Adobe AIR

The folks at Adobe have released a bulletin and update to Adobe AIR that they classify as critical.  It fixes some of the same vulnerabilities announced earlier in Flash player.  Time to update if you are using AIR.  Details related to that CVE number are not yet available at nvd.nist.gov.

Keywords: Adobe AIR
Published: 2008-11-16,
Last Updated: 2008-11-16 09:22:41 UTC
by Maarten Van Horenbeeck (Version: 1)
Detection of Trojan control channels

Recently I was working with an organization whose network had been deeply compromised by a persistent threat agent: they had very little remaining trust in the network. A full rebuild of the network was not financially feasible for this organization, as it would have meant losing much of the unique intellectual property the organization had to offer, truly a scenario that was not acceptable.

Given that a “nuke from high orbit” would not be feasible, we worked on several techniques to identify those hosts which had been compromised.  Note that we did not want to identify internal data being trafficked out per se: while Data Loss Prevention solutions have greatly improved over the last few years, there are hundreds of ways to smuggle a binary piece of data out in a difficult-to-detect form.  Our goal was to detect behavior indicating an active Trojan on a system.

  • Initially we worked on increasing situational awareness. While in our case this did include costly measures such as implementing intrusion detection systems, situational awareness can also be significantly improved by small configuration changes, such as configuring BIND to log all DNS queries, storing netflows and extending firewalls to log accepted connections;
  • In order to detect variants of existing, known Trojans, we deployed an IDS on the perimeter and installed the virus rules from EmergingThreats. Matt Jonkman’s team regularly publishes updated signatures for known Command and Control channels. If setting up such a system sounds like a bit of work, have a look at BotHunter;
  • We started sniffing all DNS requests from hosts on the internal network, and then applied several heuristics to the resulting DNS data:
    • DNS responses which had a low to very low TTL (time to live) value, which is somewhat unusual;
    • DNS responses which contained a domain that belonged to one of a long list of dynamic DNS providers;
    • DNS queries which were issued more frequently by the client than would be expected given the TTL for that hostname;
    • DNS requests for a hostname outside of the local namespace which were responded to with a resource record pointing to an IP address within 127.0.0.0/8, 0.0.0.0/32, RFC 1918 IP space, or anywhere inside the public or private IP space of the organization;
    • Consecutive DNS responses for a single unique hostname which contained only a single resource record, but which changed more than twice every 24 hours.
  • Anomaly detection of network traffic can be a very powerful tool in detecting command & control channels. Unfortunately, to be most effective the baselining (defining what is “good” about the network) should take place before the first compromise. However, some forms of anomaly detection still add tremendous value:
    • We wrote a quick set of signatures to ensure that each TCP session on ports 80 and 443 consisted of valid HTTP or SSL traffic, respectively. You can also do this using a tool such as FlowGrep, or by reviewing your proxy logs for failures. This would be a useful exercise in general for all traffic that is not relayed through an application proxy and is not blocked from direct access to Internet resources.
    • Persistent connections to HTTP servers on the Internet, even outside regular office hours, can be normal: just think of software update mechanisms. However, they should be the exception, not the rule, so these valid exceptions can be filtered out, making this a potent mechanism to identify compromises. Is the attacker operating from the same time zone as your organization?
    • Persistent requests for the same file on a remote web server, but with a different parameter each time, can indicate data smuggling over HTTP.
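The five DNS heuristics listed above, run over a handful of passive-DNS records. This is an added example and not the tooling the diary describes: the records, the TTL threshold, the dynamic-DNS provider list, the internal namespace and the organisation's address block are all constructed, and the two-label "registrable domain" rule stands in for a Public Suffix List lookup.

```python
"""Passive-DNS heuristics modelled on the five DNS checks in this diary.
Added example, not the team's own tooling: the records, the thresholds, the
dynamic-DNS provider list and the organisation's address space are constructed."""
import ipaddress
from collections import defaultdict

LOCAL_SUFFIX = ".corp.example"                        # assumed internal namespace
LOW_TTL = 300                                         # seconds; assumed threshold
DAY = 24 * 3600
DYNDNS_PROVIDERS = {"ddns.example", "dyn.example"}    # placeholder provider list
ORG_SPACE = [ipaddress.ip_network("203.0.113.0/24")]  # assumed org-owned public block

# Names outside the local namespace should never resolve into these ranges.
SUSPECT_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32",                      # loopback, unspecified
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
)] + ORG_SPACE

# Constructed passive-DNS records: (seconds, client, qname, ttl, answers)
RECORDS = [
    (0,    "10.1.1.5", "update.vendor.example",   3600, ["198.51.100.7"]),
    (4000, "10.1.1.5", "update.vendor.example",   3600, ["198.51.100.7"]),
    (50,   "10.1.1.6", "fileserver.corp.example",  600, ["10.0.0.20"]),
    (100,  "10.1.1.7", "cdn.partner.example",     3600, ["10.0.0.1"]),
    (0,    "10.1.1.9", "c2-host.ddns.example",      30, ["192.0.2.10"]),
    (10,   "10.1.1.9", "c2-host.ddns.example",      30, ["192.0.2.11"]),
    (20,   "10.1.1.9", "c2-host.ddns.example",      30, ["192.0.2.12"]),
    (30,   "10.1.1.9", "c2-host.ddns.example",      30, ["192.0.2.13"]),
]


def registrable(qname):
    """Last two labels; a real deployment would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def points_into_suspect_space(answer):
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:             # CNAME or other non-address data
        return False
    return any(ip in net for net in SUSPECT_RANGES)


def analyse(records):
    """Return {qname: set(reasons)} for every name that trips a heuristic."""
    findings = defaultdict(set)
    last_seen = {}                 # (client, qname) -> (time, ttl of that answer)
    single_rr = defaultdict(list)  # qname -> [(time, answer)] for 1-record responses
    for ts, client, qname, ttl, answers in sorted(records):
        qname = qname.lower()
        if ttl < LOW_TTL:
            findings[qname].add("low-ttl")
        if registrable(qname) in DYNDNS_PROVIDERS:
            findings[qname].add("dynamic-dns-provider")
        prev = last_seen.get((client, qname))
        if prev and ts - prev[0] < prev[1]:
            # The client asked again before the answer it was given had expired.
            findings[qname].add("requery-before-ttl-expiry")
        last_seen[(client, qname)] = (ts, ttl)
        if not qname.endswith(LOCAL_SUFFIX) and any(map(points_into_suspect_space, answers)):
            findings[qname].add("external-name-to-internal-or-reserved-ip")
        if len(answers) == 1:
            single_rr[qname].append((ts, answers[0]))
    # Single-record answers that changed more than twice inside any 24h window.
    for qname, hist in single_rr.items():
        changes = [t for (_, a), (t, b) in zip(hist, hist[1:]) if a != b]
        if any(sum(1 for u in changes if t <= u < t + DAY) > 2 for t in changes):
            findings[qname].add("single-record-changes-over-twice-per-day")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(analyse(RECORDS).items()):
        print(name, sorted(reasons))
```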

We also took some action on the host-based front. A shortlist was created of anti-virus vendors that were successful in so-called “proactive detection tests” (such as the AV-Comparatives one), where month-old signature sets are tested against today’s malware. We licensed the software appropriately and created a live CD that ran each solution sequentially across all local hard drives. This CD was distributed to the offices and run on a large sample of systems over a weekend.

Upon completing the scan, the CD logged into a central FTP server and stored all suspicious binaries on this share. Each of the samples was afterwards analyzed in depth, and if found malicious, detection logic was created and deployed onto the various network based detection mechanisms.

On a set of critical systems, we deployed a logon policy which ran Sysinternals’ RootkitRevealer and stored its report on a remote network share. Once these reports were verified and we had some assurance that the file system API was not hooked to hide specific files, we ran a copy of Mandiant’s Red Curtain on the system to identify suspicious binaries. These were once again hooked into the analysis process above.

Regardless of whether you go for a pure-play network or host-based approach, or a combination, the investigative approach should be to identify that which is unusual, validate whether it is a manifestation of a threat, and reapply what is learned to our detection probes, or identify additional monitoring that would add value. The next step is to improve our understanding of the threat agent and how it interfaces with our network. One way to get there is nodal link analysis, an analytical technique which we'll cover in a future diary entry.

If you have other ideas on how to approach this problem, do get in touch!

--
Maarten Van Horenbeeck

Nov15
by JM Hipolito (Technical Communications)

It looks like spam volume has taken a turn for the better, at least for now.

After a couple of years of playing a shell game with security researchers, spam giant McColo Corp. was finally disconnected. Hosting major operations related to porn, credit card theft, fraud and other nefarious criminal activities, McColo posed as a legitimate corporate entity and conducted its business operations in Silicon Valley. On a global level, McColo is reportedly responsible for anywhere from 50 to 75 percent of all spam activity on the planet.

Trend Micro contributed research & intelligence to the HostExploit.com Cyber Crime Report, which detailed the criminal activity occurring inside of McColo for the past two years. Advanced Threats Researcher Paul Ferguson worked with other security researchers to compile the necessary information on those activities, which compelled their upstream ISPs to terminate connectivity to McColo after this information was made public.

McColo’s Internet service providers, Global Crossing and Hurricane Electric, were alerted by these investigators to its criminal activities, and once presented with details of this investigation, the ISPs immediately ceased their connectivity services to McColo.

This event definitely is a big blow to spam in general, however, it may be a very short-lived victory. The criminal operatives affected by these actions will most certainly make every attempt to move their operations elsewhere — we are watching.

The Trend Micro Email Reputation Services (ERS) detected a 40% drop in spam activity immediately following the termination of McColo’s connectivity:

ERS spam count

Not only have we seen a dramatic drop in spam inside Trend Micro’s back-end correlation systems, but the rest of the world continues to see dramatically lower volumes of spam:

This small victory will most likely be short-lived, as these obviously profitable criminal operations are almost certainly too valuable to be abandoned.

But Trend Micro customers won’t be without protection — the Trend Micro Smart Protection Network will block spam messages even before they reach users’ inboxes, and we are doing continual due diligence to ensure that all of the badware associated with these criminal operations is blocked before you ever see it.

With additional editorial input by Paul Ferguson, Advanced Threats research.

Update: 15 Nov 2008, 21:42 PST: It appears that McColo is back “on the air” as of this afternoon, so we’ll have to see what happens next.

Update: 16 Nov 2008, 09:30 PST: McColo is once again “off the air” as of this morning.

Intrepid iPhone developers bypass security for functionality


The Apple iPhone is vulnerable to a new bug related to the signing of iPhone applications.  Applications that are created with the official iPhone SDK need to be cryptographically signed by the author and Apple before they’re allowed into the App Store or installed on an iPhone.  The digital signing is a security measure that serves two purposes: helping to identify the developer in case of any problems, and making sure that an approved application hasn’t been modified.

An iPhone developer discovered the bug while looking for a way to duplicate a feature of Apple-created iPhone applications: dynamic default.png files.  The default.png file is displayed when an iPhone application is launched and can be used as a static splash screen.  When you quit an Apple-created application, it takes a snapshot of the screen and saves it as default.png within itself.  The next time you start the app it loads the new default.png, and everything looks like it did when it was last run. The application hasn’t fully loaded yet, but the saved default.png trick makes it look that way.

Unlike Apple’s apps, those created by other developers can’t modify their default.png files. Since the default.png is stored within the application as a part of itself, it gets digitally signed.  Modifying the image file, and thus the app, makes the digital signature invalid.  An alternative would be to use a default.png in the application’s data directory, but only the file within the application is supported on the iPhone.

The method to replicate Apple’s default.png trick involves a defect in the codesign utility in the iPhone SDK.  codesign is the utility used by developers when they digitally sign their applications.  Normally codesign will take every file within an iPhone application into account when it creates the digital signature.  The problem with codesign is that it doesn’t handle symbolic links (symlinks) properly.

Symlinks are like shortcuts to files; if you want to refer to one file in two locations or with two different names you can create a symlink in the new location.  The symlink isn’t a new file copy, just a pointer to the original file.  codesign doesn’t follow the pointer to the original file, so it doesn’t consider that file during signing.  The new approach is to create a symlink named default.png that points to a location or file outside of the application that can be easily modified.

This is a neat trick, but harmless.  If it were only the codesign utility that has this symlink problem, then the technique would not work for an installed application.  The real trouble arises when symlinks are used to obscure other program files or components during signing.  The digital signature process was intended to ensure that no unapproved or unsafe modifications could occur.  An attacker could arrange for malicious components to be installed using a self-update feature.  Since the digital signature ignores symlinks, the malicious application could contain pointers to the yet to be downloaded parts.  Since the bad portions of the program don’t exist during the approval process, malicious applications can sneak through.  This effectively bypasses the iPhone OS’s protection against the running of malicious code.
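The signing defect described above, reduced to its essentials: a manifest signer that skips symlinks leaves whatever they point at outside the signature, while a strict signer resolves each link, refuses any that escapes the bundle, and binds the link target to the manifest. This is an added illustration, not Apple's codesign or its fix; the bundle layout, file contents and the SHA-256 digest standing in for the real signature are constructed.

```python
"""Naive manifest signer (skips symlinks, mirroring the described defect) beside a
strict one that resolves symlinks and rejects links leaving the bundle.
Added example; the bundle layout and contents are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_naive(bundle):
    """Symlinks are neither followed nor recorded, so their targets are unsigned."""
    entries = {}
    for dirpath, _, files in os.walk(bundle):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            entries[os.path.relpath(path, bundle)] = sha256_file(path)
    return entries


def manifest_strict(bundle):
    """Every symlink must resolve to a regular file inside the bundle; the manifest
    binds both the link text and the target's content, so neither can change."""
    root = os.path.realpath(bundle)
    entries = {}
    for dirpath, dirs, files in os.walk(bundle):
        for name in files + dirs:          # dirs includes symlinks to directories
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, bundle)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    raise ValueError(f"symlink {rel} escapes the bundle: {target}")
                if not os.path.isfile(target):
                    raise ValueError(f"symlink {rel} is not a regular file")
                entries[rel] = f"link:{os.readlink(path)}:{sha256_file(target)}"
            elif os.path.isfile(path):
                entries[rel] = sha256_file(path)
    return entries


def sign_digest(manifest):
    """Digest over the canonical manifest; a real signer would sign this with a key."""
    canonical = "\n".join(f"{k} {v}" for k, v in sorted(manifest.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def demo():
    """Build a bundle whose default.png is a symlink to a mutable file outside it,
    then show what each signer sees when that file is replaced after signing."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "Example.app")
        outside = os.path.join(tmp, "mutable")
        os.makedirs(bundle)
        os.makedirs(outside)
        with open(os.path.join(bundle, "Example"), "wb") as f:
            f.write(b"constructed app binary\n")
        png = os.path.join(outside, "default.png")
        with open(png, "wb") as f:
            f.write(b"constructed splash v1\n")
        os.symlink(png, os.path.join(bundle, "default.png"))

        before = sign_digest(manifest_naive(bundle))
        with open(png, "wb") as f:           # modified after "signing"
            f.write(b"constructed splash v2\n")
        after = sign_digest(manifest_naive(bundle))
        try:
            manifest_strict(bundle)
            strict_rejected = False
        except ValueError:
            strict_rejected = True
        return {
            "naive_sees_png": "default.png" in manifest_naive(bundle),
            "naive_digest_changed": before != after,
            "strict_rejected": strict_rejected,
        }


if __name__ == "__main__":
    print(demo())
```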

Fortunately, since the application is signed, tracking down the author of such malware should be considerably easier.  Given that the vulnerability lies within a utility in the iPhone SDK and within the iPhone OS’s verification system, it should be fixed shortly in a future update.

Exploit-MS08-067 Bundled in Commercial Malware Kit


Probably the most widely reported topic in the Chinese Security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted on to a well-known public repository site. In a few days, malware kit author, WolfTeeth, was quick to sell a MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.

WolfTeeth

Taking a peek into his “malware shop”, one finds a series of malware kits for sale, including a BackDoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features including:

  • Kernel rootkit.
  • Anti-virus software termination.
  • Weekly anti-virus detection monitoring and evasion service.
  • Web DDoS attack option (a method that targets web servers with expensive HTTP requests, such as those to an active web application).

The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features: terminating popular anti-virus software in China, downloading updates, and stealth capability.

AdClicker for Sale Site

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and are sold for “research use” only. For customer service, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, which install a backdoor to spy on the backdoor user.

This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.

McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

Orkut "Account Usage Notification" Malicious Spam

Date:11.13.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by Google's Web 2.0 social networking site, Orkut. Orkut is one of the most popular social networking sites in Latin America and the second most visited site in India. The email is spoofed, appearing to be from the domain google.com for this fake notification which advises the user that their account has been subject to investigation and will be terminated within 72 hours unless they click through the hyperlink and follow the necessary instructions.

Websense’s predictions in its 2008 Threat Predictions report have been accurate. In our previous alerts, we have seen spammers and malware authors switching tactics to persevere with their attacks over a longer time, with an increased success rate through defeating antivirus vendors and content learning technologies. This attack is another instance of such tactics, part of an ongoing trend that increasingly targets Web 2.0 sites to carry out a wide range of attacks.

Screenshot of the message:

From the above screenshot, it can be seen that the links in the message actually lead to a malicious executable, a Trojan Downloader named "regulamento_orkut.exe" (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3).

This malicious executable has a very low AV detection rate.

When run, the malicious executable downloads another malicious file, "fox.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979), from the same site. The file copies itself to multiple locations on the infected machine with different names. It also adds itself to startup, and monitors browser activities with the intent to steal user information.

While the malicious code is being downloaded, a browser window will also pop up with objectionable material in it.


Screenshot showing "fox.exe" downloaded onto infected machine:

Screenshot showing user's machine infected:

Websense Messaging and Websense Web Security customers are protected against these threats.

Termination of EstDomains, 24 November 2008 Posted by Sean @ 15:54 GMT

The termination of ICANN-accredited registrar EstDomains is to go ahead, effective 24 November 2008.

There are approximately 281,000 domain names managed by EstDomains, many of which shouldn't be touched with a ten-foot pole.

ICANN is now seeking expressions of interest from registrars to receive a bulk transfer of those domains. Anyone interested?

See our past posts here, here, and here for additional details.

Nov13
by Rik Ferguson (Threat Marketing Communications)

Just recently, I received an intriguing post on my Facebook wall from a friend, someone I know and trust. The post contained the following message:


Has anyone messaged you to let you know your face book pictre is all over {BLOCKED}.com

To be honest, even the spelling and grammar sounded like my friend, but I’m fairly certain that was purely coincidental. Given that the days when I might have had a shot at a modelling career (hands only) are now firmly behind me, I was skeptical that my picture might be all over anywhere.

Once I had let my friend know that their PC was probably compromised by some kind of information stealing malware, I thought I had better go and investigate this website.

So in a clean test-environment, (don’t try this at home folks) I followed the link to the website, only to be greeted by an alarming pop-up:


Figure 1. A quite odd, but nonetheless alarming, pop-up

I didn’t upload any photos that I remember, so I clicked through to find out more. What do I get? A computerised voice that immediately intones “Attention please. Your profile picture has been detected on this website. Attention please. Your profile picture has been detected on this website,” and this page displayed in the browser:


Figure 2. The displayed page contains a rather ironic disclaimer

I love the little disclaimer at the top: Privacy note: We never send SPAM to your email address. We never sell your personal info. This is NOT a MySpace or Facebook login page. MySpace/Facebook users are not authorised to participate on this website.

So anyway, back to my personal pictures. I need to see them and ask that they be removed surely? So I give them my name and email address and click Submit:


Figure 3. A password request to view the alleged pictures

Now they are asking me to create a password in order to be able to view “my pictures”. The small print here is helpfully telling me that I shouldn’t use the same password I may have previously used on this site, or the same password I use to access other sites, but of course this is entirely the behaviour the scammer is hoping for. I see a box asking for my password, I think “I’m going to need to remember this password. I know I’ll use my standard one” in it goes, and I click Submit again:


Figure 4. Don’t worry about Dave Daveness, that’s the name I entered in the previous pop-up

OK, I understand, a little market research, no problem, I click OK:


Figure 5. Users are asked to choose the website that referred them

Well I got this from Facebook so I choose that link, and what a shame:


Figure 6. Facebook and Myspace users are not served

Looks like I’ll never get to see those pictures. But I’m really concerned about them. I’ll just hit the Back button in my browser and pretend not to be a Facebook user:


Figure 7. The name of the friend I typed in at Figure 2 is shown.

I click on OK and there goes that voice again “Attention please. You must participate to retrieve your final results. Attention please. You must participate to retrieve your final results.”

And yet another pop-up, saying that my good friend reserved a special offer for me, as well as finding these pictures I need to see:


Figure 8. The picture seems to be unavailable

It looks like the content of that window isn’t available right now though, and if I use another browser window to look at the origin of where the content is supposed to be coming from, all I get is a page with a single word on it profitsource. Interesting.

So I’ll try to close the currently broken window down to finally get to my picture:


Figure 9. Another pop-up?

Here we go, here’s what all the fuss was about…


Figure 10. Finally! My picture!

I’m clicking, I can hardly wait!


Figure 11. Obviously not me

So what happens if I found that whole process so funny I can hardly wait to share it:


Figure 12. Harmless? Really?

Some interesting points relating to all of this:

  • The person who is registered as owning the domain name I was originally sent to in that Facebook wall post also owns several hundred other domain names. Now I haven’t tried them all, but I have tried a good few, and they all lead back to this same email address harvesting site.
  • Interestingly, the email address of the registered owner (the only part of the registration information I really give much credence to in this case) is listed as bulletinpics@xxxxxxxx.com. Bulletinpics is a slightly older Spam & Scam campaign with shady international links. Here is a graphic example of the kinds of “service” Bulletinpics carry out, where he recruits CAPTCHA-cracking cybercriminals:

    Figure 13. Forum post by CAPTCHA-cracking criminals
  • Finally, all of those different domains registered to the person with the bulletinpics email address, when I visit them, show up in the browser address bar as one particular domain name. If I do a search to see which sites link out to that one particular domain name, I only get one result, a Chinese “Pay to Click” MLM site, that on investigation doesn’t have the rosiest of reputations.
  • Another thing those different domains appear to all have in common is the registrar Moniker Online Services Inc., who appear to have a very interesting history all of their own.

Facebook Picture Joke Connives with Email Harvester (http://blog.trendmicro.com/facebook-picture-joke-connives-with-email-harvester/)

Published: 2008-11-11,
Last Updated: 2008-11-11 21:15:09 UTC
by Swa Frantzen (Version: 1)
Phishing for Google adwords

Today, (Tue Nov 11 17:27:xx in GMT+1) I received:

From: Google AdWords <setup@google.com>                                       
To: xxx@xxx.xxx
Subject: Google AdWords Alert 
Date: Wed, 12 Nov 2008 02:27:xx +1000 
 
Hello, 
 
Our attempt to charge your credit card on Wed, 12 Nov 2008 02:27:xx +1000
for your outstanding Google AdWords account balance was declined. 
Your account is still open. However, your ads have been suspended. Once 
we are able to charge your card and receive payment for your account 
balance, we will re-activate your ads. 
 
Please update your billing information, even if you plan to use the 
same credit card. This will trigger our billing system to try charging 
your card again. You do not need to contact us to reactivate your 
account. 
 
To update your primary payment information, please follow these steps: 
 
1. Log in to your AdWords account at: http://adwords .google .com 
.session- xxxxxxxxxxxxxxxxxxxx .xxxxxxxxxxxxxxxxxxxx .com68 .ru 
3. Click 'Billing Preferences' link. 
4. Click Edit next to the appropriate 'Payment Details' section. 
5. Enter your new or updated payment information. 
6. Click 'Save Changes' when you have finished. 
 
In the future, you may wish to use a backup credit card in order to 
help ensure continuous delivery of your ads. You can add a backup 
credit card by visiting your Billing Preferences page. 
------------------------------------------------------------------ 
This message was sent from a notification-only email address that does 
not accept incoming email. Please do not reply to this message. If you 
have any questions, please visit the Google AdWords Help Centre at 
https://adwords.google.com/support/?hl=en_GB to find answers to 
frequently asked questions and a 'contact us' link near the bottom of   
the page.
---------------------------------------------------------------- 
 
Thank you for advertising with Google AdWords. 
We look forward to providing you with the most effective advertising available. 
 
Sincerely,

The Google AdWords Team 

The x-ed out stuff was spot-on; the spaces are added to the URL to prevent any reader from clicking on this. It was sent to an email address I actually have used in association with Google AdWords (although it's not that well targeted: I got other copies of it on addresses I use in conjunction with managing websites but not linked to AdWords).

Notice the lack of obvious errors, aside from a date that's in the future (their timezone calculation might be off) and the concealed URL that does not point to google.com, but to .com68.ru.

Now, when explaining to your users how to detect phishing from real warnings, do you think your users have a reasonable chance of noticing this before the credit card gets abused?

Tracing it back:

  • com68.ru has a private registration. Sure, what's new.
  • The email originated in 77.34.0.0/15 (used by an ISP based in Vladivostok).
  • The actual DNS name didn't resolve at the time of this writing.
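A defender-side check for the link pattern in this mail, where a trusted brand's labels are prefixed onto someone else's registrable domain, plus the "brand name embedded in a label" variant. This is an added example and not ISC code; the brand set, the placeholder attacker domain and the sample message body are constructed, and the two-label registrable-domain rule is a simplification of a Public Suffix List lookup.

```python
"""Flag links whose host borrows a trusted brand's labels but whose registrable
domain belongs to someone else. Added example; the brand set, the placeholder
attacker domain and the sample body are constructed."""
import re
from urllib.parse import urlsplit

BRAND_DOMAINS = {"google.com"}                  # assumed trusted set
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def registrable_domain(host):
    """Last two labels, a simplification of the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def classify_link(url, brands=BRAND_DOMAINS):
    """'trusted' if the registrable domain is a brand, 'lookalike' if a brand's
    labels appear anywhere else in the host, otherwise 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    if registrable_domain(host) in brands:
        return "trusted"
    labels = host.split(".")
    for brand in brands:
        blabels = brand.split(".")
        n = len(blabels)
        # brand.tld as a contiguous run of labels: adwords.google.com.<attacker>
        if any(labels[i:i + n] == blabels for i in range(len(labels) - n + 1)):
            return "lookalike"
        # brand name embedded in a label: google-billing.<attacker>
        if any(blabels[0] in label for label in labels):
            return "lookalike"
    return "unrelated"


def audit_links(body, brands=BRAND_DOMAINS):
    """Every http(s) link in a message body with its verdict, in order."""
    return [(url, classify_link(url, brands)) for url in URL_RE.findall(body)]


# Constructed body mimicking the structure of the phish; the attacker domain is a placeholder.
SAMPLE_BODY = """\
1. Log in to your AdWords account at: http://adwords.google.com.session-0123456789.abcdef.attacker.example
If you have any questions, please visit https://adwords.google.com/support/?hl=en_GB
"""

if __name__ == "__main__":
    for url, verdict in audit_links(SAMPLE_BODY):
        print(f"{verdict:10} {url}")
```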
Nov8
by Jake Soriano (Technical Communications)

Malware criminals are continuing to attempt to exploit the intense media coverage involving the election of Barack Obama to the U.S. Presidency. A very recent spam run has already hit American online users — now a new and different spam run targeting Latin American online users was also recently discovered.

Spammers have added some genuine global concerns to their social engineering techniques this time. Obama’s election indeed has implications for other nations besides the United States. Spammed messages, written in Spanish, carry the following message when translated into English:

Lima – With 297 votes, Barack Obama, the Democrat candidate won the presidential elections in the United States, against the 139 votes from the Republican party led by John McCain. What can Latin America expect about that?

Today the world’s eyes are focused on the United States. Most of them are Latin Americans.
Since the pending free trade agreement debate, until the promise for financial support for the drug traffic fight in Mexico, the list of items related to Latin America that are waiting for the new American president is not short.

The relationships to Venezuela’s Hugo Chavez and to Cuba’s Castro will also determine the way on which the new president of the USA will face with its southern neighbors.

BBC correspondent in Washington Lourdes Heredia talked with advisors of the main candidates when Barack Obama was elected president, to investigate what Latin America can expect on the coming years of his presidential period.

While some points in the message may be valid, the facts end there. A companion video is included in the message body, but embedded there are malicious links which lead to the download of a file detected by Trend Micro as TSPY_BANCOS.EDM.

This info-stealing malware modifies the system registry to turn an infected system into a Web server, which could make an infected computer part of a botnet. It also drops several component files detected as TROJ_BANKER and TROJ_QHOST variants.

Further, it modifies the system HOSTS file to prevent users from accessing certain banking websites. When the victim tries to access one of these banking websites, a fake login page (identical to the original) is displayed, tricking the user into entering their account credentials. The entered information is then gathered, and the malware sends it to a remote user through an HTTP POST. The Trend Micro Smart Protection Network already detects the malicious file, and provides users with solutions for cleanup and malware removal.

The U.S. election season has witnessed several Web threats which range from plain spam to malware attacks:

It seems that until the media frenzy wanes, online users will probably see more attacks coming as cyber criminals are always keen on taking advantage of newsworthy events to achieve their respective goals.

 
Trend Micro ServerProtect Multiple Vulnerabilities
Secunia Advisory: SA32618
Release Date: 2008-11-12
Last Update: 2008-11-13

Critical:
Moderately critical
Impact: DoS
System access
Where: From local network
Solution Status: Unpatched

Software: Trend Micro ServerProtect for EMC Celerra 5.x
Trend Micro ServerProtect for Network Appliance Filer 5.x
Trend Micro ServerProtect for Windows/NetWare 5.x


CVE reference: CVE-2006-5268
CVE-2006-5269
CVE-2007-0072
CVE-2007-0073
CVE-2007-0074
CVE-2008-0012
CVE-2008-0013
CVE-2008-0014


Description:
Some vulnerabilities have been reported in Trend Micro ServerProtect, which potentially can be exploited by malicious people to compromise a vulnerable system.

1) An error in the RPC authentication process can be exploited to gain administrative access to the RPC interface.

2) Multiple errors in the implementation of unspecified RPC procedures can be exploited to cause heap-based buffer overflows.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in versions 5.7 and 5.58. Other versions may also be affected.

Solution:
Restrict network access to the product.

Provided and/or discovered by:
1) David Dewey of ISS X-Force
2) David Dewey and Chris Valasek of ISS X-Force

Changelog:
2008-11-13: Added link to US-CERT.

Original Advisory:
ISS X-Force:
http://www.iss.net/threats/307.html
http://www.iss.net/threats/308.html
http://www.iss.net/threats/309.html
http://www.iss.net/threats/310.html

Other References:
US-CERT VU#768681:
http://www.kb.cert.org/vuls/id/768681

Wednesday, November 12, 2008

New rogue: Virus Trigger

Virus Trigger is a new rogue security product and a near clone of VirusResponse Lab 2009.
[Screenshots: Virus Trigger home page and site]
74.50.110.184 Systemtrigger. com
74.50.110.184 Virtrigger. com
74.50.110.184 Virtriggersupport. com
74.50.110.184 Virus-trigger. com
74.50.110.184 Virus-triggers. com
74.50.110.184 Virustrigger2009. com
Bharath M N

Survey style Phish targets JPMorgan Chase & Co.


Look what we ran across in our spam traps recently:

[Screenshot: the phishing email]

$50 for a survey! It’s our unlucky day…

[Screenshot: the survey page]

As you can see from the partially obscured email address, it is clearly NOT from JP Morgan Chase!! I hope this variation on the theme is suspicious enough to set off most people's "too-good-to-be-true" radar. We can expect this type of attack to get much more convincing real soon, no doubt.

Friend at the Window


Recently, we at Avert Labs received word of a new polymorphic companion virus for Windows CE/Mobile. This was a bit odd, since companion viruses were more popular in the days of DOS and we haven't seen many on newer platforms.

Unlike standard file-infecting viruses, companion viruses do not modify program files; instead they pose as them. A companion virus renames a clean file to a hidden or random name and takes the clean file's original name for itself, so the user runs the virus when intending to run the original program. To avoid raising suspicion, the virus launches the original once it has finished executing, and there may be no noticeable delay before the original program runs.

While the companion technique was used quite often by less complex viruses, this one also uses basic encryption to evade detection.  The decryption code of the virus is polymorphic with a handful of random code blocks.  We’re also looking into what may be defects in portions of the virus.

The appearance of this new virus for Windows Mobile phones may mark a shift from for-profit trojans and spyware toward more experimental viruses. Or maybe WinCE malware authors are just tired of other mobile platforms getting all the attention.
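The companion arrangement the post describes leaves a recognisable trace on disk: a hidden file that is itself an executable image sitting next to a visible program of the same or a random name. The following is an added example, not code from the Avert Labs post, that walks a directory tree looking for exactly that pairing. The directory layout is constructed inside a temporary folder and the "programs" are stub bytes with an `MZ` header rather than real binaries; the random hidden name `.k3r9x.tmp` is invented for the demonstration.

```python
"""Added example (not from the McAfee Avert Labs post): find the companion-virus
pattern described above, a hidden executable image alongside a visible .exe.

The directory contents built by build_constructed_layout() are constructed
stubs, not real programs or real virus samples."""
import os
import stat
import tempfile

MZ = b"MZ"  # DOS/PE image signature


def is_hidden(path):
    """Hidden by dot-prefix (POSIX convention) or by the Windows hidden attribute."""
    if os.path.basename(path).startswith("."):
        return True
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def is_executable_image(path):
    """Cheap PE check: the file starts with the 'MZ' signature."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == MZ
    except OSError:
        return False


def find_companion_candidates(root):
    """Return sorted (visible_exe, hidden_image) pairs found in the same directory.

    Heuristic from the post: the renamed original is hidden or randomly named,
    so the pairing is by directory rather than by filename."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        paths = [os.path.join(dirpath, f) for f in files]
        hidden_images = [p for p in paths if is_hidden(p) and is_executable_image(p)]
        visible_exes = [p for p in paths
                        if not is_hidden(p)
                        and p.lower().endswith(".exe")
                        and is_executable_image(p)]
        for hidden in hidden_images:
            for visible in visible_exes:
                findings.append((visible, hidden))
    return sorted(findings)


def build_constructed_layout(root):
    """Constructed sample tree: one clean program directory and one that shows
    the companion arrangement (virus owns 'notes.exe', original is hidden)."""
    clean = os.path.join(root, "clean")
    infected = os.path.join(root, "infected")
    os.makedirs(clean)
    os.makedirs(infected)
    with open(os.path.join(clean, "tools.exe"), "wb") as f:
        f.write(MZ + b"\x90" * 64)
    with open(os.path.join(clean, "readme.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(infected, "notes.exe"), "wb") as f:
        f.write(MZ + b"\xcc" * 64)          # stands in for the companion virus
    with open(os.path.join(infected, ".k3r9x.tmp"), "wb") as f:
        f.write(MZ + b"\x90" * 64)          # stands in for the renamed original


def demo():
    """Build the constructed tree and return (directory, visible, hidden) triples."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_layout(root)
        return [(os.path.basename(os.path.dirname(v)),
                 os.path.basename(v), os.path.basename(h))
                for v, h in find_companion_candidates(root)]


if __name__ == "__main__":
    for directory, visible, hidden in demo():
        print(f"{directory}: {visible} may be a companion; hidden image alongside: {hidden}")
```

The check is deliberately cheap and will produce false positives for legitimate hidden binaries; it is a triage aid for the arrangement the post describes, not a replacement for signature detection of the polymorphic decryptor.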


Nov9
by Reuben Mercado (Technical Communications)

Spammed email messages supposedly from The United States Federal Reserve Bank warn their recipients of a “large-scale phishing attack” affecting several banks and credit unions. A spammed message may look like this:


Figure 1. Sample spammed message.

The email message gives details on the supposed phishing attack and adds that the US Treasury Department has also monitored a high level of illegal wire transfers. Having said that, it informs recipients of restrictions imposed on federal wire transfers as part of security measures supposedly being taken by the government agencies concerned.

The message helpfully gives some links where users can get more detailed information. But instead of being directed to a legitimate website, those who click are led to .org domains with names completely different from the websites of the Federal Reserve Bank, the Treasury Department, or the Federal Deposit Insurance Corporation.
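The mismatch noted above, links to unrelated .org domains in a mail that speaks for the Federal Reserve, the Treasury and the FDIC, is something a mail filter can check mechanically. The following is an added example, not code from the Trend Micro post: it finds the organizations a message invokes, extracts the links, and flags any link whose domain belongs to none of them. The sample message and the `example.org` hosts are constructed; the real domains used in the spam are not given in the post, and the three legitimate .gov domains are listed here as an assumption for the demonstration.

```python
"""Added example (not from the Trend Micro post): flag links whose domain does
not match any organization the message claims to speak for.

CLAIMED_ORGS and SAMPLE_MAIL are constructed for the demonstration."""
import re
from urllib.parse import urlparse

# Assumption for the example: the organizations the mail invokes and the
# domains they actually use. Extend for a real deployment.
CLAIMED_ORGS = {
    "federal reserve": {"federalreserve.gov"},
    "treasury": {"treasury.gov"},
    "fdic": {"fdic.gov"},
}

URL_RE = re.compile(r"""(?i)\b(?:https?://|www\.)[^\s<>"']+""")


def extract_urls(text):
    """Pull http(s):// and bare www. links out of message text."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")
        if url.lower().startswith("www."):
            url = "http://" + url
        urls.append(url)
    return urls


def registrable_domain(hostname):
    """Crude registrable domain: the last two labels. Adequate for .gov/.org/.com
    here; a production check would consult the public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_orgs_in(text):
    lower = text.lower()
    return {org for org in CLAIMED_ORGS if org in lower}


def suspicious_links(text):
    """Return (url, domain) pairs pointing outside every invoked organization.
    A mail that names no known organization is not flagged by this rule: the
    signal is the mismatch between claimed sender and link target."""
    allowed = set()
    for org in claimed_orgs_in(text):
        allowed |= CLAIMED_ORGS[org]
    if not allowed:
        return []
    flagged = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        domain = registrable_domain(host)
        if domain not in allowed:
            flagged.append((url, domain))
    return flagged


# Constructed sample in the style of the spam described in the post.
SAMPLE_MAIL = """\
Subject: Large-scale phishing attack - Federal Reserve notice

The Federal Reserve Bank and the US Treasury Department have monitored a high
level of illegal wire transfers. Restrictions on federal wire transfers apply.
Details: http://fedwire-restrictions.example.org/notice.html
FDIC guidance: http://www.fdic.gov/consumers/
Full report: http://treasury-alert.example.org/report.php?id=1
"""

if __name__ == "__main__":
    for url, domain in suspicious_links(SAMPLE_MAIL):
        print(f"link to {domain} matches no organization named in the mail: {url}")
```

Run against the constructed message, the two `example.org` links are flagged and the genuine FDIC link passes. The rule is intentionally narrow: it catches the "named organization, foreign link" pattern and nothing else, so it complements rather than replaces URL reputation lookups such as the Smart Protection Network blocking mentioned elsewhere on this page.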

Trend Micro engineers are currently investigating this threat. We will post updates as soon as more information becomes available. Other related attacks that use the names of legitimate government organizations or mask themselves as security measures include the following:

Users are advised to refrain from clicking links in unsolicited email messages. It is best to go directly to the website of the concerned organization for more information.

Updates as of November 11, 2008 6PM PST: Users who unfortunately click on the links in the spam infect their PCs with TROJ_INJECT.DG. This Trojan restarts systems and drops TROJ_INJECT.KQ.

Updates as of November 13, 2008 2AM PST: TROJ_INJECT.KQ opens a hidden Internet Explorer window to connect to a certain website. It sends to and receives information from this site, compromising system security.
