Spyware Sucks : Vulnerabilities, Technology, viruses and exploits

New SWF analysis tools - thanks to TeMerc for pointing this out

sandi — Thu, 06 Dec 2007 23:58:00 GMT

Yay, a new tool. Thank you TeMerc, I owe you a drink of your choice when I am next in town...

"In light of a growing problem that has the potential to effectively place every internet user at risk, even when only visiting sites they would otherwise fully trust, there is at least a new tool available to assist the security researcher community with a means to better identify malicious SWF files. The timing for this is excellent, as I have personally only learned of this tool just this morning. This particular tool is the OWASP hosted project named 'SWFIntruder'."

There is a *lot* going on right now with regards to malicious advertising - too much to write about now - but watch this space. There may be FUN times ahead (for us, that is, not the purveyors of the malicious banner advertisements) :o)

Breaking news: skyauction.com, unauthorised malicious advertisements, a fake letter of mandate.. oh my...

sandi — Thu, 06 Dec 2007 23:15:00 GMT

My regular readers may recall my recent article about emusic's claim that various advertising networks (uniqueads.com, adtraff.com and forceup.com) were fraudulently claiming to represent emusic. Said advertising networks were apparently selling unauthorised, malicious, advertisements touting emusic.com; advertisements that hijacked users in an attempt to spread malware.

Well, I have received an email from the Chief Technology Officer at skyauction.com and he has quite a story to tell. Here is a quote from his email - information shared with permission:

"We were contacted by another company today that were duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake letter of mandate" (which I can email you) to one of their targets saying that they represent us. As with our logo, they were pretty sloppy creating this fake "mandate" because there are some obvious errors. In this case, someone with the pseudonym (one can only guess) of "Jim Burch" (jim@netmediagroup.net) contacted the site claiming to represent us and asking to put up ads on the contact's site. The the ads go up and deliver the fake malcious Skyauction ads until someone complains and they are finally taken down. NetMediaGroup appears at first glance to be a real company, but they are probably a completely
fraudelent one. The domain name is registered to some organization in Germany, but the contact us phone number seems to be in the Netherlands. All of the names on the web site are just generic (i.e. they don't give full names)."

Here is a picture of the fake letter of mandate as sent to me by skyauction.com - click on the graphic to view a full size copy:

Ok, so who are netmediagroup.net? Let's do a Whois search (copied below) - hmm, note the email address burnads_c@yahoo.com. Yep, that rings a bell - thinking back to the fake skyauction.com advertisement that hit soccernet.com, I remember that the name burnads appeared. The referrer for performanceoptimizer was: burnads.com/swf/gnida.swf?campaign=flatfootup&u=23423424. That URL, when I just loaded it in my system, redirected me immediately to fraudware site.

I think it is time to get in touch with the CTO of emusic and find out what *his* story is. The CTO of skyauction and I both believe that the best way to fight the fraudsters is to expose their activities.

Domain Name : netmediagroup.net

::Registrant::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18, Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Administrative Contact::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18, Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Technical Contact::
Name      : Martin Such
Email     : burnads_c@yahoo.com
Address   : Debusweg 6-18, Koenigstein - Falkenstein Frankfurt
Zipcode   : 61462
Nation    : DE
Tel       : +49(0)4513456
Fax       :

::Name Servers::
ns1.netmediagroup.net
ns2.netmediagroup.net

::Dates & Status::
Created Date   2006-06-29 05:38:33 EDT
Updated Date   2007-06-27 17:59:00 EDT
Valid Date     2008-06-29 05:38:33 EDT
Status         ACTIVE

Is this the beginning of the end for malicious SWF files?

sandi — Thu, 06 Dec 2007 22:56:00 GMT

Oh, I hope so. Mind you, it's going to take me quite a while to get my head around this 7 page document, and all of the extra pages referred to ... anybody want to give me a crash course, or explain to my readers what sort of difference this will make in the fight against malicious banner advertisements? ;o)

Source: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html

"In 2003, Flash Player 7 software introduced a channel of client-server communication that was new to the web: direct cross-domain data loading, authorized by policy files. Before policy files, web content could only perform two-way communication with its own server, such as runtime configuration or transactions without page reloads. Policy files allowed servers to open up their data selectively to client content from other domains, or generally to content from anywhere. Since the introduction of policy files, domain boundaries have been less of a barrier for authors of rich Internet applications.

