This year is on its way out and seemingly cybercriminals are also planning their year ahead. Secure content management solutions developer Kaspersky Lab has outlined the threats it expects to see in 2010 as a result of cybercriminal activity.
Kaspersky Lab was expecting a rise in the number of global epidemics in 2009 but this year was marked by sophisticated malicious programs with rootkit functionality. Corporates and individuals struggled with the Kido worm (Conficker), Web attacks and botnets. An increase in the cases of SMS fraud and attacks on social networks was also experienced.
Continue reading at http://www.pcworld.com/article/185177/cybercrooks_target_file_sharing_networks.html
Few more days... it'll be Christmas day. Have a great Christmas everyone and I wish you all the best for the New Year!
Calendarofupdates.com was offline for many hours because my fellow admin, Peter (aka ColdinCbus - thanks Peter!), upgraded to a newer version of the Invision Power Board software. That's a new look for many of us and I am liking it. That's just in time for a new year's new look for the forum!
From F-Secure Blog:
Just a quick note - the sudden death of Hollywood celebrity Brittany Murphy last Sunday (BBC report here) has prompted a spike in searches on the subject - and of course, an SEO attack.
Users who click on a poisoned search result link will be redirected to a website that will display a scare message trying to panic users into downloading rogue AV software.
Screenshot and more info at http://www.f-secure.com/weblog/archives/00001842.html
See also Websense Alert: http://securitylabs.websense.com/content/Alerts/3514.aspx
Brittany Murphy's Death SEO Poisoning
Date: 12.21.2009
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe, and at the moment it seems they haven't attracted much attention from AV companies.
From Sophos Blog:
Well, it didn't take long for the Christmas E-Card scams to start.
Recently we have seen email messages pretending to be from Hallmark, suggesting that you have received an E-card from a friend. The complete email message looks like this:
You have recieved a Hallmark E-Card from your friend.
To see it, check the link below:
http://www. hallmark. com/webapp/wcs/stores/Occasion/ChristmasE-Cards
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon, Your friends at Hallmark
Note that the link looks like it's from Hallmark, but it's fake. If you hover your mouse over the link and look at your browser's status bar, the real link shows up (which in this case is http://www. <hidden>. com/_themes/Christmas.exe). This piece of malware is detected by us as Troj/VBInject-S.
http://www.sophos.com/blogs/sophoslabs/?p=8039
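The tell-tale sign in the e-card lure above is an anchor whose visible text claims one host while its href points somewhere else, ending in an executable. The following is an added example, not code from the original post or from Sophos, showing how a mail gateway or a user-side tool could flag that mismatch; the sample HTML and the hidden host (example-hidden.test) are constructed placeholders.

```python
"""Flag HTML links whose visible text claims one host while the href goes to another,
and links that point straight at an executable."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample modelled on the e-card lure; the real hidden host is a placeholder.
SAMPLE_HTML = """
<p>You have received a Hallmark E-Card from your friend.</p>
<p>To see it, check the link below:</p>
<a href="http://www.example-hidden.test/_themes/Christmas.exe">
http://www.hallmark.com/webapp/wcs/stores/Occasion/ChristmasE-Cards</a>
<p><a href="http://www.hallmark.com/">Your friends at Hallmark</a></p>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Matches visible text that looks like a URL or bare hostname and captures the host part.
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_host(hostname):
    """Crude eTLD+1 (last two labels); adequate for the .com-style hosts used here."""
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def check_links(html):
    """Return a finding per anchor whose text/href hosts disagree or whose href is an executable."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        reasons = []
        claimed = URL_LIKE.match(text)
        if claimed and registered_host(claimed.group(1)) != registered_host(href_host):
            reasons.append(f"text claims {claimed.group(1)} but href goes to {href_host}")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("href points at an executable")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Running the block on the constructed sample reports only the first anchor, for both reasons; the genuine hallmark.com link passes.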
Wi-Fi security in UK retail environments is improving, but shops remain vulnerable to the sorts of attacks carried out as part of the infamous TJX credit card heist.
The cybercrooks, who lifted more than 21 million credit card records, leapfrogged onto the retailer's credit card database after first breaking into the wireless network of a regional store, a subsequent investigation ahead of upcoming US trials revealed. The incident ought to have acted as a wake-up call to retailers worldwide, but progress has been a little slow.
A Wi-Fi war walk, passively detecting Wi-Fi networks in popular shopping areas around Oxford Circus last week, revealed numerous problems.
Data was collected over a one hour period on 16 December using security scanning tools from Motorola AirDefense. No networks or devices were actively compromised during the exercise.
More at http://www.theregister.co.uk/2009/12/21/west_end_wardrive/
Kaspersky Lab, a leading developer of secure content management solutions, announces the publication of the analytical article “The botnet ecosystem” by Vitaly Kamluk, Director of Kaspersky Lab’s EEMEA Research Center. The article sheds light on the nature of the cybercrime business and, in particular, the botnets at its core.
The author analyzes the components which make up the cybercrime business, how they interact with each other and with the outside world. The article describes the roles played by those who supply services to botnet owners, those who buy botnet services and the botnets themselves that link these activities. Botnets are at the center of the cybercriminal business, facilitating a continuous flow of money between cybercriminals. [...]
The full version of the article is available at www.viruslist.com/en. A summary of the article can be found at www.kaspersky.com.
http://www.kaspersky.com/news?id=207575988
From Techcrunch:
We’ve received multiple tips right around 10 pm that Twitter was hacked and defaced with the message below. The site is currently offline. We’re looking into this and waiting on a response from Twitter.
The message reads:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
iRANiAN.CYBER.ARMY@GMAIL.COM
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
Update: We have just found out that the same defacement is appearing at at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.
Twitter does not have the best record with security issues.
Update 2: Twitter.com is down, status.twitter.com is down (not useful, perhaps they should host it at blogger).
Update 3: It is suggested that if you use the same password on your Twitter account with other accounts, now would be a good time to change your password on those other accounts.
Update 4: There is a history between Iran and Twitter.
Update 5: There is speculation at the moment that this may be a DNS redirect, which means that the Twitter.com domain has been redirected to the defacement page.
Complete and for updates, go to http://www.techcrunch.com/2009/12/17/twitter-reportedly-hacked-by-iranian-cyber-army/
From Twitter status:
Working on site outage 1 hour ago
We are working to recover from an unplanned downtime and will update more as we learn the cause of this outage.
Update (11:28p): Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Known issues: timeline delays and missing tweets. Retweet back up. 14 hours ago
We are aware of and investigating the causes of timeline delays and missing tweets. Retweet is back up and fully functional.
Dec 14th Mon
SMS service temporarily unavailable, we are working on the problem 3 days ago
Posting tweets via SMS is currently unavailable. Some tweets are also not being delivered via text (the outbound service). We are actively working on the underlying cause of both problems and hope to restore service soon.
Update (12/14 6:30pm). The issue has been resolved.
http://status.twitter.com/
From Twitter Blog:
DNS Disruption
As we tweeted a bit ago, Twitter's DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully.
http://blog.twitter.com/2009/12/dns-disruption.html
Twitter (not) hacked by Iranian Cyber Army
The initial attack has left many users confused and widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says
"As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully."
This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company, the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.
These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.
http://countermeasures.trendmicro.eu/twitter-not-hacked-by-iranian-cyber-army/
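The closing advice above, to watch what several resolvers return for your own names, is straightforward to automate. The following is an added example and not code from the original post or from Trend Micro: it builds a minimal DNS A query, parses the wire-format answer (including name compression), and reports any resolver whose answer set differs from the addresses you know you published. The embedded response bytes are constructed, and 192.0.2.10 / 198.51.100.7 are documentation addresses standing in for real ones; the live `query_a` helper is included for real use but is not exercised offline.

```python
"""Compare the A records several resolvers return for a name against the
records you know you published, so a hijacked zone is noticed quickly."""
import socket
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive query for one A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg):
    """Return [(name, ttl, dotted_ip)] for every A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


def query_a(server, name, timeout=2.0):
    """Live UDP query against one resolver (needs network; not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)


def find_divergent_resolvers(expected_ips, answers_by_resolver):
    """Map resolver -> set of IPs it returned, for resolvers disagreeing with expected_ips."""
    expected = set(expected_ips)
    divergent = {}
    for resolver, records in answers_by_resolver.items():
        seen = {ip for _, _, ip in records}
        if seen != expected:
            divergent[resolver] = seen
    return divergent


# Constructed response: one resolver answering "twitter.com A" with a placeholder address.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("twitter.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    answers = {"resolver-a": parse_a_records(SAMPLE_RESPONSE),
               "resolver-b": [("twitter.com", 60, "198.51.100.7")]}  # constructed hijack
    print(find_divergent_resolvers(["192.0.2.10"], answers))
```

In production you would replace the constructed answers with `query_a(server, name)` for each resolver you care about (your own authoritative servers, your ISP's, and a few public ones) and alert on any non-empty result.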
Waikato District Health Board has been crippled by a computer worm which has seen every PC in the organisation shut down. While the main hospital in Hamilton and smaller outlying hospitals were continuing to function, spokeswoman Mary-Ann Gill said it was important people only came for treatment if it was absolutely necessary.
Emergency care was still available but those arriving for routine appointments were being affected, as were GPs who often made referrals to hospitals via email. "We are asking GPs to only make urgent referrals," she said. "We need to keep as many people out of hospitals as we can."
Ms Gill said DHB technicians were working on a computer upgrade overnight when things started to go awry. "About 2am they noticed there were some issues with the computers. By 4am they realised a computer virus had got into our whole system.
"We brought in Microsoft and have been working with them through the night."
Conficker has been identified as the culprit.
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10616074
Microsoft has reached agreement with European Union anti-trust regulators to allow European users a choice of web browsers.
The accord ends 10 years of dispute between the two sides.
Over that time, the EU imposed fines totalling 1.68bn euros ($2.44bn, £1.5bn).
The European Commission said Microsoft's legally binding agreement ended the dispute and averted a possible fine for the company.
The Commission's concern was that the US computer giant may have broken competition rules by bundling its Internet Explorer web browser with its dominant Windows operating system.
http://news.bbc.co.uk/2/hi/business/8415902.stm
Microsoft Statement on European Commission Decision in http://www.microsoft.com/presspass/press/2009/dec09/12-16statement.mspx
It's been a while. If I remember correctly, a variant of Vundo was using the "overlay.xul" mechanism to hijack searches in the Firefox browser almost a year ago. Now, ISC reader Tom contacted us with a mystery that took him and his colleagues several days to unravel. The symptoms: You try to search with Google/Yahoo/Ask/Bing, but NoScript (a great add-on!!) warns you that the browser is actually trying to run a JavaScript from innoshots-dot-org. Having checked all the usual culprits, and run all the Anti-Virus tools you have, you find: Nothing. And the browser still redirects.
overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI, and is used for good effect by several tools. We don't know which infection vector was used in Tom's case to deposit the malicious overlay file on the machine. All we have is the file, and the knowledge that it apparently either resides in
Documents and Settings/user/Local Settings/Application Data/{randomstring}/chrome/content -- or --
Program Files/Mozilla Firefox/extensions/{randomstring}/chrome/content
and is accompanied by a suspicious JavaScript file called _cfg.js.
overlay.xul contains heavily obfuscated JavaScript, and has nice copyright headers to make it look like a valid Firefox add-on, but the "smoking gun" is still visible in the lower portion of the file.
http://isc.sans.org/diary.html?storyid=7765
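Because the diary gives the two file locations and the companion _cfg.js as the only concrete indicators, a simple sweep of the Firefox profile and extension trees is a reasonable first check. The following is an added example, not code from the ISC diary: it walks the supplied roots for chrome/content/overlay.xul files, scores the script content for obfuscation (eval/unescape-style calls, dense hex escapes, very long lines), and flags any overlay sitting next to a _cfg.js. The directory tree and both overlay files are constructed in a temporary folder; the random extension name xk3j9 and the scoring thresholds are assumptions.

```python
"""Scan Firefox extension/profile trees for overlay.xul files carrying obfuscated
script, and for the companion _cfg.js described in the diary."""
import os
import re
import tempfile

SUSPICIOUS_CALLS = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\b")
HEX_ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")


def obfuscation_score(text):
    """Heuristic score: eval-style calls, many hex escapes, and very long lines each add points."""
    score = min(3, len(SUSPICIOUS_CALLS.findall(text)))
    if len(HEX_ESCAPES.findall(text)) > 20:
        score += 2
    if any(len(line) > 500 for line in text.splitlines()):
        score += 2
    return score


def scan_profile_roots(roots, threshold=3):
    """Return a finding for each chrome/content/overlay.xul that scores high or has a _cfg.js beside it."""
    findings = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            if os.path.basename(dirpath) != "content" or "overlay.xul" not in files:
                continue
            path = os.path.join(dirpath, "overlay.xul")
            with open(path, encoding="utf-8", errors="replace") as fh:
                score = obfuscation_score(fh.read())
            companion = "_cfg.js" in files
            if score >= threshold or companion:
                findings.append({"path": path, "score": score, "cfg_js": companion})
    return findings


XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"


def build_demo_tree():
    """Constructed tree: one benign add-on plus one laid out like the described infection."""
    base = tempfile.mkdtemp(prefix="ffscan_")
    benign = os.path.join(base, "extensions", "goodaddon", "chrome", "content")
    os.makedirs(benign)
    with open(os.path.join(benign, "overlay.xul"), "w", encoding="utf-8") as fh:
        fh.write(f'<overlay xmlns="{XUL_NS}">\n'
                 '<script src="chrome://goodaddon/content/main.js"/>\n</overlay>\n')
    # Random-looking directory name under Local Settings/Application Data, as in the diary.
    bad = os.path.join(base, "Local Settings", "Application Data", "xk3j9", "chrome", "content")
    os.makedirs(bad)
    payload = "".join(f"\\x{b:02x}" for b in b"placeholder search hijack script, not real")
    with open(os.path.join(bad, "overlay.xul"), "w", encoding="utf-8") as fh:
        fh.write(f'<overlay xmlns="{XUL_NS}">\n'
                 '<!-- Copyright header placeholder, mimicking a legitimate add-on -->\n'
                 f'<script>eval(unescape("{payload}"));</script>\n</overlay>\n')
    with open(os.path.join(bad, "_cfg.js"), "w", encoding="utf-8") as fh:
        fh.write("var cfg = {};\n")
    return base


if __name__ == "__main__":
    for finding in scan_profile_roots([build_demo_tree()]):
        print(finding)
```

On a real machine you would pass the two locations named in the diary (the per-user Local Settings/Application Data tree and Program Files/Mozilla Firefox/extensions) as the roots and review anything reported by hand.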
PrivacyChoice Opt-Out protects your privacy by opting out of privacy-invading ad networks.
Ad networks and Web sites constantly track your behavior as you surf the Web, recording what sites you visit, what pages you visit on sites, and what kind of content you like to view. If you'd like to keep your personal Web preferences to yourself, get the free Firefox addon PrivacyChoice Opt-Out, which lets you stop more than 100 companies from tracking your behavior.[...]
Privacychoice.org also makes another Firefox add-in, TrackerWatcher, which lets you get similar privacy information about sites you visit as you surf the Web. Using PrivacyChoice Opt-Out in concert with TrackerWatcher makes an excellent one-two punch for protecting your privacy.
http://www.networkworld.com/reviews/2009/121609-privacychoice.html
Security experts have known for months that some countries have had a harder time battling the Conficker worm than others. But thanks to data released Wednesday by Shadowserver, a volunteer-run organization, they now have a better idea of which Internet Service Providers have the biggest problem.
In terms of the total number of infected computers, China Telecom's Chinanet seems to have been hardest hit by the worm, which began spreading late last year.
http://www.networkworld.com/news/2009/121709-chinese-isp-hosts-1-in.html
Arrests and jail time for cybercriminals are increasingly common in China
A Chinese court Wednesday sentenced 11 members of a malware ring for writing and distributing Trojan horse viruses meant to steal online game account passwords, according to state media.
The people, who stole login information for more than 5 million game accounts, were given prison sentences of up to three years and were fined a total of 830,000 Chinese yuan (US$120,000), China's Xinhua news agency said. Dozens of other members of the ring, which is suspected of 30 million yuan ($4.4 million) in crime, are expected to be sentenced soon, Xinhua said.
Reports of arrests and court sentences for cybercriminals have become increasingly common in China after the country has strengthened its laws governing the activity. The government action has come in response to increasing signs of organization among cybercriminals, including division of the labor needed to design, distribute and profit from information-stealing malware.
http://www.networkworld.com/news/2009/121709-china-jails-trojan-virus-authors.html
Yesterday the Secunia PSI was installed on system number 2,000,000.
The 2,000,000 users have been achieved on a 0 dollar marketing budget. Only word-of-mouth, articles, endorsements, and the loyal support of the community around the PSI and Secunia has spread the important message about the need for patching.
Patching your programs to protect against criminals exploiting the security-related errors which exist in almost all of the programs you are using has never been more important than now.
During the past 3 years there has been a significant change in the programs criminals exploit to break in to PC systems. Traditionally, the criminals exploited programs from Microsoft, but now the criminals focus on programs from other vendors as well.
http://secunia.com/blog/69/
Botnet operators have always been able to easily infect and convert PCs into bots, but they also are increasingly going after servers -- even building networks of compromised servers.
Web servers, FTP servers, and even SSL servers are becoming prime targets for botnet operators, not as command and control servers or as pure zombies, but more as a place to host their malicious code and files, or in some cases to execute high-powered spam runs.
"FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots," says Mikko Hypponen, chief research officer at F-Secure. "Another thing we've noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads."
Why SSL servers? "If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won't be able to scan for the malware in transit, making it easier to sneak in," Hypponen explains.
Shadowserver, a nonprofit that tracks botnet activity, has seen botnets building their own networks of compromised servers as sort of sub-botnets for the botnet's use. "Now we're starting to see a botnet of servers ... What's interesting is we're finding these networks of connected servers are under a certain person's control," says Andre DiMino, director of Shadowserver.
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=222002433
From Kaspersky's Viruslist blog:
A couple of months ago I blogged about how the creators of rogue AV solutions are keeping a close eye on developments in the antivirus market. And my colleague Vyacheslav recently wrote a whole article about rogue AV which highlighted, among other things, the huge increase in this type of malware.
Last week I looked at some samples which showed that the bad guys behind this stuff are ratcheting their efforts up a notch.
There are two points which attracted my attention:
The interface of the rogue AV is a very close copy of the genuine solution
The logo isn't the same, but the rogue incorporates the Windows Security Center logo, and reinforces the perception that it's a genuine product by using the name of a legitimate free AV solution.
In other words, the rogue AV guys are getting closer and closer to creating exact copies of real AV solutions, at least in terms of the GUI. This makes it much more difficult to determine at a glance whether or not a solution is rogue, for novices and more experienced users alike.
This example shows that maybe we're not so far from the time when rogue AV solutions will visually be exact copies of legitimate security software. And with the FBI estimating losses caused by scareware at around $150 million dollars, the stakes are getting higher all the time.
Screenshots at http://www.viruslist.com/en/weblog?weblogid=208187938
From McAfee Labs Blog:
Our good friends at Shadowserver have recently added some excellent graphs and stats that highlight the continued infections and propagation by the Conficker worm.
Conficker, although it actually does very little, continues to be a major annoyance worldwide, so let’s use these excellent charts and graphs as a reason to revisit two important points:
Update your systems to current patch levels
Use up-to-date and properly configured security software. Deploy these at a variety of levels whenever possible. (Layers of defense work better than a single solution.)
http://www.avertlabs.com/research/blog/index.php/2009/12/16/conficker-again-in-the-news/
McAfee Labs Report on VoIP Vulnerabilities
- Voice over Internet Protocol (VoIP) is a method for making phone calls over the Internet or using private networks. Traditional phone calls must travel over a series of switches and circuits owned by the telephone companies, which control the process and the charges. By using VoIP, both businesses and individuals can enjoy a substantial cost savings, especially while making long-distance calls.
- McAfee Labs first observed an increase in VoIP vulnerabilities during the end of 2006 and that trend has continued through today. We can credit part of this increase to better tools for finding VoIP problems, yet this upward trend should be largely attributed to the growing number of VoIP installations. [...]
- Download the report, available in nine languages, in its entirety here.
http://www.avertlabs.com/research/blog/index.php/2009/12/16/mcafee-labs-report-on-voip-vulnerabilities/
Starting at ~3:20pm GMT today, Canadian Pharmacy spammers began using attached MP3 files as the call-to-action for their latest campaign. The message had no subject, no "text" body content, just an attached "audio/mpeg" file with a random lower case file name.
Upon playing the attached MP3 file, you find out why I called it the "call-to-action". A robotic sounding woman's voice reads off the URL they would like recipients to browse to (letter by letter), with porn-like moaning as background noise. I guess they are going for the often used spam tactic of tying ED pills (Viagra, Cialis, etc.) to porn star-like performance in bed.
http://www.sophos.com/blogs/sophoslabs/?p=7983
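The campaign described above has an unusually clean structural signature: no subject, no text part at all, and exactly one audio/mpeg attachment with a random lower-case name. The following is an added example, not code from the Sophos post, showing how a mail filter could score a message on those three traits using only the Python standard library; both sample messages are constructed, the attachment bytes are not real audio, and the entropy threshold is an assumption.

```python
"""Score a message against the 'silent MP3 spam' pattern: empty subject,
no text body, a single audio/mpeg attachment with a random-looking name."""
import email
import math
import re
from email import policy
from email.message import EmailMessage

RANDOM_NAME = re.compile(r"^[a-z]{6,}\.mp3$")  # lower-case letters only, e.g. qzkvwtxb.mp3


def looks_random(stem, threshold=2.5):
    """Shannon entropy per character; short dictionary words tend to score lower than this."""
    counts = {c: stem.count(c) for c in set(stem)}
    entropy = -sum(n / len(stem) * math.log2(n / len(stem)) for n in counts.values())
    return entropy > threshold


def classify(raw):
    """Return (reasons, is_suspect); suspect when all three traits are present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if not (msg.get("Subject") or "").strip():
        reasons.append("empty subject")
    text_parts = [p for p in msg.walk()
                  if p.get_content_type() in ("text/plain", "text/html") and p.get_content().strip()]
    audio_parts = [p for p in msg.walk() if p.get_content_type() == "audio/mpeg"]
    if not text_parts:
        reasons.append("no text body")
    if len(audio_parts) == 1:
        name = audio_parts[0].get_filename() or ""
        if RANDOM_NAME.match(name) and looks_random(name[:-4]):
            reasons.append(f"single audio/mpeg attachment with random name {name}")
    return reasons, len(reasons) >= 3


def build_spam_sample():
    """Constructed message shaped like the campaign: no Subject, no text, one MP3."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "victim@example.test"
    m.add_attachment(b"ID3" + b"\x00" * 32, maintype="audio", subtype="mpeg",
                     filename="qzkvwtxb.mp3")
    return m.as_bytes()


def build_benign_sample():
    """Constructed legitimate message: subject, text, and a sensibly named MP3."""
    m = EmailMessage()
    m["From"] = "friend@example.test"
    m["To"] = "you@example.test"
    m["Subject"] = "That song from the party"
    m.set_content("Hi, here is the track you asked about.")
    m.add_attachment(b"ID3" + b"\x00" * 32, maintype="audio", subtype="mpeg",
                     filename="holiday_song.mp3")
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build_spam_sample()))
    print(classify(build_benign_sample()))
```

Requiring all three traits keeps the rule narrow: a legitimately empty subject or a bare voice-memo attachment alone does not trip it.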
Everything exists for a purpose.
Malware, for all the crazy things it does, exists because its creators want it to. Malware can be the product of a bored mind, of an experiment, of inspiration, or, as is becoming increasingly common nowadays, a means for profit.[...]
In the third (and hopefully last) installment of our KOOBFACE research papers, we examined the various mechanisms KOOBFACE employed to monetize its botnet, offering a peek at the ways modern cybercriminals operate and the challenges these pose.
For those interested, "Show Me the Money! The Monetization of KOOBFACE" can be downloaded here.
http://blog.trendmicro.com/how-koobface-makes-money/
"Making easy money with Google" scams and frauds have been circulating in the Web realm for quite some time now. In the last weeks, a new wave of such scams has emerged using Google’s reputation to sell 'working from home' kits that claim Google is hiring people. Those false claims have upset Google, which is looking to sue the group/company behind the campaign and also some related individuals.
The Web site marketing the 'Google kit' has the name and look-and-feel of a featured article from a legitimate online newspaper. More research into this reveals a network of hundreds of template Web sites holding the same theme and doing the same thing - we use the description "template" because we see a lot of them, all without any reputation. These sites mainly hold themes of news Web sites and personal blogs, a trick used to give a more reputable and trusted look to the site. The 'news article' or 'blog' talks about how easy it is to make money with the featured Google Kit and how the financial lives of those who did changed for the better. The templates used all have the same look and feel, but the actual source code behind these Web sites is often changed from one to another to avoid easy detection. This is very similar to methods used in email spam, such as Nigerian scams that have been changing forever but have the same goal.
How does it work?
How does the scam propagate?
Read more at http://securitylabs.websense.com/content/Blogs/3512.aspx