August 2008 - Posts
Trend is warning of new Facebook malware attacks circulating in-the-wild
Users of any social networking environment should be cautious, as malware-based attacks have been actively circulating on Facebook, MySpace, and similar sites. Social networking sites provide human-to-human electronic contact, and in most cases it will be among trusted friends.
Folks still need to be careful in these environments in their trust of strangers and in sharing any personal information. Secondly, they should mostly stay with exchanges of text and avoid any URLs or files offered as much as possible. This includes even their trusted friends (esp. unusual or out-of-character messages, files, or links), as their PCs could be infected.
Worms Wriggling Their Way Through Facebook
QUOTE: Trend Micro has flagged two malware with a type that is slowly and steadily making itself get noticed: worms, and the most notable to date are WORM_KOOBFACE.E and WORM_KOOBFACE.D. One may recall that both worms are unique since these take advantage of user interactivity, an awesome Web 2.0-borne feature, by making this a part of the whole propagation chain.
Somewhere between their execution on the affected system to their possible deletion from it, these worms search for a string or set of strings in cookie files related to the popular social-networking site Facebook. Once a match is found, these worms then access the user’s profile using the credentials from the cookies to add links pointing to a copy of itself in the affected user’s profile for virtually anyone to find and click on to download.
Infected users therefore put their frequent profile visitors (who might be more than willing to click on the link since it appears to be a new profile update that they haven’t checked out yet) in harm’s way, along with virtually anyone who stumbles upon the infected profile and clicks on the offending link.
New Koobface worms attack Facebook environment
Koobface worms - Trend Behavioral Analysis
QUOTE: This worm may be downloaded from the Internet. Upon execution, it drops a copy of itself. It displays a message box to trick users into thinking that it did not execute properly. It accesses the Google Web site to check for an Internet connection. It creates a registry entry to enable its automatic execution at every system startup. It also drops non-malicious files.
This worm checks if the user has visited the social networking Web site Facebook by searching for cookies with a certain string. If it finds the said string, it adds links to the affected user's profile that points to a copy of this worm. It deletes itself if no cookies that refer to Facebook are found. It connects to a certain Web site to send and receive information.
Facebook - Fastest Growing Network
Facebook Social Networking Environment - An Overview
Thankfully, no critical systems are affected by this virus, which is designed to steal passwords from computer games. The virus may have infected these laptops through an infected USB flash drive. AV protection should be active whenever information is exchanged by email, IM, CDs, websites, or USB flash drives. NASA will be taking steps to clean these systems and prevent future problems.
International Space Station Laptops infected with Computer Virus
QUOTE: A computer virus is alive and well on the International Space Station (ISS). Nasa has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG. The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games.
Nasa told SpaceRef that no command or control systems of the ISS were at risk from the malicious program. The laptops infected with the virus were used to run nutritional programs and let the astronauts periodically send e-mail back to Earth. The laptops carried by astronauts reportedly do not have any anti-virus software on them to prevent infection.
Nasa is working with partners on the ISS to find out how the virus got on to the laptop in the first place. It is thought that the virus might have travelled via a flash or USB drive owned by an astronaut and taken into space. The space agency also plans to put in place security systems to stop such incidents happening in the future.
The new FedEx attacks have been adapted from the prior UPS attacks. Any email, especially one noting account or billing issues, should be verified in a safe manner, e.g., by telephone call. Please be careful with all email, as these messages appear almost genuine.
QUOTE: Remember the UPS spam runs that were popular last month? Spammers have chosen a different courier this time, but the message was basically the same
Posing as FedEx notifications, these email messages have the same format as their earlier UPS counterparts: tracking number (perhaps to make the message appear authentic), message body informing recipients that there was a problem with the delivery of a package, and a message urging the recipient to print the attached “invoice” to claim the “package”.
Even the attachment is of the same file type as those seen in the previous spam runs. The .ZIP file is an info stealer detected by Trend Micro as TSPY_ZBOT.MCS. ZBOT spyware are infamous keyloggers that are known to steal confidential information, such as those related to online banking credentials.
The AntiVirus 2009 attacks are particularly troublesome, as they can download and install silently on a PC when the user merely visits a website. However, the payload still requires a mouse click when the AntiVirus pop-up suddenly appears stating that the user has an infection. These are very advanced malware attacks. They are difficult to prevent, detect, and clean. Avoidance is your best defense.
In fact, this clever social engineering attack may simulate past experiences where a legitimate antivirus product found a virus and presented it to the user. Users who are not technically inclined may even think this is their own antivirus system warning them.
When a malware pop-up of any type appears, your PC is in trouble at that point. Sometimes, however, you can avoid more extensive damage by exiting and getting immediate help with cleaning. If you can safely exit these types of pop-ups, sometimes your PC may not become infected.
Avoid any clicking or pressing the Enter key, as "NO" or "CANCEL" may be secretly programmed to act as "YES". Malware writers won't have the best ethical conduct, and they want to use any mouse click available to let the attack enter the Windows environment (even a "NO" or "EXIT"). Instead, use this approach:
USE TASK MANAGER TO SAFELY EXIT MALWARE ATTACKS
1. The easiest way to launch task manager in Windows is to press: Ctrl+Shift+Esc
2. Click the Applications tab (if it's not already selected)
3. Select the pop-up task
4. Press the End Task button at the bottom to close it
5. Then seek technical help on cleaning. If you're not experienced, my #1 tip is to have a friend or relative help you so that you do this safely and minimize losses to your PC.
Additional resources can be found from these experts below:
How to Safely Close a Pop-Up Window In Your Browser
Don't Close That Pop-Up Window! - Clicking "No" May Mean "Yes"
How to invoke Task Manager
AVERT Labs is documenting a new fake toolbar that is circulating. While it provides legitimate functionality for eBay users, it also has a hidden agent that installs a remote control account with full administrative rights. The bad guys can then secretly log on to the infected PC with full access to any files that might be found there. It is a good practice to avoid all toolbars, as they can slow down browser performance. Also, some of the toolbars offered are malware attacks in disguise, as in this case.
AVERT Labs - More Than a Toolbar
http://www.avertlabs.com/research/bl...han-a-toolbar/
QUOTE: We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be a toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface. And this program does indeed install the eBay toolbar.
This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account "eBayMember" with Administrator privileges and enables this account to remotely access the infected machine. The created account is also hidden from the login screen, to prevent the victim from noticing.
Then the remote access ability of the compromised machine was verified by using the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.
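A defender-side check for the pattern AVERT describes, added here as an example and not AVERT Labs' code. It parses constructed text shaped like the output of `netstat -an`, of `net localgroup administrators`, and of a `reg export` of the Winlogon SpecialAccounts\UserList key (the value Windows consults to hide an account from the logon screen; the post does not name it), and flags the combination of a listening port 3389 with a hidden account that is also a local administrator. The account names other than eBayMember, the addresses and the file contents are constructed samples.

```python
"""Audit helpers for the hidden-RDP-account pattern described in the AVERT post.
Added example, not AVERT Labs code. The three inputs below are constructed
samples shaped like the text output of `netstat -an`, `net localgroup
administrators` and `reg export` of the Winlogon SpecialAccounts\\UserList key;
on a real machine you would feed the script those commands' actual output.
"""
import re

# Constructed sample: netstat -an on a machine where Terminal Services listens.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1052        192.0.2.20:80          ESTABLISHED
"""

# Constructed sample: .reg export of the key used to hide accounts from the
# logon/welcome screen. A DWORD value of 0 hides the account named by the value.
USERLIST_REG_SAMPLE = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList]
"HelpAssistant"=dword:00000000
"eBayMember"=dword:00000000
"""

# Constructed sample: `net localgroup administrators` output.
LOCAL_ADMINS_SAMPLE = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
eBayMember
alice
The command completed successfully.
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)
HIDDEN_RE = re.compile(r'^"([^"]+)"=dword:0+$', re.MULTILINE)


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat -an text."""
    return {int(p) for p in LISTEN_RE.findall(netstat_text)}


def hidden_accounts(reg_text):
    """Return account names that a UserList export hides from the logon screen."""
    return set(HIDDEN_RE.findall(reg_text))


def local_admins(net_localgroup_text):
    """Parse member names from `net localgroup administrators` output:
    everything after the dashed separator up to the closing status line."""
    lines = net_localgroup_text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return set()
    members = set()
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            continue
        members.add(line)
    return members


def audit(netstat_text, reg_text, admins_text):
    """Flag the combination the post describes: Terminal Services (3389)
    listening and a hidden account that is also a local administrator."""
    findings = []
    if 3389 in listening_ports(netstat_text):
        findings.append("TCP 3389 (Terminal Services) is listening")
    for name in sorted(hidden_accounts(reg_text) & local_admins(admins_text)):
        findings.append(f"hidden account '{name}' is a local administrator")
    return findings


if __name__ == "__main__":
    for finding in audit(NETSTAT_SAMPLE, USERLIST_REG_SAMPLE, LOCAL_ADMINS_SAMPLE):
        print("FINDING:", finding)
```

HelpAssistant is listed in the sample only to show that a hidden account by itself is not a finding; Windows XP hides that built-in account the same way, so the check fires only when a hidden account also sits in the local Administrators group.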
Trend Micro is warning users to avoid threatening notices that might be found in their inbox. These attacks use the social engineering tactic of making folks believe "they have done something wrong" and "they will lose their Internet privileges completely". Users should delete these messages and resist taking action on any unusual or unexpected email messages.
Spammers Masquerade as Internet Copyright Police
QUOTE: Internet spammers have turned to file-sharing scare-tactics. This is to entice would-be victims to open a malicious attachment, threatening the unfortunate recipients with interrupted Internet connectivity or legal action. Recipients are most likely to be motivated by fear to fall for this ruse. It is, after all, the Internet surfer’s worst nightmare to have all their Internet activities known to other parties — especially those who threaten legal prosecution.
These spam runs seem to use a self-righteous tone against piracy, which makes the ruse even all the more believable. However, downloading the attached file is not in the recipient’s best interests. We advise users to consider all unsolicited email suspect.
This recent Sunbelt posting shares how malware writers are currently using these products to create malicious ads that can even appear on popular mainstream sites if the webmasters aren't careful (e.g., Antivirus 2009). I've had training in Dreamweaver and ColdFusion Studio in the past, and we used Fuse at my prior company. Fuse is a compilation tool and a good product as well.
As Flash is possibly the MOST WIDELY INSTALLED software product in the Internet environment, it is being misused by the bad guys. While Fuse itself is not a malicious product, this highly productive tool allows these malicious authors to compile and create professional-looking banner ads. Webmasters need to be vigilant and test each sponsored ad for malware, as UNPATCHED versions of Flash can be used to redirect users to hostile sites or download malicious code.
Users need to be careful with banner ads and any Flash-based objects they encounter on websites. More importantly, they should ensure they are running the latest available version of Flash Player.
Unintended consequences and Fuse Kit
QUOTE: Fuse Kit is a cool utility to create animations in Flash. Unfortunately, it’s popular with malware distributors, who are using it to create malicious advertisements. These malicious advertisements get served on sites — even mainstream sites.
They push malware. (Just to make sure there’s no confusion, this is not a drive-by exploit. Typically the user will see a fake “system scan” message that “Your system is infected!”. If the user actually believes it and clicks “OK”, and then downloads and installs the “security software”, the infection will occur. However, it’s not to lighten the effect — it’s very devious social engineering.)
More from Sandi Hardmeier, who has been doing just about the best job of tracking these:
I am seeing reports of the malicious redirects remaining dormant for a week before visitors to victim web sites are hijacked and redirected to fraudware sites. Web sites simply *must* increase their due diligence checks with any new advertiser. It is going to take time, and it is going to cost money, but what alternative do web sites have if they want to protect and keep their readership, and if they want to avoid the inevitable end result of malvertizing, which is that more and more of visitors to their sites are going to block all advertising.
Additional Resources to ensure safer operations using FLASH
Adobe test site which will show latest version
(should be 9.0.124)
How to manually update if needed
(Be sure to uncheck Google Toolbar)
Adobe Flash Player Flaw - Massive Exploitation reported
Adobe Flash - How to disable and enable in IE 7 or IE 8
While I've been personally receiving and avoiding these malware-laden attacks, I wasn't aware of the overall volume, which is estimated at between 2 and 10 million messages per hour. As previously documented, these spammed messages appear genuine and have infected folks who are normally very careful in handling email messages.
SPAM CAMPAIGNS TARGET MSNBC.COM and CNN
QUOTE: The spam unleashed Wednesday follows a massive campaign last week in which spammers impersonated CNN.com. That campaign saw 250 million spam messages sent in one intense 24 hour period, according to spam-fighting firm MX Logic Inc. Those e-mails appeared to include links to CNN's top 10 stories, but Internet users who were tricked into clicking on those links were sent instead to Web sites overseas that were booby-trapped with malicious software.
MX Logic says it captured 850 million CNN spam messages since Aug. 4, and that the volume has steadily increased, suggesting that recipients have fallen for the ploy and their infected computers have been used to send out even more spam.
So far, MX Logic says, it's catching about 2 million msnbc.com spam messages per hour, but the rate is steadily increasing. Security firm Sophos said the msnbc.com spam spiked at one point on Wednesday morning and equaled the total amount of all other spam the firm was trapping.
Malware writers use every trick in the book when it comes to social engineering schemes. AntiVirus 2009 employs some convincing graphical displays to trick users into thinking they are infected and into installing this product for cleaning. It appears to be spreading through email, IM, and social networking websites. New variants also constantly emerge in these spam runs to avoid AV detection.
If any infection is found, users are much better served by installing a true mainstream AV solution instead. In addition to full-featured AV products, there are good free alternatives that can do a good job of basic prevention or cleaning.
As a golden rule, never install any type of software from an email link. In fact, it's always safer to avoid taking ANY action on most email messages you receive.
AntiVirus 2009 - Avoid these Fake Antivirus Trojan attacks
QUOTE: Researchers at TrendLabs have discovered a new set of rogue antivirus software circulating in the wild. Based on initial analysis, these threats arrive mainly via spammed email messages that contain a link to a bogus celebrity video scandal, although we have also received reports that the said link is also circulating in instant messaging applications and private messages in social networking Web sites.
RENOS Trojans are known to have very visual payloads that may further alarm users (for example, they modify the system’s wallpaper and screensaver settings to display BSOD). Thus, users may be more convinced that something’s wrong with their system, not knowing that their new software is the one causing it.
The recent fake CNN alerts have been modified by the authors to appear as MSNBC alerts. These must also be avoided, as they prompt users to load ADOBE_FLASH.EXE which contains a malicious trojan horse. These are also circulating extensively in spam email.
MSNBC / CNN malware run
QUOTE: For some days we've been seeing spam runs with titles like "CNN Alerts: My Custom Alert" or "CNN Alerts: Breaking news". These are fake news articles that point to a fake news page that will try to download malware to your machine. Apparently people stopped clicking on fake CNN links as today the attackers switched the mails to look like they are now coming from MSNBC.
This appears to be a much-needed update, for MS Office components in particular. As most of these items are rated critical, these security updates should be applied promptly to ensure the best level of protection.
Microsoft Security Updates - August 2008
• MS08-041 - addresses a vulnerability in Microsoft Access (KB 955617)
• MS08-042 - addresses a vulnerability in Microsoft Word (KB 955048)
• MS08-043 - addresses a vulnerability in Microsoft Excel (KB 954066)
• MS08-044 - addresses a vulnerability in Microsoft Office (KB 924090)
• MS08-045 - addresses a vulnerability in Internet Explorer (KB 953838)
• MS08-046 - addresses a vulnerability in Windows (KB 952954)
• MS08-047 - addresses a vulnerability in Windows (KB 953733)
• MS08-048 - addresses a vulnerability in Outlook Express (KB 951066)
• MS08-049 - addresses a vulnerability in Windows (KB 950974)
• MS08-050 - addresses a vulnerability in Windows Messenger (KB 955702)
• MS08-051 - addresses a vulnerability in Microsoft PowerPoint (KB 949785)
Steve Friedl, Microsoft MVP, has developed this EXCELLENT guide, which illustrates in detail how the new DNS exploits can impact unpatched servers.
An Illustrated Guide to the Kaminsky DNS Vulnerability
QUOTE: This paper covers how DNS works: first at a high level, then by picking apart an individual packet exchange field by field. Next, we'll use this knowledge to see how weaknesses in common implementations can lead to cache poisoning. By fully understanding the issues at play, the reader may be better equipped to mitigate the risks in his or her own environment. We hope everybody who runs a DNS server patches soon.
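To make the resolver-side defenses concrete, here is an added example (not code from the illustrated guide or from any real resolver) of the two checks a recursive resolver applies before caching a reply: the reply must match an outstanding query on transaction ID, randomized source port, server address and question, and only records within the answering server's own zone (its bailiwick) are kept. The PendingQueries class, the dict layout of queries and responses, and the addresses and names are assumptions constructed for this example.

```python
"""Resolver-side acceptance checks of the kind the Kaminsky-era fixes depend
on. Added example; not taken from the illustrated guide above. Queries and
responses are plain dicts constructed here; a real resolver would build them
from the wire-format packets the guide dissects. Servers, names and addresses
are constructed sample values."""
import secrets


class PendingQueries:
    """Outstanding queries keyed by (transaction ID, UDP source port).
    A reply is considered only if it matches a query this resolver sent;
    randomizing both fields is what makes blind forgery impractical."""

    def __init__(self):
        self._pending = {}

    def send(self, qname, qtype, server, zone):
        """Record a query to `server`, which was delegated `zone`. Returns the
        (txid, source port) pair a real resolver would put on the wire."""
        txid = secrets.randbelow(1 << 16)                # 16-bit transaction ID
        sport = 1024 + secrets.randbelow(65536 - 1024)   # random ephemeral port (range assumed)
        self._pending[(txid, sport)] = (qname.lower(), qtype, server, zone)
        return txid, sport

    def match(self, response):
        """Return the query a response answers (and forget it), or None when
        the txid, destination port, source address or question disagrees."""
        key = (response["txid"], response["dport"])
        q = self._pending.get(key)
        if q is None:
            return None
        qname, qtype, server, _zone = q
        if (response["src"] != server
                or response["qname"].lower() != qname
                or response["qtype"] != qtype):
            return None
        return self._pending.pop(key)


def in_bailiwick(owner, zone):
    """True when `owner` is `zone` itself or lies beneath it."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def cacheable_records(records, zone):
    """Keep only records inside the answering server's zone; data about other
    zones (the classic poisoning vehicle) is discarded rather than cached."""
    return [rr for rr in records if in_bailiwick(rr["name"], zone)]


def accept(pending, response):
    """Full check: the response must answer an outstanding query, and only
    its in-bailiwick records are returned for caching. None means discard."""
    q = pending.match(response)
    if q is None:
        return None
    return cacheable_records(response["records"], q[3])


if __name__ == "__main__":
    pending = PendingQueries()
    txid, sport = pending.send("www.example.com", "A", "192.0.2.53", "example.com")
    reply = {"txid": txid, "dport": sport, "src": "192.0.2.53",
             "qname": "www.example.com", "qtype": "A",
             "records": [{"name": "www.example.com", "type": "A", "data": "192.0.2.80"},
                         {"name": "example.net", "type": "NS", "data": "ns.example.net"}]}
    print(accept(pending, reply))   # the example.net record is not cached
```

The transaction ID alone gives a forger one chance in 65,536 per spoofed packet; requiring the randomized source port to match as well multiplies the space by the number of possible ports, which is why the patches the guide urges make source ports unpredictable rather than relying on the ID.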
As many security sites have noted over the weekend, the bad guys have been taking advantage of this special sporting event. It is important to stay safe during the next two weeks by using best practices in handling email, website visits, instant messaging, e-commerce, etc. As reflected below, a number of "malware events" are underway, and here's hoping these participants will not earn any medals for these malicious acts.
A parallel Olympics for malware started today
QUOTE: With all the press coverage the Beijing’s Olympics is currently receiving, it doesn’t surprise us that malware authors are using it as a way of spreading their parasites. Today around the time of the opening ceremony we received a sample in the Aylesbury research lab, which proclaimed to be a set of images which showed the amazing architectural feats of the venues. While viewing the slideshow your machine would be infected by a classic BackDoor-CKB.
Scammers Try Their Luck (Again) on The Olympics
QUOTE: With the Beijing Olympics now in full swing, you can bet that all the usual suspects will be trying hard to part users from their hard-earned money. It’s not just scammers; phishers are having a go at it as well. Users should keep this in mind: if it’s too good to be true, it probably is.
MORE EXAMPLES OF EARLIER ATTACKS
Buyer Beware - Scam Olympic Ticketing Sites About
QUOTE: A timely warning to those wishing to purchase last minute tickets for the Beijing Olympic Games of 2008 to beware of scams and rip offs. There are some fake but very well crafted ticketing Web sites that have been duping unsuspecting members of the public out of their hard earned cash by posing as legitimate suppliers for Olympic events. In particular, one such scam site has, according to media reports, already ripped off many individuals, some to the tune of US $57,000.
SQL Injection Attacks Targeting Chinese-oriented Sites
QUOTE: With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympics Games, and with ‘China’ being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web – and we’ve been seeing some interesting examples of SQL injection attacks specifically targeting website designed for a Chinese audience, whether from the mainland or overseas.
ISC: Olympic Clicks
QUOTE: With the Olympics starting tomorrow our users are going to start receiving themed emails with something extra. They will start receiving emails similar to the cnn.com top ten emails Daniel wrote about, but also messages from “news services”, storm with Olympic themed subjects, messages from Visa as Olympic sponsor, etc. They will all ask the recipient to click. So it is probably a good idea to remind your users of the dangers of the almighty click.
GREAT ADVICE FROM ISC from the "Olympic Clicks" article above
Don’t click any links when:
* The email was sent by someone you do not know.
* The email was sent by someone you might know, but whose name and email address do not match. e.g. sender: John Smith <Shjdyu@yahoo.com> or Albert Einstein <stacyB@hotmail.com>
* If the email asks you to click a link to “verify” personal details. e.g. “please click the link below to verify your account details”.
* the link looks funny. e.g. http://18.104.22.168/dhjeuaUhskw/special_surprise or www.not-quite-the-banks-name.com
* the web page says you have “won a laptop, click here to claim”, “a /spyware, click here to download a program to fix it”, “been selected as our lucky winner for .....”
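The ISC rules above are easy to turn into checks that a mail gateway or an awareness tool can run before a user ever sees the link. The following is an added example, not ISC's code: it applies each rule to constructed sample messages, and the table of brands and their legitimate domains is an assumption standing in for the organisations the reader's own users deal with.

```python
"""Mechanised form of the ISC "don't click" rules. Added example, not ISC's
code. The messages below are constructed samples and the brand-to-domain table
is an assumption."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed table of brands and the one domain that legitimately belongs to each.
KNOWN_BRAND_DOMAINS = {"examplebank": "examplebank.example"}

# Phrases from the ISC list (rules 3 and 5), lower-cased for matching.
BAIT_PHRASES = (
    "click the link below to verify",
    "verify your account",
    "won a laptop",
    "lucky winner",
    "click here to claim",
    "click here to download",
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://[^\s<>]+|www\.[^\s<>]+")


def name_address_mismatch(from_header):
    """Rule 2: display name and mailbox disagree, as in 'John Smith
    <Shjdyu@yahoo.com>'. Heuristic: no word of the display name (3+ letters)
    appears in the local part of the address."""
    name, addr = parseaddr(from_header)
    if not name or "@" not in addr:
        return False
    local = addr.split("@", 1)[0].lower()
    words = [w for w in re.split(r"[^a-z]+", name.lower()) if len(w) >= 3]
    if not words:
        return False
    return not any(w in local for w in words)


def suspicious_link(url):
    """Rule 4: the link 'looks funny': a raw IP address as host, or a host
    that carries a known brand's name without being that brand's domain."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "no host"
    if IPV4_RE.match(host):
        return "IP-literal host"
    for brand, real in KNOWN_BRAND_DOMAINS.items():
        if brand in host and host != real and not host.endswith("." + real):
            return f"imitates {brand} ({host})"
    return None


def bait_phrases(body):
    """Rules 3 and 5: 'verify your details' and prize-style lures in the text."""
    low = body.lower()
    return [p for p in BAIT_PHRASES if p in low]


def assess(message):
    """message: {'from': header, 'known_sender': bool, 'body': text}.
    Returns the list of ISC reasons not to click; an empty list means none fired."""
    reasons = []
    if not message.get("known_sender"):                  # rule 1
        reasons.append("sender unknown")
    if name_address_mismatch(message["from"]):           # rule 2
        reasons.append("display name does not match address")
    for phrase in bait_phrases(message["body"]):         # rules 3 and 5
        reasons.append(f"bait phrase: '{phrase}'")
    for raw in URL_RE.findall(message["body"]):          # rule 4
        url = raw.rstrip(".,);")
        why = suspicious_link(url if url.startswith("http") else "http://" + url)
        if why:
            reasons.append(f"suspicious link {url}: {why}")
    return reasons


# Constructed sample messages: one lure with an IP-literal link, one genuine
# notice, and one lure whose host merely contains the brand name.
SAMPLES = [
    {"from": "John Smith <Shjdyu@yahoo.com>", "known_sender": False,
     "body": "Please click the link below to verify your account details: "
             "http://192.0.2.44/dhjeuaUhskw/special_surprise"},
    {"from": "ExampleBank Alerts <alerts@examplebank.example>", "known_sender": True,
     "body": "Your statement is ready at https://www.examplebank.example/statements."},
    {"from": "ExampleBank Security <security@examplebank-secure-login.example>",
     "known_sender": False,
     "body": "You have won a laptop, click here to claim: "
             "www.examplebank-secure-login.example/claim"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", assess(m) or ["no rule fired"])
```

The brand check deliberately accepts subdomains of the real domain (www.examplebank.example) while rejecting look-alikes that only contain the name (examplebank-secure-login.example), which is the distinction ISC's "not-quite-the-banks-name" example is pointing at.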
As multiple copies have been received, these fake CNN email alerts are circulating extensively. These realistic HTML-based email messages appear almost legitimate, although some of the headlines have been sensationalized.
As an additional social engineering approach, the "get the latest Flash" prompt to view the videos may be something users have encountered in the past with legitimate Flash upgrades. These realistic messages should be avoided, and when in doubt, go directly to the main CNN website rather than trusting the legitimacy of an email message.
Fake CNN News email alerts are circulating extensively
QUOTE: This recent spam run looks fairly legit. It even comes with a tag line ”More videos, More news, More people saying: I just saw it in CNN.com” in the footer area -- perhaps to make it appear that the email is pushing a genuine CNN campaign. Both varieties though, appear to point to the download of the same file, get_flash_update.exe, in order to view the videos referred to in the spammed email.
So far, this new engine is working well on my XP SP3 PCs at work. Performance also seems improved, as launching programs and opening right-click menus seems slightly faster. It is available as a standalone update from McAfee for corporate users.
McAfee AV Engine 5300 released - Improved Performance and Detection
McAfee AV Engine 5300 - Download site
QUOTE: McAfee Avert Labs proudly released a new version of its core technology late last week. The 5300 Scan Engine is the most recent major release, and boasts significant performance optimizations in terms of scan and initialization times - in addition to a 42% improvement in memory usage. As the number and types of malware continues to grow at an ever increasing rate, Avert has worked hard to include functionality in the engine to enable better detection.
Yet another round of new attacks are occurring with CNN as the quoted source. Instead of selecting links in email, go to the main news site of your choice to check on any developing stories.
Avoid Email messages with fake or sensationalized headlines
QUOTE: A new round of spam pushing fake codecs. Last week we had fake Reuters. Now, we have fake CNN. That “flash player” is a Trojan and will only make your day decidedly less pleasant.
Starting with the October 2008 security bulletins, Microsoft will include valuable information on how likely it is that exploits will be developed for each individual security update. This new rating system can help administrators better identify high-priority updates. All security updates are of a critical nature, and after testing they should be applied as quickly as possible.
Microsoft implements new Exploitability Index for Security Releases
QUOTE: The Microsoft Exploitability Index aims to help IT administrators prioritize patches by rating the likelihood that vulnerabilities will be exploited.
The Exploitability Index is Microsoft's attempt to deal with what has become an unfortunate, predictable pattern: Microsoft issues a Security Bulletin and cybercriminals answer with code designed to exploit the newly disclosed vulnerabilities.
Starting with its October patch cycle, Microsoft plans to rate the likelihood that vulnerabilities will be exploited. It will do so to help administrators prioritize patches.
Vulnerabilities will be rated with one of three designations: Consistent Exploit Code Likely, Inconsistent Exploit Code Likely, and Functioning Exploit Code Unlikely. The first designation describes a vulnerability that would produce consistent results if exploited; the second designation describes a vulnerability that is difficult to exploit or would produce inconsistent results; the third designation describes a vulnerability that would be very difficult to exploit and thus might not warrant an immediate patch.
As I've been using Firefox for years to test newly developed web pages for compatibility and as a complementary browser, I also installed the latest alpha version, and it's functioning and performing well so far. Developers who install this test version should use the "clean install" approach, where Firefox is completely removed, including the settings found in user profiles managed in the Documents and Settings area.
Firefox 3.1 alpha version - Available for IT professionals
Shiretoko Alpha 1 is an early developer milestone for the next version of Firefox that is being built on top of Mozilla's Gecko 1.9.1 layout engine. Shiretoko Alpha 1 is being made available for testing purposes only, and is intended for web application developers and our testing community. Current users of Mozilla Firefox should not use Shiretoko Alpha 1.
Shiretoko / Gecko 1.9.1 Alpha 1 introduces several new features:
Download site (for IT developers only)
Security sites are warning users to obtain or update their Flash Player browser plug-in carefully, and only from Adobe. Malware writers are using get_flash_update.exe at hostile websites as one approach to trick folks. The Flash Player and its security updates must only be installed from Adobe's official website.
Adobe Flash - Beware of fake downloads circulating
QUOTE: Amidst confirmed reports that malicious hackers are starting to use fake Flash Player downloads as social engineering lures for malware, Adobe has issued a call-to-arms for users to validate installers before downloading software updates.
Adobe Bulletin - Importance of Verifying installers
QUOTE: We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.
Adobe Flash can be downloaded from the official site. One change I'd like to see there is to not bundle the Google Toolbar as a pre-checked option.
Adobe's official download site
WARNING: Be sure to uncheck the Google Toolbar option if this additional download is not desired