Like most new technologies, policy files weren't perfect when they were first introduced. After four years, the Internet security community has found two undesirable situations (described later in this article) that can arise from the existence of policy files. The basic premise of policy files remains valid, and Flash developers can continue to rely on policy files just as they have since Flash 6. To address the new concerns, however, Adobe is specifying some stricter rules for the use of policy files. Additionally, there are a number of improvements that make policy files more useful and usable. We will try to explain the reasons for our changes clearly and simply."

Not even my immediate family is safe from malware....

sandi — Fri, 23 Nov 2007 12:00:00 GMT

There's my Dad, searching the net for an update to a particular specialist programme on his system; he finds what he wants, he downloads, he starts to install (we don't know if he closed his Web browser first - I'm bettting not), he's prompted to update *DirectX* and whammo, he's hit with spyware.cyberlog-x.

Unfortunately:

he doesn't remember what the URL was that he downloaded the software from;
he's not sure in what order various events occurred; and
IE's history, just for today, has been deleted (an interesting symptom in and of itself) - IE's history record for previous days is intact.

The affected system is an XPSP2 system and my Dad fell victim to a standard combination of circumstance; a nice dose of social engineering, being confronted by a dialogue box that mentioned a name that was familiar enough to not be too scary, and not paying close enough attention to what he was downloading, and just as importantly, where from.

My father's experience today, and our difficulties when trying to clarify exactly what happened and how it happened, combined with other interactions I have seen between IT and computer users, reminds me that the average user really doesn't "get it" when it comes to working with IT staff. They are sometimes their own worst enemies; not paying attention, and not recording what is, for us, essential information and not interacting well with their IT support. The user mis-steps that I see happening most often are:

The average user will not read the error message on the screen.

There was the time a very grumpy person complained that somebody had changed his password, because he was sure he was putting it in correctly, but it kept failing. It turned out that the true situation was that he was trying to unlock a locked screen and didn't read the dialogue box that appeared after he entered his username and password which said (paraphrased) that "this computer is locked, if you proceed the other logged on user's programs will be shut down and they may lose data". Instead, he assumed it was an incorrect password dialog, hit enter (which triggered 'cancel'), pressed ctrl/alt/del, tried again, didn't read the message again, hit enter again, rinse/wash/repeat. After 4 or so tries he came to me to complain, and a lot of frustration could have been saved if he had read the dialogue box and acknowledged the warning by clicking ok instead of cancel....

And this guy had an admin account - don't let him near a server... please...
Practice patience.

If the hourglass is spinning, it won't do you any good at all to keep clicking; in fact, with some of the line of business applications that I support it will guarantee a crash. Go and get yourself a tea, coffee, fruit juice or whatever and if the problem is still there when you get back, call IT and ask for advice.
If the cursor turns into a hand, *single* click, don't double click... again, I support some line of business applications that *will* crash if you double click instead of single click.
If it doesn't work the first time that you click, it won't work if you click 2, 3, 5, 10 or 20 times.
Swearing at the computer won't help - it can't hear you.
Swearing and being angry when talking to IT support won't help either. Stress is bad for both of you.
Sometimes a simple reboot is all that is needed to stabilise your system, especially if you leave it running 24 hours a day.
It is not a good idea to delay rebooting after installing security updates if prompted to do so - to avoid weird problems and errors, please restart your computer when prompted, even if you're really really really busy - it doesn't take that long.
"It's been crashing for about a week, but I really need this report right now".

Please call IT support before it becomes an emergency. We don't have crystal balls... we don't discover that you are having problems via some sort of mysterious osmosis, and if you've left things for a week before calling us we have somewhere between "nil and buckleys" chance of working out what went wrong and why. Also, it is difficult for us to minimise the frustration you're feeling if you only call us after you've been "putting up with it" for a week, and you're now seriously pissed off and ready to throw your computer (and your IT support professional) out the nearest window.
"There was a weird message then it crashed"...

