October 2011 - Posts

Several informative links are noted in this summary

Trend Labs - Highlights from Virus Bulletin 2011 Barcelona
http://blog.trendmicro.com/highlights-from-vb-2011-barcelona/

QUOTE: This year, we had the privilege of attending the 21st Virus Bulletin International Conference in Barcelona, Spain. Researchers from Trend Micro presented three topics in the corporate stream and one topic in the technical stream.

Ethan YX Chen covered file-fraction reputation for the technical stream on day 1.

For the corporate stream on day 2, Max Goncharov presented on traffic direction systems as malware distribution tools.

David Sancho and Rainer Link talked about the lessons they learned while sinkholing botnets.

Trend Micro global director of education David Perry talked about the missing metrics of malware.

The presentation entitled, “An OpenBTS GSM Replication Jail for Mobile Malware,” by Axelle Apvrille discussed the challenges security researchers faced when analyzing mobile threats. 

The presentation about fraud malware analysis showed us that FAKEAV/fake tools have been around for some time now and will probably be there for even longer because of their capability to adapt to changes in the computing landscape.

In his presentation, Tim Ebringer of Microsoft brought out the issue regarding difficulties with finding other malware samples related to one particular file.

There are many additional ones that could be added to the list, including some of these in my own top ten: Conficker, Sasser, CIH, Blaster, Nimda, SQL-Slammer, Klez, SoBig, Netsky, AntiExe, etc.

GCN LAB IMPRESSIONS - The 10 scariest computer viruses of all time
http://gcn.com/articles/2011/10/14/10-scariest-computer-viruses-of-all-time.aspx

QUOTE: The dreary winter months are approaching, and little ghosts and goblins are starting to crawl from their haunts. With the spooky Halloween season about to get into full swing, we thought we might help get into the mood with a look at the 10 most frightening viruses of all time. Hide your hard drives, lock up your files and make sure your AV shields are at maximum power as we enter…the dark realm of computer programs gone bad.

10. Virus infecting U.S. fleet of combat drones
9. Creeper wasn’t actually all that malignant, and it only affected TENEX operating systems in the 1970s.
8. Suddenly, in 2007, Stoned.Angelina came back to infect more than 100,000 PCs running the new operating system.
7. Stuxnet - designed to cripple the Iranian nuclear program.
6. Anna Kournikova virus in 2001
5. Back Orifice is not really a virus per se, but gives remote access privileges to someone at another computer
4. Christmas Tree EXEC program paralyzed a lot of internal networks in 1987
3. Code Red virus was one of the first to successfully target Web servers running IIS in 2001
2. Melissa virus of 1999
1. I Love You virus, which racked up an impressive kill tally of tens of millions of computers in the year 2000. 
TOP TEN EMAIL viruses of all time from 2004
http://msmvps.com/blogs/harrywaldron/archive/2004/07/20/10421.aspx

Below is another attack that is circulating which should be avoided by Facebook users. It even offers prizes, and as noted in the past, "there are no free lunches on the Internet".

Facebook - Avoid McDonalds Happy 44th Birthday link
http://sunbeltblog.blogspot.com/2011/10/mcdonalds-facebook-scam-happy-birthday.html

QUOTE: I'm sure a McDonald's themed Facebook scam seemed like a good idea to somebody at the time, but wow is this one all over the place. It's your typical "Click here to Like", "Post a spam comment saying how good this is" then "do one of these offers" affair. "Happy 44th birthday to Donald", they say. Except his name is Ronald and he was created in 1963, which means he's actually 48. However, things quickly become confusing at this point. This scam targets Facebook users in India, yet as far as I can tell he's called Ronald there.

This new email scam is circulating and is intended to deceive users into clicking on a non-Facebook link that could potentially be malicious.

Facebook email scam - You have three lost messages
http://sunbeltblog.blogspot.com/2011/10/you-lost-your-facebook-messages.html

QUOTE: Or, to put it another way, you didn't. However, spam mail doing the rounds wants you to think otherwise. "You have three lost messages on Facebook, to recover the messages please follow the link below."  The links just go to the usual advert / viagra junk. What's kind of funny here is that an older version of this campaign claimed you were missing one message. Obviously the spammers decided to up the ante so now you have a whole three messages lost to the void.

Trend Labs shares some informative links related to new malicious SPAM attacks.

BlackHole Exploit Kit - Used in new SPAM and Exploit attacks
http://blog.trendmicro.com/a-refresher-on-spam-and-exploits/#more-37481

QUOTE: Lately, we have been seeing a renewed increase in the volume of spam attacks that utilize an exploit kit, specifically the BlackHole Exploit Kit to trigger a malicious payload. We have seen this in the latest slew of Automated Clearing House (ACH) spam attacks and the more recent spam run related to Steve Jobs’s death.

