October 2010 - Posts
Trend provides an in-depth technical review of this latest ZBOT trojan which is a highly advanced malware attack.
Full Analysis of the ZeuS-LICAT Trojan
QUOTE: Last September, several individuals were arrested for using information-stealing Trojans created with the well-known ZeuS toolkit. Following this, security researchers anticipated the inevitable “upgrade” to the toolkit/Trojans that will allow cybercriminals to continue their money-making ploy. Soon enough, we received reports on a ZeuS Trojan Trend Micro detects as TSPY_ZBOT.BYZ with the following new features:
We have been chronicling our findings about TSPY_ZBOT.BYZ, the ZeuS Trojan with LICAT features, in the following entries:
Please update Flash as promoted to ensure the best levels of safety are in place
Adobe - Critical Update for Flash
QUOTE: A critical vulnerability exists in Adobe Shockwave Player 184.108.40.2062 and earlier versions on the Windows and Macintosh operating systems. This vulnerability (CVE-2010-3653) could cause a crash and potentially allow an attacker to take control of the affected system. As of October 27, Adobe is aware of reports of this vulnerability being exploited in the wild. A fix is available for Adobe Shockwave Player 220.127.116.112 on the Windows and Macintosh operating systems as of Thursday, October 28, 2010. Please refer to Security Bulletin APSB10-25.
While malware may be circulating less actively for Linux or Mac users, there are still threats and the need to always be careful. Koobface (Facebook spelled backwards) has now been retrofitted so that these environments may also be infected if users are not careful.
Koobface Worm - Now a threat for Linux and Mac users
QUOTE: A new variant of the Koobface worm that targets Mac OS X and Linux as well as Windows is spreading through Facebook, MySpace and Twitter, security researchers warned today. Antivirus firms first reported the malware, dubbed "Boonana," on Wednesday when Intego and SecureMac, two Mac-only security vendors, warned Mac OS X users that the worm was aimed at them.
Boonana spreads via messages posted to social networking or microblogging sites. Those messages bait the trap with the subject "Is this you in the video?" and a link to a malicious site. People who bite and click the link are then prompted to run a Java applet.
Webroot shares an excellent newsletter related to National Cyber Security Awareness for the month of October. I've also seen the phrase "Think before you click", which denotes that our own actions can get us in trouble if we let curiosity override the need for safety in the dangerous
Security Awareness - Stop, Think, Connect
Stop, Think, Connect
QUOTE: The army of criminals who commit fraud and theft over the Internet have several tricks up their sleeves. They disguise themselves and rely on you to not stop, not think, and to click links or open files immediately. That's how most people infect themselves. Luckily, you can prevent most of these infections yourself, simply by exercising a little restraint.
In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.
TOP THREE SCAMS CIRCULATING TODAY
Scam #1: Your computer is infected! The biggest criminal enterprise is the rogue antivirus product. It tries to convince you that your computer is infected so you hand over money for "antivirus protection" - which is not actually protection at all. The minute you see a fake alert, stop everything you're doing, kill the browser, and perform a full scan with the legitimate antivirus product of your choice.
Scam #2: Check out this cool link! Your friend's email or Facebook account is hijacked, and you receive a brief message with a short URL to watch a video or check out something equally "cool." The link actually leads to a malicious page with a malware download. Most shortlink services have a feature that lets you preview where the shortlink will go; use it. If you've never heard of the Web site, check the true destination domain against a reputation service, such as Webroot's Brightcloud. And don't be the first one among your friends to click a link.
Scam #3: John Doe wants to be your friend. In this one, the scammers usually duplicate the message format of popular social network sites. Instead of linking to "friend request," it takes you to a malicious page instead. To avoid this one, without clicking anything, move the mouse over the link in your email message, then look at the Status Bar to see exactly where the link leads. If the message claims to come from one company, but the URL points to a domain you've never heard of, don't click the link.
Below are the top 5 latest threats identified by Webroot
1. Rogue Security Products
When you access a website to enter or view sensitive information, it's important that the site use https (which creates an encrypted SSL session) rather than standard http sessions. SSL encryption is especially important and mandatory for banking or any e-commerce transactions.
With Firesheep All Your HTTP Sessions Are Belong To Us
QUOTE: If you didn't already know that plain HTTP sessions are utterly insecure, here's proof: A new Firefox addin named Firesheep captures sessions on open Wifi networks and goes one step more sinister. It finds users logged into Facebook, Twitter, Google, Amazon, Dropbox, Evernote, Wordpress, Flickr, bit.ly and other services. It lets you take over their sessions and become them.
Please be careful in visiting websites or with any types of links presented. FakeAV infections are very difficult to clean and one of these malware attacks actively circulating in the wild.
FakeAV - Rogue variant that spoofs Microsoft Security Essentials circulating
QUOTE: However, there's a rogue security product out there that claims to be "Microsoft Security Essentials". It has nothing to do with Microsoft. This malware is distributed via drive-by-download attacks. And not only does this fake tool steal Microsoft's brand, it also features a bizarre matrix display of 32 antivirus products, offering to locate you a tool that would be capable of fixing your machine as "Microsoft Security Essentials" can't clean the malware it found. In reality, this is all fake, and the tool has not found an infection in the fail it claims.
I've always cautioned friends to avoid these types of games (e.g., they may pick up malicious strangers as "friends" who can misuse sensitive information, they may annoy some FB users, etc.). This may not be a significant issue, as social networking is a wide-open and non-private environment. Still, if promises of privacy were broken, it'll be interesting to see if anything becomes of it.
Zynga sued in privacy breach controversy
QUOTE: 218 million “class members” probably won’t settle for Farmville dollars. A suit has been filed in U.S. District Court in San Francisco on behalf of a Minnesota woman charging game maker Zynga with leaking the personal information of 218 million Facebook members in violation of federal law. The suit seeks class action status.
The lawsuit alleges that Zynga, maker of six of the top 10 Facebook games, collected and shared the IDs of 218 million users, in violation of federal law and terms of service. It seeks unspecified monetary damages and an injunction preventing the alleged practice from continuing. The suit was filed in US District Court in San Francisco on behalf of Nancy Graf of St. Paul, Minnesota. It seeks class action status so other Facebook users may also be represented.
The action follows an investigation by The Wall Street Journal that found that a large number of Facebook apps, including all of the top 10, transmitted the unique user IDs of those who ran them to outside companies. Zynga – maker of games such as Farmville, Mafia Wars, and Cafe World – was found to be “transmitting personal information about a user's friends to outside companies,” the paper reported.
Trend shares an informative analysis of how FakeAV attacks are using Java and realistically mimicking IE, Firefox, or other vendor updates. Please be careful when applying all updates.
FakeAV Attacks - Increasing use of Java and realistic-looking product updates
QUOTE: FAKEAV doorway pages (a concept previously discussed in “Doorway Pages and Other FAKEAV Stealth Tactics”) are increasingly using Java vulnerabilities. In cases where these vulnerabilities cannot be exploited, PDF exploits are used instead. We detect the said Java and PDF exploits as JAVA_LOADER.HLL and TROJ_PIDIEF.HLL respectively.
This isn’t the only way FAKEAV has recently evolved, however. While browser-specific payloads and pages are not new, the pages being served up are more polished than before. Here are samples of two browser-specific pages we saw—one is for Internet Explorer while the other is for Firefox.
Both pages very closely mimic the actual interfaces of the aforementioned browsers. In Firefox’s case, not only did they mimic Mozilla’s site design, they also detected which browser version runs on a particular system. This kind of very specific and well-polished behavior can easily lead users to believe that the alerts they see are legitimate.
During our difficult economic times, individuals without jobs may be tempted to look into and even apply for "work at home" opportunities. However, there is danger associated with these scams, especially when folks have to pay for the privilege to work at home. Some safety warnings and protective safeguards are offered by the FBI in this special warning.
FBI Warning - Avoid Work-at-Home scams
QUOTE: Consumers continue to lose money from work-from-home scams that assist cyber criminals move stolen funds. Worse yet, due to their deliberate or unknowing participation in the scams, these individuals may face criminal charges. Work-from-home scam victims are often recruited by organized cyber criminals through newspaper ads, online employment services, unsolicited emails or “spam”, and social networking sites advertising work-from-home opportunities.
Once recruited, however, rather than becoming an employee of a legitimate business, the consumer is actually a “mule” for cyber criminals who use the consumer’s or other victim's accounts to steal and launder money. In addition, the consumer’s own identity or account may be compromised by the cyber criminals.
Example of a Work-From-Home Scheme:
• An individual applies for a position as a rebate or payments processor through an online job site or through an unsolicited email.
• As a new employee, the individual is asked to provide his/her bank account information to his/her employer or to establish a new account using information provided by the employer.
• Funds are deposited into the account that the employee is instructed to wire to a third (often international) account. The employee is instructed to deduct a percentage of the wired amount as their commission.
• However, rather than processing rebates or processing payments, the individual is actually participating in a criminal activity by laundering stolen funds through his/her own account or a newly established account.
• Be wary of work-from-home opportunities. Research the legitimacy of the company through the Better Business Bureau (for US-based companies) or WHOIS/Domain Tools (for international companies) before providing personal or account information and/or agreeing to work for them. In addition, TrustedSource.org can help you identify companies that may be maliciously sending spam based on the volume of email sent from their Internet Protocol (IP) addresses. See also the FTC’s recommendations.
• Be cautious about any opportunities offering the chance to work from home with very little work or prior experience. Remember: if it looks too good to be true, it usually is.
• Never pay for the privilege of working for an employer. Be suspicious of opportunities that require you to pay for things up front, such as supplies and other materials.
• Never give your bank account details to anyone unless you know and trust them.
• If you think you may be a victim of one of these scams, contact your financial institution immediately. Report any suspicious work-from-home offers or activities
Adobe has announced plans to strengthen its Acrobat Reader when processing PDF files to reduce malware attacks. It will use Protected Mode and sandbox security concepts to better interface with Windows APIs and potentially reduce some of the dangers associated today with PDF processing.
Adobe - Creating Sandbox Architecture for reader
QUOTE: Another approach, which Adobe announced in July, was that they would implement a sandbox architecture in Reader for Windows. All the same vulnerabilities affect Acrobat and most of them affect other operating systems, but Reader for Windows was chosen because it's the overwhelming majority of the installed base and therefore the overwhelming majority of the systems attacked. Remove the ability to attack Reader and attackers will look elsewhere.
Because the sandbox process has very little in the way of rights, even if an exploit takes complete control of that process it won't be able to do anything useful. Sandboxes are great and this one should go a long way towards protecting users.
Small businesses should ensure they have the best levels of security and check account statements regularly for any unusual activities.
FBI Warning - Cybercriminals targeting small business accounts
QUOTE: Cyber criminals are targeting the financial accounts of owners and employees of small and medium sized businesses, resulting in significant business disruption and substantial monetary losses due to fraudulent transfers from these accounts. Often these funds may not be recovered.
Several critical updates for Firefox were recently released - please update as prompted to ensure improved safety.
Firefox 3.6.11 released to address 12 vulnerabilities
QUOTE: Mozilla has released versions 3.6.11 and 3.5.14 of Firefox to address 12 vulnerabilities in nine updates. Five of the updates are rated Critical, two High, one Moderate and one Low. The updates may be downloaded directly: click here for 3.6.11 and here for 3.5.14. You can download updates with the Help-Check for Updates feature. If you don't update within 24-48 hours, you should receive a notification that an update is available. Even though an update is available for the 3.5 branch of Firefox, Mozilla recommends strongly that you upgrade to 3.6.11. Before too long, support for the 3.5 branch will be withdrawn.
Please Auto update as prompted or obtain from Download site
MSE just celebrated its first anniversary, and a new release became available during Patch Tuesday for October 2010. If your icon has turned orange, it denotes that a new version is available. Please install the latest version if prompted to ensure you are completely up-to-date.
Microsoft Security Essentials - New release during October 2010
QUOTE: Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software. Microsoft Security Essentials is a free* download from Microsoft that is simple to install, easy to use, and always kept up to date so you can be assured your PC is protected by the latest technology. It’s easy to tell if your PC is secure — when you’re green, you’re good. It’s that simple. Microsoft Security Essentials runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.
Java is indeed one of attackers' primary conduits for malware these days. In the 1st link below, the chart is worth looking at, as the exponential growth shown is alarming. I thought the PDF dangers might be high, but web/email based attacks are off the charts. As Java works behind the scenes, it may not be as visible to users, nor the need for it to be updated. Always carefully update Java as prompted to ensure your PC is adequately protected.
Microsoft warns of major increase in Java based attacks
Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running?
Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version.
Below is a reminder to apply the recent security updates from Microsoft, as a large number of critical updates were published. The updates this month help combat a few exploits circulating in the wild, and it is beneficial to ensure your systems are completely up-to-date. Please always keep your systems set for automatic updates, or if you update manually, always remember to do so on "Patch Tuesday".
Microsoft Security Updates - October 2010
Internet Storm Center - Excellent Analysis
A great feature of the Windows Update process is the Malicious Software Removal Tool (MSRT) facility which detects and cleans any discovered major malware agents. While some malware attacks deactivate AV protection, MSRT is often able to clean these infections. MSRT does a good public service in shutting down some major security threats as evident by stopping the Storm Worm attacks a few years ago.
MSRT now roots out Zeus malware
QUOTE: Two weeks after law enforcement broke up one of the criminal gangs behind the Zeus malware, Microsoft has taken steps to make it harder for criminals to install the software on PCs. On Tuesday, Microsoft started detecting Zeus with its Malicious Software Removal Tool (MSRT) -- a widely used virus removal program that's free for Windows users. That should make it harder for the many criminals who use Zeus to keep running their software on computers that don't have antivirus software installed -- often an easy target up until now.
According to a September 2009 study by security vendor Trusteer, 45 percent of Zeus-infected machines have either no antivirus software or an out-of-date product. On the other hand, Zeus has been effective at avoiding the type of detection that Microsoft is now adding to its MSRT. According to that same report, 55 percent of Zeus infections were on machines that did have working antivirus programs installed.
Microsoft's decision to add MSRT protection has had a big effect on some malicious programs. It's credited with pretty much knocking the Storm Worm offline in 2007, for example.
One-time temporary passwords can be helpful to ensure the primary permanent password is not captured while using a public PC (e.g., by caching, keyloggers, etc.). Facebook has implemented this feature: by texting a special number, a one-time login password good for 20 minutes can be used. As it requires registration of a cell phone with Facebook, it should be used by individuals with a true need for this service.
Facebook - Implements one time passwords via Phone text
QUOTE: We're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password. Simply text "otp" to 32665 on your mobile phone (U.S. only), and you'll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you'll need a mobile phone number in your account. We're rolling this out gradually, and it should be available to everyone in the coming weeks.
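The properties described in the announcement (a code bound to a registered phone number, usable once, expiring 20 minutes after issue) modelled as a small verification service. This is an added example, not Facebook's code; the phone-to-account mapping is constructed sample data and the SMS delivery channel is replaced by returning the code to the caller.

```python
"""Added example of a single-use, time-limited login code service (not Facebook's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

OTP_LIFETIME_SECONDS = 20 * 60  # 20-minute validity, as stated in the announcement
OTP_LENGTH = 8


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    used: bool = False


@dataclass
class OneTimePasswordService:
    # Phone number registered on the account -> account id (constructed sample data).
    registered_phones: Dict[str, str]
    # Account id -> most recently issued code; only the newest code is ever valid.
    _issued: Dict[str, IssuedOtp] = field(default_factory=dict)

    def request_otp(self, phone: str, now: Optional[float] = None) -> Optional[str]:
        """Texting 'otp' from a phone: issue a fresh code for the account it is
        registered to. Returns None when the phone is not on any account, so an
        unregistered number cannot obtain a code."""
        account = self.registered_phones.get(phone)
        if account is None:
            return None
        now = time.time() if now is None else now
        # CSPRNG-generated digits; never derive the code from the clock or the account.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        # Issuing a new code silently invalidates any earlier unused one.
        self._issued[account] = IssuedOtp(code=code, issued_at=now)
        return code

    def verify(self, account: str, code: str, now: Optional[float] = None) -> bool:
        """Accept the code only if it is the current one, unexpired and not yet used."""
        now = time.time() if now is None else now
        entry = self._issued.get(account)
        if entry is None or entry.used:
            return False
        if now - entry.issued_at > OTP_LIFETIME_SECONDS:
            # Expired: discard it so a late or replayed submission can never succeed.
            del self._issued[account]
            return False
        # Constant-time comparison so a guessing client learns nothing from timing.
        if not hmac.compare_digest(entry.code, code):
            return False
        entry.used = True  # single use: a second submission of the same code fails
        return True
```

In a real deployment the code would also be rate-limited per account and invalidated when the regular password is changed.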
Stuxnet is one of the most sophisticated malware attacks to emerge, and not much is known regarding its origin or intent at this time. As security researchers continue to investigate this new potential attack on industrial systems, details continue to emerge, as noted in the updates below:
Stuxnet - More details emerge on this advanced threat
QUOTE: It's not often that malware like Stuxnet comes around. Stuxnet appears to be the new black at the Virus Bulletin 2010 conference, currently ongoing in Vancouver. Everyone's talking about it. The mountain of research and just plain blabbing about Stuxnet there includes a paper from Symantec entitled Win32.Stuxnet Dossier. It summarizes what we know (or rather what Symantec knows) on the matter and adds some interesting new details dug out of the innards of the code. There's also a great Stuxnet Questions and Answers from F-Secure. Some summary characteristics of Stuxnet from the paper:
• It self-replicates through removable drives, exploiting a vulnerability allowing auto-execution: Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (BID 41732).
• It spreads in a LAN through a vulnerability in the Windows Print Spooler: Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073).
• It spreads through SMB by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
• Copies and executes itself on remote computers through network shares.
• Copies and executes itself on remote computers running a WinCC database server.
• Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
• Updates itself through a peer-to-peer mechanism within a LAN.
• Exploits a total of four unpatched Microsoft vulnerabilities, two of which are the previously mentioned vulnerabilities used for self-replication; the other two are escalation-of-privilege vulnerabilities that have yet to be disclosed.
• Contacts a command and control server that allows the hacker to download and execute code, including updated versions.
• Contains a Windows rootkit that hides its binaries.
• Attempts to bypass security products.
• Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
• Hides modified code on PLCs, essentially a rootkit for the PLC.
Critical security updates for Adobe Acrobat and Flash will be released tomorrow, one week earlier than the normal quarterly schedule. These should be applied promptly to improve safety when processing PDF files or visiting websites that contain Flash objects.
Adobe Quarterly Security Release - October 5, 2010
QUOTE: Adobe has announced that next Tuesday, October 5, they will release their quarterly updates, one week ahead of the normal schedule, which would be October 12. The update will address critical problems in Adobe Reader and Acrobat 9.3.4 and 8.2.4 for Windows, Macintosh and UNIX/Linux. These include Flash vulnerabilities which were already updated in Flash but to which Reader and Acrobat are also vulnerable. There is an implication that other vulnerabilities will be fixed as well. Tune in Tuesday for more details as Adobe releases them and the updates themselves.
Microsoft, the Internet Storm Center (ISC), and many other security firms are promoting safety and best practices this month. As in past years, the ISC will feature one article daily related to improving security awareness in a dangerous online world.
QUOTE: October is National Cyber Security Awareness Month. Microsoft and the National Cyber Security Alliance (NCSA) have teamed up with the Department of Homeland Security (DHS) again this year to help increase awareness about Internet security issues and to educate people about how to help protect themselves and their devices.