"Ok, what was the message?" ... <<silence except for the sound of crickets chirping in the darkness>> ... "I dunno. I clicked on ok, and now nothing works".

If you experience a crash, stop what you are doing, read it and write it down, then call me.
"I didn't do anything!" .... sometimes, my friend, yes you jolly well did.
If your thoughts immediately before clicking are anything like "maybe if I try this..." or if you feel a desire to close your eyes and cross your fingers as you click, then don't click.
"It has never worked!!" .... Ok, we're dealing with the crystal ball thing again, aren't we...
Please, don't try to fix it yourself. You may "know a bit about computers" but if your efforts change a simple fix into a complicated procedure or an "easier to reformat" situation, you won't win any friends, especially if you call IT and say "It's been crashing for about a week, but I really need this report right now".

US-CERT alert - MAC OSX Leopard

sandi — Mon, 05 Nov 2007 23:20:00 GMT

"US-CERT is aware of reports of possible flaws in the Application-Based Firewall in Mac OS X Leopard. According to these reports, users may be misinformed of the status of their firewall rule set, thus placing users with listening network services at an increased risk."

What *were* Apple thinking? "Block all incoming connections" should do exactly that.

Heise Security have a detailed analysis of the Leopard firewall's protections, or more precisely lack thereof, and their verdict is:

"The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto."

Ok, so the Leopard firewall is off by default, even if you had your firewall turned on before upgrading to Leopard; it doesn't distinguish between network types (unlike Vista which allows you to set different security levels for different networks); it is application based (identifying programs via code signatures) and no longer not port based, and there are the reports of applications being unable to access the internet (Skype and World of Warcraft being two that come to mind).

More on the MAC malware

sandi — Thu, 01 Nov 2007 23:03:00 GMT

Word is starting to spread about the MAC targetting malware "MacCodec" aka OSX.RSPlug.A, but I admit to being concerned at some of the reactions that I am seeing.

"A spokesperson for Symantec suggested that Intego "has a tendency to over-hype things" - excuse me?? What an unhelpful statement by Symantec.

"It's not going to spread far because it prompts for the Administrator password" - ah, if only life were that simple, but reality is those dancing pigs are just too darned tempting....

"Practice safe browsing: lock-down your browser (instructions below), and only download from sites you trust and install programs that you download intentionally. If you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site like MacUpdate.com or VersionTracker.com (not all legit programs are available on these sites, but they can serve as a good reality check)." (source: http://www.smith.edu/its/technotes/?p=41)

My apologies in advance to the people at Smith College TechNotes - this isn't personal, ok? Your article just happened to be high up in a Google search and contained the type of advice that I wanted to highlight.

Ok, so let's look at the above in segments...

"Practice safe browsing: lock down your computer (instructions below)" - locking down your computer does not protect you from social engineering attacks where you are tricked into running what you think is a safe file, a file that is seemingly required to complete whatever task it is that you are doing on the computer. Locking down your computer only protects you from exploits and "drive by downloads", neither of which apply to the MAC trojan under discussion.

And, just what is "safe browsing" anyway? The hacking of *legitimate* "safe" web sites is becoming commonplace. I could tell you about some very big names that have had their Web sites hacked, or who have involuntarily offered infected files for download, or who have hosted malicious Flash based banner advertisements - names that you would never expect to be a danger. The MAC world is going to have to become far more distrusting, and far more cynical, now that the bad guys are targeting them.

"Only download from sites you trust" - see the previous paragraph - and anyway, does anybody actually trust a porn site? I don't. And what will happen when the bad guys start using less nefarious topics such as, for example, a "how to stay safe on the internet" as the theme for their websites and malicious movies?

"..and install programs that you download intentionally" - ok, but the user is expecting to view a video - he or she *wants* to view that video and being prompted to install a codec is not unusual. The trick (a fake codec) is a commonly used, and far too often successful, trick used in the Windows world. In light of that reality, I'm not sure how this little snippet of advice helps in a situation like the MAC trojan.

