Researchers at unified threat management vendor Fortinet noticed that a program similar to the Koobface worm had started using the Google Reader and Picasa websites to spread. In the attack, criminals host images that look like YouTube videos on the Google sites in hopes of tricking victims into downloading malicious Trojan software.
Hackers initially unleashed Koobface in late July, but Facebook’s security team soon slowed its spread by blocking the websites that were hosting the malicious Trojan software. That has prompted the criminals to change tactics. In this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send them to victims.
The links appear safe because they go to Google sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most anti-virus programs, according to Facebook.
It could be that the cyber-criminals behind Koobface have deliberately misspelled their Facebook messages to further help them evade detection by filters. This latest attack does not use the self-copying worm code that Koobface used last August, but it could easily be added.
Koobface has been a top security concern at Facebook since July. The worm’s creators have used Facebook’s instant messaging feature and also hosted their malicious links on sites such as Tinyurl.com and Bloglines.
Security experts have long warned that the Web 2.0 mash-up model of allowing users to put together their own content from many different sources naturally creates many security problems. In part, this is because it allows anyone to post material on trustworthy domains such as Google.
Facebook is working with Google to shut down the problem, said Facebook spokesman Barry Schnitt.
Bebo, the popular social networking site, is currently under attack from spammers who are automatically registering thousands of bogus accounts advertising fake online pharmacies, with the campaign owners receiving revenue through an affiliate-based program. According to Websense Security Labs, Bebo was already targeted by spammers in July this year, and according to MessageLabs, it happened again in October.
The automated registration process is made possible by breaking Bebo’s CAPTCHA, combined with bogus email accounts registered in the very same fashion. Direct CAPTCHA breaking, or outsourcing the process to humans, in order to make such spam campaigns across social networking sites possible is only going to get more efficient in 2009.
Spammers have found uses for the valid email addresses created on popular trusted free email sites by linking these addresses to accounts created on social networking sites, such as Bebo. According to Trend Micro, a search on Google for “Cialis”, a drug commonly referenced in spam messages, currently reveals two accounts on Bebo in the top-five results returned.
Approximately 30,000 bogus profiles have been generated for October alone. As always, Bebo isn’t targeted exclusively but alongside other social networking sites and blogging platforms, since from a blackhat search engine optimization perspective, the more popular the abused service, the higher the visibility and the shorter the time frame for search engine crawlers to pick up the bogus content.
The potential for abuse here is enormous, since once the profiles start acquiring traffic, the spammers could and will easily start selling the traffic through a traffic exchange program created exclusively for malicious purposes, such as redirecting visitors to live exploit URLs and rogue security software.
Consequently, users of social networking sites are receiving more “buddy” requests from fake profiles wishing to connect. This approach works well because traditional anti-spam solutions are unable to differentiate between these requests and genuine ones. The buddy requests appear genuine because they are sent by the real social networking site, so their headers are intact and correct. Moreover, the email addresses attached to the profiles are also valid, albeit created fraudulently. Often, the only visible clue is the random arrangement of letters in the user name portion of the email address.
Security researchers at RSA’s FraudAction Research Lab have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts. The Sinowal (AKA Torpig or Mebroot) trojan has also stolen email and FTP account login details. Previous attempts to track the source of the Trojan were unsuccessful.
The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. The program has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.
One popular theory is that the malware authors behind the trojan are in the same gang as the group who ran the infamous Russian Business Network (RBN). RSA’s analysis suggests that the authors of Sinowal may have been at least affiliated with the Storm worm gang in the past but are now running the malware through hosting facilities unaffiliated to the RBN.
Sinowal has only managed to become more productive over time. In the past six months, it has compromised more than 100,000 accounts. Since February, the number of variants has spiked, from fewer than 25 per month to more than 70, according to RSA. The increase helps the malware evade detection by anti-virus programs.
In all, the trojan has infected at least 300,000 Windows machines and stolen 270,000 online banking account numbers and 240,000 credit and debit credentials. Unlike many trojans, it doesn’t rely on tricking the end user into clicking on a link or file to get installed. Rather, it spreads silently via websites that prey on unpatched vulnerabilities in the Windows operating system or in third-party applications, such as Adobe Flash and Apple’s QuickTime media player.
“This particular trojan can get installed without even awareness of the end-user that they have agreed to anything or that anything has been installed,” Sean Brady, manager of identity protection at RSA, said in an interview. Sinowal sits dormant on a machine until a user points a browser at the website of a bank or other financial institution. Then an HTML injection engine adds fields to the website’s login page that prompt victims to enter social security numbers, passwords, and other credentials. Once entered, the information is transmitted to a server under the control of the malware authors. The injection mechanism is triggered by more than 2,700 different web addresses.
It then hides itself on a computer’s master boot record, making the infection extremely difficult to find. About the only remedy for victims fortunate enough to learn they are contaminated is to reformat their hard drive and reinstall their operating system.
RSA is in liaison with computer emergency response teams and other appropriate parties in an effort to take down the network controlled by the Sinowal trojan. The malware, variants of which first appeared in 2006, takes considerable pains to conceal its presence on compromised machines.
In addition, the communication infrastructure behind the trojan is sophisticated and well maintained. Little is known about the group responsible for Sinowal, but at least one clue suggests the group has ties to Russia: While the trojan targets institutions in dozens of countries in North America, Europe and Asia, none were located in Russia.
“The creators of the Sinowal Trojan periodically release new variants and register thousands of Internet domains for its communication resources. The purpose of this is to maintain the Trojan’s uninterrupted grip on infected computers,” a posting on the RSA security blog explains.
RSA has shared the data it discovered with affected banks in the hopes they will notify customers who are infected.
Sophos reported a new kind of phishing campaign yesterday. Instead of the regular bank phish, or the more recent university/webmail email account phish, this new campaign targets domain registrar accounts, as per the email below:
The email fakes the From address (it purports to come from tech@enom.com) and asks the user to update their account due to some maintenance, in a manner similar to bank phishes. The following two subject lines were seen in the phish emails, some with additional words such as “attention”, “warning”, or “IncidentID: #####”. Clicking on the link takes the user to a URL of the form www.enom.com.someotherdomain.
The fake login site is probably lifted from the real eNom login page in its entirety. Looking at the HTML source of the phish site, one would find that even the Google Analytics link was copied. The only HTML code that was not part of the real eNom page is the login box. Submitting credentials to the box would allow phishers to gain access to an eNom registrar account.
Most likely, phishers want to go after registrar accounts because of the termination of EST Domains as a registrar. EST Domains happens to be the registrar of choice for many spammers, rogue antivirus program writers, and malware writers. Shutting down this registrar would impede their ability to bulk register new domains. Hence, newly phished registrar accounts can be used to purchase new domains for malicious use until they can find someone else to partner with them. It remains to be seen whether these registrar account phish campaigns are here to stay.
The phishers also target registrar accounts at Network Solutions. Here is a capture of the phishing email:
Just like the eNom phishes, the From address is a tech@ email address, and the phishing site seems to be a modified version of the Network Solutions login page. Given the two targets so far, it is quite possible that other registrar providers will be targeted next. So, beware of email purporting to be coming from your registrar service and don’t give spammers and malware writers a way to obtain domains for their nefarious purposes.
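The www.enom.com.someotherdomain pattern above works because the eye reads a hostname left to right while DNS ownership is decided by its right-hand end. The check below, an added example rather than Sophos’s or any registrar’s code, classifies login links against a list of trusted registrar domains (the list and the sample links are constructed for illustration):

```python
"""Classify a login link as trusted, lookalike or unrelated.

Added example for this digest; not code from Sophos or any registrar.
TRUSTED_REGISTRARS and SAMPLE_LINKS are constructed; the lookalike
pattern (www.enom.com.someotherdomain) is the one described in the text.
"""
from urllib.parse import urlsplit

# Domains the organisation really uses for registrar logins (assumption:
# a real deployment would load this from configuration).
TRUSTED_REGISTRARS = {"enom.com", "networksolutions.com"}


def registrable_host(url: str) -> str:
    """Lowercase hostname of *url* with any port and trailing dot removed.
    urlsplit().hostname already lowercases and strips ':port'."""
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".")


def is_subdomain_of(host: str, domain: str) -> bool:
    """True only if *host* equals *domain* or ends with '.' + *domain*.
    A host that merely *starts* with the trusted name is rejected: the
    owner of the right-most labels controls everything to their left."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a login link."""
    host = registrable_host(url)
    if not host:
        return "unrelated"
    if any(is_subdomain_of(host, d) for d in TRUSTED_REGISTRARS):
        return "trusted"
    # Lookalike: a trusted name appears as a run of labels that is NOT
    # at the right-hand end of the hostname (e.g. www.enom.com.evil).
    labels = host.split(".")
    for domain in TRUSTED_REGISTRARS:
        n = len(domain.split("."))
        for i in range(len(labels) - n):
            if ".".join(labels[i:i + n]) == domain:
                return "lookalike"
    return "unrelated"


# Constructed sample links, modelled on the pattern described in the text.
SAMPLE_LINKS = [
    "https://www.enom.com/login",                    # genuine
    "https://access.enom.com/",                      # genuine subdomain
    "http://www.enom.com.someotherdomain/login",     # pattern from the text
    "http://www.networksolutions.com.example.net/",  # same trick, NetSol
    "https://www.example.org/",                      # unrelated
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10} {link}")
```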
OpenOffice.org has released a new version of the open-source desktop productivity suite to patch highly-critical vulnerabilities that could expose users to arbitrary code execution attacks.
The flaws, which affect all versions prior to OpenOffice.org 2.4.2, could be exploited via manipulated WMF and EMF files in StarOffice or StarSuite documents:
CVE-2008-2237: A security vulnerability in the way OpenOffice 2.x processes WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.
CVE-2008-2238: A security vulnerability in the way OpenOffice 2.x processes EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now. There is no workaround.
OpenOffice.org described the bugs as file-handling heap overflows. Patches are available in OpenOffice 2.4.2. OpenOffice 3.0 is not affected by these vulnerabilities.
EstDomains, a domain name registrar that worked closely with cyber criminals, suffered another blow after the organization that oversees the net’s address system said it would revoke the company’s right to sell domain names because of a recent fraud conviction of its president in Estonia. EstDomains has been criticized by many security experts for registering domain names used in phishing, spam, malware, and the sale of drugs that are illegal in some countries.
In a letter addressed to EstDomains President Vladimir Tsastsin, an official with the Internet Corporation for Assigned Names and Numbers said EstDomains’ registrar accreditation would be revoked on November 12.
“This termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction,” Stacy Burnette, ICANN’s director of contractual compliance, wrote. ICANN rules permit the group to terminate registrars who have officers or directors convicted of a crime related to financial activities, she said.
Last month, a company that provides software used to shield the identity of domain name owners said it was cutting off EstDomains because a high percentage of its customers used the anonymizing service to register websites that engaged in cyber crime. Three weeks later, network provider Intercage, struggling with its own reputation as a haven for cyber criminals, terminated its contract with EstDomains and its sister company EstHost.
Throughout the entire controversy, principals with EstDomains and EstHost have maintained they do not knowingly allow customers to run illegal websites. “We don’t provide the service for spammers/phishers etc, and we never did,” Konstantin Poltev, registry liaison for EstDomains, wrote in an email to The Register on Wednesday. He said officials with the company were appealing ICANN’s move on several grounds. For one, Tsastsin hasn’t been a director or officer of EstDomains since June. And for another, the February court record, which was reported here by Brian Krebs’s Security Fix blog, has never taken effect.
ICANN is already preparing for the transfer of some 281,000 domain names under EstDomains’ management. The registrar is free to recommend an ICANN-accredited agent to receive a bulk transfer, or qualified registrars may volunteer under established ICANN procedures. It will be interesting to see what companies, if any, agree to take on a customer base with such a toxic reputation.
An EstDomains representative said the group was working to block the move.
Netcraft has detected a vulnerability on a Yahoo website, which is currently being used to steal authentication cookies from Yahoo users — transmitting them to a website under the control of a remote attacker. With these stolen details, the attacker can gain access to his victims’ Yahoo accounts, such as Yahoo Mail.
The attack exploits a cross-site scripting vulnerability on Yahoo’s HotJobs site at hotjobs.yahoo.com, which currently allows the attacker to inject obfuscated JavaScript into the affected page. The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details.
Netcraft found that the Yahoo cookies stolen by the attacker would have allowed him to hijack his victims’ browser sessions, letting him gain access to all of their Yahoo Mail emails and any other account which uses cookies for the yahoo.com domain.
Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim’s email — the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank web page, leaving them unlikely to realize that their own account has just been compromised.
When websites use cookies to handle authenticated sessions, it is extremely important to protect the cookie values and ensure they are not seen by other parties. Cross-site scripting vulnerabilities often allow these values to be accessed by an attacker and transmitted to a website under their control, which then allows the attacker to use the same cookie values to hijack their victim’s session without needing to log in. This type of attack can be mitigated to some extent by using HttpOnly cookies to prevent scripts gaining access to the cookies — a feature that is now supported by most modern browsers.
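A quick way to check whether a site’s session cookies carry the protection described above is to audit the Set-Cookie headers it returns. The auditor below is an added example, not Yahoo’s or Netcraft’s code; the cookie names it treats as session cookies and the two header lines are constructed, while the HttpOnly and Secure attribute names are the real ones.

```python
"""Audit Set-Cookie headers for session-cookie hardening.

Added example, not Yahoo's or Netcraft's code. SESSION_COOKIE_NAMES and
the WEAK/HARDENED header lines are constructed for illustration.
HttpOnly keeps document.cookie from exposing the value to injected
script; Secure keeps the cookie off plaintext HTTP.
"""
from typing import Dict, List, Optional

# Cookie names treated as session/authentication cookies (assumption; a
# real check would take this list from the application's own config).
SESSION_COOKIE_NAMES = {"sessionid", "auth", "sid"}


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse one Set-Cookie header value into a dict.

    The first 'name=value' pair is the cookie itself ('name' / 'value');
    each later ';'-separated attribute is stored under its lowercase name,
    with None as the value for flag attributes such as HttpOnly."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value}
    for attr in parts[1:]:
        key, has_eq, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_eq else None
    return cookie


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a session cookie; an empty list means hardened."""
    cookie = parse_set_cookie(header)
    if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
        return []  # not a session cookie; out of scope for this check
    findings = []
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: readable via document.cookie by injected script")
    if "secure" not in cookie:
        findings.append("missing Secure: also sent over plaintext HTTP")
    domain = cookie.get("domain")
    # Heuristic: a two-label Domain (e.g. .example.com) hands the cookie to
    # every host under that parent, so one XSS bug anywhere exposes it.
    if domain and domain.lstrip(".").count(".") == 1:
        findings.append(f"broad scope: Domain={domain} is shared with all subdomains")
    return findings


# Constructed headers: a domain-wide, script-readable cookie of the kind
# the text describes, and a hardened alternative.
WEAK = "sessionid=abc123; Path=/; Domain=.example.com"
HARDENED = "sessionid=abc123; Path=/; Domain=mail.example.com; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(hdr) or ["ok"])
```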
Earlier this year, Netcraft blocked a similar flaw on another Yahoo website. The previous attack targeted a cross-site scripting vulnerability on Yahoo’s ychat.help.yahoo.com site, which was served securely using a valid SSL certificate, adding further credibility to the attack. The attacker used the vulnerability to inject malign JavaScript into one of the site’s web pages.
Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker’s cookie harvesting script are both still present, according to Netcraft’s news blog.
A critical security hole fixed by Microsoft with Security Bulletin MS08-067 is being actively exploited in the wild by a new password-stealing Trojan. In addition to gathering and stealing Windows Live, Protected Storage and Microsoft Outlook credentials, which are phoned home to China, the Trojan downloads an additional exploit component from the Internet.
The Trojan exploits the above-mentioned vulnerability on attacked hosts; the shellcode downloads the very same Trojan from the Internet onto the victim’s computer and immediately executes it in place. The newly infected system then downloads the exploit component in turn to infect other systems, and the whole worm-like process starts from scratch.
Security researchers had identified the new worm, called Gimmiv, which exploited the vulnerability, and a hacker had posted an early sample of code that could be used to exploit the flaw on the Web.
Microsoft issued the patch more than two weeks ahead of its next security updates because the bug could be used to create an Internet worm attack and Microsoft had already seen a small number of attacks that exploited the flaw.
The vulnerability lies in the Windows Server service used to connect with other devices on networks. Although the firewall software that ships with Windows will block the worm from spreading, security experts are worried that the flaw could be used to spread infections between machines on local-area networks, which are not typically protected by firewalls.
Gimmiv is downloaded onto a target machine via social engineering and then proceeds to scan and exploit machines on the same network, using this newly disclosed vulnerability in the Windows Server service. The worm then loads software that steals passwords, security experts say.
Both Symantec and McAfee Inc. said today that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting yesterday evening, it found a 25% jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.
That scenario becomes more likely, too, as more tools that exploit the flaw are released to the public. Sample exploit code was posted to the Milw0rm site two days ago, and over the next few days hackers are expected to move that code into attack tools that are easy to use. The attack code will most likely be used soon to build botnet networks of infected computers.
Users should deploy the provided patches from Microsoft as soon as possible. Furthermore, the attack can be mitigated by blocking incoming TCP connections on ports 139 and 445 in the firewall. The vulnerable services are “Computer Browser” and “Server”, both of which can be stopped and disabled if the PC is not part of a network. Inside-attack scenarios can be mitigated by deploying a desktop firewall and disabling file/printer sharing.
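The lateral spread described above has an observable signature: one host contacting many different peers on TCP 139/445 in quick succession, which is exactly the scan increase Symantec reported. The script below, an added example and not Symantec’s or Microsoft’s detection logic, applies that fan-out heuristic to constructed host-firewall log lines; a real deployment would swap in a parser for its own firewall or flow-log format.

```python
"""Flag hosts sweeping the LAN on the SMB ports (TCP 139/445).

Added example for this digest, not Symantec's or Microsoft's logic.
SAMPLE_LOG, its line format and the addresses are constructed; the
threshold is an assumption to tune per environment.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed log lines: "<time> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
10:01:02 192.168.1.20:49152 -> 192.168.1.5:445 ALLOW
10:01:02 192.168.1.20:49153 -> 192.168.1.6:445 DROP
10:01:03 192.168.1.20:49154 -> 192.168.1.7:445 DROP
10:01:03 192.168.1.20:49155 -> 192.168.1.8:445 DROP
10:01:04 192.168.1.20:49156 -> 192.168.1.9:139 DROP
10:01:04 192.168.1.20:49157 -> 192.168.1.10:445 DROP
10:01:05 192.168.1.30:49200 -> 192.168.1.5:445 ALLOW
10:01:06 192.168.1.30:49201 -> 192.168.1.5:445 ALLOW
10:01:07 192.168.1.40:49300 -> 198.51.100.7:443 ALLOW
"""

SMB_PORTS = {139, 445}   # the ports the mitigation in the text blocks
SWEEP_THRESHOLD = 5      # distinct SMB peers before alerting (assumption)


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src_ip, dst_ip, dst_port) for one log line, or None if the
    line does not match the constructed format."""
    try:
        _, src, _, dst, _ = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dport = dst.rsplit(":", 1)
        return src_ip, dst_ip, int(dport)
    except ValueError:
        return None


def smb_fanout(log: str) -> Dict[str, Set[str]]:
    """Map each source to the set of distinct peers it contacted on 139/445.
    Dropped and allowed attempts both count: the sweep is the signal."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in SMB_PORTS:
            peers[parsed[0]].add(parsed[1])
    return peers


def suspected_scanners(log: str, threshold: int = SWEEP_THRESHOLD) -> List[str]:
    """Sources whose SMB fan-out reaches the threshold. A normal client
    talks to a few file servers repeatedly; a worm walks the subnet."""
    return sorted(src for src, dsts in smb_fanout(log).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    print("suspected SMB sweep from:", suspected_scanners(SAMPLE_LOG))
```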
A new vulnerability has been found in Google’s Chrome browser that allows attackers to impersonate websites of groups like the Better Business Bureau, PayPal and even Google.
Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers at the Mountain View, California company. According to The Register, Apple Safari is not vulnerable in the same way, although it uses the same rendering engine (WebKit).
As the researcher’s proof of concept demonstrates, it is in fact possible to send Chrome users to a page under an attacker’s control while the browser’s address bar displays the domain name bbb.org.
A Google representative says Chrome’s spoofing vulnerability is a “known issue” that will be fixed in an update that will be pushed to end users soon.
Credit: Dan Goodin, The Register
A malware research firm, FaceTime Security Labs, found a list of hacked eBay logins while investigating an unrelated phishing case on October 12. According to Christopher Boyd, the director of FaceTime Security Labs, it was the biggest haul of stolen eBay logins they’ve ever seen.
The list runs to 121 pages and carries 5,534 eBay accounts, including usernames, passwords and email addresses. Quite a lot of the accounts don’t exist or are no longer registered users, but there are enough live accounts in there for this to be something of a worry (there also don’t appear to be any duplicates, which is unusual for a collection this big).
At first glance, it’s hard to say exactly where the data has come from or how new/old some of it is. It’s apparently been passed around various file download sites over the past week or two, though a massive “roll-up” of stolen accounts from various phishers seems most likely. These would be newly registered users, or users with low feedback scores because they don’t tend to use eBay that much. These are prime targets for phishers, because they’re more likely to be fooled by fake logins.
Another worry is that many inexperienced users on eBay use the same login details for PayPal, so there’s the possibility of being able to access two sets of accounts from the same data. Some of the logins have already been “locked out”; presumably logging in to an account from an unfamiliar IP address is triggering eBay security checks.
eBay has been notified and the data has been removed from the web with the help of Google, which removed some cached data from its search engine index. Hopefully eBay will act quickly on the information it has been provided and assist those unfortunate enough to have been phished.