September 2010 - Posts

Facebook is one of the most popular sites on the Internet, and Symantec advises caution when following links, using the LIKE button, or clicking on other potentially dangerous objects.

Social Network Flooded with Scam Messages

Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week.

Even though it might appear that one of your friends has shared this link, he or she most likely did not do it knowingly. This is because whenever someone follows one of these malicious links, he or she ends up at an intermediate site on Facebook that will then load an “iframe” from a remote site. In this particular case, the remote site hosted four more scams targeting Facebook, each with different themes. The iframe loads an Uncle Sam image from a free image-hosting site and then asks the user to click on some part of the image.

However, what the user doesn’t see is that the attacker has also loaded a Facebook site, but has modified it to be invisible. The hidden page that is loaded is the Facebook “Like button” page, which is conveniently placed under the mouse pointer of the user. Hence, when the user clicks on the colored bars of the image, he or she is actually clicking on the invisible Like button and consequently shares the attacker’s link with all of his or her friends on Facebook. (The same trick is attempted with an invisible “Share” button.)
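The trick described above works only because the Like button page can be loaded inside a frame on an attacker-controlled site. The standard defence for pages that are not meant to be embedded is to forbid framing by other origins via the X-Frame-Options or Content-Security-Policy frame-ancestors response headers. The following added example (not code from Symantec's post) evaluates those headers the way a browser would and reports whether a given site could overlay the page; it is a constructed illustration that ignores ports, and it does not help widgets such as the Like button, which are designed to be embedded and need other controls.

```python
"""Decide whether a browser would let a page be rendered inside an <iframe> on another
site, from its X-Frame-Options / Content-Security-Policy frame-ancestors headers.
Constructed defensive example; not code from the original post. Ports are ignored."""
from urllib.parse import urlparse


def _origin(url):
    """Reduce a URL to its lower-cased scheme://host origin (ports ignored here)."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}"


def _matches_frame_ancestor(source, page_origin, framer_origin):
    """Match one frame-ancestors source expression against the framing page's origin."""
    source = source.strip().lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return framer_origin == page_origin
    if source in ("http:", "https:"):                 # scheme-only source
        return framer_origin.startswith(source + "//")
    scheme, sep, host = source.rpartition("://")
    if sep and not framer_origin.startswith(scheme + "://"):
        return False                                  # explicit scheme must match
    host = host.split(":", 1)[0]                      # drop any port
    framer_host = urlparse(framer_origin).hostname or ""
    if host.startswith("*."):                         # wildcard covers subdomains only
        return framer_host.endswith(host[1:])
    return framer_host == host


def may_be_framed(headers, page_url, framer_url):
    """True if a page served with `headers` can be framed by `framer_url`.
    A frame-ancestors directive overrides X-Frame-Options when both are present."""
    page_origin, framer_origin = _origin(page_url), _origin(framer_url)
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split() or ["'none'"]     # empty list behaves like 'none'
            return any(_matches_frame_ancestor(s, page_origin, framer_origin)
                       for s in sources)
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer_origin == page_origin
    return True    # no anti-framing header: any site can overlay the page, as above
```

A page that returns True for an arbitrary third-party origin is exactly the situation the scam exploits: the response carries nothing that stops a hostile site from framing it and hiding it under a decoy image.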

The free version of the ZoneAlarm Firewall recently introduced new popup warning messages that stated “Global virus alert. Your PC may be in danger!” and then cited an example from the Zeus trojan family.

While ZoneAlarm has offered an excellent, leakproof, award-winning bi-directional firewall for several years, this advertising approach was not well received. In fact, the message resembles the tactics of rogue and FakeAV scareware, which use fear to motivate users.

The vendor quickly retracted this popup alert, as marketing ideas sometimes do not go as well as planned. They will most likely never again use this form of advertising to upsell users to the paid version. Security products are better marketed on the quality of their protection.

CheckPoint: ZoneAlarm Is No Rogue

QUOTE: Users of ZoneAlarm Free Firewall 9.2, PCMag's Editors' Choice for free firewall, were treated to a similar message this morning. Some of my colleagues feel this alert goes too far; Check Point says they were only trying to help.
As you can see, it doesn't actually say that your PC is infested with ZeuS.Zbot.aoaq, just that it "may be in danger". If you click the link to "See Threat Details" you come to a page of statistics purporting to show that only ZoneAlarm Internet Security Suite can protect you - not Norton, not Trend Micro, not any of several free antivirus solutions. Problem is, the source of those statistics repudiates their use here, saying "virustotal is NOT meant for AV comparatives".

Check Point responded: "The popup message in ZoneAlarm Free Firewall was intended as an alert to a virus our technology discovered. We wanted to proactively let our users know that ZoneAlarm Free Firewall and other AV products do not fully protect from this virus. It was never our intent to lead customers to believe they have a virus on their computer. This was purely an informative message about a legitimate and serious virus that also included information about the differences in protection of various products, and how to get protection against it. ZoneAlarm is committed to providing our customers with the best protection and considers it our job to proactively alert users whenever a potential risk is looming rather than wait for the damage to be done."

I'm afraid I don't buy it. The popup message is a clear and simple attempt to scare users of the free ZoneAlarm Firewall into purchasing a paid ZoneAlarm product. While it's not as pushy as the actual rogue products, I do see it as misleading. The fact that it links to misleading statistics is another nail in the coffin. CheckPoint may have inspired a few users to buy an upgraded product, but I'm sure many others are left with a lasting bad impression. The net effect of this initiative is decidedly negative.

QUOTE: Today, per a Presidential Proclamation and a Senate Resolution, marks the start of the sixth annual National Cybersecurity Awareness Month. As stated in the President’s Cyberspace Policy Review, cybersecurity is a national priority and is vital to our economy and the security of our nation. The financial industry, our government networks, and your home computers are under continual attack from a variety of malicious actors, including domestic hackers, international organized crime rings, and foreign intelligence agencies. They are stealing your identities and financial information, sensitive government data, and proprietary industry information. As President Obama stated in his May 29th speech, "America's economic prosperity in the 21st century will depend on cybersecurity."

Microsoft released an out-of-band security update early this afternoon. Please apply it promptly. So far, the update is working well in early testing.

Microsoft Security Updates - Out-of-Band release on September 28th

QUOTE: Microsoft is going to release an Out-of-Band Security bulletin tomorrow, 28 September 2010, which will address a security vulnerability in ASP.Net affecting all current versions of Windows.

TrendLabs shares an informative write-up on a new botnet family that is currently affecting users in Asia.

New Avzhan Bot Family Revealed

QUOTE: A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided. Avzhan bots install themselves onto the Windows system directory using the file name {six random lower-case letters}.exe. After installation, it deletes its original copy then executes the copy it installed. It registers itself as a service to run at every system startup, as shown by the service named Q MUSCIC below.

As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems. In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:

• Computer name
• CPU speed
• Language used
• Memory size
• Windows version
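
The installation behaviour Trend Micro describes (a six-lower-case-letter .exe in the Windows system directory, registered as an autostart service) is something a defender can hunt for across a service inventory. The following added example (not Trend Micro's code) applies that rule to constructed service records of the kind returned by `sc qc` or WMI; the binary names and hosts in the sample are made up, and the service name Q MUSCIC is the one quoted above.

```python
"""Hunt for autostart services whose binary matches the Avzhan installation pattern:
{six lower-case letters}.exe in the Windows system directory, set to start automatically.
Constructed example, not Trend Micro's code; sample records below are made up."""
import re
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")
RANDOM_NAME = re.compile(r"^[a-z]{6}\.exe$", re.IGNORECASE)  # NTFS names are case-insensitive


def binary_from_image_path(image_path):
    """Extract the executable from a service ImagePath, which may be quoted and may
    carry arguments, e.g. '"C:\\Windows\\system32\\svchost.exe" -k netsvcs'."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:].split('"', 1)[0]
    m = re.match(r"^(.*?\.exe)(\s|$)", image_path, re.IGNORECASE)
    return m.group(1) if m else image_path


def is_avzhan_like(service):
    """service: dict with 'name', 'image_path' and 'start_mode' (Auto/Manual/Disabled)."""
    binary = binary_from_image_path(service["image_path"])
    directory = ntpath.dirname(binary).lower()
    filename = ntpath.basename(binary)
    return (service["start_mode"].lower() == "auto"
            and directory in SYSTEM_DIRS
            and RANDOM_NAME.match(filename) is not None)


def hunt(services):
    """Return the names of services matching the pattern, for analyst triage."""
    return [s["name"] for s in services if is_avzhan_like(s)]


# Constructed sample inventory (hypothetical binaries; not from real hosts)
SAMPLE_SERVICES = [
    {"name": "Q MUSCIC", "image_path": r"C:\Windows\system32\xkqzvb.exe", "start_mode": "Auto"},
    {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe", "start_mode": "Auto"},
    {"name": "netsvcs", "image_path": r'"C:\Windows\system32\svchost.exe" -k netsvcs', "start_mode": "Auto"},
    {"name": "updater", "image_path": r"C:\Program Files\Tool\abcdef.exe", "start_mode": "Auto"},
    {"name": "ondemand", "image_path": r"C:\Windows\system32\qwerty.exe", "start_mode": "Manual"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_SERVICES))
```

Legitimate Windows binaries with six-letter names also live in system32, so treat hits as triage candidates to be checked against known-good inventories and Authenticode signatures rather than as confirmed infections.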

Sunbelt Security is warning of at least three separate forms of attack on this highly popular game. Avoid free downloads that promise success, be careful with Internet searches, and never hand over your account credentials to others.

Sunbelt Blogs: Halo Reach: Scams Galore

QUOTE: Halo Reach has been doing rather well since the game was launched last week. Of course, this means scammers have marked it as a target for shenanigans. I thought it would be a good idea to have a quick look at some of the most common pitfalls to avoid. I haven’t touched phishing, as Bungie (the Halo developers) have covered that one nicel

Halo Reach - Very popular (70 million times played)

(1) Free generators. It doesn’t matter whether they’re offering up free armour downloads, extra weaponry or, er, “flaming helmets” – you can bet hard cash that whatever they’re offering will not work. Many of these sites lurk on free blog hosting, advertised via Youtube

(2) Something else gamers should be wary of is stumbling onto infected sites that through accident or design (in the form of Blackhat SEO) are touting all manner of Malware. One little letter missing, and the end-user would be stumbling onto a URL flagged with the “This site may harm your computer” warning from Google Search.

(3) Modding / hacking XBox accounts for cash, buying high level profiles, giving control of your account to strangers to let them increase your score. All of the above are bad ideas – modding accounts can easily be detected, and the banhammer is probably going to fall on your head shortly afterwards.

Finally, it goes without saying that you should never hand over login details to “helpful” gamers who want to increase your score – things will go wrong in a hurry.  There will probably be many more scams related to Halo Reach over the coming months, but the above list hopefully gives you an idea of what the most common ones will be.

All MSE and Forefront users should ensure their virus signature files are up to date. On September 16, 2010, Microsoft included an engine update that enhances detection capabilities to better meet constantly changing security requirements.

QUOTE: Antimalware Engine 1.1.6201.0 is released to all MSE and FCS customers on 16 September 2010. Signature package is the first that contains this engine.

Affected products: Microsoft Security Essentials (MSE), Forefront Client Security (FCS)

Engine Version will be in the range of 1.1.620X.0

Microsoft will be strengthening security controls for its free Hotmail service this week.

Microsoft Hotmail Security Enhancements Coming

QUOTE: Microsoft said it is delivering security changes to Hotmail users this week, including new user identity proofs and detection capabilities meant to thwart account hijacking. Microsoft has begun rolling out new security features for Hotmail users today centered around preventing and detecting account compromises. Once they arrive, the changes will include both new proofs for user authentication as well as detection capabilities meant to identify hijacked accounts.

In the area of proofs, users will be able to add a “Trusted PC” to associate with their Hotmail account. If an account is compromised, all a victim needs to do to reclaim their account is to login from their trusted machine. Cell phones can be used as proofs as well, with Microsoft sending a code via SMS message to allow users to reset their passwords.  “Account proofs are like a spare key to your account,” Lewis said. “If you set them up in advance, in the unlikely event that you forget your password or someone hijacks your account you can use them to “prove” that you are the rightful owner and kick out the hijacker.”

This is an excellent technical resource on how PDFs operate and how they can be manipulated by malicious individuals.

Malicious PDF Analysis - Free E-book

QUOTE: Didier Stevens has published a 23-page paper on how to analyze nasty PDFs. While the content is a bit dated and the attackers have added more insidious exploit obfuscation to their arsenal since, the document explains all the concepts that are still valid and useful whenever you encounter a suspicious PDF today.  If you're into PDF analysis (and even if you aren't), this is a must-read.

AVERT Labs provides an informative update on highly advanced malware that could impact automation found in industrial control systems. Firms operating such systems should thoroughly patch all software and scan for the presence of malware.

MS10-046: Stuxnet - Advanced malware that could impact energy firms running unpatched Windows

QUOTE: Stuxnet is a highly complex virus targeting Siemens’ SCADA software.  The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729).  It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.

Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Windows Shell (LNK) Vulnerability - Patch by performing Windows update

Please avoid suspicious downloads or email messages that offer customizable profile settings. Instead, lock down your privacy and security settings directly within Facebook and select other preferable settings there.

Facebook - Avoid downloads that offer to customize your Facebook profile

QUOTE: Take care when downloading programs or browser extensions that offer to “customize” your Facebook Profile. These products are not built or sanctioned by Facebook and may leave you vulnerable to security threats.

Please be careful not to select links from suspicious messages that appear to come from Facebook. Instead, log into FB and check for new messages there.

Facebook - New attacks where email messages are similar to Facebook notifications

QUOTE: We've received reports of a new malware campaign using emails made to look like they're from Facebook. Scammers sometimes pose as friends or popular websites in order to trick people into installing malware or providing personal information. Stay vigilant, and remember that Facebook won't send you emails with attachments. If an email looks suspicious, delete it and warn your friends.

One increasingly popular trend on Facebook is for a hyperlinked one-line popular or religious phrase to show up in the News Feed as something a FRIEND has selected (with the LIKE button available).

In early usage of Facebook, I had even selected a few of these. Later, I discovered they are difficult to remove from LIKE lists. While these links may or may not be malicious, the linked sites can contain extensive advertising rather than supporting the theme noted by the link. I stopped selecting these a while back, and the Internet Storm Center also recently noted caution, as quoted below.

Facebook - Be careful with the LIKE button on URLs

QUOTE: I am seeing a trend on Facebook recently, and I am not sure what to make of it. As we all know just too well, Facebook has a "Like" feature. This feature, a little button associated with a post, allows you to show agreement with a post. Lately however, I am seeing more and more posts like the following: (a hyperlinked phrase with a button)

Nobody has seen anything malicious from these URLs yet, so it appears to be just "Spam", maybe search engine optimization techniques to get these pages linked and ranked higher. A couple readers noted that unlike a regular "like", it is not so easy to remove these notes from your profile. You need to go to your "wall" page and remove them. You cannot remove them like normal "Likes" from your "Newsfeed".

Individuals with advanced technical skills are the best candidates for testing this first beta version of Internet Explorer 9.

Internet Explorer 9 Beta - Home Page

Internet Explorer 9 Beta - Key Features

QUOTE: The wait is over for the newest beta version of Microsoft’s browser, Internet Explorer 9.  Starting on September 15, 2010 (PDT), users will be invited to download this newest test version.

Internet Explorer 9 offers substantial improvements over the current version including: a streamlined interface, full hardware-accelerated HTML5, modern SVG and native JavaScript integration, support for the Web Open Font Format as well as faster overall performance. The new Internet Explorer 9 Beta provides a more secure, stable and fast browsing experience.

Internet Explorer 9 Beta is compatible with Windows Vista SP2 and Windows 7 PCs. It is not available for earlier versions of Windows Vista or with PCs running Windows XP.

Microsoft released several critical security updates during September, as noted in the links below. Please install these promptly to ensure your systems are properly protected.

Microsoft Security Updates - September 2010

ISC Patch Tuesday Summary (always an excellent resource)
