March 2010 - Posts

Mar14
6:32 pm (UTC-7)   |   by Sheryll Tiauzon (Advanced Threats Researcher)

For cybercriminals, another celebrity’s death means a new life for their scams. Earlier today, we discovered new FAKEAV variants that take advantage of the death of the former Canadian teen idol, Corey Haim.

Using blackhat search engine optimization (SEO) techniques, a simple Google search for news on Corey Haim’s funeral gives out malicious links in the top search results, which redirect users to sites that eventually lead to the download of a FAKEAV.


A fake scan page convinces users that their computers were affected by several harmful files and that they should download and install the fake antivirus application.


Trend Micro detects the downloaded file as TROJ_FAKEAV.DBB. After installation, the program loads a scan page with fake scan results and offers to remove the harmful files from the users’ machines.


There is, of course, a slight catch since the product requires activation. We advise users to be wary of such tactics since they may unwillingly divulge sensitive information. In this case, the attackers ask for credit card information.


Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious FAKEAV file. It also detects and prevents the download of TROJ_FAKEAV.DBB via the file reputation service.

Here we go again…

Internet Explorer 9 "Platform Preview" Now Available From Microsoft


Published: 2010-03-16,
Last Updated: 2010-03-16 21:09:49 UTC
by Lenny Zeltser (Version: 1)


Microsoft released a "Platform Preview" version of the next version of Internet Explorer. You can download it from http://ie.microsoft.com/testdrive/Default.html. There are several security implications of this release:

  1. Security professionals may be interested in exploring what security features and enhancements (if any) are built into Internet Explorer 9
  2. Attackers may be interested in exploring what vulnerabilities (if any) exist in the code added to Internet Explorer 9
  3. Attackers may start using the lure of installing Internet Explorer 9 as part of phishing and drive-by campaigns

Regarding point #3... At the moment, searching for "Internet Explorer 9" doesn't provide many links that look malicious. I suspect this will change as malicious sites using Search Engine Optimization (SEO) techniques will spring into action to take advantage of people's interest in the new browser.

Have you had a chance to look at Internet Explorer 9? Let us know your security-related observations.

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.

Published: 2010-03-09,
Last Updated: 2010-03-09 18:10:05 UTC
by John Bambenek (Version: 1)

Overview of the March 2010 Microsoft Patches and their status.

#         Affected                                      Contra Indications  Known Exploits     Microsoft rating               ISC rating(*)
                                                                                                                              clients    servers
MS10-016  Vulnerability in Windows Movie Maker Could Allow Remote Code Execution
          Moviemaker: CVE-2010-0265                     KB 975561           no known exploits  Severity: Important            Important  Important
                                                                                               Exploitability: 1
MS10-017  Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
          Excel: CVE-2010-0257, CVE-2010-0258,          KB 980150           no known exploits  Severity: Important            Critical   Important
          CVE-2010-0260, CVE-2010-0261,                                                        Exploitability: 1,2,1,1,2,1,1
          CVE-2010-0262, CVE-2010-0263, CVE-2010-0264
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make systems vulnerable and exploits are being used or are easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. The best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them, however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack) of affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
John Bambenek
bambenek at gmail /dot/ com

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: March 9, 2010

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (981374)
  - Title: Vulnerability in Internet Explorer Could Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/981374.mspx
  - Revision Note: V1.0 (March 9, 2010): Advisory published.

* Microsoft Security Advisory (973811)
  - Title: Extended Protection for Authentication
  - http://www.microsoft.com/technet/security/advisory/973811.mspx
  - Revision Note: V1.3 (March 9, 2010): Updated the FAQ to announce the rerelease of the update that enables Internet Information Services to opt in to Extended Protection for Authentication. For more information, see Known issues in Microsoft Knowledge Base Article 973917.

Mar9
4:39 am (UTC-7)   |   by Sheryll Tiauzon (Advanced Threats Researcher)

It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year’s Academy Awards, Trend Micro threat researchers found FAKEAV variants top-billing the search pages.


This time around, users searching for news on the Oscars fall prey to the latest blackhat search engine optimization (SEO) attack, which uses the search terms “oscar winners 2010 live”. Almost 80% of the results on the first page alone lead to the download of a FAKEAV binary detected by Trend Micro as TROJ_FAKEAV.ZZH.


The said variant has been observed to connect to a remote web site to send and receive information. It is also able to download other malware, Mal_Xed-22 and TROJ_VUNDO.SMAT included.

With the continued proliferation of blackhat SEO attacks leading to FAKEAV, it is apparent that cybercriminals intend to continue riding on top web searches. Users are thus reminded to exercise extreme caution when visiting sites especially with Oscar fever still running high.

Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of TROJ_FAKEAV.ZZH via the file reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

PDF Based Targeted Attacks are Increasing
Posted by Sean @ 15:30 GMT

Microsoft schedules its security updates on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an out-of-cycle security update two weeks ago.

That update should now be applied if you haven't already done so.

Why?

Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft also).

Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G.

It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly.

Looking through our sample management system, we see a growing number of targeted attack files.

There were 1968 files in 2008. The number was 2195 during the year 2009. That isn't a very large increase in the overall total from 2008 to 2009 but we did see a greater percentage targeting Adobe.

And how about the first two months of 2010?

Well, so far the number is 895, which will more than double last year's number if the current pace continues.

The percentage targeting Adobe Reader continues to rise.

Here's a graph with a breakdown of the most common attack vectors used in targeted attacks:

Targeted attacks 2008, 2009, 2010 (Jan/Feb)

Published: 2010-03-09,
Last Updated: 2010-03-09 10:09:31 UTC
by Marcus Sachs (Version: 2)

We received several emails today about the US-CERT analysis of Trojan horse software found in an application designed for a battery recharger.  Our assessment is that due to the dates involved (2007 and 2008) this is likely related to the rash of malware we reported a couple of years ago that was found on digital photo frames, iPods, GPS devices, and other consumer products.  If any of our readers have any additional technical information or observations to share about this case, please use the comment feature below.

Marcus H. Sachs
Director, SANS Internet Storm Center

UPDATE: Due to the high demand and number of notifications from our ISC readers, be aware that yesterday new Nmap and Metasploit modules to detect and exploit this trojan were released.

Keywords: malware

Hackers exploit Oscars to spread scareware attack, Sophos reports
Movie-lovers at risk of infection from fake anti-virus traps

IT security and control firm Sophos is warning that hackers are exploiting interest in last night's Oscar film awards ceremony to infect the computers of unsuspecting computer users.

Movie-loving internet users are searching the web for information and gossip about the Academy Award winners, making phrases like "Oscars Winners" one of the most commonly searched for phrases on the internet. However, using SEO (search engine optimisation) techniques, hackers have created webpages stuffed with content which appears to be related to The Oscars - but are really designed to infect visiting computers.

Malicious Oscar-related search results

"Many people won't have had the chance to watch The Oscars live on television, and so turn to the internet for news on whether their favourite film won an award or not - but careless clicks can lead to a malware attack," explained Graham Cluley, senior technology consultant for Sophos. "Hackers have created poisoned pages that appear on the first page of search engine results, tempting users to click on them. However, if you visit the links you can expect to see bogus warnings that your computer is infected with viruses, that try and trick you into downloading dangerous clean-up software or handing over your credit card details. Scareware or fake anti-virus attacks like this are an increasingly common weapon in the armoury of cybercriminal, jumping on the coat tails of breaking news stories."

Oscar scareware

Sophos detects the attacks as Mal/FakeAVJs-A and Troj/FakeAV-AXS. Users are advised to be cautious about the links they click on and ensure that they are running up-to-date anti-virus protection.

"Cybercriminals love launching SEO attacks because they've proven to be so successful at hitting unsuspecting users," explained Cluley. "Visiting mainstream news websites for breaking news might be a lot safer for users than stumbling across dangerous pages carrying traps laid by hackers."

Further information about the attack can be found on Graham Cluley's blog.

Desperate Phishing Attempt
Posted by Mikko @ 22:26 GMT

Somebody is trying to pose as us. If you see an email like the one below, please ignore it:

     From: security@f-secure.com
     Reply-To: securitysupport@hotxf.com
     Subject: Security Maintenance.F-Secure HTK4S
     Date: Fri, 5 Mar 2010 18:11:05 -0000
     To: undisclosed-recipients:;
     
     Dear Email Subscriber,
     
     Your e-mail account needs to be improved with our new
     F-Secure HTK4S anti-virus/anti-spam 2010-version.
     Fill in the columns below or your account will be
     temporarily excluded from our services.
     
     E-mail Address:
     Password:
     Phone Number:
     
     Please note that your password is encrypted
     with 1024-bit RSA keys for increased security.
     
     Management.
     
     Copyright 2009. All Rights Reserved.


Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either.

Published: 2010-03-08,
Last Updated: 2010-03-08 07:28:45 UTC
by Raul Siles (Version: 1)

An ISC reader (thanks, Paul) notified us about a new SEO (Search Engine Optimization) poisoning attack doing the rounds in the last 6-8 hours. We have talked about this kind of attack in the past, although those were mainly focused on other hot technological topics, major tragedies, or events. This time, the topic used to get on top of the search engine results page is a TV reality show. Specifically, there is a TV show premiere in the US tonight called "Billy the Exterminator". The "wiki billy the exterminator" search term in Google (USE WITH CAUTION: http://www.google.com/search?q=wiki+billy+the+exterminator) shows the poisoning attack.

The compromised sites present the following URL format: /FILE.php?PARAM=billy%20the%20exterminator%20wiki, where FILE is most commonly a three-letter file name and PARAM is an input parameter (one or multiple characters). The affected sites are used for a drive-by attack, presenting victims with a fake AV warning message that drives them to download a piece of malware: "Warning! Your computer is vulnerable to malware attacks. We recommend you to check your system immediately. Press OK to start the process now.".

If you manage, or know someone who manages, any of the affected sites, we would like to get details about the compromise (PHP related) in order to confirm the vulnerability exploited to get into them. Please send details through our contact page.

--
Raul Siles (www.raulsiles.com)
Taddong is coming soon...

Blackhat SEO turns to PDF with Chile and Hawaii disasters

Date:02.28.2010

Threat Type: Malicious Web Site / Malicious Code

Over 13% of all Google searches for popular and trending topics lead to malicious links, and searches for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products.

Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file.

As you can see above, Google tells you the file format is PDF and not HTML. That's not true: it is in fact a regular HTML page that, when visited, redirects the user to a page that looks like this - just another rogue AV fake scanning page. This one, like the majority of rogue AV sites we have seen this week, is in the .IN TLD, which is the top-level domain for India.

By making the search result look like a PDF, the link gains more authenticity. Perhaps it's a research paper, or at least a better-written article. The likelihood that a user will click on these types of links is probably higher than if it were just another random web link.

This is the first time we've seen the attackers use this approach but considering how aggressive the rogue AV gangs are, it's not a surprise that they continue to refine their techniques to get people to "buy" their products.

The Rogue AV file itself is currently detected by 26.20% of the antivirus engines used by VirusTotal.

Websense® Messaging and Websense Web Security customers are protected against this attack.

Mar3
2:54 am (UTC-7)   |   by Carolyn Guevarra (Technical Communications)

Another Proof-of-Concept (POC) Revealed

The changing threat landscape has brought about more sophisticated Web threats and left the online population clamoring for better security features in the systems and applications they use. This has pushed Microsoft to develop security mechanisms within its applications like Windows’ Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

Both DEP and ASLR are security mechanisms that Microsoft included in its latest Windows releases, starting with XP SP2 and Vista, respectively, which should ideally protect systems from exploit code. DEP prevents the execution of code (including malicious shellcode) from memory regions marked nonexecutable. ASLR, on the other hand, randomizes the layout of memory regions (data areas) to make guessing an exact address more difficult. But what if these security mechanisms are not so secure after all?

This is what Berend-Jan Wever, aka Skylined (the security researcher responsible for disclosing the heap-spraying technique), came to discover when he reported a new exploit technique (http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/) that bypasses DEP if the ASLR feature is disabled. In Wever’s full disclosure of the exploit, he discusses how to go around DEP and ASLR using return-to-libc attacks, in which an attacker reuses existing code (of the application being exploited or of library functions) to carry out the attack rather than running his/her own code.

Possibilities Explored

Although these features make it more difficult to achieve code execution on a system, these mechanisms are not perfect and can be bypassed, as revealed in Wever’s exploit code. This exploit may take advantage of an already-fixed vulnerability in Internet Explorer (IE), but the new technique may pave the way for new exploits that can defeat DEP.

As Trend Micro researcher, Rajiv Motwani, puts it, “history could repeat itself. After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not farfetched that the release of this new POC could lead to the same scenario—new exploits could start using return-to-libc to achieve DEP bypass.”

Furthermore, because the exploit affects DEP, which Microsoft only introduced with Windows XP SP2, and ASLR has only been enabled by default since Windows Vista, we can expect to see more reliable code execution exploits on new versions of Windows.
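Whether a given binary even requests DEP and ASLR is recorded in the DllCharacteristics field of its PE optional header, so a defender can audit a fleet of executables for the opt-in bits. The following Go program is an added example, not code from the post or from Wever's disclosure; it constructs a minimal PE header in memory instead of reading a real file, and the flag values and offsets are taken from the PE/COFF specification.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DllCharacteristics bits from the PE/COFF specification. The field sits at
// offset 70 of the optional header in both PE32 and PE32+ images.
const (
	DynamicBase uint16 = 0x0040 // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
	NXCompat    uint16 = 0x0100 // IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
)

// Mitigations records which of the two mitigations a binary opts in to.
type Mitigations struct {
	ASLR bool
	DEP  bool
}

// ParseMitigations walks the DOS header, PE signature and COFF header of an
// image and reads DllCharacteristics from the optional header.
func ParseMitigations(img []byte) (Mitigations, error) {
	var m Mitigations
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return m, errors.New("not a PE image: missing MZ header")
	}
	peOff := int(binary.LittleEndian.Uint32(img[0x3C:])) // e_lfanew
	// PE signature (4) + COFF file header (20) + optional header up to the field (72)
	if peOff < 0 || peOff+4+20+72 > len(img) {
		return m, errors.New("truncated PE header")
	}
	if string(img[peOff:peOff+4]) != "PE\x00\x00" {
		return m, errors.New("missing PE signature")
	}
	optSize := int(binary.LittleEndian.Uint16(img[peOff+4+16:])) // SizeOfOptionalHeader
	if optSize < 72 {
		return m, errors.New("optional header too small")
	}
	optOff := peOff + 4 + 20
	magic := binary.LittleEndian.Uint16(img[optOff:])
	if magic != 0x10b && magic != 0x20b { // PE32 / PE32+
		return m, fmt.Errorf("unknown optional header magic 0x%x", magic)
	}
	dll := binary.LittleEndian.Uint16(img[optOff+70:])
	m.ASLR = dll&DynamicBase != 0
	m.DEP = dll&NXCompat != 0
	return m, nil
}

// BuildSampleImage constructs a minimal PE32 header (not a runnable binary)
// with the given DllCharacteristics. Constructed test input for this example.
func BuildSampleImage(dllChars uint16) []byte {
	img := make([]byte, 0x40+4+20+96)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3C:], 0x40) // e_lfanew -> PE signature
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x40+4+16:], 96) // SizeOfOptionalHeader (PE32)
	opt := 0x40 + 4 + 20
	binary.LittleEndian.PutUint16(img[opt:], 0x10b) // Magic: PE32
	binary.LittleEndian.PutUint16(img[opt+70:], dllChars)
	return img
}

func main() {
	for _, flags := range []uint16{0, NXCompat, NXCompat | DynamicBase} {
		m, err := ParseMitigations(BuildSampleImage(flags))
		if err != nil {
			panic(err)
		}
		fmt.Printf("DllCharacteristics=0x%04x  DEP=%v  ASLR=%v\n", flags, m.DEP, m.ASLR)
	}
}
```

The flags state what the binary requests, not what the OS enforces: a system-wide DEP policy can still cover a binary without NX_COMPAT, and a module without DYNAMIC_BASE loads at its preferred base even on Vista, which is exactly the condition the technique above relies on.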

Thoughts on Public Disclosures

Given the increasing number of POCs that have gone public, there seems to be a need to give responsible disclosure considerable thought. Trend Micro global director for education, David Perry, notes that there seems to be a lot of disclosure rather than response on the exploit. Public disclosures currently act as double-edged swords that both contribute and complicate the threat landscape.

On one hand, disclosures raise public awareness and push developers to act quickly. On the other hand, putting such critical information in the hands of the public could lead to significant exploits, as we saw with the most recent zero-day IE vulnerability.

While actual exploits of this vulnerability have yet to be seen in the wild, Trend Micro Deep Security™ already shields users from potential future exploits. Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the latest IDF filters.

Additional text by Ria Rivera

Viruses and Digital Signatures

Jeet Morparia

March 4th, 2010

Tags: Endpoint Protection (AntiVirus), Malicious Code, Online Fraud, Security, Security Response

Recently, Symantec received some malicious files which appeared to be signed by “Adobe Systems Incorporated”. On closer inspection, however, it was seen that the signature was just a ruse used by the malware author to give an air of legitimacy to the files. Virus writers are getting smarter and going that extra mile to digitally sign their files. Using this technique the malware authors could, for example, penetrate an environment where only signed files are allowed but the authenticity of the signature is not checked.

Although the files are signed, they are signed using an unauthenticated CA (Certificate Authority) which is masquerading as Verisign. A CA is a trusted third party that issues and signs the certificate and vouches for the authenticity of the file. Each CA should be registered and therefore recognized globally as a trusted signer. The signature on the certificate is verified by the signer’s public key.

What the malware authors have tried here is to create their own CA and use it to sign these malicious files. They chose a misleading name for their CA, namely "Verisign", but the private key they use for signing is obviously different from the authentic Verisign CA key. This renders their CA untrustworthy: while the file still carries a valid signature, it is not from the real Verisign CA.

Also, although the file is correctly signed by a company called "Adobe Systems Incorporated," that company has been certified by their fake Verisign CA and therefore has no meaning or relation to the real "Adobe Systems Incorporated."

Shown below are the real and fake Verisign CA signed files. On the left you can see that the certificate chain is not trusted all the way to the root, whereas on the right side (a real Adobe file) the certification chain is trusted up to the root.

[certificates.jpg / path.jpg: certificate chain of the fake Verisign-signed file (left) beside a real Adobe file (right)]

On Windows machines with User Account Control enabled, a warning similar to the one shown below will be displayed (warning that the publisher is unknown).

[warning_1a.jpg: Windows "unknown publisher" warning]

So, in a nutshell, creating “authentic-looking” certificates to make malicious files look legitimate is a trick which virus writers are employing to challenge today’s sophisticated security mechanisms. We have written about certificates being abused previously. The following blog article has more information: Phishing Toolkits Attacks are Abusing SSL Certificates.

So, play safe, and check the authenticity of the signature whenever one is present.

Friday, March 5, 2010  
 
The Morphing PDF
Posted by Response @ 07:00 GMT

Just when we thought SEO using Flash was as interesting as SEO poisoning can get, it seems it's getting even sneakier…

Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF.

Joe Corvo

And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file.

Joe Corvo PDF

Three hours later… Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache.

Joe Corvo, 3hrs later

But is it really a PDF this time around?

Joe Corvo HTML

It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF:

Jay Polhill PDF

At least for a few hours before it becomes…

Jay Polhill HTML

It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam.

Response post by — Christine and Mina


Mar4
5:21 pm (UTC-7)   |   by Trend Micro

TrendLabs researchers recently published their findings on ZeuS, a botnet that is again making the headlines in today’s threat landscape.

ZeuS: A Persistent Criminal Enterprise

ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities.

The paper provides an extensive view of the ZeuS botnet. From a thorough discussion of its usual routine up to the possible criminal organizations involved, the research is a must read for users who want to get the rundown on this persistent online threat.

For more information on the above-mentioned subject and other previously released white/research papers, you may download the reports from this page.