In a typical spam campaign that involves malware, cybercriminals lure users through social engineering to perform several actions before the intended payload gets executed. For example, a user needs to download, extract, and execute a supposedly “benign” file for a spam attack to succeed.  Spam campaigns that use exploit kits, however, are a bit more dangerous since these only need to lure the users into clicking a malicious link for the rest of the infection to take place.

In-Depth look at SPAM in today's business world
http://us.trendmicro.com/imperia/md/content/us/pdf/trendwatch/spam_trends_in_today_s_business_world.pdf

The significant aspect of the new ZeuS attack is its delivery through the BlackHole exploit kit. While it currently only targets Australian users, there is a potential for it to be used in other locations as well.

TREND LABS - Another Modified ZeuS Variant Seen in the Wild
http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/

QUOTE: This new version, detected as TSPY_ZBOT.SMQH spread around late September through spam that claims to be from ATO (Australian Taxation Office). The spammed messages contain a malicious link, which when clicked directs users to a malicious website that serves the BlackHole exploit kit. The exploit kit, in turn, downloads a variant of this new ZeuS version.

Like LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a private professional gang, probably the same creators of LICAT, or affiliated with them at least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.  Although the spammed messages only target Australian users, the contents of the decrypted configuration file suggest that it may be used in a global campaign.

Another great contributor to computer technology also passed away this week.

Dennis M. Ritchie - Passing of creator of "C" programming language
http://isc.sans.edu/diary.html?storyid=11806
http://cm.bell-labs.com/who/dmr/

QUOTE: News that Dennis M. Ritchie, the creator of the C Programming language and well known for contributing to the creation of the UNIX Operating System, died on October 8, 2011, hit the Internet headlines today.

The ISC rates this critical OSX security update as "PATCH NOW" and more information can be found at:

Apple OS X - Critical security update for October 2011
http://isc.sans.org/diary/Critical+OS+X+Vulnerability+Patched/11797

QUOTE: With today's focus on the release of iOS 5, and people worldwide refreshing the UPS shipping status page to check if the iPhone 4S left Hong Kong or Anchorage yet, a patch released for OS X Lion (10.7) came in under the radar. In addition to bringing us iCloud support and a good number of other security related patches, one issue sticks out as SUPER CRITICAL, PATCH NOW, STOP THAT iOS 5 DOWNLOAD.

The exploit can be implemented in a line of javascript, and will launch arbitrary programs on the user's system. It does not appear that the attacker can pass arguments to the software, which may make real malicious exploitation a bit hard, but I am not going to wait for an improved proof of concept to prove me wrong.

Sunbelt Security offers an excellent synopsis of SIR v11, reflecting developments during the first half of 2011.

Microsoft - Security Intelligence Report v11
http://sunbeltblog.blogspot.com/2011/10/microsoft-released-volume-11-of-sir.html

QUOTE: SIR volume 11 has a lot more findings, insights, and observations from the first half of 2011. Below are just some facts and figures from the report that are worth noting for future reference and study:

  • More than 1/3 of malware detected (ab)use the AutoRun feature in Windows. These malware spread via removable drives and network drives.
  • Exploits that take advantage of flaws in Java, the OS itself, and HTML/JScript were most prevalent from Q3 of 2010 to Q2 of 2011. The volume of exploits targeting Adobe Flash increased by more than 40 times compared to the volume seen in Q2 of this year.
  • Adobe Reader and Acrobat are the most affected software for document format exploits. No surprise here.
  • Windows XP SP3 (client) and Windows Server 2003 SP2 (server) are the OSs with the highest infection rates.
  • Adware, software deemed potentially unsafe, and Trojans are the most prevalent threats that were detected on systems. An example of this threat is FakeRean.
  • There was a 71.97 percent decrease of spam volume from July 2010 to June 2011 due to the takedowns of the Pushdo/Cutwail and Rustock botnets.
  • Phishers are now targeting social networks more than financial institutes.

The .PDF copy of SIR is available and can be downloaded here. If you're interested in backtracking previous volumes, Microsoft has made them available on their library page.

Microsoft - Security Intelligence Report Home
http://www.microsoft.com/security/sir/default.aspx

PC Magazine offers a detailed evaluation of Apple's new iCloud facility as noted below:

Apple iCloud - PC Magazine Review
http://www.pcmag.com/article2/0,2817,2394611,00.asp

QUOTE: The new iPhone 4S is grabbing most of the headlines this week, but a less concrete new offering from Apple may be just as momentous—iCloud.  The new Web-based service will not only replace the checkered MobileMe Web apps (well, most of them), but also add backup and other services for iPads, iPhones, iPod touches, and even Mac computers running OS X Lion.

Apple iCloud - Key Links
http://www.apple.com/icloud/
http://www.apple.com/icloud/what-is.html
http://www.apple.com/icloud/get-started/

Hardware issues created a world-wide system outage, and these appear to have been successfully resolved.

