October 2010 - Posts

Trend provides an in-depth technical review of this latest ZBOT trojan which is a highly advanced malware attack.

Full Analysis of the ZeuS-LICAT Trojan
http://blog.trendmicro.com/full-analysis-of-the-zeus-licat-trojan/

QUOTE: Last September, several individuals were arrested for using information-stealing Trojans created with the well-known ZeuS toolkit. Following this, security researchers anticipated the inevitable “upgrade” to the toolkit/Trojans that will allow cybercriminals to continue their money-making ploy. Soon enough, we received reports on a ZeuS Trojan Trend Micro detects as TSPY_ZBOT.BYZ with the following new features:

We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:

Please update Flash as prompted to ensure the best levels of safety are in place.

Adobe - Critical Update for Flash
http://www.adobe.com/support/security/advisories/apsa10-04.html

QUOTE:  A critical vulnerability exists in Adobe Shockwave Player 11.5.8.612 and earlier versions on the Windows and Macintosh operating systems. This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system. As of October 27, Adobe is aware of reports of this vulnerability being exploited in the wild.  A fix is available for Adobe Shockwave Player 11.5.8.612 on the Windows and Macintosh operating systems as of Thursday, October 28, 2010. Please refer to Security Bulletin APSB10-25.

While malware may be circulating less actively for Linux or Mac users, there are still threats and the need to always be careful.  Koobface (Facebook spelled backwards) has now been retrofitted so that these environments may also be infected if users are not careful.

Koobface Worm - Now a threat for Linux and Mac users
http://www.computerworld.com/s/article/9193720/Koobface_worm_targets_Mac_users_on_Facebook_Twitter

QUOTE: A new variant of the Koobface worm that targets Mac OS X and Linux as well as Windows is spreading through Facebook, MySpace and Twitter, security researchers warned today. Antivirus firms first reported the malware, dubbed "Boonana," on Wednesday when Intego and SecureMac, two Mac-only security vendors, warned Mac OS X users that the worm was aimed at them.

Boonana spreads via messages posted to social networking or microblogging sites. Those messages bait the trap with the subject "Is this you in the video?" and a link to a malicious site. People who bite and click the link are then prompted to run a Java applet.

Webroot shares an excellent newsletter related to National Cyber Security Awareness for the month of October.  I've also seen the phrase "Think before you click" which denotes that our own actions can get us in trouble if we let curiosity override the need for safety in the dangerous

Security Awareness - Stop, Think, Connect
http://blog.webroot.com/2010/10/04/five-reasons-you-should-always-stop-think-connect-2/

Stop, Think, Connect
http://safetyandsecuritymessaging.org/

QUOTE: The army of criminals who commit fraud and theft over the Internet have several tricks up their sleeves. They disguise themselves and rely on you to not stop, not think, and to click links or open files immediately. That's how most people infect themselves. Luckily, you can prevent most of these infections yourself, simply by exercising a little restraint.

In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.

TOP THREE SCAMS CIRCULATING TODAY

Scam #1: Your computer is infected!  The biggest criminal enterprise is the rogue antivirus product. It tries to convince you that your computer is infected so you hand over money for "antivirus protection" - which is not actually protection at all. The minute you see a fake alert, stop everything you're doing, kill the browser, and perform a full scan with the legitimate antivirus product of your choice.

Scam #2: Check out this cool link! Your friend's email or Facebook account is hijacked, and you receive a brief message with a short URL to watch a video or check out something equally "cool." The link actually leads to a malicious page with a malware download. Most shortlink services have a feature that lets you preview where the shortlink will go; use it. If you've never heard of the Web site, check the true destination domain against a reputation service, such as Webroot's Brightcloud. And don't be the first one among your friends to click a link.

Scam #3: John Doe wants to be your friend. In this one, the scammers usually duplicate the message format of popular social network sites. Instead of linking to "friend request," it takes you to a malicious page instead. To avoid this one, without clicking anything, move the mouse over the link in your email message, then look at the Status Bar to see exactly where the link leads. If the message claims to come from one company, but the URL points to a domain you've never heard of, don't click the link.

Below are the top 5 latest threats identified by Webroot

1. Rogue Security Products
2. Worm-Koobface
3. Virtumonde
4. Trojan-Backdoor-Progdav(Zbot)
5. Trojan-Agent-TDSS

When you access a website to enter or view sensitive information, it's important that the site use https (which creates an encrypted SSL session) rather than standard http sessions.  SSL encryption is especially important and mandatory for banking or any e-commerce transactions.  

With Firesheep All Your HTTP Sessions Are Belong To Us
http://blogs.pcmag.com/securitywatch/2010/10/with_firesheep_all_your_http_s.php
http://www.technewsworld.com/story/Firesheep-Exposes-the-Soft-Underbelly-of-Website-Security-71115.html
http://www.networkworld.com/news/2010/102610-firesheeps-a-huge-hit-with.html
http://blogs.wsj.com/digits/2010/10/25/firesheep-highlights-web-privacy-problem/

QUOTE: If you didn't already know that plain HTTP sessions are utterly insecure, here's proof: A new Firefox addin named Firesheep captures sessions on open Wifi networks and goes one step more sinister. It finds users logged into Facebook, Twitter, Google, Amazon, Dropbox, Evernote, Wordpress, Flickr, bit.ly and other services. It lets you take over their sessions and become them.
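
A site owner can check for this exposure by looking at which cookies the browser would attach to plain-HTTP requests. The following is an added example, not taken from any of the linked articles: it parses `Set-Cookie` headers and lists the requests that would carry cookies lacking the `Secure` attribute in cleartext. Hosts, cookie names and values are constructed, and cookie matching is simplified to the domain and `Secure` rules (the `Path` attribute is ignored).

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: cookies set by https://www.shop.example/login
ORIGIN_HOST = "www.shop.example"
SET_COOKIE_HEADERS = [
    "session_id=constructed123; Path=/; HttpOnly",     # no Secure flag
    "csrf=constructed456; Path=/; Secure; HttpOnly",
    "prefs=dark; Domain=shop.example; Path=/",          # shared with subdomains
]
# Constructed sample: requests the browser makes after login.
REQUEST_URLS = [
    "https://www.shop.example/account",
    "http://www.shop.example/images/logo.png",
    "http://static.shop.example/site.css",
    "http://cdn.other.example/lib.js",
]

def parse_set_cookie(headers, origin_host):
    """Turn Set-Cookie header values into a simple cookie jar."""
    jar = []
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            domain_attr = morsel["domain"].lstrip(".").lower()
            jar.append({
                "name": name,
                # Without a Domain attribute the cookie is host-only.
                "domain": domain_attr or origin_host.lower(),
                "host_only": not domain_attr,
                "secure": bool(morsel["secure"]),
            })
    return jar

def cookie_matches(cookie, host):
    if host == cookie["domain"]:
        return True
    return not cookie["host_only"] and host.endswith("." + cookie["domain"])

def cleartext_exposure(jar, request_urls):
    """Return (url, [cookie names]) for each HTTP request that leaks cookies."""
    exposed = []
    for url in request_urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # HTTPS requests are encrypted on the wire
        host = (parts.hostname or "").lower()
        names = [c["name"] for c in jar
                 if not c["secure"] and cookie_matches(c, host)]
        if names:
            exposed.append((url, names))
    return exposed

if __name__ == "__main__":
    jar = parse_set_cookie(SET_COOKIE_HEADERS, ORIGIN_HOST)
    for url, names in cleartext_exposure(jar, REQUEST_URLS):
        print(url, "->", ", ".join(names))
```

In the sample, a single image fetched over `http://` is enough to put `session_id` on the open network even though the login itself used HTTPS.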

Please be careful when visiting websites or following any links presented.  FakeAV infections are very difficult to clean, and one of these malware attacks is actively circulating in the wild.

FakeAV - Rogue variant that spoofs Microsoft Security Essentials circulating
http://www.f-secure.com/weblog/archives/00002053.html

QUOTE: However, there's a rogue security product out there that claims to be "Microsoft Security Essentials". It has nothing to do with Microsoft.  This malware is distributed via drive-by-download attacks. And not only does this fake tool steal Microsoft's brand, it also features a bizarre matrix display of 32 antivirus products, offering to locate you a tool that would be capable of fixing your machine as "Microsoft Security Essentials" can't clean the malware it found. In reality, this is all fake, and the tool has not found an infection in the file it claims.

I've always cautioned friends to avoid these types of games (e.g., they may pick up malicious strangers as "friends" who can misuse sensitive information, they may annoy some FB users, etc.).  This may not be a significant issue, as social networking is a wide-open and non-private environment setting. Still, if promises of privacy were broken, it'll be interesting to see if anything becomes of it.

Zynga sued in privacy breach controversy
http://sunbeltblog.blogspot.com/2010/10/zynga-sued-in-privacy-breach.html
http://www.theregister.co.uk/2010/10/20/facebook_games_maker_sued/
http://online.wsj.com/article/SB10001424052702304772804575558484075236968.html

QUOTE: 218 million “class members” probably won’t settle for Farmville dollars.  A suit has been filed in U.S. District Court in San Francisco on behalf of a Minnesota woman charging game maker Zynga with leaking the personal information of 218 million Facebook members in violation of federal law. The suit seeks class action status.

The lawsuit alleges that Zynga, maker of six of the top 10 Facebook games, collected and shared the IDs of 218 million users, in violation of federal law and terms of service. It seeks unspecified monetary damages and an injunction preventing the alleged practice from continuing. The suit was filed in US District Court in San Francisco on behalf of Nancy Graf of St. Paul, Minnesota. It seeks class action status so other Facebook users may also be represented.

The action follows an investigation by The Wall Street Journal that found that a large number of Facebook apps, including all of the top 10, transmitted the unique user IDs of those who ran them to outside companies. Zynga – maker of games such as Farmville, Mafia Wars, and Cafe World – was found to be “transmitting personal information about a user's friends to outside companies,” the paper reported.

Trend shares an informative analysis of how FakeAV attacks are using Java and realistically mimicking IE, Firefox, or other vendor updates.  Please be careful when applying all updates.

FakeAV Attacks - Increasing use of Java and realistic-appearing product updates
http://blog.trendmicro.com/fakeav-update-java-vulnerabilities-and-improved-fake-alerts/
http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/

QUOTE: FAKEAV doorway pages (a concept previously discussed in “Doorway Pages and Other FAKEAV Stealth Tactics”) are increasingly using Java vulnerabilities. In cases where these vulnerabilities cannot be exploited, PDF exploits are used instead. We detect the said Java and PDF exploits as JAVA_LOADER.HLL and TROJ_PIDIEF.HLL respectively.

This isn’t the only way FAKEAV has recently evolved, however. While browser-specific payloads and pages are not new, the pages being served up are more polished than before. Here are samples of two browser-specific pages we saw—one is for Internet Explorer while the other is for Firefox.

Both pages very closely mimic the actual interfaces of the aforementioned browsers. In Firefox’s case, not only did they mimic Mozilla’s site design, they also detected which browser version runs on a particular system. This kind of very specific and well-polished behavior can easily lead users to believe that the alerts they see are legitimate.

 

During our difficult economic times, individuals without jobs may be tempted to look into and even apply for "work at home" opportunities.  However, there is danger associated with these scams, especially when folks have to pay for the privilege to work at home.  Some safety warnings and protective safeguards are offered by the FBI in this special warning.

FBI Warning - Avoid Work-at-Home scams
http://www.ic3.gov/media/2010/WorkAtHome.pdf

QUOTE: Consumers continue to lose money from work-from-home scams that assist cyber criminals move stolen funds. Worse yet, due to their deliberate or unknowing participation in the scams, these individuals may face criminal charges. Work-from-home scam victims are often recruited by organized cyber criminals through newspaper ads, online employment services, unsolicited emails or “spam”, and social networking sites advertising work-from-home opportunities.

Once recruited, however, rather than becoming an employee of a legitimate business, the consumer is actually a “mule” for cyber criminals who use the consumer’s or other victim's accounts to steal and launder money. In addition, the consumer’s own identity or account may be compromised by the cyber criminals.

Example of a Work-From-Home Scheme:

• An individual applies for a position as a rebate or payments processor through an online job site or through an unsolicited email.

• As a new employee, the individual is asked to provide his/her bank account information to his/her employer or to establish a new account using information provided by the employer.

• Funds are deposited into the account that the employee is instructed to wire to a third (often international) account. The employee is instructed to deduct a percentage of the wired amount as their commission.

• However, rather than processing rebates or processing payments, the individual is actually participating in a criminal activity by laundering stolen funds through his/her own account or a newly established account.


Protect Yourself:

• Be wary of work-from-home opportunities. Research the legitimacy of the company through the Better Business Bureau (for US-based companies) or WHOIS/Domain Tools (for international companies) before providing personal or account information and/or agreeing to work for them. In addition, TrustedSource.org can help you identify companies that may be maliciously sending spam based on the volume of email sent from their Internet Protocol (IP) addresses. See also the FTC’s recommendations.

• Be cautious about any opportunities offering the chance to work from home with very little work or prior experience. Remember: if it looks too good to be true, it usually is.

• Never pay for the privilege of working for an employer. Be suspicious of opportunities that require you to pay for things up front, such as supplies and other materials.

• Never give your bank account details to anyone unless you know and trust them.

• If you think you may be a victim of one of these scams, contact your financial institution immediately. Report any suspicious work-from-home offers or activities

Adobe has announced plans to strengthen its Acrobat Reader when processing PDF files to reduce malware attacks.  It will use Protected Mode and sandbox security concepts to better interface with Windows APIs and potentially reduce some of the dangers associated with PDF processing today.

Adobe - Creating Sandbox Architecture for reader
http://blogs.pcmag.com/securitywatch/2010/10/adobe_describes_upcoming_windo.php
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html

QUOTE: Another approach, which Adobe announced in July, was that they would implement a sandbox architecture in Reader for Windows. All the same vulnerabilities affect Acrobat and most of them affect other operating systems, but Reader for Windows was chosen because it's the overwhelming majority of the installed base and therefore the overwhelming majority of the systems attacked. Remove the ability to attack Reader and attackers will look elsewhere.

The sandbox splits Reader in two: The core functions, including parsing and rendering PDFs and executing JavaScript are done in a restricted sandbox process. If code in that process must perform some potentially dangerous task like calling a Windows API or using the file system, it must call to a separate process called the broker process through interprocess communication. No details are provided, but presumably this IPC mechanism is protected somehow so that it can't be called by inappropriate code.

Because the sandbox process has very little in the way of rights, even if an exploit takes complete control of that process it won't be able to do anything useful.  Sandboxes are great and this one should go a long way towards protecting users.
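
The split described above only helps if the broker treats every request from the sandbox process as hostile. The following is an added example, a small Python model of that broker pattern and not Adobe's design or code: the `Broker` class, the single `read_file` operation and the one-directory policy are assumptions made for illustration.

```python
import os
import tempfile

class BrokerDenied(Exception):
    """Raised when a sandbox request violates the broker's policy."""

class Broker:
    """Privileged side: reads files for the sandbox after policy checks."""
    ALLOWED_OPS = {"read_file"}  # hypothetical policy: read-only access

    def __init__(self, allowed_dir, max_bytes=1 << 20):
        self.allowed_dir = os.path.realpath(allowed_dir)
        self.max_bytes = max_bytes

    def handle(self, request):
        # The sender may be fully attacker-controlled: validate every field.
        if not isinstance(request, dict) or request.get("op") not in self.ALLOWED_OPS:
            raise BrokerDenied("operation not permitted")
        path = request.get("path")
        if not isinstance(path, str) or "\x00" in path:
            raise BrokerDenied("malformed path")
        # Canonicalise first so "..", absolute paths and symlinks cannot
        # step outside the allowed directory.
        real = os.path.realpath(os.path.join(self.allowed_dir, path))
        if os.path.commonpath([real, self.allowed_dir]) != self.allowed_dir:
            raise BrokerDenied("path escapes the allowed directory")
        with open(real, "rb") as fh:
            return fh.read(self.max_bytes)

def demo():
    """Send one benign and three hostile requests; files are constructed."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.mkdir(docs)
        with open(os.path.join(docs, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-constructed")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"outside the policy")
        broker = Broker(docs)
        requests = [
            ("allowed", {"op": "read_file", "path": "report.pdf"}),
            ("traversal", {"op": "read_file", "path": "../secret.txt"}),
            ("absolute", {"op": "read_file", "path": secret}),
            ("bad_op", {"op": "write_file", "path": "report.pdf"}),
        ]
        results = {}
        for label, req in requests:
            try:
                results[label] = broker.handle(req)
            except BrokerDenied as exc:
                results[label] = "denied: " + str(exc)
        return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```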

Small businesses should ensure they have the best levels of security and check account statements regularly for any unusual activities.

FBI Warning - Cybercriminals targeting small business accounts
http://www.fbi.gov/scams-safety/e-scams
http://www.ic3.gov/media/2010/CorporateAccountTakeOver.pdf
http://www.darkreading.com/smb-security/security/perimeter/showArticle.jhtml?articleID=227900529

QUOTE: Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered.

 

Several critical updates for Firefox were recently released - please update as prompted to ensure improved safety.

Firefox 3.6.11 released to address 12 vulnerabilities
http://blogs.pcmag.com/securitywatch/2010/10/firefox_updates_fix_12_vulnera.php
http://www.mozilla.org/security/announce/

QUOTE: Mozilla has released versions 3.6.11 and 3.5.14 of Firefox to address 12 vulnerabilities in nine updates. Five of the updates are rated Critical, two High, one Moderate and one Low. The updates may be downloaded directly: click here for 3.6.11 and here for 3.5.14. You can download updates with the Help-Check for Updates feature. If you don't update within 24-48 hours, you should receive a notification that an update is available. Even though an update is available for the 3.5 branch of Firefox, Mozilla recommends strongly that you upgrade to 3.6.11. Before too long, support for the 3.5 branch will be withdrawn.

Please auto-update as prompted or obtain the update from the download site:
http://www.mozilla.com/en-US/firefox/all.html

 

MSE just celebrated its first anniversary and a new release became available during Patch Tuesday for October 2010.  If your icon has turned orange, it denotes a new version is available.  Please install the latest version if prompted to ensure you are completely up-to-date.

Microsoft Security Essentials - New release during October 2010
http://www.microsoft.com/security_essentials/

QUOTE:  Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.  Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple.  Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.

Java is indeed one of the attackers' primary conduits for malware these days.  In the 1st link below, the chart is worth looking at, as the exponential growth shown is alarming.  I thought the PDF dangers might be high, but web/email based attacks are off the charts.  As Java works behind the scenes, it may not be as visible to users, and neither is the need for it to be updated. Always carefully update Java as prompted to ensure your PC is adequately protected.

Microsoft warns of major increase in Java based attacks
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/

QUOTE: What I discovered was that some of our exploit "malware" families were telling a scary story - an unprecedented wave of Java exploitation.  In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored.

Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it.  On top of that, Java is a technology that runs in the background to make more visible components work.  How do you know if you have Java installed or if it's running?

Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version.

Below is a reminder to apply the recent security updates from Microsoft, as a large number of critical updates were published. The updates this month help combat a few exploits circulating in the wild and it is beneficial to ensure your systems are completely up-to-date.  Please always keep your systems set for automatic updates or, if you manually update, always remember to do so on "Patch Tuesday".

Microsoft Security Updates - October 2010
https://www.microsoft.com/technet/security/bulletin/ms10-oct.mspx

Internet Storm Center - Excellent Analysis
http://isc.sans.edu/diary.html?storyid=9736