"if you are unsure whether a program is legitimate, you can check to see if that program is also available from a trusted download site..." - sorry, this ain't gonna work unless you decide that if a product or codec isn't listed, you're not going to run it AND that you will only download and run from said trusted site, AND it assumes that the site itself has not been compromised. AND, what happens when the bad guys mimic the name of a well-known, trusted product? In the Windows world, the bad guys often mimic the names of Windows system files, and well known software.

And, in the end, users are lazy. They're not going to stop what they're doing, write down the name of whatever it is they have found that wants to install, load another page so that they can view whatever download site and search for the file in question before deciding whether or not to enter their Administrator password.

MacWorld's article about the trojan is here:
http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php

So what does this all boil down to? All of the above advice is good, traditional, advice and it would have been enough in the past - but nowadays it is not a panacea and much of the advice is negated by social engineering attacks anyway.

MAC users are being targeted in a porn trojan social engineering attack

sandi — Wed, 31 Oct 2007 23:27:00 GMT

Source: http://www.theregister.co.uk/2007/10/31/in_the_wild_osx_trojan/

"Miscreants have released a sophisticated Trojan into the wild that targets Mac users, according to Intego, a company that markets security software that runs on OS X.

The malicious Trojan, dubbed OSX.RSPlug.A, is making the rounds on several porn websites. When Mac users try to view some videos, the site feeds them a page that says QuickTime is unable to play the file unless a special codec is installed first. If the user proceeds, a form of DNSChanger is installed that hijacks some web requests sent to eBay, PayPal and some banking websites, according to this write-up <http://www.intego.com/news/ism0705.asp> from Intego.

"The noteworthy part is that someone is targeting the [Mac] OS," said Randy Abrams, a security researcher at antivirus software provider Eset. "This may mean that the OS is beginning to gain enough users to be attractive to attackers."

The Trojan installs a root crontrab that makes minute-by-minute queries to check that the doctored DNS server is still active. The websites offer different versions of the malware, most likely to tailor web spoofing to the victim's particular country. There is no way for victims running 10.4 to see the changed DNS server in the OS X GUI. In 10.5, the DNS server is visible in the Advanced Network preferences, but the added servers are dimmed and can't be removed manually.

Apple PR representatives didn't respond to an email seeking comment for this story.

A barrage of spam posted to Mac forums invites readers to visit the malicious websites. The Trojan requires victims to enter the administrative password for their machine, a factor that is likely to mitigate the risk somewhat. Then again, Windows users have for years been tricked into installing malware <http://www.theregister.com/2007/10/19/return_of_trojan_bayrob/> that can wreak havoc on their PCs. We see no evidence that Mac users are any less resilient to social-engineering attacks."

An interesting article by my friend Mauricio, and a timely warning

sandi — Fri, 17 Aug 2007 00:41:00 GMT

Operating System security is [only] as good as the admins http://www.geekzone.co.nz/freitasm/3578 "This last week, 5 of the 8 servers that are loco hosted but Canonical sponsored, had to be shut down due to reports that they were actively attacking...(read more)

Extremely disappointing - Trend Micro fails anti-malware test

sandi — Mon, 06 Aug 2007 05:21:00 GMT

"All three of its software products report false positives in VB100 testing.

All three of the anti-malware products submitted by Trend Micro for Virus Bulletin's independent tests failed because they produced false positives.

Of the 20 products submitted for testing, six generated false positives when scanning a set of known clean files and failed to meet the requirements for VB100 certification.

"Trend Micro, one of the 'big four' anti-malware companies, submitted no fewer than three of its anti-virus products, all of which falsely identified a Microsoft development tool as spyware," said a statement from Virus Bulletin.

"Other products to generate false positives were FortiClient, Ikarus Utilities and VirusBuster."

Source: http://www.crn.com.au/story.aspx?CIID=88516&r=rss

Unfortunately there is no mention in the CRN article (or any of the other verbatim articles appearing on the various news sites) of what the "Microsoft development tool" was/is that triggered the false positive.