BlackBerry - Full Services restored after 3 day outage
http://www.pcmag.com/article2/0,2817,2394609,00.asp

QUOTE: Research in Motion co-founder Mike Lazaridis today apologized for the ongoing BlackBerry outage and said that the company has "restored full services."  "Since launching BlackBerry in 1999, it's been my goal to provide reliable, real-time communications around the world. We did not deliver on that goal this week, not even close," Lazaridis said in a video message (below). "I apologize for the service outages this week. We've let many of you down."

In that message, he also said service was "approaching normal," but in a later conference call with reporters, Lazaridis said services have now been restored. He reiterated that the three-day outage was caused by a hardware failure that prompted a "ripple effect" in RIM's systems. Getting things back up "took much longer than we had expected," and RIM is now "taking immediate and aggressive steps" to prevent such an outage from ever happening again, he said.  During a Wednesday conference call, the company said the problems were not related to a hack.

Users should apply these changes expediently to ensure the best levels of protection.

Microsoft Security Updates - October 2011
http://isc.sans.edu/diary.html?storyid=11779
http://blog.trendmicro.com/microsoft-releases-eight-bulletins-for-october-patch-tuesday/

QUOTE: Eight security bulletins have been released to include patches for 23 vulnerabilities for software such as Microsoft .NET Framework, Microsoft Silverlight, Internet Explorer, Microsoft Forefront Unified Access Gateway, and Microsoft Host Integration Server.

Microsoft Technet overview
http://technet.microsoft.com/en-us/security/bulletin/ms11-oct

This new development is still being analyzed by security firms:

Backdoor Snoops on Skype, MSN, and Yahoo! Messenger
http://blog.trendmicro.com/backdoor-snoops-on-skype-msn-and-yahoo-messenger/
http://www.f-secure.com/weblog/archives/00002250.html

QUOTE: We recently came across reports about a hacker group that was able to detect a backdoor which was found capable of monitoring online activities and recording calls when using Skype. However, apart from its routines, it garnered media attention because of its claims that the discovered backdoor may be used by German Law Enforcement. The malware, which we detect as BKDR_R2D2.A, is known as "R2D2". Based on our analysis, this malware is capable of the following functionalities:

  • Listen to chat conversations for applications such as Skype, Yahoo! Messenger, MSN Messenger and SipGate x-lite.
  • Record audio calls when using Skype.
  • Monitor web browsing activities with browsers SeaMonkey, Navigator, Opera, Internet Explorer and Mozilla Firefox.
  • Take screenshots on the affected system.

The new Metro UI may allow Windows 8 to load resources into memory only as they are opened and needed.

Windows 8 - Striving to improve memory management
http://www.pcmag.com/article2/0,2817,2394426,00.asp

QUOTE: Microsoft's Windows 8 is aiming to minimize a PC's memory usage through efficient design, allowing it to run on hardware originally designed for Windows 7.  In a blog post, Bill Karagounis, the group program manager of the Windows Performance team, said that the group's goal with Windows 8 was always to ship with the same performance requirements as Windows 7. Interestingly, Karagounis wrote that the reason for doing this was to minimize the power consumption used by Windows 8 when running on a tablet.  Microsoft has said that the "Metro" UI also eliminates the need to load all portions of the desktop, saving memory. And Windows 8 is simply more efficient in using memory, Karagounis added.

Windows 8 - PC Magazine's list of articles
http://www.pcmag.com/Windows-8

The Symantec research study provides an excellent overview regarding monetary incentives for Android mobile computing malware.

Android Malware - Symantec Research Study of Monetary Incentives 
http://securitywatch.pcmag.com/malware/288932-how-android-malware-makes-money

QUOTE: In the old, old days researchers wrote virus code to prove a point and lone coders released malware that disseminated a message or simply vandalized computers. Modern malware is all about money. Symantec has just released a report on the various techniques used to make a profit from Android-focused malware. Given that Android is now the most widespread mobile platform, it's a wide-open field for malefactors seeking to cash in.

Premium rate billing is one simple technique to skim some cash. In this case a Trojanized Android application performs some useful or entertaining function, but secretly sends SMS short codes that bill the caller $10, $50, or even more. The attacker splits the fee with the phone service carrier. Apps can send text messages without any visible indication, making this a better choice than forced dialing of premium rate telephone numbers.

Some apps literally spy on the victim, recording phone calls and texts and tracking GPS location. It's true that on installation the victim must agree to specific permissions, but many users just routinely give an OK to all such requests. Malicious apps that poison search engine results can drive traffic to malicious Web sites, either to encourage download of more malware or to generate income based on pay-per-view or pay-per-click advertising.

Symantec - Motivations of Recent Android Malware
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/motivations_of_recent_android_malware.pdf

QUOTE: The following categories of attack are highlighted in the study:

1. Premium Rate Number billing (calls or text messaging)
2. Spyware
3. SEO Poisoning
4. Pay per click
5. Pay per install of apps
6. Adware
7. Mobile Transaction Authorization Number (MTAN) Stealing
